There 6 remotely mounted volumes on a workstation, 4 NFS, 2 SMB. The connection for each volume is tested once every two (2) seconds. This seems ridiculously excessive.
I have unmounted the SMB volumes. It reduced the probes (observed by Wireshark) to only the NFS volumes. The reverse is true: unmounting the NFS volumes shows only probes for the SMB volumes. Which indicates the probes are initiated by the workstation, not the remote hosts.
Where would I find what controls how often remote volumes are tested for existence?
The issue is a level above SMB (and NFS) anyway, at a more abstract network level. When the SMB volumes are unmounted, the probes continue on the NFS volumes. When the NFS volumes are unmounted, the probes continue on the SMB volumes.
AFAICT the issue is NOT a samba issue. It also affects NFS volumes.
It appears to be some aspect of filesystems control. If I unmount all of the remote volumes, the probes disappear (no trace in Wireshark). If only NFS volumes are mounted, those receive the probes, If only the SMB volumes are mounted, those receive the probes. If both are mounted, both receive the probes.
OK,
I’m having some problems working with your unusual terminology, “probes” is not a typical way to properly describe what you should be experiencing, keepalives are what are implemented to maintain connectivity.
Your description about seeing them when shares are mounted only (and not seen when unmouted) has only limited value because keepalives might be expected for each type of network share.
If you’re captured and inspected packets using Wireshark, then what does Wireshark say about these “probes?”
How does Wireshark classify these packets?
Have you inspected the payloads for any clues?
Is there a pattern and is there any other traffic which might be related to your “probe” traffic?
If you don’t know what to look for in a packet analysis, you can post a screenshot or relevant logs to a pastebin and post the link here.
[/FONT]The NFS packet pair occurs for each NFS volume; there are 4.
The SMB packet pair occurs for each SMB volume; there are 2.
FH = file handle? The same number repeats for each volume.
Have you inspected the payloads for any clues?
Yes. The packets are small, about 200 bytes. There is no textual information. There are probably flags and bit values; I do not know how to read them.
Is there a pattern and is there any other traffic which might be related to your “probe” traffic?
Yes, there is a pattern. The above keepalives (aka: probes), 6 pairs of packets, occur every two seconds.
No, there is no other regular traffic associated with these packets.
Generally when people ask for packet captures, you should post the raw data, either the complete capture or very carefully removing what you know cannot be relevant. And, additional packet data might provide context to the packet streams.
It’s unlikely that anyone can offer any new insight into a couple lines,
There is a chance someone might look at the raw data and see something new.
By a screen capture, I also would have meant displaying a Wireshark display which might show a fair amoun of info although would duffer from not being interactive.
I don’t find this excessive. AFAIK network filesystems need to be checked for their existence all the time.
None of the other workstations (2 of them) indulge such frequent updates. In fact none of the other systems use those packet types; they use an “Echo” or “Renew” request once a minute.