malformed broadcast packets?
Jason Boles
threepercentmilk at gmail.com
Thu Jul 8 00:17:13 GMT 2004
Sorry for the delay fellas,
I got some captured packets from tcpdump, see the file attached.
One thing I found (which is odd) is that the sonicwall only sent me
alerts every 15 minutes (and only 137), whereas the log in the
sonicwall lists malformed packets every 5 minutes for 137, and every
12 minutes for port 138 (both UDP).
-Jason
On Wed, 7 Jul 2004 16:44:08 -0500, Christopher R. Hertel
<crh at ubiqx.mn.org> wrote:
> On Wed, Jul 07, 2004 at 02:03:44PM -0700, Richard Sharpe wrote:
> > On Wed, 7 Jul 2004, Jason Boles wrote:
> >
> > > I recently upgraded to Redhat AS3 from an older 7.3 installation.
> > > With samba 3 (3.0.2-6.3E is the rpm version), I've been seeing
> > > activity that wasn't present before.
> > >
> > > Every 15 minutes (within a few seconds accuracy), I receive an alert
> > > from our SonicWall (firewall appliance) reporting that a "Malformed IP
> > > packet dropped." where the source was the upgraded server, and the
> > > destination was the subnet (x.y.z.255). Src & Dest port was 137.
> > >
> > > So what is smbd or nmbd (or maybe winbindd) transmitting every 15 minutes?
> > >
> > > There is nothing in the logs corresponding to those timestamps, or to
> > > indicate that there is another source for this.
> > >
> > > (turning off sonicwall alerts is not an option)
> > >
> > > All of the samba clients are win2k/XP and on the same subnet as the
> > > server. It's set up for security = DOMAIN, with another Windows Server
> > > 2003 box as the domain controller (also on the same subnet, behind the
> > > same firewall).
> >
> > What would really help is a capture of the offending packets. Perhaps you
> > could run tcpdump on your Samba server capturing the port 137 packets or
> > something like that.
>
> Capture both 137 and 138 (UDP). There's nothing that would cause the name
> service to broadcast a message every 15 minutes (nothing I can think of
> off hand) but the Browse Service does have something that runs on a 15
> minute clock. The Browse Service activity probably triggers name service
> lookups.
>
> Chris -)-----
>
> --
> "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
> Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
> jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
> ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
> OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
>
-------------- next part --------------
anonymized via name replacements:
sambaserver.mydomain.com = fqdn of server (where mydomain.com is ADS domain)
MYDOMAIN = netbios domain name
SAMBASERVER = netbios machine name
1.2.3.x = IP of server
----------------------------------------------
tcpdump -vvv -x -X "(port 137 or 138) and dst 1.2.3.255 and src sambaserver"
-------------------- log below ---------------
19:37:03.910166 sambaserver.mydomain.com.netbios-ns > 1.2.3.255.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x6C4C
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYDOMAIN NameType=0x1D (Master Browser)
QuestionType=0x20
QuestionClass=0x1
(DF) [ttl 0] (id 864, len 78)
0x0000 4500 004e 0360 4000 0011 b702 888e 5721 E..N.`@.......W!
0x0010 888e 57ff 0089 0089 003a 4d66 6c4c 0110 ..W......:MflL..
0x0020 0001 0000 0000 0000 2045 4c45 4646 4a46 .........ELEFFJF
0x0030 4446 4545 5045 4f45 4643 4143 4143 4143 DFEEPEOEFCACACAC
0x0040 4143 4143 4143 4142 4e00 0020 0001 ACACACABN.....
________________________________________________________________________________
19:42:12.220209 sambaserver.mydomain.com.netbios-ns > 1.2.3.255.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x6C4D
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYDOMAIN NameType=0x1D (Master Browser)
QuestionType=0x20
QuestionClass=0x1
(DF) [ttl 0] (id 865, len 78)
0x0000 4500 004e 0361 4000 0011 b701 888e 5721 E..N.a@.......W!
0x0010 888e 57ff 0089 0089 003a 4d65 6c4d 0110 ..W......:MelM..
0x0020 0001 0000 0000 0000 2045 4c45 4646 4a46 .........ELEFFJF
0x0030 4446 4545 5045 4f45 4643 4143 4143 4143 DFEEPEOEFCACACAC
0x0040 4143 4143 4143 4142 4e00 0020 0001 ACACACABN.....
________________________________________________________________________________
19:47:18.940213 sambaserver.mydomain.com.netbios-ns > 1.2.3.255.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x6C4E
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYDOMAIN NameType=0x1D (Master Browser)
QuestionType=0x20
QuestionClass=0x1
(DF) [ttl 0] (id 866, len 78)
0x0000 4500 004e 0362 4000 0011 b700 888e 5721 E..N.b@.......W!
0x0010 888e 57ff 0089 0089 003a 4d64 6c4e 0110 ..W......:MdlN..
0x0020 0001 0000 0000 0000 2045 4c45 4646 4a46 .........ELEFFJF
0x0030 4446 4545 5045 4f45 4643 4143 4143 4143 DFEEPEOEFCACACAC
0x0040 4143 4143 4143 4142 4e00 0020 0001 ACACACABN.....
________________________________________________________________________________
19:47:46.273838 sambaserver.mydomain.com.netbios-dgm > 1.2.3.255.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x6C4F IP=1 (0x01).2 (0x02).3 (0x03).x (0xXX) Port=138 (0x8a) Length=197 (0xc5) Res2=0x0
SourceName=SAMBASERVER NameType=0x00 (Workstation)
DestName=
WARNING: Short packet. Try increasing the snap length
(DF) [ttl 0] (id 292, len 239)
0x0000 4500 00ef 0124 4000 0011 b89d 888e 5721 E....$@.......W!
0x0010 888e 57ff 008a 008a 00db aeb1 110a 6c4f ..W...........lO
0x0020 888e 5721 008a 00c5 0000 2045 4b45 4246 ..W!.......EKEBF
0x0030 4745 4243 4143 4143 4143 4143 4143 4143 GEBCACACACACACAC
0x0040 4143 4143 4143 4143 4141 4100 2045 4c45 ACACACACAAA..ELE
0x0050 4646 FF
________________________________________________________________________________
19:52:23.140215 sambaserver.mydomain.com.netbios-ns > 1.2.3.255.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x6C50
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYDOMAIN NameType=0x1D (Master Browser)
QuestionType=0x20
QuestionClass=0x1
(DF) [ttl 0] (id 867, len 78)
0x0000 4500 004e 0363 4000 0011 b6ff 888e 5721 E..N.c@.......W!
0x0010 888e 57ff 0089 0089 003a 4d62 6c50 0110 ..W......:MblP..
0x0020 0001 0000 0000 0000 2045 4c45 4646 4a46 .........ELEFFJF
0x0030 4446 4545 5045 4f45 4643 4143 4143 4143 DFEEPEOEFCACACAC
0x0040 4143 4143 4143 4142 4e00 0020 0001 ACACACABN.....
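Added example, written for this archive page and not part of the thread or of Samba: it builds a packet shaped like the port 137 queries in the capture (same header layout, the anonymized name MYDOMAIN<1D>, constructed addresses and IDs, and the ttl 0 that tcpdump printed on every query) and decodes it with the checks an analyst would apply before calling a packet malformed, including the truncation check that corresponds to the "Short packet" warning on the port 138 datagram.

```python
import struct

# Constructed sample, not bytes from the capture: an IPv4/UDP 137->137 NBNS broadcast
# query laid out like the ones tcpdump showed, plus the sanity checks an analyst applies.

def nb_encode(name, suffix):
    """RFC 1001 first-level encoding: 15-char padded name + suffix, nibbles as 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)

def nb_decode(enc):
    raw = bytes(((ord(enc[i]) - 0x41) << 4) | (ord(enc[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode().rstrip(), raw[15]

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF        # yields 0 for a header that already carries a valid checksum

def build_nbns_query(src, dst, name, suffix, trn_id, ttl, ip_id):
    # TrnID, flags 0x0110 (OpCode 0, NmFlags 0x11 = broadcast + recursion desired), 1 question
    nbns = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    nbns += bytes([32]) + nb_encode(name, suffix).encode() + b"\x00"
    nbns += struct.pack("!HH", 0x20, 0x01)                          # QTYPE NB, QCLASS IN
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbns), 0) + nbns   # UDP checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0x4000,
                     ttl, 17, 0, bytes(src), bytes(dst))            # DF set, 17 = UDP
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp

def inspect(pkt):
    """Decode IP/UDP/NBNS and list what a 'malformed packet' check would flag."""
    hdr = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    total_len, ttl, proto, ihl = hdr[2], hdr[5], hdr[6], (hdr[0] & 0xF) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    nb = pkt[ihl + 8:]
    name = suffix = None
    if len(nb) >= 46:                     # 12-byte header + 0x20 + 32 chars + NUL
        name, suffix = nb_decode(nb[13:45].decode())
    problems = []
    if ttl == 0:
        problems.append("ttl 0: RFC 791 requires a datagram with TTL 0 to be discarded")
    if len(pkt) < total_len:
        problems.append("captured %d of %d bytes: short snaplen, rerun tcpdump -s 0" % (len(pkt), total_len))
    if ip_checksum(pkt[:ihl]) != 0:
        problems.append("bad IP header checksum")
    return {"ttl": ttl, "proto": proto, "ports": (sport, dport), "udp_len": ulen,
            "name": name, "suffix": suffix, "problems": problems}
```

The constructed query comes out at 78 bytes with UDP length 58, matching the sizes tcpdump reported for the real ones.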