What's this 135/UDP traffic?

Pierre Belanger pbelang1 at oss.cantel.rogers.com
Fri Dec 21 09:28:27 GMT 2001 

Hello Joel,

Port 135 is something new to me but NT is a couple of years
old... my Samba is also not listening on port 135 UDP or TCP.

Following is the first UDP packet transmitted from the NT workstation
to the Samba server. As you can see, the client is sending a
"file path" \\alkonost\docums\Structure.vsd . This "Structure.vsd"
file is a link within the original opened document, which is another
document... (Document.doc has an "internal link" pointing to
"Structure.vsd").

10.64.33.238 -> alkonost     UDP D=135 S=1113 LEN=308

           0: 0003 ba08 112b 0030 85f3 9460 0800 4500   
.....+.0...`..E.
          16: 0148 fc0c 0000 7f11 e870 0a40 21ee 0a40   
.Hü......p.@!..@
          32: 1fba 0459 0087 0134 2a87 0400 0800 1000   
...Y...4*.......
          48: 0000 0000 0000 0000 0000 0000 0000 0000   
................
          64: 0000 b84a 9f4d 1c7d cf11 861e 0020 af6e    ...J.M.}.....
.n
          80: 7c57 91b2 4a6d b30b 3b45 9221 0f61 e440   
|W..Jm..;E.!.a.@
          96: 90c0 0000 0000 0000 0000 0000 0000 0000   
................
         112: ffff ffff c800 0000 0a00 0500 0100 0000   
................
         128: 0000 0000 0000 a818 f1cb 4ea1 5b4e 9efd   
..........N.[N.ý
         144: 42f4 52d0 bc0f 0000 0000 121a 0200 0000   
B.R.............
         160: 0000 c000 0000 0000 0046 4c91 1500 2800   
.........FL...(.
         176: 0000 0000 0000 2800 0000 5c00 5c00 6100   
......(...\.\.a.
         192: 6c00 6b00 6f00 6e00 6f00 7300 7400 5c00   
l.k.o.n.o.s.t.\.
         208: 6400 6f00 6300 6f00 7300 7300 5c00 4300   
d.o.c.u.m.s.\.C.
         224: 6f00 6d00 6100 7200 6300 6f00 5c00 5300   
o.m.a.r.c.o.\.S.
         240: 7400 7200 7500 6300 7400 7500 7200 6500   
t.r.u.c.t.u.r.e.
         256: 2e00 7600 7300 6400 0000 0000 0000 0200   
..v.s.d.........
         272: 0000 0200 0000 0100 0000 b091 1500 0100   
................
         288: 0000 0000 0000 0000 0000 c000 0000 0000   
................
         304: 0046 0100 0000 0100 0000 0800 0000 0000   
.F..............
         320: 0000 0400 0000 0100 0000 0000 0000 7109   
..............q.
         336: 95f4 22ab 5cab                             ..".\.

Later on, it tries to connect on port 135 using TCP , 4 times
(it is receiving a connection refuse on each trial) and after the
4th time, it continues to retreive the file.

When opening the same document from another server running VisionFS,
the same Windows NT workstation tries to connect on port 135 TCP...
it doesn't try the UDP port so it doesn't stay in a "timeout"
loop for 2 minutes.

Pierre B.
ps: I am under Solaris, no IP chains.

Joel Hammer wrote:
> 
> No expert here but:
> My samba system doesn't listen on port 135, as far as I can tell using
> netstat -an
> What do you see with netstat -an | grep 135 ?
> Second, could you configure your system to listen on port 135 for UDP
> packets, say with ipchains, and REJECT them, not DENY them.
> The REJECT command notifies the sender that the packet has been rejected.
> That might make the sender switch over to TCP without the 2 minute wait.
> Your log seems to suggest that you are sending notification, but maybe
> REJECT might be more definitive.
> You might even try REJECTing all packets to port 135 and see if your client
> will function ok.
> BTW, my /etc/services doesn't list any assignment for port 135, so this
> might be a Microsoft enhancement.
> Joel
> 
> On Fri, Dec 21, 2001 at 10:56:05AM -0500, Pierre Belanger wrote:
> > Hello,
> >
> > This is a hard one, I've been trying to figure out something since
> > 2 days...
> >
> > When opening a document which has a link to another document, I see
> > traffic
> > from the Windows NT client station going to the Samba server on port
> > 135/UDP. According to Microsoft's web site, port 135 TCP or UDP is
> > "Location Server"... but the Samba server doesn't listen for traffic
> > on port 135/UDP. So, the client keeps trying to connect to port 135/UDP
> > on the Samba server for about 2 minutes and then switches to 135/TCP,
> > which works better...
> >
> > Can someone help me figure out how to fix this "timeout" issue?
> >
> > Here's a snoop of the connection if this can help you understand
> > the situation.
> >
> > 10.64.33.238 -> alkonost     UDP D=135 S=1066 LEN=88
> >     alkonost -> 10.64.33.238 ICMP Destination unreachable (UDP port 135
> > unreachable)
> > 10.64.33.238 -> alkonost     UDP D=135 S=1066 LEN=88
> >     alkonost -> 10.64.33.238 ICMP Destination unreachable (UDP port 135
> > unreachable)
> >
> > About 2 minutes later, the client switches to 135/TCP.
> >
> > 10.64.33.238 -> alkonost     TCP D=135 S=1074 Syn Seq=3472092006 Len=0
> > Win=8192 Options=<mss 1460>
> >     alkonost -> 10.64.33.238 TCP D=1074 S=135 Rst Ack=3472092007 Win=0
> > 10.64.33.238 -> alkonost     TCP D=135 S=1074 Syn Seq=3472092006 Len=0
> > Win=8192 Options=<mss 1460>
> >     alkonost -> 10.64.33.238 TCP D=1074 S=135 Rst Ack=3472092007 Win=0
> > 10.64.33.238 -> alkonost     TCP D=135 S=1074 Syn Seq=3472092006 Len=0
> > Win=8192 Options=<mss 1460>
> >     alkonost -> 10.64.33.238 TCP D=1074 S=135 Rst Ack=3472092007 Win=0
> > 10.64.33.238 -> alkonost     TCP D=135 S=1074 Syn Seq=3472092006 Len=0
> > Win=8192 Options=<mss 1460>
> >     alkonost -> 10.64.33.238 TCP D=1074 S=135 Rst Ack=3472092007 Win=0
> > 10.64.33.238 -> alkonost     SMB C Code=0x2e Name=SMBreadX Error=0
> >     alkonost -> 10.64.33.238 SMB R Code=0x2e Name=SMBreadX Error=0
> >     alkonost -> 10.64.33.238 NBT Type=Unknown Length=1456
> >     alkonost -> 10.64.33.238 NBT Type=SESSION MESSAGE Length=1235
> > 10.64.33.238 -> alkonost     NBT C port=1035
> > 10.64.33.238 -> alkonost     SMB C Code=0x2e Name=SMBreadX Error=0
> >
> >
> > Thank you very much,
> > Pierre B.
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list