Solved

Does SMB file transfers use a 3 way tcp handshake?

Posted on 2011-09-12
9
1,722 Views
Last Modified: 2013-01-06
I am capturing file transfers between two windows computers. Does SMB use a tcp 3 way handshake to start the transmission?

I looked for a syn - syn/ack - ack and did not find one?

I thought SMB used TCP port 445?

The transfer took a minute or two just to start transferring any data and I got a bunch of SMB packets but I did not see a handshake.
0
Comment
Question by:Dragon0x40
9 Comments
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 100 total points
ID: 36527493
It does, most likely the connection to the file server was already present before you started the capture ... once it is set up, the windows box will continue to use the open connection for file transfer ...

Check your "netstat" output, it should list an open TCP connection to port 445/microsoft-ds for every active and used SMB share.

The delay could have been caused by e.g. an Antivirus or other mechanisms in Windows that check out the file before actually starting the copying - was it a rather slow WAN link?
0
 
LVL 8

Assisted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 100 total points
ID: 36528491
if its TCP, then it is a 3way handshake.  That's the nature of TCP.  Also, for every packet sequence, there has to be an ACK for it.  Window sizing could have been adjusted to a slower speed (possible congestion).  Can you upload your pcap file?  There should have most definitely been syns, syn-acks, and acks
0
 

Author Comment

by:Dragon0x40
ID: 36530181
Can I search for the 3 way handshake? What keyword would I filter on? syn - syn/ack - ack?
0
 
LVL 40

Accepted Solution

by:
noci earned 300 total points
ID: 36540217
SMB can also use port 139 (un encrypted access).
SYN packets are not a keyword, it's a bit in the TCP header.

In wireshark you can use syntax colouring and test for tcp.flags.syn==1 to apply a different colour.
or filter on tcp.flags.syn == 1; note that in the case of filtering you will miss the 3rd ACK.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:Dragon0x40
ID: 36574443
I will keep looking with your suggestions.
0
 

Author Comment

by:Dragon0x40
ID: 36959854
filter on tcp.flags.syn == 1 worked.

I was looking at the SMB traffic and could not find the three way handshake.


TCP sets up the the three way handshake and then the Netbios session (layer 5) and SMB application (layer 7) are established.

Wireshark shows the protocol of the three way handshake as TCP and after that shows the protocol as SMB.
0
 
LVL 40

Expert Comment

by:noci
ID: 36965597
That's correct, but the SYN, SYN/ACK, ACK IS the three way handshake, after that it's still TCP, but wireshark shows it as NETBIOS/SMB as that allows for more detailed information, if you disable the disectors for SMB & NETBIOS they would probably still show as TCP.
0
 

Expert Comment

by:qktgfj
ID: 38747820
Hi i'm looking at a trace in wireshark for SMB of TCPIP and have removed the disectors for SMB. Pre-post the removal I see no only a [SYN, ACK] and then SMB "Negoiate Protocol Response" then SMB data. No [SYN] or [ACK] nor [ACK]s during follown data. All seems to be working well just have never seen this before for TCP no [SYN] nor [ACK]. There are over a hundred sequential connections and they're all the same.

Is there some document that explains this scenario. I've been looking for SMB IO Bulk. etc.
0
 
LVL 40

Expert Comment

by:noci
ID: 38749238
SYN, SYN/ACK, ACK ( the first three) have no data associated with it.
After that no SYN or SYN/ACK should be seen for that connection until after a FIN, FIN/ACK, ACK.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now