2.2.3 SMB Message Structure

SMB Messages are divisible into three parts:

  • A fixed-length header

  • A variable length parameter block

  • A variable length data block

The header identifies the message as an SMB message, specifies the command to be executed, and provides context. In a response message, the header also includes status information that indicates whether (and how) the command succeeded or failed.

The parameter block is a short array of two-byte values (words), while the data block is an array of up to 64 KB in size. The structure and contents of these blocks are specific to each SMB message.

SMB messages are structured this way because the protocol was originally conceived of as a rudimentary remote procedure call system. The parameter values were meant to represent the parameters passed into a function. The data section would contain larger structures or data buffers, such as the block of data to be written using an SMB_COM_WRITE command. Although the protocol has evolved over time, this differentiation has been generally maintained.

Show: