Ethereal-users: Re: [ethereal-users] SMB Decodes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Alan Harrison" <alanharrison@xxxxxxxx>
Date: Sat, 20 May 2000 13:31:50 +0100
I looked at the Samba server source code today and found if you set the
debug level to 5 it prints out the TID, PID, etc. values (along with a load of
other stuff). I would still like to do the same on an NT machine but my
curiosity has been satisfied.

Thanks all
----
alanharrison@xxxxxxxx
----- Original Message -----
From: "Guy Harris" <guy@xxxxxxxxxx>
To: "Alan Harrison" <alanharrison@xxxxxxxx>
Sent: Thursday, May 18, 2000 9:06 PM
Subject: Re: [ethereal-users] SMB Decodes


> > Just to clarify what I was asking: I have been capturing SMB packets on my
> > system and noticed that if I missed the start of a file open I was not able
> > to identify the share, file or process which the TID, PID, etc. fields related
> > to on the client or server.
>
> There's no guarantee that you can do so on the server side (the server
> isn't necessarily running Windows; I forget how our file server
> appliances generate the TID field); I suspect the reason you found
> nothing in MSDN or sysinternals.com is that there's no way to do it on
> the client side, either.
>
> None of those fields will identify the *file*; read and write requests,
> for example, have a "Fid" field that specifies which file is being read
> or written.  The "Fid" value is what's returned by the server in
> response to an open request; it may well be a number that the server
> arbitrarily assigned when the file was opened (it's only 16 bits, so
> it's unlikely to be a value generated from some internal system-wide
> file ID).
>
> > This information will be held on the client and server somewhere so that it
> > can respond to the received packets. I presume this is buried deep in the
> > low level networking code and there is no way to access it.
>
> Buried deep in the SMB server or client, yes.

----
alanharrison@xxxxxxxx
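
The situation discussed in this thread, as an added example that is not part of the original messages or of Ethereal's code: a capture-side tracker that learns which file a Fid refers to from the open exchange, and returns no name when the capture started after the open. It assumes SMB1 field offsets as documented in MS-CIFS, a single client/server connection, non-Unicode file names and no AndX chaining; the function names and sample messages are constructed for illustration.

```python
import struct

# SMB1 header, 32 bytes little-endian: magic, command, status, flags, flags2,
# PIDHigh, signature, reserved, TID, PIDLow, UID, MID.
HDR = struct.Struct("<4sBIBHH8sHHHHH")
NT_CREATE_ANDX, READ_ANDX, REPLY = 0xA2, 0x2E, 0x80

def header(pkt):
    magic, cmd, status, flags, *_, tid, pid, uid, mid = HDR.unpack_from(pkt)
    if magic != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return cmd, status, bool(flags & REPLY), (tid, pid, uid, mid)

def resolve_reads(packets):
    """Return (TID, Fid, name) per read request; name is None if the open was not captured."""
    pending, names, reads = {}, {}, []
    for pkt in packets:
        cmd, status, is_reply, ids = header(pkt)
        if cmd == NT_CREATE_ANDX and not is_reply:
            (namelen,) = struct.unpack_from("<H", pkt, 38)      # NameLength word
            pending[ids] = pkt[83:83 + namelen].rstrip(b"\0").decode("ascii", "replace")
        elif cmd == NT_CREATE_ANDX and is_reply:
            name = pending.pop(ids, None)       # reply echoes TID/PID/UID/MID
            if name is not None and status == 0:
                (fid,) = struct.unpack_from("<H", pkt, 38)      # Fid assigned by the server
                names[fid] = name
        elif cmd == READ_ANDX and not is_reply:
            (fid,) = struct.unpack_from("<H", pkt, 37)          # Fid the client is reading
            reads.append((ids[0], fid, names.get(fid)))
    return reads

# --- constructed sample messages (not taken from a real capture) ---
def _msg(cmd, reply, ids, body):
    return HDR.pack(b"\xffSMB", cmd, 0, REPLY if reply else 0, 0, 0, bytes(8), 0, *ids) + body

def create_req(ids, name):
    words = struct.pack("<BBBHBH", 24, 0xFF, 0, 0, 0, len(name)) + bytes(41)
    return _msg(NT_CREATE_ANDX, False, ids, words + struct.pack("<H", len(name)) + name)

def create_rsp(ids, fid):
    return _msg(NT_CREATE_ANDX, True, ids, struct.pack("<BBBHBH", 34, 0xFF, 0, 0, 0, fid) + bytes(63))

def read_req(ids, fid):
    return _msg(READ_ANDX, False, ids, struct.pack("<BBBHH", 10, 0xFF, 0, 0, fid) + bytes(16))

def sample_capture():
    a, b = (0x0800, 0x1234, 0x0064, 1), (0x0800, 0x1234, 0x0064, 2)
    return [create_req(a, b"\\report.txt\0"), create_rsp(a, 0x4001), read_req(b, 0x4001)]
```

Passing `sample_capture()[2:]` simulates a capture that began after the open: the read still carries TID and Fid, but nothing on the wire ties that Fid to a name.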