Jose Barreto's Blog : Understanding Windows Server 2008 DFS-N by analyzing network traces

Wednesday, April 15, 2009 8:00 PM josebda

Understanding Windows Server 2008 DFS-N by analyzing network traces

1 – Overview

This blog post details the behavior of Windows Server 2008 DFS-N (Distributed File System - Namespaces) clients by looking at network traces.
The main goal here is to show the interaction between a DFS-N client, a domain controller, a namespace server and a file server.
These traces were taken using Network Monitor 3.3 beta from a set of isolated computers in a domain.
To understand this post, you need some familiarity with common protocols like ARP, ICMP, TCP and DNS.
At least a basic understanding of some more sophisticated protocols like SMB and Kerberos are also helpful.

2 – The environment

There are 4 computers in this environment, as described below.

# Name FQDN IP Role Details

1 DC DC.josebda.local 10.1.1.1 DNS, Domain Controller DNS Server for zone josebda.local
Only DC for josebda.local domain

2 NS NS.josebda.local 10.1.1.2 File Server, DFS Namespace Server Hosts namespace \\josebda\NS1
Includes a folder \\josebda\NS1\Folder1
Target for that folder is \\fs.josebda.local\Share1

3 FS FS.josebda.local 10.1.1.3 File Server Hosts the share \\fs.josebda.local\Share1

4 CL CL.josebda.local 10.1.1.4 Client Where the command lines are run
Running Network Monitor

All computers in this setup are running Windows Server 2008 Enterprise Edition (with Service Pack 2 RC).
All command lines and traces are from the point of view of the client (CL.josebda.local or 10.1.1.4).

3 – Cleaning up the caches

In order to clean all the related caches before each trace, I used a series of command on the client:

To clear the DFS-N domain cache: DFSUTIL cache domain flush

To clean the DFS-N referral cache: DFSUTIL cache referral flush

To clear the cached Kerberos tickets: KLIST purge

To clear the DNS cache: IPCONFIG /flushdns

To clear the ARP cache: ARP –d *

Note that each of the commands clears a different kind of cache.

4 – Warming up with a ping by DNS name

This first trace shows a ping of the file server by the client, using the file server name.
This is a simple one, just to get you started with the format. It uses the ARP, DNS and ICMP protocols.
This involves the client (CL), the DNS server (DC) and the file server (FS).

First, here is the actual command used (in bold) and its output.
C:\Users\administrator>ping fs.josebda.local

Pinging fs.josebda.local [10.1.1.3] with 32 bytes of data:
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details

4.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server

CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1

DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06

4.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3 (DC queries ARP back to CL)

CL DC DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet

DC CL ARP ARP:Request, 10.1.1.1 asks for 10.1.1.4

CL DC ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03

DC CL DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Response - Success, 10.1.1.3

4.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local

CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3

FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05

4.4. CL pings 10.1.1.3 four times (first time, FS queries ARP back to CL)

CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3

FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4

CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03

FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3

FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3

FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3

FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

Last, here is a sample NetMon screenshot. You can see the details of the DNS query response frame:

5 – Querying the file server directly

This trace is more interesting, showing an SMB client enumerating a folder on a file server.
Note that, in this case, we are not actually using a DFS namespace yet.
You will be exposed to a larger set of protocols this time, including SMB and Kerberos.
Now there will be three computers involved: the client (CL), the file server (FS) and the domain controller (DC).

First, here is the actual command used (in bold) and its output.
C:\Users\administrator>dir \\fs.josebda.local\share1

 Volume in drive \\fs.josebda.local\share1 has no label.
 Volume Serial Number is 68CD-6098

Directory of \\fs.josebda.local\share1

04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free

C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details

5.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server

CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1

DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06

5.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3

CL DC DNS DNS:QueryId = 0x5667, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet

DC CL DNS DNS:QueryId = 0x5667, QUERY (Standard query), Response - Success, 10.1.1.3

5.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local

CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3

FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05

5.4. CL negotiates a TCP session with FS on port 445 (SMB)

CL FS TCP TCP:Flags=......S., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114495, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4

CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03

FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516548, Ack=892114496, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114496, Ack=1956516549, Win=513 (scale factor 0x8) = 131328

5.5. CL and FS negotiate an SMB session (note that FS offers SMB2 and CL takes it)

CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002

FS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0

5.6. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for the domain.

CL DC TCP TCP:Flags=......S., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451346, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134793418, Ack=1788451347, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451347, Ack=4134793419, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL

DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]

DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=51, Seq=4134794879 - 4134794930, Ack=1788451665, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=0 (scale factor 0x8) = 0

5.7. CL requests a Kerberos client service authorization ticket for CL to present to FS.joseba.local for cifs service

CL DC TCP TCP:Flags=......S., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892024, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555248, Ack=3552892025, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892025, Ack=1290555249, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555249, Ack=3552893597, Win=513 (scale factor 0x8) = 131328

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=118, Seq=1290556709 - 1290556827, Ack=3552893597, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328

5.8. The SMB session is setup (while the last ACKs for the DC are still coming)

CL FS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=0 (scale factor 0x8) = 0

FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516789, Ack=892116277, Win=513 (scale factor 0x8) = 131328

FS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

5.9. CL connects to \\fs.josebda.local\IPC$ tree, gets referral for \\fs.josebda.local\share1. Note the code 412, telling us that FS is not a DFS server, just a regular file server.

CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\fs.josebda.local\IPC$, Mid = 2

FS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2

CL FS DFS DFS:Get DFS Referral Request, FileName: \fs.josebda.local\share1, MaxReferralLevel: 4

FS CL SMB2 SMB2:R , Mid = 3 - NT Status: System - Error, Code = (412) STATUS_FS_DRIVER_REQUIRED

5.10. CL connects to \\fs.josebda.local\share1 tree, get all information required by DIR command (note that SMB CREATE is used as “OPEN”)

CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\fs.josebda.local\share1, Mid = 4

FS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x5, Mid = 4

CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 5

FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 5

CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 6

FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 6

CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 8

FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 8

CL FS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 11

FS CL SMB2 SMB2:R CLOSE (0x6), Mid = 11

CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 12

FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 12

5.11. CL disconnects from both trees, logs off SMB2, closes the TCP session with FS

CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117764, Ack=1956518678, Win=512 (scale factor 0x8) = 131072

CL FS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 13

FS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 13

CL FS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x5, Mid = 14

FS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 14

CL FS SMB2 SMB2:C LOGOFF (0x2), Mid = 15

FS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 15

CL FS TCP TCP:Flags=...A...F, SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117980, Ack=1956518894, Win=511 (scale factor 0x8) = 130816

FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=512 (scale factor 0x8) = 131072

CL FS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117981, Ack=1956518894, Win=0 (scale factor 0x8) = 0

FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=0

6 – Querying only the DFS namespace

This trace now uses a DFS namespace.
In this case, we’re querying just the namespace itself, not following any links in the namespace.
Now we are working with the client (CL), the domain controller (DC) and the namespace server (NS).

First, here is the actual command used (in bold) and its output.
C:\Users\administrator>dir \\josebda.local\ns1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB

 Directory of \\josebda.local\ns1

04/10/2009  10:08 PM    <DIR>          .
04/10/2009  10:08 PM    <DIR>          ..
04/10/2009  10:08 PM    <DIR>          Folder1
               0 File(s)              0 bytes
               3 Dir(s)  11,448,500,224 bytes free
 
C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details

6.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server

CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1

DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06

6.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1

CL DC DNS DNS:QueryId = 0x7447, QUERY (Standard query), Query for DC.josebda.local of type Host Addr on class Internet

DC CL DNS DNS:QueryId = 0x7447, QUERY (Standard query), Response - Success, 10.1.1.1

6.3. CL negotiates a TCP session with DC on port 445 (SMB)

CL DC TCP TCP:Flags=......S., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594720, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848417, Ack=1570594721, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594721, Ack=1429848418, Win=513 (scale factor 0x8) = 131328

6.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)

CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002

DC CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0

6.5. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for the domain.

CL DC TCP TCP:Flags=......S., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627845, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225518474, Ack=1221627846, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627846, Ack=4225518475, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL

DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]

DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=51, Seq=4225519935 - 4225519986, Ack=1221628164, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328

6.6. CL requests a Kerberos service authorization ticket to present to DC.joseba.local for cifs service

CL DC TCP TCP:Flags=......S., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068782, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883192, Ack=4290068783, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=0 (scale factor 0x8) = 0

CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068783, Ack=3286883193, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883193, Ack=4290070355, Win=513 (scale factor 0x8) = 131328

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=118, Seq=3286884653 - 3286884771, Ack=4290070355, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328

6.7. CL asks DC for another Kerberos ticket

CL DC TCP TCP:Flags=......S., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990730, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502819863, Ack=341990731, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=0 (scale factor 0x8) = 0

CL DC TCP TCP:Flags=...A...., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990731, Ack=2502819864, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

CL DC TCP TCP:Flags=...A...F, SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341992176, Ack=2502821322, Win=507 (scale factor 0x8) = 129792

6.8. SMB session with DC is setup. (while the last ACKs for the DC are still coming)

CL DC SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848658, Ack=1570597908, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=0 (scale factor 0x8) = 0

DC CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

6.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for “josebda.local”, then “\josebda.local\ns1”

CL DC SMB2 SMB2:C TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2

DC CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2

CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3

DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3

CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4

DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849264, Ack=1570598348, Win=511 (scale factor 0x8) = 130816

DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4

6.10. CL now knows that it needs to talk to “ns.josebda.local”. Queries DNS to find it’s “10.1.1.2”, then ARP

CL DC DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Query for NS.josebda.local of type Host Addr on class Internet

DC CL DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Response - Success, 10.1.1.2

CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2

NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04

6.11. CL negotiates a TCP session with NS on port 445 (SMB)

CL NS TCP TCP:Flags=......S., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345207, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42140879, Ack=869345208, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345208, Ack=42140880, Win=513 (scale factor 0x8) = 131328

6.12. CL negotiates an SMB session with DC (selects SMB2 dialect)

CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002

NS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0

6.13. CL requests a Kerberos service authorization ticket to present to NS.joseba.local for cifs service

CL DC TCP TCP:Flags=......S., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527949, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299011, Ack=1328527950, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527950, Ack=1914299012, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299012, Ack=1328529522, Win=513 (scale factor 0x8) = 131328

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=118, Seq=1914300472 - 1914300590, Ack=1328529522, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328

6.14. SMB session with NS is setup. (while the last ACKs for the DC are still coming)

CL NS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=0 (scale factor 0x8) = 0

NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42141120, Ack=869346989, Win=513 (scale factor 0x8) = 131328

NS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

6.15. CL connects to tree \\ns\NS1, opens the \NS\ns1 namespace and links, queries information (note that SMB2 CREATE is also used as “OPEN”)

CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2

NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2

CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#380, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3

NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3

CL NS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4

NS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 4

CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6

NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 6

CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#386, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7

NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 7

CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000005, Mid = 10

NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 10

CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#390, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 11

NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000009, Mid = 11

CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000009, Mid = 13

NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 13

6.16. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS

CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598348, Ack=1429849514, Win=509 (scale factor 0x8) = 130304

CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348640, Ack=42143344, Win=510 (scale factor 0x8) = 130560

CL DC SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 5

DC CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 5

CL DC SMB2 SMB2:C LOGOFF (0x2), Mid = 6

DC CL SMB2 SMB2:R LOGOFF (0x2), Mid = 6

CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 14

CL DC TCP TCP:Flags=...A...F, SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598492, Ack=1429849658, Win=508 (scale factor 0x8) = 130048

NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 14

DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=511 (scale factor 0x8) = 130816

CL NS SMB2 SMB2:C LOGOFF (0x2), Mid = 15

CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598493, Ack=1429849658, Win=0 (scale factor 0x8) = 0

DC CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=0

NS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 15

CL NS TCP TCP:Flags=...A...F, SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348784, Ack=42143488, Win=510 (scale factor 0x8) = 130560

NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42143488, Ack=869348785, Win=512 (scale factor 0x8) = 131072

CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348785, Ack=42143488, Win=0 (scale factor 0x8) = 0

Last, here is a sample NetMon screenshot. Here we see the detail of the DFS referral response in (the second one in 6.9), with the frame details showing that josebda.local\ns1 is actually handled by \ns\ns1. See also that the referral has a time-to-live (how much time it should be kept in the cache).

7 – Finally, looking at the file server via the DFS namespace

This is the final and most complex of the traces here. We’re listing details about a file inside a link in a namespace.
This time we’re involving the client (CL), the domain controller (DC), the namespace server (NS) and the file server (FS).

First, here is the actual command used (in bold) and its output.
C:\Users\administrator>dir \\josebda.local\ns1\folder1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB
 
 Directory of \\josebda.local\ns1\folder1
 
04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free

C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details

7.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server

CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1

DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06

7.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1

CL DC DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Query for DC.josebda.local of type Host Addr on class Internet

DC CL DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Response - Success, 10.1.1.1

7.3. CL negotiates a TCP session with DC on port 445 (SMB)

CL DC TCP TCP:Flags=......S., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427785, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692608, Ack=1348427786, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427786, Ack=806692609, Win=513 (scale factor 0x8) = 131328

7.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)

CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002

DC CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0

7.5. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for the domain

CL DC TCP TCP:Flags=......S., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774373, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481525383, Ack=2790774374, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774374, Ack=2481525384, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL

DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]

DC CL TCP TCP:[Continuation to #451]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=51, Seq=2481526844 - 2481526895, Ack=2790774692, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328

7.6. CL requests a Kerberos service authorization ticket to present to DC.joseba.local for cifs service

CL DC TCP TCP:Flags=......S., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473064, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552186, Ack=1217473065, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=0 (scale factor 0x8) = 0

CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473065, Ack=51552187, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552187, Ack=1217474637, Win=513 (scale factor 0x8) = 131328

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

DC CL TCP TCP:[Continuation to #462]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=118, Seq=51553647 - 51553765, Ack=1217474637, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328

7.7. CL asks DC for another Kerberos ticket

CL DC TCP TCP:Flags=......S., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120000, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=0 (scale factor 0x8) = 0

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880462364, Ack=2381120001, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120001, Ack=1880462365, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

CL DC TCP TCP:Flags=...A...F, SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381121446, Ack=1880463823, Win=507 (scale factor 0x8) = 129792

7.8. SMB session with DC is setup. (while the last ACKs for the DC are still coming)

CL DC SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692849, Ack=1348430973, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=0 (scale factor 0x8) = 0

DC CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

7.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for “josebda.local”, then “\josebda.local\ns1”

CL DC SMB2 SMB2:C TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2

DC CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2

CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3

DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3

CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4

DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4

7.11. CL now knows that it needs to talk to “ns.josebda.local”. Queries DNS to find it’s “10.1.1.2”, then ARP

CL DC DNS DNS:QueryId = 0xA941, QUERY (Standard query), Query for NS.josebda.local of type Host Addr on class Internet

DC CL DNS DNS:QueryId = 0xA941, QUERY (Standard query), Response - Success, 10.1.1.2

CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2

NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04

7.12. CL negotiates a TCP session with NS on port 445 (SMB)

CL NS TCP TCP:Flags=......S., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429650, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553199, Ack=1616429651, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429651, Ack=802553200, Win=513 (scale factor 0x8) = 131328

7.13. CL negotiates an SMB session with NS (selects SMB2 dialect)

CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002

NS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0

7.14. CL requests a Kerberos service authorization ticket to present to NS.joseba.local for cifs service

CL DC TCP TCP:Flags=......S., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167390, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096963, Ack=2584167391, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167391, Ack=2711096964, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096964, Ack=2584168963, Win=513 (scale factor 0x8) = 131328

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

DC CL TCP TCP:[Continuation to #499]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=118, Seq=2711098424 - 2711098542, Ack=2584168963, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328

7.15. SMB session with NS is setup. (while the last ACKs for the DC are still coming)

CL NS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=0 (scale factor 0x8) = 0

NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553440, Ack=1616431432, Win=513 (scale factor 0x8) = 131328

NS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

7.16. CL connects to tree \\ns\NS1, opens and queries information for josebda.local\ns1 and josebda.local\ns1\folder1. Error 599 on the last response indicates we need a referral

CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2

NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2

CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#510, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3

NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3

CL NS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4

NS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 4

CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6

NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 6

CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1\folder1@#516, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7

NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED

7.17. CL connects to tree \\ns\IPC$, asks DFS for a referral for “\NS\ns1\folder1” (note via ARP that NS talks to the DC)

CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\IPC$, Mid = 8

NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x5, Mid = 8

CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4

NS DC ARP ARP:Request, 10.1.1.2 asks for 10.1.1.1

DC NS ARP ARP:Request, 10.1.1.1 asks for 10.1.1.2

CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431413, Ack=806693705, Win=509 (scale factor 0x8) = 130304

NS CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4

7.18. CL now knows that it needs to talk to “fs.josebda.local”. Queries DNS to find it’s “10.1.1.3”, then ARP

CL DC DNS DNS:QueryId = 0x9848, QUERY (Standard query), Query for FS.josebda.local of type Host Addr on class Internet

DC CL DNS DNS:QueryId = 0x9848, QUERY (Standard query), Response - Success, 10.1.1.3

CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3

FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05

7.19. CL negotiates a TCP session with FS on port 445 (SMB). Note the ARP back from FS, since it’s the first time it talks to CL

CL FS TCP TCP:Flags=......S., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020583, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4

CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03

FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428157, Ack=3441020584, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020584, Ack=109428158, Win=513 (scale factor 0x8) = 131328

7.20. CL negotiates an SMB session with FS(selects SMB2 dialect)

CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002

FS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0

7.21. CL requests a Kerberos service authorization ticket to present to FS.joseba.local for cifs service

CL DC TCP TCP:Flags=......S., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214818, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378401, Ack=4155214819, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214819, Ack=938378402, Win=513 (scale factor 0x8) = 131328

CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378402, Ack=4155216391, Win=513 (scale factor 0x8) = 131328

DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator

DC CL TCP TCP:[Continuation to #543]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=118, Seq=938379862 - 938379980, Ack=4155216391, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328

CL DC TCP TCP:Flags=...A...F, SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328

7.22. SMB session with FS is setup. (while the last ACKs for the DC are still coming)

CL FS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1

DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=513 (scale factor 0x8) = 131328

DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=0 (scale factor 0x8) = 0

FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428398, Ack=3441022365, Win=513 (scale factor 0x8) = 131328

FS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1

7.23. CL connects to tree \\fs\josebda.local\Share1, opens the folder and file, queries information (note that SMB2 CREATE is also used as “OPEN”)

CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2

FS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2

CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3

FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3

CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 4

FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 4

CL FS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 7

FS CL SMB2 SMB2:R CLOSE (0x6), Mid = 7

CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000005, Mid = 8

FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 8

CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 10

FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 10

7.24. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS, FS

CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432609, Ack=802554785, Win=513 (scale factor 0x8) = 131328

CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023554, Ack=109430126, Win=511 (scale factor 0x8) = 130816

CL DC SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 5

DC CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 5

CL DC SMB2 SMB2:C LOGOFF (0x2), Mid = 6

DC CL SMB2 SMB2:R LOGOFF (0x2), Mid = 6

CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x5, Mid = 10

CL DC TCP TCP:Flags=...A...F, SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431557, Ack=806693849, Win=508 (scale factor 0x8) = 130048

NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 10

DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806693849, Ack=1348431558, Win=511 (scale factor 0x8) = 130816

CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 11

CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431558, Ack=806693849, Win=0 (scale factor 0x8) = 0

NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 11

CL NS SMB2 SMB2:C LOGOFF (0x2), Mid = 12

NS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 12

CL FS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 11

CL NS TCP TCP:Flags=...A...F, SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432825, Ack=802555001, Win=512 (scale factor 0x8) = 131072

NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=507 (scale factor 0x8) = 129792

FS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 11

CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432826, Ack=802555001, Win=0 (scale factor 0x8) = 0

NS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=0

CL FS SMB2 SMB2:C LOGOFF (0x2), Mid = 12

FS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 12

CL FS TCP TCP:Flags=...A...F, SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023698, Ack=109430270, Win=511 (scale factor 0x8) = 130816

FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=508 (scale factor 0x8) = 130048

FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=0 (scale factor 0x8) = 0

Last, here is a sample NetMon screenshot. I'm using this to highlight compound SMB2 requests. What you see above in step 7.23 as simple a CREATE (or OPEN) for the folder is actually a CREATE and a couple of QUERY DIRECTORY. The frame details shows the compound response, which shows that we actually enumerated the entire folder (with just 1 file) with a single request:

8 – Conclusion

I hope this blog post helped you understand the behavior of DFS-N clients and encouraged you to try running Network Monitor and capturing some traces yourself.

For additional information on how DFS-N works, check these two links:
http://technet.microsoft.com/en-us/library/cc782417.aspx
http://www.snia.org/events/storage-developer2008/presentations/wednesday/DanLovingerImplementingDFSN-SDC08-v2.pdf

Filed under: Windows Server 2008, DFS

Comments

# Understanding Windows Server 2008 DFS-N by analyzing network traces

Sunday, April 19, 2009 8:41 PM by The Storage Team at Microsoft - File Cabinet Blog

Jose Barreto has a new blog post covering details of the behavior of Windows Server 2008 DFS-N (Distributed

# Entendendo Windows Server 2008 DFS-N através da análise de network traces

Tuesday, April 28, 2009 8:28 AM by Eduardo Zarpelão

Pessoal, Esta semana o Jose Barreto publicou um artigo muito interessante sobre Windows Server 2008 DFS-N

# Entendendo Windows Server 2008 DFS-N através da análise de network traces

Tuesday, April 28, 2009 8:28 AM by Comunidade Brasileira de AD

Pessoal, Esta semana o Jose Barreto publicou um artigo muito interessante sobre Windows Server 2008 DFS-N

Anonymous comments are disabled

About josebda

Jose Barreto is a Principal Program Manager with the File Server Foundation team and has been with Microsoft since 2002. He graduated in Computer Science at the Universidade Federal do Ceara in Brazil in 1989 and holds several industry certifications, including CISSP, ITIL, MCM, MCITS, MCT and many other Microsoft certifications.

Jose Barreto's Blog

Search

Tags

News

Archives

Understanding Windows Server 2008 DFS-N by analyzing network traces

Comments

# Understanding Windows Server 2008 DFS-N by analyzing network traces

# Entendendo Windows Server 2008 DFS-N através da análise de network traces

# Entendendo Windows Server 2008 DFS-N através da análise de network traces

About josebda

#	Name	FQDN	IP	Role	Details
1	DC	DC.josebda.local	10.1.1.1	DNS, Domain Controller	DNS Server for zone josebda.local Only DC for josebda.local domain
2	NS	NS.josebda.local	10.1.1.2	File Server, DFS Namespace Server	Hosts namespace \\josebda\NS1 Includes a folder \\josebda\NS1\Folder1 Target for that folder is \\fs.josebda.local\Share1
3	FS	FS.josebda.local	10.1.1.3	File Server	Hosts the share \\fs.josebda.local\Share1
4	CL	CL.josebda.local	10.1.1.4	Client	Where the command lines are run Running Network Monitor

From	To	Protocol	Details
4.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL	DC	ARP	ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC	CL	ARP	ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
4.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3 (DC queries ARP back to CL)
CL	DC	DNS	DNS:QueryId = 0xFDF5, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet
DC	CL	ARP	ARP:Request, 10.1.1.1 asks for 10.1.1.4
CL	DC	ARP	ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
DC	CL	DNS	DNS:QueryId = 0xFDF5, QUERY (Standard query), Response - Success, 10.1.1.3
4.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL	FS	ARP	ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS	CL	ARP	ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
4.4. CL pings 10.1.1.3 four times (first time, FS queries ARP back to CL)
CL	FS	ICMP	ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS	CL	ARP	ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL	FS	ARP	ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS	CL	ICMP	ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL	FS	ICMP	ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS	CL	ICMP	ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL	FS	ICMP	ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS	CL	ICMP	ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL	FS	ICMP	ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS	CL	ICMP	ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4