Ronnie,
I've worked out a few more fields in create and close.
close looks like this:
/*
 * Work-in-progress layout of the SMB2 close call as worked out so far:
 * "in" holds the request fields and "out" the reply fields. Members named
 * unknownN have not been identified yet. struct smb2_handle and NTTIME are
 * declared elsewhere.
 */
struct smb2_close {
    struct {
        uint32_t unknown1;
        uint32_t unknown2;
        struct smb2_handle handle; /* presumably the handle being closed -- confirm */
    } in;
    struct {
        /*
         * NOTE(review): suspected to be a 16-bit "buffer format code"
         * followed by 16 bits of padding; the code is thought to say which
         * of the fields below are present. Unconfirmed. If that holds, a
         * decoder should check the code and the remaining reply length
         * before reading any of the following fields.
         */
        uint32_t unknown1;
        uint32_t unknown2; /* suspected padding -- unconfirmed */
        NTTIME create_time;
        NTTIME access_time;
        NTTIME write_time;
        NTTIME change_time;
        uint64_t alloc_size;
        uint64_t size;
        uint32_t file_attr;
    } out;
};
I suspect the unknown2 in the reply is padding. I also suspect the second
16 bits of unknown1 in the reply are padding, leaving just a 16-bit
'buffer format code' which says which of the following pieces of the
close are present.
For create, here is what I have so far:
/*
 * Work-in-progress layout of the SMB2 create call as worked out so far:
 * "in" holds the request fields and "out" the reply fields. Members named
 * unknownN have not been identified yet. struct smb2_handle and NTTIME are
 * declared elsewhere.
 *
 * NOTE(review): "in" carries fname as a C pointer, so this struct is not a
 * byte-for-byte image of the packet; field order follows the notes below.
 */
struct smb2_create {
    struct {
        uint32_t unknown1; /* value noted by the author: 0x09000039 */
        uint32_t unknown2; /* value noted by the author: 2 */
        uint32_t unknown3[4];
        uint32_t access_mask;
        uint32_t file_attr;
        uint32_t share_access;
        uint32_t open_disposition;
        uint32_t create_options;
        /*
         * ofs/len of name here, 16 bits.
         * NOTE(review): whichever side decodes this should validate the
         * offset and length against the received buffer size before
         * reading the name -- exact encoding still to be confirmed.
         */
        uint32_t unknown6;
        const char *fname; /* name of the file to create/open; lifetime and encoding not shown here */
        uint32_t unknown7;
        uint32_t unknown8;
        uint32_t unknown9;
        uint32_t unknown10;
        uint64_t unknown11;
    } in;
    struct {
        /* The fields from unknown1 through file_attr repeat the shape of the close reply. */
        uint32_t unknown1;
        uint32_t unknown2;
        NTTIME create_time;
        NTTIME access_time;
        NTTIME write_time;
        NTTIME change_time;
        uint64_t alloc_size;
        uint64_t size;
        uint32_t file_attr;
        uint32_t unknown3;
        struct smb2_handle handle; /* presumably the handle later passed to close -- confirm */
        uint32_t unknown4;
    } out;
};
so there are still a bunch of unknowns, but fewer than yesterday :-)