SMB Packet Header
The SMB packet header is the header of a CIFS (SMB) command request or response packet. A complete CIFS command packet consists of an header followed by a list of parameters. The parameter list is defined in the header field ParameterWords and is parsed depending on the CIFS command code in Command.
0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 0 | 1 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Fields
Protocol[4]
Data type: UCHARProtocol identifier. The value must be 0xFF, 'SMB'.
Command
Data type: UCHARCIFS command code. A server response usually contains the same command code as the corresponding client request. The Flag2 bit SMB_FLAGS_SERVER_TO_REDIR identifies the packet as a server response.
Status
0 1 2 3 4 5 6 7 8 9 1
01 2 3 4 5 6 7 8 9 2
01 2 3 4 5 6 7 8 9 3
01 Status DosError Data type: union
If the ERR_STATUS bit is set in Flags2, the error status is shown in Status.Status. Otherwise, the error status is shown in DosError.ErrorClass and DosError.Error.
Status
32-bit error status code. A server returns error information to the client in the Status field. Protocol dialects prior to NTLM 0.12 return status to the client using the combination of Status.DosError.ErrorClass and Status.DosError.Error. Beginning with NTLM 0.12, CIFS servers can return 32-bit error information to clients using Status.Status if the incoming client SMB has bit 14 set in the Flags2 field of the SMB header. The contents of response parameters are not guaranteed in the case of an error return, and must be ignored. For write-behind activity, a subsequent write operation or close of the file may return the fact that a previous write operation failed. Normally, write-behind failures are limited to hard disk errors and device out of space.DosError
0 1 2 3 4 5 6 7 8 9 1
01 2 3 4 5 6 7 8 9 2
01 2 3 4 5 6 7 8 9 3
01 ErrorClass Reserved Error Data type: struct
ErrorClass
Data type: UCHARError class.
Reserved
Data type: UCHARReserved for future use.
Error
Data type: USHORTError code.
Flags
Data type: UCHARFlags characterizing the CIFS request/response. If bit 7 (SMB_FLAGS_SERVER_TO_REDIR) is set, this packet is a server response.
Value Meaning Bit0 Reserved for obsolescent requests LOCK_AND_READ, WRITE_AND_CLOSE. Dialects LANMAN 1.0
or later.Bit1 Reserved (must be zero). Bit2 Reserved (must be zero). Bit3 When on, all paths in this SMB must be treated as case-less. When off, the pathnames are case sensitive. Dialects LANMAN 1.0
or later.Bit4 Reserved (clients must send as zero; servers must ignore). Bit5 Reserved for obsolescent requests SMB_COM_OPEN, SMB_COM_CREATE and SMB_COM_CREATE_NEW. Dialects LANMAN 1.0
or later.Bit6 Reserved for obsolescent requests SMB_COM_OPEN, SMB_COM_CREATE and SMB_COM_CREATE_NEW. Dialects LANMAN 1.0
or later.Bit7 SMB_FLAGS_SERVER_TO_REDIR: When on, this packet is being sent from the server in response to a client request. The Command field usually contains the same value in a protocol request from the client to the server as in the matching response from the server to the client. This bit unambiguously distinguishes the command request from the command response. Dialects PC NETWORK PROGRAM 1.0
or later.Flags2
Data type: USHORT16-bit flag field defining the capabilities of the client/server transaction.
Value Meaning KNOWS_LONG_NAMES
Bit0If set in a request, the server may return long components in response paths. KNOWS_EAS
Bit1If set, the client is aware of extended attributes. SECURITY_SIGNATURE
Bit2If set, the client is security signature enabled. Dialects NTLM 0.12
or later.COMPRESSED
Bit3Compressed.
Bit4Reserved. Must be zero. IS_LONG_NAME
Bit5Is a long name. EXT_SEC
Bit11Reserved. DFS
Bit12If set, any request paths in this SMB should be resolved in the Distributed File System (DFS). Dialects NTLM 0.12
or later.PAGING_IO
Bit13If set, indicates that a read operation will be permitted if the client does not have read permission but does have execute permission. This flag is only useful on a read request. Dialects NTLM 0.12
or later.ERR_STATUS
Bit14If set, specifies that the returned error code is a 32-bit error code in Status.Status. Otherwise the Status.DosError.ErrorClass and Status.DosError.Error fields contain the DOS-style error information. When passing Windows NT status codes is negotiated, this flag should be set for every SMB. Dialects NTLM 0.12
or later.UNICODE
Bit15If set, any fields of datatype STRING in this SMB packet are encoded as UNICODE. Otherwise, they are in ASCII. Dialects NTLM 0.12
or later.-
0 1 2 3 4 5 6 7 8 9 1
01 2 3 4 5 6 7 8 9 2
01 2 3 4 5 6 7 8 9 3
01 Pad[6] Extra Data type: union
Pad[6]
Padding to ensure that the section is 12 bytes long.Extra
0 1 2 3 4 5 6 7 8 9 1
01 2 3 4 5 6 7 8 9 2
01 2 3 4 5 6 7 8 9 3
01 PidHigh SecuritySignature[8] Data type: structure
PidHigh
Data type: USHORTHigh part of client process ID.
SecuritySignature[8]
Data type: UCHARReserved for security.
Tid
Data type: USHORTInstance of an authenticated connection to a server resource. The server returns the Tid value to the client when the client successfully connects to a resource, and the client uses Tid in subsequent requests referring to the resource. In most SMB requests, Tid must contain a valid value. Exceptions include prior to getting a TID established, including the commands SMB_COM_NEGOTIATE, SMB_COM_TREE_CONNECT, SMB_COM_ECHO, and SMB_COM_SESSION_SETUP_ANDX. A Tid value of 0xFFFF should be used in these situations. The server is always responsible for enforcing use of a valid Tid value where appropriate.
Pid
Data type: USHORTCaller process identifier, generated by the client to uniquely identify a process within the client computer. Concurrency control is associated with Pid (and PidHigh) since sharing modes and locks are arbitrated using Pid. For example, if a file is successfully opened for exclusive access, subsequent open requests from other clients or from the same client with a different Pid value will be refused. Clients inform servers of the creation of a new process by simply introducing a new Pid value into the dialogue for new processes. The client operating system must ensure that the appropriate close and cleanup SMBs will be sent when the last process referencing a file closes it. From the server's point of view, there is no concept of Fid values belonging to processes. A Fid returned by the server to one process may be used by any other process using the same transport connection and Tid value. It is up to the client operating system to ensure only authorized client processes gain access to Fid values (and Tid values). On SMB_COM_TREE_DISCONNECT (or when the client and server session is terminated) with a given Tid value, the server will invalidate any files opened by any process on that client.
Uid
Data type: USHORTUser ID assigned by the server after a user authenticates to it, and that it will associate with that user until the client requests that the association be broken. After authentication to the server, the client should make sure that the Uid value is not used for a different user than the authenticated one. (It is permitted that a single user have more than one Uid value.) Requests that do authorization, such as open requests, will perform access checks using the identity associated with the Uid.
Mid
Data type: USHORTUsed along with Pid to allow multiplexing the single client and server connection among the client's multiple processes, threads, and requests per thread. Clients may have many outstanding requests (up to the negotiated number) at one time. Servers may respond to requests in any order, but a response message must always contain the same Mid and Pid values as the corresponding request message. The client must not have multiple outstanding requests to a server with the same Mid and Pid.
WordCount
Data type: UCHARCount of parameter words defining the data portion of the packet.
ParameterWords[Wordcount]
Data type: USHORTParameter words defining the data portion of the packet.
ByteCount
Data type: USHORTSize of the data portion of the packet.
Buffer[ ByteCount ]
Data type: UCHARData portion of the packet. The format of the data portion depends on the command code. Fields in the data portion consist of an identifier byte followed by the data.
The value of the data identifier defines the format of the data immediately following.
Data identifier/value Description Data Block
1Word indicating length, followed by the data. Dialect
2Null-terminated string. Pathname
3Null-terminated string. ASCII
4Null-terminated string. Variable block
5Word indicating length, followed by the data.
Example Code
All CIFS headers follow the SMB header format and have identical format up to the ParameterWords fields. (Some obsolescent ones do not.) CIFS requests and responses differ in the number and interpretation of the fields ParameterWords and Buffer. All reserved fields in the header must be zero. The field Command is the operation code for the CIFS request or response.
typedef unsigned char UCHAR; // 8 unsigned bits typedef unsigned short USHORT; // 16 unsigned bits typedef unsigned long ULONG; // 32 unsigned bits typedef struct { ULONG LowPart; LONG HighPart; } LARGE_INTEGER; // 64 bits of data typedef struct { UCHAR Protocol[4]; // Contains 0xFF,'SMB' UCHAR Command; // Command code union { struct { UCHAR ErrorClass; // Error class UCHAR Reserved; // Reserved for future use USHORT Error; // Error code } DosError; ULONG Status; // 32-bit error code } Status; UCHAR Flags; // Flags USHORT Flags2; // More flags union { USHORT Pad[6]; // Ensure section is 12 bytes long struct { USHORT PidHigh; // High part of PID UCHAR SecuritySignature[8]; // reserved for security } Extra; }; USHORT Tid; // Tree identifier USHORT Pid; // Caller's process id USHORT Uid; // Unauthenticated user id USHORT Mid; // multiplex id UCHAR WordCount; // Count of parameter words USHORT ParameterWords[ WordCount ]; // The parameter words USHORT ByteCount; // Count of bytes UCHAR Buffer[ ByteCount ]; // The bytes } SMB_HEADER;
See Also
CIFS Command Codes, CIFS Error Codes and Classes, CIFS Flags, Royalty-Free CIFS Technical Reference License Agreement