print

Tip of the Month

October 2003

SMB Path Search and Layers

One of the most common IT issues is reminiscent of the Hatfield and McCoy family feud. Of course what I am referring to is the age old question: Is the network slow or is it a server issue? Often times it is neither! The problem is often something such as a poorly written application. Historically, it may be viewed as more simple to add bandwidth to compensate for poor performance. However, with an analyzer you can see where the problems occur. So what should you look for and how do you document the issue so a programmer can understand? Use EtherPeek NX.

Conversations between network nodes exude behavior that may easily be viewed in an analyzer. Let’s take SMB for example. SMB is Server Message Block and is used for file sharing. Before files can be shared at the SMB level you first have to set up a conversation. The conversation starts with the TCP ‘3-way handshake’, proceeds to the NetBIOS ‘session request’ and ‘session response’ and then up to SMB’s ‘Negotiate Protocol.’ Knowing this information we first look to ensure that the TCP session was setup without error, then look to the higher layer protocols. Traditionally this was done in the decode of the actual packet, but with analyzers such as EtherPeek NX you may simply look in the Summary Column of the Packets tab for packet information.
Additionally with the EtherPeek NX 2.1 there is a new Column entitled “Decode.” This column is used to bring up a portion of the decode for all applicable packets in the tracefile to an easy to view column in the Packet List Summary window that may scroll in real-time.

After you have ensured that the above procedures have taken place and the conversation is on track to send or receive information, ensure file paths are accurate. If the desired file “myfile.bat” resides at \a\c\myfile.bat, the application should not be searching through other files to find this one e.g. \a\b\myfile.bat, nor should the file include wildcards such as “my*.*” because this will also tax a server to find the file. One or two files may not be noticeable, but several hundred or thousand files will most assuredly degrade network performance. The path search information will easily be viewed in the “Summary” column of EtherPeek NX!

Additionally with the EtherPeek NX 2.1 there is a new Column entitled “Decode.” This column is used to bring up a portion of the decode for all applicable packets in the tracefile to an easy to view column in the Packet List window that may scroll in real-time.

Some other columns of interest are ‘Delta Time’ and ‘Expert’. Delta time removes doubt as to whether the application is incorrectly searching or a human typist is manually searching based on the time it took to query. Ask yourself “how fast could someone type?” If it is a huge stretch to type that fast than it must be automated. Save this information out and take it to the programmer of that particular application.
The Expert Column will notify you if there were issues based on expert events associated with this conversation.

For more detailed information, please note WildPackets Academy courses that go over these situations in much greater depth.