Dragon0x40 asked:
Do SMB file transfers use a 3-way TCP handshake?
I am capturing file transfers between two Windows computers. Does SMB use a TCP 3-way handshake to start the transmission?
I looked for a SYN - SYN/ACK - ACK and did not find one.
I thought SMB used TCP port 445?
The transfer took a minute or two just to start transferring any data, and I got a bunch of SMB packets, but I did not see a handshake.
ASKER
I will keep looking with your suggestions.
ASKER
Filtering on tcp.flags.syn == 1 worked.
I was looking at the SMB traffic and could not find the three-way handshake.
TCP sets up the three-way handshake, and then the NetBIOS session (layer 5) and the SMB application (layer 7) are established.
Wireshark shows the protocol of the three-way handshake as TCP and after that shows the protocol as SMB.
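As an added example (not from the original thread), the script below does with constructed packet records what the asker did in Wireshark: it applies the equivalent of tcp.flags.syn == 1, tracks SYN -> SYN/ACK -> ACK per connection, and labels the data segments that follow as SMB2 only when the direct-TCP framing used on port 445 (a 4-byte header: one zero byte plus a 3-byte big-endian length) and the SMB2 magic 0xFE 'S' 'M' 'B' are present. That is what a dissector does; without it, those segments are just TCP with a payload. The second sample connection starts at the server's SYN/ACK, as a capture that begins mid-connection would. All addresses, ports and message bodies are made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# TCP flag bits (same values as Wireshark's tcp.flags field).
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

# A few SMB2 command codes from the 64-byte SMB2 header (Command field, offset 12).
SMB2_COMMANDS = {0x0000: "Negotiate Protocol", 0x0001: "Session Setup", 0x0003: "Tree Connect"}


@dataclass
class Segment:
    """One captured TCP segment. Constructed for this example, not a real trace."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def flag_names(flags: int) -> str:
    names = [n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (PSH, "PSH"), (FIN, "FIN")) if flags & bit]
    return "/".join(names) or "none"


def smb2_message(command: int, response: bool, body: bytes) -> bytes:
    """Build a constructed SMB2 message wrapped in the 4-byte direct-TCP (port 445) header."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0, command, 1,
        1 if response else 0,          # Flags bit 0 = SMB2_FLAGS_SERVER_TO_REDIR (response)
        0, 0, 0, 0, 0, b"\x00" * 16,   # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    )
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_payload(payload: bytes) -> str:
    """Label a TCP payload the way a dissector would: SMB only if framing and magic fit."""
    if not payload:
        return "TCP"
    if len(payload) < 8 or payload[0] != 0x00:
        return "TCP (payload not SMB-framed)"
    length = int.from_bytes(payload[1:4], "big")
    smb = payload[4:]
    if len(smb) != length:
        return "TCP (SMB length field does not match payload)"
    if smb[:4] == b"\xfeSMB" and len(smb) >= 64:
        (command,) = struct.unpack_from("<H", smb, 12)
        (flags,) = struct.unpack_from("<I", smb, 16)
        kind = "Response" if flags & 1 else "Request"
        return f"SMB2 {SMB2_COMMANDS.get(command, hex(command))} {kind}"
    if smb[:4] == b"\xffSMB":
        return "SMB1"
    return "TCP (unknown payload)"


def syn_filter(segments: List[Segment]) -> List[Segment]:
    """Equivalent of the Wireshark display filter tcp.flags.syn == 1."""
    return [s for s in segments if s.flags & SYN]


def analyse(segments: List[Segment]) -> Dict[FrozenSet[Tuple[str, int]], dict]:
    """Per connection: was SYN -> SYN/ACK -> ACK seen, and what did the data segments carry?"""
    conns: Dict[FrozenSet[Tuple[str, int]], dict] = {}
    for s in segments:
        key = frozenset({(s.src, s.sport), (s.dst, s.dport)})
        c = conns.setdefault(key, {"stage": 0, "first_flags": flag_names(s.flags), "labels": []})
        syn, ack = bool(s.flags & SYN), bool(s.flags & ACK)
        if syn and not ack and c["stage"] == 0:
            c["stage"] = 1                      # SYN
        elif syn and ack and c["stage"] == 1:
            c["stage"] = 2                      # SYN/ACK
        elif ack and not syn and c["stage"] == 2 and not s.payload:
            c["stage"] = 3                      # bare ACK completes the handshake
        if s.payload:
            c["labels"].append(classify_payload(s.payload))
    for c in conns.values():
        c["handshake_complete"] = c["stage"] == 3
    return conns


# Constructed sample capture: one full connection, one that starts mid-handshake.
CLIENT, CLIENT2, SERVER = "10.0.0.5", "10.0.0.6", "10.0.0.10"
CONN_A = frozenset({(CLIENT, 49700), (SERVER, 445)})
CONN_B = frozenset({(CLIENT2, 49711), (SERVER, 445)})
NEG_REQ = smb2_message(0x0000, False, struct.pack("<HHHHI16sQH", 36, 1, 1, 0, 0, b"\x00" * 16, 0, 0x0202))
NEG_RSP = smb2_message(0x0000, True, struct.pack("<H", 65) + b"\x00" * 63)
SAMPLE = [
    Segment(CLIENT, 49700, SERVER, 445, SYN),
    Segment(SERVER, 445, CLIENT, 49700, SYN | ACK),
    Segment(CLIENT, 49700, SERVER, 445, ACK),
    Segment(CLIENT, 49700, SERVER, 445, PSH | ACK, NEG_REQ),
    Segment(SERVER, 445, CLIENT, 49700, PSH | ACK, NEG_RSP),
    Segment(SERVER, 445, CLIENT2, 49711, SYN | ACK),          # client's SYN was not captured
    Segment(SERVER, 445, CLIENT2, 49711, PSH | ACK, NEG_RSP),
]

if __name__ == "__main__":
    print(f"{len(syn_filter(SAMPLE))} segments match tcp.flags.syn == 1")
    for key, c in analyse(SAMPLE).items():
        print(sorted(key), "handshake complete:", c["handshake_complete"],
              "first segment:", c["first_flags"], "data:", c["labels"])
```

The handshake segments carry no payload, so classify_payload returns plain "TCP" for them and only the segments after the bare ACK get an SMB2 label, which is exactly the TCP-then-SMB switch seen in the Wireshark protocol column. A connection whose first captured segment is a SYN/ACK or a data segment is reported with handshake_complete False; that is the signature of a capture started after the client's SYN rather than of SMB skipping the handshake.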
That's correct, but the SYN, SYN/ACK, ACK IS the three-way handshake. After that it's still TCP, but Wireshark shows it as NETBIOS/SMB as that allows for more detailed information; if you disable the dissectors for SMB and NETBIOS, they would probably still show as TCP.
Hi, I'm looking at a trace in Wireshark for SMB over TCP/IP and have removed the dissectors for SMB. Pre- and post-removal I see only a [SYN, ACK] and then an SMB "Negotiate Protocol Response", then SMB data. No [SYN] or [ACK], nor [ACK]s during the following data. All seems to be working well; I have just never seen this before for TCP, no [SYN] nor [ACK]. There are over a hundred sequential connections and they're all the same.
Is there some document that explains this scenario? I've been looking for SMB IO Bulk, etc.
SYN, SYN/ACK, ACK (the first three) have no data associated with them.
After that, no SYN or SYN/ACK should be seen for that connection until after a FIN, FIN/ACK, ACK.