Solved

Does SMB file transfers use a 3 way tcp handshake?

Posted on 2011-09-12
9
1,744 Views
Last Modified: 2013-01-06
I am capturing file transfers between two windows computers. Does SMB use a tcp 3 way handshake to start the transmission?

I looked for a syn - syn/ack - ack and did not find one?

I thought SMB used TCP port 445?

The transfer took a minute or two just to start transferring any data and I got a bunch of SMB packets but I did not see a handshake.
0
Comment
Question by:Dragon0x40
9 Comments
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 100 total points
ID: 36527493
It does, most likely the connection to the file server was already present before you started the capture ... once it is set up, the windows box will continue to use the open connection for file transfer ...

Check your "netstat" output, it should list an open TCP connection to port 445/microsoft-ds for every active and used SMB share.

The delay could have been caused by e.g. an Antivirus or other mechanisms in Windows that check out the file before actually starting the copying - was it a rather slow WAN link?
0
 
LVL 8

Assisted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 100 total points
ID: 36528491
if its TCP, then it is a 3way handshake.  That's the nature of TCP.  Also, for every packet sequence, there has to be an ACK for it.  Window sizing could have been adjusted to a slower speed (possible congestion).  Can you upload your pcap file?  There should have most definitely been syns, syn-acks, and acks
0
 

Author Comment

by:Dragon0x40
ID: 36530181
Can I search for the 3 way handshake? What keyword would I filter on? syn - syn/ack - ack?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 40

Accepted Solution

by:
noci earned 300 total points
ID: 36540217
SMB can also use port 139 (un encrypted access).
SYN packets are not a keyword, it's a bit in the TCP header.

In wireshark you can use syntax colouring and test for tcp.flags.syn==1 to apply a different colour.
or filter on tcp.flags.syn == 1; note that in the case of filtering you will miss the 3rd ACK.
0
 

Author Comment

by:Dragon0x40
ID: 36574443
I will keep looking with your suggestions.
0
 

Author Comment

by:Dragon0x40
ID: 36959854
filter on tcp.flags.syn == 1 worked.

I was looking at the SMB traffic and could not find the three way handshake.


TCP sets up the the three way handshake and then the Netbios session (layer 5) and SMB application (layer 7) are established.

Wireshark shows the protocol of the three way handshake as TCP and after that shows the protocol as SMB.
0
 
LVL 40

Expert Comment

by:noci
ID: 36965597
That's correct, but the SYN, SYN/ACK, ACK IS the three way handshake, after that it's still TCP, but wireshark shows it as NETBIOS/SMB as that allows for more detailed information, if you disable the disectors for SMB & NETBIOS they would probably still show as TCP.
0
 

Expert Comment

by:qktgfj
ID: 38747820
Hi i'm looking at a trace in wireshark for SMB of TCPIP and have removed the disectors for SMB. Pre-post the removal I see no only a [SYN, ACK] and then SMB "Negoiate Protocol Response" then SMB data. No [SYN] or [ACK] nor [ACK]s during follown data. All seems to be working well just have never seen this before for TCP no [SYN] nor [ACK]. There are over a hundred sequential connections and they're all the same.

Is there some document that explains this scenario. I've been looking for SMB IO Bulk. etc.
0
 
LVL 40

Expert Comment

by:noci
ID: 38749238
SYN, SYN/ACK, ACK ( the first three) have no data associated with it.
After that no SYN or SYN/ACK should be seen for that connection until after a FIN, FIN/ACK, ACK.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question