SMB2 traffic crashes network?

Posted by Phil Cross on Server Fault
Published on 2012-12-07T11:00:59Z Indexed on 2012/12/07 11:07 UTC

We've been having significant network slowdown issues over the past few weeks, primarily on a Friday morning. We run Windows 7 client machines, with Windows Server 2008 R2 servers.

What generally happens is the network starts to slow down massively at 08:55 and resumes normal speeds at around 09:20.

This affects everything on the network from logging on, resetting passwords, opening programs and files etc. On my client machine, Physical Memory usage remains at around 40% (normal) and CPU usage hovers around 0-10% idle.

The servers show memory usage that spikes massively and remains quite intense during the times mentioned above.

I have taken several wireshark captures, both during the slowdown and when the network operates fine.

One of the main things I noticed is the increase in SMB2 entries in the wireshark log during the slowdown.

Record Time         Source          Destination     Protocol Length Info
382    3.976460000  10.47.35.11     10.47.32.3      SMB2     362    Create Request File: pcross\My Documents
413    4.525047000  10.47.35.11     10.47.32.3      SMB2     146    Close Request File: pcross\My Documents
441    5.235927000  10.47.32.3      10.47.35.11     SMB2     298    Create Response File: pcross\My Documents\Downloads
442    5.236199000  10.47.35.11     10.47.32.3      SMB2     260    Find Request File: pcross\My Documents\Downloads SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: pcross\My Documents\Downloads SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *
573    6.327634000  10.47.35.11     10.47.32.3      SMB2     146    Close Request File: pcross\My Documents\Downloads
703    7.664186000  10.47.35.11     10.47.32.3      SMB2     394    Create Request File: pcross\My Documents\Downloads\WestlandsProspectus\P24 __ P21.pdf

These are some of the SMB2 records from a list of a couple of hundred which originate from my computer with a destination of the fileserver.

One of the interesting things to note is the last entry in the examples above is for a PDF file. That file was not open anywhere on my computer, or on anyone else's. No folders with the files in were open either.

When I took another capture when the network was running fine, there were hardly any SMB2 entries, and the ones that were displayed were mainly from Wireshark.

We currently have around 800 computers, 90 Macs and 200 Laptops and Netbooks. Our concern is if this traffic is happening on my computer, is it happening on other computers, and if so, would those computers be adding to the slow network issues?

Again, this only happens during certain times. We're pretty sure it's not our antivirus. Is there anything to narrow down what's initializing this SMB traffic during the particular times?

Or if anyone has any extra advice, or links to resources, it would be appreciated.
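
One way to compare a slowdown capture with a normal one, as an added example that is not part of the original post: it parses packet-list lines in the layout shown above and counts SMB2 requests per time bucket, client and command, and per path. The function names and the 60-second bucket are assumptions; the sample input is the excerpt from the post.

```python
import re
from collections import Counter

# Records copied from the capture excerpt in the post (packet-list text).
SAMPLE = r"""
382    3.976460000  10.47.35.11     10.47.32.3      SMB2     362    Create Request File: pcross\My Documents
413    4.525047000  10.47.35.11     10.47.32.3      SMB2     146    Close Request File: pcross\My Documents
441    5.235927000  10.47.32.3      10.47.35.11     SMB2     298    Create Response File: pcross\My Documents\Downloads
442    5.236199000  10.47.35.11     10.47.32.3      SMB2     260    Find Request File: pcross\My Documents\Downloads SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: pcross\My Documents\Downloads SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *
573    6.327634000  10.47.35.11     10.47.32.3      SMB2     146    Close Request File: pcross\My Documents\Downloads
703    7.664186000  10.47.35.11     10.47.32.3      SMB2     394    Create Request File: pcross\My Documents\Downloads\WestlandsProspectus\P24 __ P21.pdf
"""

# Columns: No, Time (seconds since capture start), Source, Destination, Protocol, Length, Info
ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*?)\s*$")
CMD = re.compile(r"^([\w ]+?) (Request|Response)\b")
# The path ends at the info-level name or at a ';' joining compounded commands.
PATH = re.compile(r"File: (.*?)(?: SMB2_\w+.*|;.*)?$")

def parse_records(text):
    """Return one dict per SMB2 line; anything else is skipped."""
    out = []
    for line in text.splitlines():
        row = ROW.match(line)
        cmd = CMD.match(row.group(7)) if row and row.group(5) == "SMB2" else None
        if not cmd:
            continue  # header, other protocols, unparseable lines
        path = PATH.search(row.group(7))
        out.append({"time": float(row.group(2)), "src": row.group(3),
                    "dst": row.group(4), "command": cmd.group(1),
                    "direction": cmd.group(2),
                    "path": path.group(1) if path else None})
    return out

def profile(records, bucket_seconds=60):
    """Count requests per (bucket start, source, command) and per path."""
    by_client, by_path = Counter(), Counter()
    for r in records:
        if r["direction"] != "Request":
            continue  # responses would double-count the same operation
        bucket = int(r["time"] // bucket_seconds) * bucket_seconds
        by_client[(bucket, r["src"], r["command"])] += 1
        if r["path"]:
            by_path[r["path"]] += 1
    return by_client, by_path

if __name__ == "__main__":
    clients, paths = profile(parse_records(SAMPLE))
    for key, n in sorted(clients.items()) + paths.most_common(5):
        print(key, n)
```

Running the same profile over a capture taken at the file server during the slow window and over one taken at a quiet time shows whether many clients are walking the same kind of paths in the same buckets.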
