[cifs-protocol] Strange behaviours in NT Create AndX Request
Joseph Kuan
joe.kuan at itheon.com
Mon Mar 27 15:22:11 GMT 2006
Hi all,
I am really sorry sending a stream of emails but I keep finding
strange things that are not documented in any CIFS books & documents.
Two things don't look right to me in NT_CREATE_ANDX request (generated
from WinXP Pro). I inspect the packets with ethereal and tcpdump.
- AndXOffset has the value of 57054!! (0xdede)
- A strange extra byte appears after the ByteCount. I check the byte
stream and an extra does exist after byte count. The unicode flag in
request is set but the ByteCount value on ethereal shows 27 (I expect
plural number because of utf-16), but tcpdump shows 26. As far as I know
this is nothing to do with padding, as padding happens before the byte
count, according to the book in 'Implementing CIFS'.
Has anyone come across this before?
Many thanks
Joe
******************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error
please notify the system manager.
This footnote also confirms that this email message has been
swept for the presence of viruses using SOPHOS.
http://www.itheon.com
******************************************************************
More information about the cifs-protocol
mailing list