If the client adds a 0x10 flag in the Flags field of
SMB_COM_OPEN_ANDX, a Windows server will send back an alternate 19
WordCount response. Neither the 0x10 flag nor the 19 WordCount
response are documented in MS-CIFS.
Wireshark can't handle the flag or response, but netmon seems to
document it.
Bill - Thanks! I apologize for not checking MS-SMB as well, woops.
-Original Message-
From: Bill Wesse [mailto:bil...@microsoft.com]
Sent: Thursday, December 17, 2009 9:25 AM
To: Zachary Loafman
Cc: p...@tridgell.net; cifs-proto...@samba.org
Subject: RE: OPEN_ANDX undocumented flag
-Original Message-
From: cifs-protocol-boun...@cifs.org [mailto:cifs-protocol-
boun...@cifs.org] On Behalf Of Bill Wesse
Sent: Tuesday, December 08, 2009 6:08 AM
To: Tim Prouty
Cc: p...@tridgell.net; cifs-proto...@samba.org
Subject: Re: [cifs-protocol] [Pfif] SMB1
We stumbled across a rather odd behavior related to non-forest-root
tree-root domains. Can you help explain/document this behavior?
I've attached a short pcap showing the start of an XP machine joining a
2k8 tree-root. Here's the setup:
*) I have a Win2k8 DC at 10.54.139.240 for the zl.test
Thanks for the very detailed response!
...Zach
On Wed, Apr 01, 2009 at 09:42:54AM -0700, Bill Wesse wrote:
Mr. Loafman, thanks for your question. I have created case SRX090331600478,
and filed a documentation change request (details below), as applicable to:
[MS-ERREF]: Windows Error Codes