2 * Routines for smb2 packet dissection
5 * For documentation of this protocol, see:
7 * http://wiki.wireshark.org/SMB2
8 * http://msdn.microsoft.com/en-us/library/cc246482(PROT.10).aspx
10 * If you edit this file, keep the wiki updated as well.
14 * Wireshark - Network traffic analyzer
15 * By Gerald Combs <gerald@wireshark.org>
16 * Copyright 1998 Gerald Combs
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include <epan/packet.h>
36 #include <epan/conversation.h>
38 #include <epan/wmem/wmem.h>
39 #include <epan/aftypes.h>
40 #include <epan/to_str.h>
42 #include "packet-smb2.h"
43 #include "packet-dcerpc.h"
44 #include "packet-ntlmssp.h"
45 #include "packet-windows-common.h"
46 #include "packet-smb-common.h"
47 #include "packet-smb.h"
48 #include "packet-dcerpc-nt.h"
50 #include <epan/prefs.h>
53 /* Use libgcrypt for cipher libraries. */
55 #include <wsutil/wsgcrypt.h>
56 #endif /* HAVE_LIBGCRYPT */
/* Registration entry points; only the prototypes appear at this point. */
void proto_register_smb2(void);
void proto_reg_handoff_smb2(void);

/* Display labels for the two SMB2 header kinds. */
static const char smb_header_label[]           = "SMB2 Header";
static const char smb_transform_header_label[] = "SMB2 Transform Header";
/*
 * Protocol id and header-field ids. Every id starts at -1; presumably the
 * registration routine replaces them with real ids (not visible here).
 */
static int proto_smb2 = -1;

/* Header, session and generic fields */
static int hf_smb2_cmd = -1;
static int hf_smb2_nt_status = -1;
static int hf_smb2_response_to = -1;
static int hf_smb2_response_in = -1;
static int hf_smb2_time = -1;
static int hf_smb2_header_len = -1;
static int hf_smb2_msg_id = -1;
static int hf_smb2_pid = -1;
static int hf_smb2_tid = -1;
static int hf_smb2_aid = -1;
static int hf_smb2_sesid = -1;
static int hf_smb2_previous_sesid = -1;
static int hf_smb2_flags_response = -1;
static int hf_smb2_flags_async_cmd = -1;
static int hf_smb2_flags_dfs_op = -1;
static int hf_smb2_flags_chained = -1;
static int hf_smb2_flags_signature = -1;
static int hf_smb2_flags_replay_operation = -1;
static int hf_smb2_chain_offset = -1;
static int hf_smb2_security_blob = -1;
static int hf_smb2_ioctl_in_data = -1;
static int hf_smb2_ioctl_out_data = -1;
static int hf_smb2_unknown = -1;
static int hf_smb2_twrp_timestamp = -1;
static int hf_smb2_mxac_timestamp = -1;
static int hf_smb2_mxac_status = -1;
static int hf_smb2_qfid_fid = -1;
static int hf_smb2_create_timestamp = -1;
static int hf_smb2_oplock = -1;
static int hf_smb2_close_flags = -1;
static int hf_smb2_notify_flags = -1;
static int hf_smb2_last_access_timestamp = -1;
static int hf_smb2_last_write_timestamp = -1;
static int hf_smb2_last_change_timestamp = -1;
static int hf_smb2_current_time = -1;
static int hf_smb2_boot_time = -1;
static int hf_smb2_filename = -1;
static int hf_smb2_filename_len = -1;
static int hf_smb2_nlinks = -1;
static int hf_smb2_delete_pending = -1;
static int hf_smb2_is_directory = -1;
static int hf_smb2_file_id = -1;
static int hf_smb2_allocation_size = -1;
static int hf_smb2_end_of_file = -1;
static int hf_smb2_tree = -1;
static int hf_smb2_find_pattern = -1;
static int hf_smb2_find_info_level = -1;
static int hf_smb2_find_info_blob = -1;
static int hf_smb2_client_guid = -1;
static int hf_smb2_server_guid = -1;
static int hf_smb2_object_id = -1;
static int hf_smb2_birth_volume_id = -1;
static int hf_smb2_birth_object_id = -1;
static int hf_smb2_domain_id = -1;

/* Info class / info level fields */
static int hf_smb2_class = -1;
static int hf_smb2_infolevel = -1;
static int hf_smb2_infolevel_file_info = -1;
static int hf_smb2_infolevel_fs_info = -1;
static int hf_smb2_infolevel_sec_info = -1;
static int hf_smb2_max_response_size = -1;
static int hf_smb2_max_ioctl_in_size = -1;
static int hf_smb2_max_ioctl_out_size = -1;
static int hf_smb2_flags = -1;
static int hf_smb2_required_buffer_size = -1;
static int hf_smb2_setinfo_size = -1;
static int hf_smb2_setinfo_offset = -1;
static int hf_smb2_file_basic_info = -1;
static int hf_smb2_file_standard_info = -1;
static int hf_smb2_file_internal_info = -1;
static int hf_smb2_file_ea_info = -1;
static int hf_smb2_file_access_info = -1;
static int hf_smb2_file_rename_info = -1;
static int hf_smb2_file_disposition_info = -1;
static int hf_smb2_file_position_info = -1;
static int hf_smb2_file_full_ea_info = -1;
static int hf_smb2_file_mode_info = -1;
static int hf_smb2_file_alignment_info = -1;
static int hf_smb2_file_all_info = -1;
static int hf_smb2_file_allocation_info = -1;
static int hf_smb2_file_endoffile_info = -1;
static int hf_smb2_file_alternate_name_info = -1;
static int hf_smb2_file_stream_info = -1;
static int hf_smb2_file_pipe_info = -1;
static int hf_smb2_file_compression_info = -1;
static int hf_smb2_file_network_open_info = -1;
static int hf_smb2_file_attribute_tag_info = -1;
static int hf_smb2_fs_info_01 = -1;
static int hf_smb2_fs_info_03 = -1;
static int hf_smb2_fs_info_04 = -1;
static int hf_smb2_fs_info_05 = -1;
static int hf_smb2_fs_info_06 = -1;
static int hf_smb2_fs_info_07 = -1;
static int hf_smb2_fs_objectid_info = -1;
static int hf_smb2_sec_info_00 = -1;

/* Read / write / create fields */
static int hf_smb2_fid = -1;
static int hf_smb2_write_length = -1;
static int hf_smb2_write_data = -1;
static int hf_smb2_write_flags = -1;
static int hf_smb2_write_flags_write_through = -1;
static int hf_smb2_write_count = -1;
static int hf_smb2_write_remaining = -1;
static int hf_smb2_read_length = -1;
static int hf_smb2_read_remaining = -1;
static int hf_smb2_file_offset = -1;
static int hf_smb2_read_data = -1;
static int hf_smb2_disposition_delete_on_close = -1;
static int hf_smb2_create_disposition = -1;
static int hf_smb2_create_chain_offset = -1;
static int hf_smb2_create_chain_data = -1;
static int hf_smb2_data_offset = -1;
static int hf_smb2_extrainfo = -1;
static int hf_smb2_create_action = -1;
static int hf_smb2_create_rep_flags = -1;
static int hf_smb2_create_rep_flags_reparse_point = -1;
static int hf_smb2_next_offset = -1;
static int hf_smb2_ea_size = -1;
static int hf_smb2_ea_flags = -1;
static int hf_smb2_ea_name_len = -1;
static int hf_smb2_ea_data_len = -1;
static int hf_smb2_ea_name = -1;
static int hf_smb2_ea_data = -1;
static int hf_smb2_buffer_code = -1;
static int hf_smb2_buffer_code_len = -1;
static int hf_smb2_buffer_code_flags_dyn = -1;
static int hf_smb2_olb_offset = -1;
static int hf_smb2_olb_length = -1;
static int hf_smb2_tag = -1;
static int hf_smb2_impersonation_level = -1;

/* Ioctl fields */
static int hf_smb2_ioctl_function = -1;
static int hf_smb2_ioctl_function_device = -1;
static int hf_smb2_ioctl_function_access = -1;
static int hf_smb2_ioctl_function_function = -1;
static int hf_smb2_ioctl_function_method = -1;
static int hf_smb2_ioctl_resiliency_timeout = -1;
static int hf_smb2_ioctl_resiliency_reserved = -1;
static int hf_windows_sockaddr_family = -1;
static int hf_windows_sockaddr_port = -1;
static int hf_windows_sockaddr_in_addr = -1;
static int hf_windows_sockaddr_in6_flowinfo = -1;
static int hf_windows_sockaddr_in6_addr = -1;
static int hf_windows_sockaddr_in6_scope_id = -1;
static int hf_smb2_ioctl_network_interface_next_offset = -1;
static int hf_smb2_ioctl_network_interface_index = -1;
static int hf_smb2_ioctl_network_interface_rss_queue_count = -1;
static int hf_smb2_ioctl_network_interface_capabilities = -1;
static int hf_smb2_ioctl_network_interface_capability_rss = -1;
static int hf_smb2_ioctl_network_interface_capability_rdma = -1;
static int hf_smb2_ioctl_network_interface_link_speed = -1;
static int hf_smb2_ioctl_shadow_copy_num_volumes = -1;
static int hf_smb2_ioctl_shadow_copy_num_labels = -1;
static int hf_smb2_ioctl_shadow_copy_count = -1;
static int hf_smb2_ioctl_shadow_copy_label = -1;
static int hf_smb2_compression_format = -1;
static int hf_smb2_FILE_OBJECTID_BUFFER = -1;

/* Lease fields */
static int hf_smb2_lease_key = -1;
static int hf_smb2_lease_state = -1;
static int hf_smb2_lease_state_read_caching = -1;
static int hf_smb2_lease_state_handle_caching = -1;
static int hf_smb2_lease_state_write_caching = -1;
static int hf_smb2_lease_flags = -1;
static int hf_smb2_lease_flags_break_ack_required = -1;
static int hf_smb2_lease_flags_parent_lease_key_set = -1;
static int hf_smb2_lease_flags_break_in_progress = -1;
static int hf_smb2_lease_duration = -1;
static int hf_smb2_parent_lease_key = -1;
static int hf_smb2_lease_epoch = -1;
static int hf_smb2_lease_reserved = -1;
static int hf_smb2_lease_break_reason = -1;
static int hf_smb2_lease_access_mask_hint = -1;
static int hf_smb2_lease_share_mask_hint = -1;

/* Authentication, negotiation and share fields */
static int hf_smb2_acct_name = -1;
static int hf_smb2_domain_name = -1;
static int hf_smb2_host_name = -1;
static int hf_smb2_auth_frame = -1;
static int hf_smb2_tcon_frame = -1;
static int hf_smb2_share_type = -1;
static int hf_smb2_signature = -1;
static int hf_smb2_credit_charge = -1;
static int hf_smb2_credits_requested = -1;
static int hf_smb2_credits_granted = -1;
static int hf_smb2_channel_sequence = -1;
static int hf_smb2_dialect_count = -1;
static int hf_smb2_security_mode = -1;
static int hf_smb2_secmode_flags_sign_required = -1;
static int hf_smb2_secmode_flags_sign_enabled = -1;
static int hf_smb2_ses_req_flags = -1;
static int hf_smb2_ses_req_flags_session_binding = -1;
static int hf_smb2_capabilities = -1;
static int hf_smb2_cap_dfs = -1;
static int hf_smb2_cap_leasing = -1;
static int hf_smb2_cap_large_mtu = -1;
static int hf_smb2_cap_multi_channel = -1;
static int hf_smb2_cap_persistent_handles = -1;
static int hf_smb2_cap_directory_leasing = -1;
static int hf_smb2_cap_encryption = -1;
static int hf_smb2_dialect = -1;
static int hf_smb2_max_trans_size = -1;
static int hf_smb2_max_read_size = -1;
static int hf_smb2_max_write_size = -1;
static int hf_smb2_channel = -1;
static int hf_smb2_rdma_v1_offset = -1;
static int hf_smb2_rdma_v1_token = -1;
static int hf_smb2_rdma_v1_length = -1;
static int hf_smb2_session_flags = -1;
static int hf_smb2_ses_flags_guest = -1;
static int hf_smb2_ses_flags_null = -1;
static int hf_smb2_share_flags = -1;
static int hf_smb2_share_flags_dfs = -1;
static int hf_smb2_share_flags_dfs_root = -1;
static int hf_smb2_share_flags_restrict_exclusive_opens = -1;
static int hf_smb2_share_flags_force_shared_delete = -1;
static int hf_smb2_share_flags_allow_namespace_caching = -1;
static int hf_smb2_share_flags_access_based_dir_enum = -1;
static int hf_smb2_share_flags_force_levelii_oplock = -1;
static int hf_smb2_share_flags_enable_hash_v1 = -1;
static int hf_smb2_share_flags_enable_hash_v2 = -1;
static int hf_smb2_share_flags_encrypt_data = -1;
static int hf_smb2_share_caching = -1;
static int hf_smb2_share_caps = -1;
static int hf_smb2_share_caps_dfs = -1;
static int hf_smb2_share_caps_continuous_availability = -1;
static int hf_smb2_share_caps_scaleout = -1;
static int hf_smb2_share_caps_cluster = -1;

/* Create, lock, notify and find fields */
static int hf_smb2_create_flags = -1;
static int hf_smb2_lock_count = -1;
static int hf_smb2_min_count = -1;
static int hf_smb2_remaining_bytes = -1;
static int hf_smb2_channel_info_offset = -1;
static int hf_smb2_channel_info_length = -1;
static int hf_smb2_channel_info_blob = -1;
static int hf_smb2_ioctl_flags = -1;
static int hf_smb2_ioctl_is_fsctl = -1;
static int hf_smb2_close_pq_attrib = -1;
static int hf_smb2_notify_watch_tree = -1;
static int hf_smb2_output_buffer_len = -1;
static int hf_smb2_notify_out_data = -1;
static int hf_smb2_find_flags = -1;
static int hf_smb2_find_flags_restart_scans = -1;
static int hf_smb2_find_flags_single_entry = -1;
static int hf_smb2_find_flags_index_specified = -1;
static int hf_smb2_find_flags_reopen = -1;
static int hf_smb2_file_index = -1;
static int hf_smb2_file_directory_info = -1;
static int hf_smb2_both_directory_info = -1;
static int hf_smb2_short_name_len = -1;
static int hf_smb2_short_name = -1;
static int hf_smb2_id_both_directory_info = -1;
static int hf_smb2_full_directory_info = -1;
static int hf_smb2_lock_info = -1;
static int hf_smb2_lock_length = -1;
static int hf_smb2_lock_flags = -1;
static int hf_smb2_lock_flags_shared = -1;
static int hf_smb2_lock_flags_exclusive = -1;
static int hf_smb2_lock_flags_unlock = -1;
static int hf_smb2_lock_flags_fail_immediately = -1;
static int hf_smb2_dhnq_buffer_reserved = -1;
static int hf_smb2_dh2x_buffer_timeout = -1;
static int hf_smb2_dh2x_buffer_flags = -1;
static int hf_smb2_dh2x_buffer_flags_persistent_handle = -1;
static int hf_smb2_dh2x_buffer_reserved = -1;
static int hf_smb2_dh2x_buffer_create_guid = -1;
static int hf_smb2_APP_INSTANCE_buffer_struct_size = -1;
static int hf_smb2_APP_INSTANCE_buffer_reserved = -1;
static int hf_smb2_APP_INSTANCE_buffer_app_guid = -1;
static int hf_smb2_error_byte_count = -1;
static int hf_smb2_error_data = -1;
static int hf_smb2_error_reserved = -1;
static int hf_smb2_reserved = -1;

/* Transform (encrypted message) header fields */
static int hf_smb2_transform_signature = -1;
static int hf_smb2_transform_nonce = -1;
static int hf_smb2_transform_msg_size = -1;
static int hf_smb2_transform_reserved = -1;
static int hf_smb2_encryption_aes128_ccm = -1;
static int hf_smb2_transform_enc_alg = -1;
static int hf_smb2_transform_encrypted_data = -1;
/* Subtree ("ett") indices, one per expandable tree node; all start at -1. */
static gint ett_smb2 = -1;
static gint ett_smb2_olb = -1;
static gint ett_smb2_ea = -1;
static gint ett_smb2_header = -1;
static gint ett_smb2_encrypted = -1;
static gint ett_smb2_command = -1;
static gint ett_smb2_secblob = -1;

/* File information levels */
static gint ett_smb2_file_basic_info = -1;
static gint ett_smb2_file_standard_info = -1;
static gint ett_smb2_file_internal_info = -1;
static gint ett_smb2_file_ea_info = -1;
static gint ett_smb2_file_access_info = -1;
static gint ett_smb2_file_position_info = -1;
static gint ett_smb2_file_mode_info = -1;
static gint ett_smb2_file_alignment_info = -1;
static gint ett_smb2_file_all_info = -1;
static gint ett_smb2_file_allocation_info = -1;
static gint ett_smb2_file_endoffile_info = -1;
static gint ett_smb2_file_alternate_name_info = -1;
static gint ett_smb2_file_stream_info = -1;
static gint ett_smb2_file_pipe_info = -1;
static gint ett_smb2_file_compression_info = -1;
static gint ett_smb2_file_network_open_info = -1;
static gint ett_smb2_file_attribute_tag_info = -1;
static gint ett_smb2_file_rename_info = -1;
static gint ett_smb2_file_disposition_info = -1;
static gint ett_smb2_file_full_ea_info = -1;

/* File-system and security information levels */
static gint ett_smb2_fs_info_01 = -1;
static gint ett_smb2_fs_info_03 = -1;
static gint ett_smb2_fs_info_04 = -1;
static gint ett_smb2_fs_info_05 = -1;
static gint ett_smb2_fs_info_06 = -1;
static gint ett_smb2_fs_info_07 = -1;
static gint ett_smb2_fs_objectid_info = -1;
static gint ett_smb2_sec_info_00 = -1;

/* Everything else */
static gint ett_smb2_tid_tree = -1;
static gint ett_smb2_sesid_tree = -1;
static gint ett_smb2_create_chain_element = -1;
static gint ett_smb2_MxAc_buffer = -1;
static gint ett_smb2_QFid_buffer = -1;
static gint ett_smb2_RqLs_buffer = -1;
static gint ett_smb2_ioctl_function = -1;
static gint ett_smb2_FILE_OBJECTID_BUFFER = -1;
static gint ett_smb2_flags = -1;
static gint ett_smb2_sec_mode = -1;
static gint ett_smb2_capabilities = -1;
static gint ett_smb2_ses_req_flags = -1;
static gint ett_smb2_ses_flags = -1;
static gint ett_smb2_lease_state = -1;
static gint ett_smb2_lease_flags = -1;
static gint ett_smb2_share_flags = -1;
static gint ett_smb2_create_rep_flags = -1;
static gint ett_smb2_share_caps = -1;
static gint ett_smb2_ioctl_flags = -1;
static gint ett_smb2_ioctl_network_interface = -1;
static gint ett_windows_sockaddr = -1;
static gint ett_smb2_close_flags = -1;
static gint ett_smb2_notify_flags = -1;
static gint ett_smb2_write_flags = -1;
static gint ett_smb2_rdma_v1 = -1;
static gint ett_smb2_DH2Q_buffer = -1;
static gint ett_smb2_DH2C_buffer = -1;
static gint ett_smb2_dh2x_flags = -1;
static gint ett_smb2_APP_INSTANCE_buffer = -1;
static gint ett_smb2_find_flags = -1;
static gint ett_smb2_file_directory_info = -1;
static gint ett_smb2_both_directory_info = -1;
static gint ett_smb2_id_both_directory_info = -1;
static gint ett_smb2_full_directory_info = -1;
static gint ett_smb2_file_name_info = -1;
static gint ett_smb2_lock_info = -1;
static gint ett_smb2_lock_flags = -1;
static gint ett_smb2_transform_enc_alg = -1;
static gint ett_smb2_buffercode = -1;
/* Tap ids; smb2_eo_tap is the one feed_eo_smb2() queues export-object records on. */
static int smb2_tap    = -1;
static int smb2_eo_tap = -1;

/* Dissector handles for GSS-API and NTLMSSP, NULL until looked up. */
static dissector_handle_t gssapi_handle  = NULL;
static dissector_handle_t ntlmssp_handle = NULL;

/* List of heuristic sub-dissectors for SMB2. */
static heur_dissector_list_t smb2_heur_subdissector_list;
/*
 * Info class values and their display names.
 * NOTE(review): the terminating entries and closing braces of both tables are
 * not shown in this listing; { 0, NULL } is the usual value_string sentinel.
 */
#define SMB2_CLASS_FILE_INFO	0x01
#define SMB2_CLASS_FS_INFO	0x02
#define SMB2_CLASS_SEC_INFO	0x03

static const value_string smb2_class_vals[] = {
	{ SMB2_CLASS_FILE_INFO,	"FILE_INFO"},
	{ SMB2_CLASS_FS_INFO,	"FS_INFO"},
	{ SMB2_CLASS_SEC_INFO,	"SEC_INFO"},
	{ 0, NULL }
};

/* Share type values and their display names. */
#define SMB2_SHARE_TYPE_DISK	0x01
#define SMB2_SHARE_TYPE_PIPE	0x02
#define SMB2_SHARE_TYPE_PRINT	0x03

static const value_string smb2_share_type_vals[] = {
	{ SMB2_SHARE_TYPE_DISK,		"Physical disk" },
	{ SMB2_SHARE_TYPE_PIPE,		"Named pipe" },
	{ SMB2_SHARE_TYPE_PRINT,	"Printer" },
	{ 0, NULL }
};
/*
 * File information levels. The table below lists them in ascending value
 * order and is wrapped in a value_string_ext for lookups.
 * NOTE(review): the terminating entry and closing brace of the table are not
 * shown in this listing; { 0, NULL } is the usual value_string sentinel.
 */
#define SMB2_FILE_BASIC_INFO		0x04
#define SMB2_FILE_STANDARD_INFO		0x05
#define SMB2_FILE_INTERNAL_INFO		0x06
#define SMB2_FILE_EA_INFO		0x07
#define SMB2_FILE_ACCESS_INFO		0x08
#define SMB2_FILE_RENAME_INFO		0x0a
#define SMB2_FILE_DISPOSITION_INFO	0x0d
#define SMB2_FILE_POSITION_INFO		0x0e
#define SMB2_FILE_FULL_EA_INFO		0x0f
#define SMB2_FILE_MODE_INFO		0x10
#define SMB2_FILE_ALIGNMENT_INFO	0x11
#define SMB2_FILE_ALL_INFO		0x12
#define SMB2_FILE_ALLOCATION_INFO	0x13
#define SMB2_FILE_ENDOFFILE_INFO	0x14
#define SMB2_FILE_ALTERNATE_NAME_INFO	0x15
#define SMB2_FILE_STREAM_INFO		0x16
#define SMB2_FILE_PIPE_INFO		0x17
#define SMB2_FILE_COMPRESSION_INFO	0x1c
#define SMB2_FILE_NETWORK_OPEN_INFO	0x22
#define SMB2_FILE_ATTRIBUTE_TAG_INFO	0x23

static const value_string smb2_file_info_levels[] = {
	{ SMB2_FILE_BASIC_INFO,			"SMB2_FILE_BASIC_INFO" },
	{ SMB2_FILE_STANDARD_INFO,		"SMB2_FILE_STANDARD_INFO" },
	{ SMB2_FILE_INTERNAL_INFO,		"SMB2_FILE_INTERNAL_INFO" },
	{ SMB2_FILE_EA_INFO,			"SMB2_FILE_EA_INFO" },
	{ SMB2_FILE_ACCESS_INFO,		"SMB2_FILE_ACCESS_INFO" },
	{ SMB2_FILE_RENAME_INFO,		"SMB2_FILE_RENAME_INFO" },
	{ SMB2_FILE_DISPOSITION_INFO,		"SMB2_FILE_DISPOSITION_INFO" },
	{ SMB2_FILE_POSITION_INFO,		"SMB2_FILE_POSITION_INFO" },
	{ SMB2_FILE_FULL_EA_INFO,		"SMB2_FILE_FULL_EA_INFO" },
	{ SMB2_FILE_MODE_INFO,			"SMB2_FILE_MODE_INFO" },
	{ SMB2_FILE_ALIGNMENT_INFO,		"SMB2_FILE_ALIGNMENT_INFO" },
	{ SMB2_FILE_ALL_INFO,			"SMB2_FILE_ALL_INFO" },
	{ SMB2_FILE_ALLOCATION_INFO,		"SMB2_FILE_ALLOCATION_INFO" },
	{ SMB2_FILE_ENDOFFILE_INFO,		"SMB2_FILE_ENDOFFILE_INFO" },
	{ SMB2_FILE_ALTERNATE_NAME_INFO,	"SMB2_FILE_ALTERNATE_NAME_INFO" },
	{ SMB2_FILE_STREAM_INFO,		"SMB2_FILE_STREAM_INFO" },
	{ SMB2_FILE_PIPE_INFO,			"SMB2_FILE_PIPE_INFO" },
	{ SMB2_FILE_COMPRESSION_INFO,		"SMB2_FILE_COMPRESSION_INFO" },
	{ SMB2_FILE_NETWORK_OPEN_INFO,		"SMB2_FILE_NETWORK_OPEN_INFO" },
	{ SMB2_FILE_ATTRIBUTE_TAG_INFO,		"SMB2_FILE_ATTRIBUTE_TAG_INFO" },
	{ 0, NULL }
};
static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);
/*
 * File-system information levels, then the single security information level.
 * NOTE(review): the terminating entries and closing braces of both tables are
 * not shown in this listing; { 0, NULL } is the usual value_string sentinel.
 */
#define SMB2_FS_INFO_01		0x01
#define SMB2_FS_INFO_03		0x03
#define SMB2_FS_INFO_04		0x04
#define SMB2_FS_INFO_05		0x05
#define SMB2_FS_INFO_06		0x06
#define SMB2_FS_INFO_07		0x07
#define SMB2_FS_OBJECTID_INFO	0x08

static const value_string smb2_fs_info_levels[] = {
	{ SMB2_FS_INFO_01,		"SMB2_FS_INFO_01" },
	{ SMB2_FS_INFO_03,		"SMB2_FS_INFO_03" },
	{ SMB2_FS_INFO_04,		"SMB2_FS_INFO_04" },
	{ SMB2_FS_INFO_05,		"SMB2_FS_INFO_05" },
	{ SMB2_FS_INFO_06,		"SMB2_FS_INFO_06" },
	{ SMB2_FS_INFO_07,		"SMB2_FS_INFO_07" },
	{ SMB2_FS_OBJECTID_INFO,	"SMB2_FS_OBJECTID_INFO" },
	{ 0, NULL }
};
static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);

#define SMB2_SEC_INFO_00	0x00

static const value_string smb2_sec_info_levels[] = {
	{ SMB2_SEC_INFO_00,	"SMB2_SEC_INFO_00" },
	{ 0, NULL }
};
static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);
/*
 * Find (directory query) information levels and their display names.
 * NOTE(review): the terminating entry and closing brace of the table are not
 * shown in this listing; { 0, NULL } is the usual value_string sentinel.
 */
#define SMB2_FIND_DIRECTORY_INFO		0x01
#define SMB2_FIND_FULL_DIRECTORY_INFO		0x02
#define SMB2_FIND_BOTH_DIRECTORY_INFO		0x03
#define SMB2_FIND_INDEX_SPECIFIED		0x04
#define SMB2_FIND_NAME_INFO			0x0C
#define SMB2_FIND_ID_BOTH_DIRECTORY_INFO	0x25
#define SMB2_FIND_ID_FULL_DIRECTORY_INFO	0x26

static const value_string smb2_find_info_levels[] = {
	{ SMB2_FIND_DIRECTORY_INFO,		"SMB2_FIND_DIRECTORY_INFO" },
	{ SMB2_FIND_FULL_DIRECTORY_INFO,	"SMB2_FIND_FULL_DIRECTORY_INFO" },
	{ SMB2_FIND_BOTH_DIRECTORY_INFO,	"SMB2_FIND_BOTH_DIRECTORY_INFO" },
	{ SMB2_FIND_INDEX_SPECIFIED,		"SMB2_FIND_INDEX_SPECIFIED" },
	{ SMB2_FIND_NAME_INFO,			"SMB2_FIND_NAME_INFO" },
	{ SMB2_FIND_ID_BOTH_DIRECTORY_INFO,	"SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
	{ SMB2_FIND_ID_FULL_DIRECTORY_INFO,	"SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
	{ 0, NULL }
};
/* An all-zero buffer of NTLMSSP_KEY_LEN bytes. */
static const gint8 zeros[NTLMSSP_KEY_LEN] = { 0 };

/* Export-object preference: when set, feed_eo_smb2() hashes the file name
 * instead of the file id to build the object's fid. */
gboolean eosmb2_take_name_as_fid = FALSE;
/*
 * Unmatched smb_saved_info structures.
 * Unmatched smb_saved_info structures are stored keyed by their msg_id field.
 *
 * Equality callback for that table: two entries are the same when their
 * msg_id values are equal.
 * NOTE(review): the return-type line is not shown in this listing;
 * "static gint" mirrors smb2_eo_files_equal - confirm against the tree.
 */
static gint
smb2_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	return lhs->msg_id == rhs->msg_id;
}
/*
 * Hash callback over an smb2_saved_info_t: the low 32 bits of msg_id.
 * NOTE(review): the return-type line, the local declaration and the return
 * statement are not shown in this listing; "static guint" mirrors
 * smb2_eo_files_hash - confirm against the tree.
 */
static guint
smb2_saved_info_hash_unmatched(gconstpointer k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (guint32) (entry->msg_id&0xffffffff);
}
/*
 * Matched smb_saved_info structures.
 * Matched smb_saved_info structures are stored keyed by their msg_id field.
 *
 * Equality callback for that table: two entries are the same when their
 * msg_id values are equal.
 * NOTE(review): the return-type line is not shown in this listing;
 * "static gint" mirrors smb2_eo_files_equal - confirm against the tree.
 */
static gint
smb2_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	return lhs->msg_id == rhs->msg_id;
}
/*
 * Hash callback over an smb2_saved_info_t: the low 32 bits of msg_id.
 * NOTE(review): the return-type line, the local declaration and the return
 * statement are not shown in this listing; "static guint" mirrors
 * smb2_eo_files_hash - confirm against the tree.
 */
static guint
smb2_saved_info_hash_matched(gconstpointer k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (guint32) (entry->msg_id&0xffffffff);
}
/*
 * Tids of a specific conversation.
 * This table keeps track of tid->sharename mappings and of other per-tid
 * information.
 *
 * Tid reuse within a single conversation is not handled yet, for simplicity;
 * in a capture where a tid is reused, later traffic may be shown against the
 * share recorded for the earlier use.
 *
 * Equality callback: two entries are the same when their tid values match.
 * NOTE(review): the return-type line is not shown in this listing;
 * "static gint" mirrors smb2_eo_files_equal - confirm against the tree.
 */
static gint
smb2_tid_info_equal(gconstpointer k1, gconstpointer k2)
{
	const smb2_tid_info_t *lhs = (const smb2_tid_info_t *)k1;
	const smb2_tid_info_t *rhs = (const smb2_tid_info_t *)k2;

	return lhs->tid == rhs->tid;
}
/* Callback taking an smb2_tid_info_t key; by its name and signature it looks
 * like the hash function that goes with smb2_tid_info_equal.
 * NOTE(review): only the key cast is visible in this listing - the return
 * type, the hash expression and the return statement are not shown, so
 * confirm them against the tree. */
600 smb2_tid_info_hash(gconstpointer k)
602 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
/*
 * Uids of a specific conversation.
 * This table keeps track of uid->acct_name mappings and of other per-session
 * information.
 *
 * Uid reuse within a single conversation is not handled yet, for simplicity;
 * in a capture where an id is reused, later traffic may be shown against the
 * account recorded for the earlier use.
 *
 * Equality callback: two entries are the same when their sesid values match.
 * NOTE(review): the return-type line is not shown in this listing;
 * "static gint" mirrors smb2_eo_files_equal - confirm against the tree.
 */
static gint
smb2_sesid_info_equal(gconstpointer k1, gconstpointer k2)
{
	const smb2_sesid_info_t *lhs = (const smb2_sesid_info_t *)k1;
	const smb2_sesid_info_t *rhs = (const smb2_sesid_info_t *)k2;

	return lhs->sesid == rhs->sesid;
}
/*
 * Hash callback over an smb2_sesid_info_t: the upper and lower 32-bit halves
 * of sesid are added and the sum is truncated to 32 bits.
 * NOTE(review): the return-type line, the local declaration and the return
 * statement are not shown in this listing; "static guint" mirrors
 * smb2_eo_files_hash - confirm against the tree.
 */
static guint
smb2_sesid_info_hash(gconstpointer k)
{
	const smb2_sesid_info_t *entry = (const smb2_sesid_info_t *)k;

	return (guint32)( ((entry->sesid>>32)&0xffffffff)+((entry->sesid)&0xffffffff) );
}
633 /* Callback for destroying the glib hash tables associated with a conversation
/* Conversation teardown callback: user_data is cast to the smb2_conv_info_t
 * whose four GLib hash tables (matched, unmatched, sesids, files) are
 * destroyed.
 * NOTE(review): g_hash_table_destroy() releases keys and values only when the
 * table was created with destroy notifiers; how these tables were created is
 * not visible here, so confirm that the entries are not leaked.
 * NOTE(review): the end of the parameter list and the return statement are
 * not shown in this listing. */
636 smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
639 smb2_conv_info_t *conv = (smb2_conv_info_t *)user_data;
/* allocator and event carry the _U_ (unused) tag; only user_data is read. */
641 g_hash_table_destroy(conv->matched);
642 g_hash_table_destroy(conv->unmatched);
643 g_hash_table_destroy(conv->sesids);
644 g_hash_table_destroy(conv->files);
646 /* This conversation is gone, return FALSE to indicate we don't
647 * want to be called again for this conversation. */
/* Derives 16 bytes of key material into KO from the input key KI plus Label
 * and Context, using HMAC-SHA256 from libgcrypt when HAVE_LIBGCRYPT is
 * defined. The _U_ tags mark the inputs as possibly unused.
 * NOTE(review): the last parameter line, the declaration of buf, any writes
 * to buf between the gcry_md_write() calls, the handle cleanup and the
 * non-libgcrypt branch are not shown in this listing. The two lines numbered
 * 662 and 663 are the body of an original comment whose delimiters are also
 * missing here. */
651 static void smb2_key_derivation(const guint8 *KI _U_, guint32 KI_len _U_,
652 const guint8 *Label _U_, guint32 Label_len _U_,
653 const guint8 *Context _U_, guint32 Context_len _U_,
656 #ifdef HAVE_LIBGCRYPT
657 gcry_md_hd_t hd = NULL;
659 guint8 *digest = NULL;
662 * a simplified version of
663 * "NIST Special Publication 800-108" section 5.1
/* NOTE(review): the results of gcry_md_open() and gcry_md_setkey() are
 * discarded. If the open fails, hd is still NULL and every call below would
 * run on an invalid handle; checking both and bailing out would be safer. */
666 gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
667 gcry_md_setkey(hd, KI, KI_len);
/* HMAC input, in order: all of buf, Label, the first byte of buf, Context,
 * all of buf again. */
669 memset(buf, 0, sizeof(buf));
671 gcry_md_write(hd, buf, sizeof(buf));
672 gcry_md_write(hd, Label, Label_len);
673 gcry_md_write(hd, buf, 1);
674 gcry_md_write(hd, Context, Context_len);
676 gcry_md_write(hd, buf, sizeof(buf));
/* NOTE(review): gcry_md_read() can return NULL and its result is copied
 * without a check. The pointer refers to memory owned by the handle, and only
 * the first 16 digest bytes are kept as the derived key. */
678 digest = gcry_md_read(hd, GCRY_MD_SHA256);
680 memcpy(KO, digest, 16);
688 /* for export-object-smb2 */
/* Renders a policy handle as a GUID-style hex string
 * (8-4-4-4-12 hex digits, per the format string below).
 * The string is allocated in wmem_packet_scope(), i.e. packet-scoped memory,
 * so callers must not keep the pointer beyond the current packet.
 * NOTE(review): the declaration of file_id, the printf arguments and the
 * return statement are not shown in this listing; presumably the arguments
 * are the fields of hnd->uuid - confirm against the tree. */
689 static gchar *policy_hnd_to_file_id(const e_ctx_hnd *hnd) {
691 file_id = wmem_strdup_printf(wmem_packet_scope(),
692 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
/* Hash callback for export-object file keys: the handle is rendered to its
 * printable id with policy_hnd_to_file_id() and that string is hashed. */
static guint
smb2_eo_files_hash(gconstpointer k)
{
	const e_ctx_hnd *handle = (const e_ctx_hnd *)k;
	const gchar *printable_id = policy_hnd_to_file_id(handle);

	return g_str_hash(printable_id);
}
/* Equality callback for export-object file keys: two handles are equal when
 * every field of their uuid (Data1, Data2, Data3 and the eight Data4 bytes)
 * matches.
 * NOTE(review): the local declaration and the return statement are not shown
 * in this listing; the result of the comparison is assumed to be what the
 * function returns. */
static gint
smb2_eo_files_equal(gconstpointer k1, gconstpointer k2)
{
	const e_ctx_hnd *lhs = (const e_ctx_hnd *)k1;
	const e_ctx_hnd *rhs = (const e_ctx_hnd *)k2;
	int i;

	if (lhs->uuid.Data1 != rhs->uuid.Data1 ||
	    lhs->uuid.Data2 != rhs->uuid.Data2 ||
	    lhs->uuid.Data3 != rhs->uuid.Data3) {
		return FALSE;
	}

	for (i = 0; i < 8; i++) {
		if (lhs->uuid.Data4[i] != rhs->uuid.Data4[i]) {
			return FALSE;
		}
	}

	return TRUE;
}
/* Builds an smb_eo_t record for the export-object tap from one chunk of file
 * data (length bytes at dataoffset in tvb, belonging at file_offset in the
 * file) and queues it on smb2_eo_tap.
 * The record and every string in it are allocated in wmem_packet_scope().
 * NOTE(review): several lines of this function (the return type, some
 * declarations and assignments, else branches and closing braces) are not
 * shown in this listing, so the comments below describe only the visible
 * statements.
 * NOTE(review): filename and hostname are built from names recorded during
 * dissection, which presumably originate in the captured traffic; a listener
 * that writes exported objects to disk should treat both as untrusted and
 * sanitise path separators before building a path. */
730 feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, guint16 dataoffset,guint32 length, guint64 file_offset) {
732 char *fid_name = NULL;
733 guint32 open_frame = 0, close_frame = 0;
734 tvbuff_t *data_tvb = NULL;
738 gchar **aux_string_v;
740 /* Create a new tvb to point to the payload data */
/* dataoffset and length are passed through unchanged; presumably
 * tvb_new_subset() rejects a range that falls outside tvb - confirm. */
741 data_tvb = tvb_new_subset(tvb, dataoffset, length, length);
742 /* Create the eo_info to pass to the listener */
743 eo_info = wmem_new(wmem_packet_scope(), smb_eo_t);
744 /* Fill in eo_info */
745 eo_info->smbversion=2;
747 eo_info->cmd=si->opcode;
748 /* We don't keep track of uid in SMB v2 */
751 /* Try to get file id and filename */
752 file_id=policy_hnd_to_file_id(&si->saved->policy_hnd);
753 dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num);
/* A name is used only when one was recorded and it is more than the bare
 * "File: " prefix. */
754 if (fid_name && g_strcmp0(fid_name,"File: ")!=0) {
756 /* Remove "File: " from filename */
757 if (g_str_has_prefix(auxstring, "File: ")) {
/* The prefix check above guarantees at least one split, so the vector has at
 * least two elements and the length-1 index is valid. Only the text after the
 * last "File: " occurrence is kept. */
758 aux_string_v = g_strsplit(auxstring, "File: ", -1);
759 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",aux_string_v[g_strv_length(aux_string_v)-1]);
760 g_strfreev(aux_string_v);
/* Names without the prefix are stored with exactly one leading backslash. */
762 if (g_str_has_prefix(auxstring, "\\")) {
763 eo_info->filename = wmem_strdup(wmem_packet_scope(), auxstring);
765 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",auxstring);
/* Fallback name built from the printable file id. */
769 auxstring=wmem_strdup_printf(wmem_packet_scope(), "File_Id_%s", file_id);
770 eo_info->filename=auxstring;
/* fid is a string hash of either the name or the file id, depending on the
 * preference; distinct inputs can collide on the same hash value. */
775 if (eosmb2_take_name_as_fid) {
776 eo_info->fid = g_str_hash(eo_info->filename);
778 eo_info->fid = g_str_hash(file_id);
781 /* tid, hostname, tree_id */
/* NOTE(review): si->tree is dereferenced below; the guard that presumably
 * precedes these lines is not shown in this listing. */
783 eo_info->tid=si->tree->tid;
/* The share name is used only when it is 1 to 256 characters long;
 * otherwise a placeholder built from an address string and the tid is used. */
784 if (strlen(si->tree->name)>0 && strlen(si->tree->name)<=256) {
785 eo_info->hostname = wmem_strdup(wmem_packet_scope(), si->tree->name);
787 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
791 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
795 eo_info->pkt_num = pinfo->fd->num;
/* Object type from the attribute mask: directory first, then regular file if
 * any of the listed attribute bits is set, otherwise "other". */
798 if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
799 eo_info->fid_type=SMB2_FID_TYPE_DIR;
801 if (si->eo_file_info->attr_mask &
802 (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
803 SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
804 SMB2_FLAGS_ATTR_SYSTEM) ) {
805 eo_info->fid_type=SMB2_FID_TYPE_FILE;
807 eo_info->fid_type=SMB2_FID_TYPE_OTHER;
812 eo_info->end_of_file=si->eo_file_info->end_of_file;
814 /* data offset and chunk length */
815 eo_info->smb_file_offset=file_offset;
816 eo_info->smb_chunk_len=length;
817 /* XXX is this right? */
/* When this chunk is shorter than the bytes still expected, the saved offset
 * advances and the remaining count shrinks by length. */
818 if (length<si->saved->bytes_moved) {
819 si->saved->file_offset=si->saved->file_offset+length;
820 si->saved->bytes_moved=si->saved->bytes_moved-length;
824 eo_info->payload_len = length;
/* payload_data points into data_tvb rather than at a copy; presumably a
 * listener that needs the bytes later has to copy them - confirm. */
825 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);
827 tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
831 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
834 /* This is a helper to dissect the common string type
840 * This function is called twice, first to decode the offset/length and
841 * second time to dissect the actual string.
842 * It is done this way since there is no guarantee that we have the full packet and we don't
843 * want to abort dissection too early if the packet ends somewhere between the
844 * length/offset and the actual buffer.
/* Wire layouts of an offset/length pair. O_<type> and S_<type> give the width
 * of the offset field and of the length field, and the order in the name is
 * the order in which dissect_smb2_olb_length_offset() reads them. */
847 enum offset_length_buffer_offset_size {
848 OLB_O_UINT16_S_UINT16,
849 OLB_O_UINT16_S_UINT32,
850 OLB_O_UINT32_S_UINT32,
851 OLB_S_UINT32_O_UINT32
/* Parsed offset/length pair, filled in by dissect_smb2_olb_length_offset().
 * NOTE(review): only offset_size is shown in this listing; the code in this
 * file also uses members named off, len, off_offset, len_offset and
 * hfindex. */
853 typedef struct _offset_length_buffer_t {
858 enum offset_length_buffer_offset_size offset_size;
860 } offset_length_buffer_t;
/* First pass of the offset/length buffer helper: records hfindex and the
 * layout in olb, then reads the little-endian offset and length fields and
 * remembers where each one sits in the tvb (off_offset and len_offset).
 * Nothing visible here checks off or len against the size of the tvb; both
 * values come straight from the packet, so whatever consumes olb has to
 * bounds-check them before using them to address data.
 * NOTE(review): the return type, the statements that advance offset between
 * the two reads, the break and default arms and the return statement are not
 * shown in this listing. */
862 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
863 enum offset_length_buffer_offset_size offset_size, int hfindex)
865 olb->hfindex = hfindex;
866 olb->offset_size = offset_size;
867 switch (offset_size) {
/* 16-bit offset followed by 16-bit length */
868 case OLB_O_UINT16_S_UINT16:
869 olb->off = tvb_get_letohs(tvb, offset);
870 olb->off_offset = offset;
872 olb->len = tvb_get_letohs(tvb, offset);
873 olb->len_offset = offset;
/* 16-bit offset followed by 32-bit length */
876 case OLB_O_UINT16_S_UINT32:
877 olb->off = tvb_get_letohs(tvb, offset);
878 olb->off_offset = offset;
880 olb->len = tvb_get_letohl(tvb, offset);
881 olb->len_offset = offset;
/* 32-bit offset followed by 32-bit length */
884 case OLB_O_UINT32_S_UINT32:
885 olb->off = tvb_get_letohl(tvb, offset);
886 olb->off_offset = offset;
888 olb->len = tvb_get_letohl(tvb, offset);
889 olb->len_offset = offset;
/* 32-bit length first, then 32-bit offset */
892 case OLB_S_UINT32_O_UINT32:
893 olb->len = tvb_get_letohl(tvb, offset);
894 olb->len_offset = offset;
896 olb->off = tvb_get_letohl(tvb, offset);
897 olb->off_offset = offset;
/* Values for the `type` argument of dissect_smb2_olb_string(); they select
 * which string decode the buffer bytes are given. */
905 #define OLB_TYPE_UNICODE_STRING 0x01
906 #define OLB_TYPE_ASCII_STRING 0x02
/*
 * Second pass for string buffers: decode the string described by *olb, add it
 * to parent_tree under olb->hfindex, and show the raw offset and length fields
 * beneath it. A failed range check is reported as "Invalid offset/length.
 * Malformed packet" in the tree and as " [Malformed packet]" in COL_INFO.
 */
908 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
911 proto_item *item = NULL;
912 proto_tree *tree = NULL;
913 const char *name = NULL;
/* bc counts *captured* bytes from `offset`; it is handed by pointer to the
 * string helper below. */
920 bc = tvb_length_remaining(tvb, offset);
/*
 * tvb_ensure_bytes_exist() throws when [off, off+len) is not present in the
 * tvb, so a bogus pair from the packet stops here instead of reaching the
 * string decode.
 * NOTE(review): only the second operand of the sanity test that follows is
 * visible. Both sides are sums of packet-derived values, so the sums can wrap
 * or overflow for large inputs depending on how off/len are declared
 * (declarations not shown) - confirm an explicit wrap test accompanies it.
 */
924 tvb_ensure_bytes_exist(tvb, off, len);
926 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
927 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
928 "Invalid offset/length. Malformed packet");
930 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
/* Unicode decode: third argument to the helper is TRUE */
937 case OLB_TYPE_UNICODE_STRING:
938 name = get_unicode_or_ascii_string(tvb, &off,
939 TRUE, &len, TRUE, TRUE, &bc);
944 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
945 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* ASCII decode: third argument to the helper is FALSE */
948 case OLB_TYPE_ASCII_STRING:
949 name = get_unicode_or_ascii_string(tvb, &off,
950 FALSE, &len, TRUE, TRUE, &bc);
955 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
956 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* Show the raw offset and length fields under the string item, using the
 * positions and widths recorded by the first pass. */
961 switch (olb->offset_size) {
962 case OLB_O_UINT16_S_UINT16:
963 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
964 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
966 case OLB_O_UINT16_S_UINT32:
967 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
968 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
970 case OLB_O_UINT32_S_UINT32:
971 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
972 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
974 case OLB_S_UINT32_O_UINT32:
975 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
976 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Second pass for opaque buffers: range-check the offset/length pair in *olb,
 * add an item for the buffer (unless olb->hfindex is -1), show the raw offset
 * and length fields, then hand a sub-tvb covering the buffer to `dissector`.
 * A failed range check is reported as "Invalid offset/length. Malformed
 * packet" in the tree and as " [Malformed packet]" in COL_INFO.
 */
984 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
985 offset_length_buffer_t *olb, smb2_info_t *si,
986 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
989 proto_item *sub_item = NULL;
990 proto_tree *sub_tree = NULL;
991 tvbuff_t *sub_tvb = NULL;
/*
 * tvb_ensure_bytes_exist() throws when [off, off+len) is not present in the
 * tvb, so an out-of-range pair never reaches the callback.
 * NOTE(review): only the second operand of the sanity test that follows is
 * visible. Both sides are sums of packet-derived values and can wrap or
 * overflow depending on how off/len are declared (declarations not shown) -
 * confirm an explicit wrap test accompanies it.
 */
999 tvb_ensure_bytes_exist(tvb, off, len);
1001 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
1002 proto_tree_add_text(parent_tree, tvb, offset, tvb_length_remaining(tvb, offset),
1003 "Invalid offset/length. Malformed packet");
1005 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1010 /* if we don't want/need a subtree */
1011 if (olb->hfindex == -1) {
1012 sub_item = parent_tree;
1013 sub_tree = parent_tree;
1016 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
1017 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
/* Show the raw offset and length fields, using the positions and widths
 * recorded by the first pass. */
1021 switch (olb->offset_size) {
1022 case OLB_O_UINT16_S_UINT16:
1023 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1024 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1026 case OLB_O_UINT16_S_UINT32:
1027 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1028 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1030 case OLB_O_UINT32_S_UINT32:
1031 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1032 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1034 case OLB_S_UINT32_O_UINT32:
1035 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1036 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/* A zero offset or zero length is labelled as an absent buffer. */
1040 if (off == 0 || len == 0) {
1041 proto_item_append_text(sub_item, ": NO DATA");
/*
 * Sub-tvb for the callback: the backing length is clamped to the bytes that
 * were actually captured, the reported length is the wire-supplied len.
 * NOTE(review): the (int) cast suggests len is unsigned or wider than int; a
 * value above INT_MAX would become negative inside MIN(). The range check
 * above should make that unreachable - confirm.
 */
1049 sub_tvb = tvb_new_subset(tvb, off, MIN((int)len, tvb_length_remaining(tvb, off)), len);
/* The callback parses attacker-controlled bytes; it is given only sub_tvb,
 * not the enclosing tvb. */
1051 dissector(sub_tvb, pinfo, sub_tree, si);
/*
 * Compare `offset` with the end of the buffer described by *olb (off + len)
 * and return the larger of the two; presumably callers use the result as the
 * offset to continue from.
 * NOTE(review): off + len is the sum of two packet-supplied values cast to
 * int. If the fields are 32 bits wide (declarations not shown) the sum can
 * wrap or turn negative; this is only safe when the pair has already passed
 * the range check in dissect_smb2_olb_string()/dissect_smb2_olb_buffer().
 */
1055 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
1057 if (olb->off == 0) {
1060 return MAX(offset, (int)(olb->off + olb->len));
/* Pair of dissector entry points for one command: one for the request and one
 * for the response. Both take the current tvb offset and return an int. */
1063 typedef struct _smb2_function {
1064 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
1065 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
/*
 * Display strings for the header flag bits: in a true_false_string the first
 * string is shown when the bit is set and the second when it is clear.
 * These strings only label what the sender put in the flags field.
 */
1068 static const true_false_string tfs_flags_response = {
1069 "This is a RESPONSE",
1073 static const true_false_string tfs_flags_async_cmd = {
1074 "This is an ASYNC command",
1075 "This is a SYNC command"
1078 static const true_false_string tfs_flags_dfs_op = {
1079 "This is a DFS OPERATION",
1080 "This is a normal operation"
/* NOTE(review): the set-bit string below is missing "is" ("This pdu is a
 * CHAINED command"); it is user-visible text, so fix it as a code change. */
1083 static const true_false_string tfs_flags_chained = {
1084 "This pdu a CHAINED command",
1085 "This pdu is NOT a chained command"
/* The SIGNED label reflects the flag bit only; it does not say that a
 * signature was checked. Whether verification happens elsewhere is not
 * visible here. */
1088 static const true_false_string tfs_flags_signature = {
1089 "This pdu is SIGNED",
1090 "This pdu is NOT signed"
/* NOTE(review): "OPEARATION" in the set-bit string below is a typo for
 * "OPERATION"; it is user-visible text, so fix it as a code change. */
1093 static const true_false_string tfs_flags_replay_operation = {
1094 "This is a REPLAY OPEARATION",
1095 "This is NOT a replay operation"
/*
 * Display strings for capability bits (first string: bit set, second: bit
 * clear). A capability bit is what the host advertises; for example the
 * ENCRYPTION bit being set does not by itself show that a session's traffic
 * is encrypted.
 */
1098 static const true_false_string tfs_cap_dfs = {
1099 "This host supports DFS",
1100 "This host does NOT support DFS"
1103 static const true_false_string tfs_cap_leasing = {
1104 "This host supports LEASING",
1105 "This host does NOT support LEASING"
1108 static const true_false_string tfs_cap_large_mtu = {
1109 "This host supports LARGE_MTU",
1110 "This host does NOT support LARGE_MTU"
1113 static const true_false_string tfs_cap_multi_channel = {
1114 "This host supports MULTI CHANNEL",
1115 "This host does NOT support MULTI CHANNEL"
1118 static const true_false_string tfs_cap_persistent_handles = {
1119 "This host supports PERSISTENT HANDLES",
1120 "This host does NOT support PERSISTENT HANDLES"
1123 static const true_false_string tfs_cap_directory_leasing = {
1124 "This host supports DIRECTORY LEASING",
1125 "This host does NOT support DIRECTORY LEASING"
1128 static const true_false_string tfs_cap_encryption = {
1129 "This host supports ENCRYPTION",
1130 "This host does NOT support ENCRYPTION"
/* Per-interface capability bits reported by the network-interface ioctl. */
1133 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
1134 "This interface supports RSS",
1135 "This interface does not support RSS"
1138 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
1139 "This interface supports RDMA",
1140 "This interface does not support RDMA"
/* Names for the numeric compression-format values. */
1143 static const value_string compression_format_vals[] = {
1144 { 0, "COMPRESSION_FORMAT_NONE" },
1145 { 1, "COMPRESSION_FORMAT_DEFAULT" },
1146 { 2, "COMPRESSION_FORMAT_LZNT1" },
/*
 * Names for complete 32-bit ioctl/FSCTL control codes. The same code is also
 * decoded as bitfields by dissect_smb2_ioctl_function(): the device type is
 * bits 16-31 and the function number is bits 2-13.
 * The entries are listed in ascending numeric order; keep new entries sorted,
 * since the table is wrapped in a value_string_ext below.
 */
1151 /* Note: All uncommented are "dissector not implemented" */
1152 static const value_string smb2_ioctl_vals[] = {
1153 {0x00060194, "FSCTL_DFS_GET_REFERRALS"}, /* dissector implemented */
1154 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
1155 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
1156 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
1157 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
1158 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
1159 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
1160 {0x00090018, "FSCTL_LOCK_VOLUME"},
1161 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
1162 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
1163 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
1164 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
1165 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
1166 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
1167 {0x0009003C, "FSCTL_GET_COMPRESSION"}, /* dissector implemented */
1168 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
1169 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
1170 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
1171 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
1172 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
1173 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
1174 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
1175 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
1176 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
1177 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
1178 {0x00090074, "FSCTL_MOVE_FILE"},
1179 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
1180 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
1181 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
1182 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
1183 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
1184 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
1185 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
1186 {0x0009009C, "FSCTL_GET_OBJECT_ID"}, /* dissector implemented */
1187 {0x000900A8, "FSCTL_GET_REPARSE_POINT"},
1188 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"}, /* dissector implemented */
1189 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
1190 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
1191 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
1192 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
1193 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
1194 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
1195 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
1196 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
1197 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"},
1198 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
1199 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
1200 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
1201 {0x00098098, "FSCTL_SET_OBJECT_ID"}, /* dissector implemented */
1202 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */ /* dissector implemented */
1203 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
1204 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
1205 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"}, /* dissector implemented */
1206 {0x000980C4, "FSCTL_SET_SPARSE"},
1207 {0x000980C8, "FSCTL_SET_ZERO_DATA"},
1208 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
1209 {0x0009C040, "FSCTL_SET_COMPRESSION"}, /* dissector implemented */
1210 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"}, /* dissector implemented */
1211 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
1212 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"}, /* dissector implemented */
1213 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"}, /* dissector implemented */
1214 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"}, /* dissector implemented */
1215 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"}, /* dissector implemented */
1216 {0x00144064, "FSCTL_GET_SHADOW_COPY_DATA"}, /* dissector implemented */
1217 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
1218 {0x001441bb, "FSCTL_SRV_READ_HASH"},
1219 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
1222 static value_string_ext smb2_ioctl_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_vals);
/*
 * Names for the device-type field of an ioctl control code, i.e. the value
 * dissect_smb2_ioctl_function() looks up as (ioctl_function>>16)&0xffff.
 * Values without an entry are shown as "Unknown (0x...)" by that function.
 */
1224 static const value_string smb2_ioctl_device_vals[] = {
1226 { 0x0002, "CD_ROM" },
1227 { 0x0003, "CD_ROM_FILE_SYSTEM" },
1228 { 0x0004, "CONTROLLER" },
1229 { 0x0005, "DATALINK" },
1232 { 0x0008, "DISK_FILE_SYSTEM" },
1233 { 0x0009, "FILE_SYSTEM" },
1234 { 0x000a, "INPORT_PORT" },
1235 { 0x000b, "KEYBOARD" },
1236 { 0x000c, "MAILSLOT" },
1237 { 0x000d, "MIDI_IN" },
1238 { 0x000e, "MIDI_OUT" },
1239 { 0x000f, "MOUSE" },
1240 { 0x0010, "MULTI_UNC_PROVIDER" },
1241 { 0x0011, "NAMED_PIPE" },
1242 { 0x0012, "NETWORK" },
1243 { 0x0013, "NETWORK_BROWSER" },
1244 { 0x0014, "NETWORK_FILE_SYSTEM" },
1246 { 0x0016, "PARALLEL_PORT" },
1247 { 0x0017, "PHYSICAL_NETCARD" },
1248 { 0x0018, "PRINTER" },
1249 { 0x0019, "SCANNER" },
1250 { 0x001a, "SERIAL_MOUSE_PORT" },
1251 { 0x001b, "SERIAL_PORT" },
1252 { 0x001c, "SCREEN" },
1253 { 0x001d, "SOUND" },
1254 { 0x001e, "STREAMS" },
1256 { 0x0020, "TAPE_FILE_SYSTEM" },
1257 { 0x0021, "TRANSPORT" },
1258 { 0x0022, "UNKNOWN" },
1259 { 0x0023, "VIDEO" },
1260 { 0x0024, "VIRTUAL_DISK" },
1261 { 0x0025, "WAVE_IN" },
1262 { 0x0026, "WAVE_OUT" },
1263 { 0x0027, "8042_PORT" },
1264 { 0x0028, "NETWORK_REDIRECTOR" },
1265 { 0x0029, "BATTERY" },
1266 { 0x002a, "BUS_EXTENDER" },
1267 { 0x002b, "MODEM" },
1269 { 0x002d, "MASS_STORAGE" },
1272 { 0x0030, "CHANGER" },
1273 { 0x0031, "SMARTCARD" },
1276 { 0x0034, "FULLSCREEN_VIDEO" },
1277 { 0x0035, "DFS_FILE_SYSTEM" },
1278 { 0x0036, "DFS_VOLUME" },
1279 { 0x0037, "SERENUM" },
1280 { 0x0038, "TERMSRV" },
1284 static value_string_ext smb2_ioctl_device_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals);
/* Names for the two-bit access field of an ioctl control code. */
1286 static const value_string smb2_ioctl_access_vals[] = {
1287 { 0x00, "FILE_ANY_ACCESS" },
1288 { 0x01, "FILE_READ_ACCESS" },
1289 { 0x02, "FILE_WRITE_ACCESS" },
1290 { 0x03, "FILE_READ_WRITE_ACCESS" },
/* Names for the two-bit transfer-method field of an ioctl control code. */
1294 static const value_string smb2_ioctl_method_vals[] = {
1295 { 0x00, "METHOD_BUFFERED" },
1296 { 0x01, "METHOD_IN_DIRECT" },
1297 { 0x02, "METHOD_OUT_DIRECT" },
1298 { 0x03, "METHOD_NEITHER" },
/*
 * Dissect the 32-bit ioctl control code at `offset`: add it as an item with a
 * subtree, report the raw value through *ioctlfunc, append a name to COL_INFO
 * and decode the device, access, function and method bitfields.
 * When the complete code has no entry in smb2_ioctl_vals, COL_INFO gets the
 * device name (or "Unknown (0x...)") and the function number instead.
 */
1302 /* this is called from both smb and smb2. */
1304 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctlfunc)
1306 proto_item *item = NULL;
1307 proto_tree *tree = NULL;
1308 guint32 ioctl_function;
1311 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1312 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
/* The control code is an arbitrary 32-bit value from the packet. */
1315 ioctl_function = tvb_get_letohl(tvb, offset);
1317 *ioctlfunc = ioctl_function;
1318 if (ioctl_function) {
/* Sentinel for a table miss: val_to_str_ext_const() hands back the pointer it
 * was given as the "unknown" string, so the pointer comparison further down
 * detects that the code was not found. */
1319 const gchar *unknown = "unknown";
1320 const gchar *ioctl_name = val_to_str_ext_const(ioctl_function,
1321 &smb2_ioctl_vals_ext,
1325 * val_to_str_const() doesn't work with a unknown == NULL
1327 if (ioctl_name == unknown) {
1331 if (ioctl_name != NULL) {
1333 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
/* The four items below are added over the same four bytes; presumably each hf
 * field definition (not shown) carries the mask for its own bits. */
1337 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1338 if (ioctl_name == NULL) {
1340 pinfo->cinfo, COL_INFO, " %s",
1341 val_to_str_ext((ioctl_function>>16)&0xffff, &smb2_ioctl_device_vals_ext,
1342 "Unknown (0x%08X)"));
1346 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1349 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1350 if (ioctl_name == NULL) {
1352 pinfo->cinfo, COL_INFO, " Function:0x%04x",
1353 (ioctl_function>>2)&0x0fff);
1357 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1365 /* fake the dce/rpc support structures so we can piggy back on
1366 * dissect_nt_policy_hnd() since this will allow us
1367 * a cheap way to track where FIDs are opened, closed
1368 * and fid->filename mappings
1369 * if we want to do those things in the future.
1371 #define FID_MODE_OPEN 0 /* values for the `mode` argument of dissect_smb2_fid() */
1372 #define FID_MODE_CLOSE 1
1373 #define FID_MODE_USE 2
1374 #define FID_MODE_DHNQ 3
1375 #define FID_MODE_DHNC 4
/*
 * Dissect a file ID by reusing the DCE/RPC policy-handle code
 * (dissect_nt_guid_hnd) with a faked dcerpc_info and DREP, and maintain the
 * per-conversation table si->conv->files that maps a handle to its
 * smb2_eo_file_info_t. `mode` is one of the FID_MODE_* values and selects the
 * is-open/is-close arguments given to dissect_nt_guid_hnd.
 */
1377 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
1379 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
/* NOTE(review): di and call_data have static storage and are rewritten on
 * every call, so the state is shared between all invocations. */
1380 static dcerpc_info di; /* fake dcerpc_info struct */
1381 static dcerpc_call_value call_data;
1382 e_ctx_hnd policy_hnd;
1383 e_ctx_hnd *policy_hnd_hashtablekey;
1384 proto_item *hnd_item = NULL;
1386 guint32 open_frame = 0, close_frame = 0;
1387 smb2_eo_file_info_t *eo_file_info;
1389 di.conformant_run = 0;
1390 /* we need di->call_data->flags.NDR64 == 0 */
1391 di.call_data = &call_data;
1392 di.dcerpc_procedure_name = "";
/* Open: the last two arguments are TRUE, FALSE. */
1396 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, TRUE, FALSE);
/* State is recorded only the first time this frame is dissected. */
1397 if (!pinfo->fd->flags.visited) {
/* The saved file name is text taken from the capture; it is passed as a %s
 * argument and never used as the format string. */
1398 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1399 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si->saved->extra_info);
1401 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: ");
1403 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
1406 /* If needed, create the file entry and save the policy hnd */
1407 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
/* NOTE(review): si->conv is dereferenced here with no NULL test visible,
 * while si->saved is tested just above - confirm conv is always set on this
 * path. */
1410 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
/* Unknown handle: allocate the state and a private copy of the key in file
 * scope. Both stay allocated until the capture file is closed, so every
 * distinct handle value seen in a capture costs memory for that long. */
1411 if (!eo_file_info) {
1412 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
1413 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
1414 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1415 eo_file_info->end_of_file=0;
1416 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1418 si->eo_file_info=eo_file_info;
/* Close: the last two arguments are FALSE, TRUE. */
1422 case FID_MODE_CLOSE:
1423 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, TRUE);
/* Neither open nor close: the last two arguments are FALSE, FALSE. */
1428 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, FALSE);
/* Fetch the name stored for this handle, if any, and show it. */
1432 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num)) {
1433 /* put the filename in col_info */
1436 proto_item_append_text(hnd_item, " %s", fid_name);
1438 col_append_fstr(pinfo->cinfo, COL_INFO, " %s", fid_name);
1441 /* look for the eo_file_info */
1442 if (!si->eo_file_info) {
1443 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
1445 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1447 si->eo_file_info=eo_file_info;
1448 } else { /* XXX This should never happen */
1449 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
1450 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
1451 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1452 eo_file_info->end_of_file=0;
1453 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1464 /* this info level is unique to SMB2 and differs from the corresponding
1465 * SMB_FILE_ALL_INFO in SMB
/*
 * Dissect the SMB2 "file all info" structure under its own subtree: four
 * 64-bit timestamps, extended file attributes, sizes, link count, the
 * delete-pending and directory flags, file id, EA size, access mask, and
 * finally a length-prefixed file name.
 */
1468 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1470 proto_item *item = NULL;
1471 proto_tree *tree = NULL;
1473 const char *name = "";
1477 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
1478 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
1482 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1485 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1488 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1491 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1493 /* File Attributes */
1494 offset = dissect_file_ext_attr(tvb, tree, offset);
1496 /* some unknown bytes */
1497 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
1500 /* allocation size */
1501 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1505 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1508 /* number of links */
1509 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1512 /* delete pending */
1513 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1517 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1524 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1528 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1532 offset = dissect_smb_access_mask(tvb, tree, offset);
1534 /* some unknown bytes */
1535 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
/* The 16-bit name length comes from the packet; it is used as the requested
 * length for the string helper below. */
1538 /* file name length */
1539 length = tvb_get_letohs(tvb, offset);
1540 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1543 /* some unknown bytes */
1544 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* bc is the number of captured bytes left; the helper receives both length
 * and bc by pointer. NOTE(review): presumably the helper clamps length to
 * bc - confirm, since the wire length is not checked here. */
1549 bc = tvb_length_remaining(tvb, offset);
1550 name = get_unicode_or_ascii_string(tvb, &offset,
1551 TRUE, &length, TRUE, TRUE, &bc);
1553 proto_tree_add_string(tree, hf_smb2_filename, tvb,
1554 offset, length, name);
/*
 * Allocation info: adds the subtree and delegates to the shared SMB helper
 * dissect_qsfi_SMB_FILE_ALLOCATION_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1566 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1568 proto_item *item = NULL;
1569 proto_tree *tree = NULL;
1574 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
1575 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
1578 bc = tvb_length_remaining(tvb, offset);
1579 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * End-of-file info: adds the subtree and delegates to the shared SMB helper
 * dissect_qsfi_SMB_FILE_ENDOFFILE_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1585 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1587 proto_item *item = NULL;
1588 proto_tree *tree = NULL;
1593 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
1594 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
1597 bc = tvb_length_remaining(tvb, offset);
1598 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Alternate-name info: adds the subtree and delegates to the shared SMB
 * helper dissect_qfi_SMB_FILE_NAME_INFO with bc = captured bytes remaining.
 * The last argument is hard-coded to TRUE (marked as an assumption by the
 * original author).
 */
1604 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1606 proto_item *item = NULL;
1607 proto_tree *tree = NULL;
1612 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
1613 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
1616 bc = tvb_length_remaining(tvb, offset);
1617 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ TRUE);
/*
 * Basic info: adds the subtree, then four 64-bit timestamps (create, last
 * access, last write, last change), the extended file attributes and four
 * bytes whose meaning the dissector does not know.
 */
1624 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1626 proto_item *item = NULL;
1627 proto_tree *tree = NULL;
1630 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
1631 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
1635 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1638 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1641 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1644 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1646 /* File Attributes */
1647 offset = dissect_file_ext_attr(tvb, tree, offset);
1649 /* some unknown bytes */
1650 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/*
 * Standard info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_STANDARD_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1657 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1659 proto_item *item = NULL;
1660 proto_tree *tree = NULL;
1665 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
1666 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
1669 bc = tvb_length_remaining(tvb, offset);
1670 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Internal info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_INTERNAL_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1675 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1677 proto_item *item = NULL;
1678 proto_tree *tree = NULL;
1683 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
1684 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
1687 bc = tvb_length_remaining(tvb, offset);
1688 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Mode info: adds the subtree and delegates to the shared SMB helper
 * dissect_qsfi_SMB_FILE_MODE_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1693 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1695 proto_item *item = NULL;
1696 proto_tree *tree = NULL;
1701 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
1702 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
1705 bc = tvb_length_remaining(tvb, offset);
1706 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Alignment info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_ALIGNMENT_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1711 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1713 proto_item *item = NULL;
1714 proto_tree *tree = NULL;
1719 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
1720 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
1723 bc = tvb_length_remaining(tvb, offset);
1724 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Position info: adds the subtree and delegates to the shared SMB helper
 * dissect_qsfi_SMB_FILE_POSITION_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1729 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1731 proto_item *item = NULL;
1732 proto_tree *tree = NULL;
1737 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
1738 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
1741 bc = tvb_length_remaining(tvb, offset);
1742 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Access info: adds the subtree and dissects the access mask with the shared
 * helper dissect_smb_access_mask. */
1748 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1750 proto_item *item = NULL;
1751 proto_tree *tree = NULL;
1754 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
1755 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
1759 offset = dissect_smb_access_mask(tvb, tree, offset);
/*
 * EA info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_EA_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1765 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1767 proto_item *item = NULL;
1768 proto_tree *tree = NULL;
1773 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
1774 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
1777 bc = tvb_length_remaining(tvb, offset);
1778 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Stream info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_STREAM_INFO with bc = captured bytes remaining and a
 * final argument of TRUE.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1784 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1786 proto_item *item = NULL;
1787 proto_tree *tree = NULL;
1792 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
1793 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
1796 bc = tvb_length_remaining(tvb, offset);
1797 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, TRUE);
/*
 * Pipe info: adds the subtree and delegates to the shared SMB helper
 * dissect_sfi_SMB_FILE_PIPE_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1803 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1805 proto_item *item = NULL;
1806 proto_tree *tree = NULL;
1811 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
1812 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
1815 bc = tvb_length_remaining(tvb, offset);
1816 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Compression info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_COMPRESSION_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1822 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1824 proto_item *item = NULL;
1825 proto_tree *tree = NULL;
1830 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
1831 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
1834 bc = tvb_length_remaining(tvb, offset);
1835 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Network-open info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1841 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1843 proto_item *item = NULL;
1844 proto_tree *tree = NULL;
1849 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
1850 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
1854 bc = tvb_length_remaining(tvb, offset);
1855 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Attribute-tag info: adds the subtree and delegates to the shared SMB helper
 * dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO with bc = captured bytes remaining.
 * NOTE(review): no use of the helper's `trunc` output is visible here.
 */
1861 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1863 proto_item *item = NULL;
1864 proto_tree *tree = NULL;
1869 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
1870 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
1874 bc = tvb_length_remaining(tvb, offset);
1875 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Display strings for the delete-on-close disposition bit: first string when
 * the bit is set, second when it is clear. */
1880 static const true_false_string tfs_disposition_delete_on_close = {
1881 "DELETE this file when closed",
1882 "Normal access, do not delete on close"
/* Disposition info: adds the subtree and the one-byte delete-on-close field. */
1886 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1888 proto_item *item = NULL;
1889 proto_tree *tree = NULL;
1892 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
1893 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
1896 /* file disposition */
1897 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissect a chain of extended-attribute entries. Each entry is laid out as a
 * 32-bit next-entry offset, a one-byte flags field, a one-byte name length, a
 * 16-bit data length, the name followed by a NUL, then the data. The next
 * entry is located at start-of-this-entry + next_offset.
 * All lengths and the next-entry offset come straight from the packet.
 */
1903 dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1905 proto_item *item = NULL;
1906 proto_tree *tree = NULL;
1907 guint32 next_offset;
1909 guint16 ea_data_len;
1912 item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
1913 tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
1918 const char *name = "";
1919 const char *data = "";
/* Remember where this entry begins; next_offset is applied relative to it. */
1921 int start_offset = offset;
1922 proto_item *ea_item = NULL;
1923 proto_tree *ea_tree = NULL;
1926 ea_item = proto_tree_add_text(tree, tvb, offset, -1, "EA:");
1927 ea_tree = proto_item_add_subtree(ea_item, ett_smb2_ea);
1931 next_offset = tvb_get_letohl(tvb, offset);
1932 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1936 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1939 /* EA Name Length */
1940 ea_name_len = tvb_get_guint8(tvb, offset);
1941 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1944 /* EA Data Length */
1945 ea_data_len = tvb_get_letohs(tvb, offset);
1946 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* Name: ea_name_len bytes decoded as ASCII; the item added below covers
 * length + 1 bytes to include the terminating NUL. */
1950 length = ea_name_len;
1952 bc = tvb_length_remaining(tvb, offset);
1953 name = get_unicode_or_ascii_string(tvb, &offset,
1954 FALSE, &length, TRUE, TRUE, &bc);
1956 proto_tree_add_string(ea_tree, hf_smb2_ea_name, tvb,
1957 offset, length + 1, name);
1961 /* The name is terminated with a NULL */
1962 offset += ea_name_len + 1;
/* Data: decoded as an ASCII string for the summary text, but added to the
 * tree as raw bytes (ENC_NA). */
1965 length = ea_data_len;
1967 bc = tvb_length_remaining(tvb, offset);
1968 data = get_unicode_or_ascii_string(tvb, &offset,
1969 FALSE, &length, TRUE, TRUE, &bc);
1971 * We put the data here ...
1973 proto_tree_add_item(ea_tree, hf_smb2_ea_data, tvb,
1974 offset, length, ENC_NA);
1976 offset += ea_data_len;
1980 proto_item_append_text(ea_item, " %s := %s", name, data);
1982 proto_item_set_len(ea_item, offset-start_offset);
/*
 * NOTE(review): next_offset is an unvalidated guint32 from the packet that is
 * added to an int. Nothing visible here requires start_offset + next_offset
 * to land at or beyond the end of the entry just parsed, or to stay within
 * int range, so a crafted value could move `offset` backwards or make it
 * negative and the walk would revisit earlier bytes. The loop condition is
 * not visible here; confirm the walk stops when the new offset does not
 * advance past the current one.
 */
1989 offset = start_offset+next_offset;
/*
 * Rename info: adds the subtree, sixteen undecoded bytes, the 16-bit name
 * length, two undecoded bytes, the new file name (decoded as Unicode) and
 * four trailing undecoded bytes. The new name is also appended to COL_INFO as
 * " NewName:<name>".
 * NOTE(review): pinfo is marked _U_ (unused) but is used for the COL_INFO
 * update below; the marker is harmless but misleading.
 */
1996 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1998 proto_item *item = NULL;
1999 proto_tree *tree = NULL;
2001 const char *name = "";
2006 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
2007 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
2010 /* some unknown bytes */
2011 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
/* The 16-bit name length comes from the packet; it is used as the requested
 * length for the string helper below. */
2014 /* file name length */
2015 length = tvb_get_letohs(tvb, offset);
2016 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2019 /* some unknown bytes */
2020 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* bc is the number of captured bytes left; the helper receives both length
 * and bc by pointer. */
2025 bc = tvb_length_remaining(tvb, offset);
2026 name = get_unicode_or_ascii_string(tvb, &offset,
2027 TRUE, &length, TRUE, TRUE, &bc);
2029 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2030 offset, length, name);
/* The packet-supplied name is passed as a %s argument, never as the format
 * string. */
2033 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s", name);
2037 /* some unknown bytes */
2038 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/*
 * Dissect a security information buffer: opens an hf_smb2_sec_info_00
 * subtree and hands everything from offset to the end of the tvb to
 * dissect_nt_sec_desc().
 * NOTE(review): pinfo is tagged _U_ but is passed on below; the tag is stale.
 */
2045 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2047 proto_item *item = NULL;
2048 proto_tree *tree = NULL;
2051 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
2052 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
2055 /* security descriptor */
/* The length argument is the number of bytes remaining in the tvb; no
 * length field from the packet is consulted here. */
2056 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, TRUE, tvb_length_remaining(tvb, offset), NULL);
/*
 * Filesystem information level 05: opens an hf_smb2_fs_info_05 subtree and
 * delegates to dissect_qfsi_FS_ATTRIBUTE_INFO().
 * NOTE(review): pinfo is tagged _U_ but is passed on below; the tag is stale.
 */
2062 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2064 proto_item *item = NULL;
2065 proto_tree *tree = NULL;
2069 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
2070 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
/* bc tells the helper how many bytes are left in the tvb. */
2073 bc = tvb_length_remaining(tvb, offset);
2074 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/*
 * Filesystem information level 06: opens an hf_smb2_fs_info_06 subtree and
 * delegates to dissect_nt_quota().
 */
2080 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2082 proto_item *item = NULL;
2083 proto_tree *tree = NULL;
2087 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
2088 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
/* bc tells the helper how many bytes are left in the tvb. */
2091 bc = tvb_length_remaining(tvb, offset);
2092 offset = dissect_nt_quota(tvb, tree, offset, &bc);
/*
 * Filesystem object-id information: opens an hf_smb2_fs_objectid_info
 * subtree and delegates to dissect_smb2_FILE_OBJECTID_BUFFER().
 * NOTE(review): pinfo is tagged _U_ but is passed on below; the tag is stale.
 */
2098 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2100 proto_item *item = NULL;
2101 proto_tree *tree = NULL;
2104 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
2105 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
2108 /* FILE_OBJECTID_BUFFER */
2109 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * Filesystem information level 07: opens an hf_smb2_fs_info_07 subtree and
 * delegates to dissect_qfsi_FS_FULL_SIZE_INFO().
 * NOTE(review): pinfo is tagged _U_ but is passed on below; the tag is stale.
 */
2115 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2117 proto_item *item = NULL;
2118 proto_tree *tree = NULL;
2122 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
2123 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
/* bc tells the helper how many bytes are left in the tvb. */
2126 bc = tvb_length_remaining(tvb, offset);
2127 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/*
 * Filesystem information level 01: opens an hf_smb2_fs_info_01 subtree and
 * delegates to dissect_qfsi_FS_VOLUME_INFO().
 * NOTE(review): pinfo is tagged _U_ but is passed on below; the tag is stale.
 */
2133 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2135 proto_item *item = NULL;
2136 proto_tree *tree = NULL;
2140 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
2141 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
/* bc tells the helper how many bytes are left in the tvb. */
2145 bc = tvb_length_remaining(tvb, offset);
2146 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/*
 * Filesystem information level 03: opens an hf_smb2_fs_info_03 subtree and
 * delegates to dissect_qfsi_FS_SIZE_INFO().
 * NOTE(review): pinfo is tagged _U_ but is passed on below; the tag is stale.
 */
2152 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2154 proto_item *item = NULL;
2155 proto_tree *tree = NULL;
2159 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
2160 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
/* bc tells the helper how many bytes are left in the tvb. */
2164 bc = tvb_length_remaining(tvb, offset);
2165 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/*
 * Filesystem information level 04: opens an hf_smb2_fs_info_04 subtree and
 * delegates to dissect_qfsi_FS_DEVICE_INFO().
 * NOTE(review): pinfo is tagged _U_ but is passed on below; the tag is stale.
 */
2171 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2173 proto_item *item = NULL;
2174 proto_tree *tree = NULL;
2178 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
2179 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
/* bc tells the helper how many bytes are left in the tvb. */
2183 bc = tvb_length_remaining(tvb, offset);
2184 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
/*
 * Display names for the one-byte oplock level.
 * NOTE(review): the table terminator is not among the lines shown; a
 * value_string array must end with a { 0, NULL } entry - confirm.
 */
2189 static const value_string oplock_vals[] = {
2190 { 0x00, "No oplock" },
2191 { 0x01, "Level2 oplock" },
2192 { 0x08, "Exclusive oplock" },
2193 { 0x09, "Batch oplock" },
/* Add the one-byte oplock level at offset to parent_tree as hf_smb2_oplock. */
2199 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2201 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissect the 16-bit little-endian buffer code that opens a command PDU.
 * The value masked with 0xfffe is shown as "Fixed Part Length"; the same
 * two bytes are also added as hf_smb2_buffer_code_flags_dyn.
 * length: out-parameter that receives the masked length.
 * NOTE(review): every caller visible in this part of the file passes NULL
 * for length, so the store at the end must sit behind a NULL check; that
 * check is not among the lines shown - confirm it exists.
 */
2208 dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint16 *length)
2212 guint16 buffer_code;
2214 /* dissect the first 2 bytes of the command PDU */
2215 buffer_code = tvb_get_letohs(tvb, offset);
2216 item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
2217 tree = proto_item_add_subtree(item, ett_smb2_buffercode);
2218 proto_tree_add_uint_format(tree, hf_smb2_buffer_code_len, tvb, offset, 2,
2219 buffer_code&0xfffe, "%s: %u",
2220 decode_numeric_bitfield(buffer_code, 0xfffe, 16, "Fixed Part Length"),
2221 buffer_code&0xfffe);
2222 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* The value is only reported to the caller; nothing here compares it with
 * the bytes actually present in the tvb. */
2226 *length = buffer_code&0xfffe;
/*
 * Bit masks for the 32-bit capabilities word.
 * NOTE(review): dissect_smb2_capabilities() below does not use these names;
 * it passes the whole word to proto_tree_add_boolean(), so the masks are
 * presumably repeated in the hf_ registrations - confirm the two agree.
 */
2232 #define NEGPROT_CAP_DFS 0x00000001
2233 #define NEGPROT_CAP_LEASING 0x00000002
2234 #define NEGPROT_CAP_LARGE_MTU 0x00000004
2235 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
2236 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
2237 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
2238 #define NEGPROT_CAP_ENCRYPTION 0x00000040
/*
 * Dissect the 32-bit little-endian capabilities word: one parent item plus
 * one boolean per capability. Each boolean receives the whole word (cap);
 * selecting the individual bit is left to the field definition.
 */
2240 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2243 proto_item *item = NULL;
2244 proto_tree *tree = NULL;
2246 cap = tvb_get_letohl(tvb, offset);
2248 item = proto_tree_add_item(parent_tree, hf_smb2_capabilities, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2249 tree = proto_item_add_subtree(item, ett_smb2_capabilities);
2252 proto_tree_add_boolean(tree, hf_smb2_cap_dfs, tvb, offset, 4, cap);
2253 proto_tree_add_boolean(tree, hf_smb2_cap_leasing, tvb, offset, 4, cap);
2254 proto_tree_add_boolean(tree, hf_smb2_cap_large_mtu, tvb, offset, 4, cap);
2255 proto_tree_add_boolean(tree, hf_smb2_cap_multi_channel, tvb, offset, 4, cap);
2256 proto_tree_add_boolean(tree, hf_smb2_cap_persistent_handles, tvb, offset, 4, cap);
2257 proto_tree_add_boolean(tree, hf_smb2_cap_directory_leasing, tvb, offset, 4, cap);
2258 proto_tree_add_boolean(tree, hf_smb2_cap_encryption, tvb, offset, 4, cap);
/*
 * Bit masks for the security mode byte (signing required / signing enabled).
 * NOTE(review): not referenced by name in dissect_smb2_secmode() below -
 * confirm the hf_ registrations use the same masks.
 */
2267 #define NEGPROT_SIGN_REQ 0x0002
2268 #define NEGPROT_SIGN_ENABLED 0x0001
/*
 * Dissect the one-byte security mode: a parent item plus two booleans
 * (signing enabled, signing required), each given the whole byte.
 * The values are displayed as sent; nothing here flags a peer that does
 * not require signing.
 */
2271 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2274 proto_item *item = NULL;
2275 proto_tree *tree = NULL;
2277 sm = tvb_get_guint8(tvb, offset);
2279 item = proto_tree_add_item(parent_tree, hf_smb2_security_mode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2280 tree = proto_item_add_subtree(item, ett_smb2_sec_mode);
2282 proto_tree_add_boolean(tree, hf_smb2_secmode_flags_sign_enabled, tvb, offset, 1, sm);
2283 proto_tree_add_boolean(tree, hf_smb2_secmode_flags_sign_required, tvb, offset, 1, sm);
/* Bit mask for the session setup request flags byte; not referenced by
 * name in dissect_smb2_ses_req_flags() below. */
2290 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
/*
 * Dissect the one-byte session setup request flags: a parent item plus the
 * session-binding boolean, which is given the whole byte.
 */
2293 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2296 proto_item *item = NULL;
2297 proto_tree *tree = NULL;
2299 sf = tvb_get_guint8(tvb, offset);
2301 item = proto_tree_add_item(parent_tree, hf_smb2_ses_req_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2302 tree = proto_item_add_subtree(item, ett_smb2_ses_req_flags);
2304 proto_tree_add_boolean(tree, hf_smb2_ses_req_flags_session_binding, tvb, offset, 1, sf);
/* Bit masks for the 16-bit session flags (guest session, null session);
 * not referenced by name in dissect_smb2_ses_flags() below. */
2311 #define SES_FLAGS_GUEST 0x0001
2312 #define SES_FLAGS_NULL 0x0002
/*
 * Dissect the 16-bit little-endian session flags from a session setup
 * response: a parent item plus the guest and null booleans, each given the
 * whole word. A set guest or null flag means the session was not
 * established for a named account, which is worth noticing when reading
 * an authentication exchange.
 */
2315 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2318 proto_item *item = NULL;
2319 proto_tree *tree = NULL;
2321 sf = tvb_get_letohs(tvb, offset);
2323 item = proto_tree_add_item(parent_tree, hf_smb2_session_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2324 tree = proto_item_add_subtree(item, ett_smb2_ses_flags);
2326 proto_tree_add_boolean(tree, hf_smb2_ses_flags_guest, tvb, offset, 2, sf);
2327 proto_tree_add_boolean(tree, hf_smb2_ses_flags_null, tvb, offset, 2, sf);
/* Caching policy: a two-bit field (0x30) inside the 32-bit share flags. */
2334 #define SHARE_FLAGS_manual_caching 0x00000000
2335 #define SHARE_FLAGS_auto_caching 0x00000010
2336 #define SHARE_FLAGS_vdo_caching 0x00000020
2337 #define SHARE_FLAGS_no_caching 0x00000030
/* Display names for the four caching policies above. NOTE(review): the
 * table terminator is not among the lines shown - confirm it is present. */
2339 static const value_string share_cache_vals[] = {
2340 { SHARE_FLAGS_manual_caching, "Manual caching" },
2341 { SHARE_FLAGS_auto_caching, "Auto caching" },
2342 { SHARE_FLAGS_vdo_caching, "VDO caching" },
2343 { SHARE_FLAGS_no_caching, "No caching" },
/* Single-bit share flags. NOTE(review): the last mask is named
 * encryption_required here while dissect_smb2_share_flags() below lists
 * hf_smb2_share_flags_encrypt_data - confirm both refer to bit 0x8000. */
2347 #define SHARE_FLAGS_dfs 0x00000001
2348 #define SHARE_FLAGS_dfs_root 0x00000002
2349 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
2350 #define SHARE_FLAGS_force_shared_delete 0x00000200
2351 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
2352 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
2353 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
2354 #define SHARE_FLAGS_enable_hash_v1 0x00002000
2355 #define SHARE_FLAGS_enable_hash_v2 0x00004000
2356 #define SHARE_FLAGS_encryption_required 0x00008000
/*
 * Dissect the 32-bit little-endian share flags as a bitmask and append a
 * "Caching policy" line under the same item.
 * NOTE(review): proto_tree_add_bitmask() needs a NULL-terminated field
 * list; the terminator of sf_fields is not among the lines shown.
 */
2359 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
2361 static const int *sf_fields[] = {
2362 &hf_smb2_share_flags_dfs,
2363 &hf_smb2_share_flags_dfs_root,
2364 &hf_smb2_share_flags_restrict_exclusive_opens,
2365 &hf_smb2_share_flags_force_shared_delete,
2366 &hf_smb2_share_flags_allow_namespace_caching,
2367 &hf_smb2_share_flags_access_based_dir_enum,
2368 &hf_smb2_share_flags_force_levelii_oplock,
2369 &hf_smb2_share_flags_enable_hash_v1,
2370 &hf_smb2_share_flags_enable_hash_v2,
2371 &hf_smb2_share_flags_encrypt_data,
2377 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
/* cp is read as the full flags word. share_cache_vals only has entries for
 * 0x00/0x10/0x20/0x30, so the lookup resolves only if cp is masked first.
 * NOTE(review): a line is missing from the listing between the read and
 * the lookup - confirm it masks cp down to the caching bits. */
2379 cp = tvb_get_letohl(tvb, offset);
2381 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
/* Bit masks for the 32-bit share capabilities word; not referenced by name
 * in dissect_smb2_share_caps() below. */
2389 #define SHARE_CAPS_DFS 0x00000008
2390 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
2391 #define SHARE_CAPS_SCALEOUT 0x00000020
2392 #define SHARE_CAPS_CLUSTER 0x00000040
/*
 * Dissect the 32-bit little-endian share capabilities as a bitmask.
 * NOTE(review): proto_tree_add_bitmask() needs a NULL-terminated field
 * list; the terminator of sc_fields is not among the lines shown.
 */
2395 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
2397 static const int *sc_fields[] = {
2398 &hf_smb2_share_caps_dfs,
2399 &hf_smb2_share_caps_continuous_availability,
2400 &hf_smb2_share_caps_scaleout,
2401 &hf_smb2_share_caps_cluster,
2405 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
/*
 * Dispatch a security blob to a sub-dissector. A blob of at least 7 bytes
 * that starts with the ASCII bytes "NTLMSSP" goes to ntlmssp_handle (raw
 * NTLMSSP, no GSS-API wrapping); gssapi_handle is the other target.
 * The length test comes first so the comparison never reads past a short
 * blob. The line separating the two calls is not shown in this listing.
 */
2413 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
2415 if ((tvb_length(tvb)>=7)
2416 && (!tvb_memeql(tvb, 0, "NTLMSSP", 7))) {
2417 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
2419 call_dissector(gssapi_handle, tvb, pinfo, tree);
/*
 * Dissect a SESSION_SETUP request and, on the first pass over the frame,
 * record who authenticated.
 *
 * A tap listener on "ntlmssp" is registered once, without callbacks
 * (TL_IS_DISSECTOR_HELPER). After the security blob has been dissected the
 * function pulls the tapped NTLMSSP headers with fetch_tapped_data() and,
 * for each NTLMSSP_AUTH message, stores a smb2_sesid_info_t (session id,
 * account/domain/host names, derived decryption keys, server port, frame
 * number) in si->conv->sesids.
 *
 * NOTE(review):
 *  - If register_tap_listener() fails, ntlmssp_tap_id stays 0 and
 *    fetch_tapped_data() is still called with it - confirm that is
 *    harmless.
 *  - si and si->conv are dereferenced with no NULL check in the lines shown.
 *  - The declarations of idx and zeros, and the middle arguments of both
 *    smb2_key_derivation() calls, are on lines the listing omits.
 */
2424 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2426 offset_length_buffer_t s_olb;
2427 const ntlmssp_header_t *ntlmssph;
2428 static int ntlmssp_tap_id = 0;
2431 if (!ntlmssp_tap_id) {
2432 GString *error_string;
2433 /* We dont specify any callbacks at all.
2434 * Instead we manually fetch the tapped data after the
2435 * security blob has been fully dissected and before
2436 * we exit from this dissector.
2438 error_string = register_tap_listener("ntlmssp", NULL, NULL,
2439 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL);
2440 if (!error_string) {
2441 ntlmssp_tap_id = find_tap_id("ntlmssp");
2443 g_string_free(error_string, TRUE);
2449 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2450 /* some unknown bytes */
2453 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
2456 offset = dissect_smb2_secmode(tree, tvb, offset);
2459 offset = dissect_smb2_capabilities(tree, tvb, offset);
2462 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2465 /* security blob offset/length */
2466 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2468 /* previous session id */
2469 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2473 /* the security blob itself */
2474 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2476 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
2478 /* If we have found a uid->acct_name mapping, store it */
/* Only on the first pass, so a re-dissection does not add the session twice. */
2479 if (!pinfo->fd->flags.visited) {
2481 while ((ntlmssph = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
/* The ntlmssph test is redundant: the loop condition already excludes NULL. */
2482 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
2483 smb2_sesid_info_t *sesid;
2484 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
2485 sesid->sesid = si->sesid;
/* The three names are capture-derived strings copied into file-scope
 * memory. NOTE(review): confirm the NTLMSSP tap never leaves any of them
 * NULL before they reach wmem_strdup(). */
2486 sesid->acct_name = wmem_strdup(wmem_file_scope(), ntlmssph->acct_name);
2487 sesid->domain_name = wmem_strdup(wmem_file_scope(), ntlmssph->domain_name);
2488 sesid->host_name = wmem_strdup(wmem_file_scope(), ntlmssph->host_name);
/* An all-zero session key means none was recovered; in that case both
 * decryption keys are zeroed instead of derived. The derived keys stay in
 * file-scope memory for as long as the capture is open; nothing in view
 * wipes them. */
2489 if (memcmp(ntlmssph->session_key, zeros, NTLMSSP_KEY_LEN) != 0) {
2490 smb2_key_derivation(ntlmssph->session_key,
2494 sesid->server_decryption_key);
2495 smb2_key_derivation(ntlmssph->session_key,
2499 sesid->client_decryption_key);
2501 memset(sesid->server_decryption_key, 0,
2502 sizeof(sesid->server_decryption_key));
2503 memset(sesid->client_decryption_key, 0,
2504 sizeof(sesid->client_decryption_key));
2506 sesid->server_port = pinfo->destport;
2507 sesid->auth_frame = pinfo->fd->num;
/* NOTE(review): this GLib table hangs off a wmem file-scope struct; no
 * matching destroy is visible here, so it presumably outlives the capture
 * file - confirm it is released when the file is closed. */
2508 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
/* The record is its own key. No lookup for an existing entry with the same
 * session id is visible before the insert. */
2509 g_hash_table_insert(si->conv->sesids, sesid, sesid);
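/*
 * Dissect the body of an SMB2 ERROR response: buffer code, two reserved
 * bytes, the 4-byte ByteCount and then ByteCount bytes of ErrorData (one
 * byte when ByteCount is zero).
 *
 * byte_count comes from the packet and is used unchecked as the item
 * length and as the offset increment; a value larger than the remaining
 * data is left to the tvb bounds checking inside proto_tree_add_item().
 * NOTE(review): the declaration of byte_count is not among the lines
 * shown; if it is a signed type, values of 0x80000000 and above turn
 * negative - confirm the type.
 */
2518 dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2523 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2526 /* Reserved (2 bytes) */
2527 proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2530 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
/* Read little-endian, matching the ENC_LITTLE_ENDIAN item added for the
 * same four bytes; a big-endian read made the ErrorData length disagree
 * with the ByteCount shown in the tree. */
2531 byte_count = tvb_get_letohl(tvb, offset);
2532 proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2535 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
2536 that is one byte in length */
2537 if (byte_count == 0) byte_count = 1;
2539 /* ErrorData (variable): A variable-length data field that contains extended
2540 error information.*/
2541 proto_tree_add_item(tree, hf_smb2_error_data, tvb, offset, byte_count, ENC_NA);
2542 offset += byte_count;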
/*
 * Dissect a SESSION_SETUP response: buffer code, session flags, then the
 * security blob located by its offset/length pair. Unlike the other
 * response dissectors here it does not branch on si->status, because a
 * non-zero status still carries a security blob during authentication.
 * NOTE(review): si is tagged _U_ but is passed to dissect_smb2_olb_buffer().
 */
2548 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2550 offset_length_buffer_t s_olb;
2552 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
2555 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2558 offset = dissect_smb2_ses_flags(tree, tvb, offset);
2560 /* security blob offset/length */
2561 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2563 /* the security blob itself */
2564 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2566 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/*
 * Dissect a TREE_CONNECT request: buffer code, the offset/length pair of
 * the tree name, then the name itself as a Unicode string. On the first
 * pass the name is copied into si->saved->extra_info (file-scope memory,
 * olb.len+1 bytes, bounded by g_snprintf) so the response can attach it to
 * the tree id; the name is also appended to the Info column.
 *
 * NOTE(review):
 *  - si is tagged _U_ but is dereferenced below; the tag is stale.
 *  - The copy is guarded by a buf check, but no such guard is visible
 *    around the final col_append_fstr(); confirm buf cannot be NULL there.
 *  - olb.len is a length taken from the packet; the +1 assumes it cannot
 *    be the maximum of its type (declaration not visible here).
 */
2572 dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2574 offset_length_buffer_t olb;
2578 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2583 /* tree offset/length */
2584 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);
2587 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
2589 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
2591 /* treelen +1 is overkill here if the string is unicode,
2592 * but who ever has more than a handful of TCON in a trace anyways
2594 if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
2595 si->saved->extra_info_type = SMB2_EI_TREENAME;
2596 si->saved->extra_info = wmem_alloc(wmem_file_scope(), olb.len+1);
2597 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
2600 col_append_fstr(pinfo->cinfo, COL_INFO, " Tree: %s", buf);
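/*
 * Dissect a TREE_CONNECT response. A non-zero si->status is dissected as
 * an error response instead. Otherwise: buffer code, the one-byte share
 * type, share flags, share capabilities and an access mask.
 *
 * On the first pass, when the matching request saved a tree name
 * (SMB2_EI_TREENAME) and a session is known, a smb2_tid_info_t carrying
 * the tree id, name, frame number and share type is stored in
 * si->session->tids, replacing any entry found for the same key. Ownership
 * of the saved name moves to the new entry and the saved slot is cleared.
 *
 * NOTE(review):
 *  - si is tagged _U_ but is dereferenced throughout; the tag is stale.
 *  - Only tid_key.tid is initialised before the lookup; this relies on the
 *    hash and equality callbacks reading no other member - confirm.
 *  - The test around g_hash_table_remove() and the assignment of tid->tid
 *    are on lines the listing omits.
 */
2605 dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2609 switch (si->status) {
2610 case 0x00000000: break;
2611 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2615 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* The share type is a single byte (the item below has length 1) followed
 * by a reserved byte. A 16-bit read folded the reserved byte into the
 * stored share type whenever a peer sent it non-zero. */
2618 share_type = tvb_get_guint8(tvb, offset);
2619 proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2620 /* Next byte is reserved and must be set to zero */
2623 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
2624 smb2_tid_info_t *tid, tid_key;
2626 tid_key.tid = si->tid;
2627 tid = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
2629 g_hash_table_remove(si->session->tids, &tid_key);
2631 tid = wmem_new(wmem_file_scope(), smb2_tid_info_t);
2633 tid->name = (char *)si->saved->extra_info;
2634 tid->connect_frame = pinfo->fd->num;
2635 tid->share_type = share_type;
2637 g_hash_table_insert(si->session->tids, tid, tid);
2639 si->saved->extra_info_type = SMB2_EI_NONE;
2640 si->saved->extra_info = NULL;
2644 offset = dissect_smb2_share_flags(tree, tvb, offset);
2646 /* share capabilities */
2647 offset = dissect_smb2_share_caps(tree, tvb, offset);
2649 /* this is some sort of access mask */
2650 offset = dissect_smb_access_mask(tvb, tree, offset);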
/* Dissect a TREE_DISCONNECT request; only the buffer code is decoded in the
 * lines shown. */
2656 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2659 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/*
 * Dissect a TREE_DISCONNECT response. A non-zero si->status is dissected
 * as an error response; otherwise only the buffer code is decoded in the
 * lines shown.
 * NOTE(review): pinfo and si are tagged _U_ but are both used below.
 */
2668 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2670 switch (si->status) {
2671 case 0x00000000: break;
2672 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2676 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* Dissect a session LOGOFF request: the buffer code is decoded; the
 * reserved bytes are mentioned but no item for them is visible here. */
2685 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2688 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2690 /* reserved bytes */
/*
 * Dissect a session LOGOFF response. A non-zero si->status is dissected as
 * an error response; otherwise the buffer code is decoded.
 * NOTE(review): pinfo and si are tagged _U_ but are both used below.
 */
2697 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2699 switch (si->status) {
2700 case 0x00000000: break;
2701 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2705 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2707 /* reserved bytes */
/* Dissect a KEEPALIVE request: buffer code followed by two bytes shown as
 * hf_smb2_unknown. */
2714 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2717 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2719 /* some unknown bytes */
2720 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect a KEEPALIVE response. A non-zero si->status is dissected as an
 * error response; otherwise buffer code plus two bytes shown as
 * hf_smb2_unknown.
 * NOTE(review): pinfo and si are tagged _U_ but are both used below.
 */
2727 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2729 switch (si->status) {
2730 case 0x00000000: break;
2731 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2735 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2737 /* some unknown bytes */
2738 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect a CHANGE_NOTIFY request: buffer code, 16-bit notify flags (with
 * the watch-tree bit in a subtree), the 32-bit output buffer length, the
 * file id and the completion filter.
 */
2745 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2747 proto_tree *flags_tree = NULL;
2748 proto_item *flags_item = NULL;
2751 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2755 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2756 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
2758 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2761 /* output buffer length */
2762 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* FID_MODE_USE: the file id refers to a handle that is already open. */
2766 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
2768 /* completion filter */
2769 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
/* Callback for the notify output buffer: shows the whole tvb as
 * hf_smb2_unknown without decoding any structure. */
2778 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
2780 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/*
 * Dissect a CHANGE_NOTIFY response. A non-zero si->status is dissected as
 * an error response; otherwise buffer code, the offset/length pair of the
 * output buffer (16-bit offset, 32-bit length) and the buffer itself via
 * dissect_smb2_notify_data_out().
 * NOTE(review): pinfo is tagged _U_ but is used below; the tag is stale.
 */
2784 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
2786 offset_length_buffer_t olb;
2788 switch (si->status) {
2789 case 0x00000000: break;
2790 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2794 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2796 /* out buffer offset/length */
2797 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
2800 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
2801 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* Bit masks for the one-byte find flags; not referenced by name in
 * dissect_smb2_find_request() below. */
2806 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
2807 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
2808 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
2809 #define SMB2_FIND_FLAG_REOPEN 0x10
/*
 * Dissect a FIND (query directory) request: buffer code, information
 * level, find flags, file index, file id, the offset/length pair of the
 * search pattern, the output buffer length and the pattern itself. The
 * information level is saved in si->saved->infolevel, and on the first
 * pass the pattern is copied into si->saved->extra_info; both level and
 * pattern are appended to the Info column.
 *
 * NOTE(review):
 *  - si->saved is tested before the pattern copy, but no such test is
 *    visible around the infolevel store - confirm it is guarded.
 *  - The pattern copy does not test buf, whereas
 *    dissect_smb2_tree_connect_request() tests buf before the equivalent
 *    copy; confirm dissect_smb2_olb_string() cannot return NULL while
 *    olb.len is non-zero, or add the same test.
 *  - extra_info is allocated with g_malloc() here but with
 *    wmem_alloc(wmem_file_scope(), ...) in the tree connect request;
 *    confirm every path that clears it for SMB2_EI_FINDPATTERN frees it.
 *  - The terminator of f_fields and the last argument of the final
 *    col_append_fstr() are on lines the listing omits.
 */
2812 dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2814 offset_length_buffer_t olb;
2817 static const int *f_fields[] = {
2818 &hf_smb2_find_flags_restart_scans,
2819 &hf_smb2_find_flags_single_entry,
2820 &hf_smb2_find_flags_index_specified,
2821 &hf_smb2_find_flags_reopen,
2826 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2828 il = tvb_get_guint8(tvb, offset);
2830 si->saved->infolevel = il;
2834 proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
2838 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
2842 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2846 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
2848 /* search pattern offset/length */
2849 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);
2851 /* output buffer length */
2852 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2855 /* search pattern */
2856 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
2858 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* The copy is bounded: olb.len+1 bytes are allocated and g_snprintf() is
 * given the same limit. */
2860 if (!pinfo->fd->flags.visited && si->saved && olb.len) {
2861 si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
2862 si->saved->extra_info = g_malloc(olb.len+1);
2863 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
2866 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
2867 val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
/*
 * Dissect a chain of directory-information entries from a FIND response.
 * Each entry starts with a 32-bit little-endian offset to the next entry,
 * followed by file index, four timestamps, end-of-file, allocation size,
 * attributes, the file name length and the name. The loop runs while more
 * than 4 bytes remain and ends when the next-entry offset is zero.
 *
 * next_offset and file_name_len are taken from the packet as sent.
 * NOTE(review): the assignment of bc before the name is read is on a line
 * the listing omits.
 */
2873 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2876 proto_item *item = NULL;
2877 proto_tree *tree = NULL;
2878 const char *name = NULL;
2881 while (tvb_length_remaining(tvb, offset) > 4) {
/* Remember where the entry starts; next_offset is relative to it. */
2882 int old_offset = offset;
2887 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
2888 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
2892 next_offset = tvb_get_letohl(tvb, offset);
2893 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2897 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2901 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2904 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2907 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2910 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2913 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2916 /* allocation size */
2917 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2920 /* File Attributes */
2921 offset = dissect_file_ext_attr(tvb, tree, offset);
2923 /* file name length */
2924 file_name_len = tvb_get_letohl(tvb, offset);
2925 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2929 if (file_name_len) {
2931 name = get_unicode_or_ascii_string(tvb, &offset,
2932 TRUE, &file_name_len, TRUE, TRUE, &bc);
2934 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2935 offset, file_name_len, name);
2936 proto_item_append_text(item, ": %s", name);
2941 proto_item_set_len(item, offset-old_offset);
2943 if (next_offset == 0) {
/* The wrap test below is the only validation of next_offset. A value
 * smaller than the bytes already consumed is accepted, so entries may
 * overlap; the loop still advances because the new offset is strictly
 * greater than old_offset. NOTE(review): the sum is computed before it is
 * tested; if both operands are signed int (declarations not visible) the
 * overflow is undefined behaviour - compare next_offset with
 * tvb_length_remaining() before adding. */
2947 offset = old_offset+next_offset;
2948 if (offset < old_offset) {
/* NOTE(review): the malformed-packet item is anchored at the offset that
 * just failed the test - confirm old_offset was not intended. */
2949 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
2950 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of full-directory-information entries from a FIND
 * response. Same layout as the plain directory entry plus a 32-bit EA size
 * after the file name length. The loop runs while more than 4 bytes remain
 * and ends when the next-entry offset is zero.
 *
 * next_offset and file_name_len are taken from the packet as sent.
 * NOTE(review): the assignment of bc before the name is read is on a line
 * the listing omits.
 */
2956 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2959 proto_item *item = NULL;
2960 proto_tree *tree = NULL;
2961 const char *name = NULL;
2964 while (tvb_length_remaining(tvb, offset) > 4) {
/* Remember where the entry starts; next_offset is relative to it. */
2965 int old_offset = offset;
2970 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
2971 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
2975 next_offset = tvb_get_letohl(tvb, offset);
2976 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2980 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2984 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2987 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2990 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2993 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2996 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2999 /* allocation size */
3000 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3003 /* File Attributes */
3004 offset = dissect_file_ext_attr(tvb, tree, offset);
3006 /* file name length */
3007 file_name_len = tvb_get_letohl(tvb, offset);
3008 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3012 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3016 if (file_name_len) {
3018 name = get_unicode_or_ascii_string(tvb, &offset,
3019 TRUE, &file_name_len, TRUE, TRUE, &bc);
3021 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3022 offset, file_name_len, name);
3023 proto_item_append_text(item, ": %s", name);
3028 proto_item_set_len(item, offset-old_offset);
3030 if (next_offset == 0) {
/* The wrap test below is the only validation of next_offset. A value
 * smaller than the bytes already consumed is accepted, so entries may
 * overlap; the loop still advances because the new offset is strictly
 * greater than old_offset. NOTE(review): the sum is computed before it is
 * tested; if both operands are signed int (declarations not visible) the
 * overflow is undefined behaviour - compare next_offset with
 * tvb_length_remaining() before adding. */
3034 offset = old_offset+next_offset;
3035 if (offset < old_offset) {
/* NOTE(review): the malformed-packet item is anchored at the offset that
 * just failed the test - confirm old_offset was not intended. */
3036 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3037 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of both-directory-information entries from a FIND
 * response. Same layout as the full directory entry plus a one-byte short
 * name length and the short name ahead of the long file name. The loop
 * runs while more than 4 bytes remain and ends when the next-entry offset
 * is zero.
 *
 * next_offset, file_name_len and short_name_len are taken from the packet
 * as sent. For the short name, bc is set to short_name_len itself, so that
 * read is bounded by the packet's own length byte rather than by the bytes
 * left in the tvb. NOTE(review): the assignment of bc before the long name
 * is read is on a line the listing omits.
 */
3043 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3046 proto_item *item = NULL;
3047 proto_tree *tree = NULL;
3048 const char *name = NULL;
3051 while (tvb_length_remaining(tvb, offset) > 4) {
/* Remember where the entry starts; next_offset is relative to it. */
3052 int old_offset = offset;
3058 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3059 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3063 next_offset = tvb_get_letohl(tvb, offset);
3064 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3068 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3072 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3075 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3078 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3081 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3084 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3087 /* allocation size */
3088 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3091 /* File Attributes */
3092 offset = dissect_file_ext_attr(tvb, tree, offset);
3094 /* file name length */
3095 file_name_len = tvb_get_letohl(tvb, offset);
3096 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3100 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3103 /* short name length */
3104 short_name_len = tvb_get_guint8(tvb, offset);
3105 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3112 if (short_name_len) {
3113 bc = short_name_len;
3114 name = get_unicode_or_ascii_string(tvb, &offset,
3115 TRUE, &short_name_len, TRUE, TRUE, &bc);
3117 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3118 offset, short_name_len, name);
3124 if (file_name_len) {
3126 name = get_unicode_or_ascii_string(tvb, &offset,
3127 TRUE, &file_name_len, TRUE, TRUE, &bc);
3129 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3130 offset, file_name_len, name);
3131 proto_item_append_text(item, ": %s", name);
3136 proto_item_set_len(item, offset-old_offset);
3138 if (next_offset == 0) {
/* The wrap test below is the only validation of next_offset. A value
 * smaller than the bytes already consumed is accepted, so entries may
 * overlap; the loop still advances because the new offset is strictly
 * greater than old_offset. NOTE(review): the sum is computed before it is
 * tested; if both operands are signed int (declarations not visible) the
 * overflow is undefined behaviour - compare next_offset with
 * tvb_length_remaining() before adding. */
3142 offset = old_offset+next_offset;
3143 if (offset < old_offset) {
/* NOTE(review): the malformed-packet item is anchored at the offset that
 * just failed the test - confirm old_offset was not intended. */
3144 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3145 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of name-information entries from a FIND response: the
 * next-entry offset, file index, file name length and the name. The loop
 * runs while more than 4 bytes remain and ends when the next-entry offset
 * is zero.
 *
 * next_offset and file_name_len are taken from the packet as sent.
 * NOTE(review): the subtree is created with hf_smb2_both_directory_info
 * and ett_smb2_both_directory_info, so these entries are labelled as
 * both-directory entries; this looks copied from
 * dissect_smb2_both_directory_info() - confirm whether a dedicated field
 * should be used. The assignment of bc before the name is read is on a
 * line the listing omits.
 */
3151 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3154 proto_item *item = NULL;
3155 proto_tree *tree = NULL;
3156 const char *name = NULL;
3159 while (tvb_length_remaining(tvb, offset) > 4) {
/* Remember where the entry starts; next_offset is relative to it. */
3160 int old_offset = offset;
3165 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3166 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3170 next_offset = tvb_get_letohl(tvb, offset);
3171 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3175 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3178 /* file name length */
3179 file_name_len = tvb_get_letohl(tvb, offset);
3180 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3184 if (file_name_len) {
3186 name = get_unicode_or_ascii_string(tvb, &offset,
3187 TRUE, &file_name_len, TRUE, TRUE, &bc);
3189 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3190 offset, file_name_len, name);
3191 proto_item_append_text(item, ": %s", name);
3196 proto_item_set_len(item, offset-old_offset);
3198 if (next_offset == 0) {
/* The wrap test below is the only validation of next_offset. A value
 * smaller than the bytes already consumed is accepted, so entries may
 * overlap; the loop still advances because the new offset is strictly
 * greater than old_offset. NOTE(review): the sum is computed before it is
 * tested; if both operands are signed int (declarations not visible) the
 * overflow is undefined behaviour - compare next_offset with
 * tvb_length_remaining() before adding. */
3202 offset = old_offset+next_offset;
3203 if (offset < old_offset) {
/* NOTE(review): the malformed-packet item is anchored at the offset that
 * just failed the test - confirm old_offset was not intended. */
3204 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3205 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of id-both-directory-information entries from a FIND
 * response. Same layout as the both-directory entry plus an 8-byte file id
 * between the short name and the long file name. The loop runs while more
 * than 4 bytes remain and ends when the next-entry offset is zero.
 *
 * next_offset, file_name_len and short_name_len are taken from the packet
 * as sent. For the short name, bc is set to short_name_len itself, so that
 * read is bounded by the packet's own length byte rather than by the bytes
 * left in the tvb. NOTE(review): the assignment of bc before the long name
 * is read is on a line the listing omits.
 */
3211 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3214 proto_item *item = NULL;
3215 proto_tree *tree = NULL;
3216 const char *name = NULL;
3219 while (tvb_length_remaining(tvb, offset) > 4) {
/* Remember where the entry starts; next_offset is relative to it. */
3220 int old_offset = offset;
3226 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
3227 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
3231 next_offset = tvb_get_letohl(tvb, offset);
3232 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3236 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3240 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3243 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3246 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3249 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3252 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3255 /* allocation size */
3256 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3259 /* File Attributes */
3260 offset = dissect_file_ext_attr(tvb, tree, offset);
3262 /* file name length */
3263 file_name_len = tvb_get_letohl(tvb, offset);
3264 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3268 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3271 /* short name length */
3272 short_name_len = tvb_get_guint8(tvb, offset);
3273 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3280 if (short_name_len) {
3281 bc = short_name_len;
3282 name = get_unicode_or_ascii_string(tvb, &offset,
3283 TRUE, &short_name_len, TRUE, TRUE, &bc);
3285 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3286 offset, short_name_len, name);
3295 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3299 if (file_name_len) {
3301 name = get_unicode_or_ascii_string(tvb, &offset,
3302 TRUE, &file_name_len, TRUE, TRUE, &bc);
3304 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3305 offset, file_name_len, name);
3306 proto_item_append_text(item, ": %s", name);
3311 proto_item_set_len(item, offset-old_offset);
3313 if (next_offset == 0) {
/* The wrap test below is the only validation of next_offset. A value
 * smaller than the bytes already consumed is accepted, so entries may
 * overlap; the loop still advances because the new offset is strictly
 * greater than old_offset. NOTE(review): the sum is computed before it is
 * tested; if both operands are signed int (declarations not visible) the
 * overflow is undefined behaviour - compare next_offset with
 * tvb_length_remaining() before adding. */
3317 offset = old_offset+next_offset;
3318 if (offset < old_offset) {
/* NOTE(review): the malformed-packet item is anchored at the offset that
 * just failed the test - confirm old_offset was not intended. */
3319 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3320 "Invalid offset/length. Malformed packet");
/*
 * Pairs a find info level with the routine that dissects response data of
 * that level. NOTE(review): the member that holds the level (read as
 * dis->level in dissect_smb2_find_data) is on a line omitted from this listing.
 */
3327 typedef struct _smb2_find_dissector_t {
3329 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
3330 } smb2_find_dissector_t;
/*
 * Lookup table walked by dissect_smb2_find_data, which stops at the first
 * entry whose dissector pointer is NULL; the table therefore needs such a
 * terminating entry (not visible in this listing).
 * NOTE(review): declared neither static nor const here -- confirm whether
 * anything outside this file needs it writable or externally visible.
 */
3332 smb2_find_dissector_t smb2_find_dissectors[] = {
3333 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
3334 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
3335 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
3336 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
3337 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
/*
 * Hands the find-response buffer to the table entry whose level equals the
 * info level saved with the request. The final line adds the whole buffer as
 * hf_smb2_unknown -- presumably only reached when no entry matched (the
 * return after a successful dispatch is not visible in this listing).
 */
3342 dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
3344 smb2_find_dissector_t *dis = smb2_find_dissectors;
/* walk the table until the NULL-dissector terminator */
3346 while (dis->dissector) {
/* NOTE(review): si->saved is tested twice; the second test is redundant. */
3347 if (si && si->saved && si->saved) {
3348 if (dis->level ==si->saved->infolevel) {
3349 dis->dissector(tvb, pinfo, tree, si);
3356 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/*
 * Dissects an SMB2 Find response: shows the saved info level as a generated
 * item, appends the saved search pattern to COL_INFO on the first pass, sends
 * any non-zero status to dissect_smb2_error_response(), then dissects the
 * buffer code and the find-info blob (via dissect_smb2_find_data).
 *
 * pinfo and si carry the _U_ (unused) marker although both are used below.
 */
3360 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3362 offset_length_buffer_t olb;
3363 proto_item *item = NULL;
/* NOTE(review): si->saved is dereferenced on the next line; the line that
 * should guard it is not visible in this listing -- confirm that a NULL
 * check precedes it (the condition further down does test si->saved). */
3367 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
3368 PROTO_ITEM_SET_GENERATED(item);
/* first pass over this frame only, and only when a find pattern was saved */
3371 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
3372 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3373 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
3374 (const char *)si->saved->extra_info);
/* release the saved pattern and reset the slot so it is not used or freed again */
3376 g_free(si->saved->extra_info);
3377 si->saved->extra_info_type = SMB2_EI_NONE;
3378 si->saved->extra_info = NULL;
3381 switch (si->status) {
3382 case 0x00000000: break;
3383 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3387 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3389 /* findinfo offset */
3390 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
/* the blob itself, dispatched by saved info level */
3393 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
3395 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * Dissects an SMB2 Negotiate request: buffer code, dialect count, security
 * mode, capabilities, client GUID, boot time, then one 2-byte dialect item
 * per counted dialect.
 */
3401 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3406 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* dc is packet-supplied and is the only bound on the dialect loop below */
3409 dc = tvb_get_letohs(tvb, offset);
3410 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3413 /* security mode, skip second byte */
3414 offset = dissect_smb2_secmode(tree, tvb, offset);
3422 offset = dissect_smb2_capabilities(tree, tvb, offset);
3425 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
3428 /* client boot time */
3429 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
/* NOTE(review): when the packet is shorter than dc entries, ending the loop
 * depends on bounds checks inside the tvb/proto_tree calls (not shown here). */
3432 for ( ; dc>0; dc--) {
3433 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissects an SMB2 Negotiate response. A non-zero status is handed to
 * dissect_smb2_error_response(); otherwise the buffer code, security mode,
 * chosen dialect, server GUID, capabilities, max transaction/read/write
 * sizes, current and boot time and the security blob are added to the tree.
 *
 * si carries the _U_ (unused) marker although si->status is read below.
 */
3441 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3443 offset_length_buffer_t s_olb;
3445 switch (si->status) {
3446 case 0x00000000: break;
3447 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3451 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3453 /* security mode, skip second byte */
3454 offset = dissect_smb2_secmode(tree, tvb, offset);
3457 /* dialect picked */
3458 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3465 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
3469 offset = dissect_smb2_capabilities(tree, tvb, offset);
3471 /* max trans size */
3472 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3476 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3479 /* max write size */
3480 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3484 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_current_time);
3488 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
3491 /* security blob offset/length */
3492 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3494 /* the security blob itself */
3495 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3500 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/*
 * Dissects the class-specific parameter bytes of a GetInfo request, selected
 * by the saved class and info level. In the visible lines only
 * SMB2_SEC_INFO_00 has a dedicated decoder (the security information mask at
 * offset+8); every other branch adds 16 bytes as hf_smb2_unknown and moves
 * offset to the end of the tvb.
 */
3506 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
/* NOTE(review): si->saved is dereferenced with no check in this function, so
 * callers must guarantee it is non-NULL; the caller's guard is not visible in
 * this listing -- confirm. */
3508 switch (si->saved->smb2_class) {
3509 case SMB2_CLASS_FILE_INFO:
3510 switch (si->saved->infolevel) {
3512 /* we don't handle this infolevel yet */
3513 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3514 offset += tvb_length_remaining(tvb, offset);
3517 case SMB2_CLASS_FS_INFO:
3518 switch (si->saved->infolevel) {
3520 /* we don't handle this infolevel yet */
3521 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3522 offset += tvb_length_remaining(tvb, offset);
3525 case SMB2_CLASS_SEC_INFO:
3526 switch (si->saved->infolevel) {
3527 case SMB2_SEC_INFO_00:
3528 dissect_security_information_mask(tvb, tree, offset+8);
3531 /* we don't handle this infolevel yet */
3532 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3533 offset += tvb_length_remaining(tvb, offset);
3537 /* we don't handle this class yet */
3538 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3539 offset += tvb_length_remaining(tvb, offset);
/*
 * Resolves the class / info level pair and adds both to the tree. For a
 * response the pair is taken from the state saved with the request and the
 * items are marked generated; for a request the two bytes are read from the
 * packet at offset and offset+1, stored into the saved state, and appended
 * to COL_INFO.
 */
3546 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
3551 value_string_ext *vsx;
3553 if (si->flags & SMB2_FLAGS_RESPONSE) {
/* NOTE(review): si->saved is dereferenced here and again where the request
 * values are stored; any NULL checks are on lines not visible in this
 * listing -- confirm both paths are guarded. */
3557 cl = si->saved->smb2_class;
3558 il = si->saved->infolevel;
3560 cl = tvb_get_guint8(tvb, offset);
3561 il = tvb_get_guint8(tvb, offset+1);
3563 si->saved->smb2_class = cl;
3564 si->saved->infolevel = il;
/* pick the header field and value-string table that match the class */
3570 case SMB2_CLASS_FILE_INFO:
3571 hfindex = hf_smb2_infolevel_file_info;
3572 vsx = &smb2_file_info_levels_ext;
3574 case SMB2_CLASS_FS_INFO:
3575 hfindex = hf_smb2_infolevel_fs_info;
3576 vsx = &smb2_fs_info_levels_ext;
3578 case SMB2_CLASS_SEC_INFO:
3579 hfindex = hf_smb2_infolevel_sec_info;
3580 vsx = &smb2_sec_info_levels_ext;
3583 hfindex = hf_smb2_infolevel;
3584 vsx = NULL; /* allowed arg to val_to_str_ext() */
3589 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
3590 if (si->flags & SMB2_FLAGS_RESPONSE) {
3591 PROTO_ITEM_SET_GENERATED(item);
3594 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
3595 if (si->flags & SMB2_FLAGS_RESPONSE) {
3596 PROTO_ITEM_SET_GENERATED(item);
3600 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
3601 /* Only update COL_INFO for requests. It clutters the
3602 * display a bit too much if we do it for replies
3605 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
3606 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
3607 val_to_str_ext(il, vsx, "(Level:0x%02x)"));
/*
 * Dissects an SMB2 GetInfo request: buffer code, class and info level, max
 * response size, the class-specific parameters and the file id.
 */
3614 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3617 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3619 /* class and info level */
3620 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
3622 /* max response size */
3623 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* NOTE(review): dissect_smb2_getinfo_parameters dereferences si->saved. The
 * condition that chooses between this call and the "unknown bytes" fallback
 * below is not visible in this listing -- confirm it tests si->saved. */
3628 dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
3630 /* some unknown bytes */
3631 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3636 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dispatches an info buffer to the decoder for the given class and info
 * level. Levels or classes without a decoder are shown as hf_smb2_unknown
 * covering the rest of the tvb. When the status is 0x80000005 (buffer
 * overflow, per the comment below) a generated "Truncated..." item is added
 * at the starting offset.
 */
3642 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, guint8 smb2_class, guint8 infolevel)
3644 int old_offset = offset;
3646 switch (smb2_class) {
3647 case SMB2_CLASS_FILE_INFO:
3648 switch (infolevel) {
3649 case SMB2_FILE_BASIC_INFO:
3650 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
3652 case SMB2_FILE_STANDARD_INFO:
3653 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
3655 case SMB2_FILE_INTERNAL_INFO:
3656 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
3658 case SMB2_FILE_EA_INFO:
3659 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
3661 case SMB2_FILE_ACCESS_INFO:
3662 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
3664 case SMB2_FILE_RENAME_INFO:
3665 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
3667 case SMB2_FILE_DISPOSITION_INFO:
3668 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
3670 case SMB2_FILE_POSITION_INFO:
3671 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
3673 case SMB2_FILE_FULL_EA_INFO:
3674 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
3676 case SMB2_FILE_MODE_INFO:
3677 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
3679 case SMB2_FILE_ALIGNMENT_INFO:
3680 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
3682 case SMB2_FILE_ALL_INFO:
3683 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
3685 case SMB2_FILE_ALLOCATION_INFO:
3686 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
3688 case SMB2_FILE_ENDOFFILE_INFO:
/* NOTE(review): unlike the sibling cases, the return value is not assigned
 * to offset here -- confirm whether that is intended. */
3689 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
3691 case SMB2_FILE_ALTERNATE_NAME_INFO:
3692 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
3694 case SMB2_FILE_STREAM_INFO:
3695 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
3697 case SMB2_FILE_PIPE_INFO:
3698 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
3700 case SMB2_FILE_COMPRESSION_INFO:
3701 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
3703 case SMB2_FILE_NETWORK_OPEN_INFO:
3704 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
3706 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
3707 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
3710 /* we don't handle this infolevel yet */
3711 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3712 offset += tvb_length_remaining(tvb, offset);
3715 case SMB2_CLASS_FS_INFO:
3716 switch (infolevel) {
3717 case SMB2_FS_INFO_01:
3718 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
3720 case SMB2_FS_INFO_03:
3721 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
3723 case SMB2_FS_INFO_04:
3724 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
3726 case SMB2_FS_INFO_05:
3727 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
3729 case SMB2_FS_INFO_06:
3730 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
3732 case SMB2_FS_INFO_07:
3733 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
3735 case SMB2_FS_OBJECTID_INFO:
3736 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
3739 /* we don't handle this infolevel yet */
3740 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3741 offset += tvb_length_remaining(tvb, offset);
3744 case SMB2_CLASS_SEC_INFO:
3745 switch (infolevel) {
3746 case SMB2_SEC_INFO_00:
3747 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
3750 /* we don't handle this infolevel yet */
3751 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3752 offset += tvb_length_remaining(tvb, offset);
3756 /* we don't handle this class yet */
3757 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3758 offset += tvb_length_remaining(tvb, offset);
3761 /* if we get BUFFER_OVERFLOW there will be truncated data */
3762 if (si->status == 0x80000005) {
3764 item = proto_tree_add_text(tree, tvb, old_offset, 0, "Truncated...");
3765 PROTO_ITEM_SET_GENERATED(item);
/*
 * Dissects the GetInfo response buffer using the class and info level saved
 * with the request; the last line shows the whole buffer as hf_smb2_unknown.
 *
 * NOTE(review): si->saved is dereferenced in the call below. The condition
 * that presumably chooses between that call and the "unknown bytes" fallback
 * is not visible in this listing -- confirm it tests si->saved.
 */
3771 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
3775 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
3777 /* some unknown bytes */
3778 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/*
 * Dissects an SMB2 GetInfo response. The class / info level is shown first.
 * Status 0 and 0x80000005 continue to the response buffer; the case that the
 * BUFFER_TOO_SMALL comment describes shows the required buffer size instead;
 * any other status is handed to dissect_smb2_error_response(). The response
 * buffer is dissected by dissect_smb2_getinfo_response_data.
 */
3785 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3787 offset_length_buffer_t olb;
3789 /* class/infolevel */
3790 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
3792 switch (si->status) {
3793 case 0x00000000: break;
3794 /* if we get BUFFER_OVERFLOW there will be truncated data */
3795 case 0x80000005: break;
3796 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
3797 * a guin32 specifying how big the buffer needs to be
3800 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3801 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
3802 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3806 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3811 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3812 /* response buffer offset and size */
3813 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
/* the buffer itself, decoded by saved class / info level */
3816 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
/*
 * Dissects an SMB2 Close request: buffer code, the 2-byte close flags (with
 * the pq_attrib flag shown in a subtree) and the file id, which is processed
 * in FID_MODE_CLOSE.
 */
3822 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3824 proto_tree *flags_tree = NULL;
3825 proto_item *flags_item = NULL;
3828 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3832 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3833 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
3835 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3842 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
/*
 * Dissects an SMB2 Close response. A non-zero status is handed to
 * dissect_smb2_error_response(); otherwise the buffer code, close flags,
 * four timestamps, allocation size, end of file and file attributes are
 * added to the tree.
 *
 * pinfo and si carry the _U_ (unused) marker although both are used below.
 */
3848 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3850 proto_tree *flags_tree = NULL;
3851 proto_item *flags_item = NULL;
3853 switch (si->status) {
3854 case 0x00000000: break;
3855 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3859 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3863 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3864 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
3866 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3873 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3876 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3879 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3882 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3884 /* allocation size */
3885 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3889 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3892 /* File Attributes */
3893 offset = dissect_file_ext_attr(tvb, tree, offset);
/* Dissects an SMB2 Flush request: buffer code, 6 undecoded bytes and the file id. */
3899 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3902 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3904 /* some unknown bytes */
3905 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
3909 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dissects an SMB2 Flush response: a non-zero status goes to
 * dissect_smb2_error_response(); otherwise buffer code and 2 undecoded bytes.
 * pinfo and si carry the _U_ (unused) marker although both are used below.
 */
3915 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3917 switch (si->status) {
3918 case 0x00000000: break;
3919 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3923 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3925 /* some unknown bytes */
3926 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissects an SMB2 Lock request: buffer code, lock count, file id, then one
 * 24-byte lock element per counted lock (file offset, length and a flags
 * bitmask).
 */
3934 dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3939 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* lock_count is packet-supplied and is the only bound on the loop below */
3942 lock_count = tvb_get_letohs(tvb, offset);
3943 proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3950 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3952 while (lock_count--) {
3953 proto_item *lock_item = NULL;
3954 proto_tree *lock_tree = NULL;
3955 static const int *lf_fields[] = {
3956 &hf_smb2_lock_flags_shared,
3957 &hf_smb2_lock_flags_exclusive,
3958 &hf_smb2_lock_flags_unlock,
3959 &hf_smb2_lock_flags_fail_immediately,
3964 lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
3965 lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
/* NOTE(review): the file offset is added to tree, while the length and flags
 * of the same element go to lock_tree -- looks like it should be lock_tree;
 * confirm. */
3969 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3973 proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3977 proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
/*
 * Dissects an SMB2 Lock response: a non-zero status goes to
 * dissect_smb2_error_response(); otherwise buffer code and 2 undecoded bytes.
 * pinfo and si carry the _U_ (unused) marker although both are used below.
 */
3988 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3990 switch (si->status) {
3991 case 0x00000000: break;
3992 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3996 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3998 /* some unknown bytes */
3999 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Dissects an SMB2 Cancel request: buffer code followed by 2 undecoded bytes. */
4005 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4008 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4010 /* some unknown bytes */
4011 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Wraps datalen bytes starting at offset in a sub-tvb and offers it to the
 * heuristic sub-dissectors registered in smb2_heur_subdissector_list, with
 * top_tree as the tree they add to.
 *
 * The captured length of the sub-tvb is the smaller of datalen and the bytes
 * remaining in tvb; the reported length is datalen.
 *
 * NOTE(review): datalen is a guint32 that the write-request caller takes
 * from the packet. The (int) cast turns values above INT_MAX into negative
 * numbers, which MIN() would then select as the captured length. How
 * tvb_new_subset treats a negative length is not visible here -- confirm, or
 * clamp datalen before the cast.
 */
4019 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree)
4021 tvbuff_t *dcerpc_tvb;
4022 dcerpc_tvb = tvb_new_subset(tvb, offset, MIN((int)datalen, tvb_length_remaining(tvb, offset)), datalen);
4024 /* dissect the full PDU */
4025 dissector_try_heuristic(smb2_heur_subdissector_list, dcerpc_tvb, pinfo, top_tree, NULL);
/* Values of the channel field that dissect_smb2_write_request switches on. */
4033 #define SMB2_CHANNEL_NONE 0x00000000
4034 #define SMB2_CHANNEL_RDMA_V1 0x00000001
4035 #define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002
/*
 * Display names for the channel values above.
 * NOTE(review): the terminating entry and closing brace of this array are
 * not visible in this listing.
 */
4037 static const value_string smb2_channel_vals[] = {
4038 { SMB2_CHANNEL_NONE, "None" },
4039 { SMB2_CHANNEL_RDMA_V1, "RDMA V1" },
4040 { SMB2_CHANNEL_RDMA_V1_INVALIDATE, "RDMA V1_INVALIDATE" },
/*
 * Dissects a channel-info blob as an array of SMBDirect Buffer Descriptor V1
 * elements. Each element gets an "RDMA V1" subtree with an 8-byte offset, a
 * 4-byte token and a 4-byte length; the element count is appended to the
 * parent item's text.
 *
 * NOTE(review): num is presumably derived from len (the reported length of
 * the blob) on a line not visible in this listing -- confirm.
 */
4045 dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
4046 proto_tree *parent_tree, smb2_info_t *si _U_)
4052 proto_item *sub_item = NULL;
4053 proto_tree *sub_tree = NULL;
4054 proto_item *parent_item = NULL;
4057 parent_item = proto_tree_get_parent(parent_tree);
4060 len = tvb_reported_length(tvb);
4065 proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
4068 for (i = 0; i < num; i++) {
/* NOTE(review): the element item is created with length 8, but the three
 * fields added below cover 8 + 4 + 4 = 16 bytes -- confirm the intended
 * highlight length. */
4070 sub_item = proto_tree_add_text(parent_tree, tvb, offset, 8, "RDMA V1");
4071 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_rdma_v1);
4074 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4077 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4080 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4085 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
/*
 * Dissects an SMB2 Write request: buffer code, data offset, write length,
 * file offset, file id, channel, remaining bytes, channel-info blob and
 * write flags, followed by the written data. On a pipe share the data is
 * offered to the DCE/RPC heuristics; otherwise it is added as raw write
 * data. When an export-object tap is listening and the full declared length
 * is present in the tvb, the data is passed to feed_eo_smb2().
 */
4088 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4090 guint16 dataoffset = 0;
4091 guint32 data_tvb_len;
4092 offset_length_buffer_t c_olb;
4096 static const int *f_fields[] = {
4097 &hf_smb2_write_flags_write_through,
4102 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* NOTE(review): a 32-bit read is stored into the 16-bit dataoffset, while
 * the field is displayed as 2 bytes on the next line. The value is truncated
 * on assignment and the read covers 2 bytes beyond the field; a 16-bit read
 * (tvb_get_letohs, used elsewhere in this file) would match the field width. */
4105 dataoffset=tvb_get_letohl(tvb,offset);
4106 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* length is packet-supplied; it sizes the data item and the tap feed below */
4110 length = tvb_get_letohl(tvb, offset);
4111 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4115 off = tvb_get_letoh64(tvb, offset);
/* remember the file offset in the saved request state when there is one */
4116 if (si->saved) si->saved->file_offset=off;
4117 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4120 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", length, off);
4123 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4126 channel = tvb_get_letohl(tvb, offset);
4127 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4130 /* remaining bytes */
4131 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4134 /* write channel info blob offset/length */
4135 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
4138 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
4141 /* the write channel info blob itself */
4143 case SMB2_CHANNEL_RDMA_V1:
4144 case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
4145 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
4147 case SMB2_CHANNEL_NONE:
4149 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
4153 /* data or dcerpc ?*/
4154 if (length && si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE) {
4155 offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
4159 /* just ordinary data */
/* NOTE(review): length is passed on unchanged; presumably the call itself
 * rejects a length that runs past the end of the tvb -- confirm. */
4160 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
/* bytes actually present after the header, compared with length further down */
4162 data_tvb_len=(guint32)tvb_length_remaining(tvb, offset);
/* advance by the declared length, but never past the end of the tvb */
4164 offset += MIN(length,(guint32)tvb_length_remaining(tvb, offset));
4166 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
/* feed the export-object tap only when the remaining bytes equal the declared length */
4168 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
4169 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
4170 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
/*
 * Dissects an SMB2 Write response: a non-zero status goes to
 * dissect_smb2_error_response(); otherwise buffer code, 2 reserved bytes,
 * write count, remaining, and the channel-info offset and length.
 * pinfo and si carry the _U_ (unused) marker although both are used below.
 */
4179 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4181 switch (si->status) {
4182 case 0x00000000: break;
4183 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4187 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4190 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4194 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4197 /* remaining, must be set to 0 */
4198 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4201 /* write channel info offset */
4202 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4205 /* write channel info length */
4206 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Hands everything from offset to the end of the tvb to
 * dissect_file_data_dcerpc, for both directions (data_in is not used).
 */
4213 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, gboolean data_in _U_)
4215 dissect_file_data_dcerpc(tvb, pinfo, tree, offset, tvb_length_remaining(tvb, offset), top_tree);
/*
 * Dissects the input data of FSCTL_LMR_REQUEST_RESILIENCY: a 4-byte timeout
 * and a 4-byte reserved field. Per the comment below there is no output
 * data; the data_in test that presumably returns early for it is not visible
 * in this listing.
 */
4219 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4221 /* There is no out data */
4227 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4231 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissects a Windows IPv4 socket address: a "Socket Address" subtree of len
 * bytes holding the 2-byte family, 2-byte port and 4-byte IPv4 address. The
 * address text is appended to both the subtree item and the parent item.
 */
4235 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
4237 proto_item *sub_item = NULL;
4238 proto_tree *sub_tree = NULL;
4239 proto_item *parent_item = NULL;
4247 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4248 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4249 parent_item = proto_tree_get_parent(parent_tree);
4253 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4257 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4261 addr = tvb_get_ipv4(tvb, offset);
4262 proto_tree_add_ipv4(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, addr);
4264 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
4267 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
/*
 * Dissects a Windows IPv6 socket address: a "Socket Address" subtree of len
 * bytes holding family, port, flow info, the 16-byte IPv6 address and the
 * scope id. The address text is appended to both the subtree item and the
 * parent item.
 *
 * NOTE(review): flow info and scope id are added as 2-byte fields here,
 * whereas sin6_flowinfo and sin6_scope_id are 32-bit members of
 * SOCKADDR_IN6 -- confirm the field widths and the offset increments (the
 * increments are not visible in this listing).
 */
4272 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
4274 struct e_in6_addr addr;
4275 proto_item *sub_item = NULL;
4276 proto_tree *sub_tree = NULL;
4277 proto_item *parent_item = NULL;
4284 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4285 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4286 parent_item = proto_tree_get_parent(parent_tree);
4290 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4294 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4298 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4302 tvb_get_ipv6(tvb, offset, &addr);
4303 proto_tree_add_ipv6(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, (guint8 *)&addr);
4305 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
4308 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
4313 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissects a Windows socket-address storage block. The 2-byte family read
 * from the packet selects the IPv4 or IPv6 dissector; for any other family a
 * "Socket Address" subtree is added that shows only the family value.
 * len is defined on a line not visible in this listing.
 */
4317 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
4320 proto_item *sub_item = NULL;
4321 proto_tree *sub_tree = NULL;
4322 proto_item *parent_item = NULL;
4325 family = tvb_get_letohs(tvb, offset);
4327 case WINSOCK_AF_INET:
4328 dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
4330 case WINSOCK_AF_INET6:
4331 dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
4336 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4337 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4338 parent_item = proto_tree_get_parent(parent_tree);
4342 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): both appends below target sub_item, whereas
 * dissect_windows_sockaddr_in and _in6 append the second text to
 * parent_item; parent_item is assigned above but not used in any visible
 * line. Looks like a copy/paste slip -- confirm. */
4344 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
4347 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
4355 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
4356 #define NETWORK_INTERFACE_CAP_RDMA 0x00000002
/*
 * Dissects one NETWORK_INTERFACE_INFO record -- next offset, interface
 * index, capabilities, RSS queue count, link speed and socket address -- in
 * a "Network Interface" subtree, then calls itself on a sub-tvb that starts
 * next_offset bytes into the current one to dissect the following record.
 *
 * NOTE(review): the recursion depth follows the chain of next_offset values
 * read from the packet (the condition guarding the recursive call is not
 * visible in this listing). An iterative loop with an upper bound on the
 * number of records would keep stack use independent of packet contents.
 */
4359 dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
4361 guint32 next_offset;
4364 proto_item *sub_item = NULL;
4365 proto_tree *sub_tree = NULL;
4366 proto_item *item = NULL;
4367 guint32 capabilities;
4370 const char *unit = NULL;
/* packet-supplied distance to the next record */
4372 next_offset = tvb_get_letohl(tvb, offset);
4378 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Network Interface");
4379 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_ioctl_network_interface);
4383 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4386 /* interface index */
4387 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4391 capabilities = tvb_get_letohl(tvb, offset);
4392 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_capabilities, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4393 proto_tree_add_boolean(sub_tree, hf_smb2_ioctl_network_interface_capability_rdma, tvb, offset, 4, capabilities);
4394 proto_tree_add_boolean(sub_tree, hf_smb2_ioctl_network_interface_capability_rss, tvb, offset, 4, capabilities);
4395 if (capabilities != 0) {
/* NOTE(review): in the visible lines item is still NULL at this point (it is
 * only assigned at the link-speed field), so this append would have no item
 * to act on; presumably the capabilities item was meant -- confirm. */
4396 proto_item_append_text(item, "%s%s",
4397 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
4398 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
4400 proto_item_append_text(sub_item, "%s%s",
4401 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
4402 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
4407 /* rss queue count */
4408 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_rss_queue_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4412 link_speed = tvb_get_letoh64(tvb, offset);
4413 item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Scale the link speed for display. NOTE(review): assuming link_speed is an
 * integer type (its declaration is not visible), each division is done in
 * integer arithmetic before the cast, so the "%.1f" fraction is always 0. */
4414 if (link_speed >= (1000*1000*1000)) {
4415 val = (gfloat)(link_speed / (1000*1000*1000));
4417 } else if (link_speed >= (1000*1000)) {
4418 val = (gfloat)(link_speed / (1000*1000));
4420 } else if (link_speed >= (1000)) {
4421 val = (gfloat)(link_speed / (1000));
4424 val = (gfloat)(link_speed);
4427 proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
4429 proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);
4434 /* socket address */
4435 dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset);
/* the following record starts next_offset bytes into this tvb */
4439 next_tvb = tvb_new_subset_remaining(tvb, next_offset);
4441 /* next extra info */
4442 dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
/*
 * Dissects the output data of FSCTL_QUERY_NETWORK_INTERFACE_INFO by handing
 * the tvb to dissect_smb2_NETWORK_INTERFACE_INFO. Per the comment below
 * there is no input data; the data_in test that presumably returns early for
 * it is not visible in this listing.
 */
4447 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4449 /* There is no in data */
4454 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
/*
 * Dissects FSCTL_VALIDATE_NEGOTIATE_INFO data in the layout that, per the
 * note in the body, is only used by Windows 8 beta. Two field groups are
 * visible: capabilities, client GUID, security mode, dialect; and
 * capabilities, server GUID, security mode, dialect. The data_in test that
 * presumably selects between them is not visible in this listing.
 *
 * offset carries the _U_ (unused) marker although it is used below.
 */
4458 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4461 * This is only used by Windows 8 beta
4465 offset = dissect_smb2_capabilities(tree, tvb, offset);
4468 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4471 /* security mode, skip second byte */
4472 offset = dissect_smb2_secmode(tree, tvb, offset);
4476 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4480 offset = dissect_smb2_capabilities(tree, tvb, offset);
4483 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4486 /* security mode, skip second byte */
4487 offset = dissect_smb2_secmode(tree, tvb, offset);
4491 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissects FSCTL_VALIDATE_NEGOTIATE_INFO data. Two field groups are visible:
 * capabilities, client GUID, security mode, dialect count and one 2-byte
 * dialect per counted entry; and capabilities, server GUID, security mode
 * and a single dialect. The data_in test that presumably selects between
 * them is not visible in this listing.
 *
 * offset carries the _U_ (unused) marker although it is used below.
 */
4497 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4503 offset = dissect_smb2_capabilities(tree, tvb, offset);
4506 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4509 /* security mode, skip second byte */
4510 offset = dissect_smb2_secmode(tree, tvb, offset);
/* dc is packet-supplied and is the only bound on the dialect loop below */
4514 dc = tvb_get_letohs(tvb, offset);
4515 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4518 for ( ; dc>0; dc--) {
4519 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4524 offset = dissect_smb2_capabilities(tree, tvb, offset);
4527 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4530 /* security mode, skip second byte */
4531 offset = dissect_smb2_secmode(tree, tvb, offset);
4535 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_GET_SHADOW_COPY_DATA: three 32-bit counters (volumes, labels, count)
 * followed by a list of label strings added as
 * hf_smb2_ioctl_shadow_copy_label. */
4541 dissect_smb2_FSCTL_GET_SHADOW_COPY_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4543 guint32 num_volumes;
4545 /* There is no in data */
/* num_volumes is taken from the packet and is the loop counter below. */
4551 num_volumes = tvb_get_letohl(tvb, offset);
4552 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_volumes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4556 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_labels, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4560 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* NOTE(review): the loop bound is peer-controlled (a full 32-bit value) and
 * offset only advances by len. Confirm the loop exits when len is 0 or the
 * buffer is exhausted; no such exit is visible here, and without one a
 * crafted count could keep adding tree items for a very long time. */
4563 while (num_volumes--) {
4567 int old_offset = offset;
/* bc is the byte budget handed to the string reader: whatever is left in the
 * tvb from the current offset. */
4569 bc = tvb_length_remaining(tvb, offset);
4570 name = get_unicode_or_ascii_string(tvb, &offset,
4571 TRUE, &len, TRUE, FALSE, &bc);
4572 proto_tree_add_string(tree, hf_smb2_ioctl_shadow_copy_label, tvb, old_offset, len, name);
/* offset is recomputed from the saved start plus len rather than trusting
 * the value the string reader left in offset. */
4574 offset = old_offset+len;
/* Adds a 64-byte FILE_OBJECTID_BUFFER subtree under parent_tree made of four
 * 16-byte fields: object id, birth volume id, birth object id and domain id.
 * Callers in this file use the return value as the new offset. */
4583 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
4585 proto_item *item = NULL;
4586 proto_tree *tree = NULL;
4588 /* FILE_OBJECTID_BUFFER */
4590 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
4591 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
4595 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4598 /* Birth Volume ID */
4599 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4602 /* Birth Object ID */
4603 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4607 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* FSCTL_CREATE_OR_GET_OBJECT_ID (also used for FSCTL_GET_OBJECT_ID by the
 * ioctl dispatcher): the reply is a FILE_OBJECTID_BUFFER. The existing
 * comment says the request direction carries no data; the data_in check is
 * not visible here. */
4614 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4617 /* There is no in data */
4622 /* FILE_OBJECTID_BUFFER */
4623 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* FSCTL_GET_COMPRESSION: adds the 2-byte compression format. The existing
 * comment says the request direction carries no data; the data_in check is
 * not visible here. */
4629 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4632 /* There is no in data */
4637 /* compression format */
4638 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_SET_COMPRESSION: adds the 2-byte compression format. The existing
 * comment says the response direction carries no data; the data_in check is
 * not visible here. */
4644 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4647 /* There is no out data */
4652 /* compression format */
4653 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_SET_OBJECT_ID: the request payload is a FILE_OBJECTID_BUFFER. The
 * existing comment says the response direction carries no data; the data_in
 * check is not visible here. */
4660 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4663 /* There is no out data */
4668 /* FILE_OBJECTID_BUFFER */
4669 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* FSCTL_SET_OBJECT_ID_EXTENDED: only the ExtendedInfo part of a
 * FILE_OBJECTID_BUFFER is present, added as three 16-byte fields (birth
 * volume id, birth object id, domain id) directly under tree. */
4675 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4678 /* There is no out data */
4683 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
4685 /* Birth Volume ID */
4686 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4689 /* Birth Object ID */
4690 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4694 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* Dispatches an ioctl input or output buffer to the dissector for the given
 * ioctl_function code. Every handler is started at offset 0 of tvb and gets
 * data_in (TRUE for the request-side buffer, FALSE for the response-side
 * buffer, as passed by dissect_smb2_ioctl_data_in/_out). Codes without a
 * handler are shown as one hf_smb2_unknown item covering the captured bytes.
 * ioctl_function originates from the packet, so every handler must cope with
 * a buffer that does not match its expected layout. */
4701 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in)
/* dc is the reported length of the buffer; the DFS referral helpers receive
 * a pointer to it as their byte count. */
4705 dc = tvb_reported_length(tvb);
4707 switch (ioctl_function) {
4708 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
4710 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc, TRUE);
4712 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc, TRUE);
4716 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in);
4718 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
4719 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
4721 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
4722 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
4724 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
4725 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
4727 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
4728 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
4730 case 0x00144064: /* FSCTL_GET_SHADOW_COPY_DATA */
4731 dissect_smb2_FSCTL_GET_SHADOW_COPY_DATA(tvb, pinfo, tree, 0, data_in);
4733 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
4734 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
4735 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
4737 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
4738 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
4740 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
4741 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
4743 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
4744 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
4746 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
4747 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
/* Fallback for unhandled codes: raw bytes, sized by the captured length. */
4750 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/* Buffer callback for the ioctl input blob: forwards to
 * dissect_smb2_ioctl_data with data_in = TRUE, using the ioctl function code
 * and top-level tree stored on si. */
4755 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4757 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, TRUE);
/* Buffer callback for the ioctl output blob: forwards to
 * dissect_smb2_ioctl_data with data_in = FALSE, using the ioctl function code
 * and top-level tree stored on si. */
4761 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4763 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, FALSE);
/* Dissects an SMB2 IOCTL request: buffer code, ioctl function (stored in
 * si->ioctl_function for the data callbacks), file id, the in/out buffer
 * offset-length pairs with their maximum sizes, the flags, and finally the
 * two data blobs themselves. */
4767 dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4769 offset_length_buffer_t o_olb;
4770 offset_length_buffer_t i_olb;
4771 proto_tree *flags_tree = NULL;
4772 proto_item *flags_item = NULL;
4775 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4780 /* ioctl function */
4781 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
4784 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4786 /* in buffer offset/length */
4787 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
4789 /* max ioctl in size */
4790 proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4793 /* out buffer offset/length */
4794 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
4796 /* max ioctl out size */
4797 proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4802 flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4803 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
4805 proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* i_olb and o_olb hold offset/length pairs read from the packet. The blob
 * with the lower offset is dissected first, and the returned offset is
 * pushed past both blobs by dissect_smb2_olb_tvb_max_offset.
 * NOTE(review): the pairs are peer-controlled; presumably
 * dissect_smb2_olb_buffer checks them against the tvb -- confirm there. */
4811 /* try to decode these blobs in the order they were encoded
4812 * so that for "short" packets we will dissect as much as possible
4813 * before aborting with "short packet"
4815 if (i_olb.off>o_olb.off) {
4817 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4819 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4822 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4824 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4827 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
4828 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
/* Dissects an SMB2 IOCTL response. Any status other than 0x00000000 is
 * handed to dissect_smb2_error_response instead. Otherwise: buffer code, two
 * undecoded bytes, ioctl function (stored in si->ioctl_function), file id,
 * the in/out buffer offset-length pairs, and then the two data blobs, lower
 * offset first. The offset/length pairs come from the packet.
 * NOTE(review): presumably dissect_smb2_olb_buffer checks them against the
 * tvb -- confirm there. */
4834 dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4836 offset_length_buffer_t o_olb;
4837 offset_length_buffer_t i_olb;
4839 switch (si->status) {
4840 case 0x00000000: break;
4841 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4845 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4847 /* some unknown bytes */
4848 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
4851 /* ioctl function */
4852 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
4855 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4857 /* in buffer offset/length */
4858 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
4860 /* out buffer offset/length */
4861 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
4864 /* flags: reserved: must be zero */
4870 /* try to decode these blobs in the order they were encoded
4871 * so that for "short" packets we will dissect as much as possible
4872 * before aborting with "short packet"
4874 if (i_olb.off>o_olb.off) {
4876 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4878 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4881 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4883 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4886 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
4887 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
/* Dissects an SMB2 READ request: buffer code, read length, file offset, file
 * id, minimum count, channel, remaining bytes and the channel info blob. The
 * length and file offset are appended to the Info column and kept on
 * si->saved. */
4894 dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4896 offset_length_buffer_t c_olb;
4902 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4904 /* padding and reserved */
4908 len = tvb_get_letohl(tvb, offset);
4909 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4913 off = tvb_get_letoh64(tvb, offset);
4914 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): len holds a 32-bit value from the wire but is printed with
 * %d. If len is declared unsigned (its declaration is not visible here),
 * lengths above INT_MAX would be shown as negative; %u would match. */
4917 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", len, off);
4920 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4923 proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4927 channel = tvb_get_letohl(tvb, offset);
4928 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4931 /* remaining bytes */
4932 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4935 /* read channel info blob offset/length */
4936 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
/* The blob decoder depends on the channel type (presumably a switch on the
 * channel value read above): RDMA v1 gets dissect_smb2_rdma_v1_blob, the
 * other visible case passes NULL as the sub-dissector. */
4938 /* the read channel info blob itself */
4940 case SMB2_CHANNEL_RDMA_V1:
4941 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
4943 case SMB2_CHANNEL_NONE:
4945 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
4949 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
/* dissect_smb2_read_response later reads si->saved->file_offset.
 * NOTE(review): confirm si->saved is checked for NULL before these stores;
 * the guard is not visible here. */
4951 /* Store len and offset */
4953 si->saved->file_offset=off;
4954 si->saved->bytes_moved=len;
/* Dissects an SMB2 READ response. Any status other than 0x00000000 is handed
 * to dissect_smb2_error_response. Otherwise: buffer code, data offset, read
 * length, read remaining, then the data itself, which is either passed to the
 * DCE/RPC file-data dissector (pipe share or async command) or added as raw
 * hf_smb2_read_data. Fully captured data is also fed to the export-object tap.
 * NOTE(review): si is tagged _U_ although it is dereferenced throughout. */
4962 dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4964 guint16 dataoffset = 0;
4965 guint32 data_tvb_len;
4967 switch (si->status) {
4968 case 0x00000000: break;
4969 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4973 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* NOTE(review): the field is added below as 2 bytes and dataoffset is a
 * guint16, but the value is fetched with the 32-bit tvb_get_letohl. The
 * assignment truncates to the low 16 bits and the fetch needs 4 readable
 * bytes; tvb_get_letohs would match the field width. */
4976 dataoffset=tvb_get_letohl(tvb,offset);
4977 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4980 /* length might even be 64bits if they are ambitious*/
4981 length = tvb_get_letohl(tvb, offset);
4982 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4986 proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4993 * If the pidvalid flag is set we assume it is a deferred
4994 * STATUS_PENDING read and thus a named pipe (==dcerpc)
4996 if (length && ( (si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE)||(si->flags & SMB2_FLAGS_ASYNC_CMD))) {
4997 offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
/* length is the peer-supplied read length; the offset advance below is
 * clamped to the bytes actually present in the tvb. */
5002 proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);
5004 data_tvb_len=(guint32)tvb_length_remaining(tvb, offset);
5006 offset += MIN(length,data_tvb_len);
/* Only feed the export-object tap when the whole read payload was captured
 * (data_tvb_len == length) and the request-side state is available. */
5008 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
5009 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
5010 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,si->saved->file_offset);
/* Adds a text item covering the rest of tvb saying that the named
 * create-context buffer should not have been generated. buffer_desc is a
 * label supplied by the caller; the callers in this file pass string
 * literals such as "ExtA Response". */
5018 report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, const char *buffer_desc)
5020 proto_tree_add_text(tree, tvb, 0, tvb_length_remaining(tvb, 0),
5021 "%s SHOULD NOT be generated. Malformed packet", buffer_desc);
/* "ExtA" create context, request side: labels the parent item and dissects
 * the buffer from offset 0 as SMB2_FILE_FULL_EA_INFO. */
5024 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5026 proto_item *item = NULL;
5028 item = proto_tree_get_parent(tree);
5029 proto_item_append_text(item, ": SMB2_FILE_FULL_EA_INFO");
5031 dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
/* "ExtA" create context, response side: not expected, so the buffer is
 * reported through report_create_context_malformed_buffer. */
5035 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
5037 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
/* "SecD" create context, request side: labels the parent item and dissects
 * the buffer from offset 0 with dissect_smb2_sec_info_00. */
5041 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5043 proto_item *item = NULL;
5045 item = proto_tree_get_parent(tree);
5046 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
5048 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
/* "SecD" create context, response side: not expected, so the buffer is
 * reported through report_create_context_malformed_buffer. */
5052 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
5054 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
/* "TWrp" create context, request side: labels the parent item and adds the
 * 64-bit NT timestamp found at offset 0 as hf_smb2_twrp_timestamp. */
5058 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5060 proto_item *item = NULL;
5062 item = proto_tree_get_parent(tree);
5063 proto_item_append_text(item, ": Timestamp");
5065 dissect_nt_64bit_time(tvb, tree, 0, hf_smb2_twrp_timestamp);
/* "TWrp" create context, response side: not expected, so the buffer is
 * reported through report_create_context_malformed_buffer.
 * NOTE(review): pinfo is tagged _U_ although it is passed on. */
5069 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5071 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
/* "QFid" create context, request side: an empty buffer is the expected form
 * and is labelled ": NO DATA"; the other label marks a request that carries
 * data as malformed (the branch structure is not fully visible here). */
5075 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5077 proto_item *item = NULL;
5080 item = proto_tree_get_parent(tree);
5084 if (tvb_length(tvb) == 0) {
5085 proto_item_append_text(item, ": NO DATA");
5087 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
/* "QFid" create context, response side: adds a "QFid INFO" subtree and shows
 * 32 bytes of opaque data as hf_smb2_qfid_fid.
 * NOTE(review): sub_tree is declared proto_item * but holds the result of
 * proto_item_add_subtree; proto_tree * would state the intent. */
5093 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5096 proto_item *item = NULL;
5097 proto_item *sub_item = NULL;
5098 proto_item *sub_tree = NULL;
5101 item = proto_tree_get_parent(tree);
5105 proto_item_append_text(item, ": QFid INFO");
5106 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "QFid INFO");
5107 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_QFid_buffer);
5110 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
/* "AlSi" create context, request side: adds the 8-byte allocation size found
 * at offset 0. */
5114 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5116 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* "AlSi" create context, response side: not expected, so the buffer is
 * reported through report_create_context_malformed_buffer.
 * NOTE(review): pinfo is tagged _U_ although it is passed on. */
5120 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5122 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
/* "DHnQ" create context, request side: dissects a file id at offset 0 in
 * FID_MODE_DHNQ. */
5126 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5128 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
/* "DHnQ" create context, response side: adds the 8-byte reserved field found
 * at offset 0. */
5132 dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5134 proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* "DHnC" create context, request side: dissects a file id at offset 0 in
 * FID_MODE_DHNC. */
5138 dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5140 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
/* "DHnC" create context, response side: not expected, so the buffer is
 * reported through report_create_context_malformed_buffer. */
5144 dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
5146 report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
5150 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
5156 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
5160 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
5165 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
5168 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
/* "DH2Q" create context, request side: adds a "DH2Q Request" subtree with a
 * 4-byte timeout, a flags bitmask (persistent-handle bit broken out), an
 * 8-byte reserved field and a 16-byte create GUID.
 * NOTE(review): sub_tree is declared proto_item * but holds the result of
 * proto_item_add_subtree; proto_tree * would state the intent. */
5171 dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5173 static const int *dh2x_flags_fields[] = {
5174 &hf_smb2_dh2x_buffer_flags_persistent_handle,
5178 proto_item *item = NULL;
5179 proto_item *sub_item = NULL;
5180 proto_item *sub_tree = NULL;
5183 item = proto_tree_get_parent(tree);
5187 proto_item_append_text(item, ": DH2Q Request");
5188 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2Q Request");
5189 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2Q_buffer);
5193 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5197 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_dh2x_buffer_flags,
5198 ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
5202 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5206 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* "DH2Q" create context, response side: adds a "DH2Q Response" subtree with a
 * 4-byte timeout and a 4-byte flags field.
 * NOTE(review): the flags are added as a plain item here, whereas the request
 * side uses proto_tree_add_bitmask for the same hf; confirm that is intended. */
5210 dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5213 proto_item *item = NULL;
5214 proto_item *sub_item = NULL;
5215 proto_item *sub_tree = NULL;
5218 item = proto_tree_get_parent(tree);
5222 proto_item_append_text(item, ": DH2Q Response");
5223 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2Q Response");
5224 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2Q_buffer);
5228 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5232 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* "DH2C" create context, request side: adds a "DH2C Request" subtree with a
 * file id (FID_MODE_DHNC), a 16-byte create GUID and a 4-byte flags field. */
5236 dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5239 proto_item *item = NULL;
5240 proto_item *sub_item = NULL;
5241 proto_item *sub_tree = NULL;
5244 item = proto_tree_get_parent(tree);
5248 proto_item_append_text(item, ": DH2C Request");
5249 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2C Request");
5250 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2C_buffer);
/* NOTE(review): the return value of dissect_smb2_fid is not used on this
 * line; how offset is advanced past the file id is not visible here. */
5254 dissect_smb2_fid(tvb, pinfo, sub_tree, offset, si, FID_MODE_DHNC);
5258 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5262 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* "DH2C" create context, response side: not expected, so the buffer is
 * reported through report_create_context_malformed_buffer. */
5266 dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
5268 report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
/* "MxAc" create context, request side: an empty buffer is labelled
 * ": NO DATA"; otherwise the buffer is labelled ": Timestamp" and a 64-bit NT
 * time is added as hf_smb2_mxac_timestamp. */
5272 dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5275 proto_item *item = NULL;
5278 item = proto_tree_get_parent(tree);
5281 if (tvb_length(tvb) == 0) {
5283 proto_item_append_text(item, ": NO DATA");
5289 proto_item_append_text(item, ": Timestamp");
5292 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_mxac_timestamp);
/* "MxAc" create context, response side: an empty buffer is labelled
 * ": NO DATA"; otherwise an "MxAc INFO" subtree is added with a 4-byte status
 * followed by an access mask. */
5296 dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5299 proto_item *item = NULL;
5300 proto_item *sub_item = NULL;
5301 proto_tree *sub_tree = NULL;
5304 item = proto_tree_get_parent(tree);
5307 if (tvb_length(tvb) == 0) {
5309 proto_item_append_text(item, ": NO DATA");
5315 proto_item_append_text(item, ": MxAc INFO");
5316 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "MxAc INFO");
5317 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_MxAc_buffer);
/* NOTE(review): this is the only integer field in these create-context
 * dissectors read as ENC_BIG_ENDIAN; the others use ENC_LITTLE_ENDIAN.
 * Confirm the byte order, since a wrong one would display a bogus status. */
5320 proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_BIG_ENDIAN);
5323 dissect_smb_access_mask(tvb, sub_tree, offset);
5327 * SMB2_CREATE_REQUEST_LEASE 32
5331 * 8 - lease duration
5333 * SMB2_CREATE_REQUEST_LEASE_V2 52
5337 * 8 - lease duration
5338 * 16 - parent lease key
/* Bit values for the lease state field. */
5342 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
5343 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
5344 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
/* Bit values for the lease flags field. */
5346 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
5347 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
5348 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
/* Field lists handed to proto_tree_add_bitmask by
 * dissect_SMB2_CREATE_LEASE_VX for the lease state and lease flags. */
5350 static const int *lease_state_fields[] = {
5351 &hf_smb2_lease_state_read_caching,
5352 &hf_smb2_lease_state_handle_caching,
5353 &hf_smb2_lease_state_write_caching,
5356 static const int *lease_flags_fields[] = {
5357 &hf_smb2_lease_flags_break_ack_required,
5358 &hf_smb2_lease_flags_break_in_progress,
5359 &hf_smb2_lease_flags_parent_lease_key_set,
/* Dissects an "RqLs" lease create context, request or response. The version
 * is inferred purely from the buffer length: 32 bytes is LEASE_V1, 52 bytes
 * is LEASE_V2, and any other length is reported as malformed. Common fields
 * are the 16-byte lease key, state and flags bitmasks and the 8-byte
 * duration; the parent lease key, epoch and reserved fields follow
 * (presumably for V2 only -- the condition is not visible here). */
5364 dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
5368 proto_item *sub_item = NULL;
5369 proto_tree *sub_tree = NULL;
5370 proto_item *parent_item = NULL;
5373 parent_item = proto_tree_get_parent(parent_tree);
/* len is the captured length of the buffer and is what selects the layout. */
5376 len = tvb_length(tvb);
5379 case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
5381 proto_item_append_text(parent_item, ": LEASE_V1");
5382 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "LEASE_V1");
5383 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_RqLs_buffer);
5387 case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
5389 proto_item_append_text(parent_item, ": LEASE_V2");
5390 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "LEASE_V2");
5391 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_RqLs_buffer);
/* NOTE(review): sub_tree is still NULL on this path; confirm the function
 * returns here rather than falling through to the field items below. */
5396 report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
5400 proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5403 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_state,
5404 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5407 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_flags,
5408 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5411 proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5418 proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5421 proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5424 proto_tree_add_item(sub_tree, hf_smb2_lease_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* "RqLs" create context, request side: same layout as the response, so it
 * forwards to dissect_SMB2_CREATE_LEASE_VX.
 * NOTE(review): pinfo and si are tagged _U_ although both are passed on. */
5428 dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5430 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
/* "RqLs" create context, response side: same layout as the request, so it
 * forwards to dissect_SMB2_CREATE_LEASE_VX.
 * NOTE(review): pinfo and si are tagged _U_ although both are passed on. */
5434 dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5436 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
5440 * SMB2_CREATE_APP_INSTANCE_ID
5441 * 2 - structure size - 20
5443 * 16 - application guid
/* SMB2_CREATE_APP_INSTANCE_ID create context, request side: adds an
 * "APP INSTANCE ID" subtree with a 2-byte structure size, a 2-byte reserved
 * field and the 16-byte application GUID. The structure size is displayed
 * only; nothing visible here compares it with the buffer length. */
5447 dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5450 proto_item *item = NULL;
5451 proto_item *sub_item = NULL;
5452 proto_item *sub_tree = NULL;
5455 item = proto_tree_get_parent(tree);
5459 proto_item_append_text(item, ": APP INSTANCE ID");
5460 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "APP INSTANCE ID");
5461 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_APP_INSTANCE_buffer);
5465 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
5466 tvb, offset, 2, ENC_LITTLE_ENDIAN);
5470 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
5471 tvb, offset, 2, ENC_LITTLE_ENDIAN);
5475 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* SMB2_CREATE_APP_INSTANCE_ID create context, response side: not expected,
 * so the buffer is reported through report_create_context_malformed_buffer.
 * NOTE(review): pinfo is tagged _U_ although it is passed on. */
5479 dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5481 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
/* Signature shared by every create-context buffer dissector: it receives the
 * context's data buffer as its own tvb. */
5484 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
/* One dissector for the request direction and one for the response. */
5486 typedef struct create_context_data_dissectors {
5487 create_context_data_dissector_t request;
5488 create_context_data_dissector_t response;
5489 } create_context_data_dissectors_t;
/* Table entry tying a create-context tag to its dissector pair; the code
 * below uses the members tag, val and dissectors. */
5491 struct create_context_data_tag_dissectors {
5494 create_context_data_dissectors_t dissectors;
/* Lookup table searched by get_create_context_data_tag_dissectors. Each row
 * is the on-wire tag string, a display name, and the request/response
 * dissectors.
 * NOTE(review): the array is neither static nor const although the visible
 * code only reads it; confirm nothing else needs to modify or export it. */
5497 struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
5498 { "ExtA", "SMB2_CREATE_EA_BUFFER",
5499 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
5500 { "SecD", "SMB2_CREATE_SD_BUFFER",
5501 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
5502 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
5503 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
5504 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
5505 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
5506 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
5507 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
5508 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
5509 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
5510 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
5511 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
5512 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
5513 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
5514 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
5515 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
5516 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
5517 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
5518 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
5519 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
5520 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
5521 { dissect_smb2_APP_INSTANCE_buffer_request,
5522 dissect_smb2_APP_INSTANCE_buffer_response } }
/* Returns the create_context_dissectors_array entry whose tag equals the
 * given string, found by a linear strcmp scan. The fallback for an unknown
 * tag is presumably the static INVALID entry (val "<invalid>", no
 * dissectors); the final return is not visible here.
 * NOTE(review): tag comes from the packet via the caller and is passed to
 * strcmp unchecked. Confirm the caller can never hand in NULL (for example
 * for an empty tag buffer); strcmp on NULL is undefined behaviour. */
5525 static struct create_context_data_tag_dissectors*
5526 get_create_context_data_tag_dissectors(const char *tag)
5528 static struct create_context_data_tag_dissectors INVALID = {
5529 NULL, "<invalid>", { NULL, NULL }
5533 for (i = 0; i<array_length(create_context_dissectors_array); i++) {
5534 if (!strcmp(tag, create_context_dissectors_array[i].tag))
5535 return &create_context_dissectors_array[i];
/* Dissects one element of the create-context chain and then the rest of the
 * chain. Each element has a chain offset to the next element, a tag
 * offset/length and a data offset/length. The tag string selects a dissector
 * pair from the tag table, the direction bit in si->flags picks request or
 * response, and the data buffer is handed to that dissector. */
5541 dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
5543 offset_length_buffer_t tag_olb;
5544 offset_length_buffer_t data_olb;
5546 guint16 chain_offset;
5549 proto_item *sub_item = NULL;
5550 proto_tree *sub_tree = NULL;
5551 proto_item *parent_item = NULL;
5552 create_context_data_dissectors_t *dissectors = NULL;
5553 create_context_data_dissector_t dissector = NULL;
5554 struct create_context_data_tag_dissectors *tag_dissectors;
/* NOTE(review): the chain offset is a 4-byte field (it is added below with
 * length 4 and read here with tvb_get_letohl) but is stored in a guint16, so
 * values of 65536 and above are silently truncated. A guint32 would keep the
 * displayed value and the offset actually followed in agreement. */
5556 chain_offset = tvb_get_letohl(tvb, offset);
5562 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Chain Element");
5563 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_create_chain_element);
5564 parent_item = proto_tree_get_parent(parent_tree);
5568 proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5571 /* tag offset/length */
5572 offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);
5574 /* data offset/length */
5575 dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);
/* NOTE(review): tag is used below in strcmp (inside the lookup) and in two
 * "%s" format arguments; confirm dissect_smb2_olb_string cannot return NULL
 * for an empty or out-of-range tag buffer. */
5578 tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
5580 tag_dissectors = get_create_context_data_tag_dissectors(tag);
5582 proto_item_append_text(parent_item, " %s", tag);
5583 proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);
5586 dissectors = &tag_dissectors->dissectors;
/* Direction decides which half of the pair runs; for an unknown tag both are
 * NULL in the INVALID entry, so NULL is passed as the buffer dissector. */
5588 dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;
5590 dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);
/* NOTE(review): the chain is followed by recursion on a sub-tvb starting at
 * the peer-supplied chain_offset, one stack frame per element. The condition
 * guarding this call is not visible here; confirm the depth is bounded for a
 * buffer made of many small chain offsets. */
5593 tvbuff_t *chain_tvb;
5594 chain_tvb = tvb_new_subset_remaining(tvb, chain_offset);
5596 /* next extra info */
5597 dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
/* Dissects an SMB2 CREATE request: buffer code, oplock, impersonation level,
 * create flags, access mask, file attributes, share access, disposition,
 * create options, then the filename and the create-context ("extra info")
 * buffers. The filename is appended to the Info column and, on the first
 * pass over the capture, saved on si->saved. The extra-info buffer is
 * dissected by dissect_smb2_create_extra_info, and the returned offset is
 * moved past both buffers. */
5602 dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5604 offset_length_buffer_t f_olb, e_olb;
5608 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5610 /* security flags */
5614 offset = dissect_smb2_oplock(tree, tvb, offset);
5616 /* impersonation level */
5617 proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5621 proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5628 offset = dissect_smb_access_mask(tvb, tree, offset);
5630 /* File Attributes */
5631 offset = dissect_file_ext_attr(tvb, tree, offset);
5634 offset = dissect_nt_share_access(tvb, tree, offset);
5636 /* create disposition */
5637 proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5640 /* create options */
5641 offset = dissect_nt_create_options(tvb, tree, offset);
5643 /* filename offset/length */
5644 offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);
5646 /* extrainfo offset */
5647 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
/* NOTE(review): fname is printed with "%s" without a visible NULL check;
 * confirm dissect_smb2_olb_string always returns a string, including for a
 * zero-length filename. */
5649 /* filename string */
5650 fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
5651 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", fname);
/* State is only recorded on the first pass (frame not yet visited). Any
 * previously saved filename is freed first so the buffer is not leaked. */
5653 /* save the name if it looks sane */
5654 if (!pinfo->fd->flags.visited) {
5655 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
5656 g_free(si->saved->extra_info);
5657 si->saved->extra_info = NULL;
5658 si->saved->extra_info_type = SMB2_EI_NONE;
/* The copy is bounded: only names with 0 < f_olb.len < 256 are kept, the
 * buffer is f_olb.len+1 bytes and g_snprintf is given that same size.
 * NOTE(review): f_olb.len is presumably the on-wire byte length while fname
 * is the converted string, so the saved copy may be cut short for some
 * names -- confirm that is acceptable. */
5660 if (si->saved && f_olb.len && f_olb.len<256) {
5661 si->saved->extra_info_type = SMB2_EI_FILENAME;
5662 si->saved->extra_info = (gchar *)g_malloc(f_olb.len+1);
5663 g_snprintf((gchar *)si->saved->extra_info, f_olb.len+1, "%s", fname);
5667 /* If extrainfo_offset is non-null then this points to another
5668 * buffer. The offset is relative to the start of the smb packet
5670 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
5672 offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
5673 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
5678 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
/*
 * Dissect an SMB2 Create response.
 *
 * A non-zero si->status is handed to dissect_smb2_error_response() and that
 * call's result is returned. Otherwise the fixed response fields are added to
 * the tree, the file id is dissected with FID_MODE_OPEN, and the extra-info
 * buffer described by e_olb is passed to dissect_smb2_create_extra_info.
 *
 * Side effects visible here: si->eo_file_info (when set) receives the
 * end-of-file value and attribute mask, and a filename held in
 * si->saved->extra_info is freed and its type tag reset.
 *
 * NOTE(review): the embedded line numbers of this listing have gaps, so
 * statements between the visible lines (offset advances, the final return)
 * are not shown and are not described here.
 */
5681 dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5683 guint64 end_of_file;
5685 offset_length_buffer_t e_olb;
5686 static const int *create_rep_flags_fields[] = {
5687 &hf_smb2_create_rep_flags_reparse_point,
5691 switch (si->status) {
5692 case 0x00000000: break;
5693 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
5697 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5700 offset = dissect_smb2_oplock(tree, tvb, offset);
5703 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
5704 ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
5708 proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5712 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
5715 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
5718 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
5721 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
5723 /* allocation size */
5724 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Kept in a local as well: si->eo_file_info may still be unset at this point
 * and is checked again after dissect_smb2_fid() below. */
5728 end_of_file = tvb_get_letoh64(tvb, offset);
5729 if (si->eo_file_info) {
5730 si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
5732 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5735 /* File Attributes */
5736 attr_mask=tvb_get_letohl(tvb, offset);
5737 offset = dissect_file_ext_attr(tvb, tree, offset);
5743 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);
5745 /* We save this after dissect_smb2_fid just because it would be
5746 possible to have this response without having the matching request.
5747 In that case the entry in the file info hash table has been created
5748 in dissect_smb2_fid */
5749 if (si->eo_file_info) {
5750 si->eo_file_info->end_of_file = end_of_file;
5751 si->eo_file_info->attr_mask = attr_mask;
5754 /* extrainfo offset */
5755 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
5757 /* If extrainfo_offset is non-null then this points to another
5758 * buffer. The offset is relative to the start of the smb packet
5760 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
5762 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
5764 /* free si->saved->extra_info we dont need it any more */
5765 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
/* Pointer and type tag are cleared together with the free, so the
 * SMB2_EI_FILENAME test above cannot match this buffer a second time. */
5766 g_free(si->saved->extra_info);
5767 si->saved->extra_info = NULL;
5768 si->saved->extra_info_type = SMB2_EI_NONE;
/*
 * Dissect an SMB2 SetInfo request.
 *
 * Reads the 32-bit setinfo size and the 16-bit setinfo offset from the
 * packet, dissects the file id with FID_MODE_USE, then dissects the
 * info-level data at setinfo_offset using the class and info level stored in
 * si->saved.
 */
5776 dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5778 guint32 setinfo_size;
5779 guint16 setinfo_offset;
5782 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5784 /* class and info level */
5785 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
5788 setinfo_size = tvb_get_letohl(tvb, offset);
5789 proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5793 setinfo_offset = tvb_get_letohs(tvb, offset);
5794 proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5797 /* some unknown bytes */
5798 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
5802 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* NOTE(review): si->saved is dereferenced on the next line. The source lines
 * just above it are missing from this listing, so confirm that a NULL check
 * on si->saved guards this call. */
5806 dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);
/* Both operands come straight from the packet: setinfo_size is a guint32 with
 * no range check visible in this listing, and the result is stored in an int,
 * so a large size can produce a negative or otherwise misleading offset.
 * NOTE(review): confirm callers treat the returned offset defensively. */
5807 offset = setinfo_offset + setinfo_size;
/*
 * Dissect an SMB2 SetInfo response: class/infolevel first, then either the
 * error response (non-zero si->status) or the buffer code.
 */
5813 dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5815 /* class/infolevel */
/* The return value is not assigned here, so offset is left unchanged by this
 * call (the request path assigns it). */
5816 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
5818 switch (si->status) {
5819 case 0x00000000: break;
5820 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
5824 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/*
 * Dissect an SMB2 Break request.
 *
 * The 16-bit buffer code read from the packet selects the layout: 24 is
 * dissected as oplock fields followed by a file id (FID_MODE_USE), 36 as a
 * lease break acknowledgment (reserved, lease flags, lease key, lease state,
 * lease duration). No branch for other values is visible in this listing.
 */
5830 dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5832 guint16 buffer_code;
/* Read before dissect_smb2_buffercode() advances offset past the field. */
5835 buffer_code = tvb_get_letohs(tvb, offset);
5836 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5838 if (buffer_code == 24) {
5842 offset = dissect_smb2_oplock(tree, tvb, offset);
5851 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5856 if (buffer_code == 36) {
5857 /* Lease Break Acknowledgment */
5860 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5864 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5865 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5869 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5873 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5874 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5877 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect an SMB2 Break response or notification.
 *
 * A non-zero si->status is handed to dissect_smb2_error_response().
 * Otherwise the 16-bit buffer code read from the packet selects one of the
 * layouts below: 24 (oplock break notification with file id), 44 (lease
 * break notification) or 36 (lease break response). No branch for other
 * values is visible in this listing.
 */
5887 dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5889 guint16 buffer_code;
5891 switch (si->status) {
5892 case 0x00000000: break;
5893 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
/* Read before dissect_smb2_buffercode() advances offset past the field. */
5897 buffer_code = tvb_get_letohs(tvb, offset);
5898 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5900 if (buffer_code == 24) {
5901 /* OPLOCK Break Notification */
5904 offset = dissect_smb2_oplock(tree, tvb, offset);
5913 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5915 /* in break requests from server to client here're 24 byte zero bytes
5916 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
5922 if (buffer_code == 44) {
5925 /* Lease Break Notification */
5927 /* new lease epoch */
5928 proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5932 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5933 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5937 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* The same hf_smb2_lease_state field is added twice below; the prepended
 * "Current " / "New " text is what tells the two items apart in the tree. */
5940 /* current lease state */
5941 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5942 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5944 proto_item_prepend_text(item, "Current ");
5948 /* new lease state */
5949 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5950 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5952 proto_item_prepend_text(item, "New ");
5956 /* break reason - reserved */
5957 proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5960 /* access mask hint - reserved */
5961 proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5964 /* share mask hint - reserved */
5965 proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5971 if (buffer_code == 36) {
5972 /* Lease Break Response */
5975 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5979 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5980 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5984 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5988 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5989 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5992 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
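6001 /* Command names, one entry per opcode value 0x00-0xFF in ascending order. decode_smb2_name() indexes this table directly by opcode, so entries must not be removed or reordered. The names are placeholders until we find better names for these functions. */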
6002 static const value_string smb2_cmd_vals[] = {
6003 { 0x00, "Negotiate Protocol" },
6004 { 0x01, "Session Setup" },
6005 { 0x02, "Session Logoff" },
6006 { 0x03, "Tree Connect" },
6007 { 0x04, "Tree Disconnect" },
6016 { 0x0D, "KeepAlive" },
6019 { 0x10, "GetInfo" },
6020 { 0x11, "SetInfo" },
6022 { 0x13, "unknown-0x13" },
6023 { 0x14, "unknown-0x14" },
6024 { 0x15, "unknown-0x15" },
6025 { 0x16, "unknown-0x16" },
6026 { 0x17, "unknown-0x17" },
6027 { 0x18, "unknown-0x18" },
6028 { 0x19, "unknown-0x19" },
6029 { 0x1A, "unknown-0x1A" },
6030 { 0x1B, "unknown-0x1B" },
6031 { 0x1C, "unknown-0x1C" },
6032 { 0x1D, "unknown-0x1D" },
6033 { 0x1E, "unknown-0x1E" },
6034 { 0x1F, "unknown-0x1F" },
6035 { 0x20, "unknown-0x20" },
6036 { 0x21, "unknown-0x21" },
6037 { 0x22, "unknown-0x22" },
6038 { 0x23, "unknown-0x23" },
6039 { 0x24, "unknown-0x24" },
6040 { 0x25, "unknown-0x25" },
6041 { 0x26, "unknown-0x26" },
6042 { 0x27, "unknown-0x27" },
6043 { 0x28, "unknown-0x28" },
6044 { 0x29, "unknown-0x29" },
6045 { 0x2A, "unknown-0x2A" },
6046 { 0x2B, "unknown-0x2B" },
6047 { 0x2C, "unknown-0x2C" },
6048 { 0x2D, "unknown-0x2D" },
6049 { 0x2E, "unknown-0x2E" },
6050 { 0x2F, "unknown-0x2F" },
6051 { 0x30, "unknown-0x30" },
6052 { 0x31, "unknown-0x31" },
6053 { 0x32, "unknown-0x32" },
6054 { 0x33, "unknown-0x33" },
6055 { 0x34, "unknown-0x34" },
6056 { 0x35, "unknown-0x35" },
6057 { 0x36, "unknown-0x36" },
6058 { 0x37, "unknown-0x37" },
6059 { 0x38, "unknown-0x38" },
6060 { 0x39, "unknown-0x39" },
6061 { 0x3A, "unknown-0x3A" },
6062 { 0x3B, "unknown-0x3B" },
6063 { 0x3C, "unknown-0x3C" },
6064 { 0x3D, "unknown-0x3D" },
6065 { 0x3E, "unknown-0x3E" },
6066 { 0x3F, "unknown-0x3F" },
6067 { 0x40, "unknown-0x40" },
6068 { 0x41, "unknown-0x41" },
6069 { 0x42, "unknown-0x42" },
6070 { 0x43, "unknown-0x43" },
6071 { 0x44, "unknown-0x44" },
6072 { 0x45, "unknown-0x45" },
6073 { 0x46, "unknown-0x46" },
6074 { 0x47, "unknown-0x47" },
6075 { 0x48, "unknown-0x48" },
6076 { 0x49, "unknown-0x49" },
6077 { 0x4A, "unknown-0x4A" },
6078 { 0x4B, "unknown-0x4B" },
6079 { 0x4C, "unknown-0x4C" },
6080 { 0x4D, "unknown-0x4D" },
6081 { 0x4E, "unknown-0x4E" },
6082 { 0x4F, "unknown-0x4F" },
6083 { 0x50, "unknown-0x50" },
6084 { 0x51, "unknown-0x51" },
6085 { 0x52, "unknown-0x52" },
6086 { 0x53, "unknown-0x53" },
6087 { 0x54, "unknown-0x54" },
6088 { 0x55, "unknown-0x55" },
6089 { 0x56, "unknown-0x56" },
6090 { 0x57, "unknown-0x57" },
6091 { 0x58, "unknown-0x58" },
6092 { 0x59, "unknown-0x59" },
6093 { 0x5A, "unknown-0x5A" },
6094 { 0x5B, "unknown-0x5B" },
6095 { 0x5C, "unknown-0x5C" },
6096 { 0x5D, "unknown-0x5D" },
6097 { 0x5E, "unknown-0x5E" },
6098 { 0x5F, "unknown-0x5F" },
6099 { 0x60, "unknown-0x60" },
6100 { 0x61, "unknown-0x61" },
6101 { 0x62, "unknown-0x62" },
6102 { 0x63, "unknown-0x63" },
6103 { 0x64, "unknown-0x64" },
6104 { 0x65, "unknown-0x65" },
6105 { 0x66, "unknown-0x66" },
6106 { 0x67, "unknown-0x67" },
6107 { 0x68, "unknown-0x68" },
6108 { 0x69, "unknown-0x69" },
6109 { 0x6A, "unknown-0x6A" },
6110 { 0x6B, "unknown-0x6B" },
6111 { 0x6C, "unknown-0x6C" },
6112 { 0x6D, "unknown-0x6D" },
6113 { 0x6E, "unknown-0x6E" },
6114 { 0x6F, "unknown-0x6F" },
6115 { 0x70, "unknown-0x70" },
6116 { 0x71, "unknown-0x71" },
6117 { 0x72, "unknown-0x72" },
6118 { 0x73, "unknown-0x73" },
6119 { 0x74, "unknown-0x74" },
6120 { 0x75, "unknown-0x75" },
6121 { 0x76, "unknown-0x76" },
6122 { 0x77, "unknown-0x77" },
6123 { 0x78, "unknown-0x78" },
6124 { 0x79, "unknown-0x79" },
6125 { 0x7A, "unknown-0x7A" },
6126 { 0x7B, "unknown-0x7B" },
6127 { 0x7C, "unknown-0x7C" },
6128 { 0x7D, "unknown-0x7D" },
6129 { 0x7E, "unknown-0x7E" },
6130 { 0x7F, "unknown-0x7F" },
6131 { 0x80, "unknown-0x80" },
6132 { 0x81, "unknown-0x81" },
6133 { 0x82, "unknown-0x82" },
6134 { 0x83, "unknown-0x83" },
6135 { 0x84, "unknown-0x84" },
6136 { 0x85, "unknown-0x85" },
6137 { 0x86, "unknown-0x86" },
6138 { 0x87, "unknown-0x87" },
6139 { 0x88, "unknown-0x88" },
6140 { 0x89, "unknown-0x89" },
6141 { 0x8A, "unknown-0x8A" },
6142 { 0x8B, "unknown-0x8B" },
6143 { 0x8C, "unknown-0x8C" },
6144 { 0x8D, "unknown-0x8D" },
6145 { 0x8E, "unknown-0x8E" },
6146 { 0x8F, "unknown-0x8F" },
6147 { 0x90, "unknown-0x90" },
6148 { 0x91, "unknown-0x91" },
6149 { 0x92, "unknown-0x92" },
6150 { 0x93, "unknown-0x93" },
6151 { 0x94, "unknown-0x94" },
6152 { 0x95, "unknown-0x95" },
6153 { 0x96, "unknown-0x96" },
6154 { 0x97, "unknown-0x97" },
6155 { 0x98, "unknown-0x98" },
6156 { 0x99, "unknown-0x99" },
6157 { 0x9A, "unknown-0x9A" },
6158 { 0x9B, "unknown-0x9B" },
6159 { 0x9C, "unknown-0x9C" },
6160 { 0x9D, "unknown-0x9D" },
6161 { 0x9E, "unknown-0x9E" },
6162 { 0x9F, "unknown-0x9F" },
6163 { 0xA0, "unknown-0xA0" },
6164 { 0xA1, "unknown-0xA1" },
6165 { 0xA2, "unknown-0xA2" },
6166 { 0xA3, "unknown-0xA3" },
6167 { 0xA4, "unknown-0xA4" },
6168 { 0xA5, "unknown-0xA5" },
6169 { 0xA6, "unknown-0xA6" },
6170 { 0xA7, "unknown-0xA7" },
6171 { 0xA8, "unknown-0xA8" },
6172 { 0xA9, "unknown-0xA9" },
6173 { 0xAA, "unknown-0xAA" },
6174 { 0xAB, "unknown-0xAB" },
6175 { 0xAC, "unknown-0xAC" },
6176 { 0xAD, "unknown-0xAD" },
6177 { 0xAE, "unknown-0xAE" },
6178 { 0xAF, "unknown-0xAF" },
6179 { 0xB0, "unknown-0xB0" },
6180 { 0xB1, "unknown-0xB1" },
6181 { 0xB2, "unknown-0xB2" },
6182 { 0xB3, "unknown-0xB3" },
6183 { 0xB4, "unknown-0xB4" },
6184 { 0xB5, "unknown-0xB5" },
6185 { 0xB6, "unknown-0xB6" },
6186 { 0xB7, "unknown-0xB7" },
6187 { 0xB8, "unknown-0xB8" },
6188 { 0xB9, "unknown-0xB9" },
6189 { 0xBA, "unknown-0xBA" },
6190 { 0xBB, "unknown-0xBB" },
6191 { 0xBC, "unknown-0xBC" },
6192 { 0xBD, "unknown-0xBD" },
6193 { 0xBE, "unknown-0xBE" },
6194 { 0xBF, "unknown-0xBF" },
6195 { 0xC0, "unknown-0xC0" },
6196 { 0xC1, "unknown-0xC1" },
6197 { 0xC2, "unknown-0xC2" },
6198 { 0xC3, "unknown-0xC3" },
6199 { 0xC4, "unknown-0xC4" },
6200 { 0xC5, "unknown-0xC5" },
6201 { 0xC6, "unknown-0xC6" },
6202 { 0xC7, "unknown-0xC7" },
6203 { 0xC8, "unknown-0xC8" },
6204 { 0xC9, "unknown-0xC9" },
6205 { 0xCA, "unknown-0xCA" },
6206 { 0xCB, "unknown-0xCB" },
6207 { 0xCC, "unknown-0xCC" },
6208 { 0xCD, "unknown-0xCD" },
6209 { 0xCE, "unknown-0xCE" },
6210 { 0xCF, "unknown-0xCF" },
6211 { 0xD0, "unknown-0xD0" },
6212 { 0xD1, "unknown-0xD1" },
6213 { 0xD2, "unknown-0xD2" },
6214 { 0xD3, "unknown-0xD3" },
6215 { 0xD4, "unknown-0xD4" },
6216 { 0xD5, "unknown-0xD5" },
6217 { 0xD6, "unknown-0xD6" },
6218 { 0xD7, "unknown-0xD7" },
6219 { 0xD8, "unknown-0xD8" },
6220 { 0xD9, "unknown-0xD9" },
6221 { 0xDA, "unknown-0xDA" },
6222 { 0xDB, "unknown-0xDB" },
6223 { 0xDC, "unknown-0xDC" },
6224 { 0xDD, "unknown-0xDD" },
6225 { 0xDE, "unknown-0xDE" },
6226 { 0xDF, "unknown-0xDF" },
6227 { 0xE0, "unknown-0xE0" },
6228 { 0xE1, "unknown-0xE1" },
6229 { 0xE2, "unknown-0xE2" },
6230 { 0xE3, "unknown-0xE3" },
6231 { 0xE4, "unknown-0xE4" },
6232 { 0xE5, "unknown-0xE5" },
6233 { 0xE6, "unknown-0xE6" },
6234 { 0xE7, "unknown-0xE7" },
6235 { 0xE8, "unknown-0xE8" },
6236 { 0xE9, "unknown-0xE9" },
6237 { 0xEA, "unknown-0xEA" },
6238 { 0xEB, "unknown-0xEB" },
6239 { 0xEC, "unknown-0xEC" },
6240 { 0xED, "unknown-0xED" },
6241 { 0xEE, "unknown-0xEE" },
6242 { 0xEF, "unknown-0xEF" },
6243 { 0xF0, "unknown-0xF0" },
6244 { 0xF1, "unknown-0xF1" },
6245 { 0xF2, "unknown-0xF2" },
6246 { 0xF3, "unknown-0xF3" },
6247 { 0xF4, "unknown-0xF4" },
6248 { 0xF5, "unknown-0xF5" },
6249 { 0xF6, "unknown-0xF6" },
6250 { 0xF7, "unknown-0xF7" },
6251 { 0xF8, "unknown-0xF8" },
6252 { 0xF9, "unknown-0xF9" },
6253 { 0xFA, "unknown-0xFA" },
6254 { 0xFB, "unknown-0xFB" },
6255 { 0xFC, "unknown-0xFC" },
6256 { 0xFD, "unknown-0xFD" },
6257 { 0xFE, "unknown-0xFE" },
6258 { 0xFF, "unknown-0xFF" },
/* Extended value_string built from smb2_cmd_vals; declared without "static",
 * so it has external linkage. */
6261 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Map an SMB2 command code to its display name.
 *
 * Codes above 0xFF have no slot in smb2_cmd_vals and yield "unknown". Every
 * other code indexes the table directly, so the table has to stay dense and
 * in opcode order for the returned name to be the right one.
 */
static const char *decode_smb2_name(guint16 cmd)
{
	const guint16 last_cmd = 0xFF;

	if (cmd <= last_cmd) {
		/* The mask is redundant after the range check; it is kept so the
		 * index can never leave the table. */
		return smb2_cmd_vals[cmd & 0xFF].strptr;
	}

	return "unknown";
}
/*
 * Per-opcode dispatch table: one {request, response} handler pair for each of
 * the 256 declared slots. dissect_smb2_command() indexes it with
 * (si->opcode & 0xff) and, when the selected handler is NULL, adds the
 * remaining bytes as hf_smb2_unknown instead of calling through the pointer.
 * Entries are positional, so they must stay in opcode order.
 */
6269 static smb2_function smb2_dissector[256] = {
6270 /* 0x00 NegotiateProtocol*/
6271 {dissect_smb2_negotiate_protocol_request,
6272 dissect_smb2_negotiate_protocol_response},
6273 /* 0x01 SessionSetup*/
6274 {dissect_smb2_session_setup_request,
6275 dissect_smb2_session_setup_response},
6276 /* 0x02 SessionLogoff*/
6277 {dissect_smb2_sessionlogoff_request,
6278 dissect_smb2_sessionlogoff_response},
6279 /* 0x03 TreeConnect*/
6280 {dissect_smb2_tree_connect_request,
6281 dissect_smb2_tree_connect_response},
6282 /* 0x04 TreeDisconnect*/
6283 {dissect_smb2_tree_disconnect_request,
6284 dissect_smb2_tree_disconnect_response},
6286 {dissect_smb2_create_request,
6287 dissect_smb2_create_response},
6289 {dissect_smb2_close_request,
6290 dissect_smb2_close_response},
6292 {dissect_smb2_flush_request,
6293 dissect_smb2_flush_response},
6295 {dissect_smb2_read_request,
6296 dissect_smb2_read_response},
6298 {dissect_smb2_write_request,
6299 dissect_smb2_write_response},
6301 {dissect_smb2_lock_request,
6302 dissect_smb2_lock_response},
6304 {dissect_smb2_ioctl_request,
6305 dissect_smb2_ioctl_response},
6307 {dissect_smb2_cancel_request,
6310 {dissect_smb2_keepalive_request,
6311 dissect_smb2_keepalive_response},
6313 {dissect_smb2_find_request,
6314 dissect_smb2_find_response},
6316 {dissect_smb2_notify_request,
6317 dissect_smb2_notify_response},
6319 {dissect_smb2_getinfo_request,
6320 dissect_smb2_getinfo_response},
6322 {dissect_smb2_setinfo_request,
6323 dissect_smb2_setinfo_response},
6325 {dissect_smb2_break_request,
6326 dissect_smb2_break_response},
6327 /* 0x13 */ {NULL, NULL},
6328 /* 0x14 */ {NULL, NULL},
6329 /* 0x15 */ {NULL, NULL},
6330 /* 0x16 */ {NULL, NULL},
6331 /* 0x17 */ {NULL, NULL},
6332 /* 0x18 */ {NULL, NULL},
6333 /* 0x19 */ {NULL, NULL},
6334 /* 0x1a */ {NULL, NULL},
6335 /* 0x1b */ {NULL, NULL},
6336 /* 0x1c */ {NULL, NULL},
6337 /* 0x1d */ {NULL, NULL},
6338 /* 0x1e */ {NULL, NULL},
6339 /* 0x1f */ {NULL, NULL},
6340 /* 0x20 */ {NULL, NULL},
6341 /* 0x21 */ {NULL, NULL},
6342 /* 0x22 */ {NULL, NULL},
6343 /* 0x23 */ {NULL, NULL},
6344 /* 0x24 */ {NULL, NULL},
6345 /* 0x25 */ {NULL, NULL},
6346 /* 0x26 */ {NULL, NULL},
6347 /* 0x27 */ {NULL, NULL},
6348 /* 0x28 */ {NULL, NULL},
6349 /* 0x29 */ {NULL, NULL},
6350 /* 0x2a */ {NULL, NULL},
6351 /* 0x2b */ {NULL, NULL},
6352 /* 0x2c */ {NULL, NULL},
6353 /* 0x2d */ {NULL, NULL},
6354 /* 0x2e */ {NULL, NULL},
6355 /* 0x2f */ {NULL, NULL},
6356 /* 0x30 */ {NULL, NULL},
6357 /* 0x31 */ {NULL, NULL},
6358 /* 0x32 */ {NULL, NULL},
6359 /* 0x33 */ {NULL, NULL},
6360 /* 0x34 */ {NULL, NULL},
6361 /* 0x35 */ {NULL, NULL},
6362 /* 0x36 */ {NULL, NULL},
6363 /* 0x37 */ {NULL, NULL},
6364 /* 0x38 */ {NULL, NULL},
6365 /* 0x39 */ {NULL, NULL},
6366 /* 0x3a */ {NULL, NULL},
6367 /* 0x3b */ {NULL, NULL},
6368 /* 0x3c */ {NULL, NULL},
6369 /* 0x3d */ {NULL, NULL},
6370 /* 0x3e */ {NULL, NULL},
6371 /* 0x3f */ {NULL, NULL},
6372 /* 0x40 */ {NULL, NULL},
6373 /* 0x41 */ {NULL, NULL},
6374 /* 0x42 */ {NULL, NULL},
6375 /* 0x43 */ {NULL, NULL},
6376 /* 0x44 */ {NULL, NULL},
6377 /* 0x45 */ {NULL, NULL},
6378 /* 0x46 */ {NULL, NULL},
6379 /* 0x47 */ {NULL, NULL},
6380 /* 0x48 */ {NULL, NULL},
6381 /* 0x49 */ {NULL, NULL},
6382 /* 0x4a */ {NULL, NULL},
6383 /* 0x4b */ {NULL, NULL},
6384 /* 0x4c */ {NULL, NULL},
6385 /* 0x4d */ {NULL, NULL},
6386 /* 0x4e */ {NULL, NULL},
6387 /* 0x4f */ {NULL, NULL},
6388 /* 0x50 */ {NULL, NULL},
6389 /* 0x51 */ {NULL, NULL},
6390 /* 0x52 */ {NULL, NULL},
6391 /* 0x53 */ {NULL, NULL},
6392 /* 0x54 */ {NULL, NULL},
6393 /* 0x55 */ {NULL, NULL},
6394 /* 0x56 */ {NULL, NULL},
6395 /* 0x57 */ {NULL, NULL},
6396 /* 0x58 */ {NULL, NULL},
6397 /* 0x59 */ {NULL, NULL},
6398 /* 0x5a */ {NULL, NULL},
6399 /* 0x5b */ {NULL, NULL},
6400 /* 0x5c */ {NULL, NULL},
6401 /* 0x5d */ {NULL, NULL},
6402 /* 0x5e */ {NULL, NULL},
6403 /* 0x5f */ {NULL, NULL},
6404 /* 0x60 */ {NULL, NULL},
6405 /* 0x61 */ {NULL, NULL},
6406 /* 0x62 */ {NULL, NULL},
6407 /* 0x63 */ {NULL, NULL},
6408 /* 0x64 */ {NULL, NULL},
6409 /* 0x65 */ {NULL, NULL},
6410 /* 0x66 */ {NULL, NULL},
6411 /* 0x67 */ {NULL, NULL},
6412 /* 0x68 */ {NULL, NULL},
6413 /* 0x69 */ {NULL, NULL},
6414 /* 0x6a */ {NULL, NULL},
6415 /* 0x6b */ {NULL, NULL},
6416 /* 0x6c */ {NULL, NULL},
6417 /* 0x6d */ {NULL, NULL},
6418 /* 0x6e */ {NULL, NULL},
6419 /* 0x6f */ {NULL, NULL},
6420 /* 0x70 */ {NULL, NULL},
6421 /* 0x71 */ {NULL, NULL},
6422 /* 0x72 */ {NULL, NULL},
6423 /* 0x73 */ {NULL, NULL},
6424 /* 0x74 */ {NULL, NULL},
6425 /* 0x75 */ {NULL, NULL},
6426 /* 0x76 */ {NULL, NULL},
6427 /* 0x77 */ {NULL, NULL},
6428 /* 0x78 */ {NULL, NULL},
6429 /* 0x79 */ {NULL, NULL},
6430 /* 0x7a */ {NULL, NULL},
6431 /* 0x7b */ {NULL, NULL},
6432 /* 0x7c */ {NULL, NULL},
6433 /* 0x7d */ {NULL, NULL},
6434 /* 0x7e */ {NULL, NULL},
6435 /* 0x7f */ {NULL, NULL},
6436 /* 0x80 */ {NULL, NULL},
6437 /* 0x81 */ {NULL, NULL},
6438 /* 0x82 */ {NULL, NULL},
6439 /* 0x83 */ {NULL, NULL},
6440 /* 0x84 */ {NULL, NULL},
6441 /* 0x85 */ {NULL, NULL},
6442 /* 0x86 */ {NULL, NULL},
6443 /* 0x87 */ {NULL, NULL},
6444 /* 0x88 */ {NULL, NULL},
6445 /* 0x89 */ {NULL, NULL},
6446 /* 0x8a */ {NULL, NULL},
6447 /* 0x8b */ {NULL, NULL},
6448 /* 0x8c */ {NULL, NULL},
6449 /* 0x8d */ {NULL, NULL},
6450 /* 0x8e */ {NULL, NULL},
6451 /* 0x8f */ {NULL, NULL},
6452 /* 0x90 */ {NULL, NULL},
6453 /* 0x91 */ {NULL, NULL},
6454 /* 0x92 */ {NULL, NULL},
6455 /* 0x93 */ {NULL, NULL},
6456 /* 0x94 */ {NULL, NULL},
6457 /* 0x95 */ {NULL, NULL},
6458 /* 0x96 */ {NULL, NULL},
6459 /* 0x97 */ {NULL, NULL},
6460 /* 0x98 */ {NULL, NULL},
6461 /* 0x99 */ {NULL, NULL},
6462 /* 0x9a */ {NULL, NULL},
6463 /* 0x9b */ {NULL, NULL},
6464 /* 0x9c */ {NULL, NULL},
6465 /* 0x9d */ {NULL, NULL},
6466 /* 0x9e */ {NULL, NULL},
6467 /* 0x9f */ {NULL, NULL},
6468 /* 0xa0 */ {NULL, NULL},
6469 /* 0xa1 */ {NULL, NULL},
6470 /* 0xa2 */ {NULL, NULL},
6471 /* 0xa3 */ {NULL, NULL},
6472 /* 0xa4 */ {NULL, NULL},
6473 /* 0xa5 */ {NULL, NULL},
6474 /* 0xa6 */ {NULL, NULL},
6475 /* 0xa7 */ {NULL, NULL},
6476 /* 0xa8 */ {NULL, NULL},
6477 /* 0xa9 */ {NULL, NULL},
6478 /* 0xaa */ {NULL, NULL},
6479 /* 0xab */ {NULL, NULL},
6480 /* 0xac */ {NULL, NULL},
6481 /* 0xad */ {NULL, NULL},
6482 /* 0xae */ {NULL, NULL},
6483 /* 0xaf */ {NULL, NULL},
6484 /* 0xb0 */ {NULL, NULL},
6485 /* 0xb1 */ {NULL, NULL},
6486 /* 0xb2 */ {NULL, NULL},
6487 /* 0xb3 */ {NULL, NULL},
6488 /* 0xb4 */ {NULL, NULL},
6489 /* 0xb5 */ {NULL, NULL},
6490 /* 0xb6 */ {NULL, NULL},
6491 /* 0xb7 */ {NULL, NULL},
6492 /* 0xb8 */ {NULL, NULL},
6493 /* 0xb9 */ {NULL, NULL},
6494 /* 0xba */ {NULL, NULL},
6495 /* 0xbb */ {NULL, NULL},
6496 /* 0xbc */ {NULL, NULL},
6497 /* 0xbd */ {NULL, NULL},
6498 /* 0xbe */ {NULL, NULL},
6499 /* 0xbf */ {NULL, NULL},
6500 /* 0xc0 */ {NULL, NULL},
6501 /* 0xc1 */ {NULL, NULL},
6502 /* 0xc2 */ {NULL, NULL},
6503 /* 0xc3 */ {NULL, NULL},
6504 /* 0xc4 */ {NULL, NULL},
6505 /* 0xc5 */ {NULL, NULL},
6506 /* 0xc6 */ {NULL, NULL},
6507 /* 0xc7 */ {NULL, NULL},
6508 /* 0xc8 */ {NULL, NULL},
6509 /* 0xc9 */ {NULL, NULL},
6510 /* 0xca */ {NULL, NULL},
6511 /* 0xcb */ {NULL, NULL},
6512 /* 0xcc */ {NULL, NULL},
6513 /* 0xcd */ {NULL, NULL},
6514 /* 0xce */ {NULL, NULL},
6515 /* 0xcf */ {NULL, NULL},
6516 /* 0xd0 */ {NULL, NULL},
6517 /* 0xd1 */ {NULL, NULL},
6518 /* 0xd2 */ {NULL, NULL},
6519 /* 0xd3 */ {NULL, NULL},
6520 /* 0xd4 */ {NULL, NULL},
6521 /* 0xd5 */ {NULL, NULL},
6522 /* 0xd6 */ {NULL, NULL},
6523 /* 0xd7 */ {NULL, NULL},
6524 /* 0xd8 */ {NULL, NULL},
6525 /* 0xd9 */ {NULL, NULL},
6526 /* 0xda */ {NULL, NULL},
6527 /* 0xdb */ {NULL, NULL},
6528 /* 0xdc */ {NULL, NULL},
6529 /* 0xdd */ {NULL, NULL},
6530 /* 0xde */ {NULL, NULL},
6531 /* 0xdf */ {NULL, NULL},
6532 /* 0xe0 */ {NULL, NULL},
6533 /* 0xe1 */ {NULL, NULL},
6534 /* 0xe2 */ {NULL, NULL},
6535 /* 0xe3 */ {NULL, NULL},
6536 /* 0xe4 */ {NULL, NULL},
6537 /* 0xe5 */ {NULL, NULL},
6538 /* 0xe6 */ {NULL, NULL},
6539 /* 0xe7 */ {NULL, NULL},
6540 /* 0xe8 */ {NULL, NULL},
6541 /* 0xe9 */ {NULL, NULL},
6542 /* 0xea */ {NULL, NULL},
6543 /* 0xeb */ {NULL, NULL},
6544 /* 0xec */ {NULL, NULL},
6545 /* 0xed */ {NULL, NULL},
6546 /* 0xee */ {NULL, NULL},
6547 /* 0xef */ {NULL, NULL},
6548 /* 0xf0 */ {NULL, NULL},
6549 /* 0xf1 */ {NULL, NULL},
6550 /* 0xf2 */ {NULL, NULL},
6551 /* 0xf3 */ {NULL, NULL},
6552 /* 0xf4 */ {NULL, NULL},
6553 /* 0xf5 */ {NULL, NULL},
6554 /* 0xf6 */ {NULL, NULL},
6555 /* 0xf7 */ {NULL, NULL},
6556 /* 0xf8 */ {NULL, NULL},
6557 /* 0xf9 */ {NULL, NULL},
6558 /* 0xfa */ {NULL, NULL},
6559 /* 0xfb */ {NULL, NULL},
6560 /* 0xfc */ {NULL, NULL},
6561 /* 0xfd */ {NULL, NULL},
6562 /* 0xfe */ {NULL, NULL},
6563 /* 0xff */ {NULL, NULL},
/* Algorithm id compared against the transform header's 16-bit algorithm field
 * (sti->alg) in dissect_smb2_transform_header() before decryption is tried. */
6567 #define ENC_ALG_aes128_ccm 0x0001
/*
 * Dissect an SMB2 transform header and, when built with libgcrypt and a
 * usable session key is known, decrypt the payload that follows it.
 *
 * Values taken from the packet and stored in sti: the 16-byte nonce, the
 * 32-bit message size, the 16-bit algorithm id and the 64-bit session id.
 * *enc_tvb is set to a subset of tvb covering sti->size bytes at the current
 * offset; *plain_tvb is set only when plain_data is non-NULL.
 *
 * NOTE(review): the 16-byte signature field is only added to the tree in the
 * visible lines and no comparison against a computed tag is shown, so the
 * "Decrypted SMB3" data source is unauthenticated data and everything that
 * dissects it must treat it as untrusted input.
 */
6570 dissect_smb2_transform_header(packet_info *pinfo _U_, proto_tree *tree,
6571 tvbuff_t *tvb, int offset,
6572 smb2_transform_info_t *sti,
6573 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
6575 proto_item *sesid_item = NULL;
6576 proto_tree *sesid_tree = NULL;
6577 smb2_sesid_info_t sesid_key;
6579 guint8 *plain_data = NULL;
6580 #ifdef HAVE_LIBGCRYPT
6581 guint8 *decryption_key = NULL;
6585 static const int *sf_fields[] = {
6586 &hf_smb2_encryption_aes128_ccm,
6594 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
6598 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
6599 tvb_memcpy(tvb, sti->nonce, offset, 16);
6603 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* sti->size comes straight from the packet and is later used as the
 * tvb_memdup() length, the subset length and the offset increment. No
 * explicit upper bound is visible in this listing.
 * NOTE(review): confirm the tvb accessors reject a size larger than the
 * remaining captured data before any copy happens. */
6604 sti->size = tvb_get_letohl(tvb, offset);
6608 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
6612 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_enc_alg, ett_smb2_transform_enc_alg, sf_fields, ENC_LITTLE_ENDIAN);
6613 sti->alg = tvb_get_letohs(tvb, offset);
6617 sesid_offset = offset;
6618 sti->sesid = tvb_get_letoh64(tvb, offset);
6619 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6621 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
6625 /* now we need to first lookup the uid session */
6626 sesid_key.sesid = sti->sesid;
6627 sti->session = (smb2_sesid_info_t *)g_hash_table_lookup(sti->conv->sesids, &sesid_key);
/* auth_frame == (guint32)-1 is the value dissect_smb2_tid_sesid() gives to
 * placeholder sessions whose name fields are NULL, so the generated name
 * items are added only for sessions with another auth_frame value. */
6629 if (sti->session != NULL && sti->session->auth_frame != (guint32)-1) {
6630 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, sti->session->acct_name);
6631 PROTO_ITEM_SET_GENERATED(item);
6632 proto_item_append_text(sesid_item, " Acct:%s", sti->session->acct_name);
6634 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, sti->session->domain_name);
6635 PROTO_ITEM_SET_GENERATED(item);
6636 proto_item_append_text(sesid_item, " Domain:%s", sti->session->domain_name);
6638 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, sti->session->host_name);
6639 PROTO_ITEM_SET_GENERATED(item);
6640 proto_item_append_text(sesid_item, " Host:%s", sti->session->host_name);
6642 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, sti->session->auth_frame);
6643 PROTO_ITEM_SET_GENERATED(item);
6646 #ifdef HAVE_LIBGCRYPT
/* Decryption is attempted only for a known session and the AES-128-CCM
 * algorithm id. The key is picked by comparing the packet's destination port
 * with the session's server_port; the second assignment is presumably the
 * else branch, whose opening line is missing from this listing. */
6647 if (sti->session != NULL && sti->alg == ENC_ALG_aes128_ccm) {
6648 if (pinfo->destport == sti->session->server_port) {
6649 decryption_key = sti->session->server_decryption_key;
6651 decryption_key = sti->session->client_decryption_key;
/* An all-zero 16-byte key is treated as "no key available". */
6654 if (memcmp(decryption_key, zeros, 16) == 0) {
6655 decryption_key = NULL;
6659 if (decryption_key != NULL) {
6660 gcry_cipher_hd_t cipher_hd = NULL;
/* Initial counter block: flags byte 3, then 11 nonce bytes copied in below,
 * then a 4-byte counter ending in 1, which is the AES-CCM A_1 layout for a
 * 4-byte length field. Running AES in CTR mode from this block reproduces
 * the CCM keystream for the payload without involving the CCM tag. */
6662 3, 0, 0, 0, 0, 0, 0, 0,
6663 0, 0, 0, 0, 0, 0, 0, 1
6666 memcpy(&A_1[1], sti->nonce, 15 - 4);
/* Heap copy of sti->size bytes; ownership passes to *plain_tvb further down
 * through tvb_set_free_cb(..., g_free). */
6668 plain_data = (guint8 *)tvb_memdup(NULL, tvb, offset, sti->size);
6670 /* Open the cipher. */
6671 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
/* NOTE(review): the lines between each failed gcrypt call and its goto are
 * missing from this listing. Confirm they free plain_data and reset it to
 * NULL, because any non-NULL plain_data is published as decrypted data
 * below. */
6674 goto done_decryption;
6677 /* Set the key and initial value. */
6678 if (gcry_cipher_setkey(cipher_hd, decryption_key, 16)) {
6679 gcry_cipher_close(cipher_hd);
6682 goto done_decryption;
6684 if (gcry_cipher_setctr(cipher_hd, A_1, 16)) {
6685 gcry_cipher_close(cipher_hd);
6688 goto done_decryption;
/* In CTR mode encryption and decryption are the same keystream XOR; passing
 * NULL/0 as the input makes libgcrypt transform plain_data in place. */
6691 if (gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0)) {
6692 gcry_cipher_close(cipher_hd);
6695 goto done_decryption;
6698 /* Done with the cipher. */
6699 gcry_cipher_close(cipher_hd);
6703 *enc_tvb = tvb_new_subset(tvb, offset, sti->size, sti->size);
6705 if (plain_data != NULL) {
6706 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
6707 tvb_set_free_cb(*plain_tvb, g_free);
6708 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
6711 offset += sti->size;
/*
 * Dissect the command-specific part of one SMB2 message.
 *
 * Picks the request or response handler for si->opcode from smb2_dissector
 * according to SMB2_FLAGS_RESPONSE, runs it inside a new subtree, and sets
 * the subtree item's length to the number of bytes the handler reports as
 * consumed. With no handler registered, the rest of the tvb is added as
 * hf_smb2_unknown.
 */
6716 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
6718 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
6719 proto_item *cmd_item;
6720 proto_tree *cmd_tree;
6721 int old_offset = offset;
6723 cmd_item = proto_tree_add_text(tree, tvb, offset, -1,
6725 decode_smb2_name(si->opcode),
6726 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
6728 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb2_command);
/* The index is masked to 8 bits, matching the 256-entry table, so a larger
 * opcode cannot index out of bounds.
 * NOTE(review): decode_smb2_name() labels opcodes above 0xFF as "unknown",
 * while this lookup would still select the handler of the low byte. Confirm
 * si->opcode is range-checked before this function is reached. */
6731 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
6732 smb2_dissector[si->opcode&0xff].response:
6733 smb2_dissector[si->opcode&0xff].request;
6734 if (cmd_dissector) {
6735 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
6737 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
6738 offset = tvb_length(tvb);
/* offset is whatever the handler returned, and some handlers derive it from
 * packet fields (dissect_smb2_setinfo_request returns
 * setinfo_offset + setinfo_size).
 * NOTE(review): a value below old_offset makes this length negative; confirm
 * proto_item_set_len() handles that safely. */
6741 proto_item_set_len(cmd_item, offset-old_offset);
/*
 * Dissect the async-id or pid/tid fields and the session id of an SMB2
 * header, and attach what is already known about the session and the tree.
 *
 * si->tid (where present) and si->sesid are read from the packet; si->session
 * is looked up in si->conv->sesids and si->tree in si->session->tids. When a
 * placeholder session is created (opcode 0x03, "Tree Connect" in
 * smb2_cmd_vals) it is allocated in wmem file scope with NULL name fields and
 * auth_frame set to (guint32)-1, which the check further down uses to skip
 * the generated account/domain/host items.
 *
 * NOTE(review): the placeholder is allocated with wmem_new() and only sesid,
 * the three name pointers, auth_frame and tids are assigned in the visible
 * lines. dissect_smb2_transform_header() reads server_port and the
 * server/client decryption keys of any session it finds, so confirm those
 * fields are initialised for placeholder sessions as well.
 *
 * NOTE(review): tids is a GLib hash table owned by a wmem-allocated struct;
 * no matching destroy call is visible in this listing.
 */
6747 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
6749 proto_item *tid_item = NULL;
6750 proto_tree *tid_tree = NULL;
6751 smb2_tid_info_t tid_key;
6753 proto_item *sesid_item = NULL;
6754 proto_tree *sesid_tree = NULL;
6755 smb2_sesid_info_t sesid_key;
6760 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
6761 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6765 proto_tree_add_item(tree, hf_smb2_pid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6769 tid_offset = offset;
6770 si->tid = tvb_get_letohl(tvb, offset);
6771 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6773 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
6779 sesid_offset = offset;
6780 si->sesid = tvb_get_letoh64(tvb, offset);
6781 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6783 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
6787 /* now we need to first lookup the uid session */
6788 sesid_key.sesid = si->sesid;
6789 si->session = (smb2_sesid_info_t *)g_hash_table_lookup(si->conv->sesids, &sesid_key);
/* Any opcode other than 0x03 returns here.
 * NOTE(review): the enclosing condition is not visible in this listing;
 * presumably this runs only when the lookup above returned NULL. */
6791 if (si->opcode != 0x03) return offset;
6793 /* if we come to a session that is unknown, and the operation is
6794 * a tree connect, we create a dummy sessison, so we can hang the
6797 si->session = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
6798 si->session->sesid = si->sesid;
6799 si->session->acct_name = NULL;
6800 si->session->domain_name = NULL;
6801 si->session->host_name = NULL;
6802 si->session->auth_frame = (guint32)-1;
6803 si->session->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
6804 g_hash_table_insert(si->conv->sesids, si->session, si->session);
6809 if (si->session->auth_frame != (guint32)-1) {
6810 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, si->session->acct_name);
6811 PROTO_ITEM_SET_GENERATED(item);
6812 proto_item_append_text(sesid_item, " Acct:%s", si->session->acct_name);
6814 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, si->session->domain_name);
6815 PROTO_ITEM_SET_GENERATED(item);
6816 proto_item_append_text(sesid_item, " Domain:%s", si->session->domain_name);
6818 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, si->session->host_name);
6819 PROTO_ITEM_SET_GENERATED(item);
6820 proto_item_append_text(sesid_item, " Host:%s", si->session->host_name);
6822 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, si->session->auth_frame);
6823 PROTO_ITEM_SET_GENERATED(item);
6826 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
6827 /* see if we can find the name for this tid */
6828 tid_key.tid = si->tid;
6829 si->tree = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
6830 if (!si->tree) return offset;
6832 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
6833 PROTO_ITEM_SET_GENERATED(item);
6834 proto_item_append_text(tid_item, " %s", si->tree->name);
6836 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
6837 PROTO_ITEM_SET_GENERATED(item);
6839 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
6840 PROTO_ITEM_SET_GENERATED(item);
/*
 * Dissect one SMB2/SMB3 PDU that starts at byte 0 of tvb and add it under
 * parent_tree.
 *
 * A first byte of 0xfd selects the SMB2 Transform Header path; any other
 * value is decoded as a plain SMB2 header, after which the message is paired
 * with its request or response by message id, queued to smb2_tap and passed
 * to dissect_smb2_command().
 *
 * first_in_chain controls the Info column: when set the column is cleared
 * before this PDU's summary is written; the ";" separator is appended for
 * later PDUs.
 *
 * The function calls itself for a decrypted transform payload and for the
 * next PDU whenever chain_offset is greater than zero.
 *
 * Every header field is read from the capture and must be treated as
 * untrusted; no explicit length check on tvb is visible in this function.
 *
 * NOTE(review): this listing is missing lines (return type, braces, else
 * arms, several declarations and offset updates), so branch structure
 * described in the comments below is inferred where it is not shown.
 */
6847 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
6849 gboolean smb2_transform_header = FALSE;
6850 proto_item *msg_id_item;
6851 proto_item *item = NULL;
6852 proto_tree *tree = NULL;
6853 proto_item *header_item = NULL;
6854 proto_tree *header_tree = NULL;
6855 proto_item *flags_item = NULL;
6856 proto_tree *flags_tree = NULL;
6858 int chain_offset = 0;
6859 const char *label = smb_header_label;
6860 conversation_t *conversation;
6861 smb2_saved_info_t *ssi = NULL, ssi_key;
6863 smb2_transform_info_t *sti;
6865 guint32 open_frame,close_frame;
6866 smb2_eo_file_info_t *eo_file_info;
6867 e_ctx_hnd *policy_hnd_hashtablekey;
/* Scratch state for this PDU, taken from the packet-scope pool. */
6869 sti = wmem_new(wmem_packet_scope(), smb2_transform_info_t);
6870 si = wmem_new(wmem_packet_scope(), smb2_info_t);
6871 si->eo_file_info = NULL;
6875 si->top_tree = parent_tree;
6877 if (tvb_get_guint8(tvb, 0) == 0xfd) {
6878 smb2_transform_header = TRUE;
6879 label = smb_transform_header_label;
/*
 * Conversation state is created with file-scope lifetime and holds four
 * GLib hash tables (matched, unmatched, sesids, files); smb2_conv_destroy
 * is registered as a file-scope callback so the tables can be released.
 */
6881 /* find which conversation we are part of and get the data for that
6884 conversation = find_or_create_conversation(pinfo);
6885 si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
6887 /* no smb2_into_t structure for this conversation yet,
6890 si->conv = wmem_new(wmem_file_scope(), smb2_conv_info_t);
6891 /* qqq this leaks memory for now since we never free
6893 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
6894 smb2_saved_info_equal_matched);
6895 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
6896 smb2_saved_info_equal_unmatched);
6897 si->conv->sesids = g_hash_table_new(smb2_sesid_info_hash,
6898 smb2_sesid_info_equal);
6899 si->conv->files = g_hash_table_new(smb2_eo_files_hash,smb2_eo_files_equal);
6901 /* Bit of a hack to avoid leaking the hash tables - register a
6902 * callback to free them. Ideally wmem would implement a simple
6903 * hash table so we wouldn't have to do this. */
6904 wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
6907 conversation_add_proto_data(conversation, proto_smb2, si->conv);
6910 sti->conv = si->conv;
6912 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
6913 if (first_in_chain) {
6915 col_clear(pinfo->cinfo, COL_INFO);
6917 col_append_str(pinfo->cinfo, COL_INFO, ";");
6921 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset,
6923 tree = proto_item_add_subtree(item, ett_smb2);
6928 header_item = proto_tree_add_text(tree, tvb, offset, -1, "%s", label);
6929 header_tree = proto_item_add_subtree(header_item, ett_smb2_header);
6932 /* Decode the header */
6934 if (!smb2_transform_header) {
6936 proto_tree_add_text(header_tree, tvb, offset, 4, "Server Component: SMB2");
6939 /* we need the flags before we know how to parse the credits field */
6940 si->flags = tvb_get_letohl(tvb, offset+12);
6943 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6946 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
6947 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6951 if (si->flags & SMB2_FLAGS_RESPONSE) {
6952 si->status = tvb_get_letohl(tvb, offset);
6953 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6957 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6959 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6964 si->opcode = tvb_get_letohs(tvb, offset);
6965 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6969 if (si->flags & SMB2_FLAGS_RESPONSE) {
6970 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6972 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6978 flags_item = proto_tree_add_uint_format(header_tree, hf_smb2_flags, tvb, offset, 4, si->flags,
6979 "Flags: 0x%08x", si->flags);
6980 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_flags);
6982 proto_tree_add_boolean(flags_tree, hf_smb2_flags_response, tvb, offset, 4, si->flags);
6983 proto_tree_add_boolean(flags_tree, hf_smb2_flags_async_cmd, tvb, offset, 4, si->flags);
6984 proto_tree_add_boolean(flags_tree, hf_smb2_flags_chained, tvb, offset, 4, si->flags);
6985 proto_tree_add_boolean(flags_tree, hf_smb2_flags_signature, tvb, offset, 4, si->flags);
6986 proto_tree_add_boolean(flags_tree, hf_smb2_flags_dfs_op, tvb, offset, 4, si->flags);
6987 proto_tree_add_boolean(flags_tree, hf_smb2_flags_replay_operation, tvb, offset, 4, si->flags);
/*
 * NOTE(review): chain_offset is read little-endian but the same four bytes
 * are added to the tree as ENC_BIG_ENDIAN, so the displayed value would not
 * match the value used for chaining; the neighbouring integer fields use
 * ENC_LITTLE_ENDIAN - confirm and align.
 * The value is packet-controlled and stored in a signed int; the only check
 * visible before it is used as a sub-buffer start is chain_offset > 0.
 */
6993 chain_offset = tvb_get_letohl(tvb, offset);
6994 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_BIG_ENDIAN);
6998 si->msg_id = tvb_get_letoh64(tvb, offset);
6999 ssi_key.msg_id = si->msg_id;
7000 msg_id_item = proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7001 if (msg_id_item && (si->msg_id == -1)) {
7002 proto_item_append_text(msg_id_item, " (unsolicited response)");
7006 /* Tree ID and Session ID */
7007 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
7010 proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
7013 proto_item_set_len(header_item, offset);
7016 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
7017 decode_smb2_name(si->opcode),
7018 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
7021 pinfo->cinfo, COL_INFO, ", Error: %s",
7022 val_to_str_ext(si->status, &NT_errors_ext,
7023 "Unknown (0x%08X)"));
/*
 * Request/response tracking. While the frame has not been visited yet,
 * a request gets a fresh file-scope record in the unmatched table (an
 * older record with the same message id is removed from the table first)
 * and a response moves the record to the matched table. On later visits
 * the record is only looked up, matched table first.
 * NOTE(review): each new request allocates from the file-scope pool and
 * the removed record is only dropped from the hash table, so memory use
 * grows with the number of requests in the capture - confirm this is
 * acceptable for large or hostile captures.
 */
7027 if (!pinfo->fd->flags.visited) {
7028 /* see if we can find this msg_id in the unmatched table */
7029 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
7031 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
7032 /* This is a request */
7034 /* this is a request and we already found
7035 * an older ssi so just delete the previous
7038 g_hash_table_remove(si->conv->unmatched, ssi);
7043 /* no we couldnt find it, so just add it then
7044 * if was a request we are decoding
7046 ssi = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
7047 ssi->msg_id = ssi_key.msg_id;
7048 ssi->frame_req = pinfo->fd->num;
7049 ssi->req_time = pinfo->fd->abs_ts;
7050 ssi->extra_info_type = SMB2_EI_NONE;
7051 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
7054 /* This is a response */
7056 /* just set the response frame and move it to the matched table */
7057 ssi->frame_res = pinfo->fd->num;
7058 g_hash_table_remove(si->conv->unmatched, ssi);
7059 g_hash_table_insert(si->conv->matched, ssi, ssi);
7063 /* see if we can find this msg_id in the matched table */
7064 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
7065 /* if we couldnt find it in the matched table, it might still
7066 * be in the unmatched table
7069 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
7074 if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num)) {
7075 /* If needed, create the file entry and save the policy hnd */
7076 if (!si->eo_file_info) {
7078 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&ssi->policy_hnd);
7079 if (!eo_file_info) { /* XXX This should never happen */
/* The table key is a separate file-scope copy of the policy handle. */
7081 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
7082 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
7083 memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
7084 eo_file_info->end_of_file=0;
7085 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
7087 si->eo_file_info=eo_file_info;
/*
 * Link the two halves of the exchange with generated fields: a request
 * shows the response frame, a response shows the request frame and the
 * time elapsed since the request.
 */
7092 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
7093 if (ssi->frame_res) {
7094 proto_item *tmp_item;
7095 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
7096 PROTO_ITEM_SET_GENERATED(tmp_item);
7099 if (ssi->frame_req) {
7100 proto_item *tmp_item;
7103 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
7104 PROTO_ITEM_SET_GENERATED(tmp_item);
7105 t = pinfo->fd->abs_ts;
7106 nstime_delta(&deltat, &t, &ssi->req_time);
7107 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
7109 PROTO_ITEM_SET_GENERATED(tmp_item);
7113 /* if we dont have ssi yet we must fake it */
7117 tap_queue_packet(smb2_tap, pinfo, si);
7119 /* Decode the payload */
7120 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
/*
 * Transform header branch: the payload is shown as "Encrypted SMB3 data";
 * if a decrypted buffer was produced it is dissected recursively,
 * otherwise the raw bytes are added as a single field.
 * NOTE(review): enc_tvb starts as NULL and is used after the call to
 * dissect_smb2_transform_header() without a visible NULL check; this
 * assumes the callee always sets it, and that sti->size has been bounded
 * against the buffer there - confirm.
 */
7122 proto_item *enc_item;
7123 proto_tree *enc_tree;
7124 tvbuff_t *enc_tvb = NULL;
7125 tvbuff_t *plain_tvb = NULL;
7127 /* SMB2_TRANSFORM marker */
7128 proto_tree_add_text(header_tree, tvb, offset, 4, "Server Component: SMB2_TRANSFORM");
7131 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
7132 &enc_tvb, &plain_tvb);
7134 enc_item = proto_tree_add_text(tree, enc_tvb, 0, sti->size, "Encrypted SMB3 data");
7135 enc_tree = proto_item_add_subtree(enc_item, ett_smb2_encrypted);
7136 if (plain_tvb != NULL) {
7137 col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
7138 dissect_smb2(plain_tvb, pinfo, enc_tree, FALSE);
7140 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
7141 proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
7142 enc_tvb, 0, sti->size, ENC_NA);
/* Bytes left after the transform payload are treated as a further PDU. */
7145 if (tvb_reported_length_remaining(tvb, offset) > 0) {
7146 chain_offset = offset;
/*
 * Chained PDUs are handled by recursion on the remainder of the buffer.
 * NOTE(review): recursion depth follows the number of chained PDUs in the
 * packet and no depth limit is visible here - confirm one exists or that
 * the sub-buffer bounds make it unnecessary.
 */
7150 if (chain_offset > 0) {
7153 proto_item_set_len(item, chain_offset);
7155 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
7156 offset = dissect_smb2(next_tvb, pinfo, parent_tree, FALSE);
/*
 * Heuristic entry point: the buffer is taken to be SMB2 only when
 * tvb_length() reports at least 4 bytes and they are 0xfe or 0xfd followed
 * by 'S', 'M', 'B'; it is then passed to dissect_smb2() as the first PDU
 * in the chain. The data argument is unused.
 *
 * NOTE(review): the return statements are missing from this listing;
 * presumably the two checks reject the buffer and the function reports
 * success after dissect_smb2() - confirm against the full file.
 * Only the 4-byte signature is validated here, so everything else in the
 * header reaches dissect_smb2() unchecked.
 */
7163 dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
7166 /* must check that this really is a smb2 packet */
7167 if (tvb_length(tvb) < 4)
7170 if (((tvb_get_guint8(tvb, 0) != 0xfe) && (tvb_get_guint8(tvb, 0) != 0xfd))
7171 || (tvb_get_guint8(tvb, 1) != 'S')
7172 || (tvb_get_guint8(tvb, 2) != 'M')
7173 || (tvb_get_guint8(tvb, 3) != 'B') ) {
7177 dissect_smb2(tvb, pinfo, parent_tree, TRUE);
7183 proto_register_smb2(void)
7185 module_t *smb2_module;
7186 static hf_register_info hf[] = {
7188 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
7189 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }},
7190 { &hf_smb2_response_to,
7191 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
7192 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
7193 { &hf_smb2_response_in,
7194 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
7195 NULL, 0, "The response to this packet is in this packet", HFILL }},
7197 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
7198 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }},
7199 { &hf_smb2_header_len,
7200 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
7201 NULL, 0, "SMB2 Size of Header", HFILL }},
7202 { &hf_smb2_nt_status,
7203 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
7204 &NT_errors_ext, 0, "NT Status code", HFILL }},
7206 { "Message ID", "smb2.msg_id", FT_INT64, BASE_DEC,
7207 NULL, 0, "SMB2 Messsage ID", HFILL }},
7209 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
7210 NULL, 0, "SMB2 Tree Id", HFILL }},
7212 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
7213 NULL, 0, "SMB2 Async Id", HFILL }},
7215 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
7216 NULL, 0, "SMB2 Session Id", HFILL }},
7217 { &hf_smb2_previous_sesid,
7218 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
7219 NULL, 0, "SMB2 Previous Session Id", HFILL }},
7220 { &hf_smb2_chain_offset,
7221 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
7222 NULL, 0, "SMB2 Chain Offset", HFILL }},
7223 { &hf_smb2_end_of_file,
7224 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
7225 NULL, 0, "SMB2 End Of File/File size", HFILL }},
7227 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
7228 NULL, 0, "Number of links to this object", HFILL }},
7230 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
7231 NULL, 0, "SMB2 File Id", HFILL }},
7232 { &hf_smb2_allocation_size,
7233 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
7234 NULL, 0, "SMB2 Allocation Size for this object", HFILL }},
7235 { &hf_smb2_max_response_size,
7236 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
7237 NULL, 0, "SMB2 Maximum response size", HFILL }},
7238 { &hf_smb2_setinfo_size,
7239 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
7240 NULL, 0, "SMB2 setinfo size", HFILL }},
7241 { &hf_smb2_setinfo_offset,
7242 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
7243 NULL, 0, "SMB2 setinfo offset", HFILL }},
7244 { &hf_smb2_max_ioctl_out_size,
7245 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
7246 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
7247 { &hf_smb2_max_ioctl_in_size,
7248 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
7249 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
7250 { &hf_smb2_required_buffer_size,
7251 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
7252 NULL, 0, "SMB2 required buffer size", HFILL }},
7254 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
7255 NULL, 0, "SMB2 Process Id", HFILL }},
7257 /* SMB2 header flags */
7259 { "Flags", "smb2.flags", FT_UINT32, BASE_HEX,
7260 NULL, 0, "SMB2 flags", HFILL }},
7261 { &hf_smb2_flags_response,
7262 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
7263 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }},
7264 { &hf_smb2_flags_async_cmd,
7265 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
7266 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }},
7267 { &hf_smb2_flags_dfs_op,
7268 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
7269 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }},
7270 { &hf_smb2_flags_chained,
7271 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
7272 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }},
7273 { &hf_smb2_flags_signature,
7274 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
7275 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }},
7276 { &hf_smb2_flags_replay_operation,
7277 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
7278 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }},
7281 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
7282 NULL, 0, "Name of the Tree/Share", HFILL }},
7283 { &hf_smb2_filename,
7284 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
7285 NULL, 0, "Name of the file", HFILL }},
7286 { &hf_smb2_filename_len,
7287 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
7288 NULL, 0, "Length of the file name", HFILL }},
7290 { &hf_smb2_data_offset,
7291 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
7292 NULL, 0, "Offset to data", HFILL }},
7294 { &hf_smb2_find_info_level,
7295 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
7296 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }},
7297 { &hf_smb2_find_flags,
7298 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
7299 NULL, 0, NULL, HFILL }},
7301 { &hf_smb2_find_pattern,
7302 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
7303 NULL, 0, "Find pattern", HFILL }},
7305 { &hf_smb2_find_info_blob,
7306 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
7307 NULL, 0, "Find Info", HFILL }},
7310 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
7311 NULL, 0, "Size of EA data", HFILL }},
7314 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
7315 VALS(smb2_class_vals), 0, "Info class", HFILL }},
7317 { &hf_smb2_infolevel,
7318 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
7319 NULL, 0, NULL, HFILL }},
7321 { &hf_smb2_infolevel_file_info,
7322 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
7323 &smb2_file_info_levels_ext, 0, "File_Info Infolevel", HFILL }},
7325 { &hf_smb2_infolevel_fs_info,
7326 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
7327 &smb2_fs_info_levels_ext, 0, "Fs_Info Infolevel", HFILL }},
7329 { &hf_smb2_infolevel_sec_info,
7330 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
7331 &smb2_sec_info_levels_ext, 0, "Sec_Info Infolevel", HFILL }},
7333 { &hf_smb2_write_length,
7334 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
7335 NULL, 0, "Amount of data to write", HFILL }},
7337 { &hf_smb2_read_length,
7338 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
7339 NULL, 0, "Amount of data to read", HFILL }},
7341 { &hf_smb2_read_remaining,
7342 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
7343 NULL, 0, NULL, HFILL }},
7345 { &hf_smb2_create_flags,
7346 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
7347 NULL, 0, NULL, HFILL }},
7349 { &hf_smb2_file_offset,
7350 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
7351 NULL, 0, NULL, HFILL }},
7353 { &hf_smb2_security_blob,
7354 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
7355 NULL, 0, NULL, HFILL }},
7357 { &hf_smb2_ioctl_out_data,
7358 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
7359 NULL, 0, "Ioctl Out", HFILL }},
7361 { &hf_smb2_ioctl_in_data,
7362 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
7363 NULL, 0, "Ioctl In", HFILL }},
7365 { &hf_smb2_server_guid,
7366 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
7367 NULL, 0, NULL, HFILL }},
7369 { &hf_smb2_client_guid,
7370 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
7371 NULL, 0, NULL, HFILL }},
7373 { &hf_smb2_object_id,
7374 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
7375 NULL, 0, "ObjectID for this FID", HFILL }},
7377 { &hf_smb2_birth_volume_id,
7378 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
7379 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }},
7381 { &hf_smb2_birth_object_id,
7382 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
7383 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }},
7385 { &hf_smb2_domain_id,
7386 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
7387 NULL, 0, NULL, HFILL }},
7389 { &hf_smb2_create_timestamp,
7390 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7391 NULL, 0, "Time when this object was created", HFILL }},
7394 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
7395 NULL, 0, "SMB2 File Id", HFILL }},
7397 { &hf_smb2_write_data,
7398 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
7399 NULL, 0, "SMB2 Data to be written", HFILL }},
7401 { &hf_smb2_write_flags,
7402 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
7403 NULL, 0, NULL, HFILL }},
7405 { &hf_smb2_write_flags_write_through,
7406 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
7407 NULL, SMB2_WRITE_FLAG_WRITE_THROUGH, NULL, HFILL }},
7409 { &hf_smb2_write_count,
7410 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
7411 NULL, 0, NULL, HFILL }},
7413 { &hf_smb2_write_remaining,
7414 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
7415 NULL, 0, NULL, HFILL }},
7417 { &hf_smb2_read_data,
7418 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
7419 NULL, 0, "SMB2 Data that is read", HFILL }},
7421 { &hf_smb2_last_access_timestamp,
7422 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7423 NULL, 0, "Time when this object was last accessed", HFILL }},
7425 { &hf_smb2_last_write_timestamp,
7426 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7427 NULL, 0, "Time when this object was last written to", HFILL }},
7429 { &hf_smb2_last_change_timestamp,
7430 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7431 NULL, 0, "Time when this object was last changed", HFILL }},
7433 { &hf_smb2_file_all_info,
7434 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
7435 NULL, 0, "SMB2_FILE_ALL_INFO structure", HFILL }},
7437 { &hf_smb2_file_allocation_info,
7438 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
7439 NULL, 0, "SMB2_FILE_ALLOCATION_INFO structure", HFILL }},
7441 { &hf_smb2_file_endoffile_info,
7442 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
7443 NULL, 0, "SMB2_FILE_ENDOFFILE_INFO structure", HFILL }},
7445 { &hf_smb2_file_alternate_name_info,
7446 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
7447 NULL, 0, "SMB2_FILE_ALTERNATE_NAME_INFO structure", HFILL }},
7449 { &hf_smb2_file_stream_info,
7450 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
7451 NULL, 0, "SMB2_FILE_STREAM_INFO structure", HFILL }},
7453 { &hf_smb2_file_pipe_info,
7454 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
7455 NULL, 0, "SMB2_FILE_PIPE_INFO structure", HFILL }},
7457 { &hf_smb2_file_compression_info,
7458 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
7459 NULL, 0, "SMB2_FILE_COMPRESSION_INFO structure", HFILL }},
7461 { &hf_smb2_file_basic_info,
7462 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
7463 NULL, 0, "SMB2_FILE_BASIC_INFO structure", HFILL }},
7465 { &hf_smb2_file_standard_info,
7466 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
7467 NULL, 0, "SMB2_FILE_STANDARD_INFO structure", HFILL }},
7469 { &hf_smb2_file_internal_info,
7470 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
7471 NULL, 0, "SMB2_FILE_INTERNAL_INFO structure", HFILL }},
7473 { &hf_smb2_file_mode_info,
7474 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
7475 NULL, 0, "SMB2_FILE_MODE_INFO structure", HFILL }},
7477 { &hf_smb2_file_alignment_info,
7478 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
7479 NULL, 0, "SMB2_FILE_ALIGNMENT_INFO structure", HFILL }},
7481 { &hf_smb2_file_position_info,
7482 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
7483 NULL, 0, "SMB2_FILE_POSITION_INFO structure", HFILL }},
7485 { &hf_smb2_file_access_info,
7486 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
7487 NULL, 0, "SMB2_FILE_ACCESS_INFO structure", HFILL }},
7489 { &hf_smb2_file_ea_info,
7490 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
7491 NULL, 0, "SMB2_FILE_EA_INFO structure", HFILL }},
7493 { &hf_smb2_file_network_open_info,
7494 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
7495 NULL, 0, "SMB2_FILE_NETWORK_OPEN_INFO structure", HFILL }},
7497 { &hf_smb2_file_attribute_tag_info,
7498 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
7499 NULL, 0, "SMB2_FILE_ATTRIBUTE_TAG_INFO structure", HFILL }},
7501 { &hf_smb2_file_disposition_info,
7502 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
7503 NULL, 0, "SMB2_FILE_DISPOSITION_INFO structure", HFILL }},
7505 { &hf_smb2_file_full_ea_info,
7506 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
7507 NULL, 0, "SMB2_FILE_FULL_EA_INFO structure", HFILL }},
7509 { &hf_smb2_file_rename_info,
7510 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
7511 NULL, 0, "SMB2_FILE_RENAME_INFO structure", HFILL }},
7513 { &hf_smb2_fs_info_01,
7514 { "SMB2_FS_INFO_01", "smb2.fs_info_01", FT_NONE, BASE_NONE,
7515 NULL, 0, "SMB2_FS_INFO_01 structure", HFILL }},
7517 { &hf_smb2_fs_info_03,
7518 { "SMB2_FS_INFO_03", "smb2.fs_info_03", FT_NONE, BASE_NONE,
7519 NULL, 0, "SMB2_FS_INFO_03 structure", HFILL }},
7521 { &hf_smb2_fs_info_04,
7522 { "SMB2_FS_INFO_04", "smb2.fs_info_04", FT_NONE, BASE_NONE,
7523 NULL, 0, "SMB2_FS_INFO_04 structure", HFILL }},
7525 { &hf_smb2_fs_info_05,
7526 { "SMB2_FS_INFO_05", "smb2.fs_info_05", FT_NONE, BASE_NONE,
7527 NULL, 0, "SMB2_FS_INFO_05 structure", HFILL }},
7529 { &hf_smb2_fs_info_06,
7530 { "SMB2_FS_INFO_06", "smb2.fs_info_06", FT_NONE, BASE_NONE,
7531 NULL, 0, "SMB2_FS_INFO_06 structure", HFILL }},
7533 { &hf_smb2_fs_info_07,
7534 { "SMB2_FS_INFO_07", "smb2.fs_info_07", FT_NONE, BASE_NONE,
7535 NULL, 0, "SMB2_FS_INFO_07 structure", HFILL }},
7537 { &hf_smb2_fs_objectid_info,
7538 { "SMB2_FS_OBJECTID_INFO", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
7539 NULL, 0, "SMB2_FS_OBJECTID_INFO structure", HFILL }},
7541 { &hf_smb2_sec_info_00,
7542 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
7543 NULL, 0, "SMB2_SEC_INFO_00 structure", HFILL }},
7545 { &hf_smb2_disposition_delete_on_close,
7546 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
7547 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }},
7550 { &hf_smb2_create_disposition,
7551 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
7552 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
7554 { &hf_smb2_create_action,
7555 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
7556 VALS(oa_open_vals), 0, NULL, HFILL }},
7558 { &hf_smb2_create_rep_flags,
7559 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
7560 NULL, 0, NULL, HFILL }},
7562 { &hf_smb2_create_rep_flags_reparse_point,
7563 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
7564 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }},
7566 { &hf_smb2_extrainfo,
7567 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
7568 NULL, 0, "Create ExtraInfo", HFILL }},
7570 { &hf_smb2_create_chain_offset,
7571 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
7572 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
7574 { &hf_smb2_create_chain_data,
7575 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
7576 NULL, 0, "Chain Data", HFILL }},
7578 { &hf_smb2_FILE_OBJECTID_BUFFER,
7579 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
7580 NULL, 0, "A FILE_OBJECTID_BUFFER structure", HFILL }},
7582 { &hf_smb2_lease_key,
7583 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
7584 NULL, 0, NULL, HFILL }},
7586 { &hf_smb2_lease_state,
7587 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
7588 NULL, 0, NULL, HFILL }},
7590 { &hf_smb2_lease_state_read_caching,
7591 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
7592 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }},
7594 { &hf_smb2_lease_state_handle_caching,
7595 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
7596 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }},
7598 { &hf_smb2_lease_state_write_caching,
7599 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
7600 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }},
7602 { &hf_smb2_lease_flags,
7603 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
7604 NULL, 0, NULL, HFILL }},
7606 { &hf_smb2_lease_flags_break_ack_required,
7607 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
7608 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }},
7610 { &hf_smb2_lease_flags_break_in_progress,
7611 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
7612 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }},
7614 { &hf_smb2_lease_flags_parent_lease_key_set,
7615 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
7616 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }},
7618 { &hf_smb2_lease_duration,
7619 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
7620 NULL, 0, NULL, HFILL }},
7622 { &hf_smb2_parent_lease_key,
7623 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
7624 NULL, 0, NULL, HFILL }},
7626 { &hf_smb2_lease_epoch,
7627 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16, BASE_HEX,
7628 NULL, 0, NULL, HFILL }},
7630 { &hf_smb2_lease_reserved,
7631 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16, BASE_HEX,
7632 NULL, 0, NULL, HFILL }},
7634 { &hf_smb2_lease_break_reason,
7635 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
7636 NULL, 0, NULL, HFILL }},
7638 { &hf_smb2_lease_access_mask_hint,
7639 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
7640 NULL, 0, NULL, HFILL }},
7642 { &hf_smb2_lease_share_mask_hint,
7643 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
7644 NULL, 0, NULL, HFILL }},
7646 { &hf_smb2_next_offset,
7647 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
7648 NULL, 0, "Offset to next buffer or 0", HFILL }},
7650 { &hf_smb2_current_time,
7651 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7652 NULL, 0, "Current Time at server", HFILL }},
7654 { &hf_smb2_boot_time,
7655 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7656 NULL, 0, "Boot Time at server", HFILL }},
7658 { &hf_smb2_ea_flags,
7659 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
7660 NULL, 0, NULL, HFILL }},
7662 { &hf_smb2_ea_name_len,
7663 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
7664 NULL, 0, NULL, HFILL }},
7666 { &hf_smb2_ea_data_len,
7667 { "EA Data Length", "smb2.ea.data_len", FT_UINT8, BASE_DEC,
7668 NULL, 0, NULL, HFILL }},
7670 { &hf_smb2_delete_pending,
7671 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
7672 NULL, 0, NULL, HFILL }},
7674 { &hf_smb2_is_directory,
7675 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
7676 NULL, 0, "Is this a directory?", HFILL }},
7679 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
7680 VALS(oplock_vals), 0, "Oplock type", HFILL }},
7682 { &hf_smb2_close_flags,
7683 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
7684 NULL, 0, NULL, HFILL }},
7686 { &hf_smb2_notify_flags,
7687 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
7688 NULL, 0, NULL, HFILL }},
7690 { &hf_smb2_buffer_code,
7691 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
7692 NULL, 0, NULL, HFILL }},
7694 { &hf_smb2_buffer_code_len,
7695 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
7696 NULL, 0, "Length of fixed portion of PDU", HFILL }},
7698 { &hf_smb2_olb_length,
7699 { "Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
7700 NULL, 0, "Length of the buffer", HFILL }},
7702 { &hf_smb2_olb_offset,
7703 { "Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
7704 NULL, 0, "Offset to the buffer", HFILL }},
7706 { &hf_smb2_buffer_code_flags_dyn,
7707 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
7708 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }},
7711 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE,
7712 NULL, 0, NULL, HFILL }},
7715 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
7716 NULL, 0, NULL, HFILL }},
7718 { &hf_smb2_impersonation_level,
7719 { "Impersonation", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
7720 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
7722 { &hf_smb2_ioctl_function,
7723 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
7724 &smb2_ioctl_vals_ext, 0, "Ioctl function", HFILL }},
7726 { &hf_smb2_ioctl_function_device,
7727 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
7728 &smb2_ioctl_device_vals_ext, 0xffff0000, "Device for Ioctl", HFILL }},
7730 { &hf_smb2_ioctl_function_access,
7731 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
7732 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }},
7734 { &hf_smb2_ioctl_function_function,
7735 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
7736 NULL, 0x00003ffc, "Function for Ioctl", HFILL }},
7738 { &hf_smb2_ioctl_function_method,
7739 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
7740 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }},
7742 { &hf_smb2_ioctl_resiliency_timeout,
7743 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
7744 NULL, 0, "Resiliency timeout", HFILL }},
7746 { &hf_smb2_ioctl_resiliency_reserved,
7747 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
7748 NULL, 0, "Resiliency reserved", HFILL }},
7750 { &hf_windows_sockaddr_family,
7751 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
7752 NULL, 0, "The socket address family (on windows)", HFILL }},
7754 { &hf_windows_sockaddr_port,
7755 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
7756 NULL, 0, "The socket address port", HFILL }},
7758 { &hf_windows_sockaddr_in_addr,
7759 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
7760 NULL, 0, "The IPv4 address", HFILL }},
7762 { &hf_windows_sockaddr_in6_flowinfo,
7763 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
7764 NULL, 0, "The socket IPv6 flow info", HFILL }},
7766 { &hf_windows_sockaddr_in6_addr,
7767 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
7768 NULL, 0, "The IPv6 address", HFILL }},
7770 { &hf_windows_sockaddr_in6_scope_id,
7771 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
7772 NULL, 0, "The socket IPv6 scope id", HFILL }},
7774 { &hf_smb2_ioctl_network_interface_next_offset,
7775 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
7776 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
7778 { &hf_smb2_ioctl_network_interface_index,
7779 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
7780 NULL, 0, "The index of the interface", HFILL }},
7782 { &hf_smb2_ioctl_network_interface_rss_queue_count,
7783 { "RSS Queue Count", "smb2.ioctl.network_interfaces.rss_queue_count", FT_UINT32, BASE_DEC,
7784 NULL, 0, "The RSS queue count", HFILL }},
7786 { &hf_smb2_ioctl_network_interface_capabilities,
7787 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
7788 NULL, 0, "The RSS queue count", HFILL }},
7790 { &hf_smb2_ioctl_network_interface_capability_rss,
7791 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
7792 TFS(&tfs_smb2_ioctl_network_interface_capability_rss),
7793 NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }},
7795 { &hf_smb2_ioctl_network_interface_capability_rdma,
7796 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
7797 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma),
7798 NETWORK_INTERFACE_CAP_RDMA, "If the host supports RDMA", HFILL }},
7800 { &hf_smb2_ioctl_network_interface_link_speed,
7801 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
7802 NULL, 0, "The link speed of the interface", HFILL }},
7804 { &hf_smb2_ioctl_shadow_copy_num_volumes,
7805 { "Num Volumes", "smb2.ioctl.shadow_copy.num_volumes", FT_UINT32, BASE_DEC,
7806 NULL, 0, "Number of shadow copy volumes", HFILL }},
7808 { &hf_smb2_ioctl_shadow_copy_num_labels,
7809 { "Num Labels", "smb2.ioctl.shadow_copy.num_labels", FT_UINT32, BASE_DEC,
7810 NULL, 0, "Number of shadow copy labels", HFILL }},
7812 { &hf_smb2_ioctl_shadow_copy_label,
7813 { "Label", "smb2.ioctl.shadow_copy.label", FT_STRING, BASE_NONE,
7814 NULL, 0, "Shadow copy label", HFILL }},
7816 { &hf_smb2_compression_format,
7817 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
7818 VALS(compression_format_vals), 0, "Compression to use", HFILL }},
7820 { &hf_smb2_share_type,
7821 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
7822 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }},
7824 { &hf_smb2_credit_charge,
7825 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
7826 NULL, 0, NULL, HFILL }},
7828 { &hf_smb2_credits_requested,
7829 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
7830 NULL, 0, NULL, HFILL }},
7832 { &hf_smb2_credits_granted,
7833 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
7834 NULL, 0, NULL, HFILL }},
7836 { &hf_smb2_channel_sequence,
7837 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
7838 NULL, 0, NULL, HFILL }},
7840 { &hf_smb2_dialect_count,
7841 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
7842 NULL, 0, NULL, HFILL }},
7845 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
7846 NULL, 0, NULL, HFILL }},
7848 { &hf_smb2_security_mode,
7849 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
7850 NULL, 0, NULL, HFILL }},
7852 { &hf_smb2_session_flags,
7853 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
7854 NULL, 0, NULL, HFILL }},
7856 { &hf_smb2_lock_count,
7857 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
7858 NULL, 0, NULL, HFILL }},
7860 { &hf_smb2_capabilities,
7861 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
7862 NULL, 0, NULL, HFILL }},
7864 { &hf_smb2_ioctl_shadow_copy_count,
7865 { "Count", "smb2.ioctl.shadow_copy.count", FT_UINT32, BASE_DEC,
7866 NULL, 0, "Number of bytes for shadow copy label strings", HFILL }},
7868 { &hf_smb2_auth_frame,
7869 { "Authenticated in Frame", "smb2.auth_frame", FT_UINT32, BASE_DEC,
7870 NULL, 0, "Which frame this user was authenticated in", HFILL }},
7872 { &hf_smb2_tcon_frame,
7873 { "Connected in Frame", "smb2.tcon_frame", FT_UINT32, BASE_DEC,
7874 NULL, 0, "Which frame this share was connected in", HFILL }},
7877 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
7878 NULL, 0, "Tag of chain entry", HFILL }},
7880 { &hf_smb2_acct_name,
7881 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
7882 NULL, 0, "Account Name", HFILL }},
7884 { &hf_smb2_domain_name,
7885 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
7886 NULL, 0, "Domain Name", HFILL }},
7888 { &hf_smb2_host_name,
7889 { "Host", "smb2.host", FT_STRING, BASE_NONE,
7890 NULL, 0, "Host Name", HFILL }},
7892 { &hf_smb2_signature,
7893 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
7894 NULL, 0, NULL, HFILL }},
7897 { "unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
7898 NULL, 0, "Unknown bytes", HFILL }},
7900 { &hf_smb2_twrp_timestamp,
7901 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7902 NULL, 0, "TWrp timestamp", HFILL }},
7904 { &hf_smb2_mxac_timestamp,
7905 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7906 NULL, 0, "MxAc timestamp", HFILL }},
7908 { &hf_smb2_mxac_status,
7909 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
7910 &NT_errors_ext, 0, "NT Status code", HFILL }},
7912 { &hf_smb2_qfid_fid,
7913 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
7914 NULL, 0, NULL, HFILL }},
7916 { &hf_smb2_ses_flags_guest,
7917 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
7918 NULL, SES_FLAGS_GUEST, NULL, HFILL }},
7920 { &hf_smb2_ses_flags_null,
7921 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
7922 NULL, SES_FLAGS_NULL, NULL, HFILL }},
7924 { &hf_smb2_secmode_flags_sign_required,
7925 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
7926 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }},
7928 { &hf_smb2_secmode_flags_sign_enabled,
7929 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
7930 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }},
7932 { &hf_smb2_ses_req_flags,
7933 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
7934 NULL, 0, NULL, HFILL }},
7936 { &hf_smb2_ses_req_flags_session_binding,
7937 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
7938 NULL, SES_REQ_FLAGS_SESSION_BINDING,
7939 "The client wants to bind to an existing session", HFILL }},
7942 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
7943 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }},
7945 { &hf_smb2_cap_leasing,
7946 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
7947 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING,
7948 "If the host supports leasing", HFILL }},
7950 { &hf_smb2_cap_large_mtu,
7951 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
7952 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU,
7953 "If the host supports LARGE MTU", HFILL }},
7955 { &hf_smb2_cap_multi_channel,
7956 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
7957 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL,
7958 "If the host supports MULTI CHANNEL", HFILL }},
7960 { &hf_smb2_cap_persistent_handles,
7961 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
7962 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES,
7963 "If the host supports PERSISTENT HANDLES", HFILL }},
7965 { &hf_smb2_cap_directory_leasing,
7966 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
7967 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING,
7968 "If the host supports DIRECTORY LEASING", HFILL }},
7970 { &hf_smb2_cap_encryption,
7971 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
7972 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION,
7973 "If the host supports ENCRYPTION", HFILL }},
7975 { &hf_smb2_max_trans_size,
7976 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
7977 NULL, 0, "Maximum size of a transaction", HFILL }},
7979 { &hf_smb2_max_read_size,
7980 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
7981 NULL, 0, "Maximum size of a read", HFILL }},
7983 { &hf_smb2_max_write_size,
7984 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
7985 NULL, 0, "Maximum size of a write", HFILL }},
7988 { "Channel", "smb2.channel", FT_UINT32, BASE_HEX,
7989 VALS(smb2_channel_vals), 0, NULL, HFILL }},
7991 { &hf_smb2_rdma_v1_offset,
7992 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64, BASE_DEC,
7993 NULL, 0, NULL, HFILL }},
7995 { &hf_smb2_rdma_v1_token,
7996 { "Token", "smb2.buffer_descriptor.token", FT_UINT32, BASE_HEX,
7997 NULL, 0, NULL, HFILL }},
7999 { &hf_smb2_rdma_v1_length,
8000 { "Length", "smb2.buffer_descriptor.length", FT_UINT32, BASE_DEC,
8001 NULL, 0, NULL, HFILL }},
8003 { &hf_smb2_share_flags,
8004 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
8005 NULL, 0, NULL, HFILL }},
8007 { &hf_smb2_share_flags_dfs,
8008 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
8009 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
8011 { &hf_smb2_share_flags_dfs_root,
8012 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
8013 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
8015 { &hf_smb2_share_flags_restrict_exclusive_opens,
8016 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
8017 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }},
8019 { &hf_smb2_share_flags_force_shared_delete,
8020 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
8021 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }},
8023 { &hf_smb2_share_flags_allow_namespace_caching,
8024 { "Allow namepsace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
8025 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }},
8027 { &hf_smb2_share_flags_access_based_dir_enum,
8028 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
8029 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }},
8031 { &hf_smb2_share_flags_force_levelii_oplock,
8032 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
8033 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }},
8035 { &hf_smb2_share_flags_enable_hash_v1,
8036 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
8037 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
8039 { &hf_smb2_share_flags_enable_hash_v2,
8040 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
8041 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
8043 { &hf_smb2_share_flags_encrypt_data,
8044 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
8045 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }},
8047 { &hf_smb2_share_caching,
8048 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
8049 VALS(share_cache_vals), 0, NULL, HFILL }},
8051 { &hf_smb2_share_caps,
8052 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
8053 NULL, 0, NULL, HFILL }},
8055 { &hf_smb2_share_caps_dfs,
8056 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
8057 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }},
8059 { &hf_smb2_share_caps_continuous_availability,
8060 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
8061 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY,
8062 "The specified share is continuously available", HFILL }},
8064 { &hf_smb2_share_caps_scaleout,
8065 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
8066 NULL, SHARE_CAPS_SCALEOUT,
8067 "The specified share is a scaleout share", HFILL }},
8069 { &hf_smb2_share_caps_cluster,
8070 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
8071 NULL, SHARE_CAPS_CLUSTER,
8072 "The specified share is a cluster share", HFILL }},
8074 { &hf_smb2_ioctl_flags,
8075 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
8076 NULL, 0, NULL, HFILL }},
8078 { &hf_smb2_min_count,
8079 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
8080 NULL, 0, NULL, HFILL }},
8082 { &hf_smb2_remaining_bytes,
8083 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
8085 { &hf_smb2_channel_info_offset,
8086 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
8087 NULL, 0, NULL, HFILL }},
8089 { &hf_smb2_channel_info_length,
8090 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
8091 NULL, 0, NULL, HFILL }},
8093 { &hf_smb2_channel_info_blob,
8094 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE, BASE_NONE,
8095 NULL, 0, NULL, HFILL }},
8097 { &hf_smb2_ioctl_is_fsctl,
8098 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
8099 NULL, 0x00000001, NULL, HFILL }},
8101 { &hf_smb2_output_buffer_len,
8102 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT16, BASE_DEC,
8103 NULL, 0, NULL, HFILL }},
8105 { &hf_smb2_close_pq_attrib,
8106 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
8107 NULL, 0x0001, NULL, HFILL }},
8109 { &hf_smb2_notify_watch_tree,
8110 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
8111 NULL, 0x0001, NULL, HFILL }},
8113 { &hf_smb2_notify_out_data,
8114 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
8115 NULL, 0, NULL, HFILL }},
8117 { &hf_smb2_find_flags_restart_scans,
8118 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
8119 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }},
8121 { &hf_smb2_find_flags_single_entry,
8122 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
8123 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }},
8125 { &hf_smb2_find_flags_index_specified,
8126 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
8127 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }},
8129 { &hf_smb2_find_flags_reopen,
8130 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
8131 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }},
8133 { &hf_smb2_file_index,
8134 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
8135 NULL, 0, NULL, HFILL }},
8137 { &hf_smb2_file_directory_info,
8138 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
8139 NULL, 0, NULL, HFILL }},
8141 { &hf_smb2_full_directory_info,
8142 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
8143 NULL, 0, NULL, HFILL }},
8145 { &hf_smb2_both_directory_info,
8146 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
8147 NULL, 0, NULL, HFILL }},
8149 { &hf_smb2_id_both_directory_info,
8150 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
8151 NULL, 0, NULL, HFILL }},
8153 { &hf_smb2_short_name_len,
8154 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
8155 NULL, 0, NULL, HFILL }},
8157 { &hf_smb2_short_name,
8158 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
8159 NULL, 0, NULL, HFILL }},
8161 { &hf_smb2_lock_info,
8162 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
8163 NULL, 0, NULL, HFILL }},
8165 { &hf_smb2_lock_length,
8166 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
8167 NULL, 0, NULL, HFILL }},
8169 { &hf_smb2_lock_flags,
8170 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
8171 NULL, 0, NULL, HFILL }},
8173 { &hf_smb2_lock_flags_shared,
8174 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
8175 NULL, 0x00000001, NULL, HFILL }},
8177 { &hf_smb2_lock_flags_exclusive,
8178 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
8179 NULL, 0x00000002, NULL, HFILL }},
8181 { &hf_smb2_lock_flags_unlock,
8182 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
8183 NULL, 0x00000004, NULL, HFILL }},
8185 { &hf_smb2_lock_flags_fail_immediately,
8186 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
8187 NULL, 0x00000010, NULL, HFILL }},
8189 { &hf_smb2_error_reserved,
8190 { "Reserved", "smb2.error.reserved", FT_UINT16, BASE_HEX,
8191 NULL, 0, NULL, HFILL }},
8193 { &hf_smb2_error_byte_count,
8194 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
8195 NULL, 0, NULL, HFILL }},
8197 { &hf_smb2_error_data,
8198 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
8199 NULL, 0, NULL, HFILL }},
8201 { &hf_smb2_reserved,
8202 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
8203 NULL, 0, "Reserved bytes", HFILL }},
8205 { &hf_smb2_dhnq_buffer_reserved,
8206 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
8207 NULL, 0, NULL, HFILL}},
8209 { &hf_smb2_dh2x_buffer_timeout,
8210 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
8211 NULL, 0, NULL, HFILL}},
8213 { &hf_smb2_dh2x_buffer_flags,
8214 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
8215 NULL, 0, NULL, HFILL}},
8217 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
8218 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
8219 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL}},
8221 { &hf_smb2_dh2x_buffer_reserved,
8222 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
8223 NULL, 0, NULL, HFILL}},
8225 { &hf_smb2_dh2x_buffer_create_guid,
8226 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
8227 NULL, 0, NULL, HFILL}},
8229 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
8230 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
8231 NULL, 0, NULL, HFILL}},
8233 { &hf_smb2_APP_INSTANCE_buffer_reserved,
8234 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
8235 NULL, 0, NULL, HFILL}},
8237 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
8238 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
8239 NULL, 0, NULL, HFILL}},
8241 { &hf_smb2_transform_signature,
8242 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
8243 NULL, 0, NULL, HFILL }},
8245 { &hf_smb2_transform_nonce,
8246 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
8247 NULL, 0, NULL, HFILL }},
8249 { &hf_smb2_transform_msg_size,
8250 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
8251 NULL, 0, NULL, HFILL }},
8253 { &hf_smb2_transform_reserved,
8254 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
8255 NULL, 0, NULL, HFILL }},
8257 { &hf_smb2_transform_enc_alg,
8258 { "Encryption ALG", "smb2.header.transform.encryption_alg", FT_UINT16, BASE_HEX,
8259 NULL, 0, NULL, HFILL }},
8261 { &hf_smb2_encryption_aes128_ccm,
8262 { "SMB2_ENCRYPTION_AES128_CCM", "smb2.header.transform.enc_aes128_ccm", FT_BOOLEAN, 16,
8263 NULL, ENC_ALG_aes128_ccm, NULL, HFILL }},
8265 { &hf_smb2_transform_encrypted_data,
8266 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
8267 NULL, 0, NULL, HFILL }},
8271 static gint *ett[] = {
8276 &ett_smb2_encrypted,
8279 &ett_smb2_file_basic_info,
8280 &ett_smb2_file_standard_info,
8281 &ett_smb2_file_internal_info,
8282 &ett_smb2_file_ea_info,
8283 &ett_smb2_file_access_info,
8284 &ett_smb2_file_rename_info,
8285 &ett_smb2_file_disposition_info,
8286 &ett_smb2_file_position_info,
8287 &ett_smb2_file_full_ea_info,
8288 &ett_smb2_file_mode_info,
8289 &ett_smb2_file_alignment_info,
8290 &ett_smb2_file_all_info,
8291 &ett_smb2_file_allocation_info,
8292 &ett_smb2_file_endoffile_info,
8293 &ett_smb2_file_alternate_name_info,
8294 &ett_smb2_file_stream_info,
8295 &ett_smb2_file_pipe_info,
8296 &ett_smb2_file_compression_info,
8297 &ett_smb2_file_network_open_info,
8298 &ett_smb2_file_attribute_tag_info,
8299 &ett_smb2_fs_info_01,
8300 &ett_smb2_fs_info_03,
8301 &ett_smb2_fs_info_04,
8302 &ett_smb2_fs_info_05,
8303 &ett_smb2_fs_info_06,
8304 &ett_smb2_fs_info_07,
8305 &ett_smb2_fs_objectid_info,
8306 &ett_smb2_sec_info_00,
8308 &ett_smb2_sesid_tree,
8309 &ett_smb2_create_chain_element,
8310 &ett_smb2_MxAc_buffer,
8311 &ett_smb2_QFid_buffer,
8312 &ett_smb2_RqLs_buffer,
8313 &ett_smb2_ioctl_function,
8314 &ett_smb2_FILE_OBJECTID_BUFFER,
8317 &ett_smb2_capabilities,
8318 &ett_smb2_ses_req_flags,
8319 &ett_smb2_ses_flags,
8320 &ett_smb2_create_rep_flags,
8321 &ett_smb2_lease_state,
8322 &ett_smb2_lease_flags,
8323 &ett_smb2_share_flags,
8324 &ett_smb2_share_caps,
8325 &ett_smb2_ioctl_flags,
8326 &ett_smb2_ioctl_network_interface,
8327 &ett_windows_sockaddr,
8328 &ett_smb2_close_flags,
8329 &ett_smb2_notify_flags,
8331 &ett_smb2_write_flags,
8332 &ett_smb2_find_flags,
8333 &ett_smb2_file_directory_info,
8334 &ett_smb2_both_directory_info,
8335 &ett_smb2_id_both_directory_info,
8336 &ett_smb2_full_directory_info,
8337 &ett_smb2_file_name_info,
8338 &ett_smb2_lock_info,
8339 &ett_smb2_lock_flags,
8340 &ett_smb2_DH2Q_buffer,
8341 &ett_smb2_DH2C_buffer,
8342 &ett_smb2_dh2x_flags,
8343 &ett_smb2_APP_INSTANCE_buffer,
8344 &ett_smb2_transform_enc_alg,
8345 &ett_smb2_buffercode,
8348 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
8350 proto_register_subtree_array(ett, array_length(ett));
8351 proto_register_field_array(proto_smb2, hf, array_length(hf));
8353 smb2_module = prefs_register_protocol(proto_smb2, NULL);
8354 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
8355 "Use the full file name as File ID when exporting an SMB2 object",
8356 "Whether the export object functionality will take the full path file name as file identifier",
8357 &eosmb2_take_name_as_fid);
8359 register_heur_dissector_list("smb2_heur_subdissectors", &smb2_heur_subdissector_list);
8360 smb2_tap = register_tap("smb2");
8361 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
/*
 * Handoff routine for the SMB2 dissector.
 *
 * Looks up the "gssapi" and "ntlmssp" dissectors by name and keeps their
 * handles in gssapi_handle and ntlmssp_handle, then adds dissect_smb2_heur
 * to the "netbios" heuristic dissector list on behalf of proto_smb2.
 *
 * Takes no arguments; the prototype at the top of the file declares the
 * return type as void. The return-type line and the braces of this
 * definition are not shown in this listing.
 */
8366 proto_reg_handoff_smb2(void)
/* NOTE(review): find_dissector() returns NULL when no dissector is registered
 * under the given name. The code that uses these two handles is outside this
 * view -- confirm it tolerates a NULL handle. */
8368 gssapi_handle = find_dissector("gssapi");
8369 ntlmssp_handle = find_dissector("ntlmssp");
/* NOTE(review): as a heuristic dissector, dissect_smb2_heur will presumably be
 * offered NetBIOS payloads that are not SMB2 at all, taken straight from
 * capture data. Its body is outside this view -- confirm it checks the
 * available length and the protocol marker before reading any further. */
8370 heur_dissector_add("netbios", dissect_smb2_heur, proto_smb2);
8374 * Editor modelines - http://www.wireshark.org/tools/modelines.html
8379 * indent-tabs-mode: t
8382 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
8383 * :indentSize=8:tabSize=8:noTabs=false: