Samba UDP Packet 0 TTL
Christopher R. Hertel
crh at ubiqx.mn.org
Mon Mar 14 18:33:46 GMT 2005
Okay... I took a look at the capture Grant sent and, sure 'nough, it's
the IP header TTL field that is zero.

That's not necessarily wrong for a local broadcast message which, in
theory, shouldn't cross any router boundaries anyway. With a max hop
count of zero, the first router encountered would drop the packet.

On the other hand, the router should drop the packet anyway. With a TTL
of zero, the router should also (probably) send an ICMP type 11
"Time-exceeded" message with a code 0 "ttl-zero-during-transit".

...that is, if I'm reading the ICMP docs correctly.

So it seems that an IP TTL of zero is wrong. The question is, why is it
set that way?

I did a capture on my own net. I've got Samba 1, Samba 2, and Samba 3
systems running on various flavors of Linux and *BSD. In the capture, I
saw some variation, but none of those systems produced a TTL field of
zero.

I'm not aware of any Samba option that would impact the IP header TTL
field. This sounds more like an issue in the RHEL 3.0 IP stack
configuration. Maybe. Dunno for sure.

I suggest generating and capturing other broadcast messages from other
applications to see if any of them have a 0 IP TTL. If so, I'd ask Red
Hat.

Hope that's somewhat useful...

Chris -)-----

On Mon, Mar 14, 2005 at 09:13:39AM -0700, Sturgis, Grant wrote:
> Greetings List,
>
> This message was initially posted to the general samba list, but no
> response:
>
>
> I am having a problem with Samba sending out packets with 0 ttl. The
> main problem is that my IDS complains about it constantly. I know that
> I can change the IDS rules such that it does not alarm on this, but it
> seems to me that Samba should never send out a 0 ttl packet.
>
> I do have a packet trace of the offense (available if necessary), but
> essentially it is:
>
> 11:29:13.045728 192.168.1.1.netbios-ns > 192.168.1.255.netbios-ns: NBT
> UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF) [ttl 0]
>
> When I stop the smb service (service smb stop - stopping both smb and
> nmb), these packets do stop occurring.
>
> This is samba-3.0.9-1.3E.2 on RHEL 3.0
>
> Any clues, suggestions, rants, etc are most welcome.
>
> Thank you,
>
> -Grant
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
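
The comparison suggested in the reply above (do other broadcast senders on the same host also emit IP TTL 0, or only the NetBIOS name service on port 137?) can be run over captured packets. The following is an added example, not part of the original thread or of Samba. It assumes each packet is available as raw bytes starting at the IPv4 header; the function names and the port 138 and 631 sample packets are constructed for illustration, while the addresses and port 137 mirror the trace quoted in the thread.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def build_udp_packet(src, dst, sport, dport, ttl, payload=b""):
    """Construct a minimal IPv4/UDP packet (checksums left at 0; sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,  # DF set
                     ttl, 17, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + udp

def parse_ipv4_udp(pkt):
    """Return (src, dst, ttl, sport, dport) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 17:
        return None                      # truncated, malformed, or not UDP
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return str(src), str(dst), pkt[8], sport, dport   # pkt[8] is the TTL byte

def ttl_zero_by_source_port(packets):
    """Count TTL-0 UDP packets per (source address, source port)."""
    hits = Counter()
    for pkt in packets:
        rec = parse_ipv4_udp(pkt)
        if rec and rec[2] == 0:
            hits[(rec[0], rec[3])] += 1
    return hits

# Constructed sample: two name-service broadcasts with TTL 0, plus two
# broadcasts from other (hypothetical) senders on the same host with TTL 64.
SAMPLE = [
    build_udp_packet("192.168.1.1", "192.168.1.255", 137, 137, ttl=0),
    build_udp_packet("192.168.1.1", "192.168.1.255", 137, 137, ttl=0),
    build_udp_packet("192.168.1.1", "192.168.1.255", 138, 138, ttl=64),
    build_udp_packet("192.168.1.1", "192.168.1.255", 631, 631, ttl=64),
]

if __name__ == "__main__":
    for (src, sport), n in sorted(ttl_zero_by_source_port(SAMPLE).items()):
        print(f"{src}:{sport} sent {n} UDP packet(s) with IP TTL 0")
```

If only one source port shows up in the result, the zero TTL is tied to that sender's socket; if every broadcasting port on the host shows up, the IP stack configuration is the more likely place to look.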