PCAP Ethereal Packet Capture Analysis
Asked by RPPreacher
I need some help understanding what is happening on 1 LAN segment. I have copied 2 packets that I suspect are related to the issue.
--PROBLEM--
One remote office experiences intermittent PC lock ups. This impacts every PC accessing any network resource (file server or printing) on a server (IP 128.1.8.1).
I have looked at the event log of the server (clean), the event log of the PC (clean), have used Solarwinds EE8.2 to monitor all of the switches (clean), have looked at background applications on the affected workstations (clean).
I have replaced the switch (a Cat 3550, IOS 12.2.25-SEE), the GBIC, the cable, and the entire file server.
--PACKET CAPTURE--
I spanned a port on 1 affected PC to a PC running Ethereal 0.99 and was able to capture one of the "down times". During this down time I see a series of these:
No. Time Source Destination Protocol Info
19999 1514.295138 128.1.8.155 128.1.8.5 WINREG QueryValue request
20000 1514.295508 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
I suspect this means I have some DNS issue? Can anyone give me a more detailed explanation of these packets? Thanks!
--PACKET CAPTURE DETAIL--
No. Time Source Destination Protocol Info
19999 1514.295138 128.1.8.155 128.1.8.5 WINREG QueryValue request
Frame 19999 (270 bytes on wire, 270 bytes captured)
Arrival Time: Jun 13, 2006 13:36:42.623018000
Time delta from previous packet: 0.000150000 seconds
Time since reference or first frame: 1514.295138000 seconds
Frame Number: 19999
Packet Length: 270 bytes
Capture Length: 270 bytes
Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Coloring Rule Name: Checksum Errors
Coloring Rule String: edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad || udp.checksum_bad
Ethernet II, Src: Dell_b7:4d:89 (00:11:43:b7:4d:89), Dst: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
Destination: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
Address: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Source: Dell_b7:4d:89 (00:11:43:b7:4d:89)
Address: Dell_b7:4d:89 (00:11:43:b7:4d:89)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Type: IP (0x0800)
Internet Protocol, Src: 128.1.8.155 (128.1.8.155), Dst: 128.1.8.5 (128.1.8.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 256
Identification: 0x9728 (38696)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x522d [correct]
Good: True
Bad : False
Source: 128.1.8.155 (128.1.8.155)
Destination: 128.1.8.5 (128.1.8.5)
Transmission Control Protocol, Src Port: 1204 (1204), Dst Port: microsoft-ds (445), Seq: 12373, Ack: 6623, Len: 216
Source port: 1204 (1204)
Destination port: microsoft-ds (445)
Sequence number: 12373 (relative sequence number)
Next sequence number: 12589 (relative sequence number)
Acknowledgement number: 6623 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65023
Checksum: 0x1195 [incorrect, should be 0x8949]
NetBIOS Session Service
Message Type: Session message
Length: 212
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response in: 20000
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: DB31073FCE18F6E7
Reserved: 0000
Tree ID: 2053
Process ID: 2532
User ID: 4097
Multiplex ID: 3456
Trans Request (0x25)
Word Count (WCT): 16
Total Parameter Count: 0
Total Data Count: 128
Max Parameter Count: 0
Max Data Count: 1024
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 0
Parameter Offset: 84
Data Count: 128
Data Offset: 84
Setup Count: 2
Reserved: 00
Byte Count (BCC): 145
Transaction Name: \PIPE\
Padding: 0000
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4002
DCE RPC Request, Fragment: Single, FragLen: 128, Call: 29 Ctx: 0, [Resp: #20000]
Version: 5
Version (minor): 0
Packet type: Request (0)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 128
Auth Length: 0
Call ID: 29
Alloc hint: 104
Context ID: 0
Opnum: 17
Response in frame: 20000
Remote Registry Service, QueryValue
Operation: QueryValue (17)
Pointer to Handle (policy_handle)
Policy Handle
Handle: 0000000063997B0513E455438DD481BA22C1E07C
Value Name
Name Len: 24
Name Size: 24
Pointer to Name (uint16): fDisableLPT
Referent ID: 0x76bc1dbc
Max Count: 12
Offset: 0
Actual Count: 12
Name: fDisableLPT
Pointer to Type (winreg_Type)
Referent ID: 0x0006e2cc
Type: Unknown (451300)
Pointer to Data (uint8)
Referent ID: 0x0006e2e4
Max Count: 4
Offset: 0
Actual Count: 0
Pointer to Size (uint32)
Referent ID: 0x0006e2c4
Size: 4
Pointer to Length (uint32)
Referent ID: 0x0006e2bc
Length: 0
No. Time Source Destination Protocol Info
20000 1514.295508 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
Frame 20000 (182 bytes on wire, 182 bytes captured)
Arrival Time: Jun 13, 2006 13:36:42.623388000
Time delta from previous packet: 0.000370000 seconds
Time since reference or first frame: 1514.295508000 seconds
Frame Number: 20000
Packet Length: 182 bytes
Capture Length: 182 bytes
Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Coloring Rule Name: SMB
Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios
Ethernet II, Src: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c), Dst: Dell_b7:4d:89 (00:11:43:b7:4d:89)
Destination: Dell_b7:4d:89 (00:11:43:b7:4d:89)
Address: Dell_b7:4d:89 (00:11:43:b7:4d:89)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Source: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
Address: DellComp_5c:ce:5c (00:06:5b:5c:ce:5c)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Type: IP (0x0800)
Internet Protocol, Src: 128.1.8.5 (128.1.8.5), Dst: 128.1.8.155 (128.1.8.155)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 168
Identification: 0xbb17 (47895)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x2e96 [correct]
Good: True
Bad : False
Source: 128.1.8.5 (128.1.8.5)
Destination: 128.1.8.155 (128.1.8.155)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1204 (1204), Seq: 6623, Ack: 12589, Len: 128
Source port: microsoft-ds (445)
Destination port: 1204 (1204)
Sequence number: 6623 (relative sequence number)
Next sequence number: 6751 (relative sequence number)
Acknowledgement number: 12589 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65319
Checksum: 0x6029 [correct]
NetBIOS Session Service
Message Type: Session message
Length: 124
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 19999
Time from request: 0.000370000 seconds
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x98
1... .... = Request/Response: Message is a response to the client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 9B8F6CD9C56D074B
Reserved: 0000
Tree ID: 2053
Process ID: 2532
User ID: 4097
Multiplex ID: 3456
Trans Response (0x25)
Word Count (WCT): 10
Total Parameter Count: 0
Total Data Count: 68
Reserved: 0000
Parameter Count: 0
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 68
Data Offset: 56
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 69
Padding: 80
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4002
DCE RPC Response, Fragment: Single, FragLen: 68, Call: 29 Ctx: 0, [Req: #19999]
Version: 5
Version (minor): 0
Packet type: Response (2)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 68
Auth Length: 0
Call ID: 29
Alloc hint: 44
Context ID: 0
Cancel count: 0
Opnum: 17
Request in frame: 19999
Time from request: 0.000370000 seconds
Remote Registry Service, QueryValue
Operation: QueryValue (17)
Pointer to Type (winreg_Type)
Referent ID: 0x00020000
Type: Unknown (451300)
Pointer to Data (uint8)
Referent ID: 0x00020004
Max Count: 4
Offset: 0
Actual Count: 0
Pointer to Size (uint32)
Referent ID: 0x00020008
Size: 4
Pointer to Length (uint32)
Referent ID: 0x0002000c
Length: 0
Windows Error: File not found (pathname error) (0x00000002)
ASKER
>This line shows error happening while trying to access a file on some share hosted by Linux Server.
Not a Linux environment. And SMB is not a Linux protocol. It is a Microsoft protocol used by Linux to connect with Microsoft shares.
>Are you doing SMB session within a VPN tunnel?
No. The file server is on the same LAN as the PC. In fact, they are on the same 3550 switch.
I was talking about Protocol WINREG.
It is used by Linux Samba Shares.
ASKER
No Linux in this shop. Not a single device.
ASKER
>I was talking about Protocol WINREG.
FYI, also not a Linux-only thing:
http://wiki.ethereal.com/WINREG
Ok, agreed.
Even then, it's just a normal packet where someone is trying to access a file on a network share, which was not found.
Also, in the first packet, the TCP checksum is incorrect.
>Checksum: 0x1195 [incorrect, should be 0x8949]
The destination port is 445, so that points to a Windows share being used.
The file server is at 128.1.8.1. The capture was between 2 other addresses. Was that a sample of traffic between many hosts? Is the problem limited to sessions to 128.1.8.1? I'm trying to understand the relationship between the 2 hosts and 128.1.8.1.
Searching on Google, I see a lot of attention paid to attacks on TCP 445. Might someone have some malware on his PC?
ASKER
Right. 128.1.8.5 is the DC and the DNS, which leads me to the DNS issue.
Since we do not know what is causing the lock-ups, we did a packet capture of a locking-up PC. These are the packets that happen during a lock-up. So although the affected PCs are accessing the file server (.1), the cause seems to be these packets from the DC/DNS (.5).
Still trying to understand what is happening.
If it were a DNS failure, all the workstations would not fail simultaneously. Since workstations cache name resolution, it seems that 1 or 2 might fail, but not everyone.
If it were a physical layer failure, we would not see a response from .1 or .5.
Thus the question... I've been architecting networks for 15 years and this has me stumped...
I'm not sure what it is looking for, but it is looking for something in the registry. I can't find anything on what type 17 is. But whatever it is looking for does not exist.
From what I can guess at, check out your registry:
HKLM\\CurrentcontrolSet\Control\SecurePipeServers\winreg\AllowedPaths
See if you happen to have like 17 entries and what the 17th value is.
I am also assuming that you have checked the event logs on this server and there is nothing there.
I would also check to see if you have any CLSIDs 63997B0513E455438DD481BA22C1E07C
Found a bit more, maybe. fDisableLPT is the registry key value that is used by terminal servers/remote desktop to allow or disallow client-side LPT redirection.
Normally under:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
It almost appears as if you are missing the fDisableLPT entry.
Just a suggestion, if you have not already done it.
Have you tried changing the port on the core switch where the edge switch is connecting?
You mentioned that you have changed the edge switch and the GBIC, but have you changed the port on the core switch where it is uplinking?
You could swap it with an edge switch port where this problem is not occurring.
ASKER
All points between PC and switch have been replaced.
Doing some more reading about winreg. It seems, as you may already know, this is a protocol for remote management of the Windows registry. Somebody seems to be querying registry values over the network. In the trace pieces you have provided they are looking for fDisableLPT. I am not sure if the "path does not exist" error is because this key does not exist or because they do not have authorization to see that key.
Should the person on 128.1.8.155 be doing anything to the registry on 128.1.8.5?
I don't think this is a network problem, so changes to switches, cables, or hubs will not matter. I would also not worry about the checksum error. I see this message quite a bit in Ethereal but I have never seen where it caused a real problem.
Now for your real problem. Is the remote office on a routed (a different IP subnet) network, or are you doing bridging (same IP subnet as the server) over the WAN link?
If it is the same IP subnet as the server, meaning you are doing bridging, I would suggest that you change it to a different subnet and do routing. Bridging over a WAN link will cause performance problems and what appears to be random hangs.
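The two frames in the question are a DCE RPC call carried over the SMB named pipe \PIPE\winreg (TransactNmPipe on FID 0x4002): opnum 17 is the Remote Registry QueryValue operation, and the 0x00000002 that closes the response is the Win32 error ERROR_FILE_NOT_FOUND, which here means the value fDisableLPT does not exist under the opened key. The Python below is an added example, not code from this thread or from the Ethereal project; it rebuilds the two PDUs from the field values shown in the capture (policy handle, referent IDs, call ID 29, alloc hints 104 and 44, the odd "Unknown (451300)" type value echoed as-is), parses the common DCE RPC header and the QueryValue stubs, and pairs request with response by call ID the way Ethereal's "Response in frame" link does. The sample bytes are constructed from the dissector output rather than taken from the pcap, and the parser assumes little-endian NDR and non-NULL pointers, which is what this exchange uses; it generalises to any sequence of request/response PDUs pulled off the pipe, so from a defender's side it gives an inventory of which hosts issue remote-registry queries, to whom, and for which values.

```python
import struct

PTYPE_REQUEST, PTYPE_RESPONSE = 0, 2
OPNUM_QUERY_VALUE = 17
# Standard Win32 error codes carried in the WERROR field of the response.
WERROR_NAMES = {0: "ERROR_SUCCESS", 2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


def parse_pdu(pdu: bytes) -> dict:
    """Parse the 16-byte DCE RPC common header plus the request/response
    specific fields; the NDR stub is returned unparsed under 'stub'."""
    if len(pdu) < 24:
        raise ValueError("PDU too short for a request/response header")
    vers, _minor, ptype, flags, drep, frag_len, _auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5:
        raise ValueError(f"unsupported RPC major version {vers}")
    if drep[0] >> 4 != 1:  # high nibble of DREP byte 0: 1 = little-endian integers
        raise ValueError("only little-endian NDR is handled here")
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} != PDU size {len(pdu)}")
    info = {"ptype": ptype, "flags": flags, "call_id": call_id, "frag_len": frag_len, "stub": pdu[24:]}
    if ptype == PTYPE_REQUEST:
        info["alloc_hint"], info["ctx_id"], info["opnum"] = struct.unpack_from("<IHH", pdu, 16)
    elif ptype == PTYPE_RESPONSE:
        info["alloc_hint"], info["ctx_id"], info["cancel_count"] = struct.unpack_from("<IHB", pdu, 16)
    else:
        raise ValueError(f"PDU type {ptype} not handled (only request/response)")
    return info


def parse_query_value_request(stub: bytes) -> dict:
    """QueryValue request stub: 20-byte policy handle, then the value name as a
    counted UTF-16LE string (length, size, referent, max count, offset, actual count)."""
    handle = stub[:20]
    _name_len, _name_size, _ref, _max, _offset, actual = struct.unpack_from("<HHIIII", stub, 20)
    name = stub[40:40 + 2 * actual].decode("utf-16-le").rstrip("\x00")
    return {"handle": handle.hex(), "value_name": name}


def parse_query_value_response(stub: bytes) -> dict:
    """QueryValue response stub: type, data (conformant varying byte array),
    size and length pointers, then the WERROR status. Assumes all four
    pointers are non-NULL, as they are in frame 20000."""
    off = 0
    _type_ref, reg_type = struct.unpack_from("<II", stub, off); off += 8
    _data_ref, _max, _offset, actual = struct.unpack_from("<IIII", stub, off); off += 16
    data = stub[off:off + actual]; off = (off + actual + 3) & ~3  # NDR 4-byte alignment
    _size_ref, size = struct.unpack_from("<II", stub, off); off += 8
    _len_ref, length = struct.unpack_from("<II", stub, off); off += 8
    (werror,) = struct.unpack_from("<I", stub, off)
    return {"type": reg_type, "data": data, "size": size, "length": length, "werror": werror}


def correlate(pdus) -> list:
    """Pair QueryValue requests with responses by call ID and report the
    queried value name and the Windows error the server returned."""
    pending, findings = {}, []
    for pdu in pdus:
        p = parse_pdu(pdu)
        if p["ptype"] == PTYPE_REQUEST:
            pending[p["call_id"]] = p
            continue
        req = pending.pop(p["call_id"], None)
        if req is None or req["opnum"] != OPNUM_QUERY_VALUE:
            continue
        q = parse_query_value_request(req["stub"])
        r = parse_query_value_response(p["stub"])
        findings.append({"call_id": p["call_id"], "value_name": q["value_name"], "werror": r["werror"],
                         "status": WERROR_NAMES.get(r["werror"], f"0x{r['werror']:08x}")})
    return findings


def build_pdu(ptype: int, call_id: int, body: bytes) -> bytes:
    """Common header: version 5.0, flags 0x03 (first + last frag), little-endian DREP."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body


# Constructed sample: both PDUs rebuilt from the field values in the capture
# (not the raw pcap). Their sizes come out at 128 and 68 bytes, matching the
# FragLen values Ethereal showed for frames 19999 and 20000.
_name = ("fDisableLPT" + "\x00").encode("utf-16-le")  # 12 UTF-16 units = 24 bytes
REQUEST_STUB = (
    bytes.fromhex("0000000063997B0513E455438DD481BA22C1E07C")  # policy handle from frame 19999
    + struct.pack("<HHIIII", 24, 24, 0x76BC1DBC, 12, 0, 12) + _name
    + struct.pack("<II", 0x0006E2CC, 451300)      # pointer to type (value as dissected)
    + struct.pack("<IIII", 0x0006E2E4, 4, 0, 0)   # pointer to data (max 4, actual 0)
    + struct.pack("<II", 0x0006E2C4, 4)           # pointer to size
    + struct.pack("<II", 0x0006E2BC, 0)           # pointer to length
)
RESPONSE_STUB = (
    struct.pack("<II", 0x00020000, 451300)
    + struct.pack("<IIII", 0x00020004, 4, 0, 0)
    + struct.pack("<II", 0x00020008, 4)
    + struct.pack("<II", 0x0002000C, 0)
    + struct.pack("<I", 2)                        # WERROR: ERROR_FILE_NOT_FOUND
)
SAMPLE_REQUEST = build_pdu(PTYPE_REQUEST, 29, struct.pack("<IHH", 104, 0, OPNUM_QUERY_VALUE) + REQUEST_STUB)
SAMPLE_RESPONSE = build_pdu(PTYPE_RESPONSE, 29, struct.pack("<IHBB", 44, 0, 0, 0) + RESPONSE_STUB)

if __name__ == "__main__":
    for f in correlate([SAMPLE_REQUEST, SAMPLE_RESPONSE]):
        print(f"call {f['call_id']}: QueryValue '{f['value_name']}' -> {f['status']}")
```

Run as-is it reports call 29 querying fDisableLPT with ERROR_FILE_NOT_FOUND. To apply it to a real trace, feed correlate() the TransactNmPipe payloads extracted from the SMB Trans request/response pairs on port 445; the handle in each request tells you which opened key the values are being read from, and a burst of such calls from a workstation to a domain controller is what you would want to attribute to a specific process or management tool.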
ASKER
>Is the remote office on a routed (a different IP subnet) network or are you doing bridging (same IP subnet as the server) over the WAN link.
These issues appear on the local LAN of the remote office. Not over the WAN link.
Ah. I misread, I was thinking that the remote office was accessing a server at the "central" office and everything at the central office was having problems when PCs at the remote office locked up.
The issue is totally within the remote office, got that now.
1) The other information is still good. Somebody is remotely looking at the registry on the server and the key they are looking for does not exist. I don't know if this has anything to do with the lock ups.
Do you run anything that does multi-casting?
Do you have any type of software that shows port utilization? If so, does it record higher than normal or lower than normal utilization during the intervals when the lock ups occur?
Do you monitor/track resource utilization on the server? Do resources (CPU, memory, DISK I/O) go up or down during the intervals?
Does this happen at the same time(s) every day or at specific intervals? Say like every day at 8 AM and 4 PM? Does it happen when a specific user comes in and logs on?
How long does it last?
Is it one PC that locks up and the others work fine, but just can't access resources on the server? Or do all PCs just lock up and can't do anything?
Did you try to swap the patch cord to make sure the error is not caused by the physical layer? This is the kind of error that may occur in such circumstances.
ASKER
>Do you run anything that does multi-casting?
No
>Do you have any type of software that shows port utilization? If so, does it record higher than normal or lower than normal utilization during the intervals when the lock ups occur?
Yes (PRTG and Orion). Traffic levels are normal.
>Do you monitor/track resource utilization on the server? Do resources (CPU, memory, DISK I/O) go up or down during the intervals?
Yes (Solarwinds EE8.2). No, the resources are fine.
>Does this happen at the same time(s) every day or at specific intervals? Say like every day at 8 AM and 4 PM? Does it happen when a specific user comes in and logs on?
No.
>How long does it last?
Between 3 and 30 seconds
>Is it one PC that locks up and the others work fine, but just can't access resources on the server? Or do all PCs just lock up and can't do anything?
All PCs accessing network resources at 128.1.8.1 lock up.
ASKER
>Did you try to swap the patch cord to make sure the error is not caused by the physical layer? This is the kind of error that may occur in such circumstances.
I replaced the entire Catalyst 3550, the GBIC, the fiber cable, the fiber card in the server, and the entire server. (Not at the same time...first I replaced the GBIC, then cable, then switch, then server, then fiber card)
ASKER
Here's a packet list from a PC during the outage
No. Time Source Destination Protocol Info
19842 1511.312459 DellComp_5c:ce:5c Broadcast ARP Who has 128.1.8.155? Tell 128.1.8.5
19843 1511.312474 Dell_b7:4d:89 DellComp_5c:ce:5c ARP 128.1.8.155 is at 00:11:43:b7:4d:89
19844 1511.312629 128.1.8.5 128.1.8.155 TCP epmap > 1198 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
19845 1511.312691 128.1.8.155 128.1.8.5 TCP 1198 > epmap [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
19846 1511.312900 128.1.8.155 128.1.8.5 DCERPC Bind: call_id: 1 UUID: EPM
19847 1511.313330 128.1.8.5 128.1.8.155 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
19848 1511.313451 128.1.8.155 128.1.8.5 EPM Map request
19849 1511.314035 128.1.8.5 128.1.8.155 EPM Map response
19850 1511.316742 128.1.8.155 128.1.8.5 TCP 1199 > 1026 [SYN] Seq=0 Len=0 MSS=1460
19851 1511.316932 128.1.8.5 128.1.8.155 TCP 1026 > 1199 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
19852 1511.316989 128.1.8.155 128.1.8.5 TCP 1199 > 1026 [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
19853 1511.317215 128.1.8.155 128.1.8.5 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON
19854 1511.317650 128.1.8.5 128.1.8.155 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
19855 1511.317900 128.1.8.155 128.1.8.5 RPC_NETLOGON NetrLogonGetDomainInfo request
19856 1511.319717 128.1.8.5 128.1.8.155 RPC_NETLOGON NetrLogonGetDomainInfo response
19857 1511.496877 128.1.8.155 128.1.8.5 TCP 1198 > epmap [ACK] Seq=229 Ack=213 Win=65323 [TCP CHECKSUM INCORRECT] Len=0
19858 1511.496891 128.1.8.155 128.1.8.5 TCP 1199 > 1026 [ACK] Seq=882 Ack=945 Win=64591 [TCP CHECKSUM INCORRECT] Len=0
19859 1513.133819 Cisco_39:13:1c CDP/VTP/DTP/PAgP/UDLD CDP Cisco Discovery Protocol
19860 1513.173137 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
19861 1514.078599 128.1.8.155 128.1.8.5 KRB5 AS-REQ
19862 1514.083908 128.1.8.5 128.1.8.155 KRB5 KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
19863 1514.086392 128.1.8.155 128.1.8.5 TCP 1201 > kerberos [SYN] Seq=0 Len=0 MSS=1460
19864 1514.086661 128.1.8.5 128.1.8.155 TCP kerberos > 1201 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
19865 1514.086707 128.1.8.155 128.1.8.5 TCP 1201 > kerberos [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
19866 1514.086819 128.1.8.155 128.1.8.5 KRB5 AS-REQ
19867 1514.091924 128.1.8.5 128.1.8.155 TCP [TCP segment of a reassembled PDU]
19868 1514.091960 128.1.8.5 128.1.8.155 KRB5 AS-REP
19869 1514.091978 128.1.8.155 128.1.8.5 TCP 1201 > kerberos [ACK] Seq=309 Ack=1477 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
19870 1514.092113 128.1.8.155 128.1.8.5 TCP 1201 > kerberos [FIN, ACK] Seq=309 Ack=1477 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
19871 1514.092301 128.1.8.5 128.1.8.155 TCP kerberos > 1201 [ACK] Seq=1477 Ack=310 Win=65227 Len=0
19872 1514.094054 128.1.8.5 128.1.8.155 TCP kerberos > 1201 [RST, ACK] Seq=1477 Ack=310 Win=0 Len=0
19873 1514.095218 128.1.8.155 128.1.8.5 KRB5 TGS-REQ
19874 1514.111791 128.1.8.5 128.1.8.155 KRB5 TGS-REP
19875 1514.122976 128.1.8.155 128.1.8.5 DNS Standard query SRV _ldap._tcp.CIN._sites.dc._msdcs.na.int-bn.com
19876 1514.123386 128.1.8.5 128.1.8.155 DNS Standard query response SRV 0 100 389 dccin.na.int-bn.com
19877 1514.126636 128.1.8.155 128.1.8.5 CLDAP searchRequest(7) "<ROOT>" baseObject
19878 1514.127183 128.1.8.5 128.1.8.155 CLDAP searchResEntry(7) searchResDone(7)
19879 1514.233473 128.1.8.155 128.1.8.5 ICMP Echo (ping) request
19880 1514.233731 128.1.8.5 128.1.8.155 ICMP Echo (ping) reply
19881 1514.234009 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
19882 1514.234207 128.1.8.5 128.1.8.155 TCP microsoft-ds > 1204 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
19883 1514.234266 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
19884 1514.234595 128.1.8.155 128.1.8.5 SMB Negotiate Protocol Request
19885 1514.235184 128.1.8.5 128.1.8.155 SMB Negotiate Protocol Response
19886 1514.238603 128.1.8.155 128.1.8.5 KRB5 TGS-REQ
19887 1514.246692 128.1.8.5 128.1.8.155 KRB5 TGS-REP
19888 1514.249687 128.1.8.155 128.1.8.5 KRB5 TGS-REQ
19889 1514.255259 128.1.8.5 128.1.8.155 KRB5 TGS-REP
19890 1514.255845 128.1.8.155 128.1.8.5 SMB Session Setup AndX Request[Unreassembled Packet [incorrect TCP checksum]]
19891 1514.255873 128.1.8.155 128.1.8.5 NBSS NBSS Continuation Message
19892 1514.255887 128.1.8.155 128.1.8.5 NBSS NBSS Continuation Message
19893 1514.256720 128.1.8.5 128.1.8.155 TCP microsoft-ds > 1204 [ACK] Seq=182 Ack=3098 Win=65535 Len=0
19894 1514.258788 128.1.8.5 128.1.8.155 SMB Session Setup AndX Response
19895 1514.259218 128.1.8.155 128.1.8.5 SMB Tree Connect AndX Request, Path: \\DCCIN\IPC$
19896 1514.259561 128.1.8.5 128.1.8.155 SMB Tree Connect AndX Response
19897 1514.259814 128.1.8.155 128.1.8.5 SMB NT Create AndX Request, Path: \lsarpc
19898 1514.260405 128.1.8.5 128.1.8.155 SMB NT Create AndX Response, FID: 0x4000
19899 1514.260697 128.1.8.155 128.1.8.5 DCERPC Bind: call_id: 1 UUID: LSA
19900 1514.261038 128.1.8.5 128.1.8.155 SMB Write AndX Response, FID: 0x4000, 72 bytes
19901 1514.261196 128.1.8.155 128.1.8.5 SMB Read AndX Request, FID: 0x4000, 1024 bytes at offset 0
19902 1514.261442 128.1.8.5 128.1.8.155 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
19903 1514.261606 128.1.8.155 128.1.8.5 LSA LsarOpenPolicy2 request, \\DCCIN
19904 1514.262324 128.1.8.5 128.1.8.155 LSA LsarOpenPolicy2 response
19905 1514.262505 128.1.8.155 128.1.8.5 LSA LsarQueryInformationPolicy request, Account Domain Information
19906 1514.263000 128.1.8.5 128.1.8.155 LSA LsarQueryInformationPolicy response
19907 1514.263178 128.1.8.155 128.1.8.5 LSA LsarClose request
19908 1514.263569 128.1.8.5 128.1.8.155 LSA LsarClose response
19909 1514.263762 128.1.8.155 128.1.8.5 SMB Close Request, FID: 0x4000
19910 1514.264060 128.1.8.5 128.1.8.155 SMB Close Response
19911 1514.265680 128.1.8.155 128.1.8.5 SMB NT Create AndX Request, Path: \samr
19912 1514.266193 128.1.8.5 128.1.8.155 SMB NT Create AndX Response, FID: 0x4001
19913 1514.266488 128.1.8.155 128.1.8.5 DCERPC Bind: call_id: 1 UUID: SAMR
19914 1514.266809 128.1.8.5 128.1.8.155 SMB Write AndX Response, FID: 0x4001, 72 bytes
19915 1514.266966 128.1.8.155 128.1.8.5 SMB Read AndX Request, FID: 0x4001, 1024 bytes at offset 0
19916 1514.267213 128.1.8.5 128.1.8.155 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
19917 1514.267376 128.1.8.155 128.1.8.5 SAMR SamrConnect5 request, \\DCCIN
19918 1514.268113 128.1.8.5 128.1.8.155 SAMR SamrConnect5 response
19919 1514.268296 128.1.8.155 128.1.8.5 SAMR SamrLookupDomainInSamServer request
19920 1514.268803 128.1.8.5 128.1.8.155 SAMR SamrLookupDomainInSamServer response
19921 1514.268956 128.1.8.155 128.1.8.5 SAMR SamrOpenDomain request, S-1-5-21-1958102420-2089486884-313593124
19922 1514.269648 128.1.8.5 128.1.8.155 SAMR SamrOpenDomain response
19923 1514.269804 128.1.8.155 128.1.8.5 SAMR SamrLookupNamesInDomain request
19924 1514.270715 128.1.8.5 128.1.8.155 SAMR SamrLookupNamesInDomain response
19925 1514.270911 128.1.8.155 128.1.8.5 SAMR SamrOpenUser request, rid 0x5256
19926 1514.272166 128.1.8.5 128.1.8.155 SAMR SamrOpenUser response
19927 1514.272320 128.1.8.155 128.1.8.5 SAMR SamrQueryInformationUser request, level 20
19928 1514.273241 128.1.8.5 128.1.8.155 SAMR SamrQueryInformationUser response
19929 1514.273855 128.1.8.155 128.1.8.5 SAMR SamrCloseHandle request, OpenUser(rid 0x5256)
19930 1514.274352 128.1.8.5 128.1.8.155 SAMR SamrCloseHandle response
19931 1514.274501 128.1.8.155 128.1.8.5 SAMR SamrCloseHandle request, Connect5(\\DCCIN)
19932 1514.274911 128.1.8.5 128.1.8.155 SAMR SamrCloseHandle response
19933 1514.275050 128.1.8.155 128.1.8.5 SAMR SamrCloseHandle request, OpenDomain(S-1-5-21-1958102420-2089486884-313593124)
19934 1514.275460 128.1.8.5 128.1.8.155 SAMR SamrCloseHandle response
19935 1514.275650 128.1.8.155 128.1.8.5 SMB Close Request, FID: 0x4001
19936 1514.275958 128.1.8.5 128.1.8.155 SMB Close Response
19937 1514.277031 128.1.8.155 128.1.8.5 SMB NT Create AndX Request, Path: \winreg
19938 1514.277574 128.1.8.5 128.1.8.155 SMB NT Create AndX Response, FID: 0x4002
19939 1514.277860 128.1.8.155 128.1.8.5 DCERPC Bind: call_id: 1 UUID: WINREG
19940 1514.278390 128.1.8.5 128.1.8.155 SMB Write AndX Response, FID: 0x4002, 72 bytes
19941 1514.278557 128.1.8.155 128.1.8.5 SMB Read AndX Request, FID: 0x4002, 1024 bytes at offset 0
19942 1514.278814 128.1.8.5 128.1.8.155 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
19943 1514.278975 128.1.8.155 128.1.8.5 WINREG OpenHKLM request
19944 1514.279576 128.1.8.5 128.1.8.155 WINREG OpenHKLM response
19945 1514.279780 128.1.8.155 128.1.8.5 WINREG OpenKey request
19946 1514.280299 128.1.8.5 128.1.8.155 WINREG OpenKey response
19947 1514.280476 128.1.8.155 128.1.8.5 WINREG QueryValue request
19948 1514.280889 128.1.8.5 128.1.8.155 WINREG QueryValue response
19949 1514.281036 128.1.8.155 128.1.8.5 WINREG QueryValue request
19950 1514.281417 128.1.8.5 128.1.8.155 WINREG QueryValue response
19951 1514.281560 128.1.8.155 128.1.8.5 WINREG QueryValue request
19952 1514.281940 128.1.8.5 128.1.8.155 WINREG QueryValue response
19953 1514.282082 128.1.8.155 128.1.8.5 WINREG QueryValue request
19954 1514.282462 128.1.8.5 128.1.8.155 WINREG QueryValue response
19955 1514.282605 128.1.8.155 128.1.8.5 WINREG QueryValue request
19956 1514.283702 128.1.8.5 128.1.8.155 WINREG QueryValue response
19957 1514.283842 128.1.8.155 128.1.8.5 WINREG QueryValue request
19958 1514.284231 128.1.8.5 128.1.8.155 WINREG QueryValue response
19959 1514.284369 128.1.8.155 128.1.8.5 WINREG QueryValue request
19960 1514.284748 128.1.8.5 128.1.8.155 WINREG QueryValue response
19961 1514.284887 128.1.8.155 128.1.8.5 WINREG QueryValue request
19962 1514.285267 128.1.8.5 128.1.8.155 WINREG QueryValue response
19963 1514.285417 128.1.8.155 128.1.8.5 WINREG QueryValue request
19964 1514.285806 128.1.8.5 128.1.8.155 WINREG QueryValue response
19965 1514.285944 128.1.8.155 128.1.8.5 WINREG QueryValue request
19966 1514.286324 128.1.8.5 128.1.8.155 WINREG QueryValue response
19967 1514.286463 128.1.8.155 128.1.8.5 WINREG QueryValue request
19968 1514.286843 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19969 1514.286981 128.1.8.155 128.1.8.5 WINREG QueryValue request
19970 1514.287349 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19971 1514.287491 128.1.8.155 128.1.8.5 WINREG QueryValue request
19972 1514.287871 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19973 1514.288011 128.1.8.155 128.1.8.5 WINREG QueryValue request
19974 1514.288390 128.1.8.5 128.1.8.155 WINREG QueryValue response
19975 1514.288526 128.1.8.155 128.1.8.5 WINREG QueryValue request
19976 1514.288906 128.1.8.5 128.1.8.155 WINREG QueryValue response
19977 1514.289045 128.1.8.155 128.1.8.5 WINREG QueryValue request
19978 1514.289414 128.1.8.5 128.1.8.155 WINREG QueryValue response
19979 1514.289553 128.1.8.155 128.1.8.5 WINREG QueryValue request
19980 1514.289922 128.1.8.5 128.1.8.155 WINREG QueryValue response
19981 1514.290061 128.1.8.155 128.1.8.5 WINREG QueryValue request
19982 1514.290430 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19983 1514.290569 128.1.8.155 128.1.8.5 WINREG QueryValue request
19984 1514.290938 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19985 1514.291083 128.1.8.155 128.1.8.5 WINREG QueryValue request
19986 1514.291452 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19987 1514.291592 128.1.8.155 128.1.8.5 WINREG QueryValue request
19988 1514.291971 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19989 1514.292111 128.1.8.155 128.1.8.5 WINREG QueryValue request
19990 1514.292481 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19991 1514.292621 128.1.8.155 128.1.8.5 WINREG QueryValue request
19992 1514.293014 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19993 1514.293208 128.1.8.155 128.1.8.5 WINREG QueryValue request
19994 1514.293592 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19995 1514.293774 128.1.8.155 128.1.8.5 WINREG QueryValue request
19996 1514.294159 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19997 1514.294612 128.1.8.155 128.1.8.5 WINREG QueryValue request
19998 1514.294988 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19999 1514.295138 128.1.8.155 128.1.8.5 WINREG QueryValue request
20000 1514.295508 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20001 1514.295647 128.1.8.155 128.1.8.5 WINREG QueryValue request
20002 1514.296017 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20003 1514.296155 128.1.8.155 128.1.8.5 WINREG QueryValue request
20004 1514.296524 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20005 1514.296673 128.1.8.155 128.1.8.5 WINREG QueryValue request
20006 1514.297042 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20007 1514.297182 128.1.8.155 128.1.8.5 WINREG QueryValue request
20008 1514.297552 128.1.8.5 128.1.8.155 WINREG QueryValue response
20009 1514.297692 128.1.8.155 128.1.8.5 WINREG QueryValue request
20010 1514.298062 128.1.8.5 128.1.8.155 WINREG QueryValue response
20011 1514.298204 128.1.8.155 128.1.8.5 WINREG QueryValue request
20012 1514.298574 128.1.8.5 128.1.8.155 WINREG QueryValue response
20013 1514.298719 128.1.8.155 128.1.8.5 WINREG QueryValue request
20014 1514.299089 128.1.8.5 128.1.8.155 WINREG QueryValue response
20015 1514.299232 128.1.8.155 128.1.8.5 WINREG QueryValue request
20016 1514.299601 128.1.8.5 128.1.8.155 WINREG QueryValue response
20017 1514.299743 128.1.8.155 128.1.8.5 WINREG QueryValue request
20018 1514.300112 128.1.8.5 128.1.8.155 WINREG QueryValue response
20019 1514.300252 128.1.8.155 128.1.8.5 WINREG QueryValue request
20020 1514.300622 128.1.8.5 128.1.8.155 WINREG QueryValue response
20021 1514.300763 128.1.8.155 128.1.8.5 WINREG QueryValue request
20022 1514.301131 128.1.8.5 128.1.8.155 WINREG QueryValue response
20023 1514.301270 128.1.8.155 128.1.8.5 WINREG QueryValue request
20024 1514.301639 128.1.8.5 128.1.8.155 WINREG QueryValue response
20025 1514.301779 128.1.8.155 128.1.8.5 WINREG QueryValue request
20026 1514.302150 128.1.8.5 128.1.8.155 WINREG QueryValue response
20027 1514.302292 128.1.8.155 128.1.8.5 WINREG QueryValue request
20028 1514.302662 128.1.8.5 128.1.8.155 WINREG QueryValue response
20029 1514.302802 128.1.8.155 128.1.8.5 WINREG QueryValue request
20030 1514.304295 128.1.8.5 128.1.8.155 WINREG QueryValue response
20031 1514.304434 128.1.8.155 128.1.8.5 WINREG QueryValue request
20032 1514.304835 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20033 1514.304979 128.1.8.155 128.1.8.5 WINREG OpenKey request
20034 1514.305399 128.1.8.5 128.1.8.155 WINREG OpenKey response, Error: File not found (pathname error)
20035 1514.305540 128.1.8.155 128.1.8.5 WINREG QueryValue request
20036 1514.305920 128.1.8.5 128.1.8.155 WINREG QueryValue response
20037 1514.306060 128.1.8.155 128.1.8.5 WINREG QueryValue request
20038 1514.306429 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20039 1514.306569 128.1.8.155 128.1.8.5 WINREG QueryValue request
20040 1514.306938 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20041 1514.307078 128.1.8.155 128.1.8.5 WINREG QueryValue request
20042 1514.307447 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20043 1514.307585 128.1.8.155 128.1.8.5 WINREG QueryValue request
20044 1514.307956 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20045 1514.308096 128.1.8.155 128.1.8.5 WINREG CloseKey request
20046 1514.308432 128.1.8.5 128.1.8.155 WINREG CloseKey response
20047 1514.308572 128.1.8.155 128.1.8.5 WINREG CloseKey request
20048 1514.308898 128.1.8.5 128.1.8.155 WINREG CloseKey response
20049 1514.309093 128.1.8.155 128.1.8.5 SMB Close Request, FID: 0x4002
20050 1514.309400 128.1.8.5 128.1.8.155 SMB Close Response
20051 1514.450088 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [ACK] Seq=17730 Ack=9854 Win=64896 [TCP CHECKSUM INCORRECT] Len=0
20052 1515.204198 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
20053 1515.325773 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20054 1515.702545 65280.108 0.255 RTMP Request
20055 1515.714910 IntelCor_16:51:80 Broadcast ARP Who has 128.1.8.57? Tell 128.1.8.124
20056 1515.768795 Cisco_39:13:1c Cisco_39:13:1c LOOP Reply
20057 1516.325254 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20058 1516.430513 Dell_7c:b8:c7 Broadcast ARP Who has 128.1.9.199? Tell 128.1.8.7
20059 1517.231334 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
20060 1517.325243 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20061 1517.752027 DellComp_dd:23:e4 Broadcast ARP Who has 128.1.9.199? Tell 128.1.8.123
20062 1518.134109 Cisco_39:13:1c CDP/VTP/DTP/PAgP/UDLD CDP Cisco Discovery Protocol
20063 1518.325264 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20064 1518.939155 Dell_7c:b8:c7 Broadcast ARP Who has 128.1.8.112? Tell 128.1.8.7
20065 1519.238850 DellComp_5c:ce:5c Broadcast ARP Who has 128.1.8.148? Tell 128.1.8.5
20066 1519.257878 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
20067 1519.325340 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20068 1519.554052 HokubuCo_bc:66:d4 Broadcast ARP Who has 128.1.8.120? Tell 128.1.8.1
20069 1519.704797 Dell_7c:b8:c7 Broadcast ARP Who has 128.1.8.116? Tell 128.1.8.7
20070 1520.325919 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20071 1520.389983 DellComp_5c:ce:5c Broadcast ARP Who has 128.1.8.111? Tell 128.1.8.5
20072 1521.289288 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
20073 1521.325362 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20074 1522.325439 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20075 1523.133702 Cisco_39:13:1c CDP/VTP/DTP/PAgP/UDLD CDP Cisco Discovery Protocol
20076 1523.315549 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
20077 1523.325439 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20078 1524.285956 128.1.8.152 128.1.9.255 BROWSER Host Announcement LPC2275, Workstation, Server, NT Workstation, Potential Browser
20079 1524.325553 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20080 1525.342361 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
20081 1525.622360 128.1.8.155 128.1.8.5 SMB Logoff AndX Request
20082 1525.623243 128.1.8.5 128.1.8.155 SMB Logoff AndX Response
20083 1525.623310 128.1.8.155 128.1.8.5 SMB Tree Disconnect Request
20084 1525.623526 128.1.8.5 128.1.8.155 SMB Tree Disconnect Response
20085 1525.623788 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [FIN, ACK] Seq=17812 Ack=9936 Win=64814 [TCP CHECKSUM INCORRECT] Len=0
20086 1525.623979 128.1.8.5 128.1.8.155 TCP microsoft-ds > 1204 [FIN, ACK] Seq=9936 Ack=17813 Win=64704 Len=0
20087 1525.623997 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [ACK] Seq=17813 Ack=9937 Win=64814 [TCP CHECKSUM INCORRECT] Len=0
20088 1525.769443 Cisco_39:13:1c Cisco_39:13:1c LOOP Reply
20089 1526.098106 128.1.8.101 255.255.255.255 DHCP DHCP Inform - Transaction ID 0x293f82ab
20090 1526.098296 Dell_1d:c1:fa Broadcast ARP Who has 128.1.8.101? Tell 128.1.8.8
20091 1527.369267 Cisco_39:13:1c Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:01:c7:6f:8c:31 Cost = 4 Port = 0x801c
20092 1527.488211 128.1.8.123 128.1.9.255 NBNS Name query NB COL2<20>
20093 1527.641059 Cisco_91:a0:46 Broadcast ARP Who has 128.1.8.165? Tell 128.1.9.205
20094 1528.043333 DellComp_24:d8:81 Broadcast ARP Who has 128.1.9.205? Tell 128.1.9.20
20095 1528.134025 Cisco_39:13:1c CDP/VTP/DTP/PAgP/UDLD CDP Cisco Discovery Protocol
20096 1528.138121 128.1.8.101 255.255.255.255 DHCP DHCP Inform - Transaction ID 0x293f82ab
20097 1528.238317 128.1.8.123 128.1.9.255 NBNS Name query NB COL2<20>
20098 1528.267469 128.1.8.101 128.1.9.255 NBNS Name query NB WPAD<00>
19936 1514.275958 128.1.8.5 128.1.8.155 SMB Close Response
19937 1514.277031 128.1.8.155 128.1.8.5 SMB NT Create AndX Request, Path: \winreg
19938 1514.277574 128.1.8.5 128.1.8.155 SMB NT Create AndX Response, FID: 0x4002
19939 1514.277860 128.1.8.155 128.1.8.5 DCERPC Bind: call_id: 1 UUID: WINREG
19940 1514.278390 128.1.8.5 128.1.8.155 SMB Write AndX Response, FID: 0x4002, 72 bytes
19941 1514.278557 128.1.8.155 128.1.8.5 SMB Read AndX Request, FID: 0x4002, 1024 bytes at offset 0
19942 1514.278814 128.1.8.5 128.1.8.155 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
19943 1514.278975 128.1.8.155 128.1.8.5 WINREG OpenHKLM request
19944 1514.279576 128.1.8.5 128.1.8.155 WINREG OpenHKLM response
19945 1514.279780 128.1.8.155 128.1.8.5 WINREG OpenKey request
19946 1514.280299 128.1.8.5 128.1.8.155 WINREG OpenKey response
19947 1514.280476 128.1.8.155 128.1.8.5 WINREG QueryValue request
19948 1514.280889 128.1.8.5 128.1.8.155 WINREG QueryValue response
19949 1514.281036 128.1.8.155 128.1.8.5 WINREG QueryValue request
19950 1514.281417 128.1.8.5 128.1.8.155 WINREG QueryValue response
19951 1514.281560 128.1.8.155 128.1.8.5 WINREG QueryValue request
19952 1514.281940 128.1.8.5 128.1.8.155 WINREG QueryValue response
19953 1514.282082 128.1.8.155 128.1.8.5 WINREG QueryValue request
19954 1514.282462 128.1.8.5 128.1.8.155 WINREG QueryValue response
19955 1514.282605 128.1.8.155 128.1.8.5 WINREG QueryValue request
19956 1514.283702 128.1.8.5 128.1.8.155 WINREG QueryValue response
19957 1514.283842 128.1.8.155 128.1.8.5 WINREG QueryValue request
19958 1514.284231 128.1.8.5 128.1.8.155 WINREG QueryValue response
19959 1514.284369 128.1.8.155 128.1.8.5 WINREG QueryValue request
19960 1514.284748 128.1.8.5 128.1.8.155 WINREG QueryValue response
19961 1514.284887 128.1.8.155 128.1.8.5 WINREG QueryValue request
19962 1514.285267 128.1.8.5 128.1.8.155 WINREG QueryValue response
19963 1514.285417 128.1.8.155 128.1.8.5 WINREG QueryValue request
19964 1514.285806 128.1.8.5 128.1.8.155 WINREG QueryValue response
19965 1514.285944 128.1.8.155 128.1.8.5 WINREG QueryValue request
19966 1514.286324 128.1.8.5 128.1.8.155 WINREG QueryValue response
19967 1514.286463 128.1.8.155 128.1.8.5 WINREG QueryValue request
19968 1514.286843 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19969 1514.286981 128.1.8.155 128.1.8.5 WINREG QueryValue request
19970 1514.287349 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19971 1514.287491 128.1.8.155 128.1.8.5 WINREG QueryValue request
19972 1514.287871 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19973 1514.288011 128.1.8.155 128.1.8.5 WINREG QueryValue request
19974 1514.288390 128.1.8.5 128.1.8.155 WINREG QueryValue response
19975 1514.288526 128.1.8.155 128.1.8.5 WINREG QueryValue request
19976 1514.288906 128.1.8.5 128.1.8.155 WINREG QueryValue response
19977 1514.289045 128.1.8.155 128.1.8.5 WINREG QueryValue request
19978 1514.289414 128.1.8.5 128.1.8.155 WINREG QueryValue response
19979 1514.289553 128.1.8.155 128.1.8.5 WINREG QueryValue request
19980 1514.289922 128.1.8.5 128.1.8.155 WINREG QueryValue response
19981 1514.290061 128.1.8.155 128.1.8.5 WINREG QueryValue request
19982 1514.290430 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19983 1514.290569 128.1.8.155 128.1.8.5 WINREG QueryValue request
19984 1514.290938 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19985 1514.291083 128.1.8.155 128.1.8.5 WINREG QueryValue request
19986 1514.291452 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19987 1514.291592 128.1.8.155 128.1.8.5 WINREG QueryValue request
19988 1514.291971 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19989 1514.292111 128.1.8.155 128.1.8.5 WINREG QueryValue request
19990 1514.292481 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19991 1514.292621 128.1.8.155 128.1.8.5 WINREG QueryValue request
19992 1514.293014 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19993 1514.293208 128.1.8.155 128.1.8.5 WINREG QueryValue request
19994 1514.293592 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19995 1514.293774 128.1.8.155 128.1.8.5 WINREG QueryValue request
19996 1514.294159 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19997 1514.294612 128.1.8.155 128.1.8.5 WINREG QueryValue request
19998 1514.294988 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
19999 1514.295138 128.1.8.155 128.1.8.5 WINREG QueryValue request
20000 1514.295508 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20001 1514.295647 128.1.8.155 128.1.8.5 WINREG QueryValue request
20002 1514.296017 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20003 1514.296155 128.1.8.155 128.1.8.5 WINREG QueryValue request
20004 1514.296524 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20005 1514.296673 128.1.8.155 128.1.8.5 WINREG QueryValue request
20006 1514.297042 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20007 1514.297182 128.1.8.155 128.1.8.5 WINREG QueryValue request
20008 1514.297552 128.1.8.5 128.1.8.155 WINREG QueryValue response
20009 1514.297692 128.1.8.155 128.1.8.5 WINREG QueryValue request
20010 1514.298062 128.1.8.5 128.1.8.155 WINREG QueryValue response
20011 1514.298204 128.1.8.155 128.1.8.5 WINREG QueryValue request
20012 1514.298574 128.1.8.5 128.1.8.155 WINREG QueryValue response
20013 1514.298719 128.1.8.155 128.1.8.5 WINREG QueryValue request
20014 1514.299089 128.1.8.5 128.1.8.155 WINREG QueryValue response
20015 1514.299232 128.1.8.155 128.1.8.5 WINREG QueryValue request
20016 1514.299601 128.1.8.5 128.1.8.155 WINREG QueryValue response
20017 1514.299743 128.1.8.155 128.1.8.5 WINREG QueryValue request
20018 1514.300112 128.1.8.5 128.1.8.155 WINREG QueryValue response
20019 1514.300252 128.1.8.155 128.1.8.5 WINREG QueryValue request
20020 1514.300622 128.1.8.5 128.1.8.155 WINREG QueryValue response
20021 1514.300763 128.1.8.155 128.1.8.5 WINREG QueryValue request
20022 1514.301131 128.1.8.5 128.1.8.155 WINREG QueryValue response
20023 1514.301270 128.1.8.155 128.1.8.5 WINREG QueryValue request
20024 1514.301639 128.1.8.5 128.1.8.155 WINREG QueryValue response
20025 1514.301779 128.1.8.155 128.1.8.5 WINREG QueryValue request
20026 1514.302150 128.1.8.5 128.1.8.155 WINREG QueryValue response
20027 1514.302292 128.1.8.155 128.1.8.5 WINREG QueryValue request
20028 1514.302662 128.1.8.5 128.1.8.155 WINREG QueryValue response
20029 1514.302802 128.1.8.155 128.1.8.5 WINREG QueryValue request
20030 1514.304295 128.1.8.5 128.1.8.155 WINREG QueryValue response
20031 1514.304434 128.1.8.155 128.1.8.5 WINREG QueryValue request
20032 1514.304835 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20033 1514.304979 128.1.8.155 128.1.8.5 WINREG OpenKey request
20034 1514.305399 128.1.8.5 128.1.8.155 WINREG OpenKey response, Error: File not found (pathname error)
20035 1514.305540 128.1.8.155 128.1.8.5 WINREG QueryValue request
20036 1514.305920 128.1.8.5 128.1.8.155 WINREG QueryValue response
20037 1514.306060 128.1.8.155 128.1.8.5 WINREG QueryValue request
20038 1514.306429 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20039 1514.306569 128.1.8.155 128.1.8.5 WINREG QueryValue request
20040 1514.306938 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20041 1514.307078 128.1.8.155 128.1.8.5 WINREG QueryValue request
20042 1514.307447 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20043 1514.307585 128.1.8.155 128.1.8.5 WINREG QueryValue request
20044 1514.307956 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20045 1514.308096 128.1.8.155 128.1.8.5 WINREG CloseKey request
20046 1514.308432 128.1.8.5 128.1.8.155 WINREG CloseKey response
20047 1514.308572 128.1.8.155 128.1.8.5 WINREG CloseKey request
20048 1514.308898 128.1.8.5 128.1.8.155 WINREG CloseKey response
20049 1514.309093 128.1.8.155 128.1.8.5 SMB Close Request, FID: 0x4002
20050 1514.309400 128.1.8.5 128.1.8.155 SMB Close Response
20051 1514.450088 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [ACK] Seq=17730 Ack=9854 Win=64896 [TCP CHECKSUM INCORRECT] Len=0
20052 1515.204198 Cisco_39:13:1c Spanning-tree-(for-bridges
20053 1515.325773 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20054 1515.702545 65280.108 0.255 RTMP Request
20055 1515.714910 IntelCor_16:51:80 Broadcast ARP Who has 128.1.8.57? Tell 128.1.8.124
20056 1515.768795 Cisco_39:13:1c Cisco_39:13:1c LOOP Reply
20057 1516.325254 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20058 1516.430513 Dell_7c:b8:c7 Broadcast ARP Who has 128.1.9.199? Tell 128.1.8.7
20059 1517.231334 Cisco_39:13:1c Spanning-tree-(for-bridges
20060 1517.325243 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20061 1517.752027 DellComp_dd:23:e4 Broadcast ARP Who has 128.1.9.199? Tell 128.1.8.123
20062 1518.134109 Cisco_39:13:1c CDP/VTP/DTP/PAgP/UDLD CDP Cisco Discovery Protocol
20063 1518.325264 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20064 1518.939155 Dell_7c:b8:c7 Broadcast ARP Who has 128.1.8.112? Tell 128.1.8.7
20065 1519.238850 DellComp_5c:ce:5c Broadcast ARP Who has 128.1.8.148? Tell 128.1.8.5
20066 1519.257878 Cisco_39:13:1c Spanning-tree-(for-bridges
20067 1519.325340 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20068 1519.554052 HokubuCo_bc:66:d4 Broadcast ARP Who has 128.1.8.120? Tell 128.1.8.1
20069 1519.704797 Dell_7c:b8:c7 Broadcast ARP Who has 128.1.8.116? Tell 128.1.8.7
20070 1520.325919 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20071 1520.389983 DellComp_5c:ce:5c Broadcast ARP Who has 128.1.8.111? Tell 128.1.8.5
20072 1521.289288 Cisco_39:13:1c Spanning-tree-(for-bridges
20073 1521.325362 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20074 1522.325439 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20075 1523.133702 Cisco_39:13:1c CDP/VTP/DTP/PAgP/UDLD CDP Cisco Discovery Protocol
20076 1523.315549 Cisco_39:13:1c Spanning-tree-(for-bridges
20077 1523.325439 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20078 1524.285956 128.1.8.152 128.1.9.255 BROWSER Host Announcement LPC2275, Workstation, Server, NT Workstation, Potential Browser
20079 1524.325553 128.1.8.155 128.1.3.244 UDP Source port: 1183 Destination port: 1998
20080 1525.342361 Cisco_39:13:1c Spanning-tree-(for-bridges
20081 1525.622360 128.1.8.155 128.1.8.5 SMB Logoff AndX Request
20082 1525.623243 128.1.8.5 128.1.8.155 SMB Logoff AndX Response
20083 1525.623310 128.1.8.155 128.1.8.5 SMB Tree Disconnect Request
20084 1525.623526 128.1.8.5 128.1.8.155 SMB Tree Disconnect Response
20085 1525.623788 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [FIN, ACK] Seq=17812 Ack=9936 Win=64814 [TCP CHECKSUM INCORRECT] Len=0
20086 1525.623979 128.1.8.5 128.1.8.155 TCP microsoft-ds > 1204 [FIN, ACK] Seq=9936 Ack=17813 Win=64704 Len=0
20087 1525.623997 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [ACK] Seq=17813 Ack=9937 Win=64814 [TCP CHECKSUM INCORRECT] Len=0
20088 1525.769443 Cisco_39:13:1c Cisco_39:13:1c LOOP Reply
20089 1526.098106 128.1.8.101 255.255.255.255 DHCP DHCP Inform - Transaction ID 0x293f82ab
20090 1526.098296 Dell_1d:c1:fa Broadcast ARP Who has 128.1.8.101? Tell 128.1.8.8
20091 1527.369267 Cisco_39:13:1c Spanning-tree-(for-bridges
20092 1527.488211 128.1.8.123 128.1.9.255 NBNS Name query NB COL2<20>
20093 1527.641059 Cisco_91:a0:46 Broadcast ARP Who has 128.1.8.165? Tell 128.1.9.205
20094 1528.043333 DellComp_24:d8:81 Broadcast ARP Who has 128.1.9.205? Tell 128.1.9.20
20095 1528.134025 Cisco_39:13:1c CDP/VTP/DTP/PAgP/UDLD CDP Cisco Discovery Protocol
20096 1528.138121 128.1.8.101 255.255.255.255 DHCP DHCP Inform - Transaction ID 0x293f82ab
20097 1528.238317 128.1.8.123 128.1.9.255 NBNS Name query NB COL2<20>
20098 1528.267469 128.1.8.101 128.1.9.255 NBNS Name query NB WPAD<00>
What is 128.1.9.155?
How big is this remote office? How many IP subnets? I can see that one of your subnets seems to be at least 128.1.8.0/23. I also see an address 128.1.3.244. Is this a separate subnet?
It also looks like you may have an MTU mismatch someplace. It appears like 129.1.9.5 may have a gigabit connection and has MTU set bigger than 1500 and that 128.1.9.155 has MTU set to 1500.
If your server does have a gigabit connection, but everything else is 100 Mbps, you should set the MTU to 1500.
ASKER
Remote office = 100 users.
128.1.3.244 = me (in HQ)
O.K., but what is 128.1.9.155?
It looks like this box is trying to read/dump all of the AD and registry stuff from the server. This could cause lots of overhead on the server, which in turn could slow everything down. Should it be doing this?
ASKER
128.1.8.155 is the PC I set up with Ethereal
Well that is the PC that is doing all of the WINREG queries. I would see what services are running on that box because that does not look normal.
I would also suggest that you mirror the port that the server is on and see what all is going on with it.
When the problem is occurring can you:
ping the server specifying the IP address
ping the server specifying the name
ping any of the other computers on the LAN specifying either the name or the IP address
ping the switch
remote desktop to the server (assuming you have it installed and setup)
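To work through a listing like the one above the way these replies suggest (which host is issuing all the WINREG calls, which responses are errors, and where the "[TCP CHECKSUM INCORRECT]" flags come from), here is an added Python example that is not from the thread: it parses the Ethereal summary columns and tallies them over a few constructed lines copied in the same layout as the capture. The assumed capture-host name and the "offload artifact" check are my own assumptions, not something the thread states.

```python
"""Triage an Ethereal/Wireshark packet-list export in the layout pasted above.
Added example, not from the thread: it tallies frames per conversation, counts
error responses and records which host sent the checksum-flagged frames.
"""
import re
from collections import Counter

# Constructed sample in the same layout as the capture above (a subset of it).
SAMPLE = """\
19883 1514.234266 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
19943 1514.278975 128.1.8.155 128.1.8.5 WINREG OpenHKLM request
19944 1514.279576 128.1.8.5 128.1.8.155 WINREG OpenHKLM response
19967 1514.286463 128.1.8.155 128.1.8.5 WINREG QueryValue request
19968 1514.286843 128.1.8.5 128.1.8.155 WINREG QueryValue response, Error: File not found (pathname error)
20033 1514.304979 128.1.8.155 128.1.8.5 WINREG OpenKey request
20034 1514.305399 128.1.8.5 128.1.8.155 WINREG OpenKey response, Error: File not found (pathname error)
20052 1515.204198 Cisco_39:13:1c Spanning-tree-(for-bridges
20085 1525.623788 128.1.8.155 128.1.8.5 TCP 1204 > microsoft-ds [FIN, ACK] Seq=17812 Ack=9936 Win=64814 [TCP CHECKSUM INCORRECT] Len=0
"""

# No. Time Source Destination Protocol Info; truncated 4-column lines are skipped.
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_summary(text):
    """Yield one dict per well-formed packet-list line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            no, t, src, dst, proto, info = m.groups()
            yield {"no": int(no), "time": float(t), "src": src, "dst": dst,
                   "proto": proto, "info": info}

def triage(text):
    """Tally conversations, error responses and checksum-flagged senders."""
    convs, errors, bad_csum = Counter(), Counter(), Counter()
    first = last = None
    for p in parse_summary(text):
        convs[(p["src"], p["dst"], p["proto"])] += 1
        first = p["time"] if first is None else first
        last = p["time"]
        if "Error:" in p["info"]:  # dissector-reported error in a response
            errors[(p["src"], p["proto"], p["info"].split("Error:", 1)[1].strip())] += 1
        if "CHECKSUM INCORRECT" in p["info"]:
            bad_csum[p["src"]] += 1
    return {"conversations": convs, "errors": errors, "bad_checksum_senders": bad_csum,
            "span_seconds": 0.0 if first is None else round(last - first, 6)}

def checksum_flag_is_capture_artifact(result, capture_host):
    """True when every checksum-flagged frame came from the capturing host itself
    (assumed TX checksum offload: the tool sees the frame before the NIC fills it in)."""
    senders = set(result["bad_checksum_senders"])
    return bool(senders) and senders == {capture_host}

if __name__ == "__main__":
    r = triage(SAMPLE)
    for (src, dst, proto), n in r["conversations"].most_common():
        print(f"{src:>15} -> {dst:<15} {proto:<7} {n} frames")
    print("errors:", dict(r["errors"]))
    print("offload artifact?", checksum_flag_is_capture_artifact(r, "128.1.8.155"))  # asker's Ethereal PC
```

If every flagged frame comes from the capturing PC, the checksum warning is a symptom of the capture setup rather than of the network, which matters before reading it as an MTU or cabling problem.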
ASKER
Delayed but not abandoned... it appears that the issue was related to Diskkeeper Standard Edition running on a server with over 2 TB of storage!
I am awarding the points, based on my perception of the most intelligent answer.
This is the protocol used by Samba shares.
This line shows an error happening while trying to access a file on some share hosted by a Linux server.
It's simply a file not found error.