Packet Analysis Of Netbios And Tcp Computer Science Essay


TCP (Transmission Control Protocol) is the protocol used together with the Internet Protocol (IP) to send data, as a stream of message units, between computers over the Internet. IP handles the actual delivery of each datagram; TCP is a connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols supporting multi-network applications, and it is responsible for verifying the correct delivery of data from client to server [8]. Data can be lost or reordered in the intermediate network, so TCP adds the machinery to detect errors or lost data and to trigger retransmission until the data has been received correctly and completely. "Connection-oriented" means that a connection is established and maintained until the messages to be exchanged by the application programs at each end have been exchanged. TCP divides a message into the segments that IP carries and reassembles them into the complete message at the other end. In the Open Systems Interconnection (OSI) model TCP sits in layer 4, the Transport Layer.

RFC 793 describes TCP as a highly reliable host-to-host protocol for packet-switched computer communication networks and interconnected systems of such networks. It provides reliable inter-process communication between pairs of processes on hosts attached to distinct but interconnected networks, while making very few assumptions about the reliability of the layers beneath it: TCP assumes only that it can obtain a simple, potentially unreliable datagram service from the lower-level protocols. In principle, therefore, TCP can operate above a wide spectrum of communication systems ranging from hard-wired connections to packet-switched or circuit-switched networks [1] [2] [3]. See figure a in the appendix.

Flags are also known as control bits. The TCP header carries eight 1-bit flags, with the following purposes [6][9]:

CWR - Congestion Window Reduced. Set by the sending machine to indicate that it has received a TCP segment with the ECE flag set and has reduced its congestion window.

ECE - ECN-Echo. During the three-way handshake it indicates that the TCP peer is ECN (Explicit Congestion Notification) capable; after the handshake it echoes a congestion mark seen in the IP header.

URG - Indicates that the Urgent pointer field is significant.

ACK - Indicates that the Acknowledgment field is significant.

PSH - Push function: deliver the buffered data to the receiving application without waiting for more.

RST - Reset the connection.

SYN - Synchronize sequence numbers; set only in the first segment sent by each side.

FIN - Finish: the sender has no more data to transfer.

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) is a set of rules (an API and its associated protocols) that allows different computers to communicate within a local area network. It was created by IBM for its early PC Network, later adopted by Microsoft, and has since become a de facto industry standard. NetBIOS is used on Ethernet and token ring networks and, as part of the NetBIOS Extended User Interface (NetBEUI), in Microsoft Windows operating systems [11] [4]. In the capture analysed below it is carried over TCP/IP (NetBIOS over TCP), whose session service listens on TCP port 139.

NetBIOS frees the application from having to understand the details of the network, including error recovery (in session mode). NetBIOS does not allow duplicate names on the same network. A NetBIOS request is supplied in the form of a Network Control Block (NCB) which, among other things, specifies a message location and a name [10]. See figure b in the appendix for NetBIOS.

Packet analysis (handshake mechanism):-

In the packet analysis phase the first three packets establish a full-duplex TCP connection initiated by the client; the NetBIOS session request that follows is the last step of this phase and rides on top of that TCP connection.

After this sequence of three exchanges the two machines are synchronized and communication can begin.
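The flag list above and the three-way handshake are easiest to check by decoding the TCP header bytes directly. The following Python is an added example, not code from the original essay: it parses the fixed 20-byte header, names the control bits that are set, and validates a captured SYN / SYN-ACK / ACK triple by the sequence-number arithmetic the handshake requires. The three segments are constructed here from the ports and server sequence number quoted in the analysis below; the client's initial sequence number 0xF1908361 is inferred from the Ack 0xF1908362 in the SYN/ACK, and the checksum is left zero because computing it needs the IP pseudo-header.

```python
import struct

# TCP control bits in the 8-bit flags byte of the header (RFC 793; ECE and CWR from RFC 3168).
TCP_FLAGS = [
    (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
    (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]
TCP_HEADER = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, checksum, urgent


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and name the control bits that are set."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        TCP_HEADER, segment[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset outside the segment")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "payload": segment[data_offset:],
    }


def build_tcp_header(sport, dport, seq, ack, flag_names, window=8192) -> bytes:
    """Build a 20-byte option-less header (checksum left zero; it needs the IP pseudo-header)."""
    bits = sum(bit for bit, name in TCP_FLAGS if name in flag_names)
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)


def check_handshake(segments) -> bool:
    """True if three segments form a valid client SYN, server SYN/ACK, client ACK exchange."""
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    mask = 0xFFFFFFFF                                   # sequence numbers wrap at 2**32
    return (
        syn["flags"] == ["SYN"]
        and synack["flags"] == ["ACK", "SYN"]
        and (synack["sport"], synack["dport"]) == (syn["dport"], syn["sport"])
        and synack["ack"] == ((syn["seq"] + 1) & mask)   # server acknowledges client ISN + 1
        and ack["flags"] == ["ACK"]
        and (ack["sport"], ack["dport"]) == (syn["sport"], syn["dport"])
        and ack["seq"] == synack["ack"]                  # client continues from its ISN + 1
        and ack["ack"] == ((synack["seq"] + 1) & mask)   # client acknowledges server ISN + 1
    )


# Constructed handshake using the ports and sequence numbers quoted in the capture:
# client .192:1843 -> server .187:139, server ISN 0x7CFB7BBA; the client ISN 0xF1908361
# is inferred from the Ack 0xF1908362 carried by the SYN/ACK.
CLIENT_ISN, SERVER_ISN = 0xF1908361, 0x7CFB7BBA
HANDSHAKE = [
    build_tcp_header(1843, 139, CLIENT_ISN, 0, {"SYN"}),
    build_tcp_header(139, 1843, SERVER_ISN, CLIENT_ISN + 1, {"SYN", "ACK"}),
    build_tcp_header(1843, 139, CLIENT_ISN + 1, SERVER_ISN + 1, {"ACK"}),
]

if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_tcp_header(seg)
        print(f"{h['sport']:>5} -> {h['dport']:<5} seq=0x{h['seq']:08X} "
              f"ack=0x{h['ack']:08X} {h['flags']}")
    print("valid three-way handshake:", check_handshake(HANDSHAKE))
```

A segment whose acknowledgement number does not equal the peer's sequence number plus one fails the check, which is exactly how a stack (or an analyst) spots a spoofed or replayed handshake segment.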

Network Traffic Analysis Of SMB:


Description: The first packet is sent from a class C address, the client 193.63.129.192, source port 1843, with the SYN flag set in the TCP segment, requesting a connection. It is received by a host on the same class C network, 193.63.129.187, on port 139 (the NetBIOS session service). The client also picks a fresh initial sequence number so that the new connection cannot be confused with segments from an earlier one.



Description: The server, 193.63.129.187 port 139, answers the SYN with a segment that has both SYN and ACK set and Ack: 0xF1908362, which is the client's initial sequence number plus one; the server side is now ready to complete the connection with the client.



Description: The client completes the handshake with an ACK whose acknowledgement number is the server's initial sequence number (0x7CFB7BBA) plus one, Ack: 0x7CFB7BBB. The connection is now established through the three-way handshake. See figure c in the appendix.




Description: The client now asks the end host for a NetBIOS session. This is a TCP segment sent unicast by the requesting host to 193.63.129.187 on the 193.63.129 subnet. The first four bytes, 81 00 00 44, are the NetBIOS session service header: message type 0x81 (Session Request), a flags byte of 0x00, and a length of 0x0044 (68) bytes, which covers the two 34-byte encoded NetBIOS names that follow (the called name of the server and the calling name of the client). The calling name tells the receiver which computer on the network is asking for the session. [7]



Description: The first byte, 0x82, is the Positive Session Response: the server accepts the session. The sequence number (0x7CFB7BBB) shows that this comes from the destination host in reply to the client's NetBIOS session request; it is the server-to-client response, or session ack (Blyth, 2010 slides).
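The session request and positive response above can be reproduced and decoded byte for byte. This Python is an added example, not part of the original essay: it applies the RFC 1001 first-level name encoding (each byte of the space-padded 16-byte name becomes two letters 'A'..'P'), wraps two such names in a Session Request, and parses the 4-byte session header back, including the length-extension flag bit. The called name FILESERVER is a hypothetical server name; J4-ITRL-14 is the client host name reported later in the capture. The constructed request's header comes out as 81 00 00 44, matching the capture.

```python
import struct
from typing import Tuple

# NetBIOS session service message types (RFC 1002 section 4.3).
SESSION_MESSAGE, SESSION_REQUEST = 0x00, 0x81
POSITIVE_RESPONSE, NEGATIVE_RESPONSE = 0x82, 0x83


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 characters, append the
    one-byte service suffix, then write each nibble of each byte as a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytearray()
    for b in raw:
        letters.append(0x41 + (b >> 4))
        letters.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(letters) + b"\x00"   # label length, 32 letters, root label


def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Reverse the first-level encoding of one 34-byte name label; returns (name, suffix)."""
    if len(label) != 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a 34-byte encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(1, 33, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_session_request(called: str, called_suffix: int,
                          calling: str, calling_suffix: int) -> bytes:
    body = encode_netbios_name(called, called_suffix) + encode_netbios_name(calling, calling_suffix)
    return bytes([SESSION_REQUEST, 0x00]) + struct.pack("!H", len(body)) + body


def parse_session_packet(pkt: bytes) -> dict:
    """Decode the 4-byte session header (type, flags, length) and, for a request, both names."""
    if len(pkt) < 4:
        raise ValueError("truncated session header")
    msg_type, flags, length = struct.unpack("!BBH", pkt[:4])
    length |= (flags & 0x01) << 16        # flag bit 0 is the 17th (high) bit of the length
    if len(pkt) < 4 + length:
        raise ValueError("session header length exceeds packet")
    out = {"type": msg_type, "length": length, "body": pkt[4:4 + length]}
    if msg_type == SESSION_REQUEST:
        if length != 68:
            raise ValueError("session request must carry two 34-byte names")
        out["called"] = decode_netbios_name(out["body"][:34])
        out["calling"] = decode_netbios_name(out["body"][34:68])
    return out


# Constructed request: called name FILESERVER (hypothetical, suffix 0x20 = server service),
# calling name J4-ITRL-14 (the client host name from the capture, suffix 0x00 = workstation
# service). The resulting header is 81 00 00 44, as in the capture.
REQUEST = build_session_request("FILESERVER", 0x20, "J4-ITRL-14", 0x00)
POSITIVE = bytes([POSITIVE_RESPONSE, 0x00, 0x00, 0x00])   # 0x82 with an empty body

if __name__ == "__main__":
    print(REQUEST[:4].hex(" "), parse_session_packet(REQUEST))
    print(POSITIVE.hex(" "), parse_session_packet(POSITIVE))
```

Because the encoded names are fixed at 34 bytes each, any Session Request whose length field is not 0x0044 is malformed and worth flagging in a capture.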



Description: This packet is the client's first SMB message to the server, a Negotiate Protocol request. It is recognised by the first four bytes of the SMB header: 0xFF followed by the letters 'S', 'M', 'B'. The client sends the list of SMB dialects it speaks, hoping the server will select one of them; if it does, the client can continue to negotiate and maintain the connection. At this point an open communication channel exists between client and server.

The dialects sent, in order, are: PC Network Program 1.0, Xenix core, Microsoft Networks 1.03, Lanman 1.0, Windows for Workgroups 3.1a, LM1.2X002, Lanman 2.1 and NT LM 0.12.




Description: This packet is the server's Negotiate Protocol response. Its dialect index field holds the bytes 07 00, little-endian 0x0007, i.e. index 7 in the client's list, which is NT LM 0.12; the server has selected that dialect from the series the client offered (S Harris et al 2007). The response also carries an 8-byte challenge: rather than sending its password, the client will later return a response computed from its password hash and this challenge, which the server verifies. SOC_SECURITY is the server's SMB domain name, and the security mode value 0x1E is reported as user-level security (each user authenticates individually rather than per share).
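The negotiate request and response described above can be built and parsed from their wire layout. This Python is an added example, not code from the original essay: the client side emits the eight dialect strings as they appear on the wire (each prefixed by a 0x02 buffer-format byte and null-terminated), and the server side answers with a 17-word NT LM 0.12 response whose dialect index is mapped back onto the client's list. The 8-byte challenge value is made up; the domain name SOC_SECURITY and dialect index 7 come from the capture; the security mode 0x03 (user-level plus challenge/response) and the buffer-size and capability constants are assumed values chosen for the example.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Security mode bits in the NT LM 0.12 negotiate response (MS-CIFS 2.2.4.52.2).
SECURITY_MODE_BITS = {0x01: "user-level", 0x02: "challenge/response",
                      0x04: "signing-enabled", 0x08: "signing-required"}
# Dialect strings as the client sent them in the capture, in order; the server answers with
# the zero-based index of the one it picks, or 0xFFFF if it accepts none.
DIALECTS = ["PC NETWORK PROGRAM 1.0", "XENIX CORE", "MICROSOFT NETWORKS 1.03", "LANMAN1.0",
            "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]


def smb1_header(command: int, flags2: int = 0x0001) -> bytes:
    """32-byte SMB1 header: magic, command, status, flags, flags2, pid-high, signature,
    reserved, tid, pid, uid, mid (zero here apart from flags 0x18 and flags2)."""
    return SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, 0x18, flags2, 0,
                                   b"\x00" * 8, 0, 0, 0, 0, 0)


def build_negotiate_request(dialects) -> bytes:
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)  # 0x02 = dialect
    return smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data


def parse_negotiate_request(pkt: bytes) -> list:
    if pkt[:4] != SMB_MAGIC or pkt[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB Negotiate Protocol request")
    word_count, byte_count = struct.unpack_from("<BH", pkt, 32)
    if word_count != 0:
        raise ValueError("negotiate request carries no parameter words")
    data = pkt[35:35 + byte_count]
    return [e[1:].decode("ascii") for e in data.split(b"\x00") if e.startswith(b"\x02")]


NEGOTIATE_RESPONSE_PARAMS = "<HBHHIIIIQhB"   # 17 words = 34 bytes for NT LM 0.12


def build_negotiate_response(dialect_index: int, security_mode: int, challenge: bytes,
                             domain: str) -> bytes:
    # index, security mode, MaxMpx, MaxVcs, MaxBuffer, MaxRaw, SessionKey, Capabilities,
    # SystemTime, TimeZone, ChallengeLength (the numeric constants are assumed values)
    params = struct.pack(NEGOTIATE_RESPONSE_PARAMS, dialect_index, security_mode, 50, 1,
                         16644, 65536, 0, 0x80F3FD, 0, 0, len(challenge))
    data = challenge + domain.encode("utf-16-le") + b"\x00\x00"
    return (smb1_header(SMB_COM_NEGOTIATE, flags2=0x8001) + struct.pack("<B", 17) + params
            + struct.pack("<H", len(data)) + data)


def parse_negotiate_response(pkt: bytes, offered: list) -> dict:
    """Map the server's dialect index back onto the client's list; extract challenge, domain
    and security mode."""
    if pkt[:4] != SMB_MAGIC or pkt[4] != SMB_COM_NEGOTIATE or pkt[32] != 17:
        raise ValueError("not an NT LM 0.12 negotiate response")
    (index, security_mode, _mpx, _vcs, _buf, _raw, _key, _caps, _time, _tz,
     challenge_len) = struct.unpack_from(NEGOTIATE_RESPONSE_PARAMS, pkt, 33)
    if index == 0xFFFF:
        raise ValueError("server accepted none of the offered dialects")
    if index >= len(offered):
        raise ValueError("dialect index beyond the offered list")
    byte_count = struct.unpack_from("<H", pkt, 67)[0]
    data = pkt[69:69 + byte_count]
    domain = data[challenge_len:].decode("utf-16-le").rstrip("\x00")
    return {"dialect": offered[index], "index": index, "challenge": data[:challenge_len],
            "domain": domain,
            "security": [n for bit, n in SECURITY_MODE_BITS.items() if security_mode & bit]}


# Constructed exchange: the client offers the captured list, the server picks index 7
# (NT LM 0.12) and sends a made-up 8-byte challenge plus the domain name from the capture.
CHALLENGE = bytes.fromhex("0123456789abcdef")
REQUEST = build_negotiate_request(DIALECTS)
RESPONSE = build_negotiate_response(7, 0x03, CHALLENGE, "SOC_SECURITY")

if __name__ == "__main__":
    print("offered:", parse_negotiate_request(REQUEST))
    print("dialect index bytes:", RESPONSE[33:35].hex(" "))
    print(parse_negotiate_response(RESPONSE, DIALECTS))
```

The index is only meaningful relative to the list the client sent, which is why the parser takes the offered list as a parameter; a response index past the end of that list, or 0xFFFF, means the negotiation failed.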



Description: With the dialect accepted by the server, the client moves on to authentication: a Session Setup AndX request carrying an anonymous (empty) username and a null password, i.e. a null session, asking to be authenticated and issued a user ID (UID). The client uses AndX command batching, chaining a Tree Connect AndX to the IPC$ share onto the same message; this saves a round trip and bandwidth by merging what would otherwise be two packets into one. The host name of the client is J4-ITRL-14; the Native OS field reports Windows NT 4.0 and the Native LAN Manager field reports the Windows NT LAN Manager (Microsoft handbook [7]).
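The batched Session Setup AndX / Tree Connect AndX message is what an analyst would write a detection rule for. This Python is an added example, not code from the original essay: it builds such a message with ASCII strings, walks the AndX chain by following each block's AndXOffset (refusing offsets that point backwards, so a crafted packet cannot loop the parser), and classifies the logon as a null session when the account name is empty and the password bytes are absent or all zero, and as an IPC$ connect when the tree path ends in \IPC$. The server name SERVER, the user alice, her password bytes and the Native LAN Manager string "NT LAN Manager 4.0" are assumed values; Windows NT 4.0 is the Native OS reported in the capture.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NONE = 0xFF            # AndXCommand value that ends the chain
ANDX_COMMANDS = {SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX}


def smb1_header(command: int) -> bytes:
    """32-byte SMB1 header with ASCII strings (flags2 0x0001, Unicode bit clear)."""
    return SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, 0x18, 0x0001, 0,
                                   b"\x00" * 8, 0, 0, 0, 0, 0)


def build_session_setup_with_tree(account: str, password: bytes, tree_path: str,
                                  native_os="Windows NT 4.0",
                                  native_lm="NT LAN Manager 4.0") -> bytes:  # native_lm assumed
    """Session Setup AndX batched with Tree Connect AndX in one message (AndX chaining)."""
    ss_data = (password + account.encode("ascii") + b"\x00" + b"\x00"   # account, empty domain
               + native_os.encode("ascii") + b"\x00" + native_lm.encode("ascii") + b"\x00")
    # AndXOffset counts from the start of the SMB header to the next block's WordCount byte:
    # header 32 + WordCount 1 + 13 words (26 bytes) + ByteCount 2 + data.
    tree_offset = 32 + 1 + 26 + 2 + len(ss_data)
    ss_params = struct.pack("<BBHHHHIHHII", SMB_COM_TREE_CONNECT_ANDX, 0, tree_offset, 4356, 50,
                            0, 0, len(password), 0, 0, 0)  # OEM/Unicode pw lengths at bytes 14-17
    tc_data = b"\x00" + tree_path.encode("ascii") + b"\x00" + b"IPC\x00"  # 1-byte pw, path, service
    tc_params = struct.pack("<BBHHH", SMB_COM_NONE, 0, 0, 0, 1)           # flags 0, pw length 1
    return (smb1_header(SMB_COM_SESSION_SETUP_ANDX)
            + bytes([13]) + ss_params + struct.pack("<H", len(ss_data)) + ss_data
            + bytes([4]) + tc_params + struct.pack("<H", len(tc_data)) + tc_data)


def walk_andx_chain(pkt: bytes) -> list:
    """Follow AndXCommand/AndXOffset links; returns (command, words, data) per block. The
    offset must move forward, so a crafted packet cannot make this loop forever."""
    if pkt[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command, offset, blocks = pkt[4], 32, []
    while command != SMB_COM_NONE and offset < len(pkt):
        word_count = pkt[offset]
        words = pkt[offset + 1: offset + 1 + 2 * word_count]
        bc_at = offset + 1 + 2 * word_count
        byte_count = struct.unpack_from("<H", pkt, bc_at)[0]
        blocks.append((command, words, pkt[bc_at + 2: bc_at + 2 + byte_count]))
        if command not in ANDX_COMMANDS or len(words) < 4:
            break
        command, _reserved, offset = struct.unpack_from("<BBH", words, 0)
        if command != SMB_COM_NONE and offset <= bc_at:
            raise ValueError("AndXOffset points backwards")
    return blocks


def classify_logon(pkt: bytes) -> dict:
    """Flag a null-session logon (empty account, empty or all-zero password) and an IPC$ tree."""
    result = {"null_session": False, "account": None, "tree": None, "ipc": False,
              "native_os": None}
    for command, words, data in walk_andx_chain(pkt):
        if command == SMB_COM_SESSION_SETUP_ANDX and len(words) == 26:
            oem_len, uni_len = struct.unpack_from("<HH", words, 14)
            secret = data[:oem_len + uni_len]
            fields = data[oem_len + uni_len:].split(b"\x00")   # account, domain, OS, LAN Manager
            result["account"] = fields[0].decode("ascii", "replace")
            result["native_os"] = (fields[2].decode("ascii", "replace")
                                   if len(fields) > 2 else None)
            result["null_session"] = result["account"] == "" and secret.strip(b"\x00") == b""
        elif command == SMB_COM_TREE_CONNECT_ANDX and len(words) == 8:
            pw_len = struct.unpack_from("<H", words, 6)[0]
            path = data[pw_len:].split(b"\x00")[0].decode("ascii", "replace")
            result["tree"] = path
            result["ipc"] = path.upper().endswith("\\IPC$")
    return result


# Constructed messages: a null session to a hypothetical server, and an ordinary user logon.
NULL_SESSION = build_session_setup_with_tree("", b"", r"\\SERVER\IPC$")
USER_SESSION = build_session_setup_with_tree("alice", b"secret-lm-response", r"\\SERVER\IPC$")

if __name__ == "__main__":
    print(classify_logon(NULL_SESSION))
    print(classify_logon(USER_SESSION))
```

Run over a capture, a Session Setup with an empty account name followed in the same chain by a Tree Connect to IPC$ is the signature of the null-session enumeration the conclusion below discusses; the same walk over the reply would show whether the server granted a UID and TID for it.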



Now that we've discussed some of the major components of networks and TCP/IP, you have the necessary background to examine the more critical issues of security in a converged environment. Knowing how networks are built gives you a better understanding of what physical or logical vulnerabilities are introduced by choosing one particular network design over another. Knowing how packets are formed gives you a better understanding of how they can be crafted or modified to achieve a specific purpose. Knowing how packets are transmitted and delivered gives you a better understanding of what can happen to packets as they travel from source to destination. A good understanding of the basics of networking and TCP/IP is critical to identifying, understanding, and correcting vulnerabilities in your converged environment.

Many types of evidence arise during the analysis of these packets. The most interesting part of this analysis is the null-session login process. The IPC$ tree and PIPE\LANMAN give more clues about the committed action. All the evidence is meaningless without the last packet, where the purpose of this dump is opened up and exposed. I strongly believe that there is some exploitation, or that flaws are present, in the Microsoft Windows NT 4.0 box on the local network. With the help of these flaws a local user can check the share list, browse the list and also enumerate the domain controller.

Another point of view is user-level security. I know there is no need for a password for a legitimate user to use or browse the services of the master servers. Nowadays there are many tools available which help the hacker take advantage of this null-session password technique and gain access to the master servers.


[1] Postel, J. (ed.), "Internet Protocol - DARPA Internet Program Protocol Specification", RFC 791, USC/Information Sciences Institute, September 1981.

[2] Cerf, V., and R. Kahn, "A Protocol for Packet Network Intercommunication", IEEE Transactions on Communications, Vol. COM-22, No. 5, pp. 637-648, May 1974.

[3] Postel, J. (ed.), "Transmission Control Protocol - DARPA Internet Program Protocol Specification", RFC 793, prepared for the Defense Advanced Research Projects Agency, Information Processing Techniques Office, September 1981 [online; accessed 25 Oct 2010].

[4] NetBIOS information [online; accessed 25 Oct 2010].

[5] Server Message Block Protocol [online; accessed 24 Oct 2010].

[6] TCP/IP information [online; accessed 26 Oct 2010].

[7] Microsoft handbook [online; accessed 30 Oct 2010].

[8] Comer, D., Internetworking with TCP/IP: Principles, Protocols, and Architecture, 5th edition, pp. 32-37.

[9] Miller, P., TCP/IP Explained, pp. 450-451.

[10] Casad, J., Sams Teach Yourself TCP/IP in 24 Hours, pp. 186-187.

[11] Malamud, C., Analyzing Novell Networks, pp. 278-279.