This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trying to analyse high network utilization

0

I'm trying to locate an issue with a certain application exe file my company uses. When this exe file is on a network share, every time a user views it, right click & properties, network utilization spikes (60-80%) for 5-20 seconds, depending on the link between client and file server. The exe file is about 118MB, signed with SHA256 digital signature.

Only thing I see in Process Explorer is that system process (pid 4) is responsible but why?

Looking at the Wireshark capture, it is filled with "TCP segment of a reassembled PDU" and "TCP Dup ACK..."

I'm a novice to Wireshark but a fast learner, so any help you give me is greatly appreciated.

asked 15 Dec '16, 15:23


kristjang
6112
accept rate: 0%

Looking at the wireshark capture

Maybe if we looked at them too we might notice something....

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.?

(17 Dec '16, 05:47) Bob Jones

One Answer:

2

A number of things happen in the background when you point the Windows file explorer to a directory that is located on a network share. Here are a few of the activities that happen in the background:

  • The explorer will collect a list of all files in the directory and its attributes like time stamps.
  • Your computer collects or updates icons for all files in the folder.
  • Hopefully at least one virus scanner will check the file (or at least all executable files in that directory).
  • The search indexer might start browsing files to prepare for later search operations.

The virus scanner's behavior depends on your specific configuration. I have seen a number of variations. Some of them are:

  • The client scans the remote file (ok, but with performance impact)
  • The server delays access for the client until it has finished its scan (better, since the server can cache the verdict until a pattern update is available or the file has been changed)
  • Both systems scan the file simultaneously (not good, as this can lead to a lot of lock management)

Note A: The client's virus scanner should not cache its verdict on files stored on the server, as the file might be changed (infected) by another client.

Note B: Starting applications from a network drive is always a bad idea: Windows treats executables as a small paging file. Sections from the program can be read multiple times if the Windows kernel needs more space for other applications.

Note C: Programs can be compiled to be kept in memory once they are loaded. The behavior is specified by a special bit in the EXE file's PE header.

The network load increases if the client uses the program frequently: Windows has a mechanism called the prefetcher or superfetch. The prefetcher will identify the most popular programs and load these into memory, even if the user did not click them (yet). If necessary all required DLLs will be loaded as well. This further increases the network load, as your virus scanner(s) hopefully scans all DLLs.

Many other things can happen in the background: If the 118 MB executable is a self extracting archive or an installer, all the files contained in this container will (hopefully) be scanned by your virus scanner.

As Bob Jones mentioned, a Wireshark trace file will reveal the nature of the traffic.

The fact that the system process (pid 4) is responsible for the I/O is quite comforting: Access to network shares is facilitated by a driver (either SMB.SYS or SMB2.SYS). Drivers are considered part of or an extension to the Windows kernel, hence their activity is charged to the system process.

Good hunting

answered 18 Dec '16, 11:10


packethunter
2.1k71548
accept rate: 8%
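The "special bit" in Note C of the answer above is the IMAGE_FILE_NET_RUN_FROM_SWAP flag (0x0800) in the Characteristics field of the COFF file header; when it is set, the loader copies the image to the local page file instead of paging it back in over SMB. The script below, added here as an example and not code from the answerer or from Wireshark, reads that field from a PE file so you can check whether the 118 MB executable has the flag before blaming the share or the scanner. The `make_test_image()` helper builds a constructed header stub for testing only; it is not a real executable.

```python
import struct

# COFF Characteristics flags, as defined in the PE/COFF specification
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800
IMAGE_FILE_DLL = 0x2000


def coff_characteristics(data: bytes) -> int:
    """Return the Characteristics field of the COFF file header.

    Raises ValueError if the buffer does not start with a PE image header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset of the PE signature) lives at DOS header offset 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return characteristics


def runs_from_swap_on_network(data: bytes) -> bool:
    """True if the image asks Windows to copy it to the page file when run from a share."""
    return bool(coff_characteristics(data) & IMAGE_FILE_NET_RUN_FROM_SWAP)


def describe(data: bytes) -> dict:
    """Summarise the header bits relevant to the network-share question."""
    flags = coff_characteristics(data)
    return {
        "characteristics": flags,
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "net_run_from_swap": bool(flags & IMAGE_FILE_NET_RUN_FROM_SWAP),
        "removable_run_from_swap": bool(flags & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP),
    }


def make_test_image(characteristics: int) -> bytes:
    """Build a minimal PE header stub (constructed test data, not runnable code)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine = 0x8664 (x64), one section, zeroed timestamp/symbol fields
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys

    # Only the first few KB are needed; e_lfanew is normally small.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read(4096) if path else make_test_image(
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_NET_RUN_FROM_SWAP)
    for key, value in describe(data).items():
        print(f"{key}: {value}")
```

Run it as `python pe_swaprun.py \\server\share\app.exe` to inspect the real file. If `net_run_from_swap` is False, every page-in of the binary goes back to the file server, which matches the repeated reads Note B describes; if it is True, the remaining traffic is more likely the scanner and explorer activity from the answer, and the Wireshark capture Bob Jones asked for is the place to confirm which.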