malformed broadcast packets?

Christopher R. Hertel crh at
Thu Jul 8 20:33:20 GMT 2004

On Wed, Jul 07, 2004 at 08:17:13PM -0400, Jason Boles wrote:
> Sorry for the delay fellas,
> I got some captured packets from tcpdump, see the file attached.
> One thing I found (which is odd) is that the sonicwall only sent me
> alerts every 15 minutes (and only 137), whereas the log in the
> sonicwall lists malformed packets every 5 minutes for 137, and every
> 12 minutes for port 138 (both UDP).

I don't see anything wrong with these packets.  
Three things that would help:

1) Increase the snapshot length ('-s 1600' or somesuch should be plenty).

   The warning in the packet capture has to do with the number of bytes 
   tcpdump is reading.  The packet (as far as I can see) is fine.

2) Write the capture to a capture file ('-w /tmp/mycap.cap' or something).

   Much easier to study the actual capture than it is to dig through the 
   printout of the capture.

3) Change the capture rules so that you see more packets.

   I am seeing queries go out, but not seeing the reply.  Since only one 
   query goes out (every 5 minutes) I must assume that the client is 
   receiving a reply.  Otherwise, it would retry the query two more times.

I don't see anything wrong in any of the packets themselves.  The queries, 
certainly, are okay.  I can't see all of the browser announcement message 
but what is there looks right.

Bottom line, though, is that this capture isn't showing the real problem.
Either the problem is on the *other* side of the firewall, or the tight 
filter is excluding it from the capture.

Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
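
Added example, not part of the original message or the attached capture: a Python check that can be run over a file written with '-w', reporting records cut short by the snapshot length and NBNS queries on UDP 137 that have no reply in the capture. It assumes a little-endian classic pcap with Ethernet framing and IPv4; the function names and the sample frames are constructed for illustration.

```python
import struct

NBNS_PORT = 137  # NetBIOS name service, UDP

def analyze_pcap(data):
    """Return (truncated record numbers, unanswered NBNS query IDs)."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap, Ethernet link type")
    truncated, queries, answered = [], set(), set()
    off, idx = 24, 0
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        idx += 1
        if incl < orig:  # the snapshot length cut this packet short
            truncated.append(idx)
        # Only IPv4/UDP frames are examined
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < udp + 12:
            continue
        sport, dport, _, _, txid, flags = struct.unpack_from("!HHHHHH", frame, udp)
        if NBNS_PORT not in (sport, dport):
            continue
        (answered if flags & 0x8000 else queries).add(txid)  # top bit = response
    return truncated, sorted(queries - answered)

# Constructed sample traffic (not from the attached capture)
def _frame(txid, flags):
    nbns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + b"\x00" * 50
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbns), 0) + nbns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 255]))
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp

def build_sample(snaplen):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in (_frame(0x1001, 0x0110), _frame(0x1001, 0x8500), _frame(0x1002, 0x0110)):
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

if __name__ == "__main__":
    for snaplen in (68, 1600):
        print(snaplen, analyze_pcap(build_sample(snaplen)))
```

Queries and replies are paired by transaction ID only, which is a simplification; a query listed as unanswered may simply mean the capture filter excluded the reply.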
