SMB Packet Header

  • Article

The SMB packet header is the header of a CIFS (SMB) command request or response packet. A complete CIFS command packet consists of an header followed by a list of parameters. The parameter list is defined in the header field ParameterWords and is parsed depending on the CIFS command code in Command.

0 1 2 3 4 5 6 7 8 9 1
0		 1 2 3 4 5 6 7 8 9 2
0		 1 2 3 4 5 6 7 8 9 3
0		 1
     

Fields

  • Protocol[4]
    Data type: UCHAR

    Protocol identifier. The value must be 0xFF, 'SMB'.

  • Command
    Data type: UCHAR

    CIFS command code. A server response usually contains the same command code as the corresponding client request. The Flag2 bit SMB_FLAGS_SERVER_TO_REDIR identifies the packet as a server response.

  • Status

    0 1 2 3 4 5 6 7 8 9 1
    0    		 1 2 3 4 5 6 7 8 9 2
    0    		 1 2 3 4 5 6 7 8 9 3
    0    		 1
    StatusDosError

    Data type: union

    If the ERR_STATUS bit is set in Flags2, the error status is shown in Status.Status. Otherwise, the error status is shown in DosError.ErrorClass and DosError.Error.

    • Status
      32-bit error status code. A server returns error information to the client in the Status field. Protocol dialects prior to NTLM 0.12 return status to the client using the combination of Status.DosError.ErrorClass and Status.DosError.Error. Beginning with NTLM 0.12, CIFS servers can return 32-bit error information to clients using Status.Status if the incoming client SMB has bit 14 set in the Flags2 field of the SMB header. The contents of response parameters are not guaranteed in the case of an error return, and must be ignored. For write-behind activity, a subsequent write operation or close of the file may return the fact that a previous write operation failed. Normally, write-behind failures are limited to hard disk errors and device out of space.

    • DosError

      0 1 2 3 4 5 6 7 8 9 1
      0      		 1 2 3 4 5 6 7 8 9 2
      0      		 1 2 3 4 5 6 7 8 9 3
      0      		 1
      ErrorClassReservedError

      Data type: struct

      • ErrorClass
        Data type: UCHAR

        Error class.

      • Reserved
        Data type: UCHAR

        Reserved for future use.

      • Error
        Data type: USHORT

        Error code.

  • Flags
    Data type: UCHAR

    Flags characterizing the CIFS request/response. If bit 7 (SMB_FLAGS_SERVER_TO_REDIR) is set, this packet is a server response.

    Value Meaning
    Bit0 Reserved for obsolescent requests LOCK_AND_READ, WRITE_AND_CLOSE. Dialects LANMAN 1.0 or later.
    Bit1 Reserved (must be zero).
    Bit2 Reserved (must be zero).
    Bit3 When on, all paths in this SMB must be treated as case-less. When off, the pathnames are case sensitive. Dialects LANMAN 1.0 or later.
    Bit4 Reserved (clients must send as zero; servers must ignore).
    Bit5 Reserved for obsolescent requests SMB_COM_OPEN, SMB_COM_CREATE and SMB_COM_CREATE_NEW. Dialects LANMAN 1.0 or later.
    Bit6 Reserved for obsolescent requests SMB_COM_OPEN, SMB_COM_CREATE and SMB_COM_CREATE_NEW. Dialects LANMAN 1.0 or later.
    Bit7 SMB_FLAGS_SERVER_TO_REDIR: When on, this packet is being sent from the server in response to a client request. The Command field usually contains the same value in a protocol request from the client to the server as in the matching response from the server to the client. This bit unambiguously distinguishes the command request from the command response. Dialects PC NETWORK PROGRAM 1.0 or later.

  • Flags2
    Data type: USHORT

    16-bit flag field defining the capabilities of the client/server transaction.

    Value Meaning
    KNOWS_LONG_NAMES
    Bit0    		 If set in a request, the server may return long components in response paths.
    KNOWS_EAS
    Bit1    		 If set, the client is aware of extended attributes.
    SECURITY_SIGNATURE
    Bit2    		 If set, the client is security signature enabled. Dialects NTLM 0.12 or later.
    COMPRESSED
    Bit3    		 Compressed.

    Bit4    		 Reserved. Must be zero.
    IS_LONG_NAME
    Bit5    		 Is a long name.
    EXT_SEC
    Bit11    		 Reserved.
    DFS
    Bit12    		 If set, any request paths in this SMB should be resolved in the Distributed File System (DFS). Dialects NTLM 0.12 or later.
    PAGING_IO
    Bit13    		 If set, indicates that a read operation will be permitted if the client does not have read permission but does have execute permission. This flag is only useful on a read request. Dialects NTLM 0.12 or later.
    ERR_STATUS
    Bit14    		 If set, specifies that the returned error code is a 32-bit error code in Status.Status. Otherwise the Status.DosError.ErrorClass and Status.DosError.Error fields contain the DOS-style error information. When passing Windows NT status codes is negotiated, this flag should be set for every SMB. Dialects NTLM 0.12 or later.
    UNICODE
    Bit15    		 If set, any fields of datatype STRING in this SMB packet are encoded as UNICODE. Otherwise, they are in ASCII. Dialects NTLM 0.12 or later.
  • 0 1 2 3 4 5 6 7 8 9 1
    0    		 1 2 3 4 5 6 7 8 9 2
    0    		 1 2 3 4 5 6 7 8 9 3
    0    		 1
    Pad[6] Extra 

    Data type: union

    • Pad[6]
      Padding to ensure that the section is 12 bytes long.

    • Extra

      0 1 2 3 4 5 6 7 8 9 1
      0      		 1 2 3 4 5 6 7 8 9 2
      0      		 1 2 3 4 5 6 7 8 9 3
      0      		 1
      PidHighSecuritySignature[8] 

      Data type: structure

      • PidHigh
        Data type: USHORT

        High part of client process ID.

      • SecuritySignature[8]
        Data type: UCHAR

        Reserved for security.

  • Tid
    Data type: USHORT

    Instance of an authenticated connection to a server resource. The server returns the Tid value to the client when the client successfully connects to a resource, and the client uses Tid in subsequent requests referring to the resource. In most SMB requests, Tid must contain a valid value. Exceptions include prior to getting a TID established, including the commands SMB_COM_NEGOTIATE, SMB_COM_TREE_CONNECT, SMB_COM_ECHO, and SMB_COM_SESSION_SETUP_ANDX. A Tid value of 0xFFFF should be used in these situations. The server is always responsible for enforcing use of a valid Tid value where appropriate.

  • Pid
    Data type: USHORT

    Caller process identifier, generated by the client to uniquely identify a process within the client computer. Concurrency control is associated with Pid (and PidHigh) since sharing modes and locks are arbitrated using Pid. For example, if a file is successfully opened for exclusive access, subsequent open requests from other clients or from the same client with a different Pid value will be refused. Clients inform servers of the creation of a new process by simply introducing a new Pid value into the dialogue for new processes. The client operating system must ensure that the appropriate close and cleanup SMBs will be sent when the last process referencing a file closes it. From the server's point of view, there is no concept of Fid values belonging to processes. A Fid returned by the server to one process may be used by any other process using the same transport connection and Tid value. It is up to the client operating system to ensure only authorized client processes gain access to Fid values (and Tid values). On SMB_COM_TREE_DISCONNECT (or when the client and server session is terminated) with a given Tid value, the server will invalidate any files opened by any process on that client.

  • Uid
    Data type: USHORT

    User ID assigned by the server after a user authenticates to it, and that it will associate with that user until the client requests that the association be broken. After authentication to the server, the client should make sure that the Uid value is not used for a different user than the authenticated one. (It is permitted that a single user have more than one Uid value.) Requests that do authorization, such as open requests, will perform access checks using the identity associated with the Uid.

  • Mid
    Data type: USHORT

    Used along with Pid to allow multiplexing the single client and server connection among the client's multiple processes, threads, and requests per thread. Clients may have many outstanding requests (up to the negotiated number) at one time. Servers may respond to requests in any order, but a response message must always contain the same Mid and Pid values as the corresponding request message. The client must not have multiple outstanding requests to a server with the same Mid and Pid.

  • WordCount
    Data type: UCHAR

    Count of parameter words defining the data portion of the packet.

  • ParameterWords[Wordcount]
    Data type: USHORT

    Parameter words defining the data portion of the packet.

  • ByteCount
    Data type: USHORT

    Size of the data portion of the packet.

  • Buffer[ ByteCount ]
    Data type: UCHAR

    Data portion of the packet. The format of the data portion depends on the command code. Fields in the data portion consist of an identifier byte followed by the data.

    The value of the data identifier defines the format of the data immediately following.

    Data identifier/value Description
    Data Block
    1    		 Word indicating length, followed by the data.
    Dialect
    2    		 Null-terminated string.
    Pathname
    3    		 Null-terminated string.
    ASCII
    4    		 Null-terminated string.
    Variable block
    5    		 Word indicating length, followed by the data.

Example Code

All CIFS headers follow the SMB header format and have identical format up to the ParameterWords fields. (Some obsolescent ones do not.) CIFS requests and responses differ in the number and interpretation of the fields ParameterWords and Buffer. All reserved fields in the header must be zero. The field Command is the operation code for the CIFS request or response.

typedef unsigned char UCHAR;          // 8 unsigned bits
typedef unsigned short USHORT;        // 16 unsigned bits
typedef unsigned long ULONG;          // 32 unsigned bits

typedef struct {
    ULONG LowPart;
    LONG HighPart;
} LARGE_INTEGER;                      // 64 bits of data

typedef struct  {
    UCHAR Protocol[4];                // Contains 0xFF,'SMB'
    UCHAR Command;                    // Command code
    union {
        struct {
            UCHAR ErrorClass;         // Error class
            UCHAR Reserved;           // Reserved for future use
            USHORT Error;             // Error code
        } DosError;
        ULONG Status;                 // 32-bit error code
    } Status;
    UCHAR Flags;                      // Flags
    USHORT Flags2;                    // More flags
    union {
        USHORT Pad[6];                // Ensure section is 12 bytes long
        struct {
            USHORT PidHigh;           // High part of PID
            UCHAR SecuritySignature[8];	  // reserved for security
  	   } Extra;
    };
    USHORT Tid;                       // Tree identifier
    USHORT Pid;                       // Caller's process id
    USHORT Uid;                       // Unauthenticated user id
    USHORT Mid;                       // multiplex id
    UCHAR  WordCount;                 // Count of parameter words
    USHORT ParameterWords[ WordCount ];    // The parameter words
    USHORT ByteCount;                 // Count of bytes
    UCHAR  Buffer[ ByteCount ];       // The bytes
} SMB_HEADER;

See Also

CIFS Command Codes, CIFS Error Codes and Classes, CIFS Flags, Royalty-Free CIFS Technical Reference License Agreement