
Wireshark-users: [Wireshark-users] FIND_FIRST2 not being parsed correctly?

From: Jeremy M <jrmymllr@xxxxxxxxxxx>
Date: Sat, 30 Aug 2008 08:12:06 -0400
I seem to be having problems with Wireshark parsing a FIND_FIRST2 response from Samba.  I am using Wireshark 1.0.2 that was downloaded just a few days ago.  The FIND_FIRST2 responses generated by Samba for requests from my Win2000 computer are parsed just fine by Wireshark.  But, Win2000 uses Unicode and the messages in question use ASCII.  The requests in question are generated by an embedded project I'm working on, which is asking for ASCII and not Unicode responses.

It's very possible that there are some problems with the request I'm sending to Samba, but Samba does respond, and I would hope that Samba generates valid messages.  The Samba I'm using is fairly new, within the past year.  I'm  not sure of the version, though.  Below is the response from Samba.  As can be seen, Wireshark is having issues decoding Level of Interest, and off the FIND_FIRST2 data.


No.     Time        Source                Destination           Protocol Info
     19 2.831074    192.168.0.2           192.168.0.169         SMB      Trans2 Response, FIND_FIRST2, Files:

Frame 19 (250 bytes on wire, 250 bytes captured)
Ethernet II, Src: 00:1c:c0:26:6c:19 (00:1c:c0:26:6c:19), Dst: 00:00:00:00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.169 (192.168.0.169)
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 1026 (1026), Seq: 228, Ack: 294, Len: 196
NetBIOS Session Service
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 18]
        [Time from request: 0.018977000 seconds]
        SMB Command: Trans2 (0x32)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x88
        Flags2: 0x0041
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 1
        Process ID: 0
        User ID: 0
        Multiplex ID: 0
    Trans2 Response (0x32)
        Subcommand: FIND_FIRST2 (0x0001)
        [Level of Interest: Unknown (4294967295)]
        Word Count (WCT): 10
        Total Parameter Count: 10
        Total Data Count: 124
        Reserved: 0000
        Parameter Count: 10
        Parameter Offset: 56
        Parameter Displacement: 0
        Data Count: 124
        Data Offset: 68
        Data Displacement: 0
        Setup Count: 0
        Reserved: 00
        Byte Count (BCC): 137
        Padding: 00
        FIND_FIRST2 Parameters
            Level of Interest: Unknown (4294967295)
            Search ID: 0xfffd
            Search Count: 7
            End Of Search: 1
            EA Error offset: 0
            Last Name Offset: 104
        Padding: 0000
        FIND_FIRST2 Data
            Unknown Data: 1000000000000000020000002E0000001000000000000000...

0000  00 00 00 00 00 00 00 1c c0 26 6c 19 08 00 45 10   .........&l...E.
0010  00 ec b6 d5 40 00 40 06 01 2b c0 a8 00 02 c0 a8   ....@.@..+......
0020  00 a9 01 bd 04 02 e6 a8 30 ae 00 00 01 40 50 18   ........0....@P.
0030  40 00 1f 40 00 00 00 00 00 c0 ff 53 4d 42 32 00   @..@.......SMB2.
0040  00 00 00 88 41 00 00 00 00 00 00 00 00 00 00 00   ....A...........
0050  00 00 01 00 00 00 00 00 00 00 0a 0a 00 7c 00 00   .............|..
0060  00 0a 00 38 00 00 00 7c 00 44 00 00 00 00 00 89   ...8...|.D......
0070  00 00 fd ff 07 00 01 00 00 00 68 00 00 00 10 00   ..........h.....
0080  00 00 00 00 00 00 02 00 00 00 2e 00 00 00 10 00   ................
0090  00 00 00 00 00 00 03 00 00 00 2e 2e 00 00 14 00   ................
00a0  00 00 00 00 00 00 08 00 00 00 70 72 69 76 61 74   ..........privat
00b0  65 00 10 00 00 00 00 00 00 00 04 00 00 00 74 6d   e.............tm
00c0  70 00 10 00 00 00 00 00 00 00 04 00 00 00 75 73   p.............us
00d0  72 00 14 00 00 00 00 00 00 00 07 00 00 00 70 75   r.............pu
00e0  62 6c 69 63 00 00 14 00 00 00 00 00 00 00 07 00   blic............
00f0  00 00 31 32 2e 6d 70 33 00 00                     ..12.mp3..
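
Added example (not part of the original post and not Wireshark's dissector code): a bounds-checked walk over the 124 bytes that Wireshark shows as "Unknown Data", taken from frame offsets 0x7e-0xf9 of the dump above. The per-entry layout (NextEntryOffset, FileIndex, FileNameLength, then an ASCII name) is an assumption read off the bytes, and the function and constant names are hypothetical.

```python
import struct

# FIND_FIRST2 data bytes copied from the hex dump above (frame offsets 0x7e-0xf9).
DATA = bytes.fromhex(
    "1000000000000000020000002e000000"          # "."
    "1000000000000000030000002e2e0000"          # ".."
    "1400000000000000080000007072697661746500"  # "private"
    "100000000000000004000000746d7000"          # "tmp"
    "10000000000000000400000075737200"          # "usr"
    "1400000000000000070000007075626c69630000"  # "public"
    "14000000000000000700000031322e6d70330000"  # "12.mp3"
)
SEARCH_COUNT = 7        # "Search Count" from the FIND_FIRST2 parameters
LAST_NAME_OFFSET = 104  # "Last Name Offset" from the FIND_FIRST2 parameters


def parse_entries(data, count):
    """Return (offset, file_index, name) for each entry.

    Assumed layout per entry: NextEntryOffset, FileIndex, FileNameLength
    (three little-endian u32), then FileNameLength bytes of ASCII name.
    """
    entries, off = [], 0
    for _ in range(count):
        if off + 12 > len(data):
            raise ValueError(f"entry header at {off} runs past the data")
        next_off, index, name_len = struct.unpack_from("<III", data, off)
        name_end = off + 12 + name_len
        if name_end > len(data):
            raise ValueError(f"name at {off} runs past the data")
        name = data[off + 12:name_end].rstrip(b"\x00").decode("ascii")
        entries.append((off, index, name))
        # In this capture the final entry still carries a nonzero
        # NextEntryOffset, so the count bounds the loop, not a zero marker.
        if next_off == 0:
            break
        if next_off < 12 + name_len:
            raise ValueError(f"NextEntryOffset {next_off} at {off} overlaps the name")
        off += next_off
    return entries


if __name__ == "__main__":
    for off, index, name in parse_entries(DATA, SEARCH_COUNT):
        print(f"{off:4d}  index={index}  {name}")
```

The offset of the seventh entry comes out equal to the Last Name Offset field, and the entry sizes sum to the Data Count of 124, so the response is internally consistent under the assumed layout.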

