Ethereal-users: RE: [Ethereal-users] Trans2 packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Dave Lanagan <dave.lanagan@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 26 Nov 2004 12:42:04 -0000
Sorry about the gif, forgot my auto-sig!

The unknowns are coming in several seconds after the packet capture was
started.  What is unusual is that I get these unknown capturing one VLAN but
not the other.  They also appear to be excessive at the time of the VLAN
users having a slowdown but at other times they're not as bad (but still
there).

I'll get a block of 20-40 a second for 90 seconds (or more; 90 seconds was
the length of the capture).

They're pretty much consecutive too.

Not all are unknown; it does see some fine.  In fact it recognises far more
in one VLAN than it does in the other (or so it would appear by the capture).

Thanks for your help so far Ronnie! Any more would be most appreciated!
Take it we can't post captures on here!!!! (rather too big!)

-----Original Message-----
From: ronnie sahlberg [mailto:ronniesahlberg@xxxxxxxxx]
Sent: 26 November 2004 12:01
To: Ethereal user support
Subject: Re: [Ethereal-users] Trans2 packets


You might have a problem with your email client,  it attached an
excessively huge gif image as signature.

#1
"Trans2 response unknown" means:
there was an SMB Trans2 response packet seen in the trace and Ethereal
did not see the previous matching Trans2 Request, so ethereal has no
way of knowing what kind of Trans2 command it was.
(Trans2 subcommand types are only present in the request.)


If the packets were in the beginning of the trace it is likely that
you just did not capture the actual Requests, and thus ethereal cannot
determine what kind of Trans2 command it was.
(To decode Trans/Trans2/NTTrans, ethereal keeps track of
request/response matching and keeps state between the packets.)


Without seeing the capture it is not possible to say whether this is
expected or not.


If I were to make a guess, and if these packets were at the immediate
start of the trace, I would guess they are just some sort of
QUERY_FILE_INFO or something and you just missed capturing the
Requests.


#2  This one is probably normal.
Unknown NTTrans replies are usually responses to NT Trans/NOTIFY: the
mechanism an application in cifs can use to monitor a file/directory
for changes.
(The main applications that do this are file Explorer and IIS.)
This is a very long-lived function call which does not terminate
until it is either cancelled (application is killed) or the
file/directory actually changes.
It is very common to see these NTTrans unknown responses in traces,
since these commands are so long-lived that it is unlikely you have
the Request in the trace.
(Same here: the type of NTTrans subcommand is only present in the
Request; if the Request is not present in the trace it is impossible
to know for sure what kind of NTTrans command it was.)


#3  This one is either normal or a problem.
To say for sure one would need to see the request, to see the file name
searched for.
(But the request is not in the capture, since ethereal thinks it is unknown.)
It could be an app that is just starting and trying (windows does
this) to look in the current directory (assuming the app is loaded from a
cifs share) for system DLLs before looking elsewhere.


If all your Trans/Trans2/NTTrans responses are always "unknown" it
might be that you are running a samba-TNG server.
Samba-TNG used very, very lax rules on how and what to specify as
uid/mid/pid in the SMB responses, which means ethereal (which is much
more stringent) is not able to match requests and replies at all,
resulting in all of these ones being "unknown".
(This will not change; the rules are too lax in cifs already, making
mismatches likely in lossy captures as it is.)


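To make the request/response matching described above concrete, here is a small Python model of it. This is an added example, not code from the thread or from Ethereal itself: it parses the fixed 32-byte SMB1 header, pulls the Trans2 subcommand (Setup[0]) or NT Trans function code out of a request's parameter words, and remembers it so the matching reply can be labelled. The matching key (pid, uid, mid) is an assumption that approximates what the dissector keeps; the frames are constructed inline, the pid/uid/mid values are arbitrary, and the subcommand and status names come from the MS-CIFS numbers for the handful of codes the example knows. The four constructed traces reproduce the three situations from Ronnie's reply: a complete pair, a reply whose request predates the capture (with STATUS_OBJECT_NAME_NOT_FOUND, as in packet type #3), a long-lived NOTIFY_CHANGE reply on its own (#2), and a server that echoes a different pid so the reply never matches even though the request was captured.

```python
import struct

# SMB1 command codes and the reply flag (MS-CIFS). The name tables only cover the
# few subcommands this example needs; unknown codes are printed in hex.
SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2, SMB_COM_NT_TRANSACT = 0x25, 0x32, 0xA0
SMB_FLAGS_REPLY = 0x80
COMMAND_NAMES = {SMB_COM_TRANSACTION: "Trans", SMB_COM_TRANSACTION2: "Trans2",
                 SMB_COM_NT_TRANSACT: "NT Trans"}
TRANS2_SUBCOMMANDS = {0x0001: "FIND_FIRST2", 0x0003: "QUERY_FS_INFORMATION",
                      0x0005: "QUERY_PATH_INFORMATION", 0x0007: "QUERY_FILE_INFORMATION"}
NT_TRANSACT_FUNCTIONS = {0x0001: "CREATE", 0x0002: "IOCTL", 0x0004: "NOTIFY_CHANGE"}
NT_STATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# 32-byte SMB1 header: Protocol, Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (little-endian throughout)
HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_header(frame):
    """Return (command, status, is_reply, pid, uid, mid) for a raw SMB1 message (no NetBIOS prefix)."""
    proto, cmd, status, flags, _f2, pid_hi, _sec, _rsv, _tid, pid_lo, uid, mid = HEADER.unpack_from(frame, 0)
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return cmd, status, bool(flags & SMB_FLAGS_REPLY), (pid_hi << 16) | pid_lo, uid, mid


def request_subcommand(cmd, body):
    """The Trans2 subcommand / NT Trans function is carried only in the request's parameter words."""
    if cmd in (SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2):
        return struct.unpack_from("<H", body, 29)[0]   # WordCount(1) + 14 words (28 bytes), then Setup[0]
    if cmd == SMB_COM_NT_TRANSACT:
        return struct.unpack_from("<H", body, 37)[0]   # WordCount(1) + 36 bytes of words, then Function
    return None


def subcommand_name(cmd, sub):
    table = {SMB_COM_TRANSACTION2: TRANS2_SUBCOMMANDS, SMB_COM_NT_TRANSACT: NT_TRANSACT_FUNCTIONS}.get(cmd, {})
    return table.get(sub, f"0x{sub:04X}")


class TransMatcher:
    """Keeps outstanding requests keyed on (pid, uid, mid); an assumed approximation of the dissector's state."""

    def __init__(self):
        self.pending = {}

    def feed(self, frame):
        """Return an Ethereal-style Info string for a Trans/Trans2/NT Trans frame, or None for other commands."""
        cmd, status, is_reply, pid, uid, mid = parse_header(frame)
        name = COMMAND_NAMES.get(cmd)
        if name is None:
            return None
        key = (pid, uid, mid)
        if not is_reply:
            sub = request_subcommand(cmd, frame[HEADER.size:])
            self.pending[key] = (cmd, sub)          # the reply carries no subcommand, so remember it here
            return f"{name} Request, {subcommand_name(cmd, sub)}"
        matched = self.pending.pop(key, None)
        info = f"{name} Response, {subcommand_name(*matched)}" if matched else f"{name} Response<unknown>"
        if status:
            info += f", Error: {NT_STATUS_NAMES.get(status, f'0x{status:08X}')}"
        return info


def describe_trace(frames):
    matcher = TransMatcher()
    return [matcher.feed(f) for f in frames]


def build_frame(cmd, *, reply, pid, uid, mid, status=0, subcommand=None):
    """Constructed minimal SMB1 message: header plus the smallest parameter block the parser needs."""
    hdr = HEADER.pack(b"\xffSMB", cmd, status, SMB_FLAGS_REPLY if reply else 0, 0,
                      pid >> 16, b"\0" * 8, 0, 0, pid & 0xFFFF, uid, mid)
    if reply or subcommand is None:
        return hdr + b"\x00\x00\x00"                       # WordCount=0, ByteCount=0
    if cmd == SMB_COM_NT_TRANSACT:
        words = b"\0" * 36                                  # MaxSetupCount, Reserved, 8 dwords, SetupCount=0
        return hdr + bytes([19]) + words + struct.pack("<H", subcommand) + b"\0\0"
    words = b"\0" * 26 + bytes([1, 0])                      # 13 zeroed fields, SetupCount=1, Reserved3
    return hdr + bytes([15]) + words + struct.pack("<H", subcommand) + b"\0\0"


# Constructed traces (not from the poster's capture); pid/uid/mid values are arbitrary.
REQ = dict(pid=0x0FEB, uid=0x0800, mid=0x0041)
TRACES = {
    # request and reply both captured: the reply is decoded from the remembered request
    "complete": [build_frame(SMB_COM_TRANSACTION2, reply=False, subcommand=0x0007, **REQ),
                 build_frame(SMB_COM_TRANSACTION2, reply=True, **REQ)],
    # capture started after the request went out: the reply can only be "<unknown>" (packet type #3)
    "late_start": [build_frame(SMB_COM_TRANSACTION2, reply=True, status=0xC0000034, **REQ)],
    # long-lived NOTIFY_CHANGE whose request predates the capture (packet type #2)
    "notify": [build_frame(SMB_COM_NT_TRANSACT, reply=True, pid=0x0FEB, uid=0x0800, mid=0x0042)],
    # server that echoes a different pid in its reply: request present, yet no match
    "lax_server": [build_frame(SMB_COM_NT_TRANSACT, reply=False, subcommand=0x0004, **REQ),
                   build_frame(SMB_COM_NT_TRANSACT, reply=True, pid=0, uid=0x0800, mid=0x0041)],
}

if __name__ == "__main__":
    for label, frames in TRACES.items():
        print(label, describe_trace(frames))
```

The "lax_server" trace is the point of the samba-TNG remark: the request is in the capture, but because the reply does not echo the request's pid the matcher has no key to look up, and the reply is just as "unknown" as one whose request was never captured. A real capture would also need the 4-byte NetBIOS session header stripped before `parse_header` and segment reassembly for large Trans2 replies, which this model leaves out.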

On Fri, 26 Nov 2004 11:19:26 -0000, Dave Lanagan
<dave.lanagan@xxxxxxxxxxxxxxxxxxxx> wrote:
>  
>  
> Guys, 
>   My first post, sorry it's not just an intro - I've got a problem I need
> your help on too!  I'm seeing an excessive number of the following packets
> and wondered if you could give me some guidance on what they are and
> whether they're expected traffic (I'm sure they're not).
>   
> Packet type #1 
> Protocol: SMB 
> Info: Trans2 Response<unknown> 
>   
> Packet type #2 
> Protocol: SMB 
> Info: NT Trans response, Unknown 
>   
>   I'm getting these from a Windows 2003 server to Windows XP clients.
> Definitely looks like it floods in.  I also get a fair few of the
> following:
>   
> Packet type #3 
> Protocol: SMB 
> Info: Trans2 Response<unknown>, Error: STATUS_OBJECT_NAME_NOT_FOUND 
>   
>   Can you shed any light?  Oh, and Hi everyone - glad to join the Ethereal
> fan club :-) 
>   
> Dave. 
> 
>  
> 
> 
> Dave Lanagan
> Consultant 
> 
> PTS Consulting
> PTS House
> 50 Liverpool Street
> London EC2M 7PR 
> 
> Tel:+44 (0) 20 7539 6240
> Fax:+44 (0) 20 7539 6300 
> 
> http://www.pts-consultinggroup.com 
> 
>   
> 
> Registered in England and Wales as company number 4748207 and having its
> registered office at 50 Liverpool Street, London, EC2M 7PR. The
> information in this internet E-mail is confidential and is intended solely
> for the addressee. Unless you are the named addressee (or authorised to
> receive it for the addressee) you may not copy or use it, or disclose it to
> anyone else. Any views or opinions presented are solely those of the author
> and do not necessarily represent those of PTS Consulting (UK) Ltd. If you
> are not the intended recipient please contact postmaster@xxxxxxxxxxxxxxxxxxxx
>   

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users