
Malformed SMB2 packet for Server 2016 across an MPLS WAN

Hello,

I am fairly new to Wireshark but I have some experience troubleshooting network issues. I am trying to troubleshoot connecting to an admin share (\\servername\c$) across an MPLS WAN connection. According to our MPLS provider there are no ports being blocked on the MPLS WAN. I saved a capture file and it is located at the Google Drive link below.

When the packets start the SMB2 negotiation I am getting a Malformed Packet followed by a reset of the TCP/IP handshake. I'm not sure if this is an error in Wireshark or if the packet is getting modified incorrectly by a router or other network device.

What is interesting to me is the fact that I can connect to admin shares in the reverse direction. Additionally, this error is only happening when the source and destination are Windows 2016 servers. Admin shares on Server 2012 R2 work fine in both directions. Connecting to admin shares on the local subnet works just fine using 2 Windows 2016 servers.

10.254.164.166 --> admin share --> 10.254.188.123 Does not work

10.254.188.123 --> admin share --> 10.254.164.66 Works just fine

https://drive.google.com/open?id=1C4mrQ3x0HnaRyVSK2a2FOBhf9OWCafcB

I'm using the following filter to show SMB2 traffic: ip.addr==10.254.164.166 and ip.addr==10.254.188.123 and tcp.port==445

I'm leaning towards something being blocked or the traffic being changed to cause the error. But my Senior Network Engineer thinks it is a Server 2016 issue and not network related. I'm looking for some proof that it is a network issue from the information in the packets, but I'm not sure what to look for.

Thank you in advance!