From: John Wunderlich on
Bo Berglund <boberglund(a)myotherhome.sec> wrote in
news:c5ubp59ipeae4uqo524mai6divffqcscaj(a)4ax.com:

>> My first step would be to eliminate all mapped network drives,
>> particularly ones that map to XP Home and Pro machines. Instead,
>> use
>
> My problems happen on our corporate LAN and there are absolutely
> no XP-Home machines there. All mapped drives (I have 4) are
> towards Windows 2003 Servers, so these should be OK.

OK. This is new information. Your problem still seems to be associated
with re-attaching to a network mapping which has apparently gone idle.

>
>> shortcuts to a UNC path or a UNC path itself to access a network
>> resource. The advantage here is that accessing "My Computer"
>> will not attempt to connect to these networked drives and
>> possibly eliminate your delay. (Mapped drives are shown under "My
>> Computer"
>
> I never ever use "My Computer" or "My Documents".....

Maybe not directly but "select the dropdown combobox at top of dialog"
brings up a window that contains "My Computer and the lettered drives
within. "Scroll the folder list in Windows Explorer until network
drive..." (same thing); "Dir I:" references network drive; MS Word
lockup may be different... are you editing a file on a network drive at
the time? It could be when "autosave" kicks in it accesses contents of
"My Computer" behind the scenes.

I still would eliminate network drive mapping in favor of UNC/shortcut
access, at least temporarily, in an attempt to discover which network
connection is having problems.

John-John's suggestion of not allowing network card to power down also
has merit.

HTH,
John

From: Bo Berglund on
On Tue, 09 Mar 2010 08:29:01 -0400, John John - MVP
<audetweld(a)nbnot.nb.ca> wrote:

>Bo Berglund wrote:
>Check the Power Management setting on the network adapter's properties
>and see if it is set to 'Allow the computer to turn off the device to
>save power', maybe the adapter gets turned off while you are working.
>

I don't think it is a powerdown problem because whenever the lockup
happens (it lasts for 3 minutes) then I can use my web browser just
fine via the same NIC and I can open a command window and ping
successfully the server on which my mapped drive resides.

So it seems that neither my own nor the server's NIC is in fact dead,
it is just the UNC name handling that has gone haywire....

--

Bo Berglund (Sweden)
From: Bo Berglund on
On Tue, 09 Mar 2010 16:32:58 GMT, John Wunderlich
<jwunderlich(a)lycos.com> wrote:

>Bo Berglund <boberglund(a)myotherhome.sec> wrote in
>news:c5ubp59ipeae4uqo524mai6divffqcscaj(a)4ax.com:
>
>>> My first step would be to eliminate all mapped network drives,
>>> particularly ones that map to XP Home and Pro machines. Instead,
>>> use
>>
>> My problems happen on our corporate LAN and there are absolutely
>> no XP-Home machines there. All mapped drives (I have 4) are
>> towards Windows 2003 Servers, so these should be OK.
>
>OK. This is new information. Your problem still seems to be associated
>with re-attaching to a network mapping which has apparently gone idle.

As I said above this happens at work, so today (I'm back home now) I
made an experiment:
I created a Delphi application that has a timer inside and every time
this times out I run a FileExist call on a file that I have put on the
server (\\server\share\path\filename)

The timer interval is set to 1 second and I read the current time tick
before and after the FileExist call. Then I compute the execution time
and if it is longer than 2 s I log the event.

During 5 hours of monitoring it detected 4 events of this kind, each
lasting between 174 and 186 seconds....

>
>I still would eliminate network drive mapping in favor of UNC/shortcut
>access, at least temporarily, in an attempt to discover which network
>connection is having problems.

Well, the test described above uses a unc path to the file but it does
not help....

>John-John's suggestion of not allowing network card to power down also
>has merit.
>
As I replied to him, while the UNC problem is on I can use my own NIC
for standard TCP/IP connections like web browsing and ping. And the
server I am trying to access by UNC responds immediately to ping
requests. So its NIC is also not dead.

So it is definitely something amiss with the UNC handling.

I downloaded and installed Wireshark in order to try and see what is
going on on my NIC, but unfortunately it records way too much data for
me to make anything sensible out of.....

--

Bo Berglund (Sweden)
From: John Wunderlich on
Bo Berglund <boberglund(a)myotherhome.sec> wrote in
news:7v0dp59iftllhk1ce0h4l8ql3ntr6ibafm(a)4ax.com:

> So it is definitely something amiss with the UNC handling.
>
> I downloaded and installed Wireshark in order to try and see what
> is going on on my NIC, but unfortunately it records way too much
> data for me to make anything sensible out of.....
>
>

It would probably help a little with the volume of data to only
capture the data of interest. When you start Wireshark, click the
"Capture Option" and where you see "Capture Filter", enter a filter of:

host 192.168.1.123 && (port 135 || port 137 || port 138 || port 139 || port 445)

Where you substitute the IP address of your server where you see "192.168.1.123"
This still may capture a lot of data but once you hit your hangup,
you can examine the last of the capture.

HTH,
John
From: Bo Berglund on
On Tue, 09 Mar 2010 22:22:12 GMT, John Wunderlich
<jwunderlich(a)lycos.com> wrote:

>Bo Berglund <boberglund(a)myotherhome.sec> wrote in
>news:7v0dp59iftllhk1ce0h4l8ql3ntr6ibafm(a)4ax.com:
>
>> So it is definitely something amiss with the UNC handling.
>>
>> I downloaded and installed Wireshark in order to try and see what
>> is going on on my NIC, but unfortunately it records way too much
>> data for me to make anything sensible out of.....
>>
>>
>
>It would probably help a little with the volume of data to only
>capture the data of interest. When you start Wireshark, click the
>"Capture Option" and where you see "Capture Filter", enter a filter of:
>
>host 192.168.1.123 && (port 135 || port 137 || port 138 || port 139 || port 445)
>
>Where you substitute the IP address of your server where you see "192.168.1.123"
>This still may capture a lot of data but once you hit your hangup,
>you can examine the last of the capture.
>

Thanks for this! It really cut back on the info being recorded.

I have kept my test application running all day while at the same time
letting Wireshark record with your filter in place. I have had more
than 10 blackouts during this time each lasting 3 minutes. :-(

With the log from my test application I can see the timestamp of the
probelm and locate the right spot in the Wireshark capture file.

The result is really strange. Here are events from one of the lockups:

2612 13:02:03.660702 172.30.176.35 172.30.177.70 SMB Tree
Disconnect Request
2613 13:02:03.660967 172.30.177.70 172.30.176.35 SMB Tree
Disconnect Response
2614 13:02:03.661084 172.30.176.35 172.30.177.70 SMB Logoff
AndX Request
2615 13:02:03.661523 172.30.177.70 172.30.176.35 SMB Logoff
AndX Response
2616 13:02:03.661616 172.30.176.35 172.30.177.70 SMB Tree
Disconnect Request
2617 13:02:03.661846 172.30.177.70 172.30.176.35 SMB Tree
Disconnect Response

The above is where the blackout starts.
After 2 minutes there are a bit of activity from KeepAlive packets:

2623 13:04:03.100948 172.30.177.14 172.30.176.35 TCP [TCP
Keep-Alive] microsoft-ds > fg-fps [ACK] Seq=158703 Ack=117676
Win=63014 Len=1
2624 13:04:03.100999 172.30.176.35 172.30.177.14 TCP [TCP
Keep-Alive ACK] fg-fps > microsoft-ds [ACK] Seq=117676 Ack=158704
Win=36451 Len=0 TSV=4957644 TSER=16429060
2625 13:04:03.802338 172.30.177.70 172.30.176.35 TCP [TCP
Keep-Alive] microsoft-ds > abcvoice-port [ACK] Seq=2848 Ack=6057
Win=65536 Len=1
2626 13:04:03.802389 172.30.176.35 172.30.177.70 TCP [TCP
Keep-Alive ACK] abcvoice-port > microsoft-ds [ACK] Seq=6057 Ack=2849
Win=145688 Len=0 TSV=4957650 TSER=163213097

Then this happens 2.5 minutes into the blackout:
2627 13:04:29.636063 172.30.177.70 172.30.176.35 TCP
microsoft-ds > abcvoice-port [RST, ACK] Seq=2849 Ack=6057 Win=0 Len=0

And finally the end of blackout is signalled by these packets:
2628 13:04:58.511867 172.30.176.35 172.30.177.14 SMB Trans2
Request, QUERY_PATH_INFO, Query File Basic Info, Path: \Bosse
2629 13:04:58.512593 172.30.177.14 172.30.176.35 SMB Trans2
Response, QUERY_PATH_INFO
2630 13:04:58.513369 172.30.176.35 172.30.177.14 SMB Trans2
Request, FIND_FIRST2, Pattern: \Bosse\CheckFile.txt
2631 13:04:58.514038 172.30.177.14 172.30.176.35 SMB Trans2
Response, FIND_FIRST2, Files: CheckFile.txt

From now on the network is OK until the next blackout, which can
happen anytime....
All blackouts last 3 minutes within about 5 seconds and they have the
same basic structure as shown above. Sometimes there are a few TCP
packets inside the blackout (the .... section above) but most often
there is nothing the first 2 minutes until the KeepAlive starts.

What can I do to find out why there are disconnect and logoff requests
posted to the domain controller (172.30.177.70)???
And most importantly to stop it from happening....

--

Bo Berglund (Sweden)