1st November 2013
virtuvoos
Port Guard
Join Date: Oct 2013
Posts: 28

A bit of a late reply.

I issued the smbtree command at 11:23:42; it stopped at 11:23:56, spending most of its time trying to find shares on 192.168.2.131 without succeeding.
192.168.2.131 is the localhost as well as the host serving the Samba share.

The contents of /etc/resolv.conf:
Code:
$ cat /etc/resolv.conf
# Generated by re0 dhclient
search home
nameserver 195.130.131.4
nameserver 195.130.130.132
nameserver 192.168.2.1
lookup file bind
$
The output of tcpdump:

Code:
11:23:45.152604 192.168.2.131.3414 > 195.130.131.4.53: [bad udp cksum 6e1d!] 37829+ A? PC-BUREEL-.home. (33) (ttl 64, id 23373, len 61, bad cksum 0! differs by 15b1)
11:23:45.162916 195.130.131.4.53 > 192.168.2.131.3414: [udp sum ok] 37829 NXDomain q: A? PC-BUREEL-.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14551, len 136)
11:23:45.163127 192.168.2.131.38794 > 195.130.131.4.53: [bad udp cksum fff3!] 2789+ A? PC-BUREEL-. (28) (ttl 64, id 45911, len 56, bad cksum 0! differs by bdab)
11:23:45.174856 195.130.131.4.53 > 192.168.2.131.38794: [udp sum ok] 2789 NXDomain q: A? PC-BUREEL-. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14552, len 131)
11:23:45.186837 192.168.2.131.2799 > 195.130.131.4.53: [bad udp cksum de82!] 22992+ A? CISCO42080.home. (33) (ttl 64, id 21207, len 61, bad cksum 0! differs by 1e27)
11:23:45.198672 195.130.131.4.53 > 192.168.2.131.2799: [udp sum ok] 22992 NXDomain q: A? CISCO42080.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14553, len 136)
11:23:45.198909 192.168.2.131.6294 > 195.130.131.4.53: [bad udp cksum 5f2c!] 31374+ A? CISCO42080. (28) (ttl 64, id 44294, len 56, bad cksum 0! differs by c3fc)
11:23:45.210716 195.130.131.4.53 > 192.168.2.131.6294: [udp sum ok] 31374 NXDomain q: A? CISCO42080. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14554, len 131)
11:23:45.254804 192.168.2.131.9185 > 195.130.131.4.53: [bad udp cksum fc5d!] 26306+ A? CISCO14042.home. (33) (ttl 64, id 45079, len 61, bad cksum 0! differs by c0e6)
11:23:45.266982 195.130.131.4.53 > 192.168.2.131.9185: [udp sum ok] 26306 NXDomain q: A? CISCO14042.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14555, len 136)
11:23:45.267205 192.168.2.131.8694 > 195.130.131.4.53: [bad udp cksum 900e!] 36863+ A? CISCO14042. (28) (ttl 64, id 43978, len 56, bad cksum 0! differs by c538)
11:23:45.278799 195.130.131.4.53 > 192.168.2.131.8694: [udp sum ok] 36863 NXDomain q: A? CISCO14042. 0/1/0 ns: . [8m51s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14556, len 131)
11:23:55.398183 192.168.2.131.43872 > 195.130.131.4.53: [bad udp cksum 4216!] 56010+ A? CINEMAROOM.home. (33) (ttl 64, id 45340, len 61, bad cksum 0! differs by bfe1)
11:23:55.408918 195.130.131.4.53 > 192.168.2.131.43872: [udp sum ok] 56010 NXDomain q: A? CINEMAROOM.home. 0/1/0 ns: . [7m58s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (108) (ttl 57, id 14557, len 136)
11:23:55.409046 192.168.2.131.19240 > 195.130.131.4.53: [bad udp cksum 7e32!] 63148+ A? CINEMAROOM. (28) (ttl 64, id 53749, len 56, bad cksum 0! differs by 9f0d)
11:23:55.420882 195.130.131.4.53 > 192.168.2.131.19240: [udp sum ok] 63148 NXDomain q: A? CINEMAROOM. 0/1/0 ns: . [7m58s] SOA a.root-servers.net. nstld.verisign-grs.com. 2013110100 1800 900 604800 86400 (103) (ttl 57, id 14558, len 131)
I'm also trying netflow at the moment. Here's the output of netflow. Only 192.168.2.131 (the collector, and the Samba server that is the "problem" here) and 192.168.2.113 (the netflow sensor) are behind a Cisco switch that monitors its ports. All the Windows boxes are connected "outside" this switch, so I can't capture all the traffic they generate.

SrcP = source port, DstP = destination port, P = protocol, Fl = TCP control bits (decimal), Pkts = number of packets, Octets = number of bytes in this case.

Code:
$ flow-cat ft-v05.2013-11-01.112501+0100    | flow-print -f5 | sort | less 
Start             End               Sif   SrcIPaddress    SrcP  DIf   DstIPaddress    DstP    P Fl Pkts       Octets
1101.11:23:41.157 1101.11:28:16.307 0     192.168.2.1     1900  0     239.255.255.250 1900  17  0  113        38828     
1101.11:23:47.482 1101.11:23:47.482 0     192.168.2.131   37288 0     192.168.2.255   137   17  0  1          78        
1101.11:23:47.483 1101.11:23:47.483 0     192.168.2.142   137   0     192.168.2.131   37288 17  0  1          90        
1101.11:23:47.484 1101.11:23:58.106 0     192.168.2.131   18784 0     192.168.2.142   445   6   3  8          1262      
1101.11:23:47.484 1101.11:23:58.106 0     192.168.2.142   445   0     192.168.2.131   18784 6   6  7          1289      
1101.11:23:47.493 1101.11:23:47.493 0     192.168.2.131   38001 0     192.168.2.255   137   17  0  1          78        
1101.11:23:47.494 1101.11:23:47.494 0     192.168.2.142   137   0     192.168.2.131   38001 17  0  1          90        
1101.11:23:47.519 1101.11:23:47.519 0     192.168.2.116   137   0     192.168.2.131   38001 17  0  1          90        
1101.11:23:47.757 1101.11:23:47.758 0     192.168.2.131   6757  0     192.168.2.142   137   17  0  1          78        
1101.11:23:47.757 1101.11:23:47.758 0     192.168.2.142   137   0     192.168.2.131   6757  17  0  1          239       
1101.11:23:47.758 1101.11:23:47.758 0     192.168.2.131   40805 0     192.168.2.255   137   17  0  1          78        
1101.11:23:47.759 1101.11:23:47.759 0     192.168.2.142   137   0     192.168.2.131   40805 17  0  1          90        
1101.11:23:47.760 1101.11:23:58.106 0     192.168.2.131   46073 0     192.168.2.142   445   6   3  9          1442      
1101.11:23:47.760 1101.11:23:58.106 0     192.168.2.142   445   0     192.168.2.131   46073 6   6  8          1483      
1101.11:23:47.770 1101.11:23:47.770 0     192.168.2.131   30748 0     192.168.2.255   137   17  0  1          78        
1101.11:23:47.779 1101.11:23:47.779 0     192.168.2.116   137   0     192.168.2.131   30748 17  0  1          90        
1101.11:23:47.780 1101.11:23:58.110 0     192.168.2.116   445   0     192.168.2.131   24377 6   3  7          804       
1101.11:23:47.780 1101.11:23:58.110 0     192.168.2.131   24377 0     192.168.2.116   445   6   3  9          1030      
1101.11:23:47.787 1101.11:23:47.789 0     192.168.2.116   139   0     192.168.2.131   12116 6   2  1          60        
1101.11:23:47.787 1101.11:23:47.789 0     192.168.2.131   12116 0     192.168.2.116   139   6   6  2          110       
1101.11:23:47.823 1101.11:23:47.833 0     192.168.2.131   3414  0     195.130.131.4   53    17  0  1          61        
1101.11:23:47.823 1101.11:23:47.833 0     195.130.131.4   53    0     192.168.2.131   3414  17  0  1          136       
1101.11:23:47.834 1101.11:23:47.845 0     192.168.2.131   38794 0     195.130.131.4   53    17  0  1          56        
1101.11:23:47.834 1101.11:23:47.845 0     195.130.131.4   53    0     192.168.2.131   38794 17  0  1          131       
1101.11:23:47.846 1101.11:23:47.846 0     192.168.2.100   137   0     192.168.2.131   32449 17  0  1          90        
1101.11:23:47.846 1101.11:23:47.846 0     192.168.2.131   32449 0     192.168.2.255   137   17  0  1          78        
1101.11:23:47.847 1101.11:23:58.106 0     192.168.2.100   445   0     192.168.2.131   23842 6   6  10         1571      
1101.11:23:47.847 1101.11:23:58.106 0     192.168.2.131   23842 0     192.168.2.100   445   6   3  11         1728      
1101.11:23:47.857 1101.11:23:47.869 0     192.168.2.131   2799  0     195.130.131.4   53    17  0  1          61        
1101.11:23:47.857 1101.11:23:47.869 0     195.130.131.4   53    0     192.168.2.131   2799  17  0  1          136       
1101.11:23:47.869 1101.11:23:47.881 0     192.168.2.131   6294  0     195.130.131.4   53    17  0  1          56        
1101.11:23:47.869 1101.11:23:47.881 0     195.130.131.4   53    0     192.168.2.131   6294  17  0  1          131       
1101.11:23:47.882 1101.11:23:47.882 0     192.168.2.131   6596  0     192.168.2.255   137   17  0  1          78        
1101.11:23:47.883 1101.11:23:47.883 0     192.168.2.1     137   0     192.168.2.131   6596  17  0  1          90        
1101.11:23:47.883 1101.11:23:58.109 0     192.168.2.1     445   0     192.168.2.131   8813  6   3  10         1281      
1101.11:23:47.883 1101.11:23:58.109 0     192.168.2.131   8813  0     192.168.2.1     445   6   3  12         1543      
1101.11:23:47.925 1101.11:23:47.937 0     192.168.2.131   9185  0     195.130.131.4   53    17  0  1          61        
1101.11:23:47.925 1101.11:23:47.937 0     195.130.131.4   53    0     192.168.2.131   9185  17  0  1          136       
1101.11:23:47.938 1101.11:23:47.949 0     192.168.2.131   8694  0     195.130.131.4   53    17  0  1          56        
1101.11:23:47.938 1101.11:23:47.949 0     195.130.131.4   53    0     192.168.2.131   8694  17  0  1          131       
1101.11:23:47.950 1101.11:23:47.950 0     192.168.2.131   7872  0     192.168.2.255   137   17  0  1          78        
1101.11:23:47.960 1101.11:23:47.960 0     192.168.2.116   137   0     192.168.2.131   7872  17  0  1          90        
1101.11:23:47.960 1101.11:23:58.110 0     192.168.2.116   445   0     192.168.2.131   13453 6   3  11         1382      
1101.11:23:47.960 1101.11:23:58.110 0     192.168.2.131   13453 0     192.168.2.116   445   6   3  13         1595      
1101.11:23:47.970 1101.11:23:47.971 0     192.168.2.116   139   0     192.168.2.131   28508 6   2  1          60        
1101.11:23:47.970 1101.11:23:47.971 0     192.168.2.131   28508 0     192.168.2.116   139   6   6  2          110       
1101.11:23:48.019 1101.11:23:48.019 0     192.168.2.131   5769  0     192.168.2.255   137   17  0  1          78        
1101.11:23:48.019 1101.11:23:48.019 0     192.168.2.142   137   0     192.168.2.131   5769  17  0  1          90        
1101.11:23:48.020 1101.11:23:58.106 0     192.168.2.131   48594 0     192.168.2.142   445   6   3  9          1442      
1101.11:23:48.020 1101.11:23:58.106 0     192.168.2.142   445   0     192.168.2.131   48594 6   6  8          1509
In addition, this is what netflow captures when I try to connect over the network from a Windows host. I can only see my Samba server displayed as IO under "Network". When I double-click on it I'm asked for a password, but I can't see any shares (some of them are public, guest browseable).

Code:
Start             End               Sif   SrcIPaddress    SrcP  DIf   DstIPaddress    DstP    P Fl Pkts       Octets
1101.12:34:28.015 1101.12:38:11.586 0     192.168.2.142   138   0     192.168.2.255   138   17  0  6          1301      
1101.12:34:49.337 1101.12:34:49.745 0     192.168.2.142   51147 0     224.0.0.252     5355  17  0  2          100       
1101.12:34:49.337 1101.12:34:49.745 0     192.168.2.142   64539 0     224.0.0.252     5355  17  0  2          100       
1101.12:34:49.337 1101.12:37:14.378 0     192.168.2.142   137   0     192.168.2.255   137   17  0  23         1794      
1101.12:35:41.718 1101.12:35:52.483 0     192.168.2.131   445   0     192.168.2.142   63560 6   2  10         1539      
1101.12:35:41.718 1101.12:35:52.483 0     192.168.2.142   63560 0     192.168.2.131   445   6   6  13         3021      
1101.12:35:59.734 1101.12:36:21.188 0     192.168.2.131   445   0     192.168.2.142   63562 6   2  44         7132      
1101.12:35:59.734 1101.12:36:21.188 0     192.168.2.142   63562 0     192.168.2.131   445   6   6  67         15001     
1101.12:36:26.688 1101.12:36:42.814 0     192.168.2.131   445   0     192.168.2.142   63564 6   2  20         3184      
1101.12:36:26.688 1101.12:36:42.814 0     192.168.2.142   63564 0     192.168.2.131   445   6   6  24         6357      
1101.12:36:43.893 1101.12:36:54.596 0     192.168.2.131   445   0     192.168.2.142   63565 6   2  8          1210      
1101.12:36:43.893 1101.12:36:54.596 0     192.168.2.142   63565 0     192.168.2.131   445   6   6  11         2363      
1101.12:37:13.457 1101.12:37:40.286 0     192.168.2.131   445   0     192.168.2.142   63587 6   2  62         10093     
1101.12:37:13.457 1101.12:37:40.286 0     192.168.2.142   63587 0     192.168.2.131   445   6   6  74         20543

Last edited by virtuvoos; 1st November 2013 at 11:50 AM.
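As an added example (not the poster's own code), a small Python checker for the symptom visible in the tcpdump output above: NetBIOS-style workstation names (bare, or with the resolv.conf search suffix appended) being sent to resolvers outside the LAN and answered NXDomain, which both leaks internal host names and wastes a round trip per lookup. It assumes the tcpdump -vv line format seen in the post; the sample lines are taken from the post, unwrapped, with the trailing SOA/ttl fields trimmed.

```python
import re
from ipaddress import ip_address, ip_network

# Sample lines taken from the post's tcpdump output (unwrapped, trailing SOA/ttl fields trimmed).
SAMPLE = """\
11:23:45.152604 192.168.2.131.3414 > 195.130.131.4.53: [bad udp cksum 6e1d!] 37829+ A? PC-BUREEL-.home. (33)
11:23:45.162916 195.130.131.4.53 > 192.168.2.131.3414: [udp sum ok] 37829 NXDomain q: A? PC-BUREEL-.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net.
11:23:45.163127 192.168.2.131.38794 > 195.130.131.4.53: [bad udp cksum fff3!] 2789+ A? PC-BUREEL-. (28)
11:23:45.174856 195.130.131.4.53 > 192.168.2.131.38794: [udp sum ok] 2789 NXDomain q: A? PC-BUREEL-. 0/1/0 ns: . [8m51s] SOA a.root-servers.net.
11:23:45.186837 192.168.2.131.2799 > 195.130.131.4.53: [bad udp cksum de82!] 22992+ A? CISCO42080.home. (33)
11:23:45.198672 195.130.131.4.53 > 192.168.2.131.2799: [udp sum ok] 22992 NXDomain q: A? CISCO42080.home. 0/1/0 ns: . [8m51s] SOA a.root-servers.net.
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Query line:  "<time> <client>.<sport> > <resolver>.53: [...] <id>+ <qtype>? <qname>"
QUERY = re.compile(rf"^(\S+) {IP}\.(\d+) > {IP}\.53: \[[^\]]*\] (\d+)\+ (\w+)\? (\S+)")
# Reply line:  "<time> <resolver>.53 > <client>.<dport>: [...] <id> [<rcode>] q: ..."
REPLY = re.compile(rf"^(\S+) {IP}\.53 > {IP}\.(\d+): \[[^\]]*\] (\d+) (NXDomain|ServFail|Refused)?")
NETBIOS_LABEL = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # NetBIOS names are at most 15 characters

def hms_to_seconds(stamp):
    """tcpdump HH:MM:SS.ffffff -> seconds since midnight."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def pair_dns(text):
    """Pair each query with its reply on (resolver, client port, transaction id)."""
    pending, pairs = {}, []
    for line in text.splitlines():
        if m := QUERY.match(line):
            stamp, client, sport, resolver, qid, qtype, qname = m.groups()
            pending[(resolver, sport, qid)] = (hms_to_seconds(stamp), client, qtype, qname)
        elif m := REPLY.match(line):
            stamp, resolver, client, dport, qid, rcode = m.groups()
            if q := pending.pop((resolver, dport, qid), None):
                pairs.append({"qname": q[3], "qtype": q[2], "client": q[1], "resolver": resolver,
                              "rcode": rcode or "NoError", "rtt_ms": (hms_to_seconds(stamp) - q[0]) * 1000})
    return pairs

def leaked_netbios_lookups(text, lan="192.168.2.0/24", search="home"):
    """NXDomain replies from off-LAN resolvers to NetBIOS-style names (bare or with the search suffix)."""
    net, out = ip_network(lan), []
    for p in pair_dns(text):
        labels = p["qname"].rstrip(".").split(".")
        host_like = len(labels) == 1 or labels[1:] == [search]
        if (host_like and NETBIOS_LABEL.match(labels[0]) and p["rcode"] == "NXDomain"
                and ip_address(p["resolver"]) not in net):
            out.append(p)
    return out
```

Calling `leaked_netbios_lookups(SAMPLE)` returns the three leaked lookups with their round-trip times; feed it the full tcpdump capture to total the time smbtree spent waiting on the ISP resolvers.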