Ask Your Question
0

has anyone seen duplicate smb packets

asked 2018-07-05 23:24:52 +0000

updated 2018-07-09 19:25:41 +0000

Eddi gravatar image

I'll make it brief.. I wonder if anyone has seen duplicate SMB commands, responses and data. I'm honestly not suite sure if I've never noticed this before or if its a bad thing

for example in this trace , packets 689 and 714 have the same SMB header, but the ip and tcp headers are different.

the client is windows 7 and the server is 2012 using DFS

any feedback would be appreciatedimage description

edit retag flag offensive close merge delete

Comments

Fyi. Some of my colleagues mentioned they have seen similar behavior with AV applications

thetechfirm gravatar imagethetechfirm ( 2018-07-06 21:24:31 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2018-07-09 19:06:39 +0000

Eddi gravatar image

Hello thetechfirm

Short answer

It looks like two different processes access the same file, or a single process opens the file multiple times. And not to forget the possibility of two threads in the same process.

The behavior documented by Wireshark may be caused by an anti virus program, or it could be the programmed behavior of the application.

Technical background

Before any application can access data on a file server, the client has to run through a number of steps. The major ones are:

  • The client has to establish a SMB session. This includes the negotiation of the SMB dialect, credential checks etc.
  • The client has to specify a share, where the desired files are stored
  • You might notice a couple of other steps, e. g. DFS related transactions, notify requests etc.

Once all this has been sorted out the client has to tell the server name and directory of the desired file. This happens with the "Create Request". The Create Requests returns a GUID, which will be used by the client for later reference. The client will present the GUID in the read statement. As soon as the application closes the file we can see a Close Request on the wire. Please note that Wireshark replaces the GUID with the file name for your convenience.

Your screenshot shows two series of Create / Read / Close transactions.

  • Please check, if each series of Create / Read / Close refers to a different GUID
  • I would expect different GUIDs
  • To me, this is proof that we really have two independent read transactions.

Analysis tip: Create a coloring rule for each file GUID to highlight activities for a specific file.

Finding the root cause

Wireshark can only reveal what's transmitted. Assuming that all requests are made within the same SMB session we cannot identify the responsible application on the host.

If you expect that the virus scanner is causing the double reads, you could define an exclusion for that directory. Reboot if necessary, then run your application again. If your AV solution is responsible you should see only a single chain of Create / Read / Close events.

Security Advice: Since the AppData directory is often used to store malware I highly suggest to keep %AppData% in the list of protected directories. Never whitelist %AppData% and it's sub-directories.

If it's not your anti virus (or you cannot exclude AppData from virus scans) you need a different tool. My next step would be the Sysinternals Process Monitor. The Windows ressource monitor (command line perfmon /res) or the process monitor (command line perfmon) might help, if you are not allowed to install extra tools.

Less obvious possiblities

Just for the sake of completeness: Other options are

  • The read requests refer to files with the same name, but on a different share.
  • The read requests was issued by a different user (using another logon session, background process etc.) on the same computer.
  • The filenames are slightly different (like swuimun and swuirnun), and I missed that detail ...
(more)
edit flag offensive delete link more

Comments

thank you very much.

I've provided this and other feedback to the client and they are looking into it.

thetechfirm gravatar imagethetechfirm ( 2018-07-09 19:33:27 +0000 )edit

Excellent answer - thanks for taking the time! Do you have any sources of similar explanation of SMB behaviour that you can recommend?

NJL gravatar imageNJL ( 2018-07-09 20:01:51 +0000 )edit

Microsoft has published a lot of technical details. Not easy to ready, but very complete and constantly updated.

I had the honor of giving an SMB related talk at Sharkfest Europe. We are currently preparing another presentation for the upcoming Sharkfest Europe in Vienna.

Eddi gravatar imageEddi ( 2018-07-09 20:10:26 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-07-05 23:24:52 +0000

Seen: 962 times

Last updated: Jul 09 '18