Understanding Windows Server 2008 DFS-N by analyzing network traces

1 – Overview

This blog post details the behavior of Windows Server 2008 DFS-N (Distributed File System - Namespaces) clients by looking at network traces.
The main goal here is to show the interaction between a DFS-N client, a domain controller, a namespace server and a file server.
These traces were taken using Network Monitor 3.3 beta from a set of isolated computers in a domain.
To understand this post, you need some familiarity with common protocols like ARP, ICMP, TCP and DNS.
At least a basic understanding of more sophisticated protocols like SMB and Kerberos is also helpful.

2 – The environment

There are 4 computers in this environment, as described below.

#  Name  FQDN              IP        Role                               Details
1  DC    DC.josebda.local  10.1.1.1  DNS, Domain Controller             DNS server for zone josebda.local; only DC for the josebda.local domain
2  NS    NS.josebda.local  10.1.1.2  File Server, DFS Namespace Server  Hosts namespace \\josebda\NS1, which includes a folder \\josebda\NS1\Folder1; the target for that folder is \\fs.josebda.local\Share1
3  FS    FS.josebda.local  10.1.1.3  File Server                        Hosts the share \\fs.josebda.local\Share1
4  CL    CL.josebda.local  10.1.1.4  Client                             Where the command lines are run; running Network Monitor

All computers in this setup are running Windows Server 2008 Enterprise Edition (with Service Pack 2 RC).
All command lines and traces are from the point of view of the client (CL.josebda.local or 10.1.1.4).

3 – Cleaning up the caches

In order to clean all the related caches before each trace, I used a series of commands on the client:

  • To clear the DFS-N domain cache: DFSUTIL cache domain flush
  • To clear the DFS-N referral cache: DFSUTIL cache referral flush
  • To clear the cached Kerberos tickets: KLIST purge
  • To clear the DNS cache: IPCONFIG /flushdns
  • To clear the ARP cache: ARP -d *

Note that each of the commands clears a different kind of cache.

4 – Warming up with a ping by DNS name

This first trace shows a ping of the file server by the client, using the file server name.
This is a simple one, just to get you started with the format. It uses the ARP, DNS and ICMP protocols.
This involves the client (CL), the DNS server (DC) and the file server (FS).

First, here is the actual command used and its output.

C:\Users\administrator>ping fs.josebda.local

Pinging fs.josebda.local [10.1.1.3] with 32 bytes of data:
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\administrator>

Next, here is the summary of the NetMon trace. The numbered lines (4.1, 4.2, ...) are my comments on each step; under each one are the frames themselves, listed as From, To, Protocol and Details.

From To Protocol Details
4.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
4.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3 (DC queries ARP back to CL)
CL DC DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Query  for fs.josebda.local of type Host Addr on class Internet
DC CL ARP ARP:Request, 10.1.1.1 asks for 10.1.1.4
CL DC ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
DC CL DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Response - Success, 10.1.1.3
4.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
4.4. CL pings 10.1.1.3 four times (first time, FS queries ARP back to CL)
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

Last, here is a sample NetMon screenshot. You can see the details of the DNS query response frame:

[Screenshot DFSNM1: NetMon frame details of the DNS query response]

5 – Querying the file server directly

This trace is more interesting, showing an SMB client enumerating a folder on a file server.
Note that, in this case, we are not actually using a DFS namespace yet.
You will be exposed to a larger set of protocols this time, including SMB and Kerberos.
Now there will be three computers involved: the client (CL), the file server (FS) and the domain controller (DC).

First, here is the actual command used and its output.

C:\Users\administrator>dir \\fs.josebda.local\share1
 Volume in drive \\fs.josebda.local\share1 has no label.
 Volume Serial Number is 68CD-6098

 Directory of \\fs.josebda.local\share1

04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace. The numbered lines (5.1, 5.2, ...) are my comments on each step; under each one are the frames themselves, listed as From, To, Protocol and Details.

From To Protocol Details
5.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
5.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3
CL DC DNS DNS:QueryId = 0x5667, QUERY (Standard query), Query  for fs.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x5667, QUERY (Standard query), Response - Success, 10.1.1.3
5.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
5.4. CL negotiates a TCP session with FS on port 445 (SMB)
CL FS TCP TCP:Flags=......S., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114495, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516548, Ack=892114496, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114496, Ack=1956516549, Win=513 (scale factor 0x8) = 131328
5.5. CL and FS negotiate an SMB session (note that FS offers SMB2 and CL takes it)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
5.6. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authentication for the domain (the AS exchange for a TGT).
CL DC TCP TCP:Flags=......S., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451346, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134793418, Ack=1788451347, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451347, Ack=4134793419, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=51, Seq=4134794879 - 4134794930, Ack=1788451665, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=0 (scale factor 0x8) = 0
5.7. CL requests a Kerberos service ticket to present to FS.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892024, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555248, Ack=3552892025, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892025, Ack=1290555249, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555249, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=118, Seq=1290556709 - 1290556827, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
5.8. The SMB session is set up (while the last ACKs from the DC are still coming)
CL FS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516789, Ack=892116277, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
5.9. CL connects to the \\fs.josebda.local\IPC$ tree and asks for a DFS referral for \\fs.josebda.local\share1. Note the error code 412 (STATUS_FS_DRIVER_REQUIRED), telling us that FS is not a DFS server, just a regular file server.
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\fs.josebda.local\IPC$, Mid = 2
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS DFS DFS:Get DFS Referral Request, FileName: \fs.josebda.local\share1, MaxReferralLevel: 4
FS CL SMB2 SMB2:R , Mid = 3 - NT Status: System - Error, Code = (412) STATUS_FS_DRIVER_REQUIRED
5.10. CL connects to the \\fs.josebda.local\share1 tree and gets all the information required by the DIR command (note that SMB2 CREATE is used as “OPEN”)
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\fs.josebda.local\share1, Mid = 4
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x5, Mid = 4
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 5
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 5
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 6
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 6
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 8
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 8
CL FS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 11
FS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 11
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 12
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 12
5.11. CL disconnects from both trees, logs off SMB2, closes the TCP session with FS
CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117764, Ack=1956518678, Win=512 (scale factor 0x8) = 131072
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 13
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 13
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x5, Mid = 14
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 14
CL FS SMB2 SMB2:C  LOGOFF (0x2), Mid = 15
FS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 15
CL FS TCP TCP:Flags=...A...F, SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117980, Ack=1956518894, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=512 (scale factor 0x8) = 131072
CL FS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117981, Ack=1956518894, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=0

6 – Querying only the DFS namespace

This trace now uses a DFS namespace.
In this case, we’re querying just the namespace itself, not following any links in the namespace.
Now we are working with the client (CL), the domain controller (DC) and the namespace server (NS).

First, here is the actual command used and its output.

C:\Users\administrator>dir \\josebda.local\ns1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB

 Directory of \\josebda.local\ns1

04/10/2009  10:08 PM    <DIR>          .
04/10/2009  10:08 PM    <DIR>          ..
04/10/2009  10:08 PM    <DIR>          Folder1
               0 File(s)              0 bytes
               3 Dir(s)  11,448,500,224 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace. The numbered lines (6.1, 6.2, ...) are my comments on each step; under each one are the frames themselves, listed as From, To, Protocol and Details.

From To Protocol Details
6.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
6.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x7447, QUERY (Standard query), Query  for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x7447, QUERY (Standard query), Response - Success, 10.1.1.1
6.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=......S., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594720, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848417, Ack=1570594721, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594721, Ack=1429848418, Win=513 (scale factor 0x8) = 131328
6.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
6.5. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authentication for the domain (the AS exchange for a TGT).
CL DC TCP TCP:Flags=......S., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627845, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225518474, Ack=1221627846, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627846, Ack=4225518475, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=51, Seq=4225519935 - 4225519986, Ack=1221628164, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
6.6. CL requests a Kerberos service ticket to present to DC.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068782, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883192, Ack=4290068783, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068783, Ack=3286883193, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883193, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=118, Seq=3286884653 - 3286884771, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
6.7. CL asks DC for another Kerberos ticket
CL DC TCP TCP:Flags=......S., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990730, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502819863, Ack=341990731, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990731, Ack=2502819864, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=...A...F, SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341992176, Ack=2502821322, Win=507 (scale factor 0x8) = 129792
6.8. The SMB session with DC is set up (while the last ACKs from the DC are still coming)
CL DC SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848658, Ack=1570597908, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
6.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for “josebda.local”, then “\josebda.local\ns1”
CL DC SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849264, Ack=1570598348, Win=511 (scale factor 0x8) = 130816
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
6.10. CL now knows that it needs to talk to “ns.josebda.local”. It queries DNS to find that its address is 10.1.1.2, then ARPs for it
CL DC DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Query  for NS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Response - Success, 10.1.1.2
CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04
6.11. CL negotiates a TCP session with NS on port 445 (SMB)
CL NS TCP TCP:Flags=......S., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345207, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42140879, Ack=869345208, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345208, Ack=42140880, Win=513 (scale factor 0x8) = 131328
6.12. CL negotiates an SMB session with NS (selects the SMB2 dialect)
CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0
6.13. CL requests a Kerberos service ticket to present to NS.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527949, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299011, Ack=1328527950, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527950, Ack=1914299012, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299012, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=118, Seq=1914300472 - 1914300590, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328
6.14. The SMB session with NS is set up (while the last ACKs from the DC are still coming)
CL NS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42141120, Ack=869346989, Win=513 (scale factor 0x8) = 131328
NS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
6.15. CL connects to the \\ns\NS1 tree, opens the \NS\ns1 namespace and its links, and queries information (note that SMB2 CREATE is also used as “OPEN”)
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#380, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL NS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 4
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 6
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#386, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 7
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000005, Mid = 10
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 10
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#390, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 11
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000009, Mid = 11
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000009, Mid = 13
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 13
6.16. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS
CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598348, Ack=1429849514, Win=509 (scale factor 0x8) = 130304
CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348640, Ack=42143344, Win=510 (scale factor 0x8) = 130560
CL DC SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 5
CL DC SMB2 SMB2:C  LOGOFF (0x2), Mid = 6
DC CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 6
CL NS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 14
CL DC TCP TCP:Flags=...A...F, SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598492, Ack=1429849658, Win=508 (scale factor 0x8) = 130048
NS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 14
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=511 (scale factor 0x8) = 130816
CL NS SMB2 SMB2:C  LOGOFF (0x2), Mid = 15
CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598493, Ack=1429849658, Win=0 (scale factor 0x8) = 0
DC CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=0
NS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 15
CL NS TCP TCP:Flags=...A...F, SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348784, Ack=42143488, Win=510 (scale factor 0x8) = 130560
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42143488, Ack=869348785, Win=512 (scale factor 0x8) = 131072
CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348785, Ack=42143488, Win=0 (scale factor 0x8) = 0

Last, here is a sample NetMon screenshot. Here we see the details of the DFS referral response (the second one in 6.9), with the frame details showing that josebda.local\ns1 is actually handled by \ns\ns1. See also that the referral has a time-to-live (how long it should be kept in the cache).

[Screenshot DFSNM2: NetMon frame details of the DFS referral response]
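As an added example (not code from the original post), here is a small Python encoder/decoder for the DFS referral response seen in 6.9, following the MS-DFSC layout of RESP_GET_DFS_REFERRAL and v3/v4 referral entries; the sample path, target and TTL value are constructed to mirror the trace, not taken from the captured frames. It also shows how the client rewrites \josebda.local\ns1\folder1 into the target path using PathConsumed (what happens in 6.10), and how TimeToLive governs reuse of the cached referral that DFSUTIL cache referral flush discards.

```python
"""Build and parse a DFS referral response (MS-DFSC RESP_GET_DFS_REFERRAL with
v3/v4 entries), then resolve a UNC path through it the way a DFS-N client does."""
import struct

# RESP_GET_DFS_REFERRAL header: PathConsumed (2), NumberOfReferrals (2), ReferralHeaderFlags (4)
HEADER = struct.Struct("<HHI")
# Fixed head of a v3/v4 entry: VersionNumber, Size, ServerType, ReferralEntryFlags (2 each), TimeToLive (4)
ENTRY_HEAD = struct.Struct("<HHHHI")
# Tail when NameListReferral is clear: DFSPathOffset, DFSAlternatePathOffset,
# NetworkAddressOffset (2 each) and a 16-byte ServiceSiteGuid
ENTRY_TAIL = struct.Struct("<HHH16s")
ENTRY_SIZE = ENTRY_HEAD.size + ENTRY_TAIL.size  # 34 bytes, as MS-DFSC specifies for v3/v4

REFERRAL_SERVERS = 0x0001     # ReferralHeaderFlags: targets are DFS root targets
STORAGE_SERVERS = 0x0002      # ReferralHeaderFlags: targets hold the storage
SERVER_TYPE_ROOT = 0x0001     # ServerType: root target (0 = link target)
NAME_LIST_REFERRAL = 0x0002   # ReferralEntryFlags: domain/DC name list, not a path target
TARGET_SET_BOUNDARY = 0x0004  # ReferralEntryFlags (v4): first target of a target set


def _utf16z(text):
    """Strings on the wire are null-terminated UTF-16LE."""
    return text.encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(data, start):
    end = start
    while True:
        if end + 2 > len(data):
            raise ValueError("unterminated string in referral")
        if data[end:end + 2] == b"\x00\x00":
            return data[start:end].decode("utf-16-le")
        end += 2


def build_referral_response(dfs_path, targets, ttl_seconds, version=4,
                            server_type=SERVER_TYPE_ROOT):
    """Encode one response with one referral entry per target.

    String offsets inside an entry are relative to that entry's own start,
    so the shared DFS path string gets a different offset in every entry.
    """
    n = len(targets)
    strings_start = HEADER.size + n * ENTRY_SIZE
    strings = bytearray()
    dfs_pos = strings_start
    strings += _utf16z(dfs_path)
    net_pos = []
    for target in targets:
        net_pos.append(strings_start + len(strings))
        strings += _utf16z(target)

    # PathConsumed counts bytes (not characters) of the request path covered.
    out = bytearray(HEADER.pack(len(dfs_path) * 2, n, REFERRAL_SERVERS | STORAGE_SERVERS))
    for i in range(n):
        base = HEADER.size + i * ENTRY_SIZE
        flags = TARGET_SET_BOUNDARY if (version == 4 and i == 0) else 0
        out += ENTRY_HEAD.pack(version, ENTRY_SIZE, server_type, flags, ttl_seconds)
        # No 8.3 alternate path here, so DFSAlternatePath points at the same string.
        out += ENTRY_TAIL.pack(dfs_pos - base, dfs_pos - base, net_pos[i] - base, b"\x00" * 16)
    out += strings
    return bytes(out)


def parse_referral_response(data):
    """Decode the header and every v3/v4 path referral entry."""
    path_consumed, count, header_flags = HEADER.unpack_from(data, 0)
    referrals = []
    off = HEADER.size
    for _ in range(count):
        version, size, server_type, entry_flags, ttl = ENTRY_HEAD.unpack_from(data, off)
        if version < 3 or entry_flags & NAME_LIST_REFERRAL:
            raise ValueError("this example only decodes v3/v4 path referrals")
        dfs_off, _alt_off, net_off, _guid = ENTRY_TAIL.unpack_from(data, off + ENTRY_HEAD.size)
        referrals.append({
            "version": version,
            "ttl": ttl,
            "is_root": bool(server_type & SERVER_TYPE_ROOT),
            "dfs_path": _read_utf16z(data, off + dfs_off),
            "target": _read_utf16z(data, off + net_off),
        })
        off += size
    return {"path_consumed": path_consumed, "flags": header_flags, "referrals": referrals}


def resolve_through_referral(requested_path, parsed, index=0):
    """Replace the consumed prefix with the referral target, e.g.
    \\josebda.local\\ns1\\folder1 -> \\NS\\ns1\\folder1 (what CL does in 6.10)."""
    consumed_chars = parsed["path_consumed"] // 2
    entry = parsed["referrals"][index]
    if requested_path[:consumed_chars].lower() != entry["dfs_path"].lower():
        raise ValueError("referral does not cover the requested path")
    return entry["target"] + requested_path[consumed_chars:]


def referral_is_fresh(entry, received_at, now):
    """A cached referral is reusable until its TimeToLive (seconds) elapses."""
    return now - received_at < entry["ttl"]


if __name__ == "__main__":
    # Constructed to mirror 6.9: \josebda.local\ns1 is served by \NS\ns1 (TTL is made up).
    wire = build_referral_response("\\josebda.local\\ns1", ["\\NS\\ns1"], ttl_seconds=300)
    parsed = parse_referral_response(wire)
    print(parsed)
    print(resolve_through_referral("\\josebda.local\\ns1\\folder1", parsed))
```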

7 – Finally, looking at the file server via the DFS namespace

This is the final and most complex of the traces here. We’re listing details about a file inside a link in a namespace.
This time we’re involving the client (CL), the domain controller (DC), the namespace server (NS) and the file server (FS).

First, here is the actual command used and its output.

C:\Users\administrator>dir \\josebda.local\ns1\folder1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB

 Directory of \\josebda.local\ns1\folder1

04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace. The numbered lines (7.1, 7.2, ...) are my comments on each step; under each one are the frames themselves, listed as From, To, Protocol and Details.

From To Protocol Details
7.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
7.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Query  for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Response - Success, 10.1.1.1
7.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=......S., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427785, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692608, Ack=1348427786, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427786, Ack=806692609, Win=513 (scale factor 0x8) = 131328
7.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
7.5. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authentication for the domain (the AS exchange for a TGT).
CL DC TCP TCP:Flags=......S., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774373, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481525383, Ack=2790774374, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774374, Ack=2481525384, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation to #451]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=51, Seq=2481526844 - 2481526895, Ack=2790774692, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
7.6. CL requests a Kerberos service ticket to present to DC.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473064, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552186, Ack=1217473065, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473065, Ack=51552187, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552187, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #462]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=118, Seq=51553647 - 51553765, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
7.7. CL sends the DC a second TGS request, this time with krbtgt/JOSEBDA.LOCAL as the service name (a TGT obtained through the TGS exchange rather than the AS exchange)
CL DC TCP TCP:Flags=......S., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120000, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=0 (scale factor 0x8) = 0
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880462364, Ack=2381120001, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120001, Ack=1880462365, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=...A...F, SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381121446, Ack=1880463823, Win=507 (scale factor 0x8) = 129792
7.8. SMB session with DC is set up, using the cifs/DC.josebda.local ticket (while the last ACKs from the DC's Kerberos connection are still arriving)
CL DC SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692849, Ack=1348430973, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.9. CL connects to tree \\dc.josebda.local\IPC$ and asks DFS for two referrals: first a domain referral for "josebda.local", then a namespace root referral for "\josebda.local\ns1"
CL DC SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.11. CL now knows that it needs to talk to "ns.josebda.local". It queries DNS to find that the address is 10.1.1.2, then resolves the MAC address via ARP
CL DC DNS DNS:QueryId = 0xA941, QUERY (Standard query), Query  for NS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0xA941, QUERY (Standard query), Response - Success, 10.1.1.2
CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04
7.12. CL negotiates a TCP session with NS on port 445 (SMB)
CL NS TCP TCP:Flags=......S., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429650, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553199, Ack=1616429651, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429651, Ack=802553200, Win=513 (scale factor 0x8) = 131328
7.13. CL negotiates the SMB dialect with NS (the client offers the SMB1 dialects plus SMB 2.002; the server answers with an SMB2 NEGOTIATE response)
CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0
7.14. CL requests a Kerberos service ticket for cifs/NS.josebda.local, to present to NS when it sets up the SMB session
CL DC TCP TCP:Flags=......S., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167390, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096963, Ack=2584167391, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167391, Ack=2711096964, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096964, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #499]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=118, Seq=2711098424 - 2711098542, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
7.15. SMB session with NS is set up (while the last ACKs from the DC's Kerberos connection are still arriving)
CL NS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553440, Ack=1616431432, Win=513 (scale factor 0x8) = 131328
NS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.16. CL connects to tree \\NS\NS1, opens josebda.local\ns1 and queries its volume information, then tries to open josebda.local\ns1\folder1. The last response fails with STATUS_PATH_NOT_COVERED (0xC0000257; NetMon shows only the low 16 bits, 599): folder1 is a DFS link, so the namespace server does not serve it itself and the client must ask for a referral
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#510, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL NS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 4
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 6
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1\folder1@#516, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED
7.17. CL connects to tree \\ns\IPC$, asks DFS for a referral for “\NS\ns1\folder1”  (note via ARP that NS talks to the DC)
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\IPC$, Mid = 8
NS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x5, Mid = 8
CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4
NS DC ARP ARP:Request, 10.1.1.2 asks for 10.1.1.1
DC NS ARP ARP:Request, 10.1.1.1 asks for 10.1.1.2
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431413, Ack=806693705, Win=509 (scale factor 0x8) = 130304
NS CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.18. CL now knows that it needs to talk to "fs.josebda.local". It queries DNS to find that the address is 10.1.1.3, then resolves the MAC address via ARP
CL DC DNS DNS:QueryId = 0x9848, QUERY (Standard query), Query  for FS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x9848, QUERY (Standard query), Response - Success, 10.1.1.3
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
7.19. CL negotiates a TCP session with FS on port 445 (SMB). Note the ARP back from FS, since it’s the first time it talks to CL
CL FS TCP TCP:Flags=......S., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020583, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428157, Ack=3441020584, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020584, Ack=109428158, Win=513 (scale factor 0x8) = 131328
7.20. CL negotiates the SMB dialect with FS (the server again selects SMB2)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
7.21. CL requests a Kerberos service ticket for cifs/FS.josebda.local, to present to FS when it sets up the SMB session
CL DC TCP TCP:Flags=......S., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214818, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378401, Ack=4155214819, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214819, Ack=938378402, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378402, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #543]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=118, Seq=938379862 - 938379980, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
7.22. SMB session with FS is set up (while the last ACKs from the DC's Kerberos connection are still arriving)
CL FS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428398, Ack=3441022365, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.23. CL connects to tree \\FS.josebda.local\Share1 (the folder target from the link referral), opens the folder and the file, and queries information (note that SMB2 CREATE is also used as "OPEN")
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 4
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 4
CL FS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 7
FS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 7
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000005, Mid = 8
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 8
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 10
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 10
7.24. CL disconnects from the trees, logs off the SMB2 sessions and closes the TCP connections with DC, NS and FS
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432609, Ack=802554785, Win=513 (scale factor 0x8) = 131328
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023554, Ack=109430126, Win=511 (scale factor 0x8) = 130816
CL DC SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 5
CL DC SMB2 SMB2:C  LOGOFF (0x2), Mid = 6
DC CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 6
CL NS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x5, Mid = 10
CL DC TCP TCP:Flags=...A...F, SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431557, Ack=806693849, Win=508 (scale factor 0x8) = 130048
NS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 10
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806693849, Ack=1348431558, Win=511 (scale factor 0x8) = 130816
CL NS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431558, Ack=806693849, Win=0 (scale factor 0x8) = 0
NS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 11
CL NS SMB2 SMB2:C  LOGOFF (0x2), Mid = 12
NS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 12
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL NS TCP TCP:Flags=...A...F, SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432825, Ack=802555001, Win=512 (scale factor 0x8) = 131072
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=507 (scale factor 0x8) = 129792
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 11
CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432826, Ack=802555001, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=0
CL FS SMB2 SMB2:C  LOGOFF (0x2), Mid = 12
FS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 12
CL FS TCP TCP:Flags=...A...F, SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023698, Ack=109430270, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=508 (scale factor 0x8) = 130048
FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=0 (scale factor 0x8) = 0

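To make the walk in steps 7.9 to 7.23 explicit, here is an added Python model of the client side. It is my own example, not the Windows DFS client and not code from the original post. It takes its topology from the environment table at the top of the post and assumes: the client asks its logon DC (dc.josebda.local) for the domain referral, a fixed 300-second cache TTL instead of the TTL carried in each referral, and no Kerberos, DNS or TCP traffic at all. The two caches mirror what `DFSUTIL cache domain flush` and `DFSUTIL cache referral flush` clear, so you can see which exchanges disappear from the wire once the referrals are cached and which come back after each flush.

```python
import time

# Constructed topology, taken from the environment table at the top of the
# post. These dicts stand in for the DC, the namespace server and the file
# server; nothing here touches the network. Paths are lowercased because
# DFS names are case-insensitive.
LOGON_DC = "dc.josebda.local"   # assumption: the DC the client located at logon
DOMAIN_REFERRALS = {"josebda.local": ["dc.josebda.local"]}       # domain -> DCs that serve root referrals
ROOT_REFERRALS = {r"\josebda.local\ns1": ["ns.josebda.local"]}   # namespace root -> root targets
LINK_REFERRALS = {(r"\josebda.local\ns1", "folder1"): [r"\\fs.josebda.local\share1"]}  # (root, link) -> folder targets

STATUS_PATH_NOT_COVERED = 0xC0000257   # NetMon prints only the low 16 bits: 599


class DfsClient:
    """Minimal model of the referral walk in steps 7.9 to 7.23 above."""

    def __init__(self, ttl=300):
        self.ttl = ttl              # assumption; a real client honours the TTL carried in each referral
        self.domain_cache = {}      # cleared by DFSUTIL cache domain flush
        self.referral_cache = {}    # cleared by DFSUTIL cache referral flush: key -> (targets, expiry)
        self.wire = []              # (server, operation, argument) for each exchange that hits the network

    def flush_domain(self):
        self.domain_cache.clear()

    def flush_referral(self):
        self.referral_cache.clear()

    def _cached(self, key):
        entry = self.referral_cache.get(key)
        return entry[0] if entry and entry[1] > time.monotonic() else None

    def _remember(self, key, targets):
        self.referral_cache[key] = (targets, time.monotonic() + self.ttl)
        return targets

    # Server side: one method per exchange type that the trace shows.
    def _domain_referral(self, domain):
        self.wire.append((LOGON_DC, "GET_DFS_REFERRAL", domain))
        return DOMAIN_REFERRALS.get(domain, [])

    def _root_referral(self, dc, root):
        self.wire.append((dc, "GET_DFS_REFERRAL", root))
        return ROOT_REFERRALS.get(root, [])

    def _open_on_root_target(self, ns, root, relative):
        self.wire.append((ns, "SMB2_CREATE", relative))
        first = relative.split("\\")[0].lower()
        # The root target serves nothing below a link itself: it answers
        # STATUS_PATH_NOT_COVERED and the client has to ask for a referral.
        return STATUS_PATH_NOT_COVERED if (root, first) in LINK_REFERRALS else 0

    def _link_referral(self, ns, root, link):
        # As in step 7.17, the request names the root target (\NS\ns1\folder1), not the domain.
        short = "\\%s\\%s\\%s" % (ns.split(".")[0], root.split("\\")[-1], link)
        self.wire.append((ns, "GET_DFS_REFERRAL", short))
        return LINK_REFERRALS.get((root, link), [])

    def resolve(self, unc):
        """Map a namespace path to the SMB path the client finally opens."""
        comps = unc.strip("\\").split("\\")
        domain, root_name, rest = comps[0].lower(), comps[1].lower(), comps[2:]
        root = "\\%s\\%s" % (domain, root_name)

        # Step 7.9, first referral: which DCs know this domain's namespaces?
        if domain not in self.domain_cache:
            self.domain_cache[domain] = self._domain_referral(domain)
        dc = self.domain_cache[domain][0]

        # Step 7.9, second referral: which servers host the namespace root?
        root_targets = self._cached(root) or self._remember(root, self._root_referral(dc, root))
        ns = root_targets[0]

        # Steps 7.16 and 7.17: open on the root target; a link answers
        # STATUS_PATH_NOT_COVERED, so fetch and cache the link referral.
        link_key = (root, rest[0].lower()) if rest else None
        folder_targets = self._cached(link_key) if link_key else None
        if folder_targets is None:
            if self._open_on_root_target(ns, root, "\\".join(rest)) == 0:
                return "\\\\%s\\%s" % (ns, root_name) + "".join("\\" + c for c in rest)
            folder_targets = self._remember(link_key, self._link_referral(ns, root, rest[0].lower()))

        # Step 7.23: from here on the client talks to the folder target directly.
        final = folder_targets[0] + "".join("\\" + c for c in rest[1:])
        self.wire.append((folder_targets[0].strip("\\").split("\\")[0], "SMB2_CREATE", final))
        return final


if __name__ == "__main__":
    client = DfsClient()
    print(client.resolve(r"\\josebda.local\NS1\Folder1"))
    for hop in client.wire:
        print(hop)
```

Run it once and `wire` holds the five exchanges of the trace (domain referral, root referral, the failed CREATE on NS, the link referral, the CREATE on FS). Resolve the same path again and only the CREATE on FS is added. After `flush_referral()` the root and link referrals come back but the domain referral does not, which is exactly the difference between the two DFSUTIL flush commands listed in section 3.

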
Last, here is a sample NetMon screenshot. I'm using it to highlight compound SMB2 requests. What you see above in step 7.23 as a simple CREATE (or OPEN) for the folder is actually a CREATE plus a couple of QUERY DIRECTORY requests. The frame details show the compound response, which means that we actually enumerated the entire folder (with just 1 file) with a single request:

[Screenshot: NetMon frame details of the compound SMB2 CREATE + QUERY DIRECTORY response from step 7.23]

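Reading the referral chain out of a capture by hand gets tedious once more than one namespace is involved. The following Python script is an added example (my own code, not part of the original post and not a Microsoft tool): it parses NetMon summary lines in the "source destination protocol description" layout used above, rebuilds the referral chain (domain, root, link), lists the cifs/ service tickets the client requested, and flags any SMB server the client connected a tree to without first asking the KDC for a ticket for it, which in a Kerberos-only environment points at NTLM or at a ticket cached before the capture started. The sample lines are copied from the trace above; the event names, regular expressions and the ticket check are my own.

```python
import re

# Constructed sample input: NetMon summary lines in the same
# "src dst protocol description" layout as the trace above. The lines are
# copied from that trace; nothing here was captured separately.
SAMPLE_TRACE = r"""
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
CL DC SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\IPC$, Mid = 8
CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4
NS CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# One (kind, regex, field extractor) per event type worth keeping; TCP, ARP
# and DNS lines match none of them and are skipped.
PATTERNS = [
    ("krb_request", re.compile(r"KerberosV5:(AS|TGS) Request.*?Sname: (\S+)"),
     lambda m: {"exchange": m.group(1), "spn": m.group(2)}),
    ("dfs_request", re.compile(r"Get DFS Referral Request, FileName: (\S+), MaxReferralLevel: (\d+)"),
     lambda m: {"name": m.group(1), "level": int(m.group(2))}),
    ("dfs_response", re.compile(r"Get DFS Referral Response, NumberOfReferrals: (\d+) VersionNumber: (\d+)"),
     lambda m: {"count": int(m.group(1)), "version": int(m.group(2))}),
    ("tree_connect", re.compile(r"TREE CONNECT \(0x3\), Path=(\S+),"),
     lambda m: {"path": m.group(1)}),
    ("nt_status", re.compile(r"NT Status: .*?Code = \((\d+)\) (\S+)"),
     lambda m: {"code": int(m.group(1)), "name": m.group(2)}),
]


def parse_trace(text):
    """Turn NetMon summary lines into typed events, in trace order."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        src, dst, _proto, desc = m.groups()
        for kind, rx, fields in PATTERNS:
            hit = rx.search(desc)
            if hit:
                events.append({"kind": kind, "src": src, "dst": dst, **fields(hit)})
                break
    return events


def referral_chain(events):
    """(requested name, responder, referral version) per request/response pair:
    the hops from the domain name down to the folder target."""
    chain, pending = [], None
    for ev in events:
        if ev["kind"] == "dfs_request":
            pending = ev
        elif ev["kind"] == "dfs_response" and pending is not None:
            chain.append((pending["name"], ev["src"], ev["version"]))
            pending = None
    return chain


def _short_host(name):
    """'NS.josebda.local' and 'NS' both become 'ns'."""
    return name.split(".")[0].lower()


def smb_servers_without_kerberos(events):
    """SMB servers the client connected a tree to without first asking the KDC
    for a cifs/<host> ticket. Empty in a healthy Kerberos-only environment; a
    hit means either NTLM was used or the ticket predates the capture."""
    ticketed, missing = set(), []
    for ev in events:
        if ev["kind"] == "krb_request" and ev["spn"].lower().startswith("cifs/"):
            ticketed.add(_short_host(ev["spn"].split("/", 1)[1]))
        elif ev["kind"] == "tree_connect":
            host = _short_host(ev["path"].lstrip("\\").split("\\")[0])
            if host not in ticketed and host not in missing:
                missing.append(host)
    return missing


def summarize(events):
    return {
        "spns": [e["spn"] for e in events if e["kind"] == "krb_request"],
        "tree_connects": [e["path"] for e in events if e["kind"] == "tree_connect"],
        "referral_chain": referral_chain(events),
        "path_not_covered": sum(1 for e in events
                                if e["kind"] == "nt_status" and e["name"] == "STATUS_PATH_NOT_COVERED"),
        "servers_without_kerberos": smb_servers_without_kerberos(events),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(key, value)
```

For a real capture, save the NetMon frame summary as text and feed it to `parse_trace` instead of `SAMPLE_TRACE`; the script only depends on the summary columns, not on the frame payloads.

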
8 – Conclusion

I hope this blog post helped you understand the behavior of DFS-N clients and encouraged you to try running Network Monitor and capturing some traces yourself.

For additional information on how DFS-N works, check these two links:
http://technet.microsoft.com/en-us/library/cc782417.aspx
http://www.snia.org/events/storage-developer2008/presentations/wednesday/DanLovingerImplementingDFSN-SDC08-v2.pdf

  • Jose Barreto has a new blog post covering details of the behavior of Windows Server 2008 DFS-N (Distributed

  • Folks, this week Jose Barreto published a very interesting article about Windows Server 2008 DFS-N