Do SMB file transfers use a 3-way TCP handshake?

Posted on 2011-09-12
Last Modified: 2013-01-06
I am capturing file transfers between two Windows computers. Does SMB use a TCP 3-way handshake to start the transmission?

I looked for a SYN - SYN/ACK - ACK and did not find one.

I thought SMB used TCP port 445?

The transfer took a minute or two just to start transferring any data and I got a bunch of SMB packets but I did not see a handshake.
Question by: Dragon0x40

Assisted Solution

by: Garry Glendown
Garry Glendown earned 400 total points
ID: 36527493
It does; most likely the connection to the file server was already present before you started the capture ... once it is set up, the Windows box will continue to use the open connection for file transfer ...

Check your "netstat" output, it should list an open TCP connection to port 445/microsoft-ds for every active and used SMB share.

The delay could have been caused by e.g. an Antivirus or other mechanisms in Windows that check out the file before actually starting the copying - was it a rather slow WAN link?

Assisted Solution

SeeMeShakinMyHead earned 400 total points
ID: 36528491
If it's TCP, then it is a 3-way handshake. That's the nature of TCP. Also, for every packet sequence, there has to be an ACK for it. Window sizing could have been adjusted to a slower speed (possible congestion). Can you upload your pcap file? There should most definitely have been SYNs, SYN-ACKs, and ACKs.

Author Comment

ID: 36530181
Can I search for the 3-way handshake? What keyword would I filter on? SYN - SYN/ACK - ACK?

Accepted Solution

noci earned 1200 total points
ID: 36540217
SMB can also use port 139 (unencrypted access).
SYN packets are not a keyword; it's a bit in the TCP header.

In Wireshark you can use syntax colouring and test for tcp.flags.syn==1 to apply a different colour,
or filter on tcp.flags.syn == 1; note that in the case of filtering you will miss the 3rd ACK.

Author Comment

ID: 36574443
I will keep looking with your suggestions.

Author Comment

ID: 36959854
Filtering on tcp.flags.syn == 1 worked.

I was looking at the SMB traffic and could not find the three-way handshake.

TCP sets up the three-way handshake, and then the NetBIOS session (layer 5) and SMB application (layer 7) are established.

Wireshark shows the protocol of the three-way handshake as TCP and after that shows the protocol as SMB.

Expert Comment

ID: 36965597
That's correct, but the SYN, SYN/ACK, ACK IS the three-way handshake; after that it's still TCP, but Wireshark shows it as NETBIOS/SMB as that allows for more detailed information. If you disable the dissectors for SMB & NETBIOS they would probably still show as TCP.

Expert Comment

ID: 38747820
Hi, I'm looking at a trace in Wireshark for SMB over TCP/IP and have removed the dissectors for SMB. Pre- and post-removal I see only a [SYN, ACK] and then the SMB "Negotiate Protocol Response", then SMB data. No [SYN] or [ACK], nor [ACK]s during the following data. All seems to be working well; I have just never seen this before for TCP: no [SYN] nor [ACK]. There are over a hundred sequential connections and they're all the same.

Is there some document that explains this scenario? I've been looking for SMB IO Bulk, etc.

Expert Comment

ID: 38749238
SYN, SYN/ACK, ACK ( the first three) have no data associated with it.
After that no SYN or SYN/ACK should be seen for that connection until after a FIN, FIN/ACK, ACK.
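
The two points made by noci above (the accepted solution: tcp.flags.syn == 1 shows the SYN and SYN/ACK but misses the third, bare ACK; and the last comment: the three handshake segments carry no data and no further SYN appears until the connection is torn down) and Garry Glendown's point that a connection already open before the capture started shows no handshake at all, as an added example that is not part of the original thread. The script parses raw TCP headers with the standard library, applies the equivalent of the SYN-only display filter, then tracks SYN -> SYN/ACK -> ACK by sequence numbers so the third ACK is found too. The segments are constructed here (no IP layer, no checksum, no options; the SMB payload bytes are illustrative, not a real negotiate request), and the port numbers and function names are the example's own.

```python
"""Stateful three-way-handshake finder over raw TCP segments (added example)."""
import struct
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SMB_PORTS = {139, 445}            # NetBIOS session service and direct-hosted SMB
MASK32 = 0xFFFFFFFF
TCP_HDR = "!HHIIBBHHH"            # ports, seq, ack, offset/reserved, flags, window, checksum, urgent


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload: bytes

    @property
    def conn(self):
        """Direction-independent connection key: (low port, high port)."""
        return tuple(sorted((self.src_port, self.dst_port)))


def build_segment(src_port, dst_port, seq, ack, flags, payload=b""):
    """Serialize a minimal 20-byte TCP header (data offset 5, no options) plus payload."""
    hdr = struct.pack(TCP_HDR, src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return hdr + payload


def parse_segment(raw):
    """Decode the fixed TCP header; honour the data offset so any options are skipped."""
    src, dst, seq, ack, off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return Segment(src, dst, seq, ack, flags, raw[(off >> 4) * 4:])


def syn_filter(segments):
    """Equivalent of the Wireshark display filter tcp.flags.syn == 1: SYN and SYN/ACK only."""
    return [s for s in segments if s.flags & SYN]


def find_handshakes(segments):
    """Return {conn: (syn_index, synack_index, ack_index)} for every complete handshake.

    The third segment has no SYN bit, so a SYN filter cannot see it; it is
    recognised by seq == client ISN + 1 and ack == server ISN + 1 instead.
    """
    pending, done = {}, {}
    for i, s in enumerate(segments):
        syn, ack = bool(s.flags & SYN), bool(s.flags & ACK)
        st = pending.get(s.conn)
        if syn and not ack:
            pending[s.conn] = {"stage": 1, "client": s.src_port, "cisn": s.seq, "idx": [i]}
        elif syn and ack and st and st["stage"] == 1 and st["client"] == s.dst_port \
                and s.ack == (st["cisn"] + 1) & MASK32:
            st.update(stage=2, sisn=s.seq)
            st["idx"].append(i)
        elif ack and not syn and st and st["stage"] == 2 and st["client"] == s.src_port \
                and s.seq == (st["cisn"] + 1) & MASK32 and s.ack == (st["sisn"] + 1) & MASK32:
            st["idx"].append(i)
            done[s.conn] = tuple(st["idx"])
            del pending[s.conn]
    return done


def connections_without_handshake(segments):
    """SMB connections carrying data but no handshake in this capture: they were
    already open when the capture started, the usual reason no SYN is seen."""
    seen = {s.conn for s in segments if s.payload and SMB_PORTS & {s.src_port, s.dst_port}}
    return sorted(seen - set(find_handshakes(segments)))


def analyze(raw_segments):
    segs = [parse_segment(r) for r in raw_segments]
    return {
        "syn_filter_hits": len(syn_filter(segs)),
        "handshakes": find_handshakes(segs),
        "open_before_capture": connections_without_handshake(segs),
    }


def sample_capture():
    """Constructed segments: a fresh connection to 445 (handshake + first SMB exchange)
    interleaved with a connection to 139 that was already established before the capture."""
    c, s = 51000, 445             # fresh connection: client ephemeral port -> microsoft-ds
    c2, s2 = 51001, 139           # pre-existing connection: only mid-stream segments captured
    negotiate = b"\x00\x00\x00\x2c\xffSMB\x72"   # illustrative NetBIOS length prefix + SMB header
    reply = b"\x00\x00\x00\x40\xffSMB\x72"
    return [
        build_segment(c2, s2, 9000, 7000, PSH | ACK, b"\x00\x00\x00\x10\xffSMB\x2e"),
        build_segment(c, s, 1000, 0, SYN),
        build_segment(s, c, 5000, 1001, SYN | ACK),
        build_segment(s2, c2, 7000, 9012, ACK),
        build_segment(c, s, 1001, 5001, ACK),                    # the ACK a SYN filter misses
        build_segment(c, s, 1001, 5001, PSH | ACK, negotiate),
        build_segment(s, c, 5001, 1001 + len(negotiate), PSH | ACK, reply),
    ]


if __name__ == "__main__":
    for k, v in analyze(sample_capture()).items():
        print(f"{k}: {v}")
```

With the sample capture the SYN filter reports two hits (the SYN and the SYN/ACK), the stateful tracker reports the complete handshake at indices 1, 2 and 4, and the port 139 connection is listed as open before the capture because it carries SMB data but no handshake. On a real trace the same logic applies per (address, port) pair; here only ports are used because the sample has no IP layer.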
