[SMB] NTCreateANDX question

Michael B Allen mba2000 at ioplex.com
Mon Jun 11 18:52:41 GMT 2007


Hi Chris,

It looks to me like the WordCount is too big but Jeremy said 42 was
right so I'm not sure.

If you can decipher the output of my 'hexd' tool the packet I'm looking
at is:

$ hexd Frame457.bin -r "0x36:Frame457,4:NetBIOS Header,32:SMB \
   Header,1:WordCount,84:Words,256:Unknown"
Frame457
00000:  00 07 e9 09 b2 cb 00 07 e9 09 ba 5c 08 00 45 00  |...........\..E.|
00010:  00 b3 d0 57 40 00 80 06 a2 9a c0 a8 03 80 c0 a8  |...W@...........|
00020:  02 82 01 bd 04 25 8b d0 b0 41 87 14 5f 2d 50 18  |.....%...A.._-P.|
00030:  fa 88 27 a5 00 00                                |..'...          |
NetBIOS Header
00000:  00 00 00 87                                      |....            |
SMB Header
00000:  ff 53 4d 42 a2 00 00 00 00 98 07 c8 00 00 44 77  |.SMB..........Dw|
00010:  28 30 80 f2 a4 3d 00 00 07 08 d0 03 01 10 c0 18  |(0...=..........|
WordCount
00000:  2a                                               |*               |
Words
00000:  ff 00 87 00 03 00 c0 01 00 00 00 80 65 7a c2 f5  |............ez..|
00010:  77 c3 01 5e 1b 3e 77 91 6c c6 01 80 65 7a c2 f5  |w..^.>w.l...ez..|
00020:  77 c3 01 28 34 0f 62 2d 21 c4 01 20 00 00 00 00  |w..(4.b-!.. ....|
00030:  f0 00 00 00 00 00 00 00 e8 00 00 00 00 00 00 00  |................|
00040:  00 07 00 00 00 00 00 70 00 2e 00 65 00 78 00 65  |.......p...e.x.e|
00050:  00 00 00 00                                      |....            |
Unknown
00000:  00 03 81 d8 bf 03 81 20 ff 01 1f 00 00 00 00 00  |....... ........|
00010:  00 00                                            |..              |

So I see 'p.exe' in the Words and Wireshark doesn't decode those bytes
so it looks like there's just garbage at the end. Meaning the WordCount
and the NetBIOS header payload size are incorrect (too large).

Mike

On Mon, 11 Jun 2007 12:41:31 -0500
"Christopher R. Hertel" <crh at ubiqx.mn.org> wrote:

> Jeremy, Mike,
> 
> If you can provide some additional details, I'll write up a note and add it
> to the online version of my book.  Is it just that the numbers are not
> correct, or is there some other data being tacked on somewhere else?
> 
> The term "extended response" falls within the range of Jeremy's sense of humor.
> 
> Chris -)-----
> 
> Jeremy Allison wrote:
> > On Sun, Jun 10, 2007 at 11:35:03PM -0400, Michael B Allen wrote:
> >> Ahh, I see what you're talking about. In the response. The WordCount is
> >> way too large. It should be more like 34 and not 42. Funny, I've written
> >> multiple CIFS clients and never noticed.
> > 
> > It's the "extended response" that's undocumented in any of the current
> > CIFS specs (at least any public ones). The latest code in SAMBA_3_0_25
> > does this right now.
> > 
> > Jeremy.
> 
> -- 
> "Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
> Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
> jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
> ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
> OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org
> 


-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
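
An added example, not part of the original thread: a length-consistency check run over the frame dumped in the message above. It goes one step beyond the discussion by searching for every word count whose layout exactly fills the NetBIOS length. The function names are hypothetical, and the layout assumed is the usual one: 32-byte SMB header, WordCount byte, 2*WordCount parameter bytes, little-endian 16-bit ByteCount, then ByteCount data bytes.

```python
import struct

# Frame 457 as dumped by hexd in the message above, starting at the
# NetBIOS session header (the Ethernet/IP/TCP bytes are left out).
FRAME = bytes.fromhex("""
00 00 00 87
ff 53 4d 42 a2 00 00 00 00 98 07 c8 00 00 44 77
28 30 80 f2 a4 3d 00 00 07 08 d0 03 01 10 c0 18
2a
ff 00 87 00 03 00 c0 01 00 00 00 80 65 7a c2 f5
77 c3 01 5e 1b 3e 77 91 6c c6 01 80 65 7a c2 f5
77 c3 01 28 34 0f 62 2d 21 c4 01 20 00 00 00 00
f0 00 00 00 00 00 00 00 e8 00 00 00 00 00 00 00
00 07 00 00 00 00 00 70 00 2e 00 65 00 78 00 65
00 00 00 00
00 03 81 d8 bf 03 81 20 ff 01 1f 00 00 00 00 00
00 00
""")
SMB_HEADER_LEN = 32  # assumed fixed SMB1 header size

def split_frame(frame):
    """Return the SMB message the NetBIOS session header says is present."""
    length = int.from_bytes(frame[1:4], "big") & 0x1FFFF  # 17-bit length
    msg = frame[4:4 + length]
    if len(msg) != length or msg[:4] != b"\xffSMB":
        raise ValueError("truncated frame or not an SMB message")
    return msg

def layout(msg, word_count):
    """(ByteCount, end offset) for this word count, or None if ByteCount
    itself would lie outside the message."""
    bc_off = SMB_HEADER_LEN + 1 + 2 * word_count
    if bc_off + 2 > len(msg):
        return None
    (byte_count,) = struct.unpack_from("<H", msg, bc_off)
    return byte_count, bc_off + 2 + byte_count

def consistent_word_counts(msg):
    """Word counts whose parameters, ByteCount and data fill msg exactly."""
    hits = []
    for wc in range(256):
        fit = layout(msg, wc)
        if fit is not None and fit[1] == len(msg):
            hits.append(wc)
    return hits

if __name__ == "__main__":
    msg = split_frame(FRAME)
    for wc in (34, msg[SMB_HEADER_LEN], *consistent_word_counts(msg)):
        print(wc, layout(msg, wc), "of", len(msg))
```

On this frame the declared count of 42 yields a ByteCount of 768, which runs far past the 135-byte message, 34 leaves 32 bytes unaccounted for, and the only count that fills the message exactly is 50. A parser therefore has to bound ByteCount against the NetBIOS length instead of trusting WordCount.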

