Wireshark-dev: [Wireshark-dev] Fw: SMB Parsers
From: big dev <bigdev272@xxxxxxxxx>
Date: Sat, 21 Feb 2009 03:09:24 +0530
Any ideas Folks

Dev

On Fri, Feb 20, 2009 at 4:41 AM, big dev <bigdev272@xxxxxxxxx> wrote:
Hi Folks

I am trying to understand the notion of parsing a SMB packet under wireshark, espcially the flags2 field in  the smb header. This is a 16bit value where we have 14 flags with 2 reserved bits but wireshark interprets only 10. not sure if we aggregate the fields. For example if I look at SMB signing in the Protocol C and R Negotiate (SMB_COM_NEGOTIATE), the wireshark parses it as SMB signing is enabled or disabled or required where as these are two seperate fields.

whereas if I compare the same with network monitor the flags are parsed to the entirety with all 16 fields shown as shown below.

 Flags2: 51205 (0xC805)
      KnowsLongFiles:   (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
      ExtendedAttribs:  (..............0.) Does NOT understand extended attributes (SMB_FLAGS2_KNOWS_EAS)
      SignEnabled:      (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
      Compressed:       (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)
      SignRequired:     (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
      Reserved_bit5:    (..........0.....) Reserved (Must Be Zero)
      LongFileNames:    (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)
      Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)
      ReparsePath:      (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)
      ExtSecurity:      (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
      Dfs:              (...0............) NO DFS namespace (SMB_FLAGS2_DFS)
      Paging:           (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)
      StatusCodes:      (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
      Unicode:          (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)

So while reading the trace how do I interpret these and are there any plans of modifying t he same.

Thanks and Regards
Dev