Can one determine which version of SMB is being used by looking at the SMB header?
asked 20 Mar '12, 10:13
According to Microsoft's [MS-CIFS] specification, the first 4 bytes of the header for an SMB message "MUST contain the 4-byte literal string '\xFF', 'S', 'M', 'B', with the letters represented by their respective ASCII values in the order shown."
According to their [MS-SMB2] specification, the first 4 bytes of the header for an SMB2 message "MUST be (in network order) 0xFE, 'S', 'M', and 'B'."
So the first byte of the message is 0xFF for SMB and 0xFE for SMB2.
answered 20 Mar '12, 16:33
Guy Harris ♦♦
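The check described in the answer, as an added example that is not part of the original post. It goes beyond the answer in three ways, all taken from the MS-SMB2 layout rather than from this page: it skips the 4-byte TCP framing that precedes the header on the wire, it recognizes the 0xFD transform header used for SMB 3.x encryption, and it reads the negotiated dialect from an SMB2 NEGOTIATE response. The function names and sample bytes are constructed for illustration.

```python
import struct

# 0xFF and 0xFE are the values quoted in the answer; 0xFD (transform header used
# for SMB 3.x encryption) is an addition taken from MS-SMB2, not from the answer.
PROTOCOL_IDS = {b"\xffSMB": "SMB1", b"\xfeSMB": "SMB2", b"\xfdSMB": "SMB3-encrypted"}
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses


def strip_transport(data):
    """Drop the 4-byte TCP framing (zero byte + 24-bit big-endian length) if present."""
    if len(data) >= 8 and data[0] == 0 and data[5:8] == b"SMB":
        return data[4:4 + int.from_bytes(data[1:4], "big")]
    return data


def classify(data):
    """Return (family, dialect); dialect is set only for an SMB2 NEGOTIATE response."""
    msg = strip_transport(data)
    family = PROTOCOL_IDS.get(msg[:4])
    if family is None:
        return ("not SMB", None)
    if family != "SMB2" or len(msg) < SMB2_HEADER_LEN + 6:
        return (family, None)
    struct_size, = struct.unpack_from("<H", msg, 4)
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if struct_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return (family, None)
    # NEGOTIATE response body: StructureSize(2), SecurityMode(2), DialectRevision(2)
    revision, = struct.unpack_from("<H", msg, SMB2_HEADER_LEN + 4)
    return (family, DIALECTS.get(revision, hex(revision)))


def build_negotiate_response(revision):
    """Constructed sample: framed SMB2 header plus the first 6 body bytes."""
    header = struct.pack("<4sHHIHHI", b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR).ljust(SMB2_HEADER_LEN, b"\0")
    msg = header + struct.pack("<HHH", 65, 1, revision)
    return b"\0" + len(msg).to_bytes(3, "big") + msg


SAMPLE_SMB1 = b"\xffSMB\x72" + b"\0" * 27        # constructed 32-byte SMB1 header
SAMPLE_SMB2 = build_negotiate_response(0x0311)   # constructed
```

The first byte only separates the SMB1 and SMB2 families; the dialect within the SMB2 family (2.0.2 through 3.1.1) is visible only in the NEGOTIATE exchange, so a capture that starts mid-session yields the family but not the dialect.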