Bad NetBios name query bringing down network
hal korstead
2010-06-09 19:13:18 UTC
Sorry for the duplicate post but I found out that if I post under my MSDN
subscriber login I am guaranteed a response.

One XP/SP2 machine in our private network of about 85 identical machines
occasionally is the source of a NetBIOS name query message that has a bad IP
checksum as indicated by a Wireshark trace. In the case we most closely
investigated, the high-order octet of the source IP address got a bit flipped
so that 192 became 196. This produced an IP checksum error but not a UDP
checksum error. Immediately upon broadcast of this errored packet, all
networking to all XP machines on the network except for the source machine
was permanently disabled; however, switches and a non-MS system on the network
remained intact. Networking could only be restored by rebooting all machines.

I used Wireshark to capture a good name query message and then I corrupted
it in the same way that it had been corrupted in production. I used the
ColaSoft Packet Player to play this message back into a switch and all MS XP
hosts had their networking disabled exactly as in the production scenario.

The machines use XP-Embedded and are headless, etc. so visibility into these
machines is limited and we need to enhance that. Note that XP-Embedded uses
the same OS code as desktop XP so I assume we are dealing with a generic XP
issue. Pending more investigation on our part I am very interested in
knowing whether any aspects of this problem are known or have been seen
before. Also, any insight or suggestions are welcome.
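
Added example, not part of the original post: a checker that validates the IPv4 header checksum and the UDP checksum (which also covers the source address through its pseudo-header) of a raw captured packet, to triage the "IP checksum bad, UDP checksum good" symptom described above. The addresses, filler payload, and the `build_sample` helper are constructed for the demonstration and are assumptions, not values from the thread's capture.

```python
import struct

def ones_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def check_ipv4_udp(pkt: bytes) -> dict:
    """Validate the IPv4 header checksum and the UDP checksum of one raw packet."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or pkt[0] >> 4 != 4 or len(pkt) < ihl + 8 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    udp = pkt[ihl:ihl + udp_len]
    ip_ok = ones_sum(pkt[:ihl]) == 0xFFFF  # header incl. checksum sums to 0xFFFF
    if udp[6:8] == b"\x00\x00":
        udp_ok = None  # sender did not use the UDP checksum
    else:
        # The UDP checksum also covers a pseudo-header with both IP addresses.
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, udp_len)
        udp_ok = ones_sum(pseudo + udp) == 0xFFFF
    return {"src": ".".join(map(str, pkt[12:16])), "ip_ok": ip_ok, "udp_ok": udp_ok}

def build_sample(hdr_src: bytes, wire_src: bytes) -> bytes:
    """Constructed test packet (hypothetical helper): the IP checksum is computed
    for hdr_src, the source field then becomes wire_src, and the UDP checksum is
    computed over wire_src. Payload is zero filler, not a real name query."""
    dst, payload = bytes([192, 168, 1, 255]), bytes(50)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + udp_len, 1, 0, 128, 17, 0) + hdr_src + dst
    ip = ip[:10] + struct.pack("!H", 0xFFFF - ones_sum(ip)) + wire_src + dst
    udp = struct.pack("!HHHH", 137, 137, udp_len, 0) + payload
    pseudo = wire_src + dst + struct.pack("!BBH", 0, 17, udp_len)
    ucs = (0xFFFF - ones_sum(pseudo + udp)) or 0xFFFF  # 0 is sent as 0xFFFF
    return ip + udp[:6] + struct.pack("!H", ucs) + payload

if __name__ == "__main__":
    good_src = bytes([192, 168, 1, 10])     # constructed address
    flipped_src = bytes([196, 168, 1, 10])  # same address with one bit flipped
    print(check_ipv4_udp(build_sample(good_src, good_src)))
    print(check_ipv4_udp(build_sample(good_src, flipped_src)))
```

A result of `ip_ok: False` with `udp_ok: True` means the UDP checksum was calculated over the already-changed source address while the IP header checksum was not, which narrows where in the sending path the address changed.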
Henry Markov
2010-06-11 13:21:51 UTC
We resolved this problem by upgrading the Intel 82546EB NIC driver.