malformed broadcast packets?

Richard Sharpe rsharpe at richardsharpe.com
Wed Jul 7 21:03:44 GMT 2004


On Wed, 7 Jul 2004, Jason Boles wrote:

>   I recently upgraded to Redhat AS3 from an older 7.3 installation.
> With samba 3 (3.0.2-6.3E is the rpm version), I've been seeing
> activity that wasn't present before.
>
> Every 15 minutes (within a few seconds accuracy), I receive an alert
> from our SonicWall (firewall appliance) reporting that a "Malformed IP
> packet dropped." where the source was the upgraded server, and the
> destination was the subnet (x.y.z.255).  Src & Dest port was 137.
>
> So what is smbd or nmbd (or maybe winbindd) transmitting every 15 minutes ?
>
> There is nothing in the logs corresponding to those timestamps, or to
> indicate that there is another source for this.
>
> (turning off sonicwall alerts is not an option)
>
> all of the samba clients are win2k/XP and on the same subnet as the
> server.  It's setup for security = DOMAIN, with another Windows Server
> 2003 box as the domain controller (also on the same subnet, behind the
> same firewall).

What would really help is a capture of the offending packets. Perhaps you
could run tcpdump on your Samba server capturing the port 137 packets or
something like that.

Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com


More information about the samba-technical mailing list