Re: [Wireshark-users] SMB Trans2 FILE_QUERY_INFO Query File Standard Info - what's going on?
Surlow, Jim wrote:

> Regarding #1 – Am guessing that the files were written on the unix end
> and when read from the Windows side it just keeps searching for a Ctrl-Z
> EOF rather than Ctrl-D EOF,

...which would be a bit bizarre given that both Windows and UN*X have a "the file is this many bytes long" EOF - i.e., the file system stores the length of the file, in bytes, as one of the file's properties.

There are no actual ^D's stored as end-of-file padding in UN*X files to pad the file out to a disk block or file system block boundary (control-D is handled by the tty driver, which treats it as an indication that, when running in cooked mode, a "line" should be constructed that contains everything typed since the last line but *not* including the ^D, so if you've typed nothing on the line, that looks like a zero-length line, and a read returning a byte count of 0 is generally treated as an end-of-file indication), and, unless you have a very crufty old application, I would hope that there are no actual ^Z's stored as end-of-file padding in Windows files to pad the file out to a disk block or file system block boundary.

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
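The behaviour described in the reply above, as an added example that is not part of the original thread: a regular file ends where its stored length runs out, and ^D only means something to a tty in cooked mode. It assumes a UN*X-like system with pty support; the function names and the sample ini content are made up for illustration.

```python
import os
import pty
import tempfile
import termios

# Constructed sample: a small ini file like the ones the application reads.
SAMPLE_INI = b"[settings]\nserver=fileserver01\ntimeout=30\n"


def regular_file_eof(data=SAMPLE_INI):
    """Write data to a file; return (stored length, raw bytes, read at EOF)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        size = os.stat(path).st_size          # length kept as file metadata
        fd = os.open(path, os.O_RDONLY)
        try:
            content = os.read(fd, size + 16)  # ask for more than exists
            at_eof = os.read(fd, 16)          # zero-byte read == end of file
        finally:
            os.close(fd)
    finally:
        os.unlink(path)
    return size, content, at_eof


def tty_ctrl_d():
    """Feed ^D to a cooked-mode pty; return what the reader side sees."""
    master, slave = pty.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        attrs[3] |= termios.ICANON            # cooked (canonical) mode
        attrs[3] &= ~termios.ECHO             # no echo back to the master
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        os.write(master, b"abc\x04")          # text, then ^D mid-line
        partial = os.read(slave, 64)          # line so far, without the ^D
        os.write(master, b"\x04")             # ^D on an empty line
        empty = os.read(slave, 64)            # zero-length line
    finally:
        os.close(master)
        os.close(slave)
    return partial, empty


if __name__ == "__main__":
    print(regular_file_eof())
    print(tty_ctrl_d())
```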
Re: [Wireshark-users] SMB Trans2 FILE_QUERY_INFO Query File Standard Info - what's going on?
Regarding #2 - I found the following link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cifs/protocol/smb_com_transaction2_trans2_query_path_information.asp

Regarding #1 - Am guessing that the files were written on the unix end and when read from the Windows side it just keeps searching for a Ctrl-Z EOF rather than Ctrl-D EOF, but I haven't been able to verify this as of yet.

Thought I would update the list before signing off.

Thx.

Jim

From: Surlow, Jim
Sent: Thursday, February 22, 2007 10:01 AM
To: wireshark-users@wireshark.org
Subject: SMB Trans2 FILE_QUERY_INFO Query File Standard Info - what's going on?

Apologies - as this is more of a problem with SMB client than with Wireshark/Ethereal. But, as I saw a similar thread from 3/2005 from the list http://www.ethereal.com/lists/ethereal-users/200503/msg00048.html, maybe someone could help me:

I am seeing hundreds of SMB/Trans2/FILE_QUERY_INFO/Query File Standard Info requests and responses following a file open and prior to the file close.

The clients are running a custom application in our Citrix environment running on Windows 2003. We see the same behavior regardless as to whether the file server is Samba, NetApp, or Windows 2000.

The custom application is just reading ini files - and so that is anywhere between a 2-5 packet exchange. The fact that we see hundreds of "Query File Standard Info" requests and responses (200-300 could occur in the same half second of time) is very confusing to us. And of course, it is burying our servers.

Questions:

1) Anyone have a clue as to this behavior?
2) What is the difference between: Query File Standard Info, Query File Basic Info, Query File EA Info?

Thanks,

Jim