This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need Help Understanding Capture

0

I am working on a pair of Windows 7 x64 machines. When I open a DOC file across the network it takes a long time to open and save. If I rename the file DOCX it opens and saves quickly. I have used Wireshark to capture traffic for both operations but don't know enough about TCP to analyze what I have.

Are there any examples around that might help?

asked 14 Nov '10, 21:54


broosth

I don't see how a file extension can cause a network slowdown. Why don't you take Word out of the picture and simply copy your doc and docx files using Windows Explorer? I bet it would take the same time to copy; if it doesn't, you may have an antivirus application that's scanning doc files but does not scan docx files. Anyway, this sounds like a problem in the Application Layer, which Wireshark would not make obvious. (Please correct me on the last sentence if I am mistaken.)

(15 Nov '10, 12:13) net_tech

2 Answers:

0

There are tons of example files at www.wiresharkbook.com in the downloads section. You can also see several videos on that site as well.

When you rename the file, are you saving it locally or on the network? Are you opening it in Word 2003 or 2007?

Can you look through both trace files and examine the Analyze > Expert Info Composite to see TCP errors listed?

answered 14 Nov '10, 22:02


lchappell ♦

0

broosth, the CIFS protocol can take a HUGE performance hit when copying or opening across a WAN (with high latency). DOCX happens to produce a much smaller file, so it can be as simple as that. It can also have to do with file locking, but the most likely suspect is a simple file size issue.

In CIFS, the rule of thumb can be: READ operations will consume data at 16KB or 32KB per round trip. WRITE operations will consume 8KB or 16KB per round trip.

So regardless of available bandwidth, speed of the circuit, or TCP window sizes, READ and WRITE operations are limited by the CIFS upper bound. CIFS is the weakest link.

Windows 7 (and Vista, I suppose) can improve on the READ/WRITE performance, but as a general rule of thumb, what I wrote is "good enough."

answered 15 Nov '10, 14:04


hansangb
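To check the round-trip rule of thumb from the last answer against a capture, the sketch below pairs each read request with its response and reports bytes per round trip, median round-trip time and the resulting throughput. It is an added example, not code from any poster on this thread; the record layout `(time_s, kind, mid, nbytes)`, the 40 ms round-trip time and the 2 MiB / 256 KiB file sizes are constructed assumptions, and the sample capture is generated rather than taken from a real trace.

```python
import math
from statistics import median

def summarize_reads(records):
    """Pair requests with responses by multiplex id and summarize them.

    records: iterable of (time_s, kind, mid, nbytes), kind is 'req' or 'rsp'
    (hypothetical layout; export the equivalent fields from your own capture).
    """
    pending, rtts, sizes = {}, [], []
    for t, kind, mid, nbytes in records:
        if kind == "req":
            pending[mid] = t                      # remember when we asked
        elif kind == "rsp" and mid in pending:
            rtts.append(t - pending.pop(mid))     # time spent waiting
            sizes.append(nbytes)                  # payload that round trip bought
    return {
        "round_trips": len(rtts),
        "bytes_per_round_trip": median(sizes),
        "median_rtt_s": median(rtts),
        "throughput_Bps": sum(sizes) / sum(rtts),
        "unanswered": len(pending),               # requests with no response seen
    }

def predicted_seconds(file_bytes, chunk_bytes, rtt_s):
    """Latency-bound transfer time: one chunk per round trip, bandwidth ignored."""
    return math.ceil(file_bytes / chunk_bytes) * rtt_s

def make_capture(file_bytes, chunk_bytes, rtt_s):
    """Constructed sample data: strictly serial reads, one chunk per round trip."""
    records, t, mid, left = [], 0.0, 0, file_bytes
    while left > 0:
        n = min(chunk_bytes, left)
        records.append((t, "req", mid, 0))
        t += rtt_s
        records.append((t, "rsp", mid, n))
        left -= n
        mid += 1
    return records

if __name__ == "__main__":
    # Constructed sizes: a 2 MiB "DOC" and a 256 KiB "DOCX", 32 KiB reads, 40 ms RTT.
    for name, size in (("doc", 2 * 1024 * 1024), ("docx", 256 * 1024)):
        stats = summarize_reads(make_capture(size, 32 * 1024, 0.040))
        print(name, stats, predicted_seconds(size, 32 * 1024, 0.040))
```

If the bytes per round trip measured in a real trace sit near the 16KB or 32KB figure and the measured time is close to `predicted_seconds`, the transfer is latency-bound as the answer describes; a large gap points elsewhere, such as the TCP errors or scanning delays raised earlier in the thread.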