[SMB] NTCreateANDX question

Christopher R. Hertel crh at ubiqx.mn.org
Mon Jun 11 20:50:04 GMT 2007


below...

Michael B Allen wrote:
> Hi Chris,
> 
> It looks to me like the WordCount is too big but Jeremy said 42 was
> right so I'm not sure.
> 
> If you can decipher the output of my 'hexd' tool the packet I'm looking
> at is:
> 
> $ hexd Frame457.bin -r "0x36:Frame457,4:NetBIOS Header,32:SMB \
>    Header,1:WordCount,84:Words,256:Unknown"
> Frame457
> 00000:  00 07 e9 09 b2 cb 00 07 e9 09 ba 5c 08 00 45 00  |...........\..E.|
> 00010:  00 b3 d0 57 40 00 80 06 a2 9a c0 a8 03 80 c0 a8  |...W@...........|
> 00020:  02 82 01 bd 04 25 8b d0 b0 41 87 14 5f 2d 50 18  |.....%...A.._-P.|
> 00030:  fa 88 27 a5 00 00                                |..'...          |
> NetBIOS Header
> 00000:  00 00 00 87                                      |....            |
> SMB Header
> 00000:  ff 53 4d 42 a2 00 00 00 00 98 07 c8 00 00 44 77  |.SMB..........Dw|
> 00010:  28 30 80 f2 a4 3d 00 00 07 08 d0 03 01 10 c0 18  |(0...=..........|
> WordCount
> 00000:  2a                                               |*               |
> Words
> 00000:  ff 00 87 00 03 00 c0 01 00 00 00 80 65 7a c2 f5  |............ez..|
> 00010:  77 c3 01 5e 1b 3e 77 91 6c c6 01 80 65 7a c2 f5  |w..^.>w.l...ez..|
> 00020:  77 c3 01 28 34 0f 62 2d 21 c4 01 20 00 00 00 00  |w..(4.b-!.. ....|
> 00030:  f0 00 00 00 00 00 00 00 e8 00 00 00 00 00 00 00  |................|
> 00040:  00 07 00 00 00 00 00 70 00 2e 00 65 00 78 00 65  |.......p...e.x.e|
> 00050:  00 00 00 00                                      |....            |
> Unknown
> 00000:  00 03 81 d8 bf 03 81 20 ff 01 1f 00 00 00 00 00  |....... ........|
> 00010:  00 00                                            |..              |
> 
> So I see 'p.exe' in the Words and Wireshark doesn't decode those bytes
> so it looks like there's just garbage at the end. Meaning the WordCount
> and the NetBIOS header payload size are incorrect (too large).

So... my next question.  Is the WordCount value 42 (0x2a) correct (for this
packet)?  If so, then the "p.exe" string really is part of the Words.

...but you said earlier that you thought the correct value should be closer
to 34 (0x22).  If that were the case, the bytecount would be zero and
'p.exe' would not be part of the packet at all.

I am curious as to how this packet should be read.

Thanks!

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org
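
The two readings discussed in this thread (WordCount 42 as sent, and the suggested 34), laid out over the bytes of the quoted dump. This is an added example, not code from either poster or from Samba; the function name `layout` and the returned field names are assumptions made here.

```python
import struct

# Bytes transcribed from the hexd dump quoted above, NetBIOS header onward.
FRAME = bytes.fromhex("""
00 00 00 87
ff 53 4d 42 a2 00 00 00 00 98 07 c8 00 00 44 77
28 30 80 f2 a4 3d 00 00 07 08 d0 03 01 10 c0 18
2a
ff 00 87 00 03 00 c0 01 00 00 00 80 65 7a c2 f5
77 c3 01 5e 1b 3e 77 91 6c c6 01 80 65 7a c2 f5
77 c3 01 28 34 0f 62 2d 21 c4 01 20 00 00 00 00
f0 00 00 00 00 00 00 00 e8 00 00 00 00 00 00 00
00 07 00 00 00 00 00 70 00 2e 00 65 00 78 00 65
00 00 00 00
00 03 81 d8 bf 03 81 20 ff 01 1f 00 00 00 00 00
00 00
""")

SMB_HEADER_LEN = 32

def layout(frame, word_count=None):
    """Locate ByteCount for a given WordCount and check it against the
    length announced in the 4-byte session header. word_count=None uses
    the value on the wire; passing a number tests an alternative reading."""
    announced = int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + announced]
    if len(smb) != announced or smb[:4] != b"\xffSMB":
        raise ValueError("truncated or not an SMB1 message")
    wc = smb[SMB_HEADER_LEN] if word_count is None else word_count
    # ByteCount is the little-endian u16 that follows the parameter words.
    bc_off = SMB_HEADER_LEN + 1 + 2 * wc
    if bc_off + 2 > len(smb):
        raise ValueError("WordCount runs past the announced length")
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    data_room = len(smb) - (bc_off + 2)
    return {"word_count": wc, "byte_count": byte_count,
            "data_room": data_room,
            "overruns": byte_count > data_room,
            "unclaimed": max(data_room - byte_count, 0)}

if __name__ == "__main__":
    for wc in (None, 34):
        print(layout(FRAME, wc))
```

With the wire value 42, the two bytes after the words decode as a ByteCount of 768 while only 16 bytes remain in the message; with 34, ByteCount is 0 and 32 bytes (including the 'p.exe' string) are left unclaimed.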

