Wireshark-users: [Wireshark-users] TCP / SMB Broadcast?
From: mv652@xxxxxxxxxxxx
Date: Tue, 14 Jul 2009 02:21:03 -0600
Hi, I'd appreciate it if someone could take a look at the attached capture of 11 packets and explain why I am able to see the TCP & SMB negotiation between these two hosts. My capturing device has IP address 10.0.4.26 and is connected to the same switch, same VLAN, as the two systems in the capture (10.0.4.50 & 10.0.4.6). The capturing system's NIC is in promiscuous mode.
Note - I understand why I see the ARP request as it's a broadcast to the network address, what I don't understand is why I see the rest of the communication between the two. I even see an ICMP reply from one host to the other, but not the original request.
These systems are running on a managed switch, not a hub.
Thanks, Mario
No. Time Source Destination Protocol Info
23827 2009-07-14 09:16:48.381420 hostname.domainname Broadcast ARP Who has 10.0.4.6? Tell 10.0.4.50
Frame 23827 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: ARP (0x0806)
Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: hostname.domainname (00:18:71:08:a3:1d)
Sender IP address: hostname.domainname (10.0.4.50)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 10.0.4.6 (10.0.4.6)
No. Time Source Destination Protocol Info
23828 2009-07-14 09:16:48.381431 hostname.domainname 10.0.4.6 ICMP Echo (ping) reply
Frame 23828 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0 ()
Checksum: 0xc75d [correct]
Identifier: 0x0200
Sequence number: 36352 (0x8e00)
Data (32 bytes)
0000 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 ABCDEFGHIJKLMNOP
0010 51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49 QRSTUVWABCDEFGHI
Data: 4142434445464748494A4B4C4D4E4F505152535455565741...
No. Time Source Destination Protocol Info
23829 2009-07-14 09:16:48.381669 hostname.domainname 10.0.4.6 TCP microsoft-ds > dx-instrument [SYN, ACK] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
Frame 23829 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 0, Ack: 0, Len: 0
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 0 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 28 bytes
Flags: 0x12 (SYN, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 16384
Checksum: 0x5178 [correct]
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted
No. Time Source Destination Protocol Info
23830 2009-07-14 09:16:48.381670 hostname.domainname 10.0.4.6 ICMP Echo (ping) reply
Frame 23830 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0 ()
Checksum: 0xc65d [correct]
Identifier: 0x0200
Sequence number: 36608 (0x8f00)
Data (32 bytes)
0000 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 ABCDEFGHIJKLMNOP
0010 51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49 QRSTUVWABCDEFGHI
Data: 4142434445464748494A4B4C4D4E4F505152535455565741...
No. Time Source Destination Protocol Info
23831 2009-07-14 09:16:48.381921 hostname.domainname 10.0.4.6 SMB Negotiate Protocol Response
Frame 23831 (245 bytes on wire, 245 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 1, Ack: 137, Len: 191
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 1 (relative sequence number)
[Next sequence number: 192 (relative sequence number)]
Acknowledgement number: 137 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65398
Checksum: 0x0cc7 [correct]
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Negotiate Protocol Response (0x72)
Word Count (WCT): 17
Dialect Index: 5, greater than LANMAN2.1
Security Mode: 0x0f
Max Mpx Count: 50
Max VCs: 1
Max Buffer Size: 16644
Max Raw Buffer: 65536
Session Key: 0x00000000
Capabilities: 0x8001f3fd
System Time: Jul 14, 2009 09:16:51.934035400
Server Time Zone: -120 min from UTC
Key Length: 0
Byte Count (BCC): 118
Server GUID: 3C728C9B734339428EB1B6E6BEC29EBC
Security Blob: 606406062B0601050502A05A3058A030302E06092A864882...
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
SPNEGO
negTokenInit
mechTypes: 4 items
mechListMIC: 3022A0201B1E66696C65736572766572244054524144494E...
principal: hostname$@domainname
No. Time Source Destination Protocol Info
23832 2009-07-14 09:16:48.382668 hostname.domainname 10.0.4.6 TCP microsoft-ds > dx-instrument [ACK] Seq=192 Ack=2833 Win=65535 Len=0
Frame 23832 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 192, Ack: 2833, Len: 0
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 192 (relative sequence number)
Acknowledgement number: 2833 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xb26c [correct]
No. Time Source Destination Protocol Info
23833 2009-07-14 09:16:48.383667 hostname.domainname 10.0.4.6 SMB Session Setup AndX Response
Frame 23833 (403 bytes on wire, 403 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 192, Ack: 2833, Len: 349
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 192 (relative sequence number)
[Next sequence number: 541 (relative sequence number)]
Acknowledgement number: 2833 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0x7ac4 [correct]
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Session Setup AndX Response (0x73)
Word Count (WCT): 4
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 345
Action: 0x0000
Security Blob Length: 162
Byte Count (BCC): 302
Security Blob: A1819F30819CA0030A0100A10B06092A864882F712010202...
GSS-API Generic Security Service Application Program Interface
SPNEGO
negTokenTarg
Native OS: Windows Server 2003 R2 3790 Service Pack 1
Native LAN Manager: Windows Server 2003 R2 5.2
No. Time Source Destination Protocol Info
23834 2009-07-14 09:16:48.383917 hostname.domainname 10.0.4.6 SMB Tree Connect AndX Response
Frame 23834 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 541, Ack: 2961, Len: 60
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 541 (relative sequence number)
[Next sequence number: 601 (relative sequence number)]
Acknowledgement number: 2961 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65407
Checksum: 0x4e43 [correct]
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Tree Connect AndX Response (0x75)
Word Count (WCT): 7
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 56
Optional Support: 0x0001
Word parameter: 0x01ff
Word parameter: 0x0000
Word parameter: 0x01ff
Word parameter: 0x0000
Byte Count (BCC): 7
Service: IPC
Extra byte parameters
No. Time Source Destination Protocol Info
23835 2009-07-14 09:16:48.384417 hostname.domainname 10.0.4.6 SMB Trans2 Response<unknown>
Frame 23835 (254 bytes on wire, 254 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 601, Ack: 3037, Len: 200
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 601 (relative sequence number)
[Next sequence number: 801 (relative sequence number)]
Acknowledgement number: 3037 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65331
Checksum: 0x1aee [correct]
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Trans2 Response (0x32)
Subcommand: <UNKNOWN> since request packet wasn't seen
Word Count (WCT): 10
Total Parameter Count: 0
Total Data Count: 140
Reserved: 0000
Parameter Count: 0
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 140
Data Offset: 56
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 141
Padding: 00
Unknown Transaction2 Data
No. Time Source Destination Protocol Info
23836 2009-07-14 09:16:48.386916 hostname.domainname 10.0.4.6 SMB Trans2 Response<unknown>
Frame 23836 (258 bytes on wire, 258 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 801, Ack: 3151, Len: 204
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 801 (relative sequence number)
[Next sequence number: 1005 (relative sequence number)]
Acknowledgement number: 3151 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65217
Checksum: 0xb727 [correct]
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Trans2 Response (0x32)
Subcommand: <UNKNOWN> since request packet wasn't seen
Word Count (WCT): 10
Total Parameter Count: 0
Total Data Count: 144
Reserved: 0000
Parameter Count: 0
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 144
Data Offset: 56
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 145
Padding: 00
Unknown Transaction2 Data
No. Time Source Destination Protocol Info
23837 2009-07-14 09:16:48.387166 hostname.domainname 10.0.4.6 SMB Trans2 Response<unknown>
Frame 23837 (204 bytes on wire, 204 bytes captured)
Ethernet II, Src: hostname.domainname (00:18:71:08:a3:1d), Dst: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Destination: Belkin_0a:c5:3a (00:17:3f:0a:c5:3a)
Source: hostname.domainname (00:18:71:08:a3:1d)
Type: IP (0x0800)
Internet Protocol, Src: hostname.domainname (10.0.4.50), Dst: 10.0.4.6 (10.0.4.6)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: dx-instrument (1325), Seq: 1005, Ack: 3249, Len: 150
Source port: microsoft-ds (445)
Destination port: dx-instrument (1325)
Sequence number: 1005 (relative sequence number)
[Next sequence number: 1155 (relative sequence number)]
Acknowledgement number: 3249 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65119
Checksum: 0x6518 [correct]
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Trans2 Response (0x32)
Subcommand: <UNKNOWN> since request packet wasn't seen
Word Count (WCT): 10
Total Parameter Count: 0
Total Data Count: 90
Reserved: 0000
Parameter Count: 0
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 90
Data Offset: 56
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 91
Padding: 00
Unknown Transaction2 Data
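Added example (not code from the original post or from Wireshark). Every unicast frame in the dump above runs from 00:18:71:08:a3:1d (10.0.4.50) to 00:17:3f:0a:c5:3a (10.0.4.6) and none comes back the other way; the display filter `eth.src == 00:17:3f:0a:c5:3a` would match nothing. The usual reason for that pattern on a switched segment is unknown-unicast flooding: a learning switch fills its address table from the source field of the frames it receives and forwards a unicast frame to a single port only when the destination MAC is in that table; when the destination is unknown (never learned, aged out, or pushed out of a full table) it floods the frame to every other port in the VLAN, exactly as it does a broadcast. A third port then sees all traffic towards the MAC the switch does not know and nothing towards the MACs it does, which is consistent with seeing 10.0.4.50's replies but never 10.0.4.6's requests. The Python below models that behaviour with a three-port switch and replays a constructed version of the first four frames; `one_way_peers()` is the check to run over a capture to find destination MACs that never appear as a source. The port numbers, the sniffer's MAC and the frame labels are assumptions made for the example; the two host MACs and addresses are the ones in the dump.

```python
"""Learning-switch model for the one-way capture above.

Added example, not code from the original post or from Wireshark.  Port
numbers, the sniffer's MAC and the frame labels are constructed for the
example; the two host MACs and addresses are the ones in the dump.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "00:18:71:08:a3:1d"    # 10.0.4.50, whose frames the sniffer sees
HOST_B = "00:17:3f:0a:c5:3a"    # 10.0.4.6, whose frames it never sees
SNIFFER = "02:00:00:00:00:26"   # constructed MAC for 10.0.4.26

# Constructed replay of the first four frames of the dump: (src, dst, label).
CAPTURE = [
    (HOST_A, BROADCAST, "ARP who-has 10.0.4.6"),
    (HOST_A, HOST_B, "ICMP echo reply"),
    (HOST_A, HOST_B, "TCP 445 > 1325 [SYN, ACK]"),
    (HOST_A, HOST_B, "SMB Negotiate Protocol Response"),
]


class LearningSwitch:
    """Minimal 802.1D-style transparent bridge: learn on source, flood on miss."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}     # mac -> port; ageing is ignored in this model
        self.flooded = []       # unicast (src, dst) pairs that had to be flooded

    def forward(self, in_port, src, dst):
        """Return the egress ports for one frame, learning src on the way."""
        self.mac_table[src] = in_port                 # learn / refresh source
        if dst != BROADCAST and dst in self.mac_table:
            return {self.mac_table[dst]} - {in_port}  # known unicast: one port
        if dst != BROADCAST:
            self.flooded.append((src, dst))           # unknown unicast
        return self.ports - {in_port}                 # flood like a broadcast


def simulate():
    """Replay CAPTURE through a three-port switch with the sniffer on port 3.

    Returns (seen_before, seen_after): frame labels delivered to port 3 while
    HOST_B is absent from the MAC table, and again after HOST_B has sent one
    frame of its own so the switch knows which port it is on.
    """
    sw = LearningSwitch(ports=[1, 2, 3])
    port_of = {HOST_A: 1, HOST_B: 2, SNIFFER: 3}

    seen_before = [label for src, dst, label in CAPTURE
                   if 3 in sw.forward(port_of[src], src, dst)]

    # A single frame *from* HOST_B is enough to populate the table entry ...
    sw.forward(port_of[HOST_B], HOST_B, HOST_A)
    # ... after which only the broadcast ARP still reaches the sniffer port.
    seen_after = [label for src, dst, label in CAPTURE
                  if 3 in sw.forward(port_of[src], src, dst)]
    return seen_before, seen_after


def one_way_peers(frames):
    """Destination MACs that never appear as a source in the frame list.

    On an ordinary (non-mirror) switch port, unicast frames to such a MAC can
    only have reached the sniffer because the switch flooded them, which is the
    fingerprint of a missing address-table entry.  Returns {mac: frame_count}.
    """
    sources = {src for src, _dst, _label in frames}
    counts = defaultdict(int)
    for _src, dst, _label in frames:
        if dst != BROADCAST and dst not in sources:
            counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    before, after = simulate()
    print("sniffer sees while 10.0.4.6 is unknown:", before)
    print("sniffer sees once 10.0.4.6 is learned:  ", after)
    print("destination-only MACs in the capture:   ", one_way_peers(CAPTURE))
```

The same check without code is Wireshark's Statistics > Conversations window, Ethernet tab: a MAC pair with packets in one direction only is the flooding signature. Unknown-unicast flooding is also what a CAM-table flooding attack produces deliberately to let a sniffer see other stations' sessions, so an unexpected one-way view like this one is a reason to look at the switch's MAC address table for 00:17:3f:0a:c5:3a rather than just at the capture.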
- Follow-Ups:
- Re: [Wireshark-users] TCP / SMB Broadcast?
- From: Guy Harris
- Re: [Wireshark-users] TCP / SMB Broadcast?
- From: Chad Dailey
- Re: [Wireshark-users] TCP / SMB Broadcast?
- From: Sake Blok
- Re: [Wireshark-users] TCP / SMB Broadcast?
- From: Hansang Bae
- Re: [Wireshark-users] TCP / SMB Broadcast?