I'm trying to dissect a NetSessEnum request over SMB2 (srvsvc opnum 12) According to Wireshark, a field called Referent_ID seems to have a value of 0x00020000. I can't find proper documentation regarding this field. I'd like to know, if only 0x00020000 is a valid value for this operation or not. Will appreciate pointer to proper documentation on this.
Asked
Active
Viewed 249 times
1 Answers
1
This field is a serialization mark and it may have any value. For instance in our rpc implementation we are using running numbers. This field means a reference and the referenced value comes later according to the serialization rules. The value is meaningless.
Mark Rabinovich
- 359
- 1
- 1
-
Thanks, I suspected this. – user2679436 Jan 10 '18 at 13:18
-
> the referenced value comes later according to the serialization rules. What do you mean ? – socketpair Jan 25 '18 at 09:32
-
struct s1 { int f1; struct s2 * f2; int f3; } The above data is serialized as 1) f1 value 2) ref id for f2 3) f3 value 4) s2 contents. Hope this helps. – Mark Rabinovich Jan 26 '18 at 13:19