用Wireshark分析SMB2数据传输出现断层实例
通过Wireshark分析SMB2数据传输出现断层实例
今天碰到一个非编室五台非编工作站设备剪辑片子的时候出现花屏、卡屏的问题,排查之后觉得原因可能如下:
- SMB服务出现问题,在运行过程中出现自重启导致数据传输出现断层
- 网络问题,中途出现丢包或者数据帧被摧毁等情况
- 非编软件兼容性问题,在对容量较大的素材进行剪辑的时候出现花屏
经过排查,网络问题可能性最大。在非编机上安装Wireshark,进行剪辑的时候抓包查看
- 过滤器设置为
1 | ip.src==192.168.0.50 and ip.dst=192.168.0.100 and tcp.port==445 |
抓去源为192.168.0.50目标为192.168.0.100之间445端口的数据包
分析SMB数据包。
SMB数据包正常的样子如下
![SMB正常情况]()
数据包详情(为和后面不正常的数据包进行比较,选取的为Response包)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108No. Time Source Destination Protocol Length Info
19546 6.100517 192.168.0.100 192.168.0.50 SMB2 298 Create Response File: ???\??\L\???????\Transferred\5F037F5E-A924-4A37-8E27-D5F7A4A3BD7F.png
Frame 19546: 298 bytes on wire (2384 bits), 298 bytes captured (2384 bits) on interface 0
Ethernet II, Src: DawningI_18:b3:1e (e8:61:1f:18:b3:1e), Dst: AsustekC_16:c9:8b (10:7b:44:16:c9:8b)
Internet Protocol Version 4, Src: 192.168.0.100, Dst: 192.168.0.50
Transmission Control Protocol, Src Port: 445, Dst Port: 49842, Seq: 2995906, Ack: 2310166, Len: 244
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 1
NT Status: STATUS_SUCCESS (0x00000000)
Command: Create (5)
Credits granted: 1
Flags: 0x00000031, Response, Priority
.... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
.... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
.... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
.... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
.... .... .... .... .... .... .011 .... = Priority: This pdu contains a PRIORITY
...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
Chain Offset: 0x00000000
Message ID: Unknown (12217121)
Process Id: 0x0000feff
Tree Id: 0x513362de
Session Id: 0x00000000b6b8df0a
Signature: 00000000000000000000000000000000
[Response to: 19545]
[Time from request: 0.000240000 seconds]
Create Response (0x05)
StructureSize: 0x0059
Oplock: No oplock (0x00)
Response Flags: 0x00
Create Action: The file existed and was opened (1)
Create: Aug 30, 2017 12:37:20.000000000 中国标准时间
Last Access: Sep 5, 2017 13:52:48.905407000 中国标准时间
Last Write: Aug 30, 2017 12:37:20.000000000 中国标准时间
Last Change: Aug 30, 2017 12:37:20.000000000 中国标准时间
Allocation Size: 2097152
End Of File: 1585585
File Attributes: 0x00000020
.... .... .... .... .... .... .... ...0 = Read Only: NOT read only
.... .... .... .... .... .... .... ..0. = Hidden: NOT hidden
.... .... .... .... .... .... .... .0.. = System: NOT a system file/dir
.... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID
.... .... .... .... .... .... ...0 .... = Directory: NOT a directory
.... .... .... .... .... .... ..1. .... = Archive: Modified since last ARCHIVE
.... .... .... .... .... .... .0.. .... = Device: NOT a device
.... .... .... .... .... .... 0... .... = Normal: Has some attribute set
.... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file
.... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file
.... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
.... .... .... .... .... 0... .... .... = Compressed: Uncompressed
.... .... .... .... ...0 .... .... .... = Offline: Online
.... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed
.... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
Reserved: 00000000
GUID handle File: ???\??\L\???????\Transferred\5F037F5E-A924-4A37-8E27-D5F7A4A3BD7F.png
File Id: 3b36f0dc-0000-0000-bdb5-09d400000000
[Frame handle opened: 19546]
[Frame handle closed: 19547]
ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID
Offset: 0x00000098
Length: 88
Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
Chain Offset: 0x00000020
Tag: MxAc
Offset: 0x00000010
Length: 4
Data: MxAc INFO
Offset: 0x00000018
Length: 8
MxAc INFO
Query Status: STATUS_SUCCESS (0x00000000)
Access Mask: 0x001f01ff
.... .... .... .... .... .... .... ...1 = Read: READ access
.... .... .... .... .... .... .... ..1. = Write: WRITE access
.... .... .... .... .... .... .... .1.. = Append: APPEND access
.... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access
.... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access
.... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
.... .... .... .... .... .... .1.. .... = Delete Child: DELETE CHILD access
.... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
.... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access
.... .... .... ...1 .... .... .... .... = Delete: DELETE access
.... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID
.... .... .... .1.. .... .... .... .... = Write DAC: OWNER may WRITE the DAC
.... .... .... 1... .... .... .... .... = Write Owner: Can WRITE OWNER (take ownership)
.... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
.... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
Chain Offset: 0x00000000
Tag: QFid
Offset: 0x00000010
Length: 4
Data: QFid INFO
Offset: 0x00000018
Length: 32
QFid INFO
Opaque File ID: b66b04000000000000fd0000000000000000000000000000...- 从I/O图标中可以看到,中途43-61秒出现数据断层,SMB没有数据传输
- 观察43-61秒数据传输过程,出现大量
NT Status: STATUS_INSUFFICIENT_RESOURCES (0xc000009a)报错
出现的报错基本如下
NT Status: STATUS_NOTIFY_ENUM_DIR (0x0000010c)NT Status: STATUS_PENDING (0x00000103)NT Status: STATUS_FILE_IS_A_DIRECTORY (0xc00000ba)NT Status: STATUS_INSUFFICIENT_RESOURCES (0xc000009a)
报错数据包的解读
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38No. Time Source Destination Protocol Length Info
175097 42.315681 192.168.0.100 192.168.0.50 SMB2 131 Create Response, Error: STATUS_INSUFFICIENT_RESOURCES
Frame 175097: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on interface 0
Ethernet II, Src: SuperMic_9d:a8:ee (0c:c4:7a:9d:a8:ee), Dst: AsustekC_16:c9:8b (10:7b:44:16:c9:8b)
Internet Protocol Version 4, Src: 192.168.0.100, Dst: 192.168.0.50
Transmission Control Protocol, Src Port: 445, Dst Port: 49842, Seq: 19602360, Ack: 17867316, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 1
NT Status: STATUS_INSUFFICIENT_RESOURCES (0xc000009a)
Command: Create (5)
Credits granted: 1
Flags: 0x00000031, Response, Priority
.... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
.... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
.... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
.... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
.... .... .... .... .... .... .011 .... = Priority: This pdu contains a PRIORITY
...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
Chain Offset: 0x00000000
Message ID: Unknown (12288860)
Process Id: 0x0000feff
Tree Id: 0x513362de
Session Id: 0x00000000b6b8df0a
Signature: 00000000000000000000000000000000
[Response to: 175095]
[Time from request: 0.000300000 seconds]
Create Response (0x05)
StructureSize: 0x0009
Error Context Count: 0
Reserved: 0x00
Byte Count: 0
Error Data: 00可以看到二层帧头和三层包头以及TCP头部和SMB载荷头部都没有问题,问题处在SMB数据载荷,基本为空白,也就是说请求的数据从服务器端发送到客户端为空白数据。
microsoft官方解释
0x80000006STATUS_NO_MORE_FILESji 描述 0xC00000BASTATUS_FILE_IS_A_DIRECTORY The file that was specified as a target is a directory and the caller specified that it could be anything but a directory. 0xC000009ASTATUS_INSUFFICIENT_RESOURCES Insufficient system resources exist to complete the API. 0x80000006STATUS_NO_MORE_FILES No more files were found that match the file specification.
对解释的解读为服务器端资源不足,无法完成请求,或者资源不足请求的文件夹无法被服务器定位。造成上述原因在于SMB服务器内存资源不足,在同时对大量用户进行异步数据读取写入,并且数据量较大时会出现内存占用过多,无法及时回收,造成以上卡屏、花屏现象。