Wireshark · Wireshark-users: Re: [Wireshark-users] ODD SMB packets

Wireshark-users: Re: [Wireshark-users] ODD SMB packets

From: Martin Visser <martinvisser99@xxxxxxxxx>

Date: Sat, 12 Sep 2009 09:59:26 +1000

Haven't seen these before, but I would have two questions:-

1. Is this traffic resulting from normal file sharing activity or some other application that uses SMB as a protocol?
2. If you are not capturing directly at the client or server, is there some packet mangling appliance (especially a WAN accelerator) between your packet capture and the client or server.

Regards, Martin

MartinVisser99@xxxxxxxxx

On Thu, Sep 10, 2009 at 2:23 AM, <Tim.Poth@xxxxxxxxxxx> wrote:

I am looking at a performance issue for a customer and looking at some SMB traffic with path names that make no sense IE -   ?\200????       @@???\217         @@???? (best I can tell there are no “real” paths in the whole capture)

In looking at the “Query_Path_Into” Parameters I see the reserved field is set to 0x03534E46 or SNF text (see below), best I understand this field should be 0 so how did it get populated. SNF could be cisco SNF however I have no way of confirming.

Any thoughts? Anyone see something like this before?

Thanks

Tim

No.     Delta       Time            Source                Destination           Protocol Info

    441 0.231000    12:47:03.954000 10.93.184.182         10.116.176.129        SMB      Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: ?\200????

Frame 441 (224 bytes on wire, 224 bytes captured)

    Arrival Time: Sep 4, 2009 12:47:03.954000000

    [Time delta from previous captured frame: 0.009000000 seconds]

    [Time delta from previous displayed frame: 0.231000000 seconds]

    [Time since reference or first frame: 13.799000000 seconds]

    Frame Number: 441

    Frame Length: 224 bytes

    Capture Length: 224 bytes

    [Frame is marked: False]

    [Protocols in frame: eth:ip:tcp:nbss:smb]

    [Coloring Rule Name: SMB]

    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]

Ethernet II, Src: Ibm_78:bc:c0 (00:1a:64:78:bc:c0), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)

    Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)

        Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Source: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)

        Address: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Type: IP (0x0800)

    Frame check sequence: 0x6bff8010 [incorrect, should be 0xf7b79332]

Internet Protocol, Src: 10.93.184.182 (10.93.184.182), Dst: 10.116.176.129 (10.116.176.129)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x28 (DSCP 0x0a: Assured Forwarding 11; ECN: 0x00)

        0010 10.. = Differentiated Services Codepoint: Assured Forwarding 11 (0x0a)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 206

    Identification: 0x02c6 (710)

    Flags: 0x04 (Don't Fragment)

        0... = Reserved bit: Not set

        .1.. = Don't fragment: Set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 120

    Protocol: TCP (0x06)

    Header checksum: 0x8133 [correct]

        [Good: True]

        [Bad : False]

    Source: 10.93.184.182 (10.93.184.182)

    Destination: 10.116.176.129 (10.116.176.129)

Transmission Control Protocol, Src Port: index-pc-wb (2127), Dst Port: netbios-ssn (139), Seq: 3157, Ack: 3189, Len: 166

    Source port: index-pc-wb (2127)

    Destination port: netbios-ssn (139)

    [Stream index: 1]

    Sequence number: 3157    (relative sequence number)

    [Next sequence number: 3323    (relative sequence number)]

    Acknowledgement number: 3189    (relative ack number)

    Header length: 20 bytes

    Flags: 0x18 (PSH, ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgement: Set

        .... 1... = Push: Set

        .... .0.. = Reset: Not set

        .... ..0. = Syn: Not set

        .... ...0 = Fin: Not set

    Window size: 63788

    Checksum: 0xeb3b [validation disabled]

        [Good Checksum: False]

        [Bad Checksum: False]

    [SEQ/ACK analysis]

        [Number of bytes in flight: 166]

NetBIOS Session Service

    Message Type: Session message

    Flags: 0x00

        .... ...0 = Add 0 to length

    Length: 162

SMB (Server Message Block Protocol)

    SMB Header

        Server Component: SMB

        [Response in: 442]

        SMB Command: Trans2 (0x32)

        NT Status: STATUS_SUCCESS (0x00000000)

        Flags: 0x18

            0... .... = Request/Response: Message is a request to the server

            .0.. .... = Notify: Notify client only on open

            ..0. .... = Oplocks: OpLock not requested/granted

            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized

            .... 1... = Case Sensitivity: Path names are caseless

            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted

            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported

        Flags2: 0xc807

            1... .... .... .... = Unicode Strings: Strings are Unicode

            .1.. .... .... .... = Error Code Type: Error codes are NT error codes

            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only

            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs

            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported

            .... .... .0.. .... = Long Names Used: Path names in request are not long file names

            .... .... .... .1.. = Security Signatures: Security signatures are supported

            .... .... .... ..1. = Extended Attributes: Extended attributes are supported

            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response

        Process ID High: 0

        Signature: D7D4BAC936AE62C5

        Reserved: 0000

        Tree ID: 2048

        Process ID: 3908

        User ID: 2048

        Multiplex ID: 10305

    Trans2 Request (0x32)

        Word Count (WCT): 15

        Total Parameter Count: 94

        Total Data Count: 0

        Max Parameter Count: 2

        Max Data Count: 40

        Max Setup Count: 0

        Reserved: 00

        Flags: 0x0000

            .... .... .... ..0. = One Way Transaction: Two way transaction

            .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID

        Timeout: Return immediately (0)

        Reserved: 0000

        Parameter Count: 94

        Parameter Offset: 68

        Data Count: 0

        Data Offset: 0

        Setup Count: 1

        Reserved: 00

        Subcommand: QUERY_PATH_INFO (0x0005)

        Byte Count (BCC): 97

        Padding: 000000

        QUERY_PATH_INFO Parameters

            Level of Interest: Query File Basic Info (1004)

            Reserved: 03534E46

            File Name: ?\200????

            Unknown Data: 0008010600000000FFFF1A002200FFFFFFFF000000003092...

0000 00 00 0c 07 ac 01 00 1a 64 78 bc c0 08 00 45 28   ........dx....E(

0010 00 ce 02 c6 40 00 78 06 81 33 0a 5d b8 b6 0a 74   ....@.x..3.]...t

0020 b0 81 08 4f 00 8b 35 1f 08 53 27 07 b3 4b 50 18   ...O..5..S'..KP.

0030 f9 2c eb 3b 00 00 00 00 00 a2 ff 53 4d 42 32 00   .,.;.......SMB2.

0040 00 00 00 18 07 c8 00 00 d7 d4 ba c9 36 ae 62 c5   ............6.b.

0050 00 00 00 08 44 0f 00 08 41 28 0f 5e 00 00 00 02   ....D...A(.^....

0060 00 28 00 00 00 00 00 00 00 00 00 00 00 5e 00 44   .(...........^.D

0070 00 00 00 00 00 01 00 05 00 61 00 00 00 00 ec 03   .........a......

0080 03 53 4e 46 ee 05 80 00 06 01 34 12 48 5a 04 1d   .SNF......4.HZ..

0090 00 00 00 08 01 06 00 00 00 00 ff ff 1a 00 22 00   ..............".

00a0 ff ff ff ff 00 00 00 00 30 92 05 1e 30 92 a5 98   ........0...0...

00b0 00 1a 64 78 bc c0 00 16 9c 1b cc 00 08 00 45 00   ..dx..........E.

00c0 05 dc 85 35 40 00 2a 06 79 0a 62 a0 a3 49 0a 7a   ...5@.*.y.b..I.z

00d0 3c 79 17 0c d5 85 7d 4f 83 6c 81 8f 6b ff 80 10   <y....}O.l..k...

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Follow-Ups:
- Re: [Wireshark-users] ODD SMB packets
  - From: Tim.Poth

References:
- [Wireshark-users] ODD SMB packets
  - From: Tim.Poth

Prev by Date: Re: [Wireshark-users] wireshark and virtual ethernet adapters by parallels
Next by Date: Re: [Wireshark-users] ODD SMB packets
Previous by thread: [Wireshark-users] ODD SMB packets
Next by thread: Re: [Wireshark-users] ODD SMB packets
Index(es):
- Date
- Thread