12-30-2008 04:43 AM
1. 13:12:49.751403 arp who-has 192.168.246.13 (Broadcast) tell 192.168.246.128
2. 13:12:49.751602 arp reply 192.168.246.13 is-at 00:00:01:0f:2e:7e
3. 13:12:50.441259 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
4. 13:12:50.441632 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
5. 13:12:51.942563 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
6. 13:12:51.943277 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
7. 13:12:53.444627 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
PLEASE, WHY DO LINES 3, 5 AND 7 REPEAT THEMSELVES? I THINK THE 1ST COMPUTER IS TRYING TO COMMUNICATE WITH ANOTHER ON A NETWORK. IF IT WON'T BE A BOTHER, CAN YOU EXPLAIN A LITTLE?
12-30-2008 08:18 AM
It looks to me like host 192.168.246.128 is a Windows box trying to find a domain controller or a service on the host 192.168.246.13. UDP 137 is a NetBIOS query and Windows probably tries 3 times before failing that specific query.
12-31-2008 11:36 AM
Andrew
I believe that Matthew is on the right track in identifying this as a Windows box attempting to access some service. But he gets it backwards about who is the client and who is the "supposed" server. The request is from 192.168.246.13 (the client) and the destination is 192.168.246.128. The real reason that the message is repeated is that it makes the first attempt and it receives this response:
IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
This says that the port is unreachable and means that the attempt to access the service failed, and so the device tries again, and fails again. And then tries a third time.
UDP port 137 is a port used for Windows services. The first device is attempting to communicate with the second device on that port. But the second device is rejecting the attempt to communicate for that service.
HTH
Rick
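The retry pattern described in the reply above can be pulled out of the capture mechanically. This is an added example, not part of any poster's reply: it parses the tcpdump lines from the first post (list numbers dropped), pairs each UDP datagram with the ICMP port-unreachable that answers it, and reports attempts, rejections and the gap between retries. The function name `summarize` is hypothetical.

```python
import re
from datetime import datetime

# Capture lines copied from the first post, with the list numbers removed.
CAPTURE = """\
13:12:49.751403 arp who-has 192.168.246.13 (Broadcast) tell 192.168.246.128
13:12:49.751602 arp reply 192.168.246.13 is-at 00:00:01:0f:2e:7e
13:12:50.441259 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
13:12:50.441632 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
13:12:51.942563 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
13:12:51.943277 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
13:12:53.444627 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
UDP_RE = re.compile(rf"^(\S+) IP {IPV4}\.(\d+) > {IPV4}\.(\d+): UDP, length \d+$")
# "<time> IP <reporter> > <original sender>: ICMP <host> udp port <port> unreachable, ..."
ICMP_RE = re.compile(rf"^\S+ IP {IPV4} > {IPV4}: ICMP {IPV4} udp port (\d+) unreachable")


def _ts(stamp):
    return datetime.strptime(stamp, "%H:%M:%S.%f")


def summarize(text):
    """Return {(client, server, dport): {attempts, rejected, retry_gaps_s}}."""
    flows = {}
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            stamp, src, _sport, dst, dport = m.groups()
            flow = flows.setdefault((src, dst, int(dport)), {"sent": [], "rejected": 0})
            flow["sent"].append(_ts(stamp))
            continue
        m = ICMP_RE.match(line)
        if m:
            _reporter, orig_sender, host, port = m.groups()
            # The error goes back to whoever sent the datagram to host:port.
            key = (orig_sender, host, int(port))
            if key in flows:
                flows[key]["rejected"] += 1
        # Anything else (the ARP exchange here) is not part of a UDP flow.
    return {
        key: {
            "attempts": len(f["sent"]),
            "rejected": f["rejected"],
            "retry_gaps_s": [round((b - a).total_seconds(), 3)
                             for a, b in zip(f["sent"], f["sent"][1:])],
        }
        for key, f in flows.items()
    }
```

On this capture the single flow is 192.168.246.13 to 192.168.246.128 port 137, with three attempts about 1.5 seconds apart; the third has no ICMP reply only because the capture ends there.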
12-31-2008 11:49 AM
Thanks Mat and Rick. It's still a little fuzzy to me. I know UDP port 137 refers to NetBIOS, but what do the different lengths mean? Example: unreachable length 50
unreachable length 50?
thanks for your assistance.
12-31-2008 12:00 PM
Hello again,
Yeah, I might have it backwards since I don't use TCPDump that often. Can you capture the full packets instead of just the headers? That will show you what's in there. Use Wireshark and it will decode the packets and tell you what is happening. I think length is just the length of the entire packet in bytes.
Matt
12-31-2008 12:04 PM
Oh, I didn't think of Wireshark.
01-02-2009 02:06 AM
I believe length 50 refers to the length of the IP packets.