Bug 15465 - tcpdump: NBT packets extended dump
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 7.1
Hardware: i386
OS: Linux
Assignee: Harald Hoyer
Reported: 2000-08-05 07:31 UTC by giulioo
Modified: 2008-05-01 15:37 UTC (History)
Last Closed: 2001-01-10 15:31:08 UTC

Description giulioo 2000-08-05 07:31:59 UTC
When debugging samba/win problems one of the most useful tools is tcpdump 
with the smb patch added (so that every NBT packet is dumped in detail). 

I read that tcpdump3.5 will be for 7.1.

However, I looked into the src.rpm and there is the file
which does contain an smb patch (it's old though, no unicode stuff) mixed 
with something else, but:
tcpdump port 139
does not dump the NBT packets in an extended way as it should.

The tcpdump available from samba org will dump NBT packets in an extended way 
without need for any command line switch.

So, is this a bug in the tcpdump included in pinstripe, or does it have a 
special switch to enable NBT extended packet dump?

Example of "tcpdump port 139": 
a) pinstripe
11:27:55.601554 eth0 < i4.1364 > i5.netbios-ssn: P 77:245(168) ack 5 win 
32116 <nop,nop,timestamp 205456009 16236465>>>> NBT (DF)
11:27:55.601744 eth0 > i5.netbios-ssn > i4.1364: P 5:86(81) ack 245 win 
31876 <nop,nop,timestamp 16236465 205456009>>>> NBT (DF)

b) samba org tcpdump:
09:26:08.023282 i5.1119 > i4.netbios-ssn: P 480:579(99) ack 260 win 31861 
<nop,nop,timestamp 16246721 205466264>
>>> NBT Packet
NBT Session Packet
found SMB packet at 12
SMB Command   =  0x25
Error class   =  0x0
Error code    =  0
Flags1        =  0x8
Flags2        =  0x1
Tree ID       =  1
Proc ID       =  7785
UID           =  100
MID           =  1
Word Count    =  14
Data: (4 bytes)
[000] 01 00 E0 FF                                       ....
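
Added example, not part of the bug report and not code from tcpdump or the samba patch: a C function that decodes the header fields listed in the extended dump above from one NBT session message, checking every length against the bytes actually captured. The names parse_nbt_smb and struct smb_hdr are hypothetical, and the sample packet is constructed to carry the values shown in the dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Fields the extended dump prints for one SMB1 message. */
struct smb_hdr {
    uint8_t  command, err_class, flags1, word_count;
    uint16_t err_code, flags2, tid, pid, uid, mid;
};

/* SMB1 header fields are little-endian. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one NBT session message carrying SMB1; 0 on success, -1 if truncated or not SMB. */
int parse_nbt_smb(const uint8_t *buf, size_t caplen, struct smb_hdr *out)
{
    if (caplen < 4 || buf[0] != 0x00) return -1;   /* 0x00 = session message */
    /* 17-bit length: low flag bit plus a 16-bit big-endian field */
    size_t avail = ((size_t)(buf[1] & 1) << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (avail > caplen - 4) avail = caplen - 4;    /* clamp to captured bytes */
    const uint8_t *s = buf + 4;
    /* 32-byte SMB1 header plus the 1-byte word count */
    if (avail < 33 || memcmp(s, "\xffSMB", 4) != 0) return -1;
    out->command  = s[4];         out->err_class  = s[5];
    out->err_code = le16(s + 7);  out->flags1     = s[9];
    out->flags2   = le16(s + 10); out->tid        = le16(s + 24);
    out->pid      = le16(s + 26); out->uid        = le16(s + 28);
    out->mid      = le16(s + 30); out->word_count = s[32];
    /* the parameter words must fit inside the bytes we actually have */
    return (avail - 33 < (size_t)out->word_count * 2) ? -1 : 0;
}

/* Constructed sample carrying the header values from the dump above. */
static const uint8_t sample[67] = {
    0x00, 0x00, 0x00, 0x3f,          /* NBT session message, length 63 */
    0xff, 'S', 'M', 'B', 0x25,       /* SMB magic, command 0x25 */
    0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0x00, /* error class/code, flags1, flags2 */
    [28] = 0x01, 0x00, 0x69, 0x1e, 0x64, 0x00, 0x01, 0x00, /* TID PID UID MID */
    [36] = 14                        /* word count; the rest stays zero */
};

int main(void)
{
    struct smb_hdr h;
    if (parse_nbt_smb(sample, sizeof sample, &h) != 0) return 1;
    printf("SMB Command = 0x%x, Tree ID = %u, Proc ID = %u\n",
           (unsigned)h.command, (unsigned)h.tid, (unsigned)h.pid);
    return 0;
}
```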

Comment 1 Jeff Johnson 2000-08-06 23:16:49 UTC
This functionality should be considered at the same time that tcpdump-3.5 from
is considered.

FWIW, I've always hated the *very* noisy output of the samba patch, the output 
usually swamps
all other output from tcpdump if there are samba packets on the wire.

Comment 2 Pekka Savola 2000-08-08 07:16:39 UTC
I agree with the latter.  Perhaps it should be outputted only with '-v' or '-vv'
switch or something.

Comment 3 Jeff Johnson 2001-01-08 19:48:56 UTC
This problem appears to be resolved. Please reopen if I'm wrong.

Comment 4 giulioo 2001-01-10 15:31:04 UTC
tcpdump-3.4-34 still does not show extended NBT output (unless there's some 
hidden way to get it).

Comment 5 Jeff Johnson 2001-01-10 16:36:09 UTC
The problem was closed with WONTFIX because the NBT output is noisy and
