SMB NT IOCTL Codes / API / Reference ?

Tim Potter tpot at
Fri Jun 4 01:01:59 GMT 2004

On Thu, Jun 03, 2004 at 08:42:26PM -0400, William R. Lorenz wrote:

> I will indeed try to do some NT IOCTL call sniffing and see what two Win2k
> boxen do when talking to each other.  I have a feeling that this call is
> something ordinary that can just be given a static SMB response of sorts.  
> 
> The tricky part is going to be figuring out which part of packet signifies
> the NT IOCTL hexadecimal code so that I can blaze up the packet sniffer.  
> I know that poking around in the code will probably take hours of time,
> but maybe there's some kind of SMB spec that has the packet structures?

There is the SNIA SMB specification (oops, Technical Reference) at if you
are interested in the nitty gritty.

I would recommend taking your network capture and running it through
ethereal.  You should be able to see all the ioctls by using a filter 
string of 'smb.nt.ioctl.function'.  Hopefully entering this string into
the filter text area and hitting apply should bring up a list of SMB ioctl
packets in your capture.  Then you can start the really interesting part of
working out what the request and response data means.  (-:

> Do you know whether this NT IOCTL call is in fact being made by the SQL
> Server specifically, or is it something embedded in the SMB functionality?  

It could really be either.  Sometimes the CIFS redirector generates multiple
SMB calls per command, and sometimes there is a straightforward mapping
between win32 api calls and what appears on the wire.  If I had to guess 
I would say that an ioctl would be the result of some particular api call 
as ioctls seem to be used for "out of band" type operations like shadow 
copy, quotas and other stuff.

> I did quite a bit of poking around into NT IOCTL references today and the
> associated Microsoft Windows DDK (Driver Development Kit), but I'm still
> left with a few questions with regards to NT IOCTL implementation and
> whether it's the applications or Win2k itself generating these IOCTL
> calls.  Do unimplemented NT IOCTL calls come up often as a result of them
> not having been found in action before, or is this an unordinary thing?

I'm not really sure.  (-:  CIFS clients have a habit of gracefully falling
back when they discover a particular smb/ioctl/rpc call is not present on
the server they are talking to.
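
The question of "which part of the packet signifies the NT IOCTL code" can be answered directly from the SMB1 wire layout that the SNIA reference (and later MS-CIFS) documents: the ioctl rides in an NT_TRANSACT request (command 0xA0) whose Function word is 0x0002, and the control code is the first two setup words that follow. The following Python is an added example written for this thread, not code from Samba or from either poster; it builds one such request inline from constructed values, parses it back out the way a dissector would, and splits the control code into the DeviceType/Access/Function/Method fields that the DDK's CTL_CODE macro packs. The small name table and the byte layout of the header and transaction words are taken from the public CIFS documentation; everything else (field values, the FID, the payload) is made up for the example.

```python
import struct

SMB_COM_NT_TRANSACT = 0xA0   # SMB1 command byte for NT_TRANSACT
NT_TRANSACT_IOCTL = 0x0002   # NT_TRANSACT subcommand (Function) for NT_IOCTL

# A few well-known control codes, so parsed packets get a readable label.
# Unknown codes are reported as such rather than guessed at.
KNOWN_CTL_CODES = {
    0x0011400C: "FSCTL_PIPE_PEEK",
    0x0011C017: "FSCTL_PIPE_TRANSCEIVE",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x00144064: "FSCTL_SRV_ENUMERATE_SNAPSHOTS",   # the "shadow copy" case
}


def decode_ctl_code(code):
    """Split a Windows IOCTL/FSCTL code into the CTL_CODE macro's fields:
    DeviceType (bits 31..16), Access (15..14), Function (13..2), Method (1..0)."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def build_nt_ioctl_request(ctl_code, fid, is_fsctl=True, data=b""):
    """Construct a minimal NT_TRANSACT / NT_IOCTL request starting at the
    32-byte SMB header (no NetBIOS session header). Header field values
    (flags, TID, UID, MID) are arbitrary sample values."""
    # Setup words for NT_IOCTL: FunctionCode (4), FID (2), IsFsctl (1), IsFlags (1)
    setup = struct.pack("<IHBB", ctl_code, fid, 1 if is_fsctl else 0, 0)
    setup_count = len(setup) // 2            # 4 setup words
    word_count = 19 + setup_count            # 19 fixed words + setup
    # Data follows header(32) + WordCount(1) + words + ByteCount(2)
    data_offset = 32 + 1 + 2 * word_count + 2
    words = struct.pack(
        "<BHIIIIIIIIBH",
        setup_count, 0,                      # MaxSetupCount, Reserved1
        0, len(data),                        # TotalParameterCount, TotalDataCount
        0, 0x10000,                          # MaxParameterCount, MaxDataCount
        0, 0,                                # ParameterCount, ParameterOffset
        len(data), data_offset,              # DataCount, DataOffset
        setup_count, NT_TRANSACT_IOCTL,      # SetupCount, Function
    ) + setup
    header = struct.pack(
        "<4sBIBHHQHHHHH",
        b"\xffSMB", SMB_COM_NT_TRANSACT,
        0,                                   # Status (request: 0)
        0x18, 0xC807,                        # Flags, Flags2 (sample values)
        0, 0, 0,                             # PIDHigh, SecurityFeatures, Reserved
        1, 0xFEFF, 0x0800, 1,                # TID, PIDLow, UID, MID (sample)
    )
    return header + bytes([word_count]) + words + struct.pack("<H", len(data)) + data


def parse_nt_ioctl(pkt):
    """Return the ioctl details for an NT_TRANSACT/NT_IOCTL request, None for
    any other SMB1 command or NT_TRANSACT subcommand. This is the walk a
    dissector performs to populate a field like smb.nt.ioctl.function."""
    if len(pkt) < 33 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    if pkt[4] != SMB_COM_NT_TRANSACT:
        return None                          # some other SMB command
    word_count = pkt[32]
    words = pkt[33:33 + 2 * word_count]
    fixed = struct.unpack_from("<BHIIIIIIIIBH", words, 0)
    data_count, data_offset, function = fixed[8], fixed[9], fixed[11]
    if function != NT_TRANSACT_IOCTL:
        return None                          # NT_TRANSACT, but not an ioctl
    # Setup words start right after the 38-byte fixed portion of the words.
    ctl_code, fid, is_fsctl, is_flags = struct.unpack_from("<IHBB", words, 38)
    return {
        "ctl_code": ctl_code,
        "name": KNOWN_CTL_CODES.get(ctl_code, "UNKNOWN"),
        "fid": fid,
        "is_fsctl": bool(is_fsctl),
        "fields": decode_ctl_code(ctl_code),
        "data": pkt[data_offset:data_offset + data_count],
    }


if __name__ == "__main__":
    # Constructed sample: a named-pipe transceive against FID 0x4001.
    sample = build_nt_ioctl_request(0x0011C017, 0x4001, data=b"\x05\x00\x0b")
    print(parse_nt_ioctl(sample))
```

Once the control code is isolated this way, the DDK's CTL_CODE layout tells you which driver family owns it (DeviceType 0x11 is the named-pipe device, 0x09 the file system, 0x14 the server ioctls used for shadow copies), which narrows down whether the call came from a win32 API the application made or from the redirector itself. A server that does not implement a given code should answer with a clear "not supported" status rather than silence, since that is the response clients are written to fall back from.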
