malformed broadcast packets?

Richard Sharpe rsharpe at
Wed Jul 7 21:03:44 GMT 2004

On Wed, 7 Jul 2004, Jason Boles wrote:

>   I recently upgraded to Red Hat AS3 from an older 7.3 installation.
> With Samba 3 (3.0.2-6.3E is the rpm version), I've been seeing
> activity that wasn't present before.
> Every 15 minutes (within a few seconds accuracy), I receive an alert
> from our SonicWall (firewall appliance) reporting that a "Malformed IP
> packet dropped." where the source was the upgraded server, and the
> destination was the subnet (x.y.z.255).  Src & Dest port was 137.
> So what is smbd or nmbd (or maybe winbindd) transmitting every 15 minutes?
> There is nothing in the logs corresponding to those timestamps, or to
> indicate that there is another source for this.
> (Turning off SonicWall alerts is not an option.)
> All of the Samba clients are Win2k/XP and on the same subnet as the
> server.  It's set up for security = DOMAIN, with another Windows Server
> 2003 box as the domain controller (also on the same subnet, behind the
> same firewall).

What would really help is a capture of the offending packets. Perhaps you
could run tcpdump on your Samba server capturing the port 137 packets or
something like that.

Richard Sharpe, rsharpe[at], rsharpe[at],
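
An added example, not part of the original message or of Samba's code: once UDP port 137 payloads have been pulled out of a capture like the one suggested above, a decoder along these lines shows what each packet is (query, registration, refresh), whether its broadcast flag is set, and which NetBIOS name it carries. The function names, the name FILESRV and the sample packet are constructed for illustration; the field layout follows RFC 1001/1002, and the checks say nothing about which rule the firewall applies.

```python
import struct

# Opcodes from the RFC 1002 name service header; anything else is reported, not guessed.
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}

def encode_name(name, suffix):
    """First-level encode a NetBIOS name: 15 padded chars + suffix byte -> 32 letters A..P."""
    raw = name.upper()[:15].ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def parse_nbns(payload):
    """Decode the header and first question of a UDP/137 payload; collect sanity problems."""
    if len(payload) < 12:
        return {"problems": ["shorter than the 12-byte header"]}
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    info = {"txid": txid, "response": bool(flags & 0x8000),
            "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010),   # B bit of NM_FLAGS
            "counts": (qd, an, ns, ar), "problems": []}
    if info["opcode"] == "unknown":
        info["problems"].append("opcode not among the five listed here")
    if qd == 0:
        return info
    body = payload[12:]
    # Question: length byte 0x20, 32 encoded letters, 0x00 (no scope), then type and class.
    if len(body) < 38 or body[0] != 0x20 or body[33] != 0x00:
        info["problems"].append("question name is not a 32-byte unscoped NetBIOS name")
        return info
    enc = body[1:33]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        info["problems"].append("name contains bytes outside 'A'..'P'")
        return info
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    info["name"] = raw[:15].decode("ascii", "replace").rstrip()
    info["suffix"] = raw[15]
    info["qtype"], info["qclass"] = struct.unpack("!2H", body[34:38])
    return info

# Constructed sample: a broadcast name query (flags 0x0110 = RD + B) for "FILESRV<20>".
SAMPLE = (struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0) + b"\x20"
          + encode_name("FILESRV", 0x20) + b"\x00" + struct.pack("!2H", 0x0020, 0x0001))

if __name__ == "__main__":
    print(parse_nbns(SAMPLE))
```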

More information about the samba-technical mailing list