malformed broadcast packets?

Christopher R. Hertel crh at ubiqx.mn.org
Wed Jul 7 21:44:08 GMT 2004


On Wed, Jul 07, 2004 at 02:03:44PM -0700, Richard Sharpe wrote:
> On Wed, 7 Jul 2004, Jason Boles wrote:
> 
> >   I recently upgraded to Redhat AS3 from an older 7.3 installation.
> > With samba 3 (3.0.2-6.3E is the rpm version), I've been seeing
> > activity that wasn't present before.
> >
> > Every 15 minutes (within a few seconds accuracy), I receive an alert
> > from our SonicWall (firewall appliance) reporting that a "Malformed IP
> > packet dropped." where the source was the upgraded server, and the
> > destination was the subnet (x.y.z.255).  Src & Dest port was 137.
> >
> > So what is smbd or nmbd (or maybe winbindd) transmitting every 15 minutes?
> >
> > There is nothing in the logs corresponding to those timestamps, or to
> > indicate that there is another source for this.
> >
> > (turning off sonicwall alerts is not an option)
> >
> > All of the samba clients are win2k/XP and on the same subnet as the
> > server.  It's set up for security = DOMAIN, with another Windows Server
> > 2003 box as the domain controller (also on the same subnet, behind the
> > same firewall).
> 
> What would really help is a capture of the offending packets. Perhaps you
> could run tcpdump on your Samba server capturing the port 137 packets or
> something like that.

Capture both 137 and 138 (UDP).  There's nothing that would cause the name 
service to broadcast a message every 15 minutes (nothing I can think of 
offhand) but the Browse Service does have something that runs on a 15 
minute clock.  The Browse Service activity probably triggers name service 
lookups.

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

