SMB2 Operation Error





smb2.cmd


Meaning: The SMB2 command code (operation) being carried in the SMB2 packet.


Examples:


0x0005 → SMB2 CREATE (open a file or directory).


0x0008 → SMB2 QUERY_INFO.


0x000e → SMB2 TREE_CONNECT.


0x0011 → SMB2 IOCTL.


This tells you what action the client or server is performing.



smb2.flags.response


Meaning: A flag that indicates whether the packet is a request (0) or a response (1).


Values:


0 → Request (client → server).


1 → Response (server → client).


This lets you match client requests to server replies.



smb2.nt_status


Meaning: The NTSTATUS code returned in an SMB2 response.


Only valid when smb2.flags.response = 1 (because only responses carry status).


Examples:


0x00000000 → STATUS_SUCCESS (operation succeeded).


0xc0000034 → STATUS_OBJECT_NAME_NOT_FOUND (file not found).


0xc0000022 → STATUS_ACCESS_DENIED.


0xc000020c → STATUS_END_OF_FILE.



Example flow in a capture:


Client → Server


smb2.cmd = CREATE


smb2.flags.response = 0 (request)


Server → Client


smb2.cmd = CREATE


smb2.flags.response = 1 (response)


smb2.nt_status = 0xc0000034 (file not found)



Common SMB2 Command Codes

smb2.cmd (Hex)        Command Name        Purpose / Meaning

0x0000        NEGOTIATE        Negotiate SMB protocol version & capabilities.

0x0001        SESSION_SETUP        Set up a session (authentication, login).

0x0002        LOGOFF        End a session.

0x0003        TREE_CONNECT        Connect to a share (like \\server\share).

0x0004        TREE_DISCONNECT        Disconnect from a share.

0x0005        CREATE        Open/create a file, directory, or named pipe.

0x0006        CLOSE        Close a file handle.

0x0007        FLUSH        Flush cached file data to disk.

0x0008        READ        Read data from a file.

0x0009        WRITE        Write data to a file.

0x000A        LOCK        Lock/unlock file regions.

0x000B        IOCTL        Send device I/O control (FSCTLs).

0x000C        CANCEL        Cancel a previously sent request.

0x000D        KEEPALIVE        Keep TCP session alive.

0x000E        QUERY_DIRECTORY        List directory contents.

0x000F        CHANGE_NOTIFY        Request change notifications on a directory.

0x0010        QUERY_INFO        Query file or filesystem metadata.

0x0011        SET_INFO        Modify file or filesystem metadata.

0x0012        OPLOCK_BREAK        Break an oplock (opportunistic lock).



Common smb2.nt_status Codes

NTSTATUS Code        Constant Name        Meaning

0x00000000        STATUS_SUCCESS        Operation completed successfully.

0xC000000F        STATUS_NO_SUCH_FILE        The file does not exist.

0xC0000034        STATUS_OBJECT_NAME_NOT_FOUND        File or directory name not found.

0xC0000035        STATUS_OBJECT_NAME_COLLISION        The object name already exists (e.g., file creation conflict).

0xC0000022        STATUS_ACCESS_DENIED        User does not have permission.

0xC0000008        STATUS_INVALID_HANDLE        The file handle is invalid (it may already be closed).

0xC0000010        STATUS_INVALID_DEVICE_REQUEST        The request is not valid for the target device.

0xC000009A        STATUS_INSUFFICIENT_RESOURCES        Out of system resources (memory, handles, etc.).

0xC0000120        STATUS_CANCELLED        The I/O request was canceled.

0xC000020C        STATUS_END_OF_FILE        End of file reached during a read.



Example


Client request: smb2.cmd = CREATE, smb2.flags.response = 0


Server response:


smb2.flags.response = 1


smb2.nt_status = 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND)


This means the client tried to open a file, but the server said "file not found."
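The request/response matching described above, as an added Python example (not part of the original page): it reads the command, response flag and status from raw 64-byte SMB2 headers and reports operations that ended in an error. It goes beyond the page by pairing on the header's MessageId (Wireshark field smb2.msg_id) and skipping interim STATUS_PENDING replies. It assumes a single connection and the header layout from MS-SMB2, and the sample headers and the build helper are constructed for illustration.

```python
import struct

# SMB2 sync header (MS-SMB2 2.2.1.2): 64 bytes, little-endian.
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")
FLAG_RESPONSE = 0x00000001   # SMB2_FLAGS_SERVER_TO_REDIR, shown as smb2.flags.response
STATUS_PENDING = 0x00000103  # interim reply to an async request; final reply follows
COMMANDS = {0x0003: "TREE_CONNECT", 0x0005: "CREATE", 0x0008: "READ"}
STATUSES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
            0xC0000022: "STATUS_ACCESS_DENIED"}

def parse_header(buf):
    """Extract smb2.cmd, smb2.flags.response, smb2.nt_status and the MessageId."""
    if len(buf) < HDR.size:
        raise ValueError("truncated SMB2 header")
    f = HDR.unpack_from(buf)
    if f[0] != b"\xfeSMB" or f[1] != 64:
        raise ValueError("not an SMB2 header")
    is_response = bool(f[6] & FLAG_RESPONSE)
    # The status field is only meaningful in responses.
    return {"cmd": f[4], "response": is_response, "msg_id": f[8],
            "nt_status": f[3] if is_response else None}

def failed_operations(packets):
    """Pair requests with responses by MessageId; return the ones that errored."""
    pending, failures = {}, []
    for raw in packets:
        h = parse_header(raw)
        if not h["response"]:
            pending[h["msg_id"]] = h["cmd"]
        elif h["nt_status"] != STATUS_PENDING and h["msg_id"] in pending:
            cmd = pending.pop(h["msg_id"])
            if h["nt_status"] >> 30 == 3:  # top two bits 11 = error severity
                failures.append((h["msg_id"], COMMANDS.get(cmd, hex(cmd)),
                                 STATUSES.get(h["nt_status"], hex(h["nt_status"]))))
    return failures

def build(cmd, msg_id, response=False, status=0):
    """Constructed sample header (hypothetical helper, not captured traffic)."""
    flags = FLAG_RESPONSE if response else 0
    return HDR.pack(b"\xfeSMB", 64, 1, status, cmd, 1, flags, 0, msg_id, 0, 1, 0x1000, bytes(16))

SAMPLE = [
    build(0x0005, 4), build(0x0005, 4, True, 0xC0000034),   # CREATE -> not found
    build(0x0008, 5), build(0x0008, 5, True, STATUS_PENDING),
    build(0x0008, 5, True, 0x00000000),                     # READ -> success
    build(0x0003, 6), build(0x0003, 6, True, 0xC0000022),   # TREE_CONNECT -> denied
]

if __name__ == "__main__":
    for msg_id, cmd, status in failed_operations(SAMPLE):
        print(f"msg_id={msg_id} {cmd} failed: {status}")
```
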

www.traceinside.com