[SMB] NTCreateANDX question

yang mikey mikeyredmoon at gmail.com
Mon Jun 11 04:08:54 GMT 2007


Hi, Mike

Yeah, I did not notice it before; I just used the value on Windows XP SP2
and 2003, because the BYTE COUNT in the wrong place is zero. But when I
tested on Windows 2000, I found there is an abnormally large number there;
if I read it, the memory will crash.

In fact, I am making a little tool to monitor shared folder changes by
parsing the CIFS protocol. I don't know why MS changed the SMB protocol so
much by adding some NTxxxANDXs; I find it so hard to know what the user has
done. For example, because COMMAND_COPY is obsolete, I can't identify the
COPY operation, the copy source or the copy target. I just see that a file
is opened by 0xA2 and read by 0x2E, and a new file is created (also 0xA2).
Is there any document that describes the procedure? Thanks.
                                                                       Mikey



2007/6/11, Michael B Allen <mba2000 at ioplex.com>:
>
> Ahh, I see what you're talking about. In the response. The WordCount is
> way too large. It should be more like 34 and not 42. Funny, I've written
> multiple CIFS clients and never noticed.
>
> Mike
>
> On Mon, 11 Jun 2007 12:09:38 +0900
> "yang mikey" <mikeyredmoon at gmail.com> wrote:
>
> > Hi, Allen
> > Thanks for your reply and time.
> > I am sorry that I cannot send any packet file to you, because you know,
> > I am at the company.
> > But this packet is nothing special, I think. It is just a very common
> > NTCreateAndX packet (smb.command == 0xA2); if you log in to a server
> > with a shared folder and make some file operations such as deleting or
> > creating a new file, you will see the packet in Ethereal.
> >                                                                   Mikey
> >
> >
> > 2007/6/9, Michael B Allen <mba2000 at ioplex.com>:
> > >
> > > Mikey,
> > >
> > > Is it ok to send me your capture file?
> > >
> > > I'm always interested in seeing mutant packets.
> > >
> > > Mike
> > >
> > > On Fri, 8 Jun 2007 11:11:21 +0900
> > > "yang mikey" <mikeyredmoon at gmail.com> wrote:
> > >
> > > > Hi, everybody
> > > > I found an interesting thing.
> > > >
> > > > When I look at the header of NTCreateANDX [0xA2] via Ethereal,
> > > > I find the value of WORD COUNT is 42, but the position of BYTE COUNT
> > > > is not at
> > > > (offset of WORD COUNT) + (value of WORD COUNT) * 2.
> > > >
> > > > Why did this happen, and how does Ethereal know the correct position
> > > > of BYTE COUNT?
> > > >
> > > > Thanks a lot
> > > >                                                             Mikey
> > > >
> > >
> > >
> > > --
> > > Michael B Allen
> > > PHP Active Directory Kerberos SSO
> > > http://www.ioplex.com/
> > >
> >
>
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
>
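
Added example (not part of the original thread, and not Samba or Ethereal code): a bounds-checked C routine that derives the ByteCount position from WordCount as discussed above and rejects the message when either field points outside the captured bytes, which is the crash case described for the Windows 2000 response. The names `smb_locate_bytes` and `build_sample`, the error codes and the sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN 32  /* fixed SMB1 header; WordCount is the next byte */
enum { SMB_OK = 0, SMB_SHORT = -1, SMB_BAD_MAGIC = -2,
       SMB_PARAMS_OVERRUN = -3, SMB_BYTES_OVERRUN = -4 };
static const uint8_t SMB_MAGIC[4] = { 0xFF, 'S', 'M', 'B' };

/* Locate the data block of one SMB message (NetBIOS session header already
 * stripped). On success [*data_off, *data_off + *byte_count) lies inside msg. */
static int smb_locate_bytes(const uint8_t *msg, size_t len,
                            size_t *data_off, uint16_t *byte_count)
{
    if (len < SMB_HDR_LEN + 1) return SMB_SHORT;
    if (memcmp(msg, SMB_MAGIC, 4) != 0) return SMB_BAD_MAGIC;
    /* ByteCount sits after the WordCount byte and WordCount 16-bit words. */
    size_t bc_off = SMB_HDR_LEN + 1 + (size_t)msg[SMB_HDR_LEN] * 2;
    if (bc_off + 2 > len) return SMB_PARAMS_OVERRUN;  /* points past capture */
    uint16_t bc = (uint16_t)(msg[bc_off] | (msg[bc_off + 1] << 8)); /* LE */
    /* A ByteCount larger than what remains is never used as a read length. */
    if ((size_t)bc > len - (bc_off + 2)) return SMB_BYTES_OVERRUN;
    *data_off = bc_off + 2;
    *byte_count = bc;
    return SMB_OK;
}

/* Constructed sample (not a real capture): command 0xA2, a claimed WordCount,
 * `words` parameter words actually present (0xEE filler), ByteCount, data. */
static size_t build_sample(uint8_t *buf, uint8_t claimed_wc, size_t words,
                           uint16_t bc, size_t nbytes)
{
    size_t n = SMB_HDR_LEN;
    memset(buf, 0, SMB_HDR_LEN);
    memcpy(buf, SMB_MAGIC, 4);
    buf[4] = 0xA2;
    buf[n++] = claimed_wc;
    memset(buf + n, 0xEE, words * 2); n += words * 2;
    buf[n++] = (uint8_t)(bc & 0xFF); buf[n++] = (uint8_t)(bc >> 8);
    memset(buf + n, 'A', nbytes);
    return n + nbytes;
}

int main(void)
{
    uint8_t buf[256]; size_t off = 0; uint16_t bc = 0;
    size_t len = build_sample(buf, 42, 50, 0, 0); /* WordCount disagrees with layout */
    printf("result=%d\n", smb_locate_bytes(buf, len, &off, &bc));
    return 0;
}
```

A monitoring tool can log and skip any message that returns a non-zero code instead of dereferencing the computed offset.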


More information about the samba-technical mailing list