Hi Folks I am trying to understand the notion of parsing a SMB packet under wireshark, espcially the flags2 field in the smb header. This is a 16bit value where we have 14 flags with 2 reserved bits but wireshark interprets only 10. not sure if we aggregate the fields. For example if I look at SMB signing in the Protocol C and R Negotiate (SMB_COM_NEGOTIATE), the wireshark parses it as SMB signing is enabled or disabled or required where as these are two seperate fields.
whereas if I compare the same with network monitor the flags are parsed to the entirety with all 16 fields shown as shown below. Flags2: 51205 (0xC805) KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES) ExtendedAttribs: (..............0.) Does NOT understand extended attributes (SMB_FLAGS2_KNOWS_EAS) SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE) Compressed: (............0...) Compression Disabled for REQ_NT_WRITE_ANDX and RESP_READ_ANDX (SMB_FLAGS2_COMPRESSED) SignRequired: (...........0....) Security Signatures are NOT required (SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED) Reserved_bit5: (..........0.....) Reserved (Must Be Zero) LongFileNames: (.........0......) DO NOT use Long File Names (SMB_FLAGS2_IS_LONG_NAME) Reserved_bits7_9: (......000.......) Reserved (Must Be Zero) ReparsePath: (.....0..........) NOT a Reparse path (SMB_FLAGS2_REPARSE_PATH) ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY) Dfs: (...0............) NO DFS namespace (SMB_FLAGS2_DFS) Paging: (..0.............) Read operation will NOT be permitted unless user has permission (NO Paging IO) (SMB_FLAGS2_PAGING_IO) StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS) Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE) So while reading the trace how do I interpret these and are there any plans of modifying t he same. Thanks and Regards Dev
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe