Ethereal-users: [Ethereal-users] PLEASE HELP WITH MY PROBLEM
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "john@xxxxxxxxxxxxxxx" <john@xxxxxxxxxxxxxxx>
Date: Mon, 22 Aug 2005 16:18:08 +0100
Hello,

Thanks for creating such a good program. I think Ethereal has got me just a little bit closer to a very long ongoing network problem that has been haunting me for almost two years, thus any help from you will be very much appreciated.

I am trying to establish whether my fault is some very nasty bug / Trojan (maybe a BIOS virus???). If it is, nothing seems to find it, and I can't get rid of it, the poor network performance on my network.

About two years ago I noticed poor network performance, and slow clicking in my computer on drives of P4 XP machines. I had two servers (1 x file server and 1 x mail server). I had errors where you could not browse certain machines, Windows XP event "forced election" errors, and just poor network performance and strange things going on.

I wiped every machine on the network including both servers and reinstalled everything on client and server machines, formatted the drives, reinstalled up to date drivers etc. I still had funny things going on between my servers / Internet / client machines via the network.

... I thought, time to simplify my network...... I now only have 1 x client machine, 1 x server, 1 x WatchGuard X500 firewall, 1 x Netopia router connected to my firewall. My server IP is 192.168.1.5, my firewall IP is 192.168.1.1, my client IP is 192.168.1.100. For the last two years I have suffered bad network performance locally and on the Internet, and strange problems that I just can't solve.

I came across your program, which is brilliant, and has shown me all IP traffic across the network, and I think the problem I have!! I am running the software on a client machine, 192.168.1.100. I keep getting lots of checksum errors, i.e. Checksum: 0x8450 [incorrect, should be 0xeac1]
Please see the sample packets below. This must mean something is corrupting the data (what???). I just know the network has not been right. Please help, what is the next step other than seeing corrupted checksums??? These errors happen on all outgoing network data. Is this the cause of something nasty / Trojan? I have checked & checked. Please help.

Regards
John

>>>>>>>>>> sample data

Frame 237 (117 bytes on wire, 117 bytes captured)
    Arrival Time: Aug 22, 2005 15:14:05.826833000
    Time delta from previous packet: 0.000084000 seconds
    Time since reference or first frame: 6.246286000 seconds
    Frame Number: 237
    Packet Length: 117 bytes
    Capture Length: 117 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: 192.168.1.100 (00:0d:61:42:19:56), Dst: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Destination: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Source: 192.168.1.100 (00:0d:61:42:19:56)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.5 (192.168.1.5)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 103
    Identification: 0x706b (28779)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x066c [correct]
    Source: 192.168.1.100 (192.168.1.100)
    Destination: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 1490 (1490), Dst Port: netbios-ssn (139), Seq: 4425, Ack: 5722, Len: 63
    Source port: 1490 (1490)
    Destination port: netbios-ssn (139)
    Sequence number: 4425 (relative sequence number)
    Next sequence number: 4488 (relative sequence number)
    Acknowledgement number: 5722 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64781
    Checksum: 0x8413 [incorrect, should be 0x6f9b]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 236
        The RTT to ACK the segment was: 0.000084000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 59
SMB (Server Message Block Protocol)

No.     Time        Source          Destination     Protocol  Info
238     6.246445    192.168.1.5     192.168.1.100   DCERPC    Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280

Frame 238 (186 bytes on wire, 186 bytes captured)
    Arrival Time: Aug 22, 2005 15:14:05.826992000
    Time delta from previous packet: 0.000159000 seconds
    Time since reference or first frame: 6.246445000 seconds
    Frame Number: 238
    Packet Length: 186 bytes
    Capture Length: 186 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Ethernet II, Src: 192.168.1.5 (00:b0:d0:68:d0:e4), Dst: 192.168.1.100 (00:0d:61:42:19:56)
    Destination: 192.168.1.100 (00:0d:61:42:19:56)
    Source: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.5 (192.168.1.5), Dst: 192.168.1.100 (192.168.1.100)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 172
    Identification: 0xa67f (42623)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xd012 [correct]
    Source: 192.168.1.5 (192.168.1.5)
    Destination: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 1490 (1490), Seq: 5722, Ack: 4488, Len: 132
    Source port: netbios-ssn (139)
    Destination port: 1490 (1490)
    Sequence number: 5722 (relative sequence number)
    Next sequence number: 5854 (relative sequence number)
    Acknowledgement number: 4488 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16160
    Checksum: 0xe4d5 [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 237
        The RTT to ACK the segment was: 0.000159000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 128
SMB (Server Message Block Protocol)
DCE RPC Bind_ack, Fragment: Single, FragLen: 68, Call: 1

No.     Time        Source          Destination     Protocol  Info
239     6.246515    192.168.1.100   192.168.1.5     WINREG    OpenHKLM request

Frame 239 (178 bytes on wire, 178 bytes captured)
    Arrival Time: Aug 22, 2005 15:14:05.827062000
    Time delta from previous packet: 0.000070000 seconds
    Time since reference or first frame: 6.246515000 seconds
    Frame Number: 239
    Packet Length: 178 bytes
    Capture Length: 178 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Ethernet II, Src: 192.168.1.100 (00:0d:61:42:19:56), Dst: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Destination: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Source: 192.168.1.100 (00:0d:61:42:19:56)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.5 (192.168.1.5)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 164
    Identification: 0x706c (28780)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x062e [correct]
    Source: 192.168.1.100 (192.168.1.100)
    Destination: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 1490 (1490), Dst Port: netbios-ssn (139), Seq: 4488, Ack: 5854, Len: 124
    Source port: 1490 (1490)
    Destination port: netbios-ssn (139)
    Sequence number: 4488 (relative sequence number)
    Next sequence number: 4612 (relative sequence number)
    Acknowledgement number: 5854 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64649
    Checksum: 0x8450 [incorrect, should be 0xeac1]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 238
        The RTT to ACK the segment was: 0.000070000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 120
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC Request, Fragment: Single, FragLen: 36, Call: 1 Ctx: 0, [Resp: #240]
Microsoft Registry, OpenHKLM

No.     Time        Source          Destination     Protocol  Info
240     6.247173    192.168.1.5     192.168.1.100   WINREG    OpenHKLM response

Frame 240 (162 bytes on wire, 162 bytes captured)
    Arrival Time: Aug 22, 2005 15:14:05.827720000
    Time delta from previous packet: 0.000658000 seconds
    Time since reference or first frame: 6.247173000 seconds
    Frame Number: 240
    Packet Length: 162 bytes
    Capture Length: 162 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Ethernet II, Src: 192.168.1.5 (00:b0:d0:68:d0:e4), Dst: 192.168.1.100 (00:0d:61:42:19:56)
    Destination: 192.168.1.100 (00:0d:61:42:19:56)
    Source: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.5 (192.168.1.5), Dst: 192.168.1.100 (192.168.1.100)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 148
    Identification: 0xa680 (42624)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xd029 [correct]
    Source: 192.168.1.5 (192.168.1.5)
    Destination: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 1490 (1490), Seq: 5854, Ack: 4612, Len: 108
    Source port: netbios-ssn (139)
    Destination port: 1490 (1490)
    Sequence number: 5854 (relative sequence number)
    Next sequence number: 5962 (relative sequence number)
    Acknowledgement number: 4612 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 17520
    Checksum: 0x02a3 [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 239
        The RTT to ACK the segment was: 0.000658000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 104
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC Response, Fragment: Single, FragLen: 48, Call: 1 Ctx: 0, [Req: #239]
Microsoft Registry, OpenHKLM

No.     Time        Source          Destination     Protocol  Info
241     6.247246    192.168.1.100   192.168.1.5     WINREG    OpenKey request

Frame 241 (286 bytes on wire, 286 bytes captured)
    Arrival Time: Aug 22, 2005 15:14:05.827793000
    Time delta from previous packet: 0.000073000 seconds
    Time since reference or first frame: 6.247246000 seconds
    Frame Number: 241
    Packet Length: 286 bytes
    Capture Length: 286 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Ethernet II, Src: 192.168.1.100 (00:0d:61:42:19:56), Dst: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Destination: 192.168.1.5 (00:b0:d0:68:d0:e4)
    Source: 192.168.1.100 (00:0d:61:42:19:56)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.5 (192.168.1.5)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 272
    Identification: 0x706d (28781)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x05c1 [correct]
    Source: 192.168.1.100 (192.168.1.100)
    Destination: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 1490 (1490), Dst Port: netbios-ssn (139), Seq: 4612, Ack: 5962, Len: 232
    Source port: 1490 (1490)
    Destination port: netbios-ssn (139)
    Sequence number: 4612 (relative sequence number)
    Next sequence number: 4844 (relative sequence number)
    Acknowledgement number: 5962 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64541
    Checksum: 0x84bc [incorrect, should be 0x16b9]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 240
        The RTT to ACK the segment was: 0.000073000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 228
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC Request, Fragment: Single, FragLen: 144, Call: 2 Ctx: 0, [Resp: #242]
Microsoft Registry, OpenKey

No.     Time        Source          Destination     Protocol  Info
242     6.247660    192.168.1.5     192.168.1.100   WINREG    OpenKey response, Unknown error 0x00000005
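The post's dump has a telling pattern: every "[incorrect]" TCP checksum is on a frame sent by 192.168.1.100, the machine running the capture, while every frame received from 192.168.1.5 verifies. That is the signature of TCP checksum offload: the capture library sees the segment before the NIC fills in the checksum, so the dissector recomputes it and reports a mismatch that never existed on the wire. The script below is an added example, not part of the post or of Ethereal, and it does two things a responder would do before suspecting corruption or malware: recompute the RFC 793 checksum (IPv4 pseudo-header plus TCP header and payload) exactly as a dissector does, and triage the dissector's checksum lines by direction. The five direction/checksum rows are copied from the frames in the post; the sample segment built for the checksum routine is constructed, and CAPTURE_HOST is taken from the post.

```python
"""Recompute a TCP checksum and triage 'incorrect' checksums by direction.
Added example; the frame rows come from the post, the segment is constructed."""
import re
import socket
import struct
from typing import Dict, List, Optional, Tuple

# The host that ran Ethereal in the post.
CAPTURE_HOST = "192.168.1.100"

# Matches the dissector's line, e.g. "Checksum: 0x8450 [incorrect, should be 0xeac1]".
CHECKSUM_RE = re.compile(
    r"Checksum:\s*0x([0-9a-fA-F]{4})\s*\[(correct|incorrect(?:, should be 0x([0-9a-fA-F]{4}))?)\]"
)


def parse_checksum_line(line: str) -> Optional[Tuple[int, bool, Optional[int]]]:
    """Return (stored, is_correct, expected) for a dissector checksum line."""
    m = CHECKSUM_RE.search(line)
    if not m:
        return None
    stored = int(m.group(1), 16)
    ok = m.group(2) == "correct"
    expected = int(m.group(3), 16) if m.group(3) else (stored if ok else None)
    return stored, ok, expected


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 TCP checksum over the IPv4 pseudo-header (src, dst, zero,
    protocol 6, TCP length) plus the segment with its checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # bytes 16-17 hold the checksum
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What the dissector does: compare the stored field with a fresh computation."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int,
                      ack: int, flags: int, window: int, payload: bytes) -> bytes:
    """Constructed sample: a 20-byte TCP header plus payload with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


# (src, dst, dissector checksum line) for frames 237-241 as shown in the post.
POST_FRAMES = [
    ("192.168.1.100", "192.168.1.5", "Checksum: 0x8413 [incorrect, should be 0x6f9b]"),
    ("192.168.1.5", "192.168.1.100", "Checksum: 0xe4d5 [correct]"),
    ("192.168.1.100", "192.168.1.5", "Checksum: 0x8450 [incorrect, should be 0xeac1]"),
    ("192.168.1.5", "192.168.1.100", "Checksum: 0x02a3 [correct]"),
    ("192.168.1.100", "192.168.1.5", "Checksum: 0x84bc [incorrect, should be 0x16b9]"),
]


def frames_from_dissector_lines(rows) -> List[Dict]:
    frames = []
    for src, dst, line in rows:
        parsed = parse_checksum_line(line)
        if parsed is None:
            raise ValueError("no TCP checksum field in: " + line)
        frames.append({"src": src, "dst": dst, "ok": parsed[1]})
    return frames


def triage(frames: List[Dict]) -> str:
    """If every bad checksum is on a frame the capturing host *sent* and every
    frame it *received* verifies, the capture saw segments before the NIC
    filled in the checksum (offload); bad checksums on received frames point
    at the wire, a switch port or a NIC instead."""
    bad = [f for f in frames if not f["ok"]]
    if not bad:
        return "no TCP checksum errors"
    bad_only_outbound = all(f["src"] == CAPTURE_HOST for f in bad)
    inbound_all_ok = all(f["ok"] for f in frames if f["dst"] == CAPTURE_HOST)
    if bad_only_outbound and inbound_all_ok:
        return "consistent with checksum offload on the capturing host"
    return "bad checksums on received frames: inspect cabling, switch ports and NICs"


if __name__ == "__main__":
    seg = build_tcp_segment("192.168.1.100", "192.168.1.5", 1490, 139, 4425, 5722,
                            0x18, 64781, b"\x00\x00\x00\x3b" + b"constructed SMB payload")
    print("sample segment verifies:", tcp_checksum_ok("192.168.1.100", "192.168.1.5", seg))
    print("post's frames:", triage(frames_from_dissector_lines(POST_FRAMES)))
```

The quickest confirmation on the capturing machine is to capture the same traffic from a third host (or a mirror port): if the checksums are correct there, the NIC computed them after the capture point and the "[incorrect]" flags are an artefact of offload, not corruption. Ethereal also lets TCP checksum validation be switched off in the TCP protocol preferences, which stops the false reports without changing what is on the wire.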
- Follow-Ups:
- Re: [Ethereal-users] PLEASE HELP WITH MY PROBLEM
- From: Guy Harris
- Re: [Ethereal-users] PLEASE HELP WITH MY PROBLEM