This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Windows file sharing protocol

0

I understand the capture of a ftp as it uses tcp handshake to setup the communication. But for Windows file sharing, like copy a file from the server to the PC via the WAN. I am not sure what is a normal traffic pattern for Windows copy.

  • Is there a Wireshark trace file of a normal behavior of a Windows copy file?
  • What protocol does Windows copy uses? What CIFS, SMB, and NBSS?

Thanks

asked 05 Dec '12, 10:36

character9's gravatar image

character9
16101012
accept rate: 0%


2 Answers:

0

What protocol does Windows copy uses? What CIFS, SMB, and NBSS?

Could be CIFS/SMB, NFS (if configured) or even WebDAV (if configured). It all depends on the configuration of the systems and how you access the remote file system.

Please read the following to understand how CIFS is related to SMB (and vice versa).

http://msdn.microsoft.com/en-us/library/cc246232%28v=prot.20%29.aspx
http://msdn.microsoft.com/en-us/library/ee441901%28v=prot.20%29.aspx

A bit technical, but ... ;-)

Is there a Wireshark trace file of a normal behavior of a Windows copy file?

Please check out the Wireshark Sample captures. Search for SMB or CIFS.

http://wiki.wireshark.org/SampleCaptures

Maybe you'll find something here:

https://www.openpacket.org/capture/by_tag?tag=smb

Regards
Kurt

answered 05 Dec '12, 11:45

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

I will take a look at that in more details. But I am having a very slow response while copying files from the server to the PC over the MPLS Wan. It is taking 2 days for a 300mb file to copy from the server to the PC. I looked at the captured files and it using SMB. But from what I noticed, I have many duplicate ACK and a lot of NBSS before the actual transfer of the file. Any help will be appreciated. Thx

(06 Dec '12, 12:31) character9

If "a lot of NBSS" means "a lot of frames marked as NBSS rather than as SMB", those are probably either retransmissions or the result of frames either being lost or not getting captured - the latter would just be a problem with the machine running the capture program not handling incoming packets well enough, but the former could be the result of a networking issue.

(06 Dec '12, 12:37) Guy Harris ♦♦

O.K. if it's SMB, please run the Response time stats and post the screenshot here.

Statistics -> Service Response Time -> SMB

regarding the slow response time. Can you please give some more details.

  • do you have the same problem with other protocols (HTTP, FTP download)
  • is there a VPN involved (IPSEC)?
  • is there any QoS or WAN accelerator device involved?
  • what is the RTT over the MPLS (ping)?
(06 Dec '12, 14:44) Kurt Knochner ♦

0

What protocol does Windows copy uses? What CIFS, SMB, and NBSS?

For "Windows file sharing", it's probably CIFS/SMB; they're really the same thing, just different names. It was originally called SMB (Server Message Block); there was an attempt to standardize it as the Common Internet File System, as a file system for use over the Internet (at about the same time that Sun was promoting WebNFS as "NFS for the Internet"), but it's really all the same thing.

NBSS is the NetBIOS Session Service, as defined in RFC 1001 and RFC 1002. SMB ran atop the NetBIOS services and thus atop the protocols that provide them, including but not limited to the NetBIOS-over-TCP NBSS protocol. Later, the encapsulation of SMB packets over a TCP stream used by NBSS was simplified (by removing all the connection-setup mechanism) and used for a direct encapsulation of SMB over TCP; NBSS ran over TCP port 139, and SMB-over-TCP ran over TCP port 445.

So you're probably either seeing SMB/CIFS-over-NBSS (and thus over TCP) or SMB/CIFS-over-TCP - in current versions of Windows, it's probably SMB/CIFS-over-TCP.

There's a newer "SMB2" protocol, which I think first appeared in Windows Vista and the server equivalent, which would be used between clients and servers that both support SMB2. Wireshark dissects both SMB and SMB2, and both SMB/CIFS-over-TCP and SMB/CIFS-over-NBSS.

answered 05 Dec '12, 15:04

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%