[MS-SMB] 2.2.4.6.1 - SMB_COM_SESSION_SETUP_ANDX - Client Request Extensions - Undocumented field

  • Question

  • Hi,

    When viewing packet captures of SMB_COM_SESSION_SETUP_ANDX requests (NT LAN Manager dialect, extended security format), I keep noticing an additional string field (or even two?) following NativeOS and NativeLanMan.

    Wireshark suggests that this field is actually "Primary Domain", which makes a lot of sense.

    It would be great to have some details about this additional field (or fields).

    I have already sent to Sreekanth Nadendla a communication between Windows 2000 SP4 and Windows Server 2003 (originally to demonstrate another issue), and this could be seen in packets #8 and #10. I can send additional packet captures if needed.

    Thanks,

    Tal Aloni

    Saturday, February 25, 2017 12:53 PM

Answers

  • Hello Tal,
    Wireshark parsing isn't correct in this case. If you load it in Microsoft Netmon, you can see that NativeLANMan is parsed as "Windows Server 2003 5.2". The extra two bytes at the end serve as padding bytes. Let me know if you have any questions.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Monday, February 27, 2017 9:37 PM
    Moderator
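
The point made in the answer above, as an added example that is not part of the original thread or of any Microsoft code: a bounds-checked reader for the SMB_Data block of an extended-security SMB_COM_SESSION_SETUP_ANDX request that stops after NativeLanMan and returns leftover bytes as padding instead of decoding them as a further string. It assumes the layout SecurityBlob, Pad, NativeOS, NativeLanMan with null-terminated UTF-16LE strings aligned to a 2-byte boundary from the start of the SMB header; the function names and the sample bytes are constructed for illustration.

```python
HEADER_LEN = 32                            # fixed SMB header
PARAMS_LEN = 1 + 12 * 2                    # WordCount byte + 12 parameter words
DATA_OFFSET = HEADER_LEN + PARAMS_LEN + 2  # + ByteCount field = 59


def read_utf16z(buf, pos):
    """Read one null-terminated UTF-16LE string; return (text, next_pos)."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(buf):
        raise ValueError("string is not terminated inside ByteCount")
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_setup_data(data, blob_len, data_offset=DATA_OFFSET):
    """Parse the ByteCount bytes that follow the parameter words."""
    if blob_len > len(data):
        raise ValueError("SecurityBlobLength exceeds ByteCount")
    pos = blob_len
    if (data_offset + pos) % 2:            # Pad: align strings to 16 bits
        pos += 1
    native_os, pos = read_utf16z(data, pos)
    native_lanman, pos = read_utf16z(data, pos)
    trailing = data[pos:]                  # not defined as a field: keep raw
    return {
        "NativeOS": native_os,
        "NativeLanMan": native_lanman,
        "trailing": trailing,
        "trailing_is_padding": all(b == 0 for b in trailing),
    }


def build_sample():
    """Constructed sample: dummy 16-byte blob, pad, two strings, 2 extra bytes."""
    blob = b"\xAA" * 16                    # placeholder, not a real token
    strings = "Windows Server 2003 3790\0Windows Server 2003 5.2\0"
    body = blob + b"\x00" + strings.encode("utf-16-le") + b"\x00\x00"
    return body, len(blob)


SAMPLE, SAMPLE_BLOB_LEN = build_sample()

if __name__ == "__main__":
    print(parse_setup_data(SAMPLE, SAMPLE_BLOB_LEN))
```
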

All replies

  • Hi Tal, thank you for your question. A member of the protocol documentation team will respond to you soon.

    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Saturday, February 25, 2017 5:56 PM
    Moderator