Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TCP/IP PACKETS. can anyone explain this communication?

1. 13:12:49.751403 arp who-has 192.168.246.13(Broadcast) tell 192.168.246.128

2. 13:12:49.751602 arp reply 192.168.246.13is-at 00:00:01:0f:2e:7e

3. 13:12:50.441259 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50

4. 13:12:50.441632 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86

5. 13:12:51.942563 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50

6. 13:12:51.943277 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86

7. 13:12:53.444627 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50

PLEASE WHY DOES LINES 3, 5 AND 7 REPEAT ITSELF? I THINK THE 1ST COMPUTER IS TRYING TO COMMUNICATE WITH ANOTHER ON A NETWORK. IF IT WONT BE A BOTHER CAN YOU EXPLAIN A LITTLE?

6 REPLIES
New Member

Re: TCP/IP PACKETS. can anyone explain this communication?

It looks to me like host 192.168.246.128 is a windows box trying to find a domain controller or a service on the host 192.168.246.13. UDP 137 is a netbios query and Windows probably tries 3 times before failing that specific query.

Hall of Fame Super Silver

Re: TCP/IP PACKETS. can anyone explain this communication?

Andrew

I believe that Matthew is on the right track in identifying this as Windows box attempting to access some service. But he gets it backwards about who is the client and who is the "supposed" server. The request is from 192.168.246.13 (the client) and the destination is 192.168.246.128. The real reason that the message is repeated is that it makes the first attempt and it recieves this response:

IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86

this says that the port unreachable and means that the attempt to access the service failed, and so the devices tries again, and fails again. And then tries a third time.

UDP port 137 is a port used for Windows services. The first device is attempting to communicate with the second device on that port. But the second device is rejecting the attempt to communicate for that service.

HTH

Rick

New Member

Re: TCP/IP PACKETS. can anyone explain this communication?

Thanks Mat and Rick. its still a little fuzzy to me, i know UDP port 137 refers to NETBIOS, but what does the different lenghts mean? example, ureachable lenght 50

unreachable lenght 50?

thanks for your assistance.

New Member

Re: TCP/IP PACKETS. can anyone explain this communication?

Hello again,

Yeah, I might have it backwards since I don't use TCPDump that often. Can you capture the full packets instead of just the headers? That will show you what's in there. Use Wireshark and it will decode the packets and tell you what is happening. I think length is just the length of the entire packet in bytes.

Matt

New Member

Re: TCP/IP PACKETS. can anyone explain this communication?

oh, i dint think of wire shark.

New Member

Re: TCP/IP PACKETS. can anyone explain this communication?

I believe length 50 refers to the length of the IP packets.

1497
Views
8
Helpful
6
Replies