of file access over smb and trace analysis

File access over the network using the command prompt is used by Microsoft CSS engineers to determine whether a specific file access problem over the network is associated with the shell or with the OS. While this is not conclusive, this simple test will tell you whether you are hitting an issue in the shell and its installed 3rd-party shell extensions or not. To be 100% sure, any file access problem needs to be reproduced in Safe Mode with Networking before it can be attributed to the OS.

In this post I've attached a simple network trace that you can check, together with my analysis of its first 2 frames. I will continue analyzing this trace over multiple posts. At first sight, trace analysis applications seem simple; applications like Microsoft Network Monitor or Wireshark (these are the 2 best out there, and all others seem to lack the extensibility and the vast protocol support these 2 have) parse the packets from the trace file into fields and their associated values in a readable format. While this may be sufficient in simple cases, most of the time someone who wants to analyze a situation over the network needs extensive protocol knowledge to find the root cause, the reason why a specific operation over the network fails.

This trace shows a very generic XP client accessing a 2003 file server, both at SP2: mapping a drive, listing files, outputting the contents of a file in that share and then disconnecting. I'll try to give as much detail as possible.

     24 24.641698   192.168.1.6           192.168.1.8           SMB      Negotiate Protocol Request
     28 25.797167   192.168.1.8           192.168.1.6           SMB      Negotiate Protocol Response

The very first thing that happens, before the above 2 packets, is the transport connection. The client, here 192.168.1.6, initiates a 3-way handshake with 192.168.1.8. By default Windows clients try to establish a connection over 139 and 445 simultaneously. While this can be controlled, if you choose not to do so, the first port on which the client receives a SYN,ACK is the one used for the communication. For your reference, 139 is the NetBIOS session service port and 445 is direct-hosted SMB.

After this succeeds, the next thing is the Negotiate Protocol Request. This is the very first SMB message in an SMB conversation; the client sends the list of dialects it supports:


SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response in: 28]
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc853
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .1.. .... = Long Names Used: Path names in request are long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 65279
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 98
        Requested Dialects
            Dialect: PC NETWORK PROGRAM 1.0
                Buffer Format: Dialect (2)
                Name: PC NETWORK PROGRAM 1.0
            Dialect: LANMAN1.0
                Buffer Format: Dialect (2)
                Name: LANMAN1.0
            Dialect: Windows for Workgroups 3.1a
                Buffer Format: Dialect (2)
                Name: Windows for Workgroups 3.1a
            Dialect: LM1.2X002
                Buffer Format: Dialect (2)
                Name: LM1.2X002
            Dialect: LANMAN2.1
                Buffer Format: Dialect (2)
                Name: LANMAN2.1
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12


The server responds with:

    Negotiate Protocol Response (0x72)
        Word Count (WCT): 17
        Dialect Index: 5, greater than LANMAN2.1
        Security Mode: 0x03
            .... ...1 = Mode: USER security mode
            .... ..1. = Password: ENCRYPTED password. Use challenge/response
            .... .0.. = Signatures: Security signatures NOT enabled
            .... 0... = Sig Req: Security signatures NOT required
        Max Mpx Count: 50
        Max VCs: 1
        Max Buffer Size: 4356
        Max Raw Buffer: 65536
        Session Key: 0x00000000
        Capabilities: 0x8001f3fd
            .... .... .... .... .... .... .... ...1 = Raw Mode: Read Raw and Write Raw are supported
            .... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and Write Mpx are not supported
            .... .... .... .... .... .... .... .1.. = Unicode: Unicode strings are supported
            .... .... .... .... .... .... .... 1... = Large Files: Large files are supported
            .... .... .... .... .... .... ...1 .... = NT SMBs: NT SMBs are supported
            .... .... .... .... .... .... ..1. .... = RPC Remote APIs: RPC remote APIs are supported
            .... .... .... .... .... .... .1.. .... = NT Status Codes: NT status codes are supported
            .... .... .... .... .... .... 1... .... = Level 2 Oplocks: Level 2 oplocks are supported
            .... .... .... .... .... ...1 .... .... = Lock and Read: Lock and Read is supported
            .... .... .... .... .... ..1. .... .... = NT Find: NT Find is supported
            .... .... .... .... ...1 .... .... .... = Dfs: Dfs is supported
            .... .... .... .... ..1. .... .... .... = Infolevel Passthru: NT information level request passthrough is supported
            .... .... .... .... .1.. .... .... .... = Large ReadX: Large Read andX is supported
            .... .... .... .... 1... .... .... .... = Large WriteX: Large Write andX is supported
            .... .... 0... .... .... .... .... .... = UNIX: UNIX extensions are not supported
            .... ..0. .... .... .... .... .... .... = Reserved: Reserved
            ..0. .... .... .... .... .... .... .... = Bulk Transfer: Bulk Read and Bulk Write are not supported
            .0.. .... .... .... .... .... .... .... = Compressed Data: Compressed data transfer is not supported
            1... .... .... .... .... .... .... .... = Extended Security: Extended security exchanges are supported
        System Time: Dec  9, 2007 15:00:34.908906400
        Server Time Zone: -120 min from UTC
        Key Length: 0
        Byte Count (BCC): 16
        Server GUID: 4900C30A3474AB418E7207FA3774EC7E
        Security Blob: <MISSING>

With this Negotiate Protocol Response from the server, the dialect to be used can be seen. Dialect Index is a zero-based index into the list the client sent, so index 5 selects the sixth entry; in this case it is greater than LANMAN2.1 and will be:

            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12

The other important part of this response is the Capabilities field. This tells you which SMB options and features the file server supports. This is maybe the first thing to check: in an oplock problem, for example, it will tell you whether the server supports oplocks, and a bunch of other things. The Security Mode field right above it is worth the same attention, since it shows whether the server has security signatures enabled or required.
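As an added example (not from the original post, and not Microsoft or Wireshark code), the Python below rebuilds the Negotiate Protocol Request body from the dialect list above and recovers its 98-byte BCC, resolves the response's Dialect Index against that list, and decodes the Security Mode and Capabilities bit fields shown in the response, so a server that does not require signing stands out. Field names follow the Wireshark labels above.

```python
import struct

# Dialects exactly as the XP client in the trace advertises them, in order.
DIALECTS = [
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12",
]

# Negotiate Protocol Response Capabilities bits (names as Wireshark prints them).
CAPABILITIES = {
    0x00000001: "Raw Mode", 0x00000002: "MPX Mode", 0x00000004: "Unicode",
    0x00000008: "Large Files", 0x00000010: "NT SMBs", 0x00000020: "RPC Remote APIs",
    0x00000040: "NT Status Codes", 0x00000080: "Level 2 Oplocks",
    0x00000100: "Lock and Read", 0x00000200: "NT Find", 0x00001000: "Dfs",
    0x00002000: "Infolevel Passthru", 0x00004000: "Large ReadX",
    0x00008000: "Large WriteX", 0x00800000: "UNIX", 0x20000000: "Bulk Transfer",
    0x40000000: "Compressed Data", 0x80000000: "Extended Security",
}

def build_negotiate_body(dialects):
    """WCT byte, BCC word, then each dialect as a 0x02 buffer-format byte plus ASCIIZ name."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return struct.pack("<BH", 0, len(data)) + data

def parse_negotiate_body(body):
    """Return (byte_count, dialects) from a request body; refuse a malformed one."""
    wct, bcc = struct.unpack_from("<BH", body, 0)
    if wct != 0 or len(body) != 3 + bcc:
        raise ValueError("bad negotiate request: WCT=%d BCC=%d len=%d" % (wct, bcc, len(body)))
    dialects, pos = [], 3
    while pos < len(body):
        if body[pos] != 0x02:
            raise ValueError("expected dialect buffer format 0x02 at offset %d" % pos)
        end = body.index(b"\x00", pos + 1)  # every dialect name is NUL-terminated
        dialects.append(body[pos + 1:end].decode("ascii"))
        pos = end + 1
    return bcc, dialects

def selected_dialect(dialects, dialect_index):
    """Dialect Index is a 0-based index into the client's list; 0xFFFF means none accepted."""
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return None
    return dialects[dialect_index]

def decode_security_mode(mode):
    return {"user_mode": bool(mode & 1), "encrypted_passwords": bool(mode & 2),
            "signing_enabled": bool(mode & 4), "signing_required": bool(mode & 8)}

def decode_capabilities(caps):
    return sorted(name for bit, name in CAPABILITIES.items() if caps & bit)
```

Running `decode_security_mode(0x03)` on the trace's value shows user-level security with challenge/response passwords but signing neither enabled nor required, which is what the response above spells out bit by bit.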

The next step is the obvious one, user authentication. That will be in another post; until then, happy networking.

smb.cap