Buffer limit on server listings.

Christopher R. Hertel crh at ubiqx.mn.org
Tue Mar 30 06:55:51 GMT 2004

On Mon, Mar 29, 2004 at 07:32:36PM -0500, Eric wrote:
> >>>"NetServerEnum3 turned up in a network trace between an XP client and a
> >>>W2K or W2K3 PDC and appears to solve the 64K server list limit
> >>>problem..."
> >>>
> >>>> I have also never heard of a NetrServerEnum() RPC call, and googling
> >>>turns
> >>>> up nothing.  Can you point me at any documentation?
> >>>
> >>>I just made the name up. I just mean the NetServerEnum RPC.
> >>
> >>Thing is, I'm not aware of an RPC that does this.
> >
> >Sure there is. Just look up NetServerEnum on MSDN.

When I search for NetServerEnum on MSDN I get lots of information about
the RAP NetServerEnum2() call.  Nothing about an RPC call.

> Actually, this is fairly interesting.  There *doesn't* appear to be a 
> precise NetServerEnum RPC for this API call; BrowserrServerEnum is (as I 
> understand it) an RPC from the Browser service, similar in function to 
> NetServerEnum but not identical.

That's what I've come to understand as well.

I've been talking off-line with one of the Ethereal developers, and he 
says that there are two RPC calls that cover this territory:

- BrowserrServerEnum()
- BrowserrServerEnumEx()

I have not seen these used in the wild, but I haven't been looking for
them either.  Again, these are RPCs (and the names are legit, even though
I can't find reference to them on MSDN).

> Over the wire, Windows XP still uses 
> the RAP calls to implement the NetServerEnum API call.

Geez I *hate* the way Microsoft names things.

On MSDN there's a reference to a NetServerEnum() API function call.

At the RAP level, however, the NetServerEnum() function is a *depricated*
RAP call that was used with the old LANMAN 2.x browsing system (or

The NetServerEnum() API function in the MSDN documentation actually calls
the NetServerEnun2() RAP function.  Urg!

> Basically, the 
> NetServerEnum2 RAP is used to get the first set of servers, and 
> NetServerEnum3 is used as a set of "tacked on" calls to get the 
> remainder in the event that NetServerEnum2 indicates more data is available.

Does any other Windows system use NetServerEnum3() or is it just XP?  I've 
never seen NetServerEnum3().

> The reason this is interesting is that the NetServerEnum function has a 
> real old bug, in which the "resume_handle" parameter always returns 0, 
> causing an infinite loop if you actually try to use it as intended 
> (i.e., as the handle for the next set of results when the result = 
> http://support.microsoft.com/support/kb/articles/q136/4/37.asp

I just looked through my own docs
and I don't see how the NetServerEnum2 request packet could specify a 
starting point for reading 'more' data.  The NetServerEnum2 reply does 
have fields that will indicate that there is more data to be retreived, 
but you can't retreive it with the NetServerEnum2() call.

That in mind, it makes sense that there would be a NetServerEnum3() call.  
I've just never seen it documented.

> There is an undocumented API, NetServerEnumEx, which addresses this:
> http://www.activevb.de/rubriken/apikatalog/deklarationen/netserverenumex.html
> This takes the name of the last server in the previous return list as a 
> parameter, returning the next chunk of names; which is pretty much 
> exactly what the NetServerEnum3 RAP call does.
> When I do a NetServerEnum API call for all servers on WinXP, I get 
> (over-the-wire):
> 1) A NetServerEnum2 call with a receive buffer length of 14724, which 
> gets the first set of servers and returns ERROR_MORE_DATA (234).
> 2) A repeat of the NetServerEnum2 with a receive buffer length of 65535, 
> which gets the same initial set of servers (only with some additional 
> entries at the end, due to the bigger return buffer).  Also returns 
> 3) A NetServerEnum3 call, passing the last server in the return list 
> from the previous NetServerEnum2.  This gets the next chunk of servers 
> and returns ERROR_MORE_DATA.
> 4) A series of additional NetServerEnum3 calls, each passing the last 
> server in the return list from the previous call.  This is repeated 
> while the return code is ERROR_MORE_DATA (i.e., until all servers have 
> been retrieved).

...and those are all RAP messages going back and forth, yes?

> I'm not sure why the initial NetServerEnum2 call is done twice, or why 
> the first call uses a smaller buffer; this could be some backward 
> compatibility issue.  It would appear that at some point NetServerEnumEx 
>  (along with the NetServerEnum3) was possibly intended to replace 
> NetServerEnum; but for whatever reason, they used the NetServerEnum API, 
> deprecated the resume_handle parameter, and implemented the whole 
> shebang over-the-wire as a (somewhat bizarre) conversation of 
> NetServerEnum2s and NetServerEnum3s.

...and that still leaves questions about the BrowserrServerEnum() and 
BrowserrServerEnumEx() RPC calls.  What are those?  Are they ever used?  
Were they simply implemented by someone at Microsoft as an attempt to 
replace the older RAP calls...and then forgotten?


Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list