Lots of SMB traffic

Harrison Midkiff

Hello:

I am new to packet sniffing. I had a user complain that it was taking too
long for an Excel spreadsheet to open. I tested from my machine and it only
took about 5 seconds, which is what I would expect it to take. From his
machine it was taking over a minute! I installed Wireshark on his computer
and did a sniff while attempting to open the file. In the sniff I saw a
tremendous amount of SMB traffic. I have been googling this to try and make
sense of it but still am not sure what is going on. Below is what I am seeing.
Any advice would be appreciated.

Harrison Midkiff



No. Time Source Destination Protocol Info
7 2.163980 192.168.2.45 192.168.28.120 SMB NT Trans Response, <unknown>
8 2.164192 192.168.28.120 192.168.2.45 SMB NT Trans Request, NT NOTIFY, FID: 0x4001
9 2.296280 192.168.2.45 192.168.28.120 SMB NT Trans Response, NT NOTIFY
10 2.306404 192.168.28.120 192.168.2.45 SMB NT Trans Request, NT NOTIFY, FID: 0x4001
11 2.376536 192.168.2.45 192.168.28.120 SMB NT Trans Response, NT NOTIFY
12 2.376771 192.168.28.120 192.168.2.45 SMB NT Trans Request, NT NOTIFY, FID: 0x4001
13 2.440911 192.168.2.45 192.168.28.120 TCP 139 > 2008 [ACK] Seq=267 Ack=380 Win=64459 Len=0 TSV=8560114 TSER=715938
14 2.468087 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal
15 2.468689 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
16 2.468879 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal
17 2.469410 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
18 2.502085 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal\Hillsborough Sheriff's Dept SOD.xls
19 2.502735 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
20 2.502925 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal\Hillsborough Sheriff's Dept SOD.xls
21 2.503460 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
22 2.503972 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal\Hillsborough Sheriff's Dept SOD.xls
23 2.504429 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
24 2.504552 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal\Hillsborough Sheriff's Dept SOD.xls
25 2.505160 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
26 2.505838 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION
27 2.506389 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
28 2.506543 192.168.28.120 192.168.2.45 SMB Trans2 Request, FIND_FIRST2, Pattern: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA
29 2.507106 192.168.2.45 192.168.28.120 SMB Trans2 Response, FIND_FIRST2, Files: TAMPA
30 2.515711 192.168.28.120 192.168.2.45 TCP [TCP segment of a reassembled PDU]
31 2.515770 192.168.28.120 192.168.2.45 SMB Session Setup AndX Request
32 2.516354 192.168.2.45 192.168.28.120 TCP 139 > 2008 [ACK] Seq=1175 Ack=4578 Win=65535 Len=0 TSV=8560114 TSER=715939
33 2.517080 192.168.2.45 192.168.28.120 SMB Session Setup AndX Response
34 2.520029 192.168.28.120 192.168.2.45 SMB Tree Connect AndX Request, Path: \\SID\IPC$
35 2.520485 192.168.2.45 192.168.28.120 SMB Tree Connect AndX Response
36 2.520673 192.168.28.120 192.168.2.45 SMB Trans2 Request, GET_DFS_REFERRAL, File: \SID\TPA-DEPT
37 2.520970 192.168.2.45 192.168.28.120 SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE
38 2.521547 192.168.28.120 192.168.2.45 SMB Logoff AndX Request
39 2.521942 192.168.2.45 192.168.28.120 SMB Logoff AndX Response
40 2.522084 192.168.28.120 192.168.2.45 SMB NT Create AndX Request, Path: \srvsvc
41 2.522672 192.168.2.45 192.168.28.120 SMB NT Create AndX Response, FID: 0x0009
42 2.522937 192.168.28.120 192.168.2.45 DCERPC Bind: call_id: 1 SRVSVC V3.0
43 2.523156 192.168.2.45 192.168.28.120 SMB Write AndX Response, FID: 0x0009, 72 bytes
44 2.526249 192.168.28.120 192.168.2.45 SMB Tree Disconnect Request
45 2.526368 192.168.28.120 192.168.2.45 SMB Read AndX Request, FID: 0x0009, 1024 bytes at offset 0
46 2.526567 192.168.2.45 192.168.28.120 SMB Tree Disconnect Response
47 2.526603 192.168.2.45 192.168.28.120 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
48 2.526635 192.168.28.120 192.168.2.45 TCP 2008 > 139 [ACK] Seq=5145 Ack=2016 Win=38433 Len=0 TSV=715939 TSER=8560114
49 2.526888 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal
50 2.527292 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
51 2.527374 192.168.28.120 192.168.2.45 SRVSVC NetShareGetInfo request
52 2.527541 192.168.28.120 192.168.2.45 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal
53 2.527776 192.168.2.45 192.168.28.120 SRVSVC NetShareGetInfo response
54 2.527921 192.168.28.120 192.168.2.45 SMB Close Request, FID: 0x0009
55 2.528017 192.168.2.45 192.168.28.120 SMB Trans2 Response, QUERY_PATH_INFO
56 2.528262 192.168.2.45 192.168.28.120 SMB Close Response
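The quickest way to make sense of a packet list like the one above is to stop reading frame by frame and let a script answer three questions: which requests does the client repeat for the same path, how long does the server take to answer each SMB command, and which responses carry an error status. The script below is an added example, not code from the thread; it parses Wireshark's one-line packet summary layout (No. Time Source Destination Protocol Info) and runs over a constructed excerpt of the capture posted above (frames 8-11, 14-29 and 36-37, with wrapped lines re-joined). The `SAMPLE`, `ROOT`/`DIR`/`XLS` constants and the regexes are assumptions of this example; the packet-list format is the one shown in the post.

```python
"""Triage an SMB packet list exported from Wireshark: count requests the
client repeats for the same path, measure request->response latency per SMB
command, and list responses that carry an NT status error.
Added example; SAMPLE is an excerpt of the capture in the post, re-joined."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean

# Paths exactly as they appear in the posted capture (constructed constants).
ROOT = r"\(Eng Jobs)\2007 JOBS IN PROGRESS - EASTERN REGION"
DIR = ROOT + r"\TAMPA\01-07-2090 HCSO Conference Rooms SOC DAS & FRW HSD Roll Call\System Proposal"
XLS = DIR + r"\Hillsborough Sheriff's Dept SOD.xls"
QPI = "SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: "
C, S = "192.168.28.120", "192.168.2.45"   # client (the slow Excel box) and file server

# Constructed sample: frames 8-11, 14-29 and 36-37 from the post, one per line.
SAMPLE = "\n".join([
    f"8 2.164192 {C} {S} SMB NT Trans Request, NT NOTIFY, FID: 0x4001",
    f"9 2.296280 {S} {C} SMB NT Trans Response, NT NOTIFY",
    f"10 2.306404 {C} {S} SMB NT Trans Request, NT NOTIFY, FID: 0x4001",
    f"11 2.376536 {S} {C} SMB NT Trans Response, NT NOTIFY",
    f"14 2.468087 {C} {S} {QPI}{DIR}",
    f"15 2.468689 {S} {C} SMB Trans2 Response, QUERY_PATH_INFO",
    f"16 2.468879 {C} {S} {QPI}{DIR}",
    f"17 2.469410 {S} {C} SMB Trans2 Response, QUERY_PATH_INFO",
    f"18 2.502085 {C} {S} {QPI}{XLS}",
    f"19 2.502735 {S} {C} SMB Trans2 Response, QUERY_PATH_INFO",
    f"20 2.502925 {C} {S} {QPI}{XLS}",
    f"21 2.503460 {S} {C} SMB Trans2 Response, QUERY_PATH_INFO",
    f"22 2.503972 {C} {S} {QPI}{XLS}",
    f"23 2.504429 {S} {C} SMB Trans2 Response, QUERY_PATH_INFO",
    f"24 2.504552 {C} {S} {QPI}{XLS}",
    f"25 2.505160 {S} {C} SMB Trans2 Response, QUERY_PATH_INFO",
    f"26 2.505838 {C} {S} {QPI}{ROOT}",
    f"27 2.506389 {S} {C} SMB Trans2 Response, QUERY_PATH_INFO",
    f"28 2.506543 {C} {S} SMB Trans2 Request, FIND_FIRST2, Pattern: {ROOT}\\TAMPA",
    f"29 2.507106 {S} {C} SMB Trans2 Response, FIND_FIRST2, Files: TAMPA",
    f"36 2.520673 {C} {S} SMB Trans2 Request, GET_DFS_REFERRAL, File: \\SID\\TPA-DEPT",
    f"37 2.520970 {S} {C} SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE",
])

LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# "Trans2 Request, QUERY_PATH_INFO, ..." -> command "Trans2", kind, subcommand
CALL_RE = re.compile(r"^(.*?) (Request|Response)(?:, ([A-Z][A-Z0-9_ ]*?))?(?:,|$)")
PATH_RE = re.compile(r"(?:Path|Pattern): (.*)$")

@dataclass
class Packet:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    info: str

def parse_summary(text):
    """Parse packet-list lines; lines that do not fit the layout are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Packet(int(m[1]), float(m[2]), m[3], m[4], m[5], m[6]))
    return out

def smb_call(pkt):
    """('Request'|'Response', 'Trans2 QUERY_PATH_INFO') for an SMB frame, else None."""
    m = CALL_RE.match(pkt.info) if pkt.proto == "SMB" else None
    if not m:
        return None
    return m[2], " ".join(x for x in (m[1], m[3]) if x)

def redundant_requests(packets):
    """(command, path) pairs the client asked for more than once."""
    counts = Counter()
    for p in packets:
        call = smb_call(p)
        if call and call[0] == "Request":
            m = PATH_RE.search(p.info)
            counts[(call[1], m[1] if m else "")] += 1
    return {k: n for k, n in counts.items() if n > 1}

def response_latency(packets):
    """Match each request to the next response of the same command (FIFO);
    returns {command: [seconds, ...]}."""
    pending, lat = defaultdict(list), defaultdict(list)
    for p in packets:
        call = smb_call(p)
        if not call:
            continue
        kind, cmd = call
        if kind == "Request":
            pending[cmd].append(p.time)
        elif pending[cmd]:
            lat[cmd].append(p.time - pending[cmd].pop(0))
    return dict(lat)

def error_responses(packets):
    """(frame number, info) for every response carrying an NT status error."""
    return [(p.no, p.info) for p in packets if "Error:" in p.info]

if __name__ == "__main__":
    pk = parse_summary(SAMPLE)
    for (cmd, path), n in redundant_requests(pk).items():
        print(f"{n}x {cmd} ...{path[-40:]}")
    for cmd, xs in response_latency(pk).items():
        print(f"{cmd}: n={len(xs)} mean={mean(xs)*1e3:.2f} ms max={max(xs)*1e3:.2f} ms")
    for no, info in error_responses(pk):
        print(f"frame {no}: {info}")
```

Run against the excerpt it reports that the client asks for basic info on the .xls four times and on its folder twice within a few milliseconds, that every QUERY_PATH_INFO is answered in well under a millisecond while the NT NOTIFY round trips take 70 to 130 ms, and that the GET_DFS_REFERRAL for \SID\TPA-DEPT fails with STATUS_NO_SUCH_DEVICE. In other words the server answers the metadata chatter quickly; a one-minute open has to be explained by how many such bursts the client issues and what it does between them, so run the script over the whole capture, not just this excerpt, and compare the counts with a capture from a machine where the file opens in 5 seconds.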
 
Bob I

Question, is it ONLY Excel spreadsheets? Or ALL MS Office files? Also, is
that computer's A-V set to "scan" Office files using some sort of Office
plugin?

 
Harrison Midkiff

Bob:

Thanks for your reply. It seems to be only Excel files when they are opened via
Windows Explorer. I tried a test by doing File/Open and it opened fine.
Strange.....

 
Bob I

You could try "Tools", "Options", "General" and tick "Ignore other
applications". See if that "cures" it.
