IBM Support

How to detect SMB1 protocol traffic

How To


Summary

Some IBM i systems will allow SMBv1 protocol access by default. Administrators considering configuring IBM i NetServer to explicitly deny SMBv1 protocol access may wish to first survey their network and see if any clients are currently utilizing SMBv1 protocol.

Objective

Detect use of the SMBv1 protocol on the network.

Steps

Disclaimer: This document mainly discusses a third-party, open source software named Wireshark. Support for this product is not part of an IBM i Support Line contract. Use of this document and the Wireshark software is performed at your own risk.
The open source Wireshark network sniffer tool may be used, with a capture filter, to detect only SMBv1 protocol activity on the network.
In environments where IBM i NetServer is heavily utilized, running an unfiltered communications trace will quickly result in a very large, unwieldy trace file. Therefore, it is recommended to set a capture filter that will only trace SMBv1 protocol traffic.
The Wireshark forum provided such a capture filter:
https://ask.wireshark.org/question/13598/how-can-i-find-clients-that-are-using-smb1/
The capture filter is:
(tcp port 139 or 445) and tcp[((tcp[12:1] & 0xF0) >> 2):1] = 0x00 and tcp[((tcp[12:1] & 0xF0) >> 2) + 4:4] = 0xff534d42
Capture filters can be added to Wireshark here:
[Screenshot: Wireshark capture filter settings]
Once the capture filter has been added, start the trace from Capture -> Options... and select the capture filter:
[Screenshot: Capture -> Options... dialog with the capture filter selected]
Hit the "Start" button and any SMBv1 protocol traffic on the network segment will be detected.
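The following Python script is an added illustration, not part of the IBM document or of Wireshark: it re-implements the byte tests of the capture filter above (data offset from tcp[12], NetBIOS session message type 0x00, then the 0xff534d42 "\xffSMB" signature) over constructed TCP segments, so you can see why an SMB2 negotiate (signature 0xfe "SMB") is excluded even on port 445. The segment builder, the sample messages and all names are made up for the example.

```python
import struct

SMB1_MAGIC = b"\xffSMB"   # 0xff534d42, the value the capture filter compares
SMB2_MAGIC = b"\xfeSMB"   # SMB2/3 uses 0xfe, so the filter does not match it
SMB_PORTS = {139, 445}

def is_smb1_segment(tcp_segment: bytes) -> bool:
    """Return True when a raw TCP segment (header + payload) carries an SMBv1
    message, applying the same tests as the capture filter on this page."""
    if len(tcp_segment) < 20:
        return False
    sport, dport = struct.unpack("!HH", tcp_segment[:4])
    if sport not in SMB_PORTS and dport not in SMB_PORTS:
        return False                      # "(tcp port 139 or 445)"
    # (tcp[12:1] & 0xF0) >> 2: data offset is in 32-bit words, so nibble * 4
    hdr_len = (tcp_segment[12] & 0xF0) >> 2
    payload = tcp_segment[hdr_len:]
    if len(payload) < 8:
        return False
    # tcp[hdr_len:1] = 0x00        -> NetBIOS Session Service "session message"
    # tcp[hdr_len+4:4] = 0xff534d42 -> SMB1 header signature "\xffSMB"
    return payload[0] == 0x00 and payload[4:8] == SMB1_MAGIC

def build_segment(sport, dport, payload, options=b""):
    """Constructed TCP segment: 20-byte header plus options padded to a 4-byte
    boundary, so the data offset nibble must be honoured to find the payload."""
    options += b"\x00" * (-len(options) % 4)
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                         data_offset_words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def netbios_wrap(smb_message):
    # NetBIOS session service header: type 0x00 plus 3-byte big-endian length
    return b"\x00" + len(smb_message).to_bytes(3, "big") + smb_message

# Constructed sample traffic (not taken from a real trace)
SMB1_NEGOTIATE = netbios_wrap(SMB1_MAGIC + b"\x72" + b"\x00" * 27
                              + b"\x00\x0c\x00\x02NT LM 0.12\x00")
SMB2_NEGOTIATE = netbios_wrap(SMB2_MAGIC + b"\x40\x00" + b"\x00" * 58)
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8      # NOP, NOP, timestamps
SAMPLES = {
    "smb1 to 445 with TCP options": build_segment(50000, 445, SMB1_NEGOTIATE, TS_OPTION),
    "smb1 to 139": build_segment(50001, 139, SMB1_NEGOTIATE),
    "smb2 to 445": build_segment(50002, 445, SMB2_NEGOTIATE),
    "smb1 bytes on port 8080": build_segment(50003, 8080, SMB1_NEGOTIATE),
}

def classify_samples():
    return {name: is_smb1_segment(seg) for name, seg in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:32s} -> {'SMB1' if hit else 'filtered out'}")
```

Only the two SMB1 samples on ports 139/445 match; the SMB2 negotiate and the SMB1 bytes on a non-SMB port are dropped, exactly as the capture filter would drop them.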
In the example trace output below, frame #1 is accessing a v730 IBM i NetServer. The Negotiate Protocol Response from the IBM i is not in the trace because v730 defaults to SMB2 and SMB2 is among the supported dialects in the "Negotiate Protocol Request" from the client. The rest of that conversation is SMB2 protocol and was thus filtered out of the trace.
Frames 2-5 are accessing a v720 IBM i NetServer system, which defaults to the SMB1 protocol.
[Screenshot: example trace output, frames 1-5]
IBM i NetServer can be configured to only allow SMB2. Please see the IBM i NetServer SMB protocol version control guide.

Document Location

Worldwide


Document Information

Modified date:
03 February 2021

UID

ibm16409598