Red Hat Bugzilla – Bug 15465
tcpdump: NBT packets extended dump
Last modified: 2008-05-01 11:37:57 EDT
When debugging samba/win problems one of the most useful tools is tcpdump
with the smb patch added (so that every NBT packet is dumped in detail).
I read that tcpdump3.5 will be for 7.1.
However, I looked into the src.rpm and there is the file
which does contain an smb patch (it's old though, no unicode stuff) mixed
with something else, but:
tcpdump port 139
does not dump the NBT packets in an extended way as it should.
The tcpdump available from samba org will dump NBT packets in an extended way
without the need for any command-line switch.
So, is this a bug in the tcpdump included in pinstripe, or does it have a
special switch to enable NBT extended packet dump?
Example of "tcpdump port 139":
11:27:55.601554 eth0 < i4.1364 > i5.netbios-ssn: P 77:245(168) ack 5 win
32116 <nop,nop,timestamp 205456009 16236465>>>> NBT (DF)
11:27:55.601744 eth0 > i5.netbios-ssn > i4.1364: P 5:86(81) ack 245 win
31876 <nop,nop,timestamp 16236465 205456009>>>> NBT (DF)
b) samba org tcpdump:
09:26:08.023282 i5.1119 > i4.netbios-ssn: P 480:579(99) ack 260 win 31861
<nop,nop,timestamp 16246721 205466264>
>>> NBT Packet
NBT Session Packet
found SMB packet at 12
SMB PACKET: SMBtrans (REQUEST)
SMB Command = 0x25
Error class = 0x0
Error code = 0
Flags1 = 0x8
Flags2 = 0x1
Tree ID = 1
Proc ID = 7785
UID = 100
MID = 1
Word Count = 14
Data: (4 bytes)
 01 00 E0 FF ....
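The field list in the extended dump above is the fixed SMB1 header that the NBT session message carries (command, DOS error class/code, flags, TID/PID/UID/MID, then the word count, byte count and data). The decoder below is added here as an illustration and is not code from tcpdump, Samba, or this bug report: it builds a constructed NBT session message with the same header values as the report, decodes it back into those fields, and renders them in the same layout. The parameter words are zero-filled because the report does not show them, and the command-name table is an assumed subset of the SMB1 command codes.

```python
import struct

# Constructed sample data and decoder, added to illustrate what the extended
# NBT/SMB dump quoted above is decoding. This is not tcpdump or Samba code.

# SMB1 command codes (standard values; only a few are listed for readability).
SMB_COMMANDS = {0x25: "SMBtrans", 0x72: "SMBnegprot", 0x73: "SMBsesssetupX", 0x75: "SMBtconX"}

SMB_MAGIC = b"\xffSMB"
NBT_SESSION_MESSAGE = 0x00   # NBT session service message type that carries SMB
SMB_FLAGS_REPLY = 0x80       # flags1 bit 7: set on responses, clear on requests


def build_sample_packet():
    """Build a constructed NBT session message carrying an SMBtrans request.

    Header values mirror the report (command 0x25, flags1 0x08, flags2 0x01,
    TID 1, PID 7785, UID 100, MID 1, 14 words); the parameter words are
    zero-filled because the report does not show them.
    """
    words = b"\x00" * (14 * 2)                 # 14 parameter words (constructed)
    data = bytes.fromhex("0100e0ff")           # the 4 data bytes from the report
    smb = (
        SMB_MAGIC
        # command, error class, reserved, error code (DOS status), flags1, flags2
        + struct.pack("<BBBHBH", 0x25, 0x00, 0x00, 0, 0x08, 0x0001)
        + b"\x00" * 12                         # PID-high, security signature, reserved
        + struct.pack("<HHHH", 1, 7785, 100, 1)  # TID, PID, UID, MID
        + bytes([14]) + words                  # word count + parameter words
        + struct.pack("<H", len(data)) + data  # byte count + data
    )
    # NBT session header: 1-byte type, then a 17-bit big-endian length
    # (1 flag bit in the second byte plus a 16-bit length field).
    return bytes([NBT_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


def parse_smb_header(p):
    """Decode the fixed 32-byte SMB1 header plus word count, byte count and data."""
    if len(p) < 33 or p[:4] != SMB_MAGIC:
        raise ValueError("payload does not start with an SMB header")
    cmd, err_class, _reserved, err_code, flags1, flags2 = struct.unpack_from("<BBBHBH", p, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", p, 24)
    wct = p[32]
    words_end = 33 + 2 * wct
    if len(p) < words_end + 2:
        raise ValueError("truncated SMB parameter block")
    bcc = struct.unpack_from("<H", p, words_end)[0]
    data = p[words_end + 2 : words_end + 2 + bcc]
    if len(data) != bcc:
        raise ValueError("truncated SMB data block")
    return {
        "command": cmd,
        "command_name": SMB_COMMANDS.get(cmd, "unknown"),
        "is_reply": bool(flags1 & SMB_FLAGS_REPLY),
        "error_class": err_class,
        "error_code": err_code,
        "flags1": flags1,
        "flags2": flags2,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "word_count": wct,
        "data": data,
    }


def parse_nbt_session(buf):
    """Decode one NBT session service message; SMB fields are returned for type 0x00."""
    if len(buf) < 4:
        raise ValueError("short NBT session header")
    msg_type = buf[0]
    length = int.from_bytes(buf[1:4], "big") & 0x1FFFF   # 17-bit length
    payload = buf[4:4 + length]
    if len(payload) != length:
        # Never trust the on-wire length: a decoder that reads past the
        # captured bytes is how dissectors end up crashing on bad input.
        raise ValueError("NBT length %d exceeds captured bytes" % length)
    if msg_type != NBT_SESSION_MESSAGE:
        return {"nbt_type": msg_type, "smb": None}   # e.g. session request/keepalive
    return {"nbt_type": msg_type, "smb": parse_smb_header(payload)}


def format_like_extended_dump(decoded):
    """Render the decoded fields in the layout of the extended dump quoted above."""
    smb = decoded["smb"]
    kind = "REPLY" if smb["is_reply"] else "REQUEST"
    hexbytes = " ".join("%02X" % b for b in smb["data"])
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in smb["data"])
    return "\n".join([
        ">>> NBT Packet",
        "NBT Session Packet",
        "SMB PACKET: %s (%s)" % (smb["command_name"], kind),
        "SMB Command = 0x%x" % smb["command"],
        "Error class = 0x%x" % smb["error_class"],
        "Error code = %d" % smb["error_code"],
        "Flags1 = 0x%x" % smb["flags1"],
        "Flags2 = 0x%x" % smb["flags2"],
        "Tree ID = %d" % smb["tid"],
        "Proc ID = %d" % smb["pid"],
        "UID = %d" % smb["uid"],
        "MID = %d" % smb["mid"],
        "Word Count = %d" % smb["word_count"],
        "Data: (%d bytes)" % len(smb["data"]),
        " %s %s" % (hexbytes, printable),
    ])


if __name__ == "__main__":
    print(format_like_extended_dump(parse_nbt_session(build_sample_packet())))
```

Running the block prints the same field block as the report, with the request/reply distinction taken from bit 7 of flags1. The length check in `parse_nbt_session` is the part worth keeping in any decoder you write for captured traffic: the NBT length field is attacker-controlled, so it is compared against the bytes actually present before anything is indexed.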
This functionality should be considered at the same time that tcpdump-3.5 from
FWIW, I've always hated the *very* noisy output of the samba patch, the output
all other output from tcpdump if there are samba packets on the wire.
I agree with the latter. Perhaps it should be output only with the '-v' or '-vv'
switch or something.
This problem appears to be resolved. Please reopen if I'm wrong.
tcpdump-3.4-34 still does not show extended NBT output (unless there's some
hidden way to get it).
The problem was closed with WONTFIX because the NBT output is noisy and