From owner-freebsd-security Wed Oct 3 11:39: 2 2001
From: David La Croix
Message-Id: <200110031838.f93IcEe40800@cowpie.acm.vt.edu>
Subject: SMBmkdir (REQUEST) packets in tcpdump?
To: freebsd-security@freebsd.org
Date: Wed, 3 Oct 2001 13:38:14 -0500 (CDT)
Cc: dlacroix@cowpie.acm.vt.edu (David La Croix)

In attempting to get something else working, I was running TCP dump, watching specifically for broadcasted traffic, and I came across the following puzzling output from TCPdump:

13:12:35.579986 10.10.10.251.138 > 10.10.10.255.138:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x77B7 IP=10 (0xa).10 (0xa).10 (0xa).251 ( 0xfb) Port=138 (0x8a) Length=213 (0xd5) Res2=0x0
SourceName=NARF NameType=0x00 (Workstation)
DestName=LA NameType=0x00 (Workstation)
SMB PACKET: SMBmkdir (REQUEST)

13:12:35.580115 10.10.10.251.138 > 10.10.10.255.138:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x77B8 IP=10 (0xa).10 (0xa).10 (0xa).251 ( 0xfb) Port=138 (0x8a) Length=205 (0xcd) Res2=0x0
SourceName=NARF NameType=0x00 (Workstation)
DestName=`a NameType=0x00 (Workstation)
SMB PACKET: SMBmkdir (REQUEST)

This is on a 4.3-secure FreeBSD box behind a nat/firewall (Samba version 2.0.9). The Firewall is an old 486 running 4.3-secure with natd and only ssh and httpd ports open.
(The SAMBA is running for one client (win98) that happens to be off at the time of these messages).

Can anybody explain this (known bug in Samba???) or point me to a FAQ on the topic?

For reference ... just noticed another occurrence:

13:24:36.307205 10.10.10.251.138 > 10.10.10.255.138:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x77B9 IP=10 (0xa).10 (0xa).10 (0xa).251 (0xfb) Port=138 (0x8a) Length=213 (0xd5) Res2=0x0
SourceName=NARF NameType=0x00 (Workstation)
DestName=LA NameType=0x00 (Workstation)
SMB PACKET: SMBmkdir (REQUEST)

13:24:36.307347 10.10.10.251.138 > 10.10.10.255.138:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x77BA IP=10 (0xa).10 (0xa).10 (0xa).251 (0xfb) Port=138 (0x8a) Length=205 (0xcd) Res2=0x0
SourceName=NARF NameType=0x00 (Workstation)
DestName=`a NameType=0x00 (Workstation)
SMB PACKET: SMBmkdir (REQUEST)

Thanks.