Bug 15465
Summary: | tcpdump: NBT packets extended dump | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | giulioo |
Component: | tcpdump | Assignee: | Harald Hoyer <harald> |
Status: | CLOSED WONTFIX | Last Closed: | 2001-01-10 15:31:08 UTC |
Severity: | low | Priority: | medium |
Version: | 7.1 | Doc Type: | Bug Fix |
Hardware: | i386 | OS: | Linux |

This functionality should be considered at the same time that tcpdump-3.5 from tcpdump.org is considered. FWIW, I've always hated the *very* noisy output of the samba patch, the output usually swamps all other output from tcpdump if there are samba packets on the wire.

I agree with the latter. Perhaps it should be outputted only with '-v' or '-vv' switch or something.

This problem appears to be resolved. Please reopen if I'm wrong.

tcpdump-3.4-34 still does not show extended NBT output (unless there's some hidden way to get it).

The problem was closed with WONTFIX because the NBT output is noisy and confusing.

When debugging samba/win problems one of the most useful tools is tcpdump with the smb patch added (so that every NBT packet is dumped in detail).

I read that tcpdump3.5 will be for 7.1. However, I looked into the src.rpm and there is the file tcpdump-3.4-ss991030.dif.gz which does contain an smb patch (it's old though, no unicode stuff) mixed with something else, but: tcpdump port 139 does not dump the NBT packets in an extended way as it should.

The tcpdump available from samba org will dump NBT packets in extended way without need for any command line switch.

So, is this a bug in the tcpdump included in pinstripe, or does it have a special switch to enable NBT extended packet dump?

Example of "tcpdump port 139":

a) pinstripe

```
11:27:55.601554 eth0 < i4.1364 > i5.netbios-ssn: P 77:245(168) ack 5 win 32116 <nop,nop,timestamp 205456009 16236465>>>> NBT (DF)
11:27:55.601744 eth0 > i5.netbios-ssn > i4.1364: P 5:86(81) ack 245 win 31876 <nop,nop,timestamp 16236465 205456009>>>> NBT (DF)
```

b) samba org tcpdump:

```
09:26:08.023282 i5.1119 > i4.netbios-ssn: P 480:579(99) ack 260 win 31861 <nop,nop,timestamp 16246721 205466264>
>>> NBT Packet
flags=0x1
NBT Session Packet
Flags=0x101
Length=2058
found SMB packet at 12
SMB PACKET: SMBtrans (REQUEST)
SMB Command = 0x25
Error class = 0x0
Error code = 0
Flags1 = 0x8
Flags2 = 0x1
Tree ID = 1
Proc ID = 7785
UID = 100
MID = 1
Word Count = 14
TotParamCnt=Command=0x0
Str1=WrLeh
Str2=B13BWz
Data: (4 bytes)
[000] 01 00 E0 FF ....
... ...
```
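
The following is an added example, not code from this bug report, tcpdump or Samba: it decodes the NBT session header and the SMB1 header fields that appear in the samba.org output above, and emits the per-field dump only when a verbosity flag is set, as one of the comments suggests. The sample bytes are constructed from the SMB field values quoted in the report; the function names and the `verbose` parameter are assumptions.

```python
import struct

# SMB1 header, little-endian: magic, command, error class, reserved, error code,
# flags1, flags2, PID high, security features, reserved, TID, PID, UID, MID, word count
SMB_HDR = struct.Struct("<4sBBBHBHH8sHHHHHB")
SMB_COMMANDS = {0x25: "SMBtrans"}  # only the command that appears in the report

def build_sample():
    """Constructed NBT session message (not a capture) using the quoted field values."""
    smb = SMB_HDR.pack(b"\xffSMB", 0x25, 0, 0, 0, 0x08, 0x0001,
                       0, bytes(8), 0, 1, 7785, 100, 1, 14)
    smb += bytes(14 * 2 + 2)                 # 14 zeroed parameter words + byte count
    return struct.pack(">BBH", 0x00, 0, len(smb)) + smb

def parse_nbt_smb(payload):
    """Decode the 4-byte NBT session header and, if present, the SMB1 header."""
    if len(payload) < 4:
        raise ValueError("truncated NBT session header")
    ptype, flags, length = struct.unpack(">BBH", payload[:4])
    length |= (flags & 0x01) << 16           # low flag bit is bit 16 of the length
    body = payload[4:4 + length]
    if len(body) < length:
        raise ValueError("NBT payload shorter than its length field")
    out = {"nbt_type": ptype, "nbt_length": length, "smb": None}
    if ptype == 0x00 and len(body) >= SMB_HDR.size and body[:4] == b"\xffSMB":
        f = SMB_HDR.unpack_from(body)
        out["smb"] = {"command": f[1], "error_class": f[2], "error_code": f[4],
                      "flags1": f[5], "flags2": f[6], "tid": f[10], "pid": f[11],
                      "uid": f[12], "mid": f[13], "word_count": f[14]}
    return out

def dump(payload, verbose=0):
    """One summary line by default; per-field lines only when verbose is set."""
    p = parse_nbt_smb(payload)
    smb = p["smb"]
    if smb is None:
        return ">>> NBT type=0x%02x length=%d" % (p["nbt_type"], p["nbt_length"])
    name = SMB_COMMANDS.get(smb["command"], "SMB 0x%02x" % smb["command"])
    kind = "REPLY" if smb["flags1"] & 0x80 else "REQUEST"   # 0x80 marks a server reply
    head = ">>> NBT %s (%s)" % (name, kind)
    if not verbose:
        return head
    return head + "\n" + "\n".join("%s = %s" % kv for kv in smb.items())

if __name__ == "__main__":
    print(dump(build_sample()))
    print(dump(build_sample(), verbose=1))
```

A real capture can split one NBT message across TCP segments or cut it at the snap length; this example reports that case as an error instead of reassembling.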