Jump to content

DC Austausch

Knorkator

Von Knorkator
in Active Directory Forum

Der letzte Beitrag zu diesem Thema ist mehr als 180 Tage alt. Bitte erstelle einen neuen Beitrag zu Deiner Anfrage!

Empfohlene Beiträge

Knorkator Experienced

Knorkator   12

Geschrieben
  • Autor
Geschrieben

Hallo,

 

habe auf dem alten Server eine 2h Prüfung gemacht und versucht das ganze zu analysieren.

 

Neben reichlich svchos.exe Traffic (die rdp Verbindung) habe ich unter Unknown viele Broadcasts, aber auch einige interessante Einträge.

Der Rechner mit der ip 125 ist einer von denen die sehr langsam sind.

 

Habe u.a. folgendes gefunden, bei der Auswertung muss ich aber passen.

Hier mal ein evtl. wichtiger Auszug:

 

Frame: Number = 12479, Captured Frame Length = 162, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0E-A6-27-2E-C9],SourceAddress:[00-1A-4D-4F-7B-A4]

+ Ipv4: Src = 192.168.1.125, Dest = 192.168.1.230, Next Protocol = TCP, Packet ID = 54399, Total IP Length = 148

+ Tcp: Flags=...AP..., SrcPort=1477, DstPort=NETBIOS Session Service(139), PayloadLen=108, Seq=694590244 - 694590352, Ack=411384860, Win=16480 (scale factor 0x0) = 16480

+ Nbtss: SESSION MESSAGE, Length =104

- SMB: C; Transact2, Get Dfs Referral

Protocol: SMB

Command: Transact2 50(0x32)

+ NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS

- SMBHeader: Command, TID: 0x0805, PID: 0x0004, UID: 0x1803, MID: 0x01C0

- Flags: 24 (0x18)

LockAndRead: (.......0) LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported (Obsolete) (SMB_FLAGS_LOCK_AND_READ_OK)

NoAck: (......0.) An ACK response is needed (SMB_FLAGS_SEND_NO_ACK[only applicable when SMB transport is NetBIOS over IPX])

Reserved_bit2: (.....0..) Reserved (Must Be Zero)

CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)

Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)

Oplock: (..0.....) Oplocks NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK)

OplockNotify: (.0......) Notifications NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK_NOTIFY_ANY)

FromServer: (0.......) Command - SMB is being sent from the client (SMB_FLAGS_SERVER_TO_REDIR)

- Flags2: 51207 (0xC807)

KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)

ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)

SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)

Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)

SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)

Reserved_bit5: (..........0.....) Reserved (Must Be Zero)

LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)

Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)

ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)

ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)

Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS)

Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)

StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)

Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)

PIDHigh: 0 (0x0)

SecuritySignature: 0x0

Reserved: 0 (0x0)

TreeID: 2053 (0x805)

ProcessID: 4 (0x4)

UserID: 6147 (0x1803)

MultiplexID: 448 (0x1C0)

+ CTransaction2:

- Dfs: Get DFS Referral Request, FileName: \server\dortmund, MaxReferralLevel: 4

MaxReferralLevel: 4 (0x4)

RequestFileName: \server\dortmund

Link zu diesem Kommentar
Knorkator Experienced

Knorkator   12

Geschrieben
  • Autor
Geschrieben

Hab noch mehr..

:)

 

Hoffe das da jemand was mit anfangen kann.

Die 230 ist übrigens der alte Server. Kann ja nur mitschneiden, was der Client ihm für Anfragen schickt.

 

Danke an alle im voraus!

 

 

Frame: Number = 12450, Captured Frame Length = 93, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-1A-4D-4F-7B-A4],SourceAddress:[00-0E-A6-27-2E-C9]

+ Ipv4: Src = 192.168.1.230, Dest = 192.168.1.125, Next Protocol = TCP, Packet ID = 18028, Total IP Length = 79

+ Tcp: Flags=...AP..., SrcPort=NETBIOS Session Service(139), DstPort=1477, PayloadLen=39, Seq=411384401 - 411384440, Ack=694588637, Win=65345 (scale factor 0x0) = 65345

+ Nbtss: SESSION MESSAGE, Length =35

- SMB: R; Transact2, Get Dfs Referral - NT Status: System - Error, Code = (14) STATUS_NO_SUCH_DEVICE

Protocol: SMB

Command: Transact2 50(0x32)

+ NTStatus: 0xC000000E, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_ERROR, Code = (14) STATUS_NO_SUCH_DEVICE

- SMBHeader: Response, TID: 0x0805, PID: 0x0004, UID: 0x1803, MID: 0x00C0

- Flags: 152 (0x98)

LockAndRead: (.......0) LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported (Obsolete) (SMB_FLAGS_LOCK_AND_READ_OK)

NoAck: (......0.) An ACK response is needed (SMB_FLAGS_SEND_NO_ACK[only applicable when SMB transport is NetBIOS over IPX])

Reserved_bit2: (.....0..) Reserved (Must Be Zero)

CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)

Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)

Oplock: (..0.....) Oplocks NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK)

OplockNotify: (.0......) Notifications NOT supported for OPEN, CREATE & CREATE_NEW (Obsolete) (SMB_FLAGS_OPLOCK_NOTIFY_ANY)

FromServer: (1.......) Response - SMB is being sent from the server (SMB_FLAGS_SERVER_TO_REDIR)

- Flags2: 51207 (0xC807)

KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)

ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)

SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)

Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)

SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)

Reserved_bit5: (..........0.....) Reserved (Must Be Zero)

LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)

Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)

ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)

ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)

Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS)

Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)

StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)

Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)

PIDHigh: 0 (0x0)

SecuritySignature: 0x0

Reserved: 0 (0x0)

TreeID: 2053 (0x805)

ProcessID: 4 (0x4)

UserID: 6147 (0x1803)

MultiplexID: 192 (0xC0)

+ ErrorMessage: 0x1

Link zu diesem Kommentar
Der letzte Beitrag zu diesem Thema ist mehr als 180 Tage alt. Bitte erstelle einen neuen Beitrag zu Deiner Anfrage!

Schreibe einen Kommentar

Du kannst jetzt antworten und Dich später registrieren. Falls Du bereits ein Mitglied bist, logge Dich jetzt ein.

Gast
Auf dieses Thema antworten...

×   Du hast formatierten Text eingefügt.   Formatierung jetzt entfernen

  Only 75 emoji are allowed.

×   Dein Link wurde automatisch eingebettet.   Einbetten rückgängig machen und als Link darstellen

×   Dein vorheriger Inhalt wurde wiederhergestellt.   Editor-Fenster leeren

×   Du kannst Bilder nicht direkt einfügen. Lade Bilder hoch oder lade sie von einer URL.

×
Zurück zur Übersicht


×
×
  • Neu erstellen...