Smb2-protocol: [Smb2-protocol] Two more smb2 header flags
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
List,
Looking at traces I have spotted two conditions where two additional flags in the header are used.
Prior to this, the only flag I know of is the one that indicates whether a PDU is a response or not.
0x08
====
In the same byte as the response flags I see the bit 0x08.
This bit is set in two SessionSetup commands where the last 16 bytes of the header (immediately following the UID) are set to a non-zero value.
The SessionSetup response in question is the 4th and final SessionSetup packet during NTLMSSP authentication.
This happens in two SessionSetup authentications I have seen so far.
These are the only two packets I have where these 16 bytes are set to a non-zero value. Both of them have the bit 0x08 set.
All other packets have these 16 bytes as all zero and all of them have bit 0x08 clear.
These 16 bytes do look very random, but in one of the packets the 16-byte blob has two values that both occur twice in the same 16-byte blob, which would not really look like the entropy I would expect from a purely random (good crypto) blob.
This could be some sort of signature? and the bit 0x08 indicates whether the signature field is used or if it is 0.
0x02
====
For the commands that do not complete immediately but are initially responded to with STATUS_PENDING, and for which a real response is sent later, both the STATUS_PENDING packet and the following real response have bit 0x02 set.
No other packets I have seen have this bit set.
Please come up with good names I can use for these bits temporarily in Ethereal (until their usage is confirmed).
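
Added example (not part of the original post and not Ethereal code): a small Python check that decodes the three flag bits discussed above and tests, per header, whether bit 0x08 is set exactly when the last 16 bytes of the header are non-zero. The offsets assume the 64-byte SMB2 header as later documented in MS-SMB2 (flags as a 32-bit little-endian field at offset 16); the working flag names, helper functions and sample headers are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 64   # assumption: fixed 64-byte SMB2 header (MS-SMB2 layout)
FLAGS_OFF = 16    # assumption: 32-bit little-endian flags field
SIG_OFF = 48      # the last 16 bytes of the header

# Working names (hypothetical); MS-SMB2 later documented these bits as noted.
FLAG_RESPONSE = 0x01  # SMB2_FLAGS_SERVER_TO_REDIR
FLAG_PENDING = 0x02   # SMB2_FLAGS_ASYNC_COMMAND
FLAG_SIGBLOB = 0x08   # SMB2_FLAGS_SIGNED


def inspect_header(pdu: bytes) -> dict:
    """Decode the flag bits and test the 0x08 <-> non-zero blob correlation."""
    if len(pdu) < HEADER_LEN or pdu[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 header")
    (flags,) = struct.unpack_from("<I", pdu, FLAGS_OFF)
    blob_set = any(pdu[SIG_OFF:HEADER_LEN])
    return {
        "response": bool(flags & FLAG_RESPONSE),
        "pending": bool(flags & FLAG_PENDING),
        "blob_flag": bool(flags & FLAG_SIGBLOB),
        "blob_nonzero": blob_set,
        "consistent": bool(flags & FLAG_SIGBLOB) == blob_set,
    }


def make_header(flags: int, blob: bytes = bytes(16)) -> bytes:
    """Build a constructed 64-byte header (test data, not captured traffic)."""
    hdr = bytearray(HEADER_LEN)
    hdr[:4] = SMB2_MAGIC
    struct.pack_into("<H", hdr, 4, HEADER_LEN)    # StructureSize
    struct.pack_into("<I", hdr, FLAGS_OFF, flags)
    hdr[SIG_OFF:HEADER_LEN] = blob                # blob must be 16 bytes
    return bytes(hdr)


def find_violations(pdus):
    """Indexes of PDUs where bit 0x08 and the 16-byte blob disagree."""
    return [i for i, p in enumerate(pdus) if not inspect_header(p)["consistent"]]


# Constructed samples mirroring the cases in the post, plus one anomaly.
SAMPLES = [
    make_header(0x00),                       # request, blob all zero
    make_header(0x09, bytes(range(1, 17))),  # final SessionSetup response
    make_header(0x03),                       # STATUS_PENDING response
    make_header(0x01, bytes(range(1, 17))),  # blob set but 0x08 clear
]
```

Running `find_violations` over headers extracted from a capture lists every PDU that breaks the correlation described in the post, which is also a quick way to spot traffic carrying a populated 16-byte field without the flag, or the flag without the field.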