Win7 constant access to on SAN

[mushisushi]

Hello,

I have a DNS 323 network drive (linux) connected to the home network. Whenever my windows 7 machine is on, the network drive is accessed and is using up a lot of the resources on the network drive.

I've already stopped the windows indexing service but that doesn't seem to be the issue that's causing the problem.

Is there anything else that windows 7 is doing that could be causing this?

 

[logicearth]

It would be what ever software you have that is access a file on the SAN or just accessing the SAN in general. How is the SAN being connected to Windows?

 

[mushisushi]

That's the thing, it's not.

The SAN drive is on the network with a network printer attached as well. Nothing on the windows 7 pc should be accessing the share.

Also, the only directory shared on the SAN is password protected and I don't save passwords on the computer so it shouldn't be able to access the share...

I just installed avast and scanned the computer and nothing showed up....

 

[logicearth]

Can you log incoming network traffic to the SAN? Even packets if you can?

 

[mushisushi]

hum...

Not sure.. I'll have to check the DNS323 forums on that.. basically it's running a skimmed down linux so i'm guess it can, but just need to know how.

I did get information about what port it was coming from, but that's all the information i have so far.

 

[logicearth]

What port is it?

 

[mushisushi]

Tcp 49160

 

[logicearth]

That defiantly isn't any port used by any builtin Windows services...

 

[mushisushi]

Hum, know of anyway to find out what is using that port?

 

[logicearth]

Without having more information, like packets and other information the port number is not going to be much use. Especially since this port "49160" has no registered service attached to it. It is probably being used as a random port...

Since the SAN is Linux, the simplistic TCPDUMP should be more then enough.
http://en.wikipedia.org/wiki/Tcpdump

 

[mushisushi]

Thanks for your help.

I noticed that it was using a random port each time. I've also installed TCPDump on the SAN and gave it a try.

Not really sure how to use it properly. I ran it and verbose it to a log file. Just trying to figure out what it means now.

 

[mushisushi]

Finally, I've gotten a hold of some information using netstat and I believe the culprit is "microsoft-ds" (directory services for smb).

I'm not 100% sure that is the cause of the heavy process load on the smb, but there are only 2 connections from the windows 7 box, it and the telnet session.

Anyone else having issues with the microsoft-ds service?

 

[logicearth]

No it wouldn't be Directory Services unless an active connection was trying to be made to or from the Windows client. A means of parsing TCPDUMP is to only capture packets with a source IP of the Windows machine.

 

[mushisushi]

SOLVED!

DOH!

I was wrong. It turns out I accidentally disabled the 'Client for Microsoft Networks' option in the LAN settings. This in turn disables the microsoft-ds service so it stopped pinging the SMB.

At least now i know it is an issue with how Windows 7 is accessing the SMB share.

 

[mushisushi]

Is there any way to disable the default way windows 7 accesses SMB and use third party tools to access the smb share?

 

[logicearth]

Method 2 might work...
How to disable automatic search for network printers and folders in Windows XP

 

[mushisushi]

Thanks Logic,

Gave the manual regedit a try and that didn't work, however that gave me an idea.

I removed the network printer (printer is attached to the smb device which is then shared so i can print from any computer) and that seems to have fixed the issue.

So, I guess the question is, what is the printer share on windows 7 trying to do. Immediately after I add the printer, I notice my network usage spike and the SMB server lock up.

Anyone having network printer sharing problems?