lepus 10 Posted 7 January 2010
I'll go ahead and start an analysis.. let's see how far I get.
Good idea! Good luck with it... I'm curious to see the results. Regards, Nils
Knorkator 12 (Author) Posted 8 January 2010
Hello, I ran a 2h capture on the old server and tried to analyze the whole thing. Besides plenty of svchost.exe traffic (the RDP connection) I have many broadcasts under Unknown, but also some interesting entries. The machine with IP 125 is one of those that are very slow. Among other things I found the following, but I have to pass when it comes to interpreting it. Here is a possibly important excerpt:

Frame: Number = 12479, Captured Frame Length = 162, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0E-A6-27-2E-C9],SourceAddress:[00-1A-4D-4F-7B-A4]
+ Ipv4: Src = 192.168.1.125, Dest = 192.168.1.230, Next Protocol = TCP, Packet ID = 54399, Total IP Length = 148
+ Tcp: Flags=...AP..., SrcPort=1477, DstPort=NETBIOS Session Service(139), PayloadLen=108, Seq=694590244 - 694590352, Ack=411384860, Win=16480 (scale factor 0x0) = 16480
+ Nbtss: SESSION MESSAGE, Length =104
- SMB: C; Transact2, Get Dfs Referral
  Protocol: SMB
  Command: Transact2 50(0x32)
  + NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS
  - SMBHeader: Command, TID: 0x0805, PID: 0x0004, UID: 0x1803, MID: 0x01C0
    - Flags: 24 (0x18)
      LockAndRead: (.......0) LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported (Obsolete) (SMB_FLAGS_LOCK_AND_READ_OK)
      NoAck: (......0.) An ACK response is needed (SMB_FLAGS_SEND_NO_ACK[only applicable when SMB transport is NetBIOS over IPX])
      Reserved_bit2: (.....0..) Reserved (Must Be Zero)
      CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)
      Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)
      Oplock: (..0.....) Oplocks NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK)
      OplockNotify: (.0......) Notifications NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK_NOTIFY_ANY)
      FromServer: (0.......) Command - SMB is being sent from the client (SMB_FLAGS_SERVER_TO_REDIR)
    - Flags2: 51207 (0xC807)
      KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
      ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)
      SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
      Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)
      SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
      Reserved_bit5: (..........0.....) Reserved (Must Be Zero)
      LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)
      Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)
      ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)
      ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
      Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS)
      Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)
      StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
      Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 2053 (0x805)
    ProcessID: 4 (0x4)
    UserID: 6147 (0x1803)
    MultiplexID: 448 (0x1C0)
  + CTransaction2:
    - Dfs: Get DFS Referral Request, FileName: \server\dortmund, MaxReferralLevel: 4
      MaxReferralLevel: 4 (0x4)
      RequestFileName: \server\dortmund
Knorkator 12 (Author) Posted 8 January 2010
Got some more.. :) Hope someone can make something of this. By the way, 230 is the old server. I can only capture what requests the client sends it, after all. Thanks to everyone in advance!

Frame: Number = 12450, Captured Frame Length = 93, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-1A-4D-4F-7B-A4],SourceAddress:[00-0E-A6-27-2E-C9]
+ Ipv4: Src = 192.168.1.230, Dest = 192.168.1.125, Next Protocol = TCP, Packet ID = 18028, Total IP Length = 79
+ Tcp: Flags=...AP..., SrcPort=NETBIOS Session Service(139), DstPort=1477, PayloadLen=39, Seq=411384401 - 411384440, Ack=694588637, Win=65345 (scale factor 0x0) = 65345
+ Nbtss: SESSION MESSAGE, Length =35
- SMB: R; Transact2, Get Dfs Referral - NT Status: System - Error, Code = (14) STATUS_NO_SUCH_DEVICE
  Protocol: SMB
  Command: Transact2 50(0x32)
  + NTStatus: 0xC000000E, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_ERROR, Code = (14) STATUS_NO_SUCH_DEVICE
  - SMBHeader: Response, TID: 0x0805, PID: 0x0004, UID: 0x1803, MID: 0x00C0
    - Flags: 152 (0x98)
      LockAndRead: (.......0) LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported (Obsolete) (SMB_FLAGS_LOCK_AND_READ_OK)
      NoAck: (......0.) An ACK response is needed (SMB_FLAGS_SEND_NO_ACK[only applicable when SMB transport is NetBIOS over IPX])
      Reserved_bit2: (.....0..) Reserved (Must Be Zero)
      CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)
      Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)
      Oplock: (..0.....) Oplocks NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK)
      OplockNotify: (.0......) Notifications NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK_NOTIFY_ANY)
      FromServer: (1.......) Response - SMB is being sent from the server (SMB_FLAGS_SERVER_TO_REDIR)
    - Flags2: 51207 (0xC807)
      KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
      ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)
      SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
      Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)
      SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
      Reserved_bit5: (..........0.....) Reserved (Must Be Zero)
      LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)
      Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)
      ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)
      ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
      Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS)
      Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)
      StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
      Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 2053 (0x805)
    ProcessID: 4 (0x4)
    UserID: 6147 (0x1803)
    MultiplexID: 192 (0xC0)
  + ErrorMessage: 0x1
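As an added example (not from this thread or any of its posters), a small Python decoder for the 32-byte SMB1 header that both frames above carry: it expands Flags/Flags2 into the bit names Network Monitor prints, splits the NTSTATUS 0xC000000E into severity/facility/code, and reports the signing posture (here: signing enabled but not required, which is worth checking on an old server). The header bytes are constructed from the field values shown in the two captures; no capture file is read.

```python
import struct

# Bit names as Network Monitor prints them in the captures above (MS-CIFS SMB_Header).
SMB_FLAGS = {
    0x01: "SMB_FLAGS_LOCK_AND_READ_OK", 0x02: "SMB_FLAGS_SEND_NO_ACK",
    0x08: "SMB_FLAGS_CASE_INSENSITIVE", 0x10: "SMB_FLAGS_CANONICALIZED_PATHS",
    0x20: "SMB_FLAGS_OPLOCK", 0x40: "SMB_FLAGS_OPLOCK_NOTIFY_ANY",
    0x80: "SMB_FLAGS_SERVER_TO_REDIR",
}
SMB_FLAGS2 = {
    0x0001: "SMB_FLAGS2_KNOWS_LONG_NAMES", 0x0002: "SMB_FLAGS2_KNOWS_EAS",
    0x0004: "SMB_FLAGS2_SMB_SECURITY_SIGNATURE", 0x0008: "SMB_FLAGS2_COMPRESSED",
    0x0010: "SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED",
    0x0040: "SMB_FLAGS2_IS_LONG_NAME", 0x0400: "SMB_FLAGS2_REPARSE_PATH",
    0x0800: "SMB_FLAGS2_EXTENDED_SECURITY", 0x1000: "SMB_FLAGS2_DFS",
    0x2000: "SMB_FLAGS2_PAGING_IO", 0x4000: "SMB_FLAGS2_NT_STATUS",
    0x8000: "SMB_FLAGS2_UNICODE",
}
SEVERITY = {0: "STATUS_SEVERITY_SUCCESS", 1: "STATUS_SEVERITY_INFORMATIONAL",
            2: "STATUS_SEVERITY_WARNING", 3: "STATUS_SEVERITY_ERROR"}

# Little-endian fixed SMB1 header: \xFFSMB, Command, Status, Flags, Flags2,
# PIDHigh, SecuritySignature(8), Reserved, TID, PID, UID, MID  (32 bytes)
HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def decode_ntstatus(status):
    """Split a 32-bit NTSTATUS into (severity name, facility, code)."""
    return SEVERITY[status >> 30], (status >> 16) & 0x0FFF, status & 0xFFFF


def parse_smb_header(data):
    """Parse the fixed SMB1 header and expand Flags/Flags2 into bit names."""
    proto, cmd, status, flags, flags2, _pidh, _sig, _res, tid, pid, uid, mid = \
        HEADER.unpack_from(data)
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    return {"command": cmd, "ntstatus": decode_ntstatus(status),
            "from_server": bool(flags & 0x80),
            "flags": [n for b, n in SMB_FLAGS.items() if flags & b],
            "flags2": [n for b, n in SMB_FLAGS2.items() if flags2 & b],
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def signing_posture(hdr):
    """What Flags2 says about SMB signing on this session."""
    if "SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED" in hdr["flags2"]:
        return "signing required"
    enabled = "SMB_FLAGS2_SMB_SECURITY_SIGNATURE" in hdr["flags2"]
    return "signing enabled but not required" if enabled else "signing off"


# Constructed headers with the values from frame 12479 (request) and 12450 (response).
REQUEST = HEADER.pack(b"\xffSMB", 0x32, 0x0, 0x18, 0xC807, 0, b"\0" * 8, 0,
                      0x0805, 0x0004, 0x1803, 0x01C0)
RESPONSE = HEADER.pack(b"\xffSMB", 0x32, 0xC000000E, 0x98, 0xC807, 0, b"\0" * 8, 0,
                       0x0805, 0x0004, 0x1803, 0x00C0)
```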