Re: tcp 139 or 445
- From: "Bill Grant" <not.available@online>
- Date: Tue, 24 Apr 2007 21:15:49 +1000
Windows can now support direct hosting of SMB over tcp port 445.
http://support.microsoft.com/kb/204279
"Marco Berizzi" <pupilla@xxxxxxxxxxx> wrote in message
news:eXHGCZlhHHA.4980@xxxxxxxxxxxxxxxxxxxxxxx
Hello everybody.
I'm experiencing a crazy behaviour with Windows => 2000.
When I try to open a shared folder from a Windows 2000 Pro
or XP to a Windows 2000/2003 server, the first time the
client opens a tcp/139 socket; the second time the Windows
client opens a tcp/445 socket.
Here is a tcp trace (first time):
172.16.1.227.1270 > 172.21.1.41.139: S, cksum 0x6a24 (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.139 > 172.16.1.227.1270: S, cksum 0xe68d (correct), ack 1095661307 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227 > 172.21.1.41: ICMP echo request, id 512, seq 6656, length 40
172.21.1.41 > 172.16.1.227: ICMP echo reply, id 512, seq 6656, length 40
172.16.1.227.1270 > 172.21.1.41.139: ., cksum 0x5352 (correct), ack 1 win 65535
172.16.1.227.1270 > 172.21.1.41.139: P 1:73(72) ack 1 win 65535 NBT Session Packet: Session Request
172.21.1.41.139 > 172.16.1.227.1270: P, cksum 0xd145 (correct), 1:5(4) ack 73 win 65463 NBT Session Packet: Session Granted
172.16.1.227.1268 > 172.21.1.41.445: S, cksum 0xabaa (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.445 > 172.16.1.227.1268: S, cksum 0xf810 (correct), ack 1095709764 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1270 > 172.21.1.41.139: P 73:210(137) ack 5 win 65531 NBT Session Packet: Session Message
172.21.1.41.139 > 172.16.1.227.1270: P 5:182(177) ack 210 win 65326 NBT Session Packet: Session Message
172.16.1.227.1268 > 172.21.1.41.445: R, cksum 0x62d7 (correct), win 0
and this is another tcp trace (second time):
172.16.1.227.1275 > 172.21.1.41.445: S, cksum 0xa180 (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.445 > 172.16.1.227.1275: S, cksum 0xf044 (correct), ack 1122319569 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1276 > 172.21.1.41.139: S, cksum 0x1525 (correct), win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.139 > 172.16.1.227.1276: S, cksum 0x6e92 (correct), ack 1122355805 win 16384 <mss 1460,nop,nop,sackOK>
172.16.1.227.1275 > 172.21.1.41.445: ., cksum 0x5d09 (correct), ack 1 win 65535
172.16.1.227.1275 > 172.21.1.41.445: P 1:138(137) ack 1 win 65535
172.16.1.227.1276 > 172.21.1.41.139: R, cksum 0x34a2 (correct), win 0
172.21.1.41.445 > 172.16.1.227.1275: P 1:178(177) ack 138 win 65398
172.16.1.227.1275 > 172.21.1.41.445: P 138:392(254) ack 178 win 65358
the client (172.16.1.227) tries to open a tcp/139 socket:
the server (172.21.1.41) sends a syn ack to the client tcp/139
the client sends an ICMP echo request to the server (???)
the server sends an ICMP echo reply to the client (???)
the client & server exchange some packets on the tcp/139 socket
the client tries to open a tcp/445 socket
the server sends a syn ack to the client tcp/445
the client & server exchange some packets on the tcp/139 socket
the client sends a RESET to the server for socket tcp/445
As you may see, the second time it sends two tcp syn packets:
one for tcp/445 and one for tcp/139 (then the client resets
the tcp/139 session), which is the expected behaviour.
The first time the client behaviour is crazy: syn tcp/139 packet,
then icmp echo request packet, and then a syn tcp/445 packet.
It also resets the tcp/445 socket, which is wrong.
What about the icmp packets? Is there any documentation about
this?
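Added example, not part of the original thread: a small Python parser that reads tcpdump-style lines like the ones quoted above and reports, per connection attempt, which SMB transport carried data and which was opened and then reset by the client. The function name, the regexes and the condensed sample lines (checksums dropped) are constructed for illustration.

```python
import re

# Constructed samples, condensed from the two traces quoted in the post.
FIRST = """\
172.16.1.227.1270 > 172.21.1.41.139: S, win 65535 <mss 1460,nop,nop,sackOK>
172.16.1.227 > 172.21.1.41: ICMP echo request, id 512, seq 6656, length 40
172.16.1.227.1270 > 172.21.1.41.139: P 1:73(72) ack 1 win 65535 NBT Session Packet: Session Request
172.16.1.227.1268 > 172.21.1.41.445: S, win 65535 <mss 1460,nop,nop,sackOK>
172.21.1.41.139 > 172.16.1.227.1270: P 5:182(177) ack 210 win 65326 NBT Session Packet: Session Message
172.16.1.227.1268 > 172.21.1.41.445: R, win 0
"""
SECOND = """\
172.16.1.227.1275 > 172.21.1.41.445: S, win 65535 <mss 1460,nop,nop,sackOK>
172.16.1.227.1276 > 172.21.1.41.139: S, win 65535 <mss 1460,nop,nop,sackOK>
172.16.1.227.1275 > 172.21.1.41.445: P 1:138(137) ack 1 win 65535
172.16.1.227.1276 > 172.21.1.41.139: R, win 0
172.21.1.41.445 > 172.16.1.227.1275: P 1:178(177) ack 138 win 65398
"""

SMB_PORTS = {139, 445}  # 139 = NetBIOS session service, 445 = direct-hosted SMB
IP = r"(\d+(?:\.\d+){3})"
LINE = re.compile(IP + r"\.(\d+) > " + IP + r"\.(\d+): ([SFPR.]+),?\s*(.*)")
DATA = re.compile(r"\d+:\d+\((\d+)\)")  # tcpdump "first:last(length)" field

def classify_smb_transport(trace, client):
    """Return the server ports that carried payload and those the client reset unused."""
    flows = {}  # (client_port, server_port) -> {"bytes": int, "reset": bool}
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:                      # ICMP and other non-TCP lines are skipped
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        sport, dport = int(sport), int(dport)
        if src == client and dport in SMB_PORTS:
            key = (sport, dport)
        elif dst == client and sport in SMB_PORTS:
            key = (dport, sport)
        else:
            continue
        st = flows.setdefault(key, {"bytes": 0, "reset": False})
        d = DATA.search(rest)
        if d:
            st["bytes"] += int(d.group(1))
        if "R" in flags and src == client:
            st["reset"] = True
    used = sorted(k[1] for k, s in flows.items() if s["bytes"] and not s["reset"])
    abandoned = sorted(k[1] for k, s in flows.items() if s["reset"] and not s["bytes"])
    return {"used": used, "abandoned": abandoned}
```
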