Bug 15465

Summary: tcpdump: NBT packets extended dump
Product: [Retired] Red Hat Linux
Reporter: giulioo
Component: tcpdump
Assignee: Harald Hoyer <harald>
Status: CLOSED WONTFIX
Severity: low
Priority: medium
Version: 7.1
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-01-10 15:31:08 UTC

Description giulioo 2000-08-05 07:31:59 UTC
When debugging samba/win problems one of the most useful tools is tcpdump
with the smb patch added (so that every NBT packet is dumped in detail).

I read that tcpdump3.5 will be for 7.1.

However, I looked into the src.rpm and there is the file
tcpdump-3.4-ss991030.dif.gz
which does contain an smb patch (it's old though, no unicode stuff) mixed
with something else, but:
tcpdump port 139
does not dump the NBT packets in an extended way as it should.

The tcpdump available from samba org will dump NBT packets in an extended way
without the need for any command line switch.

So, is this a bug in the tcpdump included in pinstripe, or does it have a 
special switch to enable NBT extended packet dump?

Example of "tcpdump port 139": 
a) pinstripe
11:27:55.601554 eth0 < i4.1364 > i5.netbios-ssn: P 77:245(168) ack 5 win 32116 <nop,nop,timestamp 205456009 16236465>>>> NBT (DF)
11:27:55.601744 eth0 > i5.netbios-ssn > i4.1364: P 5:86(81) ack 245 win 31876 <nop,nop,timestamp 16236465 205456009>>>> NBT (DF)

b) samba org tcpdump:
09:26:08.023282 i5.1119 > i4.netbios-ssn: P 480:579(99) ack 260 win 31861 
<nop,nop,timestamp 16246721 205466264>
>>> NBT Packet
flags=0x1
NBT Session Packet
Flags=0x101
Length=2058
found SMB packet at 12
 
SMB PACKET: SMBtrans (REQUEST)
SMB Command   =  0x25
Error class   =  0x0
Error code    =  0
Flags1        =  0x8
Flags2        =  0x1
Tree ID       =  1
Proc ID       =  7785
UID           =  100
MID           =  1
Word Count    =  14
TotParamCnt=Command=0x0
Str1=WrLeh
Str2=B13BWz
Data: (4 bytes)
[000] 01 00 E0 FF                                       ....
...
...
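As an added illustration (not part of this bug report, of Red Hat's tcpdump or of the samba patch), a small Python decoder for the two headers the samba-patched output above is printing: the RFC 1002 NetBIOS session service header carried on TCP port 139, and the SMB header behind it (SMB Command, Error class, Error code, Flags1, Flags2, Tree ID, Proc ID, UID, MID, Word Count). The input bytes are constructed, using the same field values as the SMBtrans request shown above; the command-name table is a small assumed subset.

```python
import struct

# Added example, not part of the bug report or of tcpdump: decode the
# RFC 1002 NetBIOS session service header and the SMB header that follows
# it on TCP port 139, i.e. the fields the samba-patched tcpdump prints.

SMB_COMMANDS = {0x25: "SMBtrans", 0x72: "SMBnegprot", 0x73: "SMBsesssetupX",
                0x75: "SMBtconX", 0xA2: "SMBntcreateX"}   # small assumed subset

def parse_nbt_session(data: bytes) -> dict:
    """Split an NBT session message into its 4-byte header and its payload."""
    if len(data) < 4:
        raise ValueError("short NBT session header")
    msg_type, flags, length = struct.unpack(">BBH", data[:4])
    length |= (flags & 0x01) << 16      # flags bit 0 extends the length to 17 bits
    payload = data[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated NBT message: want %d, have %d" % (length, len(payload)))
    return {"type": msg_type, "flags": flags, "length": length, "payload": payload}

def parse_smb_header(payload: bytes) -> dict:
    """Decode the fixed 32-byte SMB header plus the Word Count byte after it."""
    if len(payload) < 33 or payload[:4] != b"\xffSMB":
        raise ValueError("no SMB header at start of NBT payload")
    (cmd, err_class, _rsv, err_code, flags1, flags2, _pid_hi, _sec, _rsv2,
     tid, pid, uid, mid, wct) = struct.unpack("<BBBHBHH8sHHHHHB", payload[4:33])
    return {"command": cmd, "command_name": SMB_COMMANDS.get(cmd, "unknown"),
            "error_class": err_class, "error_code": err_code,
            "flags1": flags1, "flags2": flags2, "tid": tid, "pid": pid,
            "uid": uid, "mid": mid, "word_count": wct}

def decode_nbt_frame(data: bytes) -> dict:
    """Decode one NBT message; only session messages (type 0x00) carry SMB."""
    nbt = parse_nbt_session(data)
    if nbt["type"] == 0x00:
        nbt["smb"] = parse_smb_header(nbt["payload"])
    return nbt

# Constructed sample: an SMBtrans request with the header values seen in the
# report (command 0x25, Flags1 0x8, Flags2 0x1, TID 1, PID 7785, UID 100,
# MID 1, Word Count 14); the 14 parameter words are zero-filled.
SAMPLE_SMB = (b"\xffSMB" + bytes([0x25, 0x00, 0x00]) + struct.pack("<H", 0)
              + bytes([0x08]) + struct.pack("<HH", 0x0001, 0) + b"\x00" * 10
              + struct.pack("<HHHH", 1, 7785, 100, 1) + bytes([14]) + b"\x00" * 28)
SAMPLE_FRAME = struct.pack(">BBH", 0x00, 0x00, len(SAMPLE_SMB)) + SAMPLE_SMB

if __name__ == "__main__":
    for k, v in decode_nbt_frame(SAMPLE_FRAME)["smb"].items():
        print("%-13s = %s" % (k, hex(v) if isinstance(v, int) else v))
```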

Comment 1 Jeff Johnson 2000-08-06 23:16:49 UTC
This functionality should be considered at the same time that tcpdump-3.5 from
tcpdump.org is considered.

FWIW, I've always hated the *very* noisy output of the samba patch, the output
usually swamps all other output from tcpdump if there are samba packets on the wire.

Comment 2 Pekka Savola 2000-08-08 07:16:39 UTC
I agree with the latter.  Perhaps it should be outputted only with '-v' or '-vv'
switch or something.

Comment 3 Jeff Johnson 2001-01-08 19:48:56 UTC
This problem appears to be resolved. Please reopen if I'm wrong.

Comment 4 giulioo 2001-01-10 15:31:04 UTC
tcpdump-3.4-34 still does not show extended NBT output (unless there's some 
hidden way to get it).
Comment 5 Jeff Johnson 2001-01-10 16:36:09 UTC
The problem was closed with WONTFIX because the NBT output is noisy and
confusing.