
Hello KBolt

The very first packets of your trace look like a capture taken from a SPAN port. Depending on the configuration, individual packets can be sent to the SPAN port twice: once when the packet arrives at the switch, and again when the packet is delivered to the destination port.

This becomes immediately clear when you look at the three-way handshake: the SYN-ACK from the server was recorded twice with a delta time of 150 microseconds. All other packets from 10.10.10.1 also show up twice. This is usually caused by the SPAN port definition.

Clearly, Wireshark is confused by the duplicate packets. You might want to use the editcap utility, which is part of the Wireshark distribution. Run editcap -d to remove these duplicate packets.

Since you are using SMB2 or SMB2 I suggest trying Wireshark's excellent Service Response Time feature: Statistics -> Service Response Time -> SMB2

In most cases, Read and Write operations should complete within a few milliseconds. Anything longer is worth investigating.

You can locate long response times by using the Find-packet feature (Ctrl-F): The display filter smb2.time > 0.1 would bring you to the next SMB2 transaction that took longer than 0.1 seconds.

Good luck

Eddi
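The two steps in the answer above (dropping SPAN-port duplicates the way editcap -d does, then finding SMB2 transactions whose response time exceeds 0.1 s as the filter smb2.time > 0.1 would) can be reproduced on a small constructed "capture" to see what each step changes. The script below is an added example, not code from the answer or from the Wireshark project: the frame list is constructed (server-side frames duplicated 150 microseconds apart, as described), dedup_frames only approximates editcap's default behaviour (length plus MD5 compared against a window of four earlier frames), and the SMB2 "frames" are plain text stand-ins rather than real SMB2 headers.

```python
import hashlib
from collections import deque

# Constructed sample capture: (timestamp in seconds, raw frame bytes).
# Frames from the server side appear twice, 150 microseconds apart,
# mimicking the SPAN-port duplication described in the answer.
SAMPLE_FRAMES = [
    (0.000000, b"SYN client->server"),
    (0.000300, b"SYN-ACK server->client"),
    (0.000450, b"SYN-ACK server->client"),      # SPAN duplicate
    (0.000700, b"ACK client->server"),
    (0.001000, b"SMB2 READ request msgid=1"),
    (0.002500, b"SMB2 READ response msgid=1"),
    (0.002650, b"SMB2 READ response msgid=1"),  # SPAN duplicate
    (0.003000, b"SMB2 WRITE request msgid=2"),
    (0.250000, b"SMB2 WRITE response msgid=2"), # slow: 247 ms
    (0.250150, b"SMB2 WRITE response msgid=2"), # SPAN duplicate
]


def dedup_frames(frames, window=4):
    """Approximation of editcap -d: drop a frame whose length and MD5 digest
    match one of the previous `window` frames (editcap's default window is 4).
    Duplicates are still recorded in the window, as editcap does."""
    recent = deque(maxlen=window)
    kept = []
    for ts, raw in frames:
        sig = (len(raw), hashlib.md5(raw).digest())
        is_dup = sig in recent
        recent.append(sig)
        if not is_dup:
            kept.append((ts, raw))
    return kept


def smb2_response_times(frames):
    """Pair each SMB2 request with its response by message id and return
    {msgid: (command, seconds)}; the seconds value is what smb2.time reports.
    A second (duplicate) response for an already-answered id is ignored."""
    pending = {}
    times = {}
    for ts, raw in frames:
        text = raw.decode()
        if not text.startswith("SMB2 "):
            continue
        _, cmd, kind, msgid_field = text.split()
        msgid = int(msgid_field.split("=")[1])
        if kind == "request":
            pending[msgid] = (cmd, ts)
        elif msgid in pending:
            cmd, req_ts = pending.pop(msgid)
            times[msgid] = (cmd, ts - req_ts)
    return times


def slow_transactions(times, threshold=0.1):
    """Equivalent of the display filter smb2.time > threshold: the message ids
    of transactions that took longer than `threshold` seconds."""
    return sorted(m for m, (_, secs) in times.items() if secs > threshold)


if __name__ == "__main__":
    kept = dedup_frames(SAMPLE_FRAMES)
    print(f"{len(SAMPLE_FRAMES)} frames in, {len(kept)} after de-duplication")
    times = smb2_response_times(kept)
    for msgid, (cmd, secs) in sorted(times.items()):
        print(f"msgid={msgid} {cmd:5s} {secs * 1000:.3f} ms")
    print("slow (> 0.1 s):", slow_transactions(times))
```

Running it drops the three duplicated server frames and reports the WRITE transaction (msgid 2) as the only one over the 0.1 s threshold; in a real trace the same pairing is done by Wireshark's SMB2 dissector, so the script is only meant to show why de-duplicating first keeps the response-time statistics honest.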