SMB
  • 09 Aug 2024

The SMB module produces one flow per request/response pair. To match a request with its response, the SMB protocol carries a per-message identifier:

  • Multiplex ID in SMB1
  • Message ID in SMB2

The sniffer combines this identifier with the Tree ID, the command type and the underlying connection (IP addresses, ports, VLAN and so on) to pair requests and responses correctly within each conversation.

However, this can produce a large number of flows for simple, common operations such as reading or writing a file: a single file operation is sent as a series of READ or WRITE commands, each carrying a buffer of at most 64 KiB, or 1 MiB with more recent versions of the protocol.

For example, writing a 1 GiB file in 10 s (roughly 100 MiB/s) takes about 1,000 SMB2 WRITE commands of 1 MiB each (1,024 to be exact), which means about 1,000 flows stored in the database, with roughly 10 ms between consecutive writes. With 64 KiB buffers the count would be 16 times higher, more than 16,000 flows for the same file.

This granularity is rarely useful in practice, and the resulting flow count can quickly inflate database usage or push a deployment toward its license limit.

It is far more useful to aggregate these statistics at a higher level: read and write commands can be merged when they act on the same underlying file, identified by its File ID.

As such, from Cisco Provider Connectivity Assurance (formerly Skylight) sensor 5.0 onwards, the sniffer aggregates successive occurrences of the following commands that fall within a configurable time window:

  • SMB1 READ_ANDX & WRITE_ANDX
  • SMB1 TRANS2 FIND_FIRST2, QUERY_PATH_INFORMATION, QUERY_FILE_INFORMATION & QUERY_FS_INFORMATION
  • SMB2 READ & WRITE
  • SMB2 QUERY_INFO
  • SMB2 QUERY_DIRECTORY

Some of these commands are grouped by File ID (READ, WRITE, QUERY_FILE_INFORMATION, SMB2 QUERY_INFO); the others are path- or pattern-based queries and can only be grouped by comparing the paths or search patterns they carry.
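The two mechanisms described above, request/response pairing on (connection, Tree ID, command, Message ID) and time-window aggregation of READ/WRITE flows on the same File ID, are illustrated below with an added example. This is illustrative code written for this article, not the Provider Connectivity Assurance sensor's implementation, and it covers SMB2 only (no SMB1 Multiplex ID handling). The header and body offsets follow MS-SMB2; the aggregation key, the way the gap between flows is measured (previous response to next request), the canonical connection string and the sample capture are all assumptions made for the example.

```python
"""Added example: SMB2 request/response pairing and READ/WRITE flow aggregation.

Not the sensor's code. Header/body layouts follow MS-SMB2 (2.2.1.2, 2.2.19,
2.2.21, 2.2.15); the sample capture below is constructed, not a real trace.
"""
import struct
from dataclasses import dataclass, replace
from typing import Optional

SMB2_MAGIC = b"\xfeSMB"
SMB2_READ, SMB2_WRITE, SMB2_CLOSE = 0x0008, 0x0009, 0x0006
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set by the server on every response

# 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
# CreditRequest/Response, Flags, NextCommand, MessageId, Reserved, TreeId,
# SessionId, Signature
SMB2_HDR = struct.Struct("<4sHHIHHIIQIIQ16s")


@dataclass
class Pdu:
    ts: float                 # capture timestamp in seconds
    conn: str                 # canonical connection key (IPs, ports, VLAN), supplied by the capture layer
    command: int
    message_id: int
    tree_id: int
    is_response: bool
    file_id: Optional[bytes]  # only present on requests; READ/WRITE responses do not carry it
    length: int               # READ/WRITE payload length requested, else 0


@dataclass
class Flow:
    conn: str
    tree_id: int
    command: int
    file_id: Optional[bytes]
    start: float   # first request timestamp
    end: float     # last response timestamp
    count: int     # request/response pairs merged into this flow
    nbytes: int    # sum of READ/WRITE lengths


def parse_smb2(ts: float, conn: str, pkt: bytes) -> Pdu:
    """Decode the SMB2 header and, for READ/WRITE/CLOSE requests, the FileId."""
    magic, size, _cc, _status, cmd, _cr, flags, _nxt, mid, _rsv, tid, _sid, _sig = SMB2_HDR.unpack_from(pkt)
    if magic != SMB2_MAGIC or size != 64:
        raise ValueError("not an SMB2 header")
    body, is_resp = pkt[64:], bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)
    file_id, length = None, 0
    if not is_resp and cmd in (SMB2_READ, SMB2_WRITE):
        # READ req:  StructureSize(2) Padding(1) Flags(1) Length(4) Offset(8) FileId(16)
        # WRITE req: StructureSize(2) DataOffset(2)        Length(4) Offset(8) FileId(16)
        length = struct.unpack_from("<I", body, 4)[0]
        file_id = bytes(body[16:32])
    elif not is_resp and cmd == SMB2_CLOSE:
        file_id = bytes(body[8:24])  # StructureSize(2) Flags(2) Reserved(4) FileId(16)
    return Pdu(ts, conn, cmd, mid, tid, is_resp, file_id, length)


def pair_flows(pdus):
    """One flow per request/response pair, matched on (connection, TreeId, Command, MessageId)."""
    pending, flows = {}, []
    for p in sorted(pdus, key=lambda p: p.ts):
        key = (p.conn, p.tree_id, p.command, p.message_id)
        if not p.is_response:
            pending[key] = p
        elif key in pending:  # a response with no pending request (capture started mid-stream) is dropped
            req = pending.pop(key)
            flows.append(Flow(p.conn, p.tree_id, p.command, req.file_id, req.ts, p.ts, 1, req.length))
    return flows


def aggregate(flows, window: float):
    """Merge successive READ/WRITE flows on the same FileId when the gap between the
    previous response and the next request is at most `window` seconds."""
    out, last = [], {}  # last: (conn, tree, command, file_id) -> index into out
    for f in flows:
        if f.command not in (SMB2_READ, SMB2_WRITE):
            out.append(f)  # CREATE/CLOSE and friends appear once per file and pass through
            continue
        key, i = (f.conn, f.tree_id, f.command, f.file_id), None
        i = last.get(key)
        if i is not None and f.start - out[i].end <= window:
            out[i].end, out[i].count, out[i].nbytes = max(out[i].end, f.end), out[i].count + 1, out[i].nbytes + f.nbytes
        else:
            last[key] = len(out)
            out.append(replace(f))
    return out


def build_pdu(cmd, mid, tid, file_id, response=False, length=0) -> bytes:
    """Construct a minimal SMB2 PDU for the sample capture (test data, not a real trace)."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if response else 0
    hdr = SMB2_HDR.pack(SMB2_MAGIC, 64, 1, 0, cmd, 1, flags, 0, mid, 0, tid, 0x1234, b"\0" * 16)
    if response:
        body = struct.pack("<HH", 17, 0) + b"\0" * 12  # placeholder body; only the header is parsed for responses
    elif cmd == SMB2_WRITE:
        body = struct.pack("<HHIQ16s", 49, 0x70, length, 0, file_id)
    elif cmd == SMB2_READ:
        body = struct.pack("<HBBIQ16s", 49, 0, 0, length, 0, file_id)
    else:
        body = struct.pack("<HHI16s", 24, 0, 0, file_id)  # CLOSE request
    return hdr + body


CONN = "10.0.0.5:49152<->10.0.0.10:445 vlan100"  # constructed canonical connection key
FILE_A, FILE_B = bytes(range(16)), bytes(range(16, 32))
MIB = 1 << 20


def sample_capture():
    """Constructed capture: an 8 MiB file written as 8 x 1 MiB WRITEs 10 ms apart, then
    closed, plus one 64 KiB READ on another file. Responses arrive 1 ms after requests."""
    pdus, t, mid = [], 0.0, 100
    for _ in range(8):
        pdus.append(parse_smb2(t, CONN, build_pdu(SMB2_WRITE, mid, 1, FILE_A, length=MIB)))
        pdus.append(parse_smb2(t + 0.001, CONN, build_pdu(SMB2_WRITE, mid, 1, FILE_A, response=True)))
        t, mid = t + 0.010, mid + 1
    pdus.append(parse_smb2(t, CONN, build_pdu(SMB2_CLOSE, mid, 1, FILE_A)))
    pdus.append(parse_smb2(t + 0.001, CONN, build_pdu(SMB2_CLOSE, mid, 1, FILE_A, response=True)))
    t, mid = t + 0.010, mid + 1
    pdus.append(parse_smb2(t, CONN, build_pdu(SMB2_READ, mid, 1, FILE_B, length=64 * 1024)))
    pdus.append(parse_smb2(t + 0.001, CONN, build_pdu(SMB2_READ, mid, 1, FILE_B, response=True)))
    return pdus


def flow_counts(window: float):
    """(flows before aggregation, flows after aggregation) for the sample capture."""
    flows = pair_flows(sample_capture())
    return len(flows), len(aggregate(flows, window))


if __name__ == "__main__":
    for w in (0.0, 0.005, 0.5):
        raw, agg = flow_counts(w)
        print(f"window={w:5.3f}s  flows before aggregation={raw}  after={agg}")
```

With a 500 ms window the eight WRITE pairs collapse into one flow carrying the full 8 MiB and a count of 8, leaving three flows (WRITE, CLOSE, READ) instead of ten; with a 5 ms window the 9 ms gap between one write's response and the next request exceeds the window and nothing is merged, which is the knob the article says is configurable on the sensor.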

You can expect fewer SMB flows after upgrading from Provider Connectivity Assurance sensor 4.2 and, more importantly, smaller SMB flow bursts. Some frequent commands cannot be aggregated, however, such as opens (CREATE) and closes, since each appears only once per file manipulation.

© 2024 Cisco and/or its affiliates. All rights reserved.

For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms

For legal information about Accedian Skylight products, please visit: Accedian legal terms and trademarks
