This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB2 Error Troubleshooting


Hello,

I'm new to packet analysis and I'm looking for some direction on troubleshooting SMB2 errors.

I have a Windows 7 machine on a corporate network. As soon as I booted it up and logged in, I ran a packet capture. Filtering on SMB errors, I have a boatload of NT Status: STATUS_INVALID_PARAMETER (0xc000000d), NT Status: STATUS_NOT_A_REPARSE_POINT (0xc0000275) and NT Status: STATUS_OBJECT_PATH_NOT_FOUND (0xc000003a). Line after line of them in the same stream. All coming from the server back to the PC.

I've done a lot of searching on the errors but only seem to get Microsoft developer sites that give me no direction. Since it's a fresh reboot, I'm guessing the PC system is running something but have no idea how to proceed.

Does anyone have a troubleshooting methodology, web site, YouTube video, etc., for figuring out SMB errors?

asked 13 Aug '14, 08:57


Tom Fury


One Answer:


Hi,

The protocol is defined here - http://msdn.microsoft.com/en-gb/library/cc246482.aspx

There's a PDF version; just google [MS-SMB2]

You'll also find an introductory guide here - http://www.advance7.com/smb-2-file-server-protocol-overview

Best regards...Paul

answered 13 Aug '14, 14:57


PaulOfford

Paul,

Thanks for the information. The advance7 document really helped with giving me a baseline for how things should work. Unfortunately, I'm still struggling with how to figure out what is not happening correctly.

(18 Aug '14, 09:58) Tom Fury

Hi Tom,

What's the problem you are investigating?

Best regards...Paul

(19 Aug '14, 13:31) PaulOfford

Paul,

On my corporate desktop, I'm being flooded with the repeated SMB errors listed in the original posting above. I've done a lot of searching, but can't find any meaningful information about the errors that would point me in a direction.

It looks to me that my workstation is trying to write something to the server that it doesn't like. I'm troubleshooting it a step at a time and posted a separate question on the forum for information about a successful SMB2 Create that the packet gives me no information on what or where was created. Thanks for your answer on that posting too.

(20 Aug '14, 09:21) Tom Fury

Ok. STATUS_OBJECT_PATH_NOT_FOUND is common as a process tries to open things like .ini files that could reside in a number of directories. The other two I'll need to think about.

You might find it easier to track down the offending program with procmon. It would be pretty fast and simple. If you are up for having a go, check out http://www.lovemytool.com (yes that really is the name) and look for my blogs on procmon. That should give you enough info to do what's needed. Use procmon with Wireshark - again I cover that in a blog.

Procmon will tell you which process is issuing the file system call that is causing the error.

Best regards...Paul

(20 Aug '14, 14:48) PaulOfford
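
An added example, not part of the original thread: one way to turn the flood of error responses into a short list of failing requests, by pairing each SMB2 error response with its request on the same TCP stream and message ID and counting per status, command and file name. The tshark export command, the column order and the sample rows are assumptions constructed for illustration; the resulting paths are what you would then search for in procmon.

```python
import csv
import io
from collections import Counter

# tshark export this parser assumes (one SMB2 message per frame):
#   tshark -r capture.pcapng -Y smb2 -T fields -E separator=, -E quote=d \
#     -e frame.number -e tcp.stream -e smb2.msg_id -e smb2.flags.response \
#     -e smb2.cmd -e smb2.nt_status -e smb2.filename
FIELDS = ["frame", "stream", "msg_id", "is_response", "cmd", "nt_status", "filename"]
STATUS_NAMES = {  # the three codes quoted in the question
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC0000275: "STATUS_NOT_A_REPARSE_POINT",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}
COMMANDS = {5: "Create", 11: "Ioctl"}  # SMB2 command codes used in the sample
STATUS_PENDING = 0x00000103  # interim response; the final one follows later

# Constructed sample rows, not taken from a real capture.
SAMPLE = r'''"10","0","21","0","5","0x00000000","apps\tool\settings.ini"
"11","0","21","1","5","0xc000003a",""
"12","0","22","0","5","0x00000000","apps\settings.ini"
"13","0","22","1","5","0x00000000",""
"14","0","23","0","11","0x00000000",""
"15","0","23","1","11","0xc0000275",""
"16","0","24","0","5","0x00000000","apps\tool\settings.ini"
"17","0","24","1","5","0xc000003a",""
'''

def failed_requests(text):
    """Pair each error response with its request: (status, command, filename, request frame)."""
    pending, failures = {}, []
    for values in csv.reader(io.StringIO(text)):
        if len(values) != len(FIELDS):
            continue  # skip blank or malformed rows
        row = dict(zip(FIELDS, values))
        key = (row["stream"], row["msg_id"])  # MessageId is unique per connection
        if row["is_response"] in ("0", "False"):
            pending[key] = row
            continue
        status = int(row["nt_status"], 0)  # accepts hex or decimal output
        if status == STATUS_PENDING:
            continue  # keep the request until the final response arrives
        request = pending.pop(key, None)
        if request is None or status == 0:
            continue
        cmd = COMMANDS.get(int(request["cmd"]), request["cmd"])
        failures.append((STATUS_NAMES.get(status, hex(status)), cmd,
                         request["filename"], int(request["frame"])))
    return failures

def summarize(failures):
    """Count failures per (status, command, filename), most frequent first."""
    return Counter(f[:3] for f in failures).most_common()
```

Only Create requests carry a file name, so other commands are reported with an empty name and the request frame number is the way back to the packet.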