malformed broadcast packets?
Christopher R. Hertel
crh at ubiqx.mn.org
Wed Jul 7 21:44:08 GMT 2004
On Wed, Jul 07, 2004 at 02:03:44PM -0700, Richard Sharpe wrote:
> On Wed, 7 Jul 2004, Jason Boles wrote:
> > I recently upgraded to Redhat AS3 from an older 7.3 installation.
> > With samba 3 (3.0.2-6.3E is the rpm version), I've been seeing
> > activity that wasn't present before.
> > Every 15 minutes (within a few seconds accuracy), I receive an alert
> > from our SonicWall (firewall appliance) reporting that a "Malformed IP
> > packet dropped." where the source was the upgraded server, and the
> > destination was the subnet (x.y.z.255). Src & Dest port was 137.
> > So what is smbd or nmbd (or maybe winbindd) transmitting every 15 minutes?
> > There is nothing in the logs corresponding to those timestamps, or to
> > indicate that there is another source for this.
> > (turning off sonicwall alerts is not an option)
> > All of the samba clients are win2k/XP and on the same subnet as the
> > server. It's set up for security = DOMAIN, with another Windows Server
> > 2003 box as the domain controller (also on the same subnet, behind the
> > same firewall).
> What would really help is a capture of the offending packets. Perhaps you
> could run tcpdump on your Samba server capturing the port 137 packets or
> something like that.
Capture both 137 and 138 (UDP). There's nothing that would cause the name
service to broadcast a message every 15 minutes (nothing I can think of
off hand) but the Browse Service does have something that runs on a 15
minute clock. The Browse Service activity probably triggers name service
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
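
Added example, not part of the original thread: once the UDP 137 traffic has been captured as suggested above, a decoder like this shows which name service operation and which NetBIOS name a flagged datagram carries, and whether its header and name encoding are well formed. The function names and the sample packet are constructed for illustration; the field layout follows RFC 1002.

```python
import struct

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}

def encode_name(name: str, suffix: int) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 sec. 14.1): one letter per nibble."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def decode_nbns(payload: bytes) -> dict:
    """Decode the header and first question name of a UDP/137 payload (RFC 1002 sec. 4.2)."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte name service header")
    trn_id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    info = {
        "trn_id": trn_id,
        "response": bool(flags & 0x8000),                     # R bit
        "opcode": OPCODES.get((flags >> 11) & 0x0F, "unknown"),
        "broadcast": bool(flags & 0x0010),                    # B bit of NM_FLAGS
        "rcode": flags & 0x0F,
        "counts": (qd, an, ns, ar),
    }
    if qd == 0:
        return info
    if len(payload) < 45 or payload[12] != 0x20:
        raise ValueError("question name is not a 32-byte encoded label")
    enc = payload[13:45]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("encoded name has bytes outside 'A'..'P'")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    info["name"] = raw[:15].decode("ascii", "replace").rstrip()
    info["suffix"] = raw[15]                                  # 16th byte: name type
    pos = 45                                                  # skip scope labels, if any
    while pos < len(payload) and payload[pos] != 0:
        pos += 1 + payload[pos]
    if pos + 5 > len(payload):
        raise ValueError("truncated question section")
    info["qtype"], info["qclass"] = struct.unpack("!2H", payload[pos + 1:pos + 5])
    return info

# Constructed sample: broadcast name query (flags 0x0110 = RD + B) for WORKGROUP<1d>.
SAMPLE = (struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0) + b"\x20"
          + encode_name("WORKGROUP", 0x1D) + b"\x00" + struct.pack("!2H", 0x0020, 0x0001))

if __name__ == "__main__":
    print(decode_nbns(SAMPLE))
```

Feed it the UDP payload bytes of each captured port 137 datagram; a `ValueError` points at the part of the packet that does not parse.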