The tcpdump program, written by Van Jacobson, Craig Leres, and Steven McCanne, and extended by Andrew Tridgell, allows you to monitor network traffic in real time. A variety of output formats are available, and you can filter the output to look at only a particular type of traffic. The tcpdump program lets you examine all conversations between client and server, including SMB and NMB broadcast messages. While its troubleshooting capabilities lie mainly at the OSI network layer, you can still use its output to get a general idea of what the server and client are attempting to accomplish.
A sample tcpdump log follows. In this instance, the client has requested a directory listing and the server has responded appropriately, giving the directory names homes, public, IPC$, and temp (we've added a few explanations on the right):
$ tcpdump -v -s 255 -i eth0 port not telnet

SMB PACKET: SMBtrans (REQUEST)                      Request packet
SMB Command = 0x25                                  Request was ls or dir.
[000] 01 00 00 10 ....

>>> NBT Packet                                      Outer frame of SMB packet
NBT Session Packet
Flags=0x0
Length=226

[lines skipped]

SMB PACKET: SMBtrans (REPLY)                        Beginning of a reply to request
SMB Command = 0x25                                  Command was an ls or dir
Error class = 0x0
Error code = 0                                      No errors
Flags1 = 0x80
Flags2 = 0x1
Tree ID = 105
Proc ID = 6075
UID = 100
MID = 30337
Word Count = 10
TotParamCnt=8
TotDataCnt=163
Res1=0
ParamCnt=8
ParamOff=55
Res2=0
DataCnt=163
DataOff=63
Res3=0
Lsetup=0
Param Data: (8 bytes)
[000] 00 00 00 00 05 00 05 00 ........
Data Data: (135 bytes)                              Actual directory contents:
[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........
[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic......
[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp....
[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$
[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w...
[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........
[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo
[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi
[080] 63 65 20 28 53 61 6D                            ce (Sam
This is more of the same debugging session as with the trace command: the listing of a directory. The options we used were -v (verbose), -i eth0 to tell tcpdump the interface to listen on (an Ethernet port), and -s 255 to tell it to save the first 255 bytes of each packet instead of the default, the first 68. The filter expression port not telnet is used to avoid screens of telnet traffic, since we were logged in to the server remotely. The tcpdump program actually has quite a number of options to filter just the traffic you want to look at. If you've used snoop or etherdump, they'll look vaguely familiar.
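The hex dump above is easier to read once you know the reply's layout. The following script is an added example (not part of the original text or of the Samba tools); it assumes the reply is a RAP NetShareEnum response in share_info_1 format, which the field layout of the dump matches: the Param Data block holds status, converter, entries returned and entries available as little-endian 16-bit words, and each 20-byte data entry is a 13-byte NUL-padded share name, a pad byte, a 16-bit share type and a 32-bit pointer to the comment string. It parses the dump rows exactly as tcpdump printed them and handles the truncation visible on the page (DataCnt is 163 but only 135 bytes were captured, consistent with the 255-byte snaplen), so comments cut off by the snaplen are flagged rather than misread; it also recovers the fifth entry, donham, that the dump contains.

```python
import re
import struct
# Hex-dump rows copied from the tcpdump output above (constructed input for this
# example; tcpdump's trailing ASCII column is kept, and the parser skips it).
PARAM_DUMP = "[000] 00 00 00 00 05 00 05 00 ........"
DATA_DUMP = """\
[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........
[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic......
[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp....
[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$
[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w...
[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........
[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo
[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi
[080] 63 65 20 28 53 61 6D ce (Sam"""
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
SHARE_TYPES = {0: "disk", 1: "printer", 2: "device", 3: "IPC"}

def parse_hex_dump(dump, length):
    """Rebuild bytes from '[off] xx xx ... ascii' rows; `length` is the byte
    count tcpdump printed, so ASCII fragments like 'ce' are never read as hex."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:          # skip '[off]', max 16 bytes/row
            if len(out) == length or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def cstring(buf, off):
    """NUL-terminated ASCII at `off`; flagged when the snaplen cut it short."""
    end = buf.find(b"\0", off)
    text = buf[off:end if end >= 0 else len(buf)].decode("ascii", "replace")
    return text if end >= 0 else text + "<truncated>"

def decode_share_enum(param, data):
    """Param: status, converter, entries returned, entries available (uint16 LE).
    Entry: 13-byte name, pad, uint16 type, uint32 comment pointer (low 16 bits
    minus the converter give the comment's offset inside the data block)."""
    status, converter, returned, available = struct.unpack("<4H", param[:8])
    shares = []
    for i in range(returned):
        entry = data[20 * i:20 * i + 20]
        if len(entry) < 20:
            break                                # entry itself lost to snaplen
        name = entry[:13].split(b"\0", 1)[0].decode("ascii")
        stype, ptr = struct.unpack("<HI", entry[14:20])
        off = (ptr & 0xFFFF) - converter
        comment = cstring(data, off) if 0 <= off < len(data) else "<truncated>"
        shares.append((name, SHARE_TYPES.get(stype, hex(stype)), comment))
    return status, available, shares

def decode_page_dump():
    return decode_share_enum(parse_hex_dump(PARAM_DUMP, 8), parse_hex_dump(DATA_DUMP, 135))
```

Running decode_page_dump() returns status 0, five shares available, and the list homes (disk, "Home Directories"), public, temp, IPC$ (type IPC, comment cut off at "IPC Service (Sam") and donham, whose comment lies beyond the captured 135 bytes.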
You can download the modified tcpdump from the Samba FTP server at ftp://samba.anu.edu.au/pub/samba/tcpdump-smb. Other versions don't include support for the SMB protocol; if you don't see output such as that shown in the example, you'll need to use the SMB-enabled version.