SMB Session Setup Multi Channel Error




1. What is SMB Multichannel?


SMB Multichannel allows a single SMB session to use multiple TCP connections (channels) simultaneously between a client and a server.


Its goals are:

- Higher throughput (aggregate bandwidth across NICs)
- Fault tolerance (survive NIC / path failure)
- Lower latency (parallel I/O)


Multichannel was introduced in SMB 3.0 (Windows Server 2012 / Windows 8 era).

It is not supported in SMB 2.0 / 2.1, even though the Session Setup command exists there.


Important: Multichannel is a session-level feature, but additional channels are created only after the initial Session Setup: the capability is negotiated first, and further connections are then bound to the existing session.



2. Where Multichannel fits in the SMB protocol flow


High-level SMB connection flow:


1. TCP connection established
2. SMB NEGOTIATE
3. SMB SESSION_SETUP
4. SMB TREE_CONNECT
5. File operations


Multichannel is negotiated and enabled across steps 2–4, not only in Session Setup.



3. SMB NEGOTIATE: Multichannel capability discovery


During SMB NEGOTIATE:


- Client and server exchange capabilities
- SMB 3.x clients advertise SMB2_GLOBAL_CAP_MULTI_CHANNEL



If both sides support Multichannel, the session becomes eligible for multiple channels.


This is the first prerequisite.



4. SMB SESSION_SETUP: Session establishment (security context)


What Session Setup does


The SMB2 SESSION_SETUP request is used to:


- Authenticate the user (Kerberos / NTLM)
- Establish a Session ID
- Bind a security context to the session


Key point


⚠️ Multichannel is NOT created inside a single SESSION_SETUP exchange


Instead:


- Session Setup creates a logical SMB session
- Multichannel allows multiple transport connections to bind to that same session later



5. How Multichannel actually works after Session Setup


Once the session is authenticated:


5.1 First channel (primary connection)


The initial TCP connection becomes the first channel. It carries:

- Session ID
- Authentication context
- Initial credits


5.2 Additional channels (extra TCP connections)


The client may then open additional TCP connections and:

- Send SMB2 NEGOTIATE
- Send SMB2 SESSION_SETUP with:
  - The existing Session ID
  - The SMB2_SESSION_FLAG_BINDING flag set


This is called Session Binding.


Session binding means:


“This new TCP connection is an additional channel for an existing SMB session.”


No re-authentication is required.



6. Channel selection and usage


Once multiple channels exist:


- SMB uses per-request channel selection
- Reads/writes are distributed across channels
- Credit management is per channel
- Failure of one channel does not tear down the session




Key confirmation point


Multichannel is enabled by negotiation, not by session setup.


❗ Important


- There is no multichannel flag in SESSION SETUP
- SESSION SETUP is about authentication, not transport paths





Multichannel activation — SMB2 IOCTL (critical step)


Multichannel becomes visible after SESSION SETUP, using IOCTL FSCTL_QUERY_NETWORK_INTERFACE_INFO.


1 Client → Server: IOCTL Request


Look for:


SMB2 IOCTL Request



Expand:


SMB2 IOCTL Request
└── CtlCode: FSCTL_QUERY_NETWORK_INTERFACE_INFO (0x001401fc)



This is the trigger for multichannel.


Meaning:


“Server, tell me all your network interfaces that can be used for SMB.”


2 Server → Client: IOCTL Response


Expand:


SMB2 IOCTL Response



You will see one or more interface entries, each with:


- Interface Index
- Capability Flags
  - RSS capable
  - RDMA capable
- Link Speed
- IP Address


Example:


Network Interface Info:
- IP: 10.10.1.10  Speed: 25 Gbps  RSS
- IP: 10.10.2.10  Speed: 25 Gbps  RSS



This tells the client how many channels it should create.
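
The interface list in this response can also be decoded outside Wireshark. The following is an added example, not part of the original page: a Python parser for the NETWORK_INTERFACE_INFO entries as laid out in MS-SMB2, with bounds checks on the Next offsets, run over a constructed buffer that mirrors the two-interface example above. The helper build_entry, the sample bytes and the interface indexes are assumptions made for illustration.

```python
import ipaddress
import struct

ENTRY_LEN = 152                      # 24-byte header + 128-byte SockAddr_Storage
RSS_CAPABLE, RDMA_CAPABLE = 0x1, 0x2
AF_INET, AF_INET6 = 0x0002, 0x0017   # address-family values used on the wire


def parse_interface_info(buf):
    """Parse the output buffer of an FSCTL_QUERY_NETWORK_INTERFACE_INFO response."""
    entries, off = [], 0
    while True:
        if off + ENTRY_LEN > len(buf):
            raise ValueError(f"truncated entry at offset {off}")
        nxt, if_index, caps, _rsvd, speed = struct.unpack_from("<IIIIQ", buf, off)
        family = struct.unpack_from("<H", buf, off + 24)[0]
        if family == AF_INET:        # Family(2) Port(2) IPv4Address(4)
            ip = ipaddress.IPv4Address(buf[off + 28:off + 32])
        elif family == AF_INET6:     # Family(2) Port(2) FlowInfo(4) IPv6Address(16)
            ip = ipaddress.IPv6Address(buf[off + 32:off + 48])
        else:
            raise ValueError(f"unknown address family {family:#06x}")
        entries.append({"if_index": if_index, "ip": str(ip),
                        "speed_gbps": speed / 1e9,
                        "rss": bool(caps & RSS_CAPABLE),
                        "rdma": bool(caps & RDMA_CAPABLE)})
        if nxt == 0:                 # Next == 0 marks the last entry
            return entries
        if nxt < ENTRY_LEN:          # a link into the current entry would overlap
            raise ValueError(f"bad Next offset {nxt} at offset {off}")
        off += nxt


def build_entry(nxt, if_index, caps, speed_bps, ipv4):
    """Build one IPv4 entry for the constructed sample (not a real capture)."""
    head = struct.pack("<IIIIQ", nxt, if_index, caps, 0, speed_bps)
    sockaddr = struct.pack("<HH", AF_INET, 0) + ipaddress.IPv4Address(ipv4).packed
    return head + sockaddr.ljust(128, b"\x00")


# Constructed buffer mirroring the two-interface example above; the interface
# indexes 3 and 4 are made up.
SAMPLE = (build_entry(ENTRY_LEN, 3, RSS_CAPABLE, 25_000_000_000, "10.10.1.10")
          + build_entry(0, 4, RSS_CAPABLE, 25_000_000_000, "10.10.2.10"))

if __name__ == "__main__":
    for entry in parse_interface_info(SAMPLE):
        print(entry)
```
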


3 New TCP connections appear (proof multichannel is active)


Immediately after the IOCTL response:


Observe new TCP handshakes


You will see additional TCP 3-way handshakes:


Client:49152 → Server:445
Client:49153 → Server:445
Client:49154 → Server:445



Each connection:


- Uses a different local port
- Often maps to different NICs / IPs
- Shares the same SMB Session ID



How to prove multichannel in Wireshark (quick checklist)


✅ Must see


- NEGOTIATE: SMB2_GLOBAL_CAP_MULTI_CHANNEL on both sides
- IOCTL: FSCTL_QUERY_NETWORK_INTERFACE_INFO
- Multiple TCP connections to port 445
- Same Session ID across connections



❌ If multichannel is NOT working


- Missing IOCTL
- Only one TCP connection
- Server capability flag missing
- RSS disabled on NIC

www.traceinside.com