2 * Routines for smb2 packet dissection
5 * For documentation of this protocol, see:
7 * https://wiki.wireshark.org/SMB2
8 * https://msdn.microsoft.com/en-us/library/cc246482.aspx
10 * If you edit this file, keep the wiki updated as well.
12 * Wireshark - Network traffic analyzer
13 * By Gerald Combs <gerald@wireshark.org>
14 * Copyright 1998 Gerald Combs
16 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License
18 * as published by the Free Software Foundation; either version 2
19 * of the License, or (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #include <epan/packet.h>
35 #include <epan/prefs.h>
36 #include <epan/expert.h>
38 #include <epan/srt_table.h>
39 #include <epan/aftypes.h>
40 #include <epan/to_str.h>
41 #include <epan/asn1.h>
42 #include <epan/reassemble.h>
45 #include "packet-smb2.h"
46 #include "packet-ntlmssp.h"
47 #include "packet-kerberos.h"
48 #include "packet-windows-common.h"
49 #include "packet-smb-common.h"
50 #include "packet-dcerpc-nt.h"
52 #include "read_keytab_file.h"
54 #include <wsutil/wsgcrypt.h>
/* Status value 0x00000103, given the name NT_STATUS_PENDING for use in this file. */
56 #define NT_STATUS_PENDING 0x00000103
/*
 * Prototypes for the dissector's registration and handoff entry points.
 * Their bodies are not part of this section of the listing.
 */
58 void proto_register_smb2(void);
59 void proto_reg_handoff_smb2(void);
/* Fixed label strings for the plain SMB2 header and the SMB2 Transform header. */
61 static const char smb_header_label[] = "SMB2 Header";
62 static const char smb_transform_header_label[] = "SMB2 Transform Header";
/*
 * Protocol handle (proto_smb2) followed by header-field handles (hf_*).
 * Every handle in this run is a file-scope int initialised to -1.
 * NOTE(review): presumably each one is given a real id by
 * proto_register_smb2() (prototype above, body not shown here) -- confirm
 * before using a handle in new code.
 */
64 static int proto_smb2 = -1;
65 static int hf_smb2_cmd = -1;
66 static int hf_smb2_nt_status = -1;
67 static int hf_smb2_response_to = -1;
68 static int hf_smb2_response_in = -1;
69 static int hf_smb2_time = -1;
70 static int hf_smb2_header_len = -1;
71 static int hf_smb2_msg_id = -1;
72 static int hf_smb2_pid = -1;
73 static int hf_smb2_tid = -1;
74 static int hf_smb2_aid = -1;
75 static int hf_smb2_sesid = -1;
76 static int hf_smb2_previous_sesid = -1;
77 static int hf_smb2_flags_response = -1;
78 static int hf_smb2_flags_async_cmd = -1;
79 static int hf_smb2_flags_dfs_op = -1;
80 static int hf_smb2_flags_chained = -1;
81 static int hf_smb2_flags_signature = -1;
82 static int hf_smb2_flags_replay_operation = -1;
83 static int hf_smb2_flags_priority_mask = -1;
/*
 * NOTE(review): the name suggests an offset to the next chained message,
 * taken from the packet. Code that follows it should reject a zero or
 * non-advancing value so malformed input cannot stall dissection; that
 * code is not visible in this section -- confirm.
 */
84 static int hf_smb2_chain_offset = -1;
85 static int hf_smb2_security_blob = -1;
86 static int hf_smb2_ioctl_in_data = -1;
87 static int hf_smb2_ioctl_out_data = -1;
88 static int hf_smb2_unknown = -1;
/*
 * Further header-field handles (hf_*), all file-scope ints initialised
 * to -1. Judging by the names, this run covers timestamps, file names,
 * ids, info classes/levels and the GetInfo/SetInfo size and offset fields.
 */
89 static int hf_smb2_root_directory_mbz = -1;
90 static int hf_smb2_twrp_timestamp = -1;
91 static int hf_smb2_mxac_timestamp = -1;
92 static int hf_smb2_mxac_status = -1;
93 static int hf_smb2_qfid_fid = -1;
94 static int hf_smb2_create_timestamp = -1;
95 static int hf_smb2_oplock = -1;
96 static int hf_smb2_close_flags = -1;
97 static int hf_smb2_notify_flags = -1;
98 static int hf_smb2_last_access_timestamp = -1;
99 static int hf_smb2_last_write_timestamp = -1;
100 static int hf_smb2_last_change_timestamp = -1;
101 static int hf_smb2_current_time = -1;
102 static int hf_smb2_boot_time = -1;
103 static int hf_smb2_filename = -1;
104 static int hf_smb2_filename_len = -1;
105 static int hf_smb2_replace_if = -1;
106 static int hf_smb2_nlinks = -1;
107 static int hf_smb2_delete_pending = -1;
108 static int hf_smb2_is_directory = -1;
109 static int hf_smb2_file_id = -1;
110 static int hf_smb2_allocation_size = -1;
111 static int hf_smb2_end_of_file = -1;
112 static int hf_smb2_tree = -1;
113 static int hf_smb2_find_pattern = -1;
114 static int hf_smb2_find_info_level = -1;
115 static int hf_smb2_find_info_blob = -1;
116 static int hf_smb2_client_guid = -1;
117 static int hf_smb2_server_guid = -1;
118 static int hf_smb2_object_id = -1;
119 static int hf_smb2_birth_volume_id = -1;
120 static int hf_smb2_birth_object_id = -1;
121 static int hf_smb2_domain_id = -1;
122 static int hf_smb2_class = -1;
123 static int hf_smb2_infolevel = -1;
124 static int hf_smb2_infolevel_file_info = -1;
125 static int hf_smb2_infolevel_fs_info = -1;
126 static int hf_smb2_infolevel_sec_info = -1;
127 static int hf_smb2_infolevel_posix_info = -1;
128 static int hf_smb2_max_response_size = -1;
129 static int hf_smb2_max_ioctl_in_size = -1;
130 static int hf_smb2_max_ioctl_out_size = -1;
131 static int hf_smb2_flags = -1;
132 static int hf_smb2_required_buffer_size = -1;
/*
 * NOTE(review): this file also declares the expert fields
 * ei_smb2_invalid_getinfo_offset and ei_smb2_invalid_getinfo_size, which
 * suggests the GetInfo input offset/size values below are validated while
 * dissecting. The check itself is not visible in this section -- confirm.
 */
133 static int hf_smb2_getinfo_input_size = -1;
134 static int hf_smb2_getinfo_input_offset = -1;
135 static int hf_smb2_getinfo_additional = -1;
136 static int hf_smb2_getinfo_flags = -1;
137 static int hf_smb2_setinfo_size = -1;
138 static int hf_smb2_setinfo_offset = -1;
139 static int hf_smb2_file_basic_info = -1;
140 static int hf_smb2_file_standard_info = -1;
141 static int hf_smb2_file_internal_info = -1;
142 static int hf_smb2_file_ea_info = -1;
143 static int hf_smb2_file_access_info = -1;
144 static int hf_smb2_file_rename_info = -1;
145 static int hf_smb2_file_disposition_info = -1;
146 static int hf_smb2_file_position_info = -1;
147 static int hf_smb2_file_full_ea_info = -1;
148 static int hf_smb2_file_mode_info = -1;
149 static int hf_smb2_file_alignment_info = -1;
150 static int hf_smb2_file_all_info = -1;
151 static int hf_smb2_file_allocation_info = -1;
152 static int hf_smb2_file_endoffile_info = -1;
153 static int hf_smb2_file_alternate_name_info = -1;
154 static int hf_smb2_file_stream_info = -1;
155 static int hf_smb2_file_pipe_info = -1;
156 static int hf_smb2_file_compression_info = -1;
157 static int hf_smb2_file_network_open_info = -1;
158 static int hf_smb2_file_attribute_tag_info = -1;
/*
 * Header-field handles (hf_*), all file-scope ints initialised to -1.
 * Judging by the names, this run covers filesystem/security/quota info,
 * read/write, create, negotiate-context, extended-attribute and buffer
 * descriptor fields.
 */
159 static int hf_smb2_fs_info_01 = -1;
160 static int hf_smb2_fs_info_03 = -1;
161 static int hf_smb2_fs_info_04 = -1;
162 static int hf_smb2_fs_info_05 = -1;
163 static int hf_smb2_fs_info_06 = -1;
164 static int hf_smb2_fs_info_07 = -1;
165 static int hf_smb2_fs_objectid_info = -1;
166 static int hf_smb2_sec_info_00 = -1;
167 static int hf_smb2_quota_info = -1;
168 static int hf_smb2_query_quota_info = -1;
169 static int hf_smb2_qq_single = -1;
170 static int hf_smb2_qq_restart = -1;
171 static int hf_smb2_qq_sidlist_len = -1;
172 static int hf_smb2_qq_start_sid_len = -1;
173 static int hf_smb2_qq_start_sid_offset = -1;
174 static int hf_smb2_fid = -1;
175 static int hf_smb2_write_length = -1;
176 static int hf_smb2_write_data = -1;
177 static int hf_smb2_write_flags = -1;
178 static int hf_smb2_write_flags_write_through = -1;
179 static int hf_smb2_write_count = -1;
180 static int hf_smb2_write_remaining = -1;
181 static int hf_smb2_read_length = -1;
182 static int hf_smb2_read_remaining = -1;
183 static int hf_smb2_file_offset = -1;
184 static int hf_smb2_qfr_length = -1;
185 static int hf_smb2_qfr_usage = -1;
186 static int hf_smb2_qfr_flags = -1;
187 static int hf_smb2_qfr_total_region_entry_count = -1;
188 static int hf_smb2_qfr_region_entry_count = -1;
189 static int hf_smb2_read_data = -1;
190 static int hf_smb2_disposition_delete_on_close = -1;
191 static int hf_smb2_create_disposition = -1;
192 static int hf_smb2_create_chain_offset = -1;
193 static int hf_smb2_create_chain_data = -1;
194 static int hf_smb2_data_offset = -1;
195 static int hf_smb2_extrainfo = -1;
196 static int hf_smb2_create_action = -1;
197 static int hf_smb2_create_rep_flags = -1;
198 static int hf_smb2_create_rep_flags_reparse_point = -1;
/*
 * NOTE(review): "next_offset" and the *_count fields below look like
 * wire-supplied values that drive loops over chained or repeated records.
 * The loops are not visible in this section; confirm that they stop on a
 * zero or non-advancing offset and cap the count by the data present.
 */
199 static int hf_smb2_next_offset = -1;
200 static int hf_smb2_negotiate_context_type = -1;
201 static int hf_smb2_negotiate_context_data_length = -1;
202 static int hf_smb2_negotiate_context_offset = -1;
203 static int hf_smb2_negotiate_context_count = -1;
204 static int hf_smb2_hash_alg_count = -1;
205 static int hf_smb2_hash_algorithm = -1;
206 static int hf_smb2_salt_length = -1;
207 static int hf_smb2_salt = -1;
208 static int hf_smb2_cipher_count = -1;
209 static int hf_smb2_cipher_id = -1;
210 static int hf_smb2_ea_size = -1;
211 static int hf_smb2_ea_flags = -1;
212 static int hf_smb2_ea_name_len = -1;
213 static int hf_smb2_ea_data_len = -1;
214 static int hf_smb2_ea_name = -1;
215 static int hf_smb2_ea_data = -1;
216 static int hf_smb2_position_information = -1;
217 static int hf_smb2_mode_information = -1;
218 static int hf_smb2_mode_file_write_through = -1;
219 static int hf_smb2_mode_file_sequential_only = -1;
220 static int hf_smb2_mode_file_no_intermediate_buffering = -1;
221 static int hf_smb2_mode_file_synchronous_io_alert = -1;
222 static int hf_smb2_mode_file_synchronous_io_nonalert = -1;
223 static int hf_smb2_mode_file_delete_on_close = -1;
224 static int hf_smb2_alignment_information = -1;
225 static int hf_smb2_buffer_code = -1;
226 static int hf_smb2_buffer_code_len = -1;
227 static int hf_smb2_buffer_code_flags_dyn = -1;
/*
 * NOTE(review): olb_offset / olb_length presumably describe an
 * offset/length pair read from the packet; this file declares
 * ei_smb2_invalid_length for reporting bad lengths. Where the pair is
 * range-checked is not visible in this section -- confirm.
 */
228 static int hf_smb2_olb_offset = -1;
229 static int hf_smb2_olb_length = -1;
230 static int hf_smb2_tag = -1;
231 static int hf_smb2_impersonation_level = -1;
/*
 * Header-field handles (hf_*), all file-scope ints initialised to -1.
 * Judging by the names, this run covers IOCTL/FSCTL payloads (pipe wait,
 * ODX tokens, sparse ranges, resiliency, shared virtual disk, storage
 * QoS, network interface info, shadow copies, integrity), plus the
 * hf_windows_sockaddr_* handles.
 */
232 static int hf_smb2_ioctl_function = -1;
233 static int hf_smb2_ioctl_function_device = -1;
234 static int hf_smb2_ioctl_function_access = -1;
235 static int hf_smb2_ioctl_function_function = -1;
236 static int hf_smb2_fsctl_pipe_wait_timeout = -1;
237 static int hf_smb2_fsctl_pipe_wait_name = -1;
239 static int hf_smb2_fsctl_odx_token_type = -1;
240 static int hf_smb2_fsctl_odx_token_idlen = -1;
241 static int hf_smb2_fsctl_odx_token_idraw = -1;
242 static int hf_smb2_fsctl_odx_token_ttl = -1;
243 static int hf_smb2_fsctl_odx_size = -1;
244 static int hf_smb2_fsctl_odx_flags = -1;
245 static int hf_smb2_fsctl_odx_file_offset = -1;
246 static int hf_smb2_fsctl_odx_copy_length = -1;
247 static int hf_smb2_fsctl_odx_xfer_length = -1;
248 static int hf_smb2_fsctl_odx_token_offset = -1;
250 static int hf_smb2_fsctl_sparse_flag = -1;
251 static int hf_smb2_fsctl_range_offset = -1;
252 static int hf_smb2_fsctl_range_length = -1;
253 static int hf_smb2_ioctl_function_method = -1;
254 static int hf_smb2_ioctl_resiliency_timeout = -1;
255 static int hf_smb2_ioctl_resiliency_reserved = -1;
256 static int hf_smb2_ioctl_shared_virtual_disk_support = -1;
257 static int hf_smb2_ioctl_shared_virtual_disk_handle_state = -1;
258 static int hf_smb2_ioctl_sqos_protocol_version = -1;
259 static int hf_smb2_ioctl_sqos_reserved = -1;
260 static int hf_smb2_ioctl_sqos_options = -1;
261 static int hf_smb2_ioctl_sqos_op_set_logical_flow_id = -1;
262 static int hf_smb2_ioctl_sqos_op_set_policy = -1;
263 static int hf_smb2_ioctl_sqos_op_probe_policy = -1;
264 static int hf_smb2_ioctl_sqos_op_get_status = -1;
265 static int hf_smb2_ioctl_sqos_op_update_counters = -1;
266 static int hf_smb2_ioctl_sqos_logical_flow_id = -1;
267 static int hf_smb2_ioctl_sqos_policy_id = -1;
268 static int hf_smb2_ioctl_sqos_initiator_id = -1;
269 static int hf_smb2_ioctl_sqos_limit = -1;
270 static int hf_smb2_ioctl_sqos_reservation = -1;
271 static int hf_smb2_ioctl_sqos_initiator_name = -1;
272 static int hf_smb2_ioctl_sqos_initiator_node_name = -1;
273 static int hf_smb2_ioctl_sqos_io_count_increment = -1;
274 static int hf_smb2_ioctl_sqos_normalized_io_count_increment = -1;
275 static int hf_smb2_ioctl_sqos_latency_increment = -1;
276 static int hf_smb2_ioctl_sqos_lower_latency_increment = -1;
277 static int hf_smb2_ioctl_sqos_bandwidth_limit = -1;
278 static int hf_smb2_ioctl_sqos_kilobyte_count_increment = -1;
279 static int hf_smb2_ioctl_sqos_time_to_live = -1;
280 static int hf_smb2_ioctl_sqos_status = -1;
281 static int hf_smb2_ioctl_sqos_maximum_io_rate = -1;
282 static int hf_smb2_ioctl_sqos_minimum_io_rate = -1;
283 static int hf_smb2_ioctl_sqos_base_io_size = -1;
284 static int hf_smb2_ioctl_sqos_reserved2 = -1;
285 static int hf_smb2_ioctl_sqos_maximum_bandwidth = -1;
286 static int hf_windows_sockaddr_family = -1;
287 static int hf_windows_sockaddr_port = -1;
288 static int hf_windows_sockaddr_in_addr = -1;
289 static int hf_windows_sockaddr_in6_flowinfo = -1;
290 static int hf_windows_sockaddr_in6_addr = -1;
291 static int hf_windows_sockaddr_in6_scope_id = -1;
/*
 * NOTE(review): the name suggests a per-entry "next offset" in a list of
 * network interface records. A walker over such a list should stop on a
 * zero or non-advancing offset; the walker is not visible in this
 * section -- confirm.
 */
292 static int hf_smb2_ioctl_network_interface_next_offset = -1;
293 static int hf_smb2_ioctl_network_interface_index = -1;
294 static int hf_smb2_ioctl_network_interface_rss_queue_count = -1;
295 static int hf_smb2_ioctl_network_interface_capabilities = -1;
296 static int hf_smb2_ioctl_network_interface_capability_rss = -1;
297 static int hf_smb2_ioctl_network_interface_capability_rdma = -1;
298 static int hf_smb2_ioctl_network_interface_link_speed = -1;
299 static int hf_smb2_ioctl_shadow_copy_num_volumes = -1;
300 static int hf_smb2_ioctl_shadow_copy_num_labels = -1;
301 static int hf_smb2_ioctl_shadow_copy_count = -1;
302 static int hf_smb2_ioctl_shadow_copy_label = -1;
303 static int hf_smb2_compression_format = -1;
304 static int hf_smb2_checksum_algorithm = -1;
305 static int hf_smb2_integrity_reserved = -1;
306 static int hf_smb2_integrity_flags = -1;
307 static int hf_smb2_integrity_flags_enforcement_off = -1;
/*
 * Header-field handles (hf_*), all file-scope ints initialised to -1.
 * Judging by the names, this run covers leases, account/session
 * bookkeeping, signing, credits, negotiate capabilities, RDMA channel
 * info, session flags, share flags/capabilities and a few request
 * counters.
 */
308 static int hf_smb2_FILE_OBJECTID_BUFFER = -1;
309 static int hf_smb2_lease_key = -1;
310 static int hf_smb2_lease_state = -1;
311 static int hf_smb2_lease_state_read_caching = -1;
312 static int hf_smb2_lease_state_handle_caching = -1;
313 static int hf_smb2_lease_state_write_caching = -1;
314 static int hf_smb2_lease_flags = -1;
315 static int hf_smb2_lease_flags_break_ack_required = -1;
316 static int hf_smb2_lease_flags_parent_lease_key_set = -1;
317 static int hf_smb2_lease_flags_break_in_progress = -1;
318 static int hf_smb2_lease_duration = -1;
319 static int hf_smb2_parent_lease_key = -1;
320 static int hf_smb2_lease_epoch = -1;
321 static int hf_smb2_lease_reserved = -1;
322 static int hf_smb2_lease_break_reason = -1;
323 static int hf_smb2_lease_access_mask_hint = -1;
324 static int hf_smb2_lease_share_mask_hint = -1;
325 static int hf_smb2_acct_name = -1;
326 static int hf_smb2_domain_name = -1;
327 static int hf_smb2_host_name = -1;
328 static int hf_smb2_auth_frame = -1;
329 static int hf_smb2_tcon_frame = -1;
330 static int hf_smb2_share_type = -1;
331 static int hf_smb2_signature = -1;
332 static int hf_smb2_credit_charge = -1;
333 static int hf_smb2_credits_requested = -1;
334 static int hf_smb2_credits_granted = -1;
335 static int hf_smb2_channel_sequence = -1;
336 static int hf_smb2_dialect_count = -1;
337 static int hf_smb2_security_mode = -1;
338 static int hf_smb2_secmode_flags_sign_required = -1;
339 static int hf_smb2_secmode_flags_sign_enabled = -1;
340 static int hf_smb2_ses_req_flags = -1;
341 static int hf_smb2_ses_req_flags_session_binding = -1;
342 static int hf_smb2_capabilities = -1;
343 static int hf_smb2_cap_dfs = -1;
344 static int hf_smb2_cap_leasing = -1;
345 static int hf_smb2_cap_large_mtu = -1;
346 static int hf_smb2_cap_multi_channel = -1;
347 static int hf_smb2_cap_persistent_handles = -1;
348 static int hf_smb2_cap_directory_leasing = -1;
349 static int hf_smb2_cap_encryption = -1;
350 static int hf_smb2_dialect = -1;
351 static int hf_smb2_max_trans_size = -1;
352 static int hf_smb2_max_read_size = -1;
353 static int hf_smb2_max_write_size = -1;
354 static int hf_smb2_channel = -1;
355 static int hf_smb2_rdma_v1_offset = -1;
356 static int hf_smb2_rdma_v1_token = -1;
357 static int hf_smb2_rdma_v1_length = -1;
358 static int hf_smb2_session_flags = -1;
359 static int hf_smb2_ses_flags_guest = -1;
360 static int hf_smb2_ses_flags_null = -1;
361 static int hf_smb2_ses_flags_encrypt = -1;
362 static int hf_smb2_share_flags = -1;
363 static int hf_smb2_share_flags_dfs = -1;
364 static int hf_smb2_share_flags_dfs_root = -1;
365 static int hf_smb2_share_flags_restrict_exclusive_opens = -1;
366 static int hf_smb2_share_flags_force_shared_delete = -1;
367 static int hf_smb2_share_flags_allow_namespace_caching = -1;
368 static int hf_smb2_share_flags_access_based_dir_enum = -1;
369 static int hf_smb2_share_flags_force_levelii_oplock = -1;
370 static int hf_smb2_share_flags_enable_hash_v1 = -1;
371 static int hf_smb2_share_flags_enable_hash_v2 = -1;
372 static int hf_smb2_share_flags_encrypt_data = -1;
373 static int hf_smb2_share_caching = -1;
374 static int hf_smb2_share_caps = -1;
375 static int hf_smb2_share_caps_dfs = -1;
376 static int hf_smb2_share_caps_continuous_availability = -1;
377 static int hf_smb2_share_caps_scaleout = -1;
378 static int hf_smb2_share_caps_cluster = -1;
379 static int hf_smb2_create_flags = -1;
380 static int hf_smb2_lock_count = -1;
381 static int hf_smb2_min_count = -1;
382 static int hf_smb2_remaining_bytes = -1;
383 static int hf_smb2_channel_info_offset = -1;
384 static int hf_smb2_channel_info_length = -1;
385 static int hf_smb2_channel_info_blob = -1;
386 static int hf_smb2_ioctl_flags = -1;
387 static int hf_smb2_ioctl_is_fsctl = -1;
/*
 * Header-field handles (hf_*), all file-scope ints initialised to -1.
 * Judging by the names, this run covers close/notify/find, directory
 * info, byte-range locks and several create-context payloads (durable
 * handle v2, app instance, shared VHDX open device, POSIX v1, AAPL).
 */
388 static int hf_smb2_close_pq_attrib = -1;
389 static int hf_smb2_notify_watch_tree = -1;
390 static int hf_smb2_output_buffer_len = -1;
391 static int hf_smb2_notify_out_data = -1;
392 static int hf_smb2_notify_info = -1;
/*
 * NOTE(review): the name suggests a "next offset" linking notify records.
 * A walker over such records should stop on a zero or non-advancing
 * offset; the walker is not visible in this section -- confirm.
 */
393 static int hf_smb2_notify_next_offset = -1;
394 static int hf_smb2_notify_action = -1;
395 static int hf_smb2_find_flags = -1;
396 static int hf_smb2_find_flags_restart_scans = -1;
397 static int hf_smb2_find_flags_single_entry = -1;
398 static int hf_smb2_find_flags_index_specified = -1;
399 static int hf_smb2_find_flags_reopen = -1;
400 static int hf_smb2_file_index = -1;
401 static int hf_smb2_file_directory_info = -1;
402 static int hf_smb2_both_directory_info = -1;
403 static int hf_smb2_short_name_len = -1;
404 static int hf_smb2_short_name = -1;
405 static int hf_smb2_id_both_directory_info = -1;
406 static int hf_smb2_full_directory_info = -1;
407 static int hf_smb2_lock_info = -1;
408 static int hf_smb2_lock_length = -1;
409 static int hf_smb2_lock_flags = -1;
410 static int hf_smb2_lock_flags_shared = -1;
411 static int hf_smb2_lock_flags_exclusive = -1;
412 static int hf_smb2_lock_flags_unlock = -1;
413 static int hf_smb2_lock_flags_fail_immediately = -1;
414 static int hf_smb2_dhnq_buffer_reserved = -1;
415 static int hf_smb2_dh2x_buffer_timeout = -1;
416 static int hf_smb2_dh2x_buffer_flags = -1;
417 static int hf_smb2_dh2x_buffer_flags_persistent_handle = -1;
418 static int hf_smb2_dh2x_buffer_reserved = -1;
419 static int hf_smb2_dh2x_buffer_create_guid = -1;
420 static int hf_smb2_APP_INSTANCE_buffer_struct_size = -1;
421 static int hf_smb2_APP_INSTANCE_buffer_reserved = -1;
422 static int hf_smb2_APP_INSTANCE_buffer_app_guid = -1;
423 static int hf_smb2_svhdx_open_device_context_version = -1;
424 static int hf_smb2_svhdx_open_device_context_has_initiator_id = -1;
425 static int hf_smb2_svhdx_open_device_context_reserved = -1;
426 static int hf_smb2_svhdx_open_device_context_initiator_id = -1;
427 static int hf_smb2_svhdx_open_device_context_flags = -1;
428 static int hf_smb2_svhdx_open_device_context_originator_flags = -1;
429 static int hf_smb2_svhdx_open_device_context_open_request_id = -1;
430 static int hf_smb2_svhdx_open_device_context_initiator_host_name_len = -1;
431 static int hf_smb2_svhdx_open_device_context_initiator_host_name = -1;
432 static int hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized = -1;
433 static int hf_smb2_svhdx_open_device_context_server_service_version = -1;
434 static int hf_smb2_svhdx_open_device_context_virtual_sector_size = -1;
435 static int hf_smb2_svhdx_open_device_context_physical_sector_size = -1;
436 static int hf_smb2_svhdx_open_device_context_virtual_size = -1;
437 static int hf_smb2_posix_v1_version = -1;
438 static int hf_smb2_posix_v1_request = -1;
439 static int hf_smb2_posix_v1_supported_features = -1;
440 static int hf_smb2_posix_v1_posix_lock = -1;
441 static int hf_smb2_posix_v1_posix_file_semantics = -1;
442 static int hf_smb2_posix_v1_posix_utf8_paths = -1;
443 static int hf_smb2_posix_v1_case_sensitive = -1;
444 static int hf_smb2_posix_v1_posix_will_convert_nt_acls = -1;
445 static int hf_smb2_posix_v1_posix_fileinfo = -1;
446 static int hf_smb2_posix_v1_posix_acls = -1;
447 static int hf_smb2_posix_v1_rich_acls = -1;
448 static int hf_smb2_aapl_command_code = -1;
449 static int hf_smb2_aapl_reserved = -1;
450 static int hf_smb2_aapl_server_query_bitmask = -1;
451 static int hf_smb2_aapl_server_query_bitmask_server_caps = -1;
452 static int hf_smb2_aapl_server_query_bitmask_volume_caps = -1;
453 static int hf_smb2_aapl_server_query_bitmask_model_info = -1;
454 static int hf_smb2_aapl_server_query_caps = -1;
455 static int hf_smb2_aapl_server_query_caps_supports_read_dir_attr = -1;
456 static int hf_smb2_aapl_server_query_caps_supports_osx_copyfile = -1;
457 static int hf_smb2_aapl_server_query_caps_unix_based = -1;
458 static int hf_smb2_aapl_server_query_caps_supports_nfs_ace = -1;
459 static int hf_smb2_aapl_server_query_volume_caps = -1;
460 static int hf_smb2_aapl_server_query_volume_caps_support_resolve_id = -1;
461 static int hf_smb2_aapl_server_query_volume_caps_case_sensitive = -1;
462 static int hf_smb2_aapl_server_query_volume_caps_supports_full_sync = -1;
463 static int hf_smb2_aapl_server_query_model_string = -1;
464 static int hf_smb2_aapl_server_query_server_path = -1;
/*
 * Header-field handles (hf_*), all file-scope ints initialised to -1.
 * Judging by the names, this run covers error responses, the transform
 * header, pipe reassembly, copy-chunk and symlink/reparse fields.
 */
465 static int hf_smb2_error_context_count = -1;
466 static int hf_smb2_error_reserved = -1;
467 static int hf_smb2_error_byte_count = -1;
468 static int hf_smb2_error_data = -1;
469 static int hf_smb2_reserved = -1;
470 static int hf_smb2_reserved_random = -1;
/*
 * NOTE(review): the transform_* names match the "SMB2 Transform Header"
 * label defined in this file. transform_msg_size is presumably a size
 * taken from the packet; confirm that the code consuming it checks it
 * against the data actually captured (that code is not visible here).
 */
471 static int hf_smb2_transform_signature = -1;
472 static int hf_smb2_transform_nonce = -1;
473 static int hf_smb2_transform_msg_size = -1;
474 static int hf_smb2_transform_reserved = -1;
475 static int hf_smb2_encryption_aes128_ccm = -1;
476 static int hf_smb2_transform_enc_alg = -1;
477 static int hf_smb2_transform_encrypted_data = -1;
478 static int hf_smb2_server_component_smb2 = -1;
479 static int hf_smb2_server_component_smb2_transform = -1;
480 static int hf_smb2_truncated = -1;
/*
 * The hf_smb2_pipe_fragment* and hf_smb2_pipe_reassembled_* handles below
 * are the ones whose addresses are placed in smb2_pipe_frag_items later
 * in this file.
 */
481 static int hf_smb2_pipe_fragments = -1;
482 static int hf_smb2_pipe_fragment = -1;
483 static int hf_smb2_pipe_fragment_overlap = -1;
484 static int hf_smb2_pipe_fragment_overlap_conflict = -1;
485 static int hf_smb2_pipe_fragment_multiple_tails = -1;
486 static int hf_smb2_pipe_fragment_too_long_fragment = -1;
487 static int hf_smb2_pipe_fragment_error = -1;
488 static int hf_smb2_pipe_fragment_count = -1;
489 static int hf_smb2_pipe_reassembled_in = -1;
490 static int hf_smb2_pipe_reassembled_length = -1;
491 static int hf_smb2_pipe_reassembled_data = -1;
492 static int hf_smb2_cchunk_resume_key = -1;
493 static int hf_smb2_cchunk_count = -1;
494 static int hf_smb2_cchunk_src_offset = -1;
495 static int hf_smb2_cchunk_dst_offset = -1;
496 static int hf_smb2_cchunk_xfer_len = -1;
497 static int hf_smb2_cchunk_chunks_written = -1;
498 static int hf_smb2_cchunk_bytes_written = -1;
499 static int hf_smb2_cchunk_total_written = -1;
500 static int hf_smb2_symlink_error_response = -1;
501 static int hf_smb2_symlink_length = -1;
502 static int hf_smb2_symlink_error_tag = -1;
503 static int hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER = -1;
504 static int hf_smb2_reparse_tag = -1;
505 static int hf_smb2_reparse_data_length = -1;
506 static int hf_smb2_unparsed_path_length = -1;
507 static int hf_smb2_symlink_substitute_name = -1;
508 static int hf_smb2_symlink_print_name = -1;
509 static int hf_smb2_symlink_flags = -1;
/*
 * Subtree handles (ett_*): file-scope gint values, all initialised to -1.
 * NOTE(review): presumably assigned by the registration routine declared
 * in this file (proto_register_smb2); the registration code is not
 * visible in this section -- confirm.
 */
511 static gint ett_smb2 = -1;
512 static gint ett_smb2_olb = -1;
513 static gint ett_smb2_ea = -1;
514 static gint ett_smb2_header = -1;
515 static gint ett_smb2_encrypted = -1;
516 static gint ett_smb2_command = -1;
517 static gint ett_smb2_secblob = -1;
518 static gint ett_smb2_negotiate_context_element = -1;
519 static gint ett_smb2_file_basic_info = -1;
520 static gint ett_smb2_file_standard_info = -1;
521 static gint ett_smb2_file_internal_info = -1;
522 static gint ett_smb2_file_ea_info = -1;
523 static gint ett_smb2_file_access_info = -1;
524 static gint ett_smb2_file_position_info = -1;
525 static gint ett_smb2_file_mode_info = -1;
526 static gint ett_smb2_file_alignment_info = -1;
527 static gint ett_smb2_file_all_info = -1;
528 static gint ett_smb2_file_allocation_info = -1;
529 static gint ett_smb2_file_endoffile_info = -1;
530 static gint ett_smb2_file_alternate_name_info = -1;
531 static gint ett_smb2_file_stream_info = -1;
532 static gint ett_smb2_file_pipe_info = -1;
533 static gint ett_smb2_file_compression_info = -1;
534 static gint ett_smb2_file_network_open_info = -1;
535 static gint ett_smb2_file_attribute_tag_info = -1;
536 static gint ett_smb2_file_rename_info = -1;
537 static gint ett_smb2_file_disposition_info = -1;
538 static gint ett_smb2_file_full_ea_info = -1;
539 static gint ett_smb2_fs_info_01 = -1;
540 static gint ett_smb2_fs_info_03 = -1;
541 static gint ett_smb2_fs_info_04 = -1;
542 static gint ett_smb2_fs_info_05 = -1;
543 static gint ett_smb2_fs_info_06 = -1;
544 static gint ett_smb2_fs_info_07 = -1;
545 static gint ett_smb2_fs_objectid_info = -1;
546 static gint ett_smb2_sec_info_00 = -1;
547 static gint ett_smb2_quota_info = -1;
548 static gint ett_smb2_query_quota_info = -1;
549 static gint ett_smb2_tid_tree = -1;
550 static gint ett_smb2_sesid_tree = -1;
551 static gint ett_smb2_create_chain_element = -1;
552 static gint ett_smb2_MxAc_buffer = -1;
553 static gint ett_smb2_QFid_buffer = -1;
554 static gint ett_smb2_RqLs_buffer = -1;
555 static gint ett_smb2_ioctl_function = -1;
556 static gint ett_smb2_FILE_OBJECTID_BUFFER = -1;
557 static gint ett_smb2_flags = -1;
558 static gint ett_smb2_sec_mode = -1;
559 static gint ett_smb2_capabilities = -1;
560 static gint ett_smb2_ses_req_flags = -1;
561 static gint ett_smb2_ses_flags = -1;
562 static gint ett_smb2_lease_state = -1;
563 static gint ett_smb2_lease_flags = -1;
564 static gint ett_smb2_share_flags = -1;
565 static gint ett_smb2_create_rep_flags = -1;
566 static gint ett_smb2_share_caps = -1;
567 static gint ett_smb2_ioctl_flags = -1;
568 static gint ett_smb2_ioctl_network_interface = -1;
/*
 * NOTE(review): "opeations" looks like a misspelling of "operations".
 * Renaming is cosmetic and would have to be applied to every use of the
 * identifier in the file at the same time.
 */
569 static gint ett_smb2_ioctl_sqos_opeations = -1;
570 static gint ett_smb2_fsctl_range_data = -1;
571 static gint ett_windows_sockaddr = -1;
572 static gint ett_smb2_close_flags = -1;
573 static gint ett_smb2_notify_info = -1;
574 static gint ett_smb2_notify_flags = -1;
575 static gint ett_smb2_write_flags = -1;
576 static gint ett_smb2_rdma_v1 = -1;
577 static gint ett_smb2_DH2Q_buffer = -1;
578 static gint ett_smb2_DH2C_buffer = -1;
579 static gint ett_smb2_dh2x_flags = -1;
580 static gint ett_smb2_APP_INSTANCE_buffer = -1;
581 static gint ett_smb2_svhdx_open_device_context = -1;
582 static gint ett_smb2_posix_v1_request = -1;
583 static gint ett_smb2_posix_v1_response = -1;
584 static gint ett_smb2_posix_v1_supported_features = -1;
585 static gint ett_smb2_aapl_create_context_request = -1;
586 static gint ett_smb2_aapl_server_query_bitmask = -1;
587 static gint ett_smb2_aapl_server_query_caps = -1;
588 static gint ett_smb2_aapl_create_context_response = -1;
589 static gint ett_smb2_aapl_server_query_volume_caps = -1;
590 static gint ett_smb2_integrity_flags = -1;
591 static gint ett_smb2_find_flags = -1;
592 static gint ett_smb2_file_directory_info = -1;
593 static gint ett_smb2_both_directory_info = -1;
594 static gint ett_smb2_id_both_directory_info = -1;
595 static gint ett_smb2_full_directory_info = -1;
596 static gint ett_smb2_file_name_info = -1;
597 static gint ett_smb2_lock_info = -1;
598 static gint ett_smb2_lock_flags = -1;
599 static gint ett_smb2_transform_enc_alg = -1;
600 static gint ett_smb2_buffercode = -1;
601 static gint ett_smb2_ioctl_network_interface_capabilities = -1;
602 static gint ett_qfr_entry = -1;
603 static gint ett_smb2_pipe_fragment = -1;
604 static gint ett_smb2_pipe_fragments = -1;
605 static gint ett_smb2_cchunk_entry = -1;
606 static gint ett_smb2_fsctl_odx_token = -1;
607 static gint ett_smb2_symlink_error_response = -1;
608 static gint ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER = -1;
609 static gint ett_smb2_error_data = -1;
/*
 * Expert-info handles, each initialised with EI_INIT.
 * The names indicate conditions reported on malformed input: an invalid
 * length, a bad response, an invalid GetInfo offset or size, and an empty
 * GetInfo buffer. Where each one is raised is not visible in this
 * section of the listing.
 */
611 static expert_field ei_smb2_invalid_length = EI_INIT;
612 static expert_field ei_smb2_bad_response = EI_INIT;
613 static expert_field ei_smb2_invalid_getinfo_offset = EI_INIT;
614 static expert_field ei_smb2_invalid_getinfo_size = EI_INIT;
615 static expert_field ei_smb2_empty_getinfo_buffer = EI_INIT;
/* Tap ids, initialised to -1 (presumably set during registration -- confirm). */
617 static int smb2_tap = -1;
618 static int smb2_eo_tap = -1;
/*
 * Handles for other dissectors, initialised to NULL. Any call through
 * one of these must only happen after it has been looked up; the lookup
 * is not visible in this section of the listing.
 */
620 static dissector_handle_t gssapi_handle = NULL;
621 static dissector_handle_t ntlmssp_handle = NULL;
622 static dissector_handle_t rsvd_handle = NULL;
/* Heuristic sub-dissector list for SMB2 pipe payloads (per its name). */
624 static heur_dissector_list_t smb2_pipe_subdissector_list;
/*
 * Table of pointers to the pipe-fragment subtree and field handles
 * declared earlier in this file, packaged as a fragment_items value.
 * NOTE(review): the initializer is positional, so the order must match
 * the member order of fragment_items (declared outside this file) --
 * verify against that declaration before inserting or reordering entries.
 */
626 static const fragment_items smb2_pipe_frag_items = {
627 &ett_smb2_pipe_fragment,
628 &ett_smb2_pipe_fragments,
629 &hf_smb2_pipe_fragments,
630 &hf_smb2_pipe_fragment,
631 &hf_smb2_pipe_fragment_overlap,
632 &hf_smb2_pipe_fragment_overlap_conflict,
633 &hf_smb2_pipe_fragment_multiple_tails,
634 &hf_smb2_pipe_fragment_too_long_fragment,
635 &hf_smb2_pipe_fragment_error,
636 &hf_smb2_pipe_fragment_count,
637 &hf_smb2_pipe_reassembled_in,
638 &hf_smb2_pipe_reassembled_length,
639 &hf_smb2_pipe_reassembled_data,
/*
 * NOTE(review): the listing's own line numbers jump from 639 to 643, so
 * the remaining member(s) and the closing brace of this initializer are
 * not shown here.
 */
/*
 * Alignment constants and the value -> name table used to display them.
 * NOTE(review): FILE_QUAD_ALIGNMENT (0x07) is defined here but has no
 * entry in smb2_alignment_vals, so a lookup of 0x07 in this table finds
 * no name. Suggested fix: add
 * `{ FILE_QUAD_ALIGNMENT, "FILE_QUAD_ALIGNMENT" },` after the
 * FILE_LONG_ALIGNMENT entry.
 */
643 #define FILE_BYTE_ALIGNMENT 0x00
644 #define FILE_WORD_ALIGNMENT 0x01
645 #define FILE_LONG_ALIGNMENT 0x03
646 #define FILE_QUAD_ALIGNMENT 0x07
647 #define FILE_OCTA_ALIGNMENT 0x0f
648 #define FILE_32_BYTE_ALIGNMENT 0x1f
649 #define FILE_64_BYTE_ALIGNMENT 0x3f
650 #define FILE_128_BYTE_ALIGNMENT 0x7f
651 #define FILE_256_BYTE_ALIGNMENT 0xff
652 #define FILE_512_BYTE_ALIGNMENT 0x1ff
653 static const value_string smb2_alignment_vals[] = {
654 { FILE_BYTE_ALIGNMENT, "FILE_BYTE_ALIGNMENT" },
655 { FILE_WORD_ALIGNMENT, "FILE_WORD_ALIGNMENT" },
656 { FILE_LONG_ALIGNMENT, "FILE_LONG_ALIGNMENT" },
657 { FILE_OCTA_ALIGNMENT, "FILE_OCTA_ALIGNMENT" },
658 { FILE_32_BYTE_ALIGNMENT, "FILE_32_BYTE_ALIGNMENT" },
659 { FILE_64_BYTE_ALIGNMENT, "FILE_64_BYTE_ALIGNMENT" },
660 { FILE_128_BYTE_ALIGNMENT, "FILE_128_BYTE_ALIGNMENT" },
661 { FILE_256_BYTE_ALIGNMENT, "FILE_256_BYTE_ALIGNMENT" },
662 { FILE_512_BYTE_ALIGNMENT, "FILE_512_BYTE_ALIGNMENT" },
/*
 * NOTE(review): the listing's own line numbers jump from 662 to 667, so
 * the end of this initializer is not shown here. value_string lookups
 * scan until an entry whose string is NULL, so the table in the real
 * file must end with a { 0, NULL } entry; without it a lookup of an
 * unlisted value reads past the array.
 */
/*
 * Info class constants and the value -> name table used to display them.
 * A class value that is not listed here has no name in this table.
 */
667 #define SMB2_CLASS_FILE_INFO 0x01
668 #define SMB2_CLASS_FS_INFO 0x02
669 #define SMB2_CLASS_SEC_INFO 0x03
670 #define SMB2_CLASS_QUOTA_INFO 0x04
671 #define SMB2_CLASS_POSIX_INFO 0x80
672 static const value_string smb2_class_vals[] = {
673 { SMB2_CLASS_FILE_INFO, "FILE_INFO"},
674 { SMB2_CLASS_FS_INFO, "FS_INFO"},
675 { SMB2_CLASS_SEC_INFO, "SEC_INFO"},
676 { SMB2_CLASS_QUOTA_INFO, "QUOTA_INFO"},
677 { SMB2_CLASS_POSIX_INFO, "POSIX_INFO"},
/*
 * NOTE(review): the listing's own line numbers jump from 677 to 681, so
 * the end of this initializer (presumably the { 0, NULL } terminator and
 * closing brace) is not shown here.
 */
/* Share type constants and the value -> name table used to display them. */
681 #define SMB2_SHARE_TYPE_DISK 0x01
682 #define SMB2_SHARE_TYPE_PIPE 0x02
683 #define SMB2_SHARE_TYPE_PRINT 0x03
684 static const value_string smb2_share_type_vals[] = {
685 { SMB2_SHARE_TYPE_DISK, "Physical disk" },
686 { SMB2_SHARE_TYPE_PIPE, "Named pipe" },
687 { SMB2_SHARE_TYPE_PRINT, "Printer" },
/*
 * NOTE(review): the listing's own line numbers jump from 687 to 692, so
 * the end of this initializer (presumably the { 0, NULL } terminator and
 * closing brace) is not shown here.
 */
/*
 * File info level constants, the value -> name table for them, and an
 * extended value-string wrapper built over that table.
 * The level numbers are not contiguous (for example 0x09, 0x0b and 0x0c
 * are not defined here), so a level read from a packet may have no name.
 */
692 #define SMB2_FILE_BASIC_INFO 0x04
693 #define SMB2_FILE_STANDARD_INFO 0x05
694 #define SMB2_FILE_INTERNAL_INFO 0x06
695 #define SMB2_FILE_EA_INFO 0x07
696 #define SMB2_FILE_ACCESS_INFO 0x08
697 #define SMB2_FILE_RENAME_INFO 0x0a
698 #define SMB2_FILE_DISPOSITION_INFO 0x0d
699 #define SMB2_FILE_POSITION_INFO 0x0e
700 #define SMB2_FILE_FULL_EA_INFO 0x0f
701 #define SMB2_FILE_MODE_INFO 0x10
702 #define SMB2_FILE_ALIGNMENT_INFO 0x11
703 #define SMB2_FILE_ALL_INFO 0x12
704 #define SMB2_FILE_ALLOCATION_INFO 0x13
705 #define SMB2_FILE_ENDOFFILE_INFO 0x14
706 #define SMB2_FILE_ALTERNATE_NAME_INFO 0x15
707 #define SMB2_FILE_STREAM_INFO 0x16
708 #define SMB2_FILE_PIPE_INFO 0x17
709 #define SMB2_FILE_COMPRESSION_INFO 0x1c
710 #define SMB2_FILE_NETWORK_OPEN_INFO 0x22
711 #define SMB2_FILE_ATTRIBUTE_TAG_INFO 0x23
/* Entries are listed in ascending order of value. */
713 static const value_string smb2_file_info_levels[] = {
714 {SMB2_FILE_BASIC_INFO, "SMB2_FILE_BASIC_INFO" },
715 {SMB2_FILE_STANDARD_INFO, "SMB2_FILE_STANDARD_INFO" },
716 {SMB2_FILE_INTERNAL_INFO, "SMB2_FILE_INTERNAL_INFO" },
717 {SMB2_FILE_EA_INFO, "SMB2_FILE_EA_INFO" },
718 {SMB2_FILE_ACCESS_INFO, "SMB2_FILE_ACCESS_INFO" },
719 {SMB2_FILE_RENAME_INFO, "SMB2_FILE_RENAME_INFO" },
720 {SMB2_FILE_DISPOSITION_INFO, "SMB2_FILE_DISPOSITION_INFO" },
721 {SMB2_FILE_POSITION_INFO, "SMB2_FILE_POSITION_INFO" },
722 {SMB2_FILE_FULL_EA_INFO, "SMB2_FILE_FULL_EA_INFO" },
723 {SMB2_FILE_MODE_INFO, "SMB2_FILE_MODE_INFO" },
724 {SMB2_FILE_ALIGNMENT_INFO, "SMB2_FILE_ALIGNMENT_INFO" },
725 {SMB2_FILE_ALL_INFO, "SMB2_FILE_ALL_INFO" },
726 {SMB2_FILE_ALLOCATION_INFO, "SMB2_FILE_ALLOCATION_INFO" },
727 {SMB2_FILE_ENDOFFILE_INFO, "SMB2_FILE_ENDOFFILE_INFO" },
728 {SMB2_FILE_ALTERNATE_NAME_INFO, "SMB2_FILE_ALTERNATE_NAME_INFO" },
729 {SMB2_FILE_STREAM_INFO, "SMB2_FILE_STREAM_INFO" },
730 {SMB2_FILE_PIPE_INFO, "SMB2_FILE_PIPE_INFO" },
731 {SMB2_FILE_COMPRESSION_INFO, "SMB2_FILE_COMPRESSION_INFO" },
732 {SMB2_FILE_NETWORK_OPEN_INFO, "SMB2_FILE_NETWORK_OPEN_INFO" },
733 {SMB2_FILE_ATTRIBUTE_TAG_INFO, "SMB2_FILE_ATTRIBUTE_TAG_INFO" },
/*
 * NOTE(review): the listing's own line numbers jump from 733 to 736, so
 * the end of the initializer above (presumably the { 0, NULL } terminator
 * and closing brace) is not shown here.
 */
/*
 * Extended wrapper over smb2_file_info_levels.
 * NOTE(review): extended value-string lookups are meant for tables kept
 * in ascending value order; add any new level at its sorted position.
 */
736 static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);
/* File-system information level codes. */
740 #define SMB2_FS_INFO_01 0x01
741 #define SMB2_FS_LABEL_INFO 0x02
742 #define SMB2_FS_INFO_03 0x03
743 #define SMB2_FS_INFO_04 0x04
744 #define SMB2_FS_INFO_05 0x05
745 #define SMB2_FS_INFO_06 0x06
746 #define SMB2_FS_INFO_07 0x07
747 #define SMB2_FS_OBJECTID_INFO 0x08
748 #define SMB2_FS_DRIVER_PATH_INFO 0x09
749 #define SMB2_FS_VOLUME_FLAGS_INFO 0x0a
750 #define SMB2_FS_SECTOR_SIZE_INFO 0x0b
/* Level code -> FileFs*Information display name, in ascending code order. */
752 static const value_string smb2_fs_info_levels[] = {
753 {SMB2_FS_INFO_01, "FileFsVolumeInformation" },
754 {SMB2_FS_LABEL_INFO, "FileFsLabelInformation" },
755 {SMB2_FS_INFO_03, "FileFsSizeInformation" },
756 {SMB2_FS_INFO_04, "FileFsDeviceInformation" },
757 {SMB2_FS_INFO_05, "FileFsAttributeInformation" },
758 {SMB2_FS_INFO_06, "FileFsControlInformation" },
759 {SMB2_FS_INFO_07, "FileFsFullSizeInformation" },
760 {SMB2_FS_OBJECTID_INFO, "FileFsObjectIdInformation" },
761 {SMB2_FS_DRIVER_PATH_INFO, "FileFsDriverPathInformation" },
762 {SMB2_FS_VOLUME_FLAGS_INFO, "FileFsVolumeFlagsInformation" },
763 {SMB2_FS_SECTOR_SIZE_INFO, "FileFsSectorSizeInformation" },
/* Extended value_string built over smb2_fs_info_levels. */
766 static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);
/* Security information levels: a single level, 0x00, is named. */
768 #define SMB2_SEC_INFO_00 0x00
769 static const value_string smb2_sec_info_levels[] = {
770 {SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
773 static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);
/* POSIX information levels; the codes are written as literals, not macros. */
775 static const value_string smb2_posix_info_levels[] = {
776 { 0, "QueryFileUnixBasic" },
777 { 1, "QueryFileUnixLink" },
778 { 3, "QueryFileUnixHLink" },
779 { 5, "QueryFileUnixXAttr" },
780 { 0x0B, "QueryFileUnixInfo2" },
784 static value_string_ext smb2_posix_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_posix_info_levels);
/* Find (directory query) information level codes and their display names. */
786 #define SMB2_FIND_DIRECTORY_INFO 0x01
787 #define SMB2_FIND_FULL_DIRECTORY_INFO 0x02
788 #define SMB2_FIND_BOTH_DIRECTORY_INFO 0x03
789 #define SMB2_FIND_INDEX_SPECIFIED 0x04
790 #define SMB2_FIND_NAME_INFO 0x0C
791 #define SMB2_FIND_ID_BOTH_DIRECTORY_INFO 0x25
792 #define SMB2_FIND_ID_FULL_DIRECTORY_INFO 0x26
793 static const value_string smb2_find_info_levels[] = {
794 { SMB2_FIND_DIRECTORY_INFO, "SMB2_FIND_DIRECTORY_INFO" },
795 { SMB2_FIND_FULL_DIRECTORY_INFO, "SMB2_FIND_FULL_DIRECTORY_INFO" },
796 { SMB2_FIND_BOTH_DIRECTORY_INFO, "SMB2_FIND_BOTH_DIRECTORY_INFO" },
797 { SMB2_FIND_INDEX_SPECIFIED, "SMB2_FIND_INDEX_SPECIFIED" },
798 { SMB2_FIND_NAME_INFO, "SMB2_FIND_NAME_INFO" },
799 { SMB2_FIND_ID_BOTH_DIRECTORY_INFO, "SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
800 { SMB2_FIND_ID_FULL_DIRECTORY_INFO, "SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
/* Negotiate context types named by this dissector: pre-authentication
 * integrity and encryption capabilities. */
804 #define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001
805 #define SMB2_ENCRYPTION_CAPABILITIES 0x0002
806 static const value_string smb2_negotiate_context_types[] = {
807 { SMB2_PREAUTH_INTEGRITY_CAPABILITIES, "SMB2_PREAUTH_INTEGRITY_CAPABILITIES" },
808 { SMB2_ENCRYPTION_CAPABILITIES, "SMB2_ENCRYPTION_CAPABILITIES" },
/* Pre-authentication integrity hash algorithms; only SHA-512 is named. */
812 #define SMB2_HASH_ALGORITHM_SHA_512 0x0001
813 static const value_string smb2_hash_algorithm_types[] = {
814 { SMB2_HASH_ALGORITHM_SHA_512, "SHA-512" },
/* Cipher identifiers from the encryption capabilities context. Only the two
 * AES-128 modes are named; MS-SMB2 also defines AES-256-CCM (0x0003) and
 * AES-256-GCM (0x0004), so a cipher id that this table leaves unnamed is not
 * by itself evidence of a malformed negotiation. */
818 #define SMB2_CIPHER_AES_128_CCM 0x0001
819 #define SMB2_CIPHER_AES_128_GCM 0x0002
820 static const value_string smb2_cipher_types[] = {
821 { SMB2_CIPHER_AES_128_CCM, "AES-128-CCM" },
822 { SMB2_CIPHER_AES_128_GCM, "AES-128-GCM" },
/* 64-bit value table: the all-ones value is labelled "unsolicited response". */
826 static const val64_string unique_unsolicited_response[] = {
827 { 0xffffffffffffffff, "unsolicited response" },
/* Number of rows in the SMB2 service-response-time table (see smb2stat_init). */
831 #define SMB2_NUM_PROCEDURES 256
/* Create the "SMB2" service-response-time table in srt_array and add one row
 * per possible command value, labelled from smb2_cmd_vals_ext ("<unknown>"
 * when a value has no name). */
834 smb2stat_init(struct register_srt* srt _U_, GArray* srt_array, srt_gui_init_cb gui_callback, void* gui_data)
836 srt_stat_table *smb2_srt_table;
839 smb2_srt_table = init_srt_table("SMB2", NULL, srt_array, SMB2_NUM_PROCEDURES, "Commands", "smb2.cmd", gui_callback, gui_data, NULL);
/* Rows are indexed 0 .. SMB2_NUM_PROCEDURES-1. */
840 for (i = 0; i < SMB2_NUM_PROCEDURES; i++)
842 init_srt_table_row(smb2_srt_table, i, val_to_str_ext_const(i, &smb2_cmd_vals_ext, "<unknown>"));
/* SRT tap callback: records the response time of one SMB2 response.
 * pss is the srt_data_t that holds the tables; prv is the smb2_info_t of the
 * packet being tapped. */
847 smb2stat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv)
850 srt_stat_table *smb2_srt_table;
851 srt_data_t *data = (srt_data_t *)pss;
852 const smb2_info_t *si=(const smb2_info_t *)prv;
854 /* we are only interested in response packets */
855 if(!(si->flags&SMB2_FLAGS_RESPONSE)){
858 /* if we haven't seen the request, just ignore it */
/* NOTE(review): si->saved is dereferenced below; confirm that the check
 * belonging to the comment above rejects a NULL si->saved first. */
863 /* SMB2 SRT can be very inaccurate in the presence of retransmissions. Retransmitted responses
864 * not only add additional (bogus) transactions but also the latency associated with them.
865 * This can greatly inflate the maximum and average SRT stats especially in the case of
866 * retransmissions triggered by the expiry of the rexmit timer (RTOs). Only calculating SRT
867 * for the last received response accomplishes this goal without requiring the TCP pref
868 * "Do not call subdissectors for error packets" to be set. */
869 if ((si->saved->frame_req == 0) || (si->saved->frame_res != pinfo->num))
872 smb2_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
/* NOTE(review): si->opcode selects the row and comes from the dissected
 * packet; the table is created with SMB2_NUM_PROCEDURES rows in
 * smb2stat_init - confirm opcode cannot exceed that range. */
873 add_srt_table_data(smb2_srt_table, si->opcode, &si->saved->req_time, pinfo);
877 /* Structure for SessionID <=> SessionKey mapping for decryption. */
878 typedef struct _smb2_seskey_field_t {
883 } smb2_seskey_field_t;
/* Configured session-key records and their count; seskey_find_sid_key()
 * scans this list. The records hold session keys in plain form for as long
 * as the list exists. */
885 static smb2_seskey_field_t *seskey_list = NULL;
886 static guint num_seskey_list = 0;
/* All-zero buffer; the initialiser spells out 16 zero bytes. */
888 static const gint8 zeros[NTLMSSP_KEY_LEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
890 /* Callbacks for SessionID <=> SessionKey mapping. */
891 UAT_BUFFER_CB_DEF(seskey_list, id, smb2_seskey_field_t, id, id_len)
892 UAT_BUFFER_CB_DEF(seskey_list, key, smb2_seskey_field_t, key, key_len)
/* Required length in bytes of a configured session ID; enforced by
 * seskey_list_update_cb and relied on by the memcmp in seskey_find_sid_key. */
894 #define SMB_SESSION_ID_SIZE 8
/* Validate one session-key record (r) before it is accepted.
 * The ID must be exactly SMB_SESSION_ID_SIZE bytes and the key between 1 and
 * NTLMSSP_KEY_LEN bytes; on a violation *err receives a g_strdup()'ed
 * message. The upper bound on key_len is what keeps the memcpy in
 * seskey_find_sid_key inside an NTLMSSP_KEY_LEN-byte output buffer, so it
 * must not be relaxed without changing that function as well. */
896 static gboolean seskey_list_update_cb(void *r, char **err)
898 smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
902 if (rec->id_len != SMB_SESSION_ID_SIZE) {
903 *err = g_strdup("Session ID must be " G_STRINGIFY(SMB_SESSION_ID_SIZE) " bytes long and in hexadecimal");
907 if (rec->key_len == 0 || rec->key_len > NTLMSSP_KEY_LEN) {
908 *err = g_strdup("Session Key must be a non-empty hexadecimal string representing at most " G_STRINGIFY(NTLMSSP_KEY_LEN) " bytes");
/* Deep-copy a session-key record from o into n.
 * The id and key buffers are duplicated with g_memdup(), so the copy owns
 * its own buffers; a NULL source buffer stays NULL in the copy. Each copy is
 * another in-memory instance of the key. */
915 static void* seskey_list_copy_cb(void *n, const void *o, size_t siz _U_)
917 smb2_seskey_field_t *new_rec = (smb2_seskey_field_t *)n;
918 const smb2_seskey_field_t *old_rec = (const smb2_seskey_field_t *)o;
920 new_rec->id_len = old_rec->id_len;
921 new_rec->id = old_rec->id ? (guchar *)g_memdup(old_rec->id, old_rec->id_len) : NULL;
922 new_rec->key_len = old_rec->key_len;
923 new_rec->key = old_rec->key ? (guchar *)g_memdup(old_rec->key, old_rec->key_len) : NULL;
/* Free callback for one session-key record (r).
 * NOTE(review): the statements that release rec->id and rec->key are not on
 * the lines shown here; if the key is released with a plain free, its bytes
 * remain in freed heap memory - confirm, and consider wiping the buffer
 * before it is released. */
928 static void seskey_list_free_cb(void *r)
930 smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
/* Look up the configured session key for session ID sesid.
 * On a match out_key is zero-filled over NTLMSSP_KEY_LEN bytes and the
 * record's key is copied to its start, so a shorter key ends up zero-padded.
 * out_key must therefore point to at least NTLMSSP_KEY_LEN writable bytes. */
936 static gboolean seskey_find_sid_key(guint64 sesid, guint8 *out_key)
940 for (i = 0; i < num_seskey_list; i++) {
941 const smb2_seskey_field_t *p = &seskey_list[i];
/* Compares the in-memory bytes of sesid with the configured ID, so the
 * match depends on the host byte order of the guint64. It reads
 * SMB_SESSION_ID_SIZE bytes from p->id, which relies on the length check in
 * seskey_list_update_cb. */
942 if (memcmp(&sesid, p->id, SMB_SESSION_ID_SIZE) == 0) {
943 memset(out_key, 0, NTLMSSP_KEY_LEN);
/* The copy length comes from the record; it stays within out_key only
 * because seskey_list_update_cb rejects key_len > NTLMSSP_KEY_LEN. */
944 memcpy(out_key, p->key, p->key_len);
952 /* Export-object preference: when TRUE, feed_eo_smb2() hashes the file name, rather than the file id string, to form eo_info->fid. */
953 gboolean eosmb2_take_name_as_fid = FALSE ;
955 /* unmatched smb_saved_info structures.
956 For unmatched smb_saved_info structures we store the smb_saved_info
957 structure using the msg_id field.
/* Equality callback for the unmatched table: two smb2_saved_info_t keys are
 * equal when their msg_id fields are equal. */
960 smb2_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
962 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
963 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
964 return key1->msg_id == key2->msg_id;
/* Hash callback for the unmatched table: the hash is the low 32 bits of
 * msg_id. NOTE(review): msg_id presumably comes from the captured packet, so
 * the traffic itself determines how keys spread over the buckets. */
967 smb2_saved_info_hash_unmatched(gconstpointer k)
969 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
972 hash = (guint32) (key->msg_id&0xffffffff);
976 /* matched smb_saved_info structures.
977 For matched smb_saved_info structures we store the smb_saved_info
978 structure using the msg_id field.
/* Equality callback for the matched table: keys are equal when their msg_id
 * fields are equal (same test as the unmatched variant). */
981 smb2_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
983 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
984 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
985 return key1->msg_id == key2->msg_id;
/* Hash callback for the matched table: the low 32 bits of msg_id. */
988 smb2_saved_info_hash_matched(gconstpointer k)
990 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
993 hash = (guint32) (key->msg_id&0xffffffff);
997 /* For Tids of a specific conversation.
998 This keeps track of tid->sharename mappings and other information about the
1001 We might need to refine this if it occurs that tids are reused on a single
1002 conversation. we don't worry about that yet for simplicity
/* Equality callback for tree-id entries: keys are equal when tid matches. */
1005 smb2_tid_info_equal(gconstpointer k1, gconstpointer k2)
1007 const smb2_tid_info_t *key1 = (const smb2_tid_info_t *)k1;
1008 const smb2_tid_info_t *key2 = (const smb2_tid_info_t *)k2;
1009 return key1->tid == key2->tid;
/* Hash callback for tree-id entries; k is an smb2_tid_info_t. */
1012 smb2_tid_info_hash(gconstpointer k)
1014 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
1021 /* For Uids of a specific conversation.
1022 This keeps track of uid->acct_name mappings and other information about the
1025 We might need to refine this if it occurs that uids are reused on a single
1026 conversation. we don't worry about that yet for simplicity
/* Equality callback for session entries: keys are equal when sesid matches. */
1029 smb2_sesid_info_equal(gconstpointer k1, gconstpointer k2)
1031 const smb2_sesid_info_t *key1 = (const smb2_sesid_info_t *)k1;
1032 const smb2_sesid_info_t *key2 = (const smb2_sesid_info_t *)k2;
1033 return key1->sesid == key2->sesid;
/* Hash callback for session entries: adds the high and the low 32-bit half
 * of sesid and truncates the sum to 32 bits. */
1036 smb2_sesid_info_hash(gconstpointer k)
1038 const smb2_sesid_info_t *key = (const smb2_sesid_info_t *)k;
1041 hash = (guint32)( ((key->sesid>>32)&0xffffffff)+((key->sesid)&0xffffffff) );
1046 * For File IDs of a specific conversation.
1047 * This keeps track of fid to name mapping and application level conversations
1050 * This handles implementation bugs, where the fid_persistent is 0 or
1051 * the fid_persistent/fid_volatile is not unique per conversation.
/* Equality callback for file-id entries: compares fid_persistent,
 * fid_volatile, sesid and tid, in that order. */
1054 smb2_fid_info_equal(gconstpointer k1, gconstpointer k2)
1056 const smb2_fid_info_t *key1 = (const smb2_fid_info_t *)k1;
1057 const smb2_fid_info_t *key2 = (const smb2_fid_info_t *)k2;
1059 if (key1->fid_persistent != key2->fid_persistent) {
1063 if (key1->fid_volatile != key2->fid_volatile) {
1067 if (key1->sesid != key2->sesid) {
1071 if (key1->tid != key2->tid) {
/* Hash callback for file-id entries: folds one 64-bit id into 32 bits by
 * adding its high and low halves. sesid and tid take part in the equality
 * test but not in this hash. */
1079 smb2_fid_info_hash(gconstpointer k)
1081 const smb2_fid_info_t *key = (const smb2_fid_info_t *)k;
/* Use the persistent id when it is non-zero ... */
1084 if (key->fid_persistent != 0) {
1085 hash = (guint32)( ((key->fid_persistent>>32)&0xffffffff)+((key->fid_persistent)&0xffffffff) );
/* ... and the volatile id otherwise (presumably the else branch). */
1087 hash = (guint32)( ((key->fid_volatile>>32)&0xffffffff)+((key->fid_volatile)&0xffffffff) );
1093 /* Callback for destroying the glib hash tables associated with a conversation
/* wmem callback that destroys the five glib hash tables owned by an
 * smb2_conv_info_t (passed as user_data): matched, unmatched, fids, sesids
 * and files. */
1096 smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
1099 smb2_conv_info_t *conv = (smb2_conv_info_t *)user_data;
1101 g_hash_table_destroy(conv->matched);
1102 g_hash_table_destroy(conv->unmatched);
1103 g_hash_table_destroy(conv->fids);
1104 g_hash_table_destroy(conv->sesids);
1105 g_hash_table_destroy(conv->files);
1107 /* This conversation is gone, return FALSE to indicate we don't
1108 * want to be called again for this conversation. */
/* Derive a 16-byte key from KI with HMAC-SHA256 over Label and Context and
 * store it in KO.
 * KI/KI_len is the HMAC key; Label and Context are fed into the MAC in the
 * order shown below; only the first 16 bytes of the 32-byte SHA-256 digest
 * are kept. */
1112 static void smb2_key_derivation(const guint8 *KI, guint32 KI_len,
1113 const guint8 *Label, guint32 Label_len,
1114 const guint8 *Context, guint32 Context_len,
1117 gcry_md_hd_t hd = NULL;
1119 guint8 *digest = NULL;
1122 * a simplified version of
1123 * "NIST Special Publication 800-108" section 5.1
1124 * using hmac-sha256.
/* NOTE(review): the results of gcry_md_open() and gcry_md_setkey() are not
 * checked. If the open fails, hd stays NULL and is still passed to the calls
 * below; consider returning early on a non-zero result. */
1126 gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
1127 gcry_md_setkey(hd, KI, KI_len);
1129 memset(buf, 0, sizeof(buf));
/* MAC input, in order: buf, Label, one byte of buf, Context, buf again.
 * buf is zeroed above; the statements that set its contents before each
 * write are not on the lines shown here. */
1131 gcry_md_write(hd, buf, sizeof(buf));
1132 gcry_md_write(hd, Label, Label_len);
1133 gcry_md_write(hd, buf, 1);
1134 gcry_md_write(hd, Context, Context_len);
1136 gcry_md_write(hd, buf, sizeof(buf));
/* gcry_md_read() returns a pointer into the handle's own buffer, so the
 * digest must be copied out before the handle is closed. */
1138 digest = gcry_md_read(hd, GCRY_MD_SHA256);
/* Truncate to 16 bytes; KO must have room for them. */
1140 memcpy(KO, digest, 16);
1145 /* for export-object-smb2 */
/* Format the UUID part of a policy handle as a hex string in GUID layout.
 * The string is allocated in packet scope, so it must not be kept beyond the
 * dissection of the current packet. */
1146 static gchar *policy_hnd_to_file_id(const e_ctx_hnd *hnd) {
1148 file_id = wmem_strdup_printf(wmem_packet_scope(),
1149 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1160 hnd->uuid.data4[7]);
/* Hash callback for the export-object file table: g_str_hash() of the
 * handle's formatted file id (one packet-scope string per call). */
1163 static guint smb2_eo_files_hash(gconstpointer k) {
1164 return g_str_hash(policy_hnd_to_file_id((const e_ctx_hnd *)k));
/* Equality callback for the export-object file table: two handles are equal
 * when every UUID field (data1, data2, data3 and all eight data4 bytes)
 * matches. These are the same fields that feed smb2_eo_files_hash. */
1166 static gint smb2_eo_files_equal(gconstpointer k1, gconstpointer k2) {
1168 const e_ctx_hnd *key1 = (const e_ctx_hnd *)k1;
1169 const e_ctx_hnd *key2 = (const e_ctx_hnd *)k2;
1171 are_equal = (key1->uuid.data1==key2->uuid.data1 &&
1172 key1->uuid.data2==key2->uuid.data2 &&
1173 key1->uuid.data3==key2->uuid.data3 &&
1174 key1->uuid.data4[0]==key2->uuid.data4[0] &&
1175 key1->uuid.data4[1]==key2->uuid.data4[1] &&
1176 key1->uuid.data4[2]==key2->uuid.data4[2] &&
1177 key1->uuid.data4[3]==key2->uuid.data4[3] &&
1178 key1->uuid.data4[4]==key2->uuid.data4[4] &&
1179 key1->uuid.data4[5]==key2->uuid.data4[5] &&
1180 key1->uuid.data4[6]==key2->uuid.data4[6] &&
1181 key1->uuid.data4[7]==key2->uuid.data4[7]);
/* Build an smb_eo_t record for one chunk of file data and queue it on the
 * SMB2 export-object tap.
 * tvb/dataoffset/length locate the payload, file_offset is its position in
 * the file, and si carries the per-packet SMB2 state (opcode, tree, saved
 * request info, file info). Everything placed in eo_info is allocated in
 * packet scope. */
1187 feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, guint16 dataoffset,guint32 length, guint64 file_offset) {
1189 char *fid_name = NULL;
1190 guint32 open_frame = 0, close_frame = 0;
1191 tvbuff_t *data_tvb = NULL;
1195 gchar **aux_string_v;
1197 /* Create a new tvb to point to the payload data */
1198 data_tvb = tvb_new_subset_length(tvb, dataoffset, length);
1199 /* Create the eo_info to pass to the listener */
1200 eo_info = wmem_new(wmem_packet_scope(), smb_eo_t);
1201 /* Fill in eo_info */
1202 eo_info->smbversion=2;
1204 eo_info->cmd=si->opcode;
1205 /* We don't keep track of uid in SMB v2 */
1208 /* Try to get file id and filename */
1209 file_id=policy_hnd_to_file_id(&si->saved->policy_hnd);
1210 dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num);
/* NOTE(review): fid_name presumably originates from the captured traffic.
 * Whatever later turns eo_info->filename into a path on disk has to treat it
 * as untrusted (separators, "..", reserved names). */
1211 if (fid_name && g_strcmp0(fid_name,"File: ")!=0) {
1213 /* Remove "File: " from filename */
1214 if (g_str_has_prefix(auxstring, "File: ")) {
1215 aux_string_v = g_strsplit(auxstring, "File: ", -1);
/* Takes the last piece of the split; the index is safe because the prefix
 * test above guarantees the vector is not empty. */
1216 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",aux_string_v[g_strv_length(aux_string_v)-1]);
1217 g_strfreev(aux_string_v);
1219 if (g_str_has_prefix(auxstring, "\\")) {
1220 eo_info->filename = wmem_strdup(wmem_packet_scope(), auxstring);
1222 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",auxstring);
/* No usable name: fall back to a name built from the file id. */
1226 auxstring=wmem_strdup_printf(wmem_packet_scope(), "File_Id_%s", file_id);
1227 eo_info->filename=auxstring;
/* fid is a 32-bit string hash, of the name or of the file id depending on
 * the preference, so distinct files can collide on it. */
1232 if (eosmb2_take_name_as_fid) {
1233 eo_info->fid = g_str_hash(eo_info->filename);
1235 eo_info->fid = g_str_hash(file_id);
1238 /* tid, hostname, tree_id */
/* NOTE(review): si->tree and si->tree->name are dereferenced below; confirm
 * that the guard for a missing tree (and a NULL name) precedes these lines. */
1240 eo_info->tid=si->tree->tid;
1241 if (strlen(si->tree->name)>0 && strlen(si->tree->name)<=256) {
1242 eo_info->hostname = wmem_strdup(wmem_packet_scope(), si->tree->name);
1244 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
1248 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
1252 eo_info->pkt_num = pinfo->num;
/* Classify the handle from its attribute mask: directory first, then any of
 * the regular-file attributes, otherwise "other".
 * NOTE(review): si->eo_file_info is dereferenced here - confirm it is
 * checked for NULL before this point. */
1255 if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
1256 eo_info->fid_type=SMB2_FID_TYPE_DIR;
1258 if (si->eo_file_info->attr_mask &
1259 (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
1260 SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
1261 SMB2_FLAGS_ATTR_SYSTEM) ) {
1262 eo_info->fid_type=SMB2_FID_TYPE_FILE;
1264 eo_info->fid_type=SMB2_FID_TYPE_OTHER;
1269 eo_info->end_of_file=si->eo_file_info->end_of_file;
1271 /* data offset and chunk length */
1272 eo_info->smb_file_offset=file_offset;
1273 eo_info->smb_chunk_len=length;
1274 /* XXX is this right? */
/* When this chunk is shorter than the bytes still expected, advance the
 * saved file offset and reduce the remaining byte count by length. */
1275 if (length<si->saved->bytes_moved) {
1276 si->saved->file_offset=si->saved->file_offset+length;
1277 si->saved->bytes_moved=si->saved->bytes_moved-length;
/* payload_data points into data_tvb's backing data and is not a copy, so the
 * tap listener has to consume it while that tvb is still alive.
 * tvb_get_ptr() throws if length bytes are not available. */
1281 eo_info->payload_len = length;
1282 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);
1284 tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
1288 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
1291 /* This is a helper to dissect the common string type
1297 * This function is called twice, first to decode the offset/length and
1298 * second time to dissect the actual string.
1299 * It is done this way since there is no guarantee that we have the full packet and we don't
1300 * want to abort dissection too early if the packet ends somewhere between the
1301 * length/offset and the actual buffer.
/* Wire layout of an offset/length pair. The name gives the field order and
 * the width of each field: O = offset, S = size (length); e.g.
 * OLB_S_UINT32_O_UINT32 is a 32-bit length followed by a 32-bit offset. */
1304 enum offset_length_buffer_offset_size {
1305 OLB_O_UINT16_S_UINT16,
1306 OLB_O_UINT16_S_UINT32,
1307 OLB_O_UINT32_S_UINT32,
1308 OLB_S_UINT32_O_UINT32
/* State carried between the two passes over an offset/length buffer: filled
 * in by dissect_smb2_olb_length_offset and consumed by the
 * dissect_smb2_olb_* functions that dissect the data itself. */
1310 typedef struct _offset_length_buffer_t {
1315 enum offset_length_buffer_offset_size offset_size;
1317 } offset_length_buffer_t;
/* First pass over an offset/length buffer: read the little-endian offset and
 * length fields at offset, in the layout selected by offset_size, and record
 * their values and positions in olb together with hfindex.
 * The values are stored as read from the packet, with no range check here;
 * dissect_smb2_olb_off_string and dissect_smb2_olb_buffer check them before
 * the data is touched. The statements that advance offset between the two
 * reads are not on the lines shown here. */
1319 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
1320 enum offset_length_buffer_offset_size offset_size, int hfindex)
1322 olb->hfindex = hfindex;
1323 olb->offset_size = offset_size;
1324 switch (offset_size) {
/* 16-bit offset, then 16-bit length */
1325 case OLB_O_UINT16_S_UINT16:
1326 olb->off = tvb_get_letohs(tvb, offset);
1327 olb->off_offset = offset;
1329 olb->len = tvb_get_letohs(tvb, offset);
1330 olb->len_offset = offset;
/* 16-bit offset, then 32-bit length */
1333 case OLB_O_UINT16_S_UINT32:
1334 olb->off = tvb_get_letohs(tvb, offset);
1335 olb->off_offset = offset;
1337 olb->len = tvb_get_letohl(tvb, offset);
1338 olb->len_offset = offset;
/* 32-bit offset, then 32-bit length */
1341 case OLB_O_UINT32_S_UINT32:
1342 olb->off = tvb_get_letohl(tvb, offset);
1343 olb->off_offset = offset;
1345 olb->len = tvb_get_letohl(tvb, offset);
1346 olb->len_offset = offset;
/* 32-bit length, then 32-bit offset */
1349 case OLB_S_UINT32_O_UINT32:
1350 olb->len = tvb_get_letohl(tvb, offset);
1351 olb->len_offset = offset;
1353 olb->off = tvb_get_letohl(tvb, offset);
1354 olb->off_offset = offset;
/* String encodings accepted by the olb string dissectors. */
1362 #define OLB_TYPE_UNICODE_STRING 0x01
1363 #define OLB_TYPE_ASCII_STRING 0x02
/* Second pass for a string buffer: check the offset/length recorded in olb,
 * extract the string of the given type, add it to parent_tree under
 * olb->hfindex, and add the raw offset and length fields beneath it. */
1365 dissect_smb2_olb_off_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int base, int type)
1368 proto_item *item = NULL;
1369 proto_tree *tree = NULL;
1370 const char *name = NULL;
1379 bc = tvb_captured_length_remaining(tvb, offset);
/* Throws if the len bytes at off are not inside the tvb, so the string read
 * below cannot run past the packet data. */
1383 tvb_ensure_bytes_exist(tvb, off, len);
/* NOTE(review): off and len come from the packet and are added before the
 * result is range-checked; if they are signed ints (declarations not shown)
 * the addition can itself overflow for hostile values. Comparing len with
 * the remaining length avoids the sum - confirm the types. */
1385 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
/* NOTE(review): on the lines shown, tree is still NULL at this point, so the
 * expert item is not attached under parent_tree; dissect_smb2_olb_buffer
 * passes parent_tree in the same situation - confirm which is intended. */
1386 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1387 "Invalid offset/length. Malformed packet");
1389 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1396 case OLB_TYPE_UNICODE_STRING:
1397 name = get_unicode_or_ascii_string(tvb, &off,
1398 TRUE, &len, TRUE, TRUE, &bc);
1403 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1404 tree = proto_item_add_subtree(item, ett_smb2_olb);
1407 case OLB_TYPE_ASCII_STRING:
1408 name = get_unicode_or_ascii_string(tvb, &off,
1409 FALSE, &len, TRUE, TRUE, &bc);
1414 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1415 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* Show the raw offset and length fields at the positions and widths recorded
 * during the first pass. */
1420 switch (olb->offset_size) {
1421 case OLB_O_UINT16_S_UINT16:
1422 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1423 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1425 case OLB_O_UINT16_S_UINT32:
1426 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1427 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1429 case OLB_O_UINT32_S_UINT32:
1430 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1431 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1433 case OLB_S_UINT32_O_UINT32:
1434 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1435 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/* Convenience wrapper around dissect_smb2_olb_off_string with base 0. */
1443 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
1445 return dissect_smb2_olb_off_string(pinfo, parent_tree, tvb, olb, 0, type);
/* Second pass for an opaque buffer: check the offset/length recorded in olb,
 * add the raw offset and length fields to parent_tree, optionally open a
 * subtree for the buffer (olb->hfindex), and pass a sub-tvb restricted to
 * the buffer to the supplied dissector callback. */
1449 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
1450 offset_length_buffer_t *olb, smb2_info_t *si,
1451 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
1454 proto_item *sub_item = NULL;
1455 proto_tree *sub_tree = NULL;
1456 tvbuff_t *sub_tvb = NULL;
/* Throws if the len bytes at off are not inside the tvb. */
1464 tvb_ensure_bytes_exist(tvb, off, len);
/* NOTE(review): same pattern as in dissect_smb2_olb_off_string - the sum
 * off+len is formed from packet values before it is checked; confirm the
 * types make that addition safe. */
1466 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
1467 proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1468 "Invalid offset/length. Malformed packet");
1470 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1475 switch (olb->offset_size) {
1476 case OLB_O_UINT16_S_UINT16:
1477 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1478 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1480 case OLB_O_UINT16_S_UINT32:
1481 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1482 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1484 case OLB_O_UINT32_S_UINT32:
1485 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1486 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1488 case OLB_S_UINT32_O_UINT32:
1489 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1490 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1494 /* if we don't want/need a subtree */
1495 if (olb->hfindex == -1) {
1496 sub_item = parent_tree;
1497 sub_tree = parent_tree;
1500 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
1501 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
/* A zero offset or a zero length is displayed as an absent buffer. */
1505 if (off == 0 || len == 0) {
1506 proto_item_append_text(sub_item, ": NO DATA");
/* The callback only sees the buffer itself: the captured length is capped at
 * what the capture holds and the reported length is len, so reads past the
 * described buffer raise a tvb exception instead of reaching neighbouring
 * packet data. */
1514 sub_tvb = tvb_new_subset_length_caplen(tvb, off, MIN((int)len, tvb_captured_length_remaining(tvb, off)), len);
1516 dissector(sub_tvb, pinfo, sub_tree, si);
/* Return the larger of offset and the end (off + len) of the buffer that olb
 * describes; a zero olb->off is handled separately by the first test.
 * NOTE(review): off and len are packet-supplied; their sum is formed and then
 * cast to int. For large values the sum can wrap or turn negative after the
 * cast, in which case MAX() falls back to offset - confirm that callers
 * tolerate this. */
1520 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
1522 if (olb->off == 0) {
1525 return MAX(offset, (int)(olb->off + olb->len));
/* Pair of dissector callbacks, one for the request and one for the response
 * form. Both take the tvb, packet info, tree, starting offset and SMB2 state,
 * and return an int. */
1528 typedef struct _smb2_function {
1529 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
1530 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
/* Display strings for boolean fields: in each true_false_string the first
 * string is shown when the bit is set, the second when it is clear. */
1533 static const true_false_string tfs_smb2_svhdx_has_initiator_id = {
1534 "Has an initiator id",
1535 "Does not have an initiator id"
/* Header flag: response bit. */
1538 static const true_false_string tfs_flags_response = {
1539 "This is a RESPONSE",
/* Header flag: async command bit. */
1543 static const true_false_string tfs_flags_async_cmd = {
1544 "This is an ASYNC command",
1545 "This is a SYNC command"
/* Header flag: DFS operation bit. */
1548 static const true_false_string tfs_flags_dfs_op = {
1549 "This is a DFS OPERATION",
1550 "This is a normal operation"
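/* Display strings for the chained-command flag: the first string is shown
 * when the bit is set, the second when it is clear. */
static const true_false_string tfs_flags_chained = {
	"This pdu is a CHAINED command",
	"This pdu is NOT a chained command"
};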
/* Display strings for the signed flag. The flag only states that a signature
 * is claimed to be present; nothing in this table says it was verified. */
1558 static const true_false_string tfs_flags_signature = {
1559 "This pdu is SIGNED",
1560 "This pdu is NOT signed"
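/* Display strings for the replay-operation flag: the first string is shown
 * when the bit is set, the second when it is clear. */
static const true_false_string tfs_flags_replay_operation = {
	"This is a REPLAY OPERATION",
	"This is NOT a replay operation"
};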
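/* Display strings for the priority mask: the first string is shown when the
 * field is non-zero, the second when it is zero. */
static const true_false_string tfs_flags_priority_mask = {
	"This pdu contains a PRIORITY",
	"This pdu does NOT contain a PRIORITY"
};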
/* Display strings for the capability bits a host advertises; first string
 * when the bit is set, second when it is clear. An advertised capability is
 * what the peer claims, not proof that the feature ends up in use. */
1573 static const true_false_string tfs_cap_dfs = {
1574 "This host supports DFS",
1575 "This host does NOT support DFS"
1578 static const true_false_string tfs_cap_leasing = {
1579 "This host supports LEASING",
1580 "This host does NOT support LEASING"
1583 static const true_false_string tfs_cap_large_mtu = {
1584 "This host supports LARGE_MTU",
1585 "This host does NOT support LARGE_MTU"
1588 static const true_false_string tfs_cap_multi_channel = {
1589 "This host supports MULTI CHANNEL",
1590 "This host does NOT support MULTI CHANNEL"
1593 static const true_false_string tfs_cap_persistent_handles = {
1594 "This host supports PERSISTENT HANDLES",
1595 "This host does NOT support PERSISTENT HANDLES"
1598 static const true_false_string tfs_cap_directory_leasing = {
1599 "This host supports DIRECTORY LEASING",
1600 "This host does NOT support DIRECTORY LEASING"
1603 static const true_false_string tfs_cap_encryption = {
1604 "This host supports ENCRYPTION",
1605 "This host does NOT support ENCRYPTION"
/* Capability bits of a network interface as reported by the interface-info
 * ioctl. */
1608 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
1609 "This interface supports RSS",
1610 "This interface does not support RSS"
1613 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
1614 "This interface supports RDMA",
1615 "This interface does not support RDMA"
/* Small value -> name tables used by the ioctl and POSIX dissection code.
 * Values absent from a table have no name in it. */
1618 static const value_string file_region_usage_vals[] = {
1619 { 0x00000001, "FILE_REGION_USAGE_VALID_CACHED_DATA" },
1623 static const value_string originator_flags_vals[] = {
1624 { 1, "SVHDX_ORIGINATOR_PVHDPARSER" },
1625 { 4, "SVHDX_ORIGINATOR_VHDMP" },
/* POSIX_V1_* names; each table names the single value 1. */
1629 static const value_string posix_locks_vals[] = {
1630 { 1, "POSIX_V1_POSIX_LOCK" },
1634 static const value_string posix_utf8_paths_vals[] = {
1635 { 1, "POSIX_V1_UTF8_PATHS" },
1639 static const value_string posix_file_semantics_vals[] = {
1640 { 1, "POSIX_V1_POSIX_FILE_SEMANTICS" },
1644 static const value_string posix_case_sensitive_vals[] = {
1645 { 1, "POSIX_V1_CASE_SENSITIVE" },
1649 static const value_string posix_will_convert_ntacls_vals[] = {
1650 { 1, "POSIX_V1_WILL_CONVERT_NT_ACLS" },
1654 static const value_string posix_fileinfo_vals[] = {
1655 { 1, "POSIX_V1_POSIX_FILEINFO" },
1659 static const value_string posix_acls_vals[] = {
1660 { 1, "POSIX_V1_POSIX_ACLS" },
1664 static const value_string posix_rich_acls_vals[] = {
1665 { 1, "POSIX_V1_RICH_ACLS" },
/* Compression format codes. */
1669 static const value_string compression_format_vals[] = {
1670 { 0, "COMPRESSION_FORMAT_NONE" },
1671 { 1, "COMPRESSION_FORMAT_DEFAULT" },
1672 { 2, "COMPRESSION_FORMAT_LZNT1" },
/* Checksum algorithm codes. */
1676 static const value_string checksum_algorithm_vals[] = {
1677 { 0x0000, "CHECKSUM_TYPE_NONE" },
1678 { 0x0002, "CHECKSUM_TYPE_CRC64" },
1679 { 0xFFFF, "CHECKSUM_TYPE_UNCHANGED" },
1683 /* Note: All uncommented are "dissector not implemented" */
1684 static const value_string smb2_ioctl_vals[] = {
1685 {0x00060194, "FSCTL_DFS_GET_REFERRALS"}, /* dissector implemented */
1686 {0x000601B0, "FSCTL_DFS_GET_REFERRALS_EX"},
1687 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
1688 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
1689 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
1690 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
1691 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
1692 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
1693 {0x00090018, "FSCTL_LOCK_VOLUME"},
1694 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
1695 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
1696 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
1697 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
1698 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
1699 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
1700 {0x0009003C, "FSCTL_GET_COMPRESSION"}, /* dissector implemented */
1701 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
1702 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
1703 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
1704 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
1705 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
1706 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
1707 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
1708 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
1709 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
1710 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
1711 {0x00090074, "FSCTL_MOVE_FILE"},
1712 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
1713 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
1714 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
1715 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
1716 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
1717 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
1718 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
1719 {0x0009009C, "FSCTL_GET_OBJECT_ID"}, /* dissector implemented */
1720 {0x000900A4, "FSCTL_SET_REPARSE_POINT"}, /* dissector implemented */
1721 {0x000900A8, "FSCTL_GET_REPARSE_POINT"}, /* dissector implemented */
1722 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"}, /* dissector implemented */
1723 {0x000900C4, "FSCTL_SET_SPARSE"}, /* dissector implemented */
1724 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
1725 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
1726 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
1727 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
1728 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
1729 {0x00090244, "FSCTL_CSV_TUNNEL_REQUEST"},
1730 {0x0009027C, "FSCTL_GET_INTEGRITY_INFORMATION"},
1731 {0x00090284, "FSCTL_QUERY_FILE_REGIONS"}, /* dissector implemented */
1732 {0x000902c8, "FSCTL_CSV_SYNC_TUNNEL_REQUEST"},
1733 {0x00090300, "FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT"}, /* dissector implemented */
1734 {0x00090304, "FSCTL_SVHDX_SYNC_TUNNEL_REQUEST"}, /* dissector implemented */
1735 {0x00090308, "FSCTL_SVHDX_SET_INITIATOR_INFORMATION"},
1736 {0x0009030C, "FSCTL_SET_EXTERNAL_BACKING"},
1737 {0x00090310, "FSCTL_GET_EXTERNAL_BACKING"},
1738 {0x00090314, "FSCTL_DELETE_EXTERNAL_BACKING"},
1739 {0x00090318, "FSCTL_ENUM_EXTERNAL_BACKING"},
1740 {0x0009031F, "FSCTL_ENUM_OVERLAY"},
1741 {0x00090350, "FSCTL_STORAGE_QOS_CONTROL"}, /* dissector implemented */
1742 {0x00090364, "FSCTL_SVHDX_ASYNC_TUNNEL_REQUEST"}, /* dissector implemented */
1743 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
1744 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
1745 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
1746 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"}, /* dissector implemented */
1747 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
1748 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
1749 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
1750 {0x00094264, "FSCTL_OFFLOAD_READ"}, /* dissector implemented */
1751 {0x00098098, "FSCTL_SET_OBJECT_ID"}, /* dissector implemented */
1752 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
1753 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
1754 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
1755 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"}, /* dissector implemented */
1756 {0x000980C8, "FSCTL_SET_ZERO_DATA"}, /* dissector implemented */
1757 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
1758 {0x00098208, "FSCTL_FILE_LEVEL_TRIM"},
1759 {0x00098268, "FSCTL_OFFLOAD_WRITE"}, /* dissector implemented */
1760 {0x0009C040, "FSCTL_SET_COMPRESSION"}, /* dissector implemented */
1761 {0x0009C280, "FSCTL_SET_INTEGRITY_INFORMATION"}, /* dissector implemented */
1762 {0x00110018, "FSCTL_PIPE_WAIT"}, /* dissector implemented */
1763 {0x0011400C, "FSCTL_PIPE_PEEK"},
1764 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"}, /* dissector implemented */
1765 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
1766 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"}, /* dissector implemented */
1767 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"}, /* dissector implemented */
1768 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"}, /* dissector implemented */
1769 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"}, /* dissector implemented */
1770 {0x00144064, "FSCTL_SRV_ENUMERATE_SNAPSHOTS"}, /* dissector implemented */
1771 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
1772 {0x001441bb, "FSCTL_SRV_READ_HASH"},
1773 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
/* Extended-lookup wrapper over smb2_ioctl_vals; dissect_smb2_ioctl_function()
 * uses it to turn a full 32-bit ioctl/FSCTL code into a name. */
1776 static value_string_ext smb2_ioctl_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_vals);
/* Names for the device-type part of an ioctl code.
 * dissect_smb2_ioctl_function() looks up (ioctl_function>>16)&0xffff here
 * when the full code has no name of its own.
 * NOTE(review): the visible rows are in ascending order, but several values
 * (for example 0x0001, 0x0006, 0x0007, 0x0015) have no row in this listing;
 * a device type without a row is shown through the caller-supplied
 * Unknown format rather than by name. */
1778 static const value_string smb2_ioctl_device_vals[] = {
1780 { 0x0002, "CD_ROM" },
1781 { 0x0003, "CD_ROM_FILE_SYSTEM" },
1782 { 0x0004, "CONTROLLER" },
1783 { 0x0005, "DATALINK" },
1786 { 0x0008, "DISK_FILE_SYSTEM" },
1787 { 0x0009, "FILE_SYSTEM" },
1788 { 0x000a, "INPORT_PORT" },
1789 { 0x000b, "KEYBOARD" },
1790 { 0x000c, "MAILSLOT" },
1791 { 0x000d, "MIDI_IN" },
1792 { 0x000e, "MIDI_OUT" },
1793 { 0x000f, "MOUSE" },
1794 { 0x0010, "MULTI_UNC_PROVIDER" },
1795 { 0x0011, "NAMED_PIPE" },
1796 { 0x0012, "NETWORK" },
1797 { 0x0013, "NETWORK_BROWSER" },
1798 { 0x0014, "NETWORK_FILE_SYSTEM" },
1800 { 0x0016, "PARALLEL_PORT" },
1801 { 0x0017, "PHYSICAL_NETCARD" },
1802 { 0x0018, "PRINTER" },
1803 { 0x0019, "SCANNER" },
1804 { 0x001a, "SERIAL_MOUSE_PORT" },
1805 { 0x001b, "SERIAL_PORT" },
1806 { 0x001c, "SCREEN" },
1807 { 0x001d, "SOUND" },
1808 { 0x001e, "STREAMS" },
1810 { 0x0020, "TAPE_FILE_SYSTEM" },
1811 { 0x0021, "TRANSPORT" },
1812 { 0x0022, "UNKNOWN" },
1813 { 0x0023, "VIDEO" },
1814 { 0x0024, "VIRTUAL_DISK" },
1815 { 0x0025, "WAVE_IN" },
1816 { 0x0026, "WAVE_OUT" },
1817 { 0x0027, "8042_PORT" },
1818 { 0x0028, "NETWORK_REDIRECTOR" },
1819 { 0x0029, "BATTERY" },
1820 { 0x002a, "BUS_EXTENDER" },
1821 { 0x002b, "MODEM" },
1823 { 0x002d, "MASS_STORAGE" },
1826 { 0x0030, "CHANGER" },
1827 { 0x0031, "SMARTCARD" },
1830 { 0x0034, "FULLSCREEN_VIDEO" },
1831 { 0x0035, "DFS_FILE_SYSTEM" },
1832 { 0x0036, "DFS_VOLUME" },
1833 { 0x0037, "SERENUM" },
1834 { 0x0038, "TERMSRV" },
/* Extended-lookup wrapper over the device-type table above. */
1838 static value_string_ext smb2_ioctl_device_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals);
/* Names for the required-access part of an ioctl code (values 0-3).
 * NOTE(review): presumably bits 14-15 as in the Windows CTL_CODE layout;
 * the field mask is registered elsewhere in the file - confirm. */
1840 static const value_string smb2_ioctl_access_vals[] = {
1841 { 0x00, "FILE_ANY_ACCESS" },
1842 { 0x01, "FILE_READ_ACCESS" },
1843 { 0x02, "FILE_WRITE_ACCESS" },
1844 { 0x03, "FILE_READ_WRITE_ACCESS" },
/* Names for the buffer-passing method part of an ioctl code (values 0-3).
 * NOTE(review): presumably the low two bits of the code - confirm against
 * the field registration. */
1848 static const value_string smb2_ioctl_method_vals[] = {
1849 { 0x00, "METHOD_BUFFERED" },
1850 { 0x01, "METHOD_IN_DIRECT" },
1851 { 0x02, "METHOD_OUT_DIRECT" },
1852 { 0x03, "METHOD_NEITHER" },
/* Names for the shared virtual disk support value; only 0x01 and 0x07 are
 * listed, any other value is unnamed. */
1856 static const value_string smb2_ioctl_shared_virtual_disk_vals[] = {
1857 { 0x01, "SharedVirtualDisksSupported" },
1858 { 0x07, "SharedVirtualDiskCDPSnapshotsSupported" },
/* Names for the shared virtual disk handle state value (0x00, 0x01, 0x03). */
1862 static const value_string smb2_ioctl_shared_virtual_disk_hstate_vals[] = {
1863 { 0x00, "HandleStateNone" },
1864 { 0x01, "HandleStateFileShared" },
1865 { 0x03, "HandleStateShared" },
1869 /* this is called from both smb and smb2. */
/*
 * Dissect the 4-byte little-endian ioctl/FSCTL code at offset.
 *
 * Adds the code as hf_smb2_ioctl_function under parent_tree, adds its parts
 * (device, access, function, method) to a subtree, stores the raw value
 * through ioctlfunc and appends a description to the Info column.
 *
 *   tvb, offset   buffer and position of the code
 *   pinfo         supplies the column info that is appended to
 *   parent_tree   tree the item is attached to
 *   ioctlfunc     out: receives the raw 32-bit code
 *
 * NOTE(review): the store through ioctlfunc is unconditional on the visible
 * lines; a NULL guard, if there is one, sits on a line this listing omits.
 * Confirm that every caller in both dissectors passes a valid pointer or
 * that the guard exists.
 */
1871 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctlfunc)
1873 proto_item *item = NULL;
1874 proto_tree *tree = NULL;
1875 guint32 ioctl_function;
1878 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1879 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
/* The code comes straight from the capture; every later decision in this
 * function is driven by this untrusted 32-bit value. */
1882 ioctl_function = tvb_get_letohl(tvb, offset);
1884 *ioctlfunc = ioctl_function;
1885 if (ioctl_function) {
/* unknown acts as a sentinel: it is presumably passed as the default
 * string on the omitted argument line, so a pointer comparison against it
 * (below) tells a table miss apart from a real name. */
1886 const gchar *unknown = "unknown";
1887 const gchar *ioctl_name = val_to_str_ext_const(ioctl_function,
1888 &smb2_ioctl_vals_ext,
1892 * val_to_str_const() doesn't work with a unknown == NULL
1894 if (ioctl_name == unknown) {
1898 if (ioctl_name != NULL) {
/* The name is passed as an argument to a literal format string, never as
 * the format itself. */
1900 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
1904 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1905 if (ioctl_name == NULL) {
/* No name for the full code: fall back to the device type, taken from the
 * upper 16 bits. */
1907 pinfo->cinfo, COL_INFO, " %s",
1908 val_to_str_ext((ioctl_function>>16)&0xffff, &smb2_ioctl_device_vals_ext,
1909 "Unknown (0x%08X)"));
1913 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1916 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1917 if (ioctl_name == NULL) {
/* ... followed by the 12-bit function number from bits 2-13. */
1919 pinfo->cinfo, COL_INFO, " Function:0x%04x",
1920 (ioctl_function>>2)&0x0fff);
1924 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1932 /* fake the dce/rpc support structures so we can piggy back on
1933 * dissect_nt_policy_hnd() since this will allow us
1934 * a cheap way to track where FIDs are opened, closed
1935 * and fid->filename mappings
1936 * if we want to do those things in the future.
/* Values for the mode argument of dissect_smb2_fid(). */
1938 #define FID_MODE_OPEN 0
1939 #define FID_MODE_CLOSE 1
1940 #define FID_MODE_USE 2
1941 #define FID_MODE_DHNQ 3
1942 #define FID_MODE_DHNC 4
/*
 * Dissect the 16-byte SMB2 file id at offset (two little-endian 64-bit
 * halves: persistent, then volatile) and tie it to per-conversation state.
 *
 * The id is handed to dissect_nt_guid_hnd() with faked DCE/RPC structures.
 * On the first pass over an opening frame a smb2_fid_info_t and a display
 * name are allocated in file scope and stored in si->conv->fids; later
 * frames look the id up again and append the file name to the tree item
 * and to the Info column. An smb2_eo_file_info_t per handle is kept in
 * si->conv->files.
 *
 *   si     per-packet SMB2 state; supplies sesid, tid, conv and saved
 *   mode   one of the FID_MODE_* values above
 *
 * NOTE(review): several guards and case labels are on lines this listing
 * omits. Points to confirm against the full file:
 *   - si->saved is dereferenced on visible lines without a visible NULL
 *     check in two places;
 *   - the result of the fids lookup (si->file) is dereferenced for ->name,
 *     and a lookup miss returns NULL;
 *   - di and call_data are function-static, so their state is shared by
 *     every call; only conformant_run and call_data are set here;
 *   - every first-pass open allocates in wmem_file_scope(), so memory use
 *     grows with the number of opens in the capture.
 */
1944 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
1946 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
1947 static dcerpc_info di; /* fake dcerpc_info struct */
1948 static dcerpc_call_value call_data;
1949 e_ctx_hnd policy_hnd;
1950 e_ctx_hnd *policy_hnd_hashtablekey;
1951 proto_item *hnd_item = NULL;
1953 guint32 open_frame = 0, close_frame = 0;
1954 smb2_eo_file_info_t *eo_file_info;
1955 smb2_fid_info_t sfi_key;
1956 smb2_fid_info_t *sfi = NULL;
/* Build the lookup key from the wire id plus the session and tree ids of
 * the current packet. */
1958 sfi_key.fid_persistent = tvb_get_letoh64(tvb, offset);
1959 sfi_key.fid_volatile = tvb_get_letoh64(tvb, offset+8);
1960 sfi_key.sesid = si->sesid;
1961 sfi_key.tid = si->tid;
1962 sfi_key.name = NULL;
1964 di.conformant_run = 0;
1965 /* we need di->call_data->flags.NDR64 == 0 */
1966 di.call_data = &call_data;
/* First of three dissect_nt_guid_hnd() calls; they differ only in the last
 * two arguments (TRUE,FALSE here; FALSE,TRUE under FID_MODE_CLOSE;
 * FALSE,FALSE for the remaining path) - presumably is-open and is-close. */
1970 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, TRUE, FALSE);
/* Only record state on the first pass over the frame. */
1971 if (!pinfo->fd->flags.visited) {
1972 sfi = wmem_new(wmem_file_scope(), smb2_fid_info_t);
/* extra_info is an untyped pointer; it is treated as a C string only when
 * the type tag says SMB2_EI_FILENAME. */
1974 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1975 sfi->name = wmem_strdup(wmem_file_scope(), (char *)si->saved->extra_info);
1977 sfi->name = wmem_strdup_printf(wmem_file_scope(), "[unknown]");
1980 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1981 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si->saved->extra_info);
1983 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: ");
1985 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
/* The same pointer serves as key and value.
 * NOTE(review): the assignment that fills the key fields of sfi is not
 * visible in this listing - confirm it happens before this insert. */
1988 g_hash_table_insert(si->conv->fids, sfi, sfi);
1991 /* If needed, create the file entry and save the policy hnd */
1993 si->saved->file = sfi;
1994 si->saved->policy_hnd = policy_hnd;
1998 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1999 if (!eo_file_info) {
2000 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
/* The hash key must outlive this call, so the stack copy of the handle is
 * duplicated into file scope; the copy size is the fixed struct size. */
2001 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
2002 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
2003 eo_file_info->end_of_file=0;
2004 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
2006 si->eo_file_info=eo_file_info;
2010 case FID_MODE_CLOSE:
2011 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, TRUE);
2016 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, FALSE);
/* Look the id up in the table filled by the open path. */
2020 si->file = (smb2_fid_info_t *)g_hash_table_lookup(si->conv->fids, &sfi_key);
2023 si->saved->file = si->file;
2025 if (si->file->name) {
/* The stored name originated in the capture; it is passed as a %s
 * argument in both places. */
2027 proto_item_append_text(hnd_item, " File: %s", si->file->name);
2029 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", si->file->name);
2033 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
2034 /* look for the eo_file_info */
2035 if (!si->eo_file_info) {
2036 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
2038 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
2040 si->eo_file_info=eo_file_info;
2041 } else { /* XXX This should never happen */
2042 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
2043 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
2044 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
2045 eo_file_info->end_of_file=0;
2046 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
2057 /* this info level is unique to SMB2 and differs from the corresponding
2058 * SMB_FILE_ALL_INFO in SMB
/*
 * Dissect the SMB2 file-all-info level into a subtree of parent_tree.
 *
 * Fields are added in wire order: four 64-bit timestamps, file attributes,
 * 4 unknown bytes, allocation size, end of file, link count, delete
 * pending, is-directory, file id, EA size, access mask, position, mode
 * bitmask, alignment, file name length and the file name itself.
 *
 * NOTE(review): the statements that advance offset between fields are on
 * lines this listing omits. Two points to confirm against the full file:
 *   - the name length is read with a 16-bit accessor although the length
 *     field is added to the tree as 4 bytes, so a wire value above 0xffff
 *     would be truncated before the name is extracted;
 *   - bc is declared on an omitted line; confirm it is wide enough for
 *     tvb_captured_length_remaining() and that name is checked before use.
 */
2061 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2063 proto_item *item = NULL;
2064 proto_tree *tree = NULL;
2066 const char *name = "";
/* Bit fields shown under the mode information bitmask. */
2068 static const int *mode_fields[] = {
2069 &hf_smb2_mode_file_write_through,
2070 &hf_smb2_mode_file_sequential_only,
2071 &hf_smb2_mode_file_no_intermediate_buffering,
2072 &hf_smb2_mode_file_synchronous_io_alert,
2073 &hf_smb2_mode_file_synchronous_io_nonalert,
2074 &hf_smb2_mode_file_delete_on_close,
2079 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
2080 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
2084 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2087 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2090 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2093 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2095 /* File Attributes */
2096 offset = dissect_file_ext_attr(tvb, tree, offset);
2098 /* some unknown bytes */
2099 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
2102 /* allocation size */
2103 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2107 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2110 /* number of links */
2111 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2114 /* delete pending */
2115 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2119 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2126 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2130 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2134 offset = dissect_smb_access_mask(tvb, tree, offset);
2136 /* Position Information */
2137 proto_tree_add_item(tree, hf_smb2_position_information, tvb, offset, 8, ENC_NA);
2140 /* Mode Information */
2141 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_mode_information, ett_smb2_file_mode_info, mode_fields, ENC_LITTLE_ENDIAN);
2144 /* Alignment Information */
2145 proto_tree_add_item(tree, hf_smb2_alignment_information, tvb, offset, 4, ENC_NA);
2148 /* file name length */
/* 16-bit read of a field that is displayed as 4 bytes on the next line. */
2149 length = tvb_get_letohs(tvb, offset);
2150 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* bc caps the string extraction at what was actually captured. */
2155 bc = tvb_captured_length_remaining(tvb, offset);
2156 name = get_unicode_or_ascii_string(tvb, &offset,
2157 TRUE, &length, TRUE, TRUE, &bc);
2159 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2160 offset, length, name);
/*
 * Subtree wrapper for the file allocation info level: adds
 * hf_smb2_file_allocation_info under parent_tree (length -1) and lets
 * dissect_qsfi_SMB_FILE_ALLOCATION_INFO() dissect the fields, bounded by
 * the remaining captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on lines this listing omits and
 * trunc is not examined on any visible line - confirm bc is wide enough
 * for tvb_captured_length_remaining().
 */
2171 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2173 proto_item *item = NULL;
2174 proto_tree *tree = NULL;
2179 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
2180 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
2183 bc = tvb_captured_length_remaining(tvb, offset);
2184 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the end-of-file info level: adds
 * hf_smb2_file_endoffile_info under parent_tree (length -1) and delegates
 * the fields to dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(), bounded by the
 * remaining captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2190 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2192 proto_item *item = NULL;
2193 proto_tree *tree = NULL;
2198 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
2199 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
2202 bc = tvb_captured_length_remaining(tvb, offset);
2203 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the alternate name info level: adds
 * hf_smb2_file_alternate_name_info under parent_tree (length -1) and
 * delegates to dissect_qfi_SMB_FILE_NAME_INFO(), bounded by the remaining
 * captured byte count; offset is updated from the helper.
 *
 * The final TRUE argument is hard-coded (flagged as an assumption in the
 * original inline comment); presumably it selects Unicode - confirm.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line.
 */
2209 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2211 proto_item *item = NULL;
2212 proto_tree *tree = NULL;
2217 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
2218 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
2221 bc = tvb_captured_length_remaining(tvb, offset);
2222 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ TRUE);
/*
 * Dissect the file basic info level into a subtree of parent_tree:
 * create, last access, last write and last change timestamps (64-bit
 * each), the file attributes, then 4 bytes shown as unknown.
 *
 * No byte-count bound is computed here; running off the end of the buffer
 * is left to the tvb accessors used by the helpers.
 */
2229 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2231 proto_item *item = NULL;
2232 proto_tree *tree = NULL;
2235 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
2236 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
2240 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2243 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2246 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2249 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2251 /* File Attributes */
2252 offset = dissect_file_ext_attr(tvb, tree, offset);
2254 /* some unknown bytes */
2255 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/*
 * Subtree wrapper for the file standard info level: adds
 * hf_smb2_file_standard_info under parent_tree (length -1) and delegates
 * to dissect_qfi_SMB_FILE_STANDARD_INFO(), bounded by the remaining
 * captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2262 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2264 proto_item *item = NULL;
2265 proto_tree *tree = NULL;
2270 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
2271 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
2274 bc = tvb_captured_length_remaining(tvb, offset);
2275 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file internal info level: adds
 * hf_smb2_file_internal_info under parent_tree (length -1) and delegates
 * to dissect_qfi_SMB_FILE_INTERNAL_INFO(), bounded by the remaining
 * captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2280 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2282 proto_item *item = NULL;
2283 proto_tree *tree = NULL;
2288 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
2289 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
2292 bc = tvb_captured_length_remaining(tvb, offset);
2293 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file mode info level: adds
 * hf_smb2_file_mode_info under parent_tree (length -1) and delegates to
 * dissect_qsfi_SMB_FILE_MODE_INFO(), bounded by the remaining captured
 * byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2298 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2300 proto_item *item = NULL;
2301 proto_tree *tree = NULL;
2306 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
2307 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
2310 bc = tvb_captured_length_remaining(tvb, offset);
2311 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file alignment info level: adds
 * hf_smb2_file_alignment_info under parent_tree (length -1) and delegates
 * to dissect_qfi_SMB_FILE_ALIGNMENT_INFO(), bounded by the remaining
 * captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2316 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2318 proto_item *item = NULL;
2319 proto_tree *tree = NULL;
2324 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
2325 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
2328 bc = tvb_captured_length_remaining(tvb, offset);
2329 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file position info level: adds
 * hf_smb2_file_position_info under parent_tree (length -1) and delegates
 * to dissect_qsfi_SMB_FILE_POSITION_INFO(), bounded by the remaining
 * captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2334 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2336 proto_item *item = NULL;
2337 proto_tree *tree = NULL;
2342 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
2343 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
2346 bc = tvb_captured_length_remaining(tvb, offset);
2347 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Dissect the file access info level: adds hf_smb2_file_access_info under
 * parent_tree (length -1) and shows the granted access mask through
 * dissect_smb_access_mask(); offset is updated from that helper.
 */
2353 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2355 proto_item *item = NULL;
2356 proto_tree *tree = NULL;
2359 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
2360 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
2364 offset = dissect_smb_access_mask(tvb, tree, offset);
/*
 * Subtree wrapper for the file EA info level: adds hf_smb2_file_ea_info
 * under parent_tree (length -1) and delegates to
 * dissect_qfi_SMB_FILE_EA_INFO(), bounded by the remaining captured byte
 * count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2370 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2372 proto_item *item = NULL;
2373 proto_tree *tree = NULL;
2378 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
2379 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
2382 bc = tvb_captured_length_remaining(tvb, offset);
2383 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file stream info level: adds
 * hf_smb2_file_stream_info under parent_tree (length -1) and delegates to
 * dissect_qfi_SMB_FILE_STREAM_INFO(), bounded by the remaining captured
 * byte count; offset is updated from the helper. The final TRUE argument
 * is hard-coded; presumably it selects Unicode names - confirm.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2389 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2391 proto_item *item = NULL;
2392 proto_tree *tree = NULL;
2397 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
2398 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
2401 bc = tvb_captured_length_remaining(tvb, offset);
2402 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, TRUE);
/*
 * Subtree wrapper for the file pipe info level: adds
 * hf_smb2_file_pipe_info under parent_tree (length -1) and delegates to
 * dissect_sfi_SMB_FILE_PIPE_INFO(), bounded by the remaining captured
 * byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2408 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2410 proto_item *item = NULL;
2411 proto_tree *tree = NULL;
2416 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
2417 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
2420 bc = tvb_captured_length_remaining(tvb, offset);
2421 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file compression info level: adds
 * hf_smb2_file_compression_info under parent_tree (length -1) and
 * delegates to dissect_qfi_SMB_FILE_COMPRESSION_INFO(), bounded by the
 * remaining captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2427 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2429 proto_item *item = NULL;
2430 proto_tree *tree = NULL;
2435 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
2436 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
2439 bc = tvb_captured_length_remaining(tvb, offset);
2440 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file network open info level: adds
 * hf_smb2_file_network_open_info under parent_tree (length -1) and
 * delegates to dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(), bounded by the
 * remaining captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2446 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2448 proto_item *item = NULL;
2449 proto_tree *tree = NULL;
2454 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
2455 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
2459 bc = tvb_captured_length_remaining(tvb, offset);
2460 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Subtree wrapper for the file attribute tag info level: adds
 * hf_smb2_file_attribute_tag_info under parent_tree (length -1) and
 * delegates to dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(), bounded by the
 * remaining captured byte count; offset is updated from the helper.
 *
 * NOTE(review): bc and trunc are declared on omitted lines; trunc is not
 * examined on any visible line - confirm the width of bc.
 */
2466 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2468 proto_item *item = NULL;
2469 proto_tree *tree = NULL;
2474 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
2475 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
2479 bc = tvb_captured_length_remaining(tvb, offset);
2480 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Display strings for the delete-on-close flag: the first string is shown
 * when the flag is set, the second when it is clear. */
2485 static const true_false_string tfs_disposition_delete_on_close = {
2486 "DELETE this file when closed",
2487 "Normal access, do not delete on close"
/*
 * Dissect the file disposition info level: adds
 * hf_smb2_file_disposition_info under parent_tree (length -1) and shows
 * the one-byte delete-on-close field in its subtree.
 *
 * For an analyst this single byte is what marks a set-info request that
 * schedules the file for deletion when the handle is closed.
 */
2491 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2493 proto_item *item = NULL;
2494 proto_tree *tree = NULL;
2497 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
2498 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
2501 /* file disposition */
2502 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissect a chain of full extended-attribute (EA) entries into a subtree
 * of parent_tree.
 *
 * Each entry is read as: 4-byte next-entry offset, 1-byte flags, 1-byte
 * name length, 2-byte data length, the name followed by a terminator
 * byte, then the data. The entry is labelled with name := data and the
 * next entry is taken to start at start_offset + next_offset.
 *
 * NOTE(review): the loop header and its exit conditions are on lines this
 * listing omits. Because next_offset, ea_name_len and ea_data_len all come
 * from the packet, confirm in the full file that:
 *   - a next_offset of 0 ends the loop and large values are rejected
 *     (next_offset is unsigned 32-bit and is added to an int);
 *   - name and data are checked for NULL before the %s formatting below;
 *   - data is arbitrary bytes, yet it is rendered as a string in the
 *     entry label.
 */
2508 dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2510 proto_item *item = NULL;
2511 proto_tree *tree = NULL;
2512 guint32 next_offset;
2514 guint16 ea_data_len;
2517 item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
2518 tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
2523 const char *name = "";
2524 const char *data = "";
/* Remember where this entry began; next_offset is relative to it. */
2526 int start_offset = offset;
2527 proto_item *ea_item;
2528 proto_tree *ea_tree;
2530 ea_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_ea, &ea_item, "EA:");
2533 next_offset = tvb_get_letohl(tvb, offset);
2534 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2538 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2541 /* EA Name Length */
2542 ea_name_len = tvb_get_guint8(tvb, offset);
2543 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2546 /* EA Data Length */
2547 ea_data_len = tvb_get_letohs(tvb, offset);
2548 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2552 length = ea_name_len;
/* bc bounds the string extraction by what was captured. */
2554 bc = tvb_captured_length_remaining(tvb, offset);
2555 name = get_unicode_or_ascii_string(tvb, &offset,
2556 FALSE, &length, TRUE, TRUE, &bc);
2558 proto_tree_add_string(ea_tree, hf_smb2_ea_name, tvb,
2559 offset, length + 1, name);
2563 /* The name is terminated with a NULL */
2564 offset += ea_name_len + 1;
2567 length = ea_data_len;
2569 bc = tvb_captured_length_remaining(tvb, offset);
2570 data = get_unicode_or_ascii_string(tvb, &offset,
2571 FALSE, &length, TRUE, TRUE, &bc);
2573 * We put the data here ...
2575 proto_tree_add_item(ea_tree, hf_smb2_ea_data, tvb,
2576 offset, length, ENC_NA);
2578 offset += ea_data_len;
2582 proto_item_append_text(ea_item, " %s := %s", name, data);
2584 proto_item_set_len(ea_item, offset-start_offset);
/* Jump to the next entry using the offset supplied by the packet. */
2591 offset = start_offset+next_offset;
/* Display strings for the ReplaceIfExists flag of a rename: the first
 * string is shown when the flag is set, the second when it is clear. */
2597 static const true_false_string tfs_replace_if_exists = {
2598 "Replace the target if it exists",
2599 "Fail if the target exists"
/*
 * Dissect the file rename info level into a subtree of parent_tree:
 * 1-byte ReplaceIfExists, 7 reserved bytes, 8-byte root directory handle,
 * the file name length and the new file name, which is also appended to
 * the Info column.
 *
 * NOTE(review):
 *   - pinfo carries the unused marker in the signature although it is
 *     dereferenced for the column update below;
 *   - the name length is read with a 16-bit accessor while the field is
 *     added to the tree as 4 bytes, so a wire value above 0xffff would be
 *     truncated;
 *   - bc is declared on an omitted line, and any NULL check on name is not
 *     visible here - confirm before the %s formatting.
 */
2603 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2605 proto_item *item = NULL;
2606 proto_tree *tree = NULL;
2608 const char *name = "";
2613 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
2614 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
2617 /* ReplaceIfExists */
2618 proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
2622 proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
2625 /* Root Directory Handle, MBZ */
2626 proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
2629 /* file name length */
2630 length = tvb_get_letohs(tvb, offset);
2631 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2636 bc = tvb_captured_length_remaining(tvb, offset);
2637 name = get_unicode_or_ascii_string(tvb, &offset,
2638 TRUE, &length, TRUE, TRUE, &bc);
2640 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2641 offset, length, name);
/* The new name comes from the packet and is passed as a %s argument. */
2644 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s", name);
/*
 * Dissect security info class 00: adds hf_smb2_sec_info_00 under
 * parent_tree (length -1) and hands the rest of the captured buffer to
 * dissect_nt_sec_desc() as an NT security descriptor; offset is updated
 * from that helper.
 *
 * The descriptor length passed down is whatever remains in the capture,
 * so all internal bounds checking rests with dissect_nt_sec_desc().
 * pinfo is marked unused in the signature but is passed to the helper.
 */
2652 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2654 proto_item *item = NULL;
2655 proto_tree *tree = NULL;
2658 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
2659 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
2662 /* security descriptor */
2663 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, TRUE, tvb_captured_length_remaining(tvb, offset), NULL);
/*
 * Subtree wrapper for quota info: adds hf_smb2_quota_info under
 * parent_tree (length -1) and delegates to dissect_nt_user_quota(),
 * bounded by the remaining captured byte count; offset is updated from
 * the helper.
 *
 * NOTE(review): bcp is declared on a line this listing omits - confirm it
 * is wide enough for tvb_captured_length_remaining().
 */
2669 dissect_smb2_quota_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2671 proto_item *item = NULL;
2672 proto_tree *tree = NULL;
2676 item = proto_tree_add_item(parent_tree, hf_smb2_quota_info, tvb, offset, -1, ENC_NA);
2677 tree = proto_item_add_subtree(item, ett_smb2_quota_info);
2680 bcp = tvb_captured_length_remaining(tvb, offset);
2681 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
/*
 * Subtree wrapper for filesystem info level 05: adds hf_smb2_fs_info_05
 * under parent_tree (length -1) and delegates to
 * dissect_qfsi_FS_ATTRIBUTE_INFO(), bounded by the remaining captured
 * byte count; offset is updated from the helper. The final TRUE argument
 * is hard-coded; presumably it selects Unicode - confirm.
 *
 * NOTE(review): bc is declared on an omitted line - confirm its width.
 */
2687 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2689 proto_item *item = NULL;
2690 proto_tree *tree = NULL;
2694 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
2695 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
2698 bc = tvb_captured_length_remaining(tvb, offset);
2699 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/*
 * Subtree wrapper for filesystem info level 06: adds hf_smb2_fs_info_06
 * under parent_tree (length -1) and delegates to dissect_nt_quota(),
 * bounded by the remaining captured byte count; offset is updated from
 * the helper.
 *
 * NOTE(review): bc is declared on an omitted line - confirm its width.
 */
2705 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2707 proto_item *item = NULL;
2708 proto_tree *tree = NULL;
2712 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
2713 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
2716 bc = tvb_captured_length_remaining(tvb, offset);
2717 offset = dissect_nt_quota(tvb, tree, offset, &bc);
/*
 * Subtree wrapper for filesystem object-id info: adds
 * hf_smb2_fs_objectid_info under parent_tree (length -1) and delegates to
 * dissect_smb2_FILE_OBJECTID_BUFFER(); offset is updated from the helper.
 * pinfo is marked unused in the signature but is passed to the helper.
 */
2723 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2725 proto_item *item = NULL;
2726 proto_tree *tree = NULL;
2729 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
2730 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
2733 /* FILE_OBJECTID_BUFFER */
2734 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * Subtree wrapper for filesystem info level 07: adds hf_smb2_fs_info_07
 * under parent_tree (length -1) and delegates to
 * dissect_qfsi_FS_FULL_SIZE_INFO(), bounded by the remaining captured
 * byte count; offset is updated from the helper.
 *
 * NOTE(review): bc is declared on an omitted line - confirm its width.
 */
2740 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2742 proto_item *item = NULL;
2743 proto_tree *tree = NULL;
2747 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
2748 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
2751 bc = tvb_captured_length_remaining(tvb, offset);
2752 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/*
 * Subtree wrapper for filesystem info level 01: adds hf_smb2_fs_info_01
 * under parent_tree (length -1) and delegates to
 * dissect_qfsi_FS_VOLUME_INFO(), bounded by the remaining captured byte
 * count; offset is updated from the helper. The final TRUE argument is
 * hard-coded; presumably it selects Unicode - confirm.
 *
 * NOTE(review): bc is declared on an omitted line - confirm its width.
 */
2758 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2760 proto_item *item = NULL;
2761 proto_tree *tree = NULL;
2765 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
2766 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
2770 bc = tvb_captured_length_remaining(tvb, offset);
2771 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/*
 * Subtree wrapper for filesystem info level 03: adds hf_smb2_fs_info_03
 * under parent_tree (length -1) and delegates to
 * dissect_qfsi_FS_SIZE_INFO(), bounded by the remaining captured byte
 * count; offset is updated from the helper.
 *
 * NOTE(review): bc is declared on an omitted line - confirm its width.
 */
2777 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2779 proto_item *item = NULL;
2780 proto_tree *tree = NULL;
2784 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
2785 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
2789 bc = tvb_captured_length_remaining(tvb, offset);
2790 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/*
 * Subtree wrapper for filesystem info level 04: adds hf_smb2_fs_info_04
 * under parent_tree (length -1) and delegates to
 * dissect_qfsi_FS_DEVICE_INFO(), bounded by the remaining captured byte
 * count; offset is updated from the helper.
 *
 * NOTE(review): bc is declared on an omitted line - confirm its width.
 */
2796 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2798 proto_item *item = NULL;
2799 proto_tree *tree = NULL;
2803 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
2804 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
2808 bc = tvb_captured_length_remaining(tvb, offset);
2809 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
/* Names for the one-byte oplock level; only the four listed values are
 * named. */
2814 static const value_string oplock_vals[] = {
2815 { 0x00, "No oplock" },
2816 { 0x01, "Level2 oplock" },
2817 { 0x08, "Exclusive oplock" },
2818 { 0x09, "Batch oplock" },
/*
 * Add the one-byte oplock level at offset to parent_tree as
 * hf_smb2_oplock. The offset advance and return are on lines this listing
 * omits.
 */
2824 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2826 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissect the 2-byte little-endian buffer code that starts a command PDU.
 *
 * The raw value is added as hf_smb2_buffer_code, and the same two bytes
 * are shown again in a subtree as a length part and a dynamic flag part.
 * The unmasked value is returned through length; the caller is expected
 * to mask it (the original comment names 0xfffe).
 *
 * NOTE(review): the store through length is the only visible use of the
 * pointer; a NULL guard, if there is one, is on an omitted line. Callers
 * that use the value as a size must apply the mask themselves.
 */
2833 dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint16 *length)
2837 guint16 buffer_code;
2839 /* dissect the first 2 bytes of the command PDU */
2840 buffer_code = tvb_get_letohs(tvb, offset);
2841 item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
2842 tree = proto_item_add_subtree(item, ett_smb2_buffercode);
2843 proto_tree_add_item(tree, hf_smb2_buffer_code_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2844 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2848 *length = buffer_code; /*&0xfffe don't mask it here, mask it on caller side */
/* Bit values of the negotiate capabilities field. The function below does
 * not reference these macros on its visible lines; the bit positions used
 * for display come from the hf_smb2_cap_* registrations. */
2854 #define NEGPROT_CAP_DFS 0x00000001
2855 #define NEGPROT_CAP_LEASING 0x00000002
2856 #define NEGPROT_CAP_LARGE_MTU 0x00000004
2857 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
2858 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
2859 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
2860 #define NEGPROT_CAP_ENCRYPTION 0x00000040
/*
 * Add the capabilities bitmask at offset to parent_tree, with one child
 * per flag in the static list. The encryption capability bit is the one
 * to check when judging whether a peer advertised SMB encryption support.
 */
2862 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2864 static const int * flags[] = {
2866 &hf_smb2_cap_leasing,
2867 &hf_smb2_cap_large_mtu,
2868 &hf_smb2_cap_multi_channel,
2869 &hf_smb2_cap_persistent_handles,
2870 &hf_smb2_cap_directory_leasing,
2871 &hf_smb2_cap_encryption,
2875 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_capabilities, ett_smb2_capabilities, flags, ENC_LITTLE_ENDIAN);
/* Bit values of the security mode field: signing required and signing
 * enabled. The function below does not reference these macros on its
 * visible lines. */
2883 #define NEGPROT_SIGN_REQ 0x0002
2884 #define NEGPROT_SIGN_ENABLED 0x0001
/*
 * Add the security mode bitmask at offset to parent_tree with the
 * signing-enabled and signing-required flags as children. These two bits
 * are what an analyst reads to see whether either side enforces message
 * signing or merely supports it.
 */
2887 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2889 static const int * flags[] = {
2890 &hf_smb2_secmode_flags_sign_enabled,
2891 &hf_smb2_secmode_flags_sign_required,
2895 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_security_mode, ett_smb2_sec_mode, flags, ENC_LITTLE_ENDIAN);
/* Bit value of the session-binding flag in a session setup request; not
 * referenced by the visible lines of the function below. */
2901 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
/*
 * Add the session setup request flags at offset to parent_tree, with the
 * session-binding flag as the only child.
 */
2904 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2906 static const int * flags[] = {
2907 &hf_smb2_ses_req_flags_session_binding,
2911 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_ses_req_flags, ett_smb2_ses_req_flags, flags, ENC_LITTLE_ENDIAN);
/* Bit values of the session flags in a session setup response: guest
 * session, null (anonymous) session, encrypted session. Not referenced by
 * the visible lines of the function below. */
2917 #define SES_FLAGS_GUEST 0x0001
2918 #define SES_FLAGS_NULL 0x0002
2919 #define SES_FLAGS_ENCRYPT 0x0004
/*
 * Add the session flags bitmask at offset to parent_tree with the guest,
 * null and encrypt flags as children. The guest and null bits show when a
 * server accepted a session without an authenticated user identity.
 */
2922 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2924 static const int * flags[] = {
2925 &hf_smb2_ses_flags_guest,
2926 &hf_smb2_ses_flags_null,
2927 &hf_smb2_ses_flags_encrypt,
2931 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_session_flags, ett_smb2_ses_flags, flags, ENC_LITTLE_ENDIAN);
/* Client-side caching policy values. All four fit in the two bits covered
 * by 0x00000030, so they are values of one sub-field of the share flags
 * rather than independent bits. */
2937 #define SHARE_FLAGS_manual_caching 0x00000000
2938 #define SHARE_FLAGS_auto_caching 0x00000010
2939 #define SHARE_FLAGS_vdo_caching 0x00000020
2940 #define SHARE_FLAGS_no_caching 0x00000030
/* Display names for the caching policy values above. */
2942 static const value_string share_cache_vals[] = {
2943 { SHARE_FLAGS_manual_caching, "Manual caching" },
2944 { SHARE_FLAGS_auto_caching, "Auto caching" },
2945 { SHARE_FLAGS_vdo_caching, "VDO caching" },
2946 { SHARE_FLAGS_no_caching, "No caching" },
/* Single-bit share flags. The function below does not reference these
 * macros on its visible lines; display positions come from the
 * hf_smb2_share_flags_* registrations. */
2950 #define SHARE_FLAGS_dfs 0x00000001
2951 #define SHARE_FLAGS_dfs_root 0x00000002
2952 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
2953 #define SHARE_FLAGS_force_shared_delete 0x00000200
2954 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
2955 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
2956 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
2957 #define SHARE_FLAGS_enable_hash_v1 0x00002000
2958 #define SHARE_FLAGS_enable_hash_v2 0x00004000
2959 #define SHARE_FLAGS_encryption_required 0x00008000
/*
 * Add the 4-byte share flags at offset to tree: a bitmask item with one
 * child per single-bit flag, plus a formatted caching-policy line built
 * from the same 32-bit value.
 *
 * NOTE(review): share_cache_vals only holds values within 0x00000030, so
 * the lookup is meaningful only if cp is masked first; that masking is
 * presumably on a line this listing omits - confirm. Note the naming
 * mismatch between the encryption_required macro and the encrypt_data
 * field used for the same flag.
 */
2962 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
2964 static const int *sf_fields[] = {
2965 &hf_smb2_share_flags_dfs,
2966 &hf_smb2_share_flags_dfs_root,
2967 &hf_smb2_share_flags_restrict_exclusive_opens,
2968 &hf_smb2_share_flags_force_shared_delete,
2969 &hf_smb2_share_flags_allow_namespace_caching,
2970 &hf_smb2_share_flags_access_based_dir_enum,
2971 &hf_smb2_share_flags_force_levelii_oplock,
2972 &hf_smb2_share_flags_enable_hash_v1,
2973 &hf_smb2_share_flags_enable_hash_v2,
2974 &hf_smb2_share_flags_encrypt_data,
2980 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
2982 cp = tvb_get_letohl(tvb, offset);
2984 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
2992 #define SHARE_CAPS_DFS 0x00000008
2993 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
2994 #define SHARE_CAPS_SCALEOUT 0x00000020
2995 #define SHARE_CAPS_CLUSTER 0x00000040
/* Adds the TREE_CONNECT response share-capabilities field to the tree as a bitmask
 * (DFS, continuous availability, scale-out, cluster; see the SHARE_CAPS_* defines).
 * The end of the table and the offset advance/return are on lines this listing omits. */
2998 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
3000 static const int *sc_fields[] = {
3001 &hf_smb2_share_caps_dfs,
3002 &hf_smb2_share_caps_continuous_availability,
3003 &hf_smb2_share_caps_scaleout,
3004 &hf_smb2_share_caps_cluster,
/* Decoded little-endian under hf_smb2_share_caps, in the ett_smb2_share_caps subtree. */
3008 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
/* Hands a session-setup security blob to the matching authentication dissector.
 * tvb holds only the blob; si is unused. */
3016 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
/* Raw NTLMSSP starts with the 7-byte signature "NTLMSSP". The captured-length test comes
 * first so the compare is only made when 7 bytes were actually captured. */
3018 if ((tvb_captured_length(tvb)>=7)
3019 && (!tvb_memeql(tvb, 0, "NTLMSSP", 7))) {
3020 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
/* Everything else goes to the GSS-API dissector; presumably this is the else branch
 * (the line carrying `else` is not shown in this listing). */
3022 call_dissector(gssapi_handle, tvb, pinfo, tree);
3027 * Derive client and server decryption keys from the secret session key
3028 * and set them in the session object.
/* Fills sesid->server_decryption_key and sesid->client_decryption_key from session_key.
 * session_key is compared over NTLMSSP_KEY_LEN bytes below, so the caller has to pass a
 * buffer of at least that many bytes. The label/context arguments of the two
 * smb2_key_derivation() calls are on lines this listing omits. */
3030 static void smb2_set_session_keys(smb2_sesid_info_t *sesid, const guint8 *session_key)
/* A key equal to `zeros` (declared on a line not shown) is not used for derivation. */
3032 if (memcmp(session_key, zeros, NTLMSSP_KEY_LEN) != 0) {
3033 smb2_key_derivation(session_key,
3037 sesid->server_decryption_key);
3038 smb2_key_derivation(session_key,
3042 sesid->client_decryption_key);
/* Clears both derived keys; presumably the else branch for the all-zero case (the `else`
 * line is not shown). sesid comes fresh from wmem_new() in the callers visible here, so
 * this is what gives the key arrays a defined value when no key material is available. */
3044 memset(sesid->server_decryption_key, 0,
3045 sizeof(sesid->server_decryption_key));
3046 memset(sesid->client_decryption_key, 0,
3047 sizeof(sesid->client_decryption_key));
/* Dissects the body of a SESSION_SETUP request: buffer code, request flags, security
 * mode, capabilities, channel, security-blob offset/length, previous session id and
 * finally the blob itself.
 * On the first pass over the frame it also creates a file-scope session record (account,
 * domain and host name plus derived decryption keys) for each NTLMSSP_AUTH message that
 * the ntlmssp tap delivered while the blob was dissected.
 * Offset advances, several braces and the return are on lines this listing omits. */
3052 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3054 offset_length_buffer_t s_olb;
3055 const ntlmssp_header_t *ntlmssph;
3056 static int ntlmssp_tap_id = 0;
/* One-time registration of a listener on the "ntlmssp" tap; ntlmssp_tap_id is static and
 * stays 0 until find_tap_id() has been called. */
3059 if (!ntlmssp_tap_id) {
3060 GString *error_string;
3061 /* We don't specify any callbacks at all.
3062 * Instead we manually fetch the tapped data after the
3063 * security blob has been fully dissected and before
3064 * we exit from this dissector.
3066 error_string = register_tap_listener("ntlmssp", NULL, NULL,
3067 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL);
/* A NULL error string means the listener was registered. The g_string_free() below
 * presumably belongs to the failure branch (the `else` line is not shown). */
3068 if (!error_string) {
3069 ntlmssp_tap_id = find_tap_id("ntlmssp");
3071 g_string_free(error_string, TRUE);
3077 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3078 /* some unknown bytes */
3081 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
3084 offset = dissect_smb2_secmode(tree, tvb, offset);
3087 offset = dissect_smb2_capabilities(tree, tvb, offset);
3090 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3093 /* security blob offset/length */
3094 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3096 /* previous session id */
3097 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3101 /* the security blob itself */
3102 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3104 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
3106 /* If we have found a uid->acct_name mapping, store it */
/* Only on the first pass, so a frame adds its session record once. */
3107 if (!pinfo->fd->flags.visited) {
/* idx is declared on a line not shown. The loop already stops on NULL, so the
 * `ntlmssph &&` test inside it is redundant. */
3109 while ((ntlmssph = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
3110 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
3111 smb2_sesid_info_t *sesid;
/* Not initialised here (the response dissector zero-fills its copy). It is only read
 * when seskey_find_sid_key() returns true.
 * NOTE(review): confirm that seskey_find_sid_key() writes all NTLMSSP_KEY_LEN bytes on success. */
3112 guint8 custom_seskey[NTLMSSP_KEY_LEN];
3113 const guint8 *session_key;
/* The record and its strings live in file scope; the three names are values taken from
 * the NTLMSSP header, i.e. supplied by the peer. */
3115 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
3116 sesid->sesid = si->sesid;
3117 sesid->acct_name = wmem_strdup(wmem_file_scope(), ntlmssph->acct_name);
3118 sesid->domain_name = wmem_strdup(wmem_file_scope(), ntlmssph->domain_name);
3119 sesid->host_name = wmem_strdup(wmem_file_scope(), ntlmssph->host_name);
3121 /* Try to see first if we have a
3122 * session key set in the pref for
3123 * this particular session id */
/* A key configured for this session id takes precedence over the one from the tap. */
3124 if (seskey_find_sid_key(si->sesid, custom_seskey)) {
3125 session_key = custom_seskey;
3127 session_key = ntlmssph->session_key;
3129 smb2_set_session_keys(sesid, session_key);
/* This is the request direction, so the server is the destination port. */
3130 sesid->server_port = pinfo->destport;
3131 sesid->auth_frame = pinfo->num;
/* The tid table is a GLib hash table, not wmem memory.
 * NOTE(review): no destroy call is visible here - confirm where it is released. */
3132 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
/* The record is its own key in the per-conversation session table. */
3133 g_hash_table_insert(si->conv->sesids, sesid, sesid);
/* Dissects the symbolic-link error response carried as error data for
 * STATUS_STOPPED_ON_SYMLINK: fixed header fields, two offset/length pairs and the two
 * name strings they point at.
 * Offset advances after each field and the return are on lines this listing omits. */
3142 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3147 offset_length_buffer_t s_olb, p_olb;
/* Length -1: the item initially extends to the end of the tvb. */
3149 item = proto_tree_add_item(parent_tree, hf_smb2_symlink_error_response, tvb, offset, -1, ENC_NA);
3150 tree = proto_item_add_subtree(item, ett_smb2_symlink_error_response);
3152 /* symlink length */
3153 proto_tree_add_item(tree, hf_smb2_symlink_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3156 /* symlink error tag */
3157 proto_tree_add_item(tree, hf_smb2_symlink_error_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3161 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3164 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3167 proto_tree_add_item(tree, hf_smb2_unparsed_path_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* Both offset/length pairs are 16-bit values read from the packet; they are only stored
 * in s_olb/p_olb here and resolved by the dissect_smb2_olb_off_string() calls below. */
3170 /* substitute name offset/length */
3171 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
3173 /* print name offset/length */
3174 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
3177 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The current offset is passed as the base for both strings.
 * NOTE(review): pinfo is marked _U_ in the signature but is used in these two calls. */
3180 /* substitute name string */
3181 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
3183 /* print name string */
3184 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
/* Dissects the ErrorData bytes of an error response. tvb holds only the error data.
 * With an error context count of 0 the layout is chosen from si->status; the only status
 * visible in this listing is STATUS_STOPPED_ON_SYMLINK. Other counts are not decoded yet
 * (see the TODO below).
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used below. */
3188 dissect_smb2_error_data(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int error_context_count, smb2_info_t *si _U_)
/* offset is declared on a line not shown. Length -1: the item covers the rest of the tvb. */
3195 item = proto_tree_add_item(parent_tree, hf_smb2_error_data, tvb, offset, -1, ENC_NA);
3196 tree = proto_item_add_subtree(item, ett_smb2_error_data);
3198 if (error_context_count == 0) {
3199 switch (si->status) {
3200 case 0x8000002D: /* STATUS_STOPPED_ON_SYMLINK */
3201 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvb, pinfo, tree, offset, si);
3208 /* TODO SMB311 supports multiple error contexts */
3212 /* This needs more fixes for cases when the original header had also the constant value of 9.
3213 This should be fixed on caller side where it decides if it has to call this or not.
/* Dissects a generic SMB2 error response body and tells the caller, through
 * *continue_dissection (may be NULL), whether it should go on dissecting the normal
 * response. Which branch sets TRUE and which FALSE depends on a test of `length` that is
 * on lines this listing omits.
 * error_context_count and byte_count are read from the packet. */
3216 dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si,
3217 gboolean* continue_dissection)
3220 guint8 error_context_count;
/* length receives the buffer code value of this response. */
3225 offset = dissect_smb2_buffercode(tree, tvb, offset, &length);
3227 /* FIX: error response uses this constant, if not then it is not an error response */
3230 if(continue_dissection)
3231 *continue_dissection = TRUE;
3233 if(continue_dissection)
3234 *continue_dissection = FALSE;
3236 /* ErrorContextCount (1 bytes) */
3237 error_context_count = tvb_get_guint8(tvb, offset);
3238 proto_tree_add_item(tree, hf_smb2_error_context_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3241 /* Reserved (1 bytes) */
3242 proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3245 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
3246 byte_count = tvb_get_letohl(tvb, offset);
3247 proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3250 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
3251 that is one byte in length */
3252 if (byte_count == 0) byte_count = 1;
3254 /* ErrorData (variable): A variable-length data field that contains extended
3255 error information.*/
/* byte_count is a 32-bit value from the wire and is not range-checked in this function;
 * the limit is whatever the tvbuff layer enforces when the subset is created and read.
 * NOTE(review): byte_count's declaration is not shown. If it is unsigned, adding it to the
 * int offset below can wrap for very large values - confirm the subset call rejects those first. */
3256 sub_tvb = tvb_new_subset_length(tvb, offset, byte_count);
3257 offset += byte_count;
3259 dissect_smb2_error_data(sub_tvb, pinfo, tree, error_context_count, si);
/* Dissects the body of a SESSION_SETUP response: buffer code, session flags,
 * security-blob offset/length and the blob itself.
 * With HAVE_KERBEROS, on the first pass over a successful response (status 0) it looks
 * for a decryption key recorded for this frame number and, using it or a key from the
 * preferences, creates a file-scope session record with derived decryption keys.
 * Offset advances, several braces and the return are on lines this listing omits.
 * NOTE(review): si is marked _U_ in the signature but is used below. */
3266 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3268 offset_length_buffer_t s_olb;
3270 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
3273 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3276 offset = dissect_smb2_ses_flags(tree, tvb, offset);
3278 /* security blob offset/length */
3279 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3281 /* the security blob itself */
3282 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3284 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
3286 /* If we have found a uid->acct_name mapping, store it */
3287 #ifdef HAVE_KERBEROS
3288 if (!pinfo->fd->flags.visited && si->status == 0) {
3292 read_keytab_file_from_preferences();
/* Search the key list for an entry tagged with this frame's number. What happens on a
 * match, and the test that a match was found, are on lines not shown. */
3295 for (ek=enc_key_list;ek;ek=ek->next) {
3296 if (ek->fd_num == (int)pinfo->num) {
3302 smb2_sesid_info_t *sesid;
/* Zero-filled, unlike the request dissector's copy. */
3303 guint8 custom_seskey[NTLMSSP_KEY_LEN] = { 0, };
3304 const guint8 *session_key;
3306 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
3307 sesid->sesid = si->sesid;
3308 /* TODO: fill in the correct information */
3309 sesid->acct_name = NULL;
3310 sesid->domain_name = NULL;
3311 sesid->host_name = NULL;
/* A key configured for this session id takes precedence over the key from the list. */
3313 if (seskey_find_sid_key(si->sesid, custom_seskey)) {
3314 session_key = custom_seskey;
/* NOTE(review): smb2_set_session_keys() reads NTLMSSP_KEY_LEN bytes from session_key.
 * No check of the length of ek->keyvalue is visible in this listing - confirm the key
 * is at least that long before it gets here. */
3316 session_key = ek->keyvalue;
3318 smb2_set_session_keys(sesid, session_key);
/* This is the response direction, so the server is the source port. */
3319 sesid->server_port = pinfo->srcport;
3320 sesid->auth_frame = pinfo->num;
/* GLib hash table, not wmem memory.
 * NOTE(review): no destroy call is visible here - confirm where it is released. */
3321 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
/* The record is its own key in the per-conversation session table. */
3322 g_hash_table_insert(si->conv->sesids, sesid, sesid);
/* Dissects the body of a TREE_CONNECT request and, on the first pass, saves the requested
 * tree name in si->saved so the response dissector can attach it to the tree id.
 * Offset advances and the return are on lines this listing omits.
 * NOTE(review): si is marked _U_ in the signature but is used below. */
3331 dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3333 offset_length_buffer_t olb;
3337 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3340 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
3343 /* tree offset/length */
3344 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);
/* buf is the decoded tree name; it is tested for NULL before it is copied below. */
3347 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
3349 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
3351 /* treelen +1 is overkill here if the string is unicode,
3352 * but who ever has more than a handful of TCON in a trace anyways
3354 if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
3355 si->saved->extra_info_type = SMB2_EI_TREENAME;
/* File-scope buffer sized from the wire length of the name; g_snprintf() is given the
 * same size, so the copy is bounded and NUL-terminated. */
3356 si->saved->extra_info = wmem_alloc(wmem_file_scope(), olb.len+1);
3357 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
/* The name comes from the packet and is passed as an argument to a literal format string.
 * NOTE(review): this call appears to sit outside the guard above, so buf may be NULL
 * here - confirm how col_append_fstr() handles that. */
3360 col_append_fstr(pinfo->cinfo, COL_INFO, " Tree: %s", buf);
/* Dissects the body of a TREE_CONNECT response and, on the first pass, binds the tree
 * name saved by the request to this tree id in the session's tid table.
 * Offset advances, several braces and the return are on lines this listing omits.
 * NOTE(review): si is marked _U_ in the signature but is used below. */
3365 dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3368 gboolean continue_dissection;
/* Status 0 is a normal response; any other status is parsed as an error response, which
 * decides whether the rest of this function still applies. */
3370 switch (si->status) {
3372 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3373 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3374 if (!continue_dissection) return offset;
3378 share_type = tvb_get_guint8(tvb, offset);
3379 proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3382 /* byte is reserved and must be set to zero */
3383 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
/* Requires a tree name saved by the matching request and a known session. */
3386 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
3387 smb2_tid_info_t *tid, tid_key;
/* Look up an earlier entry for the same tid; the removal below presumably runs only
 * when one was found (the test is on a line not shown). */
3389 tid_key.tid = si->tid;
3390 tid = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
3392 g_hash_table_remove(si->session->tids, &tid_key);
3394 tid = wmem_new(wmem_file_scope(), smb2_tid_info_t);
/* The new entry takes over the saved name pointer (no copy); the saved slot is cleared
 * further down so the pointer is not handed out twice. */
3396 tid->name = (char *)si->saved->extra_info;
3397 tid->connect_frame = pinfo->num;
3398 tid->share_type = share_type;
3400 g_hash_table_insert(si->session->tids, tid, tid);
3402 si->saved->extra_info_type = SMB2_EI_NONE;
3403 si->saved->extra_info = NULL;
3407 offset = dissect_smb2_share_flags(tree, tvb, offset);
3409 /* share capabilities */
3410 offset = dissect_smb2_share_caps(tree, tvb, offset);
3412 /* this is some sort of access mask */
3413 offset = dissect_smb_access_mask(tvb, tree, offset);
/* Dissects the body of a TREE_DISCONNECT request: buffer code and a 2-byte reserved
 * field. The offset advance and the return are on lines this listing omits. */
3419 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3422 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3425 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Dissects the body of a TREE_DISCONNECT response. Status 0 is parsed as a normal
 * response; any other status goes through dissect_smb2_error_response(), which decides
 * whether the reserved field below is still dissected.
 * The offset advance and the final return are on lines this listing omits.
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used below. */
3432 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3434 gboolean continue_dissection;
3436 switch (si->status) {
3438 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3439 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3440 if (!continue_dissection) return offset;
3444 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Dissects the body of a LOGOFF request. Only the buffer code is visible here; the
 * statements for the reserved bytes and the return are on lines this listing omits. */
3451 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3454 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3456 /* reserved bytes */
/* Dissects the body of a LOGOFF response. Status 0 is parsed as a normal response; any
 * other status goes through dissect_smb2_error_response(), which decides whether the
 * reserved field below is still dissected.
 * The offset advance and the final return are on lines this listing omits.
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used below. */
3463 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3465 gboolean continue_dissection;
3467 switch (si->status) {
3469 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3470 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3471 if (!continue_dissection) return offset;
3474 /* reserved bytes */
3475 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Dissects the body of a keepalive request: buffer code and 2 bytes shown as "unknown".
 * The offset advance and the return are on lines this listing omits. */
3482 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3485 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3487 /* some unknown bytes */
3488 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Dissects the body of a keepalive response. Status 0 is parsed as a normal response; any
 * other status goes through dissect_smb2_error_response(), which decides whether the
 * trailing bytes below are still dissected.
 * The offset advance and the final return are on lines this listing omits.
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used below. */
3495 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3497 gboolean continue_dissection;
3499 switch (si->status) {
3501 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3502 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3503 if (!continue_dissection) return offset;
3506 /* some unknown bytes */
3507 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Dissects the body of a CHANGE_NOTIFY request: buffer code, flags (with the watch-tree
 * bit in a subtree), output buffer length, file id, completion filter and a 4-byte
 * reserved field.
 * Offset advances and the return are on lines this listing omits. */
3514 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3516 proto_tree *flags_tree = NULL;
3517 proto_item *flags_item = NULL;
3520 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* The 2-byte flags word is added once as a whole and once more for the watch-tree bit. */
3524 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3525 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
3527 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3530 /* output buffer length */
3531 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* FID_MODE_USE: the file id refers to a handle that is being used, not opened or closed. */
3535 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3537 /* completion filter */
3538 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
3541 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* Display names for the action code of a change-notify entry (values 0x01 to 0x09). */
3547 static const value_string notify_action_vals[] = {
3548 {0x01, "FILE_ACTION_ADDED"},
3549 {0x02, "FILE_ACTION_REMOVED"},
3550 {0x03, "FILE_ACTION_MODIFIED"},
3551 {0x04, "FILE_ACTION_RENAMED_OLD_NAME"},
3552 {0x05, "FILE_ACTION_RENAMED_NEW_NAME"},
3553 {0x06, "FILE_ACTION_ADDED_STREAM"},
3554 {0x07, "FILE_ACTION_REMOVED_STREAM"},
3555 {0x08, "FILE_ACTION_MODIFIED_STREAM"},
3556 {0x09, "FILE_ACTION_REMOVED_BY_DELETE"},
/* Walks the output buffer of a CHANGE_NOTIFY response: a chain of entries, each with a
 * next-entry offset, an action code, a name length and a name. tvb holds only that buffer.
 * next_offset and length are read from the packet.
 * Offset advances, the loop exit and several braces are on lines this listing omits. */
3561 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3563 proto_tree *tree = NULL;
3564 proto_item *item = NULL;
/* Runs only while more than 4 bytes are left in the reported length. */
3567 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3568 guint32 start_offset = offset;
3569 guint32 next_offset;
3573 item = proto_tree_add_item(parent_tree, hf_smb2_notify_info, tvb, offset, -1, ENC_NA);
3574 tree = proto_item_add_subtree(item, ett_smb2_notify_info);
3578 proto_tree_add_item_ret_uint(tree, hf_smb2_notify_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &next_offset);
3581 proto_tree_add_item(tree, hf_smb2_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3584 /* file name length */
3585 proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
3590 const guchar *name = "";
/* bc is set to what is left in the tvb before the name is decoded, so the decode is
 * limited by the remaining data and not only by the length field. */
3593 bc = tvb_reported_length_remaining(tvb, offset);
3594 name = get_unicode_or_ascii_string(tvb, &offset,
3595 TRUE, &length, TRUE, TRUE, &bc);
3597 proto_tree_add_string(tree, hf_smb2_filename,
3598 tvb, offset, length,
/* The jump is relative to the start of this entry and is done in unsigned 32-bit arithmetic.
 * NOTE(review): the directory-info loops in this file flag an offset that moved backwards
 * as malformed; no such test is visible here. The lines before this one are not shown -
 * confirm that next_offset == 0 and a non-advancing or wrapped offset end the loop. */
3609 offset = start_offset+next_offset;
/* Dissects the body of a CHANGE_NOTIFY response: buffer code (or error response), the
 * output buffer offset/length and the buffer itself via dissect_smb2_notify_data_out().
 * STATUS_NOTIFY_ENUM_DIR is handled like success.
 * The return is on a line this listing omits.
 * NOTE(review): pinfo is marked _U_ in the signature but is used below. */
3614 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
3616 offset_length_buffer_t olb;
3617 gboolean continue_dissection;
3619 switch (si->status) {
3620 /* MS-SMB2 3.3.4.4 says STATUS_NOTIFY_ENUM_DIR is not treated as an error */
3621 case 0x0000010c: /* STATUS_NOTIFY_ENUM_DIR */
3622 case 0x00000000: /* buffer code */
3623 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3624 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3625 if (!continue_dissection) return offset;
/* 16-bit offset and 32-bit length, both from the packet; they are resolved by
 * dissect_smb2_olb_buffer() below. */
3628 /* out buffer offset/length */
3629 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
3632 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
3633 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
3638 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
3639 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
3640 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
3641 #define SMB2_FIND_FLAG_REOPEN 0x10
/* Dissects the body of a FIND (query directory) request: buffer code, information level,
 * flags, file index, file id, search-pattern offset/length, output buffer length and the
 * pattern string. On the first pass it saves the information level and a copy of the
 * pattern in si->saved for the response dissector.
 * Offset advances, several braces, the last argument of the final call and the return are
 * on lines this listing omits. */
3644 dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3646 offset_length_buffer_t olb;
3649 static const int *f_fields[] = {
3650 &hf_smb2_find_flags_restart_scans,
3651 &hf_smb2_find_flags_single_entry,
3652 &hf_smb2_find_flags_index_specified,
3653 &hf_smb2_find_flags_reopen,
3658 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3660 il = tvb_get_guint8(tvb, offset);
/* NOTE(review): the line before this store is not shown; the later block tests si->saved
 * before using it - confirm this store is guarded the same way. */
3662 si->saved->infolevel = il;
3666 proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
3670 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
3674 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3678 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3680 /* search pattern offset/length */
3681 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);
3683 /* output buffer length */
3684 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3687 /* search pattern */
3688 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
3690 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* NOTE(review): unlike the tree-connect request, this guard does not test buf before it
 * is formatted with "%s" - confirm dissect_smb2_olb_string() cannot return NULL when
 * olb.len is non-zero. */
3692 if (!pinfo->fd->flags.visited && si->saved && olb.len) {
3693 si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
/* GLib heap allocation (the tree-connect request uses wmem file scope for the same slot),
 * so whoever consumes SMB2_EI_FINDPATTERN has to g_free() it; that code is not shown here.
 * The copy is bounded by the allocated size and NUL-terminated. */
3694 si->saved->extra_info = g_malloc(olb.len+1);
3695 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
/* Packet-supplied text is passed only as an argument to a literal format string. */
3698 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3699 val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
/* Walks a FIND response buffer of chained file-directory-information entries, one subtree
 * per entry. tvb holds only that buffer. next_offset and file_name_len are read from the
 * packet.
 * Declarations of offset, next_offset, file_name_len and bc, the offset advances and the
 * loop exits are on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ in the signature but is used for the expert item below. */
3705 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3708 proto_item *item = NULL;
3709 proto_tree *tree = NULL;
3710 const char *name = NULL;
/* Runs only while more than 4 bytes are left in the reported length. */
3713 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3714 int old_offset = offset;
3719 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
3720 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
/* Distance from the start of this entry to the next one. */
3724 next_offset = tvb_get_letohl(tvb, offset);
3725 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3729 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3733 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3736 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3739 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3742 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3745 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3748 /* allocation size */
3749 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3752 /* File Attributes */
3753 offset = dissect_file_ext_attr(tvb, tree, offset);
3755 /* file name length */
3756 file_name_len = tvb_get_letohl(tvb, offset);
3757 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The name is decoded only for a non-zero length; bc is set on a line not shown. */
3761 if (file_name_len) {
3763 name = get_unicode_or_ascii_string(tvb, &offset,
3764 TRUE, &file_name_len, TRUE, TRUE, &bc);
3766 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3767 offset, file_name_len, name);
3768 proto_item_append_text(item, ": %s", name);
/* Shrink the entry item from "rest of buffer" to the bytes actually consumed. */
3773 proto_item_set_len(item, offset-old_offset);
/* A zero next_offset is tested here; the statement it guards is not shown. */
3775 if (next_offset == 0) {
/* Jump relative to the start of this entry. An offset that ends up before the entry start
 * (for example after wrap on a very large next_offset) is reported as malformed; what
 * follows the expert item is not shown. */
3779 offset = old_offset+next_offset;
3780 if (offset < old_offset) {
3781 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3782 "Invalid offset/length. Malformed packet");
/* Walks a FIND response buffer of chained full-directory-information entries, one subtree
 * per entry. Same layout as the file-directory variant plus a 4-byte EA size after the
 * name length. next_offset and file_name_len are read from the packet.
 * Declarations of offset, next_offset, file_name_len and bc, the offset advances and the
 * loop exits are on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ in the signature but is used for the expert item below. */
3788 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3791 proto_item *item = NULL;
3792 proto_tree *tree = NULL;
3793 const char *name = NULL;
/* Runs only while more than 4 bytes are left in the reported length. */
3796 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3797 int old_offset = offset;
3802 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
3803 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
/* Distance from the start of this entry to the next one. */
3807 next_offset = tvb_get_letohl(tvb, offset);
3808 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3812 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3816 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3819 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3822 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3825 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3828 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3831 /* allocation size */
3832 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3835 /* File Attributes */
3836 offset = dissect_file_ext_attr(tvb, tree, offset);
3838 /* file name length */
3839 file_name_len = tvb_get_letohl(tvb, offset);
3840 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3844 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The name is decoded only for a non-zero length; bc is set on a line not shown. */
3848 if (file_name_len) {
3850 name = get_unicode_or_ascii_string(tvb, &offset,
3851 TRUE, &file_name_len, TRUE, TRUE, &bc);
3853 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3854 offset, file_name_len, name);
3855 proto_item_append_text(item, ": %s", name);
/* Shrink the entry item from "rest of buffer" to the bytes actually consumed. */
3860 proto_item_set_len(item, offset-old_offset);
/* A zero next_offset is tested here; the statement it guards is not shown. */
3862 if (next_offset == 0) {
/* Jump relative to the start of this entry. An offset that ends up before the entry start
 * (for example after wrap on a very large next_offset) is reported as malformed; what
 * follows the expert item is not shown. */
3866 offset = old_offset+next_offset;
3867 if (offset < old_offset) {
3868 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3869 "Invalid offset/length. Malformed packet");
/* Walks a FIND response buffer of chained both-directory-information entries, one subtree
 * per entry. Compared with the full-directory variant each entry also carries a short
 * name (1-byte length, 1 reserved byte, then the name). next_offset, file_name_len and
 * short_name_len are read from the packet.
 * Declarations of offset, next_offset, the length variables and bc, the offset advances
 * and the loop exits are on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ in the signature but is used for the expert item below. */
3875 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3878 proto_item *item = NULL;
3879 proto_tree *tree = NULL;
3880 const char *name = NULL;
/* Runs only while more than 4 bytes are left in the reported length. */
3883 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3884 int old_offset = offset;
3890 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3891 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
/* Distance from the start of this entry to the next one. */
3895 next_offset = tvb_get_letohl(tvb, offset);
3896 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3900 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3904 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3907 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3910 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3913 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3916 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3919 /* allocation size */
3920 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3923 /* File Attributes */
3924 offset = dissect_file_ext_attr(tvb, tree, offset);
3926 /* file name length */
3927 file_name_len = tvb_get_letohl(tvb, offset);
3928 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3932 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3935 /* short name length */
3936 short_name_len = tvb_get_guint8(tvb, offset);
3937 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3941 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
/* For the short name, bc is set to the 1-byte length field just read. */
3945 if (short_name_len) {
3946 bc = short_name_len;
3947 name = get_unicode_or_ascii_string(tvb, &offset,
3948 TRUE, &short_name_len, TRUE, TRUE, &bc);
3950 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3951 offset, short_name_len, name);
/* The long name is decoded only for a non-zero length; bc is set on a line not shown. */
3957 if (file_name_len) {
3959 name = get_unicode_or_ascii_string(tvb, &offset,
3960 TRUE, &file_name_len, TRUE, TRUE, &bc);
3962 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3963 offset, file_name_len, name);
3964 proto_item_append_text(item, ": %s", name);
/* Shrink the entry item from "rest of buffer" to the bytes actually consumed. */
3969 proto_item_set_len(item, offset-old_offset);
/* A zero next_offset is tested here; the statement it guards is not shown. */
3971 if (next_offset == 0) {
/* Jump relative to the start of this entry. An offset that ends up before the entry start
 * (for example after wrap on a very large next_offset) is reported as malformed; what
 * follows the expert item is not shown. */
3975 offset = old_offset+next_offset;
3976 if (offset < old_offset) {
3977 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3978 "Invalid offset/length. Malformed packet");
/* Walks a FIND response buffer of chained file-name-information entries, one subtree per
 * entry: next offset, file index, name length and name. next_offset and file_name_len are
 * read from the packet.
 * Declarations of offset, next_offset, file_name_len and bc, the offset advances and the
 * loop exits are on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ in the signature but is used for the expert item below. */
3984 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3987 proto_item *item = NULL;
3988 proto_tree *tree = NULL;
3989 const char *name = NULL;
/* Runs only while more than 4 bytes are left in the reported length. */
3992 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3993 int old_offset = offset;
/* NOTE(review): the entry is added under hf_smb2_both_directory_info and
 * ett_smb2_both_directory_info, the identifiers of the both-directory-info dissector;
 * this looks like a copy-paste leftover, so these entries would be labelled and
 * filterable as the wrong structure - confirm. */
3998 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3999 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
/* Distance from the start of this entry to the next one. */
4003 next_offset = tvb_get_letohl(tvb, offset);
4004 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4008 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4011 /* file name length */
4012 file_name_len = tvb_get_letohl(tvb, offset);
4013 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The name is decoded only for a non-zero length; bc is set on a line not shown. */
4017 if (file_name_len) {
4019 name = get_unicode_or_ascii_string(tvb, &offset,
4020 TRUE, &file_name_len, TRUE, TRUE, &bc);
4022 proto_tree_add_string(tree, hf_smb2_filename, tvb,
4023 offset, file_name_len, name);
4024 proto_item_append_text(item, ": %s", name);
/* Shrink the entry item from "rest of buffer" to the bytes actually consumed. */
4029 proto_item_set_len(item, offset-old_offset);
/* A zero next_offset is tested here; the statement it guards is not shown. */
4031 if (next_offset == 0) {
/* Jump relative to the start of this entry. An offset that ends up before the entry start
 * (for example after wrap on a very large next_offset) is reported as malformed; what
 * follows the expert item is not shown. */
4035 offset = old_offset+next_offset;
4036 if (offset < old_offset) {
4037 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4038 "Invalid offset/length. Malformed packet");
/* Walks a FIND response buffer of chained id-both-directory-information entries, one
 * subtree per entry. Compared with the both-directory variant each entry also carries
 * 2 reserved bytes and an 8-byte file id before the long name. next_offset,
 * file_name_len and short_name_len are read from the packet.
 * Declarations of offset, next_offset, the length variables and bc, the offset advances
 * and the loop exits are on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ in the signature but is used for the expert item below. */
4044 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
4047 proto_item *item = NULL;
4048 proto_tree *tree = NULL;
4049 const char *name = NULL;
/* Runs only while more than 4 bytes are left in the reported length. */
4052 while (tvb_reported_length_remaining(tvb, offset) > 4) {
4053 int old_offset = offset;
4059 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
4060 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
/* Distance from the start of this entry to the next one. */
4064 next_offset = tvb_get_letohl(tvb, offset);
4065 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4069 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4073 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
4076 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
4079 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
4082 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
4085 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4088 /* allocation size */
4089 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4092 /* File Attributes */
4093 offset = dissect_file_ext_attr(tvb, tree, offset);
4095 /* file name length */
4096 file_name_len = tvb_get_letohl(tvb, offset);
4097 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4101 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4104 /* short name length */
4105 short_name_len = tvb_get_guint8(tvb, offset);
4106 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4110 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
/* For the short name, bc is set to the 1-byte length field just read. */
4114 if (short_name_len) {
4115 bc = short_name_len;
4116 name = get_unicode_or_ascii_string(tvb, &offset,
4117 TRUE, &short_name_len, TRUE, TRUE, &bc);
4119 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
4120 offset, short_name_len, name);
4126 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4130 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The long name is decoded only for a non-zero length; bc is set on a line not shown. */
4134 if (file_name_len) {
4136 name = get_unicode_or_ascii_string(tvb, &offset,
4137 TRUE, &file_name_len, TRUE, TRUE, &bc);
4139 proto_tree_add_string(tree, hf_smb2_filename, tvb,
4140 offset, file_name_len, name);
4141 proto_item_append_text(item, ": %s", name);
/* Shrink the entry item from "rest of buffer" to the bytes actually consumed. */
4146 proto_item_set_len(item, offset-old_offset);
/* A zero next_offset is tested here; the statement it guards is not shown. */
4148 if (next_offset == 0) {
/* Jump relative to the start of this entry. An offset that ends up before the entry start
 * (for example after wrap on a very large next_offset) is reported as malformed; what
 * follows the expert item is not shown. */
4152 offset = old_offset+next_offset;
4153 if (offset < old_offset) {
4154 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4155 "Invalid offset/length. Malformed packet");
/* Walks a FIND response buffer of chained id-full-directory-information entries, one
 * subtree per entry. Compared with the full-directory variant each entry also carries
 * 4 reserved bytes and an 8-byte file id before the name. next_offset and file_name_len
 * are read from the packet.
 * Declarations of offset, next_offset, file_name_len and bc, the offset advances and the
 * loop exits are on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ in the signature but is used for the expert item below. */
4162 static void dissect_smb2_id_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
4165 proto_item *item = NULL;
4166 proto_tree *tree = NULL;
4167 const char *name = NULL;
/* Runs only while more than 4 bytes are left in the reported length. */
4170 while (tvb_reported_length_remaining(tvb, offset) > 4) {
4171 int old_offset = offset;
/* NOTE(review): the entry is added under hf_smb2_id_both_directory_info and
 * ett_smb2_id_both_directory_info, the identifiers of the id-both-directory-info
 * dissector; this looks like a copy-paste leftover, so these entries would be labelled
 * and filterable as the wrong structure - confirm. */
4176 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
4177 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
/* Distance from the start of this entry to the next one. */
4181 next_offset = tvb_get_letohl(tvb, offset);
4182 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4186 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4190 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
4193 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
4196 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
4199 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
4202 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4205 /* allocation size */
4206 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4209 /* File Attributes */
4210 offset = dissect_file_ext_attr(tvb, tree, offset);
4212 /* file name length */
4213 file_name_len = tvb_get_letohl(tvb, offset);
4214 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4218 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4222 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
4226 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The name is decoded only for a non-zero length; bc is set on a line not shown. */
4230 if (file_name_len) {
4232 name = get_unicode_or_ascii_string(tvb, &offset,
4233 TRUE, &file_name_len, TRUE, TRUE, &bc);
4235 proto_tree_add_string(tree, hf_smb2_filename, tvb,
4236 offset, file_name_len, name);
4237 proto_item_append_text(item, ": %s", name);
/* Shrink the entry item from "rest of buffer" to the bytes actually consumed. */
4242 proto_item_set_len(item, offset-old_offset);
/* A zero next_offset is tested here; the statement it guards is not shown. */
4244 if (next_offset == 0) {
/* Jump relative to the start of this entry. An offset that ends up before the entry start
 * (for example after wrap on a very large next_offset) is reported as malformed; what
 * follows the expert item is not shown. */
4248 offset = old_offset+next_offset;
4249 if (offset < old_offset) {
4250 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4251 "Invalid offset/length. Malformed packet");
/*
 * One entry of the find-level dispatch table: the routine that dissects the
 * response data for a given info level. The level member that
 * dissect_smb2_find_data() compares (dis->level) is declared on a line not
 * visible in this listing.
 */
4258 typedef struct _smb2_find_dissector_t {
4260 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
4261 } smb2_find_dissector_t;
/*
 * Info level -> dissector table walked by dissect_smb2_find_data(), which
 * stops at the first entry whose dissector pointer is NULL (the terminating
 * entry is on a line not visible in this listing).
 *
 * NOTE(review): the array is declared without static or const; if nothing
 * outside this file refers to it, "static const" would keep a table of
 * function pointers out of the global namespace and out of writable data.
 */
4263 smb2_find_dissector_t smb2_find_dissectors[] = {
4264 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
4265 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
4266 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
4267 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
4268 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
4269 {SMB2_FIND_ID_FULL_DIRECTORY_INFO,dissect_smb2_id_full_directory_info},
/*
 * Hand the find-response buffer to the dissector registered for the info
 * level saved from the matching request (si->saved->infolevel). The info
 * level is not carried in the response itself, so without saved request
 * state no table entry can match.
 */
4274 dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4276 smb2_find_dissector_t *dis = smb2_find_dissectors;
/* linear scan; the table ends at an entry with a NULL dissector */
4278 while (dis->dissector) {
/* both si and si->saved are checked before the saved level is read */
4279 if (si && si->saved) {
4280 if (dis->level == si->saved->infolevel) {
4281 dis->dissector(tvb, pinfo, tree, si);
/* presumably the fallback when no entry matched: show the whole captured
 * buffer as unknown bytes (the control flow between the loop and this
 * call is not visible in this listing) */
4288 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissect a FIND response: show the info level remembered from the request,
 * append the saved search pattern to the Info column on the first pass,
 * then dissect the buffer code, the offset/length pair of the result blob
 * and the blob itself via dissect_smb2_find_data().
 *
 * NOTE(review): pinfo and si are tagged _U_ in the signature although both
 * are used in the body.
 */
4292 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4294 offset_length_buffer_t olb;
4295 proto_item *item = NULL;
4296 gboolean continue_dissection;
/* NOTE(review): si->saved is dereferenced here, while the branch below
 * tests it for NULL first. The line preceding this one is not visible in
 * this listing; confirm it guards the dereference for responses whose
 * request was not captured. */
4300 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
4301 PROTO_ITEM_SET_GENERATED(item);
/* first pass only: the pattern text goes through a "%s" conversion, so
 * request-supplied characters are never interpreted as a format string */
4304 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
4305 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
4306 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
4307 (const char *)si->saved->extra_info);
/* release the saved pattern and clear both the type and the pointer so the
 * freed buffer cannot be read or freed again later */
4309 g_free(si->saved->extra_info);
4310 si->saved->extra_info_type = SMB2_EI_NONE;
4311 si->saved->extra_info = NULL;
/* a zero status gets the normal layout; any other status is handed to the
 * error-response dissector, which decides whether to continue */
4314 switch (si->status) {
4316 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4317 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4318 if (!continue_dissection) return offset;
4321 /* findinfo offset */
4322 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
/* dissect the blob described by olb with the level-specific dispatcher */
4325 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
4327 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * Dissect one negotiate context under its own "Negotiate Context" subtree:
 * a 2-byte type, a 2-byte data length and 4 reserved bytes, followed by
 * type-specific data (pre-auth integrity capabilities, encryption
 * capabilities, or an opaque blob of data_length bytes).
 *
 * Every count and length used below (hash_count, salt_length, cipher_count,
 * data_length) is read from the packet and is therefore untrusted.
 */
4333 dissect_smb2_negotiate_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4336 const gchar *type_str;
4337 guint32 i, data_length, salt_length, hash_count, cipher_count;
4338 proto_item *sub_item;
4339 proto_tree *sub_tree;
4341 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_negotiate_context_element, &sub_item, "Negotiate Context");
/* NOTE(review): this reads 32 bits although the type field added two lines
 * below is 2 bytes wide. The declaration of type is not visible in this
 * listing; tvb_get_letohs() would match the field width - confirm. */
4344 type = tvb_get_letohl(tvb, offset);
4345 type_str = val_to_str(type, smb2_negotiate_context_types, "Unknown Type: (0x%0x)");
4346 proto_item_append_text(sub_item, ": %s ", type_str);
4347 proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4351 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_negotiate_context_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &data_length);
4355 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* NOTE(review): the two typed branches advance by their own counts and
 * never compare the bytes consumed with data_length, so a context whose
 * declared length disagrees with its content is not flagged. */
4360 case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
4361 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_hash_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &hash_count);
4363 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_salt_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &salt_length);
/* one 2-byte algorithm id per declared entry; there is no explicit bound
 * here, so the loop presumably relies on tvbuff range checks to stop */
4366 for (i = 0; i < hash_count; i++)
4368 proto_tree_add_item(sub_tree, hf_smb2_hash_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4374 proto_tree_add_item(sub_tree, hf_smb2_salt, tvb, offset, salt_length, ENC_NA);
4375 offset += salt_length;
4379 case SMB2_ENCRYPTION_CAPABILITIES:
4380 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_cipher_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &cipher_count);
/* one 2-byte cipher id per declared entry, bounded the same way */
4383 for (i = 0; i < cipher_count; i ++)
4385 proto_tree_add_item(sub_tree, hf_smb2_cipher_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* remaining branch (its label is not visible in this listing): show
 * data_length bytes as unknown and skip them */
4391 proto_tree_add_item(sub_tree, hf_smb2_unknown, tvb, offset, data_length, ENC_NA);
4392 offset += data_length;
/*
 * Dissect a NEGOTIATE request: buffer code, dialect count, security mode,
 * capabilities, client GUID, negotiate context offset and count, the list
 * of offered dialects and finally the negotiate contexts.
 *
 * dc (dialect count), nco (negotiate context offset) and ncc (negotiate
 * context count) are all read from the packet and are untrusted.
 */
4400 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4404 gboolean supports_smb_3_10 = FALSE;
4409 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4412 dc = tvb_get_letohs(tvb, offset);
4413 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4416 /* security mode, skip second byte */
4417 offset = dissect_smb2_secmode(tree, tvb, offset);
4422 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4426 offset = dissect_smb2_capabilities(tree, tvb, offset);
4429 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4432 /* negotiate context offset */
4433 nco = tvb_get_letohl(tvb, offset);
4434 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4437 /* negotiate context count */
4438 ncc = tvb_get_letohs(tvb, offset);
4439 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4443 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* walk the dc offered dialects; supports_smb_3_10 is set inside this loop
 * under a condition on a line not visible in this listing */
4446 for (i = 0 ; i < dc; i++) {
4447 guint16 d = tvb_get_letohs(tvb, offset);
4448 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4452 supports_smb_3_10 = TRUE;
4456 if (!supports_smb_3_10) {
/* tmp is built from the constants 0x40 and 36 plus two bytes per dialect
 * (presumably header + fixed request part - confirm) */
4461 guint32 tmp = 0x40 + 36 + dc * 2;
/* NOTE(review): nco comes from the packet. If nco is smaller than tmp the
 * subtraction wraps and offset moves by a huge amount; the guard, if any,
 * is on lines not visible in this listing - confirm nco is checked
 * against tmp (and against zero) before this adjustment. */
4464 offset += nco - tmp;
/* each context starts on an 8-byte boundary, hence the round-up */
4470 for (i = 0; i < ncc; i++) {
4471 offset = (offset + 7) & ~7;
4472 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissect a NEGOTIATE response: security mode, selected dialect, negotiate
 * context count, server GUID, capabilities, the max transact/read/write
 * sizes, server and boot times, the security blob, and finally the
 * negotiate contexts located through the negotiate context offset.
 *
 * NOTE(review): si is tagged _U_ in the signature although si->status is
 * read in the body.
 */
4479 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4481 offset_length_buffer_t s_olb;
4486 gboolean continue_dissection;
/* a zero status gets the normal layout; any other status is handed to the
 * error-response dissector, which decides whether to continue */
4488 switch (si->status) {
4490 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4491 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4492 if (!continue_dissection) return offset;
4495 /* security mode, skip second byte */
4496 offset = dissect_smb2_secmode(tree, tvb, offset);
4499 /* dialect picked */
4500 d = tvb_get_letohs(tvb, offset);
4501 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4504 /* negotiate context count */
4505 ncc = tvb_get_letohs(tvb, offset);
4506 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4510 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4514 offset = dissect_smb2_capabilities(tree, tvb, offset);
4516 /* max trans size */
4517 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4521 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4524 /* max write size */
4525 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* the returned offsets of the two time helpers are not used here */
4529 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_current_time);
4533 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
4536 /* security blob offset/length */
4537 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
4539 /* the security blob itself */
4540 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
4542 /* negotiate context offset */
4543 nco = tvb_get_letohl(tvb, offset);
4544 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4547 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/* tmp is built from the constants 0x40 and 64 plus the security blob
 * length (presumably header + fixed response part - confirm) */
4554 guint32 tmp = 0x40 + 64 + s_olb.len;
/* NOTE(review): nco and s_olb.len both come from the packet. If nco is
 * smaller than tmp the subtraction wraps; the guard, if any, is on lines
 * not visible in this listing - confirm before relying on this offset. */
4557 offset += nco - tmp;
/* each context starts on an 8-byte boundary, hence the round-up */
4563 for (i = 0; i < ncc; i++) {
4564 offset = (offset + 7) & ~7;
4565 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissect the "additional information" and flags fields of a GETINFO
 * request. For the security class the additional information is decoded as
 * a security information mask; otherwise it is shown as a raw 4-byte value.
 *
 * NOTE(review): si->saved is dereferenced without a check in this function;
 * the caller has to guarantee it is non-NULL (the caller's guard is not
 * visible in this listing - confirm).
 */
4572 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
4574 /* Additional Info */
4575 switch (si->saved->smb2_class) {
4576 case SMB2_CLASS_SEC_INFO:
4577 dissect_security_information_mask(tvb, tree, offset);
4580 proto_tree_add_item(tree, hf_smb2_getinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4585 proto_tree_add_item(tree, hf_smb2_getinfo_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect the SMB2_QUERY_QUOTA_INFO input buffer of a quota GETINFO request
 * under its own subtree: the single/restart flags, reserved bytes, SID list
 * length, start SID length and start SID offset, followed by either the SID
 * list or the start SID.
 */
4593 dissect_smb2_getinfo_buffer_quota(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4595 guint32 sidlist_len = 0;
4596 guint32 startsid_len = 0;
4597 guint32 startsid_offset = 0;
4599 proto_item *item = NULL;
4600 proto_tree *tree = NULL;
4603 item = proto_tree_add_item(parent_tree, hf_smb2_query_quota_info, tvb, offset, -1, ENC_NA);
4604 tree = proto_item_add_subtree(item, ett_smb2_query_quota_info);
4607 proto_tree_add_item(tree, hf_smb2_qq_single, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4610 proto_tree_add_item(tree, hf_smb2_qq_restart, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4614 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* the three values below are request-supplied and untrusted */
4617 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_sidlist_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &sidlist_len);
4620 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_len);
4623 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_offset);
/* a non-empty SID list takes precedence over a start SID */
4626 if (sidlist_len != 0) {
4627 offset = dissect_nt_get_user_quota(tvb, tree, offset, &sidlist_len);
4628 } else if (startsid_len != 0) {
/* NOTE(review): startsid_offset is an unchecked 32-bit value added to an
 * int offset, and startsid_len is only tested for non-zero. The sum can
 * exceed the int range before dissect_nt_sid() sees it; validating the
 * offset against the remaining buffer length first would be safer. */
4629 offset = dissect_nt_sid(tvb, offset + startsid_offset, tree, "Start SID", NULL, -1);
/*
 * Show the info class and info level of a GETINFO/SETINFO style message.
 * For a response both values are taken from the state saved with the
 * request and the resulting items are marked as generated; for a request
 * they are read from the packet (one byte each) and stored in si->saved.
 * The class selects the header field and value-string table used to
 * display the level.
 *
 * NOTE(review): si->saved is read and written here; the checks that it is
 * non-NULL are on lines not visible in this listing - confirm both paths
 * are guarded for conversations whose request was not captured.
 */
4636 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
4641 value_string_ext *vsx;
4643 if (si->flags & SMB2_FLAGS_RESPONSE) {
/* response: class and level come from the saved request state */
4647 cl = si->saved->smb2_class;
4648 il = si->saved->infolevel;
/* request: class and level are the two bytes at offset and offset+1 */
4650 cl = tvb_get_guint8(tvb, offset);
4651 il = tvb_get_guint8(tvb, offset+1);
/* remember them so the response can be decoded */
4653 si->saved->smb2_class = cl;
4654 si->saved->infolevel = il;
4660 case SMB2_CLASS_FILE_INFO:
4661 hfindex = hf_smb2_infolevel_file_info;
4662 vsx = &smb2_file_info_levels_ext;
4664 case SMB2_CLASS_FS_INFO:
4665 hfindex = hf_smb2_infolevel_fs_info;
4666 vsx = &smb2_fs_info_levels_ext;
4668 case SMB2_CLASS_SEC_INFO:
4669 hfindex = hf_smb2_infolevel_sec_info;
4670 vsx = &smb2_sec_info_levels_ext;
4672 case SMB2_CLASS_QUOTA_INFO:
4673 /* infolevel is not being used for quota */
4674 hfindex = hf_smb2_infolevel;
4677 case SMB2_CLASS_POSIX_INFO:
4678 hfindex = hf_smb2_infolevel_posix_info;
4679 vsx = &smb2_posix_info_levels_ext;
4682 hfindex = hf_smb2_infolevel;
4683 vsx = NULL; /* allowed arg to val_to_str_ext() */
/* in a response these items do not correspond to packet bytes, so they are
 * flagged as generated */
4688 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
4689 if (si->flags & SMB2_FLAGS_RESPONSE) {
4690 PROTO_ITEM_SET_GENERATED(item);
4693 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
4694 if (si->flags & SMB2_FLAGS_RESPONSE) {
4695 PROTO_ITEM_SET_GENERATED(item);
4699 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
4700 /* Only update COL_INFO for requests. It clutters the
4701 * display a bit too much if we do it for replies
4704 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
4705 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
4706 val_to_str_ext(il, vsx, "(Level:0x%02x)"));
/*
 * Dissect a GETINFO (QUERY_INFO) request: buffer code, class and info
 * level, max response size, input buffer offset and size, the additional
 * parameters, the file id and, when present, the input buffer.
 *
 * getinfo_offset and getinfo_size are request-supplied. For the two request
 * types that carry an input buffer the function flags an offset that lies
 * inside the fixed part of the message, and an offset+size that wraps or
 * runs past the reported length of the tvbuff, using expert info attached
 * to the offset item.
 *
 * NOTE(review): the lines following each expert_add_info() call are not
 * visible in this listing. Both values are used again further down to
 * locate the buffer, so confirm that dissection stops once either check
 * has failed.
 */
4713 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4715 guint32 getinfo_size = 0;
4716 guint32 getinfo_offset = 0;
4717 proto_item *offset_item;
4720 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4722 /* class and info level */
4723 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
4725 /* max response size */
4726 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4730 offset_item = proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN, &getinfo_offset);
4734 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4738 proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &getinfo_size);
4743 offset = dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
4745 /* some unknown bytes */
4746 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 8, ENC_NA);
4751 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4755 if (getinfo_size != 0) {
4757 * 2.2.37 says "For quota requests, this MUST be
4758 * the length of the contained SMB2_QUERY_QUOTA_INFO
4759 * embedded in the request. For FileFullEaInformation
4760 * requests, this MUST be set to the length of the
4761 * user supplied EA list specified in [MS-FSCC]
4762 * section 2.4.15.1. For other information queries,
4763 * this field SHOULD be set to 0 and the server MUST
4764 * ignore it on receipt.
4766 * This seems to imply that, for requests other
4767 * than those two types, we should either completely
4768 * ignore a non-zero getinfo_size or should, at
4769 * most, add a warning-level expert info at the
4770 * protocol level saying that it should be zero,
4771 * but not try and interpret it or check its
4774 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO ||
4775 (si->saved->smb2_class == SMB2_CLASS_FILE_INFO &&
4776 si->saved->infolevel == SMB2_FILE_FULL_EA_INFO)) {
4778 * According to 2.2.37 SMB2 QUERY_INFO
4779 * Request in the current MS-SMB2 spec,
4780 * these are the only info requests that
4781 * have an input buffer.
4785 * Make sure that the input buffer is after
4786 * the fixed-length part of the message.
4788 if (getinfo_offset < (guint)offset) {
4789 expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_offset);
4794 * Make sure the input buffer is within the
4795 * message, i.e. that it's within the tvbuff.
4797 * We check for offset+length overflowing and
4798 * for offset+length being beyond the reported
4799 * length of the tvbuff.
4801 if (getinfo_offset + getinfo_size < getinfo_offset ||
4802 getinfo_offset + getinfo_size > tvb_reported_length(tvb)) {
4803 expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_size);
4807 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO) {
4808 dissect_smb2_getinfo_buffer_quota(tvb, pinfo, tree, getinfo_offset, si);
4811 * XXX - handle user supplied EA info.
4813 proto_tree_add_item(tree, hf_smb2_unknown, tvb, getinfo_offset, getinfo_size, ENC_NA);
4815 offset = getinfo_offset + getinfo_size;
4819 * The buffer size is 0, meaning it's not present.
4821 * 2.2.37 says "For FileFullEaInformation requests,
4822 * the input buffer MUST contain the user supplied
4823 * EA list with zero or more FILE_GET_EA_INFORMATION
4824 * structures, specified in [MS-FSCC] section
4825 * 2.4.15.1.", so it seems that, for a "get full
4826 * EA information" request, the size can be zero -
4827 * there's no other obvious way for the list to
4828 * have zero structures.
4830 * 2.2.37 also says "For quota requests, the input
4831 * buffer MUST contain an SMB2_QUERY_QUOTA_INFO,
4832 * as specified in section 2.2.37.1."; that seems
4833 * to imply that the input buffer must not be empty
4836 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO)
4837 expert_add_info(pinfo, offset_item, &ei_smb2_empty_getinfo_buffer);
/*
 * Dispatch an information buffer to the dissector for the given class and
 * info level. Levels (and classes) without a dedicated dissector are shown
 * as unknown bytes covering the rest of the captured buffer. When the
 * status is 0x80000005 (BUFFER_OVERFLOW, per the comment near the end) a
 * generated "truncated" item is added at the buffer's starting offset.
 *
 * NOTE(review): pinfo is tagged _U_ in the signature although it is passed
 * on to every sub-dissector.
 */
4845 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, guint8 smb2_class, guint8 infolevel)
/* remembered so the truncation marker can point at the buffer start */
4847 int old_offset = offset;
4849 switch (smb2_class) {
4850 case SMB2_CLASS_FILE_INFO:
4851 switch (infolevel) {
4852 case SMB2_FILE_BASIC_INFO:
4853 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
4855 case SMB2_FILE_STANDARD_INFO:
4856 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
4858 case SMB2_FILE_INTERNAL_INFO:
4859 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
4861 case SMB2_FILE_EA_INFO:
4862 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
4864 case SMB2_FILE_ACCESS_INFO:
4865 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
4867 case SMB2_FILE_RENAME_INFO:
4868 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
4870 case SMB2_FILE_DISPOSITION_INFO:
4871 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
4873 case SMB2_FILE_POSITION_INFO:
4874 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
4876 case SMB2_FILE_FULL_EA_INFO:
4877 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
4879 case SMB2_FILE_MODE_INFO:
4880 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
4882 case SMB2_FILE_ALIGNMENT_INFO:
4883 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
4885 case SMB2_FILE_ALL_INFO:
4886 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
4888 case SMB2_FILE_ALLOCATION_INFO:
4889 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
4891 case SMB2_FILE_ENDOFFILE_INFO:
/* NOTE(review): unlike every sibling case, the helper's return value is
 * dropped here, so offset is not advanced past this structure. Looks
 * like a missing "offset =" - confirm against the helper's signature. */
4892 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
4894 case SMB2_FILE_ALTERNATE_NAME_INFO:
4895 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
4897 case SMB2_FILE_STREAM_INFO:
4898 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
4900 case SMB2_FILE_PIPE_INFO:
4901 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
4903 case SMB2_FILE_COMPRESSION_INFO:
4904 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
4906 case SMB2_FILE_NETWORK_OPEN_INFO:
4907 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
4909 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
4910 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
4913 /* we don't handle this infolevel yet */
4914 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4915 offset += tvb_captured_length_remaining(tvb, offset);
4918 case SMB2_CLASS_FS_INFO:
4919 switch (infolevel) {
4920 case SMB2_FS_INFO_01:
4921 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
4923 case SMB2_FS_INFO_03:
4924 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
4926 case SMB2_FS_INFO_04:
4927 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
4929 case SMB2_FS_INFO_05:
4930 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
4932 case SMB2_FS_INFO_06:
4933 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
4935 case SMB2_FS_INFO_07:
4936 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
4938 case SMB2_FS_OBJECTID_INFO:
4939 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
4942 /* we don't handle this infolevel yet */
4943 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4944 offset += tvb_captured_length_remaining(tvb, offset);
4947 case SMB2_CLASS_SEC_INFO:
4948 switch (infolevel) {
4949 case SMB2_SEC_INFO_00:
4950 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
4953 /* we don't handle this infolevel yet */
4954 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4955 offset += tvb_captured_length_remaining(tvb, offset);
4958 case SMB2_CLASS_QUOTA_INFO:
4959 offset = dissect_smb2_quota_info(tvb, pinfo, tree, offset, si);
4962 /* we don't handle this class yet */
4963 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4964 offset += tvb_captured_length_remaining(tvb, offset);
4967 /* if we get BUFFER_OVERFLOW there will be truncated data */
4968 if (si->status == 0x80000005) {
/* zero-length generated item: a marker only, it covers no packet bytes */
4970 item = proto_tree_add_item(tree, hf_smb2_truncated, tvb, old_offset, 0, ENC_NA);
4971 PROTO_ITEM_SET_GENERATED(item);
/*
 * Buffer callback for GETINFO responses: dissect the response buffer from
 * offset 0 according to the class and info level saved with the request.
 *
 * NOTE(review): si->saved is dereferenced in the call below. The condition
 * choosing between that call and the "unknown bytes" fallback is on lines
 * not visible in this listing - confirm it tests si->saved.
 */
4977 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4981 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
4983 /* some unknown bytes */
4984 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissect a GETINFO response: show the class/info level (taken from the
 * saved request), handle the status-specific layouts, then dissect the
 * response buffer located by its offset/length pair.
 */
4991 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4993 offset_length_buffer_t olb;
4994 gboolean continue_dissection;
4996 /* class/infolevel */
/* the returned offset is not used: for a response the class and level
 * are generated from saved state rather than read from the packet */
4997 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
4999 switch (si->status) {
5001 /* if we get BUFFER_OVERFLOW there will be truncated data */
5003 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
5004 * a guint32 specifying how big the buffer needs to be
5007 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5010 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5011 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
5012 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5016 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5017 if (!continue_dissection) return offset;
5020 /* response buffer offset and size */
5021 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
/* the buffer itself is decoded by dissect_smb2_getinfo_response_data() */
5024 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
/*
 * Dissect a CLOSE request: buffer code, the 2-byte close flags (with the
 * hf_smb2_close_pq_attrib bit in a subtree) and the file id. The file id is
 * processed in FID_MODE_CLOSE.
 */
5030 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5032 proto_tree *flags_tree = NULL;
5033 proto_item *flags_item = NULL;
5036 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* close flags: the raw 2-byte field plus its decoded bit underneath */
5040 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5041 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
5043 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5050 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
/*
 * Dissect a CLOSE response: close flags, reserved bytes, the four file
 * timestamps, allocation size, end of file and the file attributes.
 *
 * NOTE(review): pinfo and si are tagged _U_ in the signature although both
 * are used in the body.
 */
5056 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5058 proto_tree *flags_tree = NULL;
5059 proto_item *flags_item = NULL;
5060 gboolean continue_dissection;
/* a zero status gets the normal layout; any other status is handed to the
 * error-response dissector, which decides whether to continue */
5062 switch (si->status) {
5064 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5065 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5066 if (!continue_dissection) return offset;
/* close flags: the raw 2-byte field plus its decoded bit underneath */
5071 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5072 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
5074 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5078 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* create, last access, last write and last change times, in that order */
5082 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
5085 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
5088 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
5091 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
5093 /* allocation size */
5094 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5098 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5101 /* File Attributes */
5102 offset = dissect_file_ext_attr(tvb, tree, offset);
/*
 * Dissect a FLUSH request: buffer code, 6 bytes shown as unknown, and the
 * file id (looked up with FID_MODE_USE).
 */
5108 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5111 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5113 /* some unknown bytes */
5114 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
5118 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dissect a FLUSH response: buffer code (or the error response for a
 * non-zero status) followed by 2 bytes shown as unknown.
 *
 * NOTE(review): pinfo and si are tagged _U_ in the signature although both
 * are used in the body.
 */
5124 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5126 gboolean continue_dissection;
/* a zero status gets the normal layout; any other status is handed to the
 * error-response dissector, which decides whether to continue */
5128 switch (si->status) {
5130 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5131 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5132 if (!continue_dissection) return offset;
5135 /* some unknown bytes */
5136 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect a LOCK request: buffer code, lock count, reserved bytes, file id
 * and then one 24-byte lock element per declared lock (file offset, length,
 * flags bitmask, reserved).
 */
5144 dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5149 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* lock_count is request-supplied and drives the loop below */
5152 lock_count = tvb_get_letohs(tvb, offset);
5153 proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5157 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5161 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* one iteration per declared lock; there is no explicit bound other than
 * the count, so a count larger than the data presumably ends in a tvbuff
 * range error */
5163 while (lock_count--) {
5164 proto_item *lock_item = NULL;
5165 proto_tree *lock_tree = NULL;
5166 static const int *lf_fields[] = {
5167 &hf_smb2_lock_flags_shared,
5168 &hf_smb2_lock_flags_exclusive,
5169 &hf_smb2_lock_flags_unlock,
5170 &hf_smb2_lock_flags_fail_immediately,
5175 lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
5176 lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
/* NOTE(review): the file offset is attached to tree while the length,
 * flags and reserved fields of the same element go to lock_tree, so it
 * is displayed outside its lock element. Looks like it should use
 * lock_tree as well - confirm. */
5180 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5184 proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5188 proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
5192 proto_tree_add_item(lock_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect a LOCK response: buffer code (or the error response for a
 * non-zero status) followed by 2 bytes shown as unknown.
 *
 * NOTE(review): pinfo and si are tagged _U_ in the signature although both
 * are used in the body.
 */
5200 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5202 gboolean continue_dissection;
/* a zero status gets the normal layout; any other status is handed to the
 * error-response dissector, which decides whether to continue */
5204 switch (si->status) {
5206 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5207 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5208 if (!continue_dissection) return offset;
5211 /* some unknown bytes */
5212 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect a CANCEL request: buffer code followed by 2 bytes shown as
 * unknown. Neither pinfo nor si is used by the visible lines.
 */
5218 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5221 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5223 /* some unknown bytes */
5224 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Pick the file info record to associate with a named-pipe PDU: si->file is
 * tested first, and si->saved->file is used when si->file is NULL and saved
 * request state exists. Presumably returns the chosen pointer, which stays
 * NULL when neither is available (the return statement is not visible in
 * this listing).
 *
 * NOTE(review): dissect_file_data_smb2_pipe() documents that si can be NULL
 * for some callers; the NULL test that must precede the si->file access is
 * on lines not visible in this listing - confirm it is present.
 */
5230 static const smb2_fid_info_t *
5231 smb2_pipe_get_fid_info(const smb2_info_t *si)
5233 smb2_fid_info_t *file = NULL;
5238 if (si->file != NULL) {
5240 } else if (si->saved != NULL) {
5241 file = si->saved->file;
/*
 * Give the DCE/RPC dissector a per-file transport salt for this packet. The
 * salt is derived from the address of the file info record returned by
 * smb2_pipe_get_fid_info(), not from the file id bytes on the wire.
 *
 * NOTE(review): a pointer-derived value is only unique while the record is
 * alive, and GPOINTER_TO_UINT() may not keep every bit of a 64-bit pointer.
 * Presumably acceptable for keying conversations within one capture, but
 * confirm that a collision cannot mix up reassembly state between pipes.
 */
5251 smb2_pipe_set_file_id(packet_info *pinfo, smb2_info_t *si)
5254 const smb2_fid_info_t *file = NULL;
5256 file = smb2_pipe_get_fid_info(si);
5261 persistent = GPOINTER_TO_UINT(file);
5263 dcerpc_set_transport_salt(persistent, pinfo);
/* When TRUE, and the whole payload was captured, dissect_file_data_smb2_pipe()
 * offers desegmentation to the named-pipe sub-dissectors. */
5266 static gboolean smb2_pipe_reassembly = TRUE;
/* Fragment store used by dissect_file_data_smb2_pipe() for named-pipe PDUs
 * that span several reads/writes; fragments are keyed by an id derived from
 * the file info pointer. */
5267 static reassembly_table smb2_pipe_reassembly_table;
5270 dissect_file_data_smb2_pipe(tvbuff_t *raw_tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree, void *data)
5273 * Note: si is NULL for some callers from packet-smb.c
5275 const smb2_info_t *si = (const smb2_info_t *)data;
5277 gboolean save_fragmented;
5280 const smb2_fid_info_t *file = NULL;
5282 fragment_head *fd_head;
5285 proto_item *frag_tree_item;
5286 heur_dtbl_entry_t *hdtbl_entry;
5288 file = smb2_pipe_get_fid_info(si);
5289 id = (guint32)(GPOINTER_TO_UINT(file) & G_MAXUINT32);
5291 remaining = tvb_captured_length_remaining(raw_tvb, offset);
5293 tvb = tvb_new_subset_length_caplen(raw_tvb, offset,
5294 MIN((int)datalen, remaining),
5298 * Offer desegmentation service to Named Pipe subdissectors (e.g. DCERPC)
5299 * if we have all the data. Otherwise, reassembly is (probably) impossible.
5301 pinfo->can_desegment = 0;
5302 pinfo->desegment_offset = 0;
5303 pinfo->desegment_len = 0;
5304 reported_len = tvb_reported_length(tvb);
5305 if (smb2_pipe_reassembly && tvb_captured_length(tvb) >= reported_len) {
5306 pinfo->can_desegment = 2;
5309 save_fragmented = pinfo->fragmented;
5312 * if we are not offering desegmentation, just try the heuristics
5315 if (!pinfo->can_desegment) {
5316 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5317 tvb, pinfo, top_tree,
5318 &hdtbl_entry, data);
5319 goto clean_up_and_exit;
5322 /* below this line, we know we are doing reassembly */
5325 * this is a new packet, see if we are already reassembling this
5326 * pdu and if not, check if the dissector wants us
5329 if (!pinfo->fd->flags.visited) {
5331 * This is the first pass.
5333 * Check if we are already reassembling this PDU or not;
5334 * we check for an in-progress reassembly for this FID
5335 * in this direction, by searching for its reassembly
5338 fd_head = fragment_get(&smb2_pipe_reassembly_table,
5342 * No reassembly, so this is a new pdu. check if the
5343 * dissector wants us to reassemble it or if we
5344 * already got the full pdu in this tvb.
5348 * Try the heuristic dissectors and see if we
5349 * find someone that recognizes this payload.
5351 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5352 tvb, pinfo, top_tree,
5353 &hdtbl_entry, data);
5355 /* no this didn't look like something we know */
5357 goto clean_up_and_exit;
5360 /* did the subdissector want us to reassemble any
5363 if (pinfo->desegment_len) {
5364 fragment_add_check(&smb2_pipe_reassembly_table,
5365 tvb, 0, pinfo, id, NULL,
5366 0, reported_len, TRUE);
5367 fragment_set_tot_len(&smb2_pipe_reassembly_table,
5369 pinfo->desegment_len+reported_len);
5371 goto clean_up_and_exit;
5374 /* OK, we're already doing a reassembly for this FID.
5375 skip to last segment in the existing reassembly structure
5376 and add this fragment there
5378 XXX we might add code here to use any offset values
5379 we might pick up from the Read/Write calls instead of
5380 assuming we always get them in the correct order
5382 while (fd_head->next) {
5383 fd_head = fd_head->next;
5385 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
5386 tvb, 0, pinfo, id, NULL,
5387 fd_head->offset+fd_head->len,
5388 reported_len, TRUE);
5390 /* if we completed reassembly */
5392 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
5393 add_new_data_source(pinfo, new_tvb,
5394 "Named Pipe over SMB2");
5395 pinfo->fragmented=FALSE;
5399 /* list what segments we have */
5400 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
5401 tree, pinfo, tvb, &frag_tree_item);
5403 /* dissect the full PDU */
5404 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5405 tvb, pinfo, top_tree,
5406 &hdtbl_entry, data);
5408 goto clean_up_and_exit;
5412 * This is not the first pass; see if it's in the table of
5413 * reassembled packets.
5415 * XXX - we know that several of the arguments aren't going to
5416 * be used, so we pass bogus variables. Can we clean this
5417 * up so that we don't have to distinguish between the first
5418 * pass and subsequent passes?
5420 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
5421 tvb, 0, pinfo, id, NULL, 0, 0, TRUE);
5423 /* we didn't find it, try any of the heuristic dissectors
5426 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5427 tvb, pinfo, top_tree,
5428 &hdtbl_entry, data);
5429 goto clean_up_and_exit;
5431 if (!(fd_head->flags&FD_DEFRAGMENTED)) {
5432 /* we don't have a fully reassembled frame */
5433 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5434 tvb, pinfo, top_tree,
5435 &hdtbl_entry, data);
5436 goto clean_up_and_exit;
5439 /* it is reassembled but it was reassembled in a different frame */
5440 if (pinfo->num != fd_head->reassembled_in) {
5442 item = proto_tree_add_uint(top_tree, hf_smb2_pipe_reassembled_in,
5443 tvb, 0, 0, fd_head->reassembled_in);
5444 PROTO_ITEM_SET_GENERATED(item);
5445 goto clean_up_and_exit;
5448 /* display the reassembled pdu */
5449 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
5450 add_new_data_source(pinfo, new_tvb,
5451 "Named Pipe over SMB2");
5452 pinfo->fragmented = FALSE;
5456 /* list what segments we have */
5457 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
5458 top_tree, pinfo, tvb, &frag_tree_item);
5460 /* dissect the full PDU */
5461 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5462 tvb, pinfo, top_tree,
5463 &hdtbl_entry, data);
5466 /* clear out the variables */
5467 pinfo->can_desegment=0;
5468 pinfo->desegment_offset = 0;
5469 pinfo->desegment_len = 0;
5472 call_data_dissector(tvb, pinfo, top_tree);
5475 pinfo->fragmented = save_fragmented;
/*
 * Values of the 32-bit Channel field. dissect_smb2_write_request uses them
 * as case labels when choosing how to dissect the channel-info blob.
 */
5481 #define SMB2_CHANNEL_NONE 0x00000000
5482 #define SMB2_CHANNEL_RDMA_V1 0x00000001
5483 #define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002
/* Display strings for the channel values above. */
5485 static const value_string smb2_channel_vals[] = {
5486 { SMB2_CHANNEL_NONE, "None" },
5487 { SMB2_CHANNEL_RDMA_V1, "RDMA V1" },
5488 { SMB2_CHANNEL_RDMA_V1_INVALIDATE, "RDMA V1_INVALIDATE" },
/*
 * Dissect a channel-info blob as a list of SMBDirect Buffer Descriptor V1
 * elements. Each element is shown as an 8-byte offset, a 4-byte token and a
 * 4-byte length, all little-endian. The element count is appended to the
 * parent item's text.
 *
 * pinfo and si are marked unused (_U_). The blob arrives as its own tvb, and
 * its reported length is the only size input visible here.
 */
5493 dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
5494 proto_tree *parent_tree, smb2_info_t *si _U_)
5500 proto_tree *sub_tree;
5501 proto_item *parent_item;
5503 parent_item = proto_tree_get_parent(parent_tree);
/* NOTE(review): num is computed from len on lines not shown in this listing;
 * presumably len divided by the 16-byte element size -- confirm. */
5505 len = tvb_reported_length(tvb);
5510 proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
5513 for (i = 0; i < num; i++) {
/* NOTE(review): the subtree is given a length of 8 although the three fields
 * below cover 8 + 4 + 4 bytes; 16 looks like the intended highlight length. */
5514 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 8, ett_smb2_rdma_v1, NULL, "RDMA V1");
5516 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5519 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5522 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Write-through bit of the WRITE request Flags field. */
5527 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
/*
 * Dissect an SMB2 WRITE request. In order: buffer code, data offset, write
 * length, file offset, FID, channel, remaining bytes, channel-info blob
 * offset/length, flags, the channel-info blob itself, then the written data.
 *
 * dataoffset, length, off, channel and the blob offset/length are read
 * straight from the packet and are therefore untrusted. Nothing visible here
 * validates them beyond the tvb accessors' own bounds checks.
 */
5530 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5532 guint16 dataoffset = 0;
5533 guint32 data_tvb_len;
5534 offset_length_buffer_t c_olb;
5538 static const int *f_fields[] = {
5539 &hf_smb2_write_flags_write_through,
5544 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5547 dataoffset=tvb_get_letohs(tvb,offset);
5548 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5552 length = tvb_get_letohl(tvb, offset);
5553 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5557 off = tvb_get_letoh64(tvb, offset);
/* Remember the file offset on the saved request state, when there is one. */
5558 if (si->saved) si->saved->file_offset=off;
5559 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): length is filled from tvb_get_letohl() and later compared
 * with guint32 values, so it is presumably unsigned; "%d" would then show
 * values above INT_MAX as negative. Confirm the declaration and prefer "%u". */
5562 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", length, off);
5565 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5568 channel = tvb_get_letohl(tvb, offset);
5569 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5572 /* remaining bytes */
5573 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5576 /* write channel info blob offset/length */
5577 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
5580 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
5583 /* the write channel info blob itself */
/* RDMA channels get the descriptor-list dissector; the other case passes
 * NULL as the blob callback. */
5585 case SMB2_CHANNEL_RDMA_V1:
5586 case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
5587 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
5589 case SMB2_CHANNEL_NONE:
5591 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
/* Number of payload bytes actually captured; compared with the declared
 * write length before the export-object tap is fed. */
5595 data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);
5597 /* data or namedpipe ?*/
/* The condition selecting the pipe path is on a line not shown here. An
 * unchanged offset after the call means the pipe dissector consumed nothing. */
5599 int oldoffset = offset;
5600 smb2_pipe_set_file_id(pinfo, si);
5601 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
5602 if (offset != oldoffset) {
5603 /* managed to dissect pipe data */
5608 /* just ordinary data */
/* The item length is the wire-supplied write length; the offset advance on
 * the next line is capped at the bytes that were really captured. */
5609 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
5611 offset += MIN(length,(guint32)tvb_captured_length_remaining(tvb, offset));
5613 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
/* Feed the export-object tap only when the whole write payload was captured. */
5616 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
5617 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
5618 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
/*
 * Dissect an SMB2 WRITE response. Status 0 is dissected as a normal
 * response starting with the buffer code. Any other status goes through
 * dissect_smb2_error_response(), and dissection stops there unless that
 * helper sets continue_dissection.
 *
 * NOTE(review): pinfo and si carry the _U_ (unused) marker but are both used
 * below (si->status, and both are passed to the error-response dissector).
 * The marker is harmless but misleading.
 */
5627 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5629 gboolean continue_dissection;
5631 switch (si->status) {
5633 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5634 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5635 if (!continue_dissection) return offset;
/* 2 reserved bytes, then the 4-byte count of bytes written. */
5639 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5643 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5646 /* remaining, must be set to 0 */
5647 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5650 /* write channel info offset */
5651 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5654 /* write channel info length */
5655 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5661 /* The STORAGE_OFFLOAD_TOKEN is used for "Offload Data Transfer" (ODX) operations,
5662 including FSCTL_OFFLOAD_READ, FSCTL_OFFLOAD_WRITE. Ref: MS-FSCC 2.3.79
5663 Note: Unlike most of SMB2, the token fields are BIG-endian! */
/*
 * Layout as dissected here: a 512-byte "Token" subtree holding a 4-byte
 * token type, 2 reserved bytes, a 2-byte token id length, then the token id
 * bytes. The token type is also appended to the subtree's label.
 */
5665 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
5667 proto_tree *sub_tree;
5668 proto_item *sub_item;
5672 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 512, ett_smb2_fsctl_odx_token, &sub_item, "Token");
5674 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_type, tvb, offset, 4, ENC_BIG_ENDIAN, &idtype);
5677 proto_item_append_text(sub_item, " (IdType 0x%x)", idtype);
5680 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5684 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_idlen, tvb, offset, 2, ENC_BIG_ENDIAN, &idlen);
5687 /* idlen is what the server says is the "meaningful" part of the token.
5688 However, token ID is always 504 bytes */
/* NOTE(review): idlen is a peer-supplied 16-bit value and is used unclamped
 * as the item length. A value above 504 would make the "Opaque Data" item
 * extend past the fixed-size token, or fail the tvb bounds check. Consider
 * capping it at 504 and flagging larger values as malformed. */
5689 proto_tree_add_bytes_format_value(sub_tree, hf_smb2_fsctl_odx_token_idraw, tvb,
5690 offset, idlen, NULL, "Opaque Data");
5696 /* MS-FSCC 2.3.77, 2.3.78 */
/*
 * Dissect FSCTL_OFFLOAD_READ data: size, flags, token time-to-live, reserved,
 * file offset, copy length, transfer length (all little-endian), followed by
 * a STORAGE_OFFLOAD_TOKEN.
 *
 * NOTE(review): the rest of the parameter list, and whatever separates the
 * request fields from the response fields, are on lines not shown in this
 * listing.
 */
5698 dissect_smb2_FSCTL_OFFLOAD_READ(tvbuff_t *tvb,
5699 packet_info *pinfo _U_,
5704 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5707 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5711 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5714 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5717 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5720 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5723 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The token is the last field here, so its returned offset is deliberately
 * discarded with the (void) cast. */
5726 (void) dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
5730 /* MS-FSCC 2.3.80, 2.3.81 */
/*
 * Dissect FSCTL_OFFLOAD_WRITE data: size, flags, file offset, copy length,
 * token offset (all little-endian), a STORAGE_OFFLOAD_TOKEN, and a transfer
 * length.
 *
 * NOTE(review): the rest of the parameter list, and whatever separates the
 * request fields from the response fields, are on lines not shown in this
 * listing.
 */
5732 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvbuff_t *tvb,
5733 packet_info *pinfo _U_,
5738 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5741 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5745 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5748 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5751 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): the call's return value is not assigned on this line, unlike
 * the "(void)" call in the OFFLOAD_READ dissector. Check that the line after
 * it advances offset past the token. */
5754 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
5757 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_PIPE_TRANSCEIVE: hand everything from offset to the end of the
 * captured data to the named-pipe payload dissector. data_in is unused, so
 * both directions are handled the same way.
 */
5763 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, gboolean data_in _U_, void *data)
/* The length passed is the captured remainder, not a length field from the packet. */
5765 dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, tvb_captured_length_remaining(tvb, offset), top_tree, data);
/*
 * Dissect an FSCTL_PIPE_WAIT request. Offsets relative to the start of the
 * data: a 2-byte name length at +8, a 1-byte "timeout specified" flag at +12
 * and the pipe name at +14. The name is appended to the Info column and
 * added to top_tree. tree and data_in are unused.
 */
5769 dissect_smb2_FSCTL_PIPE_WAIT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, proto_tree *top_tree, gboolean data_in _U_)
5771 guint8 timeout_specified = tvb_get_guint8(tvb, offset + 12);
/* Only 16 bits are read for the length, although it is stored in a guint32. */
5772 guint32 name_len = tvb_get_letohs(tvb, offset + 8);
5774 int off = offset + 14;
/* NOTE(review): the remaining-length result is narrowed to guint16, so
 * anything above 65535 wraps. Confirm this byte count is only a hint for
 * the string reader. */
5775 guint16 bc = tvb_captured_length_remaining(tvb, off);
/* Throws unless name_len bytes are really present at off, so a peer-supplied
 * length cannot make the string item point past the data. */
5779 tvb_ensure_bytes_exist(tvb, off, name_len);
5781 name = get_unicode_or_ascii_string(tvb, &off, TRUE, &len, TRUE, TRUE, &bc);
5786 col_append_fstr(pinfo->cinfo, COL_INFO, " Pipe: %s", name);
5789 proto_tree_add_string(top_tree, hf_smb2_fsctl_pipe_wait_name, tvb, offset + 14, name_len, name);
5790 if (timeout_specified) {
/* NOTE(review): the timeout item is anchored at tvb offset 0, not at the
 * `offset` parameter every other field here is relative to. If offset can be
 * non-zero, the wrong 8 bytes are displayed -- confirm against the caller. */
5791 proto_tree_add_item(top_tree, hf_smb2_fsctl_pipe_wait_timeout, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SET_SPARSE data: a single optional 1-byte sparse flag.
 * Response data is empty. The data_in test that skips it is presumably on a
 * line not shown here.
 */
5797 dissect_smb2_FSCTL_SET_SPARSE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5800 /* There is no out data */
5805 /* sparse flag (optional) */
/* The flag may be absent, so it is only added when a byte actually remains. */
5806 if (tvb_reported_length_remaining(tvb, offset) >= 1) {
5807 proto_tree_add_item(tree, hf_smb2_fsctl_sparse_flag, tvb, offset, 1, ENC_NA);
/*
 * Dissect FSCTL_SET_ZERO_DATA request data: one 16-byte "Range" made of an
 * 8-byte offset and an 8-byte length, both little-endian. Response data is
 * empty.
 */
5815 dissect_smb2_FSCTL_SET_ZERO_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5817 proto_tree *sub_tree;
5818 proto_item *sub_item;
5820 /* There is no out data */
5825 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5827 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5830 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_ALLOCATED_RANGES data. One form is a single 16-byte
 * range (8-byte offset, 8-byte length); the other is a list of such ranges,
 * read for as long as at least 16 bytes remain.
 *
 * NOTE(review): tvb, tree and offset carry the _U_ (unused) marker but are
 * all used below.
 */
5837 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
5839 proto_tree *sub_tree;
5840 proto_item *sub_item;
5843 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5845 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5848 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5851 /* Zero or more allocated ranges may be reported. */
/* The loop is bounded by the buffer's reported length rather than by a count
 * field, so it cannot run past the data provided offset advances by 16 per
 * pass (those lines are not shown). */
5852 while (tvb_reported_length_remaining(tvb, offset) >= 16) {
5854 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5856 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5859 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_FILE_REGIONS data. One form is a single region
 * descriptor: 8-byte file offset, 8-byte length, 4-byte usage, 4 reserved
 * bytes. The other form is a header (flags, total entry count, entry count,
 * reserved) followed by entries that each have the same 24-byte layout.
 *
 * NOTE(review): tvb, tree and offset carry the _U_ (unused) marker but are
 * all used below.
 */
5867 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
5871 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5874 proto_tree_add_item(tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5877 proto_tree_add_item(tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5880 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5883 guint32 entry_count = 0;
5885 proto_tree_add_item(tree, hf_smb2_qfr_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5888 proto_tree_add_item(tree, hf_smb2_qfr_total_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5891 proto_tree_add_item_ret_uint(tree, hf_smb2_qfr_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &entry_count);
5894 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* entry_count is peer-supplied, so the loop also stops once no bytes remain.
 * NOTE(review): the guard only requires a non-zero remainder, not a full
 * 24-byte entry as the COPYCHUNK loop does. A truncated final entry is left
 * to the tvb bounds check. The decrement of entry_count is on a line not
 * shown here. */
5897 while (entry_count && tvb_reported_length_remaining(tvb, offset)) {
5898 proto_tree *sub_tree;
5899 proto_item *sub_item;
5901 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_qfr_entry, &sub_item, "Entry");
5903 proto_tree_add_item(sub_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5906 proto_tree_add_item(sub_tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5909 proto_tree_add_item(sub_tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5912 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect FSCTL_LMR_REQUEST_RESILIENCY request data: a 4-byte timeout and a
 * 4-byte reserved field, both little-endian. Response data is empty.
 */
5921 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5923 /* There is no out data */
5929 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5933 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT response data: a 4-byte
 * support value and a 4-byte handle state, both little-endian. Request data
 * is empty.
 */
5937 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5939 /* There is no in data */
5944 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_support, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5947 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_handle_state, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Bit values of the Storage QoS control "options" field; one bit per operation. */
5950 #define STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID 0x00000001
5951 #define STORAGE_QOS_CONTROL_FLAG_SET_POLICY 0x00000002
5952 #define STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY 0x00000004
5953 #define STORAGE_QOS_CONTROL_FLAG_GET_STATUS 0x00000008
5954 #define STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS 0x00000010
/* Display strings for the 16-bit protocol version field. */
5956 static const value_string smb2_ioctl_sqos_protocol_version_vals[] = {
5957 { 0x0100, "Storage QoS Protocol Version 1.0" },
5958 { 0x0101, "Storage QoS Protocol Version 1.1" },
/* Display strings for the status field.
 * NOTE(review): value 0x03 has no entry here -- confirm that is intended. */
5962 static const value_string smb2_ioctl_sqos_status_vals[] = {
5963 { 0x00, "StorageQoSStatusOk" },
5964 { 0x01, "StorageQoSStatusInsufficientThroughput" },
5965 { 0x02, "StorageQoSUnknownPolicyId" },
5966 { 0x04, "StorageQoSStatusConfigurationMismatch" },
5967 { 0x05, "StorageQoSStatusNotAvailable" },
/*
 * Dissect FSCTL_STORAGE_QOS_CONTROL data. Request and response share a
 * header: 2-byte protocol version, 2 reserved bytes, an options bitmask and
 * three 16-byte ids (logical flow, policy, initiator). The remainder differs
 * by direction; the data_in test selecting it is on lines not shown here.
 * Protocol versions above 0x0100 carry extra 8-byte fields.
 */
5972 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, gboolean data_in)
5974 static const int * operations[] = {
5975 &hf_smb2_ioctl_sqos_op_set_logical_flow_id,
5976 &hf_smb2_ioctl_sqos_op_set_policy,
5977 &hf_smb2_ioctl_sqos_op_probe_policy,
5978 &hf_smb2_ioctl_sqos_op_get_status,
5979 &hf_smb2_ioctl_sqos_op_update_counters,
5985 /* Both request and reply have the same common header */
/* The version is kept because it decides whether the v1.1-only fields are
 * read further down. */
5987 proto_ver = tvb_get_letohs(tvb, offset);
5988 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_protocol_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5991 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5994 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_ioctl_sqos_options,
5995 ett_smb2_ioctl_sqos_opeations, operations, ENC_LITTLE_ENDIAN);
5998 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_logical_flow_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6001 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_policy_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6004 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_initiator_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* Offset/length pairs for the initiator and node names. They are parsed
 * here and the strings themselves are resolved further down. */
6008 offset_length_buffer_t host_olb, node_olb;
6010 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6013 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reservation, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6016 offset = dissect_smb2_olb_length_offset(tvb, offset, &host_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_name);
6018 offset = dissect_smb2_olb_length_offset(tvb, offset, &node_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_node_name);
6020 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_io_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6023 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_normalized_io_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6026 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_latency_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6029 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_lower_latency_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Fields present only for protocol versions newer than 1.0. */
6032 if (proto_ver > 0x0100) {
6033 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_bandwidth_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6036 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_kilobyte_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The name offsets and lengths in host_olb/node_olb are peer-supplied;
 * validating them against the buffer is left to dissect_smb2_olb_string(). */
6040 dissect_smb2_olb_string(pinfo, tree, tvb, &host_olb, OLB_TYPE_UNICODE_STRING);
6042 dissect_smb2_olb_string(pinfo, tree, tvb, &node_olb, OLB_TYPE_UNICODE_STRING);
6044 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_time_to_live, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6047 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6050 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_io_rate, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6053 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_minimum_io_rate, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6056 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_base_io_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6059 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6061 if (proto_ver > 0x0100) {
6063 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_bandwidth, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect a Windows IPv4 socket address into a "Socket Address" subtree of
 * the given length: 2-byte family, 2-byte port, 4-byte address. The dotted
 * address is appended to both the subtree item and the parent item.
 */
6069 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
6071 proto_item *sub_item;
6072 proto_tree *sub_tree;
6073 proto_item *parent_item;
6079 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
6080 parent_item = proto_tree_get_parent(parent_tree);
6083 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): socket-address ports are conventionally carried in network
 * (big-endian) byte order. Decoding little-endian would show a byte-swapped
 * port -- confirm against a capture. */
6087 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6091 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6093 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
6094 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
/*
 * Dissect a Windows IPv6 socket address into a "Socket Address" subtree of
 * the given length: family, port, flow info, 16-byte address, scope id. The
 * textual address is appended to both the subtree item and the parent item.
 */
6098 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
6100 proto_item *sub_item;
6101 proto_tree *sub_tree;
6102 proto_item *parent_item;
6108 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
6109 parent_item = proto_tree_get_parent(parent_tree);
6112 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): same byte-order question as the IPv4 port -- confirm. */
6116 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): flow info and scope id are each dissected as 2 bytes here.
 * sockaddr_in6 layouts normally make both 32-bit; if that holds on the wire,
 * the address that follows is read 2 bytes early -- verify against MS-SMB2. */
6120 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6124 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, ENC_NA);
6125 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
6126 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
6130 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect a Windows sockaddr_storage blob. The 2-byte little-endian address
 * family selects the IPv4 or IPv6 dissector. Any other family gets a generic
 * "Socket Address" subtree that shows only the family value.
 * len is set on a line not shown in this listing.
 */
6134 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6137 proto_item *sub_item;
6138 proto_tree *sub_tree;
6139 proto_item *parent_item;
/* family comes from the packet; unknown values take the generic path below. */
6142 family = tvb_get_letohs(tvb, offset);
6144 case WINSOCK_AF_INET:
6145 dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
6147 case WINSOCK_AF_INET6:
6148 dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
6152 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
6153 parent_item = proto_tree_get_parent(parent_tree);
6156 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6157 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
6158 proto_item_append_text(parent_item, ", Family: %d (0x%04x)", family, family);
/* Capability bits of a NETWORK_INTERFACE_INFO entry. */
6165 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
6166 #define NETWORK_INTERFACE_CAP_RDMA 0x00000002
/*
 * Dissect one NETWORK_INTERFACE_INFO entry starting at the beginning of tvb:
 * next-entry offset, interface index, capability bits, RSS queue count, link
 * speed and socket address. The function then calls itself on the tvb
 * re-sliced at next_offset to dissect the following entry.
 *
 * NOTE(review): next_offset is read from the packet, and each entry in the
 * chain costs one level of recursion. No depth limit or minimum step (for
 * example "at least the size of one entry") is visible in this listing. The
 * chain length is bounded only by the buffer size and the tvb bounds checks.
 * Walking the list in a loop, or rejecting a next_offset smaller than the
 * fixed entry size, would bound stack use explicitly.
 */
6169 dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
6171 guint32 next_offset;
6174 proto_item *sub_item;
6175 proto_tree *sub_tree;
6177 guint32 capabilities;
6180 const char *unit = NULL;
6181 static const int * capability_flags[] = {
6182 &hf_smb2_ioctl_network_interface_capability_rdma,
6183 &hf_smb2_ioctl_network_interface_capability_rss,
6187 next_offset = tvb_get_letohl(tvb, offset);
6192 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_ioctl_network_interface, &sub_item, "Network Interface");
6193 item = proto_tree_get_parent(parent_tree);
6196 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6199 /* interface index */
6200 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6204 capabilities = tvb_get_letohl(tvb, offset);
6205 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_ioctl_network_interface_capabilities, ett_smb2_ioctl_network_interface_capabilities, capability_flags, ENC_LITTLE_ENDIAN);
/* Summarise the capability bits on both the parent item and this entry. */
6207 if (capabilities != 0) {
6208 proto_item_append_text(item, "%s%s",
6209 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
6210 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
6211 proto_item_append_text(sub_item, "%s%s",
6212 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
6213 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
6217 /* rss queue count */
6218 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_rss_queue_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Scale the link speed into a human-readable unit (the unit assignments are
 * on lines not shown here).
 * NOTE(review): link_speed is presumably an integer type, so each division
 * below truncates before the cast to gfloat. "%.1f" would then always print
 * ".0". Cast before dividing if the fraction is wanted. */
6222 link_speed = tvb_get_letoh64(tvb, offset);
6223 item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6224 if (link_speed >= (1000*1000*1000)) {
6225 val = (gfloat)(link_speed / (1000*1000*1000));
6227 } else if (link_speed >= (1000*1000)) {
6228 val = (gfloat)(link_speed / (1000*1000));
6230 } else if (link_speed >= (1000)) {
6231 val = (gfloat)(link_speed / (1000));
6234 val = (gfloat)(link_speed);
6237 proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
6238 proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);
6242 /* socket address */
6243 dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset);
/* Re-slice at the peer-supplied next_offset and recurse for the next entry.
 * Whatever guard precedes this is on a line not shown here. */
6247 next_tvb = tvb_new_subset_remaining(tvb, next_offset);
6249 /* next extra info */
6250 dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
/*
 * FSCTL_QUERY_NETWORK_INTERFACE_INFO: request data is empty. The response is
 * a chain of NETWORK_INTERFACE_INFO entries dissected from the start of tvb.
 * The offset parameter is unused.
 */
6255 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
6257 /* There is no in data */
6262 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
/*
 * Dissect the older FSCTL_VALIDATE_NEGOTIATE_INFO layout. Both directions
 * carry capabilities, a 16-byte GUID, the security mode and a single 2-byte
 * dialect. The first group uses the client GUID and the second the server
 * GUID. The data_in test selecting between them is on lines not shown here.
 *
 * NOTE(review): offset carries the _U_ (unused) marker but is used below.
 */
6266 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
6269 * This is only used by Windows 8 beta
6273 offset = dissect_smb2_capabilities(tree, tvb, offset);
6276 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6279 /* security mode, skip second byte */
6280 offset = dissect_smb2_secmode(tree, tvb, offset);
6284 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6288 offset = dissect_smb2_capabilities(tree, tvb, offset);
6291 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6294 /* security mode, skip second byte */
6295 offset = dissect_smb2_secmode(tree, tvb, offset);
6299 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_VALIDATE_NEGOTIATE_INFO. The client-side group is
 * capabilities, client GUID, security mode, a 2-byte dialect count and that
 * many 2-byte dialects. The server-side group is capabilities, server GUID,
 * security mode and the single selected dialect. The data_in test selecting
 * between them is on lines not shown here.
 *
 * This exchange lets the peers re-check the negotiated parameters, so these
 * fields are the ones to compare with the original NEGOTIATE when looking
 * for a tampered (downgraded) negotiation.
 *
 * NOTE(review): offset carries the _U_ (unused) marker but is used below.
 */
6305 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
6311 offset = dissect_smb2_capabilities(tree, tvb, offset);
6314 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6317 /* security mode, skip second byte */
6318 offset = dissect_smb2_secmode(tree, tvb, offset);
/* dc is a peer-supplied 16-bit count, so the loop below runs at most 65535
 * times. Running past the buffer is left to the tvb bounds check. */
6322 dc = tvb_get_letohs(tvb, offset);
6323 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6326 for ( ; dc>0; dc--) {
6327 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6332 offset = dissect_smb2_capabilities(tree, tvb, offset);
6335 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6338 /* security mode, skip second byte */
6339 offset = dissect_smb2_secmode(tree, tvb, offset);
6343 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect an FSCTL_SRV_ENUMERATE_SNAPSHOTS response: a 4-byte volume count,
 * a 4-byte label count, a 4-byte byte count, then one shadow-copy label
 * string per volume. Request data is empty.
 */
6349 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6351 guint32 num_volumes;
6353 /* There is no in data */
6359 num_volumes = tvb_get_letohl(tvb, offset);
6360 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_volumes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6364 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_labels, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6368 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* NOTE(review): the iteration count is a peer-supplied 32-bit value, and
 * each pass advances by the length the string reader reports. Confirm that
 * the loop exits when that length is 0 (on lines not shown here). Otherwise
 * a large count with no string data would repeat without consuming input. */
6371 while (num_volumes--) {
6375 int old_offset = offset;
6377 bc = tvb_captured_length_remaining(tvb, offset);
6378 name = get_unicode_or_ascii_string(tvb, &offset,
6379 TRUE, &len, TRUE, FALSE, &bc);
6380 proto_tree_add_string(tree, hf_smb2_ioctl_shadow_copy_label, tvb, old_offset, len, name);
/* Advance by the reported string length rather than trusting the offset the
 * reader left behind. */
6382 offset = old_offset+len;
/*
 * Dissect a 64-byte FILE_OBJECTID_BUFFER as four 16-byte ids: object id,
 * birth volume id, birth object id and domain id. Callers assign the result
 * to their offset variable, so it returns an offset. Presumably the one
 * after the buffer; the return line is not shown here.
 */
6391 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
6393 proto_item *item = NULL;
6394 proto_tree *tree = NULL;
6396 /* FILE_OBJECTID_BUFFER */
6398 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
6399 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
6403 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6406 /* Birth Volume ID */
6407 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6410 /* Birth Object ID */
6411 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6415 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_CREATE_OR_GET_OBJECT_ID: request data is empty. The response is a
 * FILE_OBJECTID_BUFFER.
 */
6422 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6425 /* There is no in data */
6430 /* FILE_OBJECTID_BUFFER */
6431 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * FSCTL_GET_COMPRESSION: request data is empty. The response is a 2-byte
 * little-endian compression format.
 */
6437 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6440 /* There is no in data */
6445 /* compression format */
6446 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_COMPRESSION: the request is a 2-byte little-endian compression
 * format. Response data is empty.
 */
6453 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6456 /* There is no out data */
6461 /* compression format */
6462 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_INTEGRITY_INFORMATION: the request is a 2-byte checksum
 * algorithm, 2 reserved bytes and a flags bitmask (the "enforcement off"
 * flag is among its bits). Response data is empty.
 */
6469 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
/* NOTE(review): the other bitmask tables in this file are "static const";
 * this one is rebuilt on every call. */
6471 const int *integrity_flags[] = {
6472 &hf_smb2_integrity_flags_enforcement_off,
6476 /* There is no out data */
6481 proto_tree_add_item(tree, hf_smb2_checksum_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6484 proto_tree_add_item(tree, hf_smb2_integrity_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6487 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_integrity_flags, ett_smb2_integrity_flags, integrity_flags, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_OBJECT_ID: the request is a FILE_OBJECTID_BUFFER. Response data
 * is empty.
 */
6494 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6497 /* There is no out data */
6502 /* FILE_OBJECTID_BUFFER */
6503 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * FSCTL_SET_OBJECT_ID_EXTENDED: the request carries only the extended-info
 * part of a FILE_OBJECTID_BUFFER, as three 16-byte ids: birth volume id,
 * birth object id and domain id. Response data is empty.
 */
6509 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6512 /* There is no out data */
6517 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
6519 /* Birth Volume ID */
6520 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6523 /* Birth Object ID */
6524 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6528 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * Add the 24-byte copy-chunk resume key as an opaque bytes item. The key's
 * content is not interpreted. Callers assign the result to their offset
 * variable, so it returns an offset; the return line is not shown here.
 */
6535 dissect_smb2_cchunk_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
6538 proto_tree_add_bytes_format_value(tree, hf_smb2_cchunk_resume_key, tvb,
6539 offset, 24, NULL, "Opaque Data");
/*
 * FSCTL_SRV_REQUEST_RESUME_KEY: request data is empty. The response is the
 * 24-byte resume key followed by 4 reserved bytes.
 */
6546 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6549 /* There is no in data */
6554 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
6556 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect FSCTL_SRV_COPYCHUNK data. The response is three 4-byte counters:
 * chunks written, bytes written and total written. The request is the
 * resume key, a 4-byte chunk count, 4 reserved bytes and then the chunks.
 * Each chunk is 24 bytes: 8-byte source offset, 8-byte destination offset,
 * 4-byte transfer length and 4 reserved bytes.
 */
6560 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6562 proto_tree *sub_tree;
6563 proto_item *sub_item;
6564 guint32 chunk_count = 0;
6566 /* Output is simpler - handle that first. */
6568 proto_tree_add_item(tree, hf_smb2_cchunk_chunks_written, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6569 proto_tree_add_item(tree, hf_smb2_cchunk_bytes_written, tvb, offset+4, 4, ENC_LITTLE_ENDIAN);
6570 proto_tree_add_item(tree, hf_smb2_cchunk_total_written, tvb, offset+8, 4, ENC_LITTLE_ENDIAN);
6574 /* Input data, fixed part */
6575 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
6576 proto_tree_add_item_ret_uint(tree, hf_smb2_cchunk_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &chunk_count);
6579 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6582 /* Zero or more copy chunks follow the fixed part. */
/* chunk_count is peer-supplied, so the loop also requires a whole 24-byte
 * chunk to remain; an inflated count therefore cannot read past the buffer.
 * The decrement of chunk_count is on a line not shown here. */
6583 while (chunk_count && tvb_reported_length_remaining(tvb, offset) >= 24) {
6584 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_smb2_cchunk_entry, &sub_item, "Chunk");
6586 proto_tree_add_item(sub_tree, hf_smb2_cchunk_src_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6589 proto_tree_add_item(sub_tree, hf_smb2_cchunk_dst_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6592 proto_tree_add_item(sub_tree, hf_smb2_cchunk_xfer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6595 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* Dissects a reparse data buffer using the SYMBOLIC_LINK_REPARSE_DATA_BUFFER
 * layout: reparse tag (4), data length (2), reserved (2), substitute-name
 * and print-name offset/length pairs (16-bit each), flags (4), then the two
 * Unicode strings.
 * NOTE(review): the reparse tag is added to the tree but is not read back
 * in the lines shown, so buffers carrying other tags appear to be decoded
 * with the symbolic-link layout as well - confirm. */
6603 dissect_smb2_FSCTL_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
6605 proto_item *item = NULL;
6606 proto_tree *tree = NULL;
6608 offset_length_buffer_t s_olb, p_olb;
6610 /* SYMBOLIC_LINK_REPARSE_DATA_BUFFER */
6612 item = proto_tree_add_item(parent_tree, hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER, tvb, offset, -1, ENC_NA);
6613 tree = proto_item_add_subtree(item, ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER);
/* reparse tag */
6617 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* reparse data length */
6620 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6624 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Both name offset/length pairs are values from the packet; they are only
 * recorded in s_olb/p_olb here and used by the string calls below. */
6627 /* substitute name offset/length */
6628 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
6630 /* print name offset/length */
6631 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
/* symlink flags */
6634 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The current offset is passed as the base for both strings; how the
 * helper validates the recorded offset and length is not visible here. */
6637 /* substitute name string */
6638 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
6640 /* print name string */
6641 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
/* FSCTL_SET_REPARSE_POINT: hands the buffer to the shared reparse-point
 * dissector.  How data_in gates the call is not shown in this listing. */
6645 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, gboolean data_in)
6651 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
/* FSCTL_GET_REPARSE_POINT: hands the buffer to the shared reparse-point
 * dissector.  How data_in gates the call is not shown in this listing. */
6655 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, gboolean data_in)
6661 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
/* Dispatches one ioctl data buffer to the FSCTL-specific dissector selected
 * by ioctl_function.  tvb holds only that buffer, so every handler is
 * started at offset 0.  data_in tells the handler whether it is looking at
 * the input or the output buffer.  The callers in this file pass
 * si->ioctl_function, which is filled from the packet, so the switch is
 * driven by untrusted data and acts purely as a selector.
 * private_data carries the _U_ marker although it is forwarded to the
 * FSCTL_PIPE_TRANSCEIVE handler. */
6665 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in, void *private_data _U_)
/* Reported length of the buffer; passed by pointer to the DFS dissectors. */
6669 dc = tvb_reported_length(tvb);
6671 switch (ioctl_function) {
6672 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
6674 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc, TRUE);
6676 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc, TRUE);
6679 case 0x000940CF: /* FSCTL_QUERY_ALLOCATED_RANGES */
6680 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvb, pinfo, tree, 0, data_in);
6682 case 0x00094264: /* FSCTL_OFFLOAD_READ */
6683 dissect_smb2_FSCTL_OFFLOAD_READ(tvb, pinfo, tree, 0, data_in);
6685 case 0x00098268: /* FSCTL_OFFLOAD_WRITE */
6686 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvb, pinfo, tree, 0, data_in);
6688 case 0x0011c017: /* FSCTL_PIPE_TRANSCEIVE */
6689 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in, private_data);
6691 case 0x00110018: /* FSCTL_PIPE_WAIT */
6692 dissect_smb2_FSCTL_PIPE_WAIT(tvb, pinfo, tree, 0, top_tree, data_in);
6694 case 0x00140078: /* FSCTL_SRV_REQUEST_RESUME_KEY */
6695 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvb, pinfo, tree, 0, data_in);
6697 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
6698 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
6700 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
6701 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
6703 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
6704 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
6706 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
6707 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
6709 case 0x00144064: /* FSCTL_SRV_ENUMERATE_SNAPSHOTS */
6710 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvb, pinfo, tree, 0, data_in);
6712 case 0x001440F2: /* FSCTL_SRV_COPYCHUNK */
6713 case 0x001480F2: /* FSCTL_SRV_COPYCHUNK_WRITE */
6714 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvb, pinfo, tree, 0, data_in);
6716 case 0x000900A4: /* FSCTL_SET_REPARSE_POINT */
6717 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
6719 case 0x000900A8: /* FSCTL_GET_REPARSE_POINT */
6720 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
6722 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
6723 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
6724 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
6726 case 0x000900c4: /* FSCTL_SET_SPARSE */
6727 dissect_smb2_FSCTL_SET_SPARSE(tvb, pinfo, tree, 0, data_in);
6729 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
6730 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
6732 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
6733 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
6735 case 0x000980C8: /* FSCTL_SET_ZERO_DATA */
6736 dissect_smb2_FSCTL_SET_ZERO_DATA(tvb, pinfo, tree, 0, data_in);
6738 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
6739 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
6741 case 0x00090300: /* FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT */
6742 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvb, pinfo, tree, 0, data_in);
6744 case 0x00090304: /* FSCTL_SVHDX_SYNC_TUNNEL or response */
6745 case 0x00090364: /* FSCTL_SVHDX_ASYNC_TUNNEL or response */
/* Tunnel payloads go to a separate dissector (rsvd_handle), which gets
 * top_tree and a pointer to data_in as its data argument. */
6746 call_dissector_with_data(rsvd_handle, tvb, pinfo, top_tree, &data_in);
6748 case 0x00090350: /* FSCTL_STORAGE_QOS_CONTROL */
6749 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvb, pinfo, tree, 0, data_in);
6751 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
6752 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
6754 case 0x00090284: /* FSCTL_QUERY_FILE_REGIONS */
6755 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvb, pinfo, tree, 0, data_in);
6757 case 0x0009C280: /* FSCTL_SET_INTEGRITY_INFORMATION request or response */
6758 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvb, pinfo, tree, 0, data_in);
/* Presumably the default case (its label is not shown in this listing):
 * an unrecognised function code is shown as one opaque item covering the
 * captured bytes, so unknown FSCTLs are displayed rather than parsed. */
6761 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/* Buffer callback for the ioctl input buffer: sets the pipe file id from
 * si, then dispatches with data_in = TRUE, passing si as private data. */
6766 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6768 smb2_pipe_set_file_id(pinfo, si);
6769 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, TRUE, si);
/* Buffer callback for the ioctl output buffer: sets the pipe file id from
 * si, then dispatches with data_in = FALSE, passing si as private data. */
6773 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6775 smb2_pipe_set_file_id(pinfo, si);
6776 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, FALSE, si);
/* Dissects an SMB2 IOCTL request: buffer code, reserved bytes, ioctl
 * function (stored in si->ioctl_function), file id, in-buffer
 * offset/length, max in size, out-buffer offset/length, max out size,
 * flags, reserved, and finally the in and out buffers themselves.
 * Both buffers are dissected through dissect_smb2_olb_buffer(), whichever
 * has the lower offset first, and the returned offset is moved past both
 * with dissect_smb2_olb_tvb_max_offset().  Offset updates and the else
 * branch of the ordering test are not part of this listing. */
6780 dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6782 offset_length_buffer_t o_olb;
6783 offset_length_buffer_t i_olb;
6784 proto_tree *flags_tree = NULL;
6785 proto_item *flags_item = NULL;
/* buffer code */
6788 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6791 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6794 /* ioctl function */
6795 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
/* file id */
6798 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* The buffer offsets and lengths are 32-bit values from the packet; they
 * are only recorded in i_olb/o_olb here and consumed further down. */
6800 /* in buffer offset/length */
6801 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
6803 /* max ioctl in size */
6804 proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6807 /* out buffer offset/length */
6808 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
6810 /* max ioctl out size */
6811 proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* flags */
6816 flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6817 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
6819 proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6823 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6826 /* try to decode these blobs in the order they were encoded
6827 * so that for "short" packets we will dissect as much as possible
6828 * before aborting with "short packet"
6830 if (i_olb.off>o_olb.off) {
6832 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6834 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6837 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6839 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6842 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
6843 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
/* Dissects an SMB2 IOCTL response.  si->status selects the start: status
 * 0 dissects the buffer code, 0x80000005 (STATUS_BUFFER_OVERFLOW) only
 * breaks, any other status goes to dissect_smb2_error_response() and
 * returns unless that call sets continue_dissection.  The rest mirrors the
 * request: ioctl function, file id, in/out buffer offset/length pairs,
 * two reserved fields, then both buffers in offset order.
 * NOTE(review): for 0x80000005 no buffer code is consumed in the lines
 * shown, so the fields after the switch would start at an offset that has
 * not moved past the structure size - confirm against the full source. */
6849 dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6851 offset_length_buffer_t o_olb;
6852 offset_length_buffer_t i_olb;
6853 gboolean continue_dissection;
6855 switch (si->status) {
6857 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6858 case 0x80000005: break;
6859 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6860 if (!continue_dissection) return offset;
6863 /* some unknown bytes */
6864 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
6867 /* ioctl function */
6868 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
/* file id */
6871 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* The buffer offsets and lengths are 32-bit values from the packet; they
 * are only recorded in i_olb/o_olb here and consumed further down. */
6873 /* in buffer offset/length */
6874 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
6876 /* out buffer offset/length */
6877 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
6880 /* flags: reserved: must be zero */
6881 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* reserved */
6885 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6888 /* try to decode these blobs in the order they were encoded
6889 * so that for "short" packets we will dissect as much as possible
6890 * before aborting with "short packet"
6892 if (i_olb.off>o_olb.off) {
6894 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6896 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6899 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6901 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6904 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
6905 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
/* Dissects an SMB2 READ request: buffer code, padding/reserved, read
 * length, file offset, file id, minimum count, channel, remaining bytes,
 * and the channel info blob (decoded as an RDMA v1 blob for
 * SMB2_CHANNEL_RDMA_V1, shown undecoded otherwise).  The requested length
 * and offset are appended to the Info column and stored in si->saved.
 * Declarations of len, off and channel, the offset updates and the switch
 * header are not part of this listing. */
6912 dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6914 offset_length_buffer_t c_olb;
/* buffer code */
6920 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6922 /* padding and reserved */
6923 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* length */
6927 len = tvb_get_letohl(tvb, offset);
6928 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* offset */
6932 off = tvb_get_letoh64(tvb, offset);
6933 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): len is filled from tvb_get_letohl(), an unsigned 32-bit
 * read of a packet field, but is printed with %d; a length of 0x80000000
 * or more would be displayed as negative.  The declaration of len is not
 * shown - confirm its type and whether %u is the matching conversion. */
6936 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", len, off);
/* file id */
6939 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* minimum count */
6942 proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* channel */
6946 channel = tvb_get_letohl(tvb, offset);
6947 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6950 /* remaining bytes */
6951 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6954 /* read channel info blob offset/length */
6955 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
6957 /* the read channel info blob itself */
6959 case SMB2_CHANNEL_RDMA_V1:
6960 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
6962 case SMB2_CHANNEL_NONE:
/* NULL callback: the blob is added without further decoding. */
6964 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
6968 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
/* si->saved is dereferenced here; the guard around these stores is not
 * visible in this listing.  dissect_smb2_read_response() tests si->saved
 * for NULL before using it, so a check is expected here too. */
6970 /* Store len and offset */
6972 si->saved->file_offset=off;
6973 si->saved->bytes_moved=len;
/* Dissects an SMB2 READ response: status handling, data offset, read
 * length, remaining count, reserved, then the payload, which is first
 * offered to the named-pipe dissector and otherwise added as raw read
 * data.  When the export-object tap is listening and the whole payload was
 * captured, the data is also fed to feed_eo_smb2().
 * si carries the _U_ marker although it is dereferenced below.
 * The declaration of length, the offset updates and several conditions
 * are not part of this listing. */
6981 dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
6983 guint16 dataoffset = 0;
6984 guint32 data_tvb_len;
6986 gboolean continue_dissection;
/* Status 0 dissects the buffer code; any other status is handed to the
 * error-response dissector, which decides whether to continue. */
6988 switch (si->status) {
6990 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6991 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6992 if (!continue_dissection) return offset;
/* NOTE(review): dataoffset is a guint16 and the tree item is 2 bytes, but
 * the value is fetched with the 4-byte tvb_get_letohl(); the read covers
 * two bytes beyond the field and is truncated on assignment.
 * tvb_get_letohs() would match the field width - confirm. */
6996 dataoffset=tvb_get_letohl(tvb,offset);
6997 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7000 /* length might even be 64bits if they are ambitious */
7001 length = tvb_get_letohl(tvb, offset);
7002 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* remaining */
7006 proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* reserved */
7010 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* Bytes of payload actually present in the capture from here on. */
7013 data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);
7015 /* data or namedpipe ?*/
7017 int oldoffset = offset;
7018 smb2_pipe_set_file_id(pinfo, si);
7019 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
7020 if (offset != oldoffset) {
7021 /* managed to dissect pipe data */
/* length is the value claimed by the packet and is used as the item
 * length; the offset advance below is clamped to the captured bytes. */
7027 proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);
7029 offset += MIN(length,data_tvb_len);
/* Only feed the export-object tap when the capture holds exactly the
 * claimed number of bytes, i.e. the payload is complete. */
7032 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
7033 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
7034 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,si->saved->file_offset);
/* Attaches an ei_smb2_bad_response expert item covering the whole tvb
 * (offset 0, length -1) for a create-context buffer that should not
 * appear.  buffer_desc is passed as a %s argument to a literal format
 * string, never as the format itself. */
7042 report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *buffer_desc)
7044 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_bad_response, tvb, 0, -1,
7045 "%s SHOULD NOT be generated", buffer_desc);
/* ExtA create context, request side: labels the parent item and dissects
 * the buffer as full EA information starting at offset 0. */
7048 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7050 proto_item *item = NULL;
7052 item = proto_tree_get_parent(tree);
7053 proto_item_append_text(item, ": SMB2_FILE_FULL_EA_INFO");
7055 dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
/* ExtA create context, response side: not expected, so the buffer is
 * flagged with an expert item instead of being decoded. */
7059 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7061 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
/* SecD create context, request side: labels the parent item and dissects
 * the buffer with dissect_smb2_sec_info_00() starting at offset 0. */
7065 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7067 proto_item *item = NULL;
7069 item = proto_tree_get_parent(tree);
7070 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
7072 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
/* SecD create context, response side: not expected, so the buffer is
 * flagged with an expert item instead of being decoded. */
7076 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7078 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
/* TWrp create context, request side: labels the parent item and decodes a
 * 64-bit NT timestamp at offset 0. */
7082 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7084 proto_item *item = NULL;
7086 item = proto_tree_get_parent(tree);
7087 proto_item_append_text(item, ": Timestamp");
7089 dissect_nt_64bit_time(tvb, tree, 0, hf_smb2_twrp_timestamp);
/* TWrp create context, response side: not expected, so the buffer is
 * flagged with an expert item.  pinfo carries the _U_ marker although it
 * is passed on. */
7093 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7095 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
/* QFid create context, request side: the buffer is expected to be empty.
 * An empty buffer is labelled "NO DATA"; otherwise a note is appended to
 * the parent item text.
 * NOTE(review): in the lines shown a non-empty buffer only changes the
 * item text; unlike the unexpected-response cases in this file it does not
 * raise an expert item that an analyst could filter on - confirm. */
7099 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7101 proto_item *item = NULL;
7104 item = proto_tree_get_parent(tree);
7108 if (tvb_reported_length(tvb) == 0) {
7109 proto_item_append_text(item, ": NO DATA");
7111 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
/* QFid create context, response side: adds a "QFid INFO" subtree and shows
 * 32 bytes at offset as one opaque item.  The declarations of item and
 * offset are not part of this listing. */
7117 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7121 proto_item *sub_tree;
7123 item = proto_tree_get_parent(tree);
7125 proto_item_append_text(item, ": QFid INFO");
7126 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_QFid_buffer, NULL, "QFid INFO");
7128 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
/* AlSi create context, request side: an 8-byte little-endian allocation
 * size at offset 0. */
7132 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7134 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* AlSi create context, response side: not expected, so the buffer is
 * flagged with an expert item.  pinfo carries the _U_ marker although it
 * is passed on. */
7138 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7140 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
/* DHnQ create context, request side: dissects a file id at offset 0 in
 * FID_MODE_DHNQ. */
7144 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7146 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
/* DHnQ create context, response side: an 8-byte reserved field at
 * offset 0. */
7150 dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7152 proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* DHnC create context, request side: dissects a file id at offset 0 in
 * FID_MODE_DHNC. */
7156 dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7158 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
/* DHnC create context, response side: not expected, so the buffer is
 * flagged with an expert item instead of being decoded. */
7162 dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7164 report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
7168 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
7174 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
7178 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
7183 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
7186 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
/* DH2Q create context, request side: adds a "DH2Q Request" subtree with a
 * 4-byte timeout, a flags bitmask (persistent-handle bit), 8 reserved
 * bytes and a 16-byte create GUID.  The declarations of item and offset
 * and the offset updates are not part of this listing. */
7189 dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7191 static const int *dh2x_flags_fields[] = {
7192 &hf_smb2_dh2x_buffer_flags_persistent_handle,
7197 proto_item *sub_tree;
7199 item = proto_tree_get_parent(tree);
7201 proto_item_append_text(item, ": DH2Q Request");
7202 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Request");
/* timeout */
7205 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* flags */
7209 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_dh2x_buffer_flags,
7210 ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
/* reserved */
7214 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* create guid */
7218 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* DH2Q create context, response side: adds a "DH2Q Response" subtree with
 * a 4-byte timeout and a 4-byte flags field.  Here the flags are added as
 * a plain item, not as the bitmask used on the request side. */
7222 dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7226 proto_item *sub_tree;
7228 item = proto_tree_get_parent(tree);
7230 proto_item_append_text(item, ": DH2Q Response");
7231 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Response");
/* timeout */
7234 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* flags */
7238 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* DH2C create context, request side: adds a "DH2C Request" subtree with a
 * file id (FID_MODE_DHNC), a 16-byte create GUID and a 4-byte flags field.
 * The offset updates between the fields are not part of this listing. */
7242 dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7246 proto_item *sub_tree;
7248 item = proto_tree_get_parent(tree);
7250 proto_item_append_text(item, ": DH2C Request");
7251 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2C_buffer, NULL, "DH2C Request");
/* file id */
7254 dissect_smb2_fid(tvb, pinfo, sub_tree, offset, si, FID_MODE_DHNC);
/* create guid */
7258 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* flags */
7262 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* DH2C create context, response side: not expected, so the buffer is
 * flagged with an expert item instead of being decoded. */
7266 dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7268 report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
/* MxAc create context, request side: an empty buffer is labelled
 * "NO DATA"; otherwise the buffer is labelled "Timestamp" and a 64-bit NT
 * timestamp is decoded at offset.  The branch structure between the two
 * cases is not part of this listing. */
7272 dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7275 proto_item *item = NULL;
7278 item = proto_tree_get_parent(tree);
7281 if (tvb_reported_length(tvb) == 0) {
7283 proto_item_append_text(item, ": NO DATA");
7289 proto_item_append_text(item, ": Timestamp");
7292 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_mxac_timestamp);
/* MxAc create context, response side: an empty buffer is labelled
 * "NO DATA"; otherwise a "MxAc INFO" subtree gets a 4-byte status followed
 * by an access mask.  The offset update between the two fields is not part
 * of this listing. */
7296 dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7300 proto_tree *sub_tree;
7302 item = proto_tree_get_parent(tree);
7304 if (tvb_reported_length(tvb) == 0) {
7305 proto_item_append_text(item, ": NO DATA");
7309 proto_item_append_text(item, ": MxAc INFO");
7310 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_MxAc_buffer, NULL, "MxAc INFO");
/* NOTE(review): this is the only multi-byte integer in this part of the
 * file read as ENC_BIG_ENDIAN; every other SMB2 field here is
 * little-endian, so the status would be shown byte-swapped if the wire
 * format is little-endian as well - confirm. */
7312 proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_BIG_ENDIAN);
7315 dissect_smb_access_mask(tvb, sub_tree, offset);
7319 * SMB2_CREATE_REQUEST_LEASE 32
7323 * 8 - lease duration
7325 * SMB2_CREATE_REQUEST_LEASE_V2 52
7329 * 8 - lease duration
7330 * 16 - parent lease key
7334 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
7335 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
7336 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
7338 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
7339 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
7340 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
/* Sub-fields displayed under hf_smb2_lease_state by the bitmask call in
 * dissect_SMB2_CREATE_LEASE_VX(). */
7342 static const int *lease_state_fields[] = {
7343 &hf_smb2_lease_state_read_caching,
7344 &hf_smb2_lease_state_handle_caching,
7345 &hf_smb2_lease_state_write_caching,
/* Sub-fields displayed under hf_smb2_lease_flags by the bitmask call in
 * dissect_SMB2_CREATE_LEASE_VX(). */
7348 static const int *lease_flags_fields[] = {
7349 &hf_smb2_lease_flags_break_ack_required,
7350 &hf_smb2_lease_flags_break_in_progress,
7351 &hf_smb2_lease_flags_parent_lease_key_set,
/* Dissects a lease create context, request or response.  The version is
 * chosen from the reported buffer length alone: 32 bytes is LEASE_V1,
 * 52 bytes is LEASE_V2, and any other length is reported through
 * report_create_context_malformed_buffer().  Fields: 16-byte lease key,
 * lease state bitmask, lease flags bitmask, 8-byte lease duration, then
 * a 16-byte parent lease key, 2-byte epoch and 2 reserved bytes.
 * The switch header, the offset updates and the test that presumably
 * limits the last three fields to the 52-byte form are not part of this
 * listing.  pinfo carries the _U_ marker although it is passed on. */
7356 dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
7360 proto_tree *sub_tree = NULL;
7361 proto_item *parent_item;
7363 parent_item = proto_tree_get_parent(parent_tree);
7365 len = tvb_reported_length(tvb);
7368 case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
7369 proto_item_append_text(parent_item, ": LEASE_V1");
7370 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V1");
7372 case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
7373 proto_item_append_text(parent_item, ": LEASE_V2");
7374 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V2");
/* Any other length: flag the buffer instead of guessing a layout. */
7377 report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
/* lease key */
7381 proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* lease state */
7384 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_state,
7385 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
/* lease flags */
7388 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_flags,
7389 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
/* lease duration */
7392 proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* parent lease key */
7399 proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* epoch */
7402 proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* reserved */
7405 proto_tree_add_item(sub_tree, hf_smb2_lease_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* RqLs create context, request side: delegates to the shared lease
 * dissector.  pinfo and si carry the _U_ marker although both are
 * passed on. */
7409 dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7411 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
/* RqLs create context, response side: delegates to the shared lease
 * dissector.  pinfo and si carry the _U_ marker although both are
 * passed on. */
7415 dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7417 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
7421 * SMB2_CREATE_APP_INSTANCE_ID
7422 * 2 - structure size - 20
7424 * 16 - application guid
/* APP INSTANCE ID create context, request side: adds an "APP INSTANCE ID"
 * subtree with a 2-byte structure size, 2 reserved bytes and a 16-byte
 * application GUID.  The structure size is displayed only; it is not
 * compared with any expected value in the lines shown.  The offset
 * updates between the fields are not part of this listing. */
7428 dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7432 proto_item *sub_tree;
7434 item = proto_tree_get_parent(tree);
7436 proto_item_append_text(item, ": CREATE APP INSTANCE ID");
7437 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_APP_INSTANCE_buffer, NULL, "APP INSTANCE ID");
/* structure size */
7440 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
7441 tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* reserved */
7445 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
7446 tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* application guid */
7450 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* APP INSTANCE ID create context, response side: not expected, so the
 * buffer is flagged with an expert item.  pinfo carries the _U_ marker
 * although it is passed on. */
7454 dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7456 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
7460 * Dissect the MS-RSVD stuff that turns up when HyperV uses SMB3.x
/* Dissects the SVHDX open device context (MS-RSVD) as a fixed layout:
 * version (4), HasInitiatorId (1), reserved (3), initiator id (16),
 * flags (4), originator flags (4), open request id (8), initiator host
 * name length (2), initiator host name (126), followed by five further
 * fields of 4, 4, 4, 4 and 8 bytes.  version is read back from the packet;
 * any test on it that guards the later fields, and the offset updates, are
 * not part of this listing. */
7463 dissect_smb2_svhdx_open_device_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7468 proto_item *sub_tree;
7470 item = proto_tree_get_parent(tree);
7472 proto_item_append_text(item, ": SVHDX OPEN DEVICE CONTEXT");
7473 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_svhdx_open_device_context, NULL, "SVHDX OPEN DEVICE CONTEXT");
/* Version */
7476 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_svhdx_open_device_context_version,
7477 tvb, offset, 4, ENC_LITTLE_ENDIAN, &version);
7480 /* HasInitiatorId */
7481 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_has_initiator_id,
7482 tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* Reserved */
7486 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_reserved,
7487 tvb, offset, 3, ENC_NA);
/* InitiatorId */
7491 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_id,
7492 tvb, offset, 16, ENC_LITTLE_ENDIAN);
7495 /* Flags TODO: Dissect these */
7496 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_flags,
7497 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7500 /* OriginatorFlags */
7501 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_originator_flags,
7502 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* OpenRequestId */
7506 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_open_request_id,
7507 tvb, offset, 8, ENC_LITTLE_ENDIAN);
7510 /* InitiatorHostNameLength */
7511 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name_len,
7512 tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* The name is always shown as the full 126-byte field; the length field
 * above is displayed but not used to bound it in the lines shown.
 * NOTE(review): MS-RSVD appears to define this name as UTF-16, in which
 * case ENC_ASCII would not render it correctly - confirm against the
 * specification. */
7515 /* InitiatorHostName */
7516 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name,
7517 tvb, offset, 126, ENC_ASCII | ENC_NA);
7521 /* VirtualDiskPropertiesInitialized */
7522 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
7523 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7526 /* ServerServiceVersion */
7527 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_server_service_version,
7528 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7531 /* VirtualSectorSize */
7532 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_sector_size,
7533 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7536 /* PhysicalSectorSize */
7537 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_physical_sector_size,
7538 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* VirtualSize */
7542 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_size,
7543 tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Sub-fields displayed under hf_smb2_posix_v1_supported_features by the
 * bitmask call in dissect_smb2_posix_v1_caps_response(). */
7547 static const int *posix_flags_fields[] = {
7548 &hf_smb2_posix_v1_case_sensitive,
7549 &hf_smb2_posix_v1_posix_lock,
7550 &hf_smb2_posix_v1_posix_file_semantics,
7551 &hf_smb2_posix_v1_posix_utf8_paths,
7552 &hf_smb2_posix_v1_posix_will_convert_nt_acls,
7553 &hf_smb2_posix_v1_posix_fileinfo,
7554 &hf_smb2_posix_v1_posix_acls,
7555 &hf_smb2_posix_v1_rich_acls,
/* POSIX V1 caps create context, request side: adds a "POSIX_V1_REQUEST"
 * subtree with a 4-byte version and a 4-byte request field.  tvb carries
 * the _U_ marker although it is read.  The offset update between the two
 * fields is not part of this listing. */
7560 dissect_smb2_posix_v1_caps_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7564 proto_item *sub_tree;
7566 item = proto_tree_get_parent(tree);
7568 proto_item_append_text(item, ": POSIX V1 CAPS request");
7569 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_posix_v1_request, NULL, "POSIX_V1_REQUEST");
/* Version */
7572 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_version,
7573 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Request */
7577 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_request,
7578 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* POSIX V1 caps create context, response side: adds a "POSIX_V1_RESPONSE"
 * subtree with a 4-byte version and the supported-features bitmask.  tvb
 * carries the _U_ marker although it is read.  The offset update between
 * the two fields is not part of this listing. */
7582 dissect_smb2_posix_v1_caps_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7586 proto_item *sub_tree;
7588 item = proto_tree_get_parent(tree);
7590 proto_item_append_text(item, ": POSIX V1 CAPS response");
7591 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_posix_v1_response, NULL, "POSIX_V1_RESPONSE");
/* Version */
7594 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_version,
7595 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7598 /* Supported Features */
7599 proto_tree_add_bitmask(sub_tree, tvb, offset,
7600 hf_smb2_posix_v1_supported_features,
7601 ett_smb2_posix_v1_supported_features,
7602 posix_flags_fields, ENC_LITTLE_ENDIAN);
/* AAPL create-context command codes; the AAPL request and response
 * dissectors switch on these values. */
7606 #define SMB2_AAPL_SERVER_QUERY 1
7607 #define SMB2_AAPL_RESOLVE_ID 2
/* Display names for the command codes. */
7609 static const value_string aapl_command_code_vals[] = {
7610 { SMB2_AAPL_SERVER_QUERY, "Server query"},
7611 { SMB2_AAPL_RESOLVE_ID, "Resolve ID"},
/* Bits of the server-query bitmask; the response dissector tests them to
 * decide which optional sections to decode. */
7615 #define SMB2_AAPL_SERVER_CAPS 0x00000001
7616 #define SMB2_AAPL_VOLUME_CAPS 0x00000002
7617 #define SMB2_AAPL_MODEL_INFO 0x00000004
/* Sub-fields displayed under hf_smb2_aapl_server_query_bitmask. */
7619 static const int *aapl_server_query_bitmap_fields[] = {
7620 &hf_smb2_aapl_server_query_bitmask_server_caps,
7621 &hf_smb2_aapl_server_query_bitmask_volume_caps,
7622 &hf_smb2_aapl_server_query_bitmask_model_info,
7626 #define SMB2_AAPL_SUPPORTS_READ_DIR_ATTR 0x00000001
7627 #define SMB2_AAPL_SUPPORTS_OSX_COPYFILE 0x00000002
7628 #define SMB2_AAPL_UNIX_BASED 0x00000004
7629 #define SMB2_AAPL_SUPPORTS_NFS_ACE 0x00000008
/* Sub-fields displayed under hf_smb2_aapl_server_query_caps. */
7631 static const int *aapl_server_query_caps_fields[] = {
7632 &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
7633 &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
7634 &hf_smb2_aapl_server_query_caps_unix_based,
7635 &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
/* AAPL create context, request side: adds a subtree with a 4-byte command
 * code and a 4-byte reserved field, then decodes the rest by command:
 * SMB2_AAPL_SERVER_QUERY carries a request bitmap and a client
 * capabilities bitmask, SMB2_AAPL_RESOLVE_ID an 8-byte file id.
 * command_code is read from the packet and used only as a selector.
 * tvb and tree carry the _U_ marker although both are used.  The trailing
 * arguments of the bitmask calls, the offset updates and any default case
 * are not part of this listing. */
7640 dissect_smb2_AAPL_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
7644 proto_item *sub_tree;
7645 guint32 command_code;
7647 item = proto_tree_get_parent(tree);
7649 proto_item_append_text(item, ": AAPL Create Context request");
7650 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_request, NULL, "AAPL Create Context request");
/* Command code */
7653 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
7654 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
/* Reserved */
7658 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
7659 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7662 switch (command_code) {
7664 case SMB2_AAPL_SERVER_QUERY:
7665 /* Request bitmap */
7666 proto_tree_add_bitmask(sub_tree, tvb, offset,
7667 hf_smb2_aapl_server_query_bitmask,
7668 ett_smb2_aapl_server_query_bitmask,
7669 aapl_server_query_bitmap_fields,
7673 /* Client capabilities */
7674 proto_tree_add_bitmask(sub_tree, tvb, offset,
7675 hf_smb2_aapl_server_query_caps,
7676 ett_smb2_aapl_server_query_caps,
7677 aapl_server_query_caps_fields,
7681 case SMB2_AAPL_RESOLVE_ID:
/* file ID */
7683 proto_tree_add_item(sub_tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7691 #define SMB2_AAPL_SUPPORTS_RESOLVE_ID 0x00000001
7692 #define SMB2_AAPL_CASE_SENSITIVE 0x00000002
7693 #define SMB2_AAPL_SUPPORTS_FULL_SYNC 0x00000004
/* Sub-fields displayed under hf_smb2_aapl_server_query_volume_caps by the
 * bitmask call in dissect_smb2_AAPL_buffer_response(). */
7695 static const int *aapl_server_query_volume_caps_fields[] = {
7696 &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
7697 &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
7698 &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
/*
 * Dissect the data of an "AAPL" create context carried in a response.
 *
 * Layout as decoded here: 4-byte little-endian command code, 4-byte reserved
 * field, then a payload that depends on the command code.
 *   SMB2_AAPL_SERVER_QUERY - reply bitmap; each of the SERVER_CAPS,
 *                            VOLUME_CAPS and MODEL_INFO bits set in it
 *                            announces one more section, decoded in that order
 *   SMB2_AAPL_RESOLVE_ID   - NT status followed by a UTF-16LE server path
 *
 * NOTE(review): which sections are parsed is decided by a bitmap taken from
 * the packet, and the length of the two UTF-16 strings is set on lines not
 * visible here - confirm that length is validated against the buffer before
 * it is used.
 * NOTE(review): every parameter is marked _U_ although tvb and tree are used
 * below.
 */
7703 dissect_smb2_AAPL_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
7707 proto_item *sub_tree;
7708 guint32 command_code;
7709 guint64 server_query_bitmask;
7711 item = proto_tree_get_parent(tree);
7713 proto_item_append_text(item, ": AAPL Create Context response");
7714 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_response, NULL, "AAPL Create Context response");
7717 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
7718 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
7722 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
7723 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7726 switch (command_code) {
7728 case SMB2_AAPL_SERVER_QUERY:
/* Reply bitmap: displayed and returned in server_query_bitmask, which gates
 * the optional sections below. */
7730 proto_tree_add_bitmask_ret_uint64(sub_tree, tvb, offset,
7731 hf_smb2_aapl_server_query_bitmask,
7732 ett_smb2_aapl_server_query_bitmask,
7733 aapl_server_query_bitmap_fields,
7735 &server_query_bitmask);
7738 if (server_query_bitmask & SMB2_AAPL_SERVER_CAPS) {
7739 /* Server capabilities */
7740 proto_tree_add_bitmask(sub_tree, tvb, offset,
7741 hf_smb2_aapl_server_query_caps,
7742 ett_smb2_aapl_server_query_caps,
7743 aapl_server_query_caps_fields,
7747 if (server_query_bitmask & SMB2_AAPL_VOLUME_CAPS) {
7748 /* Volume capabilities */
7749 proto_tree_add_bitmask(sub_tree, tvb, offset,
7750 hf_smb2_aapl_server_query_volume_caps,
7751 ett_smb2_aapl_server_query_volume_caps,
7752 aapl_server_query_volume_caps_fields,
7756 if (server_query_bitmask & SMB2_AAPL_MODEL_INFO) {
/* Model string, decoded as UTF-16 little-endian. */
7761 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_model_string,
7763 ENC_UTF_16|ENC_LITTLE_ENDIAN);
7767 case SMB2_AAPL_RESOLVE_ID:
7769 proto_tree_add_item(sub_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Server path, decoded as UTF-16 little-endian. */
7773 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_server_path,
7775 ENC_UTF_16|ENC_LITTLE_ENDIAN);
/* Callback that dissects the data part of one create context. */
7783 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
/* Request-side and response-side callbacks for one create-context type. */
7785 typedef struct create_context_data_dissectors {
7786 create_context_data_dissector_t request;
7787 create_context_data_dissector_t response;
7788 } create_context_data_dissectors_t;
/* One lookup-table entry. Besides the callbacks it has a tag member, compared
 * by get_create_context_data_tag_dissectors(), and a val member, printed by
 * dissect_smb2_create_extra_info(). */
7790 struct create_context_data_tag_dissectors {
7793 create_context_data_dissectors_t dissectors;
/*
 * Lookup table from create-context tag to display name and to the
 * request/response callbacks. Tags are either four-character names or GUID
 * strings; get_create_context_data_tag_dissectors() matches them with
 * strcmp(), so the comparison is exact and case-sensitive.
 *
 * NOTE(review): the array is neither static nor const, so this table of
 * function pointers is a writable symbol with external linkage. Nothing in
 * the visible code modifies it; consider making it static const (the return
 * type of the lookup would then need const as well).
 * NOTE(review): SMB2_CREATE_APP_INSTANCE_ID is listed under two GUID
 * spellings, one upper-case and one lower-case with a different byte order;
 * whether a binary GUID tag can match the upper-case one depends on the case
 * guid_to_str() produces - verify.
 */
7796 struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
7797 { "ExtA", "SMB2_CREATE_EA_BUFFER",
7798 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
7799 { "SecD", "SMB2_CREATE_SD_BUFFER",
7800 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
7801 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
7802 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
7803 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
7804 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
7805 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
7806 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
7807 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
7808 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
7809 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
7810 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
7811 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
7812 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
7813 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
7814 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
7815 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
7816 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
7817 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
7818 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
7819 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
7820 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
7821 { "6aa6bc45-a7ef-4af7-9008-fa462e144d74", "SMB2_CREATE_APP_INSTANCE_ID",
7822 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
7823 { "9ecfcb9c-c104-43e6-980e-158da1f6ec83", "SVHDX_OPEN_DEVICE_CONTEXT",
7824 { dissect_smb2_svhdx_open_device_context, dissect_smb2_svhdx_open_device_context} },
7825 { "34263501-2921-4912-2586-447794114531", "SMB2_POSIX_V1_CAPS",
7826 { dissect_smb2_posix_v1_caps_request, dissect_smb2_posix_v1_caps_response } },
7827 { "AAPL", "SMB2_AAPL_CREATE_CONTEXT",
7828 { dissect_smb2_AAPL_buffer_request, dissect_smb2_AAPL_buffer_response } },
/*
 * Find the table entry whose tag equals the given string.
 *
 * The table is searched linearly with strcmp(). A function-local INVALID
 * entry ("<invalid>", NULL callbacks) is defined for the case that nothing
 * matches; the caller dereferences the result without a NULL test, so the
 * function presumably never returns NULL.
 *
 * NOTE(review): tag goes straight into strcmp(). It is derived from packet
 * data by the caller, so confirm it can never be NULL here, or return the
 * INVALID entry for a NULL tag.
 */
7831 static struct create_context_data_tag_dissectors*
7832 get_create_context_data_tag_dissectors(const char *tag)
7834 static struct create_context_data_tag_dissectors INVALID = {
7835 NULL, "<invalid>", { NULL, NULL }
7840 for (i = 0; i<array_length(create_context_dissectors_array); i++) {
7841 if (!strcmp(tag, create_context_dissectors_array[i].tag))
7842 return &create_context_dissectors_array[i];
/*
 * Dissect one element of the create-context chain, then recurse into the
 * next element.
 *
 * Each element carries a 4-byte chain offset, a tag (offset/length pair) and
 * a data blob (offset/length pair). The tag selects an entry of
 * create_context_dissectors_array; its request or response callback, chosen
 * by SMB2_FLAGS_RESPONSE in si->flags, is handed to dissect_smb2_olb_buffer()
 * to decode the data blob.
 *
 * Every offset and length used here is read from the packet.
 */
7848 dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
7850 offset_length_buffer_t tag_olb;
7851 offset_length_buffer_t data_olb;
/* NOTE(review): chain_offset is 16 bits wide but is filled from a 32-bit
 * read below, so a chain offset of 0x10000 or more is silently truncated.
 * The field is displayed as 4 bytes; a guint32 would match it. */
7853 guint16 chain_offset;
7856 proto_item *sub_item;
7857 proto_tree *sub_tree;
7858 proto_item *parent_item = NULL;
7859 create_context_data_dissectors_t *dissectors = NULL;
7860 create_context_data_dissector_t dissector = NULL;
7861 struct create_context_data_tag_dissectors *tag_dissectors;
7863 chain_offset = tvb_get_letohl(tvb, offset);
7868 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_create_chain_element, &sub_item, "Chain Element");
7869 parent_item = proto_tree_get_parent(parent_tree);
7872 proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7875 /* tag offset/length */
7876 offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);
7878 /* data offset/length */
7879 dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);
7882 * These things are all either 4-char strings, like DH2C, or GUIDs,
7883 * however, at least one of them appears to be a GUID as a string and
7884 * one appears to be a binary guid. So, check if the the length is
7885 * 16, and if so, pull the GUID and convert it to a string. Otherwise
7886 * call dissect_smb2_olb_string.
7888 if (tag_olb.len == 16) {
7890 proto_item *tag_item;
7891 proto_tree *tag_tree;
/* Binary GUID tag: convert to text (packet-scope memory) and add the tag
 * item together with its offset/length sub-items by hand. */
7893 tvb_get_letohguid(tvb, tag_olb.off, &tag_guid);
7894 tag = guid_to_str(wmem_packet_scope(), &tag_guid);
7896 tag_item = proto_tree_add_string(sub_tree, tag_olb.hfindex, tvb, tag_olb.off, tag_olb.len, tag);
7897 tag_tree = proto_item_add_subtree(tag_item, ett_smb2_olb);
7898 proto_tree_add_item(tag_tree, hf_smb2_olb_offset, tvb, tag_olb.off_offset, 2, ENC_LITTLE_ENDIAN);
7899 proto_tree_add_item(tag_tree, hf_smb2_olb_length, tvb, tag_olb.len_offset, 2, ENC_LITTLE_ENDIAN);
7903 tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
/* NOTE(review): the lookup compares tag with strcmp() and tag is printed with
 * "%s" below; confirm that dissect_smb2_olb_string() cannot hand back NULL
 * for a malformed tag. */
7906 tag_dissectors = get_create_context_data_tag_dissectors(tag);
7908 proto_item_append_text(parent_item, " %s", tag_dissectors->val);
7909 proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);
7912 dissectors = &tag_dissectors->dissectors;
7914 dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;
/* The lookup's INVALID entry carries NULL callbacks; presumably
 * dissect_smb2_olb_buffer() accepts a NULL dissector - verify. */
7916 dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);
/* NOTE(review): the function calls itself once per chain element, on a
 * sub-buffer that starts chain_offset bytes in. The condition guarding this
 * step is not visible here - confirm that it stops on a zero chain_offset
 * and that the number of elements is limited, since the recursion depth is
 * set by packet contents. */
7919 tvbuff_t *chain_tvb;
7920 chain_tvb = tvb_new_subset_remaining(tvb, chain_offset);
7922 /* next extra info */
7923 dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
/*
 * Dissect the body of an SMB2 Create request.
 *
 * Fields are decoded in order: buffer code, oplock, impersonation level,
 * create flags, reserved, access mask, file attributes, share access, create
 * disposition, create options, filename offset/length and extrainfo
 * offset/length. The filename is then decoded and appended to the Info
 * column, remembered in si->saved on the first pass over the packet, and the
 * extrainfo buffer is handed to dissect_smb2_create_extra_info().
 *
 * The remembered filename is heap memory owned by si->saved->extra_info; it
 * is released here before being replaced and in
 * dissect_smb2_create_response().
 */
7928 dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7930 offset_length_buffer_t f_olb, e_olb;
7934 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
7936 /* security flags */
7940 offset = dissect_smb2_oplock(tree, tvb, offset);
7942 /* impersonation level */
7943 proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7947 proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7951 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 8, ENC_NA);
7955 offset = dissect_smb_access_mask(tvb, tree, offset);
7957 /* File Attributes */
7958 offset = dissect_file_ext_attr(tvb, tree, offset);
7961 offset = dissect_nt_share_access(tvb, tree, offset);
7963 /* create disposition */
7964 proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7967 /* create options */
7968 offset = dissect_nt_create_options(tvb, tree, offset);
7970 /* filename offset/length */
7971 offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);
7973 /* extrainfo offset */
7974 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
7976 /* filename string */
/* NOTE(review): fname is built from packet data and is passed to "%s" twice
 * below; confirm dissect_smb2_olb_string() cannot return NULL here. */
7977 fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
7978 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", fname);
7980 /* save the name if it looks sane */
/* Only on the first pass (frame not yet visited). A filename left over from
 * an earlier request is freed first so it cannot leak. */
7981 if (!pinfo->fd->flags.visited) {
7982 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
7983 g_free(si->saved->extra_info);
7984 si->saved->extra_info = NULL;
7985 si->saved->extra_info_type = SMB2_EI_NONE;
/* "Sane" means an on-wire length below 256. The copy is limited to the
 * allocation size (f_olb.len+1), so it cannot overrun the buffer; a decoded
 * name longer than f_olb.len bytes would be truncated. */
7987 if (si->saved && f_olb.len < 256) {
7988 si->saved->extra_info_type = SMB2_EI_FILENAME;
7989 si->saved->extra_info = (gchar *)g_malloc(f_olb.len+1);
7990 g_snprintf((gchar *)si->saved->extra_info, f_olb.len+1, "%s", fname);
7994 /* If extrainfo_offset is non-null then this points to another
7995 * buffer. The offset is relative to the start of the smb packet
7997 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
7999 offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
8000 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
/* Bit of the create response flags field; presumably the bit displayed by
 * hf_smb2_create_rep_flags_reparse_point - confirm against the field mask. */
8005 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
/*
 * Dissect the body of an SMB2 Create response.
 *
 * With status 0 the buffer code is decoded; with any other status the error
 * response is decoded instead and the function returns early unless
 * dissect_smb2_error_response() sets continue_dissection. After that come
 * oplock, response flags, create action, four timestamps, allocation size,
 * end of file, file attributes, reserved, the file id and the extrainfo
 * buffer (create contexts).
 *
 * End of file and the attribute mask are stored in si->eo_file_info, and the
 * filename remembered by the request in si->saved->extra_info is freed at the
 * end.
 */
8008 dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8010 guint64 end_of_file;
8012 offset_length_buffer_t e_olb;
8013 static const int *create_rep_flags_fields[] = {
8014 &hf_smb2_create_rep_flags_reparse_point,
8017 gboolean continue_dissection;
8019 switch (si->status) {
8021 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8022 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8023 if (!continue_dissection) return offset;
8027 offset = dissect_smb2_oplock(tree, tvb, offset);
8030 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
8031 ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
8035 proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8039 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
8042 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
8045 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
8048 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
8050 /* allocation size */
8051 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* End of file is kept in a local as well: si->eo_file_info may still be NULL
 * at this point and is written again after dissect_smb2_fid() below. */
8055 end_of_file = tvb_get_letoh64(tvb, offset);
8056 if (si->eo_file_info) {
8057 si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
8059 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8062 /* File Attributes */
8063 attr_mask=tvb_get_letohl(tvb, offset);
8064 offset = dissect_file_ext_attr(tvb, tree, offset);
8067 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8071 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);
8073 /* We save this after dissect_smb2_fid just because it would be
8074 possible to have this response without having the matching request.
8075 In that case the entry in the file info hash table has been created
8076 in dissect_smb2_fid */
8077 if (si->eo_file_info) {
8078 si->eo_file_info->end_of_file = end_of_file;
8079 si->eo_file_info->attr_mask = attr_mask;
8082 /* extrainfo offset */
8083 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
8085 /* If extrainfo_offset is non-null then this points to another
8086 * buffer. The offset is relative to the start of the smb packet
8088 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
8090 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
8092 /* free si->saved->extra_info we don't need it any more */
8093 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
8094 g_free(si->saved->extra_info);
8095 si->saved->extra_info = NULL;
8096 si->saved->extra_info_type = SMB2_EI_NONE;
/*
 * Dissect the body of an SMB2 SetInfo request.
 *
 * Decodes buffer code, class and info level, the 4-byte size and 2-byte
 * offset of the info buffer, six bytes shown as unknown, and the file id; the
 * info buffer itself is then decoded at setinfo_offset by
 * dissect_smb2_infolevel().
 *
 * setinfo_size and setinfo_offset are both read from the packet.
 */
8104 dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8106 guint32 setinfo_size;
8107 guint16 setinfo_offset;
8110 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
8112 /* class and info level */
8113 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
8116 setinfo_size = tvb_get_letohl(tvb, offset);
8117 proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8121 setinfo_offset = tvb_get_letohs(tvb, offset);
8122 proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8125 /* some unknown bytes */
8126 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
8130 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* NOTE(review): si->saved is dereferenced here, while other functions in this
 * file test si->saved for NULL before using it. Confirm that a NULL guard
 * precedes this call (none is visible here). */
8134 dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);
/* NOTE(review): the sum of two packet-supplied values is stored in the int
 * offset; setinfo_size is an unsigned 32-bit value, so a large size yields a
 * negative or wrapped offset. Range-check it against the buffer length
 * before the result is used as a position. */
8135 offset = setinfo_offset + setinfo_size;
/*
 * Dissect the body of an SMB2 SetInfo response.
 *
 * The class/infolevel helper is called first with its return value ignored,
 * so offset is not advanced by it. With status 0 the buffer code is decoded;
 * with any other status the error response is decoded and the function
 * returns early unless continue_dissection was set.
 */
8141 dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8143 gboolean continue_dissection;
8144 /* class/infolevel */
8145 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
8147 switch (si->status) {
8149 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8150 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8151 if (!continue_dissection) return offset;
/*
 * Dissect the body of an SMB2 Break request.
 *
 * The 2-byte buffer code at the start of the body selects the layout:
 *   24 - oplock level, 1 + 4 reserved bytes, file id
 *   36 - Lease Break Acknowledgment: 2 reserved bytes, lease flags,
 *        16-byte lease key, lease state, 8-byte lease duration
 *
 * NOTE(review): 24 and 36 are bare literals taken from the packet's own
 * structure-size field; named constants would document them, and what is done
 * for any other value is not visible here.
 */
8158 dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8160 guint16 buffer_code;
8163 buffer_code = tvb_get_letohs(tvb, offset);
8164 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
8166 if (buffer_code == 24) {
8170 offset = dissect_smb2_oplock(tree, tvb, offset);
8173 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
8177 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8181 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
8186 if (buffer_code == 36) {
8187 /* Lease Break Acknowledgment */
8190 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8194 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
8195 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
8199 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8203 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8204 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
8207 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect the body of an SMB2 Break response or notification.
 *
 * The 2-byte buffer code at the start of the body selects the layout:
 *   24 - OPLOCK Break Notification: oplock level, 1 + 4 reserved bytes,
 *        file id
 *   44 - Lease Break Notification: lease epoch, lease flags, 16-byte lease
 *        key, current and new lease state, break reason, access mask hint,
 *        share mask hint
 *   36 - Lease Break Response: 2 reserved bytes, lease flags, 16-byte lease
 *        key, lease state, 8-byte lease duration
 *
 * NOTE(review): buffer_code is read before the status switch. When the status
 * is non-zero and dissect_smb2_error_response() asks to continue, the
 * comparisons below still use the value read from the start of the error
 * response - confirm that this is intended.
 */
8217 dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8219 guint16 buffer_code;
8220 gboolean continue_dissection;
8223 buffer_code = tvb_get_letohs(tvb, offset);
8224 switch (si->status) {
8225 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8226 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8227 if (!continue_dissection) return offset;
8230 if (buffer_code == 24) {
8231 /* OPLOCK Break Notification */
8234 offset = dissect_smb2_oplock(tree, tvb, offset);
8237 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
8241 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8245 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
8247 /* in break requests from server to client here're 24 byte zero bytes
8248 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
8254 if (buffer_code == 44) {
8257 /* Lease Break Notification */
8259 /* new lease epoch */
8260 proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8264 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
8265 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
8269 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8272 /* current lease state */
8273 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8274 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
8276 proto_item_prepend_text(item, "Current ");
8280 /* new lease state */
8281 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8282 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
8284 proto_item_prepend_text(item, "New ");
8288 /* break reason - reserved */
8289 proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8292 /* access mask hint - reserved */
8293 proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8296 /* share mask hint - reserved */
8297 proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8303 if (buffer_code == 36) {
8304 /* Lease Break Response */
8307 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8311 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
8312 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
8316 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8320 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8321 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
8324 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8333 /* names here are just until we find better names for these functions */
8334 static const value_string smb2_cmd_vals[] = {
8335 { 0x00, "Negotiate Protocol" },
8336 { 0x01, "Session Setup" },
8337 { 0x02, "Session Logoff" },
8338 { 0x03, "Tree Connect" },
8339 { 0x04, "Tree Disconnect" },
8348 { 0x0D, "KeepAlive" },
8351 { 0x10, "GetInfo" },
8352 { 0x11, "SetInfo" },
8354 { 0x13, "unknown-0x13" },
8355 { 0x14, "unknown-0x14" },
8356 { 0x15, "unknown-0x15" },
8357 { 0x16, "unknown-0x16" },
8358 { 0x17, "unknown-0x17" },
8359 { 0x18, "unknown-0x18" },
8360 { 0x19, "unknown-0x19" },
8361 { 0x1A, "unknown-0x1A" },
8362 { 0x1B, "unknown-0x1B" },
8363 { 0x1C, "unknown-0x1C" },
8364 { 0x1D, "unknown-0x1D" },
8365 { 0x1E, "unknown-0x1E" },
8366 { 0x1F, "unknown-0x1F" },
8367 { 0x20, "unknown-0x20" },
8368 { 0x21, "unknown-0x21" },
8369 { 0x22, "unknown-0x22" },
8370 { 0x23, "unknown-0x23" },
8371 { 0x24, "unknown-0x24" },
8372 { 0x25, "unknown-0x25" },
8373 { 0x26, "unknown-0x26" },
8374 { 0x27, "unknown-0x27" },
8375 { 0x28, "unknown-0x28" },
8376 { 0x29, "unknown-0x29" },
8377 { 0x2A, "unknown-0x2A" },
8378 { 0x2B, "unknown-0x2B" },
8379 { 0x2C, "unknown-0x2C" },
8380 { 0x2D, "unknown-0x2D" },
8381 { 0x2E, "unknown-0x2E" },
8382 { 0x2F, "unknown-0x2F" },
8383 { 0x30, "unknown-0x30" },
8384 { 0x31, "unknown-0x31" },
8385 { 0x32, "unknown-0x32" },
8386 { 0x33, "unknown-0x33" },
8387 { 0x34, "unknown-0x34" },
8388 { 0x35, "unknown-0x35" },
8389 { 0x36, "unknown-0x36" },
8390 { 0x37, "unknown-0x37" },
8391 { 0x38, "unknown-0x38" },
8392 { 0x39, "unknown-0x39" },
8393 { 0x3A, "unknown-0x3A" },
8394 { 0x3B, "unknown-0x3B" },
8395 { 0x3C, "unknown-0x3C" },
8396 { 0x3D, "unknown-0x3D" },
8397 { 0x3E, "unknown-0x3E" },
8398 { 0x3F, "unknown-0x3F" },
8399 { 0x40, "unknown-0x40" },
8400 { 0x41, "unknown-0x41" },
8401 { 0x42, "unknown-0x42" },
8402 { 0x43, "unknown-0x43" },
8403 { 0x44, "unknown-0x44" },
8404 { 0x45, "unknown-0x45" },
8405 { 0x46, "unknown-0x46" },
8406 { 0x47, "unknown-0x47" },
8407 { 0x48, "unknown-0x48" },
8408 { 0x49, "unknown-0x49" },
8409 { 0x4A, "unknown-0x4A" },
8410 { 0x4B, "unknown-0x4B" },
8411 { 0x4C, "unknown-0x4C" },
8412 { 0x4D, "unknown-0x4D" },
8413 { 0x4E, "unknown-0x4E" },
8414 { 0x4F, "unknown-0x4F" },
8415 { 0x50, "unknown-0x50" },
8416 { 0x51, "unknown-0x51" },
8417 { 0x52, "unknown-0x52" },
8418 { 0x53, "unknown-0x53" },
8419 { 0x54, "unknown-0x54" },
8420 { 0x55, "unknown-0x55" },
8421 { 0x56, "unknown-0x56" },
8422 { 0x57, "unknown-0x57" },
8423 { 0x58, "unknown-0x58" },
8424 { 0x59, "unknown-0x59" },
8425 { 0x5A, "unknown-0x5A" },
8426 { 0x5B, "unknown-0x5B" },
8427 { 0x5C, "unknown-0x5C" },
8428 { 0x5D, "unknown-0x5D" },
8429 { 0x5E, "unknown-0x5E" },
8430 { 0x5F, "unknown-0x5F" },
8431 { 0x60, "unknown-0x60" },
8432 { 0x61, "unknown-0x61" },
8433 { 0x62, "unknown-0x62" },
8434 { 0x63, "unknown-0x63" },
8435 { 0x64, "unknown-0x64" },
8436 { 0x65, "unknown-0x65" },
8437 { 0x66, "unknown-0x66" },
8438 { 0x67, "unknown-0x67" },
8439 { 0x68, "unknown-0x68" },
8440 { 0x69, "unknown-0x69" },
8441 { 0x6A, "unknown-0x6A" },
8442 { 0x6B, "unknown-0x6B" },
8443 { 0x6C, "unknown-0x6C" },
8444 { 0x6D, "unknown-0x6D" },
8445 { 0x6E, "unknown-0x6E" },
8446 { 0x6F, "unknown-0x6F" },
8447 { 0x70, "unknown-0x70" },
8448 { 0x71, "unknown-0x71" },
8449 { 0x72, "unknown-0x72" },
8450 { 0x73, "unknown-0x73" },
8451 { 0x74, "unknown-0x74" },
8452 { 0x75, "unknown-0x75" },
8453 { 0x76, "unknown-0x76" },
8454 { 0x77, "unknown-0x77" },
8455 { 0x78, "unknown-0x78" },
8456 { 0x79, "unknown-0x79" },
8457 { 0x7A, "unknown-0x7A" },
8458 { 0x7B, "unknown-0x7B" },
8459 { 0x7C, "unknown-0x7C" },
8460 { 0x7D, "unknown-0x7D" },
8461 { 0x7E, "unknown-0x7E" },
8462 { 0x7F, "unknown-0x7F" },
8463 { 0x80, "unknown-0x80" },
8464 { 0x81, "unknown-0x81" },
8465 { 0x82, "unknown-0x82" },
8466 { 0x83, "unknown-0x83" },
8467 { 0x84, "unknown-0x84" },
8468 { 0x85, "unknown-0x85" },
8469 { 0x86, "unknown-0x86" },
8470 { 0x87, "unknown-0x87" },
8471 { 0x88, "unknown-0x88" },
8472 { 0x89, "unknown-0x89" },
8473 { 0x8A, "unknown-0x8A" },
8474 { 0x8B, "unknown-0x8B" },
8475 { 0x8C, "unknown-0x8C" },
8476 { 0x8D, "unknown-0x8D" },
8477 { 0x8E, "unknown-0x8E" },
8478 { 0x8F, "unknown-0x8F" },
8479 { 0x90, "unknown-0x90" },
8480 { 0x91, "unknown-0x91" },
8481 { 0x92, "unknown-0x92" },
8482 { 0x93, "unknown-0x93" },
8483 { 0x94, "unknown-0x94" },
8484 { 0x95, "unknown-0x95" },
8485 { 0x96, "unknown-0x96" },
8486 { 0x97, "unknown-0x97" },
8487 { 0x98, "unknown-0x98" },
8488 { 0x99, "unknown-0x99" },
8489 { 0x9A, "unknown-0x9A" },
8490 { 0x9B, "unknown-0x9B" },
8491 { 0x9C, "unknown-0x9C" },
8492 { 0x9D, "unknown-0x9D" },
8493 { 0x9E, "unknown-0x9E" },
8494 { 0x9F, "unknown-0x9F" },
8495 { 0xA0, "unknown-0xA0" },
8496 { 0xA1, "unknown-0xA1" },
8497 { 0xA2, "unknown-0xA2" },
8498 { 0xA3, "unknown-0xA3" },
8499 { 0xA4, "unknown-0xA4" },
8500 { 0xA5, "unknown-0xA5" },
8501 { 0xA6, "unknown-0xA6" },
8502 { 0xA7, "unknown-0xA7" },
8503 { 0xA8, "unknown-0xA8" },
8504 { 0xA9, "unknown-0xA9" },
8505 { 0xAA, "unknown-0xAA" },
8506 { 0xAB, "unknown-0xAB" },
8507 { 0xAC, "unknown-0xAC" },
8508 { 0xAD, "unknown-0xAD" },
8509 { 0xAE, "unknown-0xAE" },
8510 { 0xAF, "unknown-0xAF" },
8511 { 0xB0, "unknown-0xB0" },
8512 { 0xB1, "unknown-0xB1" },
8513 { 0xB2, "unknown-0xB2" },
8514 { 0xB3, "unknown-0xB3" },
8515 { 0xB4, "unknown-0xB4" },
8516 { 0xB5, "unknown-0xB5" },
8517 { 0xB6, "unknown-0xB6" },
8518 { 0xB7, "unknown-0xB7" },
8519 { 0xB8, "unknown-0xB8" },
8520 { 0xB9, "unknown-0xB9" },
8521 { 0xBA, "unknown-0xBA" },
8522 { 0xBB, "unknown-0xBB" },
8523 { 0xBC, "unknown-0xBC" },
8524 { 0xBD, "unknown-0xBD" },
8525 { 0xBE, "unknown-0xBE" },
8526 { 0xBF, "unknown-0xBF" },
8527 { 0xC0, "unknown-0xC0" },
8528 { 0xC1, "unknown-0xC1" },
8529 { 0xC2, "unknown-0xC2" },
8530 { 0xC3, "unknown-0xC3" },
8531 { 0xC4, "unknown-0xC4" },
8532 { 0xC5, "unknown-0xC5" },
8533 { 0xC6, "unknown-0xC6" },
8534 { 0xC7, "unknown-0xC7" },
8535 { 0xC8, "unknown-0xC8" },
8536 { 0xC9, "unknown-0xC9" },
8537 { 0xCA, "unknown-0xCA" },
8538 { 0xCB, "unknown-0xCB" },
8539 { 0xCC, "unknown-0xCC" },
8540 { 0xCD, "unknown-0xCD" },
8541 { 0xCE, "unknown-0xCE" },
8542 { 0xCF, "unknown-0xCF" },
8543 { 0xD0, "unknown-0xD0" },
8544 { 0xD1, "unknown-0xD1" },
8545 { 0xD2, "unknown-0xD2" },
8546 { 0xD3, "unknown-0xD3" },
8547 { 0xD4, "unknown-0xD4" },
8548 { 0xD5, "unknown-0xD5" },
8549 { 0xD6, "unknown-0xD6" },
8550 { 0xD7, "unknown-0xD7" },
8551 { 0xD8, "unknown-0xD8" },
8552 { 0xD9, "unknown-0xD9" },
8553 { 0xDA, "unknown-0xDA" },
8554 { 0xDB, "unknown-0xDB" },
8555 { 0xDC, "unknown-0xDC" },
8556 { 0xDD, "unknown-0xDD" },
8557 { 0xDE, "unknown-0xDE" },
8558 { 0xDF, "unknown-0xDF" },
8559 { 0xE0, "unknown-0xE0" },
8560 { 0xE1, "unknown-0xE1" },
8561 { 0xE2, "unknown-0xE2" },
8562 { 0xE3, "unknown-0xE3" },
8563 { 0xE4, "unknown-0xE4" },
8564 { 0xE5, "unknown-0xE5" },
8565 { 0xE6, "unknown-0xE6" },
8566 { 0xE7, "unknown-0xE7" },
8567 { 0xE8, "unknown-0xE8" },
8568 { 0xE9, "unknown-0xE9" },
8569 { 0xEA, "unknown-0xEA" },
8570 { 0xEB, "unknown-0xEB" },
8571 { 0xEC, "unknown-0xEC" },
8572 { 0xED, "unknown-0xED" },
8573 { 0xEE, "unknown-0xEE" },
8574 { 0xEF, "unknown-0xEF" },
8575 { 0xF0, "unknown-0xF0" },
8576 { 0xF1, "unknown-0xF1" },
8577 { 0xF2, "unknown-0xF2" },
8578 { 0xF3, "unknown-0xF3" },
8579 { 0xF4, "unknown-0xF4" },
8580 { 0xF5, "unknown-0xF5" },
8581 { 0xF6, "unknown-0xF6" },
8582 { 0xF7, "unknown-0xF7" },
8583 { 0xF8, "unknown-0xF8" },
8584 { 0xF9, "unknown-0xF9" },
8585 { 0xFA, "unknown-0xFA" },
8586 { 0xFB, "unknown-0xFB" },
8587 { 0xFC, "unknown-0xFC" },
8588 { 0xFD, "unknown-0xFD" },
8589 { 0xFE, "unknown-0xFE" },
8590 { 0xFF, "unknown-0xFF" },
/* Extended value_string built from smb2_cmd_vals. Declared without static,
 * so the symbol is visible outside this file. */
8593 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Return the display name for an SMB2 command code.
 *
 * Codes above 0xFF yield "unknown". Any other code indexes smb2_cmd_vals
 * directly, so the result is only correct, and the access only in bounds,
 * while that table holds one entry per code 0x00..0xFF in ascending order.
 *
 * NOTE(review): nothing visible here enforces that invariant; a compile-time
 * check on the table length would make it explicit.
 */
8595 static const char *decode_smb2_name(guint16 cmd)
8597 if (cmd > 0xFF) return "unknown";
8598 return(smb2_cmd_vals[cmd & 0xFF].strptr);
8601 static smb2_function smb2_dissector[256] = {
8602 /* 0x00 NegotiateProtocol*/
8603 {dissect_smb2_negotiate_protocol_request,
8604 dissect_smb2_negotiate_protocol_response},
8605 /* 0x01 SessionSetup*/
8606 {dissect_smb2_session_setup_request,
8607 dissect_smb2_session_setup_response},
8608 /* 0x02 SessionLogoff*/
8609 {dissect_smb2_sessionlogoff_request,
8610 dissect_smb2_sessionlogoff_response},
8611 /* 0x03 TreeConnect*/
8612 {dissect_smb2_tree_connect_request,
8613 dissect_smb2_tree_connect_response},
8614 /* 0x04 TreeDisconnect*/
8615 {dissect_smb2_tree_disconnect_request,
8616 dissect_smb2_tree_disconnect_response},
8618 {dissect_smb2_create_request,
8619 dissect_smb2_create_response},
8621 {dissect_smb2_close_request,
8622 dissect_smb2_close_response},
8624 {dissect_smb2_flush_request,
8625 dissect_smb2_flush_response},
8627 {dissect_smb2_read_request,
8628 dissect_smb2_read_response},
8630 {dissect_smb2_write_request,
8631 dissect_smb2_write_response},
8633 {dissect_smb2_lock_request,
8634 dissect_smb2_lock_response},
8636 {dissect_smb2_ioctl_request,
8637 dissect_smb2_ioctl_response},
8639 {dissect_smb2_cancel_request,
8642 {dissect_smb2_keepalive_request,
8643 dissect_smb2_keepalive_response},
8645 {dissect_smb2_find_request,
8646 dissect_smb2_find_response},
8648 {dissect_smb2_notify_request,
8649 dissect_smb2_notify_response},
8651 {dissect_smb2_getinfo_request,
8652 dissect_smb2_getinfo_response},
8654 {dissect_smb2_setinfo_request,
8655 dissect_smb2_setinfo_response},
8657 {dissect_smb2_break_request,
8658 dissect_smb2_break_response},
8659 /* 0x13 */ {NULL, NULL},
8660 /* 0x14 */ {NULL, NULL},
8661 /* 0x15 */ {NULL, NULL},
8662 /* 0x16 */ {NULL, NULL},
8663 /* 0x17 */ {NULL, NULL},
8664 /* 0x18 */ {NULL, NULL},
8665 /* 0x19 */ {NULL, NULL},
8666 /* 0x1a */ {NULL, NULL},
8667 /* 0x1b */ {NULL, NULL},
8668 /* 0x1c */ {NULL, NULL},
8669 /* 0x1d */ {NULL, NULL},
8670 /* 0x1e */ {NULL, NULL},
8671 /* 0x1f */ {NULL, NULL},
8672 /* 0x20 */ {NULL, NULL},
8673 /* 0x21 */ {NULL, NULL},
8674 /* 0x22 */ {NULL, NULL},
8675 /* 0x23 */ {NULL, NULL},
8676 /* 0x24 */ {NULL, NULL},
8677 /* 0x25 */ {NULL, NULL},
8678 /* 0x26 */ {NULL, NULL},
8679 /* 0x27 */ {NULL, NULL},
8680 /* 0x28 */ {NULL, NULL},
8681 /* 0x29 */ {NULL, NULL},
8682 /* 0x2a */ {NULL, NULL},
8683 /* 0x2b */ {NULL, NULL},
8684 /* 0x2c */ {NULL, NULL},
8685 /* 0x2d */ {NULL, NULL},
8686 /* 0x2e */ {NULL, NULL},
8687 /* 0x2f */ {NULL, NULL},
8688 /* 0x30 */ {NULL, NULL},
8689 /* 0x31 */ {NULL, NULL},
8690 /* 0x32 */ {NULL, NULL},
8691 /* 0x33 */ {NULL, NULL},
8692 /* 0x34 */ {NULL, NULL},
8693 /* 0x35 */ {NULL, NULL},
8694 /* 0x36 */ {NULL, NULL},
8695 /* 0x37 */ {NULL, NULL},
8696 /* 0x38 */ {NULL, NULL},
8697 /* 0x39 */ {NULL, NULL},
8698 /* 0x3a */ {NULL, NULL},
8699 /* 0x3b */ {NULL, NULL},
8700 /* 0x3c */ {NULL, NULL},
8701 /* 0x3d */ {NULL, NULL},
8702 /* 0x3e */ {NULL, NULL},
8703 /* 0x3f */ {NULL, NULL},
8704 /* 0x40 */ {NULL, NULL},
8705 /* 0x41 */ {NULL, NULL},
8706 /* 0x42 */ {NULL, NULL},
8707 /* 0x43 */ {NULL, NULL},
8708 /* 0x44 */ {NULL, NULL},
8709 /* 0x45 */ {NULL, NULL},
8710 /* 0x46 */ {NULL, NULL},
8711 /* 0x47 */ {NULL, NULL},
8712 /* 0x48 */ {NULL, NULL},
8713 /* 0x49 */ {NULL, NULL},
8714 /* 0x4a */ {NULL, NULL},
8715 /* 0x4b */ {NULL, NULL},
8716 /* 0x4c */ {NULL, NULL},
8717 /* 0x4d */ {NULL, NULL},
8718 /* 0x4e */ {NULL, NULL},
8719 /* 0x4f */ {NULL, NULL},
8720 /* 0x50 */ {NULL, NULL},
8721 /* 0x51 */ {NULL, NULL},
8722 /* 0x52 */ {NULL, NULL},
8723 /* 0x53 */ {NULL, NULL},
8724 /* 0x54 */ {NULL, NULL},
8725 /* 0x55 */ {NULL, NULL},
8726 /* 0x56 */ {NULL, NULL},
8727 /* 0x57 */ {NULL, NULL},
8728 /* 0x58 */ {NULL, NULL},
8729 /* 0x59 */ {NULL, NULL},
8730 /* 0x5a */ {NULL, NULL},
8731 /* 0x5b */ {NULL, NULL},
8732 /* 0x5c */ {NULL, NULL},
8733 /* 0x5d */ {NULL, NULL},
8734 /* 0x5e */ {NULL, NULL},
8735 /* 0x5f */ {NULL, NULL},
8736 /* 0x60 */ {NULL, NULL},
8737 /* 0x61 */ {NULL, NULL},
8738 /* 0x62 */ {NULL, NULL},
8739 /* 0x63 */ {NULL, NULL},
8740 /* 0x64 */ {NULL, NULL},
8741 /* 0x65 */ {NULL, NULL},
8742 /* 0x66 */ {NULL, NULL},
8743 /* 0x67 */ {NULL, NULL},
8744 /* 0x68 */ {NULL, NULL},
8745 /* 0x69 */ {NULL, NULL},
8746 /* 0x6a */ {NULL, NULL},
8747 /* 0x6b */ {NULL, NULL},
8748 /* 0x6c */ {NULL, NULL},
8749 /* 0x6d */ {NULL, NULL},
8750 /* 0x6e */ {NULL, NULL},
8751 /* 0x6f */ {NULL, NULL},
8752 /* 0x70 */ {NULL, NULL},
8753 /* 0x71 */ {NULL, NULL},
8754 /* 0x72 */ {NULL, NULL},
8755 /* 0x73 */ {NULL, NULL},
8756 /* 0x74 */ {NULL, NULL},
8757 /* 0x75 */ {NULL, NULL},
8758 /* 0x76 */ {NULL, NULL},
8759 /* 0x77 */ {NULL, NULL},
8760 /* 0x78 */ {NULL, NULL},
8761 /* 0x79 */ {NULL, NULL},
8762 /* 0x7a */ {NULL, NULL},
8763 /* 0x7b */ {NULL, NULL},
8764 /* 0x7c */ {NULL, NULL},
8765 /* 0x7d */ {NULL, NULL},
8766 /* 0x7e */ {NULL, NULL},
8767 /* 0x7f */ {NULL, NULL},
8768 /* 0x80 */ {NULL, NULL},
8769 /* 0x81 */ {NULL, NULL},
8770 /* 0x82 */ {NULL, NULL},
8771 /* 0x83 */ {NULL, NULL},
8772 /* 0x84 */ {NULL, NULL},
8773 /* 0x85 */ {NULL, NULL},
8774 /* 0x86 */ {NULL, NULL},
8775 /* 0x87 */ {NULL, NULL},
8776 /* 0x88 */ {NULL, NULL},
8777 /* 0x89 */ {NULL, NULL},
8778 /* 0x8a */ {NULL, NULL},
8779 /* 0x8b */ {NULL, NULL},
8780 /* 0x8c */ {NULL, NULL},
8781 /* 0x8d */ {NULL, NULL},
8782 /* 0x8e */ {NULL, NULL},
8783 /* 0x8f */ {NULL, NULL},
8784 /* 0x90 */ {NULL, NULL},
8785 /* 0x91 */ {NULL, NULL},
8786 /* 0x92 */ {NULL, NULL},
8787 /* 0x93 */ {NULL, NULL},
8788 /* 0x94 */ {NULL, NULL},
8789 /* 0x95 */ {NULL, NULL},
8790 /* 0x96 */ {NULL, NULL},
8791 /* 0x97 */ {NULL, NULL},
8792 /* 0x98 */ {NULL, NULL},
8793 /* 0x99 */ {NULL, NULL},
8794 /* 0x9a */ {NULL, NULL},
8795 /* 0x9b */ {NULL, NULL},
8796 /* 0x9c */ {NULL, NULL},
8797 /* 0x9d */ {NULL, NULL},
8798 /* 0x9e */ {NULL, NULL},
8799 /* 0x9f */ {NULL, NULL},
8800 /* 0xa0 */ {NULL, NULL},
8801 /* 0xa1 */ {NULL, NULL},
8802 /* 0xa2 */ {NULL, NULL},
8803 /* 0xa3 */ {NULL, NULL},
8804 /* 0xa4 */ {NULL, NULL},
8805 /* 0xa5 */ {NULL, NULL},
8806 /* 0xa6 */ {NULL, NULL},
8807 /* 0xa7 */ {NULL, NULL},
8808 /* 0xa8 */ {NULL, NULL},
8809 /* 0xa9 */ {NULL, NULL},
8810 /* 0xaa */ {NULL, NULL},
8811 /* 0xab */ {NULL, NULL},
8812 /* 0xac */ {NULL, NULL},
8813 /* 0xad */ {NULL, NULL},
8814 /* 0xae */ {NULL, NULL},
8815 /* 0xaf */ {NULL, NULL},
8816 /* 0xb0 */ {NULL, NULL},
8817 /* 0xb1 */ {NULL, NULL},
8818 /* 0xb2 */ {NULL, NULL},
8819 /* 0xb3 */ {NULL, NULL},
8820 /* 0xb4 */ {NULL, NULL},
8821 /* 0xb5 */ {NULL, NULL},
8822 /* 0xb6 */ {NULL, NULL},
8823 /* 0xb7 */ {NULL, NULL},
8824 /* 0xb8 */ {NULL, NULL},
8825 /* 0xb9 */ {NULL, NULL},
8826 /* 0xba */ {NULL, NULL},
8827 /* 0xbb */ {NULL, NULL},
8828 /* 0xbc */ {NULL, NULL},
8829 /* 0xbd */ {NULL, NULL},
8830 /* 0xbe */ {NULL, NULL},
8831 /* 0xbf */ {NULL, NULL},
8832 /* 0xc0 */ {NULL, NULL},
8833 /* 0xc1 */ {NULL, NULL},
8834 /* 0xc2 */ {NULL, NULL},
8835 /* 0xc3 */ {NULL, NULL},
8836 /* 0xc4 */ {NULL, NULL},
8837 /* 0xc5 */ {NULL, NULL},
8838 /* 0xc6 */ {NULL, NULL},
8839 /* 0xc7 */ {NULL, NULL},
8840 /* 0xc8 */ {NULL, NULL},
8841 /* 0xc9 */ {NULL, NULL},
8842 /* 0xca */ {NULL, NULL},
8843 /* 0xcb */ {NULL, NULL},
8844 /* 0xcc */ {NULL, NULL},
8845 /* 0xcd */ {NULL, NULL},
8846 /* 0xce */ {NULL, NULL},
8847 /* 0xcf */ {NULL, NULL},
8848 /* 0xd0 */ {NULL, NULL},
8849 /* 0xd1 */ {NULL, NULL},
8850 /* 0xd2 */ {NULL, NULL},
8851 /* 0xd3 */ {NULL, NULL},
8852 /* 0xd4 */ {NULL, NULL},
8853 /* 0xd5 */ {NULL, NULL},
8854 /* 0xd6 */ {NULL, NULL},
8855 /* 0xd7 */ {NULL, NULL},
8856 /* 0xd8 */ {NULL, NULL},
8857 /* 0xd9 */ {NULL, NULL},
8858 /* 0xda */ {NULL, NULL},
8859 /* 0xdb */ {NULL, NULL},
8860 /* 0xdc */ {NULL, NULL},
8861 /* 0xdd */ {NULL, NULL},
8862 /* 0xde */ {NULL, NULL},
8863 /* 0xdf */ {NULL, NULL},
8864 /* 0xe0 */ {NULL, NULL},
8865 /* 0xe1 */ {NULL, NULL},
8866 /* 0xe2 */ {NULL, NULL},
8867 /* 0xe3 */ {NULL, NULL},
8868 /* 0xe4 */ {NULL, NULL},
8869 /* 0xe5 */ {NULL, NULL},
8870 /* 0xe6 */ {NULL, NULL},
8871 /* 0xe7 */ {NULL, NULL},
8872 /* 0xe8 */ {NULL, NULL},
8873 /* 0xe9 */ {NULL, NULL},
8874 /* 0xea */ {NULL, NULL},
8875 /* 0xeb */ {NULL, NULL},
8876 /* 0xec */ {NULL, NULL},
8877 /* 0xed */ {NULL, NULL},
8878 /* 0xee */ {NULL, NULL},
8879 /* 0xef */ {NULL, NULL},
8880 /* 0xf0 */ {NULL, NULL},
8881 /* 0xf1 */ {NULL, NULL},
8882 /* 0xf2 */ {NULL, NULL},
8883 /* 0xf3 */ {NULL, NULL},
8884 /* 0xf4 */ {NULL, NULL},
8885 /* 0xf5 */ {NULL, NULL},
8886 /* 0xf6 */ {NULL, NULL},
8887 /* 0xf7 */ {NULL, NULL},
8888 /* 0xf8 */ {NULL, NULL},
8889 /* 0xf9 */ {NULL, NULL},
8890 /* 0xfa */ {NULL, NULL},
8891 /* 0xfb */ {NULL, NULL},
8892 /* 0xfc */ {NULL, NULL},
8893 /* 0xfd */ {NULL, NULL},
8894 /* 0xfe */ {NULL, NULL},
8895 /* 0xff */ {NULL, NULL},
/* Algorithm value from the SMB2 transform header for which decryption is
 * attempted; dissect_smb2_transform_header() compares sti->alg against it. */
8899 #define ENC_ALG_aes128_ccm 0x0001
/*
 * Dissect an SMB2 transform header and, when a usable key is known for the
 * session, decrypt the payload that follows it.
 *
 * Fields are added to `tree` in this order: signature (16 bytes), nonce (16),
 * message size (4, little-endian), reserved (2), encryption algorithm bitmask
 * (read as a 16-bit little-endian value) and session id (8). The nonce, size,
 * algorithm and session id are also stored in `sti`.
 *
 * Outputs: *enc_tvb is a subset of `tvb` covering sti->size bytes after the
 * header; *plain_tvb is set only when a decrypted copy was produced, and is
 * registered as the "Decrypted SMB3" data source.
 *
 * NOTE(review): this listing omits some source lines (see the gaps in the
 * gutter numbers), so the offset increments, the `zeros`, `item` and
 * `sesid_offset` declarations, the `done_decryption` label, closing braces
 * and the return statement are not shown here.
 */
8902 dissect_smb2_transform_header(packet_info *pinfo, proto_tree *tree,
8903 tvbuff_t *tvb, int offset,
8904 smb2_transform_info_t *sti,
8905 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
8907 proto_item *sesid_item = NULL;
8908 proto_tree *sesid_tree = NULL;
8909 smb2_sesid_info_t sesid_key;
8911 guint8 *plain_data = NULL;
8912 guint8 *decryption_key = NULL;
8915 static const int *sf_fields[] = {
8916 &hf_smb2_encryption_aes128_ccm,
/* The 16-byte signature is only added to the tree. No line shown in this
 * function compares it with the payload, so a successful decryption below
 * does not mean the message was authenticated. */
8924 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
8928 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
/* Keep the nonce: its leading bytes seed the counter block A_1 below. */
8929 tvb_memcpy(tvb, sti->nonce, offset, 16);
8933 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Payload length as stated in the packet. This is untrusted capture data and
 * it drives every length argument further down. */
8934 sti->size = tvb_get_letohl(tvb, offset);
8938 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
8942 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_enc_alg, ett_smb2_transform_enc_alg, sf_fields, ENC_LITTLE_ENDIAN);
8943 sti->alg = tvb_get_letohs(tvb, offset);
8947 sesid_offset = offset;
8948 sti->sesid = tvb_get_letoh64(tvb, offset);
8949 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8950 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
8953 /* now we need to first lookup the uid session */
8954 sesid_key.sesid = sti->sesid;
8955 sti->session = (smb2_sesid_info_t *)g_hash_table_lookup(sti->conv->sesids, &sesid_key);
/* auth_frame == (guint32)-1 marks the placeholder session that
 * dissect_smb2_tid_sesid() creates; only sessions with a real auth frame get
 * the generated account/domain/host items. */
8957 if (sti->session != NULL && sti->session->auth_frame != (guint32)-1) {
8958 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, sti->session->acct_name);
8959 PROTO_ITEM_SET_GENERATED(item);
8960 proto_item_append_text(sesid_item, " Acct:%s", sti->session->acct_name);
8962 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, sti->session->domain_name);
8963 PROTO_ITEM_SET_GENERATED(item);
8964 proto_item_append_text(sesid_item, " Domain:%s", sti->session->domain_name);
8966 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, sti->session->host_name);
8967 PROTO_ITEM_SET_GENERATED(item);
8968 proto_item_append_text(sesid_item, " Host:%s", sti->session->host_name);
8970 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, sti->session->auth_frame);
8971 PROTO_ITEM_SET_GENERATED(item);
/* Pick the key by direction: a packet whose destination port is the session's
 * server port uses server_decryption_key, otherwise client_decryption_key
 * (the else line is not shown). An all-zero key is treated as "no key". */
8974 if (sti->session != NULL && sti->alg == ENC_ALG_aes128_ccm) {
8975 if (pinfo->destport == sti->session->server_port) {
8976 decryption_key = sti->session->server_decryption_key;
8978 decryption_key = sti->session->client_decryption_key;
8981 if (memcmp(decryption_key, zeros, NTLMSSP_KEY_LEN) == 0) {
8982 decryption_key = NULL;
8986 if (decryption_key != NULL) {
8987 gcry_cipher_hd_t cipher_hd = NULL;
/* Counter block: first byte 3, last byte 1, and bytes 1..11 overwritten with
 * the first 11 nonce bytes by the memcpy below. This looks like the CCM
 * counter block for the first payload block (4-byte counter starting at 1). */
8988 guint8 A_1[NTLMSSP_KEY_LEN] = {
8989 3, 0, 0, 0, 0, 0, 0, 0,
8990 0, 0, 0, 0, 0, 0, 0, 1
8993 memcpy(&A_1[1], sti->nonce, 15 - 4);
/* NOTE(review): the copy length is the packet-supplied sti->size; this relies
 * on tvb_memdup refusing a length beyond the available data - confirm. */
8995 plain_data = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, sti->size);
8997 /* Open the cipher. */
/* Plain CTR mode is used rather than a CCM mode, so only the keystream is
 * applied and no authentication tag is computed here. */
8998 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
/* NOTE(review): plain_data is tested against NULL after decryption, so every
 * failure path that frees it must also reset it; the lines that would do so
 * are not shown in this listing - confirm against the full file. */
8999 wmem_free(pinfo->pool, plain_data);
9001 goto done_decryption;
9004 /* Set the key and initial value. */
9005 if (gcry_cipher_setkey(cipher_hd, decryption_key, NTLMSSP_KEY_LEN)) {
9006 gcry_cipher_close(cipher_hd);
9007 wmem_free(pinfo->pool, plain_data);
9009 goto done_decryption;
9011 if (gcry_cipher_setctr(cipher_hd, A_1, NTLMSSP_KEY_LEN)) {
9012 gcry_cipher_close(cipher_hd);
9013 wmem_free(pinfo->pool, plain_data);
9015 goto done_decryption;
/* In-place transform of plain_data (input pointer NULL, length 0). CTR
 * encryption and decryption are the same operation. */
9018 if (gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0)) {
9019 gcry_cipher_close(cipher_hd);
9020 wmem_free(pinfo->pool, plain_data);
9022 goto done_decryption;
9025 /* Done with the cipher. */
9026 gcry_cipher_close(cipher_hd);
/* This subset is created whether or not a key was available, so on the no-key
 * path it is the first use of sti->size as a length. */
9029 *enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);
9031 if (plain_data != NULL) {
9032 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
9033 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
/* Advance past the encrypted payload. */
9036 offset += sti->size;
/*
 * Add a "<command name> Request|Response (0x..)" subtree and pass the payload
 * to the request or response dissector registered for the opcode.
 *
 * The dissector is taken from smb2_dissector[] using only the low 8 bits of
 * si->opcode. When the selected slot is NULL, the rest of the buffer is shown
 * as hf_smb2_unknown and offset moves to the end of the captured data.
 *
 * NOTE(review): this listing omits some source lines (gaps in the gutter
 * numbers): the last format argument, the else line, the closing braces and
 * the return statement are not shown.
 */
9041 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
9043 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
9044 proto_item *cmd_item;
9045 proto_tree *cmd_tree;
9046 int old_offset = offset;
9048 cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
9049 ett_smb2_command, &cmd_item, "%s %s (0x%02x)",
9050 decode_smb2_name(si->opcode),
9051 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
/* si->opcode is filled from a 16-bit header field in dissect_smb2(). The
 * & 0xff keeps the table index in 0..0xff for any value on the wire.
 * NOTE(review): an opcode above 0xff is therefore dispatched as its low byte;
 * confirm that is the intended handling. */
9054 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
9055 smb2_dissector[si->opcode&0xff].response:
9056 smb2_dissector[si->opcode&0xff].request;
9057 if (cmd_dissector) {
9058 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
/* No handler for this opcode and direction: show the remainder as unknown. */
9060 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
9061 offset = tvb_captured_length(tvb);
/* Shrink the subtree item (created with length -1) to what was consumed. */
9064 proto_item_set_len(cmd_item, offset-old_offset);
/*
 * Dissect the async id or process id / tree id part of the SMB2 header, then
 * the session id, and attach what is already known about the session and tree.
 *
 * With SMB2_FLAGS_ASYNC_CMD set an 8-byte async id is shown; the 4-byte
 * process id and 4-byte tree id that follow it in this listing presumably
 * belong to the else branch, which is on lines not shown. The 8-byte session
 * id is then looked up in si->conv->sesids.
 *
 * For an unknown session id the code tests for opcode 0x03 (tree connect,
 * per the existing comment) and builds a placeholder session: file-scoped,
 * auth_frame set to (guint32)-1, its own tids hash table, server_port taken
 * from the source port of a response or the destination port of a request,
 * and session keys set when seskey_find_sid_key() reports a key for the id.
 * The placeholder is inserted into si->conv->sesids.
 *
 * For a session with a real auth frame, generated account/domain/host/auth
 * frame items are added. Unless the async flag is set, the tree id is looked
 * up in the session's tids table and, when found, generated tree name, share
 * type and connect frame items are added.
 *
 * NOTE(review): this listing omits some source lines (gaps in the gutter
 * numbers), including offset increments, braces, the `item`, `tid_offset`
 * and `sesid_offset` declarations and most return statements.
 * NOTE(review): the per-session tids table comes from g_hash_table_new(), not
 * from wmem; where it is released is not visible here.
 * NOTE(review): seskey holds key material in a stack buffer and no line shown
 * here clears it before returning.
 */
9070 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
9072 proto_item *tid_item = NULL;
9073 proto_tree *tid_tree = NULL;
9074 smb2_tid_info_t tid_key;
9076 proto_item *sesid_item = NULL;
9077 proto_tree *sesid_tree = NULL;
9078 smb2_sesid_info_t sesid_key;
9083 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
9084 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9088 proto_tree_add_item(tree, hf_smb2_pid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Remember where the tree id sits so generated items can point back at it. */
9092 tid_offset = offset;
9093 si->tid = tvb_get_letohl(tvb, offset);
9094 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9095 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
9100 sesid_offset = offset;
9101 si->sesid = tvb_get_letoh64(tvb, offset);
9102 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9103 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
9106 /* now we need to first lookup the uid session */
9107 sesid_key.sesid = si->sesid;
9108 si->session = (smb2_sesid_info_t *)g_hash_table_lookup(si->conv->sesids, &sesid_key);
/* Unknown-session handling starts here; the guarding condition and the
 * statement controlled by the opcode test are on lines not shown. */
9110 guint8 seskey[NTLMSSP_KEY_LEN] = {0, };
9112 if (si->opcode != 0x03)
9116 /* if we come to a session that is unknown, and the operation is
9117 * a tree connect, we create a dummy sessison, so we can hang the
9120 si->session = wmem_new0(wmem_file_scope(), smb2_sesid_info_t);
9121 si->session->sesid = si->sesid;
9122 si->session->auth_frame = (guint32)-1;
9123 si->session->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
9124 if (si->flags & SMB2_FLAGS_RESPONSE) {
9125 si->session->server_port = pinfo->srcport;
9127 si->session->server_port = pinfo->destport;
9129 if (seskey_find_sid_key(si->sesid, seskey)) {
9130 smb2_set_session_keys(si->session, seskey);
9133 g_hash_table_insert(si->conv->sesids, si->session, si->session);
9138 if (si->session->auth_frame != (guint32)-1) {
9139 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, si->session->acct_name);
9140 PROTO_ITEM_SET_GENERATED(item);
9141 proto_item_append_text(sesid_item, " Acct:%s", si->session->acct_name);
9143 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, si->session->domain_name);
9144 PROTO_ITEM_SET_GENERATED(item);
9145 proto_item_append_text(sesid_item, " Domain:%s", si->session->domain_name);
9147 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, si->session->host_name);
9148 PROTO_ITEM_SET_GENERATED(item);
9149 proto_item_append_text(sesid_item, " Host:%s", si->session->host_name);
9151 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, si->session->auth_frame);
9152 PROTO_ITEM_SET_GENERATED(item);
9155 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
9156 /* see if we can find the name for this tid */
9157 tid_key.tid = si->tid;
9158 si->tree = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
/* Tree id not seen before on this session: nothing more to annotate. */
9159 if (!si->tree) return offset;
9161 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
9162 PROTO_ITEM_SET_GENERATED(item);
9163 proto_item_append_text(tid_item, " %s", si->tree->name);
9165 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
9166 PROTO_ITEM_SET_GENERATED(item);
9168 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
9169 PROTO_ITEM_SET_GENERATED(item);
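/*
 * Dissect one SMB2 PDU: either a regular SMB2 header plus command payload, or
 * an SMB2 transform header plus encrypted payload. A first byte of 0xfd
 * selects the transform form.
 *
 * Steps visible in this listing:
 *  - allocate packet-scoped sti/si and attach (or create, in file scope) the
 *    per-conversation smb2_conv_info_t with its matched/unmatched/sesids/
 *    fids/files hash tables;
 *  - regular header: decode fields in wire order, reading the flags at
 *    offset+12 first because they decide how later fields are interpreted;
 *  - on the first pass over a frame, pair requests and responses by message
 *    id through the unmatched and matched tables; on later passes look the
 *    saved info up again;
 *  - queue the tap and dispatch the command payload;
 *  - transform header: dissect it, then either recurse into the decrypted
 *    buffer or show the payload as opaque encrypted data;
 *  - if a positive chain offset results, recurse into the rest of the
 *    buffer as the next PDU in the chain.
 *
 * first_in_chain controls whether the Info column is cleared or a ";"
 * separator is appended (the else line is not shown).
 *
 * Change in this revision: the chain offset item is now added with
 * ENC_LITTLE_ENDIAN. It was added with ENC_BIG_ENDIAN although the value used
 * for chaining is read with tvb_get_letohl() and every other header field is
 * little-endian, so the tree displayed a byte-swapped value.
 *
 * NOTE(review): dissect_smb2() re-enters itself for the decrypted payload and
 * for each chained PDU, driven by data from the capture. No explicit depth
 * limit is visible in this listing; nesting appears bounded only by the
 * buffer shrinking on each call - confirm.
 * NOTE(review): each request with a new message id adds a file-scoped
 * smb2_saved_info_t to the unmatched table, where it stays until a matching
 * response arrives; memory use therefore follows the capture contents.
 * NOTE(review): this listing omits some source lines (gaps in the gutter
 * numbers), including several declarations, conditions, braces, offset
 * increments and the return statement.
 */
9176 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
9178 gboolean smb2_transform_header = FALSE;
9179 proto_item *item = NULL;
9180 proto_tree *tree = NULL;
9181 proto_item *header_item = NULL;
9182 proto_tree *header_tree = NULL;
9184 int chain_offset = 0;
9185 const char *label = smb_header_label;
9186 conversation_t *conversation;
9187 smb2_saved_info_t *ssi = NULL, ssi_key;
9189 smb2_transform_info_t *sti;
9191 guint32 open_frame,close_frame;
9192 smb2_eo_file_info_t *eo_file_info;
9193 e_ctx_hnd *policy_hnd_hashtablekey;
/* Per-packet state. Note that sti is allocated with wmem_new (not zeroed)
 * while si is zero-initialised. */
9195 sti = wmem_new(wmem_packet_scope(), smb2_transform_info_t);
9196 si = wmem_new0(wmem_packet_scope(), smb2_info_t);
9197 si->top_tree = parent_tree;
/* 0xfd as first byte marks an SMB2 transform (encrypted) message. */
9199 if (tvb_get_guint8(tvb, 0) == 0xfd) {
9200 smb2_transform_header = TRUE;
9201 label = smb_transform_header_label;
9203 /* find which conversation we are part of and get the data for that
9206 conversation = find_or_create_conversation(pinfo);
9207 si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
9209 /* no smb2_into_t structure for this conversation yet,
9212 si->conv = wmem_new(wmem_file_scope(), smb2_conv_info_t);
9213 /* qqq this leaks memory for now since we never free
9215 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
9216 smb2_saved_info_equal_matched);
9217 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
9218 smb2_saved_info_equal_unmatched);
9219 si->conv->sesids = g_hash_table_new(smb2_sesid_info_hash,
9220 smb2_sesid_info_equal);
9221 si->conv->fids = g_hash_table_new(smb2_fid_info_hash,
9222 smb2_fid_info_equal);
9223 si->conv->files = g_hash_table_new(smb2_eo_files_hash,smb2_eo_files_equal);
9225 /* Bit of a hack to avoid leaking the hash tables - register a
9226 * callback to free them. Ideally wmem would implement a simple
9227 * hash table so we wouldn't have to do this. */
9228 wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
9231 conversation_add_proto_data(conversation, proto_smb2, si->conv);
/* The transform-header path looks sessions up through the same conversation. */
9234 sti->conv = si->conv;
9236 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
9237 if (first_in_chain) {
9239 col_clear(pinfo->cinfo, COL_INFO);
9241 col_append_str(pinfo->cinfo, COL_INFO, ";");
9244 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset, -1, ENC_NA);
9245 tree = proto_item_add_subtree(item, ett_smb2);
9247 header_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_header, &header_item, label);
9249 /* Decode the header */
9251 if (!smb2_transform_header) {
9253 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2, tvb, offset, 4, ENC_NA);
9256 /* we need the flags before we know how to parse the credits field */
9257 si->flags = tvb_get_letohl(tvb, offset+12);
9260 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9263 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
9264 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* Responses carry an NT status here; the channel sequence and reserved items
 * below presumably belong to the request branch (else line not shown). */
9268 if (si->flags & SMB2_FLAGS_RESPONSE) {
9269 si->status = tvb_get_letohl(tvb, offset);
9270 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9274 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9276 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* 16-bit opcode from the wire; dissect_smb2_command() masks it to 8 bits
 * before indexing the dissector table. */
9281 si->opcode = tvb_get_letohs(tvb, offset);
9282 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9286 if (si->flags & SMB2_FLAGS_RESPONSE) {
9287 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9289 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9295 static const int * flags[] = {
9296 &hf_smb2_flags_response,
9297 &hf_smb2_flags_async_cmd,
9298 &hf_smb2_flags_chained,
9299 &hf_smb2_flags_signature,
9300 &hf_smb2_flags_priority_mask,
9301 &hf_smb2_flags_dfs_op,
9302 &hf_smb2_flags_replay_operation,
9306 proto_tree_add_bitmask(header_tree, tvb, offset, hf_smb2_flags,
9307 ett_smb2_flags, flags, ENC_LITTLE_ENDIAN);
/* Chain offset: packet-supplied, stored in a signed int and only acted on
 * further down when it is > 0. Display it with the same little-endian byte
 * order that is used to read it, so the tree shows the value actually used. */
9313 chain_offset = tvb_get_letohl(tvb, offset);
9314 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The message id is the key for request/response matching below. */
9318 si->msg_id = tvb_get_letoh64(tvb, offset);
9319 ssi_key.msg_id = si->msg_id;
9320 proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9323 /* Tree ID and Session ID */
9324 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
/* The signature is displayed only; no verification is visible in this
 * function. */
9327 proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
9330 proto_item_set_len(header_item, offset);
9333 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
9334 decode_smb2_name(si->opcode),
9335 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
9338 pinfo->cinfo, COL_INFO, ", Error: %s",
9339 val_to_str_ext(si->status, &NT_errors_ext,
9340 "Unknown (0x%08X)"));
/* First pass over this frame: update the matching tables. The tables are not
 * modified in the branch used for already-visited frames below. */
9344 if (!pinfo->fd->flags.visited) {
9345 /* see if we can find this msg_id in the unmatched table */
9346 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
9348 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
9349 /* This is a request */
9351 /* this is a request and we already found
9352 * an older ssi so just delete the previous
9355 g_hash_table_remove(si->conv->unmatched, ssi);
9360 /* no we couldn't find it, so just add it then
9361 * if was a request we are decoding
9363 ssi = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
9364 ssi->msg_id = ssi_key.msg_id;
9365 ssi->frame_req = pinfo->num;
9366 ssi->req_time = pinfo->abs_ts;
9367 ssi->extra_info_type = SMB2_EI_NONE;
9368 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
9371 /* This is a response */
/* An async response with NT_STATUS_PENDING is interim, so it does not
 * complete the exchange. NOTE(review): the rest of this condition is on a
 * line not shown; the ssi dereference below needs ssi to be non-NULL. */
9372 if (!((si->flags & SMB2_FLAGS_ASYNC_CMD)
9373 && si->status == NT_STATUS_PENDING)
9375 /* just set the response frame and move it to the matched table */
9376 ssi->frame_res = pinfo->num;
9377 g_hash_table_remove(si->conv->unmatched, ssi);
9378 g_hash_table_insert(si->conv->matched, ssi, ssi);
9382 /* see if we can find this msg_id in the matched table */
9383 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
9384 /* if we couldn't find it in the matched table, it might still
9385 * be in the unmatched table
9388 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
9393 if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
9394 /* If needed, create the file entry and save the policy hnd */
9395 if (!si->eo_file_info) {
9397 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&ssi->policy_hnd);
9398 if (!eo_file_info) { /* XXX This should never happen */
9400 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
9401 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
9402 memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
9403 eo_file_info->end_of_file=0;
9404 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
9406 si->eo_file_info=eo_file_info;
/* Cross-reference items: requests point at the response frame, responses
 * point back at the request and show the elapsed time. */
9411 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
9412 if (ssi->frame_res) {
9413 proto_item *tmp_item;
9414 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
9415 PROTO_ITEM_SET_GENERATED(tmp_item);
9418 if (ssi->frame_req) {
9419 proto_item *tmp_item;
9422 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
9423 PROTO_ITEM_SET_GENERATED(tmp_item);
9425 nstime_delta(&deltat, &t, &ssi->req_time);
9426 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
9428 PROTO_ITEM_SET_GENERATED(tmp_item);
/* Keep the file reference consistent between the per-packet info and the
 * saved request/response info (else line not shown). */
9431 if (si->file != NULL) {
9432 ssi->file = si->file;
9434 si->file = ssi->file;
9437 /* if we don't have ssi yet we must fake it */
9441 tap_queue_packet(smb2_tap, pinfo, si);
9443 /* Decode the payload */
9444 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
/* From here on: transform-header path (the else line is not shown). */
9446 proto_tree *enc_tree;
9447 tvbuff_t *enc_tvb = NULL;
9448 tvbuff_t *plain_tvb = NULL;
9450 /* SMB2_TRANSFORM marker */
9451 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2_transform, tvb, offset, 4, ENC_NA);
9454 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
9455 &enc_tvb, &plain_tvb);
/* A non-NULL plain_tvb means a decrypted copy exists; it is dissected as a
 * nested SMB2 message. Otherwise the payload is shown as raw encrypted
 * bytes. The nested message is itself untrusted input. */
9457 enc_tree = proto_tree_add_subtree(tree, enc_tvb, 0, sti->size, ett_smb2_encrypted, NULL, "Encrypted SMB3 data");
9458 if (plain_tvb != NULL) {
9459 col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
9460 dissect_smb2(plain_tvb, pinfo, enc_tree, FALSE);
9462 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
9463 proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
9464 enc_tvb, 0, sti->size, ENC_NA);
/* Data left after the encrypted payload is treated as another PDU. */
9467 if (tvb_reported_length_remaining(tvb, offset) > 0) {
9468 chain_offset = offset;
/* Only a strictly positive offset continues the chain, so each nested call
 * works on a shorter buffer. */
9472 if (chain_offset > 0) {
9475 proto_item_set_len(item, chain_offset);
9477 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
9478 offset = dissect_smb2(next_tvb, pinfo, parent_tree, FALSE);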
/*
 * Heuristic entry point: hand the buffer to dissect_smb2() only when it looks
 * like SMB2.
 *
 * The checks shown require at least 4 captured bytes, a first byte of 0xfe
 * (regular header) or 0xfd (transform header), and then the characters
 * 'S', 'M', 'B'. A buffer that passes is dissected as the first PDU in a
 * chain.
 *
 * NOTE(review): this listing omits some source lines (gaps in the gutter
 * numbers); the return statements for the reject and accept paths are not
 * shown.
 */
9485 dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
9488 /* must check that this really is a smb2 packet */
/* Length check first, so the four byte reads below stay inside the capture. */
9489 if (tvb_captured_length(tvb) < 4)
9492 if (((tvb_get_guint8(tvb, 0) != 0xfe) && (tvb_get_guint8(tvb, 0) != 0xfd))
9493 || (tvb_get_guint8(tvb, 1) != 'S')
9494 || (tvb_get_guint8(tvb, 2) != 'M')
9495 || (tvb_get_guint8(tvb, 3) != 'B') ) {
9499 dissect_smb2(tvb, pinfo, parent_tree, TRUE);
9505 proto_register_smb2(void)
9507 module_t *smb2_module;
9508 static hf_register_info hf[] = {
9510 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
9511 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }
9514 { &hf_smb2_response_to,
9515 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
9516 NULL, 0, "This packet is a response to the packet in this frame", HFILL }
9519 { &hf_smb2_response_in,
9520 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
9521 NULL, 0, "The response to this packet is in this packet", HFILL }
9525 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
9526 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }
9529 { &hf_smb2_header_len,
9530 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
9531 NULL, 0, "SMB2 Size of Header", HFILL }
9534 { &hf_smb2_nt_status,
9535 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9536 &NT_errors_ext, 0, "NT Status code", HFILL }
9540 { "Message ID", "smb2.msg_id", FT_UINT64, BASE_DEC|BASE_VAL64_STRING|BASE_SPECIAL_VALS,
9541 VALS64(unique_unsolicited_response), 0, NULL, HFILL }
9545 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
9546 NULL, 0, NULL, HFILL }
9550 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
9551 NULL, 0, NULL, HFILL }
9555 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
9556 NULL, 0, NULL, HFILL }
9559 { &hf_smb2_previous_sesid,
9560 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
9561 NULL, 0, NULL, HFILL }
9564 { &hf_smb2_chain_offset,
9565 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
9566 NULL, 0, NULL, HFILL }
9569 { &hf_smb2_end_of_file,
9570 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
9571 NULL, 0, "SMB2 End Of File/File size", HFILL }
9575 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
9576 NULL, 0, "Number of links to this object", HFILL }
9580 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
9581 NULL, 0, NULL, HFILL }
9584 { &hf_smb2_allocation_size,
9585 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
9586 NULL, 0, NULL, HFILL }
9589 { &hf_smb2_max_response_size,
9590 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
9591 NULL, 0, NULL, HFILL }
9594 { &hf_smb2_getinfo_input_size,
9595 { "Getinfo Input Size", "smb2.getinfo_input_size", FT_UINT32, BASE_DEC,
9596 NULL, 0, NULL, HFILL }
9599 { &hf_smb2_getinfo_input_offset,
9600 { "Getinfo Input Offset", "smb2.getinfo_input_offset", FT_UINT16, BASE_HEX,
9601 NULL, 0, NULL, HFILL }
9604 { &hf_smb2_getinfo_additional,
9605 { "Additional Info", "smb2.getinfo_additional", FT_UINT32, BASE_HEX,
9606 NULL, 0, NULL, HFILL }
9609 { &hf_smb2_getinfo_flags,
9610 { "Flags", "smb2.getinfo_flags", FT_UINT32, BASE_HEX,
9611 NULL, 0, NULL, HFILL }
9614 { &hf_smb2_setinfo_size,
9615 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
9616 NULL, 0, NULL, HFILL }
9619 { &hf_smb2_setinfo_offset,
9620 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
9621 NULL, 0, NULL, HFILL }
9624 { &hf_smb2_max_ioctl_out_size,
9625 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
9626 NULL, 0, NULL, HFILL }
9629 { &hf_smb2_max_ioctl_in_size,
9630 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
9631 NULL, 0, NULL, HFILL }
9634 { &hf_smb2_required_buffer_size,
9635 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
9636 NULL, 0, NULL, HFILL }
9640 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
9641 NULL, 0, NULL, HFILL }
9645 /* SMB2 header flags */
9647 { "Flags", "smb2.flags", FT_UINT32, BASE_HEX,
9648 NULL, 0, "SMB2 flags", HFILL }
9651 { &hf_smb2_flags_response,
9652 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
9653 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }
9656 { &hf_smb2_flags_async_cmd,
9657 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
9658 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }
9661 { &hf_smb2_flags_dfs_op,
9662 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
9663 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }
9666 { &hf_smb2_flags_chained,
9667 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
9668 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }
9670 { &hf_smb2_flags_signature,
9671 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
9672 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }
9675 { &hf_smb2_flags_replay_operation,
9676 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
9677 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }
9680 { &hf_smb2_flags_priority_mask,
9681 { "Priority", "smb2.flags.priority_mask", FT_BOOLEAN, 32,
9682 TFS(&tfs_flags_priority_mask), SMB2_FLAGS_PRIORITY_MASK, "Priority Mask", HFILL }
9686 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
9687 NULL, 0, "Name of the Tree/Share", HFILL }
9690 { &hf_smb2_filename,
9691 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
9692 NULL, 0, NULL, HFILL }
9695 { &hf_smb2_filename_len,
9696 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
9697 NULL, 0, NULL, HFILL }
9700 { &hf_smb2_replace_if,
9701 { "Replace If", "smb2.rename.replace_if", FT_BOOLEAN, 8,
9702 TFS(&tfs_replace_if_exists), 0xFF, "Whether to replace if the target exists", HFILL }
9705 { &hf_smb2_data_offset,
9706 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
9707 NULL, 0, "Offset to data", HFILL }
9710 { &hf_smb2_find_info_level,
9711 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
9712 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }
9714 { &hf_smb2_find_flags,
9715 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
9716 NULL, 0, NULL, HFILL }
9719 { &hf_smb2_find_pattern,
9720 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
9721 NULL, 0, "Find pattern", HFILL }
9724 { &hf_smb2_find_info_blob,
9725 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
9726 NULL, 0, "Find Info", HFILL }
9730 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
9731 NULL, 0, "Size of EA data", HFILL }
9734 { &hf_smb2_position_information,
9735 { "Position Information", "smb2.position_info", FT_UINT64, BASE_DEC,
9736 NULL, 0, "Current file position", HFILL }
9739 { &hf_smb2_mode_information,
9740 { "Mode Information", "smb2.mode_info", FT_UINT32, BASE_HEX,
9741 NULL, 0, "File mode informatino", HFILL }
9744 { &hf_smb2_mode_file_write_through,
9745 { "FILE_WRITE_THROUGH", "smb2.mode.file_write_through", FT_UINT32, BASE_HEX,
9746 NULL, 0x02, NULL, HFILL }
9749 { &hf_smb2_mode_file_sequential_only,
9750 { "FILE_SEQUENTIAL_ONLY", "smb2.mode.file_sequential_only", FT_UINT32, BASE_HEX,
9751 NULL, 0x04, NULL, HFILL }
9754 { &hf_smb2_mode_file_no_intermediate_buffering,
9755 { "FILE_NO_INTERMEDIATE_BUFFERING", "smb2.mode.file_no_intermediate_buffering", FT_UINT32, BASE_HEX,
9756 NULL, 0x08, NULL, HFILL }
9759 { &hf_smb2_mode_file_synchronous_io_alert,
9760 { "FILE_SYNCHRONOUS_IO_ALERT", "smb2.mode.file_synchronous_io_alert", FT_UINT32, BASE_HEX,
9761 NULL, 0x10, NULL, HFILL }
9764 { &hf_smb2_mode_file_synchronous_io_nonalert,
9765 { "FILE_SYNCHRONOUS_IO_NONALERT", "smb2.mode.file_synchronous_io_nonalert", FT_UINT32, BASE_HEX,
9766 NULL, 0x20, NULL, HFILL }
9769 { &hf_smb2_mode_file_delete_on_close,
9770 { "FILE_DELETE_ON_CLOSE", "smb2.mode.file_delete_on_close", FT_UINT32, BASE_HEX,
9771 NULL, 0x1000, NULL, HFILL }
9774 { &hf_smb2_alignment_information,
9775 { "Alignment Information", "smb2.alignment_info", FT_UINT32, BASE_HEX,
9776 VALS(smb2_alignment_vals), 0, "File alignment", HFILL}
9780 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
9781 VALS(smb2_class_vals), 0, "Info class", HFILL }
9784 { &hf_smb2_infolevel,
9785 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
9786 NULL, 0, NULL, HFILL }
9789 { &hf_smb2_infolevel_file_info,
9790 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9791 &smb2_file_info_levels_ext, 0, "File_Info Infolevel", HFILL }
9794 { &hf_smb2_infolevel_fs_info,
9795 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9796 &smb2_fs_info_levels_ext, 0, "Fs_Info Infolevel", HFILL }
9799 { &hf_smb2_infolevel_sec_info,
9800 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9801 &smb2_sec_info_levels_ext, 0, "Sec_Info Infolevel", HFILL }
9804 { &hf_smb2_infolevel_posix_info,
9805 { "InfoLevel", "smb2.posix_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9806 &smb2_posix_info_levels_ext, 0, "Posix_Info Infolevel", HFILL }
9809 { &hf_smb2_write_length,
9810 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
9811 NULL, 0, "Amount of data to write", HFILL }
9814 { &hf_smb2_read_length,
9815 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
9816 NULL, 0, "Amount of data to read", HFILL }
9819 { &hf_smb2_read_remaining,
9820 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
9821 NULL, 0, NULL, HFILL }
9824 { &hf_smb2_create_flags,
9825 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
9826 NULL, 0, NULL, HFILL }
9829 { &hf_smb2_file_offset,
9830 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
9831 NULL, 0, NULL, HFILL }
9834 { &hf_smb2_fsctl_range_offset,
9835 { "File Offset", "smb2.fsctl.range_offset", FT_UINT64, BASE_DEC,
9836 NULL, 0, NULL, HFILL }
9839 { &hf_smb2_fsctl_range_length,
9840 { "Length", "smb2.fsctl.range_length", FT_UINT64, BASE_DEC,
9841 NULL, 0, NULL, HFILL }
9844 { &hf_smb2_qfr_length,
9845 { "Length", "smb2.qfr_length", FT_UINT64, BASE_DEC,
9846 NULL, 0, NULL, HFILL }
9849 { &hf_smb2_qfr_usage,
9850 { "Desired Usage", "smb2.qfr_usage", FT_UINT32, BASE_HEX,
9851 VALS(file_region_usage_vals), 0, NULL, HFILL }
9854 { &hf_smb2_qfr_flags,
9855 { "Flags", "smb2.qfr_flags", FT_UINT32, BASE_HEX,
9856 NULL, 0, NULL, HFILL }
9859 { &hf_smb2_qfr_total_region_entry_count,
9860 { "Total Region Entry Count", "smb2.qfr_tot_region_entry_count", FT_UINT32, BASE_HEX,
9861 NULL, 0, NULL, HFILL }
9864 { &hf_smb2_qfr_region_entry_count,
9865 { "Region Entry Count", "smb2.qfr_region_entry_count", FT_UINT32, BASE_HEX,
9866 NULL, 0, NULL, HFILL }
9869 { &hf_smb2_security_blob,
9870 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
9871 NULL, 0, NULL, HFILL }
9874 { &hf_smb2_ioctl_out_data,
9875 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
9876 NULL, 0, "Ioctl Out", HFILL }
9879 { &hf_smb2_ioctl_in_data,
9880 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
9881 NULL, 0, "Ioctl In", HFILL }
9884 { &hf_smb2_server_guid,
9885 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
9886 NULL, 0, NULL, HFILL }
9889 { &hf_smb2_client_guid,
9890 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
9891 NULL, 0, NULL, HFILL }
9894 { &hf_smb2_object_id,
9895 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
9896 NULL, 0, "ObjectID for this FID", HFILL }
9899 { &hf_smb2_birth_volume_id,
9900 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
9901 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }
9904 { &hf_smb2_birth_object_id,
9905 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
9906 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }
9909 { &hf_smb2_domain_id,
9910 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
9911 NULL, 0, NULL, HFILL }
9914 { &hf_smb2_create_timestamp,
9915 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9916 NULL, 0, "Time when this object was created", HFILL }
9920 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
9921 NULL, 0, "SMB2 File Id", HFILL }
9924 { &hf_smb2_write_data,
9925 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
9926 NULL, 0, "SMB2 Data to be written", HFILL }
9929 { &hf_smb2_write_flags,
9930 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
9931 NULL, 0, NULL, HFILL }
9934 { &hf_smb2_write_flags_write_through,
9935 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
9936 NULL, SMB2_WRITE_FLAG_WRITE_THROUGH, NULL, HFILL }
9939 { &hf_smb2_write_count,
9940 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
9941 NULL, 0, NULL, HFILL }
9944 { &hf_smb2_write_remaining,
9945 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
9946 NULL, 0, NULL, HFILL }
9949 { &hf_smb2_read_data,
9950 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
9951 NULL, 0, "SMB2 Data that is read", HFILL }
9954 { &hf_smb2_last_access_timestamp,
9955 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9956 NULL, 0, "Time when this object was last accessed", HFILL }
9959 { &hf_smb2_last_write_timestamp,
9960 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9961 NULL, 0, "Time when this object was last written to", HFILL }
9964 { &hf_smb2_last_change_timestamp,
9965 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9966 NULL, 0, "Time when this object was last changed", HFILL }
9969 { &hf_smb2_file_all_info,
9970 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
9971 NULL, 0, NULL, HFILL }
9974 { &hf_smb2_file_allocation_info,
9975 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
9976 NULL, 0, NULL, HFILL }
9979 { &hf_smb2_file_endoffile_info,
9980 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
9981 NULL, 0, NULL, HFILL }
9984 { &hf_smb2_file_alternate_name_info,
9985 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
9986 NULL, 0, NULL, HFILL }
9989 { &hf_smb2_file_stream_info,
9990 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
9991 NULL, 0, NULL, HFILL }
9994 { &hf_smb2_file_pipe_info,
9995 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
9996 NULL, 0, NULL, HFILL }
9999 { &hf_smb2_file_compression_info,
10000 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
10001 NULL, 0, NULL, HFILL }
10004 { &hf_smb2_file_basic_info,
10005 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
10006 NULL, 0, NULL, HFILL }
10009 { &hf_smb2_file_standard_info,
10010 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
10011 NULL, 0, NULL, HFILL }
10014 { &hf_smb2_file_internal_info,
10015 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
10016 NULL, 0, NULL, HFILL }
10019 { &hf_smb2_file_mode_info,
10020 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
10021 NULL, 0, NULL, HFILL }
10024 { &hf_smb2_file_alignment_info,
10025 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
10026 NULL, 0, NULL, HFILL }
10029 { &hf_smb2_file_position_info,
10030 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
10031 NULL, 0, NULL, HFILL }
10034 { &hf_smb2_file_access_info,
10035 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
10036 NULL, 0, NULL, HFILL }
10039 { &hf_smb2_file_ea_info,
10040 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
10041 NULL, 0, NULL, HFILL }
10044 { &hf_smb2_file_network_open_info,
10045 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
10046 NULL, 0, NULL, HFILL }
10049 { &hf_smb2_file_attribute_tag_info,
10050 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
10051 NULL, 0, NULL, HFILL }
10054 { &hf_smb2_file_disposition_info,
10055 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
10056 NULL, 0, NULL, HFILL }
10059 { &hf_smb2_file_full_ea_info,
10060 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
10061 NULL, 0, NULL, HFILL }
10064 { &hf_smb2_file_rename_info,
10065 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
10066 NULL, 0, NULL, HFILL }
10069 { &hf_smb2_fs_info_01,
10070 { "SMB2_FS_INFO_01", "smb2.fs_info_01", FT_NONE, BASE_NONE,
10071 NULL, 0, NULL, HFILL }
10074 { &hf_smb2_fs_info_03,
10075 { "SMB2_FS_INFO_03", "smb2.fs_info_03", FT_NONE, BASE_NONE,
10076 NULL, 0, NULL, HFILL }
10079 { &hf_smb2_fs_info_04,
10080 { "SMB2_FS_INFO_04", "smb2.fs_info_04", FT_NONE, BASE_NONE,
10081 NULL, 0, NULL, HFILL }
10084 { &hf_smb2_fs_info_05,
10085 { "SMB2_FS_INFO_05", "smb2.fs_info_05", FT_NONE, BASE_NONE,
10086 NULL, 0, NULL, HFILL }
10089 { &hf_smb2_fs_info_06,
10090 { "SMB2_FS_INFO_06", "smb2.fs_info_06", FT_NONE, BASE_NONE,
10091 NULL, 0, NULL, HFILL }
10094 { &hf_smb2_fs_info_07,
10095 { "SMB2_FS_INFO_07", "smb2.fs_info_07", FT_NONE, BASE_NONE,
10096 NULL, 0, NULL, HFILL }
10099 { &hf_smb2_fs_objectid_info,
10100 { "SMB2_FS_OBJECTID_INFO", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
10101 NULL, 0, NULL, HFILL }
10104 { &hf_smb2_sec_info_00,
10105 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
10106 NULL, 0, NULL, HFILL }
10109 { &hf_smb2_quota_info,
10110 { "SMB2_QUOTA_INFO", "smb2.quota_info", FT_NONE, BASE_NONE,
10111 NULL, 0, NULL, HFILL }
10114 { &hf_smb2_query_quota_info,
10115 { "SMB2_QUERY_QUOTA_INFO", "smb2.query_quota_info", FT_NONE, BASE_NONE,
10116 NULL, 0, NULL, HFILL }
10119 { &hf_smb2_qq_single,
10120 { "ReturnSingle", "smb2.query_quota_info.single", FT_BOOLEAN, 8,
10121 NULL, 0xff, NULL, HFILL }
10124 { &hf_smb2_qq_restart,
10125 { "RestartScan", "smb2.query_quota_info.restart", FT_BOOLEAN, 8,
10126 NULL, 0xff, NULL, HFILL }
10129 { &hf_smb2_qq_sidlist_len,
10130 { "SidListLength", "smb2.query_quota_info.sidlistlen", FT_UINT32, BASE_DEC,
10131 NULL, 0, NULL, HFILL }
10134 { &hf_smb2_qq_start_sid_len,
10135 { "StartSidLength", "smb2.query_quota_info.startsidlen", FT_UINT32, BASE_DEC,
10136 NULL, 0, NULL, HFILL }
10139 { &hf_smb2_qq_start_sid_offset,
10140 { "StartSidOffset", "smb2.query_quota_info.startsidoffset", FT_UINT32, BASE_DEC,
10141 NULL, 0, NULL, HFILL }
10144 { &hf_smb2_disposition_delete_on_close,
10145 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
10146 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }
10150 { &hf_smb2_create_disposition,
10151 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
10152 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }
10155 { &hf_smb2_create_action,
10156 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
10157 VALS(oa_open_vals), 0, NULL, HFILL }
10160 { &hf_smb2_create_rep_flags,
10161 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
10162 NULL, 0, NULL, HFILL }
10165 { &hf_smb2_create_rep_flags_reparse_point,
10166 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
10167 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }
10170 { &hf_smb2_extrainfo,
10171 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
10172 NULL, 0, "Create ExtraInfo", HFILL }
10175 { &hf_smb2_create_chain_offset,
10176 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
10177 NULL, 0, "Offset to next entry in chain or 0", HFILL }
10180 { &hf_smb2_create_chain_data,
10181 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
10182 NULL, 0, "Chain Data", HFILL }
10185 { &hf_smb2_FILE_OBJECTID_BUFFER,
10186 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
10187 NULL, 0, NULL, HFILL }
10190 { &hf_smb2_lease_key,
10191 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
10192 NULL, 0, NULL, HFILL }
10195 { &hf_smb2_lease_state,
10196 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
10197 NULL, 0, NULL, HFILL }
10200 { &hf_smb2_lease_state_read_caching,
10201 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
10202 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }
10205 { &hf_smb2_lease_state_handle_caching,
10206 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
10207 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }
10210 { &hf_smb2_lease_state_write_caching,
10211 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
10212 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }
10215 { &hf_smb2_lease_flags,
10216 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
10217 NULL, 0, NULL, HFILL }
10220 { &hf_smb2_lease_flags_break_ack_required,
10221 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
10222 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }
10225 { &hf_smb2_lease_flags_break_in_progress,
10226 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
10227 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }
10230 { &hf_smb2_lease_flags_parent_lease_key_set,
10231 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
10232 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }
10235 { &hf_smb2_lease_duration,
10236 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
10237 NULL, 0, NULL, HFILL }
10240 { &hf_smb2_parent_lease_key,
10241 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
10242 NULL, 0, NULL, HFILL }
10245 { &hf_smb2_lease_epoch,
10246 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16, BASE_HEX,
10247 NULL, 0, NULL, HFILL }
10250 { &hf_smb2_lease_reserved,
10251 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16, BASE_HEX,
10252 NULL, 0, NULL, HFILL }
10255 { &hf_smb2_lease_break_reason,
10256 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
10257 NULL, 0, NULL, HFILL }
10260 { &hf_smb2_lease_access_mask_hint,
10261 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
10262 NULL, 0, NULL, HFILL }
10265 { &hf_smb2_lease_share_mask_hint,
10266 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
10267 NULL, 0, NULL, HFILL }
10270 { &hf_smb2_next_offset,
10271 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
10272 NULL, 0, "Offset to next buffer or 0", HFILL }
10275 { &hf_smb2_negotiate_context_type,
10276 { "Type", "smb2.negotiate_context.type", FT_UINT16, BASE_HEX,
10277 VALS(smb2_negotiate_context_types), 0, NULL, HFILL }
10280 { &hf_smb2_negotiate_context_data_length,
10281 { "DataLength", "smb2.negotiate_context.data_length", FT_UINT16, BASE_DEC,
10282 NULL, 0, NULL, HFILL }
10285 { &hf_smb2_negotiate_context_offset,
10286 { "NegotiateContextOffset", "smb2.negotiate_context.offset", FT_UINT16, BASE_HEX,
10287 NULL, 0, NULL, HFILL }
10290 { &hf_smb2_negotiate_context_count,
10291 { "NegotiateContextCount", "smb2.negotiate_context.count", FT_UINT16, BASE_DEC,
10292 NULL, 0, NULL, HFILL }
10295 { &hf_smb2_hash_alg_count,
10296 { "HashAlgorithmCount", "smb2.negotiate_context.hash_alg_count", FT_UINT16, BASE_DEC,
10297 NULL, 0, NULL, HFILL }},
10299 { &hf_smb2_hash_algorithm,
10300 { "HashAlgorithm", "smb2.negotiate_context.hash_algorithm", FT_UINT16, BASE_HEX,
10301 VALS(smb2_hash_algorithm_types), 0, NULL, HFILL }},
10303 { &hf_smb2_salt_length,
10304 { "SaltLength", "smb2.negotiate_context.salt_length", FT_UINT16, BASE_DEC,
10305 NULL, 0, NULL, HFILL }},
10308 { "Salt", "smb2.negotiate_context.salt", FT_BYTES, BASE_NONE,
10309 NULL, 0, NULL, HFILL }},
10311 { &hf_smb2_cipher_count,
10312 { "CipherCount", "smb2.negotiate_context.cipher_count", FT_UINT16, BASE_DEC,
10313 NULL, 0, NULL, HFILL }},
10315 { &hf_smb2_cipher_id,
10316 { "CipherId", "smb2.negotiate_context.cipher_id", FT_UINT16, BASE_HEX,
10317 VALS(smb2_cipher_types), 0, NULL, HFILL }},
10319 { &hf_smb2_current_time,
10320 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10321 NULL, 0, "Current Time at server", HFILL }
10324 { &hf_smb2_boot_time,
10325 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10326 NULL, 0, "Boot Time at server", HFILL }
10329 { &hf_smb2_ea_flags,
10330 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
10331 NULL, 0, NULL, HFILL }
10334 { &hf_smb2_ea_name_len,
10335 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
10336 NULL, 0, NULL, HFILL }
10339 { &hf_smb2_ea_data_len,
10340 { "EA Data Length", "smb2.ea.data_len", FT_UINT16, BASE_DEC,
10341 NULL, 0, NULL, HFILL }
10344 { &hf_smb2_delete_pending,
10345 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
10346 NULL, 0, NULL, HFILL }
10349 { &hf_smb2_is_directory,
10350 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
10351 NULL, 0, "Is this a directory?", HFILL }
10355 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
10356 VALS(oplock_vals), 0, "Oplock type", HFILL }
10359 { &hf_smb2_close_flags,
10360 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
10361 NULL, 0, NULL, HFILL }
10364 { &hf_smb2_notify_flags,
10365 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
10366 NULL, 0, NULL, HFILL }
10369 { &hf_smb2_buffer_code,
10370 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
10371 NULL, 0, NULL, HFILL }
10374 { &hf_smb2_buffer_code_len,
10375 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
10376 NULL, 0xFFFE, "Length of fixed portion of PDU", HFILL }
10379 { &hf_smb2_olb_length,
10380 { "Blob Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
10381 NULL, 0, "Length of the buffer", HFILL }
10384 { &hf_smb2_olb_offset,
10385 { "Blob Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
10386 NULL, 0, "Offset to the buffer", HFILL }
10389 { &hf_smb2_buffer_code_flags_dyn,
10390 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
10391 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }
10394 { &hf_smb2_ea_data,
10395 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE,
10396 NULL, 0, NULL, HFILL }
10399 { &hf_smb2_ea_name,
10400 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
10401 NULL, 0, NULL, HFILL }
10404 { &hf_smb2_impersonation_level,
10405 { "Impersonation level", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
10406 VALS(impersonation_level_vals), 0, NULL, HFILL }
10409 { &hf_smb2_ioctl_function,
10410 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
10411 &smb2_ioctl_vals_ext, 0, "Ioctl function", HFILL }
10414 { &hf_smb2_ioctl_function_device,
10415 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
10416 &smb2_ioctl_device_vals_ext, 0xffff0000, "Device for Ioctl", HFILL }
10419 { &hf_smb2_ioctl_function_access,
10420 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
10421 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }
10424 { &hf_smb2_ioctl_function_function,
10425 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
10426 NULL, 0x00003ffc, "Function for Ioctl", HFILL }
10429 { &hf_smb2_ioctl_function_method,
10430 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
10431 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }
10434 { &hf_smb2_fsctl_pipe_wait_timeout,
10435 { "Timeout", "smb2.fsctl.wait.timeout", FT_INT64, BASE_DEC,
10436 NULL, 0, "Wait timeout", HFILL }
10439 { &hf_smb2_fsctl_pipe_wait_name,
10440 { "Name", "smb2.fsctl.wait.name", FT_STRING, BASE_NONE,
10441 NULL, 0, "Pipe name", HFILL }
10444 { &hf_smb2_fsctl_odx_token_type,
10445 { "TokenType", "smb2.fsctl.odx.token.type", FT_UINT32, BASE_HEX,
10446 NULL, 0, NULL, HFILL }
10449 { &hf_smb2_fsctl_odx_token_idlen,
10450 { "TokenIdLength", "smb2.fsctl.odx.token.idlen", FT_UINT16, BASE_DEC,
10451 NULL, 0, NULL, HFILL }
10454 { &hf_smb2_fsctl_odx_token_idraw,
10455 { "TokenId", "smb2.fsctl.odx.token.id", FT_BYTES, BASE_NONE,
10456 NULL, 0, "Token ID (opaque)", HFILL }
10459 { &hf_smb2_fsctl_odx_token_ttl,
10460 { "TokenTimeToLive", "smb2.fsctl.odx.token_ttl", FT_UINT32, BASE_DEC,
10461 NULL, 0, "TTL requested for the token (in milliseconds)", HFILL }
10464 { &hf_smb2_fsctl_odx_size,
10465 { "Size", "smb2.fsctl.odx.size", FT_UINT32, BASE_DEC,
10466 NULL, 0, "Size of this data element", HFILL }
10469 { &hf_smb2_fsctl_odx_flags,
10470 { "Flags", "smb2.fsctl.odx.flags", FT_UINT32, BASE_HEX,
10471 NULL, 0, "Flags for this operation", HFILL }
10474 { &hf_smb2_fsctl_odx_file_offset,
10475 { "FileOffset", "smb2.fsctl.odx.file_offset", FT_UINT64, BASE_DEC,
10476 NULL, 0, NULL, HFILL }
10479 { &hf_smb2_fsctl_odx_copy_length,
10480 { "CopyLength", "smb2.fsctl.odx.copy_length", FT_UINT64, BASE_DEC,
10481 NULL, 0, NULL, HFILL }
10484 { &hf_smb2_fsctl_odx_xfer_length,
10485 { "TransferLength", "smb2.fsctl.odx.xfer_length", FT_UINT64, BASE_DEC,
10486 NULL, 0, NULL, HFILL }
10489 { &hf_smb2_fsctl_odx_token_offset,
10490 { "TokenOffset", "smb2.fsctl.odx.token_offset", FT_UINT64, BASE_DEC,
10491 NULL, 0, "Token Offset (relative to start of token)", HFILL }
10494 { &hf_smb2_fsctl_sparse_flag,
10495 { "SetSparse", "smb2.fsctl.set_sparse", FT_BOOLEAN, 8,
10496 NULL, 0xFF, NULL, HFILL }
10499 { &hf_smb2_ioctl_resiliency_timeout,
10500 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
10501 NULL, 0, "Resiliency timeout", HFILL }
10504 { &hf_smb2_ioctl_resiliency_reserved,
10505 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
10506 NULL, 0, "Resiliency reserved", HFILL }
10509 { &hf_smb2_ioctl_shared_virtual_disk_support,
10510 { "SharedVirtualDiskSupport", "smb2.ioctl.shared_virtual_disk.support", FT_UINT32, BASE_HEX,
10511 VALS(smb2_ioctl_shared_virtual_disk_vals), 0, "Supported shared capabilities", HFILL }
10514 { &hf_smb2_ioctl_shared_virtual_disk_handle_state,
10515 { "SharedVirtualDiskHandleState", "smb2.ioctl.shared_virtual_disk.handle_state", FT_UINT32, BASE_HEX,
10516 VALS(smb2_ioctl_shared_virtual_disk_hstate_vals), 0, NULL, HFILL }
10519 { &hf_smb2_ioctl_sqos_protocol_version,
10520 { "ProtocolVersion", "smb2.ioctl.sqos.protocol_version", FT_UINT16, BASE_HEX,
10521 VALS(smb2_ioctl_sqos_protocol_version_vals), 0, NULL, HFILL }
10524 { &hf_smb2_ioctl_sqos_reserved,
10525 { "Reserved", "smb2.ioctl.sqos.reserved", FT_UINT16, BASE_DEC,
10526 NULL, 0, NULL, HFILL }
10529 { &hf_smb2_ioctl_sqos_options,
10530 { "Operations", "smb2.ioctl.sqos.operations", FT_UINT32, BASE_HEX,
10531 NULL, 0, "SQOS operations", HFILL }
10534 { &hf_smb2_ioctl_sqos_op_set_logical_flow_id,
10535 { "Set Logical Flow ID", "smb2.ioctl.sqos.operations.set_logical_flow_id", FT_BOOLEAN, 32,
10536 NULL, STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID, "Whether Set Logical Flow ID operation is performed", HFILL }
10539 { &hf_smb2_ioctl_sqos_op_set_policy,
10540 { "Set Policy", "smb2.ioctl.sqos.operations.set_policy", FT_BOOLEAN, 32,
10541 NULL, STORAGE_QOS_CONTROL_FLAG_SET_POLICY, "Whether Set Policy operation is performed", HFILL }
10544 { &hf_smb2_ioctl_sqos_op_probe_policy,
10545 { "Probe Policy", "smb2.ioctl.sqos.operations.probe_policy", FT_BOOLEAN, 32,
10546 NULL, STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY, "Whether Probe Policy operation is performed", HFILL }
10549 { &hf_smb2_ioctl_sqos_op_get_status,
10550 { "Get Status", "smb2.ioctl.sqos.operations.get_status", FT_BOOLEAN, 32,
10551 NULL, STORAGE_QOS_CONTROL_FLAG_GET_STATUS, "Whether Get Status operation is performed", HFILL }
10554 { &hf_smb2_ioctl_sqos_op_update_counters,
10555 { "Update Counters", "smb2.ioctl.sqos.operations.update_counters", FT_BOOLEAN, 32,
10556 NULL, STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS, "Whether Update Counters operation is performed", HFILL }
10559 { &hf_smb2_ioctl_sqos_logical_flow_id,
10560 { "LogicalFlowID", "smb2.ioctl.sqos.logical_flow_id", FT_GUID, BASE_NONE,
10561 NULL, 0, NULL, HFILL }
10564 { &hf_smb2_ioctl_sqos_policy_id,
10565 { "PolicyID", "smb2.ioctl.sqos.policy_id", FT_GUID, BASE_NONE,
10566 NULL, 0, NULL, HFILL }
10569 { &hf_smb2_ioctl_sqos_initiator_id,
10570 { "InitiatorID", "smb2.ioctl.sqos.initiator_id", FT_GUID, BASE_NONE,
10571 NULL, 0, NULL, HFILL }
10574 { &hf_smb2_ioctl_sqos_limit,
10575 { "Limit", "smb2.ioctl.sqos.limit", FT_UINT64, BASE_DEC,
10576 NULL, 0, "Desired maximum throughput for the logical flow, in normalized IOPS", HFILL }
10579 { &hf_smb2_ioctl_sqos_reservation,
10580 { "Reservation", "smb2.ioctl.sqos.reservation", FT_UINT64, BASE_DEC,
10581 NULL, 0, "Desired minimum throughput for the logical flow, in normalized 8KB IOPS", HFILL }
10584 { &hf_smb2_ioctl_sqos_initiator_name,
10585 { "InitiatorName", "smb2.ioctl.sqos.initiator_name", FT_STRING, BASE_NONE,
10586 NULL, 0x0, NULL, HFILL }
10589 { &hf_smb2_ioctl_sqos_initiator_node_name,
10590 { "InitiatorNodeName", "smb2.ioctl.sqos.initiator_node_name", FT_STRING, BASE_NONE,
10591 NULL, 0x0, NULL, HFILL }
10594 { &hf_smb2_ioctl_sqos_io_count_increment,
10595 { "IoCountIncrement", "smb2.ioctl.sqos.io_count_increment", FT_UINT64, BASE_DEC,
10596 NULL, 0, "The total number of I/O requests issued by the initiator on the logical flow", HFILL }
10599 { &hf_smb2_ioctl_sqos_normalized_io_count_increment,
10600 { "NormalizedIoCountIncrement", "smb2.ioctl.sqos.normalized_io_count_increment", FT_UINT64, BASE_DEC,
10601 NULL, 0, "The total number of normalized 8-KB I/O requests issued by the initiator on the logical flow", HFILL }
10604 { &hf_smb2_ioctl_sqos_latency_increment,
10605 { "LatencyIncrement", "smb2.ioctl.sqos.latency_increment", FT_UINT64, BASE_DEC,
10606 NULL, 0, "The total latency (including initiator's queues delays) measured by the initiator", HFILL }
10609 { &hf_smb2_ioctl_sqos_lower_latency_increment,
10610 { "LowerLatencyIncrement", "smb2.ioctl.sqos.lower_latency_increment", FT_UINT64, BASE_DEC,
10611 NULL, 0, "The total latency (excluding initiator's queues delays) measured by the initiator", HFILL }
10614 { &hf_smb2_ioctl_sqos_bandwidth_limit,
10615 { "BandwidthLimit", "smb2.ioctl.sqos.bandwidth_limit", FT_UINT64, BASE_DEC,
10616 NULL, 0, "Desired maximum bandwidth for the logical flow, in kilobytes per second", HFILL }
10619 { &hf_smb2_ioctl_sqos_kilobyte_count_increment,
10620 { "KilobyteCountIncrement", "smb2.ioctl.sqos.kilobyte_count_increment", FT_UINT64, BASE_DEC,
10621 NULL, 0, "The total data transfer length of all I/O requests, in kilobyte units, issued by the initiator on the logical flow", HFILL }
10624 { &hf_smb2_ioctl_sqos_time_to_live,
10625 { "TimeToLive", "smb2.ioctl.sqos.time_to_live", FT_UINT32, BASE_DEC,
10626 NULL, 0, "The expected period of validity of the Status, MaximumIoRate and MinimumIoRate fields, expressed in milliseconds", HFILL }
10629 { &hf_smb2_ioctl_sqos_status,
10630 { "Status", "smb2.ioctl.sqos.status", FT_UINT32, BASE_HEX,
10631 VALS(smb2_ioctl_sqos_status_vals), 0, "The current status of the logical flow", HFILL }
10634 { &hf_smb2_ioctl_sqos_maximum_io_rate,
10635 { "MaximumIoRate", "smb2.ioctl.sqos.maximum_io_rate", FT_UINT64, BASE_DEC,
10636 NULL, 0, "The maximum I/O initiation rate currently assigned to the logical flow, expressed in normalized input/output operations per second (normalized IOPS)", HFILL }
10639 { &hf_smb2_ioctl_sqos_minimum_io_rate,
10640 { "MinimumIoRate", "smb2.ioctl.sqos.minimum_io_rate", FT_UINT64, BASE_DEC,
10641 NULL, 0, "The minimum I/O completion rate currently assigned to the logical flow, expressed in normalized IOPS", HFILL }
10644 { &hf_smb2_ioctl_sqos_base_io_size,
10645 { "BaseIoSize", "smb2.ioctl.sqos.base_io_size", FT_UINT32, BASE_DEC,
10646 NULL, 0, "The base I/O size used to compute the normalized size of an I/O request for the logical flow", HFILL }
10649 { &hf_smb2_ioctl_sqos_reserved2,
10650 { "Reserved", "smb2.ioctl.sqos.reserved2", FT_UINT32, BASE_DEC,
10651 NULL, 0, NULL, HFILL }
10654 { &hf_smb2_ioctl_sqos_maximum_bandwidth,
10655 { "MaximumBandwidth", "smb2.ioctl.sqos.maximum_bandwidth", FT_UINT64, BASE_DEC,
10656 NULL, 0, "The maximum bandwidth currently assigned to the logical flow, expressed in kilobytes per second", HFILL }
10660 { &hf_windows_sockaddr_family,
10661 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
10662 NULL, 0, "The socket address family (on windows)", HFILL }
10665 { &hf_windows_sockaddr_port,
10666 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
10667 NULL, 0, "The socket address port", HFILL }
10670 { &hf_windows_sockaddr_in_addr,
10671 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
10672 NULL, 0, "The IPv4 address", HFILL }
10675 { &hf_windows_sockaddr_in6_flowinfo,
10676 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
10677 NULL, 0, "The socket IPv6 flow info", HFILL }
10680 { &hf_windows_sockaddr_in6_addr,
10681 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
10682 NULL, 0, "The IPv6 address", HFILL }
10685 { &hf_windows_sockaddr_in6_scope_id,
10686 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
10687 NULL, 0, "The socket IPv6 scope id", HFILL }
10690 { &hf_smb2_ioctl_network_interface_next_offset,
10691 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
10692 NULL, 0, "Offset to next entry in chain or 0", HFILL }
10695 { &hf_smb2_ioctl_network_interface_index,
10696 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
10697 NULL, 0, "The index of the interface", HFILL }
10700 { &hf_smb2_ioctl_network_interface_rss_queue_count,
10701 { "RSS Queue Count", "smb2.ioctl.network_interfaces.rss_queue_count", FT_UINT32, BASE_DEC,
10702 NULL, 0, "The RSS queue count", HFILL }
10705 { &hf_smb2_ioctl_network_interface_capabilities,
10706 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
10707 NULL, 0, "The RSS queue count", HFILL }
10710 { &hf_smb2_ioctl_network_interface_capability_rss,
10711 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
10712 TFS(&tfs_smb2_ioctl_network_interface_capability_rss), NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }
10715 { &hf_smb2_ioctl_network_interface_capability_rdma,
10716 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
10717 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma), NETWORK_INTERFACE_CAP_RDMA, "If the host supports RDMA", HFILL }
10720 { &hf_smb2_ioctl_network_interface_link_speed,
10721 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
10722 NULL, 0, "The link speed of the interface", HFILL }
10725 { &hf_smb2_ioctl_shadow_copy_num_volumes,
10726 { "Num Volumes", "smb2.ioctl.shadow_copy.num_volumes", FT_UINT32, BASE_DEC,
10727 NULL, 0, "Number of shadow copy volumes", HFILL }
10730 { &hf_smb2_ioctl_shadow_copy_num_labels,
10731 { "Num Labels", "smb2.ioctl.shadow_copy.num_labels", FT_UINT32, BASE_DEC,
10732 NULL, 0, "Number of shadow copy labels", HFILL }
10735 { &hf_smb2_ioctl_shadow_copy_label,
10736 { "Label", "smb2.ioctl.shadow_copy.label", FT_STRING, BASE_NONE,
10737 NULL, 0, "Shadow copy label", HFILL }
10740 { &hf_smb2_compression_format,
10741 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
10742 VALS(compression_format_vals), 0, NULL, HFILL }
10745 { &hf_smb2_checksum_algorithm,
10746 { "Checksum Algorithm", "smb2.checksum_algorithm", FT_UINT16, BASE_HEX,
10747 VALS(checksum_algorithm_vals), 0, NULL, HFILL }
10750 { &hf_smb2_integrity_reserved,
10751 { "Reserved", "smb2.integrity_reserved", FT_UINT16, BASE_DEC,
10752 NULL, 0, NULL, HFILL }
10755 { &hf_smb2_integrity_flags,
10756 { "Flags", "smb2.integrity_flags", FT_UINT32, BASE_HEX,
10757 NULL, 0, NULL, HFILL }
10760 { &hf_smb2_integrity_flags_enforcement_off,
10761 { "FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF", "smb2.integrity_flags_enforcement", FT_BOOLEAN, 32,
10762 NULL, 0x1, "If checksum error enforcement is off", HFILL }
10765 { &hf_smb2_share_type,
10766 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
10767 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }
10770 { &hf_smb2_credit_charge,
10771 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
10772 NULL, 0, NULL, HFILL }
10775 { &hf_smb2_credits_requested,
10776 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
10777 NULL, 0, NULL, HFILL }
10780 { &hf_smb2_credits_granted,
10781 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
10782 NULL, 0, NULL, HFILL }
10785 { &hf_smb2_channel_sequence,
10786 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
10787 NULL, 0, NULL, HFILL }
10790 { &hf_smb2_dialect_count,
10791 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
10792 NULL, 0, NULL, HFILL }
10795 { &hf_smb2_dialect,
10796 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
10797 NULL, 0, NULL, HFILL }
10800 { &hf_smb2_security_mode,
10801 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
10802 NULL, 0, NULL, HFILL }
10805 { &hf_smb2_session_flags,
10806 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
10807 NULL, 0, NULL, HFILL }
10810 { &hf_smb2_lock_count,
10811 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
10812 NULL, 0, NULL, HFILL }
10815 { &hf_smb2_capabilities,
10816 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
10817 NULL, 0, NULL, HFILL }
10820 { &hf_smb2_ioctl_shadow_copy_count,
10821 { "Count", "smb2.ioctl.shadow_copy.count", FT_UINT32, BASE_DEC,
10822 NULL, 0, "Number of bytes for shadow copy label strings", HFILL }
10825 { &hf_smb2_auth_frame,
10826 { "Authenticated in Frame", "smb2.auth_frame", FT_UINT32, BASE_DEC,
10827 NULL, 0, "Which frame this user was authenticated in", HFILL }
10830 { &hf_smb2_tcon_frame,
10831 { "Connected in Frame", "smb2.tcon_frame", FT_UINT32, BASE_DEC,
10832 NULL, 0, "Which frame this share was connected in", HFILL }
10836 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
10837 NULL, 0, "Tag of chain entry", HFILL }
10840 { &hf_smb2_acct_name,
10841 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
10842 NULL, 0, "Account Name", HFILL }
10845 { &hf_smb2_domain_name,
10846 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
10847 NULL, 0, "Domain Name", HFILL }
10850 { &hf_smb2_host_name,
10851 { "Host", "smb2.host", FT_STRING, BASE_NONE,
10852 NULL, 0, "Host Name", HFILL }
10855 { &hf_smb2_signature,
10856 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
10857 NULL, 0, NULL, HFILL }
10860 { &hf_smb2_unknown,
10861 { "Unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
10862 NULL, 0, NULL, HFILL }
10865 { &hf_smb2_twrp_timestamp,
10866 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10867 NULL, 0, "TWrp timestamp", HFILL }
10870 { &hf_smb2_mxac_timestamp,
10871 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10872 NULL, 0, "MxAc timestamp", HFILL }
10875 { &hf_smb2_mxac_status,
10876 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
10877 &NT_errors_ext, 0, "NT Status code", HFILL }
10880 { &hf_smb2_qfid_fid,
10881 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
10882 NULL, 0, NULL, HFILL }
10885 { &hf_smb2_ses_flags_guest,
10886 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
10887 NULL, SES_FLAGS_GUEST, NULL, HFILL }
10890 { &hf_smb2_ses_flags_null,
10891 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
10892 NULL, SES_FLAGS_NULL, NULL, HFILL }
10895 { &hf_smb2_ses_flags_encrypt,
10896 { "Encrypt", "smb2.ses_flags.encrypt", FT_BOOLEAN, 16,
10897 NULL, SES_FLAGS_ENCRYPT, NULL, HFILL }},
10899 { &hf_smb2_secmode_flags_sign_required,
10900 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
10901 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }
10904 { &hf_smb2_secmode_flags_sign_enabled,
10905 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
10906 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }
10909 { &hf_smb2_ses_req_flags,
10910 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
10911 NULL, 0, NULL, HFILL }
10914 { &hf_smb2_ses_req_flags_session_binding,
10915 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
10916 NULL, SES_REQ_FLAGS_SESSION_BINDING, "The client wants to bind to an existing session", HFILL }
10919 { &hf_smb2_cap_dfs,
10920 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
10921 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }
10924 { &hf_smb2_cap_leasing,
10925 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
10926 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING, "If the host supports leasing", HFILL }
10929 { &hf_smb2_cap_large_mtu,
10930 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
10931 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU, "If the host supports LARGE MTU", HFILL }
10934 { &hf_smb2_cap_multi_channel,
10935 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
10936 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL, "If the host supports MULTI CHANNEL", HFILL }
10939 { &hf_smb2_cap_persistent_handles,
10940 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
10941 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES, "If the host supports PERSISTENT HANDLES", HFILL }
10944 { &hf_smb2_cap_directory_leasing,
10945 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
10946 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING, "If the host supports DIRECTORY LEASING", HFILL }
10949 { &hf_smb2_cap_encryption,
10950 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
10951 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION, "If the host supports ENCRYPTION", HFILL }
10954 { &hf_smb2_max_trans_size,
10955 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
10956 NULL, 0, NULL, HFILL }
10959 { &hf_smb2_max_read_size,
10960 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
10961 NULL, 0, NULL, HFILL }
10964 { &hf_smb2_max_write_size,
10965 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
10966 NULL, 0, NULL, HFILL }
10969 { &hf_smb2_channel,
10970 { "Channel", "smb2.channel", FT_UINT32, BASE_HEX,
10971 VALS(smb2_channel_vals), 0, NULL, HFILL }
10974 { &hf_smb2_rdma_v1_offset,
10975 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64, BASE_DEC,
10976 NULL, 0, NULL, HFILL }
10979 { &hf_smb2_rdma_v1_token,
10980 { "Token", "smb2.buffer_descriptor.token", FT_UINT32, BASE_HEX,
10981 NULL, 0, NULL, HFILL }
10984 { &hf_smb2_rdma_v1_length,
10985 { "Length", "smb2.buffer_descriptor.length", FT_UINT32, BASE_DEC,
10986 NULL, 0, NULL, HFILL }
10989 { &hf_smb2_share_flags,
10990 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
10991 NULL, 0, NULL, HFILL }
10994 { &hf_smb2_share_flags_dfs,
10995 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
10996 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
10999 { &hf_smb2_share_flags_dfs_root,
11000 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
11001 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
11004 { &hf_smb2_share_flags_restrict_exclusive_opens,
11005 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
11006 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }
11009 { &hf_smb2_share_flags_force_shared_delete,
11010 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
11011 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }
11014 { &hf_smb2_share_flags_allow_namespace_caching,
11015 { "Allow namepsace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
11016 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }
11019 { &hf_smb2_share_flags_access_based_dir_enum,
11020 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
11021 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }
11024 { &hf_smb2_share_flags_force_levelii_oplock,
11025 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
11026 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }
11029 { &hf_smb2_share_flags_enable_hash_v1,
11030 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
11031 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
11034 { &hf_smb2_share_flags_enable_hash_v2,
11035 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
11036 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
11039 { &hf_smb2_share_flags_encrypt_data,
11040 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
11041 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }
11044 { &hf_smb2_share_caching,
11045 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
11046 VALS(share_cache_vals), 0, NULL, HFILL }
11049 { &hf_smb2_share_caps,
11050 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
11051 NULL, 0, NULL, HFILL }
11054 { &hf_smb2_share_caps_dfs,
11055 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
11056 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }
11059 { &hf_smb2_share_caps_continuous_availability,
11060 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
11061 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY, "The specified share is continuously available", HFILL }
11064 { &hf_smb2_share_caps_scaleout,
11065 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
11066 NULL, SHARE_CAPS_SCALEOUT, "The specified share is a scaleout share", HFILL }
11069 { &hf_smb2_share_caps_cluster,
11070 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
11071 NULL, SHARE_CAPS_CLUSTER, "The specified share is a cluster share", HFILL }
11074 { &hf_smb2_ioctl_flags,
11075 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
11076 NULL, 0, NULL, HFILL }
11079 { &hf_smb2_min_count,
11080 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
11081 NULL, 0, NULL, HFILL }
11084 { &hf_smb2_remaining_bytes,
11085 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC,
11086 NULL, 0, NULL, HFILL }
11089 { &hf_smb2_channel_info_offset,
11090 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
11091 NULL, 0, NULL, HFILL }
11094 { &hf_smb2_channel_info_length,
11095 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
11096 NULL, 0, NULL, HFILL }
11099 { &hf_smb2_channel_info_blob,
11100 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE, BASE_NONE,
11101 NULL, 0, NULL, HFILL }
11104 { &hf_smb2_ioctl_is_fsctl,
11105 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
11106 NULL, 0x00000001, NULL, HFILL }
11109 { &hf_smb2_output_buffer_len,
11110 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT16, BASE_DEC,
11111 NULL, 0, NULL, HFILL }
11114 { &hf_smb2_close_pq_attrib,
11115 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
11116 NULL, 0x0001, NULL, HFILL }
11119 { &hf_smb2_notify_watch_tree,
11120 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
11121 NULL, 0x0001, NULL, HFILL }
11124 { &hf_smb2_notify_out_data,
11125 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
11126 NULL, 0, NULL, HFILL }
11129 { &hf_smb2_notify_info,
11130 { "Notify Info", "smb2.notify.info", FT_NONE, BASE_NONE,
11131 NULL, 0, NULL, HFILL }
11134 { &hf_smb2_notify_next_offset,
11135 { "Next Offset", "smb2.notify.next_offset", FT_UINT32, BASE_HEX,
11136 NULL, 0, "Offset to next entry in chain or 0", HFILL }
11139 { &hf_smb2_notify_action,
11140 { "Action", "smb2.notify.action", FT_UINT32, BASE_HEX,
11141 VALS(notify_action_vals), 0, "Notify Action", HFILL }
11145 { &hf_smb2_find_flags_restart_scans,
11146 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
11147 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }
11150 { &hf_smb2_find_flags_single_entry,
11151 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
11152 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }
11155 { &hf_smb2_find_flags_index_specified,
11156 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
11157 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }
11160 { &hf_smb2_find_flags_reopen,
11161 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
11162 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }
11165 { &hf_smb2_file_index,
11166 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
11167 NULL, 0, NULL, HFILL }
11170 { &hf_smb2_file_directory_info,
11171 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
11172 NULL, 0, NULL, HFILL }
11175 { &hf_smb2_full_directory_info,
11176 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
11177 NULL, 0, NULL, HFILL }
11180 { &hf_smb2_both_directory_info,
11181 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
11182 NULL, 0, NULL, HFILL }
11185 { &hf_smb2_id_both_directory_info,
11186 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
11187 NULL, 0, NULL, HFILL }
11190 { &hf_smb2_short_name_len,
11191 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
11192 NULL, 0, NULL, HFILL }
11195 { &hf_smb2_short_name,
11196 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
11197 NULL, 0, NULL, HFILL }
11200 { &hf_smb2_lock_info,
11201 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
11202 NULL, 0, NULL, HFILL }
11205 { &hf_smb2_lock_length,
11206 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
11207 NULL, 0, NULL, HFILL }
11210 { &hf_smb2_lock_flags,
11211 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
11212 NULL, 0, NULL, HFILL }
11215 { &hf_smb2_lock_flags_shared,
11216 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
11217 NULL, 0x00000001, NULL, HFILL }
11220 { &hf_smb2_lock_flags_exclusive,
11221 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
11222 NULL, 0x00000002, NULL, HFILL }
11225 { &hf_smb2_lock_flags_unlock,
11226 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
11227 NULL, 0x00000004, NULL, HFILL }
11230 { &hf_smb2_lock_flags_fail_immediately,
11231 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
11232 NULL, 0x00000010, NULL, HFILL }
11235 { &hf_smb2_error_context_count,
11236 { "Error Context Count", "smb2.error.context_count", FT_UINT8, BASE_DEC,
11237 NULL, 0, NULL, HFILL }
11240 { &hf_smb2_error_reserved,
11241 { "Reserved", "smb2.error.reserved", FT_UINT8, BASE_HEX,
11242 NULL, 0, NULL, HFILL }
11245 { &hf_smb2_error_byte_count,
11246 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
11247 NULL, 0, NULL, HFILL }
11250 { &hf_smb2_error_data,
11251 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
11252 NULL, 0, NULL, HFILL }
11255 { &hf_smb2_reserved,
11256 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
11257 NULL, 0, NULL, HFILL }
11260 { &hf_smb2_reserved_random,
11261 { "Reserved (Random)", "smb2.reserved.random", FT_BYTES, BASE_NONE,
11262 NULL, 0, "Reserved bytes, random data", HFILL }
11265 { &hf_smb2_root_directory_mbz,
11266 { "Root Dir Handle (MBZ)", "smb2.root_directory", FT_BYTES, BASE_NONE,
11267 NULL, 0, NULL, HFILL }
11270 { &hf_smb2_dhnq_buffer_reserved,
11271 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
11272 NULL, 0, NULL, HFILL }
11275 { &hf_smb2_dh2x_buffer_timeout,
11276 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
11277 NULL, 0, NULL, HFILL }
11280 { &hf_smb2_dh2x_buffer_flags,
11281 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
11282 NULL, 0, NULL, HFILL }
11285 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
11286 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
11287 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL }
11290 { &hf_smb2_dh2x_buffer_reserved,
11291 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
11292 NULL, 0, NULL, HFILL }
11295 { &hf_smb2_dh2x_buffer_create_guid,
11296 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
11297 NULL, 0, NULL, HFILL }
11300 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
11301 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
11302 NULL, 0, NULL, HFILL }
11305 { &hf_smb2_APP_INSTANCE_buffer_reserved,
11306 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
11307 NULL, 0, NULL, HFILL }
11310 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
11311 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
11312 NULL, 0, NULL, HFILL }
11315 { &hf_smb2_svhdx_open_device_context_version,
11316 { "Version", "smb2.svhdx_open_device_context.version", FT_UINT32, BASE_DEC,
11317 NULL, 0, NULL, HFILL }
11320 { &hf_smb2_svhdx_open_device_context_has_initiator_id,
11321 { "HasInitiatorId", "smb2.svhdx_open_device_context.initiator_has_id", FT_BOOLEAN, 8,
11322 TFS(&tfs_smb2_svhdx_has_initiator_id), 0, "Whether the host has an intiator", HFILL }
11325 { &hf_smb2_svhdx_open_device_context_reserved,
11326 { "Reserved", "smb2.svhdx_open_device_context.reserved", FT_BYTES, BASE_NONE,
11327 NULL, 0, NULL, HFILL }
11330 { &hf_smb2_svhdx_open_device_context_initiator_id,
11331 { "InitiatorId", "smb2.svhdx_open_device_context.initiator_id", FT_GUID, BASE_NONE,
11332 NULL, 0, NULL, HFILL }
11335 { &hf_smb2_svhdx_open_device_context_flags,
11336 { "Flags", "smb2.svhdx_open_device_context.flags", FT_UINT32, BASE_HEX,
11337 NULL, 0, NULL, HFILL }
11340 { &hf_smb2_svhdx_open_device_context_originator_flags,
11341 { "OriginatorFlags", "smb2.svhdx_open_device_context.originator_flags", FT_UINT32, BASE_HEX,
11342 VALS(originator_flags_vals), 0, NULL, HFILL }
11345 { &hf_smb2_svhdx_open_device_context_open_request_id,
11346 { "OpenRequestId","smb2.svhxd_open_device_context.open_request_id", FT_UINT64, BASE_HEX,
11347 NULL, 0, NULL, HFILL }
11350 { &hf_smb2_svhdx_open_device_context_initiator_host_name_len,
11351 { "HostNameLength", "smb2.svhxd_open_device_context.initiator_host_name_len", FT_UINT16, BASE_DEC,
11352 NULL, 0, NULL, HFILL }
11355 { &hf_smb2_svhdx_open_device_context_initiator_host_name,
11356 { "HostName", "smb2.svhdx_open_device_context.host_name", FT_STRING, BASE_NONE,
11357 NULL, 0, NULL, HFILL }
11360 { &hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
11361 { "VirtualDiskPropertiesInitialized", "smb2.svhdx_open_device_context.virtual_disk_properties_initialized", FT_BOOLEAN, 32,
11362 NULL, 0, "Whether VirtualSectorSize, PhysicalSectorSize, and VirtualSize fields are filled", HFILL }
11365 { &hf_smb2_svhdx_open_device_context_server_service_version,
11366 { "ServerServiceVersion", "smb2.svhdx_open_device_context.server_service_version", FT_UINT32, BASE_DEC,
11367 NULL, 0, "The current version of the protocol running on the server", HFILL }
11370 { &hf_smb2_svhdx_open_device_context_virtual_sector_size,
11371 { "VirtualSectorSize", "smb2.svhdx_open_device_context.virtual_sector_size", FT_UINT32, BASE_DEC,
11372 NULL, 0, "The virtual sector size of the virtual disk", HFILL }
11375 { &hf_smb2_svhdx_open_device_context_physical_sector_size,
11376 { "PhysicalSectorSize", "smb2.svhdx_open_device_context.physical_sector_size", FT_UINT32, BASE_DEC,
11377 NULL, 0, "The physical sector size of the virtual disk", HFILL }
11380 { &hf_smb2_svhdx_open_device_context_virtual_size,
11381 { "VirtualSize", "smb2.svhdx_open_device_context.virtual_size", FT_UINT64, BASE_DEC,
11382 NULL, 0, "The current length of the virtual disk, in bytes", HFILL }
11385 { &hf_smb2_posix_v1_version,
11386 { "Version", "smb2.posix_v1_version", FT_UINT32, BASE_DEC,
11387 NULL, 0, NULL, HFILL }
11390 { &hf_smb2_posix_v1_request,
11391 { "Request", "smb2.posix_request", FT_UINT32, BASE_HEX,
11392 NULL, 0, NULL, HFILL }
11395 { &hf_smb2_posix_v1_case_sensitive,
11396 { "Posix Case Sensitive File Names", "smb2.posix_case_sensitive", FT_UINT32, BASE_HEX,
11397 VALS(posix_case_sensitive_vals), 0x01, NULL, HFILL }
11400 { &hf_smb2_posix_v1_posix_lock,
11401 { "Posix Byte-Range Locks", "smb2.posix_locks", FT_UINT32, BASE_HEX,
11402 VALS(posix_locks_vals), 0x02, NULL, HFILL }
11405 { &hf_smb2_posix_v1_posix_file_semantics,
11406 { "Posix File Semantics", "smb2.posix_file_semantics", FT_UINT32, BASE_HEX,
11407 VALS(posix_file_semantics_vals), 0x04, NULL, HFILL }
11410 { &hf_smb2_posix_v1_posix_utf8_paths,
11411 { "Posix UTF8 Paths", "smb2.posix_utf8_paths", FT_UINT32, BASE_HEX,
11412 VALS(posix_utf8_paths_vals), 0x08, NULL, HFILL }
11415 { &hf_smb2_posix_v1_posix_will_convert_nt_acls,
11416 { "Posix Will Convert NT ACLs", "smb2.will_convert_NTACLs", FT_UINT32, BASE_HEX,
11417 VALS(posix_will_convert_ntacls_vals), 0x10, NULL, HFILL }
11420 { &hf_smb2_posix_v1_posix_fileinfo,
11421 { "Posix Fileinfo", "smb2.posix_fileinfo", FT_UINT32, BASE_HEX,
11422 VALS(posix_fileinfo_vals), 0x20, NULL, HFILL }
11425 { &hf_smb2_posix_v1_posix_acls,
11426 { "Posix ACLs", "smb2.posix_acls", FT_UINT32, BASE_HEX,
11427 VALS(posix_acls_vals), 0x40, NULL, HFILL }
11430 { &hf_smb2_posix_v1_rich_acls,
11431 { "Rich ACLs", "smb2.rich_acls", FT_UINT32, BASE_HEX,
11432 VALS(posix_rich_acls_vals), 0x80, NULL, HFILL }
11435 { &hf_smb2_posix_v1_supported_features,
11436 { "Supported Features", "smb2.posix_supported_features", FT_UINT32, BASE_HEX,
11437 NULL, 0, NULL, HFILL }
11440 { &hf_smb2_aapl_command_code,
11441 { "Command code", "smb2.aapl.command_code", FT_UINT32, BASE_DEC,
11442 VALS(aapl_command_code_vals), 0, NULL, HFILL }
11445 { &hf_smb2_aapl_reserved,
11446 { "Reserved", "smb2.aapl.reserved", FT_UINT32, BASE_HEX,
11447 NULL, 0, NULL, HFILL }
11450 { &hf_smb2_aapl_server_query_bitmask,
11451 { "Query bitmask", "smb2.aapl.query_bitmask", FT_UINT64, BASE_HEX,
11452 NULL, 0, NULL, HFILL }
11455 { &hf_smb2_aapl_server_query_bitmask_server_caps,
11456 { "Server capabilities", "smb2.aapl.bitmask.server_caps", FT_BOOLEAN, 64,
11457 NULL, SMB2_AAPL_SERVER_CAPS, NULL, HFILL }
11460 { &hf_smb2_aapl_server_query_bitmask_volume_caps,
11461 { "Volume capabilities", "smb2.aapl.bitmask.volume_caps", FT_BOOLEAN, 64,
11462 NULL, SMB2_AAPL_VOLUME_CAPS, NULL, HFILL }
11465 { &hf_smb2_aapl_server_query_bitmask_model_info,
11466 { "Model information", "smb2.aapl.bitmask.model_info", FT_BOOLEAN, 64,
11467 NULL, SMB2_AAPL_MODEL_INFO, NULL, HFILL }
11470 { &hf_smb2_aapl_server_query_caps,
11471 { "Client/Server capabilities", "smb2.aapl.caps", FT_UINT64, BASE_HEX,
11472 NULL, 0, NULL, HFILL }
11475 { &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
11476 { "Supports READDIRATTR", "smb2.aapl.caps.supports_read_dir_addr", FT_BOOLEAN, 64,
11477 NULL, SMB2_AAPL_SUPPORTS_READ_DIR_ATTR, NULL, HFILL }
11480 { &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
11481 { "Supports macOS copyfile", "smb2.aapl.caps.supports_osx_copyfile", FT_BOOLEAN, 64,
11482 NULL, SMB2_AAPL_SUPPORTS_OSX_COPYFILE, NULL, HFILL }
11485 { &hf_smb2_aapl_server_query_caps_unix_based,
11486 { "UNIX-based", "smb2.aapl.caps.unix_based", FT_BOOLEAN, 64,
11487 NULL, SMB2_AAPL_UNIX_BASED, NULL, HFILL }
11490 { &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
11491 { "Supports NFS ACE", "smb2.aapl.supports_nfs_ace", FT_BOOLEAN, 64,
11492 NULL, SMB2_AAPL_SUPPORTS_NFS_ACE, NULL, HFILL }
11495 { &hf_smb2_aapl_server_query_volume_caps,
11496 { "Volume capabilities", "smb2.aapl.volume_caps", FT_UINT64, BASE_HEX,
11497 NULL, 0, NULL, HFILL }
11500 { &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
11501 { "Supports Resolve ID", "smb2.aapl.volume_caps.supports_resolve_id", FT_BOOLEAN, 64,
11502 NULL, SMB2_AAPL_SUPPORTS_RESOLVE_ID, NULL, HFILL }
11505 { &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
11506 { "Case sensitive", "smb2.aapl.volume_caps.case_sensitive", FT_BOOLEAN, 64,
11507 NULL, SMB2_AAPL_CASE_SENSITIVE, NULL, HFILL }
11510 { &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
11511 { "Supports full sync", "smb2.aapl.volume_caps.supports_full_sync", FT_BOOLEAN, 64,
11512 NULL, SMB2_AAPL_SUPPORTS_FULL_SYNC, NULL, HFILL }
11515 { &hf_smb2_aapl_server_query_model_string,
11516 { "Model string", "smb2.aapl.model_string", FT_UINT_STRING, STR_UNICODE,
11517 NULL, 0, NULL, HFILL }
11520 { &hf_smb2_aapl_server_query_server_path,
11521 { "Server path", "smb2.aapl.server_path", FT_UINT_STRING, STR_UNICODE,
11522 NULL, 0, NULL, HFILL }
11525 { &hf_smb2_transform_signature,
11526 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
11527 NULL, 0, NULL, HFILL }
11530 { &hf_smb2_transform_nonce,
11531 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
11532 NULL, 0, NULL, HFILL }
11535 { &hf_smb2_transform_msg_size,
11536 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
11537 NULL, 0, NULL, HFILL }
11540 { &hf_smb2_transform_reserved,
11541 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
11542 NULL, 0, NULL, HFILL }
11545 { &hf_smb2_transform_enc_alg,
11546 { "Encryption ALG", "smb2.header.transform.encryption_alg", FT_UINT16, BASE_HEX,
11547 NULL, 0, NULL, HFILL }
11550 { &hf_smb2_encryption_aes128_ccm,
11551 { "SMB2_ENCRYPTION_AES128_CCM", "smb2.header.transform.enc_aes128_ccm", FT_BOOLEAN, 16,
11552 NULL, ENC_ALG_aes128_ccm, NULL, HFILL }
11555 { &hf_smb2_transform_encrypted_data,
11556 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
11557 NULL, 0, NULL, HFILL }
11560 { &hf_smb2_server_component_smb2,
11561 { "Server Component: SMB2", "smb2.server_component_smb2", FT_NONE, BASE_NONE,
11562 NULL, 0, NULL, HFILL }
11565 { &hf_smb2_server_component_smb2_transform,
11566 { "Server Component: SMB2_TRANSFORM", "smb2.server_component_smb2_transform", FT_NONE, BASE_NONE,
11567 NULL, 0, NULL, HFILL }
11570 { &hf_smb2_truncated,
11571 { "Truncated...", "smb2.truncated", FT_NONE, BASE_NONE,
11572 NULL, 0, NULL, HFILL }
11575 { &hf_smb2_pipe_fragment_overlap,
11576 { "Fragment overlap", "smb2.pipe.fragment.overlap", FT_BOOLEAN, BASE_NONE,
11577 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }
11580 { &hf_smb2_pipe_fragment_overlap_conflict,
11581 { "Conflicting data in fragment overlap", "smb2.pipe.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE,
11582 NULL, 0x0, NULL, HFILL }
11585 { &hf_smb2_pipe_fragment_multiple_tails,
11586 { "Multiple tail fragments found", "smb2.pipe.fragment.multipletails", FT_BOOLEAN, BASE_NONE,
11587 NULL, 0x0, "Several tails were found when defragmenting the packet", HFILL }
11590 { &hf_smb2_pipe_fragment_too_long_fragment,
11591 { "Fragment too long", "smb2.pipe.fragment.toolongfragment", FT_BOOLEAN, BASE_NONE,
11592 NULL, 0x0, "Fragment contained data past end of packet", HFILL }
11595 { &hf_smb2_pipe_fragment_error,
11596 { "Defragmentation error", "smb2.pipe.fragment.error", FT_FRAMENUM, BASE_NONE,
11597 NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }
11600 { &hf_smb2_pipe_fragment_count,
11601 { "Fragment count", "smb2.pipe.fragment.count", FT_UINT32, BASE_DEC,
11602 NULL, 0x0, NULL, HFILL }
11605 { &hf_smb2_pipe_fragment,
11606 { "Fragment SMB2 Named Pipe", "smb2.pipe.fragment", FT_FRAMENUM, BASE_NONE,
11607 NULL, 0x0, NULL, HFILL }
11610 { &hf_smb2_pipe_fragments,
11611 { "Reassembled SMB2 Named Pipe fragments", "smb2.pipe.fragments", FT_NONE, BASE_NONE,
11612 NULL, 0x0, NULL, HFILL }
11615 { &hf_smb2_pipe_reassembled_in,
11616 { "This SMB2 Named Pipe payload is reassembled in frame", "smb2.pipe.reassembled_in", FT_FRAMENUM, BASE_NONE,
11617 NULL, 0x0, "The Named Pipe PDU is completely reassembled in this frame", HFILL }
11620 { &hf_smb2_pipe_reassembled_length,
11621 { "Reassembled SMB2 Named Pipe length", "smb2.pipe.reassembled.length", FT_UINT32, BASE_DEC,
11622 NULL, 0x0, "The total length of the reassembled payload", HFILL }
11625 { &hf_smb2_pipe_reassembled_data,
11626 { "Reassembled SMB2 Named Pipe Data", "smb2.pipe.reassembled.data", FT_BYTES, BASE_NONE,
11627 NULL, 0x0, "The reassembled payload", HFILL }
11630 { &hf_smb2_cchunk_resume_key,
11631 { "ResumeKey", "smb2.fsctl.cchunk.resume_key", FT_BYTES, BASE_NONE,
11632 NULL, 0x0, "Opaque data representing source of copy", HFILL }
11635 { &hf_smb2_cchunk_count,
11636 { "Chunk Count", "smb2.fsctl.cchunk.count", FT_UINT32, BASE_DEC,
11637 NULL, 0x0, NULL, HFILL }
11640 { &hf_smb2_cchunk_src_offset,
11641 { "Source Offset", "smb2.fsctl.cchunk.src_offset", FT_UINT64, BASE_DEC,
11642 NULL, 0x0, NULL, HFILL }
11645 { &hf_smb2_cchunk_dst_offset,
11646 { "Target Offset", "smb2.fsctl.cchunk.dst_offset", FT_UINT64, BASE_DEC,
11647 NULL, 0x0, NULL, HFILL }
11650 { &hf_smb2_cchunk_xfer_len,
11651 { "Transfer Length", "smb2.fsctl.cchunk.xfer_len", FT_UINT32, BASE_DEC,
11652 NULL, 0x0, NULL, HFILL }
11655 { &hf_smb2_cchunk_chunks_written,
11656 { "Chunks Written", "smb2.fsctl.cchunk.chunks_written", FT_UINT32, BASE_DEC,
11657 NULL, 0x0, NULL, HFILL }
11660 { &hf_smb2_cchunk_bytes_written,
11661 { "Chunk Bytes Written", "smb2.fsctl.cchunk.bytes_written", FT_UINT32, BASE_DEC,
11662 NULL, 0x0, NULL, HFILL }
11665 { &hf_smb2_cchunk_total_written,
11666 { "Total Bytes Written", "smb2.fsctl.cchunk.total_written", FT_UINT32, BASE_DEC,
11667 NULL, 0x0, NULL, HFILL }
11670 { &hf_smb2_symlink_error_response,
11671 { "Symbolic Link Error Response", "smb2.symlink_error_response", FT_NONE, BASE_NONE,
11672 NULL, 0, NULL, HFILL }
11675 { &hf_smb2_symlink_length,
11676 { "SymLink Length", "smb2.symlink.length", FT_UINT32,
11677 BASE_DEC, NULL, 0x0, NULL, HFILL }
11680 { &hf_smb2_symlink_error_tag,
11681 { "SymLink Error Tag", "smb2.symlink.error_tag", FT_UINT32,
11682 BASE_HEX, NULL, 0x0, NULL, HFILL }
11685 { &hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER,
11686 { "SYMBOLIC_LINK_REPARSE_DATA_BUFFER", "smb2.SYMBOLIC_LINK_REPARSE_DATA_BUFFER", FT_NONE, BASE_NONE,
11687 NULL, 0, NULL, HFILL }
11689 { &hf_smb2_reparse_tag,
11690 { "Reparse Tag", "smb2.symlink.reparse_tag", FT_UINT32, BASE_HEX,
11691 NULL, 0x0, NULL, HFILL }
11693 { &hf_smb2_reparse_data_length,
11694 { "Reparse Data Length", "smb2.symlink.reparse_data_length", FT_UINT16, BASE_DEC,
11695 NULL, 0x0, NULL, HFILL }
11697 { &hf_smb2_unparsed_path_length,
11698 { "Unparsed Path Length", "smb2.symlink.unparsed_path_length", FT_UINT16, BASE_DEC,
11699 NULL, 0x0, NULL, HFILL }
11701 { &hf_smb2_symlink_substitute_name,
11702 { "Substitute Name", "smb2.symlink.substitute_name", FT_STRING, BASE_NONE,
11703 NULL, 0x0, NULL, HFILL }
11705 { &hf_smb2_symlink_print_name,
11706 { "Print Name", "smb2.symlink.print_name", FT_STRING, BASE_NONE,
11707 NULL, 0x0, NULL, HFILL }
11709 { &hf_smb2_symlink_flags,
11710 { "Flags", "smb2.symlink.flags", FT_UINT32, BASE_DEC,
11711 NULL, 0x0, NULL, HFILL }
11715 static gint *ett[] = {
11720 &ett_smb2_encrypted,
11723 &ett_smb2_negotiate_context_element,
11724 &ett_smb2_file_basic_info,
11725 &ett_smb2_file_standard_info,
11726 &ett_smb2_file_internal_info,
11727 &ett_smb2_file_ea_info,
11728 &ett_smb2_file_access_info,
11729 &ett_smb2_file_rename_info,
11730 &ett_smb2_file_disposition_info,
11731 &ett_smb2_file_position_info,
11732 &ett_smb2_file_full_ea_info,
11733 &ett_smb2_file_mode_info,
11734 &ett_smb2_file_alignment_info,
11735 &ett_smb2_file_all_info,
11736 &ett_smb2_file_allocation_info,
11737 &ett_smb2_file_endoffile_info,
11738 &ett_smb2_file_alternate_name_info,
11739 &ett_smb2_file_stream_info,
11740 &ett_smb2_file_pipe_info,
11741 &ett_smb2_file_compression_info,
11742 &ett_smb2_file_network_open_info,
11743 &ett_smb2_file_attribute_tag_info,
11744 &ett_smb2_fs_info_01,
11745 &ett_smb2_fs_info_03,
11746 &ett_smb2_fs_info_04,
11747 &ett_smb2_fs_info_05,
11748 &ett_smb2_fs_info_06,
11749 &ett_smb2_fs_info_07,
11750 &ett_smb2_fs_objectid_info,
11751 &ett_smb2_sec_info_00,
11752 &ett_smb2_quota_info,
11753 &ett_smb2_query_quota_info,
11754 &ett_smb2_tid_tree,
11755 &ett_smb2_sesid_tree,
11756 &ett_smb2_create_chain_element,
11757 &ett_smb2_MxAc_buffer,
11758 &ett_smb2_QFid_buffer,
11759 &ett_smb2_RqLs_buffer,
11760 &ett_smb2_ioctl_function,
11761 &ett_smb2_FILE_OBJECTID_BUFFER,
11763 &ett_smb2_sec_mode,
11764 &ett_smb2_capabilities,
11765 &ett_smb2_ses_req_flags,
11766 &ett_smb2_ses_flags,
11767 &ett_smb2_create_rep_flags,
11768 &ett_smb2_lease_state,
11769 &ett_smb2_lease_flags,
11770 &ett_smb2_share_flags,
11771 &ett_smb2_share_caps,
11772 &ett_smb2_ioctl_flags,
11773 &ett_smb2_ioctl_network_interface,
11774 &ett_smb2_ioctl_sqos_opeations,
11775 &ett_smb2_fsctl_range_data,
11776 &ett_windows_sockaddr,
11777 &ett_smb2_close_flags,
11778 &ett_smb2_notify_info,
11779 &ett_smb2_notify_flags,
11781 &ett_smb2_write_flags,
11782 &ett_smb2_find_flags,
11783 &ett_smb2_file_directory_info,
11784 &ett_smb2_both_directory_info,
11785 &ett_smb2_id_both_directory_info,
11786 &ett_smb2_full_directory_info,
11787 &ett_smb2_file_name_info,
11788 &ett_smb2_lock_info,
11789 &ett_smb2_lock_flags,
11790 &ett_smb2_DH2Q_buffer,
11791 &ett_smb2_DH2C_buffer,
11792 &ett_smb2_dh2x_flags,
11793 &ett_smb2_APP_INSTANCE_buffer,
11794 &ett_smb2_svhdx_open_device_context,
11795 &ett_smb2_posix_v1_request,
11796 &ett_smb2_posix_v1_response,
11797 &ett_smb2_posix_v1_supported_features,
11798 &ett_smb2_aapl_create_context_request,
11799 &ett_smb2_aapl_server_query_bitmask,
11800 &ett_smb2_aapl_server_query_caps,
11801 &ett_smb2_aapl_create_context_response,
11802 &ett_smb2_aapl_server_query_volume_caps,
11803 &ett_smb2_integrity_flags,
11804 &ett_smb2_transform_enc_alg,
11805 &ett_smb2_buffercode,
11806 &ett_smb2_ioctl_network_interface_capabilities,
11808 &ett_smb2_pipe_fragment,
11809 &ett_smb2_pipe_fragments,
11810 &ett_smb2_cchunk_entry,
11811 &ett_smb2_fsctl_odx_token,
11812 &ett_smb2_symlink_error_response,
11813 &ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER,
11814 &ett_smb2_error_data,
11817 static ei_register_info ei[] = {
11818 { &ei_smb2_invalid_length, { "smb2.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
11819 { &ei_smb2_bad_response, { "smb2.bad_response", PI_MALFORMED, PI_ERROR, "Bad response", EXPFILL }},
11820 { &ei_smb2_invalid_getinfo_offset, { "smb2.invalid_getinfo_offset", PI_MALFORMED, PI_ERROR, "Input buffer offset isn't past the fixed data in the message", EXPFILL }},
11821 { &ei_smb2_invalid_getinfo_size, { "smb2.invalid_getinfo_size", PI_MALFORMED, PI_ERROR, "Input buffer length goes past the end of the message", EXPFILL }},
11822 { &ei_smb2_empty_getinfo_buffer, { "smb2.empty_getinfo_buffer", PI_PROTOCOL, PI_WARN, "Input buffer length is empty for a quota request", EXPFILL }},
11825 expert_module_t* expert_smb2;
11827 /* SessionID <=> SessionKey mappings for decryption */
11830 static uat_field_t seskey_uat_fields[] = {
11831 UAT_FLD_BUFFER(seskey_list, id, "Session ID", "The session ID buffer, coded as hex string, as it appears on the wire (LE)."),
11832 UAT_FLD_BUFFER(seskey_list, key, "Session Key", "The secret session key buffer, coded as 16-byte hex string as it appears on the wire (LE)."),
11836 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
11838 proto_register_subtree_array(ett, array_length(ett));
11839 proto_register_field_array(proto_smb2, hf, array_length(hf));
11840 expert_smb2 = expert_register_protocol(proto_smb2);
11841 expert_register_field_array(expert_smb2, ei, array_length(ei));
11843 smb2_module = prefs_register_protocol(proto_smb2, NULL);
11844 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
11845 "Use the full file name as File ID when exporting an SMB2 object",
11846 "Whether the export object functionality will take the full path file name as file identifier",
11847 &eosmb2_take_name_as_fid);
11849 prefs_register_bool_preference(smb2_module, "pipe_reassembly",
11850 "Reassemble Named Pipes over SMB2",
11851 "Whether the dissector should reassemble Named Pipes over SMB2 commands",
11852 &smb2_pipe_reassembly);
11854 seskey_uat = uat_new("Secret session key to use for decryption",
11855 sizeof(smb2_seskey_field_t),
11856 "smb2_seskey_list",
11860 (UAT_AFFECTS_DISSECTION | UAT_AFFECTS_FIELDS),
11862 seskey_list_copy_cb,
11863 seskey_list_update_cb,
11864 seskey_list_free_cb,
11867 seskey_uat_fields);
11869 prefs_register_uat_preference(smb2_module,
11871 "Secret session keys for decryption",
11872 "A table of Session ID to Session key mappings used to derive decryption keys.",
11875 smb2_pipe_subdissector_list = register_heur_dissector_list("smb2_pipe_subdissectors", proto_smb2);
11877 * XXX - addresses_ports_reassembly_table_functions?
11878 * Probably correct for SMB-over-NBT and SMB-over-TCP,
11879 * as stuff from two different connections should
11880 * probably not be combined, but what about other
11881 * transports for SMB, e.g. NBF or Netware?
11883 reassembly_table_register(&smb2_pipe_reassembly_table,
11884 &addresses_reassembly_table_functions);
11886 smb2_tap = register_tap("smb2");
11887 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
11889 register_srt_table(proto_smb2, NULL, 1, smb2stat_packet, smb2stat_init, NULL);
/*
 * Handoff registration for the SMB2 dissector.
 *
 * Looks up the dissectors SMB2 hands payloads to ("gssapi", "ntlmssp" and
 * "rsvd"), recording proto_smb2 as the dependent protocol, and stores the
 * returned handles in variables declared elsewhere in this file.  It then
 * adds dissect_smb2_heur to the "netbios" and "smb_direct" heuristic lists.
 *
 * Both heuristic entries are registered with HEURISTIC_ENABLE, i.e. they are
 * on by default.  dissect_smb2_heur is defined outside this view; it is
 * therefore the check that decides whether capture bytes seen on these
 * transports are handed to the SMB2 parser -- NOTE(review): confirm it
 * rejects payloads that do not carry an SMB2 header before any field is read.
 */
void
proto_reg_handoff_smb2(void)
{
	/* Heuristic lists SMB2 attaches to, in registration order. */
	static const struct {
		const char *list_name;     /* heuristic dissector list */
		const char *display_name;  /* name shown to the user */
		const char *internal_name; /* internal name of this heuristic entry */
	} heur_transports[] = {
		{ "netbios",    "SMB2 over Netbios",    "smb2_netbios" },
		{ "smb_direct", "SMB2 over SMB Direct", "smb2_smb_direct" },
	};
	unsigned int idx;

	/* Sub-dissector handles; each lookup also records the dependency. */
	gssapi_handle = find_dissector_add_dependency("gssapi", proto_smb2);
	ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smb2);
	rsvd_handle = find_dissector_add_dependency("rsvd", proto_smb2);

	for (idx = 0; idx < sizeof heur_transports / sizeof heur_transports[0]; idx++) {
		heur_dissector_add(heur_transports[idx].list_name,
				   dissect_smb2_heur,
				   heur_transports[idx].display_name,
				   heur_transports[idx].internal_name,
				   proto_smb2,
				   HEURISTIC_ENABLE);
	}
}
11903 * Editor modelines - http://www.wireshark.org/tools/modelines.html
11906 * c-basic-offset: 8
11908 * indent-tabs-mode: t
11911 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
11912 * :indentSize=8:tabSize=8:noTabs=false: