2 * Routines for smb2 packet dissection
5 * For documentation of this protocol, see:
7 * http://wiki.wireshark.org/SMB2
8 * http://msdn.microsoft.com/en-us/library/cc246482(PROT.10).aspx
10 * If you edit this file, keep the wiki updated as well.
14 * Wireshark - Network traffic analyzer
15 * By Gerald Combs <gerald@wireshark.org>
16 * Copyright 1998 Gerald Combs
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include <epan/packet.h>
36 #include <epan/conversation.h>
38 #include <epan/emem.h>
40 #include "packet-smb2.h"
41 #include "packet-dcerpc.h"
42 #include "packet-ntlmssp.h"
43 #include "packet-windows-common.h"
44 #include "packet-smb-common.h"
45 #include "packet-smb.h"
46 #include "packet-dcerpc-nt.h"
50 /* Use libgcrypt for cipher libraries. */
53 #endif /* HAVE_LIBGCRYPT */
55 static char smb_header_label[] = "SMB2 Header";
56 static char smb_transform_header_label[] = "SMB2 Transform Header";
58 static int proto_smb2 = -1;
59 static int hf_smb2_cmd = -1;
60 static int hf_smb2_nt_status = -1;
61 static int hf_smb2_response_to = -1;
62 static int hf_smb2_response_in = -1;
63 static int hf_smb2_time = -1;
64 static int hf_smb2_header_len = -1;
65 static int hf_smb2_seqnum = -1;
66 static int hf_smb2_pid = -1;
67 static int hf_smb2_tid = -1;
68 static int hf_smb2_aid = -1;
69 static int hf_smb2_sesid = -1;
70 static int hf_smb2_previous_sesid = -1;
71 static int hf_smb2_flags_response = -1;
72 static int hf_smb2_flags_async_cmd = -1;
73 static int hf_smb2_flags_dfs_op = -1;
74 static int hf_smb2_flags_chained = -1;
75 static int hf_smb2_flags_signature = -1;
76 static int hf_smb2_flags_replay_operation = -1;
77 static int hf_smb2_chain_offset = -1;
78 static int hf_smb2_security_blob = -1;
79 static int hf_smb2_ioctl_in_data = -1;
80 static int hf_smb2_ioctl_out_data = -1;
81 static int hf_smb2_unknown = -1;
82 static int hf_smb2_twrp_timestamp = -1;
83 static int hf_smb2_mxac_timestamp = -1;
84 static int hf_smb2_mxac_status = -1;
85 static int hf_smb2_qfid_fid = -1;
86 static int hf_smb2_create_timestamp = -1;
87 static int hf_smb2_oplock = -1;
88 static int hf_smb2_close_flags = -1;
89 static int hf_smb2_notify_flags = -1;
90 static int hf_smb2_last_access_timestamp = -1;
91 static int hf_smb2_last_write_timestamp = -1;
92 static int hf_smb2_last_change_timestamp = -1;
93 static int hf_smb2_current_time = -1;
94 static int hf_smb2_boot_time = -1;
95 static int hf_smb2_filename = -1;
96 static int hf_smb2_filename_len = -1;
97 static int hf_smb2_nlinks = -1;
98 static int hf_smb2_delete_pending = -1;
99 static int hf_smb2_is_directory = -1;
100 static int hf_smb2_file_id = -1;
101 static int hf_smb2_allocation_size = -1;
102 static int hf_smb2_end_of_file = -1;
103 static int hf_smb2_tree = -1;
104 static int hf_smb2_find_pattern = -1;
105 static int hf_smb2_find_info_level = -1;
106 static int hf_smb2_find_info_blob = -1;
107 static int hf_smb2_client_guid = -1;
108 static int hf_smb2_server_guid = -1;
109 static int hf_smb2_object_id = -1;
110 static int hf_smb2_birth_volume_id = -1;
111 static int hf_smb2_birth_object_id = -1;
112 static int hf_smb2_domain_id = -1;
113 static int hf_smb2_class = -1;
114 static int hf_smb2_infolevel = -1;
115 static int hf_smb2_infolevel_file_info = -1;
116 static int hf_smb2_infolevel_fs_info = -1;
117 static int hf_smb2_infolevel_sec_info = -1;
118 static int hf_smb2_max_response_size = -1;
119 static int hf_smb2_max_ioctl_in_size = -1;
120 static int hf_smb2_max_ioctl_out_size = -1;
121 static int hf_smb2_required_buffer_size = -1;
122 static int hf_smb2_setinfo_size = -1;
123 static int hf_smb2_setinfo_offset = -1;
124 static int hf_smb2_file_basic_info = -1;
125 static int hf_smb2_file_standard_info = -1;
126 static int hf_smb2_file_internal_info = -1;
127 static int hf_smb2_file_ea_info = -1;
128 static int hf_smb2_file_access_info = -1;
129 static int hf_smb2_file_rename_info = -1;
130 static int hf_smb2_file_disposition_info = -1;
131 static int hf_smb2_file_position_info = -1;
132 static int hf_smb2_file_info_0f = -1;
133 static int hf_smb2_file_mode_info = -1;
134 static int hf_smb2_file_alignment_info = -1;
135 static int hf_smb2_file_all_info = -1;
136 static int hf_smb2_file_allocation_info = -1;
137 static int hf_smb2_file_endoffile_info = -1;
138 static int hf_smb2_file_alternate_name_info = -1;
139 static int hf_smb2_file_stream_info = -1;
140 static int hf_smb2_file_pipe_info = -1;
141 static int hf_smb2_file_compression_info = -1;
142 static int hf_smb2_file_network_open_info = -1;
143 static int hf_smb2_file_attribute_tag_info = -1;
144 static int hf_smb2_fs_info_01 = -1;
145 static int hf_smb2_fs_info_03 = -1;
146 static int hf_smb2_fs_info_04 = -1;
147 static int hf_smb2_fs_info_05 = -1;
148 static int hf_smb2_fs_info_06 = -1;
149 static int hf_smb2_fs_info_07 = -1;
150 static int hf_smb2_fs_objectid_info = -1;
151 static int hf_smb2_sec_info_00 = -1;
152 static int hf_smb2_fid = -1;
153 static int hf_smb2_write_length = -1;
154 static int hf_smb2_write_data = -1;
155 static int hf_smb2_write_flags = -1;
156 static int hf_smb2_write_flags_write_through = -1;
157 static int hf_smb2_write_count = -1;
158 static int hf_smb2_write_remaining = -1;
159 static int hf_smb2_read_length = -1;
160 static int hf_smb2_read_remaining = -1;
161 static int hf_smb2_file_offset = -1;
162 static int hf_smb2_read_data = -1;
163 static int hf_smb2_disposition_delete_on_close = -1;
164 static int hf_smb2_create_disposition = -1;
165 static int hf_smb2_create_chain_offset = -1;
166 static int hf_smb2_create_chain_data = -1;
167 static int hf_smb2_data_offset = -1;
168 static int hf_smb2_extrainfo = -1;
169 static int hf_smb2_create_action = -1;
170 static int hf_smb2_create_rep_flags = -1;
171 static int hf_smb2_create_rep_flags_reparse_point = -1;
172 static int hf_smb2_next_offset = -1;
173 static int hf_smb2_ea_size = -1;
174 static int hf_smb2_ea_flags = -1;
175 static int hf_smb2_ea_name_len = -1;
176 static int hf_smb2_ea_data_len = -1;
177 static int hf_smb2_ea_name = -1;
178 static int hf_smb2_ea_data = -1;
179 static int hf_smb2_buffer_code_len = -1;
180 static int hf_smb2_buffer_code_flags_dyn = -1;
181 static int hf_smb2_olb_offset = -1;
182 static int hf_smb2_olb_length = -1;
183 static int hf_smb2_tag = -1;
184 static int hf_smb2_impersonation_level = -1;
185 static int hf_smb2_ioctl_function = -1;
186 static int hf_smb2_ioctl_function_device = -1;
187 static int hf_smb2_ioctl_function_access = -1;
188 static int hf_smb2_ioctl_function_function = -1;
189 static int hf_smb2_ioctl_function_method = -1;
190 static int hf_smb2_ioctl_resiliency_timeout = -1;
191 static int hf_smb2_ioctl_resiliency_reserved = -1;
192 static int hf_windows_sockaddr_family = -1;
193 static int hf_windows_sockaddr_port = -1;
194 static int hf_windows_sockaddr_in_addr = -1;
195 static int hf_windows_sockaddr_in6_flowinfo = -1;
196 static int hf_windows_sockaddr_in6_addr = -1;
197 static int hf_windows_sockaddr_in6_scope_id = -1;
198 static int hf_smb2_ioctl_network_interface_next_offset = -1;
199 static int hf_smb2_ioctl_network_interface_index = -1;
200 static int hf_smb2_ioctl_network_interface_rss_queue_count = -1;
201 static int hf_smb2_ioctl_network_interface_capabilities = -1;
202 static int hf_smb2_ioctl_network_interface_capability_rss = -1;
203 static int hf_smb2_ioctl_network_interface_capability_rdma = -1;
204 static int hf_smb2_ioctl_network_interface_link_speed = -1;
205 static int hf_smb2_ioctl_shadow_copy_num_volumes = -1;
206 static int hf_smb2_ioctl_shadow_copy_num_labels = -1;
207 static int hf_smb2_ioctl_shadow_copy_count = -1;
208 static int hf_smb2_ioctl_shadow_copy_label = -1;
209 static int hf_smb2_compression_format = -1;
210 static int hf_smb2_FILE_OBJECTID_BUFFER = -1;
211 static int hf_smb2_lease_key = -1;
212 static int hf_smb2_lease_state = -1;
213 static int hf_smb2_lease_state_read_caching = -1;
214 static int hf_smb2_lease_state_handle_caching = -1;
215 static int hf_smb2_lease_state_write_caching = -1;
216 static int hf_smb2_lease_flags = -1;
217 static int hf_smb2_lease_flags_break_ack_required = -1;
218 static int hf_smb2_lease_flags_parent_lease_key_set = -1;
219 static int hf_smb2_lease_flags_break_in_progress = -1;
220 static int hf_smb2_lease_duration = -1;
221 static int hf_smb2_parent_lease_key = -1;
222 static int hf_smb2_lease_epoch = -1;
223 static int hf_smb2_lease_break_reason = -1;
224 static int hf_smb2_lease_access_mask_hint = -1;
225 static int hf_smb2_lease_share_mask_hint = -1;
226 static int hf_smb2_acct_name = -1;
227 static int hf_smb2_domain_name = -1;
228 static int hf_smb2_host_name = -1;
229 static int hf_smb2_auth_frame = -1;
230 static int hf_smb2_tcon_frame = -1;
231 static int hf_smb2_share_type = -1;
232 static int hf_smb2_signature = -1;
233 static int hf_smb2_credit_charge = -1;
234 static int hf_smb2_credits_requested = -1;
235 static int hf_smb2_credits_granted = -1;
236 static int hf_smb2_channel_sequence = -1;
237 static int hf_smb2_dialect_count = -1;
238 static int hf_smb2_security_mode = -1;
239 static int hf_smb2_secmode_flags_sign_required = -1;
240 static int hf_smb2_secmode_flags_sign_enabled = -1;
241 static int hf_smb2_ses_req_flags = -1;
242 static int hf_smb2_ses_req_flags_session_binding = -1;
243 static int hf_smb2_capabilities = -1;
244 static int hf_smb2_cap_dfs = -1;
245 static int hf_smb2_cap_leasing = -1;
246 static int hf_smb2_cap_large_mtu = -1;
247 static int hf_smb2_cap_multi_channel = -1;
248 static int hf_smb2_cap_persistent_handles = -1;
249 static int hf_smb2_cap_directory_leasing = -1;
250 static int hf_smb2_cap_encryption = -1;
251 static int hf_smb2_dialect = -1;
252 static int hf_smb2_max_trans_size = -1;
253 static int hf_smb2_max_read_size = -1;
254 static int hf_smb2_max_write_size = -1;
255 static int hf_smb2_channel = -1;
256 static int hf_smb2_session_flags = -1;
257 static int hf_smb2_ses_flags_guest = -1;
258 static int hf_smb2_ses_flags_null = -1;
259 static int hf_smb2_share_flags = -1;
260 static int hf_smb2_share_flags_dfs = -1;
261 static int hf_smb2_share_flags_dfs_root = -1;
262 static int hf_smb2_share_flags_restrict_exclusive_opens = -1;
263 static int hf_smb2_share_flags_force_shared_delete = -1;
264 static int hf_smb2_share_flags_allow_namespace_caching = -1;
265 static int hf_smb2_share_flags_access_based_dir_enum = -1;
266 static int hf_smb2_share_flags_force_levelii_oplock = -1;
267 static int hf_smb2_share_flags_enable_hash_v1 = -1;
268 static int hf_smb2_share_flags_enable_hash_v2 = -1;
269 static int hf_smb2_share_flags_encrypt_data = -1;
270 static int hf_smb2_share_caching = -1;
271 static int hf_smb2_share_caps = -1;
272 static int hf_smb2_share_caps_dfs = -1;
273 static int hf_smb2_share_caps_continuous_availability = -1;
274 static int hf_smb2_share_caps_scaleout = -1;
275 static int hf_smb2_share_caps_cluster = -1;
276 static int hf_smb2_create_flags = -1;
277 static int hf_smb2_lock_count = -1;
278 static int hf_smb2_min_count = -1;
279 static int hf_smb2_remaining_bytes = -1;
280 static int hf_smb2_channel_info_offset = -1;
281 static int hf_smb2_channel_info_length = -1;
282 static int hf_smb2_ioctl_flags = -1;
283 static int hf_smb2_ioctl_is_fsctl = -1;
284 static int hf_smb2_close_pq_attrib = -1;
285 static int hf_smb2_notify_watch_tree = -1;
286 static int hf_smb2_output_buffer_len = -1;
287 static int hf_smb2_notify_out_data = -1;
288 static int hf_smb2_find_flags = -1;
289 static int hf_smb2_find_flags_restart_scans = -1;
290 static int hf_smb2_find_flags_single_entry = -1;
291 static int hf_smb2_find_flags_index_specified = -1;
292 static int hf_smb2_find_flags_reopen = -1;
293 static int hf_smb2_file_index = -1;
294 static int hf_smb2_file_directory_info = -1;
295 static int hf_smb2_both_directory_info = -1;
296 static int hf_smb2_short_name_len = -1;
297 static int hf_smb2_short_name = -1;
298 static int hf_smb2_id_both_directory_info = -1;
299 static int hf_smb2_full_directory_info = -1;
300 static int hf_smb2_lock_info = -1;
301 static int hf_smb2_lock_length = -1;
302 static int hf_smb2_lock_flags = -1;
303 static int hf_smb2_lock_flags_shared = -1;
304 static int hf_smb2_lock_flags_exclusive = -1;
305 static int hf_smb2_lock_flags_unlock = -1;
306 static int hf_smb2_lock_flags_fail_immediately = -1;
307 static int hf_smb2_dhnq_buffer_reserved = -1;
308 static int hf_smb2_dh2x_buffer_timeout = -1;
309 static int hf_smb2_dh2x_buffer_flags = -1;
310 static int hf_smb2_dh2x_buffer_flags_persistent_handle = -1;
311 static int hf_smb2_dh2x_buffer_reserved = -1;
312 static int hf_smb2_dh2x_buffer_create_guid = -1;
313 static int hf_smb2_APP_INSTANCE_buffer_struct_size = -1;
314 static int hf_smb2_APP_INSTANCE_buffer_reserved = -1;
315 static int hf_smb2_APP_INSTANCE_buffer_app_guid = -1;
316 static int hf_smb2_error_byte_count = -1;
317 static int hf_smb2_error_data = -1;
318 static int hf_smb2_error_reserved = -1;
319 static int hf_smb2_reserved = -1;
/*
 * Field handles for the SMB2 Transform Header (the wrapper around an
 * encrypted SMB2 message), each initialised to -1 like the other handles.
 * NOTE(review): "encyrpted" in hf_smb2_transform_encyrpted_data is a
 * misspelling of "encrypted"; renaming it means updating every use.
 */
320 static int hf_smb2_transform_signature = -1;
321 static int hf_smb2_transform_nonce = -1;
322 static int hf_smb2_transform_msg_size = -1;
323 static int hf_smb2_transform_reserved = -1;
324 static int hf_smb2_encryption_aes128_ccm = -1;
325 static int hf_smb2_transform_enc_alg = -1;
326 static int hf_smb2_transform_encyrpted_data = -1;
328 static gint ett_smb2 = -1;
329 static gint ett_smb2_olb = -1;
330 static gint ett_smb2_ea = -1;
331 static gint ett_smb2_header = -1;
332 static gint ett_smb2_encrypted = -1;
333 static gint ett_smb2_command = -1;
334 static gint ett_smb2_secblob = -1;
335 static gint ett_smb2_file_basic_info = -1;
336 static gint ett_smb2_file_standard_info = -1;
337 static gint ett_smb2_file_internal_info = -1;
338 static gint ett_smb2_file_ea_info = -1;
339 static gint ett_smb2_file_access_info = -1;
340 static gint ett_smb2_file_position_info = -1;
341 static gint ett_smb2_file_mode_info = -1;
342 static gint ett_smb2_file_alignment_info = -1;
343 static gint ett_smb2_file_all_info = -1;
344 static gint ett_smb2_file_allocation_info = -1;
345 static gint ett_smb2_file_endoffile_info = -1;
346 static gint ett_smb2_file_alternate_name_info = -1;
347 static gint ett_smb2_file_stream_info = -1;
348 static gint ett_smb2_file_pipe_info = -1;
349 static gint ett_smb2_file_compression_info = -1;
350 static gint ett_smb2_file_network_open_info = -1;
351 static gint ett_smb2_file_attribute_tag_info = -1;
352 static gint ett_smb2_file_rename_info = -1;
353 static gint ett_smb2_file_disposition_info = -1;
354 static gint ett_smb2_file_info_0f = -1;
355 static gint ett_smb2_fs_info_01 = -1;
356 static gint ett_smb2_fs_info_03 = -1;
357 static gint ett_smb2_fs_info_04 = -1;
358 static gint ett_smb2_fs_info_05 = -1;
359 static gint ett_smb2_fs_info_06 = -1;
360 static gint ett_smb2_fs_info_07 = -1;
361 static gint ett_smb2_fs_objectid_info = -1;
362 static gint ett_smb2_sec_info_00 = -1;
363 static gint ett_smb2_tid_tree = -1;
364 static gint ett_smb2_sesid_tree = -1;
365 static gint ett_smb2_create_chain_element = -1;
366 static gint ett_smb2_MxAc_buffer = -1;
367 static gint ett_smb2_QFid_buffer = -1;
368 static gint ett_smb2_RqLs_buffer = -1;
369 static gint ett_smb2_ioctl_function = -1;
370 static gint ett_smb2_FILE_OBJECTID_BUFFER = -1;
371 static gint ett_smb2_flags = -1;
372 static gint ett_smb2_sec_mode = -1;
373 static gint ett_smb2_capabilities = -1;
374 static gint ett_smb2_ses_req_flags = -1;
375 static gint ett_smb2_ses_flags = -1;
376 static gint ett_smb2_lease_state = -1;
377 static gint ett_smb2_lease_flags = -1;
378 static gint ett_smb2_share_flags = -1;
379 static gint ett_smb2_create_rep_flags = -1;
380 static gint ett_smb2_share_caps = -1;
381 static gint ett_smb2_ioctl_flags = -1;
382 static gint ett_smb2_ioctl_network_interface = -1;
383 static gint ett_windows_sockaddr = -1;
384 static gint ett_smb2_close_flags = -1;
385 static gint ett_smb2_notify_flags = -1;
386 static gint ett_smb2_write_flags = -1;
387 static gint ett_smb2_DH2Q_buffer = -1;
388 static gint ett_smb2_DH2C_buffer = -1;
389 static gint ett_smb2_dh2x_flags = -1;
390 static gint ett_smb2_APP_INSTANCE_buffer = -1;
391 static gint ett_smb2_find_flags = -1;
392 static gint ett_smb2_file_directory_info = -1;
393 static gint ett_smb2_both_directory_info = -1;
394 static gint ett_smb2_id_both_directory_info = -1;
395 static gint ett_smb2_full_directory_info = -1;
396 static gint ett_smb2_file_name_info = -1;
397 static gint ett_smb2_lock_info = -1;
398 static gint ett_smb2_lock_flags = -1;
399 static gint ett_smb2_transform_enc_alg = -1;
401 static int smb2_tap = -1;
403 static dissector_handle_t gssapi_handle = NULL;
404 static dissector_handle_t ntlmssp_handle = NULL;
406 static heur_dissector_list_t smb2_heur_subdissector_list;
408 #define SMB2_CLASS_FILE_INFO 0x01
409 #define SMB2_CLASS_FS_INFO 0x02
410 #define SMB2_CLASS_SEC_INFO 0x03
411 static const value_string smb2_class_vals[] = {
412 { SMB2_CLASS_FILE_INFO, "FILE_INFO"},
413 { SMB2_CLASS_FS_INFO, "FS_INFO"},
414 { SMB2_CLASS_SEC_INFO, "SEC_INFO"},
418 #define SMB2_SHARE_TYPE_DISK 0x01
419 #define SMB2_SHARE_TYPE_PIPE 0x02
420 #define SMB2_SHARE_TYPE_PRINT 0x03
421 static const value_string smb2_share_type_vals[] = {
422 { SMB2_SHARE_TYPE_DISK, "Physical disk" },
423 { SMB2_SHARE_TYPE_PIPE, "Named pipe" },
424 { SMB2_SHARE_TYPE_PRINT, "Printer" },
429 #define SMB2_FILE_BASIC_INFO 0x04
430 #define SMB2_FILE_STANDARD_INFO 0x05
431 #define SMB2_FILE_INTERNAL_INFO 0x06
432 #define SMB2_FILE_EA_INFO 0x07
433 #define SMB2_FILE_ACCESS_INFO 0x08
434 #define SMB2_FILE_RENAME_INFO 0x0a
435 #define SMB2_FILE_DISPOSITION_INFO 0x0d
436 #define SMB2_FILE_POSITION_INFO 0x0e
437 #define SMB2_FILE_INFO_0f 0x0f
438 #define SMB2_FILE_MODE_INFO 0x10
439 #define SMB2_FILE_ALIGNMENT_INFO 0x11
440 #define SMB2_FILE_ALL_INFO 0x12
441 #define SMB2_FILE_ALLOCATION_INFO 0x13
442 #define SMB2_FILE_ENDOFFILE_INFO 0x14
443 #define SMB2_FILE_ALTERNATE_NAME_INFO 0x15
444 #define SMB2_FILE_STREAM_INFO 0x16
445 #define SMB2_FILE_PIPE_INFO 0x17
446 #define SMB2_FILE_COMPRESSION_INFO 0x1c
447 #define SMB2_FILE_NETWORK_OPEN_INFO 0x22
448 #define SMB2_FILE_ATTRIBUTE_TAG_INFO 0x23
449 static const value_string smb2_file_info_levels[] = {
450 {SMB2_FILE_BASIC_INFO, "SMB2_FILE_BASIC_INFO" },
451 {SMB2_FILE_STANDARD_INFO, "SMB2_FILE_STANDARD_INFO" },
452 {SMB2_FILE_INTERNAL_INFO, "SMB2_FILE_INTERNAL_INFO" },
453 {SMB2_FILE_EA_INFO, "SMB2_FILE_EA_INFO" },
454 {SMB2_FILE_ACCESS_INFO, "SMB2_FILE_ACCESS_INFO" },
455 {SMB2_FILE_RENAME_INFO, "SMB2_FILE_RENAME_INFO" },
456 {SMB2_FILE_DISPOSITION_INFO, "SMB2_FILE_DISPOSITION_INFO" },
457 {SMB2_FILE_POSITION_INFO, "SMB2_FILE_POSITION_INFO" },
458 {SMB2_FILE_INFO_0f, "SMB2_FILE_INFO_0f" },
459 {SMB2_FILE_MODE_INFO, "SMB2_FILE_MODE_INFO" },
460 {SMB2_FILE_ALIGNMENT_INFO, "SMB2_FILE_ALIGNMENT_INFO" },
461 {SMB2_FILE_ALL_INFO, "SMB2_FILE_ALL_INFO" },
462 {SMB2_FILE_ALLOCATION_INFO, "SMB2_FILE_ALLOCATION_INFO" },
463 {SMB2_FILE_ENDOFFILE_INFO, "SMB2_FILE_ENDOFFILE_INFO" },
464 {SMB2_FILE_ALTERNATE_NAME_INFO, "SMB2_FILE_ALTERNATE_NAME_INFO" },
465 {SMB2_FILE_STREAM_INFO, "SMB2_FILE_STREAM_INFO" },
466 {SMB2_FILE_PIPE_INFO, "SMB2_FILE_PIPE_INFO" },
467 {SMB2_FILE_COMPRESSION_INFO, "SMB2_FILE_COMPRESSION_INFO" },
468 {SMB2_FILE_NETWORK_OPEN_INFO, "SMB2_FILE_NETWORK_OPEN_INFO" },
469 {SMB2_FILE_ATTRIBUTE_TAG_INFO, "SMB2_FILE_ATTRIBUTE_TAG_INFO" },
475 #define SMB2_FS_INFO_01 0x01
476 #define SMB2_FS_INFO_03 0x03
477 #define SMB2_FS_INFO_04 0x04
478 #define SMB2_FS_INFO_05 0x05
479 #define SMB2_FS_INFO_06 0x06
480 #define SMB2_FS_INFO_07 0x07
481 #define SMB2_FS_OBJECTID_INFO 0x08
482 static const value_string smb2_fs_info_levels[] = {
483 {SMB2_FS_INFO_01, "SMB2_FS_INFO_01" },
484 {SMB2_FS_INFO_03, "SMB2_FS_INFO_03" },
485 {SMB2_FS_INFO_04, "SMB2_FS_INFO_04" },
486 {SMB2_FS_INFO_05, "SMB2_FS_INFO_05" },
487 {SMB2_FS_INFO_06, "SMB2_FS_INFO_06" },
488 {SMB2_FS_INFO_07, "SMB2_FS_INFO_07" },
489 {SMB2_FS_OBJECTID_INFO, "SMB2_FS_OBJECTID_INFO" },
493 #define SMB2_SEC_INFO_00 0x00
494 static const value_string smb2_sec_info_levels[] = {
495 {SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
/*
 * Information levels shown for the find (query directory) info-level field,
 * with the value-to-name table used to label them.
 * NOTE(review): SMB2_FIND_INDEX_SPECIFIED (0x04) is named like the
 * "index specified" find flag (compare hf_smb2_find_flags_index_specified)
 * rather than like an information level - confirm it belongs in this table.
 */
499 #define SMB2_FIND_DIRECTORY_INFO 0x01
500 #define SMB2_FIND_FULL_DIRECTORY_INFO 0x02
501 #define SMB2_FIND_BOTH_DIRECTORY_INFO 0x03
502 #define SMB2_FIND_INDEX_SPECIFIED 0x04
503 #define SMB2_FIND_NAME_INFO 0x0C
504 #define SMB2_FIND_ID_BOTH_DIRECTORY_INFO 0x25
505 #define SMB2_FIND_ID_FULL_DIRECTORY_INFO 0x26
506 static const value_string smb2_find_info_levels[] = {
507 { SMB2_FIND_DIRECTORY_INFO, "SMB2_FIND_DIRECTORY_INFO" },
508 { SMB2_FIND_FULL_DIRECTORY_INFO, "SMB2_FIND_FULL_DIRECTORY_INFO" },
509 { SMB2_FIND_BOTH_DIRECTORY_INFO, "SMB2_FIND_BOTH_DIRECTORY_INFO" },
510 { SMB2_FIND_INDEX_SPECIFIED, "SMB2_FIND_INDEX_SPECIFIED" },
511 { SMB2_FIND_NAME_INFO, "SMB2_FIND_NAME_INFO" },
512 { SMB2_FIND_ID_BOTH_DIRECTORY_INFO, "SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
513 { SMB2_FIND_ID_FULL_DIRECTORY_INFO, "SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
517 /* unmatched smb_saved_info structures.
518 For unmatched smb_saved_info structures we store the smb_saved_info
519 structure using the SEQNUM field.
/*
 * Equality callback (gconstpointer signature) for unmatched saved-info
 * entries: two smb2_saved_info_t keys compare equal when their seqnum
 * fields match. No other field takes part in the comparison.
 */
522 smb2_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
524 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
525 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
526 return key1->seqnum == key2->seqnum;
/*
 * Hash callback paired with smb2_saved_info_equal_unmatched(): the hash is
 * the low 32 bits of seqnum, so keys that compare equal always hash alike.
 * NOTE(review): seqnum presumably comes from the header of the dissected
 * packet, so bucket distribution depends on capture contents - confirm the
 * table copes with many keys that share the same low 32 bits.
 */
529 smb2_saved_info_hash_unmatched(gconstpointer k)
531 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
534 hash = (guint32) (key->seqnum&0xffffffff);
538 /* matched smb_saved_info structures.
539 For matched smb_saved_info structures we store the smb_saved_info
540 structure using the SEQNUM field.
/*
 * Equality callback (gconstpointer signature) for matched saved-info
 * entries: keys compare equal when their seqnum fields match, the same
 * rule as smb2_saved_info_equal_unmatched().
 */
543 smb2_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
545 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
546 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
547 return key1->seqnum == key2->seqnum;
/*
 * Hash callback paired with smb2_saved_info_equal_matched(): the hash is
 * the low 32 bits of seqnum, which keeps it consistent with the equality
 * test (equal seqnum implies equal hash).
 */
550 smb2_saved_info_hash_matched(gconstpointer k)
552 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
555 hash = (guint32) (key->seqnum&0xffffffff);
559 /* For Tids of a specific conversation.
560 This keeps track of tid->sharename mappings and other information about the
563 We might need to refine this if it turns out that tids are reused on a single
564 conversation. We don't worry about that yet, for simplicity.
/*
 * Equality callback for the per-conversation tid entries: two
 * smb2_tid_info_t keys compare equal when their tid fields match.
 * Because only tid is compared, a tid that is reused within one
 * conversation resolves to the same entry.
 */
567 smb2_tid_info_equal(gconstpointer k1, gconstpointer k2)
569 const smb2_tid_info_t *key1 = (const smb2_tid_info_t *)k1;
570 const smb2_tid_info_t *key2 = (const smb2_tid_info_t *)k2;
571 return key1->tid == key2->tid;
/*
 * Hash callback for the per-conversation tid entries.
 * NOTE(review): only the key cast is visible here; whatever value is
 * returned must be derived from tid alone so that it stays consistent
 * with smb2_tid_info_equal().
 */
574 smb2_tid_info_hash(gconstpointer k)
576 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
583 /* For Uids of a specific conversation.
584 This keeps track of uid->acct_name mappings and other information about the
587 We might need to refine this if it turns out that uids are reused on a single
588 conversation. We don't worry about that yet, for simplicity.
/*
 * Equality callback for the per-conversation session entries: two
 * smb2_sesid_info_t keys compare equal when their sesid fields match.
 * Session state looked up through this comparison is therefore selected
 * by the session id alone.
 */
591 smb2_sesid_info_equal(gconstpointer k1, gconstpointer k2)
593 const smb2_sesid_info_t *key1 = (const smb2_sesid_info_t *)k1;
594 const smb2_sesid_info_t *key2 = (const smb2_sesid_info_t *)k2;
595 return key1->sesid == key2->sesid;
/*
 * Hash callback paired with smb2_sesid_info_equal(): folds sesid into
 * 32 bits by adding its upper and lower 32-bit halves (the sum is
 * truncated by the guint32 cast). Equal session ids always hash alike.
 */
598 smb2_sesid_info_hash(gconstpointer k)
600 const smb2_sesid_info_t *key = (const smb2_sesid_info_t *)k;
603 hash = (guint32)( ((key->sesid>>32)&0xffffffff)+((key->sesid)&0xffffffff) );
/*
 * Derive a 16-byte key KO from the input key KI using HMAC-SHA256.
 *
 * The MAC is keyed with KI and fed, in order: buf, Label, one byte of buf,
 * Context, and buf again; the first 16 bytes of the digest are copied to
 * KO. The crypto body sits under HAVE_LIBGCRYPT, which is presumably why
 * every parameter is tagged _U_ (unused) for builds without libgcrypt.
 *
 * NOTE(review): the results of gcry_md_open() and gcry_md_setkey() are
 * discarded in the lines shown. If the open fails, the later calls would
 * run on an unusable handle; check the returned error codes and skip the
 * derivation on failure.
 * NOTE(review): gcry_md_read() returns a pointer into storage owned by hd,
 * so the copy into KO must happen before the handle is closed; confirm hd
 * is released with gcry_md_close() on every path.
 */
607 static void smb2_key_derivation(const guint8 *KI _U_, guint32 KI_len _U_,
608 const guint8 *Label _U_, guint32 Label_len _U_,
609 const guint8 *Context _U_, guint32 Context_len _U_,
612 #ifdef HAVE_LIBGCRYPT
613 gcry_md_hd_t hd = NULL;
615 guint8 *digest = NULL;
618 * a simplified version of
619 * "NIST Special Publication 800-108" section 5.1
/* HMAC mode of SHA-256, keyed with the caller's input key. */
622 gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
623 gcry_md_setkey(hd, KI, KI_len);
/* buf starts out all zero; any change made to it between the writes
 * below is not visible in these lines. */
625 memset(buf, 0, sizeof(buf));
627 gcry_md_write(hd, buf, sizeof(buf));
628 gcry_md_write(hd, Label, Label_len);
/* Single byte of buf written between Label and Context. */
629 gcry_md_write(hd, buf, 1);
630 gcry_md_write(hd, Context, Context_len);
632 gcry_md_write(hd, buf, sizeof(buf));
634 digest = gcry_md_read(hd, GCRY_MD_SHA256);
/* Keep only the first 16 digest bytes; assumes KO holds at least
 * 16 bytes - TODO confirm against the parameter declaration. */
636 memcpy(KO, digest, 16);
644 static int dissect_smb2_file_info_0f(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
647 /* This is a helper to dissect the common string type
653 * This function is called twice: first to decode the offset/length, and
654 * a second time to dissect the actual string.
655 * It is done this way since there is no guarantee that we have the full packet, and we don't
656 * want to abort dissection too early if the packet ends somewhere between the
657 * length/offset and the actual buffer.
/*
 * Wire layouts of an offset/length pair as read by
 * dissect_smb2_olb_length_offset(): O is the offset field, S the length
 * (size) field, named in on-the-wire order with the width of each.
 */
660 enum offset_length_buffer_offset_size {
661 OLB_O_UINT16_S_UINT16, /* 16-bit offset, then 16-bit length */
662 OLB_O_UINT16_S_UINT32, /* 16-bit offset, then 32-bit length */
663 OLB_O_UINT32_S_UINT32, /* 32-bit offset, then 32-bit length */
664 OLB_S_UINT32_O_UINT32 /* 32-bit length, then 32-bit offset */
/*
 * Parsed offset/length descriptor. dissect_smb2_olb_length_offset() fills
 * in off, len, off_offset, len_offset, hfindex and offset_size; the string
 * and buffer helpers consume them later. off and len are stored exactly as
 * read from the packet, so they are untrusted until a consumer has
 * bounds-checked them.
 */
666 typedef struct _offset_length_buffer_t {
/* which wire layout the pair used; selects the field widths shown later */
671 enum offset_length_buffer_offset_size offset_size;
673 } offset_length_buffer_t;
/*
 * First pass of the offset/length helper: read the little-endian offset
 * and length fields at `offset` in the layout selected by offset_size and
 * store them in olb, together with the tvb positions they were read from.
 * hfindex is remembered for the later string/buffer pass.
 *
 * The values are stored exactly as they appear in the packet. Nothing here
 * checks that off/len describe a range inside tvb; that check is left to
 * dissect_smb2_olb_string() and dissect_smb2_olb_buffer().
 */
675 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
676 enum offset_length_buffer_offset_size offset_size, int hfindex)
678 olb->hfindex = hfindex;
679 olb->offset_size = offset_size;
680 switch (offset_size) {
/* 16-bit offset followed by 16-bit length */
681 case OLB_O_UINT16_S_UINT16:
682 olb->off = tvb_get_letohs(tvb, offset);
683 olb->off_offset = offset;
685 olb->len = tvb_get_letohs(tvb, offset);
686 olb->len_offset = offset;
/* 16-bit offset followed by 32-bit length */
689 case OLB_O_UINT16_S_UINT32:
690 olb->off = tvb_get_letohs(tvb, offset);
691 olb->off_offset = offset;
693 olb->len = tvb_get_letohl(tvb, offset);
694 olb->len_offset = offset;
/* 32-bit offset followed by 32-bit length */
697 case OLB_O_UINT32_S_UINT32:
698 olb->off = tvb_get_letohl(tvb, offset);
699 olb->off_offset = offset;
701 olb->len = tvb_get_letohl(tvb, offset);
702 olb->len_offset = offset;
/* 32-bit length first, then 32-bit offset */
705 case OLB_S_UINT32_O_UINT32:
706 olb->len = tvb_get_letohl(tvb, offset);
707 olb->len_offset = offset;
709 olb->off = tvb_get_letohl(tvb, offset);
710 olb->off_offset = offset;
/* String encodings accepted by dissect_smb2_olb_string() in `type`. */
718 #define OLB_TYPE_UNICODE_STRING 0x01
719 #define OLB_TYPE_ASCII_STRING 0x02
/*
 * Second pass of the offset/length helper for strings: check that the
 * range described by olb lies inside tvb, decode it as a Unicode or ASCII
 * string according to `type`, add it to parent_tree under olb->hfindex,
 * and then add the raw offset/length fields beneath that item.
 *
 * off and len originate from the packet, so the bounds checks below are
 * what keeps a hostile or truncated capture from driving reads outside
 * the buffer.
 */
721 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
724 proto_item *item = NULL;
725 proto_tree *tree = NULL;
726 const char *name = NULL;
733 bc = tvb_length_remaining(tvb, offset);
/* Throws a bounds exception when [off, off+len) is not in the tvb. */
737 tvb_ensure_bytes_exist(tvb, off, len);
/* NOTE(review): off+len can wrap for large packet-supplied values, and
 * both sides of this comparison add off. Confirm that the part of the
 * condition not visible here rejects a wrapped sum, and check the declared
 * types of off and len. */
739 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
/* Report the bad range in the tree and in the Info column. */
740 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
741 "Invalid offset/length. Malformed packet");
743 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
/* off, len and bc are passed by pointer, so the helper may update them;
 * the meaning of the boolean arguments is defined by the helper itself -
 * TODO confirm against its declaration. */
750 case OLB_TYPE_UNICODE_STRING:
751 name = get_unicode_or_ascii_string(tvb, &off,
752 TRUE, &len, TRUE, TRUE, &bc);
757 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
758 tree = proto_item_add_subtree(item, ett_smb2_olb);
761 case OLB_TYPE_ASCII_STRING:
762 name = get_unicode_or_ascii_string(tvb, &off,
763 FALSE, &len, TRUE, TRUE, &bc);
768 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
769 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* Show the raw offset/length fields at the positions recorded by
 * dissect_smb2_olb_length_offset(), with the width each layout defines. */
774 switch (olb->offset_size) {
775 case OLB_O_UINT16_S_UINT16:
776 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
777 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
779 case OLB_O_UINT16_S_UINT32:
780 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
781 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
783 case OLB_O_UINT32_S_UINT32:
784 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
785 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
787 case OLB_S_UINT32_O_UINT32:
788 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
789 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Second pass of the offset/length helper for opaque buffers: check that
 * the range described by olb lies inside tvb, add the raw offset/length
 * fields to the tree, and hand the referenced bytes to `dissector` as a
 * sub-tvb. When olb->hfindex is -1 no item is created and the fields are
 * attached directly to parent_tree.
 *
 * off and len originate from the packet; the checks below and the length
 * clamp on the sub-tvb are what bound the callback's view of the data.
 */
797 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
798 offset_length_buffer_t *olb, smb2_info_t *si,
799 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
802 proto_item *sub_item = NULL;
803 proto_tree *sub_tree = NULL;
804 tvbuff_t *sub_tvb = NULL;
/* Throws a bounds exception when [off, off+len) is not in the tvb. */
812 tvb_ensure_bytes_exist(tvb, off, len);
/* NOTE(review): off+len can wrap for large packet-supplied values, and
 * both sides of this comparison add off. Confirm that the part of the
 * condition not visible here rejects a wrapped sum, and check the declared
 * types of off and len. */
814 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
/* Report the bad range in the tree and in the Info column. */
815 proto_tree_add_text(parent_tree, tvb, offset, tvb_length_remaining(tvb, offset),
816 "Invalid offset/length. Malformed packet");
818 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
823 /* if we don't want/need a subtree */
824 if (olb->hfindex == -1) {
825 sub_item = parent_tree;
826 sub_tree = parent_tree;
829 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
830 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
/* Show the raw offset/length fields at the positions recorded by
 * dissect_smb2_olb_length_offset(), with the width each layout defines. */
834 switch (olb->offset_size) {
835 case OLB_O_UINT16_S_UINT16:
836 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
837 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
839 case OLB_O_UINT16_S_UINT32:
840 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
841 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
843 case OLB_O_UINT32_S_UINT32:
844 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
845 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
847 case OLB_S_UINT32_O_UINT32:
848 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
849 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/* A zero offset or zero length means there is no payload to dissect. */
853 if (off == 0 || len == 0) {
854 proto_item_append_text(sub_item, ": NO DATA");
/* The captured length is clamped to the bytes actually present in tvb,
 * while the reported length stays at len, so a truncated capture surfaces
 * as a bounds exception in the callback rather than an over-read.
 * NOTE(review): (int)len turns values above INT_MAX negative; the earlier
 * tvb_ensure_bytes_exist() presumably rejects such lengths - confirm. */
862 sub_tvb = tvb_new_subset(tvb, off, MIN((int)len, tvb_length_remaining(tvb, off)), len);
/* NOTE(review): no NULL check on `dissector` is visible in these lines;
 * callers are assumed to pass a valid callback. */
864 dissector(sub_tvb, pinfo, sub_tree, si);
/*
 * Return the larger of `offset` and the end of the range described by olb
 * (off + len), i.e. advance past the buffer if it ends beyond `offset`.
 * NOTE(review): off + len is computed from packet-supplied values and then
 * cast to int; a wrapped or negative result makes MAX() fall back to
 * `offset`. Callers should not treat the result as a validated bound.
 */
868 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
873 return MAX(offset, (int)(olb->off + olb->len));
/*
 * Pair of handlers for one SMB2 command: `request` for the request PDU and
 * `response` for the response PDU. Both take the tvb, packet info, tree,
 * current offset and per-packet smb2_info_t, and return an int
 * (presumably the offset after the dissected data - TODO confirm).
 */
876 typedef struct _smb2_function {
877 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
878 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
/*
 * Display strings for the SMB2 header flag bits. In each
 * true_false_string the first string is shown when the bit is set and the
 * second when it is clear.
 */
881 static const true_false_string tfs_flags_response = {
882 "This is a RESPONSE",
886 static const true_false_string tfs_flags_async_cmd = {
887 "This is an ASYNC command",
888 "This is a SYNC command"
891 static const true_false_string tfs_flags_dfs_op = {
892 "This is a DFS OPERATION",
893 "This is a normal operation"
896 static const true_false_string tfs_flags_chained = {
/* NOTE(review): the string below is missing "is" ("This pdu is a CHAINED command"). */
897 "This pdu a CHAINED command",
898 "This pdu is NOT a chained command"
/* The signed flag only reports what the header claims; it says nothing
 * about whether the signature was verified. */
901 static const true_false_string tfs_flags_signature = {
902 "This pdu is SIGNED",
903 "This pdu is NOT signed"
906 static const true_false_string tfs_flags_replay_operation = {
/* NOTE(review): "OPEARATION" below is a typo for "OPERATION". */
907 "This is a REPLAY OPEARATION",
908 "This is NOT a replay operation"
/* Display strings for capability bits: the first string is shown when the bit
 * is set, the second when it is clear. The tfs_cap_ names line up with the
 * NEGPROT_CAP_ masks defined later in this file; a set bit is what the sender
 * advertises, not proof that the feature is in use on the connection. */
911 static const true_false_string tfs_cap_dfs = {
912 "This host supports DFS",
913 "This host does NOT support DFS"
916 static const true_false_string tfs_cap_leasing = {
917 "This host supports LEASING",
918 "This host does NOT support LEASING"
921 static const true_false_string tfs_cap_large_mtu = {
922 "This host supports LARGE_MTU",
923 "This host does NOT support LARGE_MTU"
926 static const true_false_string tfs_cap_multi_channel = {
927 "This host supports MULTI CHANNEL",
928 "This host does NOT support MULTI CHANNEL"
931 static const true_false_string tfs_cap_persistent_handles = {
932 "This host supports PERSISTENT HANDLES",
933 "This host does NOT support PERSISTENT HANDLES"
936 static const true_false_string tfs_cap_directory_leasing = {
937 "This host supports DIRECTORY LEASING",
938 "This host does NOT support DIRECTORY LEASING"
941 static const true_false_string tfs_cap_encryption = {
942 "This host supports ENCRYPTION",
943 "This host does NOT support ENCRYPTION"
/* Per-interface capability bits (RSS, RDMA); the names suggest they belong to
 * the network interface info ioctl reply. */
946 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
947 "This interface supports RSS",
948 "This interface does not support RSS"
951 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
952 "This interface supports RDMA",
953 "This interface does not support RDMA"
/* Value-to-name table for the compression format field (0 = none,
 * 1 = default, 2 = LZNT1). */
956 static const value_string compression_format_vals[] = {
957 { 0, "COMPRESSION_FORMAT_NONE" },
958 { 1, "COMPRESSION_FORMAT_DEFAULT" },
959 { 2, "COMPRESSION_FORMAT_LZNT1" },
/* Value-to-name table for 32-bit ioctl/FSCTL function codes. The in-table
 * comments split it into codes whose payload is dissected in this file and
 * codes that are only named. dissect_smb2_ioctl_function() also shows the
 * code's sub-fields: the device type is (code >> 16) & 0xffff and the function
 * number is (code >> 2) & 0x0fff.
 * Reviewer note: FSCTL_VALIDATE_NEGOTIATE_INFO is the request a client sends
 * to confirm the negotiated parameters were not altered in transit, so it is
 * a useful code to filter on when auditing a capture for negotiation
 * tampering. */
964 static const value_string smb2_ioctl_vals[] = {
965 /* dissector implemented */
966 {0x00060194, "FSCTL_DFS_GET_REFERRALS"},
967 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"},
968 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"},
969 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"},
970 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"},
971 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"},
972 {0x00144064, "FSCTL_GET_SHADOW_COPY_DATA"},
973 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"},
974 {0x0009009C, "FSCTL_GET_OBJECT_ID"},
975 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
976 {0x00098098, "FSCTL_SET_OBJECT_ID"},
977 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"},
978 {0x0009003C, "FSCTL_GET_COMPRESSION"},
979 {0x0009C040, "FSCTL_SET_COMPRESSION"},
981 /* dissector not yet implemented */
982 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
983 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
984 {0x001441bb, "FSCTL_SRV_READ_HASH"},
985 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
986 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
987 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
988 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
989 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
990 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
991 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
992 {0x00090018, "FSCTL_LOCK_VOLUME"},
993 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
994 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
995 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
996 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
997 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
998 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
999 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
1000 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
1001 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
1002 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
1003 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
1004 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
1005 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
1006 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
1007 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
1008 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
1009 {0x00090074, "FSCTL_MOVE_FILE"},
1010 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
1011 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
1012 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
1013 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
1014 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
1015 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
1016 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
1017 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
1018 {0x000900A8, "FSCTL_GET_REPARSE_POINT"},
1019 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
1020 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
1021 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
1022 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
1023 {0x000980C4, "FSCTL_SET_SPARSE"},
1024 {0x000980C8, "FSCTL_SET_ZERO_DATA"},
1025 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"},
1026 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
1027 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
1028 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
1029 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
1030 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
1031 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
1032 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
1033 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
1034 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
/* Value-to-name table for the device-type part of an ioctl code.
 * dissect_smb2_ioctl_function() looks it up with (ioctl_function>>16)&0xffff
 * when the full code has no name of its own. */
1039 static const value_string smb2_ioctl_device_vals[] = {
1041 { 0x0002, "CD_ROM" },
1042 { 0x0003, "CD_ROM_FILE_SYSTEM" },
1043 { 0x0004, "CONTROLLER" },
1044 { 0x0005, "DATALINK" },
1047 { 0x0008, "DISK_FILE_SYSTEM" },
1048 { 0x0009, "FILE_SYSTEM" },
1049 { 0x000a, "INPORT_PORT" },
1050 { 0x000b, "KEYBOARD" },
1051 { 0x000c, "MAILSLOT" },
1052 { 0x000d, "MIDI_IN" },
1053 { 0x000e, "MIDI_OUT" },
1054 { 0x000f, "MOUSE" },
1055 { 0x0010, "MULTI_UNC_PROVIDER" },
1056 { 0x0011, "NAMED_PIPE" },
1057 { 0x0012, "NETWORK" },
1058 { 0x0013, "NETWORK_BROWSER" },
1059 { 0x0014, "NETWORK_FILE_SYSTEM" },
1061 { 0x0016, "PARALLEL_PORT" },
1062 { 0x0017, "PHYSICAL_NETCARD" },
1063 { 0x0018, "PRINTER" },
1064 { 0x0019, "SCANNER" },
1065 { 0x001a, "SERIAL_MOUSE_PORT" },
1066 { 0x001b, "SERIAL_PORT" },
1067 { 0x001c, "SCREEN" },
1068 { 0x001d, "SOUND" },
1069 { 0x001e, "STREAMS" },
1071 { 0x0020, "TAPE_FILE_SYSTEM" },
1072 { 0x0021, "TRANSPORT" },
1073 { 0x0022, "UNKNOWN" },
1074 { 0x0023, "VIDEO" },
1075 { 0x0024, "VIRTUAL_DISK" },
1076 { 0x0025, "WAVE_IN" },
1077 { 0x0026, "WAVE_OUT" },
1078 { 0x0027, "8042_PORT" },
1079 { 0x0028, "NETWORK_REDIRECTOR" },
1080 { 0x0029, "BATTERY" },
1081 { 0x002a, "BUS_EXTENDER" },
1082 { 0x002b, "MODEM" },
1084 { 0x002d, "MASS_STORAGE" },
1087 { 0x0030, "CHANGER" },
1088 { 0x0031, "SMARTCARD" },
1091 { 0x0034, "FULLSCREEN_VIDEO" },
1092 { 0x0035, "DFS_FILE_SYSTEM" },
1093 { 0x0036, "DFS_VOLUME" },
1094 { 0x0037, "SERENUM" },
1095 { 0x0038, "TERMSRV" },
/* Value-to-name table for the two-bit access part of an ioctl code
 * (any / read / write / read+write). */
1100 static const value_string smb2_ioctl_access_vals[] = {
1101 { 0x00, "FILE_ANY_ACCESS" },
1102 { 0x01, "FILE_READ_ACCESS" },
1103 { 0x02, "FILE_WRITE_ACCESS" },
1104 { 0x03, "FILE_READ_WRITE_ACCESS" },
/* Value-to-name table for the two-bit buffering-method part of an ioctl
 * code. */
1108 static const value_string smb2_ioctl_method_vals[] = {
1109 { 0x00, "METHOD_BUFFERED" },
1110 { 0x01, "METHOD_IN_DIRECT" },
1111 { 0x02, "METHOD_OUT_DIRECT" },
1112 { 0x03, "METHOD_NEITHER" },
1116 /* this is called from both smb and smb2. */
/* Dissects the 4-byte little-endian ioctl/FSCTL function code at `offset`.
 * Stores the raw value through `ioctlfunc`, adds a subtree with the device,
 * access, function and method sub-fields (all read from the same 4 bytes),
 * and appends text to the Info column: the known name when there is one,
 * otherwise the device name and the function number. */
1118 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctlfunc)
1120 proto_item *item = NULL;
1121 proto_tree *tree = NULL;
1122 guint32 ioctl_function;
1125 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1126 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
1129 ioctl_function = tvb_get_letohl(tvb, offset);
1131 *ioctlfunc = ioctl_function;
1132 if (ioctl_function) {
/* `unknown` is a sentinel: the lookup result is compared with it by pointer
 * below to detect a code that has no table entry. The body of that branch is
 * not shown; the later `ioctl_name == NULL` tests suggest it clears the
 * name. */
1133 const gchar *unknown = "unknown";
1134 const gchar *ioctl_name = val_to_str_const(ioctl_function,
1139 * val_to_str_const() doesn't work with a unknown == NULL
1141 if (ioctl_name == unknown) {
1145 if (check_col(pinfo->cinfo, COL_INFO) && ioctl_name != NULL) {
1147 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
1151 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1152 if (check_col(pinfo->cinfo, COL_INFO) && ioctl_name == NULL) {
1154 pinfo->cinfo, COL_INFO, " %s",
/* device type = upper 16 bits of the code */
1155 val_to_str((ioctl_function>>16)&0xffff, smb2_ioctl_device_vals,
1156 "Unknown (0x%08X)"));
1160 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1163 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1164 if (check_col(pinfo->cinfo, COL_INFO) && ioctl_name == NULL) {
1166 pinfo->cinfo, COL_INFO, " Function:0x%04x",
/* function number = 12 bits starting at bit 2 */
1167 (ioctl_function>>2)&0x0fff);
1171 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1179 /* fake the dce/rpc support structures so we can piggy back on
1180 * dissect_nt_policy_hnd() since this will allow us
1181 * a cheap way to track where FIDs are opened, closed
1182 * and fid->filename mappings
1183 * if we want to do those things in the future.
/* Values for the `mode` argument of dissect_smb2_fid(), which switches on
 * them to pick the open/close flags it passes to dissect_nt_guid_hnd(). */
1185 #define FID_MODE_OPEN 0
1186 #define FID_MODE_CLOSE 1
1187 #define FID_MODE_USE 2
1188 #define FID_MODE_DHNQ 3
1189 #define FID_MODE_DHNC 4
/* Dissects an SMB2 file id by reusing the DCE/RPC policy-handle dissector
 * dissect_nt_guid_hnd(). `mode` (a FID_MODE_ value) selects the two boolean
 * flags passed to that helper. On the first pass over a frame a display name
 * ("File: <name>") is stored for the handle; afterwards the stored name is
 * fetched and appended to the handle item and to the Info column.
 *
 * NOTE(review): `di` and `call_data` are function-static, so every call
 * shares one instance, and pinfo->private_data points at `di` only between
 * the save at line 1205 and the restore at line 1231. If the helper leaves
 * through an exception on a truncated packet, that restore is skipped;
 * confirm the stale pointer is harmless to later dissectors. */
1191 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
1193 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
1194 static dcerpc_info di; /* fake dcerpc_info struct */
1195 static dcerpc_call_value call_data;
1196 void *old_private_data;
1197 e_ctx_hnd policy_hnd;
1198 proto_item *hnd_item = NULL;
1200 guint32 open_frame = 0, close_frame = 0;
1202 di.conformant_run = 0;
1203 /* we need di->call_data->flags.NDR64 == 0 */
1204 di.call_data = &call_data;
1205 old_private_data = pinfo->private_data;
1206 pinfo->private_data = &di;
1210 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, drep, hf_smb2_fid, &policy_hnd, &hnd_item, TRUE, FALSE);
/* only name the handle on the first pass over this frame */
1211 if (!pinfo->fd->flags.visited) {
/* the name text comes from state saved earlier for this exchange; it is
 * presumably derived from packet data, and it is passed as a "%s" argument,
 * never as the format string */
1212 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1213 fid_name = se_strdup_printf("File: %s", (char *)si->saved->extra_info);
1215 fid_name = se_strdup_printf("File: ");
1217 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
1221 case FID_MODE_CLOSE:
1222 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, TRUE);
1227 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, FALSE);
/* put back the caller's private_data */
1231 pinfo->private_data = old_private_data;
1234 /* put the filename in col_info */
1235 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num)) {
1238 proto_item_append_text(hnd_item, " %s", fid_name);
1240 if (check_col(pinfo->cinfo, COL_INFO)) {
1241 col_append_fstr(pinfo->cinfo, COL_INFO, " %s", fid_name);
1250 /* this info level is unique to SMB2 and differs from the corresponding
1251 * SMB_FILE_ALL_INFO in SMB
/* Dissects the SMB2 "file all info" block into its own subtree: four 64-bit
 * timestamps (create, last access, last write, last change), the extended
 * file attributes, allocation size, end of file, link count, delete-pending
 * and is-directory bytes, file id, EA size, access mask, and finally a
 * length-prefixed file name.
 *
 * NOTE(review): the file-name length is a 16-bit value taken from the packet.
 * It is handed to get_unicode_or_ascii_string() together with `bc`, the number
 * of bytes left in the tvb, so the helper presumably clamps it; confirm there.
 * The declaration of `bc` is not visible; if it is a 16-bit count, a remaining
 * length above 65535 is truncated on assignment. */
1254 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1256 proto_item *item = NULL;
1257 proto_tree *tree = NULL;
1259 const char *name = "";
1263 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
1264 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
1268 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1271 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1274 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1277 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1279 /* File Attributes */
1280 offset = dissect_file_ext_attr(tvb, tree, offset);
1282 /* some unknown bytes */
1283 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
1286 /* allocation size */
1287 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1291 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1294 /* number of links */
1295 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1298 /* delete pending */
1299 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1303 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1310 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1314 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1318 offset = dissect_smb_access_mask(tvb, tree, offset);
1320 /* some unknown bytes */
1321 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
1324 /* file name length */
1325 length = tvb_get_letohs(tvb, offset);
1326 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1329 /* some unknown bytes */
1330 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* bc = bytes left in the tvb, passed as the upper bound for the name */
1335 bc = tvb_length_remaining(tvb, offset);
1336 name = get_unicode_or_ascii_string(tvb, &offset,
1337 TRUE, &length, TRUE, TRUE, &bc);
1339 proto_tree_add_string(tree, hf_smb2_filename, tvb,
1340 offset, length, name);
/* Adds the file-allocation-info subtree (extending to the end of the tvb) and
 * hands the remaining byte count `bc` to the shared SMB helper
 * dissect_qsfi_SMB_FILE_ALLOCATION_INFO(); its return value becomes the new
 * offset. */
1352 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1354 proto_item *item = NULL;
1355 proto_tree *tree = NULL;
1360 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
1361 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
1364 bc = tvb_length_remaining(tvb, offset);
1365 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the end-of-file-info subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(); its return
 * value becomes the new offset. */
1371 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1373 proto_item *item = NULL;
1374 proto_tree *tree = NULL;
1379 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
1380 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
1383 bc = tvb_length_remaining(tvb, offset);
1384 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the alternate-name-info subtree and hands the remaining byte count
 * `bc` to the shared SMB helper dissect_qfi_SMB_FILE_NAME_INFO(); its return
 * value becomes the new offset. */
1390 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1392 proto_item *item = NULL;
1393 proto_tree *tree = NULL;
1398 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
1399 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
1402 bc = tvb_length_remaining(tvb, offset);
1403 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissects the file-basic-info block in place: four 64-bit timestamps
 * (create, last access, last write, last change), the extended file
 * attributes, and four bytes shown as unknown. */
1410 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1412 proto_item *item = NULL;
1413 proto_tree *tree = NULL;
1416 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
1417 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
1421 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1424 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1427 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1430 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1432 /* File Attributes */
1433 offset = dissect_file_ext_attr(tvb, tree, offset);
1435 /* some unknown bytes */
1436 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/* Adds the file-standard-info subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfi_SMB_FILE_STANDARD_INFO(); its return
 * value becomes the new offset. */
1443 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1445 proto_item *item = NULL;
1446 proto_tree *tree = NULL;
1451 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
1452 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
1455 bc = tvb_length_remaining(tvb, offset);
1456 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-internal-info subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfi_SMB_FILE_INTERNAL_INFO(); its return
 * value becomes the new offset. */
1461 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1463 proto_item *item = NULL;
1464 proto_tree *tree = NULL;
1469 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
1470 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
1473 bc = tvb_length_remaining(tvb, offset);
1474 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-mode-info subtree and hands the remaining byte count `bc` to
 * the shared SMB helper dissect_qsfi_SMB_FILE_MODE_INFO(); its return value
 * becomes the new offset. */
1479 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1481 proto_item *item = NULL;
1482 proto_tree *tree = NULL;
1487 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
1488 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
1491 bc = tvb_length_remaining(tvb, offset);
1492 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-alignment-info subtree and hands the remaining byte count
 * `bc` to the shared SMB helper dissect_qfi_SMB_FILE_ALIGNMENT_INFO(); its
 * return value becomes the new offset. */
1497 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1499 proto_item *item = NULL;
1500 proto_tree *tree = NULL;
1505 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
1506 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
1509 bc = tvb_length_remaining(tvb, offset);
1510 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-position-info subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qsfi_SMB_FILE_POSITION_INFO(); its return
 * value becomes the new offset. */
1515 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1517 proto_item *item = NULL;
1518 proto_tree *tree = NULL;
1523 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
1524 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
1527 bc = tvb_length_remaining(tvb, offset);
1528 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-access-info subtree and dissects its content as an access
 * mask via dissect_smb_access_mask(), which returns the new offset. */
1534 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1536 proto_item *item = NULL;
1537 proto_tree *tree = NULL;
1540 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
1541 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
1545 offset = dissect_smb_access_mask(tvb, tree, offset);
/* Adds the file-EA-info subtree and hands the remaining byte count `bc` to
 * the shared SMB helper dissect_qfi_SMB_FILE_EA_INFO(); its return value
 * becomes the new offset. */
1551 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1553 proto_item *item = NULL;
1554 proto_tree *tree = NULL;
1559 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
1560 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
1563 bc = tvb_length_remaining(tvb, offset);
1564 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-stream-info subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfi_SMB_FILE_STREAM_INFO() (called with a
 * trailing TRUE argument whose meaning is defined by that helper); its return
 * value becomes the new offset. */
1570 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1572 proto_item *item = NULL;
1573 proto_tree *tree = NULL;
1578 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
1579 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
1582 bc = tvb_length_remaining(tvb, offset);
1583 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, TRUE);
/* Adds the file-pipe-info subtree and hands the remaining byte count `bc` to
 * the shared SMB helper dissect_sfi_SMB_FILE_PIPE_INFO(); its return value
 * becomes the new offset. */
1589 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1591 proto_item *item = NULL;
1592 proto_tree *tree = NULL;
1597 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
1598 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
1601 bc = tvb_length_remaining(tvb, offset);
1602 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-compression-info subtree and hands the remaining byte count
 * `bc` to the shared SMB helper dissect_qfi_SMB_FILE_COMPRESSION_INFO(); its
 * return value becomes the new offset. */
1608 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1610 proto_item *item = NULL;
1611 proto_tree *tree = NULL;
1616 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
1617 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
1620 bc = tvb_length_remaining(tvb, offset);
1621 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-network-open-info subtree and hands the remaining byte count
 * `bc` to the shared SMB helper dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(); its
 * return value becomes the new offset. */
1627 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1629 proto_item *item = NULL;
1630 proto_tree *tree = NULL;
1635 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
1636 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
1640 bc = tvb_length_remaining(tvb, offset);
1641 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Adds the file-attribute-tag-info subtree and hands the remaining byte count
 * `bc` to the shared SMB helper dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(); its
 * return value becomes the new offset. */
1647 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1649 proto_item *item = NULL;
1650 proto_tree *tree = NULL;
1655 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
1656 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
1660 bc = tvb_length_remaining(tvb, offset);
1661 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Display strings for the delete-on-close disposition bit: the first string
 * is shown when the bit is set, the second when it is clear. */
1666 static const true_false_string tfs_disposition_delete_on_close = {
1667 "DELETE this file when closed",
1668 "Normal access, do not delete on close"
/* Adds the file-disposition-info subtree and shows its single byte as the
 * delete-on-close flag. */
1672 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1674 proto_item *item = NULL;
1675 proto_tree *tree = NULL;
1678 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
1679 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
1682 /* file disposition */
1683 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* Dissects file info class 0x0f as a sequence of extended-attribute (EA)
 * entries. Each entry is read as: next-entry offset (4 bytes, little endian),
 * flags (1 byte), name length (1 byte), data length (1 byte), one byte shown
 * as unknown, the name, a separator byte, then the data. Name and data are
 * both rendered as strings and summarised as "name := data" on the entry.
 *
 * NOTE(review): next_offset, ea_name_len and ea_data_len all come from the
 * packet, and the walk advances by them. The loop statement and the body of
 * the `next_offset>256` branch are not visible here; confirm that the walk
 * stops on a zero or oversized next_offset. A next_offset smaller than the
 * bytes just consumed makes consecutive entries overlap; reads stay bounded by
 * the tvb accessors, but the tree can then show the same bytes more than once.
 * NOTE(review): if this class is FileFullEaInformation, MS-FSCC defines the EA
 * value length as a 16-bit field; only one byte is read here and the next is
 * shown as unknown, so values longer than 255 bytes would be mis-parsed.
 * Confirm against the specification. */
1689 dissect_smb2_file_info_0f(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1691 proto_item *item = NULL;
1692 proto_tree *tree = NULL;
1693 guint32 next_offset;
1694 guint8 ea_name_len, ea_data_len;
1697 item = proto_tree_add_item(parent_tree, hf_smb2_file_info_0f, tvb, offset, -1, ENC_NA);
1698 tree = proto_item_add_subtree(item, ett_smb2_file_info_0f);
1703 const char *name = "";
1704 const char *data = "";
/* remember where this entry starts; next_offset is relative to it */
1706 int start_offset = offset;
1707 proto_item *ea_item = NULL;
1708 proto_tree *ea_tree = NULL;
1711 ea_item = proto_tree_add_text(tree, tvb, offset, -1, "EA:");
1712 ea_tree = proto_item_add_subtree(ea_item, ett_smb2_ea);
1716 next_offset = tvb_get_letohl(tvb, offset);
1717 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1721 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1724 /* EA Name Length */
1725 ea_name_len = tvb_get_guint8(tvb, offset);
1726 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1729 /* EA Data Length */
1730 ea_data_len = tvb_get_guint8(tvb, offset);
1731 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1734 /* some unknown bytes */
1735 proto_tree_add_item(ea_tree, hf_smb2_unknown, tvb, offset, 1, ENC_NA);
1739 length = ea_name_len;
1741 bc = tvb_length_remaining(tvb, offset);
1742 name = get_unicode_or_ascii_string(tvb, &offset,
1743 FALSE, &length, TRUE, TRUE, &bc);
1745 proto_tree_add_string(ea_tree, hf_smb2_ea_name, tvb,
1746 offset, length, name);
1749 offset += ea_name_len;
1751 /* separator byte */
1755 length = ea_data_len;
1757 bc = tvb_length_remaining(tvb, offset);
1758 data = get_unicode_or_ascii_string(tvb, &offset,
1759 FALSE, &length, TRUE, TRUE, &bc);
1761 proto_tree_add_string(ea_tree, hf_smb2_ea_data, tvb,
1762 offset, length, data);
1765 offset += ea_data_len;
1769 proto_item_append_text(ea_item, " %s := %s", name, data);
1771 proto_item_set_len(ea_item, offset-start_offset);
/* sanity cap on the packet-supplied distance to the next entry */
1777 if (next_offset>256) {
/* jump to the next entry: an int plus a packet-supplied guint32 */
1781 offset = start_offset+next_offset;
/* Dissects the file-rename-info block: 16 bytes shown as unknown, a 16-bit
 * file-name length, 2 more unknown bytes, the new file name (also appended to
 * the Info column as " NewName:..."), and 4 trailing unknown bytes.
 *
 * NOTE(review): the name length is taken from the packet and passed to
 * get_unicode_or_ascii_string() together with `bc`, the number of bytes left
 * in the tvb; the helper presumably clamps to bc. Confirm there. */
1788 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1790 proto_item *item = NULL;
1791 proto_tree *tree = NULL;
1793 const char *name = "";
1798 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
1799 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
1802 /* some unknown bytes */
1803 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
1806 /* file name length */
1807 length = tvb_get_letohs(tvb, offset);
1808 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1811 /* some unknown bytes */
1812 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
1817 bc = tvb_length_remaining(tvb, offset);
1818 name = get_unicode_or_ascii_string(tvb, &offset,
1819 TRUE, &length, TRUE, TRUE, &bc);
1821 proto_tree_add_string(tree, hf_smb2_filename, tvb,
1822 offset, length, name);
1825 if (check_col(pinfo->cinfo, COL_INFO)) {
1826 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s",
1832 /* some unknown bytes */
1833 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/* Adds the security-info subtree and dissects its content as an NT security
 * descriptor via dissect_nt_sec_desc(), giving it every byte left in the tvb
 * as the descriptor length. The descriptor's internal offsets come from the
 * packet and are validated (or not) inside that helper, not here. */
1840 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1842 proto_item *item = NULL;
1843 proto_tree *tree = NULL;
1846 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
1847 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
1850 /* security descriptor */
1851 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, TRUE, tvb_length_remaining(tvb, offset), NULL);
/* Adds the fs-info class 05 subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfsi_FS_ATTRIBUTE_INFO(); its return value
 * becomes the new offset. */
1857 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1859 proto_item *item = NULL;
1860 proto_tree *tree = NULL;
1864 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
1865 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
1868 bc = tvb_length_remaining(tvb, offset);
1869 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/* Adds the fs-info class 06 subtree and hands the remaining byte count `bc`
 * to dissect_nt_quota(); its return value becomes the new offset. */
1875 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1877 proto_item *item = NULL;
1878 proto_tree *tree = NULL;
1882 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
1883 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
1886 bc = tvb_length_remaining(tvb, offset);
1887 offset = dissect_nt_quota(tvb, tree, offset, &bc);
/* Adds the fs-objectid-info subtree and dissects its content with
 * dissect_smb2_FILE_OBJECTID_BUFFER(), which returns the new offset. */
1893 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1895 proto_item *item = NULL;
1896 proto_tree *tree = NULL;
1899 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
1900 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
1903 /* FILE_OBJECTID_BUFFER */
1904 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* Adds the fs-info class 07 subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfsi_FS_FULL_SIZE_INFO(); its return value
 * becomes the new offset. */
1910 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1912 proto_item *item = NULL;
1913 proto_tree *tree = NULL;
1917 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
1918 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
1921 bc = tvb_length_remaining(tvb, offset);
1922 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/* Adds the fs-info class 01 subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfsi_FS_VOLUME_INFO(); its return value
 * becomes the new offset. */
1928 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1930 proto_item *item = NULL;
1931 proto_tree *tree = NULL;
1935 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
1936 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
1940 bc = tvb_length_remaining(tvb, offset);
1941 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/* Adds the fs-info class 03 subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfsi_FS_SIZE_INFO(); its return value
 * becomes the new offset. */
1947 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1949 proto_item *item = NULL;
1950 proto_tree *tree = NULL;
1954 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
1955 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
1959 bc = tvb_length_remaining(tvb, offset);
1960 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/* Adds the fs-info class 04 subtree and hands the remaining byte count `bc`
 * to the shared SMB helper dissect_qfsi_FS_DEVICE_INFO(); its return value
 * becomes the new offset. */
1966 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1968 proto_item *item = NULL;
1969 proto_tree *tree = NULL;
1973 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
1974 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
1978 bc = tvb_length_remaining(tvb, offset);
1979 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
/* Value-to-name table for the one-byte oplock level field. */
1984 static const value_string oplock_vals[] = {
1985 { 0x00, "No oplock" },
1986 { 0x01, "Level2 oplock" },
1987 { 0x08, "Exclusive oplock" },
1988 { 0x09, "Batch oplock" },
/* Adds the one-byte oplock field at `offset` to `parent_tree`. */
1994 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
1996 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* Dissects the 16-bit little-endian buffer code that starts a command PDU.
 * The value with its lowest bit masked off (& 0xfffe) is shown as the length
 * and written through `length`; the same two bytes are also added as the
 * "dynamic" flag field.
 * NOTE(review): the length reported here is whatever the packet claims;
 * callers should treat it as untrusted and bound it by the tvb. */
2003 dissect_smb2_buffercode(proto_tree *tree, tvbuff_t *tvb, int offset, guint16 *length)
2005 guint16 buffer_code;
2007 /* dissect the first 2 bytes of the command PDU */
2008 buffer_code = tvb_get_letohs(tvb, offset);
2009 proto_tree_add_uint(tree, hf_smb2_buffer_code_len, tvb, offset, 2, buffer_code&0xfffe);
2010 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2014 *length = buffer_code&0xfffe;
/* Bit masks within the 32-bit negotiate capabilities field; the names match
 * the hf_smb2_cap_ booleans added by dissect_smb2_capabilities(). When
 * auditing a capture, a peer that does not advertise NEGPROT_CAP_ENCRYPTION
 * is not offering SMB-level encryption through this field. */
2020 #define NEGPROT_CAP_DFS 0x00000001
2021 #define NEGPROT_CAP_LEASING 0x00000002
2022 #define NEGPROT_CAP_LARGE_MTU 0x00000004
2023 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
2024 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
2025 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
2026 #define NEGPROT_CAP_ENCRYPTION 0x00000040
/* Dissects the 4-byte little-endian capabilities field at `offset`: adds the
 * field itself with a subtree, then one boolean per capability (DFS, leasing,
 * large MTU, multi channel, persistent handles, directory leasing,
 * encryption), each derived from the same 32-bit value. */
2028 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2031 proto_item *item = NULL;
2032 proto_tree *tree = NULL;
2034 cap = tvb_get_letohl(tvb, offset);
2036 item = proto_tree_add_item(parent_tree, hf_smb2_capabilities, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2037 tree = proto_item_add_subtree(item, ett_smb2_capabilities);
2040 proto_tree_add_boolean(tree, hf_smb2_cap_dfs, tvb, offset, 4, cap);
2041 proto_tree_add_boolean(tree, hf_smb2_cap_leasing, tvb, offset, 4, cap);
2042 proto_tree_add_boolean(tree, hf_smb2_cap_large_mtu, tvb, offset, 4, cap);
2043 proto_tree_add_boolean(tree, hf_smb2_cap_multi_channel, tvb, offset, 4, cap);
2044 proto_tree_add_boolean(tree, hf_smb2_cap_persistent_handles, tvb, offset, 4, cap);
2045 proto_tree_add_boolean(tree, hf_smb2_cap_directory_leasing, tvb, offset, 4, cap);
2046 proto_tree_add_boolean(tree, hf_smb2_cap_encryption, tvb, offset, 4, cap);
/* Bit masks of the security mode field: signing required and signing enabled.
 * When reviewing a capture, an exchange where neither peer sets
 * NEGPROT_SIGN_REQ means message signing is not being enforced, which matters
 * when assessing exposure to tampering or relay. */
2055 #define NEGPROT_SIGN_REQ 0x0002
2056 #define NEGPROT_SIGN_ENABLED 0x0001
/* Dissects the one-byte security mode field at `offset`: adds the field with
 * a subtree and the signing-required and signing-enabled booleans, both
 * derived from the same byte. */
2059 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2062 proto_item *item = NULL;
2063 proto_tree *tree = NULL;
2065 sm = tvb_get_guint8(tvb, offset);
2067 item = proto_tree_add_item(parent_tree, hf_smb2_security_mode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2068 tree = proto_item_add_subtree(item, ett_smb2_sec_mode);
2071 proto_tree_add_boolean(tree, hf_smb2_secmode_flags_sign_required, tvb, offset, 1, sm);
2072 proto_tree_add_boolean(tree, hf_smb2_secmode_flags_sign_enabled, tvb, offset, 1, sm);
/* Bit mask of the session setup request flags byte: the request binds an
 * existing session rather than creating a new one (per the name). */
2080 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
/* Dissects the one-byte session setup request flags at `offset`: adds the
 * field with a subtree and the session-binding boolean derived from the same
 * byte. */
2083 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2086 proto_item *item = NULL;
2087 proto_tree *tree = NULL;
2089 sf = tvb_get_guint8(tvb, offset);
2091 item = proto_tree_add_item(parent_tree, hf_smb2_ses_req_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2092 tree = proto_item_add_subtree(item, ett_smb2_ses_req_flags);
2094 proto_tree_add_boolean(tree, hf_smb2_ses_req_flags_session_binding, tvb, offset, 1, sf);
/* Bit masks of the 16-bit session flags field. A set guest or null bit means
 * the session was established as guest or anonymous respectively, which is
 * worth filtering on when auditing which sessions were actually
 * authenticated. */
2101 #define SES_FLAGS_GUEST 0x0001
2102 #define SES_FLAGS_NULL 0x0002
/* Dissects the 2-byte little-endian session flags at `offset`: adds the field
 * with a subtree and the null-session and guest-session booleans, both
 * derived from the same 16-bit value. */
2105 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2108 proto_item *item = NULL;
2109 proto_tree *tree = NULL;
2111 sf = tvb_get_letohs(tvb, offset);
2113 item = proto_tree_add_item(parent_tree, hf_smb2_session_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2114 tree = proto_item_add_subtree(item, ett_smb2_ses_flags);
2117 proto_tree_add_boolean(tree, hf_smb2_ses_flags_null, tvb, offset, 2, sf);
2118 proto_tree_add_boolean(tree, hf_smb2_ses_flags_guest, tvb, offset, 2, sf);
/*
 * Offline-caching policy values carried inside the ShareFlags field.
 * All four values fit in the two bits 0x00000030, so they form a small
 * enumeration rather than independent flags.
 */
2126 #define SHARE_FLAGS_manual_caching 0x00000000
2127 #define SHARE_FLAGS_auto_caching 0x00000010
2128 #define SHARE_FLAGS_vdo_caching 0x00000020
2129 #define SHARE_FLAGS_no_caching 0x00000030
/* Display names for the caching-policy values, used with val_to_str(). */
2131 static const value_string share_cache_vals[] = {
2132 { SHARE_FLAGS_manual_caching, "Manual caching" },
2133 { SHARE_FLAGS_auto_caching, "Auto caching" },
2134 { SHARE_FLAGS_vdo_caching, "VDO caching" },
2135 { SHARE_FLAGS_no_caching, "No caching" },
/* Individual ShareFlags bits (the caching policy bits are defined above). */
2139 #define SHARE_FLAGS_dfs 0x00000001
2140 #define SHARE_FLAGS_dfs_root 0x00000002
2141 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
2142 #define SHARE_FLAGS_force_shared_delete 0x00000200
2143 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
2144 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
2145 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
2146 #define SHARE_FLAGS_enable_hash_v1 0x00002000
2147 #define SHARE_FLAGS_enable_hash_v2 0x00004000
2148 #define SHARE_FLAGS_encryption_required 0x00008000
/*
 * Dissect the four-byte, little-endian ShareFlags field at `offset`.
 *
 * The flag bits listed in sf_fields are added with proto_tree_add_bitmask()
 * under hf_smb2_share_flags, then the 32-bit value is read again and shown
 * as "Caching policy: <name> (<hex>)" using share_cache_vals.
 * Callers assign the result back to `offset`; the return statement is not
 * visible in this listing.
 *
 * NOTE(review): share_cache_vals only matches the values 0x00..0x30, so
 * `cp` presumably gets masked to the caching bits on a line this listing
 * does not show -- confirm, otherwise any share with another flag set is
 * reported as "Unknown".
 * The encrypt_data field (SHARE_FLAGS_encryption_required) tells an analyst
 * whether the server demands encrypted access to this share.
 */
2151 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
2153 static const int *sf_fields[] = {
2154 &hf_smb2_share_flags_dfs,
2155 &hf_smb2_share_flags_dfs_root,
2156 &hf_smb2_share_flags_restrict_exclusive_opens,
2157 &hf_smb2_share_flags_force_shared_delete,
2158 &hf_smb2_share_flags_allow_namespace_caching,
2159 &hf_smb2_share_flags_access_based_dir_enum,
2160 &hf_smb2_share_flags_force_levelii_oplock,
2161 &hf_smb2_share_flags_enable_hash_v1,
2162 &hf_smb2_share_flags_enable_hash_v2,
2163 &hf_smb2_share_flags_encrypt_data,
2169 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
2171 cp = tvb_get_letohl(tvb, offset);
2173 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
/* Share capability bits returned in a TREE_CONNECT response. */
2181 #define SHARE_CAPS_DFS 0x00000008
2182 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
2183 #define SHARE_CAPS_SCALEOUT 0x00000020
2184 #define SHARE_CAPS_CLUSTER 0x00000040
/*
 * Dissect the little-endian share Capabilities field at `offset`.
 *
 * The bits listed in sc_fields are added with proto_tree_add_bitmask()
 * under hf_smb2_share_caps in the ett_smb2_share_caps subtree.
 * Callers assign the result back to `offset`; the return statement is not
 * visible in this listing.
 */
2187 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
2189 static const int *sc_fields[] = {
2190 &hf_smb2_share_caps_dfs,
2191 &hf_smb2_share_caps_continuous_availability,
2192 &hf_smb2_share_caps_scaleout,
2193 &hf_smb2_share_caps_cluster,
2197 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
/*
 * Dissect a security blob carried in its own tvb.
 *
 * A blob of at least 7 bytes that starts with the literal "NTLMSSP" is
 * handed to the NTLMSSP dissector; the GSS-API dissector is called for the
 * other case (the branch line between the two calls is not visible in this
 * listing, presumably an else).
 *
 * The length test comes first so the 7-byte comparison is never made
 * against a shorter blob.  The blob content is whatever the peer sent, so
 * both sub-dissectors run on untrusted bytes.
 */
2205 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
2207 if ((tvb_length(tvb)>=7)
2208 && (!tvb_memeql(tvb, 0, "NTLMSSP", 7))) {
2209 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
2211 call_dissector(gssapi_handle, tvb, pinfo, tree);
/*
 * Dissect an SMB2 SESSION_SETUP request and, on the first pass over the
 * frame, record the session that is being authenticated.
 *
 * A listener for the "ntlmssp" tap is registered once (ntlmssp_tap_id is
 * static) so that the NTLMSSP headers produced while the security blob is
 * dissected can be fetched afterwards with fetch_tapped_data().
 *
 * For every tapped NTLMSSP_AUTH message a smb2_sesid_info_t is allocated
 * with se_alloc(), filled with the session id, copies of the account,
 * domain and host names, the destination port and the frame number, and
 * inserted into si->conv->sesids.  When the NTLMSSP session key is not all
 * zeros the server and client decryption keys are derived from it with
 * smb2_key_derivation(); the two memset() calls clear both key buffers
 * (presumably the else branch -- that line is not visible in this listing).
 *
 * NOTE(review): si->conv is dereferenced without a NULL check in the
 * visible lines; confirm the caller always sets it.
 * NOTE(review): acct_name, domain_name and host_name come from the tapped
 * NTLMSSP message, i.e. from the capture, and should be treated as
 * untrusted text wherever they are displayed or exported.
 * NOTE(review): the derived decryption keys live in se_alloc() memory for
 * as long as that allocation lasts, and sesid->tids is created with
 * g_hash_table_new(); no matching destroy is visible here -- confirm where
 * it is released.
 */
2216 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2218 offset_length_buffer_t s_olb;
2219 const ntlmssp_header_t *ntlmssph;
2220 static int ntlmssp_tap_id = 0;
2223 if (!ntlmssp_tap_id) {
2224 GString *error_string;
2225 /* We dont specify any callbacks at all.
2226 * Instead we manually fetch the tapped data after the
2227 * security blob has been fully dissected and before
2228 * we exit from this dissector.
2230 error_string = register_tap_listener("ntlmssp", NULL, NULL,
2231 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL);
2232 if (!error_string) {
2233 ntlmssp_tap_id = find_tap_id("ntlmssp");
2235 g_string_free(error_string, TRUE);
2241 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2242 /* some unknown bytes */
2245 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
2248 offset = dissect_smb2_secmode(tree, tvb, offset);
2251 offset = dissect_smb2_capabilities(tree, tvb, offset);
2254 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2257 /* security blob offset/length */
2258 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2260 /* previous session id */
2261 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2265 /* the security blob itself */
2266 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2268 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
2270 /* If we have found a uid->acct_name mapping, store it */
2271 if (!pinfo->fd->flags.visited) {
2273 while ((ntlmssph = fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
2274 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
2275 static const gint8 zeros[NTLMSSP_KEY_LEN];
2276 smb2_sesid_info_t *sesid;
2277 sesid = se_alloc(sizeof(smb2_sesid_info_t));
2278 sesid->sesid = si->sesid;
2279 sesid->acct_name = se_strdup(ntlmssph->acct_name);
2280 sesid->domain_name = se_strdup(ntlmssph->domain_name);
2281 sesid->host_name = se_strdup(ntlmssph->host_name);
2282 if (memcmp(ntlmssph->session_key, zeros, NTLMSSP_KEY_LEN) != 0) {
2283 smb2_key_derivation(ntlmssph->session_key,
2287 sesid->server_decryption_key);
2288 smb2_key_derivation(ntlmssph->session_key,
2292 sesid->client_decryption_key);
2294 memset(sesid->server_decryption_key, 0,
2295 sizeof(sesid->server_decryption_key));
2296 memset(sesid->client_decryption_key, 0,
2297 sizeof(sesid->client_decryption_key));
2299 sesid->server_port = pinfo->destport;
2300 sesid->auth_frame = pinfo->fd->num;
2301 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
2302 g_hash_table_insert(si->conv->sesids, sesid, sesid);
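/*
 * Dissect the body of an SMB2 ERROR response: the buffer code, two
 * reserved bytes, the four-byte ByteCount and then ByteCount bytes of
 * ErrorData (one byte when ByteCount is zero).
 *
 * ByteCount is read little-endian, the same byte order used when the field
 * is added to the tree on the following line.  A big-endian read would turn
 * a count of 8 into 0x08000000, so the ErrorData item would be given a
 * length that does not match the packet.
 *
 * NOTE(review): byte_count is taken straight from the packet and is then
 * used as an item length and added to `offset`.  Its declaration is not
 * visible in this listing; if it is a signed type, a value with the top
 * bit set becomes negative -- confirm the type and consider rejecting
 * counts larger than the bytes remaining in the tvb.
 */
2311 dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2316 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2319 /* Reserved (2 bytes) */
2320 proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2323 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
2324 byte_count = tvb_get_letohl(tvb, offset);
2325 proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2328 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
2329 that is one byte in length */
2330 if (byte_count == 0) byte_count = 1;
2332 /* ErrorData (variable): A variable-length data field that contains extended
2333 error information.*/
2334 proto_tree_add_item(tree, hf_smb2_error_data, tvb, offset, byte_count, ENC_NA);
2335 offset += byte_count;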
/*
 * Dissect an SMB2 SESSION_SETUP response: buffer code, session flags, the
 * offset/length of the security blob and then the blob itself through
 * dissect_smb2_secblob().
 *
 * Unlike the other response dissectors in this file it does not switch to
 * dissect_smb2_error_response() on a non-zero status; a multi-leg
 * authentication legitimately returns a non-success status together with a
 * security blob.
 * NOTE(review): `si` is marked _U_ in the signature but is passed on to
 * dissect_smb2_olb_buffer().
 */
2341 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2343 offset_length_buffer_t s_olb;
2345 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
2348 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2351 offset = dissect_smb2_ses_flags(tree, tvb, offset);
2353 /* security blob offset/length */
2354 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2356 /* the security blob itself */
2357 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2359 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/*
 * Dissect an SMB2 TREE_CONNECT request: buffer code, the offset/length of
 * the tree (share path) and the path itself as a Unicode string.
 *
 * On the first pass, when si->saved exists and a non-empty path was
 * decoded, a copy of the path is stored in si->saved->extra_info (tagged
 * SMB2_EI_TREENAME) so the matching response can attach it to the tree id.
 * The copy is made with g_snprintf() into an se_alloc() buffer of
 * olb.len+1 bytes, so it is bounded by the buffer size.  The path is also
 * appended to the Info column through a "%s" format, never used as the
 * format string itself.
 *
 * NOTE(review): olb.len and the path bytes come from the packet.  Whether
 * the col_append_fstr() call is guarded against buf being NULL is not
 * visible in this listing -- confirm.
 * NOTE(review): `si` is marked _U_ in the signature but is used.
 */
2365 dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2367 offset_length_buffer_t olb;
2371 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2376 /* tree offset/length */
2377 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);
2380 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
2382 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
2384 /* treelen +1 is overkill here if the string is unicode,
2385 * but who ever has more than a handful of TCON in a trace anyways
2387 if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
2388 si->saved->extra_info_type = SMB2_EI_TREENAME;
2389 si->saved->extra_info = se_alloc(olb.len+1);
2390 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
2393 if (check_col(pinfo->cinfo, COL_INFO)) {
2394 col_append_fstr(pinfo->cinfo, COL_INFO, " Tree: %s", buf);
/*
 * Dissect an SMB2 TREE_CONNECT response.
 *
 * A non-zero status is handed to dissect_smb2_error_response().  Otherwise
 * the buffer code, share type, share flags, share capabilities and an
 * access mask are dissected.
 *
 * On the first pass, when the request saved a tree name
 * (SMB2_EI_TREENAME) and the session is known, a smb2_tid_info_t is
 * allocated with se_alloc(), given the saved name, this frame number and
 * the share type, and inserted into si->session->tids.  An existing entry
 * found for the same tid is removed from the table (the guard around the
 * remove call is not visible in this listing).  tid->name takes over the
 * pointer held in si->saved->extra_info, which is then cleared.
 *
 * NOTE(review): share_type is read with tvb_get_letohs() (two bytes) while
 * the field is added with a length of one byte and the comment says the
 * next byte is reserved.  A non-zero reserved byte would end up in the
 * value unless the destination type truncates it -- confirm; a one-byte
 * read would match the field.
 * NOTE(review): `si` is marked _U_ in the signature but is used.
 */
2401 dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2405 switch (si->status) {
2406 case 0x00000000: break;
2407 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2411 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2414 share_type = tvb_get_letohs(tvb, offset);
2415 proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2416 /* Next byte is reserved and must be set to zero */
2419 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
2420 smb2_tid_info_t *tid, tid_key;
2422 tid_key.tid = si->tid;
2423 tid = g_hash_table_lookup(si->session->tids, &tid_key);
2425 g_hash_table_remove(si->session->tids, &tid_key);
2427 tid = se_alloc(sizeof(smb2_tid_info_t));
2429 tid->name = (char *)si->saved->extra_info;
2430 tid->connect_frame = pinfo->fd->num;
2431 tid->share_type = share_type;
2433 g_hash_table_insert(si->session->tids, tid, tid);
2435 si->saved->extra_info_type = SMB2_EI_NONE;
2436 si->saved->extra_info = NULL;
2440 offset = dissect_smb2_share_flags(tree, tvb, offset);
2442 /* share capabilities */
2443 offset = dissect_smb2_share_caps(tree, tvb, offset);
2445 /* this is some sort of access mask */
2446 offset = dissect_smb_access_mask(tvb, tree, offset);
/*
 * Dissect an SMB2 TREE_DISCONNECT request.  Only the buffer code is
 * dissected in the lines visible in this listing.
 */
2452 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2455 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/*
 * Dissect an SMB2 TREE_DISCONNECT response.  A non-zero status is handed
 * to dissect_smb2_error_response(); on success the buffer code is
 * dissected.
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used.
 */
2464 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2466 switch (si->status) {
2467 case 0x00000000: break;
2468 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2472 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/*
 * Dissect an SMB2 LOGOFF request: the buffer code followed by reserved
 * bytes (the handling of the reserved bytes is not visible in this
 * listing).
 */
2481 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2484 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2486 /* reserved bytes */
/*
 * Dissect an SMB2 LOGOFF response.  A non-zero status is handed to
 * dissect_smb2_error_response(); on success the buffer code is dissected,
 * followed by reserved bytes (their handling is not visible in this
 * listing).
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used.
 */
2493 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2495 switch (si->status) {
2496 case 0x00000000: break;
2497 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2501 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2503 /* reserved bytes */
/*
 * Dissect an SMB2 keepalive (ECHO) request: the buffer code followed by
 * two bytes that are shown as hf_smb2_unknown.
 */
2510 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2513 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2515 /* some unknown bytes */
2516 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 keepalive (ECHO) response.  A non-zero status is handed
 * to dissect_smb2_error_response(); on success the buffer code is
 * dissected, followed by two bytes shown as hf_smb2_unknown.
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used.
 */
2523 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2525 switch (si->status) {
2526 case 0x00000000: break;
2527 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2531 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2533 /* some unknown bytes */
2534 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 CHANGE_NOTIFY request: buffer code, the two-byte notify
 * flags (with the watch-tree flag in the ett_smb2_notify_flags subtree),
 * the four-byte output buffer length, the file id (FID_MODE_USE) and the
 * completion filter.
 */
2541 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2543 proto_tree *flags_tree = NULL;
2544 proto_item *flags_item = NULL;
2547 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2551 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2552 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
2554 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2557 /* output buffer length */
2558 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2562 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
2564 /* completion filter */
2565 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
/*
 * Callback for the CHANGE_NOTIFY output buffer: the whole tvb is added as
 * a single hf_smb2_unknown item; the notify records are not decoded.
 */
2574 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
2576 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/*
 * Dissect an SMB2 CHANGE_NOTIFY response.  A non-zero status is handed to
 * dissect_smb2_error_response(); on success the buffer code and the
 * offset/length of the output buffer are dissected and the buffer is passed
 * to dissect_smb2_notify_data_out().
 * NOTE(review): pinfo is marked _U_ in the signature but is used.
 */
2580 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
2582 offset_length_buffer_t olb;
2584 switch (si->status) {
2585 case 0x00000000: break;
2586 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2590 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2592 /* out buffer offset/length */
2593 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
2596 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
2597 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* Flag bits of the FIND (QUERY_DIRECTORY) request. */
2602 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
2603 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
2604 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
2605 #define SMB2_FIND_FLAG_REOPEN 0x10
/*
 * Dissect an SMB2 FIND request: buffer code, the one-byte info level, the
 * find flags, the file index, the file id, the offset/length of the search
 * pattern, the output buffer length and the pattern itself as a Unicode
 * string.
 *
 * The info level is stored in si->saved->infolevel so the response can pick
 * the matching directory-entry dissector.  On the first pass, when a
 * non-empty pattern is present, a copy of the pattern is stored in
 * si->saved->extra_info (tagged SMB2_EI_FINDPATTERN) using g_snprintf()
 * into a g_malloc() buffer of olb.len+1 bytes.
 *
 * NOTE(review): the store to si->saved->infolevel has no NULL check in the
 * visible lines, while the later block does test si->saved -- confirm a
 * guard exists on the line this listing omits.
 * NOTE(review): the pattern copy is heap memory from g_malloc(); the only
 * g_free() visible in this file section is in the find response, so a
 * request whose response is never captured presumably keeps the buffer
 * allocated -- confirm.  The tree connect path uses se_alloc() instead.
 * NOTE(review): unlike the tree connect request, the condition before the
 * copy does not test buf for NULL.
 */
2608 dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2610 offset_length_buffer_t olb;
2613 static const int *f_fields[] = {
2614 &hf_smb2_find_flags_restart_scans,
2615 &hf_smb2_find_flags_single_entry,
2616 &hf_smb2_find_flags_index_specified,
2617 &hf_smb2_find_flags_reopen,
2622 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2624 il = tvb_get_guint8(tvb, offset);
2626 si->saved->infolevel = il;
2630 proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
2634 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
2638 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2642 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
2644 /* search pattern offset/length */
2645 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);
2647 /* output buffer length */
2648 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2651 /* search pattern */
2652 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
2654 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
2656 if (!pinfo->fd->flags.visited && si->saved && olb.len) {
2657 si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
2658 si->saved->extra_info = g_malloc(olb.len+1);
2659 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
2662 if (check_col(pinfo->cinfo, COL_INFO)) {
2663 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
2664 val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
/*
 * Dissect a chain of FileDirectoryInformation entries from a FIND response
 * buffer.
 *
 * While more than 4 bytes remain, one entry is added under parent_tree:
 * next-entry offset, file index, four 64-bit timestamps, end of file,
 * allocation size, file attributes, the file name length and, when it is
 * non-zero, the file name (also appended to the entry's label).
 * The chain is followed by setting offset to old_offset + next_offset; a
 * next_offset of zero is tested for (the statement in that branch is not
 * visible in this listing, presumably it ends the loop).
 *
 * NOTE(review): next_offset and file_name_len are 32-bit values taken from
 * the packet.  The `offset < old_offset` test reports a chain that wraps
 * or goes backwards as malformed, which is what keeps a crafted
 * next_offset from looping; the declared types of these variables are not
 * visible here -- confirm the comparison behaves as intended for values
 * with the top bit set.
 */
2671 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2674 proto_item *item = NULL;
2675 proto_tree *tree = NULL;
2676 const char *name = NULL;
2679 while (tvb_length_remaining(tvb, offset) > 4) {
2680 int old_offset = offset;
2685 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
2686 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
2690 next_offset = tvb_get_letohl(tvb, offset);
2691 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2695 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2699 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2702 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2705 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2708 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2711 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2714 /* allocation size */
2715 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2718 /* File Attributes */
2719 offset = dissect_file_ext_attr(tvb, tree, offset);
2721 /* file name length */
2722 file_name_len = tvb_get_letohl(tvb, offset);
2723 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2727 if (file_name_len) {
2729 name = get_unicode_or_ascii_string(tvb, &offset,
2730 TRUE, &file_name_len, TRUE, TRUE, &bc);
2732 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2733 offset, file_name_len, name);
2734 proto_item_append_text(item, ": %s", name);
2739 proto_item_set_len(item, offset-old_offset);
2741 if (next_offset == 0) {
2745 offset = old_offset+next_offset;
2746 if (offset < old_offset) {
2747 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
2748 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of FileFullDirectoryInformation entries from a FIND
 * response buffer.
 *
 * Each entry carries the next-entry offset, file index, four 64-bit
 * timestamps, end of file, allocation size, file attributes, the file name
 * length, the EA size and, when the length is non-zero, the file name
 * (also appended to the entry's label).  The loop runs while more than 4
 * bytes remain and moves on by setting offset to old_offset + next_offset;
 * a next_offset of zero is tested for (the statement in that branch is not
 * visible in this listing, presumably it ends the loop).
 *
 * NOTE(review): next_offset and file_name_len are 32-bit values taken from
 * the packet.  The `offset < old_offset` test reports a chain that wraps
 * or goes backwards as malformed; the declared types of these variables
 * are not visible here -- confirm the comparison behaves as intended for
 * values with the top bit set.
 */
2754 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2757 proto_item *item = NULL;
2758 proto_tree *tree = NULL;
2759 const char *name = NULL;
2762 while (tvb_length_remaining(tvb, offset) > 4) {
2763 int old_offset = offset;
2768 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
2769 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
2773 next_offset = tvb_get_letohl(tvb, offset);
2774 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2778 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2782 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2785 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2788 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2791 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2794 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2797 /* allocation size */
2798 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2801 /* File Attributes */
2802 offset = dissect_file_ext_attr(tvb, tree, offset);
2804 /* file name length */
2805 file_name_len = tvb_get_letohl(tvb, offset);
2806 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2810 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2814 if (file_name_len) {
2816 name = get_unicode_or_ascii_string(tvb, &offset,
2817 TRUE, &file_name_len, TRUE, TRUE, &bc);
2819 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2820 offset, file_name_len, name);
2821 proto_item_append_text(item, ": %s", name);
2826 proto_item_set_len(item, offset-old_offset);
2828 if (next_offset == 0) {
2832 offset = old_offset+next_offset;
2833 if (offset < old_offset) {
2834 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
2835 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of FileBothDirectoryInformation entries from a FIND
 * response buffer.
 *
 * Each entry carries the next-entry offset, file index, four 64-bit
 * timestamps, end of file, allocation size, file attributes, the file name
 * length, the EA size, a one-byte short name length, the short name and the
 * file name (the file name is also appended to the entry's label).  The
 * loop runs while more than 4 bytes remain and moves on by setting offset
 * to old_offset + next_offset; a next_offset of zero is tested for (the
 * statement in that branch is not visible in this listing, presumably it
 * ends the loop).
 *
 * NOTE(review): next_offset, file_name_len and short_name_len are taken
 * from the packet.  The `offset < old_offset` test reports a chain that
 * wraps or goes backwards as malformed; the declared types of these
 * variables are not visible here -- confirm the comparison behaves as
 * intended for values with the top bit set.
 */
2841 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2844 proto_item *item = NULL;
2845 proto_tree *tree = NULL;
2846 const char *name = NULL;
2849 while (tvb_length_remaining(tvb, offset) > 4) {
2850 int old_offset = offset;
2856 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
2857 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
2861 next_offset = tvb_get_letohl(tvb, offset);
2862 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2866 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2870 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2873 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2876 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2879 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2882 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2885 /* allocation size */
2886 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2889 /* File Attributes */
2890 offset = dissect_file_ext_attr(tvb, tree, offset);
2892 /* file name length */
2893 file_name_len = tvb_get_letohl(tvb, offset);
2894 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2898 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2901 /* short name length */
2902 short_name_len = tvb_get_guint8(tvb, offset);
2903 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2910 if (short_name_len) {
2911 bc = short_name_len;
2912 name = get_unicode_or_ascii_string(tvb, &offset,
2913 TRUE, &short_name_len, TRUE, TRUE, &bc);
2915 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
2916 offset, short_name_len, name);
2922 if (file_name_len) {
2924 name = get_unicode_or_ascii_string(tvb, &offset,
2925 TRUE, &file_name_len, TRUE, TRUE, &bc);
2927 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2928 offset, file_name_len, name);
2929 proto_item_append_text(item, ": %s", name);
2934 proto_item_set_len(item, offset-old_offset);
2936 if (next_offset == 0) {
2940 offset = old_offset+next_offset;
2941 if (offset < old_offset) {
2942 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
2943 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of FileNamesInformation entries from a FIND response
 * buffer.
 *
 * Each entry carries the next-entry offset, file index, the file name
 * length and, when it is non-zero, the file name (also appended to the
 * entry's label).  The loop runs while more than 4 bytes remain and moves
 * on by setting offset to old_offset + next_offset; a next_offset of zero
 * is tested for (the statement in that branch is not visible in this
 * listing, presumably it ends the loop).
 *
 * NOTE(review): the entry item and subtree use hf_smb2_both_directory_info
 * and ett_smb2_both_directory_info, the same identifiers as
 * dissect_smb2_both_directory_info(), so name-only entries are labelled and
 * filtered as "both directory info" -- confirm whether a dedicated field
 * was intended.
 * NOTE(review): next_offset and file_name_len are 32-bit values taken from
 * the packet.  The `offset < old_offset` test reports a chain that wraps
 * or goes backwards as malformed; the declared types of these variables
 * are not visible here.
 */
2949 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2952 proto_item *item = NULL;
2953 proto_tree *tree = NULL;
2954 const char *name = NULL;
2957 while (tvb_length_remaining(tvb, offset) > 4) {
2958 int old_offset = offset;
2963 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
2964 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
2968 next_offset = tvb_get_letohl(tvb, offset);
2969 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2973 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2976 /* file name length */
2977 file_name_len = tvb_get_letohl(tvb, offset);
2978 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2982 if (file_name_len) {
2984 name = get_unicode_or_ascii_string(tvb, &offset,
2985 TRUE, &file_name_len, TRUE, TRUE, &bc);
2987 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2988 offset, file_name_len, name);
2989 proto_item_append_text(item, ": %s", name);
2994 proto_item_set_len(item, offset-old_offset);
2996 if (next_offset == 0) {
3000 offset = old_offset+next_offset;
3001 if (offset < old_offset) {
3002 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3003 "Invalid offset/length. Malformed packet");
/*
 * Dissect a chain of FileIdBothDirectoryInformation entries from a FIND
 * response buffer.
 *
 * Each entry carries the next-entry offset, file index, four 64-bit
 * timestamps, end of file, allocation size, file attributes, the file name
 * length, the EA size, a one-byte short name length, the short name, an
 * eight-byte file id and the file name (the file name is also appended to
 * the entry's label).  The loop runs while more than 4 bytes remain and
 * moves on by setting offset to old_offset + next_offset; a next_offset of
 * zero is tested for (the statement in that branch is not visible in this
 * listing, presumably it ends the loop).
 *
 * NOTE(review): next_offset, file_name_len and short_name_len are taken
 * from the packet.  The `offset < old_offset` test reports a chain that
 * wraps or goes backwards as malformed; the declared types of these
 * variables are not visible here -- confirm the comparison behaves as
 * intended for values with the top bit set.
 */
3009 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3012 proto_item *item = NULL;
3013 proto_tree *tree = NULL;
3014 const char *name = NULL;
3017 while (tvb_length_remaining(tvb, offset) > 4) {
3018 int old_offset = offset;
3024 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
3025 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
3029 next_offset = tvb_get_letohl(tvb, offset);
3030 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3034 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3038 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3041 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3044 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3047 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3050 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3053 /* allocation size */
3054 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3057 /* File Attributes */
3058 offset = dissect_file_ext_attr(tvb, tree, offset);
3060 /* file name length */
3061 file_name_len = tvb_get_letohl(tvb, offset);
3062 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3066 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3069 /* short name length */
3070 short_name_len = tvb_get_guint8(tvb, offset);
3071 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3078 if (short_name_len) {
3079 bc = short_name_len;
3080 name = get_unicode_or_ascii_string(tvb, &offset,
3081 TRUE, &short_name_len, TRUE, TRUE, &bc);
3083 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3084 offset, short_name_len, name);
3093 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3097 if (file_name_len) {
3099 name = get_unicode_or_ascii_string(tvb, &offset,
3100 TRUE, &file_name_len, TRUE, TRUE, &bc);
3102 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3103 offset, file_name_len, name);
3104 proto_item_append_text(item, ": %s", name);
3109 proto_item_set_len(item, offset-old_offset);
3111 if (next_offset == 0) {
3115 offset = old_offset+next_offset;
3116 if (offset < old_offset) {
3117 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3118 "Invalid offset/length. Malformed packet");
/*
 * One row of the FIND dispatch table: an info level paired with the
 * function that decodes directory entries of that level.  dissect_smb2_find_data()
 * reads the members as `level` and `dissector`; the `level` member line is
 * not visible in this listing.
 */
3125 typedef struct _smb2_find_dissector_t {
3127 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
3128 } smb2_find_dissector_t;
/*
 * Dispatch table used by dissect_smb2_find_data().  That function walks the
 * table until it reaches a row whose dissector pointer is NULL, so the
 * table has to end with such a row (not visible in this listing).
 * NOTE(review): the table is declared without static or const in the
 * visible line, which leaves a writable table of function pointers with
 * external linkage -- confirm nothing outside this file needs it.
 */
3130 smb2_find_dissector_t smb2_find_dissectors[] = {
3131 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
3132 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
3133 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
3134 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
3135 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
/*
 * Callback for the FIND response buffer: pick the directory-entry dissector
 * that matches the info level saved from the request.
 *
 * smb2_find_dissectors is walked until a row with a NULL dissector; when a
 * row's level equals si->saved->infolevel its dissector is called on the
 * buffer.  The final proto_tree_add_item() adds the whole buffer as
 * hf_smb2_unknown (presumably only reached when no row matched; the control
 * flow between the two is not visible in this listing).
 *
 * NOTE(review): the condition tests si->saved twice; the second test is
 * redundant.
 * The info level comes from the request stored in si->saved, not from the
 * response, so a response is decoded according to what the client asked
 * for.
 */
3140 dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
3142 smb2_find_dissector_t *dis = smb2_find_dissectors;
3144 while (dis->dissector) {
3145 if (si && si->saved && si->saved) {
3146 if (dis->level ==si->saved->infolevel) {
3147 dis->dissector(tvb, pinfo, tree, si);
3154 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/*
 * Dissect an SMB2 FIND response.
 *
 * The info level saved from the request is added as a generated item.  On
 * the first pass, when the request saved a search pattern
 * (SMB2_EI_FINDPATTERN), the level and pattern are appended to the Info
 * column, the pattern buffer is released with g_free() and the saved
 * extra_info is reset.  A non-zero status is then handed to
 * dissect_smb2_error_response(); on success the buffer code and the
 * offset/length of the find buffer are dissected and the buffer is passed
 * to dissect_smb2_find_data().
 *
 * NOTE(review): si->saved->infolevel is read for the generated item before
 * the later `si->saved` test; confirm a guard exists on the line this
 * listing omits.
 * NOTE(review): the saved pattern is printed through a "%s" format and is
 * freed only on this path, so the buffer allocated by the request is
 * released only when its response is dissected.
 * NOTE(review): pinfo and si are marked _U_ in the signature but are used.
 */
3158 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3160 offset_length_buffer_t olb;
3161 proto_item *item = NULL;
3165 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
3166 PROTO_ITEM_SET_GENERATED(item);
3169 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
3170 if (check_col(pinfo->cinfo, COL_INFO)) {
3171 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3172 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
3173 (const char *)si->saved->extra_info);
3176 g_free(si->saved->extra_info);
3177 si->saved->extra_info_type = SMB2_EI_NONE;
3178 si->saved->extra_info = NULL;
3181 switch (si->status) {
3182 case 0x00000000: break;
3183 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3187 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3189 /* findinfo offset */
3190 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
3193 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
3195 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * Dissect an SMB2 NEGOTIATE request: buffer code, the two-byte dialect
 * count, security mode, capabilities, the 16-byte client GUID, the client
 * boot time and then one two-byte dialect item per counted dialect.
 *
 * NOTE(review): the loop bound `dc` is a 16-bit value taken from the
 * packet, so a single request can ask for up to 65535 dialect items.  The
 * loop presumably stops early on a short packet because reading past the
 * end of the tvb raises an exception -- confirm; a cap on dc would bound
 * the work done for a crafted count.
 * For an analyst the dialect list and the security mode in this message
 * show the oldest dialect and the weakest signing setting the client is
 * willing to accept.
 */
3201 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3206 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3209 dc = tvb_get_letohs(tvb, offset);
3210 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3213 /* security mode, skip second byte */
3214 offset = dissect_smb2_secmode(tree, tvb, offset);
3222 offset = dissect_smb2_capabilities(tree, tvb, offset);
3225 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
3228 /* client boot time */
3229 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
3232 for ( ; dc>0; dc--) {
3233 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect an SMB2 NEGOTIATE response.  A non-zero status is handed to
 * dissect_smb2_error_response(); on success the buffer code, security
 * mode, the selected dialect, the 16-byte server GUID, capabilities, the
 * maximum transaction/read/write sizes, the current time, the boot time and
 * the security blob (offset/length, then the blob through
 * dissect_smb2_secblob()) are dissected.
 *
 * For an analyst the selected dialect, the server's security mode and the
 * capabilities (including the encryption bit) in this message are the
 * values the session actually runs with.
 * NOTE(review): `si` is marked _U_ in the signature but is used.
 */
3241 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3243 offset_length_buffer_t s_olb;
3245 switch (si->status) {
3246 case 0x00000000: break;
3247 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3251 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3253 /* security mode, skip second byte */
3254 offset = dissect_smb2_secmode(tree, tvb, offset);
3257 /* dialect picked */
3258 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3265 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
3269 offset = dissect_smb2_capabilities(tree, tvb, offset);
3271 /* max trans size */
3272 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3276 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3279 /* max write size */
3280 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3284 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_current_time);
3288 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
3291 /* security blob offset/length */
3292 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3294 /* the security blob itself */
3295 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3300 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/*
 * Dissect the class-specific parameter area of a GETINFO request, selected
 * by si->saved->class and si->saved->infolevel.
 *
 * For SMB2_CLASS_SEC_INFO / SMB2_SEC_INFO_00 the security information mask
 * at offset+8 is dissected.  In every other visible case 16 bytes are added
 * as hf_smb2_unknown and offset is advanced by the number of bytes
 * remaining in the tvb.
 *
 * NOTE(review): si->saved is dereferenced without a NULL check in the
 * visible lines; confirm the caller guarantees it.
 * NOTE(review): the fallback branches add a fixed 16 bytes regardless of
 * how much data is left, so a shorter request presumably ends in a bounds
 * exception rather than a partial decode -- confirm that is intended.
 */
3306 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
3308 switch (si->saved->class) {
3309 case SMB2_CLASS_FILE_INFO:
3310 switch (si->saved->infolevel) {
3312 /* we dont handle this infolevel yet */
3313 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3314 offset += tvb_length_remaining(tvb, offset);
3317 case SMB2_CLASS_FS_INFO:
3318 switch (si->saved->infolevel) {
3320 /* we dont handle this infolevel yet */
3321 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3322 offset += tvb_length_remaining(tvb, offset);
3325 case SMB2_CLASS_SEC_INFO:
3326 switch (si->saved->infolevel) {
3327 case SMB2_SEC_INFO_00:
3328 dissect_security_information_mask(tvb, tree, offset+8);
3331 /* we dont handle this infolevel yet */
3332 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3333 offset += tvb_length_remaining(tvb, offset);
3337 /* we dont handle this class yet */
3338 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3339 offset += tvb_length_remaining(tvb, offset);
/*
 * Dissect the info class and info level of a GETINFO/SETINFO message.
 *
 * For a response (SMB2_FLAGS_RESPONSE set) both values are taken from
 * si->saved, i.e. from the matching request, and the two items are marked
 * as generated.  For a request they are read as one byte each at offset and
 * offset+1 and stored into si->saved.  The class selects which header field
 * and value_string table describe the level; an unrecognised class falls
 * back to hf_smb2_infolevel with an empty dummy table.  For requests the
 * class and level names are appended to the Info column.
 *
 * NOTE(review): si->saved is read and written here; whether it is checked
 * for NULL is not visible in this listing -- confirm.
 * NOTE(review): because a response is decoded with the class and level
 * remembered from the request, a response whose request was not captured
 * depends entirely on what si->saved holds.
 */
3346 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
3351 static const value_string dummy_value_string[] = {
3354 const value_string *vs;
3356 if (si->flags & SMB2_FLAGS_RESPONSE) {
3360 cl = si->saved->class;
3361 il = si->saved->infolevel;
3363 cl = tvb_get_guint8(tvb, offset);
3364 il = tvb_get_guint8(tvb, offset+1);
3366 si->saved->class = cl;
3367 si->saved->infolevel = il;
3373 case SMB2_CLASS_FILE_INFO:
3374 hfindex = hf_smb2_infolevel_file_info;
3375 vs = smb2_file_info_levels;
3377 case SMB2_CLASS_FS_INFO:
3378 hfindex = hf_smb2_infolevel_fs_info;
3379 vs = smb2_fs_info_levels;
3381 case SMB2_CLASS_SEC_INFO:
3382 hfindex = hf_smb2_infolevel_sec_info;
3383 vs = smb2_sec_info_levels;
3386 hfindex = hf_smb2_infolevel;
3387 vs = dummy_value_string;
3392 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
3393 if (si->flags & SMB2_FLAGS_RESPONSE) {
3394 PROTO_ITEM_SET_GENERATED(item);
3397 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
3398 if (si->flags & SMB2_FLAGS_RESPONSE) {
3399 PROTO_ITEM_SET_GENERATED(item);
3403 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
3404 /* Only update COL_INFO for requests. It clutters the
3405 * display ab bit too much if we do it for replies
3408 if (check_col(pinfo->cinfo, COL_INFO)) {
3409 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
3410 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
3411 val_to_str(il, vs, "(Level:0x%02x)"));
/*
 * Dissect a GetInfo request: buffer code, class/infolevel, the 4-byte
 * maximum response size, the class-specific parameters (or 16 unknown
 * bytes) and finally the file id.
 *
 * NOTE(review): the branch that chooses between the parameter dissector
 * and the "unknown bytes" item is not visible in this listing.
 */
3419 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3422 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3424 /* class and info level */
3425 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
3427 /* max response size */
3428 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3433 dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
3435 /* some unknown bytes */
3436 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3441 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dispatch an info buffer to the dissector for the given class and
 * infolevel. Each handled level calls its dissect_smb2_* routine; an
 * unhandled level or class shows all remaining bytes as hf_smb2_unknown
 * and moves offset to the end of the buffer.
 *
 * When si->status is 0x80000005 (BUFFER_OVERFLOW per the existing comment)
 * a generated "Truncated..." item is added at the starting offset.
 */
3447 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, guint8 class, guint8 infolevel)
/* remembered so the "Truncated..." marker can point at the buffer start */
3449 int old_offset = offset;
3452 case SMB2_CLASS_FILE_INFO:
3453 switch (infolevel) {
3454 case SMB2_FILE_BASIC_INFO:
3455 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
3457 case SMB2_FILE_STANDARD_INFO:
3458 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
3460 case SMB2_FILE_INTERNAL_INFO:
3461 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
3463 case SMB2_FILE_EA_INFO:
3464 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
3466 case SMB2_FILE_ACCESS_INFO:
3467 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
3469 case SMB2_FILE_RENAME_INFO:
3470 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
3472 case SMB2_FILE_DISPOSITION_INFO:
3473 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
3475 case SMB2_FILE_POSITION_INFO:
3476 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
3478 case SMB2_FILE_INFO_0f:
3479 offset = dissect_smb2_file_info_0f(tvb, pinfo, tree, offset, si);
3481 case SMB2_FILE_MODE_INFO:
3482 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
3484 case SMB2_FILE_ALIGNMENT_INFO:
3485 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
3487 case SMB2_FILE_ALL_INFO:
3488 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
3490 case SMB2_FILE_ALLOCATION_INFO:
3491 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
3493 case SMB2_FILE_ENDOFFILE_INFO:
/* NOTE(review): unlike its siblings, this call does not assign its
 * result back to offset - confirm whether that is intended. */
3494 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
3496 case SMB2_FILE_ALTERNATE_NAME_INFO:
3497 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
3499 case SMB2_FILE_STREAM_INFO:
3500 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
3502 case SMB2_FILE_PIPE_INFO:
3503 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
3505 case SMB2_FILE_COMPRESSION_INFO:
3506 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
3508 case SMB2_FILE_NETWORK_OPEN_INFO:
3509 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
3511 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
3512 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
3515 /* we dont handle this infolevel yet */
3516 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3517 offset += tvb_length_remaining(tvb, offset);
3520 case SMB2_CLASS_FS_INFO:
3521 switch (infolevel) {
3522 case SMB2_FS_INFO_01:
3523 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
3525 case SMB2_FS_INFO_03:
3526 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
3528 case SMB2_FS_INFO_04:
3529 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
3531 case SMB2_FS_INFO_05:
3532 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
3534 case SMB2_FS_INFO_06:
3535 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
3537 case SMB2_FS_INFO_07:
3538 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
3540 case SMB2_FS_OBJECTID_INFO:
3541 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
3544 /* we dont handle this infolevel yet */
3545 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3546 offset += tvb_length_remaining(tvb, offset);
3549 case SMB2_CLASS_SEC_INFO:
3550 switch (infolevel) {
3551 case SMB2_SEC_INFO_00:
3552 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
3555 /* we dont handle this infolevel yet */
3556 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3557 offset += tvb_length_remaining(tvb, offset);
3561 /* we dont handle this class yet */
3562 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3563 offset += tvb_length_remaining(tvb, offset);
3566 /* if we get BUFFER_OVERFLOW there will be truncated data */
3567 if (si->status == 0x80000005) {
3569 item = proto_tree_add_text(tree, tvb, old_offset, 0, "Truncated...");
3570 PROTO_ITEM_SET_GENERATED(item);
/*
 * Buffer callback for a GetInfo response: dissect the buffer from offset 0
 * using the class/infolevel saved from the request, or show the whole tvb
 * as unknown bytes.
 *
 * NOTE(review): the condition selecting between the two statements is not
 * visible in this listing; si->saved is dereferenced in the first one.
 */
3576 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
3580 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->class, si->saved->infolevel);
3582 /* some unknown bytes */
3583 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/*
 * Dissect a GetInfo response.
 *
 * The class/infolevel items are added first. si->status then decides what
 * follows: 0x00000000 and 0x80000005 continue to the normal layout (buffer
 * code, offset/length pair, response buffer); the BUFFER_TOO_SMALL case
 * described by the existing comment shows a 4-byte required buffer size;
 * any other status is handed to dissect_smb2_error_response().
 *
 * The response buffer is dissected through dissect_smb2_olb_buffer() with
 * dissect_smb2_getinfo_response_data as the callback.
 */
3590 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
/* offset/length descriptor of the response buffer, filled in from the packet */
3592 offset_length_buffer_t olb;
3594 /* class/infolevel */
3595 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
3597 switch (si->status) {
3598 case 0x00000000: break;
3599 /* if we get BUFFER_OVERFLOW there will be truncated data */
3600 case 0x80000005: break;
3601 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
3602 * a guin32 specifying how big the buffer needs to be
3605 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3606 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
3607 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3611 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3616 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3617 /* response buffer offset and size */
3618 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
3621 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
/*
 * Dissect a Close request: buffer code, the 2-byte close flags (with the
 * hf_smb2_close_pq_attrib bit shown in a subtree) and the file id, which
 * is processed in FID_MODE_CLOSE.
 */
3627 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3629 proto_tree *flags_tree = NULL;
3630 proto_item *flags_item = NULL;
3633 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3637 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3638 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
3640 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3647 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
/*
 * Dissect a Close response. A non-zero si->status is handed to
 * dissect_smb2_error_response(). Otherwise the layout is: buffer code,
 * 2-byte close flags, four NT 64-bit timestamps (create, last access,
 * last write, last change), 8-byte allocation size, 8-byte end of file
 * and the extended file attributes.
 *
 * NOTE(review): pinfo and si carry _U_ (unused) although both are used
 * below; the annotation looks stale.
 */
3653 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3655 proto_tree *flags_tree = NULL;
3656 proto_item *flags_item = NULL;
3658 switch (si->status) {
3659 case 0x00000000: break;
3660 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3664 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3668 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3669 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
3671 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3678 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3681 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3684 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3687 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3689 /* allocation size */
3690 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3694 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3697 /* File Attributes */
3698 offset = dissect_file_ext_attr(tvb, tree, offset);
/*
 * Dissect a Flush request: buffer code, 6 bytes shown as unknown, then the
 * file id (FID_MODE_USE).
 */
3704 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3707 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3709 /* some unknown bytes */
3710 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
3714 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dissect a Flush response. A non-zero si->status is handed to
 * dissect_smb2_error_response(); otherwise the buffer code and 2 unknown
 * bytes are shown.
 *
 * NOTE(review): pinfo and si are marked _U_ but are used below.
 */
3720 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3722 switch (si->status) {
3723 case 0x00000000: break;
3724 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3728 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3730 /* some unknown bytes */
3731 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect a Lock request: buffer code, a 2-byte lock count, the file id,
 * then one 24-byte lock element per count (file offset, length and a
 * flags bitmask built from lf_fields).
 *
 * NOTE(review): lock_count is read from the packet and drives the loop
 * directly. The loop presumably ends early through the tvb bounds checks
 * once the buffer is exhausted - confirm that offset advances on every
 * iteration (the increments are elided in this listing).
 */
3739 dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3744 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* number of lock elements, as claimed by the sender */
3747 lock_count = tvb_get_letohs(tvb, offset);
3748 proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3755 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3757 while (lock_count--) {
3758 proto_item *lock_item = NULL;
3759 proto_tree *lock_tree = NULL;
3760 static const int *lf_fields[] = {
3761 &hf_smb2_lock_flags_shared,
3762 &hf_smb2_lock_flags_exclusive,
3763 &hf_smb2_lock_flags_unlock,
3764 &hf_smb2_lock_flags_fail_immediately,
3769 lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
3770 lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
/* NOTE(review): this item goes to tree while the length and flags below
 * go to lock_tree - confirm whether lock_tree was intended. */
3774 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3778 proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3782 proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
/*
 * Dissect a Lock response. A non-zero si->status is handed to
 * dissect_smb2_error_response(); otherwise the buffer code and 2 unknown
 * bytes are shown.
 *
 * NOTE(review): pinfo and si are marked _U_ but are used below.
 */
3793 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3795 switch (si->status) {
3796 case 0x00000000: break;
3797 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3801 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3803 /* some unknown bytes */
3804 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect a Cancel request: buffer code followed by 2 bytes shown as
 * unknown.
 */
3810 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3813 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3815 /* some unknown bytes */
3816 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Hand datalen bytes of pipe data starting at offset to the heuristic
 * subdissectors registered on smb2_heur_subdissector_list, attaching the
 * result under top_tree. The subset tvb gets a captured length of
 * MIN((int)datalen, bytes remaining) and a reported length of datalen.
 *
 * NOTE(review): datalen is a guint32 that the write-request caller reads
 * from the packet. The (int) cast turns values above INT_MAX negative, and
 * MIN() then selects that negative value as the captured length. Confirm
 * how tvb_new_subset() treats a negative length, or clamp datalen before
 * the cast.
 */
3824 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree)
3826 tvbuff_t *dcerpc_tvb;
3827 dcerpc_tvb = tvb_new_subset(tvb, offset, MIN((int)datalen, tvb_length_remaining(tvb, offset)), datalen);
3829 /* dissect the full PDU */
3830 dissector_try_heuristic(smb2_heur_subdissector_list, dcerpc_tvb, pinfo, top_tree, NULL);
3838 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
/*
 * Dissect a Write request: buffer code, 2-byte data offset, 4-byte write
 * length, 8-byte file offset, file id, channel, remaining bytes, channel
 * info offset/length, write flags, and finally the payload.
 *
 * The payload goes to dissect_file_data_dcerpc() when length is non-zero
 * and the tree connect is a pipe share (SMB2_SHARE_TYPE_PIPE); otherwise
 * it is added as hf_smb2_write_data.
 *
 * NOTE(review): length is a 32-bit value taken from the packet and is used
 * unchanged as the item length and as the pipe data length. The declared
 * type is not visible in this listing; if it is unsigned, the "%d" in the
 * COL_INFO format does not match it.
 */
3841 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3845 static const int *f_fields[] = {
3846 &hf_smb2_write_flags_write_through,
3851 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3854 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* sender-claimed payload length */
3858 length = tvb_get_letohl(tvb, offset);
3859 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3863 off = tvb_get_letoh64(tvb, offset);
3864 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3867 if (check_col(pinfo->cinfo, COL_INFO)) {
3868 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", length, off);
3872 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3875 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3878 /* remaining bytes */
3879 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3882 /* write channel info offset */
3883 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3886 /* write channel info length */
3887 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3891 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
3894 /* data or dcerpc ?*/
3895 if (length && si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE) {
3896 offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
3900 /* just ordinary data */
3901 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
/* advance by the claimed length, capped at what is actually left in the tvb */
3902 offset += MIN(length,(guint32)tvb_length_remaining(tvb, offset));
/*
 * Dissect a Write response. A non-zero si->status is handed to
 * dissect_smb2_error_response(); otherwise: buffer code, 2 reserved bytes,
 * 4-byte write count, 4-byte remaining, and the 2-byte channel info offset
 * and length.
 *
 * NOTE(review): pinfo and si are marked _U_ but are used below.
 */
3909 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3911 switch (si->status) {
3912 case 0x00000000: break;
3913 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3917 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3920 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
3924 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3927 /* remaining, must be set to 0 */
3928 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3931 /* write channel info offset */
3932 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3935 /* write channel info length */
3936 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_PIPE_TRANSCEIVE payload: pass everything remaining from offset to
 * the pipe-data (heuristic) dissector. The length used is the number of
 * bytes actually left in tvb, not a packet-supplied field.
 */
3943 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, gboolean data_in _U_)
3945 dissect_file_data_dcerpc(tvb, pinfo, tree, offset, tvb_length_remaining(tvb, offset), top_tree);
/*
 * FSCTL_LMR_REQUEST_RESILIENCY input data: a 4-byte timeout followed by a
 * 4-byte reserved field. Per the existing comment there is no out data;
 * the early return for that direction is not visible in this listing.
 */
3949 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
3951 /* There is no out data */
3957 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3961 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect an IPv4 socket address: a "Socket Address" subtree covering len
 * bytes with the 2-byte family, 2-byte port and 4-byte address. The
 * formatted address is also appended to the subtree item and to the item
 * that owns parent_tree.
 */
3965 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
3967 proto_item *sub_item = NULL;
3968 proto_tree *sub_tree = NULL;
3969 proto_item *parent_item = NULL;
3977 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
3978 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
3979 parent_item = proto_tree_get_parent(parent_tree);
3983 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3987 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3991 addr = tvb_get_ipv4(tvb, offset);
3992 proto_tree_add_ipv4(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, addr);
3994 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
3997 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
/*
 * Dissect an IPv6 socket address: a "Socket Address" subtree covering len
 * bytes with family, port, flow info, the 16-byte address and scope id.
 * The formatted address is also appended to the subtree item and to the
 * item that owns parent_tree.
 *
 * NOTE(review): flow info and scope id are added with a length of 2 here,
 * while both are 32-bit fields in the usual sockaddr_in6 layout. Confirm
 * the intended width against the offset increments, which are elided in
 * this listing.
 */
4002 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
4004 struct e_in6_addr addr;
4005 proto_item *sub_item = NULL;
4006 proto_tree *sub_tree = NULL;
4007 proto_item *parent_item = NULL;
4014 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4015 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4016 parent_item = proto_tree_get_parent(parent_tree);
4020 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4024 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4028 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4032 tvb_get_ipv6(tvb, offset, &addr);
4033 proto_tree_add_ipv6(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, (guint8 *)&addr);
4035 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
4038 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
4043 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect a socket address of unknown family. The 2-byte family at offset
 * selects the IPv4 (2) or IPv6 (23) dissector; any other family gets a
 * generic "Socket Address" subtree showing only the family value.
 *
 * NOTE(review): the value of len and the target of the second
 * append_text call are set in lines elided from this listing; as shown,
 * both appends go to sub_item.
 */
4047 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
4050 proto_item *sub_item = NULL;
4051 proto_tree *sub_tree = NULL;
4052 proto_item *parent_item = NULL;
4055 family = tvb_get_letohs(tvb, offset);
4057 case 2: /* AF_INET */
4058 dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
4060 case 23: /* AF_INET6 */
4061 dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
4066 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4067 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4068 parent_item = proto_tree_get_parent(parent_tree);
4072 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4074 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
4077 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
4085 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
4086 #define NETWORK_INTERFACE_CAP_RMDA 0x00000002
/*
 * Dissect one network-interface entry at the start of tvb, then recurse on
 * a subset tvb that starts at next_offset to handle the following entry.
 * Each entry shows: next offset, interface index, capabilities (RSS/RDMA),
 * RSS queue count, link speed and a socket address.
 *
 * NOTE(review): next_offset is read from the packet and is the only thing
 * that advances the recursion. The condition guarding the recursive call
 * is not visible in this listing. Confirm that it rejects zero and any
 * value smaller than one entry; otherwise the recursion depth follows the
 * buffer length rather than the number of entries. An iterative loop over
 * the entries would remove the stack-depth concern entirely.
 */
4089 dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
4091 guint32 next_offset;
4094 proto_item *sub_item = NULL;
4095 proto_tree *sub_tree = NULL;
4096 proto_item *item = NULL;
4097 guint32 capabilities;
4100 const char *unit = NULL;
/* sender-supplied distance to the next entry */
4102 next_offset = tvb_get_letohl(tvb, offset);
4108 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Network Interface");
4109 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_ioctl_network_interface);
4113 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4116 /* interface index */
4117 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4121 capabilities = tvb_get_letohl(tvb, offset);
4122 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_capabilities, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4123 proto_tree_add_boolean(sub_tree, hf_smb2_ioctl_network_interface_capability_rss, tvb, offset, 4, capabilities);
4124 proto_tree_add_boolean(sub_tree, hf_smb2_ioctl_network_interface_capability_rdma, tvb, offset, 4, capabilities);
4125 if (capabilities != 0) {
/* NOTE(review): in the visible lines item still holds its NULL
 * initialiser here (it is first assigned at the link-speed item), so this
 * append may have no target - confirm the capabilities item was meant. */
4126 proto_item_append_text(item, "%s%s",
4127 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"",
4128 (capabilities & NETWORK_INTERFACE_CAP_RMDA)?", RDMA":"");
4130 proto_item_append_text(sub_item, "%s%s",
4131 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"",
4132 (capabilities & NETWORK_INTERFACE_CAP_RMDA)?", RDMA":"");
4137 /* rss queue count */
4138 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_rss_queue_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4142 link_speed = tvb_get_letoh64(tvb, offset);
4143 item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Scale the speed for display. NOTE(review): the division is done before
 * the gfloat cast, so if link_speed is an integer type (its declaration is
 * elided here) the fractional part printed by "%.1f" is always zero. */
4144 if (link_speed >= (1000*1000*1000)) {
4145 val = (gfloat)(link_speed / (1000*1000*1000));
4147 } else if (link_speed >= (1000*1000)) {
4148 val = (gfloat)(link_speed / (1000*1000));
4150 } else if (link_speed >= (1000)) {
4151 val = (gfloat)(link_speed / (1000));
4154 val = (gfloat)(link_speed);
4157 proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
4159 proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);
4164 /* socket address */
4165 dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset);
/* the next entry is dissected on a view that starts at next_offset */
4169 next_tvb = tvb_new_subset(tvb, next_offset,
4170 tvb_length_remaining(tvb, next_offset),
4171 tvb_reported_length_remaining(tvb, next_offset));
4173 /* next extra info */
4174 dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
/*
 * FSCTL_QUERY_NETWORK_INTERFACE_INFO output data: a chain of network
 * interface entries, dissected from the start of tvb. Per the existing
 * comment there is no in data; the early return for that direction is not
 * visible in this listing.
 */
4179 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4181 /* There is no in data */
4186 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
/*
 * Older variant of the validate-negotiate payload. Two field sequences are
 * visible: capabilities, client GUID, security mode, dialect; and
 * capabilities, server GUID, security mode, dialect. The data_in test that
 * presumably selects between them is not visible in this listing.
 *
 * NOTE(review): offset is marked _U_ but is used and reassigned below.
 */
4190 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4193 * This is only used by Windows 8 beta
4197 offset = dissect_smb2_capabilities(tree, tvb, offset);
4200 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4203 /* security mode, skip second byte */
4204 offset = dissect_smb2_secmode(tree, tvb, offset);
4208 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4212 offset = dissect_smb2_capabilities(tree, tvb, offset);
4215 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4218 /* security mode, skip second byte */
4219 offset = dissect_smb2_secmode(tree, tvb, offset);
4223 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_VALIDATE_NEGOTIATE_INFO payload. Two field sequences are visible:
 * capabilities, client GUID, security mode, a 2-byte dialect count and
 * that many 2-byte dialects; and capabilities, server GUID, security mode
 * and a single dialect. The data_in test that presumably selects between
 * them is not visible in this listing.
 *
 * NOTE(review): dc is read from the packet and bounds the dialect loop.
 * Confirm that offset advances by 2 per iteration (the increment is
 * elided here) so the loop ends at the buffer end on short data.
 */
4229 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4235 offset = dissect_smb2_capabilities(tree, tvb, offset);
4238 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4241 /* security mode, skip second byte */
4242 offset = dissect_smb2_secmode(tree, tvb, offset);
/* sender-claimed number of dialect entries */
4246 dc = tvb_get_letohs(tvb, offset);
4247 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4250 for ( ; dc>0; dc--) {
4251 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4256 offset = dissect_smb2_capabilities(tree, tvb, offset);
4259 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4262 /* security mode, skip second byte */
4263 offset = dissect_smb2_secmode(tree, tvb, offset);
4267 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_GET_SHADOW_COPY_DATA output data: three 4-byte counters (number of
 * volumes, number of labels, count) followed by one string label per
 * volume. Per the existing comment there is no in data.
 *
 * NOTE(review): num_volumes is a 32-bit value from the packet and drives
 * the loop directly. Each pass advances offset by the len reported by
 * get_unicode_or_ascii_string(). Confirm that the loop stops when len is
 * 0 or the buffer is exhausted (the lines after the offset update are
 * elided here); otherwise a large count with no remaining data keeps
 * adding empty items.
 */
4273 dissect_smb2_FSCTL_GET_SHADOW_COPY_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4275 guint32 num_volumes;
4277 /* There is no in data */
4283 num_volumes = tvb_get_letohl(tvb, offset);
4284 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_volumes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4288 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_labels, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4292 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4295 while (num_volumes--) {
4299 int old_offset = offset;
/* bc is the byte budget handed to the string reader */
4301 bc = tvb_length_remaining(tvb, offset);
4302 name = get_unicode_or_ascii_string(tvb, &offset,
4303 TRUE, &len, TRUE, FALSE, &bc);
4304 proto_tree_add_string(tree, hf_smb2_ioctl_shadow_copy_label, tvb, old_offset, len, name);
4306 offset = old_offset+len;
/*
 * Dissect a 64-byte FILE_OBJECTID_BUFFER as a subtree holding four 16-byte
 * identifiers: object id, birth volume id, birth object id and domain id.
 */
4315 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
4317 proto_item *item = NULL;
4318 proto_tree *tree = NULL;
4320 /* FILE_OBJECTID_BUFFER */
4322 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
4323 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
4327 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4330 /* Birth Volume ID */
4331 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4334 /* Birth Object ID */
4335 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4339 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_CREATE_OR_GET_OBJECT_ID output data: a single FILE_OBJECTID_BUFFER.
 * Per the existing comment there is no in data; the early return for that
 * direction is not visible in this listing.
 */
4346 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4349 /* There is no in data */
4354 /* FILE_OBJECTID_BUFFER */
4355 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * FSCTL_GET_COMPRESSION output data: a 2-byte compression format. Per the
 * existing comment there is no in data.
 */
4361 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4364 /* There is no in data */
4369 /* compression format */
4370 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_COMPRESSION input data: a 2-byte compression format. Per the
 * existing comment there is no out data.
 */
4376 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4379 /* There is no out data */
4384 /* compression format */
4385 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_OBJECT_ID input data: a single FILE_OBJECTID_BUFFER. Per the
 * existing comment there is no out data.
 */
4392 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4395 /* There is no out data */
4400 /* FILE_OBJECTID_BUFFER */
4401 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * FSCTL_SET_OBJECT_ID_EXTENDED input data: the extended-info part of a
 * FILE_OBJECTID_BUFFER, shown as three 16-byte identifiers (birth volume
 * id, birth object id, domain id). Per the existing comment there is no
 * out data.
 */
4407 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4410 /* There is no out data */
4415 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
4417 /* Birth Volume ID */
4418 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4421 /* Birth Object ID */
4422 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4426 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * Dispatch an ioctl input or output buffer to the dissector for
 * ioctl_function. data_in is forwarded so each handler can tell the
 * request buffer from the response buffer. A function code with no
 * handler has the whole tvb shown as hf_smb2_unknown.
 *
 * Every handler is called with offset 0: tvb here is the sub-buffer, not
 * the whole PDU. ioctl_function is a packet-supplied value, so the
 * fallback branch is the path taken for arbitrary codes.
 */
4433 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in)
/* byte count handed to the DFS referral dissectors */
4437 dc = tvb_reported_length(tvb);
4439 switch (ioctl_function) {
4440 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
4442 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc);
4444 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc);
4448 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in);
4450 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
4451 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
4453 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
4454 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
4456 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
4457 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
4459 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
4460 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
4462 case 0x00144064: /* FSCTL_GET_SHADOW_COPY_DATA */
4463 dissect_smb2_FSCTL_GET_SHADOW_COPY_DATA(tvb, pinfo, tree, 0, data_in);
4465 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
4466 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
4467 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
4469 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
4470 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
4472 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
4473 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
4475 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
4476 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
4478 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
4479 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
4482 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/*
 * Buffer callback for the ioctl "in" buffer: forwards to
 * dissect_smb2_ioctl_data() with data_in set to TRUE, using the function
 * code stored in si->ioctl_function.
 */
4487 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4489 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, TRUE);
/*
 * Buffer callback for the ioctl "out" buffer: forwards to
 * dissect_smb2_ioctl_data() with data_in set to FALSE, using the function
 * code stored in si->ioctl_function.
 */
4493 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4495 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, FALSE);
/*
 * Dissect an Ioctl request: buffer code, ioctl function (stored in
 * si->ioctl_function), file id, the in-buffer offset/length, max in size,
 * the out-buffer offset/length, max out size, a 4-byte flags field, and
 * then the in and out buffers themselves.
 *
 * The two buffers are dissected in the order of their packet-supplied
 * offsets (i_olb.off against o_olb.off), so that a short packet is decoded
 * as far as possible before dissection stops. The returned offset is moved
 * past both buffers with dissect_smb2_olb_tvb_max_offset().
 *
 * NOTE(review): both offset/length pairs are sender-controlled; the bounds
 * handling lives in dissect_smb2_olb_buffer(), which is outside this
 * listing.
 */
4499 dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4501 offset_length_buffer_t o_olb;
4502 offset_length_buffer_t i_olb;
4503 proto_tree *flags_tree = NULL;
4504 proto_item *flags_item = NULL;
4507 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4512 /* ioctl function */
4513 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
4516 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4518 /* in buffer offset/length */
4519 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
4521 /* max ioctl in size */
4522 proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4525 /* out buffer offset/length */
4526 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
4528 /* max ioctl out size */
4529 proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4534 flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4535 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
4537 proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4543 /* try to decode these blobs in the order they were encoded
4544 * so that for "short" packets we will dissect as much as possible
4545 * before aborting with "short packet"
4547 if (i_olb.off>o_olb.off) {
4549 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4551 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4554 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4556 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4559 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
4560 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
/*
 * Dissect an Ioctl response. A non-zero si->status is handed to
 * dissect_smb2_error_response(). Otherwise: buffer code, 2 unknown bytes,
 * ioctl function (stored in si->ioctl_function), file id, the in-buffer
 * and out-buffer offset/length pairs, and then the two buffers.
 *
 * As in the request, the buffers are dissected in the order of their
 * packet-supplied offsets, and the returned offset is moved past both
 * with dissect_smb2_olb_tvb_max_offset().
 *
 * NOTE(review): the function code used to decode the buffers is the one
 * carried in this response, not a value saved from the matching request.
 */
4566 dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4568 offset_length_buffer_t o_olb;
4569 offset_length_buffer_t i_olb;
4571 switch (si->status) {
4572 case 0x00000000: break;
4573 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4577 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4579 /* some unknown bytes */
4580 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
4583 /* ioctl function */
4584 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
4587 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4589 /* in buffer offset/length */
4590 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
4592 /* out buffer offset/length */
4593 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
4596 /* flags: reserved: must be zero */
4602 /* try to decode these blobs in the order they were encoded
4603 * so that for "short" packets we will dissect as much as possible
4604 * before aborting with "short packet"
4606 if (i_olb.off>o_olb.off) {
4608 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4610 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4613 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4615 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4618 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
4619 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
/*
 * Dissect the body of an SMB2 READ request.
 *
 * Adds the buffer code, read length, file offset, file id, minimum count,
 * channel, remaining bytes and the channel-info offset/length to the tree,
 * and appends the requested length and file offset to the Info column.
 * The trailing buffer is not dissected.
 */
4626 dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4632 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4634 /* padding and reserved */
/* length and file offset are read from the packet purely for display */
4638 len = tvb_get_letohl(tvb, offset);
4639 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4643 off = tvb_get_letoh64(tvb, offset);
4644 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4647 if (check_col(pinfo->cinfo, COL_INFO)) {
/* NOTE(review): len comes from tvb_get_letohl() but is printed with %d; if
 * len is declared unsigned (declaration not visible here), lengths at or
 * above 0x80000000 would show as negative -- confirm and prefer %u. */
4648 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", len, off);
4652 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4655 proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4659 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4662 /* remaining bytes */
4663 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4666 /* channel info offset */
4667 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4670 /* channel info length */
4671 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4674 /* there is a buffer here but it is never used (yet) */
/*
 * Dissect the body of an SMB2 READ response.
 *
 * A non-zero si->status is handed to dissect_smb2_error_response(). Otherwise
 * the buffer code, data offset, read length and remaining count are added to
 * the tree. When the length is non-zero and either the tree is a pipe share
 * or the async flag is set, the payload goes to dissect_file_data_dcerpc();
 * the raw-bytes item below covers the other case.
 *
 * NOTE(review): si is tagged _U_ in the signature although it is dereferenced
 * below; the attribute is harmless but misleading.
 *
 * NOTE(review): length is taken from the packet and passed unclamped to
 * proto_tree_add_item(); only the subsequent offset advance is clamped to the
 * captured bytes. An oversized length is therefore expected to end dissection
 * in the tvb bounds check rather than here -- confirm.
 */
4681 dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4685 switch (si->status) {
4686 case 0x00000000: break;
4687 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4691 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4694 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4697 /* length might even be 64bits if they are ambitious*/
4698 length = tvb_get_letohl(tvb, offset);
4699 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4703 proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4710 * If the pidvalid flag is set we assume it is a deferred
4711 * STATUS_PENDING read and thus a named pipe (==dcerpc)
4713 if (length && ( (si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE)||(si->flags & SMB2_FLAGS_ASYNC_CMD))) {
4714 offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
4719 proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);
/* advance by no more than the bytes actually captured */
4720 offset += MIN(length,(guint32)tvb_length_remaining(tvb, offset));
/*
 * Mark a create-context buffer as one that should not appear on the wire.
 *
 * Adds a text item covering the whole of tvb (from offset 0 to the end of the
 * captured data) reading "<buffer_desc> SHOULD NOT be generated. Malformed
 * packet". buffer_desc is passed as a %s argument, never as the format
 * string itself; every caller visible in this file passes a string literal.
 */
4726 report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, const char *buffer_desc)
4728 proto_tree_add_text(tree, tvb, 0, tvb_length_remaining(tvb, 0),
4729 "%s SHOULD NOT be generated. Malformed packet", buffer_desc);
/*
 * Create-context request handler registered for the "ExtA" tag.
 *
 * Appends ": SMB2_FILE_INFO_0f" to the parent item and dissects the buffer
 * from offset 0 with dissect_smb2_file_info_0f().
 */
4732 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4734 proto_item *item = NULL;
4736 item = proto_tree_get_parent(tree);
4737 proto_item_append_text(item, ": SMB2_FILE_INFO_0f");
4739 dissect_smb2_file_info_0f(tvb, pinfo, tree, 0, si);
/*
 * Create-context response handler registered for the "ExtA" tag.
 * Any such buffer in a response is reported as malformed.
 */
4743 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
4745 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
/*
 * Create-context request handler registered for the "SecD" tag.
 *
 * Appends ": SMB2_SEC_INFO_00" to the parent item and dissects the buffer
 * from offset 0 with dissect_smb2_sec_info_00().
 */
4749 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4751 proto_item *item = NULL;
4753 item = proto_tree_get_parent(tree);
4754 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
4756 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
/*
 * Create-context response handler registered for the "SecD" tag.
 * Any such buffer in a response is reported as malformed.
 */
4760 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
4762 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
/*
 * Create-context request handler registered for the "TWrp" tag.
 *
 * Appends ": Timestamp" to the parent item and dissects a 64-bit NT time at
 * offset 0 of the buffer into hf_smb2_twrp_timestamp.
 */
4766 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4768 proto_item *item = NULL;
4770 item = proto_tree_get_parent(tree);
4771 proto_item_append_text(item, ": Timestamp");
4773 dissect_nt_64bit_time(tvb, tree, 0, hf_smb2_twrp_timestamp);
/*
 * Create-context response handler registered for the "TWrp" tag.
 * Any such buffer in a response is reported as malformed.
 * pinfo is tagged _U_ in the signature but is forwarded below.
 */
4777 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4779 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
/*
 * Create-context request handler registered for the "QFid" tag.
 *
 * A request is expected to carry no data: an empty buffer is labelled
 * ": NO DATA"; the other label flags a non-empty one as malformed (the
 * branch separating the two is not fully visible in this listing).
 */
4783 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4785 proto_item *item = NULL;
4788 item = proto_tree_get_parent(tree);
4792 if (tvb_length(tvb) == 0) {
4793 proto_item_append_text(item, ": NO DATA");
4795 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
/*
 * Create-context response handler registered for the "QFid" tag.
 *
 * Adds a "QFid INFO" subtree and shows 32 bytes at offset as
 * hf_smb2_qfid_fid. The read is a fixed 32 bytes whatever the buffer length;
 * a shorter buffer is presumably caught by the tvb bounds check -- confirm.
 *
 * NOTE(review): sub_tree receives the result of proto_item_add_subtree() but
 * is declared proto_item *; proto_tree * would state the intent.
 */
4801 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4804 proto_item *item = NULL;
4805 proto_item *sub_item = NULL;
4806 proto_item *sub_tree = NULL;
4809 item = proto_tree_get_parent(tree);
4813 proto_item_append_text(item, ": QFid INFO");
4814 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "QFid INFO");
4815 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_QFid_buffer);
4818 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
/*
 * Create-context request handler registered for the "AlSi" tag.
 * Shows the 8 little-endian bytes at offset 0 as hf_smb2_allocation_size.
 */
4822 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4824 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/*
 * Create-context response handler registered for the "AlSi" tag.
 * Any such buffer in a response is reported as malformed.
 * pinfo is tagged _U_ in the signature but is forwarded below.
 */
4828 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4830 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
/*
 * Create-context request handler registered for the "DHnQ" tag.
 * Dissects a file id at offset 0 using FID_MODE_DHNQ.
 */
4834 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4836 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
/*
 * Create-context response handler registered for the "DHnQ" tag.
 * Shows the 8 bytes at offset 0 as hf_smb2_dhnq_buffer_reserved.
 */
4840 dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4842 proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/*
 * Create-context request handler registered for the "DHnC" tag.
 * Dissects a file id at offset 0 using FID_MODE_DHNC.
 */
4846 dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4848 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
/*
 * Create-context response handler registered for the "DHnC" tag.
 * Any such buffer in a response is reported as malformed.
 */
4852 dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
4854 report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
4858 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
4864 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
4868 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
4873 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
4876 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
/*
 * Create-context request handler registered for the "DH2Q" tag.
 *
 * Adds a "DH2Q Request" subtree holding a 4-byte timeout, the flags word
 * (decoded as a bitmask through dh2x_flags_fields), 8 reserved bytes and a
 * 16-byte create GUID.
 *
 * All reads are fixed-size and do not consult the buffer length; a short
 * buffer is presumably rejected by the tvb bounds check -- confirm.
 *
 * NOTE(review): sub_tree is declared proto_item * although it holds the
 * result of proto_item_add_subtree().
 */
4879 dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4881 static const int *dh2x_flags_fields[] = {
4882 &hf_smb2_dh2x_buffer_flags_persistent_handle,
4886 proto_item *item = NULL;
4887 proto_item *sub_item = NULL;
4888 proto_item *sub_tree = NULL;
4891 item = proto_tree_get_parent(tree);
4895 proto_item_append_text(item, ": DH2Q Request");
4896 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2Q Request");
4897 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2Q_buffer);
4901 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4905 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_dh2x_buffer_flags,
4906 ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
4910 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4914 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * Create-context response handler registered for the "DH2Q" tag.
 *
 * Adds a "DH2Q Response" subtree holding a 4-byte timeout and a 4-byte flags
 * word. Unlike the request handler, the flags are added as a plain item and
 * not decoded bit by bit.
 */
4918 dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4921 proto_item *item = NULL;
4922 proto_item *sub_item = NULL;
4923 proto_item *sub_tree = NULL;
4926 item = proto_tree_get_parent(tree);
4930 proto_item_append_text(item, ": DH2Q Response");
4931 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2Q Response");
4932 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2Q_buffer);
4936 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4940 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Create-context request handler registered for the "DH2C" tag.
 *
 * Adds a "DH2C Request" subtree holding a file id (FID_MODE_DHNC), a 16-byte
 * create GUID and a 4-byte flags word.
 *
 * NOTE(review): the return value of dissect_smb2_fid() is not assigned on the
 * visible line; confirm that offset is advanced past the file id before the
 * GUID is read.
 */
4944 dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4947 proto_item *item = NULL;
4948 proto_item *sub_item = NULL;
4949 proto_item *sub_tree = NULL;
4952 item = proto_tree_get_parent(tree);
4956 proto_item_append_text(item, ": DH2C Request");
4957 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2C Request");
4958 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2C_buffer);
4962 dissect_smb2_fid(tvb, pinfo, sub_tree, offset, si, FID_MODE_DHNC);
4966 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4970 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Create-context response handler registered for the "DH2C" tag.
 * Any such buffer in a response is reported as malformed.
 */
4974 dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
4976 report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
/*
 * Create-context request handler registered for the "MxAc" tag.
 *
 * An empty buffer is labelled ": NO DATA". The remaining visible lines label
 * the item ": Timestamp" and dissect a 64-bit NT time at offset into
 * hf_smb2_mxac_timestamp (the control flow between the two cases is not
 * fully visible in this listing).
 */
4980 dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4983 proto_item *item = NULL;
4986 item = proto_tree_get_parent(tree);
4989 if (tvb_length(tvb) == 0) {
4991 proto_item_append_text(item, ": NO DATA");
4997 proto_item_append_text(item, ": Timestamp");
5000 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_mxac_timestamp);
/*
 * Create-context response handler registered for the "MxAc" tag.
 *
 * An empty buffer is labelled ": NO DATA". The remaining visible lines add
 * an "MxAc INFO" subtree with a 4-byte status followed by an access mask
 * dissected by dissect_smb_access_mask().
 *
 * NOTE(review): the status is added with ENC_BIG_ENDIAN, whereas every other
 * multi-byte field in the neighbouring handlers uses ENC_LITTLE_ENDIAN. This
 * looks like it would display the status byte-swapped -- confirm against the
 * protocol specification before changing it.
 */
5004 dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5007 proto_item *item = NULL;
5008 proto_item *sub_item = NULL;
5009 proto_tree *sub_tree = NULL;
5012 item = proto_tree_get_parent(tree);
5015 if (tvb_length(tvb) == 0) {
5017 proto_item_append_text(item, ": NO DATA");
5023 proto_item_append_text(item, ": MxAc INFO");
5024 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "MxAc INFO");
5025 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_MxAc_buffer);
5028 proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_BIG_ENDIAN);
5031 dissect_smb_access_mask(tvb, sub_tree, offset);
5035 * SMB2_CREATE_REQUEST_LEASE 32
5039 * 8 - lease duration
5041 * SMB2_CREATE_REQUEST_LEASE_V2 52
5045 * 8 - lease duration
5046 * 16 - parent lease key
/* Bit values for the lease state word. */
5049 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
5050 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
5051 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
/* Bit values for the lease flags word. */
5053 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
5054 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
5055 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
/*
 * Field lists handed to proto_tree_add_bitmask() wherever a lease state
 * word is decoded (create lease contexts and lease break messages).
 */
5057 static const int *lease_state_fields[] = {
5058 &hf_smb2_lease_state_read_caching,
5059 &hf_smb2_lease_state_handle_caching,
5060 &hf_smb2_lease_state_write_caching,
/* Same, for the lease flags word. */
5063 static const int *lease_flags_fields[] = {
5064 &hf_smb2_lease_flags_break_ack_required,
5065 &hf_smb2_lease_flags_break_in_progress,
5066 &hf_smb2_lease_flags_parent_lease_key_set,
/*
 * Dissect a lease create context, request or response, V1 or V2.
 *
 * The version is inferred from the buffer length alone: 32 bytes selects
 * LEASE_V1 and 52 bytes LEASE_V2. The remaining visible call reports the
 * buffer as a malformed "RqLs" context. Both versions share the lease key,
 * state, flags and duration fields; the parent lease key and epoch are
 * listed last (the condition restricting them to V2 is not visible in this
 * listing).
 *
 * NOTE(review): len comes from tvb_length(), i.e. the captured length. A
 * capture truncated by a snapshot length would fail the 32/52 test and be
 * labelled malformed even if the sender's buffer was valid; the reported
 * length may be the better discriminator -- confirm.
 *
 * pinfo and si are tagged _U_ in the signature; pinfo is nevertheless
 * forwarded to report_create_context_malformed_buffer().
 */
5071 dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
5075 proto_item *sub_item = NULL;
5076 proto_tree *sub_tree = NULL;
5077 proto_item *parent_item = NULL;
5080 parent_item = proto_tree_get_parent(parent_tree);
5083 len = tvb_length(tvb);
5086 case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
5088 proto_item_append_text(parent_item, ": LEASE_V1");
5089 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "LEASE_V1");
5090 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_RqLs_buffer);
5094 case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
5096 proto_item_append_text(parent_item, ": LEASE_V2");
5097 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "LEASE_V2");
5098 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_RqLs_buffer);
5103 report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
5107 proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5110 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_state,
5111 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5114 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_flags,
5115 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5118 proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5125 proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5128 proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Create-context request handler registered for the "RqLs" tag.
 * Delegates to dissect_SMB2_CREATE_LEASE_VX(), which handles both directions.
 */
5132 dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5134 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
/*
 * Create-context response handler registered for the "RqLs" tag.
 * Delegates to dissect_SMB2_CREATE_LEASE_VX(), which handles both directions.
 */
5138 dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5140 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
5144 * SMB2_CREATE_APP_INSTANCE_ID
5145 * 2 - structure size - 20
5147 * 16 - application guid
/*
 * Create-context request handler registered for the application-instance-id
 * tag (the GUID-named entry in create_context_dissectors_array).
 *
 * Adds an "APP INSTANCE ID" subtree holding a 2-byte structure size, 2
 * reserved bytes and a 16-byte application GUID.
 *
 * NOTE(review): the structure size is displayed but, in the lines visible
 * here, not compared with the actual buffer length; a mismatch goes
 * unflagged unless a check exists elsewhere -- confirm.
 */
5151 dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5154 proto_item *item = NULL;
5155 proto_item *sub_item = NULL;
5156 proto_item *sub_tree = NULL;
5159 item = proto_tree_get_parent(tree);
5163 proto_item_append_text(item, ": APP INSTANCE ID");
5164 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "APP INSTANCE ID");
5165 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_APP_INSTANCE_buffer);
5169 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
5170 tvb, offset, 2, ENC_LITTLE_ENDIAN);
5174 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
5175 tvb, offset, 2, ENC_LITTLE_ENDIAN);
5179 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * Create-context response handler registered for the application-instance-id
 * tag. Any such buffer in a response is reported as malformed.
 * pinfo is tagged _U_ in the signature but is forwarded below.
 */
5183 dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5185 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
/* Signature shared by every create-context data handler in this file. */
5188 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
/* One handler per direction; the caller picks by the SMB2 response flag. */
5190 typedef struct create_context_data_dissectors {
5191 create_context_data_dissector_t request;
5192 create_context_data_dissector_t response;
5193 } create_context_data_dissectors_t;
/*
 * Table entry tying a create-context tag to its display name and handlers.
 * The tag and val members used by the lookup code are declared on lines not
 * shown in this listing.
 */
5195 struct create_context_data_tag_dissectors {
5198 create_context_data_dissectors_t dissectors;
/*
 * Lookup table for create-context tags: wire tag, descriptive name, and the
 * request/response handlers. get_create_context_data_tag_dissectors() scans
 * it with strcmp() against the tag string taken from the packet.
 *
 * NOTE(review): the array has external linkage and is writable, yet the
 * visible code only reads it; static const would keep the handler pointers
 * out of writable data and out of the global namespace -- confirm no other
 * translation unit references it.
 */
5201 struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
5202 { "ExtA", "SMB2_CREATE_EA_BUFFER",
5203 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
5204 { "SecD", "SMB2_CREATE_SD_BUFFER",
5205 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
5206 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
5207 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
5208 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
5209 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
5210 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
5211 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
5212 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
5213 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
5214 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
5215 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
5216 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
5217 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
5218 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
5219 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
5220 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
5221 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
5222 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
5223 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
5224 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
5225 { dissect_smb2_APP_INSTANCE_buffer_request,
5226 dissect_smb2_APP_INSTANCE_buffer_response } }
/*
 * Find the table entry whose tag equals the given string.
 *
 * Scans create_context_dissectors_array linearly with an exact strcmp()
 * match and returns the first hit. A static INVALID entry (display name
 * "<invalid>", both handlers NULL) is defined for the no-match case; the
 * return statement that uses it is not visible in this listing.
 *
 * NOTE(review): tag is dereferenced by strcmp() without a NULL check. The
 * caller visible in this file passes the string returned by
 * dissect_smb2_olb_string(), which is built from packet data -- confirm that
 * helper never returns NULL, e.g. for a zero-length or out-of-range tag.
 */
5229 static struct create_context_data_tag_dissectors*
5230 get_create_context_data_tag_dissectors(const char *tag)
5232 static struct create_context_data_tag_dissectors INVALID = {
5233 NULL, "<invalid>", { NULL, NULL }
5237 for (i = 0; i<array_length(create_context_dissectors_array); i++) {
5238 if (!strcmp(tag, create_context_dissectors_array[i].tag))
5239 return &create_context_dissectors_array[i];
/*
 * Dissect one element of the create-context chain, then the next one.
 *
 * Each element yields a "Chain Element" subtree with the chain offset, the
 * tag and data offset/length pairs, and the tag string. The tag selects a
 * table entry, the SMB2 response flag selects its request or response
 * handler, and that handler is applied to the data buffer through
 * dissect_smb2_olb_buffer(). The following element is dissected by a
 * recursive call on a sub-tvb starting at chain_offset.
 *
 * NOTE(review): chain_offset is declared guint16 but assigned from
 * tvb_get_letohl(), a 32-bit read, and the field is displayed as 4 bytes.
 * For values of 0x10000 and above the offset used to follow the chain
 * differs from the one shown in the tree.
 *
 * NOTE(review): recursion depth is driven by the packet: every element with
 * a usable chain_offset adds a stack frame, and the smaller the offsets the
 * deeper the chain a single packet can describe. The guard around the
 * recursive call is not visible in this listing; confirm it rejects zero
 * and consider iterating, or capping the number of elements.
 *
 * NOTE(review): an unknown tag appears to resolve to an entry whose handlers
 * are NULL, so dissector can be NULL when passed to
 * dissect_smb2_olb_buffer() -- confirm that helper tolerates it.
 */
5245 dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
5247 offset_length_buffer_t tag_olb;
5248 offset_length_buffer_t data_olb;
5250 guint16 chain_offset;
5253 proto_item *sub_item = NULL;
5254 proto_tree *sub_tree = NULL;
5255 proto_item *parent_item = NULL;
5256 create_context_data_dissectors_t *dissectors = NULL;
5257 create_context_data_dissector_t dissector = NULL;
5258 struct create_context_data_tag_dissectors *tag_dissectors;
/* 32-bit wire value narrowed to 16 bits here; see the header note */
5260 chain_offset = tvb_get_letohl(tvb, offset);
5266 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Chain Element");
5267 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_create_chain_element);
5268 parent_item = proto_tree_get_parent(parent_tree);
5272 proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5275 /* tag offset/length */
5276 offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);
5278 /* data offset/length */
5279 dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);
5282 tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
5284 tag_dissectors = get_create_context_data_tag_dissectors(tag);
/* the packet-supplied tag is only ever passed as a %s argument */
5286 proto_item_append_text(parent_item, " %s", tag);
5287 proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);
5290 dissectors = &tag_dissectors->dissectors;
5292 dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;
5294 dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);
5297 tvbuff_t *chain_tvb;
5298 chain_tvb = tvb_new_subset(tvb, chain_offset, tvb_length_remaining(tvb, chain_offset), tvb_reported_length_remaining(tvb, chain_offset));
5300 /* next extra info */
5301 dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
/*
 * Dissect the body of an SMB2 CREATE request.
 *
 * Adds the fixed fields (buffer code, oplock, impersonation level, create
 * flags, access mask, file attributes, share access, disposition, create
 * options), then the filename and extra-info offset/length pairs, the
 * filename string, and finally the chain of create contexts.
 *
 * On the first pass over a frame the filename is copied into
 * si->saved->extra_info so that later code can refer to it. Any previously
 * saved filename is freed first, and the copy is made only for lengths from
 * 1 to 255; g_snprintf() is bounded by the allocation size, len + 1.
 *
 * NOTE(review): f_olb.len is the on-wire length of a field dissected as
 * OLB_TYPE_UNICODE_STRING, while fname is the converted string; the two
 * lengths need not match, so the saved copy may be shorter than fname or
 * the buffer larger than needed. Neither overruns the buffer.
 *
 * NOTE(review): fname is used with %s without a NULL check -- confirm that
 * dissect_smb2_olb_string() always returns a string.
 */
5306 dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5308 offset_length_buffer_t f_olb, e_olb;
5312 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5314 /* security flags */
5318 offset = dissect_smb2_oplock(tree, tvb, offset);
5320 /* impersonation level */
5321 proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5325 proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5332 offset = dissect_smb_access_mask(tvb, tree, offset);
5334 /* File Attributes */
5335 offset = dissect_file_ext_attr(tvb, tree, offset);
5338 offset = dissect_nt_share_access(tvb, tree, offset);
5340 /* create disposition */
5341 proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5344 /* create options */
5345 offset = dissect_nt_create_options(tvb, tree, offset);
5347 /* filename offset/length */
5348 offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);
5350 /* extrainfo offset */
5351 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
5353 /* filename string */
5354 fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
5355 if (check_col(pinfo->cinfo, COL_INFO)) {
5356 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", fname);
5359 /* save the name if it looks sane */
5360 if (!pinfo->fd->flags.visited) {
/* drop any filename left over from an earlier request before saving anew */
5361 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
5362 g_free(si->saved->extra_info);
5363 si->saved->extra_info = NULL;
5364 si->saved->extra_info_type = SMB2_EI_NONE;
/* the length cap keeps the allocation small for untrusted input */
5366 if (si->saved && f_olb.len && f_olb.len<256) {
5367 si->saved->extra_info_type = SMB2_EI_FILENAME;
5368 si->saved->extra_info = g_malloc(f_olb.len+1);
5369 g_snprintf(si->saved->extra_info, f_olb.len+1, "%s", fname);
5373 /* If extrainfo_offset is non-null then this points to another
5374 * buffer. The offset is relative to the start of the smb packet
5376 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
5378 offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
5379 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
5384 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
/*
 * Dissect the body of an SMB2 CREATE response.
 *
 * A non-zero si->status is handed to dissect_smb2_error_response().
 * Otherwise the buffer code, oplock, response flags, create action, the four
 * timestamps, allocation size, end of file, file attributes, the file id
 * (FID_MODE_OPEN) and the extra-info offset/length pair are added to the
 * tree, followed by the chain of create contexts.
 *
 * The filename saved by the request is freed at the end and the saved type
 * is reset to SMB2_EI_NONE, so the pointer is not left dangling.
 *
 * NOTE(review): the early return on an error status bypasses that cleanup;
 * the saved filename then stays allocated until something else frees it.
 * Whether dissect_smb2_error_response() or the request path covers that case
 * cannot be seen from here -- confirm.
 */
5387 dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5389 offset_length_buffer_t e_olb;
5390 static const int *create_rep_flags_fields[] = {
5391 &hf_smb2_create_rep_flags_reparse_point,
5395 switch (si->status) {
5396 case 0x00000000: break;
5397 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
5401 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5404 offset = dissect_smb2_oplock(tree, tvb, offset);
5407 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
5408 ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
5412 proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5416 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
5419 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
5422 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
5425 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
5427 /* allocation size */
5428 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5432 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5435 /* File Attributes */
5436 offset = dissect_file_ext_attr(tvb, tree, offset);
5442 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);
5444 /* extrainfo offset */
5445 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
5447 /* If extrainfo_offset is non-null then this points to another
5448 * buffer. The offset is relative to the start of the smb packet
5450 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
5452 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
5454 /* free si->saved->extra_info we dont need it any more */
5455 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
5456 g_free(si->saved->extra_info);
5457 si->saved->extra_info = NULL;
5458 si->saved->extra_info_type = SMB2_EI_NONE;
/*
 * Dissect the body of an SMB2 SETINFO request.
 *
 * Adds the buffer code, class and info level, the size and offset of the
 * info buffer, six unknown bytes and the file id, then dissects the info
 * buffer at setinfo_offset according to the saved class and info level.
 *
 * NOTE(review): setinfo_offset and setinfo_size are read from the packet and
 * used without validation. setinfo_offset is passed straight to
 * dissect_smb2_infolevel(), and their sum is stored in the signed int
 * offset; a large setinfo_size can make it wrap to a negative or otherwise
 * out-of-range value. If, as it appears, that value is returned, the caller
 * must not use it unchecked -- confirm.
 *
 * NOTE(review): si->saved is dereferenced in the dissect_smb2_infolevel()
 * call; the guard, if any, is on a line not visible in this listing. Other
 * functions in this file test si->saved before use -- confirm this one does.
 */
5466 dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5468 guint32 setinfo_size;
5469 guint16 setinfo_offset;
5472 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5474 /* class and info level */
5475 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
5478 setinfo_size = tvb_get_letohl(tvb, offset);
5479 proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5483 setinfo_offset = tvb_get_letohs(tvb, offset);
5484 proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5487 /* some unknown bytes */
5488 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
5492 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5496 dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->class, si->saved->infolevel);
/* both operands are untrusted; see the header note on wrap-around */
5497 offset = setinfo_offset + setinfo_size;
/*
 * Dissect the body of an SMB2 SETINFO response.
 *
 * The class and info level are dissected first, before the status is
 * examined, and the offset they return is not kept. A non-zero si->status
 * is then handed to dissect_smb2_error_response(); otherwise only the buffer
 * code is added to the tree.
 */
5503 dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5505 /* class/infolevel */
5506 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
5508 switch (si->status) {
5509 case 0x00000000: break;
5510 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
5514 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/*
 * Dissect the body of an SMB2 BREAK request.
 *
 * The layout is chosen by the buffer code read from the packet: 24 is
 * dissected as an oplock break (oplock level and file id), 36 as a lease
 * break acknowledgment (reserved bytes, lease flags, lease key, lease state
 * and lease duration). No other buffer code is handled in the lines visible
 * here.
 */
5520 dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5522 guint16 buffer_code;
/* peek at the buffer code; dissect_smb2_buffercode() is given NULL for it */
5525 buffer_code = tvb_get_letohs(tvb, offset);
5526 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5528 if (buffer_code == 24) {
5532 offset = dissect_smb2_oplock(tree, tvb, offset);
5541 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5546 if (buffer_code == 36) {
5547 /* Lease Break Acknowledgment */
5550 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5554 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5555 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5559 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5563 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5564 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5567 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect the body of an SMB2 BREAK response or notification.
 *
 * A non-zero si->status is handed to dissect_smb2_error_response().
 * Otherwise the layout is chosen by the buffer code read from the packet:
 *   24 - oplock break notification: oplock level and file id
 *   44 - lease break notification: reserved bytes, lease flags, lease key,
 *        current and new lease state, and three reserved hint fields
 *   36 - lease break response: reserved bytes, lease flags, lease key,
 *        lease state and lease duration
 * No other buffer code is handled in the lines visible here.
 *
 * The two lease state words of the notification reuse hf_smb2_lease_state
 * and are told apart by the "Current " and "New " prefixes added to the
 * returned items.
 */
5577 dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5579 guint16 buffer_code;
5581 switch (si->status) {
5582 case 0x00000000: break;
5583 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
5587 buffer_code = tvb_get_letohs(tvb, offset);
5588 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5590 if (buffer_code == 24) {
5591 /* OPLOCK Break Notification */
5594 offset = dissect_smb2_oplock(tree, tvb, offset);
5603 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5605 /* in break requests from server to client here're 24 byte zero bytes
5606 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
5612 if (buffer_code == 44) {
5615 /* Lease Break Notification */
5618 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5622 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5623 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5627 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5630 /* current lease state */
5631 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5632 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5634 proto_item_prepend_text(item, "Current ");
5638 /* new lease state */
5639 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5640 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5642 proto_item_prepend_text(item, "New ");
5646 /* break reason - reserved */
5647 proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5650 /* access mask hint - reserved */
5651 proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5654 /* share mask hint - reserved */
5655 proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5661 if (buffer_code == 36) {
5662 /* Lease Break Response */
5665 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5669 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5670 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5674 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5678 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5679 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5682 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5691 /* names here are just until we find better names for these functions */
5692 static const value_string smb2_cmd_vals[] = {
5693 { 0x00, "Negotiate Protocol" },
5694 { 0x01, "Session Setup" },
5695 { 0x02, "Session Logoff" },
5696 { 0x03, "Tree Connect" },
5697 { 0x04, "Tree Disconnect" },
5706 { 0x0D, "KeepAlive" },
5709 { 0x10, "GetInfo" },
5710 { 0x11, "SetInfo" },
5712 { 0x13, "unknown-0x13" },
5713 { 0x14, "unknown-0x14" },
5714 { 0x15, "unknown-0x15" },
5715 { 0x16, "unknown-0x16" },
5716 { 0x17, "unknown-0x17" },
5717 { 0x18, "unknown-0x18" },
5718 { 0x19, "unknown-0x19" },
5719 { 0x1A, "unknown-0x1A" },
5720 { 0x1B, "unknown-0x1B" },
5721 { 0x1C, "unknown-0x1C" },
5722 { 0x1D, "unknown-0x1D" },
5723 { 0x1E, "unknown-0x1E" },
5724 { 0x1F, "unknown-0x1F" },
5725 { 0x20, "unknown-0x20" },
5726 { 0x21, "unknown-0x21" },
5727 { 0x22, "unknown-0x22" },
5728 { 0x23, "unknown-0x23" },
5729 { 0x24, "unknown-0x24" },
5730 { 0x25, "unknown-0x25" },
5731 { 0x26, "unknown-0x26" },
5732 { 0x27, "unknown-0x27" },
5733 { 0x28, "unknown-0x28" },
5734 { 0x29, "unknown-0x29" },
5735 { 0x2A, "unknown-0x2A" },
5736 { 0x2B, "unknown-0x2B" },
5737 { 0x2C, "unknown-0x2C" },
5738 { 0x2D, "unknown-0x2D" },
5739 { 0x2E, "unknown-0x2E" },
5740 { 0x2F, "unknown-0x2F" },
5741 { 0x30, "unknown-0x30" },
5742 { 0x31, "unknown-0x31" },
5743 { 0x32, "unknown-0x32" },
5744 { 0x33, "unknown-0x33" },
5745 { 0x34, "unknown-0x34" },
5746 { 0x35, "unknown-0x35" },
5747 { 0x36, "unknown-0x36" },
5748 { 0x37, "unknown-0x37" },
5749 { 0x38, "unknown-0x38" },
5750 { 0x39, "unknown-0x39" },
5751 { 0x3A, "unknown-0x3A" },
5752 { 0x3B, "unknown-0x3B" },
5753 { 0x3C, "unknown-0x3C" },
5754 { 0x3D, "unknown-0x3D" },
5755 { 0x3E, "unknown-0x3E" },
5756 { 0x3F, "unknown-0x3F" },
5757 { 0x40, "unknown-0x40" },
5758 { 0x41, "unknown-0x41" },
5759 { 0x42, "unknown-0x42" },
5760 { 0x43, "unknown-0x43" },
5761 { 0x44, "unknown-0x44" },
5762 { 0x45, "unknown-0x45" },
5763 { 0x46, "unknown-0x46" },
5764 { 0x47, "unknown-0x47" },
5765 { 0x48, "unknown-0x48" },
5766 { 0x49, "unknown-0x49" },
5767 { 0x4A, "unknown-0x4A" },
5768 { 0x4B, "unknown-0x4B" },
5769 { 0x4C, "unknown-0x4C" },
5770 { 0x4D, "unknown-0x4D" },
5771 { 0x4E, "unknown-0x4E" },
5772 { 0x4F, "unknown-0x4F" },
5773 { 0x50, "unknown-0x50" },
5774 { 0x51, "unknown-0x51" },
5775 { 0x52, "unknown-0x52" },
5776 { 0x53, "unknown-0x53" },
5777 { 0x54, "unknown-0x54" },
5778 { 0x55, "unknown-0x55" },
5779 { 0x56, "unknown-0x56" },
5780 { 0x57, "unknown-0x57" },
5781 { 0x58, "unknown-0x58" },
5782 { 0x59, "unknown-0x59" },
5783 { 0x5A, "unknown-0x5A" },
5784 { 0x5B, "unknown-0x5B" },
5785 { 0x5C, "unknown-0x5C" },
5786 { 0x5D, "unknown-0x5D" },
5787 { 0x5E, "unknown-0x5E" },
5788 { 0x5F, "unknown-0x5F" },
5789 { 0x60, "unknown-0x60" },
5790 { 0x61, "unknown-0x61" },
5791 { 0x62, "unknown-0x62" },
5792 { 0x63, "unknown-0x63" },
5793 { 0x64, "unknown-0x64" },
5794 { 0x65, "unknown-0x65" },
5795 { 0x66, "unknown-0x66" },
5796 { 0x67, "unknown-0x67" },
5797 { 0x68, "unknown-0x68" },
5798 { 0x69, "unknown-0x69" },
5799 { 0x6A, "unknown-0x6A" },
5800 { 0x6B, "unknown-0x6B" },
5801 { 0x6C, "unknown-0x6C" },
5802 { 0x6D, "unknown-0x6D" },
5803 { 0x6E, "unknown-0x6E" },
5804 { 0x6F, "unknown-0x6F" },
5805 { 0x70, "unknown-0x70" },
5806 { 0x71, "unknown-0x71" },
5807 { 0x72, "unknown-0x72" },
5808 { 0x73, "unknown-0x73" },
5809 { 0x74, "unknown-0x74" },
5810 { 0x75, "unknown-0x75" },
5811 { 0x76, "unknown-0x76" },
5812 { 0x77, "unknown-0x77" },
5813 { 0x78, "unknown-0x78" },
5814 { 0x79, "unknown-0x79" },
5815 { 0x7A, "unknown-0x7A" },
5816 { 0x7B, "unknown-0x7B" },
5817 { 0x7C, "unknown-0x7C" },
5818 { 0x7D, "unknown-0x7D" },
5819 { 0x7E, "unknown-0x7E" },
5820 { 0x7F, "unknown-0x7F" },
5821 { 0x80, "unknown-0x80" },
5822 { 0x81, "unknown-0x81" },
5823 { 0x82, "unknown-0x82" },
5824 { 0x83, "unknown-0x83" },
5825 { 0x84, "unknown-0x84" },
5826 { 0x85, "unknown-0x85" },
5827 { 0x86, "unknown-0x86" },
5828 { 0x87, "unknown-0x87" },
5829 { 0x88, "unknown-0x88" },
5830 { 0x89, "unknown-0x89" },
5831 { 0x8A, "unknown-0x8A" },
5832 { 0x8B, "unknown-0x8B" },
5833 { 0x8C, "unknown-0x8C" },
5834 { 0x8D, "unknown-0x8D" },
5835 { 0x8E, "unknown-0x8E" },
5836 { 0x8F, "unknown-0x8F" },
5837 { 0x90, "unknown-0x90" },
5838 { 0x91, "unknown-0x91" },
5839 { 0x92, "unknown-0x92" },
5840 { 0x93, "unknown-0x93" },
5841 { 0x94, "unknown-0x94" },
5842 { 0x95, "unknown-0x95" },
5843 { 0x96, "unknown-0x96" },
5844 { 0x97, "unknown-0x97" },
5845 { 0x98, "unknown-0x98" },
5846 { 0x99, "unknown-0x99" },
5847 { 0x9A, "unknown-0x9A" },
5848 { 0x9B, "unknown-0x9B" },
5849 { 0x9C, "unknown-0x9C" },
5850 { 0x9D, "unknown-0x9D" },
5851 { 0x9E, "unknown-0x9E" },
5852 { 0x9F, "unknown-0x9F" },
5853 { 0xA0, "unknown-0xA0" },
5854 { 0xA1, "unknown-0xA1" },
5855 { 0xA2, "unknown-0xA2" },
5856 { 0xA3, "unknown-0xA3" },
5857 { 0xA4, "unknown-0xA4" },
5858 { 0xA5, "unknown-0xA5" },
5859 { 0xA6, "unknown-0xA6" },
5860 { 0xA7, "unknown-0xA7" },
5861 { 0xA8, "unknown-0xA8" },
5862 { 0xA9, "unknown-0xA9" },
5863 { 0xAA, "unknown-0xAA" },
5864 { 0xAB, "unknown-0xAB" },
5865 { 0xAC, "unknown-0xAC" },
5866 { 0xAD, "unknown-0xAD" },
5867 { 0xAE, "unknown-0xAE" },
5868 { 0xAF, "unknown-0xAF" },
5869 { 0xB0, "unknown-0xB0" },
5870 { 0xB1, "unknown-0xB1" },
5871 { 0xB2, "unknown-0xB2" },
5872 { 0xB3, "unknown-0xB3" },
5873 { 0xB4, "unknown-0xB4" },
5874 { 0xB5, "unknown-0xB5" },
5875 { 0xB6, "unknown-0xB6" },
5876 { 0xB7, "unknown-0xB7" },
5877 { 0xB8, "unknown-0xB8" },
5878 { 0xB9, "unknown-0xB9" },
5879 { 0xBA, "unknown-0xBA" },
5880 { 0xBB, "unknown-0xBB" },
5881 { 0xBC, "unknown-0xBC" },
5882 { 0xBD, "unknown-0xBD" },
5883 { 0xBE, "unknown-0xBE" },
5884 { 0xBF, "unknown-0xBF" },
5885 { 0xC0, "unknown-0xC0" },
5886 { 0xC1, "unknown-0xC1" },
5887 { 0xC2, "unknown-0xC2" },
5888 { 0xC3, "unknown-0xC3" },
5889 { 0xC4, "unknown-0xC4" },
5890 { 0xC5, "unknown-0xC5" },
5891 { 0xC6, "unknown-0xC6" },
5892 { 0xC7, "unknown-0xC7" },
5893 { 0xC8, "unknown-0xC8" },
5894 { 0xC9, "unknown-0xC9" },
5895 { 0xCA, "unknown-0xCA" },
5896 { 0xCB, "unknown-0xCB" },
5897 { 0xCC, "unknown-0xCC" },
5898 { 0xCD, "unknown-0xCD" },
5899 { 0xCE, "unknown-0xCE" },
5900 { 0xCF, "unknown-0xCF" },
5901 { 0xD0, "unknown-0xD0" },
5902 { 0xD1, "unknown-0xD1" },
5903 { 0xD2, "unknown-0xD2" },
5904 { 0xD3, "unknown-0xD3" },
5905 { 0xD4, "unknown-0xD4" },
5906 { 0xD5, "unknown-0xD5" },
5907 { 0xD6, "unknown-0xD6" },
5908 { 0xD7, "unknown-0xD7" },
5909 { 0xD8, "unknown-0xD8" },
5910 { 0xD9, "unknown-0xD9" },
5911 { 0xDA, "unknown-0xDA" },
5912 { 0xDB, "unknown-0xDB" },
5913 { 0xDC, "unknown-0xDC" },
5914 { 0xDD, "unknown-0xDD" },
5915 { 0xDE, "unknown-0xDE" },
5916 { 0xDF, "unknown-0xDF" },
5917 { 0xE0, "unknown-0xE0" },
5918 { 0xE1, "unknown-0xE1" },
5919 { 0xE2, "unknown-0xE2" },
5920 { 0xE3, "unknown-0xE3" },
5921 { 0xE4, "unknown-0xE4" },
5922 { 0xE5, "unknown-0xE5" },
5923 { 0xE6, "unknown-0xE6" },
5924 { 0xE7, "unknown-0xE7" },
5925 { 0xE8, "unknown-0xE8" },
5926 { 0xE9, "unknown-0xE9" },
5927 { 0xEA, "unknown-0xEA" },
5928 { 0xEB, "unknown-0xEB" },
5929 { 0xEC, "unknown-0xEC" },
5930 { 0xED, "unknown-0xED" },
5931 { 0xEE, "unknown-0xEE" },
5932 { 0xEF, "unknown-0xEF" },
5933 { 0xF0, "unknown-0xF0" },
5934 { 0xF1, "unknown-0xF1" },
5935 { 0xF2, "unknown-0xF2" },
5936 { 0xF3, "unknown-0xF3" },
5937 { 0xF4, "unknown-0xF4" },
5938 { 0xF5, "unknown-0xF5" },
5939 { 0xF6, "unknown-0xF6" },
5940 { 0xF7, "unknown-0xF7" },
5941 { 0xF8, "unknown-0xF8" },
5942 { 0xF9, "unknown-0xF9" },
5943 { 0xFA, "unknown-0xFA" },
5944 { 0xFB, "unknown-0xFB" },
5945 { 0xFC, "unknown-0xFC" },
5946 { 0xFD, "unknown-0xFD" },
5947 { 0xFE, "unknown-0xFE" },
5948 { 0xFF, "unknown-0xFF" },
/* Extended value-string wrapper around smb2_cmd_vals; the "smb2.cmd" header
 * field registered in proto_register_smb2() refers to it (BASE_EXT_STRING). */
5951 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Map an SMB2 command opcode to its display name.
 *
 * The opcode is a 16-bit value taken from the packet, so the range test is
 * what keeps the direct array index inside smb2_cmd_vals.  Opcodes above 0xFF
 * yield the literal "unknown".
 *
 * Assumes smb2_cmd_vals is a dense table whose entry i describes opcode i for
 * 0x00..0xFF -- TODO confirm against the start of the table.
 */
static const char *decode_smb2_name(guint16 cmd)
{
	const char *name = "unknown";

	if (cmd <= 0xFF) {
		name = smb2_cmd_vals[cmd].strptr;
	}

	return name;
}
/*
 * Dispatch table indexed by the low byte of the SMB2 command opcode.  Each
 * entry holds a request handler and a response handler;
 * dissect_smb2_command() picks one according to SMB2_FLAGS_RESPONSE and
 * treats a NULL slot as "no dissector", showing an hf_smb2_unknown item
 * instead.
 *
 * The opcode is read from the packet, so the fixed size of 256 together with
 * the `& 0xff` mask at the call site is what keeps the index in bounds.
 *
 * NOTE(review): several short lines are absent from this listing: the opcode
 * labels for 0x05-0x12, the second slot of the Cancel entry and the closing
 * brace of the initializer.
 */
5959 static smb2_function smb2_dissector[256] = {
5960 /* 0x00 NegotiateProtocol*/
5961 {dissect_smb2_negotiate_protocol_request,
5962 dissect_smb2_negotiate_protocol_response},
5963 /* 0x01 SessionSetup*/
5964 {dissect_smb2_session_setup_request,
5965 dissect_smb2_session_setup_response},
5966 /* 0x02 SessionLogoff*/
5967 {dissect_smb2_sessionlogoff_request,
5968 dissect_smb2_sessionlogoff_response},
5969 /* 0x03 TreeConnect*/
5970 {dissect_smb2_tree_connect_request,
5971 dissect_smb2_tree_connect_response},
5972 /* 0x04 TreeDisconnect*/
5973 {dissect_smb2_tree_disconnect_request,
5974 dissect_smb2_tree_disconnect_response},
/* 0x05 (create) - index inferred from position */
5976 {dissect_smb2_create_request,
5977 dissect_smb2_create_response},
/* 0x06 (close) - index inferred from position */
5979 {dissect_smb2_close_request,
5980 dissect_smb2_close_response},
/* 0x07 (flush) - index inferred from position */
5982 {dissect_smb2_flush_request,
5983 dissect_smb2_flush_response},
/* 0x08 (read) - index inferred from position */
5985 {dissect_smb2_read_request,
5986 dissect_smb2_read_response},
/* 0x09 (write) - index inferred from position */
5988 {dissect_smb2_write_request,
5989 dissect_smb2_write_response},
/* 0x0a (lock) - index inferred from position */
5991 {dissect_smb2_lock_request,
5992 dissect_smb2_lock_response},
/* 0x0b (ioctl) - index inferred from position */
5994 {dissect_smb2_ioctl_request,
5995 dissect_smb2_ioctl_response},
/* 0x0c (cancel) - index inferred from position.
 * NOTE(review): the response slot of this entry is not present in this
 * listing. */
5997 {dissect_smb2_cancel_request,
/* 0x0d (keepalive) - index inferred from position */
6000 {dissect_smb2_keepalive_request,
6001 dissect_smb2_keepalive_response},
/* 0x0e (find) - index inferred from position */
6003 {dissect_smb2_find_request,
6004 dissect_smb2_find_response},
/* 0x0f (notify) - index inferred from position */
6006 {dissect_smb2_notify_request,
6007 dissect_smb2_notify_response},
/* 0x10 (getinfo) - index inferred from position */
6009 {dissect_smb2_getinfo_request,
6010 dissect_smb2_getinfo_response},
/* 0x11 (setinfo) - index inferred from position */
6012 {dissect_smb2_setinfo_request,
6013 dissect_smb2_setinfo_response},
/* 0x12 (break) - index inferred from position */
6015 {dissect_smb2_break_request,
6016 dissect_smb2_break_response},
/* 0x13-0xff: no handler; such opcodes are shown as unknown data. */
6017 /* 0x13 */ {NULL, NULL},
6018 /* 0x14 */ {NULL, NULL},
6019 /* 0x15 */ {NULL, NULL},
6020 /* 0x16 */ {NULL, NULL},
6021 /* 0x17 */ {NULL, NULL},
6022 /* 0x18 */ {NULL, NULL},
6023 /* 0x19 */ {NULL, NULL},
6024 /* 0x1a */ {NULL, NULL},
6025 /* 0x1b */ {NULL, NULL},
6026 /* 0x1c */ {NULL, NULL},
6027 /* 0x1d */ {NULL, NULL},
6028 /* 0x1e */ {NULL, NULL},
6029 /* 0x1f */ {NULL, NULL},
6030 /* 0x20 */ {NULL, NULL},
6031 /* 0x21 */ {NULL, NULL},
6032 /* 0x22 */ {NULL, NULL},
6033 /* 0x23 */ {NULL, NULL},
6034 /* 0x24 */ {NULL, NULL},
6035 /* 0x25 */ {NULL, NULL},
6036 /* 0x26 */ {NULL, NULL},
6037 /* 0x27 */ {NULL, NULL},
6038 /* 0x28 */ {NULL, NULL},
6039 /* 0x29 */ {NULL, NULL},
6040 /* 0x2a */ {NULL, NULL},
6041 /* 0x2b */ {NULL, NULL},
6042 /* 0x2c */ {NULL, NULL},
6043 /* 0x2d */ {NULL, NULL},
6044 /* 0x2e */ {NULL, NULL},
6045 /* 0x2f */ {NULL, NULL},
6046 /* 0x30 */ {NULL, NULL},
6047 /* 0x31 */ {NULL, NULL},
6048 /* 0x32 */ {NULL, NULL},
6049 /* 0x33 */ {NULL, NULL},
6050 /* 0x34 */ {NULL, NULL},
6051 /* 0x35 */ {NULL, NULL},
6052 /* 0x36 */ {NULL, NULL},
6053 /* 0x37 */ {NULL, NULL},
6054 /* 0x38 */ {NULL, NULL},
6055 /* 0x39 */ {NULL, NULL},
6056 /* 0x3a */ {NULL, NULL},
6057 /* 0x3b */ {NULL, NULL},
6058 /* 0x3c */ {NULL, NULL},
6059 /* 0x3d */ {NULL, NULL},
6060 /* 0x3e */ {NULL, NULL},
6061 /* 0x3f */ {NULL, NULL},
6062 /* 0x40 */ {NULL, NULL},
6063 /* 0x41 */ {NULL, NULL},
6064 /* 0x42 */ {NULL, NULL},
6065 /* 0x43 */ {NULL, NULL},
6066 /* 0x44 */ {NULL, NULL},
6067 /* 0x45 */ {NULL, NULL},
6068 /* 0x46 */ {NULL, NULL},
6069 /* 0x47 */ {NULL, NULL},
6070 /* 0x48 */ {NULL, NULL},
6071 /* 0x49 */ {NULL, NULL},
6072 /* 0x4a */ {NULL, NULL},
6073 /* 0x4b */ {NULL, NULL},
6074 /* 0x4c */ {NULL, NULL},
6075 /* 0x4d */ {NULL, NULL},
6076 /* 0x4e */ {NULL, NULL},
6077 /* 0x4f */ {NULL, NULL},
6078 /* 0x50 */ {NULL, NULL},
6079 /* 0x51 */ {NULL, NULL},
6080 /* 0x52 */ {NULL, NULL},
6081 /* 0x53 */ {NULL, NULL},
6082 /* 0x54 */ {NULL, NULL},
6083 /* 0x55 */ {NULL, NULL},
6084 /* 0x56 */ {NULL, NULL},
6085 /* 0x57 */ {NULL, NULL},
6086 /* 0x58 */ {NULL, NULL},
6087 /* 0x59 */ {NULL, NULL},
6088 /* 0x5a */ {NULL, NULL},
6089 /* 0x5b */ {NULL, NULL},
6090 /* 0x5c */ {NULL, NULL},
6091 /* 0x5d */ {NULL, NULL},
6092 /* 0x5e */ {NULL, NULL},
6093 /* 0x5f */ {NULL, NULL},
6094 /* 0x60 */ {NULL, NULL},
6095 /* 0x61 */ {NULL, NULL},
6096 /* 0x62 */ {NULL, NULL},
6097 /* 0x63 */ {NULL, NULL},
6098 /* 0x64 */ {NULL, NULL},
6099 /* 0x65 */ {NULL, NULL},
6100 /* 0x66 */ {NULL, NULL},
6101 /* 0x67 */ {NULL, NULL},
6102 /* 0x68 */ {NULL, NULL},
6103 /* 0x69 */ {NULL, NULL},
6104 /* 0x6a */ {NULL, NULL},
6105 /* 0x6b */ {NULL, NULL},
6106 /* 0x6c */ {NULL, NULL},
6107 /* 0x6d */ {NULL, NULL},
6108 /* 0x6e */ {NULL, NULL},
6109 /* 0x6f */ {NULL, NULL},
6110 /* 0x70 */ {NULL, NULL},
6111 /* 0x71 */ {NULL, NULL},
6112 /* 0x72 */ {NULL, NULL},
6113 /* 0x73 */ {NULL, NULL},
6114 /* 0x74 */ {NULL, NULL},
6115 /* 0x75 */ {NULL, NULL},
6116 /* 0x76 */ {NULL, NULL},
6117 /* 0x77 */ {NULL, NULL},
6118 /* 0x78 */ {NULL, NULL},
6119 /* 0x79 */ {NULL, NULL},
6120 /* 0x7a */ {NULL, NULL},
6121 /* 0x7b */ {NULL, NULL},
6122 /* 0x7c */ {NULL, NULL},
6123 /* 0x7d */ {NULL, NULL},
6124 /* 0x7e */ {NULL, NULL},
6125 /* 0x7f */ {NULL, NULL},
6126 /* 0x80 */ {NULL, NULL},
6127 /* 0x81 */ {NULL, NULL},
6128 /* 0x82 */ {NULL, NULL},
6129 /* 0x83 */ {NULL, NULL},
6130 /* 0x84 */ {NULL, NULL},
6131 /* 0x85 */ {NULL, NULL},
6132 /* 0x86 */ {NULL, NULL},
6133 /* 0x87 */ {NULL, NULL},
6134 /* 0x88 */ {NULL, NULL},
6135 /* 0x89 */ {NULL, NULL},
6136 /* 0x8a */ {NULL, NULL},
6137 /* 0x8b */ {NULL, NULL},
6138 /* 0x8c */ {NULL, NULL},
6139 /* 0x8d */ {NULL, NULL},
6140 /* 0x8e */ {NULL, NULL},
6141 /* 0x8f */ {NULL, NULL},
6142 /* 0x90 */ {NULL, NULL},
6143 /* 0x91 */ {NULL, NULL},
6144 /* 0x92 */ {NULL, NULL},
6145 /* 0x93 */ {NULL, NULL},
6146 /* 0x94 */ {NULL, NULL},
6147 /* 0x95 */ {NULL, NULL},
6148 /* 0x96 */ {NULL, NULL},
6149 /* 0x97 */ {NULL, NULL},
6150 /* 0x98 */ {NULL, NULL},
6151 /* 0x99 */ {NULL, NULL},
6152 /* 0x9a */ {NULL, NULL},
6153 /* 0x9b */ {NULL, NULL},
6154 /* 0x9c */ {NULL, NULL},
6155 /* 0x9d */ {NULL, NULL},
6156 /* 0x9e */ {NULL, NULL},
6157 /* 0x9f */ {NULL, NULL},
6158 /* 0xa0 */ {NULL, NULL},
6159 /* 0xa1 */ {NULL, NULL},
6160 /* 0xa2 */ {NULL, NULL},
6161 /* 0xa3 */ {NULL, NULL},
6162 /* 0xa4 */ {NULL, NULL},
6163 /* 0xa5 */ {NULL, NULL},
6164 /* 0xa6 */ {NULL, NULL},
6165 /* 0xa7 */ {NULL, NULL},
6166 /* 0xa8 */ {NULL, NULL},
6167 /* 0xa9 */ {NULL, NULL},
6168 /* 0xaa */ {NULL, NULL},
6169 /* 0xab */ {NULL, NULL},
6170 /* 0xac */ {NULL, NULL},
6171 /* 0xad */ {NULL, NULL},
6172 /* 0xae */ {NULL, NULL},
6173 /* 0xaf */ {NULL, NULL},
6174 /* 0xb0 */ {NULL, NULL},
6175 /* 0xb1 */ {NULL, NULL},
6176 /* 0xb2 */ {NULL, NULL},
6177 /* 0xb3 */ {NULL, NULL},
6178 /* 0xb4 */ {NULL, NULL},
6179 /* 0xb5 */ {NULL, NULL},
6180 /* 0xb6 */ {NULL, NULL},
6181 /* 0xb7 */ {NULL, NULL},
6182 /* 0xb8 */ {NULL, NULL},
6183 /* 0xb9 */ {NULL, NULL},
6184 /* 0xba */ {NULL, NULL},
6185 /* 0xbb */ {NULL, NULL},
6186 /* 0xbc */ {NULL, NULL},
6187 /* 0xbd */ {NULL, NULL},
6188 /* 0xbe */ {NULL, NULL},
6189 /* 0xbf */ {NULL, NULL},
6190 /* 0xc0 */ {NULL, NULL},
6191 /* 0xc1 */ {NULL, NULL},
6192 /* 0xc2 */ {NULL, NULL},
6193 /* 0xc3 */ {NULL, NULL},
6194 /* 0xc4 */ {NULL, NULL},
6195 /* 0xc5 */ {NULL, NULL},
6196 /* 0xc6 */ {NULL, NULL},
6197 /* 0xc7 */ {NULL, NULL},
6198 /* 0xc8 */ {NULL, NULL},
6199 /* 0xc9 */ {NULL, NULL},
6200 /* 0xca */ {NULL, NULL},
6201 /* 0xcb */ {NULL, NULL},
6202 /* 0xcc */ {NULL, NULL},
6203 /* 0xcd */ {NULL, NULL},
6204 /* 0xce */ {NULL, NULL},
6205 /* 0xcf */ {NULL, NULL},
6206 /* 0xd0 */ {NULL, NULL},
6207 /* 0xd1 */ {NULL, NULL},
6208 /* 0xd2 */ {NULL, NULL},
6209 /* 0xd3 */ {NULL, NULL},
6210 /* 0xd4 */ {NULL, NULL},
6211 /* 0xd5 */ {NULL, NULL},
6212 /* 0xd6 */ {NULL, NULL},
6213 /* 0xd7 */ {NULL, NULL},
6214 /* 0xd8 */ {NULL, NULL},
6215 /* 0xd9 */ {NULL, NULL},
6216 /* 0xda */ {NULL, NULL},
6217 /* 0xdb */ {NULL, NULL},
6218 /* 0xdc */ {NULL, NULL},
6219 /* 0xdd */ {NULL, NULL},
6220 /* 0xde */ {NULL, NULL},
6221 /* 0xdf */ {NULL, NULL},
6222 /* 0xe0 */ {NULL, NULL},
6223 /* 0xe1 */ {NULL, NULL},
6224 /* 0xe2 */ {NULL, NULL},
6225 /* 0xe3 */ {NULL, NULL},
6226 /* 0xe4 */ {NULL, NULL},
6227 /* 0xe5 */ {NULL, NULL},
6228 /* 0xe6 */ {NULL, NULL},
6229 /* 0xe7 */ {NULL, NULL},
6230 /* 0xe8 */ {NULL, NULL},
6231 /* 0xe9 */ {NULL, NULL},
6232 /* 0xea */ {NULL, NULL},
6233 /* 0xeb */ {NULL, NULL},
6234 /* 0xec */ {NULL, NULL},
6235 /* 0xed */ {NULL, NULL},
6236 /* 0xee */ {NULL, NULL},
6237 /* 0xef */ {NULL, NULL},
6238 /* 0xf0 */ {NULL, NULL},
6239 /* 0xf1 */ {NULL, NULL},
6240 /* 0xf2 */ {NULL, NULL},
6241 /* 0xf3 */ {NULL, NULL},
6242 /* 0xf4 */ {NULL, NULL},
6243 /* 0xf5 */ {NULL, NULL},
6244 /* 0xf6 */ {NULL, NULL},
6245 /* 0xf7 */ {NULL, NULL},
6246 /* 0xf8 */ {NULL, NULL},
6247 /* 0xf9 */ {NULL, NULL},
6248 /* 0xfa */ {NULL, NULL},
6249 /* 0xfb */ {NULL, NULL},
6250 /* 0xfc */ {NULL, NULL},
6251 /* 0xfd */ {NULL, NULL},
6252 /* 0xfe */ {NULL, NULL},
6253 /* 0xff */ {NULL, NULL},
/* Value of the transform header's encryption-algorithm field for which
 * dissect_smb2_transform_header() attempts decryption (compared with
 * sti->alg). */
6257 #define ENC_ALG_aes128_ccm 0x0001
/*
 * Dissect an SMB2 transform header (the wrapper around an encrypted message)
 * and, when a key is available, decrypt its payload.
 *
 * Fields are consumed in this order: 16-byte signature, 16-byte nonce (copied
 * into sti->nonce), 4-byte message size (sti->size), 2 reserved bytes, 2-byte
 * encryption-algorithm bitmask (sti->alg) and 8-byte session id (sti->sesid).
 * The session id is looked up in sti->conv->sesids; for an authenticated
 * session the account, domain, host and auth frame are added as generated
 * items.
 *
 * On return *enc_tvb is a subset tvb covering the sti->size payload bytes and
 * *plain_tvb, if decryption ran, is a child tvb holding the decrypted copy.
 * The caller uses the return value as the new offset.
 *
 * NOTE(review): this listing omits a number of short lines (return type,
 * braces, offset increments, short declarations and the statements before
 * each `goto done_decryption`), so parts of the flow described here are
 * inferred from what remains.
 */
6260 dissect_smb2_transform_header(packet_info *pinfo _U_, proto_tree *tree,
6261 tvbuff_t *tvb, int offset,
6262 smb2_transform_info_t *sti,
6263 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
6265 proto_item *sesid_item = NULL;
6266 proto_tree *sesid_tree = NULL;
6267 smb2_sesid_info_t sesid_key;
6269 guint8 *plain_data = NULL;
6270 #ifdef HAVE_LIBGCRYPT
6271 guint8 *decryption_key = NULL;
6275 static const int *sf_fields[] = {
6276 &hf_smb2_encryption_aes128_ccm,
6284 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6288 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* assumes sti->nonce has room for 16 bytes -- TODO confirm against
 * smb2_transform_info_t */
6289 tvb_memcpy(tvb, sti->nonce, offset, 16);
6293 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* sti->size comes straight from the packet.  Every later use of it as a
 * length (tvb_memdup, gcry_cipher_encrypt, tvb_new_subset, offset += ...)
 * relies on the tvbuff layer rejecting out-of-range requests.
 * NOTE(review): confirm the behaviour for values above G_MAXINT, where a
 * length may be reinterpreted as negative by an int parameter. */
6294 sti->size = tvb_get_letohl(tvb, offset);
6298 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6302 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_enc_alg, ett_smb2_transform_enc_alg, sf_fields, ENC_LITTLE_ENDIAN);
6303 sti->alg = tvb_get_letohs(tvb, offset);
6307 sesid_offset = offset;
6308 sti->sesid = tvb_get_letoh64(tvb, offset);
6309 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6311 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
6315 /* now we need to first lookup the uid session */
6316 sesid_key.sesid = sti->sesid;
6317 sti->session = g_hash_table_lookup(sti->conv->sesids, &sesid_key);
/* auth_frame == (guint32)-1 marks a placeholder session whose name strings
 * are NULL (see dissect_smb2_tid_sesid), so names are only formatted for
 * sessions that carry a real auth frame. */
6319 if (sti->session != NULL && sti->session->auth_frame != (guint32)-1) {
6320 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, sti->session->acct_name);
6321 PROTO_ITEM_SET_GENERATED(item);
6322 proto_item_append_text(sesid_item, " Acct:%s", sti->session->acct_name);
6324 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, sti->session->domain_name);
6325 PROTO_ITEM_SET_GENERATED(item);
6326 proto_item_append_text(sesid_item, " Domain:%s", sti->session->domain_name);
6328 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, sti->session->host_name);
6329 PROTO_ITEM_SET_GENERATED(item);
6330 proto_item_append_text(sesid_item, " Host:%s", sti->session->host_name);
6332 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, sti->session->auth_frame);
6333 PROTO_ITEM_SET_GENERATED(item);
6336 #ifdef HAVE_LIBGCRYPT
6337 if (sti->session != NULL && sti->alg == ENC_ALG_aes128_ccm) {
6338 static const guint8 zeros[16];
/* Direction selects the key: traffic whose destination port equals the
 * session's server_port uses server_decryption_key, anything else the
 * client key. */
6340 if (pinfo->destport == sti->session->server_port) {
6341 decryption_key = sti->session->server_decryption_key;
6343 decryption_key = sti->session->client_decryption_key;
/* An all-zero 16-byte key is treated as "no key known". */
6346 if (memcmp(decryption_key, zeros, 16) == 0) {
6347 decryption_key = NULL;
6351 if (decryption_key != NULL) {
6352 gcry_cipher_hd_t cipher_hd = NULL;
/* Initial counter block: first byte 3, then 11 nonce bytes copied in by the
 * memcpy below, then a trailing counter whose last byte is 1. */
6354 3, 0, 0, 0, 0, 0, 0, 0,
6355 0, 0, 0, 0, 0, 0, 0, 1
6358 memcpy(&A_1[1], sti->nonce, 15 - 4);
6360 plain_data = tvb_memdup(tvb, offset, sti->size);
/* AES-128 is run in plain CTR mode here.  No verification of the 16-byte
 * signature field against the payload is visible in this function, so the
 * decrypted bytes are unauthenticated and must be dissected as untrusted
 * input, exactly like raw packet bytes. */
6362 /* Open the cipher. */
6363 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
6366 goto done_decryption;
6369 /* Set the key and initial value. */
6370 if (gcry_cipher_setkey(cipher_hd, decryption_key, 16)) {
6371 gcry_cipher_close(cipher_hd);
6374 goto done_decryption;
6376 if (gcry_cipher_setctr(cipher_hd, A_1, 16)) {
6377 gcry_cipher_close(cipher_hd);
6380 goto done_decryption;
/* With a NULL input buffer libgcrypt transforms plain_data in place. */
6383 if (gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0)) {
6384 gcry_cipher_close(cipher_hd);
6387 goto done_decryption;
6390 /* Done with the cipher. */
6391 gcry_cipher_close(cipher_hd);
6395 *enc_tvb = tvb_new_subset(tvb, offset, sti->size, sti->size);
/* Ownership of plain_data passes to *plain_tvb, which releases it with
 * g_free.  NOTE(review): this branch keys off plain_data != NULL, so every
 * failure path above has to free the buffer and reset the pointer to NULL;
 * those statements are not visible in this listing -- confirm. */
6397 if (plain_data != NULL) {
6398 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
6399 tvb_set_free_cb(*plain_tvb, g_free);
6400 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
6403 offset += sti->size;
/*
 * Create the command subtree and dispatch to the per-opcode dissector.
 *
 * The handler is taken from smb2_dissector[] using the low byte of
 * si->opcode, with the request or response slot chosen by
 * SMB2_FLAGS_RESPONSE.  A NULL slot is shown as one hf_smb2_unknown item
 * covering the rest of the tvb.  The subtree length is then set to the number
 * of bytes consumed.
 *
 * NOTE(review): si->opcode is a 16-bit value taken from the packet.  The
 * label comes from decode_smb2_name(), which reports "unknown" for any opcode
 * above 0xFF, while the dispatch below masks with 0xff and therefore still
 * runs the handler for the low byte.  Consider treating opcode > 0xFF as
 * unknown before dispatch so that label and handler agree.
 *
 * NOTE(review): the return type, the format string and last argument of the
 * proto_tree_add_text() call, the `else` and the return statement are not
 * present in this listing.
 */
6408 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
6410 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
6411 proto_item *cmd_item;
6412 proto_tree *cmd_tree;
6413 int old_offset = offset;
6415 cmd_item = proto_tree_add_text(tree, tvb, offset, -1,
6417 decode_smb2_name(si->opcode),
6418 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
6420 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb2_command);
/* The 0xff mask keeps the index inside the 256-entry table. */
6423 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
6424 smb2_dissector[si->opcode&0xff].response:
6425 smb2_dissector[si->opcode&0xff].request;
6426 if (cmd_dissector) {
6427 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
/* No handler: show the remaining bytes as unknown and consume them. */
6429 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
6430 offset = tvb_length(tvb);
6433 proto_item_set_len(cmd_item, offset-old_offset);
/*
 * Dissect the id fields of the SMB2 header and resolve them against the
 * per-conversation state.
 *
 * Depending on SMB2_FLAGS_ASYNC_CMD the first 8 bytes are either an async id
 * or a process id followed by a tree id (si->tid); the 8-byte session id
 * (si->sesid) follows.  The session is looked up in si->conv->sesids.  When
 * no session is known the function returns early unless the command is
 * opcode 0x03 (TreeConnect in smb2_dissector[]), in which case a placeholder
 * session is allocated with se_alloc(), given NULL name strings and
 * auth_frame == (guint32)-1, and inserted into the table.  For sessions with
 * a real auth_frame the account, domain and host names are shown as generated
 * items.  For non-async commands the tree id is then looked up in the
 * session's tids table and, if found, its name, share type and connect frame
 * are shown.
 *
 * Review notes:
 *  - the auth_frame sentinel is what keeps the NULL name strings of a
 *    placeholder session out of the "%s" formatting calls;
 *  - a placeholder session and a new GHashTable are created for every
 *    previously unseen session id on a TreeConnect, and the session id is
 *    packet-controlled; no cap or teardown is visible in this listing;
 *  - NOTE(review): the guard around the early return (presumably a test for
 *    si->session == NULL) is among the short lines missing from this listing
 *    -- confirm against the full file.
 */
6439 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
6441 proto_item *tid_item = NULL;
6442 proto_tree *tid_tree = NULL;
6443 smb2_tid_info_t tid_key;
6445 proto_item *sesid_item = NULL;
6446 proto_tree *sesid_tree = NULL;
6447 smb2_sesid_info_t sesid_key;
6453 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
6454 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6458 pid = tvb_get_letohl(tvb, offset);
6459 proto_tree_add_uint_format(tree, hf_smb2_pid, tvb, offset, 4, pid, "Process Id: %08x",pid);
6463 tid_offset = offset;
6464 si->tid = tvb_get_letohl(tvb, offset);
6465 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6467 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
6473 sesid_offset = offset;
6474 si->sesid = tvb_get_letoh64(tvb, offset);
6475 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6477 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
6481 /* now we need to first lookup the uid session */
6482 sesid_key.sesid = si->sesid;
6483 si->session = g_hash_table_lookup(si->conv->sesids, &sesid_key);
6485 if (si->opcode != 0x03) return offset;
6487 /* if we come to a session that is unknown, and the operation is
6488 * a tree connect, we create a dummy session, so we can hang the
6491 si->session = se_alloc(sizeof(smb2_sesid_info_t));
6492 si->session->sesid = si->sesid;
6493 si->session->acct_name = NULL;
6494 si->session->domain_name = NULL;
6495 si->session->host_name = NULL;
6496 si->session->auth_frame = (guint32)-1;
6497 si->session->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
6498 g_hash_table_insert(si->conv->sesids, si->session, si->session);
6503 if (si->session->auth_frame != (guint32)-1) {
6504 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, si->session->acct_name);
6505 PROTO_ITEM_SET_GENERATED(item);
6506 proto_item_append_text(sesid_item, " Acct:%s", si->session->acct_name);
6508 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, si->session->domain_name);
6509 PROTO_ITEM_SET_GENERATED(item);
6510 proto_item_append_text(sesid_item, " Domain:%s", si->session->domain_name);
6512 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, si->session->host_name);
6513 PROTO_ITEM_SET_GENERATED(item);
6514 proto_item_append_text(sesid_item, " Host:%s", si->session->host_name);
6516 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, si->session->auth_frame);
6517 PROTO_ITEM_SET_GENERATED(item);
6520 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
6521 /* see if we can find the name for this tid */
6522 tid_key.tid = si->tid;
6523 si->tree = g_hash_table_lookup(si->session->tids, &tid_key);
/* An unknown tree id is not an error: the generated items are skipped. */
6524 if (!si->tree) return offset;
6526 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
6527 PROTO_ITEM_SET_GENERATED(item);
6528 proto_item_append_text(tid_item, " %s", si->tree->name);
6530 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
6531 PROTO_ITEM_SET_GENERATED(item);
6533 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
6534 PROTO_ITEM_SET_GENERATED(item);
/*
 * Dissect one SMB2 PDU, or an SMB2 transform (encrypted) wrapper, starting at
 * the beginning of tvb.
 *
 * A first byte of 0xfd selects the transform-header path; otherwise the plain
 * SMB2 header is decoded field by field, the request is paired with its
 * response through the per-conversation `unmatched`/`matched` tables keyed by
 * sequence number, and the command body is handed to dissect_smb2_command().
 * Per-conversation state (smb2_conv_info_t and its three hash tables) is
 * created on first use and attached to the conversation.
 *
 * first_in_chain distinguishes the first PDU of a frame from chained or
 * decrypted PDUs when the info column is updated.
 *
 * Security-relevant points for reviewers:
 *  - every header value (flags, opcode, chain offset, sequence number,
 *    session and tree ids) is read from the packet and is untrusted;
 *  - the function calls itself for a decrypted payload and for each chained
 *    PDU, so nesting depth follows packet content;
 *  - a saved-request record is allocated with se_alloc() for requests that
 *    have no entry in the unmatched table yet.
 *
 * NOTE(review): this listing omits many short lines (return type, braces,
 * `else`, offset increments, short declarations), so parts of the control
 * flow described here are inferred from what remains.
 */
6541 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
6543 gboolean smb2_transform_header = FALSE;
6544 proto_item *seqnum_item;
6545 proto_item *item = NULL;
6546 proto_tree *tree = NULL;
6547 proto_item *header_item = NULL;
6548 proto_tree *header_tree = NULL;
6549 proto_item *flags_item = NULL;
6550 proto_tree *flags_tree = NULL;
6552 int chain_offset = 0;
6553 char* label = smb_header_label;
6554 conversation_t *conversation;
6555 smb2_saved_info_t *ssi = NULL, ssi_key;
6557 smb2_transform_info_t *sti;
6559 sti = ep_alloc(sizeof(smb2_transform_info_t));
6560 si = ep_alloc(sizeof(smb2_info_t));
6564 si->top_tree = parent_tree;
/* 0xfd as the first byte marks an SMB2 transform header;
 * dissect_smb2_heur() only admits 0xfe or 0xfd in this position. */
6566 if (tvb_get_guint8(tvb, 0) == 0xfd) {
6567 smb2_transform_header = TRUE;
6568 label = smb_transform_header_label;
6570 /* find which conversation we are part of and get the data for that
6573 conversation = find_or_create_conversation(pinfo);
6574 si->conv = conversation_get_proto_data(conversation, proto_smb2);
6576 /* no smb2_into_t structure for this conversation yet,
6579 si->conv = se_alloc(sizeof(smb2_conv_info_t));
6580 /* qqq this leaks memory for now since we never free
6582 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
6583 smb2_saved_info_equal_matched);
6584 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
6585 smb2_saved_info_equal_unmatched);
6586 si->conv->sesids = g_hash_table_new(smb2_sesid_info_hash,
6587 smb2_sesid_info_equal);
6589 conversation_add_proto_data(conversation, proto_smb2, si->conv);
6592 sti->conv = si->conv;
6594 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
6595 if (check_col(pinfo->cinfo, COL_INFO)) {
6596 if (first_in_chain) {
6598 col_clear(pinfo->cinfo, COL_INFO);
6600 col_append_str(pinfo->cinfo, COL_INFO, ";");
6605 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset,
6607 tree = proto_item_add_subtree(item, ett_smb2);
6612 header_item = proto_tree_add_text(tree, tvb, offset, -1, "%s", label);
6613 header_tree = proto_item_add_subtree(header_item, ett_smb2_header);
6616 /* Decode the header */
6618 if (!smb2_transform_header) {
6620 proto_tree_add_text(header_tree, tvb, offset, 4, "Server Component: SMB2");
6623 /* we need the flags before we know how to parse the credits field */
6624 si->flags = tvb_get_letohl(tvb, offset+12);
6627 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6630 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
6631 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6635 if (si->flags & SMB2_FLAGS_RESPONSE) {
6636 si->status = tvb_get_letohl(tvb, offset);
6637 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6641 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6643 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* si->opcode is a 16-bit value from the packet; dissect_smb2_command()
 * masks it with 0xff before indexing the dispatch table. */
6648 si->opcode = tvb_get_letohs(tvb, offset);
6649 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6653 if (si->flags & SMB2_FLAGS_RESPONSE) {
6654 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6656 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6662 flags_item = proto_tree_add_text(header_tree, tvb, offset, 4,
6663 "Flags: 0x%08x", si->flags);
6664 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_flags);
6666 proto_tree_add_boolean(flags_tree, hf_smb2_flags_replay_operation, tvb, offset, 4, si->flags);
6667 proto_tree_add_boolean(flags_tree, hf_smb2_flags_dfs_op, tvb, offset, 4, si->flags);
6668 proto_tree_add_boolean(flags_tree, hf_smb2_flags_signature, tvb, offset, 4, si->flags);
6669 proto_tree_add_boolean(flags_tree, hf_smb2_flags_chained, tvb, offset, 4, si->flags);
6670 proto_tree_add_boolean(flags_tree, hf_smb2_flags_async_cmd, tvb, offset, 4, si->flags);
6671 proto_tree_add_boolean(flags_tree, hf_smb2_flags_response, tvb, offset, 4, si->flags);
/* chain_offset is a signed int filled from an unsigned 32-bit read, so
 * packet values with the top bit set become negative and fail the `> 0`
 * test further down.
 * NOTE(review): the value is fetched little-endian here but the tree item on
 * the next line is added with ENC_BIG_ENDIAN, so the displayed and filterable
 * value will not match the one actually used for chaining.
 * ENC_LITTLE_ENDIAN looks like the intended encoding -- confirm. */
6676 chain_offset = tvb_get_letohl(tvb, offset);
6677 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_BIG_ENDIAN);
6680 /* command sequence number*/
6681 si->seqnum = tvb_get_letoh64(tvb, offset);
6682 ssi_key.seqnum = si->seqnum;
6683 seqnum_item = proto_tree_add_item(header_tree, hf_smb2_seqnum, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* A sequence number of -1 is labelled as an unsolicited response. */
6684 if (seqnum_item && (si->seqnum == -1)) {
6685 proto_item_append_text(seqnum_item, " (unsolicited response)");
6689 /* Tree ID and Session ID */
6690 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
6693 proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
6696 proto_item_set_len(header_item, offset);
6699 if (check_col(pinfo->cinfo, COL_INFO)) {
6700 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
6701 decode_smb2_name(si->opcode),
6702 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
6705 pinfo->cinfo, COL_INFO, ", Error: %s",
6706 val_to_str(si->status, NT_errors,
6707 "Unknown (0x%08X)"));
6712 if (!pinfo->fd->flags.visited) {
6713 /* see if we can find this seqnum in the unmatched table */
6714 ssi = g_hash_table_lookup(si->conv->unmatched, &ssi_key);
6716 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
6717 /* This is a request */
6719 /* this is a request and we already found
6720 * an older ssi so just delete the previous
6723 g_hash_table_remove(si->conv->unmatched, ssi);
6728 /* no we couldnt find it, so just add it then
6729 * if was a request we are decoding
6731 ssi = se_alloc(sizeof(smb2_saved_info_t));
6734 ssi->seqnum = ssi_key.seqnum;
6735 ssi->frame_req = pinfo->fd->num;
6737 ssi->req_time = pinfo->fd->abs_ts;
6738 ssi->extra_info = NULL;
6739 ssi->extra_info_type = SMB2_EI_NONE;
6740 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
6743 /* This is a response */
6745 /* just set the response frame and move it to the matched table */
6746 ssi->frame_res = pinfo->fd->num;
6747 g_hash_table_remove(si->conv->unmatched, ssi);
6748 g_hash_table_insert(si->conv->matched, ssi, ssi);
6752 /* see if we can find this seqnum in the matched table */
6753 ssi = g_hash_table_lookup(si->conv->matched, &ssi_key);
6754 /* if we couldnt find it in the matched table, it might still
6755 * be in the unmatched table
6758 ssi = g_hash_table_lookup(si->conv->unmatched, &ssi_key);
6763 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
6764 if (ssi->frame_res) {
6765 proto_item *tmp_item;
6766 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
6767 PROTO_ITEM_SET_GENERATED(tmp_item);
6770 if (ssi->frame_req) {
6771 proto_item *tmp_item;
6774 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
6775 PROTO_ITEM_SET_GENERATED(tmp_item);
6776 t = pinfo->fd->abs_ts;
6777 nstime_delta(&deltat, &t, &ssi->req_time);
6778 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
6780 PROTO_ITEM_SET_GENERATED(tmp_item);
6784 /* if we dont have ssi yet we must fake it */
6788 tap_queue_packet(smb2_tap, pinfo, si);
6790 /* Decode the payload */
6791 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
6793 proto_item *enc_item;
6794 proto_tree *enc_tree;
6795 tvbuff_t *enc_tvb = NULL;
6796 tvbuff_t *plain_tvb = NULL;
6798 /* SMB2_TRANSFORM marker */
6799 proto_tree_add_text(header_tree, tvb, offset, 4, "Server Component: SMB2_TRANSFORM");
6802 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
6803 &enc_tvb, &plain_tvb);
6805 enc_item = proto_tree_add_text(tree, enc_tvb, 0, sti->size, "Encrypted SMB3 data");
6806 enc_tree = proto_item_add_subtree(enc_item, ett_smb2_encrypted);
/* The decrypted buffer is re-dissected as a fresh SMB2 PDU.  No integrity
 * check of it is visible in dissect_smb2_transform_header(), so it deserves
 * no more trust than raw packet bytes. */
6807 if (plain_tvb != NULL) {
6808 col_append_fstr(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
6809 dissect_smb2(plain_tvb, pinfo, enc_tree, FALSE);
6811 col_append_fstr(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
6812 proto_tree_add_item(enc_tree, hf_smb2_transform_encyrpted_data,
6813 enc_tvb, 0, sti->size, ENC_LITTLE_ENDIAN);
/* Data left after the encrypted payload is treated as another PDU. */
6816 if (tvb_reported_length_remaining(tvb, offset) > 0) {
6817 chain_offset = offset;
/* chain_offset is either the header's chain offset field read above or, on
 * the transform path, the end of the encrypted payload.  Only `> 0` is
 * checked here; tvb_new_subset_remaining() is relied on to reject an offset
 * past the end of the buffer.
 * NOTE(review): each chained PDU adds one level of recursion; consider a
 * loop or a depth limit for long compound chains. */
6821 if (chain_offset > 0) {
6824 proto_item_set_len(item, chain_offset);
6826 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
6827 offset = dissect_smb2(next_tvb, pinfo, parent_tree, FALSE);
/*
 * Heuristic entry point: accept the buffer as SMB2 only if it holds at least
 * four bytes and starts with 0xFE or 0xFD followed by 'S', 'M', 'B', then run
 * the full dissector with first_in_chain set to TRUE.
 *
 * The length test comes first so the four tvb_get_guint8() reads stay inside
 * the available data.  Only this 4-byte marker is validated here; everything
 * after it is parsed by dissect_smb2() as untrusted input.
 *
 * NOTE(review): the return type and the return statements are among the short
 * lines missing from this listing.
 */
6834 dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
6837 /* must check that this really is a smb2 packet */
6838 if (tvb_length(tvb) < 4)
6841 if (((tvb_get_guint8(tvb, 0) != 0xfe) && (tvb_get_guint8(tvb, 0) != 0xfd))
6842 || (tvb_get_guint8(tvb, 1) != 'S')
6843 || (tvb_get_guint8(tvb, 2) != 'M')
6844 || (tvb_get_guint8(tvb, 3) != 'B') ) {
6848 dissect_smb2(tvb, pinfo, parent_tree, TRUE);
6854 proto_register_smb2(void)
6856 static hf_register_info hf[] = {
6858 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC|BASE_EXT_STRING,
6859 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }},
6860 { &hf_smb2_response_to,
6861 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
6862 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
6863 { &hf_smb2_response_in,
6864 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
6865 NULL, 0, "The response to this packet is in this packet", HFILL }},
6867 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
6868 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }},
6869 { &hf_smb2_header_len,
6870 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
6871 NULL, 0, "SMB2 Size of Header", HFILL }},
6872 { &hf_smb2_nt_status,
6873 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX,
6874 VALS(NT_errors), 0, "NT Status code", HFILL }},
6876 { "Command Sequence Number", "smb2.seq_num", FT_INT64, BASE_DEC,
6877 NULL, 0, "SMB2 Command Sequence Number", HFILL }},
6879 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
6880 NULL, 0, "SMB2 Tree Id", HFILL }},
6882 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
6883 NULL, 0, "SMB2 Async Id", HFILL }},
6885 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
6886 NULL, 0, "SMB2 Session Id", HFILL }},
6887 { &hf_smb2_previous_sesid,
6888 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
6889 NULL, 0, "SMB2 Previous Session Id", HFILL }},
6890 { &hf_smb2_chain_offset,
6891 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
6892 NULL, 0, "SMB2 Chain Offset", HFILL }},
6893 { &hf_smb2_end_of_file,
6894 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
6895 NULL, 0, "SMB2 End Of File/File size", HFILL }},
6897 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
6898 NULL, 0, "Number of links to this object", HFILL }},
6900 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
6901 NULL, 0, "SMB2 File Id", HFILL }},
6902 { &hf_smb2_allocation_size,
6903 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
6904 NULL, 0, "SMB2 Allocation Size for this object", HFILL }},
6905 { &hf_smb2_max_response_size,
6906 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
6907 NULL, 0, "SMB2 Maximum response size", HFILL }},
6908 { &hf_smb2_setinfo_size,
6909 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
6910 NULL, 0, "SMB2 setinfo size", HFILL }},
6911 { &hf_smb2_setinfo_offset,
6912 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
6913 NULL, 0, "SMB2 setinfo offset", HFILL }},
6914 { &hf_smb2_max_ioctl_out_size,
6915 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
6916 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
6917 { &hf_smb2_max_ioctl_in_size,
6918 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
6919 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
6920 { &hf_smb2_required_buffer_size,
6921 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
6922 NULL, 0, "SMB2 required buffer size", HFILL }},
6924 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
6925 NULL, 0, "SMB2 Process Id", HFILL }},
6926 { &hf_smb2_flags_response,
6927 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
6928 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }},
6929 { &hf_smb2_flags_async_cmd,
6930 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
6931 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }},
6932 { &hf_smb2_flags_dfs_op,
6933 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
6934 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }},
6935 { &hf_smb2_flags_chained,
6936 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
6937 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }},
6938 { &hf_smb2_flags_signature,
6939 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
6940 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }},
6941 { &hf_smb2_flags_replay_operation,
6942 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
6943 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }},
6945 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
6946 NULL, 0, "Name of the Tree/Share", HFILL }},
6947 { &hf_smb2_filename,
6948 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
6949 NULL, 0, "Name of the file", HFILL }},
6950 { &hf_smb2_filename_len,
6951 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
6952 NULL, 0, "Length of the file name", HFILL }},
6954 { &hf_smb2_data_offset,
6955 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
6956 NULL, 0, "Offset to data", HFILL }},
6958 { &hf_smb2_find_info_level,
6959 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
6960 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }},
6961 { &hf_smb2_find_flags,
6962 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
6963 NULL, 0, NULL, HFILL }},
6965 { &hf_smb2_find_pattern,
6966 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
6967 NULL, 0, "Find pattern", HFILL }},
6969 { &hf_smb2_find_info_blob,
6970 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
6971 NULL, 0, "Find Info", HFILL }},
6974 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
6975 NULL, 0, "Size of EA data", HFILL }},
6978 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
6979 VALS(smb2_class_vals), 0, "Info class", HFILL }},
6981 { &hf_smb2_infolevel,
6982 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
6983 NULL, 0, NULL, HFILL }},
6985 { &hf_smb2_infolevel_file_info,
6986 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX,
6987 VALS(smb2_file_info_levels), 0, "File_Info Infolevel", HFILL }},
6989 { &hf_smb2_infolevel_fs_info,
6990 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX,
6991 VALS(smb2_fs_info_levels), 0, "Fs_Info Infolevel", HFILL }},
6993 { &hf_smb2_infolevel_sec_info,
6994 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX,
6995 VALS(smb2_sec_info_levels), 0, "Sec_Info Infolevel", HFILL }},
6997 { &hf_smb2_write_length,
6998 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
6999 NULL, 0, "Amount of data to write", HFILL }},
7001 { &hf_smb2_read_length,
7002 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
7003 NULL, 0, "Amount of data to read", HFILL }},
7005 { &hf_smb2_read_remaining,
7006 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
7007 NULL, 0, NULL, HFILL }},
7009 { &hf_smb2_create_flags,
7010 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
7011 NULL, 0, NULL, HFILL }},
7013 { &hf_smb2_file_offset,
7014 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
7015 NULL, 0, NULL, HFILL }},
7017 { &hf_smb2_security_blob,
7018 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
7019 NULL, 0, NULL, HFILL }},
7021 { &hf_smb2_ioctl_out_data,
7022 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
7023 NULL, 0, "Ioctl Out", HFILL }},
7025 { &hf_smb2_ioctl_in_data,
7026 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
7027 NULL, 0, "Ioctl In", HFILL }},
7029 { &hf_smb2_server_guid,
7030 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
7031 NULL, 0, NULL, HFILL }},
7033 { &hf_smb2_client_guid,
7034 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
7035 NULL, 0, NULL, HFILL }},
7037 { &hf_smb2_object_id,
7038 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
7039 NULL, 0, "ObjectID for this FID", HFILL }},
7041 { &hf_smb2_birth_volume_id,
7042 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
7043 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }},
7045 { &hf_smb2_birth_object_id,
7046 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
7047 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }},
7049 { &hf_smb2_domain_id,
7050 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
7051 NULL, 0, NULL, HFILL }},
7053 { &hf_smb2_create_timestamp,
7054 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7055 NULL, 0, "Time when this object was created", HFILL }},
7058 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
7059 NULL, 0, "SMB2 File Id", HFILL }},
7061 { &hf_smb2_write_data,
7062 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
7063 NULL, 0, "SMB2 Data to be written", HFILL }},
7065 { &hf_smb2_write_flags,
7066 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
7067 NULL, 0, NULL, HFILL }},
7069 { &hf_smb2_write_flags_write_through,
7070 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
7071 NULL, SMB2_WRITE_FLAG_WRITE_THROUGH, NULL, HFILL }},
7073 { &hf_smb2_write_count,
7074 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
7075 NULL, 0, NULL, HFILL }},
7077 { &hf_smb2_write_remaining,
7078 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
7079 NULL, 0, NULL, HFILL }},
7081 { &hf_smb2_read_data,
7082 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
7083 NULL, 0, "SMB2 Data that is read", HFILL }},
7085 { &hf_smb2_last_access_timestamp,
7086 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7087 NULL, 0, "Time when this object was last accessed", HFILL }},
7089 { &hf_smb2_last_write_timestamp,
7090 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7091 NULL, 0, "Time when this object was last written to", HFILL }},
7093 { &hf_smb2_last_change_timestamp,
7094 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7095 NULL, 0, "Time when this object was last changed", HFILL }},
7097 { &hf_smb2_file_all_info,
7098 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
7099 NULL, 0, "SMB2_FILE_ALL_INFO structure", HFILL }},
7101 { &hf_smb2_file_allocation_info,
7102 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
7103 NULL, 0, "SMB2_FILE_ALLOCATION_INFO structure", HFILL }},
7105 { &hf_smb2_file_endoffile_info,
7106 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
7107 NULL, 0, "SMB2_FILE_ENDOFFILE_INFO structure", HFILL }},
7109 { &hf_smb2_file_alternate_name_info,
7110 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
7111 NULL, 0, "SMB2_FILE_ALTERNATE_NAME_INFO structure", HFILL }},
7113 { &hf_smb2_file_stream_info,
7114 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
7115 NULL, 0, "SMB2_FILE_STREAM_INFO structure", HFILL }},
7117 { &hf_smb2_file_pipe_info,
7118 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
7119 NULL, 0, "SMB2_FILE_PIPE_INFO structure", HFILL }},
7121 { &hf_smb2_file_compression_info,
7122 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
7123 NULL, 0, "SMB2_FILE_COMPRESSION_INFO structure", HFILL }},
7125 { &hf_smb2_file_basic_info,
7126 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
7127 NULL, 0, "SMB2_FILE_BASIC_INFO structure", HFILL }},
7129 { &hf_smb2_file_standard_info,
7130 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
7131 NULL, 0, "SMB2_FILE_STANDARD_INFO structure", HFILL }},
7133 { &hf_smb2_file_internal_info,
7134 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
7135 NULL, 0, "SMB2_FILE_INTERNAL_INFO structure", HFILL }},
7137 { &hf_smb2_file_mode_info,
7138 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
7139 NULL, 0, "SMB2_FILE_MODE_INFO structure", HFILL }},
7141 { &hf_smb2_file_alignment_info,
7142 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
7143 NULL, 0, "SMB2_FILE_ALIGNMENT_INFO structure", HFILL }},
7145 { &hf_smb2_file_position_info,
7146 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
7147 NULL, 0, "SMB2_FILE_POSITION_INFO structure", HFILL }},
7149 { &hf_smb2_file_access_info,
7150 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
7151 NULL, 0, "SMB2_FILE_ACCESS_INFO structure", HFILL }},
7153 { &hf_smb2_file_ea_info,
7154 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
7155 NULL, 0, "SMB2_FILE_EA_INFO structure", HFILL }},
7157 { &hf_smb2_file_network_open_info,
7158 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
7159 NULL, 0, "SMB2_FILE_NETWORK_OPEN_INFO structure", HFILL }},
7161 { &hf_smb2_file_attribute_tag_info,
7162 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
7163 NULL, 0, "SMB2_FILE_ATTRIBUTE_TAG_INFO structure", HFILL }},
7165 { &hf_smb2_file_disposition_info,
7166 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
7167 NULL, 0, "SMB2_FILE_DISPOSITION_INFO structure", HFILL }},
7169 { &hf_smb2_file_info_0f,
7170 { "SMB2_FILE_INFO_0f", "smb2.file_info_0f", FT_NONE, BASE_NONE,
7171 NULL, 0, "SMB2_FILE_INFO_0f structure", HFILL }},
7173 { &hf_smb2_file_rename_info,
7174 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
7175 NULL, 0, "SMB2_FILE_RENAME_INFO structure", HFILL }},
7177 { &hf_smb2_fs_info_01,
7178 { "SMB2_FS_INFO_01", "smb2.fs_info_01", FT_NONE, BASE_NONE,
7179 NULL, 0, "SMB2_FS_INFO_01 structure", HFILL }},
7181 { &hf_smb2_fs_info_03,
7182 { "SMB2_FS_INFO_03", "smb2.fs_info_03", FT_NONE, BASE_NONE,
7183 NULL, 0, "SMB2_FS_INFO_03 structure", HFILL }},
7185 { &hf_smb2_fs_info_04,
7186 { "SMB2_FS_INFO_04", "smb2.fs_info_04", FT_NONE, BASE_NONE,
7187 NULL, 0, "SMB2_FS_INFO_04 structure", HFILL }},
7189 { &hf_smb2_fs_info_05,
7190 { "SMB2_FS_INFO_05", "smb2.fs_info_05", FT_NONE, BASE_NONE,
7191 NULL, 0, "SMB2_FS_INFO_05 structure", HFILL }},
7193 { &hf_smb2_fs_info_06,
7194 { "SMB2_FS_INFO_06", "smb2.fs_info_06", FT_NONE, BASE_NONE,
7195 NULL, 0, "SMB2_FS_INFO_06 structure", HFILL }},
7197 { &hf_smb2_fs_info_07,
7198 { "SMB2_FS_INFO_07", "smb2.fs_info_07", FT_NONE, BASE_NONE,
7199 NULL, 0, "SMB2_FS_INFO_07 structure", HFILL }},
7201 { &hf_smb2_fs_objectid_info,
7202 { "SMB2_FS_OBJECTID_INFO", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
7203 NULL, 0, "SMB2_FS_OBJECTID_INFO structure", HFILL }},
7205 { &hf_smb2_sec_info_00,
7206 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
7207 NULL, 0, "SMB2_SEC_INFO_00 structure", HFILL }},
7209 { &hf_smb2_disposition_delete_on_close,
7210 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
7211 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }},
7214 { &hf_smb2_create_disposition,
7215 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
7216 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
7218 { &hf_smb2_create_action,
7219 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
7220 VALS(oa_open_vals), 0, NULL, HFILL }},
7222 { &hf_smb2_create_rep_flags,
7223 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
7224 NULL, 0, NULL, HFILL }},
7226 { &hf_smb2_create_rep_flags_reparse_point,
7227 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
7228 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }},
7230 { &hf_smb2_extrainfo,
7231 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
7232 NULL, 0, "Create ExtraInfo", HFILL }},
7234 { &hf_smb2_create_chain_offset,
7235 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
7236 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
7238 { &hf_smb2_create_chain_data,
7239 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
7240 NULL, 0, "Chain Data", HFILL }},
7242 { &hf_smb2_FILE_OBJECTID_BUFFER,
7243 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
7244 NULL, 0, "A FILE_OBJECTID_BUFFER structure", HFILL }},
7246 { &hf_smb2_lease_key,
7247 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
7248 NULL, 0, NULL, HFILL }},
7250 { &hf_smb2_lease_state,
7251 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
7252 NULL, 0, NULL, HFILL }},
7254 { &hf_smb2_lease_state_read_caching,
7255 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
7256 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }},
7258 { &hf_smb2_lease_state_handle_caching,
7259 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
7260 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }},
7262 { &hf_smb2_lease_state_write_caching,
7263 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
7264 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }},
7266 { &hf_smb2_lease_flags,
7267 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
7268 NULL, 0, NULL, HFILL }},
7270 { &hf_smb2_lease_flags_break_ack_required,
7271 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
7272 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }},
7274 { &hf_smb2_lease_flags_break_in_progress,
7275 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
7276 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }},
7278 { &hf_smb2_lease_flags_parent_lease_key_set,
7279 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
7280 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }},
7282 { &hf_smb2_lease_duration,
7283 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
7284 NULL, 0, NULL, HFILL }},
7286 { &hf_smb2_parent_lease_key,
7287 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
7288 NULL, 0, NULL, HFILL }},
7290 { &hf_smb2_lease_epoch,
7291 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT32, BASE_HEX,
7292 NULL, 0, NULL, HFILL }},
7294 { &hf_smb2_lease_break_reason,
7295 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
7296 NULL, 0, NULL, HFILL }},
7298 { &hf_smb2_lease_access_mask_hint,
7299 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
7300 NULL, 0, NULL, HFILL }},
7302 { &hf_smb2_lease_share_mask_hint,
7303 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
7304 NULL, 0, NULL, HFILL }},
7306 { &hf_smb2_next_offset,
7307 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
7308 NULL, 0, "Offset to next buffer or 0", HFILL }},
7310 { &hf_smb2_current_time,
7311 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7312 NULL, 0, "Current Time at server", HFILL }},
7314 { &hf_smb2_boot_time,
7315 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7316 NULL, 0, "Boot Time at server", HFILL }},
7318 { &hf_smb2_ea_flags,
7319 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
7320 NULL, 0, NULL, HFILL }},
7322 { &hf_smb2_ea_name_len,
7323 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
7324 NULL, 0, NULL, HFILL }},
7326 { &hf_smb2_ea_data_len,
7327 { "EA Data Length", "smb2.ea.data_len", FT_UINT8, BASE_DEC,
7328 NULL, 0, NULL, HFILL }},
7330 { &hf_smb2_delete_pending,
7331 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
7332 NULL, 0, NULL, HFILL }},
7334 { &hf_smb2_is_directory,
7335 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
7336 NULL, 0, "Is this a directory?", HFILL }},
7339 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
7340 VALS(oplock_vals), 0, "Oplock type", HFILL }},
7342 { &hf_smb2_close_flags,
7343 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
7344 NULL, 0, NULL, HFILL }},
7346 { &hf_smb2_notify_flags,
7347 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
7348 NULL, 0, NULL, HFILL }},
7350 { &hf_smb2_buffer_code_len,
7351 { "Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
7352 NULL, 0, "Length of fixed portion of PDU", HFILL }},
7354 { &hf_smb2_olb_length,
7355 { "Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
7356 NULL, 0, "Length of the buffer", HFILL }},
7358 { &hf_smb2_olb_offset,
7359 { "Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
7360 NULL, 0, "Offset to the buffer", HFILL }},
7362 { &hf_smb2_buffer_code_flags_dyn,
7363 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
7364 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }},
7367 { "EA Data", "smb2.ea.data", FT_STRING, BASE_NONE,
7368 NULL, 0, NULL, HFILL }},
7371 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
7372 NULL, 0, NULL, HFILL }},
7374 { &hf_smb2_impersonation_level,
7375 { "Impersonation", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
7376 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
7378 { &hf_smb2_ioctl_function,
7379 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX,
7380 VALS(smb2_ioctl_vals), 0, "Ioctl function", HFILL }},
7382 { &hf_smb2_ioctl_function_device,
7383 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX,
7384 VALS(smb2_ioctl_device_vals), 0xffff0000, "Device for Ioctl", HFILL }},
7386 { &hf_smb2_ioctl_function_access,
7387 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
7388 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }},
7390 { &hf_smb2_ioctl_function_function,
7391 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
7392 NULL, 0x00003ffc, "Function for Ioctl", HFILL }},
7394 { &hf_smb2_ioctl_function_method,
7395 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
7396 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }},
7398 { &hf_smb2_ioctl_resiliency_timeout,
7399 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
7400 NULL, 0, "Resiliency timeout", HFILL }},
7402 { &hf_smb2_ioctl_resiliency_reserved,
7403 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
7404 NULL, 0, "Resiliency reserved", HFILL }},
7406 { &hf_windows_sockaddr_family,
7407 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
7408 NULL, 0, "The socket address family (on windows)", HFILL }},
7410 { &hf_windows_sockaddr_port,
7411 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
7412 NULL, 0, "The socket address port", HFILL }},
7414 { &hf_windows_sockaddr_in_addr,
7415 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
7416 NULL, 0, "The IPv4 address", HFILL }},
7418 { &hf_windows_sockaddr_in6_flowinfo,
7419 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
7420 NULL, 0, "The socket IPv6 flow info", HFILL }},
7422 { &hf_windows_sockaddr_in6_addr,
7423 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
7424 NULL, 0, "The IPv6 address", HFILL }},
7426 { &hf_windows_sockaddr_in6_scope_id,
7427 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
7428 NULL, 0, "The socket IPv6 scope id", HFILL }},
7430 { &hf_smb2_ioctl_network_interface_next_offset,
7431 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
7432 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
7434 { &hf_smb2_ioctl_network_interface_index,
7435 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
7436 NULL, 0, "The index of the interface", HFILL }},
7438 { &hf_smb2_ioctl_network_interface_rss_queue_count,
7439 { "RSS Queue Count", "smb2.ioctl.network_interfaces.rss_queue_count", FT_UINT32, BASE_DEC,
7440 NULL, 0, "The RSS queue count", HFILL }},
7442 { &hf_smb2_ioctl_network_interface_capabilities,
7443 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
7444 NULL, 0, "The RSS queue count", HFILL }},
7446 { &hf_smb2_ioctl_network_interface_capability_rss,
7447 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
7448 TFS(&tfs_smb2_ioctl_network_interface_capability_rss),
7449 NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }},
7451 { &hf_smb2_ioctl_network_interface_capability_rdma,
7452 { "RMDA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
7453 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma),
7454 NETWORK_INTERFACE_CAP_RMDA, "If the host supports RDMA", HFILL }},
7456 { &hf_smb2_ioctl_network_interface_link_speed,
7457 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
7458 NULL, 0, "The link speed of the interface", HFILL }},
7460 { &hf_smb2_ioctl_shadow_copy_num_volumes,
7461 { "Num Volumes", "smb2.ioctl.shadow_copy.num_volumes", FT_UINT32, BASE_DEC,
7462 NULL, 0, "Number of shadow copy volumes", HFILL }},
7464 { &hf_smb2_ioctl_shadow_copy_num_labels,
7465 { "Num Labels", "smb2.ioctl.shadow_copy.num_labels", FT_UINT32, BASE_DEC,
7466 NULL, 0, "Number of shadow copy labels", HFILL }},
7468 { &hf_smb2_ioctl_shadow_copy_label,
7469 { "Label", "smb2.ioctl.shadow_copy.label", FT_STRING, BASE_NONE,
7470 NULL, 0, "Shadow copy label", HFILL }},
7472 { &hf_smb2_compression_format,
7473 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
7474 VALS(compression_format_vals), 0, "Compression to use", HFILL }},
7476 { &hf_smb2_share_type,
7477 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
7478 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }},
7480 { &hf_smb2_credit_charge,
7481 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
7482 NULL, 0, NULL, HFILL }},
7484 { &hf_smb2_credits_requested,
7485 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
7486 NULL, 0, NULL, HFILL }},
7488 { &hf_smb2_credits_granted,
7489 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
7490 NULL, 0, NULL, HFILL }},
7492 { &hf_smb2_channel_sequence,
7493 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
7494 NULL, 0, NULL, HFILL }},
7496 { &hf_smb2_dialect_count,
7497 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
7498 NULL, 0, NULL, HFILL }},
7501 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
7502 NULL, 0, NULL, HFILL }},
7504 { &hf_smb2_security_mode,
7505 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
7506 NULL, 0, NULL, HFILL }},
7508 { &hf_smb2_session_flags,
7509 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
7510 NULL, 0, NULL, HFILL }},
7512 { &hf_smb2_lock_count,
7513 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
7514 NULL, 0, NULL, HFILL }},
7516 { &hf_smb2_capabilities,
7517 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
7518 NULL, 0, NULL, HFILL }},
7520 { &hf_smb2_ioctl_shadow_copy_count,
7521 { "Count", "smb2.ioctl.shadow_copy.count", FT_UINT32, BASE_DEC,
7522 NULL, 0, "Number of bytes for shadow copy label strings", HFILL }},
7524 { &hf_smb2_auth_frame,
7525 { "Authenticated in Frame", "smb2.auth_frame", FT_UINT32, BASE_DEC,
7526 NULL, 0, "Which frame this user was authenticated in", HFILL }},
7528 { &hf_smb2_tcon_frame,
7529 { "Connected in Frame", "smb2.tcon_frame", FT_UINT32, BASE_DEC,
7530 NULL, 0, "Which frame this share was connected in", HFILL }},
7533 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
7534 NULL, 0, "Tag of chain entry", HFILL }},
7536 { &hf_smb2_acct_name,
7537 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
7538 NULL, 0, "Account Name", HFILL }},
7540 { &hf_smb2_domain_name,
7541 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
7542 NULL, 0, "Domain Name", HFILL }},
7544 { &hf_smb2_host_name,
7545 { "Host", "smb2.host", FT_STRING, BASE_NONE,
7546 NULL, 0, "Host Name", HFILL }},
7548 { &hf_smb2_signature,
7549 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
7550 NULL, 0, NULL, HFILL }},
7553 { "unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
7554 NULL, 0, "Unknown bytes", HFILL }},
7556 { &hf_smb2_twrp_timestamp,
7557 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7558 NULL, 0, "TWrp timestamp", HFILL }},
7560 { &hf_smb2_mxac_timestamp,
7561 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7562 NULL, 0, "MxAc timestamp", HFILL }},
7564 { &hf_smb2_mxac_status,
7565 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX,
7566 VALS(NT_errors), 0, "NT Status code", HFILL }},
7568 { &hf_smb2_qfid_fid,
7569 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
7570 NULL, 0, NULL, HFILL }},
7572 { &hf_smb2_ses_flags_guest,
7573 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
7574 NULL, SES_FLAGS_GUEST, NULL, HFILL }},
7576 { &hf_smb2_ses_flags_null,
7577 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
7578 NULL, SES_FLAGS_NULL, NULL, HFILL }},
7580 { &hf_smb2_secmode_flags_sign_required,
7581 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
7582 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }},
7584 { &hf_smb2_secmode_flags_sign_enabled,
7585 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
7586 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }},
7588 { &hf_smb2_ses_req_flags,
7589 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
7590 NULL, 0, NULL, HFILL }},
7592 { &hf_smb2_ses_req_flags_session_binding,
7593 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
7594 NULL, SES_REQ_FLAGS_SESSION_BINDING,
7595 "The client wants to bind to an existing session", HFILL }},
7598 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
7599 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }},
7601 { &hf_smb2_cap_leasing,
7602 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
7603 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING,
7604 "If the host supports leasing", HFILL }},
7606 { &hf_smb2_cap_large_mtu,
7607 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
7608 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU,
7609 "If the host supports LARGE MTU", HFILL }},
7611 { &hf_smb2_cap_multi_channel,
7612 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
7613 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL,
7614 "If the host supports MULTI CHANNEL", HFILL }},
7616 { &hf_smb2_cap_persistent_handles,
7617 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
7618 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES,
7619 "If the host supports PERSISTENT HANDLES", HFILL }},
7621 { &hf_smb2_cap_directory_leasing,
7622 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
7623 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING,
7624 "If the host supports DIRECTORY LEASING", HFILL }},
7626 { &hf_smb2_cap_encryption,
7627 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
7628 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION,
7629 "If the host supports ENCRYPTION", HFILL }},
7631 { &hf_smb2_max_trans_size,
7632 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
7633 NULL, 0, "Maximum size of a transaction", HFILL }},
7635 { &hf_smb2_max_read_size,
7636 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
7637 NULL, 0, "Maximum size of a read", HFILL }},
7639 { &hf_smb2_max_write_size,
7640 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
7641 NULL, 0, "Maximum size of a write", HFILL }},
7644 { "Channel", "smb2.channel", FT_UINT32, BASE_DEC,
7645 NULL, 0, NULL, HFILL }},
7647 { &hf_smb2_share_flags,
7648 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
7649 NULL, 0, NULL, HFILL }},
7651 { &hf_smb2_share_flags_dfs,
7652 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
7653 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
7655 { &hf_smb2_share_flags_dfs_root,
7656 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
7657 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
7659 { &hf_smb2_share_flags_restrict_exclusive_opens,
7660 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
7661 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }},
7663 { &hf_smb2_share_flags_force_shared_delete,
7664 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
7665 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }},
7667 { &hf_smb2_share_flags_allow_namespace_caching,
7668 { "Allow namepsace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
7669 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }},
7671 { &hf_smb2_share_flags_access_based_dir_enum,
7672 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
7673 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }},
7675 { &hf_smb2_share_flags_force_levelii_oplock,
7676 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
7677 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }},
7679 { &hf_smb2_share_flags_enable_hash_v1,
7680 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
7681 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
7683 { &hf_smb2_share_flags_enable_hash_v2,
7684 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
7685 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
7687 { &hf_smb2_share_flags_encrypt_data,
7688 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
7689 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }},
7691 { &hf_smb2_share_caching,
7692 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
7693 VALS(share_cache_vals), 0, NULL, HFILL }},
7695 { &hf_smb2_share_caps,
7696 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
7697 NULL, 0, NULL, HFILL }},
7699 { &hf_smb2_share_caps_dfs,
7700 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
7701 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }},
7703 { &hf_smb2_share_caps_continuous_availability,
7704 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
7705 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY,
7706 "The specified share is continuously available", HFILL }},
7708 { &hf_smb2_share_caps_scaleout,
7709 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
7710 NULL, SHARE_CAPS_SCALEOUT,
7711 "The specified share is a scaleout share", HFILL }},
7713 { &hf_smb2_share_caps_cluster,
7714 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
7715 NULL, SHARE_CAPS_CLUSTER,
7716 "The specified share is a cluster share", HFILL }},
7718 { &hf_smb2_ioctl_flags,
7719 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
7720 NULL, 0, NULL, HFILL }},
7722 { &hf_smb2_min_count,
7723 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
7724 NULL, 0, NULL, HFILL }},
7726 { &hf_smb2_remaining_bytes,
7727 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
7729 { &hf_smb2_channel_info_offset,
7730 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
7731 NULL, 0, NULL, HFILL }},
7733 { &hf_smb2_channel_info_length,
7734 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
7735 NULL, 0, NULL, HFILL }},
7737 { &hf_smb2_ioctl_is_fsctl,
7738 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
7739 NULL, 0x00000001, NULL, HFILL }},
7741 { &hf_smb2_output_buffer_len,
7742 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT16, BASE_DEC,
7743 NULL, 0, NULL, HFILL }},
7745 { &hf_smb2_close_pq_attrib,
7746 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
7747 NULL, 0x0001, NULL, HFILL }},
7749 { &hf_smb2_notify_watch_tree,
7750 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
7751 NULL, 0x0001, NULL, HFILL }},
7753 { &hf_smb2_notify_out_data,
7754 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
7755 NULL, 0, NULL, HFILL }},
7757 { &hf_smb2_find_flags_restart_scans,
7758 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
7759 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }},
7761 { &hf_smb2_find_flags_single_entry,
7762 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
7763 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }},
7765 { &hf_smb2_find_flags_index_specified,
7766 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
7767 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }},
7769 { &hf_smb2_find_flags_reopen,
7770 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
7771 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }},
7773 { &hf_smb2_file_index,
7774 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
7775 NULL, 0, NULL, HFILL }},
7777 { &hf_smb2_file_directory_info,
7778 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
7779 NULL, 0, NULL, HFILL }},
7781 { &hf_smb2_full_directory_info,
7782 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
7783 NULL, 0, NULL, HFILL }},
7785 { &hf_smb2_both_directory_info,
7786 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
7787 NULL, 0, NULL, HFILL }},
7789 { &hf_smb2_id_both_directory_info,
7790 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
7791 NULL, 0, NULL, HFILL }},
7793 { &hf_smb2_short_name_len,
7794 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
7795 NULL, 0, NULL, HFILL }},
7797 { &hf_smb2_short_name,
7798 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
7799 NULL, 0, NULL, HFILL }},
7801 { &hf_smb2_lock_info,
7802 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
7803 NULL, 0, NULL, HFILL }},
7805 { &hf_smb2_lock_length,
7806 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
7807 NULL, 0, NULL, HFILL }},
7809 { &hf_smb2_lock_flags,
7810 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
7811 NULL, 0, NULL, HFILL }},
7813 { &hf_smb2_lock_flags_shared,
7814 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
7815 NULL, 0x00000001, NULL, HFILL }},
7817 { &hf_smb2_lock_flags_exclusive,
7818 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
7819 NULL, 0x00000002, NULL, HFILL }},
7821 { &hf_smb2_lock_flags_unlock,
7822 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
7823 NULL, 0x00000004, NULL, HFILL }},
7825 { &hf_smb2_lock_flags_fail_immediately,
7826 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
7827 NULL, 0x00000010, NULL, HFILL }},
7829 { &hf_smb2_error_reserved,
7830 { "Reserved", "smb2.error.reserved", FT_UINT16, BASE_HEX,
7831 NULL, 0, NULL, HFILL }},
7833 { &hf_smb2_error_byte_count,
7834 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
7835 NULL, 0, NULL, HFILL }},
7837 { &hf_smb2_error_data,
7838 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
7839 NULL, 0, NULL, HFILL }},
7841 { &hf_smb2_reserved,
7842 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
7843 NULL, 0, "Reserved bytes", HFILL }},
7845 { &hf_smb2_dhnq_buffer_reserved,
7846 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
7847 NULL, 0, NULL, HFILL}},
7849 { &hf_smb2_dh2x_buffer_timeout,
7850 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
7851 NULL, 0, NULL, HFILL}},
7853 { &hf_smb2_dh2x_buffer_flags,
7854 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
7855 NULL, 0, NULL, HFILL}},
7857 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
7858 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
7859 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL}},
7861 { &hf_smb2_dh2x_buffer_reserved,
7862 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
7863 NULL, 0, NULL, HFILL}},
7865 { &hf_smb2_dh2x_buffer_create_guid,
7866 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
7867 NULL, 0, NULL, HFILL}},
7869 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
7870 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
7871 NULL, 0, NULL, HFILL}},
7873 { &hf_smb2_APP_INSTANCE_buffer_reserved,
7874 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
7875 NULL, 0, NULL, HFILL}},
7877 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
7878 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
7879 NULL, 0, NULL, HFILL}},
7881 { &hf_smb2_transform_signature,
7882 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
7883 NULL, 0, NULL, HFILL }},
7885 { &hf_smb2_transform_nonce,
7886 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
7887 NULL, 0, NULL, HFILL }},
7889 { &hf_smb2_transform_msg_size,
7890 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
7891 NULL, 0, NULL, HFILL }},
7893 { &hf_smb2_transform_reserved,
7894 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
7895 NULL, 0, NULL, HFILL }},
7897 { &hf_smb2_transform_enc_alg,
7898 { "Encryption ALG", "smb2.header.transform.encryption_alg", FT_UINT16, BASE_HEX,
7899 NULL, 0, NULL, HFILL }},
7901 { &hf_smb2_encryption_aes128_ccm,
7902 { "SMB2_ENCRYPTION_AES128_CCM", "smb2.header.transform.enc_aes128_ccm", FT_BOOLEAN, 16,
7903 NULL, ENC_ALG_aes128_ccm, NULL, HFILL }},
7905 { &hf_smb2_transform_encyrpted_data,
7906 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
7907 NULL, 0, NULL, HFILL }},
7911 static gint *ett[] = {
7916 &ett_smb2_encrypted,
7919 &ett_smb2_file_basic_info,
7920 &ett_smb2_file_standard_info,
7921 &ett_smb2_file_internal_info,
7922 &ett_smb2_file_ea_info,
7923 &ett_smb2_file_access_info,
7924 &ett_smb2_file_rename_info,
7925 &ett_smb2_file_disposition_info,
7926 &ett_smb2_file_position_info,
7927 &ett_smb2_file_info_0f,
7928 &ett_smb2_file_mode_info,
7929 &ett_smb2_file_alignment_info,
7930 &ett_smb2_file_all_info,
7931 &ett_smb2_file_allocation_info,
7932 &ett_smb2_file_endoffile_info,
7933 &ett_smb2_file_alternate_name_info,
7934 &ett_smb2_file_stream_info,
7935 &ett_smb2_file_pipe_info,
7936 &ett_smb2_file_compression_info,
7937 &ett_smb2_file_network_open_info,
7938 &ett_smb2_file_attribute_tag_info,
7939 &ett_smb2_fs_info_01,
7940 &ett_smb2_fs_info_03,
7941 &ett_smb2_fs_info_04,
7942 &ett_smb2_fs_info_05,
7943 &ett_smb2_fs_info_06,
7944 &ett_smb2_fs_info_07,
7945 &ett_smb2_fs_objectid_info,
7946 &ett_smb2_sec_info_00,
7948 &ett_smb2_sesid_tree,
7949 &ett_smb2_create_chain_element,
7950 &ett_smb2_MxAc_buffer,
7951 &ett_smb2_QFid_buffer,
7952 &ett_smb2_RqLs_buffer,
7953 &ett_smb2_ioctl_function,
7954 &ett_smb2_FILE_OBJECTID_BUFFER,
7957 &ett_smb2_capabilities,
7958 &ett_smb2_ses_req_flags,
7959 &ett_smb2_ses_flags,
7960 &ett_smb2_create_rep_flags,
7961 &ett_smb2_lease_state,
7962 &ett_smb2_lease_flags,
7963 &ett_smb2_share_flags,
7964 &ett_smb2_share_caps,
7965 &ett_smb2_ioctl_flags,
7966 &ett_smb2_ioctl_network_interface,
7967 &ett_windows_sockaddr,
7968 &ett_smb2_close_flags,
7969 &ett_smb2_notify_flags,
7970 &ett_smb2_write_flags,
7971 &ett_smb2_find_flags,
7972 &ett_smb2_file_directory_info,
7973 &ett_smb2_both_directory_info,
7974 &ett_smb2_id_both_directory_info,
7975 &ett_smb2_full_directory_info,
7976 &ett_smb2_file_name_info,
7977 &ett_smb2_lock_info,
7978 &ett_smb2_lock_flags,
7979 &ett_smb2_DH2Q_buffer,
7980 &ett_smb2_DH2C_buffer,
7981 &ett_smb2_dh2x_flags,
7982 &ett_smb2_APP_INSTANCE_buffer,
7983 &ett_smb2_transform_enc_alg,
7986 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
7988 proto_register_subtree_array(ett, array_length(ett));
7989 proto_register_field_array(proto_smb2, hf, array_length(hf));
7991 register_heur_dissector_list("smb2_heur_subdissectors", &smb2_heur_subdissector_list);
7992 smb2_tap = register_tap("smb2");
/*
 * Handoff-time setup for the SMB2 dissector.
 *
 * Looks up the "gssapi" and "ntlmssp" dissectors by name and stores the
 * results in gssapi_handle and ntlmssp_handle, then registers
 * dissect_smb2_heur on the "netbios" heuristic dissector list for
 * proto_smb2.
 *
 * NOTE(review): this listing omits some lines of the file (the gutter
 * numbers skip), so only the statements shown are described.
 */
7996 proto_reg_handoff_smb2(void)
/*
 * Resolve the two dissectors by their registered names.
 * NOTE(review): the code that uses these handles is not shown; confirm it
 * tolerates a handle that could not be resolved instead of calling
 * through it unconditionally.
 */
7998 gssapi_handle = find_dissector("gssapi");
7999 ntlmssp_handle = find_dissector("ntlmssp");
/*
 * Register the SMB2 heuristic on the "netbios" list.
 * NOTE(review): dissect_smb2_heur is defined elsewhere; it presumably
 * decides from raw packet bytes whether a frame is SMB2. Since those bytes
 * are untrusted, verify that it checks the available length before
 * reading any header field.
 */
8000 heur_dissector_add("netbios", dissect_smb2_heur, proto_smb2);