This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB troubleshooting

0

Can someone help me with troubleshooting SMB/CIFS traffic. I have a user that experiences "lost connections" opening MS Access databases and slowness/errors opening MS Excel documents, both from a remote file share on a NetApp storage appliance. From a network perspective, the traces look good but we are seeing a number of messages in WireShark like the one below.

No.

Time

Source

Destination

Protocol

Info

736722010-09-10 06:28:57.22831994710.225.10.14810.170.100.60SMBNT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED

It has been a long time since I have been in the server world so, I am not sure where to start looking. As I said, there do not appear to be any latency or other issues with the network and based on research, it appears that there are some issues with SMB signing in the MicroSoft world. I am just trying to find a place to really start troubleshooting. If more information is needed let me know. Any help would be appreciated.

Brad Walker

asked 14 Sep '10, 13:17

mbwalker's gravatar image

mbwalker
1112
accept rate: 0%

1

STATUS_ACCESS_DENIED sounds as if a program on the client tried to open or create a file to which the account being used for the SMB connection did not have access - i.e., it's not a networking problem or an SMB packet-signing problem, it's a file permissions problem.

Whether that's the cause of the lost connections or slowness is another matter; it might not be trying to open an Access database or an Excel document. What was the matching NTCreateAndX request? That should indicate what it was trying to open/create.

(15 Sep '10, 17:15) Guy Harris ♦♦

Thanks, Guy! That is what my thoughts were but I was just looking for ways to prove it. I will scan the trace again and see what I can find out.

(17 Sep '10, 09:25) mbwalker

2 Answers:

0

Hello Brad,

I have the same problem working with an MS Access file on a Netapp filer.... if I put the same file on a Windows fileserver all works fine! the nas is joined to the domain and the resource isn't poor (cpu etc. etc.) Do you have resolved the problem? Bye

Federico

answered 16 Sep '10, 06:51

Federico's gravatar image

Federico
1
accept rate: 0%

This is a Q&A site, which operates a little differently from traditional web forums. If you're not answering @mbwalker's question can you click on the "add new comment" button?

(17 Sep '10, 11:04) Gerald Combs ♦♦

0

This message is likely buried in the middle of lots of SMB layer messages, right? Is the user going through Windows Explorer to find the file on the server? If you look at the full decode you should see what they're being denied access to. This is common, especially when the user is browsing the server through WE to find the file - there may be lots of directories/files the user doesn't have access to. AND WE likes to load pretty little icons for the files, which usually requires atleast read access. This/These errors may or may not have anything to do with the disconnections. If the user pings the server what is the response time? Does the connection break during the middle of the transfer? Is he working via VPN? There are lots of factors that can break SMB connections - good luck!

answered 21 Sep '10, 06:18

GeonJay's gravatar image

GeonJay
4705922
accept rate: 5%