The SMB protocol has been widely used for more than 20 years, and is probably in use in almost every business in the world. Being able to analyse this important protocol is a big advantage, and here we've gathered together information to help you do just that.
In this module we will focus on remote file access, although we will see that interprocess communication does play a part in the control of access.
SMB 2 is a significant rewrite of the SMB protocol. There are new concepts, a new message format and a tidier set of messages. There are three dialects of SMB 2:
SMB 2.0.2 - used by Windows Vista and Windows Server 2008
SMB 2.1 - used by Windows 7 and Windows Server 2008 R2
SMB 3.0 - used by Windows 8 and Windows Server 2012 (later releases, including Windows 8.1 and Windows 10, negotiate the newer 3.0.2 and 3.1.1 revisions of the 3.x dialect)
This course module is based on SMB 2.1 as this is the most prevalent dialect at the time of writing. The differences between 3.0 and 2.1 relate to extended functionality, and so anything learned here can be carried over.
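The dialect a client and server end up using is decided in the very first exchange of a connection, the SMB2 NEGOTIATE request and response, so when analysing a capture it is worth checking that exchange before anything else. The following parser is an added example, not part of the course material: it walks the Direct TCP transport header, the 64-byte SMB2 header and the NEGOTIATE bodies as laid out in MS-SMB2, reports which dialects the client offered and which the server selected, and also reads the SecurityMode field so you can see whether the server requires message signing. It goes a little beyond the three dialects listed above by knowing the later 3.0.2 and 3.1.1 codes as well. The two sample messages at the bottom are constructed by hand (a Windows 7 style client offering 2.0.2 and 2.1, a server answering 2.1 with signing enabled but not required); they are not bytes from a real capture.

```python
"""Parse an SMB2 NEGOTIATE request/response pair carried over Direct TCP (port 445).

Field layouts follow MS-SMB2 sections 2.2.1 (header), 2.2.3 (NEGOTIATE request)
and 2.2.4 (NEGOTIATE response). Sample messages below are constructed, not captured.
"""
import struct

# DialectRevision codes; 0x0202, 0x0210 and 0x0300 are the three dialects this module lists.
DIALECTS = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # header flag set on every response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001      # SecurityMode bits
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def strip_direct_tcp(pdu):
    """Remove the 4-byte Direct TCP header: one zero byte, then a 24-bit big-endian length."""
    if len(pdu) < 4 or pdu[0] != 0:
        raise ValueError("not a Direct TCP SMB PDU")
    length = int.from_bytes(pdu[1:4], "big")
    if len(pdu) < 4 + length:
        raise ValueError("truncated SMB PDU")
    return pdu[4:4 + length]


def parse_smb2_header(msg):
    """Parse the fixed 64-byte SMB2 header (synchronous form) and return the fields plus the body."""
    if len(msg) < 64 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (struct_size, _credit_charge, status, command, _credits, flags, _next_cmd,
     message_id, _reserved, _tree_id, session_id, _signature) = struct.unpack_from("<HHIHHIIQIIQ16s", msg, 4)
    if struct_size != 64:
        raise ValueError("bad SMB2 header StructureSize %d" % struct_size)
    return {
        "command": command,
        "status": status,
        "flags": flags,
        "message_id": message_id,
        "session_id": session_id,
        "is_response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
        "body": msg[64:],
    }


def parse_negotiate_request(body):
    """Return the client's SecurityMode and the list of dialect codes it offered."""
    struct_size, dialect_count, security_mode = struct.unpack_from("<HHH", body, 0)
    if struct_size != 36:
        raise ValueError("bad NEGOTIATE request StructureSize %d" % struct_size)
    dialects = struct.unpack_from("<%dH" % dialect_count, body, 36)  # Dialects array follows the 36 fixed bytes
    return {"security_mode": security_mode, "dialects": list(dialects)}


def parse_negotiate_response(body):
    """Return the server's SecurityMode and the DialectRevision it selected."""
    struct_size, security_mode, dialect_revision = struct.unpack_from("<HHH", body, 0)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize %d" % struct_size)
    return {"security_mode": security_mode, "dialect": dialect_revision}


def summarize_negotiate(request_pdu, response_pdu):
    """Decode both halves of the exchange and report offered/negotiated dialects and signing policy."""
    req_hdr = parse_smb2_header(strip_direct_tcp(request_pdu))
    rsp_hdr = parse_smb2_header(strip_direct_tcp(response_pdu))
    if req_hdr["command"] != SMB2_NEGOTIATE or rsp_hdr["command"] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE exchange")
    if req_hdr["is_response"] or not rsp_hdr["is_response"]:
        raise ValueError("request/response direction mismatch")
    req = parse_negotiate_request(req_hdr["body"])
    rsp = parse_negotiate_response(rsp_hdr["body"])
    if rsp["dialect"] not in req["dialects"]:
        raise ValueError("server selected a dialect the client did not offer")
    return {
        "offered": [DIALECTS.get(d, hex(d)) for d in req["dialects"]],
        "negotiated": DIALECTS.get(rsp["dialect"], hex(rsp["dialect"])),
        "signing_required": bool(rsp["security_mode"] & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def _build_pdu(header_flags, body):
    """Wrap a NEGOTIATE body in an SMB2 header and a Direct TCP header (used only to build samples)."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE, 1, header_flags,
                                      0, 0, 0, 0, 0, b"\0" * 16)
    msg = header + body
    return b"\0" + len(msg).to_bytes(3, "big") + msg


# Constructed sample exchange (not from a real capture): client offers 2.0.2 and 2.1,
# server picks 2.1 and has signing enabled but not required.
SAMPLE_REQUEST = _build_pdu(0, struct.pack("<HHHHI16sQ", 36, 2, SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0,
                                           b"\x11" * 16, 0) + struct.pack("<HH", 0x0202, 0x0210))
SAMPLE_RESPONSE = _build_pdu(SMB2_FLAGS_SERVER_TO_REDIR,
                             struct.pack("<HHHH16sIIIIQQHHI", 65, SMB2_NEGOTIATE_SIGNING_ENABLED, 0x0210, 0,
                                         b"\x22" * 16, 0, 65536, 65536, 65536, 0, 0, 128, 0, 0) + b"\0")

if __name__ == "__main__":
    print(summarize_negotiate(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

To run this against a real trace, export the two NEGOTIATE frames' TCP payloads from Wireshark (Follow TCP Stream, raw) and feed them to summarize_negotiate. A server that answers 3.x while the client only offered 2.x, or a negotiated dialect Wireshark does not decode, shows up immediately as an exception rather than as a silently wrong analysis.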
This YouTube video excerpt explains an issue with Wireshark's standard metrics for analysis of file server performance. You can overcome this issue using the TRANSUM plugin. If YouTube is blocked, the MP4 version is here. Choose Part 1 and skip forward 16 mins.
In this YouTube video excerpt, we demonstrate the use of Wireshark with the TRANSUM plugin to analyse an SMB2 performance problem. In just a few minutes we discover a network overload issue. If YouTube is blocked, the MP4 version is here. Choose Part 2 and skip forward 14 mins 37 seconds.