Wireshark · Smb2-protocol: [Smb2-protocol] Find command and flags

Smb2-protocol: [Smb2-protocol] Find command and flags

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>

Date: Fri, 18 Nov 2005 08:03:58 +0000

Looking at traces it seems the Find command is stateful in the same
way  GetInfo/SMB2_FILE_INFO_0f  reading EAs are.


The first two bytes after the two byte buffercode  change
between the values 0 1 2 3  for each of the two bytes.


for example   ifstest   1065/1088
These bytes have the values
0x01 0x02    and this reads one entry at a time until STATUS_NO_MORE_FILES


1142/1143   a single call with the values
0x03 0x01 which reads several entries (all of them)
followed by
0x03 0x00 where client tries to read the rest?   but gets NO_MORE_FILES



==>
Byte 2     I only saw these two values:
0x01   Read one entry
0x03   Read several entries

Byte 3
0x00   Continue reading
0x01   Read from the beginning
0x02
0x03   Only had this value when pattern was a specific single file  
i.e. no wildcards


I have not enought data to correlate more exact but it could be  if set
Byte 2:
0x01    this bit always set
0x02    read several entries

Byte 3:
0x01    read from the beginning
0x02   ???

Follow-Ups:
- [Smb2-protocol] Re: Find command and flags
  - From: ronnie sahlberg

Prev by Date: [Smb2-protocol] smb qfi level 1018
Next by Date: [Smb2-protocol] Re: Find command and flags
Previous by thread: [Smb2-protocol] Re: smb qfi level 1018
Next by thread: [Smb2-protocol] Re: Find command and flags
Index(es):
- Date
- Thread