Just a guess. The user's virus scanner decided to scan your server.

On 7/16/12, Ludovic Rouse-Lamarre <ludovic.rouse-lama...@xyzcivitas.com> wrote:
> Hello,
>
> Last week I have detected with Zabbix that a member of my Samba domain
> had been downloading at a rate of around 8 Mbps for two days and a half.
> When asking the person to whom belonged the machine, he didn't know he
> was downloading anything but he said he had observed his machine had
> slowed down since then. I took a tcpdump of the traffic before
> terminating his session on Windows XP. I checked and there wasn't any
> large amount of data on his hard drive as the total drive capacity was
> 80GiB and there was 30GiB free. One of the oddities for me was that the
> bandwidth was being consumed through port tcp 139 of the Samba machine.
> Normally data is downloaded on port tcp 445. Another oddity is that when
> I put together some of the names in the trace from tcpdump, I can
> reconstitute names of files on the server. Unless I'm mistaken this type
> of information shouldn't be circulating on port 139?
>
> Here is the version of Samba:
> Samba version 3.4.9
>
> Here is a sample of the trace from tcpdump:
> 17:46:35.838212 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123157, win 65535, length 1239 NBT Session Packet: Unknown packet type 0x38Data: (41 bytes)
> [000] D5 F1 4E 73 4E 02 00 00 FB 04 00 00 2E 00 00 00  \0xd5\0xf1NsN\0x02\0x00\0x00 \0xfb\0x04\0x00\0x00.\0x00\0x00\0x00
> [010] 00 00 00 00 01 00 00 00 00 00 64 40 43 32 32 30  \0x00\0x00\0x00\0x00\0x01\0x00\0x00\0x00 \0x00\0x00d@C220
> [020] 30 38 2D 30 37 2D 32 33 5F  08-07-23 _
>
> 17:46:35.842050 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7980391, win 65535, length 0
> 17:46:35.842313 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7981630, win 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.842446 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length 1460 NBT Session Packet: Session Message
> 17:46:35.842460 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x70Data: (41 bytes)
> [000] 63 50 4B 01 02 14 0B 14 00 00 00 08 00 80 96 F7  cPK\0x01\0x02\0x14\0x0b\0x14 \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7
> [010] 38 63 04 52 FB 4E 02 00 00 FB 04 00 00 2E 00 00  8c\0x04R\0xfbN\0x02\0x00 \0x00\0xfb\0x04\0x00\0x00.\0x00\0x00
> [020] 00 00 00 00 00 01 00 00 00  \0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00 \0x00
>
> 17:46:35.842472 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123220, win 65535, length 1239 NBT Session Packet: Session Message
> 17:46:35.846333 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7984550, win 65535, length 0
> 17:46:35.846580 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7985789, win 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.846692 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length 1460 NBT Session Packet: Session Message
> 17:46:35.846701 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x12Data: (41 bytes)
> [000] 01 00 0B 14 01 00 32 00 00 00 00 00 00 00 00 00  \0x01\0x00\0x0b\0x14\0x01\0x002\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
> [010] 00 00 00 00 40 A6 59 32 32 30 30 38 2D 30 37 2D  \0x00\0x00\0x00\0x00@\0xa6Y2 2008-07-
> [020] 32 33 5F 4C 31 2F 53 68 65  23_L1/Sh e
>
> 17:46:35.846707 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123283, win 65535, length 1239 NBT Session Packet: Unknown packet type 0x66Data: (41 bytes)
> [000] 6F 72 64 2F 41 4C 5F 33 39 5F 34 31 33 5F 38 37  ord/AL_3 9_413_87
> [010] 38 5F 30 30 31 5F 41 66 69 63 68 43 70 63 2E 68  8_001_Af ichCpc.h
> [020] 74 6D 50 4B 01 02 14 0B 14  tmPK\0x01\0x02\0x14\0x0b \0x14
>
> 17:46:35.850610 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7988709, win 65535, length 0
> 17:46:35.850826 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7989948, win 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.850954 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length 1460 NBT Session Packet: Session Message
> 17:46:35.850968 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x30Data: (41 bytes)
> [000] 30 38 2D 30 37 2D 32 33 5F 4C 31 2F 53 68 65 66  08-07-23 _L1/Shef
> [010] 66 6F 72 64 2F 41 4C 5F 33 39 5F 34 31 34 5F 33  ford/AL_ 39_414_3
> [020] 35 30 5F 30 30 31 5F 41 66  50_001_A f
>
> 17:46:35.850974 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123346, win 65535, length 1239 NBT Session Packet: Unknown packet type 0x6EData: (41 bytes)
> [000] 61 76 67 74 2E 68 74 6D 50 4B 01 02 14 0B 14 00  avgt.htm PK\0x01\0x02\0x14\0x0b\0x14\0x00
> [010] 00 00 08 00 80 96 F7 38 D4 24 0A F9 18 01 00 00  \0x00\0x00\0x08\0x00\0x80\0x96\0xf78 \0xd4$\0x0a\0xf9\0x18\0x01\0x00\0x00
> [020] 3A 02 00 00 35 00 00 00 00  :\0x02\0x00\0x005\0x00\0x00\0x00 \0x00
>
> 17:46:35.854859 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7992868, win 65535, length 0
> 17:46:35.855062 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7994107, win 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.855187 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length 1460 NBT Session Packet: Session Message
> 17:46:35.855195 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x72Data: (41 bytes)
> [000] 64 2F 41 4C 5F 33 39 5F 34 31 35 5F 35 39 34 5F  d/AL_39_ 415_594_
> [010] 6E 61 76 67 74 2E 68 74 6D 50 4B 01 02 14 0B 14  navgt.ht mPK\0x01\0x02\0x14\0x0b\0x14
> [020] 00 00 00 08 00 80 96 F7 38  \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7 8
>
> Thanks for your time,
> Ludovic Rouse-Lamarre
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Michael Wood <esiot...@gmail.com>
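
Added example, not part of the original thread: the `PK\0x01\0x02` byte runs in the quoted trace are the signature of ZIP central-directory file headers, so the names, sizes and dates being read can be carved out of the server-to-client payload. The Python below assumes the capture has already been reassembled into one byte stream; `carve`, `dos_date`, `_sample_record` and the sample names and offsets are constructed for illustration.

```python
import struct

CDH_SIG = b"PK\x01\x02"        # ZIP central directory file header signature
CDH_FMT = "<4s6H3L5H2L"        # fixed 46-byte part of each record
CDH_LEN = struct.calcsize(CDH_FMT)

def dos_date(d):
    """Decode the 16-bit MS-DOS date stored in the header."""
    return "%04d-%02d-%02d" % (1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F)

def carve(stream):
    """Return (entries, truncated): complete records found in `stream` and
    the number of signatures whose record runs past the end of the data."""
    entries, truncated, pos = [], 0, stream.find(CDH_SIG)
    while pos != -1:
        end = len(stream) + 1                       # sentinel: header incomplete
        if pos + CDH_LEN <= len(stream):
            f = struct.unpack_from(CDH_FMT, stream, pos)
            end = pos + CDH_LEN + f[10]             # f[10] = file name length
        if end > len(stream):
            truncated += 1
            nxt = pos + 4
        else:
            entries.append({
                "name": stream[pos + CDH_LEN:end].decode("cp437"),
                "method": f[4], "date": dos_date(f[6]),
                "csize": f[8], "usize": f[9], "offset": f[16],
            })
            nxt = end + f[11] + f[12]               # skip extra field and comment
        pos = stream.find(CDH_SIG, nxt)
    return entries, truncated

def _sample_record(name, offset):
    # Constructed record: fixed fields mirror bytes visible in the trace
    # (deflate, date F7 38, sizes 590/1275); name and offset are made up.
    return struct.pack(CDH_FMT, CDH_SIG, 0x0B14, 0x0014, 0, 8, 0x9680, 0x38F7,
                       0xFB520463, 590, 1275, len(name), 0, 0, 0, 1, 0, offset) + name

SAMPLE = (b"tm" + _sample_record(b"2008-07-23_L1/sample/one.htm", 0x1000)
          + _sample_record(b"2008-07-23_L1/sample/two.htm", 0x2000)
          + CDH_SIG + b"\x14\x0b\x14")   # last record cut off at the capture boundary

if __name__ == "__main__":
    found, cut = carve(SAMPLE)
    for e in found:
        print(e["date"], e["usize"], e["name"])
    print("truncated records:", cut)
```

A record interrupted by an SMB response header between two reads will not decode cleanly, so strip those headers first if complete coverage matters.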