[Samba] Multiple Netbios name queries on ports 32944, 33169 and 33171

Lee Baker LBaker at mcauley.org.uk
Mon Feb 7 17:16:11 GMT 2005 

I've had to set up an iptables filter to drop packets originating from
ports 32944, 33169 and 33171 on a samba 3 server as broadcast 'storms'
lasting ~3seconds have intermittently been taking down all net
communication.
 
Can anyone shed any light on this?  The packet capured in ethereal is
below.
 
Lee Baker
 
 
Sorry for not trimming - not sure what's important:
 
No.     Time        Source                Destination           Protocol
Info
  60621 2047.389515 192.168.5.200         192.168.5.255         NBNS
Name query NB
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
 
Frame 60621 (92 bytes on wire, 92 bytes captured)
    Arrival Time: Feb  7, 2005 17:03:26.942953000
    Time delta from previous packet: 0.000007000 seconds
    Time since reference or first frame: 2047.389515000 seconds
    Frame Number: 60621
    Packet Length: 92 bytes
    Capture Length: 92 bytes
Ethernet II, Src: 00:c0:49:d8:db:36, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:c0:49:d8:db:36 (192.168.45.200)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.5.200 (192.168.5.200), Dst Addr:
192.168.5.255 (192.168.5.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 78
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 61
    Protocol: UDP (0x11)
    Header checksum: 0xb087 (correct)
    Source: 192.168.5.200 (192.168.5.200)
    Destination: 192.168.5.255 (192.168.5.255)
User Datagram Protocol, Src Port: 33171 (33171), Dst Port: netbios-ns
(137)
    Source port: 33171 (33171)
    Destination port: netbios-ns (137)
    Length: 58
    Checksum: 0xaf64 (correct)
NetBIOS Name Service
    Transaction ID: 0x0199
    Flags: 0x0110 (Name query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Name query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...1 .... = Broadcast: Broadcast packet
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>:
type NB, class inet
            Name:
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
(Workstation/Redirector)
            Type: NB
            Class: inet
 
########################################################################
##################################################
 
This is the response from a workstation:
 
No.     Time        Source                Destination           Protocol
Info
  60622 2047.389527 192.168.5.100         192.168.5.200         NBNS
Name query response NB 192.168.5.100
 
Frame 60622 (104 bytes on wire, 104 bytes captured)
    Arrival Time: Feb  7, 2005 17:03:26.942965000
    Time delta from previous packet: 0.000012000 seconds
    Time since reference or first frame: 2047.389527000 seconds
    Frame Number: 60622
    Packet Length: 104 bytes
    Capture Length: 104 bytes
Ethernet II, Src: 00:07:e9:1a:80:74, Dst: 00:0b:db:90:9f:0b
    Destination: 00:0b:db:90:9f:0b (192.168.5.200)
    Source: 00:07:e9:1a:80:74 (192.168.5.100)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.5.100 (192.168.5.100), Dst Addr:
192.168.5.200 (192.168.5.200)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 90
    Identification: 0x6c52 (27730)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x41c4 (correct)
    Source: 192.168.5.100 (192.168.5.100)
    Destination: 192.168.5.200 (192.168.5.200)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: 33171
(33171)
    Source port: netbios-ns (137)
    Destination port: 33171 (33171)
    Length: 70
    Checksum: 0xf1fe (correct)
NetBIOS Name Service
    Transaction ID: 0x0199
    Flags: 0x8500 (Name query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Name query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for
domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do
recursive queries
        .... .... ...0 .... = Broadcast: Not a broadcast packet
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 0
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Answers
        *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>:
type NB, class inet
            Name:
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
(Workstation/Redirector)
            Type: NB
            Class: inet
            Time to live: 3 days, 11 hours, 20 minutes
            Data length: 6
            Flags: 0xe000 (H-node, group)
                1... .... .... .... = Group name
                .11. .... .... .... = H-node
            Addr: 192.168.5.100

More information about the samba mailing list