TCP/IP PACKETS. can anyone explain this communication?

deenaija1
Level 1

1. 13:12:49.751403 arp who-has 192.168.246.13 (Broadcast) tell 192.168.246.128

2. 13:12:49.751602 arp reply 192.168.246.13 is-at 00:00:01:0f:2e:7e

3. 13:12:50.441259 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50

4. 13:12:50.441632 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86

5. 13:12:51.942563 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50

6. 13:12:51.943277 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86

7. 13:12:53.444627 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50

PLEASE, WHY DO LINES 3, 5 AND 7 REPEAT THEMSELVES? I THINK THE 1ST COMPUTER IS TRYING TO COMMUNICATE WITH ANOTHER ON A NETWORK. IF IT WON'T BE A BOTHER, CAN YOU EXPLAIN A LITTLE?


MATTHEW BECK
Level 1

It looks to me like host 192.168.246.128 is a Windows box trying to find a domain controller or a service on the host 192.168.246.13. UDP 137 is a NetBIOS query and Windows probably tries 3 times before failing that specific query.

Andrew

I believe that Matthew is on the right track in identifying this as a Windows box attempting to access some service. But he gets it backwards about who is the client and who is the "supposed" server. The request is from 192.168.246.13 (the client) and the destination is 192.168.246.128. The real reason that the message is repeated is that it makes the first attempt and it receives this response:

IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86

This says that the port is unreachable and means that the attempt to access the service failed, and so the device tries again, and fails again. And then tries a third time.

UDP port 137 is a port used for Windows services. The first device is attempting to communicate with the second device on that port. But the second device is rejecting the attempt to communicate for that service.

HTH

Rick

Thanks Mat and Rick. It's still a little fuzzy to me. I know UDP port 137 refers to NETBIOS, but what do the different lengths mean? Example, unreachable length 50

unreachable length 50?

thanks for your assistance.

Hello again,

Yeah, I might have it backwards since I don't use TCPDump that often. Can you capture the full packets instead of just the headers? That will show you what's in there. Use Wireshark and it will decode the packets and tell you what is happening. I think length is just the length of the entire packet in bytes.

Matt

Oh, I didn't think of Wireshark.

I believe length 50 refers to the length of the IP packets.
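
Added example, not part of the thread or any poster's code: a Python script that pairs each UDP 137 datagram in the trace from the question with the ICMP port-unreachable that answers it and measures the spacing between retries. The function names are hypothetical, and the length check assumes that tcpdump's "UDP, length" is the UDP payload size and that the ICMP error quotes the whole original datagram.

```python
import re
from datetime import datetime

# The seven trace lines from the question (ARP spacing normalized).
TRACE = """\
13:12:49.751403 arp who-has 192.168.246.13 (Broadcast) tell 192.168.246.128
13:12:49.751602 arp reply 192.168.246.13 is-at 00:00:01:0f:2e:7e
13:12:50.441259 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
13:12:50.441632 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
13:12:51.942563 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
13:12:51.943277 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
13:12:53.444627 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
"""

IP4 = r"(\d+\.\d+\.\d+\.\d+)"
UDP_RE = re.compile(rf"^(\S+) IP {IP4}\.(\d+) > {IP4}\.(\d+): UDP, length (\d+)$")
ICMP_RE = re.compile(rf"^(\S+) IP {IP4} > {IP4}: ICMP {IP4} udp port (\d+) unreachable, length (\d+)$")

def ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")

def correlate(trace):
    """Pair each UDP datagram with the ICMP port-unreachable that answers it."""
    probes = []
    for line in trace.splitlines():
        if m := UDP_RE.match(line):
            t, src, _sport, dst, dport, n = m.groups()
            probes.append({"t": ts(t), "src": src, "dst": dst, "dport": int(dport),
                           "len": int(n), "rejected_after": None, "icmp_len": None})
        elif m := ICMP_RE.match(line):
            t, _src, dst, host, port, n = m.groups()
            for p in probes:  # oldest unanswered datagram sent to host:port
                if p["rejected_after"] is None and \
                        (p["src"], p["dst"], p["dport"]) == (dst, host, int(port)):
                    p["rejected_after"] = (ts(t) - p["t"]).total_seconds()
                    p["icmp_len"] = int(n)
                    break
    return probes

def retry_gaps(probes):
    """Seconds between consecutive UDP datagrams in the trace."""
    return [round((b["t"] - a["t"]).total_seconds(), 3) for a, b in zip(probes, probes[1:])]

def icmp_error_len(udp_payload):
    # Assumption: ICMP header (8) + quoted IPv4 header without options (20)
    # + quoted UDP header (8) + the full quoted UDP payload.
    return 8 + 20 + 8 + udp_payload

if __name__ == "__main__":
    probes = correlate(TRACE)
    for p in probes:
        print(p["src"], "->", p["dst"], p["dport"], "rejected after", p["rejected_after"])
    print("retry gaps:", retry_gaps(probes), "expected ICMP length:", icmp_error_len(50))
```

The last datagram in the capture has no paired ICMP reply because the trace ends at line 7.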
