tcp 139 or 445




Hello everybody.
I'm experiencing a crazy behaviour with Windows >= 2000.
When I try to open a shared folder from a Windows 2000 Pro
or XP to a Windows 2000/2003 server, the first time the
client opens a tcp/139 socket; the second time the Windows
client opens a tcp/445 socket.

Here is a tcp trace (first time):

172.16.1.227.1270 > 172.21.1.41.139: S, cksum 0x6a24 (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.139 > 172.16.1.227.1270: S, cksum 0xe68d (correct), ack 1095661307 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227 > 172.21.1.41: ICMP echo request, id 512, seq 6656, length 40
172.21.1.41 > 172.16.1.227: ICMP echo reply, id 512, seq 6656, length 40
172.16.1.227.1270 > 172.21.1.41.139: ., cksum 0x5352 (correct), ack 1 win 65535
172.16.1.227.1270 > 172.21.1.41.139: P 1:73(72) ack 1 win 65535 NBT Session Packet: Session Request
172.21.1.41.139 > 172.16.1.227.1270: P, cksum 0xd145 (correct), 1:5(4) ack 73 win 65463 NBT Session Packet: Session Granted
172.16.1.227.1268 > 172.21.1.41.445: S, cksum 0xabaa (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.445 > 172.16.1.227.1268: S, cksum 0xf810 (correct), ack 1095709764 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1270 > 172.21.1.41.139: P 73:210(137) ack 5 win 65531 NBT Session Packet: Session Message
172.21.1.41.139 > 172.16.1.227.1270: P 5:182(177) ack 210 win 65326 NBT Session Packet: Session Message
172.16.1.227.1268 > 172.21.1.41.445: R, cksum 0x62d7 (correct), win 0

and this is another tcp trace (second time):

172.16.1.227.1275 > 172.21.1.41.445: S, cksum 0xa180 (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.445 > 172.16.1.227.1275: S, cksum 0xf044 (correct), ack 1122319569 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1276 > 172.21.1.41.139: S, cksum 0x1525 (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.139 > 172.16.1.227.1276: S, cksum 0x6e92 (correct), ack 1122355805 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1275 > 172.21.1.41.445: ., cksum 0x5d09 (correct), ack 1 win 65535
172.16.1.227.1275 > 172.21.1.41.445: P 1:138(137) ack 1 win 65535
172.16.1.227.1276 > 172.21.1.41.139: R, cksum 0x34a2 (correct), win 0
172.21.1.41.445 > 172.16.1.227.1275: P 1:178(177) ack 138 win 65398
172.16.1.227.1275 > 172.21.1.41.445: P 138:392(254) ack 178 win 65358

As you may see, the second time it sends two TCP SYN packets:
one for tcp/445 and one for tcp/139 (then the client resets
the tcp/139 session), which is the expected behaviour.
The first time, the client behaviour is crazy: a SYN tcp/139 packet,
then an ICMP echo request packet, and then a SYN tcp/445 packet.
It also resets the tcp/445 socket, which is wrong.
What about the ICMP packets? Is there any documentation about
this?
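
As an added illustration (not part of the original post), this Python sketch reads tcpdump lines in the format shown above and reports, per server port, whether the client carried data on that connection or reset it without sending any. The sample lines are taken from the two traces in the post with wrapped lines rejoined and TCP options trimmed; the function name and the outcome labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines from the first trace in the post (rejoined, TCP options trimmed).
FIRST = """\
172.16.1.227.1270 > 172.21.1.41.139: S, cksum 0x6a24 (correct), win 65535
172.21.1.41.139 > 172.16.1.227.1270: S, cksum 0xe68d (correct), ack 1095661307 win 16384
172.16.1.227 > 172.21.1.41: ICMP echo request, id 512, seq 6656, length 40
172.16.1.227.1270 > 172.21.1.41.139: P 1:73(72) ack 1 win 65535 NBT Session Packet: Session Request
172.16.1.227.1268 > 172.21.1.41.445: S, cksum 0xabaa (correct), win 65535
172.16.1.227.1270 > 172.21.1.41.139: P 73:210(137) ack 5 win 65531 NBT Session Packet: Session Message
172.16.1.227.1268 > 172.21.1.41.445: R, cksum 0x62d7 (correct), win 0
"""
# Lines from the second trace in the post (rejoined, TCP options trimmed).
SECOND = """\
172.16.1.227.1275 > 172.21.1.41.445: S, cksum 0xa180 (correct), win 65535
172.16.1.227.1276 > 172.21.1.41.139: S, cksum 0x1525 (correct), win 65535
172.16.1.227.1275 > 172.21.1.41.445: P 1:138(137) ack 1 win 65535
172.16.1.227.1276 > 172.21.1.41.139: R, cksum 0x34a2 (correct), win 0
172.16.1.227.1275 > 172.21.1.41.445: P 138:392(254) ack 178 win 65358
"""

# "src_ip.src_port > dst_ip.dst_port: FLAGS" as printed by tcpdump for TCP.
LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ([SPRF.]+)[, ]")
SMB_PORTS = {139, 445}

def summarize(trace):
    """Return {server_port: outcome} for the client-to-server SMB flows."""
    flows = defaultdict(set)
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # ICMP lines carry no port, skip them
        dport = int(m.group(4))
        if dport in SMB_PORTS:            # keep only client -> server packets
            flows[(m.group(2), dport)].update(m.group(5))
    result = {}
    for (_, dport), flags in flows.items():
        if "P" in flags:
            result[dport] = "used"        # client pushed data on this port
        elif "R" in flags:
            result[dport] = "abandoned"   # SYN followed by RST, no data sent
        else:
            result[dport] = "open"
    return result

if __name__ == "__main__":
    print("first :", summarize(FIRST))
    print("second:", summarize(SECOND))
```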




