In a Windows domain network, is it normal?

Posted: 2019/06/02 08:01:57
by hack3rcon
Hello.
My Linux box is in a Windows domain network, but I never joined my Linux box to the Windows domain. I ran the command below:

$ sudo tcpdump -i eth1 net 172 and dst host "MY IP" and port 445
Then I see some requests from the DC computer on port 445:

12:16:29.700792 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [S.], seq 381694702, ack 2634118497, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 38509174 ecr 2358727], length 0
12:16:29.701558 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [P.], seq 1:253, ack 160, win 260, options [nop,nop,TS val 38509174 ecr 2358727], length 252 SMB-over-TCP packet:(raw data or continuation?)
12:16:29.702264 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [P.], seq 253:505, ack 268, win 259, options [nop,nop,TS val 38509174 ecr 2358727], length 252 SMB-over-TCP packet:(raw data or continuation?)
12:16:29.703838 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [.], ack 3279, win 260, options [nop,nop,TS val 38509174 ecr 2358728], length 0
12:16:29.704651 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [P.], seq 505:765, ack 3279, win 260, options [nop,nop,TS val 38509174 ecr 2358728], length 260 SMB-over-TCP packet:(raw data or continuation?)
12:16:29.705419 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [P.], seq 765:849, ack 3401, win 259, options [nop,nop,TS val 38509174 ecr 2358728], length 84 SMB-over-TCP packet:(raw data or continuation?)
12:16:29.706187 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [P.], seq 849:1149, ack 3529, win 259, options [nop,nop,TS val 38509174 ecr 2358728], length 300 SMB-over-TCP packet:(raw data or continuation?)
12:16:39.881678 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [P.], seq 1149:1221, ack 3601, win 258, options [nop,nop,TS val 38510192 ecr 2361272], length 72 SMB-over-TCP packet:(raw data or continuation?)
12:16:39.882314 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [P.], seq 1221:1293, ack 3673, win 258, options [nop,nop,TS val 38510192 ecr 2361272], length 72 SMB-over-TCP packet:(raw data or continuation?)
12:16:39.882818 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [.], ack 3674, win 258, options [nop,nop,TS val 38510192 ecr 2361273], length 0
12:16:39.882958 IP DC.MyDC.xyz.microsoft-ds > "MY IP".57627: Flags [R.], seq 1293, ack 3674, win 0, length 0
Is it normal?

Thank you.
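An added example, not part of the thread: a small parser for tcpdump summary lines of the shape shown above that works out which side opened each TCP flow. tcpdump prints SYN as [S] and SYN-ACK as [S.]; the SYN-ACK always comes from the listening service, so a [S.] from the DC's microsoft-ds port means the Linux host opened the session to the DC, not the reverse. The sample lines are constructed, and 10.0.0.5 stands in for the redacted "MY IP".

```python
import re

# Constructed sample in the shape of the thread's tcpdump output;
# 10.0.0.5 is a placeholder for the poster's redacted "MY IP".
SAMPLE = """\
12:16:29.700792 IP DC.MyDC.xyz.microsoft-ds > 10.0.0.5.57627: Flags [S.], seq 381694702, ack 2634118497, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 38509174 ecr 2358727], length 0
12:16:29.701558 IP DC.MyDC.xyz.microsoft-ds > 10.0.0.5.57627: Flags [P.], seq 1:253, ack 160, win 260, options [nop,nop,TS val 38509174 ecr 2358727], length 252 SMB-over-TCP packet:(raw data or continuation?)
12:16:29.703838 IP DC.MyDC.xyz.microsoft-ds > 10.0.0.5.57627: Flags [.], ack 3279, win 260, options [nop,nop,TS val 38509174 ecr 2358728], length 0
12:16:39.882958 IP DC.MyDC.xyz.microsoft-ds > 10.0.0.5.57627: Flags [R.], seq 1293, ack 3674, win 0, length 0
"""

# host and port are separated by the last '.' before ' > ' or ':'
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

def parse(text):
    """Yield one dict per tcpdump summary line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text):
    """Per TCP flow: who initiated it, payload bytes seen, and whether it was reset."""
    flows = {}
    for p in parse(text):
        sender = (p["src"], p["sport"])
        receiver = (p["dst"], p["dport"])
        key = frozenset([sender, receiver])
        f = flows.setdefault(key, {"initiator": None, "responder": None,
                                   "payload_bytes": 0, "reset": False})
        flags = p["flags"]
        if "S" in flags:
            # '[S.]' is the listener's SYN-ACK, so the receiver opened the flow;
            # a bare '[S]' is the client's SYN, so the sender opened it.
            if "." in flags:
                f["initiator"], f["responder"] = receiver, sender
            else:
                f["initiator"], f["responder"] = sender, receiver
        f["payload_bytes"] += int(p["length"])
        f["reset"] = f["reset"] or "R" in flags
    return list(flows.values())

if __name__ == "__main__":
    for flow in summarize(SAMPLE):
        print(flow)
```

Because the capture filter in the thread keeps only packets with "MY IP" as destination, only the DC's half of the conversation is visible; the SYN-ACK still identifies the Linux host as the initiator.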

Re: In a Windows domain network, is it normal?

Posted: 2019/06/02 16:47:13
by aks
Given there is no actual data here (just headers/summary):

Is it normal for Windows machines (even if they are not *really* Windows machines, but emulating Windows) to talk a lot on the network?

YES

Re: In a Windows domain network, is it normal?

Posted: 2019/06/23 15:05:25
by hack3rcon
What does actual data look like?

Re: In a Windows domain network, is it normal?

Posted: 2019/06/24 00:58:55
by aks
SMB is usually over TCP. Quite often a subnet broadcast.
But in reality it looks like a frequency being carried by a medium....

Re: In a Windows domain network, is it normal?

Posted: 2019/06/24 05:33:07
by hack3rcon
Thus, it is normal.

Thank you.