Samba UDP Packet 0 TTL

Christopher R. Hertel crh at ubiqx.mn.org
Mon Mar 14 16:45:14 GMT 2005


On Mon, Mar 14, 2005 at 09:13:39AM -0700, Sturgis, Grant wrote:
> Greetings List,
> 
> This message was initially posted to the general samba list, but no
> response:
> 
> 
> I am having a problem with Samba sending out packets with 0 ttl.  

From the trace information below, you're seeing an NBT Name Query Request.
There is no NetBIOS Name Service TTL field in an NBT Name Query Request
(see http://ubiqx.org/cifs/NetBIOS.html#NBT.43.2).

The only other TTL field of which I'm aware would be the IP header TTL
(the maximum hop count).  Samba wouldn't be fiddling with that, and in my 
quick test with nmblookup the Linux IP stack sets that field to 64.

I'd want to see the capture...

> The
> main problem is that my IDS complains about it constantly.  I know that
> I can change the IDS rules such that it does not alarm on this, but it
> seems to me that Samba should never send out a 0 ttl packet.
> 
> I do have a packet trace of the offense (available if necessary), but
> essentially it is:
> 
> 11:29:13.045728 192.168.1.1.netbios-ns > 192.168.1.255.netbios-ns: NBT
> UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF) [ttl 0]
> 
> When I stop the smb service (service smb stop - stopping both smb and
> nmb), these packets do stop occurring.  
> 
> This is samba-3.0.9-1.3E.2 on RHEL 3.0
> 
> Any clues, suggestions, rants, etc are most welcome.
> 
> Thank you,
> 
> -Grant
> ------------------

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
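
Added example, not part of the original post or of Samba's code: a Python sketch that builds a constructed IPv4/UDP/NBT broadcast Name Query Request and parses it, to show that the only TTL in such a packet is byte 8 of the IP header, since the NBT message carries no resource records. The name "EXAMPLE", the transaction ID and the zeroed checksums are assumptions; the addresses are the ones in the quoted trace.

```python
import socket
import struct

def encode_nb_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: pad to 15 bytes, add suffix, split nibbles."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    half = bytes(0x41 + n for c in raw for n in (c >> 4, c & 0x0F))
    return b"\x20" + half + b"\x00"

def build_query(ip_ttl, name="EXAMPLE"):
    """Constructed IPv4/UDP/NBT broadcast Name Query Request (checksums left 0)."""
    nbt = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)  # RD + B flags, QDCOUNT=1
    nbt += encode_nb_name(name) + struct.pack("!HH", 0x0020, 0x0001)  # type NB, class IN
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbt), 0) + nbt
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, ip_ttl,
                     17, 0, socket.inet_aton("192.168.1.1"),
                     socket.inet_aton("192.168.1.255"))
    return ip + udp

def parse(packet):
    """Report the IP-layer TTL and how many NBT records could carry a TTL."""
    ver_ihl, _, _, _, frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    off = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[off:off + 4])
    nbt = packet[off + 8:]
    if len(nbt) < 12 + 34 + 4:
        raise ValueError("truncated NBT name service message")
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", nbt[:12])
    enc = nbt[13:45]  # 32 half-ASCII bytes after the 0x20 length byte
    dec = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ports": (sport, dport),
        "ip_ttl": ttl,                       # byte 8 of the IP header
        "df": bool(frag & 0x4000),
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0x0F,      # 0 = query
        "broadcast": bool(flags & 0x0010),
        "name": dec[:15].decode("ascii").rstrip(),
        # Only resource records have a TTL field; a query request has none.
        "nbt_rr_count": an + ns + ar,
    }

if __name__ == "__main__":
    for t in (64, 0):
        print(parse(build_query(t)))
```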

