Netbios Session Service and SMB

    Question

  • Hi

    I am trying to understand NetBIOS. I read a lot of things and I must state that I think it has the most confusing terminology.

     

    Some documents say NetBIOS is a protocol. Some say it is not...

    My question is,

    I downloaded a network capture file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=smbtorture.cap.gz

    If I open it with Wireshark, it shows there is a NetBIOS session service layer:

     

     

    But if I open it with Netmon, it shows there is a SMBOverTcp layer.

     

    Which one is true?

    What is the reason for that layer? I mean, why does SMB need that? (It seems that it just shows a length value?)

     

    Sunday, February 05, 2012 8:14 PM

All replies

  • SMB: Each SMB message is preceded by a NetBIOS 'session message' prefix (type 0x00, 4 bytes long, includes the length of the message). This is required to specify the length of the message. No NetBIOS session establishment.

    If SMB and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. If the OS doesn't support SMB, NBT will be used.

    SMB Over TCP layer: In previous versions, SMB traffic required the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport. The SMB Over TCP layer was added from Windows 2000 and above. Removing the NetBIOS transport eliminates broadcast and gives better DNS resolution and file/printer sharing.

    Vista and above use SMBv2.

    Gopi Kiran | This posting is provided AS IS with no warranties, and confers no rights.
    Sunday, February 05, 2012 9:14 PM
  • Just to point out, the posted captures show SMB and don't show NetBT, which is what NetBIOS would look like in a capture. If you notice, it shows "DstPort=Microsoft-DS(445)," which is DirectSMB. As Gopi said, Windows 2000 and all newer try both, but more than likely DirectSMB is the one that responds first due to its efficiency and speed over NetBT.

    Direct hosting of SMB over TCP/IP
    http://support.microsoft.com/kb/204279

    Server Message Block
    http://en.wikipedia.org/wiki/Server_Message_Block

     

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, February 06, 2012 4:11 PM
  • Hi,

    Prior to Windows 2000, Microsoft operating systems could only use SMB over a NetBIOS session. This means that all SMB traffic starts after a NetBIOS session is established. It relies on TCP port 139. If NetBIOS over TCP/IP was disabled, SMB connectivity was interrupted.

    In Windows 2000 and higher versions, the OS supports both NetBIOS sessions and Direct Hosting. Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines.

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Tuesday, February 07, 2012 6:17 AM
    Moderator
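
The 4-byte prefix and the two transports described in the replies above, as an added example (not code from any poster or from Microsoft): a Python parser that splits a reassembled TCP stream into frames, using the RFC 1002 session packet types on port 139 and the zero byte plus 24-bit length on port 445. The helper name `parse_frames` and both sample byte strings are constructed for illustration.

```python
import struct

# Session packet types from RFC 1002 section 4.3.1 (NetBIOS session service, TCP 139).
NBSS_TYPES = {
    0x00: "SESSION MESSAGE", 0x81: "SESSION REQUEST",
    0x82: "POSITIVE SESSION RESPONSE", 0x83: "NEGATIVE SESSION RESPONSE",
    0x84: "RETARGET SESSION RESPONSE", 0x85: "SESSION KEEP ALIVE",
}
SMB_MAGIC = {b"\xffSMB": "SMB1", b"\xfeSMB": "SMB2"}

def parse_frames(stream: bytes, port: int):
    """Split a reassembled TCP stream into (type, length, dialect) tuples.

    parse_frames is a hypothetical helper name. Raises ValueError on bad framing.
    """
    frames, off = [], 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError(f"truncated prefix at offset {off}")
        ptype, b1, b2, b3 = struct.unpack_from("!4B", stream, off)
        if port == 445:
            # Direct hosting: one zero byte, then a 24-bit big-endian length.
            if ptype != 0x00:
                raise ValueError(f"first byte 0x{ptype:02x} is not zero on port 445")
            name, length = "DIRECT TCP MESSAGE", (b1 << 16) | (b2 << 8) | b3
        else:
            # NBSS: type byte, 7 reserved flag bits, then a 17-bit length.
            if ptype not in NBSS_TYPES or b1 & 0xFE:
                raise ValueError(f"invalid NBSS header at offset {off}")
            name, length = NBSS_TYPES[ptype], ((b1 & 0x01) << 16) | (b2 << 8) | b3
        body = stream[off + 4 : off + 4 + length]
        if len(body) < length:
            raise ValueError(f"frame at offset {off} claims {length} bytes, {len(body)} present")
        frames.append((name, length, SMB_MAGIC.get(body[:4])))
        off += 4 + length
    return frames

# Constructed sample streams (not bytes from the capture in the question).
# Port 139: session request (68 placeholder bytes), positive response, one message.
STREAM_139 = (b"\x81\x00\x00\x44" + bytes(68) + b"\x82\x00\x00\x00"
              + b"\x00\x00\x00\x20" + b"\xffSMB" + bytes(28))
# Port 445: no session setup, the first frame already carries an SMB message.
STREAM_445 = b"\x00\x00\x00\x24" + b"\xfeSMB" + bytes(32)

if __name__ == "__main__":
    for port, data in ((139, STREAM_139), (445, STREAM_445)):
        print(port, parse_frames(data, port))
```

A length prefix that claims more bytes than the stream holds, or a non-zero first byte on port 445, is rejected rather than parsed, which is the check a capture-analysis or detection script needs before trusting the payload.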
  • Great post, Aiden! The only caveat I see with disabling NetBIOS is legacy apps that rely on it that don't use DirectSMB, and the browser service for those accustomed to the neighborhood in a multi-subnetted environment.

    Cheers!

    Ace


    Ace Fekay

    Tuesday, February 07, 2012 7:23 AM
  • Thank you all for the answers.

    I have one question: if we disable NetBIOS over TCP/IP, NetBIOS names can still be resolved by the DNS server. Right? So SMB can work with both NetBIOS names and FQDNs, right?

    Tuesday, February 07, 2012 9:24 PM
  • Yes, in Windows 2000 and newer, hostname (DNS or hosts file) resolution is used first, before NetBIOS:

    1. Checks its own name.
    2. Local hostname (DNS client side resolver) cache
    3. HOSTS file
    4. DNS (this is where the search suffix comes into play if a single name query)
    5. WINS
    6. Broadcast
    7. LMHOSTS

    Prior to Windows 2000 (ME, 95, DOS, 3.1, etc), NetBIOS was tried first, essentially if using WINS:

    1. Checks its own name.
    2. NetBIOS name cache
    3. WINS
    4. Broadcast
    5. LMHOSTS files
    6. Local hostname (DNS client side resolver) cache
    7. HOSTS file
    8. DNS (this is where the search suffix comes into play if a single name query)

    However, determining whether you need WINS, or rather NetBIOS, is something you must evaluate, such as whether any apps or services (Exchange 2003, SQL, McAfee ePO, Symantec AV, Backup Exec, VPN clients expecting to browse the network, and much much more) need NetBIOS. WINS extends this for multiple subnets, because NetBIOS is blocked at a router.

    Here's more:

    WINS - What Is It, How To Install It, Do I need NetBIOS, and how to Configure DHCP Scopes For WINS Client Distribution
    http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

    Ace



    Ace Fekay

    Tuesday, February 07, 2012 11:11 PM