This command is used to search directories.
| Client Request ================================== |
Description ================================= |
| UCHAR WordCount; | Count of parameter words = 2 |
| USHORT MaxCount; | Number of dir. entries to return |
| USHORT SearchAttributes; | |
| USHORT ByteCount; | Count of data bytes; min = 5 |
| UCHAR BufferFormat1; | 0x04 -- ASCII |
| UCHAR FileName[]; | File name, may be null |
| UCHAR BufferFormat2; | 0x05 -- Variable block |
| USHORT ResumeKeyLength; | Length of resume key, may be 0 |
| UCHAR ResumeKey[]; | Resume key |
filename specifies the file to be sought. searchattributes indicates the attributes that the file must have, and is described in the "File Attribute Encoding" section of this document. If searchattributes is zero then only normal files are returned. If the system file, hidden or directory attributes are specified then the search is inclusive–both the specified type(s) of files and normal files are returned. If the volume label attribute is specified then the search is exclusive, and only the volume label entry is returned.
maxcount specifies the number of directory entries to be returned.
| Server Response ================================== |
Description ================================= |
| UCHAR WordCount; | Count of parameter words = 1 |
| USHORT Count; | Number of entries returned |
| USHORT ByteCount; | Count of data bytes; min = 3 |
| UCHAR BufferFormat; | 0x05 -- Variable block |
| USHORT DataLength; | Length of data |
| UCHAR DirectoryInformationData[]; | Data |
The response will contain one or more directory entries as determined by the count field. No more than maxcount entries will be returned. Only entries that match the sought filename and searchattributes combination will be returned.
resumekey must be null (length = 0) on the initial search request. Subsequent search requests intended to continue a search must contain the resumekey field extracted from the last directory entry of the previous response. resumekey is self-contained, for on calls containing a non-zero resumekey neither the searchattributes or filename fields will be valid in the request. resumekey has the following format:
| Resume Key Field ================================== |
Description ================================= |
| UCHAR Reserved; | bit 7 - consumer use |
| bits 5,6 - system use (must preserve) | |
| bits 0-4 - server use (must preserve) | |
| UCHAR FileName[11]; | Name of the returned file |
| UCHAR ReservedForServer[5]; | Client must not modify |
| UCHAR ReservedForConsumer[4]; | Server must not modify |
filename is 8.3 format, with the three character extension left justified into filename[9-11]. If the client is prior to the LANMAN1.0 dialect, the returned filename should be uppercased.
SMB_COM_SEARCH terminates when either the requested maximum number of entries that match the named file are found, or the end of directory is reached without the maximum number of matches being found. A response containing no entries indicates that no matching entries were found between the starting point of the search and the end of directory.
There may be multiple matching entries in response to a single request as SMB_COM_SEARCH supports wildcards in the last component of filename of the initial request.
Returned directory entries in the directoryinformationdata field of the response each have the following format:
| Directory Information Field ================================== |
Description ================================= |
| SMB_RESUME_KEY ResumeKey; | Described above |
| UCHAR FileAttributes; | Attributes of the found file |
| SMB_TIME LastWriteTime; | Time file was last written |
| SMB_DATE LastWriteDate; | Date file was last written |
| ULONG FileSize; | Size of the file |
| UCHAR FileName[13]; | ASCII, space-filled null terminated |
filename must conform to 8.3 rules, and is padded after the extension with 0x20 characters if necessary. If the client has negotiated a dialect prior to the LANMAN1.0 dialect, or if bit0 of the flags2 SMB header field of the request is clear, the returned filename should be uppercased.
As can be seen from the above structure, SMB_COM_SEARCH can not return long filenames, and can not return UNICODE filenames. Files which have a size greater than 2^32 bytes should have the least significant 32 bits of their size returned in filesize.