This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB2 Successful Create of a Blank File?

Below is the SMB2 header for a successful Create from a client to a server. The next packet in the trace says the Create was successful. How do I figure out what file was created and where? There is nothing in the Filename and nothing under the Tree Id.

alt text

create smb2

asked 18 Aug '14, 10:13

Tom Fury
1●2●3●2
accept rate: 0%

One Answer:

Hi Tom,

I've often seen this in SMB2 traces. I think the answer is that the client is opening the root directory relative to the current share. The share is identified by the Tree ID value, and if you've captured the connection to the share you'll see the Tree Connect request which will contain the share name.

I've noticed a typical scenario is the client opens the directory with a Create Request (Disposition - Open), issues a Find Request looking for a particular file (sometimes with wildcard values) and then you see a Close Request for the directory.

Some information that may help:

Overview of SMB: http://www.advance7.com/smb-2-file-server-protocol-overview
SMB2 Protocol Definition - http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-SMB2%5D.pdf
File System Control Codes - http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-FSCC%5D.pdf

Best regards...Paul

answered 19 Aug '14, 13:05

PaulOfford
131●28●32●37
accept rate: 11%