SMB2 Negotiate Failure



Basic SMB2 Workflow


NEGOTIATE → client and server agree on SMB version/features.

SESSION_SETUP → client authenticates (user login).

TREE_CONNECT → client connects to a share (like \\server\share).

CREATE / READ / WRITE → client performs file operations inside that share.





Purpose of SMB2 Negotiate


The client and server exchange supported SMB versions (dialects) and features.


They agree on the highest common dialect and set of capabilities.


This lays the foundation for the rest of the SMB session (authentication, tree connect, file access).



SMB2 Negotiate Workflow



Client → Server: NEGOTIATE Request


The client sends:


List of dialects it supports (e.g., 0x0202 = SMB 2.0.2, 0x0311 = SMB 3.1.1).


Client GUID (unique identifier for the client).


Security mode flags:


Signing Enabled (required if server demands it).


Signing Required.


Capabilities (things the client can do, e.g., DFS support).


Optionally, pre-authentication data for SMB 3.1.1 (for integrity protection).


Client ← Server: NEGOTIATE Response


The server replies with:


Selected dialect (the highest common version).


Security mode (whether signing is required).


Server GUID (unique ID for the server).


Capabilities flags (DFS, Leasing, Large MTU, Multi-channel, Persistent Handles, Directory Leasing, Encryption).


Max transaction/fragment/credit sizes (tells client how large its requests can be).


A GSS security blob (usually SPNEGO/NTLM/Kerberos negotiation data).


For SMB 3.1.1 → Pre-authentication integrity hash algorithm list + encryption algorithm list.

Result


Client and server now agree on:


SMB dialect (e.g., SMB 3.1.1).


Whether signing is required.


What advanced features are allowed (encryption, multi-channel, large MTU, etc.).


Next step is SESSION_SETUP (user authentication).








smb.cmd vs smb2.cmd


smb.cmd → This is the old SMB1 command field.


If you see this populated, the packet is SMB1.


During negotiation, the client might first try SMB1 NEGOTIATE; if the server supports SMB2+, it replies with an SMB2 negotiate response.



smb2.cmd → The SMB2 command field.


For negotiation, the value is always:


0x0000 → NEGOTIATE


So in a modern trace you’ll usually see:


smb2.cmd = NEGOTIATE


smb.cmd might be empty (or only used in legacy fallback cases).



smb.flags.response vs smb2.flags.response


smb.flags.response → Used in SMB1 only.


0 = request, 1 = response.



smb2.flags.response → Used in SMB2/3.


0 = request (client → server).


1 = response (server → client).



So in a Negotiate exchange:


Client → smb2.flags.response = 0


Server → smb2.flags.response = 1



smb2.capabilities.large_mtu


Part of the NEGOTIATE Response, under SMB2 capabilities.


Indicates whether the server supports large MTU (multi-credit operations).


If set, the client can send larger read/write requests than the default 64 KB (e.g., up to multiple MB), improving performance on high-speed networks.



Typical values in capabilities field include:


DFS


LEASING


LARGE_MTU


MULTI_CHANNEL


PERSISTENT_HANDLES


DIRECTORY_LEASING


ENCRYPTION




Example Packet Flow in Wireshark


Client Request


smb2.cmd = NEGOTIATE


smb2.flags.response = 0


Server Response


smb2.cmd = NEGOTIATE


smb2.flags.response = 1


smb2.capabilities.large_mtu = 1 (server supports large I/O)



In short:


smb2.cmd = operation type (NEGOTIATE here).


smb2.flags.response = tells whether the message is a request or a response.


smb2.capabilities.large_mtu = says the server supports large I/O requests (bigger than 64 KB), which speeds up file transfers.




SMB2 Capabilities Flags


| Capability Flag | Hex Value | Meaning |
|---|---|---|
| SMB2_GLOBAL_CAP_DFS | 0x00000001 | Server supports DFS (Distributed File System). |
| SMB2_GLOBAL_CAP_LEASING | 0x00000002 | Server supports leasing (advanced caching mechanism for files/directories). |
| SMB2_GLOBAL_CAP_LARGE_MTU | 0x00000004 | Server supports large read/write requests (bigger than 64 KB, using multi-credit I/O). |
| SMB2_GLOBAL_CAP_MULTI_CHANNEL | 0x00000008 | Server supports SMB Multi-Channel (use multiple TCP connections per session for bandwidth/HA). |
| SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | 0x00000010 | Server supports persistent file handles (important for clustered/continuously available shares). |
| SMB2_GLOBAL_CAP_DIRECTORY_LEASING | 0x00000020 | Server supports directory leases (clients cache directory metadata). |
| SMB2_GLOBAL_CAP_ENCRYPTION | 0x00000040 | Server supports encryption (SMB3 feature). |
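
The following is an added example, not part of the original page: a small Python decoder that pulls the fields discussed above (smb2.cmd, the response flag, security mode, dialect, capabilities) out of a raw NEGOTIATE response and reports whether the server requires signing. Field offsets follow the fixed SMB2 header and NEGOTIATE response layout in MS-SMB2; the function names, the sample bytes and the assumption that the buffer starts at the SMB2 ProtocolId (transport framing already removed) are ours.

```python
import struct

# Capability bits, as listed in the capabilities table on this page.
CAPS = {0x01: "DFS", 0x02: "LEASING", 0x04: "LARGE_MTU", 0x08: "MULTI_CHANNEL",
        0x10: "PERSISTENT_HANDLES", 0x20: "DIRECTORY_LEASING", 0x40: "ENCRYPTION"}
DIALECTS = {0x0202: "SMB 2.0.2", 0x0311: "SMB 3.1.1"}  # the two this page names
HDR = 64  # fixed SMB2 header size (MS-SMB2)

def parse_negotiate_response(msg: bytes) -> dict:
    """Decode dialect, security mode and capabilities from a NEGOTIATE response.

    Assumption: msg starts at the SMB2 ProtocolId (transport framing removed).
    """
    if len(msg) < HDR + 64 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message or truncated")
    (command,) = struct.unpack_from("<H", msg, 12)   # smb2.cmd
    (flags,) = struct.unpack_from("<I", msg, 16)     # bit 0 = smb2.flags.response
    if command != 0x0000 or not flags & 0x1:
        raise ValueError("not a NEGOTIATE response")
    sec_mode, dialect = struct.unpack_from("<HH", msg, HDR + 2)
    (caps,) = struct.unpack_from("<I", msg, HDR + 24)
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(sec_mode & 0x0001),
        "signing_required": bool(sec_mode & 0x0002),
        "capabilities": [name for bit, name in CAPS.items() if caps & bit],
    }

def build_sample(sec_mode=0x0001, dialect=0x0311, caps=0x07) -> bytes:
    """Constructed response for offline testing (not a real capture)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0x0000, 1,
                         0x1, 0, 0, 0, 0, 0, bytes(16))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0,
                       b"\x11" * 16, caps, 8 << 20, 8 << 20, 8 << 20,
                       0, 0, 128, 0, 0)
    return header + body

if __name__ == "__main__":
    info = parse_negotiate_response(build_sample())
    print(info)
    if not info["signing_required"]:
        print("finding: server does not require SMB signing")
```
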



www.traceinside.com