Hello kalintri

Wireshark is showing the real data (and real filenames) as they go over the network and SMB2 is working as designed.

To get to the root of the 8.3 filenames in your trace file we have to leave the network arena and take a detour into Windows internals.

Short answer

You are (or were) most likely running a legacy application that does not support long file names or explicitly demands 8.3 file names.

Creation of 8.3 filenames

The 8.3 filenames go back to the old days of MS-DOS and 640 kBytes of memory. You can control the creation of 8.3 filenames with the command line utility fsutil or through a GPO (Administrative templates -> System -> Filesystem -> NTFS -> Short Name creation Options). By default Windows will create 8.3 file names together with the long name. The Explorer will only show the long names.

8.3 filenames = old stuff

Windows will start using 8.3 file names when an application is running in compatibility mode. This can happen due to information in the PE header or because of the properties of the program.

The PE header is at the beginning of any executable file (.EXE, .DLL, .SYS …). It starts with the letters MZ. The following bytes can give a hint to Windows to present only 8.3 filenames to this application. More precisely, and completely off topic for this forum: the PE header includes a data structure called "optional header" (which is usually present despite its name). That header lists a "subsystem", for example Windows GUI or Command Line or OS/2 console.

Right-click on the program, select Properties and go to the tab "Compatibility" to launch old Windows 95 applications. (Note: Windows 95 did support long filenames, but not all applications from the 90s were ready for long file names.)

8.3 filenames in SMB

Time to go back to the network layer. When a file is opened, the client will send a Create Request to the server. This request has a 32-bit field for "Create Options". Here the client can ask the server to use an 8.3 filename for this operation.

To continue your analysis I recommend a good look at the Create Options.

Good luck