This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

NBSS traffic… Large amounts = Network flood

I have a Database server sitting in one VLAN and a backup server sitting in another at our co-lo. Occasionally, we will lose connectivity to the co-lo. When I run Wireshark on a span port, I see massive amounts of:

137 0.012353000 10.10.1.253 17.16.1.151 NBSS 1434 [TCP ACKed unseen segment] [TCP Out-Of-Order] NBSS Continuation Message

or similar. If I can connect to the iLO on my backup server, I hit reboot and the problem goes away and users go back to normal. I don't get what this is; can someone help me understand what this message is?

asked 10 Sep '12, 10:50

shetldar


One Answer:

It's telling you a couple of things:

1) Your span itself is dropping packets. We know this because Wireshark is telling you that it saw an acknowledgement packet for a packet it did not see. In other words, it didn't see the original packet from the sender to the receiver. However, it saw the ACK coming from the receiver to the sender. So clearly, this is not a "real" packet loss. It wouldn't acknowledge something it didn't see.

2) Assuming your servers' IPs are 10.x and 17.x, it's kicking off some replication/synchronization, bulkcopy or some other file copy job. And the file copy (using Windows file copy aka NBSS) is saturating your pipes.

3) It's also telling you that you need to implement QoS if at all possible. The backup (?) traffic in question should have a lower QoS priority than your user traffic. In most cases, backup jobs or normal file copies are not time sensitive. It's not a transactional, time sensitive thing. So use QoS to give preferential treatment to your users' traffic and lower the priority on the backup traffic.

Good luck!

answered 10 Sep '12, 14:07

hansangb

(using Windows file copy aka NBSS)

I.e., the NetBIOS Session Service (NBSS) is used to transport SMB packets over TCP (Wireshark might also identify "SMB-over-TCP", i.e. port 443 traffic, as NBSS); SMB is the standard Windows remote file access protocol, so the backup is presumably doing a lot of copies to and/or from a "network drive" and thus causing a lot of network traffic saturating your pipes.

(Slightly more detailed explanation, in case the original poster wasn't familiar with NetBIOS-over-TCP and SMB.)

(10 Sep '12, 17:50) Guy Harris ♦♦
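
The reasoning in point 1 of the answer (an ACK for data the capture never saw means the capture, not the network, lost the frame), as an added example that is not part of the original posts and is not Wireshark's own code. The `Seg` record, sequence numbers and frame numbers are constructed; the two addresses are the ones from the packet line in the question.

```python
from collections import namedtuple

# One TCP segment as the capture point saw it (constructed model).
Seg = namedtuple("Seg", "no src dst seq length ack")
MOD = 2 ** 32

def seq_after(a, b):
    """True if sequence number a is strictly after b, modulo 2**32."""
    return 0 < (a - b) % MOD < 2 ** 31

def acked_unseen(segments):
    """Return frame numbers whose ACK covers bytes the capture never saw."""
    next_seq = {}  # (src, dst) -> highest seq+len captured in that direction
    flagged = []
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        # Judge an ACK only once the other direction has a baseline, so a
        # capture started mid-stream does not flag its first packets.
        if rev in next_seq and seq_after(s.ack, next_seq[rev]):
            flagged.append(s.no)
            next_seq[rev] = s.ack  # resync: report each gap once
        end = (s.seq + s.length) % MOD
        if fwd not in next_seq or seq_after(end, next_seq[fwd]):
            next_seq[fwd] = end
    return flagged

A, B = "10.10.1.253", "17.16.1.151"  # addresses from the question
# Constructed stream: what was really on the wire.
FULL = [
    Seg(1, A, B, 1000, 1380, 500),
    Seg(2, B, A, 500, 0, 2380),
    Seg(3, A, B, 2380, 1380, 500),
    Seg(4, B, A, 500, 0, 3760),
    Seg(5, A, B, 3760, 1380, 500),
    Seg(6, B, A, 500, 0, 5140),
]
# Same stream as a SPAN port that dropped frame 3 would deliver it.
LOSSY = [s for s in FULL if s.no != 3]

if __name__ == "__main__":
    print("full capture :", acked_unseen(FULL))
    print("lossy capture:", acked_unseen(LOSSY))
```

In the lossy capture the receiver still acknowledges bytes 2380 to 3759, so they reached it; only the capture is missing them.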