Wireshark - Resolve high number of SMB2 packets

In this example, the capture has just over 100,000 packets. Selecting Statistics > Protocol Hierarchy shows that 99.6% of the packets are SMB2. In this network, there is a Linux Samba server that is configured to share a network drive. The capture was done on a Windows client, and the Windows client has mapped the network drive.


It may be tempting to conclude that something is wrong with the Samba server, but that would be a false conclusion. There is a very simple reason for the high number of SMB2 packets: a folder of the network share was open on the client PC.

Spot checking the capture, most of the SMB2 packets referenced "Music\a_E_Drive_Backup". This means the client PC had the "Music\a_E_Drive_Backup" folder open; that folder contains thousands of files, which is why there is such a high volume of SMB2 traffic in the capture.

