OT: Can SMB filenames be well defined for IDS systems?
Christopher R. Hertel
crh at ubiqx.mn.org
Thu May 29 02:12:02 GMT 2003
Tim Potter wrote:
> What if I were copying a packet capture of someone copying a .eml file?
> I'm not sure you will catch all filenames at an offset of 200 bytes.
> A packet capture of an NTCreate&X over port 139 looks like:
> 14 bytes ethernet header
> 20 bytes IP header
> 32 bytes TCP header
> 4 bytes NetBIOS header
> followed by the start of the SMB packet. For port 445 you can get rid
> of the NetBIOS header.
No, you don't, I'm 'fraid. The four byte NBT Session Service header (it's
not really a NetBIOS header) is still used even over naked TCP transport.
Of course, that makes things simpler in this case...
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
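
An added example, not part of the original thread: rather than matching at a fixed byte offset, an IDS rule can compute where the SMB header starts from the IP and TCP header lengths, skip the four-byte session header (present on port 139 and port 445 alike), and then read the NT_CREATE_ANDX name. The function names and the sample frames are constructed for illustration; the sketch assumes Ethernet II, IPv4, and an SMB1 request that fits in one TCP segment.

```python
import struct

SMB_MAGIC, NT_CREATE_ANDX = b"\xffSMB", 0xA2

def smb_offset(frame: bytes) -> int:
    """Offset of the SMB header in an Ethernet II / IPv4 / TCP frame."""
    try:
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            raise ValueError("not IPv4/TCP")
        tcp = 14 + (frame[14] & 0x0F) * 4       # IP header length varies
        nbt = tcp + (frame[tcp + 12] >> 4) * 4  # TCP header length varies
        # Four-byte session header: type 0x00 (session message) + length,
        # used on port 139 and on port 445.
        if frame[nbt] != 0x00 or frame[nbt + 4:nbt + 8] != SMB_MAGIC:
            raise ValueError("no SMB session message at computed offset")
    except IndexError:
        raise ValueError("truncated frame") from None
    return nbt + 4

def nt_create_name(frame: bytes):
    """Filename from an NT_CREATE_ANDX request, or None for anything else."""
    smb = smb_offset(frame)
    if len(frame) < smb + 83 or frame[smb + 4] != NT_CREATE_ANDX:
        return None
    if frame[smb + 32] != 24:                   # WordCount 24 = request form
        return None
    uni = struct.unpack_from("<H", frame, smb + 10)[0] & 0x8000  # Flags2
    (name_len,) = struct.unpack_from("<H", frame, smb + 38)      # NameLength
    # 32-byte header + WordCount + 48 parameter bytes + ByteCount = 83,
    # plus one pad byte to align a UTF-16 name.
    start = smb + 83 + (1 if uni else 0)
    raw = frame[start:start + name_len]
    if len(raw) != name_len:
        return None                             # name runs into a later segment
    return raw.decode("utf-16-le" if uni else "ascii", "replace")

def build_frame(name: str, tcp_opts: bytes = b"") -> bytes:
    """Constructed sample frame, not a real capture; checksums left zero."""
    raw = name.encode("utf-16-le")
    hdr = SMB_MAGIC + bytes([NT_CREATE_ANDX]) + bytes(5) + b"\x00\x80" + bytes(20)
    words = b"\xff" + bytes(4) + struct.pack("<H", len(raw)) + bytes(41)
    data = b"\x00" + raw                        # pad byte + name
    smb = hdr + b"\x18" + words + struct.pack("<H", len(data)) + data
    nbt = struct.pack("!I", len(smb))           # type 0x00 + length
    tcp = (struct.pack("!HH", 1025, 445) + bytes(8)
           + bytes([(20 + len(tcp_opts)) // 4 << 4]) + bytes(7) + tcp_opts)
    ip = b"\x45" + bytes(8) + b"\x06" + bytes(10)
    return bytes(12) + b"\x08\x00" + ip + tcp + nbt + smb

if __name__ == "__main__":
    for opts in (bytes(12), b""):               # 32-byte vs 20-byte TCP header
        f = build_frame("\\mail\\note.eml", opts)
        print(smb_offset(f), nt_create_name(f))
```

With the 32-byte TCP header from the quoted layout the SMB header lands at byte 70; without TCP options it lands at byte 58, which is why a fixed offset misses some frames.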