Showing results for 
Show  only  | Search instead for 
Did you mean: 

This product reached the end of support date on March 31, 2021.

SMB monitoring, identifying All other operations


Hi All,

I have a question regarding the SMB monitoring and how to analyze the "All other operations". I have a manually created Software Service using the SMB decode that is reporting various Read, Control, Write and Session Setup operations and then a substantial amount of All other operations. Interestingly while the All other operations amount to roughly 25% of the operation count, they also amount to roughly 90% of the total traffic per "Total bytes". For this reason it would be very beneficial to understand what does get counted towards the "All other operations".

The system is running on 12.4.




SMB will associate operations with the "All other operations" bucket when it fails to see the resource (e.g. file, directory or share) identifier. Typically it will happen when the AMD is restarted or is missing data (e.g. due to packet loss).



Hi Wojciech,

Thank you for your input. While I agree with your assessment that the lost packets could well result in this kind of reporting, it seems weird in this case. The ratio I mentioned is more or less constant between "All Other Operations" and the recognized operations, especially for the large volume concentration on the catch-all bucket.

Are there any changes on AMD- or Software Service-level that can be tried out to experiment with this?