2.2.3.1 The SMB Header
The SMB_Header structure is a fixed 32-bytes in length.
-
SMB_Header { UCHAR Protocol[4]; UCHAR Command; SMB_ERROR Status; UCHAR Flags; USHORT Flags2; USHORT PIDHigh; UCHAR SecurityFeatures[8]; USHORT Reserved; USHORT TID; USHORT PIDLow; USHORT UID; USHORT MID; }
|
|
|
|
|
|
|
|
|
|
1 |
|
|
|
|
|
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
3 |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Protocol |
|||||||||||||||||||||||||||||||
|
Command |
Status |
||||||||||||||||||||||||||||||
|
... |
Flags |
Flags2 |
|||||||||||||||||||||||||||||
|
PIDHigh |
SecurityFeatures |
||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
... |
Reserved |
||||||||||||||||||||||||||||||
|
TID |
PIDLow |
||||||||||||||||||||||||||||||
|
UID |
MID |
||||||||||||||||||||||||||||||
Protocol (4 bytes): This field MUST contain the 4-byte literal string '\xFF', 'S', 'M', 'B', with the letters represented by their respective ASCII values in the order shown. In the earliest available SMB documentation, this field is defined as a one byte message type (0xFF) followed by a three byte server type identifier.
Command (1 byte): A one-byte command code. Defined SMB command codes are listed in section 2.2.2.1.
Status (4 bytes): A 32-bit field used to communicate error messages from the server to the client.
Flags (1 byte): An 8-bit field of 1-bit flags describing various features in effect for the message.
|
Name and bitmask |
Description |
Earliest dialect |
|---|---|---|
|
SMB_FLAGS_LOCK_AND_READ_OK 0x01 |
This bit is set (1) in the SMB_COM_NEGOTIATE (0x72) Response (section 2.2.4.52.2) if the server supports SMB_COM_LOCK_AND_READ (0x13) (section 2.2.4.20) and SMB_COM_WRITE_AND_UNLOCK (0x14) (section 2.2.4.21) commands. |
LANMAN1.0 |
|
SMB_FLAGS_BUF_AVAIL 0x02 |
When set (on an SMB request being sent to the server), the client guarantees that there is a receive buffer posted such that a send without acknowledgment can be used by the server to respond to the client's request. This behavior is specific to an obsolete transport. This bit MUST be set to zero by the client and MUST be ignored by the server. |
LANMAN1.0 |
|
Reserved 0x04 |
This flag MUST be set to zero by the client and MUST be ignored by the server. |
LANMAN1.0 |
|
SMB_FLAGS_CASE_INSENSITIVE 0x08 |
Obsolete If this bit is set then all pathnames in the SMB SHOULD be treated as case-insensitive.<26> |
LANMAN1.0 |
|
SMB_FLAGS_CANONICALIZED_PATHS 0x10 |
When set in session setup, this bit indicates that all paths sent to the server are already in canonical format. That is, all file and directory names are composed of valid file name characters in all upper-case, and that the path segments are separated by backslash characters ('\'). |
LANMAN1.0 |
|
SMB_FLAGS_OPLOCK 0x20 |
Obsolescent This bit has meaning only in the deprecated SMB_COM_OPEN (0x02) Request (section 2.2.4.3.1), SMB_COM_CREATE (0x03) Request (section 2.2.4.4.1), and SMB_COM_CREATE_NEW (0x0F) Request (section 2.2.4.16.1) messages, where it is used to indicate that the client is requesting an Exclusive OpLock. It SHOULD be set to zero by the client, and ignored by the server, in all other SMB requests. If the server grants this OpLock request, then this bit SHOULD remain set in the corresponding response SMB to indicate to the client that the OpLock request was granted. |
LANMAN1.0 |
|
SMB_FLAGS_OPBATCH 0x40 |
Obsolescent This bit has meaning only in the deprecated SMB_COM_OPEN (0x02) Request (section 2.2.4.3.1), SMB_COM_CREATE (0x03) Request (section 2.2.4.4.1), and SMB_COM_CREATE_NEW (0x0F) Request (section 2.2.4.16.1) messages, where it is used to indicate that the client is requesting a Batch OpLock. It SHOULD be set to zero by the client, and ignored by the server, in all other SMB requests. If the server grants this OpLock request, then this bit SHOULD remain set in the corresponding response SMB to indicate to the client that the OpLock request was granted. If the SMB_FLAGS_OPLOCK bit is clear (0), then the SMB_FLAGS_OPBATCH bit is ignored. |
LANMAN1.0 |
|
SMB_FLAGS_REPLY 0x80 |
When on, this message is being sent from the server in response to a client request. The Command field usually contains the same value in a protocol request from the client to the server as in the matching response from the server to the client. This bit unambiguously distinguishes the message as a server response. |
LANMAN1.0 |
Flags2 (2 bytes): A 16-bit field of 1-bit flags that represent various features in effect for the message. Unspecified bits are reserved and MUST be zero.
|
Name and bitmask |
Description |
Earliest dialect |
|---|---|---|
|
SMB_FLAGS2_LONG_NAMES 0x0001 |
If the bit is set, the message MAY contain long file names. If the bit is clear then file names in the message MUST adhere to the 8.3 naming convention. If set in a client request for directory enumeration, the server MAY return long names (that is, names that are not 8.3 names) in the response to this request. If not set in a client request for directory enumeration, the server MUST return only 8.3 names in the response to this request. This flag indicates that in a direct enumeration request, paths returned by the server are not restricted to 8.3 names format. This bit field SHOULD be set to 1 when the negotiated dialect is LANMAN2.0 or later. |
LANMAN2.0 |
|
SMB_FLAGS2_EAS 0x0002 |
If the bit is set, the client is aware of extended attributes (EAs). The client MUST set this bit if the client is aware of extended attributes. In response to a client request with this flag set, a server MAY include extended attributes in the response. This bit field SHOULD be set to 1 when the negotiated dialect is LANMAN2.0 or later. |
LANMAN1.2 |
|
SMB_FLAGS2_SMB_SECURITY_SIGNATURE 0x0004 |
If set by the client, the client is requesting signing (if signing is not yet active) or the message being sent is signed. This bit is used on the SMB header of an SMB_COM_SESSION_SETUP_ANDX (section 2.2.4.53) client request to indicate that the client supports signing and that the server can choose to enforce signing on the connection based on its configuration. To turn on signing for a connection, the server MUST set this flag and also sign the SMB_COM_SESSION_SETUP_ANDX Response (section 2.2.4.53), after which all of the traffic on the connection (except for OpLock Break notifications) MUST be signed. In the SMB header of other CIFS client requests, the setting of this bit indicates that the packet has been signed. This bit field SHOULD be set to 1 when the negotiated dialect is NT LANMAN or later. |
NT LANMAN |
|
SMB_FLAGS2_IS_LONG_NAME 0x0040 |
Reserved but not implemented. |
NT LANMAN |
|
SMB_FLAGS2_DFS 0x1000 |
If the bit is set, any pathnames in this SMB SHOULD be resolved in the Distributed File System (DFS). |
NT LANMAN |
|
SMB_FLAGS2_PAGING_IO 0x2000 |
This flag is useful only on a read request. If the bit is set, then the client MAY read the file if the client does not have read permission but does have execute permission. This bit field SHOULD be set to 1 when the negotiated dialect is LANMAN2.0 or later. This flag is also known as SMB_FLAGS2_READ_IF_EXECUTE. |
NT LANMAN |
|
SMB_FLAGS2_NT_STATUS 0x4000 |
If this bit is set in a client request, the server MUST return errors as 32-bit NTSTATUS codes in the response. If it is clear, the server SHOULD<27> return errors in SMBSTATUS format. If this bit is set in the server response, the Status field in the header is formatted as an NTSTATUS code; else, it is in SMBSTATUS format. |
NT LANMAN |
|
SMB_FLAGS2_UNICODE 0x8000 |
If set in a client request or server response, each field that contains a string in this SMB message MUST be encoded as an array of 16-bit Unicode characters, unless otherwise specified. If this bit is clear, each of these fields MUST be encoded as an array of OEM characters. This bit field SHOULD be set to 1 when the negotiated dialect is NT LANMAN. |
NT LANMAN |
PIDHigh (2 bytes): If set to a nonzero value, this field represents the high-order bytes of a process identifier (PID). It is combined with the PIDLow field below to form a full PID.
SecurityFeatures (8 bytes): This 8-byte field has three possible interpretations.
-
In the case that security signatures are negotiated (see SMB_COM_NEGOTIATE (0x72) (section 2.2.4.52), the following format MUST be observed.
-
SecurityFeatures { UCHAR SecuritySignature[8]; }
-
-
0
1
2
3
4
5
6
7
8
91
0
1
2
3
4
5
6
7
8
92
0
1
2
3
4
5
6
7
8
93
0
1SecuritySignature
...
-
SecuritySignature (8 bytes): If SMB signing has been negotiated, this field MUST contain an 8-byte cryptographic message signature that can be used to detect whether the message was modified while in transit. The use of message signing is mutually exclusive with connectionless transport.
-
In the case that CIFS is being transported over a connectionless transport (see section 2.1.2.1), the following format MUST be observed.
-
-
SecurityFeatures { ULONG Key; USHORT CID; USHORT SequenceNumber; }
-
-
-
0
1
2
3
4
5
6
7
8
91
0
1
2
3
4
5
6
7
8
92
0
1
2
3
4
5
6
7
8
93
0
1Key
CID
SequenceNumber
-
Key (4 bytes): An encryption key used for validating messages over connectionless transports.
-
CID (2 bytes): A connection identifier (CID).
-
SequenceNumber (2 bytes): A number used to identify the sequence of a message over connectionless transports.
-
Finally, if neither of the above two cases applies, the SecurityFeatures field is treated as a reserved field, which MUST be set to zero by the client and MUST be ignored by the server.
-
-
Reserved (2 bytes): This field is reserved and SHOULD be set to 0x0000.
TID (2 bytes): A tree identifier (TID).
PIDLow (2 bytes): The lower 16-bits of the PID.
UID (2 bytes): A user identifier (UID).
MID (2 bytes): A multiplex identifier (MID).