Any ideas Folks
Dev
On Fri, Feb 20, 2009 at 4:41 AM, big dev
<bigdev272@xxxxxxxxx> wrote:
Hi Folks
I am trying to understand the notion of parsing a SMB packet under wireshark, espcially the flags2 field in the smb header. This is a 16bit value where we have 14 flags with 2 reserved bits but wireshark interprets only 10. not sure if we aggregate the fields. For example if I look at SMB signing in the Protocol C and R Negotiate (SMB_COM_NEGOTIATE), the wireshark parses it as SMB signing is enabled or disabled or required where as these are two seperate fields.
whereas if I compare the same with network monitor the flags are parsed to the entirety with all 16 fields shown as shown below.
Flags2: 51205 (0xC805)
KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
ExtendedAttribs: (..............0.) Does NOT understand extended attributes (SMB_FLAGS2_KNOWS_EAS)
SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)
SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
Reserved_bit5: (..........0.....) Reserved (Must Be Zero)
LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME)
Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)
ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH)
ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS)
Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)
StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)
So while reading the trace how do I interpret these and are there any plans of modifying t he same.
Thanks and Regards
Dev