Wireshark-users: [Wireshark-users] ODD SMB packets
From: <Tim.Poth@xxxxxxxxxxx>
Date: Wed, 9 Sep 2009 12:23:29 -0400
I am looking at a performance issue for a customer and looking at some SMB traffic with path names that make no sense IE - ?\200???? @@???\217 @@???? (best I can tell there are no “real” paths in the whole capture)
In looking at the “Query_Path_Into” Parameters I see the reserved field is set to 0x03534E46 or SNF text (see below), best I understand this field should be 0 so how did it get populated. SNF could be cisco SNF however I have no way of confirming.
Any thoughts? Anyone see something like this before?
Thanks
Tim
No. Delta Time Source Destination Protocol Info
441 0.231000 12:47:03.954000 10.93.184.182 10.116.176.129 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: ?\200????
Frame 441 (224 bytes on wire, 224 bytes captured)
Arrival Time: Sep 4, 2009 12:47:03.954000000
[Time delta from previous captured frame: 0.009000000 seconds]
[Time delta from previous displayed frame: 0.231000000 seconds]
[Time since reference or first frame: 13.799000000 seconds]
Frame Number: 441
Frame Length: 224 bytes
Capture Length: 224 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Ibm_78:bc:c0 (00:1a:64:78:bc:c0), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)
Address: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Frame check sequence: 0x6bff8010 [incorrect, should be 0xf7b79332]
Internet Protocol, Src: 10.93.184.182 (10.93.184.182), Dst: 10.116.176.129 (10.116.176.129)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x28 (DSCP 0x0a: Assured Forwarding 11; ECN: 0x00)
0010 10.. = Differentiated Services Codepoint: Assured Forwarding 11 (0x0a)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 206
Identification: 0x02c6 (710)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 120
Protocol: TCP (0x06)
Header checksum: 0x8133 [correct]
[Good: True]
[Bad : False]
Source: 10.93.184.182 (10.93.184.182)
Destination: 10.116.176.129 (10.116.176.129)
Transmission Control Protocol, Src Port: index-pc-wb (2127), Dst Port: netbios-ssn (139), Seq: 3157, Ack: 3189, Len: 166
Source port: index-pc-wb (2127)
Destination port: netbios-ssn (139)
[Stream index: 1]
Sequence number: 3157 (relative sequence number)
[Next sequence number: 3323 (relative sequence number)]
Acknowledgement number: 3189 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 63788
Checksum: 0xeb3b [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[Number of bytes in flight: 166]
NetBIOS Session Service
Message Type: Session message
Flags: 0x00
.... ...0 = Add 0 to length
Length: 162
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 442]
SMB Command: Trans2 (0x32)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: D7D4BAC936AE62C5
Reserved: 0000
Tree ID: 2048
Process ID: 3908
User ID: 2048
Multiplex ID: 10305
Trans2 Request (0x32)
Word Count (WCT): 15
Total Parameter Count: 94
Total Data Count: 0
Max Parameter Count: 2
Max Data Count: 40
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 94
Parameter Offset: 68
Data Count: 0
Data Offset: 0
Setup Count: 1
Reserved: 00
Subcommand: QUERY_PATH_INFO (0x0005)
Byte Count (BCC): 97
Padding: 000000
QUERY_PATH_INFO Parameters
Level of Interest: Query File Basic Info (1004)
Reserved: 03534E46
File Name: ?\200????
Unknown Data: 0008010600000000FFFF1A002200FFFFFFFF000000003092...
0000 00 00 0c 07 ac 01 00 1a 64 78 bc c0 08 00 45 28 ........dx....E(
0010 00 ce 02 c6 40 00 78 06 81 33 0a 5d b8 b6 0a 74 [email protected].]...t
0020 b0 81 08 4f 00 8b 35 1f 08 53 27 07 b3 4b 50 18 ...O..5..S'..KP.
0030 f9 2c eb 3b 00 00 00 00 00 a2 ff 53 4d 42 32 00 .,.;.......SMB2.
0040 00 00 00 18 07 c8 00 00 d7 d4 ba c9 36 ae 62 c5 ............6.b.
0050 00 00 00 08 44 0f 00 08 41 28 0f 5e 00 00 00 02 ....D...A(.^....
0060 00 28 00 00 00 00 00 00 00 00 00 00 00 5e 00 44 .(...........^.D
0070 00 00 00 00 00 01 00 05 00 61 00 00 00 00 ec 03 .........a......
0080 03 53 4e 46 ee 05 80 00 06 01 34 12 48 5a 04 1d .SNF......4.HZ..
0090 00 00 00 08 01 06 00 00 00 00 ff ff 1a 00 22 00 ..............".
00a0 ff ff ff ff 00 00 00 00 30 92 05 1e 30 92 a5 98 ........0...0...
00b0 00 1a 64 78 bc c0 00 16 9c 1b cc 00 08 00 45 00 ..dx..........E.
00c0 05 dc 85 35 40 00 2a 06 79 0a 62 a0 a3 49 0a 7a ...5@.*.y.b..I.z
00d0 3c 79 17 0c d5 85 7d 4f 83 6c 81 8f 6b ff 80 10 <y....}O.l..k...
- Follow-Ups:
- Re: [Wireshark-users] ODD SMB packets
- From: Martin Visser
- Re: [Wireshark-users] ODD SMB packets
- Prev by Date: Re: [Wireshark-users] Active filter
- Next by Date: [Wireshark-users] filter one ip while excluding another
- Previous by thread: Re: [Wireshark-users] wireshark and virtual ethernet adapters by parallels
- Next by thread: Re: [Wireshark-users] ODD SMB packets
- Index(es):