I am trying to troubleshoot why I am seeing SMB traffic between very limited devices broadcast across an entire VLAN. This is only happening in a single direction, so Wireshark is reporting 'Trans2 Response<unknown>' because it did not see the initial request packet.
The network this is occurring on is entirely switched, so I can't explain why I am seeing this SMB traffic which was taken from a device plugged into the same VLAN as the destination host (10.24.x.x/16). In the sample I've included, there is only a single destination address, but this is happening for a handful of machines.
To run this test, I plugged a laptop into the same VLAN as the destination address, and ran Wireshark. The port the laptop was connected to is not a mirror port, but I am still seeing unicast traffic between 10.40.12.18 (a file server) and 10.24.8.167 (a workstation). The laptop has an address of 10.24.100.94. I am only seeing traffic in one direction from 10.40.12.18 --> 10.24.8.167, and I am not seeing traffic in the opposite direction.
In looking at the output from Wireshark, I'm unable to determine why the laptop would have been sent a copy of this packet. Have any of you ever seen anything like this? Am I overlooking something in the packet that is causing it to be broadcast across the entire VLAN?
Any help would be greatly appreciated.
Thanks,
-Steve
Attachment:
smb.pcap
Description: Binary data