How is the FID generated for an SMB "NT Create AndX Request"?

1

I see in the traces, while accessing a network share, that there are multiple Create AndX requests (which open the folders) with an FID associated with them. However, some of them don't, and they get a different response.

292 7.561217000 client_Ip cifs_Server_ip SMB 184 NT Create AndX Request, FID: 0x1781, Path: \share_folder\subfolder

293 7.565304000 cifs_Server_ip client_Ip SMB 193 NT Create AndX Response, FID: 0x1781

320 7.761995000 clientIp cifs_Server_ip SMB 184 NT Create AndX Request, Path: \share_folder\subfolder

323 7.764860000 cifs_Server_ip client_ip SMB 93 NT Create AndX Response, FID: 0x0000, Error: STATUS_FILE_IS_A_DIRECTORY

The only differences between the two requests are that the first one doesn't have an FID and the CreateOptions field is set to 0x00000040 (the Non-directory bit is set). The second request has this field set to 0. Both have the access mask 0x00120080.

The client is Windows 7. Why are there two different consecutive Create AndX requests, and why are they getting a different response?

network-shares
samba
wireshark
smb
cifs
asked on Super User Mar 26, 2015 by xerocool • edited Mar 26, 2015 by Giacomo1968

1 Answer

1

Got the answer from the Wireshark forum: in SMB the FID is sent back to the client in the response. Wireshark will also show the FID on the request, as it has learned the FID from the response. You can see that the FID is not in the packet but supplied by Wireshark by the square brackets around the FID.

So in frame 292, the FID is known, as it is supplied by the server in frame 293. But for the request in frame 320, there is no valid FID as there is an error and the response does not have a valid FID (FID=0x0000).

In short, no request has an FID; Wireshark can add an FID to the request when the response has (a valid) one.

answered on Super User May 8, 2015 by xerocool
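The correlation the answer describes, as an added example that is not part of the original post or of Wireshark's code. It builds a small constructed SMB1 trace in memory (header layout and NT Create AndX parameter blocks per MS-CIFS, no network, no pcap), then pairs each request with its response using the (TID, PID, UID, MID) tuple and copies a valid FID from the response back onto the request, printing it in square brackets the way Wireshark does for learned values. The TID/PID/UID/MID values, the ASCII path encoding and the assumption that the failing open is the one with FILE_NON_DIRECTORY_FILE set (which is what STATUS_FILE_IS_A_DIRECTORY means) are choices made for the example.

```python
"""SMB1 NT Create AndX request/response correlation, Wireshark style.

Added example, not from the original post: the FID only ever travels in
the response, so a request is annotated with a bracketed [FID: ...] only
when a matched response carried a valid one.  All frames are constructed.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NT_CREATE_ANDX = 0xA2
FLAGS_REPLY = 0x80                      # SMB_FLAGS_REPLY: server -> client
STATUS_SUCCESS = 0x00000000
STATUS_FILE_IS_A_DIRECTORY = 0xC00000BA
STATUS_NAMES = {STATUS_FILE_IS_A_DIRECTORY: "STATUS_FILE_IS_A_DIRECTORY"}
FILE_NON_DIRECTORY_FILE = 0x00000040    # CreateOptions bit from the post
ACCESS_MASK_FROM_POST = 0x00120080

HDR_FMT = "<4sBIBHH8sHHHHH"             # 32-byte SMB1 header
REQ_FMT = "<BBHBHIIIQIIIIIB"            # 24 parameter words of the request
RSP_FMT = "<BBHBHIQQQQIQQHHB"           # 34 parameter words of the response


def smb_header(status, flags, tid, pid, uid, mid):
    return struct.pack(HDR_FMT, SMB_MAGIC, SMB_COM_NT_CREATE_ANDX, status,
                       flags, 0, 0, b"\0" * 8, 0, tid, pid, uid, mid)


def build_request(path, create_options, tid, pid, uid, mid):
    """NT Create AndX request: there is no FID field anywhere in it."""
    name = path.encode("ascii") + b"\0"
    params = struct.pack(REQ_FMT, 0xFF, 0, 0, 0, len(path), 0, 0,
                         ACCESS_MASK_FROM_POST, 0, 0x80, 7, 1,
                         create_options, 2, 0)
    return (smb_header(STATUS_SUCCESS, 0, tid, pid, uid, mid)
            + bytes([24]) + params + struct.pack("<H", len(name)) + name)


def build_response(fid, is_directory, tid, pid, uid, mid):
    """Successful response: the server assigns the FID here."""
    params = struct.pack(RSP_FMT, 0xFF, 0, 0, 0, fid, 1, 0, 0, 0, 0,
                         0x10 if is_directory else 0x80, 0, 0, 0, 0,
                         1 if is_directory else 0)
    return (smb_header(STATUS_SUCCESS, FLAGS_REPLY, tid, pid, uid, mid)
            + bytes([34]) + params + struct.pack("<H", 0))


def build_error_response(status, tid, pid, uid, mid):
    """Error response: WordCount 0, ByteCount 0, so no FID at all."""
    return (smb_header(status, FLAGS_REPLY, tid, pid, uid, mid)
            + bytes([0]) + struct.pack("<H", 0))


def parse_frame(frame):
    (magic, cmd, status, flags, _f2, _pidh, _sec, _res,
     tid, pid, uid, mid) = struct.unpack_from(HDR_FMT, frame, 0)
    if magic != SMB_MAGIC or cmd != SMB_COM_NT_CREATE_ANDX:
        raise ValueError("not an NT Create AndX frame")
    word_count = frame[32]
    params = frame[33:33 + 2 * word_count]
    pkt = {"is_response": bool(flags & FLAGS_REPLY), "status": status,
           "key": (tid, pid, uid, mid), "fid": None, "path": None,
           "create_options": None}
    if not pkt["is_response"]:
        name_len = struct.unpack_from("<H", params, 5)[0]
        pkt["create_options"] = struct.unpack_from("<I", params, 39)[0]
        data = frame[33 + 2 * word_count + 2:]      # after ByteCount
        pkt["path"] = data[:name_len].decode("ascii")
    elif status == STATUS_SUCCESS and word_count >= 34:
        pkt["fid"] = struct.unpack_from("<H", params, 5)[0]
    return pkt


def correlate(frames):
    """Pair requests with responses by (TID, PID, UID, MID) and copy a
    valid FID from the response back onto the request, as Wireshark does."""
    pending, packets = {}, []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt["is_response"]:
            req = pending.pop(pkt["key"], None)
            if req is not None and pkt["fid"] is not None:
                req["fid"] = pkt["fid"]          # learned, not on the wire
        else:
            pending[pkt["key"]] = pkt
        packets.append(pkt)
    return packets


def info_column(pkt):
    """Wireshark-style Info text; brackets mark a value not in the packet."""
    if not pkt["is_response"]:
        fid = f" [FID: 0x{pkt['fid']:04x}]," if pkt["fid"] is not None else ""
        return f"NT Create AndX Request,{fid} Path: {pkt['path']}"
    if pkt["status"] == STATUS_SUCCESS:
        return f"NT Create AndX Response, FID: 0x{pkt['fid']:04x}"
    name = STATUS_NAMES.get(pkt["status"], f"0x{pkt['status']:08x}")
    return f"NT Create AndX Response, FID: 0x0000, Error: {name}"


def sample_trace():
    """Constructed trace mirroring the post: two opens of one directory,
    the second with FILE_NON_DIRECTORY_FILE, which the server rejects."""
    tid, pid, uid = 0x0801, 0xFEFF, 0x0800          # assumed values
    return [
        build_request(r"\share_folder\subfolder", 0, tid, pid, uid, 0x40),
        build_response(0x1781, True, tid, pid, uid, 0x40),
        build_request(r"\share_folder\subfolder", FILE_NON_DIRECTORY_FILE,
                      tid, pid, uid, 0x41),
        build_error_response(STATUS_FILE_IS_A_DIRECTORY, tid, pid, uid, 0x41),
    ]


def summarize(frames):
    return [info_column(p) for p in correlate(frames)]


if __name__ == "__main__":
    for line in summarize(sample_trace()):
        print(line)
```

Parsing each request on its own (parse_frame before correlate) always yields fid None, which is the point of the answer: the value Wireshark prints on a request is bookkeeping from the matching response, keyed on the multiplex fields, and an error response with WordCount 0 gives it nothing to copy back.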

User contributions licensed under CC BY-SA 3.0