OT: Can SMB filenames be well defined for IDS systems?

Christopher R. Hertel crh at ubiqx.mn.org
Thu May 29 02:12:02 GMT 2003

Tim Potter wrote:
> What if I were copying a packet capture of someone copying a .eml file?
> I'm not sure you will catch all filenames at an offset of 200 bytes.
> A packet capture of an NTCreate&X over port 139 looks like:
>   14 bytes ethernet header
>   20 bytes IP header
>   32 bytes TCP header
>    4 bytes NetBIOS header
> followed by the start of the SMB packet.  For port 445 you can get rid
> of the NetBIOS header.

No, you don't, I'm 'fraid.  The four-byte NBT Session Service header (it's
not really a NetBIOS header) is still used even over naked TCP transport.

Of course, that makes things simpler in this case...

Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
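
An added example, not part of the original thread: instead of assuming a fixed byte offset, this Python sketch derives where the SMB header starts from the IP and TCP header-length fields and skips the four-byte session header on both port 139 and port 445. The function names and the constructed sample frame are assumptions for illustration, and it assumes the SMB message starts at the beginning of a single TCP segment (no reassembly).

```python
import struct

SMB_MAGIC = b"\xffSMB"  # first four bytes of every SMB1 header

def smb_offset(frame: bytes):
    """Return the offset of the SMB header in an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                          # too short, or not IPv4
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4             # IP header length, options included
    if ihl < 20 or frame[ip + 9] != 6:       # protocol 6 = TCP
        return None
    tcp = ip + ihl
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    if not {sport, dport} & {139, 445}:
        return None
    doff = (frame[tcp + 12] >> 4) * 4        # TCP header length, options included
    if doff < 20:
        return None
    sess = tcp + doff                        # four-byte session header, on both ports
    if len(frame) < sess + 8 or frame[sess] != 0x00:   # type 0x00 = session message
        return None
    smb = sess + 4
    return smb if frame[smb:smb + 4] == SMB_MAGIC else None

def build_frame(port: int, tcp_opt_len: int = 12) -> bytes:
    """Constructed sample frame (not captured traffic); tcp_opt_len is a multiple of 4."""
    eth = b"\x00" * 12 + b"\x08\x00"
    smb = SMB_MAGIC + b"\xa2" + b"\x00" * 27             # 0xa2 = NT Create AndX
    payload = b"\x00" + len(smb).to_bytes(3, "big") + smb
    doff = 20 + tcp_opt_len
    tcp = struct.pack("!HHIIBBHHH", 1025, port, 0, 0, (doff // 4) << 4,
                      0x18, 8192, 0, 0) + b"\x01" * tcp_opt_len   # NOP padding
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload

if __name__ == "__main__":
    for port, opts in ((139, 12), (445, 12), (445, 0)):
        print(port, opts, smb_offset(build_frame(port, opts)))
```

With a 32-byte TCP header the SMB header lands at the same offset on both ports; dropping the TCP options moves it, which is why a signature keyed to one absolute offset is fragile.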
