[cifs-protocol] Strange behaviours in NT Create AndX Request

Adam Simpkins simpkins at neopathnetworks.com
Mon Mar 27 21:14:40 GMT 2006

On Mon, Mar 27, 2006 at 04:22:11PM +0100, Joseph Kuan wrote:
>    I am really sorry for sending a stream of emails but I keep finding 
> strange things that are not documented in any CIFS books & documents.
> Two things don't look right to me in NT_CREATE_ANDX request (generated 
> from WinXP Pro). I inspect the packets with ethereal and tcpdump.
> - AndXOffset has the value of 57054!! (0xdede)

The AndXOffset is ignored if the AndXCommand is 0xff (which means no
AndX command is present).

> - A strange extra byte appears after the ByteCount. I check the byte 
> stream and an extra byte does exist after byte count. The unicode flag in 
> request is set but the ByteCount value on ethereal shows 27 (I expect 
> plural number because of utf-16), but tcpdump shows 26. As far as I know 
> this is nothing to do with padding, as padding happens before the byte 
> count, according to the book in 'Implementing CIFS'.
> Has anyone come across this before?

The client is probably sending Unicode path names.  In nearly all
requests that contain Unicode path names, the path name is padded so
that it is 2-byte aligned.  This extra byte is just padding.  Windows
clients frequently seem to leave the padding uninitialized to some
random value.

Adam Simpkins
simpkins at neopathnetworks.com
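
The two points in the reply above, shown as a defensive parser. This is an added example, not code from the original post or from any CIFS implementation. It assumes the standard 24-word NT_CREATE_ANDX request layout with alignment measured from the start of the SMB header; the sample message and file name are constructed.

```python
import struct

HEADER_LEN = 32              # fixed SMB1 header, starts with 0xFF 'S' 'M' 'B'
NT_CREATE_ANDX = 0xA2
FLAGS2_UNICODE = 0x8000
NO_ANDX = 0xFF               # AndXCommand value meaning "no chained command"

def parse_nt_create_andx(msg: bytes) -> dict:
    """Parse one request; offsets are relative to the start of the SMB header."""
    words = HEADER_LEN + 1                    # parameter words follow WordCount
    data = words + 48 + 2                     # 24 words, then 2-byte ByteCount
    if len(msg) < data or msg[:4] != b"\xffSMB" or msg[4] != NT_CREATE_ANDX:
        raise ValueError("not an NT_CREATE_ANDX request")
    if msg[HEADER_LEN] != 24:
        raise ValueError("unexpected WordCount")
    (flags2,) = struct.unpack_from("<H", msg, 10)
    andx_command, _, andx_offset, _, name_len = struct.unpack_from("<BBHBH", msg, words)
    (byte_count,) = struct.unpack_from("<H", msg, words + 48)
    if data + byte_count > len(msg):
        raise ValueError("ByteCount runs past the end of the message")
    # AndXOffset is only meaningful when a chained command is present.
    next_offset = None
    if andx_command != NO_ANDX:
        if not data + byte_count <= andx_offset < len(msg):
            raise ValueError("AndXOffset out of range")
        next_offset = andx_offset
    # Unicode names are 2-byte aligned; the pad byte's value is never read.
    is_unicode = bool(flags2 & FLAGS2_UNICODE)
    pad = 1 if is_unicode and data % 2 else 0
    if pad + name_len > byte_count:
        raise ValueError("NameLength does not fit in ByteCount")
    raw = msg[data + pad:data + pad + name_len]
    name = raw.decode("utf-16-le" if is_unicode else "ascii", errors="replace")
    return {"name": name, "name_len": name_len, "byte_count": byte_count,
            "pad": pad, "next_offset": next_offset}

def build_sample(andx_command=NO_ANDX, andx_offset=0xDEDE, pad_byte=0x7B) -> bytes:
    """Constructed request: Unicode name, 26-byte NameLength, ByteCount 27."""
    name = "\\testfile.txt".encode("utf-16-le")
    header = (b"\xffSMB" + bytes([NT_CREATE_ANDX]) + bytes(4) + b"\x18"
              + struct.pack("<H", FLAGS2_UNICODE) + bytes(20))
    words = struct.pack("<BBHBH", andx_command, 0, andx_offset, 0, len(name)) + bytes(41)
    return (header + b"\x18" + words + struct.pack("<H", 1 + len(name))
            + bytes([pad_byte]) + name)

if __name__ == "__main__":
    print(parse_nt_create_andx(build_sample()))
```

The data area begins at offset 83 from the SMB header, which is odd, so a Unicode name always picks up one pad byte here and ByteCount is NameLength plus one.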
