Wireshark · Smb2-protocol: [Smb2-protocol] Re: Notify

Smb2-protocol: [Smb2-protocol] Re: Notify

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>

Date: Sat, 26 Nov 2005 00:32:28 +0000

Assuming those 4 bytes are the completion filter,   there are still
"missing" fields for

maimum amount of data returned

and

watch tree

Byte 2 of the PDU is either 0 or 1   so i guess this is the watchtree flag.

Bytes 4-7 always has the value 0x20
could this be the max amount of dynamic data to return?    such as a
list of filenames etc.
If it is too small the response is truncated?

On 11/26/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> The first 4 bytes after the FID in Notify request looks like it is the
> completion filter.
>
> I see both 0x03 and 0x17 here which would be normal values to see for
> a standard directory watch.
>
> 0x03:   watch filename, directoryname
> 0x17:   watch fileanme,dirname,attributes,lastwrite
>
>
> looks the same as for Notify in SMB
>

References:
- [Smb2-protocol] Notify
  - From: ronnie sahlberg

Prev by Date: [Smb2-protocol] Notify
Next by Date: [Smb2-protocol] Re: a first look at SMB2
Previous by thread: [Smb2-protocol] Notify
Next by thread: [Smb2-protocol] SMB2 opcode 0x0b is NOT transaction it is IOCTL !
Index(es):
- Date
- Thread