This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How is the FID generated for an SMB CreateAndX request?

0

I see in the traces that while accessing a network share, there are multiple CreateAndX requests (which open the folders) with an FID associated with them. However, some of them don't, and they get a different response.

292 7.561217000 client_Ip cifs_Server_ip SMB 184 NT Create AndX Request, FID: 0x1781, Path: \share_folder\subfolder

293 7.565304000 cifs_Server_ip client_Ip SMB 193 NT Create AndX Response, FID: 0x1781

320 7.761995000 clientIp cifs_Server_ip SMB 184 NT Create AndX Request, Path: \share_folder\subfolder

323 7.764860000 cifs_Server_ip client_ip SMB 93 NT Create AndX Response, FID: 0x0000, Error: STATUS_FILE_IS_A_DIRECTORY

The only differences between the two requests are that the first one doesn't have a FID and the CreateOptions field is set to 0x00000040 (Non-directory flag is set). The second request has this field set to 0. Both have the access mask 0x00120080.

The client is Windows 7. Why are there two different consecutive CreateAndX requests, and why are they getting different responses?

asked 22 Mar '15, 22:49

xerocool
accept rate: 0%


One Answer:

0

In SMB the FID is sent back to the client in the response. Wireshark will also show the FID on the request, as it has learned the FID from the response. You can see that the FID is not in the packet but supplied by Wireshark by the square brackets around the FID.

So in frame 292 the FID is known, as it is supplied by the server in frame 293. But for the request in frame 320 there is no valid FID, as there is an error and the response does not have a valid FID (FID=0x0000).

In short, no request has a FID; Wireshark can add an FID to the request when the response has (a valid) one.

answered 24 Mar '15, 13:32

SYN-bit ♦♦
accept rate: 20%

Actually, FID = 0x0000 is valid according to the [MS-CIFS] doc.

"The value 0xFFFF MUST NOT be used as a valid FID. All other possible values for FID, including zero (0x0000) are valid. The value 0xFFFF is used to specify all FIDs or no FID, depending upon the context in which it is used."

Also, how does Wireshark show the FID in the request when it's being obtained in the response? I mean, it's a little counter-intuitive.

(24 Mar '15, 19:54) xerocool

During the first pass through the capture, Wireshark associates requests and responses for many protocols, including SMB. On that pass, it can't associate the FID with the request, as it hasn't seen the response yet.

On all subsequent references to packets, including the one that happens when you click on a packet, it can, for an SMB request, look up the response and see what the FID in the response was.

(24 Mar '15, 20:48) Guy Harris ♦♦

I see. But if that is so, then why is it not able to get the FID in frame 292 when it's there in the response?

(24 Mar '15, 22:46) xerocool
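As an added example (not from this thread and not Wireshark's own code), the Python script below builds four SMB1 messages that mirror frames 292/293 and 320/323 above and performs the two passes that SYN-bit's answer and Guy Harris's comment describe: pass one pairs each NT Create AndX response with its request by PID and MID and records the FID the response carried; pass two renders each request with that later-learned FID in square brackets, the way Wireshark's Info column does. The frames are constructed, not taken from the capture: the TID, PID, UID and MID values are arbitrary, the second request is given the FILE_NON_DIRECTORY_FILE create option (opening a directory with that option set is what a server answers with STATUS_FILE_IS_A_DIRECTORY), and the error response is built with an empty parameter block (WordCount 0, ByteCount 0), so there is no FID field in it for the request to inherit.

```python
"""Two-pass SMB1 request/response correlation: back-fill the FID onto an
NT Create AndX request from its response, as Wireshark does."""
import struct
from typing import Dict, List, Optional, Tuple

SMB_MAGIC = b"\xffSMB"
SMB_COM_NT_CREATE_ANDX = 0xA2
SMB_FLAGS_REPLY = 0x80
STATUS_SUCCESS = 0x00000000
STATUS_FILE_IS_A_DIRECTORY = 0xC00000BA
FILE_NON_DIRECTORY_FILE = 0x00000040

# SMB_Header ([MS-CIFS] 2.2.3.1): Protocol, Command, Status, Flags, Flags2,
# PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID = 32 bytes.
HEADER = struct.Struct("<4sBIBHH8sHHHHH")
# NT Create AndX request words ([MS-CIFS] 2.2.4.64.1): AndXCommand, AndXReserved,
# AndXOffset, Reserved, NameLength, Flags, RootDirectoryFID, DesiredAccess,
# AllocationSize, ExtFileAttributes, ShareAccess, CreateDisposition,
# CreateOptions, ImpersonationLevel, SecurityFlags = 48 bytes (WordCount 24).
CREATE_REQ_WORDS = struct.Struct("<BBHBHIIIQIIIIIB")
# Start of the response words ([MS-CIFS] 2.2.4.64.2): AndXCommand, AndXReserved,
# AndXOffset, OpLockLevel, FID.  The FID therefore sits at message offset 38.
CREATE_RESP_HEAD = struct.Struct("<BBHBH")
CREATE_RESP_WORDCOUNT = 34


def build_header(command, status, is_reply, tid, pid, uid, mid) -> bytes:
    flags = 0x18 | (SMB_FLAGS_REPLY if is_reply else 0)
    return HEADER.pack(SMB_MAGIC, command, status, flags, 0x0001,
                       pid >> 16, b"\0" * 8, 0, tid, pid & 0xFFFF, uid, mid)


def build_create_request(path: str, create_options: int, **hdr) -> bytes:
    name = path.encode("ascii") + b"\0"          # ASCII (no SMB_FLAGS2_UNICODE)
    words = CREATE_REQ_WORDS.pack(0xFF, 0, 0, 0, len(path), 0, 0, 0x00120080,
                                  0, 0x80, 7, 1, create_options, 2, 0)
    return (build_header(SMB_COM_NT_CREATE_ANDX, STATUS_SUCCESS, False, **hdr)
            + bytes([CREATE_REQ_WORDS.size // 2]) + words
            + struct.pack("<H", len(name)) + name)


def build_create_response(status: int, fid: int, **hdr) -> bytes:
    head = build_header(SMB_COM_NT_CREATE_ANDX, status, True, **hdr)
    if status != STATUS_SUCCESS:
        # Error response: WordCount 0, ByteCount 0.  No FID field exists.
        return head + struct.pack("<BH", 0, 0)
    words = CREATE_RESP_HEAD.pack(0xFF, 0, 0, 0, fid)
    words += b"\0" * (CREATE_RESP_WORDCOUNT * 2 - len(words))  # remaining words zeroed
    return head + bytes([CREATE_RESP_WORDCOUNT]) + words + struct.pack("<H", 0)


def parse_header(msg: bytes) -> dict:
    (magic, command, status, flags, _flags2, pid_high, _sec, _res,
     tid, pid_low, uid, mid) = HEADER.unpack_from(msg, 0)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": command, "status": status,
            "is_reply": bool(flags & SMB_FLAGS_REPLY),
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def request_path(msg: bytes) -> str:
    word_count = msg[HEADER.size]
    bc_off = HEADER.size + 1 + word_count * 2
    (byte_count,) = struct.unpack_from("<H", msg, bc_off)
    return msg[bc_off + 2: bc_off + 2 + byte_count].split(b"\0", 1)[0].decode("ascii")


def response_fid(msg: bytes) -> Optional[int]:
    """FID from an NT Create AndX response; None when the parameter block is
    too short to hold one (the error-response case)."""
    if msg[HEADER.size] * 2 < CREATE_RESP_HEAD.size:
        return None
    return CREATE_RESP_HEAD.unpack_from(msg, HEADER.size + 1)[4]


def correlate(frames: List[Tuple[int, bytes]]) -> List[str]:
    """One Info-style line per frame.  Pass 1 pairs responses with requests by
    (PID, MID) and records the FID each successful response returned; pass 2
    prints requests with that learned FID in brackets, as Wireshark does."""
    pending: Dict[Tuple[int, int], int] = {}
    learned: Dict[int, int] = {}
    for no, msg in frames:                                   # pass 1
        h = parse_header(msg)
        key = (h["pid"], h["mid"])
        if not h["is_reply"]:
            pending[key] = no
            continue
        req_no = pending.pop(key, None)
        fid = response_fid(msg) if h["status"] == STATUS_SUCCESS else None
        if req_no is not None and fid is not None:
            learned[req_no] = fid
    out = []
    for no, msg in frames:                                   # pass 2
        h = parse_header(msg)
        if not h["is_reply"]:
            fid = learned.get(no)
            tag = f"[FID: 0x{fid:04x}] " if fid is not None else ""
            out.append(f"{no} NT Create AndX Request, {tag}Path: {request_path(msg)}")
        elif h["status"] == STATUS_SUCCESS:
            out.append(f"{no} NT Create AndX Response, FID: 0x{response_fid(msg):04x}")
        else:
            out.append(f"{no} NT Create AndX Response, Error: 0x{h['status']:08x}")
    return out


# Constructed frames mirroring the thread's 292/293 and 320/323 exchange.
COMMON = dict(tid=0x0801, pid=0xFEFF, uid=0x0801)
FRAMES = [
    (292, build_create_request(r"\share_folder\subfolder", 0, mid=0x40, **COMMON)),
    (293, build_create_response(STATUS_SUCCESS, 0x1781, mid=0x40, **COMMON)),
    (320, build_create_request(r"\share_folder\subfolder", FILE_NON_DIRECTORY_FILE, mid=0x41, **COMMON)),
    (323, build_create_response(STATUS_FILE_IS_A_DIRECTORY, 0, mid=0x41, **COMMON)),
]

if __name__ == "__main__":
    for line in correlate(FRAMES):
        print(line)
```

Run it and frame 292 comes out as "[FID: 0x1781] Path: ..." while frame 320 carries no FID at all, exactly the asymmetry in the question: the request bytes are identical apart from CreateOptions, and the bracketed value exists only because a later frame supplied it.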