I'm having a hard time believing this myself. Here goes:
Peer-to-peer network with two WinXP boxes and a WRT54G running Satori
4_0G. One XP box (terrence) is hard-wired to the WRT, the other is a wifi
client (phillip). Workgroup name is "asses_of_fire".
Terrence is 192.168.1.100
Phillip is 192.168.1.99
WRT54G is 192.168.1.1
I cannot go to one PC and access shares on another.
Going to phillip's console and doing a Start | Run | \\terrence gives
Network Path Not Found, and NET VIEW \\terrence gives a similar error.
NET VIEW /D:asses_of_fire does not return a browse list, either. Event
logs on both machines show EventID 8021/8032 from the computer browser
service getting pissed off and giving up.
Ping works fine by IP (not by name) and Start | Run | \\192.168.1.100
gives a list of shares without hesitation, so we know that IP connectivity
is good. We clearly have a name resolution issue then.
I bust out NetMon and capture some packets. Here's where the crackbaby
part begins. FYI, the MAC addy ending in 44C3 is phillip, B145 is the
WRT, and terrence is 7099. I started the capture and immediately executed
a NET VIEW \\terrence over on phillip's console:
-----
1 0.462070 000ED70F44C3 *BROADCAST NBT NS: Query req. for TERRENCE
<00> 192.168.1.1 192.168.1.255 IP
FRAME: Base frame properties
FRAME: Time of capture = 8/19/2004 12:26:42 AM
FRAME: Time delta from previous physical frame: 0 microseconds
FRAME: Frame number: 1
FRAME: Total frame length: 92 bytes
FRAME: Capture frame length: 92 bytes
FRAME: Frame data: Number of data bytes remaining = 92 (0x005C)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = FFFFFFFFFFFF
ETHERNET: 1....... = Group address
ETHERNET: .1...... = Locally administered address
ETHERNET: Source address = 000ED70F44C3
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = UDP - User Datagram; Packet ID = 1779; Total IP Length =
78; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 78 (0x4E)
IP: Identification = 1779 (0x6F3)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 44891 (0xAF5B)
****IP: Source Address = 192.168.1.1
IP: Destination Address = 192.168.1.255
UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name Service
(137); Length = 58 (0x3A)
UDP: Source Port = NETBIOS Name Service
UDP: Destination Port = NETBIOS Name Service
UDP: Total length = 58 (0x3A)
UDP: UDP Checksum = 0x9C3C
NBT: NS: Query req. for TERRENCE <00>
NBT: Transaction ID = 32867 (0x8063)
NBT: Flags Summary = 0x0110 - Req.; Query; Success
NBT: 0............... = Request
NBT: .0000........... = Query
NBT: .....0.......... = Non-authoritative Answer
NBT: ......0......... = Datagram not truncated
NBT: .......1........ = Recursion desired
NBT: ........0....... = Recursion not available
NBT: .........0...... = Reserved
NBT: ..........0..... = Reserved
NBT: ...........1.... = Broadcast packet
NBT: ............0000 = Success
NBT: Question Count = 1 (0x1)
NBT: Answer Count = 0 (0x0)
NBT: Name Service Count = 0 (0x0)
NBT: Additional Record Count = 0 (0x0)
NBT: Question Name =TERRENCE <00>
NBT: Question Type = General Name Service
NBT: Question Class = Internet Class
00000: FF FF FF FF FF FF 00 0E D7 0F 44 C3 08 00 45 00 ...D..E.
00010: 00 4E 06 F3 00 00 80 11 AF 5B C0 A8 01 01 C0 A8 .N....[..
00020: 01 FF 00 89 00 89 00 3A 9C 3C 80 63 01 10 00 01 ....:<c....
00030: 00 00 00 00 00 00 20 46 45 45 46 46 43 46 43 45 ...... FEEFFCFCE
00040: 46 45 4F 45 44 45 46 43 41 43 41 43 41 43 41 43 FEOEDEFCACACACAC
00050: 41 43 41 43 41 41 41 00 00 20 00 01 ACACAAA.. ..
-----
See the "****" above. Why is phillip masquerading as the router's IP?
Packet 2 is terrence dutifully responding to phillip's NBT name request,
but to the wrong address:
-----
2 0.462070 LOCAL 000F6601B145 NBT NS: Query (Node Status) resp. for
TERRENCE <00>, Success TERRENCE 192.168.1.1 IP
FRAME: Base frame properties
FRAME: Time of capture = 8/19/2004 12:26:42 AM
FRAME: Time delta from previous physical frame: 0 microseconds
FRAME: Frame number: 2
FRAME: Total frame length: 104 bytes
FRAME: Capture frame length: 104 bytes
FRAME: Frame data: Number of data bytes remaining = 104 (0x0068)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 000F6601B145
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 000D87BC7099
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = UDP - User Datagram; Packet ID = 31034; Total IP Length =
90; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 90 (0x5A)
IP: Identification = 31034 (0x793A)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 15779 (0x3DA3)
IP: Source Address = 192.168.1.100
IP: Destination Address = 192.168.1.1
UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name Service
(137); Length = 70 (0x46)
UDP: Source Port = NETBIOS Name Service
UDP: Destination Port = NETBIOS Name Service
UDP: Total length = 70 (0x46)
UDP: UDP Checksum = 0xC2D7
NBT: NS: Query (Node Status) resp. for TERRENCE <00>, Success
NBT: Transaction ID = 32867 (0x8063)
NBT: Flags Summary = 0x8500 - Resp.; Query; Success
NBT: 1............... = Response
NBT: .0000........... = Query
NBT: .....1.......... = Authoritative Answer
NBT: ......0......... = Datagram not truncated
NBT: .......1........ = Recursion desired
NBT: ........0....... = Recursion not available
NBT: .........0...... = Reserved
NBT: ..........0..... = Reserved
NBT: ...........0.... = Not a broadcast packet
NBT: ............0000 = Success
NBT: Question Count = 0 (0x0)
NBT: Answer Count = 1 (0x1)
NBT: Name Service Count = 0 (0x0)
NBT: Additional Record Count = 0 (0x0)
NBT: Resource Record Name =TERRENCE <00>
NBT: Resource Record Type = NetBIOS General Name Service
NBT: Resource Record Class = Internet Class
NBT: Time To Live(Seconds) = 300000 (0x493E0)
NBT: RDATA Length = 6 (0x6)
NBT: Resource Record Flags = 0 (0x0)
NBT: 0............... = Unique NetBIOS Name
NBT: .00............. = B Node
NBT: ...0000000000000 = Reserved
NBT: Owner IP Address = 192.168.1.100
00000: 00 0F 66 01 B1 45 00 0D 87 BC 70 99 08 00 45 00 ..f.E..p..E.
00010: 00 5A 79 3A 00 00 80 11 3D A3 C0 A8 01 64 C0 A8 .Zy:...=.d
00020: 01 01 00 89 00 89 00 46 C2 D7 80 63 85 00 00 00 .....Fc...
00030: 00 01 00 00 00 00 20 46 45 45 46 46 43 46 43 45 ...... FEEFFCFCE
00040: 46 45 4F 45 44 45 46 43 41 43 41 43 41 43 41 43 FEOEDEFCACACACAC
00050: 41 43 41 43 41 41 41 00 00 20 00 01 00 04 93 E0 ACACAAA.. ....
00060: 00 06 00 00 C0 A8 01 64 .....d
-----
Packets 3 and 4 are the same thing but without the <00> NetBIOS suffix.
Packet 5 is the true owner of 192.168.1.1 (the WRT) taking great offense
to this tomfoolery and sending an ICMP "port unreachable" back to
terrence.
----
Here is what happens with the Linksys 2.04 firmware installed:
10 0.681577 000ED70F44C3 *BROADCAST NBT NS: Query req. for TERRENCE PHILIP
192.168.1.255 IP
FRAME: Base frame properties
FRAME: Time of capture = 8/19/2004 1:12:01 AM
FRAME: Time delta from previous physical frame: 87278 microseconds
FRAME: Frame number: 10
FRAME: Total frame length: 92 bytes
FRAME: Capture frame length: 92 bytes
FRAME: Frame data: Number of data bytes remaining = 92 (0x005C)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = FFFFFFFFFFFF
ETHERNET: 1....... = Group address
ETHERNET: .1...... = Locally administered address
ETHERNET: Source address = 000ED70F44C3
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = UDP - User Datagram; Packet ID = 1932; Total IP Length =
78; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 78 (0x4E)
IP: Identification = 1932 (0x78C)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 44640 (0xAE60)
****IP: Source Address = 192.168.1.99
IP: Destination Address = 192.168.1.255
UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name Service
(137); Length = 58 (0x3A)
UDP: Source Port = NETBIOS Name Service
UDP: Destination Port = NETBIOS Name Service
UDP: Total length = 58 (0x3A)
UDP: UDP Checksum = 0x9B94
NBT: NS: Query req. for TERRENCE
NBT: Transaction ID = 32935 (0x80A7)
NBT: Flags Summary = 0x0110 - Req.; Query; Success
NBT: 0............... = Request
NBT: .0000........... = Query
NBT: .....0.......... = Non-authoritative Answer
NBT: ......0......... = Datagram not truncated
NBT: .......1........ = Recursion desired
NBT: ........0....... = Recursion not available
NBT: .........0...... = Reserved
NBT: ..........0..... = Reserved
NBT: ...........1.... = Broadcast packet
NBT: ............0000 = Success
NBT: Question Count = 1 (0x1)
NBT: Answer Count = 0 (0x0)
NBT: Name Service Count = 0 (0x0)
NBT: Additional Record Count = 0 (0x0)
NBT: Question Name =TERRENCE
NBT: Question Type = General Name Service
NBT: Question Class = Internet Class
00000: FF FF FF FF FF FF 00 0E D7 0F 44 C3 08 00 45 00 ...D..E.
00010: 00 4E 07 8C 00 00 80 11 AE 60 C0 A8 01 63 C0 A8 .N....`.c
00020: 01 FF 00 89 00 89 00 3A 9B 94 80 A7 01 10 00 01 ....:....
00030: 00 00 00 00 00 00 20 46 45 45 46 46 43 46 43 45 ...... FEEFFCFCE
00040: 46 45 4F 45 44 45 46 43 41 43 41 43 41 43 41 43 FEOEDEFCACACACAC
00050: 41 43 41 43 41 43 41 00 00 20 00 01 ACACACA.. ..
----
The source address is correct. The ONLY thing that changed here is the
router firmware. The PCs now talk to one another.
How could the router possibly affect the source address that's embedded
within phillip's NetBIOS name requests?
RM
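
An added example, not part of the original post: the script below parses the two broadcast query frames from the hex dumps above, checks each frame's IP source address against the address its source MAC should be using, verifies the IP header checksum, and decodes the encoded NetBIOS name. The `EXPECTED` inventory and the function names are assumptions made for this example.

```python
import ipaddress
import struct

# Hex copied from frame 1 (Satori) and frame 10 (Linksys 2.04) in the post.
FRAME_SATORI = bytes.fromhex(
    "FFFFFFFFFFFF000ED70F44C308004500" "004E06F300008011AF5BC0A80101C0A8"
    "01FF00890089003A9C3C806301100001" "00000000000020464545464643464345"
    "46454F45444546434143414341434143" "414341434141410000200001")
FRAME_LINKSYS = bytes.fromhex(
    "FFFFFFFFFFFF000ED70F44C308004500" "004E078C00008011AE60C0A80163C0A8"
    "01FF00890089003A9B9480A701100001" "00000000000020464545464643464345"
    "46454F45444546434143414341434143" "414341434143410000200001")

# Assumption: inventory built from the MAC endings and IPs the post lists.
EXPECTED = {"000ED70F44C3": "192.168.1.99",   # phillip
            "000D87BC7099": "192.168.1.100",  # terrence
            "000F6601B145": "192.168.1.1"}    # WRT54G

def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the whole header must fold to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_nb_name(encoded: bytes):
    """Undo NetBIOS first-level encoding: 32 letters A-P -> 16 raw bytes."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]  # (name, suffix byte)

def audit(frame: bytes) -> dict:
    """Compare an NBNS frame's IP source with what its source MAC should use."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("not an IPv4/UDP Ethernet frame")
    src_mac = frame[6:12].hex().upper()
    ihl = (frame[14] & 0x0F) * 4
    ip_header = frame[14:14 + ihl]
    src_ip = str(ipaddress.IPv4Address(ip_header[12:16]))
    nbns = frame[14 + ihl + 8:]                 # skip the 8-byte UDP header
    name, suffix = decode_nb_name(nbns[13:45])  # 12-byte header + length byte
    expected = EXPECTED.get(src_mac)
    return {"src_mac": src_mac, "src_ip": src_ip, "expected_ip": expected,
            "mismatch": src_ip != expected,
            "checksum_ok": ip_checksum_ok(ip_header),
            "name": name, "suffix": suffix}

if __name__ == "__main__":
    for label, frame in (("Satori", FRAME_SATORI), ("Linksys", FRAME_LINKSYS)):
        print(label, audit(frame))
```

For the Satori frame the IP header checksum still verifies with 192.168.1.1 as the source, so the checksum was computed over the header with that address already in place. The same MAC-to-IP comparison works as a standing check for any frame on a segment whose address assignments are known.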