
Smb2-protocol: [Smb2-protocol] Re: Two more smb2 header flags

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Tue, 7 Feb 2006 12:00:42 +1100
Ah,


Flag 0x02 is  "ProcessID is valid"

See attached capture for a transaction with Notify and Cancel where this bit is used.
This bit is also set for Ioctl and Reads to named pipes when they also return STATUS_PENDING. These replies also have a valid (non-0xfffe) PID value.


All other packets I have seen always specify this bit as clear and ProcessID as 0xfffe, which is likely some default value.




On 2/7/06, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
List,


Looking at traces I have spotted two conditions where two additional flags in the header are used.
Prior to this, the only flag I know of is the one that indicates whether a PDU is a response or not.

0x08
====
In the same byte as the response flag I see the bit 0x08.
This bit is set in two SessionSetup commands where the last 16 bytes of the header (immediately following the UID) are set to a non-zero value.
The SessionSetup response in question is the 4th and final SessionSetup packet during NTLMSSP authentication.

This happens in two SessionSetup authentications I have seen so far.
These are the only two packets I have where these 16 bytes are set to a non-zero value. Both of them have the bit 0x08 set.
All other packets have these 16 bytes as all zero and all of them have bit 0x08  clear.

These 16 bytes do look very random, but in one of the packets the 16-byte blob has two values that each occur twice in the same 16-byte blob,
which does not really look like the entropy I would expect from a purely random (good crypto) blob.

This could be some sort of signature? And the bit 0x08 indicates whether the signature field is used or if it is 0.



0x02
====
For the commands that do not complete immediately but are initially responded to with STATUS_PENDING, with a real response sent later,
both the STATUS_PENDING packet and the following real response have bit 0x02 set.

No other packets I have seen have this bit set.


Please come up with good names I can use for these bits temporarily in Ethereal (until their usage is confirmed).




Attachment: smb2_notify_cancel.cap
Description: Binary data
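The following is an added example written for this archive page; it is not code from the post, from the attached capture, or from Ethereal/Wireshark. It parses the fixed 64-byte SMB2 header and checks each message against the three correlations Ronnie reports above: bit 0x08 is set exactly when the trailing 16 bytes are non-zero, bit 0x02 is set exactly when ProcessID is not the 0xfffe placeholder, and a STATUS_PENDING response carries bit 0x02. The field names, the little-endian reading of the placeholder, the command numbers and the sample messages are this example's assumptions and constructed data. As a point outside the page: the later public MS-SMB2 specification documents 0x02 as SMB2_FLAGS_ASYNC_COMMAND and 0x08 as SMB2_FLAGS_SIGNED, so the provisional names below are only labels for the check.

```python
import struct

# SMB2 header layout assumed by this example (the post itself only names ProcessID,
# the UID and the trailing 16 bytes); the field sizes total 64 bytes.
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
FIELD_NAMES = (
    "protocol_id", "structure_size", "credit_charge", "status", "command",
    "credits", "flags", "next_command", "message_id", "process_id",
    "tree_id", "session_id", "signature",
)

# Flag bits discussed in the thread. Provisional labels for this example only;
# MS-SMB2 later names 0x02 SMB2_FLAGS_ASYNC_COMMAND and 0x08 SMB2_FLAGS_SIGNED.
FLAG_RESPONSE = 0x01
FLAG_PID_VALID = 0x02
FLAG_SIGNED = 0x08

STATUS_PENDING = 0x00000103
STATUS_CANCELLED = 0xC0000120
# Value the post reports in ProcessID when 0x02 is clear; reading it as a
# little-endian 32-bit integer is an assumption of this example.
PLACEHOLDER_PID = 0xFFFE
ZERO_SIGNATURE = b"\x00" * 16

CMD_NEGOTIATE = 0x0000
CMD_SESSION_SETUP = 0x0001
CMD_CANCEL = 0x000C
CMD_NOTIFY = 0x000F


def parse_header(buf):
    """Unpack the fixed 64-byte SMB2 header into a dict, rejecting non-SMB2 input."""
    if len(buf) < SMB2_HEADER_LEN:
        raise ValueError("buffer shorter than an SMB2 header")
    hdr = dict(zip(FIELD_NAMES, struct.unpack(SMB2_HEADER_FMT, buf[:SMB2_HEADER_LEN])))
    if hdr["protocol_id"] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 header")
    if hdr["structure_size"] != SMB2_HEADER_LEN:
        raise ValueError("unexpected StructureSize %d" % hdr["structure_size"])
    return hdr


def check_flag_observations(hdr):
    """Return the ways a header contradicts the correlations reported in the thread.

    An empty list means the header matches all three observations:
      1. bit 0x08 is set exactly when the trailing 16 bytes are non-zero,
      2. bit 0x02 is set exactly when ProcessID is not the placeholder value,
      3. a STATUS_PENDING response carries bit 0x02.
    """
    findings = []
    signed = bool(hdr["flags"] & FLAG_SIGNED)
    if signed != (hdr["signature"] != ZERO_SIGNATURE):
        findings.append("0x08=%d but signature %s zero" % (signed, "is" if signed else "is not"))
    pid_valid = bool(hdr["flags"] & FLAG_PID_VALID)
    if pid_valid == (hdr["process_id"] == PLACEHOLDER_PID):
        findings.append("0x02=%d but ProcessID is 0x%x" % (pid_valid, hdr["process_id"]))
    is_response = bool(hdr["flags"] & FLAG_RESPONSE)
    if is_response and hdr["status"] == STATUS_PENDING and not pid_valid:
        findings.append("STATUS_PENDING response without 0x02")
    return findings


def build_header(command, flags, status=0, message_id=0,
                 process_id=PLACEHOLDER_PID, session_id=0, signature=ZERO_SIGNATURE):
    """Pack a header for constructed test traffic (not bytes from the attached capture)."""
    return struct.pack(SMB2_HEADER_FMT, SMB2_PROTOCOL_ID, SMB2_HEADER_LEN, 0, status,
                       command, 1, flags, 0, message_id, process_id, 0, session_id, signature)


def audit(messages):
    """Parse each raw message and map its index to the list of findings for it."""
    return {i: check_flag_observations(parse_header(m)) for i, m in enumerate(messages)}


# Constructed sample traffic mirroring the cases described in the post.
SAMPLE_SIGNATURE = bytes.fromhex("3f9a1c77d2e0b4515a7c3f9ad2e08e21")  # made-up 16 bytes
SAMPLES = [
    # Negotiate request: neither bit set, placeholder ProcessID, zero trailing bytes
    build_header(CMD_NEGOTIATE, 0, message_id=0),
    # Final SessionSetup response of the NTLMSSP exchange: 0x08 set, trailing 16 bytes non-zero
    build_header(CMD_SESSION_SETUP, FLAG_RESPONSE | FLAG_SIGNED, message_id=4,
                 session_id=0x1234, signature=SAMPLE_SIGNATURE),
    # Interim STATUS_PENDING reply to Notify: 0x02 set, real ProcessID
    build_header(CMD_NOTIFY, FLAG_RESPONSE | FLAG_PID_VALID, status=STATUS_PENDING,
                 message_id=7, process_id=0x1A, session_id=0x1234),
    # Real Notify response after a Cancel: 0x02 still set, same ProcessID
    build_header(CMD_NOTIFY, FLAG_RESPONSE | FLAG_PID_VALID, status=STATUS_CANCELLED,
                 message_id=7, process_id=0x1A, session_id=0x1234),
    # Deliberately inconsistent: 0x08 set but the trailing 16 bytes are all zero
    build_header(CMD_SESSION_SETUP, FLAG_RESPONSE | FLAG_SIGNED, message_id=9),
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLES).items():
        print(idx, findings or "consistent with the thread's observations")
```

Running the block flags only the last constructed message; feeding it the 64-byte headers from a real capture instead of SAMPLES would show whether the two correlations hold beyond the traces the post describes.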