
Wireshark-users: Re: [Wireshark-users] Why so much SMB traffic?

From: "John Trumbell" <JTrumbell@xxxxxxx>
Date: Tue, 11 Nov 2008 12:07:54 -0500
This is from the Microsoft Knowledge article. MS uses the same ports for
a lot of different processes. So, for example, printing uses some of
these ports. Hope this helps. Here's the link:
http://support.microsoft.com/kb/832017/en-us

Remote Procedure Call (RPC)
The Remote Procedure Call (RPC) system service is an interprocess
communication (IPC) mechanism that enables data exchange and invocation
of functionality that reside in a different process. The different
process can be on the same computer, on the LAN, or in a remote
location, and can be accessed over a WAN connection or over a VPN
connection. The RPC service serves as the RPC endpoint mapper and
Component Object Model (COM) Service Control Manager. Many services
depend on the RPC service to start successfully. 

System service name: RpcSs

Application protocol        Protocol  Ports
RPC                         TCP       135
RPC over HTTPS              TCP       593
NetBIOS Datagram Service    UDP       138
NetBIOS Name Resolution     UDP       137
NetBIOS Session Service     TCP       139
SMB                         TCP       445

John 


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jeff -
Sent: Monday, November 10, 2008 4:36 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Why so much SMB traffic?

Our network uses a Windows 2003 server as our file server. Has a
basic shared folder and users map it to their machine.

Using Wireshark I'm seeing tons of activity like the following:

No.    Time       SRC             DST             Protocol  INFO
10956  59.354649  192.168.143.23  192.168.143.1   SMB       Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \steve
10957  59.354750  192.168.143.1   192.168.143.23  SMB       Trans2 Response, QUERY_PATH_INFO
10958  59.355077  192.168.143.23  192.168.143.1   SMB       Trans2 Request, FIND_FIRST2, Pattern: \steve\TM_CFW.sys
10959  59.355306  192.168.143.1   192.168.143.23  SMB       Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE

The user and files vary.

Many users seem to be always searching for files on the file server
which do not exist. The files it looks for seem like "system" files
and are never files that are on our file server. Anyone know what this
could mean and/or what could be causing this?


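Added example, not part of the thread: one way to quantify the failed lookups described in the original question, working from packet-list text exported from Wireshark with one packet per line. The sample rows beyond packets 10956-10959, the function name `failed_lookups`, and the rule used to pair a response with its request are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in Wireshark's packet-list text layout, one packet per
# line. Packets 10956-10959 mirror the thread; the rest are made up.
SAMPLE = r"""
10956 59.354649 192.168.143.23 192.168.143.1 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \steve
10957 59.354750 192.168.143.1 192.168.143.23 SMB Trans2 Response, QUERY_PATH_INFO
10958 59.355077 192.168.143.23 192.168.143.1 SMB Trans2 Request, FIND_FIRST2, Pattern: \steve\TM_CFW.sys
10959 59.355306 192.168.143.1 192.168.143.23 SMB Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
10960 59.401200 192.168.143.40 192.168.143.1 SMB Trans2 Request, FIND_FIRST2, Pattern: \anna\report.doc
10961 59.401512 192.168.143.1 192.168.143.40 SMB Trans2 Response, FIND_FIRST2, Files: report.doc
10962 59.420031 192.168.143.23 192.168.143.1 SMB Trans2 Request, FIND_FIRST2, Pattern: \mary\TM_CFW.sys
10963 59.420290 192.168.143.1 192.168.143.23 SMB Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
"""

ROW = re.compile(r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
REQ = re.compile(r"Trans2 Request, FIND_FIRST2, Pattern: (.+)$")
RSP = re.compile(r"Trans2 Response, FIND_FIRST2(?:, Error: (\S+))?")


def failed_lookups(text):
    """Count FIND_FIRST2 searches answered with STATUS_NO_SUCH_FILE,
    keyed by (client IP, file name without its folder)."""
    pending = {}  # (client, server) -> pattern of the last unanswered request
    misses = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("proto") != "SMB":
            continue
        src, dst, info = m.group("src", "dst", "info")
        req = REQ.search(info)
        if req:
            pending[(src, dst)] = req.group(1)
            continue
        rsp = RSP.search(info)
        if rsp:
            # Assumption: a response answers the latest request on the same
            # client/server pair (the text export carries no SMB multiplex ID).
            pattern = pending.pop((dst, src), None)
            if pattern and rsp.group(1) == "STATUS_NO_SUCH_FILE":
                misses[(dst, pattern.rsplit("\\", 1)[-1])] += 1
    return misses


if __name__ == "__main__":
    for (client, name), n in failed_lookups(SAMPLE).most_common():
        print(f"{client}  {name}  {n} failed lookups")
```

Grouping by file name rather than full path shows when the same name is being probed across many user folders, and which clients are doing it.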