Solved

Does SMB file transfers use a 3 way tcp handshake?

Posted on 2011-09-12
9
1,800 Views
Last Modified: 2013-01-06
I am capturing file transfers between two windows computers. Does SMB use a tcp 3 way handshake to start the transmission?

I looked for a syn - syn/ack - ack and did not find one?

I thought SMB used TCP port 445?

The transfer took a minute or two just to start transferring any data and I got a bunch of SMB packets but I did not see a handshake.
0
Comment
Question by:Dragon0x40
9 Comments
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 100 total points
ID: 36527493
It does, most likely the connection to the file server was already present before you started the capture ... once it is set up, the windows box will continue to use the open connection for file transfer ...

Check your "netstat" output, it should list an open TCP connection to port 445/microsoft-ds for every active and used SMB share.

The delay could have been caused by e.g. an Antivirus or other mechanisms in Windows that check out the file before actually starting the copying - was it a rather slow WAN link?
0
 
LVL 8

Assisted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 100 total points
ID: 36528491
if its TCP, then it is a 3way handshake.  That's the nature of TCP.  Also, for every packet sequence, there has to be an ACK for it.  Window sizing could have been adjusted to a slower speed (possible congestion).  Can you upload your pcap file?  There should have most definitely been syns, syn-acks, and acks
0
 

Author Comment

by:Dragon0x40
ID: 36530181
Can I search for the 3 way handshake? What keyword would I filter on? syn - syn/ack - ack?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 40

Accepted Solution

by:
noci earned 300 total points
ID: 36540217
SMB can also use port 139 (un encrypted access).
SYN packets are not a keyword, it's a bit in the TCP header.

In wireshark you can use syntax colouring and test for tcp.flags.syn==1 to apply a different colour.
or filter on tcp.flags.syn == 1; note that in the case of filtering you will miss the 3rd ACK.
0
 

Author Comment

by:Dragon0x40
ID: 36574443
I will keep looking with your suggestions.
0
 

Author Comment

by:Dragon0x40
ID: 36959854
filter on tcp.flags.syn == 1 worked.

I was looking at the SMB traffic and could not find the three way handshake.


TCP sets up the the three way handshake and then the Netbios session (layer 5) and SMB application (layer 7) are established.

Wireshark shows the protocol of the three way handshake as TCP and after that shows the protocol as SMB.
0
 
LVL 40

Expert Comment

by:noci
ID: 36965597
That's correct, but the SYN, SYN/ACK, ACK IS the three way handshake, after that it's still TCP, but wireshark shows it as NETBIOS/SMB as that allows for more detailed information, if you disable the disectors for SMB & NETBIOS they would probably still show as TCP.
0
 

Expert Comment

by:qktgfj
ID: 38747820
Hi i'm looking at a trace in wireshark for SMB of TCPIP and have removed the disectors for SMB. Pre-post the removal I see no only a [SYN, ACK] and then SMB "Negoiate Protocol Response" then SMB data. No [SYN] or [ACK] nor [ACK]s during follown data. All seems to be working well just have never seen this before for TCP no [SYN] nor [ACK]. There are over a hundred sequential connections and they're all the same.

Is there some document that explains this scenario. I've been looking for SMB IO Bulk. etc.
0
 
LVL 40

Expert Comment

by:noci
ID: 38749238
SYN, SYN/ACK, ACK ( the first three) have no data associated with it.
After that no SYN or SYN/ACK should be seen for that connection until after a FIN, FIN/ACK, ACK.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question