4.2 NetServerEnum2
The following diagram demonstrates the steps taken to retrieve an enumeration of servers on the network from a remote server by using the Remote Administration Protocol. Assume that this sequence is executed over an existing SMB connection established between the client and the server. The underlying SMB transaction request and response are included for clarity.
Figure 3: Enumeration of servers
The client sends a Remote Administration Protocol request for the NetServerEnum2 command to the server in an SMB transaction request.
Smb: C; Transact, FileName = \PIPE\LANMAN
  Protocol: SMB
  Command: Transact 37(0x25)
  DOSError: No Error
    ErrorClass: No Error
    Reserved: 0 (0x0)
    Error: No Error
  SMBHeader: Command, TID: 0x0801, PID: 0x74B2, UID: 0x0802, MID: 0x1B02
    Flags: 0 (0x0)
    Flags2: 32768 (0x8000)
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 2049 (0x801)
    ProcessID: 29874 (0x74B2)
    UserID: 2050 (0x802)
    MultiplexID: 6914 (0x1B02)
  CTransaction:
    WordCount: 14 (0xE)
    TotalParameterCount: 26 (0x1A)
    TotalDataCount: 0 (0x0)
    MaxParameterCount: 8 (0x8)
    MaxDataCount: 6144 (0x1800)
    MaxSetupCount: 0 (0x0)
    Reserved1: 0 (0x0)
    Flags: Do not disconnect TID
      BIT0: ...............0 Do not disconnect TID
    Timeout: 5000 sec(s)
    Reserved2: 0 (0x0)
    ParameterCount: 26 (0x1A)
    ParameterOffset: 90 (0x5A)
    DataCount: 0 (0x0)
    DataOffset: 0 (0x0)
    SetupCount: 0 (0x0)
    Reserved3: 0 (0x0)
    ByteCount: 53 (0x35)
    Pad: 113 (0x71)
    UnicodeFileName: \PIPE\LANMAN
    Parameters: RAPParams and NetServerEnum2 Request (26 Bytes)
      68 00 57 72 4C 65 68 44 4F 00 42 31 36 42 42 44 (h.WrLehDO.B16BBD)
      7A 00 01 00 00 18 FF FF FF FF (z.....ÿÿÿÿ)
The server responds with the list of servers on the network. In this case, there are 12 servers to be returned, and all 12 are returned in this response.
Smb: R; Transact
  Protocol: SMB
  Command: Transact 37(0x25)
  DOSError: No Error
    ErrorClass: No Error
    Reserved: 0 (0x0)
    Error: No Error
  SMBHeader: Response, TID: 0x0801, PID: 0x74B2, UID: 0x0802, MID: 0x1B02
    Flags: 128 (0x80)
    Flags2: 32768 (0x8000)
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 2049 (0x801)
    ProcessID: 29874 (0x74B2)
    UserID: 2050 (0x802)
    MultiplexID: 6914 (0x1B02)
  RTransaction:
    WordCount: 10 (0xA)
    TotalParameterCount: 8 (0x8)
    TotalDataCount: 379 (0x17B)
    Reserved: 0 (0x0)
    ParameterCount: 8 (0x8)
    ParameterOffset: 56 (0x38)
    ParamDisplacement: 0 (0x0)
    DataCount: 379 (0x17B)
    DataOffset: 64 (0x40)
    DataDisplacement: 0 (0x0)
    SetupCount: 0 (0x0)
    Reserved1: 0 (0x0)
    ByteCount: 388 (0x184)
    Pad1: Binary Large Object (1 Bytes)
    Parameters: ErrorCode, Converter, and RAPOutParams for NetServerEnum2 Response (8 Bytes)
      00 00 85 16 0B 00 0B 00 (..........)
    Data: RAP NetServerInfo1 Array (379 Bytes)
      42 52 55 43 43 4F 2D 4F 46 46 33 00 00 00 00 00 (BRUCCO-OFF3.....)
      05 02 03 92 82 00 FF 17 00 00 53 4D 42 4E 54 34 (...??.ÿ...SMBNT4)
      53 52 56 00 00 00 00 00 00 00 04 00 03 90 01 00 (SRV..........□..)
      FE 17 00 00 53 4D 42 57 46 57 33 31 31 00 00 00 (þ...SMBWFW311...)
      00 00 00 00 01 33 03 20 01 00 CD 17 00 00 53 4D (.....3. ..Í...SM)
      42 57 49 4E 32 30 30 30 00 00 00 00 00 00 05 00 (BWIN2000........)
      03 90 02 02 CC 17 00 00 53 4D 42 57 49 4E 32 30 (.□..Ì...SMBWIN20)
      30 33 00 00 00 00 00 00 05 02 03 90 82 00 CB 17 (03.........□?.Ë.)
      00 00 53 4D 42 57 49 4E 32 30 30 33 49 41 36 34 (..SMBWIN2003IA64)
      00 00 05 02 03 90 82 00 CA 17 00 00 53 4D 42 57 (.....□?.Ê...SMBW)
      49 4E 39 38 53 45 00 00 00 00 00 00 04 00 03 20 (IN98SE......... )
      41 00 B8 17 00 00 53 4D 42 57 49 4E 39 38 53 45 (A.¸...SMBWIN98SE)
      2D 55 4D 00 00 00 04 00 03 20 41 00 A6 17 00 00 (-UM...... A.¦...)
      53 4D 42 57 49 4E 58 50 00 00 00 00 00 00 00 00 (SMBWINXP........)
      05 01 03 10 00 00 A5 17 00 00 53 50 53 4D 42 44 (......¥...SPSMBD)
      43 31 00 00 00 00 00 00 00 00 05 00 03 90 82 02 (C1...........□?.)
      A4 17 00 00 53 50 53 4D 42 44 43 32 00 00 00 00 (¤...SPSMBDC2....)
      00 00 00 00 05 02 2B 10 84 00 A3 17 00 00 00 00 (......+.?.£.....)
      00 57 49 4E 53 45 20 46 49 4C 45 20 53 59 53 54 (.WINSE FILE SYST)
      45 4D 00 57 49 4E 53 45 20 46 49 4C 45 20 53 59 (EM.WINSE FILE SY)
      53 54 45 4D 00 00 00 00 31 32 33 34 35 36 37 38 (STEM....12345678)
      39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 (9012345678901234)
      35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 (5678901234567890)
      31 32 33 34 35 36 37 38 00 00 00 (12345678...)
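A bounds-checked decoder for the response above, added here as an example and not part of the original protocol document. It reads Converter and the entry counts from the Parameters block, then resolves each NetServerInfo1 comment pointer by subtracting Converter from ServerCommentLow, rejecting any count or offset that falls outside the Data block. The function names are assumptions; the bytes are those of the trace.

```python
import struct

# Bytes copied from the response trace above: 8-byte Parameters block and
# 379-byte Data block (NetServerInfo1 array followed by comment strings).
PARAMS = bytes.fromhex("00 00 85 16 0B 00 0B 00")
DATA = bytes.fromhex(
    "42525543434F2D4F4646330000000000 050203928200FF170000534D424E5434"
    "53525600000000000000040003900100 FE170000534D42574657333131000000"
    "00000000013303200100CD170000534D 4257494E323030300000000000000500"
    "03900202CC170000534D4257494E3230 3033000000000000050203908200CB17"
    "0000534D4257494E3230303349413634 0000050203908200CA170000534D4257"
    "494E3938534500000000000004000320 4100B8170000534D4257494E39385345"
    "2D554D000000040003204100A6170000 534D4257494E58500000000000000000"
    "050103100000A51700005350534D4244 43310000000000000000050003908202"
    "A41700005350534D4244433200000000 0000000005022B108400A31700000000"
    "0057494E53452046494C452053595354 454D0057494E53452046494C45205359"
    "5354454D000000003132333435363738 39303132333435363738393031323334"
    "35363738393031323334353637383930 3132333435363738000000"
)
# ServerName[16], major, minor, ServerType, ServerCommentLow, ServerCommentHigh
ENTRY = struct.Struct("<16sBBIHH")

def cstring(buf, start):
    """Return the NUL-terminated string at start; reject out-of-range offsets."""
    if not 0 <= start < len(buf):
        raise ValueError(f"comment offset {start} outside {len(buf)}-byte data block")
    end = buf.find(b"\x00", start)
    if end < 0:
        raise ValueError(f"unterminated string at offset {start}")
    return buf[start:end].decode("ascii", "replace")

def parse_netserverenum2(params, data):
    """Decode the response, checking every count and offset against the buffer."""
    if len(params) != 8:
        raise ValueError("expected 8 parameter bytes")
    status, converter, returned, available = struct.unpack("<4H", params)
    if returned * ENTRY.size > len(data):
        raise ValueError("EntriesReturned does not fit in the data block")
    servers = []
    for i in range(returned):
        name, _maj, _min, stype, low, _high = ENTRY.unpack_from(data, i * ENTRY.size)
        # The comment pointer is server-relative: subtract Converter to get the offset.
        comment = cstring(data, low - converter)
        servers.append((name.split(b"\x00", 1)[0].decode("ascii", "replace"), stype, comment))
    return status, available, servers

if __name__ == "__main__":
    for name, stype, comment in parse_netserverenum2(PARAMS, DATA)[2]:
        print(f"{name:<16} type=0x{stype:08X} comment={comment!r}")
```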