Scan to Server Troubleshooting w/ Wireshark

[teklife256]

The current headache of mine is a scanning issue with a Sharp MX-M5001N. We have been trying to scan to a Windows Server 2012 R2 to no avail. So far we have looked at NTLM settings, SMB v1 vs v2/v3 settings, user rights, network path and such. Sharp tech support has helped as much as possible and yet I find myself here at the community's mercy.

A Netgear gs105e switch is on order and I plan on using Wireshark to further troubleshoot. The truth is I don't have any experience with Wireshark and I do know it is a powerful tool.

So my request is in what should I be looking for in the Wireshark results? That's probably a vague question which makes clear my inexperience with the analyzer.

Any and all help would be appreciated!

Thanks in advance

[slimslob]

You can capture an attempted scan session and then analyze the data to see if you can identify where the error occurred.

[Santander]

WireShark is a good analyzer and will provide you more data than you may be able to use. First question is will the customer's IT allow you to install on their server? Many will not as it reveals data they do not want out of their control that could be used to hack their system. Second question is, do they have Exchange installed on the server? If so, the scanner's IP address needs to be registered in Exchange for a successful scan and the WireShark data will reveal nothing for you to solve the problem as it cannot look into the OS. It would reveal that the scan request was denied by the server, but not the reason why. Have you tried working with the customer's IT support people whether on-site or a third party provider? As an after thought, what port are you using for the scanning to access the server? Port 139 is blocked by Windows, try using either 445 or 443. Hope this helps.

[teklife256]

WireShark is a good analyzer and will provide you more data than you may be able to use. First question is will the customer's IT allow you to install on their server? Many will not as it reveals data they do not want out of their control that could be used to hack their system. Second question is, do they have Exchange installed on the server? If so, the scanner's IP address needs to be registered in Exchange for a successful scan and the WireShark data will reveal nothing for you to solve the problem as it cannot look into the OS. It would reveal that the scan request was denied by the server, but not the reason why. Have you tried working with the customer's IT support people whether on-site or a third party provider? As an after thought, what port are you using for the scanning to access the server? Port 139 is blocked by Windows, try using either 445 or 443. Hope this helps.

The customer has an in house IT admin and they have been reluctant to help with the situation. He has been gracious enough to adjust settings on the server while not fully committed to helping. It was pulling teeth to have him adjust the NTLM settings. At this point I'm planning on running Wireshark on my laptop as I don't see installing on the server very likely.

In regards to Exchange I'm not certain exactly to their setup. As we are scanning to a folder on the server and not to email would Exchange be a concern?

That's a great idea with the ports, I will try that next time out.

[slimslob]

I don't know about Sharp but with Ricoh, I can go into User Tools - System Settings - Interface and print network settings. If I print immediately after a scan failure the third (last) page will have an abbreviated network log that will contain a coupe of lines with SMB followed by a group of numeric codes. Those are the failure codes and they are industry standard that can be looked up on the internet. There could also be error phrases such as "Failed to write" which could be a permission problem or a firmware problem, i.e SMB 3 not supported by current firmware version.

[emujo]

Simply installing wireshark and typing an IP address to monitor usually does not suffice. In this configuration, wireshark is only capturing broadcast data. The proper way to do this is to have wireshark running on your laptop, and a switch that allows for port mirroring. You need to put the switch between the network and the MFP, then your laptop will be on the switch capturing all traffic to and from the MFP IP. Fortunately for me, I normally just send the file off to support and they get the task of deciphering the info. Try a goggle search for "cisco switch + port mirroring". You should be able to find a pretty good PDF for how this is configured. Be sure to get your customer's permission before doing this as in this case, begging forgiveness is not better than asking permission. All you need is for some security scan to show un unknown switch in a mirroring mode to have the jack booted thugs surrounding you in 3 min. (And I speak from experience, did this at an international airport and had the TSA all over me..But, I did ask the POC beforehand, she said go ahead, but never asked IT) Emujo

[slimslob]

A Netgear gs105e switch is on order and I plan on using Wireshark to further troubleshoot.

Be sure to use a network hub, not a switch. Otherwise you can not capture any data.

There are some manageable switches that can be programmed to allow one port to monitor all traffic to another port. Of course these are high end manageable switches.

[faxman28]

the mx5001 is smb v1 and uses port 139 and 445. port 139 is from the old days of win nt and NetBIOS. NetBIOS maybe turned off on server. make sure port 139 and/or port 445 are allowed through firewall. make sure dns server is in mfp, smb1/ cifs needs to be on on the 2012 server(sometimes smb 1 is turned off), if running active directory on server , the mfp needs to be setup as a user/account. also user name for the folder in the mfp settings (address book) may need to be in the domain/user name format.

also check the service web page, there is a log on that web page that maybe helpful.

[Santander]

The customer has an in house IT admin and they have been reluctant to help with the situation. He has been gracious enough to adjust settings on the server while not fully committed to helping. It was pulling teeth to have him adjust the NTLM settings. At this point I'm planning on running Wireshark on my laptop as I don't see installing on the server very likely.

In regards to Exchange I'm not certain exactly to their setup. As we are scanning to a folder on the server and not to email would Exchange be a concern?

That's a great idea with the ports, I will try that next time out.

If they are running Exchange it is a concern even if they are not scanning to email. On a server 2012 with exchange the IP or hostname has to registered to allow scanning. Spent too many hours with a customer's IT dept to discover this one and we were both surprised.

[KenB]

There are some manageable switches that can be programmed to allow one port to monitor all traffic to another port. Of course these are high end manageable switches.

If you don't have a "plain old" hub, you may have to search a bit to find one.

That being the case, though, I'm sure it would be very easy to find one, even new. I just don't think you'll get one at a local store.

If you do go looking for one, don't settle for one that's 10 mb / sec only; try for a 10 / 100. (There is no such thing as a gigabit hub.)

A few years back, I got permission to run a hub, but only to find that the network was 100 mb / sec only, so my antique 10 mb hub not only did not work, it shut down the port the switch it was attached to.