SMB2 Negotiate Failure



Basic SMB2 workflow

1. NEGOTIATE → client and server agree on SMB version/features.
2. SESSION_SETUP → client authenticates (user login).
3. TREE_CONNECT → client connects to a share (like \\server\share).
4. CREATE / READ / WRITE → client performs file operations inside that share.




Purpose of SMB2 Negotiate

- The client and server exchange supported SMB versions (dialects) and features.
- They agree on the highest common dialect and set of capabilities.
- This lays the foundation for the rest of the SMB session (authentication, tree connect, file access).



SMB2 Negotiate Workflow

1. Client → Server: NEGOTIATE Request

The client sends:

- List of dialects it supports (e.g., 0x0202 = SMB 2.0.2, 0x0311 = SMB 3.1.1).
- Client GUID (unique identifier for the client).
- Security mode flags:
  - Signing Enabled (the client can sign, and will if the server demands it).
  - Signing Required (the client insists on signing).
- Capabilities (things the client can do, e.g., DFS support).
- Optionally, for SMB 3.1.1, negotiate contexts carrying the pre-authentication integrity (hash algorithm) and encryption capabilities.

2. Server → Client: NEGOTIATE Response

The server replies with:

- Selected dialect (the highest common version).
- Security mode (whether signing is required).
- Server GUID (unique ID for the server).
- Capabilities flags (DFS, Leasing, Large MTU, Multi-channel, Persistent Handles, Directory Leasing, Encryption).
- Maximum transaction/fragment/credit sizes (tells the client how large its requests can be).
- A GSS security blob (usually SPNEGO/NTLM/Kerberos negotiation data).
- For SMB 3.1.1 → pre-authentication integrity hash algorithm list + encryption algorithm list.


3. Result

Client and server now agree on:

- SMB dialect (e.g., SMB 3.1.1).
- Whether signing is required.
- What advanced features are allowed (encryption, multi-channel, large MTU, etc.).

Next step is SESSION_SETUP (user authentication).







smb.cmd vs smb2.cmd

smb.cmd → This is the old SMB1 command field.

- If you see this populated, the packet is SMB1.
- During negotiation, the client might first try SMB1 NEGOTIATE; if the server supports SMB2+, it replies with an SMB2 negotiate response.

smb2.cmd → The SMB2 command field.

- For negotiation, the value is always 0x0000 → NEGOTIATE.

So in a modern trace you’ll usually see:

- smb2.cmd = NEGOTIATE
- smb.cmd might be empty (or only used in legacy fallback cases).


smb.flags.response vs smb2.flags.response

smb.flags.response → Used in SMB1 only.

- 0 = request, 1 = response.

smb2.flags.response → Used in SMB2/3.

- 0 = request (client → server).
- 1 = response (server → client).

So in a Negotiate exchange:

- Client → smb2.flags.response = 0
- Server → smb2.flags.response = 1
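The following Python is an added example, not code from the original page or from traceinside.com. It builds and parses the two NEGOTIATE messages described in the workflow above using the MS-SMB2 header and body layouts: the client request carries the dialect list, security mode and client GUID with the header response flag clear (smb2.flags.response = 0); the server picks the highest common dialect, or fails the negotiate when there is none, and answers with the response flag set (smb2.flags.response = 1), the chosen dialect, its security mode, capabilities and maximum sizes. The dialect lists, GUIDs, capability bits, 8 MB size and the security-blob placeholder are constructed sample values, and the SMB 3.1.1 negotiate contexts are left out.

```python
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"                    # SMB1 packets start with 0xFF 'SMB' instead
SMB2_NEGOTIATE = 0x0000                    # smb2.cmd = NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001    # the smb2.flags.response bit in the header Flags
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001    # SecurityMode bits
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_GLOBAL_CAP_DFS = 0x00000001
SMB2_GLOBAL_CAP_LARGE_MTU = 0x00000004
DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

# 64-byte SMB2 header (little-endian): ProtocolId, StructureSize, CreditCharge, Status,
# Command, Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
# NEGOTIATE request fixed fields (36 bytes), followed by DialectCount x uint16
NEG_REQ = struct.Struct("<HHHHI16sQ")
# NEGOTIATE response fixed fields (64 bytes), followed by the GSS security buffer
NEG_RESP = struct.Struct("<HHHH16sIIIIQQHHI")


def build_header(command, flags, message_id=0):
    return HEADER.pack(SMB2_MAGIC, 64, 0, 0, command, 1, flags, 0,
                       message_id, 0, 0, 0, bytes(16))


def parse_header(pkt):
    (magic, size, _cc, status, command, _cr, flags, _nxt, mid,
     _res, _tid, _sid, _sig) = HEADER.unpack_from(pkt, 0)
    if magic != SMB2_MAGIC or size != 64:
        raise ValueError("not an SMB2 header")
    return {"command": command, "status": status, "message_id": mid,
            "response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)}


def build_negotiate_request(dialects, security_mode, capabilities, client_guid):
    body = NEG_REQ.pack(36, len(dialects), security_mode, 0, capabilities,
                        client_guid.bytes_le, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return build_header(SMB2_NEGOTIATE, 0) + body        # flags.response = 0


def parse_negotiate_request(pkt):
    hdr = parse_header(pkt)
    if hdr["command"] != SMB2_NEGOTIATE or hdr["response"]:
        raise ValueError("not a NEGOTIATE request")
    _sz, count, sec_mode, _r, caps, guid, _t = NEG_REQ.unpack_from(pkt, HEADER.size)
    dialects = struct.unpack_from("<%dH" % count, pkt, HEADER.size + NEG_REQ.size)
    return {"dialects": list(dialects), "security_mode": sec_mode,
            "capabilities": caps, "client_guid": uuid.UUID(bytes_le=guid)}


def select_dialect(client_dialects, server_dialects):
    """Highest dialect both sides list; None means the negotiate fails."""
    common = set(client_dialects) & set(server_dialects)
    return max(common) if common else None


def build_negotiate_response(dialect, security_mode, capabilities, server_guid,
                             max_io, security_blob):
    blob_offset = HEADER.size + NEG_RESP.size            # blob sits right after the fixed fields
    body = NEG_RESP.pack(65, security_mode, dialect, 0, server_guid.bytes_le, capabilities,
                         max_io, max_io, max_io, 0, 0, blob_offset, len(security_blob), 0)
    return build_header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body + security_blob


def parse_negotiate_response(pkt):
    hdr = parse_header(pkt)
    if hdr["command"] != SMB2_NEGOTIATE or not hdr["response"]:
        raise ValueError("not a NEGOTIATE response")
    (_sz, sec_mode, dialect, _n, guid, caps, max_tx, max_rd, max_wr, _st, _sst,
     blob_off, blob_len, _nco) = NEG_RESP.unpack_from(pkt, HEADER.size)
    return {"dialect": dialect, "dialect_name": DIALECT_NAMES.get(dialect, "unknown"),
            "signing_required": bool(sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
            "large_mtu": bool(caps & SMB2_GLOBAL_CAP_LARGE_MTU),
            "max_transact_size": max_tx, "max_read_size": max_rd, "max_write_size": max_wr,
            "server_guid": uuid.UUID(bytes_le=guid),
            "security_blob": pkt[blob_off:blob_off + blob_len]}


def negotiate(client_dialects, server_dialects,
              server_security_mode=SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED,
              server_caps=SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LARGE_MTU):
    """Run both sides of the exchange in memory and summarise what was agreed."""
    req = build_negotiate_request(client_dialects, SMB2_NEGOTIATE_SIGNING_ENABLED,
                                  SMB2_GLOBAL_CAP_DFS, uuid.UUID(int=1))  # constructed client GUID
    wanted = parse_negotiate_request(req)["dialects"]
    chosen = select_dialect(wanted, server_dialects)
    if chosen is None:
        return {"dialect": None, "error": "no common dialect: server fails the negotiate"}
    # Constructed server policy: advertise 8 MB I/O only when LARGE_MTU is offered, else 64 KB
    max_io = 8 * 1024 * 1024 if server_caps & SMB2_GLOBAL_CAP_LARGE_MTU else 64 * 1024
    resp = build_negotiate_response(chosen, server_security_mode, server_caps,
                                    uuid.UUID(int=2), max_io, b"<constructed SPNEGO blob>")
    return parse_negotiate_response(resp)


if __name__ == "__main__":
    print(negotiate([0x0202, 0x0210, 0x0311], [0x0202, 0x0210, 0x0300, 0x0302]))
    print(negotiate([0x0311], [0x0202]))   # no common dialect → negotiate failure
```

Feeding a packet whose first bytes are 0xFF 'SMB' into parse_header raises, which is the same distinction the smb.cmd/smb2.cmd section draws: a populated SMB1 command field means the packet never was SMB2.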



smb2.capabilities.large_mtu

- Part of the NEGOTIATE Response, under SMB2 capabilities.
- Indicates whether the server supports large MTU (multi-credit operations).
- If set, the client can send larger read/write requests than the default 64 KB (e.g., up to multiple MB), improving performance on high-speed networks.

Typical values in the capabilities field include:

- DFS
- LEASING
- LARGE_MTU
- MULTI_CHANNEL
- PERSISTENT_HANDLES
- DIRECTORY_LEASING
- ENCRYPTION




Example Packet Flow in Wireshark

Client Request

- smb2.cmd = NEGOTIATE
- smb2.flags.response = 0

Server Response

- smb2.cmd = NEGOTIATE
- smb2.flags.response = 1
- smb2.capabilities.large_mtu = 1 (server supports large I/O)

In short:

- smb2.cmd = operation type (NEGOTIATE here).
- smb2.flags.response = tells whether it’s a request or a response.
- smb2.capabilities.large_mtu = says the server supports large I/O requests (bigger than 64 KB), which speeds up file transfers.




SMB2 Capabilities Flags

Capability Flag                       Hex Value     Meaning
SMB2_GLOBAL_CAP_DFS                   0x00000001    Server supports DFS (Distributed File System).
SMB2_GLOBAL_CAP_LEASING               0x00000002    Server supports leasing (advanced caching mechanism for files/directories).
SMB2_GLOBAL_CAP_LARGE_MTU             0x00000004    Server supports large read/write requests (bigger than 64 KB, using multi-credit I/O).
SMB2_GLOBAL_CAP_MULTI_CHANNEL         0x00000008    Server supports SMB Multi-Channel (multiple TCP connections per session for bandwidth/HA).
SMB2_GLOBAL_CAP_PERSISTENT_HANDLES    0x00000010    Server supports persistent file handles (important for clustered/continuously available shares).
SMB2_GLOBAL_CAP_DIRECTORY_LEASING     0x00000020    Server supports directory leases (clients cache directory metadata).
SMB2_GLOBAL_CAP_ENCRYPTION            0x00000040    Server supports encryption (SMB3 feature).
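As an added example (not from the original page), this Python snippet decodes the 4-byte Capabilities field with the values from the table, renders it as Wireshark-style smb2.capabilities.* fields (only large_mtu appears on this page; the other field names are assumed to follow the same pattern), and applies the large-MTU rule from the section above: without SMB2_GLOBAL_CAP_LARGE_MTU a single read or write stays at the 64 KB single-credit size regardless of what MaxReadSize/MaxWriteSize advertise, and with it a request of N bytes consumes (N - 1) // 65536 + 1 credits. The credit-charge formula is the MS-SMB2 one and is assumed here rather than taken from the page; the sample capture value is constructed.

```python
# Capability bits from the table above (SMB2_GLOBAL_CAP_* values)
SMB2_CAPABILITIES = [
    (0x00000001, "SMB2_GLOBAL_CAP_DFS", "dfs"),
    (0x00000002, "SMB2_GLOBAL_CAP_LEASING", "leasing"),
    (0x00000004, "SMB2_GLOBAL_CAP_LARGE_MTU", "large_mtu"),
    (0x00000008, "SMB2_GLOBAL_CAP_MULTI_CHANNEL", "multi_channel"),
    (0x00000010, "SMB2_GLOBAL_CAP_PERSISTENT_HANDLES", "persistent_handles"),
    (0x00000020, "SMB2_GLOBAL_CAP_DIRECTORY_LEASING", "directory_leasing"),
    (0x00000040, "SMB2_GLOBAL_CAP_ENCRYPTION", "encryption"),
]
KNOWN_CAP_MASK = sum(bit for bit, _, _ in SMB2_CAPABILITIES)
SMB2_GLOBAL_CAP_LARGE_MTU = 0x00000004
SINGLE_CREDIT_IO = 64 * 1024     # largest read/write without multi-credit support
CREDIT_UNIT = 64 * 1024          # one credit covers 64 KB of payload


def capabilities_from_bytes(raw):
    """Decode the Capabilities field as it sits on the wire (4 bytes, little-endian)."""
    return int.from_bytes(raw[:4], "little")


def decode_capabilities(caps):
    """Names of the set bits, plus any bit the table does not cover."""
    names = [name for bit, name, _ in SMB2_CAPABILITIES if caps & bit]
    unknown = caps & ~KNOWN_CAP_MASK & 0xFFFFFFFF
    if unknown:
        names.append("UNKNOWN(0x%08x)" % unknown)
    return names


def wireshark_fields(caps):
    """Present the bits as Wireshark-style fields (names other than large_mtu are assumed)."""
    return {"smb2.capabilities." + short: int(bool(caps & bit))
            for bit, _, short in SMB2_CAPABILITIES}


def effective_max_io(caps, advertised_max):
    """Largest single READ/WRITE the client may issue: the advertised MaxRead/MaxWriteSize
    only counts when LARGE_MTU is granted; otherwise the client stays within one credit."""
    if caps & SMB2_GLOBAL_CAP_LARGE_MTU:
        return advertised_max
    return min(advertised_max, SINGLE_CREDIT_IO)


def credit_charge(payload_len):
    """Credits a multi-credit request consumes: (len - 1) // 65536 + 1, minimum 1."""
    return (max(payload_len, 1) - 1) // CREDIT_UNIT + 1


def describe_server(caps, advertised_max):
    """Summarise a NEGOTIATE response's capabilities the way a trace reviewer would read them."""
    max_io = effective_max_io(caps, advertised_max)
    return {"capabilities": decode_capabilities(caps),
            "fields": wireshark_fields(caps),
            "max_single_io": max_io,
            "credits_for_max_io": credit_charge(max_io)}


if __name__ == "__main__":
    # Constructed capture value: DFS | LARGE_MTU | ENCRYPTION, server advertising 8 MB I/O
    caps = capabilities_from_bytes(b"\x45\x00\x00\x00")
    print(describe_server(caps, 8 * 1024 * 1024))
    # Same server without LARGE_MTU: the 8 MB advertisement collapses to 64 KB per request
    print(describe_server(caps & ~SMB2_GLOBAL_CAP_LARGE_MTU, 8 * 1024 * 1024))
```

When reviewing a slow transfer, comparing describe_server() output for the negotiated capabilities against the sizes actually seen in READ/WRITE requests shows quickly whether the client is limited by the server's capabilities or by something else.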

www.traceinside.com