[Samba] RPC error logging in to PDC on Win-64
EA
ops21 at earthlink.net
Sat May 21 12:35:40 GMT 2005
root at phobos root]# tethereal -i 3 -z smb,rtt,ip.addr==192.168.1.6 -f tcp port 137 or tcp port 137 or port 138 or tcp port 139 or tcp port 445 -s 2000
Capturing on eth1
0.000000 192.168.1.6 -> 192.168.1.255 NBNS Name query NB HOME<1c>
0.001632 192.168.1.1 -> 192.168.1.6 NBNS Name query response NB 192.168.1.1
0.001803 192.168.1.6 -> 192.168.1.255 SMB_NETLOGON SAM LOGON request from client
0.002050 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.002347 192.168.1.6 -> 192.168.1.1 SMB_NETLOGON SAM LOGON request from client
0.002465 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.097579 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.099257 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7372
0.099661 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.100714 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 116 bytes
0.100926 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.101883 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.102117 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.103180 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 102 bytes
0.103373 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.104309 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.104578 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.105532 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 148 bytes
0.105732 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.106605 192.168.1.1 -> 192.168.1.6 DCERPC Fault: call_id: 2 ctx_id: 0 status: nca_op_rng_error
0.106869 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.110524 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 148 bytes
0.110713 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.112268 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.112589 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \lsarpc
0.113859 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7373
0.114124 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.115229 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 160 bytes
0.115424 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.116448 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.116680 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.116927 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 88 bytes
0.117121 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.119314 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.119549 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.122162 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 52 bytes
0.122348 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.123776 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 2 ctx_id: 0
0.123993 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.124930 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 44 bytes
0.125121 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.126601 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.126812 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7373
0.127876 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.128642 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.129428 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7374
0.129718 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7374, 64 bytes at offset 0[Unreassembled Packet]
0.130874 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7374, 116 bytes
0.131073 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7374, 1024 bytes at offset 0
0.131943 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 4 accept max_xmit: 4280 max_recv: 4280
0.132272 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7374, 64 bytes at offset 0[Unreassembled Packet]
0.137409 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7374, 352 bytes
0.137597 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7374, 1024 bytes at offset 0
0.139166 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 4 ctx_id: 0
0.139455 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7374
0.140592 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.140843 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7372
0.141632 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.142003 192.168.1.6 -> 192.168.1.255 NBNS Name query NB HOME<1c>
0.142141 192.168.1.1 -> 192.168.1.6 NBNS Name query response NB 192.168.1.1
0.142304 192.168.1.6 -> 192.168.1.255 SMB_NETLOGON SAM LOGON request from client
0.142402 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.142799 192.168.1.6 -> 192.168.1.1 SMB_NETLOGON SAM LOGON request from client
0.143168 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.238181 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.238956 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7375
0.239345 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.239498 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 116 bytes
0.239766 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.239863 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.240239 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.240466 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 102 bytes
0.240675 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.240782 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.241213 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.241548 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 148 bytes
0.242054 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.242199 192.168.1.1 -> 192.168.1.6 DCERPC Fault: call_id: 2 ctx_id: 0 status: nca_op_rng_error
0.242583 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.245101 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 148 bytes
0.245287 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.246857 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.247180 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \lsarpc
0.254949 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7376
0.255200 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.255357 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 160 bytes
0.255615 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.255712 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.256105 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.256270 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 88 bytes
0.256551 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.256670 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.257056 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.258530 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 52 bytes
0.258714 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.262919 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 2 ctx_id: 0
0.263138 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.263436 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 44 bytes
0.263586 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.267544 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.267762 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7376
0.267881 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.268770 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.269046 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7377
0.269415 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7377, 64 bytes at offset 0[Unreassembled Packet]
0.269621 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7377, 116 bytes
0.269822 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7377, 1024 bytes at offset 0
0.269903 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 4 accept max_xmit: 4280 max_recv: 4280
0.270408 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7377, 64 bytes at offset 0[Unreassembled Packet]
0.274013 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7377, 352 bytes
0.274204 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7377, 1024 bytes at offset 0
0.280704 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 4 ctx_id: 0
0.281002 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7377
0.281151 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.281520 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7375
0.281676 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.394220 192.168.1.6 -> 192.168.1.1 TCP 1296 > netbios-ssn [ACK] Seq=6182 Ack=5252 Win=65457 Len=0
2.487734 192.168.1.6 -> 192.168.1.1 SMB Logoff AndX Request
2.488542 192.168.1.1 -> 192.168.1.6 SMB Logoff AndX Response
2.488836 192.168.1.6 -> 192.168.1.1 SMB Tree Disconnect Request
2.489791 192.168.1.1 -> 192.168.1.6 SMB Tree Disconnect Response
2.490016 192.168.1.6 -> 192.168.1.1 SMB Logoff AndX Request
2.490922 192.168.1.1 -> 192.168.1.6 SMB Logoff AndX Response
2.491087 192.168.1.6 -> 192.168.1.1 SMB Tree Disconnect Request
2.491364 192.168.1.1 -> 192.168.1.6 SMB Tree Disconnect Response
2.491580 192.168.1.6 -> 192.168.1.1 TCP 1296 > netbios-ssn [FIN, ACK] Seq=6346 Ack=5416 Win=65293 Len=0
2.494668 192.168.1.1 -> 192.168.1.6 TCP netbios-ssn > 1296 [FIN, ACK] Seq=5416 Ack=6347 Win=5840 Len=0
2.494753 192.168.1.6 -> 192.168.1.1 TCP 1296 > netbios-ssn [ACK] Seq=6347 Ack=5417 Win=65293 Len=0
===================================================================
SMB RTT Statistics:
Filter: ip.addr==192.168.1.6
Commands                   Calls   Min RTT   Max RTT   Avg RTT
Close                          6   0.00011   0.00113   0.00056
Read AndX                     20   0.00008   0.00650   0.00148
Write AndX                    20   0.00015   0.00513   0.00135
Tree Disconnect                2   0.00027   0.00095   0.00061
Logoff AndX                    2   0.00080   0.00090   0.00085
NT Create AndX                 6   0.00027   0.00776   0.00209
Transaction2 Commands      Calls   Min RTT   Max RTT   Avg RTT
NT Transaction Commands    Calls   Min RTT   Max RTT   Avg RTT
=================================================================
-----Original Message-----
From: Jeremy Allison <jra at samba.org>
Sent: May 20, 2005 11:51 PM
To: EA <ops21 at earthlink.net>
Cc: samba at lists.samba.org
Subject: Re: [Samba] RPC error logging in to PDC on Win-64
On Fri, May 20, 2005 at 09:56:47PM -0500, EA wrote:
> I ran tethereal and captured smb,rtt packets on the ports used by SMB but only those from the XP-64 box. I used tethereal -i 3 -z smb,rtt,ip.addr==192.168.1.6 -f tcp port 137 or tcp port 137 or port 138 or tcp port 139 or tcp port 445 -w scan
>
> I dumped it to a text file -> http://home.mindspring.com/~ops21/scan
>
> Let me know if there was something else I should have scanned for.
Text files are no good as packet captures. We need the raw
data. Please just capture the entire conversation with snaplen > 2000
and dump the raw capture somewhere.
As I keep saying, TEXT FILES ARE NOT PACKET CAPTURES !!!
(Sorry, it's a pet peeve of mine :-).
Jeremy.