Packet Trace of Win95 Browsing a Different Domain

This is a detailed look at a Win95 machine browsing a domain chosen from the Entire Network section of the Network Neighborhood. All non-IPX transactions are described in detail whenever possible. Some packets are rearranged in order to group transactions together. However, no packet content has been modified.

First, the client requests the list of backup browsers from the Local Master Browser for the specified workgroup. In this case, the client is searching for the workgroup HEINZ.

20:32:20.170532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
20:32:20.670532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
20:32:21.180532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)

When no response is received, the WINS server is contacted, as the client asks for the Domain Controller for the HEINZ workgroup. The WINS server responds with an IP address (128.2.52.97).

20:32:21.180532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:32:21.190532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)

With this knowledge, the client asks the domin controller for the list of backup browsers for the HEINZ workgroup. The domain controller answers with a list of two: PHANTOM, and THUNDERBOLT.

20:32:21.190532 128.2.6.192.138 > 128.2.52.97.138: NBT UDP PACKET(138)
20:32:21.210532 128.2.52.97.138 > 128.2.6.192.138: NBT UDP PACKET(138)

Next the client resolves one of these names via the WINS servers, and then transfers the browse list from that machine.

20:32:21.210532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:32:21.210532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
20:32:21.210532 128.2.6.192.1030 > 128.2.22.216.139: S 391916:391916(0) win 8192 <mss 1460> (DF)
20:32:21.220532 128.2.22.216.139 > 128.2.6.192.1030: S 2091385691:2091385691(0) ack 391917 win 8760 <mss 1460> (DF)
20:32:21.220532 128.2.6.192.1030 > 128.2.22.216.139: . ack 1 win 8760 (DF)
20:32:21.220532 128.2.6.192.1030 > 128.2.22.216.139: P 1:73(72) ack 1 win 8760 NBT Packet (TCP 139) (DF)
20:32:21.230532 128.2.22.216.139 > 128.2.6.192.1030: P 1:5(4) ack 73 win 8688 NBT Packet (TCP 139) (DF)
20:32:21.230532 128.2.6.192.1030 > 128.2.22.216.139: P 73:231(158) ack 5 win 8756 NBT Packet (TCP 139) (DF)
20:32:21.240532 128.2.22.216.139 > 128.2.6.192.1030: P 5:98(93) ack 231 win 8530 NBT Packet (TCP 139) (DF)
20:32:21.240532 128.2.6.192.1030 > 128.2.22.216.139: P 231:364(133) ack 98 win 8663 NBT Packet (TCP 139) (DF)
20:32:21.250532 128.2.22.216.139 > 128.2.6.192.1030: P 98:197(99) ack 364 win 8397 NBT Packet (TCP 139) (DF)
20:32:21.250532 128.2.6.192.1030 > 128.2.22.216.139: P 364:484(120) ack 197 win 8564 NBT Packet (TCP 139) (DF)
20:32:21.270532 128.2.22.216.139 > 128.2.6.192.1030: . 197:1657(1460) ack 484 win 8277 NBT Packet (TCP 139) (DF)
20:32:21.280532 128.2.22.216.139 > 128.2.6.192.1030: . 1657:3117(1460) ack 484 win 8277 NBT Packet (TCP 139) (DF)
20:32:21.280532 128.2.22.216.139 > 128.2.6.192.1030: P 3117:3121(4) ack 484 win 8277 NBT Packet (TCP 139) (DF)
20:32:21.280532 128.2.6.192.1030 > 128.2.22.216.139: . ack 3117 win 8760 (DF)
20:32:21.400532 128.2.6.192.1030 > 128.2.22.216.139: . ack 3121 win 8756 (DF)
20:32:21.410532 128.2.22.216.139 > 128.2.6.192.1030: P 3121:3183(62) ack 484 win 8277 NBT Packet (TCP 139) (DF)
20:32:21.610532 128.2.6.192.1030 > 128.2.22.216.139: . ack 3183 win 8694 (DF)
20:32:23.870532 128.2.6.192.1030 > 128.2.22.216.139: P 484:523(39) ack 3183 win 8694 NBT Packet (TCP 139) (DF)
20:32:23.880532 128.2.22.216.139 > 128.2.6.192.1030: P 3183:3222(39) ack 523 win 8238 NBT Packet (TCP 139) (DF)
20:32:23.880532 128.2.6.192.1030 > 128.2.22.216.139: F 523:523(0) ack 3222 win 8655 (DF)
20:32:23.890532 128.2.22.216.139 > 128.2.6.192.1030: F 3222:3222(0) ack 524 win 8238 (DF)
20:32:23.890532 128.2.6.192.1030 > 128.2.22.216.139: . ack 3223 win 8655 (DF)

Raw Data: win95-browse-other.tcpdump
Verbose Decoded Data: win95-browse-other.verbose.txt

Ryan Troll

Last modified: Tue Sep 8 13:12:41 EDT