Thursday, June 9, 2011

Debugging Network Problems with TCPDUMP

The tcpdump program (dump traffic on a network) can be used to view network traffic, and, if necessary, its output can be parsed to deduce the source of excess packets. You can get the tcpdump-smb program, an extension to tcpdump, from the Samba website (www.samba.org). It is used to investigate SMB networking problems over NetBEUI and TCP/IP. Typically, it must be run as root because of the hardware access level it needs and the information it provides. The following examples show a debugging session for Samba, but tcpdump can be used for any other networking problem.
Capture all SMB packets to debug Name Resolution Problems (WINS)

# tcpdump port 137 
tcpdump: listening on eth0
15:33:15.437022 opal.netbios-ns > 193.247.121.207.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x3A4F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=AKADIA NameType=0x1D (Master Browser)
QuestionType=
In the example above, the machine opal sends a broadcast request to the broadcast address 193.247.121.207 for NetBIOS name resolution.
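As an added example (not part of the original post and not tcpdump-smb's own code), the Python script below builds a constructed NBNS name query like the one opal broadcasts above and decodes the same fields tcpdump-smb prints (TrnID, OpCode, NmFlags, Rcode, the record counts and the first-level-encoded question name); this is the parsing step you need if you want to tally which hosts are sending excess port-137 queries. The name-type table is an assumed subset of the standard NetBIOS suffixes.

```python
import struct

# NetBIOS name-type suffixes as labelled by tcpdump-smb (assumed subset; 0x1D and 0x00 appear above)
NAME_TYPES = {0x00: "Workstation", 0x03: "Messenger", 0x1B: "Domain Master Browser",
              0x1D: "Master Browser", 0x1E: "Browser Election", 0x20: "File Server"}

def encode_nb_name(name, suffix):
    """First-level encoding (RFC 1001 14.1): pad the name to 15 chars, append the suffix
    byte, then write each nibble as 'A' + nibble, giving the 32-byte label seen on the wire."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)

def build_nbns_query(trn_id, name, suffix, broadcast=True):
    """Constructed sample packet: a NBNS NAME QUERY REQUEST as a host broadcasts it on UDP/137."""
    nm_flags = 0x11 if broadcast else 0x10                        # RD (0x10) plus B (0x01) when broadcast
    flags = (0 << 11) | (nm_flags << 4) | 0                       # OPCODE=0 (query), RCODE=0
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)    # then QD/AN/NS/AR counts
    question = b"\x20" + encode_nb_name(name, suffix) + b"\x00"   # one 32-byte label, root terminator
    return header + question + struct.pack("!HH", 0x0020, 0x0001) # QTYPE=NB, QCLASS=IN

def parse_nbns(packet):
    """Decode the header fields tcpdump-smb prints for a port-137 packet plus the question name.
    Raises ValueError on a truncated packet or a label length other than 32."""
    if len(packet) < 12:
        raise ValueError("NBNS packet shorter than the 12-byte header")
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    info = {"TrnID": trn_id, "Response": bool(flags & 0x8000),
            "OpCode": (flags >> 11) & 0x0F, "NmFlags": (flags >> 4) & 0x7F, "Rcode": flags & 0x0F,
            "QueryCount": qd, "AnswerCount": an, "AuthorityCount": ns, "AddressRecCount": ar}
    if qd:
        if len(packet) < 50 or packet[12] != 32:
            raise ValueError("question record missing or label length is not 32")
        enc = packet[13:45]
        raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
        info["Name"] = raw[:15].decode("ascii", "replace").rstrip()
        info["NameType"] = raw[15]
        info["NameTypeDesc"] = NAME_TYPES.get(raw[15], "Unknown")
        info["QuestionType"] = struct.unpack("!H", packet[46:48])[0]  # 0x20 = NB
    return info

if __name__ == "__main__":
    # Reproduce the query from the capture above: opal asks for AKADIA<1D>, TrnID 0x3A4F
    pkt = build_nbns_query(0x3A4F, "AKADIA", 0x1D)
    for field, value in parse_nbns(pkt).items():
        print(f"{field}={value}")
```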
Capture all SMB packets to debug Network Neighborhood Browsing Problems
# tcpdump port 138
tcpdump: listening on eth0
15:46:19.420347 rabbit.netbios-dgm > 193.247.121.207.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x3B1F IP=193.247.121.196 Port=138 Length=183 Res2=0x0
SourceName=RABBIT NameType=0x00 (Workstation)
DestName=
SMB PACKET: SMBunknown (REQUEST)
Capture all SMB packets to debug NetBIOS Session Problems
# tcpdump -s 100 port 139 
tcpdump: listening on eth0
15:51:00.155440 akadia01.10032 > rabbit.netbios-ssn: P 3139570112:3139570160(48) ack 3279569702 win 8721
NBT Packet
NBT Session Packet
Flags=0x0
Length=44

SMB PACKET: SMBchkpth (REQUEST)
SMB Command = 0x10
Error class = 0x0
Error code = 0
Flags1 = 0x18
Flags2 = 0x3
Tree ID = 2
Proc ID = 51966
UID = 101
MID = 3200
Word Count = 0
smbbuf[]=
Path=\Upload
While the above command is running, issue a net view command from a Windows client and you will see output similar to that shown above.
To print traffic between rabbit and either paragon or diamond:
# tcpdump host rabbit and \( paragon or diamond \)
Telnet from paragon to rabbit and watch the output.
