SMB2 Notify Action Error
If the smb2.notify.action value in a CHANGE_NOTIFY response is not one of the values defined for FILE_NOTIFY_INFORMATION (listed below), the server is returning something the protocol does not define. That usually points at a buggy or non-compliant server implementation, but it is also worth checking that the response was decoded at the right offset, since a wrong NextEntryOffset or FileNameLength in one entry shifts every field that follows it.
What is SMB2 Change Notify?
SMB2 supports Change Notify requests to monitor a directory for changes.
The client tells the server: “Notify me when files are created, deleted, renamed, or modified in this folder.”
The server responds with notifications when changes occur.
This is widely used by Windows Explorer, file-sync clients (OneDrive and similar SMB file watchers) and backup software.
Key Fields in Wireshark
smb2.cmd
For Change Notify:
0x000F → CHANGE_NOTIFY
smb2.notify.action
The Action field of a FILE_NOTIFY_INFORMATION entry in the server's response. One response can carry several entries, each with its own action and file name, so the field may appear more than once in a single packet.
Defined values (MS-FSCC 2.7.1); the first five are by far the most common:
Value Meaning
0x00000001 FILE_ACTION_ADDED (file created in the directory)
0x00000002 FILE_ACTION_REMOVED (file deleted)
0x00000003 FILE_ACTION_MODIFIED (file data or attributes changed)
0x00000004 FILE_ACTION_RENAMED_OLD_NAME (file renamed; this entry carries the old name)
0x00000005 FILE_ACTION_RENAMED_NEW_NAME (file renamed; this entry carries the new name and follows the OLD_NAME entry)
0x00000006 FILE_ACTION_ADDED_STREAM (named data stream added)
0x00000007 FILE_ACTION_REMOVED_STREAM (named data stream removed)
0x00000008 FILE_ACTION_MODIFIED_STREAM (named data stream modified)
0x00000009 FILE_ACTION_REMOVED_BY_DELETE (file removed by a delete operation)
0x0000000A FILE_ACTION_ID_NOT_TUNNELLED (object-ID tunnelling bookkeeping; rarely seen)
0x0000000B FILE_ACTION_TUNNELLED_ID_COLLISION (object-ID tunnelling bookkeeping; rarely seen)
Anything else (0x00000000, or a value above 0x0000000B) is the condition this page is about.
How It Works
1. Client Request
smb2.cmd = CHANGE_NOTIFY (0x000F)
smb2.flags.response = 0
Tree ID = 0x03 (example value)
Directory Handle (FileId) = 0x2000 (example value; the FileId comes from an earlier CREATE that opened the directory)
Flags: SMB2_WATCH_TREE set if subdirectories should be watched as well
CompletionFilter: FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_ATTRIBUTES
2. Interim Response
If nothing has changed yet, the server normally answers right away with STATUS_PENDING and the async flag set. The request then sits open; the real answer arrives later, carrying the same Async ID, when a matching change happens.
3. Server Response
smb2.cmd = CHANGE_NOTIFY
smb2.flags.response = 1
OutputBuffer = one or more FILE_NOTIFY_INFORMATION entries, for example:
smb2.notify.action = FILE_ACTION_ADDED
File Name = "new_file.txt"
smb2.notify.action = FILE_ACTION_MODIFIED
File Name = "existing_file.docx"
Each entry is one change event for one file or folder; a rename produces two entries (RENAMED_OLD_NAME, then RENAMED_NEW_NAME).
A response with STATUS_NOTIFY_ENUM_DIR and an empty buffer means more changes occurred than the server could buffer; the client has to re-list the directory itself.
One request produces one response. To keep watching, the client sends a new CHANGE_NOTIFY after each response it receives, which is why a busy share shows a steady stream of request/response pairs.
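The response buffer described above is just a chain of FILE_NOTIFY_INFORMATION entries, so the check this page recommends (is every action one of the defined values?) is easy to automate outside Wireshark. The parser below is an added example, not code from the original page or from Wireshark. It builds a constructed response buffer (not a real capture) containing four valid events plus one entry with an Action value MS-FSCC does not define, walks the chain, and reports the unknown action. Because every length and offset in that buffer comes from the server, it also refuses truncated entries, odd UTF-16 lengths and NextEntryOffset values that would loop or overlap, instead of trusting them.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Action values defined for FILE_NOTIFY_INFORMATION (MS-FSCC 2.7.1).
# Wireshark shows these as smb2.notify.action.
FILE_ACTIONS = {
    0x00000001: "FILE_ACTION_ADDED",
    0x00000002: "FILE_ACTION_REMOVED",
    0x00000003: "FILE_ACTION_MODIFIED",
    0x00000004: "FILE_ACTION_RENAMED_OLD_NAME",
    0x00000005: "FILE_ACTION_RENAMED_NEW_NAME",
    0x00000006: "FILE_ACTION_ADDED_STREAM",
    0x00000007: "FILE_ACTION_REMOVED_STREAM",
    0x00000008: "FILE_ACTION_MODIFIED_STREAM",
    0x00000009: "FILE_ACTION_REMOVED_BY_DELETE",
    0x0000000A: "FILE_ACTION_ID_NOT_TUNNELLED",
    0x0000000B: "FILE_ACTION_TUNNELLED_ID_COLLISION",
}

HEADER = struct.Struct("<III")  # NextEntryOffset, Action, FileNameLength


@dataclass
class NotifyEntry:
    action: int
    name: str

    @property
    def action_name(self) -> str:
        return FILE_ACTIONS.get(self.action, f"UNKNOWN(0x{self.action:08X})")

    @property
    def known(self) -> bool:
        return self.action in FILE_ACTIONS


def build_entry(action: int, name: str, next_offset: Optional[int] = None) -> bytes:
    """Encode one FILE_NOTIFY_INFORMATION entry (UTF-16LE name, padded to 4 bytes).
    next_offset defaults to the entry's own padded size, meaning 'another entry follows'."""
    encoded = name.encode("utf-16-le")
    body = HEADER.size + len(encoded)
    padded = (body + 3) & ~3
    if next_offset is None:
        next_offset = padded
    return HEADER.pack(next_offset, action, len(encoded)) + encoded + b"\x00" * (padded - body)


def parse_notify_buffer(buf: bytes) -> List[NotifyEntry]:
    """Walk the FILE_NOTIFY_INFORMATION chain from a CHANGE_NOTIFY response OutputBuffer.
    Every length and offset is server-supplied, so each is bounds-checked before use."""
    entries = []
    off = 0
    while True:
        if off + HEADER.size > len(buf):
            raise ValueError(f"truncated entry header at offset {off}")
        next_off, action, name_len = HEADER.unpack_from(buf, off)
        if name_len % 2 or off + HEADER.size + name_len > len(buf):
            raise ValueError(f"FileNameLength {name_len} out of bounds at offset {off}")
        start = off + HEADER.size
        name = buf[start:start + name_len].decode("utf-16-le", errors="replace")
        entries.append(NotifyEntry(action, name))
        if next_off == 0:  # zero marks the last entry in the chain
            return entries
        # NextEntryOffset is relative to this entry; it must be 4-byte aligned and move
        # strictly past this entry's own bytes, otherwise the walk would loop or overlap.
        if next_off % 4 or next_off < HEADER.size + name_len:
            raise ValueError(f"bad NextEntryOffset {next_off} at offset {off}")
        off += next_off


def unknown_actions(buf: bytes) -> List[NotifyEntry]:
    """Entries whose Action is outside the defined set: the condition this page flags."""
    return [e for e in parse_notify_buffer(buf) if not e.known]


def is_malformed(buf: bytes) -> bool:
    """True if the buffer cannot be walked safely (truncated, misaligned or overlapping)."""
    try:
        parse_notify_buffer(buf)
        return False
    except ValueError:
        return True


# Constructed sample OutputBuffer (not a real capture): four valid events followed
# by an entry whose Action (0x20) is not defined by MS-FSCC.
SAMPLE_RESPONSE = (
    build_entry(0x1, "new_file.txt")
    + build_entry(0x3, "existing_file.docx")
    + build_entry(0x4, "report_draft.docx")
    + build_entry(0x5, "report_final.docx")
    + build_entry(0x20, "odd.bin", next_offset=0)
)

if __name__ == "__main__":
    for e in parse_notify_buffer(SAMPLE_RESPONSE):
        print(f"{e.action_name:<34} {e.name}")
    print("unknown actions:", [e.name for e in unknown_actions(SAMPLE_RESPONSE)])
    # A NextEntryOffset that points back into the same entry is rejected, not followed.
    print("self-referencing entry rejected:", is_malformed(build_entry(0x1, "x", next_offset=4)))
```

To find the same condition directly in a capture, a Wireshark display filter such as smb2.cmd == 15 && smb2.flags.response == 1 && (smb2.notify.action == 0 || smb2.notify.action > 11) matches any CHANGE_NOTIFY response in which at least one entry carries an undefined action; checking each occurrence separately matters because a single response can hold several entries, only one of which may be bad.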
Key Points
CHANGE_NOTIFY works per directory, not per file; with SMB2_WATCH_TREE it covers the whole subtree under that directory.
The client subscribes to changes; the server usually parks the request with STATUS_PENDING and completes it asynchronously when something matching the CompletionFilter happens.
Each request yields one response, so a client that keeps watching re-issues CHANGE_NOTIFY after every response.
Often used for real-time folder monitoring in Windows.
smb2.notify.action tells what type of change occurred for a specific file or folder; Wireshark decodes it to a FILE_ACTION_* name, and a value it cannot name is the error this page describes.
In short:
SMB2 CHANGE_NOTIFY = "watch this directory for changes."
smb2.notify.action = "here's what changed" (added, removed, modified, renamed, or a stream or object-ID event).