(Beginners ?) questions about SMB sniff-results - data-irregularities ... - SMB


  1. (Beginners ?) questions about SMB sniff-results - data-irregularities ...

    Hello,

    I'm Rudy Wieser, and I wrote, to see what is going on on the LAN, a (very
    basic) sniffer-tool running on ye olde DOS. The program runs well, but
    I've got some problems with interpreting what I'm seeing.

    First problem :

    ========# Internet IP (IPv4) #=========================
    IP: 192.168.001.083 --> 192.168.001.017 TTL:80 Prot:06 -> TCP
    Ver:4 IHL:5 Len:05DC ID:025B Flags:2 FrgOffs:0000 ChkSum:1665
    --------| TCP |------------------------------------------------------
    Port:0401 --> 008B Seq:00017E0F Ack:38E2905E Len:5*4 Flgs:10
    Win:2055 Chk:FF26 Urg:0000
    --------| NetBios over TCP |----------------------------------------
    Cmd:00 Flags:00 Size:2623 --> Datagram
    --------| SMB |-----------------------------------------------------
    ID:FF 53 4D 42 CMD:0B ErrCls:00 Res1:00 ErrCod:0000
    Flgs:00 Flgs2:0000 Res2:00 00 00 00 00 00 00 00 00 00 00 00
    Tree-id:0100 Proc-id923 User-id:6400 Mux-id:81B1
    Command 0B --> Write byte block
    ParmWords:05
    0000 - 1380 25F3 0000 0000 25F3 ..%....%
    ParmBytes:25F6
    0000 - 01 F3 25 00 00 00 00 00 00 00 00 00 00 00 00 00 .%.............
    0010 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    ........
    25E0 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    25F0 - 00 00 00 00 00 00

    The problem with the above is that the "ParmBytes" extend quite a bit beyond
    the end of the received block (the length as in the IPv4 header), and I have
    no idea why. I've searched the documentation I've got (Microsoft
    Networks/OpenNET, FILE SHARING PROTOCOL, INTEL Part Number 138446) to no
    avail ...

    Second problem :

    --------| SMB |----------------------------------------------------
    ID:FF 53 4D 42 CMD:25 ErrCls:00 Res1:00 ErrCod:0000
    Flgs:00 Flgs2:0000 Res2:00 00 00 00 00 00 00 00 00 00 00 00
    Tree-id:0000 Proc-id:0000 User-id:0000 Mux-id:0000
    Command 25 --> Transaction (name, bytes in/out)
    ParmWords:11
    0000 - 0000 000D 0000 0000 0000 0000 0000 0000 ................
    0010 - 0000 0000 0000 000D 005D 0003 0001 0001 ........].......
    0020 - 0002 ..
    ParmBytes:001E
    0000 - 5C 4D 41 49 4C 53 4C 4F 54 5C 54 45 4D 50 5C 4E \MAILSLOT\TEMP\N
    0010 - 45 54 4C 4F 47 4F 4E 00 06 00 5C 5C 48 45 ETLOGON...\\HE
    --------| Unresolved data |---------------------------------------------
    0000 - 4C 49 55 4D 00 FF FF LIUM.

    The above problem is the "unresolved data". Although the ParmWord-data
    correctly points at the "06 00 \\HELIUM" -string, the ParmBytes do not fully
    include that string. What's going on here ?

    I'm probably overlooking something stupid, or just haven't read the right
    documentation yet.
    Can anyone give me a hint to where to look (either for the overlooking part,
    or for the documentation) ?

    Regards,
    Rudy Wieser

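    An added example, not part of the thread or its author's sniffer, that walks both dumps with the arithmetic a dissector needs. The first dump's NetBIOS session header announces 0x2623 = 9763 bytes (32-byte header + WordCount + 5 words + ByteCount + 0x25F6), while a 1500-byte IP packet carries only 1456 SMB bytes, so the rest of the Write block arrives in later TCP segments. In the second dump DataOffset 0x5D = 93 lands right after the 24-byte mailslot name and DataCount 13 reaches byte 106, but ByteCount 0x1E ends the byte block at 99, which is where the 7 "unresolved" bytes come from; the parser trusts DataOffset/DataCount and reports the mismatch. Message bytes are reconstructed from the dumps (the garbled Proc-id is set to 0).

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_WRITE, SMB_COM_TRANSACTION = 0x0B, 0x25

def smb_header(cmd, tid=0, pid=0, uid=0, mid=0):
    # 32-byte SMB header: magic, command, 19 bytes of status/flags (zeroed), TID, PID, UID, MID
    return SMB_MAGIC + bytes([cmd]) + b"\x00" * 19 + struct.pack("<4H", tid, pid, uid, mid)

def parse_smb(buf):
    """Parse one SMB message and cross-check its length fields.

    'missing' is how many bytes of the message lie beyond this buffer (problem 1);
    for SMB_COM_TRANSACTION, 'data_past_bytecount' is how far the DataOffset/DataCount
    region reaches beyond the ByteCount-delimited byte block (problem 2).
    """
    if buf[:4] != SMB_MAGIC or len(buf) < 33:
        raise ValueError("not an SMB header")
    cmd, word_count = buf[4], buf[32]
    words = struct.unpack_from("<%dH" % word_count, buf, 33)   # parameter words, little-endian
    words_end = 33 + 2 * word_count
    byte_count, = struct.unpack_from("<H", buf, words_end)
    bytes_end = words_end + 2 + byte_count
    result = {"cmd": cmd, "byte_count": byte_count,
              "missing": max(0, bytes_end - len(buf)),
              "bytes": buf[words_end + 2:bytes_end]}
    if cmd == SMB_COM_TRANSACTION:
        # words[11] = DataCount, words[12] = DataOffset, measured from the SMB header start
        data_count, data_offset = words[11], words[12]
        result["data"] = buf[data_offset:data_offset + data_count]
        result["data_past_bytecount"] = max(0, data_offset + data_count - bytes_end)
    return result

# Constructed from the post's second dump: the NETLOGON mailslot Transaction (106 bytes).
MAILSLOT_MSG = (smb_header(SMB_COM_TRANSACTION) + b"\x11"
    + struct.pack("<17H", 0, 0x0D, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0D, 0x5D, 3, 1, 1, 2)
    + struct.pack("<H", 0x1E)                    # ByteCount: covers only 30 bytes
    + b"\\MAILSLOT\\TEMP\\NETLOGON\x00"          # 24 bytes, so DataOffset 0x5D = 93
    + b"\x06\x00\\\\HELIUM\x00\xff\xff")         # 13 data bytes; 7 lie past ByteCount

# Constructed from the post's first dump: the Write byte block as captured in one 1500-byte
# IP packet (1456 SMB bytes); the NetBIOS session header announced 0x2623 bytes in total.
WRITE_FIRST_SEGMENT = (
    smb_header(SMB_COM_WRITE, tid=0x0100, uid=0x6400, mid=0x81B1)
    + b"\x05" + struct.pack("<5H", 0x1380, 0x25F3, 0, 0, 0x25F3)
    + struct.pack("<H", 0x25F6)                  # ByteCount = 1 + 2 + 0x25F3
    + b"\x01" + struct.pack("<H", 0x25F3)        # buffer format 01, data length 0x25F3
).ljust(1456, b"\x00")

if __name__ == "__main__":
    for name, msg in (("mailslot", MAILSLOT_MSG), ("write", WRITE_FIRST_SEGMENT)):
        print(name, parse_smb(msg))
```

    For a live capture the same check says when to keep reading the TCP stream: stop at the length in the NetBIOS session header, not at the end of the IP packet.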



  2. Re: (Beginners ?) questions about SMB sniff-results - data-irregularities ...


    Hello again.

    As my previous message ( 42e94cd6$0$11077$e4fe514c@news.xs4all.nl ) did
    not evoke any responses, I'm wondering if I posted in the wrong group ...

    Could anyone please be so kind as to inform me of a place where my question
    has a better chance of being answered ?

    Regards,
    Rudy Wieser




  3. Re: (Beginners ?) questions about SMB sniff-results - data-irregularities...

    R.Wieser wrote:
    > Hello,
    >
    > I'm Rudy Wieser, and I wrote, to see what is going on the LAN a (very
    > basic) sniffer-tool running on ye olde DOS. The program runs good, but
    > I've got some problems with interpreting what I'm seeing.

    .....
    > The problem with the above is that the "ParmBytes" extend quite some over
    > the end of the received block (the length as in the IPv4 header), and I have
    > no idea why. I've searched the documentation I've got (Microsoft
    > Networks/OpenNET, FILE SHARING PROTOCOL, INTEL Part Number 138446) to no
    > avail ...
    >
    > Second problem :
    >

    ....

    > The above problem is the "unresolved data". Although the ParmWord-data
    > correctly points at the "06 00 \\HELIUM" -string, the ParmBytes do not fully
    > include that string. What's going on here ?
    >
    > I'm probably overlooking something stupid, or just haven't read the right
    > documentation yet.
    > Can anyone give me a hint to where to look (either for the overlooking part,
    > or for the documentation) ?


    Rudy,

    Your best bet is to mail the samba-technical@samba.org mailing
    lists. Also note that a new community site is underway for CIFS
    developers (http://www.cifs.org). The site was just introduced
    about a week ago and so has a lot of content missing at the moment.
    There should be some updates late next week.





    cheers, jerry
    =====================================================================
    Alleviating the pain of Windows(tm) ------- http://www.samba.org
    GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
    "I never saved anything for the swim back." Ethan Hawk in Gattaca

  5. Re: (Beginners ?) questions about SMB sniff-results - data-irregularities...

    Gerald (Jerry) Carter wrote in news message
    42F6254F.90404@samba.org...

    Hello Jerry,
    > ....
    > Rudy,
    >
    > Your best bet is to mail the samba-technical@samba.org mailing
    > lists.
    > ....


    Thanks for your suggestion. I was not sure, after so many days, if I would
    still get one ...

    Regards,
    Rudy Wieser



