Re: tcp 139 or 445
- From: "Hayman Ezzeldin" <haymanezzeldin@xxxxxxxxx>
- Date: Mon, 23 Apr 2007 15:15:50 +0200
Dear Marco,
If the client has NBT enabled, it will always try to connect to the server
at both port 139 and 445 simultaneously. If there is a response from port
445, it sends a RST to port 139, and continues it's SMB session to port 445
only. If there is no response from port 445, it will continue it's SMB
session to port 139 only, if it gets a response from there. If there is no
response from either of the ports, the session will fail completely.
If the client has NBT disabled, it will always try to connect to the server
at port 445 only. If the server answers on port 445, the session will be
established and continue on that port. If it doesn't answer, the session
will fail completely. This is the case if the server for example runs
Windows NT 4.0.
Try it, you will see it's true.
Best regards.
"Marco Berizzi" <pupilla@xxxxxxxxxxx> wrote in message
news:%23eP$ekYhHHA.4300@xxxxxxxxxxxxxxxxxxxxxxx
Hello everybody.
I'm experimenting a crazy behaviour with windows => 2000
When I try to open a shared folder from a windows 2000pro
or XP to a windows 2000/2003 server, the first time the
client open a tcp/139 socket: the second time the windows
client open a tcp/445 socket.
Here is a tcp trace (first time):
172.16.1.227.1270 > 172.21.1.41.139: S, cksum 0x6a24 (correct), win 65535
<mss 1460,nop,nop,sackOK>
172.21.1.41.139 > 172.16.1.227.1270: S, cksum 0xe68d (correct), ack
1095661307 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227 > 172.21.1.41: ICMP echo request, id 512, seq 6656, length 40
172.21.1.41 > 172.16.1.227: ICMP echo reply, id 512, seq 6656, length 40
172.16.1.227.1270 > 172.21.1.41.139: ., cksum 0x5352 (correct), ack 1 win
65535
172.16.1.227.1270 > 172.21.1.41.139: P 1:73(72) ack 1 win 65535 NBT
Session
Packet: Session Request
172.21.1.41.139 > 172.16.1.227.1270: P, cksum 0xd145 (correct), 1:5(4) ack
73 win 65463 NBT Session Packet: Session Granted
172.16.1.227.1268 > 172.21.1.41.445: S, cksum 0xabaa (correct), win 65535
<mss 1460,nop,nop,sackOK>
172.21.1.41.445 > 172.16.1.227.1268: S, cksum 0xf810 (correct), ack
1095709764 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1270 > 172.21.1.41.139: P 73:210(137) ack 5 win 65531 NBT
Session Packet: Session Message
172.21.1.41.139 > 172.16.1.227.1270: P 5:182(177) ack 210 win 65326 NBT
Session Packet: Session Message
172.16.1.227.1268 > 172.21.1.41.445: R, cksum 0x62d7 (correct), win 0
and this is another tcp trace (second time):
172.16.1.227.1275 > 172.21.1.41.445: S, cksum 0xa180 (correct), win 65535
<mss 1460,nop,nop,sackOK>
172.21.1.41.445 > 172.16.1.227.1275: S, cksum 0xf044 (correct), ack
1122319569 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1276 > 172.21.1.41.139: S, cksum 0x1525 (correct), win 65535
<mss 1460,nop,nop,sackOK>
172.21.1.41.139 > 172.16.1.227.1276: S, cksum 0x6e92 (correct), ack
1122355805 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1275 > 172.21.1.41.445: ., cksum 0x5d09 (correct), ack 1 win
65535
172.16.1.227.1275 > 172.21.1.41.445: P 1:138(137) ack 1 win 65535
172.16.1.227.1276 > 172.21.1.41.139: R, cksum 0x34a2 (correct), win 0
172.21.1.41.445 > 172.16.1.227.1275: P 1:178(177) ack 138 win 65398
172.16.1.227.1275 > 172.21.1.41.445: P 138:392(254) ack 178 win 65358
As you may see the second time it send two tcp syn packets:
one for tcp/445 and one for tcp/139 (then the client reset
the tcp/139 session) which is the expected behaviour.
The first time client behaviour is crazy: syn tcp/139 packet,
then icmp echo request packet, and then a syn tcp/445 packets.
It also reset the tcp/445 socket which is wrong.
What about the icmp packets? Is there any documentation about
this?
.
- Follow-Ups:
- Re: tcp 139 or 445
- From: Marco Berizzi
- Re: tcp 139 or 445
- References:
- tcp 139 or 445
- From: Marco Berizzi
- tcp 139 or 445
- Prev by Date: Re: IIS 6.0 - Messages sent via SMTP just sit in mailroot\Queue and ne
- Next by Date: Re: ftp and permissions
- Previous by thread: tcp 139 or 445
- Next by thread: Re: tcp 139 or 445
- Index(es):
Relevant Pages
|
