3.3. SMB transports

Before Windows 2000, the typical transport protocol of SMB/CIFS was NetBIOS over TCP/IP. Starting with Windows 2000, SMB/CIFS can be carried directly over TCP (445/tcp), without an intermediary NetBT layer.

To identify which SMB transports are active on a Windows system, the net config rdr and net config srv commands can be used. These commands use the NetWkstaTransportEnum() and NetServerTransportEnum() Win32 APIs:

C:\WINNT>net config rdr

[...]

Workstation active on
        NetbiosSmb (000000000000)
        NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102A495B2)

[...]

C:\WINNT>net config srv

[...]

Server is active on
        NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102a495b2)
        NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102a495b2)
        NetbiosSmb (000000000000)
        NetbiosSmb (000000000000)

[...]

The NetWkstaTransportEnum() and NetServerTransportEnum() Win32 APIs are implemented by two RPC calls, NetrWkstaTransportEnum() and NetrServerTransportEnum(). The rpcclient utility of Samba-TNG [29] supports the srvtransports command, which can be used to retrieve server-side transports.

Note: Windows NT 4.0 and Windows 2000 systems apparently have a bug in the NetServerTransportEnum() API, which retrieves server-side transports: each transport appears twice.

In Windows Vista, the output of the net config srv command is as follows:

C:\WINDOWS>net config srv

[...]

Software version                      Windows (TM) Code Name "Longhor
Server is active on                   
	NetbiosSmb (WINVISTA)
	NetBT_TCPIP_{34559422-6B8D-4328-BAA1-25A6A331C6A8} (WINVISTA)

[...]

Active transports are:

The raw SMB transport cannot be disabled on a per-adapter basis. To completely disable it, the NetBT driver must be stopped.

A Windows system with both SMB transports active tries to connect to 445/tcp and 139/tcp at the same time. If the connection to 445/tcp is accepted, the connection to port 139 is closed (sending a TCP segment with the RST flag set), i.e., raw SMB transport is preferred over NetBT transport [31].
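
The two points above (server transports listed twice on Windows NT 4.0 and Windows 2000, and the 445/tcp versus 139/tcp split between the two transports) can be checked together by parsing the command output. The following Python script is an added example, not part of the original document; the function names and the mapping it applies (NetbiosSmb as the raw SMB transport on 445/tcp, NetBT_Tcpip_{GUID} as the NetBT transport on 139/tcp) are assumptions of the example.

```python
import re

# Device names as printed by "net config rdr" / "net config srv".
# Assumed mapping: NetbiosSmb is the raw SMB transport (445/tcp);
# NetBT_Tcpip_{GUID} is NetBT bound to one adapter (139/tcp).
LINE_RE = re.compile(
    r"^\s+(?P<device>NetbiosSmb|NetBT_Tcpip_\{(?P<guid>[0-9A-Fa-f-]{36})\})"
    r"\s+\((?P<addr>[^)]*)\)\s*$",
    re.IGNORECASE,
)

def parse_transports(output):
    """Return the unique active transports found in net config output."""
    seen, transports = set(), []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("device").lower() == "netbiossmb"
        # Compare case-insensitively: Vista prints NetBT_TCPIP, and the
        # value in parentheses differs in case between rdr and srv output.
        key = (m.group("device").lower(), m.group("addr").lower())
        if key in seen:  # NT 4.0 / 2000 list each server transport twice
            continue
        seen.add(key)
        transports.append({
            "device": m.group("device"),
            "kind": "raw SMB" if raw else "NetBT",
            "port": 445 if raw else 139,
            "adapter_guid": None if raw else m.group("guid").upper(),
            "address": m.group("addr"),  # value printed in parentheses
        })
    return transports

def listening_ports(transports):
    """TCP ports the listed transports imply, for comparison with policy."""
    return sorted({t["port"] for t in transports})

# Sample input: the Windows 2000 "net config srv" lines shown earlier.
SAMPLE_SRV = """Server is active on
        NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102a495b2)
        NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102a495b2)
        NetbiosSmb (000000000000)
        NetbiosSmb (000000000000)
"""

if __name__ == "__main__":
    for t in parse_transports(SAMPLE_SRV):
        print(f'{t["kind"]:8} {t["port"]}/tcp  {t["device"]} ({t["address"]})')
```

Comparing listening_ports() against the ports a host is expected to expose shows whether NetBT is still bound on an adapter where only raw SMB was intended.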