Unknown Protocol Type

VesoTeam
Level 1

Hello,

After capturing packets in our network I have found a MAC address starting with 45-00-xx-xx-xx-xx. The network type of the network is Ethernet, the frame type is Ethertype and the protocol type is unknown. The protocol type number is 4000. Does anybody know what it is?!? Maybe it is Token Ring or so?

I have found up to twelve MAC addresses of this type in our network.

Thanks a lot

Christian

5 Replies

steve.barlow
Level 7

Can you copy/paste the sniffer capture if possible so we can see it. Protocol numbers only go to 255 (http://www.iana.org/assignments/protocol-numbers), so not sure what it is.

Steve

Hello,

here are two packets .....

Packet 1: 45:00:00:51:24:EB -> 02:B0:C1:B7:08:00

Network: Ethernet, Frame type: ETHERTYPE, Protocol: [4000] unknown

Frame network size (including 4 bytes CRC): 92

Time: 12h:26m 26.506 632s, Diff. time: 0.000000

Date: Tue Oct 15 2002

Packet number in the original buffer: 1151

Raw Packet

0000 02 B0 C1 B7 08 00 45 00 00 51 24 EB 40 00 80 06 .°Á·..E..Q$ë@.€.

0010 09 10 0A 31 5C 1B 0A 31 5C 2F 00 8B 0A 52 3D 5A ...1\..1\/.‹.R=Z

0020 E0 85 D5 74 31 9F 50 18 1C BC 59 F1 00 00 00 00 à…Õt1ŸP..¼Yñ....

0030 00 25 FF 53 4D 42 0B 00 00 00 00 98 03 80 00 00 .%ÿSMB.....˜.€..

0040 00 00 00 00 00 00 00 00 00 00 1A 08 FE CA 05 E8 ............þÊ.è

0050 C0 EA 01 00 00 00 00 00 Àê......

---------------------------------------------------------------

---------------------------------------------------------------

Packet 2: 45:00:00:5B:6B:F3 -> 02:B0:C1:B7:08:00

Network: Ethernet, Frame type: ETHERTYPE, Protocol: [4000] unknown

Frame network size (including 4 bytes CRC): 104

Time: 12h:26m 27.284 459s, Diff. time: 0.777827

Date: Tue Oct 15 2002

Packet number in the original buffer: 1153

Raw Packet

0000 02 B0 C1 B7 08 00 45 00 00 5B 6B F3 40 00 80 06 .°Á·..E..[kó@.€.

0010 C1 FC 0A 31 5C 1B 0A 31 5C 30 00 8B 06 BE 8A D4 Áü.1\..1\0.‹.¾ŠÔ

0020 21 34 D6 F9 4B 63 50 18 22 38 CB 82 00 00 00 00 !4ÖùKcP."8Ë‚....

0030 00 2F FF 53 4D 42 2F 00 00 00 00 98 03 80 00 00 ./ÿSMB/....˜.€..

0040 00 00 00 00 00 00 00 00 00 00 2F 18 FE CA 26 10 ........../.þÊ&.

0050 40 00 06 FF 00 2F 00 84 04 FF FF 00 00 00 00 00 @..ÿ./.„.ÿÿ.....

0060 00 00 00 00 ....

As you can see, the protocol field shows the number 4000 and "unknown".

And you can see the MAC addresses.

Which sniffer are you using? I am not sure it's seeing the packets correctly; unusual, but not unheard of.

The first 6 hex should be destination, next 6 are source, and the rest depend on what type of packet it is (eg llc or IP).

A typical tcp packet is xx xx xx xx xx xx (dest mac) yy yy yy yy yy yy (source mac) 08 00 (type=IP) zz (header length) qq (DSF).

In your packet 2: it is reporting the mac as 45:00, and I searched (http://standards.ieee.org/regauth/oui/oui.txt) and that mac doesn't exist, which leads me to question the sniffer.

The mac address of the source could be 00:5b:6b, made by ELTEC ELEKTRONIK AG, and 00:51:24, made by HOB ELECTRONIC GMBH & CO. KG. Do a search (show cam) for those macs and see if that helps.

Or if I am wrong about the mac/sniffer, do a search for 45:00... and 02:b0...

-The packets are SMB (Server Message Block, a protocol for sharing files, printers, serial ports, named pipes and mail slots between computers) as per the "FF 53 4D 42". Microsoft relies on this heavily.

Steve

I'm using the sniffer Observer. Do you know it?! I don't think that the sniffer is the problem, because in the log buffer of our main switch (a Cat 4006) I get the following error messages: %SYS-4-P2_WARN: 1/Invalid traffic from multicast source address 45:00:00:xx:xx:xx on port x ".

I've tried to find the MAC addresses of ELTEC and HOB in the CAM table of the switch. But I find no MAC.

Christian

From http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00800948a3.shtml#MCAST_SOURCE_MAC :

The "Invalid traffic from multicast source address" syslog message is generated when the switch receives packets with a multicast MAC address as the source MAC. Using a broadcast or multicast MAC address as the source MAC for a frame is not standards-compliant behavior. However, the switch still forwards traffic sourced from a multicast MAC address.

The syslog message indicates the multicast MAC address in the source MAC field of the frame, and the port on which the traffic was received.

The workaround is to try to identify the end station that is generating frames with a multicast source MAC address. Typically, such frames are transmitted from a traffic generator (for example, SmartBits) or third party devices that share a multicast MAC address (for example, load balancing firewall or server products).

You know the switch port number and that it is an SMB packet, so it most likely is a server product, for example like Ghost.

Any help?

Steve
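The following Python decoder is an added example and not part of the thread or of any of the posters' tools. It takes the two frames exactly as they appear in the hex dump above (the byte strings are copied from that dump; the 4-byte CRC is not in the dump, so it is not included), reads the first 14 bytes the way the sniffer did (destination MAC, source MAC, EtherType), tests the I/G bit of the source MAC that the Catalyst syslog message in the thread refers to, and then checks an alternative reading suggested by Steve's "08 00 (type=IP) 45 (header length)" layout: whether the bytes the sniffer labelled as source MAC and EtherType are in fact the start of an IPv4 header. The IPv4 header checksum is recomputed so the reading is verified rather than guessed. Function names, the `analyse` result layout and the offset-6 probe are my own choices, not the sniffer's or the switch's.

```python
import struct
from typing import Optional

# Constructed copies of the two frames from the hex dump above (CRC bytes are not in the dump).
PACKET1 = bytes.fromhex(
    "02 B0 C1 B7 08 00 45 00 00 51 24 EB 40 00 80 06 "
    "09 10 0A 31 5C 1B 0A 31 5C 2F 00 8B 0A 52 3D 5A "
    "E0 85 D5 74 31 9F 50 18 1C BC 59 F1 00 00 00 00 "
    "00 25 FF 53 4D 42 0B 00 00 00 00 98 03 80 00 00 "
    "00 00 00 00 00 00 00 00 00 00 1A 08 FE CA 05 E8 "
    "C0 EA 01 00 00 00 00 00"
)
PACKET2 = bytes.fromhex(
    "02 B0 C1 B7 08 00 45 00 00 5B 6B F3 40 00 80 06 "
    "C1 FC 0A 31 5C 1B 0A 31 5C 30 00 8B 06 BE 8A D4 "
    "21 34 D6 F9 4B 63 50 18 22 38 CB 82 00 00 00 00 "
    "00 2F FF 53 4D 42 2F 00 00 00 00 98 03 80 00 00 "
    "00 00 00 00 00 00 00 00 00 00 2F 18 FE CA 26 10 "
    "40 00 06 FF 00 2F 00 84 04 FF FF 00 00 00 00 00 "
    "00 00 00 00"
)

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
SMB_MAGIC = b"\xffSMB"  # the "FF 53 4D 42" Steve points to


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes) -> dict:
    """Read the first 14 bytes the way the sniffer did: dst MAC, src MAC, EtherType."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {
        "dst": mac(dst),
        "src": mac(src),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
        # Bit 0 of the first octet is the I/G bit; 1 means group (multicast/broadcast).
        # A group address in the *source* field is what the Catalyst syslog complains about.
        "src_is_group": bool(src[0] & 0x01),
    }


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones-complement sum with the checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack(f"!{len(h) // 2}H", bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_at(frame: bytes, offset: int) -> Optional[dict]:
    """Return the IPv4 header at `offset`, or None if version, IHL or checksum do not check out."""
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    hdr = frame[offset:offset + ihl]
    if ihl < 20 or len(hdr) < ihl:
        return None
    total_len, _ident, flags_frag, ttl, proto, csum = struct.unpack("!HHHBBH", hdr[2:12])
    if ipv4_checksum(hdr) != csum:
        return None  # arbitrary bytes rarely pass this, so a match is strong evidence
    return {
        "src_ip": ".".join(map(str, hdr[12:16])),
        "dst_ip": ".".join(map(str, hdr[16:20])),
        "total_len": total_len, "ttl": ttl, "proto": proto,
        "dont_fragment": bool(flags_frag & 0x4000),
        "payload_offset": offset + ihl,
    }


def parse_tcp(frame: bytes, offset: int) -> dict:
    """Minimal TCP parse plus a check for an SMB message inside a NetBIOS session header."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[offset:offset + 14])
    data_off = (off_flags >> 12) * 4
    payload = frame[offset + data_off:]
    # NetBIOS session service (TCP/139): 4-byte header (type, length), then the SMB message
    is_smb = len(payload) >= 8 and payload[4:8] == SMB_MAGIC
    return {"sport": sport, "dport": dport, "data_offset": data_off, "is_smb": is_smb}


def analyse(frame: bytes) -> dict:
    """Decode as the sniffer did, then probe for an IPv4 header at the normal offset (14) and at 6."""
    eth = parse_ethernet(frame)
    result = {"ethernet": eth, "ip_offset": None, "ipv4": None, "tcp": None, "findings": []}
    if eth["src_is_group"]:
        result["findings"].append("source MAC has the group bit set (the %SYS-4-P2_WARN condition)")
    if eth["ethertype_name"] == "unknown":
        result["findings"].append(f"EtherType 0x{eth['ethertype']:04x} is not a known protocol")
    # Offset 6 treats the bytes the sniffer showed as "source MAC + EtherType" as the IP header.
    for off in (14, 6):
        ip = parse_ipv4_at(frame, off)
        if ip:
            result["ip_offset"], result["ipv4"] = off, ip
            if ip["proto"] == 6:
                result["tcp"] = parse_tcp(frame, ip["payload_offset"])
            break
    if result["ip_offset"] == 6:
        result["findings"].append("valid IPv4 header (checksum OK) starts at byte 6, 8 bytes short of a 14-byte Ethernet header")
    return result


if __name__ == "__main__":
    for pkt in (PACKET1, PACKET2):
        r = analyse(pkt)
        print(r["ethernet"], r["ipv4"], r["tcp"], sep="\n")
        for finding in r["findings"]:
            print(" -", finding)
```

Run it as a script to see both decodings side by side. On both frames the probe at offset 14 fails (the byte there is not an IPv4 version nibble) while the probe at offset 6 yields a header whose checksum recomputes correctly, with TTL 128, protocol 6 (TCP), source port 139 and the NetBIOS/SMB signature in the payload. The checksum test is the part worth keeping for day-to-day work: it gives an objective way to decide whether a capture tool or a sending host is mis-framing packets, and the `src_is_group` flag reproduces the condition the Catalyst logs, so the same logic can be run over a capture to find which port or station is emitting these frames.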