Error-related network trace patterns




The patterns identified here represent only one possible scenario: the session setup failure may be caused by the multichannel feature.

As a workaround, try disabling multichannel.



The security blob that the SMB server sent back is empty:


<--- NTLM_AUTH returns STATUS_SUCCESS indicating a successful response.

<--- Security blob contains no data


Pattern 1


No.     Time                          Source                Destination           Protocol TCP        ipid       Length Info

155717 2025-03-18 12:37:02.851773    128.104.198.178       144.92.12.27          SMB2     505        0x338f (13199) 612    Session Setup Request, NTLMSSP_AUTH, User: ENGR\drews

SMB2 (Server Message Block Protocol version 2)

   SMB2 Header

       Command: Session Setup (1)

   Session Setup Request (0x01)

       StructureSize: 0x0019

           0000 0000 0001 100. = Fixed Part Length: 12

           .... .... .... ...1 = Dynamic Part: True

       Flags: 0

       Security mode: 0x01, Signing enabled

       Capabilities: 0x00000001, DFS

       Channel: None (0x00000000)

       Previous Session Id: 0x0000000000000000

       Blob Offset: 0x00000058

       Blob Length: 466

       Security Blob [...: 4e544c4d5353...

           NTLM Secure Service Provider


No.     Time                          Source                Destination           Protocol TCP        ipid       Length Info

155720 2025-03-18 12:37:02.856682    144.92.12.27          128.104.198.178       SMB2     505        0xbeef (48879) 131    Session Setup Response

SMB2 (Server Message Block Protocol version 2)

   SMB2 Header

       NT Status: STATUS_SUCCESS (0x00000000)   <--- NTLM_AUTH returns STATUS_SUCCESS indicating a successful response.

       Command: Session Setup (1)

   Session Setup Response (0x01)

       StructureSize: 0x0009

           0000 0000 0000 100. = Fixed Part Length: 4

           .... .... .... ...1 = Dynamic Part: True

       Session Flags: 0x0004, Encrypt

           .... .... .... ...0 = Guest: False

           .... .... .... ..0. = Null: False

           .... .... .... .1.. = Encrypt: True

       Blob Offset: 0x00000048

       Blob Length: 0

       Security Blob: <MISSING>: NO DATA   <--- Security blob contains no data




Pattern 2


The client kills the connection after session setup completes successfully.


5303    2025-03-27 13:48:43.987889    128.104.198.178    144.92.12.27    SMB2    160    Negotiate Protocol Request

5307    2025-03-27 13:48:43.988215    144.92.12.27    128.104.198.178    SMB2    269    Negotiate Protocol Response

5309    2025-03-27 13:48:43.988561    128.104.198.178    144.92.12.27    SMB2    2527    Session Setup Request   <--- Session setup is for ENGR\cmaurice on existing session 0x67e5573a00001c17

5314    2025-03-27 13:48:43.989543    144.92.12.27    128.104.198.178    SMB2    315    Session Setup Response  <--- Session setup comes back with NTSTATUS STATUS_SUCCESS and a negTokenTarg of accept-complete, indicating successful completion

5315    2025-03-27 13:48:43.989588    128.104.198.178    144.92.12.27    TCP    54    58352 → 445 [RST, ACK] Seq=2580 Ack=477 Win=0 Len=0  <<<<<<<<<<<  Client kills the connection



No.     Time                          Source                Destination           Protocol TCP        ipid       Length Info

  5303 2025-03-27 13:48:43.987889    128.104.198.178       144.92.12.27          SMB2     126        0x21e4 (8676) 160    Negotiate Protocol Request

SMB2 (Server Message Block Protocol version 2)

   SMB2 Header

   Negotiate Protocol Request (0x00)

       StructureSize: 0x0024

       Dialect count: 1

       Security mode: 0x01, Signing enabled

       Reserved: 0000

       Capabilities: 0x0000007f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, PERSISTENT HANDLES, DIRECTORY LEASING, ENCRYPTION

           .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS

           .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING

           .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU

           .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL

           .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES

           .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING

           .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION

           .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS

       Client Guid: cff8f914-0b12-11f0-8838-aebca1924a08

       NegotiateContextOffset: 0x00000000

       NegotiateContextCount: 0

       Reserved: 0000

       Dialect: SMB 3.0.2 (0x0302)




No.     Time                          Source                Destination           Protocol TCP        ipid       Length Info

  5307 2025-03-27 13:48:43.988215    144.92.12.27          128.104.198.178       SMB2     126        0xb8b7 (47287) 269    Negotiate Protocol Response

SMB2 (Server Message Block Protocol version 2)

   SMB2 Header

   Negotiate Protocol Response (0x00)

       StructureSize: 0x0041

       Security mode: 0x01, Signing enabled

       Dialect: SMB 3.0.2 (0x0302)

       Reserved: 0

       Server Guid: 447115ad-9204-46c9-b5cb-5f81175d4050

       Capabilities: 0x0000007f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, PERSISTENT HANDLES, DIRECTORY LEASING, ENCRYPTION

           .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS

           .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING

           .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU

           .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL

           .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES

           .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING

           .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION

           .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS

       Max Transaction Size: 8388608

       Max Read Size: 8388608

       Max Write Size: 8388608

       Current Time: Mar 27, 2025 21:48:44.000000000 China Standard Time

       Boot Time: Mar  3, 2025 19:18:10.000000000 China Standard Time

       Blob Offset: 0x00000080

       Blob Length: 83

       Security Blob: 605106062b...

       Reserved2: 0x00000000


No.     Time                          Source                Destination           Protocol TCP        ipid       Length Info

  5309 2025-03-27 13:48:43.988561    128.104.198.178       144.92.12.27          SMB2     126        0x21e6 (8678) 2527   Session Setup Request

SMB2 (Server Message Block Protocol version 2)

   SMB2 Header

   Session Setup Request (0x01)

       StructureSize: 0x0019

       Flags: 1, Session Binding Request

       Security mode: 0x01, Signing enabled

       Capabilities: 0x00000001, DFS

           .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS

           .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING

           .... .... .... .... .... .... .... .0.. = LARGE MTU: This host does NOT support LARGE_MTU

           .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL

           .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES

           .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING

           .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION

           .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS

       Channel: None (0x00000000)

       Previous Session Id: 0x0000000000000000

       Blob Offset: 0x00000058

       Blob Length: 2381

       Security Blob […]: 60820...




No.     Time                          Source                Destination           Protocol TCP        ipid       Length Info

  5314 2025-03-27 13:48:43.989543    144.92.12.27          128.104.198.178       SMB2     126        0xb8b9 (47289) 315    Session Setup Response

SMB2 (Server Message Block Protocol version 2)

   SMB2 Header

   Session Setup Response (0x01)

       StructureSize: 0x0009

       Session Flags: 0x0004, Encrypt

           .... .... .... ...0 = Guest: False

           .... .... .... ..0. = Null: False

           .... .... .... .1.. = Encrypt: True

       Blob Offset: 0x00000048

       Blob Length: 185

       Security Blob […]: a181b6308...


No.     Time                          Source                Destination           Protocol TCP        ipid       Length Info

  5315 2025-03-27 13:48:43.989588    128.104.198.178       144.92.12.27          TCP      126        0x21ea (8682) 54     58352 → 445 [RST, ACK] Seq=4192096831 Ack=520290080 Win=0 Len=0
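
The fields annotated in both patterns can be checked programmatically. The following is an added example, not part of the original page: a Python parser for SMB2 Session Setup messages that flags the Pattern 1 condition (STATUS_SUCCESS with Blob Length 0) and reports the Session Binding Request flag seen in the Pattern 2 request. The sample messages are constructed to mirror the field values shown in the traces; blob contents are placeholder bytes and the function names are illustrative.

```python
import struct

SMB2_MAGIC, SESSION_SETUP = b"\xfeSMB", 0x0001
FLAG_RESPONSE = 0x00000001   # header Flags bit: server-to-client message
REQ_FLAG_BINDING = 0x01      # request Flags bit: "Session Binding Request"

def parse_session_setup(msg: bytes) -> dict:
    """Parse one SMB2 Session Setup message (transport framing already removed)."""
    if len(msg) < 72 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    (flags,) = struct.unpack_from("<I", msg, 16)
    (session_id,) = struct.unpack_from("<Q", msg, 40)
    if command != SESSION_SETUP:
        raise ValueError("not a Session Setup message")
    out = {"status": status, "session_id": session_id, "is_response": bool(flags & FLAG_RESPONSE)}
    if out["is_response"]:
        # StructureSize, SessionFlags, Blob Offset, Blob Length
        _, out["session_flags"], off, length = struct.unpack_from("<HHHH", msg, 64)
    else:
        if len(msg) < 88:
            raise ValueError("truncated Session Setup Request")
        # StructureSize, Flags, SecurityMode, Capabilities, Channel, Blob Offset, Blob Length
        _, rflags, _, _, _, off, length = struct.unpack_from("<HBBIIHH", msg, 64)
        out["binding"] = bool(rflags & REQ_FLAG_BINDING)
    if off + length > len(msg):
        raise ValueError("security blob runs past end of message")
    out["blob"] = msg[off:off + length]
    return out

def success_with_empty_blob(m: dict) -> bool:
    """Pattern 1: response reports STATUS_SUCCESS but carries no security blob."""
    return m["is_response"] and m["status"] == 0 and len(m["blob"]) == 0

def build(status, flags, body, session_id=0):
    """Constructed sample: 64-byte SMB2 header (zero signature) plus body."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, status, SESSION_SETUP,
                       1, flags, 0, 0, 0, 0, session_id, bytes(16)) + body

# Constructed messages mirroring the trace fields; blob bytes are placeholders.
PATTERN1_RESP = build(0, FLAG_RESPONSE, struct.pack("<HHHH", 9, 0x0004, 0x48, 0))
PATTERN2_RESP = build(0, FLAG_RESPONSE, struct.pack("<HHHH", 9, 0x0004, 0x48, 185)
                      + b"\xa1\x81\xb6" + bytes(182))
PATTERN2_REQ = build(0, 0, struct.pack("<HBBIIHHQ", 25, 1, 1, 1, 0, 0x58, 4, 0)
                     + b"\x60\x82\x00\x00", session_id=0x67E5573A00001C17)

if __name__ == "__main__":
    print(success_with_empty_blob(parse_session_setup(PATTERN1_RESP)))
```
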

