2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.330 2003/04/17 20:30:41 guy Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/conversation.h>
42 #include "alignment.h"
43 #include <epan/strutil.h>
45 #include "reassemble.h"
47 #include "packet-ipx.h"
49 #include "packet-smb-common.h"
50 #include "packet-smb-mailslot.h"
51 #include "packet-smb-pipe.h"
52 #include "packet-dcerpc.h"
53 #include "packet-smb-sidsnooping.h"
56 * Various specifications and documents about SMB can be found in
58 * ftp://ftp.microsoft.com/developr/drg/CIFS/
60 * and a CIFS specification from the Storage Networking Industry Association
61 * can be found on a link from the page at
63 * http://www.snia.org/tech_activities/CIFS
65 * (it supercedes the document at
67 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
71 * There are also some Open Group publications documenting CIFS available
72 * for download; catalog entries for them are at:
74 * http://www.opengroup.org/products/publications/catalog/c209.htm
76 * http://www.opengroup.org/products/publications/catalog/c195.htm
78 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
81 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
83 * (or, presumably a similar path under the Samba mirrors). As the
84 * ".doc" indicates, it's a Word document. Some of the specs from the
85 * Microsoft FTP site can be found in the
87 * http://www.samba.org/samba/ftp/specs/
91 * Beware - these specs may have errors.
93 static int proto_smb = -1;
94 static int hf_smb_cmd = -1;
95 static int hf_smb_key = -1;
96 static int hf_smb_session_id = -1;
97 static int hf_smb_sequence_num = -1;
98 static int hf_smb_group_id = -1;
99 static int hf_smb_pid = -1;
100 static int hf_smb_tid = -1;
101 static int hf_smb_uid = -1;
102 static int hf_smb_mid = -1;
103 static int hf_smb_response_to = -1;
104 static int hf_smb_time = -1;
105 static int hf_smb_response_in = -1;
106 static int hf_smb_continuation_to = -1;
107 static int hf_smb_nt_status = -1;
108 static int hf_smb_error_class = -1;
109 static int hf_smb_error_code = -1;
110 static int hf_smb_reserved = -1;
111 static int hf_smb_flags_lock = -1;
112 static int hf_smb_flags_receive_buffer = -1;
113 static int hf_smb_flags_caseless = -1;
114 static int hf_smb_flags_canon = -1;
115 static int hf_smb_flags_oplock = -1;
116 static int hf_smb_flags_notify = -1;
117 static int hf_smb_flags_response = -1;
118 static int hf_smb_flags2_long_names_allowed = -1;
119 static int hf_smb_flags2_ea = -1;
120 static int hf_smb_flags2_sec_sig = -1;
121 static int hf_smb_flags2_long_names_used = -1;
122 static int hf_smb_flags2_esn = -1;
123 static int hf_smb_flags2_dfs = -1;
124 static int hf_smb_flags2_roe = -1;
125 static int hf_smb_flags2_nt_error = -1;
126 static int hf_smb_flags2_string = -1;
127 static int hf_smb_word_count = -1;
128 static int hf_smb_byte_count = -1;
129 static int hf_smb_buffer_format = -1;
130 static int hf_smb_dialect_name = -1;
131 static int hf_smb_dialect_index = -1;
132 static int hf_smb_max_trans_buf_size = -1;
133 static int hf_smb_max_mpx_count = -1;
134 static int hf_smb_max_vcs_num = -1;
135 static int hf_smb_session_key = -1;
136 static int hf_smb_server_timezone = -1;
137 static int hf_smb_encryption_key_length = -1;
138 static int hf_smb_encryption_key = -1;
139 static int hf_smb_primary_domain = -1;
140 static int hf_smb_server = -1;
141 static int hf_smb_max_raw_buf_size = -1;
142 static int hf_smb_server_guid = -1;
143 static int hf_smb_security_blob_len = -1;
144 static int hf_smb_security_blob = -1;
145 static int hf_smb_sm_mode16 = -1;
146 static int hf_smb_sm_password16 = -1;
147 static int hf_smb_sm_mode = -1;
148 static int hf_smb_sm_password = -1;
149 static int hf_smb_sm_signatures = -1;
150 static int hf_smb_sm_sig_required = -1;
151 static int hf_smb_rm_read = -1;
152 static int hf_smb_rm_write = -1;
153 static int hf_smb_server_date_time = -1;
154 static int hf_smb_server_smb_date = -1;
155 static int hf_smb_server_smb_time = -1;
156 static int hf_smb_server_cap_raw_mode = -1;
157 static int hf_smb_server_cap_mpx_mode = -1;
158 static int hf_smb_server_cap_unicode = -1;
159 static int hf_smb_server_cap_large_files = -1;
160 static int hf_smb_server_cap_nt_smbs = -1;
161 static int hf_smb_server_cap_rpc_remote_apis = -1;
162 static int hf_smb_server_cap_nt_status = -1;
163 static int hf_smb_server_cap_level_ii_oplocks = -1;
164 static int hf_smb_server_cap_lock_and_read = -1;
165 static int hf_smb_server_cap_nt_find = -1;
166 static int hf_smb_server_cap_dfs = -1;
167 static int hf_smb_server_cap_infolevel_passthru = -1;
168 static int hf_smb_server_cap_large_readx = -1;
169 static int hf_smb_server_cap_large_writex = -1;
170 static int hf_smb_server_cap_unix = -1;
171 static int hf_smb_server_cap_reserved = -1;
172 static int hf_smb_server_cap_bulk_transfer = -1;
173 static int hf_smb_server_cap_compressed_data = -1;
174 static int hf_smb_server_cap_extended_security = -1;
175 static int hf_smb_system_time = -1;
176 static int hf_smb_unknown = -1;
177 static int hf_smb_dir_name = -1;
178 static int hf_smb_echo_count = -1;
179 static int hf_smb_echo_data = -1;
180 static int hf_smb_echo_seq_num = -1;
181 static int hf_smb_max_buf_size = -1;
182 static int hf_smb_password = -1;
183 static int hf_smb_password_len = -1;
184 static int hf_smb_ansi_password = -1;
185 static int hf_smb_ansi_password_len = -1;
186 static int hf_smb_unicode_password = -1;
187 static int hf_smb_unicode_password_len = -1;
188 static int hf_smb_path = -1;
189 static int hf_smb_service = -1;
190 static int hf_smb_move_flags_file = -1;
191 static int hf_smb_move_flags_dir = -1;
192 static int hf_smb_move_flags_verify = -1;
193 static int hf_smb_files_moved = -1;
194 static int hf_smb_copy_flags_file = -1;
195 static int hf_smb_copy_flags_dir = -1;
196 static int hf_smb_copy_flags_dest_mode = -1;
197 static int hf_smb_copy_flags_source_mode = -1;
198 static int hf_smb_copy_flags_verify = -1;
199 static int hf_smb_copy_flags_tree_copy = -1;
200 static int hf_smb_copy_flags_ea_action = -1;
201 static int hf_smb_count = -1;
202 static int hf_smb_file_name = -1;
203 static int hf_smb_open_function_open = -1;
204 static int hf_smb_open_function_create = -1;
205 static int hf_smb_fid = -1;
206 static int hf_smb_file_attr_read_only_16bit = -1;
207 static int hf_smb_file_attr_read_only_8bit = -1;
208 static int hf_smb_file_attr_hidden_16bit = -1;
209 static int hf_smb_file_attr_hidden_8bit = -1;
210 static int hf_smb_file_attr_system_16bit = -1;
211 static int hf_smb_file_attr_system_8bit = -1;
212 static int hf_smb_file_attr_volume_16bit = -1;
213 static int hf_smb_file_attr_volume_8bit = -1;
214 static int hf_smb_file_attr_directory_16bit = -1;
215 static int hf_smb_file_attr_directory_8bit = -1;
216 static int hf_smb_file_attr_archive_16bit = -1;
217 static int hf_smb_file_attr_archive_8bit = -1;
218 static int hf_smb_file_attr_device = -1;
219 static int hf_smb_file_attr_normal = -1;
220 static int hf_smb_file_attr_temporary = -1;
221 static int hf_smb_file_attr_sparse = -1;
222 static int hf_smb_file_attr_reparse = -1;
223 static int hf_smb_file_attr_compressed = -1;
224 static int hf_smb_file_attr_offline = -1;
225 static int hf_smb_file_attr_not_content_indexed = -1;
226 static int hf_smb_file_attr_encrypted = -1;
227 static int hf_smb_file_size = -1;
228 static int hf_smb_search_attribute_read_only = -1;
229 static int hf_smb_search_attribute_hidden = -1;
230 static int hf_smb_search_attribute_system = -1;
231 static int hf_smb_search_attribute_volume = -1;
232 static int hf_smb_search_attribute_directory = -1;
233 static int hf_smb_search_attribute_archive = -1;
234 static int hf_smb_access_mode = -1;
235 static int hf_smb_access_sharing = -1;
236 static int hf_smb_access_locality = -1;
237 static int hf_smb_access_caching = -1;
238 static int hf_smb_access_writetru = -1;
239 static int hf_smb_create_time = -1;
240 static int hf_smb_modify_time = -1;
241 static int hf_smb_backup_time = -1;
242 static int hf_smb_mac_alloc_block_count = -1;
243 static int hf_smb_mac_alloc_block_size = -1;
244 static int hf_smb_mac_free_block_count = -1;
245 static int hf_smb_mac_fndrinfo = -1;
246 static int hf_smb_mac_root_file_count = -1;
247 static int hf_smb_mac_root_dir_count = -1;
248 static int hf_smb_mac_file_count = -1;
249 static int hf_smb_mac_dir_count = -1;
250 static int hf_smb_mac_support_flags = -1;
251 static int hf_smb_mac_sup_access_ctrl = -1;
252 static int hf_smb_mac_sup_getset_comments = -1;
253 static int hf_smb_mac_sup_desktopdb_calls = -1;
254 static int hf_smb_mac_sup_unique_ids = -1;
255 static int hf_smb_mac_sup_streams = -1;
256 static int hf_smb_create_dos_date = -1;
257 static int hf_smb_create_dos_time = -1;
258 static int hf_smb_last_write_time = -1;
259 static int hf_smb_last_write_dos_date = -1;
260 static int hf_smb_last_write_dos_time = -1;
261 static int hf_smb_access_time = -1;
262 static int hf_smb_access_dos_date = -1;
263 static int hf_smb_access_dos_time = -1;
264 static int hf_smb_old_file_name = -1;
265 static int hf_smb_offset = -1;
266 static int hf_smb_remaining = -1;
267 static int hf_smb_padding = -1;
268 static int hf_smb_file_data = -1;
269 static int hf_smb_total_data_len = -1;
270 static int hf_smb_data_len = -1;
271 static int hf_smb_seek_mode = -1;
272 static int hf_smb_data_size = -1;
273 static int hf_smb_alloc_size = -1;
274 static int hf_smb_alloc_size64 = -1;
275 static int hf_smb_max_count = -1;
276 static int hf_smb_min_count = -1;
277 static int hf_smb_timeout = -1;
278 static int hf_smb_high_offset = -1;
279 static int hf_smb_units = -1;
280 static int hf_smb_bpu = -1;
281 static int hf_smb_blocksize = -1;
282 static int hf_smb_freeunits = -1;
283 static int hf_smb_data_offset = -1;
284 static int hf_smb_dcm = -1;
285 static int hf_smb_request_mask = -1;
286 static int hf_smb_response_mask = -1;
287 static int hf_smb_search_id = -1;
288 static int hf_smb_write_mode_write_through = -1;
289 static int hf_smb_write_mode_return_remaining = -1;
290 static int hf_smb_write_mode_raw = -1;
291 static int hf_smb_write_mode_message_start = -1;
292 static int hf_smb_write_mode_connectionless = -1;
293 static int hf_smb_resume_key_len = -1;
294 static int hf_smb_resume_find_id = -1;
295 static int hf_smb_resume_server_cookie = -1;
296 static int hf_smb_resume_client_cookie = -1;
297 static int hf_smb_andxoffset = -1;
298 static int hf_smb_lock_type_large = -1;
299 static int hf_smb_lock_type_cancel = -1;
300 static int hf_smb_lock_type_change = -1;
301 static int hf_smb_lock_type_oplock = -1;
302 static int hf_smb_lock_type_shared = -1;
303 static int hf_smb_locking_ol = -1;
304 static int hf_smb_number_of_locks = -1;
305 static int hf_smb_number_of_unlocks = -1;
306 static int hf_smb_lock_long_offset = -1;
307 static int hf_smb_lock_long_length = -1;
308 static int hf_smb_file_type = -1;
309 static int hf_smb_ipc_state_nonblocking = -1;
310 static int hf_smb_ipc_state_endpoint = -1;
311 static int hf_smb_ipc_state_pipe_type = -1;
312 static int hf_smb_ipc_state_read_mode = -1;
313 static int hf_smb_ipc_state_icount = -1;
314 static int hf_smb_server_fid = -1;
315 static int hf_smb_open_flags_add_info = -1;
316 static int hf_smb_open_flags_ex_oplock = -1;
317 static int hf_smb_open_flags_batch_oplock = -1;
318 static int hf_smb_open_flags_ealen = -1;
319 static int hf_smb_open_action_open = -1;
320 static int hf_smb_open_action_lock = -1;
321 static int hf_smb_vc_num = -1;
322 static int hf_smb_account = -1;
323 static int hf_smb_os = -1;
324 static int hf_smb_lanman = -1;
325 static int hf_smb_setup_action_guest = -1;
326 static int hf_smb_fs = -1;
327 static int hf_smb_connect_flags_dtid = -1;
328 static int hf_smb_connect_support_search = -1;
329 static int hf_smb_connect_support_in_dfs = -1;
330 static int hf_smb_max_setup_count = -1;
331 static int hf_smb_total_param_count = -1;
332 static int hf_smb_total_data_count = -1;
333 static int hf_smb_max_param_count = -1;
334 static int hf_smb_max_data_count = -1;
335 static int hf_smb_param_disp16 = -1;
336 static int hf_smb_param_count16 = -1;
337 static int hf_smb_param_offset16 = -1;
338 static int hf_smb_param_disp32 = -1;
339 static int hf_smb_param_count32 = -1;
340 static int hf_smb_param_offset32 = -1;
341 static int hf_smb_data_disp16 = -1;
342 static int hf_smb_data_count16 = -1;
343 static int hf_smb_data_offset16 = -1;
344 static int hf_smb_data_disp32 = -1;
345 static int hf_smb_data_count32 = -1;
346 static int hf_smb_data_offset32 = -1;
347 static int hf_smb_setup_count = -1;
348 static int hf_smb_nt_trans_subcmd = -1;
349 static int hf_smb_nt_ioctl_function_code = -1;
350 static int hf_smb_nt_ioctl_isfsctl = -1;
351 static int hf_smb_nt_ioctl_flags_root_handle = -1;
352 static int hf_smb_nt_ioctl_data = -1;
353 #ifdef SMB_UNUSED_HANDLES
354 static int hf_smb_nt_security_information = -1;
356 static int hf_smb_nt_notify_action = -1;
357 static int hf_smb_nt_notify_watch_tree = -1;
358 static int hf_smb_nt_notify_stream_write = -1;
359 static int hf_smb_nt_notify_stream_size = -1;
360 static int hf_smb_nt_notify_stream_name = -1;
361 static int hf_smb_nt_notify_security = -1;
362 static int hf_smb_nt_notify_ea = -1;
363 static int hf_smb_nt_notify_creation = -1;
364 static int hf_smb_nt_notify_last_access = -1;
365 static int hf_smb_nt_notify_last_write = -1;
366 static int hf_smb_nt_notify_size = -1;
367 static int hf_smb_nt_notify_attributes = -1;
368 static int hf_smb_nt_notify_dir_name = -1;
369 static int hf_smb_nt_notify_file_name = -1;
370 static int hf_smb_root_dir_fid = -1;
371 static int hf_smb_nt_create_disposition = -1;
372 static int hf_smb_sd_length = -1;
373 static int hf_smb_ea_length = -1;
374 static int hf_smb_file_name_len = -1;
375 static int hf_smb_nt_impersonation_level = -1;
376 static int hf_smb_nt_security_flags_context_tracking = -1;
377 static int hf_smb_nt_security_flags_effective_only = -1;
378 static int hf_smb_nt_access_mask_generic_read = -1;
379 static int hf_smb_nt_access_mask_generic_write = -1;
380 static int hf_smb_nt_access_mask_generic_execute = -1;
381 static int hf_smb_nt_access_mask_generic_all = -1;
382 static int hf_smb_nt_access_mask_maximum_allowed = -1;
383 static int hf_smb_nt_access_mask_system_security = -1;
384 static int hf_smb_nt_access_mask_synchronize = -1;
385 static int hf_smb_nt_access_mask_write_owner = -1;
386 static int hf_smb_nt_access_mask_write_dac = -1;
387 static int hf_smb_nt_access_mask_read_control = -1;
388 static int hf_smb_nt_access_mask_delete = -1;
389 static int hf_smb_nt_access_mask_write_attributes = -1;
390 static int hf_smb_nt_access_mask_read_attributes = -1;
391 static int hf_smb_nt_access_mask_delete_child = -1;
392 static int hf_smb_nt_access_mask_execute = -1;
393 static int hf_smb_nt_access_mask_write_ea = -1;
394 static int hf_smb_nt_access_mask_read_ea = -1;
395 static int hf_smb_nt_access_mask_append = -1;
396 static int hf_smb_nt_access_mask_write = -1;
397 static int hf_smb_nt_access_mask_read = -1;
398 static int hf_smb_nt_create_bits_oplock = -1;
399 static int hf_smb_nt_create_bits_boplock = -1;
400 static int hf_smb_nt_create_bits_dir = -1;
401 static int hf_smb_nt_create_options_directory_file = -1;
402 static int hf_smb_nt_create_options_write_through = -1;
403 static int hf_smb_nt_create_options_sequential_only = -1;
404 static int hf_smb_nt_create_options_sync_io_alert = -1;
405 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
406 static int hf_smb_nt_create_options_non_directory_file = -1;
407 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
408 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
409 static int hf_smb_nt_create_options_random_access = -1;
410 static int hf_smb_nt_create_options_delete_on_close = -1;
411 static int hf_smb_nt_share_access_read = -1;
412 static int hf_smb_nt_share_access_write = -1;
413 static int hf_smb_nt_share_access_delete = -1;
414 static int hf_smb_file_eattr_read_only = -1;
415 static int hf_smb_file_eattr_hidden = -1;
416 static int hf_smb_file_eattr_system = -1;
417 static int hf_smb_file_eattr_volume = -1;
418 static int hf_smb_file_eattr_directory = -1;
419 static int hf_smb_file_eattr_archive = -1;
420 static int hf_smb_file_eattr_device = -1;
421 static int hf_smb_file_eattr_normal = -1;
422 static int hf_smb_file_eattr_temporary = -1;
423 static int hf_smb_file_eattr_sparse = -1;
424 static int hf_smb_file_eattr_reparse = -1;
425 static int hf_smb_file_eattr_compressed = -1;
426 static int hf_smb_file_eattr_offline = -1;
427 static int hf_smb_file_eattr_not_content_indexed = -1;
428 static int hf_smb_file_eattr_encrypted = -1;
429 static int hf_smb_sec_desc_len = -1;
430 static int hf_smb_sec_desc_revision = -1;
431 static int hf_smb_sec_desc_type_owner_defaulted = -1;
432 static int hf_smb_sec_desc_type_group_defaulted = -1;
433 static int hf_smb_sec_desc_type_dacl_present = -1;
434 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
435 static int hf_smb_sec_desc_type_sacl_present = -1;
436 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
437 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
438 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
439 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
440 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
441 static int hf_smb_sec_desc_type_dacl_protected = -1;
442 static int hf_smb_sec_desc_type_sacl_protected = -1;
443 static int hf_smb_sec_desc_type_self_relative = -1;
444 static int hf_smb_sid = -1;
445 static int hf_smb_sid_revision = -1;
446 static int hf_smb_sid_num_auth = -1;
447 static int hf_smb_acl_revision = -1;
448 static int hf_smb_acl_size = -1;
449 static int hf_smb_acl_num_aces = -1;
450 static int hf_smb_ace_type = -1;
451 static int hf_smb_ace_size = -1;
452 static int hf_smb_ace_flags_object_inherit = -1;
453 static int hf_smb_ace_flags_container_inherit = -1;
454 static int hf_smb_ace_flags_non_propagate_inherit = -1;
455 static int hf_smb_ace_flags_inherit_only = -1;
456 static int hf_smb_ace_flags_inherited_ace = -1;
457 static int hf_smb_ace_flags_successful_access = -1;
458 static int hf_smb_ace_flags_failed_access = -1;
459 static int hf_smb_nt_qsd_owner = -1;
460 static int hf_smb_nt_qsd_group = -1;
461 static int hf_smb_nt_qsd_dacl = -1;
462 static int hf_smb_nt_qsd_sacl = -1;
463 static int hf_smb_extended_attributes = -1;
464 static int hf_smb_oplock_level = -1;
465 static int hf_smb_create_action = -1;
466 static int hf_smb_file_id = -1;
467 static int hf_smb_ea_error_offset = -1;
468 static int hf_smb_end_of_file = -1;
469 static int hf_smb_device_type = -1;
470 static int hf_smb_is_directory = -1;
471 static int hf_smb_next_entry_offset = -1;
472 static int hf_smb_change_time = -1;
473 static int hf_smb_setup_len = -1;
474 static int hf_smb_print_mode = -1;
475 static int hf_smb_print_identifier = -1;
476 static int hf_smb_restart_index = -1;
477 static int hf_smb_print_queue_date = -1;
478 static int hf_smb_print_queue_dos_date = -1;
479 static int hf_smb_print_queue_dos_time = -1;
480 static int hf_smb_print_status = -1;
481 static int hf_smb_print_spool_file_number = -1;
482 static int hf_smb_print_spool_file_size = -1;
483 static int hf_smb_print_spool_file_name = -1;
484 static int hf_smb_start_index = -1;
485 static int hf_smb_originator_name = -1;
486 static int hf_smb_destination_name = -1;
487 static int hf_smb_message_len = -1;
488 static int hf_smb_message = -1;
489 static int hf_smb_mgid = -1;
490 static int hf_smb_forwarded_name = -1;
491 static int hf_smb_machine_name = -1;
492 static int hf_smb_cancel_to = -1;
493 static int hf_smb_trans2_subcmd = -1;
494 static int hf_smb_trans_name = -1;
495 static int hf_smb_transaction_flags_dtid = -1;
496 static int hf_smb_transaction_flags_owt = -1;
497 static int hf_smb_search_count = -1;
498 static int hf_smb_search_pattern = -1;
499 static int hf_smb_ff2_backup = -1;
500 static int hf_smb_ff2_continue = -1;
501 static int hf_smb_ff2_resume = -1;
502 static int hf_smb_ff2_close_eos = -1;
503 static int hf_smb_ff2_close = -1;
504 static int hf_smb_ff2_information_level = -1;
505 static int hf_smb_qpi_loi = -1;
507 static int hf_smb_sfi_writetru = -1;
508 static int hf_smb_sfi_caching = -1;
510 static int hf_smb_storage_type = -1;
511 static int hf_smb_resume = -1;
512 static int hf_smb_max_referral_level = -1;
513 static int hf_smb_qfsi_information_level = -1;
514 static int hf_smb_ea_size = -1;
515 static int hf_smb_list_length = -1;
516 static int hf_smb_number_of_links = -1;
517 static int hf_smb_delete_pending = -1;
518 static int hf_smb_index_number = -1;
519 static int hf_smb_current_offset = -1;
520 static int hf_smb_t2_alignment = -1;
521 static int hf_smb_t2_stream_name_length = -1;
522 static int hf_smb_t2_stream_size = -1;
523 static int hf_smb_t2_stream_name = -1;
524 static int hf_smb_t2_compressed_file_size = -1;
525 static int hf_smb_t2_compressed_format = -1;
526 static int hf_smb_t2_compressed_unit_shift = -1;
527 static int hf_smb_t2_compressed_chunk_shift = -1;
528 static int hf_smb_t2_compressed_cluster_shift = -1;
529 static int hf_smb_dfs_path_consumed = -1;
530 static int hf_smb_dfs_num_referrals = -1;
531 static int hf_smb_get_dfs_server_hold_storage = -1;
532 static int hf_smb_get_dfs_fielding = -1;
533 static int hf_smb_dfs_referral_version = -1;
534 static int hf_smb_dfs_referral_size = -1;
535 static int hf_smb_dfs_referral_server_type = -1;
536 static int hf_smb_dfs_referral_flags_strip = -1;
537 static int hf_smb_dfs_referral_node_offset = -1;
538 static int hf_smb_dfs_referral_node = -1;
539 static int hf_smb_dfs_referral_proximity = -1;
540 static int hf_smb_dfs_referral_ttl = -1;
541 static int hf_smb_dfs_referral_path_offset = -1;
542 static int hf_smb_dfs_referral_path = -1;
543 static int hf_smb_dfs_referral_alt_path_offset = -1;
544 static int hf_smb_dfs_referral_alt_path = -1;
545 static int hf_smb_end_of_search = -1;
546 static int hf_smb_last_name_offset = -1;
547 static int hf_smb_fn_information_level = -1;
548 static int hf_smb_monitor_handle = -1;
549 static int hf_smb_change_count = -1;
550 static int hf_smb_file_index = -1;
551 static int hf_smb_short_file_name = -1;
552 static int hf_smb_short_file_name_len = -1;
553 static int hf_smb_fs_id = -1;
554 static int hf_smb_sector_unit = -1;
555 static int hf_smb_fs_units = -1;
556 static int hf_smb_fs_sector = -1;
557 static int hf_smb_avail_units = -1;
558 static int hf_smb_volume_serial_num = -1;
559 static int hf_smb_volume_label_len = -1;
560 static int hf_smb_volume_label = -1;
561 static int hf_smb_free_alloc_units64 = -1;
562 static int hf_smb_caller_free_alloc_units64 = -1;
563 static int hf_smb_actual_free_alloc_units64 = -1;
564 static int hf_smb_max_name_len = -1;
565 static int hf_smb_fs_name_len = -1;
566 static int hf_smb_fs_name = -1;
567 static int hf_smb_device_char_removable = -1;
568 static int hf_smb_device_char_read_only = -1;
569 static int hf_smb_device_char_floppy = -1;
570 static int hf_smb_device_char_write_once = -1;
571 static int hf_smb_device_char_remote = -1;
572 static int hf_smb_device_char_mounted = -1;
573 static int hf_smb_device_char_virtual = -1;
574 static int hf_smb_fs_attr_css = -1;
575 static int hf_smb_fs_attr_cpn = -1;
576 static int hf_smb_fs_attr_pacls = -1;
577 static int hf_smb_fs_attr_fc = -1;
578 static int hf_smb_fs_attr_vq = -1;
579 static int hf_smb_fs_attr_dim = -1;
580 static int hf_smb_fs_attr_vic = -1;
581 static int hf_smb_quota_flags_enabled = -1;
582 static int hf_smb_quota_flags_deny_disk = -1;
583 static int hf_smb_quota_flags_log_limit = -1;
584 static int hf_smb_quota_flags_log_warning = -1;
585 static int hf_smb_soft_quota_limit = -1;
586 static int hf_smb_hard_quota_limit = -1;
587 static int hf_smb_user_quota_used = -1;
588 static int hf_smb_user_quota_offset = -1;
589 static int hf_smb_nt_rename_level = -1;
590 static int hf_smb_cluster_count = -1;
591 static int hf_smb_segments = -1;
592 static int hf_smb_segment = -1;
593 static int hf_smb_segment_overlap = -1;
594 static int hf_smb_segment_overlap_conflict = -1;
595 static int hf_smb_segment_multiple_tails = -1;
596 static int hf_smb_segment_too_long_fragment = -1;
597 static int hf_smb_segment_error = -1;
598 static int hf_smb_pipe_write_len = -1;
600 static gint ett_smb = -1;
601 static gint ett_smb_hdr = -1;
602 static gint ett_smb_command = -1;
603 static gint ett_smb_fileattributes = -1;
604 static gint ett_smb_capabilities = -1;
605 static gint ett_smb_aflags = -1;
606 static gint ett_smb_dialect = -1;
607 static gint ett_smb_dialects = -1;
608 static gint ett_smb_mode = -1;
609 static gint ett_smb_rawmode = -1;
610 static gint ett_smb_flags = -1;
611 static gint ett_smb_flags2 = -1;
612 static gint ett_smb_desiredaccess = -1;
613 static gint ett_smb_search = -1;
614 static gint ett_smb_file = -1;
615 static gint ett_smb_openfunction = -1;
616 static gint ett_smb_filetype = -1;
617 static gint ett_smb_openaction = -1;
618 static gint ett_smb_writemode = -1;
619 static gint ett_smb_lock_type = -1;
620 static gint ett_smb_ssetupandxaction = -1;
621 static gint ett_smb_optionsup = -1;
622 static gint ett_smb_time_date = -1;
623 static gint ett_smb_move_copy_flags = -1;
624 static gint ett_smb_file_attributes = -1;
625 static gint ett_smb_search_resume_key = -1;
626 static gint ett_smb_search_dir_info = -1;
627 static gint ett_smb_unlocks = -1;
628 static gint ett_smb_unlock = -1;
629 static gint ett_smb_locks = -1;
630 static gint ett_smb_lock = -1;
631 static gint ett_smb_open_flags = -1;
632 static gint ett_smb_ipc_state = -1;
633 static gint ett_smb_open_action = -1;
634 static gint ett_smb_setup_action = -1;
635 static gint ett_smb_connect_flags = -1;
636 static gint ett_smb_connect_support_bits = -1;
637 static gint ett_smb_nt_access_mask = -1;
638 static gint ett_smb_nt_create_bits = -1;
639 static gint ett_smb_nt_create_options = -1;
640 static gint ett_smb_nt_share_access = -1;
641 static gint ett_smb_nt_security_flags = -1;
642 static gint ett_smb_nt_trans_setup = -1;
643 static gint ett_smb_nt_trans_data = -1;
644 static gint ett_smb_nt_trans_param = -1;
645 static gint ett_smb_nt_notify_completion_filter = -1;
646 static gint ett_smb_nt_ioctl_flags = -1;
647 static gint ett_smb_security_information_mask = -1;
648 static gint ett_smb_print_queue_entry = -1;
649 static gint ett_smb_transaction_flags = -1;
650 static gint ett_smb_transaction_params = -1;
651 static gint ett_smb_find_first2_flags = -1;
652 static gint ett_smb_mac_support_flags = -1;
654 static gint ett_smb_ioflag = -1;
656 static gint ett_smb_transaction_data = -1;
657 static gint ett_smb_stream_info = -1;
658 static gint ett_smb_dfs_referrals = -1;
659 static gint ett_smb_dfs_referral = -1;
660 static gint ett_smb_dfs_referral_flags = -1;
661 static gint ett_smb_get_dfs_flags = -1;
662 static gint ett_smb_ff2_data = -1;
663 static gint ett_smb_device_characteristics = -1;
664 static gint ett_smb_fs_attributes = -1;
665 static gint ett_smb_segments = -1;
666 static gint ett_smb_segment = -1;
667 static gint ett_smb_sec_desc = -1;
668 static gint ett_smb_sid = -1;
669 static gint ett_smb_acl = -1;
670 static gint ett_smb_ace = -1;
671 static gint ett_smb_ace_flags = -1;
672 static gint ett_smb_sec_desc_type = -1;
673 static gint ett_smb_quotaflags = -1;
674 static gint ett_smb_secblob = -1;
677 static int smb_tap = -1;
679 static dissector_handle_t gssapi_handle = NULL;
680 static dissector_handle_t ntlmssp_handle = NULL;
682 static const fragment_items smb_frag_items = {
688 &hf_smb_segment_overlap,
689 &hf_smb_segment_overlap_conflict,
690 &hf_smb_segment_multiple_tails,
691 &hf_smb_segment_too_long_fragment,
692 &hf_smb_segment_error,
697 proto_tree *top_tree=NULL; /* ugly */
699 static char *decode_smb_name(unsigned char);
700 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
703 * Macros for use in the main dissector routines for an SMB.
708 wc = tvb_get_guint8(tvb, offset); \
709 proto_tree_add_uint(tree, hf_smb_word_count, \
710 tvb, offset, 1, wc); \
712 if(wc==0) goto bytecount;
716 bc = tvb_get_letohs(tvb, offset); \
717 proto_tree_add_uint(tree, hf_smb_byte_count, \
718 tvb, offset, 2, bc); \
720 if(bc==0) goto endofcommand;
722 #define CHECK_BYTE_COUNT(len) \
723 if (bc < len) goto endofcommand;
725 #define COUNT_BYTES(len) {\
734 proto_tree_add_text(tree, tvb, offset, bc, \
735 "Extra byte parameters"); \
741 * Macros for use in routines called by them.
743 #define CHECK_BYTE_COUNT_SUBR(len) \
749 #define CHECK_STRING_SUBR(fn) \
755 #define COUNT_BYTES_SUBR(len) \
760 * Macros for use when dissecting transaction parameters and data
762 #define CHECK_BYTE_COUNT_TRANS(len) \
763 if (bc < len) return offset;
765 #define CHECK_STRING_TRANS(fn) \
766 if (fn == NULL) return offset;
768 #define COUNT_BYTES_TRANS(len) \
773 * Macros for use in subrroutines dissecting transaction parameters or data
775 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
776 if (*bcp < len) return offset;
778 #define CHECK_STRING_TRANS_SUBR(fn) \
779 if (fn == NULL) return offset;
781 #define COUNT_BYTES_TRANS_SUBR(len) \
786 gboolean sid_name_snooping = FALSE;
788 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
789 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
790 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
791 static gboolean smb_trans_reassembly = FALSE;
792 gboolean smb_dcerpc_reassembly = FALSE;
794 static GHashTable *smb_trans_fragment_table = NULL;
797 smb_trans_reassembly_init(void)
799 fragment_table_init(&smb_trans_fragment_table);
802 static fragment_data *
803 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
804 int offset, int count, int pos, int totlen)
806 fragment_data *fd_head=NULL;
810 more_frags=totlen>(pos+count);
812 si = (smb_info_t *)pinfo->private_data;
813 if (si->sip == NULL) {
815 * We don't have the frame number of the request.
817 * XXX - is there truly nothing we can do here?
818 * Can we not separately keep track of the original
819 * transaction and its continuations, as we did
822 * It is probably not much point in even trying to do something here
823 * if we have never seen the initial request. Without the initial
824 * request we probably miss all parameters and the begining of data
825 * so we cant even call a subdissector since we can not determine
826 * which type of transaction call this is.
831 if(!pinfo->fd->flags.visited){
832 fd_head = fragment_add(tvb, offset, pinfo,
833 si->sip->frame_req, smb_trans_fragment_table,
834 pos, count, more_frags);
836 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
839 /* we only show the defragmented packet for the first fragment,
840 or else we might end up with dissecting one HUGE transaction PDU
841 a LOT of times. (first fragment is the only one containing the setup
843 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
844 SMBs. Takes a LOT of time dissecting and is not fun.
846 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
857 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
858 These variables and functions are used to match
860 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
862 * The information we need to save about a request in order to show the
863 * frame number of the request in the dissection of the reply.
868 } smb_saved_info_key_t;
870 static GMemChunk *smb_saved_info_key_chunk = NULL;
871 static GMemChunk *smb_saved_info_chunk = NULL;
872 static int smb_saved_info_init_count = 200;
874 /* unmatched smb_saved_info structures.
875 For unmatched smb_saved_info structures we store the smb_saved_info
876 structure using the MID and the PID as the key.
878 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
879 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
880 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
883 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
885 register guint32 key1 = (guint32)k1;
886 register guint32 key2 = (guint32)k2;
890 smb_saved_info_hash_unmatched(gconstpointer k)
892 register guint32 key = (guint32)k;
896 /* matched smb_saved_info structures.
897 For matched smb_saved_info structures we store the smb_saved_info
898 structure twice in the table using the frame number, and a combination
899 of the MID and the PID, as the key.
900 The frame number is guaranteed to be unique but if ever someone makes
901 some change that will renumber the frames in a capture we are in BIG trouble.
902 This is not likely though since that would break (among other things) all the
903 reassembly routines as well.
905 We also need the MID as there may be more than one SMB request or reply
906 in a single frame, and we also need the PID as there may be more than
907 one outstanding request with the same MID and different PIDs.
910 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
912 const smb_saved_info_key_t *key1 = k1;
913 const smb_saved_info_key_t *key2 = k2;
914 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
917 smb_saved_info_hash_matched(gconstpointer k)
919 const smb_saved_info_key_t *key = k;
920 return key->frame + key->pid_mid;
923 static GMemChunk *smb_nt_transact_info_chunk = NULL;
924 static int smb_nt_transact_info_init_count = 200;
926 static GMemChunk *smb_transact2_info_chunk = NULL;
927 static int smb_transact2_info_init_count = 200;
930 * The information we need to save about a Transaction request in order
931 * to dissect the reply; this includes information for use by the
932 * Remote API dissector.
934 static GMemChunk *smb_transact_info_chunk = NULL;
935 static int smb_transact_info_init_count = 200;
937 static GMemChunk *conv_tables_chunk = NULL;
938 static GSList *conv_tables = NULL;
939 static int conv_tables_count = 10;
942 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
943 End of request/response matching functions
944 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
946 static const value_string buffer_format_vals[] = {
951 {5, "Variable Block"},
956 * UTIME - this is *almost* like a UNIX time stamp, except that it's
957 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
958 * January 1, 1970, 00:00:00 GMT.
960 * This means we have to do some extra work to convert it. This code is
961 * based on the Samba code:
963 * Unix SMB/Netbios implementation.
965 * time handling functions
966 * Copyright (C) Andrew Tridgell 1992-1998
970 * Yield the difference between *A and *B, in seconds, ignoring leap
973 #define TM_YEAR_BASE 1900
976 tm_diff(struct tm *a, struct tm *b)
978 int ay = a->tm_year + (TM_YEAR_BASE - 1);
979 int by = b->tm_year + (TM_YEAR_BASE - 1);
980 int intervening_leap_days =
981 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
984 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
985 int hours = 24*days + (a->tm_hour - b->tm_hour);
986 int minutes = 60*hours + (a->tm_min - b->tm_min);
987 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
993 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
999 struct tm *tm = gmtime(&t);
1008 return tm_diff(&tm_utc,tm);
1012 * Return the same value as TimeZone, but it should be more efficient.
1014 * We keep a table of DST offsets to prevent calling localtime() on each
1015 * call of this function. This saves a LOT of time on many unixes.
1017 * Updated by Paul Eggert <eggert@twinsun.com>
1024 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1025 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
1028 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
1032 TimeZoneFaster(time_t t)
1034 static struct dst_table {time_t start,end; int zone;} *tdt;
1035 static struct dst_table *dst_table = NULL;
1036 static int table_size = 0;
1043 /* Tunis has a 8 day DST region, we need to be careful ... */
1044 #define MAX_DST_WIDTH (365*24*60*60)
1045 #define MAX_DST_SKIP (7*24*60*60)
1047 for (i = 0; i < table_size; i++) {
1048 if (t >= dst_table[i].start && t <= dst_table[i].end)
1052 if (i < table_size) {
1053 zone = dst_table[i].zone;
1058 if (dst_table == NULL)
1059 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1061 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1070 dst_table[i].zone = zone;
1071 dst_table[i].start = dst_table[i].end = t;
1073 /* no entry will cover more than 6 months */
1074 low = t - MAX_DST_WIDTH/2;
1078 high = t + MAX_DST_WIDTH/2;
1083 * Widen the new entry using two bisection searches.
1085 while (low+60*60 < dst_table[i].start) {
1086 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1087 t = dst_table[i].start - MAX_DST_SKIP;
1089 t = low + (dst_table[i].start-low)/2;
1090 if (TimeZone(t) == zone)
1091 dst_table[i].start = t;
1096 while (high-60*60 > dst_table[i].end) {
1097 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1098 t = dst_table[i].end + MAX_DST_SKIP;
1100 t = high - (high-dst_table[i].end)/2;
1101 if (TimeZone(t) == zone)
1102 dst_table[i].end = t;
1112 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1113 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1114 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1115 * daylight savings transitions because some local times are ambiguous.
1116 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
1119 LocTimeDiff(time_t lt)
1121 int d = TimeZoneFaster(lt);
1124 /* if overflow occurred, ignore all the adjustments so far */
1125 if (((t < lt) ^ (d < 0)))
1129 * Now t should be close enough to the true UTC to yield the
1132 return TimeZoneFaster(t);
1136 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1141 timeval = tvb_get_letohl(tvb, offset);
1142 if (timeval == 0xffffffff) {
1143 proto_tree_add_text(tree, tvb, offset, 4,
1144 "%s: No time specified (0xffffffff)",
1145 proto_registrar_get_name(hf_date));
1151 * We add the local time offset.
1153 ts.secs = timeval + LocTimeDiff(timeval);
1156 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1162 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1165 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1167 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1168 * midnight "UTC", in 100ns units.
1169 * Return TRUE if the conversion succeeds, FALSE otherwise.
1171 * According to the Samba code, it appears to be kludge-GMT (at least for
1172 * file listings). This means it's the GMT you get by taking a local time
1173 * and adding the server time zone offset. This is NOT the same as GMT in
1174 * some cases. However, we don't know the server time zone, so we don't
1175 * do that adjustment.
1177 * This code is based on the Samba code:
1179 * Unix SMB/Netbios implementation.
1181 * time handling functions
1182 * Copyright (C) Andrew Tridgell 1992-1998
1185 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1188 /* The next two lines are a fix needed for the
1189 broken SCO compiler. JRA. */
1190 time_t l_time_min = TIME_T_MIN;
1191 time_t l_time_max = TIME_T_MAX;
1193 if (filetime_high == 0)
1197 * Get the time as a double, in seconds and fractional seconds.
1199 d = ((double)filetime_high)*4.0*(double)(1<<30);
1203 /* Now adjust by 369 years, to make the seconds since 1970. */
1204 d -= TIME_FIXUP_CONSTANT;
1206 if (!(l_time_min <= d && d <= l_time_max))
1210 * Get the time as seconds and nanoseconds.
1213 tv->nsecs = (d - tv->secs)*1000000000;
1219 dissect_smb_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1221 guint32 filetime_high, filetime_low;
1224 /* XXX there seems also to be another special time value which is fairly common :
1226 the meaning of this one is yet unknown
1229 filetime_low = tvb_get_letohl(tvb, offset);
1230 filetime_high = tvb_get_letohl(tvb, offset + 4);
1231 if (filetime_low == 0 && filetime_high == 0) {
1232 proto_tree_add_text(tree, tvb, offset, 8,
1233 "%s: No time specified (0)",
1234 proto_registrar_get_name(hf_date));
1235 } else if(filetime_low==0 && filetime_high==0x80000000){
1236 proto_tree_add_text(tree, tvb, offset, 8,
1237 "%s: Infinity (relative time)",
1238 proto_registrar_get_name(hf_date));
1239 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1240 proto_tree_add_text(tree, tvb, offset, 8,
1241 "%s: Infinity (absolute time)",
1242 proto_registrar_get_name(hf_date));
1244 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1245 proto_tree_add_time(tree, hf_date, tvb,
1248 proto_tree_add_text(tree, tvb, offset, 8,
1249 "%s: Time can't be converted",
1250 proto_registrar_get_name(hf_date));
1260 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1261 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1263 guint16 dos_time, dos_date;
1264 proto_item *item = NULL;
1265 proto_tree *tree = NULL;
1268 static const int mday_noleap[12] = {
1269 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1271 static const int mday_leap[12] = {
1272 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1274 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1278 dos_time = tvb_get_letohs(tvb, offset);
1279 dos_date = tvb_get_letohs(tvb, offset+2);
1281 dos_date = tvb_get_letohs(tvb, offset);
1282 dos_time = tvb_get_letohs(tvb, offset+2);
1285 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1286 (dos_date == 0 && dos_time == 0)) {
1288 * No date/time specified.
1291 proto_tree_add_text(parent_tree, tvb, offset, 4,
1292 "%s: No time specified (0x%08x)",
1293 proto_registrar_get_name(hf_date),
1294 (dos_date << 16) | dos_time);
1300 tm.tm_sec = (dos_time&0x1f)*2;
1301 tm.tm_min = (dos_time>>5)&0x3f;
1302 tm.tm_hour = (dos_time>>11)&0x1f;
1303 tm.tm_mday = dos_date&0x1f;
1304 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1305 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1309 * Do some sanity checks before calling "mktime()";
1310 * "mktime()" doesn't do them, it "normalizes" out-of-range
1313 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1314 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1315 (ISLEAP(tm.tm_year + 1900) ?
1316 tm.tm_mday > mday_leap[tm.tm_mon] :
1317 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1318 (t = mktime(&tm)) == -1) {
1320 * Invalid date/time.
1323 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1325 proto_registrar_get_name(hf_date));
1326 tree = proto_item_add_subtree(item, ett_smb_time_date);
1328 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1329 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1331 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1332 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1343 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1344 tree = proto_item_add_subtree(item, ett_smb_time_date);
1346 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1347 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1349 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1350 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1360 static const value_string da_access_vals[] = {
1361 { 0, "Open for reading"},
1362 { 1, "Open for writing"},
1363 { 2, "Open for reading and writing"},
1364 { 3, "Open for execute"},
1367 static const value_string da_sharing_vals[] = {
1368 { 0, "Compatibility mode"},
1369 { 1, "Deny read/write/execute (exclusive)"},
1371 { 3, "Deny read/execute"},
1375 static const value_string da_locality_vals[] = {
1376 { 0, "Locality of reference unknown"},
1377 { 1, "Mainly sequential access"},
1378 { 2, "Mainly random access"},
1379 { 3, "Random access with some locality"},
1382 static const true_false_string tfs_da_caching = {
1383 "Do not cache this file",
1384 "Caching permitted on this file"
1386 static const true_false_string tfs_da_writetru = {
1387 "Write through enabled",
1388 "Write through disabled"
1391 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, char *type)
1394 proto_item *item = NULL;
1395 proto_tree *tree = NULL;
1397 mask = tvb_get_letohs(tvb, offset);
1400 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1401 "%s Access: 0x%04x", type, mask);
1402 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1405 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1406 tvb, offset, 2, mask);
1407 proto_tree_add_boolean(tree, hf_smb_access_caching,
1408 tvb, offset, 2, mask);
1409 proto_tree_add_uint(tree, hf_smb_access_locality,
1410 tvb, offset, 2, mask);
1411 proto_tree_add_uint(tree, hf_smb_access_sharing,
1412 tvb, offset, 2, mask);
1413 proto_tree_add_uint(tree, hf_smb_access_mode,
1414 tvb, offset, 2, mask);
1421 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1422 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1423 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1424 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1425 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1426 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1427 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1428 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1429 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1430 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1431 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1432 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1433 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1434 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1435 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1437 static const true_false_string tfs_file_attribute_read_only = {
1438 "This file is READ ONLY",
1439 "This file is NOT read only",
1441 static const true_false_string tfs_file_attribute_hidden = {
1442 "This is a HIDDEN file",
1443 "This is NOT a hidden file"
1445 static const true_false_string tfs_file_attribute_system = {
1446 "This is a SYSTEM file",
1447 "This is NOT a system file"
1449 static const true_false_string tfs_file_attribute_volume = {
1450 "This is a VOLUME ID",
1451 "This is NOT a volume ID"
1453 static const true_false_string tfs_file_attribute_directory = {
1454 "This is a DIRECTORY",
1455 "This is NOT a directory"
1457 static const true_false_string tfs_file_attribute_archive = {
1458 "This file has been modified since last ARCHIVE",
1459 "This file has NOT been modified since last archive"
1461 static const true_false_string tfs_file_attribute_device = {
1463 "This is NOT a device"
1465 static const true_false_string tfs_file_attribute_normal = {
1466 "This file is an ordinary file",
1467 "This file has some attribute set"
1469 static const true_false_string tfs_file_attribute_temporary = {
1470 "This is a TEMPORARY file",
1471 "This is NOT a temporary file"
1473 static const true_false_string tfs_file_attribute_sparse = {
1474 "This is a SPARSE file",
1475 "This is NOT a sparse file"
1477 static const true_false_string tfs_file_attribute_reparse = {
1478 "This file has an associated REPARSE POINT",
1479 "This file does NOT have an associated reparse point"
1481 static const true_false_string tfs_file_attribute_compressed = {
1482 "This is a COMPRESSED file",
1483 "This is NOT a compressed file"
1485 static const true_false_string tfs_file_attribute_offline = {
1486 "This file is OFFLINE",
1487 "This file is NOT offline"
1489 static const true_false_string tfs_file_attribute_not_content_indexed = {
1490 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1491 "This file MAY be indexed by the content indexing service"
1493 static const true_false_string tfs_file_attribute_encrypted = {
1494 "This is an ENCRYPTED file",
1495 "This is NOT an encrypted file"
1499 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1500 * listed as USHORT, and seem to be in packets in the wild, while in other
1501 * places they are listed as ULONG, and also seem to be.
1503 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
1508 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1512 proto_item *item = NULL;
1513 proto_tree *tree = NULL;
1515 if (bytes != 2 && bytes != 4) {
1517 fprintf(stderr, "Incorrect number of bytes passed to dissect_file_attributes.\nMust be 2 or 4, was %d\n", bytes);
1523 * The actual bits of interest appear to only be a USHORT
1525 /* FIXME if this ever changes! */
1526 mask = tvb_get_letohs(tvb, offset);
1529 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1530 "File Attributes: 0x%08x", mask);
1531 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1533 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1534 tvb, offset, bytes, mask);
1535 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1536 tvb, offset, bytes, mask);
1537 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1538 tvb, offset, bytes, mask);
1539 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1540 tvb, offset, bytes, mask);
1541 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1542 tvb, offset, bytes, mask);
1543 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1544 tvb, offset, bytes, mask);
1545 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1546 tvb, offset, bytes, mask);
1547 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1548 tvb, offset, bytes, mask);
1549 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1550 tvb, offset, bytes, mask);
1551 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1552 tvb, offset, bytes, mask);
1553 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1554 tvb, offset, bytes, mask);
1555 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1556 tvb, offset, bytes, mask);
1557 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1558 tvb, offset, bytes, mask);
1559 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1560 tvb, offset, bytes, mask);
1561 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1562 tvb, offset, bytes, mask);
1571 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1574 proto_item *item = NULL;
1575 proto_tree *tree = NULL;
1577 mask = tvb_get_letohl(tvb, offset);
1580 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1581 "File Attributes: 0x%08x", mask);
1582 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1586 * XXX - Network Monitor disagrees on some of the
1587 * bits, e.g. the bits above temporary are "atomic write"
1588 * and "transaction write", and it says nothing about the
1591 * Does the Win32 API documentation, or the NT Native API book,
1594 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1595 tvb, offset, 4, mask);
1596 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1597 tvb, offset, 4, mask);
1598 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1599 tvb, offset, 4, mask);
1600 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1601 tvb, offset, 4, mask);
1602 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1603 tvb, offset, 4, mask);
1604 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1605 tvb, offset, 4, mask);
1606 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1607 tvb, offset, 4, mask);
1608 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1609 tvb, offset, 4, mask);
1610 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1611 tvb, offset, 4, mask);
1612 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1613 tvb, offset, 4, mask);
1614 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1615 tvb, offset, 4, mask);
1616 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1617 tvb, offset, 4, mask);
1618 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1619 tvb, offset, 4, mask);
1620 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1621 tvb, offset, 4, mask);
1622 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1623 tvb, offset, 4, mask);
1631 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1634 proto_item *item = NULL;
1635 proto_tree *tree = NULL;
1637 mask = tvb_get_guint8(tvb, offset);
1640 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1641 "File Attributes: 0x%02x", mask);
1642 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1644 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1645 tvb, offset, 1, mask);
1646 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1647 tvb, offset, 1, mask);
1648 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1649 tvb, offset, 1, mask);
1650 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1651 tvb, offset, 1, mask);
1652 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1653 tvb, offset, 1, mask);
1654 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1655 tvb, offset, 1, mask);
1662 static const true_false_string tfs_search_attribute_read_only = {
1663 "Include READ ONLY files in search results",
1664 "Do NOT include read only files in search results",
1666 static const true_false_string tfs_search_attribute_hidden = {
1667 "Include HIDDEN files in search results",
1668 "Do NOT include hidden files in search results"
1670 static const true_false_string tfs_search_attribute_system = {
1671 "Include SYSTEM files in search results",
1672 "Do NOT include system files in search results"
1674 static const true_false_string tfs_search_attribute_volume = {
1675 "Include VOLUME IDs in search results",
1676 "Do NOT include volume IDs in search results"
1678 static const true_false_string tfs_search_attribute_directory = {
1679 "Include DIRECTORIES in search results",
1680 "Do NOT include directories in search results"
1682 static const true_false_string tfs_search_attribute_archive = {
1683 "Include ARCHIVE files in search results",
1684 "Do NOT include archive files in search results"
1688 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1691 proto_item *item = NULL;
1692 proto_tree *tree = NULL;
1694 mask = tvb_get_letohs(tvb, offset);
1697 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1698 "Search Attributes: 0x%04x", mask);
1699 tree = proto_item_add_subtree(item, ett_smb_search);
1702 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1703 tvb, offset, 2, mask);
1704 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1705 tvb, offset, 2, mask);
1706 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1707 tvb, offset, 2, mask);
1708 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1709 tvb, offset, 2, mask);
1710 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1711 tvb, offset, 2, mask);
1712 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1713 tvb, offset, 2, mask);
1721 * XXX - this isn't used.
1722 * Is this used for anything? NT Create AndX doesn't use it.
1723 * Is there some 16-bit attribute field with more bits than Read Only,
1724 * Hidden, System, Volume ID, Directory, and Archive?
1727 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1730 proto_item *item = NULL;
1731 proto_tree *tree = NULL;
1733 mask = tvb_get_letohl(tvb, offset);
1736 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1737 "File Attributes: 0x%08x", mask);
1738 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1740 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1741 tvb, offset, 2, mask);
1742 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1743 tvb, offset, 2, mask);
1744 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1745 tvb, offset, 2, mask);
1746 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1747 tvb, offset, 2, mask);
1748 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1749 tvb, offset, 2, mask);
1750 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1751 tvb, offset, 2, mask);
1752 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1753 tvb, offset, 2, mask);
1754 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1755 tvb, offset, 2, mask);
1756 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1757 tvb, offset, 2, mask);
1758 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1759 tvb, offset, 2, mask);
1760 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1761 tvb, offset, 2, mask);
1762 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1763 tvb, offset, 2, mask);
1764 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1765 tvb, offset, 2, mask);
1766 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1767 tvb, offset, 2, mask);
1768 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1769 tvb, offset, 2, mask);
1778 #define SERVER_CAP_RAW_MODE 0x00000001
1779 #define SERVER_CAP_MPX_MODE 0x00000002
1780 #define SERVER_CAP_UNICODE 0x00000004
1781 #define SERVER_CAP_LARGE_FILES 0x00000008
1782 #define SERVER_CAP_NT_SMBS 0x00000010
1783 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1784 #define SERVER_CAP_STATUS32 0x00000040
1785 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1786 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1787 #define SERVER_CAP_NT_FIND 0x00000200
1788 #define SERVER_CAP_DFS 0x00001000
1789 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1790 #define SERVER_CAP_LARGE_READX 0x00004000
1791 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1792 #define SERVER_CAP_UNIX 0x00800000
1793 #define SERVER_CAP_RESERVED 0x02000000
1794 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1795 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1796 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1797 static const true_false_string tfs_server_cap_raw_mode = {
1798 "Read Raw and Write Raw are supported",
1799 "Read Raw and Write Raw are not supported"
1801 static const true_false_string tfs_server_cap_mpx_mode = {
1802 "Read Mpx and Write Mpx are supported",
1803 "Read Mpx and Write Mpx are not supported"
1805 static const true_false_string tfs_server_cap_unicode = {
1806 "Unicode strings are supported",
1807 "Unicode strings are not supported"
1809 static const true_false_string tfs_server_cap_large_files = {
1810 "Large files are supported",
1811 "Large files are not supported",
1813 static const true_false_string tfs_server_cap_nt_smbs = {
1814 "NT SMBs are supported",
1815 "NT SMBs are not supported"
1817 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1818 "RPC remote APIs are supported",
1819 "RPC remote APIs are not supported"
1821 static const true_false_string tfs_server_cap_nt_status = {
1822 "NT status codes are supported",
1823 "NT status codes are not supported"
1825 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1826 "Level 2 oplocks are supported",
1827 "Level 2 oplocks are not supported"
1829 static const true_false_string tfs_server_cap_lock_and_read = {
1830 "Lock and Read is supported",
1831 "Lock and Read is not supported"
1833 static const true_false_string tfs_server_cap_nt_find = {
1834 "NT Find is supported",
1835 "NT Find is not supported"
1837 static const true_false_string tfs_server_cap_dfs = {
1839 "Dfs is not supported"
1841 static const true_false_string tfs_server_cap_infolevel_passthru = {
1842 "NT information level request passthrough is supported",
1843 "NT information level request passthrough is not supported"
1845 static const true_false_string tfs_server_cap_large_readx = {
1846 "Large Read andX is supported",
1847 "Large Read andX is not supported"
1849 static const true_false_string tfs_server_cap_large_writex = {
1850 "Large Write andX is supported",
1851 "Large Write andX is not supported"
1853 static const true_false_string tfs_server_cap_unix = {
1854 "UNIX extensions are supported",
1855 "UNIX extensions are not supported"
1857 static const true_false_string tfs_server_cap_reserved = {
1861 static const true_false_string tfs_server_cap_bulk_transfer = {
1862 "Bulk Read and Bulk Write are supported",
1863 "Bulk Read and Bulk Write are not supported"
1865 static const true_false_string tfs_server_cap_compressed_data = {
1866 "Compressed data transfer is supported",
1867 "Compressed data transfer is not supported"
1869 static const true_false_string tfs_server_cap_extended_security = {
1870 "Extended security exchanges are supported",
1871 "Extended security exchanges are not supported"
1874 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1877 proto_item *item = NULL;
1878 proto_tree *tree = NULL;
1880 mask = tvb_get_letohl(tvb, offset);
1883 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1884 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1887 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1888 tvb, offset, 4, mask);
1889 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1890 tvb, offset, 4, mask);
1891 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1892 tvb, offset, 4, mask);
1893 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1894 tvb, offset, 4, mask);
1895 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1896 tvb, offset, 4, mask);
1897 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1898 tvb, offset, 4, mask);
1899 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1900 tvb, offset, 4, mask);
1901 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1902 tvb, offset, 4, mask);
1903 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1904 tvb, offset, 4, mask);
1905 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1906 tvb, offset, 4, mask);
1907 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1908 tvb, offset, 4, mask);
1909 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1910 tvb, offset, 4, mask);
1911 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1912 tvb, offset, 4, mask);
1913 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1914 tvb, offset, 4, mask);
1915 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1916 tvb, offset, 4, mask);
1917 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1918 tvb, offset, 4, mask);
1919 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1920 tvb, offset, 4, mask);
1921 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1922 tvb, offset, 4, mask);
1923 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1924 tvb, offset, 4, mask);
1929 #define RAWMODE_READ 0x01
1930 #define RAWMODE_WRITE 0x02
1931 static const true_false_string tfs_rm_read = {
1932 "Read Raw is supported",
1933 "Read Raw is not supported"
1935 static const true_false_string tfs_rm_write = {
1936 "Write Raw is supported",
1937 "Write Raw is not supported"
1941 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1944 proto_item *item = NULL;
1945 proto_tree *tree = NULL;
1947 mask = tvb_get_letohs(tvb, offset);
1950 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1951 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1954 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1955 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
1962 #define SECURITY_MODE_MODE 0x01
1963 #define SECURITY_MODE_PASSWORD 0x02
1964 #define SECURITY_MODE_SIGNATURES 0x04
1965 #define SECURITY_MODE_SIG_REQUIRED 0x08
1966 static const true_false_string tfs_sm_mode = {
1967 "USER security mode",
1968 "SHARE security mode"
1970 static const true_false_string tfs_sm_password = {
1971 "ENCRYPTED password. Use challenge/response",
1972 "PLAINTEXT password"
1974 static const true_false_string tfs_sm_signatures = {
1975 "Security signatures ENABLED",
1976 "Security signatures NOT enabled"
1978 static const true_false_string tfs_sm_sig_required = {
1979 "Security signatures REQUIRED",
1980 "Security signatures NOT required"
1984 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
1987 proto_item *item = NULL;
1988 proto_tree *tree = NULL;
1992 mask = tvb_get_letohs(tvb, offset);
1993 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1994 "Security Mode: 0x%04x", mask);
1995 tree = proto_item_add_subtree(item, ett_smb_mode);
1996 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
1997 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
2002 mask = tvb_get_guint8(tvb, offset);
2003 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2004 "Security Mode: 0x%02x", mask);
2005 tree = proto_item_add_subtree(item, ett_smb_mode);
2006 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
2007 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
2008 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
2009 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
2018 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2020 proto_item *it = NULL;
2021 proto_tree *tr = NULL;
2030 it = proto_tree_add_text(tree, tvb, offset, bc,
2031 "Requested Dialects");
2032 tr = proto_item_add_subtree(it, ett_smb_dialects);
2038 proto_item *dit = NULL;
2039 proto_tree *dtr = NULL;
2041 /* XXX - what if this runs past bc? */
2042 len = tvb_strsize(tvb, offset+1);
2043 str = tvb_get_ptr(tvb, offset+1, len);
2046 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2047 "Dialect: %s", str);
2048 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2052 CHECK_BYTE_COUNT(1);
2053 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2058 CHECK_BYTE_COUNT(len);
2059 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
2070 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2072 smb_info_t *si = pinfo->private_data;
2085 dialect = tvb_get_letohs(tvb, offset);
2088 if(dialect==0xffff){
2089 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2090 tvb, offset, 2, dialect,
2091 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2093 proto_tree_add_uint(tree, hf_smb_dialect_index,
2094 tvb, offset, 2, dialect);
2098 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2099 tvb, offset, 2, dialect,
2100 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2103 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2104 tvb, offset, 2, dialect,
2105 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2108 proto_tree_add_text(tree, tvb, offset, wc*2,
2109 "Words for unknown response format");
2118 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2120 /* Maximum Transmit Buffer Size */
2121 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2122 tvb, offset, 2, TRUE);
2125 /* Maximum Multiplex Count */
2126 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2127 tvb, offset, 2, TRUE);
2130 /* Maximum Vcs Number */
2131 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2132 tvb, offset, 2, TRUE);
2136 offset = dissect_negprot_rawmode(tvb, tree, offset);
2139 proto_tree_add_item(tree, hf_smb_session_key,
2140 tvb, offset, 4, TRUE);
2143 /* current time and date at server */
2144 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2148 tz = tvb_get_letohs(tvb, offset);
2149 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2152 /* encryption key length */
2153 ekl = tvb_get_letohs(tvb, offset);
2154 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2157 /* 2 reserved bytes */
2158 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2165 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2167 /* Maximum Multiplex Count */
2168 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2169 tvb, offset, 2, TRUE);
2172 /* Maximum Vcs Number */
2173 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2174 tvb, offset, 2, TRUE);
2177 /* Maximum Transmit Buffer Size */
2178 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2179 tvb, offset, 4, TRUE);
2182 /* maximum raw buffer size */
2183 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2184 tvb, offset, 4, TRUE);
2188 proto_tree_add_item(tree, hf_smb_session_key,
2189 tvb, offset, 4, TRUE);
2192 /* server capabilities */
2193 caps = dissect_negprot_capabilities(tvb, tree, offset);
2197 offset = dissect_smb_64bit_time(tvb, tree, offset,
2198 hf_smb_system_time);
2201 tz = tvb_get_letohs(tvb, offset);
2202 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2204 "Server Time Zone: %d min from UTC", tz);
2207 /* encryption key length */
2208 ekl = tvb_get_guint8(tvb, offset);
2209 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2210 tvb, offset, 1, ekl);
2220 /* challenge/response encryption key */
2222 CHECK_BYTE_COUNT(ekl);
2223 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2230 * XXX - not present if negotiated dialect isn't
2231 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2232 * have to see the request, or assume what dialect strings
2233 * were sent, to determine that.
2235 * Is this something other than a primary domain if the
2236 * negotiated dialect is Windows for Workgroups 3.1a?
2237 * It appears to be 8 bytes of binary data in at least
2238 * one capture - is that an encryption key or something
2241 dn = get_unicode_or_ascii_string(tvb, &offset,
2242 si->unicode, &dn_len, FALSE, FALSE, &bc);
2245 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2247 COUNT_BYTES(dn_len);
2251 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2252 /* challenge/response encryption key */
2253 /* XXX - is this aligned on an even boundary? */
2255 CHECK_BYTE_COUNT(ekl);
2256 proto_tree_add_item(tree, hf_smb_encryption_key,
2257 tvb, offset, ekl, TRUE);
2262 /* this string is special, unicode is flagged in caps */
2263 /* This string is NOT padded to be 16bit aligned.
2264 (seen in actual capture)
2265 XXX - I've seen a capture where it appears to be
2266 so aligned, but I've also seen captures where
2267 it is. The captures where it appeared to be
2268 aligned may have been from buggy servers. */
2269 /* However, don't get rid of existing setting */
2270 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2273 dn = get_unicode_or_ascii_string(tvb,
2274 &offset, si->unicode, &dn_len, TRUE, FALSE,
2278 proto_tree_add_string(tree, hf_smb_primary_domain,
2279 tvb, offset, dn_len, dn);
2280 COUNT_BYTES(dn_len);
2282 /* server name, seen in w2k pro capture */
2283 dn = get_unicode_or_ascii_string(tvb,
2284 &offset, si->unicode, &dn_len, TRUE, FALSE,
2288 proto_tree_add_string(tree, hf_smb_server,
2289 tvb, offset, dn_len, dn);
2290 COUNT_BYTES(dn_len);
2293 proto_item *blob_item;
2296 /* XXX - show it in the standard Microsoft format
2298 CHECK_BYTE_COUNT(16);
2299 proto_tree_add_item(tree, hf_smb_server_guid,
2300 tvb, offset, 16, TRUE);
2303 blob_item = proto_tree_add_item(
2304 tree, hf_smb_security_blob,
2305 tvb, offset, bc, TRUE);
2309 * If Extended security and BCC == 16, then raw
2310 * NTLMSSP is in use. We need to save this info
2314 tvbuff_t *gssapi_tvb;
2315 proto_tree *gssapi_tree;
2317 gssapi_tree = proto_item_add_subtree(
2318 blob_item, ett_smb_secblob);
2320 gssapi_tvb = tvb_new_subset(
2321 tvb, offset, bc, bc);
2324 gssapi_handle, gssapi_tvb, pinfo,
2328 si->ct->raw_ntlmssp = 0;
2335 * There is no blob. We just have to make sure
2336 * that subsequent routines know to call the
2341 si->ct->raw_ntlmssp = 1;
2355 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2357 smb_info_t *si = pinfo->private_data;
2368 CHECK_BYTE_COUNT(1);
2369 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2373 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2377 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2379 COUNT_BYTES(dn_len);
2381 if (check_col(pinfo->cinfo, COL_INFO)) {
2382 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
2391 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2406 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2414 ec = tvb_get_letohs(tvb, offset);
2415 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2422 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2432 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2439 /* echo sequence number */
2440 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2447 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2457 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2459 smb_info_t *si = pinfo->private_data;
2470 CHECK_BYTE_COUNT(1);
2471 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2475 an = get_unicode_or_ascii_string(tvb, &offset,
2476 si->unicode, &an_len, FALSE, FALSE, &bc);
2479 proto_tree_add_string(tree, hf_smb_path, tvb,
2480 offset, an_len, an);
2481 COUNT_BYTES(an_len);
2483 if (check_col(pinfo->cinfo, COL_INFO)) {
2484 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2488 CHECK_BYTE_COUNT(1);
2489 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2492 /* password, ANSI */
2493 /* XXX - what if this runs past bc? */
2494 pwlen = tvb_strsize(tvb, offset);
2495 CHECK_BYTE_COUNT(pwlen);
2496 proto_tree_add_item(tree, hf_smb_password,
2497 tvb, offset, pwlen, TRUE);
2501 CHECK_BYTE_COUNT(1);
2502 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2506 an = get_unicode_or_ascii_string(tvb, &offset,
2507 si->unicode, &an_len, FALSE, FALSE, &bc);
2510 proto_tree_add_string(tree, hf_smb_service, tvb,
2511 offset, an_len, an);
2512 COUNT_BYTES(an_len);
2520 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2527 /* Maximum Buffer Size */
2528 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2532 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
2543 static const true_false_string tfs_of_create = {
2544 "Create file if it does not exist",
2545 "Fail if file does not exist"
2547 static const value_string of_open[] = {
2548 { 0, "Fail if file exists"},
2549 { 1, "Open file if it exists"},
2550 { 2, "Truncate file if it exists"},
2554 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2557 proto_item *item = NULL;
2558 proto_tree *tree = NULL;
2560 mask = tvb_get_letohs(tvb, offset);
2563 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2564 "Open Function: 0x%04x", mask);
2565 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2568 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2569 tvb, offset, 2, mask);
2570 proto_tree_add_uint(tree, hf_smb_open_function_open,
2571 tvb, offset, 2, mask);
2579 static const true_false_string tfs_mf_file = {
2580 "Target must be a file",
2581 "Target needn't be a file"
2583 static const true_false_string tfs_mf_dir = {
2584 "Target must be a directory",
2585 "Target needn't be a directory"
2587 static const true_false_string tfs_mf_verify = {
2588 "MUST verify all writes",
2589 "Don't have to verify writes"
2592 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2595 proto_item *item = NULL;
2596 proto_tree *tree = NULL;
2598 mask = tvb_get_letohs(tvb, offset);
2601 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2602 "Flags: 0x%04x", mask);
2603 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2606 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2607 tvb, offset, 2, mask);
2608 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2609 tvb, offset, 2, mask);
2610 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2611 tvb, offset, 2, mask);
2618 static const true_false_string tfs_cf_mode = {
2622 static const true_false_string tfs_cf_tree_copy = {
2623 "Copy is a tree copy",
2624 "Copy is a file copy"
2626 static const true_false_string tfs_cf_ea_action = {
2631 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2634 proto_item *item = NULL;
2635 proto_tree *tree = NULL;
2637 mask = tvb_get_letohs(tvb, offset);
2640 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2641 "Flags: 0x%04x", mask);
2642 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2645 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2646 tvb, offset, 2, mask);
2647 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2648 tvb, offset, 2, mask);
2649 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2650 tvb, offset, 2, mask);
2651 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2652 tvb, offset, 2, mask);
2653 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2654 tvb, offset, 2, mask);
2655 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2656 tvb, offset, 2, mask);
2657 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2658 tvb, offset, 2, mask);
2666 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2668 smb_info_t *si = pinfo->private_data;
2678 tid = tvb_get_letohs(tvb, offset);
2679 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2680 "TID (target): 0x%04x", tid);
2684 offset = dissect_open_function(tvb, tree, offset);
2687 offset = dissect_move_flags(tvb, tree, offset);
2692 CHECK_BYTE_COUNT(1);
2693 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2697 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2701 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2702 fn_len, fn, "Old File Name: %s", fn);
2703 COUNT_BYTES(fn_len);
2705 if (check_col(pinfo->cinfo, COL_INFO)) {
2706 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2710 CHECK_BYTE_COUNT(1);
2711 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2715 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2719 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2720 fn_len, fn, "New File Name: %s", fn);
2721 COUNT_BYTES(fn_len);
2723 if (check_col(pinfo->cinfo, COL_INFO)) {
2724 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2733 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2735 smb_info_t *si = pinfo->private_data;
2745 tid = tvb_get_letohs(tvb, offset);
2746 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2747 "TID (target): 0x%04x", tid);
2751 offset = dissect_open_function(tvb, tree, offset);
2754 offset = dissect_copy_flags(tvb, tree, offset);
2759 CHECK_BYTE_COUNT(1);
2760 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2764 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2768 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2769 fn_len, fn, "Source File Name: %s", fn);
2770 COUNT_BYTES(fn_len);
2772 if (check_col(pinfo->cinfo, COL_INFO)) {
2773 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s", fn);
2777 CHECK_BYTE_COUNT(1);
2778 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2782 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2786 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2787 fn_len, fn, "Destination File Name: %s", fn);
2788 COUNT_BYTES(fn_len);
2790 if (check_col(pinfo->cinfo, COL_INFO)) {
2791 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", fn);
2800 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2802 smb_info_t *si = pinfo->private_data;
2810 /* # of files moved */
2811 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
2817 CHECK_BYTE_COUNT(1);
2818 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2822 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2826 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2828 COUNT_BYTES(fn_len);
2836 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2838 smb_info_t *si = pinfo->private_data;
2846 /* desired access */
2847 offset = dissect_access(tvb, tree, offset, "Desired");
2849 /* Search Attributes */
2850 offset = dissect_search_attributes(tvb, tree, offset);
2855 CHECK_BYTE_COUNT(1);
2856 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2860 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2864 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2866 COUNT_BYTES(fn_len);
2868 if (check_col(pinfo->cinfo, COL_INFO)) {
2869 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2878 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2879 int len, guint16 fid)
2881 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2882 if (check_col(pinfo->cinfo, COL_INFO))
2883 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
2887 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2896 fid = tvb_get_letohs(tvb, offset);
2897 add_fid(tvb, pinfo, tree, offset, 2, fid);
2900 /* File Attributes */
2901 offset = dissect_file_attributes(tvb, tree, offset, 2);
2903 /* last write time */
2904 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
2907 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2910 /* granted access */
2911 offset = dissect_access(tvb, tree, offset, "Granted");
2921 dissect_fid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2930 fid = tvb_get_letohs(tvb, offset);
2931 add_fid(tvb, pinfo, tree, offset, 2, fid);
2942 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2944 smb_info_t *si = pinfo->private_data;
2952 /* file attributes */
2953 offset = dissect_file_attributes(tvb, tree, offset, 2);
2956 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
2961 CHECK_BYTE_COUNT(1);
2962 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2966 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2970 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2972 COUNT_BYTES(fn_len);
2974 if (check_col(pinfo->cinfo, COL_INFO)) {
2975 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2984 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2992 fid = tvb_get_letohs(tvb, offset);
2993 add_fid(tvb, pinfo, tree, offset, 2, fid);
2996 /* last write time */
2997 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3007 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3009 smb_info_t *si = pinfo->private_data;
3017 /* search attributes */
3018 offset = dissect_search_attributes(tvb, tree, offset);
3023 CHECK_BYTE_COUNT(1);
3024 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3028 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3032 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3034 COUNT_BYTES(fn_len);
3036 if (check_col(pinfo->cinfo, COL_INFO)) {
3037 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3046 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3048 smb_info_t *si = pinfo->private_data;
3056 /* search attributes */
3057 offset = dissect_search_attributes(tvb, tree, offset);
3062 CHECK_BYTE_COUNT(1);
3063 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3067 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3071 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3073 COUNT_BYTES(fn_len);
3075 if (check_col(pinfo->cinfo, COL_INFO)) {
3076 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3080 CHECK_BYTE_COUNT(1);
3081 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3085 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3089 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3091 COUNT_BYTES(fn_len);
3093 if (check_col(pinfo->cinfo, COL_INFO)) {
3094 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
3103 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3105 smb_info_t *si = pinfo->private_data;
3113 /* search attributes */
3114 offset = dissect_search_attributes(tvb, tree, offset);
3116 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3119 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3125 CHECK_BYTE_COUNT(1);
3126 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3130 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3134 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3136 COUNT_BYTES(fn_len);
3138 if (check_col(pinfo->cinfo, COL_INFO)) {
3139 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3143 CHECK_BYTE_COUNT(1);
3144 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3148 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3152 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3154 COUNT_BYTES(fn_len);
3156 if (check_col(pinfo->cinfo, COL_INFO)) {
3157 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
3167 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3169 smb_info_t *si = pinfo->private_data;
3180 CHECK_BYTE_COUNT(1);
3181 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3185 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3189 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3191 COUNT_BYTES(fn_len);
3193 if (check_col(pinfo->cinfo, COL_INFO)) {
3194 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3203 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3210 /* File Attributes */
3211 offset = dissect_file_attributes(tvb, tree, offset, 2);
3213 /* Last Write Time */
3214 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3217 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3220 /* 10 reserved bytes */
3221 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3232 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3234 smb_info_t *si = pinfo->private_data;
3242 /* file attributes */
3243 offset = dissect_file_attributes(tvb, tree, offset, 2);
3245 /* last write time */
3246 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3248 /* 10 reserved bytes */
3249 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3255 CHECK_BYTE_COUNT(1);
3256 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3260 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3264 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3266 COUNT_BYTES(fn_len);
3268 if (check_col(pinfo->cinfo, COL_INFO)) {
3269 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3278 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3289 fid = tvb_get_letohs(tvb, offset);
3290 add_fid(tvb, pinfo, tree, offset, 2, fid);
3292 if (!pinfo->fd->flags.visited) {
3293 /* remember the FID for the processing of the response */
3294 si = (smb_info_t *)pinfo->private_data;
3295 si->sip->extra_info=(void *)fid;
3299 cnt = tvb_get_letohs(tvb, offset);
3300 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3304 ofs = tvb_get_letohl(tvb, offset);
3305 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3308 if (check_col(pinfo->cinfo, COL_INFO))
3309 col_append_fstr(pinfo->cinfo, COL_INFO,
3310 ", %u byte%s at offset %u", cnt,
3311 (cnt == 1) ? "" : "s", ofs);
3314 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3325 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3330 /* We have some initial padding bytes. */
3331 /* XXX - use the data offset here instead? */
3332 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3334 offset += bc-datalen;
3337 tvblen = tvb_length_remaining(tvb, offset);
3339 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3342 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
3349 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3350 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3353 tvbuff_t *dcerpc_tvb;
3356 /* We have some initial padding bytes. */
3357 /* XXX - use the data offset here instead? */
3358 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3360 offset += bc-datalen;
3363 tvblen = tvb_length_remaining(tvb, offset);
3364 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3365 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3374 * transporting DCERPC over SMB seems to be implemented in various
3375 * ways. We might just assume it can be done by an almost random
3376 * mix of Trans/Read/Write calls
3378 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
3379 * and let him sort them out
3382 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
3383 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
3384 guint16 datalen, guint32 ofs, guint16 fid)
3386 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3388 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3390 return dissect_file_data_dcerpc(tvb, pinfo, tree,
3391 top_tree, offset, bc, datalen, fid);
3393 /* ordinary file data */
3394 return dissect_file_data(tvb, tree, offset, bc, datalen);
3399 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3403 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3409 cnt = tvb_get_letohs(tvb, offset);
3410 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3413 /* 8 reserved bytes */
3414 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3417 /* If we have seen the request, then print which FID this refers to */
3418 /* first check if we have seen the request */
3419 if(si->sip != NULL && si->sip->frame_req>0){
3420 fid=(int)si->sip->extra_info;
3421 add_fid(tvb, pinfo, tree, 0, 0, fid);
3427 CHECK_BYTE_COUNT(1);
3428 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3432 CHECK_BYTE_COUNT(2);
3433 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3436 /* file data, might be DCERPC on a pipe */
3438 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3439 top_tree, offset, bc, bc, 0, fid);
3449 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3457 cnt = tvb_get_letohs(tvb, offset);
3458 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3461 /* 8 reserved bytes */
3462 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3468 CHECK_BYTE_COUNT(1);
3469 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3473 CHECK_BYTE_COUNT(2);
3474 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3484 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3487 guint16 cnt=0, bc, fid=0;
3493 fid = tvb_get_letohs(tvb, offset);
3494 add_fid(tvb, pinfo, tree, offset, 2, fid);
3498 cnt = tvb_get_letohs(tvb, offset);
3499 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3503 ofs = tvb_get_letohl(tvb, offset);
3504 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3507 if (check_col(pinfo->cinfo, COL_INFO))
3508 col_append_fstr(pinfo->cinfo, COL_INFO,
3509 ", %u byte%s at offset %u", cnt,
3510 (cnt == 1) ? "" : "s", ofs);
3513 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3519 CHECK_BYTE_COUNT(1);
3520 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3524 CHECK_BYTE_COUNT(2);
3525 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3528 /* file data, might be DCERPC on a pipe */
3530 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3531 top_tree, offset, bc, bc, ofs, fid);
3541 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3549 cnt = tvb_get_letohs(tvb, offset);
3550 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3553 if (check_col(pinfo->cinfo, COL_INFO))
3554 col_append_fstr(pinfo->cinfo, COL_INFO,
3555 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
3565 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3573 fid = tvb_get_letohs(tvb, offset);
3574 add_fid(tvb, pinfo, tree, offset, 2, fid);
3578 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3582 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3593 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3595 smb_info_t *si = pinfo->private_data;
3603 /* 2 reserved bytes */
3604 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3608 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3613 CHECK_BYTE_COUNT(1);
3614 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3617 /* directory name */
3618 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3622 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3624 COUNT_BYTES(fn_len);
3626 if (check_col(pinfo->cinfo, COL_INFO)) {
3627 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3636 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3638 smb_info_t *si = pinfo->private_data;
3647 fid = tvb_get_letohs(tvb, offset);
3648 add_fid(tvb, pinfo, tree, offset, 2, fid);
3654 CHECK_BYTE_COUNT(1);
3655 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3659 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3663 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3665 COUNT_BYTES(fn_len);
3672 static const value_string seek_mode_vals[] = {
3673 {0, "From Start Of File"},
3674 {1, "From Current Position"},
3675 {2, "From End Of File"},
3680 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3688 fid = tvb_get_letohs(tvb, offset);
3689 add_fid(tvb, pinfo, tree, offset, 2, fid);
3693 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3697 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3708 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3716 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3727 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3735 fid = tvb_get_letohs(tvb, offset);
3736 add_fid(tvb, pinfo, tree, offset, 2, fid);
3740 offset = dissect_smb_datetime(tvb, tree, offset,
3742 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3745 offset = dissect_smb_datetime(tvb, tree, offset,
3747 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3749 /* last write time */
3750 offset = dissect_smb_datetime(tvb, tree, offset,
3751 hf_smb_last_write_time,
3752 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3762 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3770 offset = dissect_smb_datetime(tvb, tree, offset,
3772 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3775 offset = dissect_smb_datetime(tvb, tree, offset,
3777 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3779 /* last write time */
3780 offset = dissect_smb_datetime(tvb, tree, offset,
3781 hf_smb_last_write_time,
3782 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3785 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3788 /* allocation size */
3789 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3792 /* File Attributes */
3793 offset = dissect_file_attributes(tvb, tree, offset, 2);
3803 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3812 fid = tvb_get_letohs(tvb, offset);
3813 add_fid(tvb, pinfo, tree, offset, 2, fid);
3817 cnt = tvb_get_letohs(tvb, offset);
3818 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3822 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3825 /* last write time */
3826 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3829 /* 12 reserved bytes */
3830 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3837 CHECK_BYTE_COUNT(1);
3838 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
3841 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
3850 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3858 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3869 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3878 fid = tvb_get_letohs(tvb, offset);
3879 add_fid(tvb, pinfo, tree, offset, 2, fid);
3883 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3887 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3891 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3895 to = tvb_get_letohl(tvb, offset);
3896 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3899 /* 2 reserved bytes */
3900 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3905 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3917 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3925 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3929 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3933 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3937 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3940 /* 2 reserved bytes */
3941 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3952 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3960 fid = tvb_get_letohs(tvb, offset);
3961 add_fid(tvb, pinfo, tree, offset, 2, fid);
3965 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3969 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3973 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3976 /* 6 reserved bytes */
3977 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
3988 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3990 guint16 datalen=0, bc;
3996 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4000 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4003 /* 2 reserved bytes */
4004 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4007 /* data compaction mode */
4008 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4011 /* 2 reserved bytes */
4012 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4016 datalen = tvb_get_letohs(tvb, offset);
4017 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4021 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4027 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4036 static const true_false_string tfs_write_mode_write_through = {
4037 "WRITE THROUGH requested",
4038 "Write through not requested"
4040 static const true_false_string tfs_write_mode_return_remaining = {
4041 "RETURN REMAINING (pipe/dev) requested",
4042 "DON'T return remaining (pipe/dev)"
4044 static const true_false_string tfs_write_mode_raw = {
4045 "Use WriteRawNamedPipe (pipe)",
4046 "DON'T use WriteRawNamedPipe (pipe)"
4048 static const true_false_string tfs_write_mode_message_start = {
4049 "This is the START of a MESSAGE (pipe)",
4050 "This is NOT the start of a message (pipe)"
4052 static const true_false_string tfs_write_mode_connectionless = {
4053 "CONNECTIONLESS mode requested",
4054 "Connectionless mode NOT requested"
4057 #define WRITE_MODE_CONNECTIONLESS 0x0080
4058 #define WRITE_MODE_MESSAGE_START 0x0008
4059 #define WRITE_MODE_RAW 0x0004
4060 #define WRITE_MODE_RETURN_REMAINING 0x0002
4061 #define WRITE_MODE_WRITE_THROUGH 0x0001
4064 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4067 proto_item *item = NULL;
4068 proto_tree *tree = NULL;
4070 mask = tvb_get_letohs(tvb, offset);
4073 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4074 "Write Mode: 0x%04x", mask);
4075 tree = proto_item_add_subtree(item, ett_smb_rawmode);
4078 if(bm&WRITE_MODE_CONNECTIONLESS){
4079 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4080 tvb, offset, 2, mask);
4082 if(bm&WRITE_MODE_MESSAGE_START){
4083 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4084 tvb, offset, 2, mask);
4086 if(bm&WRITE_MODE_RAW){
4087 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4088 tvb, offset, 2, mask);
4090 if(bm&WRITE_MODE_RETURN_REMAINING){
4091 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4092 tvb, offset, 2, mask);
4094 if(bm&WRITE_MODE_WRITE_THROUGH){
4095 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4096 tvb, offset, 2, mask);
4104 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4107 guint16 datalen=0, bc, fid;
4113 fid = tvb_get_letohs(tvb, offset);
4114 add_fid(tvb, pinfo, tree, offset, 2, fid);
4117 /* total data length */
4118 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4121 /* 2 reserved bytes */
4122 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4126 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4130 to = tvb_get_letohl(tvb, offset);
4131 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4135 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4137 /* 4 reserved bytes */
4138 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4142 datalen = tvb_get_letohs(tvb, offset);
4143 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4147 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4153 /* XXX - use the data offset to determine where the data starts? */
4154 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4163 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4171 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4182 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4185 guint16 datalen=0, bc, fid;
4191 fid = tvb_get_letohs(tvb, offset);
4192 add_fid(tvb, pinfo, tree, offset, 2, fid);
4195 /* total data length */
4196 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4199 /* 2 reserved bytes */
4200 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4204 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4208 to = tvb_get_letohl(tvb, offset);
4209 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4213 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
4216 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
4220 datalen = tvb_get_letohs(tvb, offset);
4221 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4225 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4231 /* XXX - use the data offset to determine where the data starts? */
4232 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4241 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4249 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
4260 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4268 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
4279 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4280 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4281 gboolean has_find_id)
4283 proto_item *item = NULL;
4284 proto_tree *tree = NULL;
4285 smb_info_t *si = pinfo->private_data;
4291 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4293 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4297 CHECK_BYTE_COUNT_SUBR(1);
4298 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4299 COUNT_BYTES_SUBR(1);
4303 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4305 CHECK_STRING_SUBR(fn);
4306 /* ensure that it's null-terminated */
4307 strncpy(fname, fn, 11);
4309 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4311 COUNT_BYTES_SUBR(fn_len);
4314 CHECK_BYTE_COUNT_SUBR(1);
4315 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
4316 COUNT_BYTES_SUBR(1);
4319 CHECK_BYTE_COUNT_SUBR(4);
4320 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
4321 COUNT_BYTES_SUBR(4);
4324 CHECK_BYTE_COUNT_SUBR(5);
4325 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4326 COUNT_BYTES_SUBR(5);
4330 CHECK_BYTE_COUNT_SUBR(4);
4331 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4332 COUNT_BYTES_SUBR(4);
4339 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4340 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4341 gboolean has_find_id)
4343 proto_item *item = NULL;
4344 proto_tree *tree = NULL;
4345 smb_info_t *si = pinfo->private_data;
4351 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4352 "Directory Information");
4353 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4357 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
4358 trunc, has_find_id);
4362 /* File Attributes */
4363 CHECK_BYTE_COUNT_SUBR(1);
4364 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
4367 /* last write time */
4368 CHECK_BYTE_COUNT_SUBR(4);
4369 offset = dissect_smb_datetime(tvb, tree, offset,
4370 hf_smb_last_write_time,
4371 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4376 CHECK_BYTE_COUNT_SUBR(4);
4377 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4378 COUNT_BYTES_SUBR(4);
4382 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4384 CHECK_STRING_SUBR(fn);
4385 /* ensure that it's null-terminated */
4386 strncpy(fname, fn, 13);
4388 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4390 COUNT_BYTES_SUBR(fn_len);
4398 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
4399 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4400 gboolean has_find_id)
4402 smb_info_t *si = pinfo->private_data;
4413 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4416 /* Search Attributes */
4417 offset = dissect_search_attributes(tvb, tree, offset);
4422 CHECK_BYTE_COUNT(1);
4423 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4427 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4431 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4433 COUNT_BYTES(fn_len);
4435 if (check_col(pinfo->cinfo, COL_INFO)) {
4436 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4440 CHECK_BYTE_COUNT(1);
4441 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4444 /* resume key length */
4445 CHECK_BYTE_COUNT(2);
4446 rkl = tvb_get_letohs(tvb, offset);
4447 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4452 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4453 &bc, &trunc, has_find_id);
4464 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4465 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4467 return dissect_search_find_request(tvb, pinfo, tree, offset,
4472 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4473 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4475 return dissect_search_find_request(tvb, pinfo, tree, offset,
4480 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4481 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4483 return dissect_search_find_request(tvb, pinfo, tree, offset,
4488 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4489 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4490 gboolean has_find_id)
4500 count = tvb_get_letohs(tvb, offset);
4501 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4507 CHECK_BYTE_COUNT(1);
4508 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4512 CHECK_BYTE_COUNT(2);
4513 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4517 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4518 &bc, &trunc, has_find_id);
4529 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4531 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4536 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4538 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4543 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4544 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4553 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4559 CHECK_BYTE_COUNT(1);
4560 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4564 CHECK_BYTE_COUNT(2);
4565 data_len = tvb_get_ntohs(tvb, offset);
4566 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
4569 if (data_len != 0) {
4570 CHECK_BYTE_COUNT(data_len);
4571 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
4573 COUNT_BYTES(data_len);
4581 static const value_string locking_ol_vals[] = {
4582 {0, "Client is not holding oplock on this file"},
4583 {1, "Level 2 oplock currently held by client"},
4587 static const true_false_string tfs_lock_type_large = {
4588 "Large file locking format requested",
4589 "Large file locking format not requested"
4591 static const true_false_string tfs_lock_type_cancel = {
4592 "Cancel outstanding lock request",
4593 "Don't cancel outstanding lock request"
4595 static const true_false_string tfs_lock_type_change = {
4597 "Don't change lock type"
4599 static const true_false_string tfs_lock_type_oplock = {
4600 "This is an oplock break notification/response",
4601 "This is not an oplock break notification/response"
4603 static const true_false_string tfs_lock_type_shared = {
4604 "This is a shared lock",
4605 "This is an exclusive lock"
4608 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4610 guint8 wc, cmd=0xff, lt=0;
4611 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4613 proto_item *litem = NULL;
4614 proto_tree *ltree = NULL;
4615 proto_item *it = NULL;
4616 proto_tree *tr = NULL;
4617 int old_offset = offset;
4621 /* next smb command */
4622 cmd = tvb_get_guint8(tvb, offset);
4624 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4626 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4631 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4635 andxoffset = tvb_get_letohs(tvb, offset);
4636 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4640 fid = tvb_get_letohs(tvb, offset);
4641 add_fid(tvb, pinfo, tree, offset, 2, fid);
4645 lt = tvb_get_guint8(tvb, offset);
4647 litem = proto_tree_add_text(tree, tvb, offset, 1,
4648 "Lock Type: 0x%02x", lt);
4649 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4651 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4652 tvb, offset, 1, lt);
4653 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4654 tvb, offset, 1, lt);
4655 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4656 tvb, offset, 1, lt);
4657 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4658 tvb, offset, 1, lt);
4659 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4660 tvb, offset, 1, lt);
4664 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
4668 to = tvb_get_letohl(tvb, offset);
4670 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4671 else if (to == 0xffffffff)
4672 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4674 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4677 /* number of unlocks */
4678 un = tvb_get_letohs(tvb, offset);
4679 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4682 /* number of locks */
4683 ln = tvb_get_letohs(tvb, offset);
4684 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4691 old_offset = offset;
4693 it = proto_tree_add_text(tree, tvb, offset, -1,
4695 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4697 proto_item *litem = NULL;
4698 proto_tree *ltree = NULL;
4700 /* large lock format */
4701 litem = proto_tree_add_text(tr, tvb, offset, 20,
4703 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4706 CHECK_BYTE_COUNT(2);
4707 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4710 /* 2 reserved bytes */
4711 CHECK_BYTE_COUNT(2);
4712 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4716 CHECK_BYTE_COUNT(8);
4717 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4721 CHECK_BYTE_COUNT(8);
4722 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4725 /* normal lock format */
4726 litem = proto_tree_add_text(tr, tvb, offset, 10,
4728 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4731 CHECK_BYTE_COUNT(2);
4732 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4736 CHECK_BYTE_COUNT(4);
4737 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4741 CHECK_BYTE_COUNT(4);
4742 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4746 proto_item_set_len(it, offset-old_offset);
4752 old_offset = offset;
4754 it = proto_tree_add_text(tree, tvb, offset, -1,
4756 tr = proto_item_add_subtree(it, ett_smb_locks);
4758 proto_item *litem = NULL;
4759 proto_tree *ltree = NULL;
4761 /* large lock format */
4762 litem = proto_tree_add_text(tr, tvb, offset, 20,
4764 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4767 CHECK_BYTE_COUNT(2);
4768 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4771 /* 2 reserved bytes */
4772 CHECK_BYTE_COUNT(2);
4773 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4777 CHECK_BYTE_COUNT(8);
4778 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4782 CHECK_BYTE_COUNT(8);
4783 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4786 /* normal lock format */
4787 litem = proto_tree_add_text(tr, tvb, offset, 10,
4789 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4792 CHECK_BYTE_COUNT(2);
4793 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4797 CHECK_BYTE_COUNT(4);
4798 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4802 CHECK_BYTE_COUNT(4);
4803 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4807 proto_item_set_len(it, offset-old_offset);
4815 * We ran out of byte count in the middle of dissecting
4816 * the locks or the unlocks; set the site of the item
4817 * we were dissecting.
4819 proto_item_set_len(it, offset-old_offset);
4822 /* call AndXCommand (if there are any) */
4823 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
4829 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4831 guint8 wc, cmd=0xff;
4832 guint16 andxoffset=0;
4837 /* next smb command */
4838 cmd = tvb_get_guint8(tvb, offset);
4840 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4842 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4847 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4851 andxoffset = tvb_get_letohs(tvb, offset);
4852 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4859 /* call AndXCommand (if there are any) */
4860 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
4866 static const value_string oa_open_vals[] = {
4867 { 0, "No action taken?"},
4868 { 1, "The file existed and was opened"},
4869 { 2, "The file did not exist but was created"},
4870 { 3, "The file existed and was truncated"},
4873 static const true_false_string tfs_oa_lock = {
4874 "File is currently opened only by this user",
4875 "File is opened by another user (or mode not supported by server)"
4878 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4881 proto_item *item = NULL;
4882 proto_tree *tree = NULL;
4884 mask = tvb_get_letohs(tvb, offset);
4887 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4888 "Action: 0x%04x", mask);
4889 tree = proto_item_add_subtree(item, ett_smb_open_action);
4892 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4893 tvb, offset, 2, mask);
4894 proto_tree_add_uint(tree, hf_smb_open_action_open,
4895 tvb, offset, 2, mask);
4902 static const true_false_string tfs_open_flags_add_info = {
4903 "Additional information requested",
4904 "Additional information not requested"
4906 static const true_false_string tfs_open_flags_ex_oplock = {
4907 "Exclusive oplock requested",
4908 "Exclusive oplock not requested"
4910 static const true_false_string tfs_open_flags_batch_oplock = {
4911 "Batch oplock requested",
4912 "Batch oplock not requested"
4914 static const true_false_string tfs_open_flags_ealen = {
4915 "Total length of EAs requested",
4916 "Total length of EAs not requested"
4919 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4922 proto_item *item = NULL;
4923 proto_tree *tree = NULL;
4925 mask = tvb_get_letohs(tvb, offset);
4928 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4929 "Flags: 0x%04x", mask);
4930 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4934 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4935 tvb, offset, 2, mask);
4938 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4939 tvb, offset, 2, mask);
4942 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4943 tvb, offset, 2, mask);
4946 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4947 tvb, offset, 2, mask);
4955 static const value_string filetype_vals[] = {
4956 { 0, "Disk file or directory"},
4957 { 1, "Named pipe in byte mode"},
4958 { 2, "Named pipe in message mode"},
4959 { 3, "Spooled printer"},
4963 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4965 guint8 wc, cmd=0xff;
4966 guint16 andxoffset=0, bc;
4967 smb_info_t *si = pinfo->private_data;
4973 /* next smb command */
4974 cmd = tvb_get_guint8(tvb, offset);
4976 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4978 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4983 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4987 andxoffset = tvb_get_letohs(tvb, offset);
4988 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4992 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
4994 /* desired access */
4995 offset = dissect_access(tvb, tree, offset, "Desired");
4997 /* Search Attributes */
4998 offset = dissect_search_attributes(tvb, tree, offset);
5000 /* File Attributes */
5001 offset = dissect_file_attributes(tvb, tree, offset, 2);
5004 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5007 offset = dissect_open_function(tvb, tree, offset);
5009 /* allocation size */
5010 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5013 /* 8 reserved bytes */
5014 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
5020 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5024 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5026 COUNT_BYTES(fn_len);
5028 if (check_col(pinfo->cinfo, COL_INFO)) {
5029 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
5034 /* call AndXCommand (if there are any) */
5035 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5040 static const true_false_string tfs_ipc_state_nonblocking = {
5041 "Reads/writes return immediately if no data available",
5042 "Reads/writes block if no data available"
5044 static const value_string ipc_state_endpoint_vals[] = {
5045 { 0, "Consumer end of pipe"},
5046 { 1, "Server end of pipe"},
5049 static const value_string ipc_state_pipe_type_vals[] = {
5050 { 0, "Byte stream pipe"},
5051 { 1, "Message pipe"},
5054 static const value_string ipc_state_read_mode_vals[] = {
5055 { 0, "Read pipe as a byte stream"},
5056 { 1, "Read messages from pipe"},
5061 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
5065 proto_item *item = NULL;
5066 proto_tree *tree = NULL;
5068 mask = tvb_get_letohs(tvb, offset);
5071 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5072 "IPC State: 0x%04x", mask);
5073 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
5076 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
5077 tvb, offset, 2, mask);
5079 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
5080 tvb, offset, 2, mask);
5081 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
5082 tvb, offset, 2, mask);
5084 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
5085 tvb, offset, 2, mask);
5087 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
5088 tvb, offset, 2, mask);
5097 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5099 guint8 wc, cmd=0xff;
5100 guint16 andxoffset=0, bc;
5105 /* next smb command */
5106 cmd = tvb_get_guint8(tvb, offset);
5108 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5110 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5115 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5119 andxoffset = tvb_get_letohs(tvb, offset);
5120 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5124 fid = tvb_get_letohs(tvb, offset);
5125 add_fid(tvb, pinfo, tree, offset, 2, fid);
5128 /* File Attributes */
5129 offset = dissect_file_attributes(tvb, tree, offset, 2);
5131 /* last write time */
5132 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
5135 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5138 /* granted access */
5139 offset = dissect_access(tvb, tree, offset, "Granted");
5142 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
5146 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
5149 offset = dissect_open_action(tvb, tree, offset);
5152 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
5155 /* 2 reserved bytes */
5156 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5163 /* call AndXCommand (if there are any) */
5164 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5170 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5172 guint8 wc, cmd=0xff;
5173 guint16 andxoffset=0, bc, maxcnt = 0;
5180 /* next smb command */
5181 cmd = tvb_get_guint8(tvb, offset);
5183 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5185 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5190 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5194 andxoffset = tvb_get_letohs(tvb, offset);
5195 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5199 fid = tvb_get_letohs(tvb, offset);
5200 add_fid(tvb, pinfo, tree, offset, 2, fid);
5202 if (!pinfo->fd->flags.visited) {
5203 /* remember the FID for the processing of the response */
5204 si = (smb_info_t *)pinfo->private_data;
5205 si->sip->extra_info=(void *)fid;
5209 ofs = tvb_get_letohl(tvb, offset);
5210 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5214 maxcnt = tvb_get_letohs(tvb, offset);
5215 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
5218 if (check_col(pinfo->cinfo, COL_INFO))
5219 col_append_fstr(pinfo->cinfo, COL_INFO,
5220 ", %u byte%s at offset %u", maxcnt,
5221 (maxcnt == 1) ? "" : "s", ofs);
5224 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
5227 /* XXX - max count high */
5228 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5232 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5237 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5245 /* call AndXCommand (if there are any) */
5246 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5252 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5254 guint8 wc, cmd=0xff;
5255 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
5256 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5261 /* next smb command */
5262 cmd = tvb_get_guint8(tvb, offset);
5264 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5266 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5271 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5275 andxoffset = tvb_get_letohs(tvb, offset);
5276 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5279 /* If we have seen the request, then print which FID this refers to */
5280 /* first check if we have seen the request */
5281 if(si->sip != NULL && si->sip->frame_req>0){
5282 fid=(int)si->sip->extra_info;
5283 add_fid(tvb, pinfo, tree, 0, 0, fid);
5287 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5290 /* data compaction mode */
5291 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
5294 /* 2 reserved bytes */
5295 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5299 datalen = tvb_get_letohs(tvb, offset);
5300 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5303 if (check_col(pinfo->cinfo, COL_INFO))
5304 col_append_fstr(pinfo->cinfo, COL_INFO,
5305 ", %u byte%s", datalen,
5306 (datalen == 1) ? "" : "s");
5309 dataoffset=tvb_get_letohs(tvb, offset);
5310 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5313 /* 10 reserved bytes */
5314 /* XXX - first 2 bytes are data length high, not reserved */
5315 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
5320 /* file data, might be DCERPC on a pipe */
5322 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5323 top_tree, offset, bc, datalen, 0, fid);
5329 /* call AndXCommand (if there are any) */
5330 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5336 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5339 guint8 wc, cmd=0xff;
5340 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
5341 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5348 /* next smb command */
5349 cmd = tvb_get_guint8(tvb, offset);
5351 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5353 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5358 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5362 andxoffset = tvb_get_letohs(tvb, offset);
5363 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5367 fid = tvb_get_letohs(tvb, offset);
5368 add_fid(tvb, pinfo, tree, offset, 2, fid);
5370 if (!pinfo->fd->flags.visited) {
5371 /* remember the FID for the processing of the response */
5372 si->sip->extra_info=(void *)fid;
5376 ofs = tvb_get_letohl(tvb, offset);
5377 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5381 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5385 mode = tvb_get_letohs(tvb, offset);
5386 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
5389 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5392 /* XXX - data length high */
5393 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5397 datalen = tvb_get_letohs(tvb, offset);
5398 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5402 dataoffset=tvb_get_letohs(tvb, offset);
5403 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5406 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
5407 if (check_col(pinfo->cinfo, COL_INFO))
5408 col_append_fstr(pinfo->cinfo, COL_INFO,
5409 ", %u byte%s at offset %u", datalen,
5410 (datalen == 1) ? "" : "s", ofs);
5414 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5420 /* if both the MessageStart and the WriteRawNamedPipe flags are set
5421 the first two bytes of the payload is the length of the data
5422 also this tells us that this is indeed the IPC$ share
5423 (if we didnt already know that
5425 if((mode&(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW))==(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW)){
5426 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
5432 si->sip->flags|=SMB_SIF_TID_IS_IPC;
5436 /* file data, might be DCERPC on a pipe */
5438 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5439 top_tree, offset, bc, datalen, 0, fid);
5445 /* call AndXCommand (if there are any) */
5446 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5452 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5454 guint8 wc, cmd=0xff;
5455 guint16 andxoffset=0, bc, datalen=0;
5460 /* next smb command */
5461 cmd = tvb_get_guint8(tvb, offset);
5463 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5465 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5470 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5474 andxoffset = tvb_get_letohs(tvb, offset);
5475 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5478 /* If we have seen the request, then print which FID this refers to */
5479 si = (smb_info_t *)pinfo->private_data;
5480 /* first check if we have seen the request */
5481 if(si->sip != NULL && si->sip->frame_req>0){
5482 add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
5486 datalen = tvb_get_letohs(tvb, offset);
5487 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
5490 if (check_col(pinfo->cinfo, COL_INFO))
5491 col_append_fstr(pinfo->cinfo, COL_INFO,
5492 ", %u byte%s", datalen,
5493 (datalen == 1) ? "" : "s");
5496 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5499 /* 4 reserved bytes */
5500 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5507 /* call AndXCommand (if there are any) */
5508 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5514 static const true_false_string tfs_setup_action_guest = {
5515 "Logged in as GUEST",
5516 "Not logged in as GUEST"
5519 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5522 proto_item *item = NULL;
5523 proto_tree *tree = NULL;
5525 mask = tvb_get_letohs(tvb, offset);
5528 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5529 "Action: 0x%04x", mask);
5530 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5533 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5534 tvb, offset, 2, mask);
5543 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5545 guint8 wc, cmd=0xff;
5547 guint16 andxoffset=0;
5548 smb_info_t *si = pinfo->private_data;
5555 guint16 apwlen=0, upwlen=0;
5559 /* next smb command */
5560 cmd = tvb_get_guint8(tvb, offset);
5562 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5564 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5569 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5573 andxoffset = tvb_get_letohs(tvb, offset);
5574 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5577 /* Maximum Buffer Size */
5578 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5581 /* Maximum Multiplex Count */
5582 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5586 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5590 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5595 /* password length, ASCII*/
5596 pwlen = tvb_get_letohs(tvb, offset);
5597 proto_tree_add_uint(tree, hf_smb_password_len,
5598 tvb, offset, 2, pwlen);
5601 /* 4 reserved bytes */
5602 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5608 /* security blob length */
5609 sbloblen = tvb_get_letohs(tvb, offset);
5610 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5613 /* 4 reserved bytes */
5614 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5618 dissect_negprot_capabilities(tvb, tree, offset);
5624 /* password length, ANSI*/
5625 apwlen = tvb_get_letohs(tvb, offset);
5626 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5627 tvb, offset, 2, apwlen);
5630 /* password length, Unicode*/
5631 upwlen = tvb_get_letohs(tvb, offset);
5632 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5633 tvb, offset, 2, upwlen);
5636 /* 4 reserved bytes */
5637 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5641 dissect_negprot_capabilities(tvb, tree, offset);
5650 proto_item *blob_item;
5654 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5655 tvb, offset, sbloblen, TRUE);
5657 /* As an optimization, because Windows is perverse,
5658 we check to see if NTLMSSP is the first part of the
5659 blob, and if so, call the NTLMSSP dissector,
5660 otherwise we call the GSS-API dissector. This is because
5661 Windows can request RAW NTLMSSP, but will happily handle
5662 a client that wraps NTLMSSP in SPNEGO
5667 proto_tree *blob_tree;
5669 blob_tree = proto_item_add_subtree(blob_item,
5671 CHECK_BYTE_COUNT(sbloblen);
5673 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
5676 if (si && si->ct && si->ct->raw_ntlmssp &&
5678 tvb_get_ptr(tvb, offset, 7), 7)) {
5679 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5684 call_dissector(gssapi_handle, blob_tvb,
5688 COUNT_BYTES(sbloblen);
5692 an = get_unicode_or_ascii_string(tvb, &offset,
5693 si->unicode, &an_len, FALSE, FALSE, &bc);
5696 proto_tree_add_string(tree, hf_smb_os, tvb,
5697 offset, an_len, an);
5698 COUNT_BYTES(an_len);
5701 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5702 * padding/null string/whatever in front of this. W2K doesn't
5703 * appear to. I suspect that's a bug that got fixed; I also
5704 * suspect that, in practice, nobody ever looks at that field
5705 * because the bug didn't appear to get fixed until NT 5.0....
5707 an = get_unicode_or_ascii_string(tvb, &offset,
5708 si->unicode, &an_len, FALSE, FALSE, &bc);
5711 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5712 offset, an_len, an);
5713 COUNT_BYTES(an_len);
5715 /* Primary domain */
5716 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5717 * byte in front of this, at least if all the strings are
5718 * ASCII and the account name is empty. Another bug?
5720 dn = get_unicode_or_ascii_string(tvb, &offset,
5721 si->unicode, &dn_len, FALSE, FALSE, &bc);
5724 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5725 offset, dn_len, dn);
5726 COUNT_BYTES(dn_len);
5732 /* password, ASCII */
5733 CHECK_BYTE_COUNT(pwlen);
5734 proto_tree_add_item(tree, hf_smb_password,
5735 tvb, offset, pwlen, TRUE);
5743 /* password, ANSI */
5744 CHECK_BYTE_COUNT(apwlen);
5745 proto_tree_add_item(tree, hf_smb_ansi_password,
5746 tvb, offset, apwlen, TRUE);
5747 COUNT_BYTES(apwlen);
5751 /* password, Unicode */
5752 CHECK_BYTE_COUNT(upwlen);
5753 proto_tree_add_item(tree, hf_smb_unicode_password,
5754 tvb, offset, upwlen, TRUE);
5755 COUNT_BYTES(upwlen);
5762 an = get_unicode_or_ascii_string(tvb, &offset,
5763 si->unicode, &an_len, FALSE, FALSE, &bc);
5766 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5768 COUNT_BYTES(an_len);
5770 /* Primary domain */
5771 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5772 * byte in front of this, at least if all the strings are
5773 * ASCII and the account name is empty. Another bug?
5775 dn = get_unicode_or_ascii_string(tvb, &offset,
5776 si->unicode, &dn_len, FALSE, FALSE, &bc);
5779 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5780 offset, dn_len, dn);
5781 COUNT_BYTES(dn_len);
5783 if (check_col(pinfo->cinfo, COL_INFO)) {
5784 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5786 if (!dn[0] && !an[0])
5787 col_append_fstr(pinfo->cinfo, COL_INFO,
5790 col_append_fstr(pinfo->cinfo, COL_INFO,
5795 an = get_unicode_or_ascii_string(tvb, &offset,
5796 si->unicode, &an_len, FALSE, FALSE, &bc);
5799 proto_tree_add_string(tree, hf_smb_os, tvb,
5800 offset, an_len, an);
5801 COUNT_BYTES(an_len);
5804 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5805 * padding/null string/whatever in front of this. W2K doesn't
5806 * appear to. I suspect that's a bug that got fixed; I also
5807 * suspect that, in practice, nobody ever looks at that field
5808 * because the bug didn't appear to get fixed until NT 5.0....
5810 an = get_unicode_or_ascii_string(tvb, &offset,
5811 si->unicode, &an_len, FALSE, FALSE, &bc);
5814 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5815 offset, an_len, an);
5816 COUNT_BYTES(an_len);
5821 /* call AndXCommand (if there are any) */
5822 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5828 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5830 guint8 wc, cmd=0xff;
5831 guint16 andxoffset=0, bc;
5833 smb_info_t *si = pinfo->private_data;
5839 /* next smb command */
5840 cmd = tvb_get_guint8(tvb, offset);
5842 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5844 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5849 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5853 andxoffset = tvb_get_letohs(tvb, offset);
5854 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5858 offset = dissect_setup_action(tvb, tree, offset);
5861 /* security blob length */
5862 sbloblen = tvb_get_letohs(tvb, offset);
5863 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5870 proto_item *blob_item;
5874 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5875 tvb, offset, sbloblen, TRUE);
5879 proto_tree *blob_tree;
5881 blob_tree = proto_item_add_subtree(blob_item,
5883 CHECK_BYTE_COUNT(sbloblen);
5885 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
5888 if (si && si->ct && si->ct->raw_ntlmssp &&
5890 tvb_get_ptr(tvb, offset, 7), 7)) {
5891 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5896 call_dissector(gssapi_handle, blob_tvb, pinfo,
5901 COUNT_BYTES(sbloblen);
5906 an = get_unicode_or_ascii_string(tvb, &offset,
5907 si->unicode, &an_len, FALSE, FALSE, &bc);
5910 proto_tree_add_string(tree, hf_smb_os, tvb,
5911 offset, an_len, an);
5912 COUNT_BYTES(an_len);
5915 an = get_unicode_or_ascii_string(tvb, &offset,
5916 si->unicode, &an_len, FALSE, FALSE, &bc);
5919 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5920 offset, an_len, an);
5921 COUNT_BYTES(an_len);
5924 /* Primary domain */
5925 an = get_unicode_or_ascii_string(tvb, &offset,
5926 si->unicode, &an_len, FALSE, FALSE, &bc);
5929 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5930 offset, an_len, an);
5931 COUNT_BYTES(an_len);
5936 /* call AndXCommand (if there are any) */
5937 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5944 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5946 guint8 wc, cmd=0xff;
5947 guint16 andxoffset=0;
5952 /* next smb command */
5953 cmd = tvb_get_guint8(tvb, offset);
5955 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5957 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5962 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5966 andxoffset = tvb_get_letohs(tvb, offset);
5967 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5974 /* call AndXCommand (if there are any) */
5975 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5981 static const true_false_string tfs_connect_support_search = {
5982 "Exclusive search bits supported",
5983 "Exclusive search bits not supported"
5985 static const true_false_string tfs_connect_support_in_dfs = {
5987 "Share isn't in Dfs"
5991 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5994 proto_item *item = NULL;
5995 proto_tree *tree = NULL;
5997 mask = tvb_get_letohs(tvb, offset);
6000 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6001 "Optional Support: 0x%04x", mask);
6002 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
6005 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
6006 tvb, offset, 2, mask);
6007 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
6008 tvb, offset, 2, mask);
6015 static const true_false_string tfs_disconnect_tid = {
6017 "Do NOT disconnect TID"
6021 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6024 proto_item *item = NULL;
6025 proto_tree *tree = NULL;
6027 mask = tvb_get_letohs(tvb, offset);
6030 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6031 "Flags: 0x%04x", mask);
6032 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
6035 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
6036 tvb, offset, 2, mask);
6044 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6046 guint8 wc, cmd=0xff;
6048 guint16 andxoffset=0, pwlen=0;
6049 smb_info_t *si = pinfo->private_data;
6055 /* next smb command */
6056 cmd = tvb_get_guint8(tvb, offset);
6058 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6060 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
6065 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6069 andxoffset = tvb_get_letohs(tvb, offset);
6070 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6074 offset = dissect_connect_flags(tvb, tree, offset);
6076 /* password length*/
6077 pwlen = tvb_get_letohs(tvb, offset);
6078 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
6084 CHECK_BYTE_COUNT(pwlen);
6085 proto_tree_add_item(tree, hf_smb_password,
6086 tvb, offset, pwlen, TRUE);
6090 an = get_unicode_or_ascii_string(tvb, &offset,
6091 si->unicode, &an_len, FALSE, FALSE, &bc);
6094 proto_tree_add_string(tree, hf_smb_path, tvb,
6095 offset, an_len, an);
6096 COUNT_BYTES(an_len);
6098 if (check_col(pinfo->cinfo, COL_INFO)) {
6099 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
6103 * NOTE: the Service string is always ASCII, even if the
6104 * "strings are Unicode" bit is set in the flags2 field
6109 /* XXX - what if this runs past bc? */
6110 an_len = tvb_strsize(tvb, offset);
6111 CHECK_BYTE_COUNT(an_len);
6112 an = tvb_get_ptr(tvb, offset, an_len);
6113 proto_tree_add_string(tree, hf_smb_service, tvb,
6114 offset, an_len, an);
6115 COUNT_BYTES(an_len);
6119 /* call AndXCommand (if there are any) */
6120 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6127 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6129 guint8 wc, wleft, cmd=0xff;
6130 guint16 andxoffset=0;
6134 smb_info_t *si = pinfo->private_data;
6138 wleft = wc; /* this is at least 1 */
6140 /* next smb command */
6141 cmd = tvb_get_guint8(tvb, offset);
6143 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6145 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
6150 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6158 andxoffset = tvb_get_letohs(tvb, offset);
6159 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6166 offset = dissect_connect_support_bits(tvb, tree, offset);
6169 /* XXX - I've seen captures where this is 7, but I have no
6170 idea how to dissect it. I'm guessing the third word
6171 contains connect support bits, which looks plausible
6172 from the values I've seen. */
6174 while (wleft != 0) {
6175 proto_tree_add_text(tree, tvb, offset, 2,
6176 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
6184 * NOTE: even though the SNIA CIFS spec doesn't say there's
6185 * a "Service" string if there's a word count of 2, the
6188 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
6190 * (it's in an ugly format - text intended to be sent to a
6191 * printer, with backspaces and overstrikes used for boldfacing
6192 * and underlining; UNIX "col -b" can be used to strip the
6193 * overstrikes out) says there's a "Service" string there, and
6194 * some network traffic has it.
6198 * NOTE: the Service string is always ASCII, even if the
6199 * "strings are Unicode" bit is set in the flags2 field
6204 /* XXX - what if this runs past bc? */
6205 an_len = tvb_strsize(tvb, offset);
6206 CHECK_BYTE_COUNT(an_len);
6207 an = tvb_get_ptr(tvb, offset, an_len);
6208 proto_tree_add_string(tree, hf_smb_service, tvb,
6209 offset, an_len, an);
6210 COUNT_BYTES(an_len);
6212 /* Now when we know the service type, store it so that we know it for later commands down
6214 if(!pinfo->fd->flags.visited){
6215 /* Remove any previous entry for this TID */
6216 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
6217 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
6219 if(strcmp(an,"IPC") == 0){
6220 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
6222 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
6230 * Sometimes this isn't present.
6234 an = get_unicode_or_ascii_string(tvb, &offset,
6235 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
6239 proto_tree_add_string(tree, hf_smb_fs, tvb,
6240 offset, an_len, an);
6241 COUNT_BYTES(an_len);
6247 /* call AndXCommand (if there are any) */
6248 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6255 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6256 NT Transaction command begins here
6257 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
6258 #define NT_TRANS_CREATE 1
6259 #define NT_TRANS_IOCTL 2
6260 #define NT_TRANS_SSD 3
6261 #define NT_TRANS_NOTIFY 4
6262 #define NT_TRANS_RENAME 5
6263 #define NT_TRANS_QSD 6
6264 #define NT_TRANS_GET_USER_QUOTA 7
6265 #define NT_TRANS_SET_USER_QUOTA 8
6266 const value_string nt_cmd_vals[] = {
6267 {NT_TRANS_CREATE, "NT CREATE"},
6268 {NT_TRANS_IOCTL, "NT IOCTL"},
6269 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
6270 {NT_TRANS_NOTIFY, "NT NOTIFY"},
6271 {NT_TRANS_RENAME, "NT RENAME"},
6272 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
6273 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
6274 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
6278 static const value_string nt_ioctl_isfsctl_vals[] = {
6279 {0, "Device IOCTL"},
6280 {1, "FS control : FSCTL"},
6284 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
6285 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
6286 "Apply the command to share root handle (MUST BE Dfs)",
6287 "Apply to this share",
6290 static const value_string nt_notify_action_vals[] = {
6291 {1, "ADDED (object was added"},
6292 {2, "REMOVED (object was removed)"},
6293 {3, "MODIFIED (object was modified)"},
6294 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
6295 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
6296 {6, "ADDED_STREAM (a stream was added)"},
6297 {7, "REMOVED_STREAM (a stream was removed)"},
6298 {8, "MODIFIED_STREAM (a stream was modified)"},
6302 static const value_string watch_tree_vals[] = {
6303 {0, "Current directory only"},
6304 {1, "Subdirectories also"},
6308 #define NT_NOTIFY_STREAM_WRITE 0x00000800
6309 #define NT_NOTIFY_STREAM_SIZE 0x00000400
6310 #define NT_NOTIFY_STREAM_NAME 0x00000200
6311 #define NT_NOTIFY_SECURITY 0x00000100
6312 #define NT_NOTIFY_EA 0x00000080
6313 #define NT_NOTIFY_CREATION 0x00000040
6314 #define NT_NOTIFY_LAST_ACCESS 0x00000020
6315 #define NT_NOTIFY_LAST_WRITE 0x00000010
6316 #define NT_NOTIFY_SIZE 0x00000008
6317 #define NT_NOTIFY_ATTRIBUTES 0x00000004
6318 #define NT_NOTIFY_DIR_NAME 0x00000002
6319 #define NT_NOTIFY_FILE_NAME 0x00000001
6320 static const true_false_string tfs_nt_notify_stream_write = {
6321 "Notify on changes to STREAM WRITE",
6322 "Do NOT notify on changes to stream write",
6324 static const true_false_string tfs_nt_notify_stream_size = {
6325 "Notify on changes to STREAM SIZE",
6326 "Do NOT notify on changes to stream size",
6328 static const true_false_string tfs_nt_notify_stream_name = {
6329 "Notify on changes to STREAM NAME",
6330 "Do NOT notify on changes to stream name",
6332 static const true_false_string tfs_nt_notify_security = {
6333 "Notify on changes to SECURITY",
6334 "Do NOT notify on changes to security",
6336 static const true_false_string tfs_nt_notify_ea = {
6337 "Notify on changes to EA",
6338 "Do NOT notify on changes to EA",
6340 static const true_false_string tfs_nt_notify_creation = {
6341 "Notify on changes to CREATION TIME",
6342 "Do NOT notify on changes to creation time",
6344 static const true_false_string tfs_nt_notify_last_access = {
6345 "Notify on changes to LAST ACCESS TIME",
6346 "Do NOT notify on changes to last access time",
6348 static const true_false_string tfs_nt_notify_last_write = {
6349 "Notify on changes to LAST WRITE TIME",
6350 "Do NOT notify on changes to last write time",
6352 static const true_false_string tfs_nt_notify_size = {
6353 "Notify on changes to SIZE",
6354 "Do NOT notify on changes to size",
6356 static const true_false_string tfs_nt_notify_attributes = {
6357 "Notify on changes to ATTRIBUTES",
6358 "Do NOT notify on changes to attributes",
6360 static const true_false_string tfs_nt_notify_dir_name = {
6361 "Notify on changes to DIR NAME",
6362 "Do NOT notify on changes to dir name",
6364 static const true_false_string tfs_nt_notify_file_name = {
6365 "Notify on changes to FILE NAME",
6366 "Do NOT notify on changes to file name",
6369 static const value_string create_disposition_vals[] = {
6370 {0, "Supersede (supersede existing file (if it exists))"},
6371 {1, "Open (if file exists open it, else fail)"},
6372 {2, "Create (if file exists fail, else create it)"},
6373 {3, "Open If (if file exists open it, else create it)"},
6374 {4, "Overwrite (if file exists overwrite, else fail)"},
6375 {5, "Overwrite If (if file exists overwrite, else create it)"},
6379 static const value_string impersonation_level_vals[] = {
6381 {1, "Identification"},
6382 {2, "Impersonation"},
6387 static const true_false_string tfs_nt_security_flags_context_tracking = {
6388 "Security tracking mode is DYNAMIC",
6389 "Security tracking mode is STATIC",
6392 static const true_false_string tfs_nt_security_flags_effective_only = {
6393 "ONLY ENABLED aspects of the client's security context are available",
6394 "ALL aspects of the client's security context are available",
6397 static const true_false_string tfs_nt_create_bits_oplock = {
6398 "Requesting OPLOCK",
6399 "Does NOT request oplock"
6402 static const true_false_string tfs_nt_create_bits_boplock = {
6403 "Requesting BATCH OPLOCK",
6404 "Does NOT request batch oplock"
6408 * XXX - must be a directory, and can be a file, or can be a directory,
6409 * and must be a file?
6411 static const true_false_string tfs_nt_create_bits_dir = {
6412 "Target of open MUST be a DIRECTORY",
6413 "Target of open can be a file"
6416 static const true_false_string tfs_nt_access_mask_generic_read = {
6417 "GENERIC READ is set",
6418 "Generic read is NOT set"
6420 static const true_false_string tfs_nt_access_mask_generic_write = {
6421 "GENERIC WRITE is set",
6422 "Generic write is NOT set"
6424 static const true_false_string tfs_nt_access_mask_generic_execute = {
6425 "GENERIC EXECUTE is set",
6426 "Generic execute is NOT set"
6428 static const true_false_string tfs_nt_access_mask_generic_all = {
6429 "GENERIC ALL is set",
6430 "Generic all is NOT set"
6432 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6433 "MAXIMUM ALLOWED is set",
6434 "Maximum allowed is NOT set"
6436 static const true_false_string tfs_nt_access_mask_system_security = {
6437 "SYSTEM SECURITY is set",
6438 "System security is NOT set"
6440 static const true_false_string tfs_nt_access_mask_synchronize = {
6441 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6442 "Can NOT wait on handle to synchronize on completion of I/O"
6444 static const true_false_string tfs_nt_access_mask_write_owner = {
6445 "Can WRITE OWNER (take ownership)",
6446 "Can NOT write owner (take ownership)"
6448 static const true_false_string tfs_nt_access_mask_write_dac = {
6449 "OWNER may WRITE the DAC",
6450 "Owner may NOT write to the DAC"
6452 static const true_false_string tfs_nt_access_mask_read_control = {
6453 "READ ACCESS to owner, group and ACL of the SID",
6454 "Read access is NOT granted to owner, group and ACL of the SID"
6456 static const true_false_string tfs_nt_access_mask_delete = {
6460 static const true_false_string tfs_nt_access_mask_write_attributes = {
6461 "WRITE ATTRIBUTES access",
6462 "NO write attributes access"
6464 static const true_false_string tfs_nt_access_mask_read_attributes = {
6465 "READ ATTRIBUTES access",
6466 "NO read attributes access"
6468 static const true_false_string tfs_nt_access_mask_delete_child = {
6469 "DELETE CHILD access",
6470 "NO delete child access"
6472 static const true_false_string tfs_nt_access_mask_execute = {
6476 static const true_false_string tfs_nt_access_mask_write_ea = {
6477 "WRITE EXTENDED ATTRIBUTES access",
6478 "NO write extended attributes access"
6480 static const true_false_string tfs_nt_access_mask_read_ea = {
6481 "READ EXTENDED ATTRIBUTES access",
6482 "NO read extended attributes access"
6484 static const true_false_string tfs_nt_access_mask_append = {
6488 static const true_false_string tfs_nt_access_mask_write = {
6492 static const true_false_string tfs_nt_access_mask_read = {
6497 static const true_false_string tfs_nt_share_access_delete = {
6498 "Object can be shared for DELETE",
6499 "Object can NOT be shared for delete"
6501 static const true_false_string tfs_nt_share_access_write = {
6502 "Object can be shared for WRITE",
6503 "Object can NOT be shared for write"
6505 static const true_false_string tfs_nt_share_access_read = {
6506 "Object can be shared for READ",
6507 "Object can NOT be shared for read"
6510 static const value_string oplock_level_vals[] = {
6511 {0, "No oplock granted"},
6512 {1, "Exclusive oplock granted"},
6513 {2, "Batch oplock granted"},
6514 {3, "Level II oplock granted"},
6518 static const value_string device_type_vals[] = {
6519 {0x00000001, "Beep"},
6520 {0x00000002, "CDROM"},
6521 {0x00000003, "CDROM Filesystem"},
6522 {0x00000004, "Controller"},
6523 {0x00000005, "Datalink"},
6524 {0x00000006, "Dfs"},
6525 {0x00000007, "Disk"},
6526 {0x00000008, "Disk Filesystem"},
6527 {0x00000009, "Filesystem"},
6528 {0x0000000a, "Inport Port"},
6529 {0x0000000b, "Keyboard"},
6530 {0x0000000c, "Mailslot"},
6531 {0x0000000d, "MIDI-In"},
6532 {0x0000000e, "MIDI-Out"},
6533 {0x0000000f, "Mouse"},
6534 {0x00000010, "Multi UNC Provider"},
6535 {0x00000011, "Named Pipe"},
6536 {0x00000012, "Network"},
6537 {0x00000013, "Network Browser"},
6538 {0x00000014, "Network Filesystem"},
6539 {0x00000015, "NULL"},
6540 {0x00000016, "Parallel Port"},
6541 {0x00000017, "Physical card"},
6542 {0x00000018, "Printer"},
6543 {0x00000019, "Scanner"},
6544 {0x0000001a, "Serial Mouse port"},
6545 {0x0000001b, "Serial port"},
6546 {0x0000001c, "Screen"},
6547 {0x0000001d, "Sound"},
6548 {0x0000001e, "Streams"},
6549 {0x0000001f, "Tape"},
6550 {0x00000020, "Tape Filesystem"},
6551 {0x00000021, "Transport"},
6552 {0x00000022, "Unknown"},
6553 {0x00000023, "Video"},
6554 {0x00000024, "Virtual Disk"},
6555 {0x00000025, "WAVE-In"},
6556 {0x00000026, "WAVE-Out"},
6557 {0x00000027, "8042 Port"},
6558 {0x00000028, "Network Redirector"},
6559 {0x00000029, "Battery"},
6560 {0x0000002a, "Bus Extender"},
6561 {0x0000002b, "Modem"},
6562 {0x0000002c, "VDM"},
6566 static const value_string is_directory_vals[] = {
6567 {0, "This is NOT a directory"},
6568 {1, "This is a DIRECTORY"},
6572 typedef struct _nt_trans_data {
6581 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6584 proto_item *item = NULL;
6585 proto_tree *tree = NULL;
6587 mask = tvb_get_guint8(tvb, offset);
6590 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6591 "Security Flags: 0x%02x", mask);
6592 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
6595 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6596 tvb, offset, 1, mask);
6597 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6598 tvb, offset, 1, mask);
6606 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6609 proto_item *item = NULL;
6610 proto_tree *tree = NULL;
6612 mask = tvb_get_letohl(tvb, offset);
6615 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6616 "Share Access: 0x%08x", mask);
6617 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6620 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6621 tvb, offset, 4, mask);
6622 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6623 tvb, offset, 4, mask);
6624 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6625 tvb, offset, 4, mask);
6632 /* FIXME: need to call dissect_nt_access_mask() instead */
6635 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6638 proto_item *item = NULL;
6639 proto_tree *tree = NULL;
6641 mask = tvb_get_letohl(tvb, offset);
6644 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6645 "Access Mask: 0x%08x", mask);
6646 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6650 * Some of these bits come from
6652 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6654 * and others come from the section on ZwOpenFile in "Windows(R)
6655 * NT(R)/2000 Native API Reference".
6657 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6658 tvb, offset, 4, mask);
6659 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6660 tvb, offset, 4, mask);
6661 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6662 tvb, offset, 4, mask);
6663 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6664 tvb, offset, 4, mask);
6665 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6666 tvb, offset, 4, mask);
6667 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6668 tvb, offset, 4, mask);
6669 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6670 tvb, offset, 4, mask);
6671 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6672 tvb, offset, 4, mask);
6673 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6674 tvb, offset, 4, mask);
6675 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6676 tvb, offset, 4, mask);
6677 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6678 tvb, offset, 4, mask);
6679 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6680 tvb, offset, 4, mask);
6681 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6682 tvb, offset, 4, mask);
6683 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6684 tvb, offset, 4, mask);
6685 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6686 tvb, offset, 4, mask);
6687 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6688 tvb, offset, 4, mask);
6689 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6690 tvb, offset, 4, mask);
6691 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6692 tvb, offset, 4, mask);
6693 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6694 tvb, offset, 4, mask);
6695 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6696 tvb, offset, 4, mask);
6704 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6707 proto_item *item = NULL;
6708 proto_tree *tree = NULL;
6710 mask = tvb_get_letohl(tvb, offset);
6713 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6714 "Create Flags: 0x%08x", mask);
6715 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6719 * XXX - it's 0x00000016 in at least one capture, but
6720 * Network Monitor doesn't say what the 0x00000010 bit is.
6721 * Does the Win32 API documentation, or NT Native API book,
6724 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6725 tvb, offset, 4, mask);
6726 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6727 tvb, offset, 4, mask);
6728 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6729 tvb, offset, 4, mask);
6737 * XXX - there are some more flags in the description of "ZwOpenFile()"
6738 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6739 * the wire as well? (The spec at
6741 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6743 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6744 * via the SMB protocol. The NT redirector should convert this option
6745 * to FILE_WRITE_THROUGH."
6747 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6748 * values one would infer from their position in the list of flags for
6749 * "ZwOpenFile()". Most of the others probably have those values
6750 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6751 * which might go over the wire (for the benefit of backup/restore software).
6753 static const true_false_string tfs_nt_create_options_directory = {
6754 "File being created/opened must be a directory",
6755 "File being created/opened must not be a directory"
6757 static const true_false_string tfs_nt_create_options_write_through = {
6758 "Writes should flush buffered data before completing",
6759 "Writes need not flush buffered data before completing"
6761 static const true_false_string tfs_nt_create_options_sequential_only = {
6762 "The file will only be accessed sequentially",
6763 "The file might not only be accessed sequentially"
6765 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6766 "All operations SYNCHRONOUS, waits subject to termination from alert",
6767 "Operations NOT necessarily synchronous"
6769 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6770 "All operations SYNCHRONOUS, waits not subject to alert",
6771 "Operations NOT necessarily synchronous"
6773 static const true_false_string tfs_nt_create_options_non_directory = {
6774 "File being created/opened must not be a directory",
6775 "File being created/opened must be a directory"
6777 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6778 "The client does not understand extended attributes",
6779 "The client understands extended attributes"
6781 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6782 "The client understands only 8.3 file names",
6783 "The client understands long file names"
6785 static const true_false_string tfs_nt_create_options_random_access = {
6786 "The file will be accessed randomly",
6787 "The file will not be accessed randomly"
6789 static const true_false_string tfs_nt_create_options_delete_on_close = {
6790 "The file should be deleted when it is closed",
6791 "The file should not be deleted when it is closed"
6795 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6798 proto_item *item = NULL;
6799 proto_tree *tree = NULL;
6801 mask = tvb_get_letohl(tvb, offset);
6804 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6805 "Create Options: 0x%08x", mask);
6806 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6812 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6814 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6815 tvb, offset, 4, mask);
6816 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6817 tvb, offset, 4, mask);
6818 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6819 tvb, offset, 4, mask);
6820 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6821 tvb, offset, 4, mask);
6822 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6823 tvb, offset, 4, mask);
6824 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6825 tvb, offset, 4, mask);
6826 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6827 tvb, offset, 4, mask);
6828 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
6829 tvb, offset, 4, mask);
6830 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
6831 tvb, offset, 4, mask);
6832 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
6833 tvb, offset, 4, mask);
6841 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6844 proto_item *item = NULL;
6845 proto_tree *tree = NULL;
6847 mask = tvb_get_letohl(tvb, offset);
6850 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6851 "Completion Filter: 0x%08x", mask);
6852 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
6855 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
6856 tvb, offset, 4, mask);
6857 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
6858 tvb, offset, 4, mask);
6859 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
6860 tvb, offset, 4, mask);
6861 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
6862 tvb, offset, 4, mask);
6863 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
6864 tvb, offset, 4, mask);
6865 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
6866 tvb, offset, 4, mask);
6867 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
6868 tvb, offset, 4, mask);
6869 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
6870 tvb, offset, 4, mask);
6871 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
6872 tvb, offset, 4, mask);
6873 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
6874 tvb, offset, 4, mask);
6875 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
6876 tvb, offset, 4, mask);
6877 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
6878 tvb, offset, 4, mask);
6885 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6888 proto_item *item = NULL;
6889 proto_tree *tree = NULL;
6891 mask = tvb_get_guint8(tvb, offset);
6894 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6895 "Completion Filter: 0x%02x", mask);
6896 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
6899 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
6900 tvb, offset, 1, mask);
6907 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
6908 * Native API Reference".
6910 static const true_false_string tfs_nt_qsd_owner = {
6911 "Requesting OWNER security information",
6912 "NOT requesting owner security information",
6915 static const true_false_string tfs_nt_qsd_group = {
6916 "Requesting GROUP security information",
6917 "NOT requesting group security information",
6920 static const true_false_string tfs_nt_qsd_dacl = {
6921 "Requesting DACL security information",
6922 "NOT requesting DACL security information",
6925 static const true_false_string tfs_nt_qsd_sacl = {
6926 "Requesting SACL security information",
6927 "NOT requesting SACL security information",
6930 #define NT_QSD_OWNER 0x00000001
6931 #define NT_QSD_GROUP 0x00000002
6932 #define NT_QSD_DACL 0x00000004
6933 #define NT_QSD_SACL 0x00000008
6936 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6939 proto_item *item = NULL;
6940 proto_tree *tree = NULL;
6942 mask = tvb_get_letohl(tvb, offset);
6945 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6946 "Security Information: 0x%08x", mask);
6947 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
6950 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
6951 tvb, offset, 4, mask);
6952 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
6953 tvb, offset, 4, mask);
6954 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
6955 tvb, offset, 4, mask);
6956 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
6957 tvb, offset, 4, mask);
6965 free_g_string(void *arg)
6967 g_string_free(arg, TRUE);
6970 /* Dissect a NT SID. Label it with 'name' and return a string version of
6971 the SID in the 'sid_str' parameter which must be freed by the caller. */
6974 dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree, char *name,
6977 proto_item *item = NULL;
6978 proto_tree *tree = NULL;
6979 int old_offset = offset, sa_offset = offset;
6980 gboolean rid_present;
6987 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
6990 char sid_string[245];
6993 /* revision of sid */
6994 revision = tvb_get_guint8(tvb, offset);
6995 rev_offset = offset;
7000 case 2: /* Not sure what the different revision numbers mean */
7001 /* number of authorities*/
7002 num_auth = tvb_get_guint8(tvb, offset);
7006 /* XXX perhaps we should have these thing searchable?
7007 a new FT_xxx thingie? SMB is quite common!*/
7008 /* identifier authorities */
7011 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
7018 gstr = g_string_new("");
7020 CLEANUP_PUSH(free_g_string, gstr);
7022 /* sub authorities, leave RID to last */
7023 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
7025 * XXX should not be letohl but native byteorder according to
7026 * Samba header files.
7028 * However, considering that there were never any NT ports
7029 * to big-endian platforms (PowerPC and MIPS ran little-endian,
7030 * and IA-64 runs little-endian, as does x86-64), we can (?)
7031 * assume that non le byte encodings will be "uncommon"?
7033 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"),
7034 tvb_get_letohl(tvb, offset));
7040 rid = tvb_get_letohl(tvb, offset);
7044 sprintf(sid_string, "S-1-%u-%s-%u", auth, gstr->str, rid);
7047 sprintf(sid_string, "S-1-%u-%s", auth, gstr->str);
7051 if(sid_name_snooping){
7052 sid_name=find_sid_name(sid_string);
7057 item = proto_tree_add_string_format(parent_tree, hf_smb_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s (%s)", name, sid_string, sid_name);
7059 item = proto_tree_add_string_format(parent_tree, hf_smb_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s", name, sid_string);
7061 tree = proto_item_add_subtree(item, ett_smb_sid);
7064 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, rev_offset, 1, TRUE);
7065 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, na_offset, 1, TRUE);
7066 proto_tree_add_text(tree, tvb, na_offset+1, 6, "Authority: %u", auth);
7067 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
7070 proto_tree_add_text(tree, tvb, rid_offset, 4, "RID: %u", rid);
7074 *sid_str = g_strdup(sid_string);
7077 CLEANUP_CALL_AND_POP;
7085 static const value_string ace_type_vals[] = {
7086 { 0, "Access Allowed"},
7087 { 1, "Access Denied"},
7088 { 2, "System Audit"},
7089 { 3, "System Alarm"},
7092 static const true_false_string tfs_ace_flags_object_inherit = {
7093 "Subordinate files will inherit this ACE",
7094 "Subordinate files will not inherit this ACE"
7096 static const true_false_string tfs_ace_flags_container_inherit = {
7097 "Subordinate containers will inherit this ACE",
7098 "Subordinate containers will not inherit this ACE"
7100 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
7101 "Subordinate object will not propagate the inherited ACE further",
7102 "Subordinate object will propagate the inherited ACE further"
7104 static const true_false_string tfs_ace_flags_inherit_only = {
7105 "This ACE does not apply to the current object",
7106 "This ACE applies to the current object"
7108 static const true_false_string tfs_ace_flags_inherited_ace = {
7109 "This ACE was inherited from its parent object",
7110 "This ACE was not inherited from its parent object"
7112 static const true_false_string tfs_ace_flags_successful_access = {
7113 "Successful accesses will be audited",
7114 "Successful accesses will not be audited"
7116 static const true_false_string tfs_ace_flags_failed_access = {
7117 "Failed accesses will be audited",
7118 "Failed accesses will not be audited"
7121 #define APPEND_ACE_TEXT(flag, item, string) \
7124 proto_item_append_text(item, string, sep); \
7129 dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
7132 proto_item *item = NULL;
7133 proto_tree *tree = NULL;
7137 mask = tvb_get_guint8(tvb, offset);
7144 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7145 "NT ACE Flags: 0x%02x", mask);
7146 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
7149 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
7150 tvb, offset, 1, mask);
7151 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
7153 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
7154 tvb, offset, 1, mask);
7155 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
7157 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
7158 tvb, offset, 1, mask);
7159 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
7161 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
7162 tvb, offset, 1, mask);
7163 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
7165 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
7166 tvb, offset, 1, mask);
7167 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
7169 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
7170 tvb, offset, 1, mask);
7171 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
7173 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
7174 tvb, offset, 1, mask);
7175 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
7182 /* Dissect an access mask. All this stuff is kind of explained at MSDN:
7184 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/windows_2000_windows_nt_access_mask_format.asp
7188 static gint ett_nt_access_mask = -1;
7189 static gint ett_nt_access_mask_generic = -1;
7190 static gint ett_nt_access_mask_standard = -1;
7191 static gint ett_nt_access_mask_specific = -1;
7193 static int hf_access_sacl = -1;
7194 static int hf_access_maximum_allowed = -1;
7195 static int hf_access_generic_read = -1;
7196 static int hf_access_generic_write = -1;
7197 static int hf_access_generic_execute = -1;
7198 static int hf_access_generic_all = -1;
7199 static int hf_access_standard_delete = -1;
7200 static int hf_access_standard_read_control = -1;
7201 static int hf_access_standard_synchronise = -1;
7202 static int hf_access_standard_write_dac = -1;
7203 static int hf_access_standard_write_owner = -1;
7204 static int hf_access_specific_15 = -1;
7205 static int hf_access_specific_14 = -1;
7206 static int hf_access_specific_13 = -1;
7207 static int hf_access_specific_12 = -1;
7208 static int hf_access_specific_11 = -1;
7209 static int hf_access_specific_10 = -1;
7210 static int hf_access_specific_9 = -1;
7211 static int hf_access_specific_8 = -1;
7212 static int hf_access_specific_7 = -1;
7213 static int hf_access_specific_6 = -1;
7214 static int hf_access_specific_5 = -1;
7215 static int hf_access_specific_4 = -1;
7216 static int hf_access_specific_3 = -1;
7217 static int hf_access_specific_2 = -1;
7218 static int hf_access_specific_1 = -1;
7219 static int hf_access_specific_0 = -1;
7222 dissect_nt_access_mask(tvbuff_t *tvb, gint offset, packet_info *pinfo,
7223 proto_tree *tree, char *drep, int hfindex,
7224 nt_access_mask_fn_t *specific_rights_fn,
7225 char *specific_rights_name)
7228 proto_tree *subtree, *generic, *standard, *specific;
7233 * Called from a DCE RPC protocol dissector, for a
7234 * protocol where a 32-bit NDR integer contains
7235 * an NT access mask; extract the access mask
7238 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
7242 * Called from SMB, where the access mask is just a
7243 * 4-byte little-endian quantity with no special
7244 * NDR alignment requirement; extract it with
7245 * "tvb_get_letohl()".
7247 access = tvb_get_letohl(tvb, offset);
7251 item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access);
7253 subtree = proto_item_add_subtree(item, ett_nt_access_mask);
7255 /* Generic access rights */
7257 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7258 "Generic rights: 0x%08x",
7259 access & GENERIC_RIGHTS_MASK);
7261 generic = proto_item_add_subtree(item, ett_nt_access_mask_generic);
7263 proto_tree_add_boolean(
7264 generic, hf_access_generic_read, tvb, offset - 4, 4,
7267 proto_tree_add_boolean(
7268 generic, hf_access_generic_write, tvb, offset - 4, 4,
7271 proto_tree_add_boolean(
7272 generic, hf_access_generic_execute, tvb, offset - 4, 4,
7275 proto_tree_add_boolean(
7276 generic, hf_access_generic_all, tvb, offset - 4, 4,
7281 proto_tree_add_boolean(
7282 subtree, hf_access_maximum_allowed, tvb, offset - 4, 4,
7285 /* Access system security */
7287 proto_tree_add_boolean(
7288 subtree, hf_access_sacl, tvb, offset - 4, 4,
7291 /* Standard access rights */
7293 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7294 "Standard rights: 0x%08x",
7295 access & STANDARD_RIGHTS_MASK);
7297 standard = proto_item_add_subtree(item, ett_nt_access_mask_standard);
7299 proto_tree_add_boolean(
7300 standard, hf_access_standard_synchronise, tvb, offset - 4, 4,
7303 proto_tree_add_boolean(
7304 standard, hf_access_standard_write_owner, tvb, offset - 4, 4,
7307 proto_tree_add_boolean(
7308 standard, hf_access_standard_write_dac, tvb, offset - 4, 4,
7311 proto_tree_add_boolean(
7312 standard, hf_access_standard_read_control, tvb, offset - 4, 4,
7315 proto_tree_add_boolean(
7316 standard, hf_access_standard_delete, tvb, offset - 4, 4,
7319 /* Specific access rights. Call the specific_rights_fn
7320 pointer if we have one, otherwise just display bits 0-15 in
7323 if (specific_rights_name)
7324 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7325 "%s specific rights: 0x%08x",
7326 specific_rights_name,
7327 access & SPECIFIC_RIGHTS_MASK);
7329 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7330 "Specific rights: 0x%08x",
7331 access & SPECIFIC_RIGHTS_MASK);
7333 specific = proto_item_add_subtree(item, ett_nt_access_mask_specific);
7335 if (specific_rights_fn) {
7336 specific_rights_fn(tvb, offset - 4, specific, access);
7340 proto_tree_add_boolean(
7341 specific, hf_access_specific_15, tvb, offset - 4, 4,
7344 proto_tree_add_boolean(
7345 specific, hf_access_specific_14, tvb, offset - 4, 4,
7348 proto_tree_add_boolean(
7349 specific, hf_access_specific_13, tvb, offset - 4, 4,
7352 proto_tree_add_boolean(
7353 specific, hf_access_specific_12, tvb, offset - 4, 4,
7356 proto_tree_add_boolean(
7357 specific, hf_access_specific_11, tvb, offset - 4, 4,
7360 proto_tree_add_boolean(
7361 specific, hf_access_specific_10, tvb, offset - 4, 4,
7364 proto_tree_add_boolean(
7365 specific, hf_access_specific_9, tvb, offset - 4, 4,
7368 proto_tree_add_boolean(
7369 specific, hf_access_specific_8, tvb, offset - 4, 4,
7372 proto_tree_add_boolean(
7373 specific, hf_access_specific_7, tvb, offset - 4, 4,
7376 proto_tree_add_boolean(
7377 specific, hf_access_specific_6, tvb, offset - 4, 4,
7380 proto_tree_add_boolean(
7381 specific, hf_access_specific_5, tvb, offset - 4, 4,
7384 proto_tree_add_boolean(
7385 specific, hf_access_specific_4, tvb, offset - 4, 4,
7388 proto_tree_add_boolean(
7389 specific, hf_access_specific_3, tvb, offset - 4, 4,
7392 proto_tree_add_boolean(
7393 specific, hf_access_specific_2, tvb, offset - 4, 4,
7396 proto_tree_add_boolean(
7397 specific, hf_access_specific_1, tvb, offset - 4, 4,
7400 proto_tree_add_boolean(
7401 specific, hf_access_specific_0, tvb, offset - 4, 4,
7407 static int hf_smb_access_mask = -1;
7410 dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo,
7411 proto_tree *parent_tree, char *drep,
7412 nt_access_mask_fn_t *specific_rights_fn,
7413 char *specific_rights_name)
7415 proto_item *item = NULL;
7416 proto_tree *tree = NULL;
7417 int old_offset = offset;
7424 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7426 tree = proto_item_add_subtree(item, ett_smb_ace);
7430 type = tvb_get_guint8(tvb, offset);
7431 proto_tree_add_uint(tree, hf_smb_ace_type, tvb, offset, 1, type);
7435 offset = dissect_nt_v2_ace_flags(tvb, offset, tree, &flags);
7438 size = tvb_get_letohs(tvb, offset);
7439 proto_tree_add_uint(tree, hf_smb_ace_size, tvb, offset, 2, size);
7443 offset = dissect_nt_access_mask(
7444 tvb, offset, pinfo, tree, drep, hf_smb_access_mask,
7445 specific_rights_fn, specific_rights_name);
7448 offset = dissect_nt_sid(tvb, offset, tree, "ACE", &sid_str);
7451 proto_item_append_text(
7452 item, "%s, flags 0x%02x, %s", sid_str, flags,
7453 val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"));
7457 proto_item_set_len(item, offset-old_offset);
7459 /* Sometimes there is some spare space at the end of the ACE so use
7460 the size field to work out where the end is. */
7462 return old_offset + size;
7466 dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
7467 proto_tree *parent_tree, char *drep, char *name,
7468 nt_access_mask_fn_t *specific_rights_fn,
7469 char *specific_rights_name)
7471 proto_item *item = NULL;
7472 proto_tree *tree = NULL;
7473 int old_offset = offset;
7478 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7480 tree = proto_item_add_subtree(item, ett_smb_acl);
7484 revision = tvb_get_letohs(tvb, offset);
7485 proto_tree_add_uint(tree, hf_smb_acl_revision,
7486 tvb, offset, 2, revision);
7490 case 2: /* only version we will ever see of this structure?*/
7493 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
7496 /* number of ace structures */
7497 num_aces = tvb_get_letohl(tvb, offset);
7498 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
7499 tvb, offset, 4, num_aces);
7503 offset=dissect_nt_v2_ace(
7504 tvb, offset, pinfo, tree, drep, specific_rights_fn,
7505 specific_rights_name);
7509 proto_item_set_len(item, offset-old_offset);
7513 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
7514 "OWNER is DEFAULTED",
7515 "Owner is NOT defaulted"
7517 static const true_false_string tfs_sec_desc_type_group_defaulted = {
7518 "GROUP is DEFAULTED",
7519 "Group is NOT defaulted"
7521 static const true_false_string tfs_sec_desc_type_dacl_present = {
7523 "DACL is NOT present"
7525 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
7526 "DACL is DEFAULTED",
7527 "DACL is NOT defaulted"
7529 static const true_false_string tfs_sec_desc_type_sacl_present = {
7531 "SACL is NOT present"
7533 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
7534 "SACL is DEFAULTED",
7535 "SACL is NOT defaulted"
7537 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
7538 "DACL has AUTO INHERIT REQUIRED",
7539 "DACL does NOT require auto inherit"
7541 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
7542 "SACL has AUTO INHERIT REQUIRED",
7543 "SACL does NOT require auto inherit"
7545 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
7546 "DACL is AUTO INHERITED",
7547 "DACL is NOT auto inherited"
7549 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
7550 "SACL is AUTO INHERITED",
7551 "SACL is NOT auto inherited"
7553 static const true_false_string tfs_sec_desc_type_dacl_protected = {
7554 "The DACL is PROTECTED",
7555 "The DACL is NOT protected"
7557 static const true_false_string tfs_sec_desc_type_sacl_protected = {
7558 "The SACL is PROTECTED",
7559 "The SACL is NOT protected"
7561 static const true_false_string tfs_sec_desc_type_self_relative = {
7562 "This SecDesc is SELF RELATIVE",
7563 "This SecDesc is NOT self relative"
7568 dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
7570 proto_item *item = NULL;
7571 proto_tree *tree = NULL;
7574 mask = tvb_get_letohs(tvb, offset);
7576 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7577 "Type: 0x%04x", mask);
7578 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
7581 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
7582 tvb, offset, 2, mask);
7583 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
7584 tvb, offset, 2, mask);
7585 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
7586 tvb, offset, 2, mask);
7587 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
7588 tvb, offset, 2, mask);
7589 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
7590 tvb, offset, 2, mask);
7591 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
7592 tvb, offset, 2, mask);
7593 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
7594 tvb, offset, 2, mask);
7595 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
7596 tvb, offset, 2, mask);
7597 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
7598 tvb, offset, 2, mask);
7599 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
7600 tvb, offset, 2, mask);
7601 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
7602 tvb, offset, 2, mask);
7603 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
7604 tvb, offset, 2, mask);
7605 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
7606 tvb, offset, 2, mask);
7614 dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
7615 proto_tree *parent_tree, char *drep, int len,
7616 nt_access_mask_fn_t *specific_rights_fn,
7617 char *specific_rights_name)
7619 proto_item *item = NULL;
7620 proto_tree *tree = NULL;
7622 int old_offset = offset;
7623 guint32 owner_sid_offset;
7624 guint32 group_sid_offset;
7625 guint32 sacl_offset;
7626 guint32 dacl_offset;
7629 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7630 "NT Security Descriptor");
7631 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
7635 revision = tvb_get_guint8(tvb, offset);
7636 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
7637 tvb, offset, 1, revision);
7640 /* next byte should be zero, for now just ignore it */
7645 case 1: /* only version we will ever see of this structure?*/
7647 offset = dissect_nt_sec_desc_type(tvb, offset, tree);
7649 /* offset to owner sid */
7650 owner_sid_offset = tvb_get_letohl(tvb, offset);
7651 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %u", owner_sid_offset);
7654 /* offset to group sid */
7655 group_sid_offset = tvb_get_letohl(tvb, offset);
7656 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %u", group_sid_offset);
7659 /* offset to sacl */
7660 sacl_offset = tvb_get_letohl(tvb, offset);
7661 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %u", sacl_offset);
7664 /* offset to dacl */
7665 dacl_offset = tvb_get_letohl(tvb, offset);
7666 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %u", dacl_offset);
7670 if(owner_sid_offset){
7672 offset = dissect_nt_sid(tvb, offset, tree, "Owner", NULL);
7675 tvb, old_offset+owner_sid_offset, tree, "Owner", NULL);
7679 if(group_sid_offset){
7681 tvb, old_offset+group_sid_offset, tree, "Group", NULL);
7686 dissect_nt_acl(tvb, old_offset+sacl_offset, pinfo, tree,
7687 drep, "System (SACL)", specific_rights_fn,
7688 specific_rights_name);
7693 dissect_nt_acl(tvb, old_offset+dacl_offset, pinfo, tree,
7694 drep, "User (DACL)", specific_rights_fn,
7695 specific_rights_name);
7704 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
7706 int old_offset, old_sid_offset;
7712 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7713 qsize=tvb_get_letohl(tvb, offset);
7714 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7715 COUNT_BYTES_TRANS_SUBR(4);
7717 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7719 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7720 COUNT_BYTES_TRANS_SUBR(4);
7722 /* 16 unknown bytes */
7723 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7724 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7726 COUNT_BYTES_TRANS_SUBR(8);
7728 /* number of bytes for used quota */
7729 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7730 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7731 COUNT_BYTES_TRANS_SUBR(8);
7733 /* number of bytes for quota warning */
7734 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7735 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7736 COUNT_BYTES_TRANS_SUBR(8);
7738 /* number of bytes for quota limit */
7739 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7740 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7741 COUNT_BYTES_TRANS_SUBR(8);
7743 /* SID of the user */
7744 old_sid_offset=offset;
7745 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL);
7746 *bcp -= (offset-old_sid_offset);
7749 offset = old_offset+qsize;
7759 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7761 proto_item *item = NULL;
7762 proto_tree *tree = NULL;
7764 int old_offset = offset;
7765 guint16 bcp=bc; /* XXX fixme */
7767 si = (smb_info_t *)pinfo->private_data;
7770 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7772 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7773 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7776 switch(ntd->subcmd){
7777 case NT_TRANS_CREATE:
7778 /* security descriptor */
7780 offset = dissect_nt_sec_desc(
7781 tvb, offset, pinfo, tree, NULL, ntd->sd_len,
7785 /* extended attributes */
7787 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7788 offset += ntd->ea_len;
7792 case NT_TRANS_IOCTL:
7794 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
7799 offset = dissect_nt_sec_desc(
7800 tvb, offset, pinfo, tree, NULL, bc, NULL, NULL);
7802 case NT_TRANS_NOTIFY:
7804 case NT_TRANS_RENAME:
7805 /* XXX not documented */
7809 case NT_TRANS_GET_USER_QUOTA:
7810 /* unknown 4 bytes */
7811 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7816 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7819 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL);
7821 case NT_TRANS_SET_USER_QUOTA:
7822 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
7826 /* ooops there were data we didnt know how to process */
7827 if((offset-old_offset) < bc){
7828 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7829 bc - (offset-old_offset), TRUE);
7830 offset += bc - (offset-old_offset);
7837 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7839 proto_item *item = NULL;
7840 proto_tree *tree = NULL;
7845 si = (smb_info_t *)pinfo->private_data;
7848 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7850 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7851 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7854 switch(ntd->subcmd){
7855 case NT_TRANS_CREATE:
7857 offset = dissect_nt_create_bits(tvb, tree, offset);
7860 /* root directory fid */
7861 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7864 /* nt access mask */
7865 offset = dissect_smb_access_mask(tvb, tree, offset);
7868 /* allocation size */
7869 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7872 /* Extended File Attributes */
7873 offset = dissect_file_ext_attr(tvb, tree, offset);
7877 offset = dissect_nt_share_access(tvb, tree, offset);
7880 /* create disposition */
7881 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7884 /* create options */
7885 offset = dissect_nt_create_options(tvb, tree, offset);
7889 ntd->sd_len = tvb_get_letohl(tvb, offset);
7890 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7894 ntd->ea_len = tvb_get_letohl(tvb, offset);
7895 proto_tree_add_uint(tree, hf_smb_ea_length, tvb, offset, 4, ntd->ea_len);
7899 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7900 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7903 /* impersonation level */
7904 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
7907 /* security flags */
7908 offset = dissect_nt_security_flags(tvb, tree, offset);
7912 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
7914 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7916 COUNT_BYTES(fn_len);
7920 case NT_TRANS_IOCTL:
7922 case NT_TRANS_SSD: {
7926 fid = tvb_get_letohs(tvb, offset);
7927 add_fid(tvb, pinfo, tree, offset, 2, fid);
7930 /* 2 reserved bytes */
7931 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7934 /* security information */
7935 offset = dissect_security_information_mask(tvb, tree, offset);
7938 case NT_TRANS_NOTIFY:
7940 case NT_TRANS_RENAME:
7941 /* XXX not documented */
7943 case NT_TRANS_QSD: {
7947 fid = tvb_get_letohs(tvb, offset);
7948 add_fid(tvb, pinfo, tree, offset, 2, fid);
7951 /* 2 reserved bytes */
7952 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7955 /* security information */
7956 offset = dissect_security_information_mask(tvb, tree, offset);
7959 case NT_TRANS_GET_USER_QUOTA:
7960 /* not decoded yet */
7962 case NT_TRANS_SET_USER_QUOTA:
7963 /* not decoded yet */
7971 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7973 proto_item *item = NULL;
7974 proto_tree *tree = NULL;
7976 int old_offset = offset;
7978 si = (smb_info_t *)pinfo->private_data;
7981 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7983 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7984 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7987 switch(ntd->subcmd){
7988 case NT_TRANS_CREATE:
7990 case NT_TRANS_IOCTL: {
7994 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
7998 fid = tvb_get_letohs(tvb, offset);
7999 add_fid(tvb, pinfo, tree, offset, 2, fid);
8003 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
8007 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
8013 case NT_TRANS_NOTIFY: {
8016 /* completion filter */
8017 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
8020 fid = tvb_get_letohs(tvb, offset);
8021 add_fid(tvb, pinfo, tree, offset, 2, fid);
8025 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
8029 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8034 case NT_TRANS_RENAME:
8035 /* XXX not documented */
8039 case NT_TRANS_GET_USER_QUOTA:
8040 /* not decoded yet */
8042 case NT_TRANS_SET_USER_QUOTA:
8043 /* not decoded yet */
8047 return old_offset+len;
8052 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8055 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
8057 smb_saved_info_t *sip;
8062 smb_nt_transact_info_t *nti;
8064 si = (smb_info_t *)pinfo->private_data;
8070 /* primary request */
8071 /* max setup count */
8072 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
8075 /* 2 reserved bytes */
8076 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8079 /* secondary request */
8080 /* 3 reserved bytes */
8081 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8086 /* total param count */
8087 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
8090 /* total data count */
8091 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
8095 /* primary request */
8096 /* max param count */
8097 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
8100 /* max data count */
8101 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
8106 pc = tvb_get_letohl(tvb, offset);
8107 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8111 po = tvb_get_letohl(tvb, offset);
8112 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8115 /* param displacement */
8117 /* primary request*/
8120 /* secondary request */
8121 pd = tvb_get_letohl(tvb, offset);
8122 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8127 dc = tvb_get_letohl(tvb, offset);
8128 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8132 od = tvb_get_letohl(tvb, offset);
8133 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8136 /* data displacement */
8138 /* primary request */
8141 /* secondary request */
8142 dd = tvb_get_letohl(tvb, offset);
8143 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8149 /* primary request */
8150 sc = tvb_get_guint8(tvb, offset);
8151 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8154 /* secondary request */
8160 /* primary request */
8161 subcmd = tvb_get_letohs(tvb, offset);
8162 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
8163 if(check_col(pinfo->cinfo, COL_INFO)){
8164 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8165 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
8167 ntd.subcmd = subcmd;
8169 if(!pinfo->fd->flags.visited){
8171 * Allocate a new smb_nt_transact_info_t
8174 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
8175 nti->subcmd = subcmd;
8176 sip->extra_info = nti;
8180 /* secondary request */
8181 if(check_col(pinfo->cinfo, COL_INFO)){
8182 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
8187 /* this is a padding byte */
8190 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
8194 /* if there were any setup bytes, decode them */
8196 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
8203 if(po>(guint32)offset){
8204 /* We have some initial padding bytes.
8209 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8210 COUNT_BYTES(padcnt);
8213 CHECK_BYTE_COUNT(pc);
8214 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
8219 if(od>(guint32)offset){
8220 /* We have some initial padding bytes.
8225 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8226 COUNT_BYTES(padcnt);
8229 CHECK_BYTE_COUNT(dc);
8230 dissect_nt_trans_data_request(
8231 tvb, pinfo, offset, tree, dc, &ntd);
8243 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
8244 int offset, proto_tree *parent_tree, int len,
8245 nt_trans_data *ntd _U_)
8247 proto_item *item = NULL;
8248 proto_tree *tree = NULL;
8250 smb_nt_transact_info_t *nti;
8253 si = (smb_info_t *)pinfo->private_data;
8254 if (si->sip != NULL)
8255 nti = si->sip->extra_info;
8261 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8263 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8266 * We never saw the request to which this is a
8269 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8270 "Unknown NT Transaction Data (matching request not seen)");
8272 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8279 switch(nti->subcmd){
8280 case NT_TRANS_CREATE:
8282 case NT_TRANS_IOCTL:
8284 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
8290 case NT_TRANS_NOTIFY:
8292 case NT_TRANS_RENAME:
8293 /* XXX not documented */
8295 case NT_TRANS_QSD: {
8297 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
8298 * which may be documented in the Win32 documentation
8301 offset = dissect_nt_sec_desc(
8302 tvb, offset, pinfo, tree, NULL, len, NULL, NULL);
8305 case NT_TRANS_GET_USER_QUOTA:
8307 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8309 case NT_TRANS_SET_USER_QUOTA:
8310 /* not decoded yet */
8318 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
8319 int offset, proto_tree *parent_tree,
8320 int len, nt_trans_data *ntd _U_, guint16 bc)
8322 proto_item *item = NULL;
8323 proto_tree *tree = NULL;
8327 smb_nt_transact_info_t *nti;
8333 si = (smb_info_t *)pinfo->private_data;
8334 if (si->sip != NULL)
8335 nti = si->sip->extra_info;
8341 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8343 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8346 * We never saw the request to which this is a
8349 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8350 "Unknown NT Transaction Parameters (matching request not seen)");
8352 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8359 switch(nti->subcmd){
8360 case NT_TRANS_CREATE:
8362 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8366 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8370 fid = tvb_get_letohs(tvb, offset);
8371 add_fid(tvb, pinfo, tree, offset, 2, fid);
8375 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8378 /* ea error offset */
8379 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
8383 offset = dissect_smb_64bit_time(tvb, tree, offset,
8384 hf_smb_create_time);
8387 offset = dissect_smb_64bit_time(tvb, tree, offset,
8388 hf_smb_access_time);
8390 /* last write time */
8391 offset = dissect_smb_64bit_time(tvb, tree, offset,
8392 hf_smb_last_write_time);
8394 /* last change time */
8395 offset = dissect_smb_64bit_time(tvb, tree, offset,
8396 hf_smb_change_time);
8398 /* Extended File Attributes */
8399 offset = dissect_file_ext_attr(tvb, tree, offset);
8401 /* allocation size */
8402 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8406 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8410 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8414 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8417 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8420 case NT_TRANS_IOCTL:
8424 case NT_TRANS_NOTIFY:
8426 old_offset = offset;
8428 /* next entry offset */
8429 neo = tvb_get_letohl(tvb, offset);
8430 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
8433 /* broken implementations */
8437 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
8440 /* broken implementations */
8444 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8445 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8448 /* broken implementations */
8452 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8455 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8457 COUNT_BYTES(fn_len);
8459 /* broken implementations */
8463 break; /* no more structures */
8465 /* skip to next structure */
8466 padcnt = (old_offset + neo) - offset;
8469 * XXX - this is bogus; flag it?
8474 COUNT_BYTES(padcnt);
8476 /* broken implementations */
8481 case NT_TRANS_RENAME:
8482 /* XXX not documented */
8486 * This appears to be the size of the security
8487 * descriptor; the calling sequence of
8488 * "ZwQuerySecurityObject()" suggests that it would
8489 * be. The actual security descriptor wouldn't
8490 * follow if the max data count in the request
8491 * was smaller; this lets the client know how
8492 * big a buffer it needs to provide.
8494 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
8497 case NT_TRANS_GET_USER_QUOTA:
8498 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
8499 tvb_get_letohl(tvb, offset));
8502 case NT_TRANS_SET_USER_QUOTA:
8503 /* not decoded yet */
8511 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
8512 int offset, proto_tree *parent_tree,
8513 int len, nt_trans_data *ntd _U_)
8515 proto_item *item = NULL;
8516 proto_tree *tree = NULL;
8518 smb_nt_transact_info_t *nti;
8520 si = (smb_info_t *)pinfo->private_data;
8521 if (si->sip != NULL)
8522 nti = si->sip->extra_info;
8528 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8530 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8533 * We never saw the request to which this is a
8536 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8537 "Unknown NT Transaction Setup (matching request not seen)");
8539 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8546 switch(nti->subcmd){
8547 case NT_TRANS_CREATE:
8549 case NT_TRANS_IOCTL:
8553 case NT_TRANS_NOTIFY:
8555 case NT_TRANS_RENAME:
8556 /* XXX not documented */
8560 case NT_TRANS_GET_USER_QUOTA:
8561 /* not decoded yet */
8563 case NT_TRANS_SET_USER_QUOTA:
8564 /* not decoded yet */
8572 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8575 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
8578 smb_nt_transact_info_t *nti;
8579 static nt_trans_data ntd;
8582 fragment_data *r_fd = NULL;
8583 tvbuff_t *pd_tvb=NULL;
8584 gboolean save_fragmented;
8586 si = (smb_info_t *)pinfo->private_data;
8587 if (si->sip != NULL)
8588 nti = si->sip->extra_info;
8592 /* primary request */
8594 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
8595 if(check_col(pinfo->cinfo, COL_INFO)){
8596 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8597 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
8600 proto_tree_add_text(tree, tvb, offset, 0,
8601 "Function: <unknown function - could not find matching request>");
8602 if(check_col(pinfo->cinfo, COL_INFO)){
8603 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8609 /* 3 reserved bytes */
8610 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8613 /* total param count */
8614 tp = tvb_get_letohl(tvb, offset);
8615 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8618 /* total data count */
8619 td = tvb_get_letohl(tvb, offset);
8620 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8624 pc = tvb_get_letohl(tvb, offset);
8625 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8629 po = tvb_get_letohl(tvb, offset);
8630 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8633 /* param displacement */
8634 pd = tvb_get_letohl(tvb, offset);
8635 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8639 dc = tvb_get_letohl(tvb, offset);
8640 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8644 od = tvb_get_letohl(tvb, offset);
8645 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8648 /* data displacement */
8649 dd = tvb_get_letohl(tvb, offset);
8650 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8654 sc = tvb_get_guint8(tvb, offset);
8655 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8660 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8666 /* reassembly of SMB NT Transaction data payload.
8667 In this section we do reassembly of both the data and parameters
8668 blocks of the SMB transaction command.
8670 save_fragmented = pinfo->fragmented;
8671 /* do we need reassembly? */
8672 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8673 /* oh yeah, either data or parameter section needs
8676 pinfo->fragmented = TRUE;
8677 if(smb_trans_reassembly){
8678 /* ...and we were told to do reassembly */
8679 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8680 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8684 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8685 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8686 od, dc, dd+tp, td+tp);
8691 /* if we got a reassembled fd structure from the reassembly routine we
8692 must create pd_tvb from it
8695 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8697 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8698 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
8700 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
8705 /* we have reassembled data, grab param and data from there */
8706 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8707 &ntd, tvb_length(pd_tvb));
8708 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8710 /* we do not have reassembled data, just use what we have in the
8711 packet as well as we can */
8713 if(po>(guint32)offset){
8714 /* We have some initial padding bytes.
8719 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8720 COUNT_BYTES(padcnt);
8723 CHECK_BYTE_COUNT(pc);
8724 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8729 if(od>(guint32)offset){
8730 /* We have some initial padding bytes.
8735 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8736 COUNT_BYTES(padcnt);
8739 CHECK_BYTE_COUNT(dc);
8740 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8744 pinfo->fragmented = save_fragmented;
8751 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8752 NT Transaction command ends here
8753 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8755 static const value_string print_mode_vals[] = {
8757 {1, "Graphics Mode"},
8762 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8764 smb_info_t *si = pinfo->private_data;
8773 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8777 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8783 CHECK_BYTE_COUNT(1);
8784 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8787 /* print identifier */
8788 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
8791 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8793 COUNT_BYTES(fn_len);
8802 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8811 fid = tvb_get_letohs(tvb, offset);
8812 add_fid(tvb, pinfo, tree, offset, 2, fid);
8818 CHECK_BYTE_COUNT(1);
8819 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8823 CHECK_BYTE_COUNT(2);
8824 cnt = tvb_get_letohs(tvb, offset);
8825 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
8829 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
8837 static const value_string print_status_vals[] = {
8838 {1, "Held or Stopped"},
8840 {3, "Awaiting print"},
8841 {4, "In intercept"},
8842 {5, "File had error"},
8843 {6, "Printer error"},
8848 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8856 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8860 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
8871 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8872 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8874 proto_item *item = NULL;
8875 proto_tree *tree = NULL;
8876 smb_info_t *si = pinfo->private_data;
8881 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8883 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
8887 CHECK_BYTE_COUNT_SUBR(4);
8888 offset = dissect_smb_datetime(tvb, tree, offset,
8889 hf_smb_print_queue_date,
8890 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8894 CHECK_BYTE_COUNT_SUBR(1);
8895 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8896 COUNT_BYTES_SUBR(1);
8898 /* spool file number */
8899 CHECK_BYTE_COUNT_SUBR(2);
8900 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
8901 COUNT_BYTES_SUBR(2);
8903 /* spool file size */
8904 CHECK_BYTE_COUNT_SUBR(4);
8905 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
8906 COUNT_BYTES_SUBR(4);
8909 CHECK_BYTE_COUNT_SUBR(1);
8910 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8911 COUNT_BYTES_SUBR(1);
8915 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
8916 CHECK_STRING_SUBR(fn);
8917 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
8919 COUNT_BYTES_SUBR(fn_len);
8926 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8936 cnt = tvb_get_letohs(tvb, offset);
8937 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
8941 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
8947 CHECK_BYTE_COUNT(1);
8948 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8952 CHECK_BYTE_COUNT(2);
8953 len = tvb_get_letohs(tvb, offset);
8954 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
8957 /* queue elements */
8959 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
8972 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8977 guint16 message_len;
8984 CHECK_BYTE_COUNT(1);
8985 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8988 /* originator name */
8989 /* XXX - what if this runs past bc? */
8990 name_len = tvb_strsize(tvb, offset);
8991 CHECK_BYTE_COUNT(name_len);
8992 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
8994 COUNT_BYTES(name_len);
8997 CHECK_BYTE_COUNT(1);
8998 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9001 /* destination name */
9002 /* XXX - what if this runs past bc? */
9003 name_len = tvb_strsize(tvb, offset);
9004 CHECK_BYTE_COUNT(name_len);
9005 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9007 COUNT_BYTES(name_len);
9010 CHECK_BYTE_COUNT(1);
9011 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9015 CHECK_BYTE_COUNT(2);
9016 message_len = tvb_get_letohs(tvb, offset);
9017 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9022 CHECK_BYTE_COUNT(message_len);
9023 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9025 COUNT_BYTES(message_len);
9033 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9044 CHECK_BYTE_COUNT(1);
9045 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9048 /* originator name */
9049 /* XXX - what if this runs past bc? */
9050 name_len = tvb_strsize(tvb, offset);
9051 CHECK_BYTE_COUNT(name_len);
9052 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9054 COUNT_BYTES(name_len);
9057 CHECK_BYTE_COUNT(1);
9058 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9061 /* destination name */
9062 /* XXX - what if this runs past bc? */
9063 name_len = tvb_strsize(tvb, offset);
9064 CHECK_BYTE_COUNT(name_len);
9065 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9067 COUNT_BYTES(name_len);
9075 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9082 /* message group ID */
9083 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
9094 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9098 guint16 message_len;
9105 CHECK_BYTE_COUNT(1);
9106 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9110 CHECK_BYTE_COUNT(2);
9111 message_len = tvb_get_letohs(tvb, offset);
9112 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9117 CHECK_BYTE_COUNT(message_len);
9118 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9120 COUNT_BYTES(message_len);
9128 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9139 CHECK_BYTE_COUNT(1);
9140 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9143 /* forwarded name */
9144 /* XXX - what if this runs past bc? */
9145 name_len = tvb_strsize(tvb, offset);
9146 CHECK_BYTE_COUNT(name_len);
9147 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
9149 COUNT_BYTES(name_len);
9157 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9168 CHECK_BYTE_COUNT(1);
9169 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9173 /* XXX - what if this runs past bc? */
9174 name_len = tvb_strsize(tvb, offset);
9175 CHECK_BYTE_COUNT(name_len);
9176 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
9178 COUNT_BYTES(name_len);
9187 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9189 guint8 wc, cmd=0xff;
9190 guint16 andxoffset=0;
9192 smb_info_t *si = pinfo->private_data;
9198 /* next smb command */
9199 cmd = tvb_get_guint8(tvb, offset);
9201 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9203 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
9208 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9212 andxoffset = tvb_get_letohs(tvb, offset);
9213 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9217 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9221 fn_len = tvb_get_letohs(tvb, offset);
9222 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
9226 offset = dissect_nt_create_bits(tvb, tree, offset);
9228 /* root directory fid */
9229 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
9232 /* nt access mask */
9233 offset = dissect_smb_access_mask(tvb, tree, offset);
9235 /* allocation size */
9236 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9239 /* Extended File Attributes */
9240 offset = dissect_file_ext_attr(tvb, tree, offset);
9243 offset = dissect_nt_share_access(tvb, tree, offset);
9245 /* create disposition */
9246 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
9249 /* create options */
9250 offset = dissect_nt_create_options(tvb, tree, offset);
9252 /* impersonation level */
9253 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
9256 /* security flags */
9257 offset = dissect_nt_security_flags(tvb, tree, offset);
9262 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9265 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9267 COUNT_BYTES(fn_len);
9269 if (check_col(pinfo->cinfo, COL_INFO)) {
9270 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
9275 /* call AndXCommand (if there are any) */
9276 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9283 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9285 guint8 wc, cmd=0xff;
9286 guint16 andxoffset=0;
9292 /* next smb command */
9293 cmd = tvb_get_guint8(tvb, offset);
9295 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9297 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
9302 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9306 andxoffset = tvb_get_letohs(tvb, offset);
9307 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9311 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
9315 fid = tvb_get_letohs(tvb, offset);
9316 add_fid(tvb, pinfo, tree, offset, 2, fid);
9320 /*XXX is this really the same as create disposition in the request? it looks so*/
9321 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
9325 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
9328 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
9330 /* last write time */
9331 offset = dissect_smb_64bit_time(tvb, tree, offset,
9332 hf_smb_last_write_time);
9334 /* last change time */
9335 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
9337 /* Extended File Attributes */
9338 offset = dissect_file_ext_attr(tvb, tree, offset);
9340 /* allocation size */
9341 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9345 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9349 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
9353 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
9356 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9363 /* call AndXCommand (if there are any) */
9364 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9371 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9385 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9386 BEGIN Transaction/Transaction2 Primary and secondary requests
9387 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
9390 const value_string trans2_cmd_vals[] = {
9392 { 0x01, "FIND_FIRST2" },
9393 { 0x02, "FIND_NEXT2" },
9394 { 0x03, "QUERY_FS_INFORMATION" },
9395 { 0x04, "SET_FS_QUOTA" },
9396 { 0x05, "QUERY_PATH_INFORMATION" },
9397 { 0x06, "SET_PATH_INFORMATION" },
9398 { 0x07, "QUERY_FILE_INFORMATION" },
9399 { 0x08, "SET_FILE_INFORMATION" },
9402 { 0x0B, "FIND_NOTIFY_FIRST" },
9403 { 0x0C, "FIND_NOTIFY_NEXT" },
9404 { 0x0D, "CREATE_DIRECTORY" },
9405 { 0x0E, "SESSION_SETUP" },
9406 { 0x10, "GET_DFS_REFERRAL" },
9407 { 0x11, "REPORT_DFS_INCONSISTENCY" },
9411 static const true_false_string tfs_tf_dtid = {
9412 "Also DISCONNECT TID",
9413 "Do NOT disconnect TID"
9415 static const true_false_string tfs_tf_owt = {
9416 "One Way Transaction (NO RESPONSE)",
9417 "Two way transaction"
9420 static const true_false_string tfs_ff2_backup = {
9421 "Find WITH backup intent",
9424 static const true_false_string tfs_ff2_continue = {
9425 "CONTINUE search from previous position",
9426 "New search, do NOT continue from previous position"
9428 static const true_false_string tfs_ff2_resume = {
9429 "Return RESUME keys",
9430 "Do NOT return resume keys"
9432 static const true_false_string tfs_ff2_close_eos = {
9433 "CLOSE search if END OF SEARCH is reached",
9434 "Do NOT close search if end of search reached"
9436 static const true_false_string tfs_ff2_close = {
9437 "CLOSE search after this request",
9438 "Do NOT close search after this request"
9444 static const value_string ff2_il_vals[] = {
9445 { 1, "Info Standard (4.3.4.1)"},
9446 { 2, "Info Query EA Size (4.3.4.2)"},
9447 { 3, "Info Query EAs From List (4.3.4.2)"},
9448 { 0x0101, "Find File Directory Info (4.3.4.4)"},
9449 { 0x0102, "Find File Full Directory Info (4.3.4.5)"},
9450 { 0x0103, "Find File Names Info (4.3.4.7)"},
9451 { 0x0104, "Find File Both Directory Info (4.3.4.6)"},
9452 { 0x0202, "Find File UNIX (4.3.4.8)"},
9457 TRANS2_QUERY_PATH_INFORMATION
9458 TRANS2_SET_PATH_INFORMATION
9460 static const value_string qpi_loi_vals[] = {
9461 { 1, "Info Standard (4.2.14.1)"},
9462 { 2, "Info Query EA Size (4.2.14.1)"},
9463 { 3, "Info Query EAs From List (4.2.14.2)"},
9464 { 4, "Info Query All EAs (4.2.14.2)"},
9465 { 6, "Info Is Name Valid (4.2.14.3)"},
9466 { 0x0101, "Query File Basic Info (4.2.14.4)"},
9467 { 0x0102, "Query File Standard Info (4.2.14.5)"},
9468 { 0x0103, "Query File EA Info (4.2.14.6)"},
9469 { 0x0104, "Query File Name Info (4.2.14.7)"},
9470 { 0x0107, "Query File All Info (4.2.14.8)"},
9471 { 0x0108, "Query File Alt Name Info (4.2.14.7)"},
9472 { 0x0109, "Query File Stream Info (4.2.14.10)"},
9473 { 0x010b, "Query File Compression Info (4.2.14.11)"},
9474 { 0x0200, "Set File Unix Basic"},
9475 { 0x0201, "Set File Unix Link"},
9476 { 0x0202, "Set File Unix HardLink"},
9477 { 1004, "Query File Basic Info (4.2.14.4)"},
9478 { 1005, "Query File Standard Info (4.2.14.5)"},
9479 { 1006, "Query File Internal Info (4.2.14.?)"},
9480 { 1007, "Query File EA Info (4.2.14.6)"},
9481 { 1009, "Query File Name Info (4.2.14.7)"},
9482 { 1010, "Query File Rename Info (4.2.14.?)"},
9483 { 1011, "Query File Link Info (4.2.14.?)"},
9484 { 1012, "Query File Names Info (4.2.14.?)"},
9485 { 1013, "Query File Disposition Info (4.2.14.?)"},
9486 { 1014, "Query File Position Info (4.2.14.?)"},
9487 { 1015, "Query File Full EA Info (4.2.14.?)"},
9488 { 1016, "Query File Mode Info (4.2.14.?)"},
9489 { 1017, "Query File Alignment Info (4.2.14.?)"},
9490 { 1018, "Query File All Info (4.2.14.8)"},
9491 { 1019, "Query File Allocation Info (4.2.14.?)"},
9492 { 1020, "Query File End of File Info (4.2.14.?)"},
9493 { 1021, "Query File Alt Name Info (4.2.14.7)"},
9494 { 1022, "Query File Stream Info (4.2.14.10)"},
9495 { 1023, "Query File Pipe Info (4.2.14.?)"},
9496 { 1024, "Query File Pipe Local Info (4.2.14.?)"},
9497 { 1025, "Query File Pipe Remote Info (4.2.14.?)"},
9498 { 1026, "Query File Mailslot Query Info (4.2.14.?)"},
9499 { 1027, "Query File Mailslot Set Info (4.2.14.?)"},
9500 { 1028, "Query File Compression Info (4.2.14.11)"},
9501 { 1029, "Query File ObjectID Info (4.2.14.?)"},
9502 { 1030, "Query File Completion Info (4.2.14.?)"},
9503 { 1031, "Query File Move Cluster Info (4.2.14.?)"},
9504 { 1032, "Query File Quota Info (4.2.14.?)"},
9505 { 1033, "Query File Reparsepoint Info (4.2.14.?)"},
9506 { 1034, "Query File Network Open Info (4.2.14.?)"},
9507 { 1035, "Query File Attribute Tag Info (4.2.14.?)"},
9508 { 1036, "Query File Tracking Info (4.2.14.?)"},
9509 { 1037, "Query File Maximum Info (4.2.14.?)"},
9513 static const value_string qfsi_vals[] = {
9514 { 1, "Info Allocation"},
9515 { 2, "Info Volume"},
9516 { 0x0101, "Query FS Label Info"},
9517 { 0x0102, "Query FS Volume Info"},
9518 { 0x0103, "Query FS Size Info"},
9519 { 0x0104, "Query FS Device Info"},
9520 { 0x0105, "Query FS Attribute Info"},
9521 { 0x0301, "Mac Query FS INFO"},
9522 { 1001, "Query FS Label Info"},
9523 { 1002, "Query FS Volume Info"},
9524 { 1003, "Query FS Size Info"},
9525 { 1004, "Query FS Device Info"},
9526 { 1005, "Query FS Attribute Info"},
9527 { 1006, "Query FS Quota Info"},
9528 { 1007, "Query Full FS Size Info"},
9532 static const value_string nt_rename_vals[] = {
9533 { 0x0103, "Create Hard Link"},
9538 static const value_string delete_pending_vals[] = {
9539 {0, "Normal, no pending delete"},
9540 {1, "This object has DELETE PENDING"},
9544 static const value_string alignment_vals[] = {
9545 {0, "Byte alignment"},
9546 {1, "Word (16bit) alignment"},
9547 {3, "Long (32bit) alignment"},
9548 {7, "8 byte boundary alignment"},
9549 {0x0f, "16 byte boundary alignment"},
9550 {0x1f, "32 byte boundary alignment"},
9551 {0x3f, "64 byte boundary alignment"},
9552 {0x7f, "128 byte boundary alignment"},
9553 {0xff, "256 byte boundary alignment"},
9554 {0x1ff, "512 byte boundary alignment"},
9559 static const true_false_string tfs_get_dfs_server_hold_storage = {
9560 "Referral SERVER HOLDS STORAGE for the file",
9561 "Referral server does NOT hold storage for the file"
9563 static const true_false_string tfs_get_dfs_fielding = {
9564 "The server in referral is FIELDING CAPABLE",
9565 "The server in referrals is NOT fielding capable"
9568 static const true_false_string tfs_dfs_referral_flags_strip = {
9569 "STRIP off pathconsumed characters before submitting",
9570 "Do NOT strip off any characters"
9573 static const value_string dfs_referral_server_type_vals[] = {
9576 {2, "Netware Server"},
9577 {3, "Domain Server"},
9582 static const true_false_string tfs_device_char_removable = {
9583 "This is a REMOVABLE device",
9584 "This is NOT a removable device"
9586 static const true_false_string tfs_device_char_read_only = {
9587 "This is a READ-ONLY device",
9588 "This is NOT a read-only device"
9590 static const true_false_string tfs_device_char_floppy = {
9591 "This is a FLOPPY DISK device",
9592 "This is NOT a floppy disk device"
9594 static const true_false_string tfs_device_char_write_once = {
9595 "This is a WRITE-ONCE device",
9596 "This is NOT a write-once device"
9598 static const true_false_string tfs_device_char_remote = {
9599 "This is a REMOTE device",
9600 "This is NOT a remote device"
9602 static const true_false_string tfs_device_char_mounted = {
9603 "This device is MOUNTED",
9604 "This device is NOT mounted"
9606 static const true_false_string tfs_device_char_virtual = {
9607 "This is a VIRTUAL device",
9608 "This is NOT a virtual device"
9612 static const true_false_string tfs_fs_attr_css = {
9613 "This FS supports CASE SENSITIVE SEARCHes",
9614 "This FS does NOT support case sensitive searches"
9616 static const true_false_string tfs_fs_attr_cpn = {
9617 "This FS supports CASE PRESERVED NAMES",
9618 "This FS does NOT support case preserved names"
9620 static const true_false_string tfs_fs_attr_pacls = {
9621 "This FS supports PERSISTENT ACLs",
9622 "This FS does NOT support persistent acls"
9624 static const true_false_string tfs_fs_attr_fc = {
9625 "This FS supports COMPRESSED FILES",
9626 "This FS does NOT support compressed files"
9628 static const true_false_string tfs_fs_attr_vq = {
9629 "This FS supports VOLUME QUOTAS",
9630 "This FS does NOT support volume quotas"
9632 static const true_false_string tfs_fs_attr_dim = {
9633 "This FS is on a MOUNTED DEVICE",
9634 "This FS is NOT on a mounted device"
9636 static const true_false_string tfs_fs_attr_vic = {
9637 "This FS is on a COMPRESSED VOLUME",
9638 "This FS is NOT on a compressed volume"
9641 #define FF2_RESUME 0x0004
9644 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9647 proto_item *item = NULL;
9648 proto_tree *tree = NULL;
9650 smb_transact2_info_t *t2i;
9652 mask = tvb_get_letohs(tvb, offset);
9654 si = (smb_info_t *)pinfo->private_data;
9655 if (si->sip != NULL) {
9656 t2i = si->sip->extra_info;
9658 if (!pinfo->fd->flags.visited)
9659 t2i->resume_keys = (mask & FF2_RESUME);
9664 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9665 "Flags: 0x%04x", mask);
9666 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
9669 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
9670 tvb, offset, 2, mask);
9671 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
9672 tvb, offset, 2, mask);
9673 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
9674 tvb, offset, 2, mask);
9675 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
9676 tvb, offset, 2, mask);
9677 proto_tree_add_boolean(tree, hf_smb_ff2_close,
9678 tvb, offset, 2, mask);
9687 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9690 proto_item *item = NULL;
9691 proto_tree *tree = NULL;
9693 mask = tvb_get_letohs(tvb, offset);
9696 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9697 "IO Flag: 0x%04x", mask);
9698 tree = proto_item_add_subtree(item, ett_smb_ioflag);
9701 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
9702 tvb, offset, 2, mask);
9703 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
9704 tvb, offset, 2, mask);
9713 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
9714 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
9716 proto_item *item = NULL;
9717 proto_tree *tree = NULL;
9719 smb_transact2_info_t *t2i;
9722 int old_offset = offset;
9724 si = (smb_info_t *)pinfo->private_data;
9725 if (si->sip != NULL)
9726 t2i = si->sip->extra_info;
9731 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
9733 val_to_str(subcmd, trans2_cmd_vals,
9734 "Unknown (0x%02x)"));
9735 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
9739 case 0x00: /*TRANS2_OPEN2*/
9741 CHECK_BYTE_COUNT_TRANS(2);
9742 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
9745 /* desired access */
9746 CHECK_BYTE_COUNT_TRANS(2);
9747 offset = dissect_access(tvb, tree, offset, "Desired");
9750 /* Search Attributes */
9751 CHECK_BYTE_COUNT_TRANS(2);
9752 offset = dissect_search_attributes(tvb, tree, offset);
9755 /* File Attributes */
9756 CHECK_BYTE_COUNT_TRANS(2);
9757 offset = dissect_file_attributes(tvb, tree, offset, 2);
9761 CHECK_BYTE_COUNT_TRANS(4);
9762 offset = dissect_smb_datetime(tvb, tree, offset,
9764 hf_smb_create_dos_date, hf_smb_create_dos_time,
9769 CHECK_BYTE_COUNT_TRANS(2);
9770 offset = dissect_open_function(tvb, tree, offset);
9773 /* allocation size */
9774 CHECK_BYTE_COUNT_TRANS(4);
9775 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
9776 COUNT_BYTES_TRANS(4);
9778 /* 10 reserved bytes */
9779 CHECK_BYTE_COUNT_TRANS(10);
9780 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
9781 COUNT_BYTES_TRANS(10);
9784 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9785 CHECK_STRING_TRANS(fn);
9786 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9788 COUNT_BYTES_TRANS(fn_len);
9790 if (check_col(pinfo->cinfo, COL_INFO)) {
9791 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9795 case 0x01: /*TRANS2_FIND_FIRST2*/
9796 /* Search Attributes */
9797 CHECK_BYTE_COUNT_TRANS(2);
9798 offset = dissect_search_attributes(tvb, tree, offset);
9802 CHECK_BYTE_COUNT_TRANS(2);
9803 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9804 COUNT_BYTES_TRANS(2);
9806 /* Find First2 flags */
9807 CHECK_BYTE_COUNT_TRANS(2);
9808 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9811 /* Find First2 information level */
9812 CHECK_BYTE_COUNT_TRANS(2);
9813 si->info_level = tvb_get_letohs(tvb, offset);
9814 if (!pinfo->fd->flags.visited)
9815 t2i->info_level = si->info_level;
9816 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9817 COUNT_BYTES_TRANS(2);
9820 CHECK_BYTE_COUNT_TRANS(4);
9821 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
9822 COUNT_BYTES_TRANS(4);
9824 /* search pattern */
9825 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9826 CHECK_STRING_TRANS(fn);
9827 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
9829 COUNT_BYTES_TRANS(fn_len);
9831 if (check_col(pinfo->cinfo, COL_INFO)) {
9832 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
9837 case 0x02: /*TRANS2_FIND_NEXT2*/
9839 CHECK_BYTE_COUNT_TRANS(2);
9840 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
9841 COUNT_BYTES_TRANS(2);
9844 CHECK_BYTE_COUNT_TRANS(2);
9845 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9846 COUNT_BYTES_TRANS(2);
9848 /* Find First2 information level */
9849 CHECK_BYTE_COUNT_TRANS(2);
9850 si->info_level = tvb_get_letohs(tvb, offset);
9851 if (!pinfo->fd->flags.visited)
9852 t2i->info_level = si->info_level;
9853 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9854 COUNT_BYTES_TRANS(2);
9857 CHECK_BYTE_COUNT_TRANS(4);
9858 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
9859 COUNT_BYTES_TRANS(4);
9861 /* Find First2 flags */
9862 CHECK_BYTE_COUNT_TRANS(2);
9863 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9867 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9868 CHECK_STRING_TRANS(fn);
9869 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9871 COUNT_BYTES_TRANS(fn_len);
9873 if (check_col(pinfo->cinfo, COL_INFO)) {
9874 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
9879 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
9880 /* level of interest */
9881 CHECK_BYTE_COUNT_TRANS(2);
9882 si->info_level = tvb_get_letohs(tvb, offset);
9883 if (!pinfo->fd->flags.visited)
9884 t2i->info_level = si->info_level;
9885 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
9886 COUNT_BYTES_TRANS(2);
9889 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
9890 /* level of interest */
9891 CHECK_BYTE_COUNT_TRANS(2);
9892 si->info_level = tvb_get_letohs(tvb, offset);
9893 if (!pinfo->fd->flags.visited)
9894 t2i->info_level = si->info_level;
9895 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9896 COUNT_BYTES_TRANS(2);
9898 /* 4 reserved bytes */
9899 CHECK_BYTE_COUNT_TRANS(4);
9900 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9901 COUNT_BYTES_TRANS(4);
9904 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9905 CHECK_STRING_TRANS(fn);
9906 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9908 COUNT_BYTES_TRANS(fn_len);
9910 if (check_col(pinfo->cinfo, COL_INFO)) {
9911 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9916 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
9917 /* level of interest */
9918 CHECK_BYTE_COUNT_TRANS(2);
9919 si->info_level = tvb_get_letohs(tvb, offset);
9920 if (!pinfo->fd->flags.visited)
9921 t2i->info_level = si->info_level;
9922 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9923 COUNT_BYTES_TRANS(2);
9925 /* 4 reserved bytes */
9926 CHECK_BYTE_COUNT_TRANS(4);
9927 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9928 COUNT_BYTES_TRANS(4);
9931 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9932 CHECK_STRING_TRANS(fn);
9933 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9935 COUNT_BYTES_TRANS(fn_len);
9937 if (check_col(pinfo->cinfo, COL_INFO)) {
9938 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9943 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
9947 CHECK_BYTE_COUNT_TRANS(2);
9948 fid = tvb_get_letohs(tvb, offset);
9949 add_fid(tvb, pinfo, tree, offset, 2, fid);
9950 COUNT_BYTES_TRANS(2);
9952 /* level of interest */
9953 CHECK_BYTE_COUNT_TRANS(2);
9954 si->info_level = tvb_get_letohs(tvb, offset);
9955 if (!pinfo->fd->flags.visited)
9956 t2i->info_level = si->info_level;
9957 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9958 COUNT_BYTES_TRANS(2);
9962 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
9966 CHECK_BYTE_COUNT_TRANS(2);
9967 fid = tvb_get_letohs(tvb, offset);
9968 add_fid(tvb, pinfo, tree, offset, 2, fid);
9969 COUNT_BYTES_TRANS(2);
9971 /* level of interest */
9972 CHECK_BYTE_COUNT_TRANS(2);
9973 si->info_level = tvb_get_letohs(tvb, offset);
9974 if (!pinfo->fd->flags.visited)
9975 t2i->info_level = si->info_level;
9976 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9977 COUNT_BYTES_TRANS(2);
9981 * XXX - "Microsoft Networks SMB File Sharing Protocol
9982 * Extensions Version 3.0, Document Version 1.11,
9983 * July 19, 1990" says this is I/O flags, but it's
9984 * reserved in the SNIA spec, and some clients appear
9985 * to leave junk in it.
9987 * Is this some field used only if a particular
9988 * dialect was negotiated, so that clients can feel
9989 * safe not setting it if they haven't negotiated that
9990 * dialect? Or do the (non-OS/2) clients simply not care
9991 * about that particular OS/2-oriented dialect?
9995 CHECK_BYTE_COUNT_TRANS(2);
9996 offset = dissect_sfi_ioflag(tvb, tree, offset);
9999 /* 2 reserved bytes */
10000 CHECK_BYTE_COUNT_TRANS(2);
10001 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10002 COUNT_BYTES_TRANS(2);
10007 case 0x09: /*TRANS2_FSCTL*/
10008 /* this call has no parameter block in the request */
10011 * XXX - "Microsoft Networks SMB File Sharing Protocol
10012 * Extensions Version 3.0, Document Version 1.11,
10013 * July 19, 1990" says this this contains a
10014 * "File system specific parameter block". (That means
10015 * we may not be able to dissect it in any case.)
10018 case 0x0a: /*TRANS2_IOCTL2*/
10019 /* this call has no parameter block in the request */
10022 * XXX - "Microsoft Networks SMB File Sharing Protocol
10023 * Extensions Version 3.0, Document Version 1.11,
10024 * July 19, 1990" says this this contains a
10025 * "Device/function specific parameter block". (That
10026 * means we may not be able to dissect it in any case.)
10029 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
10030 /* Search Attributes */
10031 CHECK_BYTE_COUNT_TRANS(2);
10032 offset = dissect_search_attributes(tvb, tree, offset);
10035 /* Number of changes to wait for */
10036 CHECK_BYTE_COUNT_TRANS(2);
10037 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10038 COUNT_BYTES_TRANS(2);
10040 /* Find Notify information level */
10041 CHECK_BYTE_COUNT_TRANS(2);
10042 si->info_level = tvb_get_letohs(tvb, offset);
10043 if (!pinfo->fd->flags.visited)
10044 t2i->info_level = si->info_level;
10045 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
10046 COUNT_BYTES_TRANS(2);
10048 /* 4 reserved bytes */
10049 CHECK_BYTE_COUNT_TRANS(4);
10050 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10051 COUNT_BYTES_TRANS(4);
10054 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10055 CHECK_STRING_TRANS(fn);
10056 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10058 COUNT_BYTES_TRANS(fn_len);
10060 if (check_col(pinfo->cinfo, COL_INFO)) {
10061 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10067 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
10068 /* Monitor handle */
10069 CHECK_BYTE_COUNT_TRANS(2);
10070 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
10071 COUNT_BYTES_TRANS(2);
10073 /* Number of changes to wait for */
10074 CHECK_BYTE_COUNT_TRANS(2);
10075 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10076 COUNT_BYTES_TRANS(2);
10080 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10081 /* 4 reserved bytes */
10082 CHECK_BYTE_COUNT_TRANS(4);
10083 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10084 COUNT_BYTES_TRANS(4);
10087 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
10088 FALSE, FALSE, &bc);
10089 CHECK_STRING_TRANS(fn);
10090 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
10092 COUNT_BYTES_TRANS(fn_len);
10094 if (check_col(pinfo->cinfo, COL_INFO)) {
10095 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
10099 case 0x0e: /*TRANS2_SESSION_SETUP*/
10100 /* XXX unknown structure*/
10102 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10103 /* referral level */
10104 CHECK_BYTE_COUNT_TRANS(2);
10105 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
10106 COUNT_BYTES_TRANS(2);
10109 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10110 CHECK_STRING_TRANS(fn);
10111 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10113 COUNT_BYTES_TRANS(fn_len);
10115 if (check_col(pinfo->cinfo, COL_INFO)) {
10116 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10121 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10123 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10124 CHECK_STRING_TRANS(fn);
10125 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10127 COUNT_BYTES_TRANS(fn_len);
10129 if (check_col(pinfo->cinfo, COL_INFO)) {
10130 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10137 /* ooops there were data we didnt know how to process */
10138 if((offset-old_offset) < bc){
10139 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
10140 bc - (offset-old_offset), TRUE);
10141 offset += bc - (offset-old_offset);
10148 * XXX - just use "dissect_connect_flags()" here?
10151 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10154 proto_item *item = NULL;
10155 proto_tree *tree = NULL;
10157 mask = tvb_get_letohs(tvb, offset);
10160 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10161 "Flags: 0x%04x", mask);
10162 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
10165 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
10166 tvb, offset, 2, mask);
10167 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
10168 tvb, offset, 2, mask);
10175 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10178 proto_item *item = NULL;
10179 proto_tree *tree = NULL;
10181 mask = tvb_get_letohs(tvb, offset);
10184 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10185 "Flags: 0x%04x", mask);
10186 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
10189 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
10190 tvb, offset, 2, mask);
10191 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
10192 tvb, offset, 2, mask);
10199 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10202 proto_item *item = NULL;
10203 proto_tree *tree = NULL;
10205 mask = tvb_get_letohs(tvb, offset);
10208 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10209 "Flags: 0x%04x", mask);
10210 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
10213 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
10214 tvb, offset, 2, mask);
10222 /* dfs inconsistency data (4.4.2)
10225 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
10226 proto_tree *tree, int offset, guint16 *bcp)
10228 smb_info_t *si = pinfo->private_data;
10232 /*XXX shouldn this data hold version and size? unclear from doc*/
10233 /* referral version */
10234 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10235 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
10236 COUNT_BYTES_TRANS_SUBR(2);
10238 /* referral size */
10239 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10240 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
10241 COUNT_BYTES_TRANS_SUBR(2);
10243 /* referral server type */
10244 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10245 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10246 COUNT_BYTES_TRANS_SUBR(2);
10248 /* referral flags */
10249 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10250 offset = dissect_dfs_referral_flags(tvb, tree, offset);
10254 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10255 CHECK_STRING_TRANS_SUBR(fn);
10256 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10258 COUNT_BYTES_TRANS_SUBR(fn_len);
10263 /* get dfs referral data (4.4.1)
10266 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
10267 proto_tree *tree, int offset, guint16 *bcp)
10269 smb_info_t *si = pinfo->private_data;
10272 guint16 pathoffset;
10273 guint16 altpathoffset;
10274 guint16 nodeoffset;
10284 /* path consumed */
10285 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10286 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
10287 COUNT_BYTES_TRANS_SUBR(2);
10289 /* num referrals */
10290 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10291 numref = tvb_get_letohs(tvb, offset);
10292 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
10293 COUNT_BYTES_TRANS_SUBR(2);
10295 /* get dfs flags */
10296 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10297 offset = dissect_get_dfs_flags(tvb, tree, offset);
10300 /* XXX - in at least one capture there appears to be 2 bytes
10301 of stuff after the Dfs flags, perhaps so that the header
10302 in front of the referral list is a multiple of 4 bytes long. */
10303 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10304 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
10305 COUNT_BYTES_TRANS_SUBR(2);
10307 /* if there are any referrals */
10309 proto_item *ref_item = NULL;
10310 proto_tree *ref_tree = NULL;
10311 int old_offset=offset;
10314 ref_item = proto_tree_add_text(tree,
10315 tvb, offset, *bcp, "Referrals");
10316 ref_tree = proto_item_add_subtree(ref_item,
10317 ett_smb_dfs_referrals);
10322 proto_item *ri = NULL;
10323 proto_tree *rt = NULL;
10324 int old_offset=offset;
10328 ri = proto_tree_add_text(ref_tree,
10329 tvb, offset, *bcp, "Referral");
10330 rt = proto_item_add_subtree(ri,
10331 ett_smb_dfs_referral);
10334 /* referral version */
10335 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10336 version = tvb_get_letohs(tvb, offset);
10337 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
10338 tvb, offset, 2, version);
10339 COUNT_BYTES_TRANS_SUBR(2);
10341 /* referral size */
10342 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10343 refsize = tvb_get_letohs(tvb, offset);
10344 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
10345 COUNT_BYTES_TRANS_SUBR(2);
10347 /* referral server type */
10348 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10349 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10350 COUNT_BYTES_TRANS_SUBR(2);
10352 /* referral flags */
10353 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10354 offset = dissect_dfs_referral_flags(tvb, rt, offset);
10361 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10362 CHECK_STRING_TRANS_SUBR(fn);
10363 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10365 COUNT_BYTES_TRANS_SUBR(fn_len);
10369 case 3: /* XXX - like version 2, but not identical;
10370 seen in a capture, but the format isn't
10373 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10374 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
10375 COUNT_BYTES_TRANS_SUBR(2);
10378 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10379 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
10380 COUNT_BYTES_TRANS_SUBR(2);
10383 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10384 pathoffset = tvb_get_letohs(tvb, offset);
10385 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
10386 COUNT_BYTES_TRANS_SUBR(2);
10388 /* alt path offset */
10389 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10390 altpathoffset = tvb_get_letohs(tvb, offset);
10391 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
10392 COUNT_BYTES_TRANS_SUBR(2);
10395 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10396 nodeoffset = tvb_get_letohs(tvb, offset);
10397 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
10398 COUNT_BYTES_TRANS_SUBR(2);
10401 if (pathoffset != 0) {
10402 stroffset = old_offset + pathoffset;
10403 offsetoffset = stroffset - offset;
10404 if (offsetoffset > 0 &&
10405 *bcp > offsetoffset) {
10407 *bcp -= offsetoffset;
10408 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10409 CHECK_STRING_TRANS_SUBR(fn);
10410 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
10412 stroffset += fn_len;
10413 if (ucstring_end < stroffset)
10414 ucstring_end = stroffset;
10420 if (altpathoffset != 0) {
10421 stroffset = old_offset + altpathoffset;
10422 offsetoffset = stroffset - offset;
10423 if (offsetoffset > 0 &&
10424 *bcp > offsetoffset) {
10426 *bcp -= offsetoffset;
10427 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10428 CHECK_STRING_TRANS_SUBR(fn);
10429 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
10431 stroffset += fn_len;
10432 if (ucstring_end < stroffset)
10433 ucstring_end = stroffset;
10439 if (nodeoffset != 0) {
10440 stroffset = old_offset + nodeoffset;
10441 offsetoffset = stroffset - offset;
10442 if (offsetoffset > 0 &&
10443 *bcp > offsetoffset) {
10445 *bcp -= offsetoffset;
10446 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10447 CHECK_STRING_TRANS_SUBR(fn);
10448 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
10450 stroffset += fn_len;
10451 if (ucstring_end < stroffset)
10452 ucstring_end = stroffset;
10460 * Show anything beyond the length of the referral
10463 unklen = (old_offset + refsize) - offset;
10466 * XXX - the length is bogus.
10471 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
10472 proto_tree_add_item(rt, hf_smb_unknown, tvb,
10473 offset, unklen, TRUE);
10474 COUNT_BYTES_TRANS_SUBR(unklen);
10477 proto_item_set_len(ri, offset-old_offset);
10481 * Treat the offset past the end of the last Unicode
10482 * string after the referrals (if any) as the last
10485 if (ucstring_end > offset) {
10486 ucstring_len = ucstring_end - offset;
10487 if (*bcp < ucstring_len)
10488 ucstring_len = *bcp;
10489 offset += ucstring_len;
10490 *bcp -= ucstring_len;
10492 proto_item_set_len(ref_item, offset-old_offset);
10499 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
10500 as described in 4.2.14.1
10503 dissect_4_2_14_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10504 int offset, guint16 *bcp, gboolean *trunc)
10507 CHECK_BYTE_COUNT_SUBR(4);
10508 offset = dissect_smb_datetime(tvb, tree, offset,
10509 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
10514 CHECK_BYTE_COUNT_SUBR(4);
10515 offset = dissect_smb_datetime(tvb, tree, offset,
10516 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
10520 /* last write time */
10521 CHECK_BYTE_COUNT_SUBR(4);
10522 offset = dissect_smb_datetime(tvb, tree, offset,
10523 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
10528 CHECK_BYTE_COUNT_SUBR(4);
10529 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10530 COUNT_BYTES_SUBR(4);
10532 /* allocation size */
10533 CHECK_BYTE_COUNT_SUBR(4);
10534 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10535 COUNT_BYTES_SUBR(4);
10537 /* File Attributes */
10538 CHECK_BYTE_COUNT_SUBR(2);
10539 offset = dissect_file_attributes(tvb, tree, offset, 2);
10543 CHECK_BYTE_COUNT_SUBR(4);
10544 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10545 COUNT_BYTES_SUBR(4);
10551 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
10552 as described in 4.2.14.2
10555 dissect_4_2_14_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10556 int offset, guint16 *bcp, gboolean *trunc)
10559 CHECK_BYTE_COUNT_SUBR(4);
10560 proto_tree_add_item(tree, hf_smb_list_length, tvb, offset, 4, TRUE);
10561 COUNT_BYTES_SUBR(4);
10567 /* this dissects the SMB_INFO_IS_NAME_VALID
10568 as described in 4.2.14.3
10571 dissect_4_2_14_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10572 int offset, guint16 *bcp, gboolean *trunc)
10574 smb_info_t *si = pinfo->private_data;
10579 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10580 CHECK_STRING_SUBR(fn);
10581 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10583 COUNT_BYTES_SUBR(fn_len);
10589 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
10590 as described in 4.2.14.4
10593 dissect_4_2_14_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10594 int offset, guint16 *bcp, gboolean *trunc)
10597 CHECK_BYTE_COUNT_SUBR(8);
10598 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
10602 CHECK_BYTE_COUNT_SUBR(8);
10603 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
10606 /* last write time */
10607 CHECK_BYTE_COUNT_SUBR(8);
10608 offset = dissect_smb_64bit_time(tvb, tree, offset,
10609 hf_smb_last_write_time);
10612 /* last change time */
10613 CHECK_BYTE_COUNT_SUBR(8);
10614 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
10617 /* File Attributes */
10618 CHECK_BYTE_COUNT_SUBR(4);
10619 offset = dissect_file_attributes(tvb, tree, offset, 4);
10626 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
10627 as described in 4.2.14.5
10630 dissect_4_2_14_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10631 int offset, guint16 *bcp, gboolean *trunc)
10633 /* allocation size */
10634 CHECK_BYTE_COUNT_SUBR(8);
10635 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10636 COUNT_BYTES_SUBR(8);
10639 CHECK_BYTE_COUNT_SUBR(8);
10640 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10641 COUNT_BYTES_SUBR(8);
10643 /* number of links */
10644 CHECK_BYTE_COUNT_SUBR(4);
10645 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
10646 COUNT_BYTES_SUBR(4);
10648 /* delete pending */
10649 CHECK_BYTE_COUNT_SUBR(1);
10650 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
10651 COUNT_BYTES_SUBR(1);
10654 CHECK_BYTE_COUNT_SUBR(1);
10655 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
10656 COUNT_BYTES_SUBR(1);
10662 /* this dissects the SMB_QUERY_FILE_EA_INFO
10663 as described in 4.2.14.6
10666 dissect_4_2_14_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10667 int offset, guint16 *bcp, gboolean *trunc)
10670 CHECK_BYTE_COUNT_SUBR(4);
10671 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10672 COUNT_BYTES_SUBR(4);
10678 /* this dissects the SMB_QUERY_FILE_NAME_INFO
10679 as described in 4.2.14.7
10680 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
10681 as described in 4.2.14.9
10684 dissect_4_2_14_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10685 int offset, guint16 *bcp, gboolean *trunc)
10687 smb_info_t *si = pinfo->private_data;
10691 /* file name len */
10692 CHECK_BYTE_COUNT_SUBR(4);
10693 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
10694 COUNT_BYTES_SUBR(4);
10697 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10698 CHECK_STRING_SUBR(fn);
10699 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10701 COUNT_BYTES_SUBR(fn_len);
10707 /* this dissects the SMB_QUERY_FILE_ALL_INFO
10708 as described in 4.2.14.8
10711 dissect_4_2_14_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10712 int offset, guint16 *bcp, gboolean *trunc)
10715 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, trunc);
10719 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, trunc);
10725 CHECK_BYTE_COUNT_SUBR(8);
10726 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10727 COUNT_BYTES_SUBR(8);
10729 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
10734 CHECK_BYTE_COUNT_SUBR(4);
10735 offset = dissect_smb_access_mask(tvb, tree, offset);
10736 COUNT_BYTES_SUBR(4);
10739 CHECK_BYTE_COUNT_SUBR(8);
10740 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10741 COUNT_BYTES_SUBR(8);
10743 /* current offset */
10744 CHECK_BYTE_COUNT_SUBR(8);
10745 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
10746 COUNT_BYTES_SUBR(8);
10749 CHECK_BYTE_COUNT_SUBR(4);
10750 offset = dissect_nt_create_options(tvb, tree, offset);
10754 CHECK_BYTE_COUNT_SUBR(4);
10755 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
10756 COUNT_BYTES_SUBR(4);
10758 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
10763 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
10764 as described in 4.2.14.10
10767 dissect_4_2_14_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10768 int offset, guint16 *bcp, gboolean *trunc)
10774 smb_info_t *si = pinfo->private_data;
10780 old_offset = offset;
10782 /* next entry offset */
10783 CHECK_BYTE_COUNT_SUBR(4);
10785 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
10786 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10792 neo = tvb_get_letohl(tvb, offset);
10793 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10794 COUNT_BYTES_SUBR(4);
10796 /* stream name len */
10797 CHECK_BYTE_COUNT_SUBR(4);
10798 fn_len = tvb_get_letohl(tvb, offset);
10799 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
10800 COUNT_BYTES_SUBR(4);
10803 CHECK_BYTE_COUNT_SUBR(8);
10804 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
10805 COUNT_BYTES_SUBR(8);
10807 /* allocation size */
10808 CHECK_BYTE_COUNT_SUBR(8);
10809 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10810 COUNT_BYTES_SUBR(8);
10813 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10814 CHECK_STRING_SUBR(fn);
10815 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
10817 COUNT_BYTES_SUBR(fn_len);
10819 proto_item_append_text(item, ": %s", fn);
10820 proto_item_set_len(item, offset-old_offset);
10823 break; /* no more structures */
10825 /* skip to next structure */
10826 padcnt = (old_offset + neo) - offset;
10829 * XXX - this is bogus; flag it?
10834 CHECK_BYTE_COUNT_SUBR(padcnt);
10835 COUNT_BYTES_SUBR(padcnt);
10843 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
10844 as described in 4.2.14.11
10847 dissect_4_2_14_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10848 int offset, guint16 *bcp, gboolean *trunc)
10850 /* compressed file size */
10851 CHECK_BYTE_COUNT_SUBR(8);
10852 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
10853 COUNT_BYTES_SUBR(8);
10855 /* compression format */
10856 CHECK_BYTE_COUNT_SUBR(2);
10857 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
10858 COUNT_BYTES_SUBR(2);
10860 /* compression unit shift */
10861 CHECK_BYTE_COUNT_SUBR(1);
10862 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
10863 COUNT_BYTES_SUBR(1);
10865 /* compression chunk shift */
10866 CHECK_BYTE_COUNT_SUBR(1);
10867 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
10868 COUNT_BYTES_SUBR(1);
10870 /* compression cluster shift */
10871 CHECK_BYTE_COUNT_SUBR(1);
10872 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
10873 COUNT_BYTES_SUBR(1);
10875 /* 3 reserved bytes */
10876 CHECK_BYTE_COUNT_SUBR(3);
10877 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
10878 COUNT_BYTES_SUBR(3);
10886 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION*/
10888 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
10889 int offset, guint16 *bcp)
10898 si = (smb_info_t *)pinfo->private_data;
10899 switch(si->info_level){
10900 case 1: /*Info Standard*/
10901 case 2: /*Info Query EA Size*/
10902 offset = dissect_4_2_14_1(tvb, pinfo, tree, offset, bcp,
10905 case 3: /*Info Query EAs From List*/
10906 case 4: /*Info Query All EAs*/
10907 offset = dissect_4_2_14_2(tvb, pinfo, tree, offset, bcp,
10910 case 6: /*Info Is Name Valid*/
10911 offset = dissect_4_2_14_3(tvb, pinfo, tree, offset, bcp,
10914 case 0x0101: /*Query File Basic Info*/
10915 case 1004: /* SMB_FILE_BASIC_INFORMATION */
10916 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp,
10919 case 0x0102: /*Query File Standard Info*/
10920 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
10921 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp,
10924 case 0x0103: /*Query File EA Info*/
10925 case 1007: /* SMB_FILE_EA_INFORMATION */
10926 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp,
10929 case 0x0104: /*Query File Name Info*/
10930 case 1009: /* SMB_FILE_NAME_INFORMATION */
10931 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
10934 case 0x0107: /*Query File All Info*/
10935 case 1018: /* SMB_FILE_ALL_INFORMATION */
10936 offset = dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp,
10939 case 0x0108: /*Query File Alt File Info*/
10940 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
10941 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
10944 case 1022: /* SMB_FILE_STREAM_INFORMATION */
10945 ((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
10946 case 0x0109: /*Query File Stream Info*/
10947 offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp,
10950 case 0x010b: /*Query File Compression Info*/
10951 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
10952 offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp,
10955 case 0x0200: /*Set File Unix Basic*/
10956 /* XXX add this from the SNIA doc */
10958 case 0x0201: /*Set File Unix Link*/
10959 /* XXX add this from the SNIA doc */
10961 case 0x0202: /*Set File Unix HardLink*/
10962 /* XXX add this from the SNIA doc */
10970 static const true_false_string tfs_quota_flags_deny_disk = {
10971 "DENY DISK SPACE for users exceeding quota limit",
10972 "Do NOT deny disk space for users exceeding quota limit"
10974 static const true_false_string tfs_quota_flags_log_limit = {
10975 "LOG EVENT when a user exceeds their QUOTA LIMIT",
10976 "Do NOT log event when a user exceeds their quota limit"
10978 static const true_false_string tfs_quota_flags_log_warning = {
10979 "LOG EVENT when a user exceeds their WARNING LEVEL",
10980 "Do NOT log event when a user exceeds their warning level"
10982 static const true_false_string tfs_quota_flags_enabled = {
10983 "Quotas are ENABLED of this fs",
10984 "Quotas are NOT enabled on this fs"
10987 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10990 proto_item *item = NULL;
10991 proto_tree *tree = NULL;
10993 mask = tvb_get_guint8(tvb, offset);
10996 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
10997 "Quota Flags: 0x%02x %s", mask,
10998 mask?"Enabled":"Disabled");
10999 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
11002 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
11003 tvb, offset, 1, mask);
11004 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
11005 tvb, offset, 1, mask);
11006 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
11007 tvb, offset, 1, mask);
11009 if(mask && (!(mask&0x01))){
11010 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
11011 tvb, offset, 1, 0x01);
11013 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
11014 tvb, offset, 1, mask);
11020 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
11022 /* first 24 bytes are unknown */
11023 CHECK_BYTE_COUNT_TRANS_SUBR(24);
11024 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11026 COUNT_BYTES_TRANS_SUBR(24);
11028 /* number of bytes for quota warning */
11029 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11030 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
11031 COUNT_BYTES_TRANS_SUBR(8);
11033 /* number of bytes for quota limit */
11034 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11035 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
11036 COUNT_BYTES_TRANS_SUBR(8);
11038 /* one byte of quota flags */
11039 CHECK_BYTE_COUNT_TRANS_SUBR(1);
11040 dissect_quota_flags(tvb, tree, offset);
11041 COUNT_BYTES_TRANS_SUBR(1);
11043 /* these 7 bytes are unknown */
11044 CHECK_BYTE_COUNT_TRANS_SUBR(7);
11045 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11047 COUNT_BYTES_TRANS_SUBR(7);
11053 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
11054 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
11056 proto_item *item = NULL;
11057 proto_tree *tree = NULL;
11060 si = (smb_info_t *)pinfo->private_data;
11063 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11065 val_to_str(subcmd, trans2_cmd_vals,
11066 "Unknown (0x%02x)"));
11067 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11071 case 0x00: /*TRANS2_OPEN2*/
11072 /* XXX dont know how to decode FEAList */
11074 case 0x01: /*TRANS2_FIND_FIRST2*/
11075 /* XXX dont know how to decode FEAList */
11077 case 0x02: /*TRANS2_FIND_NEXT2*/
11078 /* XXX dont know how to decode FEAList */
11080 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11081 /* no data field in this request */
11083 case 0x04: /* TRANS2_SET_QUOTA */
11084 offset = dissect_nt_quota(tvb, tree, offset, &dc);
11086 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11087 /* no data field in this request */
11089 * XXX - "Microsoft Networks SMB File Sharing Protocol
11090 * Extensions Version 3.0, Document Version 1.11,
11091 * July 19, 1990" says there may be "Additional
11092 * FileInfoLevel dependent information" here.
11094 * Was that just a cut-and-pasteo?
11095 * TRANS2_SET_PATH_INFORMATION *does* have that information
11099 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11100 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11102 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11103 /* no data field in this request */
11105 * XXX - "Microsoft Networks SMB File Sharing Protocol
11106 * Extensions Version 3.0, Document Version 1.11,
11107 * July 19, 1990" says there may be "Additional
11108 * FileInfoLevel dependent information" here.
11110 * Was that just a cut-and-pasteo?
11111 * TRANS2_SET_FILE_INFORMATION *does* have that information
11115 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11116 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11118 case 0x09: /*TRANS2_FSCTL*/
11119 /*XXX dont know how to decode this yet */
11122 * XXX - "Microsoft Networks SMB File Sharing Protocol
11123 * Extensions Version 3.0, Document Version 1.11,
11124 * July 19, 1990" says this this contains a
11125 * "File system specific data block". (That means we
11126 * may not be able to dissect it in any case.)
11129 case 0x0a: /*TRANS2_IOCTL2*/
11130 /*XXX dont know how to decode this yet */
11133 * XXX - "Microsoft Networks SMB File Sharing Protocol
11134 * Extensions Version 3.0, Document Version 1.11,
11135 * July 19, 1990" says this this contains a
11136 * "Device/function specific data block". (That
11137 * means we may not be able to dissect it in any case.)
11140 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11141 /*XXX dont know how to decode this yet */
11144 * XXX - "Microsoft Networks SMB File Sharing Protocol
11145 * Extensions Version 3.0, Document Version 1.11,
11146 * July 19, 1990" says this this contains "additional
11147 * level dependent match data".
11150 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11151 /*XXX dont know how to decode this yet */
11154 * XXX - "Microsoft Networks SMB File Sharing Protocol
11155 * Extensions Version 3.0, Document Version 1.11,
11156 * July 19, 1990" says this this contains "additional
11157 * level dependent monitor information".
11160 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11161 /* XXX optional FEAList, unknown what FEAList looks like*/
11163 case 0x0e: /*TRANS2_SESSION_SETUP*/
11164 /*XXX dont know how to decode this yet */
11166 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11167 /* no data field in this request */
11169 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11170 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
11174 /* ooops there were data we didnt know how to process */
11176 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
11185 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
11193 * Show the setup words.
11195 if (s_tvb != NULL) {
11196 length = tvb_reported_length(s_tvb);
11197 for (i = 0, offset = 0; length >= 2;
11198 i++, offset += 2, length -= 2) {
11200 * XXX - add a setup word filterable field?
11202 proto_tree_add_text(tree, s_tvb, offset, 2,
11203 "Setup Word %d: 0x%04x", i,
11204 tvb_get_letohs(s_tvb, offset));
11209 * Show the parameters, if any.
11211 if (p_tvb != NULL) {
11212 length = tvb_reported_length(p_tvb);
11214 proto_tree_add_text(tree, p_tvb, 0, length,
11216 tvb_bytes_to_str(p_tvb, 0, length));
11221 * Show the data, if any.
11223 if (d_tvb != NULL) {
11224 length = tvb_reported_length(d_tvb);
11226 proto_tree_add_text(tree, d_tvb, 0, length,
11227 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
11232 /* This routine handles the following 4 calls
11234 Transaction Secondary 0x26
11236 Transaction2 Secondary 0x33
11239 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
11246 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
11250 const char *an = NULL;
11252 smb_transact2_info_t *t2i;
11253 smb_transact_info_t *tri;
11256 gboolean dissected_trans;
11258 si = (smb_info_t *)pinfo->private_data;
11263 /*secondary client request*/
11265 /* total param count, only a 16bit integer here*/
11266 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11269 /* total data count , only 16bit integer here*/
11270 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11274 pc = tvb_get_letohs(tvb, offset);
11275 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11279 po = tvb_get_letohs(tvb, offset);
11280 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11284 pd = tvb_get_letohs(tvb, offset);
11285 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11289 dc = tvb_get_letohs(tvb, offset);
11290 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11294 od = tvb_get_letohs(tvb, offset);
11295 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11299 dd = tvb_get_letohs(tvb, offset);
11300 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11303 if(si->cmd==SMB_COM_TRANSACTION2){
11307 fid = tvb_get_letohs(tvb, offset);
11308 add_fid(tvb, pinfo, tree, offset, 2, fid);
11313 /* There are no setup words. */
11318 /* it is not a secondary request */
11320 /* total param count , only a 16 bit integer here*/
11321 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11324 /* total data count , only 16bit integer here*/
11325 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11328 /* max param count , only 16bit integer here*/
11329 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11332 /* max data count, only 16bit integer here*/
11333 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11336 /* max setup count, only 16bit integer here*/
11337 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11340 /* reserved byte */
11341 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11344 /* transaction flags */
11345 tf = dissect_transaction_flags(tvb, tree, offset);
11349 to = tvb_get_letohl(tvb, offset);
11351 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
11352 else if (to == 0xffffffff)
11353 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
11355 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
11358 /* 2 reserved bytes */
11359 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11363 pc = tvb_get_letohs(tvb, offset);
11364 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11368 po = tvb_get_letohs(tvb, offset);
11369 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11372 /* param displacement is zero here */
11376 dc = tvb_get_letohs(tvb, offset);
11377 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11381 od = tvb_get_letohs(tvb, offset);
11382 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11385 /* data displacement is zero here */
11389 sc = tvb_get_guint8(tvb, offset);
11390 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11393 /* reserved byte */
11394 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11397 /* this is where the setup bytes, if any start */
11401 /* if there were any setup bytes, decode them */
11405 case SMB_COM_TRANSACTION2:
11406 /* TRANSACTION2 only has one setup word and
11407 that is the subcommand code.
11409 XXX - except for TRANS2_FSCTL
11410 and TRANS2_IOCTL. */
11411 subcmd = tvb_get_letohs(tvb, offset);
11412 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
11413 tvb, offset, 2, subcmd);
11414 if (check_col(pinfo->cinfo, COL_INFO)) {
11415 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11416 val_to_str(subcmd, trans2_cmd_vals,
11417 "Unknown (0x%02x)"));
11420 if(!pinfo->fd->flags.visited){
11423 * smb_transact2_info_t
11426 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
11427 t2i->subcmd = subcmd;
11428 t2i->info_level = -1;
11429 t2i->resume_keys = FALSE;
11430 si->sip->extra_info = t2i;
11435 * XXX - process TRANS2_FSCTL and
11436 * TRANS2_IOCTL setup words here.
11440 case SMB_COM_TRANSACTION:
11441 /* TRANSACTION setup words processed below */
11452 /* primary request */
11453 /* name is NULL if transaction2 */
11454 if(si->cmd == SMB_COM_TRANSACTION){
11455 /* Transaction Name */
11456 an = get_unicode_or_ascii_string(tvb, &offset,
11457 si->unicode, &an_len, FALSE, FALSE, &bc);
11460 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
11461 offset, an_len, an);
11462 COUNT_BYTES(an_len);
11467 * The pipe or mailslot arguments for Transaction start with
11468 * the first setup word (or where the first setup word would
11469 * be if there were any setup words), and run to the current
11470 * offset (which could mean that there aren't any).
11473 spc = offset - spo;
11477 /* We have some initial padding bytes.
11479 padcnt = po-offset;
11482 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11483 COUNT_BYTES(padcnt);
11486 CHECK_BYTE_COUNT(pc);
11489 case SMB_COM_TRANSACTION2:
11490 /* TRANSACTION2 parameters*/
11491 offset = dissect_transaction2_request_parameters(tvb,
11492 pinfo, tree, offset, subcmd, pc);
11496 case SMB_COM_TRANSACTION:
11497 /* TRANSACTION parameters processed below */
11505 /* We have some initial padding bytes.
11507 padcnt = od-offset;
11510 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11511 COUNT_BYTES(padcnt);
11514 CHECK_BYTE_COUNT(dc);
11517 case SMB_COM_TRANSACTION2:
11518 /* TRANSACTION2 data*/
11519 offset = dissect_transaction2_request_data(tvb, pinfo,
11520 tree, offset, subcmd, dc);
11524 case SMB_COM_TRANSACTION:
11525 /* TRANSACTION data processed below */
11531 /*TRANSACTION request parameters */
11532 if(si->cmd==SMB_COM_TRANSACTION){
11533 /*XXX replace this block with a function and use that one
11534 for both requests/responses*/
11536 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
11537 tvbuff_t *sp_tvb, *pd_tvb;
11540 if(pc>tvb_length_remaining(tvb, po)){
11541 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
11543 p_tvb = tvb_new_subset(tvb, po, pc, pc);
11549 if(dc>tvb_length_remaining(tvb, od)){
11550 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
11552 d_tvb = tvb_new_subset(tvb, od, dc, dc);
11558 if(sl>tvb_length_remaining(tvb, so)){
11559 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
11561 s_tvb = tvb_new_subset(tvb, so, sl, sl);
11568 if(!pinfo->fd->flags.visited){
11570 * Allocate a new smb_transact_info_t
11573 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
11575 tri->trans_subcmd = -1;
11576 tri->function = -1;
11578 tri->lanman_cmd = 0;
11579 tri->param_descrip = NULL;
11580 tri->data_descrip = NULL;
11581 tri->aux_data_descrip = NULL;
11582 tri->info_level = -1;
11583 si->sip->extra_info = tri;
11586 * We already filled the structure
11587 * in; don't bother doing so again.
11593 * This is a unidirectional message, for
11594 * which there will be no reply; don't
11595 * bother allocating an "smb_transact_info_t"
11596 * structure for it.
11600 dissected_trans = FALSE;
11601 if(strncmp("\\PIPE\\", an, 6) == 0){
11603 tri->subcmd=TRANSACTION_PIPE;
11606 * A tvbuff containing the setup words and
11609 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11612 * A tvbuff containing the parameters and the
11615 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
11617 dissected_trans = dissect_pipe_smb(sp_tvb,
11618 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
11621 /* In case we did not see the TreeConnect call,
11622 store this TID here as well as a IPC TID
11623 so we know that future Read/Writes to this
11624 TID is (probably) DCERPC.
11626 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
11627 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
11629 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
11630 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
11632 tri->subcmd=TRANSACTION_MAILSLOT;
11635 * A tvbuff containing the setup words and
11636 * the mailslot path.
11638 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11639 dissected_trans = dissect_mailslot_smb(sp_tvb,
11640 s_tvb, d_tvb, an+10, pinfo, top_tree);
11642 if (!dissected_trans)
11643 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
11645 if(check_col(pinfo->cinfo, COL_INFO)){
11646 col_append_str(pinfo->cinfo, COL_INFO,
11647 "[transact continuation]");
11660 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11661 int offset, guint16 *bcp, gboolean *trunc)
11665 int old_offset = offset;
11666 proto_item *item = NULL;
11667 proto_tree *tree = NULL;
11669 smb_transact2_info_t *t2i;
11670 gboolean resume_keys = FALSE;
11672 si = (smb_info_t *)pinfo->private_data;
11673 if (si->sip != NULL) {
11674 t2i = si->sip->extra_info;
11676 resume_keys = t2i->resume_keys;
11680 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11681 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11682 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11687 CHECK_BYTE_COUNT_SUBR(4);
11688 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11689 COUNT_BYTES_SUBR(4);
11693 CHECK_BYTE_COUNT_SUBR(4);
11694 offset = dissect_smb_datetime(tvb, tree, offset,
11695 hf_smb_create_time,
11696 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11700 CHECK_BYTE_COUNT_SUBR(4);
11701 offset = dissect_smb_datetime(tvb, tree, offset,
11702 hf_smb_access_time,
11703 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11706 /* last write time */
11707 CHECK_BYTE_COUNT_SUBR(4);
11708 offset = dissect_smb_datetime(tvb, tree, offset,
11709 hf_smb_last_write_time,
11710 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11714 CHECK_BYTE_COUNT_SUBR(4);
11715 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11716 COUNT_BYTES_SUBR(4);
11718 /* allocation size */
11719 CHECK_BYTE_COUNT_SUBR(4);
11720 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11721 COUNT_BYTES_SUBR(4);
11723 /* File Attributes */
11724 CHECK_BYTE_COUNT_SUBR(2);
11725 offset = dissect_file_attributes(tvb, tree, offset, 2);
11728 /* file name len */
11729 CHECK_BYTE_COUNT_SUBR(1);
11730 fn_len = tvb_get_guint8(tvb, offset);
11731 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11732 COUNT_BYTES_SUBR(1);
11734 fn_len += 2; /* include terminating '\0' */
11736 fn_len++; /* include terminating '\0' */
11739 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11740 CHECK_STRING_SUBR(fn);
11741 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11743 COUNT_BYTES_SUBR(fn_len);
11745 if (check_col(pinfo->cinfo, COL_INFO)) {
11746 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11750 proto_item_append_text(item, " File: %s", fn);
11751 proto_item_set_len(item, offset-old_offset);
11758 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11759 int offset, guint16 *bcp, gboolean *trunc)
11763 int old_offset = offset;
11764 proto_item *item = NULL;
11765 proto_tree *tree = NULL;
11767 smb_transact2_info_t *t2i;
11768 gboolean resume_keys = FALSE;
11770 si = (smb_info_t *)pinfo->private_data;
11771 if (si->sip != NULL) {
11772 t2i = si->sip->extra_info;
11774 resume_keys = t2i->resume_keys;
11778 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11779 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11780 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11785 CHECK_BYTE_COUNT_SUBR(4);
11786 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11787 COUNT_BYTES_SUBR(4);
11791 CHECK_BYTE_COUNT_SUBR(4);
11792 offset = dissect_smb_datetime(tvb, tree, offset,
11793 hf_smb_create_time,
11794 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11798 CHECK_BYTE_COUNT_SUBR(4);
11799 offset = dissect_smb_datetime(tvb, tree, offset,
11800 hf_smb_access_time,
11801 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11804 /* last write time */
11805 CHECK_BYTE_COUNT_SUBR(4);
11806 offset = dissect_smb_datetime(tvb, tree, offset,
11807 hf_smb_last_write_time,
11808 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11812 CHECK_BYTE_COUNT_SUBR(4);
11813 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11814 COUNT_BYTES_SUBR(4);
11816 /* allocation size */
11817 CHECK_BYTE_COUNT_SUBR(4);
11818 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11819 COUNT_BYTES_SUBR(4);
11821 /* File Attributes */
11822 CHECK_BYTE_COUNT_SUBR(2);
11823 offset = dissect_file_attributes(tvb, tree, offset, 2);
11827 CHECK_BYTE_COUNT_SUBR(4);
11828 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
11829 COUNT_BYTES_SUBR(4);
11831 /* file name len */
11832 CHECK_BYTE_COUNT_SUBR(1);
11833 fn_len = tvb_get_guint8(tvb, offset);
11834 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11835 COUNT_BYTES_SUBR(1);
11838 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11839 CHECK_STRING_SUBR(fn);
11840 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11842 COUNT_BYTES_SUBR(fn_len);
11844 fn_len += 2; /* include terminating '\0' */
11846 fn_len++; /* include terminating '\0' */
11848 if (check_col(pinfo->cinfo, COL_INFO)) {
11849 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11853 proto_item_append_text(item, " File: %s", fn);
11854 proto_item_set_len(item, offset-old_offset);
11861 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11862 int offset, guint16 *bcp, gboolean *trunc)
11866 int old_offset = offset;
11867 proto_item *item = NULL;
11868 proto_tree *tree = NULL;
11873 si = (smb_info_t *)pinfo->private_data;
11876 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11877 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11878 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11882 * We assume that the presence of a next entry offset implies the
11883 * absence of a resume key, as appears to be the case for 4.3.4.6.
11886 /* next entry offset */
11887 CHECK_BYTE_COUNT_SUBR(4);
11888 neo = tvb_get_letohl(tvb, offset);
11889 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11890 COUNT_BYTES_SUBR(4);
11893 CHECK_BYTE_COUNT_SUBR(4);
11894 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11895 COUNT_BYTES_SUBR(4);
11898 CHECK_BYTE_COUNT_SUBR(8);
11899 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
11903 CHECK_BYTE_COUNT_SUBR(8);
11904 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
11907 /* last write time */
11908 CHECK_BYTE_COUNT_SUBR(8);
11909 offset = dissect_smb_64bit_time(tvb, tree, offset,
11910 hf_smb_last_write_time);
11913 /* last change time */
11914 CHECK_BYTE_COUNT_SUBR(8);
11915 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
11919 CHECK_BYTE_COUNT_SUBR(8);
11920 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11921 COUNT_BYTES_SUBR(8);
11923 /* allocation size */
11924 CHECK_BYTE_COUNT_SUBR(8);
11925 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11926 COUNT_BYTES_SUBR(8);
11928 /* Extended File Attributes */
11929 CHECK_BYTE_COUNT_SUBR(4);
11930 offset = dissect_file_ext_attr(tvb, tree, offset);
11933 /* file name len */
11934 CHECK_BYTE_COUNT_SUBR(4);
11935 fn_len = tvb_get_letohl(tvb, offset);
11936 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11937 COUNT_BYTES_SUBR(4);
11940 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11941 CHECK_STRING_SUBR(fn);
11942 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11944 COUNT_BYTES_SUBR(fn_len);
11946 if (check_col(pinfo->cinfo, COL_INFO)) {
11947 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11951 /* skip to next structure */
11953 padcnt = (old_offset + neo) - offset;
11956 * XXX - this is bogus; flag it?
11961 CHECK_BYTE_COUNT_SUBR(padcnt);
11962 COUNT_BYTES_SUBR(padcnt);
11966 proto_item_append_text(item, " File: %s", fn);
11967 proto_item_set_len(item, offset-old_offset);
11974 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11975 int offset, guint16 *bcp, gboolean *trunc)
11979 int old_offset = offset;
11980 proto_item *item = NULL;
11981 proto_tree *tree = NULL;
11986 si = (smb_info_t *)pinfo->private_data;
11989 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11990 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11991 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11995 * We assume that the presence of a next entry offset implies the
11996 * absence of a resume key, as appears to be the case for 4.3.4.6.
11999 /* next entry offset */
12000 CHECK_BYTE_COUNT_SUBR(4);
12001 neo = tvb_get_letohl(tvb, offset);
12002 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12003 COUNT_BYTES_SUBR(4);
12006 CHECK_BYTE_COUNT_SUBR(4);
12007 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12008 COUNT_BYTES_SUBR(4);
12011 CHECK_BYTE_COUNT_SUBR(8);
12012 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12016 CHECK_BYTE_COUNT_SUBR(8);
12017 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12020 /* last write time */
12021 CHECK_BYTE_COUNT_SUBR(8);
12022 offset = dissect_smb_64bit_time(tvb, tree, offset,
12023 hf_smb_last_write_time);
12026 /* last change time */
12027 CHECK_BYTE_COUNT_SUBR(8);
12028 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12032 CHECK_BYTE_COUNT_SUBR(8);
12033 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12034 COUNT_BYTES_SUBR(8);
12036 /* allocation size */
12037 CHECK_BYTE_COUNT_SUBR(8);
12038 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12039 COUNT_BYTES_SUBR(8);
12041 /* Extended File Attributes */
12042 CHECK_BYTE_COUNT_SUBR(4);
12043 offset = dissect_file_ext_attr(tvb, tree, offset);
12046 /* file name len */
12047 CHECK_BYTE_COUNT_SUBR(4);
12048 fn_len = tvb_get_letohl(tvb, offset);
12049 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12050 COUNT_BYTES_SUBR(4);
12053 CHECK_BYTE_COUNT_SUBR(4);
12054 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
12055 COUNT_BYTES_SUBR(4);
12058 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12059 CHECK_STRING_SUBR(fn);
12060 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12062 COUNT_BYTES_SUBR(fn_len);
12064 if (check_col(pinfo->cinfo, COL_INFO)) {
12065 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12069 /* skip to next structure */
12071 padcnt = (old_offset + neo) - offset;
12074 * XXX - this is bogus; flag it?
12079 CHECK_BYTE_COUNT_SUBR(padcnt);
12080 COUNT_BYTES_SUBR(padcnt);
12084 proto_item_append_text(item, " File: %s", fn);
12085 proto_item_set_len(item, offset-old_offset);
12092 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12093 int offset, guint16 *bcp, gboolean *trunc)
12095 int fn_len, sfn_len;
12096 const char *fn, *sfn;
12097 int old_offset = offset;
12098 proto_item *item = NULL;
12099 proto_tree *tree = NULL;
12104 si = (smb_info_t *)pinfo->private_data;
12107 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12108 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12109 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12113 * XXX - I have not seen any of these that contain a resume
12114 * key, even though some of the requests had the "return resume
12118 /* next entry offset */
12119 CHECK_BYTE_COUNT_SUBR(4);
12120 neo = tvb_get_letohl(tvb, offset);
12121 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12122 COUNT_BYTES_SUBR(4);
12125 CHECK_BYTE_COUNT_SUBR(4);
12126 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12127 COUNT_BYTES_SUBR(4);
12130 CHECK_BYTE_COUNT_SUBR(8);
12131 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12135 CHECK_BYTE_COUNT_SUBR(8);
12136 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12139 /* last write time */
12140 CHECK_BYTE_COUNT_SUBR(8);
12141 offset = dissect_smb_64bit_time(tvb, tree, offset,
12142 hf_smb_last_write_time);
12145 /* last change time */
12146 CHECK_BYTE_COUNT_SUBR(8);
12147 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12151 CHECK_BYTE_COUNT_SUBR(8);
12152 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12153 COUNT_BYTES_SUBR(8);
12155 /* allocation size */
12156 CHECK_BYTE_COUNT_SUBR(8);
12157 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12158 COUNT_BYTES_SUBR(8);
12160 /* Extended File Attributes */
12161 CHECK_BYTE_COUNT_SUBR(4);
12162 offset = dissect_file_ext_attr(tvb, tree, offset);
12165 /* file name len */
12166 CHECK_BYTE_COUNT_SUBR(4);
12167 fn_len = tvb_get_letohl(tvb, offset);
12168 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12169 COUNT_BYTES_SUBR(4);
12172 CHECK_BYTE_COUNT_SUBR(4);
12173 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
12174 COUNT_BYTES_SUBR(4);
12176 /* short file name len */
12177 CHECK_BYTE_COUNT_SUBR(1);
12178 sfn_len = tvb_get_guint8(tvb, offset);
12179 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
12180 COUNT_BYTES_SUBR(1);
12182 /* reserved byte */
12183 CHECK_BYTE_COUNT_SUBR(1);
12184 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12185 COUNT_BYTES_SUBR(1);
12187 /* short file name */
12188 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
12189 CHECK_STRING_SUBR(sfn);
12190 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
12192 COUNT_BYTES_SUBR(24);
12195 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12196 CHECK_STRING_SUBR(fn);
12197 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12199 COUNT_BYTES_SUBR(fn_len);
12201 if (check_col(pinfo->cinfo, COL_INFO)) {
12202 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12206 /* skip to next structure */
12208 padcnt = (old_offset + neo) - offset;
12211 * XXX - this is bogus; flag it?
12216 CHECK_BYTE_COUNT_SUBR(padcnt);
12217 COUNT_BYTES_SUBR(padcnt);
12221 proto_item_append_text(item, " File: %s", fn);
12222 proto_item_set_len(item, offset-old_offset);
12229 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12230 int offset, guint16 *bcp, gboolean *trunc)
12234 int old_offset = offset;
12235 proto_item *item = NULL;
12236 proto_tree *tree = NULL;
12241 si = (smb_info_t *)pinfo->private_data;
12244 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12245 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12246 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12250 * We assume that the presence of a next entry offset implies the
12251 * absence of a resume key, as appears to be the case for 4.3.4.6.
12254 /* next entry offset */
12255 CHECK_BYTE_COUNT_SUBR(4);
12256 neo = tvb_get_letohl(tvb, offset);
12257 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12258 COUNT_BYTES_SUBR(4);
12261 CHECK_BYTE_COUNT_SUBR(4);
12262 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12263 COUNT_BYTES_SUBR(4);
12265 /* file name len */
12266 CHECK_BYTE_COUNT_SUBR(4);
12267 fn_len = tvb_get_letohl(tvb, offset);
12268 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12269 COUNT_BYTES_SUBR(4);
12272 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12273 CHECK_STRING_SUBR(fn);
12274 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12276 COUNT_BYTES_SUBR(fn_len);
12278 if (check_col(pinfo->cinfo, COL_INFO)) {
12279 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12283 /* skip to next structure */
12285 padcnt = (old_offset + neo) - offset;
12288 * XXX - this is bogus; flag it?
12293 CHECK_BYTE_COUNT_SUBR(padcnt);
12294 COUNT_BYTES_SUBR(padcnt);
12298 proto_item_append_text(item, " File: %s", fn);
12299 proto_item_set_len(item, offset-old_offset);
12306 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
12307 proto_tree *parent_tree _U_, int offset, guint16 *bcp,
12310 /*XXX im lazy. i havnt implemented this */
12317 /*dissect the data block for TRANS2_FIND_FIRST2*/
12319 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
12320 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
12328 si = (smb_info_t *)pinfo->private_data;
12329 switch(si->info_level){
12330 case 1: /*Info Standard*/
12331 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
12334 case 2: /*Info Query EA Size*/
12335 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12338 case 3: /*Info Query EAs From List same as
12340 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12343 case 0x0101: /*Find File Directory Info*/
12344 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
12347 case 0x0102: /*Find File Full Directory Info*/
12348 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
12351 case 0x0103: /*Find File Names Info*/
12352 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
12355 case 0x0104: /*Find File Both Directory Info*/
12356 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
12359 case 0x0202: /*Find File UNIX*/
12360 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
12363 default: /* unknown info level */
12372 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12375 proto_item *item = NULL;
12376 proto_tree *tree = NULL;
12378 mask = tvb_get_letohl(tvb, offset);
12381 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12382 "FS Attributes: 0x%08x", mask);
12383 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
12386 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
12387 tvb, offset, 4, mask);
12388 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
12389 tvb, offset, 4, mask);
12390 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
12391 tvb, offset, 4, mask);
12392 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
12393 tvb, offset, 4, mask);
12394 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
12395 tvb, offset, 4, mask);
12396 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
12397 tvb, offset, 4, mask);
12398 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
12399 tvb, offset, 4, mask);
12407 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12410 proto_item *item = NULL;
12411 proto_tree *tree = NULL;
12413 mask = tvb_get_letohl(tvb, offset);
12416 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12417 "Device Characteristics: 0x%08x", mask);
12418 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
12421 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
12422 tvb, offset, 4, mask);
12423 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
12424 tvb, offset, 4, mask);
12425 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
12426 tvb, offset, 4, mask);
12427 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
12428 tvb, offset, 4, mask);
12429 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
12430 tvb, offset, 4, mask);
12431 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
12432 tvb, offset, 4, mask);
12433 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
12434 tvb, offset, 4, mask);
12440 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
12442 static const true_false_string tfs_smb_mac_access_ctrl = {
12443 "Macintosh Access Control Supported",
12444 "Macintosh Access Control Not Supported"
12447 static const true_false_string tfs_smb_mac_getset_comments = {
12448 "Macintosh Get & Set Comments Supported",
12449 "Macintosh Get & Set Comments Not Supported"
12452 static const true_false_string tfs_smb_mac_desktopdb_calls = {
12453 "Macintosh Get & Set Desktop Database Info Supported",
12454 "Macintosh Get & Set Desktop Database Info Supported"
12457 static const true_false_string tfs_smb_mac_unique_ids = {
12458 "Macintosh Unique IDs Supported",
12459 "Macintosh Unique IDs Not Supported"
12462 static const true_false_string tfs_smb_mac_streams = {
12463 "Macintosh and Streams Extensions Not Supported",
12464 "Macintosh and Streams Extensions Supported"
12468 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12469 int offset, guint16 *bcp)
12472 int fn_len, vll, fnl;
12475 proto_item *item = NULL;
12476 proto_tree *ti = NULL;
12482 si = (smb_info_t *)pinfo->private_data;
12483 switch(si->info_level){
12484 case 1: /* SMB_INFO_ALLOCATION */
12485 /* filesystem id */
12486 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12487 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
12488 COUNT_BYTES_TRANS_SUBR(4);
12490 /* sectors per unit */
12491 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12492 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12493 COUNT_BYTES_TRANS_SUBR(4);
12496 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12497 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
12498 COUNT_BYTES_TRANS_SUBR(4);
12501 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12502 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
12503 COUNT_BYTES_TRANS_SUBR(4);
12505 /* bytes per sector, only 16bit integer here */
12506 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12507 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12508 COUNT_BYTES_TRANS_SUBR(2);
12511 case 2: /* SMB_INFO_VOLUME */
12512 /* volume serial number */
12513 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12514 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12515 COUNT_BYTES_TRANS_SUBR(4);
12517 /* volume label length, only one byte here */
12518 CHECK_BYTE_COUNT_TRANS_SUBR(1);
12519 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
12520 COUNT_BYTES_TRANS_SUBR(1);
12523 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
12524 CHECK_STRING_TRANS_SUBR(fn);
12525 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12527 COUNT_BYTES_TRANS_SUBR(fn_len);
12530 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
12531 case 1001: /* SMB_FS_LABEL_INFORMATION */
12532 /* volume label length */
12533 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12534 vll = tvb_get_letohl(tvb, offset);
12535 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12536 COUNT_BYTES_TRANS_SUBR(4);
12540 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12541 CHECK_STRING_TRANS_SUBR(fn);
12542 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12544 COUNT_BYTES_TRANS_SUBR(fn_len);
12547 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
12548 case 1002: /* SMB_FS_VOLUME_INFORMATION */
12550 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12551 offset = dissect_smb_64bit_time(tvb, tree, offset,
12552 hf_smb_create_time);
12555 /* volume serial number */
12556 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12557 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12558 COUNT_BYTES_TRANS_SUBR(4);
12560 /* volume label length */
12561 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12562 vll = tvb_get_letohl(tvb, offset);
12563 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12564 COUNT_BYTES_TRANS_SUBR(4);
12566 /* 2 reserved bytes */
12567 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12568 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12569 COUNT_BYTES_TRANS_SUBR(2);
12573 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12574 CHECK_STRING_TRANS_SUBR(fn);
12575 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12577 COUNT_BYTES_TRANS_SUBR(fn_len);
12580 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
12581 case 1003: /* SMB_FS_SIZE_INFORMATION */
12582 /* allocation size */
12583 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12584 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12585 COUNT_BYTES_TRANS_SUBR(8);
12587 /* free allocation units */
12588 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12589 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
12590 COUNT_BYTES_TRANS_SUBR(8);
12592 /* sectors per unit */
12593 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12594 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12595 COUNT_BYTES_TRANS_SUBR(4);
12597 /* bytes per sector */
12598 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12599 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12600 COUNT_BYTES_TRANS_SUBR(4);
12603 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
12604 case 1004: /* SMB_FS_DEVICE_INFORMATION */
12606 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12607 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
12608 COUNT_BYTES_TRANS_SUBR(4);
12610 /* device characteristics */
12611 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12612 offset = dissect_device_characteristics(tvb, tree, offset);
12616 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
12617 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
12618 /* FS attributes */
12619 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12620 offset = dissect_fs_attributes(tvb, tree, offset);
12624 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12625 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
12626 COUNT_BYTES_TRANS_SUBR(4);
12628 /* fs name length */
12629 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12630 fnl = tvb_get_letohl(tvb, offset);
12631 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
12632 COUNT_BYTES_TRANS_SUBR(4);
12636 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12637 CHECK_STRING_TRANS_SUBR(fn);
12638 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
12640 COUNT_BYTES_TRANS_SUBR(fn_len);
12643 case 0x301: /* MAC_QUERY_FS_INFO */
12645 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12646 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12649 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12650 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_modify_time);
12653 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12654 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_backup_time);
12656 /* Allocation blocks */
12657 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12658 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
12661 COUNT_BYTES_TRANS_SUBR(4);
12662 /* Allocation Block Size */
12663 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12664 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
12666 COUNT_BYTES_TRANS_SUBR(4);
12667 /* Free Block Count */
12668 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12669 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
12671 COUNT_BYTES_TRANS_SUBR(4);
12672 /* Finder Info ... */
12673 CHECK_BYTE_COUNT_TRANS_SUBR(32);
12674 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
12676 tvb_get_ptr(tvb, offset,32),
12678 tvb_format_text(tvb, offset, 32));
12679 COUNT_BYTES_TRANS_SUBR(32);
12681 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12682 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
12684 COUNT_BYTES_TRANS_SUBR(4);
12685 /* Number of Root Directories */
12686 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12687 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
12689 COUNT_BYTES_TRANS_SUBR(4);
12690 /* Number of files */
12691 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12692 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
12694 COUNT_BYTES_TRANS_SUBR(4);
12696 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12697 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
12699 COUNT_BYTES_TRANS_SUBR(4);
12700 /* Mac Support Flags */
12701 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12702 support = tvb_get_ntohl(tvb, offset);
12703 item = proto_tree_add_text(tree, tvb, offset, 4,
12704 "Mac Support Flags: 0x%08x", support);
12705 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
12706 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
12707 tvb, offset, 4, support);
12708 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
12709 tvb, offset, 4, support);
12710 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
12711 tvb, offset, 4, support);
12712 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
12713 tvb, offset, 4, support);
12714 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
12715 tvb, offset, 4, support);
12716 COUNT_BYTES_TRANS_SUBR(4);
12718 case 1006: /* QUERY_FS_QUOTA_INFO */
12719 offset = dissect_nt_quota(tvb, tree, offset, bcp);
12721 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
12722 /* allocation size */
12723 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12724 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12725 COUNT_BYTES_TRANS_SUBR(8);
12727 /* caller free allocation units */
12728 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12729 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
12730 COUNT_BYTES_TRANS_SUBR(8);
12732 /* actual free allocation units */
12733 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12734 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
12735 COUNT_BYTES_TRANS_SUBR(8);
12737 /* sectors per unit */
12738 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12739 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12740 COUNT_BYTES_TRANS_SUBR(4);
12742 /* bytes per sector */
12743 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12744 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12745 COUNT_BYTES_TRANS_SUBR(4);
12753 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
12754 proto_tree *parent_tree)
12756 proto_item *item = NULL;
12757 proto_tree *tree = NULL;
12759 smb_transact2_info_t *t2i;
12765 dc = tvb_reported_length(tvb);
12767 si = (smb_info_t *)pinfo->private_data;
12768 if (si->sip != NULL)
12769 t2i = si->sip->extra_info;
12774 if (t2i != NULL && t2i->subcmd != -1) {
12775 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12777 val_to_str(t2i->subcmd, trans2_cmd_vals,
12778 "Unknown (0x%02x)"));
12779 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
12781 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12782 "Unknown Transaction2 Data");
12790 switch(t2i->subcmd){
12791 case 0x00: /*TRANS2_OPEN2*/
12792 /* XXX not implemented yet. See SNIA doc */
12794 case 0x01: /*TRANS2_FIND_FIRST2*/
12795 /* returned data */
12796 count = si->info_count;
12798 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12799 col_append_fstr(pinfo->cinfo, COL_INFO,
12804 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12805 offset, &dc, &trunc);
12810 case 0x02: /*TRANS2_FIND_NEXT2*/
12811 /* returned data */
12812 count = si->info_count;
12814 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12815 col_append_fstr(pinfo->cinfo, COL_INFO,
12820 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12821 offset, &dc, &trunc);
12826 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
12827 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
12829 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
12830 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12832 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
12833 /* no data in this response */
12835 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
12836 /* identical to QUERY_PATH_INFO */
12837 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12839 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
12840 /* no data in this response */
12842 case 0x09: /*TRANS2_FSCTL*/
12843 /* XXX dont know how to dissect this one (yet)*/
12846 * XXX - "Microsoft Networks SMB File Sharing Protocol
12847 * Extensions Version 3.0, Document Version 1.11,
12848 * July 19, 1990" says this this contains a
12849 * "File system specific return data block".
12850 * (That means we may not be able to dissect it in any
12854 case 0x0a: /*TRANS2_IOCTL2*/
12855 /* XXX dont know how to dissect this one (yet)*/
12858 * XXX - "Microsoft Networks SMB File Sharing Protocol
12859 * Extensions Version 3.0, Document Version 1.11,
12860 * July 19, 1990" says this this contains a
12861 * "Device/function specific return data block".
12862 * (That means we may not be able to dissect it in any
12866 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
12867 /* XXX dont know how to dissect this one (yet)*/
12870 * XXX - "Microsoft Networks SMB File Sharing Protocol
12871 * Extensions Version 3.0, Document Version 1.11,
12872 * July 19, 1990" says this this contains "the level
12873 * dependent information about the changes which
12877 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
12878 /* XXX dont know how to dissect this one (yet)*/
12881 * XXX - "Microsoft Networks SMB File Sharing Protocol
12882 * Extensions Version 3.0, Document Version 1.11,
12883 * July 19, 1990" says this this contains "the level
12884 * dependent information about the changes which
12888 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
12889 /* no data in this response */
12891 case 0x0e: /*TRANS2_SESSION_SETUP*/
12892 /* XXX dont know how to dissect this one (yet)*/
12894 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
12895 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
12897 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
12898 /* the SNIA spec appears to say the response has no data */
12902 * We don't know what the matching request was; don't
12903 * bother putting anything else into the tree for the data.
12910 /* ooops there were data we didnt know how to process */
12912 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
12921 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
12923 proto_item *item = NULL;
12924 proto_tree *tree = NULL;
12926 smb_transact2_info_t *t2i;
12932 pc = tvb_reported_length(tvb);
12934 si = (smb_info_t *)pinfo->private_data;
12935 if (si->sip != NULL)
12936 t2i = si->sip->extra_info;
12941 if (t2i != NULL && t2i->subcmd != -1) {
12942 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
12944 val_to_str(t2i->subcmd, trans2_cmd_vals,
12945 "Unknown (0x%02x)"));
12946 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
12948 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
12949 "Unknown Transaction2 Parameters");
12957 switch(t2i->subcmd){
12958 case 0x00: /*TRANS2_OPEN2*/
12960 fid = tvb_get_letohs(tvb, offset);
12961 add_fid(tvb, pinfo, tree, offset, 2, fid);
12965 * XXX - Microsoft Networks SMB File Sharing Protocol
12966 * Extensions Version 3.0, Document Version 1.11,
12967 * July 19, 1990 says that the file attributes, create
12968 * time (which it says is the last modification time),
12969 * data size, granted access, file type, and IPC state
12970 * are returned only if bit 0 is set in the open flags,
12971 * and that the EA length is returned only if bit 3
12972 * is set in the open flags. Does that mean that,
12973 * at least in that SMB dialect, those fields are not
12974 * present in the reply parameters if the bits in
12975 * question aren't set?
12978 /* File Attributes */
12979 offset = dissect_file_attributes(tvb, tree, offset, 2);
12982 offset = dissect_smb_datetime(tvb, tree, offset,
12983 hf_smb_create_time,
12984 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
12987 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
12990 /* granted access */
12991 offset = dissect_access(tvb, tree, offset, "Granted");
12994 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
12998 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
13001 offset = dissect_open_action(tvb, tree, offset);
13003 /* server unique file ID */
13004 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
13007 /* ea error offset, only a 16 bit integer here */
13008 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13012 proto_tree_add_item(tree, hf_smb_ea_length, tvb, offset, 4, TRUE);
13016 case 0x01: /*TRANS2_FIND_FIRST2*/
13017 /* Find First2 information level */
13018 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
13021 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
13025 si->info_count = tvb_get_letohs(tvb, offset);
13026 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13029 /* end of search */
13030 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13033 /* ea error offset, only a 16 bit integer here */
13034 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13037 /* last name offset */
13038 lno = tvb_get_letohs(tvb, offset);
13039 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13043 case 0x02: /*TRANS2_FIND_NEXT2*/
13045 si->info_count = tvb_get_letohs(tvb, offset);
13046 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13049 /* end of search */
13050 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13053 /* ea_error_offset, only a 16 bit integer here*/
13054 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13057 /* last name offset */
13058 lno = tvb_get_letohs(tvb, offset);
13059 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13063 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13064 /* no parameter block here */
13066 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13067 /* ea_error_offset, only a 16 bit integer here*/
13068 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13072 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13073 /* ea_error_offset, only a 16 bit integer here*/
13074 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13078 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13079 /* ea_error_offset, only a 16 bit integer here*/
13080 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13084 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13085 /* ea_error_offset, only a 16 bit integer here*/
13086 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13090 case 0x09: /*TRANS2_FSCTL*/
13091 /* XXX dont know how to dissect this one (yet)*/
13094 * XXX - "Microsoft Networks SMB File Sharing Protocol
13095 * Extensions Version 3.0, Document Version 1.11,
13096 * July 19, 1990" says this this contains a
13097 * "File system specific return parameter block".
13098 * (That means we may not be able to dissect it in any
13102 case 0x0a: /*TRANS2_IOCTL2*/
13103 /* XXX dont know how to dissect this one (yet)*/
13106 * XXX - "Microsoft Networks SMB File Sharing Protocol
13107 * Extensions Version 3.0, Document Version 1.11,
13108 * July 19, 1990" says this this contains a
13109 * "Device/function specific return parameter block".
13110 * (That means we may not be able to dissect it in any
13114 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13115 /* Find Notify information level */
13116 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13118 /* Monitor handle */
13119 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13123 si->info_count = tvb_get_letohs(tvb, offset);
13124 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13127 /* ea_error_offset, only a 16 bit integer here*/
13128 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13132 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13133 /* Find Notify information level */
13134 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13137 si->info_count = tvb_get_letohs(tvb, offset);
13138 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13141 /* ea_error_offset, only a 16 bit integer here*/
13142 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13146 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13147 /* ea error offset, only a 16 bit integer here */
13148 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13152 case 0x0e: /*TRANS2_SESSION_SETUP*/
13153 /* XXX dont know how to dissect this one (yet)*/
13155 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13156 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13158 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13159 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13163 * We don't know what the matching request was; don't
13164 * bother putting anything else into the tree for the data.
13170 /* ooops there were data we didnt know how to process */
13172 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
13173 offset += pc-offset;
13179 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13182 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
13184 smb_transact2_info_t *t2i = NULL;
13187 gboolean dissected_trans;
13188 fragment_data *r_fd = NULL;
13189 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
13190 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
13191 gboolean save_fragmented;
13193 si = (smb_info_t *)pinfo->private_data;
13196 case SMB_COM_TRANSACTION2:
13198 if (si->sip != NULL) {
13199 t2i = si->sip->extra_info;
13204 * We didn't see the matching request, so we don't
13205 * know what type of transaction this is.
13207 proto_tree_add_text(tree, tvb, 0, 0,
13208 "Subcommand: <UNKNOWN> since request packet wasn't seen");
13209 if (check_col(pinfo->cinfo, COL_INFO)) {
13210 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13213 si->info_level = t2i->info_level;
13214 if (t2i->subcmd == -1) {
13216 * We didn't manage to extract the subcommand
13217 * from the matching request (perhaps because
13218 * the frame was short), so we don't know what
13219 * type of transaction this is.
13221 proto_tree_add_text(tree, tvb, 0, 0,
13222 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
13223 if (check_col(pinfo->cinfo, COL_INFO)) {
13224 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13227 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
13228 if (check_col(pinfo->cinfo, COL_INFO)) {
13229 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13230 val_to_str(t2i->subcmd,
13232 "<unknown (0x%02x)>"));
13241 /* total param count, only a 16bit integer here */
13242 tp = tvb_get_letohs(tvb, offset);
13243 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
13246 /* total data count, only a 16 bit integer here */
13247 td = tvb_get_letohs(tvb, offset);
13248 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
13251 /* 2 reserved bytes */
13252 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
13256 pc = tvb_get_letohs(tvb, offset);
13257 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
13261 po = tvb_get_letohs(tvb, offset);
13262 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
13266 pd = tvb_get_letohs(tvb, offset);
13267 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
13271 dc = tvb_get_letohs(tvb, offset);
13272 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
13276 od = tvb_get_letohs(tvb, offset);
13277 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
13281 dd = tvb_get_letohs(tvb, offset);
13282 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
13286 sc = tvb_get_guint8(tvb, offset);
13287 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
13290 /* reserved byte */
13291 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13295 /* if there were any setup bytes, put them in a tvb for later */
13297 if((2*sc)>tvb_length_remaining(tvb, offset)){
13298 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
13300 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
13302 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
13313 /* reassembly of SMB Transaction data payload.
13314 In this section we do reassembly of both the data and parameters
13315 blocks of the SMB transaction command.
13317 save_fragmented = pinfo->fragmented;
13318 /* do we need reassembly? */
13319 if( (td!=dc) || (tp!=pc) ){
13320 /* oh yeah, either data or parameter section needs
13323 pinfo->fragmented = TRUE;
13324 if(smb_trans_reassembly){
13325 /* ...and we were told to do reassembly */
13326 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
13327 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13328 po, pc, pd, td+tp);
13331 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
13332 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13333 od, dc, dd+tp, td+tp);
13338 /* if we got a reassembled fd structure from the reassembly routine we must
13339 create pd_tvb from it
13342 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
13344 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
13345 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
13346 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
13351 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
13353 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
13356 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
13359 /* It was not reassembled. Do as best as we can.
13360 * in this case we always try to dissect the stuff if
13361 * data and param displacement is 0. i.e. for the first
13362 * (and maybe only) packet.
13364 if( (pd==0) && (dd==0) ){
13367 min = MIN(pc,tvb_length_remaining(tvb,po));
13368 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
13369 if(min && reported_min) {
13370 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
13372 min = MIN(dc,tvb_length_remaining(tvb,od));
13373 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
13374 if(min && reported_min) {
13375 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
13378 * A tvbuff containing the parameters
13380 * XXX - check pc and dc as well?
13382 if (tvb_length_remaining(tvb, po)){
13383 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
13392 /* We have some padding bytes.
13394 padcnt = po-offset;
13397 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13398 COUNT_BYTES(padcnt);
13400 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
13401 /* TRANSACTION2 parameters*/
13402 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
13409 /* We have some initial padding bytes.
13411 padcnt = od-offset;
13414 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13415 COUNT_BYTES(padcnt);
13418 * If the data count is bigger than the count of bytes
13419 * remaining, clamp it so that the count of bytes remaining
13420 * doesn't go negative.
13428 /* from now on, everything is in separate tvbuffs so we dont count
13429 the bytes with COUNT_BYTES any more.
13430 neither do we reference offset any more (which by now points to the
13431 first byte AFTER this PDU */
13434 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
13435 /* TRANSACTION2 parameters*/
13436 dissect_transaction2_response_data(d_tvb, pinfo, tree);
13440 if(si->cmd==SMB_COM_TRANSACTION){
13441 smb_transact_info_t *tri;
13443 dissected_trans = FALSE;
13444 if (si->sip != NULL)
13445 tri = si->sip->extra_info;
13449 switch(tri->subcmd){
13451 case TRANSACTION_PIPE:
13452 /* This function is safe to call for
13453 s_tvb==sp_tvb==NULL, i.e. if we don't
13454 know them at this point.
13455 It's also safe to call if "p_tvb"
13456 or "d_tvb" are null.
13459 dissected_trans = dissect_pipe_smb(
13460 sp_tvb, s_tvb, pd_tvb, p_tvb,
13461 d_tvb, NULL, pinfo, top_tree);
13465 case TRANSACTION_MAILSLOT:
13466 /* This one should be safe to call
13467 even if s_tvb and sp_tvb is NULL
13470 dissected_trans = dissect_mailslot_smb(
13471 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
13477 if (!dissected_trans) {
13478 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
13479 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
13484 if( (p_tvb==0) && (d_tvb==0) ){
13485 if(check_col(pinfo->cinfo, COL_INFO)){
13486 col_append_str(pinfo->cinfo, COL_INFO,
13487 "[transact continuation]");
13491 pinfo->fragmented = save_fragmented;
13499 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13506 /* Monitor handle */
13507 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13517 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13518 END Transaction/Transaction2 Primary and secondary requests
13519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
13523 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13531 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
13538 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
13548 typedef struct _smb_function {
13549 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13550 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13553 static smb_function smb_dissector[256] = {
13554 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
13555 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
13556 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
13557 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
13558 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
13559 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
13560 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
13561 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
13562 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
13563 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
13564 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
13565 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
13566 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
13567 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
13568 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
13569 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
13571 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
13572 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
13573 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
13574 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
13575 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
13576 /* 0x15 */ {dissect_unknown, dissect_unknown},
13577 /* 0x16 */ {dissect_unknown, dissect_unknown},
13578 /* 0x17 */ {dissect_unknown, dissect_unknown},
13579 /* 0x18 */ {dissect_unknown, dissect_unknown},
13580 /* 0x19 */ {dissect_unknown, dissect_unknown},
13581 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
13582 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
13583 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
13584 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
13585 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
13586 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
13588 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
13589 /* 0x21 */ {dissect_unknown, dissect_unknown},
13590 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
13591 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
13592 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
13593 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
13594 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13595 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
13596 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
13597 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
13598 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
13599 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
13600 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
13601 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
13602 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
13603 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
13605 /* 0x30 */ {dissect_unknown, dissect_unknown},
13606 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
13607 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
13608 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13609 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
13610 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
13611 /* 0x36 */ {dissect_unknown, dissect_unknown},
13612 /* 0x37 */ {dissect_unknown, dissect_unknown},
13613 /* 0x38 */ {dissect_unknown, dissect_unknown},
13614 /* 0x39 */ {dissect_unknown, dissect_unknown},
13615 /* 0x3a */ {dissect_unknown, dissect_unknown},
13616 /* 0x3b */ {dissect_unknown, dissect_unknown},
13617 /* 0x3c */ {dissect_unknown, dissect_unknown},
13618 /* 0x3d */ {dissect_unknown, dissect_unknown},
13619 /* 0x3e */ {dissect_unknown, dissect_unknown},
13620 /* 0x3f */ {dissect_unknown, dissect_unknown},
13622 /* 0x40 */ {dissect_unknown, dissect_unknown},
13623 /* 0x41 */ {dissect_unknown, dissect_unknown},
13624 /* 0x42 */ {dissect_unknown, dissect_unknown},
13625 /* 0x43 */ {dissect_unknown, dissect_unknown},
13626 /* 0x44 */ {dissect_unknown, dissect_unknown},
13627 /* 0x45 */ {dissect_unknown, dissect_unknown},
13628 /* 0x46 */ {dissect_unknown, dissect_unknown},
13629 /* 0x47 */ {dissect_unknown, dissect_unknown},
13630 /* 0x48 */ {dissect_unknown, dissect_unknown},
13631 /* 0x49 */ {dissect_unknown, dissect_unknown},
13632 /* 0x4a */ {dissect_unknown, dissect_unknown},
13633 /* 0x4b */ {dissect_unknown, dissect_unknown},
13634 /* 0x4c */ {dissect_unknown, dissect_unknown},
13635 /* 0x4d */ {dissect_unknown, dissect_unknown},
13636 /* 0x4e */ {dissect_unknown, dissect_unknown},
13637 /* 0x4f */ {dissect_unknown, dissect_unknown},
13639 /* 0x50 */ {dissect_unknown, dissect_unknown},
13640 /* 0x51 */ {dissect_unknown, dissect_unknown},
13641 /* 0x52 */ {dissect_unknown, dissect_unknown},
13642 /* 0x53 */ {dissect_unknown, dissect_unknown},
13643 /* 0x54 */ {dissect_unknown, dissect_unknown},
13644 /* 0x55 */ {dissect_unknown, dissect_unknown},
13645 /* 0x56 */ {dissect_unknown, dissect_unknown},
13646 /* 0x57 */ {dissect_unknown, dissect_unknown},
13647 /* 0x58 */ {dissect_unknown, dissect_unknown},
13648 /* 0x59 */ {dissect_unknown, dissect_unknown},
13649 /* 0x5a */ {dissect_unknown, dissect_unknown},
13650 /* 0x5b */ {dissect_unknown, dissect_unknown},
13651 /* 0x5c */ {dissect_unknown, dissect_unknown},
13652 /* 0x5d */ {dissect_unknown, dissect_unknown},
13653 /* 0x5e */ {dissect_unknown, dissect_unknown},
13654 /* 0x5f */ {dissect_unknown, dissect_unknown},
13656 /* 0x60 */ {dissect_unknown, dissect_unknown},
13657 /* 0x61 */ {dissect_unknown, dissect_unknown},
13658 /* 0x62 */ {dissect_unknown, dissect_unknown},
13659 /* 0x63 */ {dissect_unknown, dissect_unknown},
13660 /* 0x64 */ {dissect_unknown, dissect_unknown},
13661 /* 0x65 */ {dissect_unknown, dissect_unknown},
13662 /* 0x66 */ {dissect_unknown, dissect_unknown},
13663 /* 0x67 */ {dissect_unknown, dissect_unknown},
13664 /* 0x68 */ {dissect_unknown, dissect_unknown},
13665 /* 0x69 */ {dissect_unknown, dissect_unknown},
13666 /* 0x6a */ {dissect_unknown, dissect_unknown},
13667 /* 0x6b */ {dissect_unknown, dissect_unknown},
13668 /* 0x6c */ {dissect_unknown, dissect_unknown},
13669 /* 0x6d */ {dissect_unknown, dissect_unknown},
13670 /* 0x6e */ {dissect_unknown, dissect_unknown},
13671 /* 0x6f */ {dissect_unknown, dissect_unknown},
13673 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
13674 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
13675 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
13676 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
13677 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
13678 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
13679 /* 0x76 */ {dissect_unknown, dissect_unknown},
13680 /* 0x77 */ {dissect_unknown, dissect_unknown},
13681 /* 0x78 */ {dissect_unknown, dissect_unknown},
13682 /* 0x79 */ {dissect_unknown, dissect_unknown},
13683 /* 0x7a */ {dissect_unknown, dissect_unknown},
13684 /* 0x7b */ {dissect_unknown, dissect_unknown},
13685 /* 0x7c */ {dissect_unknown, dissect_unknown},
13686 /* 0x7d */ {dissect_unknown, dissect_unknown},
13687 /* 0x7e */ {dissect_unknown, dissect_unknown},
13688 /* 0x7f */ {dissect_unknown, dissect_unknown},
13690 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
13691 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
13692 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
13693 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
13694 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
13695 /* 0x85 */ {dissect_unknown, dissect_unknown},
13696 /* 0x86 */ {dissect_unknown, dissect_unknown},
13697 /* 0x87 */ {dissect_unknown, dissect_unknown},
13698 /* 0x88 */ {dissect_unknown, dissect_unknown},
13699 /* 0x89 */ {dissect_unknown, dissect_unknown},
13700 /* 0x8a */ {dissect_unknown, dissect_unknown},
13701 /* 0x8b */ {dissect_unknown, dissect_unknown},
13702 /* 0x8c */ {dissect_unknown, dissect_unknown},
13703 /* 0x8d */ {dissect_unknown, dissect_unknown},
13704 /* 0x8e */ {dissect_unknown, dissect_unknown},
13705 /* 0x8f */ {dissect_unknown, dissect_unknown},
13707 /* 0x90 */ {dissect_unknown, dissect_unknown},
13708 /* 0x91 */ {dissect_unknown, dissect_unknown},
13709 /* 0x92 */ {dissect_unknown, dissect_unknown},
13710 /* 0x93 */ {dissect_unknown, dissect_unknown},
13711 /* 0x94 */ {dissect_unknown, dissect_unknown},
13712 /* 0x95 */ {dissect_unknown, dissect_unknown},
13713 /* 0x96 */ {dissect_unknown, dissect_unknown},
13714 /* 0x97 */ {dissect_unknown, dissect_unknown},
13715 /* 0x98 */ {dissect_unknown, dissect_unknown},
13716 /* 0x99 */ {dissect_unknown, dissect_unknown},
13717 /* 0x9a */ {dissect_unknown, dissect_unknown},
13718 /* 0x9b */ {dissect_unknown, dissect_unknown},
13719 /* 0x9c */ {dissect_unknown, dissect_unknown},
13720 /* 0x9d */ {dissect_unknown, dissect_unknown},
13721 /* 0x9e */ {dissect_unknown, dissect_unknown},
13722 /* 0x9f */ {dissect_unknown, dissect_unknown},
13724 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13725 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13726 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
13727 /* 0xa3 */ {dissect_unknown, dissect_unknown},
13728 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
13729 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
13730 /* 0xa6 */ {dissect_unknown, dissect_unknown},
13731 /* 0xa7 */ {dissect_unknown, dissect_unknown},
13732 /* 0xa8 */ {dissect_unknown, dissect_unknown},
13733 /* 0xa9 */ {dissect_unknown, dissect_unknown},
13734 /* 0xaa */ {dissect_unknown, dissect_unknown},
13735 /* 0xab */ {dissect_unknown, dissect_unknown},
13736 /* 0xac */ {dissect_unknown, dissect_unknown},
13737 /* 0xad */ {dissect_unknown, dissect_unknown},
13738 /* 0xae */ {dissect_unknown, dissect_unknown},
13739 /* 0xaf */ {dissect_unknown, dissect_unknown},
13741 /* 0xb0 */ {dissect_unknown, dissect_unknown},
13742 /* 0xb1 */ {dissect_unknown, dissect_unknown},
13743 /* 0xb2 */ {dissect_unknown, dissect_unknown},
13744 /* 0xb3 */ {dissect_unknown, dissect_unknown},
13745 /* 0xb4 */ {dissect_unknown, dissect_unknown},
13746 /* 0xb5 */ {dissect_unknown, dissect_unknown},
13747 /* 0xb6 */ {dissect_unknown, dissect_unknown},
13748 /* 0xb7 */ {dissect_unknown, dissect_unknown},
13749 /* 0xb8 */ {dissect_unknown, dissect_unknown},
13750 /* 0xb9 */ {dissect_unknown, dissect_unknown},
13751 /* 0xba */ {dissect_unknown, dissect_unknown},
13752 /* 0xbb */ {dissect_unknown, dissect_unknown},
13753 /* 0xbc */ {dissect_unknown, dissect_unknown},
13754 /* 0xbd */ {dissect_unknown, dissect_unknown},
13755 /* 0xbe */ {dissect_unknown, dissect_unknown},
13756 /* 0xbf */ {dissect_unknown, dissect_unknown},
13758 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
13759 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
13760 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
13761 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
13762 /* 0xc4 */ {dissect_unknown, dissect_unknown},
13763 /* 0xc5 */ {dissect_unknown, dissect_unknown},
13764 /* 0xc6 */ {dissect_unknown, dissect_unknown},
13765 /* 0xc7 */ {dissect_unknown, dissect_unknown},
13766 /* 0xc8 */ {dissect_unknown, dissect_unknown},
13767 /* 0xc9 */ {dissect_unknown, dissect_unknown},
13768 /* 0xca */ {dissect_unknown, dissect_unknown},
13769 /* 0xcb */ {dissect_unknown, dissect_unknown},
13770 /* 0xcc */ {dissect_unknown, dissect_unknown},
13771 /* 0xcd */ {dissect_unknown, dissect_unknown},
13772 /* 0xce */ {dissect_unknown, dissect_unknown},
13773 /* 0xcf */ {dissect_unknown, dissect_unknown},
13775 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
13776 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
13777 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
13778 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
13779 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
13780 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
13781 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
13782 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
13783 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
13784 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
13785 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
13786 /* 0xdb */ {dissect_unknown, dissect_unknown},
13787 /* 0xdc */ {dissect_unknown, dissect_unknown},
13788 /* 0xdd */ {dissect_unknown, dissect_unknown},
13789 /* 0xde */ {dissect_unknown, dissect_unknown},
13790 /* 0xdf */ {dissect_unknown, dissect_unknown},
13792 /* 0xe0 */ {dissect_unknown, dissect_unknown},
13793 /* 0xe1 */ {dissect_unknown, dissect_unknown},
13794 /* 0xe2 */ {dissect_unknown, dissect_unknown},
13795 /* 0xe3 */ {dissect_unknown, dissect_unknown},
13796 /* 0xe4 */ {dissect_unknown, dissect_unknown},
13797 /* 0xe5 */ {dissect_unknown, dissect_unknown},
13798 /* 0xe6 */ {dissect_unknown, dissect_unknown},
13799 /* 0xe7 */ {dissect_unknown, dissect_unknown},
13800 /* 0xe8 */ {dissect_unknown, dissect_unknown},
13801 /* 0xe9 */ {dissect_unknown, dissect_unknown},
13802 /* 0xea */ {dissect_unknown, dissect_unknown},
13803 /* 0xeb */ {dissect_unknown, dissect_unknown},
13804 /* 0xec */ {dissect_unknown, dissect_unknown},
13805 /* 0xed */ {dissect_unknown, dissect_unknown},
13806 /* 0xee */ {dissect_unknown, dissect_unknown},
13807 /* 0xef */ {dissect_unknown, dissect_unknown},
13809 /* 0xf0 */ {dissect_unknown, dissect_unknown},
13810 /* 0xf1 */ {dissect_unknown, dissect_unknown},
13811 /* 0xf2 */ {dissect_unknown, dissect_unknown},
13812 /* 0xf3 */ {dissect_unknown, dissect_unknown},
13813 /* 0xf4 */ {dissect_unknown, dissect_unknown},
13814 /* 0xf5 */ {dissect_unknown, dissect_unknown},
13815 /* 0xf6 */ {dissect_unknown, dissect_unknown},
13816 /* 0xf7 */ {dissect_unknown, dissect_unknown},
13817 /* 0xf8 */ {dissect_unknown, dissect_unknown},
13818 /* 0xf9 */ {dissect_unknown, dissect_unknown},
13819 /* 0xfa */ {dissect_unknown, dissect_unknown},
13820 /* 0xfb */ {dissect_unknown, dissect_unknown},
13821 /* 0xfc */ {dissect_unknown, dissect_unknown},
13822 /* 0xfd */ {dissect_unknown, dissect_unknown},
13823 /* 0xfe */ {dissect_unknown, dissect_unknown},
13824 /* 0xff */ {dissect_unknown, dissect_unknown},
13828 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
13830 int old_offset = offset;
13833 si = pinfo->private_data;
13835 proto_item *cmd_item;
13836 proto_tree *cmd_tree;
13837 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13839 if (check_col(pinfo->cinfo, COL_INFO)) {
13841 col_append_fstr(pinfo->cinfo, COL_INFO,
13843 decode_smb_name(cmd),
13844 (si->request)? "Request" : "Response");
13846 col_append_fstr(pinfo->cinfo, COL_INFO,
13848 decode_smb_name(cmd));
13853 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
13855 decode_smb_name(cmd),
13856 (si->request)?"Request":"Response",
13859 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
13861 dissector = (si->request)?
13862 smb_dissector[cmd].request:smb_dissector[cmd].response;
13864 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
13865 proto_item_set_len(cmd_item, offset-old_offset);
13871 /* NOTE: this value_string array will also be used to access data directly by
13872 * index instead of val_to_str() since
13873 * 1, the array will always span every value from 0x00 to 0xff and
13874 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
13875 * This means that this value_string array MUST always
13876 * 1, contain all entries 0x00 to 0xff
13877 * 2, all entries must be in order.
13879 const value_string smb_cmd_vals[] = {
13880 { 0x00, "Create Directory" },
13881 { 0x01, "Delete Directory" },
13883 { 0x03, "Create" },
13886 { 0x06, "Delete" },
13887 { 0x07, "Rename" },
13888 { 0x08, "Query Information" },
13889 { 0x09, "Set Information" },
13892 { 0x0C, "Lock Byte Range" },
13893 { 0x0D, "Unlock Byte Range" },
13894 { 0x0E, "Create Temp" },
13895 { 0x0F, "Create New" },
13896 { 0x10, "Check Directory" },
13897 { 0x11, "Process Exit" },
13899 { 0x13, "Lock And Read" },
13900 { 0x14, "Write And Unlock" },
13901 { 0x15, "unknown-0x15" },
13902 { 0x16, "unknown-0x16" },
13903 { 0x17, "unknown-0x17" },
13904 { 0x18, "unknown-0x18" },
13905 { 0x19, "unknown-0x19" },
13906 { 0x1A, "Read Raw" },
13907 { 0x1B, "Read MPX" },
13908 { 0x1C, "Read MPX Secondary" },
13909 { 0x1D, "Write Raw" },
13910 { 0x1E, "Write MPX" },
13911 { 0x1F, "Write MPX Secondary" },
13912 { 0x20, "Write Complete" },
13913 { 0x21, "unknown-0x21" },
13914 { 0x22, "Set Information2" },
13915 { 0x23, "Query Information2" },
13916 { 0x24, "Locking AndX" },
13917 { 0x25, "Transaction" },
13918 { 0x26, "Transaction Secondary" },
13920 { 0x28, "IOCTL Secondary" },
13924 { 0x2C, "Write And Close" },
13925 { 0x2D, "Open AndX" },
13926 { 0x2E, "Read AndX" },
13927 { 0x2F, "Write AndX" },
13928 { 0x30, "unknown-0x30" },
13929 { 0x31, "Close And Tree Disconnect" },
13930 { 0x32, "Transaction2" },
13931 { 0x33, "Transaction2 Secondary" },
13932 { 0x34, "Find Close2" },
13933 { 0x35, "Find Notify Close" },
13934 { 0x36, "unknown-0x36" },
13935 { 0x37, "unknown-0x37" },
13936 { 0x38, "unknown-0x38" },
13937 { 0x39, "unknown-0x39" },
13938 { 0x3A, "unknown-0x3A" },
13939 { 0x3B, "unknown-0x3B" },
13940 { 0x3C, "unknown-0x3C" },
13941 { 0x3D, "unknown-0x3D" },
13942 { 0x3E, "unknown-0x3E" },
13943 { 0x3F, "unknown-0x3F" },
13944 { 0x40, "unknown-0x40" },
13945 { 0x41, "unknown-0x41" },
13946 { 0x42, "unknown-0x42" },
13947 { 0x43, "unknown-0x43" },
13948 { 0x44, "unknown-0x44" },
13949 { 0x45, "unknown-0x45" },
13950 { 0x46, "unknown-0x46" },
13951 { 0x47, "unknown-0x47" },
13952 { 0x48, "unknown-0x48" },
13953 { 0x49, "unknown-0x49" },
13954 { 0x4A, "unknown-0x4A" },
13955 { 0x4B, "unknown-0x4B" },
13956 { 0x4C, "unknown-0x4C" },
13957 { 0x4D, "unknown-0x4D" },
13958 { 0x4E, "unknown-0x4E" },
13959 { 0x4F, "unknown-0x4F" },
13960 { 0x50, "unknown-0x50" },
13961 { 0x51, "unknown-0x51" },
13962 { 0x52, "unknown-0x52" },
13963 { 0x53, "unknown-0x53" },
13964 { 0x54, "unknown-0x54" },
13965 { 0x55, "unknown-0x55" },
13966 { 0x56, "unknown-0x56" },
13967 { 0x57, "unknown-0x57" },
13968 { 0x58, "unknown-0x58" },
13969 { 0x59, "unknown-0x59" },
13970 { 0x5A, "unknown-0x5A" },
13971 { 0x5B, "unknown-0x5B" },
13972 { 0x5C, "unknown-0x5C" },
13973 { 0x5D, "unknown-0x5D" },
13974 { 0x5E, "unknown-0x5E" },
13975 { 0x5F, "unknown-0x5F" },
13976 { 0x60, "unknown-0x60" },
13977 { 0x61, "unknown-0x61" },
13978 { 0x62, "unknown-0x62" },
13979 { 0x63, "unknown-0x63" },
13980 { 0x64, "unknown-0x64" },
13981 { 0x65, "unknown-0x65" },
13982 { 0x66, "unknown-0x66" },
13983 { 0x67, "unknown-0x67" },
13984 { 0x68, "unknown-0x68" },
13985 { 0x69, "unknown-0x69" },
13986 { 0x6A, "unknown-0x6A" },
13987 { 0x6B, "unknown-0x6B" },
13988 { 0x6C, "unknown-0x6C" },
13989 { 0x6D, "unknown-0x6D" },
13990 { 0x6E, "unknown-0x6E" },
13991 { 0x6F, "unknown-0x6F" },
13992 { 0x70, "Tree Connect" },
13993 { 0x71, "Tree Disconnect" },
13994 { 0x72, "Negotiate Protocol" },
13995 { 0x73, "Session Setup AndX" },
13996 { 0x74, "Logoff AndX" },
13997 { 0x75, "Tree Connect AndX" },
13998 { 0x76, "unknown-0x76" },
13999 { 0x77, "unknown-0x77" },
14000 { 0x78, "unknown-0x78" },
14001 { 0x79, "unknown-0x79" },
14002 { 0x7A, "unknown-0x7A" },
14003 { 0x7B, "unknown-0x7B" },
14004 { 0x7C, "unknown-0x7C" },
14005 { 0x7D, "unknown-0x7D" },
14006 { 0x7E, "unknown-0x7E" },
14007 { 0x7F, "unknown-0x7F" },
14008 { 0x80, "Query Information Disk" },
14009 { 0x81, "Search" },
14011 { 0x83, "Find Unique" },
14012 { 0x84, "Find Close" },
14013 { 0x85, "unknown-0x85" },
14014 { 0x86, "unknown-0x86" },
14015 { 0x87, "unknown-0x87" },
14016 { 0x88, "unknown-0x88" },
14017 { 0x89, "unknown-0x89" },
14018 { 0x8A, "unknown-0x8A" },
14019 { 0x8B, "unknown-0x8B" },
14020 { 0x8C, "unknown-0x8C" },
14021 { 0x8D, "unknown-0x8D" },
14022 { 0x8E, "unknown-0x8E" },
14023 { 0x8F, "unknown-0x8F" },
14024 { 0x90, "unknown-0x90" },
14025 { 0x91, "unknown-0x91" },
14026 { 0x92, "unknown-0x92" },
14027 { 0x93, "unknown-0x93" },
14028 { 0x94, "unknown-0x94" },
14029 { 0x95, "unknown-0x95" },
14030 { 0x96, "unknown-0x96" },
14031 { 0x97, "unknown-0x97" },
14032 { 0x98, "unknown-0x98" },
14033 { 0x99, "unknown-0x99" },
14034 { 0x9A, "unknown-0x9A" },
14035 { 0x9B, "unknown-0x9B" },
14036 { 0x9C, "unknown-0x9C" },
14037 { 0x9D, "unknown-0x9D" },
14038 { 0x9E, "unknown-0x9E" },
14039 { 0x9F, "unknown-0x9F" },
14040 { 0xA0, "NT Transact" },
14041 { 0xA1, "NT Transact Secondary" },
14042 { 0xA2, "NT Create AndX" },
14043 { 0xA3, "unknown-0xA3" },
14044 { 0xA4, "NT Cancel" },
14045 { 0xA5, "NT Rename" },
14046 { 0xA6, "unknown-0xA6" },
14047 { 0xA7, "unknown-0xA7" },
14048 { 0xA8, "unknown-0xA8" },
14049 { 0xA9, "unknown-0xA9" },
14050 { 0xAA, "unknown-0xAA" },
14051 { 0xAB, "unknown-0xAB" },
14052 { 0xAC, "unknown-0xAC" },
14053 { 0xAD, "unknown-0xAD" },
14054 { 0xAE, "unknown-0xAE" },
14055 { 0xAF, "unknown-0xAF" },
14056 { 0xB0, "unknown-0xB0" },
14057 { 0xB1, "unknown-0xB1" },
14058 { 0xB2, "unknown-0xB2" },
14059 { 0xB3, "unknown-0xB3" },
14060 { 0xB4, "unknown-0xB4" },
14061 { 0xB5, "unknown-0xB5" },
14062 { 0xB6, "unknown-0xB6" },
14063 { 0xB7, "unknown-0xB7" },
14064 { 0xB8, "unknown-0xB8" },
14065 { 0xB9, "unknown-0xB9" },
14066 { 0xBA, "unknown-0xBA" },
14067 { 0xBB, "unknown-0xBB" },
14068 { 0xBC, "unknown-0xBC" },
14069 { 0xBD, "unknown-0xBD" },
14070 { 0xBE, "unknown-0xBE" },
14071 { 0xBF, "unknown-0xBF" },
14072 { 0xC0, "Open Print File" },
14073 { 0xC1, "Write Print File" },
14074 { 0xC2, "Close Print File" },
14075 { 0xC3, "Get Print Queue" },
14076 { 0xC4, "unknown-0xC4" },
14077 { 0xC5, "unknown-0xC5" },
14078 { 0xC6, "unknown-0xC6" },
14079 { 0xC7, "unknown-0xC7" },
14080 { 0xC8, "unknown-0xC8" },
14081 { 0xC9, "unknown-0xC9" },
14082 { 0xCA, "unknown-0xCA" },
14083 { 0xCB, "unknown-0xCB" },
14084 { 0xCC, "unknown-0xCC" },
14085 { 0xCD, "unknown-0xCD" },
14086 { 0xCE, "unknown-0xCE" },
14087 { 0xCF, "unknown-0xCF" },
14088 { 0xD0, "Send Single Block Message" },
14089 { 0xD1, "Send Broadcast Message" },
14090 { 0xD2, "Forward User Name" },
14091 { 0xD3, "Cancel Forward" },
14092 { 0xD4, "Get Machine Name" },
14093 { 0xD5, "Send Start of Multi-block Message" },
14094 { 0xD6, "Send End of Multi-block Message" },
14095 { 0xD7, "Send Text of Multi-block Message" },
14096 { 0xD8, "SMBreadbulk" },
14097 { 0xD9, "SMBwritebulk" },
14098 { 0xDA, "SMBwritebulkdata" },
14099 { 0xDB, "unknown-0xDB" },
14100 { 0xDC, "unknown-0xDC" },
14101 { 0xDD, "unknown-0xDD" },
14102 { 0xDE, "unknown-0xDE" },
14103 { 0xDF, "unknown-0xDF" },
14104 { 0xE0, "unknown-0xE0" },
14105 { 0xE1, "unknown-0xE1" },
14106 { 0xE2, "unknown-0xE2" },
14107 { 0xE3, "unknown-0xE3" },
14108 { 0xE4, "unknown-0xE4" },
14109 { 0xE5, "unknown-0xE5" },
14110 { 0xE6, "unknown-0xE6" },
14111 { 0xE7, "unknown-0xE7" },
14112 { 0xE8, "unknown-0xE8" },
14113 { 0xE9, "unknown-0xE9" },
14114 { 0xEA, "unknown-0xEA" },
14115 { 0xEB, "unknown-0xEB" },
14116 { 0xEC, "unknown-0xEC" },
14117 { 0xED, "unknown-0xED" },
14118 { 0xEE, "unknown-0xEE" },
14119 { 0xEF, "unknown-0xEF" },
14120 { 0xF0, "unknown-0xF0" },
14121 { 0xF1, "unknown-0xF1" },
14122 { 0xF2, "unknown-0xF2" },
14123 { 0xF3, "unknown-0xF3" },
14124 { 0xF4, "unknown-0xF4" },
14125 { 0xF5, "unknown-0xF5" },
14126 { 0xF6, "unknown-0xF6" },
14127 { 0xF7, "unknown-0xF7" },
14128 { 0xF8, "unknown-0xF8" },
14129 { 0xF9, "unknown-0xF9" },
14130 { 0xFA, "unknown-0xFA" },
14131 { 0xFB, "unknown-0xFB" },
14132 { 0xFC, "unknown-0xFC" },
14133 { 0xFD, "unknown-0xFD" },
14134 { 0xFE, "SMBinvalid" },
14135 { 0xFF, "unknown-0xFF" },
14139 static char *decode_smb_name(unsigned char cmd)
14141 return(smb_cmd_vals[cmd].strptr);
14146 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14147 * Everything TVBUFFIFIED above this line
14148 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
14152 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
14154 conv_tables_t *ct = ctarg;
14157 g_hash_table_destroy(ct->unmatched);
14159 g_hash_table_destroy(ct->matched);
14160 if (ct->dcerpc_fid_to_frame)
14161 g_hash_table_destroy(ct->dcerpc_fid_to_frame);
14162 if (ct->dcerpc_frame_to_dcerpc_pdu)
14163 g_hash_table_destroy(ct->dcerpc_frame_to_dcerpc_pdu);
14164 if (ct->tid_service)
14165 g_hash_table_destroy(ct->tid_service);
14169 smb_init_protocol(void)
14171 if (smb_saved_info_key_chunk)
14172 g_mem_chunk_destroy(smb_saved_info_key_chunk);
14173 if (smb_saved_info_chunk)
14174 g_mem_chunk_destroy(smb_saved_info_chunk);
14175 if (smb_nt_transact_info_chunk)
14176 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
14177 if (smb_transact2_info_chunk)
14178 g_mem_chunk_destroy(smb_transact2_info_chunk);
14179 if (smb_transact_info_chunk)
14180 g_mem_chunk_destroy(smb_transact_info_chunk);
14183 * Free the hash tables attached to the conversation table
14184 * structures, and then free the list of conversation table
14185 * data structures (which doesn't free the data structures
14186 * themselves; that's done by destroying the chunk from
14187 * which they were allocated).
14190 g_slist_foreach(conv_tables, free_hash_tables, NULL);
14191 g_slist_free(conv_tables);
14192 conv_tables = NULL;
14196 * Now destroy the chunk from which the conversation table
14197 * structures were allocated.
14199 if (conv_tables_chunk)
14200 g_mem_chunk_destroy(conv_tables_chunk);
14202 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
14203 sizeof(smb_saved_info_t),
14204 smb_saved_info_init_count * sizeof(smb_saved_info_t),
14206 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
14207 sizeof(smb_saved_info_key_t),
14208 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
14210 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
14211 sizeof(smb_nt_transact_info_t),
14212 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
14214 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
14215 sizeof(smb_transact2_info_t),
14216 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
14218 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
14219 sizeof(smb_transact_info_t),
14220 smb_transact_info_init_count * sizeof(smb_transact_info_t),
14222 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
14223 sizeof(conv_tables_t),
14224 conv_tables_count * sizeof(conv_tables_t),
14228 static const value_string errcls_types[] = {
14229 { SMB_SUCCESS, "Success"},
14230 { SMB_ERRDOS, "DOS Error"},
14231 { SMB_ERRSRV, "Server Error"},
14232 { SMB_ERRHRD, "Hardware Error"},
14233 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
14237 const value_string DOS_errors[] = {
14239 {SMBE_insufficientbuffer, "Insufficient buffer"},
14240 {SMBE_badfunc, "Invalid function (or system call)"},
14241 {SMBE_badfile, "File not found (pathname error)"},
14242 {SMBE_badpath, "Directory not found"},
14243 {SMBE_nofids, "Too many open files"},
14244 {SMBE_noaccess, "Access denied"},
14245 {SMBE_badfid, "Invalid fid"},
14246 {SMBE_nomem, "Out of memory"},
14247 {SMBE_badmem, "Invalid memory block address"},
14248 {SMBE_badenv, "Invalid environment"},
14249 {SMBE_badaccess, "Invalid open mode"},
14250 {SMBE_baddata, "Invalid data (only from ioctl call)"},
14251 {SMBE_res, "Reserved error code?"},
14252 {SMBE_baddrive, "Invalid drive"},
14253 {SMBE_remcd, "Attempt to delete current directory"},
14254 {SMBE_diffdevice, "Rename/move across different filesystems"},
14255 {SMBE_nofiles, "No more files found in file search"},
14256 {SMBE_badshare, "Share mode on file conflict with open mode"},
14257 {SMBE_lock, "Lock request conflicts with existing lock"},
14258 {SMBE_unsup, "Request unsupported, returned by Win 95"},
14259 {SMBE_nosuchshare, "Requested share does not exist"},
14260 {SMBE_filexists, "File in operation already exists"},
14261 {SMBE_cannotopen, "Cannot open the file specified"},
14262 {SMBE_unknownlevel, "Unknown info level"},
14263 {SMBE_invalidname, "Invalid name"},
14264 {SMBE_badpipe, "Named pipe invalid"},
14265 {SMBE_pipebusy, "All instances of pipe are busy"},
14266 {SMBE_pipeclosing, "Named pipe close in progress"},
14267 {SMBE_notconnected, "No process on other end of named pipe"},
14268 {SMBE_moredata, "More data to be returned"},
14269 {SMBE_baddirectory, "Invalid directory name in a path."},
14270 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
14271 {SMBE_eas_nsup, "Extended attributes not supported"},
14272 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
14273 {SMBE_unknownipc, "Unknown IPC Operation"},
14274 {SMBE_noipc, "Don't support ipc"},
14275 {SMBE_alreadyexists, "File already exists"},
14276 {SMBE_unknownprinterdriver, "Unknown printer driver"},
14277 {SMBE_invalidprintername, "Invalid printer name"},
14278 {SMBE_printeralreadyexists, "Printer already exists"},
14279 {SMBE_invaliddatatype, "Invalid data type"},
14280 {SMBE_invalidenvironment, "Invalid environment"},
14281 {SMBE_printerdriverinuse, "Printer driver in use"},
14282 {SMBE_invalidparam, "Invalid parameter"},
14283 {SMBE_invalidformsize, "Invalid form size"},
14284 {SMBE_invalidsecuritydescriptor, "Invalid security descriptor"},
14285 {SMBE_invalidowner, "Invalid owner"},
14286 {SMBE_nomoreitems, "No more items"},
14287 {SMBE_serverunavailable, "Server unavailable"},
14291 /* Error codes for the ERRSRV class */
14293 static const value_string SRV_errors[] = {
14294 {SMBE_error, "Non specific error code"},
14295 {SMBE_badpw, "Bad password"},
14296 {SMBE_badtype, "Reserved"},
14297 {SMBE_access, "No permissions to perform the requested operation"},
14298 {SMBE_invnid, "TID invalid"},
14299 {SMBE_invnetname, "Invalid network name. Service not found"},
14300 {SMBE_invdevice, "Invalid device"},
14301 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
14302 {SMBE_qfull, "Print queue full"},
14303 {SMBE_qtoobig, "Queued item too big"},
14304 {SMBE_qeof, "EOF on print queue dump"},
14305 {SMBE_invpfid, "Invalid print file in smb_fid"},
14306 {SMBE_smbcmd, "Unrecognised command"},
14307 {SMBE_srverror, "SMB server internal error"},
14308 {SMBE_filespecs, "Fid and pathname invalid combination"},
14309 {SMBE_badlink, "Bad link in request ???"},
14310 {SMBE_badpermits, "Access specified for a file is not valid"},
14311 {SMBE_badpid, "Bad process id in request"},
14312 {SMBE_setattrmode, "Attribute mode invalid"},
14313 {SMBE_paused, "Message server paused"},
14314 {SMBE_msgoff, "Not receiving messages"},
14315 {SMBE_noroom, "No room for message"},
14316 {SMBE_rmuns, "Too many remote usernames"},
14317 {SMBE_timeout, "Operation timed out"},
14318 {SMBE_noresource, "No resources currently available for request."},
14319 {SMBE_toomanyuids, "Too many userids"},
14320 {SMBE_baduid, "Bad userid"},
14321 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
14322 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
14323 {SMBE_contMPX, "Resume MPX mode"},
14324 {SMBE_badPW, "Bad Password???"},
14325 {SMBE_nosupport, "Operation not supported"},
14329 /* Error codes for the ERRHRD class */
14331 static const value_string HRD_errors[] = {
14332 {SMBE_nowrite, "Read only media"},
14333 {SMBE_badunit, "Unknown device"},
14334 {SMBE_notready, "Drive not ready"},
14335 {SMBE_badcmd, "Unknown command"},
14336 {SMBE_data, "Data (CRC) error"},
14337 {SMBE_badreq, "Bad request structure length"},
14338 {SMBE_seek, "Seek error"},
14339 {SMBE_badmedia, "Unknown media type"},
14340 {SMBE_badsector, "Sector not found"},
14341 {SMBE_nopaper, "Printer out of paper"},
14342 {SMBE_write, "Write fault"},
14343 {SMBE_read, "Read fault"},
14344 {SMBE_general, "General failure"},
14345 {SMBE_badshare, "A open conflicts with an existing open"},
14346 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
14347 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
14348 {SMBE_FCBunavail, "No FCBs are available to process request"},
14349 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
14350 {SMBE_diskfull, "Disk full???"},
14354 static char *decode_smb_error(guint8 errcls, guint16 errcode)
14361 return("No Error"); /* No error ??? */
14366 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
14371 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
14376 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
14381 return("Unknown error class!");
14388 /* These are the MS country codes from
14390 http://www.unicode.org/unicode/onlinedat/countries.html
14392 For countries that share the same number, I choose to use only the
14393 name of the largest country. Apologies for this. If this offends you,
14394 here is the table to change that.
14396 This also includes the code of 0 for "Default", which isn't in
14397 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
14398 header file. Presumably it means "don't override the setting
14399 on the user's machine".
14401 Future versions of Microsoft's "winnls.h" header file might include
14402 additional codes; the current version matches the Unicode Consortium's
14405 const value_string ms_country_codes[] = {
14411 { 27, "South Africa"},
14413 { 31, "Netherlands"},
14420 { 41, "Switzerland"},
14422 { 44, "United Kingdom"},
14430 { 54, "Argentina"},
14434 { 58, "Venezuela"},
14436 { 61, "Australia"},
14437 { 62, "Indonesia"},
14438 { 63, "Philippines"},
14439 { 64, "New Zealand"},
14440 { 65, "Singapore"},
14443 { 82, "South Korea"},
14455 {298, "Faroe Islands"},
14457 {352, "Luxembourg"},
14463 {370, "Lithuania"},
14472 {389, "Macedonia"},
14473 {420, "Czech Republic"},
14474 {421, "Slovak Republic"},
14476 {502, "Guatemala"},
14477 {503, "El Salvador"},
14479 {505, "Nicaragua"},
14480 {506, "Costa Rica"},
14486 {673, "Brunei Darussalam"},
14487 {852, "Hong Kong"},
14496 {966, "Saudi Arabia"},
14499 {971, "United Arab Emirates"},
14505 {994, "Azerbaijan"},
14507 {996, "Kyrgyzstan"},
14517 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
14519 const value_string NT_errors[] = {
14520 { 0x00000000, "STATUS_SUCCESS" },
14521 { 0x00000000, "STATUS_WAIT_0" },
14522 { 0x00000001, "STATUS_WAIT_1" },
14523 { 0x00000002, "STATUS_WAIT_2" },
14524 { 0x00000003, "STATUS_WAIT_3" },
14525 { 0x0000003F, "STATUS_WAIT_63" },
14526 { 0x00000080, "STATUS_ABANDONED" },
14527 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
14528 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
14529 { 0x000000C0, "STATUS_USER_APC" },
14530 { 0x00000100, "STATUS_KERNEL_APC" },
14531 { 0x00000101, "STATUS_ALERTED" },
14532 { 0x00000102, "STATUS_TIMEOUT" },
14533 { 0x00000103, "STATUS_PENDING" },
14534 { 0x00000104, "STATUS_REPARSE" },
14535 { 0x00000105, "STATUS_MORE_ENTRIES" },
14536 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
14537 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
14538 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
14539 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
14540 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
14541 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
14542 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
14543 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
14544 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
14545 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
14546 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
14547 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
14548 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
14549 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
14550 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
14551 { 0x00000116, "STATUS_CRASH_DUMP" },
14552 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
14553 { 0x00000118, "STATUS_REPARSE_OBJECT" },
14554 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
14555 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
14556 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
14557 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
14558 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
14559 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
14560 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
14561 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
14562 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
14563 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
14564 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
14565 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
14566 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
14567 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
14568 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
14569 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
14570 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
14571 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
14572 { 0x40000012, "STATUS_EVENT_DONE" },
14573 { 0x40000013, "STATUS_EVENT_PENDING" },
14574 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
14575 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
14576 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
14577 { 0x40000017, "STATUS_WAS_UNLOCKED" },
14578 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
14579 { 0x40000019, "STATUS_WAS_LOCKED" },
14580 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
14581 { 0x4000001B, "STATUS_ALREADY_WIN32" },
14582 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
14583 { 0x4000001D, "STATUS_WX86_CONTINUE" },
14584 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
14585 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
14586 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
14587 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
14588 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
14589 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
14590 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
14591 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
14592 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
14593 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
14594 { 0x80000003, "STATUS_BREAKPOINT" },
14595 { 0x80000004, "STATUS_SINGLE_STEP" },
14596 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
14597 { 0x80000006, "STATUS_NO_MORE_FILES" },
14598 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
14599 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
14600 { 0x8000000B, "STATUS_NO_INHERITANCE" },
14601 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
14602 { 0x8000000D, "STATUS_PARTIAL_COPY" },
14603 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
14604 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
14605 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
14606 { 0x80000011, "STATUS_DEVICE_BUSY" },
14607 { 0x80000012, "STATUS_NO_MORE_EAS" },
14608 { 0x80000013, "STATUS_INVALID_EA_NAME" },
14609 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
14610 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
14611 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
14612 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
14613 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
14614 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
14615 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
14616 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
14617 { 0x8000001D, "STATUS_BUS_RESET" },
14618 { 0x8000001E, "STATUS_END_OF_MEDIA" },
14619 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
14620 { 0x80000020, "STATUS_MEDIA_CHECK" },
14621 { 0x80000021, "STATUS_SETMARK_DETECTED" },
14622 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
14623 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
14624 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
14625 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
14626 { 0x80000026, "STATUS_LONGJUMP" },
14627 { 0x80040111, "MAPI_E_LOGON_FAILED" },
14628 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
14629 { 0x80090301, "SEC_E_INVALID_HANDLE" },
14630 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
14631 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
14632 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
14633 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
14634 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
14635 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
14636 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
14637 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
14638 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
14639 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
14640 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
14641 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
14642 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
14643 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
14644 { 0xC0000008, "STATUS_INVALID_HANDLE" },
14645 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
14646 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
14647 { 0xC000000B, "STATUS_INVALID_CID" },
14648 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
14649 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
14650 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
14651 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
14652 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
14653 { 0xC0000011, "STATUS_END_OF_FILE" },
14654 { 0xC0000012, "STATUS_WRONG_VOLUME" },
14655 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
14656 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
14657 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
14658 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
14659 { 0xC0000017, "STATUS_NO_MEMORY" },
14660 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
14661 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
14662 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
14663 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
14664 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
14665 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
14666 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
14667 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
14668 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
14669 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
14670 { 0xC0000022, "STATUS_ACCESS_DENIED" },
14671 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
14672 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
14673 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
14674 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
14675 { 0xC0000027, "STATUS_UNWIND" },
14676 { 0xC0000028, "STATUS_BAD_STACK" },
14677 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
14678 { 0xC000002A, "STATUS_NOT_LOCKED" },
14679 { 0xC000002B, "STATUS_PARITY_ERROR" },
14680 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
14681 { 0xC000002D, "STATUS_NOT_COMMITTED" },
14682 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
14683 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
14684 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
14685 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
14686 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
14687 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
14688 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
14689 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
14690 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
14691 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
14692 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
14693 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
14694 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
14695 { 0xC000003C, "STATUS_DATA_OVERRUN" },
14696 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
14697 { 0xC000003E, "STATUS_DATA_ERROR" },
14698 { 0xC000003F, "STATUS_CRC_ERROR" },
14699 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
14700 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
14701 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
14702 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
14703 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
14704 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
14705 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
14706 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
14707 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
14708 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
14709 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
14710 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
14711 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
14712 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
14713 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
14714 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
14715 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
14716 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
14717 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
14718 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
14719 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
14720 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
14721 { 0xC0000056, "STATUS_DELETE_PENDING" },
14722 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
14723 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
14724 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
14725 { 0xC000005A, "STATUS_INVALID_OWNER" },
14726 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
14727 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
14728 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
14729 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
14730 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
14731 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
14732 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
14733 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
14734 { 0xC0000063, "STATUS_USER_EXISTS" },
14735 { 0xC0000064, "STATUS_NO_SUCH_USER" },
14736 { 0xC0000065, "STATUS_GROUP_EXISTS" },
14737 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
14738 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
14739 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
14740 { 0xC0000069, "STATUS_LAST_ADMIN" },
14741 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
14742 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
14743 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
14744 { 0xC000006D, "STATUS_LOGON_FAILURE" },
14745 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
14746 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
14747 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
14748 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
14749 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
14750 { 0xC0000073, "STATUS_NONE_MAPPED" },
14751 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
14752 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
14753 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
14754 { 0xC0000077, "STATUS_INVALID_ACL" },
14755 { 0xC0000078, "STATUS_INVALID_SID" },
14756 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
14757 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
14758 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
14759 { 0xC000007C, "STATUS_NO_TOKEN" },
14760 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
14761 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
14762 { 0xC000007F, "STATUS_DISK_FULL" },
14763 { 0xC0000080, "STATUS_SERVER_DISABLED" },
14764 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
14765 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
14766 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
14767 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
14768 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
14769 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
14770 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
14771 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
14772 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
14773 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
14774 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
14775 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
14776 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
14777 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
14778 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
14779 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
14780 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
14781 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
14782 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
14783 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
14784 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
14785 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
14786 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
14787 { 0xC0000098, "STATUS_FILE_INVALID" },
14788 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
14789 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
14790 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
14791 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
14792 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
14793 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
14794 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
14795 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
14796 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
14797 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
14798 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
14799 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
14800 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
14801 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
14802 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
14803 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
14804 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
14805 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
14806 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
14807 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
14808 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
14809 { 0xC00000AE, "STATUS_PIPE_BUSY" },
14810 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
14811 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
14812 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
14813 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
14814 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
14815 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
14816 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
14817 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
14818 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
14819 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
14820 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
14821 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
14822 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
14823 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
14824 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
14825 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
14826 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
14827 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
14828 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
14829 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
14830 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
14831 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
14832 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
14833 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
14834 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
14835 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
14836 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
14837 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
14838 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
14839 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
14840 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
14841 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
14842 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
14843 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
14844 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
14845 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
14846 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
14847 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
14848 { 0xC00000D5, "STATUS_FILE_RENAMED" },
14849 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
14850 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
14851 { 0xC00000D8, "STATUS_CANT_WAIT" },
14852 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
14853 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
14854 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
14855 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
14856 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
14857 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
14858 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
14859 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
14860 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
14861 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
14862 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
14863 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
14864 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
14865 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
14866 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
14867 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
14868 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
14869 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
14870 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
14871 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
14872 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
14873 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
14874 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
14875 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
14876 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
14877 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
14878 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
14879 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
14880 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
14881 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
14882 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
14883 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
14884 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
14885 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
14886 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
14887 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
14888 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
14889 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
14890 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
14891 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
14892 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
14893 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
14894 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
14895 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
14896 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
14897 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
14898 { 0xC0000107, "STATUS_FILES_OPEN" },
14899 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
14900 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
14901 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
14902 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
14903 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
14904 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
14905 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
14906 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
14907 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
14908 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
14909 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
14910 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
14911 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
14912 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
14913 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
14914 { 0xC0000117, "STATUS_NO_LDT" },
14915 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
14916 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
14917 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
14918 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
14919 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
14920 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
14921 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
14922 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
14923 { 0xC0000120, "STATUS_CANCELLED" },
14924 { 0xC0000121, "STATUS_CANNOT_DELETE" },
14925 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
14926 { 0xC0000123, "STATUS_FILE_DELETED" },
14927 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
14928 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
14929 { 0xC0000126, "STATUS_SPECIAL_USER" },
14930 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
14931 { 0xC0000128, "STATUS_FILE_CLOSED" },
14932 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
14933 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
14934 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
14935 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
14936 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
14937 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
14938 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
14939 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
14940 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
14941 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
14942 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
14943 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
14944 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
14945 { 0xC0000136, "STATUS_OPEN_FAILED" },
14946 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
14947 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
14948 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
14949 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
14950 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
14951 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
14952 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
14953 { 0xC000013E, "STATUS_LINK_FAILED" },
14954 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
14955 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
14956 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
14957 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
14958 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
14959 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
14960 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
14961 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
14962 { 0xC0000147, "STATUS_NO_PAGEFILE" },
14963 { 0xC0000148, "STATUS_INVALID_LEVEL" },
14964 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
14965 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
14966 { 0xC000014B, "STATUS_PIPE_BROKEN" },
14967 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
14968 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
14969 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
14970 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
14971 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
14972 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
14973 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
14974 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
14975 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
14976 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
14977 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
14978 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
14979 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
14980 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
14981 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
14982 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
14983 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
14984 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
14985 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
14986 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
14987 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
14988 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
14989 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
14990 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
14991 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
14992 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
14993 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
14994 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
14995 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
14996 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
14997 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
14998 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
14999 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
15000 { 0xC000016D, "STATUS_FT_ORPHANING" },
15001 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
15002 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
15003 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
15004 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
15005 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
15006 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
15007 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
15008 { 0xC0000178, "STATUS_NO_MEDIA" },
15009 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
15010 { 0xC000017B, "STATUS_INVALID_MEMBER" },
15011 { 0xC000017C, "STATUS_KEY_DELETED" },
15012 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
15013 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
15014 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
15015 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
15016 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
15017 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
15018 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
15019 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
15020 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
15021 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
15022 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
15023 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
15024 { 0xC0000189, "STATUS_TOO_LATE" },
15025 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
15026 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
15027 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
15028 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
15029 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
15030 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
15031 { 0xC0000190, "STATUS_TRUST_FAILURE" },
15032 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
15033 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
15034 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
15035 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
15036 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
15037 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
15038 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
15039 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
15040 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
15041 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
15042 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
15043 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
15044 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
15045 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
15046 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
15047 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
15048 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
15049 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
15050 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
15051 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
15052 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
15053 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
15054 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
15055 { 0xC000020D, "STATUS_CONNECTION_RESET" },
15056 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
15057 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
15058 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
15059 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
15060 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
15061 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
15062 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
15063 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
15064 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
15065 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
15066 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
15067 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
15068 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
15069 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
15070 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
15071 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
15072 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
15073 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
15074 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
15075 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
15076 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
15077 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
15078 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
15079 { 0xC0000225, "STATUS_NOT_FOUND" },
15080 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
15081 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
15082 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
15083 { 0xC0000229, "STATUS_FAIL_CHECK" },
15084 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
15085 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
15086 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
15087 { 0xC000022D, "STATUS_RETRY" },
15088 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
15089 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
15090 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
15091 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
15092 { 0xC0000232, "STATUS_INVALID_VARIANT" },
15093 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
15094 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
15095 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
15096 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
15097 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
15098 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
15099 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
15100 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
15101 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
15102 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
15103 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
15104 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
15105 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
15106 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
15107 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
15108 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
15109 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
15110 { 0xC0000244, "STATUS_AUDIT_FAILED" },
15111 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
15112 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
15113 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
15114 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
15115 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
15116 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
15117 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
15118 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
15119 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
15120 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
15121 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
15122 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
15123 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
15124 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
15125 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
15126 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
15127 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
15128 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
15129 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
15130 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
15131 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
15132 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
15133 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
15134 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
15135 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
15136 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
15137 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
15138 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
15139 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
15140 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
15141 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
15142 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
15143 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
15144 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
15145 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
15146 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
15147 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
15148 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
15149 { 0xC0000272, "STATUS_NO_MATCH" },
15150 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
15151 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
15152 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
15153 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
15154 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
15155 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
15156 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
15157 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
15158 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
15159 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
15160 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
15161 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
15162 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
15163 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
15164 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
15165 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
15166 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
15167 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
15168 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
15169 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
15170 { 0xC000028E, "STATUS_NO_EFS" },
15171 { 0xC000028F, "STATUS_WRONG_EFS" },
15172 { 0xC0000290, "STATUS_NO_USER_KEYS" },
15173 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
15174 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
15175 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
15176 { 0x40000294, "STATUS_WAKE_SYSTEM" },
15177 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
15178 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
15179 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
15180 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
15181 { 0xC0000299, "STATUS_SHARED_POLICY" },
15182 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
15183 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
15184 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
15185 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
15186 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
15187 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
15188 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
15189 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
15190 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
15191 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
15192 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
15193 { 0xC00002A5, "STATUS_DS_BUSY" },
15194 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
15195 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
15196 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
15197 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
15198 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
15199 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
15200 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
15201 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
15202 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
15203 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
15204 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
15205 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
15206 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
15207 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
15208 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
15209 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
15210 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
15211 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
15212 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
15213 { 0xC00002B9, "STATUS_NOINTERFACE" },
15214 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
15215 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
15216 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
15217 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
15218 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
15219 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
15220 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
15221 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
15222 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
15223 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
15224 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
15225 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
15226 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
15227 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
15228 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
15229 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
15230 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
15231 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
15232 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
15233 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
15234 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
15235 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
15236 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
15237 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
15238 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
15239 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
15240 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
15241 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
15242 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
15243 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
15244 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
15245 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
15246 { 0xC00002E1, "STATUS_DS_CANT_START" },
15247 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
15248 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
15249 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
15250 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
15251 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
15252 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
15253 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
15254 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
15255 { 0xC0009898, "STATUS_WOW_ASSERTION" },
15256 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
15257 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
15258 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
15259 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
15260 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
15261 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
15262 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
15263 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
15264 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
15265 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
15266 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
15267 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
15268 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
15269 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
15270 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
15271 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
15272 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
15273 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
15274 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
15275 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
15276 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
15277 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
15278 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
15279 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
15280 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
15281 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
15282 { 0xC002001B, "RPC_NT_CALL_FAILED" },
15283 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
15284 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
15285 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
15286 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
15287 { 0xC0020022, "RPC_NT_INVALID_TAG" },
15288 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
15289 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
15290 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
15291 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
15292 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
15293 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
15294 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
15295 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
15296 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
15297 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
15298 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
15299 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
15300 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
15301 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
15302 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
15303 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
15304 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
15305 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
15306 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
15307 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
15308 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
15309 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
15310 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
15311 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
15312 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
15313 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
15314 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
15315 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
15316 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
15317 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
15318 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
15319 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
15320 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
15321 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
15322 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
15323 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
15324 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
15325 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
15326 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
15327 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
15328 { 0xC002100A, "RPC_P_SEND_FAILED" },
15329 { 0xC002100B, "RPC_P_TIMEOUT" },
15330 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
15331 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
15332 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
15333 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
15334 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
15335 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
15336 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
15337 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
15338 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
15339 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
15340 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
15341 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
15342 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
15343 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
15344 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
15345 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
15346 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
15347 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
15348 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
15349 { 0xC002004C, "EPT_NT_CANT_CREATE" },
15350 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
15351 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
15352 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
15353 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
15354 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
15355 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
15356 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
15357 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
15358 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
15359 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
15360 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
15361 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
15362 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
15363 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
15364 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
15365 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
15366 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
15367 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
15373 static const true_false_string tfs_smb_flags_lock = {
15374 "Lock&Read, Write&Unlock are supported",
15375 "Lock&Read, Write&Unlock are not supported"
15377 static const true_false_string tfs_smb_flags_receive_buffer = {
15378 "Receive buffer has been posted",
15379 "Receive buffer has not been posted"
15381 static const true_false_string tfs_smb_flags_caseless = {
15382 "Path names are caseless",
15383 "Path names are case sensitive"
15385 static const true_false_string tfs_smb_flags_canon = {
15386 "Pathnames are canonicalized",
15387 "Pathnames are not canonicalized"
15389 static const true_false_string tfs_smb_flags_oplock = {
15390 "OpLock requested/granted",
15391 "OpLock not requested/granted"
15393 static const true_false_string tfs_smb_flags_notify = {
15394 "Notify client on all modifications",
15395 "Notify client only on open"
15397 static const true_false_string tfs_smb_flags_response = {
15398 "Message is a response to the client/redirector",
15399 "Message is a request to the server"
15403 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15406 proto_item *item = NULL;
15407 proto_tree *tree = NULL;
15409 mask = tvb_get_guint8(tvb, offset);
15412 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
15413 "Flags: 0x%02x", mask);
15414 tree = proto_item_add_subtree(item, ett_smb_flags);
15416 proto_tree_add_boolean(tree, hf_smb_flags_response,
15417 tvb, offset, 1, mask);
15418 proto_tree_add_boolean(tree, hf_smb_flags_notify,
15419 tvb, offset, 1, mask);
15420 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
15421 tvb, offset, 1, mask);
15422 proto_tree_add_boolean(tree, hf_smb_flags_canon,
15423 tvb, offset, 1, mask);
15424 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
15425 tvb, offset, 1, mask);
15426 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
15427 tvb, offset, 1, mask);
15428 proto_tree_add_boolean(tree, hf_smb_flags_lock,
15429 tvb, offset, 1, mask);
15436 static const true_false_string tfs_smb_flags2_long_names_allowed = {
15437 "Long file names are allowed in the response",
15438 "Long file names are not allowed in the response"
15440 static const true_false_string tfs_smb_flags2_ea = {
15441 "Extended attributes are supported",
15442 "Extended attributes are not supported"
15444 static const true_false_string tfs_smb_flags2_sec_sig = {
15445 "Security signatures are supported",
15446 "Security signatures are not supported"
15448 static const true_false_string tfs_smb_flags2_long_names_used = {
15449 "Path names in request are long file names",
15450 "Path names in request are not long file names"
15452 static const true_false_string tfs_smb_flags2_esn = {
15453 "Extended security negotiation is supported",
15454 "Extended security negotiation is not supported"
15456 static const true_false_string tfs_smb_flags2_dfs = {
15457 "Resolve pathnames with Dfs",
15458 "Don't resolve pathnames with Dfs"
15460 static const true_false_string tfs_smb_flags2_roe = {
15461 "Permit reads if execute-only",
15462 "Don't permit reads if execute-only"
15464 static const true_false_string tfs_smb_flags2_nt_error = {
15465 "Error codes are NT error codes",
15466 "Error codes are DOS error codes"
15468 static const true_false_string tfs_smb_flags2_string = {
15469 "Strings are Unicode",
15470 "Strings are ASCII"
15473 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15476 proto_item *item = NULL;
15477 proto_tree *tree = NULL;
15479 mask = tvb_get_letohs(tvb, offset);
15482 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
15483 "Flags2: 0x%04x", mask);
15484 tree = proto_item_add_subtree(item, ett_smb_flags2);
15487 proto_tree_add_boolean(tree, hf_smb_flags2_string,
15488 tvb, offset, 2, mask);
15489 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
15490 tvb, offset, 2, mask);
15491 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
15492 tvb, offset, 2, mask);
15493 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
15494 tvb, offset, 2, mask);
15495 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
15496 tvb, offset, 2, mask);
15497 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
15498 tvb, offset, 2, mask);
15499 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
15500 tvb, offset, 2, mask);
15501 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
15502 tvb, offset, 2, mask);
15503 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
15504 tvb, offset, 2, mask);
15512 #define SMB_FLAGS_DIRN 0x80
15516 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
15519 proto_item *item = NULL, *hitem = NULL;
15520 proto_tree *tree = NULL, *htree = NULL;
15523 static smb_info_t si_arr[20];
15524 static int si_counter=0;
15526 smb_saved_info_t *sip = NULL;
15527 smb_saved_info_key_t key;
15528 smb_saved_info_key_t *new_key;
15529 guint32 nt_status = 0;
15530 guint8 errclass = 0;
15531 guint16 errcode = 0;
15533 conversation_t *conversation;
15537 if(si_counter==20){
15540 si=&si_arr[si_counter];
15542 top_tree=parent_tree;
15544 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
15545 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
15547 if (check_col(pinfo->cinfo, COL_INFO)){
15548 col_clear(pinfo->cinfo, COL_INFO);
15551 /* start off using the local variable, we will allocate a new one if we
15553 si->cmd = tvb_get_guint8(tvb, offset+4);
15554 flags = tvb_get_guint8(tvb, offset+9);
15555 si->request = !(flags&SMB_FLAGS_DIRN);
15556 flags2 = tvb_get_letohs(tvb, offset+10);
15557 if(flags2 & 0x8000){
15558 si->unicode = TRUE; /* Mark them as Unicode */
15560 si->unicode = FALSE;
15562 si->tid = tvb_get_letohs(tvb, offset+24);
15563 si->pid = tvb_get_letohs(tvb, offset+26);
15564 si->uid = tvb_get_letohs(tvb, offset+28);
15565 si->mid = tvb_get_letohs(tvb, offset+30);
15566 pid_mid = (si->pid << 16) | si->mid;
15567 si->info_level = -1;
15568 si->info_count = -1;
15571 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
15573 tree = proto_item_add_subtree(item, ett_smb);
15575 hitem = proto_tree_add_text(tree, tvb, offset, 32,
15578 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
15581 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
15582 offset += 4; /* Skip the marker */
15584 /* find which conversation we are part of and get the tables for that
15586 conversation = find_conversation(&pinfo->src, &pinfo->dst,
15587 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
15589 /* OK this is a new conversation so lets create it */
15590 conversation = conversation_new(&pinfo->src, &pinfo->dst,
15591 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
15593 /* see if we already have the smb data for this conversation */
15594 si->ct=conversation_get_proto_data(conversation, proto_smb);
15596 /* No, not yet. create it and attach it to the conversation */
15597 si->ct = g_mem_chunk_alloc(conv_tables_chunk);
15598 conv_tables = g_slist_prepend(conv_tables, si->ct);
15599 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
15600 smb_saved_info_equal_matched);
15601 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
15602 smb_saved_info_equal_unmatched);
15603 si->ct->dcerpc_fid_to_frame=g_hash_table_new(
15604 smb_saved_info_hash_unmatched,
15605 smb_saved_info_equal_unmatched);
15606 si->ct->dcerpc_frame_to_dcerpc_pdu=g_hash_table_new(
15607 smb_saved_info_hash_unmatched,
15608 smb_saved_info_equal_unmatched);
15609 si->ct->tid_service=g_hash_table_new(
15610 smb_saved_info_hash_unmatched,
15611 smb_saved_info_equal_unmatched);
15612 conversation_add_proto_data(conversation, proto_smb, si->ct);
15620 /* this is a broadcast SMB packet, there will not be a reply.
15621 We dont need to do anything
15624 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
15625 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
15626 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
15627 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
15628 /* Ok, we got a special request type. This request is either
15629 an NT Cancel or a continuation relative to a real request
15630 in an earlier packet. In either case, we don't expect any
15631 responses to this packet. For continuations, any later
15632 responses we see really just belong to the original request.
15633 Anyway, we want to remember this packet somehow and
15634 remember which original request it is associated with so
15635 we can say nice things such as "This is a Cancellation to
15636 the request in frame x", but we don't want the
15637 request/response matching to get messed up.
15639 The only thing we do in this case is trying to find which original
15640 request we match with and insert an entry for this "special"
15641 request for later reference. We continue to reference the original
15642 requests smb_saved_info_t but we dont touch it or change anything
15646 si->unidir = TRUE; /*we dont expect an answer to this one*/
15648 if(!pinfo->fd->flags.visited){
15649 /* try to find which original call we match and if we
15650 find it add us to the matched table. Dont touch
15651 anything else since we dont want this one to mess
15652 up the request/response matching. We still consider
15653 the initial call the real request and this is only
15654 some sort of continuation.
15656 /* we only check the unmatched table and assume that the
15657 last seen MID matching ours is the right one.
15658 This can fail but is better than nothing
15660 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
15662 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15663 new_key->frame = pinfo->fd->num;
15664 new_key->pid_mid = pid_mid;
15665 g_hash_table_insert(si->ct->matched, new_key,
15669 /* we have seen this packet before; check the
15672 key.frame = pinfo->fd->num;
15673 key.pid_mid = pid_mid;
15674 sip=g_hash_table_lookup(si->ct->matched, &key);
15678 Too bad, unfortunately there is not really much we can
15679 do now since this means that we never saw the initial
15686 if(sip && sip->frame_req){
15688 case SMB_COM_NT_CANCEL:
15689 proto_tree_add_uint(htree, hf_smb_cancel_to,
15690 tvb, 0, 0, sip->frame_req);
15692 case SMB_COM_TRANSACTION_SECONDARY:
15693 case SMB_COM_TRANSACTION2_SECONDARY:
15694 case SMB_COM_NT_TRANSACT_SECONDARY:
15695 proto_tree_add_uint(htree, hf_smb_continuation_to,
15696 tvb, 0, 0, sip->frame_req);
15701 case SMB_COM_NT_CANCEL:
15702 proto_tree_add_text(htree, tvb, 0, 0,
15703 "Cancellation to: <unknown frame>");
15705 case SMB_COM_TRANSACTION_SECONDARY:
15706 case SMB_COM_TRANSACTION2_SECONDARY:
15707 case SMB_COM_NT_TRANSACT_SECONDARY:
15708 proto_tree_add_text(htree, tvb, 0, 0,
15709 "Continuation to: <unknown frame>");
15713 } else { /* normal bidirectional request or response */
15714 si->unidir = FALSE;
15716 if(!pinfo->fd->flags.visited){
15717 /* first see if we find an unmatched smb "equal" to
15720 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
15722 gboolean cmd_match=FALSE;
15725 * Make sure the SMB we found was the
15726 * same command, or a different command
15727 * that's another valid type of reply
15730 if(si->cmd==sip->cmd){
15733 else if(si->cmd==SMB_COM_NT_CANCEL){
15736 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
15737 && (sip->cmd==SMB_COM_TRANSACTION)){
15740 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
15741 && (sip->cmd==SMB_COM_TRANSACTION2)){
15744 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
15745 && (sip->cmd==SMB_COM_NT_TRANSACT)){
15749 if( (si->request) || (!cmd_match) ) {
15750 /* If we are processing an SMB request but there was already
15751 another "identical" smb resuest we had not matched yet.
15752 This must mean that either we have a retransmission or that the
15753 response to the previous one was lost and the client has reused
15754 the MID for this conversation. In either case it's not much more
15755 we can do than forget the old request and concentrate on the
15756 present one instead.
15758 We also do this cleanup if we see that the cmd in the original
15759 request in sip->cmd is not compatible with the current cmd.
15760 This is to prevent matching errors such as if there were two
15761 SMBs of different cmds but with identical MID and PID values and
15762 if ethereal lost the first reply and the second request.
15764 g_hash_table_remove(si->ct->unmatched, (void *)pid_mid);
15765 sip=NULL; /* XXX should free it as well */
15767 /* we have found a response to some request we have seen earlier.
15768 What we do now depends on whether this is the first response
15769 to that request we see (id frame_res==0) or not.
15771 if(sip->frame_res==0){
15772 /* ok it is the first response we have seen to this packet */
15773 sip->frame_res = pinfo->fd->num;
15774 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15775 new_key->frame = sip->frame_res;
15776 new_key->pid_mid = pid_mid;
15777 g_hash_table_insert(si->ct->matched, new_key, sip);
15779 /* we have already seen another response to this one, but
15780 register it anyway so we see which request it matches
15782 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15783 new_key->frame = pinfo->fd->num;
15784 new_key->pid_mid = pid_mid;
15785 g_hash_table_insert(si->ct->matched, new_key, sip);
15790 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
15791 sip->frame_req = pinfo->fd->num;
15792 sip->frame_res = 0;
15793 sip->req_time.secs=pinfo->fd->abs_secs;
15794 sip->req_time.nsecs=pinfo->fd->abs_usecs*1000;
15796 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)
15797 == (void *)TID_IPC) {
15798 sip->flags |= SMB_SIF_TID_IS_IPC;
15800 sip->cmd = si->cmd;
15801 sip->extra_info = NULL;
15802 g_hash_table_insert(si->ct->unmatched, (void *)pid_mid, sip);
15803 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15804 new_key->frame = sip->frame_req;
15805 new_key->pid_mid = pid_mid;
15806 g_hash_table_insert(si->ct->matched, new_key, sip);
15809 /* we have seen this packet before; check the
15811 If we haven't yet seen the reply, we won't
15812 find the info for it; we don't need it, as
15813 we only use it to save information, and, as
15814 we've seen this packet before, we've already
15815 saved the information.
15817 key.frame = pinfo->fd->num;
15818 key.pid_mid = pid_mid;
15819 sip=g_hash_table_lookup(si->ct->matched, &key);
15824 * Pass the "sip" on to subdissectors through "si".
15830 * Put in fields for the frame number of the frame to which
15831 * this is a response or the frame with the response to this
15832 * frame - if we know the frame number (i.e., it's not 0).
15835 if (sip->frame_res != 0)
15836 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
15838 if (sip->frame_req != 0) {
15839 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
15840 ns.secs = pinfo->fd->abs_secs - sip->req_time.secs;
15841 ns.nsecs = pinfo->fd->abs_usecs*1000 - sip->req_time.nsecs;
15843 ns.nsecs+=1000000000;
15846 proto_tree_add_time(htree, hf_smb_time, tvb,
15853 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
15856 if(flags2 & 0x4000){
15857 /* handle NT 32 bit error code */
15859 nt_status = tvb_get_letohl(tvb, offset);
15861 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
15866 /* handle DOS error code & class */
15867 errclass = tvb_get_guint8(tvb, offset);
15868 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
15872 /* reserved byte */
15873 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
15877 /* XXX - the type of this field depends on the value of
15878 * "errcls", so there is isn't a single value_string array
15879 * fo it, so there can't be a single field for it.
15881 errcode = tvb_get_letohs(tvb, offset);
15882 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
15883 offset, 2, errcode, "Error Code: %s",
15884 decode_smb_error(errclass, errcode));
15889 offset = dissect_smb_flags(tvb, htree, offset);
15892 offset = dissect_smb_flags2(tvb, htree, offset);
15897 * http://www.samba.org/samba/ftp/specs/smbpub.txt
15899 * (a text version of "Microsoft Networks SMB FILE SHARING
15900 * PROTOCOL, Document Version 6.0p") says that:
15902 * the first 2 bytes of these 12 bytes are, for NT Create and X,
15903 * the "High Part of PID";
15905 * the next four bytes are reserved;
15907 * the next four bytes are, for SMB-over-IPX (with no
15908 * NetBIOS involved) two bytes of Session ID and two bytes
15909 * of SequenceNumber.
15911 * Network Monitor 2.x dissects the four bytes before the Session ID
15912 * as a "Key", and the two bytes after the SequenceNumber as
15915 if (pinfo->ptype == PT_IPX &&
15916 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
15917 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
15918 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
15920 * This is SMB-over-IPX.
15921 * XXX - high part of pid?
15922 * XXX - doe we have to worry about "sequenced commands",
15923 * as per the Samba document? They say that for
15924 * "unsequenced commands" (with a sequence number of 0),
15925 * the Mid must be unique, but perhaps the Mid doesn't
15926 * have to be unique for sequenced commands. In at least
15927 * one capture with SMB-over-IPX, however, the Mids
15928 * are unique even for sequenced commands.
15930 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2,
15935 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
15940 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
15944 /* Sequence number */
15945 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
15950 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
15955 * 12 reserved bytes.
15956 * XXX - high part of pid?
15958 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 12, TRUE);
15963 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si->tid);
15967 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
15971 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid);
15975 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
15978 pinfo->private_data = si;
15979 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
15981 /* Append error info from this packet to info string. */
15982 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
15983 if (flags2 & 0x4000) {
15985 * The status is an NT status code; was there
15988 if ((nt_status & 0xC0000000) == 0xC0000000) {
15993 pinfo->cinfo, COL_INFO, ", Error: %s",
15994 val_to_str(nt_status, NT_errors,
15995 "Unknown (0x%08X)"));
15999 * The status is a DOS error class and code; was
16002 if (errclass != SMB_SUCCESS) {
16007 pinfo->cinfo, COL_INFO, ", Error: %s",
16008 decode_smb_error(errclass, errcode));
16013 tap_queue_packet(smb_tap, pinfo, si);
16017 dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
16019 /* must check that this really is a smb packet */
16020 if (!tvb_bytes_exist(tvb, 0, 4))
16023 if( (tvb_get_guint8(tvb, 0) != 0xff)
16024 || (tvb_get_guint8(tvb, 1) != 'S')
16025 || (tvb_get_guint8(tvb, 2) != 'M')
16026 || (tvb_get_guint8(tvb, 3) != 'B') ){
16030 dissect_smb(tvb, pinfo, parent_tree);
16035 proto_register_smb(void)
16037 static hf_register_info hf[] = {
16039 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
16040 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
16042 { &hf_smb_word_count,
16043 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
16044 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
16046 { &hf_smb_byte_count,
16047 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
16048 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
16050 { &hf_smb_response_to,
16051 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
16052 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
16055 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
16056 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
16058 { &hf_smb_response_in,
16059 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
16060 NULL, 0, "The response to this packet is in this packet", HFILL }},
16062 { &hf_smb_continuation_to,
16063 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
16064 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
16066 { &hf_smb_nt_status,
16067 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
16068 VALS(NT_errors), 0, "NT Status code", HFILL }},
16070 { &hf_smb_error_class,
16071 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
16072 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
16074 { &hf_smb_error_code,
16075 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
16076 NULL, 0, "DOS Error Code", HFILL }},
16078 { &hf_smb_reserved,
16079 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
16080 NULL, 0, "Reserved bytes, must be zero", HFILL }},
16083 { "Key", "smb.key", FT_UINT32, BASE_HEX,
16084 NULL, 0, "SMB-over-IPX Key", HFILL }},
16086 { &hf_smb_session_id,
16087 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
16088 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
16090 { &hf_smb_sequence_num,
16091 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
16092 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
16094 { &hf_smb_group_id,
16095 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
16096 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
16099 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
16100 NULL, 0, "Process ID", HFILL }},
16103 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
16104 NULL, 0, "Tree ID", HFILL }},
16107 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
16108 NULL, 0, "User ID", HFILL }},
16111 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
16112 NULL, 0, "Multiplex ID", HFILL }},
16114 { &hf_smb_flags_lock,
16115 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
16116 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
16118 { &hf_smb_flags_receive_buffer,
16119 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
16120 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
16122 { &hf_smb_flags_caseless,
16123 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
16124 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
16126 { &hf_smb_flags_canon,
16127 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
16128 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
16130 { &hf_smb_flags_oplock,
16131 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
16132 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
16134 { &hf_smb_flags_notify,
16135 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
16136 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
16138 { &hf_smb_flags_response,
16139 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
16140 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
16142 { &hf_smb_flags2_long_names_allowed,
16143 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
16144 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
16146 { &hf_smb_flags2_ea,
16147 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
16148 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
16150 { &hf_smb_flags2_sec_sig,
16151 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
16152 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
16154 { &hf_smb_flags2_long_names_used,
16155 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
16156 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
16158 { &hf_smb_flags2_esn,
16159 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
16160 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
16162 { &hf_smb_flags2_dfs,
16163 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
16164 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
16166 { &hf_smb_flags2_roe,
16167 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
16168 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
16170 { &hf_smb_flags2_nt_error,
16171 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
16172 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
16174 { &hf_smb_flags2_string,
16175 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
16176 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
16178 { &hf_smb_buffer_format,
16179 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
16180 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
16182 { &hf_smb_dialect_name,
16183 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
16184 NULL, 0, "Name of dialect", HFILL }},
16186 { &hf_smb_dialect_index,
16187 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
16188 NULL, 0, "Index of selected dialect", HFILL }},
16190 { &hf_smb_max_trans_buf_size,
16191 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
16192 NULL, 0, "Maximum transmit buffer size", HFILL }},
16194 { &hf_smb_max_mpx_count,
16195 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
16196 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
16198 { &hf_smb_max_vcs_num,
16199 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
16200 NULL, 0, "Maximum VCs between client and server", HFILL }},
16202 { &hf_smb_session_key,
16203 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
16204 NULL, 0, "Unique token identifying this session", HFILL }},
16206 { &hf_smb_server_timezone,
16207 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
16208 NULL, 0, "Current timezone at server.", HFILL }},
16210 { &hf_smb_encryption_key_length,
16211 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
16212 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
16214 { &hf_smb_encryption_key,
16215 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
16216 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
16218 { &hf_smb_primary_domain,
16219 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
16220 NULL, 0, "The server's primary domain", HFILL }},
16223 { "Server", "smb.server", FT_STRING, BASE_NONE,
16224 NULL, 0, "The name of the DC/server", HFILL }},
16226 { &hf_smb_max_raw_buf_size,
16227 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
16228 NULL, 0, "Maximum raw buffer size", HFILL }},
16230 { &hf_smb_server_guid,
16231 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
16232 NULL, 0, "Globally unique identifier for this server", HFILL }},
16234 { &hf_smb_security_blob_len,
16235 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
16236 NULL, 0, "Security blob length", HFILL }},
16238 { &hf_smb_security_blob,
16239 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
16240 NULL, 0, "Security blob", HFILL }},
16242 { &hf_smb_sm_mode16,
16243 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
16244 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
16246 { &hf_smb_sm_password16,
16247 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
16248 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
16251 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
16252 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
16254 { &hf_smb_sm_password,
16255 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
16256 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
16258 { &hf_smb_sm_signatures,
16259 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
16260 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
16262 { &hf_smb_sm_sig_required,
16263 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
16264 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
16267 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
16268 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
16270 { &hf_smb_rm_write,
16271 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
16272 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
16274 { &hf_smb_server_date_time,
16275 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
16276 NULL, 0, "Current date and time at server", HFILL }},
16278 { &hf_smb_server_smb_date,
16279 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
16280 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
16282 { &hf_smb_server_smb_time,
16283 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
16284 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
16286 { &hf_smb_server_cap_raw_mode,
16287 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
16288 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
16290 { &hf_smb_server_cap_mpx_mode,
16291 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
16292 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
16294 { &hf_smb_server_cap_unicode,
16295 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
16296 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
16298 { &hf_smb_server_cap_large_files,
16299 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
16300 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
16302 { &hf_smb_server_cap_nt_smbs,
16303 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
16304 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
16306 { &hf_smb_server_cap_rpc_remote_apis,
16307 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
16308 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
16310 { &hf_smb_server_cap_nt_status,
16311 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
16312 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
16314 { &hf_smb_server_cap_level_ii_oplocks,
16315 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
16316 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
16318 { &hf_smb_server_cap_lock_and_read,
16319 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
16320 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
16322 { &hf_smb_server_cap_nt_find,
16323 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
16324 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
16326 { &hf_smb_server_cap_dfs,
16327 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
16328 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
16330 { &hf_smb_server_cap_infolevel_passthru,
16331 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
16332 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
16334 { &hf_smb_server_cap_large_readx,
16335 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
16336 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
16338 { &hf_smb_server_cap_large_writex,
16339 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
16340 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
16342 { &hf_smb_server_cap_unix,
16343 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
16344 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
16346 { &hf_smb_server_cap_reserved,
16347 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
16348 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
16350 { &hf_smb_server_cap_bulk_transfer,
16351 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
16352 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
16354 { &hf_smb_server_cap_compressed_data,
16355 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
16356 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
16358 { &hf_smb_server_cap_extended_security,
16359 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
16360 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
16362 { &hf_smb_system_time,
16363 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
16364 NULL, 0, "System Time", HFILL }},
16367 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
16368 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
16370 { &hf_smb_dir_name,
16371 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
16372 NULL, 0, "SMB Directory Name", HFILL }},
16374 { &hf_smb_echo_count,
16375 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
16376 NULL, 0, "Number of times to echo data back", HFILL }},
16378 { &hf_smb_echo_data,
16379 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
16380 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
16382 { &hf_smb_echo_seq_num,
16383 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
16384 NULL, 0, "Sequence number for this echo response", HFILL }},
16386 { &hf_smb_max_buf_size,
16387 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
16388 NULL, 0, "Max client buffer size", HFILL }},
16391 { "Path", "smb.path", FT_STRING, BASE_NONE,
16392 NULL, 0, "Path. Server name and share name", HFILL }},
16395 { "Service", "smb.service", FT_STRING, BASE_NONE,
16396 NULL, 0, "Service name", HFILL }},
16398 { &hf_smb_password,
16399 { "Password", "smb.password", FT_BYTES, BASE_NONE,
16400 NULL, 0, "Password", HFILL }},
16402 { &hf_smb_ansi_password,
16403 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
16404 NULL, 0, "ANSI Password", HFILL }},
16406 { &hf_smb_unicode_password,
16407 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
16408 NULL, 0, "Unicode Password", HFILL }},
16410 { &hf_smb_move_flags_file,
16411 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
16412 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
16414 { &hf_smb_move_flags_dir,
16415 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
16416 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
16418 { &hf_smb_move_flags_verify,
16419 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
16420 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
16422 { &hf_smb_files_moved,
16423 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
16424 NULL, 0, "Number of files moved", HFILL }},
16426 { &hf_smb_copy_flags_file,
16427 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
16428 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
16430 { &hf_smb_copy_flags_dir,
16431 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
16432 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
16434 { &hf_smb_copy_flags_dest_mode,
16435 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
16436 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
16438 { &hf_smb_copy_flags_source_mode,
16439 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
16440 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
16442 { &hf_smb_copy_flags_verify,
16443 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
16444 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
16446 { &hf_smb_copy_flags_tree_copy,
16447 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
16448 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
16450 { &hf_smb_copy_flags_ea_action,
16451 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
16452 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
16455 { "Count", "smb.count", FT_UINT32, BASE_DEC,
16456 NULL, 0, "Count number of items/bytes", HFILL }},
16458 { &hf_smb_file_name,
16459 { "File Name", "smb.file", FT_STRING, BASE_NONE,
16460 NULL, 0, "File Name", HFILL }},
16462 { &hf_smb_open_function_create,
16463 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
16464 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
16466 { &hf_smb_open_function_open,
16467 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
16468 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
16471 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
16472 NULL, 0, "FID: File ID", HFILL }},
16474 { &hf_smb_file_attr_read_only_16bit,
16475 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
16476 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16478 { &hf_smb_file_attr_read_only_8bit,
16479 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
16480 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16482 { &hf_smb_file_attr_hidden_16bit,
16483 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
16484 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16486 { &hf_smb_file_attr_hidden_8bit,
16487 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
16488 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16490 { &hf_smb_file_attr_system_16bit,
16491 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
16492 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16494 { &hf_smb_file_attr_system_8bit,
16495 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
16496 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16498 { &hf_smb_file_attr_volume_16bit,
16499 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
16500 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
16502 { &hf_smb_file_attr_volume_8bit,
16503 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
16504 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
16506 { &hf_smb_file_attr_directory_16bit,
16507 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
16508 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16510 { &hf_smb_file_attr_directory_8bit,
16511 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
16512 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16514 { &hf_smb_file_attr_archive_16bit,
16515 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
16516 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16518 { &hf_smb_file_attr_archive_8bit,
16519 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
16520 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16522 { &hf_smb_file_attr_device,
16523 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
16524 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
16526 { &hf_smb_file_attr_normal,
16527 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
16528 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
16530 { &hf_smb_file_attr_temporary,
16531 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
16532 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
16534 { &hf_smb_file_attr_sparse,
16535 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
16536 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
16538 { &hf_smb_file_attr_reparse,
16539 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
16540 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
16542 { &hf_smb_file_attr_compressed,
16543 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
16544 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
16546 { &hf_smb_file_attr_offline,
16547 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
16548 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
16550 { &hf_smb_file_attr_not_content_indexed,
16551 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
16552 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
16554 { &hf_smb_file_attr_encrypted,
16555 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
16556 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
16558 { &hf_smb_file_size,
16559 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
16560 NULL, 0, "File Size", HFILL }},
16562 { &hf_smb_search_attribute_read_only,
16563 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
16564 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
16566 { &hf_smb_search_attribute_hidden,
16567 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
16568 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
16570 { &hf_smb_search_attribute_system,
16571 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
16572 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
16574 { &hf_smb_search_attribute_volume,
16575 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
16576 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
16578 { &hf_smb_search_attribute_directory,
16579 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
16580 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
16582 { &hf_smb_search_attribute_archive,
16583 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
16584 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
16586 { &hf_smb_access_mode,
16587 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
16588 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
16590 { &hf_smb_access_sharing,
16591 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
16592 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
16594 { &hf_smb_access_locality,
16595 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
16596 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
16598 { &hf_smb_access_caching,
16599 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
16600 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
16602 { &hf_smb_access_writetru,
16603 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
16604 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
16606 { &hf_smb_create_time,
16607 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
16608 NULL, 0, "Creation Time", HFILL }},
16610 { &hf_smb_modify_time,
16611 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
16612 NULL, 0, "Modification Time", HFILL }},
16614 { &hf_smb_backup_time,
16615 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
16616 NULL, 0, "Backup time", HFILL}},
16618 { &hf_smb_mac_alloc_block_count,
16619 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
16620 NULL, 0, "Allocation Block Count", HFILL}},
16622 { &hf_smb_mac_alloc_block_size,
16623 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
16624 NULL, 0, "Allocation Block Size", HFILL}},
16626 { &hf_smb_mac_free_block_count,
16627 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
16628 NULL, 0, "Free Block Count", HFILL}},
16630 { &hf_smb_mac_root_file_count,
16631 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
16632 NULL, 0, "Root File Count", HFILL}},
16634 { &hf_smb_mac_root_dir_count,
16635 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
16636 NULL, 0, "Root Directory Count", HFILL}},
16638 { &hf_smb_mac_file_count,
16639 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
16640 NULL, 0, "File Count", HFILL}},
16642 { &hf_smb_mac_dir_count,
16643 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
16644 NULL, 0, "Directory Count", HFILL}},
16646 { &hf_smb_mac_support_flags,
16647 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
16648 NULL, 0, "Mac Support Flags", HFILL}},
16650 { &hf_smb_mac_sup_access_ctrl,
16651 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
16652 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
16654 { &hf_smb_mac_sup_getset_comments,
16655 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
16656 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
16658 { &hf_smb_mac_sup_desktopdb_calls,
16659 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
16660 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
16662 { &hf_smb_mac_sup_unique_ids,
16663 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
16664 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
16666 { &hf_smb_mac_sup_streams,
16667 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
16668 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
16670 { &hf_smb_create_dos_date,
16671 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
16672 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
16674 { &hf_smb_create_dos_time,
16675 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
16676 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
16678 { &hf_smb_last_write_time,
16679 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
16680 NULL, 0, "Time this file was last written to", HFILL }},
16682 { &hf_smb_last_write_dos_date,
16683 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
16684 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
16686 { &hf_smb_last_write_dos_time,
16687 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
16688 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
16690 { &hf_smb_old_file_name,
16691 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
16692 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
16695 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
16696 NULL, 0, "Offset in file", HFILL }},
16698 { &hf_smb_remaining,
16699 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
16700 NULL, 0, "Remaining number of bytes", HFILL }},
16703 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
16704 NULL, 0, "Padding or unknown data", HFILL }},
16706 { &hf_smb_file_data,
16707 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
16708 NULL, 0, "Data read/written to the file", HFILL }},
16710 { &hf_smb_mac_fndrinfo,
16711 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
16712 NULL, 0, "Finder Info", HFILL}},
16714 { &hf_smb_total_data_len,
16715 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
16716 NULL, 0, "Total length of data", HFILL }},
16718 { &hf_smb_data_len,
16719 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
16720 NULL, 0, "Length of data", HFILL }},
16722 { &hf_smb_seek_mode,
16723 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
16724 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
16726 { &hf_smb_access_time,
16727 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
16728 NULL, 0, "Last Access Time", HFILL }},
16730 { &hf_smb_access_dos_date,
16731 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
16732 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
16734 { &hf_smb_access_dos_time,
16735 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
16736 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
16738 { &hf_smb_data_size,
16739 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
16740 NULL, 0, "Data Size", HFILL }},
16742 { &hf_smb_alloc_size,
16743 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
16744 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
16746 { &hf_smb_max_count,
16747 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
16748 NULL, 0, "Maximum Count", HFILL }},
16750 { &hf_smb_min_count,
16751 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
16752 NULL, 0, "Minimum Count", HFILL }},
16755 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
16756 NULL, 0, "Timeout in miliseconds", HFILL }},
16758 { &hf_smb_high_offset,
16759 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
16760 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
16763 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
16764 NULL, 0, "Total number of units at server", HFILL }},
16767 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
16768 NULL, 0, "Blocks per unit at server", HFILL }},
16770 { &hf_smb_blocksize,
16771 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
16772 NULL, 0, "Block size (in bytes) at server", HFILL }},
16774 { &hf_smb_freeunits,
16775 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
16776 NULL, 0, "Number of free units at server", HFILL }},
16778 { &hf_smb_data_offset,
16779 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
16780 NULL, 0, "Data Offset", HFILL }},
16783 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
16784 NULL, 0, "Data Compaction Mode", HFILL }},
16786 { &hf_smb_request_mask,
16787 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
16788 NULL, 0, "Connectionless mode mask", HFILL }},
16790 { &hf_smb_response_mask,
16791 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
16792 NULL, 0, "Connectionless mode mask", HFILL }},
16794 { &hf_smb_search_id,
16795 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
16796 NULL, 0, "Search ID, handle for find operations", HFILL }},
16798 { &hf_smb_write_mode_write_through,
16799 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
16800 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
16802 { &hf_smb_write_mode_return_remaining,
16803 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
16804 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
16806 { &hf_smb_write_mode_raw,
16807 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
16808 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
16810 { &hf_smb_write_mode_message_start,
16811 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
16812 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
16814 { &hf_smb_write_mode_connectionless,
16815 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
16816 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
16818 { &hf_smb_resume_key_len,
16819 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
16820 NULL, 0, "Resume Key length", HFILL }},
16822 { &hf_smb_resume_find_id,
16823 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
16824 NULL, 0, "Handle for Find operation", HFILL }},
16826 { &hf_smb_resume_server_cookie,
16827 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
16828 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
16830 { &hf_smb_resume_client_cookie,
16831 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
16832 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
16834 { &hf_smb_andxoffset,
16835 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
16836 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
16838 { &hf_smb_lock_type_large,
16839 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
16840 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
16842 { &hf_smb_lock_type_cancel,
16843 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
16844 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
16846 { &hf_smb_lock_type_change,
16847 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
16848 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
16850 { &hf_smb_lock_type_oplock,
16851 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
16852 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
16854 { &hf_smb_lock_type_shared,
16855 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
16856 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
16858 { &hf_smb_locking_ol,
16859 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
16860 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
16862 { &hf_smb_number_of_locks,
16863 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
16864 NULL, 0, "Number of lock requests in this request", HFILL }},
16866 { &hf_smb_number_of_unlocks,
16867 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
16868 NULL, 0, "Number of unlock requests in this request", HFILL }},
16870 { &hf_smb_lock_long_length,
16871 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
16872 NULL, 0, "Length of lock/unlock region", HFILL }},
16874 { &hf_smb_lock_long_offset,
16875 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
16876 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
16878 { &hf_smb_file_type,
16879 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
16880 VALS(filetype_vals), 0, "Type of file", HFILL }},
16882 { &hf_smb_ipc_state_nonblocking,
16883 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
16884 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
16886 { &hf_smb_ipc_state_endpoint,
16887 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
16888 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
16890 { &hf_smb_ipc_state_pipe_type,
16891 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
16892 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
16894 { &hf_smb_ipc_state_read_mode,
16895 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
16896 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
16898 { &hf_smb_ipc_state_icount,
16899 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
16900 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
16902 { &hf_smb_server_fid,
16903 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
16904 NULL, 0, "Server unique File ID", HFILL }},
16906 { &hf_smb_open_flags_add_info,
16907 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
16908 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
16910 { &hf_smb_open_flags_ex_oplock,
16911 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
16912 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
16914 { &hf_smb_open_flags_batch_oplock,
16915 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
16916 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
16918 { &hf_smb_open_flags_ealen,
16919 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
16920 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
16922 { &hf_smb_open_action_open,
16923 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
16924 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
16926 { &hf_smb_open_action_lock,
16927 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
16928 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
16931 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
16932 NULL, 0, "VC Number", HFILL }},
16934 { &hf_smb_password_len,
16935 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
16936 NULL, 0, "Length of password", HFILL }},
16938 { &hf_smb_ansi_password_len,
16939 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
16940 NULL, 0, "Length of ANSI password", HFILL }},
16942 { &hf_smb_unicode_password_len,
16943 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
16944 NULL, 0, "Length of Unicode password", HFILL }},
16947 { "Account", "smb.account", FT_STRING, BASE_NONE,
16948 NULL, 0, "Account, username", HFILL }},
16951 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
16952 NULL, 0, "Which OS we are running", HFILL }},
16955 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
16956 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
16958 { &hf_smb_setup_action_guest,
16959 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
16960 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
16963 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
16964 NULL, 0, "Native File System", HFILL }},
16966 { &hf_smb_connect_flags_dtid,
16967 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
16968 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
16970 { &hf_smb_connect_support_search,
16971 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
16972 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
16974 { &hf_smb_connect_support_in_dfs,
16975 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
16976 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
16978 { &hf_smb_max_setup_count,
16979 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
16980 NULL, 0, "Maximum number of setup words to return", HFILL }},
16982 { &hf_smb_total_param_count,
16983 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
16984 NULL, 0, "Total number of parameter bytes", HFILL }},
16986 { &hf_smb_total_data_count,
16987 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
16988 NULL, 0, "Total number of data bytes", HFILL }},
16990 { &hf_smb_max_param_count,
16991 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
16992 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
16994 { &hf_smb_max_data_count,
16995 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
16996 NULL, 0, "Maximum number of data bytes to return", HFILL }},
16998 { &hf_smb_param_disp16,
16999 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
17000 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17002 { &hf_smb_param_count16,
17003 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
17004 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17006 { &hf_smb_param_offset16,
17007 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
17008 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17010 { &hf_smb_param_disp32,
17011 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
17012 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17014 { &hf_smb_param_count32,
17015 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
17016 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17018 { &hf_smb_param_offset32,
17019 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
17020 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17022 { &hf_smb_data_count16,
17023 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
17024 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17026 { &hf_smb_data_disp16,
17027 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
17028 NULL, 0, "Data Displacement", HFILL }},
17030 { &hf_smb_data_offset16,
17031 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17032 NULL, 0, "Data Offset", HFILL }},
17034 { &hf_smb_data_count32,
17035 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
17036 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17038 { &hf_smb_data_disp32,
17039 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
17040 NULL, 0, "Data Displacement", HFILL }},
17042 { &hf_smb_data_offset32,
17043 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
17044 NULL, 0, "Data Offset", HFILL }},
17046 { &hf_smb_setup_count,
17047 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
17048 NULL, 0, "Number of setup words in this buffer", HFILL }},
17050 { &hf_smb_nt_trans_subcmd,
17051 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
17052 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
17054 { &hf_smb_nt_ioctl_function_code,
17055 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
17056 NULL, 0, "NT IOCTL function code", HFILL }},
17058 { &hf_smb_nt_ioctl_isfsctl,
17059 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
17060 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
17062 { &hf_smb_nt_ioctl_flags_root_handle,
17063 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
17064 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
17066 { &hf_smb_nt_ioctl_data,
17067 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
17068 NULL, 0, "Data for the IOCTL call", HFILL }},
17070 { &hf_smb_nt_notify_action,
17071 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
17072 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
17074 { &hf_smb_nt_notify_watch_tree,
17075 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
17076 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
17078 { &hf_smb_nt_notify_stream_write,
17079 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
17080 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
17082 { &hf_smb_nt_notify_stream_size,
17083 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
17084 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
17086 { &hf_smb_nt_notify_stream_name,
17087 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
17088 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
17090 { &hf_smb_nt_notify_security,
17091 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
17092 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
17094 { &hf_smb_nt_notify_ea,
17095 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
17096 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
17098 { &hf_smb_nt_notify_creation,
17099 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
17100 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
17102 { &hf_smb_nt_notify_last_access,
17103 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
17104 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
17106 { &hf_smb_nt_notify_last_write,
17107 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
17108 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
17110 { &hf_smb_nt_notify_size,
17111 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
17112 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
17114 { &hf_smb_nt_notify_attributes,
17115 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
17116 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
17118 { &hf_smb_nt_notify_dir_name,
17119 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
17120 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
17122 { &hf_smb_nt_notify_file_name,
17123 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
17124 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
17126 { &hf_smb_root_dir_fid,
17127 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
17128 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
17130 { &hf_smb_alloc_size64,
17131 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
17132 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17134 { &hf_smb_nt_create_disposition,
17135 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
17136 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
17138 { &hf_smb_sd_length,
17139 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
17140 NULL, 0, "Total length of security descriptor", HFILL }},
17142 { &hf_smb_ea_length,
17143 { "EA Length", "smb.ea.length", FT_UINT32, BASE_DEC,
17144 NULL, 0, "Total EA length for opened file", HFILL }},
17146 { &hf_smb_file_name_len,
17147 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
17148 NULL, 0, "Length of File Name", HFILL }},
17150 { &hf_smb_nt_impersonation_level,
17151 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
17152 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
17154 { &hf_smb_nt_security_flags_context_tracking,
17155 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
17156 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
17158 { &hf_smb_nt_security_flags_effective_only,
17159 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
17160 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
17162 { &hf_smb_nt_access_mask_generic_read,
17163 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
17164 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
17166 { &hf_smb_nt_access_mask_generic_write,
17167 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
17168 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
17170 { &hf_smb_nt_access_mask_generic_execute,
17171 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
17172 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
17174 { &hf_smb_nt_access_mask_generic_all,
17175 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
17176 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
17178 { &hf_smb_nt_access_mask_maximum_allowed,
17179 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
17180 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
17182 { &hf_smb_nt_access_mask_system_security,
17183 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
17184 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
17186 { &hf_smb_nt_access_mask_synchronize,
17187 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
17188 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
17190 { &hf_smb_nt_access_mask_write_owner,
17191 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
17192 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
17194 { &hf_smb_nt_access_mask_write_dac,
17195 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
17196 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
17198 { &hf_smb_nt_access_mask_read_control,
17199 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
17200 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
17202 { &hf_smb_nt_access_mask_delete,
17203 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
17204 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
17206 { &hf_smb_nt_access_mask_write_attributes,
17207 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
17208 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
17210 { &hf_smb_nt_access_mask_read_attributes,
17211 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
17212 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
17214 { &hf_smb_nt_access_mask_delete_child,
17215 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
17216 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
17219 * "Execute" for files, "traverse" for directories.
17221 { &hf_smb_nt_access_mask_execute,
17222 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
17223 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
17225 { &hf_smb_nt_access_mask_write_ea,
17226 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
17227 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
17229 { &hf_smb_nt_access_mask_read_ea,
17230 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
17231 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
17234 * "Append data" for files, "add subdirectory" for directories,
17235 * "create pipe instance" for named pipes.
17237 { &hf_smb_nt_access_mask_append,
17238 { "Append", "smb.access.append", FT_BOOLEAN, 32,
17239 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
17242 * "Write data" for files and pipes, "add file" for directory.
17244 { &hf_smb_nt_access_mask_write,
17245 { "Write", "smb.access.write", FT_BOOLEAN, 32,
17246 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
17249 * "Read data" for files and pipes, "list directory" for directory.
17251 { &hf_smb_nt_access_mask_read,
17252 { "Read", "smb.access.read", FT_BOOLEAN, 32,
17253 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
17255 { &hf_smb_nt_create_bits_oplock,
17256 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
17257 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
17259 { &hf_smb_nt_create_bits_boplock,
17260 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
17261 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
17263 { &hf_smb_nt_create_bits_dir,
17264 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
17265 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
17267 { &hf_smb_nt_create_options_directory_file,
17268 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
17269 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
17271 { &hf_smb_nt_create_options_write_through,
17272 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
17273 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
17275 { &hf_smb_nt_create_options_sequential_only,
17276 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
17277 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
17279 { &hf_smb_nt_create_options_sync_io_alert,
17280 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
17281 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
17283 { &hf_smb_nt_create_options_sync_io_nonalert,
17284 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
17285 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
17287 { &hf_smb_nt_create_options_non_directory_file,
17288 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
17289 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
17291 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
17292 and "NtOpenFile()"; is that sent over the wire? Network
17293 Monitor thinks so, but its author may just have grabbed
17294 the flag bits from a system header file. */
17296 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
17297 and "NtOpenFile()"; is that sent over the wire? NetMon
17298 thinks so, but see previous comment. */
17300 { &hf_smb_nt_create_options_no_ea_knowledge,
17301 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
17302 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
17304 { &hf_smb_nt_create_options_eight_dot_three_only,
17305 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
17306 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
17308 { &hf_smb_nt_create_options_random_access,
17309 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
17310 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
17312 { &hf_smb_nt_create_options_delete_on_close,
17313 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
17314 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
17316 /* 0x00002000 is "open by FID", or something such as that (which
17317 I suspect is like "open by inumber" on UNIX), at least in
17318 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
17319 wire? NetMon thinks so, but see previous comment. */
17321 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
17322 and "NtOpenFile()"; is that sent over the wire? NetMon
17323 thinks so, but see previous comment. */
17325 { &hf_smb_nt_share_access_read,
17326 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
17327 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
17329 { &hf_smb_nt_share_access_write,
17330 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
17331 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
17333 { &hf_smb_nt_share_access_delete,
17334 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
17335 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
17337 { &hf_smb_file_eattr_read_only,
17338 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
17339 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17341 { &hf_smb_file_eattr_hidden,
17342 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
17343 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17345 { &hf_smb_file_eattr_system,
17346 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
17347 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17349 { &hf_smb_file_eattr_volume,
17350 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
17351 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
17353 { &hf_smb_file_eattr_directory,
17354 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
17355 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17357 { &hf_smb_file_eattr_archive,
17358 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
17359 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17361 { &hf_smb_file_eattr_device,
17362 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
17363 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
17365 { &hf_smb_file_eattr_normal,
17366 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
17367 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
17369 { &hf_smb_file_eattr_temporary,
17370 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
17371 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
17373 { &hf_smb_file_eattr_sparse,
17374 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
17375 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
17377 { &hf_smb_file_eattr_reparse,
17378 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
17379 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
17381 { &hf_smb_file_eattr_compressed,
17382 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
17383 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
17385 { &hf_smb_file_eattr_offline,
17386 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
17387 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
17389 { &hf_smb_file_eattr_not_content_indexed,
17390 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
17391 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
17393 { &hf_smb_file_eattr_encrypted,
17394 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
17395 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
17397 { &hf_smb_sec_desc_len,
17398 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
17399 NULL, 0, "Security Descriptor Length", HFILL }},
17401 { &hf_smb_nt_qsd_owner,
17402 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
17403 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
17405 { &hf_smb_nt_qsd_group,
17406 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
17407 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
17409 { &hf_smb_nt_qsd_dacl,
17410 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
17411 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
17413 { &hf_smb_nt_qsd_sacl,
17414 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
17415 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
17417 { &hf_smb_extended_attributes,
17418 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
17419 NULL, 0, "Extended Attributes", HFILL }},
17421 { &hf_smb_oplock_level,
17422 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
17423 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
17425 { &hf_smb_create_action,
17426 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
17427 VALS(create_disposition_vals), 0, "Type of action taken", HFILL }},
17430 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
17431 NULL, 0, "Server unique file ID", HFILL }},
17433 { &hf_smb_ea_error_offset,
17434 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
17435 NULL, 0, "Offset into EA list if EA error", HFILL }},
17437 { &hf_smb_end_of_file,
17438 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
17439 NULL, 0, "Offset to the first free byte in the file", HFILL }},
17441 { &hf_smb_device_type,
17442 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
17443 VALS(device_type_vals), 0, "Type of device", HFILL }},
17445 { &hf_smb_is_directory,
17446 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
17447 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
17449 { &hf_smb_next_entry_offset,
17450 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
17451 NULL, 0, "Offset to next entry", HFILL }},
17453 { &hf_smb_change_time,
17454 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
17455 NULL, 0, "Last Change Time", HFILL }},
17457 { &hf_smb_setup_len,
17458 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
17459 NULL, 0, "Length of printer setup data", HFILL }},
17461 { &hf_smb_print_mode,
17462 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
17463 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
17465 { &hf_smb_print_identifier,
17466 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
17467 NULL, 0, "Identifier string for this print job", HFILL }},
17469 { &hf_smb_restart_index,
17470 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
17471 NULL, 0, "Index of entry after last returned", HFILL }},
17473 { &hf_smb_print_queue_date,
17474 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
17475 NULL, 0, "Date when this entry was queued", HFILL }},
17477 { &hf_smb_print_queue_dos_date,
17478 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
17479 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
17481 { &hf_smb_print_queue_dos_time,
17482 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
17483 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
17485 { &hf_smb_print_status,
17486 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
17487 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
17489 { &hf_smb_print_spool_file_number,
17490 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
17491 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
17493 { &hf_smb_print_spool_file_size,
17494 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
17495 NULL, 0, "Number of bytes in spool file", HFILL }},
17497 { &hf_smb_print_spool_file_name,
17498 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
17499 NULL, 0, "Name of client that submitted this job", HFILL }},
17501 { &hf_smb_start_index,
17502 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
17503 NULL, 0, "First queue entry to return", HFILL }},
17505 { &hf_smb_originator_name,
17506 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
17507 NULL, 0, "Name of sender of message", HFILL }},
17509 { &hf_smb_destination_name,
17510 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
17511 NULL, 0, "Name of recipient of message", HFILL }},
17513 { &hf_smb_message_len,
17514 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
17515 NULL, 0, "Length of message", HFILL }},
17518 { "Message", "smb.message", FT_STRING, BASE_NONE,
17519 NULL, 0, "Message text", HFILL }},
17522 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
17523 NULL, 0, "Message group ID for multi-block messages", HFILL }},
17525 { &hf_smb_forwarded_name,
17526 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
17527 NULL, 0, "Recipient name being forwarded", HFILL }},
17529 { &hf_smb_machine_name,
17530 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
17531 NULL, 0, "Name of target machine", HFILL }},
17533 { &hf_smb_cancel_to,
17534 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
17535 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
17537 { &hf_smb_trans2_subcmd,
17538 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
17539 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
17541 { &hf_smb_trans_name,
17542 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
17543 NULL, 0, "Name of transaction", HFILL }},
17545 { &hf_smb_transaction_flags_dtid,
17546 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
17547 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
17549 { &hf_smb_transaction_flags_owt,
17550 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
17551 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
17553 { &hf_smb_search_count,
17554 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
17555 NULL, 0, "Maximum number of search entries to return", HFILL }},
17557 { &hf_smb_search_pattern,
17558 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
17559 NULL, 0, "Search Pattern", HFILL }},
17561 { &hf_smb_ff2_backup,
17562 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
17563 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
17565 { &hf_smb_ff2_continue,
17566 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
17567 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
17569 { &hf_smb_ff2_resume,
17570 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
17571 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
17573 { &hf_smb_ff2_close_eos,
17574 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
17575 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
17577 { &hf_smb_ff2_close,
17578 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
17579 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
17581 { &hf_smb_ff2_information_level,
17582 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
17583 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
17586 { "Level of Interest", "smb.loi", FT_UINT16, BASE_DEC,
17587 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] commands", HFILL }},
17590 { &hf_smb_sfi_writetru,
17591 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
17592 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
17594 { &hf_smb_sfi_caching,
17595 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
17596 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
17599 { &hf_smb_storage_type,
17600 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
17601 NULL, 0, "Type of storage", HFILL }},
17604 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
17605 NULL, 0, "Resume Key", HFILL }},
17607 { &hf_smb_max_referral_level,
17608 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
17609 NULL, 0, "Latest referral version number understood", HFILL }},
17611 { &hf_smb_qfsi_information_level,
17612 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_HEX,
17613 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
17615 { &hf_smb_nt_rename_level,
17616 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
17617 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
17619 { &hf_smb_cluster_count,
17620 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
17621 NULL, 0, "Number of clusters", HFILL }},
17624 { "EA Size", "smb.ea_size", FT_UINT32, BASE_DEC,
17625 NULL, 0, "Size of file's EA information", HFILL }},
17627 { &hf_smb_list_length,
17628 { "ListLength", "smb.list_len", FT_UINT32, BASE_DEC,
17629 NULL, 0, "Length of the remaining data", HFILL }},
17631 { &hf_smb_number_of_links,
17632 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
17633 NULL, 0, "Number of hard links to the file", HFILL }},
17635 { &hf_smb_delete_pending,
17636 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
17637 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
17639 { &hf_smb_index_number,
17640 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
17641 NULL, 0, "File system unique identifier", HFILL }},
17643 { &hf_smb_current_offset,
17644 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
17645 NULL, 0, "Current offset in the file", HFILL }},
17647 { &hf_smb_t2_alignment,
17648 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
17649 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
17651 { &hf_smb_t2_stream_name_length,
17652 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
17653 NULL, 0, "Length of stream name", HFILL }},
17655 { &hf_smb_t2_stream_size,
17656 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
17657 NULL, 0, "Size of the stream in number of bytes", HFILL }},
17659 { &hf_smb_t2_stream_name,
17660 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
17661 NULL, 0, "Name of the stream", HFILL }},
17663 { &hf_smb_t2_compressed_file_size,
17664 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
17665 NULL, 0, "Size of the compressed file", HFILL }},
17667 { &hf_smb_t2_compressed_format,
17668 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
17669 NULL, 0, "Compression algorithm used", HFILL }},
17671 { &hf_smb_t2_compressed_unit_shift,
17672 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
17673 NULL, 0, "Size of the stream in number of bytes", HFILL }},
17675 { &hf_smb_t2_compressed_chunk_shift,
17676 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
17677 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
17679 { &hf_smb_t2_compressed_cluster_shift,
17680 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
17681 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
17683 { &hf_smb_dfs_path_consumed,
17684 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
17685 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
17687 { &hf_smb_dfs_num_referrals,
17688 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
17689 NULL, 0, "Number of referrals in this pdu", HFILL }},
17691 { &hf_smb_get_dfs_server_hold_storage,
17692 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
17693 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
17695 { &hf_smb_get_dfs_fielding,
17696 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
17697 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
17699 { &hf_smb_dfs_referral_version,
17700 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
17701 NULL, 0, "Version of referral element", HFILL }},
17703 { &hf_smb_dfs_referral_size,
17704 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
17705 NULL, 0, "Size of referral element", HFILL }},
17707 { &hf_smb_dfs_referral_server_type,
17708 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
17709 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
17711 { &hf_smb_dfs_referral_flags_strip,
17712 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
17713 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
17715 { &hf_smb_dfs_referral_node_offset,
17716 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
17717 NULL, 0, "Offset of name of entity to visit next", HFILL }},
17719 { &hf_smb_dfs_referral_node,
17720 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
17721 NULL, 0, "Name of entity to visit next", HFILL }},
17723 { &hf_smb_dfs_referral_proximity,
17724 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
17725 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
17727 { &hf_smb_dfs_referral_ttl,
17728 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
17729 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
17731 { &hf_smb_dfs_referral_path_offset,
17732 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
17733 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
17735 { &hf_smb_dfs_referral_path,
17736 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
17737 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
17739 { &hf_smb_dfs_referral_alt_path_offset,
17740 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
17741 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
17743 { &hf_smb_dfs_referral_alt_path,
17744 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
17745 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
17747 { &hf_smb_end_of_search,
17748 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
17749 NULL, 0, "Was last entry returned?", HFILL }},
17751 { &hf_smb_last_name_offset,
17752 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
17753 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
17755 { &hf_smb_fn_information_level,
17756 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
17757 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
17759 { &hf_smb_monitor_handle,
17760 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
17761 NULL, 0, "Handle for Find Notify operations", HFILL }},
17763 { &hf_smb_change_count,
17764 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
17765 NULL, 0, "Number of changes to wait for", HFILL }},
17767 { &hf_smb_file_index,
17768 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
17769 NULL, 0, "File index", HFILL }},
17771 { &hf_smb_short_file_name,
17772 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
17773 NULL, 0, "Short (8.3) File Name", HFILL }},
17775 { &hf_smb_short_file_name_len,
17776 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
17777 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
17780 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
17781 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
17783 { &hf_smb_sector_unit,
17784 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
17785 NULL, 0, "Sectors per allocation unit", HFILL }},
17787 { &hf_smb_fs_units,
17788 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
17789 NULL, 0, "Total number of units on this filesystem", HFILL }},
17791 { &hf_smb_fs_sector,
17792 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
17793 NULL, 0, "Bytes per sector", HFILL }},
17795 { &hf_smb_avail_units,
17796 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
17797 NULL, 0, "Total number of available units on this filesystem", HFILL }},
17799 { &hf_smb_volume_serial_num,
17800 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
17801 NULL, 0, "Volume serial number", HFILL }},
17803 { &hf_smb_volume_label_len,
17804 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
17805 NULL, 0, "Length of volume label", HFILL }},
17807 { &hf_smb_volume_label,
17808 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
17809 NULL, 0, "Volume label", HFILL }},
17811 { &hf_smb_free_alloc_units64,
17812 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
17813 NULL, 0, "Number of free allocation units", HFILL }},
17815 { &hf_smb_caller_free_alloc_units64,
17816 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
17817 NULL, 0, "Number of caller free allocation units", HFILL }},
17819 { &hf_smb_actual_free_alloc_units64,
17820 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
17821 NULL, 0, "Number of actual free allocation units", HFILL }},
17823 { &hf_smb_soft_quota_limit,
17824 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
17825 NULL, 0, "Soft Quota treshold", HFILL }},
17827 { &hf_smb_hard_quota_limit,
17828 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
17829 NULL, 0, "Hard Quota limit", HFILL }},
17831 { &hf_smb_user_quota_used,
17832 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
17833 NULL, 0, "How much Quota is used by this user", HFILL }},
17835 { &hf_smb_max_name_len,
17836 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
17837 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
17839 { &hf_smb_fs_name_len,
17840 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
17841 NULL, 0, "Length of filesystem name in bytes", HFILL }},
17844 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
17845 NULL, 0, "Name of filesystem", HFILL }},
17847 { &hf_smb_device_char_removable,
17848 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
17849 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
17851 { &hf_smb_device_char_read_only,
17852 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
17853 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
17855 { &hf_smb_device_char_floppy,
17856 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
17857 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
17859 { &hf_smb_device_char_write_once,
17860 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
17861 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
17863 { &hf_smb_device_char_remote,
17864 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
17865 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
17867 { &hf_smb_device_char_mounted,
17868 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
17869 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
17871 { &hf_smb_device_char_virtual,
17872 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
17873 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
17875 { &hf_smb_fs_attr_css,
17876 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
17877 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
17879 { &hf_smb_fs_attr_cpn,
17880 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
17881 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
17883 { &hf_smb_fs_attr_pacls,
17884 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
17885 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
17887 { &hf_smb_fs_attr_fc,
17888 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
17889 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
17891 { &hf_smb_fs_attr_vq,
17892 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
17893 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
17895 { &hf_smb_fs_attr_dim,
17896 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
17897 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
17899 { &hf_smb_fs_attr_vic,
17900 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
17901 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
17903 { &hf_smb_sec_desc_revision,
17904 { "Revision", "smb.sec_desc.revision", FT_UINT8, BASE_DEC,
17905 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
17908 { "SID", "smb.sid", FT_STRING, BASE_DEC,
17909 NULL, 0, "SID: Security Identifier", HFILL }},
17911 { &hf_smb_sid_revision,
17912 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
17913 NULL, 0, "Version of SID structure", HFILL }},
17915 { &hf_smb_sid_num_auth,
17916 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
17917 NULL, 0, "Number of authorities for this SID", HFILL }},
17919 { &hf_smb_acl_revision,
17920 { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
17921 NULL, 0, "Version of NT ACL structure", HFILL }},
17923 { &hf_smb_acl_size,
17924 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
17925 NULL, 0, "Size of NT ACL structure", HFILL }},
17927 { &hf_smb_acl_num_aces,
17928 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
17929 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
17931 { &hf_smb_user_quota_offset,
17932 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
17933 NULL, 0, "Relative offset to next user quota structure", HFILL }},
17935 { &hf_smb_ace_type,
17936 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
17937 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
17939 { &hf_smb_pipe_write_len,
17940 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
17941 NULL, 0, "Number of bytes written to pipe", HFILL }},
17943 { &hf_smb_ace_size,
17944 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
17945 NULL, 0, "Size of this ACE", HFILL }},
17947 { &hf_smb_ace_flags_object_inherit,
17948 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
17949 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
17951 { &hf_smb_ace_flags_container_inherit,
17952 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
17953 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
17955 { &hf_smb_ace_flags_non_propagate_inherit,
17956 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
17957 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
17959 { &hf_smb_ace_flags_inherit_only,
17960 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
17961 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
17963 { &hf_smb_ace_flags_inherited_ace,
17964 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
17965 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
17967 { &hf_smb_ace_flags_successful_access,
17968 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
17969 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
17971 { &hf_smb_ace_flags_failed_access,
17972 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
17973 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
17975 { &hf_smb_sec_desc_type_owner_defaulted,
17976 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
17977 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
17979 { &hf_smb_sec_desc_type_group_defaulted,
17980 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
17981 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
17983 { &hf_smb_sec_desc_type_dacl_present,
17984 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
17985 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
17987 { &hf_smb_sec_desc_type_dacl_defaulted,
17988 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
17989 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
17991 { &hf_smb_sec_desc_type_sacl_present,
17992 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
17993 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
17995 { &hf_smb_sec_desc_type_sacl_defaulted,
17996 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
17997 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
17999 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
18000 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
18001 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
18003 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
18004 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
18005 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
18007 { &hf_smb_sec_desc_type_dacl_auto_inherited,
18008 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
18009 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
18011 { &hf_smb_sec_desc_type_sacl_auto_inherited,
18012 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
18013 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
18015 { &hf_smb_sec_desc_type_dacl_protected,
18016 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
18017 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
18019 { &hf_smb_sec_desc_type_sacl_protected,
18020 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
18021 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
18023 { &hf_smb_sec_desc_type_self_relative,
18024 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
18025 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
18027 { &hf_smb_quota_flags_deny_disk,
18028 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
18029 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
18031 { &hf_smb_quota_flags_log_limit,
18032 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
18033 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
18035 { &hf_smb_quota_flags_log_warning,
18036 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
18037 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
18039 { &hf_smb_quota_flags_enabled,
18040 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
18041 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
18043 { &hf_smb_segment_overlap,
18044 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18045 "Fragment overlaps with other fragments", HFILL }},
18047 { &hf_smb_segment_overlap_conflict,
18048 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18049 "Overlapping fragments contained conflicting data", HFILL }},
18051 { &hf_smb_segment_multiple_tails,
18052 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18053 "Several tails were found when defragmenting the packet", HFILL }},
18055 { &hf_smb_segment_too_long_fragment,
18056 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18057 "Fragment contained data past end of packet", HFILL }},
18059 { &hf_smb_segment_error,
18060 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18061 "Defragmentation error due to illegal fragments", HFILL }},
18064 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18065 "SMB Segment", HFILL }},
18067 { &hf_smb_segments,
18068 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
18069 "SMB Segments", HFILL }},
18073 { &hf_smb_access_mask,
18074 { "Access required", "smb.access_mask",
18075 FT_UINT32, BASE_HEX, NULL, 0x0, "Access mask",
18077 { &hf_access_generic_read,
18078 { "Generic read", "nt.access_mask.generic_read",
18079 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18080 GENERIC_READ_ACCESS, "Generic read", HFILL }},
18082 { &hf_access_generic_write,
18083 { "Generic write", "nt.access_mask.generic_write",
18084 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18085 GENERIC_WRITE_ACCESS, "Generic write", HFILL }},
18087 { &hf_access_generic_execute,
18088 { "Generic execute", "nt.access_mask.generic_execute",
18089 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18090 GENERIC_EXECUTE_ACCESS, "Generic execute", HFILL }},
18092 { &hf_access_generic_all,
18093 { "Generic all", "nt.access_mask.generic_all",
18094 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18095 GENERIC_ALL_ACCESS, "Generic all", HFILL }},
18097 { &hf_access_maximum_allowed,
18098 { "Maximum allowed", "nt.access_mask.maximum_allowed",
18099 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18100 MAXIMUM_ALLOWED_ACCESS, "Maximum allowed", HFILL }},
18103 { "Access SACL", "nt.access_mask.access_sacl",
18104 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18105 ACCESS_SACL_ACCESS, "Access SACL", HFILL }},
18107 { &hf_access_standard_read_control,
18108 { "Read control", "nt.access_mask.read_control",
18109 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18110 READ_CONTROL_ACCESS, "Read control", HFILL }},
18112 { &hf_access_standard_delete,
18113 { "Delete", "nt.access_mask.delete",
18114 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18115 DELETE_ACCESS, "Delete", HFILL }},
18117 { &hf_access_standard_synchronise,
18118 { "Synchronise", "nt.access_mask.synchronise",
18119 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18120 SYNCHRONIZE_ACCESS, "Synchronise", HFILL }},
18122 { &hf_access_standard_write_dac,
18123 { "Write DAC", "nt.access_mask.write_dac",
18124 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18125 WRITE_DAC_ACCESS, "Write DAC", HFILL }},
18127 { &hf_access_standard_write_owner,
18128 { "Write owner", "nt.access_mask.write_owner",
18129 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18130 WRITE_OWNER_ACCESS, "Write owner", HFILL }},
18132 { &hf_access_specific_15,
18133 { "Specific access, bit 15", "nt.access_mask.specific_15",
18134 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18135 0x8000, "Specific access, bit 15", HFILL }},
18137 { &hf_access_specific_14,
18138 { "Specific access, bit 14", "nt.access_mask.specific_14",
18139 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18140 0x4000, "Specific access, bit 14", HFILL }},
18142 { &hf_access_specific_13,
18143 { "Specific access, bit 13", "nt.access_mask.specific_13",
18144 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18145 0x2000, "Specific access, bit 13", HFILL }},
18147 { &hf_access_specific_12,
18148 { "Specific access, bit 12", "nt.access_mask.specific_12",
18149 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18150 0x1000, "Specific access, bit 12", HFILL }},
18152 { &hf_access_specific_11,
18153 { "Specific access, bit 11", "nt.access_mask.specific_11",
18154 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18155 0x0800, "Specific access, bit 11", HFILL }},
18157 { &hf_access_specific_10,
18158 { "Specific access, bit 10", "nt.access_mask.specific_10",
18159 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18160 0x0400, "Specific access, bit 10", HFILL }},
18162 { &hf_access_specific_9,
18163 { "Specific access, bit 9", "nt.access_mask.specific_9",
18164 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18165 0x0200, "Specific access, bit 9", HFILL }},
18167 { &hf_access_specific_8,
18168 { "Specific access, bit 8", "nt.access_mask.specific_8",
18169 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18170 0x0100, "Specific access, bit 8", HFILL }},
18172 { &hf_access_specific_7,
18173 { "Specific access, bit 7", "nt.access_mask.specific_7",
18174 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18175 0x0080, "Specific access, bit 7", HFILL }},
18177 { &hf_access_specific_6,
18178 { "Specific access, bit 6", "nt.access_mask.specific_6",
18179 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18180 0x0040, "Specific access, bit 6", HFILL }},
18182 { &hf_access_specific_5,
18183 { "Specific access, bit 5", "nt.access_mask.specific_5",
18184 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18185 0x0020, "Specific access, bit 5", HFILL }},
18187 { &hf_access_specific_4,
18188 { "Specific access, bit 4", "nt.access_mask.specific_4",
18189 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18190 0x0010, "Specific access, bit 4", HFILL }},
18192 { &hf_access_specific_3,
18193 { "Specific access, bit 3", "nt.access_mask.specific_3",
18194 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18195 0x0008, "Specific access, bit 3", HFILL }},
18197 { &hf_access_specific_2,
18198 { "Specific access, bit 2", "nt.access_mask.specific_2",
18199 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18200 0x0004, "Specific access, bit 2", HFILL }},
18202 { &hf_access_specific_1,
18203 { "Specific access, bit 1", "nt.access_mask.specific_1",
18204 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18205 0x0002, "Specific access, bit 1", HFILL }},
18207 { &hf_access_specific_0,
18208 { "Specific access, bit 0", "nt.access_mask.specific_0",
18209 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18210 0x0001, "Specific access, bit 0", HFILL }},
18212 static gint *ett[] = {
18216 &ett_smb_fileattributes,
18217 &ett_smb_capabilities,
18225 &ett_smb_desiredaccess,
18228 &ett_smb_openfunction,
18230 &ett_smb_openaction,
18231 &ett_smb_writemode,
18232 &ett_smb_lock_type,
18233 &ett_smb_ssetupandxaction,
18234 &ett_smb_optionsup,
18235 &ett_smb_time_date,
18236 &ett_smb_move_copy_flags,
18237 &ett_smb_file_attributes,
18238 &ett_smb_search_resume_key,
18239 &ett_smb_search_dir_info,
18244 &ett_smb_open_flags,
18245 &ett_smb_ipc_state,
18246 &ett_smb_open_action,
18247 &ett_smb_setup_action,
18248 &ett_smb_connect_flags,
18249 &ett_smb_connect_support_bits,
18250 &ett_smb_nt_access_mask,
18251 &ett_smb_nt_create_bits,
18252 &ett_smb_nt_create_options,
18253 &ett_smb_nt_share_access,
18254 &ett_smb_nt_security_flags,
18255 &ett_smb_nt_trans_setup,
18256 &ett_smb_nt_trans_data,
18257 &ett_smb_nt_trans_param,
18258 &ett_smb_nt_notify_completion_filter,
18259 &ett_smb_nt_ioctl_flags,
18260 &ett_smb_security_information_mask,
18261 &ett_smb_print_queue_entry,
18262 &ett_smb_transaction_flags,
18263 &ett_smb_transaction_params,
18264 &ett_smb_find_first2_flags,
18268 &ett_smb_transaction_data,
18269 &ett_smb_stream_info,
18270 &ett_smb_dfs_referrals,
18271 &ett_smb_dfs_referral,
18272 &ett_smb_dfs_referral_flags,
18273 &ett_smb_get_dfs_flags,
18275 &ett_smb_device_characteristics,
18276 &ett_smb_fs_attributes,
18283 &ett_smb_ace_flags,
18284 &ett_smb_sec_desc_type,
18285 &ett_smb_quotaflags,
18287 &ett_smb_mac_support_flags,
18288 &ett_nt_access_mask,
18289 &ett_nt_access_mask_generic,
18290 &ett_nt_access_mask_standard,
18291 &ett_nt_access_mask_specific,
18293 module_t *smb_module;
18295 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
18297 proto_register_subtree_array(ett, array_length(ett));
18298 proto_register_field_array(proto_smb, hf, array_length(hf));
18299 register_init_routine(&smb_init_protocol);
18300 smb_module = prefs_register_protocol(proto_smb, NULL);
18301 prefs_register_bool_preference(smb_module, "trans_reassembly",
18302 "Reassemble SMB Transaction payload",
18303 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
18304 &smb_trans_reassembly);
18305 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
18306 "Reassemble DCERPC over SMB",
18307 "Whether the dissector should reassemble DCERPC over SMB commands",
18308 &smb_dcerpc_reassembly);
18309 prefs_register_bool_preference(smb_module, "sid_name_snooping",
18310 "Snoop SID to Name mappings",
18311 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
18312 &sid_name_snooping);
18314 register_init_routine(smb_trans_reassembly_init);
18315 smb_tap = register_tap("smb");
18319 proto_reg_handoff_smb(void)
18321 dissector_handle_t smb_handle;
18323 gssapi_handle = find_dissector("gssapi");
18324 ntlmssp_handle = find_dissector("ntlmssp");
18326 heur_dissector_add("netbios", dissect_smb_heur, proto_smb);
18327 heur_dissector_add("cotp", dissect_smb_heur, proto_smb);
18328 heur_dissector_add("vines_spp", dissect_smb_heur, proto_smb);
18329 smb_handle = create_dissector_handle(dissect_smb, proto_smb);
18330 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
18331 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
18332 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER,