Appendix G: File Session Traffic

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This section lists the different types of network traffic that is generated during ...

Resolving IP Addresses

Every time a Microsoft client initializes TCP/IP, it sends an ARP Request packet to verify that the IP address it is attempting to initialize with is unique. An ARP Request is also sent whenever one IP host needs to communicate with another IP host and the destination host's IP address to MAC address mapping is not currently in the originating host's ARP cache.

The ARP Request frame is a 60-byte packet of type 0x0806 (normal IP traffic is 0x0800). This frame is an Ethernet broadcast, containing all F's in the Destination Address field. It stays on the local network, as IP routers do not forward ARP broadcasts.

The last 46 bytes of the frame contain the ARP header, with the following fields:

  • An Opcode (Operation Code) of 1, which indicates a request, or query, as opposed to a reply.

  • The Sender's Hardware Address lists the local MAC address.

  • The Sender's Protocol Address lists the source host's IP address.

  • The Target's Hardware Address shows all 0's, since the MAC address of the target computer is not yet known.

  • The Target's Protocol Address lists the destination host's IP address. In the case of the local host attempting to verify its IP address is unique, the Target's Protocol Address contains the Sender's Protocol Address.

If the target host is running on the local network, it responds with an ARP Reply. The ARP Reply frame is a 42-byte packet of type 0x0806. This frame is a directed Ethernet packet, containing the originator of the ARP Request frame in the Destination Address field.

The last 28 bytes of the frame contain the ARP header, with the following fields:

  • An Opcode (Operation Code) of 2, which indicates a reply.

  • The Sender's Hardware Address lists the local MAC address. This was the Target's Hardware Address in the ARP Request frame, and was all 0's.

  • The Sender's Protocol Address lists the source host's IP address.

  • The Target's Hardware Address lists the destination host's MAC address.

  • The Target's Protocol Address lists the destination host's IP address.

In the case of a host verifying its IP address is unique, there should not be an ARP Reply frame. If there is, that indicates that the IP address the host is attempting to initialize with is not unique, and the local host does not continue to initialize IP.
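As an added example (not part of the original appendix), the following Python builds the address-verification ARP Request described above, parses the fields listed, and checks whether a reply to that probe reveals a duplicate address; the MAC and IP values are constructed.

```python
import struct

ETHERTYPE_ARP = 0x0806          # ARP frames; normal IP traffic is 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2   # Opcode values
BROADCAST = b"\xff" * 6         # all F's in the Destination Address field

def build_arp(dst_mac, src_mac, opcode, sender_hw, sender_ip, target_hw, target_ip):
    """14-byte Ethernet header + 28-byte ARP header, padded to the 60-byte minimum frame."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # Ethernet, IPv4, lengths, opcode
    arp += sender_hw + sender_ip + target_hw + target_ip
    frame = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp
    return frame.ljust(60, b"\x00")

def parse_arp(frame):
    """Return the ARP header fields listed in the appendix, plus whether it was a broadcast."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _hw_type, _proto_type, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    fields, off = {"opcode": opcode, "broadcast": frame[0:6] == BROADCAST}, 22
    for name, length in (("sender_hw", hlen), ("sender_ip", plen),
                         ("target_hw", hlen), ("target_ip", plen)):
        fields[name] = frame[off:off + length]
        off += length
    return fields

def is_address_probe(f):
    """The initialization check: a broadcast request whose Target Protocol Address is its own
    Sender Protocol Address and whose Target Hardware Address is all zeros."""
    return (f["opcode"] == ARP_REQUEST and f["broadcast"]
            and f["target_hw"] == b"\x00" * 6 and f["sender_ip"] == f["target_ip"])

def probe_conflict(probe, reply):
    """True when a reply answers the probe for the same IP from another MAC: the address is
    not unique and, per the appendix, the probing host does not continue to initialize IP."""
    return (is_address_probe(probe) and reply["opcode"] == ARP_REPLY
            and reply["sender_ip"] == probe["sender_ip"]
            and reply["sender_hw"] != probe["sender_hw"])

# Constructed sample: our host probes 192.168.1.10 and a different MAC answers.
OUR_MAC = bytes.fromhex("00000c112233")
OTHER_MAC = bytes.fromhex("00000c445566")
IP = bytes([192, 168, 1, 10])
PROBE = build_arp(BROADCAST, OUR_MAC, ARP_REQUEST, OUR_MAC, IP, b"\x00" * 6, IP)
REPLY = build_arp(OUR_MAC, OTHER_MAC, ARP_REPLY, OTHER_MAC, IP, OUR_MAC, IP)

if __name__ == "__main__":
    p, r = parse_arp(PROBE), parse_arp(REPLY)
    print("probe:", is_address_probe(p), "duplicate address:", probe_conflict(p, r))
```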

Establishing a TCP session

Once the target computer has been found, and NetBIOS name resolution has been accomplished, the next step in the process is to establish a TCP session. TCP sessions are established in a three step process, referred to as the TCP three-way handshake.

The first step is a session establishment frame from the source computer. This frame is 60 bytes in size. It is a directed frame at both the Ethernet and IP layers.

The remaining 24 bytes are the TCP header and data. This frame contains the following details:

  • Source Port will be a unique number generated on the source computer to reference the specific session.

  • Destination Port is TCP 139 (NetBIOS Session Service).

  • Sequence Number is a random number used to guarantee the successful transfer of data.

  • Acknowledgement Number is 0, since nothing has yet been received from the destination to acknowledge.

  • The "Synchronize sequence numbers" flag is set. This is the flag to tell the destination that a session is being requested.

  • TCP Window size is listed. Newer Microsoft clients set the TCP Window size to approximately 8K (8,192 on Windows 95 to 8,760 on Windows NT) for Ethernet.

The destination host receives the session request, and provided it is able to create another TCP session, responds with a similar frame. The response frame is 58 bytes in size, and is directed at both the Ethernet and IP layers.

The remaining 24 bytes are the TCP header and data. This frame's details are:

  • Source Port is TCP 139 (NetBIOS Session Service).

  • Destination Port is the same unique number generated by the source computer.

  • Sequence Number is a random number used to guarantee the successful transfer of data. This will not be the same number as the originator created.

  • Acknowledgement number is set to one higher than the originating host's sequence number. This tells the first host that this is the next sequence expected to be seen in this session.

  • The "Synchronize sequence numbers" flag is set. This is the flag to tell the destination that a session is being requested.

  • The "Acknowledgement field significant" bit is set. This is the acknowledgment to the originating host that the session request was received.

  • The local TCP Window size is listed.

The host that originated the session request receives the acknowledgment, and responds with one final frame. The response frame is 60 bytes in size, and is directed at both the Ethernet and IP layers.

The TCP header and data details are:

  • Source Port is the same unique number generated in the original session request.

  • Destination Port is TCP 139 (NetBIOS Session Service).

  • Sequence Number is set to the acknowledgment number from the previous frame.

  • Acknowledgement number is set to one higher than the destination host's sequence number. This indicates to the destination host the next sequence number expected to be seen in this session.

  • The "Acknowledgement field significant" bit is set. This is the acknowledgment to the target host that the session request was received.

  • TCP Window size is established for use throughout the session.

At this point, the TCP session is established, and the next phase can begin.
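As an added example (not from the original appendix), this Python checks a captured three-frame exchange against the rules given above: ports, SYN/ACK flags, the acknowledgement being one higher than the peer's sequence number, and the final frame's sequence number equalling the acknowledgement just received. The port and sequence numbers are constructed; the window sizes are the ones the appendix quotes.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10          # "Synchronize sequence numbers", "Acknowledgement field significant"
NBT_SESSION_PORT = 139         # NetBIOS Session Service

@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int

def check_handshake(syn, syn_ack, ack):
    """Apply the appendix's three-frame rules; return a list of violations (empty = consistent)."""
    problems = []
    # Frame 1: SYN only, acknowledgement number 0, aimed at the NetBIOS Session Service.
    if syn.flags != SYN:
        problems.append("frame 1: only the SYN flag should be set")
    if syn.ack != 0:
        problems.append("frame 1: acknowledgement number should be 0")
    if syn.dst_port != NBT_SESSION_PORT:
        problems.append("frame 1: destination port should be 139")
    # Frame 2: SYN+ACK, ports reversed, ack = client seq + 1, its own fresh sequence number.
    if syn_ack.flags != SYN | ACK:
        problems.append("frame 2: SYN and ACK should both be set")
    if (syn_ack.src_port, syn_ack.dst_port) != (syn.dst_port, syn.src_port):
        problems.append("frame 2: ports should be the reverse of frame 1")
    if syn_ack.ack != (syn.seq + 1) & 0xFFFFFFFF:
        problems.append("frame 2: ack should be client seq + 1")
    if syn_ack.seq == syn.seq:
        problems.append("frame 2: server should choose its own sequence number")
    # Frame 3: ACK only, seq = the ack just received, ack = server seq + 1.
    if ack.flags != ACK:
        problems.append("frame 3: only the ACK flag should be set")
    if ack.seq != syn_ack.ack:
        problems.append("frame 3: seq should equal the ack from frame 2")
    if ack.ack != (syn_ack.seq + 1) & 0xFFFFFFFF:
        problems.append("frame 3: ack should be server seq + 1")
    return problems

# Constructed sample handshake: Windows 95 client (8,192 window) to an NT server (8,760 window).
CLIENT_SYN = TcpHeader(1027, 139, 1_000_000, 0, SYN, 8192)
SERVER_SYNACK = TcpHeader(139, 1027, 2_000_000, 1_000_001, SYN | ACK, 8760)
CLIENT_ACK = TcpHeader(1027, 139, 1_000_001, 2_000_001, ACK, 8192)

if __name__ == "__main__":
    print(check_handshake(CLIENT_SYN, SERVER_SYNACK, CLIENT_ACK) or "handshake consistent")
```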

NetBIOS Session Establishment

The next step in the process of establishing a file session is to establish a NetBIOS session. This is a two frame exchange between the two hosts.

The client sends a Session Request frame that is 126 bytes in size, and is directed at both the Ethernet and IP layers.

The 20-byte TCP header looks very similar to the TCP session establishment frames. The unique item here is that the "Acknowledgement field significant" and "Push function" flags are set. This forces the destination host to act upon this frame immediately rather than buffer it, as would be normal.

The final 72 bytes contain the NBT header. It contains the following values:

  • Packet Type is set to Session Request.

  • Called Name is the destination computer name.

  • Calling Name is the local computer name.

The destination host receives this frame, and if able to establish another NetBIOS session, responds with a Positive Session Response frame. This frame is 58 bytes in size, and is directed to the client.

In the TCP header, both the "Acknowledgement field significant" and "Push function" flags are set.

The NBT header lists a Packet Type of Positive Session Response.
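As an added example (not part of the original appendix), this Python builds and parses the NBT Session Request and Positive Session Response. The Called and Calling names are carried in NetBIOS first-level encoding (32 half-ASCII characters plus a length byte and terminator each), which is why the two names and the 4-byte header come to exactly the 72 bytes quoted above; the host names NTSRV and WS95 are constructed.

```python
import struct

SESSION_REQUEST, POSITIVE_SESSION_RESPONSE = 0x81, 0x82   # NBT packet types
FILE_SERVER_SUFFIX, WORKSTATION_SUFFIX = 0x20, 0x00       # 16th byte of a NetBIOS name

def encode_netbios_name(name, suffix):
    """First-level encoding: 15 chars space-padded plus a suffix byte, each byte split into two
    nibbles offset from 'A'. Result is 1 length byte + 32 chars + 1 terminator = 34 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half_ascii = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([len(half_ascii)]) + half_ascii + b"\x00"

def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    length = encoded[0]
    chars = encoded[1:1 + length]
    raw = bytes(((chars[i] - 0x41) << 4) | (chars[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def session_request(called, calling):
    """4-byte NBT header (type, flags, big-endian length) followed by the two encoded names."""
    body = (encode_netbios_name(called, FILE_SERVER_SUFFIX)
            + encode_netbios_name(calling, WORKSTATION_SUFFIX))
    return bytes([SESSION_REQUEST, 0x00]) + struct.pack("!H", len(body)) + body

def positive_session_response():
    """The server's reply carries no body: a 4-byte header with a zero length."""
    return bytes([POSITIVE_SESSION_RESPONSE, 0x00, 0x00, 0x00])

def parse_session_request(packet):
    """Validate the header and recover the Called and Calling names."""
    ptype, length = packet[0], struct.unpack("!H", packet[2:4])[0]
    if ptype != SESSION_REQUEST or length != len(packet) - 4 or length != 68:
        raise ValueError("not a well-formed NBT Session Request")
    called, called_suffix = decode_netbios_name(packet[4:38])
    calling, calling_suffix = decode_netbios_name(packet[38:72])
    return {"called": called, "called_suffix": called_suffix,
            "calling": calling, "calling_suffix": calling_suffix}

# Constructed sample: client WS95 asks server NTSRV for its file server service.
REQUEST = session_request("NTSRV", "WS95")

if __name__ == "__main__":
    print(len(REQUEST), parse_session_request(REQUEST))   # 72 bytes, as the appendix states
```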

SMB Protocol Negotiation

The next step in the process is to agree upon, or negotiate, a common level of SMB's each host can understand. This is referred to as SMB Protocol Negotiation.

The client computer sends a directed frame to the target computer that may vary in size, depending upon the number of SMB levels understood by the client. On a Windows 95 client, this frame was 212 bytes, as it understood six SMB levels (as described below). NT 3.51 understands eight SMB levels, Windows for Workgroups five.

As with the NetBIOS Session Request, the "Acknowledgement field significant" and "Push function" flags are set in the TCP header.

The four-byte NBT header indicates this as a Session Message.

The final 154 (variable) bytes contain the SMB header with the following detail:

  • SMB Command is negotiate.

  • Dialect Strings Understood lists all the SMB levels that the client computer supports. The list for Windows 95 includes:

    • PC Network Program 1.0

    • Microsoft Networks 3.0

    • DOS LM1.2x002

    • DOS LANMAN2.1

    • Windows for Workgroups 3.1a

    • NT LM 0.12

The target host will then pick the highest SMB level understood by both itself and the client computer, and respond to the negotiation request with a frame containing the following details:

  • 138 - 152 bytes in size, depending upon enhanced SMB capabilities, such as understanding long file names, extended attributes, and so on.

  • "Acknowledgement field significant" and "Push function" flags are set in the TCP header.

  • NBT header indicates this as a Session Message.

The remainder of the frame is the SMB header. It contains:

  • A "Server response" flag set.

  • SMB Command of negotiate.

  • Protocol Index of 5.

The protocol index of 5 indicates that the server (a Windows NT Server 3.51 computer) will use NT LM 0.12 SMB dialects (commands) with the Windows 95 client computer.
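As an added example (not from the original appendix), this Python assembles the SMB negotiate request for the six Windows 95 dialects listed above, wraps it in the NBT Session Message header, and shows how the server's choice of the highest common dialect yields Protocol Index 5. The 32-byte header plus WordCount, ByteCount and the six NUL-terminated dialect strings total the 154 bytes quoted above. The NT server's dialect list is a constructed assumption, since the appendix does not enumerate NT 3.51's eight dialects.

```python
import struct

SMB_COM_NEGOTIATE = 0x72
FLAGS_SERVER_RESPONSE = 0x80        # the "Server response" bit in the SMB header Flags byte
NBT_SESSION_MESSAGE = 0x00

# The six dialects the appendix lists for the Windows 95 client, in the order sent.
WINDOWS95_DIALECTS = ["PC Network Program 1.0", "Microsoft Networks 3.0", "DOS LM1.2x002",
                      "DOS LANMAN2.1", "Windows for Workgroups 3.1a", "NT LM 0.12"]
# Constructed server list (ordered oldest to newest). LANMAN1.0 and LM1.2X002 are real dialect
# strings, but the appendix does not give NT 3.51's exact eight, so treat this as an assumption.
NT_SERVER_DIALECTS = ["PC Network Program 1.0", "Microsoft Networks 3.0", "LANMAN1.0", "DOS LM1.2x002",
                      "LM1.2X002", "DOS LANMAN2.1", "Windows for Workgroups 3.1a", "NT LM 0.12"]

def smb_header(command, flags=0):
    """32-byte SMB header: \\xffSMB, Command, Status, Flags, Flags2, PIDHigh, SecuritySignature,
    Reserved, TID, PIDLow, UID, MID (little-endian; everything but Command and Flags zero here)."""
    return (b"\xffSMB" + bytes([command]) + struct.pack("<I", 0) + bytes([flags])
            + struct.pack("<HH", 0, 0) + b"\x00" * 8 + b"\x00" * 2 + struct.pack("<HHHH", 0, 0, 0, 0))

def negotiate_request(dialects):
    """Header, WordCount 0, ByteCount, then each dialect as 0x02 + string + NUL."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return smb_header(SMB_COM_NEGOTIATE) + bytes([0]) + struct.pack("<H", len(data)) + data

def negotiate_response(dialect_index):
    """Minimal response: Server response flag, WordCount 1, the chosen DialectIndex, ByteCount 0.
    A real NT LM 0.12 response carries more parameter words (the appendix's 138 to 152 byte frames)."""
    return (smb_header(SMB_COM_NEGOTIATE, FLAGS_SERVER_RESPONSE) + bytes([1])
            + struct.pack("<H", dialect_index) + struct.pack("<H", 0))

def session_message(smb):
    """Wrap an SMB in the 4-byte NBT Session Message header (type 0, flags, big-endian length)."""
    return bytes([NBT_SESSION_MESSAGE, 0x00]) + struct.pack("!H", len(smb)) + smb

def choose_dialect(client_dialects, server_dialects):
    """Pick the newest dialect both sides understand; return its index in the client's list
    (0xFFFF when nothing is common)."""
    for d in reversed(server_dialects):
        if d in client_dialects:
            return client_dialects.index(d)
    return 0xFFFF

if __name__ == "__main__":
    req = negotiate_request(WINDOWS95_DIALECTS)
    idx = choose_dialect(WINDOWS95_DIALECTS, NT_SERVER_DIALECTS)
    print(len(req), len(session_message(req)), idx)   # 154 158 5
```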

Connection Sequence

The final step in the process of a file session connection is the actual connection request and response. This entire exchange should be three frames, though if using File Manager, and automatically opening a window for the connected drive, many more frames will be used to display the contents of the remote resource.

The first frame is an SMB Session Setup frame. It will vary in size, depending upon the target computer name and share name being connected to, and the appropriate SMB capabilities. A ten character computer name and a six character share name yielded a 224 byte directed request from the Windows 95 client computer to the Windows NT Server 3.51 server computer.

The "Acknowledgement field significant" and "Push function" flags are set in the TCP header, and the NBT header indicates this as a Session Message.

The final portion of the frame is the SMB header, and provides the command and data necessary for the connection request. This includes:

  • SMB Command of "session setup & X".

  • Account Name of the user logged on at the client computer.

  • Domain Name lists the domain the user account is a member of.

  • Native OS displays the version of the operating system on the client. This appears as Windows 4.0 for Windows 95, Windows 3.1 for Windows for Workgroups, and Windows NT 1057 for Windows NT 3.51.

  • Native Lanman displays the network operating system of the client. This is listed as Windows 4.0, Windows for Workgroups 1.0, and Windows NT 3.51 respectively.

  • Another SMB Command of "tree connect & X".

  • Path Name lists the UNC path of the server and share names in the request.

A similar connection request from a Windows NT Server 3.51 computer as a client resulted in a frame that was 333 bytes in size. The increased size was due to Windows NT's support of long file names, extended attributes, and UNICODE, which are all specified in the SMB header.

The server will then respond with a SMB Session Setup Response frame. The size of this frame varies depending upon the extra attributes as described above. The response to the Windows 95 client request was 159 bytes, while the Windows NT 3.51 response was 210 bytes.

The "Acknowledgement field significant" and "Push function" flags are set in the TCP header, and the NBT header indicates this as a Session Message.

The remainder of the frame is the SMB header, and includes:

  • SMB Header that includes a Tree ID (TID) and a User ID (UID) for the connection.

  • SMB "Server response" flag is set.

  • SMB Command of "session setup & X".

  • Native OS displays the version of the operating system on the server, in this case, Windows NT 3.51.

  • Native Lanman displays the network operating system of the server, in this case, Windows NT 3.51.

  • Domain Name lists the domain the user account is a member of.

  • Another SMB Command of "tree connect & X".

  • Native FS lists the file system of the connected drive, such as FAT, or CDFS.

The final frame in the sequence is a TCP Acknowledgement frame to acknowledge the connection at the client. This frame is 60 bytes in size, and has the "Acknowledgement field significant" flag set in the TCP header.

Once the connection has been established, any further network traffic generated will be a result of a directory being displayed, data files being accessed, programs launched, etc.

Delivery Tips

Display frames 15-19 in "NETUSE.CAP".

Disconnecting a Session

Network traffic is also generated when a session is terminated. When a user initiates the closing of a session, the following exchange of frames occurs.

The SMB Tree Disconnect message is contained in a 93 byte directed frame.

The "Acknowledgement field significant" and "Push function" flags are set in the TCP header, and the NBT header indicates this as a Session Message.

The remainder of the frame (35 bytes) is the SMB header, and includes:

  • SMB Header that includes a Tree ID (TID) and a User ID (UID) for the connection to be terminated.

  • SMB Command of "tree disconnect".

The server then responds with a frame that is identical, with the SMB Server Response flag set to indicate it has terminated the session.

If there are still other connections active between the two hosts, then the client replies to the server with a TCP Acknowledgement frame. This frame is 60 bytes in size, and has the "Acknowledgement field significant" bit set for the appropriate Source port and Sequence number.

If this is the last connection using that NetBIOS session, the TCP session will be terminated at this time also. This occurs using a three packet exchange.

The first frame in the sequence is 60 bytes in size, and directed from the client to the server.

In the TCP header, the following details are important:

  • Source Port is the same random port that the initial session was established with.

  • The Destination Port is 139 (NetBIOS Session Service).

  • The "Acknowledgement field significant" flag is set.

  • The "No more data from sender" flag is set. This flag is also called the "Finish" bit.

The server responds with a 54 byte frame to the client that contains the following information in the TCP header:

  • Source Port is 139 (NetBIOS Session Service).

  • The Destination Port is the same as the Source port on the client.

  • The "Acknowledgement field significant" flag is set.

  • The "No more data from sender" flag is set.

The client then responds with one final packet, this one with the same basic properties, with the exception that the "No more data from sender" flag is not set. At this point, the session has been terminated. Any new connection attempt from the client to the server would require a new TCP session to be established before a new NetBIOS session and drive redirection could occur.