Smb2-protocol: [Smb2-protocol] SMB2 opcode 0x0b is NOT transaction it is IOCTL !

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Thu, 1 Dec 2005 10:04:13 +1100
Looking more at the "transaction" calls
and the four mysterious bytes prior to the fid for a dce/rpc "17.c0.11.00",
I looked at some of the other values I have spotted that are for non-dcerpc traffic and this is what I found:

c0.00.09.00 : No data in the request, it returns 64 bytes of data. Operates on both "" as well as normal files.

But 0x000900c0 in SMB ioctl is
         {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"},
Pop the other values into http://www.osronline.com/article.cfm?article=229
and it all makes sense.

00.14.01.c8 decodes to device:NetworkFileSystem function:0x72 Access:file_any_access Method:method_buffered

0x0011c017 (the dcerpc one) decodes to device:NamedPipe function:5 access:read_write method:method_neither

Coincidence? I doubt it.

I will rename this function to IOCTL in both ethereal and the wiki and advise you to do the same.

The 4 bytes prior to the FID is definitely the IOCTL value   and not pipeflags.
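The decoding Ronnie does by hand above follows the Windows CTL_CODE layout (device type in bits 31..16, required access in bits 15..14, function number in bits 13..2, transfer method in bits 1..0). The script below is an added example, not ethereal/Wireshark code, that performs that decode on the values quoted in the mail: it reads the four little-endian bytes that sit before the FID (the "c0.00.09.00" notation used in the mail), and splits the resulting control code into its fields. The device-type names, method names and access names follow the DDK constants; FSCTL_PIPE_TRANSCEIVE as the name of 0x0011C017 is the standard Windows name and is not stated in the mail. The third value, "00.14.01.c8", is passed as the integer 0x001401c8 because that is the value the mail decodes (device 0x14, function 0x72).

```python
# Decoder for Windows I/O control codes as they appear in SMB2 IOCTL requests.
# Added example; not part of the ethereal/Wireshark dissector.
#
# CTL_CODE layout (Windows DDK CTL_CODE macro):
#   bits 31..16  device type (FILE_DEVICE_*)
#   bits 15..14  required access (FILE_ANY_ACCESS=0, READ=1, WRITE=2, READ|WRITE=3)
#   bits 13..2   function number
#   bits  1..0   transfer method (BUFFERED=0, IN_DIRECT=1, OUT_DIRECT=2, NEITHER=3)
import struct

# Only the device types that occur in the thread; others are printed as hex.
DEVICE_TYPES = {
    0x0009: "FileSystem",         # FILE_DEVICE_FILE_SYSTEM
    0x0011: "NamedPipe",          # FILE_DEVICE_NAMED_PIPE
    0x0014: "NetworkFileSystem",  # FILE_DEVICE_NETWORK_FILE_SYSTEM
}
METHODS = {0: "method_buffered", 1: "method_in_direct",
           2: "method_out_direct", 3: "method_neither"}
ACCESS = {0: "file_any_access", 1: "file_read_access",
          2: "file_write_access", 3: "read_write"}

# Names for the codes discussed in the mail. FSCTL_PIPE_TRANSCEIVE is the
# standard Windows name for 0x0011C017 (not stated in the mail itself).
KNOWN_CODES = {
    0x000900C0: "FSCTL_CREATE_OR_GET_OBJECT_ID",
    0x0011C017: "FSCTL_PIPE_TRANSCEIVE",
}


def decode_ctl_code(code):
    """Split a 32-bit control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "device": DEVICE_TYPES.get(device, "0x%04x" % device),
        "function": function,
        "access": ACCESS[access],
        "method": METHODS[method],
        "name": KNOWN_CODES.get(code),
    }


def ctl_code_from_wire(raw):
    """The four bytes before the FID carry the control code as a little-endian uint32."""
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes, got %d" % len(raw))
    return struct.unpack("<I", raw)[0]


def describe_wire_bytes(dotted):
    """Accept the 'c0.00.09.00' byte notation used in the mail and decode it."""
    raw = bytes(int(b, 16) for b in dotted.split("."))
    code = ctl_code_from_wire(raw)
    return code, decode_ctl_code(code)


if __name__ == "__main__":
    # Sample inputs taken from the mail (wire byte order as written there).
    for sample in ("c0.00.09.00", "17.c0.11.00"):
        code, info = describe_wire_bytes(sample)
        print("%s -> 0x%08x %s" % (sample, code, info))
    # Value the mail decodes as device:NetworkFileSystem function:0x72.
    print("0x001401c8 ->", decode_ctl_code(0x001401C8))
```

Running it reproduces the three decodes from the mail: 0x000900c0 is FileSystem / function 0x30 / any access / buffered (FSCTL_CREATE_OR_GET_OBJECT_ID), 0x0011c017 is NamedPipe / function 5 / read_write / method_neither, and 0x001401c8 is NetworkFileSystem / function 0x72 / any access / buffered. A dissector can apply the same split to label any control code it has no name for, which is also a quick way to spot unexpected device types or functions in a capture.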