> with path names that make no sense IE -   ?\200????    @@???\217         @@????
  
Perhaps not in the English character set; these may just be Chinese or some other Asian language, and the logs don't understand that language type or are not Unicode. Certainly 200???? looks like a date to me.
  
-Chris 
  
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser
Sent: 12 September 2009 03:20
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] ODD SMB packets
  
Tim, 
 
I think, if you have responsibility for solving the problem, you are going to need to know more about how it is set up. Also, if you can capture at the client end (preferably from a port-mirrored switch or even the client itself) you will get a much better idea of whether delays or protocol issues are occurring (from the point of view of the client).
 
 
Regards, Martin 
 
MartinVisser99@xxxxxxxxx 
 
 
On Sat, Sep 12, 2009 at 11:57 AM, <Tim.Poth@xxxxxxxxxxx> wrote:
Thanks for the reply,
1. This should be normal SMB traffic from a Win XP client to a 2008 server.
2. The capture was from somewhere in between, but I have no idea what's on their network. I have guessed WAN accelerator, but they will not answer that question.
Thanks for your help,
Tim
________________________________ 
From: wireshark-users-bounces@xxxxxxxxxxxxx [wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser [martinvisser99@xxxxxxxxx]
Sent: Friday, September 11, 2009 7:59 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] ODD SMB packets
 
Haven't seen these before, but I would have two questions:

1. Is this traffic resulting from normal file sharing activity or some other application that uses SMB as a protocol?
2. If you are not capturing directly at the client or server, is there some packet mangling appliance (especially a WAN accelerator) between your packet capture and the client or server?
 
Regards, Martin 
 
MartinVisser99@xxxxxxxxx
 
 
On Thu, Sep 10, 2009 at 2:23 AM, <Tim.Poth@xxxxxxxxxxx> wrote:
I am looking at a performance issue for a customer and looking at some SMB traffic with path names that make no sense, i.e. ?\200????    @@???\217         @@???? (best I can tell there are no "real" paths in the whole capture).
In looking at the "Query_Path_Info" Parameters I see the reserved field is set to 0x03534E46, or SNF text (see below); best I understand, this field should be 0, so how did it get populated? SNF could be Cisco SNF; however, I have no way of confirming.
Any thoughts? Anyone seen something like this before?
 
Thanks 
Tim 
 
 
 
 
No.     Delta       Time             Source          Destination       Protocol Info
   441  0.231000    12:47:03.954000  10.93.184.182   10.116.176.129    SMB      Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: ?\200????
 
Frame 441 (224 bytes on wire, 224 bytes captured) 
   Arrival Time: Sep  4, 2009 12:47:03.954000000 
   [Time delta from previous captured frame: 0.009000000 seconds] 
   [Time delta from previous displayed frame: 0.231000000 seconds] 
   [Time since reference or first frame: 13.799000000 seconds] 
   Frame Number: 441 
   Frame Length: 224 bytes 
   Capture Length: 224 bytes 
   [Frame is marked: False] 
   [Protocols in frame: eth:ip:tcp:nbss:smb] 
   [Coloring Rule Name: SMB] 
   [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Ibm_78:bc:c0 (00:1a:64:78:bc:c0), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
   Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
       Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
       .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
   Source: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)
       Address: Ibm_78:bc:c0 (00:1a:64:78:bc:c0)
       .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
   Type: IP (0x0800) 
   Frame check sequence: 0x6bff8010 [incorrect, should be 0xf7b79332] 
Internet Protocol, Src: 10.93.184.182 (10.93.184.182), Dst: 10.116.176.129 (10.116.176.129)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x28 (DSCP 0x0a: Assured Forwarding 11; ECN: 0x00)
       0010 10.. = Differentiated Services Codepoint: Assured Forwarding 11 (0x0a)
       .... ..0. = ECN-Capable Transport (ECT): 0 
       .... ...0 = ECN-CE: 0 
   Total Length: 206 
   Identification: 0x02c6 (710) 
   Flags: 0x04 (Don't Fragment) 
       0... = Reserved bit: Not set 
       .1.. = Don't fragment: Set 
       ..0. = More fragments: Not set 
   Fragment offset: 0 
   Time to live: 120 
   Protocol: TCP (0x06) 
   Header checksum: 0x8133 [correct] 
       [Good: True] 
       [Bad : False] 
   Source: 10.93.184.182 (10.93.184.182) 
   Destination: 10.116.176.129 (10.116.176.129) 
Transmission Control Protocol, Src Port: index-pc-wb (2127), Dst Port: netbios-ssn (139), Seq: 3157, Ack: 3189, Len: 166
   Source port: index-pc-wb (2127)
   Destination port: netbios-ssn (139)
   [Stream index: 1]
   Sequence number: 3157    (relative sequence number)
   [Next sequence number: 3323    (relative sequence number)]
   Acknowledgement number: 3189    (relative ack number) 
   Header length: 20 bytes 
   Flags: 0x18 (PSH, ACK) 
       0... .... = Congestion Window Reduced (CWR): Not set 
       .0.. .... = ECN-Echo: Not set 
       ..0. .... = Urgent: Not set 
       ...1 .... = Acknowledgement: Set 
       .... 1... = Push: Set 
       .... .0.. = Reset: Not set 
       .... ..0. = Syn: Not set 
       .... ...0 = Fin: Not set 
   Window size: 63788 
   Checksum: 0xeb3b [validation disabled] 
       [Good Checksum: False] 
       [Bad Checksum: False] 
   [SEQ/ACK analysis] 
       [Number of bytes in flight: 166] 
NetBIOS Session Service 
   Message Type: Session message 
   Flags: 0x00 
       .... ...0 = Add 0 to length 
   Length: 162 
SMB (Server Message Block Protocol) 
   SMB Header 
       Server Component: SMB 
       [Response in: 442] 
       SMB Command: Trans2 (0x32) 
       NT Status: STATUS_SUCCESS (0x00000000) 
       Flags: 0x18 
           0... .... = Request/Response: Message is a request to the server
           .0.. .... = Notify: Notify client only on open
           ..0. .... = Oplocks: OpLock not requested/granted
           ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
           .... 1... = Case Sensitivity: Path names are caseless
           .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
           .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
       Flags2: 0xc807
           1... .... .... .... = Unicode Strings: Strings are Unicode
           .1.. .... .... .... = Error Code Type: Error codes are NT error codes
           ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
           ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
           .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
           .... .... .0.. .... = Long Names Used: Path names in request are not long file names
           .... .... .... .1.. = Security Signatures: Security signatures are supported
           .... .... .... ..1. = Extended Attributes: Extended attributes are supported
           .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
       Process ID High: 0 
       Signature: D7D4BAC936AE62C5 
       Reserved: 0000 
       Tree ID: 2048 
       Process ID: 3908 
       User ID: 2048 
       Multiplex ID: 10305 
   Trans2 Request (0x32) 
       Word Count (WCT): 15 
       Total Parameter Count: 94 
       Total Data Count: 0 
       Max Parameter Count: 2 
       Max Data Count: 40 
       Max Setup Count: 0 
       Reserved: 00 
       Flags: 0x0000 
           .... .... .... ..0. = One Way Transaction: Two way transaction
           .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
       Timeout: Return immediately (0) 
       Reserved: 0000 
       Parameter Count: 94 
       Parameter Offset: 68 
       Data Count: 0 
       Data Offset: 0 
       Setup Count: 1 
       Reserved: 00 
       Subcommand: QUERY_PATH_INFO (0x0005) 
       Byte Count (BCC): 97 
       Padding: 000000 
       QUERY_PATH_INFO Parameters 
           Level of Interest: Query File Basic Info (1004)
           Reserved: 03534E46
           File Name: ?\200????
           Unknown Data: 0008010600000000FFFF1A002200FFFFFFFF000000003092...
 
0000  00 00 0c 07 ac 01 00 1a 64 78 bc c0 08 00 45 28   ........dx....E(
0010  00 ce 02 c6 40 00 78 06 81 33 0a 5d b8 b6 0a 74   ....@.x..3.]...t
0020  b0 81 08 4f 00 8b 35 1f 08 53 27 07 b3 4b 50 18   ...O..5..S'..KP.
0030  f9 2c eb 3b 00 00 00 00 00 a2 ff 53 4d 42 32 00   .,.;.......SMB2.
0040  00 00 00 18 07 c8 00 00 d7 d4 ba c9 36 ae 62 c5   ............6.b.
0050  00 00 00 08 44 0f 00 08 41 28 0f 5e 00 00 00 02   ....D...A(.^....
0060  00 28 00 00 00 00 00 00 00 00 00 00 00 5e 00 44   .(...........^.D
0070  00 00 00 00 00 01 00 05 00 61 00 00 00 00 ec 03   .........a......
0080  03 53 4e 46 ee 05 80 00 06 01 34 12 48 5a 04 1d   .SNF......4.HZ..
0090  00 00 00 08 01 06 00 00 00 00 ff ff 1a 00 22 00   ..............".
00a0  ff ff ff ff 00 00 00 00 30 92 05 1e 30 92 a5 98   ........0...0...
00b0  00 1a 64 78 bc c0 00 16 9c 1b cc 00 08 00 45 00   ..dx..........E.
00c0  05 dc 85 35 40 00 2a 06 79 0a 62 a0 a3 49 0a 7a   ...5@.*.y.b..I.z
00d0  3c 79 17 0c d5 85 7d 4f 83 6c 81 8f 6b ff 80 10   <y....}O.l..k...
 
 
___________________________________________________________________________ 
 
 
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>

             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
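As an added example that is not part of the thread (my code, written against the MS-CIFS layout of the SMB header, the SMB_COM_TRANSACTION2 request and the TRANS2_QUERY_PATH_INFORMATION parameters, not anything from Wireshark), the Python below decodes frame 441 straight from the hex dump in Tim's mail, so the frame bytes are the post's own rather than constructed. Reading the bytes directly: InformationLevel is 1004, the four Reserved bytes are 03 53 4E 46 (Wireshark prints them in byte order as 03534E46; as the little-endian ULONG the spec defines they are 0x464E5303), and the file name is six UTF-16LE code units (U+05EE, U+0080, U+0106, U+1234, U+5A48, U+1D04) that Wireshark can only render as ?\200????. The code also does the check that Martin's "packet mangling appliance" question calls for: it verifies the IPv4 header checksum and scans the whole frame for any other EtherType 0x0800 followed by an IPv4 header whose checksum verifies. In this dump that turns up a second, checksum-correct IPv4 header at frame offset 0xbe, inside the SMB parameter bytes, preceded at 0xb0 by six bytes equal to this frame's own source MAC (00:1a:64:78:bc:c0) and a second source MAC, 00:16:9c:1b:cc:00. Together with the frame check sequence Wireshark reports as incorrect, that is consistent with bytes from another frame landing in this one somewhere on the capture path, which is a reason to capture at the client before reading anything into the SNF bytes.

```python
"""Decode frame 441 from the post (Trans2 QUERY_PATH_INFO over NBSS/TCP/IPv4)."""
import struct

# Frame 441 exactly as printed in the hex dump of the original mail (224 bytes).
FRAME = bytes.fromhex("""
00 00 0c 07 ac 01 00 1a 64 78 bc c0 08 00 45 28  00 ce 02 c6 40 00 78 06 81 33 0a 5d b8 b6 0a 74
b0 81 08 4f 00 8b 35 1f 08 53 27 07 b3 4b 50 18  f9 2c eb 3b 00 00 00 00 00 a2 ff 53 4d 42 32 00
00 00 00 18 07 c8 00 00 d7 d4 ba c9 36 ae 62 c5  00 00 00 08 44 0f 00 08 41 28 0f 5e 00 00 00 02
00 28 00 00 00 00 00 00 00 00 00 00 00 5e 00 44  00 00 00 00 00 01 00 05 00 61 00 00 00 00 ec 03
03 53 4e 46 ee 05 80 00 06 01 34 12 48 5a 04 1d  00 00 00 08 01 06 00 00 00 00 ff ff 1a 00 22 00
ff ff ff ff 00 00 00 00 30 92 05 1e 30 92 a5 98  00 1a 64 78 bc c0 00 16 9c 1b cc 00 08 00 45 00
05 dc 85 35 40 00 2a 06 79 0a 62 a0 a3 49 0a 7a  3c 79 17 0c d5 85 7d 4f 83 6c 81 8f 6b ff 80 10
""")


def ipv4_checksum_ok(header: bytes) -> bool:
    """RFC 791: the ones-complement sum of a valid header, checksum field included, is 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header[: len(header) & ~1]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_trans2_query_path_info(frame: bytes) -> dict:
    """Walk Ethernet/IPv4/TCP/NBSS/SMB and return the QUERY_PATH_INFO request parameters."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                  # bytes past Total Length are not part of the datagram
    payload = tcp[(tcp[12] >> 4) * 4:]
    # NetBIOS Session Service header: type(1) flags(1) length(2); flags bit 0 extends the length
    nbss_len = ((payload[1] & 1) << 16) | struct.unpack("!H", payload[2:4])[0]
    smb = payload[4:4 + nbss_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("no SMB header")
    command, flags2 = smb[4], struct.unpack("<H", smb[10:12])[0]
    tid, pid, uid, mid = struct.unpack("<HHHH", smb[24:32])
    if command != 0x32 or smb[32] != 15:      # SMB_COM_TRANSACTION2 request has WCT 15
        raise ValueError("not a Trans2 request")
    # 14 parameter words plus one setup word (the Trans2 subcommand), all little-endian
    (_tpc, _tdc, _mpc, _mdc, _msc, _r1, _tflags, _timeout, _r2, param_count, param_offset,
     _dc, _do, _setup_count, _r3, subcommand) = struct.unpack("<HHHHBBHIHHHHHBBH", smb[33:63])
    params = smb[param_offset:param_offset + param_count]   # offset counts from the SMB header
    level = struct.unpack("<H", params[0:2])[0]
    reserved = params[2:6]                   # spec: Reserved (ULONG), Wireshark prints bytes in order
    if not flags2 & 0x8000:
        raise ValueError("example handles Unicode (UTF-16LE) file names only")
    end = 6                                  # SMB_STRING: UTF-16LE code units up to a 2-byte NUL
    while end + 1 < len(params) and params[end:end + 2] != b"\x00\x00":
        end += 2
    path = params[6:end].decode("utf-16-le")
    return {
        "ip_checksum_ok": ipv4_checksum_ok(ip[:ihl]),
        "smb_command": command, "flags2": flags2,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "subcommand": subcommand, "param_count": param_count,
        "level_of_interest": level,
        "reserved": reserved,
        "reserved_as_ulong_le": struct.unpack("<I", reserved)[0],
        "path": path,
        "path_code_points": [ord(c) for c in path],
        "trailing": params[end + 2:],        # what Wireshark labels "Unknown Data"
    }


def find_ipv4_headers(frame: bytes) -> list:
    """Scan the whole frame for EtherType 0x0800 followed by an IPv4 header whose checksum verifies."""
    hits = []
    for i in range(len(frame) - 22):
        if frame[i:i + 2] != b"\x08\x00" or frame[i + 2] >> 4 != 4:
            continue
        ihl = (frame[i + 2] & 0x0F) * 4
        hdr = frame[i + 2:i + 2 + ihl]
        if ihl < 20 or len(hdr) != ihl or not ipv4_checksum_ok(hdr):
            continue
        hits.append({
            "offset": i + 2,                                        # frame offset of the IPv4 header
            "eth_dst": frame[i - 12:i - 6] if i >= 12 else b"",     # 6 bytes where a dst MAC would sit
            "src": ".".join(str(b) for b in hdr[12:16]),
            "dst": ".".join(str(b) for b in hdr[16:20]),
            "total_length": struct.unpack("!H", hdr[2:4])[0],
            "protocol": hdr[9],
        })
    return hits


if __name__ == "__main__":
    r = parse_trans2_query_path_info(FRAME)
    print("IPv4 header checksum ok:", r["ip_checksum_ok"])
    print("subcommand 0x%04x, level %d, reserved %s" % (r["subcommand"], r["level_of_interest"], r["reserved"].hex()))
    print("path code points:", [hex(cp) for cp in r["path_code_points"]])
    for h in find_ipv4_headers(FRAME):
        print("IPv4 header at 0x%02x: %s -> %s, total length %d" % (h["offset"], h["src"], h["dst"], h["total_length"]))
```

Run it as a script to print the decoded fields. The scan deliberately requires a verifying IPv4 checksum, so a chance 08 00 45 byte pattern in file data does not count; a header that passes that test inside what the SMB layer says is a path name is worth explaining before the SMB field values are.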
 
  
 