Smb2-protocol: [Smb2-protocol] Re: create blob

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Sat, 19 Nov 2005 03:05:11 +0000
I have checked in changes to Ethereal to decode this.

I have yet to update and document this in the wiki.


On 11/18/05, tridge@xxxxxxxxx <tridge@xxxxxxxxx> wrote:
> I've decoded the blob at the end of create requests and responses.
>
> It's a 'chained blob' format, consisting of a list of blobs with
> string tag names on each blob. The two tags that I have seen are
> 'ExtA' and 'MxAc'. The ExtA tag is for a blob containing a set of
> extended attributes to put on the file, in chained ea_list format.
>
> At first I thought the MxAc blob was a security descriptor, but it
> turns out to be a placeholder that asks the server to return the
> maximum allowed access mask in the create reply. The server then adds
> a MxAc blob containing 8 bytes: the 2nd 4 bytes are the maximum access
> mask, and the first 4 bytes are unknown (I've only seen zeros).
>
> The chained blob format itself is like this:
>
> uint32 chain_offset /* offset to next blob */
> uint16 tag_offset   /* offset to tag name */
> uint32 tag_length   /* length of the tag name */
> uint16 data_offset  /* offset to blob data */
> uint32 data_length  /* length of blob data */
> TAG                 /* ascii string tag, not terminated */
> uint32 pad?
> DATA                /* the blob data */
> padding to 8 byte alignment
>
> I've only seen 4 char tag names, but given the tag name length
> is included the format seems to support other lengths.
>
> On the last blob in the chain the chain_offset is zero.
>
> Cheers, Tridge
>
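
A bounds-checked parser for the chained blob layout described in the quoted message, as an added example that is not part of the original thread and is not Ethereal's dissector code. It assumes little-endian fields and offsets measured from the start of each entry; `parse_chain`, `build_entry` and `max_access` are hypothetical names, and the sample buffers are constructed rather than captured.

```python
import struct

# chain_offset, tag_offset, tag_length, data_offset, data_length (little-endian assumed)
HEADER = struct.Struct("<IHIHI")

def parse_chain(buf):
    """Return [(tag, data), ...]; raise ValueError on any out-of-bounds field."""
    entries, pos = [], 0
    while True:
        if pos + HEADER.size > len(buf):
            raise ValueError(f"entry header at {pos} runs past end of buffer")
        chain_off, tag_off, tag_len, data_off, data_len = HEADER.unpack_from(buf, pos)
        # An entry ends where the next one starts, or at the buffer end for the last one.
        end = pos + chain_off if chain_off else len(buf)
        if chain_off and (chain_off < HEADER.size or chain_off % 8 or end > len(buf)):
            raise ValueError(f"bad chain_offset {chain_off} at {pos}")
        for name, off, length in (("tag", tag_off, tag_len), ("data", data_off, data_len)):
            # Assumption: offsets are relative to the start of this entry.
            if length and (off < HEADER.size or pos + off + length > end):
                raise ValueError(f"{name} range out of bounds in entry at {pos}")
        entries.append((buf[pos + tag_off:pos + tag_off + tag_len],
                        buf[pos + data_off:pos + data_off + data_len]))
        if chain_off == 0:  # last blob in the chain
            return entries
        pos = end  # chain_off >= 16, so the loop always advances

def build_entry(tag, data, last):
    """Construct one entry: header, TAG, 4-byte pad, DATA, padding to 8 bytes."""
    data_off = HEADER.size + len(tag) + 4
    total = (data_off + len(data) + 7) & ~7
    hdr = HEADER.pack(0 if last else total, HEADER.size, len(tag), data_off, len(data))
    return (hdr + tag + b"\0" * 4 + data).ljust(total, b"\0")

def max_access(entries):
    """Maximum access mask from a reply's MxAc blob (second 4 bytes), or None."""
    for tag, data in entries:
        if tag == b"MxAc" and len(data) == 8:
            return struct.unpack_from("<I", data, 4)[0]
    return None

# Constructed sample buffers (the EA bytes and the mask value are made up).
REQUEST = build_entry(b"ExtA", b"\x01\x02\x03", last=False) + build_entry(b"MxAc", b"", last=True)
REPLY = build_entry(b"MxAc", struct.pack("<II", 0, 0x001F01FF), last=True)
```
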