[cifs-protocol] Strange behaviours in NT Create AndX Request

Joseph Kuan joe.kuan at itheon.com
Mon Mar 27 15:22:11 GMT 2006

Hi all,

    I am really sorry sending a stream of emails but I keep finding 
strange things that are not documented in any CIFS books & documents.

Two things don't look right to me in NT_CREATE_ANDX request (generated 
from WinXP Pro). I inspect the packets with ethereal and tcpdump.

- AndXOffset has the value of 57054!! (0xdede)

- A strange extra byte appears after the ByteCount. I check the byte 
stream and an extra does exist after byte count. The unicode flag in 
request is set but the ByteCount value on ethereal shows 27 (I expect 
plural number because of utf-16), but tcpdump shows 26. As far as I know 
this is nothing to do with padding, as padding happens before the byte 
count, according to the book in 'Implementing CIFS'.

Has anyone come across this before?

Many thanks

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error
please notify the system manager.

This footnote also confirms that this email message has been 
swept for the presence of viruses using SOPHOS.


More information about the cifs-protocol mailing list