2 * Routines for smb2 packet dissection
5 * For documentation of this protocol, see:
7 * https://wiki.wireshark.org/SMB2
8 * https://msdn.microsoft.com/en-us/library/cc246482.aspx
10 * If you edit this file, keep the wiki updated as well.
12 * Wireshark - Network traffic analyzer
13 * By Gerald Combs <gerald@wireshark.org>
14 * Copyright 1998 Gerald Combs
16 * SPDX-License-Identifier: GPL-2.0-or-later
22 #include <epan/packet.h>
23 #include <epan/prefs.h>
24 #include <epan/expert.h>
26 #include <epan/srt_table.h>
27 #include <epan/aftypes.h>
28 #include <epan/to_str.h>
29 #include <epan/asn1.h>
30 #include <epan/reassemble.h>
33 #include "packet-smb2.h"
34 #include "packet-ntlmssp.h"
35 #include "packet-kerberos.h"
36 #include "packet-windows-common.h"
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-nt.h"
40 #include "read_keytab_file.h"
42 #include <wsutil/wsgcrypt.h>
/* NTSTATUS code for STATUS_PENDING, defined locally. The code that compares
 * a response status against it is not in this part of the file. */
#define NT_STATUS_PENDING 0x00000103

/* Registration entry points; their definitions are elsewhere in the file. */
void proto_register_smb2(void);
void proto_reg_handoff_smb2(void);

/* Labels for the two header kinds named by this dissector:
 * the plain SMB2 header and the SMB2 transform header. */
static const char smb_header_label[]           = "SMB2 Header";
static const char smb_transform_header_label[] = "SMB2 Transform Header";
/*
 * Protocol handle and header-field handles, part 1: SMB2 header, flags,
 * timestamps, names/ids and GetInfo/SetInfo request fields (grouping is by
 * identifier name only).
 *
 * Every handle starts at -1. The code that assigns real ids is not in this
 * part of the file (presumably proto_register_smb2() - confirm there).
 */
static int proto_smb2 = -1;

/* header */
static int hf_smb2_cmd = -1;
static int hf_smb2_nt_status = -1;
static int hf_smb2_response_to = -1;
static int hf_smb2_response_in = -1;
static int hf_smb2_time = -1;
static int hf_smb2_header_len = -1;
static int hf_smb2_msg_id = -1;
static int hf_smb2_pid = -1;
static int hf_smb2_tid = -1;
static int hf_smb2_aid = -1;
static int hf_smb2_sesid = -1;
static int hf_smb2_previous_sesid = -1;

/* hf_smb2_flags_* */
static int hf_smb2_flags_response = -1;
static int hf_smb2_flags_async_cmd = -1;
static int hf_smb2_flags_dfs_op = -1;
static int hf_smb2_flags_chained = -1;
static int hf_smb2_flags_signature = -1;
static int hf_smb2_flags_replay_operation = -1;
static int hf_smb2_flags_priority_mask = -1;

static int hf_smb2_chain_offset = -1;
static int hf_smb2_security_blob = -1;
static int hf_smb2_ioctl_in_data = -1;
static int hf_smb2_ioctl_out_data = -1;
static int hf_smb2_unknown = -1;
static int hf_smb2_root_directory_mbz = -1;
static int hf_smb2_twrp_timestamp = -1;
static int hf_smb2_mxac_timestamp = -1;
static int hf_smb2_mxac_status = -1;
static int hf_smb2_qfid_fid = -1;
static int hf_smb2_create_timestamp = -1;
static int hf_smb2_oplock = -1;
static int hf_smb2_close_flags = -1;
static int hf_smb2_notify_flags = -1;
static int hf_smb2_last_access_timestamp = -1;
static int hf_smb2_last_write_timestamp = -1;
static int hf_smb2_last_change_timestamp = -1;
static int hf_smb2_current_time = -1;
static int hf_smb2_boot_time = -1;
static int hf_smb2_filename = -1;
static int hf_smb2_filename_len = -1;
static int hf_smb2_replace_if = -1;
static int hf_smb2_nlinks = -1;
static int hf_smb2_delete_pending = -1;
static int hf_smb2_is_directory = -1;
static int hf_smb2_file_id = -1;
static int hf_smb2_allocation_size = -1;
static int hf_smb2_end_of_file = -1;
static int hf_smb2_tree = -1;
static int hf_smb2_find_pattern = -1;
static int hf_smb2_find_info_level = -1;
static int hf_smb2_find_info_blob = -1;
static int hf_smb2_client_guid = -1;
static int hf_smb2_server_guid = -1;
static int hf_smb2_object_id = -1;
static int hf_smb2_birth_volume_id = -1;
static int hf_smb2_birth_object_id = -1;
static int hf_smb2_domain_id = -1;

/* info class / level and GetInfo / SetInfo sizes and offsets */
static int hf_smb2_class = -1;
static int hf_smb2_infolevel = -1;
static int hf_smb2_infolevel_file_info = -1;
static int hf_smb2_infolevel_fs_info = -1;
static int hf_smb2_infolevel_sec_info = -1;
static int hf_smb2_infolevel_posix_info = -1;
static int hf_smb2_max_response_size = -1;
static int hf_smb2_max_ioctl_in_size = -1;
static int hf_smb2_max_ioctl_out_size = -1;
static int hf_smb2_flags = -1;
static int hf_smb2_required_buffer_size = -1;
static int hf_smb2_getinfo_input_size = -1;
static int hf_smb2_getinfo_input_offset = -1;
static int hf_smb2_getinfo_additional = -1;
static int hf_smb2_getinfo_flags = -1;
static int hf_smb2_setinfo_size = -1;
static int hf_smb2_setinfo_offset = -1;
/*
 * Header-field handles, part 2: one handle per file / filesystem / security /
 * quota information structure (grouping is by identifier name only).
 * All start at -1; the assignment of real ids is not in this part of the file.
 */

/* hf_smb2_file_*_info */
static int hf_smb2_file_basic_info = -1;
static int hf_smb2_file_standard_info = -1;
static int hf_smb2_file_internal_info = -1;
static int hf_smb2_file_ea_info = -1;
static int hf_smb2_file_access_info = -1;
static int hf_smb2_file_rename_info = -1;
static int hf_smb2_file_disposition_info = -1;
static int hf_smb2_file_position_info = -1;
static int hf_smb2_file_full_ea_info = -1;
static int hf_smb2_file_mode_info = -1;
static int hf_smb2_file_alignment_info = -1;
static int hf_smb2_file_all_info = -1;
static int hf_smb2_file_allocation_info = -1;
static int hf_smb2_file_endoffile_info = -1;
static int hf_smb2_file_alternate_name_info = -1;
static int hf_smb2_file_stream_info = -1;
static int hf_smb2_file_pipe_info = -1;
static int hf_smb2_file_compression_info = -1;
static int hf_smb2_file_network_open_info = -1;
static int hf_smb2_file_attribute_tag_info = -1;

/* hf_smb2_fs_* (there is no _02 handle in this list) */
static int hf_smb2_fs_info_01 = -1;
static int hf_smb2_fs_info_03 = -1;
static int hf_smb2_fs_info_04 = -1;
static int hf_smb2_fs_info_05 = -1;
static int hf_smb2_fs_info_06 = -1;
static int hf_smb2_fs_info_07 = -1;
static int hf_smb2_fs_objectid_info = -1;

/* security and quota */
static int hf_smb2_sec_info_00 = -1;
static int hf_smb2_quota_info = -1;
static int hf_smb2_query_quota_info = -1;
static int hf_smb2_qq_single = -1;
static int hf_smb2_qq_restart = -1;
static int hf_smb2_qq_sidlist_len = -1;
static int hf_smb2_qq_start_sid_len = -1;
static int hf_smb2_qq_start_sid_offset = -1;
/*
 * Header-field handles, part 3: read/write, create, negotiate-context,
 * extended-attribute, mode and ioctl-function fields (grouping is by
 * identifier name only). All start at -1; the assignment of real ids is not
 * in this part of the file.
 */

/* read / write / query-file-regions */
static int hf_smb2_fid = -1;
static int hf_smb2_write_length = -1;
static int hf_smb2_write_data = -1;
static int hf_smb2_write_flags = -1;
static int hf_smb2_write_flags_write_through = -1;
static int hf_smb2_write_count = -1;
static int hf_smb2_write_remaining = -1;
static int hf_smb2_read_length = -1;
static int hf_smb2_read_remaining = -1;
static int hf_smb2_file_offset = -1;
static int hf_smb2_qfr_length = -1;
static int hf_smb2_qfr_usage = -1;
static int hf_smb2_qfr_flags = -1;
static int hf_smb2_qfr_total_region_entry_count = -1;
static int hf_smb2_qfr_region_entry_count = -1;
static int hf_smb2_read_data = -1;

/* create */
static int hf_smb2_disposition_delete_on_close = -1;
static int hf_smb2_create_disposition = -1;
static int hf_smb2_create_chain_offset = -1;
static int hf_smb2_create_chain_data = -1;
static int hf_smb2_data_offset = -1;
static int hf_smb2_extrainfo = -1;
static int hf_smb2_create_action = -1;
static int hf_smb2_create_rep_flags = -1;
static int hf_smb2_create_rep_flags_reparse_point = -1;
static int hf_smb2_next_offset = -1;

/* negotiate contexts: hash algorithms, salt, ciphers */
static int hf_smb2_negotiate_context_type = -1;
static int hf_smb2_negotiate_context_data_length = -1;
static int hf_smb2_negotiate_context_offset = -1;
static int hf_smb2_negotiate_context_count = -1;
static int hf_smb2_hash_alg_count = -1;
static int hf_smb2_hash_algorithm = -1;
static int hf_smb2_salt_length = -1;
static int hf_smb2_salt = -1;
static int hf_smb2_cipher_count = -1;
static int hf_smb2_cipher_id = -1;

/* hf_smb2_ea_* */
static int hf_smb2_ea_size = -1;
static int hf_smb2_ea_flags = -1;
static int hf_smb2_ea_name_len = -1;
static int hf_smb2_ea_data_len = -1;
static int hf_smb2_ea_name = -1;
static int hf_smb2_ea_data = -1;

/* position / mode / alignment */
static int hf_smb2_position_information = -1;
static int hf_smb2_mode_information = -1;
static int hf_smb2_mode_file_write_through = -1;
static int hf_smb2_mode_file_sequential_only = -1;
static int hf_smb2_mode_file_no_intermediate_buffering = -1;
static int hf_smb2_mode_file_synchronous_io_alert = -1;
static int hf_smb2_mode_file_synchronous_io_nonalert = -1;
static int hf_smb2_mode_file_delete_on_close = -1;
static int hf_smb2_alignment_information = -1;

/* buffer code, offset/length/buffer, ioctl function */
static int hf_smb2_buffer_code = -1;
static int hf_smb2_buffer_code_len = -1;
static int hf_smb2_buffer_code_flags_dyn = -1;
static int hf_smb2_olb_offset = -1;
static int hf_smb2_olb_length = -1;
static int hf_smb2_tag = -1;
static int hf_smb2_impersonation_level = -1;
static int hf_smb2_ioctl_function = -1;
static int hf_smb2_ioctl_function_device = -1;
static int hf_smb2_ioctl_function_access = -1;
static int hf_smb2_ioctl_function_function = -1;
static int hf_smb2_fsctl_pipe_wait_timeout = -1;
static int hf_smb2_fsctl_pipe_wait_name = -1;
/*
 * Header-field handles for the hf_smb2_fsctl_odx_* fields (token, size,
 * flags, offsets and lengths, judging by the names). All start at -1; the
 * assignment of real ids is not in this part of the file.
 */
static int hf_smb2_fsctl_odx_token_type = -1;
static int hf_smb2_fsctl_odx_token_idlen = -1;
static int hf_smb2_fsctl_odx_token_idraw = -1;
static int hf_smb2_fsctl_odx_token_ttl = -1;
static int hf_smb2_fsctl_odx_size = -1;
static int hf_smb2_fsctl_odx_flags = -1;
static int hf_smb2_fsctl_odx_file_offset = -1;
static int hf_smb2_fsctl_odx_copy_length = -1;
static int hf_smb2_fsctl_odx_xfer_length = -1;
static int hf_smb2_fsctl_odx_token_offset = -1;
/*
 * Header-field handles for fsctl/ioctl payloads: sparse ranges, resiliency,
 * shared virtual disk, storage QoS (sqos), socket addresses, network
 * interface info and shadow copies (grouping is by identifier name only).
 * All start at -1; the assignment of real ids is not in this part of the file.
 */
static int hf_smb2_fsctl_sparse_flag = -1;
static int hf_smb2_fsctl_range_offset = -1;
static int hf_smb2_fsctl_range_length = -1;
static int hf_smb2_ioctl_function_method = -1;
static int hf_smb2_ioctl_resiliency_timeout = -1;
static int hf_smb2_ioctl_resiliency_reserved = -1;
static int hf_smb2_ioctl_shared_virtual_disk_support = -1;
static int hf_smb2_ioctl_shared_virtual_disk_handle_state = -1;

/* hf_smb2_ioctl_sqos_* */
static int hf_smb2_ioctl_sqos_protocol_version = -1;
static int hf_smb2_ioctl_sqos_reserved = -1;
static int hf_smb2_ioctl_sqos_options = -1;
static int hf_smb2_ioctl_sqos_op_set_logical_flow_id = -1;
static int hf_smb2_ioctl_sqos_op_set_policy = -1;
static int hf_smb2_ioctl_sqos_op_probe_policy = -1;
static int hf_smb2_ioctl_sqos_op_get_status = -1;
static int hf_smb2_ioctl_sqos_op_update_counters = -1;
static int hf_smb2_ioctl_sqos_logical_flow_id = -1;
static int hf_smb2_ioctl_sqos_policy_id = -1;
static int hf_smb2_ioctl_sqos_initiator_id = -1;
static int hf_smb2_ioctl_sqos_limit = -1;
static int hf_smb2_ioctl_sqos_reservation = -1;
static int hf_smb2_ioctl_sqos_initiator_name = -1;
static int hf_smb2_ioctl_sqos_initiator_node_name = -1;
static int hf_smb2_ioctl_sqos_io_count_increment = -1;
static int hf_smb2_ioctl_sqos_normalized_io_count_increment = -1;
static int hf_smb2_ioctl_sqos_latency_increment = -1;
static int hf_smb2_ioctl_sqos_lower_latency_increment = -1;
static int hf_smb2_ioctl_sqos_bandwidth_limit = -1;
static int hf_smb2_ioctl_sqos_kilobyte_count_increment = -1;
static int hf_smb2_ioctl_sqos_time_to_live = -1;
static int hf_smb2_ioctl_sqos_status = -1;
static int hf_smb2_ioctl_sqos_maximum_io_rate = -1;
static int hf_smb2_ioctl_sqos_minimum_io_rate = -1;
static int hf_smb2_ioctl_sqos_base_io_size = -1;
static int hf_smb2_ioctl_sqos_reserved2 = -1;
static int hf_smb2_ioctl_sqos_maximum_bandwidth = -1;

/* hf_windows_sockaddr_* */
static int hf_windows_sockaddr_family = -1;
static int hf_windows_sockaddr_port = -1;
static int hf_windows_sockaddr_in_addr = -1;
static int hf_windows_sockaddr_in6_flowinfo = -1;
static int hf_windows_sockaddr_in6_addr = -1;
static int hf_windows_sockaddr_in6_scope_id = -1;

/* hf_smb2_ioctl_network_interface_* and hf_smb2_ioctl_shadow_copy_* */
static int hf_smb2_ioctl_network_interface_next_offset = -1;
static int hf_smb2_ioctl_network_interface_index = -1;
static int hf_smb2_ioctl_network_interface_rss_queue_count = -1;
static int hf_smb2_ioctl_network_interface_capabilities = -1;
static int hf_smb2_ioctl_network_interface_capability_rss = -1;
static int hf_smb2_ioctl_network_interface_capability_rdma = -1;
static int hf_smb2_ioctl_network_interface_link_speed = -1;
static int hf_smb2_ioctl_shadow_copy_num_volumes = -1;
static int hf_smb2_ioctl_shadow_copy_num_labels = -1;
static int hf_smb2_ioctl_shadow_copy_count = -1;
static int hf_smb2_ioctl_shadow_copy_label = -1;
/*
 * Header-field handles for integrity info, leases, session setup, negotiate
 * capabilities and share properties (grouping is by identifier name only).
 * All start at -1; the assignment of real ids is not in this part of the file.
 */
static int hf_smb2_compression_format = -1;
static int hf_smb2_checksum_algorithm = -1;
static int hf_smb2_integrity_reserved = -1;
static int hf_smb2_integrity_flags = -1;
static int hf_smb2_integrity_flags_enforcement_off = -1;
static int hf_smb2_FILE_OBJECTID_BUFFER = -1;

/* leases */
static int hf_smb2_lease_key = -1;
static int hf_smb2_lease_state = -1;
static int hf_smb2_lease_state_read_caching = -1;
static int hf_smb2_lease_state_handle_caching = -1;
static int hf_smb2_lease_state_write_caching = -1;
static int hf_smb2_lease_flags = -1;
static int hf_smb2_lease_flags_break_ack_required = -1;
static int hf_smb2_lease_flags_parent_lease_key_set = -1;
static int hf_smb2_lease_flags_break_in_progress = -1;
static int hf_smb2_lease_duration = -1;
static int hf_smb2_parent_lease_key = -1;
static int hf_smb2_lease_epoch = -1;
static int hf_smb2_lease_reserved = -1;
static int hf_smb2_lease_break_reason = -1;
static int hf_smb2_lease_access_mask_hint = -1;
static int hf_smb2_lease_share_mask_hint = -1;

/* account / session / signing / credits */
static int hf_smb2_acct_name = -1;
static int hf_smb2_domain_name = -1;
static int hf_smb2_host_name = -1;
static int hf_smb2_auth_frame = -1;
static int hf_smb2_tcon_frame = -1;
static int hf_smb2_share_type = -1;
static int hf_smb2_signature = -1;
static int hf_smb2_credit_charge = -1;
static int hf_smb2_credits_requested = -1;
static int hf_smb2_credits_granted = -1;
static int hf_smb2_channel_sequence = -1;
static int hf_smb2_dialect_count = -1;
static int hf_smb2_security_mode = -1;
static int hf_smb2_secmode_flags_sign_required = -1;
static int hf_smb2_secmode_flags_sign_enabled = -1;
static int hf_smb2_ses_req_flags = -1;
static int hf_smb2_ses_req_flags_session_binding = -1;

/* hf_smb2_cap_* and negotiated sizes */
static int hf_smb2_capabilities = -1;
static int hf_smb2_cap_dfs = -1;
static int hf_smb2_cap_leasing = -1;
static int hf_smb2_cap_large_mtu = -1;
static int hf_smb2_cap_multi_channel = -1;
static int hf_smb2_cap_persistent_handles = -1;
static int hf_smb2_cap_directory_leasing = -1;
static int hf_smb2_cap_encryption = -1;
static int hf_smb2_dialect = -1;
static int hf_smb2_max_trans_size = -1;
static int hf_smb2_max_read_size = -1;
static int hf_smb2_max_write_size = -1;
static int hf_smb2_channel = -1;
static int hf_smb2_rdma_v1_offset = -1;
static int hf_smb2_rdma_v1_token = -1;
static int hf_smb2_rdma_v1_length = -1;

/* session flags */
static int hf_smb2_session_flags = -1;
static int hf_smb2_ses_flags_guest = -1;
static int hf_smb2_ses_flags_null = -1;
static int hf_smb2_ses_flags_encrypt = -1;

/* hf_smb2_share_* */
static int hf_smb2_share_flags = -1;
static int hf_smb2_share_flags_dfs = -1;
static int hf_smb2_share_flags_dfs_root = -1;
static int hf_smb2_share_flags_restrict_exclusive_opens = -1;
static int hf_smb2_share_flags_force_shared_delete = -1;
static int hf_smb2_share_flags_allow_namespace_caching = -1;
static int hf_smb2_share_flags_access_based_dir_enum = -1;
static int hf_smb2_share_flags_force_levelii_oplock = -1;
static int hf_smb2_share_flags_enable_hash_v1 = -1;
static int hf_smb2_share_flags_enable_hash_v2 = -1;
static int hf_smb2_share_flags_encrypt_data = -1;
static int hf_smb2_share_caching = -1;
static int hf_smb2_share_caps = -1;
static int hf_smb2_share_caps_dfs = -1;
static int hf_smb2_share_caps_continuous_availability = -1;
static int hf_smb2_share_caps_scaleout = -1;
static int hf_smb2_share_caps_cluster = -1;
/*
 * Header-field handles for create, lock, notify and find requests and for
 * the create-context buffers (durable handle, app instance, shared VHDX,
 * POSIX v1, AAPL) - grouping is by identifier name only.
 * All start at -1; the assignment of real ids is not in this part of the file.
 */
static int hf_smb2_create_flags = -1;
static int hf_smb2_lock_count = -1;
static int hf_smb2_min_count = -1;
static int hf_smb2_remaining_bytes = -1;
static int hf_smb2_channel_info_offset = -1;
static int hf_smb2_channel_info_length = -1;
static int hf_smb2_channel_info_blob = -1;
static int hf_smb2_ioctl_flags = -1;
static int hf_smb2_ioctl_is_fsctl = -1;
static int hf_smb2_close_pq_attrib = -1;

/* notify */
static int hf_smb2_notify_watch_tree = -1;
static int hf_smb2_output_buffer_len = -1;
static int hf_smb2_notify_out_data = -1;
static int hf_smb2_notify_info = -1;
static int hf_smb2_notify_next_offset = -1;
static int hf_smb2_notify_action = -1;

/* find / directory listings */
static int hf_smb2_find_flags = -1;
static int hf_smb2_find_flags_restart_scans = -1;
static int hf_smb2_find_flags_single_entry = -1;
static int hf_smb2_find_flags_index_specified = -1;
static int hf_smb2_find_flags_reopen = -1;
static int hf_smb2_file_index = -1;
static int hf_smb2_file_directory_info = -1;
static int hf_smb2_both_directory_info = -1;
static int hf_smb2_short_name_len = -1;
static int hf_smb2_short_name = -1;
static int hf_smb2_id_both_directory_info = -1;
static int hf_smb2_full_directory_info = -1;

/* locks */
static int hf_smb2_lock_info = -1;
static int hf_smb2_lock_length = -1;
static int hf_smb2_lock_flags = -1;
static int hf_smb2_lock_flags_shared = -1;
static int hf_smb2_lock_flags_exclusive = -1;
static int hf_smb2_lock_flags_unlock = -1;
static int hf_smb2_lock_flags_fail_immediately = -1;

/* hf_smb2_dhnq_*, hf_smb2_dh2x_*, hf_smb2_APP_INSTANCE_* */
static int hf_smb2_dhnq_buffer_reserved = -1;
static int hf_smb2_dh2x_buffer_timeout = -1;
static int hf_smb2_dh2x_buffer_flags = -1;
static int hf_smb2_dh2x_buffer_flags_persistent_handle = -1;
static int hf_smb2_dh2x_buffer_reserved = -1;
static int hf_smb2_dh2x_buffer_create_guid = -1;
static int hf_smb2_APP_INSTANCE_buffer_struct_size = -1;
static int hf_smb2_APP_INSTANCE_buffer_reserved = -1;
static int hf_smb2_APP_INSTANCE_buffer_app_guid = -1;

/* hf_smb2_svhdx_open_device_context_* */
static int hf_smb2_svhdx_open_device_context_version = -1;
static int hf_smb2_svhdx_open_device_context_has_initiator_id = -1;
static int hf_smb2_svhdx_open_device_context_reserved = -1;
static int hf_smb2_svhdx_open_device_context_initiator_id = -1;
static int hf_smb2_svhdx_open_device_context_flags = -1;
static int hf_smb2_svhdx_open_device_context_originator_flags = -1;
static int hf_smb2_svhdx_open_device_context_open_request_id = -1;
static int hf_smb2_svhdx_open_device_context_initiator_host_name_len = -1;
static int hf_smb2_svhdx_open_device_context_initiator_host_name = -1;
static int hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized = -1;
static int hf_smb2_svhdx_open_device_context_server_service_version = -1;
static int hf_smb2_svhdx_open_device_context_virtual_sector_size = -1;
static int hf_smb2_svhdx_open_device_context_physical_sector_size = -1;
static int hf_smb2_svhdx_open_device_context_virtual_size = -1;

/* hf_smb2_posix_v1_* */
static int hf_smb2_posix_v1_version = -1;
static int hf_smb2_posix_v1_request = -1;
static int hf_smb2_posix_v1_supported_features = -1;
static int hf_smb2_posix_v1_posix_lock = -1;
static int hf_smb2_posix_v1_posix_file_semantics = -1;
static int hf_smb2_posix_v1_posix_utf8_paths = -1;
static int hf_smb2_posix_v1_case_sensitive = -1;
static int hf_smb2_posix_v1_posix_will_convert_nt_acls = -1;
static int hf_smb2_posix_v1_posix_fileinfo = -1;
static int hf_smb2_posix_v1_posix_acls = -1;
static int hf_smb2_posix_v1_rich_acls = -1;

/* hf_smb2_aapl_* */
static int hf_smb2_aapl_command_code = -1;
static int hf_smb2_aapl_reserved = -1;
static int hf_smb2_aapl_server_query_bitmask = -1;
static int hf_smb2_aapl_server_query_bitmask_server_caps = -1;
static int hf_smb2_aapl_server_query_bitmask_volume_caps = -1;
static int hf_smb2_aapl_server_query_bitmask_model_info = -1;
static int hf_smb2_aapl_server_query_caps = -1;
static int hf_smb2_aapl_server_query_caps_supports_read_dir_attr = -1;
static int hf_smb2_aapl_server_query_caps_supports_osx_copyfile = -1;
static int hf_smb2_aapl_server_query_caps_unix_based = -1;
static int hf_smb2_aapl_server_query_caps_supports_nfs_ace = -1;
static int hf_smb2_aapl_server_query_volume_caps = -1;
static int hf_smb2_aapl_server_query_volume_caps_support_resolve_id = -1;
static int hf_smb2_aapl_server_query_volume_caps_case_sensitive = -1;
static int hf_smb2_aapl_server_query_volume_caps_supports_full_sync = -1;
static int hf_smb2_aapl_server_query_model_string = -1;
static int hf_smb2_aapl_server_query_server_path = -1;
/*
 * Header-field handles for error responses, the transform header, named-pipe
 * reassembly, copy-chunk and symlink/reparse data (grouping is by identifier
 * name only). All start at -1; the assignment of real ids is not in this part
 * of the file.
 */

/* error response */
static int hf_smb2_error_context_count = -1;
static int hf_smb2_error_reserved = -1;
static int hf_smb2_error_byte_count = -1;
static int hf_smb2_error_data = -1;
static int hf_smb2_reserved = -1;
static int hf_smb2_reserved_random = -1;

/* transform header: signature, nonce, size, algorithm, encrypted payload */
static int hf_smb2_transform_signature = -1;
static int hf_smb2_transform_nonce = -1;
static int hf_smb2_transform_msg_size = -1;
static int hf_smb2_transform_reserved = -1;
static int hf_smb2_encryption_aes128_ccm = -1;
static int hf_smb2_transform_enc_alg = -1;
static int hf_smb2_transform_encrypted_data = -1;
static int hf_smb2_server_component_smb2 = -1;
static int hf_smb2_server_component_smb2_transform = -1;
static int hf_smb2_truncated = -1;

/* hf_smb2_pipe_*: the same handles are referenced by smb2_pipe_frag_items */
static int hf_smb2_pipe_fragments = -1;
static int hf_smb2_pipe_fragment = -1;
static int hf_smb2_pipe_fragment_overlap = -1;
static int hf_smb2_pipe_fragment_overlap_conflict = -1;
static int hf_smb2_pipe_fragment_multiple_tails = -1;
static int hf_smb2_pipe_fragment_too_long_fragment = -1;
static int hf_smb2_pipe_fragment_error = -1;
static int hf_smb2_pipe_fragment_count = -1;
static int hf_smb2_pipe_reassembled_in = -1;
static int hf_smb2_pipe_reassembled_length = -1;
static int hf_smb2_pipe_reassembled_data = -1;

/* hf_smb2_cchunk_* */
static int hf_smb2_cchunk_resume_key = -1;
static int hf_smb2_cchunk_count = -1;
static int hf_smb2_cchunk_src_offset = -1;
static int hf_smb2_cchunk_dst_offset = -1;
static int hf_smb2_cchunk_xfer_len = -1;
static int hf_smb2_cchunk_chunks_written = -1;
static int hf_smb2_cchunk_bytes_written = -1;
static int hf_smb2_cchunk_total_written = -1;

/* symlink error response and reparse data */
static int hf_smb2_symlink_error_response = -1;
static int hf_smb2_symlink_length = -1;
static int hf_smb2_symlink_error_tag = -1;
static int hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER = -1;
static int hf_smb2_reparse_tag = -1;
static int hf_smb2_reparse_data_length = -1;
static int hf_smb2_unparsed_path_length = -1;
static int hf_smb2_symlink_substitute_name = -1;
static int hf_smb2_symlink_print_name = -1;
static int hf_smb2_symlink_flags = -1;
/*
 * Subtree (ett) handles, one per expandable item this dissector names.
 * All start at -1; the code that assigns real indices is not in this part of
 * the file.
 */
static gint ett_smb2 = -1;
static gint ett_smb2_olb = -1;
static gint ett_smb2_ea = -1;
static gint ett_smb2_header = -1;
static gint ett_smb2_encrypted = -1;
static gint ett_smb2_command = -1;
static gint ett_smb2_secblob = -1;
static gint ett_smb2_negotiate_context_element = -1;

/* ett_smb2_file_*_info */
static gint ett_smb2_file_basic_info = -1;
static gint ett_smb2_file_standard_info = -1;
static gint ett_smb2_file_internal_info = -1;
static gint ett_smb2_file_ea_info = -1;
static gint ett_smb2_file_access_info = -1;
static gint ett_smb2_file_position_info = -1;
static gint ett_smb2_file_mode_info = -1;
static gint ett_smb2_file_alignment_info = -1;
static gint ett_smb2_file_all_info = -1;
static gint ett_smb2_file_allocation_info = -1;
static gint ett_smb2_file_endoffile_info = -1;
static gint ett_smb2_file_alternate_name_info = -1;
static gint ett_smb2_file_stream_info = -1;
static gint ett_smb2_file_pipe_info = -1;
static gint ett_smb2_file_compression_info = -1;
static gint ett_smb2_file_network_open_info = -1;
static gint ett_smb2_file_attribute_tag_info = -1;
static gint ett_smb2_file_rename_info = -1;
static gint ett_smb2_file_disposition_info = -1;
static gint ett_smb2_file_full_ea_info = -1;

/* filesystem / security / quota info */
static gint ett_smb2_fs_info_01 = -1;
static gint ett_smb2_fs_info_03 = -1;
static gint ett_smb2_fs_info_04 = -1;
static gint ett_smb2_fs_info_05 = -1;
static gint ett_smb2_fs_info_06 = -1;
static gint ett_smb2_fs_info_07 = -1;
static gint ett_smb2_fs_objectid_info = -1;
static gint ett_smb2_sec_info_00 = -1;
static gint ett_smb2_quota_info = -1;
static gint ett_smb2_query_quota_info = -1;

/* tree / session / create-context buffers */
static gint ett_smb2_tid_tree = -1;
static gint ett_smb2_sesid_tree = -1;
static gint ett_smb2_create_chain_element = -1;
static gint ett_smb2_MxAc_buffer = -1;
static gint ett_smb2_QFid_buffer = -1;
static gint ett_smb2_RqLs_buffer = -1;
static gint ett_smb2_ioctl_function = -1;
static gint ett_smb2_FILE_OBJECTID_BUFFER = -1;

/* flag bitmasks */
static gint ett_smb2_flags = -1;
static gint ett_smb2_sec_mode = -1;
static gint ett_smb2_capabilities = -1;
static gint ett_smb2_ses_req_flags = -1;
static gint ett_smb2_ses_flags = -1;
static gint ett_smb2_lease_state = -1;
static gint ett_smb2_lease_flags = -1;
static gint ett_smb2_share_flags = -1;
static gint ett_smb2_create_rep_flags = -1;
static gint ett_smb2_share_caps = -1;
static gint ett_smb2_ioctl_flags = -1;
static gint ett_smb2_ioctl_network_interface = -1;
/* "opeations" is the identifier's spelling as declared; renaming it would
 * also require changing every use, none of which is visible here. */
static gint ett_smb2_ioctl_sqos_opeations = -1;
static gint ett_smb2_fsctl_range_data = -1;
static gint ett_windows_sockaddr = -1;
static gint ett_smb2_close_flags = -1;
static gint ett_smb2_notify_info = -1;
static gint ett_smb2_notify_flags = -1;
static gint ett_smb2_write_flags = -1;
static gint ett_smb2_rdma_v1 = -1;

/* durable handle, app instance, shared VHDX, POSIX v1, AAPL contexts */
static gint ett_smb2_DH2Q_buffer = -1;
static gint ett_smb2_DH2C_buffer = -1;
static gint ett_smb2_dh2x_flags = -1;
static gint ett_smb2_APP_INSTANCE_buffer = -1;
static gint ett_smb2_svhdx_open_device_context = -1;
static gint ett_smb2_posix_v1_request = -1;
static gint ett_smb2_posix_v1_response = -1;
static gint ett_smb2_posix_v1_supported_features = -1;
static gint ett_smb2_aapl_create_context_request = -1;
static gint ett_smb2_aapl_server_query_bitmask = -1;
static gint ett_smb2_aapl_server_query_caps = -1;
static gint ett_smb2_aapl_create_context_response = -1;
static gint ett_smb2_aapl_server_query_volume_caps = -1;

/* remaining subtrees */
static gint ett_smb2_integrity_flags = -1;
static gint ett_smb2_find_flags = -1;
static gint ett_smb2_file_directory_info = -1;
static gint ett_smb2_both_directory_info = -1;
static gint ett_smb2_id_both_directory_info = -1;
static gint ett_smb2_full_directory_info = -1;
static gint ett_smb2_file_name_info = -1;
static gint ett_smb2_lock_info = -1;
static gint ett_smb2_lock_flags = -1;
static gint ett_smb2_transform_enc_alg = -1;
static gint ett_smb2_buffercode = -1;
static gint ett_smb2_ioctl_network_interface_capabilities = -1;
static gint ett_qfr_entry = -1;
static gint ett_smb2_pipe_fragment = -1;
static gint ett_smb2_pipe_fragments = -1;
static gint ett_smb2_cchunk_entry = -1;
static gint ett_smb2_fsctl_odx_token = -1;
static gint ett_smb2_symlink_error_response = -1;
static gint ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER = -1;
static gint ett_smb2_error_data = -1;
/*
 * Expert-info handles. Judging by their names they flag malformed or
 * inconsistent packet contents: a bad length, an unexpected response, and a
 * GetInfo input buffer whose offset or size is invalid or which is empty.
 * The checks that raise them are not in this part of the file.
 */
static expert_field ei_smb2_invalid_length         = EI_INIT;
static expert_field ei_smb2_bad_response           = EI_INIT;
static expert_field ei_smb2_invalid_getinfo_offset = EI_INIT;
static expert_field ei_smb2_invalid_getinfo_size   = EI_INIT;
static expert_field ei_smb2_empty_getinfo_buffer   = EI_INIT;
/* Tap handles, both -1 until assigned. The registration code is not in this
 * part of the file; "eo" presumably stands for export-object (confirm). */
static int smb2_tap    = -1;
static int smb2_eo_tap = -1;
/* Handles for other dissectors this one can hand data to. They are NULL
 * here; the lookup that fills them in is not in this part of the file. */
static dissector_handle_t gssapi_handle  = NULL;
static dissector_handle_t ntlmssp_handle = NULL;
static dissector_handle_t rsvd_handle    = NULL;

/* Heuristic sub-dissector list, named for named-pipe payloads. */
static heur_dissector_list_t smb2_pipe_subdissector_list;
/*
 * Subtree and header-field handles for reassembled named-pipe fragments,
 * collected in one fragment_items initializer.
 * The initializer is positional, so the order below has to match the member
 * order of fragment_items (its declaration is not in this file's visible part;
 * presumably epan/reassemble.h).
 */
614 static const fragment_items smb2_pipe_frag_items = {
/* subtree handles */
615 &ett_smb2_pipe_fragment,
616 &ett_smb2_pipe_fragments,
/* per-fragment fields, including the overlap / conflict / error indicators */
617 &hf_smb2_pipe_fragments,
618 &hf_smb2_pipe_fragment,
619 &hf_smb2_pipe_fragment_overlap,
620 &hf_smb2_pipe_fragment_overlap_conflict,
621 &hf_smb2_pipe_fragment_multiple_tails,
622 &hf_smb2_pipe_fragment_too_long_fragment,
623 &hf_smb2_pipe_fragment_error,
624 &hf_smb2_pipe_fragment_count,
/* fields describing the reassembled result */
625 &hf_smb2_pipe_reassembled_in,
626 &hf_smb2_pipe_reassembled_length,
627 &hf_smb2_pipe_reassembled_data,
/* NOTE(review): any remaining member(s) and the closing brace of this
 * initializer are not visible at this point - confirm against the full file. */
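/*
 * File alignment requirement codes. Each value is the alignment in bytes
 * minus one (0x1f for 32 bytes, 0x1ff for 512 bytes, and so on).
 */
#define FILE_BYTE_ALIGNMENT     0x00
#define FILE_WORD_ALIGNMENT     0x01
#define FILE_LONG_ALIGNMENT     0x03
#define FILE_QUAD_ALIGNMENT     0x07
#define FILE_OCTA_ALIGNMENT     0x0f
#define FILE_32_BYTE_ALIGNMENT  0x1f
#define FILE_64_BYTE_ALIGNMENT  0x3f
#define FILE_128_BYTE_ALIGNMENT 0x7f
#define FILE_256_BYTE_ALIGNMENT 0xff
#define FILE_512_BYTE_ALIGNMENT 0x1ff

/*
 * Display names for the alignment codes, in ascending value order.
 * The field that uses this table is not visible here (presumably
 * hf_smb2_alignment_information - confirm at its registration).
 */
static const value_string smb2_alignment_vals[] = {
    { FILE_BYTE_ALIGNMENT,     "FILE_BYTE_ALIGNMENT" },
    { FILE_WORD_ALIGNMENT,     "FILE_WORD_ALIGNMENT" },
    { FILE_LONG_ALIGNMENT,     "FILE_LONG_ALIGNMENT" },
    /* FILE_QUAD_ALIGNMENT was defined above but had no table entry, so a
     * peer reporting 0x07 would have been shown without a name. */
    { FILE_QUAD_ALIGNMENT,     "FILE_QUAD_ALIGNMENT" },
    { FILE_OCTA_ALIGNMENT,     "FILE_OCTA_ALIGNMENT" },
    { FILE_32_BYTE_ALIGNMENT,  "FILE_32_BYTE_ALIGNMENT" },
    { FILE_64_BYTE_ALIGNMENT,  "FILE_64_BYTE_ALIGNMENT" },
    { FILE_128_BYTE_ALIGNMENT, "FILE_128_BYTE_ALIGNMENT" },
    { FILE_256_BYTE_ALIGNMENT, "FILE_256_BYTE_ALIGNMENT" },
    { FILE_512_BYTE_ALIGNMENT, "FILE_512_BYTE_ALIGNMENT" },
    /* Sentinel: value_string lookups walk the array until a NULL string, so
     * the table must end here or an unlisted value reads past the array. */
    { 0, NULL }
};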
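/* Information class codes. Where the class byte is read from the packet is
 * not in this part of the file. */
#define SMB2_CLASS_FILE_INFO  0x01
#define SMB2_CLASS_FS_INFO    0x02
#define SMB2_CLASS_SEC_INFO   0x03
#define SMB2_CLASS_QUOTA_INFO 0x04
#define SMB2_CLASS_POSIX_INFO 0x80

/* Display names for the information classes. */
static const value_string smb2_class_vals[] = {
    { SMB2_CLASS_FILE_INFO,  "FILE_INFO"},
    { SMB2_CLASS_FS_INFO,    "FS_INFO"},
    { SMB2_CLASS_SEC_INFO,   "SEC_INFO"},
    { SMB2_CLASS_QUOTA_INFO, "QUOTA_INFO"},
    { SMB2_CLASS_POSIX_INFO, "POSIX_INFO"},
    /* Sentinel: value_string lookups walk the array until a NULL string, so
     * a class value from the wire that is not listed must stop here. */
    { 0, NULL }
};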
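/* Share type codes. */
#define SMB2_SHARE_TYPE_DISK  0x01
#define SMB2_SHARE_TYPE_PIPE  0x02
#define SMB2_SHARE_TYPE_PRINT 0x03

/* Display names for the share types. */
static const value_string smb2_share_type_vals[] = {
    { SMB2_SHARE_TYPE_DISK,  "Physical disk" },
    { SMB2_SHARE_TYPE_PIPE,  "Named pipe" },
    { SMB2_SHARE_TYPE_PRINT, "Printer" },
    /* Sentinel: value_string lookups walk the array until a NULL string, so
     * a share type from the wire that is not listed must stop here. */
    { 0, NULL }
};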
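/* File information level codes (class SMB2_CLASS_FILE_INFO, judging by the
 * names). The values are not contiguous. */
#define SMB2_FILE_BASIC_INFO          0x04
#define SMB2_FILE_STANDARD_INFO       0x05
#define SMB2_FILE_INTERNAL_INFO       0x06
#define SMB2_FILE_EA_INFO             0x07
#define SMB2_FILE_ACCESS_INFO         0x08
#define SMB2_FILE_RENAME_INFO         0x0a
#define SMB2_FILE_DISPOSITION_INFO    0x0d
#define SMB2_FILE_POSITION_INFO       0x0e
#define SMB2_FILE_FULL_EA_INFO        0x0f
#define SMB2_FILE_MODE_INFO           0x10
#define SMB2_FILE_ALIGNMENT_INFO      0x11
#define SMB2_FILE_ALL_INFO            0x12
#define SMB2_FILE_ALLOCATION_INFO     0x13
#define SMB2_FILE_ENDOFFILE_INFO      0x14
#define SMB2_FILE_ALTERNATE_NAME_INFO 0x15
#define SMB2_FILE_STREAM_INFO         0x16
#define SMB2_FILE_PIPE_INFO           0x17
#define SMB2_FILE_COMPRESSION_INFO    0x1c
#define SMB2_FILE_NETWORK_OPEN_INFO   0x22
#define SMB2_FILE_ATTRIBUTE_TAG_INFO  0x23

/*
 * Display names for the file information levels, in ascending value order.
 * Keep new entries in that order: the extended wrapper below is built over
 * this array (extended lookups are expected to rely on sorted input -
 * confirm against epan/value_string.h).
 */
static const value_string smb2_file_info_levels[] = {
    { SMB2_FILE_BASIC_INFO,          "SMB2_FILE_BASIC_INFO" },
    { SMB2_FILE_STANDARD_INFO,       "SMB2_FILE_STANDARD_INFO" },
    { SMB2_FILE_INTERNAL_INFO,       "SMB2_FILE_INTERNAL_INFO" },
    { SMB2_FILE_EA_INFO,             "SMB2_FILE_EA_INFO" },
    { SMB2_FILE_ACCESS_INFO,         "SMB2_FILE_ACCESS_INFO" },
    { SMB2_FILE_RENAME_INFO,         "SMB2_FILE_RENAME_INFO" },
    { SMB2_FILE_DISPOSITION_INFO,    "SMB2_FILE_DISPOSITION_INFO" },
    { SMB2_FILE_POSITION_INFO,       "SMB2_FILE_POSITION_INFO" },
    { SMB2_FILE_FULL_EA_INFO,        "SMB2_FILE_FULL_EA_INFO" },
    { SMB2_FILE_MODE_INFO,           "SMB2_FILE_MODE_INFO" },
    { SMB2_FILE_ALIGNMENT_INFO,      "SMB2_FILE_ALIGNMENT_INFO" },
    { SMB2_FILE_ALL_INFO,            "SMB2_FILE_ALL_INFO" },
    { SMB2_FILE_ALLOCATION_INFO,     "SMB2_FILE_ALLOCATION_INFO" },
    { SMB2_FILE_ENDOFFILE_INFO,      "SMB2_FILE_ENDOFFILE_INFO" },
    { SMB2_FILE_ALTERNATE_NAME_INFO, "SMB2_FILE_ALTERNATE_NAME_INFO" },
    { SMB2_FILE_STREAM_INFO,         "SMB2_FILE_STREAM_INFO" },
    { SMB2_FILE_PIPE_INFO,           "SMB2_FILE_PIPE_INFO" },
    { SMB2_FILE_COMPRESSION_INFO,    "SMB2_FILE_COMPRESSION_INFO" },
    { SMB2_FILE_NETWORK_OPEN_INFO,   "SMB2_FILE_NETWORK_OPEN_INFO" },
    { SMB2_FILE_ATTRIBUTE_TAG_INFO,  "SMB2_FILE_ATTRIBUTE_TAG_INFO" },
    /* Sentinel: lookups stop at the first NULL string, so an info level from
     * the wire that is not listed ends the search here. */
    { 0, NULL }
};
static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);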
/* File-system information level codes 0x01..0x0b and their display names.
 * Several macros carry placeholder names (SMB2_FS_INFO_01, _03 ... _07); the
 * display strings in the table give the FileFs*Information name for each. */
728 #define SMB2_FS_INFO_01 0x01
729 #define SMB2_FS_LABEL_INFO 0x02
730 #define SMB2_FS_INFO_03 0x03
731 #define SMB2_FS_INFO_04 0x04
732 #define SMB2_FS_INFO_05 0x05
733 #define SMB2_FS_INFO_06 0x06
734 #define SMB2_FS_INFO_07 0x07
735 #define SMB2_FS_OBJECTID_INFO 0x08
736 #define SMB2_FS_DRIVER_PATH_INFO 0x09
737 #define SMB2_FS_VOLUME_FLAGS_INFO 0x0a
738 #define SMB2_FS_SECTOR_SIZE_INFO 0x0b
740 static const value_string smb2_fs_info_levels[] = {
741 {SMB2_FS_INFO_01, "FileFsVolumeInformation" },
742 {SMB2_FS_LABEL_INFO, "FileFsLabelInformation" },
743 {SMB2_FS_INFO_03, "FileFsSizeInformation" },
744 {SMB2_FS_INFO_04, "FileFsDeviceInformation" },
745 {SMB2_FS_INFO_05, "FileFsAttributeInformation" },
746 {SMB2_FS_INFO_06, "FileFsControlInformation" },
747 {SMB2_FS_INFO_07, "FileFsFullSizeInformation" },
748 {SMB2_FS_OBJECTID_INFO, "FileFsObjectIdInformation" },
749 {SMB2_FS_DRIVER_PATH_INFO, "FileFsDriverPathInformation" },
750 {SMB2_FS_VOLUME_FLAGS_INFO, "FileFsVolumeFlagsInformation" },
751 {SMB2_FS_SECTOR_SIZE_INFO, "FileFsSectorSizeInformation" },
/* Extended value_string wrapper around smb2_fs_info_levels. */
754 static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);
/* Security information levels: only level 0x00 is named. */
756 #define SMB2_SEC_INFO_00 0x00
757 static const value_string smb2_sec_info_levels[] = {
758 {SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
761 static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);
/* POSIX information levels. The named values are 0, 1, 3, 5 and 0x0B; levels
 * 2 and 4 have no entry in this table. */
763 static const value_string smb2_posix_info_levels[] = {
764 { 0, "QueryFileUnixBasic" },
765 { 1, "QueryFileUnixLink" },
766 { 3, "QueryFileUnixHLink" },
767 { 5, "QueryFileUnixXAttr" },
768 { 0x0B, "QueryFileUnixInfo2" },
772 static value_string_ext smb2_posix_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_posix_info_levels);
/* Information levels for directory enumeration (find) and their display
 * names; each display string repeats its macro name. */
774 #define SMB2_FIND_DIRECTORY_INFO 0x01
775 #define SMB2_FIND_FULL_DIRECTORY_INFO 0x02
776 #define SMB2_FIND_BOTH_DIRECTORY_INFO 0x03
777 #define SMB2_FIND_INDEX_SPECIFIED 0x04
778 #define SMB2_FIND_NAME_INFO 0x0C
779 #define SMB2_FIND_ID_BOTH_DIRECTORY_INFO 0x25
780 #define SMB2_FIND_ID_FULL_DIRECTORY_INFO 0x26
781 static const value_string smb2_find_info_levels[] = {
782 { SMB2_FIND_DIRECTORY_INFO, "SMB2_FIND_DIRECTORY_INFO" },
783 { SMB2_FIND_FULL_DIRECTORY_INFO, "SMB2_FIND_FULL_DIRECTORY_INFO" },
784 { SMB2_FIND_BOTH_DIRECTORY_INFO, "SMB2_FIND_BOTH_DIRECTORY_INFO" },
785 { SMB2_FIND_INDEX_SPECIFIED, "SMB2_FIND_INDEX_SPECIFIED" },
786 { SMB2_FIND_NAME_INFO, "SMB2_FIND_NAME_INFO" },
787 { SMB2_FIND_ID_BOTH_DIRECTORY_INFO, "SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
788 { SMB2_FIND_ID_FULL_DIRECTORY_INFO, "SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
/* Negotiate-context type codes. Two types are named: pre-authentication
 * integrity and encryption capabilities. */
792 #define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001
793 #define SMB2_ENCRYPTION_CAPABILITIES 0x0002
794 static const value_string smb2_negotiate_context_types[] = {
795 { SMB2_PREAUTH_INTEGRITY_CAPABILITIES, "SMB2_PREAUTH_INTEGRITY_CAPABILITIES" },
796 { SMB2_ENCRYPTION_CAPABILITIES, "SMB2_ENCRYPTION_CAPABILITIES" },
/* Hash algorithm IDs; SHA-512 is the only one named. */
800 #define SMB2_HASH_ALGORITHM_SHA_512 0x0001
801 static const value_string smb2_hash_algorithm_types[] = {
802 { SMB2_HASH_ALGORITHM_SHA_512, "SHA-512" },
/* Cipher IDs named by this table: AES-128-CCM and AES-128-GCM.
 * NOTE(review): a capture that offers any other cipher ID gets no name from
 * this table; when reading a negotiation, check the raw ID rather than
 * relying on the label being present. */
806 #define SMB2_CIPHER_AES_128_CCM 0x0001
807 #define SMB2_CIPHER_AES_128_GCM 0x0002
808 static const value_string smb2_cipher_types[] = {
809 { SMB2_CIPHER_AES_128_CCM, "AES-128-CCM" },
810 { SMB2_CIPHER_AES_128_GCM, "AES-128-GCM" },
/* 64-bit value table: the all-ones value is labelled "unsolicited response". */
814 static const val64_string unique_unsolicited_response[] = {
815 { 0xffffffffffffffff, "unsolicited response" },
/* Number of rows in the SMB2 service-response-time (SRT) table; used below as
 * both the table size and the loop bound. */
819 #define SMB2_NUM_PROCEDURES 256
/* Creates the "SMB2" SRT table inside srt_array and labels each of its
 * SMB2_NUM_PROCEDURES rows with the command name found in smb2_cmd_vals_ext,
 * or "<unknown>" when that table has no name for the index. */
822 smb2stat_init(struct register_srt* srt _U_, GArray* srt_array)
824 srt_stat_table *smb2_srt_table;
827 smb2_srt_table = init_srt_table("SMB2", NULL, srt_array, SMB2_NUM_PROCEDURES, "Commands", "smb2.cmd", NULL);
828 for (i = 0; i < SMB2_NUM_PROCEDURES; i++)
830 init_srt_table_row(smb2_srt_table, i, val_to_str_ext_const(i, &smb2_cmd_vals_ext, "<unknown>"));
/* SRT tap callback: records the response time of one SMB2 response.
 * pss is the srt_data_t that holds the tables and prv is the smb2_info_t of
 * the packet being tapped. Requests, CANCEL and BREAK are filtered out.
 * Several short lines (returns, braces, the declaration of i) are missing
 * from this listing. */
835 smb2stat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv)
838 srt_stat_table *smb2_srt_table;
839 srt_data_t *data = (srt_data_t *)pss;
840 const smb2_info_t *si=(const smb2_info_t *)prv;
842 /* we are only interested in response packets */
843 if(!(si->flags&SMB2_FLAGS_RESPONSE)){
846 /* We should not include cancel and oplock break requests either */
847 if (si->opcode == SMB2_COM_CANCEL || si->opcode == SMB2_COM_BREAK) {
851 /* if we haven't seen the request, just ignore it */
856 /* SMB2 SRT can be very inaccurate in the presence of retransmissions. Retransmitted responses
857 * not only add additional (bogus) transactions but also the latency associated with them.
858 * This can greatly inflate the maximum and average SRT stats especially in the case of
859 * retransmissions triggered by the expiry of the rexmit timer (RTOs). Only calculating SRT
860 * for the last received response accomplishes this goal without requiring the TCP pref
861 * "Do not call subdissectors for error packets" to be set. */
/* Skip when no request frame was recorded, or when this packet is not the
 * frame stored as the response in the saved state.
 * NOTE(review): si->saved is dereferenced here; its NULL check is presumably
 * on the line missing after the "haven't seen the request" comment - confirm. */
862 if ((si->saved->frame_req == 0) || (si->saved->frame_res != pinfo->num))
865 smb2_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
/* si->opcode selects the table row. NOTE(review): the value comes from the
 * dissected packet; confirm it cannot exceed the SMB2_NUM_PROCEDURES rows the
 * table was created with (the opcode field's type is not visible here). */
866 add_srt_table_data(smb2_srt_table, si->opcode, &si->saved->req_time, pinfo);
870 /* Structure for SessionID <=> SessionKey mapping for decryption. */
/* One row of the user-supplied session-key table. The member declarations
 * are missing from this listing; the callbacks below use id, id_len, key and
 * key_len. Rows hold keys that decrypt captured traffic, so the table - and
 * wherever it is persisted (presumably with the user's preferences; verify
 * where the UAT is registered) - should be handled as secret material. */
871 typedef struct _smb2_seskey_field_t {
876 } smb2_seskey_field_t;
/* Backing array and row count for the table. */
878 static smb2_seskey_field_t *seskey_list = NULL;
879 static guint num_seskey_list = 0;
/* All-zero buffer with 16 explicit initialisers, so NTLMSSP_KEY_LEN is
 * assumed to be at least 16. Presumably compared against a key to detect
 * "no key"; that use is not visible here. */
881 static const gint8 zeros[NTLMSSP_KEY_LEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
883 /* Callbacks for SessionID <=> SessionKey mapping. */
884 UAT_BUFFER_CB_DEF(seskey_list, id, smb2_seskey_field_t, id, id_len)
885 UAT_BUFFER_CB_DEF(seskey_list, key, smb2_seskey_field_t, key, key_len)
/* Required byte length of a configured session ID. */
887 #define SMB_SESSION_ID_SIZE 8
/* Validates one session-key row.
 * A row is rejected, with *err set to a newly allocated message, when the ID
 * is not exactly SMB_SESSION_ID_SIZE bytes or when the key is empty or longer
 * than NTLMSSP_KEY_LEN bytes. The return statements are missing from this
 * listing.
 * The upper bound on key_len matters for memory safety: seskey_find_sid_key()
 * copies key_len bytes into a buffer it treats as NTLMSSP_KEY_LEN bytes long. */
889 static gboolean seskey_list_update_cb(void *r, char **err)
891 smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
895 if (rec->id_len != SMB_SESSION_ID_SIZE) {
896 *err = g_strdup("Session ID must be " G_STRINGIFY(SMB_SESSION_ID_SIZE) " bytes long and in hexadecimal");
900 if (rec->key_len == 0 || rec->key_len > NTLMSSP_KEY_LEN) {
901 *err = g_strdup("Session Key must be a non-empty hexadecimal string representing at most " G_STRINGIFY(NTLMSSP_KEY_LEN) " bytes");
/* Deep-copies one session-key row from o into n.
 * The lengths are copied as they are; each buffer is duplicated with
 * g_memdup(), or set to NULL when the source pointer is NULL. Every copy is a
 * second instance of the key material and needs its own release.
 * NOTE(review): g_memdup() takes a guint size and has been deprecated by GLib
 * in favour of g_memdup2(); consider moving to it when the minimum GLib
 * version allows. The return statement is missing from this listing. */
908 static void* seskey_list_copy_cb(void *n, const void *o, size_t siz _U_)
910 smb2_seskey_field_t *new_rec = (smb2_seskey_field_t *)n;
911 const smb2_seskey_field_t *old_rec = (const smb2_seskey_field_t *)o;
913 new_rec->id_len = old_rec->id_len;
914 new_rec->id = old_rec->id ? (guchar *)g_memdup(old_rec->id, old_rec->id_len) : NULL;
915 new_rec->key_len = old_rec->key_len;
916 new_rec->key = old_rec->key ? (guchar *)g_memdup(old_rec->key, old_rec->key_len) : NULL;
/* Free callback for one session-key row.
 * The statements that release rec's buffers are missing from this listing.
 * NOTE(review): the row holds key material; check whether the buffers are
 * cleared before being released. */
921 static void seskey_list_free_cb(void *r)
923 smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
/* Looks up the configured session key for sesid by scanning seskey_list.
 * On a match, out_key is zero-filled to NTLMSSP_KEY_LEN bytes and its first
 * key_len bytes are overwritten with the configured key, so shorter keys end
 * up zero-padded. out_key must be at least NTLMSSP_KEY_LEN bytes long.
 * The return statements are missing from this listing. */
929 static gboolean seskey_find_sid_key(guint64 sesid, guint8 *out_key)
933 for (i = 0; i < num_seskey_list; i++) {
934 const smb2_seskey_field_t *p = &seskey_list[i];
/* Byte-wise compare of sesid's in-memory representation with the configured
 * ID, so the bytes entered must be in the order the host stores sesid. */
935 if (memcmp(&sesid, p->id, SMB_SESSION_ID_SIZE) == 0) {
936 memset(out_key, 0, NTLMSSP_KEY_LEN);
/* In bounds only because seskey_list_update_cb() rejects key_len greater
 * than NTLMSSP_KEY_LEN. NOTE(review): confirm no row reaches seskey_list
 * without passing that callback. */
937 memcpy(out_key, p->key, p->key_len);
945 /* ExportObject preferences variable */
946 gboolean eosmb2_take_name_as_fid = FALSE ;
948 /* unmatched smb_saved_info structures.
949 For unmatched smb_saved_info structures we store the smb_saved_info
950 structure using the msg_id field.
/* Hash-table equality for unmatched saved-info entries: two keys are equal
 * when their full msg_id values are equal. */
953 smb2_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
955 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
956 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
957 return key1->msg_id == key2->msg_id;
/* Hash for unmatched saved-info entries.
 * Only the low 32 bits of msg_id feed the hash, so message IDs that differ
 * only above bit 31 land in the same bucket; the equality function still
 * compares the full value, so this affects lookup cost, not correctness. */
960 smb2_saved_info_hash_unmatched(gconstpointer k)
962 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
965 hash = (guint32) (key->msg_id&0xffffffff);
969 /* matched smb_saved_info structures.
970 For matched smb_saved_info structures we store the smb_saved_info
971 structure using the msg_id field.
/* Hash-table equality for matched saved-info entries: two keys are equal
 * when their full msg_id values are equal. The body is the same as the
 * unmatched variant. */
974 smb2_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
976 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
977 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
978 return key1->msg_id == key2->msg_id;
/* Hash for matched saved-info entries: the low 32 bits of msg_id.
 * Message IDs that differ only above bit 31 share a bucket; equality is
 * decided on the full value by smb2_saved_info_equal_matched(). */
981 smb2_saved_info_hash_matched(gconstpointer k)
983 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
986 hash = (guint32) (key->msg_id&0xffffffff);
990 /* For Tids of a specific conversation.
991 This keeps track of tid->sharename mappings and other information about the
994 We might need to refine this if it occurs that tids are reused on a single
995 conversation. we don't worry about that yet for simplicity
/* Hash-table equality for tree-ID entries: keys are equal when their tid
 * fields are equal. No other field takes part in the comparison. */
998 smb2_tid_info_equal(gconstpointer k1, gconstpointer k2)
1000 const smb2_tid_info_t *key1 = (const smb2_tid_info_t *)k1;
1001 const smb2_tid_info_t *key2 = (const smb2_tid_info_t *)k2;
1002 return key1->tid == key2->tid;
/* Hash for tree-ID entries. The statements that compute and return the hash
 * are missing from this listing; presumably it is derived from key->tid, to
 * stay consistent with smb2_tid_info_equal() - confirm. */
1005 smb2_tid_info_hash(gconstpointer k)
1007 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
1014 /* For Uids of a specific conversation.
1015 This keeps track of uid->acct_name mappings and other information about the
1018 We might need to refine this if it occurs that uids are reused on a single
1019 conversation. we don't worry about that yet for simplicity
/* Hash-table equality for session entries: keys are equal when their sesid
 * fields are equal. */
1022 smb2_sesid_info_equal(gconstpointer k1, gconstpointer k2)
1024 const smb2_sesid_info_t *key1 = (const smb2_sesid_info_t *)k1;
1025 const smb2_sesid_info_t *key2 = (const smb2_sesid_info_t *)k2;
1026 return key1->sesid == key2->sesid;
/* Hash for session entries: the upper and lower 32-bit halves of sesid are
 * added and the sum is truncated to 32 bits. Equal session IDs always hash
 * equally, which is what smb2_sesid_info_equal() requires. */
1029 smb2_sesid_info_hash(gconstpointer k)
1031 const smb2_sesid_info_t *key = (const smb2_sesid_info_t *)k;
1034 hash = (guint32)( ((key->sesid>>32)&0xffffffff)+((key->sesid)&0xffffffff) );
1039 * For File IDs of a specific conversation.
1040 * This keeps track of fid to name mapping and application level conversations
1043 * This handles implementation bugs, where the fid_persistent is 0 or
1044 * the fid_persistent/fid_volatile is not unique per conversation.
/* Hash-table equality for file-ID entries.
 * Four fields are compared one after another: fid_persistent, fid_volatile,
 * sesid and tid. The statements inside each test and the final return are
 * missing from this listing; presumably any mismatch means "not equal". */
1047 smb2_fid_info_equal(gconstpointer k1, gconstpointer k2)
1049 const smb2_fid_info_t *key1 = (const smb2_fid_info_t *)k1;
1050 const smb2_fid_info_t *key2 = (const smb2_fid_info_t *)k2;
1052 if (key1->fid_persistent != key2->fid_persistent) {
1056 if (key1->fid_volatile != key2->fid_volatile) {
1060 if (key1->sesid != key2->sesid) {
1064 if (key1->tid != key2->tid) {
/* Hash for file-ID entries.
 * Uses fid_persistent when it is non-zero and fid_volatile otherwise; in both
 * cases the two 32-bit halves are added and truncated to 32 bits. sesid and
 * tid do not feed the hash, so handles that differ only in those fields
 * share a bucket and are told apart by smb2_fid_info_equal(). */
1072 smb2_fid_info_hash(gconstpointer k)
1074 const smb2_fid_info_t *key = (const smb2_fid_info_t *)k;
1077 if (key->fid_persistent != 0) {
1078 hash = (guint32)( ((key->fid_persistent>>32)&0xffffffff)+((key->fid_persistent)&0xffffffff) );
1080 hash = (guint32)( ((key->fid_volatile>>32)&0xffffffff)+((key->fid_volatile)&0xffffffff) );
1086 /* Callback for destroying the glib hash tables associated with a conversation
/* Destroys the five GLib hash tables owned by the conversation passed in
 * user_data: matched, unmatched, fids, sesids and files. What happens to the
 * values stored in them depends on the destroy functions the tables were
 * created with, which are not visible here. */
1089 smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
1092 smb2_conv_info_t *conv = (smb2_conv_info_t *)user_data;
1094 g_hash_table_destroy(conv->matched);
1095 g_hash_table_destroy(conv->unmatched);
1096 g_hash_table_destroy(conv->fids);
1097 g_hash_table_destroy(conv->sesids);
1098 g_hash_table_destroy(conv->files);
1100 /* This conversation is gone, return FALSE to indicate we don't
1101 * want to be called again for this conversation. */
/* Derives a 16-byte key into KO from the input key KI using HMAC-SHA256.
 * The MAC input is, in order: a 4-byte buffer, Label, one byte of that
 * buffer, Context, and the 4-byte buffer again. The assignments that set the
 * buffer's contents between writes are missing from this listing (presumably
 * the counter and the output length of the NIST construction - confirm).
 * Only the first 16 bytes of the 32-byte digest are kept.
 * NOTE(review): the results of gcry_md_open() and gcry_md_setkey() are
 * discarded; if the open fails, hd stays NULL and is still passed to the
 * calls that follow. No NULL check of digest is visible before the memcpy.
 * The release of hd is also not visible in this listing. */
1105 static void smb2_key_derivation(const guint8 *KI, guint32 KI_len,
1106 const guint8 *Label, guint32 Label_len,
1107 const guint8 *Context, guint32 Context_len,
1110 gcry_md_hd_t hd = NULL;
1112 guint8 *digest = NULL;
1115 * a simplified version of
1116 * "NIST Special Publication 800-108" section 5.1
1117 * using hmac-sha256.
1119 gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
1120 gcry_md_setkey(hd, KI, KI_len);
1122 memset(buf, 0, sizeof(buf));
1124 gcry_md_write(hd, buf, sizeof(buf));
1125 gcry_md_write(hd, Label, Label_len);
1126 gcry_md_write(hd, buf, 1);
1127 gcry_md_write(hd, Context, Context_len);
1129 gcry_md_write(hd, buf, sizeof(buf));
1131 digest = gcry_md_read(hd, GCRY_MD_SHA256);
1133 memcpy(KO, digest, 16);
1138 /* for export-object-smb2 */
/* Formats the handle's UUID as a hex string of the form
 * 8-4-4-4-12 digits, allocated in packet scope. The format string has eleven
 * conversions; the argument lines between the format and data4[7] are
 * missing from this listing. */
1139 static gchar *policy_hnd_to_file_id(const e_ctx_hnd *hnd) {
1141 file_id = wmem_strdup_printf(wmem_packet_scope(),
1142 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1153 hnd->uuid.data4[7]);
/* Hash for export-object file entries: the string hash of the handle's
 * formatted UUID. Each call allocates that string in packet scope. */
1156 static guint smb2_eo_files_hash(gconstpointer k) {
1157 return g_str_hash(policy_hnd_to_file_id((const e_ctx_hnd *)k));
/* Equality for export-object file entries: two handles are equal when every
 * UUID member matches (data1, data2, data3 and all eight bytes of data4).
 * These are the same members policy_hnd_to_file_id() formats, so equal
 * handles also produce equal hashes. The return statement is missing from
 * this listing. */
1159 static gint smb2_eo_files_equal(gconstpointer k1, gconstpointer k2) {
1161 const e_ctx_hnd *key1 = (const e_ctx_hnd *)k1;
1162 const e_ctx_hnd *key2 = (const e_ctx_hnd *)k2;
1164 are_equal = (key1->uuid.data1==key2->uuid.data1 &&
1165 key1->uuid.data2==key2->uuid.data2 &&
1166 key1->uuid.data3==key2->uuid.data3 &&
1167 key1->uuid.data4[0]==key2->uuid.data4[0] &&
1168 key1->uuid.data4[1]==key2->uuid.data4[1] &&
1169 key1->uuid.data4[2]==key2->uuid.data4[2] &&
1170 key1->uuid.data4[3]==key2->uuid.data4[3] &&
1171 key1->uuid.data4[4]==key2->uuid.data4[4] &&
1172 key1->uuid.data4[5]==key2->uuid.data4[5] &&
1173 key1->uuid.data4[6]==key2->uuid.data4[6] &&
1174 key1->uuid.data4[7]==key2->uuid.data4[7]);
/* Builds an smb_eo_t describing one chunk of file data and queues it on the
 * export-object tap (smb2_eo_tap).
 * tvb, dataoffset and length locate the payload in the packet; file_offset is
 * the chunk's position within the file. All allocations are packet scoped.
 * Several short lines (braces, else branches, a few assignments) are missing
 * from this listing.
 * NOTE(review): dataoffset is a guint16, so a payload offset above 65535
 * cannot be represented - confirm what callers pass.
 * NOTE(review): si->saved and si->eo_file_info are dereferenced with no NULL
 * check visible here; callers presumably guarantee both - confirm. */
1180 feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, guint16 dataoffset,guint32 length, guint64 file_offset) {
1182 char *fid_name = NULL;
1183 guint32 open_frame = 0, close_frame = 0;
1184 tvbuff_t *data_tvb = NULL;
1188 gchar **aux_string_v;
1190 /* Create a new tvb to point to the payload data */
1191 data_tvb = tvb_new_subset_length(tvb, dataoffset, length);
1192 /* Create the eo_info to pass to the listener */
1193 eo_info = wmem_new(wmem_packet_scope(), smb_eo_t);
1194 /* Fill in eo_info */
1195 eo_info->smbversion=2;
1197 eo_info->cmd=si->opcode;
1198 /* We don't keep track of uid in SMB v2 */
1201 /* Try to get file id and filename */
1202 file_id=policy_hnd_to_file_id(&si->saved->policy_hnd);
1203 dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num);
/* fid_name is whatever was stored for this handle - presumably a name taken
 * from the capture, so the filename built below is untrusted input. Code that
 * writes exported objects to disk has to sanitise it (path separators,
 * parent-directory components) before using it as a path. */
1204 if (fid_name && g_strcmp0(fid_name,"File: ")!=0) {
1206 /* Remove "File: " from filename */
1207 if (g_str_has_prefix(auxstring, "File: ")) {
/* Splitting on every "File: " and keeping the last piece means a name that
 * itself contains "File: " is cut down to the text after its last occurrence. */
1208 aux_string_v = g_strsplit(auxstring, "File: ", -1);
1209 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",aux_string_v[g_strv_length(aux_string_v)-1]);
1210 g_strfreev(aux_string_v);
1212 if (g_str_has_prefix(auxstring, "\\")) {
1213 eo_info->filename = wmem_strdup(wmem_packet_scope(), auxstring);
1215 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",auxstring);
1219 auxstring=wmem_strdup_printf(wmem_packet_scope(), "File_Id_%s", file_id);
1220 eo_info->filename=auxstring;
/* The fid is a 32-bit string hash of either the filename or the file ID, as
 * selected by the eosmb2_take_name_as_fid preference; two different inputs
 * can hash to the same fid. */
1225 if (eosmb2_take_name_as_fid) {
1226 eo_info->fid = g_str_hash(eo_info->filename);
1228 eo_info->fid = g_str_hash(file_id);
1231 /* tid, hostname, tree_id */
1233 eo_info->tid=si->tree->tid;
/* The share name is used as hostname only when it is 1..256 characters long;
 * otherwise a name is synthesised from the peer address and the tree ID. */
1234 if (strlen(si->tree->name)>0 && strlen(si->tree->name)<=256) {
1235 eo_info->hostname = wmem_strdup(wmem_packet_scope(), si->tree->name);
1237 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
1241 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
1245 eo_info->pkt_num = pinfo->num;
/* Classify the object from its attribute mask: directory first, then any of
 * the ordinary file attributes, otherwise "other". */
1248 if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
1249 eo_info->fid_type=SMB2_FID_TYPE_DIR;
1251 if (si->eo_file_info->attr_mask &
1252 (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
1253 SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
1254 SMB2_FLAGS_ATTR_SYSTEM) ) {
1255 eo_info->fid_type=SMB2_FID_TYPE_FILE;
1257 eo_info->fid_type=SMB2_FID_TYPE_OTHER;
1262 eo_info->end_of_file=si->eo_file_info->end_of_file;
1264 /* data offset and chunk length */
1265 eo_info->smb_file_offset=file_offset;
1266 eo_info->smb_chunk_len=length;
1267 /* XXX is this right? */
/* The saved offset and remaining byte count are advanced only when this
 * chunk is smaller than what remains, which also keeps the subtraction from
 * going below zero. */
1268 if (length<si->saved->bytes_moved) {
1269 si->saved->file_offset=si->saved->file_offset+length;
1270 si->saved->bytes_moved=si->saved->bytes_moved-length;
1274 eo_info->payload_len = length;
/* payload_data points into the tvb's data rather than at a copy;
 * tvb_get_ptr() raises a bounds exception if length bytes are not present. */
1275 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);
1277 tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
1281 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
1284 /* This is a helper to dissect the common string type
1290 * This function is called twice, first to decode the offset/length and
1291 * second time to dissect the actual string.
1292 * It is done this way since there is no guarantee that we have the full packet and we don't
1293 * want to abort dissection too early if the packet ends somewhere between the
1294 * length/offset and the actual buffer.
/* On-the-wire layout of an offset/length pair. O is the offset field and S
 * the size (length) field; the suffix gives each field's width, and the order
 * in the name is the order in which dissect_smb2_olb_length_offset() reads
 * the two fields. */
1297 enum offset_length_buffer_offset_size {
1298 OLB_O_UINT16_S_UINT16,
1299 OLB_O_UINT16_S_UINT32,
1300 OLB_O_UINT32_S_UINT32,
1301 OLB_S_UINT32_O_UINT32
/* A decoded offset/length pair plus where each field sat in the packet.
 * Most member declarations are missing from this listing; the code in this
 * file uses off, len, off_offset, len_offset, hfindex and offset_size.
 * off and len are copied straight from the packet and are untrusted until a
 * consumer has range-checked them. */
1303 typedef struct _offset_length_buffer_t {
1308 enum offset_length_buffer_offset_size offset_size;
1310 } offset_length_buffer_t;
/* First pass over an offset/length buffer: reads the two little-endian fields
 * at offset, using the widths and order selected by offset_size, and records
 * their values and positions in olb together with hfindex.
 * Nothing is range-checked here; off and len are raw packet values and the
 * second-pass functions are responsible for validating them.
 * The statements that advance offset between the two reads, the break
 * statements and the return are missing from this listing. */
1312 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
1313 enum offset_length_buffer_offset_size offset_size, int hfindex)
1315 olb->hfindex = hfindex;
1316 olb->offset_size = offset_size;
1317 switch (offset_size) {
/* 16-bit offset followed by 16-bit length. */
1318 case OLB_O_UINT16_S_UINT16:
1319 olb->off = tvb_get_letohs(tvb, offset);
1320 olb->off_offset = offset;
1322 olb->len = tvb_get_letohs(tvb, offset);
1323 olb->len_offset = offset;
/* 16-bit offset followed by 32-bit length. */
1326 case OLB_O_UINT16_S_UINT32:
1327 olb->off = tvb_get_letohs(tvb, offset);
1328 olb->off_offset = offset;
1330 olb->len = tvb_get_letohl(tvb, offset);
1331 olb->len_offset = offset;
/* 32-bit offset followed by 32-bit length. */
1334 case OLB_O_UINT32_S_UINT32:
1335 olb->off = tvb_get_letohl(tvb, offset);
1336 olb->off_offset = offset;
1338 olb->len = tvb_get_letohl(tvb, offset);
1339 olb->len_offset = offset;
/* 32-bit length followed by 32-bit offset. */
1342 case OLB_S_UINT32_O_UINT32:
1343 olb->len = tvb_get_letohl(tvb, offset);
1344 olb->len_offset = offset;
1346 olb->off = tvb_get_letohl(tvb, offset);
1347 olb->off_offset = offset;
/* String encodings accepted by the string dissector below. */
1355 #define OLB_TYPE_UNICODE_STRING 0x01
1356 #define OLB_TYPE_ASCII_STRING 0x02
/* Second pass for a string buffer: validates the offset/length pair held in
 * olb, extracts the string as Unicode or ASCII according to type, adds it to
 * parent_tree under olb->hfindex and then adds the raw offset and length
 * fields beneath it with the widths given by olb->offset_size.
 * off and len come from the packet and are untrusted. Many short lines are
 * missing from this listing, including the declarations and assignments of
 * off, len and offset and the use of base.
 * NOTE(review): the first operand of the range test is on a missing line; if
 * off and len are signed, confirm that the test also rejects lengths of
 * 2^31 and above. */
1358 dissect_smb2_olb_off_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int base, int type)
1361 proto_item *item = NULL;
1362 proto_tree *tree = NULL;
1363 const char *name = NULL;
1372 bc = tvb_captured_length_remaining(tvb, offset);
/* Raises a bounds exception unless the whole [off, off+len) range exists. */
1376 tvb_ensure_bytes_exist(tvb, off, len);
1378 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
/* NOTE(review): tree is still NULL at this point unless it is assigned on a
 * line missing from this listing; the sibling dissect_smb2_olb_buffer()
 * passes parent_tree to the same call. */
1379 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1380 "Invalid offset/length. Malformed packet");
1382 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1389 case OLB_TYPE_UNICODE_STRING:
1390 name = get_unicode_or_ascii_string(tvb, &off,
1391 TRUE, &len, TRUE, TRUE, &bc);
1396 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1397 tree = proto_item_add_subtree(item, ett_smb2_olb);
1400 case OLB_TYPE_ASCII_STRING:
1401 name = get_unicode_or_ascii_string(tvb, &off,
1402 FALSE, &len, TRUE, TRUE, &bc);
1407 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1408 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* Show the raw offset and length fields at the positions recorded during the
 * first pass. */
1413 switch (olb->offset_size) {
1414 case OLB_O_UINT16_S_UINT16:
1415 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1416 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1418 case OLB_O_UINT16_S_UINT32:
1419 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1420 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1422 case OLB_O_UINT32_S_UINT32:
1423 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1424 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1426 case OLB_S_UINT32_O_UINT32:
1427 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1428 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/* Convenience wrapper: dissects the string described by olb with a base
 * of 0 and returns whatever dissect_smb2_olb_off_string() returns. */
1436 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
1438 return dissect_smb2_olb_off_string(pinfo, parent_tree, tvb, olb, 0, type);
/* Second pass for an opaque buffer: validates the offset/length pair held in
 * olb, adds the raw offset and length fields to parent_tree, optionally adds
 * a subtree for the buffer, and hands a sub-tvb covering the buffer to the
 * dissector callback.
 * off and len come from the packet and are untrusted. Short lines are missing
 * from this listing, including the declarations and assignments of off, len
 * and offset, the first operand of the range test, and the early returns. */
1442 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
1443 offset_length_buffer_t *olb, smb2_info_t *si,
1444 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
1447 proto_item *sub_item = NULL;
1448 proto_tree *sub_tree = NULL;
1449 tvbuff_t *sub_tvb = NULL;
/* Raises a bounds exception unless the whole [off, off+len) range exists. */
1457 tvb_ensure_bytes_exist(tvb, off, len);
1459 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
1460 proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1461 "Invalid offset/length. Malformed packet");
1463 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1468 switch (olb->offset_size) {
1469 case OLB_O_UINT16_S_UINT16:
1470 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1471 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1473 case OLB_O_UINT16_S_UINT32:
1474 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1475 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1477 case OLB_O_UINT32_S_UINT32:
1478 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1479 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1481 case OLB_S_UINT32_O_UINT32:
1482 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1483 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1487 /* if we don't want/need a subtree */
1488 if (olb->hfindex == -1) {
1489 sub_item = parent_tree;
1490 sub_tree = parent_tree;
1493 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
1494 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
/* A zero offset or zero length is shown as "NO DATA". */
1498 if (off == 0 || len == 0) {
1499 proto_item_append_text(sub_item, ": NO DATA");
/* The sub-tvb's captured length is capped at what was actually captured,
 * while its reported length stays len, so the callback sees truncation as a
 * short capture rather than reading past the data.
 * NOTE(review): len is cast to int here; confirm the range test above rejects
 * values that do not fit. */
1507 sub_tvb = tvb_new_subset_length_caplen(tvb, off, MIN((int)len, tvb_captured_length_remaining(tvb, off)), len);
1509 dissector(sub_tvb, pinfo, sub_tree, si);
/* Returns the larger of offset and the end of the buffer described by olb
 * (olb->off + olb->len). A zero olb->off is handled separately on a line
 * missing from this listing (presumably offset is returned unchanged).
 * NOTE(review): off and len are raw packet values; if the members are 32-bit
 * unsigned (their declarations are not visible here) the sum can wrap, and
 * the cast to int can turn a large sum negative - in both cases MAX() falls
 * back to offset. Confirm that callers can tolerate that. */
1513 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
1515 if (olb->off == 0) {
1518 return MAX(offset, (int)(olb->off + olb->len));
/* Pair of dissector callbacks for one command: one for the request and one
 * for the response. Both take the tvb, packet info, tree, starting offset and
 * the SMB2 state, and return an int (presumably the offset after the data
 * they consumed - confirm against the callers). */
1521 typedef struct _smb2_function {
1522 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
1523 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
/* true_false_string tables: the first string is shown when the flag bit is
 * set, the second when it is clear. Some short strings and all closing braces
 * are missing from this listing. */
1526 static const true_false_string tfs_smb2_svhdx_has_initiator_id = {
1527 "Has an initiator id",
1528 "Does not have an initiator id"
1531 static const true_false_string tfs_flags_response = {
1532 "This is a RESPONSE",
1536 static const true_false_string tfs_flags_async_cmd = {
1537 "This is an ASYNC command",
1538 "This is a SYNC command"
1541 static const true_false_string tfs_flags_dfs_op = {
1542 "This is a DFS OPERATION",
1543 "This is a normal operation"
/* NOTE(review): the "set" string is missing a verb ("This pdu is a CHAINED
 * command"). */
1546 static const true_false_string tfs_flags_chained = {
1547 "This pdu a CHAINED command",
1548 "This pdu is NOT a chained command"
/* The signed flag only reports what the header claims; it does not show
 * that a signature was verified. */
1551 static const true_false_string tfs_flags_signature = {
1552 "This pdu is SIGNED",
1553 "This pdu is NOT signed"
/* NOTE(review): "OPEARATION" in the "set" string is a typo for "OPERATION". */
1556 static const true_false_string tfs_flags_replay_operation = {
1557 "This is a REPLAY OPEARATION",
1558 "This is NOT a replay operation"
/* NOTE(review): the "clear" string ends in "PRIORITY1"; the trailing 1 looks
 * like a typo. */
1561 static const true_false_string tfs_flags_priority_mask = {
1562 "This pdu contains a PRIORITY",
1563 "This pdu does NOT contain a PRIORITY1"
/* Capability flags advertised by a host. */
1566 static const true_false_string tfs_cap_dfs = {
1567 "This host supports DFS",
1568 "This host does NOT support DFS"
1571 static const true_false_string tfs_cap_leasing = {
1572 "This host supports LEASING",
1573 "This host does NOT support LEASING"
1576 static const true_false_string tfs_cap_large_mtu = {
1577 "This host supports LARGE_MTU",
1578 "This host does NOT support LARGE_MTU"
1581 static const true_false_string tfs_cap_multi_channel = {
1582 "This host supports MULTI CHANNEL",
1583 "This host does NOT support MULTI CHANNEL"
1586 static const true_false_string tfs_cap_persistent_handles = {
1587 "This host supports PERSISTENT HANDLES",
1588 "This host does NOT support PERSISTENT HANDLES"
1591 static const true_false_string tfs_cap_directory_leasing = {
1592 "This host supports DIRECTORY LEASING",
1593 "This host does NOT support DIRECTORY LEASING"
1596 static const true_false_string tfs_cap_encryption = {
1597 "This host supports ENCRYPTION",
1598 "This host does NOT support ENCRYPTION"
/* Per-interface capability flags for the network-interface ioctl. */
1601 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
1602 "This interface supports RSS",
1603 "This interface does not support RSS"
1606 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
1607 "This interface supports RDMA",
1608 "This interface does not support RDMA"
/* Small value-to-name tables. A value that is not listed has no name in the
 * table; closing lines are missing from this listing. */
1611 static const value_string file_region_usage_vals[] = {
1612 { 0x00000001, "FILE_REGION_USAGE_VALID_CACHED_DATA" },
1616 static const value_string originator_flags_vals[] = {
1617 { 1, "SVHDX_ORIGINATOR_PVHDPARSER" },
1618 { 4, "SVHDX_ORIGINATOR_VHDMP" },
/* POSIX capability tables: each one names only the value 1. */
1622 static const value_string posix_locks_vals[] = {
1623 { 1, "POSIX_V1_POSIX_LOCK" },
1627 static const value_string posix_utf8_paths_vals[] = {
1628 { 1, "POSIX_V1_UTF8_PATHS" },
1632 static const value_string posix_file_semantics_vals[] = {
1633 { 1, "POSIX_V1_POSIX_FILE_SEMANTICS" },
1637 static const value_string posix_case_sensitive_vals[] = {
1638 { 1, "POSIX_V1_CASE_SENSITIVE" },
1642 static const value_string posix_will_convert_ntacls_vals[] = {
1643 { 1, "POSIX_V1_WILL_CONVERT_NT_ACLS" },
1647 static const value_string posix_fileinfo_vals[] = {
1648 { 1, "POSIX_V1_POSIX_FILEINFO" },
1652 static const value_string posix_acls_vals[] = {
1653 { 1, "POSIX_V1_POSIX_ACLS" },
1657 static const value_string posix_rich_acls_vals[] = {
1658 { 1, "POSIX_V1_RICH_ACLS" },
/* Compression formats 0..2. */
1662 static const value_string compression_format_vals[] = {
1663 { 0, "COMPRESSION_FORMAT_NONE" },
1664 { 1, "COMPRESSION_FORMAT_DEFAULT" },
1665 { 2, "COMPRESSION_FORMAT_LZNT1" },
/* Checksum algorithm IDs; 0xFFFF means the algorithm is left unchanged. */
1669 static const value_string checksum_algorithm_vals[] = {
1670 { 0x0000, "CHECKSUM_TYPE_NONE" },
1671 { 0x0002, "CHECKSUM_TYPE_CRC64" },
1672 { 0xFFFF, "CHECKSUM_TYPE_UNCHANGED" },
1676 /* Note: All uncommented are "dissector not implemented" */
/* FSCTL/ioctl function codes and their display names, in ascending numeric
 * order. An entry without a trailing comment is only named: its request and
 * response payloads are not decoded by this file.
 * NOTE(review): the name FSCTL_SET_REPARSE_POINT is attached to two codes,
 * 0x000900A4 and 0x000980A4, so a display name alone does not identify which
 * code was on the wire; compare the numeric value when it matters. */
1677 static const value_string smb2_ioctl_vals[] = {
1678 {0x00060194, "FSCTL_DFS_GET_REFERRALS"}, /* dissector implemented */
1679 {0x000601B0, "FSCTL_DFS_GET_REFERRALS_EX"},
1680 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
1681 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
1682 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
1683 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
1684 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
1685 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
1686 {0x00090018, "FSCTL_LOCK_VOLUME"},
1687 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
1688 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
1689 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
1690 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
1691 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
1692 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
1693 {0x0009003C, "FSCTL_GET_COMPRESSION"}, /* dissector implemented */
1694 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
1695 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
1696 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
1697 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
1698 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
1699 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
1700 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
1701 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
1702 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
1703 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
1704 {0x00090074, "FSCTL_MOVE_FILE"},
1705 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
1706 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
1707 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
1708 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
1709 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
1710 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
1711 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
1712 {0x0009009C, "FSCTL_GET_OBJECT_ID"}, /* dissector implemented */
1713 {0x000900A4, "FSCTL_SET_REPARSE_POINT"}, /* dissector implemented */
1714 {0x000900A8, "FSCTL_GET_REPARSE_POINT"}, /* dissector implemented */
1715 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"}, /* dissector implemented */
1716 {0x000900C4, "FSCTL_SET_SPARSE"}, /* dissector implemented */
1717 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
1718 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
1719 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
1720 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
1721 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
1722 {0x00090244, "FSCTL_CSV_TUNNEL_REQUEST"},
1723 {0x0009027C, "FSCTL_GET_INTEGRITY_INFORMATION"},
1724 {0x00090284, "FSCTL_QUERY_FILE_REGIONS"}, /* dissector implemented */
1725 {0x000902c8, "FSCTL_CSV_SYNC_TUNNEL_REQUEST"},
1726 {0x00090300, "FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT"}, /* dissector implemented */
1727 {0x00090304, "FSCTL_SVHDX_SYNC_TUNNEL_REQUEST"}, /* dissector implemented */
1728 {0x00090308, "FSCTL_SVHDX_SET_INITIATOR_INFORMATION"},
1729 {0x0009030C, "FSCTL_SET_EXTERNAL_BACKING"},
1730 {0x00090310, "FSCTL_GET_EXTERNAL_BACKING"},
1731 {0x00090314, "FSCTL_DELETE_EXTERNAL_BACKING"},
1732 {0x00090318, "FSCTL_ENUM_EXTERNAL_BACKING"},
1733 {0x0009031F, "FSCTL_ENUM_OVERLAY"},
1734 {0x00090350, "FSCTL_STORAGE_QOS_CONTROL"}, /* dissector implemented */
1735 {0x00090364, "FSCTL_SVHDX_ASYNC_TUNNEL_REQUEST"}, /* dissector implemented */
1736 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
1737 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
1738 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
1739 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"}, /* dissector implemented */
1740 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
1741 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
1742 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
1743 {0x00094264, "FSCTL_OFFLOAD_READ"}, /* dissector implemented */
1744 {0x00098098, "FSCTL_SET_OBJECT_ID"}, /* dissector implemented */
1745 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
1746 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
1747 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
1748 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"}, /* dissector implemented */
1749 {0x000980C8, "FSCTL_SET_ZERO_DATA"}, /* dissector implemented */
1750 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
1751 {0x00098208, "FSCTL_FILE_LEVEL_TRIM"},
1752 {0x00098268, "FSCTL_OFFLOAD_WRITE"}, /* dissector implemented */
1753 {0x0009C040, "FSCTL_SET_COMPRESSION"}, /* dissector implemented */
1754 {0x0009C280, "FSCTL_SET_INTEGRITY_INFORMATION"}, /* dissector implemented */
1755 {0x00110018, "FSCTL_PIPE_WAIT"}, /* dissector implemented */
1756 {0x0011400C, "FSCTL_PIPE_PEEK"},
1757 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"}, /* dissector implemented */
1758 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
1759 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"}, /* dissector implemented */
1760 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"}, /* dissector implemented */
1761 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"}, /* dissector implemented */
1762 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"}, /* dissector implemented */
1763 {0x00144064, "FSCTL_SRV_ENUMERATE_SNAPSHOTS"}, /* dissector implemented */
1764 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
1765 {0x001441bb, "FSCTL_SRV_READ_HASH"},
1766 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
/* Extended value_string wrapper around smb2_ioctl_vals. */
1769 static value_string_ext smb2_ioctl_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_vals);
1771 static const value_string smb2_ioctl_device_vals[] = {
1773 { 0x0002, "CD_ROM" },
1774 { 0x0003, "CD_ROM_FILE_SYSTEM" },
1775 { 0x0004, "CONTROLLER" },
1776 { 0x0005, "DATALINK" },
1779 { 0x0008, "DISK_FILE_SYSTEM" },
1780 { 0x0009, "FILE_SYSTEM" },
1781 { 0x000a, "INPORT_PORT" },
1782 { 0x000b, "KEYBOARD" },
1783 { 0x000c, "MAILSLOT" },
1784 { 0x000d, "MIDI_IN" },
1785 { 0x000e, "MIDI_OUT" },
1786 { 0x000f, "MOUSE" },
1787 { 0x0010, "MULTI_UNC_PROVIDER" },
1788 { 0x0011, "NAMED_PIPE" },
1789 { 0x0012, "NETWORK" },
1790 { 0x0013, "NETWORK_BROWSER" },
1791 { 0x0014, "NETWORK_FILE_SYSTEM" },
1793 { 0x0016, "PARALLEL_PORT" },
1794 { 0x0017, "PHYSICAL_NETCARD" },
1795 { 0x0018, "PRINTER" },
1796 { 0x0019, "SCANNER" },
1797 { 0x001a, "SERIAL_MOUSE_PORT" },
1798 { 0x001b, "SERIAL_PORT" },
1799 { 0x001c, "SCREEN" },
1800 { 0x001d, "SOUND" },
1801 { 0x001e, "STREAMS" },
1803 { 0x0020, "TAPE_FILE_SYSTEM" },
1804 { 0x0021, "TRANSPORT" },
1805 { 0x0022, "UNKNOWN" },
1806 { 0x0023, "VIDEO" },
1807 { 0x0024, "VIRTUAL_DISK" },
1808 { 0x0025, "WAVE_IN" },
1809 { 0x0026, "WAVE_OUT" },
1810 { 0x0027, "8042_PORT" },
1811 { 0x0028, "NETWORK_REDIRECTOR" },
1812 { 0x0029, "BATTERY" },
1813 { 0x002a, "BUS_EXTENDER" },
1814 { 0x002b, "MODEM" },
1816 { 0x002d, "MASS_STORAGE" },
1819 { 0x0030, "CHANGER" },
1820 { 0x0031, "SMARTCARD" },
1823 { 0x0034, "FULLSCREEN_VIDEO" },
1824 { 0x0035, "DFS_FILE_SYSTEM" },
1825 { 0x0036, "DFS_VOLUME" },
1826 { 0x0037, "SERENUM" },
1827 { 0x0038, "TERMSRV" },
1831 static value_string_ext smb2_ioctl_device_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals);
/* Display names for small enumerated fields. Their consumers (the hf_
 * registrations) are outside this part of the file.
 * NOTE(review): the access and method tables presumably describe the 2-bit
 * access and 2-bit transfer-method parts of the 32-bit IOCTL function code
 * that dissect_smb2_ioctl_function() splits up; confirm against the field
 * masks where the hf_smb2_ioctl_function_* fields are registered. */
1833 static const value_string smb2_ioctl_access_vals[] = {
1834 { 0x00, "FILE_ANY_ACCESS" },
1835 { 0x01, "FILE_READ_ACCESS" },
1836 { 0x02, "FILE_WRITE_ACCESS" },
1837 { 0x03, "FILE_READ_WRITE_ACCESS" },
/* Transfer-method names. */
1841 static const value_string smb2_ioctl_method_vals[] = {
1842 { 0x00, "METHOD_BUFFERED" },
1843 { 0x01, "METHOD_IN_DIRECT" },
1844 { 0x02, "METHOD_OUT_DIRECT" },
1845 { 0x03, "METHOD_NEITHER" },
/* Shared virtual disk support values; only 0x01 and 0x07 have names here. */
1849 static const value_string smb2_ioctl_shared_virtual_disk_vals[] = {
1850 { 0x01, "SharedVirtualDisksSupported" },
1851 { 0x07, "SharedVirtualDiskCDPSnapshotsSupported" },
/* Shared virtual disk handle-state values; 0x02 has no name in this table. */
1855 static const value_string smb2_ioctl_shared_virtual_disk_hstate_vals[] = {
1856 { 0x00, "HandleStateNone" },
1857 { 0x01, "HandleStateFileShared" },
1858 { 0x03, "HandleStateShared" },
/*
 * Dissect the 4-byte little-endian IOCTL/FSCTL function code at offset.
 *
 * tvb          buffer holding the code
 * pinfo        packet info; the function name (or its parts) is appended to
 *              COL_INFO
 * parent_tree  tree that receives the hf_smb2_ioctl_function item
 * offset       position of the code in tvb
 * ioctlfunc    out: receives the raw 32-bit code
 *
 * The same four bytes are added four more times as the device, access,
 * function and method sub-fields. When the full code has no name in
 * smb2_ioctl_vals, the visible fallbacks print the device name (upper 16
 * bits) and the function number ((code >> 2) & 0x0fff) instead.
 *
 * NOTE(review): the embedded numbering shows that this listing omits lines of
 * the function (guards, closing braces, offset updates, the return).
 * Comments below cover only the statements that are visible.
 */
1862 /* this is called from both smb and smb2. */
1864 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctlfunc)
1866 proto_item *item = NULL;
1867 proto_tree *tree = NULL;
1868 guint32 ioctl_function;
1871 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1872 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
/* The code is taken verbatim from the packet; every later decision in this
 * function depends on this untrusted value. */
1875 ioctl_function = tvb_get_letohl(tvb, offset);
/* NOTE(review): the line before this store is not shown in this listing.
 * Confirm that ioctlfunc is NULL-checked there, since the function has
 * callers in both the smb and smb2 dissectors. */
1877 *ioctlfunc = ioctl_function;
1878 if (ioctl_function) {
/* "unknown" is used as a sentinel: the lookup result is compared by pointer
 * against it below to detect a code that has no table entry. */
1879 const gchar *unknown = "unknown";
1880 const gchar *ioctl_name = val_to_str_ext_const(ioctl_function,
1881 &smb2_ioctl_vals_ext,
1885 * val_to_str_const() doesn't work with a unknown == NULL
1887 if (ioctl_name == unknown) {
1891 if (ioctl_name != NULL) {
1893 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
/* Device part: upper 16 bits of the code. */
1897 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1898 if (ioctl_name == NULL) {
1900 pinfo->cinfo, COL_INFO, " %s",
1901 val_to_str_ext((ioctl_function>>16)&0xffff, &smb2_ioctl_device_vals_ext,
1902 "Unknown (0x%08X)"));
1906 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Function part: 12 bits starting at bit 2, per the shift and mask below. */
1909 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1910 if (ioctl_name == NULL) {
1912 pinfo->cinfo, COL_INFO, " Function:0x%04x",
1913 (ioctl_function>>2)&0x0fff);
1917 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Values for the mode argument of dissect_smb2_fid(). In the visible part of
 * that function only FID_MODE_CLOSE appears as an explicit case label; the
 * handling of the other values is in lines this listing does not show.
 * NOTE(review): DHNQ/DHNC presumably relate to durable-handle create
 * contexts — confirm at the call sites. */
1925 /* fake the dce/rpc support structures so we can piggy back on
1926 * dissect_nt_policy_hnd() since this will allow us
1927 * a cheap way to track where FIDs are opened, closed
1928 * and fid->filename mappings
1929 * if we want to do those things in the future.
1931 #define FID_MODE_OPEN 0
1932 #define FID_MODE_CLOSE 1
1933 #define FID_MODE_USE 2
1934 #define FID_MODE_DHNQ 3
1935 #define FID_MODE_DHNC 4
/*
 * Dissect a 16-byte SMB2 file id (FID) and keep per-conversation state for it.
 *
 * The persistent half is read at offset and the volatile half at offset+8;
 * together with si->sesid and si->tid they form the lookup key (sfi_key) for
 * si->conv->fids. The handle itself is dissected by dissect_nt_guid_hnd(),
 * driven through fake DCE/RPC structures, with its last two arguments chosen
 * per mode (TRUE/FALSE, FALSE/TRUE and FALSE/FALSE in the three visible calls).
 *
 * NOTE(review): the embedded numbering shows that this listing omits lines of
 * the function (the switch on mode, several guards, the return). Comments
 * below describe only the statements that are visible.
 */
1937 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
1939 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
/* static: one instance of each fake structure is shared by every call. */
1940 static dcerpc_info di; /* fake dcerpc_info struct */
1941 static dcerpc_call_value call_data;
1942 e_ctx_hnd policy_hnd;
1943 e_ctx_hnd *policy_hnd_hashtablekey;
1944 proto_item *hnd_item = NULL;
1946 guint32 open_frame = 0, close_frame = 0;
1947 smb2_eo_file_info_t *eo_file_info;
1948 smb2_fid_info_t sfi_key;
1949 smb2_fid_info_t *sfi = NULL;
/* The lookup key is built straight from packet bytes plus the session and
 * tree ids carried in si; name is not part of the key material set here. */
1951 sfi_key.fid_persistent = tvb_get_letoh64(tvb, offset);
1952 sfi_key.fid_volatile = tvb_get_letoh64(tvb, offset+8);
1953 sfi_key.sesid = si->sesid;
1954 sfi_key.tid = si->tid;
1955 sfi_key.name = NULL;
1957 di.conformant_run = 0;
1958 /* we need di->call_data->flags.NDR64 == 0 */
1959 di.call_data = &call_data;
1963 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, TRUE, FALSE);
/* First pass over this frame only: allocate file-scoped tracking state. */
1964 if (!pinfo->fd->flags.visited) {
1965 sfi = wmem_new(wmem_file_scope(), smb2_fid_info_t);
/* The file name is taken from the saved request. In every visible use it is
 * copied or passed as a "%s" argument, never used as a format string. */
1967 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1968 sfi->name = wmem_strdup(wmem_file_scope(), (char *)si->saved->extra_info);
1970 sfi->name = wmem_strdup_printf(wmem_file_scope(), "[unknown]");
1973 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1974 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si->saved->extra_info);
1976 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: ");
1978 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
/* The same sfi pointer serves as both key and value in conv->fids. */
1981 g_hash_table_insert(si->conv->fids, sfi, sfi);
1984 /* If needed, create the file entry and save the policy hnd */
/* NOTE(review): the condition guarding the next two stores is not visible in
 * this listing. si->saved is tested for NULL a few lines above
 * (si->saved && ...), so confirm it is tested here as well. */
1986 si->saved->file = sfi;
1987 si->saved->policy_hnd = policy_hnd;
/* End-of-file tracking record for this handle, keyed by a file-scoped copy of
 * policy_hnd; created with end_of_file = 0 when none exists yet. */
1991 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1992 if (!eo_file_info) {
1993 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
1994 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
1995 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1996 eo_file_info->end_of_file=0;
1997 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1999 si->eo_file_info=eo_file_info;
2003 case FID_MODE_CLOSE:
2004 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, TRUE);
2009 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, FALSE);
/* g_hash_table_lookup() returns NULL when the key is absent, which happens
 * for a capture that uses a FID whose open was never seen.
 * NOTE(review): the lines between this lookup and the si->file->name
 * dereference are not visible in this listing; confirm that si->file and
 * si->saved are NULL-tested before they are dereferenced. */
2013 si->file = (smb2_fid_info_t *)g_hash_table_lookup(si->conv->fids, &sfi_key);
2016 si->saved->file = si->file;
2018 if (si->file->name) {
2020 proto_item_append_text(hnd_item, " File: %s", si->file->name);
2022 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", si->file->name);
2026 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
2027 /* look for the eo_file_info */
2028 if (!si->eo_file_info) {
2029 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
2031 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
2033 si->eo_file_info=eo_file_info;
2034 } else { /* XXX This should never happen */
/* Fallback: allocate and register a fresh record in file scope, so it stays
 * allocated until the capture file is closed. */
2035 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
2036 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
2037 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
2038 eo_file_info->end_of_file=0;
2039 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
/*
 * Dissect the SMB2 "file all info" level into a subtree of parent_tree.
 *
 * Visible field order: four 64-bit timestamps, file attributes, 4 unknown
 * bytes, allocation size (8), end of file (8), link count (4), delete pending
 * (1), is directory (1), file id (8), EA size (4), access mask, position
 * information (8), mode bitmask, alignment information (4), file name length
 * (4) and the file name.
 *
 * NOTE(review): the embedded numbering shows that this listing omits lines of
 * the function (the offset updates between fields, some declarations, guards
 * and the return). Comments below cover only the visible statements.
 */
2050 /* this info level is unique to SMB2 and differs from the corresponding
2051 * SMB_FILE_ALL_INFO in SMB
2054 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2056 proto_item *item = NULL;
2057 proto_tree *tree = NULL;
2059 const char *name = "";
2061 static const int *mode_fields[] = {
2062 &hf_smb2_mode_file_write_through,
2063 &hf_smb2_mode_file_sequential_only,
2064 &hf_smb2_mode_file_no_intermediate_buffering,
2065 &hf_smb2_mode_file_synchronous_io_alert,
2066 &hf_smb2_mode_file_synchronous_io_nonalert,
2067 &hf_smb2_mode_file_delete_on_close,
/* Length -1: the item initially extends to the end of the tvb. */
2072 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
2073 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
2077 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2080 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2083 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2086 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2088 /* File Attributes */
2089 offset = dissect_file_ext_attr(tvb, tree, offset);
2091 /* some unknown bytes */
2092 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
2095 /* allocation size */
2096 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2100 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2103 /* number of links */
2104 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2107 /* delete pending */
2108 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2112 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2119 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2123 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2127 offset = dissect_smb_access_mask(tvb, tree, offset);
2129 /* Position Information */
2130 proto_tree_add_item(tree, hf_smb2_position_information, tvb, offset, 8, ENC_NA);
2133 /* Mode Information */
2134 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_mode_information, ett_smb2_file_mode_info, mode_fields, ENC_LITTLE_ENDIAN);
2137 /* Alignment Information */
2138 proto_tree_add_item(tree, hf_smb2_alignment_information, tvb, offset, 4, ENC_NA);
2141 /* file name length */
/* NOTE(review): only 16 bits are read into length, while the field added on
 * the next line is 4 bytes wide. A length above 0xffff in the packet is shown
 * in full in the tree but truncated for string extraction — confirm intended. */
2142 length = tvb_get_letohs(tvb, offset);
2143 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* bc is the number of captured bytes left at offset; it and the packet-supplied
 * length are both passed by pointer to the string helper (presumably so the
 * helper can clamp the length to what was captured — confirm in the helper). */
2148 bc = tvb_captured_length_remaining(tvb, offset);
2149 name = get_unicode_or_ascii_string(tvb, &offset,
2150 TRUE, &length, TRUE, TRUE, &bc);
/* NOTE(review): the guard around this call, if any, is not visible in this
 * listing; confirm name is checked before it is added. */
2152 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2153 offset, length, name);
/*
 * File allocation info level: adds an hf_smb2_file_allocation_info item that
 * initially runs to the end of the tvb (length -1) and hands the body to
 * dissect_qsfi_SMB_FILE_ALLOCATION_INFO(). bc is set to the captured bytes
 * remaining at offset and passed by pointer together with trunc (presumably
 * the helper's byte budget and truncation flag — confirm in the helper).
 * offset is reassigned from the helper's return value.
 */
2164 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2166 proto_item *item = NULL;
2167 proto_tree *tree = NULL;
2172 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
2173 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
2176 bc = tvb_captured_length_remaining(tvb, offset);
2177 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * End-of-file info level: adds an hf_smb2_file_endoffile_info item (length -1,
 * i.e. to the end of the tvb) and delegates to
 * dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(), passing bc (captured bytes remaining
 * at offset) and trunc by pointer. offset is reassigned from the helper's
 * return value.
 */
2183 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2185 proto_item *item = NULL;
2186 proto_tree *tree = NULL;
2191 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
2192 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
2195 bc = tvb_captured_length_remaining(tvb, offset);
2196 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Alternate name info level: adds an hf_smb2_file_alternate_name_info item
 * (length -1) and delegates to dissect_qfi_SMB_FILE_NAME_INFO(), passing bc
 * (captured bytes remaining at offset) and trunc by pointer. The final TRUE
 * argument is flagged by the original author as an assumption; its meaning is
 * defined by the helper, which is outside this part of the file.
 */
2202 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2204 proto_item *item = NULL;
2205 proto_tree *tree = NULL;
2210 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
2211 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
2214 bc = tvb_captured_length_remaining(tvb, offset);
2215 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ TRUE);
/*
 * Basic info level: adds an hf_smb2_file_basic_info item (length -1) and, in
 * its subtree, four 64-bit timestamps (create, last access, last write, last
 * change), the file attributes and 4 bytes shown as hf_smb2_unknown.
 * NOTE(review): the offset update after the last field and the return are in
 * lines this listing does not show.
 */
2222 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2224 proto_item *item = NULL;
2225 proto_tree *tree = NULL;
2228 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
2229 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
2233 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2236 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2239 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2242 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2244 /* File Attributes */
2245 offset = dissect_file_ext_attr(tvb, tree, offset);
2247 /* some unknown bytes */
2248 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/*
 * Standard info level: adds an hf_smb2_file_standard_info item (length -1)
 * and delegates to dissect_qfi_SMB_FILE_STANDARD_INFO(), passing bc (captured
 * bytes remaining at offset) and trunc by pointer. offset is reassigned from
 * the helper's return value.
 */
2255 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2257 proto_item *item = NULL;
2258 proto_tree *tree = NULL;
2263 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
2264 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
2267 bc = tvb_captured_length_remaining(tvb, offset);
2268 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Internal info level: adds an hf_smb2_file_internal_info item (length -1)
 * and delegates to dissect_qfi_SMB_FILE_INTERNAL_INFO(), passing bc (captured
 * bytes remaining at offset) and trunc by pointer. offset is reassigned from
 * the helper's return value.
 */
2273 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2275 proto_item *item = NULL;
2276 proto_tree *tree = NULL;
2281 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
2282 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
2285 bc = tvb_captured_length_remaining(tvb, offset);
2286 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Mode info level: adds an hf_smb2_file_mode_info item (length -1) and
 * delegates to dissect_qsfi_SMB_FILE_MODE_INFO(), passing bc (captured bytes
 * remaining at offset) and trunc by pointer. offset is reassigned from the
 * helper's return value.
 */
2291 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2293 proto_item *item = NULL;
2294 proto_tree *tree = NULL;
2299 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
2300 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
2303 bc = tvb_captured_length_remaining(tvb, offset);
2304 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Alignment info level: adds an hf_smb2_file_alignment_info item (length -1)
 * and delegates to dissect_qfi_SMB_FILE_ALIGNMENT_INFO(), passing bc (captured
 * bytes remaining at offset) and trunc by pointer. offset is reassigned from
 * the helper's return value.
 */
2309 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2311 proto_item *item = NULL;
2312 proto_tree *tree = NULL;
2317 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
2318 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
2321 bc = tvb_captured_length_remaining(tvb, offset);
2322 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Position info level: adds an hf_smb2_file_position_info item (length -1)
 * and delegates to dissect_qsfi_SMB_FILE_POSITION_INFO(), passing bc (captured
 * bytes remaining at offset) and trunc by pointer. offset is reassigned from
 * the helper's return value.
 */
2327 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2329 proto_item *item = NULL;
2330 proto_tree *tree = NULL;
2335 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
2336 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
2339 bc = tvb_captured_length_remaining(tvb, offset);
2340 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Access info level: adds an hf_smb2_file_access_info item (length -1) and
 * dissects the access mask into its subtree with dissect_smb_access_mask().
 * offset is reassigned from that helper's return value.
 */
2346 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2348 proto_item *item = NULL;
2349 proto_tree *tree = NULL;
2352 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
2353 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
2357 offset = dissect_smb_access_mask(tvb, tree, offset);
/*
 * EA info level: adds an hf_smb2_file_ea_info item (length -1) and delegates
 * to dissect_qfi_SMB_FILE_EA_INFO(), passing bc (captured bytes remaining at
 * offset) and trunc by pointer. offset is reassigned from the helper's return
 * value.
 */
2363 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2365 proto_item *item = NULL;
2366 proto_tree *tree = NULL;
2371 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
2372 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
2375 bc = tvb_captured_length_remaining(tvb, offset);
2376 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Stream info level: adds an hf_smb2_file_stream_info item (length -1) and
 * delegates to dissect_qfi_SMB_FILE_STREAM_INFO(), passing bc (captured bytes
 * remaining at offset) and trunc by pointer. The meaning of the final TRUE
 * argument is defined by the helper, which is outside this part of the file.
 */
2382 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2384 proto_item *item = NULL;
2385 proto_tree *tree = NULL;
2390 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
2391 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
2394 bc = tvb_captured_length_remaining(tvb, offset);
2395 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, TRUE);
/*
 * Pipe info level: adds an hf_smb2_file_pipe_info item (length -1) and
 * delegates to dissect_sfi_SMB_FILE_PIPE_INFO(), passing bc (captured bytes
 * remaining at offset) and trunc by pointer. offset is reassigned from the
 * helper's return value.
 */
2401 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2403 proto_item *item = NULL;
2404 proto_tree *tree = NULL;
2409 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
2410 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
2413 bc = tvb_captured_length_remaining(tvb, offset);
2414 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Compression info level: adds an hf_smb2_file_compression_info item
 * (length -1) and delegates to dissect_qfi_SMB_FILE_COMPRESSION_INFO(),
 * passing bc (captured bytes remaining at offset) and trunc by pointer.
 * offset is reassigned from the helper's return value.
 */
2420 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2422 proto_item *item = NULL;
2423 proto_tree *tree = NULL;
2428 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
2429 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
2432 bc = tvb_captured_length_remaining(tvb, offset);
2433 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Network open info level: adds an hf_smb2_file_network_open_info item
 * (length -1) and delegates to dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(),
 * passing bc (captured bytes remaining at offset) and trunc by pointer.
 * offset is reassigned from the helper's return value.
 */
2439 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2441 proto_item *item = NULL;
2442 proto_tree *tree = NULL;
2447 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
2448 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
2452 bc = tvb_captured_length_remaining(tvb, offset);
2453 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Attribute tag info level: adds an hf_smb2_file_attribute_tag_info item
 * (length -1) and delegates to dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(),
 * passing bc (captured bytes remaining at offset) and trunc by pointer.
 * offset is reassigned from the helper's return value.
 */
2459 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2461 proto_item *item = NULL;
2462 proto_tree *tree = NULL;
2467 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
2468 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
2472 bc = tvb_captured_length_remaining(tvb, offset);
2473 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Display strings for the delete-on-close flag: the first string is shown
 * when the flag is set, the second when it is clear. */
2478 static const true_false_string tfs_disposition_delete_on_close = {
2479 "DELETE this file when closed",
2480 "Normal access, do not delete on close"
/*
 * Disposition info level: adds an hf_smb2_file_disposition_info item
 * (length -1) and, in its subtree, the 1-byte delete-on-close field at offset.
 * NOTE(review): the offset update and the return are in lines this listing
 * does not show.
 */
2484 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2486 proto_item *item = NULL;
2487 proto_tree *tree = NULL;
2490 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
2491 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
2494 /* file disposition */
2495 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Full EA info level: walks a chain of extended-attribute entries.
 *
 * Each visible entry is: next offset (4 bytes, little-endian), flags (1),
 * name length (1), data length (2), then the name and the data. An "EA:"
 * subtree is created per entry and later sized to offset - start_offset.
 * The next entry is located at start_offset + next_offset.
 *
 * All three lengths (next_offset, ea_name_len, ea_data_len) come from the
 * packet and are therefore untrusted.
 *
 * NOTE(review): the embedded numbering shows that this listing omits lines of
 * the function (the loop header, the offset updates after the fixed fields,
 * guards and the loop-exit tests). Comments below cover only the visible
 * statements.
 */
2501 dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2503 proto_item *item = NULL;
2504 proto_tree *tree = NULL;
2505 guint32 next_offset;
2507 guint16 ea_data_len;
2510 item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
2511 tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
2516 const char *name = "";
2517 const char *data = "";
/* start_offset anchors the relative next_offset of this entry. */
2519 int start_offset = offset;
2520 proto_item *ea_item;
2521 proto_tree *ea_tree;
2523 ea_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_ea, &ea_item, "EA:");
2526 next_offset = tvb_get_letohl(tvb, offset);
2527 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2531 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2534 /* EA Name Length */
2535 ea_name_len = tvb_get_guint8(tvb, offset);
2536 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2539 /* EA Data Length */
2540 ea_data_len = tvb_get_letohs(tvb, offset);
2541 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2545 length = ea_name_len;
/* bc (captured bytes remaining) is passed by pointer next to the
 * packet-supplied length, presumably so the helper can bound the read —
 * confirm in the helper. */
2547 bc = tvb_captured_length_remaining(tvb, offset);
2548 name = get_unicode_or_ascii_string(tvb, &offset,
2549 FALSE, &length, TRUE, TRUE, &bc);
2551 proto_tree_add_string(ea_tree, hf_smb2_ea_name, tvb,
2552 offset, length + 1, name);
2556 /* The name is terminated with a NULL */
/* offset advances by the declared name length, not by what the helper used. */
2557 offset += ea_name_len + 1;
2560 length = ea_data_len;
2562 bc = tvb_captured_length_remaining(tvb, offset);
2563 data = get_unicode_or_ascii_string(tvb, &offset,
2564 FALSE, &length, TRUE, TRUE, &bc);
2566 * We put the data here ...
2568 proto_tree_add_item(ea_tree, hf_smb2_ea_data, tvb,
2569 offset, length, ENC_NA);
2571 offset += ea_data_len;
/* name and data are passed as "%s" arguments; the format string is constant. */
2575 proto_item_append_text(ea_item, " %s := %s", name, data);
2577 proto_item_set_len(ea_item, offset-start_offset);
/* NOTE(review): next_offset is an unsigned 32-bit value from the packet added
 * to a signed int offset. The tests that end the loop sit in lines this
 * listing does not show; confirm that a zero next_offset stops the walk and
 * that an oversized value is rejected, so that a crafted chain cannot keep
 * the dissector iterating. */
2584 offset = start_offset+next_offset;
/* Display strings for the rename ReplaceIfExists flag: the first string is
 * shown when the flag is set, the second when it is clear. */
2590 static const true_false_string tfs_replace_if_exists = {
2591 "Replace the target if it exists",
2592 "Fail if the target exists"
/*
 * Rename info level: adds an hf_smb2_file_rename_info item (length -1) and,
 * in its subtree, ReplaceIfExists (1 byte), 7 reserved bytes, an 8-byte root
 * directory handle, the file name length (4 bytes) and the new file name,
 * which is also appended to COL_INFO as " NewName:<name>".
 *
 * pinfo is marked _U_ in the signature but is used for the column update.
 *
 * NOTE(review): the embedded numbering shows that this listing omits lines of
 * the function (offset updates, declarations, guards, the return). Comments
 * below cover only the visible statements.
 */
2596 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2598 proto_item *item = NULL;
2599 proto_tree *tree = NULL;
2601 const char *name = "";
2606 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
2607 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
2610 /* ReplaceIfExists */
2611 proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
2615 proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
2618 /* Root Directory Handle, MBZ */
2619 proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
2622 /* file name length */
/* NOTE(review): only 16 bits are read into length, while the field added on
 * the next line is 4 bytes wide. A length above 0xffff in the packet is shown
 * in full in the tree but truncated for string extraction — confirm intended. */
2623 length = tvb_get_letohs(tvb, offset);
2624 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* bc (captured bytes remaining) is passed by pointer next to the
 * packet-supplied length, presumably so the helper can bound the read. */
2629 bc = tvb_captured_length_remaining(tvb, offset);
2630 name = get_unicode_or_ascii_string(tvb, &offset,
2631 TRUE, &length, TRUE, TRUE, &bc);
2633 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2634 offset, length, name);
/* The packet-supplied name is a "%s" argument; the format string is constant. */
2637 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s", name);
/*
 * Security info level: adds an hf_smb2_sec_info_00 item (length -1) and
 * dissects an NT security descriptor into its subtree. The length handed to
 * dissect_nt_sec_desc() is the number of captured bytes remaining at offset,
 * so the descriptor is bounded by what the capture holds rather than by a
 * length field of its own. pinfo is marked _U_ but is passed to the helper.
 */
2645 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2647 proto_item *item = NULL;
2648 proto_tree *tree = NULL;
2651 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
2652 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
2655 /* security descriptor */
2656 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, TRUE, tvb_captured_length_remaining(tvb, offset), NULL);
/*
 * Quota info: adds an hf_smb2_quota_info item (length -1) and delegates to
 * dissect_nt_user_quota(), passing bcp (captured bytes remaining at offset)
 * by pointer. offset is reassigned from the helper's return value.
 */
2662 dissect_smb2_quota_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2664 proto_item *item = NULL;
2665 proto_tree *tree = NULL;
2669 item = proto_tree_add_item(parent_tree, hf_smb2_quota_info, tvb, offset, -1, ENC_NA);
2670 tree = proto_item_add_subtree(item, ett_smb2_quota_info);
2673 bcp = tvb_captured_length_remaining(tvb, offset);
2674 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
/*
 * File-system info level 05: adds an hf_smb2_fs_info_05 item (length -1) and
 * delegates to dissect_qfsi_FS_ATTRIBUTE_INFO(), passing bc (captured bytes
 * remaining at offset) by pointer. The meaning of the final TRUE argument is
 * defined by the helper, which is outside this part of the file.
 */
2680 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2682 proto_item *item = NULL;
2683 proto_tree *tree = NULL;
2687 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
2688 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
2691 bc = tvb_captured_length_remaining(tvb, offset);
2692 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/*
 * File-system info level 06: adds an hf_smb2_fs_info_06 item (length -1) and
 * delegates to dissect_nt_quota(), passing bc (captured bytes remaining at
 * offset) by pointer. offset is reassigned from the helper's return value.
 */
2698 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2700 proto_item *item = NULL;
2701 proto_tree *tree = NULL;
2705 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
2706 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
2709 bc = tvb_captured_length_remaining(tvb, offset);
2710 offset = dissect_nt_quota(tvb, tree, offset, &bc);
/*
 * File-system object id info: adds an hf_smb2_fs_objectid_info item
 * (length -1) and delegates to dissect_smb2_FILE_OBJECTID_BUFFER() for the
 * body. offset is reassigned from the helper's return value. pinfo is marked
 * _U_ but is passed to the helper.
 */
2716 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2718 proto_item *item = NULL;
2719 proto_tree *tree = NULL;
2722 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
2723 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
2726 /* FILE_OBJECTID_BUFFER */
2727 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * File-system info level 07: adds an hf_smb2_fs_info_07 item (length -1) and
 * delegates to dissect_qfsi_FS_FULL_SIZE_INFO(), passing bc (captured bytes
 * remaining at offset) by pointer. offset is reassigned from the helper's
 * return value.
 */
2733 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2735 proto_item *item = NULL;
2736 proto_tree *tree = NULL;
2740 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
2741 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
2744 bc = tvb_captured_length_remaining(tvb, offset);
2745 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/*
 * File-system info level 01: adds an hf_smb2_fs_info_01 item (length -1) and
 * delegates to dissect_qfsi_FS_VOLUME_INFO(), passing bc (captured bytes
 * remaining at offset) by pointer. The meaning of the final TRUE argument is
 * defined by the helper, which is outside this part of the file.
 */
2751 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2753 proto_item *item = NULL;
2754 proto_tree *tree = NULL;
2758 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
2759 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
2763 bc = tvb_captured_length_remaining(tvb, offset);
2764 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/*
 * File-system info level 03: adds an hf_smb2_fs_info_03 item (length -1) and
 * delegates to dissect_qfsi_FS_SIZE_INFO(), passing bc (captured bytes
 * remaining at offset) by pointer. offset is reassigned from the helper's
 * return value.
 */
2770 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2772 proto_item *item = NULL;
2773 proto_tree *tree = NULL;
2777 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
2778 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
2782 bc = tvb_captured_length_remaining(tvb, offset);
2783 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/*
 * File-system info level 04: adds an hf_smb2_fs_info_04 item (length -1) and
 * delegates to dissect_qfsi_FS_DEVICE_INFO(), passing bc (captured bytes
 * remaining at offset) by pointer. offset is reassigned from the helper's
 * return value.
 */
2789 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2791 proto_item *item = NULL;
2792 proto_tree *tree = NULL;
2796 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
2797 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
2801 bc = tvb_captured_length_remaining(tvb, offset);
2802 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
/* Names for the 1-byte oplock level. Only the four values listed here have a
 * name in the visible entries; any other byte value from a capture has none. */
2807 static const value_string oplock_vals[] = {
2808 { 0x00, "No oplock" },
2809 { 0x01, "Level2 oplock" },
2810 { 0x08, "Exclusive oplock" },
2811 { 0x09, "Batch oplock" },
/*
 * Add the 1-byte oplock field at offset to parent_tree.
 * NOTE(review): the offset update and the return are in lines this listing
 * does not show.
 */
2817 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2819 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissect the 2-byte buffer code that starts a command PDU.
 *
 * parent_tree  tree that receives the hf_smb2_buffer_code item
 * tvb, offset  location of the 16-bit little-endian value
 * length       out: receives the raw, unmasked 16-bit value
 *
 * The same two bytes are shown as a length sub-field and a "dynamic" flag
 * sub-field. Because *length is stored unmasked, the flag bit is still part
 * of it: a caller must apply the mask named in the trailing comment (0xfffe)
 * before treating the value as a size.
 *
 * NOTE(review): the line before the store to *length is not shown in this
 * listing; confirm whether length is NULL-checked there.
 */
2826 dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint16 *length)
2830 guint16 buffer_code;
2832 /* dissect the first 2 bytes of the command PDU */
2833 buffer_code = tvb_get_letohs(tvb, offset);
2834 item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
2835 tree = proto_item_add_subtree(item, ett_smb2_buffercode);
2836 proto_tree_add_item(tree, hf_smb2_buffer_code_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2837 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2841 *length = buffer_code; /*&0xfffe don't mask it here, mask it on caller side */
/* Bit values of the 32-bit SMB2 NEGOTIATE Capabilities field. They are not
 * referenced in the visible part of the file; dissect_smb2_capabilities()
 * decodes the field through hf_ bitmask fields instead. When reviewing a
 * capture, NEGPROT_CAP_ENCRYPTION shows whether a peer advertised encryption
 * support. */
2847 #define NEGPROT_CAP_DFS 0x00000001
2848 #define NEGPROT_CAP_LEASING 0x00000002
2849 #define NEGPROT_CAP_LARGE_MTU 0x00000004
2850 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
2851 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
2852 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
2853 #define NEGPROT_CAP_ENCRYPTION 0x00000040
/*
 * Add the capabilities bitmask at offset to parent_tree, decoded little-endian
 * through the hf_smb2_cap_* fields listed in flags.
 * NOTE(review): the first array entry, the array terminator, the offset
 * update and the return are in lines this listing does not show.
 */
2855 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2857 static const int * flags[] = {
2859 &hf_smb2_cap_leasing,
2860 &hf_smb2_cap_large_mtu,
2861 &hf_smb2_cap_multi_channel,
2862 &hf_smb2_cap_persistent_handles,
2863 &hf_smb2_cap_directory_leasing,
2864 &hf_smb2_cap_encryption,
2868 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_capabilities, ett_smb2_capabilities, flags, ENC_LITTLE_ENDIAN);
/* Bit values of the SMB2 security mode field. A peer that sets only
 * NEGPROT_SIGN_ENABLED supports message signing without insisting on it;
 * NEGPROT_SIGN_REQ means signing is required. Not referenced in the visible
 * part of the file. */
2876 #define NEGPROT_SIGN_REQ 0x0002
2877 #define NEGPROT_SIGN_ENABLED 0x0001
/*
 * Add the security mode bitmask at offset to parent_tree, decoded
 * little-endian into the sign-enabled and sign-required flags.
 * NOTE(review): the array terminator, the offset update and the return are in
 * lines this listing does not show.
 */
2880 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2882 static const int * flags[] = {
2883 &hf_smb2_secmode_flags_sign_enabled,
2884 &hf_smb2_secmode_flags_sign_required,
2888 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_security_mode, ett_smb2_sec_mode, flags, ENC_LITTLE_ENDIAN);
/* Bit value of the SESSION_SETUP request flags field: the request binds an
 * existing session to the connection it is sent on. Not referenced in the
 * visible part of the file. */
2894 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
/*
 * Add the session setup request flags bitmask at offset to parent_tree; the
 * only flag decoded in the visible array is session binding.
 * NOTE(review): the array terminator, the offset update and the return are in
 * lines this listing does not show.
 */
2897 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2899 static const int * flags[] = {
2900 &hf_smb2_ses_req_flags_session_binding,
2904 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_ses_req_flags, ett_smb2_ses_req_flags, flags, ENC_LITTLE_ENDIAN);
/* Bit values of the SESSION_SETUP response session flags. GUEST and NULL mark
 * sessions that were established without an authenticated user identity
 * (guest and anonymous respectively); ENCRYPT marks a session whose traffic
 * the server requires to be encrypted. Not referenced in the visible part of
 * the file. */
2910 #define SES_FLAGS_GUEST 0x0001
2911 #define SES_FLAGS_NULL 0x0002
2912 #define SES_FLAGS_ENCRYPT 0x0004
/*
 * Add the session flags bitmask at offset to parent_tree, decoded
 * little-endian into the guest, null and encrypt flags.
 * NOTE(review): the array terminator, the offset update and the return are in
 * lines this listing does not show.
 */
2915 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2917 static const int * flags[] = {
2918 &hf_smb2_ses_flags_guest,
2919 &hf_smb2_ses_flags_null,
2920 &hf_smb2_ses_flags_encrypt,
2924 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_session_flags, ett_smb2_ses_flags, flags, ENC_LITTLE_ENDIAN);
/* Caching policy values of the share flags field. The four values differ only
 * in bits 0x00000030, so they form a 2-bit enumeration rather than independent
 * flags; share_cache_vals names them for dissect_smb2_share_flags(). */
2930 #define SHARE_FLAGS_manual_caching 0x00000000
2931 #define SHARE_FLAGS_auto_caching 0x00000010
2932 #define SHARE_FLAGS_vdo_caching 0x00000020
2933 #define SHARE_FLAGS_no_caching 0x00000030
2935 static const value_string share_cache_vals[] = {
2936 { SHARE_FLAGS_manual_caching, "Manual caching" },
2937 { SHARE_FLAGS_auto_caching, "Auto caching" },
2938 { SHARE_FLAGS_vdo_caching, "VDO caching" },
2939 { SHARE_FLAGS_no_caching, "No caching" },
/* Independent single-bit share flags. SHARE_FLAGS_encryption_required tells a
 * reader of the capture that the server demands encrypted access to the share.
 * These macros are not referenced in the visible part of the file. */
2943 #define SHARE_FLAGS_dfs 0x00000001
2944 #define SHARE_FLAGS_dfs_root 0x00000002
2945 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
2946 #define SHARE_FLAGS_force_shared_delete 0x00000200
2947 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
2948 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
2949 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
2950 #define SHARE_FLAGS_enable_hash_v1 0x00002000
2951 #define SHARE_FLAGS_enable_hash_v2 0x00004000
2952 #define SHARE_FLAGS_encryption_required 0x00008000
/*
 * Add the 4-byte share flags bitmask at offset to tree and, under the same
 * item, a "Caching policy" line built from the 32-bit value read at offset.
 * NOTE(review): the array terminator, local declarations, the offset update
 * and the return are in lines this listing does not show.
 */
2955 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
2957 static const int *sf_fields[] = {
2958 &hf_smb2_share_flags_dfs,
2959 &hf_smb2_share_flags_dfs_root,
2960 &hf_smb2_share_flags_restrict_exclusive_opens,
2961 &hf_smb2_share_flags_force_shared_delete,
2962 &hf_smb2_share_flags_allow_namespace_caching,
2963 &hf_smb2_share_flags_access_based_dir_enum,
2964 &hf_smb2_share_flags_force_levelii_oplock,
2965 &hf_smb2_share_flags_enable_hash_v1,
2966 &hf_smb2_share_flags_enable_hash_v2,
2967 &hf_smb2_share_flags_encrypt_data,
2973 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
2975 cp = tvb_get_letohl(tvb, offset);
/* NOTE(review): share_cache_vals only has entries for values within
 * 0x00000030. The line between the read above and this lookup is not shown
 * in this listing; confirm cp is masked to the caching bits there, otherwise
 * any other flag bit makes the lookup fall through to "Unknown:%u". */
2977 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
/* Share capability bits; decoded by dissect_smb2_share_caps() for the
 * Tree Connect response. */
2985 #define SHARE_CAPS_DFS 0x00000008
2986 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
2987 #define SHARE_CAPS_SCALEOUT 0x00000020
2988 #define SHARE_CAPS_CLUSTER 0x00000040
/*
 * Decode the share Capabilities field as a little-endian bitmask
 * (hf_smb2_share_caps) with DFS, continuous-availability, scale-out and
 * cluster sub-flags.  The caller assigns the result to its offset; the
 * lines that advance and return it are not visible here.
 */
2991 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
2993 static const int *sc_fields[] = {
2994 &hf_smb2_share_caps_dfs,
2995 &hf_smb2_share_caps_continuous_availability,
2996 &hf_smb2_share_caps_scaleout,
2997 &hf_smb2_share_caps_cluster,
3001 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
/*
 * Hand a security blob to the right sub-dissector.  A blob with at least
 * 7 captured bytes that starts with the literal "NTLMSSP" (tvb_memeql()
 * returns 0 on a match) is treated as raw NTLMSSP; anything else goes to
 * the GSS-API dissector.  The `else` separating the two calls is
 * presumably on a line not shown in this listing.
 * The captured-length test comes first, so the 7-byte compare is never
 * attempted on a shorter buffer.
 */
3009 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
3011 if ((tvb_captured_length(tvb)>=7)
3012 && (!tvb_memeql(tvb, 0, "NTLMSSP", 7))) {
3013 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
3015 call_dissector(gssapi_handle, tvb, pinfo, tree);
/*
 * Fills sesid->server_decryption_key and sesid->client_decryption_key.
 * When the first NTLMSSP_KEY_LEN bytes of session_key are not all zero
 * (compared against `zeros`, declared outside this listing) both keys come
 * from smb2_key_derivation(); the two memset() calls, presumably the else
 * branch, clear them instead, so an unknown session key leaves the session
 * without usable decryption keys.
 * session_key must point to at least NTLMSSP_KEY_LEN readable bytes: the
 * memcmp() reads that many unconditionally.
 */
3020 * Derive client and server decryption keys from the secret session key
3021 * and set them in the session object.
3023 static void smb2_set_session_keys(smb2_sesid_info_t *sesid, const guint8 *session_key)
3025 if (memcmp(session_key, zeros, NTLMSSP_KEY_LEN) != 0) {
3026 smb2_key_derivation(session_key,
3030 sesid->server_decryption_key);
3031 smb2_key_derivation(session_key,
3035 sesid->client_decryption_key);
3037 memset(sesid->server_decryption_key, 0,
3038 sizeof(sesid->server_decryption_key));
3039 memset(sesid->client_decryption_key, 0,
3040 sizeof(sesid->client_decryption_key));
/*
 * Dissect an SMB2 Session Setup request and, on the first pass over the
 * capture, record a session entry for every NTLMSSP_AUTH message found in
 * its security blob.
 *
 * A helper tap listener on "ntlmssp" is registered once (ntlmssp_tap_id is
 * static); the tapped headers are pulled with fetch_tapped_data() after
 * the blob has been dissected.
 *
 * Analyst caveat: the entry is built from the request alone.  The account,
 * domain and host names are whatever the client put in its NTLMSSP
 * message, and nothing visible here waits for the server's status, so a
 * name in the session table is not proof of a successful logon.
 */
3045 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3047 offset_length_buffer_t s_olb;
3048 const ntlmssp_header_t *ntlmssph;
3049 static int ntlmssp_tap_id = 0;
3052 if (!ntlmssp_tap_id) {
3053 GString *error_string;
3054 /* We don't specify any callbacks at all.
3055 * Instead we manually fetch the tapped data after the
3056 * security blob has been fully dissected and before
3057 * we exit from this dissector.
3059 error_string = register_tap_listener("ntlmssp", NULL, NULL,
3060 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL, NULL);
3061 if (!error_string) {
3062 ntlmssp_tap_id = find_tap_id("ntlmssp");
3064 g_string_free(error_string, TRUE);
3070 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3071 /* some unknown bytes */
3074 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
3077 offset = dissect_smb2_secmode(tree, tvb, offset);
3080 offset = dissect_smb2_capabilities(tree, tvb, offset);
3083 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3086 /* security blob offset/length */
3087 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3089 /* previous session id */
3090 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3094 /* the security blob itself */
3095 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3097 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
3099 /* If we have found a uid->acct_name mapping, store it */
3100 if (!pinfo->fd->flags.visited) {
/* Drain every header the NTLMSSP dissector tapped for this frame; the
 * `ntlmssph &&` test inside the loop repeats the loop condition. */
3102 while ((ntlmssph = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
3103 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
3104 smb2_sesid_info_t *sesid;
3105 guint8 custom_seskey[NTLMSSP_KEY_LEN];
3106 const guint8 *session_key;
3108 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
3109 sesid->sesid = si->sesid;
3110 sesid->acct_name = wmem_strdup(wmem_file_scope(), ntlmssph->acct_name);
3111 sesid->domain_name = wmem_strdup(wmem_file_scope(), ntlmssph->domain_name);
3112 sesid->host_name = wmem_strdup(wmem_file_scope(), ntlmssph->host_name);
3114 /* Try to see first if we have a
3115 * session key set in the pref for
3116 * this particular session id */
3117 if (seskey_find_sid_key(si->sesid, custom_seskey)) {
3118 session_key = custom_seskey;
3120 session_key = ntlmssph->session_key;
3122 smb2_set_session_keys(sesid, session_key);
/* Request direction: the server is the destination of this frame. */
3123 sesid->server_port = pinfo->destport;
3124 sesid->auth_frame = pinfo->num;
/* sesid lives in wmem file scope, but the tids table comes from
 * g_hash_table_new().  NOTE(review): no matching destroy is visible
 * here - confirm how the table is released when the file is closed. */
3125 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
3126 g_hash_table_insert(si->conv->sesids, sesid, sesid);
/*
 * Dissect the symbolic-link error payload of a STATUS_STOPPED_ON_SYMLINK
 * reply: the fixed fields in wire order, then the substitute-name and
 * print-name strings located through their offset/length pairs.
 *
 * The symlink, reparse-data and unparsed-path lengths are only added to
 * the tree; none of them is used to bound the name strings in the visible
 * lines, so any bounds enforcement is left to the olb helpers.
 */
3135 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3140 offset_length_buffer_t s_olb, p_olb;
3142 item = proto_tree_add_item(parent_tree, hf_smb2_symlink_error_response, tvb, offset, -1, ENC_NA);
3143 tree = proto_item_add_subtree(item, ett_smb2_symlink_error_response);
3145 /* symlink length */
3146 proto_tree_add_item(tree, hf_smb2_symlink_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3149 /* symlink error tag */
3150 proto_tree_add_item(tree, hf_smb2_symlink_error_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3154 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3157 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3160 proto_tree_add_item(tree, hf_smb2_unparsed_path_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3163 /* substitute name offset/length */
3164 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
3166 /* print name offset/length */
3167 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
3170 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Both strings are resolved with the same `offset` argument, i.e. the
 * position reached after the flags field. */
3173 /* substitute name string */
3174 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
3176 /* print name string */
3177 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
/*
 * Dissect the ErrorData buffer of an error response.  With no error
 * contexts (error_context_count == 0) the payload format is chosen from
 * si->status; STATUS_STOPPED_ON_SYMLINK (0x8000002D) is the only case
 * visible here.  A non-zero context count is not decoded yet, per the
 * TODO at the end.
 */
3181 dissect_smb2_error_data(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int error_context_count, smb2_info_t *si _U_)
3188 item = proto_tree_add_item(parent_tree, hf_smb2_error_data, tvb, offset, -1, ENC_NA);
3189 tree = proto_item_add_subtree(item, ett_smb2_error_data);
3191 if (error_context_count == 0) {
3192 switch (si->status) {
3193 case 0x8000002D: /* STATUS_STOPPED_ON_SYMLINK */
3194 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvb, pinfo, tree, offset, si);
3201 /* TODO SMB311 supports multiple error contexts */
/*
 * Dissect the generic SMB2 error response body: buffer code,
 * ErrorContextCount, Reserved, ByteCount and ErrorData.
 *
 * *continue_dissection (when non-NULL) is set TRUE on one path and FALSE
 * on the other; the test that selects between them is on lines not shown
 * here, though the comments tie it to the constant 9 returned in `length`.
 * Callers in this file return immediately when it comes back FALSE.
 */
3205 /* This needs more fixes for cases when the original header had also the constant value of 9.
3206 This should be fixed on caller side where it decides if it has to call this or not.
3209 dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si,
3210 gboolean* continue_dissection)
3213 guint8 error_context_count;
3218 offset = dissect_smb2_buffercode(tree, tvb, offset, &length);
3220 /* FIX: error response uses this constant, if not then it is not an error response */
3223 if(continue_dissection)
3224 *continue_dissection = TRUE;
3226 if(continue_dissection)
3227 *continue_dissection = FALSE;
3229 /* ErrorContextCount (1 bytes) */
3230 error_context_count = tvb_get_guint8(tvb, offset);
3231 proto_tree_add_item(tree, hf_smb2_error_context_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3234 /* Reserved (1 bytes) */
3235 proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3238 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
3239 byte_count = tvb_get_letohl(tvb, offset);
3240 proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3243 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
3244 that is one byte in length */
3245 if (byte_count == 0) byte_count = 1;
/* byte_count is a 32-bit value taken straight from the packet.
 * NOTE(review): nothing visible here compares it with the bytes left in
 * tvb before it is used as a subset length and added to the signed
 * `offset`; confirm tvb_new_subset_length() or the caller rejects
 * oversized values. */
3247 /* ErrorData (variable): A variable-length data field that contains extended
3248 error information.*/
3249 sub_tvb = tvb_new_subset_length(tvb, offset, byte_count);
3250 offset += byte_count;
3252 dissect_smb2_error_data(sub_tvb, pinfo, tree, error_context_count, si);
/*
 * Dissect an SMB2 Session Setup response: buffer code, session flags and
 * the security blob.  Unlike the other responses in this file it never
 * goes through dissect_smb2_error_response().
 *
 * With Kerberos support compiled in, a response with status 0 seen for
 * the first time is matched against enc_key_list by frame number and a
 * session entry is created (presumably only when a key matched - that
 * test is not visible here) so later traffic can be decrypted.
 */
3259 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3261 offset_length_buffer_t s_olb;
3263 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
3266 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3269 offset = dissect_smb2_ses_flags(tree, tvb, offset);
3271 /* security blob offset/length */
3272 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3274 /* the security blob itself */
3275 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3277 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
3279 /* If we have found a uid->acct_name mapping, store it */
3280 #ifdef HAVE_KERBEROS
3281 if (!pinfo->fd->flags.visited && si->status == 0) {
3285 read_keytab_file_from_preferences();
/* Look for a Kerberos key that was learned in this very frame. */
3288 for (ek=enc_key_list;ek;ek=ek->next) {
3289 if (ek->fd_num == (int)pinfo->num) {
3295 smb2_sesid_info_t *sesid;
3296 guint8 custom_seskey[NTLMSSP_KEY_LEN] = { 0, };
3297 const guint8 *session_key;
3299 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
3300 sesid->sesid = si->sesid;
3301 /* TODO: fill in the correct information */
3302 sesid->acct_name = NULL;
3303 sesid->domain_name = NULL;
3304 sesid->host_name = NULL;
/* NOTE(review): smb2_set_session_keys() reads NTLMSSP_KEY_LEN bytes from
 * session_key.  custom_seskey is that size, but no check that the
 * Kerberos key in ek->keyvalue is at least that long is visible here -
 * confirm. */
3306 if (seskey_find_sid_key(si->sesid, custom_seskey)) {
3307 session_key = custom_seskey;
3309 session_key = ek->keyvalue;
3311 smb2_set_session_keys(sesid, session_key);
/* Response direction: the server is the source of this frame. */
3312 sesid->server_port = pinfo->srcport;
3313 sesid->auth_frame = pinfo->num;
3314 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
3315 g_hash_table_insert(si->conv->sesids, sesid, sesid);
/*
 * Dissect an SMB2 Tree Connect request and show the requested share path
 * in the Info column.  On the first pass the path is also copied into
 * file-scoped memory (si->saved->extra_info) so that the response can
 * attach it to the tree id.
 */
3324 dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3326 offset_length_buffer_t olb;
3330 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3333 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
3336 /* tree offset/length */
3337 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);
3340 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
3342 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* The copy below cannot overrun its buffer: g_snprintf() is given the
 * same olb.len+1 that was allocated, and buf is tested for NULL first.
 * NOTE(review): whether the Info-column update at the end sits under the
 * same NULL guard cannot be seen in this listing. */
3344 /* treelen +1 is overkill here if the string is unicode,
3345 * but who ever has more than a handful of TCON in a trace anyways
3347 if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
3348 si->saved->extra_info_type = SMB2_EI_TREENAME;
3349 si->saved->extra_info = wmem_alloc(wmem_file_scope(), olb.len+1);
3350 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
3353 col_append_fstr(pinfo->cinfo, COL_INFO, " Tree: %s", buf);
/*
 * Dissect an SMB2 Tree Connect response.  A zero status takes the normal
 * path; any other status is decoded as an error response and dissection
 * stops there unless that decoder asks to continue.
 *
 * On the first pass, if the request saved a tree name and the session is
 * known, a tid entry (name, connect frame, share type) is stored in the
 * session's tids table after any entry already present for si->tid has
 * been removed.
 */
3358 dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3361 gboolean continue_dissection;
3363 switch (si->status) {
3365 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3366 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3367 if (!continue_dissection) return offset;
3371 share_type = tvb_get_guint8(tvb, offset);
3372 proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3375 /* byte is reserved and must be set to zero */
3376 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
3379 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
3380 smb2_tid_info_t *tid, tid_key;
3382 tid_key.tid = si->tid;
3383 tid = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
3385 g_hash_table_remove(si->session->tids, &tid_key);
3387 tid = wmem_new(wmem_file_scope(), smb2_tid_info_t);
/* The name pointer saved by the request is handed over to the tid entry;
 * the saved slot is cleared below so it is not picked up a second time. */
3389 tid->name = (char *)si->saved->extra_info;
3390 tid->connect_frame = pinfo->num;
3391 tid->share_type = share_type;
3393 g_hash_table_insert(si->session->tids, tid, tid);
3395 si->saved->extra_info_type = SMB2_EI_NONE;
3396 si->saved->extra_info = NULL;
3400 offset = dissect_smb2_share_flags(tree, tvb, offset);
3402 /* share capabilities */
3403 offset = dissect_smb2_share_caps(tree, tvb, offset);
/* MS-SMB2 names the next field MaximalAccess: the access rights the
 * server grants this session on the share. */
3405 /* this is some sort of access mask */
3406 offset = dissect_smb_access_mask(tvb, tree, offset);
/* Dissect an SMB2 Tree Disconnect request: buffer code followed by two
 * reserved bytes. */
3412 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3415 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3418 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 Tree Disconnect response.  Status 0 is decoded as buffer
 * code plus two reserved bytes; any other status goes to the error
 * response decoder, which decides whether dissection continues.
 */
3425 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3427 gboolean continue_dissection;
3429 switch (si->status) {
3431 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3432 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3433 if (!continue_dissection) return offset;
3437 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Dissect an SMB2 Session Logoff request: buffer code, then reserved
 * bytes (the line that adds them to the tree is not visible here). */
3444 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3447 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3449 /* reserved bytes */
/*
 * Dissect an SMB2 Session Logoff response.  Status 0 is decoded as buffer
 * code plus two reserved bytes; any other status goes to the error
 * response decoder, which decides whether dissection continues.
 */
3456 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3458 gboolean continue_dissection;
3460 switch (si->status) {
3462 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3463 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3464 if (!continue_dissection) return offset;
3467 /* reserved bytes */
3468 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Dissect an SMB2 keepalive request: buffer code followed by two bytes
 * that this dissector labels as unknown. */
3475 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3478 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3480 /* some unknown bytes */
3481 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 keepalive response.  Status 0 is decoded as buffer code
 * plus two bytes labelled unknown; any other status goes to the error
 * response decoder, which decides whether dissection continues.
 */
3488 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3490 gboolean continue_dissection;
3492 switch (si->status) {
3494 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3495 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3496 if (!continue_dissection) return offset;
3499 /* some unknown bytes */
3500 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 Change Notify request: buffer code, 2-byte flags (with
 * the watch-tree bit in a subtree), output buffer length, file id,
 * completion filter and four reserved bytes.
 */
3507 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3509 proto_tree *flags_tree = NULL;
3510 proto_item *flags_item = NULL;
3513 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3517 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3518 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
3520 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3523 /* output buffer length */
3524 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3528 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3530 /* completion filter */
3531 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
3534 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* Display names for the action code of a change-notify record. */
3540 static const value_string notify_action_vals[] = {
3541 {0x01, "FILE_ACTION_ADDED"},
3542 {0x02, "FILE_ACTION_REMOVED"},
3543 {0x03, "FILE_ACTION_MODIFIED"},
3544 {0x04, "FILE_ACTION_RENAMED_OLD_NAME"},
3545 {0x05, "FILE_ACTION_RENAMED_NEW_NAME"},
3546 {0x06, "FILE_ACTION_ADDED_STREAM"},
3547 {0x07, "FILE_ACTION_REMOVED_STREAM"},
3548 {0x08, "FILE_ACTION_MODIFIED_STREAM"},
3549 {0x09, "FILE_ACTION_REMOVED_BY_DELETE"},
/*
 * Walk the chain of change-notify records in the output buffer.  Each
 * record carries a next-entry offset, an action code, a file name length
 * and the name itself; the next record starts at start_offset +
 * next_offset.
 *
 * next_offset and length are 32-bit values supplied by the server.
 * NOTE(review): the walk only makes progress when next_offset is non-zero
 * and the sum does not wrap.  The directory-info walkers in this file test
 * `next_offset == 0` and `offset < old_offset`; an equivalent guard is not
 * visible in this listing for this loop - confirm it exists.
 */
3554 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3556 proto_tree *tree = NULL;
3557 proto_item *item = NULL;
3560 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3561 guint32 start_offset = offset;
3562 guint32 next_offset;
3566 item = proto_tree_add_item(parent_tree, hf_smb2_notify_info, tvb, offset, -1, ENC_NA);
3567 tree = proto_item_add_subtree(item, ett_smb2_notify_info);
3571 proto_tree_add_item_ret_uint(tree, hf_smb2_notify_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &next_offset);
3574 proto_tree_add_item(tree, hf_smb2_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3577 /* file name length */
3578 proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
3583 const guchar *name = "";
/* The byte budget handed to the string helper is whatever remains in
 * the buffer, not the record's own extent. */
3586 bc = tvb_reported_length_remaining(tvb, offset);
3587 name = get_unicode_or_ascii_string(tvb, &offset,
3588 TRUE, &length, TRUE, TRUE, &bc);
3590 proto_tree_add_string(tree, hf_smb2_filename,
3591 tvb, offset, length,
3602 offset = start_offset+next_offset;
/*
 * Dissect an SMB2 Change Notify response.  Status 0 and
 * STATUS_NOTIFY_ENUM_DIR (0x0000010c) take the normal path; any other
 * status goes to the error response decoder, which decides whether
 * dissection continues.  The output buffer is then located through its
 * offset/length pair and walked by dissect_smb2_notify_data_out().
 */
3607 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
3609 offset_length_buffer_t olb;
3610 gboolean continue_dissection;
3612 switch (si->status) {
3613 /* MS-SMB2 3.3.4.4 says STATUS_NOTIFY_ENUM_DIR is not treated as an error */
3614 case 0x0000010c: /* STATUS_NOTIFY_ENUM_DIR */
3615 case 0x00000000: /* buffer code */
3616 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3617 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3618 if (!continue_dissection) return offset;
3621 /* out buffer offset/length */
3622 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
3625 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
3626 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* Bits of the flags field in a Find request (see dissect_smb2_find_request). */
3631 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
3632 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
3633 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
3634 #define SMB2_FIND_FLAG_REOPEN 0x10
/*
 * Dissect an SMB2 Find request: info level, flags, file index, file id,
 * search pattern and output buffer length.  The info level is stored in
 * si->saved (presumably so the matching response can pick its decoder),
 * and on the first pass the search pattern is copied into file-scoped
 * memory.  Level and pattern are also shown in the Info column.
 */
3637 dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3639 offset_length_buffer_t olb;
3642 static const int *f_fields[] = {
3643 &hf_smb2_find_flags_restart_scans,
3644 &hf_smb2_find_flags_single_entry,
3645 &hf_smb2_find_flags_index_specified,
3646 &hf_smb2_find_flags_reopen,
3651 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3653 il = tvb_get_guint8(tvb, offset);
/* NOTE(review): si->saved is NULL-checked before the pattern copy further
 * down; the guard for this store is presumably on a line not shown -
 * confirm. */
3655 si->saved->infolevel = il;
3659 proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
3663 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
3667 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3671 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3673 /* search pattern offset/length */
3674 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);
3676 /* output buffer length */
3677 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3680 /* search pattern */
3681 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
3683 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* NOTE(review): the tree-connect request tests `buf` before a copy of
 * this shape; here buf is formatted with %s without a visible NULL test.
 * Confirm dissect_smb2_olb_string() cannot return NULL when olb.len is
 * non-zero.  The copy itself is bounded by the olb.len+1 allocation. */
3685 if (!pinfo->fd->flags.visited && si->saved && olb.len) {
3686 si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
3687 si->saved->extra_info = wmem_alloc(wmem_file_scope(), olb.len+1);
3688 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
3691 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3692 val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
/*
 * Walk a chain of directory-info entries in a Find response buffer.
 * Each iteration remembers the entry start (old_offset), decodes next
 * offset, file index, four timestamps, end of file, allocation size,
 * attributes and the file name, then jumps to old_offset + next_offset.
 *
 * next_offset is read from the packet.  A zero value is tested explicitly
 * (its branch body is not shown; presumably it ends the walk) and a jump
 * that lands before the entry start is reported as ei_smb2_invalid_length.
 * With those two checks the offset strictly increases per iteration, but
 * a next_offset smaller than the entry's own size still yields
 * overlapping entries.
 */
3698 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3701 proto_item *item = NULL;
3702 proto_tree *tree = NULL;
3703 const char *name = NULL;
3706 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3707 int old_offset = offset;
3712 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
3713 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
3717 next_offset = tvb_get_letohl(tvb, offset);
3718 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3722 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3726 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3729 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3732 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3735 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3738 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3741 /* allocation size */
3742 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3745 /* File Attributes */
3746 offset = dissect_file_ext_attr(tvb, tree, offset);
3748 /* file name length */
3749 file_name_len = tvb_get_letohl(tvb, offset);
3750 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3754 if (file_name_len) {
3756 name = get_unicode_or_ascii_string(tvb, &offset,
3757 TRUE, &file_name_len, TRUE, TRUE, &bc);
3759 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3760 offset, file_name_len, name);
3761 proto_item_append_text(item, ": %s", name);
/* Shrink the item, created with length -1, to the bytes consumed. */
3766 proto_item_set_len(item, offset-old_offset);
3768 if (next_offset == 0) {
3772 offset = old_offset+next_offset;
3773 if (offset < old_offset) {
3774 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3775 "Invalid offset/length. Malformed packet");
/*
 * Walk a chain of full-directory-info entries in a Find response buffer.
 * Same layout as the plain directory-info entry plus a 4-byte EA size
 * between the file name length and the name.
 *
 * Chain control is the same as in the sibling walkers: a zero next_offset
 * is tested explicitly (branch body not shown) and a jump that lands
 * before the entry start is reported as ei_smb2_invalid_length.
 */
3781 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3784 proto_item *item = NULL;
3785 proto_tree *tree = NULL;
3786 const char *name = NULL;
3789 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3790 int old_offset = offset;
3795 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
3796 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
3800 next_offset = tvb_get_letohl(tvb, offset);
3801 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3805 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3809 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3812 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3815 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3818 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3821 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3824 /* allocation size */
3825 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3828 /* File Attributes */
3829 offset = dissect_file_ext_attr(tvb, tree, offset);
3831 /* file name length */
3832 file_name_len = tvb_get_letohl(tvb, offset);
3833 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3837 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3841 if (file_name_len) {
3843 name = get_unicode_or_ascii_string(tvb, &offset,
3844 TRUE, &file_name_len, TRUE, TRUE, &bc);
3846 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3847 offset, file_name_len, name);
3848 proto_item_append_text(item, ": %s", name);
/* Shrink the item, created with length -1, to the bytes consumed. */
3853 proto_item_set_len(item, offset-old_offset);
3855 if (next_offset == 0) {
3859 offset = old_offset+next_offset;
3860 if (offset < old_offset) {
3861 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3862 "Invalid offset/length. Malformed packet");
/*
 * Walk a chain of both-directory-info entries in a Find response buffer.
 * On top of the full-directory-info fields each entry has a 1-byte short
 * name length, a reserved byte and a short name ahead of the long file
 * name.
 *
 * The short name's byte budget (bc) is set from its own 1-byte length
 * field.  Chain control matches the sibling walkers: a zero next_offset is
 * tested explicitly (branch body not shown) and a jump that lands before
 * the entry start is reported as ei_smb2_invalid_length.
 */
3868 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3871 proto_item *item = NULL;
3872 proto_tree *tree = NULL;
3873 const char *name = NULL;
3876 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3877 int old_offset = offset;
3883 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3884 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3888 next_offset = tvb_get_letohl(tvb, offset);
3889 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3893 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3897 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3900 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3903 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3906 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3909 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3912 /* allocation size */
3913 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3916 /* File Attributes */
3917 offset = dissect_file_ext_attr(tvb, tree, offset);
3919 /* file name length */
3920 file_name_len = tvb_get_letohl(tvb, offset);
3921 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3925 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3928 /* short name length */
3929 short_name_len = tvb_get_guint8(tvb, offset);
3930 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3934 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
3938 if (short_name_len) {
3939 bc = short_name_len;
3940 name = get_unicode_or_ascii_string(tvb, &offset,
3941 TRUE, &short_name_len, TRUE, TRUE, &bc);
3943 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3944 offset, short_name_len, name);
3950 if (file_name_len) {
3952 name = get_unicode_or_ascii_string(tvb, &offset,
3953 TRUE, &file_name_len, TRUE, TRUE, &bc);
3955 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3956 offset, file_name_len, name);
3957 proto_item_append_text(item, ": %s", name);
/* Shrink the item, created with length -1, to the bytes consumed. */
3962 proto_item_set_len(item, offset-old_offset);
3964 if (next_offset == 0) {
3968 offset = old_offset+next_offset;
3969 if (offset < old_offset) {
3970 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3971 "Invalid offset/length. Malformed packet");
/*
 * Walk a chain of name-info entries in a Find response buffer.  Each
 * entry holds only next offset, file index, file name length and the
 * name.
 *
 * NOTE(review): the per-entry item is created with
 * hf_smb2_both_directory_info / ett_smb2_both_directory_info, the same
 * pair the both-directory-info walker uses, so display filters cannot
 * tell the two entry types apart.  This looks like a copy-paste leftover;
 * confirm whether a dedicated field was intended.
 *
 * Chain control matches the sibling walkers: a zero next_offset is tested
 * explicitly (branch body not shown) and a jump that lands before the
 * entry start is reported as ei_smb2_invalid_length.
 */
3977 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3980 proto_item *item = NULL;
3981 proto_tree *tree = NULL;
3982 const char *name = NULL;
3985 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3986 int old_offset = offset;
3991 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3992 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3996 next_offset = tvb_get_letohl(tvb, offset);
3997 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4001 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4004 /* file name length */
4005 file_name_len = tvb_get_letohl(tvb, offset);
4006 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4010 if (file_name_len) {
4012 name = get_unicode_or_ascii_string(tvb, &offset,
4013 TRUE, &file_name_len, TRUE, TRUE, &bc);
4015 proto_tree_add_string(tree, hf_smb2_filename, tvb,
4016 offset, file_name_len, name);
4017 proto_item_append_text(item, ": %s", name);
/* Shrink the item, created with length -1, to the bytes consumed. */
4022 proto_item_set_len(item, offset-old_offset);
4024 if (next_offset == 0) {
4028 offset = old_offset+next_offset;
4029 if (offset < old_offset) {
4030 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4031 "Invalid offset/length. Malformed packet");
/*
 * Walk a chain of id-both-directory-info entries in a Find response
 * buffer.  The layout is the both-directory-info entry with two reserved
 * bytes and an 8-byte file id inserted between the short name and the
 * long file name.
 *
 * The short name's byte budget (bc) is set from its own 1-byte length
 * field.  Chain control matches the sibling walkers: a zero next_offset is
 * tested explicitly (branch body not shown) and a jump that lands before
 * the entry start is reported as ei_smb2_invalid_length.
 */
4037 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
4040 proto_item *item = NULL;
4041 proto_tree *tree = NULL;
4042 const char *name = NULL;
4045 while (tvb_reported_length_remaining(tvb, offset) > 4) {
4046 int old_offset = offset;
4052 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
4053 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
4057 next_offset = tvb_get_letohl(tvb, offset);
4058 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4062 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4066 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
4069 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
4072 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
4075 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
4078 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4081 /* allocation size */
4082 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4085 /* File Attributes */
4086 offset = dissect_file_ext_attr(tvb, tree, offset);
4088 /* file name length */
4089 file_name_len = tvb_get_letohl(tvb, offset);
4090 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4094 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4097 /* short name length */
4098 short_name_len = tvb_get_guint8(tvb, offset);
4099 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4103 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
4107 if (short_name_len) {
4108 bc = short_name_len;
4109 name = get_unicode_or_ascii_string(tvb, &offset,
4110 TRUE, &short_name_len, TRUE, TRUE, &bc);
4112 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
4113 offset, short_name_len, name);
4119 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4123 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4127 if (file_name_len) {
4129 name = get_unicode_or_ascii_string(tvb, &offset,
4130 TRUE, &file_name_len, TRUE, TRUE, &bc);
4132 proto_tree_add_string(tree, hf_smb2_filename, tvb,
4133 offset, file_name_len, name);
4134 proto_item_append_text(item, ": %s", name);
/* Shrink the item, created with length -1, to the bytes consumed. */
4139 proto_item_set_len(item, offset-old_offset);
4141 if (next_offset == 0) {
4145 offset = old_offset+next_offset;
4146 if (offset < old_offset) {
4147 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4148 "Invalid offset/length. Malformed packet");
/*
 * Walk a chain of id-full-directory-info entries in a Find response
 * buffer.  The layout is the full-directory-info entry with four reserved
 * bytes and an 8-byte file id inserted before the file name.
 *
 * NOTE(review): the per-entry item is created with
 * hf_smb2_id_both_directory_info / ett_smb2_id_both_directory_info, the
 * pair that belongs to the id-both walker.  This looks like a copy-paste
 * leftover; confirm whether a dedicated field was intended.
 *
 * Chain control matches the sibling walkers: a zero next_offset is tested
 * explicitly (branch body not shown) and a jump that lands before the
 * entry start is reported as ei_smb2_invalid_length.
 */
4155 static void dissect_smb2_id_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
4158 proto_item *item = NULL;
4159 proto_tree *tree = NULL;
4160 const char *name = NULL;
4163 while (tvb_reported_length_remaining(tvb, offset) > 4) {
4164 int old_offset = offset;
4169 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
4170 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
4174 next_offset = tvb_get_letohl(tvb, offset);
4175 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4179 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4183 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
4186 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
4189 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
4192 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
4195 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4198 /* allocation size */
4199 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4202 /* File Attributes */
4203 offset = dissect_file_ext_attr(tvb, tree, offset);
4205 /* file name length */
4206 file_name_len = tvb_get_letohl(tvb, offset);
4207 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4211 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4215 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
4219 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4223 if (file_name_len) {
4225 name = get_unicode_or_ascii_string(tvb, &offset,
4226 TRUE, &file_name_len, TRUE, TRUE, &bc);
4228 proto_tree_add_string(tree, hf_smb2_filename, tvb,
4229 offset, file_name_len, name);
4230 proto_item_append_text(item, ": %s", name);
/* Shrink the item, created with length -1, to the bytes consumed. */
4235 proto_item_set_len(item, offset-old_offset);
4237 if (next_offset == 0) {
4241 offset = old_offset+next_offset;
4242 if (offset < old_offset) {
4243 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4244 "Invalid offset/length. Malformed packet");
/*
 * One row of the FIND dispatch table: the routine that dissects the result
 * buffer for one info level (the level is matched as dis->level in
 * dissect_smb2_find_data()).
 */
4251 typedef struct _smb2_find_dissector_t {
4253 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
4254 } smb2_find_dissector_t;
/*
 * FIND info level -> result-buffer dissector.
 *
 * dissect_smb2_find_data() walks this table until it meets an entry whose
 * dissector pointer is NULL, so the table must end with such an entry.
 * NOTE(review): the table holds function pointers but is neither static nor
 * const; if nothing outside this file writes to it, making it read-only
 * would keep the pointers out of writable data - confirm before changing.
 */
4256 smb2_find_dissector_t smb2_find_dissectors[] = {
4257 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
4258 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
4259 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
4260 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
4261 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
4262 {SMB2_FIND_ID_FULL_DIRECTORY_INFO,dissect_smb2_id_full_directory_info},
/*
 * Dissect the result buffer of a FIND response.
 *
 * Looks up the info level saved from the request (si->saved->infolevel) in
 * smb2_find_dissectors and calls the matching routine. The final
 * proto_tree_add_item() shows the whole captured buffer as hf_smb2_unknown;
 * presumably that is the fallback when no entry matched or no request state
 * is available - confirm against the control flow around it.
 */
4267 dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4269 smb2_find_dissector_t *dis = smb2_find_dissectors;
/* the table walk stops at the first entry with a NULL dissector */
4271 while (dis->dissector) {
/* si and si->saved are both checked before the saved level is read */
4272 if (si && si->saved) {
4273 if (dis->level == si->saved->infolevel) {
4274 dis->dissector(tvb, pinfo, tree, si);
4281 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissect an SMB2 FIND response.
 *
 * Shows the info level remembered from the request as a generated item,
 * appends the saved search pattern to the Info column on the first pass,
 * then dissects the result buffer through dissect_smb2_find_data(). A
 * non-zero status goes to dissect_smb2_error_response(), which decides via
 * continue_dissection whether the rest is dissected.
 *
 * NOTE(review): si->saved is tested for NULL before the pattern is used,
 * but si->saved->infolevel is read before that test; confirm a guard
 * covers the earlier read.
 * NOTE(review): pinfo and si are tagged _U_ yet both are used.
 */
4285 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4287 offset_length_buffer_t olb;
4288 proto_item *item = NULL;
4289 gboolean continue_dissection;
/* zero-length generated item: the value comes from request state, not from this packet */
4293 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
4294 PROTO_ITEM_SET_GENERATED(item);
/* first pass only, and only when the request stored a search pattern */
4297 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
/* the pattern is passed as a %s argument, never as the format string */
4298 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
4299 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
4300 (const char *)si->saved->extra_info);
/* the pattern is consumed: free it and clear the slot so no stale pointer is left behind */
4302 wmem_free(wmem_file_scope(), si->saved->extra_info);
4303 si->saved->extra_info_type = SMB2_EI_NONE;
4304 si->saved->extra_info = NULL;
4307 switch (si->status) {
4309 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4310 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4311 if (!continue_dissection) return offset;
4314 /* findinfo offset */
4315 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
/* the buffer described by olb is dissected by dissect_smb2_find_data() */
4318 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
4320 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * Dissect one SMB2 negotiate context inside its own "Negotiate Context"
 * subtree.
 *
 * hash_count, salt_length, cipher_count and data_length all come from
 * 2-byte packet fields, so each is at most 0xFFFF but otherwise chosen by
 * the sender. No comparison of these values with data_length or with the
 * bytes left in the tvb is visible here; reads past the end are left to
 * the bounds checks inside the tvb / proto_tree accessors.
 *
 * NOTE(review): type is fetched with tvb_get_letohl() (4 bytes) while the
 * field is added as 2 bytes; tvb_get_letohs() would match the field width.
 * NOTE(review): pinfo and si are tagged _U_; neither is used in the lines
 * shown.
 */
4326 dissect_smb2_negotiate_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4329 const gchar *type_str;
4330 guint32 i, data_length, salt_length, hash_count, cipher_count;
4331 proto_item *sub_item;
4332 proto_tree *sub_tree;
4334 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_negotiate_context_element, &sub_item, "Negotiate Context");
/* context type; unknown values are rendered through the fallback format */
4337 type = tvb_get_letohl(tvb, offset);
4338 type_str = val_to_str(type, smb2_negotiate_context_types, "Unknown Type: (0x%0x)");
4339 proto_item_append_text(sub_item, ": %s ", type_str);
4340 proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* declared length of the context data, taken from the wire */
4344 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_negotiate_context_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &data_length);
4348 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
4353 case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
4354 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_hash_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &hash_count);
4356 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_salt_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &salt_length);
/* one 2-byte algorithm id per announced hash algorithm */
4359 for (i = 0; i < hash_count; i++)
4361 proto_tree_add_item(sub_tree, hf_smb2_hash_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* salt_length bytes of salt follow the algorithm list */
4367 proto_tree_add_item(sub_tree, hf_smb2_salt, tvb, offset, salt_length, ENC_NA);
4368 offset += salt_length;
4372 case SMB2_ENCRYPTION_CAPABILITIES:
4373 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_cipher_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &cipher_count);
/* one 2-byte cipher id per announced cipher */
4376 for (i = 0; i < cipher_count; i ++)
4378 proto_tree_add_item(sub_tree, hf_smb2_cipher_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* data shown as an opaque blob of data_length bytes */
4384 proto_tree_add_item(sub_tree, hf_smb2_unknown, tvb, offset, data_length, ENC_NA);
4385 offset += data_length;
/*
 * Dissect an SMB2 NEGOTIATE request: fixed fields, the dialect list and,
 * depending on supports_smb_3_10, the negotiate context list.
 *
 * dc (dialect count), nco (negotiate context offset) and ncc (negotiate
 * context count) are wire values. dc and ncc are read as 16-bit, which
 * bounds both loops at 65535 iterations.
 *
 * NOTE(review): pinfo and si are tagged _U_ yet both are passed on to
 * dissect_smb2_negotiate_context().
 */
4393 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4397 gboolean supports_smb_3_10 = FALSE;
4402 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* dialect count: number of 2-byte dialect entries that follow the fixed part */
4405 dc = tvb_get_letohs(tvb, offset);
4406 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4409 /* security mode, skip second byte */
4410 offset = dissect_smb2_secmode(tree, tvb, offset);
4415 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4419 offset = dissect_smb2_capabilities(tree, tvb, offset);
4422 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4425 /* negotiate context offset */
4426 nco = tvb_get_letohl(tvb, offset);
4427 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4430 /* negotiate context count */
4431 ncc = tvb_get_letohs(tvb, offset);
4432 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4436 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* dialect list: dc entries of 2 bytes each */
4439 for (i = 0 ; i < dc; i++) {
4440 guint16 d = tvb_get_letohs(tvb, offset);
4441 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4445 supports_smb_3_10 = TRUE;
4449 if (!supports_smb_3_10) {
/*
 * tmp = 0x40 + 36 + 2 bytes per dialect; presumably the header size plus
 * the fixed request body plus the dialect list, i.e. where the contexts
 * would start without padding - confirm.
 * NOTE(review): nco is a wire value and nco - tmp is unsigned; confirm
 * nco >= tmp is enforced before the subtraction, otherwise it wraps.
 */
4454 guint32 tmp = 0x40 + 36 + dc * 2;
4457 offset += nco - tmp;
/* each context is dissected from the next 8-byte boundary */
4463 for (i = 0; i < ncc; i++) {
4464 offset = (offset + 7) & ~7;
4465 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissect an SMB2 NEGOTIATE response: security mode, chosen dialect,
 * server limits and times, the security blob and the negotiate context
 * list.
 *
 * A non-zero status goes to dissect_smb2_error_response(), which decides
 * via continue_dissection whether the rest is dissected. ncc (context
 * count, 16-bit), nco (context offset, 32-bit) and the security blob
 * offset/length in s_olb are wire values.
 *
 * NOTE(review): si is tagged _U_ yet si->status is read and si is passed
 * on to the helpers.
 */
4472 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4474 offset_length_buffer_t s_olb;
4479 gboolean continue_dissection;
4481 switch (si->status) {
4483 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4484 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4485 if (!continue_dissection) return offset;
4488 /* security mode, skip second byte */
4489 offset = dissect_smb2_secmode(tree, tvb, offset);
4492 /* dialect picked */
4493 d = tvb_get_letohs(tvb, offset);
4494 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4497 /* negotiate context count */
4498 ncc = tvb_get_letohs(tvb, offset);
4499 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4503 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4507 offset = dissect_smb2_capabilities(tree, tvb, offset);
4509 /* max trans size */
4510 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4514 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4517 /* max write size */
4518 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* the return value of the two time helpers is not used here; presumably offset is advanced separately - confirm */
4522 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_current_time);
4526 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
4529 /* security blob offset/length */
4530 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
4532 /* the security blob itself */
4533 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
4535 /* negotiate context offset */
4536 nco = tvb_get_letohl(tvb, offset);
4537 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4540 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/*
 * tmp = 0x40 + 64 + security blob length; presumably the header size plus
 * the fixed response body plus the blob, i.e. where the contexts would
 * start without padding - confirm.
 * NOTE(review): nco and s_olb.len are wire values and nco - tmp is
 * unsigned; confirm nco >= tmp is enforced before the subtraction.
 */
4547 guint32 tmp = 0x40 + 64 + s_olb.len;
4550 offset += nco - tmp;
/* each context is dissected from the next 8-byte boundary */
4556 for (i = 0; i < ncc; i++) {
4557 offset = (offset + 7) & ~7;
4558 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissect the class-dependent "additional info" field and the flags field
 * of a GETINFO request. For SMB2_CLASS_SEC_INFO the additional info is
 * shown as a security information mask; the plain 4-byte
 * hf_smb2_getinfo_additional item is presumably the branch for every other
 * class - confirm.
 *
 * NOTE(review): si->saved is dereferenced without a check in this
 * function, so callers must only call it with si->saved != NULL.
 */
4565 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
4567 /* Additional Info */
4568 switch (si->saved->smb2_class) {
4569 case SMB2_CLASS_SEC_INFO:
4570 dissect_security_information_mask(tvb, tree, offset);
4573 proto_tree_add_item(tree, hf_smb2_getinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* 4-byte flags field */
4578 proto_tree_add_item(tree, hf_smb2_getinfo_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect the query-quota-info input buffer of a quota GETINFO request
 * inside its own hf_smb2_query_quota_info subtree.
 *
 * sidlist_len, startsid_len and startsid_offset are 32-bit wire values.
 * A non-zero SID list length selects the user-quota list; otherwise a
 * non-zero start-SID length selects a single start SID.
 *
 * NOTE(review): startsid_offset is added to the int offset and handed to
 * dissect_nt_sid() with no range check visible here; an out-of-range value
 * is left to the callee and the tvb bounds checks - confirm that is enough,
 * including for sums that exceed INT_MAX.
 */
4586 dissect_smb2_getinfo_buffer_quota(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4588 guint32 sidlist_len = 0;
4589 guint32 startsid_len = 0;
4590 guint32 startsid_offset = 0;
4592 proto_item *item = NULL;
4593 proto_tree *tree = NULL;
4596 item = proto_tree_add_item(parent_tree, hf_smb2_query_quota_info, tvb, offset, -1, ENC_NA);
4597 tree = proto_item_add_subtree(item, ett_smb2_query_quota_info);
4600 proto_tree_add_item(tree, hf_smb2_qq_single, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4603 proto_tree_add_item(tree, hf_smb2_qq_restart, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4607 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* the three values below are kept for the branch that follows */
4610 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_sidlist_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &sidlist_len);
4613 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_len);
4616 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_offset);
/* the SID list takes precedence over the start SID */
4619 if (sidlist_len != 0) {
4620 offset = dissect_nt_get_user_quota(tvb, tree, offset, &sidlist_len);
4621 } else if (startsid_len != 0) {
4622 offset = dissect_nt_sid(tvb, offset + startsid_offset, tree, "Start SID", NULL, -1);
/*
 * Show the info class and info level of a GETINFO-style exchange.
 *
 * For a response (SMB2_FLAGS_RESPONSE set) both values are taken from the
 * state saved with the request and the two items are marked as generated.
 * For a request they are read as one byte each at offset and offset+1 and
 * written into si->saved. The class selects which header field and value
 * table are used for the level; an unrecognised class falls back to
 * hf_smb2_infolevel with no value table. Only requests append
 * "class/level" to the Info column.
 *
 * NOTE(review): si->saved is read and written here; confirm each of those
 * accesses is guarded against si->saved being NULL.
 */
4629 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
4634 value_string_ext *vsx;
/* responses do not carry class/level on the wire; reuse what the request stored */
4636 if (si->flags & SMB2_FLAGS_RESPONSE) {
4640 cl = si->saved->smb2_class;
4641 il = si->saved->infolevel;
/* requests: one byte each for class and level, remembered for the response */
4643 cl = tvb_get_guint8(tvb, offset);
4644 il = tvb_get_guint8(tvb, offset+1);
4646 si->saved->smb2_class = cl;
4647 si->saved->infolevel = il;
4653 case SMB2_CLASS_FILE_INFO:
4654 hfindex = hf_smb2_infolevel_file_info;
4655 vsx = &smb2_file_info_levels_ext;
4657 case SMB2_CLASS_FS_INFO:
4658 hfindex = hf_smb2_infolevel_fs_info;
4659 vsx = &smb2_fs_info_levels_ext;
4661 case SMB2_CLASS_SEC_INFO:
4662 hfindex = hf_smb2_infolevel_sec_info;
4663 vsx = &smb2_sec_info_levels_ext;
4665 case SMB2_CLASS_QUOTA_INFO:
4666 /* infolevel is not being used for quota */
4667 hfindex = hf_smb2_infolevel;
4670 case SMB2_CLASS_POSIX_INFO:
4671 hfindex = hf_smb2_infolevel_posix_info;
4672 vsx = &smb2_posix_info_levels_ext;
4675 hfindex = hf_smb2_infolevel;
4676 vsx = NULL; /* allowed arg to val_to_str_ext() */
/* class item; generated when it was not read from this packet */
4681 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
4682 if (si->flags & SMB2_FLAGS_RESPONSE) {
4683 PROTO_ITEM_SET_GENERATED(item);
/* level item, shown under the class-specific header field chosen above */
4686 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
4687 if (si->flags & SMB2_FLAGS_RESPONSE) {
4688 PROTO_ITEM_SET_GENERATED(item);
4692 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
4693 /* Only update COL_INFO for requests. It clutters the
4694 * display a bit too much if we do it for replies
4697 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
4698 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
4699 val_to_str_ext(il, vsx, "(Level:0x%02x)"));
/*
 * Dissect an SMB2 GETINFO (QUERY_INFO) request.
 *
 * getinfo_offset (2-byte field) and getinfo_size (4-byte field) describe an
 * optional input buffer and are wire values. Only quota requests and
 * FileFullEaInformation requests are treated as having an input buffer.
 * Before that buffer is touched the code checks that
 *   - getinfo_offset does not point into the part already dissected,
 *   - getinfo_offset + getinfo_size does not wrap around, and
 *   - the sum does not exceed tvb_reported_length(tvb),
 * and attaches ei_smb2_invalid_getinfo_offset or
 * ei_smb2_invalid_getinfo_size to the offset item when a check fails.
 * A quota request whose buffer size is 0 is flagged with
 * ei_smb2_empty_getinfo_buffer.
 *
 * NOTE(review): si->saved->smb2_class and si->saved->infolevel are read in
 * the buffer handling; confirm every path reaching those reads has checked
 * si->saved for NULL.
 * NOTE(review): confirm that a failed offset or size check stops the buffer
 * from being dissected instead of only adding the expert info.
 */
4706 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4708 guint32 getinfo_size = 0;
4709 guint32 getinfo_offset = 0;
4710 proto_item *offset_item;
4713 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4715 /* class and info level */
4716 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
4718 /* max response size */
4719 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* the offset item is kept so the expert infos below can be attached to it */
4723 offset_item = proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN, &getinfo_offset);
4727 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4731 proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &getinfo_size);
4736 offset = dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
4738 /* some unknown bytes */
4739 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 8, ENC_NA);
4744 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4748 if (getinfo_size != 0) {
4750 * 2.2.37 says "For quota requests, this MUST be
4751 * the length of the contained SMB2_QUERY_QUOTA_INFO
4752 * embedded in the request. For FileFullEaInformation
4753 * requests, this MUST be set to the length of the
4754 * user supplied EA list specified in [MS-FSCC]
4755 * section 2.4.15.1. For other information queries,
4756 * this field SHOULD be set to 0 and the server MUST
4757 * ignore it on receipt.
4759 * This seems to imply that, for requests other
4760 * than those to types, we should either completely
4761 * ignore a non-zero getinfo_size or should, at
4762 * most, add a warning-level expert info at the
4763 * protocol level saying that it should be zero,
4764 * but not try and interpret it or check its
4767 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO ||
4768 (si->saved->smb2_class == SMB2_CLASS_FILE_INFO &&
4769 si->saved->infolevel == SMB2_FILE_FULL_EA_INFO)) {
4771 * According to 2.2.37 SMB2 QUERY_INFO
4772 * Request in the current MS-SMB2 spec,
4773 * these are the only info requests that
4774 * have an input buffer.
4778 * Make sure that the input buffer is after
4779 * the fixed-length part of the message.
4781 if (getinfo_offset < (guint)offset) {
4782 expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_offset);
4787 * Make sure the input buffer is within the
4788 * message, i.e. that it's within the tvbuff.
4790 * We check for offset+length overflowing and
4791 * for offset+length being beyond the reported
4792 * length of the tvbuff.
4794 if (getinfo_offset + getinfo_size < getinfo_offset ||
4795 getinfo_offset + getinfo_size > tvb_reported_length(tvb)) {
4796 expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_size);
4800 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO) {
4801 dissect_smb2_getinfo_buffer_quota(tvb, pinfo, tree, getinfo_offset, si);
4804 * XXX - handle user supplied EA info.
4806 proto_tree_add_item(tree, hf_smb2_unknown, tvb, getinfo_offset, getinfo_size, ENC_NA);
4808 offset = getinfo_offset + getinfo_size;
4812 * The buffer size is 0, meaning it's not present.
4814 * 2.2.37 says "For FileFullEaInformation requests,
4815 * the input buffer MUST contain the user supplied
4816 * EA list with zero or more FILE_GET_EA_INFORMATION
4817 * structures, specified in [MS-FSCC] section
4818 * 2.4.15.1.", so it seems that, for a "get full
4819 * EA information" request, the size can be zero -
4820 * there's no other obvious way for the list to
4821 * have zero structures.
4823 * 2.2.37 also says "For quota requests, the input
4824 * buffer MUST contain an SMB2_QUERY_QUOTA_INFO,
4825 * as specified in section 2.2.37.1."; that seems
4826 * to imply that the input buffer must not be empty
4829 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO)
4830 expert_add_info(pinfo, offset_item, &ei_smb2_empty_getinfo_buffer);
/*
 * Dissect an info buffer by dispatching on smb2_class and then, for the
 * file, filesystem and security classes, on infolevel. Quota info has a
 * single dissector. A class or level with no case is shown as
 * hf_smb2_unknown over the remaining captured bytes, and offset is moved
 * past them.
 *
 * When si->status is 0x80000005 (BUFFER_OVERFLOW per the existing comment)
 * a generated hf_smb2_truncated item is added at the buffer start.
 *
 * NOTE(review): the SMB2_FILE_ENDOFFILE_INFO case does not assign the
 * helper's return value to offset, unlike its siblings - confirm this is
 * intended.
 * NOTE(review): pinfo is tagged _U_ yet is passed to every helper.
 */
4838 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, guint8 smb2_class, guint8 infolevel)
/* remembered so the truncation marker can point at the start of the buffer */
4840 int old_offset = offset;
4842 switch (smb2_class) {
4843 case SMB2_CLASS_FILE_INFO:
4844 switch (infolevel) {
4845 case SMB2_FILE_BASIC_INFO:
4846 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
4848 case SMB2_FILE_STANDARD_INFO:
4849 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
4851 case SMB2_FILE_INTERNAL_INFO:
4852 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
4854 case SMB2_FILE_EA_INFO:
4855 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
4857 case SMB2_FILE_ACCESS_INFO:
4858 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
4860 case SMB2_FILE_RENAME_INFO:
4861 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
4863 case SMB2_FILE_DISPOSITION_INFO:
4864 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
4866 case SMB2_FILE_POSITION_INFO:
4867 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
4869 case SMB2_FILE_FULL_EA_INFO:
4870 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
4872 case SMB2_FILE_MODE_INFO:
4873 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
4875 case SMB2_FILE_ALIGNMENT_INFO:
4876 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
4878 case SMB2_FILE_ALL_INFO:
4879 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
4881 case SMB2_FILE_ALLOCATION_INFO:
4882 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
4884 case SMB2_FILE_ENDOFFILE_INFO:
/* NOTE(review): return value dropped here, so offset is not advanced by this case */
4885 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
4887 case SMB2_FILE_ALTERNATE_NAME_INFO:
4888 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
4890 case SMB2_FILE_STREAM_INFO:
4891 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
4893 case SMB2_FILE_PIPE_INFO:
4894 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
4896 case SMB2_FILE_COMPRESSION_INFO:
4897 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
4899 case SMB2_FILE_NETWORK_OPEN_INFO:
4900 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
4902 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
4903 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
4906 /* we don't handle this infolevel yet */
4907 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4908 offset += tvb_captured_length_remaining(tvb, offset);
4911 case SMB2_CLASS_FS_INFO:
4912 switch (infolevel) {
4913 case SMB2_FS_INFO_01:
4914 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
4916 case SMB2_FS_INFO_03:
4917 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
4919 case SMB2_FS_INFO_04:
4920 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
4922 case SMB2_FS_INFO_05:
4923 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
4925 case SMB2_FS_INFO_06:
4926 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
4928 case SMB2_FS_INFO_07:
4929 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
4931 case SMB2_FS_OBJECTID_INFO:
4932 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
4935 /* we don't handle this infolevel yet */
4936 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4937 offset += tvb_captured_length_remaining(tvb, offset);
4940 case SMB2_CLASS_SEC_INFO:
4941 switch (infolevel) {
4942 case SMB2_SEC_INFO_00:
4943 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
4946 /* we don't handle this infolevel yet */
4947 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4948 offset += tvb_captured_length_remaining(tvb, offset);
4951 case SMB2_CLASS_QUOTA_INFO:
4952 offset = dissect_smb2_quota_info(tvb, pinfo, tree, offset, si);
4955 /* we don't handle this class yet */
4956 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4957 offset += tvb_captured_length_remaining(tvb, offset);
4960 /* if we get BUFFER_OVERFLOW there will be truncated data */
4961 if (si->status == 0x80000005) {
4963 item = proto_tree_add_item(tree, hf_smb2_truncated, tvb, old_offset, 0, ENC_NA);
4964 PROTO_ITEM_SET_GENERATED(item);
/*
 * Buffer callback for GETINFO responses: dissects the response buffer from
 * offset 0 with the class and level saved from the request. The
 * hf_smb2_unknown item covering the whole captured buffer is presumably the
 * fallback when no request state exists - confirm.
 *
 * NOTE(review): si->saved is dereferenced in the call below; confirm the
 * guard that selects between the two statements tests si->saved.
 */
4970 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4974 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
4976 /* some unknown bytes */
4977 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissect an SMB2 GETINFO (QUERY_INFO) response.
 *
 * Class and level are shown from saved request state, then si->status
 * selects how the body is read: per the existing comments a
 * BUFFER_OVERFLOW status still carries (truncated) data and a
 * BUFFER_TOO_SMALL status carries only the required buffer size; any other
 * non-success status goes to dissect_smb2_error_response(). The response
 * buffer located by olb is dissected by
 * dissect_smb2_getinfo_response_data().
 */
4984 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4986 offset_length_buffer_t olb;
4987 gboolean continue_dissection;
4989 /* class/infolevel */
/* the helper's return value is not used here */
4990 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
4992 switch (si->status) {
4994 /* if we get BUFFER_OVERFLOW there will be truncated data */
4996 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
4997 * a guin32 specifying how big the buffer needs to be
5000 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5003 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5004 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
5005 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5009 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5010 if (!continue_dissection) return offset;
5013 /* response buffer offset and size */
5014 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
5017 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
/*
 * Dissect an SMB2 CLOSE request: buffer code, the 2-byte close flags (with
 * the hf_smb2_close_pq_attrib bit broken out in a subtree) and the file id.
 * The file id is dissected in FID_MODE_CLOSE.
 */
5023 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5025 proto_tree *flags_tree = NULL;
5026 proto_item *flags_item = NULL;
5029 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* close flags and their subtree */
5033 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5034 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
5036 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* file id of the handle being closed */
5043 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
/*
 * Dissect an SMB2 CLOSE response: close flags, reserved bytes, the four
 * timestamps, allocation size, end of file and file attributes.
 *
 * A non-zero status goes to dissect_smb2_error_response(), which decides
 * via continue_dissection whether the rest is dissected.
 *
 * NOTE(review): pinfo and si are tagged _U_ yet both are used.
 */
5049 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5051 proto_tree *flags_tree = NULL;
5052 proto_item *flags_item = NULL;
5053 gboolean continue_dissection;
5055 switch (si->status) {
5057 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5058 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5059 if (!continue_dissection) return offset;
/* close flags and their subtree */
5064 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5065 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
5067 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5071 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* create, last access, last write and last change times */
5075 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
5078 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
5081 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
5084 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
5086 /* allocation size */
5087 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5091 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5094 /* File Attributes */
5095 offset = dissect_file_ext_attr(tvb, tree, offset);
/*
 * Dissect an SMB2 FLUSH request: buffer code, 6 bytes shown as unknown and
 * the file id (FID_MODE_USE).
 */
5101 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5104 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5106 /* some unknown bytes */
5107 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
/* file id of the handle being flushed */
5111 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dissect an SMB2 FLUSH response: buffer code plus 2 bytes shown as
 * unknown. A non-zero status goes to dissect_smb2_error_response(), which
 * decides via continue_dissection whether the rest is dissected.
 *
 * NOTE(review): pinfo and si are tagged _U_ yet both are used.
 */
5117 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5119 gboolean continue_dissection;
5121 switch (si->status) {
5123 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5124 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5125 if (!continue_dissection) return offset;
5128 /* some unknown bytes */
5129 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 LOCK request: lock count, reserved bytes, file id and
 * then one lock element per count, each shown as a 24-byte
 * hf_smb2_lock_info item with offset, length, flags and reserved fields.
 *
 * lock_count is read as a 16-bit wire value, so the loop runs at most
 * 65535 times; running past the end of the data is left to the tvb bounds
 * checks in the proto_tree calls.
 *
 * NOTE(review): hf_smb2_file_offset is added to tree while the other
 * per-lock fields are added to lock_tree - confirm this is intended.
 */
5137 dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5142 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* number of lock elements that follow the file id */
5145 lock_count = tvb_get_letohs(tvb, offset);
5146 proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5150 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5154 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5156 while (lock_count--) {
5157 proto_item *lock_item = NULL;
5158 proto_tree *lock_tree = NULL;
/* bit fields shown under the lock flags bitmask */
5159 static const int *lf_fields[] = {
5160 &hf_smb2_lock_flags_shared,
5161 &hf_smb2_lock_flags_exclusive,
5162 &hf_smb2_lock_flags_unlock,
5163 &hf_smb2_lock_flags_fail_immediately,
/* one fixed-size (24-byte) element per lock */
5168 lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
5169 lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
/* NOTE(review): added to tree, not lock_tree */
5173 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5177 proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5181 proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
5185 proto_tree_add_item(lock_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect an SMB2 LOCK response: buffer code plus 2 bytes shown as
 * unknown. A non-zero status goes to dissect_smb2_error_response(), which
 * decides via continue_dissection whether the rest is dissected.
 *
 * NOTE(review): pinfo and si are tagged _U_ yet both are used.
 */
5193 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5195 gboolean continue_dissection;
5197 switch (si->status) {
5199 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5200 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5201 if (!continue_dissection) return offset;
5204 /* some unknown bytes */
5205 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 CANCEL request: buffer code plus 2 bytes shown as
 * unknown. Neither pinfo nor si is used in the lines shown.
 */
5211 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5214 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5216 /* some unknown bytes */
5217 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Return the file-id info to use for named-pipe handling of this packet:
 * si->file when set, otherwise the file remembered in si->saved. file
 * starts out NULL, which is presumably what is returned when neither is
 * available - confirm.
 *
 * NOTE(review): callers can pass a NULL si (see the note in
 * dissect_file_data_smb2_pipe); confirm si is tested before si->file is
 * read.
 */
5223 static const smb2_fid_info_t *
5224 smb2_pipe_get_fid_info(const smb2_info_t *si)
5226 smb2_fid_info_t *file = NULL;
/* the packet's own file takes precedence over the one saved with the request */
5231 if (si->file != NULL) {
5233 } else if (si->saved != NULL) {
5234 file = si->saved->file;
/*
 * Give the DCERPC layer a per-pipe transport salt derived from the file-id
 * info of this packet.
 *
 * The salt is the numeric value of the fid-info pointer, not a value from
 * the wire. NOTE(review): this is only a stable identifier while the
 * pointed-to object stays allocated and is never reused for another file -
 * confirm its lifetime.
 */
5244 smb2_pipe_set_file_id(packet_info *pinfo, smb2_info_t *si)
5247 const smb2_fid_info_t *file = NULL;
5249 file = smb2_pipe_get_fid_info(si);
/* pointer value used as the identifier */
5254 persistent = GPOINTER_TO_UINT(file);
5256 dcerpc_set_transport_salt(persistent, pinfo);
/*
 * smb2_pipe_reassembly: when TRUE (the initial value), named-pipe payloads
 * may be offered for desegmentation in dissect_file_data_smb2_pipe().
 * smb2_pipe_reassembly_table: holds the in-progress and completed pipe
 * reassemblies used by that function.
 */
5259 static gboolean smb2_pipe_reassembly = TRUE;
5260 static reassembly_table smb2_pipe_reassembly_table;
/*
 * Hand named-pipe payload carried in SMB2 to the heuristic pipe
 * subdissectors (smb2_pipe_subdissector_list), reassembling across packets
 * when a subdissector asks for more data through pinfo->desegment_len.
 *
 * - data is the smb2_info_t of the packet; the existing note below says it
 *   is NULL for some callers in packet-smb.c.
 * - The payload is a subset of raw_tvb starting at offset, limited to the
 *   smaller of datalen and the captured bytes remaining.
 * - Desegmentation is offered (can_desegment = 2) only when
 *   smb2_pipe_reassembly is set and the whole payload was captured;
 *   otherwise the heuristics are tried once on the bytes at hand.
 * - Reassembly state is keyed by id, the low 32 bits of the fid-info
 *   pointer. On the first pass new fragments are appended after the last
 *   fragment already recorded; on later passes the table is only
 *   consulted.
 * - pinfo->fragmented is saved on entry and restored at the end, and the
 *   desegmentation fields of pinfo are cleared on the way out.
 *
 * NOTE(review): datalen is cast to int before MIN(); a wire value above
 * INT_MAX becomes negative and wins the MIN - confirm the subset call
 * rejects such a length.
 * NOTE(review): distinct fid-info pointers that share their low 32 bits
 * would share a reassembly id on 64-bit builds - confirm this cannot mix
 * fragments from different pipes.
 * NOTE(review): pinfo->desegment_len is set by the subdissector from packet
 * data; confirm pinfo->desegment_len + reported_len cannot wrap before it
 * is passed to fragment_set_tot_len().
 * NOTE(review): the existing XXX comment notes that fragments are assumed
 * to arrive in order; out-of-order or replayed pipe data is therefore
 * appended as it comes.
 * NOTE(review): tree is tagged _U_ yet is passed to show_fragment_tree().
 */
5263 dissect_file_data_smb2_pipe(tvbuff_t *raw_tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree, void *data)
5266 * Note: si is NULL for some callers from packet-smb.c
5268 const smb2_info_t *si = (const smb2_info_t *)data;
5270 gboolean save_fragmented;
5273 const smb2_fid_info_t *file = NULL;
5275 fragment_head *fd_head;
5278 proto_item *frag_tree_item;
5279 heur_dtbl_entry_t *hdtbl_entry;
5281 file = smb2_pipe_get_fid_info(si);
/* reassembly key: the pointer value masked to 32 bits */
5282 id = (guint32)(GPOINTER_TO_UINT(file) & G_MAXUINT32);
5284 remaining = tvb_captured_length_remaining(raw_tvb, offset);
/* clamp the payload to what was actually captured */
5286 tvb = tvb_new_subset_length_caplen(raw_tvb, offset,
5287 MIN((int)datalen, remaining),
5291 * Offer desegmentation service to Named Pipe subdissectors (e.g. DCERPC)
5292 * if we have all the data. Otherwise, reassembly is (probably) impossible.
5294 pinfo->can_desegment = 0;
5295 pinfo->desegment_offset = 0;
5296 pinfo->desegment_len = 0;
5297 reported_len = tvb_reported_length(tvb);
5298 if (smb2_pipe_reassembly && tvb_captured_length(tvb) >= reported_len) {
5299 pinfo->can_desegment = 2;
5302 save_fragmented = pinfo->fragmented;
5305 * if we are not offering desegmentation, just try the heuristics
5308 if (!pinfo->can_desegment) {
5309 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5310 tvb, pinfo, top_tree,
5311 &hdtbl_entry, data);
5312 goto clean_up_and_exit;
5315 /* below this line, we know we are doing reassembly */
5318 * this is a new packet, see if we are already reassembling this
5319 * pdu and if not, check if the dissector wants us
5322 if (!pinfo->fd->flags.visited) {
5324 * This is the first pass.
5326 * Check if we are already reassembling this PDU or not;
5327 * we check for an in-progress reassembly for this FID
5328 * in this direction, by searching for its reassembly
5331 fd_head = fragment_get(&smb2_pipe_reassembly_table,
5335 * No reassembly, so this is a new pdu. check if the
5336 * dissector wants us to reassemble it or if we
5337 * already got the full pdu in this tvb.
5341 * Try the heuristic dissectors and see if we
5342 * find someone that recognizes this payload.
5344 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5345 tvb, pinfo, top_tree,
5346 &hdtbl_entry, data);
5348 /* no this didn't look like something we know */
5350 goto clean_up_and_exit;
5353 /* did the subdissector want us to reassemble any
5356 if (pinfo->desegment_len) {
5357 fragment_add_check(&smb2_pipe_reassembly_table,
5358 tvb, 0, pinfo, id, NULL,
5359 0, reported_len, TRUE);
5360 fragment_set_tot_len(&smb2_pipe_reassembly_table,
5362 pinfo->desegment_len+reported_len);
5364 goto clean_up_and_exit;
5367 /* OK, we're already doing a reassembly for this FID.
5368 skip to last segment in the existing reassembly structure
5369 and add this fragment there
5371 XXX we might add code here to use any offset values
5372 we might pick up from the Read/Write calls instead of
5373 assuming we always get them in the correct order
5375 while (fd_head->next) {
5376 fd_head = fd_head->next;
5378 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
5379 tvb, 0, pinfo, id, NULL,
5380 fd_head->offset+fd_head->len,
5381 reported_len, TRUE);
5383 /* if we completed reassembly */
5385 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
5386 add_new_data_source(pinfo, new_tvb,
5387 "Named Pipe over SMB2");
5388 pinfo->fragmented=FALSE;
5392 /* list what segments we have */
5393 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
5394 tree, pinfo, tvb, &frag_tree_item);
5396 /* dissect the full PDU */
5397 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5398 tvb, pinfo, top_tree,
5399 &hdtbl_entry, data);
5401 goto clean_up_and_exit;
5405 * This is not the first pass; see if it's in the table of
5406 * reassembled packets.
5408 * XXX - we know that several of the arguments aren't going to
5409 * be used, so we pass bogus variables. Can we clean this
5410 * up so that we don't have to distinguish between the first
5411 * pass and subsequent passes?
5413 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
5414 tvb, 0, pinfo, id, NULL, 0, 0, TRUE);
5416 /* we didn't find it, try any of the heuristic dissectors
5419 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5420 tvb, pinfo, top_tree,
5421 &hdtbl_entry, data);
5422 goto clean_up_and_exit;
5424 if (!(fd_head->flags&FD_DEFRAGMENTED)) {
5425 /* we don't have a fully reassembled frame */
5426 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5427 tvb, pinfo, top_tree,
5428 &hdtbl_entry, data);
5429 goto clean_up_and_exit;
5432 /* it is reassembled but it was reassembled in a different frame */
5433 if (pinfo->num != fd_head->reassembled_in) {
5435 item = proto_tree_add_uint(top_tree, hf_smb2_pipe_reassembled_in,
5436 tvb, 0, 0, fd_head->reassembled_in);
5437 PROTO_ITEM_SET_GENERATED(item);
5438 goto clean_up_and_exit;
5441 /* display the reassembled pdu */
5442 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
5443 add_new_data_source(pinfo, new_tvb,
5444 "Named Pipe over SMB2");
5445 pinfo->fragmented = FALSE;
5449 /* list what segments we have */
5450 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
5451 top_tree, pinfo, tvb, &frag_tree_item);
5453 /* dissect the full PDU */
5454 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5455 tvb, pinfo, top_tree,
5456 &hdtbl_entry, data);
5459 /* clear out the variables */
5460 pinfo->can_desegment=0;
5461 pinfo->desegment_offset = 0;
5462 pinfo->desegment_len = 0;
5465 call_data_dissector(tvb, pinfo, top_tree);
5468 pinfo->fragmented = save_fragmented;
/* Values of the 32-bit Channel field. dissect_smb2_write_request reads the
 * field and switches on these constants to decide how the channel info blob
 * is decoded. */
5474 #define SMB2_CHANNEL_NONE 0x00000000
5475 #define SMB2_CHANNEL_RDMA_V1 0x00000001
5476 #define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002
/* Display names for the Channel values above. */
5478 static const value_string smb2_channel_vals[] = {
5479 { SMB2_CHANNEL_NONE, "None" },
5480 { SMB2_CHANNEL_RDMA_V1, "RDMA V1" },
5481 { SMB2_CHANNEL_RDMA_V1_INVALIDATE, "RDMA V1_INVALIDATE" },
/*
 * Dissect an RDMA V1 channel info blob as a list of "SMBDirect Buffer
 * Descriptor V1" elements. Each element is shown as an 8-byte offset, a
 * 4-byte token and a 4-byte length, all little-endian.
 *
 * tvb is expected to hold only the blob; its reported length is read into
 * len. pinfo and si are unused.
 */
5486 dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
5487 proto_tree *parent_tree, smb2_info_t *si _U_)
5493 proto_tree *sub_tree;
5494 proto_item *parent_item;
5496 parent_item = proto_tree_get_parent(parent_tree);
5498 len = tvb_reported_length(tvb);
/* NOTE(review): how num is derived from len is not visible in this listing;
 * presumably len divided by the 16-byte element size - confirm. */
5503 proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
/* One subtree per descriptor element. */
5506 for (i = 0; i < num; i++) {
/* NOTE(review): the subtree is created with length 8 although the three
 * fields below add up to 16 bytes; presumably this should be 16 so the whole
 * element is highlighted - confirm. */
5507 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 8, ett_smb2_rdma_v1, NULL, "RDMA V1");
5509 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5512 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5515 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5520 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
/*
 * Dissect an SMB2 WRITE request: buffer code, data offset, write length,
 * file offset, file id, channel, remaining bytes, channel info blob
 * offset/length, write flags, the channel info blob and finally the payload
 * (named-pipe data or plain file data).
 *
 * Every length and offset used below is read from the packet, so it reflects
 * what the sender declared and not necessarily what was captured.
 */
5523 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5525 guint16 dataoffset = 0;
5526 guint32 data_tvb_len;
5527 offset_length_buffer_t c_olb;
/* Bit fields shown under the write flags bitmask. */
5531 static const int *f_fields[] = {
5532 &hf_smb2_write_flags_write_through,
5537 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* 16-bit data offset; kept because it is later handed to feed_eo_smb2(). */
5540 dataoffset=tvb_get_letohs(tvb,offset);
5541 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* 32-bit sender-declared write length. */
5545 length = tvb_get_letohl(tvb, offset);
5546 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* 64-bit file offset; stored in the saved request state when there is one. */
5550 off = tvb_get_letoh64(tvb, offset);
5551 if (si->saved) si->saved->file_offset=off;
5552 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5555 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", length, off);
5558 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* Channel decides below how the channel info blob is decoded. */
5561 channel = tvb_get_letohl(tvb, offset);
5562 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5565 /* remaining bytes */
5566 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5569 /* write channel info blob offset/length */
5570 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
5573 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
5576 /* the write channel info blob itself */
/* Both RDMA V1 channel values decode the blob as buffer descriptors; the
 * other visible case passes no blob dissector. */
5578 case SMB2_CHANNEL_RDMA_V1:
5579 case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
5580 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
5582 case SMB2_CHANNEL_NONE:
5584 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
/* Bytes actually captured after the fixed header; compared with the declared
 * length before the tap is fed further down. */
5588 data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);
5590 /* data or namedpipe ?*/
5592 int oldoffset = offset;
5593 smb2_pipe_set_file_id(pinfo, si);
5594 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
5595 if (offset != oldoffset) {
5596 /* managed to dissect pipe data */
5601 /* just ordinary data */
/* The item uses the declared length, not the captured one.
 * NOTE(review): presumably the tvb bounds check reports a short capture here;
 * confirm that this is the intended behaviour for truncated packets. */
5602 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
/* Advance by whichever is smaller, declared or captured, so offset never
 * moves past the captured data. */
5604 offset += MIN(length,(guint32)tvb_captured_length_remaining(tvb, offset));
5606 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
/* Feed the tap only when the captured payload is exactly as long as the
 * declared write length, so partial payloads are not handed on. */
5609 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
5610 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
5611 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
/*
 * Dissect an SMB2 WRITE response. A status of 0 is followed by the buffer
 * code; any other status is handed to dissect_smb2_error_response(), which
 * decides through continue_dissection whether the remaining fields are
 * decoded. The remaining fields are reserved (2 bytes), write count (4),
 * write remaining (4), channel info offset (2) and channel info length (2).
 *
 * NOTE(review): pinfo and si carry _U_ (unused) although both are used below;
 * the markers are misleading and could be dropped.
 */
5620 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5622 gboolean continue_dissection;
5624 switch (si->status) {
5626 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5627 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5628 if (!continue_dissection) return offset;
5632 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5636 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5639 /* remaining, must be set to 0 */
5640 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5643 /* write channel info offset */
5644 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5647 /* write channel info length */
5648 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5654 /* The STORAGE_OFFLOAD_TOKEN is used for "Offload Data Transfer" (ODX) operations,
5655 including FSCTL_OFFLOAD_READ, FSCTL_OFFLOAD_WRITE. Ref: MS-FSCC 2.3.79
5656 Note: Unlike most of SMB2, the token fields are BIG-endian! */
/*
 * Dissect one STORAGE_OFFLOAD_TOKEN into a 512-byte "Token" subtree: token
 * type (4 bytes, big-endian), reserved (2), token id length (2, big-endian)
 * and the opaque token id bytes.
 */
5658 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
5660 proto_tree *sub_tree;
5661 proto_item *sub_item;
5665 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 512, ett_smb2_fsctl_odx_token, &sub_item, "Token");
5667 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_type, tvb, offset, 4, ENC_BIG_ENDIAN, &idtype);
5670 proto_item_append_text(sub_item, " (IdType 0x%x)", idtype);
5673 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5677 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_idlen, tvb, offset, 2, ENC_BIG_ENDIAN, &idlen);
5680 /* idlen is what the server says is the "meaningful" part of the token.
5681 However, token ID is always 504 bytes */
/* NOTE(review): idlen is a 16-bit value from the packet and is used as the
 * item length without being limited to the 504-byte id area. A larger value
 * makes this item reach past the token, or fails the tvb bounds check when
 * the data ends first. Consider clamping it to 504 for display and flagging
 * the mismatch with an expert item. */
5682 proto_tree_add_bytes_format_value(sub_tree, hf_smb2_fsctl_odx_token_idraw, tvb,
5683 offset, idlen, NULL, "Opaque Data");
5689 /* MS-FSCC 2.3.77, 2.3.78 */
/*
 * Dissect the FSCTL_OFFLOAD_READ buffers. The visible fields are size, flags,
 * token TTL, reserved, file offset and copy length, followed by transfer
 * length and the STORAGE_OFFLOAD_TOKEN itself.
 *
 * NOTE(review): the rest of the parameter list and the branch that separates
 * input from output data are not visible in this listing.
 */
5691 dissect_smb2_FSCTL_OFFLOAD_READ(tvbuff_t *tvb,
5692 packet_info *pinfo _U_,
5697 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5700 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5704 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5707 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5710 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5713 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5716 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The token is the last element, so the offset it returns is discarded. */
5719 (void) dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
5723 /* MS-FSCC 2.3.80, 2.3.81 */
/*
 * Dissect the FSCTL_OFFLOAD_WRITE buffers. The visible fields are size,
 * flags, file offset, copy length, token offset and the
 * STORAGE_OFFLOAD_TOKEN, plus a transfer length.
 *
 * NOTE(review): the rest of the parameter list and the branch that separates
 * input from output data are not visible in this listing.
 */
5725 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvbuff_t *tvb,
5726 packet_info *pinfo _U_,
5731 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5734 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5738 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5741 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5744 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5747 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
5750 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_PIPE_TRANSCEIVE: hand everything captured from offset onwards to the
 * named-pipe payload dissector. The data length passed on is the captured
 * remainder of the tvb; data_in is unused.
 */
5756 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, gboolean data_in _U_, void *data)
5758 dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, tvb_captured_length_remaining(tvb, offset), top_tree, data);
/*
 * Dissect FSCTL_PIPE_WAIT: reads the name length (at offset+8), the
 * "timeout specified" flag (at offset+12) and the pipe name (from offset+14),
 * appends the name to the Info column and adds the name, plus the timeout
 * when flagged, to top_tree. tree and data_in are unused.
 */
5762 dissect_smb2_FSCTL_PIPE_WAIT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, proto_tree *top_tree, gboolean data_in _U_)
5764 guint8 timeout_specified = tvb_get_guint8(tvb, offset + 12);
/* NOTE(review): only 16 bits are read into the 32-bit name_len, while the
 * flag sits 4 bytes further on; presumably the field is 32 bits wide -
 * confirm. */
5765 guint32 name_len = tvb_get_letohs(tvb, offset + 8);
5767 int off = offset + 14;
/* NOTE(review): the remaining captured length is stored in a guint16, so a
 * remainder above 65535 is truncated - confirm this cannot matter here. */
5768 guint16 bc = tvb_captured_length_remaining(tvb, off);
/* Check that the declared name bytes are present before the name is read. */
5772 tvb_ensure_bytes_exist(tvb, off, name_len);
5774 name = get_unicode_or_ascii_string(tvb, &off, TRUE, &len, TRUE, TRUE, &bc);
/* The name comes from the packet and is passed as a %s argument, never as
 * the format string. */
5779 col_append_fstr(pinfo->cinfo, COL_INFO, " Pipe: %s", name);
5782 proto_tree_add_string(top_tree, hf_smb2_fsctl_pipe_wait_name, tvb, offset + 14, name_len, name);
5783 if (timeout_specified) {
/* NOTE(review): the timeout item is added at absolute offset 0, not relative
 * to the offset parameter like the other reads. That is only right if every
 * caller passes offset 0; presumably this should be offset - confirm. */
5784 proto_tree_add_item(top_tree, hf_smb2_fsctl_pipe_wait_timeout, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SET_SPARSE input. The one-byte sparse flag is optional and is
 * only added when at least one byte remains in the tvb.
 */
5790 dissect_smb2_FSCTL_SET_SPARSE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5793 /* There is no out data */
5798 /* sparse flag (optional) */
5799 if (tvb_reported_length_remaining(tvb, offset) >= 1) {
5800 proto_tree_add_item(tree, hf_smb2_fsctl_sparse_flag, tvb, offset, 1, ENC_NA);
/*
 * Dissect FSCTL_SET_ZERO_DATA input: one 16-byte "Range" subtree holding two
 * 8-byte little-endian fields, range offset and range length.
 */
5808 dissect_smb2_FSCTL_SET_ZERO_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5810 proto_tree *sub_tree;
5811 proto_item *sub_item;
5813 /* There is no out data */
5818 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5820 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5823 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_ALLOCATED_RANGES. One path shows a single 16-byte
 * "Range" (offset and length); the other shows as many 16-byte ranges as fit
 * in the remaining data.
 *
 * NOTE(review): tvb, tree and offset carry _U_ (unused) although all three
 * are used below; the markers are misleading and could be dropped.
 */
5830 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
5832 proto_tree *sub_tree;
5833 proto_item *sub_item;
5836 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5838 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5841 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5844 /* Zero or more allocated ranges may be reported. */
/* The loop runs only while a whole 16-byte range remains, so trailing bytes
 * are never read as a partial entry. */
5845 while (tvb_reported_length_remaining(tvb, offset) >= 16) {
5847 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5849 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5852 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_FILE_REGIONS. One path shows file offset, length,
 * desired usage and a reserved field; the other shows flags, total and
 * returned entry counts, a reserved field and then one 24-byte "Entry"
 * subtree per region (file offset, length, usage, reserved).
 *
 * NOTE(review): tvb, tree and offset carry _U_ (unused) although all three
 * are used below.
 */
5860 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
5864 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5867 proto_tree_add_item(tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5870 proto_tree_add_item(tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5873 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5876 guint32 entry_count = 0;
5878 proto_tree_add_item(tree, hf_smb2_qfr_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5881 proto_tree_add_item(tree, hf_smb2_qfr_total_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* entry_count is a 32-bit value taken from the packet; it bounds the loop. */
5884 proto_tree_add_item_ret_uint(tree, hf_smb2_qfr_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &entry_count);
5887 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* NOTE(review): the guard only tests that some data remains, not that a
 * whole 24-byte entry does, so a short tail is handled by the tvb bounds
 * check instead of ending the loop. Testing for >= 24, as the copychunk loop
 * in this file does, would be more explicit. The entry_count decrement is
 * not visible in this listing - confirm that every iteration makes
 * progress. */
5890 while (entry_count && tvb_reported_length_remaining(tvb, offset)) {
5891 proto_tree *sub_tree;
5892 proto_item *sub_item;
5894 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_qfr_entry, &sub_item, "Entry");
5896 proto_tree_add_item(sub_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5899 proto_tree_add_item(sub_tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5902 proto_tree_add_item(sub_tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5905 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect FSCTL_LMR_REQUEST_RESILIENCY input: a 4-byte timeout followed by a
 * 4-byte reserved field, both little-endian.
 */
5914 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5916 /* There is no out data */
5922 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5926 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT output: two 4-byte
 * little-endian fields, the shared virtual disk support value and the handle
 * state.
 */
5930 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5932 /* There is no in data */
5937 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_support, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5940 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_handle_state, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Bit values of the Storage QoS control options field. */
5943 #define STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID 0x00000001
5944 #define STORAGE_QOS_CONTROL_FLAG_SET_POLICY 0x00000002
5945 #define STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY 0x00000004
5946 #define STORAGE_QOS_CONTROL_FLAG_GET_STATUS 0x00000008
5947 #define STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS 0x00000010
/* Display names for the 16-bit Storage QoS protocol version. */
5949 static const value_string smb2_ioctl_sqos_protocol_version_vals[] = {
5950 { 0x0100, "Storage QoS Protocol Version 1.0" },
5951 { 0x0101, "Storage QoS Protocol Version 1.1" },
/* Display names for the Storage QoS status value; no entry for 0x03 is
 * listed here. */
5955 static const value_string smb2_ioctl_sqos_status_vals[] = {
5956 { 0x00, "StorageQoSStatusOk" },
5957 { 0x01, "StorageQoSStatusInsufficientThroughput" },
5958 { 0x02, "StorageQoSUnknownPolicyId" },
5959 { 0x04, "StorageQoSStatusConfigurationMismatch" },
5960 { 0x05, "StorageQoSStatusNotAvailable" },
/*
 * Dissect FSCTL_STORAGE_QOS_CONTROL. Request and reply share a header:
 * protocol version, reserved, options bitmask, then three 16-byte ids
 * (logical flow, policy, initiator). After the header come either the
 * request fields (limit, reservation, initiator name and node name
 * offset/length pairs, the counter increments, then the two names) or the
 * reply fields (time to live, status, maximum and minimum IO rate, base IO
 * size, reserved). Protocol versions above 0x0100 carry extra bandwidth
 * fields in both directions.
 *
 * NOTE(review): the branch on data_in that separates the two layouts is not
 * visible in this listing.
 */
5965 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, gboolean data_in)
/* Bit fields shown under the options bitmask. */
5967 static const int * operations[] = {
5968 &hf_smb2_ioctl_sqos_op_set_logical_flow_id,
5969 &hf_smb2_ioctl_sqos_op_set_policy,
5970 &hf_smb2_ioctl_sqos_op_probe_policy,
5971 &hf_smb2_ioctl_sqos_op_get_status,
5972 &hf_smb2_ioctl_sqos_op_update_counters,
5978 /* Both request and reply have the same common header */
/* The version is kept because it gates the version-dependent fields below. */
5980 proto_ver = tvb_get_letohs(tvb, offset);
5981 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_protocol_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5984 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5987 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_ioctl_sqos_options,
5988 ett_smb2_ioctl_sqos_opeations, operations, ENC_LITTLE_ENDIAN);
5991 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_logical_flow_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5994 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_policy_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5997 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_initiator_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* Offset/length pairs of the two names; the strings are resolved further
 * down, after the fixed-size fields. */
6001 offset_length_buffer_t host_olb, node_olb;
6003 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6006 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reservation, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6009 offset = dissect_smb2_olb_length_offset(tvb, offset, &host_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_name);
6011 offset = dissect_smb2_olb_length_offset(tvb, offset, &node_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_node_name);
6013 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_io_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6016 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_normalized_io_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6019 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_latency_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6022 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_lower_latency_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Fields that exist only in protocol versions above 0x0100. */
6025 if (proto_ver > 0x0100) {
6026 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_bandwidth_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6029 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_kilobyte_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The name offsets and lengths come from the packet.
 * NOTE(review): how dissect_smb2_olb_string bounds them is not visible
 * here. */
6033 dissect_smb2_olb_string(pinfo, tree, tvb, &host_olb, OLB_TYPE_UNICODE_STRING);
6035 dissect_smb2_olb_string(pinfo, tree, tvb, &node_olb, OLB_TYPE_UNICODE_STRING);
6037 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_time_to_live, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6040 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6043 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_io_rate, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6046 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_minimum_io_rate, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6049 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_base_io_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6052 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6054 if (proto_ver > 0x0100) {
6056 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_bandwidth, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect a Windows IPv4 socket address into a "Socket Address" subtree of
 * len bytes: family (2 bytes), port (2) and IPv4 address (4). The address
 * text is appended to both the subtree item and the parent item.
 */
6062 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
6064 proto_item *sub_item;
6065 proto_tree *sub_tree;
6066 proto_item *parent_item;
6072 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
6073 parent_item = proto_tree_get_parent(parent_tree);
6076 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): a sockaddr port is normally in network byte order; confirm
 * that ENC_LITTLE_ENDIAN displays the right port number. */
6080 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): the address item is added as ENC_LITTLE_ENDIAN, while the
 * text appended below formats the same bytes with tvb_ip_to_str(). If the
 * field type honours the encoding, the two may show different byte orders -
 * confirm, since an analyst reads this address as an indicator. */
6084 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6086 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
6087 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
/*
 * Dissect a Windows IPv6 socket address into a "Socket Address" subtree of
 * len bytes: family, port, flow info, the 16-byte address and the scope id.
 * The address text is appended to both the subtree item and the parent item.
 */
6091 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
6093 proto_item *sub_item;
6094 proto_tree *sub_tree;
6095 proto_item *parent_item;
6101 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
6102 parent_item = proto_tree_get_parent(parent_tree);
6105 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6109 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): flow info, and scope id below, are added with length 2.
 * Both are 32-bit members of a Windows SOCKADDR_IN6, so presumably these
 * should be 4 bytes - confirm against the offset advances, which are not
 * visible in this listing. */
6113 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6117 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, ENC_NA);
6118 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
6119 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
6123 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect a Windows SOCKADDR_STORAGE. The 16-bit little-endian family picks
 * the IPv4 or IPv6 dissector; any other family gets a generic
 * "Socket Address" subtree that shows only the family value.
 */
6127 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6130 proto_item *sub_item;
6131 proto_tree *sub_tree;
6132 proto_item *parent_item;
/* The family comes from the packet; values other than the two handled below
 * take the generic path. */
6135 family = tvb_get_letohs(tvb, offset);
6137 case WINSOCK_AF_INET:
6138 dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
6140 case WINSOCK_AF_INET6:
6141 dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
6145 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
6146 parent_item = proto_tree_get_parent(parent_tree);
6149 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6150 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
6151 proto_item_append_text(parent_item, ", Family: %d (0x%04x)", family, family);
/* Capability bits tested by dissect_smb2_NETWORK_INTERFACE_INFO when it
 * builds the ", RDMA" / ", RSS" summary text. */
6158 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
6159 #define NETWORK_INTERFACE_CAP_RDMA 0x00000002
/*
 * Dissect one NETWORK_INTERFACE_INFO entry and then the next one, if any.
 * An entry holds the next-entry offset, interface index, capability bitmask,
 * RSS queue count, link speed and a socket address. The following entry is
 * dissected by a recursive call on a sub-tvb that starts at next_offset.
 */
6162 dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
6164 guint32 next_offset;
6167 proto_item *sub_item;
6168 proto_tree *sub_tree;
6170 guint32 capabilities;
6173 const char *unit = NULL;
/* Bit fields shown under the capabilities bitmask. */
6174 static const int * capability_flags[] = {
6175 &hf_smb2_ioctl_network_interface_capability_rdma,
6176 &hf_smb2_ioctl_network_interface_capability_rss,
/* next_offset is taken from the packet; it positions the next entry. */
6180 next_offset = tvb_get_letohl(tvb, offset);
6185 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_ioctl_network_interface, &sub_item, "Network Interface");
6186 item = proto_tree_get_parent(parent_tree);
6189 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6192 /* interface index */
6193 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6197 capabilities = tvb_get_letohl(tvb, offset);
6198 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_ioctl_network_interface_capabilities, ett_smb2_ioctl_network_interface_capabilities, capability_flags, ENC_LITTLE_ENDIAN);
/* Summarise the set capability bits on both the parent item and this
 * entry's item. */
6200 if (capabilities != 0) {
6201 proto_item_append_text(item, "%s%s",
6202 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
6203 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
6204 proto_item_append_text(sub_item, "%s%s",
6205 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
6206 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
6210 /* rss queue count */
6211 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_rss_queue_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Scale the 64-bit link speed to a unit for display.
 * NOTE(review): each division is done on integers before the cast to gfloat,
 * so the fraction is lost and "%.1f" always prints ".0"; presumably the cast
 * should come before the division - confirm. */
6215 link_speed = tvb_get_letoh64(tvb, offset);
6216 item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6217 if (link_speed >= (1000*1000*1000)) {
6218 val = (gfloat)(link_speed / (1000*1000*1000));
6220 } else if (link_speed >= (1000*1000)) {
6221 val = (gfloat)(link_speed / (1000*1000));
6223 } else if (link_speed >= (1000)) {
6224 val = (gfloat)(link_speed / (1000));
6227 val = (gfloat)(link_speed);
/* unit starts as NULL and is passed to "%s" here; the assignments in the
 * branches above are not visible in this listing - confirm that every branch
 * sets it. */
6230 proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
6231 proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);
6235 /* socket address */
6236 dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset);
/* NOTE(review): the recursion depth is set by the chain of next_offset
 * values in the packet and is limited only by how much data remains (the
 * guard around this call is not visible here). Walking the entries in a
 * loop, or rejecting a next_offset smaller than one entry, would bound stack
 * use on malformed input. */
6240 next_tvb = tvb_new_subset_remaining(tvb, next_offset);
6242 /* next extra info */
6243 dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
/*
 * FSCTL_QUERY_NETWORK_INTERFACE_INFO: the response data is passed as a whole
 * to dissect_smb2_NETWORK_INTERFACE_INFO(), which walks the entry list. The
 * offset parameter is unused.
 */
6248 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
6250 /* There is no in data */
6255 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
/*
 * Dissect the older FSCTL_VALIDATE_NEGOTIATE_INFO layout. Two field groups
 * are visible: capabilities, client GUID, security mode and dialect, then
 * capabilities, server GUID, security mode and dialect.
 *
 * NOTE(review): offset carries _U_ (unused) although it is used below, and
 * the branch on data_in that separates the two groups is not visible in this
 * listing.
 */
6259 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
6262 * This is only used by Windows 8 beta
6266 offset = dissect_smb2_capabilities(tree, tvb, offset);
6269 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6272 /* security mode, skip second byte */
6273 offset = dissect_smb2_secmode(tree, tvb, offset);
6277 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6281 offset = dissect_smb2_capabilities(tree, tvb, offset);
6284 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6287 /* security mode, skip second byte */
6288 offset = dissect_smb2_secmode(tree, tvb, offset);
6292 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_VALIDATE_NEGOTIATE_INFO. Two field groups are visible:
 * capabilities, client GUID, security mode, dialect count and one dialect
 * per counted entry; then capabilities, server GUID, security mode and a
 * single dialect.
 *
 * This exchange lets a client re-check the negotiated parameters, so the
 * dialect and security mode values shown here matter when a capture is
 * reviewed for a negotiation downgrade.
 *
 * NOTE(review): offset carries _U_ (unused) although it is used below, and
 * the branch on data_in that separates the two groups is not visible in this
 * listing.
 */
6298 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
6304 offset = dissect_smb2_capabilities(tree, tvb, offset);
6307 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6310 /* security mode, skip second byte */
6311 offset = dissect_smb2_secmode(tree, tvb, offset);
/* dc is a 16-bit count taken from the packet; it bounds the dialect loop. */
6315 dc = tvb_get_letohs(tvb, offset);
6316 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* One 2-byte dialect per counted entry. */
6319 for ( ; dc>0; dc--) {
6320 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6325 offset = dissect_smb2_capabilities(tree, tvb, offset);
6328 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6331 /* security mode, skip second byte */
6332 offset = dissect_smb2_secmode(tree, tvb, offset);
6336 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SRV_ENUMERATE_SNAPSHOTS output: number of volumes, number of
 * labels, a count field, then one shadow copy label string per volume.
 */
6342 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6344 guint32 num_volumes;
6346 /* There is no in data */
/* num_volumes is a 32-bit count taken from the packet; it bounds the label
 * loop. */
6352 num_volumes = tvb_get_letohl(tvb, offset);
6353 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_volumes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6357 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_labels, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6361 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* NOTE(review): the loop bound comes straight from the packet. Any exit for
 * a zero-length label is not visible in this listing - confirm that an
 * iteration which consumes no bytes cannot repeat up to num_volumes
 * times. */
6364 while (num_volumes--) {
6368 int old_offset = offset;
6370 bc = tvb_captured_length_remaining(tvb, offset);
6371 name = get_unicode_or_ascii_string(tvb, &offset,
6372 TRUE, &len, TRUE, FALSE, &bc);
6373 proto_tree_add_string(tree, hf_smb2_ioctl_shadow_copy_label, tvb, old_offset, len, name);
/* Advance by the length the string helper reported, replacing whatever
 * offset the helper left behind. */
6375 offset = old_offset+len;
/*
 * Dissect a 64-byte FILE_OBJECTID_BUFFER into its own subtree: object id,
 * birth volume id, birth object id and domain id, 16 bytes each.
 */
6384 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
6386 proto_item *item = NULL;
6387 proto_tree *tree = NULL;
6389 /* FILE_OBJECTID_BUFFER */
6391 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
6392 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
6396 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6399 /* Birth Volume ID */
6400 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6403 /* Birth Object ID */
6404 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6408 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_CREATE_OR_GET_OBJECT_ID: the output is a FILE_OBJECTID_BUFFER, which
 * is dissected by the shared helper.
 */
6415 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6418 /* There is no in data */
6423 /* FILE_OBJECTID_BUFFER */
6424 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * FSCTL_GET_COMPRESSION: the output is a 2-byte little-endian compression
 * format.
 */
6430 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6433 /* There is no in data */
6438 /* compression format */
6439 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_COMPRESSION: the input is a 2-byte little-endian compression
 * format.
 */
6446 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6449 /* There is no out data */
6454 /* compression format */
6455 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_INTEGRITY_INFORMATION input: checksum algorithm (2 bytes), a
 * reserved field (2) and the integrity flags bitmask.
 */
6462 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
/* NOTE(review): the other bitmask field tables in this part of the file are
 * declared static const; this one is not, so it is rebuilt on every call. */
6464 const int *integrity_flags[] = {
6465 &hf_smb2_integrity_flags_enforcement_off,
6469 /* There is no out data */
6474 proto_tree_add_item(tree, hf_smb2_checksum_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6477 proto_tree_add_item(tree, hf_smb2_integrity_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6480 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_integrity_flags, ett_smb2_integrity_flags, integrity_flags, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_SET_OBJECT_ID: the input is a FILE_OBJECTID_BUFFER, which is
 * dissected by the shared helper.
 */
6487 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6490 /* There is no out data */
6495 /* FILE_OBJECTID_BUFFER */
6496 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * FSCTL_SET_OBJECT_ID_EXTENDED: the input is the extended info part of a
 * FILE_OBJECTID_BUFFER, shown as birth volume id, birth object id and domain
 * id, 16 bytes each.
 */
6502 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6505 /* There is no out data */
6510 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
6512 /* Birth Volume ID */
6513 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6516 /* Birth Object ID */
6517 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6521 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * Show the 24-byte copychunk resume key as opaque data; its contents are not
 * interpreted.
 */
6528 dissect_smb2_cchunk_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
6531 proto_tree_add_bytes_format_value(tree, hf_smb2_cchunk_resume_key, tvb,
6532 offset, 24, NULL, "Opaque Data");
/*
 * FSCTL_SRV_REQUEST_RESUME_KEY: the output is a resume key followed by a
 * 4-byte field shown as reserved.
 */
6539 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6542 /* There is no in data */
6547 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
6549 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect FSCTL_SRV_COPYCHUNK. The output is three 4-byte counters (chunks
 * written, bytes written, total written). The input is a resume key, a chunk
 * count, a reserved field and then one 24-byte "Chunk" entry per chunk
 * (source offset, destination offset, transfer length, reserved).
 */
6553 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6555 proto_tree *sub_tree;
6556 proto_item *sub_item;
6557 guint32 chunk_count = 0;
6559 /* Output is simpler - handle that first. */
6561 proto_tree_add_item(tree, hf_smb2_cchunk_chunks_written, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6562 proto_tree_add_item(tree, hf_smb2_cchunk_bytes_written, tvb, offset+4, 4, ENC_LITTLE_ENDIAN);
6563 proto_tree_add_item(tree, hf_smb2_cchunk_total_written, tvb, offset+8, 4, ENC_LITTLE_ENDIAN);
6567 /* Input data, fixed part */
6568 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
/* chunk_count is a 32-bit count taken from the packet. */
6569 proto_tree_add_item_ret_uint(tree, hf_smb2_cchunk_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &chunk_count);
6572 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6575 /* Zero or more chunk entries follow. */
/* The loop needs both a non-zero count and a whole 24-byte entry in the
 * remaining data, so a count larger than the data supports cannot run past
 * it. NOTE(review): the chunk_count decrement is not visible in this
 * listing. */
6576 while (chunk_count && tvb_reported_length_remaining(tvb, offset) >= 24) {
6577 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_smb2_cchunk_entry, &sub_item, "Chunk");
6579 proto_tree_add_item(sub_tree, hf_smb2_cchunk_src_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6582 proto_tree_add_item(sub_tree, hf_smb2_cchunk_dst_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6585 proto_tree_add_item(sub_tree, hf_smb2_cchunk_xfer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6588 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect a reparse data buffer using the symbolic-link layout: reparse tag,
 * reparse data length, reserved, substitute name offset/length, print name
 * offset/length, flags, and then the two names as Unicode strings.
 *
 * NOTE(review): as far as this listing shows, the buffer is decoded with the
 * symbolic-link layout whatever the reparse tag is, and the reparse data
 * length is displayed but not used to bound the names - confirm on the lines
 * that are not visible here.
 */
6596 dissect_smb2_FSCTL_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
6598 proto_item *item = NULL;
6599 proto_tree *tree = NULL;
6601 offset_length_buffer_t s_olb, p_olb;
6603 /* SYMBOLIC_LINK_REPARSE_DATA_BUFFER */
/* Length -1: the item covers the rest of the tvb. */
6605 item = proto_tree_add_item(parent_tree, hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER, tvb, offset, -1, ENC_NA);
6606 tree = proto_item_add_subtree(item, ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER);
6610 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6613 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6617 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6620 /* substitute name offset/length */
6621 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
6623 /* print name offset/length */
6624 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
6627 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The name offsets and lengths come from the packet and are resolved with
 * offset as the base. NOTE(review): how dissect_smb2_olb_off_string bounds
 * them is not visible here. */
6630 /* substitute name string */
6631 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
6633 /* print name string */
6634 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
6638 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, gboolean data_in)
6644 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
6648 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, gboolean data_in)
6654 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
6658 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in, void *private_data _U_)
6662 dc = tvb_reported_length(tvb);
6664 switch (ioctl_function) {
6665 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
6667 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc, TRUE);
6669 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc, TRUE);
6672 case 0x000940CF: /* FSCTL_QUERY_ALLOCATED_RANGES */
6673 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvb, pinfo, tree, 0, data_in);
6675 case 0x00094264: /* FSCTL_OFFLOAD_READ */
6676 dissect_smb2_FSCTL_OFFLOAD_READ(tvb, pinfo, tree, 0, data_in);
6678 case 0x00098268: /* FSCTL_OFFLOAD_WRITE */
6679 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvb, pinfo, tree, 0, data_in);
6681 case 0x0011c017: /* FSCTL_PIPE_TRANSCEIVE */
6682 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in, private_data);
6684 case 0x00110018: /* FSCTL_PIPE_WAIT */
6685 dissect_smb2_FSCTL_PIPE_WAIT(tvb, pinfo, tree, 0, top_tree, data_in);
6687 case 0x00140078: /* FSCTL_SRV_REQUEST_RESUME_KEY */
6688 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvb, pinfo, tree, 0, data_in);
6690 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
6691 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
6693 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
6694 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
6696 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
6697 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
6699 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
6700 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
6702 case 0x00144064: /* FSCTL_SRV_ENUMERATE_SNAPSHOTS */
6703 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvb, pinfo, tree, 0, data_in);
6705 case 0x001440F2: /* FSCTL_SRV_COPYCHUNK */
6706 case 0x001480F2: /* FSCTL_SRV_COPYCHUNK_WRITE */
6707 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvb, pinfo, tree, 0, data_in);
6709 case 0x000900A4: /* FSCTL_SET_REPARSE_POINT */
6710 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
6712 case 0x000900A8: /* FSCTL_GET_REPARSE_POINT */
6713 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
6715 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
6716 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
6717 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
6719 case 0x000900c4: /* FSCTL_SET_SPARSE */
6720 dissect_smb2_FSCTL_SET_SPARSE(tvb, pinfo, tree, 0, data_in);
6722 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
6723 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
6725 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
6726 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
6728 case 0x000980C8: /* FSCTL_SET_ZERO_DATA */
6729 dissect_smb2_FSCTL_SET_ZERO_DATA(tvb, pinfo, tree, 0, data_in);
6731 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
6732 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
6734 case 0x00090300: /* FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT */
6735 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvb, pinfo, tree, 0, data_in);
6737 case 0x00090304: /* FSCTL_SVHDX_SYNC_TUNNEL or response */
6738 case 0x00090364: /* FSCTL_SVHDX_ASYNC_TUNNEL or response */
6739 call_dissector_with_data(rsvd_handle, tvb, pinfo, top_tree, &data_in);
6741 case 0x00090350: /* FSCTL_STORAGE_QOS_CONTROL */
6742 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvb, pinfo, tree, 0, data_in);
6744 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
6745 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
6747 case 0x00090284: /* FSCTL_QUERY_FILE_REGIONS */
6748 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvb, pinfo, tree, 0, data_in);
6750 case 0x0009C280: /* FSCTL_SET_INTEGRITY_INFORMATION request or response */
6751 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvb, pinfo, tree, 0, data_in);
6754 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Buffer callback for the IOCTL input blob: dispatches on the ioctl
 * function code stored in si, with data_in set to TRUE.
 */
static void
dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	/* Set the pipe file id before the payload is handed to the dispatcher. */
	smb2_pipe_set_file_id(pinfo, si);

	dissect_smb2_ioctl_data(tvb, pinfo, tree,
				si->top_tree, si->ioctl_function,
				TRUE, si);
}
/*
 * Buffer callback for the IOCTL output blob: dispatches on the ioctl
 * function code stored in si, with data_in set to FALSE.
 */
static void
dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	/* Set the pipe file id before the payload is handed to the dispatcher. */
	smb2_pipe_set_file_id(pinfo, si);

	dissect_smb2_ioctl_data(tvb, pinfo, tree,
				si->top_tree, si->ioctl_function,
				FALSE, si);
}
/*
 * Dissect the body of an SMB2 IOCTL request.
 *
 * Fixed part: buffer code, reserved, ioctl function, file id, input
 * offset/length, max input size, output offset/length, max output size,
 * flags, reserved.  The two blobs named by the offset/length pairs are
 * dissected afterwards.
 *
 * Both offset/length pairs come from the packet.  They are handed to
 * dissect_smb2_olb_buffer() unchanged.
 * NOTE(review): range checks are expected inside that helper, which is not
 * part of this function - confirm there.
 *
 * Returns the offset after the fixed part and both blobs.
 */
static int
dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t o_olb;
	offset_length_buffer_t i_olb;
	proto_tree *flags_tree = NULL;
	proto_item *flags_item = NULL;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* ioctl function */
	offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* in buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);

	/* max ioctl in size */
	proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* out buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);

	/* max ioctl out size */
	proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* flags */
	if (tree) {
		flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
	}
	proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/*
	 * Decode the blobs in the order they appear on the wire, so that a
	 * short packet is dissected as far as possible before the
	 * "short packet" abort.
	 */
	if (i_olb.off <= o_olb.off) {
		/* in buffer first, then out buffer */
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
	} else {
		/* out buffer first, then in buffer */
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
	}

	offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
	offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);

	return offset;
}
/*
 * Dissect the body of an SMB2 IOCTL response.
 *
 * Status 0 is dissected as a normal response.  Any status other than 0 and
 * 0x80000005 goes through the generic error response first, and dissection
 * only continues when that helper asks for it.
 *
 * Both offset/length pairs come from the packet and are handed to
 * dissect_smb2_olb_buffer() unchanged.
 * NOTE(review): range checks are expected inside that helper, which is not
 * part of this function - confirm there.
 *
 * Returns the offset after the fixed part and both blobs.
 */
static int
dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t o_olb;
	offset_length_buffer_t i_olb;
	gboolean continue_dissection;

	switch (si->status) {
	case 0x00000000:
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
		break;
	case 0x80000005:
		/*
		 * NOTE(review): for 0x80000005 (STATUS_BUFFER_OVERFLOW) the
		 * buffer code is not consumed, so every field below is read
		 * two bytes earlier than in the success case.  Confirm
		 * against MS-SMB2 whether that is intended.
		 */
		break;
	default:
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* ioctl function */
	offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* in buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);

	/* out buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);

	/* flags: reserved: must be zero */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/*
	 * Decode the blobs in the order they appear on the wire, so that a
	 * short packet is dissected as far as possible before the
	 * "short packet" abort.
	 */
	if (i_olb.off <= o_olb.off) {
		/* in buffer first, then out buffer */
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
	} else {
		/* out buffer first, then in buffer */
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
	}

	offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
	offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);

	return offset;
}
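/*
 * Dissect the body of an SMB2 READ request.
 *
 * Fixed part: buffer code, padding/reserved, read length, file offset,
 * file id, minimum count, channel, remaining bytes, and the offset/length
 * of the channel info blob.  The blob is dissected as an RDMA v1 blob when
 * the channel field says so, and as opaque data otherwise.
 *
 * The requested length and file offset are remembered in si->saved (when
 * present) so the matching response can be related to them.
 *
 * Returns the offset after the request, including the channel info blob.
 */
static int
dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t c_olb;
	guint32 channel;
	guint32 len;
	guint64 off;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* padding and reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* length */
	len = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* offset */
	off = tvb_get_letoh64(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/*
	 * len is an unsigned 32-bit wire value; print it with %u so that a
	 * length of 2 GiB or more is not shown as a negative number.
	 */
	col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%u Off:%" G_GINT64_MODIFIER "u", len, off);

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* minimum count */
	proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* channel */
	channel = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* remaining bytes */
	proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* read channel info blob offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);

	/* the read channel info blob itself */
	switch (channel) {
	case SMB2_CHANNEL_RDMA_V1:
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
		break;
	case SMB2_CHANNEL_NONE:
	default:
		/* No dissector for this channel type: show the blob as raw data. */
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
		break;
	}

	offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);

	/* Store len and offset */
	if (si->saved) {
		si->saved->file_offset=off;
		si->saved->bytes_moved=len;
	}

	return offset;
}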
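/*
 * Dissect the body of an SMB2 READ response.
 *
 * Status 0 is dissected as a normal response; any other status goes through
 * the generic error response first, and dissection only continues when that
 * helper asks for it.
 *
 * The payload is first offered to the named-pipe dissector.  If that does
 * not consume anything, it is shown as opaque read data.  The declared
 * length comes from the packet, so the returned offset advances by at most
 * the number of bytes actually captured.  The export-object tap is only fed
 * when the whole declared payload is present in the capture.
 *
 * Returns the offset after the response.
 */
static int
dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	guint16 dataoffset = 0;
	guint32 data_tvb_len;
	guint32 length;
	gboolean continue_dissection;
	gboolean pipe_dissected = FALSE;

	switch (si->status) {
	case 0x00000000:
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
		break;
	default:
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/*
	 * data offset: a 16-bit field, so read exactly 16 bits.  A 32-bit
	 * fetch would pull in two bytes of the following field and rely on
	 * truncation into the guint16.
	 */
	dataoffset = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* length might even be 64bits if they are ambitious*/
	length = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* remaining */
	proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);

	/* data or namedpipe ?*/
	if (length) {
		int oldoffset = offset;
		smb2_pipe_set_file_id(pinfo, si);
		offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
		/* An advanced offset means the pipe dissector handled the data. */
		pipe_dissected = (offset != oldoffset);
	}

	if (!pipe_dissected) {
		/* data */
		proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);

		/* Never step past what was captured, whatever the packet declares. */
		offset += MIN(length,data_tvb_len);
	}

	if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
		if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
			feed_eo_smb2(tvb,pinfo,si,dataoffset,length,si->saved->file_offset);
		}
	}

	return offset;
}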
/*
 * Attach an ei_smb2_bad_response expert item covering the whole buffer.
 * The create-context dissectors in this file call it for buffers they
 * consider unexpected or malformed.
 *
 * buffer_desc is inserted into the message through a fixed "%s" format, so
 * it is never interpreted as a format string itself.
 */
static void
report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *buffer_desc)
{
	proto_tree_add_expert_format(tree, pinfo, &ei_smb2_bad_response,
				     tvb, 0, -1,
				     "%s SHOULD NOT be generated",
				     buffer_desc);
}
7041 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7043 proto_item *item = NULL;
7045 item = proto_tree_get_parent(tree);
7046 proto_item_append_text(item, ": SMB2_FILE_FULL_EA_INFO");
7048 dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
7052 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7054 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
7058 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7060 proto_item *item = NULL;
7062 item = proto_tree_get_parent(tree);
7063 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
7065 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
7069 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7071 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
7075 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7077 proto_item *item = NULL;
7079 item = proto_tree_get_parent(tree);
7080 proto_item_append_text(item, ": Timestamp");
7082 dissect_nt_64bit_time(tvb, tree, 0, hf_smb2_twrp_timestamp);
7086 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7088 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
7092 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7094 proto_item *item = NULL;
7097 item = proto_tree_get_parent(tree);
7101 if (tvb_reported_length(tvb) == 0) {
7102 proto_item_append_text(item, ": NO DATA");
7104 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
7110 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7114 proto_item *sub_tree;
7116 item = proto_tree_get_parent(tree);
7118 proto_item_append_text(item, ": QFid INFO");
7119 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_QFid_buffer, NULL, "QFid INFO");
7121 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
7125 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7127 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
7131 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7133 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
7137 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7139 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
7143 dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7145 proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
7149 dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7151 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
7155 dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7157 report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
7161 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
7167 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
7171 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
7176 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
7179 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
7182 dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7184 static const int *dh2x_flags_fields[] = {
7185 &hf_smb2_dh2x_buffer_flags_persistent_handle,
7190 proto_item *sub_tree;
7192 item = proto_tree_get_parent(tree);
7194 proto_item_append_text(item, ": DH2Q Request");
7195 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Request");
7198 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7202 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_dh2x_buffer_flags,
7203 ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
7207 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7211 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7215 dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7219 proto_item *sub_tree;
7221 item = proto_tree_get_parent(tree);
7223 proto_item_append_text(item, ": DH2Q Response");
7224 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Response");
7227 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7231 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7235 dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
7239 proto_item *sub_tree;
7241 item = proto_tree_get_parent(tree);
7243 proto_item_append_text(item, ": DH2C Request");
7244 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2C_buffer, NULL, "DH2C Request");
7247 dissect_smb2_fid(tvb, pinfo, sub_tree, offset, si, FID_MODE_DHNC);
7251 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7255 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7259 dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
7261 report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
7265 dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7268 proto_item *item = NULL;
7271 item = proto_tree_get_parent(tree);
7274 if (tvb_reported_length(tvb) == 0) {
7276 proto_item_append_text(item, ": NO DATA");
7282 proto_item_append_text(item, ": Timestamp");
7285 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_mxac_timestamp);
7289 dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7293 proto_tree *sub_tree;
7295 item = proto_tree_get_parent(tree);
7297 if (tvb_reported_length(tvb) == 0) {
7298 proto_item_append_text(item, ": NO DATA");
7302 proto_item_append_text(item, ": MxAc INFO");
7303 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_MxAc_buffer, NULL, "MxAc INFO");
7305 proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_BIG_ENDIAN);
7308 dissect_smb_access_mask(tvb, sub_tree, offset);
7312 * SMB2_CREATE_REQUEST_LEASE 32
7316 * 8 - lease duration
7318 * SMB2_CREATE_REQUEST_LEASE_V2 52
7322 * 8 - lease duration
7323 * 16 - parent lease key
7327 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
7328 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
7329 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
7331 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
7332 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
7333 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
7335 static const int *lease_state_fields[] = {
7336 &hf_smb2_lease_state_read_caching,
7337 &hf_smb2_lease_state_handle_caching,
7338 &hf_smb2_lease_state_write_caching,
7341 static const int *lease_flags_fields[] = {
7342 &hf_smb2_lease_flags_break_ack_required,
7343 &hf_smb2_lease_flags_break_in_progress,
7344 &hf_smb2_lease_flags_parent_lease_key_set,
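/*
 * Dissect an RqLs create-context buffer (lease request or response).
 *
 * The version is inferred from the reported buffer length only:
 *   32 bytes - lease V1: key(16) state(4) flags(4) duration(8)
 *   52 bytes - lease V2: V1 fields + parent key(16) epoch(2) reserved(2)
 *
 * Any other length is reported as malformed and nothing further is
 * dissected.  The length comes from the packet, and decoding fixed-size
 * fields from a buffer of unexpected size would only add noise on top of
 * the expert item.
 */
static void
dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int         offset   = 0;
	guint       len;
	proto_tree *sub_tree = NULL;
	proto_item *parent_item;

	parent_item = proto_tree_get_parent(parent_tree);

	len = tvb_reported_length(tvb);

	switch (len) {
	case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
		proto_item_append_text(parent_item, ": LEASE_V1");
		sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V1");
		break;
	case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
		proto_item_append_text(parent_item, ": LEASE_V2");
		sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V2");
		break;
	default:
		report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
		/* Unknown layout: stop instead of decoding into a NULL subtree. */
		return;
	}

	/* Fields common to V1 and V2 */
	proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_state,
			       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
	offset += 4;

	proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_flags,
			       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
	offset += 4;

	proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* V1 ends here */
	if (len < 52) {
		return;
	}

	/* V2-only fields */
	proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	proto_tree_add_item(sub_tree, hf_smb2_lease_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
}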
7402 dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7404 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
7408 dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7410 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
7414 * SMB2_CREATE_APP_INSTANCE_ID
7415 * 2 - structure size - 20
7417 * 16 - application guid
7421 dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7425 proto_item *sub_tree;
7427 item = proto_tree_get_parent(tree);
7429 proto_item_append_text(item, ": CREATE APP INSTANCE ID");
7430 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_APP_INSTANCE_buffer, NULL, "APP INSTANCE ID");
7433 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
7434 tvb, offset, 2, ENC_LITTLE_ENDIAN);
7438 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
7439 tvb, offset, 2, ENC_LITTLE_ENDIAN);
7443 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7447 dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7449 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
7453 * Dissect the MS-RSVD stuff that turns up when HyperV uses SMB3.x
7456 dissect_smb2_svhdx_open_device_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7461 proto_item *sub_tree;
7463 item = proto_tree_get_parent(tree);
7465 proto_item_append_text(item, ": SVHDX OPEN DEVICE CONTEXT");
7466 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_svhdx_open_device_context, NULL, "SVHDX OPEN DEVICE CONTEXT");
7469 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_svhdx_open_device_context_version,
7470 tvb, offset, 4, ENC_LITTLE_ENDIAN, &version);
7473 /* HasInitiatorId */
7474 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_has_initiator_id,
7475 tvb, offset, 1, ENC_LITTLE_ENDIAN);
7479 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_reserved,
7480 tvb, offset, 3, ENC_NA);
7484 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_id,
7485 tvb, offset, 16, ENC_LITTLE_ENDIAN);
7488 /* Flags TODO: Dissect these*/
7489 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_flags,
7490 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7493 /* OriginatorFlags */
7494 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_originator_flags,
7495 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7499 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_open_request_id,
7500 tvb, offset, 8, ENC_LITTLE_ENDIAN);
7503 /* InitiatorHostNameLength */
7504 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name_len,
7505 tvb, offset, 2, ENC_LITTLE_ENDIAN);
7508 /* InitiatorHostName */
7509 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name,
7510 tvb, offset, 126, ENC_ASCII | ENC_NA);
7514 /* VirtualDiskPropertiesInitialized */
7515 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
7516 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7519 /* ServerServiceVersion */
7520 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_server_service_version,
7521 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7524 /* VirtualSectorSize */
7525 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_sector_size,
7526 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7529 /* PhysicalSectorSize */
7530 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_physical_sector_size,
7531 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7535 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_size,
7536 tvb, offset, 8, ENC_LITTLE_ENDIAN);
7540 static const int *posix_flags_fields[] = {
7541 &hf_smb2_posix_v1_case_sensitive,
7542 &hf_smb2_posix_v1_posix_lock,
7543 &hf_smb2_posix_v1_posix_file_semantics,
7544 &hf_smb2_posix_v1_posix_utf8_paths,
7545 &hf_smb2_posix_v1_posix_will_convert_nt_acls,
7546 &hf_smb2_posix_v1_posix_fileinfo,
7547 &hf_smb2_posix_v1_posix_acls,
7548 &hf_smb2_posix_v1_rich_acls,
7553 dissect_smb2_posix_v1_caps_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7557 proto_item *sub_tree;
7559 item = proto_tree_get_parent(tree);
7561 proto_item_append_text(item, ": POSIX V1 CAPS request");
7562 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_posix_v1_request, NULL, "POSIX_V1_REQUEST");
7565 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_version,
7566 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7570 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_request,
7571 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7575 dissect_smb2_posix_v1_caps_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
7579 proto_item *sub_tree;
7581 item = proto_tree_get_parent(tree);
7583 proto_item_append_text(item, ": POSIX V1 CAPS response");
7584 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_posix_v1_response, NULL, "POSIX_V1_RESPONSE");
7587 proto_tree_add_item(sub_tree, hf_smb2_posix_v1_version,
7588 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7591 /* Supported Features */
7592 proto_tree_add_bitmask(sub_tree, tvb, offset,
7593 hf_smb2_posix_v1_supported_features,
7594 ett_smb2_posix_v1_supported_features,
7595 posix_flags_fields, ENC_LITTLE_ENDIAN);
7599 #define SMB2_AAPL_SERVER_QUERY 1
7600 #define SMB2_AAPL_RESOLVE_ID 2
7602 static const value_string aapl_command_code_vals[] = {
7603 { SMB2_AAPL_SERVER_QUERY, "Server query"},
7604 { SMB2_AAPL_RESOLVE_ID, "Resolve ID"},
7608 #define SMB2_AAPL_SERVER_CAPS 0x00000001
7609 #define SMB2_AAPL_VOLUME_CAPS 0x00000002
7610 #define SMB2_AAPL_MODEL_INFO 0x00000004
7612 static const int *aapl_server_query_bitmap_fields[] = {
7613 &hf_smb2_aapl_server_query_bitmask_server_caps,
7614 &hf_smb2_aapl_server_query_bitmask_volume_caps,
7615 &hf_smb2_aapl_server_query_bitmask_model_info,
7619 #define SMB2_AAPL_SUPPORTS_READ_DIR_ATTR 0x00000001
7620 #define SMB2_AAPL_SUPPORTS_OSX_COPYFILE 0x00000002
7621 #define SMB2_AAPL_UNIX_BASED 0x00000004
7622 #define SMB2_AAPL_SUPPORTS_NFS_ACE 0x00000008
7624 static const int *aapl_server_query_caps_fields[] = {
7625 &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
7626 &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
7627 &hf_smb2_aapl_server_query_caps_unix_based,
7628 &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
7633 dissect_smb2_AAPL_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
7637 proto_item *sub_tree;
7638 guint32 command_code;
7640 item = proto_tree_get_parent(tree);
7642 proto_item_append_text(item, ": AAPL Create Context request");
7643 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_request, NULL, "AAPL Create Context request");
7646 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
7647 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
7651 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
7652 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7655 switch (command_code) {
7657 case SMB2_AAPL_SERVER_QUERY:
7658 /* Request bitmap */
7659 proto_tree_add_bitmask(sub_tree, tvb, offset,
7660 hf_smb2_aapl_server_query_bitmask,
7661 ett_smb2_aapl_server_query_bitmask,
7662 aapl_server_query_bitmap_fields,
7666 /* Client capabilities */
7667 proto_tree_add_bitmask(sub_tree, tvb, offset,
7668 hf_smb2_aapl_server_query_caps,
7669 ett_smb2_aapl_server_query_caps,
7670 aapl_server_query_caps_fields,
7674 case SMB2_AAPL_RESOLVE_ID:
7676 proto_tree_add_item(sub_tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7684 #define SMB2_AAPL_SUPPORTS_RESOLVE_ID 0x00000001
7685 #define SMB2_AAPL_CASE_SENSITIVE 0x00000002
7686 #define SMB2_AAPL_SUPPORTS_FULL_SYNC 0x00000004
7688 static const int *aapl_server_query_volume_caps_fields[] = {
7689 &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
7690 &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
7691 &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
/*
 * Dissect the data of an "AAPL" create context carried in a response.
 *
 * Layout as parsed here: a 4-byte little-endian command code, a 4-byte
 * reserved field, then a body selected by the command code
 * (SMB2_AAPL_SERVER_QUERY or SMB2_AAPL_RESOLVE_ID).
 *
 * NOTE(review): the gutter numbers in this listing skip, so some source
 * lines of this function (declarations, braces, trailing call arguments)
 * are not shown; the comments below describe only the visible statements.
 */
7696 dissect_smb2_AAPL_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
7700 proto_item *sub_tree;
7701 guint32 command_code;
7702 guint64 server_query_bitmask;
7704 item = proto_tree_get_parent(tree);
7706 proto_item_append_text(item, ": AAPL Create Context response");
7707 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_response, NULL, "AAPL Create Context response");
/* command_code is filled in from the packet by the _ret_uint variant. */
7710 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
7711 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
7715 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
7716 tvb, offset, 4, ENC_LITTLE_ENDIAN);
7719 switch (command_code) {
7721 case SMB2_AAPL_SERVER_QUERY:
/*
 * The reply bitmap is read from the packet into server_query_bitmask and
 * decides which of the optional sections below are parsed, so the layout
 * of the rest of the buffer is controlled by the sender.
 */
7723 proto_tree_add_bitmask_ret_uint64(sub_tree, tvb, offset,
7724 hf_smb2_aapl_server_query_bitmask,
7725 ett_smb2_aapl_server_query_bitmask,
7726 aapl_server_query_bitmap_fields,
7728 &server_query_bitmask);
7731 if (server_query_bitmask & SMB2_AAPL_SERVER_CAPS) {
7732 /* Server capabilities */
7733 proto_tree_add_bitmask(sub_tree, tvb, offset,
7734 hf_smb2_aapl_server_query_caps,
7735 ett_smb2_aapl_server_query_caps,
7736 aapl_server_query_caps_fields,
7740 if (server_query_bitmask & SMB2_AAPL_VOLUME_CAPS) {
7741 /* Volume capabilities */
7742 proto_tree_add_bitmask(sub_tree, tvb, offset,
7743 hf_smb2_aapl_server_query_volume_caps,
7744 ett_smb2_aapl_server_query_volume_caps,
7745 aapl_server_query_volume_caps_fields,
7749 if (server_query_bitmask & SMB2_AAPL_MODEL_INFO) {
/*
 * Model string, added as UTF-16 little-endian.
 * NOTE(review): the offset/length arguments of this call are on a line
 * not shown; presumably the length comes from the packet - confirm.
 */
7754 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_model_string,
7756 ENC_UTF_16|ENC_LITTLE_ENDIAN);
7760 case SMB2_AAPL_RESOLVE_ID:
/* Resolve-ID reply: a 4-byte NT status followed by a UTF-16LE server path. */
7762 proto_tree_add_item(sub_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7766 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_server_path,
7768 ENC_UTF_16|ENC_LITTLE_ENDIAN);
/* Signature shared by every create-context data handler (request or response side). */
7776 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
/* Pair of handlers for one create-context type: one per message direction. */
7778 typedef struct create_context_data_dissectors {
7779 create_context_data_dissector_t request;
7780 create_context_data_dissector_t response;
7781 } create_context_data_dissectors_t;
/*
 * One table row: tag string, display name, handler pair.
 * NOTE(review): the `tag` and `val` members used elsewhere in this file
 * (`.tag`, `->val`) are declared on lines not shown in this listing.
 */
7783 struct create_context_data_tag_dissectors {
7786 create_context_data_dissectors_t dissectors;
/*
 * Lookup table from create-context tag to its name and handlers.
 * Tags are either 4-character strings or GUIDs written as strings; the
 * lookup function compares them with strcmp(), i.e. case-sensitively.
 * NOTE(review): one GUID row is upper-case and the others lower-case, so
 * whether the upper-case row can ever match depends on the case that
 * guid_to_str() produces - confirm.
 * NOTE(review): the array is neither `static` nor `const` as shown; if
 * nothing outside this file uses or modifies it, both would be appropriate.
 */
7789 struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
7790 { "ExtA", "SMB2_CREATE_EA_BUFFER",
7791 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
7792 { "SecD", "SMB2_CREATE_SD_BUFFER",
7793 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
7794 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
7795 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
7796 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
7797 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
7798 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
7799 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
7800 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
7801 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
7802 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
7803 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
7804 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
7805 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
7806 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
7807 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
7808 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
7809 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
7810 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
7811 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
7812 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
7813 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
7814 { "6aa6bc45-a7ef-4af7-9008-fa462e144d74", "SMB2_CREATE_APP_INSTANCE_ID",
7815 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
7816 { "9ecfcb9c-c104-43e6-980e-158da1f6ec83", "SVHDX_OPEN_DEVICE_CONTEXT",
7817 { dissect_smb2_svhdx_open_device_context, dissect_smb2_svhdx_open_device_context} },
7818 { "34263501-2921-4912-2586-447794114531", "SMB2_POSIX_V1_CAPS",
7819 { dissect_smb2_posix_v1_caps_request, dissect_smb2_posix_v1_caps_response } },
7820 { "AAPL", "SMB2_AAPL_CREATE_CONTEXT",
7821 { dissect_smb2_AAPL_buffer_request, dissect_smb2_AAPL_buffer_response } },
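/*
 * Look up the create-context table entry whose tag string equals `tag`.
 *
 * The caller derives `tag` from packet contents (a GUID rendered as a
 * string, or an ASCII string), so it is untrusted input. The comparison
 * is an exact, case-sensitive strcmp().
 *
 * Returns the matching entry of create_context_dissectors_array, or a
 * static "<invalid>" entry with NULL handlers when nothing matches or
 * when `tag` is NULL.
 */
static struct create_context_data_tag_dissectors*
get_create_context_data_tag_dissectors(const char *tag)
{
	static struct create_context_data_tag_dissectors INVALID = {
		NULL, "<invalid>", { NULL, NULL }
	};
	size_t i;

	/*
	 * strcmp() on a NULL pointer is undefined behaviour. The tag comes
	 * from a string helper whose return value is not checked by the
	 * caller, so treat a missing tag like an unknown one.
	 */
	if (tag == NULL)
		return &INVALID;

	for (i = 0; i<array_length(create_context_dissectors_array); i++) {
		if (!strcmp(tag, create_context_dissectors_array[i].tag))
			return &create_context_dissectors_array[i];
	}

	/*
	 * NOTE(review): the tail of this function is not visible in the
	 * listing; this fallback is restored as the only use of INVALID -
	 * confirm against the upstream file.
	 */
	return &INVALID;
}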
/*
 * Dissect one element of the create-context chain attached to a CREATE
 * request or response, then recurse into the next element.
 *
 * Visible steps: read the chain offset, add a "Chain Element" subtree,
 * parse the tag and data offset/length pairs, turn the tag into a string,
 * look up the handlers for that tag, pick the request or response handler
 * from si->flags, and hand the data buffer to it.
 *
 * NOTE(review): the gutter numbers skip, so some declarations, braces and
 * conditions of this function are not shown in this listing.
 */
7841 dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
7843 offset_length_buffer_t tag_olb;
7844 offset_length_buffer_t data_olb;
7846 guint16 chain_offset;
7849 proto_item *sub_item;
7850 proto_tree *sub_tree;
7851 proto_item *parent_item = NULL;
7852 create_context_data_dissectors_t *dissectors = NULL;
7853 create_context_data_dissector_t dissector = NULL;
7854 struct create_context_data_tag_dissectors *tag_dissectors;
/*
 * NOTE(review): a 32-bit value is read from the packet but stored in a
 * guint16, so the upper 16 bits are dropped, while the same field is
 * displayed below as 4 bytes. A chain offset above 0xFFFF would make the
 * next element start at a different place than the displayed value says.
 */
7856 chain_offset = tvb_get_letohl(tvb, offset);
7861 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_create_chain_element, &sub_item, "Chain Element");
7862 parent_item = proto_tree_get_parent(parent_tree);
7865 proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7868 /* tag offset/length */
7869 offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);
7871 /* data offset/length */
7872 dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);
7875 * These things are all either 4-char strings, like DH2C, or GUIDs,
7876 * however, at least one of them appears to be a GUID as a string and
7877 * one appears to be a binary guid. So, check if the the length is
7878 * 16, and if so, pull the GUID and convert it to a string. Otherwise
7879 * call dissect_smb2_olb_string.
7881 if (tag_olb.len == 16) {
7883 proto_item *tag_item;
7884 proto_tree *tag_tree;
7886 tvb_get_letohguid(tvb, tag_olb.off, &tag_guid);
7887 tag = guid_to_str(wmem_packet_scope(), &tag_guid);
7889 tag_item = proto_tree_add_string(sub_tree, tag_olb.hfindex, tvb, tag_olb.off, tag_olb.len, tag);
7890 tag_tree = proto_item_add_subtree(tag_item, ett_smb2_olb);
7891 proto_tree_add_item(tag_tree, hf_smb2_olb_offset, tvb, tag_olb.off_offset, 2, ENC_LITTLE_ENDIAN);
7892 proto_tree_add_item(tag_tree, hf_smb2_olb_length, tvb, tag_olb.len_offset, 2, ENC_LITTLE_ENDIAN);
7896 tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
/*
 * NOTE(review): `tag` is used below without a NULL check, both in the
 * lookup (which calls strcmp on it) and as a "%s" argument. If
 * dissect_smb2_olb_string() can return NULL for an empty or absent tag
 * buffer, a packet with such a tag reaches both uses - confirm.
 */
7899 tag_dissectors = get_create_context_data_tag_dissectors(tag);
7901 proto_item_append_text(parent_item, " %s", tag_dissectors->val);
7902 proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);
7905 dissectors = &tag_dissectors->dissectors;
/* Direction is taken from the SMB2 header flags, not from the tag. */
7907 dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;
7909 dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);
/*
 * The next element is dissected by a recursive call on a tvb that starts
 * chain_offset bytes into this one.
 * NOTE(review): every chain element adds a stack frame and the number of
 * elements is set by the packet; the guarding condition is on a line not
 * shown. Consider a loop or an explicit depth limit so a long chain
 * cannot exhaust the stack.
 */
7912 tvbuff_t *chain_tvb;
7913 chain_tvb = tvb_new_subset_remaining(tvb, chain_offset);
7915 /* next extra info */
7916 dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
/*
 * Dissect the body of an SMB2 CREATE request starting at `offset`.
 *
 * Visible steps: buffer code, oplock, impersonation level, create flags,
 * reserved bytes, access mask, file attributes, share access, create
 * disposition, create options, then the filename and extra-info
 * offset/length pairs. The filename is shown in the Info column and, on
 * the first pass over the packet, a copy is stored in si->saved for later
 * use. The extra-info buffer is handed to dissect_smb2_create_extra_info.
 *
 * NOTE(review): the gutter numbers skip, so some statements of this
 * function (declarations, braces, the final return) are not shown here.
 */
7921 dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7923 offset_length_buffer_t f_olb, e_olb;
7927 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
7929 /* security flags */
7933 offset = dissect_smb2_oplock(tree, tvb, offset);
7935 /* impersonation level */
7936 proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7940 proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7944 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 8, ENC_NA);
7948 offset = dissect_smb_access_mask(tvb, tree, offset);
7950 /* File Attributes */
7951 offset = dissect_file_ext_attr(tvb, tree, offset);
7954 offset = dissect_nt_share_access(tvb, tree, offset);
7956 /* create disposition */
7957 proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7960 /* create options */
7961 offset = dissect_nt_create_options(tvb, tree, offset);
7963 /* filename offset/length */
7964 offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);
7966 /* extrainfo offset */
7967 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
7969 /* filename string */
/*
 * NOTE(review): fname is passed to "%s" here and below without a NULL
 * check; confirm what dissect_smb2_olb_string() returns for an empty or
 * absent filename buffer.
 */
7970 fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
7971 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", fname);
7973 /* save the name if it looks sane */
/* Only on the first pass: state stored in si->saved must not be redone on re-dissection. */
7974 if (!pinfo->fd->flags.visited) {
/* Drop a filename saved earlier so the old file-scope allocation is not leaked. */
7975 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
7976 wmem_free(wmem_file_scope(), si->saved->extra_info);
7977 si->saved->extra_info = NULL;
7978 si->saved->extra_info_type = SMB2_EI_NONE;
/*
 * The copy lives in file scope, so its size is capped: only names whose
 * f_olb.len is below 256 are stored. The buffer is f_olb.len+1 bytes and
 * g_snprintf() is given the same size, so the copy cannot overrun it; a
 * converted name longer than that is truncated.
 */
7980 if (si->saved && f_olb.len < 256) {
7981 si->saved->extra_info_type = SMB2_EI_FILENAME;
7982 si->saved->extra_info = (gchar *)wmem_alloc(wmem_file_scope(), f_olb.len+1);
7983 g_snprintf((gchar *)si->saved->extra_info, f_olb.len+1, "%s", fname);
7987 /* If extrainfo_offset is non-null then this points to another
7988 * buffer. The offset is relative to the start of the smb packet
7990 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
7992 offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
7993 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
7998 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
/*
 * Dissect the body of an SMB2 CREATE response starting at `offset`.
 *
 * Visible steps: buffer code (or the error-response path when si->status
 * is not 0), oplock, response flags, create action, four 64-bit
 * timestamps, allocation size, end of file, file attributes, reserved
 * bytes, file id, and the extra-info offset/length pair whose buffer is
 * handed to dissect_smb2_create_extra_info. End-of-file and the attribute
 * mask are recorded in si->eo_file_info when that pointer is set, and a
 * filename saved by the request is freed at the end.
 *
 * NOTE(review): the gutter numbers skip, so some statements of this
 * function (declarations, braces, the final return) are not shown here.
 */
8001 dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8003 guint64 end_of_file;
8005 offset_length_buffer_t e_olb;
8006 static const int *create_rep_flags_fields[] = {
8007 &hf_smb2_create_rep_flags_reparse_point,
8010 gboolean continue_dissection;
/* Non-zero status: dissect as an error response and stop unless told to continue. */
8012 switch (si->status) {
8014 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8015 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8016 if (!continue_dissection) return offset;
8020 offset = dissect_smb2_oplock(tree, tvb, offset);
8023 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
8024 ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
8028 proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8032 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
8035 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
8038 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
8041 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
8043 /* allocation size */
8044 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Keep a local copy of end-of-file; it is stored again after dissect_smb2_fid below. */
8048 end_of_file = tvb_get_letoh64(tvb, offset);
8049 if (si->eo_file_info) {
8050 si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
8052 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8055 /* File Attributes */
8056 attr_mask=tvb_get_letohl(tvb, offset);
8057 offset = dissect_file_ext_attr(tvb, tree, offset);
8060 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8064 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);
8066 /* We save this after dissect_smb2_fid just because it would be
8067 possible to have this response without having the matching request.
8068 In that case the entry in the file info hash table has been created
8069 in dissect_smb2_fid */
8070 if (si->eo_file_info) {
8071 si->eo_file_info->end_of_file = end_of_file;
8072 si->eo_file_info->attr_mask = attr_mask;
8075 /* extrainfo offset */
8076 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
8078 /* If extrainfo_offset is non-null then this points to another
8079 * buffer. The offset is relative to the start of the smb packet
8081 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
8083 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
8085 /* free si->saved->extra_info we don't need it any more */
8086 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
8087 wmem_free(wmem_file_scope(), si->saved->extra_info);
8088 si->saved->extra_info = NULL;
8089 si->saved->extra_info_type = SMB2_EI_NONE;
/*
 * Dissect the body of an SMB2 SETINFO request starting at `offset`.
 *
 * Visible steps: buffer code, class and info level, a 4-byte size, a
 * 2-byte offset, 6 bytes shown as unknown, the file id, and then the
 * info-level data at the offset given in the packet.
 *
 * NOTE(review): the gutter numbers skip, so some statements of this
 * function (braces, conditions, the final return) are not shown here.
 */
8097 dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8099 guint32 setinfo_size;
8100 guint16 setinfo_offset;
8103 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
8105 /* class and info level */
8106 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
/* Both values below come straight from the packet and steer the rest of the dissection. */
8109 setinfo_size = tvb_get_letohl(tvb, offset);
8110 proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8114 setinfo_offset = tvb_get_letohs(tvb, offset);
8115 proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8118 /* some unknown bytes */
8119 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
8123 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * NOTE(review): si->saved is dereferenced in this call; other functions
 * in this file test `si->saved` before using it. The preceding line is
 * not shown in this listing - confirm it guards against a NULL si->saved.
 */
8127 dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);
/*
 * NOTE(review): a 32-bit unsigned size from the packet is added to the
 * offset and stored in an int; a large size can produce a negative or
 * wrapped offset for the caller - confirm the caller tolerates that.
 */
8128 offset = setinfo_offset + setinfo_size;
/*
 * Dissect the body of an SMB2 SETINFO response starting at `offset`.
 *
 * The class/info level is dissected first (its returned offset is not
 * used); then the buffer code is parsed when si->status is 0, otherwise
 * the error-response path is taken and the function returns early unless
 * that path asks to continue.
 *
 * NOTE(review): the closing lines of this function are not shown here.
 */
8134 dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8136 gboolean continue_dissection;
8137 /* class/infolevel */
8138 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
8140 switch (si->status) {
8142 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8143 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8144 if (!continue_dissection) return offset;
/*
 * Dissect the body of an SMB2 BREAK request starting at `offset`.
 *
 * The 2-byte buffer code read from the packet selects the layout:
 * 24 is parsed as oplock level, reserved bytes and a file id; 36 is
 * parsed as a lease break acknowledgment (reserved, lease flags, 16-byte
 * lease key, lease state, lease duration). Other values add nothing
 * beyond the buffer code in the lines shown.
 *
 * NOTE(review): the gutter numbers skip, so some statements of this
 * function (braces, the final return) are not shown here.
 */
8151 dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8153 guint16 buffer_code;
/* Peek at the buffer code before dissect_smb2_buffercode consumes it. */
8156 buffer_code = tvb_get_letohs(tvb, offset);
8157 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
8159 if (buffer_code == 24) {
8163 offset = dissect_smb2_oplock(tree, tvb, offset);
8166 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
8170 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8174 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
8179 if (buffer_code == 36) {
8180 /* Lease Break Acknowledgment */
8183 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8187 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
8188 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
8192 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8196 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8197 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
8200 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect the body of an SMB2 BREAK response starting at `offset`.
 *
 * The 2-byte buffer code is read from the packet first. When si->status
 * is not 0 the error-response path runs and may end dissection. Then the
 * buffer code selects the layout: 24 oplock break notification, 44 lease
 * break notification, 36 lease break response.
 *
 * NOTE(review): the gutter numbers skip, so some statements of this
 * function (declarations, braces, the final return) are not shown here.
 */
8210 dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8212 guint16 buffer_code;
8213 gboolean continue_dissection;
8216 buffer_code = tvb_get_letohs(tvb, offset);
8217 switch (si->status) {
8218 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8219 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8220 if (!continue_dissection) return offset;
8223 if (buffer_code == 24) {
8224 /* OPLOCK Break Notification */
8227 offset = dissect_smb2_oplock(tree, tvb, offset);
8230 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
8234 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8238 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
8240 /* in break requests from server to client here're 24 byte zero bytes
8241 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
8247 if (buffer_code == 44) {
8250 /* Lease Break Notification */
8252 /* new lease epoch */
8253 proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8257 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
8258 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
8262 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8265 /* current lease state */
8266 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8267 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
/* The same header field is used for both states; the label prefix tells them apart. */
8269 proto_item_prepend_text(item, "Current ");
8273 /* new lease state */
8274 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8275 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
8277 proto_item_prepend_text(item, "New ");
8281 /* break reason - reserved */
8282 proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8285 /* access mask hint - reserved */
8286 proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8289 /* share mask hint - reserved */
8290 proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8296 if (buffer_code == 36) {
8297 /* Lease Break Response */
8300 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8304 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
8305 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
8309 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8313 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
8314 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
8317 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8326 /* names here are just until we find better names for these functions */
8327 static const value_string smb2_cmd_vals[] = {
8328 { 0x00, "Negotiate Protocol" },
8329 { 0x01, "Session Setup" },
8330 { 0x02, "Session Logoff" },
8331 { 0x03, "Tree Connect" },
8332 { 0x04, "Tree Disconnect" },
8341 { 0x0D, "KeepAlive" },
8344 { 0x10, "GetInfo" },
8345 { 0x11, "SetInfo" },
8347 { 0x13, "unknown-0x13" },
8348 { 0x14, "unknown-0x14" },
8349 { 0x15, "unknown-0x15" },
8350 { 0x16, "unknown-0x16" },
8351 { 0x17, "unknown-0x17" },
8352 { 0x18, "unknown-0x18" },
8353 { 0x19, "unknown-0x19" },
8354 { 0x1A, "unknown-0x1A" },
8355 { 0x1B, "unknown-0x1B" },
8356 { 0x1C, "unknown-0x1C" },
8357 { 0x1D, "unknown-0x1D" },
8358 { 0x1E, "unknown-0x1E" },
8359 { 0x1F, "unknown-0x1F" },
8360 { 0x20, "unknown-0x20" },
8361 { 0x21, "unknown-0x21" },
8362 { 0x22, "unknown-0x22" },
8363 { 0x23, "unknown-0x23" },
8364 { 0x24, "unknown-0x24" },
8365 { 0x25, "unknown-0x25" },
8366 { 0x26, "unknown-0x26" },
8367 { 0x27, "unknown-0x27" },
8368 { 0x28, "unknown-0x28" },
8369 { 0x29, "unknown-0x29" },
8370 { 0x2A, "unknown-0x2A" },
8371 { 0x2B, "unknown-0x2B" },
8372 { 0x2C, "unknown-0x2C" },
8373 { 0x2D, "unknown-0x2D" },
8374 { 0x2E, "unknown-0x2E" },
8375 { 0x2F, "unknown-0x2F" },
8376 { 0x30, "unknown-0x30" },
8377 { 0x31, "unknown-0x31" },
8378 { 0x32, "unknown-0x32" },
8379 { 0x33, "unknown-0x33" },
8380 { 0x34, "unknown-0x34" },
8381 { 0x35, "unknown-0x35" },
8382 { 0x36, "unknown-0x36" },
8383 { 0x37, "unknown-0x37" },
8384 { 0x38, "unknown-0x38" },
8385 { 0x39, "unknown-0x39" },
8386 { 0x3A, "unknown-0x3A" },
8387 { 0x3B, "unknown-0x3B" },
8388 { 0x3C, "unknown-0x3C" },
8389 { 0x3D, "unknown-0x3D" },
8390 { 0x3E, "unknown-0x3E" },
8391 { 0x3F, "unknown-0x3F" },
8392 { 0x40, "unknown-0x40" },
8393 { 0x41, "unknown-0x41" },
8394 { 0x42, "unknown-0x42" },
8395 { 0x43, "unknown-0x43" },
8396 { 0x44, "unknown-0x44" },
8397 { 0x45, "unknown-0x45" },
8398 { 0x46, "unknown-0x46" },
8399 { 0x47, "unknown-0x47" },
8400 { 0x48, "unknown-0x48" },
8401 { 0x49, "unknown-0x49" },
8402 { 0x4A, "unknown-0x4A" },
8403 { 0x4B, "unknown-0x4B" },
8404 { 0x4C, "unknown-0x4C" },
8405 { 0x4D, "unknown-0x4D" },
8406 { 0x4E, "unknown-0x4E" },
8407 { 0x4F, "unknown-0x4F" },
8408 { 0x50, "unknown-0x50" },
8409 { 0x51, "unknown-0x51" },
8410 { 0x52, "unknown-0x52" },
8411 { 0x53, "unknown-0x53" },
8412 { 0x54, "unknown-0x54" },
8413 { 0x55, "unknown-0x55" },
8414 { 0x56, "unknown-0x56" },
8415 { 0x57, "unknown-0x57" },
8416 { 0x58, "unknown-0x58" },
8417 { 0x59, "unknown-0x59" },
8418 { 0x5A, "unknown-0x5A" },
8419 { 0x5B, "unknown-0x5B" },
8420 { 0x5C, "unknown-0x5C" },
8421 { 0x5D, "unknown-0x5D" },
8422 { 0x5E, "unknown-0x5E" },
8423 { 0x5F, "unknown-0x5F" },
8424 { 0x60, "unknown-0x60" },
8425 { 0x61, "unknown-0x61" },
8426 { 0x62, "unknown-0x62" },
8427 { 0x63, "unknown-0x63" },
8428 { 0x64, "unknown-0x64" },
8429 { 0x65, "unknown-0x65" },
8430 { 0x66, "unknown-0x66" },
8431 { 0x67, "unknown-0x67" },
8432 { 0x68, "unknown-0x68" },
8433 { 0x69, "unknown-0x69" },
8434 { 0x6A, "unknown-0x6A" },
8435 { 0x6B, "unknown-0x6B" },
8436 { 0x6C, "unknown-0x6C" },
8437 { 0x6D, "unknown-0x6D" },
8438 { 0x6E, "unknown-0x6E" },
8439 { 0x6F, "unknown-0x6F" },
8440 { 0x70, "unknown-0x70" },
8441 { 0x71, "unknown-0x71" },
8442 { 0x72, "unknown-0x72" },
8443 { 0x73, "unknown-0x73" },
8444 { 0x74, "unknown-0x74" },
8445 { 0x75, "unknown-0x75" },
8446 { 0x76, "unknown-0x76" },
8447 { 0x77, "unknown-0x77" },
8448 { 0x78, "unknown-0x78" },
8449 { 0x79, "unknown-0x79" },
8450 { 0x7A, "unknown-0x7A" },
8451 { 0x7B, "unknown-0x7B" },
8452 { 0x7C, "unknown-0x7C" },
8453 { 0x7D, "unknown-0x7D" },
8454 { 0x7E, "unknown-0x7E" },
8455 { 0x7F, "unknown-0x7F" },
8456 { 0x80, "unknown-0x80" },
8457 { 0x81, "unknown-0x81" },
8458 { 0x82, "unknown-0x82" },
8459 { 0x83, "unknown-0x83" },
8460 { 0x84, "unknown-0x84" },
8461 { 0x85, "unknown-0x85" },
8462 { 0x86, "unknown-0x86" },
8463 { 0x87, "unknown-0x87" },
8464 { 0x88, "unknown-0x88" },
8465 { 0x89, "unknown-0x89" },
8466 { 0x8A, "unknown-0x8A" },
8467 { 0x8B, "unknown-0x8B" },
8468 { 0x8C, "unknown-0x8C" },
8469 { 0x8D, "unknown-0x8D" },
8470 { 0x8E, "unknown-0x8E" },
8471 { 0x8F, "unknown-0x8F" },
8472 { 0x90, "unknown-0x90" },
8473 { 0x91, "unknown-0x91" },
8474 { 0x92, "unknown-0x92" },
8475 { 0x93, "unknown-0x93" },
8476 { 0x94, "unknown-0x94" },
8477 { 0x95, "unknown-0x95" },
8478 { 0x96, "unknown-0x96" },
8479 { 0x97, "unknown-0x97" },
8480 { 0x98, "unknown-0x98" },
8481 { 0x99, "unknown-0x99" },
8482 { 0x9A, "unknown-0x9A" },
8483 { 0x9B, "unknown-0x9B" },
8484 { 0x9C, "unknown-0x9C" },
8485 { 0x9D, "unknown-0x9D" },
8486 { 0x9E, "unknown-0x9E" },
8487 { 0x9F, "unknown-0x9F" },
8488 { 0xA0, "unknown-0xA0" },
8489 { 0xA1, "unknown-0xA1" },
8490 { 0xA2, "unknown-0xA2" },
8491 { 0xA3, "unknown-0xA3" },
8492 { 0xA4, "unknown-0xA4" },
8493 { 0xA5, "unknown-0xA5" },
8494 { 0xA6, "unknown-0xA6" },
8495 { 0xA7, "unknown-0xA7" },
8496 { 0xA8, "unknown-0xA8" },
8497 { 0xA9, "unknown-0xA9" },
8498 { 0xAA, "unknown-0xAA" },
8499 { 0xAB, "unknown-0xAB" },
8500 { 0xAC, "unknown-0xAC" },
8501 { 0xAD, "unknown-0xAD" },
8502 { 0xAE, "unknown-0xAE" },
8503 { 0xAF, "unknown-0xAF" },
8504 { 0xB0, "unknown-0xB0" },
8505 { 0xB1, "unknown-0xB1" },
8506 { 0xB2, "unknown-0xB2" },
8507 { 0xB3, "unknown-0xB3" },
8508 { 0xB4, "unknown-0xB4" },
8509 { 0xB5, "unknown-0xB5" },
8510 { 0xB6, "unknown-0xB6" },
8511 { 0xB7, "unknown-0xB7" },
8512 { 0xB8, "unknown-0xB8" },
8513 { 0xB9, "unknown-0xB9" },
8514 { 0xBA, "unknown-0xBA" },
8515 { 0xBB, "unknown-0xBB" },
8516 { 0xBC, "unknown-0xBC" },
8517 { 0xBD, "unknown-0xBD" },
8518 { 0xBE, "unknown-0xBE" },
8519 { 0xBF, "unknown-0xBF" },
8520 { 0xC0, "unknown-0xC0" },
8521 { 0xC1, "unknown-0xC1" },
8522 { 0xC2, "unknown-0xC2" },
8523 { 0xC3, "unknown-0xC3" },
8524 { 0xC4, "unknown-0xC4" },
8525 { 0xC5, "unknown-0xC5" },
8526 { 0xC6, "unknown-0xC6" },
8527 { 0xC7, "unknown-0xC7" },
8528 { 0xC8, "unknown-0xC8" },
8529 { 0xC9, "unknown-0xC9" },
8530 { 0xCA, "unknown-0xCA" },
8531 { 0xCB, "unknown-0xCB" },
8532 { 0xCC, "unknown-0xCC" },
8533 { 0xCD, "unknown-0xCD" },
8534 { 0xCE, "unknown-0xCE" },
8535 { 0xCF, "unknown-0xCF" },
8536 { 0xD0, "unknown-0xD0" },
8537 { 0xD1, "unknown-0xD1" },
8538 { 0xD2, "unknown-0xD2" },
8539 { 0xD3, "unknown-0xD3" },
8540 { 0xD4, "unknown-0xD4" },
8541 { 0xD5, "unknown-0xD5" },
8542 { 0xD6, "unknown-0xD6" },
8543 { 0xD7, "unknown-0xD7" },
8544 { 0xD8, "unknown-0xD8" },
8545 { 0xD9, "unknown-0xD9" },
8546 { 0xDA, "unknown-0xDA" },
8547 { 0xDB, "unknown-0xDB" },
8548 { 0xDC, "unknown-0xDC" },
8549 { 0xDD, "unknown-0xDD" },
8550 { 0xDE, "unknown-0xDE" },
8551 { 0xDF, "unknown-0xDF" },
8552 { 0xE0, "unknown-0xE0" },
8553 { 0xE1, "unknown-0xE1" },
8554 { 0xE2, "unknown-0xE2" },
8555 { 0xE3, "unknown-0xE3" },
8556 { 0xE4, "unknown-0xE4" },
8557 { 0xE5, "unknown-0xE5" },
8558 { 0xE6, "unknown-0xE6" },
8559 { 0xE7, "unknown-0xE7" },
8560 { 0xE8, "unknown-0xE8" },
8561 { 0xE9, "unknown-0xE9" },
8562 { 0xEA, "unknown-0xEA" },
8563 { 0xEB, "unknown-0xEB" },
8564 { 0xEC, "unknown-0xEC" },
8565 { 0xED, "unknown-0xED" },
8566 { 0xEE, "unknown-0xEE" },
8567 { 0xEF, "unknown-0xEF" },
8568 { 0xF0, "unknown-0xF0" },
8569 { 0xF1, "unknown-0xF1" },
8570 { 0xF2, "unknown-0xF2" },
8571 { 0xF3, "unknown-0xF3" },
8572 { 0xF4, "unknown-0xF4" },
8573 { 0xF5, "unknown-0xF5" },
8574 { 0xF6, "unknown-0xF6" },
8575 { 0xF7, "unknown-0xF7" },
8576 { 0xF8, "unknown-0xF8" },
8577 { 0xF9, "unknown-0xF9" },
8578 { 0xFA, "unknown-0xFA" },
8579 { 0xFB, "unknown-0xFB" },
8580 { 0xFC, "unknown-0xFC" },
8581 { 0xFD, "unknown-0xFD" },
8582 { 0xFE, "unknown-0xFE" },
8583 { 0xFF, "unknown-0xFF" },
8586 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Map an SMB2 command code to its display name.
 *
 * Codes above 0xFF yield "unknown". Anything else is looked up by array
 * position in smb2_cmd_vals, not by the entry's value field, so this
 * relies on the table holding one entry per code from 0x00 to 0xFF in
 * ascending order; a missing or reordered row would shift every name
 * after it.
 */
static const char *decode_smb2_name(guint16 cmd)
{
	const char *name = "unknown";

	if (cmd <= 0xFF) {
		name = smb2_cmd_vals[cmd & 0xFF].strptr;
	}

	return name;
}
8594 static smb2_function smb2_dissector[256] = {
8595 /* 0x00 NegotiateProtocol*/
8596 {dissect_smb2_negotiate_protocol_request,
8597 dissect_smb2_negotiate_protocol_response},
8598 /* 0x01 SessionSetup*/
8599 {dissect_smb2_session_setup_request,
8600 dissect_smb2_session_setup_response},
8601 /* 0x02 SessionLogoff*/
8602 {dissect_smb2_sessionlogoff_request,
8603 dissect_smb2_sessionlogoff_response},
8604 /* 0x03 TreeConnect*/
8605 {dissect_smb2_tree_connect_request,
8606 dissect_smb2_tree_connect_response},
8607 /* 0x04 TreeDisconnect*/
8608 {dissect_smb2_tree_disconnect_request,
8609 dissect_smb2_tree_disconnect_response},
8611 {dissect_smb2_create_request,
8612 dissect_smb2_create_response},
8614 {dissect_smb2_close_request,
8615 dissect_smb2_close_response},
8617 {dissect_smb2_flush_request,
8618 dissect_smb2_flush_response},
8620 {dissect_smb2_read_request,
8621 dissect_smb2_read_response},
8623 {dissect_smb2_write_request,
8624 dissect_smb2_write_response},
8626 {dissect_smb2_lock_request,
8627 dissect_smb2_lock_response},
8629 {dissect_smb2_ioctl_request,
8630 dissect_smb2_ioctl_response},
8632 {dissect_smb2_cancel_request,
8635 {dissect_smb2_keepalive_request,
8636 dissect_smb2_keepalive_response},
8638 {dissect_smb2_find_request,
8639 dissect_smb2_find_response},
8641 {dissect_smb2_notify_request,
8642 dissect_smb2_notify_response},
8644 {dissect_smb2_getinfo_request,
8645 dissect_smb2_getinfo_response},
8647 {dissect_smb2_setinfo_request,
8648 dissect_smb2_setinfo_response},
8650 {dissect_smb2_break_request,
8651 dissect_smb2_break_response},
8652 /* 0x13 */ {NULL, NULL},
8653 /* 0x14 */ {NULL, NULL},
8654 /* 0x15 */ {NULL, NULL},
8655 /* 0x16 */ {NULL, NULL},
8656 /* 0x17 */ {NULL, NULL},
8657 /* 0x18 */ {NULL, NULL},
8658 /* 0x19 */ {NULL, NULL},
8659 /* 0x1a */ {NULL, NULL},
8660 /* 0x1b */ {NULL, NULL},
8661 /* 0x1c */ {NULL, NULL},
8662 /* 0x1d */ {NULL, NULL},
8663 /* 0x1e */ {NULL, NULL},
8664 /* 0x1f */ {NULL, NULL},
8665 /* 0x20 */ {NULL, NULL},
8666 /* 0x21 */ {NULL, NULL},
8667 /* 0x22 */ {NULL, NULL},
8668 /* 0x23 */ {NULL, NULL},
8669 /* 0x24 */ {NULL, NULL},
8670 /* 0x25 */ {NULL, NULL},
8671 /* 0x26 */ {NULL, NULL},
8672 /* 0x27 */ {NULL, NULL},
8673 /* 0x28 */ {NULL, NULL},
8674 /* 0x29 */ {NULL, NULL},
8675 /* 0x2a */ {NULL, NULL},
8676 /* 0x2b */ {NULL, NULL},
8677 /* 0x2c */ {NULL, NULL},
8678 /* 0x2d */ {NULL, NULL},
8679 /* 0x2e */ {NULL, NULL},
8680 /* 0x2f */ {NULL, NULL},
8681 /* 0x30 */ {NULL, NULL},
8682 /* 0x31 */ {NULL, NULL},
8683 /* 0x32 */ {NULL, NULL},
8684 /* 0x33 */ {NULL, NULL},
8685 /* 0x34 */ {NULL, NULL},
8686 /* 0x35 */ {NULL, NULL},
8687 /* 0x36 */ {NULL, NULL},
8688 /* 0x37 */ {NULL, NULL},
8689 /* 0x38 */ {NULL, NULL},
8690 /* 0x39 */ {NULL, NULL},
8691 /* 0x3a */ {NULL, NULL},
8692 /* 0x3b */ {NULL, NULL},
8693 /* 0x3c */ {NULL, NULL},
8694 /* 0x3d */ {NULL, NULL},
8695 /* 0x3e */ {NULL, NULL},
8696 /* 0x3f */ {NULL, NULL},
8697 /* 0x40 */ {NULL, NULL},
8698 /* 0x41 */ {NULL, NULL},
8699 /* 0x42 */ {NULL, NULL},
8700 /* 0x43 */ {NULL, NULL},
8701 /* 0x44 */ {NULL, NULL},
8702 /* 0x45 */ {NULL, NULL},
8703 /* 0x46 */ {NULL, NULL},
8704 /* 0x47 */ {NULL, NULL},
8705 /* 0x48 */ {NULL, NULL},
8706 /* 0x49 */ {NULL, NULL},
8707 /* 0x4a */ {NULL, NULL},
8708 /* 0x4b */ {NULL, NULL},
8709 /* 0x4c */ {NULL, NULL},
8710 /* 0x4d */ {NULL, NULL},
8711 /* 0x4e */ {NULL, NULL},
8712 /* 0x4f */ {NULL, NULL},
8713 /* 0x50 */ {NULL, NULL},
8714 /* 0x51 */ {NULL, NULL},
8715 /* 0x52 */ {NULL, NULL},
8716 /* 0x53 */ {NULL, NULL},
8717 /* 0x54 */ {NULL, NULL},
8718 /* 0x55 */ {NULL, NULL},
8719 /* 0x56 */ {NULL, NULL},
8720 /* 0x57 */ {NULL, NULL},
8721 /* 0x58 */ {NULL, NULL},
8722 /* 0x59 */ {NULL, NULL},
8723 /* 0x5a */ {NULL, NULL},
8724 /* 0x5b */ {NULL, NULL},
8725 /* 0x5c */ {NULL, NULL},
8726 /* 0x5d */ {NULL, NULL},
8727 /* 0x5e */ {NULL, NULL},
8728 /* 0x5f */ {NULL, NULL},
8729 /* 0x60 */ {NULL, NULL},
8730 /* 0x61 */ {NULL, NULL},
8731 /* 0x62 */ {NULL, NULL},
8732 /* 0x63 */ {NULL, NULL},
8733 /* 0x64 */ {NULL, NULL},
8734 /* 0x65 */ {NULL, NULL},
8735 /* 0x66 */ {NULL, NULL},
8736 /* 0x67 */ {NULL, NULL},
8737 /* 0x68 */ {NULL, NULL},
8738 /* 0x69 */ {NULL, NULL},
8739 /* 0x6a */ {NULL, NULL},
8740 /* 0x6b */ {NULL, NULL},
8741 /* 0x6c */ {NULL, NULL},
8742 /* 0x6d */ {NULL, NULL},
8743 /* 0x6e */ {NULL, NULL},
8744 /* 0x6f */ {NULL, NULL},
8745 /* 0x70 */ {NULL, NULL},
8746 /* 0x71 */ {NULL, NULL},
8747 /* 0x72 */ {NULL, NULL},
8748 /* 0x73 */ {NULL, NULL},
8749 /* 0x74 */ {NULL, NULL},
8750 /* 0x75 */ {NULL, NULL},
8751 /* 0x76 */ {NULL, NULL},
8752 /* 0x77 */ {NULL, NULL},
8753 /* 0x78 */ {NULL, NULL},
8754 /* 0x79 */ {NULL, NULL},
8755 /* 0x7a */ {NULL, NULL},
8756 /* 0x7b */ {NULL, NULL},
8757 /* 0x7c */ {NULL, NULL},
8758 /* 0x7d */ {NULL, NULL},
8759 /* 0x7e */ {NULL, NULL},
8760 /* 0x7f */ {NULL, NULL},
8761 /* 0x80 */ {NULL, NULL},
8762 /* 0x81 */ {NULL, NULL},
8763 /* 0x82 */ {NULL, NULL},
8764 /* 0x83 */ {NULL, NULL},
8765 /* 0x84 */ {NULL, NULL},
8766 /* 0x85 */ {NULL, NULL},
8767 /* 0x86 */ {NULL, NULL},
8768 /* 0x87 */ {NULL, NULL},
8769 /* 0x88 */ {NULL, NULL},
8770 /* 0x89 */ {NULL, NULL},
8771 /* 0x8a */ {NULL, NULL},
8772 /* 0x8b */ {NULL, NULL},
8773 /* 0x8c */ {NULL, NULL},
8774 /* 0x8d */ {NULL, NULL},
8775 /* 0x8e */ {NULL, NULL},
8776 /* 0x8f */ {NULL, NULL},
8777 /* 0x90 */ {NULL, NULL},
8778 /* 0x91 */ {NULL, NULL},
8779 /* 0x92 */ {NULL, NULL},
8780 /* 0x93 */ {NULL, NULL},
8781 /* 0x94 */ {NULL, NULL},
8782 /* 0x95 */ {NULL, NULL},
8783 /* 0x96 */ {NULL, NULL},
8784 /* 0x97 */ {NULL, NULL},
8785 /* 0x98 */ {NULL, NULL},
8786 /* 0x99 */ {NULL, NULL},
8787 /* 0x9a */ {NULL, NULL},
8788 /* 0x9b */ {NULL, NULL},
8789 /* 0x9c */ {NULL, NULL},
8790 /* 0x9d */ {NULL, NULL},
8791 /* 0x9e */ {NULL, NULL},
8792 /* 0x9f */ {NULL, NULL},
8793 /* 0xa0 */ {NULL, NULL},
8794 /* 0xa1 */ {NULL, NULL},
8795 /* 0xa2 */ {NULL, NULL},
8796 /* 0xa3 */ {NULL, NULL},
8797 /* 0xa4 */ {NULL, NULL},
8798 /* 0xa5 */ {NULL, NULL},
8799 /* 0xa6 */ {NULL, NULL},
8800 /* 0xa7 */ {NULL, NULL},
8801 /* 0xa8 */ {NULL, NULL},
8802 /* 0xa9 */ {NULL, NULL},
8803 /* 0xaa */ {NULL, NULL},
8804 /* 0xab */ {NULL, NULL},
8805 /* 0xac */ {NULL, NULL},
8806 /* 0xad */ {NULL, NULL},
8807 /* 0xae */ {NULL, NULL},
8808 /* 0xaf */ {NULL, NULL},
8809 /* 0xb0 */ {NULL, NULL},
8810 /* 0xb1 */ {NULL, NULL},
8811 /* 0xb2 */ {NULL, NULL},
8812 /* 0xb3 */ {NULL, NULL},
8813 /* 0xb4 */ {NULL, NULL},
8814 /* 0xb5 */ {NULL, NULL},
8815 /* 0xb6 */ {NULL, NULL},
8816 /* 0xb7 */ {NULL, NULL},
8817 /* 0xb8 */ {NULL, NULL},
8818 /* 0xb9 */ {NULL, NULL},
8819 /* 0xba */ {NULL, NULL},
8820 /* 0xbb */ {NULL, NULL},
8821 /* 0xbc */ {NULL, NULL},
8822 /* 0xbd */ {NULL, NULL},
8823 /* 0xbe */ {NULL, NULL},
8824 /* 0xbf */ {NULL, NULL},
8825 /* 0xc0 */ {NULL, NULL},
8826 /* 0xc1 */ {NULL, NULL},
8827 /* 0xc2 */ {NULL, NULL},
8828 /* 0xc3 */ {NULL, NULL},
8829 /* 0xc4 */ {NULL, NULL},
8830 /* 0xc5 */ {NULL, NULL},
8831 /* 0xc6 */ {NULL, NULL},
8832 /* 0xc7 */ {NULL, NULL},
8833 /* 0xc8 */ {NULL, NULL},
8834 /* 0xc9 */ {NULL, NULL},
8835 /* 0xca */ {NULL, NULL},
8836 /* 0xcb */ {NULL, NULL},
8837 /* 0xcc */ {NULL, NULL},
8838 /* 0xcd */ {NULL, NULL},
8839 /* 0xce */ {NULL, NULL},
8840 /* 0xcf */ {NULL, NULL},
8841 /* 0xd0 */ {NULL, NULL},
8842 /* 0xd1 */ {NULL, NULL},
8843 /* 0xd2 */ {NULL, NULL},
8844 /* 0xd3 */ {NULL, NULL},
8845 /* 0xd4 */ {NULL, NULL},
8846 /* 0xd5 */ {NULL, NULL},
8847 /* 0xd6 */ {NULL, NULL},
8848 /* 0xd7 */ {NULL, NULL},
8849 /* 0xd8 */ {NULL, NULL},
8850 /* 0xd9 */ {NULL, NULL},
8851 /* 0xda */ {NULL, NULL},
8852 /* 0xdb */ {NULL, NULL},
8853 /* 0xdc */ {NULL, NULL},
8854 /* 0xdd */ {NULL, NULL},
8855 /* 0xde */ {NULL, NULL},
8856 /* 0xdf */ {NULL, NULL},
8857 /* 0xe0 */ {NULL, NULL},
8858 /* 0xe1 */ {NULL, NULL},
8859 /* 0xe2 */ {NULL, NULL},
8860 /* 0xe3 */ {NULL, NULL},
8861 /* 0xe4 */ {NULL, NULL},
8862 /* 0xe5 */ {NULL, NULL},
8863 /* 0xe6 */ {NULL, NULL},
8864 /* 0xe7 */ {NULL, NULL},
8865 /* 0xe8 */ {NULL, NULL},
8866 /* 0xe9 */ {NULL, NULL},
8867 /* 0xea */ {NULL, NULL},
8868 /* 0xeb */ {NULL, NULL},
8869 /* 0xec */ {NULL, NULL},
8870 /* 0xed */ {NULL, NULL},
8871 /* 0xee */ {NULL, NULL},
8872 /* 0xef */ {NULL, NULL},
8873 /* 0xf0 */ {NULL, NULL},
8874 /* 0xf1 */ {NULL, NULL},
8875 /* 0xf2 */ {NULL, NULL},
8876 /* 0xf3 */ {NULL, NULL},
8877 /* 0xf4 */ {NULL, NULL},
8878 /* 0xf5 */ {NULL, NULL},
8879 /* 0xf6 */ {NULL, NULL},
8880 /* 0xf7 */ {NULL, NULL},
8881 /* 0xf8 */ {NULL, NULL},
8882 /* 0xf9 */ {NULL, NULL},
8883 /* 0xfa */ {NULL, NULL},
8884 /* 0xfb */ {NULL, NULL},
8885 /* 0xfc */ {NULL, NULL},
8886 /* 0xfd */ {NULL, NULL},
8887 /* 0xfe */ {NULL, NULL},
8888 /* 0xff */ {NULL, NULL},
/* Encryption-algorithm identifier. dissect_smb2_transform_header() compares
 * it against sti->alg (read from the transform header) before it attempts
 * any decryption. */
8892 #define ENC_ALG_aes128_ccm 0x0001
/*
 * Dissect the SMB2 transform (encryption) header and, when a session key is
 * known, decrypt the payload that follows it.
 *
 * Fields added to the tree, in order: signature (16 bytes), nonce (16 bytes,
 * also copied into sti->nonce), message size (4 bytes, stored in sti->size),
 * reserved (2 bytes), encryption algorithm (2 bytes, stored in sti->alg) and
 * session id (8 bytes, stored in sti->sesid).
 *
 * pinfo     - packet info; destport picks the key direction and the
 *             decrypted copy is allocated from pinfo->pool.
 * tree      - tree the header fields are added to.
 * tvb       - buffer holding the transform header and encrypted payload.
 * offset    - current position in tvb. NOTE(review): the lines that advance
 *             it between fields are not part of this listing.
 * sti       - transform state filled in here (nonce, size, alg, sesid,
 *             session).
 * enc_tvb   - out: subset of tvb covering sti->size bytes of ciphertext.
 * plain_tvb - out: set only when decryption produced plain_data.
 *
 * Security notes for reviewers:
 *  - sti->size comes straight from the capture and is reused as the length
 *    for tvb_memdup(), gcry_cipher_encrypt() and both sub-tvbs; the only
 *    bounds enforcement visible here is whatever those tvb calls perform.
 *  - Only AES-128 in CTR mode is run; nothing in the visible lines checks
 *    the 16-byte signature against the decrypted data, so the plaintext
 *    handed to the next dissector is unauthenticated.
 */
8895 dissect_smb2_transform_header(packet_info *pinfo, proto_tree *tree,
8896 tvbuff_t *tvb, int offset,
8897 smb2_transform_info_t *sti,
8898 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
8900 proto_item *sesid_item = NULL;
8901 proto_tree *sesid_tree = NULL;
8902 smb2_sesid_info_t sesid_key;
8904 guint8 *plain_data = NULL;
8905 guint8 *decryption_key = NULL;
8908 static const int *sf_fields[] = {
8909 &hf_smb2_encryption_aes128_ccm,
8917 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
8921 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
8922 tvb_memcpy(tvb, sti->nonce, offset, 16);
/* The message size is read from the wire and trusted as a length below. */
8926 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8927 sti->size = tvb_get_letohl(tvb, offset);
8931 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
8935 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_enc_alg, ett_smb2_transform_enc_alg, sf_fields, ENC_LITTLE_ENDIAN);
8936 sti->alg = tvb_get_letohs(tvb, offset);
8940 sesid_offset = offset;
8941 sti->sesid = tvb_get_letoh64(tvb, offset);
8942 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8943 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
8946 /* now we need to first lookup the uid session */
8947 sesid_key.sesid = sti->sesid;
8948 sti->session = (smb2_sesid_info_t *)g_hash_table_lookup(sti->conv->sesids, &sesid_key);
/* Session details are shown only for sessions whose auth_frame is set. */
8950 if (sti->session != NULL && sti->session->auth_frame != (guint32)-1) {
8951 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, sti->session->acct_name);
8952 PROTO_ITEM_SET_GENERATED(item);
8953 proto_item_append_text(sesid_item, " Acct:%s", sti->session->acct_name);
8955 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, sti->session->domain_name);
8956 PROTO_ITEM_SET_GENERATED(item);
8957 proto_item_append_text(sesid_item, " Domain:%s", sti->session->domain_name);
8959 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, sti->session->host_name);
8960 PROTO_ITEM_SET_GENERATED(item);
8961 proto_item_append_text(sesid_item, " Host:%s", sti->session->host_name);
8963 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, sti->session->auth_frame);
8964 PROTO_ITEM_SET_GENERATED(item);
/* Key direction: a packet whose destination port equals the session's
 * server_port uses server_decryption_key; the other key assignment below is
 * presumably the else branch (its brace line is missing from the listing). */
8967 if (sti->session != NULL && sti->alg == ENC_ALG_aes128_ccm) {
8968 if (pinfo->destport == sti->session->server_port) {
8969 decryption_key = sti->session->server_decryption_key;
8971 decryption_key = sti->session->client_decryption_key;
/* A key equal to `zeros` (presumably an all-zero buffer; its declaration is
 * not visible here) is treated as "no key available". */
8974 if (memcmp(decryption_key, zeros, NTLMSSP_KEY_LEN) == 0) {
8975 decryption_key = NULL;
8979 if (decryption_key != NULL) {
8980 gcry_cipher_hd_t cipher_hd = NULL;
/* Counter block for CTR mode: first byte 3, last byte 1, and bytes 1..11
 * overwritten with the first 11 bytes of the nonce (15 - 4). This looks like
 * the AES-CCM A_1 counter block for a 4-byte length field - confirm against
 * the SMB3 specification. */
8981 guint8 A_1[NTLMSSP_KEY_LEN] = {
8982 3, 0, 0, 0, 0, 0, 0, 0,
8983 0, 0, 0, 0, 0, 0, 0, 1
8986 memcpy(&A_1[1], sti->nonce, 15 - 4);
/* Private copy of the ciphertext, decrypted in place further down. The copy
 * length is the wire-supplied sti->size; tvb_memdup() is expected to reject
 * a range that runs past the buffer - confirm. */
8988 plain_data = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, sti->size);
8990 /* Open the cipher. */
8991 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
/* NOTE(review): each error path frees plain_data and jumps to
 * done_decryption. The listing skips one line after every wmem_free(); the
 * later "plain_data != NULL" test is only safe if that line resets
 * plain_data to NULL - confirm against the full file. */
8992 wmem_free(pinfo->pool, plain_data);
8994 goto done_decryption;
8997 /* Set the key and initial value. */
8998 if (gcry_cipher_setkey(cipher_hd, decryption_key, NTLMSSP_KEY_LEN)) {
8999 gcry_cipher_close(cipher_hd);
9000 wmem_free(pinfo->pool, plain_data);
9002 goto done_decryption;
9004 if (gcry_cipher_setctr(cipher_hd, A_1, NTLMSSP_KEY_LEN)) {
9005 gcry_cipher_close(cipher_hd);
9006 wmem_free(pinfo->pool, plain_data);
9008 goto done_decryption;
/* In-place call (input buffer NULL): in CTR mode the encrypt operation is
 * also the decrypt operation. No tag or signature check follows in the
 * visible lines. */
9011 if (gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0)) {
9012 gcry_cipher_close(cipher_hd);
9013 wmem_free(pinfo->pool, plain_data);
9015 goto done_decryption;
9018 /* Done with the cipher. */
9019 gcry_cipher_close(cipher_hd);
/* The ciphertext view is always created; the plaintext view and its
 * "Decrypted SMB3" data source exist only when plain_data is set. */
9022 *enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);
9024 if (plain_data != NULL) {
9025 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
9026 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
/* NOTE(review): offset is an int advanced by the wire-supplied size; this
 * relies on the tvb calls above having rejected an oversized value. */
9029 offset += sti->size;
/*
 * Dissect the command body that follows the SMB2 header.
 *
 * Opens a subtree labelled "<name> Request|Response (0x..)", picks the
 * request or response handler for si->opcode from smb2_dissector[] and calls
 * it. When the table entry is NULL the remaining bytes are added as
 * hf_smb2_unknown and offset jumps to the captured length. The subtree item
 * length is then set to the number of bytes consumed (offset - old_offset).
 */
9034 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
9036 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
9037 proto_item *cmd_item;
9038 proto_tree *cmd_tree;
9039 int old_offset = offset;
9041 cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
9042 ett_smb2_command, &cmd_item, "%s %s (0x%02x)",
9043 decode_smb2_name(si->opcode),
9044 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
/* The & 0xff mask is the only bound on the table index. si->opcode is read
 * from the wire as a 16-bit value in dissect_smb2(), so an opcode above 0xff
 * is dispatched to the handler of its low byte rather than shown as
 * unknown. */
9047 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
9048 smb2_dissector[si->opcode&0xff].response:
9049 smb2_dissector[si->opcode&0xff].request;
9050 if (cmd_dissector) {
9051 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
9053 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
9054 offset = tvb_captured_length(tvb);
9057 proto_item_set_len(cmd_item, offset-old_offset);
/*
 * Dissect the id fields of the SMB2 header and attach session/tree context
 * to si.
 *
 * With SMB2_FLAGS_ASYNC_CMD set an 8-byte async id is added; otherwise a
 * 4-byte process id and a 4-byte tree id (stored in si->tid). The 8-byte
 * session id follows (stored in si->sesid) and is looked up in
 * si->conv->sesids.
 *
 * A new smb2_sesid_info_t is allocated from wmem_file_scope() with
 * auth_frame set to (guint32)-1, given a fresh tids hash table and a
 * server_port derived from the response flag, then inserted into
 * si->conv->sesids. Session keys are set when seskey_find_sid_key() finds
 * one for the session id.
 * NOTE(review): the guards around that allocation (the "session not found"
 * test and the exit taken when si->opcode != 0x03) sit on lines missing
 * from this listing - confirm them against the full file, because the code
 * after it dereferences si->session unconditionally.
 * NOTE(review): these allocations are driven by ids read from the capture
 * and live for the whole file; whether the per-session tids table is ever
 * destroyed is not visible here.
 *
 * When auth_frame is not (guint32)-1, generated account, domain, host and
 * auth-frame items are added under the session id. For non-async PDUs the
 * tree id is looked up in si->session->tids; if found, generated tree name,
 * share type and connect frame items are added, otherwise the function
 * returns offset early.
 */
9063 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
9065 proto_item *tid_item = NULL;
9066 proto_tree *tid_tree = NULL;
9067 smb2_tid_info_t tid_key;
9069 proto_item *sesid_item = NULL;
9070 proto_tree *sesid_tree = NULL;
9071 smb2_sesid_info_t sesid_key;
9076 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
9077 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9081 proto_tree_add_item(tree, hf_smb2_pid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9085 tid_offset = offset;
9086 si->tid = tvb_get_letohl(tvb, offset);
9087 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9088 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
9093 sesid_offset = offset;
9094 si->sesid = tvb_get_letoh64(tvb, offset);
9095 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9096 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
9099 /* now we need to first lookup the uid session */
9100 sesid_key.sesid = si->sesid;
9101 si->session = (smb2_sesid_info_t *)g_hash_table_lookup(si->conv->sesids, &sesid_key);
9103 guint8 seskey[NTLMSSP_KEY_LEN] = {0, };
9105 if (si->opcode != 0x03)
9109 /* if we come to a session that is unknown, and the operation is
9110 * a tree connect, we create a dummy sessison, so we can hang the
9113 si->session = wmem_new0(wmem_file_scope(), smb2_sesid_info_t);
9114 si->session->sesid = si->sesid;
9115 si->session->auth_frame = (guint32)-1;
9116 si->session->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
9117 if (si->flags & SMB2_FLAGS_RESPONSE) {
9118 si->session->server_port = pinfo->srcport;
9120 si->session->server_port = pinfo->destport;
9122 if (seskey_find_sid_key(si->sesid, seskey)) {
9123 smb2_set_session_keys(si->session, seskey);
9126 g_hash_table_insert(si->conv->sesids, si->session, si->session);
9131 if (si->session->auth_frame != (guint32)-1) {
9132 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, si->session->acct_name);
9133 PROTO_ITEM_SET_GENERATED(item);
9134 proto_item_append_text(sesid_item, " Acct:%s", si->session->acct_name);
9136 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, si->session->domain_name);
9137 PROTO_ITEM_SET_GENERATED(item);
9138 proto_item_append_text(sesid_item, " Domain:%s", si->session->domain_name);
9140 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, si->session->host_name);
9141 PROTO_ITEM_SET_GENERATED(item);
9142 proto_item_append_text(sesid_item, " Host:%s", si->session->host_name);
9144 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, si->session->auth_frame);
9145 PROTO_ITEM_SET_GENERATED(item);
9148 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
9149 /* see if we can find the name for this tid */
9150 tid_key.tid = si->tid;
9151 si->tree = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
9152 if (!si->tree) return offset;
9154 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
9155 PROTO_ITEM_SET_GENERATED(item);
9156 proto_item_append_text(tid_item, " %s", si->tree->name);
9158 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
9159 PROTO_ITEM_SET_GENERATED(item);
9161 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
9162 PROTO_ITEM_SET_GENERATED(item);
/*
 * Top-level dissector for one SMB2 PDU, plain or encrypted.
 *
 * tvb            - buffer starting at the SMB2 / transform marker.
 * pinfo          - packet info (columns, conversation, frame number).
 * parent_tree    - tree the SMB2 item is added to.
 * first_in_chain - selects between clearing the Info column and appending
 *                  ";" to it; the heuristic entry point passes TRUE, the
 *                  recursive calls below pass FALSE.
 *
 * Flow, as far as the visible lines show:
 *  1. Allocate per-packet sti/si, then fetch or create the per-conversation
 *     smb2_conv_info_t with its matched/unmatched/sesids/fids/files tables.
 *  2. A first byte of 0xfd selects the transform-header path; otherwise the
 *     regular header is decoded (flags are peeked at offset+12 first).
 *  3. Regular path: request/response matching by msg_id through the
 *     unmatched/matched tables, generated "response in/to" and time items,
 *     tap_queue_packet(), then dissect_smb2_command().
 *  4. Transform path: dissect_smb2_transform_header(), then recurse on the
 *     decrypted tvb, or show the raw encrypted bytes when there is none.
 *  5. chain_offset > 0 recurses on the remainder of tvb.
 *
 * NOTE(review): braces, else branches and several statements are absent
 * from this listing, so the exact nesting (including the NULL checks on ssi
 * before it is dereferenced) must be checked against the full file.
 */
9169 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
9171 gboolean smb2_transform_header = FALSE;
9172 proto_item *item = NULL;
9173 proto_tree *tree = NULL;
9174 proto_item *header_item = NULL;
9175 proto_tree *header_tree = NULL;
9177 int chain_offset = 0;
9178 const char *label = smb_header_label;
9179 conversation_t *conversation;
9180 smb2_saved_info_t *ssi = NULL, ssi_key;
9182 smb2_transform_info_t *sti;
9184 guint32 open_frame,close_frame;
9185 smb2_eo_file_info_t *eo_file_info;
9186 e_ctx_hnd *policy_hnd_hashtablekey;
9188 sti = wmem_new(wmem_packet_scope(), smb2_transform_info_t);
9189 si = wmem_new0(wmem_packet_scope(), smb2_info_t);
9190 si->top_tree = parent_tree;
/* 0xfd as the first byte marks an encrypted (transform) PDU. */
9192 if (tvb_get_guint8(tvb, 0) == 0xfd) {
9193 smb2_transform_header = TRUE;
9194 label = smb_transform_header_label;
9196 /* find which conversation we are part of and get the data for that
9199 conversation = find_or_create_conversation(pinfo);
9200 si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
9202 /* no smb2_into_t structure for this conversation yet,
9205 si->conv = wmem_new(wmem_file_scope(), smb2_conv_info_t);
9206 /* qqq this leaks memory for now since we never free
9208 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
9209 smb2_saved_info_equal_matched);
9210 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
9211 smb2_saved_info_equal_unmatched);
9212 si->conv->sesids = g_hash_table_new(smb2_sesid_info_hash,
9213 smb2_sesid_info_equal);
9214 si->conv->fids = g_hash_table_new(smb2_fid_info_hash,
9215 smb2_fid_info_equal);
9216 si->conv->files = g_hash_table_new(smb2_eo_files_hash,smb2_eo_files_equal);
9218 /* Bit of a hack to avoid leaking the hash tables - register a
9219 * callback to free them. Ideally wmem would implement a simple
9220 * hash table so we wouldn't have to do this. */
9221 wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
9224 conversation_add_proto_data(conversation, proto_smb2, si->conv);
9227 sti->conv = si->conv;
9229 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
9230 if (first_in_chain) {
9232 col_clear(pinfo->cinfo, COL_INFO);
9234 col_append_str(pinfo->cinfo, COL_INFO, ";");
9237 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset, -1, ENC_NA);
9238 tree = proto_item_add_subtree(item, ett_smb2);
9240 header_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_header, &header_item, label);
9242 /* Decode the header */
9244 if (!smb2_transform_header) {
9246 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2, tvb, offset, 4, ENC_NA);
9249 /* we need the flags before we know how to parse the credits field */
9250 si->flags = tvb_get_letohl(tvb, offset+12);
9253 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9256 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
9257 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9261 if (si->flags & SMB2_FLAGS_RESPONSE) {
9262 si->status = tvb_get_letohl(tvb, offset);
9263 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9267 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9269 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
9274 si->opcode = tvb_get_letohs(tvb, offset);
9275 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9279 if (si->flags & SMB2_FLAGS_RESPONSE) {
9280 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9282 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9288 static const int * flags[] = {
9289 &hf_smb2_flags_response,
9290 &hf_smb2_flags_async_cmd,
9291 &hf_smb2_flags_chained,
9292 &hf_smb2_flags_signature,
9293 &hf_smb2_flags_priority_mask,
9294 &hf_smb2_flags_dfs_op,
9295 &hf_smb2_flags_replay_operation,
9299 proto_tree_add_bitmask(header_tree, tvb, offset, hf_smb2_flags,
9300 ett_smb2_flags, flags, ENC_LITTLE_ENDIAN);
/* NOTE(review): chain_offset is read little-endian here but the field is
 * added with ENC_BIG_ENDIAN on the next line, so the displayed value can
 * differ from the one the code acts on; the other header fields use
 * ENC_LITTLE_ENDIAN. chain_offset is also an int filled from a 32-bit wire
 * value, so large values can turn negative and skip the chain_offset > 0
 * branch at the end of the function. */
9306 chain_offset = tvb_get_letohl(tvb, offset);
9307 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_BIG_ENDIAN);
9311 si->msg_id = tvb_get_letoh64(tvb, offset);
9312 ssi_key.msg_id = si->msg_id;
9313 proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9316 /* Tree ID and Session ID */
9317 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
9320 proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
9323 proto_item_set_len(header_item, offset);
9326 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
9327 decode_smb2_name(si->opcode),
9328 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
9331 pinfo->cinfo, COL_INFO, ", Error: %s",
9332 val_to_str_ext(si->status, &NT_errors_ext,
9333 "Unknown (0x%08X)"));
9337 if (!pinfo->fd->flags.visited) {
9338 /* see if we can find this msg_id in the unmatched table */
9339 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
9341 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
9342 /* This is a request */
9344 /* this is a request and we already found
9345 * an older ssi so just delete the previous
9348 g_hash_table_remove(si->conv->unmatched, ssi);
9353 /* no we couldn't find it, so just add it then
9354 * if was a request we are decoding
9356 ssi = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
9357 ssi->msg_id = ssi_key.msg_id;
9358 ssi->frame_req = pinfo->num;
9359 ssi->req_time = pinfo->abs_ts;
9360 ssi->extra_info_type = SMB2_EI_NONE;
9361 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
9364 /* This is a response */
9365 if (!((si->flags & SMB2_FLAGS_ASYNC_CMD)
9366 && si->status == NT_STATUS_PENDING)
9368 /* just set the response frame and move it to the matched table */
9369 ssi->frame_res = pinfo->num;
9370 g_hash_table_remove(si->conv->unmatched, ssi);
9371 g_hash_table_insert(si->conv->matched, ssi, ssi);
9375 /* see if we can find this msg_id in the matched table */
9376 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
9377 /* if we couldn't find it in the matched table, it might still
9378 * be in the unmatched table
9381 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
9386 if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
9387 /* If needed, create the file entry and save the policy hnd */
9388 if (!si->eo_file_info) {
9390 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&ssi->policy_hnd);
9391 if (!eo_file_info) { /* XXX This should never happen */
9393 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
9394 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
9395 memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
9396 eo_file_info->end_of_file=0;
9397 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
9399 si->eo_file_info=eo_file_info;
9404 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
9405 if (ssi->frame_res) {
9406 proto_item *tmp_item;
9407 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
9408 PROTO_ITEM_SET_GENERATED(tmp_item);
9411 if (ssi->frame_req) {
9412 proto_item *tmp_item;
9415 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
9416 PROTO_ITEM_SET_GENERATED(tmp_item);
9418 nstime_delta(&deltat, &t, &ssi->req_time);
9419 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
9421 PROTO_ITEM_SET_GENERATED(tmp_item);
9424 if (si->file != NULL) {
9425 ssi->file = si->file;
9427 si->file = ssi->file;
9430 /* if we don't have ssi yet we must fake it */
9434 tap_queue_packet(smb2_tap, pinfo, si);
9436 /* Decode the payload */
9437 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
9439 proto_tree *enc_tree;
9440 tvbuff_t *enc_tvb = NULL;
9441 tvbuff_t *plain_tvb = NULL;
9443 /* SMB2_TRANSFORM marker */
9444 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2_transform, tvb, offset, 4, ENC_NA);
9447 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
9448 &enc_tvb, &plain_tvb);
9450 enc_tree = proto_tree_add_subtree(tree, enc_tvb, 0, sti->size, ett_smb2_encrypted, NULL, "Encrypted SMB3 data");
/* The decrypted buffer is fed back into dissect_smb2(). Its content is
 * whatever the CTR step produced (no integrity check is visible in
 * dissect_smb2_transform_header()), so it is parsed as untrusted data. */
9451 if (plain_tvb != NULL) {
9452 col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
9453 dissect_smb2(plain_tvb, pinfo, enc_tree, FALSE);
9455 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
9456 proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
9457 enc_tvb, 0, sti->size, ENC_NA);
9460 if (tvb_reported_length_remaining(tvb, offset) > 0) {
9461 chain_offset = offset;
/* chain_offset is capture-controlled on the regular path: each chained PDU
 * triggers another dissect_smb2() call on the remainder of tvb, and no
 * explicit depth limit is visible in this listing. tvb_new_subset_remaining()
 * is relied on to reject an offset past the end of tvb - confirm. */
9465 if (chain_offset > 0) {
9468 proto_item_set_len(item, chain_offset);
9470 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
9471 offset = dissect_smb2(next_tvb, pinfo, parent_tree, FALSE);
/*
 * Heuristic entry point: the buffer is accepted as SMB2 only when at least
 * four bytes were captured and they are 0xfe or 0xfd followed by 'S', 'M',
 * 'B'; it is then handed to dissect_smb2() with first_in_chain set to TRUE.
 * The data argument is unused.
 * NOTE(review): the return statements are on lines missing from this
 * listing. The four-byte marker is the only validation done here; everything
 * after it is parsed by dissect_smb2() as untrusted capture data.
 */
9478 dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
9481 /* must check that this really is a smb2 packet */
9482 if (tvb_captured_length(tvb) < 4)
9485 if (((tvb_get_guint8(tvb, 0) != 0xfe) && (tvb_get_guint8(tvb, 0) != 0xfd))
9486 || (tvb_get_guint8(tvb, 1) != 'S')
9487 || (tvb_get_guint8(tvb, 2) != 'M')
9488 || (tvb_get_guint8(tvb, 3) != 'B') ) {
9492 dissect_smb2(tvb, pinfo, parent_tree, TRUE);
9498 proto_register_smb2(void)
9500 module_t *smb2_module;
9501 static hf_register_info hf[] = {
9503 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
9504 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }
9507 { &hf_smb2_response_to,
9508 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
9509 FRAMENUM_TYPE(FT_FRAMENUM_REQUEST), 0, "This packet is a response to the packet in this frame", HFILL }
9512 { &hf_smb2_response_in,
9513 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
9514 FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE), 0, "The response to this packet is in this packet", HFILL }
9518 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
9519 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }
9522 { &hf_smb2_header_len,
9523 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
9524 NULL, 0, "SMB2 Size of Header", HFILL }
9527 { &hf_smb2_nt_status,
9528 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9529 &NT_errors_ext, 0, "NT Status code", HFILL }
9533 { "Message ID", "smb2.msg_id", FT_UINT64, BASE_DEC|BASE_VAL64_STRING|BASE_SPECIAL_VALS,
9534 VALS64(unique_unsolicited_response), 0, NULL, HFILL }
9538 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
9539 NULL, 0, NULL, HFILL }
9543 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
9544 NULL, 0, NULL, HFILL }
9548 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
9549 NULL, 0, NULL, HFILL }
9552 { &hf_smb2_previous_sesid,
9553 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
9554 NULL, 0, NULL, HFILL }
9557 { &hf_smb2_chain_offset,
9558 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
9559 NULL, 0, NULL, HFILL }
9562 { &hf_smb2_end_of_file,
9563 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
9564 NULL, 0, "SMB2 End Of File/File size", HFILL }
9568 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
9569 NULL, 0, "Number of links to this object", HFILL }
9573 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
9574 NULL, 0, NULL, HFILL }
9577 { &hf_smb2_allocation_size,
9578 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
9579 NULL, 0, NULL, HFILL }
9582 { &hf_smb2_max_response_size,
9583 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
9584 NULL, 0, NULL, HFILL }
9587 { &hf_smb2_getinfo_input_size,
9588 { "Getinfo Input Size", "smb2.getinfo_input_size", FT_UINT32, BASE_DEC,
9589 NULL, 0, NULL, HFILL }
9592 { &hf_smb2_getinfo_input_offset,
9593 { "Getinfo Input Offset", "smb2.getinfo_input_offset", FT_UINT16, BASE_HEX,
9594 NULL, 0, NULL, HFILL }
9597 { &hf_smb2_getinfo_additional,
9598 { "Additional Info", "smb2.getinfo_additional", FT_UINT32, BASE_HEX,
9599 NULL, 0, NULL, HFILL }
9602 { &hf_smb2_getinfo_flags,
9603 { "Flags", "smb2.getinfo_flags", FT_UINT32, BASE_HEX,
9604 NULL, 0, NULL, HFILL }
9607 { &hf_smb2_setinfo_size,
9608 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
9609 NULL, 0, NULL, HFILL }
9612 { &hf_smb2_setinfo_offset,
9613 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
9614 NULL, 0, NULL, HFILL }
9617 { &hf_smb2_max_ioctl_out_size,
9618 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
9619 NULL, 0, NULL, HFILL }
9622 { &hf_smb2_max_ioctl_in_size,
9623 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
9624 NULL, 0, NULL, HFILL }
9627 { &hf_smb2_required_buffer_size,
9628 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
9629 NULL, 0, NULL, HFILL }
9633 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
9634 NULL, 0, NULL, HFILL }
9638 /* SMB2 header flags */
9640 { "Flags", "smb2.flags", FT_UINT32, BASE_HEX,
9641 NULL, 0, "SMB2 flags", HFILL }
9644 { &hf_smb2_flags_response,
9645 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
9646 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }
9649 { &hf_smb2_flags_async_cmd,
9650 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
9651 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }
9654 { &hf_smb2_flags_dfs_op,
9655 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
9656 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }
9659 { &hf_smb2_flags_chained,
9660 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
9661 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }
9663 { &hf_smb2_flags_signature,
9664 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
9665 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }
9668 { &hf_smb2_flags_replay_operation,
9669 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
9670 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }
9673 { &hf_smb2_flags_priority_mask,
9674 { "Priority", "smb2.flags.priority_mask", FT_BOOLEAN, 32,
9675 TFS(&tfs_flags_priority_mask), SMB2_FLAGS_PRIORITY_MASK, "Priority Mask", HFILL }
9679 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
9680 NULL, 0, "Name of the Tree/Share", HFILL }
9683 { &hf_smb2_filename,
9684 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
9685 NULL, 0, NULL, HFILL }
9688 { &hf_smb2_filename_len,
9689 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
9690 NULL, 0, NULL, HFILL }
9693 { &hf_smb2_replace_if,
9694 { "Replace If", "smb2.rename.replace_if", FT_BOOLEAN, 8,
9695 TFS(&tfs_replace_if_exists), 0xFF, "Whether to replace if the target exists", HFILL }
9698 { &hf_smb2_data_offset,
9699 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
9700 NULL, 0, "Offset to data", HFILL }
9703 { &hf_smb2_find_info_level,
9704 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
9705 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }
9707 { &hf_smb2_find_flags,
9708 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
9709 NULL, 0, NULL, HFILL }
9712 { &hf_smb2_find_pattern,
9713 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
9714 NULL, 0, "Find pattern", HFILL }
9717 { &hf_smb2_find_info_blob,
9718 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
9719 NULL, 0, "Find Info", HFILL }
9723 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
9724 NULL, 0, "Size of EA data", HFILL }
9727 { &hf_smb2_position_information,
9728 { "Position Information", "smb2.position_info", FT_UINT64, BASE_DEC,
9729 NULL, 0, "Current file position", HFILL }
9732 { &hf_smb2_mode_information,
9733 { "Mode Information", "smb2.mode_info", FT_UINT32, BASE_HEX,
9734 NULL, 0, "File mode informatino", HFILL }
9737 { &hf_smb2_mode_file_write_through,
9738 { "FILE_WRITE_THROUGH", "smb2.mode.file_write_through", FT_UINT32, BASE_HEX,
9739 NULL, 0x02, NULL, HFILL }
9742 { &hf_smb2_mode_file_sequential_only,
9743 { "FILE_SEQUENTIAL_ONLY", "smb2.mode.file_sequential_only", FT_UINT32, BASE_HEX,
9744 NULL, 0x04, NULL, HFILL }
9747 { &hf_smb2_mode_file_no_intermediate_buffering,
9748 { "FILE_NO_INTERMEDIATE_BUFFERING", "smb2.mode.file_no_intermediate_buffering", FT_UINT32, BASE_HEX,
9749 NULL, 0x08, NULL, HFILL }
9752 { &hf_smb2_mode_file_synchronous_io_alert,
9753 { "FILE_SYNCHRONOUS_IO_ALERT", "smb2.mode.file_synchronous_io_alert", FT_UINT32, BASE_HEX,
9754 NULL, 0x10, NULL, HFILL }
9757 { &hf_smb2_mode_file_synchronous_io_nonalert,
9758 { "FILE_SYNCHRONOUS_IO_NONALERT", "smb2.mode.file_synchronous_io_nonalert", FT_UINT32, BASE_HEX,
9759 NULL, 0x20, NULL, HFILL }
9762 { &hf_smb2_mode_file_delete_on_close,
9763 { "FILE_DELETE_ON_CLOSE", "smb2.mode.file_delete_on_close", FT_UINT32, BASE_HEX,
9764 NULL, 0x1000, NULL, HFILL }
9767 { &hf_smb2_alignment_information,
9768 { "Alignment Information", "smb2.alignment_info", FT_UINT32, BASE_HEX,
9769 VALS(smb2_alignment_vals), 0, "File alignment", HFILL}
9773 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
9774 VALS(smb2_class_vals), 0, "Info class", HFILL }
9777 { &hf_smb2_infolevel,
9778 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
9779 NULL, 0, NULL, HFILL }
9782 { &hf_smb2_infolevel_file_info,
9783 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9784 &smb2_file_info_levels_ext, 0, "File_Info Infolevel", HFILL }
9787 { &hf_smb2_infolevel_fs_info,
9788 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9789 &smb2_fs_info_levels_ext, 0, "Fs_Info Infolevel", HFILL }
9792 { &hf_smb2_infolevel_sec_info,
9793 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9794 &smb2_sec_info_levels_ext, 0, "Sec_Info Infolevel", HFILL }
9797 { &hf_smb2_infolevel_posix_info,
9798 { "InfoLevel", "smb2.posix_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9799 &smb2_posix_info_levels_ext, 0, "Posix_Info Infolevel", HFILL }
9802 { &hf_smb2_write_length,
9803 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
9804 NULL, 0, "Amount of data to write", HFILL }
9807 { &hf_smb2_read_length,
9808 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
9809 NULL, 0, "Amount of data to read", HFILL }
9812 { &hf_smb2_read_remaining,
9813 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
9814 NULL, 0, NULL, HFILL }
9817 { &hf_smb2_create_flags,
9818 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
9819 NULL, 0, NULL, HFILL }
9822 { &hf_smb2_file_offset,
9823 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
9824 NULL, 0, NULL, HFILL }
9827 { &hf_smb2_fsctl_range_offset,
9828 { "File Offset", "smb2.fsctl.range_offset", FT_UINT64, BASE_DEC,
9829 NULL, 0, NULL, HFILL }
9832 { &hf_smb2_fsctl_range_length,
9833 { "Length", "smb2.fsctl.range_length", FT_UINT64, BASE_DEC,
9834 NULL, 0, NULL, HFILL }
9837 { &hf_smb2_qfr_length,
9838 { "Length", "smb2.qfr_length", FT_UINT64, BASE_DEC,
9839 NULL, 0, NULL, HFILL }
9842 { &hf_smb2_qfr_usage,
9843 { "Desired Usage", "smb2.qfr_usage", FT_UINT32, BASE_HEX,
9844 VALS(file_region_usage_vals), 0, NULL, HFILL }
9847 { &hf_smb2_qfr_flags,
9848 { "Flags", "smb2.qfr_flags", FT_UINT32, BASE_HEX,
9849 NULL, 0, NULL, HFILL }
9852 { &hf_smb2_qfr_total_region_entry_count,
9853 { "Total Region Entry Count", "smb2.qfr_tot_region_entry_count", FT_UINT32, BASE_HEX,
9854 NULL, 0, NULL, HFILL }
9857 { &hf_smb2_qfr_region_entry_count,
9858 { "Region Entry Count", "smb2.qfr_region_entry_count", FT_UINT32, BASE_HEX,
9859 NULL, 0, NULL, HFILL }
9862 { &hf_smb2_security_blob,
9863 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
9864 NULL, 0, NULL, HFILL }
9867 { &hf_smb2_ioctl_out_data,
9868 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
9869 NULL, 0, "Ioctl Out", HFILL }
9872 { &hf_smb2_ioctl_in_data,
9873 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
9874 NULL, 0, "Ioctl In", HFILL }
9877 { &hf_smb2_server_guid,
9878 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
9879 NULL, 0, NULL, HFILL }
9882 { &hf_smb2_client_guid,
9883 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
9884 NULL, 0, NULL, HFILL }
9887 { &hf_smb2_object_id,
9888 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
9889 NULL, 0, "ObjectID for this FID", HFILL }
9892 { &hf_smb2_birth_volume_id,
9893 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
9894 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }
9897 { &hf_smb2_birth_object_id,
9898 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
9899 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }
9902 { &hf_smb2_domain_id,
9903 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
9904 NULL, 0, NULL, HFILL }
9907 { &hf_smb2_create_timestamp,
9908 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9909 NULL, 0, "Time when this object was created", HFILL }
9913 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
9914 NULL, 0, "SMB2 File Id", HFILL }
9917 { &hf_smb2_write_data,
9918 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
9919 NULL, 0, "SMB2 Data to be written", HFILL }
9922 { &hf_smb2_write_flags,
9923 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
9924 NULL, 0, NULL, HFILL }
9927 { &hf_smb2_write_flags_write_through,
9928 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
9929 NULL, SMB2_WRITE_FLAG_WRITE_THROUGH, NULL, HFILL }
9932 { &hf_smb2_write_count,
9933 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
9934 NULL, 0, NULL, HFILL }
9937 { &hf_smb2_write_remaining,
9938 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
9939 NULL, 0, NULL, HFILL }
9942 { &hf_smb2_read_data,
9943 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
9944 NULL, 0, "SMB2 Data that is read", HFILL }
9947 { &hf_smb2_last_access_timestamp,
9948 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9949 NULL, 0, "Time when this object was last accessed", HFILL }
9952 { &hf_smb2_last_write_timestamp,
9953 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9954 NULL, 0, "Time when this object was last written to", HFILL }
9957 { &hf_smb2_last_change_timestamp,
9958 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9959 NULL, 0, "Time when this object was last changed", HFILL }
9962 { &hf_smb2_file_all_info,
9963 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
9964 NULL, 0, NULL, HFILL }
9967 { &hf_smb2_file_allocation_info,
9968 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
9969 NULL, 0, NULL, HFILL }
9972 { &hf_smb2_file_endoffile_info,
9973 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
9974 NULL, 0, NULL, HFILL }
9977 { &hf_smb2_file_alternate_name_info,
9978 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
9979 NULL, 0, NULL, HFILL }
9982 { &hf_smb2_file_stream_info,
9983 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
9984 NULL, 0, NULL, HFILL }
9987 { &hf_smb2_file_pipe_info,
9988 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
9989 NULL, 0, NULL, HFILL }
9992 { &hf_smb2_file_compression_info,
9993 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
9994 NULL, 0, NULL, HFILL }
9997 { &hf_smb2_file_basic_info,
9998 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
9999 NULL, 0, NULL, HFILL }
10002 { &hf_smb2_file_standard_info,
10003 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
10004 NULL, 0, NULL, HFILL }
10007 { &hf_smb2_file_internal_info,
10008 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
10009 NULL, 0, NULL, HFILL }
10012 { &hf_smb2_file_mode_info,
10013 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
10014 NULL, 0, NULL, HFILL }
10017 { &hf_smb2_file_alignment_info,
10018 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
10019 NULL, 0, NULL, HFILL }
10022 { &hf_smb2_file_position_info,
10023 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
10024 NULL, 0, NULL, HFILL }
10027 { &hf_smb2_file_access_info,
10028 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
10029 NULL, 0, NULL, HFILL }
10032 { &hf_smb2_file_ea_info,
10033 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
10034 NULL, 0, NULL, HFILL }
10037 { &hf_smb2_file_network_open_info,
10038 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
10039 NULL, 0, NULL, HFILL }
10042 { &hf_smb2_file_attribute_tag_info,
10043 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
10044 NULL, 0, NULL, HFILL }
10047 { &hf_smb2_file_disposition_info,
10048 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
10049 NULL, 0, NULL, HFILL }
10052 { &hf_smb2_file_full_ea_info,
10053 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
10054 NULL, 0, NULL, HFILL }
10057 { &hf_smb2_file_rename_info,
10058 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
10059 NULL, 0, NULL, HFILL }
10062 { &hf_smb2_fs_info_01,
10063 { "FileFsVolumeInformation", "smb2.fs_volume_info", FT_NONE, BASE_NONE,
10064 NULL, 0, NULL, HFILL }
10067 { &hf_smb2_fs_info_03,
10068 { "FileFsSizeInformation", "smb2.fs_size_info", FT_NONE, BASE_NONE,
10069 NULL, 0, NULL, HFILL }
10072 { &hf_smb2_fs_info_04,
10073 { "FileFsDeviceInformation", "smb2.fs_device_info", FT_NONE, BASE_NONE,
10074 NULL, 0, NULL, HFILL }
10077 { &hf_smb2_fs_info_05,
10078 { "FileFsAttributeInformation", "smb2.fs_attribute_info", FT_NONE, BASE_NONE,
10079 NULL, 0, NULL, HFILL }
10082 { &hf_smb2_fs_info_06,
10083 { "FileFsControlInformation", "smb2.fs_control_info", FT_NONE, BASE_NONE,
10084 NULL, 0, NULL, HFILL }
10087 { &hf_smb2_fs_info_07,
10088 { "FileFsFullSizeInformation", "smb2.fs_full_size_info", FT_NONE, BASE_NONE,
10089 NULL, 0, NULL, HFILL }
10092 { &hf_smb2_fs_objectid_info,
10093 { "FileFsObjectIdInformation", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
10094 NULL, 0, NULL, HFILL }
10097 { &hf_smb2_sec_info_00,
10098 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
10099 NULL, 0, NULL, HFILL }
10102 { &hf_smb2_quota_info,
10103 { "SMB2_QUOTA_INFO", "smb2.quota_info", FT_NONE, BASE_NONE,
10104 NULL, 0, NULL, HFILL }
10107 { &hf_smb2_query_quota_info,
10108 { "SMB2_QUERY_QUOTA_INFO", "smb2.query_quota_info", FT_NONE, BASE_NONE,
10109 NULL, 0, NULL, HFILL }
10112 { &hf_smb2_qq_single,
10113 { "ReturnSingle", "smb2.query_quota_info.single", FT_BOOLEAN, 8,
10114 NULL, 0xff, NULL, HFILL }
10117 { &hf_smb2_qq_restart,
10118 { "RestartScan", "smb2.query_quota_info.restart", FT_BOOLEAN, 8,
10119 NULL, 0xff, NULL, HFILL }
10122 { &hf_smb2_qq_sidlist_len,
10123 { "SidListLength", "smb2.query_quota_info.sidlistlen", FT_UINT32, BASE_DEC,
10124 NULL, 0, NULL, HFILL }
10127 { &hf_smb2_qq_start_sid_len,
10128 { "StartSidLength", "smb2.query_quota_info.startsidlen", FT_UINT32, BASE_DEC,
10129 NULL, 0, NULL, HFILL }
10132 { &hf_smb2_qq_start_sid_offset,
10133 { "StartSidOffset", "smb2.query_quota_info.startsidoffset", FT_UINT32, BASE_DEC,
10134 NULL, 0, NULL, HFILL }
10137 { &hf_smb2_disposition_delete_on_close,
10138 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
10139 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }
10143 { &hf_smb2_create_disposition,
10144 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
10145 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }
10148 { &hf_smb2_create_action,
10149 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
10150 VALS(oa_open_vals), 0, NULL, HFILL }
10153 { &hf_smb2_create_rep_flags,
10154 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
10155 NULL, 0, NULL, HFILL }
10158 { &hf_smb2_create_rep_flags_reparse_point,
10159 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
10160 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }
10163 { &hf_smb2_extrainfo,
10164 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
10165 NULL, 0, "Create ExtraInfo", HFILL }
10168 { &hf_smb2_create_chain_offset,
10169 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
10170 NULL, 0, "Offset to next entry in chain or 0", HFILL }
10173 { &hf_smb2_create_chain_data,
10174 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
10175 NULL, 0, "Chain Data", HFILL }
10178 { &hf_smb2_FILE_OBJECTID_BUFFER,
10179 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
10180 NULL, 0, NULL, HFILL }
10183 { &hf_smb2_lease_key,
10184 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
10185 NULL, 0, NULL, HFILL }
10188 { &hf_smb2_lease_state,
10189 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
10190 NULL, 0, NULL, HFILL }
10193 { &hf_smb2_lease_state_read_caching,
10194 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
10195 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }
10198 { &hf_smb2_lease_state_handle_caching,
10199 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
10200 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }
10203 { &hf_smb2_lease_state_write_caching,
10204 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
10205 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }
10208 { &hf_smb2_lease_flags,
10209 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
10210 NULL, 0, NULL, HFILL }
10213 { &hf_smb2_lease_flags_break_ack_required,
10214 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
10215 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }
10218 { &hf_smb2_lease_flags_break_in_progress,
10219 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
10220 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }
10223 { &hf_smb2_lease_flags_parent_lease_key_set,
10224 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
10225 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }
10228 { &hf_smb2_lease_duration,
10229 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
10230 NULL, 0, NULL, HFILL }
10233 { &hf_smb2_parent_lease_key,
10234 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
10235 NULL, 0, NULL, HFILL }
10238 { &hf_smb2_lease_epoch,
10239 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16, BASE_HEX,
10240 NULL, 0, NULL, HFILL }
10243 { &hf_smb2_lease_reserved,
10244 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16, BASE_HEX,
10245 NULL, 0, NULL, HFILL }
10248 { &hf_smb2_lease_break_reason,
10249 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
10250 NULL, 0, NULL, HFILL }
10253 { &hf_smb2_lease_access_mask_hint,
10254 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
10255 NULL, 0, NULL, HFILL }
10258 { &hf_smb2_lease_share_mask_hint,
10259 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
10260 NULL, 0, NULL, HFILL }
10263 { &hf_smb2_next_offset,
10264 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
10265 NULL, 0, "Offset to next buffer or 0", HFILL }
10268 { &hf_smb2_negotiate_context_type,
10269 { "Type", "smb2.negotiate_context.type", FT_UINT16, BASE_HEX,
10270 VALS(smb2_negotiate_context_types), 0, NULL, HFILL }
10273 { &hf_smb2_negotiate_context_data_length,
10274 { "DataLength", "smb2.negotiate_context.data_length", FT_UINT16, BASE_DEC,
10275 NULL, 0, NULL, HFILL }
10278 { &hf_smb2_negotiate_context_offset,
10279 { "NegotiateContextOffset", "smb2.negotiate_context.offset", FT_UINT16, BASE_HEX,
10280 NULL, 0, NULL, HFILL }
10283 { &hf_smb2_negotiate_context_count,
10284 { "NegotiateContextCount", "smb2.negotiate_context.count", FT_UINT16, BASE_DEC,
10285 NULL, 0, NULL, HFILL }
10288 { &hf_smb2_hash_alg_count,
10289 { "HashAlgorithmCount", "smb2.negotiate_context.hash_alg_count", FT_UINT16, BASE_DEC,
10290 NULL, 0, NULL, HFILL }},
10292 { &hf_smb2_hash_algorithm,
10293 { "HashAlgorithm", "smb2.negotiate_context.hash_algorithm", FT_UINT16, BASE_HEX,
10294 VALS(smb2_hash_algorithm_types), 0, NULL, HFILL }},
10296 { &hf_smb2_salt_length,
10297 { "SaltLength", "smb2.negotiate_context.salt_length", FT_UINT16, BASE_DEC,
10298 NULL, 0, NULL, HFILL }},
10301 { "Salt", "smb2.negotiate_context.salt", FT_BYTES, BASE_NONE,
10302 NULL, 0, NULL, HFILL }},
10304 { &hf_smb2_cipher_count,
10305 { "CipherCount", "smb2.negotiate_context.cipher_count", FT_UINT16, BASE_DEC,
10306 NULL, 0, NULL, HFILL }},
10308 { &hf_smb2_cipher_id,
10309 { "CipherId", "smb2.negotiate_context.cipher_id", FT_UINT16, BASE_HEX,
10310 VALS(smb2_cipher_types), 0, NULL, HFILL }},
10312 { &hf_smb2_current_time,
10313 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10314 NULL, 0, "Current Time at server", HFILL }
10317 { &hf_smb2_boot_time,
10318 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10319 NULL, 0, "Boot Time at server", HFILL }
10322 { &hf_smb2_ea_flags,
10323 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
10324 NULL, 0, NULL, HFILL }
10327 { &hf_smb2_ea_name_len,
10328 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
10329 NULL, 0, NULL, HFILL }
10332 { &hf_smb2_ea_data_len,
10333 { "EA Data Length", "smb2.ea.data_len", FT_UINT16, BASE_DEC,
10334 NULL, 0, NULL, HFILL }
10337 { &hf_smb2_delete_pending,
10338 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
10339 NULL, 0, NULL, HFILL }
10342 { &hf_smb2_is_directory,
10343 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
10344 NULL, 0, "Is this a directory?", HFILL }
10348 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
10349 VALS(oplock_vals), 0, "Oplock type", HFILL }
10352 { &hf_smb2_close_flags,
10353 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
10354 NULL, 0, NULL, HFILL }
10357 { &hf_smb2_notify_flags,
10358 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
10359 NULL, 0, NULL, HFILL }
10362 { &hf_smb2_buffer_code,
10363 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
10364 NULL, 0, NULL, HFILL }
10367 { &hf_smb2_buffer_code_len,
10368 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
10369 NULL, 0xFFFE, "Length of fixed portion of PDU", HFILL }
10372 { &hf_smb2_olb_length,
10373 { "Blob Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
10374 NULL, 0, "Length of the buffer", HFILL }
10377 { &hf_smb2_olb_offset,
10378 { "Blob Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
10379 NULL, 0, "Offset to the buffer", HFILL }
10382 { &hf_smb2_buffer_code_flags_dyn,
10383 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
10384 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }
10387 { &hf_smb2_ea_data,
10388 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE,
10389 NULL, 0, NULL, HFILL }
10392 { &hf_smb2_ea_name,
10393 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
10394 NULL, 0, NULL, HFILL }
10397 { &hf_smb2_impersonation_level,
10398 { "Impersonation level", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
10399 VALS(impersonation_level_vals), 0, NULL, HFILL }
10402 { &hf_smb2_ioctl_function,
10403 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
10404 &smb2_ioctl_vals_ext, 0, "Ioctl function", HFILL }
10407 { &hf_smb2_ioctl_function_device,
10408 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
10409 &smb2_ioctl_device_vals_ext, 0xffff0000, "Device for Ioctl", HFILL }
10412 { &hf_smb2_ioctl_function_access,
10413 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
10414 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }
10417 { &hf_smb2_ioctl_function_function,
10418 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
10419 NULL, 0x00003ffc, "Function for Ioctl", HFILL }
10422 { &hf_smb2_ioctl_function_method,
10423 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
10424 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }
10427 { &hf_smb2_fsctl_pipe_wait_timeout,
10428 { "Timeout", "smb2.fsctl.wait.timeout", FT_INT64, BASE_DEC,
10429 NULL, 0, "Wait timeout", HFILL }
10432 { &hf_smb2_fsctl_pipe_wait_name,
10433 { "Name", "smb2.fsctl.wait.name", FT_STRING, BASE_NONE,
10434 NULL, 0, "Pipe name", HFILL }
10437 { &hf_smb2_fsctl_odx_token_type,
10438 { "TokenType", "smb2.fsctl.odx.token.type", FT_UINT32, BASE_HEX,
10439 NULL, 0, NULL, HFILL }
10442 { &hf_smb2_fsctl_odx_token_idlen,
10443 { "TokenIdLength", "smb2.fsctl.odx.token.idlen", FT_UINT16, BASE_DEC,
10444 NULL, 0, NULL, HFILL }
10447 { &hf_smb2_fsctl_odx_token_idraw,
10448 { "TokenId", "smb2.fsctl.odx.token.id", FT_BYTES, BASE_NONE,
10449 NULL, 0, "Token ID (opaque)", HFILL }
10452 { &hf_smb2_fsctl_odx_token_ttl,
10453 { "TokenTimeToLive", "smb2.fsctl.odx.token_ttl", FT_UINT32, BASE_DEC,
10454 NULL, 0, "TTL requested for the token (in milliseconds)", HFILL }
10457 { &hf_smb2_fsctl_odx_size,
10458 { "Size", "smb2.fsctl.odx.size", FT_UINT32, BASE_DEC,
10459 NULL, 0, "Size of this data element", HFILL }
10462 { &hf_smb2_fsctl_odx_flags,
10463 { "Flags", "smb2.fsctl.odx.flags", FT_UINT32, BASE_HEX,
10464 NULL, 0, "Flags for this operation", HFILL }
10467 { &hf_smb2_fsctl_odx_file_offset,
10468 { "FileOffset", "smb2.fsctl.odx.file_offset", FT_UINT64, BASE_DEC,
10469 NULL, 0, NULL, HFILL }
10472 { &hf_smb2_fsctl_odx_copy_length,
10473 { "CopyLength", "smb2.fsctl.odx.copy_length", FT_UINT64, BASE_DEC,
10474 NULL, 0, NULL, HFILL }
10477 { &hf_smb2_fsctl_odx_xfer_length,
10478 { "TransferLength", "smb2.fsctl.odx.xfer_length", FT_UINT64, BASE_DEC,
10479 NULL, 0, NULL, HFILL }
10482 { &hf_smb2_fsctl_odx_token_offset,
10483 { "TokenOffset", "smb2.fsctl.odx.token_offset", FT_UINT64, BASE_DEC,
10484 NULL, 0, "Token Offset (relative to start of token)", HFILL }
10487 { &hf_smb2_fsctl_sparse_flag,
10488 { "SetSparse", "smb2.fsctl.set_sparse", FT_BOOLEAN, 8,
10489 NULL, 0xFF, NULL, HFILL }
10492 { &hf_smb2_ioctl_resiliency_timeout,
10493 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
10494 NULL, 0, "Resiliency timeout", HFILL }
10497 { &hf_smb2_ioctl_resiliency_reserved,
10498 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
10499 NULL, 0, "Resiliency reserved", HFILL }
10502 { &hf_smb2_ioctl_shared_virtual_disk_support,
10503 { "SharedVirtualDiskSupport", "smb2.ioctl.shared_virtual_disk.support", FT_UINT32, BASE_HEX,
10504 VALS(smb2_ioctl_shared_virtual_disk_vals), 0, "Supported shared capabilities", HFILL }
10507 { &hf_smb2_ioctl_shared_virtual_disk_handle_state,
10508 { "SharedVirtualDiskHandleState", "smb2.ioctl.shared_virtual_disk.handle_state", FT_UINT32, BASE_HEX,
10509 VALS(smb2_ioctl_shared_virtual_disk_hstate_vals), 0, NULL, HFILL }
10512 { &hf_smb2_ioctl_sqos_protocol_version,
10513 { "ProtocolVersion", "smb2.ioctl.sqos.protocol_version", FT_UINT16, BASE_HEX,
10514 VALS(smb2_ioctl_sqos_protocol_version_vals), 0, NULL, HFILL }
10517 { &hf_smb2_ioctl_sqos_reserved,
10518 { "Reserved", "smb2.ioctl.sqos.reserved", FT_UINT16, BASE_DEC,
10519 NULL, 0, NULL, HFILL }
10522 { &hf_smb2_ioctl_sqos_options,
10523 { "Operations", "smb2.ioctl.sqos.operations", FT_UINT32, BASE_HEX,
10524 NULL, 0, "SQOS operations", HFILL }
10527 { &hf_smb2_ioctl_sqos_op_set_logical_flow_id,
10528 { "Set Logical Flow ID", "smb2.ioctl.sqos.operations.set_logical_flow_id", FT_BOOLEAN, 32,
10529 NULL, STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID, "Whether Set Logical Flow ID operation is performed", HFILL }
10532 { &hf_smb2_ioctl_sqos_op_set_policy,
10533 { "Set Policy", "smb2.ioctl.sqos.operations.set_policy", FT_BOOLEAN, 32,
10534 NULL, STORAGE_QOS_CONTROL_FLAG_SET_POLICY, "Whether Set Policy operation is performed", HFILL }
10537 { &hf_smb2_ioctl_sqos_op_probe_policy,
10538 { "Probe Policy", "smb2.ioctl.sqos.operations.probe_policy", FT_BOOLEAN, 32,
10539 NULL, STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY, "Whether Probe Policy operation is performed", HFILL }
10542 { &hf_smb2_ioctl_sqos_op_get_status,
10543 { "Get Status", "smb2.ioctl.sqos.operations.get_status", FT_BOOLEAN, 32,
10544 NULL, STORAGE_QOS_CONTROL_FLAG_GET_STATUS, "Whether Get Status operation is performed", HFILL }
10547 { &hf_smb2_ioctl_sqos_op_update_counters,
10548 { "Update Counters", "smb2.ioctl.sqos.operations.update_counters", FT_BOOLEAN, 32,
10549 NULL, STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS, "Whether Update Counters operation is performed", HFILL }
10552 { &hf_smb2_ioctl_sqos_logical_flow_id,
10553 { "LogicalFlowID", "smb2.ioctl.sqos.logical_flow_id", FT_GUID, BASE_NONE,
10554 NULL, 0, NULL, HFILL }
10557 { &hf_smb2_ioctl_sqos_policy_id,
10558 { "PolicyID", "smb2.ioctl.sqos.policy_id", FT_GUID, BASE_NONE,
10559 NULL, 0, NULL, HFILL }
10562 { &hf_smb2_ioctl_sqos_initiator_id,
10563 { "InitiatorID", "smb2.ioctl.sqos.initiator_id", FT_GUID, BASE_NONE,
10564 NULL, 0, NULL, HFILL }
10567 { &hf_smb2_ioctl_sqos_limit,
10568 { "Limit", "smb2.ioctl.sqos.limit", FT_UINT64, BASE_DEC,
10569 NULL, 0, "Desired maximum throughput for the logical flow, in normalized IOPS", HFILL }
10572 { &hf_smb2_ioctl_sqos_reservation,
10573 { "Reservation", "smb2.ioctl.sqos.reservation", FT_UINT64, BASE_DEC,
10574 NULL, 0, "Desired minimum throughput for the logical flow, in normalized 8KB IOPS", HFILL }
10577 { &hf_smb2_ioctl_sqos_initiator_name,
10578 { "InitiatorName", "smb2.ioctl.sqos.initiator_name", FT_STRING, BASE_NONE,
10579 NULL, 0x0, NULL, HFILL }
10582 { &hf_smb2_ioctl_sqos_initiator_node_name,
10583 { "InitiatorNodeName", "smb2.ioctl.sqos.initiator_node_name", FT_STRING, BASE_NONE,
10584 NULL, 0x0, NULL, HFILL }
10587 { &hf_smb2_ioctl_sqos_io_count_increment,
10588 { "IoCountIncrement", "smb2.ioctl.sqos.io_count_increment", FT_UINT64, BASE_DEC,
10589 NULL, 0, "The total number of I/O requests issued by the initiator on the logical flow", HFILL }
10592 { &hf_smb2_ioctl_sqos_normalized_io_count_increment,
10593 { "NormalizedIoCountIncrement", "smb2.ioctl.sqos.normalized_io_count_increment", FT_UINT64, BASE_DEC,
10594 NULL, 0, "The total number of normalized 8-KB I/O requests issued by the initiator on the logical flow", HFILL }
10597 { &hf_smb2_ioctl_sqos_latency_increment,
10598 { "LatencyIncrement", "smb2.ioctl.sqos.latency_increment", FT_UINT64, BASE_DEC,
10599 NULL, 0, "The total latency (including initiator's queues delays) measured by the initiator", HFILL }
10602 { &hf_smb2_ioctl_sqos_lower_latency_increment,
10603 { "LowerLatencyIncrement", "smb2.ioctl.sqos.lower_latency_increment", FT_UINT64, BASE_DEC,
10604 NULL, 0, "The total latency (excluding initiator's queues delays) measured by the initiator", HFILL }
10607 { &hf_smb2_ioctl_sqos_bandwidth_limit,
10608 { "BandwidthLimit", "smb2.ioctl.sqos.bandwidth_limit", FT_UINT64, BASE_DEC,
10609 NULL, 0, "Desired maximum bandwidth for the logical flow, in kilobytes per second", HFILL }
10612 { &hf_smb2_ioctl_sqos_kilobyte_count_increment,
10613 { "KilobyteCountIncrement", "smb2.ioctl.sqos.kilobyte_count_increment", FT_UINT64, BASE_DEC,
10614 NULL, 0, "The total data transfer length of all I/O requests, in kilobyte units, issued by the initiator on the logical flow", HFILL }
10617 { &hf_smb2_ioctl_sqos_time_to_live,
10618 { "TimeToLive", "smb2.ioctl.sqos.time_to_live", FT_UINT32, BASE_DEC,
10619 NULL, 0, "The expected period of validity of the Status, MaximumIoRate and MinimumIoRate fields, expressed in milliseconds", HFILL }
10622 { &hf_smb2_ioctl_sqos_status,
10623 { "Status", "smb2.ioctl.sqos.status", FT_UINT32, BASE_HEX,
10624 VALS(smb2_ioctl_sqos_status_vals), 0, "The current status of the logical flow", HFILL }
10627 { &hf_smb2_ioctl_sqos_maximum_io_rate,
10628 { "MaximumIoRate", "smb2.ioctl.sqos.maximum_io_rate", FT_UINT64, BASE_DEC,
10629 NULL, 0, "The maximum I/O initiation rate currently assigned to the logical flow, expressed in normalized input/output operations per second (normalized IOPS)", HFILL }
10632 { &hf_smb2_ioctl_sqos_minimum_io_rate,
10633 { "MinimumIoRate", "smb2.ioctl.sqos.minimum_io_rate", FT_UINT64, BASE_DEC,
10634 NULL, 0, "The minimum I/O completion rate currently assigned to the logical flow, expressed in normalized IOPS", HFILL }
10637 { &hf_smb2_ioctl_sqos_base_io_size,
10638 { "BaseIoSize", "smb2.ioctl.sqos.base_io_size", FT_UINT32, BASE_DEC,
10639 NULL, 0, "The base I/O size used to compute the normalized size of an I/O request for the logical flow", HFILL }
10642 { &hf_smb2_ioctl_sqos_reserved2,
10643 { "Reserved", "smb2.ioctl.sqos.reserved2", FT_UINT32, BASE_DEC,
10644 NULL, 0, NULL, HFILL }
10647 { &hf_smb2_ioctl_sqos_maximum_bandwidth,
10648 { "MaximumBandwidth", "smb2.ioctl.sqos.maximum_bandwidth", FT_UINT64, BASE_DEC,
10649 NULL, 0, "The maximum bandwidth currently assigned to the logical flow, expressed in kilobytes per second", HFILL }
10653 { &hf_windows_sockaddr_family,
10654 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
10655 NULL, 0, "The socket address family (on windows)", HFILL }
10658 { &hf_windows_sockaddr_port,
10659 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
10660 NULL, 0, "The socket address port", HFILL }
10663 { &hf_windows_sockaddr_in_addr,
10664 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
10665 NULL, 0, "The IPv4 address", HFILL }
10668 { &hf_windows_sockaddr_in6_flowinfo,
10669 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
10670 NULL, 0, "The socket IPv6 flow info", HFILL }
10673 { &hf_windows_sockaddr_in6_addr,
10674 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
10675 NULL, 0, "The IPv6 address", HFILL }
10678 { &hf_windows_sockaddr_in6_scope_id,
10679 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
10680 NULL, 0, "The socket IPv6 scope id", HFILL }
10683 { &hf_smb2_ioctl_network_interface_next_offset,
10684 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
10685 NULL, 0, "Offset to next entry in chain or 0", HFILL }
10688 { &hf_smb2_ioctl_network_interface_index,
10689 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
10690 NULL, 0, "The index of the interface", HFILL }
10693 { &hf_smb2_ioctl_network_interface_rss_queue_count,
10694 { "RSS Queue Count", "smb2.ioctl.network_interfaces.rss_queue_count", FT_UINT32, BASE_DEC,
10695 NULL, 0, "The RSS queue count", HFILL }
10698 { &hf_smb2_ioctl_network_interface_capabilities,
10699 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
10700 NULL, 0, "The RSS queue count", HFILL }
10703 { &hf_smb2_ioctl_network_interface_capability_rss,
10704 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
10705 TFS(&tfs_smb2_ioctl_network_interface_capability_rss), NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }
10708 { &hf_smb2_ioctl_network_interface_capability_rdma,
10709 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
10710 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma), NETWORK_INTERFACE_CAP_RDMA, "If the host supports RDMA", HFILL }
10713 { &hf_smb2_ioctl_network_interface_link_speed,
10714 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
10715 NULL, 0, "The link speed of the interface", HFILL }
10718 { &hf_smb2_ioctl_shadow_copy_num_volumes,
10719 { "Num Volumes", "smb2.ioctl.shadow_copy.num_volumes", FT_UINT32, BASE_DEC,
10720 NULL, 0, "Number of shadow copy volumes", HFILL }
10723 { &hf_smb2_ioctl_shadow_copy_num_labels,
10724 { "Num Labels", "smb2.ioctl.shadow_copy.num_labels", FT_UINT32, BASE_DEC,
10725 NULL, 0, "Number of shadow copy labels", HFILL }
10728 { &hf_smb2_ioctl_shadow_copy_label,
10729 { "Label", "smb2.ioctl.shadow_copy.label", FT_STRING, BASE_NONE,
10730 NULL, 0, "Shadow copy label", HFILL }
10733 { &hf_smb2_compression_format,
10734 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
10735 VALS(compression_format_vals), 0, NULL, HFILL }
10738 { &hf_smb2_checksum_algorithm,
10739 { "Checksum Algorithm", "smb2.checksum_algorithm", FT_UINT16, BASE_HEX,
10740 VALS(checksum_algorithm_vals), 0, NULL, HFILL }
10743 { &hf_smb2_integrity_reserved,
10744 { "Reserved", "smb2.integrity_reserved", FT_UINT16, BASE_DEC,
10745 NULL, 0, NULL, HFILL }
10748 { &hf_smb2_integrity_flags,
10749 { "Flags", "smb2.integrity_flags", FT_UINT32, BASE_HEX,
10750 NULL, 0, NULL, HFILL }
10753 { &hf_smb2_integrity_flags_enforcement_off,
10754 { "FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF", "smb2.integrity_flags_enforcement", FT_BOOLEAN, 32,
10755 NULL, 0x1, "If checksum error enforcement is off", HFILL }
10758 { &hf_smb2_share_type,
10759 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
10760 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }
10763 { &hf_smb2_credit_charge,
10764 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
10765 NULL, 0, NULL, HFILL }
10768 { &hf_smb2_credits_requested,
10769 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
10770 NULL, 0, NULL, HFILL }
10773 { &hf_smb2_credits_granted,
10774 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
10775 NULL, 0, NULL, HFILL }
10778 { &hf_smb2_channel_sequence,
10779 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
10780 NULL, 0, NULL, HFILL }
10783 { &hf_smb2_dialect_count,
10784 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
10785 NULL, 0, NULL, HFILL }
10788 { &hf_smb2_dialect,
10789 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
10790 NULL, 0, NULL, HFILL }
10793 { &hf_smb2_security_mode,
10794 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
10795 NULL, 0, NULL, HFILL }
10798 { &hf_smb2_session_flags,
10799 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
10800 NULL, 0, NULL, HFILL }
10803 { &hf_smb2_lock_count,
10804 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
10805 NULL, 0, NULL, HFILL }
10808 { &hf_smb2_capabilities,
10809 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
10810 NULL, 0, NULL, HFILL }
10813 { &hf_smb2_ioctl_shadow_copy_count,
10814 { "Count", "smb2.ioctl.shadow_copy.count", FT_UINT32, BASE_DEC,
10815 NULL, 0, "Number of bytes for shadow copy label strings", HFILL }
10818 { &hf_smb2_auth_frame,
10819 { "Authenticated in Frame", "smb2.auth_frame", FT_UINT32, BASE_DEC,
10820 NULL, 0, "Which frame this user was authenticated in", HFILL }
10823 { &hf_smb2_tcon_frame,
10824 { "Connected in Frame", "smb2.tcon_frame", FT_UINT32, BASE_DEC,
10825 NULL, 0, "Which frame this share was connected in", HFILL }
10829 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
10830 NULL, 0, "Tag of chain entry", HFILL }
10833 { &hf_smb2_acct_name,
10834 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
10835 NULL, 0, "Account Name", HFILL }
10838 { &hf_smb2_domain_name,
10839 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
10840 NULL, 0, "Domain Name", HFILL }
10843 { &hf_smb2_host_name,
10844 { "Host", "smb2.host", FT_STRING, BASE_NONE,
10845 NULL, 0, "Host Name", HFILL }
10848 { &hf_smb2_signature,
10849 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
10850 NULL, 0, NULL, HFILL }
10853 { &hf_smb2_unknown,
10854 { "Unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
10855 NULL, 0, NULL, HFILL }
10858 { &hf_smb2_twrp_timestamp,
10859 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10860 NULL, 0, "TWrp timestamp", HFILL }
10863 { &hf_smb2_mxac_timestamp,
10864 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10865 NULL, 0, "MxAc timestamp", HFILL }
10868 { &hf_smb2_mxac_status,
10869 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
10870 &NT_errors_ext, 0, "NT Status code", HFILL }
10873 { &hf_smb2_qfid_fid,
10874 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
10875 NULL, 0, NULL, HFILL }
10878 { &hf_smb2_ses_flags_guest,
10879 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
10880 NULL, SES_FLAGS_GUEST, NULL, HFILL }
10883 { &hf_smb2_ses_flags_null,
10884 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
10885 NULL, SES_FLAGS_NULL, NULL, HFILL }
10888 { &hf_smb2_ses_flags_encrypt,
10889 { "Encrypt", "smb2.ses_flags.encrypt", FT_BOOLEAN, 16,
10890 NULL, SES_FLAGS_ENCRYPT, NULL, HFILL }},
10892 { &hf_smb2_secmode_flags_sign_required,
10893 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
10894 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }
10897 { &hf_smb2_secmode_flags_sign_enabled,
10898 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
10899 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }
10902 { &hf_smb2_ses_req_flags,
10903 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
10904 NULL, 0, NULL, HFILL }
10907 { &hf_smb2_ses_req_flags_session_binding,
10908 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
10909 NULL, SES_REQ_FLAGS_SESSION_BINDING, "The client wants to bind to an existing session", HFILL }
10912 { &hf_smb2_cap_dfs,
10913 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
10914 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }
10917 { &hf_smb2_cap_leasing,
10918 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
10919 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING, "If the host supports leasing", HFILL }
10922 { &hf_smb2_cap_large_mtu,
10923 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
10924 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU, "If the host supports LARGE MTU", HFILL }
10927 { &hf_smb2_cap_multi_channel,
10928 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
10929 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL, "If the host supports MULTI CHANNEL", HFILL }
10932 { &hf_smb2_cap_persistent_handles,
10933 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
10934 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES, "If the host supports PERSISTENT HANDLES", HFILL }
10937 { &hf_smb2_cap_directory_leasing,
10938 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
10939 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING, "If the host supports DIRECTORY LEASING", HFILL }
10942 { &hf_smb2_cap_encryption,
10943 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
10944 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION, "If the host supports ENCRYPTION", HFILL }
10947 { &hf_smb2_max_trans_size,
10948 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
10949 NULL, 0, NULL, HFILL }
10952 { &hf_smb2_max_read_size,
10953 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
10954 NULL, 0, NULL, HFILL }
10957 { &hf_smb2_max_write_size,
10958 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
10959 NULL, 0, NULL, HFILL }
10962 { &hf_smb2_channel,
10963 { "Channel", "smb2.channel", FT_UINT32, BASE_HEX,
10964 VALS(smb2_channel_vals), 0, NULL, HFILL }
10967 { &hf_smb2_rdma_v1_offset,
10968 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64, BASE_DEC,
10969 NULL, 0, NULL, HFILL }
10972 { &hf_smb2_rdma_v1_token,
10973 { "Token", "smb2.buffer_descriptor.token", FT_UINT32, BASE_HEX,
10974 NULL, 0, NULL, HFILL }
10977 { &hf_smb2_rdma_v1_length,
10978 { "Length", "smb2.buffer_descriptor.length", FT_UINT32, BASE_DEC,
10979 NULL, 0, NULL, HFILL }
10982 { &hf_smb2_share_flags,
10983 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
10984 NULL, 0, NULL, HFILL }
10987 { &hf_smb2_share_flags_dfs,
10988 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
10989 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
10992 { &hf_smb2_share_flags_dfs_root,
10993 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
10994 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
10997 { &hf_smb2_share_flags_restrict_exclusive_opens,
10998 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
10999 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }
11002 { &hf_smb2_share_flags_force_shared_delete,
11003 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
11004 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }
11007 { &hf_smb2_share_flags_allow_namespace_caching,
11008 { "Allow namepsace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
11009 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }
11012 { &hf_smb2_share_flags_access_based_dir_enum,
11013 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
11014 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }
11017 { &hf_smb2_share_flags_force_levelii_oplock,
11018 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
11019 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }
11022 { &hf_smb2_share_flags_enable_hash_v1,
11023 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
11024 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
11027 { &hf_smb2_share_flags_enable_hash_v2,
11028 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
11029 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
11032 { &hf_smb2_share_flags_encrypt_data,
11033 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
11034 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }
11037 { &hf_smb2_share_caching,
11038 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
11039 VALS(share_cache_vals), 0, NULL, HFILL }
11042 { &hf_smb2_share_caps,
11043 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
11044 NULL, 0, NULL, HFILL }
11047 { &hf_smb2_share_caps_dfs,
11048 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
11049 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }
11052 { &hf_smb2_share_caps_continuous_availability,
11053 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
11054 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY, "The specified share is continuously available", HFILL }
11057 { &hf_smb2_share_caps_scaleout,
11058 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
11059 NULL, SHARE_CAPS_SCALEOUT, "The specified share is a scaleout share", HFILL }
11062 { &hf_smb2_share_caps_cluster,
11063 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
11064 NULL, SHARE_CAPS_CLUSTER, "The specified share is a cluster share", HFILL }
11067 { &hf_smb2_ioctl_flags,
11068 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
11069 NULL, 0, NULL, HFILL }
11072 { &hf_smb2_min_count,
11073 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
11074 NULL, 0, NULL, HFILL }
11077 { &hf_smb2_remaining_bytes,
11078 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC,
11079 NULL, 0, NULL, HFILL }
11082 { &hf_smb2_channel_info_offset,
11083 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
11084 NULL, 0, NULL, HFILL }
11087 { &hf_smb2_channel_info_length,
11088 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
11089 NULL, 0, NULL, HFILL }
11092 { &hf_smb2_channel_info_blob,
11093 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE, BASE_NONE,
11094 NULL, 0, NULL, HFILL }
11097 { &hf_smb2_ioctl_is_fsctl,
11098 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
11099 NULL, 0x00000001, NULL, HFILL }
11102 { &hf_smb2_output_buffer_len,
11103 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT16, BASE_DEC,
11104 NULL, 0, NULL, HFILL }
11107 { &hf_smb2_close_pq_attrib,
11108 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
11109 NULL, 0x0001, NULL, HFILL }
11112 { &hf_smb2_notify_watch_tree,
11113 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
11114 NULL, 0x0001, NULL, HFILL }
11117 { &hf_smb2_notify_out_data,
11118 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
11119 NULL, 0, NULL, HFILL }
11122 { &hf_smb2_notify_info,
11123 { "Notify Info", "smb2.notify.info", FT_NONE, BASE_NONE,
11124 NULL, 0, NULL, HFILL }
11127 { &hf_smb2_notify_next_offset,
11128 { "Next Offset", "smb2.notify.next_offset", FT_UINT32, BASE_HEX,
11129 NULL, 0, "Offset to next entry in chain or 0", HFILL }
11132 { &hf_smb2_notify_action,
11133 { "Action", "smb2.notify.action", FT_UINT32, BASE_HEX,
11134 VALS(notify_action_vals), 0, "Notify Action", HFILL }
11138 { &hf_smb2_find_flags_restart_scans,
11139 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
11140 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }
11143 { &hf_smb2_find_flags_single_entry,
11144 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
11145 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }
11148 { &hf_smb2_find_flags_index_specified,
11149 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
11150 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }
11153 { &hf_smb2_find_flags_reopen,
11154 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
11155 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }
11158 { &hf_smb2_file_index,
11159 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
11160 NULL, 0, NULL, HFILL }
11163 { &hf_smb2_file_directory_info,
11164 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
11165 NULL, 0, NULL, HFILL }
11168 { &hf_smb2_full_directory_info,
11169 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
11170 NULL, 0, NULL, HFILL }
11173 { &hf_smb2_both_directory_info,
11174 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
11175 NULL, 0, NULL, HFILL }
11178 { &hf_smb2_id_both_directory_info,
11179 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
11180 NULL, 0, NULL, HFILL }
11183 { &hf_smb2_short_name_len,
11184 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
11185 NULL, 0, NULL, HFILL }
11188 { &hf_smb2_short_name,
11189 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
11190 NULL, 0, NULL, HFILL }
11193 { &hf_smb2_lock_info,
11194 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
11195 NULL, 0, NULL, HFILL }
11198 { &hf_smb2_lock_length,
11199 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
11200 NULL, 0, NULL, HFILL }
11203 { &hf_smb2_lock_flags,
11204 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
11205 NULL, 0, NULL, HFILL }
11208 { &hf_smb2_lock_flags_shared,
11209 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
11210 NULL, 0x00000001, NULL, HFILL }
11213 { &hf_smb2_lock_flags_exclusive,
11214 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
11215 NULL, 0x00000002, NULL, HFILL }
11218 { &hf_smb2_lock_flags_unlock,
11219 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
11220 NULL, 0x00000004, NULL, HFILL }
11223 { &hf_smb2_lock_flags_fail_immediately,
11224 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
11225 NULL, 0x00000010, NULL, HFILL }
11228 { &hf_smb2_error_context_count,
11229 { "Error Context Count", "smb2.error.context_count", FT_UINT8, BASE_DEC,
11230 NULL, 0, NULL, HFILL }
11233 { &hf_smb2_error_reserved,
11234 { "Reserved", "smb2.error.reserved", FT_UINT8, BASE_HEX,
11235 NULL, 0, NULL, HFILL }
11238 { &hf_smb2_error_byte_count,
11239 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
11240 NULL, 0, NULL, HFILL }
11243 { &hf_smb2_error_data,
11244 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
11245 NULL, 0, NULL, HFILL }
11248 { &hf_smb2_reserved,
11249 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
11250 NULL, 0, NULL, HFILL }
11253 { &hf_smb2_reserved_random,
11254 { "Reserved (Random)", "smb2.reserved.random", FT_BYTES, BASE_NONE,
11255 NULL, 0, "Reserved bytes, random data", HFILL }
11258 { &hf_smb2_root_directory_mbz,
11259 { "Root Dir Handle (MBZ)", "smb2.root_directory", FT_BYTES, BASE_NONE,
11260 NULL, 0, NULL, HFILL }
11263 { &hf_smb2_dhnq_buffer_reserved,
11264 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
11265 NULL, 0, NULL, HFILL }
11268 { &hf_smb2_dh2x_buffer_timeout,
11269 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
11270 NULL, 0, NULL, HFILL }
11273 { &hf_smb2_dh2x_buffer_flags,
11274 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
11275 NULL, 0, NULL, HFILL }
11278 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
11279 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
11280 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL }
11283 { &hf_smb2_dh2x_buffer_reserved,
11284 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
11285 NULL, 0, NULL, HFILL }
11288 { &hf_smb2_dh2x_buffer_create_guid,
11289 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
11290 NULL, 0, NULL, HFILL }
11293 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
11294 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
11295 NULL, 0, NULL, HFILL }
11298 { &hf_smb2_APP_INSTANCE_buffer_reserved,
11299 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
11300 NULL, 0, NULL, HFILL }
11303 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
11304 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
11305 NULL, 0, NULL, HFILL }
11308 { &hf_smb2_svhdx_open_device_context_version,
11309 { "Version", "smb2.svhdx_open_device_context.version", FT_UINT32, BASE_DEC,
11310 NULL, 0, NULL, HFILL }
11313 { &hf_smb2_svhdx_open_device_context_has_initiator_id,
11314 { "HasInitiatorId", "smb2.svhdx_open_device_context.initiator_has_id", FT_BOOLEAN, 8,
11315 TFS(&tfs_smb2_svhdx_has_initiator_id), 0, "Whether the host has an intiator", HFILL }
11318 { &hf_smb2_svhdx_open_device_context_reserved,
11319 { "Reserved", "smb2.svhdx_open_device_context.reserved", FT_BYTES, BASE_NONE,
11320 NULL, 0, NULL, HFILL }
11323 { &hf_smb2_svhdx_open_device_context_initiator_id,
11324 { "InitiatorId", "smb2.svhdx_open_device_context.initiator_id", FT_GUID, BASE_NONE,
11325 NULL, 0, NULL, HFILL }
11328 { &hf_smb2_svhdx_open_device_context_flags,
11329 { "Flags", "smb2.svhdx_open_device_context.flags", FT_UINT32, BASE_HEX,
11330 NULL, 0, NULL, HFILL }
11333 { &hf_smb2_svhdx_open_device_context_originator_flags,
11334 { "OriginatorFlags", "smb2.svhdx_open_device_context.originator_flags", FT_UINT32, BASE_HEX,
11335 VALS(originator_flags_vals), 0, NULL, HFILL }
11338 { &hf_smb2_svhdx_open_device_context_open_request_id,
11339 { "OpenRequestId","smb2.svhxd_open_device_context.open_request_id", FT_UINT64, BASE_HEX,
11340 NULL, 0, NULL, HFILL }
11343 { &hf_smb2_svhdx_open_device_context_initiator_host_name_len,
11344 { "HostNameLength", "smb2.svhxd_open_device_context.initiator_host_name_len", FT_UINT16, BASE_DEC,
11345 NULL, 0, NULL, HFILL }
11348 { &hf_smb2_svhdx_open_device_context_initiator_host_name,
11349 { "HostName", "smb2.svhdx_open_device_context.host_name", FT_STRING, BASE_NONE,
11350 NULL, 0, NULL, HFILL }
11353 { &hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
11354 { "VirtualDiskPropertiesInitialized", "smb2.svhdx_open_device_context.virtual_disk_properties_initialized", FT_BOOLEAN, 32,
11355 NULL, 0, "Whether VirtualSectorSize, PhysicalSectorSize, and VirtualSize fields are filled", HFILL }
11358 { &hf_smb2_svhdx_open_device_context_server_service_version,
11359 { "ServerServiceVersion", "smb2.svhdx_open_device_context.server_service_version", FT_UINT32, BASE_DEC,
11360 NULL, 0, "The current version of the protocol running on the server", HFILL }
11363 { &hf_smb2_svhdx_open_device_context_virtual_sector_size,
11364 { "VirtualSectorSize", "smb2.svhdx_open_device_context.virtual_sector_size", FT_UINT32, BASE_DEC,
11365 NULL, 0, "The virtual sector size of the virtual disk", HFILL }
11368 { &hf_smb2_svhdx_open_device_context_physical_sector_size,
11369 { "PhysicalSectorSize", "smb2.svhdx_open_device_context.physical_sector_size", FT_UINT32, BASE_DEC,
11370 NULL, 0, "The physical sector size of the virtual disk", HFILL }
11373 { &hf_smb2_svhdx_open_device_context_virtual_size,
11374 { "VirtualSize", "smb2.svhdx_open_device_context.virtual_size", FT_UINT64, BASE_DEC,
11375 NULL, 0, "The current length of the virtual disk, in bytes", HFILL }
11378 { &hf_smb2_posix_v1_version,
11379 { "Version", "smb2.posix_v1_version", FT_UINT32, BASE_DEC,
11380 NULL, 0, NULL, HFILL }
11383 { &hf_smb2_posix_v1_request,
11384 { "Request", "smb2.posix_request", FT_UINT32, BASE_HEX,
11385 NULL, 0, NULL, HFILL }
11388 { &hf_smb2_posix_v1_case_sensitive,
11389 { "Posix Case Sensitive File Names", "smb2.posix_case_sensitive", FT_UINT32, BASE_HEX,
11390 VALS(posix_case_sensitive_vals), 0x01, NULL, HFILL }
11393 { &hf_smb2_posix_v1_posix_lock,
11394 { "Posix Byte-Range Locks", "smb2.posix_locks", FT_UINT32, BASE_HEX,
11395 VALS(posix_locks_vals), 0x02, NULL, HFILL }
11398 { &hf_smb2_posix_v1_posix_file_semantics,
11399 { "Posix File Semantics", "smb2.posix_file_semantics", FT_UINT32, BASE_HEX,
11400 VALS(posix_file_semantics_vals), 0x04, NULL, HFILL }
11403 { &hf_smb2_posix_v1_posix_utf8_paths,
11404 { "Posix UTF8 Paths", "smb2.posix_utf8_paths", FT_UINT32, BASE_HEX,
11405 VALS(posix_utf8_paths_vals), 0x08, NULL, HFILL }
11408 { &hf_smb2_posix_v1_posix_will_convert_nt_acls,
11409 { "Posix Will Convert NT ACLs", "smb2.will_convert_NTACLs", FT_UINT32, BASE_HEX,
11410 VALS(posix_will_convert_ntacls_vals), 0x10, NULL, HFILL }
11413 { &hf_smb2_posix_v1_posix_fileinfo,
11414 { "Posix Fileinfo", "smb2.posix_fileinfo", FT_UINT32, BASE_HEX,
11415 VALS(posix_fileinfo_vals), 0x20, NULL, HFILL }
11418 { &hf_smb2_posix_v1_posix_acls,
11419 { "Posix ACLs", "smb2.posix_acls", FT_UINT32, BASE_HEX,
11420 VALS(posix_acls_vals), 0x40, NULL, HFILL }
11423 { &hf_smb2_posix_v1_rich_acls,
11424 { "Rich ACLs", "smb2.rich_acls", FT_UINT32, BASE_HEX,
11425 VALS(posix_rich_acls_vals), 0x80, NULL, HFILL }
11428 { &hf_smb2_posix_v1_supported_features,
11429 { "Supported Features", "smb2.posix_supported_features", FT_UINT32, BASE_HEX,
11430 NULL, 0, NULL, HFILL }
11433 { &hf_smb2_aapl_command_code,
11434 { "Command code", "smb2.aapl.command_code", FT_UINT32, BASE_DEC,
11435 VALS(aapl_command_code_vals), 0, NULL, HFILL }
11438 { &hf_smb2_aapl_reserved,
11439 { "Reserved", "smb2.aapl.reserved", FT_UINT32, BASE_HEX,
11440 NULL, 0, NULL, HFILL }
11443 { &hf_smb2_aapl_server_query_bitmask,
11444 { "Query bitmask", "smb2.aapl.query_bitmask", FT_UINT64, BASE_HEX,
11445 NULL, 0, NULL, HFILL }
11448 { &hf_smb2_aapl_server_query_bitmask_server_caps,
11449 { "Server capabilities", "smb2.aapl.bitmask.server_caps", FT_BOOLEAN, 64,
11450 NULL, SMB2_AAPL_SERVER_CAPS, NULL, HFILL }
11453 { &hf_smb2_aapl_server_query_bitmask_volume_caps,
11454 { "Volume capabilities", "smb2.aapl.bitmask.volume_caps", FT_BOOLEAN, 64,
11455 NULL, SMB2_AAPL_VOLUME_CAPS, NULL, HFILL }
11458 { &hf_smb2_aapl_server_query_bitmask_model_info,
11459 { "Model information", "smb2.aapl.bitmask.model_info", FT_BOOLEAN, 64,
11460 NULL, SMB2_AAPL_MODEL_INFO, NULL, HFILL }
11463 { &hf_smb2_aapl_server_query_caps,
11464 { "Client/Server capabilities", "smb2.aapl.caps", FT_UINT64, BASE_HEX,
11465 NULL, 0, NULL, HFILL }
11468 { &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
11469 { "Supports READDIRATTR", "smb2.aapl.caps.supports_read_dir_addr", FT_BOOLEAN, 64,
11470 NULL, SMB2_AAPL_SUPPORTS_READ_DIR_ATTR, NULL, HFILL }
11473 { &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
11474 { "Supports macOS copyfile", "smb2.aapl.caps.supports_osx_copyfile", FT_BOOLEAN, 64,
11475 NULL, SMB2_AAPL_SUPPORTS_OSX_COPYFILE, NULL, HFILL }
11478 { &hf_smb2_aapl_server_query_caps_unix_based,
11479 { "UNIX-based", "smb2.aapl.caps.unix_based", FT_BOOLEAN, 64,
11480 NULL, SMB2_AAPL_UNIX_BASED, NULL, HFILL }
11483 { &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
11484 { "Supports NFS ACE", "smb2.aapl.supports_nfs_ace", FT_BOOLEAN, 64,
11485 NULL, SMB2_AAPL_SUPPORTS_NFS_ACE, NULL, HFILL }
11488 { &hf_smb2_aapl_server_query_volume_caps,
11489 { "Volume capabilities", "smb2.aapl.volume_caps", FT_UINT64, BASE_HEX,
11490 NULL, 0, NULL, HFILL }
11493 { &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
11494 { "Supports Resolve ID", "smb2.aapl.volume_caps.supports_resolve_id", FT_BOOLEAN, 64,
11495 NULL, SMB2_AAPL_SUPPORTS_RESOLVE_ID, NULL, HFILL }
11498 { &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
11499 { "Case sensitive", "smb2.aapl.volume_caps.case_sensitive", FT_BOOLEAN, 64,
11500 NULL, SMB2_AAPL_CASE_SENSITIVE, NULL, HFILL }
11503 { &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
11504 { "Supports full sync", "smb2.aapl.volume_caps.supports_full_sync", FT_BOOLEAN, 64,
11505 NULL, SMB2_AAPL_SUPPORTS_FULL_SYNC, NULL, HFILL }
11508 { &hf_smb2_aapl_server_query_model_string,
11509 { "Model string", "smb2.aapl.model_string", FT_UINT_STRING, STR_UNICODE,
11510 NULL, 0, NULL, HFILL }
11513 { &hf_smb2_aapl_server_query_server_path,
11514 { "Server path", "smb2.aapl.server_path", FT_UINT_STRING, STR_UNICODE,
11515 NULL, 0, NULL, HFILL }
11518 { &hf_smb2_transform_signature,
11519 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
11520 NULL, 0, NULL, HFILL }
11523 { &hf_smb2_transform_nonce,
11524 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
11525 NULL, 0, NULL, HFILL }
11528 { &hf_smb2_transform_msg_size,
11529 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
11530 NULL, 0, NULL, HFILL }
11533 { &hf_smb2_transform_reserved,
11534 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
11535 NULL, 0, NULL, HFILL }
11538 { &hf_smb2_transform_enc_alg,
11539 { "Encryption ALG", "smb2.header.transform.encryption_alg", FT_UINT16, BASE_HEX,
11540 NULL, 0, NULL, HFILL }
11543 { &hf_smb2_encryption_aes128_ccm,
11544 { "SMB2_ENCRYPTION_AES128_CCM", "smb2.header.transform.enc_aes128_ccm", FT_BOOLEAN, 16,
11545 NULL, ENC_ALG_aes128_ccm, NULL, HFILL }
11548 { &hf_smb2_transform_encrypted_data,
11549 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
11550 NULL, 0, NULL, HFILL }
11553 { &hf_smb2_server_component_smb2,
11554 { "Server Component: SMB2", "smb2.server_component_smb2", FT_NONE, BASE_NONE,
11555 NULL, 0, NULL, HFILL }
11558 { &hf_smb2_server_component_smb2_transform,
11559 { "Server Component: SMB2_TRANSFORM", "smb2.server_component_smb2_transform", FT_NONE, BASE_NONE,
11560 NULL, 0, NULL, HFILL }
11563 { &hf_smb2_truncated,
11564 { "Truncated...", "smb2.truncated", FT_NONE, BASE_NONE,
11565 NULL, 0, NULL, HFILL }
11568 { &hf_smb2_pipe_fragment_overlap,
11569 { "Fragment overlap", "smb2.pipe.fragment.overlap", FT_BOOLEAN, BASE_NONE,
11570 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }
11573 { &hf_smb2_pipe_fragment_overlap_conflict,
11574 { "Conflicting data in fragment overlap", "smb2.pipe.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE,
11575 NULL, 0x0, NULL, HFILL }
11578 { &hf_smb2_pipe_fragment_multiple_tails,
11579 { "Multiple tail fragments found", "smb2.pipe.fragment.multipletails", FT_BOOLEAN, BASE_NONE,
11580 NULL, 0x0, "Several tails were found when defragmenting the packet", HFILL }
11583 { &hf_smb2_pipe_fragment_too_long_fragment,
11584 { "Fragment too long", "smb2.pipe.fragment.toolongfragment", FT_BOOLEAN, BASE_NONE,
11585 NULL, 0x0, "Fragment contained data past end of packet", HFILL }
11588 { &hf_smb2_pipe_fragment_error,
11589 { "Defragmentation error", "smb2.pipe.fragment.error", FT_FRAMENUM, BASE_NONE,
11590 NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }
11593 { &hf_smb2_pipe_fragment_count,
11594 { "Fragment count", "smb2.pipe.fragment.count", FT_UINT32, BASE_DEC,
11595 NULL, 0x0, NULL, HFILL }
11598 { &hf_smb2_pipe_fragment,
11599 { "Fragment SMB2 Named Pipe", "smb2.pipe.fragment", FT_FRAMENUM, BASE_NONE,
11600 NULL, 0x0, NULL, HFILL }
11603 { &hf_smb2_pipe_fragments,
11604 { "Reassembled SMB2 Named Pipe fragments", "smb2.pipe.fragments", FT_NONE, BASE_NONE,
11605 NULL, 0x0, NULL, HFILL }
11608 { &hf_smb2_pipe_reassembled_in,
11609 { "This SMB2 Named Pipe payload is reassembled in frame", "smb2.pipe.reassembled_in", FT_FRAMENUM, BASE_NONE,
11610 NULL, 0x0, "The Named Pipe PDU is completely reassembled in this frame", HFILL }
11613 { &hf_smb2_pipe_reassembled_length,
11614 { "Reassembled SMB2 Named Pipe length", "smb2.pipe.reassembled.length", FT_UINT32, BASE_DEC,
11615 NULL, 0x0, "The total length of the reassembled payload", HFILL }
11618 { &hf_smb2_pipe_reassembled_data,
11619 { "Reassembled SMB2 Named Pipe Data", "smb2.pipe.reassembled.data", FT_BYTES, BASE_NONE,
11620 NULL, 0x0, "The reassembled payload", HFILL }
11623 { &hf_smb2_cchunk_resume_key,
11624 { "ResumeKey", "smb2.fsctl.cchunk.resume_key", FT_BYTES, BASE_NONE,
11625 NULL, 0x0, "Opaque data representing source of copy", HFILL }
11628 { &hf_smb2_cchunk_count,
11629 { "Chunk Count", "smb2.fsctl.cchunk.count", FT_UINT32, BASE_DEC,
11630 NULL, 0x0, NULL, HFILL }
11633 { &hf_smb2_cchunk_src_offset,
11634 { "Source Offset", "smb2.fsctl.cchunk.src_offset", FT_UINT64, BASE_DEC,
11635 NULL, 0x0, NULL, HFILL }
11638 { &hf_smb2_cchunk_dst_offset,
11639 { "Target Offset", "smb2.fsctl.cchunk.dst_offset", FT_UINT64, BASE_DEC,
11640 NULL, 0x0, NULL, HFILL }
11643 { &hf_smb2_cchunk_xfer_len,
11644 { "Transfer Length", "smb2.fsctl.cchunk.xfer_len", FT_UINT32, BASE_DEC,
11645 NULL, 0x0, NULL, HFILL }
11648 { &hf_smb2_cchunk_chunks_written,
11649 { "Chunks Written", "smb2.fsctl.cchunk.chunks_written", FT_UINT32, BASE_DEC,
11650 NULL, 0x0, NULL, HFILL }
11653 { &hf_smb2_cchunk_bytes_written,
11654 { "Chunk Bytes Written", "smb2.fsctl.cchunk.bytes_written", FT_UINT32, BASE_DEC,
11655 NULL, 0x0, NULL, HFILL }
11658 { &hf_smb2_cchunk_total_written,
11659 { "Total Bytes Written", "smb2.fsctl.cchunk.total_written", FT_UINT32, BASE_DEC,
11660 NULL, 0x0, NULL, HFILL }
11663 { &hf_smb2_symlink_error_response,
11664 { "Symbolic Link Error Response", "smb2.symlink_error_response", FT_NONE, BASE_NONE,
11665 NULL, 0, NULL, HFILL }
11668 { &hf_smb2_symlink_length,
11669 { "SymLink Length", "smb2.symlink.length", FT_UINT32,
11670 BASE_DEC, NULL, 0x0, NULL, HFILL }
11673 { &hf_smb2_symlink_error_tag,
11674 { "SymLink Error Tag", "smb2.symlink.error_tag", FT_UINT32,
11675 BASE_HEX, NULL, 0x0, NULL, HFILL }
11678 { &hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER,
11679 { "SYMBOLIC_LINK_REPARSE_DATA_BUFFER", "smb2.SYMBOLIC_LINK_REPARSE_DATA_BUFFER", FT_NONE, BASE_NONE,
11680 NULL, 0, NULL, HFILL }
11682 { &hf_smb2_reparse_tag,
11683 { "Reparse Tag", "smb2.symlink.reparse_tag", FT_UINT32, BASE_HEX,
11684 NULL, 0x0, NULL, HFILL }
11686 { &hf_smb2_reparse_data_length,
11687 { "Reparse Data Length", "smb2.symlink.reparse_data_length", FT_UINT16, BASE_DEC,
11688 NULL, 0x0, NULL, HFILL }
11690 { &hf_smb2_unparsed_path_length,
11691 { "Unparsed Path Length", "smb2.symlink.unparsed_path_length", FT_UINT16, BASE_DEC,
11692 NULL, 0x0, NULL, HFILL }
11694 { &hf_smb2_symlink_substitute_name,
11695 { "Substitute Name", "smb2.symlink.substitute_name", FT_STRING, BASE_NONE,
11696 NULL, 0x0, NULL, HFILL }
11698 { &hf_smb2_symlink_print_name,
11699 { "Print Name", "smb2.symlink.print_name", FT_STRING, BASE_NONE,
11700 NULL, 0x0, NULL, HFILL }
11702 { &hf_smb2_symlink_flags,
11703 { "Flags", "smb2.symlink.flags", FT_UINT32, BASE_DEC,
11704 NULL, 0x0, NULL, HFILL }
11708 static gint *ett[] = {
11713 &ett_smb2_encrypted,
11716 &ett_smb2_negotiate_context_element,
11717 &ett_smb2_file_basic_info,
11718 &ett_smb2_file_standard_info,
11719 &ett_smb2_file_internal_info,
11720 &ett_smb2_file_ea_info,
11721 &ett_smb2_file_access_info,
11722 &ett_smb2_file_rename_info,
11723 &ett_smb2_file_disposition_info,
11724 &ett_smb2_file_position_info,
11725 &ett_smb2_file_full_ea_info,
11726 &ett_smb2_file_mode_info,
11727 &ett_smb2_file_alignment_info,
11728 &ett_smb2_file_all_info,
11729 &ett_smb2_file_allocation_info,
11730 &ett_smb2_file_endoffile_info,
11731 &ett_smb2_file_alternate_name_info,
11732 &ett_smb2_file_stream_info,
11733 &ett_smb2_file_pipe_info,
11734 &ett_smb2_file_compression_info,
11735 &ett_smb2_file_network_open_info,
11736 &ett_smb2_file_attribute_tag_info,
11737 &ett_smb2_fs_info_01,
11738 &ett_smb2_fs_info_03,
11739 &ett_smb2_fs_info_04,
11740 &ett_smb2_fs_info_05,
11741 &ett_smb2_fs_info_06,
11742 &ett_smb2_fs_info_07,
11743 &ett_smb2_fs_objectid_info,
11744 &ett_smb2_sec_info_00,
11745 &ett_smb2_quota_info,
11746 &ett_smb2_query_quota_info,
11747 &ett_smb2_tid_tree,
11748 &ett_smb2_sesid_tree,
11749 &ett_smb2_create_chain_element,
11750 &ett_smb2_MxAc_buffer,
11751 &ett_smb2_QFid_buffer,
11752 &ett_smb2_RqLs_buffer,
11753 &ett_smb2_ioctl_function,
11754 &ett_smb2_FILE_OBJECTID_BUFFER,
11756 &ett_smb2_sec_mode,
11757 &ett_smb2_capabilities,
11758 &ett_smb2_ses_req_flags,
11759 &ett_smb2_ses_flags,
11760 &ett_smb2_create_rep_flags,
11761 &ett_smb2_lease_state,
11762 &ett_smb2_lease_flags,
11763 &ett_smb2_share_flags,
11764 &ett_smb2_share_caps,
11765 &ett_smb2_ioctl_flags,
11766 &ett_smb2_ioctl_network_interface,
11767 &ett_smb2_ioctl_sqos_opeations,
11768 &ett_smb2_fsctl_range_data,
11769 &ett_windows_sockaddr,
11770 &ett_smb2_close_flags,
11771 &ett_smb2_notify_info,
11772 &ett_smb2_notify_flags,
11774 &ett_smb2_write_flags,
11775 &ett_smb2_find_flags,
11776 &ett_smb2_file_directory_info,
11777 &ett_smb2_both_directory_info,
11778 &ett_smb2_id_both_directory_info,
11779 &ett_smb2_full_directory_info,
11780 &ett_smb2_file_name_info,
11781 &ett_smb2_lock_info,
11782 &ett_smb2_lock_flags,
11783 &ett_smb2_DH2Q_buffer,
11784 &ett_smb2_DH2C_buffer,
11785 &ett_smb2_dh2x_flags,
11786 &ett_smb2_APP_INSTANCE_buffer,
11787 &ett_smb2_svhdx_open_device_context,
11788 &ett_smb2_posix_v1_request,
11789 &ett_smb2_posix_v1_response,
11790 &ett_smb2_posix_v1_supported_features,
11791 &ett_smb2_aapl_create_context_request,
11792 &ett_smb2_aapl_server_query_bitmask,
11793 &ett_smb2_aapl_server_query_caps,
11794 &ett_smb2_aapl_create_context_response,
11795 &ett_smb2_aapl_server_query_volume_caps,
11796 &ett_smb2_integrity_flags,
11797 &ett_smb2_transform_enc_alg,
11798 &ett_smb2_buffercode,
11799 &ett_smb2_ioctl_network_interface_capabilities,
11801 &ett_smb2_pipe_fragment,
11802 &ett_smb2_pipe_fragments,
11803 &ett_smb2_cchunk_entry,
11804 &ett_smb2_fsctl_odx_token,
11805 &ett_smb2_symlink_error_response,
11806 &ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER,
11807 &ett_smb2_error_data,
11810 static ei_register_info ei[] = {
11811 { &ei_smb2_invalid_length, { "smb2.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
11812 { &ei_smb2_bad_response, { "smb2.bad_response", PI_MALFORMED, PI_ERROR, "Bad response", EXPFILL }},
11813 { &ei_smb2_invalid_getinfo_offset, { "smb2.invalid_getinfo_offset", PI_MALFORMED, PI_ERROR, "Input buffer offset isn't past the fixed data in the message", EXPFILL }},
11814 { &ei_smb2_invalid_getinfo_size, { "smb2.invalid_getinfo_size", PI_MALFORMED, PI_ERROR, "Input buffer length goes past the end of the message", EXPFILL }},
11815 { &ei_smb2_empty_getinfo_buffer, { "smb2.empty_getinfo_buffer", PI_PROTOCOL, PI_WARN, "Input buffer length is empty for a quota request", EXPFILL }},
11818 expert_module_t* expert_smb2;
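11820 /* SessionID <=> SessionKey mappings for decryption. NOTE(review): the values in this table are secret session keys; the UAT created below is given the file name "smb2_seskey_list", so the keys are presumably saved alongside the user's other preferences - confirm how that file is protected before sharing a profile. */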
11823 static uat_field_t seskey_uat_fields[] = {
11824 UAT_FLD_BUFFER(seskey_list, id, "Session ID", "The session ID buffer, coded as hex string, as it appears on the wire (LE)."),
11825 UAT_FLD_BUFFER(seskey_list, key, "Session Key", "The secret session key buffer, coded as 16-byte hex string as it appears on the wire (LE)."),
11829 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
11831 proto_register_subtree_array(ett, array_length(ett));
11832 proto_register_field_array(proto_smb2, hf, array_length(hf));
11833 expert_smb2 = expert_register_protocol(proto_smb2);
11834 expert_register_field_array(expert_smb2, ei, array_length(ei));
11836 smb2_module = prefs_register_protocol(proto_smb2, NULL);
11837 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
11838 "Use the full file name as File ID when exporting an SMB2 object",
11839 "Whether the export object functionality will take the full path file name as file identifier",
11840 &eosmb2_take_name_as_fid);
11842 prefs_register_bool_preference(smb2_module, "pipe_reassembly",
11843 "Reassemble Named Pipes over SMB2",
11844 "Whether the dissector should reassemble Named Pipes over SMB2 commands",
11845 &smb2_pipe_reassembly);
11847 seskey_uat = uat_new("Secret session key to use for decryption",
11848 sizeof(smb2_seskey_field_t),
11849 "smb2_seskey_list",
11853 (UAT_AFFECTS_DISSECTION | UAT_AFFECTS_FIELDS),
11855 seskey_list_copy_cb,
11856 seskey_list_update_cb,
11857 seskey_list_free_cb,
11860 seskey_uat_fields);
11862 prefs_register_uat_preference(smb2_module,
11864 "Secret session keys for decryption",
11865 "A table of Session ID to Session key mappings used to derive decryption keys.",
11868 smb2_pipe_subdissector_list = register_heur_dissector_list("smb2_pipe_subdissectors", proto_smb2);
11870 * XXX - addresses_ports_reassembly_table_functions?
11871 * Probably correct for SMB-over-NBT and SMB-over-TCP,
11872 * as stuff from two different connections should
11873 * probably not be combined, but what about other
11874 * transports for SMB, e.g. NBF or Netware?
11876 reassembly_table_register(&smb2_pipe_reassembly_table,
11877 &addresses_reassembly_table_functions);
11879 smb2_tap = register_tap("smb2");
11880 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
11882 register_srt_table(proto_smb2, NULL, 1, smb2stat_packet, smb2stat_init, NULL);
/*
 * Handoff routine for the SMB2 dissector.
 *
 * Resolves the dissectors SMB2 hands payloads to ("gssapi", "ntlmssp" and
 * "rsvd"), recording each one as a dependency of proto_smb2 and keeping the
 * returned handle in a variable declared outside this function.  It then
 * attaches dissect_smb2_heur to the "netbios" and "smb_direct" heuristic
 * lists.  Both heuristics are registered with HEURISTIC_ENABLE, i.e. they
 * are switched on by default, so traffic on those transports is offered to
 * the SMB2 dissector without any user action.
 */
void
proto_reg_handoff_smb2(void)
{
	/* One row per heuristic list that dissect_smb2_heur is attached to. */
	static const struct {
		const char *list_name;
		const char *display_name;
		const char *internal_name;
	} heur_transports[] = {
		{ "netbios",    "SMB2 over Netbios",    "smb2_netbios" },
		{ "smb_direct", "SMB2 over SMB Direct", "smb2_smb_direct" },
	};
	size_t idx;

	/* Sub-dissector handles, looked up by their registered names. */
	gssapi_handle  = find_dissector_add_dependency("gssapi", proto_smb2);
	ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smb2);
	rsvd_handle    = find_dissector_add_dependency("rsvd", proto_smb2);

	/* Same registration order as the table above: netbios, then smb_direct. */
	for (idx = 0; idx < sizeof(heur_transports) / sizeof(heur_transports[0]); idx++) {
		heur_dissector_add(heur_transports[idx].list_name,
				   dissect_smb2_heur,
				   heur_transports[idx].display_name,
				   heur_transports[idx].internal_name,
				   proto_smb2,
				   HEURISTIC_ENABLE);
	}
}
11896 * Editor modelines - http://www.wireshark.org/tools/modelines.html
11899 * c-basic-offset: 8
11901 * indent-tabs-mode: t
11904 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
11905 * :indentSize=8:tabSize=8:noTabs=false: