SMB Tree Connect/Response Details

If you want to play along at home, the sample PCAP I will be using for SMB2+ is here, the SMB v1 PCAP is not something I can give away sadly.

Tree Connect Request/Response

When the SMB protocol connects to a resource it needs to know exactly what is there. This is where the OS retrieves the share name. If the share name has a ‘$’ at the end (like IPC$ or C$) this means the share is hidden, typically the system will create hidden shares, but users can also create them. Hidden means that if you were to go to the root of the resource (\\servername\ ) you would not see the hidden shares listed.

Tip. If you are monitoring SMB and see \\servername\exfil$…. might be worth looking at!


SMB v1 looks like this:

SMB v2 on the other hand looks like this:

So what’s the difference?

As you can see there are some cosmetic changes, the ‘andx’ part has been dropped. The biggest difference for me is the addition of the ‘SessionID’ details in v2, this now provides the requesting username* and the requesting client

In the Hex the Flags have been moved and v2 has less Flags. We can still see the path in the details pane.

*It is worth noting that the username is the one used to connect that share, not the one which is logged on locally. This can be entered when the share is initially created, or is prompted for when the user clicks on the link. Bear this in mind during investigations


This entry was posted in Network Analytics, Network Forensics, SMB and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s