# with path names that make no sense IE - ?\200????
@@???\217 @@????
Perhaps not in the English character set,
these may just be Chinese or some other asian language and the logs don’t
understand that language type or are not Unicode.
Certainly 200???? looks like
a date to me.
-Chris
-----Original
Message-----
From:
wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser
Sent: 12
September 2009 03:20
To: Community support list for
Wireshark
Subject: Re: [Wireshark-users] ODD
SMB packets
Tim,
I think, if you have responsibility for solving the problem, you are going to
need to know more about how it is setup. Also if you can capture at the client
end (preferably from a port-mirrored switch or even the client itself) you will
get a much better idea of if delays, protocol issues are occurring (from the
point of view of the client).
Regards, Martin
MartinVisser99@xxxxxxxxx
On Sat, Sep 12, 2009 at 11:57 AM, <Tim.Poth@xxxxxxxxxxx>
wrote:
Thanks for the reply,
1. this should be normal smb traffic from a win xp client to a 2008 server
2. the capture was from somewhere inbetween but i have no idea whats on there
network. i have guess wan accelerator but they will not answer that qustion.
thanks for your help
tim
________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx
[wireshark-users-bounces@xxxxxxxxxxxxx]
On Behalf Of Martin Visser [martinvisser99@xxxxxxxxx]
Sent: Friday, September 11, 2009 7:59 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] ODD SMB packets
Haven't seen these before, but I would have two questions:-
1. Is this traffic resulting from normal file sharing activity or some other
application that uses SMB as a protocol?
2. If you are not capturing directly at the client or server, is there some
packet mangling appliance (especially a WAN accelerator) between your packet
capture and the client or server.
Regards, Martin
MartinVisser99@xxxxxxxxx<mailto:MartinVisser99@xxxxxxxxx>
On Thu, Sep 10, 2009 at 2:23 AM, <Tim.Poth@xxxxxxxxxxx<mailto:Tim.Poth@xxxxxxxxxxx>> wrote:
I am looking at a performance issue for a customer and looking at some SMB
traffic with path names that make no sense IE - ?\200????
@@???\217 @@???? (best I can tell there are
no “real” paths in the whole capture)
In looking at the “Query_Path_Into” Parameters I see the reserved field is set
to 0x03534E46 or SNF text (see below), best I understand this field should be 0
so how did it get populated. SNF could be cisco SNF however I have no way of
confirming.
Any thoughts? Anyone see something like this before?
Thanks
Tim
No. Delta Time
Source
Destination Protocol Info
441 0.231000 12:47:03.954000 10.93.184.182
10.116.176.129 SMB
Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
?\200????
Frame 441 (224 bytes on wire, 224 bytes captured)
Arrival Time: Sep 4, 2009 12:47:03.954000000
[Time delta from previous captured frame: 0.009000000 seconds]
[Time delta from previous displayed frame: 0.231000000 seconds]
[Time since reference or first frame: 13.799000000 seconds]
Frame Number: 441
Frame Length: 224 bytes
Capture Length: 224 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Ibm_78:bc:c0 (00:1a:64:78:bc:c0), Dst: All-HSRP-routers_01
(00:00:0c:07:ac:01)
Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
.... ...0 .... .... .... .... = IG bit: Individual
address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally
unique address (factory default)
Source: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)
Address: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)
.... ...0 .... .... .... .... = IG bit: Individual
address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally
unique address (factory default)
Type: IP (0x0800)
Frame check sequence: 0x6bff8010 [incorrect, should be 0xf7b79332]
Internet Protocol, Src: 10.93.184.182 (10.93.184.182), Dst: 10.116.176.129
(10.116.176.129)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x28 (DSCP 0x0a: Assured Forwarding
11; ECN: 0x00)
0010 10.. = Differentiated Services Codepoint:
Assured Forwarding 11 (0x0a)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 206
Identification: 0x02c6 (710)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 120
Protocol: TCP (0x06)
Header checksum: 0x8133 [correct]
[Good: True]
[Bad : False]
Source: 10.93.184.182 (10.93.184.182)
Destination: 10.116.176.129 (10.116.176.129)
Transmission Control Protocol, Src Port: index-pc-wb (2127), Dst Port:
netbios-ssn (139), Seq: 3157, Ack: 3189, Len: 166
Source port: index-pc-wb (2127)
Destination port: netbios-ssn (139)
[Stream index: 1]
Sequence number: 3157 (relative sequence number)
[Next sequence number: 3323 (relative sequence
number)]
Acknowledgement number: 3189 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 63788
Checksum: 0xeb3b [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[Number of bytes in flight: 166]
NetBIOS Session Service
Message Type: Session message
Flags: 0x00
.... ...0 = Add 0 to length
Length: 162
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 442]
SMB Command: Trans2 (0x32)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message
is a request to the server
.0.. .... = Notify: Notify client only
on open
..0. .... = Oplocks: OpLock not
requested/granted
...1 .... = Canonicalized Pathnames:
Pathnames are canonicalized
.... 1... = Case Sensitivity: Path
names are caseless
.... ..0. = Receive Buffer Posted:
Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read,
Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings:
Strings are Unicode
.1.. .... .... .... = Error Code Type:
Error codes are NT error codes
..0. .... .... .... = Execute-only Reads:
Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't
resolve pathnames with Dfs
.... 1... .... .... = Extended
Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used:
Path names in request are not long file names
.... .... .... .1.. = Security
Signatures: Security signatures are supported
.... .... .... ..1. = Extended
Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names
Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: D7D4BAC936AE62C5
Reserved: 0000
Tree ID: 2048
Process ID: 3908
User ID: 2048
Multiplex ID: 10305
Trans2 Request (0x32)
Word Count (WCT): 15
Total Parameter Count: 94
Total Data Count: 0
Max Parameter Count: 2
Max Data Count: 40
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way
Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID:
Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 94
Parameter Offset: 68
Data Count: 0
Data Offset: 0
Setup Count: 1
Reserved: 00
Subcommand: QUERY_PATH_INFO (0x0005)
Byte Count (BCC): 97
Padding: 000000
QUERY_PATH_INFO Parameters
Level of Interest: Query File Basic
Info (1004)
Reserved: 03534E46
File Name: ?\200????
Unknown Data:
0008010600000000FFFF1A002200FFFFFFFF000000003092...
0000 00 00 0c 07 ac 01 00 1a 64 78 bc c0 08 00 45 28
........dx....E(
0010 00 ce 02 c6 40 00 78 06 81 33 0a 5d b8 b6 0a 74
[email protected].]...t
0020 b0 81 08 4f 00 8b 35 1f 08 53 27 07 b3 4b 50 18
...O..5..S'..KP.
0030 f9 2c eb 3b 00 00 00 00 00 a2 ff 53 4d 42 32 00
.,.;.......SMB2.
0040 00 00 00 18 07 c8 00 00 d7 d4 ba c9 36 ae 62 c5
............6.b.
0050 00 00 00 08 44 0f 00 08 41 28 0f 5e 00 00 00 02
....D...A(.^....
0060 00 28 00 00 00 00 00 00 00 00 00 00 00 5e 00 44
.(...........^.D
0070 00 00 00 00 00 01 00 05 00 61 00 00 00 00 ec 03
.........a......
0080 03 53 4e 46 ee 05 80 00 06 01 34 12 48 5a 04 1d
.SNF......4.HZ..
0090 00 00 00 08 01 06 00 00 00 00 ff ff 1a 00 22 00
..............".
00a0 ff ff ff ff 00 00 00 00 30 92 05 1e 30 92 a5 98
........0...0...
00b0 00 1a 64 78 bc c0 00 16 9c 1b cc 00 08 00 45 00
..dx..........E.
00c0 05 dc 85 35 40 00 2a 06 79 0a 62 a0 a3 49 0a 7a
...5@.*.y.b..I.z
00d0 3c 79 17 0c d5 85 7d 4f 83 6c 81 8f 6b ff 80 10
<y....}O.l..k...
___________________________________________________________________________
Sent via:
Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx<mailto:wireshark-users@xxxxxxxxxxxxx>>
mailto:wireshark-users-request@xxxxxxxxxxxxx<mailto:wireshark-users-request@xxxxxxxxxxxxx>?subject=unsubscribe
|