System information
Chapter 5. Samba management and troubleshooting 91
To view all the NetBIOS traffic to and from the server, use the command:
tethereal -i eth1 -p -f 'port 137 or 138 or 139'
The -p option runs the program without putting the interface into promiscuous mode. In many
companies, special permission must be granted before running a protocol analyzer in
promiscuous mode. The -f option sets the filter string. Ports 137, 138, and 139 are all the
ports defined in /etc/services for NetBIOS traffic. The output of the command shown in
Example 5-18 contains mainly broadcast traffic.
Example 5-18 Show all NetBIOS traffic
linux:~ # tethereal -p -i eth1 -f 'port 137 or 138 or 139'
Capturing on eth1
0.000000 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
0.754595 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
1.509200 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
4.130283 78-ba897.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WTRNTDM<1c>
4.880309 78-ba897.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WTRNTDM<1c>
5.630557 78-ba897.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WTRNTDM<1c>
6.187107 ibm-qu7l6sr9cl6 -> 9.24.105.255 BROWSER Host Announcement KA6BRRA, Workstation, Server, NT Workstation, NT Server, Backup Browser
7.085537 65652ksv -> 9.24.105.255 BROWSER Host Announcement M23CABXK, Workstation, Server, NT Workstation, NT Server, Backup Browser
7.296587 m23x2640.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
7.761838 m23kk904.itso.ral.ibm.com -> 9.24.105.255 BROWSER Host Announcement M23KK904, Workstation, Server, NT Workstation, NT Server, Potential Browser
8.045579 m23x2640.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
8.732341 byron5500.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WTRNTDM<1c>
8.732976 byron5500.itso.ral.ibm.com -> 9.24.105.255 NETLOGON SAM LOGON request from client
8.795417 m23x2640.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
13.443810 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
14.197594 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
14.948812 itsons.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WTRNTBAK<20>
14.952186 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
17.196362 wtrntbak.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB ITSONS<20>
18.684232 m23x2640.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1c>
19.434101 m23x2640.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1c>
20.183985 m23x2640.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1c>
22.820827 vdputteg.itso.ral.ibm.com -> 9.24.105.255 BROWSER Host Announcement VDPUTTEG, Workstation, Server, NT Workstation, Potential Browser
23.912973 68622ksv -> 9.24.105.255 NBNS Name query NB BJD1MO<1b>
24.663972 68622ksv -> 9.24.105.255 NBNS Name query NB BJD1MO<1b>
24.882039 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1c>
25.414963 68622ksv -> 9.24.105.255 NBNS Name query NB BJD1MO<1b>
25.636634 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1c>
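Added example, not part of the original text: a Python script that summarizes the NBNS name queries in tethereal output such as Example 5-18, grouping them by queried name and NetBIOS suffix and counting requests per source host. The function names and the suffix table are this example's own; the sample lines are copied from Example 5-18.

```python
import re
from collections import Counter, defaultdict

# Common NetBIOS name suffixes (the 16th byte of the name, shown as <xx>).
SUFFIXES = {"00": "workstation service", "1b": "domain master browser",
            "1c": "domain controllers", "1d": "local master browser",
            "1e": "browser elections", "20": "file server service"}

# One tethereal summary record: time, source -> destination, protocol, info.
RECORD = re.compile(r"^\s*\d+\.\d+\s+(?P<src>\S+)\s+->\s+\S+\s+"
                    r"(?P<proto>[A-Z]+)\s+(?P<info>.*)$")
QUERY = re.compile(r"Name query NB (?P<name>\S+?)<(?P<suffix>[0-9A-Fa-f]{2})>")

def unwrap(lines):
    """Join wrapped continuation lines (no leading timestamp) to their record."""
    records = []
    for raw in lines:
        line = raw.strip()
        if RECORD.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def summarize_queries(lines):
    """Map (name, suffix) -> Counter of source hosts that queried for it."""
    summary = defaultdict(Counter)
    for rec in unwrap(lines):
        m = RECORD.match(rec)
        q = QUERY.search(m["info"]) if m["proto"] == "NBNS" else None
        if q:
            summary[(q["name"], q["suffix"].lower())][m["src"]] += 1
    return dict(summary)

# Sample input: lines copied from Example 5-18, including one wrapped record.
SAMPLE = """Capturing on eth1
0.000000 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
0.754595 a23ff426.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
4.130283 78-ba897.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WTRNTDM<1c>
6.187107 ibm-qu7l6sr9cl6 -> 9.24.105.255 BROWSER Host Announcement KA6BRRA, Workstation,
Server, NT Workstation, NT Server, Backup Browser
7.296587 m23x2640.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WORKGROUP<1b>
14.948812 itsons.itso.ral.ibm.com -> 9.24.105.255 NBNS Name query NB WTRNTBAK<20>
""".splitlines()

if __name__ == "__main__":
    for (name, suffix), hosts in sorted(summarize_queries(SAMPLE).items()):
        role = SUFFIXES.get(suffix, "unknown suffix")
        print(f"{name}<{suffix}> ({role}): {sum(hosts.values())} queries")
        for host, n in hosts.most_common():
            print(f"    {n:3d}  {host}")
```

To use it on a live capture, save the tethereal output to a file and pass its lines to summarize_queries() in place of SAMPLE.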
Filtering out all the broadcast traffic is done by including the host address in the filter string, as
shown in Example 5-19.
Example 5-19 Just NetBIOS traffic addressed to server
[root@portal1 root]# tethereal -p -i eth1 -f 'host 9.24.105.99 and (port 137 or 138 or 139)'
Capturing on eth1
0.000000 ibm-76a6i5kadj8 -> portal1.itso.ral.ibm.com SMB NT Create AndX Request, Path: \srvsvc
0.003648 portal1.itso.ral.ibm.com -> ibm-76a6i5kadj8 SMB NT Create AndX Response, FID: 0x70b4