A blog by Jose Barreto, a member of the File Server team at Microsoft.
© Copyright 2004-2012 by Jose Barreto. All rights reserved.
1 – Overview
This blog post details the behavior of Windows Server 2008 DFS-N (Distributed File System - Namespaces) clients by looking at network traces. The main goal is to show the interaction between a DFS-N client, a domain controller, a namespace server and a file server. These traces were taken using Network Monitor 3.3 beta on a set of isolated computers in a domain. To understand this post, you need some familiarity with common protocols like ARP, ICMP, TCP and DNS. At least a basic understanding of more sophisticated protocols like SMB and Kerberos is also helpful.
2 – The environment
There are 4 computers in this environment, as described below.

#  Name  FQDN              IP        Role                               Details
1  DC    DC.josebda.local  10.1.1.1  DNS, Domain Controller             DNS server for the zone josebda.local; the only DC for the josebda.local domain
2  NS    NS.josebda.local  10.1.1.2  File Server, DFS Namespace Server  Hosts the namespace \\josebda\NS1, which includes a folder \\josebda\NS1\Folder1; the target for that folder is \\fs.josebda.local\Share1
3  FS    FS.josebda.local  10.1.1.3  File Server                        Hosts the share \\fs.josebda.local\Share1
4  CL    CL.josebda.local  10.1.1.4  Client                             Where the command lines are run; also running Network Monitor

All computers in this setup are running Windows Server 2008 Enterprise Edition (with Service Pack 2 RC). All command lines and traces are from the point of view of the client (CL.josebda.local or 10.1.1.4).
3 – Cleaning up the caches
In order to clear all the related caches before each trace, I used a series of commands on the client:

To clear the DFS-N domain cache:       DFSUTIL cache domain flush
To clear the DFS-N referral cache:     DFSUTIL cache referral flush
To clear the cached Kerberos tickets:  KLIST purge
To clear the DNS cache:                IPCONFIG /flushdns
To clear the ARP cache:                ARP -d *

Note that each of the commands clears a different kind of cache.
4 – Warming up with a ping by DNS name
This first trace shows a ping of the file server by the client, using the file server name. This is a simple one, just to get you started with the format. It uses the ARP, DNS and ICMP protocols. It involves the client (CL), the DNS server (DC) and the file server (FS).

First, here is the actual command used and its output.

C:\Users\administrator>ping fs.josebda.local

Pinging fs.josebda.local [10.1.1.3] with 32 bytes of data:
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\administrator>

Next, here is the summary of the NetMon trace, with a comment before each group of frames.

From  To  Protocol    Details

4.1. CL uses ARP to find the MAC address for 10.1.1.1, its DNS server
CL    DC  ARP         ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC    CL  ARP         ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06

4.2. CL queries DNS for "fs.josebda.local" and gets 10.1.1.3 (DC queries ARP back to CL)
CL    DC  DNS         DNS:QueryId = 0xFDF5, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet
DC    CL  ARP         ARP:Request, 10.1.1.1 asks for 10.1.1.4
CL    DC  ARP         ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
DC    CL  DNS         DNS:QueryId = 0xFDF5, QUERY (Standard query), Response - Success, 10.1.1.3

4.3. CL uses ARP to find the MAC address for 10.1.1.3, the IP for fs.josebda.local
CL    FS  ARP         ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS    CL  ARP         ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05

4.4. CL pings 10.1.1.3 four times (the first time, FS queries ARP back to CL)
CL    FS  ICMP        ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS    CL  ARP         ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL    FS  ARP         ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS    CL  ICMP        ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL    FS  ICMP        ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS    CL  ICMP        ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL    FS  ICMP        ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS    CL  ICMP        ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL    FS  ICMP        ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS    CL  ICMP        ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

Last, here is a sample NetMon screenshot. You can see the details of the DNS query response frame:
5 – Querying the file server directly
This trace is more interesting, showing an SMB client enumerating a folder on a file server. Note that, in this case, we are not actually using a DFS namespace yet. You will be exposed to a larger set of protocols this time, including SMB and Kerberos. There are now three computers involved: the client (CL), the file server (FS) and the domain controller (DC).

First, here is the actual command used and its output.

C:\Users\administrator>dir \\fs.josebda.local\share1
 Volume in drive \\fs.josebda.local\share1 has no label.
 Volume Serial Number is 68CD-6098

 Directory of \\fs.josebda.local\share1

04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace, with a comment before each group of frames.

From  To  Protocol    Details

5.1. CL uses ARP to find the MAC address for 10.1.1.1, its DNS server
CL    DC  ARP         ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC    CL  ARP         ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06

5.2. CL queries DNS for "fs.josebda.local" and gets 10.1.1.3
CL    DC  DNS         DNS:QueryId = 0x5667, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet
DC    CL  DNS         DNS:QueryId = 0x5667, QUERY (Standard query), Response - Success, 10.1.1.3

5.3. CL uses ARP to find the MAC address for 10.1.1.3, the IP for fs.josebda.local
CL    FS  ARP         ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS    CL  ARP         ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05

5.4. CL negotiates a TCP session with FS on port 445 (SMB)
CL    FS  TCP         TCP:Flags=......S., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114495, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS    CL  ARP         ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL    FS  ARP         ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS    CL  TCP         TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516548, Ack=892114496, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL    FS  TCP         TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114496, Ack=1956516549, Win=513 (scale factor 0x8) = 131328

5.5. CL and FS negotiate an SMB session (note that FS offers SMB2 and CL takes it)
CL    FS  SMB         SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS    CL  SMB2        SMB2:R NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0

5.6. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authenticates to the domain (the AS exchange for krbtgt/JOSEBDA.LOCAL).
CL    DC  TCP         TCP:Flags=......S., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451346, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC    CL  TCP         TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134793418, Ack=1788451347, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451347, Ack=4134793419, Win=513 (scale factor 0x8) = 131328
CL    DC  KerberosV5  KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC    CL  KerberosV5  KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC    CL  TCP         TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=51, Seq=4134794879 - 4134794930, Ack=1788451665, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...F, SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=0 (scale factor 0x8) = 0

5.7. CL requests a Kerberos service ticket (the TGS exchange) to present to FS.josebda.local for the cifs service
CL    DC  TCP         TCP:Flags=......S., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892024, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC    CL  TCP         TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555248, Ack=3552892025, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892025, Ack=1290555249, Win=513 (scale factor 0x8) = 131328
CL    DC  KerberosV5  KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555249, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
DC    CL  KerberosV5  KerberosV5:TGS Response Cname: Administrator
DC    CL  TCP         TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=118, Seq=1290556709 - 1290556827, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...F, SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328

5.8. The SMB session is set up (while the last ACKs from the DC are still arriving)
CL    FS  SMB2        SMB2:C SESSION SETUP (0x1), Mid = 1
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=0 (scale factor 0x8) = 0
FS    CL  TCP         TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516789, Ack=892116277, Win=513 (scale factor 0x8) = 131328
FS    CL  SMB2        SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

5.9. CL connects to the \\fs.josebda.local\IPC$ tree and asks for a referral for \\fs.josebda.local\share1. Note the code 412, telling us that FS is not a DFS server, just a regular file server.
CL    FS  SMB2        SMB2:C TREE CONNECT (0x3), Path=\\fs.josebda.local\IPC$, Mid = 2
FS    CL  SMB2        SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL    FS  DFS         DFS:Get DFS Referral Request, FileName: \fs.josebda.local\share1, MaxReferralLevel: 4
FS    CL  SMB2        SMB2:R , Mid = 3 - NT Status: System - Error, Code = (412) STATUS_FS_DRIVER_REQUIRED

5.10. CL connects to the \\fs.josebda.local\share1 tree and gets all the information required by the DIR command (note that SMB2 CREATE is used as "OPEN")
CL    FS  SMB2        SMB2:C TREE CONNECT (0x3), Path=\\fs.josebda.local\share1, Mid = 4
FS    CL  SMB2        SMB2:R TREE CONNECT (0x3), TID=0x5, Mid = 4
CL    FS  SMB2        SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 5
FS    CL  SMB2        SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 5
CL    FS  SMB2        SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 6
FS    CL  SMB2        SMB2:R QUERY INFORMATION (0x10), Mid = 6
CL    FS  SMB2        SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 8
FS    CL  SMB2        SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 8
CL    FS  SMB2        SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 11
FS    CL  SMB2        SMB2:R CLOSE (0x6), Mid = 11
CL    FS  SMB2        SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 12
FS    CL  SMB2        SMB2:R QUERY INFORMATION (0x10), Mid = 12

5.11. CL disconnects from both trees, logs off SMB2 and closes the TCP session with FS
CL    FS  TCP         TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117764, Ack=1956518678, Win=512 (scale factor 0x8) = 131072
CL    FS  SMB2        SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 13
FS    CL  SMB2        SMB2:R TREE DISCONNECT (0x4), Mid = 13
CL    FS  SMB2        SMB2:C TREE DISCONNECT (0x4), TID=0x5, Mid = 14
FS    CL  SMB2        SMB2:R TREE DISCONNECT (0x4), Mid = 14
CL    FS  SMB2        SMB2:C LOGOFF (0x2), Mid = 15
FS    CL  SMB2        SMB2:R LOGOFF (0x2), Mid = 15
CL    FS  TCP         TCP:Flags=...A...F, SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117980, Ack=1956518894, Win=511 (scale factor 0x8) = 130816
FS    CL  TCP         TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=512 (scale factor 0x8) = 131072
CL    FS  TCP         TCP:[Segment Lost]Flags=...A.R.., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117981, Ack=1956518894, Win=0 (scale factor 0x8) = 0
FS    CL  TCP         TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=0
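As an added example (not code from the post), here is a small Python script that parses NetMon summary rows in the "From To Protocol Details" layout used above and pulls out what an analyst usually wants from a trace like this: the DNS answers, the Kerberos service principals the client asked tickets for, which servers answered the negotiate with SMB2, and how each DFS referral request was answered, including the STATUS_FS_DRIVER_REQUIRED case from step 5.9. The sample rows are copied from the summaries in sections 5 and 6 of the post; the whitespace-separated layout and the helper names are assumptions of this example.

```python
import re

# Constructed sample input: rows copied from the NetMon summaries in sections
# 5 and 6 of the post, one frame per line, in the page's
# "From To Protocol Details" layout (whitespace-separated, details last).
SAMPLE_ROWS = r"""
CL DC DNS DNS:QueryId = 0x5667, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x5667, QUERY (Standard query), Response - Success, 10.1.1.3
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local
CL FS DFS DFS:Get DFS Referral Request, FileName: \fs.josebda.local\share1, MaxReferralLevel: 4
FS CL SMB2 SMB2:R , Mid = 3 - NT Status: System - Error, Code = (412) STATUS_FS_DRIVER_REQUIRED
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
"""

ROW_RE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<detail>.+)$")


def parse_rows(text):
    """Split each summary row into source, destination, protocol and detail."""
    frames = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            frames.append(m.groupdict())
    return frames


def summarize(frames):
    """Reduce the frame list to the facts an analyst wants from a DFS/SMB trace."""
    summary = {
        "dns": {},            # name queried -> address returned
        "kerberos_spns": [],  # service principals the client asked a TGS for
        "smb2_servers": [],   # servers that answered the negotiate with SMB2
        "dfs_referrals": [],  # (path asked, outcome)
    }
    pending_dns = {}   # QueryId -> name, matched to the response with the same id
    pending_dfs = {}   # (client, server) -> path of the outstanding referral request
    for f in frames:
        d, proto = f["detail"], f["proto"]
        if proto == "DNS":
            qid = re.search(r"QueryId = (0x[0-9A-Fa-f]+)", d)
            if not qid:
                continue
            q = re.search(r"Query for (\S+) of type", d)
            r = re.search(r"Response - Success, (\S+)$", d)
            if q:
                pending_dns[qid.group(1)] = q.group(1)
            elif r and qid.group(1) in pending_dns:
                summary["dns"][pending_dns.pop(qid.group(1))] = r.group(1)
        elif proto == "KerberosV5":
            m = re.search(r"TGS Request .*Sname: (\S+)", d)
            if m:
                summary["kerberos_spns"].append(m.group(1))
        elif proto == "SMB2" and "NEGOTIATE" in d:
            summary["smb2_servers"].append(f["src"])
        elif proto == "DFS":
            req = re.search(r"Referral Request, FileName: (\S+),", d)
            resp = re.search(r"Referral Response, NumberOfReferrals: (\d+)", d)
            if req:
                pending_dfs[(f["src"], f["dst"])] = req.group(1)
            elif resp:
                path = pending_dfs.pop((f["dst"], f["src"]), None)
                summary["dfs_referrals"].append((path, f"{resp.group(1)} referral(s)"))
        elif proto == "SMB2" and "STATUS_FS_DRIVER_REQUIRED" in d:
            # The server answered the referral request with an error: it is a
            # plain file server, not a DFS root (step 5.9 in the post).
            path = pending_dfs.pop((f["dst"], f["src"]), None)
            summary["dfs_referrals"].append((path, "not DFS (STATUS_FS_DRIVER_REQUIRED)"))
    return summary


def unexpected_spns(summary, known_hosts):
    """Service tickets requested for hosts outside the expected server set."""
    known = {h.lower() for h in known_hosts}
    return [spn for spn in summary["kerberos_spns"]
            if spn.split("/", 1)[-1].lower() not in known]


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for key, value in s.items():
        print(f"{key}: {value}")
    print("unexpected:", unexpected_spns(s, ["dc.josebda.local", "ns.josebda.local", "fs.josebda.local"]))
```

Running the script prints the summary for the sample rows. The unexpected_spns() check is the kind of thing worth applying to a larger capture: in a trace like these, every cifs/ ticket the client requests should correspond to a server it was legitimately sent to by DNS or by a DFS referral, so a ticket for a host outside that set is a good place to start reading frames.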
6 – Querying only the DFS namespace
This trace now uses a DFS namespace. In this case, we're querying just the namespace itself, not following any links in the namespace. Now we are working with the client (CL), the domain controller (DC) and the namespace server (NS).

First, here is the actual command used and its output.

C:\Users\administrator>dir \\josebda.local\ns1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB

 Directory of \\josebda.local\ns1

04/10/2009  10:08 PM    <DIR>          .
04/10/2009  10:08 PM    <DIR>          ..
04/10/2009  10:08 PM    <DIR>          Folder1
               0 File(s)              0 bytes
               3 Dir(s)  11,448,500,224 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace, with a comment before each group of frames.

From  To  Protocol    Details

6.1. CL uses ARP to find the MAC address for 10.1.1.1, its DNS server
CL    DC  ARP         ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC    CL  ARP         ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06

6.2. CL queries DNS for "dc.josebda.local" and gets 10.1.1.1
CL    DC  DNS         DNS:QueryId = 0x7447, QUERY (Standard query), Query for DC.josebda.local of type Host Addr on class Internet
DC    CL  DNS         DNS:QueryId = 0x7447, QUERY (Standard query), Response - Success, 10.1.1.1

6.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL    DC  TCP         TCP:Flags=......S., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594720, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC    CL  TCP         TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848417, Ack=1570594721, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594721, Ack=1429848418, Win=513 (scale factor 0x8) = 131328

6.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL    DC  SMB         SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC    CL  SMB2        SMB2:R NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0

6.5. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authenticates to the domain (the AS exchange for krbtgt/JOSEBDA.LOCAL).
CL    DC  TCP         TCP:Flags=......S., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627845, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC    CL  TCP         TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225518474, Ack=1221627846, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627846, Ack=4225518475, Win=513 (scale factor 0x8) = 131328
CL    DC  KerberosV5  KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC    CL  KerberosV5  KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC    CL  TCP         TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=51, Seq=4225519935 - 4225519986, Ack=1221628164, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...F, SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328

6.6. CL requests a Kerberos service ticket to present to DC.josebda.local for the cifs service
CL    DC  TCP         TCP:Flags=......S., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068782, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC    CL  TCP         TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883192, Ack=4290068783, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=0 (scale factor 0x8) = 0
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068783, Ack=3286883193, Win=513 (scale factor 0x8) = 131328
CL    DC  KerberosV5  KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883193, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
DC    CL  KerberosV5  KerberosV5:TGS Response Cname: Administrator
DC    CL  TCP         TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=118, Seq=3286884653 - 3286884771, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...F, SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328

6.7. CL asks the DC for another Kerberos ticket (a TGS request for krbtgt/JOSEBDA.LOCAL)
CL    DC  TCP         TCP:Flags=......S., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990730, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC    CL  TCP         TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502819863, Ack=341990731, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=0 (scale factor 0x8) = 0
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990731, Ack=2502819864, Win=513 (scale factor 0x8) = 131328
CL    DC  KerberosV5  KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC    CL  KerberosV5  KerberosV5:TGS Response Cname: Administrator
CL    DC  TCP         TCP:Flags=...A...F, SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341992176, Ack=2502821322, Win=507 (scale factor 0x8) = 129792

6.8. The SMB session with DC is set up (while the last ACKs from the DC are still arriving)
CL    DC  SMB2        SMB2:C SESSION SETUP (0x1), Mid = 1
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848658, Ack=1570597908, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=0 (scale factor 0x8) = 0
DC    CL  SMB2        SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

6.9. CL connects to the \\dc.josebda.local\IPC$ tree and asks DFS for a referral for "josebda.local", then for "\josebda.local\ns1"
CL    DC  SMB2        SMB2:C TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC    CL  SMB2        SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL    DC  DFS         DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC    CL  DFS         DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL    DC  DFS         DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849264, Ack=1570598348, Win=511 (scale factor 0x8) = 130816
DC    CL  DFS         DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4

6.10. CL now knows that it needs to talk to "ns.josebda.local". It queries DNS to find that its address is "10.1.1.2", then uses ARP
CL    DC  DNS         DNS:QueryId = 0xC0C7, QUERY (Standard query), Query for NS.josebda.local of type Host Addr on class Internet
DC    CL  DNS         DNS:QueryId = 0xC0C7, QUERY (Standard query), Response - Success, 10.1.1.2
CL    NS  ARP         ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS    CL  ARP         ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04

6.11. CL negotiates a TCP session with NS on port 445 (SMB)
CL    NS  TCP         TCP:Flags=......S., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345207, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS    CL  TCP         TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42140879, Ack=869345208, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL    NS  TCP         TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345208, Ack=42140880, Win=513 (scale factor 0x8) = 131328

6.12. CL negotiates an SMB session with NS (selects the SMB2 dialect)
CL    NS  SMB         SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS    CL  SMB2        SMB2:R NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0

6.13. CL requests a Kerberos service ticket to present to NS.josebda.local for the cifs service
CL    DC  TCP         TCP:Flags=......S., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527949, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC    CL  TCP         TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299011, Ack=1328527950, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527950, Ack=1914299012, Win=513 (scale factor 0x8) = 131328
CL    DC  KerberosV5  KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299012, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
DC    CL  KerberosV5  KerberosV5:TGS Response Cname: Administrator
DC    CL  TCP         TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=118, Seq=1914300472 - 1914300590, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328
CL    DC  TCP         TCP:Flags=...A...F, SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328

6.14. The SMB session with NS is set up (while the last ACKs from the DC are still arriving)
CL    NS  SMB2        SMB2:C SESSION SETUP (0x1), Mid = 1
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=513 (scale factor 0x8) = 131328
DC    CL  TCP         TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=0 (scale factor 0x8) = 0
NS    CL  TCP         TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42141120, Ack=869346989, Win=513 (scale factor 0x8) = 131328
NS    CL  SMB2        SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

6.15. CL connects to the \\ns\NS1 tree, opens the \NS\ns1 namespace and its links, and queries information (note that SMB2 CREATE is also used as "OPEN")
CL    NS  SMB2        SMB2:C TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS    CL  SMB2        SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL    NS  SMB2        SMB2:C CREATE (0x5), Name=josebda.local\ns1@#380, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS    CL  SMB2        SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL    NS  SMB2        SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS    CL  SMB2        SMB2:R QUERY INFORMATION (0x10), Mid = 4
CL    NS  SMB2        SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS    CL  SMB2        SMB2:R CLOSE (0x6), Mid = 6
CL    NS  SMB2        SMB2:C CREATE (0x5), Name=josebda.local\ns1@#386, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS    CL  SMB2        SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 7
CL    NS  SMB2        SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000005, Mid = 10
NS    CL  SMB2        SMB2:R CLOSE (0x6), Mid = 10
CL    NS  SMB2        SMB2:C CREATE (0x5), Name=josebda.local\ns1@#390, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 11
NS    CL  SMB2        SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000009, Mid = 11
CL    NS  SMB2        SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000009, Mid = 13
NS    CL  SMB2        SMB2:R CLOSE (0x6), Mid = 13

6.16. CL disconnects from the trees, logs off SMB2 and closes the TCP sessions with DC and NS
CL    DC  TCP         TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598348, Ack=1429849514, Win=509 (scale factor 0x8) = 130304
CL    NS  TCP         TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348640, Ack=42143344, Win=510 (scale factor 0x8) = 130560
CL    DC  SMB2        SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC    CL  SMB2        SMB2:R TREE DISCONNECT (0x4), Mid = 5
CL    DC  SMB2        SMB2:C LOGOFF (0x2), Mid = 6
DC    CL  SMB2        SMB2:R LOGOFF (0x2), Mid = 6
CL    NS  SMB2        SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 14
CL    DC  TCP         TCP:Flags=...A...F, SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598492, Ack=1429849658, Win=508 (scale factor 0x8) = 130048
NS    CL  SMB2        SMB2:R TREE DISCONNECT (0x4), Mid = 14
DC    CL  TCP         TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=511 (scale factor 0x8) = 130816
CL    NS  SMB2        SMB2:C LOGOFF (0x2), Mid = 15
CL    DC  TCP         TCP:[Segment Lost]Flags=...A.R.., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598493, Ack=1429849658, Win=0 (scale factor 0x8) = 0
DC    CL  TCP         TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=0
NS    CL  SMB2        SMB2:R LOGOFF (0x2), Mid = 15
CL    NS  TCP         TCP:Flags=...A...F, SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348784, Ack=42143488, Win=510 (scale factor 0x8) = 130560
NS    CL  TCP         TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42143488, Ack=869348785, Win=512 (scale factor 0x8) = 131072
CL    NS  TCP         TCP:[Segment Lost]Flags=...A.R.., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348785, Ack=42143488, Win=0 (scale factor 0x8) = 0

Last, here is a sample NetMon screenshot. Here we see the detail of the DFS referral response (the second one in 6.9), with the frame details showing that josebda.local\ns1 is actually handled by \ns\ns1. See also that the referral has a time-to-live (how long it should be kept in the cache).
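To make the resolution chain and the referral time-to-live concrete, here is an added Python model (not the post's code, and not the Windows implementation) of what the DFS client does with these referrals: a domain referral for josebda.local answered by the DC, a root referral for \josebda.local\ns1 answered by the DC and pointing at \\NS\NS1, and, for the link used in section 7, a link referral for \josebda.local\ns1\folder1 pointing at \\fs.josebda.local\Share1 (the target given in section 2). Each referral is cached until its TTL elapses, flush() mirrors "dfsutil cache referral flush", and for every server it contacts the model records the cifs/ service ticket the client needs first, as seen in 6.6 and 6.13. The TTL values, the class and function names, the assumption that the client already knows the DC, the assumption that it appends its DNS suffix to the short name NS (which is what the DNS query in 6.10 suggests), and the assumption that the namespace server answers the link referral (the section 7 trace is cut off before that point) are all constructed for this example.

```python
import time

# Constructed referral tables mirroring the environment in section 2 and the
# referrals seen in section 6.  The TTL values (seconds) are assumptions for
# this example; a real client uses the TTL carried in each referral response.
DOMAIN_REFERRALS = {"josebda.local": (["DC.josebda.local"], 600)}
ROOT_REFERRALS = {r"\josebda.local\ns1": ([r"\\NS\NS1"], 300)}
LINK_REFERRALS = {r"\josebda.local\ns1\folder1": ([r"\\fs.josebda.local\Share1"], 1800)}


class FakeClock:
    """Deterministic clock so the TTL behaviour can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ReferralCache:
    """Referral entries keyed by DFS path, each with an absolute expiry time."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.entries = {}

    def get(self, key):
        hit = self.entries.get(key)
        if hit is None:
            return None
        targets, expires = hit
        if self.clock() >= expires:        # TTL elapsed: treat as a miss and drop it
            del self.entries[key]
            return None
        return targets

    def put(self, key, targets, ttl):
        self.entries[key] = (targets, self.clock() + ttl)

    def flush(self):                       # the effect of "dfsutil cache referral flush"
        self.entries.clear()


class DfsClient:
    def __init__(self, clock=time.monotonic, dc="DC.josebda.local", dns_suffix="josebda.local"):
        self.cache = ReferralCache(clock)
        self.dc = dc                  # assumed already located via DNS, as in step 6.2
        self.dns_suffix = dns_suffix  # appended to short names like NS before DNS/Kerberos
        self.wire = []                # (path asked, server asked, SPN needed, outcome)

    def _fqdn(self, host):
        return host if "." in host else host + "." + self.dns_suffix

    def _referral(self, table, key, server):
        key = key.lower()             # DFS paths are case-insensitive
        cached = self.cache.get(key)
        if cached is not None:
            return cached             # answered from the referral cache, nothing on the wire
        server = self._fqdn(server)
        spn = "cifs/" + server        # the TGS the client must obtain before SESSION SETUP
        if key not in table:
            self.wire.append((key, server, spn, "no referral (not a DFS path)"))
            return None
        targets, ttl = table[key]
        self.wire.append((key, server, spn, f"{len(targets)} referral(s), ttl={ttl}"))
        self.cache.put(key, targets, ttl)
        return targets

    def resolve(self, unc):
        parts = unc.strip("\\").split("\\")
        if len(parts) < 2:
            raise ValueError("expected \\\\server-or-domain\\share[\\path]")
        first, second, rest = parts[0], parts[1], parts[2:]
        share_path = "\\" + first + "\\" + second
        if first.lower() not in DOMAIN_REFERRALS:
            # Not a domain the client knows (domain cache): ask the server itself,
            # as in step 5.9, and on "not DFS" use the path unchanged.
            self._referral({}, share_path, first)
            return unc
        dcs = self._referral(DOMAIN_REFERRALS, first, self.dc)
        root_targets = self._referral(ROOT_REFERRALS, share_path, dcs[0])
        if root_targets is None:
            return unc
        root_host = root_targets[0].strip("\\").split("\\")[0]
        if not rest:
            return root_targets[0]
        link_targets = self._referral(LINK_REFERRALS, share_path + "\\" + rest[0], root_host)
        if link_targets is None:
            # Not a link: the folder lives on the root target itself.
            return "\\".join([root_targets[0]] + rest)
        return "\\".join([link_targets[0]] + rest[1:])


if __name__ == "__main__":
    clock = FakeClock()
    client = DfsClient(clock)
    print(client.resolve(r"\\josebda.local\ns1\folder1\File1.txt"))
    for entry in client.wire:
        print(entry)
```

Resolving the same path a second time produces no referral traffic at all; advancing the clock past the root referral's TTL makes only that one referral hit the wire again, and flush() brings the whole chain back, which is why the post clears the referral cache before each trace.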
7 – Finally, looking at the file server via the DFS namespace
This is the final and most complex of the traces here. We're listing details about a file inside a link in a namespace. This time we're involving the client (CL), the domain controller (DC), the namespace server (NS) and the file server (FS).
First, here is the actual command used (in bold) and its output.
C:\Users\administrator>dir \\josebda.local\ns1\folder1
Volume in drive \\josebda.local\ns1 has no label.
Volume Serial Number is 34A5-C4AB
Directory of \\josebda.local\ns1\folder1
04/10/2009 10:06 PM <DIR> .
04/10/2009 10:06 PM <DIR> ..
04/10/2009 10:06 PM 15 File1.txt
1 File(s) 15 bytes
2 Dir(s) 11,459,997,696 bytes free
C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).
From To Protocol Details
7.1. CL uses ARP to find the MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
7.2. CL queries DNS for "dc.josebda.local", gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Query for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Response - Success, 10.1.1.1
7.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=......S., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427785, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692608, Ack=1348427786, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427786, Ack=806692609, Win=513 (scale factor 0x8) = 131328
7.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
7.5. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authentication for the domain (the AS exchange)
CL DC TCP TCP:Flags=......S., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774373, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481525383, Ack=2790774374, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774374, Ack=2481525384, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation to #451]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=51, Seq=2481526844 - 2481526895, Ack=2790774692, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
7.6. CL requests a Kerberos service ticket to present to DC.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473064, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552186, Ack=1217473065, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473065, Ack=51552187, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552187, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #462]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=118, Seq=51553647 - 51553765, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
7.7. CL asks DC for another Kerberos ticket (a TGS request for krbtgt/JOSEBDA.LOCAL)
CL DC TCP TCP:Flags=......S., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120000, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=0 (scale factor 0x8) = 0
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880462364, Ack=2381120001, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120001, Ack=1880462365, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=...A...F, SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381121446, Ack=1880463823, Win=507 (scale factor 0x8) = 129792
7.8. SMB session with DC is set up (while the last ACKs for the DC are still coming)
CL DC SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692849, Ack=1348430973, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for "josebda.local", then for "\josebda.local\ns1"
CL DC SMB2 SMB2:C TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.11. CL now knows that it needs to talk to "ns.josebda.local". It queries DNS to find that this is "10.1.1.2", then ARP
CL DC DNS DNS:QueryId = 0xA941, QUERY (Standard query), Query for NS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0xA941, QUERY (Standard query), Response - Success, 10.1.1.2
CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04
7.12. CL negotiates a TCP session with NS on port 445 (SMB)
CL NS TCP TCP:Flags=......S., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429650, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553199, Ack=1616429651, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429651, Ack=802553200, Win=513 (scale factor 0x8) = 131328
7.13. CL negotiates an SMB session with NS (selects the SMB2 dialect)
CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0
7.14. CL requests a Kerberos service ticket to present to NS.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167390, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096963, Ack=2584167391, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167391, Ack=2711096964, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096964, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #499]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=118, Seq=2711098424 - 2711098542, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
7.15. SMB session with NS is set up (while the last ACKs for the DC are still coming)
CL NS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553440, Ack=1616431432, Win=513 (scale factor 0x8) = 131328
NS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.16. CL connects to tree \\ns\NS1, opens and queries information for josebda.local\ns1 and josebda.local\ns1\folder1. Error 599 (STATUS_PATH_NOT_COVERED) on the last response indicates that we need a referral
CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#510, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL NS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 4
CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 6
CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1\folder1@#516, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED
7.17. CL connects to tree \\ns\IPC$, asks DFS for a referral for "\NS\ns1\folder1" (note via ARP that NS talks to the DC)
CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\IPC$, Mid = 8
NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x5, Mid = 8
CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4
NS DC ARP ARP:Request, 10.1.1.2 asks for 10.1.1.1
DC NS ARP ARP:Request, 10.1.1.1 asks for 10.1.1.2
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431413, Ack=806693705, Win=509 (scale factor 0x8) = 130304
NS CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.18. CL now knows that it needs to talk to "fs.josebda.local". It queries DNS to find that this is "10.1.1.3", then ARP
CL DC DNS DNS:QueryId = 0x9848, QUERY (Standard query), Query for FS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x9848, QUERY (Standard query), Response - Success, 10.1.1.3
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
7.19. CL negotiates a TCP session with FS on port 445 (SMB). Note the ARP back from FS, since it is the first time it talks to CL
CL FS TCP TCP:Flags=......S., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020583, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428157, Ack=3441020584, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020584, Ack=109428158, Win=513 (scale factor 0x8) = 131328
7.20. CL negotiates an SMB session with FS (selects the SMB2 dialect)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
7.21. CL requests a Kerberos service ticket to present to FS.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214818, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378401, Ack=4155214819, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214819, Ack=938378402, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378402, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #543]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=118, Seq=938379862 - 938379980, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
7.22. SMB session with FS is set up (while the last ACKs for the DC are still coming)
CL FS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428398, Ack=3441022365, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.23. CL connects to tree \\fs.josebda.local\Share1, opens the folder and the file, and queries information (note that SMB2 CREATE is also used as "OPEN")
CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2
FS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 4
FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 4
CL FS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 7
FS CL SMB2 SMB2:R CLOSE (0x6), Mid = 7
CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000005, Mid = 8
FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 8
CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 10
FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 10
7.24. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS, FS
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432609, Ack=802554785, Win=513 (scale factor 0x8) = 131328
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023554, Ack=109430126, Win=511 (scale factor 0x8) = 130816
CL DC SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 5
CL DC SMB2 SMB2:C LOGOFF (0x2), Mid = 6
DC CL SMB2 SMB2:R LOGOFF (0x2), Mid = 6
CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x5, Mid = 10
CL DC TCP TCP:Flags=...A...F, SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431557, Ack=806693849, Win=508 (scale factor 0x8) = 130048
NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 10
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806693849, Ack=1348431558, Win=511 (scale factor 0x8) = 130816
CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431558, Ack=806693849, Win=0 (scale factor 0x8) = 0
NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 11
CL NS SMB2 SMB2:C LOGOFF (0x2), Mid = 12
NS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 12
CL FS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL NS TCP TCP:Flags=...A...F, SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432825, Ack=802555001, Win=512 (scale factor 0x8) = 131072
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=507 (scale factor 0x8) = 129792
FS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 11
CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432826, Ack=802555001, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=0
CL FS SMB2 SMB2:C LOGOFF (0x2), Mid = 12
FS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 12
CL FS TCP TCP:Flags=...A...F, SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023698, Ack=109430270, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=508 (scale factor 0x8) = 130048
FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=0 (scale factor 0x8) = 0
Last, here is a sample NetMon screenshot. I'm using this to highlight compound SMB2 requests. What you see above in step 7.23 as a simple CREATE (or OPEN) for the folder is actually a CREATE and a couple of QUERY DIRECTORY requests. The frame details show the compound response, which shows that we actually enumerated the entire folder (with just 1 file) with a single request:
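When you have a summary like the one above, the interesting part for a security reviewer is easy to lose among the TCP handshakes: which names the client resolved, which servers it asked for referrals and for what paths, where it hit an error, and whether every SMB session was preceded by a Kerberos service-ticket request for that server. Here is an added example of mine (not code from this post or from Network Monitor) that extracts exactly that from rows in the "From To Protocol Details" layout used here. SAMPLE holds a subset of the section 7 rows; the extra row appended at the bottom, for a server called OTHER, is constructed to show how a session without a matching cifs/ ticket request is reported.

```python
"""Pull the referral chain and the authentication story out of NetMon summary
rows of the form "From To Protocol Details", as shown in this post.

Added example, not code from the post or from Network Monitor. SAMPLE holds a
subset of the section 7 rows; the OTHER row appended in the usage at the bottom
is constructed, not from the trace."""
import re
from collections import namedtuple

Frame = namedtuple("Frame", "src dst proto details")

SAMPLE = r"""
CL DC DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Query for DC.josebda.local of type Host Addr on class Internet
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
CL DC SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
CL DC SMB2 SMB2:C TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
CL DC DNS DNS:QueryId = 0xA941, QUERY (Standard query), Query for NS.josebda.local of type Host Addr on class Internet
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
CL NS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED
CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4
CL DC DNS DNS:QueryId = 0x9848, QUERY (Standard query), Query for FS.josebda.local of type Host Addr on class Internet
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local
CL FS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2
"""

DNS_QUERY = re.compile(r"Query for (\S+) of type")
TGS_REQ = re.compile(r"TGS Request .*Sname: (\S+)")
DFS_REQ = re.compile(r"Get DFS Referral Request, FileName: (\S+), MaxReferralLevel: (\d+)")
NT_ERROR = re.compile(r"NT Status: .*Code = \((\d+)\) (\w+)")


def parse(text):
    """One Frame per row; the first three whitespace-separated tokens are From, To, Protocol."""
    return [Frame(*line.split(None, 3)) for line in text.strip().splitlines()]


def hosts_resolved(frames):
    """Names the client asked DNS for, in order."""
    return [m.group(1) for f in frames
            if f.proto == "DNS" and (m := DNS_QUERY.search(f.details))]


def referral_chain(frames):
    """(server asked, DFS path, MaxReferralLevel) for every referral request."""
    return [(f.dst, m.group(1), int(m.group(2)))
            for f in frames if (m := DFS_REQ.search(f.details))]


def errors(frames):
    """(server, NT status code, symbolic name) for every SMB2 error response."""
    return [(f.src, int(m.group(1)), m.group(2))
            for f in frames if (m := NT_ERROR.search(f.details))]


def kerberos_coverage(frames):
    """Map each server that received an SMB2 SESSION SETUP to the cifs/ service
    ticket requested before it, or None when no matching TGS request appears in
    the capture (ticket already cached, or the session was not Kerberos at all)."""
    tickets, coverage = [], {}
    for f in frames:
        m = TGS_REQ.search(f.details)
        if m:
            tickets.append(m.group(1).lower())                 # e.g. cifs/ns.josebda.local
        elif "SMB2:C SESSION SETUP" in f.details and f.dst not in coverage:
            host = f.dst.lower()
            match = [t for t in tickets if t.split("/", 1)[-1].split(".")[0] == host]
            coverage[f.dst] = match[-1] if match else None
    return coverage


if __name__ == "__main__":
    frames = parse(SAMPLE)
    print("DNS:", hosts_resolved(frames))
    print("Referrals:", referral_chain(frames))
    print("Errors:", errors(frames))
    print("Kerberos:", kerberos_coverage(frames))
    # Constructed row: an SMB2 session to a server with no preceding cifs/ ticket request.
    frames.append(Frame("CL", "OTHER", "SMB2", "SMB2:C SESSION SETUP (0x1), Mid = 1"))
    print("Uncovered:", [h for h, t in kerberos_coverage(frames).items() if t is None])
```

On the rows from this post the referral chain comes out as DC, DC, NS (domain, root, then link), the only error is the 599 STATUS_PATH_NOT_COVERED from NS that triggers the link referral, and every one of DC, NS and FS is covered by a cifs/ ticket request. The coverage check matches on the short host name because that is what the summary shows in the From/To columns; in a capture of your own, a server reported as None is the place to look first.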
8 – Conclusion
I hope this blog post helped you understand the behavior of DFS-N clients and encouraged you to try running Network Monitor and capturing some traces yourself.
For additional information on how DFS-N works, check these two links:
http://technet.microsoft.com/en-us/library/cc782417.aspx
http://www.snia.org/events/storage-developer2008/presentations/wednesday/DanLovingerImplementingDFSN-SDC08-v2.pdf