Looking through my captures I find the following pattern for the 4
bytes prior to the FID in both the requests and responses:
17.c0.11.00
all these contain DCERPC. All DCERPC traffic has this value.
00.00.00.00
all responses that do not contain any buffers but instead return an
NT_STATUS !=0
94.01.06.00
c8.01.14.00
These all occur for transactions where the FID is
ffffffff-ffffffff-ffffffff-ffffffff; all requests with this FID have
one of these two values.
The C8... form is used when the payload contains the string
\PIPE\LANMAN while the other form is used when the payload contains
\<IPADDRESS>\filename
None of these seem to complete successfully so I have no idea about
the response payload.
af.01.09.00
These all take 8 bytes as out data and all operate on the file ""
the share itself?
All responses are error STATUS_NOT_SUPPORTED
c0.00.09.00
The requests never provide any out data. The responses always return
64 bytes of in data.
This command succeeds both for real files as well as for ""
64.40.14.00
only used on real files?
No out data.
Returns a variable amount of in data
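As an added example (not code from the post), here is a small decoder that reads each of the 4-byte groups above as a little-endian Windows CTL_CODE value and splits it into device type, access, function number and transfer method, which is how these values become readable. The assumption that the bytes are an I/O control code is mine, and a name is only filled in for the values whose standard definition I am sure of; the others are left unnamed rather than guessed.

```python
import struct
from dataclasses import dataclass

# Names only for codes whose standard CTL_CODE value is certain;
# everything else is reported as "unnamed" instead of guessed.
KNOWN_CODES = {
    0x0011C017: "FSCTL_PIPE_TRANSCEIVE",          # the 17.c0.11.00 (DCERPC) form
    0x00060194: "FSCTL_DFS_GET_REFERRALS",         # the 94.01.06.00 form
    0x000900C0: "FSCTL_CREATE_OR_GET_OBJECT_ID",   # the c0.00.09.00 form (64-byte reply)
    0x00144064: "FSCTL_SRV_ENUMERATE_SNAPSHOTS",   # the 64.40.14.00 form
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

@dataclass
class CtlCode:
    value: int
    device_type: int   # bits 31..16
    access: int        # bits 15..14
    function: int      # bits 13..2
    method: int        # bits 1..0
    name: str

def parse_dotted(text: str) -> bytes:
    """Turn the post's 'aa.bb.cc.dd' notation into the four raw bytes."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 dotted bytes, got {text!r}")
    return bytes(int(p, 16) for p in parts)

def decode_ctl_code(raw: bytes) -> CtlCode:
    """Decode 4 little-endian bytes as a Windows CTL_CODE (assumed layout)."""
    (value,) = struct.unpack("<I", raw)
    return CtlCode(value=value,
                   device_type=(value >> 16) & 0xFFFF,
                   access=(value >> 14) & 0x3,
                   function=(value >> 2) & 0xFFF,
                   method=value & 0x3,
                   name=KNOWN_CODES.get(value, "unnamed"))

def describe(text: str) -> str:
    c = decode_ctl_code(parse_dotted(text))
    return (f"{text} -> 0x{c.value:08X} {c.name}: device=0x{c.device_type:04X} "
            f"function={c.function} {METHODS[c.method]} {ACCESS[c.access]}")

if __name__ == "__main__":
    for code in ("17.c0.11.00", "00.00.00.00", "94.01.06.00", "c8.01.14.00",
                 "af.01.09.00", "c0.00.09.00", "64.40.14.00"):
        print(describe(code))
```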