Ethereal-users: [Ethereal-users] Re: Newbie: Is this a severe problem or normal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Tue, 19 Apr 2005 08:20:30 -0400
In a Windows environment a lot of SMB traffic would be normal.

SMB is the protocol that Windows hosts use for file sharing, and it is also
a transport for other stuff like management protocols, so a lot of SMB
would be normal.
(Windows boxes in themselves are very chatty and talk much more than
they need to, but that is a different issue.)


As far as I can tell from your very small fragment below, it looks like
perfectly normal CIFS/SMB file sharing activity: a client opening a few
files and issuing some commands to read the inode data for the files.


Note that SOME SMB traffic can indicate Windows viruses, but analyzing
these issues requires a very detailed understanding of the SMB/CIFS
protocol and familiarity with how certain versions of Windows/service
packs are expected to talk to a file server.




On 4/16/05, Uli DF5SF <uli@xxxxxxxxxxxx> wrote:
> Hi,
> I am new to the group and am making my first experiences with Ethereal.
> We have difficulties with one of our servers. The response time is too slow.
> Now we checked the network (a commercial company, $3000) and everything on
> the network is OK. No packets are destroyed and the bandwidth is used at less
> than 20% of capacity.
> Now I logged the traffic on our Windows 2003 server (192.168.0.12) and I was
> very surprised that 99,9 percent of the traffic is SMB. Sometimes I can see
> some TCP or ARP packets.
> 
> Now my question: can this be normal, or do I have a virus/trojan?
> I checked both computers with Symantec. All OK.
> 
> Many thanks for your help.
> Uli
> 
>  1 15:51:02.267395 192.168.0.10 192.168.0.12 SMB Trans2 Request,
> FIND_FIRST2, Pattern: \Bcwin32\order.1
>  2 15:51:02.267897 192.168.0.12 192.168.0.10 SMB Trans2 Response,
> FIND_FIRST2, Files: ORDER.1
>  3 15:51:02.268523 192.168.0.10 192.168.0.12 SMB Close Request, FID: 0x4413
>  4 15:51:02.268666 192.168.0.12 192.168.0.10 SMB Close Response
>  5 15:51:02.268947 192.168.0.10 192.168.0.12 SMB Trans2
> Request,QUERY_PATH_INFO,Query File                                          
>                                                          
> BasicInfo,Path:\BCWIN32\order.1
>  6 15:51:02.269196 192.168.0.12 192.168.0.10 SMB Trans2 Response,
> QUERY_PATH_INFO
>  7 15:51:02.269759 192.168.0.10 192.168.0.12 SMB NT Create AndX Request,
> Path: \BCWIN32\order.1
>  8 15:51:02.270235 192.168.0.12 192.168.0.10 SMB NT Create AndX Response,
> FID: 0x0249
>  9 15:51:02.270597 192.168.0.10 192.168.0.12 SMB Trans2 Request,
> SET_FILE_INFO, FID: 0x0249
> 10 15:51:02.270667 192.168.0.12 192.168.0.10 SMB Trans2 Response,
> SET_FILE_INFO
> 11 15:51:02.270993 192.168.0.10 192.168.0.12 SMB Read AndX Request, FID:
> 0x0249, 660 bytes at offset 0
> 12 15:51:02.271058 192.168.0.12 192.168.0.10 SMB Read AndX Response, FID:
> 0x0249, 660 bytes
> 13 15:51:02.272528 192.168.0.10 192.168.0.12 SMB Trans2 Request,
> QUERY_PATH_INFO, Query File Basic Info, Path:                               
>                                  \BCWIN32\CInohost.1
> 14 15:51:02.272695 192.168.0.12 192.168.0.10 SMB Trans2 Response,
> QUERY_PATH_INFO, Error:                                                     
>                                 STATUS_OBJECT_NAME_NOT_FOUND
> 15 15:51:02.274550 192.168.0.10 192.168.0.12 SMB Close Request, FID: 0x0249
> 16 15:51:02.274643 192.168.0.12 192.168.0.10 SMB Close Response
> 17 15:51:02.274881 192.168.0.10 192.168.0.12 SMB NT Create AndX Request,
> Path: \BCWIN32\CInohost.1
> 18 15:51:02.274959 192.168.0.10 192.168.0.12 SMB NT Create AndX Request,
> Path: \BCWIN32\order.1
> 20 15:51:02.275123 192.168.0.12 192.168.0.10 SMB NT Create AndX Response,
> Error: STATUS_OBJECT_NAME_NOT_FOUND
> 21 15:51:02.275483 192.168.0.12 192.168.0.10 SMB NT Create AndX Response,
> FID: 0x0243
> 
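A small parser for the one-line SMB summary format shown in the quoted trace, added here as an example (it is not code from the thread or from the Ethereal project): it histograms the SMB commands, pairs NT Create AndX requests with their responses in FIFO order to map each FID back to a path, and lists the server-side error statuses, which gives the kind of baseline a reader would compare against before worrying about raw SMB volume. The sample input is constructed from the frames quoted above (rejoined, with a few frames omitted), and the FIFO pairing is an assumption that holds while the client has no overlapping opens outstanding.

```python
import re
from collections import Counter, deque

# Constructed sample: a subset of the summary lines quoted in the thread, with the
# line-wrapped entries rejoined (frame 19 was absent in the original as well).
TRACE = r"""
1 15:51:02.267395 192.168.0.10 192.168.0.12 SMB Trans2 Request, FIND_FIRST2, Pattern: \Bcwin32\order.1
2 15:51:02.267897 192.168.0.12 192.168.0.10 SMB Trans2 Response, FIND_FIRST2, Files: ORDER.1
5 15:51:02.268947 192.168.0.10 192.168.0.12 SMB Trans2 Request, QUERY_PATH_INFO, Query File BasicInfo, Path: \BCWIN32\order.1
6 15:51:02.269196 192.168.0.12 192.168.0.10 SMB Trans2 Response, QUERY_PATH_INFO
7 15:51:02.269759 192.168.0.10 192.168.0.12 SMB NT Create AndX Request, Path: \BCWIN32\order.1
8 15:51:02.270235 192.168.0.12 192.168.0.10 SMB NT Create AndX Response, FID: 0x0249
11 15:51:02.270993 192.168.0.10 192.168.0.12 SMB Read AndX Request, FID: 0x0249, 660 bytes at offset 0
12 15:51:02.271058 192.168.0.12 192.168.0.10 SMB Read AndX Response, FID: 0x0249, 660 bytes
13 15:51:02.272528 192.168.0.10 192.168.0.12 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \BCWIN32\CInohost.1
14 15:51:02.272695 192.168.0.12 192.168.0.10 SMB Trans2 Response, QUERY_PATH_INFO, Error: STATUS_OBJECT_NAME_NOT_FOUND
15 15:51:02.274550 192.168.0.10 192.168.0.12 SMB Close Request, FID: 0x0249
16 15:51:02.274643 192.168.0.12 192.168.0.10 SMB Close Response
17 15:51:02.274881 192.168.0.10 192.168.0.12 SMB NT Create AndX Request, Path: \BCWIN32\CInohost.1
18 15:51:02.274959 192.168.0.10 192.168.0.12 SMB NT Create AndX Request, Path: \BCWIN32\order.1
20 15:51:02.275123 192.168.0.12 192.168.0.10 SMB NT Create AndX Response, Error: STATUS_OBJECT_NAME_NOT_FOUND
21 15:51:02.275483 192.168.0.12 192.168.0.10 SMB NT Create AndX Response, FID: 0x0243
"""
LINE_RE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+\S+\s+SMB\s+(.*)$")  # frame, time, src, dst, info
def summarize(trace):
    """Return (command histogram, FID -> path map, list of (frame, cmd, error))."""
    commands, fid_paths, errors = Counter(), {}, []
    pending_creates = deque()  # paths of NT Create AndX Requests awaiting a response
    for line in trace.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame, info = int(m.group(1)), m.group(2)
        fields = [f.strip() for f in info.split(",")]
        cmd = fields[0]
        if cmd.startswith("Trans2") and len(fields) > 1:
            cmd += " " + fields[1]  # e.g. "Trans2 Request QUERY_PATH_INFO"
        commands[cmd] += 1
        # "key: value" details (FID, Path, Error); fields without a colon are skipped
        detail = dict((k.strip(), v.strip()) for k, v in
                      (f.split(":", 1) for f in fields[1:] if ":" in f))
        if cmd == "NT Create AndX Request":
            pending_creates.append(detail["Path"])
        elif cmd == "NT Create AndX Response" and pending_creates:
            path = pending_creates.popleft()  # assumes responses arrive in request order
            if "FID" in detail:
                fid_paths[detail["FID"]] = path
        if "Error" in detail:
            errors.append((frame, cmd, detail["Error"]))
    return commands, fid_paths, errors
```

On the sample above the histogram is dominated by path queries and opens on two files, the only errors are two STATUS_OBJECT_NAME_NOT_FOUND replies for a file that does not exist, and both successful FIDs resolve to order.1, which is the "few files, some inode queries" picture the reply describes.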