Ah,
Flag 0x02 is "ProcessID is valid"
See attached capture for a transaction with Notify and Cancel where this bit is used.
This bit is also set for Ioctl and Reads to named pipes when they also return STATUS_PENDING. These replies also have a valid (non-0xfffe) PID value.
All other packets I have seen always specify this bit as clear and ProcessID as 0xfffe, which is likely some default value.
On 2/7/06, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
List,
Looking at traces I have spotted two conditions where two additional flags in the header are used.
Prior to this, the only flag I know of is the one that indicates whether a PDU is a response or not.
0x08
====
In the same byte as the response flag I see the bit 0x08.
This bit is set in two SessionSetup commands where the last 16 bytes of the header (immediately following the UID) are set to a non-zero value.
The SessionSetup response in question is the 4th and final SessionSetup packet during NTLMSSP authentication.
This happens in two SessionSetup authentications I have seen so far.
These are the only two packets I have where these 16 bytes are set to a non-zero value. Both of them have the bit 0x08 set.
All other packets have these 16 bytes as all zero and all of them have bit 0x08 clear.
These 16 bytes do look very random, but in one of the packets the 16-byte blob has two values that both occur twice in the same 16-byte blob, which would not really look like the entropy I would expect from a purely random (good crypto) blob.
This could be some sort of signature, and the bit 0x08 indicates whether the signature field is used or if it is 0?
0x02
====
For the commands that do not complete immediately but are initially responded to with STATUS_PENDING and later a real response is sent, both the STATUS_PENDING packet and the following real response have bit 0x02 set.
No other packets I have seen have this bit set.
Please come up with good names I can use for these bits temporarily in Ethereal (until their usage is confirmed).
Attachment: smb2_notify_cancel.cap (binary data)
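As an added illustration, not code from Ethereal or from the poster, here is a small Python inspector that decodes a 64-byte SMB2 header and checks the two correlations the thread describes: bit 0x08 against whether the 16 bytes following the UID are non-zero, and bit 0x02 against whether ProcessID is something other than the 0xfffe default. It assumes the header layout that MS-SMB2 later documented (Flags at offset 16, ProcessId at 32, SessionId at 40, Signature at 48), where these bits are named SMB2_FLAGS_ASYNC_COMMAND and SMB2_FLAGS_SIGNED. The sample headers are constructed here rather than taken from the attached capture, and the "repeated 32-bit word" count is only the crude non-randomness hint the thread mentions, not a real entropy test.

```python
"""Inspect SMB2 header flag bits 0x02 and 0x08 against the fields they
are believed to govern. Added example; assumes the MS-SMB2 header layout.
All sample headers below are constructed, not captured."""
import struct
from collections import Counter

SMB2_MAGIC = b"\xfeSMB"
FLAG_RESPONSE = 0x01     # response bit already known in the thread
FLAG_PID_VALID = 0x02    # thread's "ProcessID is valid" bit (SMB2_FLAGS_ASYNC_COMMAND)
FLAG_SIGNED = 0x08       # thread's "signature field is used" bit (SMB2_FLAGS_SIGNED)
DEFAULT_PID = 0xFFFE     # ProcessID value the thread observed when 0x02 is clear
STATUS_PENDING = 0x00000103
HEADER_LEN = 64

# Command numbers as documented in MS-SMB2.
CMD_SESSION_SETUP = 0x0001
CMD_READ = 0x0008
CMD_NOTIFY = 0x000F

# Layout after the 4-byte magic: StructureSize, CreditCharge, Status, Command,
# Credits, Flags, NextCommand, MessageId, ProcessId, TreeId, SessionId (44 bytes),
# followed by the 16-byte Signature at offset 48.
_HDR_FMT = "<HHIHHIIQIIQ"


def build_header(command, flags, status=0, pid=DEFAULT_PID, tid=1,
                 sid=0x1122334455667788, msg_id=1, signature=bytes(16)):
    """Construct a 64-byte SMB2 header (sample data, not from a capture)."""
    if len(signature) != 16:
        raise ValueError("signature must be 16 bytes")
    body = struct.pack(_HDR_FMT, HEADER_LEN, 0, status, command, 1,
                       flags, 0, msg_id, pid, tid, sid)
    return SMB2_MAGIC + body + signature


def parse_smb2_header(buf):
    """Decode the header and apply the two flag heuristics from the thread."""
    if len(buf) < HEADER_LEN or buf[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 header")
    (_size, _charge, status, command, _credits, flags, _next_cmd,
     msg_id, pid, tid, sid) = struct.unpack_from(_HDR_FMT, buf, 4)
    signature = buf[48:64]
    sig_nonzero = any(signature)
    anomalies = []
    # Heuristic 1: 0x08 set if and only if the trailing 16 bytes are non-zero.
    if bool(flags & FLAG_SIGNED) != sig_nonzero:
        anomalies.append("0x08 does not match signature field")
    # Heuristic 2: 0x02 set if and only if ProcessID is not the 0xfffe default.
    if bool(flags & FLAG_PID_VALID) != (pid != DEFAULT_PID):
        anomalies.append("0x02 does not match ProcessID field")
    # The thread noticed a blob where two 32-bit values each occurred twice;
    # count repeated words as a weak "not very random" hint.
    repeated = 0
    if sig_nonzero:
        words = struct.unpack("<4I", signature)
        repeated = sum(1 for n in Counter(words).values() if n > 1)
    return {
        "command": command, "status": status, "flags": flags,
        "is_response": bool(flags & FLAG_RESPONSE),
        "pid_valid": bool(flags & FLAG_PID_VALID),
        "signed": bool(flags & FLAG_SIGNED),
        "pid": pid, "tid": tid, "session_id": sid, "message_id": msg_id,
        "pending": status == STATUS_PENDING,
        "signature_nonzero": sig_nonzero,
        "repeated_signature_words": repeated,
        "anomalies": anomalies,
    }


# Constructed sample headers mirroring the cases described in the thread.
SAMPLES = {
    "read_response": build_header(CMD_READ, FLAG_RESPONSE),
    "sessionsetup_final": build_header(
        CMD_SESSION_SETUP, FLAG_RESPONSE | FLAG_SIGNED,
        signature=bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")),
    "sessionsetup_repeats": build_header(
        CMD_SESSION_SETUP, FLAG_RESPONSE | FLAG_SIGNED,
        signature=bytes.fromhex("a1b2c3d4e5f60718a1b2c3d4e5f60718")),
    "notify_pending": build_header(
        CMD_NOTIFY, FLAG_RESPONSE | FLAG_PID_VALID,
        status=STATUS_PENDING, pid=0x1234),
    # Deliberately inconsistent: 0x08 set but the signature bytes are zero.
    "bad_signed_flag": build_header(CMD_READ, FLAG_RESPONSE | FLAG_SIGNED),
}


def inspect_all(samples=SAMPLES):
    """Parse every sample and return the per-header findings."""
    return {name: parse_smb2_header(hdr) for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, info in inspect_all().items():
        print(f"{name:22} flags=0x{info['flags']:02x} pid=0x{info['pid']:04x} "
              f"signed={info['signed']} repeats={info['repeated_signature_words']} "
              f"anomalies={info['anomalies']}")
```

Running the block prints one line per constructed header; the only header reported with an anomaly is the deliberately inconsistent one, and the SessionSetup header built with two repeated words reports `repeats=2`, the pattern the thread found suspicious.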