lepus, posted 7 January 2010

Quote: "I'll start an analysis then.. let's see how far I get."

Good idea! Good luck with it... I'm curious about the results.

Regards, Nils
Knorkator (thread author), posted 8 January 2010

Hello, I ran a 2h capture on the old server and tried to analyze the whole thing. Besides plenty of svchost.exe traffic (the RDP connection) I have lots of broadcasts under Unknown, but also some interesting entries. The machine with IP .125 is one of those that are very slow. Among other things I found the following, but I have to pass when it comes to interpreting it. Here is a possibly important excerpt:

Frame: Number = 12479, Captured Frame Length = 162, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0E-A6-27-2E-C9],SourceAddress:[00-1A-4D-4F-7B-A4]
+ Ipv4: Src = 192.168.1.125, Dest = 192.168.1.230, Next Protocol = TCP, Packet ID = 54399, Total IP Length = 148
+ Tcp: Flags=...AP..., SrcPort=1477, DstPort=NETBIOS Session Service(139), PayloadLen=108, Seq=694590244 - 694590352, Ack=411384860, Win=16480 (scale factor 0x0) = 16480
+ Nbtss: SESSION MESSAGE, Length =104
- SMB: C; Transact2, Get Dfs Referral
    Protocol: SMB
    Command: Transact2 50(0x32)
  + NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS
  - SMBHeader: Command, TID: 0x0805, PID: 0x0004, UID: 0x1803, MID: 0x01C0
    - Flags: 24 (0x18)
        LockAndRead: (.......0) LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported (Obsolete) (SMB_FLAGS_LOCK_AND_READ_OK)
        NoAck: (......0.) An ACK response is needed (SMB_FLAGS_SEND_NO_ACK[only applicable when SMB transport is NetBIOS over IPX])
        Reserved_bit2: (.....0..) Reserved (Must Be Zero)
        CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)
        Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)
        Oplock: (..0.....) Oplocks NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK)
        OplockNotify: (.0......) Notifications NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK_NOTIFY_ANY)
        FromServer: (0.......) Command - SMB is being sent from the client (SMB_FLAGS_SERVER_TO_REDIR)
    - Flags2: 51207 (0xC807)
        KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
        ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)
        SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
        Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)
        SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
        Reserved_bit5: (..........0.....) Reserved (Must Be Zero)
        LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)
        Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)
        ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)
        ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
        Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS)
        Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)
        StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
        Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)
      PIDHigh: 0 (0x0)
      SecuritySignature: 0x0
      Reserved: 0 (0x0)
      TreeID: 2053 (0x805)
      ProcessID: 4 (0x4)
      UserID: 6147 (0x1803)
      MultiplexID: 448 (0x1C0)
  + CTransaction2:
  - Dfs: Get DFS Referral Request, FileName: \server\dortmund, MaxReferralLevel: 4
      MaxReferralLevel: 4 (0x4)
      RequestFileName: \server\dortmund
Knorkator (thread author), posted 8 January 2010

Got more.. :) I hope someone can make something of this. By the way, .230 is the old server. I can only capture what requests the client sends to it. Thanks to everyone in advance!

Frame: Number = 12450, Captured Frame Length = 93, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-1A-4D-4F-7B-A4],SourceAddress:[00-0E-A6-27-2E-C9]
+ Ipv4: Src = 192.168.1.230, Dest = 192.168.1.125, Next Protocol = TCP, Packet ID = 18028, Total IP Length = 79
+ Tcp: Flags=...AP..., SrcPort=NETBIOS Session Service(139), DstPort=1477, PayloadLen=39, Seq=411384401 - 411384440, Ack=694588637, Win=65345 (scale factor 0x0) = 65345
+ Nbtss: SESSION MESSAGE, Length =35
- SMB: R; Transact2, Get Dfs Referral - NT Status: System - Error, Code = (14) STATUS_NO_SUCH_DEVICE
    Protocol: SMB
    Command: Transact2 50(0x32)
  + NTStatus: 0xC000000E, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_ERROR, Code = (14) STATUS_NO_SUCH_DEVICE
  - SMBHeader: Response, TID: 0x0805, PID: 0x0004, UID: 0x1803, MID: 0x00C0
    - Flags: 152 (0x98)
        LockAndRead: (.......0) LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported (Obsolete) (SMB_FLAGS_LOCK_AND_READ_OK)
        NoAck: (......0.) An ACK response is needed (SMB_FLAGS_SEND_NO_ACK[only applicable when SMB transport is NetBIOS over IPX])
        Reserved_bit2: (.....0..) Reserved (Must Be Zero)
        CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)
        Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)
        Oplock: (..0.....) Oplocks NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK)
        OplockNotify: (.0......) Notifications NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK_NOTIFY_ANY)
        FromServer: (1.......) Response - SMB is being sent from the server (SMB_FLAGS_SERVER_TO_REDIR)
    - Flags2: 51207 (0xC807)
        KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
        ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)
        SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
        Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)
        SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
        Reserved_bit5: (..........0.....) Reserved (Must Be Zero)
        LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)
        Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)
        ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)
        ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
        Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS)
        Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)
        StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
        Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)
      PIDHigh: 0 (0x0)
      SecuritySignature: 0x0
      Reserved: 0 (0x0)
      TreeID: 2053 (0x805)
      ProcessID: 4 (0x4)
      UserID: 6147 (0x1803)
      MultiplexID: 192 (0xC0)
  + ErrorMessage: 0x1
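Added example, not code from the thread: a small Python decoder for the SMB1 header fields that appear in the Network Monitor output above (Flags, Flags2, NTSTATUS) plus a pairing of DFS referral requests with their responses on (TID, PID, UID, MID), which is how a client matches an SMB1 reply to the request it sent. The two frames pasted in the thread carry different MIDs (0x01C0 in the request, 0x00C0 in the response), so the sample set adds one constructed response for the 0x01C0 request; all other frame numbers and field values are the ones from the capture.

```python
# Added example (not the poster's code): decode SMB1 header fields from the capture and pair DFS referral requests with responses.
FLAGS2_BITS = {  # SMB_FLAGS2_* bit names, as labelled in the capture
    0x0001: "KNOWS_LONG_NAMES", 0x0002: "KNOWS_EAS", 0x0004: "SECURITY_SIGNATURE",
    0x0008: "COMPRESSED", 0x0010: "SECURITY_SIGNATURE_REQUIRED", 0x0040: "IS_LONG_NAME",
    0x0400: "REPARSE_PATH", 0x0800: "EXTENDED_SECURITY", 0x1000: "DFS",
    0x2000: "PAGING_IO", 0x4000: "NT_STATUS", 0x8000: "UNICODE",
}
SMB_FLAGS_SERVER_TO_REDIR = 0x80  # Flags bit 7: set on responses, clear on requests

def decode_flags2(flags2):
    """Names of the Flags2 bits that are set, lowest bit first."""
    return [name for bit, name in sorted(FLAGS2_BITS.items()) if flags2 & bit]

def decode_nt_status(status):
    """Split a 32-bit NTSTATUS into severity (bits 30-31), facility (bits 16-27) and code."""
    severity = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")[status >> 30]
    return {"severity": severity, "facility": (status >> 16) & 0x0FFF, "code": status & 0xFFFF}

def pair_dfs_referrals(frames):
    """Match requests to responses on (TID, PID, UID, MID) in frame order.
    Returns (pairs, orphan_responses, unanswered_requests)."""
    pending, pairs, orphans = {}, [], []
    for f in sorted(frames, key=lambda x: x["frame"]):
        key = (f["tid"], f["pid"], f["uid"], f["mid"])
        if not f["flags"] & SMB_FLAGS_SERVER_TO_REDIR:   # client -> server
            pending[key] = f
        elif key in pending:                               # server -> client
            pairs.append((pending.pop(key), f, decode_nt_status(f["status"])))
        else:
            orphans.append(f)  # its request lies outside the pasted frames
    return pairs, orphans, list(pending.values())

# Sample frames: 12450 and 12479 carry the values pasted in the thread; 12480 is a
# constructed response to the 12479 request so that one complete pair exists.
FRAMES = [
    {"frame": 12450, "flags": 0x98, "flags2": 0xC807, "tid": 0x0805, "pid": 0x0004,
     "uid": 0x1803, "mid": 0x00C0, "status": 0xC000000E},
    {"frame": 12479, "flags": 0x18, "flags2": 0xC807, "tid": 0x0805, "pid": 0x0004,
     "uid": 0x1803, "mid": 0x01C0, "status": 0x0, "path": r"\server\dortmund"},
    {"frame": 12480, "flags": 0x98, "flags2": 0xC807, "tid": 0x0805, "pid": 0x0004,
     "uid": 0x1803, "mid": 0x01C0, "status": 0xC000000E},  # constructed
]

if __name__ == "__main__":
    pairs, orphans, unanswered = pair_dfs_referrals(FRAMES)
    for req, rsp, st in pairs:
        print(f"frame {req['frame']} -> {rsp['frame']}: {req['path']} {st}")
    print("responses whose request was not pasted:", [f["frame"] for f in orphans])
```

Run on the thread's own two frames only, the response lands in the orphan list, which is the check that tells you the pasted reply answers an earlier request rather than the one shown.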