Obtaining a Network Packet Capture

A packet capture is a recording of network traffic. These can be extremely useful when trying to decipher problems with network-capable software. If, for example, you are having a problem with the jCIFS client that you do not understand, you might send a message to the jCIFS mailing list with an explanation of the problem, which version of jCIFS you're using, etc. Depending on the problem it is desirable to also have a packet capture of the errant traffic and, for maximum results, a packet capture of the analogous operation succeeding (preferably with a Windows 2000 client, which is what jCIFS tries to emulate as closely as possible). Do not send packet captures to public mailing lists unless you are certain they do not contain personal information such as password hashes. If the captures are required, a developer will instruct you to send them directly.

How to Obtain a Packet Capture

To take a packet capture of network traffic it is necessary to run special software on a machine that is capable of receiving the traffic of interest. There are many programs that can do this. Three popular ones are:

    Tcpdump
    Ethereal
    Microsoft NetMon
The packet capture program will need to run on the server (e.g. the CIFS server), the client (e.g. the machine from which you are running the jCIFS client), or a machine connected to the same network as the server or client without a switch in between. For example, if you insert a simple hub between the client and server, a workstation or laptop plugged into the hub should also be able to capture the traffic of any client connected to the hub.
Tcpdump

Tcpdump is a command-line packet capture program for Linux and UNIX. Here is some sample output:

    [root@miallen3 root]# tcpdump 'port 137 || 138 || 139 || 445'
    tcpdump: listening on eth0
    00:35:54.713969 miallen3.foo.net.54090 > wins.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
    00:35:55.110033 wins.netbios-ns > miallen3.foo.net.54090: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
    00:35:55.237285 miallen3.foo.net.46250 > MIALLEN2.foo.net.netbios-ssn: S 781540350:781540350(0) win 5840

The above is not a full packet capture. It just prints summary output to the terminal window. Each line represents one network packet. The columns can differ depending on the protocol of the packet, but the first three columns are the time the packet was received, the source host and port, and the destination host and port. Sometimes hostnames are used instead of IP addresses, and ports can be substituted with the service name from /etc/services (e.g. 'netbios-ssn', over which CIFS/SMB traffic is transferred, is port 139). To obtain a full packet capture with tcpdump you need to use '-s 0' to prevent the payload from being stripped, and direct the output to a file like the following:

    [root@miallen3 root]# tcpdump -s 0 -w mycapture.pcap 'port 137 || 138 || 139 || 445'
    tcpdump: listening on eth0
    38 packets received by filter
    0 packets dropped by kernel

Notice you must be root to run any packet capture software. This is because the network card needs to be switched into "promiscuous mode". Sometimes a computer will beep when this happens to indicate to administrative personnel that someone is actively capturing traffic. The expression at the end of the command line above instructs tcpdump to listen for packets on ports 137, 138, 139, and 445. These are the ports of interest for the CIFS/SMB protocol. If no expression is provided all traffic will be captured.
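As an added example (not part of the original jCIFS page), here is a small Python check to run on a capture file before sending it to a developer: it parses the libpcap global header and each packet record and counts packets whose saved length is shorter than their on-wire length, which is exactly what a capture taken without '-s 0' looks like. It assumes the classic libpcap file layout that 'tcpdump -w' and Ethereal's Save As produce; the sample capture is constructed inside the block with a 68-byte snaplen, such as older tcpdump versions used by default.

```python
import struct
from dataclasses import dataclass

# libpcap magic numbers and the struct byte order each implies
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

@dataclass
class PcapSummary:
    snaplen: int     # capture length limit recorded in the global header
    linktype: int    # data link type (1 = Ethernet)
    packets: int     # number of packet records in the file
    truncated: int   # records whose saved length is below the wire length

def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk a libpcap file held in memory and count truncated packets."""
    if len(data) < 24:
        raise ValueError("too short to be a libpcap file")
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap capture (unknown magic number)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets = truncated = 0
    offset = 24
    while offset + 16 <= len(data):
        # record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire)
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + caplen > len(data):
            raise ValueError(f"record at offset {offset - 16} runs past end of file")
        packets += 1
        if caplen < origlen:
            truncated += 1
        offset += caplen
    return PcapSummary(snaplen, linktype, packets, truncated)

def build_pcap(snaplen: int, records: list) -> bytes:
    """Constructed sample input: little-endian libpcap file, Ethernet link type.
    Each record is (payload_bytes, original_wire_length)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, (payload, origlen) in enumerate(records):
        out += struct.pack("<IIII", ts, 0, len(payload), origlen) + payload
    return out
```

A non-zero truncated count means the SMB payloads were clipped and the capture should be retaken with '-s 0'; a magic-number error means the file is not libpcap (for instance a NetMon '.cap').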
Ethereal

Ethereal is a packet capture program, but it also has a very nice user interface for examining the contents of packets. For example, the jCIFS client was developed almost entirely from viewing Ethereal packet captures. Ethereal will also understand NetMon and tcpdump packet captures.

To capture packets using Ethereal, start it as root by just typing 'ethereal'. This will launch the UI. Select Capture > Start and change the Interface to 'any'. Enter a filter if necessary. For example, to capture jCIFS traffic enter a filter of 'port 137 || 138 || 139 || 445' (and maybe add '|| port 8080' for NTLM HTTP traffic, or whatever port your Servlet container is servicing clients on). Click on Ok to start capturing packets. Now perform the operation you wish to capture and hit Stop. See if the traffic of interest has been captured and use File > Save As to save it in libpcap format. I recommend using a file extension of '.pcap' for Ethereal captures to distinguish between libpcap captures and NetMon captures, which use a filename extension of '.cap'.

Microsoft NetMon

If you do not have root access to a Linux or UNIX machine with packet capture software on the network of interest, try to get a copy of NetMon for Windows. NetMon is also a GUI. It isn't as nice as Ethereal, but it will permit you to capture packets just the same. NetMon is usually packaged as an add-on for other software like SMS.

Mon Jan 5 19:04:08 EST 2004