Good morning Zachary - thanks for your questions. We have created the following 
case to track our work on those:

SRX091217600064 [MS-CIFS] OPEN_ANDX undocumented flag with 19 word count

I expect the lack of documentation in [MS-CIFS] concerning your questions is 
due to the relationship between CIFS and SMB, and because the flags and fields 
in question are SMB extensions to CIFS. I will dig deeper into this and will 
update you as soon as I can.

Here is some initial information for you concerning where the flags and fields 
in question are documented:

SRX091217600064 [MS-CIFS] OPEN_ANDX undocumented flag with 19 word count

The SMB_COM_OPEN_ANDX.Flags SMB_OPEN_EXTENDED_RESPONSE (0x0010) flag is 
documented here:

2.2.10 SMB_COM_OPEN_ANDX Client Request Extension
http://msdn.microsoft.com/en-us/library/cc246255.aspx

The WordCount value of 19 is documented here:

3.3.5.6 Receiving an SMB_COM_OPEN_ANDX Request (Obsolete)
http://msdn.microsoft.com/en-us/library/cc246463.aspx

The ServerField is documented here:

2.2.11 SMB_COM_OPEN_ANDX Server Response Extension
http://msdn.microsoft.com/en-us/library/cc246256.aspx

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Zachary Loafman [mailto:zachary.loaf...@isilon.com] 
Sent: Thursday, December 17, 2009 10:18 AM
To: Interoperability Documentation Help
Cc: p...@tridgell.net; cifs-proto...@samba.org
Subject: OPEN_ANDX undocumented flag with 19 word count response

If the client adds a 0x10 flag in the Flags field of SMB_COM_OPEN_ANDX, a 
Windows server will send back an alternate 19 WordCount response. Neither the 
0x10 flag nor the 19 WordCount response is documented in MS-CIFS.

Wireshark can't handle the flag or response, but netmon seems to document it. 
The flag is documented as "RESP_EXTENDED_OPEN_ANDX reply", and the reply seems 
to contain the MaxAccessRights (as the torture test expects, too). Both the 
flag and response need to be documented, though.

Also, the MS-CIFS OPEN_ANDX documentation doesn't mention ServerFID, but both 
netmon and wireshark think that the first ULONG worth of the Reserved field is 
actually "ServerFID," whatever that is.

I've attached a short pcap demonstrating the extended response. You can 
reproduce this at will with the smbtorture RAW-OPEN test.

--
Zach Loafman | Staff Engineer
Isilon Systems    D +1-206-315-7570    F +1-206-315-7485
www.isilon.com    P +1-206-315-7500    M +1-206-422-3461

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
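
A strict parser for the two SMB_COM_OPEN_ANDX response shapes discussed in this thread (WordCount 15 and the extended WordCount 19), added here as an example; it is not code from the thread, Samba, Wireshark or Microsoft. Field names other than ServerFID are assumed from the commonly documented response layout (the thread's "MaxAccessRights" appears as MaximalAccessRights), rejecting an unsolicited 19-word reply is a strictness choice of this example, and the sample bytes are constructed.

```python
import struct

SMB_OPEN_EXTENDED_RESPONSE = 0x0010  # request Flags bit named in the thread

# Assumed layout: 15 base words (30 bytes), then 4 extra words (8 bytes)
# when the server sends the extended, 19-word form.
BASE = struct.Struct("<BBHHHIIHHHHIH")
EXT = struct.Struct("<II")
BASE_NAMES = ("AndXCommand", "AndXReserved", "AndXOffset", "FID", "FileAttrs",
              "LastWriteTime", "FileDataSize", "AccessRights", "ResourceType",
              "NMPipeStatus", "OpenResults", "ServerFID", "Reserved")


def parse_open_andx_response(params: bytes, request_flags: int) -> dict:
    """Parse the response parameter block, starting at the WordCount byte."""
    if not params:
        raise ValueError("empty parameter block")
    word_count = params[0]
    if word_count not in (15, 19):
        raise ValueError(f"unexpected WordCount {word_count}")
    # Strictness choice: a 19-word reply is only valid if we asked for it.
    if word_count == 19 and not request_flags & SMB_OPEN_EXTENDED_RESPONSE:
        raise ValueError("extended response without 0x0010 in request Flags")
    words = params[1:1 + 2 * word_count]
    if len(words) != 2 * word_count:
        raise ValueError("parameter block shorter than WordCount claims")
    out = dict(zip(BASE_NAMES, BASE.unpack_from(words, 0)))
    out["WordCount"] = word_count
    if word_count == 19:
        max_rights, guest_rights = EXT.unpack_from(words, BASE.size)
        out["MaximalAccessRights"] = max_rights
        out["GuestMaximalAccessRights"] = guest_rights
    return out


def build_sample(word_count: int) -> bytes:
    """Constructed sample bytes, not taken from the pcap in the thread."""
    base = BASE.pack(0xFF, 0, 0, 0x4001, 0x20, 0, 1024, 2, 0, 0, 1, 0x1234, 0)
    ext = EXT.pack(0x001F01FF, 0) if word_count == 19 else b""
    return bytes([word_count]) + base + ext


if __name__ == "__main__":
    reply = parse_open_andx_response(build_sample(19), SMB_OPEN_EXTENDED_RESPONSE)
    print(hex(reply["ServerFID"]), hex(reply["MaximalAccessRights"]))
```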
