Smb2-protocol: [Smb2-protocol] Re: a first look at SMB2

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 28 Nov 2005 22:45:57 +0000
An easy way to find these packets is to first apply the display filter
smb2.cmd==0x0b
to just see the transaction calls,

then CTRL-F, select Hex-Value and Packet-Bytes, and specify 17c01100
as the search string.



On 11/28/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> On 11/25/05, tridge@xxxxxxxxx
> > We've also implemented all of the
> > above in libcli/smb2/ except for
> > cancel, notify, break and lock.
>
> I then assume you have discovered what the 4 bytes prior to the FID in
> Transaction request is?
>
> I believe this is a field that details what kind of transaction is used
> and it is only dce/rpc if these four bytes are 17.c0.11.00 .
> Can you verify if dcerpc breaks if you use a different value using your
> client?
>
>
> Also for Notify I have guessed what most of the fields are.
>
>
> Please see the Discussion section for SMB2/Transaction and SMB2/Notify
> on the wiki where I have put the current guesswork
>
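
The two-step search described in this message (command 0x0b, then the bytes 17c01100), as an added Python example that is not part of the original mail or of the Ethereal or Samba code. It checks the four bytes at their fixed position before the FID instead of anywhere in the packet. It assumes the layout later published in MS-SMB2 (64-byte header, command at offset 12, the four bytes at body offset 4, followed by a 16-byte FID); classify and build_sample are hypothetical names and the sample messages are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"                     # protocol id that starts every SMB2 header
SMB2_HEADER_LEN = 64                        # assumption: fixed header size (MS-SMB2)
CMD_TRANSACTION = 0x0B                      # the command selected by smb2.cmd==0x0b
DCERPC_MARKER = bytes.fromhex("17c01100")   # the hex string searched for in the mail


def classify(msg: bytes) -> str:
    """Classify one raw SMB2 message (TCP/NetBIOS framing already removed)."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        return "not-smb2"
    (command,) = struct.unpack_from("<H", msg, 12)   # 16-bit little-endian command
    if command != CMD_TRANSACTION:
        return "other-command"
    body = msg[SMB2_HEADER_LEN:]
    # Need 4 leading bytes, the 4-byte marker and the 16-byte FID after it.
    if len(body) < 24:
        return "truncated"
    # Compare at the fixed offset so the same bytes inside payload data
    # do not produce a false match, unlike a whole-packet hex search.
    if body[4:8] == DCERPC_MARKER:
        return "dcerpc-transaction"
    return "other-transaction"


def build_sample(command: int, marker: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed SMB2 message; all other header fields are zero."""
    header = bytearray(SMB2_HEADER_LEN)
    header[:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 12, command)
    fid = bytes(range(16))                           # constructed FID value
    body = struct.pack("<HH", 57, 0) + marker + fid + payload
    return bytes(header) + body


if __name__ == "__main__":
    samples = {
        "rpc over transaction": build_sample(0x0B, DCERPC_MARKER),
        "other transaction": build_sample(0x0B, bytes(4), payload=DCERPC_MARKER),
        "different command": build_sample(0x05, DCERPC_MARKER),
    }
    for name, raw in samples.items():
        print(f"{name:22s} -> {classify(raw)}")
```

The second sample carries 17c01100 only in its payload, so a whole-packet hex search would match it while the fixed-offset check does not.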