[Wireshark-dev] SMB Parsers

big dev Thu, 19 Feb 2009 15:13:21 -0800

Hi Folks

I am trying to understand the notion of parsing a SMB packet under
wireshark, espcially the flags2 field in  the smb header. This is a 16bit
value where we have 14 flags with 2 reserved bits but wireshark interprets
only 10. not sure if we aggregate the fields. For example if I look at SMB
signing in the Protocol C and R Negotiate (SMB_COM_NEGOTIATE), the wireshark
parses it as SMB signing is enabled or disabled or required where as these
are two seperate fields.


whereas if I compare the same with network monitor the flags are parsed to
the entirety with all 16 fields shown as shown below.

 Flags2: 51205 (0xC805)
      KnowsLongFiles:   (...............1) Understands Long File Names
(SMB_FLAGS2_KNOWS_LONG_NAMES)
      ExtendedAttribs:  (..............0.) Does NOT understand extended
attributes (SMB_FLAGS2_KNOWS_EAS)
      SignEnabled:      (.............1..) Security signatures enabled
(SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
      Compressed:       (............0...) Compression Disabled for
REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED)
      SignRequired:     (...........0....) Security Signatures are NOT
required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
      Reserved_bit5:    (..........0.....) Reserved (Must Be Zero)
      LongFileNames:    (.........0......) DO NOT use Long File Names
(SMB_FLAGS2_IS_LONG_NAME)
      Reserved_bits7_9: (......000.......) Reserved (Must Be Zero)
      ReparsePath:      (.....0..........) NOT a Reparse path
(SMB_FLAGS2_REPARSE_PATH)
      ExtSecurity:      (....1...........) Aware of extended security
(SMB_FLAGS2_EXTENDED_SECURITY)
      Dfs:              (...0............) NO DFS namespace (SMB_FLAGS2_DFS)
      Paging:           (..0.............) Read operation will NOT be
permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO)
      StatusCodes:      (.1..............) Using 32-bit NT status error
codes (SMB_FLAGS2_NT_STATUS)
      Unicode:          (1...............) Using UNICODE strings
(SMB_FLAGS2_UNICODE)

So while reading the trace how do I interpret these and are there any plans
of modifying t he same.

Thanks and Regards
Dev

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe

[Wireshark-dev] SMB Parsers

Reply via email to