Analysis of the Security of Windows NT, 1 March 1999 (page 27)

In the NT environment, an SMB is carried on top of a NetBIOS over TCP/IP (NBT) session, including UDP as a carrier for NetBIOS as well. A Server Message has the structure described in Figure 6. For a pseudo-C description, see appendix C.

FIGURE 6. The structure of an SMB
[Figure: Protocol, Status, Flags, Flags2, Pad or Extra; Identifiers (Tid, Pid, Uid, Mid); Parameters (WordCount, ParameterWords); Data (ByteCount, Buffer)]

The protocol field contains the identifier 0xFF, ‘SMB’. The Status field contains the error codes if the request was not successful. Two types of error response are supported: a DOS error type with error classes and error codes, and a 32-bit error code. The flags and flags2 fields contain flags for different options such as the use of security signatures and long filenames; see appendix C for more details. The Pad or Extra field contains the signature if SMB signing is used; otherwise it contains a padding field.

The identifiers field contains four types of identifiers: the tree identifier Tid, the process identifier Pid, the user identifier Uid and a multiplex identifier Mid. The Tid is used to identify the “mounted” share in case the user has more than one share mounted on the same session. It also acts as the root of the mounted share, so every request is relative to the Tid. The Tid is set by the server in reply to a C TreeConnect request. The Pid identifies which process, thread or task opened a file or requested a lock. It is set by the client. The Uid identifies the user to the server, see section 5.4.3. Finally, the Mid is used to multiplex multiple outstanding requests on one session.

The parameter field contains a word count and a number of parameter words. The word count tells how many parameter words follow. The number and types of parameters differ among the different commands, see [31] for more details. Finally, the data field consists of a byte count and a buffer. The byte count tells how many bytes of data are present in the buffer, and the buffer contains the actual data, e.g. records read from a file.

The SMB protocol has the ability to group commands together. This is called AndX batching. In this case, only the parameter and data fields from the batched command are added after the first command. AndX batching is permitted as long as the size of the SMB package does not exceed the negotiated size and all commands refer to the same identifiers.
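The field layout described above, as an added example that is not code from the original paper or its appendix C: a bounds-checked parser that refuses any message whose WordCount or ByteCount claims more data than was actually received. The byte offsets, the one-byte command field after the protocol identifier, and the Flags2 signature bit 0x0004 are assumptions taken from the published SMB1/CIFS header layout rather than from this page; the names `smb_msg`, `smb_parse`, `smb_is_signed` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SMB_HDR_LEN   32      /* Protocol .. Mid (assumed SMB1 layout) */
#define FLAGS2_SIGNED 0x0004  /* Flags2 bit: security signature in use */

struct smb_msg {
    uint8_t  command, flags, word_count;
    uint16_t flags2, tid, pid, uid, mid, byte_count;
    uint32_t status;
    uint8_t  extra[12];        /* "Pad or Extra": signature or padding */
    const uint8_t *params;     /* word_count 16-bit parameter words */
    const uint8_t *buffer;     /* byte_count bytes of data */
};

/* Constructed sample: WordCount = 1, ByteCount = 3, Flags2 = 0x0005. */
static const uint8_t smb_sample[] = {
    0xFF, 'S', 'M', 'B', 0x70, 0, 0, 0, 0, 0x00, 0x05, 0x00,
    0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 0,             /* Pad or Extra */
    0x01, 0x08, 0x34, 0x12, 0x02, 0x00, 0x07, 0x00, /* Tid Pid Uid Mid */
    0x01, 0xAA, 0xBB, 0x03, 0x00, 'a', 'b', 'c' };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Returns 0 on success, -1 if the message is malformed or truncated. */
int smb_parse(const uint8_t *b, size_t len, struct smb_msg *m)
{
    if (len < SMB_HDR_LEN + 1 || memcmp(b, "\xffSMB", 4) != 0)
        return -1;
    m->command = b[4];
    m->status  = le16(b + 5) | (uint32_t)le16(b + 7) << 16;
    m->flags   = b[9];
    m->flags2  = le16(b + 10);
    memcpy(m->extra, b + 12, sizeof m->extra);
    m->tid = le16(b + 24);  m->pid = le16(b + 26);
    m->uid = le16(b + 28);  m->mid = le16(b + 30);
    m->word_count = b[32];
    size_t off = SMB_HDR_LEN + 1, plen = (size_t)m->word_count * 2;
    if (len - off < plen + 2)        /* parameter words + ByteCount must fit */
        return -1;
    m->params = b + off;
    m->byte_count = le16(b + off + plen);
    off += plen + 2;
    if (len - off < m->byte_count)   /* declared size must not exceed real data */
        return -1;
    m->buffer = b + off;
    return 0;
}

int smb_is_signed(const struct smb_msg *m) { return (m->flags2 & FLAGS2_SIGNED) != 0; }
```

Both length checks subtract the consumed offset from the received length before comparing, so an oversized count cannot wrap the arithmetic.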