Wireshark-users: Re: [Wireshark-users] SMB problems when ICMP is blocked?

From: "Feeny, Michael (GWMT-TASCS)" <michael_feeny@xxxxxx>
Date: Fri, 12 Mar 2010 17:15:00 -0500
All,

First, thanx so much for your responses.  It's ALWAYS good to get ideas from fellow packeteers :-)

Now, for the Epilogue...

It turns out that the ICMP-blocking was NOT the root cause of the problem (though I had lots of evidence that pointed me in that direction).

The root of the problem was:

There was overlapping IP Address space among the many clients of this file server (this fact did not surface until much interrogation). The client IPs were NAT'd on their way to the server in a "many-to-one" configuration. That is, 2 different clients in the overlapping IP Address space could arrive at the server sourced with the same NAT'd IP Address. When this occurred, as the second client arrived with the same IP as an existing client, the file server killed the first client's connection and serviced the second (and so on for the 3rd, 4th, etc., each one bumping off the previous connection).

The TACTICAL solution was to configure the file server to detect duplicate connections based upon machine name, and not by IP Address.

The strategic solution will be to eliminate the overlapping IP Address space, but that may take some time (we are merging 2 HUGE organizations).

Thanx again for all your feedback - I always learn a lot from the conversations here.

Michael

Michael Feeny 
Bank of America / Merrill Lynch
Global Wealth Management Technology 
Technology Architecture, Strategy & Core Services 
Application Infrastructure Services
Office: 609-274-2761 
Mobile:  484-995-1745 
AOL IM: feenyman99 
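
The failure pattern described in the message above can be looked for in connection data. The following is an added example, not part of the original post: it flags server-side resets of an older connection that closely follow a new connection from the same NAT'd source IP. The event tuple format, the 2-second window and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not taken from the original capture).
# Format (assumed): (time_s, nat_source_ip, source_port, event)
#   "OPEN"    = client SYN to the file server
#   "SRV_RST" = RST sent by the server on that client ip:port
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 49152, "OPEN"),
    (5.0, "192.0.2.20", 50000, "OPEN"),
    (30.0, "192.0.2.10", 49153, "OPEN"),
    (30.2, "192.0.2.10", 49152, "SRV_RST"),
    (61.0, "192.0.2.10", 49154, "OPEN"),
    (61.1, "192.0.2.10", 49153, "SRV_RST"),
    (300.0, "192.0.2.20", 50000, "SRV_RST"),  # no newer connection: not a bump
]


def find_bumped_connections(events, window_s=2.0):
    """Return (ip, killed_port, bumping_port, delay_s) for every server reset
    of an older connection that follows, within window_s, a newer OPEN from
    the same source IP on a different source port."""
    opened = {}                      # (ip, port) -> time the connection opened
    opens_by_ip = defaultdict(list)  # ip -> [(open_time, port), ...]
    findings = []
    for t, ip, port, kind in sorted(events):
        if kind == "OPEN":
            opened[(ip, port)] = t
            opens_by_ip[ip].append((t, port))
        elif kind == "SRV_RST" and (ip, port) in opened:
            start = opened.pop((ip, port))
            # Look for the most recent newer connection from the same IP.
            for open_t, open_port in reversed(opens_by_ip[ip]):
                newer = open_port != port and open_t > start
                if newer and 0 <= t - open_t <= window_s:
                    findings.append((ip, port, open_port, round(t - open_t, 3)))
                    break
    return findings


def suspect_nat_addresses(findings, min_bumps=2):
    """Source IPs whose connections were bumped at least min_bumps times,
    i.e. candidates for several clients hiding behind one NAT address."""
    counts = defaultdict(int)
    for ip, _killed, _bumper, _delay in findings:
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_bumps}


if __name__ == "__main__":
    for finding in find_bumped_connections(SAMPLE_EVENTS):
        print(finding)
    print(suspect_nat_addresses(find_bumped_connections(SAMPLE_EVENTS)))
```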


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jens Link
Sent: Sunday, March 07, 2010 4:32 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] SMB problems when ICMP is blocked?

Andrew Hood <ajhood@xxxxxxxxx> writes:

> You are preaching to the choir Jens. Once upon a time someone told
> security a fable about all ICMP being the tool of evil hackers. They
> believed it. IPv6 won't affect this network unless IPv4 is deleted by M$
> from all versions of the Windows stack.

Microsoft is heavily using IPv6. I usually don't work with Microsoft
products but I was told that current Microsoft products will only talk
IPv6 to each other and if they don't have IPv6 they'll tunnel over
IPv4. It's time for a lot of people to a) IPv6 and b) TCP basics. And b)
includes not blocking each and *every* ICMP packet. No matter if it is
IPv4 or IPv6.

cheers

Jens
-- 
-------------------------------------------------------------------------
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264         |
| http://www.quux.de | http://blog.quux.de   | jabber: jenslink@xxxxxxx |
-------------------------------------------------------------------------