Network traffic when opening local files
Well, I have a rather strange problem. I have one computer with
Windows XP pro SP1 + rollup and one with Windows 2000 pro SP3. The
2000 box acts as a kind of fileserver and therefore has many network
shares. Some of them are available on the XP machine as permanent
connections with drive letters.
If I fire up a firewall and open a network share from the 2000 system
on my XP box I can see both computers start to communicate via the
network (remote port 139 and local port 1784), which is of course
fine, since I want data from one computer transferred to the other. I
can see "SMB" in the packets and the file and directory names and I
think this is all normal. Although it is strange that every
information is send twice from the 2000 box to the XP computer, but I
don't know much about the Samba protocol, so this maybe alright.
The funny thing is now that everytime I open a directory or a file on
the XP machine - located on the harddisc in the XP machine itself -
both computers start to communicate like the data were located on the
remote machine!? Packets with "SMB" in them go out to the 2000 box and
are received by the XP system.
I don't think this is right, because when the 2000 system is powered
down I have to wait for network timeouts if I try to open a local file
on the XP system because it thinks it has to tell the 2000 box (which
isn't there anymore) all kinds of interesting stuff.
Any ideas? I could swear that this didn't happen initally after I
installed XP on the one machine, maybe it started after installing
service pack 1 on the XP box, but I'm not sure when I realized the
problem first. Is this some kind of weird traffic or file control
windows tool? A trojan or hack seems quite nonsense, because the
attacker has to be quite invisible, because both machines are in the
Quotomat says: "Much better to be the right hand of the devil than to
be in his path."
(Kevin J. O'Connor as Beni in 'The Mummy', 1999)