A bit of a late reply.
I issued the command smbtree at 11:23:42; it stopped at 11:23:56, spending most of its time trying to find shares on 192.168.2.131 but not succeeding.
192.168.2.131 is the localhost as well as the host serving the samba share.
The contents of /etc/resolv.conf:
Code:
$ cat /etc/resolv.conf
# Generated by re0 dhclient
search home
nameserver 195.130.131.4
nameserver 195.130.130.132
nameserver 192.168.2.1
lookup file bind
$
The output of tcpdump:
Code:
11:23:45.152604 192.168.2.131.3414 > 195.130.131.4.53: [bad udp cksum 6e1d!] 37829+ A? PC-BUREEL-.home. (33) (ttl 64, id 23373, len 61, [552/674] 0! differs by 15b1)
11:23:45.162916 195.130.131.4.53 > 192.168.2.131.3414: [udp sum ok] 37829 NXDomain q: A? PC-BUREEL-.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14551, len 136)
11:23:45.163127 192.168.2.131.38794 > 195.130.131.4.53: [bad udp cksum fff3!] 2789+ A? PC-BUREEL-. (28) (ttl 64, id 45911, len 56, bad cksum 0! differs by bdab)
11:23:45.174856 195.130.131.4.53 > 192.168.2.131.38794: [udp sum ok] 2789 NXDomain q: A? PC-BUREEL-. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14552, len 131)
11:23:45.186837 192.168.2.131.2799 > 195.130.131.4.53: [bad udp cksum de82!] 22992+ A? CISCO42080.home. (33) (ttl 64, id 21207, len 61, bad cksum 0! differs by 1e27)
11:23:45.198672 195.130.131.4.53 > 192.168.2.131.2799: [udp sum ok] 22992 NXDomain q: A? CISCO42080.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14553, len 136)
11:23:45.198909 192.168.2.131.6294 > 195.130.131.4.53: [bad udp cksum 5f2c!] 31374+ A? CISCO42080. (28) (ttl 64, id 44294, len 56, bad cksum 0! differs by c3fc)
11:23:45.210716 195.130.131.4.53 > 192.168.2.131.6294: [udp sum ok] 31374 NXDomain q: A? CISCO42080. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14554, len 131)
11:23:45.254804 192.168.2.131.9185 > 195.130.131.4.53: [bad udp cksum fc5d!] 26306+ A? CISCO14042.home. (33) (ttl 64, id 45079, len 61, bad cksum 0! differs by c0e6)
11:23:45.266982 195.130.131.4.53 > 192.168.2.131.9185: [udp sum ok] 26306 NXDomain q: A? CISCO14042.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14555, len 136)
11:23:45.267205 192.168.2.131.8694 > 195.130.131.4.53: [bad udp cksum 900e!] 36863+ A? CISCO14042. (28) (ttl 64, id 43978, len 56, bad cksum 0! differs by c538)
11:23:45.278799 195.130.131.4.53 > 192.168.2.131.8694: [udp sum ok] 36863 NXDomain q: A? CISCO14042. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14556, len 131)
11:23:55.398183 192.168.2.131.43872 > 195.130.131.4.53: [bad udp cksum 4216!] 56010+ A? CINEMAROOM.home. (33) (ttl 64, id 45340, len 61, bad cksum 0! differs by bfe1)
11:23:55.408918 195130.131.4.53 > 192.168.2.131.43872: [udp sum ok] 56010 NXDomain q: A? CINEMAROOM.home. 0/1/0 ns: . [7m58s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14557, len 136)
11:23:55.409046 192.168.2.131.19240 > 195.130.131.4.53: [bad udp cksum 7e32!] 63148+ A? CINEMAROOM. (28) (ttl 64, id 53749, len 56, bad cksum 0! differs by 9f0d)
11:23:55.420882 195.130.131.4.53 > 192.168.2.131.19240: [udp sum ok] 63148 NXDomain q: A? CINEMAROOM. 0/1/0 ns: . [7m58s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14558, len 131)
I'm also trying netflow at the moment. Here's the output of netflow. Only 192.168.2.131 (collector, and Samba server that is being the "problem" here) and 192.168.2.113 (netflow sensor) are behind a Cisco switch that monitors its ports. All the Windows boxes are connected "outside" this switch, so I can't capture all the traffic they generate.
SrcP = source port, DstP = destination port, P = protocol, Fl = decimal TCP control bits, Pkts = number of packets, Octets = number of bytes in this case.
Code:
$ flow-cat ft-v05.2013-11-01.112501+0100 | flow-print -f5 | sort | less
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1101.11:23:41.157 1101.11:28:16.307 0 192.168.2.1 1900 0 239.255.255.250 1900 17 0 113 38828
1101.11:23:47.482 1101.11:23:47.482 0 192.168.2.131 37288 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.483 1101.11:23:47.483 0 192.168.2.142 137 0 192.168.2.131 37288 17 0 1 90
1101.11:23:47.484 1101.11:23:58.106 0 192.168.2.131 18784 0 192.168.2.142 445 6 3 8 1262
1101.11:23:47.484 1101.11:23:58.106 0 192.168.2.142 445 0 192.168.2.131 18784 6 6 7 1289
1101.11:23:47.493 1101.11:23:47.493 0 192.168.2.131 38001 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.494 1101.11:23:47.494 0 192.168.2.142 137 0 192.168.2.131 38001 17 0 1 90
1101.11:23:47.519 1101.11:23:47.519 0 192.168.2.116 137 0 192.168.2.131 38001 17 0 1 90
1101.11:23:47.757 1101.11:23:47.758 0 192.168.2.131 6757 0 192.168.2.142 137 17 0 1 78
1101.11:23:47.757 1101.11:23:47.758 0 192.168.2.142 137 0 192.168.2.131 6757 17 0 1 239
1101.11:23:47.758 1101.11:23:47.758 0 192.168.2.131 40805 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.759 1101.11:23:47.759 0 192.168.2.142 137 0 192.168.2.131 40805 17 0 1 90
1101.11:23:47.760 1101.11:23:58.106 0 192.168.2.131 46073 0 192.168.2.142 445 6 3 9 1442
1101.11:23:47.760 1101.11:23:58.106 0 192.168.2.142 445 0 192.168.2.131 46073 6 6 8 1483
1101.11:23:47.770 1101.11:23:47.770 0 192.168.2.131 30748 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.779 1101.11:23:47.779 0 192.168.2.116 137 0 192.168.2.131 30748 17 0 1 90
1101.11:23:47.780 1101.11:23:58.110 0 192.168.2.116 445 0 192.168.2.131 24377 6 3 7 804
1101.11:23:47.780 1101.11:23:58.110 0 192.168.2.131 24377 0 192.168.2.116 445 6 3 9 1030
1101.11:23:47.787 1101.11:23:47.789 0 192.168.2.116 139 0 192.168.2.131 12116 6 2 1 60
1101.11:23:47.787 1101.11:23:47.789 0 192.168.2.131 12116 0 192.168.2.116 139 6 6 2 110
1101.11:23:47.823 1101.11:23:47.833 0 192.168.2.131 3414 0 195.130.131.4 53 17 0 1 61
1101.11:23:47.823 1101.11:23:47.833 0 195.130.131.4 53 0 192.168.2.131 3414 17 0 1 136
1101.11:23:47.834 1101.11:23:47.845 0 192.168.2.131 38794 0 195.130.131.4 53 17 0 1 56
1101.11:23:47.834 1101.11:23:47.845 0 195.130.131.4 53 0 192.168.2.131 38794 17 0 1 131
1101.11:23:47.846 1101.11:23:47.846 0 192.168.2.100 137 0 192.168.2.131 32449 17 0 1 90
1101.11:23:47.846 1101.11:23:47.846 0 192.168.2.131 32449 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.847 1101.11:23:58.106 0 192.168.2.100 445 0 192.168.2.131 23842 6 6 10 1571
1101.11:23:47.847 1101.11:23:58.106 0 192.168.2.131 23842 0 192.168.2.100 445 6 3 11 1728
1101.11:23:47.857 1101.11:23:47.869 0 192.168.2.131 2799 0 195.130.131.4 53 17 0 1 61
1101.11:23:47.857 1101.11:23:47.869 0 195.130.131.4 53 0 192.168.2.131 2799 17 0 1 136
1101.11:23:47.869 1101.11:23:47.881 0 192.168.2.131 6294 0 195.130.131.4 53 17 0 1 56
1101.11:23:47.869 1101.11:23:47.881 0 195.130.131.4 53 0 192.168.2.131 6294 17 0 1 131
1101.11:23:47.882 1101.11:23:47.882 0 192.168.2.131 6596 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.883 1101.11:23:47.883 0 192.168.2.1 137 0 192.168.2.131 6596 17 0 1 90
1101.11:23:47.883 1101.11:23:58.109 0 192.168.2.1 445 0 192.168.2.131 8813 6 3 10 1281
1101.11:23:47.883 1101.11:23:58.109 0 192.168.2.131 8813 0 192.168.2.1 445 6 3 12 1543
1101.11:23:47.925 1101.11:23:47.937 0 192.168.2.131 9185 0 195.130.131.4 53 17 0 1 61
1101.11:23:47.925 1101.11:23:47.937 0 195.130.131.4 53 0 192.168.2.131 9185 17 0 1 136
1101.11:23:47.938 1101.11:23:47.949 0 192.168.2.131 8694 0 195.130.131.4 53 17 0 1 56
1101.11:23:47.938 1101.11:23:47.949 0 195.130.131.4 53 0 192.168.2.131 8694 17 0 1 131
1101.11:23:47.950 1101.11:23:47.950 0 192.168.2.131 7872 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.960 1101.11:23:47.960 0 192.168.2.116 137 0 192.168.2.131 7872 17 0 1 90
1101.11:23:47.960 1101.11:23:58.110 0 192.168.2.116 445 0 192.168.2.131 13453 6 3 11 1382
1101.11:23:47.960 1101.11:23:58.110 0 192.168.2.131 13453 0 192.168.2.116 445 6 3 13 1595
1101.11:23:47.970 1101.11:23:47.971 0 192.168.2.116 139 0 192.168.2.131 28508 6 2 1 60
1101.11:23:47.970 1101.11:23:47.971 0 192.168.2.131 28508 0 192.168.2.116 139 6 6 2 110
1101.11:23:48.019 1101.11:23:48.019 0 192.168.2.131 5769 0 192.168.2.255 137 17 0 1 78
1101.11:23:48.019 1101.11:23:48.019 0 192.168.2.142 137 0 192.168.2.131 5769 17 0 1 90
1101.11:23:48.020 1101.11:23:58.106 0 192.168.2.131 48594 0 192.168.2.142 445 6 3 9 1442
1101.11:23:48.020 1101.11:23:58.106 0 192.168.2.142 445 0 192.168.2.131 48594 6 6 8 1509
In addition, this is what netflow captures when I try to connect over the network from a Windows host. I can only see my Samba server being displayed as IO under "Network". When I double-click on that I'm asked for a password, but I can't see any shares (some of them are public, guest browseable).
Code:
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1101.12:34:28.015 1101.12:38:11.586 0 192.168.2.142 138 0 192.168.2.255 138 17 0 6 1301
1101.12:34:49.337 1101.12:34:49.745 0 192.168.2.142 51147 0 224.0.0.252 5355 17 0 2 100
1101.12:34:49.337 1101.12:34:49.745 0 192.168.2.142 64539 0 224.0.0.252 5355 17 0 2 100
1101.12:34:49.337 1101.12:37:14.378 0 192.168.2.142 137 0 192.168.2.255 137 17 0 23 1794
1101.12:35:41.718 1101.12:35:52.483 0 192.168.2.131 445 0 192.168.2.142 63560 6 2 10 1539
1101.12:35:41.718 1101.12:35:52.483 0 192.168.2.142 63560 0 192.168.2.131 445 6 6 13 3021
1101.12:35:59.734 1101.12:36:21.188 0 192.168.2.131 445 0 192.168.2.142 63562 6 2 44 7132
1101.12:35:59.734 1101.12:36:21.188 0 192.168.2.142 63562 0 192.168.2.131 445 6 6 67 15001
1101.12:36:26.688 1101.12:36:42.814 0 192.168.2.131 445 0 192.168.2.142 63564 6 2 20 3184
1101.12:36:26.688 1101.12:36:42.814 0 192.168.2.142 63564 0 192.168.2.131 445 6 6 24 6357
1101.12:36:43.893 1101.12:36:54.596 0 192.168.2.131 445 0 192.168.2.142 63565 6 2 8 1210
1101.12:36:43.893 1101.12:36:54.596 0 192.168.2.142 63565 0 192.168.2.131 445 6 6 11 2363
1101.12:37:13.457 1101.12:37:40.286 0 192.168.2.131 445 0 192.168.2.142 63587 6 2 62 10093
1101.12:37:13.457 1101.12:37:40.286 0 192.168.2.142 63587 0 192.168.2.131 445 6 6 74 20543
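
Added example, not part of the original post: a small Python parser for the `flow-print -f5` rows shown above that decodes the decimal Fl column into TCP flag names and pairs both directions of each TCP connection. It assumes the standard TCP bit values (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32) and treats the lower-numbered port as the server side; the function names are illustrative.

```python
from collections import defaultdict

# Standard TCP control bits; NetFlow v5 ORs together every flag seen in a flow.
TCP_FLAGS = [(1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG")]

# Sample input: the header and four rows copied from the flow-print listing above.
SAMPLE = """\
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1101.11:23:47.482 1101.11:23:47.482 0 192.168.2.131 37288 0 192.168.2.255 137 17 0 1 78
1101.11:23:47.484 1101.11:23:58.106 0 192.168.2.131 18784 0 192.168.2.142 445 6 3 8 1262
1101.11:23:47.484 1101.11:23:58.106 0 192.168.2.142 445 0 192.168.2.131 18784 6 6 7 1289
1101.11:23:47.787 1101.11:23:47.789 0 192.168.2.116 139 0 192.168.2.131 12116 6 2 1 60
"""

def decode_flags(value):
    """Turn the decimal Fl value into flag names, e.g. 3 -> 'FIN|SYN'."""
    names = [name for bit, name in TCP_FLAGS if value & bit]
    return "|".join(names) if names else "-"

def to_ms(stamp):
    """Convert 'MMDD.HH:MM:SS.mmm' to milliseconds since midnight."""
    _, clock, ms = stamp.split(".")
    h, m, s = (int(x) for x in clock.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + int(ms)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or not f[0][0].isdigit():
            continue  # skip the header row and anything malformed
        flows.append({"ms": to_ms(f[1]) - to_ms(f[0]), "src": f[3], "sport": int(f[4]),
                      "dst": f[6], "dport": int(f[7]), "proto": int(f[8]),
                      "flags": int(f[9]), "pkts": int(f[10]), "octets": int(f[11])})
    return flows

def tcp_conversations(flows):
    """Pair the two unidirectional records of each TCP connection."""
    convs = defaultdict(lambda: {"c2s": "-", "s2c": "-", "ms": 0})
    for fl in flows:
        if fl["proto"] != 6:
            continue
        if fl["dport"] < fl["sport"]:  # assumption: lower port is the server
            key, side = (fl["src"], fl["sport"], fl["dst"], fl["dport"]), "c2s"
        else:
            key, side = (fl["dst"], fl["dport"], fl["src"], fl["sport"]), "s2c"
        convs[key][side] = decode_flags(fl["flags"])
        convs[key]["ms"] = max(convs[key]["ms"], fl["ms"])
    return dict(convs)

if __name__ == "__main__":
    for key, info in tcp_conversations(parse_flows(SAMPLE)).items():
        print(key, info)
```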