Wireshark-users: Re: [Wireshark-users] Data Capture Question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 19 Sep 2008 10:05:54 -0700

On Sep 18, 2008, at 9:51 AM, Ed Mendez wrote:
> Can you please help me decipher why the user 143.219.121.179 cannot access the NT servers 163.198.217.24 and .31? He can ping the servers but when he tries to access the server via UNC path or NetBIOS it fails. I am trying to better understand what the errors in the attached data capture are telling me. Can you help?? Thank you!

Well, some of the errors are for NetBIOS Name Service queries from 143.219.121.179 to 165.216.93.58 - the error in frame 1199 is a reply to the query in 1194, trying to look up the name "USMDLSDOWW038", and the reply says there's no such name. If "USMDLSDOWW038" is the server he's trying to access, and 165.216.93.58 is your WINS server, then the server "USMDLSDOWW038" hasn't registered its name with the WINS server.

Given that, after querying 165.216.93.58, it then tries to broadcast a query for the same name, I suspect 165.216.93.58 is your WINS server. The broadcast query fails (no responses are sent).

There also appear to be some Port Unreachable ICMP messages for what appear to be WINS lookups from 143.219.121.179 to 10.0.1.2 and 10.0.2.12; are those secondary WINS servers? If so, they appear to be saying they're *not* WINS servers, as they're not listening on port 137.

Then there are NetBIOS status messages sent from 143.219.121.179 to 163.198.217.24, presumably because 143.219.121.179 is trying to find the NetBIOS name of 163.198.217.24; 163.198.217.24 is sending back ICMP Port Unreachable messages saying it's not listening on port 137, which probably means that 163.198.217.24 doesn't have NetBIOS turned on.

It appears that 143.219.121.179 then concludes that 163.198.217.24 might not support NetBIOS, so it tries the new SMB-over-TCP (using DNS for host name resolution, and not using NetBIOS at all) mechanism, connecting to port 445. That fails - no response is sent to the initial connection attempt (initial SYN).

Are you certain that 163.198.217.24 has SMB file service turned on? It sure doesn't look, from this capture, as if it has NetBIOS-over-TCP turned on, and it sure doesn't look as if it has SMB turned on even *without* NetBIOS-over-TCP.

As for 163.198.217.31, all I see is HTTP traffic, so neither NetBIOS-over-TCP nor SMB is involved. What I'm seeing *there* are a bunch of "sorry, you're not allowed to see this page" errors and one "sorry, that page doesn't exist" reply for an attempt to get a GIF image. That might be happening because, well, the user isn't allowed to see that page; you'd have to ask the manager of that server what the problem is.
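The resolution sequence walked through above (WINS lookup with a negative reply, unanswered broadcast fallback, ICMP Port Unreachable for the NetBIOS status query on UDP/137, then an unanswered SYN to TCP/445) can be triaged mechanically. The script below is an added example, not part of the original thread; its packet summaries are constructed with documentation addresses and a made-up name FILESRV01, and are not frames from the attached capture.

```python
from collections import namedtuple

# Constructed packet summaries modelled on the failure pattern described in
# the mail (documentation addresses; NOT frames from the original capture).
Pkt = namedtuple("Pkt", "frame proto src dst dport info")

CLIENT, WINS, SERVER = "192.0.2.10", "192.0.2.2", "198.51.100.24"
PACKETS = [
    Pkt(1, "NBNS", CLIENT, WINS, 137, {"op": "query", "name": "FILESRV01", "txid": 1}),
    Pkt(2, "NBNS", WINS, CLIENT, 137, {"op": "response", "txid": 1, "rcode": 3}),  # NXDOMAIN
    Pkt(3, "NBNS", CLIENT, "192.0.2.255", 137, {"op": "query", "name": "FILESRV01", "txid": 2}),
    Pkt(4, "NBNS", CLIENT, SERVER, 137, {"op": "status", "txid": 3}),
    Pkt(5, "ICMP", SERVER, CLIENT, None, {"type": 3, "code": 3, "orig_dport": 137}),
    Pkt(6, "TCP", CLIENT, SERVER, 445, {"flags": "S"}),
]


def diagnose(packets, client, server):
    """Return sorted (frame, finding) pairs explaining why client->server SMB access failed."""
    findings = []
    # NBNS name queries issued by the client, keyed by transaction id.
    queries = {p.info["txid"]: p for p in packets
               if p.proto == "NBNS" and p.src == client and p.info["op"] == "query"}
    answered = set()
    for p in packets:
        if p.proto == "NBNS" and p.dst == client and p.info["op"] == "response":
            answered.add(p.info["txid"])
            q = queries.get(p.info["txid"])
            if q and p.info.get("rcode", 0) != 0:  # non-zero rcode: name not registered
                findings.append((p.frame, f"{p.src} (WINS) has no registration for {q.info['name']}"))
        elif p.proto == "ICMP" and p.dst == client and (p.info["type"], p.info["code"]) == (3, 3):
            findings.append((p.frame, f"{p.src} not listening on UDP/{p.info['orig_dport']}"))
    # Broadcast fallback queries that never drew a reply.
    for txid, q in queries.items():
        if txid not in answered and q.dst.endswith(".255"):
            findings.append((q.frame, f"broadcast lookup of {q.info['name']} unanswered"))
    # SMB-over-TCP attempt: a SYN to 445 with no SYN/ACK back from the server.
    syns = [p for p in packets if p.proto == "TCP" and p.src == client
            and p.dst == server and p.dport == 445 and p.info["flags"] == "S"]
    synacks = [p for p in packets if p.proto == "TCP" and p.src == server
               and p.dst == client and p.info["flags"] == "SA"]
    if syns and not synacks:
        findings.append((syns[0].frame, f"SYN to {server}:445 unanswered; no SMB listener or filtered"))
    return sorted(findings)


if __name__ == "__main__":
    for frame, finding in diagnose(PACKETS, CLIENT, SERVER):
        print(f"frame {frame}: {finding}")
```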