Samba UDP Packet 0 TTL

Mon Mar 14 18:41:32 GMT 2005

Chris,

Very helpful, thanks a bunch.  This system is running 2.4.21-15.EL which
is a few revisions old.  I think we can update to the newest EL kernel,
perhaps that will make a difference.  I will check for other local
broadcast packets from this system and will post more info if / when I
can find them.

-G

> -----Original Message-----
> From: Christopher R. Hertel [mailto:crh at ubiqx.mn.org] 
> Sent: Monday, March 14, 2005 11:34 AM
> To: Sturgis, Grant
> Cc: samba-technical at lists.samba.org
> Subject: Re: Samba UDP Packet 0 TTL
> 
> 
> Okay...  I took a look at the capture Grant sent and, sure 
> 'nough, it's 
> the IP header TTL field that is zero.
> 
> That's not necessarily wrong for a local broadcast message 
> which, in theory, shouldn't cross any router boundaries 
> anyway.  With a max hop count of zero, the first router 
> encountered would drop the packet.
> 
> On the other hand, the router should drop the packet anyway.  
> With a TTL of zero, the router should also (probably) send an 
> ICMP type 11 "Time-exceeded"  message with a code 0 
> "ttl-zero-during-transit".  
> ...that is, if I'm reading the ICMP docs correctly.
> 
> So it seems that an IP TTL of zero is wrong.  The question 
> is, why is it 
> set that way?
> 
> I did a capture on my own net.  I've got Samba 1, Samba 2, 
> and Samba 3 systems running on various flavors of Linux and 
> *BSD.  In the capture, I saw some variation, but none of 
> those systems produced a TTL field of zero.
> 
> I'm not aware of any Samba option that would impact the IP 
> header TTL field.  This sounds more like an issue in the RHEL 
> 3.0 IP stack 
> configuration.  Maybe.  Dunno for sure.
> 
> I suggest generating and capturing other broadcast messages 
> from other applications to see if any of them have a 0 IP 
> TTL.  If so, I'd ask Red Hat.
> 
> Hope that's somewhat useful...
> 
> Chris -)-----
> 
> On Mon, Mar 14, 2005 at 09:13:39AM -0700, Sturgis, Grant wrote:
> > Greetings List,
> > 
> > This message was initially posted to the general samba list, but no
> > response:
> > 
> > 
> > I am having a problem with Samba sending out packets with 0 
> ttl.  The 
> > main problem is that my IDS complains about it constantly.  I know 
> > that I can change the IDS rules such that it does not alarm 
> on this, 
> > but it seems to me that Samba should never send out a 0 ttl packet.
> > 
> > I do have a packet trace of the offense (available if 
> necessary), but 
> > essentially it is:
> > 
> > 11:29:13.045728 192.168.1.1.netbios-ns > 
> 192.168.1.255.netbios-ns: NBT 
> > UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF) [ttl 0]
> > 
> > When I stop the smb service (service smb stop - stopping 
> both smb and 
> > nmb), these packets do stop occurring.
> > 
> > This is samba-3.0.9-1.3E.2 on RHEL 3.0
> > 
> > Any clues, suggestions, rants, etc are most welcome.
> > 
> > Thank you,
> > 
> > -Grant
> 
> -- 
> "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
> Samba Team -- http://www.samba.org/     -)-----   Christopher 
> R. Hertel
> jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx 
> development, uninq.
> ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
> OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
> 

This electronic message transmission is a PRIVATE communication which contains
information which may be confidential or privileged. The information is intended 
to be for the use of the individual or entity named above. If you are not the 
intended recipient, please be aware that any disclosure, copying, distribution 
or use of the contents of this information is prohibited. Please notify the
sender  of the delivery error by replying to this message, or notify us by
telephone (877-633-2436, ext. 0), and then delete it from your system.