Solved

PCAP Ethereal Packet Capture Analysis

Posted on 2006-06-13
26
14,860 Views
Last Modified: 2013-12-07
I need some help understanding what is happening on 1 LAN segment.  I have copied 2 packets that I suspect are related to the issue.

--PROBLEM--
One remote office experiences intermittent PC lock ups.  This impacts every PC accessing any network resource (file server or printing) on a server (IP 128.1.8.1).

I have looked at the event log of the server (clean), the event log of the PC (clean), have used Solarwinds EE8.2 to monitor all of the switches (clean), have looked at background applications on the affected workstations (clean).

I have replaced the switch (a Cat 3550, IOS 12.2.25-SEE), the GBIC, the cable, and the entire file server.

--PACKET CAPTURE--
I spanned a port on 1 affected PC to a PC running Ethereal 0.99 and was able to capture one of the "down times".  During this down time I see a series of these

No.     Time        Source                Destination           Protocol Info
  19999 1514.295138 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20000 1514.295508 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)

I suspect this means I have some DNS issue?  Can anyone give me a more detailed explanation of these packets?  Thanks!

--PACKET CAPTURE DETAIL--
No.     Time        Source                Destination           Protocol Info
  19999 1514.295138 128.1.8.155           128.1.8.5             WINREG   QueryValue request

Frame 19999 (270 bytes on wire, 270 bytes captured)
    Arrival Time: Jun 13, 2006 13:36:42.623018000
    Time delta from previous packet: 0.000150000 seconds
    Time since reference or first frame: 1514.295138000 seconds
    Frame Number: 19999
    Packet Length: 270 bytes
    Capture Length: 270 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
    Coloring Rule Name: Checksum Errors
    Coloring Rule String: edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad || udp.checksum_bad
Ethernet II, Src: Dell_b7:4d:89 (00:11:43:b7:4d:89), Dst: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
    Destination: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
        Address: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Source: Dell_b7:4d:89 (00:11:43:b7:4d:89)
        Address: Dell_b7:4d:89 (00:11:43:b7:4d:89)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Type: IP (0x0800)
Internet Protocol, Src: 128.1.8.155 (128.1.8.155), Dst: 128.1.8.5 (128.1.8.5)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 256
    Identification: 0x9728 (38696)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x522d [correct]
        Good: True
        Bad : False
    Source: 128.1.8.155 (128.1.8.155)
    Destination: 128.1.8.5 (128.1.8.5)
Transmission Control Protocol, Src Port: 1204 (1204), Dst Port: microsoft-ds (445), Seq: 12373, Ack: 6623, Len: 216
    Source port: 1204 (1204)
    Destination port: microsoft-ds (445)
    Sequence number: 12373    (relative sequence number)
    Next sequence number: 12589    (relative sequence number)
    Acknowledgement number: 6623    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65023
    Checksum: 0x1195 [incorrect, should be 0x8949]
NetBIOS Session Service
    Message Type: Session message
    Length: 212
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response in: 20000
        SMB Command: Trans (0x25)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: DB31073FCE18F6E7
        Reserved: 0000
        Tree ID: 2053
        Process ID: 2532
        User ID: 4097
        Multiplex ID: 3456
    Trans Request (0x25)
        Word Count (WCT): 16
        Total Parameter Count: 0
        Total Data Count: 128
        Max Parameter Count: 0
        Max Data Count: 1024
        Max Setup Count: 0
        Reserved: 00
        Flags: 0x0000
            .... .... .... ..0. = One Way Transaction: Two way transaction
            .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
        Timeout: Return immediately (0)
        Reserved: 0000
        Parameter Count: 0
        Parameter Offset: 84
        Data Count: 128
        Data Offset: 84
        Setup Count: 2
        Reserved: 00
        Byte Count (BCC): 145
        Transaction Name: \PIPE\
        Padding: 0000
SMB Pipe Protocol
    Function: TransactNmPipe (0x0026)
    FID: 0x4002
DCE RPC Request, Fragment: Single, FragLen: 128, Call: 29 Ctx: 0, [Resp: #20000]
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 128
    Auth Length: 0
    Call ID: 29
    Alloc hint: 104
    Context ID: 0
    Opnum: 17
    Response in frame: 20000
Remote Registry Service, QueryValue
    Operation: QueryValue (17)
    Pointer to Handle (policy_handle)
        Policy Handle
            Handle: 0000000063997B0513E455438DD481BA22C1E07C
    Value Name
        Name Len: 24
        Name Size: 24
        Pointer to Name (uint16): fDisableLPT
            Referent ID: 0x76bc1dbc
            Max Count: 12
            Offset: 0
            Actual Count: 12
            Name: fDisableLPT
    Pointer to Type (winreg_Type)
        Referent ID: 0x0006e2cc
        Type: Unknown (451300)
    Pointer to Data (uint8)
        Referent ID: 0x0006e2e4
        Max Count: 4
        Offset: 0
        Actual Count: 0
    Pointer to Size (uint32)
        Referent ID: 0x0006e2c4
        Size: 4
    Pointer to Length (uint32)
        Referent ID: 0x0006e2bc
        Length: 0

No.     Time        Source                Destination           Protocol Info
  20000 1514.295508 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)

Frame 20000 (182 bytes on wire, 182 bytes captured)
    Arrival Time: Jun 13, 2006 13:36:42.623388000
    Time delta from previous packet: 0.000370000 seconds
    Time since reference or first frame: 1514.295508000 seconds
    Frame Number: 20000
    Packet Length: 182 bytes
    Capture Length: 182 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
    Coloring Rule Name: SMB
    Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios
Ethernet II, Src: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c), Dst: Dell_b7:4d:89 (00:11:43:b7:4d:89)
    Destination: Dell_b7:4d:89 (00:11:43:b7:4d:89)
        Address: Dell_b7:4d:89 (00:11:43:b7:4d:89)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Source: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
        Address: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Type: IP (0x0800)
Internet Protocol, Src: 128.1.8.5 (128.1.8.5), Dst: 128.1.8.155 (128.1.8.155)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 168
    Identification: 0xbb17 (47895)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x2e96 [correct]
        Good: True
        Bad : False
    Source: 128.1.8.5 (128.1.8.5)
    Destination: 128.1.8.155 (128.1.8.155)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1204 (1204), Seq: 6623, Ack: 12589, Len: 128
    Source port: microsoft-ds (445)
    Destination port: 1204 (1204)
    Sequence number: 6623    (relative sequence number)
    Next sequence number: 6751    (relative sequence number)
    Acknowledgement number: 12589    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65319
    Checksum: 0x6029 [correct]
NetBIOS Session Service
    Message Type: Session message
    Length: 124
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 19999
        Time from request: 0.000370000 seconds
        SMB Command: Trans (0x25)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 9B8F6CD9C56D074B
        Reserved: 0000
        Tree ID: 2053
        Process ID: 2532
        User ID: 4097
        Multiplex ID: 3456
    Trans Response (0x25)
        Word Count (WCT): 10
        Total Parameter Count: 0
        Total Data Count: 68
        Reserved: 0000
        Parameter Count: 0
        Parameter Offset: 56
        Parameter Displacement: 0
        Data Count: 68
        Data Offset: 56
        Data Displacement: 0
        Setup Count: 0
        Reserved: 00
        Byte Count (BCC): 69
        Padding: 80
SMB Pipe Protocol
    Function: TransactNmPipe (0x0026)
    FID: 0x4002
DCE RPC Response, Fragment: Single, FragLen: 68, Call: 29 Ctx: 0, [Req: #19999]
    Version: 5
    Version (minor): 0
    Packet type: Response (2)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 68
    Auth Length: 0
    Call ID: 29
    Alloc hint: 44
    Context ID: 0
    Cancel count: 0
    Opnum: 17
    Request in frame: 19999
    Time from request: 0.000370000 seconds
Remote Registry Service, QueryValue
    Operation: QueryValue (17)
    Pointer to Type (winreg_Type)
        Referent ID: 0x00020000
        Type: Unknown (451300)
    Pointer to Data (uint8)
        Referent ID: 0x00020004
        Max Count: 4
        Offset: 0
        Actual Count: 0
    Pointer to Size (uint32)
        Referent ID: 0x00020008
        Size: 4
    Pointer to Length (uint32)
        Referent ID: 0x0002000c
        Length: 0
    Windows Error: File not found (pathname error) (0x00000002)

0
Comment
Question by:RPPreacher
  • 12
  • 7
  • 4
  • +2
26 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 16897329
WINREG   QueryValue response, Error: File not found (pathname error)

This is the protocol used by Samba Shares.

This line shows error happing while trying to access a file on some share hosted by Linux Server.
Its simply file not found error.
0
 
LVL 8

Accepted Solution

by:
Danny_Larouche earned 500 total points
ID: 16897367
They are 2 smb packets, second one indicating a user requested a non-existing file.  Such false positive error often occure on slow/unstable  network connections.   If the a shortcut to this "wrongly reported as missing" file is located on the Windows`s desktop, it may cause the temporary lock ups issue. Are you doing SMB session within a VPN tunnel?
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16897798
>This line shows error happing while trying to access a file on some share hosted by Linux Server.

Not a linux environment.  And SMB is not a linux protocol.  It is a Microsoft protocol used by Linux to connect with Microsoft shares.

>Are you doing SMB session within a VPN tunnel?

No.  The file server is on the same LAN as the PC.  In fact, they are on the same 3550 switch.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16897843
I was talking about Protocol WINREG.

It is used by Linux Samba Shares.
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16897874
No linux in this shop.  Not a single device.
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16897942
>I was talking about Protocol WINREG.

FYI Also not a linux only thing

http://wiki.ethereal.com/WINREG
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16897974
Ok, agreed.

Even then, its just a normal packets where someone is trying to access a file on network share, which was not found.

Also, in first packet, TCP checksum is incorrect.

>Checksum: 0x1195 [incorrect, should be 0x8949]

Destination Port is 445 so it points that Windows Share was used.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16898000
The file server is at 128.1.8.1. The capture was between 2 other addresses. Was that a sample of traffic between many hosts? Is the problem limited to sessions to 128.1.8.1? I'm trying to understand the relationship between the 2 hosts and 128.1.8.1.

Searching on Google, I see a lot of attention paid to attacks on TCP 445. Might someone have some malware on his PC?
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16898917
Right.  128.1.8.5 is the DC and the DNS which leads me to the DNS issue.

Since we do not know what is causing the lock ups we did a packet capture of a locking up PC.  These are the packets that happen during a lock up.  So although the affected PCs are accessing the file server (.1), the cause seems to be these packets from the DC/DNS (.5).

Still trying to understand what is happening.

If it was DNS failure, all the workstations would not fail simultaneously.  Since workstations cache name resolution, it seems that 1 or 2 might fail, but not everyone.

If it was a physical layer failure, we would not see a response from .1 or .5

Thus the question... I've been architecting networks for 15 years and this has me stumped...
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16899553
I'm not sure what it is looking for, but it is looking for something in the regitry.  I can't find anything on what type 17 is.  But whatever it is looking for does not exist.

From what I can guess at, check out your registry

HKLM\\CurrentcontrolSet\Control\SecurePipeServers\winreg\AllowedPaths

See if you happen to have like 17 entries and what the 17th value is.

I am also assuming that  you have checked the event logs on this server and there is nothing there.

I would also check to see if you have any CLSID's 63997B0513E455438DD481BA22C1E07C
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16899670
Found a bit more. maybe.  fDisableLPT is the registry key value that is used by terminal servers/remote desktop to allow or disallow client side LPT redirection.  

Normally under:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

It almost appears as if you are missing the fDisableLPT entry.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16901558
Just a suggestion, if you have not already done it.

Have you tried to change the port on the core switch where the edge switch is connecting.

You mentioned that you have change the edge switch and the GBIC, but have you changed the port on core switch where it is uplinking.

You could swap it with a edge switch port where this problem is not occuring.

0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16901564
All points between PC and switch have been replaced.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 57

Expert Comment

by:giltjr
ID: 16902493
Doing some more reading about winreg.  It seem, as you may already know, this is a protcol for remote managment of the Windows registry.  Somebody seems to be queirying registry values over the network.  In the trace pieces you have provided they are looking for fDisableLPT.  I am not sure if the "path does not exist" error is because this key does not exist or becaues they do not have authorization to see that key.

Should the person on 128.1.8.155 being doing anything to the registry on 128.1.8.5?

I don't think this is a network problem, so changes to switches cables hubs will not matter.  I would also not worry about the checksum error.  I see this message quite a bit in Ethereal but I have never seen where it caused a real problem.

Now for you real problem.  Is the remote office on a routed (a different IP subnet) network or are you doing bridging (same IP subnet as the server) over the WAN link.

If it is the same IP subnet as the server, meaning you are doing  bridging, I would suggest that you change it to a different subnet and do routing. Bridging over a WAN link will cause performance problems and what appears to be random hangs.
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16902580
>Is the remote office on a routed (a different IP subnet) network or are you doing bridging (same IP subnet as the server) over the WAN link.

These issues appear on the local LAN of the remote office.  Not over the WAN link.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16902803
Ah.  I misread, I was thinking that the remote office was accessing a server at the "central" office and everything on the at centeral office was having problems when PC's at the remote office locked up.

The issue is totally within the remote office, got that now.

1) The other information still is good.  Somebody is remotely looking at the registry on the server and the key they are looking for does not exist.  I don't know if this has antyhing to do with the lock ups.

Do you run anything that does multi-casting?  

Do you have any type of software that shows port utilziation?  If so, does it record higher than normal or lower than normal utizlation during the intervals when the lock ups occur?

Do you monitor/track resource utilziation on the server?  Does resources (CPU, memory, DISK I/O) go up or down during the intervals.

Does this happen at the same time(s) everyday or at specific intervals?  Say like everyday at 8 AM and 4 PM?  Does it happen when a specific user comes in and logs on?

How long does it last?

Is is one PC that locks up and the others work fine, but just can't access resources on the server.  Or do all PC's just lock up and can't do anything.


0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 16902820
Did you tried to swap patch cord to make sure the error is not caused by physical layer? This is the kind of error that may occure in such circumstance
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16902831
>Do you run anything that does multi-casting?  
No

>Do you have any type of software that shows port utilziation?  If so, does it record higher than normal or lower than normal utizlation during the intervals when the lock ups occur?
Yes (PRTG and Orion).  Traffic levels are normal.

Do you monitor/track resource utilziation on the server?  Does resources (CPU, memory, DISK I/O) go up or down during the intervals.
Yes (Solarwinds EE8.2).  No the resources are fine.

>Does this happen at the same time(s) everyday or at specific intervals?  Say like everyday at 8 AM and 4 PM?  Does it happen when a specific user comes in and logs on?
No.

>How long does it last?
Between 3 and 30 seconds

>Is is one PC that locks up and the others work fine, but just can't access resources on the server.  Or do all PC's just lock up and can't do anything.
All PCs accessing network resource at 128.1.8.1 lock up.
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16902857
>Did you tried to swap patch cord to make sure the error is not caused by physical layer? This is the kind of error that may occure in such circumstance

I replaced the entire Catalyst 3550, the GBIC, the fiber cable, the fiber card in the server, and the entire server.  (Not at the same time...first I replaced the GBIC, then cable, then switch, then server, then fiber card)
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16902925
Here's a packet list from a PC during the outage

No.     Time        Source                Destination           Protocol Info
  19842 1511.312459 DellComp_5c:ce:5c     Broadcast             ARP      Who has 128.1.8.155?  Tell 128.1.8.5
  19843 1511.312474 Dell_b7:4d:89         DellComp_5c:ce:5c     ARP      128.1.8.155 is at 00:11:43:b7:4d:89
  19844 1511.312629 128.1.8.5             128.1.8.155           TCP      epmap > 1198 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
  19845 1511.312691 128.1.8.155           128.1.8.5             TCP      1198 > epmap [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
  19846 1511.312900 128.1.8.155           128.1.8.5             DCERPC   Bind: call_id: 1 UUID: EPM
  19847 1511.313330 128.1.8.5             128.1.8.155           DCERPC   Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
  19848 1511.313451 128.1.8.155           128.1.8.5             EPM      Map request
  19849 1511.314035 128.1.8.5             128.1.8.155           EPM      Map response
  19850 1511.316742 128.1.8.155           128.1.8.5             TCP      1199 > 1026 [SYN] Seq=0 Len=0 MSS=1460
  19851 1511.316932 128.1.8.5             128.1.8.155           TCP      1026 > 1199 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
  19852 1511.316989 128.1.8.155           128.1.8.5             TCP      1199 > 1026 [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
  19853 1511.317215 128.1.8.155           128.1.8.5             DCERPC   Bind: call_id: 1 UUID: RPC_NETLOGON
  19854 1511.317650 128.1.8.5             128.1.8.155           DCERPC   Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
  19855 1511.317900 128.1.8.155           128.1.8.5             RPC_NETLOGON NetrLogonGetDomainInfo request
  19856 1511.319717 128.1.8.5             128.1.8.155           RPC_NETLOGON NetrLogonGetDomainInfo response
  19857 1511.496877 128.1.8.155           128.1.8.5             TCP      1198 > epmap [ACK] Seq=229 Ack=213 Win=65323 [TCP CHECKSUM INCORRECT] Len=0
  19858 1511.496891 128.1.8.155           128.1.8.5             TCP      1199 > 1026 [ACK] Seq=882 Ack=945 Win=64591 [TCP CHECKSUM INCORRECT] Len=0
  19859 1513.133819 Cisco_39:13:1c        CDP/VTP/DTP/PAgP/UDLD CDP      Cisco Discovery Protocol
  19860 1513.173137 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  19861 1514.078599 128.1.8.155           128.1.8.5             KRB5     AS-REQ
  19862 1514.083908 128.1.8.5             128.1.8.155           KRB5     KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
  19863 1514.086392 128.1.8.155           128.1.8.5             TCP      1201 > kerberos [SYN] Seq=0 Len=0 MSS=1460
  19864 1514.086661 128.1.8.5             128.1.8.155           TCP      kerberos > 1201 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
  19865 1514.086707 128.1.8.155           128.1.8.5             TCP      1201 > kerberos [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
  19866 1514.086819 128.1.8.155           128.1.8.5             KRB5     AS-REQ
  19867 1514.091924 128.1.8.5             128.1.8.155           TCP      [TCP segment of a reassembled PDU]
  19868 1514.091960 128.1.8.5             128.1.8.155           KRB5     AS-REP
  19869 1514.091978 128.1.8.155           128.1.8.5             TCP      1201 > kerberos [ACK] Seq=309 Ack=1477 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
  19870 1514.092113 128.1.8.155           128.1.8.5             TCP      1201 > kerberos [FIN, ACK] Seq=309 Ack=1477 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
  19871 1514.092301 128.1.8.5             128.1.8.155           TCP      kerberos > 1201 [ACK] Seq=1477 Ack=310 Win=65227 Len=0
  19872 1514.094054 128.1.8.5             128.1.8.155           TCP      kerberos > 1201 [RST, ACK] Seq=1477 Ack=310 Win=0 Len=0
  19873 1514.095218 128.1.8.155           128.1.8.5             KRB5     TGS-REQ
  19874 1514.111791 128.1.8.5             128.1.8.155           KRB5     TGS-REP
  19875 1514.122976 128.1.8.155           128.1.8.5             DNS      Standard query SRV _ldap._tcp.CIN._sites.dc._msdcs.na.int-bn.com
  19876 1514.123386 128.1.8.5             128.1.8.155           DNS      Standard query response SRV 0 100 389 dccin.na.int-bn.com
  19877 1514.126636 128.1.8.155           128.1.8.5             CLDAP    searchRequest(7) "<ROOT>" baseObject
  19878 1514.127183 128.1.8.5             128.1.8.155           CLDAP    searchResEntry(7) searchResDone(7)
  19879 1514.233473 128.1.8.155           128.1.8.5             ICMP     Echo (ping) request
  19880 1514.233731 128.1.8.5             128.1.8.155           ICMP     Echo (ping) reply
  19881 1514.234009 128.1.8.155           128.1.8.5             TCP      1204 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
  19882 1514.234207 128.1.8.5             128.1.8.155           TCP      microsoft-ds > 1204 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
  19883 1514.234266 128.1.8.155           128.1.8.5             TCP      1204 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
  19884 1514.234595 128.1.8.155           128.1.8.5             SMB      Negotiate Protocol Request
  19885 1514.235184 128.1.8.5             128.1.8.155           SMB      Negotiate Protocol Response
  19886 1514.238603 128.1.8.155           128.1.8.5             KRB5     TGS-REQ
  19887 1514.246692 128.1.8.5             128.1.8.155           KRB5     TGS-REP
  19888 1514.249687 128.1.8.155           128.1.8.5             KRB5     TGS-REQ
  19889 1514.255259 128.1.8.5             128.1.8.155           KRB5     TGS-REP
  19890 1514.255845 128.1.8.155           128.1.8.5             SMB      Session Setup AndX Request[Unreassembled Packet [incorrect TCP checksum]]
  19891 1514.255873 128.1.8.155           128.1.8.5             NBSS     NBSS Continuation Message
  19892 1514.255887 128.1.8.155           128.1.8.5             NBSS     NBSS Continuation Message
  19893 1514.256720 128.1.8.5             128.1.8.155           TCP      microsoft-ds > 1204 [ACK] Seq=182 Ack=3098 Win=65535 Len=0
  19894 1514.258788 128.1.8.5             128.1.8.155           SMB      Session Setup AndX Response
  19895 1514.259218 128.1.8.155           128.1.8.5             SMB      Tree Connect AndX Request, Path: \\DCCIN\IPC$
  19896 1514.259561 128.1.8.5             128.1.8.155           SMB      Tree Connect AndX Response
  19897 1514.259814 128.1.8.155           128.1.8.5             SMB      NT Create AndX Request, Path: \lsarpc
  19898 1514.260405 128.1.8.5             128.1.8.155           SMB      NT Create AndX Response, FID: 0x4000
  19899 1514.260697 128.1.8.155           128.1.8.5             DCERPC   Bind: call_id: 1 UUID: LSA
  19900 1514.261038 128.1.8.5             128.1.8.155           SMB      Write AndX Response, FID: 0x4000, 72 bytes
  19901 1514.261196 128.1.8.155           128.1.8.5             SMB      Read AndX Request, FID: 0x4000, 1024 bytes at offset 0
  19902 1514.261442 128.1.8.5             128.1.8.155           DCERPC   Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
  19903 1514.261606 128.1.8.155           128.1.8.5             LSA      LsarOpenPolicy2 request, \\DCCIN
  19904 1514.262324 128.1.8.5             128.1.8.155           LSA      LsarOpenPolicy2 response
  19905 1514.262505 128.1.8.155           128.1.8.5             LSA      LsarQueryInformationPolicy request, Account Domain Information
  19906 1514.263000 128.1.8.5             128.1.8.155           LSA      LsarQueryInformationPolicy response
  19907 1514.263178 128.1.8.155           128.1.8.5             LSA      LsarClose request
  19908 1514.263569 128.1.8.5             128.1.8.155           LSA      LsarClose response
  19909 1514.263762 128.1.8.155           128.1.8.5             SMB      Close Request, FID: 0x4000
  19910 1514.264060 128.1.8.5             128.1.8.155           SMB      Close Response
  19911 1514.265680 128.1.8.155           128.1.8.5             SMB      NT Create AndX Request, Path: \samr
  19912 1514.266193 128.1.8.5             128.1.8.155           SMB      NT Create AndX Response, FID: 0x4001
  19913 1514.266488 128.1.8.155           128.1.8.5             DCERPC   Bind: call_id: 1 UUID: SAMR
  19914 1514.266809 128.1.8.5             128.1.8.155           SMB      Write AndX Response, FID: 0x4001, 72 bytes
  19915 1514.266966 128.1.8.155           128.1.8.5             SMB      Read AndX Request, FID: 0x4001, 1024 bytes at offset 0
  19916 1514.267213 128.1.8.5             128.1.8.155           DCERPC   Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
  19917 1514.267376 128.1.8.155           128.1.8.5             SAMR     SamrConnect5 request, \\DCCIN
  19918 1514.268113 128.1.8.5             128.1.8.155           SAMR     SamrConnect5 response
  19919 1514.268296 128.1.8.155           128.1.8.5             SAMR     SamrLookupDomainInSamServer request
  19920 1514.268803 128.1.8.5             128.1.8.155           SAMR     SamrLookupDomainInSamServer response
  19921 1514.268956 128.1.8.155           128.1.8.5             SAMR     SamrOpenDomain request, S-1-5-21-1958102420-2089486884-313593124
  19922 1514.269648 128.1.8.5             128.1.8.155           SAMR     SamrOpenDomain response
  19923 1514.269804 128.1.8.155           128.1.8.5             SAMR     SamrLookupNamesInDomain request
  19924 1514.270715 128.1.8.5             128.1.8.155           SAMR     SamrLookupNamesInDomain response
  19925 1514.270911 128.1.8.155           128.1.8.5             SAMR     SamrOpenUser request, rid 0x5256
  19926 1514.272166 128.1.8.5             128.1.8.155           SAMR     SamrOpenUser response
  19927 1514.272320 128.1.8.155           128.1.8.5             SAMR     SamrQueryInformationUser request, level 20
  19928 1514.273241 128.1.8.5             128.1.8.155           SAMR     SamrQueryInformationUser response
  19929 1514.273855 128.1.8.155           128.1.8.5             SAMR     SamrCloseHandle request, OpenUser(rid 0x5256)
  19930 1514.274352 128.1.8.5             128.1.8.155           SAMR     SamrCloseHandle response
  19931 1514.274501 128.1.8.155           128.1.8.5             SAMR     SamrCloseHandle request, Connect5(\\DCCIN)
  19932 1514.274911 128.1.8.5             128.1.8.155           SAMR     SamrCloseHandle response
  19933 1514.275050 128.1.8.155           128.1.8.5             SAMR     SamrCloseHandle request, OpenDomain(S-1-5-21-1958102420-2089486884-313593124)
  19934 1514.275460 128.1.8.5             128.1.8.155           SAMR     SamrCloseHandle response
  19935 1514.275650 128.1.8.155           128.1.8.5             SMB      Close Request, FID: 0x4001
  19936 1514.275958 128.1.8.5             128.1.8.155           SMB      Close Response
  19937 1514.277031 128.1.8.155           128.1.8.5             SMB      NT Create AndX Request, Path: \winreg
  19938 1514.277574 128.1.8.5             128.1.8.155           SMB      NT Create AndX Response, FID: 0x4002
  19939 1514.277860 128.1.8.155           128.1.8.5             DCERPC   Bind: call_id: 1 UUID: WINREG
  19940 1514.278390 128.1.8.5             128.1.8.155           SMB      Write AndX Response, FID: 0x4002, 72 bytes
  19941 1514.278557 128.1.8.155           128.1.8.5             SMB      Read AndX Request, FID: 0x4002, 1024 bytes at offset 0
  19942 1514.278814 128.1.8.5             128.1.8.155           DCERPC   Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
  19943 1514.278975 128.1.8.155           128.1.8.5             WINREG   OpenHKLM request
  19944 1514.279576 128.1.8.5             128.1.8.155           WINREG   OpenHKLM response
  19945 1514.279780 128.1.8.155           128.1.8.5             WINREG   OpenKey request
  19946 1514.280299 128.1.8.5             128.1.8.155           WINREG   OpenKey response
  19947 1514.280476 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19948 1514.280889 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19949 1514.281036 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19950 1514.281417 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19951 1514.281560 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19952 1514.281940 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19953 1514.282082 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19954 1514.282462 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19955 1514.282605 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19956 1514.283702 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19957 1514.283842 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19958 1514.284231 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19959 1514.284369 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19960 1514.284748 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19961 1514.284887 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19962 1514.285267 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19963 1514.285417 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19964 1514.285806 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19965 1514.285944 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19966 1514.286324 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19967 1514.286463 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19968 1514.286843 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19969 1514.286981 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19970 1514.287349 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19971 1514.287491 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19972 1514.287871 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19973 1514.288011 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19974 1514.288390 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19975 1514.288526 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19976 1514.288906 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19977 1514.289045 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19978 1514.289414 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19979 1514.289553 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19980 1514.289922 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  19981 1514.290061 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19982 1514.290430 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19983 1514.290569 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19984 1514.290938 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19985 1514.291083 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19986 1514.291452 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19987 1514.291592 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19988 1514.291971 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19989 1514.292111 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19990 1514.292481 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19991 1514.292621 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19992 1514.293014 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19993 1514.293208 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19994 1514.293592 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19995 1514.293774 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19996 1514.294159 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19997 1514.294612 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  19998 1514.294988 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  19999 1514.295138 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20000 1514.295508 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20001 1514.295647 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20002 1514.296017 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20003 1514.296155 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20004 1514.296524 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20005 1514.296673 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20006 1514.297042 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20007 1514.297182 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20008 1514.297552 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20009 1514.297692 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20010 1514.298062 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20011 1514.298204 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20012 1514.298574 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20013 1514.298719 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20014 1514.299089 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20015 1514.299232 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20016 1514.299601 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20017 1514.299743 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20018 1514.300112 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20019 1514.300252 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20020 1514.300622 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20021 1514.300763 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20022 1514.301131 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20023 1514.301270 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20024 1514.301639 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20025 1514.301779 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20026 1514.302150 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20027 1514.302292 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20028 1514.302662 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20029 1514.302802 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20030 1514.304295 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20031 1514.304434 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20032 1514.304835 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20033 1514.304979 128.1.8.155           128.1.8.5             WINREG   OpenKey request
  20034 1514.305399 128.1.8.5             128.1.8.155           WINREG   OpenKey response, Error: File not found (pathname error)
  20035 1514.305540 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20036 1514.305920 128.1.8.5             128.1.8.155           WINREG   QueryValue response
  20037 1514.306060 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20038 1514.306429 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20039 1514.306569 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20040 1514.306938 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20041 1514.307078 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20042 1514.307447 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20043 1514.307585 128.1.8.155           128.1.8.5             WINREG   QueryValue request
  20044 1514.307956 128.1.8.5             128.1.8.155           WINREG   QueryValue response, Error: File not found (pathname error)
  20045 1514.308096 128.1.8.155           128.1.8.5             WINREG   CloseKey request
  20046 1514.308432 128.1.8.5             128.1.8.155           WINREG   CloseKey response
  20047 1514.308572 128.1.8.155           128.1.8.5             WINREG   CloseKey request
  20048 1514.308898 128.1.8.5             128.1.8.155           WINREG   CloseKey response
  20049 1514.309093 128.1.8.155           128.1.8.5             SMB      Close Request, FID: 0x4002
  20050 1514.309400 128.1.8.5             128.1.8.155           SMB      Close Response
  20051 1514.450088 128.1.8.155           128.1.8.5             TCP      1204 > microsoft-ds [ACK] Seq=17730 Ack=9854 Win=64896 [TCP CHECKSUM INCORRECT] Len=0
  20052 1515.204198 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  20053 1515.325773 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20054 1515.702545 65280.108             0.255                 RTMP     Request
  20055 1515.714910 IntelCor_16:51:80     Broadcast             ARP      Who has 128.1.8.57?  Tell 128.1.8.124
  20056 1515.768795 Cisco_39:13:1c        Cisco_39:13:1c        LOOP     Reply
  20057 1516.325254 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20058 1516.430513 Dell_7c:b8:c7         Broadcast             ARP      Who has 128.1.9.199?  Tell 128.1.8.7
  20059 1517.231334 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  20060 1517.325243 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20061 1517.752027 DellComp_dd:23:e4     Broadcast             ARP      Who has 128.1.9.199?  Tell 128.1.8.123
  20062 1518.134109 Cisco_39:13:1c        CDP/VTP/DTP/PAgP/UDLD CDP      Cisco Discovery Protocol
  20063 1518.325264 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20064 1518.939155 Dell_7c:b8:c7         Broadcast             ARP      Who has 128.1.8.112?  Tell 128.1.8.7
  20065 1519.238850 DellComp_5c:ce:5c     Broadcast             ARP      Who has 128.1.8.148?  Tell 128.1.8.5
  20066 1519.257878 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  20067 1519.325340 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20068 1519.554052 HokubuCo_bc:66:d4     Broadcast             ARP      Who has 128.1.8.120?  Tell 128.1.8.1
  20069 1519.704797 Dell_7c:b8:c7         Broadcast             ARP      Who has 128.1.8.116?  Tell 128.1.8.7
  20070 1520.325919 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20071 1520.389983 DellComp_5c:ce:5c     Broadcast             ARP      Who has 128.1.8.111?  Tell 128.1.8.5
  20072 1521.289288 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  20073 1521.325362 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20074 1522.325439 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20075 1523.133702 Cisco_39:13:1c        CDP/VTP/DTP/PAgP/UDLD CDP      Cisco Discovery Protocol
  20076 1523.315549 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  20077 1523.325439 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20078 1524.285956 128.1.8.152           128.1.9.255           BROWSER  Host Announcement LPC2275, Workstation, Server, NT Workstation, Potential Browser
  20079 1524.325553 128.1.8.155           128.1.3.244           UDP      Source port: 1183  Destination port: 1998
  20080 1525.342361 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  20081 1525.622360 128.1.8.155           128.1.8.5             SMB      Logoff AndX Request
  20082 1525.623243 128.1.8.5             128.1.8.155           SMB      Logoff AndX Response
  20083 1525.623310 128.1.8.155           128.1.8.5             SMB      Tree Disconnect Request
  20084 1525.623526 128.1.8.5             128.1.8.155           SMB      Tree Disconnect Response
  20085 1525.623788 128.1.8.155           128.1.8.5             TCP      1204 > microsoft-ds [FIN, ACK] Seq=17812 Ack=9936 Win=64814 [TCP CHECKSUM INCORRECT] Len=0
  20086 1525.623979 128.1.8.5             128.1.8.155           TCP      microsoft-ds > 1204 [FIN, ACK] Seq=9936 Ack=17813 Win=64704 Len=0
  20087 1525.623997 128.1.8.155           128.1.8.5             TCP      1204 > microsoft-ds [ACK] Seq=17813 Ack=9937 Win=64814 [TCP CHECKSUM INCORRECT] Len=0
  20088 1525.769443 Cisco_39:13:1c        Cisco_39:13:1c        LOOP     Reply
  20089 1526.098106 128.1.8.101           255.255.255.255       DHCP     DHCP Inform   - Transaction ID 0x293f82ab
  20090 1526.098296 Dell_1d:c1:fa         Broadcast             ARP      Who has 128.1.8.101?  Tell 128.1.8.8
  20091 1527.369267 Cisco_39:13:1c        Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:01:c7:6f:8c:31  Cost = 4  Port = 0x801c
  20092 1527.488211 128.1.8.123           128.1.9.255           NBNS     Name query NB COL2<20>
  20093 1527.641059 Cisco_91:a0:46        Broadcast             ARP      Who has 128.1.8.165?  Tell 128.1.9.205
  20094 1528.043333 DellComp_24:d8:81     Broadcast             ARP      Who has 128.1.9.205?  Tell 128.1.9.20
  20095 1528.134025 Cisco_39:13:1c        CDP/VTP/DTP/PAgP/UDLD CDP      Cisco Discovery Protocol
  20096 1528.138121 128.1.8.101           255.255.255.255       DHCP     DHCP Inform   - Transaction ID 0x293f82ab
  20097 1528.238317 128.1.8.123           128.1.9.255           NBNS     Name query NB COL2<20>
  20098 1528.267469 128.1.8.101           128.1.9.255           NBNS     Name query NB WPAD<00>
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16903706
What is 128.1.9.155?

How big is this remote office?  How many IP subnets?  I can see that one of your subnets seems to be at least 128.1.8.0/23.  I also see an address 128.1.3.244.  Is this a seperate subnet?

It also looks like you may have a MTU mismatch someplace.  It appears like 129.1.9.5 may have a gigabit connection and has MTU set bigger that 1500 and that 128.1.9.155 has MTU set to 1500.

If your server does have gigabit connection, but everything else is 100 Mbps, you should set the MTU to 1500.
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16903765
Remote office = 100 users.
128.1.3.244 = me (in HQ)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16904181
O.K., but what is 128.1.9.155?  

It looks like this box is trying to read/dump all of the AD and registry stuff from the server.  This could cause lots of overhead on the server, which in turn could slow everything down.  Should it be doing this?
0
 
LVL 20

Author Comment

by:RPPreacher
ID: 16906667
128.1.8.155 is the PC I set up with Ethereal
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16906784
Well that is the PC that is doing all of the WINREG queiries.  I would see what services are running on that box because that does not look normal.

I would also suggest that you mirror the port that the server is on and see what all is going on with it.

When the problem is occuring can you:

     ping the server specifing the ip address
     ping the server specifing the name
     ping any of the other comptuers on the LAN specifing either the name or the IP address
     ping the switch
     remote desktop to the server (assuming you have it installed and setup)
     




0
 
LVL 20

Author Comment

by:RPPreacher
ID: 17043001
Delayed but not abandoned... it appears that the issue was related to Diskkeeper Standard Edition running on a server with over 2 TB of storage!

I am awarding the points, based on my perception of the most intelligent answer.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Some time ago I was asked to set up a web portal PC to put at our entrance. When customers arrive, they could see a webpage 'promoting' our company. So I tried to set up a windows 7 PC as a kiosk PC.......... I will spare you all the annoyances I…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now