Smb2-protocol: [Smb2-protocol] Re: New Extrainfo tag : TWrp

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 6 Feb 2006 10:02:04 +0000
On 2/6/06, tridge@xxxxxxxxx <tridge@xxxxxxxxx> wrote:
> Ronnie,
>
>  > The create flags contained the bit 0x00200000   which I don't know what it
>  > means.
>
> I think that is FILE_OPEN_REPARSE_POINT. See for example:
>
>   http://cvs.xbox-linux.org/viewcvs.py/xbox-linux/xbeboot/types.h?rev=1.3

Thanks, I added all the missing flags.


>
>  > The tag is TWrp
>
> Just a guess, but I suspect 'rp' stands for 'reparse point'

I have added dissection of the 8 bytes as a timestamp now and what I
see is that:

Prior to this call, the client calls an IOCTL to get the list of all
the shadow copies for the filesystem.
Using IOCTL function 0x00144064

One of the shadow copy labels returned is
@GMT-xxx-yyy
Which contains the timestamp of the shadow copy as part of the unicode name.

Then follows a Create to open the '@' file that has the 0x00200000
reparse point bit set and also contains a TWrp extra info field with
the timestamp as an 8 byte NTTIME and not as a unicode string.


So, this is then probably how they open
shadow copies:
First get the copy name and timestamp as a unicode string.
Then convert the unicode string into an 8 byte NTTIME.
Finally pass this timestamp through the Create call as a TWrp
extrainfo field when opening the file '@'.


I will update the wiki.



I have updated Ethereal to dissect this field and also the create bits above.
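The three-step procedure Ronnie describes above (shadow copy label → 8 byte NTTIME → TWrp create context), as an added worked example that is not part of the original mail or of Ethereal's dissector. It assumes the label takes the Windows form @GMT-YYYY.MM.DD-HH.MM.SS (the mail only shows the placeholder @GMT-xxx-yyy) and uses a constructed sample label; the `dissect_twrp` function is the analyst-side inverse that a dissector would perform on the 8 bytes.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample label. The @GMT-YYYY.MM.DD-HH.MM.SS form is an assumption
# taken from how Windows names shadow copies; the mail shows only @GMT-xxx-yyy.
SAMPLE_LABEL = "@GMT-2006.02.05-23.30.00"

# Gap between the NTTIME epoch (1601-01-01 UTC) and the Unix epoch (1970-01-01 UTC),
# expressed in 100-nanosecond ticks.
NTTIME_EPOCH_OFFSET = 116444736000000000
TICKS_PER_SECOND = 10_000_000

_GMT_LABEL = re.compile(
    r"^@GMT-(\d{4})\.(\d{2})\.(\d{2})-(\d{2})\.(\d{2})\.(\d{2})$"
)


def gmt_label_to_nttime(label):
    """Step 1+2: parse an @GMT shadow copy label and return its NTTIME (ticks since 1601)."""
    m = _GMT_LABEL.match(label)
    if not m:
        raise ValueError("not an @GMT shadow copy label: %r" % label)
    year, month, day, hour, minute, second = (int(x) for x in m.groups())
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(dt.timestamp()) * TICKS_PER_SECOND + NTTIME_EPOCH_OFFSET


def twrp_extra_info(label):
    """Step 3: the 8 little-endian bytes a client places in the TWrp create context."""
    return struct.pack("<Q", gmt_label_to_nttime(label))


def dissect_twrp(data):
    """Dissector side: turn the 8 TWrp bytes back into a UTC datetime.

    A TWrp context with any other length is malformed; refuse it rather than
    silently reading a partial timestamp.
    """
    if len(data) != 8:
        raise ValueError("TWrp payload must be exactly 8 bytes, got %d" % len(data))
    (nttime,) = struct.unpack("<Q", data)
    unix_seconds = (nttime - NTTIME_EPOCH_OFFSET) // TICKS_PER_SECOND
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


if __name__ == "__main__":
    token = twrp_extra_info(SAMPLE_LABEL)
    print(SAMPLE_LABEL, "->", token.hex(), "->", dissect_twrp(token).isoformat())
```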