Ask Your Question

SMB2 copy issue and SRT

asked 2023-02-27 12:18:10 +0000

AL gravatar image

updated 2023-02-27 12:23:19 +0000

I am having an issue, copying a single large file (2GB) from a Server 2016 to a Windows 10 client. Both client and server on same network and subnet

2 laptops (different models), on one of the laptops copy takes about 5 mins as expected. One another laptop copy takes about 30 mins and in Windwos copy GUi I can see the transfer rate drop to 0 bytes per second and then increase

I took wireshark trace from both laptops and I am suspecting issue with the SMB2.

I did a SMB2 SRT analysis on the 2 laptops and on the laptop with slow copy the READ SRT sum value is very high, compared to the same read on the laptop with the good copy

Am I correct in thinking the issue is related to SMB on the client side

edit retag flag offensive close merge delete


It is propably a combination of factors. But a client which downgrades a connection type will have a dramatic adverse effect on the performance. But without actually looking at the packet capture it is very hard to tell. But in your case I would lok at the details at the start of the session. Nuances in the negotiation may decrease effentiency a lot.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2023-02-27 13:19:32 +0000 )edit

I did further testing can confirm issue is with SMB2

I copied same file from same server to same client using FTP and 2 Gb file took 7 minutes to copy

Same copy using SMB2 takes 30 mins.

AL gravatar imageAL ( 2023-03-07 10:29:51 +0000 )edit

I agree, I'd love to see the PCAPs for these transfers so that we could see exactly what is going on.

I would like to say that you have to be careful interpreting Wireshark's SRT values for SMB.

In a long time ago Ask Wireshark question:

there were very high SRT values - but they weren't a problem with the server at all. They were an artifact of the way that the SMB client made its READ requests. The client issued large bursts of READs all at once, sometimes more than 120 in one go. These were all done within a single TCP connection - meaning that they had to be serviced sequentially.

Imagine 100 READ requests all arrive at the server at once. The 100th will have to spend time in a server queue, waiting for the data in READ-1 through READ-99 to ...(more)

Philst gravatar imagePhilst ( 2023-04-13 03:42:05 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2023-02-27 21:46:36 +0000

Eddi gravatar image

Just a few ideas:

  • Is the disk full or very fragmented (note that fragmentation is less of an issue with SSDs)
  • Please check your System Event Log for Hardware Errors, especially Disk Errors
  • Another Event Log worth taking a look at is the WHEA Event Log
  • Do you have multiple anti-malware products installed? If so, try to go back to one or set an exclustion
  • Are your anti-malware products up to date?

And, of course, can you share the trace file, so that we might identify if the problem lies on the sender or on the receiver side.

Good luck!

edit flag offensive delete link more


The weird thing is the laptop with the copy issue is a new laptop latest i5 CPU and SSD hard disk where as the laptop with no issue is an old laptop i5 gen 3 CPU with a non SSD hard drive, so I doubt issue would be with the specification of the laptop

The laptop with no issue is running Microsoft built in AV where as the other laptop is running Sophos. I even disabled Sophos and this didnt resolve the issue.

I will upload both capture files

AL gravatar imageAL ( 2023-02-28 09:44:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2023-02-27 12:18:10 +0000

Seen: 274 times

Last updated: Mar 07 '23