Export (0) Print
Expand All

Configuring Windows NT Satellite Networking at Coho Winery

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
By Jim Gowler, MCS—Great Lakes

Editor's Note This article is excerpted from "Optimizing Network Traffic," which is part of the Microsoft Press Notes From the Field series that outlines the best system management practices and procedures. For more information on this and other Microsoft Press books, go to http://www.microsoft.com/mspress/.

Enterprise network infrastructure often includes a variety of communication media and links: Ethernet, integrated services digital network (ISDN), frame relay, dial-up lines, and satellite connections. This chapter focuses on using Microsoft Transmission Control Protocol/Internet Protocol (TCP/IP) with Microsoft Windows for Workgroups 3.11, Windows 9x, Windows NT Workstation and Server, and Windows 2000 in an Ethernet local area network (LAN) environment communicating to remote sites over satellite connections. The configuration recommendations also apply to wide area networks (WANs) and dial-up connections.

On This Page

In Focus
Enterprise Requirements
Overview of Satellite Communications
Services and Application Transactions
NETLOGON.BAT (Batch File Execution)
Copy Command (CMD, WINFILE, Explorer)
Microsoft Word 97
Microsoft Excel 97
Microsoft PowerPoint 97
Microsoft Outlook 98
SMTP Transport
IMAP4 Transport
Microsoft Outlook Web Access (OWA)
Microsoft Exchange Server
Microsoft SQL 6.5/7.0
TCP Sockets
Performance Results

In Focus

Enterprise

Coho Winery, a growing company with vineyards throughout North America and Australia, and international distributorships.

Network

Over 8000 remote offices and distributorships linked to the corporate headquarters based in Napa Valley over satellite connections.

Challenge

Systems administrators must optimize the network for satellite communications, configuring packet transmission latency (lag time), the Server Message Block (SMB) size on Windows NT Server, and the Maximum Transmit Unit (MTU) size of the LAN.

Solution

Satellite links typically impose the highest latency of any media, and they require more complex parameter adjustment to optimize network communications.

What You'll Find In This Chapter

  • How to test, assess, and deal with latency in your network.

  • How to configure networks effectively for the varying speeds found in networks incorporating satellite links.

  • How to adjust parameters for replication in large networks and those with multiple-processor PDCs and BDCs. (This discussion also explains which parameters do not require adjustment and why.)

  • How to incorporate configuration ideas on most Microsoft operating systems (Windows NT Server/Workstation, Windows 2000 Server/Professional, Windows for Workgroups, Windows 9x) and Microsoft server applications such as Microsoft SQL Server and Microsoft Exchange Server.

Warning: This chapter makes recommendations for modifying or adding Windows registry parameters with REGEDIT.EXE or REGEDT32.EXE. Using Registry Editor incorrectly can cause serious, system-wide problems that require you to reinstall Windows NT. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

Windows NT setup installs two versions of Registry Editor: REGEDT32.EXE (the Windows NT version) and REGEDIT.EXE (the Windows 9x version). Although you can use REGEDIT.EXE to search for keys and values in Windows NT 4.0, use REGEDT32.EXE to edit the Windows NT registry.

Enterprise Requirements

The recommendations and best practices in this chapter address some basic networking requirements.

For Windows for Workgroups, Windows 9x, Windows NT Workstation, and Windows 2000 Professional, each desktop:

  • Uses TCP/IP for network communications.

  • Can browse every corporate-supported resource server in the LAN.

  • Can browse every corporate-supported resource server in the WAN.

  • Communicates over satellite links.

For Windows NT Server, Windows 2000 Server, Microsoft SQL Server, and Microsoft Exchange, each server and service:

  • Uses TCP/IP for network communications.

  • Has access to every corporate-supported resource server in the LAN.

  • Has access to every corporate-supported resource server in the WAN.

  • Communicates over satellite links.

Overview of Satellite Communications

A typical network with satellite links includes earth stations (remote sites) that communicate to a hub site (also an earth station) that serves as the main data center in the enterprise. The hub site does not have to be at the same physical location of the main data repository; it can be a remote site with a secure connection to a LAN or a WAN.

An earth station consists of a satellite dish (with a central head) and a digital interface unit (DIU) connected to the local network through a turbo port card. The dish transmits and receives data to the satellite (bird). Dish bandwidths vary from 128 Kbs to 1 Mbs. The available bandwidth to each earth station can be divided (the term is carved) into separate channels varying from 9600 baud to 1 Mb.

You can configure the maximum transmit unit (MTU) size of data sent through software and hardware and over satellite links to a maximum of 1500 bytes to match the default size of the DIU. You can also drop the MTU below this figure to match available bandwidth for performance reasons. The circled numbers in the figure apply to the explanation that follows.

Figure 6.1: Communications between earth stations and the hub site.

Figure 6.1: Communications between earth stations and the hub site.

The terminology that describes satellite communications is similar to other telecommunications terminology. All communications from the hub site are outbound transmissions (1), and all communications to the hub site are inbound transmissions (2). Communications from the satellite to the remote earth stations are outroute (3), and communications to the satellite from the remote earth station are inroute (4).

Network administrators must tune three areas to optimize satellite links for networking communications: packet transmission latency (lag time), the Server Message Block (SMB) size of Windows NT Servers, and the LAN's maximum transmit unit (MTU) size. These areas are discussed in the next three sections.

Latency

The following illustrations show the results of using PING.EXE to test latency across network segments. These use baseline measurements set in a test lab; individual measurements and results vary with network design.

Figure 6.2: Checking latency period on a LAN using PING.

Figure 6.2: Checking latency period on a LAN using PING.

Figure 6.2 uses the PING utility to set a reference point for latency in milliseconds (ms). In this example, a local PING reports a latency less than 10 ms.

Figure 6.3: Checking latency across a local router.

Figure 6.3: Checking latency across a local router.

This shows a local router with a latency of 10 ms or less. Latency increases as router load and the number of routers increase.

Figure 6.4: Checking latency across a remote router or bridge.

Figure 6.4: Checking latency across a remote router or bridge.

Figure 6.4 shows PING results in a WAN environment. Here response time increases substantially from less than 10 ms to more than 110 ms. By default Microsoft's implementation of TCP/IP addresses potential LAN and WAN latency by setting the wait time to 750 ms. This is important, because when latency starts approaching wait time, as it often does over WANs, timeouts (and communications failures) increase.

When sending a PING from the hub site to the satellite (outbound) and from there to a remote earth station (outroute) the test returns these results (the path is from 1 to 3 in Figure 6.1):

Pinging 123.456.789.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

When using the commands below, the NetBIOS TCP (NetBT) stack also fails when communications travel outbound from the hub site, over the satellite, and outroute to a remote earth station. Both the PING utility and the NET USE DOS command use a Broadcast Query Time-out value to locate the destination host:

NET VIEW \\SATURN
System error 53 has occurred.

NET USE Z: \\SATURN\NETLOGON
System error 53 has occurred.

To troubleshoot, use the PING utility with the -w option to increase the ms time-out value and determine the network latency. The results in this example are:

PING 123.123.123.10 -w 1600

Pinging 197.127.135.10 with 32 bytes of data:

Reply from 123.123.123.10: bytes=32 time=1382ms TTL=32
Reply from 123.123.123.10: bytes=32 time=1331ms TTL=32
Reply from 123.123.123.10: bytes=32 time=1342ms TTL=32
Reply from 123.123.123.10: bytes=32 time=1342ms TTL=32

After you have determined the proper ms time-out value, you can modify the Broadcast Query Time-out values for workstations to accommodate the latency across satellite links.

Configuring BcastQueryTimeout Values

The default value for BcastQueryTimeout is 750 ms (hexadecimal value 2ee). In the previous example, the satellite (123.123.123.10) has a latency period greater than 1300 ms. You can increase this value to 1600 ms, allowing NBT name query to resolve machine names submitted via the NET USE command.

Note: The PING.EXE utility only creates its packets: it does not resolve a hostname to an IP address, nor does it use the NBT to do so. Increasing the BcastQueryTimeout parameter does not apply to PING, but does work for all other WINSOCK and NBT programs.

  • For Windows for Workgroups 3.11, modify the SYSTEM.INI file:

    [NBT]
    BcastQueryTimeout =
    Default: 750

For Windows 9x, edit the BcastQueryTimeout registry subkey:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \VxD \MSTCP

For Windows NT versions through 4.0, and Windows 2000, modify the BcastQueryTimeout parameter:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \NetBT \Parameters \BcastQueryTimeout

Cc767910.opt6_5(en-us,TechNet.10).gif

Figure 6.5: Using Registry Editor (REGEDIT.EXE) to configure BcastQueryTimeout in Windows NT.

To modify this setting, double-click on the parameter in the right pane of the Registry Editor window, bringing up the Edit DWORD Value window:

Figure 6.6: Edit DWORD Value window to modify BcastQueryTimeout.

Figure 6.6: Edit DWORD Value window to modify BcastQueryTimeout.

Server Message Block (SMB)

Configuring SizReqBuf for Windows NT Server versions 3.5x

Windows NT Server manages input/output by carving data into blocks. When enough memory is available, it operates in raw mode, allocating large blocks of data (64 KB). When there is not enough memory, the server uses a request buffer for large- and small-block reads/writes. You can configure these sizes in the SizReqBuf parameter (default 4356 bytes, range 512 to 65536).

By increasing the SizReqBuf to match the TCP/IP window for RawIoTimeLimit, EnableRaw, and MaxLinkDelay (discussed in the next section), you can load-balance the system for buffering when there is not enough memory available to run in raw mode. Two common increases are:

  • 12288 to match the default transmission size of Windows 95 and Windows for Workgroups 3.11's internal reads/writes buffering of the 32-bit redirector.

  • 12548 to create best throughput and support for Windows NT Server, Windows for Workgroups 3.11, Windows 9x.

The redirector in Windows NT Server and Workstation can dynamically adjust to operate in raw state or to use the request buffer (SizReqBuf), which does not affect raw requests from a remote Windows NT Workstation/Server, Windows for Workgroups 3.11, or Windows 9x nodes. It controls the data flow only to nodes with other operating systems.

Windows NT Server and Workstation by default invoke raw mode when requested by other Windows NT computers. When the connection is established, the redirector determines if it is over a slow link and uses SizReqBuf if it is.

To modify the SizReqBuf registry subkey:

  1. Start Registry Editor (REGEDT32.EXE).

  2. Go to this subkey:

    HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \LanmanServer \Parameters \SizReqBuf

To add the SizReqBuf registry subkey:

  1. Create the SizReqBuf value using this information:

    Value name: SizReqBuf

    Data type: REG_DWORD (DWORD)

    Data: 512 to 65536 (bytes in decimal)

  2. Close Registry Editor and restart the computer.

For more information on this registry subkey, see Microsoft Knowledge Base article 177266, Title: Remote Directory Lists Are Slower Than Local Directory Listings.

In a Windows NT 3.5x environment, the redirector counts the amount of data in a specified time frame to decide if the connection a slow link. If it is, the operating system switches to request buffer input/output.

Configuring RawIoTimeLimit for Windows NT 3.5x (and 4.0)

This Windows NT registry parameter (default 5 seconds) allows you to set the redirector to send data in 64-KB blocks (raw mode) if you are not using Remote Access Service (RAS). Increasing the timing interval "tricks" the operating system into thinking a higher speed connection exists, causing it to shift into raw mode. For example, if you increase the RawIoTimeLimit parameter to 20, the redirector switches into raw mode, without having to make special calculations to find a boundary for SizReqBuf.

  1. Start Registry Editor (REGEDT32.EXE).

  2. Go to this subkey:

    HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \Rdr \Paramaters \RawIoTimeLimit

  3. If this value does not exist, add it using these parameters:

    Value name: RawIoTimeLimit

    Data type: REG_DWORD (DWORD)

    Data range: 0 to 65535 seconds

  4. To stop and restart the redirector use the commands net stop rdr and net start rdr from a command prompt. This puts the new setting into effect.

Cc767910.opt6_7(en-us,TechNet.10).gif

Figure 6.7: Using Registry Editor (REGEDIT.EXE) to search for RawIoTimeLimit in Windows NT.

Warning: Although you can use the RawIoTimeLimit parameter to speed up copying from a network server down to the desktop, you cannot use it with RAS because copying data from the desktop up to a RAS server overrides that server's serial line, truncates the copy, and exits. The only error seen on the workstation is copy failure. On the server side, the modem reports CRC errors and disconnects the network session.

Configuring Windows NT 4.0 and Windows 2000 (EnableRaw and MaxLinkDelay)

The previous parameter modifications enable raw detection over the WAN with satellite connections. You do not need to implement them on Windows NT 4.0 because processing raw SMBs can impede performance on some networks. You can disable the raw mode by adding the parameter EnableRaw and setting it to 0:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanServer \Parameters \EnableRaw

Cc767910.opt6_8(en-us,TechNet.10).gif

Figure 6.8: Using Registry Editor (REGEDIT.EXE) to search for EnableRaw.

For more information, see Knowledge Base article 127023, Title: Raw SMB Requests Across Router Results in Session Termination.

MaxLinkDelay specifies the maximum time allowed for a link delay (default 60 seconds) before a server automatically disables raw mode input/output for a connection. Increase the MaxLinkDelay registry subkey to override this feature:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanServer \Parameters \MaxLinkDelay

Cc767910.opt6_9(en-us,TechNet.10).gif

Figure 6.9: Using Registry Editor (REGEDIT.EXE) to search for MaxLinkDelay.

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \rdr \Parameters \RawIoTimeLimit

You can modify or add the parameter RawIoTimeLimit to Windows NT 4.0 and Windows 2000 (see the above section "Configuring RawIoTimeLimit for Windows NT 3.5x (and 4.0)") in network configurations using the NetBIOS gateway. When turned on, this setting can increase throughput by 10-15 percent, blocking all other data transfers. By default, RawIoTimeLimit is disabled over slow links speeds of 14,400 BPS (or slower) and enabled (default 5 seconds) over faster links, such as ISDN lines.

For more information, see the Windows NT Server Networking Supplement Manual, "Appendix A—RAS Registry Values."

TCP Window Size

Configuring DefaultRcvWindow

The transmission control protocol (TCP) receive window specifies the maximum number of bytes a sender can transmit without receiving an acknowledgment (ACK). Increasing this value improves performance on networks with high latency. Both sides of a network connection control the TCP receive window size. You can configure receive window size for Windows for Workgroups in the SYSTEM.INI file, and for Windows 9x with the DefaultRcvWindow registry entry.

  • For Windows for Workgroups 3.11, modify the SYSTEM.INI file:

    [MSTCP]

    DefaultRcvWindow =
    Default: 8192

For Windows 9x, modify the DefaultRcvWindow registry subkey in:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \VXD \MSTCP

Windows NT TCPWindowSize

When data blocks greater than the MTU or segment size travel across the network, the TCP Window Size buffers them, returning acknowledgments to notify the sending computer when one block has been received and it is time to send the next one. Larger buffers can accommodate larger blocks of data, allowing more data to flow before reversing direction and sending an acknowledgment. This reduces traffic by generating fewer ACK packets.

Windows NT default TCPWindowSize values.

Registry Parameters

Windows NT 3.1

Windows NT 3.5 x

Windows NT 4.0

Windows 2000

TCPWindowSize

8192 (1)

8760

8760

16504

 

8K

8K

8K

16K

To adjust the TCP Window size, modify or add this registry subkey:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \Tcpip \Parameters \TCPWindowSize

Cc767910.opt6_10(en-us,TechNet.10).gif

Figure 6.10: Using Registry Editor (REGEDT32.EXE) to modify TCPWindowSize.

Note: When a TCP/IP client communicates over a router that imposes a hop-count—which limits the number of subsequent routers a message can pass through—a forced ACK is issued for every two packets. This avoids the silly window syndrome, which occurs when the window is so large that it causes a high retransmission rate and system thrashing. This is rare in test labs, but common in production environments. Microsoft TCP/IP does not allow you to disable the forced ACK setting (every two packets over a router).

TCP Window Size in Windows 2000

Windows 2000 addressing performance is optimized for all types of media and WAN connectivity, effectively avoiding silly window syndrome. The protocol stack maintains the two-packet recommendation over routers, but it waits for a response rather than reversing the data flow and issuing an ACK. This improves performance over satellite links. Here's a representation:

  • Windows 2000:

    DATA==> DATA==> DATA==> DATA==> DATA==> DATA==> <==ACK <==ACK <==ACK

  • Windows NT:

    DATA==> DATA==> <==ACK DATA==> DATA==> <==ACK DATA==> DATA==> <==ACK

Maximum Transmit Unit (MTU) Registry Parameters

Windows NT TCP transport entries govern the segment size of data traveling over the network. TCPRecvSegmentSize specifies the maximum receive segment size, and TCPSendSegmentSize specifies the maximum send segment size. You can modify or add these parameters (REG_DWORD or DWORD) in:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \TCPIP \Parameters

Windows NT registry parameters for MTU.

Registry Parameters

Windows NT 3.1

Windows NT 3.5 x

Windows NT 4.0

Windows 2000

TCPRecvSegmentSize

1460

0 (1)

0 (1)

0 (1)

TCPSendSegmentSize

1460

0 (1)

0 (1)

0 (1)

MTU

1500

0 (2)

0 (2)

0 (2)

Notes on Windows NT MTU parameters:

(1) MTU size - 40 = segment size.

(2) Windows NT 3.5 uses the default MTU size of the MAC interface: Ethernet = 1500.

In token ring networks, this value depends on the MAXFRAME size of the token ring card. Because the desktop cannot process transactions larger than 4096 bytes, avoid token ring net cards with hard coded MTU MAXFRAME sizes greater than 4096.

Cautionary Notes

MTU settings can create problems when:

  • Sending packets (that require a response) from one token ring site over a satellite to another token ring site with a smaller MTU size.

  • Sending packets from one token ring site over frame relay to another token ring site.

  • Communicating from one token ring site over Asynchronous Transfer Mode (ATM) to another token ring site.

  • Using different media types in any combination.

Use the Ethernet default size of 1500 to avoid these problems.

Configuring MTU Size for Windows NT

  • For Windows for Workgroups 3.11, you can set the MaxMTU parameter in the SYSTEM.INI file.

    [network_card]
    MaxMTU =
    Default: 0 (use the value supplied by the network adapter manufacturer)

  • For Windows 95 and Windows 98, you can configure MaxMTU in the registry subkey:

    HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \Class \NetTrans \000n

  • For Windows NT modify or add the MTU subkey:

    HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \CENDIS31 \Parameters \Tcpip \MTU

Cc767910.opt6_11(en-us,TechNet.10).gif

Figure 6.11: Looking for MTU with Registry Editor (REGEDIT.EXE).

Configuring MTU Size for Windows 2000

The redesigned Windows 2000 registry parameters for network services use a component object model (COM) component interface design. COM uses a global unique identifier (GUID) for each component, including network adapter cards. The registry subkey example below is for a Compaq NetFlex network adapter card:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \tcpip \Parameters \interface \F8B40F3E-6F17-11D2-90E1-D0086EA127CB\MTU

The COM component design allows you to disconnect the network interface, change parameters such as the MTU size, and connect the TCP/IP stack to the network interface without rebooting.

Services and Application Transactions

Trust Relationships

Once a trust has been established, primary domain controllers (PDCs) and backup domain controllers (BDCs) locate trusted domains while booting up, establishing a password-protected communications "pipe." The PDC generates a pulse (approximately every day) and changes the internal password on the secure pipe. If domain controllers do not receive this pulse at boot time for internal password changes or initiations of pass-through authentication, then the trust goes dormant for 15 minutes.

Note: If a user tries to log on when the trust is inactive, the system uses cached logon accounts. The maximum for the cache is 10 accounts, so if the user is not one of the last 10 accounts to log on, the attempt fails.

Every 15 minutes the domain controller tries to locate the trusted domain. Because of this, a trust may work initially then stop working after 15-30 minutes. In general, using Windows Internet Naming Service (WINS) keeps the trust relationship intact, but WINS server location and link speed (below 128 Kbs) can introduce a resolution latency that causes a trust to fail, rendering the domain dormant until contact is reestablished. You can avoid this by adding the entries described below to the LMHOSTS file on all domain controllers that are connected by slow links:

197.127.137.10 ACCOUNTS1 #DOM:NORTHAMERICA #PRE

197.127.136.11 RESOURCE1 #DOM:RESOURCE_DOMAIN #PRE

Performance Hints and Tips

The trust tries to change its internal secure pipe password, and if it cannot communicate the new password to both sides within a week, the trust breaks and you must delete and re-add it. To disable the password change so that the trust is not automatically broken, you can change the DisablePasswordChange from 0 (default) to 1 in the registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters\DisablePasswordChange

Cc767910.opt6_12(en-us,TechNet.10).gif

Figure 6.12: Searching for DisablePasswordChange with Registry Editor (REGEDIT.EXE).

Primary Domain Controller (PDC)

Even when using large (5,000 +) account domains, daily change replication from the PDC to the BDCs is small. The NETLOGON service tracks changes in a log which is by default 64 KB (roughly 2,000 changes). In most cases 64 KB is large enough to queue the daily changes, but if it isn't you can increase the log size by changing the ChangeLogSize registry subkey:

HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \NetLogon \Parameters \ChangeLogSize

Cc767910.opt6_13(en-us,TechNet.10).gif

Figure 6.13: Looking for ChangeLogSize with Registry Editor (REGEDIT.EXE).

Replication Issues In Large Networks

Before the replication process starts, the PDC freezes time inside the box, grabs 98% of the CPU processing, and starts calculating what changes go where. In a perfect world this happens without a hitch, but in the real world the Change Log sometimes is overrun before all BDCs are synchronized. This forces a full synchronization, which can be a cascading event if all BDCs need a full synchronization instead of just the deltas.

You could increase the Change Log size as stated above but it is not really necessary, not even when dealing with large numbers in a single-processor environment. When the PDC freezes time and starts calculating what changes go where, it collects the deltas (changes) into groups of up to 255 deltas for each remote procedure call (RPC) transmission. If the PDC is interrupted during the calculation process (such as to service a bad password check request), the PDC stops all calculations, sends any deltas that have been calculated, services the request, and then resumes calculating what changes go where. This starting and stopping calculation (and thus replication) does not flood the network with RCP transmissions because the network segment with the highest bandwidth is the segment where the PDC is located—and the PDC never floods this segment.

When there is more than one processor, the lowest-order processor works as stated above, exclusively handling all exceptions (service requests) when required. The other processors do not halt—they continue replicating. The lowest-order processor has to start over when the exceptions have been completed but if another processor has meanwhile completed the synchronization, the lowest-order processor backs off rather than duplicate network traffic unnecessarily.

Multiple-Processor Replication Issues in Large Systems

Multiple processors are used only on PDCs, not on BDCs, which simply request data from the PDC. But does a multiple-processor PDC require a multiple-processor BDC for a back up? After all, a backup controller should be able to step in as a new PDC (if needed) and preserve the network topology. Nevertheless, the backup in these cases does not require multiple processors.

Loss of the PDC deprives the system of functions (Enable and Disable Logon Account—Create, and Delete Logon Account—Change Password) that should not break the system over the 15 minutes or so that it takes to promote the backup to PDC (not even if all passwords expire or all accounts are disabled). Users are not even affected, although it may take longer to fully synchronize the entire domain. If you have been diligent with upgrades and maintenance you can promote the backup controller without affecting administrators, telecommunications, support, or users.

With a large number of BDCs (more than 50) the time during which the PDC uses resources increases exponentially with the number of accounts, BDCs, and changes. PDCs are designed to handle this stress and instead of flooding the network with changes they distribute updated information in an orderly fashion.

Although the PDC is designed to calculate replication changes simultaneously for 10 BDCs in Windows NT 3.51 and 20 BDCs in Windows NT 4.0, these figures may be too low to keep large numbers of BDCs updated evenly. In this case, a multiple-processor PDC issues round-robin updates from processor to processor until it reaches the Pulse Concurrency limit (the maximum number of simultaneous pulses a PDC sends to BDCs).

High-Latency Connections

Overall you should not have to change this parameter. Only changes get forwarded through the network so on the last days of a required 90-day password change only passwords are replicated, not the complete user account databases. For slow links, monitor the network traffic and if this traffic causes problems on lines slower than 64 Kbps, use the ReplicationGovernor.

Performance Hints and Tips

  • You can configure different replication rates at different times of the day. With the AT command, use a script file containing the path to the ReplicationGovernor parameter and the new Registry entries. (For example: net stop netlogon, regini script file, net start netlogon). REGINI.EXE is part of the Windows NT Resource Kit.

Dial-up Links

In a dial-up environment you may exercise all of these suggested options but still fail to get the BDC to synchronize with the PDC in a controlled process rather than having it connect all day long across expensive dial-up lines. To make the connection when you want and automate on-demand synchronization, use the command line utility NLTEST.EXE. Combining this utility with RASDIAL you can "batch dial" and synchronize the BDC. Here is an example:

 :RASDIALOUT
 RASDIAL PDCSERVER
 IF ERRORLEVEL == 1 GOTO BADRASDIAL
 NLTEST /TRANSPORT_NOTIFY
 NLTEST /SERVER:BDCLOCAL /REPL
 GOTO END
 :BADRASDIAL
 WAIT 5
 GOTO RASDIALOUT
 :END

The example above is only a sample; below is a complete list of parameters and options. (Refer to the Microsoft Windows NT 4.0 Resource Kit, Supplement Two for complete information and examples.)

Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force replication on <ServerName> BDC
/SYNC - Force SYNC on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName> - Reset secure channel for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DC's for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DCTRUST:<DomainName> - Get name of DC is used for  trust of <DomainName>

/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User>
/FINDUSER:<User> - See which trusted <Domain> will log on <User>
/TRANSPORT_NOTIFY - Notify of netlogon of new transport
/RID:<HexRid> - RID to encrypt Password with
/USER:<UserName> - Query User info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ascii
/LOGON_QUERY - Query number of cumulative logon attempts
/TRUSTED_DOMAINS - Query names of domains trusted by workstation
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/SIM_SYNC:<DomainName> <MachineName> - Simulate full sync replication
/LIST_DELTAS:<FileName> - display the content of given change log file
/LIST_REDO:<FileName> - display the content of given redo log file

Performance Hints and Tips

  • On the PDC increase the change log so that the transaction log can hold the worst-case number of changes for the time the BDC is off line.

  • Use a script file with the AT command to configure different replication rates at different times of the day. See above.

  • Use a batch file to dial, connect, and execute NLTEST.EXE.

NETLOGON.BAT (Batch File Execution)

Windows NT provides logon scripts that enforce standards on the desktop. The following example performs a virus check, and links a home directory, a mail drive, a common applications drive, and common printers.

 @echo off
 rem echo netlogon.bat version 01.00.00
 echo.
 msav /c /r /a
 net use h: /HOME
 net use m: \\MYSERVER\MAIL
 net use s: \\MYSERVER\APPS
 net use lpt1: \\MYSERVER\printer1
 net use lpt2: \\MYSERVER\printer2

You can use the NetLogon feature to impose and enforce standards, but it can create performance issues when executed over slower links. This batch file was created and executed from Windows NT Workstation and a Windows 95 workstation.

NETLOGON
@Echo off
Echo netlogon.bat version 01.00.00
Echo.
NET VIEW

Network Trace—Windows NT NETLOGON (Remote)

The trace below shows the network traffic generated by NETLOGON.BAT from a remote Windows NT workstation. At the command line the batch file NETLOGON <enter> was used.

  • When executed from a Windows NT workstation, 26 packets were generated to "find" the file to execute. The logic used at the command line is to find NETLOGON, then NETLOGON.COM, then NETLOGON.EXE, and finally NETLOGON.BAT. Typing NETLOGON.BAT at the command line avoids the execution of 26 packets of data.

  • Echo is used to insert a CR/LF on the screen during execution of a batch file. It makes reading the output more manageable, but generates 4 packets, which really are not required for the execution.

  • The net command goes through the same search for the program net, generating extra 14 packets.

  • Note that the system is now trying to load the NET.EXE and the DLLs that support the call, even though all the files are in the local search path and the program executes it. The drive off of which NETLOGON was executed is always searched before the search path. Note that this generated over 133 packets.

Network Monitor trace Sat 04/15/98 15:48:18 NT Netlogon (Remote).

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

5 4.344 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

6 4.347 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x8003

7 4.351 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \netlogon"*

8 4.356 ANDROMEDAII 3COM 4CEC95 SMB R transact2

9 4.359 3COM 4CEC95 ANDROMEDAII SMB C find close, FID = 0x5

10 4.362 ANDROMEDAII 3COM 4CEC95 SMB R find close

Network Monitor trace Sat 04/15/98 15:48:18 NT Netlogon (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

11 4.363 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x8003

12 4.366 ANDROMEDAII 3COM 4CEC95 SMB R close file

13 4.369 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

14 4.373 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x7804

15 4.377 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NETLOGON.COM

16 4.382 ANDROMEDAII 3COM 4CEC95 SMB R transact2 (Error)

17 4.385 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x7804

18 4.387 ANDROMEDAII 3COM 4CEC95 SMB R close file

19 4.391 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

20 4.394 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x7006

21 4.397 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NETLOGON.EXE

22 4.403 ANDROMEDAII 3COM 4CEC95 SMB R transact2 (Error)

23 4.406 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x7006

24 4.408 ANDROMEDAII 3COM 4CEC95 SMB R close file

25 4.412 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

26 4.415 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x8002

27 4.421 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NETLOGON.BAT

28 4.428 ANDROMEDAII 3COM 4CEC95 SMB R transact2 FindFirst (response to frame 27)

29 4.431 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x8002

30 4.433 ANDROMEDAII 3COM 4CEC95 SMB R close file

Network Monitor trace Sat 04/15/98 15:48:18 NT Netlogon (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

31 4.440 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \NETLOGON.BAT

32 4.444 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x780d

33 4.448 3COM 4CEC95 ANDROMEDAII SMB C read & X, FID = 0x780d, Read 0xa4 at 0x0

34 4.450 ANDROMEDAII 3COM 4CEC95 SMB R read & X, Read 0xa4

35 4.497 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

36 4.500 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x8005

37 4.503 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x780d

38 4.505 ANDROMEDAII 3COM 4CEC95 SMB R close file

39 4.507 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \Echo."*

40 4.513 ANDROMEDAII 3COM 4CEC95 SMB R transact2 (Error)

41 4.516 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x8005

42 4.519 ANDROMEDAII 3COM 4CEC95 SMB R close file

43 4.548 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \NETLOGON.BAT

44 4.550 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x780d

45 4.554 3COM 4CEC95 ANDROMEDAII SMB C read & X, FID = 0x780d, Read 0xa4 at 0x0

46 4.555 ANDROMEDAII 3COM 4CEC95 SMB R read & X, Read 0xa4

47 4.572 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

48 4.575 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x780a

49 4.578 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x780d

50 4.580 ANDROMEDAII 3COM 4CEC95 SMB R close file

Network Monitor trace Sat 04/15/98 15:48:18 NT Netlogon (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

51 4.583 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NET"*

52 4.589 ANDROMEDAII 3COM 4CEC95 SMB R transact2 FindFirst (response to frame 51)

53 4.592 3COM 4CEC95 ANDROMEDAII SMB C find close, FID = 0x802

54 4.594 ANDROMEDAII 3COM 4CEC95 SMB R find close

55 4.596 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x780a

56 4.598 ANDROMEDAII 3COM 4CEC95 SMB R close file

57 4.602 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

58 4.605 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x3801

59 4.608 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NET.COM

60 4.614 ANDROMEDAII 3COM 4CEC95 SMB R transact2 (Error)

61 4.616 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x3801

62 4.619 ANDROMEDAII 3COM 4CEC95 SMB R close file

63 4.622 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

64 4.626 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x4000

65 4.629 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NET.EXE

66 4.635 ANDROMEDAII 3COM 4CEC95 SMB R transact2 FindFirst (response to frame 65)

67 4.638 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x4000

68 4.641 ANDROMEDAII 3COM 4CEC95 SMB R close file

69 4.644 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

70 4.648 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x6807

Network Monitor trace Sat 04/15/98 15:48:18 NT Netlogon (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

71 4.650 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetFileInfo, FID = 0x6807

72 4.652 ANDROMEDAII 3COM 4CEC95 SMB R transact2 GetFileInfo (response to frame 71)

73 4.655 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetFsInfo

74 4.657 ANDROMEDAII 3COM 4CEC95 SMB R transact2 GetFsInfo (response to frame 73)

75 4.660 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x6807

76 4.663 ANDROMEDAII 3COM 4CEC95 SMB R close file

77 4.669 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

78 4.673 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x800e

79 4.677 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NET"*

80 4.683 ANDROMEDAII 3COM 4CEC95 SMB R transact2 FindFirst (response to frame 79)

81 4.687 3COM 4CEC95 ANDROMEDAII SMB C find close, FID = 0x805

82 4.689 ANDROMEDAII 3COM 4CEC95 SMB R find close

83 4.690 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x800e

84 4.693 ANDROMEDAII 3COM 4CEC95 SMB R close file

85 4.696 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

86 4.700 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x800b

87 4.703 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NET.COM

88 4.709 ANDROMEDAII 3COM 4CEC95 SMB R transact2 (Error)

89 4.711 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x800b

90 4.714 ANDROMEDAII 3COM 4CEC95 SMB R close file

Network Monitor trace Sat 04/15/98 15:48:18 NT Netlogon (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

91 4.717 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

92 4.721 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x780f

93 4.724 3COM 4CEC95 ANDROMEDAII SMB C transact2 FindFirst, File = \NET.EXE

94 4.731 ANDROMEDAII 3COM 4CEC95 SMB R transact2 FindFirst (response to frame 93)

95 4.734 3COM 4CEC95 ANDROMEDAII SMB C close file, FID = 0x780f

96 4.736 ANDROMEDAII 3COM 4CEC95 SMB R close file

97 4.742 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \NET.EXE

98 4.744 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x6808

99 4.747 3COM 4CEC95 ANDROMEDAII SMB C read & X, FID = 0x6808, Read 0x1000 at 0x0

100 4.750 ANDROMEDAII 3COM 4CEC95 SMB R read & X, Read 0x1000

101 4.751 ANDROMEDAII 3COM 4CEC95 NBT SS: Session Message Cont., 1460 Bytes

102 4.752 ANDROMEDAII 3COM 4CEC95 NBT SS: Session Message Cont., 1240 Bytes

103 4.753 3COM 4CEC95 ANDROMEDAII TCP .A...., len: 0, seq: 506612, ack: 1100064, win: 8760

104 4.763 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \

105 4.767 ANDROMEDAII 3COM 4CEC95 SMB R transact2 GetPathInfo (response to frame 104)

106 4.791 3COM 4CEC95 ANDROMEDAII SMB C NT create & X, File = \

107 4.794 ANDROMEDAII 3COM 4CEC95 SMB R NT create & X, FID = 0x8803

108 4.797 3COM 4CEC95 ANDROMEDAII SMB C read & X, FID = 0x6808, Read 0xa00 at 0xae00

109 4.800 ANDROMEDAII 3COM 4CEC95 SMB R read & X, Read 0xa00

110 4.801 ANDROMEDAII 3COM 4CEC95 NBT SS: Session Message Cont., 1164 Bytes

Network Monitor trace Sat 04/15/98 15:48:18 NT Netlogon (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

111 4.802 3COM 4CEC95 ANDROMEDAII TCP .A...., len: 0, seq: 506850, ack: 1104139, win: 8760

112 4.807 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \NETAPI32.dll

113 4.810 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

114 4.814 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \NETAPI32.dll

115 4.817 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

116 4.841 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \NETRAP.dll

117 4.845 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

118 4.849 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \NETRAP.dll

119 4.852 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

120 4.866 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \SAMLIB.dll

121 4.869 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

122 4.873 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \SAMLIB.dll

123 4.877 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

124 4.889 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \MPR.dll

125 4.893 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

126 4.897 3COM 4CEC95 ANDROMEDAII SMB C transact2 GetPathInfo, File = \MPR.dll

127 4.901 ANDROMEDAII 3COM 4CEC95 SMB C transact2 (Error)

128 4.914 3COM 4CEC95 ANDROMEDAII SMB C read & X, FID = 0x6808, Read 0x400 at 0xb800

129 4.916 ANDROMEDAII 3COM 4CEC95 SMB R read & X, Read 0x400

130 4.969 3COM 4CEC95 ANDROMEDAII SMB C read block raw, FID = 0x6808, Read 0x6600 at 0x400

131 4.972 ANDROMEDAII 3COM 4CEC95 NBT SS: Session Message, Len: 26112

132 4.973 ANDROMEDAII 3COM 4CEC95 NBT SS: Session Message Cont., 1460 Bytes

133 4.974 ANDROMEDAII 3COM 4CEC95 NBT SS: Session Message Cont., 1460 Bytes

134 4.975 3COM 4CEC95 ANDROMEDAII TCP .A...., len: 0, seq: 507785, ack: 1108459, win: 876

Network Trace—Windows 95 NETLOGON.BAT (Remote)

The next trace shows the network traffic generated by executing NETLOGON.BAT from a remote Windows 95 workstation. At the command line the batch file NETLOGON <enter> was used.

  • When executed from a Windows 95 workstation, it takes fewer packets; the search order is netlogon, NETLOGON.BAT.

  • Echo does not generate any network traffic.

  • Note that loading the NET.EXE off the network generated 207 packets.

Network Monitor trace Thu 04/13/98 19:52:48 Windows 95 Netlogon.bat (Remote).

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 1.956 WORK1 TXI320 SMB C search directory, File = \NETLOGON">>>

2 1.959 TXI320 WORK1 SMB R search directory, Files = 1

3 1.961 WORK1 TXI320 SMB C search directory, File =

4 1.962 TXI320 WORK1 SMB R search directory (Error)

5 1.963 WORK1 TXI320 SMB C search directory, File = \NETLOGON"BAT

6 1.966 TXI320 WORK1 SMB R search directory, Files = 1

7 2.017 WORK1 TXI320 SMB C search directory, File = \NET">>>

8 2.021 TXI320 WORK1 SMB R search directory, Files = 1

9 2.022 WORK1 TXI320 SMB C search directory, File =

10 2.023 TXI320 WORK1 SMB R search directory (Error)

11 2.024 WORK1 TXI320 SMB C open & X, File = \NET.EXE (R -Share Deny None)

12 2.027 TXI320 WORK1 SMB R open & X, FID = 0x1004, File Size = 0x5b40a

Network Monitor trace Thu 04/13/98 19:52:48 Windows 95 Netlogon.bat (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

13 2.028 WORK1 TXI320 SMB C read block raw, FID = 0x1004, Read 0x1000 at 0x0

14 2.032 TXI320 WORK1 NBT SS: Session Message, Len: 4096

15 2.033 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

16 2.034 TXI320 WORK1 NBT SS: Session Message Cont., 1180 Bytes

17 2.036 WORK1 TXI320 TCP .A...., len: 0, seq: 6174814, ack: 1323028, win: 8760

18 2.039 WORK1 TXI320 SMB C open & X, File = \NET.EXE (X -Share Deny W)

19 2.041 TXI320 WORK1 SMB C lock & X, FID = 0x1004

20 2.042 WORK1 TXI320 SMB C close file, FID = 0x1004

21 2.044 TXI320 WORK1 SMB R close file

22 2.045 TXI320 WORK1 SMB R open & X, FID = 0x1006, File Size = 0x5b40a

23 2.045 WORK1 TXI320 TCP .A...., len: 0, seq: 6174947, ack: 1324371, win: 7417

24 2.047 WORK1 TXI320 SMB C read block raw, FID = 0x1006, Read 0xfe00 at 0x2a00

25 2.054 TXI320 WORK1 NBT SS: Session Message, Len: 65024

26 2.055 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

27 2.057 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

28 2.058 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

29 2.059 WORK1 TXI320 TCP .A...., len: 0, seq: 6175002, ack: 1327291, win: 8760

30 2.060 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

31 2.062 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

32 2.063 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

Network Monitor trace Thu 04/13/98 19:52:48 Windows 95 Netlogon.bat (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

33 2.064 WORK1 TXI320 TCP .A...., len: 0, seq: 6175002, ack: 1330211, win: 8760

34 2.064 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

35 2.066 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

36 2.067 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

37 2.068 WORK1 TXI320 TCP .A...., len: 0, seq: 6175002, ack: 1333131, win: 8760

38 2.070 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

39 2.073 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

40 2.074 WORK1 TXI320 TCP .A...., len: 0, seq: 6175002, ack: 1337511, win: 8760

41 2.076 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

42 2.077 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

43 2.078 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

44 2.079 WORK1 TXI320 TCP .A...., len: 0, seq: 6175002, ack: 1341891, win: 8760

45 2.082 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

46 2.083 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

47 2.084 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

48 2.087 WORK1 TXI320 TCP .A...., len: 0, seq: 6175002, ack: 1346271, win: 8760

49 2.089 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

50 2.091 TXI320 WORK1 NBT SS: Session Message Cont., 1460 Bytes

...

216 2.367 WORK1 TXI320 SMB C read block raw, FID = 0x1006, Read 0xa00 at 0x2000

Network Monitor trace Thu 04/13/98 19:52:48 Windows 95 Netlogon.bat (Remote). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

217 2.371 TXI320 WORK1 NBT SS: Session Message, Len: 2560

218 2.372 TXI320 WORK1 NBT SS: Session Message Cont., 1104 Bytes

219 2.375 WORK1 TXI320 TCP .A...., len: 0, seq: 6175222, ack: 1525095, win: 8760

220 2.383 WORK1 TXI320 SMB C tree connect & X, Share = \\TXI320\IPC$

221 2.384 TXI320 WORK1 SMB R tree connect & X, Type = IPC

222 2.386 WORK1 TXI320 SMB C transact, Remote API

223 2.399 TXI320 WORK1 SMB R transact, Remote API (response to frame 222)

224 2.551 WORK1 TXI320 TCP .A...., len: 0, seq: 6175401, ack: 1525579, win: 8276

225 3.851 WORK1 TXI320 SMB C tree disconnect

226 3.852 TXI320 WORK1 SMB R tree disconnect

227 4.056 WORK1 TXI320 TCP .A...., len: 0, seq: 6175440, ack: 1525618, win: 8237

Network Trace—Windows 95 NETLOGON.BAT (Local)

The next trace shows the network traffic generated by executing NETLOGON.BAT from a local Windows 95 workstation. At the command line the batch file NETLOGON <enter> was used. At the command line the batch file NETLOGON <enter> was used.

  • This was executed with the NET.EXE local to the machine. The total number of packets generated during the execution was only 21.

Network Monitor trace Thu 04/13/95 20:19:03 Windows 95 NETLOGON.BAT (Local).

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

2 4.955 WORK1 TXI320 SMB C search directory, File = \NETLOGON">>>

3 4.959 TXI320 WORK1 SMB R search directory, Files = 1

4 4.960 WORK1 TXI320 SMB C search directory, File =

5 4.961 TXI320 WORK1 SMB R search directory (Error)

Network Monitor trace Thu 04/13/95 20:19:03 Windows 95 NETLOGON.BAT (Local). (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

6 4.963 WORK1 TXI320 SMB C search directory, File = \NETLOGON"BAT

7 4.966 TXI320 WORK1 SMB R search directory, Files = 1

8 4.968 WORK1 TXI320 SMB C open & X, File = \NETLOGON.BAT (R -Share Deny W)

9 4.972 TXI320 WORK1 SMB R open & X, FID = 0x1001, File Size = 0x4c

10 4.973 WORK1 TXI320 SMB C read block raw, FID = 0x1001, Read 0x1000 at 0x0

11 4.974 TXI320 WORK1 NBT SS: Session Message, Len: 76

12 5.005 WORK1 TXI320 SMB C search directory, File = \NET">>>

13 5.007 TXI320 WORK1 SMB R search directory (Error)

14 5.040 WORK1 TXI320 SMB C tree connect & X, Share = \\TXI320\IPC$

15 5.042 TXI320 WORK1 SMB R tree connect & X, Type = IPC

16 5.043 WORK1 TXI320 SMB C transact, Remote API

17 5.056 TXI320 WORK1 SMB R transact, Remote API (response to frame 16)

18 5.216 WORK1 TXI320 TCP .A...., len: 0, seq: 5799747, ack: 1319143, win: 8237

19 7.468 WORK1 TXI320 SMB C tree disconnect

20 7.469 TXI320 WORK1 SMB R tree disconnect

21 7.591 WORK1 TXI320 TCP .A...., len: 0, seq: 5799786, ack: 1319182, win: 8198

Performance Hints and Tips

  • Try to avoid executing EXE, COM, DLL files over a slow link.

  • If you need to execute files, first copy them down to a local drive of the client and then execute them

  • When you do execute files over a slow link make sure you include the extensions, TEST.BAT, TEST.EXE, TEST.COM so that the redirector does not have to discover which extension to use.

  • Do not use the ECHO. The information it provides can enhance your understanding of batch file execution, but it generates unwanted network traffic.

Copy Command (CMD, WINFILE, Explorer)

Network Trace—Copy Command: Windows 95 Workstation Redirector Requests

Using COMMAND.COM, CMD.EXE, or WINFILE.EXE interfaces to copy files across the network requests the redirector to use large read or writes blocks. By default the Windows 95 workstation redirector requests large read or write blocks (64-K—raw state). The trace below shows that when the system invokes the raw state there is only a single 2-SMB packet for every 64 K of data.

Network Monitor trace Mon 03/13/98 13:36:17 Small / Medium / Large Reads & Writes.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

4 2.597 VOYAGERIX WANTEST2 SMB C get attributes, File = \temp\002

5 2.685 WANTEST2 VOYAGERIX SMB R get attributes

6 2.689 VOYAGERIX WANTEST2 SMB C NT create & X, File = \temp

8 4.065 WANTEST2 VOYAGERIX SMB R NT create & X, FID = 0x806

9 4.068 VOYAGERIX WANTEST2 SMB C transact2 FindFirst, File = \temp\002

Network Monitor trace Mon 03/13/98 13:36:17 Small / Medium / Large Reads & Writes. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

11 6.075 WANTEST2 VOYAGERIX SMB R transact2

12 6.079 VOYAGERIX WANTEST2 SMB C NT create & X, File = \temp\002

13 7.418 WANTEST2 VOYAGERIX SMB R NT create & X, FID = 0x807

14 7.422 VOYAGERIX WANTEST2 SMB C read & X, FID = 0x807, Read 0x1000 at 0x0

15 8.885 WANTEST2 VOYAGERIX SMB R read & X, Read 0x1000

16 9.006 VOYAGERIX WANTEST2 TCP .A...., len: 0, seq: 2259110, ack: 239873, win:12288

17 9.014 WANTEST2 VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

18 9.115 WANTEST2 VOYAGERIX SS: Session Message Cont., 1240 Bytes

19 9.117 VOYAGERIX WANTEST2 TCP .A...., len: 0, seq: 2259110, ack: 242573, win:12288

Network Trace—Copy Command: Windows NT Clients

By default Windows NT 3.5x disables raw mode over slow links from Windows NT client to Windows NT server. But Windows NT Server will service (raw state) over slow links, so you see great performance of Windows 95 connected to a Windows NT server even over a slow link. The Windows NT clients use the default size of SizReqBuf of 4292, as shown in this trace. Note that there are 2-SMB packets for every 4292 bytes of data.

Network Monitor trace Sun 03/05/98 12:57:59 Copy Command -COMMAND.COM, CMD.EXE, WINFILE.EXE.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

19 15.191 VOYAGERIX 3COM 8DFB25 SMB C write & X, FID = 0x801, Write 0x10c4 at 0x0

20 15.194 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1460 Bytes

21 15.196 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1439 Bytes

22 16.659 3COM 8DFB25 VOYAGERIX TCP .A...., len: 0, seq: 205717, ack: 2468724, win: 8760, src

Network Monitor trace Sun 03/05/98 12:57:59 Copy Command -COMMAND.COM, CMD.EXE, WINFILE.EXE. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

23 17.337 3COM 8DFB25 VOYAGERIX SMB R write & X, Wrote 0x10c4

24 17.341 VOYAGERIX 3COM 8DFB25 SMB C write & X, FID = 0x801, Write 0x10c4 at 0x10c4

25 17.343 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1460 Bytes

26 17.345 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1439 Bytes

27 18.864 3COM 8DFB25 VOYAGERIX TCP .A...., len: 0, seq: 205768, ack: 2473083, win: 8760, src

28 19.545 3COM 8DFB25 VOYAGERIX SMB R write & X, Wrote 0x10c4

29 19.548 VOYAGERIX 3COM 8DFB25 SMB C write & X, FID = 0x801, Write 0x10c4 at 0x2188

30 19.551 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1460 Bytes

31 19.553 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1439 Bytes

32 21.024 3COM 8DFB25 VOYAGERIX TCP .A...., len: 0, seq: 205819, ack: 2477442, win: 8760, src

33 21.704 3COM 8DFB25 VOYAGERIX SMB R write & X, Wrote 0x10c4

34 21.708 VOYAGERIX 3COM 8DFB25 SMB C write & X, FID = 0x801, Write 0x10c4 at 0x324c

35 21.710 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1460 Bytes

36 21.712 VOYAGERIX 3COM 8DFB25 NBT SS: Session Message Cont., 1439 Bytes

37 23.237 3COM 8DFB25 VOYAGERIX TCP .A...., len: 0, seq: 205870, ack: 2481801, win: 8760, src

38 23.254 3COM 8DFB25 VOYAGERIX SMB R write & X, Wrote 0x10c4

Network Trace—Increasing SizReqBuf for Windows NT

This trace shows that increasing the SizReqBuf from 11504 to 12548 for the Windows NT client and server increases performance. This increase is shown in Figure 6-15 in the Performance Results section at the end of this chapter.

Network Monitor trace Sun 03/05/98 13:49:39 SizReqBuf of 12548.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

66 24.840 VOYAGERIX WANTEST2 SMB C write & X, FID = 0x804, Write 0x30c4 at 0x924c

67 24.842 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

68 24.844 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

69 24.846 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

70 24.848 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

71 24.850 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

72 24.852 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

73 26.386 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233563, ack: 1293253, win:12288

74 26.389 VOYAGERIX WANTST2 NB SS: Session Message Cont., 1460 Bytes

75 26.390 VOYAGERIX WANTST2 NB SS: Session Message Cont., 871 Bytes

76 27.072 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233563, ack: 1296173, win:12288

77 27.098 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233563, ack: 1299093, win:12288

78 27.098 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233563, ack: 1300553, win:12288

79 28.421 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233563, ack: 1302884, win:12288

80 28.437 WANTEST2 VOYAGERIX SMB R write & X, Wrote 0x30c4

81 28.440 VOYAGERIX WANTEST2 SMB C write & X, FID = 0x804, Write 0x2cf0 at 0xc310

82 28.442 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

83 28.445 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

84 28.447 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

Network Monitor trace Sun 03/05/98 13:49:39 SizReqBuf of 12548. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

85 28.449 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

86 28.451 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

87 28.453 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

88 28.455 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1351 Bytes

89 29.986 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233614, ack: 1305804, win:12288

90 30.675 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233614, ack: 1308724, win:12288

91 30.711 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233614, ack: 1311644, win:12288

92 30.711 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233614, ack: 1314455, win:12288

93 30.711 WANTEST2 VOYAGERIX SMB R write & X, Wrote 0x2cf0

94 30.721 VOYAGERIX WANTEST2 SMB C write & X, FID = 0x804, Write 0x30c4 at 0xf000

95 30.723 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

96 30.725 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

97 30.727 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

98 30.729 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

99 30.731 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

100 30.733 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

101 30.735 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 1460 Bytes

102 32.193 WANTEST2 VOYAGERIX TC .A...., len: 0, seq: 233665, ack: 1315915, win:12288

103 32.194 VOYAGERIX WANTEST2 NBT SS: Session Message Cont., 871 Bytes

104 32.880 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233665, ack: 1318835, win:12288

105 32.917 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233665, ack: 1321755, win:12288

106 32.917 WANTEST2 VOYAGERIX TC .A...., len: 0, seq: 233665, ack: 1324675, win:12288

107 32.917 WANTEST2 VOYAGERIX TCP .A...., len: 0, seq: 233665, ack: 1326135, win:12288

108 33.543 WANTEST2 VOYAGERIX SMB R write & X, Wrote 0x30c4

Windows NT 4.0/Windows 2000

When using NT 4.0 and Windows 2000 there is no requirement for modifying the SizReqBuf parameter. These operating systems have been designed to address the raw mode over high-latency, dial-up, and slow-link connections.

With the introduction of EXPLORER.EXE with Windows NT 4.0 more data is brought across the network while viewing a network drive's resources. Each version of the EXPLORER.EXE has introduced networking savings transactions for attributes, icons, and directories. In order of most-to-least traffic for network drive access, these services are:

  1. EXPLORER.EXE

  2. WINFILE.EXE

  3. FTP command

  4. CMD.EXE

Performance Hints and Tips

  • See the Performance Results section (at the end of this chapter) for your operating system version.

  • Compress the files that you want to move as in WinZip (by Niko Mak Computing, Inc.)

  • Using the operating compression bit does not retain compression over the network.

Microsoft Word 97

This network trace is typical network activity running Microsoft Word 97 over the network. Starting at packet 16 you will note that the file TECH01.DOC was accessed multiple times. This is a combination of Windows Explorer and Word. Attributes are being read. If Word is configured to pre-view in the Open pane, even more traffic is generated.

You can see at packet 213 that a file is being generated (~TEXCH01.DOC). Looking closely you will see that there is a lot of write activity to the destination drive. Not shown is read-only of the drive or document. If the share is read-only, attribute read-only, or the document is password protected (so you are prompted for read-only), Word generates a lot of overhead is as it determines how to proceed, where to generate temporary files, and so on. This can be an additional 100 packets or so.

Performance Hints and Tips

  • Make sure you do not attempt to load WORD.EXE program over a slow link WORD.EXE program should be loaded locally or off a local network server.

  • Make sure to configure Word to generate TEMP files locally and not to generate them on the default drive off of which the document is retrieved.

  • Always try to copy the document to a local drive—remember: a copy command is the most efficient method for moving data over slow links.

Network Trace—Typical Network Activity Running Microsoft Word 97 Over the Network

Network Monitor trace Tue 04/11/98 00:20:15 Word.DOC.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

16 24.364 TIGERII VOYAGERIX SMB R session setup & X, and R tree connect & X, Type = A:

17 24.367 VOYAGERIX TIGERII SMB C NT create & X, File = \source\teched

18 24.668 TIGERII VOYAGERIX NBT SS: Session Keep Alive, Len: 0

19 24.801 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5707630, ack:1893659553, win: 8496

20 25.077 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x3008

21 25.201 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5707630, ack:1893659660, win: 8389

Network Monitor trace Tue 04/11/98 00:20:15 Word.DOC. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

22 25.459 VOYAGERIX TIGERII SMB C close file, FID = 0x3008

23 25.741 TIGERII VOYAGERIX SMB R close file

24 25.902 VOYAGERIX TIGERII TCP A...., len: 0, seq: 5707676, ack:1893659699, win: 8350

25 45.989 VOYAGERIX TIGERII C NT create & X, File = \SOURCE\TECHED\TECH01.DOC

26 46.353 TIGERII VOYAGERIX SMB R NTcreate & X (Error)

27 46.358 VOYAGERIX TIGERII SMB C NTcreate & X, File = \source\teched

28 46.645 TIGERII VOYAGERIX SMB R NTcreate & X, FID = 0x3006

29 46.685 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.DOC

30 47.054 TIGERII VOYAGERIX SMB R transact2 GetPathInfo (response to frame 29)

31 47.236 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5708060, ack:1893659949, win: 8100

32 47.412 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.DOC

33 47.756 TIGERII VOYAGERIX SMB R transact2 GetPathInfo (response to frame 32)

34 47.764 VOYAGERIX TIGERII SMB C close file, FID = 0x3006

35 48.010 TIGERII VOYAGERIX SMB R close file

36 48.138 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5708234, ack:1893660092, win: 7957

37 48.160 VOYAGERIX TIGERII SMB C NT create & X, File = \SOURCE\TECHED\TECH01.DOC

38 48.494 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x3004

39 48.495 VOYAGERIX TIGERII SMB C transact2 GetFsInfo

40 48.798 TIGERII VOYAGERIX SMB R transact2 GetFsInfo (response to frame 39)

41 48.803 VOYAGERIX TIGERII SMB C read & X, FID = 0x3004, Read 0x1000 at 0x0

Network Monitor trace Tue 04/11/98 00:20:15 Word.DOC. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

42 49.513 TIGERII VOYAGERIX SMB R read & X, Read 0x1000

43 49.640 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5708510, ack:1893661743, win: 8760

44 50.051 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

45 50.241 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5708510, ack:1893663203, win: 8760

46 50.353 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1240 Bytes

47 50.357 VOYAGERIX TIGERII SMB C read & X, FID = 0x3004, Read 0x10c5 at 0x1000

48 50.963 TIGERII VOYAGERIX SMB R read & X, Read 0x10c5

108 77.440 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5709022, ack:1893697723, win: 8760

109 77.453 VOYAGERIX TIGERII SMB C close file, FID = 0x3004

110 77.932 TIGERII VOYAGERIX SMB R close file

111 77.936 VOYAGERIX TIGERII SMB R NT create & X, FID = 0x300a

113 78.393 VOYAGERIX TIGERII SMB C read & X, FID = 0x300a, Read 0x1000 at 0x0

114 79.883 TIGERII VOYAGERIX SMB R read & X, Read 0x1000

115 79.989 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5709270, ack:1893699329, win: 8760

116 80.405 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

117 80.590 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5709270, ack:1893700789, win: 8760

118 80.664 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1240 Bytes

213 118.049 VOYAGERIX TIGERII SMB C NT create & X, File = \SOURCE\TECHED\~$TECH01.DOC

214 118.408 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x3009

Network Monitor trace Tue 04/11/98 00:20:15 Word.DOC. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

215 118.413 VOYAGERIX TIGERII SMB C write, FID = 0x3009, Write 0x0 at 0x36

216 118.493 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1893764536, ack: 5710372, win: 7794

217 118.665 TIGERII VOYAGERIX SMB R write, Wrote 0x0

218 118.721 VOYAGERIX TIGERII SMB C read & X, FID = 0x300a, Read 0xa00 at 0xb6000

219 119.939 TIGERII VOYAGERIX SMB R read & X, Read 0xa00

220 119.940 VOYAGERIX TIGERI SMB C write & X, FID = 0x3009, Write 0x36 at 0x0

222 120.639 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1893767201, ack: 5710609, win: 7557

223 120.753 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5710609, ack:1893767201, win: 7596

224 120.978 TIGERII VOYAGERIX SMB R write & X, Wrote 0x36

225 121.010 VOYAGERIX TIGERII SMB C read & X, FID = 0x300a, Read 0x1000 at 0xb5000

226 121.318 TIGERII VOYAGERIX SMB R read & X, Read 0x1000

227 121.454 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5710673, ack:1893768712, win: 8760

228 121.627 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

Microsoft Excel 97

This network trace shows typical network activity running Microsoft Excel 5.0 over the network. Note that the Excel application is read in a header of the file first—a 4096-byte read. Next it reads a block of data that is defined in the first header, then the next header of 4096 bytes, then the next block of data referenced by the second header. This goes on throughout the trace. This technique is used so the system can recover at any time. This does cause overhead on the network, but helps in any error recovery that may be needed. Towards the end of the action of opening the document, the File TECH01.XLS is opened again to update the workbook and statistics of the file.

Performance Hints and Tips

  • Make sure you do not attempt to load EXCEL.EXE program over a slow link. Load EXCEL.EXE locally or off a local network server

  • Make sure to configure Excel to generate TEMP files locally and not on the default drive from which the document is retrieved.

  • Try to always copy the spreadsheet to a local drive—remember: a copy command is the most efficient method of moving data over slow links.

Network Trace—Typical Network Activity Running Microsoft Excel 5.0 Over the Network

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 2.442 TIGERII VOYAGERIX NBT SS: Session Keep Alive, Len: 0

2 2.607 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5996073, ack: 722263424, win: 8097

3 7.042 VOYAGERIX TIGERII SMB C NT create & X, File = \SOURCE\TECHED\TECH01.XLS

4 7.323 TIGERII VOYAGERIX SMB R NT create & X (Error)

5 7.331 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.XLS

6 8.015 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.XLS

7 8.448 TIGERII VOYAGERIX SMB R transact2

8 8.521 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894305079, ack: 5836658, win: 7410

9 8.564 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.XLS

10 9.919 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.XLS

11 10.130 TIGERII VOYAGERIX SMB R transact2

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

12 10.130 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5836786, ack:1894305079, win: 8539

13 10.158 TIGERII VOYAGERIX SMB R transact2

14 10.180 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.XLS

15 10.345 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894305183, ack: 5836786, win: 7282

16 10.480 TIGERII VOYAGERIX SMB R transact2

17 10.619 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5836914, ack:1894305287, win: 8331

18 10.757 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4000, Unlocks = 1 (0x2d for

0xff930000)

19 11.016 TIGERII VOYAGERIX SMB R lock & X

20 11.017 VOYAGERIX TIGERII NBT SS: Session Message Cont., 150 Bytes

21 11.521 VOYAGERIX TIGERII NBT SS: Session Message Cont., 150 Bytes

22 11.852 TIGERII VOYAGERIX SMB R lock & X

23 11.946 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894305373, ack: 5837139, win: 6929

24 12.022 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5837139, ack:1894305373, win: 8245

25 12.250 TIGERII VOYAGERIX SMB R lock & X

26 12.257 VOYAGERIX TIGERII SMB C close file, FID = 0x4000

27 12.488 TIGERII VOYAGERIX SMB R close file

28 12.595 VOYAGERIX TIGERII SMB C NT create & X, File = \SOURCE\TECHED\TECH01.XLS

29 12.918 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x400f

30 12.928 VOYAGERIX TIGERII SMB C read & X, FID = 0x400f, Read 0x1000 at 0x0

34 20.615 TIGERII VOYAGERIX SMB R read & X, Read 0x1000

35 20.735 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5837387, ack:1894307022, win: 8760

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

36 21.131 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

37 21.236 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5837387, ack:1894308482, win: 8760

38 21.416 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1240 Bytes

39 21.420 VOYAGERIX TIGERII SMB C read & X, FID = 0x400f, Read 0x10c5 at 0x1000

69 28.401 VOYAGERIX TIGERII SMB C transact2 FindFirst, File = \SOURCE

71 29.684 TIGERII VOYAGERIX SMB R transact2 FindFirst (response to frame 70)

72 29.690 VOYAGERIX TIGERII SMB C NT create & X, File = \SOURCE

73 29.776 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894319310, ack: 5837679, win: 7900

74 29.957 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x4801

75 29.961 VOYAGERIX TIGERII SMB C transact2 FindFirst, File = \SOURCE\TECHED

76 30.952 VOYAGERIX TIGERII SMB C transact2 FindFirst, File = \SOURCE\TECHED

77 32.386 TIGERII VOYAGERIX SMB R transact2 FindFirst (response to frame 76)

78 32.390 VOYAGERIX TIGERII SMB C close file, FID = 0x4801

79 32.470 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894319597, ack: 5837897, win: 7682

80 32.612 TIGERII VOYAGERIX SMB R transact2 FindFirst (response to frame 76)

81 32.612 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5837943, ack:1894319597, win: 8293

82 32.648 TIGERII VOYAGERIX SMB R close file

83 32.652 VOYAGERIX TIGERII SMB C NT create & X, File = \source\teched

84 32.907 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x4803

85 32.910 VOYAGERIX TIGERII SMB C transact2 FindFirst, File = \source\teched\TECH01.XLS

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

86 33.243 TIGERII VOYAGERIX SMB R transact2 FindFirst (response to frame 85)

87 33.248 VOYAGERIX TIGERII SMB C close file, FID = 0x4803

88 33.459 TIGERII VOYAGERIX SMB R close file

89 33.475 VOYAGERIX TIGERII SMB C NT create & X, File = \SOURCE\TECHED\TECH01.XLS

90 33.718 TIGERII VOYAGERIX SMB C lock & X, FID = 0x400f

91 33.720 VOYAGERIX TIGERII SMB C lock & X, FID = 0x400f, Locks = 3 (0x0 for 0xff930000)

92 33.963 TIGERII VOYAGERIX SMB R lock & X

93 33.965 VOYAGERIX TIGERII SMB C lock & X, FID = 0x400f

94 34.209 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x4802

95 34.212 VOYAGERIX TIGERII SMB C read & X, FID = 0x4802, Read 0x200 at 0x0

96 34.517 TIGERII VOYAGERIX SMB R read & X, Read 0x200

97 34.521 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Locks = 1 (0x0 for 0xff920000)

98 34.750 TIGERII VOYAGERIX SMB C lock & X, FID = 0x400f

99 34.858 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5838688, ack:1894320809, win: 8705

100 35.060 TIGERII VOYAGERIX SMB R lock & X

101 35.062 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Locks = 1 (0x0 for 0xffbb0000)

102 35.297 TIGERII VOYAGERIX SMB R lock & X

103 35.300 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Unlocks = 1 (0x0 for 0xffbb0000)

104 35.524 TIGERII VOYAGERIX SMB R lock & X

105 35.525 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Locks = 1 (0x0 for 0xff940000)

106 35.741 TIGERII VOYAGERIX SMB R lock & X

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

107 35.743 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Locks = 1 (0x0 for 0xffa80000)

108 35.959 TIGERII VOYAGERIX SMB R lock & X

109 35.964 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Locks = 1 (0x0 for 0xffbc0000)

110 36.173 TIGERII VOYAGERIX SMB R lock & X

111 36.175 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Locks = 1 (0x0 for 0xffd00000)

112 36.379 TIGERII VOYAGERIX SMB R lock & X

113 36.381 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Unlocks = 1 (0x0 for 0xffa80000)

114 36.566 TIGERII VOYAGERIX SMB R lock & X

115 36.567 VOYAGERIX TIGERII NBT SS: Session Message Cont., 300 Bytes

116 36.837 TIGERII VOYAGERIX SMB R lock & X

117 36.962 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5839513, ack:1894321199, win: 8315

118 37.176 TIGERII VOYAGERIX NBT SS: Session Message Cont., 129 Bytes

119 37.180 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Locks = 1 (0x0 for 0xff810000)

120 37.380 TIGERII VOYAGERIX SMB R lock & X

121 37.383 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Unlocks = 1 (0x0 for 0xff800000)

122 37.596 TIGERII VOYAGERIX SMB R lock & X

123 37.599 VOYAGERIX TIGERII SMB C read & X, FID = 0x4802, Read 0x80 at 0x400

124 37.920 TIGERII VOYAGERIX SMB R read & X, Read 0x80

125 37.923 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Unlocks = 1 (0x0 for 0xff810000)

126 38.120 TIGERII VOYAGERIX SMB R lock & X

127 38.121 VOYAGERIX TIGERII SMB C lock & X, FID = 0x4802, Unlocks = 1 (0x0 for 0xff940000)

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

128 38.318 TIGERII OYAGERIX SMB R lock & X

129 38.320 VOYAGERIX TIGERII SMB C close file, FID = 0x4802

130 38.528 TIGERII VOYAGERIX SMB R close file

131 38.536 VOYAGERIX TIGERII SMB C NT create & X, File = \source\teched

132 38.789 TIGERII VOYAGERIX SMB R NT create & X, FID = 0x400b

133 38.793 VOYAGERIX TIGERII SMB C transact2 FindFirst, File = \source\teched\TECH01.XLS

134 39.027 TIGERII VOYAGERIX SMB R transact2 FindFirst (response to frame 133)

135 39.031 VOYAGERIX TIGERII SMB C close file, FID = 0x400b

136 39.243 TIGERII VOYAGERIX SMB R close file

137 39.346 VOYAGERIX TIGERII SMB C transact2 GetFileInfo, FID = 0x400f

138 39.626 TIGERII VOYAGERIX SMB R transact2 GetFileInfo (response to frame 137)

139 39.629 VOYAGERIX TIGERII SMB C transact2 GetFileInfo, FID = 0x400f

140 39.913 TIGERII VOYAGERIX SMB R transact2 GetFileInfo (response to frame 139)

141 39.921 VOYAGERIX TIGERII SMB C transact2 GetPathInfo, File =

\SOURCE\TECHED\TECH01.XLS

142 40.121 TIGERII VOYAGERIX SMB R transact2 GetPathInfo (response to frame 141)

143 40.158 VOYAGERIX TIGERII SMB C read & X, FID = 0x400f, Read 0x1000 at 0x1400

144 40.667 VOYAGERIX TIGERII SMB C read & X, FID = 0x400f, Read 0x1000 at 0x1400

145 41.224 TIGERII VOYAGERIX SMB R read & X, Read 0x1000

146 41.368 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5840565, ack:1894323821, win: 8760

147 45.040 TIGERII VOYAGERIX NBT SS: Session Message, Len: 57344

148 45.136 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1240 Bytes

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

149 45.137 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5840565, ack:1894326521, win: 8760

150 45.154 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894326521, ack: 5840565, win: 8000

151 45.157 VOYAGERIX TIGERII SMB C transact2 GetFileInfo, FID = 0x400f

152 45.177 TIGERII VOYAGERIX SMB R read & X, Read 0x1000

153 45.178 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5840641, ack:1894326521, win: 8760

154 45.189 TIGERII VOYAGERIX NBT SS: Session Message, Len: 57344

155 45.190 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5840641, ack:1894326521, win: 8760

156 45.194 TIGERII VOYAGERIX NBT SS: Session Message Cont., 1240 Bytes

157 45.195 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5840641, ack:1894326521, win: 8760,

158 45.683 TIGERII VOYAGERIX NBT SS: Session Message, Len: 57344

159 45.684 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5840641, ack:1894326521, win: 8760

160 45.761 TIGERII VOYAGERIX SMB R transact2 GetFileInfo (response to frame 151)

161 45.764 VOYAGERIX TIGERII SMB C transact2 GetFileInfo, FID = 0x400f

162 46.044 TIGERII VOYAGERIX SMB R transact2 GetFileInfo (response to frame 161)

163 46.047 VOYAGERIX TIGERII SMB C transact2 GetFileInfo, FID = 0x400f

164 46.275 TIGERII VOYAGERIX SMB R transact2 GetFileInfo (response to frame 163)

165 46.279 VOYAGERIX TIGERII SMB C transact2 GetFileInfo, FID = 0x400f

166 46.493 TIGERII VOYAGERIX SMB R transact2 GetFileInfo (response to frame 165)

167 46.495 VOYAGERIX TIGERII SMB C write, FID = 0x400f, Write 0x0 at 0x3400

168 46.747 TIGERII VOYAGERIX SMB R write, Wrote 0x0

169 46.750 VOYAGERIX TIGERII SMB C transact2 SetFileInfo, FID = 0x400f

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

170 47.039 TIGERII VOYAGERIX SMB R transact2 SetFileInfo (response to frame 169)

171 47.042 VOYAGERIX TIGERII SMB C lock & X, FID = 0x400f, Locks = 1 (0x5 for 0xff800000)

172 47.300 TIGERII VOYAGERIX SMB R lock & X

173 47.306 VOYAGERIX TIGERII SMB C write & X, FID = 0x400f, Write 0x1000 at 0x1400

174 47.310 VOYAGERIX TIGERII NBT SS: Session Message Cont., 1460 Bytes

175 47.671 VOYAGERIX TIGERII NBT SS: Session Message Cont., 1243 Bytes

176 47.991 TIGERII VOYAGERIX SMB R lock & X

177 48.112 VOYAGERIX TIGERII SMB C write & X, FID = 0x400f, Write 0x1000 at 0x1400

178 48.184 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894327053, ack: 5842544, win: 8192

179 48.201 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5842544, ack:1894327053, win: 8228

180 48.230 VOYAGERIX TIGERII NBT SS: Session Message Cont., 1460 Bytes

181 48.240 VOYAGERIX TIGERII NBT SS: Session Message Cont., 1243 Bytes

182 48.591 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894327053, ack: 5845247, win: 8192

183 48.639 TIGERII VOYAGERIX SMB R write & X, Wrote 0x1000

184 48.642 VOYAGERIX TIGERII SMB C write & X, FID = 0x400f, Write 0x200 at 0x400

188 48.690 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894327104, ack: 5845247, win: 8192

189 49.043 TIGERII VOYAGERIX SMB R write & X, Wrote 0x200

190 49.046 VOYAGERIX TIGERII SMB C write, FID = 0x400f, Write 0x0 at 0x3400

191 49.502 TIGERII VOYAGERIX SMB R write, Wrote 0x0

192 49.507 VOYAGERIX TIGERII SMB C transact2 SetFileInfo, FID = 0x400f

193 49.801 TIGERII VOYAGERIX SMB R transact2 SetFileInfo (response to frame 192)

Network Monitor trace Tue 04/11/98 00:18:09 Excel.XLS. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

194 49.805 VOYAGERIX TIGERII SMB C lock & X, FID = 0x400f, Unlocks = 1 (0x5 for 0xff800000)

195 50.080 TIGERII VOYAGERIX SMB R lock & X

196 50.182 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5846041, ack:1894327303, win: 7978

197 50.367 VOYAGERIX TIGERII SMB C read & X, FID = 0x400f, Read 0x800 at 0x1400

198 50.984 VOYAGERIX TIGERII SMB C read & X, FID = 0x400f, Read 0x800 at 0x1400

199 51.064 TIGERII VOYAGERIX SMB R read & X, Read 0x800

200 51.184 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5846105, ack:1894328763, win: 8760

201 51.271 TIGERII VOYAGERIX NBT SS: Session Message, Len: 57344

202 51.305 TIGERII VOYAGERIX SMB R read & X, Read 0x800

203 51.306 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5846105, ack:1894329415, win: 8108

204 51.312 TIGERII VOYAGERIX TCP .A...., len: 0, seq:1894328763, ack: 5846105, win: 7334

205 51.313 VOYAGERIX TIGERII TCP .A...., len: 0, seq: 5846105, ack:1894329415, win: 8108

Microsoft PowerPoint 97

This network trace shows typical network activity running Microsoft PowerPoint 97 over the network. Note that the PowerPoint application reads in larger blocks of data than do other Office applications. Note that PowerPoint opens and closes the TECH01.PPT presentation in large-block increments—a technique that allows the system to recover at any time. This causes overhead on the network, but helps error recovery. In this example the presentation had embedded sounds and special effects that were not installed on the default machine that was reading the file. Notice the extra overhead that was caused over the network looking for "missing DLL support."

Performance Hints and Tips

  • Make sure you do not attempt to load PPOINT.EXE program over a slow link. It should be loaded locally or off a local network server.

  • Make sure to configure Excel to generate TEMP files locally and not on the default drive from which the document is retrieved.

  • Always try to copy the PowerPoint presentation to a local drive—remember: a copy command is the most efficient method for moving data over slow links.

Network Trace—Typical Network Activity Running Microsoft PowerPoint 97 Over the Network

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

29 3.840 BLACKHOLES PIONEERV SMB R NT transact

30 3.841 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

31 3.843 BLACKHOLES PIONEERV SMB R NT create & X, FID = 0x7807

32 3.843 PIONEERV BLACKHOLES SMB C NT create & X, File = \Tech01.ppt

33 3.844 BLACKHOLES PIONEERV SMB R NT transact

34 3.844 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

35 3.849 PIONEERV BLACKHOLES SMB C read & X, FID = 0x7807, Read 0x8000 at 0x00000000

36 3.850 BLACKHOLES PIONEERV SMB R read & X, Read 0x8000

37 3.851 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

38 3.851 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13104926-13104926, ack: 31472886,

win:1

39 3.852 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

40 3.854 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

41 3.854 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13104926-13104926, ack: 31475806

win:1

42 3.855 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

43 3.856 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

44 3.857 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13104926-13104926, ack: 31478726,

win:1

45 3.857 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

46 3.859 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

47 3.859 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13104926-13104926, ack: 31481646,

win:1

48 3.860 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

49 3.861 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

50 3.862 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13104926-13104926, ack: 31484566,

win:1

51 3.863 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

52 3.864 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

...

103 3.907 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

104 3.908 BLACKHOLES PIONEERV SMB R close file

105 3.909 PIONEERV BLACKHOLES SMB C close file, FID = 0x7807

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

106 3.910 BLACKHOLES PIONEERV SMB R NT create & X, FID = 0x600a

107 3.910 PIONEERV BLACKHOLES SMB C NT create & X, File = \Tech01.ppt

108 3.911 PIONEERV BLACKHOLES SMB C read & X, FID = 0x600a, Read 0x1000 at 0x00000000

109 3.912 BLACKHOLES PIONEERV SMB R read & X, Read 0x1000

110 3.913 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

111 3.914 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13105300-13105300, ack: 31536214,

win:1

112 3.914 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1240 Bytes

113 3.979 BLACKHOLES PIONEERV SMB R NT transact

114 3.979 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

115 3.980 BLACKHOLES PIONEERV SMB R NT transact

116 3.981 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

117 3.983 BLACKHOLES PIONEERV SMB R transact2 Open (response)

118 3.983 PIONEERV BLACKHOLES SMB C transact2 Findfirst, File = \Tech01.ppt

119 3.984 BLACKHOLES PIONEERV SMB R NT transact

120 3.984 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

121 3.985 BLACKHOLES PIONEERV SMB R close file

122 3.985 PIONEERV BLACKHOLES SMB C close file, FID = 0x600a

123 3.986 BLACKHOLES PIONEERV SMB R NT create & X, FID = 0x7805

124 3.986 PIONEERV BLACKHOLES SMB C NT create & X, File = \Tech01.ppt

125 3.987 BLACKHOLES PIONEERV SMB R NT transact

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

126 3.987 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

127 3.990 PIONEERV BLACKHOLES SMB C read & X, FID = 0x7805, Read 0x1000 at 0x00000000

128 3.991 BLACKHOLES PIONEERV SMB R read & X, Read 0x1000

129 3.992 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

130 3.993 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13105982-13105982, ack: 31541032,

win:1

131 3.993 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1240 Bytes

132 3.995 PIONEERV BLACKHOLES SMB C read & X, FID = 0x7805, Read 0x600 at 0x0008F000

133 3.996 BLACKHOLES PIONEERV SMB R read & X, Read 0x600

134 3.996 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 140 Bytes

135 3.996 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13106046-13106046, ack: 31543872,

win:1

136 3.998 PIONEERV BLACKHOLES SMB C read & X, FID = 0x7805, Read 0x1000 at 0x0008D000

137 3.999 BLACKHOLES PIONEERV SMB R read & X, Read 0x1000

138 4.001 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

139 4.001 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13106110-13106110, ack: 31546792,

win:1

140 4.002 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1240 Bytes

141 4.006 BLACKHOLES PIONEERV SMB R write, Wrote 0x0

142 4.006 PIONEERV BLACKHOLES SMB C write, FID = 0x7805, Write 0x0 at 0x0008F600

143 4.007 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 216 Bytes

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

144 4.007 PIONEERV BLACKHOLES SMB C transact2 Set file info, FID = 0x7805

145 4.008 BLACKHOLES PIONEERV SMB R transact2 Set file info (response to frame 144)

146 4.008 PIONEERV BLACKHOLES SMB C NT transact - Notify Change

147 4.011 PIONEERV BLACKHOLES SMB C write & X, FID = 0x7805, Write 0x1000 at 0x0008D000

148 4.011 PIONEERV BLACKHOLES NBT SS: Session Message Cont., 1460 Bytes

149 4.011 PIONEERV BLACKHOLES NBT SS: Session Message Cont., 1243 Bytes

150 4.012 BLACKHOLES PIONEERV SMB R NT transact

151 4.013 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 31548461-31548461, ack: 13110498,

win:

152 4.014 BLACKHOLES PIONEERV SMB R write & X, Wrote 0x1000

153 4.014 PIONEERV BLACKHOLES SMB C NT transact - Notify Change

154 4.018 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 31548512-31548512, ack: 13112186,

win:

155 4.018 BLACKHOLES PIONEERV SMB R write & X, Wrote 0x600

156 4.018 PIONEERV BLACKHOLES SMB C write & X, FID = 0x7805, Write 0x600 at 0x0008F000

157 4.018 PIONEERV BLACKHOLES NBT SS: Session Message Cont., 143 Bytes

158 4.030 PIONEERV BLACKHOLES SMB C flush file, FID = 0x7805

159 4.091 BLACKHOLES PIONEERV SMB R NT transact

160 4.093 BLACKHOLES PIONEERV SMB R flush file

161 4.093 PIONEERV BLACKHOLES SMB C NT transact - Notify Change

162 4.095 BLACKHOLES PIONEERV SMB R NT transact

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

163 4.095 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

164 4.098 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 31548790-31548790, ack: 13114003,

win:

165 4.098 BLACKHOLES PIONEERV SMB R write & X, Wrote 0x600

166 4.098 PIONEERV BLACKHOLES SMB C write & X, FID = 0x7805, Write 0x600 at 0x0008F000

167 4.098 PIONEERV BLACKHOLES NBT SS: Session Message Cont., 143 Bytes

168 4.099 BLACKHOLES PIONEERV SMB R close file

169 4.099 PIONEERV BLACKHOLES SMB C close file, FID = 0x7805

170 4.100 BLACKHOLES PIONEERV SMB R NT transact

171 4.100 PIONEERV BLACKHOLES SMB C NT create & X, File = \Tech01.ppt

172 4.102 BLACKHOLES PIONEERV SMB R NT create & X, FID = 0x780e

173 4.102 PIONEERV BLACKHOLES SMB C NT transact - Notify Change

174 4.103 BLACKHOLES PIONEERV SMB R transact2 NT Get DFS Referral (response)

175 4.104 PIONEERV BLACKHOLES SMB C transact2 Set file info, FID = 0x780e

176 4.104 BLACKHOLES PIONEERV SMB R NT transact - Notify Change (response to frame 173)

177 4.104 PIONEERV BLACKHOLES SMB C close file, FID = 0x780e

178 4.106 BLACKHOLES PIONEERV SMB R close file

179 4.106 PIONEERV BLACKHOLES SMB C NT transact - Notify Change

180 4.107 BLACKHOLES PIONEERV SMB R NT transact

181 4.107 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

182 4.108 BLACKHOLES PIONEERV SMB R NT create & X, FID = 0x5809

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

183 4.108 PIONEERV BLACKHOLES SMB C NT create & X, File = \Tech01.ppt

184 4.109 BLACKHOLES PIONEERV SMB R transact2 NT Get DFS Referral (response)

185 4.110 PIONEERV BLACKHOLES SMB C transact2 Set file info, FID = 0x5809

186 4.110 BLACKHOLES PIONEERV SMB R NT transact - Notify Change (response to frame 179)

187 4.110 PIONEERV BLACKHOLES SMB C close file, FID = 0x5809

188 4.113 BLACKHOLES PIONEERV SMB R close file

189 4.113 PIONEERV BLACKHOLES SMB C NT transact - Notify Change

190 4.115 BLACKHOLES PIONEERV SMB R NT transact

191 4.115 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

192 4.116 BLACKHOLES PIONEERV SMB R NT create & X, FID = 0x680f

193 4.116 PIONEERV BLACKHOLES SMB C NT create & X, File = \Tech01.ppt

194 4.117 BLACKHOLES PIONEERV SMB R NT transact

195 4.117 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

196 4.120 PIONEERV BLACKHOLES SMB C read & X, FID = 0x680f, Read 0x8000 at 0x00000000

197 4.121 BLACKHOLES PIONEERV SMB R read & X, Read 0x8000

198 4.122 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

199 4.123 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13115300-13115300, ack: 31552891,

win:1

200 4.124 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

201 4.125 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

202 4.125 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13115300-13115300, ack: 31555811,

win:1

203 4.126 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

204 4.128 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

205 4.128 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13115300-13115300, ack: 31558731,

win:1

206 4.129 BLACKHOLES PIONEERV NBT SS: Session Message Cont., 1460 Bytes

353 4.494 PIONEERV BLACKHOLES SMB C transact2 Query path info, File = \#96.mci

354 4.711 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13116436-13116436, ack: 31679330,

win:1

355 6.122 BLACKHOLES PIONEERV SMB R transact2 Open (response)

356 6.122 PIONEERV BLACKHOLES SMB C transact2 Findfirst, File = \*

357 6.127 BLACKHOLES PIONEERV SMB R transact2 Open (response)

358 6.128 PIONEERV BLACKHOLES SMB C transact2 Query file system info

359 6.131 BLACKHOLES PIONEERV SMB R find close

360 6.131 PIONEERV BLACKHOLES SMB C find close, FID = 0x1807

...

512 9.255 PIONEERV BLACKHOLES SMB C transact2 Query path info, File = \mciwave.dll

513 9.259 BLACKHOLES PIONEERV SMB R NT transact

Network Monitor trace Sun 03/05/98 12:57:59 PowerPoint 97. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

514 9.259 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

...

895 12.702 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

896 12.703 BLACKHOLES PIONEERV SMB R transact2 - NT error, System, Error, Code = (52)

897 12.703 PIONEERV BLACKHOLES SMB C transact2 Query path info, File = \OLEAUT32.dll

898 12.755 BLACKHOLES PIONEERV SMB R NT transact

899 12.756 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

900 12.924 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13126675-13126675, ack: 31993906,

win:1

901 13.343 BLACKHOLES PIONEERV SMB R NT transact

902 13.343 PIONEERV BLACKHOLES SMB C NT transact - NT IOCTL

903 13.345 BLACKHOLES PIONEERV SMB R transact2 Open (response)

904 13.345 PIONEERV BLACKHOLES SMB C transact2 Findfirst, File = \Tech01.ppt

905 13.456 BLACKHOLES PIONEERV SMB R NT create & X, FID = 0x7006

906 13.456 PIONEERV BLACKHOLES SMB C NT create & X, File = \srvsvc

907 13.458 BLACKHOLES PIONEERV SMB R transact

...

913 13.465 BLACKHOLES PIONEERV SMB R close file

914 13.465 PIONEERV BLACKHOLES SMB C close file, FID = 0x7006

915 13.625 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 13127429-13127429, ack: 31996636,

win:1

916 13.736 PIONEERV BLACKHOLES SMB C read & X, FID = 0x680f, Read 0x8000 at 0x00018000

917 13.737 BLACKHOLES PIONEERV SMB R read & X, Read 0x8000

Microsoft Outlook 98

Exchange RPC Transport

The Exchange Server provider is based on RPCs. By using RPCs the Exchange client benefits from single-logon authentication, single bit reorder for encryption of mail traffic over the LAN, and protocol independence. The RPC interface includes full functionality for the Exchange client. In addition to the three features above, the client provides a full Messaging Application Interface (MAPI) that provides an automated access for offline and on-line address book. As part of the negotiation, the RPC interface determines if the mailbox has moved and if it has the software automatically reconfigures the client to use the correct Exchange Server. This interface increases performance by compressing e-mail to and from the desktop. RPC connections are session-based: the system logs on only once, which also reduces network traffic.

Message Storage Options

  • On the Exchange Server. This generates a lot of traffic because all titles must come down the pipe and most users prefer opening mail in auto view, reading the first 20 lines or so, then opening each message as they work through the inbox.

  • Locally in a Personal Store (PST). Messages are delivered to the local PST in the background, using Outlook 98's multi-threaded capability.

  • In an Offline Store (OST). One copy of the message is stored on the network and one locally. The user can make changes off line and the system synchronizes both stores when the user reconnects to the network.

  • Using the Remote Mail (Dial-up Networking). Even without a local modem you can select "use existing connection," connect to the server store, and pick which messages to download rather than downloading them all. This differs from the first option in that only titles are displayed and the tools are optimized for high-latency and lower-speed links.

Short Cuts

The Outlook client's desktop design allows you to create Short Cuts to folders on the Exchange Server. The default configuration has all the mail short cuts referenced over the network. The trace below (Outlook RPC Default) shows Outlook booting up and logging in. While Outlook is loading it must enumerate all the short cuts. To see if Outlook is completely initialized, use the Tools option on the pull-down menu. The Outlook client may take a while to respond while initializing all the default short cuts—Inbox, Calendar, Notes, Contacts, Tasks and Public folders.

The second trace below (Outlook RPC Local PST without Short Cuts) shows that only 41 packets were generated (the default configuration generated 176 packets). In a high-latency network, 135 packets can make quite a difference in response times.

Performance Hints and Tips

  • For best performance the client should have a local Exchange Server. This shields the user from any high-latency and dial-up issues. (See the Microsoft Exchange Server section below.)

  • For best performance over high-latency or slow links, use a local PST to store mail.

  • Make sure to remove any toolbar short cut references for use over high-latency or slow links; reference only local folders.

  • Frequent connecting and disconnecting create traffic; it is more efficient to connect and stay connected. Users who have to connect frequently can also use the dial-up feature.

Exchange Service Provider

The Exchange Service provider controls the connection order of protocols used by the Exchange RPC Provider. This registry entry lists the current protocols available for RPC connection. Each is tried in the RPC_Bindings_Order until a connection is made.

HKEY_LOCAL_MACHINE\Software\Microsoft\Exhange\Exchange Provider

Cc767910.opt6_14(en-us,TechNet.10).gif

Figure 6.14: Looking for the RPC_Binding_Order with Registry Editor (REGEDIT.EXE).
  • NCALRPC—Local RPC is the first in the binding order. This is a local RPC internal to the machine; it does not pass over the network.

  • NCACN_IP_TCP—This binding creates an RPC connection using the TCP transport (a connection state instead of a connectionless state).

  • NCACN_SPX—This binding creates an RPC connection using the Sequenced Package Exchange (SPX) protocol.

  • NCACN_NP—This binding creates an RPC connection using a NamePipe interface. When more than one NetBIOS is loaded, the provider tries each in the NetBIOS binding order.

  • NETBIOS—This binding creates an RPC connection using the NetBEUI protocol.

  • NCACN_VNS_SPP—This binding creates an RPC connection using the Banyan Vines scalable parallel processing (SPP) protocol (a connection state instead of a connectionless state).

Outlook 98 binding order has been changed from previous versions to optimize performance order, trying first for TCP, the most efficient. If connection cannot be established, the provider tries the next binding. This can have inconvenient consequences. For instance, if you mistype a server name you have to wait for all six bindings to fail or for a security credential mismatch to prompt for a password six times, once for each binding. So while this is a good default configuration for an unknown network, you should consider deleting unsupported protocols from the list when you deploy: it makes for faster error message response and higher user satisfaction.

Performance Hints and Tips

  • When using TCP provider for fastest response in a high-latency or dial-up network, use HOSTS file for the Exchange Server.

  • When using TCP provider make sure the DNS is configured properly and the Exchange Server is listed in DNS, or you will have to wait up to 3 x 750 ms before an error message is issued or the next bindings are tried.

  • When using Name-Pipe over TCP/IP for fastest response in a high-latency or dial-up network, include an LMHOSTS #PRE entry for the Exchange Server.

  • When using Name-Pipe over TCP/IP, make sure the WINS is configured properly and the Exchange Server is listed in the WINS database, or you will have to wait up to 3 x 750 ms before an error message is issued or the next bindings are tried.

  • Delete unsupported protocols for better performance at connect time.

Network Trace—Outlook RPC Default

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 2.774 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116498-116501, ack: 120353, win: 87

2 2.775 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120352-120355, ack: 0, win:163

3 2.775 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120353-120353, ack: 116499, win:163

4 2.777 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x0 assoc grp 0x187C5 xmit

5 2.777 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID E1AF8308-5D1F-11C9-91A4-

6 2.779 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1 context 0x0 hint 0x80

cancels 0

7 2.779 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1 opnum 0x3 context 0x0 hint

8 2.780 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116711-116711, ack: 120582, win: 85

9 2.780 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 120581-120581, ack: 116711, win:161

10 2.780 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 116711-116711, ack: 120582, win: 85

11 2.780 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120582-120582, ack: 116712, win:161

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

12 2.790 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116509-116512, ack: 120367, win: 87

13 2.790 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120366-120369, ack: 0, win:163

14 2.791 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120367-120367, ack: 116510, win:163

15 2.792 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x1 assoc grp 0x1D69C xmit

16 2.793 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID F5CC5A18-4264-101A-8C59-

17 2.794 BLACKHOLES PIONEERV R_NSPI Error: Bad Opcode (Function does not exist)

18 2.794 PIONEERV BLACKHOLES R_NSPI RPC Client call nspi:NspiBind(..)

19 2.858 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116524-116527, ack: 120368, win: 87

20 2.858 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120367-120370, ack: 0, win:163

21 2.858 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120368-120368, ack: 116525, win:163

22 2.861 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x44 assoc grp 0x1D69C xmit

23 2.861 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID F5CC5A18-4264-101A-8C59-

24 2.867 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116657-116657, ack: 120806, win: 83

25 2.868 PIONEERV BLACKHOLES TCP .AP..., len: 198, seq: 120496-120693, ack: 116657,

win:162

26 2.868 PIONEERV BLACKHOLES R_NSPI RPC Client call nspi:NspiBind(..)

27 2.874 BLACKHOLES PIONEERV R_NSPI RPC Server response nspi:NspiBind(..)

28 2.931 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120523-120523, ack: 116638, win:162

29 2.975 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116529-116532, ack: 120381, win: 87

30 2.975 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120380-120383, ack: 0, win:163

31 2.975 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120381-120381, ack: 116530, win:163

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

32 2.977 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x0 assoc grp 0x187C6 xmit

33 2.977 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID E1AF8308-5D1F-11C9-91A4-

34 2.978 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1 context 0x0 hint 0x80 cancels

35 2.978 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1 opnum 0x3 context 0x0 hint

36 2.979 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116742-116742, ack: 120610, win: 85

37 2.979 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 120609-120609, ack: 116742, win:161

38 2.979 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 116742-116742, ack: 120610, win: 85

39 2.979 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120610-120610, ack: 116743, win:161

40 2.990 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116532-116535, ack: 120383, win: 87

41 2.990 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120382-120385, ack: 0, win:163

42 2.990 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120383-120383, ack: 116533, win:163

43 2.993 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x0 assoc grp 0x1F85A xmit

44 2.993 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID A4F1DB00-CA47-1067-B31F-

45 3.001 PIONEERV BLACKHOLES TCP .AP..., len: 198, seq: 120511-120708, ack: 116665,

win:162

46 3.004 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116665-116665, ack: 120885, win: 82

47 3.004 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1 opnum 0x0 context 0x0 hint

48 3.016 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1 context 0x0 hint 0x9C cancels

49 3.016 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120806-120806, ack: 116753, win:161

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

50 3.031 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x2 opnum 0x2 context 0x0 hint

51 3.047 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x2 context 0x0 hint 0xD4

cancels

52 3.064 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x3 context 0x0 hint 0x58 cancels

53 3.064 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x3 opnum 0x2 context 0x0 hint

54 3.212 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x4 opnum 0x2 context 0x0 hint

55 3.214 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x4 context 0x0 hint 0x34 cancels

56 3.219 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x5 context 0x0 hint 0x108

cancels

57 3.219 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x5 opnum 0x2 context 0x0 hint

58 3.225 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x6 context 0x0 hint 0x238

cancels

59 3.225 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x6 opnum 0x2 context 0x0 hint

60 3.230 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x7 context 0x0 hint 0x1C cancels

61 3.231 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x7 opnum 0x4 context 0x0 hint

62 3.305 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x8 context 0x0 hint 0xA0

cancels

63 3.305 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x8 opnum 0x2 context 0x0 hint

64 3.310 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x9 context 0x0 hint 0x1D0

65 3.310 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x9 opnum 0x2 context 0x0 hint

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

66 3.398 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0xA context 0x0 hint 0x44

cancels

67 3.398 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0xA opnum 0x2 context 0x0 hint

68 3.401 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0xB context 0x0 hint 0x58 cancels

69 3.402 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0xB opnum 0x2 context 0x0 hint

70 3.463 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0xC context 0x0 hint 0x5C

cancels

71 3.463 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0xC opnum 0x2 context 0x0 hint

72 3.592 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0xD context 0x0 hint 0x58

cancels

73 3.592 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0xD opnum 0x2 context 0x0 hint

74 3.732 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 123029-123029, ack: 119705, win:150

75 3.929 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116546-116549, ack: 120385, win: 87

76 3.929 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120384-120387, ack: 0, win:163

77 3.929 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120385-120385, ack: 116547, win:163

78 3.931 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0xA assoc grp 0x187C7 xmit

79 3.931 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID E1AF8308-5D1F-11C9-91A4-

80 3.933 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1 context 0x0 hint 0x80 cancels

81 3.933 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1 opnum 0x3 context 0x0 hint

82 3.934 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116759-116759, ack: 120614, win: 85

83 3.934 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 120613-120613, ack: 116759, win:161

84 3.934 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 116759-116759, ack: 120614, win: 85

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

85 3.934 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120614-120614, ack: 116760, win:161

86 3.945 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116558-116561, ack: 120400, win: 87

87 3.945 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120399-120402, ack: 0, win:163

88 3.945 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120400-120400, ack: 116559, win:163

89 3.947 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x0 assoc grp 0x1D69D xmit

90 3.947 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID F5CC5A18-4264-101A-8C59-

91 3.948 BLACKHOLES PIONEERV R_NSPI Error: Bad Opcode (Function does not exist)

92 3.948 PIONEERV BLACKHOLES R_NSPI RPC Client call nspi:NspiBind(..)

93 3.959 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116566-116569, ack: 120402, win: 87

94 3.959 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120401-120404, ack: 0, win:163

95 3.959 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120402-120402, ack: 116567, win:163

96 3.962 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x44 assoc grp 0x1D69D xmit

97 3.962 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID F5CC5A18-4264-101A-8C59-

98 3.965 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116699-116699, ack: 120840, win: 83

99 3.965 PIONEERV BLACKHOLES TCP .AP..., len: 198, seq: 120530-120727, ack: 116699, win:162

100 3.965 PIONEERV BLACKHOLES R_NSPI RPC Client call nspi:NspiBind(..)

101 3.973 BLACKHOLES PIONEERV R_NSPI RPC Server response nspi:NspiBind(..)

102 4.094 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116579-116582, ack: 120416, win: 87

103 4.094 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120415-120418, ack: 0, win:163

104 4.094 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120416-120416, ack: 116580, win:163

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

105 4.095 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x1 assoc grp 0x187C8 xmit

106 4.095 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID E1AF8308-5D1F-11C9-91A4-

107 4.096 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1 context 0x0 hint 0x80 cancels

108 4.097 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1 opnum 0x3 context 0x0 hint

109 4.097 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116792-116792, ack: 120645, win: 85

110 4.097 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 120644-120644, ack: 116792, win:161

111 4.098 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 116792-116792, ack: 120645, win: 85

112 4.098 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120645-120645, ack: 116793, win:161

113 4.108 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116590-116593, ack: 120427, win: 87

114 4.108 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120426-120429, ack: 0, win:163

115 4.108 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120427-120427, ack: 116591, win:163

116 4.111 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x0 assoc grp 0x1F85B xmit

117 4.111 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID A4F1DB00-CA47-1067-B31F-

118 4.114 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116723-116723, ack: 120929, win: 82

119 4.114 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120556-120556, ack: 116687, win:162

120 4.114 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120840-120840, ack: 116795, win:161

121 4.114 PIONEERV BLACKHOLES TCP AP..., len: 198, seq: 120555-120752, ack: 116723, win:162

122 4.114 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1 opnum 0x0 context 0x0 hint

123 4.128 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1 context 0x0 hint 0x9C cancels

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

124 4.131 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x2 context 0x0 hint 0xD4 cancels

125 4.131 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x2 opnum 0x2 context 0x0 hint

126 4.333 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 121105-121105, ack: 117203, win:157

127 5.153 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 116594-116597, ack: 120435, win: 87

128 5.153 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120434-120437, ack: 0, win:163

129 5.153 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120435-120435, ack: 116595, win:163

130 5.155 BLACKHOLES PIONEERV MSRPC c/o RPC Bind Ack: call 0x44 assoc grp 0x187C9 xmit

131 5.155 PIONEERV BLACKHOLES MSRPC c/o RPC Bind: UUID E1AF8308-5D1F-11C9-91A4-

132 5.157 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1 context 0x0 hint 0x80 cancels

133 5.157 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1 opnum 0x3 context 0x0 hint

134 5.158 BLACKHOLES PIONEERV TCP A...., len: 0, seq: 116807-116807, ack: 120664, win: 85

135 5.158 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 120663-120663, ack: 116807, win:161

136 5.158 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 116807-116807, ack: 120664, win: 85

137 5.158 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120664-120664, ack: 116808, win:161

138 5.170 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x3 context 0x0 hint 0x9C cancels

139 5.170 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x3 opnum 0x0 context 0x0 hint

140 5.173 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x4 context 0x0 hint 0xD4 cancels

141 5.173 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x4 opnum 0x2 context 0x0 hint

142 5.189 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x5 context 0x0 hint 0x1C cancels

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

143 5.189 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x5 opnum 0x4 context 0x0 hint

144 5.296 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x6 context 0x0 hint 0x5C cancels

145 5.296 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x6 opnum 0x2 context 0x0 hint

146 5.435 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 121745-121745, ack: 117907, win:150

147 8.620 PIONEERV BLACKHOLES R_NSPI RPC Client call nspi:NspiGetHierarchyInfo(..)

148 8.620 BLACKHOLES PIONEERV R_NSPI RPC Server response nspi:NspiGetHierarchyInfo(..)

149 8.668 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0xE context 0x0 hint 0xB8 cancels

150 8.668 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0xE opnum 0x2 context 0x0 hint

151 8.717 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0xF context 0x0 hint 0xA8 cancels

152 8.717 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0xF opnum 0x2 context 0x0 hint

153 8.729 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x10 context 0x0 hint 0x84

154 8.729 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x10 opnum 0x2 context 0x0 hint

155 8.740 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x11 context 0x0 hint 0x44

156 8.740 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x11 opnum 0x2 context 0x0 hint

157 8.744 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x12 context 0x0 hint 0x78

158 8.744 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x12 opnum 0x2 context 0x0 hint

159 8.748 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x13 context 0x0 hint 0x1B8

160 8.748 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x13 opnum 0x2 context 0x0 hint

161 8.751 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x14 context 0x0 hint 0xBC

Network Monitor trace Fri 11/13/98 23:09:22 \OutlookRPCDefault. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

162 8.751 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x14 opnum 0x2 context 0x0 hint

163 8.770 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x15 context 0x0 hint 0x70

164 8.770 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x15 opnum 0x2 context 0x0 hint

165 8.840 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120918-120918, ack: 117761, win:151

166 8.941 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 124501-124501, ack: 121561, win:163

167 23.034 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116638-116638, ack: 120524, win: 86

168 23.034 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 120523-120523, ack: 116638, win:162

169 23.035 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 116638-116638, ack: 120524, win: 86

170 23.035 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120524-120524, ack: 116639, win:162

171 23.404 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 116687-116687, ack: 120557, win: 86

172 23.405 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 120556-120556, ack: 116687, win:162

173 23.405 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 116687-116687, ack: 120557, win: 86

174 23.405 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120557-120557, ack: 116688, win:162

175 57.849 BLACKHOLES PIONEERV NBT NS: Query (Node Status) resp. for JSPNRMPTGSBSSDIR,

176 57.849 PIONEERV BLACKHOLES NBT NS: Query req. for JSPNRMPTGSBSSDIR

177 0.000 000000000000 000000000000 STATS Number of Frames Captured = 176

Network Trace—Outlook RPC Local PST Without Shortcuts

Network Monitor trace Fri 11/13/98 23:12:44 \OutlookRPC Local PST without Shortcuts.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 3.391 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x5 context 0x0 hint 0x1C cancels

Network Monitor trace Fri 11/13/98 23:12:44 \OutlookRPC Local PST without Shortcuts. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

2 3.391 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x5 opnum 0x7 context 0x0 hint

3 3.394 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x6 opnum 0x3 context 0x0 hint

4 3.394 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x6 context 0x0 hint 0x254 cancels

5 3.542 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 121799-121799, ack: 119530, win:156

6 4.413 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x7 context 0x0 hint 0x1C cancels

7 4.413 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x7 opnum 0x7 context 0x0 hint

8 4.418 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x8 context 0x0 hint 0x190 cancels

9 4.418 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x8 opnum 0x9 context 0x0 hint

10 4.430 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x9 context 0x0 hint 0x1C cancels

11 4.430 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x9 opnum 0x7 context 0x0 hint

12 4.433 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0xA context 0x0 hint 0x244

13 4.433 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0xA opnum 0x3 context 0x0 hint

14 4.436 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 123895-123895, ack: 127056, win: 87

15 4.437 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x15 opnum 0x2 context 0x0 hint

16 4.437 PIONEERV BLACKHOLES TCP .AP..., len: 156, seq: 126900-127055, ack: 123895, win:161

17 4.643 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 122519-122519, ack: 119675, win:151

18 4.751 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x15 context 0x0 hint 0x218

Network Monitor trace Fri 11/13/98 23:12:44 \OutlookRPC Local PST without Shortcuts. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

19 4.796 BLACKHOLES PIONEERV UDP Src Port: Unknown, (1088); Dst Port: Unknown (1272); Length =

20 4.796 BLACKHOLES PIONEERV UDP Src Port: Unknown, (1089); Dst Port: Unknown (1279); Length =

21 4.800 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x16 context 0x0 hint 0x6C

22 4.800 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x16 opnum 0x2 context 0x0 hint

23 4.800 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x16 opnum 0x2 context 0x0 hint

24 4.800 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x16 context 0x0 hint 0x84 cancels

25 4.944 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 127152-127152, ack: 124679, win:153

26 4.944 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 125228-125228, ack: 121763, win:163

27 6.768 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x17 context 0x0 hint 0x3C

28 6.768 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x17 opnum 0x2 context 0x0 hint

29 6.947 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 127248-127248, ack: 124791, win:152

30 8.775 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x18 context 0x0 hint 0x64 cancels

31 8.775 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x18 opnum 0x2 context 0x0 hint

32 8.784 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x19 opnum 0x2 context 0x0 hint

33 8.785 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x19 context 0x0 hint 0xEA8

34 8.786 BLACKHOLES PIONEERV TCP .A...., len: 1460, seq: 126411-127870, ack: 127504, win: 83

35 8.786 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 127504-127504, ack: 127871, win:163

Network Monitor trace Fri 11/13/98 23:12:44 \OutlookRPC Local PST without Shortcuts. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

36 8.786 BLACKHOLES PIONEERV TCP .AP..., len: 888, seq: 127871-128758, ack: 127504, win: 83

37 8.811 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1A context 0x0 hint 0x2C

38 8.811 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1A opnum 0x2 context 0x0 hint

39 8.950 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 127600-127600, ack: 128855, win:154

40 8.980 PIONEERV BLACKHOLES MSRPC c/o RPC Request: call 0x1B opnum 0x2 context 0x0 hint

41 9.026 BLACKHOLES PIONEERV MSRPC c/o RPC Response: call 0x1B context 0x0 hint 0x58

42 0.000 000000000000 000000000000 STATS Number of Frames Captured = 41

SMTP Transport

The Simple Mail Transport Protocol (SMTP) is a lightweight mail transport and an unsecured environment. In SMTP, anyone can send e-mail as (or otherwise impersonate) another mail user. SMTP passes the user name and password over the network in clear text.

You can configure the client to use a Secure Socket Layer (SSL) for more secure communication, but then you must manage the certificates required on both sides of the communication pipe. Each time you send or receive e-mail you must log onto the SMTP server. The more messages you send and receive, the more traffic is generated—for text and for the overhead of making and breaking connections.

SMTP does not offer online or offline address book. The mail server name must be maintained at the client; if you move the mailbox for load balancing or performance reasons you must reconfigure the client. These features (address book and name change) must be created and maintained outside of the mail client by the user. The trace below shows that an SMTP e-mail send generates only 24 packets. It also shows that SMTP has to negotiate and logon for every block of e-mail, and this can be frequent, causing significant traffic. The trace for Outlook RPC with a PST (above) shows that it requires 41 packets to log on and initialize once, after which only e-mail traffic passes up and down. As a rule, this should generate fewer than 24 packets for each e-mail message.

Performance Hints and Tips

  • When using SMTP make sure to batch your mail as much as possible. When sending in a batch mode, SMTP tries to logon and logoff as infrequently as it can.

Network Trace—SMTP Send

Network Monitor trace Fri 11/13/98 23:10:45 \SMTP SEND.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 12.025 BLACKHOLES PIONEERV TCP .A..S., len: 4, seq: 117045-117048, ack: 120798, win: 87

2 12.025 PIONEERV BLACKHOLES TCP ....S., len: 4, seq: 120797-120800, ack: 0, win:163

3 12.025 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 120798-120798, ack: 117046, win:163

4 27.043 BLACKHOLES PIONEERV NBT NS: Query req. for *<00...(15)>

5 27.043 PIONEERV BLACKHOLES NBT NS: Query (Node Status) resp. for *<00...(15)>, Success

6 27.045 BLACKHOLES PIONEERV SMTP Rsp: Service ready, 106 bytes

7 27.046 BLACKHOLES PIONEERV SMTP Rsp: Requested mail action okay, completed, 8 bytes

8 27.047 PIONEERV BLACKHOLES SMTP Cmd: Hello, host identifier, 15 bytes

9 27.048 BLACKHOLES PIONEERV SMTP Rsp: Requested mail action okay, completed, 53 bytes

10 27.048 PIONEERV BLACKHOLES SMTP Cmd: Mail from <administrator@myowncompany.com>, 45

11 27.049 BLACKHOLES PIONEERV SMTP Rsp: Requested mail action okay, completed, 53 bytes

12 27.049 PIONEERV BLACKHOLES SMTP Cmd: Recipient <administrator@myowncompany.com>, 43

13 27.052 BLACKHOLES PIONEERV SMTP Rsp: Enter mail ..., 36 bytes

14 27.052 PIONEERV BLACKHOLES SMTP Cmd: Data: Mail data to follow, 6 bytes

Network Monitor trace Fri 11/13/98 23:10:45 \SMTP SEND. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

15 27.071 PIONEERV BLACKHOLES SMTP Data - continued from frame 14, 558 bytes

16 27.182 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 117302-117302, ack: 121465, win: 80

17 27.183 PIONEERV BLACKHOLES SMTP Data - continued from frame 15, 5 bytes

18 27.216 BLACKHOLES PIONEERV SMTP Rsp: Requested mail action okay, completed, 8 bytes

19 27.221 BLACKHOLES PIONEERV SMTP Rsp: Service closing transmission channel, 24 bytes

20 27.221 PIONEERV BLACKHOLES SMTP Cmd: Quit, losing connection, 6 bytes

21 27.222 BLACKHOLES PIONEERV TCP .A...., len: 0, seq: 117334-117334, ack: 121477, win: 80

22 27.222 PIONEERV BLACKHOLES TCP .A...F, len: 0, seq: 121476-121476, ack: 117334, win:160

23 27.222 BLACKHOLES PIONEERV TCP .A...F, len: 0, seq: 117334-117334, ack: 121477, win: 80

24 27.222 PIONEERV BLACKHOLES TCP .A...., len: 0, seq: 121477-121477, ack: 117335, win:160

25 0.000 000000000000 000000000000 STATS Number of Frames Captured = 24

IMAP4 Transport

The transport (IMAP4) is a more efficient version of SMTP. The security model is better but still lacks an online or offline address book. The mail server name must be maintained at the client, so if you move the mailbox for load balancing or performance you must reconfigure the client.

Performance Hints and Tips

  • When using IMAP4, make sure to batch mail as much as possible.

Microsoft Outlook Web Access (OWA)

If you must leave your e-mail up on a central Exchange Server and on the hub site, Outlook Web Access may be an option for you. Using OWA, all e-mail is left on the Exchange Server, and the Internet Information Server (IIS) renders a HyperText Markup Language (HTML) version of the e-mail message down to the client—using HTTP (an Internet communications protocol). HTTP is a lightweight protocol and does not timeout very easily. OWA offers e-mail and calendar access by using a simple browser on the remote client desktop.

Performance Hints and Tips

  • Make sure to configure your BcastQueryTimeout large enough to allow time for computer name resolution, which takes longer when OWA is used.

Microsoft Exchange Server

Microsoft Exchange Server uses an RPC interface to communicate between servers. This requires high-speed connection, which usually is available within a LAN. If the connection passes across a router, a site connector can be configured to boost performance by controlling data flow.

In high-latency, dial-up, and slow-link environments, putting an Exchange Server at each remote site provides the best performance and user satisfaction. This allows clients to communicate with the Exchange Server directly at LAN speeds, and to use the servers to store and forward (in the background) e-mail and directory information. Three types of connectors manage flow control across a WAN environment: Exchange Site Connector, Exchange X.400 Site Connector, and Exchange Internet Site Connector.

Exchange Site Connector

This is an RPC interface that functions like the default communication between servers but can be configured to control the flow of data by scheduling windows. It requires high-speed connections, so in WAN applications you should use a T1 line at least. In a lot of sites the T1 does not provide enough bandwidth and has to be upgraded to an ATM network. This is why two additional connectors are provided.

Performance Hints and Tips

  • Do not use this connector over any high-latency, dial-up, or slow connection: it will thrash and fill the communication pipe.

Exchange X.400 Site Connector

The X.400 Site Connector provides the most flexibility, because X.400 protocol has very granular timing options for all Microsoft site connectors. In a satellite network with peak of 28.8 baud and minimum level of 9600 baud, even an 800,000-object Exchange Directory replicates flawlessly.

Performance Hints and Tips

  • This is the best connector over high-latency, dial-up, and slow links. It will not thrash, and it has timeout parameters for the different levels of the X.400 protocol.

Exchange Internet Site Connector

This is designed to connect Exchange sites through the Internet. It is a secured connection and encrypted, but it does not offer the flexibility of the X.400 Site Connector.

Performance Hints and Tips

  • In the event of Exchange Internet Site Connector thrashing, the only current alternative is to use the Microsoft X.400 Site Connector, which has been designed for high-latency, dial-up, and slow links. Microsoft is working on a more resilient Internet Site Connector.

Microsoft SQL 6.5/7.0

NamePipe

The NamePipe default configuration for SQL DBLIB can be configured to support data sizes up to 64K but defaults to 512 bytes for SQL use. Below is a sample query using SQL Authors database file.

Select * from authors.

au_id

au_lname

au_fname

phone

address

city

state

zip

922-32-9926

White

Johnson

408 496-7223

90932 Bigge Rd.

Kenlo Park

CA

94026 9

293-46-8996

Green

Karjorie

496 986-7020

309 63rd St. #499

Oakland

CA

94698 9

238-96-2266

Carson

Cheryl

496 698-7723

689 Darwin Ln.

Berkeley

CA

94706 9

262-49-2394

O'Leary

Kichael

408 286-2428

22 Cleveland Av. #94

San Jose

CA

96928 9

224-80-9399

Straught

Deon

496 834-2999

6420 College Av.

Oakland

CA

94609 9

349-22-9282

Skith

Keander

993 843-0462

90 Kississippi Dr.

Lawrence

KS

66044 0

Select * from authors. (continued)

au_id

au_lname

au_fname

phone

address

city

state

zip

409-66-2008

Bennet

Abrahak

496 668-9932

6223 Batekan St.

Berkeley

RI

94706 9

422-92-2399

Dull

Randy

496 896-7928

3490 Blande St.

Palo Alto

CA

94309 9

422-22-2349

Gringlesby

Burt

707 938-6446

PO Box 792

Covelo

CA

96428 9

486-29-9286

Locksley

Charlee

496 686-4620

98 Broadway Av.

San Francisco

CA

94930 9

622-22-3246

Greene

Kong

696 292-2223

22 Graybar Big House Rd.

Nashville

TN

32296 0

648-92-9822

Blotchet-Halls

Regina

603 246-6402

66 Hillsdale Bl.

Corvallis

OR

92330 9

622-29-3249

Yokokoto

Akiko

496 936-4228

3 Silver Ct.

Walnut Creek

CA

94696 9

292-46-9862

del Castillo

Innes

696 996-8226

2286 Crak Pl. #86

Ann Arbor

MI

48906 9

222-69-6464

DeFrance

Kichel

299 642-9982

3 Balding Pl.

Gary

IN

46403 9

224-08-9939

Stringer

Dirk

496 843-2999

6420 Telegraph Av.

Oakland

CA

94609 0

224-80-9399

MacFeather

Stearns

496 364-2928

44 Upland Hts.

Darkland

CA

94692 9

266-30-2399

Karsen

Livia

496 634-9299

6220 McAuley St.

Oakland

CA

94609 9

Select * from authors. (continued)

au_id

au_lname

au_fname

phone

address

city

state

zip

266-30-2399

Karsen

Livia

496 634-9299

6220 McAuley St.

Oakland

CA

94609 9

802-99-6664

Vandelay

Art

309 946-8863

9966 Arlington Pl.

Rockville

KY

20863 9

846-92-2986

Hunter

Sheryl

496 836-2928

3490 Blonde St.

Palo Alto

CA

94309 9

893-22-9968

McBadden

Caryl

202 448-4982

309 Putnak

Vacaville

CA

96688 0

899-46-2036

Kramer

Meryl

809 826-0262

62 Seventh Av.

Dent City

CT

44962 9

998-22-3662

Kramer

Dustin

809 826-0262

62 Seventh Av.

Salt Lake City

UT

84962 9

(23 row(s) affected)

The trace below shows that the transactions are broken up into 512-byte blocks; this keeps the application from saturating the network with a large query, preventing other applications from functioning effectively on the network.

Network Monitor trace Sat 04/15/98 03:06:34 SQL NAMEPIPE.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 12.620 EXPLORERIV 3COM 037F17 SMB C write & X, FID = 0x803, Write 0x1b at 0x0

2 12.622 3COM 037F17 EXPLORERIV SMB R write & X, Wrote 0x1b

3 12.626 EXPLORERIV 3COM 037F17 SMB C read & X, FID = 0x803, Read 0x200 at 0x0

4 12.631 3COM 037F17 EXPLORERIV SMB R read & X, Read 0x26

Network Monitor trace Sat 04/15/98 03:06:34 SQL NAMEPIPE. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

5 12.726 EXPLORERIV 3COM 037F17 SMB C write & X, FID = 0x803, Write 0x1f at 0x0

6 12.728 3COM 037F17 EXPLORERIV SMB R write & X, Wrote 0x1f

7 12.837 EXPLORERIV 3COM 037F17 TCP .A...., len: 0, seq:1729734776, ack: 97304, win: 8556

8 12.979 EXPLORERIV 3COM 037F17 SMB C transact PeekNmPipe, FID = 0x803

9 12.981 3COM 037F17 EXPLORERIV SMB R transact (Error)

10 12.985 EXPLORERIV 3COM 037F17 SMB C read & X, FID = 0x803, Read 0x200 at 0x0

11 12.987 3COM 037F17 EXPLORERIV SMB R read & X, Read 0x200

12 13.076 EXPLORERIV 3COM 037F17 SMB C read & X, FID = 0x803, Read 0x200 at 0x0

13 13.078 3COM 037F17 EXPLORERIV SMB R read & X, Read 0x200

14 13.173 EXPLORERIV 3COM 037F17 SMB C read & X, FID = 0x803, Read 0x200 at 0x0

15 13.176 3COM 037F17 EXPLORERIV SMB R read & X, Read 0x200

16 13.212 EXPLORERIV 3COM 037F17 SMB C read & X, FID = 0x803, Read 0x200 at 0x0

17 13.215 3COM 037F17 EXPLORERIV SMB R read & X, Read 0x1a9

18 13.338 EXPLORERIV 3COM 037F17 TCP .A...., len: 0, seq:1729735120, ack: 99597, win: 8271

TCP Sockets

SQL has support for TCP Sockets interface for DBLib and the SQL Server. With this interface, the example query generates only 7 packets (see the SQL WINSOCK trace below) compared to 18 packets for NamePipes (see the SQL NAMEPIPE trace above). The Sockets interface uses the full segment size of the TCP/IP packet interface for the transaction—it is not restricted to 512-byte blocks—and this is very beneficial when using compression techniques over slow links. As voice grade lines start to approach 64Kbs, the modem delivers higher performance by compressing large blocks of data and pushing them through the 28.8 carrier. Trying to move smaller blocks of data (such as 512-byte blocks) through 28.8 voice-grade lines can decrease performance to less than 10 Kb/sec.

Performance Hints and Tips

  • TCP sockets provides the best performance over high-latency, dial-up or slow links.

Network Trace—SQL WINSOCK

Network Monitor trace Sat 04/15/98 03:04:27 SQL WINSOCK.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 5.707 EXPLORERIV 3COM 037F17 TCP .AP..., len: 27, seq:1731074000, ack: 1438552, win: 8760

2 5.714 3COM 037F17 EXPLORERIV TCP .AP..., len: 38, seq: 1438552, ack:1731074027, win: 7357

3 5.806 EXPLORERIV 3COM 037F17 TCP .AP..., len: 31, seq:1731074027, ack: 1438590, win: 8722

4 5.818 3COM 037F17 EXPLORERIV TCP .AP..., len: 512, seq: 1438590, ack:1731074058, win: 7326

5 6.005 EXPLORERIV 3COM 037F17 TCP .A...., len: 0, seq:1731074058, ack: 1439102, win: 8210

6 6.008 3COM 037F17 EXPLORERIV TCP .AP..., len: 1449, seq: 1439102, ack:1731074058, win: 7326

7 6.205 EXPLORERIV 3COM 037F17 TCP .A...., len: 0, seq:1731074058, ack: 1440551, win: 8760

Performance Results

Windows NT3.x COPY Command: Windows NT Server to Windows NT Server SMB Parameters

Figure 6.15 shows some sample performance numbers gathered over a satellite link. The test was transaction-based processing with Aloha channel for ACKs. Note that the default average is 15 Kb. Detecting a slow link, Windows NT disabled raw state and used the default value of 4352 SizReqBuf. The table on page 284 shows the performance impact of increasing the SizReqBuf and TCP/IP Window sizes.

Network Trace—Copy Command Windows NT Clients (page 229) shows the packet movement reading and writing using the default SizReqBuf of 4292; the trace below shows the packet movement reading and writing using the default SizReqBuf of 4352.

Network Trace—Increasing SizReqBuf for Windows NT (pages 230 - 232) demonstrates the use of 12548 SizReqBuf; note the better spacing. The performance chart below shows the significant difference and the impact this change makes.

Figure 6.15: Performance impact over satellite link by adjusting SizReqBuf.

Figure 6.15: Performance impact over satellite link by adjusting SizReqBuf.

Network Trace—Copy Command

Network Monitor trace Sun 03/05/98 13:10:09
Copy Command -COMMAND.COM, CMD.EXE, WINFILE.EXE.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

29 17.022 3COM 8DFB25 VOYAGERIX SMB R read & X, Read 0x10c5

30 17.191 VOYAGERIX 3COM 8DFB25 TCP .A...., len: 0, seq: 3483455, ack: 229189, win: 8760

31 17.692 3COM 8DFB25 VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

32 17.812 3COM 8DFB25 VOYAGERIX NBT SS: Session Message Cont., 1437 Bytes

33 17.813 VOYAGERIX 3COM 8DFB25 TCP .A...., len: 0, seq: 3483455, ack: 232086, win: 8760

34 17.815 VOYAGERIX 3COM 8DFB25 SMB C read & X, FID = 0x804, Read 0x10c5 at 0x318a

35 19.314 3COM 8DFB25 VOYAGERIX SMB R read & X, Read 0x10c5

36 19.494 VOYAGERIX 3COM 8DFB25 TCP .A...., len: 0, seq: 3483519, ack: 233546, win: 8760

37 19.984 3COM 8DFB25 VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

38 20.095 VOYAGERIX 3COM 8DFB25 TCP .A...., len: 0, seq: 3483519, ack: 235006, win: 8760

39 20.104 3COM 8DFB25 VOYAGERIX NBT SS: Session Message Cont., 1437 Bytes

40 20.107 VOYAGERIX 3COM 8DFB25 SMB C read & X, FID = 0x804, Read 0x10c5 at 0x424f

41 21.656 3COM 8DFB25 VOYAGERIX SMB R read & X, Read 0x10c5

42 21.797 VOYAGERIX 3COM 8DFB25 TCP .A...., len: 0, seq: 3483583, ack: 237903, win: 8760

43 22.325 3COM 8DFB25 VOYAGERIX NBT SS: Session Message Cont., 1460 Bytes

44 22.444 3COM 8DFB25 VOYAGERIX NBT SS: Session Message Cont., 1437 Bytes

Network Monitor trace Sun 03/05/98 13:10:09
Copy Command -COMMAND.COM, CMD.EXE, WINFILE.EXE. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

45 22.446 VOYAGERIX 3COM 8DFB25 TCP .A...., len: 0, seq: 3483583, ack: 240800, win: 8760

46 22.447 VOYAGERIX 3COM 8DFB25 SMB C read & X, FID = 0x804, Read 0x10c5 at 0x5314

Windows NT Server to Windows NT Server TCP/IP Parameters.

Data Type

TCPWindow

Size

SizReqBuf

Outbound

Time

Outbound

Kb/sec

Inbound

Time

Outbound

Kb/sec

Copy

8192 (1)

4352 (1)

7:59

16.7

9:23

14.2

Copy

8192 (1)

8452

6:49

19.6

7:09

18.6

Copy

12288

12548

4:55

27

5:30

24.2

Copy

16644

16384

2:09

31.8

2:03

31.7

 

 

(1) Default parameters of NT 3.51.

Windows 95 to Windows NT Server SMB Parameters

When Windows 95 and Windows for Workgroups 3.11 workstations connect to a Windows NT Server, the server uses raw state (see the trace below), but it still gates the performance to the workstations. The chart below shows that the performance gains are not huge, but sufficient to warrant correcting the parameters. The chart on page 288 lists the parameters changed on the Windows NT Server and not the Windows 95/Windows for Workgroups 3.11 workstations.

Figure 6.16: Windows NT Server gates performance to Windows 95 and Windows for Workgroups workstations.

Figure 6.16: Windows NT Server gates performance to Windows 95 and Windows for Workgroups workstations.

Network Trace—Windows 95 and Windows for Workgroups 3.11 Connect to a Windows NT Server Using Raw State

Network Monitor trace Mon 03/13/98 15:29:44
RAW State Copy Command - COMMAND.COM, CMD.EXE, WINFILE.EXE.

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

1 0.000 COMPAQC8F61A VOYAGERIX SMB C open & X, File = \TEMP\002 (R -Share Deny None)

2 0.005 VOYAGERIX COMPAQC8F61A SMB R open & X, FID = 0x801, File Size = 0xf4240

3 1.341 COMPAQC8F61A VOYAGERIX SMB C close file, FID = 0x80

4 1.343 VOYAGERIX COMPAQC8F61A SMB R close file

5 2.690 COMPAQC8F61A VOYAGERIX SMB C get attributes, File = \TEMP\002

6 2.693 VOYAGERIX COMPAQC8F61A SMB R get attributes

7 4.052 COMPAQC8F61A VOYAGERIX SMB C transact2 FindFirst, File = \TEMP\002

8 4.057 VOYAGERIX COMPAQC8F61A SMB R transact2 FindFirst (response to frame 7)

9 4230548 COMPAQC8F61A VOYAGERIX SMB C open & X, File = \TEMP\002 (R -Share Deny None)

10 4230548 VOYAGERIX COMPAQC8F61A SMB R open & X, FID = 0x801, File Size = 0xf4240

11 4230549 COMPAQC8F61A VOYAGERIX SMB C read block raw, FID = 0x801, Read 0xfe00 at 0x0

12 4230549 VOYAGERIX COMPAQC8F61A NBT SS: Session Message, Len: 65024

13 4230549 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

14 4230549 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

15 4230549 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

16 4230549 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

Network Monitor trace Mon 03/13/98 15:29:44
RAW State Copy Command - COMMAND.COM, CMD.EXE, WINFILE.EXE. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

17 4230551 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2017849, win: 8760

18 4230551 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

19 4230551 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

20 4230551 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

21 4230551 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2020769, win: 8760

22 4230551 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

23 4230551 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

24 4230551 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2022229, win: 8760

25 4230551 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

26 4230553 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2025149, win: 8760

27 4230553 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

28 4230553 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

29 4230553 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2026609, win: 8760

30 4230553 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

31 4230554 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2029529, win: 8760

32 4230554 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

33 4230554 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

34 4230554 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2030989, win: 8760

35 4230554 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

36 4230555 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2033909, win: 8760

37 4230555 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

Network Monitor trace Mon 03/13/98 15:29:44 RAW State Copy Command - COMMAND.COM, CMD.EXE, WINFILE.EXE. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

38 4230555 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

39 4230555 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2035369, win: 8760

40 4230555 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

41 4230556 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2038289, win: 8760

42 4230556 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

43 4230556 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

44 4230556 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2039749, win: 8760

45 4230556 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

46 4230557 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2042669, win: 8760

47 4230557 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

48 4230557 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

49 4230557 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2044129, win: 8760

50 4230557 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

51 4230558 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2047049, win: 8760

52 4230558 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

53 4230558 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

54 4230558 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2048509, win: 8760

55 4230558 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

Network Monitor trace Mon 03/13/98 15:29:44

RAW State Copy Command - COMMAND.COM, CMD.EXE, WINFILE.EXE. (continued)

Frame Time Src MAC Addr Dst MAC Addr Protocol Description

56 4230559 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2051429, win: 8760

57 4230559 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

58 4230559 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

59 4230559 COMPAQC8F61A VOYAGERIX TCP .A...., len: 0, seq: 16140934, ack: 2052889, win: 8760

60 4230559 VOYAGERIX COMPAQC8F61A NBT SS: Session Message Cont., 1460 Bytes

61 4230560 COMPAQC8F61A VOYAGERIX TCP A...., len: 0, seq: 16140934, ack: 2055809, win: 8760

62 4230560 VOYAGERIX COMPAQC8F61A NBT S: Session Message Cont., 1460 Bytes

Windows 95 to Windows NT Server TCP/IP Parameters

TCP/IP parameters.

Data Type

TCPWindow

Size

SizReqBuf

Outbound

Time

Outbound

Kb/sec

Inbound

Time

Outbound

Kb/sec

Copy

8192 (1)

4352 (1)

4.49

27.7

4.25

30.2

Copy

8192 (1)

8452

4:45

28

4.24

30.3

Copy

12288

12548

3.56

33.9

4.25

30.2

 

 

(1) Default parameters of Windows NT 3.51.

Copy Command: Windows 2000 to Windows 2000 SMB Parameters

Figure 6.17: Windows 2000 Post BETA 2 default parameters.

Figure 6.17: Windows 2000 Post BETA 2 default parameters.

Windows NT to Windows NT/Windows 2000 to Windows 2000 FTP Parameters

Figure 6.18: Windows 2000 Post BETA 2 default parameters.

Figure 6.18: Windows 2000 Post BETA 2 default parameters.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft