[EMAIL PROTECTED] root]# tethereal -i 3 -z smb,rtt,ip.addr==192.168.1.6 -f tcp port 137 or tcp port 137 or port 138 or tcp port 139 or tcp port 445 -s 2000
Capturing on eth1
0.000000 192.168.1.6 -> 192.168.1.255 NBNS Name query NB HOME<1c>
0.001632 192.168.1.1 -> 192.168.1.6 NBNS Name query response NB 192.168.1.1
0.001803 192.168.1.6 -> 192.168.1.255 SMB_NETLOGON SAM LOGON request from client
0.002050 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.002347 192.168.1.6 -> 192.168.1.1 SMB_NETLOGON SAM LOGON request from client
0.002465 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.097579 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.099257 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7372
0.099661 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.100714 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 116 bytes
0.100926 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.101883 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.102117 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.103180 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 102 bytes
0.103373 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.104309 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.104578 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.105532 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 148 bytes
0.105732 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.106605 192.168.1.1 -> 192.168.1.6 DCERPC Fault: call_id: 2 ctx_id: 0 status: nca_op_rng_error
0.106869 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7372, 64 bytes at offset 0[Unreassembled Packet]
0.110524 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7372, 148 bytes
0.110713 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7372, 1024 bytes at offset 0
0.112268 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.112589 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \lsarpc
0.113859 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7373
0.114124 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.115229 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 160 bytes
0.115424 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.116448 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.116680 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.116927 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 88 bytes
0.117121 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.119314 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.119549 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.122162 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 52 bytes
0.122348 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.123776 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 2 ctx_id: 0
0.123993 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7373, 64 bytes at offset 0[Unreassembled Packet]
0.124930 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7373, 44 bytes
0.125121 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7373, 1024 bytes at offset 0
0.126601 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.126812 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7373
0.127876 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.128642 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.129428 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7374
0.129718 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7374, 64 bytes at offset 0[Unreassembled Packet]
0.130874 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7374, 116 bytes
0.131073 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7374, 1024 bytes at offset 0
0.131943 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 4 accept max_xmit: 4280 max_recv: 4280
0.132272 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7374, 64 bytes at offset 0[Unreassembled Packet]
0.137409 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7374, 352 bytes
0.137597 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7374, 1024 bytes at offset 0
0.139166 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 4 ctx_id: 0
0.139455 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7374
0.140592 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.140843 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7372
0.141632 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.142003 192.168.1.6 -> 192.168.1.255 NBNS Name query NB HOME<1c>
0.142141 192.168.1.1 -> 192.168.1.6 NBNS Name query response NB 192.168.1.1
0.142304 192.168.1.6 -> 192.168.1.255 SMB_NETLOGON SAM LOGON request from client
0.142402 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.142799 192.168.1.6 -> 192.168.1.1 SMB_NETLOGON SAM LOGON request from client
0.143168 192.168.1.1 -> 192.168.1.6 SMB_NETLOGON SAM Response - user unknown
0.238181 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.238956 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7375
0.239345 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.239498 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 116 bytes
0.239766 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.239863 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.240239 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.240466 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 102 bytes
0.240675 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.240782 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.241213 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.241548 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 148 bytes
0.242054 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.242199 192.168.1.1 -> 192.168.1.6 DCERPC Fault: call_id: 2 ctx_id: 0 status: nca_op_rng_error
0.242583 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7375, 64 bytes at offset 0[Unreassembled Packet]
0.245101 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7375, 148 bytes
0.245287 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7375, 1024 bytes at offset 0
0.246857 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.247180 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \lsarpc
0.254949 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7376
0.255200 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.255357 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 160 bytes
0.255615 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.255712 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
0.256105 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.256270 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 88 bytes
0.256551 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.256670 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 1 ctx_id: 0
0.257056 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.258530 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 52 bytes
0.258714 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.262919 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 2 ctx_id: 0
0.263138 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7376, 64 bytes at offset 0[Unreassembled Packet]
0.263436 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7376, 44 bytes
0.263586 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7376, 1024 bytes at offset 0
0.267544 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 3 ctx_id: 0
0.267762 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7376
0.267881 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.268770 192.168.1.6 -> 192.168.1.1 SMB NT Create AndX Request, Path: \NETLOGON
0.269046 192.168.1.1 -> 192.168.1.6 SMB NT Create AndX Response, FID: 0x7377
0.269415 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7377, 64 bytes at offset 0[Unreassembled Packet]
0.269621 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7377, 116 bytes
0.269822 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7377, 1024 bytes at offset 0
0.269903 192.168.1.1 -> 192.168.1.6 DCERPC Bind_ack: call_id: 4 accept max_xmit: 4280 max_recv: 4280
0.270408 192.168.1.6 -> 192.168.1.1 SMB Write AndX Request, FID: 0x7377, 64 bytes at offset 0[Unreassembled Packet]
0.274013 192.168.1.1 -> 192.168.1.6 SMB Write AndX Response, FID: 0x7377, 352 bytes
0.274204 192.168.1.6 -> 192.168.1.1 SMB Read AndX Request, FID: 0x7377, 1024 bytes at offset 0
0.280704 192.168.1.1 -> 192.168.1.6 DCERPC Response: call_id: 4 ctx_id: 0
0.281002 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7377
0.281151 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.281520 192.168.1.6 -> 192.168.1.1 SMB Close Request, FID: 0x7375
0.281676 192.168.1.1 -> 192.168.1.6 SMB Close Response
0.394220 192.168.1.6 -> 192.168.1.1 TCP 1296 > netbios-ssn [ACK] Seq=6182 Ack=5252 Win=65457 Len=0
2.487734 192.168.1.6 -> 192.168.1.1 SMB Logoff AndX Request
2.488542 192.168.1.1 -> 192.168.1.6 SMB Logoff AndX Response
2.488836 192.168.1.6 -> 192.168.1.1 SMB Tree Disconnect Request
2.489791 192.168.1.1 -> 192.168.1.6 SMB Tree Disconnect Response
2.490016 192.168.1.6 -> 192.168.1.1 SMB Logoff AndX Request
2.490922 192.168.1.1 -> 192.168.1.6 SMB Logoff AndX Response
2.491087 192.168.1.6 -> 192.168.1.1 SMB Tree Disconnect Request
2.491364 192.168.1.1 -> 192.168.1.6 SMB Tree Disconnect Response
2.491580 192.168.1.6 -> 192.168.1.1 TCP 1296 > netbios-ssn [FIN, ACK] Seq=6346 Ack=5416 Win=65293 Len=0
2.494668 192.168.1.1 -> 192.168.1.6 TCP netbios-ssn > 1296 [FIN, ACK] Seq=5416 Ack=6347 Win=5840 Len=0
2.494753 192.168.1.6 -> 192.168.1.1 TCP 1296 > netbios-ssn [ACK] Seq=6347 Ack=5417 Win=65293 Len=0
===================================================================
SMB RTT Statistics:
Filter: ip.addr==192.168.1.6
Commands                   Calls   Min RTT   Max RTT   Avg RTT
Close                          6   0.00011   0.00113   0.00056
Read AndX                     20   0.00008   0.00650   0.00148
Write AndX                    20   0.00015   0.00513   0.00135
Tree Disconnect                2   0.00027   0.00095   0.00061
Logoff AndX                    2   0.00080   0.00090   0.00085
NT Create AndX                 6   0.00027   0.00776   0.00209

Transaction2 Commands      Calls   Min RTT   Max RTT   Avg RTT

NT Transaction Commands    Calls   Min RTT   Max RTT   Avg RTT
=================================================================

-----Original Message-----
From: Jeremy Allison <[EMAIL PROTECTED]>
Sent: May 20, 2005 11:51 PM
To: EA <[EMAIL PROTECTED]>
Cc: samba@lists.samba.org
Subject: Re: [Samba] RPC error logging in to PDC on Win-64

On Fri, May 20, 2005 at 09:56:47PM -0500, EA wrote:
> I ran tethereal and captured smb,rtt packets on the ports used by SMB but
> only those from the XP-64 box. I used tethereal -i 3 -z
> smb,rtt,ip.addr==192.168.1.6 -f tcp port 137 or tcp port 137 or port 138 or
> tcp port 139 or tcp port 445 -w scan
>
> I dumped it to a text file -> http://home.mindspring.com/~ops21/scan
>
> Let me know if there was something else I should have scanned for.

Test files are no good as packet captures. We need the raw data. Please just capture the entire conversation with snaplen > 2000 and dump the raw capture somewhere.

As I keep saying, TEXT FILES ARE NOT PACKET CAPTURES !!! (Sorry, it's a pet peeve of mine :-).

Jeremy.
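
A check related to the request for a raw capture in the message above, as an added example that is not part of the original thread: it reads the first bytes of a file and tells a classic libpcap capture from a text dump, returning the snaplen stored in the capture header. The function names, the constructed sample data and the literal reading of "snaplen > 2000" as a threshold are assumptions of this example.

```python
import struct

# libpcap global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PCAP_HEADER = "IHHiIII"
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng section header block type


def classify_capture(data):
    """Return (kind, snaplen) for the first bytes of a file.

    kind is "pcap", "pcapng", "text" or "unknown"; snaplen is only
    read for classic pcap, where it sits in the 24-byte global header.
    """
    head = data[:24]
    order = PCAP_MAGICS.get(head[:4])
    if order is not None and len(head) == 24:
        fields = struct.unpack(order + PCAP_HEADER, head)
        return "pcap", fields[5]
    if head[:4] == PCAPNG_MAGIC:
        return "pcapng", None  # snaplen is per-interface in pcapng, not parsed here
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "text", None  # printable bytes only: a dissector summary, not packets
    return "unknown", None


def meets_request(kind, snaplen, minimum=2000):
    """True for a raw classic-pcap capture whose snaplen exceeds `minimum` (assumed threshold)."""
    return kind == "pcap" and snaplen is not None and snaplen > minimum


# Constructed samples (not taken from the capture file discussed in the thread).
SAMPLE_RAW = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_SHORT = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
SAMPLE_TEXT = b"0.000000 192.168.1.6 -> 192.168.1.255 NBNS Name query NB HOME<1c>\n"

if __name__ == "__main__":
    for name, blob in [("raw", SAMPLE_RAW), ("short", SAMPLE_SHORT), ("text", SAMPLE_TEXT)]:
        kind, snaplen = classify_capture(blob)
        print(name, kind, snaplen, meets_request(kind, snaplen))
```

To check a real file, pass its first 24 bytes, for example `classify_capture(open(path, "rb").read(24))`.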