profro
Posts: 45
Joined: Tue Nov 15, 2016 1:26 pm

Jessie Lite flooding network (netbios-ns)

Mon Jun 19, 2017 6:58 pm

Got a note from my IT today that one of my PiZeroW running Rasbian Jessie Lite was flooding the network with "session" updates. He couldn't give me any information on what the traffic was, who it was too, etc. He said only that it was filling the firewall log with updates, about 100Gbs per week. There were not violations and it wasn't even traversing the firewall.

I have two identical systems running DHT11s and writing data to a server location once every hour. The code and process is really easy. The program has a shell script to run if the server location can't be found. The script will remount the drive. There is no active internet comm.

The only differences between the PiZeroWs would be the deploy dates. I deployed one back in March/April and the latest about a month ago. So I updated them at different times. Is there anything that I could look at locally that would help me understand what is going on with this one?

Doug
Last edited by profro on Wed Jun 21, 2017 12:56 pm, edited 1 time in total.

User avatar
DougieLawson
Posts: 30470
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website

Re: Jessie Lite flooding network

Mon Jun 19, 2017 8:33 pm

You won't get far without a packet trace either taken on the RPi with tcpdump or taken at the firewall.
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

Since 2012: 1B*5, 2B*2, B+, A+, Zero*2, 3B*3

Please post ALL technical questions on the forum. Do not send private messages.

profro
Posts: 45
Joined: Tue Nov 15, 2016 1:26 pm

Re: Jessie Lite flooding network

Mon Jun 19, 2017 9:07 pm

ok, I'll give tcpdump a try. I asked IT for packet info and he couldn't provide for whatever reason. I use Wireshark on PCs and was wondering what equivalent would work on Raspbian.

Was more curious if it was a recent OS thing that others had seen. I may have inadvertently set a delay time as ms versus seconds/minute in my code. I really want the packet info to see who/what is going on. Thanks for the reply. I'll post up a conclusion if I can find one.

Doug

User avatar
rpdom
Posts: 11853
Joined: Sun May 06, 2012 5:17 am
Location: Essex, UK

Re: Jessie Lite flooding network

Mon Jun 19, 2017 9:22 pm

profro wrote:ok, I'll give tcpdump a try. I asked IT for packet info and he couldn't provide for whatever reason. I use Wireshark on PCs and was wondering what equivalent would work on Raspbian.
The equivalent of Wireshark on Raspbian is Wireshark.

Code: Select all

Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u11
Architecture: armhf
Maintainer: Balint Reczey <balint@balintreczey.hu>
Installed-Size: 2034
Depends: libc6 (>= 2.15), libcairo2 (>= 1.2.4), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.31.8), libgtk-3-0 (>= 3.7.10), libnl-3-200 (>= 3.2.7), libnl-genl-3-200 (>= 3.2.7), libnl-route-3-200 (>= 3.2.7), libpango-1.0-0 (>= 1.14.0), libpangocairo-1.0-0 (>= 1.14.0), libpcap0.8 (>= 0.9.8), libportaudio2 (>= 19+svn20101113), libwireshark5 (>= 1.12.0~rc3), libwiretap4 (>= 1.12.0~rc1), libwsutil4 (>= 1.12.0~rc3), zlib1g (>= 1:1.1.4), wireshark-common (= 1.12.1+g01b65bf-4+deb8u11), xdg-utils
Conflicts: ethereal (<< 1.0.0-3)
Replaces: ethereal (<< 1.0.0-3)
Homepage: http://www.wireshark.org/
Priority: optional
Section: net
Filename: pool/main/w/wireshark/wireshark_1.12.1+g01b65bf-4+deb8u11_armhf.deb
Size: 688514
SHA256: 3356732ef05f60ca483036b217b281c1fb911230ebbe72b0fc4b49c17b1ede8b
SHA1: f7528a00e311cb0f4b36d704184469701033fbfe
MD5sum: 09ae2650cde25076e15288d86ecf8349
Description: network traffic analyzer - GTK+ version
 Wireshark is a network "sniffer" - a tool that captures and analyzes
 packets off the wire. Wireshark can decode too many protocols to list
 here.
 .
 This package provides the GTK+ version of wireshark.
Description-md5: 205b792665989c3882b556e37286b93b
tcpdump is a very good on the command line though :)

User avatar
DougieLawson
Posts: 30470
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website

Re: Jessie Lite flooding network

Mon Jun 19, 2017 9:34 pm

If you write a tcpdump trace on your Raspberry you can read it on Windows with Wireshark. I do that all the time.
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

Since 2012: 1B*5, 2B*2, B+, A+, Zero*2, 3B*3

Please post ALL technical questions on the forum. Do not send private messages.

profro
Posts: 45
Joined: Tue Nov 15, 2016 1:26 pm

Re: Jessie Lite flooding network

Tue Jun 20, 2017 1:54 pm

Performed a tcpdump and there is a ton of traffic. Its kinda of hard to read from the commandline. I tried writing it to file and its just a confusing to read. I'm still relatively new to it, but I see a lot of "netbios-ns" and other UDP traffic to other machine on the network.

Is there a way to turn of the nmbd service? I have tried to add "disable netbios = yes" and it doesn't work.

I have tried to edit /etc/init/nmbd.conf per a couple threads but I don't even have that file.

profro
Posts: 45
Joined: Tue Nov 15, 2016 1:26 pm

Re: Jessie Lite flooding network

Tue Jun 20, 2017 6:13 pm

Adding "disable netbios = yes" killed my smb mount to the server location. Any other ideas regarding quieting down the netbios traffic while keeping my smb mount alive?

profro
Posts: 45
Joined: Tue Nov 15, 2016 1:26 pm

Re: Jessie Lite flooding network

Tue Jun 20, 2017 7:39 pm

I have also noticed that the newer PiZero continually drops connection to the server and sometimes won't remount. I have a check in my code to see if the folder is available. If not, it runs a shell script to remount the drive. The older PiZero never drops the server mount.

I have compared rc.local, fstab, interfaces, and wpa_supplicant.conf and the only difference was the new PiZero had the wifi country set as GB, not US. I have changed to match, but could cause an issue?

Doug

profro
Posts: 45
Joined: Tue Nov 15, 2016 1:26 pm

Re: Jessie Lite flooding network (netbios-ns)

Wed Jun 21, 2017 1:01 pm

The PiZeroW that works has a uname -r of "4.4.50+"

The PiZeroW that floods the network with netbios and can't maintain a windows server mount is "4.9.24+"

gkreidl
Posts: 5326
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Jessie Lite flooding network (netbios-ns)

Wed Jun 21, 2017 2:33 pm

I think this is the result of the latest samba (server) updates. I've noticed something similar. Here's my situation:

I have three RPis in my network, all of them sharing one or more folders / disks via Samba. All shares are mounted on the other RPis.

After each reboot I notice a lot of traffic and a rather high CPU load (caused by the Samba daemon). To stop it, I have to open each share once from each RPi on the network (usually opening the mounted share using the file manager).

This did not happen with one of the RPis, because it wasn't updated for some time. But two week weeks ago it also got the latest updates and now shows the same problem.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

profro
Posts: 45
Joined: Tue Nov 15, 2016 1:26 pm

Re: Jessie Lite flooding network (netbios-ns)

Mon Jun 26, 2017 12:29 pm

I updated to 4.9.28+ last week and the server mount drops have stopped. A tcpdump has shown the network traffic to be much cleaner as well. Wonder what was up?

Return to “Raspbian”

Who is online

Users browsing this forum: No registered users and 12 guests