Wireshark-users: [Wireshark-users] SMB Broadcast Traffic
From: "Stephen Bader" <sbader@xxxxxxxxx>
Date: Fri, 21 Nov 2008 10:11:52 -0600
I am trying to troubleshoot why I am seeing SMB traffic between very limited devices broadcast across an entire VLAN. This is only happening in a single direction, so Wireshark is reporting 'Trans2 Response<unknown>' because it did not see the initial request packet.

The network this is occurring on is entirely switched, so I can't explain why I am seeing this SMB traffic which was taken from a device plugged into the same VLAN as the destination host (10.24.x.x/16). In the sample I've included, there is only a single destination address, but this is happening for a handful of machines.

To run this test, I plugged a laptop into the same VLAN as the destination address, and ran wireshark. The port the laptop was connected to is not a mirror port, but I am still seeing unicast traffic between 10.40.12.18 (a file server) and 10.24.8.167 (a workstation). The laptop has an address of 10.24.100.94. I am only seeing traffic in one direction from 10.40.12.18 --> 10.24.8.167, and I am not seeing traffic in the opposite direction.

In looking at the output from Wireshark, I'm unable to determine why the laptop would have been sent a copy of this packet. Have any of you ever seen anything like this? Am I overlooking something in the packet that is causing it to be broadcast across the entire vlan?

Any help would be greatly appreciated.

Thanks,

-Steve

Attachment: smb.pcap
Description: Binary data