This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

why multiple FIDs for the same folder

0

Hi, when i try to read files in a folder in a network share(windows 7 client), i see multiple SMB CREATE ANDX requests with different FIDs for the same folder. In some instances, there are multiple searches going on for the same folder. Can someone please help me understand what is really going on here?

asked 08 Mar '15, 10:24

xerocool's gravatar image

xerocool
6336
accept rate: 0%

Are you reading them in a program that you wrote or are you viewing them in somebody else's program, such as Windows Explorer?

(08 Mar '15, 17:02) Guy Harris ♦♦

am viewing them in windows explorer.

(08 Mar '15, 20:20) xerocool

One Answer:

1

The most likely "someone" would be somebody from the Windows Explorer team at Microsoft.

The different FIDs either result from opens of the folder being done while other opens are still active, so that a new FID has to be assigned for each new open, or from the SMB server not immediately reusing FIDs.

If there are multiple searches in parallel being done by Windows Explorer, those would, when accessing an SMB-mounted folder, translate into multiple opens (SMB CreateAndX requests) going over the wire.

answered 08 Mar '15, 22:47

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

There are no multiple searches being done and my machine is the only client opening that particular share. I took the trace when I opened the folder just once and that's it. So there are no other opens still active.

Can you please explain the "SMB server not immediately reusing FIDs" part a little more? I am new to CIFS/SMB.

(09 Mar '15, 01:32) xerocool

There are no multiple searches being done

Have you run some tracing program against the Windows Explorer to be certain that it does not, for example, have multiple threads making FindFirstFile and FindNextFile calls? If not, then you don't know for certain whether multiple searches are being done.

Can you please explain the "SMB server not immediately reusing FIDs" part a little more?

Section 2.2.1.6.1 "FID Generation" of the [MS-CIFS] specification says that:

  • The FID MUST be unique within a specified client/server SMB connection.

  • The FID MUST remain valid for the lifetime of the SMB connection on which the open request is performed, or until the client sends a request to the server to close the FID.

  • Once a FID has been closed, the value can be reused for another create or open request.

so FIDs can't be reused as long as they're open; they can be reused once closed, but the server isn't obliged to reuse them immediately. It may eventually have to reuse them, as they're only 16 bits wide, but, for whatever reason, it might choose not to do so.

(09 Mar '15, 01:55) Guy Harris ♦♦

You are right. The simultaneous searches occurred just once. I guess there was an active search opened from before.

The part regarding the FID reuse makes sense too. Thanks!

However, now the the client sends a createAndx request, partial listing of the files in the folder is done before it sends a close2 request to stop that. It then resends the CreateAndX request(with FID incremeted by 1) and the listing begins again. This time, its successful.

Could this be due to the fact that the request asked for oplocks and none were granted? So it keeps trying to open the folder, do some operation and close it afterwards repeatedly?

(11 Mar '15, 03:27) xerocool