I need some help understanding what is happening on 1 LAN segment. I have copied 2 packets that I suspect are related to the issue.
--PROBLEM--
One remote office experiences intermittent PC lock ups. This impacts every PC accessing any network resource (file server or printing) on a server (IP 128.1.8.1).
I have looked at the event log of the server (clean), the event log of the PC (clean), have used Solarwinds EE8.2 to monitor all of the switches (clean), have looked at background applications on the affected workstations (clean).
I have replaced the switch (a Cat 3550, IOS 12.2.25-SEE), the GBIC, the cable, and the entire file server.
--PACKET CAPTURE--
I spanned a port on 1 affected PC to a PC running Ethereal 0.99 and was able to capture one of the "down times". During this down time I see a series of these:
No. Time Source Destination Protocol Info
19999 1514.295138 128.1.8.155 128.1.8.5 WINREG QueryValue request
20000 1514.295508 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
I suspect this means I have some DNS issue? Can anyone give me a more detailed explanation of these packets? Thanks!
--PACKET CAPTURE DETAIL--
No. Time Source Destination Protocol Info
19999 1514.295138 128.1.8.155 128.1.8.5 WINREG QueryValue request
Frame 19999 (270 bytes on wire, 270 bytes captured)
Arrival Time: Jun 13, 2006 13:36:42.623018000
Time delta from previous packet: 0.000150000 seconds
Time since reference or first frame: 1514.295138000 seconds
Frame Number: 19999
Packet Length: 270 bytes
Capture Length: 270 bytes
Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Coloring Rule Name: Checksum Errors
Coloring Rule String: edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad || udp.checksum_bad
Ethernet II, Src: Dell_b7:4d:89 (00:11:43:b7:4d:89), Dst: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
Destination: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
Address: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Source: Dell_b7:4d:89 (00:11:43:b7:4d:89)
Address: Dell_b7:4d:89 (00:11:43:b7:4d:89)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Type: IP (0x0800)
Internet Protocol, Src: 128.1.8.155 (128.1.8.155), Dst: 128.1.8.5 (128.1.8.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 256
Identification: 0x9728 (38696)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x522d [correct]
Good: True
Bad : False
Source: 128.1.8.155 (128.1.8.155)
Destination: 128.1.8.5 (128.1.8.5)
Transmission Control Protocol, Src Port: 1204 (1204), Dst Port: microsoft-ds (445), Seq: 12373, Ack: 6623, Len: 216
Source port: 1204 (1204)
Destination port: microsoft-ds (445)
Sequence number: 12373 (relative sequence number)
Next sequence number: 12589 (relative sequence number)
Acknowledgement number: 6623 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65023
Checksum: 0x1195 [incorrect, should be 0x8949]
NetBIOS Session Service
Message Type: Session message
Length: 212
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response in: 20000
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: DB31073FCE18F6E7
Reserved: 0000
Tree ID: 2053
Process ID: 2532
User ID: 4097
Multiplex ID: 3456
Trans Request (0x25)
Word Count (WCT): 16
Total Parameter Count: 0
Total Data Count: 128
Max Parameter Count: 0
Max Data Count: 1024
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 0
Parameter Offset: 84
Data Count: 128
Data Offset: 84
Setup Count: 2
Reserved: 00
Byte Count (BCC): 145
Transaction Name: \PIPE\
Padding: 0000
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4002
DCE RPC Request, Fragment: Single, FragLen: 128, Call: 29 Ctx: 0, [Resp: #20000]
Version: 5
Version (minor): 0
Packet type: Request (0)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 128
Auth Length: 0
Call ID: 29
Alloc hint: 104
Context ID: 0
Opnum: 17
Response in frame: 20000
Remote Registry Service, QueryValue
Operation: QueryValue (17)
Pointer to Handle (policy_handle)
Policy Handle
Handle: 0000000063997B0513E455438DD481BA22C1E07C
Value Name
Name Len: 24
Name Size: 24
Pointer to Name (uint16): fDisableLPT
Referent ID: 0x76bc1dbc
Max Count: 12
Offset: 0
Actual Count: 12
Name: fDisableLPT
Pointer to Type (winreg_Type)
Referent ID: 0x0006e2cc
Type: Unknown (451300)
Pointer to Data (uint8)
Referent ID: 0x0006e2e4
Max Count: 4
Offset: 0
Actual Count: 0
Pointer to Size (uint32)
Referent ID: 0x0006e2c4
Size: 4
Pointer to Length (uint32)
Referent ID: 0x0006e2bc
Length: 0
No. Time Source Destination Protocol Info
20000 1514.295508 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
Frame 20000 (182 bytes on wire, 182 bytes captured)
Arrival Time: Jun 13, 2006 13:36:42.623388000
Time delta from previous packet: 0.000370000 seconds
Time since reference or first frame: 1514.295508000 seconds
Frame Number: 20000
Packet Length: 182 bytes
Capture Length: 182 bytes
Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Coloring Rule Name: SMB
Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios
Ethernet II, Src: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c), Dst: Dell_b7:4d:89 (00:11:43:b7:4d:89)
Destination: Dell_b7:4d:89 (00:11:43:b7:4d:89)
Address: Dell_b7:4d:89 (00:11:43:b7:4d:89)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Source: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
Address: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Type: IP (0x0800)
Internet Protocol, Src: 128.1.8.5 (128.1.8.5), Dst: 128.1.8.155 (128.1.8.155)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 168
Identification: 0xbb17 (47895)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x2e96 [correct]
Good: True
Bad : False
Source: 128.1.8.5 (128.1.8.5)
Destination: 128.1.8.155 (128.1.8.155)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1204 (1204), Seq: 6623, Ack: 12589, Len: 128
Source port: microsoft-ds (445)
Destination port: 1204 (1204)
Sequence number: 6623 (relative sequence number)
Next sequence number: 6751 (relative sequence number)
Acknowledgement number: 12589 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65319
Checksum: 0x6029 [correct]
NetBIOS Session Service
Message Type: Session message
Length: 124
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 19999
Time from request: 0.000370000 seconds
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x98
1... .... = Request/Response: Message is a response to the client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 9B8F6CD9C56D074B
Reserved: 0000
Tree ID: 2053
Process ID: 2532
User ID: 4097
Multiplex ID: 3456
Trans Response (0x25)
Word Count (WCT): 10
Total Parameter Count: 0
Total Data Count: 68
Reserved: 0000
Parameter Count: 0
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 68
Data Offset: 56
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 69
Padding: 80
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4002
DCE RPC Response, Fragment: Single, FragLen: 68, Call: 29 Ctx: 0, [Req: #19999]
Version: 5
Version (minor): 0
Packet type: Response (2)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 68
Auth Length: 0
Call ID: 29
Alloc hint: 44
Context ID: 0
Cancel count: 0
Opnum: 17
Request in frame: 19999
Time from request: 0.000370000 seconds
Remote Registry Service, QueryValue
Operation: QueryValue (17)
Pointer to Type (winreg_Type)
Referent ID: 0x00020000
Type: Unknown (451300)
Pointer to Data (uint8)
Referent ID: 0x00020004
Max Count: 4
Offset: 0
Actual Count: 0
Pointer to Size (uint32)
Referent ID: 0x00020008
Size: 4
Pointer to Length (uint32)
Referent ID: 0x0002000c
Length: 0
Windows Error: File not found (pathname error) (0x00000002)
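The two frames above are a DCE/RPC call to the Remote Registry service (opnum 17, QueryValue) carried over an SMB named-pipe transaction, and the response ends with Windows error 0x00000002 (File not found), i.e. the requested value name was not present on the server. As an added example (not part of the post), here is a small Python script that parses one-line summaries in the format shown above and flags a client that receives a burst of WINREG error responses within a short window, which is how a repeating request/error loop of this kind can be spotted in a large capture. The sample lines are constructed: the two real frames from the post plus made-up repeats with invented frame numbers and timestamps.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format of the capture above: the two
# frames from the post followed by invented repeats and one clean response.
SAMPLE = """\
19999 1514.295138 128.1.8.155 128.1.8.5 WINREG QueryValue request
20000 1514.295508 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20001 1514.295900 128.1.8.155 128.1.8.5 WINREG QueryValue request
20002 1514.296200 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20003 1514.296600 128.1.8.155 128.1.8.5 WINREG QueryValue request
20004 1514.296900 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20005 1520.000000 128.1.8.155 128.1.8.5 WINREG QueryValue request
20006 1520.000300 128.1.8.5 128.1.8.155 WINREG QueryValue response
"""

# No. Time Source Destination Protocol Info
LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse(text):
    """Turn summary lines into (frame_no, time, src, dst, proto, info) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            rows.append((int(no), float(t), src, dst, proto, info))
    return rows


def error_bursts(rows, window=1.0, threshold=3):
    """Return {client: peak_count} for clients that receive at least
    `threshold` WINREG error responses inside any `window`-second span.
    The client is the destination of the response frame."""
    times = defaultdict(list)
    for _no, t, _src, dst, proto, info in rows:
        if proto == "WINREG" and "response" in info and "Error:" in info:
            times[dst].append(t)
    flagged = {}
    for client, ts in times.items():
        ts.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(ts):
            while t - ts[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flagged[client] = max(flagged.get(client, 0), i - j + 1)
    return flagged
```

Feeding the real capture's summary export into `parse()` would show whether 128.1.8.155 is looping on the same failing QueryValue during each lock-up; the response itself is a registry lookup failure and does not involve name resolution.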