Wireshark-users: [Wireshark-users] TCP / SMB Broadcast? (fwd)

Date: Wed, 15 Jul 2009 04:40:33 -0600
Hi,

Ok, I've gone through the captures taken last night. To confirm, there is no port mirroring set up on the switches. This behaviour is only seen on one of the 3750 switches. This does not occur for all data on the VLANs, and seems to be related to the same systems consistently. I've attached 2 binary capture files:

10.0.4.x.pcap - SMB traffic between 2 XP Professional workstations. This communication is strange enough (apart from being seen on my monitoring system) because both are Windows XP Professional, so neither should act as a Domain Controller anyway. There are also additional packets with ICMP and NTP communication between two systems.

192.168.10.x-TCP.pcap - TCP session between 2 UNIX servers and a workstation. This only occurred once, around 09:00 - when the workstation logged on.

Mario
---------- Forwarded message ----------
From: mv652@xxxxxxxxxxxx
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] TCP / SMB Broadcast?
Date: Wed, 15 Jul 2009 02:11:58 -0600

Thank you for all those responses. They've all been very helpful.

I'll be looking at this in more detail and will post some more info. In the meantime, the architecture is pretty simple: There are 2 CISCO 3750 switches and 1 CISCO 2950. Besides multi-homed PCs and servers, there is no direct connectivity between any of the switches. The 2950 is used only for internet access. The 3750s are used for business traffic. Each is divided into 2 VLANs - each VLAN carrying different business data. "ip routing" is not strictly needed on the switches as inter-VLAN routing is not needed. "ip routing" is enabled only because the monitoring system originally had 3 NICs (one per switch) and a way was needed to monitor devices in the 'other' VLAN. Even then, routing was kept to a minimum, with none of the PCs or servers having default routes, but rather static routes direct to the monitoring system via the VLAN IP address. The monitoring system now has 5 NICs - each placed in a different VLAN. I have an overnight capture of 5 instances of Wireshark running with all NICs in promiscuous mode.

I'll check if this behaviour only occurs in a particular VLAN to drill down the source of the issue.


Point taken regarding the binary capture. I am just very wary of what data I may place on a public forum.

Thanks again for the responses.

Regards,
Mario

------------------------------------------------
Date: Tue, 14 Jul 2009 02:21:03 -0600
From: mv652@xxxxxxxxxxxx
Subject: [Wireshark-users] TCP / SMB Broadcast?
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <courier.4A5C3FFF.0000589C@xxxxxxxxxxxx>

Hi,
I'd appreciate if someone could take a look at the attached capture of 11
packets and explain why I am able to see the TCP & SMB negotiation between
these two hosts.
My capturing device has IP address 10.0.4.26, connected on the same switch,
same VLAN as the two systems in the capture (10.0.4.50 & 10.0.4.6).  The
capturing system's NIC is in promiscuous mode.

Note - I understand why I see the ARP request, as it's a broadcast to the
network address; what I don't understand is why I see the rest of the
communication between the two.  I even see an ICMP reply from one host to
the other, but not the original request.

These systems are running on a managed switch, not a hub.

Thanks,

Attachment: 192.168.10.x-TCP.pcap
Description: Binary data

Attachment: 10.0.4.x.pcap
Description: Binary data
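As an added example (not code from the thread or from the Wireshark project), a small Python script that parses a classic libpcap file and buckets every Ethernet frame by its destination MAC. On a switched network a promiscuous NIC should normally see only broadcast, multicast and unicast addressed to itself; frames in the "unicast-other" bucket are the ones the question is about, so the counts give a quick measure of how much of someone else's unicast the 10.0.4.26 monitor is receiving. The MAC addresses and the sample capture are constructed placeholders, not the poster's pcap.

```python
import struct
from collections import Counter
BROADCAST = "ff:ff:ff:ff:ff:ff"
def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify(dst_mac, own_mac):
    # Bucket a frame by destination MAC, as seen by a promiscuous NIC on a switch port
    if dst_mac == BROADCAST:
        return "broadcast"
    if int(dst_mac[:2], 16) & 1:   # group bit set: multicast, legitimately sent to all ports
        return "multicast"
    if dst_mac == own_mac:
        return "unicast-to-me"
    return "unicast-other"         # someone else's unicast: the switch delivered it to our port

def parse_pcap(data):
    # Yield (dst_mac, src_mac) for every Ethernet frame in a classic libpcap file
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:              # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:
            yield mac_str(frame[0:6]), mac_str(frame[6:12])

def count_by_destination(data, own_mac):
    # Frames per bucket; a large "unicast-other" share means the switch is flooding to our port
    counts = Counter()
    for dst, _src in parse_pcap(data):
        counts[classify(dst, own_mac)] += 1
    return counts
# Constructed sample capture (not the poster's pcap); MAC addresses are placeholders
def eth_frame(dst, src, ethertype):
    return bytes.fromhex((dst + src).replace(":", "")) + struct.pack(">H", ethertype) + bytes(46)
def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
ME, HOST_A, HOST_B = "02:00:00:00:04:26", "02:00:00:00:04:50", "02:00:00:00:04:06"
SAMPLE = build_pcap([
    eth_frame(BROADCAST, HOST_A, 0x0806),  # ARP request: expected on every port
    eth_frame(HOST_B, HOST_A, 0x0800),     # A -> B unicast: should not reach the monitor
    eth_frame(HOST_A, HOST_B, 0x0800),     # B -> A unicast: should not reach the monitor
    eth_frame(ME, HOST_B, 0x0800),         # B -> monitoring host: normal
])
```

To run it against a real file, pass `open("10.0.4.x.pcap", "rb").read()` and the monitoring NIC's MAC to `count_by_destination`; the pairing of source and destination MACs in the "unicast-other" bucket shows which hosts' traffic the switch is sending to the monitor port.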