http://www.ISAserver.org
-------------------------------------------------------

Single frames have no real meaning. That's why I said "smells like".
This behavior *must* be examined in the context of the entire capture.
If you need help, you have to provide data.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve diMascio
Sent: Friday, November 17, 2006 09:34
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help reading an ethereal capture

I just took another capture, a little longer this time, and got this which is also not showing on the known good workstation.

Source 10.0.0.135
Destination 10.0.0.214
Protocol TCP
Info 4454 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460

occasionally info changes to

<random number> > 280 [SYN] Seq=0 Len=0 MSS=1460

Any help, thoughts or shots in the dark would be very gratefully received. As would any good recommendations for books on learning how to read these captures.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 17 November 2006 16:50
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help reading an ethereal capture

This smells more like malware than anything else.
Mind sending the whole capture?
You can send to me privately if you want.
MS NDA applies, of course.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve diMascio
Sent: Friday, November 17, 2006 08:46
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Help reading an ethereal capture

I'm trying to solve a problem I'm having with one of my workstations that intermittently takes ages to receive email, even from local users (around 5 minutes anyway). The company owner thinks it's a firewall client issue, as he never used them in the past but since I installed the FWC on every workstation this has happened (only to one of the workstations) - that's the whole of his "theory". I don't think it's a FWC issue but since I haven't been able to give a definite reason, or prove it's not the FWC, he's sticking to his "theory".

It's an SBS2k3 network, 40 workstations, 2 member servers (1 is VoIP, the other a TS); obviously Exchange and ISA are on the SBS box, although I'm planning on moving ISA to its own hardware over the Christmas break.

I've taken a network capture but am pretty useless at reading them. So I compared the capture to a capture taken on a working desktop and the only difference I can see between them is that the one that doesn't work has hundreds of lines like this.

Source 10.0.0.135
Destination 0.0.0.0
Protocol TCP
Info 33037 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

There are literally hundreds of these in a 6 minute capture. The frame number goes up by 1 and the source port changes randomly (seemingly). I've searched Google but haven't found anything that tells me what this traffic is.

Can anyone point me in the right direction, or have any good references for reading Ethereal captures?
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
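Added example, not part of the original thread or written by its participants: one way to view frames like those quoted above in the context of the whole capture, by grouping an Ethereal summary export by source, destination, destination port and flags, and noting whether any SYN group ever saw a SYN, ACK come back. The column order (No., Time, Source, Destination, Protocol, Info) and every sample row are constructed for illustration; the 10.0.0.2 smtp rows in particular do not come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed column order of an Ethereal summary export:
# No. Time Source Destination Protocol Info (not data from the thread's capture).
SAMPLE = """\
1 0.000000 10.0.0.135 0.0.0.0 TCP 33037 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
2 0.410000 10.0.0.135 0.0.0.0 TCP 33038 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
3 0.820000 10.0.0.135 0.0.0.0 TCP 41200 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
4 1.100000 10.0.0.135 10.0.0.214 TCP 4454 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
5 1.900000 10.0.0.135 10.0.0.214 TCP 4455 > 280 [SYN] Seq=0 Len=0 MSS=1460
6 2.000000 10.0.0.135 10.0.0.2 TCP 1050 > smtp [SYN] Seq=0 Len=0 MSS=1460
7 2.001000 10.0.0.2 10.0.0.135 TCP smtp > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
"""

LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+"
                  r"(\S+) > (\S+) \[([^\]]+)\]")

def summarize(text):
    """Group TCP frames by (src, dst, dst port, flags) across the whole capture."""
    groups = defaultdict(lambda: {"frames": 0, "sports": set(), "answered": False})
    synacks = set()  # (server, client, server port) that sent a SYN, ACK
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or unparseable row
        _, _, src, dst, sport, dport, flags = m.groups()
        g = groups[(src, dst, dport, flags)]
        g["frames"] += 1
        g["sports"].add(sport)
        if flags == "SYN, ACK":
            synacks.add((src, dst, sport))
    # A SYN group counts as answered if the target ever replied from that port.
    for (src, dst, dport, flags), g in groups.items():
        if flags == "SYN":
            g["answered"] = (dst, src, dport) in synacks
    return groups

def report(groups):
    for (src, dst, dport, flags), g in sorted(groups.items()):
        note = ""
        if flags == "SYN":
            note = "answered" if g["answered"] else "no SYN, ACK seen"
        print(f"{src} -> {dst}:{dport} [{flags}] frames={g['frames']} "
              f"src_ports={len(g['sports'])} {note}")

if __name__ == "__main__":
    report(summarize(SAMPLE))
```

The grouping only describes what is in the capture; the answered check is per group, not per connection, so it is a first pass before following individual streams.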