Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Tracking CIFS v1 traffic in NetFlow

We have an initiative to eradicate SMB/CIFS V1 in our enterprise. We also want to minimize impact to our user community. We were thinking that being able to see the SMB/CIFS V1 traffic in Netflow would allow us to see the endpoints and investigate the ability to move the data to a NAS device in the case of older systems that do not support the later versions of the protocol.

I have searched thwack and google and haven't seen anyone doing this with NetFlow. Is it possible? Would deep packet inspection allow this for certain protocols? I am interested in peoples thoughts/experiences.

Find more posts tagged with

Accepted answers

All comments

mesverrum

Netflow as a protocol does not distinguish between versions of cifs. A full service DPI tool would likely be able sniff it out, but I don't think even nbar2 (newer fancier netflow protocol) is looking for cifs versions. You'd probably need something collecting from a span port or network tap.

darragh.delaney

Hi bud.lande

As mentioned above you will need to use a SPAN, mirror port or TAP as a data source. We develop a tool called LANGuaridan which can detect SMB/CIFS V1 and you can integrate the reports into your Orion deployment. An example here on our online demo.

http://demo2.netfort.com/Orion/SummaryView.aspx?ViewID=75&AccountID=guest

There is a 30-day trial which you can download if you wanted to get an idea as to how much SMB/CIFS V1 is on your network.

Darragh

How to detect SMBv1 scanning and SMBv1 established connections - YouTube

jreves

You may also find this helpful, if you are able to take a server-based approach:https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server

jreves