smbclient -M sends NetBIOS session service header to port 445

Christopher R. Hertel crh at
Mon Jan 6 17:12:31 GMT 2003


SMB messages sent via NBT or via naked TCP both have a four-byte header at 
the top.  Under NBT this is the NetBIOS Session Service header, and it 
should have one byte of zero (indicating it's a Session Message) followed 
by 7-bits of zero (an unused flags field) followed by 17-bits of message 
size (some folks think of the flags field being an 8-bit field with the 
lowest bit meaning "add 0x10000 to the length field".)

Anyway, Microsoft carried that header over to SMB over naked TCP so, yes, 
it's always there.  It's a throw-back to NBT, but on port 445 it's just 
used as a 17-bit length field.  Some folks say it's read as a 24-bit 

Gotta love this stuff, eh?

As for smbclient, there are a number of things that can only really be 
done via port 139.  The Messenger Service is one such, because it is bound 
to NetBIOS (though there is an alternate version that uses MS-RPC...but I 
haven't dug into that yet so all I know is that it uses port 135 somehow).

The NetServerEnum2 calls also don't work on port 445.  That's logical, 
because these are generally used to list workgroups and servers within a 
workgroup, both of which are NetBIOS concepts that don't exist on port 
445.  (Would be nice if they listed Active Directory info.)

There is a problem that I have not had time to address, which is that
newer versions of smbclient (HEAD, for example) default to trying to use
port 445 first (which makes sense because it's much quicker in some cases
to recover and try 139 if 445 fails than doing things the other way
'round).  The problem is that if smbclient succeeds in connecting to 445
then it will try sending the NetServerEnum2 queries on that port, and
Windows will send back either an error message or empty results (can't
remember which offhand).

So, smbclient should default to using port 139 for the NetServerEnum2 
calls (-L option) unless -p is actually specified.  Basically, the same 
problem as -M.

In your example, though, you specify both -M and -p.  Personally, I think
that in this case smbclient is doing the right thing.  If I enter
'smbclient -M server -p 10973', then I would expect smbclient to try
sending the message to that port.  The defaults should be 'best normal 
behavior' but smbclient is much more useful if I can bend it to my will.


Chris -)-----

On Mon, Jan 06, 2003 at 09:17:35AM -0600, Steve Langasek wrote:
> If Samba is configured to try port 445 first, the 'smbclient -M' command
> can't send messages to Win2K machines:
> $ smbclient -M server -p 445
> added interface ip= bcast= nmask=
> Got a positive name query response from ( )
> read_socket_with_timeout: timeout read. read error = Connection reset by peer.
> message start: Read error: Connection reset by peer
> Ethereal shows that the packets sent by Samba include a 'Netbios Session
> Service' header.  Is this the cause of the failure, or is the Windows
> messaging service inextricably bound to NetBIOS?  In the former case,
> where would I look in the code to remove the NetBIOS header from the
> packet?
> -- 
> Steve Langasek
> postmodern programmer

Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
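
Added example (not part of the original message and not Samba's code): a C parser and builder for the four-byte header described above, showing that the "7 flag bits + 17 length bits" view and the "8 flag bits, low bit adds 0x10000" view yield the same length. All names are hypothetical, the sample bytes are constructed, and rejecting non-zero type or flag bits is this example's own strictness choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Parsed view of the four-byte header that precedes each SMB message. */
struct nbss_hdr {
    uint8_t  type;    /* 0x00 = Session Message */
    uint8_t  flags;   /* upper 7 bits of byte 1, expected to be zero */
    uint32_t length;  /* 17-bit length of the message that follows */
};
enum { NBSS_OK = 0, NBSS_SHORT = -1, NBSS_BAD_TYPE = -2, NBSS_BAD_FLAGS = -3 };

/* View 1: 8 type bits, 7 flag bits, 17 length bits (network byte order). */
int nbss_parse(const uint8_t *buf, size_t n, struct nbss_hdr *out)
{
    if (n < 4) return NBSS_SHORT;            /* never read past the buffer */
    out->type   = buf[0];
    out->flags  = (uint8_t)(buf[1] >> 1);
    out->length = ((uint32_t)(buf[1] & 0x01) << 16)
                | ((uint32_t)buf[2] << 8) | buf[3];
    if (out->type != 0x00) return NBSS_BAD_TYPE;
    if (out->flags != 0)   return NBSS_BAD_FLAGS;
    return NBSS_OK;
}

/* View 2: 8-bit flags field whose lowest bit means "add 0x10000"
 * to a 16-bit length. Caller guarantees at least 4 bytes. */
uint32_t nbss_length_alt(const uint8_t *buf)
{
    uint32_t len = ((uint32_t)buf[2] << 8) | buf[3];
    if (buf[1] & 0x01) len += 0x10000;
    return len;
}

/* Build a Session Message header; fails if len does not fit in 17 bits. */
int nbss_build(uint32_t len, uint8_t out[4])
{
    if (len > 0x1FFFF) return -1;
    out[0] = 0x00;                 /* Session Message */
    out[1] = (uint8_t)(len >> 16); /* flags zero, top length bit */
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
    return 0;
}

int main(void)
{
    uint8_t h[4]; struct nbss_hdr p;   /* constructed sample length below */
    if (nbss_build(0x12345, h) == 0 && nbss_parse(h, sizeof h, &p) == NBSS_OK)
        printf("len=%u alt=%u\n", (unsigned)p.length, (unsigned)nbss_length_alt(h));
    return 0;
}
```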
