
How to easily detect SMBv1 scanning by using your traffic!


SMB Exploitation is an easy way to take control of a Network! - Read how to easily see this attack method!

NetFort has always believed in the visibility that can be extracted from wire data, basic network traffic analysis or deep packet inspection. Every device, user, and application on the network leaves a trail, always. No need to turn it ON, this vendor agnostic trail can easily be captured on any network and used for many security and operational use cases. Look at Wireshark and how strong the community is, it continues to grow from strength to strength. Of course, one of the main reasons is that all the people involved are passionate about network data traffic and really care about what they do.

The traffic analysis engine should do as much of the heavy lifting as possible: present the traffic at a high level first so one can see anomalies, and make the network traffic data easier to store, query, search, read, analyse, correlate, and act on. This is what we help our customers do with traffic at NetFort.

One of our core building blocks is the ability to generate metadata for easy visibility!

We have a number of application ‘decoders’, stateful followers that generate application-specific metadata. The complexity of the decoder depends on the application; some, including SMB and NFS, are not trivial.

Fingerprinting, reassembly, metadata extraction and storage, all in real time, is not easy. We have worked hard on these to get them reliable and to perform at scale. As a result, we now have a robust, scalable, unique engine, ideal for many use cases and proven on many diverse customer networks. The decoders have also helped us grow because they help organisations of all sizes (including central and local government, utilities, legal, education and the military) address various vulnerabilities, including those found in implementations of Server Message Block 1.0. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Read more on "How to detect SMB exploitation!"

Both SMB and NFS are file sharing protocols. Both seem to have been around a long time, have gone through various iterations and improvements, and are used across organisations of all sizes. Our SMB protocol decoder, which we initially developed about 7 years ago and have worked on continuously to ensure we ‘keep up’ with any updates or new versions, includes a lot of useful detail on SMB activity on any network. It was initially developed in response to a feature request from a large UK financial who had seen a large download of 20 GBs by a user from a share at 4.55 pm. ‘The user is taking this data home to work on, when I drill down I can see the source and destination IP address, port numbers and amount of data. But I really want to see the user name, file and folder name, can you extract that from the traffic?’

We investigated. It was not, and is not, easy, especially to do it reliably and at scale, but we did it.

Some users appreciate the limitations of using logs to get this information at scale. Enabling logging adds significant load to already overburdened servers, and when they are under heavy load, events are dropped, NOT logged. Also, critically in my opinion, the data can be very expensive to retain, search and correlate due to the massive volumes of detail logged. Is all this detail really necessary?

It seems to require really complex products to make any sense of it. It is just too expensive across many fronts, especially if one is using some well-known SIEMs that charge based on volumes of data stored. Of course, there is critical information one can only get by using logging. We believe that the combination and correlation of log and wire data really makes sense, and provides detail and context essential for many security and operational issues today.

Recently we have been receiving emails from some large US enterprises who want to use our engine to understand SMBv1 activity across their networks.

  • Hello Guys

  • Could you please send to me all information about your File Activity Monitoring Software with Deep Packet Inspection? Can we use it to see if any servers on our network are still accepting SMBv1 and from which clients?

Or

  • Hi

  • Please advise on pricing for this product, we would like to use it for SMBv1 scanning

Thanks

It is an ideal use case for our LANGuardian network traffic analysis engine. Download our ISO, install it on a standard server or VMware, use a TAP or mirror port to monitor the server VLAN, and one can immediately and clearly see the information required.

But, does our SMB decoder go to this level?

Can one filter and only see SMB1 connections actually Established? Yes you can, and very easily too.

Number 1 above shows clients on the network making SMBv1 connection attempts (SMBv1 scanning). This is where a client sends an SMB request to a server and the version flag is set to v1.

Simply click and drill down on the Total, 220, to get more detail including the client and server IP addresses.

Interesting info, why for example are those clients still trying to use SMBv1? But, more importantly, which servers are accepting the SMBv1 connection request and actually establishing a connection?

Use the filters on the left, under Action, to only see SMB1 Connection Established, or drill down on the 179 under Total in the first screenshot:

Just 2 reports, one drill down to see all the servers still accepting SMB1 connections and the clients who are requesting it. A really good use case that demonstrates one of the many benefits and flexibility of network traffic analysis using Metadata views.
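The same two views (SMBv1 attempts, and SMBv1 connections actually established) can be sketched from raw TCP/445 payloads; this is an added example, not LANGuardian's decoder. It assumes payloads are already reassembled and tagged by direction, uses constructed sample messages and documentation IP addresses, and treats a server that answers an SMB1 negotiate with an SMB2 reply as not having established SMBv1.

```python
import struct
from collections import defaultdict

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE, FLAGS_REPLY, NO_DIALECT = 0x72, 0x80, 0xFFFF

def classify(payload):
    """Classify one TCP/445 payload: 4-byte transport header + SMB message."""
    msg = payload[4:]
    if msg[:4] == SMB2_MAGIC:
        return "smb2"
    if len(msg) < 32 or msg[:4] != SMB1_MAGIC or msg[4] != SMB_COM_NEGOTIATE:
        return "other"
    if not msg[9] & FLAGS_REPLY:              # request: the v1 connection attempt
        return "smb1_attempt"
    status = struct.unpack_from("<I", msg, 5)[0]
    if status != 0 or len(msg) < 35 or msg[32] == 0:
        return "smb1_refused"
    dialect = struct.unpack_from("<H", msg, 33)[0]   # chosen dialect index
    return "smb1_refused" if dialect == NO_DIALECT else "smb1_established"

def report(records):
    """records: (client, server, direction, payload), direction 'c2s' or 's2c'."""
    attempts, established = defaultdict(set), defaultdict(set)
    for client, server, direction, payload in records:
        kind = classify(payload)
        if direction == "c2s" and kind == "smb1_attempt":
            attempts[server].add(client)
        elif direction == "s2c" and kind == "smb1_established":
            established[server].add(client)
    return dict(attempts), dict(established)

def _smb1(reply, body):
    """Build a constructed SMB1 negotiate message (sample data only)."""
    hdr = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(4)
    hdr += bytes([FLAGS_REPLY if reply else 0]) + bytes(22)
    msg = hdr + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

# Constructed sample traffic: one request, then three possible server answers.
REQ = _smb1(False, b"\x00\x0c\x00\x02NT LM 0.12\x00")
OK = _smb1(True, b"\x11" + struct.pack("<H", 0) + bytes(34))
NO = _smb1(True, b"\x01" + struct.pack("<H", NO_DIALECT) + bytes(2))
V2 = b"\x00\x00\x00\x40" + SMB2_MAGIC + bytes(60)
SAMPLE = [
    ("192.0.2.101", "192.0.2.10", "c2s", REQ), ("192.0.2.101", "192.0.2.10", "s2c", OK),
    ("192.0.2.102", "192.0.2.11", "c2s", REQ), ("192.0.2.102", "192.0.2.11", "s2c", NO),
    ("192.0.2.103", "192.0.2.12", "c2s", REQ), ("192.0.2.103", "192.0.2.12", "s2c", V2),
]
```

Calling `report(SAMPLE)` returns the attempts map (three servers probed) and the established map (only the one server that selected an SMB1 dialect), which is the list to prioritise when disabling SMBv1.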

Author - John Bronson - CEO, NetFort - John co-founded NetFort in 2002. Under John's direction, NetFort has continued to thrive in the network and user activity monitoring market and has built up an impressive portfolio of customers around the world. He has extensive security and networking experience, having worked as a Principal Engineer for several years with Digital Equipment Corporation in Ireland, the UK and the US. He has worked on a number of high speed network interconnect projects in the past, specializing in low-level kernel programming. John graduated from the University of Limerick with a B.Eng. Degree in Electronic Engineering (1986) and M.Eng. in Computer Systems (1994).

Editor's Note* - If you have not used a Metadata based analyzer - you should really take a look at LANGuardian from NetFort. You will see / visualize your network for the first time. Once you see Metadata visualization you will see things on your network like never before!

