Stanley.Hopcroft@ipaustralia.gov.au wrote:
>
> Dear Ladies and Gentlemen,
>
> I am writing to ask your help using Mr Tridgell's tcpdump-smb
> (ftp:samba.anu.ed.au/pub/samba/tcpdump-smb/tcpdump-3.2.1.tar.gz).
>
> My problem is that it appears to erroneously report very long packets
> that it identifies as SMBError = ERROR: Unknown error (32,37233) and
> then displays a huge amount of data eg
>

This version has problems with non-IP traffic, e.g. NetBEUI or IPX. It incorrectly determines start and length of data in such a package. Most probably, you hit this problem. Do you run protocols other than IP on your network?

I once had a patch to it, but lost it after a crash :-( Since then, never had time to debug it again ...

cheers
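The reply above attributes the bogus output to payload start and length being computed wrongly for non-IP frames. As an added example (not code from tcpdump-smb or from either poster), here is the kind of check a decoder needs before handing bytes to an SMB printer: confirm the frame is IPv4/TCP and clamp the claimed length to what was actually captured. The function names, error codes and both sample frames are constructed for illustration, and plain Ethernet framing without VLAN tags is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PAY_TRUNC = -1, PAY_NOT_IP = -2, PAY_BAD_HDR = -3, PAY_NOT_TCP = -4 };

/* Locate the TCP payload of a captured Ethernet frame. caplen is the number
 * of bytes actually captured. Returns the payload length (>= 0) and sets
 * *data, or a negative PAY_* code; it never reports bytes past caplen. */
long tcp_payload(const uint8_t *f, size_t caplen, const uint8_t **data)
{
    if (caplen < 14) return PAY_TRUNC;
    /* Anything but EtherType IPv4 (e.g. an 802.3 length field in front of
     * LLC/NetBEUI, or IPX) is rejected instead of being parsed as IP. */
    if (f[12] != 0x08 || f[13] != 0x00) return PAY_NOT_IP;

    const uint8_t *ip = f + 14;
    size_t avail = caplen - 14;
    if (avail < 20) return PAY_TRUNC;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = (size_t)ip[2] << 8 | ip[3];
    if (ip[0] >> 4 != 4 || ihl < 20 || tot < ihl) return PAY_BAD_HDR;
    if (ip[9] != 6) return PAY_NOT_TCP;
    if (tot > avail) tot = avail;        /* clamp claimed length to capture */
    if (tot < ihl + 20) return PAY_TRUNC;

    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return PAY_BAD_HDR;
    *data = tcp + doff;
    return (long)(tot - ihl - doff);
}

/* Constructed samples: an IPv4/TCP frame with a 4-byte payload, and an
 * 802.3 frame whose type/length field is a length followed by LLC bytes. */
static const uint8_t ip_frame[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,0x2C, 0,0,0,0, 0x40,6,0,0, 10,0,0,1, 10,0,0,2,
    0x04,0x00,0,0x8B, 0,0,0,1, 0,0,0,1, 0x50,0x18,0x20,0, 0,0,0,0,
    0xFF,'S','M','B' };
static const uint8_t llc_frame[] = {
    3,0,0,0,0,1, 2,0,0,0,0,2, 0x00,0x04, 0xF0,0xF0,0x03,0x2C };

/* Convenience wrapper for callers that only need the length or error code. */
long payload_len(const uint8_t *f, size_t n)
{ const uint8_t *p; return tcp_payload(f, n, &p); }

int main(void) {
    printf("ip frame:   %ld\n", payload_len(ip_frame, sizeof ip_frame));
    printf("short snap: %ld\n", payload_len(ip_frame, sizeof ip_frame - 2));
    printf("llc frame:  %ld\n", payload_len(llc_frame, sizeof llc_frame));
    return 0;
}
```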
Dear Ladies and Gentlemen,

I am writing to ask your help using Mr Tridgell's tcpdump-smb (ftp:samba.anu.ed.au/pub/samba/tcpdump-smb/tcpdump-3.2.1.tar.gz).

My problem is that it appears to erroneously report very long packets that it identifies as SMBError = ERROR: Unknown error (32,37233) and then displays a huge amount of data eg

[000] 22 BF 2B 00 00 00 00 00 00 00 00 0B 01 58 FE 2A ".+..... .....X.*
[010] 35 EA 5F 0A 00 44 00 00 00 5B 00 00 00 12 00 00 5._..D.. .[......
[020] 00 01 01 02 82 00 E0 B0 E2 6D B9 08 00 45 00 00 ........ .m...E..
[030] 4D BA 00 00 00 FE 11 14 F9 C0 A8 6A FE C0 03 01 M....... ...j....
[040] FC 00 A1 10 47 00 39 BF FD 30 2F 02 01 00 04 06 ....G.9. .0/.....
[050] 70 75 62 6C 69 63 A2 22 02 04 01 E9 30 91 02 01 public." ....0...
[060] 00 02 01 90 90 58 FE 2A 35 63 D4 0C 00 44 00 00 .....X.* 5c...D..
[070] 00 56 00 00 00 12 00 01 00 5E 00 00 05 00 00 0C .V...... .^......
[080] 00 F3 4F 08 00 45 C0 00 48 00 00 00 00 01 59 17 ..O..E.. H.....Y.
[090] 94 C0 03 01 01 E0 00 00 05 02 01 00 34 C0 03 10 ........ ....4...
[0A0] C0 00 00 00 00 BA 2A 00 00 00 00 00 00 00 00 00 ......*. ........
[0B0] 00 FF FF FF 00 00 0A 02 01 00 00 55 C0 58 FE 2A ........ ...U.X.*
[0C0] 35 97 C4 0D 00 3D 00 00 00 3D 00 00 00 12 00 03 5....=.. .=......
[0D0] 00 00 00 00 01 00 00 6F 14 B6 99 00 2F F0 F0 03 .......o ..../...
[0E0] 2C 00 FF EF 03 01 6E 01 00 00 2C F3 00 00 00 00 ,.....n. ..,.....
[0F0] 00 00 00 00 00 00 88 11 45 37 00 40 00 00 00 00 ........ E7.@....
[100] 00 00 00 00 00 00 99 6D 28 F6 00 00 DC 58 FE 2A .......m (....X.*
[110] 35 20 DB 0D 00 3C 00 00 00 3C 00 00 00 12 00 01 5 ...<.. .<......
[120] 80 C2 00 00 00 00 C0 1D B4 8D FD 00 26 42 42 03 ........ ....&BB.

This appears to contain at least some data for a UDP SNMP packet (protocol 0x11 and port 0xa1).

The results are the same when tcpdump is linked with libpcap-0.2.1 supplied with the distribution and also the pcap library supplied with the last tcpdump distribution (libpcap-0.4a6).

This network contains NT servers and hence the SMB-NT commands that this product does not deal with.

Thank you very much,

Yours sincerely

S Hopcroft
IP Australia
shopcroft@IPAustralia.gov.au