2 * Routines for smb2 packet dissection
5 * For documentation of this protocol, see:
7 * https://wiki.wireshark.org/SMB2
8 * https://msdn.microsoft.com/en-us/library/cc246482.aspx
10 * If you edit this file, keep the wiki updated as well.
12 * Wireshark - Network traffic analyzer
13 * By Gerald Combs <gerald@wireshark.org>
14 * Copyright 1998 Gerald Combs
16 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License
18 * as published by the Free Software Foundation; either version 2
19 * of the License, or (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #include <epan/packet.h>
35 #include <epan/prefs.h>
36 #include <epan/expert.h>
38 #include <epan/srt_table.h>
39 #include <epan/aftypes.h>
40 #include <epan/to_str.h>
41 #include <epan/asn1.h>
42 #include <epan/reassemble.h>
44 #include "packet-smb2.h"
45 #include "packet-ntlmssp.h"
46 #include "packet-kerberos.h"
47 #include "packet-windows-common.h"
48 #include "packet-smb-common.h"
49 #include "packet-dcerpc-nt.h"
51 #include <wsutil/wsgcrypt.h>
53 #define NT_STATUS_PENDING 0x00000103
55 void proto_register_smb2(void);
56 void proto_reg_handoff_smb2(void);
58 static const char smb_header_label[] = "SMB2 Header";
59 static const char smb_transform_header_label[] = "SMB2 Transform Header";
61 static int proto_smb2 = -1;
62 static int hf_smb2_cmd = -1;
63 static int hf_smb2_nt_status = -1;
64 static int hf_smb2_response_to = -1;
65 static int hf_smb2_response_in = -1;
66 static int hf_smb2_time = -1;
67 static int hf_smb2_header_len = -1;
68 static int hf_smb2_msg_id = -1;
69 static int hf_smb2_pid = -1;
70 static int hf_smb2_tid = -1;
71 static int hf_smb2_aid = -1;
72 static int hf_smb2_sesid = -1;
73 static int hf_smb2_previous_sesid = -1;
74 static int hf_smb2_flags_response = -1;
75 static int hf_smb2_flags_async_cmd = -1;
76 static int hf_smb2_flags_dfs_op = -1;
77 static int hf_smb2_flags_chained = -1;
78 static int hf_smb2_flags_signature = -1;
79 static int hf_smb2_flags_replay_operation = -1;
80 static int hf_smb2_flags_priority_mask = -1;
81 static int hf_smb2_chain_offset = -1;
82 static int hf_smb2_security_blob = -1;
83 static int hf_smb2_ioctl_in_data = -1;
84 static int hf_smb2_ioctl_out_data = -1;
85 static int hf_smb2_unknown = -1;
86 static int hf_smb2_root_directory_mbz = -1;
87 static int hf_smb2_twrp_timestamp = -1;
88 static int hf_smb2_mxac_timestamp = -1;
89 static int hf_smb2_mxac_status = -1;
90 static int hf_smb2_qfid_fid = -1;
91 static int hf_smb2_create_timestamp = -1;
92 static int hf_smb2_oplock = -1;
93 static int hf_smb2_close_flags = -1;
94 static int hf_smb2_notify_flags = -1;
95 static int hf_smb2_last_access_timestamp = -1;
96 static int hf_smb2_last_write_timestamp = -1;
97 static int hf_smb2_last_change_timestamp = -1;
98 static int hf_smb2_current_time = -1;
99 static int hf_smb2_boot_time = -1;
100 static int hf_smb2_filename = -1;
101 static int hf_smb2_filename_len = -1;
102 static int hf_smb2_replace_if = -1;
103 static int hf_smb2_nlinks = -1;
104 static int hf_smb2_delete_pending = -1;
105 static int hf_smb2_is_directory = -1;
106 static int hf_smb2_file_id = -1;
107 static int hf_smb2_allocation_size = -1;
108 static int hf_smb2_end_of_file = -1;
109 static int hf_smb2_tree = -1;
110 static int hf_smb2_find_pattern = -1;
111 static int hf_smb2_find_info_level = -1;
112 static int hf_smb2_find_info_blob = -1;
113 static int hf_smb2_client_guid = -1;
114 static int hf_smb2_server_guid = -1;
115 static int hf_smb2_object_id = -1;
116 static int hf_smb2_birth_volume_id = -1;
117 static int hf_smb2_birth_object_id = -1;
118 static int hf_smb2_domain_id = -1;
119 static int hf_smb2_class = -1;
120 static int hf_smb2_infolevel = -1;
121 static int hf_smb2_infolevel_file_info = -1;
122 static int hf_smb2_infolevel_fs_info = -1;
123 static int hf_smb2_infolevel_sec_info = -1;
124 static int hf_smb2_infolevel_posix_info = -1;
125 static int hf_smb2_max_response_size = -1;
126 static int hf_smb2_max_ioctl_in_size = -1;
127 static int hf_smb2_max_ioctl_out_size = -1;
128 static int hf_smb2_flags = -1;
129 static int hf_smb2_required_buffer_size = -1;
130 static int hf_smb2_setinfo_size = -1;
131 static int hf_smb2_setinfo_offset = -1;
132 static int hf_smb2_file_basic_info = -1;
133 static int hf_smb2_file_standard_info = -1;
134 static int hf_smb2_file_internal_info = -1;
135 static int hf_smb2_file_ea_info = -1;
136 static int hf_smb2_file_access_info = -1;
137 static int hf_smb2_file_rename_info = -1;
138 static int hf_smb2_file_disposition_info = -1;
139 static int hf_smb2_file_position_info = -1;
140 static int hf_smb2_file_full_ea_info = -1;
141 static int hf_smb2_file_mode_info = -1;
142 static int hf_smb2_file_alignment_info = -1;
143 static int hf_smb2_file_all_info = -1;
144 static int hf_smb2_file_allocation_info = -1;
145 static int hf_smb2_file_endoffile_info = -1;
146 static int hf_smb2_file_alternate_name_info = -1;
147 static int hf_smb2_file_stream_info = -1;
148 static int hf_smb2_file_pipe_info = -1;
149 static int hf_smb2_file_compression_info = -1;
150 static int hf_smb2_file_network_open_info = -1;
151 static int hf_smb2_file_attribute_tag_info = -1;
152 static int hf_smb2_fs_info_01 = -1;
153 static int hf_smb2_fs_info_03 = -1;
154 static int hf_smb2_fs_info_04 = -1;
155 static int hf_smb2_fs_info_05 = -1;
156 static int hf_smb2_fs_info_06 = -1;
157 static int hf_smb2_fs_info_07 = -1;
158 static int hf_smb2_fs_objectid_info = -1;
159 static int hf_smb2_sec_info_00 = -1;
160 static int hf_smb2_fid = -1;
161 static int hf_smb2_write_length = -1;
162 static int hf_smb2_write_data = -1;
163 static int hf_smb2_write_flags = -1;
164 static int hf_smb2_write_flags_write_through = -1;
165 static int hf_smb2_write_count = -1;
166 static int hf_smb2_write_remaining = -1;
167 static int hf_smb2_read_length = -1;
168 static int hf_smb2_read_remaining = -1;
169 static int hf_smb2_file_offset = -1;
170 static int hf_smb2_qfr_length = -1;
171 static int hf_smb2_qfr_usage = -1;
172 static int hf_smb2_qfr_flags = -1;
173 static int hf_smb2_qfr_total_region_entry_count = -1;
174 static int hf_smb2_qfr_region_entry_count = -1;
175 static int hf_smb2_read_data = -1;
176 static int hf_smb2_disposition_delete_on_close = -1;
177 static int hf_smb2_create_disposition = -1;
178 static int hf_smb2_create_chain_offset = -1;
179 static int hf_smb2_create_chain_data = -1;
180 static int hf_smb2_data_offset = -1;
181 static int hf_smb2_extrainfo = -1;
182 static int hf_smb2_create_action = -1;
183 static int hf_smb2_create_rep_flags = -1;
184 static int hf_smb2_create_rep_flags_reparse_point = -1;
185 static int hf_smb2_next_offset = -1;
186 static int hf_smb2_negotiate_context_type = -1;
187 static int hf_smb2_negotiate_context_data_length = -1;
188 static int hf_smb2_negotiate_context_offset = -1;
189 static int hf_smb2_negotiate_context_count = -1;
190 static int hf_smb2_ea_size = -1;
191 static int hf_smb2_ea_flags = -1;
192 static int hf_smb2_ea_name_len = -1;
193 static int hf_smb2_ea_data_len = -1;
194 static int hf_smb2_ea_name = -1;
195 static int hf_smb2_ea_data = -1;
196 static int hf_smb2_buffer_code = -1;
197 static int hf_smb2_buffer_code_len = -1;
198 static int hf_smb2_buffer_code_flags_dyn = -1;
199 static int hf_smb2_olb_offset = -1;
200 static int hf_smb2_olb_length = -1;
201 static int hf_smb2_tag = -1;
202 static int hf_smb2_impersonation_level = -1;
203 static int hf_smb2_ioctl_function = -1;
204 static int hf_smb2_ioctl_function_device = -1;
205 static int hf_smb2_ioctl_function_access = -1;
206 static int hf_smb2_ioctl_function_function = -1;
207 static int hf_smb2_fsctl_pipe_wait_timeout = -1;
208 static int hf_smb2_fsctl_pipe_wait_name = -1;
209 static int hf_smb2_fsctl_offload_read_size = -1;
210 static int hf_smb2_fsctl_offload_read_flags = -1;
211 static int hf_smb2_fsctl_offload_read_token_ttl = -1;
212 static int hf_smb2_fsctl_offload_reserved = -1;
213 static int hf_smb2_fsctl_offload_read_file_offset = -1;
214 static int hf_smb2_fsctl_offload_read_copy_length = -1;
215 static int hf_smb2_fsctl_offload_read_transfer_length = -1;
216 static int hf_smb2_fsctl_offload_token = -1;
217 static int hf_smb2_fsctl_sparse_flag = -1;
218 static int hf_smb2_fsctl_range_offset = -1;
219 static int hf_smb2_fsctl_range_length = -1;
220 static int hf_smb2_ioctl_function_method = -1;
221 static int hf_smb2_ioctl_resiliency_timeout = -1;
222 static int hf_smb2_ioctl_resiliency_reserved = -1;
223 static int hf_windows_sockaddr_family = -1;
224 static int hf_windows_sockaddr_port = -1;
225 static int hf_windows_sockaddr_in_addr = -1;
226 static int hf_windows_sockaddr_in6_flowinfo = -1;
227 static int hf_windows_sockaddr_in6_addr = -1;
228 static int hf_windows_sockaddr_in6_scope_id = -1;
229 static int hf_smb2_ioctl_network_interface_next_offset = -1;
230 static int hf_smb2_ioctl_network_interface_index = -1;
231 static int hf_smb2_ioctl_network_interface_rss_queue_count = -1;
232 static int hf_smb2_ioctl_network_interface_capabilities = -1;
233 static int hf_smb2_ioctl_network_interface_capability_rss = -1;
234 static int hf_smb2_ioctl_network_interface_capability_rdma = -1;
235 static int hf_smb2_ioctl_network_interface_link_speed = -1;
236 static int hf_smb2_ioctl_shadow_copy_num_volumes = -1;
237 static int hf_smb2_ioctl_shadow_copy_num_labels = -1;
238 static int hf_smb2_ioctl_shadow_copy_count = -1;
239 static int hf_smb2_ioctl_shadow_copy_label = -1;
240 static int hf_smb2_compression_format = -1;
241 static int hf_smb2_checksum_algorithm = -1;
242 static int hf_smb2_integrity_reserved = -1;
243 static int hf_smb2_integrity_flags = -1;
244 static int hf_smb2_integrity_flags_enforcement_off = -1;
245 static int hf_smb2_FILE_OBJECTID_BUFFER = -1;
246 static int hf_smb2_lease_key = -1;
247 static int hf_smb2_lease_state = -1;
248 static int hf_smb2_lease_state_read_caching = -1;
249 static int hf_smb2_lease_state_handle_caching = -1;
250 static int hf_smb2_lease_state_write_caching = -1;
251 static int hf_smb2_lease_flags = -1;
252 static int hf_smb2_lease_flags_break_ack_required = -1;
253 static int hf_smb2_lease_flags_parent_lease_key_set = -1;
254 static int hf_smb2_lease_flags_break_in_progress = -1;
255 static int hf_smb2_lease_duration = -1;
256 static int hf_smb2_parent_lease_key = -1;
257 static int hf_smb2_lease_epoch = -1;
258 static int hf_smb2_lease_reserved = -1;
259 static int hf_smb2_lease_break_reason = -1;
260 static int hf_smb2_lease_access_mask_hint = -1;
261 static int hf_smb2_lease_share_mask_hint = -1;
262 static int hf_smb2_acct_name = -1;
263 static int hf_smb2_domain_name = -1;
264 static int hf_smb2_host_name = -1;
265 static int hf_smb2_auth_frame = -1;
266 static int hf_smb2_tcon_frame = -1;
267 static int hf_smb2_share_type = -1;
268 static int hf_smb2_signature = -1;
269 static int hf_smb2_credit_charge = -1;
270 static int hf_smb2_credits_requested = -1;
271 static int hf_smb2_credits_granted = -1;
272 static int hf_smb2_channel_sequence = -1;
273 static int hf_smb2_dialect_count = -1;
274 static int hf_smb2_security_mode = -1;
275 static int hf_smb2_secmode_flags_sign_required = -1;
276 static int hf_smb2_secmode_flags_sign_enabled = -1;
277 static int hf_smb2_ses_req_flags = -1;
278 static int hf_smb2_ses_req_flags_session_binding = -1;
279 static int hf_smb2_capabilities = -1;
280 static int hf_smb2_cap_dfs = -1;
281 static int hf_smb2_cap_leasing = -1;
282 static int hf_smb2_cap_large_mtu = -1;
283 static int hf_smb2_cap_multi_channel = -1;
284 static int hf_smb2_cap_persistent_handles = -1;
285 static int hf_smb2_cap_directory_leasing = -1;
286 static int hf_smb2_cap_encryption = -1;
287 static int hf_smb2_dialect = -1;
288 static int hf_smb2_max_trans_size = -1;
289 static int hf_smb2_max_read_size = -1;
290 static int hf_smb2_max_write_size = -1;
291 static int hf_smb2_channel = -1;
292 static int hf_smb2_rdma_v1_offset = -1;
293 static int hf_smb2_rdma_v1_token = -1;
294 static int hf_smb2_rdma_v1_length = -1;
295 static int hf_smb2_session_flags = -1;
296 static int hf_smb2_ses_flags_guest = -1;
297 static int hf_smb2_ses_flags_null = -1;
298 static int hf_smb2_share_flags = -1;
299 static int hf_smb2_share_flags_dfs = -1;
300 static int hf_smb2_share_flags_dfs_root = -1;
301 static int hf_smb2_share_flags_restrict_exclusive_opens = -1;
302 static int hf_smb2_share_flags_force_shared_delete = -1;
303 static int hf_smb2_share_flags_allow_namespace_caching = -1;
304 static int hf_smb2_share_flags_access_based_dir_enum = -1;
305 static int hf_smb2_share_flags_force_levelii_oplock = -1;
306 static int hf_smb2_share_flags_enable_hash_v1 = -1;
307 static int hf_smb2_share_flags_enable_hash_v2 = -1;
308 static int hf_smb2_share_flags_encrypt_data = -1;
309 static int hf_smb2_share_caching = -1;
310 static int hf_smb2_share_caps = -1;
311 static int hf_smb2_share_caps_dfs = -1;
312 static int hf_smb2_share_caps_continuous_availability = -1;
313 static int hf_smb2_share_caps_scaleout = -1;
314 static int hf_smb2_share_caps_cluster = -1;
315 static int hf_smb2_create_flags = -1;
316 static int hf_smb2_lock_count = -1;
317 static int hf_smb2_min_count = -1;
318 static int hf_smb2_remaining_bytes = -1;
319 static int hf_smb2_channel_info_offset = -1;
320 static int hf_smb2_channel_info_length = -1;
321 static int hf_smb2_channel_info_blob = -1;
322 static int hf_smb2_ioctl_flags = -1;
323 static int hf_smb2_ioctl_is_fsctl = -1;
324 static int hf_smb2_close_pq_attrib = -1;
325 static int hf_smb2_notify_watch_tree = -1;
326 static int hf_smb2_output_buffer_len = -1;
327 static int hf_smb2_notify_out_data = -1;
328 static int hf_smb2_notify_info = -1;
329 static int hf_smb2_notify_next_offset = -1;
330 static int hf_smb2_notify_action = -1;
331 static int hf_smb2_find_flags = -1;
332 static int hf_smb2_find_flags_restart_scans = -1;
333 static int hf_smb2_find_flags_single_entry = -1;
334 static int hf_smb2_find_flags_index_specified = -1;
335 static int hf_smb2_find_flags_reopen = -1;
336 static int hf_smb2_file_index = -1;
337 static int hf_smb2_file_directory_info = -1;
338 static int hf_smb2_both_directory_info = -1;
339 static int hf_smb2_short_name_len = -1;
340 static int hf_smb2_short_name = -1;
341 static int hf_smb2_id_both_directory_info = -1;
342 static int hf_smb2_full_directory_info = -1;
343 static int hf_smb2_lock_info = -1;
344 static int hf_smb2_lock_length = -1;
345 static int hf_smb2_lock_flags = -1;
346 static int hf_smb2_lock_flags_shared = -1;
347 static int hf_smb2_lock_flags_exclusive = -1;
348 static int hf_smb2_lock_flags_unlock = -1;
349 static int hf_smb2_lock_flags_fail_immediately = -1;
350 static int hf_smb2_dhnq_buffer_reserved = -1;
351 static int hf_smb2_dh2x_buffer_timeout = -1;
352 static int hf_smb2_dh2x_buffer_flags = -1;
353 static int hf_smb2_dh2x_buffer_flags_persistent_handle = -1;
354 static int hf_smb2_dh2x_buffer_reserved = -1;
355 static int hf_smb2_dh2x_buffer_create_guid = -1;
356 static int hf_smb2_APP_INSTANCE_buffer_struct_size = -1;
357 static int hf_smb2_APP_INSTANCE_buffer_reserved = -1;
358 static int hf_smb2_APP_INSTANCE_buffer_app_guid = -1;
359 static int hf_smb2_svhdx_open_device_context_version = -1;
360 static int hf_smb2_svhdx_open_device_context_has_initiator_id = -1;
361 static int hf_smb2_svhdx_open_device_context_reserved = -1;
362 static int hf_smb2_svhdx_open_device_context_initiator_id = -1;
363 static int hf_smb2_svhdx_open_device_context_flags = -1;
364 static int hf_smb2_svhdx_open_device_context_originator_flags = -1;
365 static int hf_smb2_svhdx_open_device_context_open_request_id = -1;
366 static int hf_smb2_svhdx_open_device_context_initiator_host_name_len = -1;
367 static int hf_smb2_svhdx_open_device_context_initiator_host_name = -1;
368 static int hf_smb2_posix_v1_version = -1;
369 static int hf_smb2_posix_v1_request = -1;
370 static int hf_smb2_posix_v1_supported_features = -1;
371 static int hf_smb2_posix_v1_posix_lock = -1;
372 static int hf_smb2_posix_v1_posix_file_semantics = -1;
373 static int hf_smb2_posix_v1_posix_utf8_paths = -1;
374 static int hf_smb2_posix_v1_case_sensitive = -1;
375 static int hf_smb2_posix_v1_posix_will_convert_nt_acls = -1;
376 static int hf_smb2_posix_v1_posix_fileinfo = -1;
377 static int hf_smb2_posix_v1_posix_acls = -1;
378 static int hf_smb2_posix_v1_rich_acls = -1;
379 static int hf_smb2_aapl_command_code = -1;
380 static int hf_smb2_aapl_reserved = -1;
381 static int hf_smb2_aapl_server_query_bitmask = -1;
382 static int hf_smb2_aapl_server_query_bitmask_server_caps = -1;
383 static int hf_smb2_aapl_server_query_bitmask_volume_caps = -1;
384 static int hf_smb2_aapl_server_query_bitmask_model_info = -1;
385 static int hf_smb2_aapl_server_query_caps = -1;
386 static int hf_smb2_aapl_server_query_caps_supports_read_dir_attr = -1;
387 static int hf_smb2_aapl_server_query_caps_supports_osx_copyfile = -1;
388 static int hf_smb2_aapl_server_query_caps_unix_based = -1;
389 static int hf_smb2_aapl_server_query_caps_supports_nfs_ace = -1;
390 static int hf_smb2_aapl_server_query_volume_caps = -1;
391 static int hf_smb2_aapl_server_query_volume_caps_support_resolve_id = -1;
392 static int hf_smb2_aapl_server_query_volume_caps_case_sensitive = -1;
393 static int hf_smb2_aapl_server_query_volume_caps_supports_full_sync = -1;
394 static int hf_smb2_aapl_server_query_model_string = -1;
395 static int hf_smb2_aapl_server_query_server_path = -1;
396 static int hf_smb2_error_byte_count = -1;
397 static int hf_smb2_error_data = -1;
398 static int hf_smb2_error_reserved = -1;
399 static int hf_smb2_reserved = -1;
400 static int hf_smb2_reserved_random = -1;
401 static int hf_smb2_transform_signature = -1;
402 static int hf_smb2_transform_nonce = -1;
403 static int hf_smb2_transform_msg_size = -1;
404 static int hf_smb2_transform_reserved = -1;
405 static int hf_smb2_encryption_aes128_ccm = -1;
406 static int hf_smb2_transform_enc_alg = -1;
407 static int hf_smb2_transform_encrypted_data = -1;
408 static int hf_smb2_server_component_smb2 = -1;
409 static int hf_smb2_server_component_smb2_transform = -1;
410 static int hf_smb2_truncated = -1;
411 static int hf_smb2_pipe_fragments = -1;
412 static int hf_smb2_pipe_fragment = -1;
413 static int hf_smb2_pipe_fragment_overlap = -1;
414 static int hf_smb2_pipe_fragment_overlap_conflict = -1;
415 static int hf_smb2_pipe_fragment_multiple_tails = -1;
416 static int hf_smb2_pipe_fragment_too_long_fragment = -1;
417 static int hf_smb2_pipe_fragment_error = -1;
418 static int hf_smb2_pipe_fragment_count = -1;
419 static int hf_smb2_pipe_reassembled_in = -1;
420 static int hf_smb2_pipe_reassembled_length = -1;
421 static int hf_smb2_pipe_reassembled_data = -1;
422 static int hf_smb2_cchunk_resume_key = -1;
423 static int hf_smb2_cchunk_count = -1;
424 static int hf_smb2_cchunk_src_offset = -1;
425 static int hf_smb2_cchunk_dst_offset = -1;
426 static int hf_smb2_cchunk_xfer_len = -1;
427 static int hf_smb2_cchunk_chunks_written = -1;
428 static int hf_smb2_cchunk_bytes_written = -1;
429 static int hf_smb2_cchunk_total_written = -1;
431 static gint ett_smb2 = -1;
432 static gint ett_smb2_olb = -1;
433 static gint ett_smb2_ea = -1;
434 static gint ett_smb2_header = -1;
435 static gint ett_smb2_encrypted = -1;
436 static gint ett_smb2_command = -1;
437 static gint ett_smb2_secblob = -1;
438 static gint ett_smb2_negotiate_context_element = -1;
439 static gint ett_smb2_file_basic_info = -1;
440 static gint ett_smb2_file_standard_info = -1;
441 static gint ett_smb2_file_internal_info = -1;
442 static gint ett_smb2_file_ea_info = -1;
443 static gint ett_smb2_file_access_info = -1;
444 static gint ett_smb2_file_position_info = -1;
445 static gint ett_smb2_file_mode_info = -1;
446 static gint ett_smb2_file_alignment_info = -1;
447 static gint ett_smb2_file_all_info = -1;
448 static gint ett_smb2_file_allocation_info = -1;
449 static gint ett_smb2_file_endoffile_info = -1;
450 static gint ett_smb2_file_alternate_name_info = -1;
451 static gint ett_smb2_file_stream_info = -1;
452 static gint ett_smb2_file_pipe_info = -1;
453 static gint ett_smb2_file_compression_info = -1;
454 static gint ett_smb2_file_network_open_info = -1;
455 static gint ett_smb2_file_attribute_tag_info = -1;
456 static gint ett_smb2_file_rename_info = -1;
457 static gint ett_smb2_file_disposition_info = -1;
458 static gint ett_smb2_file_full_ea_info = -1;
459 static gint ett_smb2_fs_info_01 = -1;
460 static gint ett_smb2_fs_info_03 = -1;
461 static gint ett_smb2_fs_info_04 = -1;
462 static gint ett_smb2_fs_info_05 = -1;
463 static gint ett_smb2_fs_info_06 = -1;
464 static gint ett_smb2_fs_info_07 = -1;
465 static gint ett_smb2_fs_objectid_info = -1;
466 static gint ett_smb2_sec_info_00 = -1;
467 static gint ett_smb2_tid_tree = -1;
468 static gint ett_smb2_sesid_tree = -1;
469 static gint ett_smb2_create_chain_element = -1;
470 static gint ett_smb2_MxAc_buffer = -1;
471 static gint ett_smb2_QFid_buffer = -1;
472 static gint ett_smb2_RqLs_buffer = -1;
473 static gint ett_smb2_ioctl_function = -1;
474 static gint ett_smb2_FILE_OBJECTID_BUFFER = -1;
475 static gint ett_smb2_flags = -1;
476 static gint ett_smb2_sec_mode = -1;
477 static gint ett_smb2_capabilities = -1;
478 static gint ett_smb2_ses_req_flags = -1;
479 static gint ett_smb2_ses_flags = -1;
480 static gint ett_smb2_lease_state = -1;
481 static gint ett_smb2_lease_flags = -1;
482 static gint ett_smb2_share_flags = -1;
483 static gint ett_smb2_create_rep_flags = -1;
484 static gint ett_smb2_share_caps = -1;
485 static gint ett_smb2_ioctl_flags = -1;
486 static gint ett_smb2_ioctl_network_interface = -1;
487 static gint ett_smb2_fsctl_range_data = -1;
488 static gint ett_windows_sockaddr = -1;
489 static gint ett_smb2_close_flags = -1;
490 static gint ett_smb2_notify_info = -1;
491 static gint ett_smb2_notify_flags = -1;
492 static gint ett_smb2_write_flags = -1;
493 static gint ett_smb2_rdma_v1 = -1;
494 static gint ett_smb2_DH2Q_buffer = -1;
495 static gint ett_smb2_DH2C_buffer = -1;
496 static gint ett_smb2_dh2x_flags = -1;
497 static gint ett_smb2_APP_INSTANCE_buffer = -1;
498 static gint ett_smb2_svhdx_open_device_context = -1;
499 static gint ett_smb2_posix_v1_request = -1;
500 static gint ett_smb2_posix_v1_response = -1;
501 static gint ett_smb2_posix_v1_supported_features = -1;
502 static gint ett_smb2_aapl_create_context_request = -1;
503 static gint ett_smb2_aapl_server_query_bitmask = -1;
504 static gint ett_smb2_aapl_server_query_caps = -1;
505 static gint ett_smb2_aapl_create_context_response = -1;
506 static gint ett_smb2_aapl_server_query_volume_caps = -1;
507 static gint ett_smb2_integrity_flags = -1;
508 static gint ett_smb2_find_flags = -1;
509 static gint ett_smb2_file_directory_info = -1;
510 static gint ett_smb2_both_directory_info = -1;
511 static gint ett_smb2_id_both_directory_info = -1;
512 static gint ett_smb2_full_directory_info = -1;
513 static gint ett_smb2_file_name_info = -1;
514 static gint ett_smb2_lock_info = -1;
515 static gint ett_smb2_lock_flags = -1;
516 static gint ett_smb2_transform_enc_alg = -1;
517 static gint ett_smb2_buffercode = -1;
518 static gint ett_smb2_ioctl_network_interface_capabilities = -1;
519 static gint ett_qfr_entry = -1;
520 static gint ett_smb2_pipe_fragment = -1;
521 static gint ett_smb2_pipe_fragments = -1;
522 static gint ett_smb2_cchunk_entry = -1;
524 static expert_field ei_smb2_invalid_length = EI_INIT;
525 static expert_field ei_smb2_bad_response = EI_INIT;
527 static int smb2_tap = -1;
528 static int smb2_eo_tap = -1;
530 static dissector_handle_t gssapi_handle = NULL;
531 static dissector_handle_t ntlmssp_handle = NULL;
532 static dissector_handle_t rsvd_handle = NULL;
534 static heur_dissector_list_t smb2_pipe_subdissector_list;
536 static const fragment_items smb2_pipe_frag_items = {
537 &ett_smb2_pipe_fragment,
538 &ett_smb2_pipe_fragments,
539 &hf_smb2_pipe_fragments,
540 &hf_smb2_pipe_fragment,
541 &hf_smb2_pipe_fragment_overlap,
542 &hf_smb2_pipe_fragment_overlap_conflict,
543 &hf_smb2_pipe_fragment_multiple_tails,
544 &hf_smb2_pipe_fragment_too_long_fragment,
545 &hf_smb2_pipe_fragment_error,
546 &hf_smb2_pipe_fragment_count,
547 &hf_smb2_pipe_reassembled_in,
548 &hf_smb2_pipe_reassembled_length,
549 &hf_smb2_pipe_reassembled_data,
/* Info class codes and the names shown for them. */
#define SMB2_CLASS_FILE_INFO	0x01
#define SMB2_CLASS_FS_INFO	0x02
#define SMB2_CLASS_SEC_INFO	0x03
#define SMB2_CLASS_POSIX_INFO	0x80
static const value_string smb2_class_vals[] = {
	{ SMB2_CLASS_FILE_INFO,		"FILE_INFO"},
	{ SMB2_CLASS_FS_INFO,		"FS_INFO"},
	{ SMB2_CLASS_SEC_INFO,		"SEC_INFO"},
	{ SMB2_CLASS_POSIX_INFO,	"POSIX_INFO"},
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
/* Share type codes and the names shown for them. */
#define SMB2_SHARE_TYPE_DISK	0x01
#define SMB2_SHARE_TYPE_PIPE	0x02
#define SMB2_SHARE_TYPE_PRINT	0x03
static const value_string smb2_share_type_vals[] = {
	{ SMB2_SHARE_TYPE_DISK,		"Physical disk" },
	{ SMB2_SHARE_TYPE_PIPE,		"Named pipe" },
	{ SMB2_SHARE_TYPE_PRINT,	"Printer" },
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
/*
 * File information levels. The numbering is sparse (0x09, 0x0b, 0x0c,
 * 0x18-0x1b, ... have no entry), so a level value with no row in the table
 * below has no name here.
 */
#define SMB2_FILE_BASIC_INFO		0x04
#define SMB2_FILE_STANDARD_INFO		0x05
#define SMB2_FILE_INTERNAL_INFO		0x06
#define SMB2_FILE_EA_INFO		0x07
#define SMB2_FILE_ACCESS_INFO		0x08
#define SMB2_FILE_RENAME_INFO		0x0a
#define SMB2_FILE_DISPOSITION_INFO	0x0d
#define SMB2_FILE_POSITION_INFO		0x0e
#define SMB2_FILE_FULL_EA_INFO		0x0f
#define SMB2_FILE_MODE_INFO		0x10
#define SMB2_FILE_ALIGNMENT_INFO	0x11
#define SMB2_FILE_ALL_INFO		0x12
#define SMB2_FILE_ALLOCATION_INFO	0x13
#define SMB2_FILE_ENDOFFILE_INFO	0x14
#define SMB2_FILE_ALTERNATE_NAME_INFO	0x15
#define SMB2_FILE_STREAM_INFO		0x16
#define SMB2_FILE_PIPE_INFO		0x17
#define SMB2_FILE_COMPRESSION_INFO	0x1c
#define SMB2_FILE_NETWORK_OPEN_INFO	0x22
#define SMB2_FILE_ATTRIBUTE_TAG_INFO	0x23

/* Display names for the file information levels, in ascending value order. */
static const value_string smb2_file_info_levels[] = {
	{ SMB2_FILE_BASIC_INFO,			"SMB2_FILE_BASIC_INFO" },
	{ SMB2_FILE_STANDARD_INFO,		"SMB2_FILE_STANDARD_INFO" },
	{ SMB2_FILE_INTERNAL_INFO,		"SMB2_FILE_INTERNAL_INFO" },
	{ SMB2_FILE_EA_INFO,			"SMB2_FILE_EA_INFO" },
	{ SMB2_FILE_ACCESS_INFO,		"SMB2_FILE_ACCESS_INFO" },
	{ SMB2_FILE_RENAME_INFO,		"SMB2_FILE_RENAME_INFO" },
	{ SMB2_FILE_DISPOSITION_INFO,		"SMB2_FILE_DISPOSITION_INFO" },
	{ SMB2_FILE_POSITION_INFO,		"SMB2_FILE_POSITION_INFO" },
	{ SMB2_FILE_FULL_EA_INFO,		"SMB2_FILE_FULL_EA_INFO" },
	{ SMB2_FILE_MODE_INFO,			"SMB2_FILE_MODE_INFO" },
	{ SMB2_FILE_ALIGNMENT_INFO,		"SMB2_FILE_ALIGNMENT_INFO" },
	{ SMB2_FILE_ALL_INFO,			"SMB2_FILE_ALL_INFO" },
	{ SMB2_FILE_ALLOCATION_INFO,		"SMB2_FILE_ALLOCATION_INFO" },
	{ SMB2_FILE_ENDOFFILE_INFO,		"SMB2_FILE_ENDOFFILE_INFO" },
	{ SMB2_FILE_ALTERNATE_NAME_INFO,	"SMB2_FILE_ALTERNATE_NAME_INFO" },
	{ SMB2_FILE_STREAM_INFO,		"SMB2_FILE_STREAM_INFO" },
	{ SMB2_FILE_PIPE_INFO,			"SMB2_FILE_PIPE_INFO" },
	{ SMB2_FILE_COMPRESSION_INFO,		"SMB2_FILE_COMPRESSION_INFO" },
	{ SMB2_FILE_NETWORK_OPEN_INFO,		"SMB2_FILE_NETWORK_OPEN_INFO" },
	{ SMB2_FILE_ATTRIBUTE_TAG_INFO,		"SMB2_FILE_ATTRIBUTE_TAG_INFO" },
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);
/* File-system information levels (0x01 .. 0x0b, no gaps). */
#define SMB2_FS_INFO_01			0x01
#define SMB2_FS_LABEL_INFO		0x02
#define SMB2_FS_INFO_03			0x03
#define SMB2_FS_INFO_04			0x04
#define SMB2_FS_INFO_05			0x05
#define SMB2_FS_INFO_06			0x06
#define SMB2_FS_INFO_07			0x07
#define SMB2_FS_OBJECTID_INFO		0x08
#define SMB2_FS_DRIVER_PATH_INFO	0x09
#define SMB2_FS_VOLUME_FLAGS_INFO	0x0a
#define SMB2_FS_SECTOR_SIZE_INFO	0x0b

/* Display names for the file-system information levels. */
static const value_string smb2_fs_info_levels[] = {
	{ SMB2_FS_INFO_01,		"FileFsVolumeInformation" },
	{ SMB2_FS_LABEL_INFO,		"FileFsLabelInformation" },
	{ SMB2_FS_INFO_03,		"FileFsSizeInformation" },
	{ SMB2_FS_INFO_04,		"FileFsDeviceInformation" },
	{ SMB2_FS_INFO_05,		"FileFsAttributeInformation" },
	{ SMB2_FS_INFO_06,		"FileFsControlInformation" },
	{ SMB2_FS_INFO_07,		"FileFsFullSizeInformation" },
	{ SMB2_FS_OBJECTID_INFO,	"FileFsObjectIdInformation" },
	{ SMB2_FS_DRIVER_PATH_INFO,	"FileFsDriverPathInformation" },
	{ SMB2_FS_VOLUME_FLAGS_INFO,	"FileFsVolumeFlagsInformation" },
	{ SMB2_FS_SECTOR_SIZE_INFO,	"FileFsSectorSizeInformation" },
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);
/* Security information levels: a single level, 0x00. */
#define SMB2_SEC_INFO_00	0x00
static const value_string smb2_sec_info_levels[] = {
	{ SMB2_SEC_INFO_00,	"SMB2_SEC_INFO_00" },
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);
/*
 * POSIX information levels. The table uses literal values rather than named
 * constants, and levels 2, 4 and 6..0x0A have no entry.
 */
static const value_string smb2_posix_info_levels[] = {
	{ 0,	"QueryFileUnixBasic" },
	{ 1,	"QueryFileUnixLink" },
	{ 3,	"QueryFileUnixHLink" },
	{ 5,	"QueryFileUnixXAttr" },
	{ 0x0B,	"QueryFileUnixInfo2" },
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
static value_string_ext smb2_posix_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_posix_info_levels);
/* Find (directory enumeration) information levels and their display names. */
#define SMB2_FIND_DIRECTORY_INFO		0x01
#define SMB2_FIND_FULL_DIRECTORY_INFO		0x02
#define SMB2_FIND_BOTH_DIRECTORY_INFO		0x03
#define SMB2_FIND_INDEX_SPECIFIED		0x04
#define SMB2_FIND_NAME_INFO			0x0C
#define SMB2_FIND_ID_BOTH_DIRECTORY_INFO	0x25
#define SMB2_FIND_ID_FULL_DIRECTORY_INFO	0x26
static const value_string smb2_find_info_levels[] = {
	{ SMB2_FIND_DIRECTORY_INFO,		"SMB2_FIND_DIRECTORY_INFO" },
	{ SMB2_FIND_FULL_DIRECTORY_INFO,	"SMB2_FIND_FULL_DIRECTORY_INFO" },
	{ SMB2_FIND_BOTH_DIRECTORY_INFO,	"SMB2_FIND_BOTH_DIRECTORY_INFO" },
	{ SMB2_FIND_INDEX_SPECIFIED,		"SMB2_FIND_INDEX_SPECIFIED" },
	{ SMB2_FIND_NAME_INFO,			"SMB2_FIND_NAME_INFO" },
	{ SMB2_FIND_ID_BOTH_DIRECTORY_INFO,	"SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
	{ SMB2_FIND_ID_FULL_DIRECTORY_INFO,	"SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
/*
 * Negotiate context type codes. Only these two types are named; any other
 * context type seen in a capture has no entry in this table.
 */
#define SMB2_PREAUTH_INTEGRITY_CAPABILITIES	0x0001
#define SMB2_ENCRYPTION_CAPABILITIES		0x0002
static const value_string smb2_negotiate_context_types[] = {
	{ SMB2_PREAUTH_INTEGRITY_CAPABILITIES,	"SMB2_PREAUTH_INTEGRITY_CAPABILITIES" },
	{ SMB2_ENCRYPTION_CAPABILITIES,		"SMB2_ENCRYPTION_CAPABILITIES" },
	{ 0, NULL }	/* sentinel; this line is missing from the listing, restored per value_string convention */
};
/* Number of rows in the SMB2 service-response-time (SRT) table. */
#define SMB2_NUM_PROCEDURES	256

/*
 * Create the "SMB2" SRT table in srt_array and label its rows.
 *
 * One row is created for every value 0 .. SMB2_NUM_PROCEDURES-1; the label
 * comes from smb2_cmd_vals_ext, and values with no name there are labelled
 * "<unknown>".
 *
 * NOTE(review): the return type line is missing from this listing;
 * `static void` is assumed — confirm against the full file.
 */
static void
smb2stat_init(struct register_srt* srt _U_, GArray* srt_array, srt_gui_init_cb gui_callback, void* gui_data)
{
	srt_stat_table *table;
	int row;

	table = init_srt_table("SMB2", NULL, srt_array, SMB2_NUM_PROCEDURES, "Commands", "smb2.cmd", gui_callback, gui_data, NULL);

	for (row = 0; row < SMB2_NUM_PROCEDURES; row++) {
		const char *row_label = val_to_str_ext_const(row, &smb2_cmd_vals_ext, "<unknown>");

		init_srt_table_row(table, row, row_label);
	}
}
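/*
 * SRT tap callback: add the response time of one SMB2 response to the table.
 *
 * pss   - srt_data_t whose srt_array holds the table created by smb2stat_init()
 * pinfo - packet being tapped; pinfo->num is compared with the saved
 *         response frame number
 * prv   - smb2_info_t describing the packet
 *
 * Returns 0 when the packet is not counted, 1 when a sample was added.
 *
 * NOTE(review): several short lines are missing from this listing (the
 * return type, the declaration of the table index `i`, the NULL test on
 * si->saved and the return statements). They are restored here as
 * `static int`, index 0 and 0/1 returns — confirm against the full file.
 */
static int
smb2stat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv)
{
	guint i = 0;	/* smb2stat_init() creates a single table, so it is the first array element */
	srt_stat_table *smb2_srt_table;
	srt_data_t *data = (srt_data_t *)pss;
	const smb2_info_t *si = (const smb2_info_t *)prv;

	/* we are only interested in response packets */
	if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
		return 0;
	}
	/* if we haven't seen the request, just ignore it */
	if (!si->saved) {
		return 0;
	}

	/* SMB2 SRT can be very inaccurate in the presence of retransmissions. Retransmitted responses
	 * not only add additional (bogus) transactions but also the latency associated with them.
	 * This can greatly inflate the maximum and average SRT stats especially in the case of
	 * retransmissions triggered by the expiry of the rexmit timer (RTOs). Only calculating SRT
	 * for the last received response accomplishes this goal without requiring the TCP pref
	 * "Do not call subdissectors for error packets" to be set. */
	if ((si->saved->frame_req == 0) || (si->saved->frame_res != pinfo->num))
		return 0;

	/* si->opcode is used as the row index into a table that smb2stat_init()
	 * sizes at SMB2_NUM_PROCEDURES rows. It is presumably read from the
	 * packet, so reject values outside the table here instead of relying on
	 * add_srt_table_data() (not visible in this listing) to cope with them.
	 * The cast makes a negative value fail the test as well. */
	if ((guint)si->opcode >= SMB2_NUM_PROCEDURES) {
		return 0;
	}

	smb2_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
	add_srt_table_data(smb2_srt_table, si->opcode, &si->saved->req_time, pinfo);
	return 1;
}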
/* NTLMSSP_KEY_LEN bytes initialised to zero (sixteen zero initialisers are listed). */
743 static const gint8 zeros[NTLMSSP_KEY_LEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
745 /* ExportObject preferences variable */
/* Read by feed_eo_smb2: when set, the export-object fid is hashed from the file name, otherwise from the file id string. */
746 gboolean eosmb2_take_name_as_fid = FALSE ;
748 /* unmatched smb_saved_info structures.
749 For unmatched smb_saved_info structures we store the smb_saved_info
750 structure using the msg_id field.
/* Key equality callback: two smb2_saved_info_t keys are equal when their msg_id fields are equal. No other field is compared. */
753 smb2_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
755 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
756 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
757 return key1->msg_id == key2->msg_id;
/*
 * Hash callback for smb2_saved_info_t keys: the hash is the low 32 bits of
 * msg_id.
 * NOTE(review): msg_id presumably comes from the SMB2 header of captured
 * traffic. Keys that share the low 32 bits hash identically, so lookup cost
 * for such keys depends on how the table handles collisions.
 */
760 smb2_saved_info_hash_unmatched(gconstpointer k)
762 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
765 hash = (guint32) (key->msg_id&0xffffffff);
769 /* matched smb_saved_info structures.
770 For matched smb_saved_info structures we store the smb_saved_info
771 structure using the msg_id field.
/* Key equality callback: two smb2_saved_info_t keys are equal when their msg_id fields are equal. The body matches smb2_saved_info_equal_unmatched. */
774 smb2_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
776 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
777 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
778 return key1->msg_id == key2->msg_id;
/* Hash callback for smb2_saved_info_t keys: the hash is the low 32 bits of msg_id, the same computation as smb2_saved_info_hash_unmatched. */
781 smb2_saved_info_hash_matched(gconstpointer k)
783 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
786 hash = (guint32) (key->msg_id&0xffffffff);
790 /* For Tids of a specific conversation.
791 This keeps track of tid->sharename mappings and other information about the
794 We might need to refine this if it occurs that tids are reused on a single
795 conversation. we don't worry about that yet for simplicity
/* Key equality callback: two smb2_tid_info_t keys are equal when their tid fields are equal. */
798 smb2_tid_info_equal(gconstpointer k1, gconstpointer k2)
800 const smb2_tid_info_t *key1 = (const smb2_tid_info_t *)k1;
801 const smb2_tid_info_t *key2 = (const smb2_tid_info_t *)k2;
802 return key1->tid == key2->tid;
/* Hash callback for smb2_tid_info_t keys. Only the cast of the key is shown in this listing; the hash computation itself is not visible. */
805 smb2_tid_info_hash(gconstpointer k)
807 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
814 /* For Uids of a specific conversation.
815 This keeps track of uid->acct_name mappings and other information about the
818 We might need to refine this if it occurs that uids are reused on a single
819 conversation. we don't worry about that yet for simplicity
/* Key equality callback: two smb2_sesid_info_t keys are equal when their sesid fields are equal. */
822 smb2_sesid_info_equal(gconstpointer k1, gconstpointer k2)
824 const smb2_sesid_info_t *key1 = (const smb2_sesid_info_t *)k1;
825 const smb2_sesid_info_t *key2 = (const smb2_sesid_info_t *)k2;
826 return key1->sesid == key2->sesid;
/* Hash callback for smb2_sesid_info_t keys: adds the upper and lower 32-bit halves of sesid and truncates the sum to 32 bits. */
829 smb2_sesid_info_hash(gconstpointer k)
831 const smb2_sesid_info_t *key = (const smb2_sesid_info_t *)k;
834 hash = (guint32)( ((key->sesid>>32)&0xffffffff)+((key->sesid)&0xffffffff) );
839 * For File IDs of a specific conversation.
840 * This keeps track of fid to name mapping and application level conversations
843 * This handles implementation bugs, where the fid_persistent is 0 or
844 * the fid_persistent/fid_volatile is not unique per conversation.
/*
 * Key equality callback for smb2_fid_info_t. Four fields are tested for
 * inequality: fid_persistent, fid_volatile, sesid and tid. The return
 * statements controlled by these tests are not shown in this listing.
 */
847 smb2_fid_info_equal(gconstpointer k1, gconstpointer k2)
849 const smb2_fid_info_t *key1 = (const smb2_fid_info_t *)k1;
850 const smb2_fid_info_t *key2 = (const smb2_fid_info_t *)k2;
852 if (key1->fid_persistent != key2->fid_persistent) {
856 if (key1->fid_volatile != key2->fid_volatile) {
860 if (key1->sesid != key2->sesid) {
864 if (key1->tid != key2->tid) {
/*
 * Hash callback for smb2_fid_info_t keys. Uses fid_persistent when it is
 * non-zero and fid_volatile otherwise (the else line is not shown), in both
 * cases adding the upper and lower 32-bit halves. sesid and tid take part
 * in smb2_fid_info_equal but not in the hash.
 */
872 smb2_fid_info_hash(gconstpointer k)
874 const smb2_fid_info_t *key = (const smb2_fid_info_t *)k;
877 if (key->fid_persistent != 0) {
878 hash = (guint32)( ((key->fid_persistent>>32)&0xffffffff)+((key->fid_persistent)&0xffffffff) );
880 hash = (guint32)( ((key->fid_volatile>>32)&0xffffffff)+((key->fid_volatile)&0xffffffff) );
886 /* Callback for destroying the glib hash tables associated with a conversation
/*
 * wmem callback: user_data is cast to smb2_conv_info_t and its five GLib
 * hash tables (matched, unmatched, fids, sesids, files) are destroyed.
 * The rest of the parameter list and the return statement are not shown in
 * this listing.
 */
889 smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
892 smb2_conv_info_t *conv = (smb2_conv_info_t *)user_data;
894 g_hash_table_destroy(conv->matched);
895 g_hash_table_destroy(conv->unmatched);
896 g_hash_table_destroy(conv->fids);
897 g_hash_table_destroy(conv->sesids);
898 g_hash_table_destroy(conv->files);
900 /* This conversation is gone, return FALSE to indicate we don't
901 * want to be called again for this conversation. */
/*
 * Derives a 16-byte output key KO from the input key KI using HMAC-SHA256
 * from libgcrypt, with Label and Context mixed into the MAC input.
 * The body shown is compiled only when HAVE_LIBGCRYPT is defined; the
 * parameters are presumably marked _U_ for the build without it.
 * NOTE(review): the end of the parameter list and the part after the
 * memcpy are not shown in this listing. What KO holds in a build without
 * libgcrypt cannot be told from here, so callers should not assume a
 * usable key in that case.
 */
905 static void smb2_key_derivation(const guint8 *KI _U_, guint32 KI_len _U_,
906 const guint8 *Label _U_, guint32 Label_len _U_,
907 const guint8 *Context _U_, guint32 Context_len _U_,
910 #ifdef HAVE_LIBGCRYPT
911 gcry_md_hd_t hd = NULL;
913 guint8 *digest = NULL;
916 * a simplified version of
917 * "NIST Special Publication 800-108" section 5.1
920 gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
/* NOTE(review): the results of gcry_md_open and gcry_md_setkey are not checked in the visible lines. If the open fails, hd is still NULL when the calls below run; testing the returned gcry_error_t and returning early would avoid using an invalid handle. */
921 gcry_md_setkey(hd, KI, KI_len);
923 memset(buf, 0, sizeof(buf));
/* Visible MAC input order: buf (sizeof(buf) bytes), Label, one byte of buf, Context, then buf again. Any stores into buf between these writes are not shown in this listing. */
925 gcry_md_write(hd, buf, sizeof(buf));
926 gcry_md_write(hd, Label, Label_len);
927 gcry_md_write(hd, buf, 1);
928 gcry_md_write(hd, Context, Context_len);
930 gcry_md_write(hd, buf, sizeof(buf));
932 digest = gcry_md_read(hd, GCRY_MD_SHA256);
/* Only the first 16 bytes of the SHA-256 MAC are kept. The buffer returned by gcry_md_read belongs to the handle, so the copy has to happen before the handle is closed; the close call is not visible here. NOTE(review): KO must have room for 16 bytes; its declaration is not shown. */
934 memcpy(KO, digest, 16);
942 /* for export-object-smb2 */
/* Formats a handle as a GUID-style hex string allocated in packet scope. The arguments passed to the format call are not shown in this listing. */
943 static gchar *policy_hnd_to_file_id(const e_ctx_hnd *hnd) {
945 file_id = wmem_strdup_printf(wmem_packet_scope(),
946 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
/* Hash callback for e_ctx_hnd keys: hashes the string produced by policy_hnd_to_file_id with g_str_hash. Every call formats a new packet-scope string. */
960 static guint smb2_eo_files_hash(gconstpointer k) {
961 return g_str_hash(policy_hnd_to_file_id((const e_ctx_hnd *)k));
/* Key equality callback for e_ctx_hnd keys: compares uuid.data1, data2, data3 and all eight data4 bytes. No other member of the handle is compared in the visible lines. */
963 static gint smb2_eo_files_equal(gconstpointer k1, gconstpointer k2) {
965 const e_ctx_hnd *key1 = (const e_ctx_hnd *)k1;
966 const e_ctx_hnd *key2 = (const e_ctx_hnd *)k2;
968 are_equal = (key1->uuid.data1==key2->uuid.data1 &&
969 key1->uuid.data2==key2->uuid.data2 &&
970 key1->uuid.data3==key2->uuid.data3 &&
971 key1->uuid.data4[0]==key2->uuid.data4[0] &&
972 key1->uuid.data4[1]==key2->uuid.data4[1] &&
973 key1->uuid.data4[2]==key2->uuid.data4[2] &&
974 key1->uuid.data4[3]==key2->uuid.data4[3] &&
975 key1->uuid.data4[4]==key2->uuid.data4[4] &&
976 key1->uuid.data4[5]==key2->uuid.data4[5] &&
977 key1->uuid.data4[6]==key2->uuid.data4[6] &&
978 key1->uuid.data4[7]==key2->uuid.data4[7]);
/*
 * Builds an smb_eo_t record (packet scope) describing one chunk of file
 * data and queues it on smb2_eo_tap for the export-object listener.
 * dataoffset and length locate the chunk inside tvb; file_offset is stored
 * as the chunk position within the file.
 * NOTE(review): the file name and host name placed in the record are built
 * from strings recovered from the capture. Whatever writes exported objects
 * to disk should treat them as untrusted and remove path separators and
 * relative path components before using them in a path.
 */
984 feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, guint16 dataoffset,guint32 length, guint64 file_offset) {
986 char *fid_name = NULL;
987 guint32 open_frame = 0, close_frame = 0;
988 tvbuff_t *data_tvb = NULL;
992 gchar **aux_string_v;
994 /* Create a new tvb to point to the payload data */
/* NOTE(review): dataoffset and length are supplied by the caller and are not validated in the visible lines; this call and the later tvb_get_ptr rely on the tvb bounds checks to reject a range outside the buffer. */
995 data_tvb = tvb_new_subset_length(tvb, dataoffset, length);
996 /* Create the eo_info to pass to the listener */
997 eo_info = wmem_new(wmem_packet_scope(), smb_eo_t);
998 /* Fill in eo_info */
999 eo_info->smbversion=2;
1001 eo_info->cmd=si->opcode;
1002 /* We don't keep track of uid in SMB v2 */
1005 /* Try to get file id and filename */
/* NOTE(review): si->saved is dereferenced here and further down with no NULL check in the visible lines; confirm every caller guarantees it is set. */
1006 file_id=policy_hnd_to_file_id(&si->saved->policy_hnd);
1007 dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num);
1008 if (fid_name && g_strcmp0(fid_name,"File: ")!=0) {
1010 /* Remove "File: " from filename */
1011 if (g_str_has_prefix(auxstring, "File: ")) {
/* The last element of the split is used, so any text before a later occurrence of the marker inside the name is dropped. */
1012 aux_string_v = g_strsplit(auxstring, "File: ", -1);
1013 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",aux_string_v[g_strv_length(aux_string_v)-1]);
1014 g_strfreev(aux_string_v);
1016 if (g_str_has_prefix(auxstring, "\\")) {
1017 eo_info->filename = wmem_strdup(wmem_packet_scope(), auxstring);
1019 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",auxstring);
/* Fallback name built from the file id string when no usable name was found (the branch structure around it is not shown). */
1023 auxstring=wmem_strdup_printf(wmem_packet_scope(), "File_Id_%s", file_id);
1024 eo_info->filename=auxstring;
/* The fid is a g_str_hash value of either the name or the id string, so distinct inputs can produce the same fid; consumers should not treat it as unique. */
1029 if (eosmb2_take_name_as_fid) {
1030 eo_info->fid = g_str_hash(eo_info->filename);
1032 eo_info->fid = g_str_hash(file_id);
1035 /* tid, hostname, tree_id */
/* NOTE(review): si->tree and si->tree->name are dereferenced below; the guard for a missing tree is not shown in this listing, and a NULL name would reach strlen. */
1037 eo_info->tid=si->tree->tid;
1038 if (strlen(si->tree->name)>0 && strlen(si->tree->name)<=256) {
1039 eo_info->hostname = wmem_strdup(wmem_packet_scope(), si->tree->name);
1041 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
1045 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
1049 eo_info->pkt_num = pinfo->num;
/* NOTE(review): si->eo_file_info is dereferenced with no NULL check in the visible lines. */
1052 if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
1053 eo_info->fid_type=SMB2_FID_TYPE_DIR;
1055 if (si->eo_file_info->attr_mask &
1056 (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
1057 SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
1058 SMB2_FLAGS_ATTR_SYSTEM) ) {
1059 eo_info->fid_type=SMB2_FID_TYPE_FILE;
1061 eo_info->fid_type=SMB2_FID_TYPE_OTHER;
1066 eo_info->end_of_file=si->eo_file_info->end_of_file;
1068 /* data offset and chunk length */
1069 eo_info->smb_file_offset=file_offset;
1070 eo_info->smb_chunk_len=length;
1071 /* XXX is this right? */
/* When this chunk is shorter than the outstanding byte count, the saved offset advances and the outstanding count shrinks by the chunk length. The original author marked this accounting as unverified. */
1072 if (length<si->saved->bytes_moved) {
1073 si->saved->file_offset=si->saved->file_offset+length;
1074 si->saved->bytes_moved=si->saved->bytes_moved-length;
1078 eo_info->payload_len = length;
/* payload_data is a pointer obtained from the tvb, not a copy. NOTE(review): presumably a listener that keeps the data beyond the current packet has to copy it. */
1079 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);
1081 tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
1085 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
1088 /* This is a helper to dissect the common string type
1094 * This function is called twice, first to decode the offset/length and
1095 * second time to dissect the actual string.
1096 * It is done this way since there is no guarantee that we have the full packet and we don't
1097 * want to abort dissection too early if the packet ends somewhere between the
1098 * length/offset and the actual buffer.
/*
 * Wire layouts of an offset/length pair, as read by
 * dissect_smb2_olb_length_offset: the enumerator name gives the field order
 * (O = offset, S = size/length) and the width of each field. The last
 * layout stores the length before the offset.
 */
1101 enum offset_length_buffer_offset_size {
1102 OLB_O_UINT16_S_UINT16,
1103 OLB_O_UINT16_S_UINT32,
1104 OLB_O_UINT32_S_UINT32,
1105 OLB_S_UINT32_O_UINT32
/* Decoded offset/length descriptor. Only offset_size is shown in this listing; other code here also uses the members off, len, off_offset, len_offset and hfindex. */
1107 typedef struct _offset_length_buffer_t {
1112 enum offset_length_buffer_offset_size offset_size;
1114 } offset_length_buffer_t;
/*
 * First pass over an offset/length buffer: reads the offset and length
 * fields from tvb in little-endian order according to offset_size, and
 * records in olb the values (off, len), where each field sits in the packet
 * (off_offset, len_offset), the layout and the header field index.
 * The statements that advance offset between the two reads, and the return
 * statement, are not shown in this listing.
 * The values are taken from the packet as is and are not validated here;
 * dissect_smb2_olb_string and dissect_smb2_olb_buffer check them against
 * the tvb before using them.
 */
1116 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
1117 enum offset_length_buffer_offset_size offset_size, int hfindex)
1119 olb->hfindex = hfindex;
1120 olb->offset_size = offset_size;
1121 switch (offset_size) {
1122 case OLB_O_UINT16_S_UINT16:
1123 olb->off = tvb_get_letohs(tvb, offset);
1124 olb->off_offset = offset;
1126 olb->len = tvb_get_letohs(tvb, offset);
1127 olb->len_offset = offset;
1130 case OLB_O_UINT16_S_UINT32:
1131 olb->off = tvb_get_letohs(tvb, offset);
1132 olb->off_offset = offset;
1134 olb->len = tvb_get_letohl(tvb, offset);
1135 olb->len_offset = offset;
1138 case OLB_O_UINT32_S_UINT32:
1139 olb->off = tvb_get_letohl(tvb, offset);
1140 olb->off_offset = offset;
1142 olb->len = tvb_get_letohl(tvb, offset);
1143 olb->len_offset = offset;
1146 case OLB_S_UINT32_O_UINT32:
1147 olb->len = tvb_get_letohl(tvb, offset);
1148 olb->len_offset = offset;
1150 olb->off = tvb_get_letohl(tvb, offset);
1151 olb->off_offset = offset;
/* String encodings accepted by dissect_smb2_olb_string in its type argument. */
1159 #define OLB_TYPE_UNICODE_STRING 0x01
1160 #define OLB_TYPE_ASCII_STRING 0x02
/*
 * Second pass over an offset/length buffer that holds a string: validates
 * the range, extracts the string as Unicode or ASCII depending on type,
 * adds it to parent_tree under olb->hfindex, and adds the raw offset and
 * length fields beneath it using the widths given by olb->offset_size.
 * The declarations of off, len, offset and bc and the return statements are
 * not shown in this listing.
 */
1162 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
1165 proto_item *item = NULL;
1166 proto_tree *tree = NULL;
1167 const char *name = NULL;
1174 bc = tvb_captured_length_remaining(tvb, offset);
/* Range validation: the call below raises a dissector exception when the requested bytes are not in the tvb. The explicit test after it reports ranges that run past the reported length; its first clause is not shown. NOTE(review): off+len is computed from packet values and could wrap depending on the declared types, which are not visible; confirm the hidden clause covers that. */
1178 tvb_ensure_bytes_exist(tvb, off, len);
1180 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
/* NOTE(review): tree is initialised to NULL above and is first assigned further down in the visible lines, whereas dissect_smb2_olb_buffer passes parent_tree at the same point. Confirm the expert item is still recorded for the analyst. */
1181 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1182 "Invalid offset/length. Malformed packet");
1184 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1191 case OLB_TYPE_UNICODE_STRING:
1192 name = get_unicode_or_ascii_string(tvb, &off,
1193 TRUE, &len, TRUE, TRUE, &bc);
1198 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1199 tree = proto_item_add_subtree(item, ett_smb2_olb);
1202 case OLB_TYPE_ASCII_STRING:
1203 name = get_unicode_or_ascii_string(tvb, &off,
1204 FALSE, &len, TRUE, TRUE, &bc);
1209 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1210 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* Show the raw offset and length fields with the widths of the recorded layout. */
1215 switch (olb->offset_size) {
1216 case OLB_O_UINT16_S_UINT16:
1217 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1218 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1220 case OLB_O_UINT16_S_UINT32:
1221 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1222 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1224 case OLB_O_UINT32_S_UINT32:
1225 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1226 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1228 case OLB_S_UINT32_O_UINT32:
1229 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1230 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Second pass over an offset/length buffer that holds opaque data:
 * validates the range, optionally creates a subtree (skipped when
 * olb->hfindex is -1), adds the raw offset and length fields, and hands a
 * sub-tvb covering the buffer to the dissector callback. When off or len is
 * zero the item is annotated with NO DATA.
 * The declarations of off, len and offset, the return statements and any
 * check of the dissector pointer are not shown in this listing.
 */
1238 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
1239 offset_length_buffer_t *olb, smb2_info_t *si,
1240 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
1243 proto_item *sub_item = NULL;
1244 proto_tree *sub_tree = NULL;
1245 tvbuff_t *sub_tvb = NULL;
/* Range validation: the call below raises a dissector exception when the requested bytes are not in the tvb. The explicit test after it reports ranges that run past the reported length; its first clause is not shown. NOTE(review): off+len is computed from packet values and could wrap depending on the declared types, which are not visible; confirm the hidden clause covers that. */
1253 tvb_ensure_bytes_exist(tvb, off, len);
1255 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
1256 proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1257 "Invalid offset/length. Malformed packet");
1259 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1264 /* if we don't want/need a subtree */
1265 if (olb->hfindex == -1) {
1266 sub_item = parent_tree;
1267 sub_tree = parent_tree;
1270 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
1271 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
/* Show the raw offset and length fields with the widths of the recorded layout. */
1275 switch (olb->offset_size) {
1276 case OLB_O_UINT16_S_UINT16:
1277 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1278 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1280 case OLB_O_UINT16_S_UINT32:
1281 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1282 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1284 case OLB_O_UINT32_S_UINT32:
1285 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1286 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1288 case OLB_S_UINT32_O_UINT32:
1289 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1290 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1294 if (off == 0 || len == 0) {
1295 proto_item_append_text(sub_item, ": NO DATA");
/* The sub-tvb is limited to the captured bytes and reports len as its length. NOTE(review): the (int) cast of len depends on the validation above having rejected values that do not fit the buffer; a len above INT_MAX would otherwise turn negative here. */
1303 sub_tvb = tvb_new_subset(tvb, off, MIN((int)len, tvb_captured_length_remaining(tvb, off)), len);
1305 dissector(sub_tvb, pinfo, sub_tree, si);
/*
 * Returns the larger of offset and the end of the described buffer
 * (olb->off + olb->len). What is returned when olb->off is zero is not
 * shown in this listing.
 * NOTE(review): off and len come from the packet; their sum is cast to int,
 * so a large sum can wrap or become negative. Confirm callers only use this
 * after the buffer has been validated.
 */
1309 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
1311 if (olb->off == 0) {
1314 return MAX(offset, (int)(olb->off + olb->len));
/* Pair of dissector callbacks, one for a request and one for a response. Both take the tvb, packet info, tree, starting offset and smb2_info_t and return an int (presumably the offset after the dissected data). */
1317 typedef struct _smb2_function {
1318 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
1319 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
/* Display strings for boolean header, capability and interface flags. In each pair the first string is shown when the bit is set and the second when it is clear. */
1322 static const true_false_string tfs_smb2_svhdx_has_initiator_id = {
1323 "Has an initiator id",
1324 "Does not have an initiator id"
1327 static const true_false_string tfs_flags_response = {
1328 "This is a RESPONSE",
1332 static const true_false_string tfs_flags_async_cmd = {
1333 "This is an ASYNC command",
1334 "This is a SYNC command"
1337 static const true_false_string tfs_flags_dfs_op = {
1338 "This is a DFS OPERATION",
1339 "This is a normal operation"
/* NOTE(review): the first string below lacks a verb (pdu a CHAINED command). */
1342 static const true_false_string tfs_flags_chained = {
1343 "This pdu a CHAINED command",
1344 "This pdu is NOT a chained command"
/* The signed flag only reports what the header claims; it does not show that the signature was verified. */
1347 static const true_false_string tfs_flags_signature = {
1348 "This pdu is SIGNED",
1349 "This pdu is NOT signed"
/* NOTE(review): OPEARATION in the first string below is a misspelling of OPERATION. */
1352 static const true_false_string tfs_flags_replay_operation = {
1353 "This is a REPLAY OPEARATION",
1354 "This is NOT a replay operation"
/* NOTE(review): the second string below ends in PRIORITY1; the trailing 1 looks like a typo. */
1357 static const true_false_string tfs_flags_priority_mask = {
1358 "This pdu contains a PRIORITY",
1359 "This pdu does NOT contain a PRIORITY1"
1362 static const true_false_string tfs_cap_dfs = {
1363 "This host supports DFS",
1364 "This host does NOT support DFS"
1367 static const true_false_string tfs_cap_leasing = {
1368 "This host supports LEASING",
1369 "This host does NOT support LEASING"
1372 static const true_false_string tfs_cap_large_mtu = {
1373 "This host supports LARGE_MTU",
1374 "This host does NOT support LARGE_MTU"
1377 static const true_false_string tfs_cap_multi_channel = {
1378 "This host supports MULTI CHANNEL",
1379 "This host does NOT support MULTI CHANNEL"
1382 static const true_false_string tfs_cap_persistent_handles = {
1383 "This host supports PERSISTENT HANDLES",
1384 "This host does NOT support PERSISTENT HANDLES"
1387 static const true_false_string tfs_cap_directory_leasing = {
1388 "This host supports DIRECTORY LEASING",
1389 "This host does NOT support DIRECTORY LEASING"
1392 static const true_false_string tfs_cap_encryption = {
1393 "This host supports ENCRYPTION",
1394 "This host does NOT support ENCRYPTION"
1397 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
1398 "This interface supports RSS",
1399 "This interface does not support RSS"
1402 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
1403 "This interface supports RDMA",
1404 "This interface does not support RDMA"
/* Value-to-name tables for file region usage, shared virtual disk originator flags, POSIX extension flags, compression formats and checksum algorithms. Values not listed in a table have no name here. */
1407 static const value_string file_region_usage_vals[] = {
1408 { 0x00000001, "FILE_REGION_USAGE_VALID_CACHED_DATA" },
1412 static const value_string originator_flags_vals[] = {
1413 { 1, "SVHDX_ORIGINATOR_PVHDPARSER" },
1414 { 4, "SVHDX_ORIGINATOR_VHDMP" },
1418 static const value_string posix_locks_vals[] = {
1419 { 1, "POSIX_V1_POSIX_LOCK" },
1423 static const value_string posix_utf8_paths_vals[] = {
1424 { 1, "POSIX_V1_UTF8_PATHS" },
1428 static const value_string posix_file_semantics_vals[] = {
1429 { 1, "POSIX_V1_POSIX_FILE_SEMANTICS" },
1433 static const value_string posix_case_sensitive_vals[] = {
1434 { 1, "POSIX_V1_CASE_SENSITIVE" },
1438 static const value_string posix_will_convert_ntacls_vals[] = {
1439 { 1, "POSIX_V1_WILL_CONVERT_NT_ACLS" },
1443 static const value_string posix_fileinfo_vals[] = {
1444 { 1, "POSIX_V1_POSIX_FILEINFO" },
1448 static const value_string posix_acls_vals[] = {
1449 { 1, "POSIX_V1_POSIX_ACLS" },
1453 static const value_string posix_rich_acls_vals[] = {
1454 { 1, "POSIX_V1_RICH_ACLS" },
1458 static const value_string compression_format_vals[] = {
1459 { 0, "COMPRESSION_FORMAT_NONE" },
1460 { 1, "COMPRESSION_FORMAT_DEFAULT" },
1461 { 2, "COMPRESSION_FORMAT_LZNT1" },
1465 static const value_string checksum_algorithm_vals[] = {
1466 { 0x0000, "CHECKSUM_TYPE_NONE" },
1467 { 0x0002, "CHECKSUM_TYPE_CRC64" },
1468 { 0xFFFF, "CHECKSUM_TYPE_UNCHANGED" },
1472 /* Note: entries without a trailing comment have no dissector implemented */
/*
 * Names for complete 32-bit ioctl/FSCTL control codes, looked up by
 * dissect_smb2_ioctl_function through smb2_ioctl_vals_ext. A code that is
 * not listed is shown by its device and function parts instead.
 * NOTE(review): 0x000900A4 and 0x000980A4 carry the same name
 * (FSCTL_SET_REPARSE_POINT); the two codes differ only in bit 15 (0x8000),
 * so the name alone does not tell an analyst which code was on the wire.
 */
1473 static const value_string smb2_ioctl_vals[] = {
1474 {0x00060194, "FSCTL_DFS_GET_REFERRALS"}, /* dissector implemented */
1475 {0x000601B0, "FSCTL_DFS_GET_REFERRALS_EX"},
1476 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
1477 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
1478 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
1479 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
1480 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
1481 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
1482 {0x00090018, "FSCTL_LOCK_VOLUME"},
1483 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
1484 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
1485 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
1486 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
1487 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
1488 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
1489 {0x0009003C, "FSCTL_GET_COMPRESSION"}, /* dissector implemented */
1490 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
1491 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
1492 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
1493 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
1494 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
1495 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
1496 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
1497 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
1498 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
1499 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
1500 {0x00090074, "FSCTL_MOVE_FILE"},
1501 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
1502 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
1503 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
1504 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
1505 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
1506 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
1507 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
1508 {0x0009009C, "FSCTL_GET_OBJECT_ID"}, /* dissector implemented */
1509 {0x000900A4, "FSCTL_SET_REPARSE_POINT"},
1510 {0x000900A8, "FSCTL_GET_REPARSE_POINT"},
1511 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"}, /* dissector implemented */
1512 {0x000900C4, "FSCTL_SET_SPARSE"}, /* dissector implemented */
1513 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
1514 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
1515 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
1516 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
1517 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
1518 {0x0009027C, "FSCTL_GET_INTEGRITY_INFORMATION"},
1519 {0x00090284, "FSCTL_QUERY_FILE_REGIONS"},
1520 {0x00090300, "FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT"}, /* dissector implemented */
1521 {0x00090304, "FSCTL_SVHDX_SYNC_TUNNEL_REQUEST"}, /* dissector implemented */
1522 {0x00090308, "FSCTL_SVHDX_SET_INITIATOR_INFORMATION"},
1523 {0x0009030C, "FSCTL_SET_EXTERNAL_BACKING"},
1524 {0x00090310, "FSCTL_GET_EXTERNAL_BACKING"},
1525 {0x00090314, "FSCTL_DELETE_EXTERNAL_BACKING"},
1526 {0x00090318, "FSCTL_ENUM_EXTERNAL_BACKING"},
1527 {0x0009031F, "FSCTL_ENUM_OVERLAY"},
1528 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
1529 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
1530 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
1531 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"}, /* dissector implemented */
1532 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
1533 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
1534 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
1535 {0x00094264, "FSCTL_OFFLOAD_READ"},
1536 {0x00098098, "FSCTL_SET_OBJECT_ID"}, /* dissector implemented */
1537 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
1538 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
1539 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
1540 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"}, /* dissector implemented */
1541 {0x000980C8, "FSCTL_SET_ZERO_DATA"}, /* dissector implemented */
1542 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
1543 {0x00098208, "FSCTL_FILE_LEVEL_TRIM"},
1544 {0x0009C040, "FSCTL_SET_COMPRESSION"}, /* dissector implemented */
1545 {0x0009C280, "FSCTL_SET_INTEGRITY_INFORMATION"}, /* dissector implemented */
1546 {0x00110018, "FSCTL_PIPE_WAIT"}, /* dissector implemented */
1547 {0x0011400C, "FSCTL_PIPE_PEEK"},
1548 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"}, /* dissector implemented */
1549 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
1550 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"}, /* dissector implemented */
1551 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"}, /* dissector implemented */
1552 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"}, /* dissector implemented */
1553 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"}, /* dissector implemented */
1554 {0x00144064, "FSCTL_SRV_ENUMERATE_SNAPSHOTS"}, /* dissector implemented */
1555 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
1556 {0x001441bb, "FSCTL_SRV_READ_HASH"},
1557 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
1560 static value_string_ext smb2_ioctl_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_vals);
/* Names for the device part of an ioctl control code. dissect_smb2_ioctl_function looks up bits 16 to 31 of the code in this table through smb2_ioctl_device_vals_ext. */
1562 static const value_string smb2_ioctl_device_vals[] = {
1564 { 0x0002, "CD_ROM" },
1565 { 0x0003, "CD_ROM_FILE_SYSTEM" },
1566 { 0x0004, "CONTROLLER" },
1567 { 0x0005, "DATALINK" },
1570 { 0x0008, "DISK_FILE_SYSTEM" },
1571 { 0x0009, "FILE_SYSTEM" },
1572 { 0x000a, "INPORT_PORT" },
1573 { 0x000b, "KEYBOARD" },
1574 { 0x000c, "MAILSLOT" },
1575 { 0x000d, "MIDI_IN" },
1576 { 0x000e, "MIDI_OUT" },
1577 { 0x000f, "MOUSE" },
1578 { 0x0010, "MULTI_UNC_PROVIDER" },
1579 { 0x0011, "NAMED_PIPE" },
1580 { 0x0012, "NETWORK" },
1581 { 0x0013, "NETWORK_BROWSER" },
1582 { 0x0014, "NETWORK_FILE_SYSTEM" },
1584 { 0x0016, "PARALLEL_PORT" },
1585 { 0x0017, "PHYSICAL_NETCARD" },
1586 { 0x0018, "PRINTER" },
1587 { 0x0019, "SCANNER" },
1588 { 0x001a, "SERIAL_MOUSE_PORT" },
1589 { 0x001b, "SERIAL_PORT" },
1590 { 0x001c, "SCREEN" },
1591 { 0x001d, "SOUND" },
1592 { 0x001e, "STREAMS" },
1594 { 0x0020, "TAPE_FILE_SYSTEM" },
1595 { 0x0021, "TRANSPORT" },
1596 { 0x0022, "UNKNOWN" },
1597 { 0x0023, "VIDEO" },
1598 { 0x0024, "VIRTUAL_DISK" },
1599 { 0x0025, "WAVE_IN" },
1600 { 0x0026, "WAVE_OUT" },
1601 { 0x0027, "8042_PORT" },
1602 { 0x0028, "NETWORK_REDIRECTOR" },
1603 { 0x0029, "BATTERY" },
1604 { 0x002a, "BUS_EXTENDER" },
1605 { 0x002b, "MODEM" },
1607 { 0x002d, "MASS_STORAGE" },
1610 { 0x0030, "CHANGER" },
1611 { 0x0031, "SMARTCARD" },
1614 { 0x0034, "FULLSCREEN_VIDEO" },
1615 { 0x0035, "DFS_FILE_SYSTEM" },
1616 { 0x0036, "DFS_VOLUME" },
1617 { 0x0037, "SERENUM" },
1618 { 0x0038, "TERMSRV" },
1622 static value_string_ext smb2_ioctl_device_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals);
/* Names for the two-bit access and method values of an ioctl control code (four entries each, 0x00 to 0x03). */
1624 static const value_string smb2_ioctl_access_vals[] = {
1625 { 0x00, "FILE_ANY_ACCESS" },
1626 { 0x01, "FILE_READ_ACCESS" },
1627 { 0x02, "FILE_WRITE_ACCESS" },
1628 { 0x03, "FILE_READ_WRITE_ACCESS" },
1632 static const value_string smb2_ioctl_method_vals[] = {
1633 { 0x00, "METHOD_BUFFERED" },
1634 { 0x01, "METHOD_IN_DIRECT" },
1635 { 0x02, "METHOD_OUT_DIRECT" },
1636 { 0x03, "METHOD_NEITHER" },
1640 /* this is called from both smb and smb2. */
/*
 * Dissects the 4-byte little-endian ioctl control code at offset: adds the
 * whole value, then its device, access, function and method parts as
 * sub-items, and appends a name to the Info column. The code is also
 * written to *ioctlfunc.
 * A code found in smb2_ioctl_vals is shown by name; otherwise the device
 * name (bits 16 to 31) and the function number ((code >> 2) & 0x0fff) are
 * shown instead.
 * The calls that own the Info column argument lines, the statements that
 * advance offset and the return statement are not shown in this listing.
 */
1642 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctlfunc)
1644 proto_item *item = NULL;
1645 proto_tree *tree = NULL;
1646 guint32 ioctl_function;
1649 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1650 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
1653 ioctl_function = tvb_get_letohl(tvb, offset);
/* NOTE(review): ioctlfunc is written through below; whether a NULL check guards this store is not visible in this listing. */
1655 *ioctlfunc = ioctl_function;
1656 if (ioctl_function) {
/* unknown acts as a sentinel: it is presumably passed as the default string of the lookup (that argument line is not shown), so the pointer comparison further down detects a code that is not in the table. */
1657 const gchar *unknown = "unknown";
1658 const gchar *ioctl_name = val_to_str_ext_const(ioctl_function,
1659 &smb2_ioctl_vals_ext,
1663 * val_to_str_const() doesn't work with a unknown == NULL
1665 if (ioctl_name == unknown) {
1669 if (ioctl_name != NULL) {
1671 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
1675 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1676 if (ioctl_name == NULL) {
1678 pinfo->cinfo, COL_INFO, " %s",
1679 val_to_str_ext((ioctl_function>>16)&0xffff, &smb2_ioctl_device_vals_ext,
1680 "Unknown (0x%08X)"));
1684 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1687 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1688 if (ioctl_name == NULL) {
1690 pinfo->cinfo, COL_INFO, " Function:0x%04x",
1691 (ioctl_function>>2)&0x0fff);
1695 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1703 /* fake the dce/rpc support structures so we can piggy back on
1704 * dissect_nt_policy_hnd() since this will allow us
1705 * a cheap way to track where FIDs are opened, closed
1706 * and fid->filename mappings
1707 * if we want to do those things in the future.
/* Values for the mode argument of dissect_smb2_fid. */
1709 #define FID_MODE_OPEN 0
1710 #define FID_MODE_CLOSE 1
1711 #define FID_MODE_USE 2
1712 #define FID_MODE_DHNQ 3
1713 #define FID_MODE_DHNC 4
/*
 * Dissects a file id (64-bit persistent part at offset, 64-bit volatile
 * part at offset+8) by handing it to dissect_nt_guid_hnd with stand-in
 * DCE/RPC structures. Depending on mode it records a newly opened file,
 * marks a close, or looks up an existing file and appends its name to the
 * handle item and the Info column.
 * Much of the branch structure (the switch on mode, several guards and the
 * return statement) is not shown in this listing.
 * File names handled here come from si->saved->extra_info, which presumably
 * holds the name seen in the capture; they are passed to the display calls
 * as arguments to a %s format, not as the format string itself.
 */
1715 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
1717 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
/* di and call_data have static storage and are reused by every call, so this function keeps state between calls and is not reentrant. */
1718 static dcerpc_info di; /* fake dcerpc_info struct */
1719 static dcerpc_call_value call_data;
1720 e_ctx_hnd policy_hnd;
1721 e_ctx_hnd *policy_hnd_hashtablekey;
1722 proto_item *hnd_item = NULL;
1724 guint32 open_frame = 0, close_frame = 0;
1725 smb2_eo_file_info_t *eo_file_info;
1726 smb2_fid_info_t sfi_key;
1727 smb2_fid_info_t *sfi = NULL;
/* Lookup key for the fids table: both id halves from the packet plus the session and tree ids of the current packet. */
1729 sfi_key.fid_persistent = tvb_get_letoh64(tvb, offset);
1730 sfi_key.fid_volatile = tvb_get_letoh64(tvb, offset+8);
1731 sfi_key.sesid = si->sesid;
1732 sfi_key.tid = si->tid;
1733 sfi_key.name = NULL;
1735 di.conformant_run = 0;
1736 /* we need di->call_data->flags.NDR64 == 0 */
1737 di.call_data = &call_data;
1741 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, TRUE, FALSE);
/* First pass only: allocate a file-scope record for the opened file and register it. These allocations live until the capture file is closed, so memory use grows with the number of opens in the capture. */
1742 if (!pinfo->fd->flags.visited) {
1743 sfi = wmem_new(wmem_file_scope(), smb2_fid_info_t);
1745 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1746 sfi->name = wmem_strdup(wmem_file_scope(), (char *)si->saved->extra_info);
1748 sfi->name = wmem_strdup_printf(wmem_file_scope(), "[unknown]");
1751 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1752 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si->saved->extra_info);
1754 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: ");
1756 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
/* The record serves as both key and value in the fids table. */
1759 g_hash_table_insert(si->conv->fids, sfi, sfi);
1762 /* If needed, create the file entry and save the policy hnd */
/* NOTE(review): si->saved is tested for NULL a few lines above but dereferenced here; the guard for these two stores is not shown in this listing. */
1764 si->saved->file = sfi;
1765 si->saved->policy_hnd = policy_hnd;
1769 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1770 if (!eo_file_info) {
1771 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
1772 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
1773 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1774 eo_file_info->end_of_file=0;
1775 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1777 si->eo_file_info=eo_file_info;
1781 case FID_MODE_CLOSE:
1782 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, TRUE);
1787 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, FALSE);
/* NOTE(review): the lookup result may be NULL for a file id that was never seen being opened; si->file and si->saved are dereferenced below and the guards are not shown in this listing. */
1791 si->file = (smb2_fid_info_t *)g_hash_table_lookup(si->conv->fids, &sfi_key);
1794 si->saved->file = si->file;
1796 if (si->file->name) {
1798 proto_item_append_text(hnd_item, " File: %s", si->file->name);
1800 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", si->file->name);
1804 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
1805 /* look for the eo_file_info */
1806 if (!si->eo_file_info) {
1807 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
1809 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1811 si->eo_file_info=eo_file_info;
1812 } else { /* XXX This should never happen */
1813 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
1814 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
1815 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1816 eo_file_info->end_of_file=0;
1817 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1828 /* this info level is unique to SMB2 and differs from the corresponding
1829 * SMB_FILE_ALL_INFO in SMB
/*
 * Dissects a file all-info structure into a subtree of parent_tree: four
 * 64-bit timestamps, file attributes, allocation size, end of file, link
 * count, delete-pending and is-directory flags, file id, EA size, access
 * mask, two runs of bytes the dissector does not interpret, and finally the
 * file name length followed by the Unicode file name.
 * The statements that advance offset after each fixed-size field and the
 * return statement are not shown in this listing.
 */
1832 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1834 proto_item *item = NULL;
1835 proto_tree *tree = NULL;
1837 const char *name = "";
1841 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
1842 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
1846 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1849 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1852 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1855 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1857 /* File Attributes */
1858 offset = dissect_file_ext_attr(tvb, tree, offset);
1860 /* some unknown bytes */
1861 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
1864 /* allocation size */
1865 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1869 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1872 /* number of links */
1873 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1876 /* delete pending */
1877 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1881 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1888 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1892 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1896 offset = dissect_smb_access_mask(tvb, tree, offset);
1898 /* some unknown bytes */
1899 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
1902 /* file name length */
/* NOTE(review): the length is read as 16 bits here, while the same field is added to the tree as 4 bytes on the next line. The upper 16 bits are therefore shown to the analyst but ignored when the name is extracted; confirm which width is intended. */
1903 length = tvb_get_letohs(tvb, offset);
1904 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The byte count handed to the string helper is limited to the captured data that remains, so a length larger than the packet cannot make the helper read past the buffer. */
1909 bc = tvb_captured_length_remaining(tvb, offset);
1910 name = get_unicode_or_ascii_string(tvb, &offset,
1911 TRUE, &length, TRUE, TRUE, &bc);
1913 proto_tree_add_string(tree, hf_smb2_filename, tvb,
1914 offset, length, name);
1925 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1927 proto_item *item = NULL;
1928 proto_tree *tree = NULL;
1933 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
1934 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
1937 bc = tvb_captured_length_remaining(tvb, offset);
1938 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
1944 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1946 proto_item *item = NULL;
1947 proto_tree *tree = NULL;
1952 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
1953 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
1956 bc = tvb_captured_length_remaining(tvb, offset);
1957 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
1963 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1965 proto_item *item = NULL;
1966 proto_tree *tree = NULL;
1971 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
1972 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
1975 bc = tvb_captured_length_remaining(tvb, offset);
1976 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ TRUE);
1983 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1985 proto_item *item = NULL;
1986 proto_tree *tree = NULL;
1989 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
1990 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
1994 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1997 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2000 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2003 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2005 /* File Attributes */
2006 offset = dissect_file_ext_attr(tvb, tree, offset);
2008 /* some unknown bytes */
2009 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
2016 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2018 proto_item *item = NULL;
2019 proto_tree *tree = NULL;
2024 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
2025 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
2028 bc = tvb_captured_length_remaining(tvb, offset);
2029 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2034 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2036 proto_item *item = NULL;
2037 proto_tree *tree = NULL;
2042 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
2043 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
2046 bc = tvb_captured_length_remaining(tvb, offset);
2047 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2052 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2054 proto_item *item = NULL;
2055 proto_tree *tree = NULL;
2060 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
2061 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
2064 bc = tvb_captured_length_remaining(tvb, offset);
2065 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2070 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2072 proto_item *item = NULL;
2073 proto_tree *tree = NULL;
2078 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
2079 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
2082 bc = tvb_captured_length_remaining(tvb, offset);
2083 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2088 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2090 proto_item *item = NULL;
2091 proto_tree *tree = NULL;
2096 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
2097 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
2100 bc = tvb_captured_length_remaining(tvb, offset);
2101 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2107 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2109 proto_item *item = NULL;
2110 proto_tree *tree = NULL;
2113 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
2114 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
2118 offset = dissect_smb_access_mask(tvb, tree, offset);
2124 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2126 proto_item *item = NULL;
2127 proto_tree *tree = NULL;
2132 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
2133 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
2136 bc = tvb_captured_length_remaining(tvb, offset);
2137 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2143 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2145 proto_item *item = NULL;
2146 proto_tree *tree = NULL;
2151 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
2152 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
2155 bc = tvb_captured_length_remaining(tvb, offset);
2156 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, TRUE);
2162 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2164 proto_item *item = NULL;
2165 proto_tree *tree = NULL;
2170 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
2171 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
2174 bc = tvb_captured_length_remaining(tvb, offset);
2175 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2181 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2183 proto_item *item = NULL;
2184 proto_tree *tree = NULL;
2189 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
2190 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
2193 bc = tvb_captured_length_remaining(tvb, offset);
2194 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2200 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2202 proto_item *item = NULL;
2203 proto_tree *tree = NULL;
2208 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
2209 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
2213 bc = tvb_captured_length_remaining(tvb, offset);
2214 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2220 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2222 proto_item *item = NULL;
2223 proto_tree *tree = NULL;
2228 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
2229 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
2233 bc = tvb_captured_length_remaining(tvb, offset);
2234 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2239 static const true_false_string tfs_disposition_delete_on_close = {
2240 "DELETE this file when closed",
2241 "Normal access, do not delete on close"
2245 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2247 proto_item *item = NULL;
2248 proto_tree *tree = NULL;
2251 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
2252 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
2255 /* file disposition */
2256 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissects FileFullEaInformation: a chain of extended-attribute entries,
 * each with a next-entry offset, flags, a 1-byte name length, a 2-byte
 * data length, the name (followed by a terminating NUL) and the data.
 * The next entry is located at start_offset + next_offset, where
 * next_offset is taken from the packet.
 * NOTE(review): this listing omits lines (the gutter numbers skip); the
 * loop header and any termination checks on next_offset are not visible.
 * Because next_offset is untrusted, a zero or otherwise non-advancing
 * value has to end the walk - confirm the guard exists in the full file.
 */
2262 dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2264 proto_item *item = NULL;
2265 proto_tree *tree = NULL;
2266 guint32 next_offset;
2268 guint16 ea_data_len;
2271 item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
2272 tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
2277 const char *name = "";
2278 const char *data = "";
/* Start of the current entry; next_offset is relative to this position. */
2280 int start_offset = offset;
2281 proto_item *ea_item;
2282 proto_tree *ea_tree;
2284 ea_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_ea, &ea_item, "EA:");
2287 next_offset = tvb_get_letohl(tvb, offset);
2288 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2292 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2295 /* EA Name Length */
2296 ea_name_len = tvb_get_guint8(tvb, offset);
2297 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2300 /* EA Data Length */
2301 ea_data_len = tvb_get_letohs(tvb, offset);
2302 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2306 length = ea_name_len;
/* bc = captured bytes remaining, passed alongside the packet-supplied
 * name length (presumably so the helper can clamp - verify in helper). */
2308 bc = tvb_captured_length_remaining(tvb, offset);
2309 name = get_unicode_or_ascii_string(tvb, &offset,
2310 FALSE, &length, TRUE, TRUE, &bc);
2312 proto_tree_add_string(ea_tree, hf_smb2_ea_name, tvb,
2313 offset, length + 1, name);
2317 /* The name is terminated with a NULL */
2318 offset += ea_name_len + 1;
2321 length = ea_data_len;
2323 bc = tvb_captured_length_remaining(tvb, offset);
2324 data = get_unicode_or_ascii_string(tvb, &offset,
2325 FALSE, &length, TRUE, TRUE, &bc);
2327 * We put the data here ...
2329 proto_tree_add_item(ea_tree, hf_smb2_ea_data, tvb,
2330 offset, length, ENC_NA);
2332 offset += ea_data_len;
2336 proto_item_append_text(ea_item, " %s := %s", name, data);
2338 proto_item_set_len(ea_item, offset-start_offset);
/* NOTE(review): guint32 next_offset is added to an int; a very large
 * packet value produces an offset that only the tvb accessors can reject
 * on the next read - confirm the range check that precedes this line. */
2345 offset = start_offset+next_offset;
2351 static const true_false_string tfs_replace_if_exists = {
2352 "Replace the target if it exists",
2353 "Fail if the target exists"
/*
 * Dissects FileRenameInformation: the ReplaceIfExists byte, 7 reserved
 * bytes, an 8-byte root directory handle, the file name length and the
 * new file name, which is also appended to the Info column.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so the
 * offset advances between fields and the return are not visible here.
 */
2357 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2359 proto_item *item = NULL;
2360 proto_tree *tree = NULL;
2362 const char *name = "";
2367 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
2368 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
2371 /* ReplaceIfExists */
2372 proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
2376 proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
2379 /* Root Directory Handle, MBZ */
2380 proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
2383 /* file name length */
/* NOTE(review): 16 bits are read into length, but the field is displayed
 * as 4 bytes on the next line; larger values would be truncated - confirm. */
2384 length = tvb_get_letohs(tvb, offset);
2385 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2390 bc = tvb_captured_length_remaining(tvb, offset);
2391 name = get_unicode_or_ascii_string(tvb, &offset,
2392 TRUE, &length, TRUE, TRUE, &bc);
2394 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2395 offset, length, name);
/* The packet-supplied name is passed as a "%s" argument, never as the
 * format string itself. */
2398 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s", name);
/*
 * Adds a security-info subtree under parent_tree and hands the rest of the
 * buffer to the NT security descriptor dissector.  The length given to
 * dissect_nt_sec_desc is the number of captured bytes remaining at offset,
 * not a length field taken from the packet.
 */
2406 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2408 proto_item *item = NULL;
2409 proto_tree *tree = NULL;
2412 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
2413 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
2416 /* security descriptor */
2417 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, TRUE, tvb_captured_length_remaining(tvb, offset), NULL);
2423 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2425 proto_item *item = NULL;
2426 proto_tree *tree = NULL;
2430 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
2431 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
2434 bc = tvb_captured_length_remaining(tvb, offset);
2435 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
2441 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2443 proto_item *item = NULL;
2444 proto_tree *tree = NULL;
2448 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
2449 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
2452 bc = tvb_captured_length_remaining(tvb, offset);
2453 offset = dissect_nt_quota(tvb, tree, offset, &bc);
2459 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2461 proto_item *item = NULL;
2462 proto_tree *tree = NULL;
2465 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
2466 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
2469 /* FILE_OBJECTID_BUFFER */
2470 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
2476 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2478 proto_item *item = NULL;
2479 proto_tree *tree = NULL;
2483 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
2484 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
2487 bc = tvb_captured_length_remaining(tvb, offset);
2488 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
2494 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2496 proto_item *item = NULL;
2497 proto_tree *tree = NULL;
2501 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
2502 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
2506 bc = tvb_captured_length_remaining(tvb, offset);
2507 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
2513 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2515 proto_item *item = NULL;
2516 proto_tree *tree = NULL;
2520 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
2521 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
2525 bc = tvb_captured_length_remaining(tvb, offset);
2526 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
2532 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2534 proto_item *item = NULL;
2535 proto_tree *tree = NULL;
2539 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
2540 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
2544 bc = tvb_captured_length_remaining(tvb, offset);
2545 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
2550 static const value_string oplock_vals[] = {
2551 { 0x00, "No oplock" },
2552 { 0x01, "Level2 oplock" },
2553 { 0x08, "Exclusive oplock" },
2554 { 0x09, "Batch oplock" },
2560 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2562 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissects the 2-byte buffer code that opens a command PDU: the raw value,
 * then the same two bytes again as a length part and a "dynamic" flag part.
 * The unmasked value is reported through *length; masking is left to the
 * caller (see the comment on the assignment).
 * NOTE(review): callers in this file pass NULL for length, while the
 * assignment below dereferences it; the guard is presumably on a line this
 * listing omits (the gutter numbers skip) - confirm.
 */
2569 dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint16 *length)
2573 guint16 buffer_code;
2575 /* dissect the first 2 bytes of the command PDU */
2576 buffer_code = tvb_get_letohs(tvb, offset);
2577 item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
2578 tree = proto_item_add_subtree(item, ett_smb2_buffercode);
2579 proto_tree_add_item(tree, hf_smb2_buffer_code_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2580 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2584 *length = buffer_code; /*&0xfffe don't mask it here, mask it on caller side */
2590 #define NEGPROT_CAP_DFS 0x00000001
2591 #define NEGPROT_CAP_LEASING 0x00000002
2592 #define NEGPROT_CAP_LARGE_MTU 0x00000004
2593 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
2594 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
2595 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
2596 #define NEGPROT_CAP_ENCRYPTION 0x00000040
2598 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2600 static const int * flags[] = {
2602 &hf_smb2_cap_leasing,
2603 &hf_smb2_cap_large_mtu,
2604 &hf_smb2_cap_multi_channel,
2605 &hf_smb2_cap_persistent_handles,
2606 &hf_smb2_cap_directory_leasing,
2607 &hf_smb2_cap_encryption,
2611 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_capabilities, ett_smb2_capabilities, flags, ENC_LITTLE_ENDIAN);
2619 #define NEGPROT_SIGN_REQ 0x0002
2620 #define NEGPROT_SIGN_ENABLED 0x0001
2623 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2625 static const int * flags[] = {
2626 &hf_smb2_secmode_flags_sign_enabled,
2627 &hf_smb2_secmode_flags_sign_required,
2631 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_security_mode, ett_smb2_sec_mode, flags, ENC_LITTLE_ENDIAN);
2637 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
2640 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2642 static const int * flags[] = {
2643 &hf_smb2_ses_req_flags_session_binding,
2647 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_ses_req_flags, ett_smb2_ses_req_flags, flags, ENC_LITTLE_ENDIAN);
2653 #define SES_FLAGS_GUEST 0x0001
2654 #define SES_FLAGS_NULL 0x0002
2657 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2659 static const int * flags[] = {
2660 &hf_smb2_ses_flags_guest,
2661 &hf_smb2_ses_flags_null,
2665 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_session_flags, ett_smb2_ses_flags, flags, ENC_LITTLE_ENDIAN);
2671 #define SHARE_FLAGS_manual_caching 0x00000000
2672 #define SHARE_FLAGS_auto_caching 0x00000010
2673 #define SHARE_FLAGS_vdo_caching 0x00000020
2674 #define SHARE_FLAGS_no_caching 0x00000030
2676 static const value_string share_cache_vals[] = {
2677 { SHARE_FLAGS_manual_caching, "Manual caching" },
2678 { SHARE_FLAGS_auto_caching, "Auto caching" },
2679 { SHARE_FLAGS_vdo_caching, "VDO caching" },
2680 { SHARE_FLAGS_no_caching, "No caching" },
2684 #define SHARE_FLAGS_dfs 0x00000001
2685 #define SHARE_FLAGS_dfs_root 0x00000002
2686 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
2687 #define SHARE_FLAGS_force_shared_delete 0x00000200
2688 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
2689 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
2690 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
2691 #define SHARE_FLAGS_enable_hash_v1 0x00002000
2692 #define SHARE_FLAGS_enable_hash_v2 0x00004000
2693 #define SHARE_FLAGS_encryption_required 0x00008000
2696 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
2698 static const int *sf_fields[] = {
2699 &hf_smb2_share_flags_dfs,
2700 &hf_smb2_share_flags_dfs_root,
2701 &hf_smb2_share_flags_restrict_exclusive_opens,
2702 &hf_smb2_share_flags_force_shared_delete,
2703 &hf_smb2_share_flags_allow_namespace_caching,
2704 &hf_smb2_share_flags_access_based_dir_enum,
2705 &hf_smb2_share_flags_force_levelii_oplock,
2706 &hf_smb2_share_flags_enable_hash_v1,
2707 &hf_smb2_share_flags_enable_hash_v2,
2708 &hf_smb2_share_flags_encrypt_data,
2714 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
2716 cp = tvb_get_letohl(tvb, offset);
2718 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
2726 #define SHARE_CAPS_DFS 0x00000008
2727 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
2728 #define SHARE_CAPS_SCALEOUT 0x00000020
2729 #define SHARE_CAPS_CLUSTER 0x00000040
2732 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
2734 static const int *sc_fields[] = {
2735 &hf_smb2_share_caps_dfs,
2736 &hf_smb2_share_caps_continuous_availability,
2737 &hf_smb2_share_caps_scaleout,
2738 &hf_smb2_share_caps_cluster,
2742 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
/*
 * Routes a security blob to the right sub-dissector: blobs that start with
 * the 7 bytes "NTLMSSP" go to the NTLMSSP dissector, everything else to
 * GSS-API.  The captured length is checked to be at least 7 before the
 * signature compare, so the compare is not attempted on a shorter blob.
 */
2750 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
2752 if ((tvb_captured_length(tvb)>=7)
2753 && (!tvb_memeql(tvb, 0, "NTLMSSP", 7))) {
2754 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
2756 call_dissector(gssapi_handle, tvb, pinfo, tree);
/*
 * Dissects an SMB2 SESSION_SETUP request: buffer code, request flags,
 * security mode, capabilities, channel, the security blob offset/length,
 * the previous session id and finally the blob itself (through
 * dissect_smb2_secblob).
 * On the first pass over a frame it also drains the "ntlmssp" tap and, for
 * each NTLMSSP_AUTH message, stores a session entry holding the account,
 * domain and host names plus decryption keys derived from the session key.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so some
 * declarations, braces and call arguments are not visible here.
 */
2761 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2763 offset_length_buffer_t s_olb;
2764 const ntlmssp_header_t *ntlmssph;
/* Cached across calls; 0 means the tap listener is not registered yet. */
2765 static int ntlmssp_tap_id = 0;
2768 if (!ntlmssp_tap_id) {
2769 GString *error_string;
2770 /* We don't specify any callbacks at all.
2771 * Instead we manually fetch the tapped data after the
2772 * security blob has been fully dissected and before
2773 * we exit from this dissector.
2775 error_string = register_tap_listener("ntlmssp", NULL, NULL,
2776 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL);
2777 if (!error_string) {
2778 ntlmssp_tap_id = find_tap_id("ntlmssp");
2780 g_string_free(error_string, TRUE);
2786 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2787 /* some unknown bytes */
2790 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
2793 offset = dissect_smb2_secmode(tree, tvb, offset);
2796 offset = dissect_smb2_capabilities(tree, tvb, offset);
2799 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2802 /* security blob offset/length */
2803 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2805 /* previous session id */
2806 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2810 /* the security blob itself */
2811 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2813 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
2815 /* If we have found a uid->acct_name mapping, store it */
/* Only on the first pass, so a frame does not add its session twice. */
2816 if (!pinfo->fd->flags.visited) {
2818 while ((ntlmssph = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
/* ntlmssph is already non-NULL here (loop condition); only the type
 * test selects anything. */
2819 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
2820 smb2_sesid_info_t *sesid;
/* The entry and its strings are file-scoped: names and derived key
 * material stay in memory for as long as the capture file is open. */
2821 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
2822 sesid->sesid = si->sesid;
2823 sesid->acct_name = wmem_strdup(wmem_file_scope(), ntlmssph->acct_name);
2824 sesid->domain_name = wmem_strdup(wmem_file_scope(), ntlmssph->domain_name);
2825 sesid->host_name = wmem_strdup(wmem_file_scope(), ntlmssph->host_name);
/* An all-zero session key is treated as "no key": keys are derived only
 * for a non-zero key, and the memset calls further down (presumably the
 * else branch) clear both decryption keys instead. */
2826 if (memcmp(ntlmssph->session_key, zeros, NTLMSSP_KEY_LEN) != 0) {
2827 smb2_key_derivation(ntlmssph->session_key,
2831 sesid->server_decryption_key);
2832 smb2_key_derivation(ntlmssph->session_key,
2836 sesid->client_decryption_key);
2838 memset(sesid->server_decryption_key, 0,
2839 sizeof(sesid->server_decryption_key));
2840 memset(sesid->client_decryption_key, 0,
2841 sizeof(sesid->client_decryption_key));
/* The request travels client -> server, so the destination port is the
 * server's. */
2843 sesid->server_port = pinfo->destport;
2844 sesid->auth_frame = pinfo->num;
/* NOTE(review): g_hash_table_new() memory is not wmem-managed; nothing
 * visible here releases it when the file-scoped sesid is discarded -
 * confirm the cleanup elsewhere in the file. */
2845 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
2846 g_hash_table_insert(si->conv->sesids, sesid, sesid);
2854 /* This needs more fixes for cases when the original header had also the constant value of 9.
2855 This should be fixed on caller side where it decides if it has to call this or not.
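2858 dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_,
2859 gboolean* continue_dissection)
/*
 * Dissects the body of an SMB2 ERROR response: buffer code, 2 reserved
 * bytes, the 4-byte ByteCount and ByteCount bytes of ErrorData (one byte
 * when ByteCount is zero).  When continue_dissection is non-NULL it is set
 * to tell the caller whether the PDU was handled here as an error response
 * (FALSE) or still has to be dissected as a normal response (TRUE).
 * NOTE(review): this listing omits lines (the gutter numbers skip), so the
 * declarations, the test on the buffer code and the return are not
 * visible here.
 */
2865 offset = dissect_smb2_buffercode(tree, tvb, offset, &length);
2867 /* FIX: error response uses this constant, if not then it is not an error response */
2870 if(continue_dissection)
2871 *continue_dissection = TRUE;
2873 if(continue_dissection)
2874 *continue_dissection = FALSE;
2876 /* Reserved (2 bytes) */
2877 proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2880 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
/* Read ByteCount little-endian, the same byte order the field is displayed
 * with on the next line.  A big-endian read turns a small count such as 8
 * into 0x08000000, so the ErrorData item below would ask for far more
 * bytes than the packet holds and the error data would not be shown. */
2881 byte_count = tvb_get_letohl(tvb, offset);
2882 proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2885 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
2886 that is one byte in length */
2887 if (byte_count == 0) byte_count = 1;
2889 /* ErrorData (variable): A variable-length data field that contains extended
2890 error information.*/
/* byte_count is packet-supplied; the tvb-backed add below is what bounds
 * it against the data actually present. */
2891 proto_tree_add_item(tree, hf_smb2_error_data, tvb, offset, byte_count, ENC_NA);
2892 offset += byte_count;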
/*
 * Dissects an SMB2 SESSION_SETUP response: buffer code, session flags, the
 * security blob offset/length and the blob itself (through
 * dissect_smb2_secblob).
 * When built with Kerberos support, on the first pass over a frame with
 * status 0 it walks enc_key_list for a key recorded for this frame and
 * stores a session entry with decryption keys derived from it.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so some
 * declarations, braces and call arguments are not visible here.
 */
2899 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2901 offset_length_buffer_t s_olb;
2903 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
2906 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2909 offset = dissect_smb2_ses_flags(tree, tvb, offset);
2911 /* security blob offset/length */
2912 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2914 /* the security blob itself */
2915 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2917 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
2919 /* If we have found a uid->acct_name mapping, store it */
2920 #ifdef HAVE_KERBEROS
2921 if (!pinfo->fd->flags.visited && si->status == 0) {
2925 read_keytab_file_from_preferences();
/* Keys are matched to this response by frame number. */
2928 for (ek=enc_key_list;ek;ek=ek->next) {
2929 if (ek->fd_num == (int)pinfo->num) {
2935 smb2_sesid_info_t *sesid;
2936 guint8 session_key[16] = { 0, };
/* At most 16 bytes are copied; a shorter key leaves the tail zero.
 * NOTE(review): assumes ek->keylength is never negative - its type is
 * not visible here, and a negative value would become a huge memcpy
 * size after conversion. */
2938 memcpy(session_key, ek->keyvalue, MIN(ek->keylength, 16));
/* File-scoped: the derived key material stays in memory for as long as
 * the capture file is open. */
2940 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
2941 sesid->sesid = si->sesid;
2942 /* TODO: fill in the correct information */
2943 sesid->acct_name = NULL;
2944 sesid->domain_name = NULL;
2945 sesid->host_name = NULL;
2946 smb2_key_derivation(session_key, sizeof(session_key),
2949 sesid->server_decryption_key);
2950 smb2_key_derivation(session_key, sizeof(session_key),
2953 sesid->client_decryption_key);
/* The response travels server -> client, so the source port is the
 * server's. */
2954 sesid->server_port = pinfo->srcport;
2955 sesid->auth_frame = pinfo->num;
/* NOTE(review): g_hash_table_new() memory is not wmem-managed; nothing
 * visible here releases it - confirm the cleanup elsewhere. */
2956 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
2957 g_hash_table_insert(si->conv->sesids, sesid, sesid);
/*
 * Dissects an SMB2 TREE_CONNECT request: buffer code, the tree name
 * offset/length and the name itself.  On the first pass the name is copied
 * into file-scoped memory on si->saved so the matching response can attach
 * it to the tree id; it is also appended to the Info column.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so some
 * declarations and the return are not visible here.
 */
2966 dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2968 offset_length_buffer_t olb;
2972 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2977 /* tree offset/length */
2978 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);
2981 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
2983 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* The copy below is sized from the on-wire length (olb.len + 1) and written
 * with g_snprintf, so it cannot overrun the allocation.
 * NOTE(review): if buf is the converted form of a UTF-16 name it can be
 * longer than olb.len bytes, in which case the saved name is truncated -
 * confirm whether that matters to consumers of tid->name. */
2985 /* treelen +1 is overkill here if the string is unicode,
2986 * but who ever has more than a handful of TCON in a trace anyways
2988 if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
2989 si->saved->extra_info_type = SMB2_EI_TREENAME;
2990 si->saved->extra_info = wmem_alloc(wmem_file_scope(), olb.len+1);
2991 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
2994 col_append_fstr(pinfo->cinfo, COL_INFO, " Tree: %s", buf);
/*
 * Dissects an SMB2 TREE_CONNECT response.  A status of 0 is dissected as a
 * normal response; any other status goes through
 * dissect_smb2_error_response, which decides whether dissection continues.
 * It then reads the share type, and on the first pass binds the tree name
 * saved by the request to this tree id in the session's tid table, before
 * dissecting share flags, share capabilities and an access mask.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so some
 * declarations, braces and the return are not visible here.
 */
2999 dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3002 gboolean continue_dissection;
3004 switch (si->status) {
3006 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3007 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3008 if (!continue_dissection) return offset;
/* NOTE(review): two bytes are read into share_type although the field is
 * displayed as one byte and the following byte is reserved; a non-zero
 * reserved byte would end up in the stored share type - confirm. */
3012 share_type = tvb_get_letohs(tvb, offset);
3013 proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3014 /* Next byte is reserved and must be set to zero */
3017 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
3018 smb2_tid_info_t *tid, tid_key;
3020 tid_key.tid = si->tid;
3021 tid = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
/* An existing entry for this tree id is dropped before the new one is
 * inserted below. */
3023 g_hash_table_remove(si->session->tids, &tid_key);
3025 tid = wmem_new(wmem_file_scope(), smb2_tid_info_t);
/* The name buffer saved by the request is handed over to the tid entry;
 * the saved pointer is cleared further down so it is not reused. */
3027 tid->name = (char *)si->saved->extra_info;
3028 tid->connect_frame = pinfo->num;
3029 tid->share_type = share_type;
3031 g_hash_table_insert(si->session->tids, tid, tid);
3033 si->saved->extra_info_type = SMB2_EI_NONE;
3034 si->saved->extra_info = NULL;
3038 offset = dissect_smb2_share_flags(tree, tvb, offset);
3040 /* share capabilities */
3041 offset = dissect_smb2_share_caps(tree, tvb, offset);
3043 /* this is some sort of access mask */
3044 offset = dissect_smb_access_mask(tvb, tree, offset);
/* Dissect the body of an SMB2 TREE_DISCONNECT request, beginning with the buffer code at offset. */
3050 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3053 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/*
 * Dissect the body of an SMB2 TREE_DISCONNECT response.
 * Status 0 goes through dissect_smb2_buffercode(); any other status goes to
 * dissect_smb2_error_response(), and the function returns early unless that
 * call sets continue_dissection.
 *
 * NOTE(review): pinfo and si are tagged _U_ but both are used below.
 */
3062 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3064 gboolean continue_dissection;
3066 switch (si->status) {
3068 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3069 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3070 if (!continue_dissection) return offset;
/* Dissect the body of an SMB2 LOGOFF request: the buffer code, then reserved bytes. */
3080 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3083 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3085 /* reserved bytes */
/*
 * Dissect the body of an SMB2 LOGOFF response.
 * Status 0 goes through dissect_smb2_buffercode(); any other status goes to
 * dissect_smb2_error_response(), and the function returns early unless that
 * call sets continue_dissection.
 *
 * NOTE(review): pinfo and si are tagged _U_ but both are used below.
 */
3092 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3094 gboolean continue_dissection;
3096 switch (si->status) {
3098 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3099 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3100 if (!continue_dissection) return offset;
3103 /* reserved bytes */
/* Dissect the body of an SMB2 keepalive request: the buffer code, then two bytes shown as hf_smb2_unknown. */
3110 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3113 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3115 /* some unknown bytes */
3116 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect the body of an SMB2 keepalive response.
 * Status 0 goes through dissect_smb2_buffercode(); any other status goes to
 * dissect_smb2_error_response(), and the function returns early unless that
 * call sets continue_dissection.  Two trailing bytes are shown as
 * hf_smb2_unknown.
 *
 * NOTE(review): pinfo and si are tagged _U_ but both are used below.
 */
3123 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3125 gboolean continue_dissection;
3127 switch (si->status) {
3129 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3130 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3131 if (!continue_dissection) return offset;
3134 /* some unknown bytes */
3135 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect the body of an SMB2 CHANGE_NOTIFY request: buffer code, a 2-byte
 * flags field with its watch-tree bit in a subtree, a 4-byte output buffer
 * length, the file id, and the completion filter.
 */
3142 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3144 proto_tree *flags_tree = NULL;
3145 proto_item *flags_item = NULL;
3148 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* The flags item and its single bit field cover the same two bytes. */
3152 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3153 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
3155 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3158 /* output buffer length */
3159 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* FID_MODE_USE: the request refers to a file id rather than opening or closing one (presumably; see dissect_smb2_fid). */
3163 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3165 /* completion filter */
3166 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
/*
 * Display names for the action code of a change-notify record; presumably the
 * value_string behind hf_smb2_notify_action.  The terminating entry is on a
 * line not shown here.
 */
3174 static const value_string notify_action_vals[] = {
3175 {0x01, "FILE_ACTION_ADDED"},
3176 {0x02, "FILE_ACTION_REMOVED"},
3177 {0x03, "FILE_ACTION_MODIFIED"},
3178 {0x04, "FILE_ACTION_RENAMED_OLD_NAME"},
3179 {0x05, "FILE_ACTION_RENAMED_NEW_NAME"},
3180 {0x06, "FILE_ACTION_ADDED_STREAM"},
3181 {0x07, "FILE_ACTION_REMOVED_STREAM"},
3182 {0x08, "FILE_ACTION_MODIFIED_STREAM"},
3183 {0x09, "FILE_ACTION_REMOVED_BY_DELETE"},
/*
 * Dissect the output buffer of a CHANGE_NOTIFY response as a chain of
 * records.  Each iteration adds one hf_smb2_notify_info subtree holding a
 * 4-byte next-entry offset, a 4-byte action, a 4-byte file name length and the
 * file name, then continues at start_offset + next_offset.
 *
 * NOTE(review): next_offset and length are taken from the packet.  The jump at
 * the end of the loop adds two guint32 values and, unlike the directory-info
 * loops in this file, no check that the new offset lies beyond the record just
 * parsed is visible here.  Confirm that the lines not shown stop the loop when
 * next_offset is zero and reject a sum that wraps or moves backwards, so that
 * a malformed capture cannot make the loop revisit earlier data.
 */
3188 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3190 proto_tree *tree = NULL;
3191 proto_item *item = NULL;
/* A record needs more than the 4-byte next-entry offset to be worth parsing. */
3194 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3195 guint32 start_offset = offset;
3196 guint32 next_offset;
/* Length -1: the item extends to the end of the buffer. */
3200 item = proto_tree_add_item(parent_tree, hf_smb2_notify_info, tvb, offset, -1, ENC_NA);
3201 tree = proto_item_add_subtree(item, ett_smb2_notify_info);
3205 proto_tree_add_item_ret_uint(tree, hf_smb2_notify_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &next_offset);
3208 proto_tree_add_item(tree, hf_smb2_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3211 /* file name length */
3212 proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
3217 const guchar *name = "";
/* NOTE(review): bc is declared on a line not shown; if it is 16 bits wide, a remaining length above 65535 is truncated here - confirm. */
3220 bc = tvb_reported_length_remaining(tvb, offset);
3221 name = get_unicode_or_ascii_string(tvb, &offset,
3222 TRUE, &length, TRUE, TRUE, &bc);
3224 proto_tree_add_string(tree, hf_smb2_filename,
3225 tvb, offset, length,
3236 offset = start_offset+next_offset;
/*
 * Dissect the body of an SMB2 CHANGE_NOTIFY response.
 * STATUS_NOTIFY_ENUM_DIR (0x0000010c) and status 0 are parsed as a normal
 * response; every other status goes to dissect_smb2_error_response(), and the
 * function returns early unless that call sets continue_dissection.  The
 * output buffer is located through an offset/length pair and handed to
 * dissect_smb2_notify_data_out().
 *
 * NOTE(review): pinfo is tagged _U_ but is used below.
 * NOTE(review): the offset and length in olb come from the packet; bounds
 * enforcement is left to the olb helpers and the tvb accessors - confirm.
 */
3241 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
3243 offset_length_buffer_t olb;
3244 gboolean continue_dissection;
3246 switch (si->status) {
3247 /* MS-SMB2 3.3.4.4 says STATUS_NOTIFY_ENUM_DIR is not treated as an error */
3248 case 0x0000010c: /* STATUS_NOTIFY_ENUM_DIR */
3249 case 0x00000000: /* buffer code */
3250 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3251 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3252 if (!continue_dissection) return offset;
3255 /* out buffer offset/length */
3256 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
/* Parse the records in the located buffer, then move offset past it. */
3259 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
3260 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* Bit values of the flags field in a find request; presumably the masks behind the hf_smb2_find_flags_* fields. */
3265 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
3266 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
3267 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
3268 #define SMB2_FIND_FLAG_REOPEN 0x10
/*
 * Dissect the body of an SMB2 find request: buffer code, info level, flags
 * bitmask, file index, file id, search pattern offset/length, output buffer
 * length and the search pattern itself.  The info level is stored in
 * si->saved so the matching response can select a record dissector, and on
 * the first pass the pattern is copied into si->saved->extra_info for the
 * response's COL_INFO text.
 */
3271 dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3273 offset_length_buffer_t olb;
3276 static const int *f_fields[] = {
3277 &hf_smb2_find_flags_restart_scans,
3278 &hf_smb2_find_flags_single_entry,
3279 &hf_smb2_find_flags_index_specified,
3280 &hf_smb2_find_flags_reopen,
3285 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3287 il = tvb_get_guint8(tvb, offset);
/* NOTE(review): si->saved is tested for NULL at line 3319; the guard for this store is presumably on a line not shown - confirm. */
3289 si->saved->infolevel = il;
3293 proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
3297 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
3301 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3305 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3307 /* search pattern offset/length */
3308 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);
3310 /* output buffer length */
3311 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3314 /* search pattern */
3315 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
3317 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * NOTE(review): the tree-connect request path (line 2988) also tests buf
 * before copying; this condition does not, so a NULL buf would reach the "%s"
 * conversion below.  Confirm dissect_smb2_olb_string() cannot return NULL
 * when olb.len is non-zero, or add the same buf test.
 *
 * NOTE(review): the copy is g_malloc()ed, and the only release visible in this
 * listing is the g_free() in dissect_smb2_find_response() on the first pass.
 * If no matching response is dissected the buffer appears to stay allocated,
 * and an earlier extra_info value is overwritten without being freed here.
 * The tree-connect path uses wmem_file_scope() instead, which avoids both.
 */
3319 if (!pinfo->fd->flags.visited && si->saved && olb.len) {
3320 si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
3321 si->saved->extra_info = g_malloc(olb.len+1);
3322 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
3325 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3326 val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
/*
 * Dissect a find-response buffer as a chain of directory-info records.
 * Per record: next-entry offset, file index, four 64-bit timestamps, end of
 * file, allocation size, file attributes, file name length and the file name.
 * The loop ends when next_offset is zero or when the computed next position
 * is lower than the start of the current record.
 *
 * NOTE(review): pinfo is tagged _U_ but is passed to the expert-info call.
 * NOTE(review): next_offset and file_name_len come from the packet.  The
 * backwards check runs after old_offset+next_offset has been computed; if the
 * operands are signed int (their declarations are on lines not shown), an
 * overflowing sum is undefined behaviour.  Comparing next_offset with the
 * remaining length before adding would not depend on wraparound.
 */
3332 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3335 proto_item *item = NULL;
3336 proto_tree *tree = NULL;
3337 const char *name = NULL;
3340 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3341 int old_offset = offset;
/* Length -1 for now; the real record length is set once the name has been parsed. */
3346 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
3347 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
3351 next_offset = tvb_get_letohl(tvb, offset);
3352 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3356 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3360 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3363 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3366 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3369 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3372 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3375 /* allocation size */
3376 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3379 /* File Attributes */
3380 offset = dissect_file_ext_attr(tvb, tree, offset);
3382 /* file name length */
3383 file_name_len = tvb_get_letohl(tvb, offset);
3384 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3388 if (file_name_len) {
/* bc is set on a line not shown; presumably it bounds the string read. */
3390 name = get_unicode_or_ascii_string(tvb, &offset,
3391 TRUE, &file_name_len, TRUE, TRUE, &bc);
3393 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3394 offset, file_name_len, name);
3395 proto_item_append_text(item, ": %s", name);
3400 proto_item_set_len(item, offset-old_offset);
/* A zero next-entry offset marks the last record. */
3402 if (next_offset == 0) {
3406 offset = old_offset+next_offset;
3407 if (offset < old_offset) {
3408 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3409 "Invalid offset/length. Malformed packet");
/*
 * Dissect a find-response buffer as a chain of full-directory-info records.
 * Per record: next-entry offset, file index, four 64-bit timestamps, end of
 * file, allocation size, file attributes, file name length, EA size and the
 * file name.  The loop ends when next_offset is zero or when the computed
 * next position is lower than the start of the current record.
 *
 * NOTE(review): pinfo is tagged _U_ but is passed to the expert-info call.
 * NOTE(review): next_offset and file_name_len come from the packet.  The
 * backwards check runs after old_offset+next_offset has been computed; if the
 * operands are signed int (their declarations are on lines not shown), an
 * overflowing sum is undefined behaviour.  Comparing next_offset with the
 * remaining length before adding would not depend on wraparound.
 */
3415 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3418 proto_item *item = NULL;
3419 proto_tree *tree = NULL;
3420 const char *name = NULL;
3423 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3424 int old_offset = offset;
/* Length -1 for now; the real record length is set once the name has been parsed. */
3429 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
3430 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
3434 next_offset = tvb_get_letohl(tvb, offset);
3435 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3439 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3443 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3446 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3449 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3452 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3455 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3458 /* allocation size */
3459 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3462 /* File Attributes */
3463 offset = dissect_file_ext_attr(tvb, tree, offset);
3465 /* file name length */
3466 file_name_len = tvb_get_letohl(tvb, offset);
3467 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3471 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3475 if (file_name_len) {
/* bc is set on a line not shown; presumably it bounds the string read. */
3477 name = get_unicode_or_ascii_string(tvb, &offset,
3478 TRUE, &file_name_len, TRUE, TRUE, &bc);
3480 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3481 offset, file_name_len, name);
3482 proto_item_append_text(item, ": %s", name);
3487 proto_item_set_len(item, offset-old_offset);
/* A zero next-entry offset marks the last record. */
3489 if (next_offset == 0) {
3493 offset = old_offset+next_offset;
3494 if (offset < old_offset) {
3495 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3496 "Invalid offset/length. Malformed packet");
/*
 * Dissect a find-response buffer as a chain of both-directory-info records.
 * Per record: next-entry offset, file index, four 64-bit timestamps, end of
 * file, allocation size, file attributes, file name length, EA size, a
 * one-byte short name length, the short name and the file name.  The loop
 * ends when next_offset is zero or when the computed next position is lower
 * than the start of the current record.
 *
 * NOTE(review): pinfo is tagged _U_ but is passed to the expert-info call.
 * NOTE(review): next_offset and both name lengths come from the packet.  The
 * backwards check runs after old_offset+next_offset has been computed; if the
 * operands are signed int (their declarations are on lines not shown), an
 * overflowing sum is undefined behaviour.  Comparing next_offset with the
 * remaining length before adding would not depend on wraparound.
 */
3502 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3505 proto_item *item = NULL;
3506 proto_tree *tree = NULL;
3507 const char *name = NULL;
3510 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3511 int old_offset = offset;
/* Length -1 for now; the real record length is set once the names have been parsed. */
3517 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3518 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3522 next_offset = tvb_get_letohl(tvb, offset);
3523 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3527 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3531 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3534 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3537 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3540 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3543 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3546 /* allocation size */
3547 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3550 /* File Attributes */
3551 offset = dissect_file_ext_attr(tvb, tree, offset);
3553 /* file name length */
3554 file_name_len = tvb_get_letohl(tvb, offset);
3555 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3559 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3562 /* short name length */
3563 short_name_len = tvb_get_guint8(tvb, offset);
3564 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3571 if (short_name_len) {
/* The short-name read is bounded by the one-byte length taken from the record. */
3572 bc = short_name_len;
3573 name = get_unicode_or_ascii_string(tvb, &offset,
3574 TRUE, &short_name_len, TRUE, TRUE, &bc);
3576 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3577 offset, short_name_len, name);
3583 if (file_name_len) {
/* bc is set again on a line not shown; presumably it bounds the file name read. */
3585 name = get_unicode_or_ascii_string(tvb, &offset,
3586 TRUE, &file_name_len, TRUE, TRUE, &bc);
3588 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3589 offset, file_name_len, name);
3590 proto_item_append_text(item, ": %s", name);
3595 proto_item_set_len(item, offset-old_offset);
/* A zero next-entry offset marks the last record. */
3597 if (next_offset == 0) {
3601 offset = old_offset+next_offset;
3602 if (offset < old_offset) {
3603 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3604 "Invalid offset/length. Malformed packet");
/*
 * Dissect a find-response buffer as a chain of name-info records.
 * Per record: next-entry offset, file index, file name length and the file
 * name.  The loop ends when next_offset is zero or when the computed next
 * position is lower than the start of the current record.
 *
 * NOTE(review): pinfo is tagged _U_ but is passed to the expert-info call.
 * NOTE(review): next_offset and file_name_len come from the packet.  The
 * backwards check runs after old_offset+next_offset has been computed; if the
 * operands are signed int (their declarations are on lines not shown), an
 * overflowing sum is undefined behaviour.  Comparing next_offset with the
 * remaining length before adding would not depend on wraparound.
 */
3610 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3613 proto_item *item = NULL;
3614 proto_tree *tree = NULL;
3615 const char *name = NULL;
3618 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3619 int old_offset = offset;
/* NOTE(review): name-info records are labelled with the both-directory-info field and subtree ids; this looks copied from the function above - confirm whether a dedicated field was intended. */
3624 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3625 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3629 next_offset = tvb_get_letohl(tvb, offset);
3630 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3634 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3637 /* file name length */
3638 file_name_len = tvb_get_letohl(tvb, offset);
3639 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3643 if (file_name_len) {
/* bc is set on a line not shown; presumably it bounds the string read. */
3645 name = get_unicode_or_ascii_string(tvb, &offset,
3646 TRUE, &file_name_len, TRUE, TRUE, &bc);
3648 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3649 offset, file_name_len, name);
3650 proto_item_append_text(item, ": %s", name);
3655 proto_item_set_len(item, offset-old_offset);
/* A zero next-entry offset marks the last record. */
3657 if (next_offset == 0) {
3661 offset = old_offset+next_offset;
3662 if (offset < old_offset) {
3663 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3664 "Invalid offset/length. Malformed packet");
/*
 * Dissect a find-response buffer as a chain of id-both-directory-info
 * records.  Per record: next-entry offset, file index, four 64-bit
 * timestamps, end of file, allocation size, file attributes, file name
 * length, EA size, a one-byte short name length, the short name, an 8-byte
 * file id and the file name.  The loop ends when next_offset is zero or when
 * the computed next position is lower than the start of the current record.
 *
 * NOTE(review): pinfo is tagged _U_ but is passed to the expert-info call.
 * NOTE(review): next_offset and both name lengths come from the packet.  The
 * backwards check runs after old_offset+next_offset has been computed; if the
 * operands are signed int (their declarations are on lines not shown), an
 * overflowing sum is undefined behaviour.  Comparing next_offset with the
 * remaining length before adding would not depend on wraparound.
 */
3670 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3673 proto_item *item = NULL;
3674 proto_tree *tree = NULL;
3675 const char *name = NULL;
3678 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3679 int old_offset = offset;
/* Length -1 for now; the real record length is set once the names have been parsed. */
3685 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
3686 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
3690 next_offset = tvb_get_letohl(tvb, offset);
3691 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3695 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3699 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3702 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3705 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3708 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3711 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3714 /* allocation size */
3715 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3718 /* File Attributes */
3719 offset = dissect_file_ext_attr(tvb, tree, offset);
3721 /* file name length */
3722 file_name_len = tvb_get_letohl(tvb, offset);
3723 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3727 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3730 /* short name length */
3731 short_name_len = tvb_get_guint8(tvb, offset);
3732 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3739 if (short_name_len) {
/* The short-name read is bounded by the one-byte length taken from the record. */
3740 bc = short_name_len;
3741 name = get_unicode_or_ascii_string(tvb, &offset,
3742 TRUE, &short_name_len, TRUE, TRUE, &bc);
3744 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3745 offset, short_name_len, name);
3754 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3758 if (file_name_len) {
/* bc is set again on a line not shown; presumably it bounds the file name read. */
3760 name = get_unicode_or_ascii_string(tvb, &offset,
3761 TRUE, &file_name_len, TRUE, TRUE, &bc);
3763 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3764 offset, file_name_len, name);
3765 proto_item_append_text(item, ": %s", name);
3770 proto_item_set_len(item, offset-old_offset);
/* A zero next-entry offset marks the last record. */
3772 if (next_offset == 0) {
3776 offset = old_offset+next_offset;
3777 if (offset < old_offset) {
3778 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3779 "Invalid offset/length. Malformed packet");
/*
 * One entry of the find-response dispatch table: an info level (the member is
 * declared on a line not shown and is read as dis->level by
 * dissect_smb2_find_data()) and the function that parses records of that
 * level.
 */
3786 typedef struct _smb2_find_dissector_t {
3788 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
3789 } smb2_find_dissector_t;
/*
 * Info level to record dissector.  dissect_smb2_find_data() walks the table
 * until it meets an entry whose dissector is NULL; that terminating entry is
 * on a line not shown here.
 *
 * NOTE(review): the table is neither static nor const although nothing in
 * this listing writes to it; if no other file refers to it, "static const"
 * would keep the function pointers out of writable, externally visible data.
 */
3791 smb2_find_dissector_t smb2_find_dissectors[] = {
3792 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
3793 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
3794 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
3795 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
3796 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
/*
 * Dispatch a find-response buffer to the record dissector registered for the
 * info level saved from the request (si->saved->infolevel).  The whole buffer
 * is added as hf_smb2_unknown at the end; presumably that is reached only
 * when no table entry matched, with the return after a match on a line not
 * shown.
 */
3801 dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
3803 smb2_find_dissector_t *dis = smb2_find_dissectors;
/* The table ends at the first entry with a NULL dissector. */
3805 while (dis->dissector) {
/* Without saved request state there is no info level to match against. */
3806 if (si && si->saved) {
3807 if (dis->level == si->saved->infolevel) {
3808 dis->dissector(tvb, pinfo, tree, si);
3815 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissect the body of an SMB2 find response.
 * Shows the info level saved from the request as a generated item, appends
 * the saved search pattern to COL_INFO on the first pass and frees it, then
 * parses the buffer code (status 0) or the error response, and finally
 * locates the result buffer and hands it to dissect_smb2_find_data().
 *
 * NOTE(review): pinfo and si are tagged _U_ but both are used below.
 */
3819 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3821 offset_length_buffer_t olb;
3822 proto_item *item = NULL;
3823 gboolean continue_dissection;
/* NOTE(review): si->saved is tested for NULL at line 3831 but dereferenced here; the guard for this line is presumably on a line not shown - confirm. */
3827 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
3828 PROTO_ITEM_SET_GENERATED(item);
/*
 * First pass only: the pattern copied by the request is printed through a
 * "%s" conversion and then released.
 *
 * NOTE(review): this is the only g_free() of the buffer visible in this
 * listing; a request whose response is never dissected appears to keep its
 * copy allocated.
 */
3831 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
3832 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3833 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
3834 (const char *)si->saved->extra_info);
/* Type and pointer are reset together so the freed buffer is not referenced again. */
3836 g_free(si->saved->extra_info);
3837 si->saved->extra_info_type = SMB2_EI_NONE;
3838 si->saved->extra_info = NULL;
3841 switch (si->status) {
3843 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3844 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3845 if (!continue_dissection) return offset;
3848 /* findinfo offset */
3849 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
3852 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
3854 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
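/*
 * Dissect one SMB2 negotiate context starting at offset.
 *
 * Layout as shown by the tree items: a 2-byte context type, a 2-byte data
 * length, 4 reserved bytes, then data_length bytes of context data, which are
 * added as hf_smb2_unknown because no per-type dissection exists yet.
 *
 * tvb          buffer holding the negotiate request or response
 * parent_tree  tree that receives the "Negotiate Context" subtree
 * offset       start of the context within tvb
 *
 * Returns the offset of the first byte after the context data.
 *
 * Both header fields are 16 bits wide, so they are read with
 * tvb_get_letohs().  Reading them with a 32-bit accessor only produced the
 * right value because the assignment narrowed the result, and it pulled the
 * following field into the read.
 *
 * data_length comes from the packet; the subset call and the tvb accessors
 * are relied on to reject a length that runs past the end of the buffer.
 */
static int
dissect_smb2_negotiate_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
    int start_offset = offset;
    guint16 type;
    const gchar *type_str;
    guint16 data_length;
    proto_item *sub_item;
    proto_tree *sub_tree;
    tvbuff_t *sub_tvb;

    /* Length -1 for now; the real length is set once data_length is known. */
    sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_negotiate_context_element, &sub_item, "Negotiate Context");

    /* type */
    type = tvb_get_letohs(tvb, offset);
    type_str = val_to_str(type, smb2_negotiate_context_types, "Unknown Type: (0x%0x)");
    proto_item_append_text(sub_item, ": %s ", type_str);
    proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    /* data length */
    data_length = tvb_get_letohs(tvb, offset);
    proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    /* reserved */
    proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
    offset += 4;

    /* context data */
    sub_tvb = tvb_new_subset_length(tvb, offset, data_length);
    offset += data_length;

    proto_item_set_len(sub_item, offset - start_offset);

    /* TODO: dissect the context data */
    proto_tree_add_item(sub_tree, hf_smb2_unknown, sub_tvb, 0, data_length, ENC_NA);

    return offset;
}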
/*
 * Dissect the body of an SMB2 NEGOTIATE request: buffer code, dialect count,
 * security mode, reserved bytes, capabilities, client GUID, negotiate context
 * offset and count, the list of dc dialects, and then ncc negotiate contexts,
 * each starting on an 8-byte boundary.
 *
 * NOTE(review): pinfo and si are tagged _U_ but are passed on to
 * dissect_smb2_negotiate_context().
 * NOTE(review): dc, nco and ncc are all read from the packet.  The loops are
 * bounded only by those counts and by the tvb accessors refusing reads past
 * the end of the buffer.
 */
3903 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3907 gboolean supports_smb_3_10 = FALSE;
3912 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3915 dc = tvb_get_letohs(tvb, offset);
3916 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3919 /* security mode, skip second byte */
3920 offset = dissect_smb2_secmode(tree, tvb, offset);
3925 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
3929 offset = dissect_smb2_capabilities(tree, tvb, offset);
3932 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
3935 /* negotiate context offset */
3936 nco = tvb_get_letohl(tvb, offset);
3937 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3940 /* negotiate context count */
3941 ncc = tvb_get_letohs(tvb, offset);
3942 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3946 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* One 2-byte dialect per iteration; the test that sets supports_smb_3_10 is on a line not shown. */
3949 for (i = 0 ; i < dc; i++) {
3950 guint16 d = tvb_get_letohs(tvb, offset);
3951 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3955 supports_smb_3_10 = TRUE;
3959 if (!supports_smb_3_10) {
/*
 * tmp is the position, counted from the start of the SMB2 header (0x40
 * bytes), at which the dialect list ends: 36 fixed body bytes plus two bytes
 * per dialect.
 *
 * NOTE(review): nco - tmp is evaluated in unsigned arithmetic because tmp is
 * guint32, so an nco smaller than tmp wraps instead of going negative.
 * Confirm that the condition on the line not shown rejects nco < tmp before
 * offset is adjusted.
 */
3964 guint32 tmp = 0x40 + 36 + dc * 2;
3967 offset += nco - tmp;
3973 for (i = 0; i < ncc; i++) {
/* Round offset up to the next multiple of 8. */
3974 offset = (offset + 7) & ~7;
3975 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissect the body of an SMB2 NEGOTIATE response: buffer code or error
 * response, security mode, selected dialect, negotiate context count, server
 * GUID, capabilities, maximum transaction/read/write sizes, current and boot
 * time, the security blob, the negotiate context offset, and then ncc
 * negotiate contexts, each starting on an 8-byte boundary.
 *
 * NOTE(review): si is tagged _U_ but is dereferenced below.
 * NOTE(review): ncc, nco and s_olb.len are read from the packet; the context
 * loop is bounded only by ncc and by the tvb accessors refusing reads past
 * the end of the buffer.
 */
3982 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3984 offset_length_buffer_t s_olb;
3989 gboolean continue_dissection;
3991 switch (si->status) {
3993 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3994 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3995 if (!continue_dissection) return offset;
3998 /* security mode, skip second byte */
3999 offset = dissect_smb2_secmode(tree, tvb, offset);
4002 /* dialect picked */
4003 d = tvb_get_letohs(tvb, offset);
4004 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4007 /* negotiate context count */
4008 ncc = tvb_get_letohs(tvb, offset);
4009 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4013 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4017 offset = dissect_smb2_capabilities(tree, tvb, offset);
4019 /* max trans size */
4020 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4024 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4027 /* max write size */
4028 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The return value of the two time calls is not used here, unlike elsewhere in this file; offset is presumably advanced on lines not shown - confirm. */
4032 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_current_time);
4036 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
4039 /* security blob offset/length */
4040 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
4042 /* the security blob itself */
4043 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
4045 /* negotiate context offset */
4046 nco = tvb_get_letohl(tvb, offset);
4047 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4050 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/*
 * tmp is the position, counted from the start of the SMB2 header (0x40
 * bytes), at which the security blob ends: 64 fixed body bytes plus the blob
 * length.
 *
 * NOTE(review): nco - tmp is evaluated in unsigned arithmetic because tmp is
 * guint32, so an nco smaller than tmp wraps instead of going negative.
 * Confirm that the condition on the line not shown rejects nco < tmp before
 * offset is adjusted.
 */
4057 guint32 tmp = 0x40 + 64 + s_olb.len;
4060 offset += nco - tmp;
4066 for (i = 0; i < ncc; i++) {
/* Round offset up to the next multiple of 8. */
4067 offset = (offset + 7) & ~7;
4068 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissect the class-specific parameter bytes of a GETINFO request, selected
 * by the class and info level stored in si->saved.  Only SMB2_SEC_INFO_00 has
 * a visible handler (the security information mask at offset+8); every other
 * case shown adds 16 bytes as hf_smb2_unknown and moves offset to the end of
 * the captured data.
 *
 * NOTE(review): si->saved is dereferenced without a NULL check in this
 * function; the caller's guard is presumably on a line not shown - confirm.
 */
4075 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
4077 switch (si->saved->smb2_class) {
4078 case SMB2_CLASS_FILE_INFO:
4079 switch (si->saved->infolevel) {
4081 /* we don't handle this infolevel yet */
4082 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
4083 offset += tvb_captured_length_remaining(tvb, offset);
4086 case SMB2_CLASS_FS_INFO:
4087 switch (si->saved->infolevel) {
4089 /* we don't handle this infolevel yet */
4090 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
4091 offset += tvb_captured_length_remaining(tvb, offset);
4094 case SMB2_CLASS_SEC_INFO:
4095 switch (si->saved->infolevel) {
4096 case SMB2_SEC_INFO_00:
4097 dissect_security_information_mask(tvb, tree, offset+8);
4100 /* we don't handle this infolevel yet */
4101 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
4102 offset += tvb_captured_length_remaining(tvb, offset);
4106 /* we don't handle this class yet */
4107 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
4108 offset += tvb_captured_length_remaining(tvb, offset);
/*
 * Show the info class and info level of a GETINFO/SETINFO style exchange.
 *
 * For a response (SMB2_FLAGS_RESPONSE set) both values are taken from
 * si->saved and the tree items are marked as generated.  For a request they
 * are read from the bytes at offset and offset+1 and stored in si->saved for
 * the response.  The class selects the header field and value_string_ext used
 * for the level; COL_INFO is extended for requests only.
 *
 * NOTE(review): si->saved is dereferenced on both paths; any NULL guard is on
 * lines not shown - confirm.  The values stored on the request path are
 * packet data and later select the response-side dissector.
 */
4115 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
4120 value_string_ext *vsx;
4122 if (si->flags & SMB2_FLAGS_RESPONSE) {
4126 cl = si->saved->smb2_class;
4127 il = si->saved->infolevel;
4129 cl = tvb_get_guint8(tvb, offset);
4130 il = tvb_get_guint8(tvb, offset+1);
4132 si->saved->smb2_class = cl;
4133 si->saved->infolevel = il;
4139 case SMB2_CLASS_FILE_INFO:
4140 hfindex = hf_smb2_infolevel_file_info;
4141 vsx = &smb2_file_info_levels_ext;
4143 case SMB2_CLASS_FS_INFO:
4144 hfindex = hf_smb2_infolevel_fs_info;
4145 vsx = &smb2_fs_info_levels_ext;
4147 case SMB2_CLASS_SEC_INFO:
4148 hfindex = hf_smb2_infolevel_sec_info;
4149 vsx = &smb2_sec_info_levels_ext;
4151 case SMB2_CLASS_POSIX_INFO:
4152 hfindex = hf_smb2_infolevel_posix_info;
4153 vsx = &smb2_posix_info_levels_ext;
4156 hfindex = hf_smb2_infolevel;
4157 vsx = NULL; /* allowed arg to val_to_str_ext() */
4162 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
4163 if (si->flags & SMB2_FLAGS_RESPONSE) {
4164 PROTO_ITEM_SET_GENERATED(item);
4167 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
4168 if (si->flags & SMB2_FLAGS_RESPONSE) {
4169 PROTO_ITEM_SET_GENERATED(item);
4173 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
4174 /* Only update COL_INFO for requests. It clutters the
4175 * display a bit too much if we do it for replies
4178 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
4179 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
4180 val_to_str_ext(il, vsx, "(Level:0x%02x)"));
/*
 * Dissect the body of an SMB2 GETINFO request: buffer code, class and info
 * level, maximum response size, the class-specific parameters (or 16 bytes
 * shown as hf_smb2_unknown), and the file id.  The condition that chooses
 * between the parameter call and the unknown bytes is on a line not shown.
 */
4187 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4190 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4192 /* class and info level */
4193 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
4195 /* max response size */
4196 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The return value is not used; offset is presumably advanced on a line not shown. */
4201 dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
4203 /* some unknown bytes */
4204 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
4209 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dispatch an info buffer to the dissector for the given class and info
 * level.  Levels and classes without a handler are added as hf_smb2_unknown
 * up to the end of the captured data.  When the status is 0x80000005
 * (BUFFER_OVERFLOW) a generated hf_smb2_truncated item is added at the start
 * of the buffer.
 *
 * smb2_class and infolevel are supplied by the caller; in the response path
 * visible in this listing they are the values saved from the request.
 *
 * NOTE(review): pinfo is tagged _U_ but is passed to every handler.
 */
4215 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, guint8 smb2_class, guint8 infolevel)
4217 int old_offset = offset;
4219 switch (smb2_class) {
4220 case SMB2_CLASS_FILE_INFO:
4221 switch (infolevel) {
4222 case SMB2_FILE_BASIC_INFO:
4223 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
4225 case SMB2_FILE_STANDARD_INFO:
4226 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
4228 case SMB2_FILE_INTERNAL_INFO:
4229 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
4231 case SMB2_FILE_EA_INFO:
4232 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
4234 case SMB2_FILE_ACCESS_INFO:
4235 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
4237 case SMB2_FILE_RENAME_INFO:
4238 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
4240 case SMB2_FILE_DISPOSITION_INFO:
4241 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
4243 case SMB2_FILE_POSITION_INFO:
4244 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
4246 case SMB2_FILE_FULL_EA_INFO:
4247 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
4249 case SMB2_FILE_MODE_INFO:
4250 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
4252 case SMB2_FILE_ALIGNMENT_INFO:
4253 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
4255 case SMB2_FILE_ALL_INFO:
4256 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
4258 case SMB2_FILE_ALLOCATION_INFO:
4259 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
4261 case SMB2_FILE_ENDOFFILE_INFO:
/* NOTE(review): unlike the neighbouring cases, the return value is not assigned to offset here - confirm whether that is intended. */
4262 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
4264 case SMB2_FILE_ALTERNATE_NAME_INFO:
4265 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
4267 case SMB2_FILE_STREAM_INFO:
4268 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
4270 case SMB2_FILE_PIPE_INFO:
4271 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
4273 case SMB2_FILE_COMPRESSION_INFO:
4274 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
4276 case SMB2_FILE_NETWORK_OPEN_INFO:
4277 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
4279 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
4280 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
4283 /* we don't handle this infolevel yet */
4284 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4285 offset += tvb_captured_length_remaining(tvb, offset);
4288 case SMB2_CLASS_FS_INFO:
4289 switch (infolevel) {
4290 case SMB2_FS_INFO_01:
4291 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
4293 case SMB2_FS_INFO_03:
4294 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
4296 case SMB2_FS_INFO_04:
4297 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
4299 case SMB2_FS_INFO_05:
4300 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
4302 case SMB2_FS_INFO_06:
4303 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
4305 case SMB2_FS_INFO_07:
4306 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
4308 case SMB2_FS_OBJECTID_INFO:
4309 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
4312 /* we don't handle this infolevel yet */
4313 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4314 offset += tvb_captured_length_remaining(tvb, offset);
4317 case SMB2_CLASS_SEC_INFO:
4318 switch (infolevel) {
4319 case SMB2_SEC_INFO_00:
4320 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
4323 /* we don't handle this infolevel yet */
4324 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4325 offset += tvb_captured_length_remaining(tvb, offset);
4329 /* we don't handle this class yet */
4330 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4331 offset += tvb_captured_length_remaining(tvb, offset);
4334 /* if we get BUFFER_OVERFLOW there will be truncated data */
4335 if (si->status == 0x80000005) {
/* Zero-length generated marker placed at the start of the buffer. */
4337 item = proto_tree_add_item(tree, hf_smb2_truncated, tvb, old_offset, 0, ENC_NA);
4338 PROTO_ITEM_SET_GENERATED(item);
/*
 * Dissect the data buffer of a GetInfo response.
 * The buffer is handed to dissect_smb2_infolevel() with the class and
 * infolevel remembered in si->saved; the other visible path labels the
 * whole tvb as unknown bytes.
 */
4344 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
// NOTE(review): si->saved is dereferenced on the next line. The test that picks
// between this call and the fallback is not visible in this listing; confirm
// it checks si->saved for NULL before the call.
4348 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
4350 /* some unknown bytes */
4351 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissect an SMB2 GetInfo response.
 * Shows the class/infolevel, then branches on si->status: the visible
 * branches dissect the buffer code, one of them also shows the required
 * buffer size, and any other status goes to dissect_smb2_error_response().
 * On the normal path the response buffer offset/length pair is read into
 * olb and the buffer is dissected by dissect_smb2_getinfo_response_data().
 */
4358 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4360 offset_length_buffer_t olb;
4361 gboolean continue_dissection;
4363 /* class/infolevel */
4364 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
// The status values that label the cases below are not visible in this listing.
4366 switch (si->status) {
4368 /* if we get BUFFER_OVERFLOW there will be truncated data */
4370 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
4371 * a guint32 specifying how big the buffer needs to be
4374 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4377 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4378 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
4379 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4383 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4384 if (!continue_dissection) return offset;
4387 /* response buffer offset and size */
4388 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
// olb now holds an offset and a length taken from the packet; bounds handling
// is left to dissect_smb2_olb_buffer(), which is defined elsewhere in the file.
4391 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
/*
 * Dissect an SMB2 Close request: buffer code, the 2-byte close flags shown
 * as a subtree with the hf_smb2_close_pq_attrib bit, and the file id, which
 * is dissected in FID_MODE_CLOSE. The offset increments between the fields
 * are not visible in this listing.
 */
4397 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4399 proto_tree *flags_tree = NULL;
4400 proto_item *flags_item = NULL;
4403 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4407 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4408 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
4410 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4417 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
/*
 * Dissect an SMB2 Close response: buffer code on status 0 (any other status
 * goes to dissect_smb2_error_response()), the close flags, four 64-bit NT
 * timestamps (create, last access, last write, last change), allocation
 * size, end of file and the extended file attributes.
 */
4423 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4425 proto_tree *flags_tree = NULL;
4426 proto_item *flags_item = NULL;
4427 gboolean continue_dissection;
// NOTE(review): pinfo and si are marked _U_ in the signature but are both used below.
4429 switch (si->status) {
4431 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4432 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4433 if (!continue_dissection) return offset;
4438 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4439 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
4441 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4448 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
4451 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
4454 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
4457 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
4459 /* allocation size */
4460 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4464 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4467 /* File Attributes */
4468 offset = dissect_file_ext_attr(tvb, tree, offset);
/*
 * Dissect an SMB2 Flush request: buffer code, 6 bytes shown as unknown,
 * and the file id (FID_MODE_USE).
 */
4474 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4477 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4479 /* some unknown bytes */
4480 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
4484 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dissect an SMB2 Flush response: buffer code on status 0, otherwise the
 * error response (returning early when it says not to continue), followed
 * by 2 bytes shown as unknown.
 */
4490 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4492 gboolean continue_dissection;
// NOTE(review): pinfo and si are marked _U_ in the signature but are both used below.
4494 switch (si->status) {
4496 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4497 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4498 if (!continue_dissection) return offset;
4501 /* some unknown bytes */
4502 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
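/*
 * Dissect an SMB2 Lock request.
 *
 * Layout as dissected here: buffer code, a 16-bit lock count, 4 reserved
 * bytes, the file id, then lock_count lock elements of 24 bytes each
 * (64-bit offset, 64-bit length, 32-bit flags, 4 reserved bytes).
 *
 * The lock count comes from the packet. It is 16 bits wide, so the loop runs
 * at most 65535 times, and the tvb accessors raise an exception when an
 * element would extend past the end of the buffer.
 *
 * Returns the offset after the last lock element.
 */
static int
dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	guint16 lock_count;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* lock count */
	lock_count = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* reserved */
	offset += 4;

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	while (lock_count--) {
		proto_item *lock_item = NULL;
		proto_tree *lock_tree = NULL;
		static const int *lf_fields[] = {
			&hf_smb2_lock_flags_shared,
			&hf_smb2_lock_flags_exclusive,
			&hf_smb2_lock_flags_unlock,
			&hf_smb2_lock_flags_fail_immediately,
			NULL
		};

		if (tree) {
			lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
			lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
		}

		/* offset: belongs to this lock element, so it goes under lock_tree
		 * together with the length and flags, not under the parent tree */
		proto_tree_add_item(lock_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* count */
		proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* flags */
		proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* reserved */
		offset += 4;
	}

	return offset;
}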
/*
 * Dissect an SMB2 Lock response: buffer code on status 0, otherwise the
 * error response (returning early when it says not to continue), followed
 * by 2 bytes shown as unknown.
 */
4564 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4566 gboolean continue_dissection;
// NOTE(review): pinfo and si are marked _U_ in the signature but are both used below.
4568 switch (si->status) {
4570 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4571 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4572 if (!continue_dissection) return offset;
4575 /* some unknown bytes */
4576 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 Cancel request: buffer code followed by 2 bytes shown as
 * unknown.
 */
4582 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4585 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4587 /* some unknown bytes */
4588 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Look up the fid-info record for the current pipe operation: si->file is
 * consulted first, then si->saved->file.
 *
 * NOTE(review): dissect_file_data_smb2_pipe() passes si straight through and
 * notes that si is NULL for some callers. Any NULL test on si would sit
 * before the first visible statement and is not shown in this listing;
 * confirm it is there before si->file is read.
 */
4594 static const smb2_fid_info_t *
4595 smb2_pipe_get_fid_info(const smb2_info_t *si)
4597 smb2_fid_info_t *file = NULL;
4602 if (si->file != NULL) {
4604 } else if (si->saved != NULL) {
4605 file = si->saved->file;
/*
 * Set the DCE/RPC transport salt for this packet from the pipe's fid info.
 * The salt is the pointer value of the fid-info record converted with
 * GPOINTER_TO_UINT(), i.e. an in-process identity rather than a value taken
 * from the packet.
 */
4615 smb2_pipe_set_file_id(packet_info *pinfo, smb2_info_t *si)
4618 const smb2_fid_info_t *file = NULL;
4620 file = smb2_pipe_get_fid_info(si);
// NOTE(review): what happens when no fid info was found is decided by lines
// that are not visible here; confirm the salt is not set from a NULL pointer.
4625 persistent = GPOINTER_TO_UINT(file);
4627 dcerpc_set_transport_salt(persistent, pinfo);
// Gates the desegmentation offer made in dissect_file_data_smb2_pipe(); TRUE by default.
4630 static gboolean smb2_pipe_reassembly = TRUE;
// Fragment table for named-pipe PDUs; set up in smb2_pipe_reassembly_init().
4631 static reassembly_table smb2_pipe_reassembly_table;
/*
 * Initialise smb2_pipe_reassembly_table with
 * addresses_reassembly_table_functions.
 *
 * NOTE(review): the XXX below asks whether the addresses-and-ports function
 * set would be the better choice. Presumably the table as initialised here
 * does not tell two connections between the same pair of hosts apart;
 * confirm that fragments from separate connections cannot be merged.
 */
4634 smb2_pipe_reassembly_init(void)
4637 * XXX - addresses_ports_reassembly_table_functions?
4638 * Probably correct for SMB-over-NBT and SMB-over-TCP,
4639 * as stuff from two different connections should
4640 * probably not be combined, but what about other
4641 * transports for SMB, e.g. NBF or Netware?
4643 reassembly_table_init(&smb2_pipe_reassembly_table,
4644 &addresses_reassembly_table_functions);
/*
 * Dissect named-pipe payload carried in SMB2 data, e.g. from the write
 * request and FSCTL_PIPE_TRANSCEIVE dissectors.
 *
 * A subset tvb of at most datalen bytes is offered to the heuristic
 * subdissectors in smb2_pipe_subdissector_list. When smb2_pipe_reassembly is
 * set and the subset was captured in full, desegmentation is offered as well
 * and fragments are kept in smb2_pipe_reassembly_table under an id derived
 * from the fid info. pinfo->fragmented is saved on entry and restored at the
 * end, and the desegmentation fields of pinfo are cleared again.
 *
 * NOTE(review): datalen is a guint32 from the caller and is cast to int
 * inside MIN(); a value above G_MAXINT becomes negative and is then the
 * smaller operand. Confirm how tvb_new_subset() treats such a length.
 * NOTE(review): the reassembly id is the low 32 bits of the fid-info pointer
 * value, so it is presumably 0 whenever no fid info is found; confirm that
 * unrelated pipes cannot end up sharing one reassembly entry.
 */
4648 dissect_file_data_smb2_pipe(tvbuff_t *raw_tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree, void *data)
4651 * Note: si is NULL for some callers from packet-smb.c
4653 const smb2_info_t *si = (const smb2_info_t *)data;
4655 gboolean save_fragmented;
4658 const smb2_fid_info_t *file = NULL;
4660 fragment_head *fd_head;
4663 proto_item *frag_tree_item;
4664 heur_dtbl_entry_t *hdtbl_entry;
4666 file = smb2_pipe_get_fid_info(si);
4667 id = (guint32)(GPOINTER_TO_UINT(file) & G_MAXUINT32);
4669 remaining = tvb_captured_length_remaining(raw_tvb, offset);
4671 tvb = tvb_new_subset(raw_tvb, offset,
4672 MIN((int)datalen, remaining),
4676 * Offer desegmentation service to Named Pipe subdissectors (e.g. DCERPC)
4677 * if we have all the data. Otherwise, reassembly is (probably) impossible.
4679 pinfo->can_desegment = 0;
4680 pinfo->desegment_offset = 0;
4681 pinfo->desegment_len = 0;
4682 reported_len = tvb_reported_length(tvb);
4683 if (smb2_pipe_reassembly && tvb_captured_length(tvb) >= reported_len) {
4684 pinfo->can_desegment = 2;
4687 save_fragmented = pinfo->fragmented;
4690 * if we are not offering desegmentation, just try the heuristics
4693 if (!pinfo->can_desegment) {
4694 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4695 tvb, pinfo, top_tree,
4696 &hdtbl_entry, data);
4697 goto clean_up_and_exit;
4700 /* below this line, we know we are doing reassembly */
4703 * this is a new packet, see if we are already reassembling this
4704 * pdu and if not, check if the dissector wants us
4707 if (!pinfo->fd->flags.visited) {
4709 * This is the first pass.
4711 * Check if we are already reassembling this PDU or not;
4712 * we check for an in-progress reassembly for this FID
4713 * in this direction, by searching for its reassembly
4716 fd_head = fragment_get(&smb2_pipe_reassembly_table,
4720 * No reassembly, so this is a new pdu. check if the
4721 * dissector wants us to reassemble it or if we
4722 * already got the full pdu in this tvb.
4726 * Try the heuristic dissectors and see if we
4727 * find someone that recognizes this payload.
4729 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4730 tvb, pinfo, top_tree,
4731 &hdtbl_entry, data);
4733 /* no this didn't look like something we know */
4735 goto clean_up_and_exit;
4738 /* did the subdissector want us to reassemble any
4741 if (pinfo->desegment_len) {
4742 fragment_add_check(&smb2_pipe_reassembly_table,
4743 tvb, 0, pinfo, id, NULL,
4744 0, reported_len, TRUE);
// The total length is the subdissector's requested byte count plus what this
// tvb already holds; desegment_len is set by the subdissector from packet data.
4745 fragment_set_tot_len(&smb2_pipe_reassembly_table,
4747 pinfo->desegment_len+reported_len);
4749 goto clean_up_and_exit;
4752 /* OK, we're already doing a reassembly for this FID.
4753 skip to last segment in the existing reassembly structure
4754 and add this fragment there
4756 XXX we might add code here to use any offset values
4757 we might pick up from the Read/Write calls instead of
4758 assuming we always get them in the correct order
4760 while (fd_head->next) {
4761 fd_head = fd_head->next;
// The new fragment is appended directly after the last one already stored
// (its offset plus its length), so fragments are assumed to arrive in order.
4763 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
4764 tvb, 0, pinfo, id, NULL,
4765 fd_head->offset+fd_head->len,
4766 reported_len, TRUE);
4768 /* if we completed reassembly */
4770 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
4771 add_new_data_source(pinfo, new_tvb,
4772 "Named Pipe over SMB2");
4773 pinfo->fragmented=FALSE;
4777 /* list what segments we have */
4778 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
4779 tree, pinfo, tvb, &frag_tree_item);
4781 /* dissect the full PDU */
4782 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4783 tvb, pinfo, top_tree,
4784 &hdtbl_entry, data);
4786 goto clean_up_and_exit;
4790 * This is not the first pass; see if it's in the table of
4791 * reassembled packets.
4793 * XXX - we know that several of the arguments aren't going to
4794 * be used, so we pass bogus variables. Can we clean this
4795 * up so that we don't have to distinguish between the first
4796 * pass and subsequent passes?
4798 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
4799 tvb, 0, pinfo, id, NULL, 0, 0, TRUE);
4801 /* we didn't find it, try any of the heuristic dissectors
4804 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4805 tvb, pinfo, top_tree,
4806 &hdtbl_entry, data);
4807 goto clean_up_and_exit;
4809 if (!(fd_head->flags&FD_DEFRAGMENTED)) {
4810 /* we don't have a fully reassembled frame */
4811 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4812 tvb, pinfo, top_tree,
4813 &hdtbl_entry, data);
4814 goto clean_up_and_exit;
4817 /* it is reassembled but it was reassembled in a different frame */
4818 if (pinfo->num != fd_head->reassembled_in) {
4820 item = proto_tree_add_uint(top_tree, hf_smb2_pipe_reassembled_in,
4821 tvb, 0, 0, fd_head->reassembled_in);
4822 PROTO_ITEM_SET_GENERATED(item);
4823 goto clean_up_and_exit;
4826 /* display the reassembled pdu */
4827 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
4828 add_new_data_source(pinfo, new_tvb,
4829 "Named Pipe over SMB2");
4830 pinfo->fragmented = FALSE;
4834 /* list what segments we have */
4835 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
4836 top_tree, pinfo, tvb, &frag_tree_item);
4838 /* dissect the full PDU */
4839 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4840 tvb, pinfo, top_tree,
4841 &hdtbl_entry, data);
4844 /* clear out the variables */
4845 pinfo->can_desegment=0;
4846 pinfo->desegment_offset = 0;
4847 pinfo->desegment_len = 0;
// Fallback to the generic data dissector; the condition guarding this call is
// not visible in this listing.
4850 call_data_dissector(tvb, pinfo, top_tree);
4853 pinfo->fragmented = save_fragmented;
// Channel values; dissect_smb2_write_request() uses them as case labels when
// choosing how to dissect the channel info blob.
4859 #define SMB2_CHANNEL_NONE 0x00000000
4860 #define SMB2_CHANNEL_RDMA_V1 0x00000001
4861 #define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002
// Display names for the channel values above.
4863 static const value_string smb2_channel_vals[] = {
4864 { SMB2_CHANNEL_NONE, "None" },
4865 { SMB2_CHANNEL_RDMA_V1, "RDMA V1" },
4866 { SMB2_CHANNEL_RDMA_V1_INVALIDATE, "RDMA V1_INVALIDATE" },
/*
 * Dissect a channel info blob as a list of SMBDirect Buffer Descriptor V1
 * elements. Each element is shown in its own "RDMA V1" subtree with a
 * 64-bit offset, a 32-bit token and a 32-bit length, and the element count
 * is appended to the parent item's text.
 */
4871 dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
4872 proto_tree *parent_tree, smb2_info_t *si _U_)
4878 proto_tree *sub_tree;
4879 proto_item *parent_item;
4881 parent_item = proto_tree_get_parent(parent_tree);
4883 len = tvb_reported_length(tvb);
// How num is derived from len is not visible in this listing.
4888 proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
4891 for (i = 0; i < num; i++) {
// NOTE(review): the subtree covers 8 bytes, but the three items added below
// span 8 + 4 + 4 = 16 bytes; the subtree length looks too short.
4892 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 8, ett_smb2_rdma_v1, NULL, "RDMA V1");
4894 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4897 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4900 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4905 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
/*
 * Dissect an SMB2 Write request: buffer code, data offset, write length,
 * file offset (also stored in si->saved->file_offset when si->saved is set),
 * file id, channel, remaining bytes, the channel info blob offset/length,
 * write flags, the channel info blob itself and finally the written data,
 * which is first offered to the named-pipe dissector and otherwise shown as
 * plain write data. When an export-object tap is listening and the whole
 * write was captured, the data is handed to feed_eo_smb2().
 *
 * NOTE(review): length is read from the packet with tvb_get_letohl() and is
 * printed with %d and passed on as an item length; presumably it is a
 * guint32, so values above G_MAXINT change sign in both places. Confirm.
 */
4908 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4910 guint16 dataoffset = 0;
4911 guint32 data_tvb_len;
4912 offset_length_buffer_t c_olb;
4916 static const int *f_fields[] = {
4917 &hf_smb2_write_flags_write_through,
4922 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4925 dataoffset=tvb_get_letohs(tvb,offset);
4926 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4930 length = tvb_get_letohl(tvb, offset);
4931 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4935 off = tvb_get_letoh64(tvb, offset);
4936 if (si->saved) si->saved->file_offset=off;
4937 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4940 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", length, off);
4943 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4946 channel = tvb_get_letohl(tvb, offset);
4947 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4950 /* remaining bytes */
4951 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4954 /* write channel info blob offset/length */
4955 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
4958 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
4961 /* the write channel info blob itself */
4963 case SMB2_CHANNEL_RDMA_V1:
4964 case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
4965 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
4967 case SMB2_CHANNEL_NONE:
4969 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
4973 /* data or namedpipe ?*/
4975 int oldoffset = offset;
4976 smb2_pipe_set_file_id(pinfo, si);
4977 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
// A changed offset is how the pipe dissector signals that it consumed the data.
4978 if (offset != oldoffset) {
4979 /* managed to dissect pipe data */
4984 /* just ordinary data */
4985 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
4987 data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);
// Advance by the declared length, but never past the captured data.
4989 offset += MIN(length,(guint32)tvb_captured_length_remaining(tvb, offset));
4991 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
// Export only when every byte announced in the request was captured.
4993 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
4994 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
4995 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
/*
 * Dissect an SMB2 Write response: buffer code on status 0 (otherwise the
 * error response), 2 reserved bytes, the write count, the remaining field
 * and the channel info offset and length.
 */
5004 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5006 gboolean continue_dissection;
// NOTE(review): pinfo and si are marked _U_ in the signature but are both used below.
5008 switch (si->status) {
5010 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5011 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5012 if (!continue_dissection) return offset;
5016 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5020 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5023 /* remaining, must be set to 0 */
5024 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5027 /* write channel info offset */
5028 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5031 /* write channel info length */
5032 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_OFFLOAD_READ data. The visible items are size, flags, token
 * TTL, a reserved field, file offset, copy length, transfer length and a
 * 512-byte token. Part of the parameter list and the lines that separate
 * the input and output layouts are not visible in this listing.
 */
5039 dissect_smb2_FSCTL_OFFLOAD_READ(tvbuff_t *tvb,
5040 packet_info *pinfo _U_,
5043 proto_tree *top_tree _U_,
5046 proto_tree_add_item(tree, hf_smb2_fsctl_offload_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5049 proto_tree_add_item(tree, hf_smb2_fsctl_offload_read_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5053 proto_tree_add_item(tree, hf_smb2_fsctl_offload_read_token_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5056 proto_tree_add_item(tree, hf_smb2_fsctl_offload_reserved, tvb, offset, 4, ENC_NA);
5059 proto_tree_add_item(tree, hf_smb2_fsctl_offload_read_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5062 proto_tree_add_item(tree, hf_smb2_fsctl_offload_read_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5065 proto_tree_add_item(tree, hf_smb2_fsctl_offload_read_transfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5068 proto_tree_add_item(tree, hf_smb2_fsctl_offload_token, tvb, offset, 512, ENC_NA);
5069 /* offset += 512; */
/*
 * FSCTL_PIPE_TRANSCEIVE: treat everything from offset to the end of the
 * captured data as named-pipe payload and pass it, with the caller's data
 * pointer, to dissect_file_data_smb2_pipe().
 */
5074 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, gboolean data_in _U_, void *data)
5076 dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, tvb_captured_length_remaining(tvb, offset), top_tree, data);
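/*
 * Dissect the input buffer of FSCTL_PIPE_WAIT.
 *
 * Fields are read relative to offset: an 8-byte timeout at offset, the name
 * length at offset + 8, the timeout-specified flag at offset + 12 and the
 * pipe name from offset + 14. The pipe name is appended to the Info column
 * and, when a tree is being built, added to top_tree together with the
 * timeout if the flag says one was specified.
 *
 * The name length comes from the packet; tvb_ensure_bytes_exist() raises an
 * exception before the name is read if the buffer is shorter than announced.
 */
static void
dissect_smb2_FSCTL_PIPE_WAIT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, proto_tree *top_tree, gboolean data_in _U_)
{
	guint8 timeout_specified = tvb_get_guint8(tvb, offset + 12);
	guint32 name_len = tvb_get_letohs(tvb, offset + 8);
	const gchar *name;
	int off = offset + 14;
	int remaining = tvb_captured_length_remaining(tvb, off);
	guint16 bc;
	int len = name_len;

	/* The byte count handed to the string helper is 16 bits wide: clamp the
	 * remaining length instead of letting the conversion wrap it around. */
	if (remaining < 0) {
		remaining = 0;
	}
	bc = (guint16)MIN(remaining, G_MAXUINT16);

	/* sanity check */
	tvb_ensure_bytes_exist(tvb, off, name_len);

	name = get_unicode_or_ascii_string(tvb, &off, TRUE, &len, TRUE, TRUE, &bc);
	if (name == NULL) {
		name = "";
	}

	col_append_fstr(pinfo->cinfo, COL_INFO, " Pipe: %s", name);

	if (top_tree) {
		proto_tree_add_string(top_tree, hf_smb2_fsctl_pipe_wait_name, tvb, offset + 14, name_len, name);
		if (timeout_specified) {
			/* the timeout is the first field of the buffer, so it sits at
			 * offset like every other field here, not at tvb offset 0 */
			proto_tree_add_item(top_tree, hf_smb2_fsctl_pipe_wait_timeout, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		}
	}
}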
/*
 * Dissect FSCTL_SET_SPARSE data. The 1-byte sparse flag is optional and is
 * only added when at least one byte remains in the buffer.
 */
5108 dissect_smb2_FSCTL_SET_SPARSE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5111 /* There is no out data */
5116 /* sparse flag (optional) */
5117 if (tvb_reported_length_remaining(tvb, offset) >= 1) {
5118 proto_tree_add_item(tree, hf_smb2_fsctl_sparse_flag, tvb, offset, 1, ENC_NA);
/*
 * Dissect FSCTL_SET_ZERO_DATA data: one 16-byte "Range" subtree holding a
 * 64-bit offset and a 64-bit length.
 */
5126 dissect_smb2_FSCTL_SET_ZERO_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5128 proto_tree *sub_tree;
5129 proto_item *sub_item;
5131 /* There is no out data */
5136 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5138 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5141 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_ALLOCATED_RANGES data. One visible path shows a single
 * 16-byte range (offset, length); the other loops while at least 16 bytes
 * remain and shows one range per iteration. The lines that choose between
 * the two paths are not visible in this listing.
 */
5148 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
5150 proto_tree *sub_tree;
5151 proto_item *sub_item;
// NOTE(review): tvb, tree and offset are marked _U_ in the signature but are used below.
5154 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5156 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5159 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5162 /* Zero or more allocated ranges may be reported. */
// The loop is bounded by the buffer size rather than by a count from the packet.
5163 while (tvb_reported_length_remaining(tvb, offset) >= 16) {
5165 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5167 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5170 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_FILE_REGIONS data. One visible path shows file offset,
 * length, usage and a reserved field; the other shows flags, the total and
 * returned region entry counts and a reserved field, followed by one 24-byte
 * "Entry" subtree per region entry.
 */
5178 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
// NOTE(review): tvb, tree and offset are marked _U_ in the signature but are used below.
5182 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5185 proto_tree_add_item(tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5188 proto_tree_add_item(tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5191 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5194 guint32 entry_count = 0;
5196 proto_tree_add_item(tree, hf_smb2_qfr_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5199 proto_tree_add_item(tree, hf_smb2_qfr_total_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5202 proto_tree_add_item_ret_uint(tree, hf_smb2_qfr_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &entry_count);
5205 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
// entry_count is a 32-bit value from the packet; the loop also stops once no
// bytes remain. NOTE(review): the statements that advance offset and decrement
// entry_count are not visible in this listing; confirm both are present so
// the loop always makes progress.
5208 while (entry_count && tvb_reported_length_remaining(tvb, offset)) {
5209 proto_tree *sub_tree;
5210 proto_item *sub_item;
5212 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_qfr_entry, &sub_item, "Entry");
5214 proto_tree_add_item(sub_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5217 proto_tree_add_item(sub_tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5220 proto_tree_add_item(sub_tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5223 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect FSCTL_LMR_REQUEST_RESILIENCY data: a 32-bit timeout followed by a
 * 32-bit reserved field.
 */
5232 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5234 /* There is no out data */
5240 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5244 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT: placeholder that adds nothing to
 * the tree; every parameter is marked unused.
 */
5248 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in _U_)
5250 /* There is no out data */
5255 /* There is nothing to do here ... */
/*
 * Dissect a Windows IPv4 socket address into a "Socket Address" subtree of
 * len bytes: family, port and address. The address text is appended to both
 * the subtree item and the parent item.
 */
5259 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
5261 proto_item *sub_item;
5262 proto_tree *sub_tree;
5263 proto_item *parent_item;
5269 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
5270 parent_item = proto_tree_get_parent(parent_tree);
5273 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
// NOTE(review): the port and address of a sockaddr_in are normally stored in
// network byte order; confirm ENC_LITTLE_ENDIAN is intended for the next two items.
5277 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5281 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5283 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
5284 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
/*
 * Dissect a Windows IPv6 socket address into a "Socket Address" subtree of
 * len bytes: family, port, flow info, the 16-byte address and the scope id.
 * The address text is appended to both the subtree item and the parent item.
 */
5288 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
5290 proto_item *sub_item;
5291 proto_tree *sub_tree;
5292 proto_item *parent_item;
5298 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
5299 parent_item = proto_tree_get_parent(parent_tree);
5302 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5306 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
// NOTE(review): flow info and scope id are added as 2-byte items here; in the
// Windows SOCKADDR_IN6 layout both are 32-bit fields. Confirm the widths and
// the offset increments, which are not visible in this listing.
5310 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5314 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, ENC_NA);
5315 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
5316 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
5320 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect a Windows socket address of unknown family. The 16-bit family is
 * read at offset and selects the IPv4 or IPv6 dissector; any other family
 * gets a generic "Socket Address" subtree that shows only the family, with
 * the family number appended to the subtree and parent items. The value of
 * len is set on lines that are not visible in this listing.
 */
5324 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5327 proto_item *sub_item;
5328 proto_tree *sub_tree;
5329 proto_item *parent_item;
5332 family = tvb_get_letohs(tvb, offset);
5334 case WINSOCK_AF_INET:
5335 dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
5337 case WINSOCK_AF_INET6:
5338 dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
5342 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
5343 parent_item = proto_tree_get_parent(parent_tree);
5346 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5347 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
5348 proto_item_append_text(parent_item, ", Family: %d (0x%04x)", family, family);
// Capability bits tested in dissect_smb2_NETWORK_INTERFACE_INFO() when it
// builds the ", RDMA" / ", RSS" summary text.
5355 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
5356 #define NETWORK_INTERFACE_CAP_RDMA 0x00000002
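/*
 * Dissect the single NETWORK_INTERFACE_INFO entry that starts at offset 0 of
 * tvb and add it to parent_tree as a "Network Interface" subtree.
 *
 * Fields, in order: next offset, interface index, capabilities, RSS queue
 * count, link speed and the socket address. The capability names and the
 * scaled link speed are appended to the item text.
 *
 * Returns the entry's next-offset field: the distance from the start of this
 * entry to the next one, or 0 when this is the last entry.
 */
static guint32
dissect_smb2_network_interface_entry(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	guint32     next_offset;
	int         offset = 0;
	int         len = -1;
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *item;
	guint32     capabilities;
	guint64     link_speed;
	gfloat      val = 0;
	const char *unit = NULL;
	static const int * capability_flags[] = {
		&hf_smb2_ioctl_network_interface_capability_rdma,
		&hf_smb2_ioctl_network_interface_capability_rss,
		NULL
	};

	/* the subtree spans up to the next entry, or to the end of the buffer
	 * for the last entry */
	next_offset = tvb_get_letohl(tvb, offset);
	if (next_offset) {
		len = next_offset;
	}

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_ioctl_network_interface, &sub_item, "Network Interface");
	item = proto_tree_get_parent(parent_tree);

	/* next offset */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* interface index */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* capabilities */
	capabilities = tvb_get_letohl(tvb, offset);
	proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_ioctl_network_interface_capabilities, ett_smb2_ioctl_network_interface_capabilities, capability_flags, ENC_LITTLE_ENDIAN);

	if (capabilities != 0) {
		proto_item_append_text(item, "%s%s",
				       (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
				       (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
		proto_item_append_text(sub_item, "%s%s",
				       (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
				       (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
	}
	offset += 4;

	/* rss queue count */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_rss_queue_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* link speed: convert before dividing so that the fraction printed by
	 * %.1f is kept; dividing the integer first always produced ".0" */
	link_speed = tvb_get_letoh64(tvb, offset);
	item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	if (link_speed >= (1000*1000*1000)) {
		val = (gfloat)link_speed / (1000*1000*1000);
		unit = "G";
	} else if (link_speed >= (1000*1000)) {
		val = (gfloat)link_speed / (1000*1000);
		unit = "M";
	} else if (link_speed >= (1000)) {
		val = (gfloat)link_speed / (1000);
		unit = "K";
	} else {
		val = (gfloat)(link_speed);
		unit = "";
	}
	proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
	proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);

	offset += 8;

	/* socket address */
	dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset);

	return next_offset;
}

/*
 * Dissect a chain of NETWORK_INTERFACE_INFO entries starting at offset 0 of
 * tvb and add each one to parent_tree.
 *
 * The entries are linked by a next-offset field that is taken from the
 * packet. The chain is walked with a loop instead of one recursive call per
 * entry, so a capture with a long chain of small next offsets costs loop
 * iterations rather than stack depth. Every step moves forward by at least
 * one byte, and tvb_new_subset_remaining() and the field accessors raise an
 * exception once an entry would lie outside the buffer, so the walk ends.
 */
static void
dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	guint32 next_offset;

	for (;;) {
		next_offset = dissect_smb2_network_interface_entry(tvb, pinfo, parent_tree);
		if (!next_offset) {
			break;
		}

		/* next extra info */
		tvb = tvb_new_subset_remaining(tvb, next_offset);
	}
}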
/*
 * FSCTL_QUERY_NETWORK_INTERFACE_INFO: pass the buffer to
 * dissect_smb2_NETWORK_INTERFACE_INFO(), which dissects it from tvb offset 0.
 */
5445 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
5447 /* There is no in data */
// NOTE(review): pinfo is marked _U_ in the signature but is passed on below.
5452 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
/*
 * Dissect the variant of FSCTL_VALIDATE_NEGOTIATE_INFO that the comment
 * below attributes to Windows 8 beta. Both visible layouts hold
 * capabilities, a 16-byte GUID (client or server), the security mode and a
 * single dialect. The lines that choose between the two layouts are not
 * visible in this listing.
 */
5456 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
5459 * This is only used by Windows 8 beta
// NOTE(review): offset is marked _U_ in the signature but is used and updated below.
5463 offset = dissect_smb2_capabilities(tree, tvb, offset);
5466 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5469 /* security mode, skip second byte */
5470 offset = dissect_smb2_secmode(tree, tvb, offset);
5474 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5478 offset = dissect_smb2_capabilities(tree, tvb, offset);
5481 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5484 /* security mode, skip second byte */
5485 offset = dissect_smb2_secmode(tree, tvb, offset);
5489 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_VALIDATE_NEGOTIATE_INFO data. The layout with the client
 * GUID holds capabilities, the GUID, the security mode, a 16-bit dialect
 * count and that many 2-byte dialects; the layout with the server GUID holds
 * capabilities, the GUID, the security mode and one dialect. The lines that
 * choose between the two layouts are not visible in this listing.
 */
5495 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
// NOTE(review): offset is marked _U_ in the signature but is used and updated below.
5501 offset = dissect_smb2_capabilities(tree, tvb, offset);
5504 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5507 /* security mode, skip second byte */
5508 offset = dissect_smb2_secmode(tree, tvb, offset);
// dc is read from the packet as a 16-bit value, so the loop below runs at
// most 65535 times.
5512 dc = tvb_get_letohs(tvb, offset);
5513 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5516 for ( ; dc>0; dc--) {
5517 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5522 offset = dissect_smb2_capabilities(tree, tvb, offset);
5525 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5528 /* security mode, skip second byte */
5529 offset = dissect_smb2_secmode(tree, tvb, offset);
5533 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_SRV_ENUMERATE_SNAPSHOTS output: three 32-bit counters followed by one
 * label string per volume. Lines between the visible ones are omitted from
 * this listing (the gutter numbers skip).
 */
5539 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5541 guint32 num_volumes;
5543 /* There is no in data */
/* num_volumes is a 32-bit value read from the packet and is the only visible
 * bound on the label loop below. */
5549 num_volumes = tvb_get_letohl(tvb, offset);
5550 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_volumes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5554 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_labels, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5558 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* NOTE(review): each pass advances offset by len only. If
 * get_unicode_or_ascii_string can return len == 0 at the end of the data
 * without raising, a large num_volumes would spin without progress; a
 * remaining-length test in the loop condition would bound it -- confirm
 * against the helper, which is not shown here. */
5561 while (num_volumes--) {
5565 int old_offset = offset;
5567 bc = tvb_captured_length_remaining(tvb, offset);
5568 name = get_unicode_or_ascii_string(tvb, &offset,
5569 TRUE, &len, TRUE, FALSE, &bc);
5570 proto_tree_add_string(tree, hf_smb2_ioctl_shadow_copy_label, tvb, old_offset, len, name);
/* offset is recomputed from old_offset, discarding whatever the helper wrote
 * through &offset. */
5572 offset = old_offset+len;
/* Adds a 64-byte FILE_OBJECTID_BUFFER item under parent_tree and, in its
 * subtree, four 16-byte fields: object id, birth volume id, birth object id
 * and domain id (4 x 16 = the 64 bytes of the parent item).
 * Callers assign the result to offset, so it returns the advanced offset; the
 * advances and the return statement are on lines this listing omits.
 */
5581 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
5583 proto_item *item = NULL;
5584 proto_tree *tree = NULL;
5586 /* FILE_OBJECTID_BUFFER */
5588 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
5589 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
5593 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5596 /* Birth Volume ID */
5597 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5600 /* Birth Object ID */
5601 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5605 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* Output of FSCTL_CREATE_OR_GET_OBJECT_ID; dissect_smb2_ioctl_data also routes
 * FSCTL_GET_OBJECT_ID here. The payload is one FILE_OBJECTID_BUFFER. The
 * early return for the input direction is presumably on an omitted line.
 */
5612 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5615 /* There is no in data */
5620 /* FILE_OBJECTID_BUFFER */
5621 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* FSCTL_GET_COMPRESSION output: a single 2-byte compression format. The
 * direction test behind "There is no in data" is not visible in this listing.
 */
5627 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5630 /* There is no in data */
5635 /* compression format */
5636 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_SET_COMPRESSION input: a single 2-byte compression format, shown with
 * the same header field as the GET variant. The direction test behind
 * "There is no out data" is not visible in this listing.
 */
5643 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5646 /* There is no out data */
5651 /* compression format */
5652 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_SET_INTEGRITY_INFORMATION input: checksum algorithm (2 bytes),
 * reserved (2 bytes) and a flags bitmask.
 */
5659 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
/* Field list for the flags bitmask. It is a plain local here, whereas the
 * other bitmask lists in this part of the file are static; its terminator is
 * on a line this listing omits. */
5661 const int *integrity_flags[] = {
5662 &hf_smb2_integrity_flags_enforcement_off,
5666 /* There is no out data */
5671 proto_tree_add_item(tree, hf_smb2_checksum_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5674 proto_tree_add_item(tree, hf_smb2_integrity_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5677 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_integrity_flags, ett_smb2_integrity_flags, integrity_flags, ENC_LITTLE_ENDIAN);
/* FSCTL_SET_OBJECT_ID input: one FILE_OBJECTID_BUFFER. The direction test
 * behind "There is no out data" is not visible in this listing.
 */
5684 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5687 /* There is no out data */
5692 /* FILE_OBJECTID_BUFFER */
5693 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* FSCTL_SET_OBJECT_ID_EXTENDED input: only the ExtendedInfo part of a
 * FILE_OBJECTID_BUFFER, i.e. three 16-byte fields (birth volume id, birth
 * object id, domain id) added directly to tree with no object id and no
 * enclosing subtree. Offset advances are on lines this listing omits.
 */
5699 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5702 /* There is no out data */
5707 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
5709 /* Birth Volume ID */
5710 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5713 /* Birth Object ID */
5714 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5718 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* Adds the 24-byte copy-chunk resume key as one item whose value is shown as
 * the fixed text "Opaque Data" rather than the bytes themselves. Callers
 * assign the result to offset; the advance and return are on omitted lines.
 */
5725 dissect_smb2_cchunk_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
5728 proto_tree_add_bytes_format_value(tree, hf_smb2_cchunk_resume_key, tvb,
5729 offset, 24, NULL, "Opaque Data");
/* FSCTL_SRV_REQUEST_RESUME_KEY output: the 24-byte resume key followed by a
 * 4-byte item shown with the generic reserved field. The direction test
 * behind "There is no in data" is not visible in this listing.
 */
5736 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5739 /* There is no in data */
5744 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
5746 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* FSCTL_SRV_COPYCHUNK / FSCTL_SRV_COPYCHUNK_WRITE payload (both ioctl codes
 * dispatch here).
 * Output: three 32-bit counters at offset, offset+4 and offset+8.
 * Input: resume key, chunk count, a 4-byte reserved item, then one 24-byte
 * entry per chunk (source offset 8, destination offset 8, length 4,
 * reserved 4). The direction test, the offset advances and the chunk_count
 * decrement are on lines this listing omits.
 */
5751 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5753 proto_tree *sub_tree;
5754 proto_item *sub_item;
5755 guint32 chunk_count = 0;
5757 /* Output is simpler - handle that first. */
5759 proto_tree_add_item(tree, hf_smb2_cchunk_chunks_written, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5760 proto_tree_add_item(tree, hf_smb2_cchunk_bytes_written, tvb, offset+4, 4, ENC_LITTLE_ENDIAN);
5761 proto_tree_add_item(tree, hf_smb2_cchunk_total_written, tvb, offset+8, 4, ENC_LITTLE_ENDIAN);
5765 /* Input data, fixed part */
5766 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
/* chunk_count comes from the packet. */
5767 proto_tree_add_item_ret_uint(tree, hf_smb2_cchunk_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &chunk_count);
5770 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5773 /* Zero or more allocated ranges may be reported. */
/* The remaining-length test stops the loop once fewer than 24 bytes are left,
 * so an overstated chunk_count cannot drive more passes than the buffer
 * holds -- provided offset advances by 24 per pass on the omitted lines. */
5774 while (chunk_count && tvb_reported_length_remaining(tvb, offset) >= 24) {
5775 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_smb2_cchunk_entry, &sub_item, "Chunk");
5777 proto_tree_add_item(sub_tree, hf_smb2_cchunk_src_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5780 proto_tree_add_item(sub_tree, hf_smb2_cchunk_dst_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5783 proto_tree_add_item(sub_tree, hf_smb2_cchunk_xfer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5786 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* Dispatches an IOCTL/FSCTL data buffer to the dissector for ioctl_function.
 *
 * tvb covers only the data buffer, so every handler is called with offset 0.
 * data_in is TRUE for the input buffer and FALSE for the output buffer (see
 * dissect_smb2_ioctl_data_in / _out). ioctl_function is the control code
 * parsed from the packet, so it is untrusted: codes without a case end at the
 * final proto_tree_add_item, which shows the whole captured buffer as
 * hf_smb2_unknown. The break statements, the default label and the data_in
 * test around the two DFS calls are on lines this listing omits.
 */
5794 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in, void *private_data _U_)
/* dc holds the reported buffer length; it is passed by pointer to the DFS
 * dissectors and by value to the shared-virtual-disk handler. Its
 * declaration is not visible here. */
5798 dc = tvb_reported_length(tvb);
5800 switch (ioctl_function) {
5801 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
5803 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc, TRUE);
5805 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc, TRUE);
5808 case 0x000940CF: /* FSCTL_QUERY_ALLOCATED_RANGES */
5809 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvb, pinfo, tree, 0, data_in);
5811 case 0x00094264: /* FSCTL_OFFLOAD_READ */
5812 dissect_smb2_FSCTL_OFFLOAD_READ(tvb, pinfo, tree, 0, top_tree, data_in);
5814 case 0x0011c017: /* FSCTL_PIPE_TRANSCEIVE */
5815 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in, private_data);
5817 case 0x00110018: /* FSCTL_PIPE_WAIT */
5818 dissect_smb2_FSCTL_PIPE_WAIT(tvb, pinfo, tree, 0, top_tree, data_in);
5820 case 0x00140078: /* FSCTL_SRV_REQUEST_RESUME_KEY */
5821 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvb, pinfo, tree, 0, data_in);
5823 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
5824 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
5826 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
5827 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
5829 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
5830 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
5832 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
5833 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
5835 case 0x00144064: /* FSCTL_SRV_ENUMERATE_SNAPSHOTS */
5836 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvb, pinfo, tree, 0, data_in);
5838 case 0x001440F2: /* FSCTL_SRV_COPYCHUNK */
5839 case 0x001480F2: /* FSCTL_SRV_COPYCHUNK_WRITE */
5840 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvb, pinfo, tree, 0, data_in);
5842 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
5843 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
5844 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
5846 case 0x000900c4: /* FSCTL_SET_SPARSE */
5847 dissect_smb2_FSCTL_SET_SPARSE(tvb, pinfo, tree, 0, data_in);
5849 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
5850 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
5852 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
5853 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
5855 case 0x000980C8: /* FSCTL_SET_ZERO_DATA */
5856 dissect_smb2_FSCTL_SET_ZERO_DATA(tvb, pinfo, tree, 0, data_in);
5858 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
5859 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
5861 case 0x00090300: /* FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT */
5863 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvb, pinfo, tree, 0, dc);
5865 case 0x00090304: /* FSCTL_SVHDX_SYNC_TUNNEL or response */
/* Hands the buffer to a separate dissector (rsvd_handle) on top_tree, with a
 * pointer to data_in as its private data. */
5866 call_dissector_with_data(rsvd_handle, tvb, pinfo, top_tree, &data_in);
5868 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
5869 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
5871 case 0x00090284: /* FSCTL_QUERY_FILE_REGIONS */
5872 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvb, pinfo, tree, 0, data_in);
5874 case 0x0009C280: /* FSCTL_SET_INTEGRITY_INFORMATION request or response */
5875 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvb, pinfo, tree, 0, data_in);
5878 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/* Buffer callback for the IOCTL input blob: records the pipe file id, then
 * dispatches with data_in = TRUE, passing si as the private data.
 */
5883 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5885 smb2_pipe_set_file_id(pinfo, si);
5886 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, TRUE, si);
/* Buffer callback for the IOCTL output blob: records the pipe file id, then
 * dispatches with data_in = FALSE, passing si as the private data.
 */
5890 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5892 smb2_pipe_set_file_id(pinfo, si);
5893 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, FALSE, si);
/* Dissects an SMB2 IOCTL request: buffer code, control code (stored in
 * si->ioctl_function for the data dispatch), file id, the input and output
 * buffer offset/length pairs with their maximum sizes, the flags word, and
 * finally both data blobs.
 *
 * i_olb and o_olb are filled from offsets and lengths in the packet, so they
 * are untrusted; the visible code relies on dissect_smb2_olb_buffer to bound
 * them against the tvb -- TODO confirm in that helper. Offset advances after
 * the fixed-size items are on lines this listing omits.
 */
5897 dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5899 offset_length_buffer_t o_olb;
5900 offset_length_buffer_t i_olb;
5901 proto_tree *flags_tree = NULL;
5902 proto_item *flags_item = NULL;
5905 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5910 /* ioctl function */
5911 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
5914 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5916 /* in buffer offset/length */
5917 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
5919 /* max ioctl in size */
5920 proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5923 /* out buffer offset/length */
5924 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
5926 /* max ioctl out size */
5927 proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5932 flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5933 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
5935 proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5941 /* try to decode these blobs in the order they were encoded
5942 * so that for "short" packets we will dissect as much as possible
5943 * before aborting with "short packet"
5945 if (i_olb.off>o_olb.off) {
5947 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
5949 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
5952 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
5954 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
5957 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
5958 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
/* Dissects an SMB2 IOCTL response.
 *
 * Status 0x00000000 parses the buffer code, status 0x80000005 goes straight
 * on to the body, and every other status is handed to
 * dissect_smb2_error_response, which reports through continue_dissection
 * whether the body should still be parsed. continue_dissection has no
 * initializer, so it is only meaningful after that call. The body mirrors the
 * request: control code, file id, input and output offset/length pairs, then
 * both blobs in the order of their offsets. i_olb and o_olb come from the
 * packet and are untrusted. Offset advances are on lines this listing omits.
 */
5964 dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5966 offset_length_buffer_t o_olb;
5967 offset_length_buffer_t i_olb;
5968 gboolean continue_dissection;
5970 switch (si->status) {
5972 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5973 case 0x80000005: break;
5974 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5975 if (!continue_dissection) return offset;
5978 /* some unknown bytes */
5979 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
5982 /* ioctl function */
5983 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
5986 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5988 /* in buffer offset/length */
5989 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
5991 /* out buffer offset/length */
5992 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
5995 /* flags: reserved: must be zero */
6001 /* try to decode these blobs in the order they were encoded
6002 * so that for "short" packets we will dissect as much as possible
6003 * before aborting with "short packet"
6005 if (i_olb.off>o_olb.off) {
6007 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6009 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6012 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6014 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6017 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
6018 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
/* Dissects an SMB2 READ request: buffer code, read length, file offset, file
 * id, minimum count, channel, remaining bytes and the channel-info blob,
 * whose dissector depends on the channel value. The requested length and
 * offset are saved in si->saved so the matching response can use them.
 * Declarations of len, off and channel, the offset advances and the switch
 * header are on lines this listing omits.
 */
6025 dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6027 offset_length_buffer_t c_olb;
6033 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6035 /* padding and reserved */
6039 len = tvb_get_letohl(tvb, offset);
6040 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6044 off = tvb_get_letoh64(tvb, offset);
6045 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): len is filled from an unsigned 32-bit read but printed with
 * %d; if it is declared unsigned, lengths above INT_MAX show up negative in
 * the Info column -- confirm against the declaration. */
6048 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", len, off);
6051 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
6054 proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6058 channel = tvb_get_letohl(tvb, offset);
6059 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6062 /* remaining bytes */
6063 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6066 /* read channel info blob offset/length */
6067 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
6069 /* the read channel info blob itself */
6071 case SMB2_CHANNEL_RDMA_V1:
6072 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
6074 case SMB2_CHANNEL_NONE:
6076 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
6080 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
6082 /* Store len and offset */
/* si->saved is dereferenced here; dissect_smb2_read_response tests it before
 * use, so a matching guard is presumably on the omitted line above. */
6084 si->saved->file_offset=off;
6085 si->saved->bytes_moved=len;
/* Dissects an SMB2 READ response: status handling, data offset, read length,
 * remaining bytes, then the payload -- first offered to the named-pipe
 * dissector, otherwise shown as raw read data and, when an export-object tap
 * is listening, fed to feed_eo_smb2.
 * The declaration of length, the offset advances and the condition that
 * selects the pipe path are on lines this listing omits.
 */
6093 dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
6095 guint16 dataoffset = 0;
6096 guint32 data_tvb_len;
6098 gboolean continue_dissection;
6100 switch (si->status) {
6102 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6103 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6104 if (!continue_dissection) return offset;
/* NOTE(review): a 32-bit read is stored in the 16-bit dataoffset while the
 * field is added below as 2 bytes, so the value is truncated and the read
 * touches two bytes beyond the field; tvb_get_letohs looks like the intended
 * accessor. */
6108 dataoffset=tvb_get_letohl(tvb,offset);
6109 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6112 /* length might even be 64bits if they are ambitious*/
6113 length = tvb_get_letohl(tvb, offset);
6114 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6118 proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6124 /* data or namedpipe ?*/
6126 int oldoffset = offset;
6127 smb2_pipe_set_file_id(pinfo, si);
6128 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
6129 if (offset != oldoffset) {
6130 /* managed to dissect pipe data */
/* length is the value claimed by the packet; it is used unclamped here and
 * clamped to the captured bytes only for the offset advance below. */
6136 proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);
6138 data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);
6140 offset += MIN(length,data_tvb_len);
/* Export only when the capture holds exactly the claimed number of bytes, so
 * truncated payloads are not exported. */
6142 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
6143 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
6144 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,si->saved->file_offset);
/* Adds an ei_smb2_bad_response expert item covering the whole buffer
 * (offset 0, length -1) with the text "<buffer_desc> SHOULD NOT be generated".
 * buffer_desc is passed as a %s argument, never as the format string; the
 * callers visible in this file pass string literals.
 */
6152 report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *buffer_desc)
6154 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_bad_response, tvb, 0, -1,
6155 "%s SHOULD NOT be generated", buffer_desc);
/* ExtA create-context request: labels the parent item and dissects the buffer
 * from offset 0 as SMB2_FILE_FULL_EA_INFO.
 */
6158 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6160 proto_item *item = NULL;
6162 item = proto_tree_get_parent(tree);
6163 proto_item_append_text(item, ": SMB2_FILE_FULL_EA_INFO");
6165 dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
/* ExtA in a response is not expected: the whole buffer is flagged with the
 * "SHOULD NOT be generated" expert item instead of being parsed.
 */
6169 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
6171 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
/* SecD create-context request: labels the parent item and dissects the buffer
 * from offset 0 with dissect_smb2_sec_info_00.
 */
6175 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6177 proto_item *item = NULL;
6179 item = proto_tree_get_parent(tree);
6180 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
6182 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
/* SecD in a response is not expected: the whole buffer is flagged with the
 * "SHOULD NOT be generated" expert item instead of being parsed.
 */
6186 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
6188 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
/* TWrp create-context request: labels the parent item and shows the 64-bit NT
 * timestamp at offset 0.
 */
6192 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6194 proto_item *item = NULL;
6196 item = proto_tree_get_parent(tree);
6197 proto_item_append_text(item, ": Timestamp");
6199 dissect_nt_64bit_time(tvb, tree, 0, hf_smb2_twrp_timestamp);
/* TWrp in a response is not expected: the whole buffer is flagged with the
 * "SHOULD NOT be generated" expert item. pinfo carries the _U_ marker even
 * though it is passed on below.
 */
6203 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6205 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
/* QFid create-context request: an empty buffer is labelled ": NO DATA"; the
 * other visible label marks the request as malformed, presumably in the else
 * branch on an omitted line. The anomaly is reported as item text only, not
 * as an expert item, in the visible lines.
 */
6209 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6211 proto_item *item = NULL;
6214 item = proto_tree_get_parent(tree);
6218 if (tvb_reported_length(tvb) == 0) {
6219 proto_item_append_text(item, ": NO DATA");
6221 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
/* QFid create-context response: a "QFid INFO" subtree holding one 32-byte
 * opaque item. sub_tree is declared proto_item * although it receives the
 * result of proto_tree_add_subtree, which dissect_smb2_FSCTL_SRV_COPYCHUNK
 * stores in a proto_tree *. Declarations of item and offset are on omitted
 * lines.
 */
6227 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6231 proto_item *sub_tree;
6233 item = proto_tree_get_parent(tree);
6235 proto_item_append_text(item, ": QFid INFO");
6236 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_QFid_buffer, NULL, "QFid INFO");
6238 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
/* AlSi create-context request: one 8-byte allocation size at offset 0. */
6242 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6244 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* AlSi in a response is not expected: the whole buffer is flagged with the
 * "SHOULD NOT be generated" expert item instead of being parsed.
 */
6248 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6250 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
/* DHnQ create-context request: the buffer is dissected as a file id in
 * FID_MODE_DHNQ.
 */
6254 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6256 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
/* DHnQ create-context response: one 8-byte reserved item at offset 0. */
6260 dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6262 proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* DHnC create-context request (durable handle reconnect): the buffer is
 * dissected as a file id in FID_MODE_DHNC.
 */
6266 dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6268 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
/* DHnC in a response is not expected: the whole buffer is flagged with the
 * "SHOULD NOT be generated" expert item instead of being parsed.
 */
6272 dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
6274 report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
6278 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
6284 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
6288 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
6293 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
6296 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
/* DH2Q create-context request (durable handle v2): timeout (4 bytes), flags
 * bitmask, reserved (8 bytes) and the 16-byte create GUID, in a "DH2Q
 * Request" subtree. Declarations of item and offset, and the offset advances,
 * are on lines this listing omits.
 */
6299 dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6301 static const int *dh2x_flags_fields[] = {
6302 &hf_smb2_dh2x_buffer_flags_persistent_handle,
6307 proto_item *sub_tree;
6309 item = proto_tree_get_parent(tree);
6311 proto_item_append_text(item, ": DH2Q Request");
6312 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Request");
6315 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6319 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_dh2x_buffer_flags,
6320 ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
6324 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6328 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* DH2Q create-context response: timeout (4 bytes) and flags (4 bytes) in a
 * "DH2Q Response" subtree. Unlike the request, the flags are added as a plain
 * item rather than through proto_tree_add_bitmask, so the individual bits are
 * not broken out here.
 */
6332 dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6336 proto_item *sub_tree;
6338 item = proto_tree_get_parent(tree);
6340 proto_item_append_text(item, ": DH2Q Response");
6341 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Response");
6344 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6348 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* DH2C create-context request (durable handle v2 reconnect): file id in
 * FID_MODE_DHNC, the 16-byte create GUID and a 4-byte flags item, in a "DH2C
 * Request" subtree. The return value of dissect_smb2_fid is not used in the
 * visible call, so the offset advance past the file id must be on an omitted
 * line.
 */
6352 dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6356 proto_item *sub_tree;
6358 item = proto_tree_get_parent(tree);
6360 proto_item_append_text(item, ": DH2C Request");
6361 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2C_buffer, NULL, "DH2C Request");
6364 dissect_smb2_fid(tvb, pinfo, sub_tree, offset, si, FID_MODE_DHNC);
6368 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6372 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* DH2C in a response is not expected: the whole buffer is flagged with the
 * "SHOULD NOT be generated" expert item instead of being parsed.
 */
6376 dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
6378 report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
/* MxAc create-context request: an empty buffer is labelled ": NO DATA";
 * otherwise the buffer is shown as a 64-bit NT timestamp. The early return
 * after the empty case and the declaration of offset are on lines this
 * listing omits.
 */
6382 dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6385 proto_item *item = NULL;
6388 item = proto_tree_get_parent(tree);
6391 if (tvb_reported_length(tvb) == 0) {
6393 proto_item_append_text(item, ": NO DATA");
6399 proto_item_append_text(item, ": Timestamp");
6402 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_mxac_timestamp);
/* MxAc create-context response: an empty buffer is labelled ": NO DATA";
 * otherwise a "MxAc INFO" subtree shows a 4-byte query status followed by the
 * access mask. The early return after the empty case is presumably on an
 * omitted line.
 */
6406 dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6410 proto_tree *sub_tree;
6412 item = proto_tree_get_parent(tree);
6414 if (tvb_reported_length(tvb) == 0) {
6415 proto_item_append_text(item, ": NO DATA");
6419 proto_item_append_text(item, ": MxAc INFO");
6420 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_MxAc_buffer, NULL, "MxAc INFO");
/* NOTE(review): this is the only ENC_BIG_ENDIAN field among the create
 * contexts shown here; every other multi-byte field is little endian --
 * confirm the byte order is intended. */
6422 proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_BIG_ENDIAN);
6425 dissect_smb_access_mask(tvb, sub_tree, offset);
6429 * SMB2_CREATE_REQUEST_LEASE 32
6433 * 8 - lease duration
6435 * SMB2_CREATE_REQUEST_LEASE_V2 52
6439 * 8 - lease duration
6440 * 16 - parent lease key
6444 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
6445 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
6446 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
6448 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
6449 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
6450 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
/* Bit-field lists handed to proto_tree_add_bitmask for the lease state and
 * lease flags words in dissect_SMB2_CREATE_LEASE_VX. The list terminators and
 * closing braces are on lines this listing omits.
 */
6452 static const int *lease_state_fields[] = {
6453 &hf_smb2_lease_state_read_caching,
6454 &hf_smb2_lease_state_handle_caching,
6455 &hf_smb2_lease_state_write_caching,
6458 static const int *lease_flags_fields[] = {
6459 &hf_smb2_lease_flags_break_ack_required,
6460 &hf_smb2_lease_flags_break_in_progress,
6461 &hf_smb2_lease_flags_parent_lease_key_set,
/* Dissects a lease create context, used for both requests and responses.
 *
 * The version is inferred from the reported buffer length alone: 32 bytes is
 * LEASE_V1, 52 bytes is LEASE_V2, and any other length is flagged through
 * report_create_context_malformed_buffer. Fields shown: lease key (16), lease
 * state bitmask, lease flags bitmask, lease duration (8), then parent lease
 * key (16), epoch (2) and reserved (2). The switch header, the return after
 * the malformed case, the offset advances and whatever restricts the last
 * three fields to V2 are on lines this listing omits.
 */
6466 dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
6470 proto_tree *sub_tree = NULL;
6471 proto_item *parent_item;
6473 parent_item = proto_tree_get_parent(parent_tree);
6475 len = tvb_reported_length(tvb);
6478 case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
6479 proto_item_append_text(parent_item, ": LEASE_V1");
6480 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V1");
6482 case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
6483 proto_item_append_text(parent_item, ": LEASE_V2");
6484 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V2");
6487 report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
6491 proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6494 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_state,
6495 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
6498 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_flags,
6499 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
6502 proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6509 proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6512 proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6515 proto_tree_add_item(sub_tree, hf_smb2_lease_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* RqLs create-context request: delegates to the shared lease dissector. */
6519 dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6521 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
/* RqLs create-context response: delegates to the shared lease dissector. */
6525 dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6527 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
6531 * SMB2_CREATE_APP_INSTANCE_ID
6532 * 2 - structure size - 20
6534 * 16 - application guid
/* SMB2_CREATE_APP_INSTANCE_ID request: structure size (2 bytes), reserved
 * (2 bytes) and the 16-byte application GUID, in an "APP INSTANCE ID"
 * subtree. The structure size is displayed but not checked in the visible
 * lines. Declarations of item and offset, and the offset advances, are on
 * lines this listing omits.
 */
6538 dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6542 proto_item *sub_tree;
6544 item = proto_tree_get_parent(tree);
6546 proto_item_append_text(item, ": CREATE APP INSTANCE ID");
6547 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_APP_INSTANCE_buffer, NULL, "APP INSTANCE ID");
6550 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
6551 tvb, offset, 2, ENC_LITTLE_ENDIAN);
6555 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
6556 tvb, offset, 2, ENC_LITTLE_ENDIAN);
6560 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* An app-instance context in a response is not expected: the whole buffer is
 * flagged with the "SHOULD NOT be generated" expert item.
 */
6564 dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6566 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
6570 * Dissect the MS-RSVD stuff that turns up when HyperV uses SMB3.x
/* SVHDX open-device create context (request): version (4), HasInitiatorId
 * (1), reserved (3), initiator id (16), flags (4), originator flags (4), open
 * request id (8), initiator host name length (2) and initiator host name, in
 * an "SVHDX OPEN DEVICE CONTEXT" subtree. Declarations of item and offset,
 * and the offset advances, are on lines this listing omits.
 */
6573 dissect_smb2_svhdx_open_device_context_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6577 proto_item *sub_tree;
6579 item = proto_tree_get_parent(tree);
6581 proto_item_append_text(item, ": SVHDX OPEN DEVICE CONTEXT");
6582 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_svhdx_open_device_context, NULL, "SVHDX OPEN DEVICE CONTEXT");
6585 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_version,
6586 tvb, offset, 4, ENC_LITTLE_ENDIAN);
6589 /* HasInitiatorId */
6590 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_has_initiator_id,
6591 tvb, offset, 1, ENC_LITTLE_ENDIAN);
6595 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_reserved,
6596 tvb, offset, 3, ENC_NA);
6600 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_id,
6601 tvb, offset, 16, ENC_NA);
6604 /* Flags TODO: Dissect these*/
6605 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_flags,
6606 tvb, offset, 4, ENC_LITTLE_ENDIAN);
6609 /* OriginatorFlags */
6610 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_originator_flags,
6611 tvb, offset, 4, ENC_LITTLE_ENDIAN);
6615 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_open_request_id,
6616 tvb, offset, 8, ENC_LITTLE_ENDIAN);
6619 /* InitiatorHostNameLength */
6620 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name_len,
6621 tvb, offset, 2, ENC_LITTLE_ENDIAN);
6624 /* InitiatorHostName */
/* The name is always added as a fixed 126-byte field; the length value shown
 * just above is displayed only and does not bound this item in the visible
 * lines. */
6625 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name,
6626 tvb, offset, 126, ENC_ASCII | ENC_NA);
/* An SVHDX open-device context in a response is not expected: the whole
 * buffer is flagged with the "SHOULD NOT be generated" expert item.
 */
6630 dissect_smb2_svhdx_open_device_context_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6632 report_create_context_malformed_buffer(tvb, pinfo, tree, "SHVXD OPEN DEVICE CONTEXT Response");
/* Bit-field list handed to proto_tree_add_bitmask for the "supported
 * features" word in dissect_smb2_posix_v1_caps_response. The list terminator
 * and closing brace are on lines this listing omits.
 */
6635 static const int *posix_flags_fields[] = {
6636 &hf_smb2_posix_v1_case_sensitive,
6637 &hf_smb2_posix_v1_posix_lock,
6638 &hf_smb2_posix_v1_posix_file_semantics,
6639 &hf_smb2_posix_v1_posix_utf8_paths,
6640 &hf_smb2_posix_v1_posix_will_convert_nt_acls,
6641 &hf_smb2_posix_v1_posix_fileinfo,
6642 &hf_smb2_posix_v1_posix_acls,
6643 &hf_smb2_posix_v1_rich_acls,
/* POSIX v1 capabilities create context (request): version (4 bytes) and
 * request word (4 bytes), in a "POSIX_V1_REQUEST" subtree. tvb and tree-side
 * parameters carry the _U_ marker although tvb is used below. Declarations of
 * item and offset are on lines this listing omits.
 */
6648 dissect_smb2_posix_v1_caps_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6652 proto_item *sub_tree;
6654 item = proto_tree_get_parent(tree);
6656 proto_item_append_text(item, ": POSIX V1 CAPS request");
6657 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_posix_v1_request, NULL, "POSIX_V1_REQUEST");
6660 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_version,
6661 tvb, offset, 4, ENC_LITTLE_ENDIAN);
6665 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_request,
6666 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* POSIX v1 capabilities create context (response): version (4 bytes) and the
 * supported-features bitmask broken out with posix_flags_fields, in a
 * "POSIX_V1_RESPONSE" subtree. Declarations of item and offset are on lines
 * this listing omits.
 */
6670 dissect_smb2_posix_v1_caps_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6674 proto_item *sub_tree;
6676 item = proto_tree_get_parent(tree);
6678 proto_item_append_text(item, ": POSIX V1 CAPS response");
6679 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_posix_v1_response, NULL, "POSIX_V1_RESPONSE");
6682 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_version,
6683 tvb, offset, 4, ENC_LITTLE_ENDIAN);
6686 /* Supported Features */
6687 proto_tree_add_bitmask(sub_tree, tvb, offset,
6688 hf_smb2_posix_v1_supported_features,
6689 ett_smb2_posix_v1_supported_features,
6690 posix_flags_fields, ENC_LITTLE_ENDIAN);
/*
 * AAPL create-context command codes. Both AAPL dissectors below read a
 * 4-byte command code from the packet and switch on these two values.
 */
6694 #define SMB2_AAPL_SERVER_QUERY 1
6695 #define SMB2_AAPL_RESOLVE_ID 2
/* Display names for the command code values. */
6697 static const value_string aapl_command_code_vals[] = {
6698 { SMB2_AAPL_SERVER_QUERY, "Server query"},
6699 { SMB2_AAPL_RESOLVE_ID, "Resolve ID"},
/*
 * Bits of the server-query bitmask. The response dissector tests each bit
 * to decide whether the matching optional section (server caps, volume
 * caps, model info) is dissected.
 */
6703 #define SMB2_AAPL_SERVER_CAPS 0x00000001
6704 #define SMB2_AAPL_VOLUME_CAPS 0x00000002
6705 #define SMB2_AAPL_MODEL_INFO 0x00000004
/* Field list handed to proto_tree_add_bitmask*() for the query bitmask. */
6707 static const int *aapl_server_query_bitmap_fields[] = {
6708 &hf_smb2_aapl_server_query_bitmask_server_caps,
6709 &hf_smb2_aapl_server_query_bitmask_volume_caps,
6710 &hf_smb2_aapl_server_query_bitmask_model_info,
/*
 * Capability bits.
 * NOTE(review): these four macros are not referenced in the visible code;
 * presumably the hf_ field registrations carry the same masks -- confirm
 * they agree.
 */
6714 #define SMB2_AAPL_SUPPORTS_READ_DIR_ATTR 0x00000001
6715 #define SMB2_AAPL_SUPPORTS_OSX_COPYFILE 0x00000002
6716 #define SMB2_AAPL_UNIX_BASED 0x00000004
6717 #define SMB2_AAPL_SUPPORTS_NFS_ACE 0x00000008
/* Field list for the capabilities bitmask (client caps in requests, server caps in responses). */
6719 static const int *aapl_server_query_caps_fields[] = {
6720 &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
6721 &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
6722 &hf_smb2_aapl_server_query_caps_unix_based,
6723 &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
/*
 * Create-context data dissector for the request side of the "AAPL" context.
 * Appends ": AAPL Create Context request" to the parent item, opens a
 * subtree, reads the 4-byte little-endian command code (kept in
 * command_code), adds a 4-byte reserved field and then dissects a
 * command-specific body:
 *   SMB2_AAPL_SERVER_QUERY - request bitmap followed by client capabilities
 *   SMB2_AAPL_RESOLVE_ID   - 8-byte file id
 *
 * NOTE(review): tvb and tree carry _U_ (unused) although both are used
 * below. command_code comes straight from the packet; the handling of
 * values other than the two cases, the declaration of offset and the
 * advances between fields are not visible in this listing.
 */
6728 dissect_smb2_AAPL_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
6732 proto_item *sub_tree;
6733 guint32 command_code;
6735 item = proto_tree_get_parent(tree);
6737 proto_item_append_text(item, ": AAPL Create Context request");
6738 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_request, NULL, "AAPL Create Context request");
/* command code: added to the tree and returned in command_code */
6741 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
6742 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
/* 4-byte reserved field */
6746 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
6747 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* the rest of the buffer depends on the packet-supplied command code */
6750 switch (command_code) {
6752 case SMB2_AAPL_SERVER_QUERY:
6753 /* Request bitmap */
6754 proto_tree_add_bitmask(sub_tree, tvb, offset,
6755 hf_smb2_aapl_server_query_bitmask,
6756 ett_smb2_aapl_server_query_bitmask,
6757 aapl_server_query_bitmap_fields,
6761 /* Client capabilities */
6762 proto_tree_add_bitmask(sub_tree, tvb, offset,
6763 hf_smb2_aapl_server_query_caps,
6764 ett_smb2_aapl_server_query_caps,
6765 aapl_server_query_caps_fields,
6769 case SMB2_AAPL_RESOLVE_ID:
/* 8-byte file id to resolve */
6771 proto_tree_add_item(sub_tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Volume capability bits reported in the AAPL server-query response.
 * NOTE(review): the macros are not referenced in the visible code;
 * presumably the hf_ field registrations carry the same masks -- confirm.
 */
6779 #define SMB2_AAPL_SUPPORTS_RESOLVE_ID 0x00000001
6780 #define SMB2_AAPL_CASE_SENSITIVE 0x00000002
6781 #define SMB2_AAPL_SUPPORTS_FULL_SYNC 0x00000004
/* Field list handed to proto_tree_add_bitmask() for the volume capabilities. */
6783 static const int *aapl_server_query_volume_caps_fields[] = {
6784 &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
6785 &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
6786 &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
/*
 * Create-context data dissector for the response side of the "AAPL"
 * context. Appends ": AAPL Create Context response" to the parent item,
 * opens a subtree, reads the 4-byte little-endian command code, adds a
 * 4-byte reserved field and then dissects a command-specific body:
 *   SMB2_AAPL_SERVER_QUERY - the query bitmask, then one optional section
 *                            per bit set in it (server capabilities,
 *                            volume capabilities, UTF-16LE model string)
 *   SMB2_AAPL_RESOLVE_ID   - 4-byte NT status, then a UTF-16LE server path
 *
 * The layout of a server-query response is therefore chosen by a bitmask
 * taken from the packet itself.
 *
 * NOTE(review): tvb and tree carry _U_ (unused) although both are used
 * below. The offset/length arguments of the two string fields, the
 * declaration of offset and the advances between fields are on lines not
 * visible in this listing; confirm the string lengths cannot run past the
 * captured data.
 */
6791 dissect_smb2_AAPL_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
6795 proto_item *sub_tree;
6796 guint32 command_code;
6797 guint64 server_query_bitmask;
6799 item = proto_tree_get_parent(tree);
6801 proto_item_append_text(item, ": AAPL Create Context response");
6802 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_response, NULL, "AAPL Create Context response");
/* command code: added to the tree and returned in command_code */
6805 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
6806 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
/* 4-byte reserved field */
6810 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
6811 tvb, offset, 4, ENC_LITTLE_ENDIAN);
6814 switch (command_code) {
6816 case SMB2_AAPL_SERVER_QUERY:
/* reply bitmap: decoded into the tree and returned in server_query_bitmask */
6818 proto_tree_add_bitmask_ret_uint64(sub_tree, tvb, offset,
6819 hf_smb2_aapl_server_query_bitmask,
6820 ett_smb2_aapl_server_query_bitmask,
6821 aapl_server_query_bitmap_fields,
6823 &server_query_bitmask);
6826 if (server_query_bitmask & SMB2_AAPL_SERVER_CAPS) {
6827 /* Server capabilities */
6828 proto_tree_add_bitmask(sub_tree, tvb, offset,
6829 hf_smb2_aapl_server_query_caps,
6830 ett_smb2_aapl_server_query_caps,
6831 aapl_server_query_caps_fields,
6835 if (server_query_bitmask & SMB2_AAPL_VOLUME_CAPS) {
6836 /* Volume capabilities */
6837 proto_tree_add_bitmask(sub_tree, tvb, offset,
6838 hf_smb2_aapl_server_query_volume_caps,
6839 ett_smb2_aapl_server_query_volume_caps,
6840 aapl_server_query_volume_caps_fields,
6844 if (server_query_bitmask & SMB2_AAPL_MODEL_INFO) {
/* model string, UTF-16 little-endian */
6849 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_model_string,
6851 ENC_UTF_16|ENC_LITTLE_ENDIAN);
6855 case SMB2_AAPL_RESOLVE_ID:
/* NT status of the resolve operation */
6857 proto_tree_add_item(sub_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* resolved server path, UTF-16 little-endian */
6861 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_server_path,
6863 ENC_UTF_16|ENC_LITTLE_ENDIAN);
/*
 * Signature shared by every create-context data dissector: it receives the
 * tvb handed over by dissect_smb2_olb_buffer(), the packet info, the tree
 * to add to and the per-PDU smb2 state, and returns nothing.
 */
6871 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
/* Request/response pair for one create-context type; either may be NULL (see the INVALID sentinel). */
6873 typedef struct create_context_data_dissectors {
6874 create_context_data_dissector_t request;
6875 create_context_data_dissector_t response;
6876 } create_context_data_dissectors_t;
/*
 * One row of the tag lookup table. Judging by the initialisers and the
 * .tag / ->val accesses elsewhere in this file, the members not visible in
 * this listing are the tag string and its display name, followed by the
 * dissector pair.
 */
6878 struct create_context_data_tag_dissectors {
6881 create_context_data_dissectors_t dissectors;
/*
 * Lookup table from create-context tag to display name and to the
 * request/response data dissectors. Tags are either short ASCII names
 * ("ExtA", "AAPL", ...) or GUIDs in string form.
 *
 * get_create_context_data_tag_dissectors() matches with strcmp(), so the
 * comparison is exact and case-sensitive. SMB2_CREATE_APP_INSTANCE_ID is
 * listed twice, once as an upper-case GUID string and once as a lower-case
 * one with a different byte order.
 *
 * NOTE(review): which GUID rows can match depends on the letter case
 * produced by guid_to_str() in the caller -- confirm. The array is declared
 * without static or const; if nothing outside this file needs it and
 * nothing writes to it, narrower linkage would suit a table of function
 * pointers.
 */
6884 struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
6885 { "ExtA", "SMB2_CREATE_EA_BUFFER",
6886 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
6887 { "SecD", "SMB2_CREATE_SD_BUFFER",
6888 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
6889 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
6890 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
6891 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
6892 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
6893 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
6894 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
6895 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
6896 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
6897 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
6898 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
6899 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
6900 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
6901 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
6902 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
6903 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
6904 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
6905 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
6906 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
6907 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
6908 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
6909 { "6aa6bc45-a7ef-4af7-9008-fa462e144d74", "SMB2_CREATE_APP_INSTANCE_ID",
6910 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
6911 { "9ecfcb9c-c104-43e6-980e-158da1f6ec83", "SVHDX_OPEN_DEVICE_CONTEXT",
6912 { dissect_smb2_svhdx_open_device_context_request, dissect_smb2_svhdx_open_device_context_response} },
6913 { "34263501-2921-4912-2586-447794114531", "SMB2_POSIX_V1_CAPS",
6914 { dissect_smb2_posix_v1_caps_request, dissect_smb2_posix_v1_caps_response } },
6915 { "AAPL", "SMB2_AAPL_CREATE_CONTEXT",
6916 { dissect_smb2_AAPL_buffer_request, dissect_smb2_AAPL_buffer_response } },
/*
 * Linear search of create_context_dissectors_array for an exact,
 * case-sensitive match of tag; returns a pointer to the matching row.
 * INVALID is a sentinel row with a NULL tag, the label "<invalid>" and no
 * dissectors; presumably it is what is returned when nothing matches (the
 * fall-through return is not visible in this listing).
 *
 * NOTE(review): tag is handed to strcmp() as received and no NULL check is
 * visible here. The caller takes tag from guid_to_str() or from
 * dissect_smb2_olb_string(); confirm neither can yield NULL for an empty or
 * malformed tag field, or guard before the loop.
 */
6919 static struct create_context_data_tag_dissectors*
6920 get_create_context_data_tag_dissectors(const char *tag)
6922 static struct create_context_data_tag_dissectors INVALID = {
6923 NULL, "<invalid>", { NULL, NULL }
6928 for (i = 0; i<array_length(create_context_dissectors_array); i++) {
6929 if (!strcmp(tag, create_context_dissectors_array[i].tag))
6930 return &create_context_dissectors_array[i];
/*
 * Dissects one element of the create-context chain, then calls itself on
 * the next element.
 *
 * As read here, an element starts with a 4-byte chain offset, followed by
 * the tag offset/length and the data offset/length. The tag is either a
 * 16-byte binary GUID (converted to its string form) or an ASCII string.
 * It selects a row of create_context_dissectors_array, and
 * si->flags & SMB2_FLAGS_RESPONSE picks the response or request dissector
 * of that row for the data buffer.
 *
 * Every value steering this function (chain offset, tag and data
 * offset/length) is taken from the packet.
 */
6936 dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
6938 offset_length_buffer_t tag_olb;
6939 offset_length_buffer_t data_olb;
6941 guint16 chain_offset;
6944 proto_item *sub_item;
6945 proto_tree *sub_tree;
6946 proto_item *parent_item = NULL;
6947 create_context_data_dissectors_t *dissectors = NULL;
6948 create_context_data_dissector_t dissector = NULL;
6949 struct create_context_data_tag_dissectors *tag_dissectors;
/*
 * NOTE(review): chain_offset is declared guint16 but is loaded with
 * tvb_get_letohl(), a 32-bit read, and the same field is shown as 4 bytes
 * below. Values above 0xFFFF are truncated, so the position used for the
 * next element can disagree with the value displayed. A guint32 would
 * match the read.
 */
6951 chain_offset = tvb_get_letohl(tvb, offset);
6956 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_create_chain_element, &sub_item, "Chain Element");
6957 parent_item = proto_tree_get_parent(parent_tree);
/* chain offset, displayed as a 4-byte little-endian field */
6960 proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6963 /* tag offset/length */
6964 offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);
6966 /* data offset/length */
6967 dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);
6970 * These things are all either 4-char strings, like DH2C, or GUIDs,
6971 * however, at least one of them appears to be a GUID as a string and
6972 * one appears to be a binary guid. So, check if the the length is
6973 * 16, and if so, pull the GUID and convert it to a string. Otherwise
6974 * call dissect_smb2_olb_string.
6976 if (tag_olb.len == 16) {
6978 proto_item *tag_item;
6979 proto_tree *tag_tree;
/* binary GUID tag: read 16 bytes at the packet-supplied offset, convert to text in packet-scope memory */
6981 tvb_get_letohguid(tvb, tag_olb.off, &tag_guid);
6982 tag = guid_to_str(wmem_packet_scope(), &tag_guid);
/* add the tag and its offset/length fields by hand; the string path would do this inside dissect_smb2_olb_string() */
6984 tag_item = proto_tree_add_string(sub_tree, tag_olb.hfindex, tvb, tag_olb.off, tag_olb.len, tag);
6985 tag_tree = proto_item_add_subtree(tag_item, ett_smb2_olb);
6986 proto_tree_add_item(tag_tree, hf_smb2_olb_offset, tvb, tag_olb.off_offset, 2, ENC_LITTLE_ENDIAN);
6987 proto_tree_add_item(tag_tree, hf_smb2_olb_length, tvb, tag_olb.len_offset, 2, ENC_LITTLE_ENDIAN);
6991 tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
/*
 * NOTE(review): tag goes to strcmp() in the lookup and to "%s" in the two
 * calls below; no NULL check on it is visible in this listing. Confirm
 * dissect_smb2_olb_string() cannot return NULL for an empty tag field.
 */
6994 tag_dissectors = get_create_context_data_tag_dissectors(tag);
6996 proto_item_append_text(parent_item, " %s", tag_dissectors->val);
6997 proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);
/* pick the response or request dissector of the matched row; both are NULL for the INVALID sentinel */
7000 dissectors = &tag_dissectors->dissectors;
7002 dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;
7004 dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);
/*
 * NOTE(review): the chain is walked by recursion, one stack frame per
 * element, and the step is the packet-supplied chain_offset. The guard
 * around this call and any depth limit are not visible in this listing;
 * confirm that the number of elements a single packet can describe is
 * bounded.
 */
7007 tvbuff_t *chain_tvb;
7008 chain_tvb = tvb_new_subset_remaining(tvb, chain_offset);
7010 /* next extra info */
7011 dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
/*
 * Dissects an SMB2 Create request starting at offset: buffer code, oplock,
 * impersonation level, create flags, access mask, file attributes, share
 * access, create disposition, create options, then the filename and
 * extra-info offset/length pairs. The file name is shown in the tree and
 * appended to the Info column, and on the first pass over the packet a
 * copy is saved in si->saved->extra_info. The extra-info buffer (the
 * create-context chain) is handed to dissect_smb2_create_extra_info.
 *
 * Several advances of offset and the final return are on lines not visible
 * in this listing.
 */
7016 dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7018 offset_length_buffer_t f_olb, e_olb;
7022 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
7024 /* security flags */
7028 offset = dissect_smb2_oplock(tree, tvb, offset);
7030 /* impersonation level */
7031 proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* create flags, 8 bytes */
7035 proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7042 offset = dissect_smb_access_mask(tvb, tree, offset);
7044 /* File Attributes */
7045 offset = dissect_file_ext_attr(tvb, tree, offset);
7048 offset = dissect_nt_share_access(tvb, tree, offset);
7050 /* create disposition */
7051 proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7054 /* create options */
7055 offset = dissect_nt_create_options(tvb, tree, offset);
7057 /* filename offset/length */
7058 offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);
7060 /* extrainfo offset */
7061 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
7063 /* filename string */
7064 fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
/*
 * The packet-derived file name goes into the Info column.
 * NOTE(review): fname is passed to "%s" without a NULL check; confirm
 * dissect_smb2_olb_string() cannot return NULL for an empty name field.
 */
7065 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", fname);
7067 /* save the name if it looks sane */
/*
 * Runs only while the frame has not been visited yet. A file name saved
 * earlier is freed and the slot reset before a new one is stored, so the
 * slot holds at most one g_malloc'd string.
 */
7068 if (!pinfo->fd->flags.visited) {
7069 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
7070 g_free(si->saved->extra_info);
7071 si->saved->extra_info = NULL;
7072 si->saved->extra_info_type = SMB2_EI_NONE;
/*
 * A name is saved only when the on-wire length is 1..255. The buffer is
 * sized f_olb.len+1 and g_snprintf is bounded by the same value, so the
 * copy stays NUL-terminated; it may be shorter than fname because
 * f_olb.len is the length of the field as carried in the packet.
 * dissect_smb2_create_response frees this buffer.
 * NOTE(review): what releases it when no response is seen is not visible
 * in this listing.
 */
7074 if (si->saved && f_olb.len && f_olb.len<256) {
7075 si->saved->extra_info_type = SMB2_EI_FILENAME;
7076 si->saved->extra_info = (gchar *)g_malloc(f_olb.len+1);
7077 g_snprintf((gchar *)si->saved->extra_info, f_olb.len+1, "%s", fname);
7081 /* If extrainfo_offset is non-null then this points to another
7082 * buffer. The offset is relative to the start of the smb packet
7084 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
7086 offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
7087 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
/* Bit in the create response flags byte; decoded through create_rep_flags_fields below. */
7092 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
/*
 * Dissects an SMB2 Create response starting at offset. A status of 0 is
 * parsed as a normal response; any other status goes through
 * dissect_smb2_error_response, which reports through continue_dissection
 * whether the remaining fields should still be parsed. The fields that
 * follow are oplock, response flags, create action, four 64-bit
 * timestamps, allocation size, end of file, file attributes, the file id
 * and the extra-info offset/length with its create-context chain.
 *
 * Side effects visible here: end_of_file and attr_mask are recorded in
 * si->eo_file_info, and a file name saved by the request dissector is
 * freed.
 *
 * Several advances of offset and the final return are on lines not visible
 * in this listing.
 */
7095 dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7097 guint64 end_of_file;
7099 offset_length_buffer_t e_olb;
7100 static const int *create_rep_flags_fields[] = {
7101 &hf_smb2_create_rep_flags_reparse_point,
7104 gboolean continue_dissection;
/* status 0: normal buffer code; otherwise the error response decides whether to go on */
7106 switch (si->status) {
7108 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
7109 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
7110 if (!continue_dissection) return offset;
7114 offset = dissect_smb2_oplock(tree, tvb, offset);
/* response flags */
7117 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
7118 ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
/* create action */
7122 proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* create, last access, last write and last change timestamps */
7126 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
7129 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
7132 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
7135 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
7137 /* allocation size */
7138 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * end of file: kept in a local so it can be stored after dissect_smb2_fid.
 * NOTE(review): the store just below repeats the one made after
 * dissect_smb2_fid; one of the two looks redundant.
 */
7142 end_of_file = tvb_get_letoh64(tvb, offset);
7143 if (si->eo_file_info) {
7144 si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
7146 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7149 /* File Attributes */
7150 attr_mask=tvb_get_letohl(tvb, offset);
7151 offset = dissect_file_ext_attr(tvb, tree, offset);
/* file id; FID_MODE_OPEN marks this as the response that opens the handle */
7157 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);
7159 /* We save this after dissect_smb2_fid just because it would be
7160 possible to have this response without having the matching request.
7161 In that case the entry in the file info hash table has been created
7162 in dissect_smb2_fid */
7163 if (si->eo_file_info) {
7164 si->eo_file_info->end_of_file = end_of_file;
7165 si->eo_file_info->attr_mask = attr_mask;
7168 /* extrainfo offset */
7169 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
7171 /* If extrainfo_offset is non-null then this points to another
7172 * buffer. The offset is relative to the start of the smb packet
7174 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
7176 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
7178 /* free si->saved->extra_info we don't need it any more */
/*
 * Counterpart of the g_malloc in dissect_smb2_create_request: the pointer
 * is cleared and the type reset after the free, so the slot cannot be
 * freed or read again through this path.
 */
7179 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
7180 g_free(si->saved->extra_info);
7181 si->saved->extra_info = NULL;
7182 si->saved->extra_info_type = SMB2_EI_NONE;
/*
 * Dissects an SMB2 SetInfo request starting at offset: buffer code, class
 * and info level, a 32-bit setinfo size, a 16-bit setinfo offset, six
 * bytes shown as unknown, the file id, and finally the info-level payload
 * located at setinfo_offset.
 *
 * setinfo_size and setinfo_offset are read from the packet and used as
 * they are.
 *
 * Several advances of offset and the final return are on lines not visible
 * in this listing.
 */
7190 dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7192 guint32 setinfo_size;
7193 guint16 setinfo_offset;
7196 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
7198 /* class and info level */
7199 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
/* size of the info payload, 32-bit little-endian */
7202 setinfo_size = tvb_get_letohl(tvb, offset);
7203 proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* offset of the info payload, 16-bit little-endian */
7207 setinfo_offset = tvb_get_letohs(tvb, offset);
7208 proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7211 /* some unknown bytes */
7212 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
/* file id of an already open handle */
7216 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * NOTE(review): si->saved is dereferenced here, while other dissectors in
 * this file test si->saved before using it. The guard for this call, if
 * any, is on a line not visible in this listing -- confirm it exists.
 */
7220 dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);
/*
 * NOTE(review): the sum of two packet-supplied values is stored in the int
 * offset. It is computed in 32-bit unsigned arithmetic and then converted,
 * so a large setinfo_size can wrap or turn the result negative. Confirm
 * that whatever consumes this offset tolerates such values, or clamp the
 * sum to the length of the tvb.
 */
7221 offset = setinfo_offset + setinfo_size;
/*
 * Dissects an SMB2 SetInfo response starting at offset. The class/info
 * level helper is called first, then a status of 0 is parsed as a normal
 * buffer code while any other status goes through
 * dissect_smb2_error_response; when that clears continue_dissection the
 * function returns at once.
 *
 * The remainder of the function is not visible in this listing.
 */
7227 dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7229 gboolean continue_dissection;
7230 /* class/infolevel */
/*
 * The return value is discarded here, so offset is not advanced by this
 * call; the request dissector assigns it to offset.
 * NOTE(review): presumably the call only labels the response from state
 * saved with the request -- confirm.
 */
7231 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
7233 switch (si->status) {
7235 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
7236 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
7237 if (!continue_dissection) return offset;
/*
 * Dissects an SMB2 Break request starting at offset. The 16-bit buffer
 * code at the start of the body is read before it is displayed and is the
 * only discriminator between the two layouts handled here:
 *   24 - oplock level followed by the file id
 *   36 - lease break acknowledgment: reserved, lease flags, 16-byte lease
 *        key, lease state, lease duration
 *
 * NOTE(review): buffer_code comes from the packet; the handling of other
 * values, several advances of offset and the final return are not visible
 * in this listing.
 */
7244 dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7246 guint16 buffer_code;
/* peek at the buffer code, then let the common helper display it and advance */
7249 buffer_code = tvb_get_letohs(tvb, offset);
7250 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
7252 if (buffer_code == 24) {
7256 offset = dissect_smb2_oplock(tree, tvb, offset);
7265 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
7270 if (buffer_code == 36) {
7271 /* Lease Break Acknowledgment */
7274 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* lease flags */
7278 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
7279 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
/* 16-byte lease key */
7283 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* lease state */
7287 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
7288 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
/* lease duration, 8 bytes */
7291 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissects an SMB2 Break response (or server-initiated break notification)
 * starting at offset. The 16-bit buffer code is read first; a status of 0
 * is then parsed as a normal buffer code, while any other status goes
 * through dissect_smb2_error_response, which can end dissection through
 * continue_dissection. The buffer code selects one of three layouts:
 *   24 - oplock break notification: oplock level and file id
 *   44 - lease break notification: new lease epoch, lease flags, 16-byte
 *        lease key, current and new lease state, and three fields marked
 *        reserved (break reason, access mask hint, share mask hint)
 *   36 - lease break response: reserved, lease flags, lease key, lease
 *        state, lease duration
 *
 * NOTE(review): buffer_code comes from the packet; the handling of other
 * values, several advances of offset and the final return are not visible
 * in this listing.
 */
7301 dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7303 guint16 buffer_code;
7304 gboolean continue_dissection;
/* peek at the buffer code before the status switch consumes it */
7307 buffer_code = tvb_get_letohs(tvb, offset);
7308 switch (si->status) {
7309 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
7310 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
7311 if (!continue_dissection) return offset;
7314 if (buffer_code == 24) {
7315 /* OPLOCK Break Notification */
7318 offset = dissect_smb2_oplock(tree, tvb, offset);
7327 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
7329 /* in break requests from server to client here're 24 byte zero bytes
7330 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
7336 if (buffer_code == 44) {
7339 /* Lease Break Notification */
7341 /* new lease epoch */
7342 proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* lease flags */
7346 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
7347 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
/* 16-byte lease key */
7351 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7354 /* current lease state */
7355 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
7356 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
/* the same hf field is used twice, so the label is prefixed to tell the two apart */
7358 proto_item_prepend_text(item, "Current ");
7362 /* new lease state */
7363 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
7364 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
7366 proto_item_prepend_text(item, "New ");
7370 /* break reason - reserved */
7371 proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7374 /* access mask hint - reserved */
7375 proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7378 /* share mask hint - reserved */
7379 proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7385 if (buffer_code == 36) {
7386 /* Lease Break Response */
7389 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* lease flags */
7393 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
7394 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
/* 16-byte lease key */
7398 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* lease state */
7402 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
7403 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
/* lease duration, 8 bytes */
7406 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7415 /* names here are just until we find better names for these functions */
7416 static const value_string smb2_cmd_vals[] = {
7417 { 0x00, "Negotiate Protocol" },
7418 { 0x01, "Session Setup" },
7419 { 0x02, "Session Logoff" },
7420 { 0x03, "Tree Connect" },
7421 { 0x04, "Tree Disconnect" },
7430 { 0x0D, "KeepAlive" },
7433 { 0x10, "GetInfo" },
7434 { 0x11, "SetInfo" },
7436 { 0x13, "unknown-0x13" },
7437 { 0x14, "unknown-0x14" },
7438 { 0x15, "unknown-0x15" },
7439 { 0x16, "unknown-0x16" },
7440 { 0x17, "unknown-0x17" },
7441 { 0x18, "unknown-0x18" },
7442 { 0x19, "unknown-0x19" },
7443 { 0x1A, "unknown-0x1A" },
7444 { 0x1B, "unknown-0x1B" },
7445 { 0x1C, "unknown-0x1C" },
7446 { 0x1D, "unknown-0x1D" },
7447 { 0x1E, "unknown-0x1E" },
7448 { 0x1F, "unknown-0x1F" },
7449 { 0x20, "unknown-0x20" },
7450 { 0x21, "unknown-0x21" },
7451 { 0x22, "unknown-0x22" },
7452 { 0x23, "unknown-0x23" },
7453 { 0x24, "unknown-0x24" },
7454 { 0x25, "unknown-0x25" },
7455 { 0x26, "unknown-0x26" },
7456 { 0x27, "unknown-0x27" },
7457 { 0x28, "unknown-0x28" },
7458 { 0x29, "unknown-0x29" },
7459 { 0x2A, "unknown-0x2A" },
7460 { 0x2B, "unknown-0x2B" },
7461 { 0x2C, "unknown-0x2C" },
7462 { 0x2D, "unknown-0x2D" },
7463 { 0x2E, "unknown-0x2E" },
7464 { 0x2F, "unknown-0x2F" },
7465 { 0x30, "unknown-0x30" },
7466 { 0x31, "unknown-0x31" },
7467 { 0x32, "unknown-0x32" },
7468 { 0x33, "unknown-0x33" },
7469 { 0x34, "unknown-0x34" },
7470 { 0x35, "unknown-0x35" },
7471 { 0x36, "unknown-0x36" },
7472 { 0x37, "unknown-0x37" },
7473 { 0x38, "unknown-0x38" },
7474 { 0x39, "unknown-0x39" },
7475 { 0x3A, "unknown-0x3A" },
7476 { 0x3B, "unknown-0x3B" },
7477 { 0x3C, "unknown-0x3C" },
7478 { 0x3D, "unknown-0x3D" },
7479 { 0x3E, "unknown-0x3E" },
7480 { 0x3F, "unknown-0x3F" },
7481 { 0x40, "unknown-0x40" },
7482 { 0x41, "unknown-0x41" },
7483 { 0x42, "unknown-0x42" },
7484 { 0x43, "unknown-0x43" },
7485 { 0x44, "unknown-0x44" },
7486 { 0x45, "unknown-0x45" },
7487 { 0x46, "unknown-0x46" },
7488 { 0x47, "unknown-0x47" },
7489 { 0x48, "unknown-0x48" },
7490 { 0x49, "unknown-0x49" },
7491 { 0x4A, "unknown-0x4A" },
7492 { 0x4B, "unknown-0x4B" },
7493 { 0x4C, "unknown-0x4C" },
7494 { 0x4D, "unknown-0x4D" },
7495 { 0x4E, "unknown-0x4E" },
7496 { 0x4F, "unknown-0x4F" },
7497 { 0x50, "unknown-0x50" },
7498 { 0x51, "unknown-0x51" },
7499 { 0x52, "unknown-0x52" },
7500 { 0x53, "unknown-0x53" },
7501 { 0x54, "unknown-0x54" },
7502 { 0x55, "unknown-0x55" },
7503 { 0x56, "unknown-0x56" },
7504 { 0x57, "unknown-0x57" },
7505 { 0x58, "unknown-0x58" },
7506 { 0x59, "unknown-0x59" },
7507 { 0x5A, "unknown-0x5A" },
7508 { 0x5B, "unknown-0x5B" },
7509 { 0x5C, "unknown-0x5C" },
7510 { 0x5D, "unknown-0x5D" },
7511 { 0x5E, "unknown-0x5E" },
7512 { 0x5F, "unknown-0x5F" },
7513 { 0x60, "unknown-0x60" },
7514 { 0x61, "unknown-0x61" },
7515 { 0x62, "unknown-0x62" },
7516 { 0x63, "unknown-0x63" },
7517 { 0x64, "unknown-0x64" },
7518 { 0x65, "unknown-0x65" },
7519 { 0x66, "unknown-0x66" },
7520 { 0x67, "unknown-0x67" },
7521 { 0x68, "unknown-0x68" },
7522 { 0x69, "unknown-0x69" },
7523 { 0x6A, "unknown-0x6A" },
7524 { 0x6B, "unknown-0x6B" },
7525 { 0x6C, "unknown-0x6C" },
7526 { 0x6D, "unknown-0x6D" },
7527 { 0x6E, "unknown-0x6E" },
7528 { 0x6F, "unknown-0x6F" },
7529 { 0x70, "unknown-0x70" },
7530 { 0x71, "unknown-0x71" },
7531 { 0x72, "unknown-0x72" },
7532 { 0x73, "unknown-0x73" },
7533 { 0x74, "unknown-0x74" },
7534 { 0x75, "unknown-0x75" },
7535 { 0x76, "unknown-0x76" },
7536 { 0x77, "unknown-0x77" },
7537 { 0x78, "unknown-0x78" },
7538 { 0x79, "unknown-0x79" },
7539 { 0x7A, "unknown-0x7A" },
7540 { 0x7B, "unknown-0x7B" },
7541 { 0x7C, "unknown-0x7C" },
7542 { 0x7D, "unknown-0x7D" },
7543 { 0x7E, "unknown-0x7E" },
7544 { 0x7F, "unknown-0x7F" },
7545 { 0x80, "unknown-0x80" },
7546 { 0x81, "unknown-0x81" },
7547 { 0x82, "unknown-0x82" },
7548 { 0x83, "unknown-0x83" },
7549 { 0x84, "unknown-0x84" },
7550 { 0x85, "unknown-0x85" },
7551 { 0x86, "unknown-0x86" },
7552 { 0x87, "unknown-0x87" },
7553 { 0x88, "unknown-0x88" },
7554 { 0x89, "unknown-0x89" },
7555 { 0x8A, "unknown-0x8A" },
7556 { 0x8B, "unknown-0x8B" },
7557 { 0x8C, "unknown-0x8C" },
7558 { 0x8D, "unknown-0x8D" },
7559 { 0x8E, "unknown-0x8E" },
7560 { 0x8F, "unknown-0x8F" },
7561 { 0x90, "unknown-0x90" },
7562 { 0x91, "unknown-0x91" },
7563 { 0x92, "unknown-0x92" },
7564 { 0x93, "unknown-0x93" },
7565 { 0x94, "unknown-0x94" },
7566 { 0x95, "unknown-0x95" },
7567 { 0x96, "unknown-0x96" },
7568 { 0x97, "unknown-0x97" },
7569 { 0x98, "unknown-0x98" },
7570 { 0x99, "unknown-0x99" },
7571 { 0x9A, "unknown-0x9A" },
7572 { 0x9B, "unknown-0x9B" },
7573 { 0x9C, "unknown-0x9C" },
7574 { 0x9D, "unknown-0x9D" },
7575 { 0x9E, "unknown-0x9E" },
7576 { 0x9F, "unknown-0x9F" },
7577 { 0xA0, "unknown-0xA0" },
7578 { 0xA1, "unknown-0xA1" },
7579 { 0xA2, "unknown-0xA2" },
7580 { 0xA3, "unknown-0xA3" },
7581 { 0xA4, "unknown-0xA4" },
7582 { 0xA5, "unknown-0xA5" },
7583 { 0xA6, "unknown-0xA6" },
7584 { 0xA7, "unknown-0xA7" },
7585 { 0xA8, "unknown-0xA8" },
7586 { 0xA9, "unknown-0xA9" },
7587 { 0xAA, "unknown-0xAA" },
7588 { 0xAB, "unknown-0xAB" },
7589 { 0xAC, "unknown-0xAC" },
7590 { 0xAD, "unknown-0xAD" },
7591 { 0xAE, "unknown-0xAE" },
7592 { 0xAF, "unknown-0xAF" },
7593 { 0xB0, "unknown-0xB0" },
7594 { 0xB1, "unknown-0xB1" },
7595 { 0xB2, "unknown-0xB2" },
7596 { 0xB3, "unknown-0xB3" },
7597 { 0xB4, "unknown-0xB4" },
7598 { 0xB5, "unknown-0xB5" },
7599 { 0xB6, "unknown-0xB6" },
7600 { 0xB7, "unknown-0xB7" },
7601 { 0xB8, "unknown-0xB8" },
7602 { 0xB9, "unknown-0xB9" },
7603 { 0xBA, "unknown-0xBA" },
7604 { 0xBB, "unknown-0xBB" },
7605 { 0xBC, "unknown-0xBC" },
7606 { 0xBD, "unknown-0xBD" },
7607 { 0xBE, "unknown-0xBE" },
7608 { 0xBF, "unknown-0xBF" },
7609 { 0xC0, "unknown-0xC0" },
7610 { 0xC1, "unknown-0xC1" },
7611 { 0xC2, "unknown-0xC2" },
7612 { 0xC3, "unknown-0xC3" },
7613 { 0xC4, "unknown-0xC4" },
7614 { 0xC5, "unknown-0xC5" },
7615 { 0xC6, "unknown-0xC6" },
7616 { 0xC7, "unknown-0xC7" },
7617 { 0xC8, "unknown-0xC8" },
7618 { 0xC9, "unknown-0xC9" },
7619 { 0xCA, "unknown-0xCA" },
7620 { 0xCB, "unknown-0xCB" },
7621 { 0xCC, "unknown-0xCC" },
7622 { 0xCD, "unknown-0xCD" },
7623 { 0xCE, "unknown-0xCE" },
7624 { 0xCF, "unknown-0xCF" },
7625 { 0xD0, "unknown-0xD0" },
7626 { 0xD1, "unknown-0xD1" },
7627 { 0xD2, "unknown-0xD2" },
7628 { 0xD3, "unknown-0xD3" },
7629 { 0xD4, "unknown-0xD4" },
7630 { 0xD5, "unknown-0xD5" },
7631 { 0xD6, "unknown-0xD6" },
7632 { 0xD7, "unknown-0xD7" },
7633 { 0xD8, "unknown-0xD8" },
7634 { 0xD9, "unknown-0xD9" },
7635 { 0xDA, "unknown-0xDA" },
7636 { 0xDB, "unknown-0xDB" },
7637 { 0xDC, "unknown-0xDC" },
7638 { 0xDD, "unknown-0xDD" },
7639 { 0xDE, "unknown-0xDE" },
7640 { 0xDF, "unknown-0xDF" },
7641 { 0xE0, "unknown-0xE0" },
7642 { 0xE1, "unknown-0xE1" },
7643 { 0xE2, "unknown-0xE2" },
7644 { 0xE3, "unknown-0xE3" },
7645 { 0xE4, "unknown-0xE4" },
7646 { 0xE5, "unknown-0xE5" },
7647 { 0xE6, "unknown-0xE6" },
7648 { 0xE7, "unknown-0xE7" },
7649 { 0xE8, "unknown-0xE8" },
7650 { 0xE9, "unknown-0xE9" },
7651 { 0xEA, "unknown-0xEA" },
7652 { 0xEB, "unknown-0xEB" },
7653 { 0xEC, "unknown-0xEC" },
7654 { 0xED, "unknown-0xED" },
7655 { 0xEE, "unknown-0xEE" },
7656 { 0xEF, "unknown-0xEF" },
7657 { 0xF0, "unknown-0xF0" },
7658 { 0xF1, "unknown-0xF1" },
7659 { 0xF2, "unknown-0xF2" },
7660 { 0xF3, "unknown-0xF3" },
7661 { 0xF4, "unknown-0xF4" },
7662 { 0xF5, "unknown-0xF5" },
7663 { 0xF6, "unknown-0xF6" },
7664 { 0xF7, "unknown-0xF7" },
7665 { 0xF8, "unknown-0xF8" },
7666 { 0xF9, "unknown-0xF9" },
7667 { 0xFA, "unknown-0xFA" },
7668 { 0xFB, "unknown-0xFB" },
7669 { 0xFC, "unknown-0xFC" },
7670 { 0xFD, "unknown-0xFD" },
7671 { 0xFE, "unknown-0xFE" },
7672 { 0xFF, "unknown-0xFF" },
7675 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Returns the display name of an SMB2 command code. The name is fetched by
 * indexing smb2_cmd_vals directly with the code, not by searching for a
 * matching value. Codes above 0xFF return "unknown" before the table is
 * touched; after that check the "& 0xFF" no longer changes the index.
 *
 * NOTE(review): direct indexing is in bounds and returns the right name
 * only if smb2_cmd_vals holds exactly one entry for every value 0x00..0xFF
 * in ascending order. Not every entry is visible in this listing --
 * confirm, or look the name up by value so that the table layout cannot
 * turn a packet-supplied code into a wrong or out-of-range read.
 */
7677 static const char *decode_smb2_name(guint16 cmd)
7679 if (cmd > 0xFF) return "unknown";
7680 return(smb2_cmd_vals[cmd & 0xFF].strptr);
7683 static smb2_function smb2_dissector[256] = {
7684 /* 0x00 NegotiateProtocol*/
7685 {dissect_smb2_negotiate_protocol_request,
7686 dissect_smb2_negotiate_protocol_response},
7687 /* 0x01 SessionSetup*/
7688 {dissect_smb2_session_setup_request,
7689 dissect_smb2_session_setup_response},
7690 /* 0x02 SessionLogoff*/
7691 {dissect_smb2_sessionlogoff_request,
7692 dissect_smb2_sessionlogoff_response},
7693 /* 0x03 TreeConnect*/
7694 {dissect_smb2_tree_connect_request,
7695 dissect_smb2_tree_connect_response},
7696 /* 0x04 TreeDisconnect*/
7697 {dissect_smb2_tree_disconnect_request,
7698 dissect_smb2_tree_disconnect_response},
7700 {dissect_smb2_create_request,
7701 dissect_smb2_create_response},
7703 {dissect_smb2_close_request,
7704 dissect_smb2_close_response},
7706 {dissect_smb2_flush_request,
7707 dissect_smb2_flush_response},
7709 {dissect_smb2_read_request,
7710 dissect_smb2_read_response},
7712 {dissect_smb2_write_request,
7713 dissect_smb2_write_response},
7715 {dissect_smb2_lock_request,
7716 dissect_smb2_lock_response},
7718 {dissect_smb2_ioctl_request,
7719 dissect_smb2_ioctl_response},
7721 {dissect_smb2_cancel_request,
7724 {dissect_smb2_keepalive_request,
7725 dissect_smb2_keepalive_response},
7727 {dissect_smb2_find_request,
7728 dissect_smb2_find_response},
7730 {dissect_smb2_notify_request,
7731 dissect_smb2_notify_response},
7733 {dissect_smb2_getinfo_request,
7734 dissect_smb2_getinfo_response},
7736 {dissect_smb2_setinfo_request,
7737 dissect_smb2_setinfo_response},
7739 {dissect_smb2_break_request,
7740 dissect_smb2_break_response},
7741 /* 0x13 */ {NULL, NULL},
7742 /* 0x14 */ {NULL, NULL},
7743 /* 0x15 */ {NULL, NULL},
7744 /* 0x16 */ {NULL, NULL},
7745 /* 0x17 */ {NULL, NULL},
7746 /* 0x18 */ {NULL, NULL},
7747 /* 0x19 */ {NULL, NULL},
7748 /* 0x1a */ {NULL, NULL},
7749 /* 0x1b */ {NULL, NULL},
7750 /* 0x1c */ {NULL, NULL},
7751 /* 0x1d */ {NULL, NULL},
7752 /* 0x1e */ {NULL, NULL},
7753 /* 0x1f */ {NULL, NULL},
7754 /* 0x20 */ {NULL, NULL},
7755 /* 0x21 */ {NULL, NULL},
7756 /* 0x22 */ {NULL, NULL},
7757 /* 0x23 */ {NULL, NULL},
7758 /* 0x24 */ {NULL, NULL},
7759 /* 0x25 */ {NULL, NULL},
7760 /* 0x26 */ {NULL, NULL},
7761 /* 0x27 */ {NULL, NULL},
7762 /* 0x28 */ {NULL, NULL},
7763 /* 0x29 */ {NULL, NULL},
7764 /* 0x2a */ {NULL, NULL},
7765 /* 0x2b */ {NULL, NULL},
7766 /* 0x2c */ {NULL, NULL},
7767 /* 0x2d */ {NULL, NULL},
7768 /* 0x2e */ {NULL, NULL},
7769 /* 0x2f */ {NULL, NULL},
7770 /* 0x30 */ {NULL, NULL},
7771 /* 0x31 */ {NULL, NULL},
7772 /* 0x32 */ {NULL, NULL},
7773 /* 0x33 */ {NULL, NULL},
7774 /* 0x34 */ {NULL, NULL},
7775 /* 0x35 */ {NULL, NULL},
7776 /* 0x36 */ {NULL, NULL},
7777 /* 0x37 */ {NULL, NULL},
7778 /* 0x38 */ {NULL, NULL},
7779 /* 0x39 */ {NULL, NULL},
7780 /* 0x3a */ {NULL, NULL},
7781 /* 0x3b */ {NULL, NULL},
7782 /* 0x3c */ {NULL, NULL},
7783 /* 0x3d */ {NULL, NULL},
7784 /* 0x3e */ {NULL, NULL},
7785 /* 0x3f */ {NULL, NULL},
7786 /* 0x40 */ {NULL, NULL},
7787 /* 0x41 */ {NULL, NULL},
7788 /* 0x42 */ {NULL, NULL},
7789 /* 0x43 */ {NULL, NULL},
7790 /* 0x44 */ {NULL, NULL},
7791 /* 0x45 */ {NULL, NULL},
7792 /* 0x46 */ {NULL, NULL},
7793 /* 0x47 */ {NULL, NULL},
7794 /* 0x48 */ {NULL, NULL},
7795 /* 0x49 */ {NULL, NULL},
7796 /* 0x4a */ {NULL, NULL},
7797 /* 0x4b */ {NULL, NULL},
7798 /* 0x4c */ {NULL, NULL},
7799 /* 0x4d */ {NULL, NULL},
7800 /* 0x4e */ {NULL, NULL},
7801 /* 0x4f */ {NULL, NULL},
7802 /* 0x50 */ {NULL, NULL},
7803 /* 0x51 */ {NULL, NULL},
7804 /* 0x52 */ {NULL, NULL},
7805 /* 0x53 */ {NULL, NULL},
7806 /* 0x54 */ {NULL, NULL},
7807 /* 0x55 */ {NULL, NULL},
7808 /* 0x56 */ {NULL, NULL},
7809 /* 0x57 */ {NULL, NULL},
7810 /* 0x58 */ {NULL, NULL},
7811 /* 0x59 */ {NULL, NULL},
7812 /* 0x5a */ {NULL, NULL},
7813 /* 0x5b */ {NULL, NULL},
7814 /* 0x5c */ {NULL, NULL},
7815 /* 0x5d */ {NULL, NULL},
7816 /* 0x5e */ {NULL, NULL},
7817 /* 0x5f */ {NULL, NULL},
7818 /* 0x60 */ {NULL, NULL},
7819 /* 0x61 */ {NULL, NULL},
7820 /* 0x62 */ {NULL, NULL},
7821 /* 0x63 */ {NULL, NULL},
7822 /* 0x64 */ {NULL, NULL},
7823 /* 0x65 */ {NULL, NULL},
7824 /* 0x66 */ {NULL, NULL},
7825 /* 0x67 */ {NULL, NULL},
7826 /* 0x68 */ {NULL, NULL},
7827 /* 0x69 */ {NULL, NULL},
7828 /* 0x6a */ {NULL, NULL},
7829 /* 0x6b */ {NULL, NULL},
7830 /* 0x6c */ {NULL, NULL},
7831 /* 0x6d */ {NULL, NULL},
7832 /* 0x6e */ {NULL, NULL},
7833 /* 0x6f */ {NULL, NULL},
7834 /* 0x70 */ {NULL, NULL},
7835 /* 0x71 */ {NULL, NULL},
7836 /* 0x72 */ {NULL, NULL},
7837 /* 0x73 */ {NULL, NULL},
7838 /* 0x74 */ {NULL, NULL},
7839 /* 0x75 */ {NULL, NULL},
7840 /* 0x76 */ {NULL, NULL},
7841 /* 0x77 */ {NULL, NULL},
7842 /* 0x78 */ {NULL, NULL},
7843 /* 0x79 */ {NULL, NULL},
7844 /* 0x7a */ {NULL, NULL},
7845 /* 0x7b */ {NULL, NULL},
7846 /* 0x7c */ {NULL, NULL},
7847 /* 0x7d */ {NULL, NULL},
7848 /* 0x7e */ {NULL, NULL},
7849 /* 0x7f */ {NULL, NULL},
7850 /* 0x80 */ {NULL, NULL},
7851 /* 0x81 */ {NULL, NULL},
7852 /* 0x82 */ {NULL, NULL},
7853 /* 0x83 */ {NULL, NULL},
7854 /* 0x84 */ {NULL, NULL},
7855 /* 0x85 */ {NULL, NULL},
7856 /* 0x86 */ {NULL, NULL},
7857 /* 0x87 */ {NULL, NULL},
7858 /* 0x88 */ {NULL, NULL},
7859 /* 0x89 */ {NULL, NULL},
7860 /* 0x8a */ {NULL, NULL},
7861 /* 0x8b */ {NULL, NULL},
7862 /* 0x8c */ {NULL, NULL},
7863 /* 0x8d */ {NULL, NULL},
7864 /* 0x8e */ {NULL, NULL},
7865 /* 0x8f */ {NULL, NULL},
7866 /* 0x90 */ {NULL, NULL},
7867 /* 0x91 */ {NULL, NULL},
7868 /* 0x92 */ {NULL, NULL},
7869 /* 0x93 */ {NULL, NULL},
7870 /* 0x94 */ {NULL, NULL},
7871 /* 0x95 */ {NULL, NULL},
7872 /* 0x96 */ {NULL, NULL},
7873 /* 0x97 */ {NULL, NULL},
7874 /* 0x98 */ {NULL, NULL},
7875 /* 0x99 */ {NULL, NULL},
7876 /* 0x9a */ {NULL, NULL},
7877 /* 0x9b */ {NULL, NULL},
7878 /* 0x9c */ {NULL, NULL},
7879 /* 0x9d */ {NULL, NULL},
7880 /* 0x9e */ {NULL, NULL},
7881 /* 0x9f */ {NULL, NULL},
7882 /* 0xa0 */ {NULL, NULL},
7883 /* 0xa1 */ {NULL, NULL},
7884 /* 0xa2 */ {NULL, NULL},
7885 /* 0xa3 */ {NULL, NULL},
7886 /* 0xa4 */ {NULL, NULL},
7887 /* 0xa5 */ {NULL, NULL},
7888 /* 0xa6 */ {NULL, NULL},
7889 /* 0xa7 */ {NULL, NULL},
7890 /* 0xa8 */ {NULL, NULL},
7891 /* 0xa9 */ {NULL, NULL},
7892 /* 0xaa */ {NULL, NULL},
7893 /* 0xab */ {NULL, NULL},
7894 /* 0xac */ {NULL, NULL},
7895 /* 0xad */ {NULL, NULL},
7896 /* 0xae */ {NULL, NULL},
7897 /* 0xaf */ {NULL, NULL},
7898 /* 0xb0 */ {NULL, NULL},
7899 /* 0xb1 */ {NULL, NULL},
7900 /* 0xb2 */ {NULL, NULL},
7901 /* 0xb3 */ {NULL, NULL},
7902 /* 0xb4 */ {NULL, NULL},
7903 /* 0xb5 */ {NULL, NULL},
7904 /* 0xb6 */ {NULL, NULL},
7905 /* 0xb7 */ {NULL, NULL},
7906 /* 0xb8 */ {NULL, NULL},
7907 /* 0xb9 */ {NULL, NULL},
7908 /* 0xba */ {NULL, NULL},
7909 /* 0xbb */ {NULL, NULL},
7910 /* 0xbc */ {NULL, NULL},
7911 /* 0xbd */ {NULL, NULL},
7912 /* 0xbe */ {NULL, NULL},
7913 /* 0xbf */ {NULL, NULL},
7914 /* 0xc0 */ {NULL, NULL},
7915 /* 0xc1 */ {NULL, NULL},
7916 /* 0xc2 */ {NULL, NULL},
7917 /* 0xc3 */ {NULL, NULL},
7918 /* 0xc4 */ {NULL, NULL},
7919 /* 0xc5 */ {NULL, NULL},
7920 /* 0xc6 */ {NULL, NULL},
7921 /* 0xc7 */ {NULL, NULL},
7922 /* 0xc8 */ {NULL, NULL},
7923 /* 0xc9 */ {NULL, NULL},
7924 /* 0xca */ {NULL, NULL},
7925 /* 0xcb */ {NULL, NULL},
7926 /* 0xcc */ {NULL, NULL},
7927 /* 0xcd */ {NULL, NULL},
7928 /* 0xce */ {NULL, NULL},
7929 /* 0xcf */ {NULL, NULL},
7930 /* 0xd0 */ {NULL, NULL},
7931 /* 0xd1 */ {NULL, NULL},
7932 /* 0xd2 */ {NULL, NULL},
7933 /* 0xd3 */ {NULL, NULL},
7934 /* 0xd4 */ {NULL, NULL},
7935 /* 0xd5 */ {NULL, NULL},
7936 /* 0xd6 */ {NULL, NULL},
7937 /* 0xd7 */ {NULL, NULL},
7938 /* 0xd8 */ {NULL, NULL},
7939 /* 0xd9 */ {NULL, NULL},
7940 /* 0xda */ {NULL, NULL},
7941 /* 0xdb */ {NULL, NULL},
7942 /* 0xdc */ {NULL, NULL},
7943 /* 0xdd */ {NULL, NULL},
7944 /* 0xde */ {NULL, NULL},
7945 /* 0xdf */ {NULL, NULL},
7946 /* 0xe0 */ {NULL, NULL},
7947 /* 0xe1 */ {NULL, NULL},
7948 /* 0xe2 */ {NULL, NULL},
7949 /* 0xe3 */ {NULL, NULL},
7950 /* 0xe4 */ {NULL, NULL},
7951 /* 0xe5 */ {NULL, NULL},
7952 /* 0xe6 */ {NULL, NULL},
7953 /* 0xe7 */ {NULL, NULL},
7954 /* 0xe8 */ {NULL, NULL},
7955 /* 0xe9 */ {NULL, NULL},
7956 /* 0xea */ {NULL, NULL},
7957 /* 0xeb */ {NULL, NULL},
7958 /* 0xec */ {NULL, NULL},
7959 /* 0xed */ {NULL, NULL},
7960 /* 0xee */ {NULL, NULL},
7961 /* 0xef */ {NULL, NULL},
7962 /* 0xf0 */ {NULL, NULL},
7963 /* 0xf1 */ {NULL, NULL},
7964 /* 0xf2 */ {NULL, NULL},
7965 /* 0xf3 */ {NULL, NULL},
7966 /* 0xf4 */ {NULL, NULL},
7967 /* 0xf5 */ {NULL, NULL},
7968 /* 0xf6 */ {NULL, NULL},
7969 /* 0xf7 */ {NULL, NULL},
7970 /* 0xf8 */ {NULL, NULL},
7971 /* 0xf9 */ {NULL, NULL},
7972 /* 0xfa */ {NULL, NULL},
7973 /* 0xfb */ {NULL, NULL},
7974 /* 0xfc */ {NULL, NULL},
7975 /* 0xfd */ {NULL, NULL},
7976 /* 0xfe */ {NULL, NULL},
7977 /* 0xff */ {NULL, NULL},
/* Encryption-algorithm id for AES-128-CCM in the transform header;
 * dissect_smb2_transform_header() compares sti->alg against it before it
 * attempts decryption. */
7981 #define ENC_ALG_aes128_ccm 0x0001
/*
 * Dissect the SMB2 transform header that precedes an encrypted SMB3 message.
 *
 * Visible behaviour: adds the 16-byte signature, the 16-byte nonce (also
 * copied into sti->nonce), the 4-byte message size (sti->size), a 2-byte
 * reserved field, the encryption-algorithm bitmask (sti->alg) and the 8-byte
 * session id (sti->sesid) to the tree, then looks the session up in
 * sti->conv->sesids. When built with HAVE_LIBGCRYPT and a non-zero key is
 * known for the session, a copy of the payload is decrypted.
 *
 * Outputs: *enc_tvb is a sti->size-byte subset of tvb at the payload offset;
 * *plain_tvb is written only when plain_data is non-NULL. The caller uses the
 * return value as its new offset.
 *
 * NOTE(review): this listing omits some source lines (see the gaps in the
 * embedded line numbers), including the offset advances between fields, so
 * the comments below describe only what is shown.
 */
7984 dissect_smb2_transform_header(packet_info *pinfo _U_, proto_tree *tree,
7985 tvbuff_t *tvb, int offset,
7986 smb2_transform_info_t *sti,
7987 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
7989 proto_item *sesid_item = NULL;
7990 proto_tree *sesid_tree = NULL;
7991 smb2_sesid_info_t sesid_key;
7993 guint8 *plain_data = NULL;
7994 #ifdef HAVE_LIBGCRYPT
7995 guint8 *decryption_key = NULL;
7999 static const int *sf_fields[] = {
8000 &hf_smb2_encryption_aes128_ccm,
/* The signature is only displayed; nothing in the visible code verifies it. */
8008 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
8012 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
8013 tvb_memcpy(tvb, sti->nonce, offset, 16);
/* sti->size is taken straight from the packet. It later sizes the payload
 * copy, the cipher call and both tvbuffs. No explicit upper bound is visible
 * in this listing; presumably the tvbuff accessors reject a length that runs
 * past the buffer - TODO confirm. */
8017 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8018 sti->size = tvb_get_letohl(tvb, offset);
8022 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
8026 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_enc_alg, ett_smb2_transform_enc_alg, sf_fields, ENC_LITTLE_ENDIAN);
8027 sti->alg = tvb_get_letohs(tvb, offset);
8031 sesid_offset = offset;
8032 sti->sesid = tvb_get_letoh64(tvb, offset);
8033 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8034 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
8037 /* now we need to first lookup the uid session */
8038 sesid_key.sesid = sti->sesid;
8039 sti->session = (smb2_sesid_info_t *)g_hash_table_lookup(sti->conv->sesids, &sesid_key);
/* Identity details are shown only for sessions with a real auth frame;
 * (guint32)-1 is the value dissect_smb2_tid_sesid() gives a placeholder
 * session. The items are marked generated and use length 0 because they
 * do not come from bytes in this packet. */
8041 if (sti->session != NULL && sti->session->auth_frame != (guint32)-1) {
8042 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, sti->session->acct_name);
8043 PROTO_ITEM_SET_GENERATED(item);
8044 proto_item_append_text(sesid_item, " Acct:%s", sti->session->acct_name);
8046 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, sti->session->domain_name);
8047 PROTO_ITEM_SET_GENERATED(item);
8048 proto_item_append_text(sesid_item, " Domain:%s", sti->session->domain_name);
8050 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, sti->session->host_name);
8051 PROTO_ITEM_SET_GENERATED(item);
8052 proto_item_append_text(sesid_item, " Host:%s", sti->session->host_name);
8054 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, sti->session->auth_frame);
8055 PROTO_ITEM_SET_GENERATED(item);
8058 #ifdef HAVE_LIBGCRYPT
/* Decryption is attempted only for a known session using AES-128-CCM. The
 * key is chosen by direction: traffic to the session's server port uses
 * server_decryption_key; the other visible assignment uses
 * client_decryption_key (the else line itself is not shown). */
8059 if (sti->session != NULL && sti->alg == ENC_ALG_aes128_ccm) {
8060 if (pinfo->destport == sti->session->server_port) {
8061 decryption_key = sti->session->server_decryption_key;
8063 decryption_key = sti->session->client_decryption_key;
/* A key equal to the 16 bytes of `zeros` (declared outside the visible
 * lines, presumably all zero) is treated as "no key available". */
8066 if (memcmp(decryption_key, zeros, 16) == 0) {
8067 decryption_key = NULL;
8071 if (decryption_key != NULL) {
8072 gcry_cipher_hd_t cipher_hd = NULL;
8074 3, 0, 0, 0, 0, 0, 0, 0,
8075 0, 0, 0, 0, 0, 0, 0, 1
/* Bytes 1..11 of the counter block A_1 are overwritten with the first 11
 * nonce bytes; the A_1 declaration line is not shown in this listing. */
8078 memcpy(&A_1[1], sti->nonce, 15 - 4);
/* Packet-pool copy of the ciphertext, sized by the wire-supplied sti->size. */
8080 plain_data = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, sti->size);
/* AES-128 is opened in plain CTR mode, not a CCM mode: the payload is
 * decrypted, but the visible code never checks the 16-byte transform
 * signature, so the resulting plaintext is unauthenticated and must be
 * treated as untrusted as any other wire data. */
8082 /* Open the cipher. */
8083 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
/* NOTE(review): every failure path frees plain_data and jumps to
 * done_decryption, and a later "plain_data != NULL" test decides whether a
 * plaintext tvbuff is built from it. The line between the free and the goto
 * is not shown - confirm it resets plain_data to NULL. */
8084 wmem_free(pinfo->pool, plain_data);
8086 goto done_decryption;
8089 /* Set the key and initial value. */
8090 if (gcry_cipher_setkey(cipher_hd, decryption_key, 16)) {
8091 gcry_cipher_close(cipher_hd);
8092 wmem_free(pinfo->pool, plain_data);
8094 goto done_decryption;
8096 if (gcry_cipher_setctr(cipher_hd, A_1, 16)) {
8097 gcry_cipher_close(cipher_hd);
8098 wmem_free(pinfo->pool, plain_data);
8100 goto done_decryption;
/* With a NULL input buffer libgcrypt transforms plain_data in place; in CTR
 * mode the encrypt call also performs decryption. */
8103 if (gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0)) {
8104 gcry_cipher_close(cipher_hd);
8105 wmem_free(pinfo->pool, plain_data);
8107 goto done_decryption;
8110 /* Done with the cipher. */
8111 gcry_cipher_close(cipher_hd);
/* The encrypted view is always produced; the plaintext view and its
 * "Decrypted SMB3" data source only when decryption succeeded. */
8115 *enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);
8117 if (plain_data != NULL) {
8118 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
8119 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
/* NOTE(review): offset is an int and sti->size comes from the wire;
 * presumably the subset call above has already rejected an over-long size
 * before this addition - confirm. */
8122 offset += sti->size;
/*
 * Dissect the command body that follows the SMB2 header.
 *
 * Creates a subtree labelled with the command name and "Request" or
 * "Response" (the format string also has a hex opcode slot), then picks the
 * request or response handler for si->opcode from the smb2_dissector table.
 * If the table has no handler, the remaining bytes are added as
 * hf_smb2_unknown and offset moves to the captured length of tvb. The subtree
 * item is finally sized to the number of bytes consumed.
 *
 * NOTE(review): this listing omits some source lines (see the gaps in the
 * embedded line numbers), including the else and the return.
 */
8127 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
8129 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
8130 proto_item *cmd_item;
8131 proto_tree *cmd_tree;
8132 int old_offset = offset;
8134 cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
8135 ett_smb2_command, &cmd_item, "%s %s (0x%02x)",
8136 decode_smb2_name(si->opcode),
8137 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
/* The index is masked to 0..0xff, which keeps the lookup inside a table whose
 * visible entries are labelled up to 0xff. The opcode is read from the wire
 * as 16 bits in dissect_smb2(), so an opcode above 0xff selects the handler
 * of its low byte - NOTE(review): confirm that aliasing is intended. */
8140 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
8141 smb2_dissector[si->opcode&0xff].response:
8142 smb2_dissector[si->opcode&0xff].request;
8143 if (cmd_dissector) {
8144 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
/* No handler registered: show the rest of the buffer as unknown data. */
8146 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
8147 offset = tvb_captured_length(tvb);
8150 proto_item_set_len(cmd_item, offset-old_offset);
/*
 * Dissect the async/process id, tree id and session id fields of the SMB2
 * header and resolve them against the per-conversation state.
 *
 * Sets si->tid, si->sesid and si->session and, for non-async commands whose
 * tree id is known, si->tree. Generated items (account, domain, host, auth
 * frame, tree name, share type, connect frame) are added when the matching
 * state exists.
 *
 * NOTE(review): this listing omits some source lines (see the gaps in the
 * embedded line numbers), including several conditions and the final return.
 */
8156 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
8158 proto_item *tid_item = NULL;
8159 proto_tree *tid_tree = NULL;
8160 smb2_tid_info_t tid_key;
8162 proto_item *sesid_item = NULL;
8163 proto_tree *sesid_tree = NULL;
8164 smb2_sesid_info_t sesid_key;
/* Async commands carry an 8-byte async id. The 4-byte process id and tree id
 * shown next presumably belong to the non-async layout; the line separating
 * the two cases is not shown - confirm. */
8169 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
8170 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8174 proto_tree_add_item(tree, hf_smb2_pid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8178 tid_offset = offset;
8179 si->tid = tvb_get_letohl(tvb, offset);
8180 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8181 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
8186 sesid_offset = offset;
8187 si->sesid = tvb_get_letoh64(tvb, offset);
8188 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8189 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
8192 /* now we need to first lookup the uid session */
8193 sesid_key.sesid = si->sesid;
8194 si->session = (smb2_sesid_info_t *)g_hash_table_lookup(si->conv->sesids, &sesid_key);
/* Early return for every opcode other than 0x03, which the comment below
 * identifies as tree connect. The enclosing condition (presumably "session
 * not found") is on a line not shown. */
8196 if (si->opcode != 0x03) return offset;
8198 /* if we come to a session that is unknown, and the operation is
8199 * a tree connect, we create a dummy sessison, so we can hang the
8202 si->session = wmem_new0(wmem_file_scope(), smb2_sesid_info_t);
8203 si->session->sesid = si->sesid;
8204 si->session->auth_frame = (guint32)-1;
8205 si->session->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
8206 g_hash_table_insert(si->conv->sesids, si->session, si->session);
/* The placeholder above is a file-scoped allocation plus a GLib hash table,
 * keyed by a session id taken from the packet, so a capture with many
 * distinct unknown ids on tree connects keeps one entry per id for the life
 * of the file. NOTE(review): no release of the tids table is visible in this
 * listing - confirm where it is destroyed.
 *
 * auth_frame == (guint32)-1 marks that placeholder; identity details are
 * shown only for sessions that have a real auth frame. */
8211 if (si->session->auth_frame != (guint32)-1) {
8212 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, si->session->acct_name);
8213 PROTO_ITEM_SET_GENERATED(item);
8214 proto_item_append_text(sesid_item, " Acct:%s", si->session->acct_name);
8216 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, si->session->domain_name);
8217 PROTO_ITEM_SET_GENERATED(item);
8218 proto_item_append_text(sesid_item, " Domain:%s", si->session->domain_name);
8220 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, si->session->host_name);
8221 PROTO_ITEM_SET_GENERATED(item);
8222 proto_item_append_text(sesid_item, " Host:%s", si->session->host_name);
8224 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, si->session->auth_frame);
8225 PROTO_ITEM_SET_GENERATED(item);
/* The tree id is resolved only for non-async commands; an unknown tree id
 * ends the function without the generated tree items. */
8228 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
8229 /* see if we can find the name for this tid */
8230 tid_key.tid = si->tid;
8231 si->tree = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
8232 if (!si->tree) return offset;
8234 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
8235 PROTO_ITEM_SET_GENERATED(item);
8236 proto_item_append_text(tid_item, " %s", si->tree->name);
8238 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
8239 PROTO_ITEM_SET_GENERATED(item);
8241 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
8242 PROTO_ITEM_SET_GENERATED(item);
/*
 * Dissect one SMB2/SMB3 PDU that starts at the beginning of tvb.
 *
 * A first byte of 0xfd selects the transform (encrypted) header path.
 * Otherwise the regular header is decoded, the request/response pair is
 * tracked in the per-conversation tables, the packet is queued to the smb2
 * tap and the command body is handed to dissect_smb2_command(). The function
 * calls itself for a decrypted payload and for the next PDU in a chain.
 *
 * first_in_chain decides how the Info column is prepared: the visible code
 * clears it in one case and appends a ";" separator in the other.
 *
 * NOTE(review): this listing omits some source lines (see the gaps in the
 * embedded line numbers), including several conditions, so the comments
 * below describe only what is shown.
 */
8249 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
8251 gboolean smb2_transform_header = FALSE;
8252 proto_item *msg_id_item;
8253 proto_item *item = NULL;
8254 proto_tree *tree = NULL;
8255 proto_item *header_item = NULL;
8256 proto_tree *header_tree = NULL;
8258 int chain_offset = 0;
8259 const char *label = smb_header_label;
8260 conversation_t *conversation;
8261 smb2_saved_info_t *ssi = NULL, ssi_key;
8263 smb2_transform_info_t *sti;
8265 guint32 open_frame,close_frame;
8266 smb2_eo_file_info_t *eo_file_info;
8267 e_ctx_hnd *policy_hnd_hashtablekey;
/* sti is allocated without zeroing (wmem_new), so its fields hold no defined
 * value until dissect_smb2_transform_header() fills them in; only sti->conv
 * is set in this function. si is zero-initialised (wmem_new0). */
8269 sti = wmem_new(wmem_packet_scope(), smb2_transform_info_t);
8270 si = wmem_new0(wmem_packet_scope(), smb2_info_t);
8271 si->top_tree = parent_tree;
8273 if (tvb_get_guint8(tvb, 0) == 0xfd) {
8274 smb2_transform_header = TRUE;
8275 label = smb_transform_header_label;
8277 /* find which conversation we are part of and get the data for that
8280 conversation = find_or_create_conversation(pinfo);
8281 si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
8283 /* no smb2_into_t structure for this conversation yet,
8286 si->conv = wmem_new(wmem_file_scope(), smb2_conv_info_t);
8287 /* qqq this leaks memory for now since we never free
8289 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
8290 smb2_saved_info_equal_matched);
8291 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
8292 smb2_saved_info_equal_unmatched);
8293 si->conv->sesids = g_hash_table_new(smb2_sesid_info_hash,
8294 smb2_sesid_info_equal);
8295 si->conv->fids = g_hash_table_new(smb2_fid_info_hash,
8296 smb2_fid_info_equal);
8297 si->conv->files = g_hash_table_new(smb2_eo_files_hash,smb2_eo_files_equal);
8299 /* Bit of a hack to avoid leaking the hash tables - register a
8300 * callback to free them. Ideally wmem would implement a simple
8301 * hash table so we wouldn't have to do this. */
8302 wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
8305 conversation_add_proto_data(conversation, proto_smb2, si->conv);
8308 sti->conv = si->conv;
8310 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
8311 if (first_in_chain) {
8313 col_clear(pinfo->cinfo, COL_INFO);
8315 col_append_str(pinfo->cinfo, COL_INFO, ";");
8318 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset, -1, ENC_NA);
8319 tree = proto_item_add_subtree(item, ett_smb2);
8321 header_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_header, &header_item, label);
8323 /* Decode the header */
8325 if (!smb2_transform_header) {
8327 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2, tvb, offset, 4, ENC_NA);
8330 /* we need the flags before we know how to parse the credits field */
8331 si->flags = tvb_get_letohl(tvb, offset+12);
8334 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8337 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
8338 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8342 if (si->flags & SMB2_FLAGS_RESPONSE) {
8343 si->status = tvb_get_letohl(tvb, offset);
8344 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8348 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8350 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8355 si->opcode = tvb_get_letohs(tvb, offset);
8356 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8360 if (si->flags & SMB2_FLAGS_RESPONSE) {
8361 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8363 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8369 static const int * flags[] = {
8370 &hf_smb2_flags_response,
8371 &hf_smb2_flags_async_cmd,
8372 &hf_smb2_flags_chained,
8373 &hf_smb2_flags_signature,
8374 &hf_smb2_flags_priority_mask,
8375 &hf_smb2_flags_dfs_op,
8376 &hf_smb2_flags_replay_operation,
8380 proto_tree_add_bitmask(header_tree, tvb, offset, hf_smb2_flags,
8381 ett_smb2_flags, flags, ENC_LITTLE_ENDIAN);
/* The chain offset is a wire-supplied 32-bit value stored in an int; on the
 * usual two's-complement targets a value with the top bit set becomes
 * negative and fails the later "chain_offset > 0" test.
 * NOTE(review): the value is read little-endian here but displayed with
 * ENC_BIG_ENDIAN on the next line, so the tree may not show the value that
 * is acted on - looks inconsistent, confirm. */
8387 chain_offset = tvb_get_letohl(tvb, offset);
8388 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_BIG_ENDIAN);
8392 si->msg_id = tvb_get_letoh64(tvb, offset);
8393 ssi_key.msg_id = si->msg_id;
8394 msg_id_item = proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8395 if (msg_id_item && (si->msg_id == -1)) {
8396 proto_item_append_text(msg_id_item, " (unsolicited response)");
8400 /* Tree ID and Session ID */
8401 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
/* The header signature is displayed only; it is not verified here. */
8404 proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
8407 proto_item_set_len(header_item, offset);
8410 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
8411 decode_smb2_name(si->opcode),
8412 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
8415 pinfo->cinfo, COL_INFO, ", Error: %s",
8416 val_to_str_ext(si->status, &NT_errors_ext,
8417 "Unknown (0x%08X)"));
/* Request/response matching state is built only on the first pass over the
 * capture. Each new request allocates a file-scoped smb2_saved_info_t keyed
 * by the wire-supplied message id, so this state grows with the number of
 * requests seen in the file. */
8421 if (!pinfo->fd->flags.visited) {
8422 /* see if we can find this msg_id in the unmatched table */
8423 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
8425 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
8426 /* This is a request */
8428 /* this is a request and we already found
8429 * an older ssi so just delete the previous
8432 g_hash_table_remove(si->conv->unmatched, ssi);
8437 /* no we couldn't find it, so just add it then
8438 * if was a request we are decoding
8440 ssi = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
8441 ssi->msg_id = ssi_key.msg_id;
8442 ssi->frame_req = pinfo->num;
8443 ssi->req_time = pinfo->abs_ts;
8444 ssi->extra_info_type = SMB2_EI_NONE;
8445 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
8448 /* This is a response */
8449 if (!((si->flags & SMB2_FLAGS_ASYNC_CMD)
8450 && si->status == NT_STATUS_PENDING)
/* NOTE(review): ssi is NULL when the response matches no saved request; the
 * guard is presumably in the part of this condition that is not shown -
 * confirm before relying on the dereference below. An async response with
 * NT_STATUS_PENDING is not moved to the matched table. */
8452 /* just set the response frame and move it to the matched table */
8453 ssi->frame_res = pinfo->num;
8454 g_hash_table_remove(si->conv->unmatched, ssi);
8455 g_hash_table_insert(si->conv->matched, ssi, ssi);
8459 /* see if we can find this msg_id in the matched table */
8460 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
8461 /* if we couldn't find it in the matched table, it might still
8462 * be in the unmatched table
8465 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
8470 if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
8471 /* If needed, create the file entry and save the policy hnd */
8472 if (!si->eo_file_info) {
8474 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&ssi->policy_hnd);
8475 if (!eo_file_info) { /* XXX This should never happen */
8477 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
8478 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
8479 memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
8480 eo_file_info->end_of_file=0;
8481 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
8483 si->eo_file_info=eo_file_info;
8488 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
8489 if (ssi->frame_res) {
8490 proto_item *tmp_item;
8491 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
8492 PROTO_ITEM_SET_GENERATED(tmp_item);
8495 if (ssi->frame_req) {
8496 proto_item *tmp_item;
8499 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
8500 PROTO_ITEM_SET_GENERATED(tmp_item);
8502 nstime_delta(&deltat, &t, &ssi->req_time);
8503 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
8505 PROTO_ITEM_SET_GENERATED(tmp_item);
8508 if (si->file != NULL) {
8509 ssi->file = si->file;
8511 si->file = ssi->file;
8514 /* if we don't have ssi yet we must fake it */
8518 tap_queue_packet(smb2_tap, pinfo, si);
8520 /* Decode the payload */
8521 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
8523 proto_tree *enc_tree;
8524 tvbuff_t *enc_tvb = NULL;
8525 tvbuff_t *plain_tvb = NULL;
8527 /* SMB2_TRANSFORM marker */
8528 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2_transform, tvb, offset, 4, ENC_NA);
8531 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
8532 &enc_tvb, &plain_tvb);
8534 enc_tree = proto_tree_add_subtree(tree, enc_tvb, 0, sti->size, ett_smb2_encrypted, NULL, "Encrypted SMB3 data");
/* A decrypted payload is dissected as a nested SMB2 PDU. The decryption shown
 * in dissect_smb2_transform_header() uses CTR mode without checking the
 * transform signature, so this buffer deserves the same distrust as raw wire
 * data. */
8535 if (plain_tvb != NULL) {
8536 col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
8537 dissect_smb2(plain_tvb, pinfo, enc_tree, FALSE);
8539 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
8540 proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
8541 enc_tvb, 0, sti->size, ENC_NA);
8544 if (tvb_reported_length_remaining(tvb, offset) > 0) {
8545 chain_offset = offset;
/* A positive chain offset re-enters this function on the remainder of tvb,
 * so every nested call sees a strictly shorter buffer. NOTE(review): no
 * explicit nesting limit is visible, so the depth is bounded only by the
 * buffer length and the chain offsets supplied in the packet - confirm that
 * is acceptable for stack use. */
8549 if (chain_offset > 0) {
8552 proto_item_set_len(item, chain_offset);
8554 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
8555 offset = dissect_smb2(next_tvb, pinfo, parent_tree, FALSE);
/*
 * Heuristic entry point: decide whether tvb looks like SMB2 and, if so, hand
 * it to dissect_smb2() as the first PDU in a chain.
 *
 * The test shown requires at least 4 captured bytes, a first byte of 0xfe
 * (regular header) or 0xfd (transform header), and the ASCII bytes "SMB".
 * This 4-byte magic is the only gate, so any payload that starts with it is
 * parsed by the full dissector as untrusted input.
 *
 * NOTE(review): the return statements are on lines not shown in this listing.
 */
8562 dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
8565 /* must check that this really is a smb2 packet */
8566 if (tvb_captured_length(tvb) < 4)
8569 if (((tvb_get_guint8(tvb, 0) != 0xfe) && (tvb_get_guint8(tvb, 0) != 0xfd))
8570 || (tvb_get_guint8(tvb, 1) != 'S')
8571 || (tvb_get_guint8(tvb, 2) != 'M')
8572 || (tvb_get_guint8(tvb, 3) != 'B') ) {
8576 dissect_smb2(tvb, pinfo, parent_tree, TRUE);
8582 proto_register_smb2(void)
8584 module_t *smb2_module;
8585 static hf_register_info hf[] = {
8587 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
8588 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }},
8589 { &hf_smb2_response_to,
8590 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
8591 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
8592 { &hf_smb2_response_in,
8593 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
8594 NULL, 0, "The response to this packet is in this packet", HFILL }},
8596 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
8597 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }},
8598 { &hf_smb2_header_len,
8599 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
8600 NULL, 0, "SMB2 Size of Header", HFILL }},
8601 { &hf_smb2_nt_status,
8602 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
8603 &NT_errors_ext, 0, "NT Status code", HFILL }},
8605 { "Message ID", "smb2.msg_id", FT_INT64, BASE_DEC,
8606 NULL, 0, "SMB2 Message ID", HFILL }},
8608 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
8609 NULL, 0, "SMB2 Tree Id", HFILL }},
8611 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
8612 NULL, 0, "SMB2 Async Id", HFILL }},
8614 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
8615 NULL, 0, "SMB2 Session Id", HFILL }},
8616 { &hf_smb2_previous_sesid,
8617 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
8618 NULL, 0, "SMB2 Previous Session Id", HFILL }},
8619 { &hf_smb2_chain_offset,
8620 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
8621 NULL, 0, "SMB2 Chain Offset", HFILL }},
8622 { &hf_smb2_end_of_file,
8623 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
8624 NULL, 0, "SMB2 End Of File/File size", HFILL }},
8626 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
8627 NULL, 0, "Number of links to this object", HFILL }},
8629 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
8630 NULL, 0, "SMB2 File Id", HFILL }},
8631 { &hf_smb2_allocation_size,
8632 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
8633 NULL, 0, "SMB2 Allocation Size for this object", HFILL }},
8634 { &hf_smb2_max_response_size,
8635 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
8636 NULL, 0, "SMB2 Maximum response size", HFILL }},
8637 { &hf_smb2_setinfo_size,
8638 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
8639 NULL, 0, "SMB2 setinfo size", HFILL }},
8640 { &hf_smb2_setinfo_offset,
8641 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
8642 NULL, 0, "SMB2 setinfo offset", HFILL }},
8643 { &hf_smb2_max_ioctl_out_size,
8644 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
8645 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
8646 { &hf_smb2_max_ioctl_in_size,
8647 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
8648 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
8649 { &hf_smb2_required_buffer_size,
8650 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
8651 NULL, 0, "SMB2 required buffer size", HFILL }},
8653 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
8654 NULL, 0, "SMB2 Process Id", HFILL }},
8656 /* SMB2 header flags */
8658 { "Flags", "smb2.flags", FT_UINT32, BASE_HEX,
8659 NULL, 0, "SMB2 flags", HFILL }},
8660 { &hf_smb2_flags_response,
8661 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
8662 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }},
8663 { &hf_smb2_flags_async_cmd,
8664 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
8665 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }},
8666 { &hf_smb2_flags_dfs_op,
8667 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
8668 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }},
8669 { &hf_smb2_flags_chained,
8670 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
8671 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }},
8672 { &hf_smb2_flags_signature,
8673 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
8674 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }},
8675 { &hf_smb2_flags_replay_operation,
8676 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
8677 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }},
8678 { &hf_smb2_flags_priority_mask,
8679 { "Priority", "smb2.flags.priority_mask", FT_BOOLEAN, 32,
8680 TFS(&tfs_flags_priority_mask), SMB2_FLAGS_PRIORITY_MASK, "Priority Mask", HFILL }},
8683 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
8684 NULL, 0, "Name of the Tree/Share", HFILL }},
8686 { &hf_smb2_filename,
8687 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
8688 NULL, 0, "Name of the file", HFILL }},
8690 { &hf_smb2_filename_len,
8691 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
8692 NULL, 0, "Length of the file name", HFILL }},
8694 { &hf_smb2_replace_if,
8695 { "Replace If", "smb2.rename.replace_if", FT_BOOLEAN, 8,
8696 TFS(&tfs_replace_if_exists), 0xFF, "Whether to replace if the target exists", HFILL }},
8698 { &hf_smb2_data_offset,
8699 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
8700 NULL, 0, "Offset to data", HFILL }},
8702 { &hf_smb2_find_info_level,
8703 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
8704 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }},
8705 { &hf_smb2_find_flags,
8706 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
8707 NULL, 0, NULL, HFILL }},
8709 { &hf_smb2_find_pattern,
8710 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
8711 NULL, 0, "Find pattern", HFILL }},
8713 { &hf_smb2_find_info_blob,
8714 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
8715 NULL, 0, "Find Info", HFILL }},
8718 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
8719 NULL, 0, "Size of EA data", HFILL }},
8722 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
8723 VALS(smb2_class_vals), 0, "Info class", HFILL }},
8725 { &hf_smb2_infolevel,
8726 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
8727 NULL, 0, NULL, HFILL }},
8729 { &hf_smb2_infolevel_file_info,
8730 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
8731 &smb2_file_info_levels_ext, 0, "File_Info Infolevel", HFILL }},
8733 { &hf_smb2_infolevel_fs_info,
8734 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
8735 &smb2_fs_info_levels_ext, 0, "Fs_Info Infolevel", HFILL }},
8737 { &hf_smb2_infolevel_sec_info,
8738 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
8739 &smb2_sec_info_levels_ext, 0, "Sec_Info Infolevel", HFILL }},
8741 { &hf_smb2_infolevel_posix_info,
8742 { "InfoLevel", "smb2.posix_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
8743 &smb2_posix_info_levels_ext, 0, "Posix_Info Infolevel", HFILL }},
8745 { &hf_smb2_write_length,
8746 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
8747 NULL, 0, "Amount of data to write", HFILL }},
8749 { &hf_smb2_read_length,
8750 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
8751 NULL, 0, "Amount of data to read", HFILL }},
8753 { &hf_smb2_read_remaining,
8754 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
8755 NULL, 0, NULL, HFILL }},
8757 { &hf_smb2_create_flags,
8758 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
8759 NULL, 0, NULL, HFILL }},
8761 { &hf_smb2_file_offset,
8762 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
8763 NULL, 0, NULL, HFILL }},
8765 { &hf_smb2_fsctl_range_offset,
8766 { "File Offset", "smb2.fsctl.range_offset", FT_UINT64, BASE_DEC,
8767 NULL, 0, NULL, HFILL }},
8769 { &hf_smb2_fsctl_range_length,
8770 { "Length", "smb2.fsctl.range_length", FT_UINT64, BASE_DEC,
8771 NULL, 0, NULL, HFILL }},
8773 { &hf_smb2_qfr_length,
8774 { "Length", "smb2.qfr_length", FT_UINT64, BASE_DEC,
8775 NULL, 0, NULL, HFILL }},
8777 { &hf_smb2_qfr_usage,
8778 { "Desired Usage", "smb2.qfr_usage", FT_UINT32, BASE_HEX,
8779 VALS(file_region_usage_vals), 0, NULL, HFILL }},
8781 { &hf_smb2_qfr_flags,
8782 { "Flags", "smb2.qfr_flags", FT_UINT32, BASE_HEX,
8783 NULL, 0, NULL, HFILL }},
8785 { &hf_smb2_qfr_total_region_entry_count,
8786 { "Total Region Entry Count", "smb2.qfr_tot_region_entry_count", FT_UINT32, BASE_HEX,
8787 NULL, 0, NULL, HFILL }},
8789 { &hf_smb2_qfr_region_entry_count,
8790 { "Region Entry Count", "smb2.qfr_region_entry_count", FT_UINT32, BASE_HEX,
8791 NULL, 0, NULL, HFILL }},
8793 { &hf_smb2_security_blob,
8794 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
8795 NULL, 0, NULL, HFILL }},
8797 { &hf_smb2_ioctl_out_data,
8798 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
8799 NULL, 0, "Ioctl Out", HFILL }},
8801 { &hf_smb2_ioctl_in_data,
8802 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
8803 NULL, 0, "Ioctl In", HFILL }},
8805 { &hf_smb2_server_guid,
8806 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
8807 NULL, 0, NULL, HFILL }},
8809 { &hf_smb2_client_guid,
8810 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
8811 NULL, 0, NULL, HFILL }},
8813 { &hf_smb2_object_id,
8814 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
8815 NULL, 0, "ObjectID for this FID", HFILL }},
8817 { &hf_smb2_birth_volume_id,
8818 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
8819 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }},
8821 { &hf_smb2_birth_object_id,
8822 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
8823 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }},
8825 { &hf_smb2_domain_id,
8826 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
8827 NULL, 0, NULL, HFILL }},
8829 { &hf_smb2_create_timestamp,
8830 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8831 NULL, 0, "Time when this object was created", HFILL }},
8834 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
8835 NULL, 0, "SMB2 File Id", HFILL }},
8837 { &hf_smb2_write_data,
8838 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
8839 NULL, 0, "SMB2 Data to be written", HFILL }},
8841 { &hf_smb2_write_flags,
8842 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
8843 NULL, 0, NULL, HFILL }},
8845 { &hf_smb2_write_flags_write_through,
8846 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
8847 NULL, SMB2_WRITE_FLAG_WRITE_THROUGH, NULL, HFILL }},
8849 { &hf_smb2_write_count,
8850 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
8851 NULL, 0, NULL, HFILL }},
8853 { &hf_smb2_write_remaining,
8854 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
8855 NULL, 0, NULL, HFILL }},
8857 { &hf_smb2_read_data,
8858 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
8859 NULL, 0, "SMB2 Data that is read", HFILL }},
8861 { &hf_smb2_last_access_timestamp,
8862 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8863 NULL, 0, "Time when this object was last accessed", HFILL }},
8865 { &hf_smb2_last_write_timestamp,
8866 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8867 NULL, 0, "Time when this object was last written to", HFILL }},
8869 { &hf_smb2_last_change_timestamp,
8870 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8871 NULL, 0, "Time when this object was last changed", HFILL }},
8873 { &hf_smb2_file_all_info,
8874 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
8875 NULL, 0, "SMB2_FILE_ALL_INFO structure", HFILL }},
8877 { &hf_smb2_file_allocation_info,
8878 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
8879 NULL, 0, "SMB2_FILE_ALLOCATION_INFO structure", HFILL }},
8881 { &hf_smb2_file_endoffile_info,
8882 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
8883 NULL, 0, "SMB2_FILE_ENDOFFILE_INFO structure", HFILL }},
8885 { &hf_smb2_file_alternate_name_info,
8886 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
8887 NULL, 0, "SMB2_FILE_ALTERNATE_NAME_INFO structure", HFILL }},
8889 { &hf_smb2_file_stream_info,
8890 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
8891 NULL, 0, "SMB2_FILE_STREAM_INFO structure", HFILL }},
8893 { &hf_smb2_file_pipe_info,
8894 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
8895 NULL, 0, "SMB2_FILE_PIPE_INFO structure", HFILL }},
8897 { &hf_smb2_file_compression_info,
8898 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
8899 NULL, 0, "SMB2_FILE_COMPRESSION_INFO structure", HFILL }},
8901 { &hf_smb2_file_basic_info,
8902 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
8903 NULL, 0, "SMB2_FILE_BASIC_INFO structure", HFILL }},
8905 { &hf_smb2_file_standard_info,
8906 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
8907 NULL, 0, "SMB2_FILE_STANDARD_INFO structure", HFILL }},
8909 { &hf_smb2_file_internal_info,
8910 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
8911 NULL, 0, "SMB2_FILE_INTERNAL_INFO structure", HFILL }},
8913 { &hf_smb2_file_mode_info,
8914 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
8915 NULL, 0, "SMB2_FILE_MODE_INFO structure", HFILL }},
8917 { &hf_smb2_file_alignment_info,
8918 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
8919 NULL, 0, "SMB2_FILE_ALIGNMENT_INFO structure", HFILL }},
8921 { &hf_smb2_file_position_info,
8922 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
8923 NULL, 0, "SMB2_FILE_POSITION_INFO structure", HFILL }},
8925 { &hf_smb2_file_access_info,
8926 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
8927 NULL, 0, "SMB2_FILE_ACCESS_INFO structure", HFILL }},
8929 { &hf_smb2_file_ea_info,
8930 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
8931 NULL, 0, "SMB2_FILE_EA_INFO structure", HFILL }},
8933 { &hf_smb2_file_network_open_info,
8934 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
8935 NULL, 0, "SMB2_FILE_NETWORK_OPEN_INFO structure", HFILL }},
8937 { &hf_smb2_file_attribute_tag_info,
8938 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
8939 NULL, 0, "SMB2_FILE_ATTRIBUTE_TAG_INFO structure", HFILL }},
8941 { &hf_smb2_file_disposition_info,
8942 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
8943 NULL, 0, "SMB2_FILE_DISPOSITION_INFO structure", HFILL }},
8945 { &hf_smb2_file_full_ea_info,
8946 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
8947 NULL, 0, "SMB2_FILE_FULL_EA_INFO structure", HFILL }},
8949 { &hf_smb2_file_rename_info,
8950 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
8951 NULL, 0, "SMB2_FILE_RENAME_INFO structure", HFILL }},
8953 { &hf_smb2_fs_info_01,
8954 { "SMB2_FS_INFO_01", "smb2.fs_info_01", FT_NONE, BASE_NONE,
8955 NULL, 0, "SMB2_FS_INFO_01 structure", HFILL }},
8957 { &hf_smb2_fs_info_03,
8958 { "SMB2_FS_INFO_03", "smb2.fs_info_03", FT_NONE, BASE_NONE,
8959 NULL, 0, "SMB2_FS_INFO_03 structure", HFILL }},
8961 { &hf_smb2_fs_info_04,
8962 { "SMB2_FS_INFO_04", "smb2.fs_info_04", FT_NONE, BASE_NONE,
8963 NULL, 0, "SMB2_FS_INFO_04 structure", HFILL }},
8965 { &hf_smb2_fs_info_05,
8966 { "SMB2_FS_INFO_05", "smb2.fs_info_05", FT_NONE, BASE_NONE,
8967 NULL, 0, "SMB2_FS_INFO_05 structure", HFILL }},
8969 { &hf_smb2_fs_info_06,
8970 { "SMB2_FS_INFO_06", "smb2.fs_info_06", FT_NONE, BASE_NONE,
8971 NULL, 0, "SMB2_FS_INFO_06 structure", HFILL }},
8973 { &hf_smb2_fs_info_07,
8974 { "SMB2_FS_INFO_07", "smb2.fs_info_07", FT_NONE, BASE_NONE,
8975 NULL, 0, "SMB2_FS_INFO_07 structure", HFILL }},
8977 { &hf_smb2_fs_objectid_info,
8978 { "SMB2_FS_OBJECTID_INFO", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
8979 NULL, 0, "SMB2_FS_OBJECTID_INFO structure", HFILL }},
8981 { &hf_smb2_sec_info_00,
8982 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
8983 NULL, 0, "SMB2_SEC_INFO_00 structure", HFILL }},
8985 { &hf_smb2_disposition_delete_on_close,
8986 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
8987 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }},
8990 { &hf_smb2_create_disposition,
8991 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
8992 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
8994 { &hf_smb2_create_action,
8995 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
8996 VALS(oa_open_vals), 0, NULL, HFILL }},
8998 { &hf_smb2_create_rep_flags,
8999 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
9000 NULL, 0, NULL, HFILL }},
9002 { &hf_smb2_create_rep_flags_reparse_point,
9003 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
9004 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }},
9006 { &hf_smb2_extrainfo,
9007 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
9008 NULL, 0, "Create ExtraInfo", HFILL }},
9010 { &hf_smb2_create_chain_offset,
9011 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
9012 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
9014 { &hf_smb2_create_chain_data,
9015 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
9016 NULL, 0, "Chain Data", HFILL }},
9018 { &hf_smb2_FILE_OBJECTID_BUFFER,
9019 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
9020 NULL, 0, "A FILE_OBJECTID_BUFFER structure", HFILL }},
9022 { &hf_smb2_lease_key,
9023 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
9024 NULL, 0, NULL, HFILL }},
9026 { &hf_smb2_lease_state,
9027 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
9028 NULL, 0, NULL, HFILL }},
9030 { &hf_smb2_lease_state_read_caching,
9031 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
9032 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }},
9034 { &hf_smb2_lease_state_handle_caching,
9035 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
9036 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }},
9038 { &hf_smb2_lease_state_write_caching,
9039 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
9040 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }},
9042 { &hf_smb2_lease_flags,
9043 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
9044 NULL, 0, NULL, HFILL }},
9046 { &hf_smb2_lease_flags_break_ack_required,
9047 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
9048 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }},
9050 { &hf_smb2_lease_flags_break_in_progress,
9051 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
9052 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }},
9054 { &hf_smb2_lease_flags_parent_lease_key_set,
9055 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
9056 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }},
9058 { &hf_smb2_lease_duration,
9059 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
9060 NULL, 0, NULL, HFILL }},
9062 { &hf_smb2_parent_lease_key,
9063 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
9064 NULL, 0, NULL, HFILL }},
9066 { &hf_smb2_lease_epoch,
9067 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16, BASE_HEX,
9068 NULL, 0, NULL, HFILL }},
9070 { &hf_smb2_lease_reserved,
9071 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16, BASE_HEX,
9072 NULL, 0, NULL, HFILL }},
9074 { &hf_smb2_lease_break_reason,
9075 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
9076 NULL, 0, NULL, HFILL }},
9078 { &hf_smb2_lease_access_mask_hint,
9079 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
9080 NULL, 0, NULL, HFILL }},
9082 { &hf_smb2_lease_share_mask_hint,
9083 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
9084 NULL, 0, NULL, HFILL }},
9086 { &hf_smb2_next_offset,
9087 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
9088 NULL, 0, "Offset to next buffer or 0", HFILL }},
9090 { &hf_smb2_negotiate_context_type,
9091 { "Type", "smb2.negotiate_context.type", FT_UINT16, BASE_HEX,
9092 VALS(smb2_negotiate_context_types), 0, "NegotiateContext Type", HFILL }},
9094 { &hf_smb2_negotiate_context_data_length,
9095 { "DataLength", "smb2.negotiate_context.data_length", FT_UINT16, BASE_DEC,
9096 NULL, 0, "NegotiateContext DataLength", HFILL }},
9098 { &hf_smb2_negotiate_context_offset,
9099 { "NegotiateContextOffset", "smb2.negotiate_context.offset", FT_UINT16, BASE_HEX,
9100 NULL, 0, "NegotiateContext Offset", HFILL }},
9102 { &hf_smb2_negotiate_context_count,
9103 { "NegotiateContextCount", "smb2.negotiate_context.count", FT_UINT16, BASE_DEC,
9104 NULL, 0, "NegotiateContext Count", HFILL }},
9106 { &hf_smb2_current_time,
9107 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9108 NULL, 0, "Current Time at server", HFILL }},
9110 { &hf_smb2_boot_time,
9111 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9112 NULL, 0, "Boot Time at server", HFILL }},
9114 { &hf_smb2_ea_flags,
9115 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
9116 NULL, 0, NULL, HFILL }},
9118 { &hf_smb2_ea_name_len,
9119 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
9120 NULL, 0, NULL, HFILL }},
9122 { &hf_smb2_ea_data_len,
9123 { "EA Data Length", "smb2.ea.data_len", FT_UINT8, BASE_DEC,
9124 NULL, 0, NULL, HFILL }},
9126 { &hf_smb2_delete_pending,
9127 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
9128 NULL, 0, NULL, HFILL }},
9130 { &hf_smb2_is_directory,
9131 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
9132 NULL, 0, "Is this a directory?", HFILL }},
9135 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
9136 VALS(oplock_vals), 0, "Oplock type", HFILL }},
9138 { &hf_smb2_close_flags,
9139 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
9140 NULL, 0, NULL, HFILL }},
9142 { &hf_smb2_notify_flags,
9143 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
9144 NULL, 0, NULL, HFILL }},
9146 { &hf_smb2_buffer_code,
9147 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
9148 NULL, 0, NULL, HFILL }},
9150 { &hf_smb2_buffer_code_len,
9151 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
9152 NULL, 0xFFFE, "Length of fixed portion of PDU", HFILL }},
9154 { &hf_smb2_olb_length,
9155 { "Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
9156 NULL, 0, "Length of the buffer", HFILL }},
9158 { &hf_smb2_olb_offset,
9159 { "Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
9160 NULL, 0, "Offset to the buffer", HFILL }},
9162 { &hf_smb2_buffer_code_flags_dyn,
9163 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
9164 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }},
9167 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE,
9168 NULL, 0, NULL, HFILL }},
9171 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
9172 NULL, 0, NULL, HFILL }},
9174 { &hf_smb2_impersonation_level,
9175 { "Impersonation", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
9176 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
9178 { &hf_smb2_ioctl_function,
9179 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9180 &smb2_ioctl_vals_ext, 0, "Ioctl function", HFILL }},
9182 { &hf_smb2_ioctl_function_device,
9183 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9184 &smb2_ioctl_device_vals_ext, 0xffff0000, "Device for Ioctl", HFILL }},
9186 { &hf_smb2_ioctl_function_access,
9187 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
9188 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }},
9190 { &hf_smb2_ioctl_function_function,
9191 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
9192 NULL, 0x00003ffc, "Function for Ioctl", HFILL }},
9194 { &hf_smb2_ioctl_function_method,
9195 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
9196 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }},
9198 { &hf_smb2_fsctl_pipe_wait_timeout,
9199 { "Timeout", "smb2.fsctl.wait.timeout", FT_INT64, BASE_DEC,
9200 NULL, 0, "Wait timeout", HFILL }},
9202 { &hf_smb2_fsctl_pipe_wait_name,
9203 { "Name", "smb2.fsctl.wait.name", FT_STRING, BASE_NONE,
9204 NULL, 0, "Pipe name", HFILL }},
9206 { &hf_smb2_fsctl_offload_read_size,
9207 { "Size", "smb2.fsctl.offload.read", FT_UINT32, BASE_DEC,
9208 NULL, 0, "Size of data element", HFILL }},
9210 { &hf_smb2_fsctl_offload_read_flags,
9211 { "Flags", "smb2.fsctl.offload.flags", FT_UINT32, BASE_HEX,
9212 NULL, 0, "Flags for this operation", HFILL }},
9214 { &hf_smb2_fsctl_offload_read_token_ttl,
9215 { "TokenTimeToLive", "smb2.fsctl.offload.token_ttl",
9216 FT_UINT32, BASE_DEC, NULL, 0,
9217 "TTL for the generated token (in milliseconds)", HFILL }},
9219 { &hf_smb2_fsctl_offload_reserved,
9220 { "Reserved", "smb2.fsctl.offload.reserved",
9221 FT_BYTES, BASE_NONE, NULL, 0,
9224 { &hf_smb2_fsctl_offload_read_file_offset,
9225 { "FileOffset", "smb2.fsctl.offload.file_offset",
9226 FT_UINT64, BASE_DEC, NULL, 0,
9227 "File offset", HFILL }},
9229 { &hf_smb2_fsctl_offload_read_copy_length,
9230 { "CopyLength", "smb2.fsctl.offload.copy_length",
9231 FT_UINT64, BASE_DEC, NULL, 0,
9232 "Copy length", HFILL }},
9234 { &hf_smb2_fsctl_offload_read_transfer_length,
9235 { "TransferLength", "smb2.fsctl.offload.transfer_length",
9236 FT_UINT64, BASE_DEC, NULL, 0,
9237 "Transfer length", HFILL }},
9239 { &hf_smb2_fsctl_offload_token,
9240 { "Token", "smb2.fsctl.offload.token",
9241 FT_BYTES, BASE_NONE, NULL, 0,
9244 { &hf_smb2_fsctl_sparse_flag,
9245 { "SetSparse", "smb2.fsctl.set_sparse", FT_BOOLEAN, 8,
9246 NULL, 0xFF, NULL, HFILL }},
9248 { &hf_smb2_ioctl_resiliency_timeout,
9249 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
9250 NULL, 0, "Resiliency timeout", HFILL }},
9252 { &hf_smb2_ioctl_resiliency_reserved,
9253 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
9254 NULL, 0, "Resiliency reserved", HFILL }},
9256 { &hf_windows_sockaddr_family,
9257 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
9258 NULL, 0, "The socket address family (on windows)", HFILL }},
9260 { &hf_windows_sockaddr_port,
9261 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
9262 NULL, 0, "The socket address port", HFILL }},
9264 { &hf_windows_sockaddr_in_addr,
9265 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
9266 NULL, 0, "The IPv4 address", HFILL }},
9268 { &hf_windows_sockaddr_in6_flowinfo,
9269 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
9270 NULL, 0, "The socket IPv6 flow info", HFILL }},
9272 { &hf_windows_sockaddr_in6_addr,
9273 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
9274 NULL, 0, "The IPv6 address", HFILL }},
9276 { &hf_windows_sockaddr_in6_scope_id,
9277 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
9278 NULL, 0, "The socket IPv6 scope id", HFILL }},
9280 { &hf_smb2_ioctl_network_interface_next_offset,
9281 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
9282 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
9284 { &hf_smb2_ioctl_network_interface_index,
9285 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
9286 NULL, 0, "The index of the interface", HFILL }},
9288 { &hf_smb2_ioctl_network_interface_rss_queue_count,
9289 { "RSS Queue Count", "smb2.ioctl.network_interfaces.rss_queue_count", FT_UINT32, BASE_DEC,
9290 NULL, 0, "The RSS queue count", HFILL }},
9292 { &hf_smb2_ioctl_network_interface_capabilities,
9293 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
9294 NULL, 0, "The RSS queue count", HFILL }},
9296 { &hf_smb2_ioctl_network_interface_capability_rss,
9297 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
9298 TFS(&tfs_smb2_ioctl_network_interface_capability_rss),
9299 NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }},
9301 { &hf_smb2_ioctl_network_interface_capability_rdma,
9302 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
9303 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma),
9304 NETWORK_INTERFACE_CAP_RDMA, "If the host supports RDMA", HFILL }},
9306 { &hf_smb2_ioctl_network_interface_link_speed,
9307 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
9308 NULL, 0, "The link speed of the interface", HFILL }},
9310 { &hf_smb2_ioctl_shadow_copy_num_volumes,
9311 { "Num Volumes", "smb2.ioctl.shadow_copy.num_volumes", FT_UINT32, BASE_DEC,
9312 NULL, 0, "Number of shadow copy volumes", HFILL }},
9314 { &hf_smb2_ioctl_shadow_copy_num_labels,
9315 { "Num Labels", "smb2.ioctl.shadow_copy.num_labels", FT_UINT32, BASE_DEC,
9316 NULL, 0, "Number of shadow copy labels", HFILL }},
9318 { &hf_smb2_ioctl_shadow_copy_label,
9319 { "Label", "smb2.ioctl.shadow_copy.label", FT_STRING, BASE_NONE,
9320 NULL, 0, "Shadow copy label", HFILL }},
9322 { &hf_smb2_compression_format,
9323 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
9324 VALS(compression_format_vals), 0, "Compression to use", HFILL }},
9326 { &hf_smb2_checksum_algorithm,
9327 { "Checksum Algorithm", "smb2.checksum_algorithm", FT_UINT16, BASE_HEX,
9328 VALS(checksum_algorithm_vals), 0, "Checksum algorithm to use", HFILL}},
9330 { &hf_smb2_integrity_reserved,
9331 { "Reserved", "smb2.integrity_reserved", FT_UINT16, BASE_DEC,
9332 NULL, 0, "Reserved Field", HFILL}},
9334 { &hf_smb2_integrity_flags,
9335 { "Flags", "smb2.integrity_flags", FT_UINT32, BASE_HEX,
9336 NULL, 0, NULL, HFILL }},
9338 { &hf_smb2_integrity_flags_enforcement_off,
9339 { "FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF", "smb2.integrity_flags_enforcement", FT_BOOLEAN, 32,
9340 NULL, 0x1, "If checksum error enforcement is off", HFILL }},
9342 { &hf_smb2_share_type,
9343 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
9344 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }},
9346 { &hf_smb2_credit_charge,
9347 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
9348 NULL, 0, NULL, HFILL }},
9350 { &hf_smb2_credits_requested,
9351 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
9352 NULL, 0, NULL, HFILL }},
9354 { &hf_smb2_credits_granted,
9355 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
9356 NULL, 0, NULL, HFILL }},
9358 { &hf_smb2_channel_sequence,
9359 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
9360 NULL, 0, NULL, HFILL }},
9362 { &hf_smb2_dialect_count,
9363 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
9364 NULL, 0, NULL, HFILL }},
9367 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
9368 NULL, 0, NULL, HFILL }},
9370 { &hf_smb2_security_mode,
9371 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
9372 NULL, 0, NULL, HFILL }},
9374 { &hf_smb2_session_flags,
9375 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
9376 NULL, 0, NULL, HFILL }},
9378 { &hf_smb2_lock_count,
9379 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
9380 NULL, 0, NULL, HFILL }},
9382 { &hf_smb2_capabilities,
9383 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
9384 NULL, 0, NULL, HFILL }},
9386 { &hf_smb2_ioctl_shadow_copy_count,
9387 { "Count", "smb2.ioctl.shadow_copy.count", FT_UINT32, BASE_DEC,
9388 NULL, 0, "Number of bytes for shadow copy label strings", HFILL }},
9390 { &hf_smb2_auth_frame,
9391 { "Authenticated in Frame", "smb2.auth_frame", FT_UINT32, BASE_DEC,
9392 NULL, 0, "Which frame this user was authenticated in", HFILL }},
9394 { &hf_smb2_tcon_frame,
9395 { "Connected in Frame", "smb2.tcon_frame", FT_UINT32, BASE_DEC,
9396 NULL, 0, "Which frame this share was connected in", HFILL }},
9399 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
9400 NULL, 0, "Tag of chain entry", HFILL }},
9402 { &hf_smb2_acct_name,
9403 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
9404 NULL, 0, "Account Name", HFILL }},
9406 { &hf_smb2_domain_name,
9407 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
9408 NULL, 0, "Domain Name", HFILL }},
9410 { &hf_smb2_host_name,
9411 { "Host", "smb2.host", FT_STRING, BASE_NONE,
9412 NULL, 0, "Host Name", HFILL }},
9414 { &hf_smb2_signature,
9415 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
9416 NULL, 0, NULL, HFILL }},
9419 { "unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
9420 NULL, 0, "Unknown bytes", HFILL }},
9422 { &hf_smb2_twrp_timestamp,
9423 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9424 NULL, 0, "TWrp timestamp", HFILL }},
9426 { &hf_smb2_mxac_timestamp,
9427 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9428 NULL, 0, "MxAc timestamp", HFILL }},
9430 { &hf_smb2_mxac_status,
9431 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9432 &NT_errors_ext, 0, "NT Status code", HFILL }},
9434 { &hf_smb2_qfid_fid,
9435 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
9436 NULL, 0, NULL, HFILL }},
9438 { &hf_smb2_ses_flags_guest,
9439 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
9440 NULL, SES_FLAGS_GUEST, NULL, HFILL }},
9442 { &hf_smb2_ses_flags_null,
9443 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
9444 NULL, SES_FLAGS_NULL, NULL, HFILL }},
9446 { &hf_smb2_secmode_flags_sign_required,
9447 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
9448 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }},
9450 { &hf_smb2_secmode_flags_sign_enabled,
9451 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
9452 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }},
9454 { &hf_smb2_ses_req_flags,
9455 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
9456 NULL, 0, NULL, HFILL }},
9458 { &hf_smb2_ses_req_flags_session_binding,
9459 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
9460 NULL, SES_REQ_FLAGS_SESSION_BINDING,
9461 "The client wants to bind to an existing session", HFILL }},
9464 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
9465 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }},
9467 { &hf_smb2_cap_leasing,
9468 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
9469 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING,
9470 "If the host supports leasing", HFILL }},
9472 { &hf_smb2_cap_large_mtu,
9473 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
9474 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU,
9475 "If the host supports LARGE MTU", HFILL }},
9477 { &hf_smb2_cap_multi_channel,
9478 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
9479 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL,
9480 "If the host supports MULTI CHANNEL", HFILL }},
9482 { &hf_smb2_cap_persistent_handles,
9483 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
9484 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES,
9485 "If the host supports PERSISTENT HANDLES", HFILL }},
9487 { &hf_smb2_cap_directory_leasing,
9488 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
9489 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING,
9490 "If the host supports DIRECTORY LEASING", HFILL }},
9492 { &hf_smb2_cap_encryption,
9493 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
9494 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION,
9495 "If the host supports ENCRYPTION", HFILL }},
9497 { &hf_smb2_max_trans_size,
9498 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
9499 NULL, 0, "Maximum size of a transaction", HFILL }},
9501 { &hf_smb2_max_read_size,
9502 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
9503 NULL, 0, "Maximum size of a read", HFILL }},
9505 { &hf_smb2_max_write_size,
9506 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
9507 NULL, 0, "Maximum size of a write", HFILL }},
9510 { "Channel", "smb2.channel", FT_UINT32, BASE_HEX,
9511 VALS(smb2_channel_vals), 0, NULL, HFILL }},
9513 { &hf_smb2_rdma_v1_offset,
9514 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64, BASE_DEC,
9515 NULL, 0, NULL, HFILL }},
9517 { &hf_smb2_rdma_v1_token,
9518 { "Token", "smb2.buffer_descriptor.token", FT_UINT32, BASE_HEX,
9519 NULL, 0, NULL, HFILL }},
9521 { &hf_smb2_rdma_v1_length,
9522 { "Length", "smb2.buffer_descriptor.length", FT_UINT32, BASE_DEC,
9523 NULL, 0, NULL, HFILL }},
9525 { &hf_smb2_share_flags,
9526 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
9527 NULL, 0, NULL, HFILL }},
9529 { &hf_smb2_share_flags_dfs,
9530 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
9531 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
9533 { &hf_smb2_share_flags_dfs_root,
9534 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
9535 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
9537 { &hf_smb2_share_flags_restrict_exclusive_opens,
9538 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
9539 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }},
9541 { &hf_smb2_share_flags_force_shared_delete,
9542 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
9543 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }},
9545 { &hf_smb2_share_flags_allow_namespace_caching,
9546 { "Allow namepsace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
9547 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }},
9549 { &hf_smb2_share_flags_access_based_dir_enum,
9550 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
9551 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }},
9553 { &hf_smb2_share_flags_force_levelii_oplock,
9554 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
9555 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }},
9557 { &hf_smb2_share_flags_enable_hash_v1,
9558 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
9559 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
9561 { &hf_smb2_share_flags_enable_hash_v2,
9562 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
9563 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
9565 { &hf_smb2_share_flags_encrypt_data,
9566 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
9567 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }},
9569 { &hf_smb2_share_caching,
9570 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
9571 VALS(share_cache_vals), 0, NULL, HFILL }},
9573 { &hf_smb2_share_caps,
9574 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
9575 NULL, 0, NULL, HFILL }},
9577 { &hf_smb2_share_caps_dfs,
9578 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
9579 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }},
9581 { &hf_smb2_share_caps_continuous_availability,
9582 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
9583 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY,
9584 "The specified share is continuously available", HFILL }},
9586 { &hf_smb2_share_caps_scaleout,
9587 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
9588 NULL, SHARE_CAPS_SCALEOUT,
9589 "The specified share is a scaleout share", HFILL }},
9591 { &hf_smb2_share_caps_cluster,
9592 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
9593 NULL, SHARE_CAPS_CLUSTER,
9594 "The specified share is a cluster share", HFILL }},
9596 { &hf_smb2_ioctl_flags,
9597 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
9598 NULL, 0, NULL, HFILL }},
9600 { &hf_smb2_min_count,
9601 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
9602 NULL, 0, NULL, HFILL }},
9604 { &hf_smb2_remaining_bytes,
9605 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
9607 { &hf_smb2_channel_info_offset,
9608 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
9609 NULL, 0, NULL, HFILL }},
9611 { &hf_smb2_channel_info_length,
9612 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
9613 NULL, 0, NULL, HFILL }},
9615 { &hf_smb2_channel_info_blob,
9616 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE, BASE_NONE,
9617 NULL, 0, NULL, HFILL }},
9619 { &hf_smb2_ioctl_is_fsctl,
9620 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
9621 NULL, 0x00000001, NULL, HFILL }},
9623 { &hf_smb2_output_buffer_len,
9624 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT16, BASE_DEC,
9625 NULL, 0, NULL, HFILL }},
9627 { &hf_smb2_close_pq_attrib,
9628 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
9629 NULL, 0x0001, NULL, HFILL }},
9631 { &hf_smb2_notify_watch_tree,
9632 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
9633 NULL, 0x0001, NULL, HFILL }},
9635 { &hf_smb2_notify_out_data,
9636 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
9637 NULL, 0, NULL, HFILL }},
9639 { &hf_smb2_notify_info,
9640 { "Notify Info", "smb2.notify.info", FT_NONE, BASE_NONE,
9641 NULL, 0, NULL, HFILL }},
9643 { &hf_smb2_notify_next_offset,
9644 { "Next Offset", "smb2.notify.next_offset", FT_UINT32, BASE_HEX,
9645 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
9647 { &hf_smb2_notify_action,
9648 { "Action", "smb2.notify.action", FT_UINT32, BASE_HEX,
9649 VALS(notify_action_vals), 0, "Notify Action", HFILL }},
9652 { &hf_smb2_find_flags_restart_scans,
9653 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
9654 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }},
9656 { &hf_smb2_find_flags_single_entry,
9657 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
9658 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }},
9660 { &hf_smb2_find_flags_index_specified,
9661 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
9662 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }},
9664 { &hf_smb2_find_flags_reopen,
9665 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
9666 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }},
9668 { &hf_smb2_file_index,
9669 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
9670 NULL, 0, NULL, HFILL }},
9672 { &hf_smb2_file_directory_info,
9673 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
9674 NULL, 0, NULL, HFILL }},
9676 { &hf_smb2_full_directory_info,
9677 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
9678 NULL, 0, NULL, HFILL }},
9680 { &hf_smb2_both_directory_info,
9681 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
9682 NULL, 0, NULL, HFILL }},
9684 { &hf_smb2_id_both_directory_info,
9685 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
9686 NULL, 0, NULL, HFILL }},
9688 { &hf_smb2_short_name_len,
9689 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
9690 NULL, 0, NULL, HFILL }},
9692 { &hf_smb2_short_name,
9693 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
9694 NULL, 0, NULL, HFILL }},
9696 { &hf_smb2_lock_info,
9697 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
9698 NULL, 0, NULL, HFILL }},
9700 { &hf_smb2_lock_length,
9701 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
9702 NULL, 0, NULL, HFILL }},
9704 { &hf_smb2_lock_flags,
9705 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
9706 NULL, 0, NULL, HFILL }},
9708 { &hf_smb2_lock_flags_shared,
9709 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
9710 NULL, 0x00000001, NULL, HFILL }},
9712 { &hf_smb2_lock_flags_exclusive,
9713 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
9714 NULL, 0x00000002, NULL, HFILL }},
9716 { &hf_smb2_lock_flags_unlock,
9717 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
9718 NULL, 0x00000004, NULL, HFILL }},
9720 { &hf_smb2_lock_flags_fail_immediately,
9721 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
9722 NULL, 0x00000010, NULL, HFILL }},
9724 { &hf_smb2_error_reserved,
9725 { "Reserved", "smb2.error.reserved", FT_UINT16, BASE_HEX,
9726 NULL, 0, NULL, HFILL }},
9728 { &hf_smb2_error_byte_count,
9729 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
9730 NULL, 0, NULL, HFILL }},
9732 { &hf_smb2_error_data,
9733 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
9734 NULL, 0, NULL, HFILL }},
9736 { &hf_smb2_reserved,
9737 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
9738 NULL, 0, "Reserved bytes", HFILL }},
9740 { &hf_smb2_reserved_random,
9741 { "Reserved (Random)", "smb2.reserved.random", FT_BYTES, BASE_NONE,
9742 NULL, 0, "Reserved bytes, random data", HFILL }},
9744 { &hf_smb2_root_directory_mbz,
9745 { "Root Dir Handle (MBZ)", "smb2.root_directory", FT_BYTES, BASE_NONE,
9746 NULL, 0, "Root Directory Handle, mbz", HFILL }},
9748 { &hf_smb2_dhnq_buffer_reserved,
9749 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
9750 NULL, 0, NULL, HFILL}},
9752 { &hf_smb2_dh2x_buffer_timeout,
9753 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
9754 NULL, 0, NULL, HFILL}},
9756 { &hf_smb2_dh2x_buffer_flags,
9757 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
9758 NULL, 0, NULL, HFILL}},
9760 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
9761 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
9762 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL}},
9764 { &hf_smb2_dh2x_buffer_reserved,
9765 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
9766 NULL, 0, NULL, HFILL}},
9768 { &hf_smb2_dh2x_buffer_create_guid,
9769 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
9770 NULL, 0, NULL, HFILL}},
9772 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
9773 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
9774 NULL, 0, NULL, HFILL}},
9776 { &hf_smb2_APP_INSTANCE_buffer_reserved,
9777 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
9778 NULL, 0, NULL, HFILL}},
9780 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
9781 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
9782 NULL, 0, NULL, HFILL}},
9784 { &hf_smb2_svhdx_open_device_context_version,
9785 { "Version", "smb2.svhdx_open_device_context.version", FT_UINT32, BASE_DEC,
9786 NULL, 0, NULL, HFILL}},
9788 { &hf_smb2_svhdx_open_device_context_has_initiator_id,
9789 { "HasInitiatorId", "smb2.svhdx_open_device_context.initiator_has_id", FT_BOOLEAN, 8,
9790 TFS(&tfs_smb2_svhdx_has_initiator_id), 0, "Whether the host has an intiator", HFILL}},
9792 { &hf_smb2_svhdx_open_device_context_reserved,
9793 { "Reserved", "smb2.svhdx_open_device_context.reserved", FT_BYTES, BASE_NONE,
9794 NULL, 0, NULL, HFILL }},
9796 { &hf_smb2_svhdx_open_device_context_initiator_id,
9797 { "InitiatorId", "smb2.svhdx_open_device_context.initiator_id", FT_BYTES, BASE_NONE,
9798 NULL, 0, NULL, HFILL }},
9800 { &hf_smb2_svhdx_open_device_context_flags,
9801 { "Flags", "smb2.svhdx_open_device_context.flags", FT_UINT32, BASE_HEX,
9802 NULL, 0, NULL, HFILL }},
9804 { &hf_smb2_svhdx_open_device_context_originator_flags,
9805 { "OriginatorFlags", "smb2.svhdx_open_device_context.originator_flags", FT_UINT32, BASE_HEX,
9806 VALS(originator_flags_vals), 0, "Originator Flags", HFILL }},
9808 { &hf_smb2_svhdx_open_device_context_open_request_id,
9809 { "OpenRequestId","smb2.svhxd_open_device_context.open_request_id", FT_UINT64, BASE_HEX,
9810 NULL, 0, NULL, HFILL }},
9812 { &hf_smb2_svhdx_open_device_context_initiator_host_name_len,
9813 { "HostNameLength", "smb2.svhxd_open_device_context.initiator_host_name_len", FT_UINT16, BASE_DEC,
9814 NULL, 0, NULL, HFILL }},
9816 { &hf_smb2_svhdx_open_device_context_initiator_host_name,
9817 { "HostName", "smb2.svhdx_open_device_context.host_name", FT_STRING, BASE_NONE,
9818 NULL, 0, NULL, HFILL }},
9820 { &hf_smb2_posix_v1_version,
9821 { "Version", "smb2.posix_v1_version", FT_UINT32, BASE_DEC,
9822 NULL, 0, NULL, HFILL }},
9824 { &hf_smb2_posix_v1_request,
9825 { "Request", "smb2.posix_request", FT_UINT32, BASE_HEX,
9826 NULL, 0, NULL, HFILL }},
9828 { &hf_smb2_posix_v1_case_sensitive,
9829 { "Posix Case Sensitive File Names", "smb2.posix_case_sensitive", FT_UINT32, BASE_HEX,
9830 VALS(posix_case_sensitive_vals), 0x01, NULL, HFILL }},
9832 { &hf_smb2_posix_v1_posix_lock,
9833 { "Posix Byte-Range Locks", "smb2.posix_locks", FT_UINT32, BASE_HEX,
9834 VALS(posix_locks_vals), 0x02, NULL, HFILL }},
9836 { &hf_smb2_posix_v1_posix_file_semantics,
9837 { "Posix File Semantics", "smb2.posix_file_semantics", FT_UINT32, BASE_HEX,
9838 VALS(posix_file_semantics_vals), 0x04, NULL, HFILL }},
9840 { &hf_smb2_posix_v1_posix_utf8_paths,
9841 { "Posix UTF8 Paths", "smb2.posix_utf8_paths", FT_UINT32, BASE_HEX,
9842 VALS(posix_utf8_paths_vals), 0x08, NULL, HFILL }},
9844 { &hf_smb2_posix_v1_posix_will_convert_nt_acls,
9845 { "Posix Will Convert NT ACLs", "smb2.will_convert_NTACLs", FT_UINT32, BASE_HEX,
9846 VALS(posix_will_convert_ntacls_vals), 0x10, NULL, HFILL }},
9848 { &hf_smb2_posix_v1_posix_fileinfo,
9849 { "Posix Fileinfo", "smb2.posix_fileinfo", FT_UINT32, BASE_HEX,
9850 VALS(posix_fileinfo_vals), 0x20, NULL, HFILL }},
9852 { &hf_smb2_posix_v1_posix_acls,
9853 { "Posix ACLs", "smb2.posix_acls", FT_UINT32, BASE_HEX,
9854 VALS(posix_acls_vals), 0x40, NULL, HFILL }},
9856 { &hf_smb2_posix_v1_rich_acls,
9857 { "Rich ACLs", "smb2.rich_acls", FT_UINT32, BASE_HEX,
9858 VALS(posix_rich_acls_vals), 0x80, NULL, HFILL }},
9860 { &hf_smb2_posix_v1_supported_features,
9861 { "Supported Features", "smb2.posix_supported_features", FT_UINT32, BASE_HEX,
9862 NULL, 0, NULL, HFILL }},
9864 { &hf_smb2_aapl_command_code,
9865 { "Command code", "smb2.aapl.command_code", FT_UINT32, BASE_DEC,
9866 VALS(aapl_command_code_vals), 0, NULL, HFILL }},
9868 { &hf_smb2_aapl_reserved,
9869 { "Reserved", "smb2.aapl.reserved", FT_UINT32, BASE_HEX,
9870 NULL, 0, NULL, HFILL }},
9872 { &hf_smb2_aapl_server_query_bitmask,
9873 { "Query bitmask", "smb2.aapl.query_bitmask", FT_UINT64, BASE_HEX,
9874 NULL, 0, NULL, HFILL }},
9876 { &hf_smb2_aapl_server_query_bitmask_server_caps,
9877 { "Server capabilities", "smb2.aapl.bitmask.server_caps", FT_BOOLEAN, 64,
9878 NULL, SMB2_AAPL_SERVER_CAPS, NULL, HFILL }},
9880 { &hf_smb2_aapl_server_query_bitmask_volume_caps,
9881 { "Volume capabilities", "smb2.aapl.bitmask.volume_caps", FT_BOOLEAN, 64,
9882 NULL, SMB2_AAPL_VOLUME_CAPS, NULL, HFILL }},
9884 { &hf_smb2_aapl_server_query_bitmask_model_info,
9885 { "Model information", "smb2.aapl.bitmask.model_info", FT_BOOLEAN, 64,
9886 NULL, SMB2_AAPL_MODEL_INFO, NULL, HFILL }},
9888 { &hf_smb2_aapl_server_query_caps,
9889 { "Client/Server capabilities", "smb2.aapl.caps", FT_UINT64, BASE_HEX,
9890 NULL, 0, NULL, HFILL }},
9892 { &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
9893 { "Supports READDIRATTR", "smb2.aapl.caps.supports_read_dir_addr", FT_BOOLEAN, 64,
9894 NULL, SMB2_AAPL_SUPPORTS_READ_DIR_ATTR, NULL, HFILL }},
9896 { &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
9897 { "Supports OS X copyfile", "smb2.aapl.caps.supports_osx_copyfile", FT_BOOLEAN, 64,
9898 NULL, SMB2_AAPL_SUPPORTS_OSX_COPYFILE, NULL, HFILL }},
9900 { &hf_smb2_aapl_server_query_caps_unix_based,
9901 { "UNIX-based", "smb2.aapl.caps.unix_based", FT_BOOLEAN, 64,
9902 NULL, SMB2_AAPL_UNIX_BASED, NULL, HFILL }},
9904 { &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
9905 { "Supports NFS ACE", "smb2.aapl.supports_nfs_ace", FT_BOOLEAN, 64,
9906 NULL, SMB2_AAPL_SUPPORTS_NFS_ACE, NULL, HFILL }},
9908 { &hf_smb2_aapl_server_query_volume_caps,
9909 { "Volume capabilities", "smb2.aapl.volume_caps", FT_UINT64, BASE_HEX,
9910 NULL, 0, NULL, HFILL }},
9912 { &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
9913 { "Supports Resolve ID", "smb2.aapl.volume_caps.supports_resolve_id", FT_BOOLEAN, 64,
9914 NULL, SMB2_AAPL_SUPPORTS_RESOLVE_ID, NULL, HFILL }},
9916 { &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
9917 { "Case sensitive", "smb2.aapl.volume_caps.case_sensitive", FT_BOOLEAN, 64,
9918 NULL, SMB2_AAPL_CASE_SENSITIVE, NULL, HFILL }},
9920 { &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
9921 { "Supports full sync", "smb2.aapl.volume_caps.supports_full_sync", FT_BOOLEAN, 64,
9922 NULL, SMB2_AAPL_SUPPORTS_FULL_SYNC, NULL, HFILL }},
9924 { &hf_smb2_aapl_server_query_model_string,
9925 { "Model string", "smb2.aapl.model_string", FT_UINT_STRING, STR_UNICODE,
9926 NULL, 0, NULL, HFILL }},
9928 { &hf_smb2_aapl_server_query_server_path,
9929 { "Server path", "smb2.aapl.server_path", FT_UINT_STRING, STR_UNICODE,
9930 NULL, 0, NULL, HFILL }},
9932 { &hf_smb2_transform_signature,
9933 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
9934 NULL, 0, NULL, HFILL }},
9936 { &hf_smb2_transform_nonce,
9937 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
9938 NULL, 0, NULL, HFILL }},
9940 { &hf_smb2_transform_msg_size,
9941 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
9942 NULL, 0, NULL, HFILL }},
9944 { &hf_smb2_transform_reserved,
9945 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
9946 NULL, 0, NULL, HFILL }},
9948 { &hf_smb2_transform_enc_alg,
9949 { "Encryption ALG", "smb2.header.transform.encryption_alg", FT_UINT16, BASE_HEX,
9950 NULL, 0, NULL, HFILL }},
9952 { &hf_smb2_encryption_aes128_ccm,
9953 { "SMB2_ENCRYPTION_AES128_CCM", "smb2.header.transform.enc_aes128_ccm", FT_BOOLEAN, 16,
9954 NULL, ENC_ALG_aes128_ccm, NULL, HFILL }},
9956 { &hf_smb2_transform_encrypted_data,
9957 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
9958 NULL, 0, NULL, HFILL }},
9960 { &hf_smb2_server_component_smb2,
9961 { "Server Component: SMB2", "smb2.server_component_smb2", FT_NONE, BASE_NONE,
9962 NULL, 0, NULL, HFILL }},
9964 { &hf_smb2_server_component_smb2_transform,
9965 { "Server Component: SMB2_TRANSFORM", "smb2.server_component_smb2_transform", FT_NONE, BASE_NONE,
9966 NULL, 0, NULL, HFILL }},
9968 { &hf_smb2_truncated,
9969 { "Truncated...", "smb2.truncated", FT_NONE, BASE_NONE,
9970 NULL, 0, NULL, HFILL }},
9972 { &hf_smb2_pipe_fragment_overlap,
9973 { "Fragment overlap", "smb2.pipe.fragment.overlap", FT_BOOLEAN, BASE_NONE,
9974 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }},
9975 { &hf_smb2_pipe_fragment_overlap_conflict,
9976 { "Conflicting data in fragment overlap", "smb2.pipe.fragment.overlap.conflict", FT_BOOLEAN,
9977 BASE_NONE, NULL, 0x0, "Overlapping fragments contained conflicting data", HFILL }},
9978 { &hf_smb2_pipe_fragment_multiple_tails,
9979 { "Multiple tail fragments found", "smb2.pipe.fragment.multipletails", FT_BOOLEAN,
9980 BASE_NONE, NULL, 0x0, "Several tails were found when defragmenting the packet", HFILL }},
9981 { &hf_smb2_pipe_fragment_too_long_fragment,
9982 { "Fragment too long", "smb2.pipe.fragment.toolongfragment", FT_BOOLEAN,
9983 BASE_NONE, NULL, 0x0, "Fragment contained data past end of packet", HFILL }},
9984 { &hf_smb2_pipe_fragment_error,
9985 { "Defragmentation error", "smb2.pipe.fragment.error", FT_FRAMENUM,
9986 BASE_NONE, NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }},
9987 { &hf_smb2_pipe_fragment_count,
9988 { "Fragment count", "smb2.pipe.fragment.count", FT_UINT32,
9989 BASE_DEC, NULL, 0x0, NULL, HFILL }},
9990 { &hf_smb2_pipe_fragment,
9991 { "Fragment SMB2 Named Pipe", "smb2.pipe.fragment", FT_FRAMENUM,
9992 BASE_NONE, NULL, 0x0, "SMB2 Named Pipe Fragment", HFILL }},
9993 { &hf_smb2_pipe_fragments,
9994 { "Reassembled SMB2 Named Pipe fragments", "smb2.pipe.fragments", FT_NONE,
9995 BASE_NONE, NULL, 0x0, "SMB2 Named Pipe Fragments", HFILL }},
9996 { &hf_smb2_pipe_reassembled_in,
9997 { "This SMB2 Named Pipe payload is reassembled in frame", "smb2.pipe.reassembled_in", FT_FRAMENUM,
9998 BASE_NONE, NULL, 0x0, "The Named Pipe PDU is completely reassembled in this frame", HFILL }},
9999 { &hf_smb2_pipe_reassembled_length,
10000 { "Reassembled SMB2 Named Pipe length", "smb2.pipe.reassembled.length", FT_UINT32,
10001 BASE_DEC, NULL, 0x0, "The total length of the reassembled payload", HFILL }},
10002 { &hf_smb2_pipe_reassembled_data,
10003 { "Reassembled SMB2 Named Pipe Data", "smb2.pipe.reassembled.data", FT_BYTES,
10004 BASE_NONE, NULL, 0x0, "The reassembled payload", HFILL }},
10005 { &hf_smb2_cchunk_resume_key,
10006 { "ResumeKey", "smb2.fsctl.cchunk.resume_key", FT_BYTES,
10007 BASE_NONE, NULL, 0x0, "Opaque data representing source of copy", HFILL }},
10008 { &hf_smb2_cchunk_count,
10009 { "Chunk Count", "smb2.fsctl.cchunk.count", FT_UINT32,
10010 BASE_DEC, NULL, 0x0, NULL, HFILL }},
10011 { &hf_smb2_cchunk_src_offset,
10012 { "Source Offset", "smb2.fsctl.cchunk.src_offset", FT_UINT64,
10013 BASE_DEC, NULL, 0x0, NULL, HFILL }},
10014 { &hf_smb2_cchunk_dst_offset,
10015 { "Target Offset", "smb2.fsctl.cchunk.dst_offset", FT_UINT64,
10016 BASE_DEC, NULL, 0x0, NULL, HFILL }},
10017 { &hf_smb2_cchunk_xfer_len,
10018 { "Transfer Length", "smb2.fsctl.cchunk.xfer_len", FT_UINT32,
10019 BASE_DEC, NULL, 0x0, NULL, HFILL }},
10020 { &hf_smb2_cchunk_chunks_written,
10021 { "Chunks Written", "smb2.fsctl.cchunk.chunks_written", FT_UINT32,
10022 BASE_DEC, NULL, 0x0, NULL, HFILL }},
10023 { &hf_smb2_cchunk_bytes_written,
10024 { "Chunk Bytes Written", "smb2.fsctl.cchunk.bytes_written", FT_UINT32,
10025 BASE_DEC, NULL, 0x0, NULL, HFILL }},
10026 { &hf_smb2_cchunk_total_written,
10027 { "Total Bytes Written", "smb2.fsctl.cchunk.total_written", FT_UINT32,
10028 BASE_DEC, NULL, 0x0, NULL, HFILL }},
10031 static gint *ett[] = {
10036 &ett_smb2_encrypted,
10039 &ett_smb2_negotiate_context_element,
10040 &ett_smb2_file_basic_info,
10041 &ett_smb2_file_standard_info,
10042 &ett_smb2_file_internal_info,
10043 &ett_smb2_file_ea_info,
10044 &ett_smb2_file_access_info,
10045 &ett_smb2_file_rename_info,
10046 &ett_smb2_file_disposition_info,
10047 &ett_smb2_file_position_info,
10048 &ett_smb2_file_full_ea_info,
10049 &ett_smb2_file_mode_info,
10050 &ett_smb2_file_alignment_info,
10051 &ett_smb2_file_all_info,
10052 &ett_smb2_file_allocation_info,
10053 &ett_smb2_file_endoffile_info,
10054 &ett_smb2_file_alternate_name_info,
10055 &ett_smb2_file_stream_info,
10056 &ett_smb2_file_pipe_info,
10057 &ett_smb2_file_compression_info,
10058 &ett_smb2_file_network_open_info,
10059 &ett_smb2_file_attribute_tag_info,
10060 &ett_smb2_fs_info_01,
10061 &ett_smb2_fs_info_03,
10062 &ett_smb2_fs_info_04,
10063 &ett_smb2_fs_info_05,
10064 &ett_smb2_fs_info_06,
10065 &ett_smb2_fs_info_07,
10066 &ett_smb2_fs_objectid_info,
10067 &ett_smb2_sec_info_00,
10068 &ett_smb2_tid_tree,
10069 &ett_smb2_sesid_tree,
10070 &ett_smb2_create_chain_element,
10071 &ett_smb2_MxAc_buffer,
10072 &ett_smb2_QFid_buffer,
10073 &ett_smb2_RqLs_buffer,
10074 &ett_smb2_ioctl_function,
10075 &ett_smb2_FILE_OBJECTID_BUFFER,
10077 &ett_smb2_sec_mode,
10078 &ett_smb2_capabilities,
10079 &ett_smb2_ses_req_flags,
10080 &ett_smb2_ses_flags,
10081 &ett_smb2_create_rep_flags,
10082 &ett_smb2_lease_state,
10083 &ett_smb2_lease_flags,
10084 &ett_smb2_share_flags,
10085 &ett_smb2_share_caps,
10086 &ett_smb2_ioctl_flags,
10087 &ett_smb2_ioctl_network_interface,
10088 &ett_smb2_fsctl_range_data,
10089 &ett_windows_sockaddr,
10090 &ett_smb2_close_flags,
10091 &ett_smb2_notify_info,
10092 &ett_smb2_notify_flags,
10094 &ett_smb2_write_flags,
10095 &ett_smb2_find_flags,
10096 &ett_smb2_file_directory_info,
10097 &ett_smb2_both_directory_info,
10098 &ett_smb2_id_both_directory_info,
10099 &ett_smb2_full_directory_info,
10100 &ett_smb2_file_name_info,
10101 &ett_smb2_lock_info,
10102 &ett_smb2_lock_flags,
10103 &ett_smb2_DH2Q_buffer,
10104 &ett_smb2_DH2C_buffer,
10105 &ett_smb2_dh2x_flags,
10106 &ett_smb2_APP_INSTANCE_buffer,
10107 &ett_smb2_svhdx_open_device_context,
10108 &ett_smb2_posix_v1_request,
10109 &ett_smb2_posix_v1_response,
10110 &ett_smb2_posix_v1_supported_features,
10111 &ett_smb2_aapl_create_context_request,
10112 &ett_smb2_aapl_server_query_bitmask,
10113 &ett_smb2_aapl_server_query_caps,
10114 &ett_smb2_aapl_create_context_response,
10115 &ett_smb2_aapl_server_query_volume_caps,
10116 &ett_smb2_integrity_flags,
10117 &ett_smb2_transform_enc_alg,
10118 &ett_smb2_buffercode,
10119 &ett_smb2_ioctl_network_interface_capabilities,
10121 &ett_smb2_pipe_fragment,
10122 &ett_smb2_pipe_fragments,
10123 &ett_smb2_cchunk_entry,
10126 static ei_register_info ei[] = {
10127 { &ei_smb2_invalid_length, { "smb2.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
10128 { &ei_smb2_bad_response, { "smb2.bad_response", PI_MALFORMED, PI_ERROR, "Bad response", EXPFILL }},
10131 expert_module_t* expert_smb2;
10133 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
10135 proto_register_subtree_array(ett, array_length(ett));
10136 proto_register_field_array(proto_smb2, hf, array_length(hf));
10137 expert_smb2 = expert_register_protocol(proto_smb2);
10138 expert_register_field_array(expert_smb2, ei, array_length(ei));
10140 smb2_module = prefs_register_protocol(proto_smb2, NULL);
10141 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
10142 "Use the full file name as File ID when exporting an SMB2 object",
10143 "Whether the export object functionality will take the full path file name as file identifier",
10144 &eosmb2_take_name_as_fid);
10146 prefs_register_bool_preference(smb2_module, "pipe_reassembly",
10147 "Reassemble Named Pipes over SMB2",
10148 "Whether the dissector should reassemble Named Pipes over SMB2 commands",
10149 &smb2_pipe_reassembly);
10150 smb2_pipe_subdissector_list = register_heur_dissector_list("smb2_pipe_subdissectors", proto_smb2);
10151 register_init_routine(smb2_pipe_reassembly_init);
10153 smb2_tap = register_tap("smb2");
10154 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
10156 register_srt_table(proto_smb2, NULL, 1, smb2stat_packet, smb2stat_init, NULL);
/*
 * Handoff routine for the SMB2 dissector.
 *
 * Resolves the handles of the dissectors SMB2 hands data to ("gssapi",
 * "ntlmssp", "rsvd"), recording each as a dependency of proto_smb2, and
 * then registers dissect_smb2_heur on the "netbios" and "smb_direct"
 * heuristic lists.
 *
 * Both heuristic entries are registered with HEURISTIC_ENABLE, so
 * dissect_smb2_heur (defined elsewhere in this file) is offered payloads
 * from those transports. That payload is capture data and must be treated
 * as untrusted by the heuristic and everything it calls.
 *
 * NOTE(review): the lookups below are not checked here; presumably a
 * handle is NULL when the named dissector is not registered - confirm
 * that the code using these handles copes with that.
 */
void
proto_reg_handoff_smb2(void)
{
	/* Transports whose payload is offered to the SMB2 heuristic. */
	static const struct {
		const char *parent;        /* heuristic list to attach to */
		const char *display_name;  /* name of this heuristic entry */
		const char *short_name;    /* internal name of this heuristic entry */
	} transports[] = {
		{ "netbios",    "SMB2 over Netbios",    "smb2_netbios"    },
		{ "smb_direct", "SMB2 over SMB Direct", "smb2_smb_direct" },
	};
	guint i;

	/* Sub-dissector handles, resolved in the same order as before. */
	gssapi_handle = find_dissector_add_dependency("gssapi", proto_smb2);
	ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smb2);
	rsvd_handle = find_dissector_add_dependency("rsvd", proto_smb2);

	/* One registration per transport, in table order. */
	for (i = 0; i < array_length(transports); i++) {
		heur_dissector_add(transports[i].parent, dissect_smb2_heur,
				   transports[i].display_name,
				   transports[i].short_name,
				   proto_smb2, HEURISTIC_ENABLE);
	}
}
10170 * Editor modelines - http://www.wireshark.org/tools/modelines.html
10173 * c-basic-offset: 8
10175 * indent-tabs-mode: t
10178 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
10179 * :indentSize=8:tabSize=8:noTabs=false: