Netbios Session Service and SMB

Question

Sunday, February 5, 2012 8:14 PM

Hi

I am trying to understand Netbios. I read a lot of things and I must state that I think it has the most confusing terminology.

 

Some documents say Netbios is a protocol. Some say it is not...

My question is,

I downloaded a network capture file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=smbtorture.cap.gz

If I open it with wireshark, it shows there is a netbios session service layer:

 

 

But if I open it with netmon, it shows there is a SMBOverTcp layer.

 

Which one is true?

What is the reason of that layer? I mean why does smb need that? (It seems that it just shows a length value?? )

 

All replies (6)

Sunday, February 5, 2012 9:14 PM ✅Answered | 1 vote

SMB- Each SMB message is preceded by a NetBIOS 'session message' prefix (type 0x00, 4 bytes long, includes the length of the message). This is required to specify the length of the message. No NetBIOS session establishment.

If SMB and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. If OS doesn't support SMB, NBT will be used.

SMB Over TCP layer: In previous version SMB traffic requires the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport. SMB Over TCP layer was added from Windows 2000/above. Removing the NetBIOS transport eliminates Broadcast and better DNS resolution and file/printer sharing.

Vista/above uses SMBv2.
Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.
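
An added example, not part of any reply in this thread: a Python sketch that splits a reassembled TCP stream from port 139 or 445 into messages using the 4-byte prefix described above (type byte 0x00 plus length) and labels each payload by its SMB magic bytes. The function names and the sample stream are constructed for illustration; the type codes are those of RFC 1002.

```python
import struct

# NetBIOS session service packet types (RFC 1002, section 4.3.1)
NBSS_TYPES = {0x00: "session message", 0x81: "session request",
              0x82: "positive session response",
              0x83: "negative session response",
              0x84: "retarget session response", 0x85: "session keep-alive"}
SMB_MAGIC = {b"\xffSMB": "SMB1", b"\xfeSMB": "SMB2"}


def frame(payload: bytes, msg_type: int = 0x00) -> bytes:
    """Prepend the 4-byte prefix: 1 type byte + 3-byte big-endian length."""
    return struct.pack(">I", (msg_type << 24) | len(payload)) + payload


def split_frames(stream: bytes):
    """Return (frames, leftover) for a reassembled TCP payload stream.

    Each frame is (type_name, length, payload_kind). On port 139 the length
    is formally a 1-bit extension flag plus 16 bits; the other flag bits are
    reserved as zero, so reading 24 bits yields the same value on both ports.
    """
    frames, offset = [], 0
    while len(stream) - offset >= 4:
        (word,) = struct.unpack_from(">I", stream, offset)
        msg_type, length = word >> 24, word & 0xFFFFFF
        body_start = offset + 4
        if len(stream) - body_start < length:
            break  # incomplete message: wait for more TCP segments
        body = stream[body_start:body_start + length]
        kind = SMB_MAGIC.get(body[:4], "other" if body else "none")
        frames.append((NBSS_TYPES.get(msg_type, hex(msg_type)), length, kind))
        offset = body_start + length
    return frames, stream[offset:]


# Constructed sample stream (not taken from smbtorture.cap): header-only
# SMB1 and SMB2 messages, a keep-alive, then a message cut off mid-segment.
SMB1_MSG = b"\xffSMB" + b"\x72" + bytes(27)   # 32-byte SMB1 header
SMB2_MSG = b"\xfeSMB" + bytes(60)             # 64-byte SMB2 header
STREAM = (frame(SMB1_MSG) + frame(b"", 0x85) + frame(SMB2_MSG)
          + frame(SMB2_MSG)[:10])

if __name__ == "__main__":
    frames, leftover = split_frames(STREAM)
    for f in frames:
        print(f)
    print("bytes awaiting reassembly:", len(leftover))
```

Because the prefix bytes are identical on both ports, a dissector can label them either as a NetBIOS session message or as the SMB-over-TCP transport header; the TCP port is what distinguishes the two transports.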


Monday, February 6, 2012 4:11 PM ✅Answered

Just to point out, the posted captures show SMB and don't show NetBT, which is what NetBIOS would look like in a capture. If you notice, it shows "DstPort=Microsoft-DS(445)," which is DirectSMB. As Gopi said, Windows 2000 and all newer try both, but more than likely DirectSMB is the one that responds first due to its efficiency and speed over NetBT.

Direct hosting of SMB over TCP/IP
http://support.microsoft.com/kb/204279

Server Message Block
http://en.wikipedia.org/wiki/Server_Message_Block

 

Ace

 

Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Tuesday, February 7, 2012 6:17 AM ✅Answered

Hi,

Previous to Windows 2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after NetBIOS session is established. It relies on TCP port 139. If we disabled the NetBIOS over TCP/IP, the SMB connectivity was interrupted.

At Windows 2000 and higher version, the OS supports both NetBIOS sessions and Direct Hosting. And Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines.

Best Regards,

Aiden

Aiden Cao

TechNet Community Support


Tuesday, February 7, 2012 7:23 AM

Great post, Aiden! The only caveat I see with disabling NetBIOS are legacy apps that rely on it that don't use DirectSMB, and the browser service for those accustomed to the neighborhood in a multi-subnetted environment.

Cheers!

Ace

Ace Fekay


Tuesday, February 7, 2012 9:24 PM

Thank you all for answers;

I have one question, if we disable NetBIOS over TCP/IP, NetBIOS names can still be resolved by DNS server. Right? So SMB can work with both NetBIOS names and FQDN, right?


Tuesday, February 7, 2012 11:11 PM

Yes, Windows 2000 and newer, hostname (DNS or hosts file) resolution is used first before NetBIOS:

  1. Checks its own name.
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. WINS
  6. Broadcast
  7. LMHOSTS

Prior to Windows 2000 (ME, 95, DOS, 3.1, etc), NetBIOS was tried first, essentially if using WINS:

  1. Checks its own name.
  2. NetBIOS name cache
  3. WINS
  4. Broadcast
  5. LMHOSTS files
  6. Local hostname (DNS client side resolver) cache
  7. HOSTS file
  8. DNS (this is where the search suffix comes in play if a single name query)

However, to determine if you need WINS or not or rather, NetBIOS, is something you must evaluate, such as any apps, services (Exchange 2003, SQL, McAfee ePO, Symantec AV, Backup Exec, VPN clients expecting to browse the network, and much much more) need NetBIOS. WINS extends this for multiple subnets, because NetBIOS is blocked at a router.

Here's more:

WINS - What Is It, How To Install It, Do I need NetBIOS, and how to Configure DHCP Scopes For WINS Client Distribution
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

Ace

Ace Fekay