
Smb2-protocol: Re: [Smb2-protocol] more flags...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Wed, 8 Feb 2006 20:06:59 +1100
Hm.

Let me retract that.


There is some sort of structure to these bytes, but I have a hard time making heads or tails out of them.
Maybe they are some sort of flags field after all.


I did spot one thing that is semi-consistent though across my captures.
Bit 0x01 in the first byte of the opcode field.

This bit is set for all replies
EXCEPT when you get multiple replies due to STATUS_PENDING
OR during the 4-packet SessionSetup/NTLMSSP dance.

In both those exceptions, one of the replies will have the bit set and the other will have it clear.


Could this bit in replies mean something like "ACK that this command sequence number has been received and is being/has completed execution"?


There is indeed some pattern to it.




On 2/8/06, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
I think those two bytes are just uninitialized data.

In several captures I have, I see completely different patterns; sometimes the request contains the same value for several calls, then they use other values.

In some sequences I have, the requests have
6F00 and the responses 0100;
other sequences in the same capture are
7E00 and the responses are 0100.

In other sequences the responses start going 0100 0200 0300 0400, then jump back to 0100 for the rest of the trace.




On 2/7/06, Stefan (metze) Metzmacher <metze@xxxxxxxxx> wrote:

Hi *,

I just noticed that the 2 bytes between opcode and flags,
are also some kind of flags,

it's 0x0030 for requests and 0x0001 for normal replies
(in samba4 both are 0x0000)

it's also 0x0000 in a response with STATUS_CANCELLED

metze

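As an added example (not code from this thread or from the Ethereal project): a small tally of the two bytes that follow the opcode, grouped by direction and status, run over constructed headers that use the values quoted above. It assumes the 64-byte header layout later published in MS-SMB2, where these two bytes are the credit request/response field; the `build` helper and the sample command codes are hypothetical.

```python
import struct
from collections import Counter

# Assumed layout (published MS-SMB2 header, not stated in the thread):
# ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2)
# two bytes under discussion(2) Flags(4), then 44 more bytes = 64 total.
HDR = struct.Struct("<4sHHIHHI")
SERVER_TO_REDIR = 0x00000001    # Flags bit set on responses
STATUS_CANCELLED = 0xC0000120


def parse(header: bytes) -> dict:
    """Pull direction, status, command and the two disputed bytes from a header."""
    if len(header) < 64:
        raise ValueError("truncated SMB2 header")
    magic, size, _charge, status, command, field, flags = HDR.unpack_from(header)
    if magic != b"\xfeSMB" or size != 64:
        raise ValueError("not an SMB2 header")
    return {"response": bool(flags & SERVER_TO_REDIR),
            "status": status, "command": command, "field": field}


def tally(headers) -> Counter:
    """Count how often each field value occurs per (direction, status)."""
    counts = Counter()
    for raw in headers:
        p = parse(raw)
        direction = "response" if p["response"] else "request"
        counts[(direction, p["status"], p["field"])] += 1
    return counts


def build(command, field, status=0, response=False) -> bytes:
    """Hypothetical helper: construct a sample header for the demo."""
    flags = SERVER_TO_REDIR if response else 0
    return HDR.pack(b"\xfeSMB", 64, 0, status, command, field, flags).ljust(64, b"\0")


# Constructed samples using the values quoted in the thread.
SAMPLES = [
    build(0x0005, 0x0030),                       # request
    build(0x0005, 0x0001, response=True),        # normal reply
    build(0x000F, 0x0030),                       # request that gets cancelled
    build(0x000F, 0x0000, status=STATUS_CANCELLED, response=True),
]

if __name__ == "__main__":
    for (direction, status, field), n in sorted(tally(SAMPLES).items()):
        print(f"{direction:8} status=0x{status:08X} field=0x{field:04X} x{n}")
```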