back to tools homepage Comments? ==> gregor@majordomus.org

Microsoft SMB, SMB2, NetBIOS, WINS protocol suite

This document provides a quick overview of how various Microsoft protocol (SMB, SMB2, NetBIOS, WINS, dynamic DNS updates) work and interact. This is work in progress and reflects my current knowledge, which might or might not be accurate.

Keywords: SMB, SMB2, CIFS, NetBIOS, WINS, dynamic DNS updates, netbios-ns, netbios-dgm, netbios-ssn, port 137, port 138, port 139, port 445

1   SMB

2   NetBIOS

2.1   Windows Internet Naming Service (WINS)

  • Microsoft's implementation of NetBIOS nameservice.
  • Port 137/UDP, (multicast?, broadcast?, unicast?)
  • Provides serverless NetBIOS name <--> IP translation
  • Can also use central WINS server(s)
    • WINS server can replicate and automatically discover replication partners (see [MS-WINSRA]
  • Superseded since Win2000 by hierarchical dynamic DNS updates (see Section Hierarchical dynamic DNS updates.
    • Dynamic DNS is centralized. Sends Name <--> IP mapping updates to DNS Server
    • Exchange, and MS-SQL (2000 and 2003) still require WINS.
    • LLMNR (see my other site) adds serverless name resolution using mulicast (introduces with WinVista). Might make WINS really obsolete.

2.2   Session service

  • Runs on port 139/TCP
  • See RFCs for details
  • Basic Idea
    • Establish TCP connection
    • Originator sends NetBIOS session request message (type=0x81) (this includes information about the caller and callee, like their WINS / NetBIOS names).
    • Responder sends response (e.g., type=0x82 if session is accepted). But can also deny or send a redirect.
    • Messages are exchanged. These are of type 'session message' (type=0x00). The session message is 4 bytes NetBIOS specific information followed by the payload. SMB is carried in this payload. The first couple of bytes of payload are SMB's magic Note, that the NetBIOS message header specifies the length of the payload.
    • NetBIOS also specifies Keepalives messages, but I don't know whether these are used by Microsoft. They have type=0x85
    • No other services or communication provided by session service

2.3   Datagram service

  • Runs on port 138/UDP
  • See RFC for details
  • Basic idea:
    • Each datagram has caller, callee, etc. header, followed by payload.
    • Has some sort of support for fragmentation, however, I don't know if Microsoft uses this and even they do, why it is necessary, as IP should handle that on its own.
    • SMB is carried as payload of the NetBIOS datagram
    • Unknown which SMB messages use datagram service, as it is unreliable

3   SMB revisited

4   Hierarchical dynamic DNS updates

5   References