malformed broadcast packets?
Christopher R. Hertel
crh at ubiqx.mn.org
Thu Jul 8 20:33:20 GMT 2004
On Wed, Jul 07, 2004 at 08:17:13PM -0400, Jason Boles wrote:
> Sorry for the delay fellas,
>
> I got some captured packets from tcpdump, see the file attached.
>
> One thing I found (which is odd) is that the sonicwall only sent me
> alerts every 15 minutes (and only 137), whereas the log in the
> sonicwall lists malformed packets every 5 minutes for 137, and every
> 12 minutes for port 138 (both UDP).
I don't see anything wrong with these packets.
Three things that would help:
1) Increase the snapshot length ('-s 1600' or somesuch should be plenty).
The warning in the packet capture has to do with the number of bytes
tcpdump is reading. The packet (as far as I can see) is fine.
2) Write the capture to a capture file ('-w /tmp/mycap.cap' or something).
Much easier to study the actual capture than it is to dig through the
printout of the capture.
3) Change the capture rules so that you see more packets.
I am seeing queries go out, but not seeing the reply. Since only one
query goes out (every 5 minutes) I must assume that the client is
receiving a reply. Otherwise, it would retry the query two more times.
I don't see anything wrong in any of the packets themselves. The queries,
certainly, are okay. I can't see all of the browser announcement message
but what is there looks right.
Bottom line, though, is that this capture isn't showing the real problem.
Either the problem is on the *other* side of the firewall, or the tight
filter is excluding it from the capture.
Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical
mailing list