2 * Routines for smb2 packet dissection
5 * For documentation of this protocol, see:
7 * https://wiki.wireshark.org/SMB2
8 * https://msdn.microsoft.com/en-us/library/cc246482.aspx
10 * If you edit this file, keep the wiki updated as well.
12 * Wireshark - Network traffic analyzer
13 * By Gerald Combs <gerald@wireshark.org>
14 * Copyright 1998 Gerald Combs
16 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License
18 * as published by the Free Software Foundation; either version 2
19 * of the License, or (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #include <epan/packet.h>
35 #include <epan/prefs.h>
36 #include <epan/expert.h>
38 #include <epan/srt_table.h>
39 #include <epan/aftypes.h>
40 #include <epan/to_str.h>
41 #include <epan/asn1.h>
42 #include <epan/reassemble.h>
44 #include "packet-smb2.h"
45 #include "packet-ntlmssp.h"
46 #include "packet-kerberos.h"
47 #include "packet-windows-common.h"
48 #include "packet-smb-common.h"
49 #include "packet-dcerpc-nt.h"
51 #include "read_keytab_file.h"
53 #include <wsutil/wsgcrypt.h>
/* NT status code 0x00000103 (STATUS_PENDING). Its uses are outside this excerpt. */
55 #define NT_STATUS_PENDING 0x00000103
/* Registration entry points; only the prototypes are visible in this excerpt. */
57 void proto_register_smb2(void);
58 void proto_reg_handoff_smb2(void);
/* Display labels for the plain SMB2 header and the SMB2 Transform Header. */
60 static const char smb_header_label[] = "SMB2 Header";
61 static const char smb_transform_header_label[] = "SMB2 Transform Header";
/*
 * Protocol handle and header-field (hf) handles for the SMB2 dissector.
 * Every handle starts at -1 and nothing in this excerpt assigns it;
 * presumably proto_register_smb2() (prototype above) fills them in --
 * confirm against the registration code.
 * NOTE(review): many of these fields display sizes, offsets and counts.
 * A dissector should treat such values as untrusted capture data; the code
 * that bounds-checks them is outside this excerpt.
 */
63 static int proto_smb2 = -1;
64 static int hf_smb2_cmd = -1;
65 static int hf_smb2_nt_status = -1;
66 static int hf_smb2_response_to = -1;
67 static int hf_smb2_response_in = -1;
68 static int hf_smb2_time = -1;
69 static int hf_smb2_header_len = -1;
70 static int hf_smb2_msg_id = -1;
71 static int hf_smb2_pid = -1;
72 static int hf_smb2_tid = -1;
73 static int hf_smb2_aid = -1;
74 static int hf_smb2_sesid = -1;
75 static int hf_smb2_previous_sesid = -1;
76 static int hf_smb2_flags_response = -1;
77 static int hf_smb2_flags_async_cmd = -1;
78 static int hf_smb2_flags_dfs_op = -1;
79 static int hf_smb2_flags_chained = -1;
80 static int hf_smb2_flags_signature = -1;
81 static int hf_smb2_flags_replay_operation = -1;
82 static int hf_smb2_flags_priority_mask = -1;
83 static int hf_smb2_chain_offset = -1;
84 static int hf_smb2_security_blob = -1;
85 static int hf_smb2_ioctl_in_data = -1;
86 static int hf_smb2_ioctl_out_data = -1;
87 static int hf_smb2_unknown = -1;
88 static int hf_smb2_root_directory_mbz = -1;
89 static int hf_smb2_twrp_timestamp = -1;
90 static int hf_smb2_mxac_timestamp = -1;
91 static int hf_smb2_mxac_status = -1;
92 static int hf_smb2_qfid_fid = -1;
93 static int hf_smb2_create_timestamp = -1;
94 static int hf_smb2_oplock = -1;
95 static int hf_smb2_close_flags = -1;
96 static int hf_smb2_notify_flags = -1;
97 static int hf_smb2_last_access_timestamp = -1;
98 static int hf_smb2_last_write_timestamp = -1;
99 static int hf_smb2_last_change_timestamp = -1;
100 static int hf_smb2_current_time = -1;
101 static int hf_smb2_boot_time = -1;
102 static int hf_smb2_filename = -1;
103 static int hf_smb2_filename_len = -1;
104 static int hf_smb2_replace_if = -1;
105 static int hf_smb2_nlinks = -1;
106 static int hf_smb2_delete_pending = -1;
107 static int hf_smb2_is_directory = -1;
108 static int hf_smb2_file_id = -1;
109 static int hf_smb2_allocation_size = -1;
110 static int hf_smb2_end_of_file = -1;
111 static int hf_smb2_tree = -1;
112 static int hf_smb2_find_pattern = -1;
113 static int hf_smb2_find_info_level = -1;
114 static int hf_smb2_find_info_blob = -1;
115 static int hf_smb2_client_guid = -1;
116 static int hf_smb2_server_guid = -1;
117 static int hf_smb2_object_id = -1;
118 static int hf_smb2_birth_volume_id = -1;
119 static int hf_smb2_birth_object_id = -1;
120 static int hf_smb2_domain_id = -1;
121 static int hf_smb2_class = -1;
122 static int hf_smb2_infolevel = -1;
123 static int hf_smb2_infolevel_file_info = -1;
124 static int hf_smb2_infolevel_fs_info = -1;
125 static int hf_smb2_infolevel_sec_info = -1;
126 static int hf_smb2_infolevel_posix_info = -1;
127 static int hf_smb2_max_response_size = -1;
128 static int hf_smb2_max_ioctl_in_size = -1;
129 static int hf_smb2_max_ioctl_out_size = -1;
130 static int hf_smb2_flags = -1;
131 static int hf_smb2_required_buffer_size = -1;
132 static int hf_smb2_getinfo_size = -1;
133 static int hf_smb2_getinfo_offset = -1;
134 static int hf_smb2_getinfo_additional = -1;
135 static int hf_smb2_getinfo_flags = -1;
136 static int hf_smb2_setinfo_size = -1;
137 static int hf_smb2_setinfo_offset = -1;
138 static int hf_smb2_file_basic_info = -1;
139 static int hf_smb2_file_standard_info = -1;
140 static int hf_smb2_file_internal_info = -1;
141 static int hf_smb2_file_ea_info = -1;
142 static int hf_smb2_file_access_info = -1;
143 static int hf_smb2_file_rename_info = -1;
144 static int hf_smb2_file_disposition_info = -1;
145 static int hf_smb2_file_position_info = -1;
146 static int hf_smb2_file_full_ea_info = -1;
147 static int hf_smb2_file_mode_info = -1;
148 static int hf_smb2_file_alignment_info = -1;
149 static int hf_smb2_file_all_info = -1;
150 static int hf_smb2_file_allocation_info = -1;
151 static int hf_smb2_file_endoffile_info = -1;
152 static int hf_smb2_file_alternate_name_info = -1;
153 static int hf_smb2_file_stream_info = -1;
154 static int hf_smb2_file_pipe_info = -1;
155 static int hf_smb2_file_compression_info = -1;
156 static int hf_smb2_file_network_open_info = -1;
157 static int hf_smb2_file_attribute_tag_info = -1;
158 static int hf_smb2_fs_info_01 = -1;
159 static int hf_smb2_fs_info_03 = -1;
160 static int hf_smb2_fs_info_04 = -1;
161 static int hf_smb2_fs_info_05 = -1;
162 static int hf_smb2_fs_info_06 = -1;
163 static int hf_smb2_fs_info_07 = -1;
164 static int hf_smb2_fs_objectid_info = -1;
165 static int hf_smb2_sec_info_00 = -1;
166 static int hf_smb2_quota_info = -1;
167 static int hf_smb2_query_quota_info = -1;
168 static int hf_smb2_qq_single = -1;
169 static int hf_smb2_qq_restart = -1;
170 static int hf_smb2_qq_sidlist_len = -1;
171 static int hf_smb2_qq_start_sid_len = -1;
172 static int hf_smb2_qq_start_sid_offset = -1;
173 static int hf_smb2_fid = -1;
174 static int hf_smb2_write_length = -1;
175 static int hf_smb2_write_data = -1;
176 static int hf_smb2_write_flags = -1;
177 static int hf_smb2_write_flags_write_through = -1;
178 static int hf_smb2_write_count = -1;
179 static int hf_smb2_write_remaining = -1;
180 static int hf_smb2_read_length = -1;
181 static int hf_smb2_read_remaining = -1;
182 static int hf_smb2_file_offset = -1;
183 static int hf_smb2_qfr_length = -1;
184 static int hf_smb2_qfr_usage = -1;
185 static int hf_smb2_qfr_flags = -1;
186 static int hf_smb2_qfr_total_region_entry_count = -1;
187 static int hf_smb2_qfr_region_entry_count = -1;
188 static int hf_smb2_read_data = -1;
189 static int hf_smb2_disposition_delete_on_close = -1;
190 static int hf_smb2_create_disposition = -1;
191 static int hf_smb2_create_chain_offset = -1;
192 static int hf_smb2_create_chain_data = -1;
193 static int hf_smb2_data_offset = -1;
194 static int hf_smb2_extrainfo = -1;
195 static int hf_smb2_create_action = -1;
196 static int hf_smb2_create_rep_flags = -1;
197 static int hf_smb2_create_rep_flags_reparse_point = -1;
198 static int hf_smb2_next_offset = -1;
199 static int hf_smb2_negotiate_context_type = -1;
200 static int hf_smb2_negotiate_context_data_length = -1;
201 static int hf_smb2_negotiate_context_offset = -1;
202 static int hf_smb2_negotiate_context_count = -1;
203 static int hf_smb2_ea_size = -1;
204 static int hf_smb2_ea_flags = -1;
205 static int hf_smb2_ea_name_len = -1;
206 static int hf_smb2_ea_data_len = -1;
207 static int hf_smb2_ea_name = -1;
208 static int hf_smb2_ea_data = -1;
209 static int hf_smb2_buffer_code = -1;
210 static int hf_smb2_buffer_code_len = -1;
211 static int hf_smb2_buffer_code_flags_dyn = -1;
212 static int hf_smb2_olb_offset = -1;
213 static int hf_smb2_olb_length = -1;
214 static int hf_smb2_tag = -1;
215 static int hf_smb2_impersonation_level = -1;
216 static int hf_smb2_ioctl_function = -1;
217 static int hf_smb2_ioctl_function_device = -1;
218 static int hf_smb2_ioctl_function_access = -1;
219 static int hf_smb2_ioctl_function_function = -1;
220 static int hf_smb2_fsctl_pipe_wait_timeout = -1;
221 static int hf_smb2_fsctl_pipe_wait_name = -1;
223 static int hf_smb2_fsctl_odx_token_type = -1;
224 static int hf_smb2_fsctl_odx_token_idlen = -1;
225 static int hf_smb2_fsctl_odx_token_idraw = -1;
226 static int hf_smb2_fsctl_odx_token_ttl = -1;
227 static int hf_smb2_fsctl_odx_size = -1;
228 static int hf_smb2_fsctl_odx_flags = -1;
229 static int hf_smb2_fsctl_odx_file_offset = -1;
230 static int hf_smb2_fsctl_odx_copy_length = -1;
231 static int hf_smb2_fsctl_odx_xfer_length = -1;
232 static int hf_smb2_fsctl_odx_token_offset = -1;
234 static int hf_smb2_fsctl_sparse_flag = -1;
235 static int hf_smb2_fsctl_range_offset = -1;
236 static int hf_smb2_fsctl_range_length = -1;
237 static int hf_smb2_ioctl_function_method = -1;
238 static int hf_smb2_ioctl_resiliency_timeout = -1;
239 static int hf_smb2_ioctl_resiliency_reserved = -1;
240 static int hf_smb2_ioctl_shared_virtual_disk_support = -1;
241 static int hf_smb2_ioctl_shared_virtual_disk_handle_state = -1;
/*
 * Further header-field handles, all initialised to -1. Going by their names
 * they cover Windows sockaddr structures, FSCTL network-interface and
 * shadow-copy replies, leases, session setup, negotiate, share flags and
 * capabilities, notify, find, lock, create-context payloads (DH2x,
 * APP_INSTANCE, SVHDX, POSIX, AAPL) and error responses. Nothing in this
 * excerpt assigns them; the registration code is elsewhere in the file.
 */
242 static int hf_windows_sockaddr_family = -1;
243 static int hf_windows_sockaddr_port = -1;
244 static int hf_windows_sockaddr_in_addr = -1;
245 static int hf_windows_sockaddr_in6_flowinfo = -1;
246 static int hf_windows_sockaddr_in6_addr = -1;
247 static int hf_windows_sockaddr_in6_scope_id = -1;
248 static int hf_smb2_ioctl_network_interface_next_offset = -1;
249 static int hf_smb2_ioctl_network_interface_index = -1;
250 static int hf_smb2_ioctl_network_interface_rss_queue_count = -1;
251 static int hf_smb2_ioctl_network_interface_capabilities = -1;
252 static int hf_smb2_ioctl_network_interface_capability_rss = -1;
253 static int hf_smb2_ioctl_network_interface_capability_rdma = -1;
254 static int hf_smb2_ioctl_network_interface_link_speed = -1;
255 static int hf_smb2_ioctl_shadow_copy_num_volumes = -1;
256 static int hf_smb2_ioctl_shadow_copy_num_labels = -1;
257 static int hf_smb2_ioctl_shadow_copy_count = -1;
258 static int hf_smb2_ioctl_shadow_copy_label = -1;
259 static int hf_smb2_compression_format = -1;
260 static int hf_smb2_checksum_algorithm = -1;
261 static int hf_smb2_integrity_reserved = -1;
262 static int hf_smb2_integrity_flags = -1;
263 static int hf_smb2_integrity_flags_enforcement_off = -1;
264 static int hf_smb2_FILE_OBJECTID_BUFFER = -1;
265 static int hf_smb2_lease_key = -1;
266 static int hf_smb2_lease_state = -1;
267 static int hf_smb2_lease_state_read_caching = -1;
268 static int hf_smb2_lease_state_handle_caching = -1;
269 static int hf_smb2_lease_state_write_caching = -1;
270 static int hf_smb2_lease_flags = -1;
271 static int hf_smb2_lease_flags_break_ack_required = -1;
272 static int hf_smb2_lease_flags_parent_lease_key_set = -1;
273 static int hf_smb2_lease_flags_break_in_progress = -1;
274 static int hf_smb2_lease_duration = -1;
275 static int hf_smb2_parent_lease_key = -1;
276 static int hf_smb2_lease_epoch = -1;
277 static int hf_smb2_lease_reserved = -1;
278 static int hf_smb2_lease_break_reason = -1;
279 static int hf_smb2_lease_access_mask_hint = -1;
280 static int hf_smb2_lease_share_mask_hint = -1;
281 static int hf_smb2_acct_name = -1;
282 static int hf_smb2_domain_name = -1;
283 static int hf_smb2_host_name = -1;
284 static int hf_smb2_auth_frame = -1;
285 static int hf_smb2_tcon_frame = -1;
286 static int hf_smb2_share_type = -1;
287 static int hf_smb2_signature = -1;
288 static int hf_smb2_credit_charge = -1;
289 static int hf_smb2_credits_requested = -1;
290 static int hf_smb2_credits_granted = -1;
291 static int hf_smb2_channel_sequence = -1;
292 static int hf_smb2_dialect_count = -1;
293 static int hf_smb2_security_mode = -1;
294 static int hf_smb2_secmode_flags_sign_required = -1;
295 static int hf_smb2_secmode_flags_sign_enabled = -1;
296 static int hf_smb2_ses_req_flags = -1;
297 static int hf_smb2_ses_req_flags_session_binding = -1;
298 static int hf_smb2_capabilities = -1;
299 static int hf_smb2_cap_dfs = -1;
300 static int hf_smb2_cap_leasing = -1;
301 static int hf_smb2_cap_large_mtu = -1;
302 static int hf_smb2_cap_multi_channel = -1;
303 static int hf_smb2_cap_persistent_handles = -1;
304 static int hf_smb2_cap_directory_leasing = -1;
305 static int hf_smb2_cap_encryption = -1;
306 static int hf_smb2_dialect = -1;
307 static int hf_smb2_max_trans_size = -1;
308 static int hf_smb2_max_read_size = -1;
309 static int hf_smb2_max_write_size = -1;
310 static int hf_smb2_channel = -1;
311 static int hf_smb2_rdma_v1_offset = -1;
312 static int hf_smb2_rdma_v1_token = -1;
313 static int hf_smb2_rdma_v1_length = -1;
314 static int hf_smb2_session_flags = -1;
315 static int hf_smb2_ses_flags_guest = -1;
316 static int hf_smb2_ses_flags_null = -1;
317 static int hf_smb2_share_flags = -1;
318 static int hf_smb2_share_flags_dfs = -1;
319 static int hf_smb2_share_flags_dfs_root = -1;
320 static int hf_smb2_share_flags_restrict_exclusive_opens = -1;
321 static int hf_smb2_share_flags_force_shared_delete = -1;
322 static int hf_smb2_share_flags_allow_namespace_caching = -1;
323 static int hf_smb2_share_flags_access_based_dir_enum = -1;
324 static int hf_smb2_share_flags_force_levelii_oplock = -1;
325 static int hf_smb2_share_flags_enable_hash_v1 = -1;
326 static int hf_smb2_share_flags_enable_hash_v2 = -1;
327 static int hf_smb2_share_flags_encrypt_data = -1;
328 static int hf_smb2_share_caching = -1;
329 static int hf_smb2_share_caps = -1;
330 static int hf_smb2_share_caps_dfs = -1;
331 static int hf_smb2_share_caps_continuous_availability = -1;
332 static int hf_smb2_share_caps_scaleout = -1;
333 static int hf_smb2_share_caps_cluster = -1;
334 static int hf_smb2_create_flags = -1;
335 static int hf_smb2_lock_count = -1;
336 static int hf_smb2_min_count = -1;
337 static int hf_smb2_remaining_bytes = -1;
338 static int hf_smb2_channel_info_offset = -1;
339 static int hf_smb2_channel_info_length = -1;
340 static int hf_smb2_channel_info_blob = -1;
341 static int hf_smb2_ioctl_flags = -1;
342 static int hf_smb2_ioctl_is_fsctl = -1;
343 static int hf_smb2_close_pq_attrib = -1;
344 static int hf_smb2_notify_watch_tree = -1;
345 static int hf_smb2_output_buffer_len = -1;
346 static int hf_smb2_notify_out_data = -1;
347 static int hf_smb2_notify_info = -1;
348 static int hf_smb2_notify_next_offset = -1;
349 static int hf_smb2_notify_action = -1;
350 static int hf_smb2_find_flags = -1;
351 static int hf_smb2_find_flags_restart_scans = -1;
352 static int hf_smb2_find_flags_single_entry = -1;
353 static int hf_smb2_find_flags_index_specified = -1;
354 static int hf_smb2_find_flags_reopen = -1;
355 static int hf_smb2_file_index = -1;
356 static int hf_smb2_file_directory_info = -1;
357 static int hf_smb2_both_directory_info = -1;
358 static int hf_smb2_short_name_len = -1;
359 static int hf_smb2_short_name = -1;
360 static int hf_smb2_id_both_directory_info = -1;
361 static int hf_smb2_full_directory_info = -1;
362 static int hf_smb2_lock_info = -1;
363 static int hf_smb2_lock_length = -1;
364 static int hf_smb2_lock_flags = -1;
365 static int hf_smb2_lock_flags_shared = -1;
366 static int hf_smb2_lock_flags_exclusive = -1;
367 static int hf_smb2_lock_flags_unlock = -1;
368 static int hf_smb2_lock_flags_fail_immediately = -1;
369 static int hf_smb2_dhnq_buffer_reserved = -1;
370 static int hf_smb2_dh2x_buffer_timeout = -1;
371 static int hf_smb2_dh2x_buffer_flags = -1;
372 static int hf_smb2_dh2x_buffer_flags_persistent_handle = -1;
373 static int hf_smb2_dh2x_buffer_reserved = -1;
374 static int hf_smb2_dh2x_buffer_create_guid = -1;
375 static int hf_smb2_APP_INSTANCE_buffer_struct_size = -1;
376 static int hf_smb2_APP_INSTANCE_buffer_reserved = -1;
377 static int hf_smb2_APP_INSTANCE_buffer_app_guid = -1;
378 static int hf_smb2_svhdx_open_device_context_version = -1;
379 static int hf_smb2_svhdx_open_device_context_has_initiator_id = -1;
380 static int hf_smb2_svhdx_open_device_context_reserved = -1;
381 static int hf_smb2_svhdx_open_device_context_initiator_id = -1;
382 static int hf_smb2_svhdx_open_device_context_flags = -1;
383 static int hf_smb2_svhdx_open_device_context_originator_flags = -1;
384 static int hf_smb2_svhdx_open_device_context_open_request_id = -1;
385 static int hf_smb2_svhdx_open_device_context_initiator_host_name_len = -1;
386 static int hf_smb2_svhdx_open_device_context_initiator_host_name = -1;
387 static int hf_smb2_posix_v1_version = -1;
388 static int hf_smb2_posix_v1_request = -1;
389 static int hf_smb2_posix_v1_supported_features = -1;
390 static int hf_smb2_posix_v1_posix_lock = -1;
391 static int hf_smb2_posix_v1_posix_file_semantics = -1;
392 static int hf_smb2_posix_v1_posix_utf8_paths = -1;
393 static int hf_smb2_posix_v1_case_sensitive = -1;
394 static int hf_smb2_posix_v1_posix_will_convert_nt_acls = -1;
395 static int hf_smb2_posix_v1_posix_fileinfo = -1;
396 static int hf_smb2_posix_v1_posix_acls = -1;
397 static int hf_smb2_posix_v1_rich_acls = -1;
398 static int hf_smb2_aapl_command_code = -1;
399 static int hf_smb2_aapl_reserved = -1;
400 static int hf_smb2_aapl_server_query_bitmask = -1;
401 static int hf_smb2_aapl_server_query_bitmask_server_caps = -1;
402 static int hf_smb2_aapl_server_query_bitmask_volume_caps = -1;
403 static int hf_smb2_aapl_server_query_bitmask_model_info = -1;
404 static int hf_smb2_aapl_server_query_caps = -1;
405 static int hf_smb2_aapl_server_query_caps_supports_read_dir_attr = -1;
406 static int hf_smb2_aapl_server_query_caps_supports_osx_copyfile = -1;
407 static int hf_smb2_aapl_server_query_caps_unix_based = -1;
408 static int hf_smb2_aapl_server_query_caps_supports_nfs_ace = -1;
409 static int hf_smb2_aapl_server_query_volume_caps = -1;
410 static int hf_smb2_aapl_server_query_volume_caps_support_resolve_id = -1;
411 static int hf_smb2_aapl_server_query_volume_caps_case_sensitive = -1;
412 static int hf_smb2_aapl_server_query_volume_caps_supports_full_sync = -1;
413 static int hf_smb2_aapl_server_query_model_string = -1;
414 static int hf_smb2_aapl_server_query_server_path = -1;
415 static int hf_smb2_error_context_count = -1;
416 static int hf_smb2_error_reserved = -1;
417 static int hf_smb2_error_byte_count = -1;
418 static int hf_smb2_error_data = -1;
419 static int hf_smb2_reserved = -1;
420 static int hf_smb2_reserved_random = -1;
/*
 * Field handles for the SMB2 Transform Header (signature, nonce, message
 * size, encryption algorithm, encrypted data), going by their names.
 * All start at -1; assignment is outside this excerpt.
 */
421 static int hf_smb2_transform_signature = -1;
422 static int hf_smb2_transform_nonce = -1;
423 static int hf_smb2_transform_msg_size = -1;
424 static int hf_smb2_transform_reserved = -1;
425 static int hf_smb2_encryption_aes128_ccm = -1;
426 static int hf_smb2_transform_enc_alg = -1;
427 static int hf_smb2_transform_encrypted_data = -1;
428 static int hf_smb2_server_component_smb2 = -1;
429 static int hf_smb2_server_component_smb2_transform = -1;
430 static int hf_smb2_truncated = -1;
/*
 * Reassembly fields for SMB2 pipe fragments; smb2_pipe_frag_items further
 * down takes the address of each of these. The overlap, overlap_conflict,
 * multiple_tails, too_long_fragment and error handles name the anomaly
 * cases of reassembly.
 */
431 static int hf_smb2_pipe_fragments = -1;
432 static int hf_smb2_pipe_fragment = -1;
433 static int hf_smb2_pipe_fragment_overlap = -1;
434 static int hf_smb2_pipe_fragment_overlap_conflict = -1;
435 static int hf_smb2_pipe_fragment_multiple_tails = -1;
436 static int hf_smb2_pipe_fragment_too_long_fragment = -1;
437 static int hf_smb2_pipe_fragment_error = -1;
438 static int hf_smb2_pipe_fragment_count = -1;
439 static int hf_smb2_pipe_reassembled_in = -1;
440 static int hf_smb2_pipe_reassembled_length = -1;
441 static int hf_smb2_pipe_reassembled_data = -1;
/* Copy-chunk ("cchunk") request/response fields, per their names. */
442 static int hf_smb2_cchunk_resume_key = -1;
443 static int hf_smb2_cchunk_count = -1;
444 static int hf_smb2_cchunk_src_offset = -1;
445 static int hf_smb2_cchunk_dst_offset = -1;
446 static int hf_smb2_cchunk_xfer_len = -1;
447 static int hf_smb2_cchunk_chunks_written = -1;
448 static int hf_smb2_cchunk_bytes_written = -1;
449 static int hf_smb2_cchunk_total_written = -1;
/* Symlink error response and reparse-data fields, per their names. */
450 static int hf_smb2_symlink_error_response = -1;
451 static int hf_smb2_symlink_length = -1;
452 static int hf_smb2_symlink_error_tag = -1;
453 static int hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER = -1;
454 static int hf_smb2_reparse_tag = -1;
455 static int hf_smb2_reparse_data_length = -1;
456 static int hf_smb2_unparsed_path_length = -1;
457 static int hf_smb2_symlink_substitute_name = -1;
458 static int hf_smb2_symlink_print_name = -1;
459 static int hf_smb2_symlink_flags = -1;
/*
 * Subtree (ett) indices for the protocol tree nodes this dissector builds.
 * Like the hf handles they all start at -1 and are assigned outside this
 * excerpt (presumably during registration -- confirm).
 */
461 static gint ett_smb2 = -1;
462 static gint ett_smb2_olb = -1;
463 static gint ett_smb2_ea = -1;
464 static gint ett_smb2_header = -1;
465 static gint ett_smb2_encrypted = -1;
466 static gint ett_smb2_command = -1;
467 static gint ett_smb2_secblob = -1;
468 static gint ett_smb2_negotiate_context_element = -1;
469 static gint ett_smb2_file_basic_info = -1;
470 static gint ett_smb2_file_standard_info = -1;
471 static gint ett_smb2_file_internal_info = -1;
472 static gint ett_smb2_file_ea_info = -1;
473 static gint ett_smb2_file_access_info = -1;
474 static gint ett_smb2_file_position_info = -1;
475 static gint ett_smb2_file_mode_info = -1;
476 static gint ett_smb2_file_alignment_info = -1;
477 static gint ett_smb2_file_all_info = -1;
478 static gint ett_smb2_file_allocation_info = -1;
479 static gint ett_smb2_file_endoffile_info = -1;
480 static gint ett_smb2_file_alternate_name_info = -1;
481 static gint ett_smb2_file_stream_info = -1;
482 static gint ett_smb2_file_pipe_info = -1;
483 static gint ett_smb2_file_compression_info = -1;
484 static gint ett_smb2_file_network_open_info = -1;
485 static gint ett_smb2_file_attribute_tag_info = -1;
486 static gint ett_smb2_file_rename_info = -1;
487 static gint ett_smb2_file_disposition_info = -1;
488 static gint ett_smb2_file_full_ea_info = -1;
489 static gint ett_smb2_fs_info_01 = -1;
490 static gint ett_smb2_fs_info_03 = -1;
491 static gint ett_smb2_fs_info_04 = -1;
492 static gint ett_smb2_fs_info_05 = -1;
493 static gint ett_smb2_fs_info_06 = -1;
494 static gint ett_smb2_fs_info_07 = -1;
495 static gint ett_smb2_fs_objectid_info = -1;
496 static gint ett_smb2_sec_info_00 = -1;
497 static gint ett_smb2_quota_info = -1;
498 static gint ett_smb2_query_quota_info = -1;
499 static gint ett_smb2_tid_tree = -1;
500 static gint ett_smb2_sesid_tree = -1;
501 static gint ett_smb2_create_chain_element = -1;
502 static gint ett_smb2_MxAc_buffer = -1;
503 static gint ett_smb2_QFid_buffer = -1;
504 static gint ett_smb2_RqLs_buffer = -1;
505 static gint ett_smb2_ioctl_function = -1;
506 static gint ett_smb2_FILE_OBJECTID_BUFFER = -1;
507 static gint ett_smb2_flags = -1;
508 static gint ett_smb2_sec_mode = -1;
509 static gint ett_smb2_capabilities = -1;
510 static gint ett_smb2_ses_req_flags = -1;
511 static gint ett_smb2_ses_flags = -1;
512 static gint ett_smb2_lease_state = -1;
513 static gint ett_smb2_lease_flags = -1;
514 static gint ett_smb2_share_flags = -1;
515 static gint ett_smb2_create_rep_flags = -1;
516 static gint ett_smb2_share_caps = -1;
517 static gint ett_smb2_ioctl_flags = -1;
518 static gint ett_smb2_ioctl_network_interface = -1;
519 static gint ett_smb2_fsctl_range_data = -1;
520 static gint ett_windows_sockaddr = -1;
521 static gint ett_smb2_close_flags = -1;
522 static gint ett_smb2_notify_info = -1;
523 static gint ett_smb2_notify_flags = -1;
524 static gint ett_smb2_write_flags = -1;
525 static gint ett_smb2_rdma_v1 = -1;
526 static gint ett_smb2_DH2Q_buffer = -1;
527 static gint ett_smb2_DH2C_buffer = -1;
528 static gint ett_smb2_dh2x_flags = -1;
529 static gint ett_smb2_APP_INSTANCE_buffer = -1;
530 static gint ett_smb2_svhdx_open_device_context = -1;
531 static gint ett_smb2_posix_v1_request = -1;
532 static gint ett_smb2_posix_v1_response = -1;
533 static gint ett_smb2_posix_v1_supported_features = -1;
534 static gint ett_smb2_aapl_create_context_request = -1;
535 static gint ett_smb2_aapl_server_query_bitmask = -1;
536 static gint ett_smb2_aapl_server_query_caps = -1;
537 static gint ett_smb2_aapl_create_context_response = -1;
538 static gint ett_smb2_aapl_server_query_volume_caps = -1;
539 static gint ett_smb2_integrity_flags = -1;
540 static gint ett_smb2_find_flags = -1;
541 static gint ett_smb2_file_directory_info = -1;
542 static gint ett_smb2_both_directory_info = -1;
543 static gint ett_smb2_id_both_directory_info = -1;
544 static gint ett_smb2_full_directory_info = -1;
545 static gint ett_smb2_file_name_info = -1;
546 static gint ett_smb2_lock_info = -1;
547 static gint ett_smb2_lock_flags = -1;
548 static gint ett_smb2_transform_enc_alg = -1;
549 static gint ett_smb2_buffercode = -1;
550 static gint ett_smb2_ioctl_network_interface_capabilities = -1;
551 static gint ett_qfr_entry = -1;
552 static gint ett_smb2_pipe_fragment = -1;
553 static gint ett_smb2_pipe_fragments = -1;
554 static gint ett_smb2_cchunk_entry = -1;
555 static gint ett_smb2_fsctl_odx_token = -1;
556 static gint ett_smb2_symlink_error_response = -1;
557 static gint ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER = -1;
558 static gint ett_smb2_error_data = -1;
/*
 * Expert-info items. Per their names they flag an invalid length and a bad
 * response; the places that raise them are outside this excerpt.
 */
560 static expert_field ei_smb2_invalid_length = EI_INIT;
561 static expert_field ei_smb2_bad_response = EI_INIT;
/* Tap ids, -1 until assigned (assignment not shown here). */
563 static int smb2_tap = -1;
564 static int smb2_eo_tap = -1;
/* Handles for other dissectors this one hands data to; NULL until looked up elsewhere in the file. */
566 static dissector_handle_t gssapi_handle = NULL;
567 static dissector_handle_t ntlmssp_handle = NULL;
568 static dissector_handle_t rsvd_handle = NULL;
/* Heuristic sub-dissector list; by its name it is tried on SMB2 pipe payloads -- confirm at the call site. */
570 static heur_dissector_list_t smb2_pipe_subdissector_list;
/*
 * Subtree and field handles bundled into a fragment_items initializer for
 * SMB2 pipe fragments: two ett indices first, then the hf handles for the
 * fragment list, the anomaly cases (overlap, conflicting overlap, multiple
 * tails, too-long fragment, generic error), the count and the "reassembled"
 * fields.
 * NOTE(review): the listing jumps from source line 585 to 589, so the end of
 * the initializer and the closing brace are not shown.
 */
572 static const fragment_items smb2_pipe_frag_items = {
573 &ett_smb2_pipe_fragment,
574 &ett_smb2_pipe_fragments,
575 &hf_smb2_pipe_fragments,
576 &hf_smb2_pipe_fragment,
577 &hf_smb2_pipe_fragment_overlap,
578 &hf_smb2_pipe_fragment_overlap_conflict,
579 &hf_smb2_pipe_fragment_multiple_tails,
580 &hf_smb2_pipe_fragment_too_long_fragment,
581 &hf_smb2_pipe_fragment_error,
582 &hf_smb2_pipe_fragment_count,
583 &hf_smb2_pipe_reassembled_in,
584 &hf_smb2_pipe_reassembled_length,
585 &hf_smb2_pipe_reassembled_data,
/* Info class codes and the table mapping each code to its display name. */
589 #define SMB2_CLASS_FILE_INFO 0x01
590 #define SMB2_CLASS_FS_INFO 0x02
591 #define SMB2_CLASS_SEC_INFO 0x03
592 #define SMB2_CLASS_QUOTA_INFO 0x04
593 #define SMB2_CLASS_POSIX_INFO 0x80
/*
 * NOTE(review): the listing stops at source line 599 and resumes at 603, so
 * the end of this array is not shown. A value_string array has to finish with
 * a { 0, NULL } entry: lookups walk the array until they reach the NULL
 * string, and the class value being looked up comes from the packet.
 */
594 static const value_string smb2_class_vals[] = {
595 { SMB2_CLASS_FILE_INFO, "FILE_INFO"},
596 { SMB2_CLASS_FS_INFO, "FS_INFO"},
597 { SMB2_CLASS_SEC_INFO, "SEC_INFO"},
598 { SMB2_CLASS_QUOTA_INFO, "QUOTA_INFO"},
599 { SMB2_CLASS_POSIX_INFO, "POSIX_INFO"},
/* Share type codes and their display names. */
603 #define SMB2_SHARE_TYPE_DISK 0x01
604 #define SMB2_SHARE_TYPE_PIPE 0x02
605 #define SMB2_SHARE_TYPE_PRINT 0x03
/* NOTE(review): the array's terminating entry and closing brace fall in source lines 610-613, which this listing omits. */
606 static const value_string smb2_share_type_vals[] = {
607 { SMB2_SHARE_TYPE_DISK, "Physical disk" },
608 { SMB2_SHARE_TYPE_PIPE, "Named pipe" },
609 { SMB2_SHARE_TYPE_PRINT, "Printer" },
/* File information level codes (SMB2_CLASS_FILE_INFO is the matching class constant -- confirm at the call site). */
614 #define SMB2_FILE_BASIC_INFO 0x04
615 #define SMB2_FILE_STANDARD_INFO 0x05
616 #define SMB2_FILE_INTERNAL_INFO 0x06
617 #define SMB2_FILE_EA_INFO 0x07
618 #define SMB2_FILE_ACCESS_INFO 0x08
619 #define SMB2_FILE_RENAME_INFO 0x0a
620 #define SMB2_FILE_DISPOSITION_INFO 0x0d
621 #define SMB2_FILE_POSITION_INFO 0x0e
622 #define SMB2_FILE_FULL_EA_INFO 0x0f
623 #define SMB2_FILE_MODE_INFO 0x10
624 #define SMB2_FILE_ALIGNMENT_INFO 0x11
625 #define SMB2_FILE_ALL_INFO 0x12
626 #define SMB2_FILE_ALLOCATION_INFO 0x13
627 #define SMB2_FILE_ENDOFFILE_INFO 0x14
628 #define SMB2_FILE_ALTERNATE_NAME_INFO 0x15
629 #define SMB2_FILE_STREAM_INFO 0x16
630 #define SMB2_FILE_PIPE_INFO 0x17
631 #define SMB2_FILE_COMPRESSION_INFO 0x1c
632 #define SMB2_FILE_NETWORK_OPEN_INFO 0x22
633 #define SMB2_FILE_ATTRIBUTE_TAG_INFO 0x23
/*
 * Level code -> name table. Entries are in ascending order of value, which
 * the value_string_ext wrapper below relies on for its lookups.
 * NOTE(review): source lines 656-657 (end of the array) are not in this listing.
 */
635 static const value_string smb2_file_info_levels[] = {
636 {SMB2_FILE_BASIC_INFO, "SMB2_FILE_BASIC_INFO" },
637 {SMB2_FILE_STANDARD_INFO, "SMB2_FILE_STANDARD_INFO" },
638 {SMB2_FILE_INTERNAL_INFO, "SMB2_FILE_INTERNAL_INFO" },
639 {SMB2_FILE_EA_INFO, "SMB2_FILE_EA_INFO" },
640 {SMB2_FILE_ACCESS_INFO, "SMB2_FILE_ACCESS_INFO" },
641 {SMB2_FILE_RENAME_INFO, "SMB2_FILE_RENAME_INFO" },
642 {SMB2_FILE_DISPOSITION_INFO, "SMB2_FILE_DISPOSITION_INFO" },
643 {SMB2_FILE_POSITION_INFO, "SMB2_FILE_POSITION_INFO" },
644 {SMB2_FILE_FULL_EA_INFO, "SMB2_FILE_FULL_EA_INFO" },
645 {SMB2_FILE_MODE_INFO, "SMB2_FILE_MODE_INFO" },
646 {SMB2_FILE_ALIGNMENT_INFO, "SMB2_FILE_ALIGNMENT_INFO" },
647 {SMB2_FILE_ALL_INFO, "SMB2_FILE_ALL_INFO" },
648 {SMB2_FILE_ALLOCATION_INFO, "SMB2_FILE_ALLOCATION_INFO" },
649 {SMB2_FILE_ENDOFFILE_INFO, "SMB2_FILE_ENDOFFILE_INFO" },
650 {SMB2_FILE_ALTERNATE_NAME_INFO, "SMB2_FILE_ALTERNATE_NAME_INFO" },
651 {SMB2_FILE_STREAM_INFO, "SMB2_FILE_STREAM_INFO" },
652 {SMB2_FILE_PIPE_INFO, "SMB2_FILE_PIPE_INFO" },
653 {SMB2_FILE_COMPRESSION_INFO, "SMB2_FILE_COMPRESSION_INFO" },
654 {SMB2_FILE_NETWORK_OPEN_INFO, "SMB2_FILE_NETWORK_OPEN_INFO" },
655 {SMB2_FILE_ATTRIBUTE_TAG_INFO, "SMB2_FILE_ATTRIBUTE_TAG_INFO" },
/* Extended wrapper around the table above. */
658 static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);
/* Filesystem information level codes; the table below gives the FileFs* name for each. */
662 #define SMB2_FS_INFO_01 0x01
663 #define SMB2_FS_LABEL_INFO 0x02
664 #define SMB2_FS_INFO_03 0x03
665 #define SMB2_FS_INFO_04 0x04
666 #define SMB2_FS_INFO_05 0x05
667 #define SMB2_FS_INFO_06 0x06
668 #define SMB2_FS_INFO_07 0x07
669 #define SMB2_FS_OBJECTID_INFO 0x08
670 #define SMB2_FS_DRIVER_PATH_INFO 0x09
671 #define SMB2_FS_VOLUME_FLAGS_INFO 0x0a
672 #define SMB2_FS_SECTOR_SIZE_INFO 0x0b
/*
 * Level code -> name table, ascending by value as the value_string_ext
 * wrapper below expects.
 * NOTE(review): source lines 686-687 (end of the array) are not in this listing.
 */
674 static const value_string smb2_fs_info_levels[] = {
675 {SMB2_FS_INFO_01, "FileFsVolumeInformation" },
676 {SMB2_FS_LABEL_INFO, "FileFsLabelInformation" },
677 {SMB2_FS_INFO_03, "FileFsSizeInformation" },
678 {SMB2_FS_INFO_04, "FileFsDeviceInformation" },
679 {SMB2_FS_INFO_05, "FileFsAttributeInformation" },
680 {SMB2_FS_INFO_06, "FileFsControlInformation" },
681 {SMB2_FS_INFO_07, "FileFsFullSizeInformation" },
682 {SMB2_FS_OBJECTID_INFO, "FileFsObjectIdInformation" },
683 {SMB2_FS_DRIVER_PATH_INFO, "FileFsDriverPathInformation" },
684 {SMB2_FS_VOLUME_FLAGS_INFO, "FileFsVolumeFlagsInformation" },
685 {SMB2_FS_SECTOR_SIZE_INFO, "FileFsSectorSizeInformation" },
/* Extended wrapper around the table above. */
688 static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);
/* The single security information level defined here, its name table and the extended wrapper. */
690 #define SMB2_SEC_INFO_00 0x00
/* NOTE(review): source lines 693-694 (end of the array) are not in this listing. */
691 static const value_string smb2_sec_info_levels[] = {
692 {SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
695 static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);
/*
 * POSIX information levels, given as literal values (no #define names),
 * with the extended wrapper after the table. Values are ascending but not
 * contiguous (2 and 4 have no entry).
 * NOTE(review): source lines 703-705 are not in this listing, so the end of
 * the array is not shown.
 */
697 static const value_string smb2_posix_info_levels[] = {
698 { 0, "QueryFileUnixBasic" },
699 { 1, "QueryFileUnixLink" },
700 { 3, "QueryFileUnixHLink" },
701 { 5, "QueryFileUnixXAttr" },
702 { 0x0B, "QueryFileUnixInfo2" },
706 static value_string_ext smb2_posix_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_posix_info_levels);
/* Find (directory query) information level codes and their display names. */
708 #define SMB2_FIND_DIRECTORY_INFO 0x01
709 #define SMB2_FIND_FULL_DIRECTORY_INFO 0x02
710 #define SMB2_FIND_BOTH_DIRECTORY_INFO 0x03
711 #define SMB2_FIND_INDEX_SPECIFIED 0x04
712 #define SMB2_FIND_NAME_INFO 0x0C
713 #define SMB2_FIND_ID_BOTH_DIRECTORY_INFO 0x25
714 #define SMB2_FIND_ID_FULL_DIRECTORY_INFO 0x26
/* NOTE(review): source lines 723-725 (end of the array) are not in this listing. */
715 static const value_string smb2_find_info_levels[] = {
716 { SMB2_FIND_DIRECTORY_INFO, "SMB2_FIND_DIRECTORY_INFO" },
717 { SMB2_FIND_FULL_DIRECTORY_INFO, "SMB2_FIND_FULL_DIRECTORY_INFO" },
718 { SMB2_FIND_BOTH_DIRECTORY_INFO, "SMB2_FIND_BOTH_DIRECTORY_INFO" },
719 { SMB2_FIND_INDEX_SPECIFIED, "SMB2_FIND_INDEX_SPECIFIED" },
720 { SMB2_FIND_NAME_INFO, "SMB2_FIND_NAME_INFO" },
721 { SMB2_FIND_ID_BOTH_DIRECTORY_INFO, "SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
722 { SMB2_FIND_ID_FULL_DIRECTORY_INFO, "SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
/*
 * Negotiate context type codes and their display names. Only the
 * pre-authentication integrity and encryption capability contexts are
 * listed; how other context types are displayed depends on the lookup call,
 * which is outside this excerpt.
 * NOTE(review): source lines 731-733 (end of the array) are not in this listing.
 */
726 #define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001
727 #define SMB2_ENCRYPTION_CAPABILITIES 0x0002
728 static const value_string smb2_negotiate_context_types[] = {
729 { SMB2_PREAUTH_INTEGRITY_CAPABILITIES, "SMB2_PREAUTH_INTEGRITY_CAPABILITIES" },
730 { SMB2_ENCRYPTION_CAPABILITIES, "SMB2_ENCRYPTION_CAPABILITIES" },
734 #define SMB2_NUM_PROCEDURES 256
/* Initialise the SMB2 service-response-time (SRT) table: one table named
 * "SMB2" with SMB2_NUM_PROCEDURES rows, each row labelled with the command
 * name from smb2_cmd_vals_ext, or "<unknown>" when the value has no entry.
 * The return type, the declaration of i and the braces are not part of this
 * listing. */
737 smb2stat_init(struct register_srt* srt _U_, GArray* srt_array, srt_gui_init_cb gui_callback, void* gui_data)
739 srt_stat_table *smb2_srt_table;
742 smb2_srt_table = init_srt_table("SMB2", NULL, srt_array, SMB2_NUM_PROCEDURES, "Commands", "smb2.cmd", gui_callback, gui_data, NULL);
743 for (i = 0; i < SMB2_NUM_PROCEDURES; i++)
745 init_srt_table_row(smb2_srt_table, i, val_to_str_ext_const(i, &smb2_cmd_vals_ext, "<unknown>"));
/* SRT tap callback: for a response packet whose request was seen, add the
 * request-to-response time to the SMB2 SRT table row selected by si->opcode.
 * pss is the srt_data_t registered for the tap, prv the smb2_info_t of the
 * dissected packet. The early-return bodies, the assignment of i and the
 * return statements are not part of this listing. */
750 smb2stat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv)
753 srt_stat_table *smb2_srt_table;
754 srt_data_t *data = (srt_data_t *)pss;
755 const smb2_info_t *si=(const smb2_info_t *)prv;
757 /* we are only interested in response packets */
758 if(!(si->flags&SMB2_FLAGS_RESPONSE)){
761 /* if we haven't seen the request, just ignore it */
766 /* SMB2 SRT can be very inaccurate in the presence of retransmissions. Retransmitted responses
767 * not only add additional (bogus) transactions but also the latency associated with them.
768 * This can greatly inflate the maximum and average SRT stats especially in the case of
769 * retransmissions triggered by the expiry of the rexmit timer (RTOs). Only calculating SRT
770 * for the last received response accomplishes this goal without requiring the TCP pref
771 * "Do not call subdissectors for error packets" to be set. */
/* NOTE(review): si->saved is dereferenced here; the check announced by the
 * comment above is on a line this listing does not show - confirm it tests
 * si->saved for NULL. */
772 if ((si->saved->frame_req == 0) || (si->saved->frame_res != pinfo->num))
775 smb2_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
/* NOTE(review): si->opcode selects a row in a table created with
 * SMB2_NUM_PROCEDURES rows; nothing on the visible lines bounds it. Confirm
 * that the dissector or add_srt_table_data rejects larger values. */
776 add_srt_table_data(smb2_srt_table, si->opcode, &si->saved->req_time, pinfo);
781 static const gint8 zeros[NTLMSSP_KEY_LEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
783 /* ExportObject preferences variable */
784 gboolean eosmb2_take_name_as_fid = FALSE ;
786 /* unmatched smb_saved_info structures.
787 For unmatched smb_saved_info structures we store the smb_saved_info
788 structure using the msg_id field.
/* Key-equality callback for the table of unmatched requests: two
 * smb2_saved_info_t keys are equal when their msg_id fields are equal. */
791 smb2_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
793 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
794 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
795 return key1->msg_id == key2->msg_id;
/* Hash callback for the table of unmatched requests: the hash is the low
 * 32 bits of msg_id. The declaration of hash and the return statement are not
 * part of this listing. */
798 smb2_saved_info_hash_unmatched(gconstpointer k)
800 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
803 hash = (guint32) (key->msg_id&0xffffffff);
807 /* matched smb_saved_info structures.
808 For matched smb_saved_info structures we store the smb_saved_info
809 structure using the msg_id field.
/* Key-equality callback for the table of matched request/response pairs:
 * two smb2_saved_info_t keys are equal when their msg_id fields are equal. */
812 smb2_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
814 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
815 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
816 return key1->msg_id == key2->msg_id;
/* Hash callback for the table of matched request/response pairs: the hash is
 * the low 32 bits of msg_id. The declaration of hash and the return statement
 * are not part of this listing. */
819 smb2_saved_info_hash_matched(gconstpointer k)
821 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
824 hash = (guint32) (key->msg_id&0xffffffff);
828 /* For Tids of a specific conversation.
829 This keeps track of tid->sharename mappings and other information about the
832 We might need to refine this if it occurs that tids are reused on a single
833 conversation. we don't worry about that yet for simplicity
/* Key-equality callback for tree-id entries: two smb2_tid_info_t keys are
 * equal when their tid fields are equal. */
836 smb2_tid_info_equal(gconstpointer k1, gconstpointer k2)
838 const smb2_tid_info_t *key1 = (const smb2_tid_info_t *)k1;
839 const smb2_tid_info_t *key2 = (const smb2_tid_info_t *)k2;
840 return key1->tid == key2->tid;
/* Hash callback for smb2_tid_info_t keys. Only the cast of the key is visible
 * in this listing; the hash computation and the return are not shown. */
843 smb2_tid_info_hash(gconstpointer k)
845 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
852 /* For Uids of a specific conversation.
853 This keeps track of uid->acct_name mappings and other information about the
856 We might need to refine this if it occurs that uids are reused on a single
857 conversation. we don't worry about that yet for simplicity
/* Key-equality callback for session entries: two smb2_sesid_info_t keys are
 * equal when their sesid fields are equal. */
860 smb2_sesid_info_equal(gconstpointer k1, gconstpointer k2)
862 const smb2_sesid_info_t *key1 = (const smb2_sesid_info_t *)k1;
863 const smb2_sesid_info_t *key2 = (const smb2_sesid_info_t *)k2;
864 return key1->sesid == key2->sesid;
/* Hash callback for smb2_sesid_info_t keys: adds the upper and the lower
 * 32 bits of sesid and truncates the sum to 32 bits. The declaration of hash
 * and the return statement are not part of this listing. */
867 smb2_sesid_info_hash(gconstpointer k)
869 const smb2_sesid_info_t *key = (const smb2_sesid_info_t *)k;
872 hash = (guint32)( ((key->sesid>>32)&0xffffffff)+((key->sesid)&0xffffffff) );
877 * For File IDs of a specific conversation.
878 * This keeps track of fid to name mapping and application level conversations
881 * This handles implementation bugs, where the fid_persistent is 0 or
882 * the fid_persistent/fid_volatile is not unique per conversation.
/* Key-equality callback for file-id entries. The visible tests compare
 * fid_persistent, fid_volatile, sesid and tid, in that order; the name field
 * is not compared on these lines. The bodies of the if statements and the
 * return statements are not part of this listing. */
885 smb2_fid_info_equal(gconstpointer k1, gconstpointer k2)
887 const smb2_fid_info_t *key1 = (const smb2_fid_info_t *)k1;
888 const smb2_fid_info_t *key2 = (const smb2_fid_info_t *)k2;
890 if (key1->fid_persistent != key2->fid_persistent) {
894 if (key1->fid_volatile != key2->fid_volatile) {
898 if (key1->sesid != key2->sesid) {
902 if (key1->tid != key2->tid) {
/* Hash callback for smb2_fid_info_t keys. When fid_persistent is non-zero the
 * hash is the 32-bit sum of its upper and lower halves; the second assignment
 * does the same with fid_volatile (presumably in an else branch - the line
 * between the two assignments is not shown). sesid and tid take no part in
 * the hash on the visible lines. */
910 smb2_fid_info_hash(gconstpointer k)
912 const smb2_fid_info_t *key = (const smb2_fid_info_t *)k;
915 if (key->fid_persistent != 0) {
916 hash = (guint32)( ((key->fid_persistent>>32)&0xffffffff)+((key->fid_persistent)&0xffffffff) );
918 hash = (guint32)( ((key->fid_volatile>>32)&0xffffffff)+((key->fid_volatile)&0xffffffff) );
924 /* Callback for destroying the glib hash tables associated with a conversation
/* wmem callback that releases the GLib hash tables owned by one
 * smb2_conv_info_t: matched, unmatched, fids, sesids and files. user_data is
 * the conversation structure; its parameter declaration, the braces and the
 * return statement are not part of this listing. */
927 smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
930 smb2_conv_info_t *conv = (smb2_conv_info_t *)user_data;
932 g_hash_table_destroy(conv->matched);
933 g_hash_table_destroy(conv->unmatched);
934 g_hash_table_destroy(conv->fids);
935 g_hash_table_destroy(conv->sesids);
936 g_hash_table_destroy(conv->files);
938 /* This conversation is gone, return FALSE to indicate we don't
939 * want to be called again for this conversation. */
/* Derive a 16-byte output key KO from the input key KI with HMAC-SHA256.
 * The MAC is keyed with KI and fed, in order: buf, Label, the first byte of
 * buf, Context, and buf again; the first 16 bytes of the digest are copied to
 * KO. The statements that set buf between the writes, the KO parameter
 * declaration, the release of the handle and the branch used without
 * libgcrypt are not part of this listing. */
943 static void smb2_key_derivation(const guint8 *KI _U_, guint32 KI_len _U_,
944 const guint8 *Label _U_, guint32 Label_len _U_,
945 const guint8 *Context _U_, guint32 Context_len _U_,
948 #ifdef HAVE_LIBGCRYPT
949 gcry_md_hd_t hd = NULL;
951 guint8 *digest = NULL;
954 * a simplified version of
955 * "NIST Special Publication 800-108" section 5.1
/* NOTE(review): the results of gcry_md_open and gcry_md_setkey are not
 * checked on these lines; confirm hd cannot still be NULL when the writes
 * below use it. */
958 gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
959 gcry_md_setkey(hd, KI, KI_len);
961 memset(buf, 0, sizeof(buf));
963 gcry_md_write(hd, buf, sizeof(buf));
964 gcry_md_write(hd, Label, Label_len);
965 gcry_md_write(hd, buf, 1);
966 gcry_md_write(hd, Context, Context_len);
968 gcry_md_write(hd, buf, sizeof(buf));
/* NOTE(review): digest is used without a NULL check. Only 16 of the digest
 * bytes are kept, and KO must have room for 16 bytes. */
970 digest = gcry_md_read(hd, GCRY_MD_SHA256);
972 memcpy(KO, digest, 16);
980 /* for export-object-smb2 */
/* Format a policy handle as a GUID-style text string allocated in
 * wmem_packet_scope(). The arguments of the format call and the return
 * statement are not part of this listing. */
981 static gchar *policy_hnd_to_file_id(const e_ctx_hnd *hnd) {
983 file_id = wmem_strdup_printf(wmem_packet_scope(),
984 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
/* Hash callback for the export-object files table: hashes the text form of
 * the e_ctx_hnd key produced by policy_hnd_to_file_id(). Each call formats a
 * new packet-scope string. */
998 static guint smb2_eo_files_hash(gconstpointer k) {
999 return g_str_hash(policy_hnd_to_file_id((const e_ctx_hnd *)k));
/* Key-equality callback for the export-object files table: two e_ctx_hnd keys
 * are equal when uuid.data1, data2, data3 and all eight data4 bytes match.
 * The declaration of are_equal and the return statement are not part of this
 * listing. */
1001 static gint smb2_eo_files_equal(gconstpointer k1, gconstpointer k2) {
1003 const e_ctx_hnd *key1 = (const e_ctx_hnd *)k1;
1004 const e_ctx_hnd *key2 = (const e_ctx_hnd *)k2;
1006 are_equal = (key1->uuid.data1==key2->uuid.data1 &&
1007 key1->uuid.data2==key2->uuid.data2 &&
1008 key1->uuid.data3==key2->uuid.data3 &&
1009 key1->uuid.data4[0]==key2->uuid.data4[0] &&
1010 key1->uuid.data4[1]==key2->uuid.data4[1] &&
1011 key1->uuid.data4[2]==key2->uuid.data4[2] &&
1012 key1->uuid.data4[3]==key2->uuid.data4[3] &&
1013 key1->uuid.data4[4]==key2->uuid.data4[4] &&
1014 key1->uuid.data4[5]==key2->uuid.data4[5] &&
1015 key1->uuid.data4[6]==key2->uuid.data4[6] &&
1016 key1->uuid.data4[7]==key2->uuid.data4[7]);
/* Build an smb_eo_t record for one chunk of SMB2 payload and queue it on
 * smb2_eo_tap for the export-object listener. All allocations shown use
 * wmem_packet_scope(). Several declarations, braces and else branches of the
 * function are not part of this listing.
 *
 * tvb         - buffer that holds the payload
 * dataoffset  - start of the payload inside tvb
 * length      - payload length in bytes
 * file_offset - offset of this chunk within the file
 */
1022 feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, guint16 dataoffset,guint32 length, guint64 file_offset) {
1024 char *fid_name = NULL;
1025 guint32 open_frame = 0, close_frame = 0;
1026 tvbuff_t *data_tvb = NULL;
1030 gchar **aux_string_v;
1032 /* Create a new tvb to point to the payload data */
/* NOTE(review): dataoffset and length are supplied by the caller; presumably
 * tvb_new_subset_length raises an exception when the range lies outside
 * tvb - confirm. */
1033 data_tvb = tvb_new_subset_length(tvb, dataoffset, length);
1034 /* Create the eo_info to pass to the listener */
1035 eo_info = wmem_new(wmem_packet_scope(), smb_eo_t);
1036 /* Fill in eo_info */
1037 eo_info->smbversion=2;
1039 eo_info->cmd=si->opcode;
1040 /* We don't keep track of uid in SMB v2 */
1043 /* Try to get file id and filename */
/* NOTE(review): eo_info->filename is built below from names stored while
 * dissecting the capture; the listener that writes exported objects
 * presumably has to sanitise it before using it as a path - confirm. */
1044 file_id=policy_hnd_to_file_id(&si->saved->policy_hnd);
1045 dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num);
1046 if (fid_name && g_strcmp0(fid_name,"File: ")!=0) {
1048 /* Remove "File: " from filename */
/* The split keeps only the text after the last "File: " marker, so a name
 * that itself contains that marker is shortened. */
1049 if (g_str_has_prefix(auxstring, "File: ")) {
1050 aux_string_v = g_strsplit(auxstring, "File: ", -1);
1051 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",aux_string_v[g_strv_length(aux_string_v)-1]);
1052 g_strfreev(aux_string_v);
1054 if (g_str_has_prefix(auxstring, "\\")) {
1055 eo_info->filename = wmem_strdup(wmem_packet_scope(), auxstring);
1057 eo_info->filename = wmem_strdup_printf(wmem_packet_scope(), "\\%s",auxstring);
1061 auxstring=wmem_strdup_printf(wmem_packet_scope(), "File_Id_%s", file_id);
1062 eo_info->filename=auxstring;
/* fid is a g_str_hash() value of the file name or of the file id, so two
 * different names or handles can end up with the same fid. */
1067 if (eosmb2_take_name_as_fid) {
1068 eo_info->fid = g_str_hash(eo_info->filename);
1070 eo_info->fid = g_str_hash(file_id);
1073 /* tid, hostname, tree_id */
/* The tree name is used as hostname only when it is 1 to 256 bytes long; the
 * other visible assignments build a synthetic \\host\TREEID_... string.
 * NOTE(review): si->tree->name is passed to strlen without a visible NULL
 * check. */
1075 eo_info->tid=si->tree->tid;
1076 if (strlen(si->tree->name)>0 && strlen(si->tree->name)<=256) {
1077 eo_info->hostname = wmem_strdup(wmem_packet_scope(), si->tree->name);
1079 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
1083 eo_info->hostname = wmem_strdup_printf(wmem_packet_scope(), "\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
1087 eo_info->pkt_num = pinfo->num;
/* NOTE(review): si->eo_file_info is dereferenced without a visible NULL
 * check; presumably callers only get here with it set - confirm. */
1090 if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
1091 eo_info->fid_type=SMB2_FID_TYPE_DIR;
1093 if (si->eo_file_info->attr_mask &
1094 (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
1095 SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
1096 SMB2_FLAGS_ATTR_SYSTEM) ) {
1097 eo_info->fid_type=SMB2_FID_TYPE_FILE;
1099 eo_info->fid_type=SMB2_FID_TYPE_OTHER;
1104 eo_info->end_of_file=si->eo_file_info->end_of_file;
1106 /* data offset and chunk length */
1107 eo_info->smb_file_offset=file_offset;
1108 eo_info->smb_chunk_len=length;
1109 /* XXX is this right? */
1110 if (length<si->saved->bytes_moved) {
1111 si->saved->file_offset=si->saved->file_offset+length;
1112 si->saved->bytes_moved=si->saved->bytes_moved-length;
/* payload_data points into data_tvb; it is not a copy.
 * NOTE(review): confirm the listener copies whatever it keeps. */
1116 eo_info->payload_len = length;
1117 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);
1119 tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
1123 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
1126 /* This is a helper to dissect the common string type
1132 * This function is called twice, first to decode the offset/length and
1133 * second time to dissect the actual string.
1134 * It is done this way since there is no guarantee that we have the full packet and we don't
1135 * want to abort dissection too early if the packet ends somewhere between the
1136 * length/offset and the actual buffer.
/* Wire layout of an offset/length pair. The name gives the field order and
 * widths: O = offset, S = size (length), UINT16/UINT32 = field width.
 * OLB_S_UINT32_O_UINT32 is the one layout in which the length comes first. */
1139 enum offset_length_buffer_offset_size {
1140 OLB_O_UINT16_S_UINT16,
1141 OLB_O_UINT16_S_UINT32,
1142 OLB_O_UINT32_S_UINT32,
1143 OLB_S_UINT32_O_UINT32
1145 typedef struct _offset_length_buffer_t {
1150 enum offset_length_buffer_offset_size offset_size;
1152 } offset_length_buffer_t;
/* First pass of the offset/length/buffer helper: read the offset and length
 * fields at offset in the layout selected by offset_size and record their
 * values and their positions in olb, together with hfindex. All fields are
 * read little-endian. The values are stored as read from the packet; no range
 * check is done on the visible lines. The statements that advance offset
 * between the two reads, the breaks and the return are not part of this
 * listing. */
1154 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
1155 enum offset_length_buffer_offset_size offset_size, int hfindex)
1157 olb->hfindex = hfindex;
1158 olb->offset_size = offset_size;
1159 switch (offset_size) {
1160 case OLB_O_UINT16_S_UINT16:
1161 olb->off = tvb_get_letohs(tvb, offset);
1162 olb->off_offset = offset;
1164 olb->len = tvb_get_letohs(tvb, offset);
1165 olb->len_offset = offset;
1168 case OLB_O_UINT16_S_UINT32:
1169 olb->off = tvb_get_letohs(tvb, offset);
1170 olb->off_offset = offset;
1172 olb->len = tvb_get_letohl(tvb, offset);
1173 olb->len_offset = offset;
1176 case OLB_O_UINT32_S_UINT32:
1177 olb->off = tvb_get_letohl(tvb, offset);
1178 olb->off_offset = offset;
1180 olb->len = tvb_get_letohl(tvb, offset);
1181 olb->len_offset = offset;
1184 case OLB_S_UINT32_O_UINT32:
1185 olb->len = tvb_get_letohl(tvb, offset);
1186 olb->len_offset = offset;
1188 olb->off = tvb_get_letohl(tvb, offset);
1189 olb->off_offset = offset;
1197 #define OLB_TYPE_UNICODE_STRING 0x01
1198 #define OLB_TYPE_ASCII_STRING 0x02
/* Second pass of the offset/length/buffer helper for strings: decode the
 * string that olb describes, add it to parent_tree under olb->hfindex and add
 * the raw offset and length fields beneath it. type is
 * OLB_TYPE_UNICODE_STRING or OLB_TYPE_ASCII_STRING. How base enters the
 * offset, the declarations of off, len, offset and bc, and the return
 * statements are not part of this listing. */
1200 dissect_smb2_olb_off_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int base, int type)
1203 proto_item *item = NULL;
1204 proto_tree *tree = NULL;
1205 const char *name = NULL;
1214 bc = tvb_captured_length_remaining(tvb, offset);
/* Range handling for the packet-supplied off/len: tvb_ensure_bytes_exist is
 * called first (presumably it raises an exception when the bytes are missing
 * - confirm), then the range is compared with the reported length.
 * NOTE(review): the first half of the condition below is not shown; off+len
 * can wrap if both are 32-bit, so confirm a wrap test precedes it. */
1218 tvb_ensure_bytes_exist(tvb, off, len);
1220 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
1221 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1222 "Invalid offset/length. Malformed packet");
1224 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1231 case OLB_TYPE_UNICODE_STRING:
1232 name = get_unicode_or_ascii_string(tvb, &off,
1233 TRUE, &len, TRUE, TRUE, &bc);
1238 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1239 tree = proto_item_add_subtree(item, ett_smb2_olb);
1242 case OLB_TYPE_ASCII_STRING:
1243 name = get_unicode_or_ascii_string(tvb, &off,
1244 FALSE, &len, TRUE, TRUE, &bc);
1249 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
1250 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* Show the raw offset and length fields at the positions and widths recorded
 * by the first pass. */
1255 switch (olb->offset_size) {
1256 case OLB_O_UINT16_S_UINT16:
1257 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1258 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1260 case OLB_O_UINT16_S_UINT32:
1261 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1262 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1264 case OLB_O_UINT32_S_UINT32:
1265 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1266 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1268 case OLB_S_UINT32_O_UINT32:
1269 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1270 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/* Convenience wrapper: dissect_smb2_olb_off_string() with base set to 0. */
1278 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
1280 return dissect_smb2_olb_off_string(pinfo, parent_tree, tvb, olb, 0, type);
/* Second pass of the offset/length/buffer helper for opaque buffers: add the
 * buffer that olb describes to parent_tree (no subtree when olb->hfindex is
 * -1), show the raw offset and length fields, and hand a sub-tvb of the
 * buffer to dissector. A zero offset or length is reported as ": NO DATA".
 * The declarations of off, len and offset, the braces and the return
 * statements are not part of this listing. */
1284 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
1285 offset_length_buffer_t *olb, smb2_info_t *si,
1286 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
1289 proto_item *sub_item = NULL;
1290 proto_tree *sub_tree = NULL;
1291 tvbuff_t *sub_tvb = NULL;
/* Range handling for the packet-supplied off/len: tvb_ensure_bytes_exist is
 * called first (presumably it raises an exception when the bytes are missing
 * - confirm), then the range is compared with the reported length.
 * NOTE(review): the first half of the condition below is not shown; off+len
 * can wrap if both are 32-bit, so confirm a wrap test precedes it. */
1299 tvb_ensure_bytes_exist(tvb, off, len);
1301 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
1302 proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
1303 "Invalid offset/length. Malformed packet");
1305 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
1310 /* if we don't want/need a subtree */
1311 if (olb->hfindex == -1) {
1312 sub_item = parent_tree;
1313 sub_tree = parent_tree;
1316 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
1317 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
1321 switch (olb->offset_size) {
1322 case OLB_O_UINT16_S_UINT16:
1323 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1324 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
1326 case OLB_O_UINT16_S_UINT32:
1327 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
1328 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1330 case OLB_O_UINT32_S_UINT32:
1331 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1332 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1334 case OLB_S_UINT32_O_UINT32:
1335 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1336 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
1340 if (off == 0 || len == 0) {
1341 proto_item_append_text(sub_item, ": NO DATA");
/* The sub-tvb is capped at the bytes actually captured and reports len as its
 * full length. NOTE(review): (int)len narrows a value read from the packet;
 * confirm the range check above excludes lengths that do not fit in an int. */
1349 sub_tvb = tvb_new_subset_length_caplen(tvb, off, MIN((int)len, tvb_captured_length_remaining(tvb, off)), len);
1351 dissector(sub_tvb, pinfo, sub_tree, si);
/* Return the larger of offset and the end of the buffer described by olb
 * (olb->off + olb->len). A zero olb->off is handled separately; that branch
 * body is not part of this listing. Because of MAX() the result from the
 * visible return is never smaller than offset.
 * NOTE(review): the sum of two packet-supplied values is cast to int; confirm
 * callers tolerate a wrapped or very large result. */
1355 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
1357 if (olb->off == 0) {
1360 return MAX(offset, (int)(olb->off + olb->len));
1363 typedef struct _smb2_function {
1364 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
1365 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
1368 static const true_false_string tfs_smb2_svhdx_has_initiator_id = {
1369 "Has an initiator id",
1370 "Does not have an initiator id"
1373 static const true_false_string tfs_flags_response = {
1374 "This is a RESPONSE",
1378 static const true_false_string tfs_flags_async_cmd = {
1379 "This is an ASYNC command",
1380 "This is a SYNC command"
1383 static const true_false_string tfs_flags_dfs_op = {
1384 "This is a DFS OPERATION",
1385 "This is a normal operation"
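/* Display strings for the "chained" header flag: first the text for a set
 * flag, then the text for a clear flag. */
1388 static const true_false_string tfs_flags_chained = {
1389 "This pdu is a CHAINED command",
1390 "This pdu is NOT a chained command"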
1393 static const true_false_string tfs_flags_signature = {
1394 "This pdu is SIGNED",
1395 "This pdu is NOT signed"
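/* Display strings for the "replay operation" header flag: first the text for
 * a set flag, then the text for a clear flag. */
1398 static const true_false_string tfs_flags_replay_operation = {
1399 "This is a REPLAY OPERATION",
1400 "This is NOT a replay operation"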
1403 static const true_false_string tfs_flags_priority_mask = {
1404 "This pdu contains a PRIORITY",
1405 "This pdu does NOT contain a PRIORITY1"
1408 static const true_false_string tfs_cap_dfs = {
1409 "This host supports DFS",
1410 "This host does NOT support DFS"
1413 static const true_false_string tfs_cap_leasing = {
1414 "This host supports LEASING",
1415 "This host does NOT support LEASING"
1418 static const true_false_string tfs_cap_large_mtu = {
1419 "This host supports LARGE_MTU",
1420 "This host does NOT support LARGE_MTU"
1423 static const true_false_string tfs_cap_multi_channel = {
1424 "This host supports MULTI CHANNEL",
1425 "This host does NOT support MULTI CHANNEL"
1428 static const true_false_string tfs_cap_persistent_handles = {
1429 "This host supports PERSISTENT HANDLES",
1430 "This host does NOT support PERSISTENT HANDLES"
1433 static const true_false_string tfs_cap_directory_leasing = {
1434 "This host supports DIRECTORY LEASING",
1435 "This host does NOT support DIRECTORY LEASING"
1438 static const true_false_string tfs_cap_encryption = {
1439 "This host supports ENCRYPTION",
1440 "This host does NOT support ENCRYPTION"
1443 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
1444 "This interface supports RSS",
1445 "This interface does not support RSS"
1448 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
1449 "This interface supports RDMA",
1450 "This interface does not support RDMA"
1453 static const value_string file_region_usage_vals[] = {
1454 { 0x00000001, "FILE_REGION_USAGE_VALID_CACHED_DATA" },
1458 static const value_string originator_flags_vals[] = {
1459 { 1, "SVHDX_ORIGINATOR_PVHDPARSER" },
1460 { 4, "SVHDX_ORIGINATOR_VHDMP" },
1464 static const value_string posix_locks_vals[] = {
1465 { 1, "POSIX_V1_POSIX_LOCK" },
1469 static const value_string posix_utf8_paths_vals[] = {
1470 { 1, "POSIX_V1_UTF8_PATHS" },
1474 static const value_string posix_file_semantics_vals[] = {
1475 { 1, "POSIX_V1_POSIX_FILE_SEMANTICS" },
1479 static const value_string posix_case_sensitive_vals[] = {
1480 { 1, "POSIX_V1_CASE_SENSITIVE" },
1484 static const value_string posix_will_convert_ntacls_vals[] = {
1485 { 1, "POSIX_V1_WILL_CONVERT_NT_ACLS" },
1489 static const value_string posix_fileinfo_vals[] = {
1490 { 1, "POSIX_V1_POSIX_FILEINFO" },
1494 static const value_string posix_acls_vals[] = {
1495 { 1, "POSIX_V1_POSIX_ACLS" },
1499 static const value_string posix_rich_acls_vals[] = {
1500 { 1, "POSIX_V1_RICH_ACLS" },
1504 static const value_string compression_format_vals[] = {
1505 { 0, "COMPRESSION_FORMAT_NONE" },
1506 { 1, "COMPRESSION_FORMAT_DEFAULT" },
1507 { 2, "COMPRESSION_FORMAT_LZNT1" },
1511 static const value_string checksum_algorithm_vals[] = {
1512 { 0x0000, "CHECKSUM_TYPE_NONE" },
1513 { 0x0002, "CHECKSUM_TYPE_CRC64" },
1514 { 0xFFFF, "CHECKSUM_TYPE_UNCHANGED" },
1518 /* Note: All uncommented are "dissector not implemented" */
1519 static const value_string smb2_ioctl_vals[] = {
1520 {0x00060194, "FSCTL_DFS_GET_REFERRALS"}, /* dissector implemented */
1521 {0x000601B0, "FSCTL_DFS_GET_REFERRALS_EX"},
1522 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
1523 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
1524 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
1525 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
1526 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
1527 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
1528 {0x00090018, "FSCTL_LOCK_VOLUME"},
1529 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
1530 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
1531 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
1532 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
1533 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
1534 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
1535 {0x0009003C, "FSCTL_GET_COMPRESSION"}, /* dissector implemented */
1536 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
1537 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
1538 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
1539 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
1540 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
1541 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
1542 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
1543 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
1544 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
1545 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
1546 {0x00090074, "FSCTL_MOVE_FILE"},
1547 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
1548 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
1549 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
1550 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
1551 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
1552 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
1553 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
1554 {0x0009009C, "FSCTL_GET_OBJECT_ID"}, /* dissector implemented */
1555 {0x000900A4, "FSCTL_SET_REPARSE_POINT"}, /* dissector implemented */
1556 {0x000900A8, "FSCTL_GET_REPARSE_POINT"}, /* dissector implemented */
1557 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"}, /* dissector implemented */
1558 {0x000900C4, "FSCTL_SET_SPARSE"}, /* dissector implemented */
1559 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
1560 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
1561 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
1562 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
1563 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
1564 {0x00090244, "FSCTL_CSV_TUNNEL_REQUEST"},
1565 {0x0009027C, "FSCTL_GET_INTEGRITY_INFORMATION"},
1566 {0x00090284, "FSCTL_QUERY_FILE_REGIONS"}, /* dissector implemented */
1567 {0x000902c8, "FSCTL_CSV_SYNC_TUNNEL_REQUEST"},
1568 {0x00090300, "FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT"}, /* dissector implemented */
1569 {0x00090304, "FSCTL_SVHDX_SYNC_TUNNEL_REQUEST"}, /* dissector implemented */
1570 {0x00090308, "FSCTL_SVHDX_SET_INITIATOR_INFORMATION"},
1571 {0x0009030C, "FSCTL_SET_EXTERNAL_BACKING"},
1572 {0x00090310, "FSCTL_GET_EXTERNAL_BACKING"},
1573 {0x00090314, "FSCTL_DELETE_EXTERNAL_BACKING"},
1574 {0x00090318, "FSCTL_ENUM_EXTERNAL_BACKING"},
1575 {0x0009031F, "FSCTL_ENUM_OVERLAY"},
1576 {0x00090350, "FSCTL_STORAGE_QOS_CONTROL"},
1577 {0x00090364, "FSCTL_SVHDX_ASYNC_TUNNEL_REQUEST"}, /* dissector implemented */
1578 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
1579 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
1580 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
1581 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"}, /* dissector implemented */
1582 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
1583 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
1584 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
1585 {0x00094264, "FSCTL_OFFLOAD_READ"}, /* dissector implemented */
1586 {0x00098098, "FSCTL_SET_OBJECT_ID"}, /* dissector implemented */
1587 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
1588 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
1589 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
1590 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"}, /* dissector implemented */
1591 {0x000980C8, "FSCTL_SET_ZERO_DATA"}, /* dissector implemented */
1592 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
1593 {0x00098208, "FSCTL_FILE_LEVEL_TRIM"},
1594 {0x00098268, "FSCTL_OFFLOAD_WRITE"}, /* dissector implemented */
1595 {0x0009C040, "FSCTL_SET_COMPRESSION"}, /* dissector implemented */
1596 {0x0009C280, "FSCTL_SET_INTEGRITY_INFORMATION"}, /* dissector implemented */
1597 {0x00110018, "FSCTL_PIPE_WAIT"}, /* dissector implemented */
1598 {0x0011400C, "FSCTL_PIPE_PEEK"},
1599 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"}, /* dissector implemented */
1600 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
1601 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"}, /* dissector implemented */
1602 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"}, /* dissector implemented */
1603 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"}, /* dissector implemented */
1604 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"}, /* dissector implemented */
1605 {0x00144064, "FSCTL_SRV_ENUMERATE_SNAPSHOTS"}, /* dissector implemented */
1606 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
1607 {0x001441bb, "FSCTL_SRV_READ_HASH"},
1608 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
1611 static value_string_ext smb2_ioctl_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_vals);
1613 static const value_string smb2_ioctl_device_vals[] = {
1615 { 0x0002, "CD_ROM" },
1616 { 0x0003, "CD_ROM_FILE_SYSTEM" },
1617 { 0x0004, "CONTROLLER" },
1618 { 0x0005, "DATALINK" },
1621 { 0x0008, "DISK_FILE_SYSTEM" },
1622 { 0x0009, "FILE_SYSTEM" },
1623 { 0x000a, "INPORT_PORT" },
1624 { 0x000b, "KEYBOARD" },
1625 { 0x000c, "MAILSLOT" },
1626 { 0x000d, "MIDI_IN" },
1627 { 0x000e, "MIDI_OUT" },
1628 { 0x000f, "MOUSE" },
1629 { 0x0010, "MULTI_UNC_PROVIDER" },
1630 { 0x0011, "NAMED_PIPE" },
1631 { 0x0012, "NETWORK" },
1632 { 0x0013, "NETWORK_BROWSER" },
1633 { 0x0014, "NETWORK_FILE_SYSTEM" },
1635 { 0x0016, "PARALLEL_PORT" },
1636 { 0x0017, "PHYSICAL_NETCARD" },
1637 { 0x0018, "PRINTER" },
1638 { 0x0019, "SCANNER" },
1639 { 0x001a, "SERIAL_MOUSE_PORT" },
1640 { 0x001b, "SERIAL_PORT" },
1641 { 0x001c, "SCREEN" },
1642 { 0x001d, "SOUND" },
1643 { 0x001e, "STREAMS" },
1645 { 0x0020, "TAPE_FILE_SYSTEM" },
1646 { 0x0021, "TRANSPORT" },
1647 { 0x0022, "UNKNOWN" },
1648 { 0x0023, "VIDEO" },
1649 { 0x0024, "VIRTUAL_DISK" },
1650 { 0x0025, "WAVE_IN" },
1651 { 0x0026, "WAVE_OUT" },
1652 { 0x0027, "8042_PORT" },
1653 { 0x0028, "NETWORK_REDIRECTOR" },
1654 { 0x0029, "BATTERY" },
1655 { 0x002a, "BUS_EXTENDER" },
1656 { 0x002b, "MODEM" },
1658 { 0x002d, "MASS_STORAGE" },
1661 { 0x0030, "CHANGER" },
1662 { 0x0031, "SMARTCARD" },
1665 { 0x0034, "FULLSCREEN_VIDEO" },
1666 { 0x0035, "DFS_FILE_SYSTEM" },
1667 { 0x0036, "DFS_VOLUME" },
1668 { 0x0037, "SERENUM" },
1669 { 0x0038, "TERMSRV" },
1673 static value_string_ext smb2_ioctl_device_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals);
1675 static const value_string smb2_ioctl_access_vals[] = {
1676 { 0x00, "FILE_ANY_ACCESS" },
1677 { 0x01, "FILE_READ_ACCESS" },
1678 { 0x02, "FILE_WRITE_ACCESS" },
1679 { 0x03, "FILE_READ_WRITE_ACCESS" },
1683 static const value_string smb2_ioctl_method_vals[] = {
1684 { 0x00, "METHOD_BUFFERED" },
1685 { 0x01, "METHOD_IN_DIRECT" },
1686 { 0x02, "METHOD_OUT_DIRECT" },
1687 { 0x03, "METHOD_NEITHER" },
1691 static const value_string smb2_ioctl_shared_virtual_disk_vals[] = {
1692 { 0x01, "SharedVirtualDisksSupported" },
1693 { 0x07, "SharedVirtualDiskCDPSnapshotsSupported" },
1697 static const value_string smb2_ioctl_shared_virtual_disk_hstate_vals[] = {
1698 { 0x00, "HandleStateNone" },
1699 { 0x01, "HandleStateFileShared" },
1700 { 0x03, "HandleStateShared" },
1704 /* this is called from both smb and smb2. */
/* Dissect the 4-byte little-endian ioctl/FSCTL function code at offset: add
 * it to parent_tree with sub-fields for device, access, function and method,
 * append the function name to the Info column, and store the raw code through
 * ioctlfunc. When the code has no entry in smb2_ioctl_vals_ext, the device
 * name (bits 16-31) and the function number (bits 2-13) are shown instead.
 * Several lines, including the calls whose arguments appear below and the
 * return statement, are not part of this listing. */
1706 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctlfunc)
1708 proto_item *item = NULL;
1709 proto_tree *tree = NULL;
1710 guint32 ioctl_function;
1713 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1714 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
1717 ioctl_function = tvb_get_letohl(tvb, offset);
/* NOTE(review): ioctlfunc is written through here; any NULL guard would be on
 * a line this listing does not show - confirm. */
1719 *ioctlfunc = ioctl_function;
1720 if (ioctl_function) {
1721 const gchar *unknown = "unknown";
1722 const gchar *ioctl_name = val_to_str_ext_const(ioctl_function,
1723 &smb2_ioctl_vals_ext,
1727 * val_to_str_const() doesn't work with a unknown == NULL
/* The pointer comparison detects the fallback string; it presumably relies on
 * val_to_str_ext_const() returning the very pointer it was given as default. */
1729 if (ioctl_name == unknown) {
1733 if (ioctl_name != NULL) {
1735 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
1739 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1740 if (ioctl_name == NULL) {
1742 pinfo->cinfo, COL_INFO, " %s",
1743 val_to_str_ext((ioctl_function>>16)&0xffff, &smb2_ioctl_device_vals_ext,
1744 "Unknown (0x%08X)"));
1748 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1751 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1752 if (ioctl_name == NULL) {
1754 pinfo->cinfo, COL_INFO, " Function:0x%04x",
1755 (ioctl_function>>2)&0x0fff);
1759 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1767 /* fake the dce/rpc support structures so we can piggy back on
1768 * dissect_nt_policy_hnd() since this will allow us
1769 * a cheap way to track where FIDs are opened, closed
1770 * and fid->filename mappings
1771 * if we want to do those things in the future.
/* Selector values for the `mode` argument of dissect_smb2_fid().
 * FID_MODE_CLOSE is the only one used as a case label in the lines shown. */
1773 #define FID_MODE_OPEN 0
1774 #define FID_MODE_CLOSE 1
1775 #define FID_MODE_USE 2
1776 #define FID_MODE_DHNQ 3
1777 #define FID_MODE_DHNC 4
/* Dissect the file id at offset (two little-endian 64-bit halves, 16 bytes)
 * by reusing the DCE/RPC policy-handle code, and keep per-conversation state
 * for it in si->conv->fids and si->conv->files.
 *
 * tvb/pinfo/tree: the usual dissector arguments.
 * offset: start of the file id; advanced by dissect_nt_guid_hnd().
 * si:     SMB2 per-packet state; si->sesid, si->tid and si->conv are read
 *         without a NULL test on si.
 * mode:   one of the FID_MODE_* values.
 *
 * NOTE(review): this listing omits lines (the switch on mode, several
 * braces/guards and the return), so the control flow is only partly visible.
 */
1779 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
1781 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
1782 static dcerpc_info di; /* fake dcerpc_info struct */
1783 static dcerpc_call_value call_data;
1784 e_ctx_hnd policy_hnd;
1785 e_ctx_hnd *policy_hnd_hashtablekey;
1786 proto_item *hnd_item = NULL;
1788 guint32 open_frame = 0, close_frame = 0;
1789 smb2_eo_file_info_t *eo_file_info;
1790 smb2_fid_info_t sfi_key;
1791 smb2_fid_info_t *sfi = NULL;
/* Lookup key: the two halves of the id exactly as read from the packet, plus
 * the session and tree ids already stored in si. */
1793 sfi_key.fid_persistent = tvb_get_letoh64(tvb, offset);
1794 sfi_key.fid_volatile = tvb_get_letoh64(tvb, offset+8);
1795 sfi_key.sesid = si->sesid;
1796 sfi_key.tid = si->tid;
1797 sfi_key.name = NULL;
/* di and call_data are static, so they start zeroed and are shared by every
 * call; only these two fields are set here. */
1799 di.conformant_run = 0;
1800 /* we need di->call_data->flags.NDR64 == 0 */
1801 di.call_data = &call_data;
/* The two trailing flags are TRUE, FALSE in this call, FALSE, TRUE under
 * FID_MODE_CLOSE and FALSE, FALSE in the remaining call. */
1805 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, TRUE, FALSE);
/* First pass over this frame only. Everything created below is allocated in
 * wmem file scope, so it is kept until the capture file is closed. */
1806 if (!pinfo->fd->flags.visited) {
1807 sfi = wmem_new(wmem_file_scope(), smb2_fid_info_t);
/* The file name is taken from si->saved->extra_info when its type is
 * SMB2_EI_FILENAME. Where a printf-style helper is used, the name is passed
 * as a %s argument and never as the format string. */
1809 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1810 sfi->name = wmem_strdup(wmem_file_scope(), (char *)si->saved->extra_info);
1812 sfi->name = wmem_strdup_printf(wmem_file_scope(), "[unknown]");
1815 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1816 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si->saved->extra_info);
1818 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: ");
1820 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
/* The same pointer serves as key and value. */
1823 g_hash_table_insert(si->conv->fids, sfi, sfi);
1826 /* If needed, create the file entry and save the policy hnd */
/* NOTE(review): any test of si->saved guarding the next two stores is not
 * among the lines shown; the name lookups above do test it first. */
1828 si->saved->file = sfi;
1829 si->saved->policy_hnd = policy_hnd;
/* One smb2_eo_file_info_t per policy handle. The hash key is a file-scope
 * copy of the handle because policy_hnd itself is a local. */
1833 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1834 if (!eo_file_info) {
1835 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
1836 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
1837 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1838 eo_file_info->end_of_file=0;
1839 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1841 si->eo_file_info=eo_file_info;
1845 case FID_MODE_CLOSE:
1846 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, TRUE);
1851 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, FALSE);
/* g_hash_table_lookup() yields NULL for a file id that has no entry in
 * si->conv->fids.
 * NOTE(review): si->file and si->saved are dereferenced just below; the NULL
 * tests that have to precede that are not among the lines shown - confirm. */
1855 si->file = (smb2_fid_info_t *)g_hash_table_lookup(si->conv->fids, &sfi_key);
1858 si->saved->file = si->file;
1860 if (si->file->name) {
/* The stored name is appended with a fixed "%s" format. */
1862 proto_item_append_text(hnd_item, " File: %s", si->file->name);
1864 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", si->file->name);
1868 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
1869 /* look for the eo_file_info */
1870 if (!si->eo_file_info) {
1871 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
1873 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1875 si->eo_file_info=eo_file_info;
1876 } else { /* XXX This should never happen */
/* Fallback: create a fresh entry keyed by a file-scope copy of the handle,
 * exactly as the first-pass path above does. */
1877 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
1878 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
1879 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1880 eo_file_info->end_of_file=0;
1881 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1892 /* this info level is unique to SMB2 and differs from the corresponding
1893 * SMB_FILE_ALL_INFO in SMB
/* Dissect the SMB2 file-all-info level under a new hf_smb2_file_all_info
 * subtree: four 64-bit timestamps, extended file attributes, allocation size,
 * end of file, link count, delete-pending and is-directory flags, file id,
 * EA size, access mask and a length-prefixed file name.
 * NOTE(review): the `offset += n` steps, some declarations and the return are
 * not among the lines shown in this listing.
 */
1896 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1898 proto_item *item = NULL;
1899 proto_tree *tree = NULL;
1901 const char *name = "";
1905 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
1906 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
1910 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1913 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1916 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1919 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1921 /* File Attributes */
1922 offset = dissect_file_ext_attr(tvb, tree, offset);
1924 /* some unknown bytes */
1925 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
1928 /* allocation size */
1929 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1933 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1936 /* number of links */
1937 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1940 /* delete pending */
1941 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1945 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1952 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1956 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1960 offset = dissect_smb_access_mask(tvb, tree, offset);
1962 /* some unknown bytes */
1963 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
1966 /* file name length */
/* Only the low 16 bits of the length are read, although the field is added
 * to the tree as 4 bytes. */
1967 length = tvb_get_letohs(tvb, offset);
1968 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* bc is the number of captured bytes left; it and length are passed by
 * pointer to the string helper.
 * NOTE(review): if get_unicode_or_ascii_string() can return NULL, name has to
 * be tested before proto_tree_add_string(); no such test is visible here. */
1973 bc = tvb_captured_length_remaining(tvb, offset);
1974 name = get_unicode_or_ascii_string(tvb, &offset,
1975 TRUE, &length, TRUE, TRUE, &bc);
1977 proto_tree_add_string(tree, hf_smb2_filename, tvb,
1978 offset, length, name);
/* Dissect the SMB2 file allocation info level: open a subtree under
 * parent_tree and let dissect_qsfi_SMB_FILE_ALLOCATION_INFO() lay out the
 * fields. bc is set to the captured bytes remaining at offset and is passed by
 * pointer together with trunc.
 * NOTE(review): the declarations of bc and trunc and the return are not among
 * the lines shown; confirm bc is wide enough for the signed int returned by
 * tvb_captured_length_remaining(). Whether trunc is acted on is not visible.
 */
1989 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1991 proto_item *item = NULL;
1992 proto_tree *tree = NULL;
1997 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
1998 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
2001 bc = tvb_captured_length_remaining(tvb, offset);
2002 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file end-of-file info level: subtree under parent_tree,
 * then dissect_qsfi_SMB_FILE_ENDOFFILE_INFO() with bc set to the captured
 * bytes remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2008 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2010 proto_item *item = NULL;
2011 proto_tree *tree = NULL;
2016 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
2017 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
2020 bc = tvb_captured_length_remaining(tvb, offset);
2021 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file alternate-name info level: subtree under parent_tree,
 * then dissect_qfi_SMB_FILE_NAME_INFO() with bc set to the captured bytes
 * remaining at offset. The trailing TRUE is marked by the original author as
 * an assumption; its meaning is defined by the helper, not shown here.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2027 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2029 proto_item *item = NULL;
2030 proto_tree *tree = NULL;
2035 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
2036 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
2039 bc = tvb_captured_length_remaining(tvb, offset);
2040 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ TRUE);
/* Dissect the SMB2 file basic info level under a new subtree: create, last
 * access, last write and last change timestamps, the extended file
 * attributes, and 4 bytes shown as hf_smb2_unknown.
 * NOTE(review): the offset update after the last field and the return are not
 * among the lines shown in this listing.
 */
2047 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2049 proto_item *item = NULL;
2050 proto_tree *tree = NULL;
2053 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
2054 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
/* Each helper returns the offset that follows the field it consumed. */
2058 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2061 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2064 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2067 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2069 /* File Attributes */
2070 offset = dissect_file_ext_attr(tvb, tree, offset);
2072 /* some unknown bytes */
2073 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/* Dissect the SMB2 file standard info level: subtree under parent_tree, then
 * dissect_qfi_SMB_FILE_STANDARD_INFO() with bc set to the captured bytes
 * remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2080 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2082 proto_item *item = NULL;
2083 proto_tree *tree = NULL;
2088 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
2089 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
2092 bc = tvb_captured_length_remaining(tvb, offset);
2093 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file internal info level: subtree under parent_tree, then
 * dissect_qfi_SMB_FILE_INTERNAL_INFO() with bc set to the captured bytes
 * remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2098 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2100 proto_item *item = NULL;
2101 proto_tree *tree = NULL;
2106 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
2107 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
2110 bc = tvb_captured_length_remaining(tvb, offset);
2111 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file mode info level: subtree under parent_tree, then
 * dissect_qsfi_SMB_FILE_MODE_INFO() with bc set to the captured bytes
 * remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2116 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2118 proto_item *item = NULL;
2119 proto_tree *tree = NULL;
2124 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
2125 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
2128 bc = tvb_captured_length_remaining(tvb, offset);
2129 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file alignment info level: subtree under parent_tree, then
 * dissect_qfi_SMB_FILE_ALIGNMENT_INFO() with bc set to the captured bytes
 * remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2134 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2136 proto_item *item = NULL;
2137 proto_tree *tree = NULL;
2142 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
2143 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
2146 bc = tvb_captured_length_remaining(tvb, offset);
2147 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file position info level: subtree under parent_tree, then
 * dissect_qsfi_SMB_FILE_POSITION_INFO() with bc set to the captured bytes
 * remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2152 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2154 proto_item *item = NULL;
2155 proto_tree *tree = NULL;
2160 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
2161 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
2164 bc = tvb_captured_length_remaining(tvb, offset);
2165 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file access info level: subtree under parent_tree holding
 * the access mask decoded by dissect_smb_access_mask(), which returns the
 * offset after the mask.
 * NOTE(review): the return is not among the lines shown in this listing.
 */
2171 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2173 proto_item *item = NULL;
2174 proto_tree *tree = NULL;
2177 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
2178 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
2182 offset = dissect_smb_access_mask(tvb, tree, offset);
/* Dissect the SMB2 file EA info level: subtree under parent_tree, then
 * dissect_qfi_SMB_FILE_EA_INFO() with bc set to the captured bytes remaining
 * at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2188 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2190 proto_item *item = NULL;
2191 proto_tree *tree = NULL;
2196 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
2197 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
2200 bc = tvb_captured_length_remaining(tvb, offset);
2201 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file stream info level: subtree under parent_tree, then
 * dissect_qfi_SMB_FILE_STREAM_INFO() with bc set to the captured bytes
 * remaining at offset. The meaning of the trailing TRUE is defined by the
 * helper, which is not part of this listing.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2207 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2209 proto_item *item = NULL;
2210 proto_tree *tree = NULL;
2215 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
2216 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
2219 bc = tvb_captured_length_remaining(tvb, offset);
2220 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, TRUE);
/* Dissect the SMB2 file pipe info level: subtree under parent_tree, then
 * dissect_sfi_SMB_FILE_PIPE_INFO() with bc set to the captured bytes
 * remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2226 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2228 proto_item *item = NULL;
2229 proto_tree *tree = NULL;
2234 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
2235 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
2238 bc = tvb_captured_length_remaining(tvb, offset);
2239 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file compression info level: subtree under parent_tree,
 * then dissect_qfi_SMB_FILE_COMPRESSION_INFO() with bc set to the captured
 * bytes remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2245 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2247 proto_item *item = NULL;
2248 proto_tree *tree = NULL;
2253 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
2254 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
2257 bc = tvb_captured_length_remaining(tvb, offset);
2258 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file network-open info level: subtree under parent_tree,
 * then dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO() with bc set to the captured
 * bytes remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2264 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2266 proto_item *item = NULL;
2267 proto_tree *tree = NULL;
2272 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
2273 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
2277 bc = tvb_captured_length_remaining(tvb, offset);
2278 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Dissect the SMB2 file attribute-tag info level: subtree under parent_tree,
 * then dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO() with bc set to the captured
 * bytes remaining at offset.
 * NOTE(review): the bc/trunc declarations and the return are not among the
 * lines shown in this listing.
 */
2284 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2286 proto_item *item = NULL;
2287 proto_tree *tree = NULL;
2292 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
2293 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
2297 bc = tvb_captured_length_remaining(tvb, offset);
2298 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Display strings for a delete-on-close flag: the first string is shown when
 * the bit is set, the second when it is clear. */
2303 static const true_false_string tfs_disposition_delete_on_close = {
2304 "DELETE this file when closed",
2305 "Normal access, do not delete on close"
/* Dissect the SMB2 file disposition info level: subtree under parent_tree
 * holding the one-byte delete-on-close field.
 * NOTE(review): the offset update and the return are not among the lines
 * shown in this listing.
 */
2309 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2311 proto_item *item = NULL;
2312 proto_tree *tree = NULL;
2315 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
2316 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
2319 /* file disposition */
2320 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* Dissect a chain of extended-attribute (EA) entries. Each entry is read as:
 * 4-byte next offset, 1-byte flags, 1-byte name length, 2-byte data length,
 * the name plus one terminating byte, then the data. The following entry is
 * taken to start at start_offset + next_offset.
 *
 * NOTE(review): next_offset, ea_name_len and ea_data_len all come from the
 * packet. The loop statement and its exit tests are not among the lines shown
 * in this listing; confirm that the loop stops when next_offset is 0 and that
 * adding a guint32 next_offset to the int start_offset cannot move offset
 * backwards or leave it unchanged.
 */
2326 dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2328 proto_item *item = NULL;
2329 proto_tree *tree = NULL;
2330 guint32 next_offset;
2332 guint16 ea_data_len;
2335 item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
2336 tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
2341 const char *name = "";
2342 const char *data = "";
/* start_offset remembers where this entry begins; it is the base for both
 * the entry length and the jump to the next entry. */
2344 int start_offset = offset;
2345 proto_item *ea_item;
2346 proto_tree *ea_tree;
2348 ea_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_ea, &ea_item, "EA:");
2351 next_offset = tvb_get_letohl(tvb, offset);
2352 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2356 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2359 /* EA Name Length */
2360 ea_name_len = tvb_get_guint8(tvb, offset);
2361 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2364 /* EA Data Length */
2365 ea_data_len = tvb_get_letohs(tvb, offset);
2366 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* The name is fetched through the string helper with the packet-supplied
 * length and the captured bytes remaining. */
2370 length = ea_name_len;
2372 bc = tvb_captured_length_remaining(tvb, offset);
2373 name = get_unicode_or_ascii_string(tvb, &offset,
2374 FALSE, &length, TRUE, TRUE, &bc);
2376 proto_tree_add_string(ea_tree, hf_smb2_ea_name, tvb,
2377 offset, length + 1, name);
2381 /* The name is terminated with a NULL */
2382 offset += ea_name_len + 1;
/* The data bytes go through the same string helper so they can be shown in
 * the entry's summary text; the tree item itself is added as raw bytes
 * (ENC_NA). */
2385 length = ea_data_len;
2387 bc = tvb_captured_length_remaining(tvb, offset);
2388 data = get_unicode_or_ascii_string(tvb, &offset,
2389 FALSE, &length, TRUE, TRUE, &bc);
2391 * We put the data here ...
2393 proto_tree_add_item(ea_tree, hf_smb2_ea_data, tvb,
2394 offset, length, ENC_NA);
2396 offset += ea_data_len;
/* NOTE(review): name and data are consumed by %s here; if the string helper
 * can return NULL, the test for that must sit on a line not shown - confirm. */
2400 proto_item_append_text(ea_item, " %s := %s", name, data);
2402 proto_item_set_len(ea_item, offset-start_offset);
/* Jump to the next entry using the offset taken from the packet. */
2409 offset = start_offset+next_offset;
/* Display strings for a replace-if-exists flag: the first string is shown
 * when the bit is set, the second when it is clear. */
2415 static const true_false_string tfs_replace_if_exists = {
2416 "Replace the target if it exists",
2417 "Fail if the target exists"
/* Dissect the SMB2 file rename info level under a new subtree: 1-byte
 * replace-if-exists flag, 7 reserved bytes, an 8-byte root directory handle,
 * a file name length and the new file name, which is also appended to the
 * Info column.
 * pinfo is marked _U_ in the signature but is used for the column update.
 * NOTE(review): the offset updates, some declarations and the return are not
 * among the lines shown in this listing.
 */
2421 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2423 proto_item *item = NULL;
2424 proto_tree *tree = NULL;
2426 const char *name = "";
2431 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
2432 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
2435 /* ReplaceIfExists */
2436 proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
2440 proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
2443 /* Root Directory Handle, MBZ */
2444 proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
2447 /* file name length */
/* Only the low 16 bits of the length are read, although the field is added
 * to the tree as 4 bytes. */
2448 length = tvb_get_letohs(tvb, offset);
2449 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* NOTE(review): if get_unicode_or_ascii_string() can return NULL, name has to
 * be tested before the two uses below; no such test is visible here. */
2454 bc = tvb_captured_length_remaining(tvb, offset);
2455 name = get_unicode_or_ascii_string(tvb, &offset,
2456 TRUE, &length, TRUE, TRUE, &bc);
2458 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2459 offset, length, name);
/* The packet-supplied name is passed as a %s argument, not as the format. */
2462 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s", name);
/* Dissect a security info buffer: subtree under parent_tree, then
 * dissect_nt_sec_desc() on the security descriptor. The length handed to the
 * helper is the number of captured bytes remaining at offset, not a length
 * field taken from the packet.
 * pinfo is marked _U_ in the signature but is passed on to the helper.
 * NOTE(review): the return is not among the lines shown in this listing.
 */
2470 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2472 proto_item *item = NULL;
2473 proto_tree *tree = NULL;
2476 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
2477 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
2480 /* security descriptor */
2481 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, TRUE, tvb_captured_length_remaining(tvb, offset), NULL);
/* Dissect a quota info buffer: subtree under parent_tree, then
 * dissect_nt_user_quota() with bcp set to the captured bytes remaining at
 * offset.
 * NOTE(review): the declaration of bcp and the return are not among the lines
 * shown; confirm bcp is wide enough for the signed int returned by
 * tvb_captured_length_remaining().
 */
2487 dissect_smb2_quota_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2489 proto_item *item = NULL;
2490 proto_tree *tree = NULL;
2494 item = proto_tree_add_item(parent_tree, hf_smb2_quota_info, tvb, offset, -1, ENC_NA);
2495 tree = proto_item_add_subtree(item, ett_smb2_quota_info);
2498 bcp = tvb_captured_length_remaining(tvb, offset);
2499 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
/* Dissect file-system info level 05: subtree under parent_tree, then
 * dissect_qfsi_FS_ATTRIBUTE_INFO() with bc set to the captured bytes
 * remaining at offset. The meaning of the trailing TRUE is defined by the
 * helper, which is not part of this listing.
 * NOTE(review): the declaration of bc and the return are not among the lines
 * shown in this listing.
 */
2505 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2507 proto_item *item = NULL;
2508 proto_tree *tree = NULL;
2512 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
2513 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
2516 bc = tvb_captured_length_remaining(tvb, offset);
2517 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/* Dissect file-system info level 06: subtree under parent_tree, then
 * dissect_nt_quota() with bc set to the captured bytes remaining at offset.
 * NOTE(review): the declaration of bc and the return are not among the lines
 * shown in this listing.
 */
2523 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2525 proto_item *item = NULL;
2526 proto_tree *tree = NULL;
2530 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
2531 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
2534 bc = tvb_captured_length_remaining(tvb, offset);
2535 offset = dissect_nt_quota(tvb, tree, offset, &bc);
/* Dissect the file-system object-id info level: subtree under parent_tree,
 * then dissect_smb2_FILE_OBJECTID_BUFFER(), which returns the offset after
 * the buffer it consumed.
 * pinfo is marked _U_ in the signature but is passed on to the helper.
 * NOTE(review): the return is not among the lines shown in this listing.
 */
2541 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2543 proto_item *item = NULL;
2544 proto_tree *tree = NULL;
2547 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
2548 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
2551 /* FILE_OBJECTID_BUFFER */
2552 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* Dissect file-system info level 07: subtree under parent_tree, then
 * dissect_qfsi_FS_FULL_SIZE_INFO() with bc set to the captured bytes
 * remaining at offset.
 * NOTE(review): the declaration of bc and the return are not among the lines
 * shown in this listing.
 */
2558 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2560 proto_item *item = NULL;
2561 proto_tree *tree = NULL;
2565 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
2566 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
2569 bc = tvb_captured_length_remaining(tvb, offset);
2570 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/* Dissect file-system info level 01: subtree under parent_tree, then
 * dissect_qfsi_FS_VOLUME_INFO() with bc set to the captured bytes remaining
 * at offset. The meaning of the trailing TRUE is defined by the helper, which
 * is not part of this listing.
 * NOTE(review): the declaration of bc and the return are not among the lines
 * shown in this listing.
 */
2576 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2578 proto_item *item = NULL;
2579 proto_tree *tree = NULL;
2583 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
2584 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
2588 bc = tvb_captured_length_remaining(tvb, offset);
2589 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/* Dissect file-system info level 03: subtree under parent_tree, then
 * dissect_qfsi_FS_SIZE_INFO() with bc set to the captured bytes remaining at
 * offset.
 * NOTE(review): the declaration of bc and the return are not among the lines
 * shown in this listing.
 */
2595 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2597 proto_item *item = NULL;
2598 proto_tree *tree = NULL;
2602 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
2603 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
2607 bc = tvb_captured_length_remaining(tvb, offset);
2608 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/* Dissect file-system info level 04: subtree under parent_tree, then
 * dissect_qfsi_FS_DEVICE_INFO() with bc set to the captured bytes remaining
 * at offset.
 * NOTE(review): the declaration of bc and the return are not among the lines
 * shown in this listing.
 */
2614 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2616 proto_item *item = NULL;
2617 proto_tree *tree = NULL;
2621 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
2622 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
2626 bc = tvb_captured_length_remaining(tvb, offset);
2627 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
/* Oplock level codes and their display names. The terminating entry of the
 * table is not among the lines shown in this listing. */
2632 static const value_string oplock_vals[] = {
2633 { 0x00, "No oplock" },
2634 { 0x01, "Level2 oplock" },
2635 { 0x08, "Exclusive oplock" },
2636 { 0x09, "Batch oplock" },
/* Add the one-byte oplock field at offset to parent_tree.
 * NOTE(review): the offset update and the return are not among the lines
 * shown in this listing.
 */
2642 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2644 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* Dissect the 2-byte buffer code that starts a command PDU and show it as a
 * value with two sub-fields (length and dynamic-part flag) over the same two
 * bytes.
 *
 * length: receives the raw, unmasked buffer code; the existing comment
 *         leaves masking to the caller.
 * NOTE(review): callers in this file pass NULL for length (the session setup
 * dissectors do), so the store must be guarded by a NULL test; that line, the
 * offset update and the return are not among the lines shown - confirm.
 */
2651 dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint16 *length)
2655 guint16 buffer_code;
2657 /* dissect the first 2 bytes of the command PDU */
2658 buffer_code = tvb_get_letohs(tvb, offset);
2659 item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
2660 tree = proto_item_add_subtree(item, ett_smb2_buffercode);
2661 proto_tree_add_item(tree, hf_smb2_buffer_code_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2662 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2666 *length = buffer_code; /*&0xfffe don't mask it here, mask it on caller side */
/* Capability bit masks. Presumably these match the hf_smb2_cap_* fields
 * listed in dissect_smb2_capabilities(); the field registrations are not part
 * of this listing - confirm. */
2672 #define NEGPROT_CAP_DFS 0x00000001
2673 #define NEGPROT_CAP_LEASING 0x00000002
2674 #define NEGPROT_CAP_LARGE_MTU 0x00000004
2675 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
2676 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
2677 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
2678 #define NEGPROT_CAP_ENCRYPTION 0x00000040
/* Add the capabilities field at offset as a little-endian bitmask with one
 * sub-item per entry of flags.
 * NOTE(review): the first entry and the terminator of flags, the offset
 * update and the return are not among the lines shown in this listing.
 */
2680 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2682 static const int * flags[] = {
2684 &hf_smb2_cap_leasing,
2685 &hf_smb2_cap_large_mtu,
2686 &hf_smb2_cap_multi_channel,
2687 &hf_smb2_cap_persistent_handles,
2688 &hf_smb2_cap_directory_leasing,
2689 &hf_smb2_cap_encryption,
2693 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_capabilities, ett_smb2_capabilities, flags, ENC_LITTLE_ENDIAN);
/* Security-mode bit masks: signing required and signing enabled. */
2701 #define NEGPROT_SIGN_REQ 0x0002
2702 #define NEGPROT_SIGN_ENABLED 0x0001
/* Add the security mode field at offset as a little-endian bitmask with the
 * signing-enabled and signing-required sub-items.
 * NOTE(review): the terminator of flags, the offset update and the return are
 * not among the lines shown in this listing.
 */
2705 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2707 static const int * flags[] = {
2708 &hf_smb2_secmode_flags_sign_enabled,
2709 &hf_smb2_secmode_flags_sign_required,
2713 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_security_mode, ett_smb2_sec_mode, flags, ENC_LITTLE_ENDIAN);
/* Session-setup request flag: session binding. */
2719 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
/* Add the session-setup request flags at offset as a little-endian bitmask
 * with the session-binding sub-item.
 * NOTE(review): the terminator of flags, the offset update and the return are
 * not among the lines shown in this listing.
 */
2722 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2724 static const int * flags[] = {
2725 &hf_smb2_ses_req_flags_session_binding,
2729 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_ses_req_flags, ett_smb2_ses_req_flags, flags, ENC_LITTLE_ENDIAN);
/* Session flag bit masks: guest session and null session. */
2735 #define SES_FLAGS_GUEST 0x0001
2736 #define SES_FLAGS_NULL 0x0002
/* Add the session flags at offset as a little-endian bitmask with the guest
 * and null sub-items. Both bits describe how the session was authenticated,
 * which makes them worth checking when reviewing a capture.
 * NOTE(review): the terminator of flags, the offset update and the return are
 * not among the lines shown in this listing.
 */
2739 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2741 static const int * flags[] = {
2742 &hf_smb2_ses_flags_guest,
2743 &hf_smb2_ses_flags_null,
2747 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_session_flags, ett_smb2_ses_flags, flags, ENC_LITTLE_ENDIAN);
/* Caching policy values. All four fit in the bits covered by 0x00000030. */
2753 #define SHARE_FLAGS_manual_caching 0x00000000
2754 #define SHARE_FLAGS_auto_caching 0x00000010
2755 #define SHARE_FLAGS_vdo_caching 0x00000020
2756 #define SHARE_FLAGS_no_caching 0x00000030
/* Display names for the caching policy values; used by
 * dissect_smb2_share_flags() through val_to_str(). The terminating entry is
 * not among the lines shown in this listing. */
2758 static const value_string share_cache_vals[] = {
2759 { SHARE_FLAGS_manual_caching, "Manual caching" },
2760 { SHARE_FLAGS_auto_caching, "Auto caching" },
2761 { SHARE_FLAGS_vdo_caching, "VDO caching" },
2762 { SHARE_FLAGS_no_caching, "No caching" },
/* Share flag bit masks outside the caching-policy bits. */
2766 #define SHARE_FLAGS_dfs 0x00000001
2767 #define SHARE_FLAGS_dfs_root 0x00000002
2768 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
2769 #define SHARE_FLAGS_force_shared_delete 0x00000200
2770 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
2771 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
2772 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
2773 #define SHARE_FLAGS_enable_hash_v1 0x00002000
2774 #define SHARE_FLAGS_enable_hash_v2 0x00004000
2775 #define SHARE_FLAGS_encryption_required 0x00008000
/* Add the 4-byte share flags at offset as a little-endian bitmask, then add
 * the caching policy as a formatted item under it.
 * NOTE(review): cp is read as the whole 32-bit word here; any masking down to
 * the caching bits before the val_to_str() lookup, the declarations of item
 * and cp, the offset update and the return are not among the lines shown.
 */
2778 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
2780 static const int *sf_fields[] = {
2781 &hf_smb2_share_flags_dfs,
2782 &hf_smb2_share_flags_dfs_root,
2783 &hf_smb2_share_flags_restrict_exclusive_opens,
2784 &hf_smb2_share_flags_force_shared_delete,
2785 &hf_smb2_share_flags_allow_namespace_caching,
2786 &hf_smb2_share_flags_access_based_dir_enum,
2787 &hf_smb2_share_flags_force_levelii_oplock,
2788 &hf_smb2_share_flags_enable_hash_v1,
2789 &hf_smb2_share_flags_enable_hash_v2,
2790 &hf_smb2_share_flags_encrypt_data,
2796 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
2798 cp = tvb_get_letohl(tvb, offset);
/* An unlisted value is rendered through the "Unknown:%u" fallback. */
2800 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
/* Share capability bit masks. */
2808 #define SHARE_CAPS_DFS 0x00000008
2809 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
2810 #define SHARE_CAPS_SCALEOUT 0x00000020
2811 #define SHARE_CAPS_CLUSTER 0x00000040
/* Add the share capabilities at offset as a little-endian bitmask with one
 * sub-item per entry of sc_fields.
 * NOTE(review): the terminator of sc_fields, the offset update and the return
 * are not among the lines shown in this listing.
 */
2814 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
2816 static const int *sc_fields[] = {
2817 &hf_smb2_share_caps_dfs,
2818 &hf_smb2_share_caps_continuous_availability,
2819 &hf_smb2_share_caps_scaleout,
2820 &hf_smb2_share_caps_cluster,
2824 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
/* Hand a security blob to the matching sub-dissector. tvb holds only the
 * blob, so the signature test starts at offset 0.
 * A blob of at least 7 captured bytes that begins with "NTLMSSP" goes to the
 * NTLMSSP dissector (tvb_memeql() returns 0 on a match, hence the negation);
 * the GSS-API call below covers the other case, whose `else` line is not
 * among the lines shown in this listing.
 */
2832 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
2834 if ((tvb_captured_length(tvb)>=7)
2835 && (!tvb_memeql(tvb, 0, "NTLMSSP", 7))) {
2836 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
2838 call_dissector(gssapi_handle, tvb, pinfo, tree);
/* Dissect an SMB2 session setup request and, on the first pass over the
 * frame, record a session entry for every NTLMSSP_AUTH message delivered by
 * the "ntlmssp" tap.
 *
 * The tap listener is registered once (ntlmssp_tap_id is static) without
 * callbacks; the tapped headers are pulled with fetch_tapped_data() after the
 * security blob has been dissected.
 *
 * Security-relevant state: account, domain and host names from the NTLMSSP
 * header are copied into wmem file scope, and when the session key is not
 * all zeros two decryption keys are derived from it and stored in the same
 * file-scope entry, so names and keys persist until the capture file is
 * closed. With an all-zero key both key buffers are cleared instead.
 *
 * NOTE(review): the arguments of smb2_key_derivation() other than the key and
 * the output buffer, the declarations of idx and zeros, the offset updates
 * and the return are not among the lines shown in this listing.
 */
2843 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2845 offset_length_buffer_t s_olb;
2846 const ntlmssp_header_t *ntlmssph;
2847 static int ntlmssp_tap_id = 0;
2850 if (!ntlmssp_tap_id) {
2851 GString *error_string;
2852 /* We don't specify any callbacks at all.
2853 * Instead we manually fetch the tapped data after the
2854 * security blob has been fully dissected and before
2855 * we exit from this dissector.
2857 error_string = register_tap_listener("ntlmssp", NULL, NULL,
2858 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL);
2859 if (!error_string) {
2860 ntlmssp_tap_id = find_tap_id("ntlmssp");
2862 g_string_free(error_string, TRUE);
2868 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2869 /* some unknown bytes */
2872 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
2875 offset = dissect_smb2_secmode(tree, tvb, offset);
2878 offset = dissect_smb2_capabilities(tree, tvb, offset);
2881 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2884 /* security blob offset/length */
2885 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2887 /* previous session id */
2888 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2892 /* the security blob itself */
/* s_olb carries the offset and length read from the packet above;
 * dissect_smb2_olb_buffer() is given dissect_smb2_secblob as the callback. */
2893 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2895 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
2897 /* If we have found a uid->acct_name mapping, store it */
2898 if (!pinfo->fd->flags.visited) {
/* The loop condition already guarantees that ntlmssph is non-NULL. */
2900 while ((ntlmssph = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
2901 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
2902 smb2_sesid_info_t *sesid;
2903 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
2904 sesid->sesid = si->sesid;
2905 sesid->acct_name = wmem_strdup(wmem_file_scope(), ntlmssph->acct_name);
2906 sesid->domain_name = wmem_strdup(wmem_file_scope(), ntlmssph->domain_name);
2907 sesid->host_name = wmem_strdup(wmem_file_scope(), ntlmssph->host_name);
/* An all-zero session key is treated as "no key available". */
2908 if (memcmp(ntlmssph->session_key, zeros, NTLMSSP_KEY_LEN) != 0) {
2909 smb2_key_derivation(ntlmssph->session_key,
2913 sesid->server_decryption_key);
2914 smb2_key_derivation(ntlmssph->session_key,
2918 sesid->client_decryption_key);
2920 memset(sesid->server_decryption_key, 0,
2921 sizeof(sesid->server_decryption_key));
2922 memset(sesid->client_decryption_key, 0,
2923 sizeof(sesid->client_decryption_key));
/* The request's destination port is recorded as the server port. */
2925 sesid->server_port = pinfo->destport;
2926 sesid->auth_frame = pinfo->num;
/* NOTE(review): this GHashTable is a GLib allocation referenced from a wmem
 * file-scope struct; confirm it is destroyed when the capture is closed. */
2927 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
2928 g_hash_table_insert(si->conv->sesids, sesid, sesid);
/* Dissect the symlink error response under a new subtree: symlink length,
 * error tag, reparse tag, reparse data length, unparsed path length, the
 * offset/length pairs of the substitute and print names, flags, and finally
 * the two names as Unicode strings.
 * pinfo is marked _U_ in the signature but is passed to the string helper.
 * NOTE(review): both names are located through offset/length pairs read from
 * the packet; bounds handling is inside dissect_smb2_olb_off_string(), which
 * is not part of this listing. The declarations of item and tree, the offset
 * updates and the return are not among the lines shown.
 */
2937 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2942 offset_length_buffer_t s_olb, p_olb;
2944 item = proto_tree_add_item(parent_tree, hf_smb2_symlink_error_response, tvb, offset, -1, ENC_NA);
2945 tree = proto_item_add_subtree(item, ett_smb2_symlink_error_response);
2947 /* symlink length */
2948 proto_tree_add_item(tree, hf_smb2_symlink_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2951 /* symlink error tag */
2952 proto_tree_add_item(tree, hf_smb2_symlink_error_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2956 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2959 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2962 proto_tree_add_item(tree, hf_smb2_unparsed_path_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2965 /* substitute name offset/length */
2966 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
2968 /* print name offset/length */
2969 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
2972 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2975 /* substitute name string */
2976 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
2978 /* print name string */
2979 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
/* Dissect the ErrorData part of an error response under a new subtree.
 * With error_context_count == 0 the payload is chosen by si->status; the only
 * status handled in the lines shown is 0x8000002D (STATUS_STOPPED_ON_SYMLINK).
 * Multiple error contexts are not handled yet, per the TODO below.
 * si is marked _U_ in the signature but si->status is read.
 * NOTE(review): the declarations of item, tree and offset, the rest of the
 * switch and the return are not among the lines shown in this listing.
 */
2983 dissect_smb2_error_data(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int error_context_count, smb2_info_t *si _U_)
2990 item = proto_tree_add_item(parent_tree, hf_smb2_error_data, tvb, offset, -1, ENC_NA);
2991 tree = proto_item_add_subtree(item, ett_smb2_error_data);
2993 if (error_context_count == 0) {
2994 switch (si->status) {
2995 case 0x8000002D: /* STATUS_STOPPED_ON_SYMLINK */
2996 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvb, pinfo, tree, offset, si);
3003 /* TODO SMB311 supports multiple error contexts */
3007 /* This needs more fixes for cases when the original header had also the constant value of 9.
3008 This should be fixed on caller side where it decides if it has to call this or not.
/* Dissect an SMB2 error response: buffer code, error context count, one
 * reserved byte, the 4-byte ByteCount and the ErrorData that follows, which
 * is handed to dissect_smb2_error_data() as its own sub-tvb.
 *
 * continue_dissection: optional out flag (may be NULL); it is set to TRUE on
 *     one path and FALSE on the other.
 * NOTE(review): the test that selects between those two paths, the
 * declarations of length, byte_count and sub_tvb, the offset updates and the
 * return are not among the lines shown in this listing.
 */
3011 dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si,
3012 gboolean* continue_dissection)
3015 guint8 error_context_count;
3020 offset = dissect_smb2_buffercode(tree, tvb, offset, &length);
3022 /* FIX: error response uses this constant, if not then it is not an error response */
3025 if(continue_dissection)
3026 *continue_dissection = TRUE;
3028 if(continue_dissection)
3029 *continue_dissection = FALSE;
3031 /* ErrorContextCount (1 bytes) */
3032 error_context_count = tvb_get_guint8(tvb, offset);
3033 proto_tree_add_item(tree, hf_smb2_error_context_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3036 /* Reserved (1 bytes) */
3037 proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3040 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
3041 byte_count = tvb_get_letohl(tvb, offset);
3042 proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3045 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
3046 that is one byte in length */
3047 if (byte_count == 0) byte_count = 1;
3049 /* ErrorData (variable): A variable-length data field that contains extended
3050 error information.*/
/* byte_count is a 32-bit value taken from the packet and is used both as the
 * sub-tvb length and as an increment of the int offset.
 * NOTE(review): presumably tvb_new_subset_length() rejects a length that runs
 * past the buffer before the addition can wrap offset - confirm. */
3051 sub_tvb = tvb_new_subset_length(tvb, offset, byte_count);
3052 offset += byte_count;
3054 dissect_smb2_error_data(sub_tvb, pinfo, tree, error_context_count, si);
/*
 * Dissects a SESSION_SETUP response: buffer code, session flags, and the
 * security blob, which is passed to dissect_smb2_secblob.
 *
 * When built with HAVE_KERBEROS, the first pass over a frame with status 0
 * also searches enc_key_list for an entry recorded against this frame number
 * and, on a match, registers a session entry holding decryption keys derived
 * from that key.
 */
3061 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3063 offset_length_buffer_t s_olb;
3065 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
3068 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3071 offset = dissect_smb2_ses_flags(tree, tvb, offset);
3073 /* security blob offset/length */
3074 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3076 /* the security blob itself */
3077 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3079 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
3081 /* If we have found a uid->acct_name mapping, store it */
3082 #ifdef HAVE_KERBEROS
3083 if (!pinfo->fd->flags.visited && si->status == 0) {
3087 read_keytab_file_from_preferences();
3090 for (ek=enc_key_list;ek;ek=ek->next) {
3091 if (ek->fd_num == (int)pinfo->num) {
3097 smb2_sesid_info_t *sesid;
/*
 * The 16-byte buffer starts zeroed and the copy is capped at 16, so a
 * shorter key is zero-padded and a longer one is truncated.
 * NOTE(review): if ek->keylength is a signed type, a negative value would
 * pass MIN() and reach memcpy() as a huge size - confirm its type and where
 * it is validated.  No wipe of this stack copy of key material is visible
 * before the function returns.
 */
3098 guint8 session_key[16] = { 0, };
3100 memcpy(session_key, ek->keyvalue, MIN(ek->keylength, 16));
3102 sesid = wmem_new(wmem_file_scope(), smb2_sesid_info_t);
3103 sesid->sesid = si->sesid;
3104 /* TODO: fill in the correct information */
3105 sesid->acct_name = NULL;
3106 sesid->domain_name = NULL;
3107 sesid->host_name = NULL;
3108 smb2_key_derivation(session_key, sizeof(session_key),
3111 sesid->server_decryption_key);
3112 smb2_key_derivation(session_key, sizeof(session_key),
3115 sesid->client_decryption_key);
3116 sesid->server_port = pinfo->srcport;
3117 sesid->auth_frame = pinfo->num;
/*
 * NOTE(review): sesid itself is wmem file-scope memory, but the tids table
 * comes from g_hash_table_new() and is not released with that scope -
 * confirm it is destroyed elsewhere when the capture file is closed.
 */
3118 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
3119 g_hash_table_insert(si->conv->sesids, sesid, sesid);
/*
 * Dissects a TREE_CONNECT request: buffer code, two reserved bytes, and the
 * tree path (offset/length pair plus the Unicode string).  On the first pass
 * a copy of the path is parked in si->saved->extra_info, tagged
 * SMB2_EI_TREENAME, for the matching response; the path is also appended to
 * the Info column.
 */
3128 dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3130 offset_length_buffer_t olb;
3134 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3137 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
3140 /* tree offset/length */
3141 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);
3144 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
3146 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * The saved copy is sized from olb.len, the on-the-wire byte length, and
 * g_snprintf() is given the same bound, so a decoded string longer than that
 * is truncated rather than written past the allocation.  The buffer is wmem
 * file-scope memory and must never reach g_free(); dissect_smb2_find_response()
 * frees extra_info only when the tag is SMB2_EI_FINDPATTERN, so the tag set
 * here has to stay in step with the allocator used.
 * NOTE(review): buf is NULL-checked in the condition below; confirm the
 * Info-column call at the end is equally safe if buf can be NULL (the
 * enclosing braces are not visible in this excerpt).
 */
3148 /* treelen +1 is overkill here if the string is unicode,
3149 * but who ever has more than a handful of TCON in a trace anyways
3151 if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
3152 si->saved->extra_info_type = SMB2_EI_TREENAME;
3153 si->saved->extra_info = wmem_alloc(wmem_file_scope(), olb.len+1);
3154 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
3157 col_append_fstr(pinfo->cinfo, COL_INFO, " Tree: %s", buf);
/*
 * Dissects a TREE_CONNECT response.  A status of 0 is parsed as a normal
 * response; any other status goes through dissect_smb2_error_response(), and
 * the function returns early when that call clears continue_dissection.
 * The body is share type, a reserved byte, share flags, share capabilities
 * and an access mask.  On the first pass the tree name saved by the request
 * is bound to si->tid in the session's tids table.
 *
 * NOTE(review): si is marked _U_ but is used throughout.
 */
3162 dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
/* Only read on the error path, after dissect_smb2_error_response() has run. */
3165 gboolean continue_dissection;
3167 switch (si->status) {
3169 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3170 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3171 if (!continue_dissection) return offset;
3175 share_type = tvb_get_guint8(tvb, offset);
3176 proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3179 /* byte is reserved and must be set to zero */
3180 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
3183 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
/*
 * tid_key is a stack struct with only .tid filled in; presumably the table's
 * hash and equal callbacks look at nothing else - verify.
 */
3184 smb2_tid_info_t *tid, tid_key;
3186 tid_key.tid = si->tid;
3187 tid = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
3189 g_hash_table_remove(si->session->tids, &tid_key);
3191 tid = wmem_new(wmem_file_scope(), smb2_tid_info_t);
/*
 * Ownership of the saved name moves to the tid entry; extra_info is cleared
 * below so the same pointer is not referenced from two places.
 */
3193 tid->name = (char *)si->saved->extra_info;
3194 tid->connect_frame = pinfo->num;
3195 tid->share_type = share_type;
3197 g_hash_table_insert(si->session->tids, tid, tid);
3199 si->saved->extra_info_type = SMB2_EI_NONE;
3200 si->saved->extra_info = NULL;
3204 offset = dissect_smb2_share_flags(tree, tvb, offset);
3206 /* share capabilities */
3207 offset = dissect_smb2_share_caps(tree, tvb, offset);
3209 /* this is some sort of access mask */
3210 offset = dissect_smb_access_mask(tvb, tree, offset);
/* Dissects a TREE_DISCONNECT request: buffer code followed by two reserved bytes. */
3216 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3219 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3222 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/*
 * Dissects a TREE_DISCONNECT response.  Status 0 is parsed as a normal
 * response (buffer code, two reserved bytes); any other status is handed to
 * dissect_smb2_error_response(), with an early return when that call clears
 * continue_dissection.
 *
 * NOTE(review): pinfo and si are marked _U_ but both are used.
 */
3229 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3231 gboolean continue_dissection;
3233 switch (si->status) {
3235 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3236 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3237 if (!continue_dissection) return offset;
3241 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Dissects a LOGOFF request: buffer code, then the reserved bytes. */
3248 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3251 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3253 /* reserved bytes */
/*
 * Dissects a LOGOFF response.  Status 0 is parsed as a normal response
 * (buffer code, two reserved bytes); any other status goes through
 * dissect_smb2_error_response(), with an early return when that call clears
 * continue_dissection.
 *
 * NOTE(review): pinfo and si are marked _U_ but both are used.
 */
3260 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3262 gboolean continue_dissection;
3264 switch (si->status) {
3266 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3267 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3268 if (!continue_dissection) return offset;
3271 /* reserved bytes */
3272 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* Dissects a KEEPALIVE request: buffer code, then two bytes shown as unknown. */
3279 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3282 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3284 /* some unknown bytes */
3285 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissects a KEEPALIVE response.  Status 0 is parsed as a normal response
 * (buffer code, two bytes shown as unknown); any other status goes through
 * dissect_smb2_error_response(), with an early return when that call clears
 * continue_dissection.
 *
 * NOTE(review): pinfo and si are marked _U_ but both are used.
 */
3292 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3294 gboolean continue_dissection;
3296 switch (si->status) {
3298 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3299 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3300 if (!continue_dissection) return offset;
3303 /* some unknown bytes */
3304 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissects a CHANGE_NOTIFY request: buffer code, a 2-byte flags field (with
 * the watch-tree bit broken out in a subtree), the 4-byte output buffer
 * length, the file id, the completion filter, and four reserved bytes.
 */
3311 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3313 proto_tree *flags_tree = NULL;
3314 proto_item *flags_item = NULL;
3317 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3321 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3322 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
3324 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3327 /* output buffer length */
3328 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3332 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3334 /* completion filter */
3335 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
3338 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/* Value-to-name table for the action codes carried in change-notify entries. */
3344 static const value_string notify_action_vals[] = {
3345 {0x01, "FILE_ACTION_ADDED"},
3346 {0x02, "FILE_ACTION_REMOVED"},
3347 {0x03, "FILE_ACTION_MODIFIED"},
3348 {0x04, "FILE_ACTION_RENAMED_OLD_NAME"},
3349 {0x05, "FILE_ACTION_RENAMED_NEW_NAME"},
3350 {0x06, "FILE_ACTION_ADDED_STREAM"},
3351 {0x07, "FILE_ACTION_REMOVED_STREAM"},
3352 {0x08, "FILE_ACTION_MODIFIED_STREAM"},
3353 {0x09, "FILE_ACTION_REMOVED_BY_DELETE"},
/*
 * Walks the chained entries in a CHANGE_NOTIFY response buffer.  Each entry
 * is a 4-byte next-entry offset, a 4-byte action, a 4-byte file name length
 * and the file name; the walk continues while more than 4 bytes remain.
 */
3358 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3360 proto_tree *tree = NULL;
3361 proto_item *item = NULL;
3364 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3365 guint32 start_offset = offset;
3366 guint32 next_offset;
3370 item = proto_tree_add_item(parent_tree, hf_smb2_notify_info, tvb, offset, -1, ENC_NA);
3371 tree = proto_item_add_subtree(item, ett_smb2_notify_info);
3375 proto_tree_add_item_ret_uint(tree, hf_smb2_notify_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &next_offset);
3378 proto_tree_add_item(tree, hf_smb2_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3381 /* file name length */
3382 proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
3387 const guchar *name = "";
/*
 * NOTE(review): bc's declaration is not visible here; if it is narrower than
 * the int returned by tvb_reported_length_remaining(), a large remaining
 * length is silently truncated before it bounds the string read.
 */
3390 bc = tvb_reported_length_remaining(tvb, offset);
3391 name = get_unicode_or_ascii_string(tvb, &offset,
3392 TRUE, &length, TRUE, TRUE, &bc);
3394 proto_tree_add_string(tree, hf_smb2_filename,
3395 tvb, offset, length,
/*
 * NOTE(review): next_offset comes from the packet and the sum below is
 * computed in guint32, so it can wrap.  The directory-info loops in this file
 * report an offset that lands before the current entry as malformed
 * (offset < old_offset); no such check is visible here.  Confirm that a zero
 * next_offset ends the loop and that a value pointing backwards cannot make
 * the loop revisit data.
 */
3406 offset = start_offset+next_offset;
/*
 * Dissects a CHANGE_NOTIFY response.  Status 0 and STATUS_NOTIFY_ENUM_DIR are
 * both parsed as a normal response; any other status goes through
 * dissect_smb2_error_response(), with an early return when that call clears
 * continue_dissection.  The output buffer is located through an
 * offset/length pair and dissected by dissect_smb2_notify_data_out().
 *
 * NOTE(review): pinfo is marked _U_ but is passed on below.
 */
3411 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
3413 offset_length_buffer_t olb;
3414 gboolean continue_dissection;
3416 switch (si->status) {
3417 /* MS-SMB2 3.3.4.4 says STATUS_NOTIFY_ENUM_DIR is not treated as an error */
3418 case 0x0000010c: /* STATUS_NOTIFY_ENUM_DIR */
3419 case 0x00000000: /* buffer code */
3420 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
3421 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
3422 if (!continue_dissection) return offset;
3425 /* out buffer offset/length */
3426 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
3429 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
3430 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* Flag bits for the SMB2 FIND request. */
3435 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
3436 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
3437 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
3438 #define SMB2_FIND_FLAG_REOPEN 0x10
/*
 * Dissects a FIND request: buffer code, info level, flags bitmask, file
 * index, file id, search pattern offset/length, output buffer length, and the
 * pattern string.  The info level is stored in si->saved->infolevel, and on
 * the first pass the pattern is stored in si->saved->extra_info (tagged
 * SMB2_EI_FINDPATTERN) for the response to use.
 */
3441 dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3443 offset_length_buffer_t olb;
3446 static const int *f_fields[] = {
3447 &hf_smb2_find_flags_restart_scans,
3448 &hf_smb2_find_flags_single_entry,
3449 &hf_smb2_find_flags_index_specified,
3450 &hf_smb2_find_flags_reopen,
3455 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3457 il = tvb_get_guint8(tvb, offset);
/* NOTE(review): confirm si->saved is NULL-checked before this store (no guard is visible here). */
3459 si->saved->infolevel = il;
3463 proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
3467 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
3471 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3475 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
3477 /* search pattern offset/length */
3478 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);
3480 /* output buffer length */
3481 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3484 /* search pattern */
3485 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
3487 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * The copy is bounded by olb.len+1 on both the allocation and the
 * g_snprintf() call, so it cannot be written past its end.
 * NOTE(review): unlike dissect_smb2_tree_connect_request(), this condition
 * does not test buf before formatting it with "%s".  The buffer comes from
 * g_malloc() and is released by dissect_smb2_find_response() only when that
 * response is seen on the first pass; a request with no dissected response,
 * or an extra_info value already present here, looks like a leak - confirm.
 */
3489 if (!pinfo->fd->flags.visited && si->saved && olb.len) {
3490 si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
3491 si->saved->extra_info = g_malloc(olb.len+1);
3492 g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
3495 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3496 val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
/*
 * Walks the chained entries of a FIND response at the directory-info level.
 * Each entry is: next offset, file index, four 64-bit timestamps, end of
 * file, allocation size, file attributes, file name length, file name.
 * The walk continues while more than 4 bytes remain.
 *
 * NOTE(review): pinfo is marked _U_ but is passed to the expert-info call.
 */
3502 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3505 proto_item *item = NULL;
3506 proto_tree *tree = NULL;
3507 const char *name = NULL;
3510 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3511 int old_offset = offset;
3516 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
3517 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
3521 next_offset = tvb_get_letohl(tvb, offset);
3522 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3526 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3530 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3533 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3536 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3539 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3542 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3545 /* allocation size */
3546 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3549 /* File Attributes */
3550 offset = dissect_file_ext_attr(tvb, tree, offset);
3552 /* file name length */
3553 file_name_len = tvb_get_letohl(tvb, offset);
3554 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3558 if (file_name_len) {
3560 name = get_unicode_or_ascii_string(tvb, &offset,
3561 TRUE, &file_name_len, TRUE, TRUE, &bc);
3563 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3564 offset, file_name_len, name);
3565 proto_item_append_text(item, ": %s", name);
3570 proto_item_set_len(item, offset-old_offset);
/*
 * next_offset comes from the packet.  Zero is handled on its own, and a
 * result that lands before the current entry is reported as malformed, so
 * every iteration is meant to move forward.
 * NOTE(review): the wrap check depends on the declared types of offset and
 * next_offset, which are not visible in this excerpt.
 */
3572 if (next_offset == 0) {
3576 offset = old_offset+next_offset;
3577 if (offset < old_offset) {
3578 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3579 "Invalid offset/length. Malformed packet");
/*
 * Walks the chained entries of a FIND response at the full-directory-info
 * level.  Each entry is: next offset, file index, four 64-bit timestamps,
 * end of file, allocation size, file attributes, file name length, EA size,
 * file name.  The walk continues while more than 4 bytes remain.
 *
 * NOTE(review): pinfo is marked _U_ but is passed to the expert-info call.
 */
3585 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3588 proto_item *item = NULL;
3589 proto_tree *tree = NULL;
3590 const char *name = NULL;
3593 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3594 int old_offset = offset;
3599 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
3600 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
3604 next_offset = tvb_get_letohl(tvb, offset);
3605 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3609 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3613 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3616 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3619 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3622 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3625 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3628 /* allocation size */
3629 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3632 /* File Attributes */
3633 offset = dissect_file_ext_attr(tvb, tree, offset);
3635 /* file name length */
3636 file_name_len = tvb_get_letohl(tvb, offset);
3637 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3641 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3645 if (file_name_len) {
3647 name = get_unicode_or_ascii_string(tvb, &offset,
3648 TRUE, &file_name_len, TRUE, TRUE, &bc);
3650 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3651 offset, file_name_len, name);
3652 proto_item_append_text(item, ": %s", name);
3657 proto_item_set_len(item, offset-old_offset);
/*
 * next_offset comes from the packet.  Zero is handled on its own, and a
 * result that lands before the current entry is reported as malformed, so
 * every iteration is meant to move forward.
 * NOTE(review): the wrap check depends on the declared types of offset and
 * next_offset, which are not visible in this excerpt.
 */
3659 if (next_offset == 0) {
3663 offset = old_offset+next_offset;
3664 if (offset < old_offset) {
3665 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3666 "Invalid offset/length. Malformed packet");
/*
 * Walks the chained entries of a FIND response at the both-directory-info
 * level.  Each entry is: next offset, file index, four 64-bit timestamps,
 * end of file, allocation size, file attributes, file name length, EA size,
 * a 1-byte short name length, a reserved byte, the short name, and the file
 * name.  The walk continues while more than 4 bytes remain.
 *
 * NOTE(review): pinfo is marked _U_ but is passed to the expert-info call.
 */
3672 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3675 proto_item *item = NULL;
3676 proto_tree *tree = NULL;
3677 const char *name = NULL;
3680 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3681 int old_offset = offset;
3687 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3688 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3692 next_offset = tvb_get_letohl(tvb, offset);
3693 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3697 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3701 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3704 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3707 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3710 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3713 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3716 /* allocation size */
3717 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3720 /* File Attributes */
3721 offset = dissect_file_ext_attr(tvb, tree, offset);
3723 /* file name length */
3724 file_name_len = tvb_get_letohl(tvb, offset);
3725 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3729 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3732 /* short name length */
3733 short_name_len = tvb_get_guint8(tvb, offset);
3734 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3738 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
3742 if (short_name_len) {
/* The byte budget for the short-name read is the one-byte length from the packet. */
3743 bc = short_name_len;
3744 name = get_unicode_or_ascii_string(tvb, &offset,
3745 TRUE, &short_name_len, TRUE, TRUE, &bc);
3747 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3748 offset, short_name_len, name);
3754 if (file_name_len) {
3756 name = get_unicode_or_ascii_string(tvb, &offset,
3757 TRUE, &file_name_len, TRUE, TRUE, &bc);
3759 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3760 offset, file_name_len, name);
3761 proto_item_append_text(item, ": %s", name);
3766 proto_item_set_len(item, offset-old_offset);
/*
 * next_offset comes from the packet.  Zero is handled on its own, and a
 * result that lands before the current entry is reported as malformed, so
 * every iteration is meant to move forward.
 * NOTE(review): the wrap check depends on the declared types of offset and
 * next_offset, which are not visible in this excerpt.
 */
3768 if (next_offset == 0) {
3772 offset = old_offset+next_offset;
3773 if (offset < old_offset) {
3774 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3775 "Invalid offset/length. Malformed packet");
/*
 * Walks the chained entries of a FIND response at the name-info level.
 * Each entry is: next offset, file index, file name length, file name.
 * The walk continues while more than 4 bytes remain.
 *
 * NOTE(review): pinfo is marked _U_ but is passed to the expert-info call.
 */
3781 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3784 proto_item *item = NULL;
3785 proto_tree *tree = NULL;
3786 const char *name = NULL;
3789 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3790 int old_offset = offset;
/*
 * NOTE(review): the entry is added under the both-directory-info field and
 * subtree ids, which looks like a copy-paste from
 * dissect_smb2_both_directory_info().  It affects labelling and display
 * filters only, not parsing - confirm whether it is intended.
 */
3795 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3796 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
3800 next_offset = tvb_get_letohl(tvb, offset);
3801 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3805 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3808 /* file name length */
3809 file_name_len = tvb_get_letohl(tvb, offset);
3810 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3814 if (file_name_len) {
3816 name = get_unicode_or_ascii_string(tvb, &offset,
3817 TRUE, &file_name_len, TRUE, TRUE, &bc);
3819 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3820 offset, file_name_len, name);
3821 proto_item_append_text(item, ": %s", name);
3826 proto_item_set_len(item, offset-old_offset);
/*
 * next_offset comes from the packet.  Zero is handled on its own, and a
 * result that lands before the current entry is reported as malformed, so
 * every iteration is meant to move forward.
 * NOTE(review): the wrap check depends on the declared types of offset and
 * next_offset, which are not visible in this excerpt.
 */
3828 if (next_offset == 0) {
3832 offset = old_offset+next_offset;
3833 if (offset < old_offset) {
3834 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3835 "Invalid offset/length. Malformed packet");
/*
 * Walks the chained entries of a FIND response at the id-both-directory-info
 * level.  Each entry is: next offset, file index, four 64-bit timestamps,
 * end of file, allocation size, file attributes, file name length, EA size,
 * a 1-byte short name length, a reserved byte, the short name, two reserved
 * bytes, an 8-byte file id, and the file name.  The walk continues while
 * more than 4 bytes remain.
 *
 * NOTE(review): pinfo is marked _U_ but is passed to the expert-info call.
 */
3841 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3844 proto_item *item = NULL;
3845 proto_tree *tree = NULL;
3846 const char *name = NULL;
3849 while (tvb_reported_length_remaining(tvb, offset) > 4) {
3850 int old_offset = offset;
3856 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
3857 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
3861 next_offset = tvb_get_letohl(tvb, offset);
3862 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3866 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3870 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3873 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3876 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3879 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3882 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3885 /* allocation size */
3886 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3889 /* File Attributes */
3890 offset = dissect_file_ext_attr(tvb, tree, offset);
3892 /* file name length */
3893 file_name_len = tvb_get_letohl(tvb, offset);
3894 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3898 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3901 /* short name length */
3902 short_name_len = tvb_get_guint8(tvb, offset);
3903 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3907 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
3911 if (short_name_len) {
/* The byte budget for the short-name read is the one-byte length from the packet. */
3912 bc = short_name_len;
3913 name = get_unicode_or_ascii_string(tvb, &offset,
3914 TRUE, &short_name_len, TRUE, TRUE, &bc);
3916 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3917 offset, short_name_len, name);
3923 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
3927 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3931 if (file_name_len) {
3933 name = get_unicode_or_ascii_string(tvb, &offset,
3934 TRUE, &file_name_len, TRUE, TRUE, &bc);
3936 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3937 offset, file_name_len, name);
3938 proto_item_append_text(item, ": %s", name);
3943 proto_item_set_len(item, offset-old_offset);
/*
 * next_offset comes from the packet.  Zero is handled on its own, and a
 * result that lands before the current entry is reported as malformed, so
 * every iteration is meant to move forward.
 * NOTE(review): the wrap check depends on the declared types of offset and
 * next_offset, which are not visible in this excerpt.
 */
3945 if (next_offset == 0) {
3949 offset = old_offset+next_offset;
3950 if (offset < old_offset) {
3951 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
3952 "Invalid offset/length. Malformed packet");
/*
 * Pairs a FIND info level with the routine that dissects entries of that
 * level.  dissect_smb2_find_data() walks the table below until it reaches an
 * entry whose dissector pointer is NULL.
 *
 * NOTE(review): as shown, the table is neither static nor const, which
 * leaves a table of function pointers as a writable, externally visible
 * global.  Nothing in this excerpt modifies it, so "static const" would
 * allow it to be placed in read-only data - confirm no other file refers to
 * it.
 */
3959 typedef struct _smb2_find_dissector_t {
3961 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
3962 } smb2_find_dissector_t;
3964 smb2_find_dissector_t smb2_find_dissectors[] = {
3965 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
3966 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
3967 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
3968 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
3969 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
/*
 * Dispatches a FIND response buffer to the dissector registered in
 * smb2_find_dissectors for si->saved->infolevel.  The whole buffer is added
 * as hf_smb2_unknown on the last line; presumably that is the fallback when
 * no table entry matched or si/si->saved is NULL (the control flow around it
 * is not visible here).
 */
3974 dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
3976 smb2_find_dissector_t *dis = smb2_find_dissectors;
3978 while (dis->dissector) {
3979 if (si && si->saved) {
3980 if (dis->level == si->saved->infolevel) {
3981 dis->dissector(tvb, pinfo, tree, si);
3988 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissects a FIND response.  It shows the info level remembered from the
 * request as a generated item and, on the first pass, appends the saved
 * search pattern to the Info column and releases it.  Status 0 is then
 * parsed as a normal response; any other status goes through
 * dissect_smb2_error_response(), with an early return when that call clears
 * continue_dissection.  The result buffer is dissected by
 * dissect_smb2_find_data().
 *
 * NOTE(review): pinfo and si are marked _U_ but both are used.
 */
3992 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3994 offset_length_buffer_t olb;
3995 proto_item *item = NULL;
3996 gboolean continue_dissection;
/* NOTE(review): confirm si->saved is NULL-checked before this dereference (no guard is visible here). */
4000 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
4001 PROTO_ITEM_SET_GENERATED(item);
/*
 * g_free() is only valid for the g_malloc() buffer that
 * dissect_smb2_find_request() stores under SMB2_EI_FINDPATTERN; the tree
 * name stored under SMB2_EI_TREENAME is wmem memory.  The tag test in this
 * condition is what keeps the two allocators apart.  Clearing extra_info and
 * its tag afterwards prevents a second free or later use of the pointer.
 */
4004 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
4005 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
4006 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
4007 (const char *)si->saved->extra_info);
4009 g_free(si->saved->extra_info);
4010 si->saved->extra_info_type = SMB2_EI_NONE;
4011 si->saved->extra_info = NULL;
4014 switch (si->status) {
4016 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4017 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4018 if (!continue_dissection) return offset;
4021 /* findinfo offset */
4022 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
4025 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
4027 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/*
 * Dissects one negotiate context element under a "Negotiate Context"
 * subtree: a 2-byte type, a 2-byte data length, four reserved bytes, then
 * data_length bytes that are shown as hf_smb2_unknown.
 *
 * NOTE(review): type and data_length are both fetched with
 * tvb_get_letohl() (4 bytes) although each field is added to the tree as a
 * 2-byte item.  data_length is a guint16, so the extra bytes are dropped on
 * assignment; for type the effect depends on its declaration, which is not
 * visible here.  The wider read can also fail the bounds check on a context
 * that is truncated just after the field.  tvb_get_letohs() would match the
 * field width.
 */
4033 dissect_smb2_negotiate_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4035 int start_offset = offset;
4037 const gchar *type_str;
4038 guint16 data_length;
4039 proto_item *sub_item;
4040 proto_tree *sub_tree;
4043 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_negotiate_context_element, &sub_item, "Negotiate Context");
4046 type = tvb_get_letohl(tvb, offset);
4047 type_str = val_to_str(type, smb2_negotiate_context_types, "Unknown Type: (0x%0x)");
4048 proto_item_append_text(sub_item, ": %s ", type_str);
4049 proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4053 data_length = tvb_get_letohl(tvb, offset);
4054 proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4058 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * data_length comes from the packet; tvb_new_subset_length() is expected to
 * reject a length that runs past the buffer before offset is advanced -
 * confirm.
 */
4062 sub_tvb = tvb_new_subset_length(tvb, offset, data_length);
4063 offset += data_length;
4065 proto_item_set_len(sub_item, offset - start_offset);
4068 * TODO: disssect the context data
4070 proto_tree_add_item(sub_tree, hf_smb2_unknown, sub_tvb, 0, data_length, ENC_NA);
/*
 * Dissects a NEGOTIATE request: buffer code, dialect count, security mode,
 * reserved bytes, capabilities, client GUID, negotiate context offset and
 * count, reserved bytes, the list of dialects, and then ncc negotiate
 * contexts, each started on an 8-byte boundary.
 *
 * NOTE(review): pinfo and si are marked _U_ but both are passed on to
 * dissect_smb2_negotiate_context().
 */
4076 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4080 gboolean supports_smb_3_10 = FALSE;
4085 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4088 dc = tvb_get_letohs(tvb, offset);
4089 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4092 /* security mode, skip second byte */
4093 offset = dissect_smb2_secmode(tree, tvb, offset);
4098 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4102 offset = dissect_smb2_capabilities(tree, tvb, offset);
4105 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4108 /* negotiate context offset */
4109 nco = tvb_get_letohl(tvb, offset);
4110 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4113 /* negotiate context count */
4114 ncc = tvb_get_letohs(tvb, offset);
4115 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4119 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
/* dc is the 16-bit dialect count from the packet; each dialect is a 2-byte read. */
4122 for (i = 0 ; i < dc; i++) {
4123 guint16 d = tvb_get_letohs(tvb, offset);
4124 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4128 supports_smb_3_10 = TRUE;
4132 if (!supports_smb_3_10) {
/*
 * NOTE(review): nco is a 32-bit offset from the packet.  "nco - tmp" wraps
 * when nco is smaller than tmp, and the result is added to the int offset;
 * confirm that nco >= tmp is checked before the subtraction (no check is
 * visible in this excerpt).
 */
4137 guint32 tmp = 0x40 + 36 + dc * 2;
4140 offset += nco - tmp;
/* ncc is the 16-bit context count from the packet; offset is rounded up to a multiple of 8 before each context. */
4146 for (i = 0; i < ncc; i++) {
4147 offset = (offset + 7) & ~7;
4148 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissects a NEGOTIATE response.  Status 0 is parsed as a normal response;
 * any other status goes through dissect_smb2_error_response(), with an early
 * return when that call clears continue_dissection.  The body is security
 * mode, chosen dialect, negotiate context count, server GUID, capabilities,
 * max transaction/read/write sizes, current and boot time, the security
 * blob, the negotiate context offset, and then ncc negotiate contexts, each
 * started on an 8-byte boundary.
 *
 * NOTE(review): si is marked _U_ but is used throughout.
 */
4155 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4157 offset_length_buffer_t s_olb;
4162 gboolean continue_dissection;
4164 switch (si->status) {
4166 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4167 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4168 if (!continue_dissection) return offset;
4171 /* security mode, skip second byte */
4172 offset = dissect_smb2_secmode(tree, tvb, offset);
4175 /* dialect picked */
4176 d = tvb_get_letohs(tvb, offset);
4177 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4180 /* negotiate context count */
4181 ncc = tvb_get_letohs(tvb, offset);
4182 proto_tree_add_item(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4186 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4190 offset = dissect_smb2_capabilities(tree, tvb, offset);
4192 /* max trans size */
4193 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4197 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4200 /* max write size */
4201 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4205 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_current_time);
4209 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
4212 /* security blob offset/length */
4213 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
4215 /* the security blob itself */
4216 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
4218 /* negotiate context offset */
4219 nco = tvb_get_letohl(tvb, offset);
4220 proto_tree_add_item(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4223 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/*
 * NOTE(review): nco and s_olb.len both come from the packet.  "nco - tmp"
 * wraps when nco is smaller than tmp, and the result is added to the int
 * offset; confirm that nco >= tmp is checked before the subtraction (no
 * check is visible in this excerpt).
 */
4230 guint32 tmp = 0x40 + 64 + s_olb.len;
4233 offset += nco - tmp;
/* ncc is the 16-bit context count from the packet; offset is rounded up to a multiple of 8 before each context. */
4239 for (i = 0; i < ncc; i++) {
4240 offset = (offset + 7) & ~7;
4241 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
/*
 * Dissects the parameter fields of a GETINFO request.  The additional-info
 * field is shown as a security information mask when the saved class is
 * SMB2_CLASS_SEC_INFO and as a plain 4-byte item otherwise; a 4-byte flags
 * field is also added.
 *
 * NOTE(review): si->saved is dereferenced with no NULL check visible here,
 * while other routines in this file test si->saved before using it -
 * confirm callers guarantee it is set.
 */
4248 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
4250 /* Additional Info */
4251 switch (si->saved->smb2_class) {
4252 case SMB2_CLASS_SEC_INFO:
4253 dissect_security_information_mask(tvb, tree, offset);
4256 proto_tree_add_item(tree, hf_smb2_getinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4261 proto_tree_add_item(tree, hf_smb2_getinfo_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissects the input buffer of a quota GETINFO request under an
 * hf_smb2_query_quota_info subtree: two 1-byte fields (single, restart), two
 * reserved bytes, then the SID list length, start SID length and start SID
 * offset (4 bytes each).  A non-zero SID list length selects the user-quota
 * list dissector; otherwise a non-zero start SID length selects a single
 * "Start SID".
 */
4269 dissect_smb2_getinfo_buffer_quota(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4271 guint32 sidlist_len = 0;
4272 guint32 startsid_len = 0;
4273 guint32 startsid_offset = 0;
4275 proto_item *item = NULL;
4276 proto_tree *tree = NULL;
4279 item = proto_tree_add_item(parent_tree, hf_smb2_query_quota_info, tvb, offset, -1, ENC_NA);
4280 tree = proto_item_add_subtree(item, ett_smb2_query_quota_info);
4283 proto_tree_add_item(tree, hf_smb2_qq_single, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4286 proto_tree_add_item(tree, hf_smb2_qq_restart, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4290 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4293 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_sidlist_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &sidlist_len);
4296 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_len);
4299 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_offset);
/*
 * NOTE(review): sidlist_len and startsid_offset are 32-bit values from the
 * packet.  startsid_offset is added to the int offset with no range check
 * visible here; the result is presumably bounds-checked inside
 * dissect_nt_sid() - verify.
 */
4302 if (sidlist_len != 0) {
4303 offset = dissect_nt_get_user_quota(tvb, tree, offset, &sidlist_len);
4304 } else if (startsid_len != 0) {
4305 offset = dissect_nt_sid(tvb, offset + startsid_offset, tree, "Start SID", NULL, -1);
/*
 * Dissect the input buffer of a GetInfo request according to the class
 * saved for this exchange.  Only SMB2_CLASS_QUOTA_INFO has a decoder; the
 * other visible path adds `size` bytes at `offset` as hf_smb2_unknown.
 *
 * NOTE(review): si->saved is dereferenced without a NULL test here, and
 * offset/size are whatever the caller read from the packet.  Confirm the
 * caller checks si->saved and that oversized values are rejected by the
 * tvb layer rather than reaching this point unchecked.
 */
4312 dissect_smb2_getinfo_buffer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int size, smb2_info_t *si)
4314 switch (si->saved->smb2_class) {
4315 case SMB2_CLASS_QUOTA_INFO:
4316 dissect_smb2_getinfo_buffer_quota(tvb, pinfo, tree, offset, si);
4320 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, size, ENC_NA);
/*
 * Add the info class and info level to the tree.
 *
 * For a response the two values are taken from si->saved (what the matching
 * request carried) and both items are marked as generated.  For a request
 * they are read from the bytes at offset and offset+1 and stored into
 * si->saved for the later response.  The class selects the header field and
 * value-string table used to display the level; the Info column is only
 * extended for requests.
 *
 * NOTE(review): the reads and writes through si->saved below have no NULL
 * test in the visible lines.  si->saved is tested elsewhere in this file,
 * so confirm a guard exists on each path before relying on it.
 */
4329 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
4334 value_string_ext *vsx;
4336 if (si->flags & SMB2_FLAGS_RESPONSE) {
4340 cl = si->saved->smb2_class;
4341 il = si->saved->infolevel;
4343 cl = tvb_get_guint8(tvb, offset);
4344 il = tvb_get_guint8(tvb, offset+1);
4346 si->saved->smb2_class = cl;
4347 si->saved->infolevel = il;
/* Pick the header field and level-name table that belong to the class. */
4353 case SMB2_CLASS_FILE_INFO:
4354 hfindex = hf_smb2_infolevel_file_info;
4355 vsx = &smb2_file_info_levels_ext;
4357 case SMB2_CLASS_FS_INFO:
4358 hfindex = hf_smb2_infolevel_fs_info;
4359 vsx = &smb2_fs_info_levels_ext;
4361 case SMB2_CLASS_SEC_INFO:
4362 hfindex = hf_smb2_infolevel_sec_info;
4363 vsx = &smb2_sec_info_levels_ext;
4365 case SMB2_CLASS_QUOTA_INFO:
4366 /* infolevel is not being used for quota */
4367 hfindex = hf_smb2_infolevel;
4370 case SMB2_CLASS_POSIX_INFO:
4371 hfindex = hf_smb2_infolevel_posix_info;
4372 vsx = &smb2_posix_info_levels_ext;
4375 hfindex = hf_smb2_infolevel;
4376 vsx = NULL; /* allowed arg to val_to_str_ext() */
4381 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
4382 if (si->flags & SMB2_FLAGS_RESPONSE) {
4383 PROTO_ITEM_SET_GENERATED(item);
4386 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
4387 if (si->flags & SMB2_FLAGS_RESPONSE) {
4388 PROTO_ITEM_SET_GENERATED(item);
4392 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
4393 /* Only update COL_INFO for requests. It clutters the
4394 * display a bit too much if we do it for replies
4397 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
4398 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
4399 val_to_str_ext(il, vsx, "(Level:0x%02x)"));
/*
 * Dissect an SMB2 GetInfo request: buffer code, class and info level,
 * 4-byte max response size, 2-byte input buffer offset, 4-byte input buffer
 * length, the class-specific parameters (or, presumably on an alternate
 * branch, 8 undecoded bytes), the file id and finally the input buffer.
 *
 * NOTE(review): getinfo_offset and getinfo_size come straight from the
 * packet.  They are passed to dissect_smb2_getinfo_buffer() and summed into
 * the int offset at the end without a visible range check, so a large size
 * can wrap the sum or make it negative.  Bounds safety then depends on the
 * tvb accessors; consider clamping against the remaining tvb length.
 */
4406 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4408 guint32 getinfo_size = 0;
4409 guint32 getinfo_offset = 0;
4412 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4414 /* class and info level */
4415 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
4417 /* max response size */
4418 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4422 proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN, &getinfo_offset);
4426 proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &getinfo_size);
4431 dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
4433 /* some unknown bytes */
4434 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 8, ENC_NA);
4439 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* The input buffer is located by the packet-supplied offset, not by the
 * running offset. */
4443 dissect_smb2_getinfo_buffer(tvb, pinfo, tree, getinfo_offset, getinfo_size, si);
4445 offset = getinfo_offset + getinfo_size;
/*
 * Dispatch an info buffer to the dissector matching (smb2_class, infolevel).
 * File, filesystem, security and quota classes are handled.  An
 * unrecognised class or level is shown as hf_smb2_unknown covering the rest
 * of the captured data, and offset is advanced past it.  If the status is
 * 0x80000005 (BUFFER_OVERFLOW, per the comment near the end) a generated
 * "truncated" item is added at the offset the function started with.
 */
4451 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, guint8 smb2_class, guint8 infolevel)
4453 int old_offset = offset;
4455 switch (smb2_class) {
4456 case SMB2_CLASS_FILE_INFO:
4457 switch (infolevel) {
4458 case SMB2_FILE_BASIC_INFO:
4459 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
4461 case SMB2_FILE_STANDARD_INFO:
4462 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
4464 case SMB2_FILE_INTERNAL_INFO:
4465 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
4467 case SMB2_FILE_EA_INFO:
4468 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
4470 case SMB2_FILE_ACCESS_INFO:
4471 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
4473 case SMB2_FILE_RENAME_INFO:
4474 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
4476 case SMB2_FILE_DISPOSITION_INFO:
4477 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
4479 case SMB2_FILE_POSITION_INFO:
4480 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
4482 case SMB2_FILE_FULL_EA_INFO:
4483 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
4485 case SMB2_FILE_MODE_INFO:
4486 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
4488 case SMB2_FILE_ALIGNMENT_INFO:
4489 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
4491 case SMB2_FILE_ALL_INFO:
4492 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
4494 case SMB2_FILE_ALLOCATION_INFO:
4495 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
4497 case SMB2_FILE_ENDOFFILE_INFO:
/* NOTE(review): unlike the sibling cases, the return value is not assigned
 * to offset here, so offset stays at the start of this structure.  Confirm
 * whether that is intended. */
4498 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
4500 case SMB2_FILE_ALTERNATE_NAME_INFO:
4501 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
4503 case SMB2_FILE_STREAM_INFO:
4504 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
4506 case SMB2_FILE_PIPE_INFO:
4507 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
4509 case SMB2_FILE_COMPRESSION_INFO:
4510 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
4512 case SMB2_FILE_NETWORK_OPEN_INFO:
4513 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
4515 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
4516 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
4519 /* we don't handle this infolevel yet */
4520 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4521 offset += tvb_captured_length_remaining(tvb, offset);
4524 case SMB2_CLASS_FS_INFO:
4525 switch (infolevel) {
4526 case SMB2_FS_INFO_01:
4527 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
4529 case SMB2_FS_INFO_03:
4530 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
4532 case SMB2_FS_INFO_04:
4533 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
4535 case SMB2_FS_INFO_05:
4536 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
4538 case SMB2_FS_INFO_06:
4539 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
4541 case SMB2_FS_INFO_07:
4542 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
4544 case SMB2_FS_OBJECTID_INFO:
4545 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
4548 /* we don't handle this infolevel yet */
4549 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4550 offset += tvb_captured_length_remaining(tvb, offset);
4553 case SMB2_CLASS_SEC_INFO:
4554 switch (infolevel) {
4555 case SMB2_SEC_INFO_00:
4556 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
4559 /* we don't handle this infolevel yet */
4560 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4561 offset += tvb_captured_length_remaining(tvb, offset);
4564 case SMB2_CLASS_QUOTA_INFO:
4565 offset = dissect_smb2_quota_info(tvb, pinfo, tree, offset, si);
4568 /* we don't handle this class yet */
4569 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
4570 offset += tvb_captured_length_remaining(tvb, offset);
4573 /* if we get BUFFER_OVERFLOW there will be truncated data */
4574 if (si->status == 0x80000005) {
/* Zero-length generated item: it marks the buffer as truncated without
 * claiming any bytes. */
4576 item = proto_tree_add_item(tree, hf_smb2_truncated, tvb, old_offset, 0, ENC_NA);
4577 PROTO_ITEM_SET_GENERATED(item);
/*
 * Buffer callback for the GetInfo response: tvb holds only the response
 * buffer, so dissection starts at offset 0.  With a saved class/level the
 * buffer goes to dissect_smb2_infolevel(); the other visible path shows the
 * whole captured buffer as hf_smb2_unknown.
 *
 * NOTE(review): si->saved is dereferenced in the call below; the NULL test
 * that presumably selects between the two paths is not visible -- confirm.
 */
4583 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4587 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
4589 /* some unknown bytes */
4590 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Dissect an SMB2 GetInfo response.  The class/level items are added first
 * (from saved request state), then the NT status selects the layout: some
 * statuses carry the normal buffer code, one carries only a 4-byte required
 * buffer size after the offset/length pair, and any other status is handed
 * to dissect_smb2_error_response(), which decides through
 * continue_dissection whether parsing goes on.  On the normal path the
 * response buffer is located through an offset/length pair (16-bit offset,
 * 32-bit size) and dissected by dissect_smb2_getinfo_response_data().
 *
 * NOTE(review): the buffer offset and size in olb are packet-controlled;
 * this function passes them on to dissect_smb2_olb_buffer() without a check
 * of its own, so validation has to happen there -- confirm.
 */
4597 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4599 offset_length_buffer_t olb;
4600 gboolean continue_dissection;
4602 /* class/infolevel */
4603 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
4605 switch (si->status) {
4607 /* if we get BUFFER_OVERFLOW there will be truncated data */
4609 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
4610 * a guint32 specifying how big the buffer needs to be
4613 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4616 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4617 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
4618 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4622 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4623 if (!continue_dissection) return offset;
4626 /* response buffer offset and size */
4627 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
4630 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
/*
 * Dissect an SMB2 Close request: buffer code, a 2-byte flags field shown as
 * a subtree with the hf_smb2_close_pq_attrib bit, and the file id, which is
 * processed in FID_MODE_CLOSE.
 */
4636 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4638 proto_tree *flags_tree = NULL;
4639 proto_item *flags_item = NULL;
4642 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4646 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4647 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
4649 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4656 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
/*
 * Dissect an SMB2 Close response.  Status 0 gets the buffer code; any other
 * status goes to dissect_smb2_error_response(), which may end dissection.
 * Then follow the 2-byte close flags, 4 reserved bytes, four 64-bit NT
 * timestamps (create, last access, last write, last change), the 8-byte
 * allocation size, the 8-byte end-of-file position and the file attributes.
 *
 * NOTE(review): pinfo and si carry _U_ (unused) markers in the signature
 * but are both used in the body; the markers are stale.
 */
4662 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4664 proto_tree *flags_tree = NULL;
4665 proto_item *flags_item = NULL;
4666 gboolean continue_dissection;
4668 switch (si->status) {
4670 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4671 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4672 if (!continue_dissection) return offset;
4677 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4678 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
4680 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4684 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
4688 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
4691 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
4694 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
4697 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
4699 /* allocation size */
4700 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4704 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4707 /* File Attributes */
4708 offset = dissect_file_ext_attr(tvb, tree, offset);
/*
 * Dissect an SMB2 Flush request: buffer code, 6 bytes that are not decoded
 * (shown as hf_smb2_unknown) and the file id in FID_MODE_USE.
 */
4714 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4717 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4719 /* some unknown bytes */
4720 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
4724 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/*
 * Dissect an SMB2 Flush response.  Status 0 gets the buffer code; any other
 * status goes to dissect_smb2_error_response(), which may end dissection.
 * The 2 bytes that follow are not decoded.
 *
 * NOTE(review): pinfo and si are marked _U_ but are used below.
 */
4730 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4732 gboolean continue_dissection;
4734 switch (si->status) {
4736 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4737 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4738 if (!continue_dissection) return offset;
4741 /* some unknown bytes */
4742 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 Lock request: buffer code, 16-bit lock count, 4 reserved
 * bytes, the file id, then one 24-byte lock element per count.  Each
 * element gets its own subtree with an 8-byte file offset, an 8-byte
 * length, a flags bitmask (shared, exclusive, unlock, fail immediately) and
 * 4 reserved bytes.
 *
 * lock_count is read from the packet and drives the loop.  It is a 16-bit
 * value, so the loop is bounded, and an element past the end of the data is
 * expected to stop dissection through the tvb bounds checks.
 */
4750 dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4755 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4758 lock_count = tvb_get_letohs(tvb, offset);
4759 proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4763 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
4767 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4769 while (lock_count--) {
4770 proto_item *lock_item = NULL;
4771 proto_tree *lock_tree = NULL;
4772 static const int *lf_fields[] = {
4773 &hf_smb2_lock_flags_shared,
4774 &hf_smb2_lock_flags_exclusive,
4775 &hf_smb2_lock_flags_unlock,
4776 &hf_smb2_lock_flags_fail_immediately,
4781 lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
4782 lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
/* NOTE(review): the file offset is added to `tree`, while the other fields
 * of the element go to `lock_tree`; it therefore shows up outside the lock
 * element's subtree.  Looks unintended -- confirm. */
4786 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4790 proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4794 proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
4798 proto_tree_add_item(lock_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect an SMB2 Lock response.  Status 0 gets the buffer code; any other
 * status goes to dissect_smb2_error_response(), which may end dissection.
 * The 2 bytes that follow are not decoded.
 *
 * NOTE(review): pinfo and si are marked _U_ but are used below.
 */
4806 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4808 gboolean continue_dissection;
4810 switch (si->status) {
4812 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4813 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4814 if (!continue_dissection) return offset;
4817 /* some unknown bytes */
4818 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Dissect an SMB2 Cancel request: the buffer code followed by 2 bytes that
 * are not decoded (shown as hf_smb2_unknown).
 */
4824 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4827 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4829 /* some unknown bytes */
4830 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * Look up the FID info for the current pipe operation: si->file is tried
 * first, then si->saved->file when saved state exists.  The local starts
 * out as NULL, so NULL is presumably what callers get when neither is
 * available.
 *
 * NOTE(review): a caller in this file documents that si itself can be NULL
 * (calls coming from packet-smb.c).  A NULL test on si is not visible ahead
 * of the si->file access -- confirm one exists.
 */
4836 static const smb2_fid_info_t *
4837 smb2_pipe_get_fid_info(const smb2_info_t *si)
4839 smb2_fid_info_t *file = NULL;
4844 if (si->file != NULL) {
4846 } else if (si->saved != NULL) {
4847 file = si->saved->file;
/*
 * Give the DCE/RPC layer a per-file "transport salt" so that pipe traffic
 * on different FIDs is kept apart.  The salt is the numeric value of the
 * FID info pointer for the current operation.
 *
 * NOTE(review): GPOINTER_TO_UINT() keeps only an unsigned-int-sized part of
 * the pointer, so on 64-bit hosts two FID info objects could in principle
 * map to the same salt.  Acceptable for display purposes; worth knowing
 * when chasing mis-associated DCE/RPC fragments.
 */
4857 smb2_pipe_set_file_id(packet_info *pinfo, smb2_info_t *si)
4860 const smb2_fid_info_t *file = NULL;
4862 file = smb2_pipe_get_fid_info(si);
4867 persistent = GPOINTER_TO_UINT(file);
4869 dcerpc_set_transport_salt(persistent, pinfo);
/* When TRUE, dissect_file_data_smb2_pipe() offers desegmentation to the
 * named-pipe subdissectors; fragments are kept in the table declared next. */
4872 static gboolean smb2_pipe_reassembly = TRUE;
4873 static reassembly_table smb2_pipe_reassembly_table;
/*
 * Dissect named-pipe payload carried in SMB2 (for example write requests
 * and FSCTL_PIPE_TRANSCEIVE), reassembling PDUs that span several SMB2
 * messages.
 *
 * raw_tvb/offset/datalen delimit the payload, top_tree receives the
 * subdissector output and data is the smb2_info_t for the message (it may
 * be NULL, see the note below).  The payload is offered to the heuristic
 * dissectors in smb2_pipe_subdissector_list.  When reassembly is enabled
 * and the whole payload was captured, a subdissector may ask for more data
 * through pinfo->desegment_len; fragments are then collected in
 * smb2_pipe_reassembly_table under an id derived from the FID info pointer.
 * On later passes (pinfo->fd->flags.visited set) the stored reassembly is
 * looked up instead of being rebuilt.  The desegmentation fields of pinfo
 * are cleared at the end, the data dissector is called (presumably only
 * when nothing claimed the payload) and pinfo->fragmented is restored.
 *
 * NOTE(review): the total reassembly length is set to
 * pinfo->desegment_len + reported_len, where desegment_len is requested by
 * a subdissector from packet content.  The sum is not checked for
 * wrap-around in the visible code -- confirm the reassembly API copes with
 * implausible totals.
 */
4876 dissect_file_data_smb2_pipe(tvbuff_t *raw_tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree, void *data)
4879 * Note: si is NULL for some callers from packet-smb.c
4881 const smb2_info_t *si = (const smb2_info_t *)data;
4883 gboolean save_fragmented;
4886 const smb2_fid_info_t *file = NULL;
4888 fragment_head *fd_head;
4891 proto_item *frag_tree_item;
4892 heur_dtbl_entry_t *hdtbl_entry;
4894 file = smb2_pipe_get_fid_info(si);
/* The reassembly id is the low 32 bits of the FID info pointer value;
 * distinct files could in principle share an id on 64-bit hosts. */
4895 id = (guint32)(GPOINTER_TO_UINT(file) & G_MAXUINT32);
4897 remaining = tvb_captured_length_remaining(raw_tvb, offset);
/* NOTE(review): datalen is cast to int before MIN().  A packet-supplied
 * value above INT_MAX becomes negative and wins the MIN, so a negative
 * length reaches the subset constructor -- confirm it rejects that. */
4899 tvb = tvb_new_subset_length_caplen(raw_tvb, offset,
4900 MIN((int)datalen, remaining),
4904 * Offer desegmentation service to Named Pipe subdissectors (e.g. DCERPC)
4905 * if we have all the data. Otherwise, reassembly is (probably) impossible.
4907 pinfo->can_desegment = 0;
4908 pinfo->desegment_offset = 0;
4909 pinfo->desegment_len = 0;
4910 reported_len = tvb_reported_length(tvb);
4911 if (smb2_pipe_reassembly && tvb_captured_length(tvb) >= reported_len) {
4912 pinfo->can_desegment = 2;
4915 save_fragmented = pinfo->fragmented;
4918 * if we are not offering desegmentation, just try the heuristics
4921 if (!pinfo->can_desegment) {
4922 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4923 tvb, pinfo, top_tree,
4924 &hdtbl_entry, data);
4925 goto clean_up_and_exit;
4928 /* below this line, we know we are doing reassembly */
4931 * this is a new packet, see if we are already reassembling this
4932 * pdu and if not, check if the dissector wants us
4935 if (!pinfo->fd->flags.visited) {
4937 * This is the first pass.
4939 * Check if we are already reassembling this PDU or not;
4940 * we check for an in-progress reassembly for this FID
4941 * in this direction, by searching for its reassembly
4944 fd_head = fragment_get(&smb2_pipe_reassembly_table,
4948 * No reassembly, so this is a new pdu. check if the
4949 * dissector wants us to reassemble it or if we
4950 * already got the full pdu in this tvb.
4954 * Try the heuristic dissectors and see if we
4955 * find someone that recognizes this payload.
4957 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
4958 tvb, pinfo, top_tree,
4959 &hdtbl_entry, data);
4961 /* no this didn't look like something we know */
4963 goto clean_up_and_exit;
4966 /* did the subdissector want us to reassemble any
4969 if (pinfo->desegment_len) {
4970 fragment_add_check(&smb2_pipe_reassembly_table,
4971 tvb, 0, pinfo, id, NULL,
4972 0, reported_len, TRUE);
4973 fragment_set_tot_len(&smb2_pipe_reassembly_table,
4975 pinfo->desegment_len+reported_len);
4977 goto clean_up_and_exit;
4980 /* OK, we're already doing a reassembly for this FID.
4981 skip to last segment in the existing reassembly structure
4982 and add this fragment there
4984 XXX we might add code here to use any offset values
4985 we might pick up from the Read/Write calls instead of
4986 assuming we always get them in the correct order
4988 while (fd_head->next) {
4989 fd_head = fd_head->next;
4991 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
4992 tvb, 0, pinfo, id, NULL,
4993 fd_head->offset+fd_head->len,
4994 reported_len, TRUE);
4996 /* if we completed reassembly */
4998 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
4999 add_new_data_source(pinfo, new_tvb,
5000 "Named Pipe over SMB2");
5001 pinfo->fragmented=FALSE;
5005 /* list what segments we have */
5006 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
5007 tree, pinfo, tvb, &frag_tree_item);
5009 /* dissect the full PDU */
5010 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5011 tvb, pinfo, top_tree,
5012 &hdtbl_entry, data);
5014 goto clean_up_and_exit;
5018 * This is not the first pass; see if it's in the table of
5019 * reassembled packets.
5021 * XXX - we know that several of the arguments aren't going to
5022 * be used, so we pass bogus variables. Can we clean this
5023 * up so that we don't have to distinguish between the first
5024 * pass and subsequent passes?
5026 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
5027 tvb, 0, pinfo, id, NULL, 0, 0, TRUE);
5029 /* we didn't find it, try any of the heuristic dissectors
5032 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5033 tvb, pinfo, top_tree,
5034 &hdtbl_entry, data);
5035 goto clean_up_and_exit;
5037 if (!(fd_head->flags&FD_DEFRAGMENTED)) {
5038 /* we don't have a fully reassembled frame */
5039 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5040 tvb, pinfo, top_tree,
5041 &hdtbl_entry, data);
5042 goto clean_up_and_exit;
5045 /* it is reassembled but it was reassembled in a different frame */
5046 if (pinfo->num != fd_head->reassembled_in) {
5048 item = proto_tree_add_uint(top_tree, hf_smb2_pipe_reassembled_in,
5049 tvb, 0, 0, fd_head->reassembled_in);
5050 PROTO_ITEM_SET_GENERATED(item);
5051 goto clean_up_and_exit;
5054 /* display the reassembled pdu */
5055 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
5056 add_new_data_source(pinfo, new_tvb,
5057 "Named Pipe over SMB2");
5058 pinfo->fragmented = FALSE;
5062 /* list what segments we have */
5063 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
5064 top_tree, pinfo, tvb, &frag_tree_item);
5066 /* dissect the full PDU */
5067 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
5068 tvb, pinfo, top_tree,
5069 &hdtbl_entry, data);
5072 /* clear out the variables */
5073 pinfo->can_desegment=0;
5074 pinfo->desegment_offset = 0;
5075 pinfo->desegment_len = 0;
5078 call_data_dissector(tvb, pinfo, top_tree);
5081 pinfo->fragmented = save_fragmented;
/* Values of the 32-bit Channel field.  The write request dissector in this
 * file uses them to choose how the channel info blob is decoded; the table
 * maps each value to its display name. */
5087 #define SMB2_CHANNEL_NONE 0x00000000
5088 #define SMB2_CHANNEL_RDMA_V1 0x00000001
5089 #define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002
5091 static const value_string smb2_channel_vals[] = {
5092 { SMB2_CHANNEL_NONE, "None" },
5093 { SMB2_CHANNEL_RDMA_V1, "RDMA V1" },
5094 { SMB2_CHANNEL_RDMA_V1_INVALIDATE, "RDMA V1_INVALIDATE" },
/*
 * Dissect a channel info blob holding SMBDirect Buffer Descriptor V1
 * elements.  The element count is appended to the parent item's text and
 * each element is shown in its own "RDMA V1" subtree as an 8-byte offset, a
 * 4-byte token and a 4-byte length, all little-endian.
 *
 * The count is derived from the reported length of the blob, which is
 * packet-controlled; how it is computed is not visible here.
 */
5099 dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
5100 proto_tree *parent_tree, smb2_info_t *si _U_)
5106 proto_tree *sub_tree;
5107 proto_item *parent_item;
5109 parent_item = proto_tree_get_parent(parent_tree);
5111 len = tvb_reported_length(tvb);
5116 proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
5119 for (i = 0; i < num; i++) {
/* NOTE(review): the subtree is created with length 8, but the three fields
 * below cover 8 + 4 + 4 = 16 bytes, so the highlighted range looks too
 * short -- confirm. */
5120 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 8, ett_smb2_rdma_v1, NULL, "RDMA V1");
5122 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5125 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5128 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Write-through bit of the write request flags (presumably the mask behind
 * hf_smb2_write_flags_write_through -- confirm at the field registration). */
5133 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
/*
 * Dissect an SMB2 Write request: buffer code, 2-byte data offset, 4-byte
 * write length, 8-byte file offset (also remembered in si->saved when saved
 * state exists), file id, 4-byte channel, 4-byte remaining bytes, the
 * channel info offset/length pair and the flags bitmask.  The channel info
 * blob is decoded as RDMA V1 descriptors for the two RDMA channel values
 * and left undecoded otherwise.  The payload is first tried as named-pipe
 * data and, failing that, shown as plain write data.  If an export-object
 * tap is listening and the complete payload was captured, the data is fed
 * to it.
 *
 * NOTE(review): dataoffset, length and off are all taken from the packet.
 * length is used as the item length for hf_smb2_write_data, and dataoffset
 * and length are passed to feed_eo_smb2() with no range check in between.
 * The data_tvb_len == length test only proves that the bytes after the
 * running offset were captured, not that dataoffset points at them --
 * confirm feed_eo_smb2() validates dataoffset before copying file content.
 */
5136 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5138 guint16 dataoffset = 0;
5139 guint32 data_tvb_len;
5140 offset_length_buffer_t c_olb;
5144 static const int *f_fields[] = {
5145 &hf_smb2_write_flags_write_through,
5150 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5153 dataoffset=tvb_get_letohs(tvb,offset);
5154 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5158 length = tvb_get_letohl(tvb, offset);
5159 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5163 off = tvb_get_letoh64(tvb, offset);
5164 if (si->saved) si->saved->file_offset=off;
5165 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5168 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", length, off);
5171 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5174 channel = tvb_get_letohl(tvb, offset);
5175 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5178 /* remaining bytes */
5179 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5182 /* write channel info blob offset/length */
5183 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
5186 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
5189 /* the write channel info blob itself */
5191 case SMB2_CHANNEL_RDMA_V1:
5192 case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
5193 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
5195 case SMB2_CHANNEL_NONE:
5197 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
5201 /* data or namedpipe ?*/
5203 int oldoffset = offset;
5204 smb2_pipe_set_file_id(pinfo, si);
5205 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
5206 if (offset != oldoffset) {
5207 /* managed to dissect pipe data */
5212 /* just ordinary data */
5213 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
5215 data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);
/* Advance by the claimed length, but never past the captured data. */
5217 offset += MIN(length,(guint32)tvb_captured_length_remaining(tvb, offset));
5219 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
/* Export objects only when the whole payload was captured. */
5221 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
5222 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
5223 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
/*
 * Dissect an SMB2 Write response.  Status 0 gets the buffer code; any other
 * status goes to dissect_smb2_error_response(), which may end dissection.
 * Then follow 2 reserved bytes, the 4-byte write count, the 4-byte
 * remaining field and the 2-byte channel info offset and length.
 *
 * NOTE(review): pinfo and si are marked _U_ but are used below.
 */
5232 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5234 gboolean continue_dissection;
5236 switch (si->status) {
5238 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5239 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5240 if (!continue_dissection) return offset;
5244 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5248 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5251 /* remaining, must be set to 0 */
5252 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5255 /* write channel info offset */
5256 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5259 /* write channel info length */
5260 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5266 /* The STORAGE_OFFLOAD_TOKEN is used for "Offload Data Transfer" (ODX) operations,
5267 including FSCTL_OFFLOAD_READ, FSCTL_OFFLOAD_WRITE. Ref: MS-FSCC 2.3.79
5268 Note: Unlike most of SMB2, the token fields are BIG-endian! */
/*
 * Dissect one STORAGE_OFFLOAD_TOKEN under a 512-byte "Token" subtree: a
 * 4-byte big-endian id type (also appended to the subtree text), 2 reserved
 * bytes, a 2-byte big-endian id length and the opaque token id.
 */
5270 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
5272 proto_tree *sub_tree;
5273 proto_item *sub_item;
5277 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 512, ett_smb2_fsctl_odx_token, &sub_item, "Token");
5279 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_type, tvb, offset, 4, ENC_BIG_ENDIAN, &idtype);
5282 proto_item_append_text(sub_item, " (IdType 0x%x)", idtype);
5285 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5289 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_idlen, tvb, offset, 2, ENC_BIG_ENDIAN, &idlen);
5292 /* idlen is what the server says is the "meaningful" part of the token.
5293 However, token ID is always 504 bytes */
/* NOTE(review): idlen comes from the packet and is used as the item length
 * without being capped at the 504-byte id area, so a larger value makes the
 * item extend past the token.  The tvb bounds checks are expected to stop
 * an out-of-range read; capping idlen at 504 would keep the display
 * consistent with the fixed token size. */
5294 proto_tree_add_bytes_format_value(sub_tree, hf_smb2_fsctl_odx_token_idraw, tvb,
5295 offset, idlen, NULL, "Opaque Data");
5301 /* MS-FSCC 2.3.77, 2.3.78 */
/*
 * Dissect the FSCTL_OFFLOAD_READ data.  The visible fields are 4-byte size,
 * 4-byte flags, 4-byte token time-to-live, 4 reserved bytes, 8-byte file
 * offset, 8-byte copy length, 8-byte transfer length and the storage
 * offload token.  Which fields belong to the request and which to the
 * response is decided by code not shown here.
 */
5303 dissect_smb2_FSCTL_OFFLOAD_READ(tvbuff_t *tvb,
5304 packet_info *pinfo _U_,
5309 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5312 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5316 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5319 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5322 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5325 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5328 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The token dissector's return value is deliberately discarded. */
5331 (void) dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
5335 /* MS-FSCC 2.3.80, 2.3.81 */
/*
 * Dissect the FSCTL_OFFLOAD_WRITE data.  The visible fields are 4-byte
 * size, 4-byte flags, 8-byte file offset, 8-byte copy length, 8-byte token
 * offset, the storage offload token and an 8-byte transfer length.  Which
 * fields belong to the request and which to the response is decided by code
 * not shown here.
 */
5337 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvbuff_t *tvb,
5338 packet_info *pinfo _U_,
5343 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5346 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5350 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5353 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5356 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5359 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
5362 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * FSCTL_PIPE_TRANSCEIVE: hand everything captured from offset onwards to
 * the named-pipe dissector, in both directions (data_in is unused).
 */
5368 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, gboolean data_in _U_, void *data)
5370 dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, tvb_captured_length_remaining(tvb, offset), top_tree, data);
/*
 * Dissect FSCTL_PIPE_WAIT data.  The code reads a 16-bit name length at
 * offset+8, a 1-byte "timeout specified" flag at offset+12 and the pipe
 * name starting at offset+14.  The name is appended to the Info column and
 * added to top_tree; the 8-byte timeout is added only when the flag is set.
 *
 * name_len is packet-controlled; tvb_ensure_bytes_exist() verifies that the
 * claimed name bytes are present before the string is extracted.
 */
5374 dissect_smb2_FSCTL_PIPE_WAIT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, proto_tree *top_tree, gboolean data_in _U_)
5376 guint8 timeout_specified = tvb_get_guint8(tvb, offset + 12);
5377 guint32 name_len = tvb_get_letohs(tvb, offset + 8);
5379 int off = offset + 14;
/* The remaining length is narrowed to 16 bits here. */
5380 guint16 bc = tvb_captured_length_remaining(tvb, off);
5384 tvb_ensure_bytes_exist(tvb, off, name_len);
5386 name = get_unicode_or_ascii_string(tvb, &off, TRUE, &len, TRUE, TRUE, &bc);
5391 col_append_fstr(pinfo->cinfo, COL_INFO, " Pipe: %s", name);
5394 proto_tree_add_string(top_tree, hf_smb2_fsctl_pipe_wait_name, tvb, offset + 14, name_len, name);
5395 if (timeout_specified) {
/* NOTE(review): the timeout is read at tvb offset 0, while every other
 * field is taken relative to `offset`.  The two only coincide when offset
 * is 0 -- confirm that callers always pass 0, or use offset here. */
5396 proto_tree_add_item(top_tree, hf_smb2_fsctl_pipe_wait_timeout, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SET_SPARSE data.  Per the comment below there is no output
 * data; the input holds an optional 1-byte sparse flag, which is added only
 * when at least one byte remains.
 */
5402 dissect_smb2_FSCTL_SET_SPARSE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5405 /* There is no out data */
5410 /* sparse flag (optional) */
5411 if (tvb_reported_length_remaining(tvb, offset) >= 1) {
5412 proto_tree_add_item(tree, hf_smb2_fsctl_sparse_flag, tvb, offset, 1, ENC_NA);
/*
 * Dissect FSCTL_SET_ZERO_DATA data.  Per the comment below there is no
 * output data; the input is one 16-byte "Range" made of an 8-byte offset
 * and an 8-byte length, both little-endian.
 */
5420 dissect_smb2_FSCTL_SET_ZERO_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5422 proto_tree *sub_tree;
5423 proto_item *sub_item;
5425 /* There is no out data */
5430 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5432 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5435 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_ALLOCATED_RANGES data.  One visible path shows a
 * single 16-byte "Range" (8-byte offset, 8-byte length); the other shows
 * one such range for every full 16 bytes that remain, so a trailing partial
 * entry is ignored.  The data_in test that presumably separates the two
 * paths is not shown here.
 *
 * NOTE(review): tvb, tree and offset are marked _U_ but are used below.
 */
5442 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
5444 proto_tree *sub_tree;
5445 proto_item *sub_item;
5448 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5450 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5453 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5456 /* Zero or more allocated ranges may be reported. */
5457 while (tvb_reported_length_remaining(tvb, offset) >= 16) {
5459 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
5461 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5464 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_FILE_REGIONS data.  One visible path shows an 8-byte
 * file offset, 8-byte length, 4-byte usage and 4 reserved bytes.  The other
 * shows 4-byte flags, the total region entry count, the region entry count
 * and 4 reserved bytes, followed by one 24-byte "Entry" subtree per region
 * (file offset, length, usage, reserved).
 *
 * entry_count is read from the packet.  The loop also stops once no
 * reported bytes remain, so the count alone cannot keep it running; the
 * per-iteration updates of entry_count and offset are not shown here --
 * confirm both advance on every pass.
 *
 * NOTE(review): tvb, tree and offset are marked _U_ but are used below.
 */
5472 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in)
5476 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5479 proto_tree_add_item(tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5482 proto_tree_add_item(tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5485 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5488 guint32 entry_count = 0;
5490 proto_tree_add_item(tree, hf_smb2_qfr_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5493 proto_tree_add_item(tree, hf_smb2_qfr_total_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5496 proto_tree_add_item_ret_uint(tree, hf_smb2_qfr_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &entry_count);
5499 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5502 while (entry_count && tvb_reported_length_remaining(tvb, offset)) {
5503 proto_tree *sub_tree;
5504 proto_item *sub_item;
5506 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_qfr_entry, &sub_item, "Entry");
5508 proto_tree_add_item(sub_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5511 proto_tree_add_item(sub_tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5514 proto_tree_add_item(sub_tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5517 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect the FSCTL_LMR_REQUEST_RESILIENCY input buffer: a 32-bit
 * little-endian timeout followed by a 32-bit reserved field.
 * The data_in guard and the offset advance between the two fields are on
 * lines this listing does not show.
 */
5526 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5528 /* There is no out data */
5534 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5538 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT data: two 32-bit
 * little-endian fields (shared-virtual-disk support, handle state).
 *
 * NOTE(review): every parameter is marked _U_, yet tvb, tree and offset are
 * used. Whether data_in is consulted cannot be seen here; the dispatcher in
 * this file passes its length variable dc in that position, so confirm the
 * intended direction check.
 */
5542 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, gboolean data_in _U_)
5544 /* There is no out data */
5549 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_support, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5552 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_handle_state, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect an IPv4 Windows socket address (family, port, address) into a
 * "Socket Address" subtree spanning len bytes, and append the dotted address
 * to both the subtree item and the parent item.
 *
 * NOTE(review): the port and address are added with ENC_LITTLE_ENDIAN.
 * Socket address ports are conventionally in network byte order, so the
 * displayed port may be byte-swapped -- confirm against a capture.
 * The text appended to the items uses tvb_ip_to_str(), which reads the
 * raw four bytes and is not affected by the encoding flag.
 */
5556 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
5558 proto_item *sub_item;
5559 proto_tree *sub_tree;
5560 proto_item *parent_item;
5566 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
5567 parent_item = proto_tree_get_parent(parent_tree);
5570 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5574 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5578 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5580 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
5581 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
/*
 * Dissect an IPv6 Windows socket address (family, port, flow info, address,
 * scope id) into a "Socket Address" subtree spanning len bytes, and append
 * the textual address to both the subtree item and the parent item.
 *
 * NOTE(review): flow info and scope id are added as 2-byte fields. In the
 * Windows SOCKADDR_IN6 layout both are 32-bit, so these widths look short
 * and would shift the address and scope id -- confirm against the structure
 * definition. The port is added little-endian although ports are
 * conventionally in network byte order.
 */
5585 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
5587 proto_item *sub_item;
5588 proto_tree *sub_tree;
5589 proto_item *parent_item;
5595 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
5596 parent_item = proto_tree_get_parent(parent_tree);
5599 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5603 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5607 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5611 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, ENC_NA);
5612 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
5613 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
5617 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect a Windows SOCKADDR_STORAGE blob. The 16-bit little-endian address
 * family read from the packet selects the IPv4 or IPv6 dissector; any other
 * family gets a generic "Socket Address" subtree that shows the family field
 * and appends its value to the subtree and parent items.
 * The declarations of family and len, and the value given to len, are on
 * lines this listing omits.
 */
5621 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5624 proto_item *sub_item;
5625 proto_tree *sub_tree;
5626 proto_item *parent_item;
/* The family is attacker-controlled input; unknown values take the generic
 * path below and are not interpreted further. */
5629 family = tvb_get_letohs(tvb, offset);
5631 case WINSOCK_AF_INET:
5632 dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
5634 case WINSOCK_AF_INET6:
5635 dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
5639 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
5640 parent_item = proto_tree_get_parent(parent_tree);
5643 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5644 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
5645 proto_item_append_text(parent_item, ", Family: %d (0x%04x)", family, family);
5652 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
5653 #define NETWORK_INTERFACE_CAP_RDMA 0x00000002
/*
 * Dissect one NETWORK_INTERFACE_INFO record (next offset, interface index,
 * capabilities bitmask, RSS queue count, link speed, socket address) and
 * then recurse on the record that starts next_offset bytes into this tvb.
 * RDMA/RSS capability names and a scaled link speed are appended to the
 * item texts.
 *
 * NOTE(review): next_offset is read from the packet and drives the
 * recursion. Any guard that stops at next_offset == 0 is on a line this
 * listing omits. Even with that guard, a small non-zero next_offset makes
 * successive records overlap and gives one recursion level per few bytes of
 * buffer. Consider iterating instead of recursing and requiring next_offset
 * to be at least the fixed record size.
 */
5656 dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
5658 guint32 next_offset;
5661 proto_item *sub_item;
5662 proto_tree *sub_tree;
5664 guint32 capabilities;
5667 const char *unit = NULL;
5668 static const int * capability_flags[] = {
5669 &hf_smb2_ioctl_network_interface_capability_rdma,
5670 &hf_smb2_ioctl_network_interface_capability_rss,
5674 next_offset = tvb_get_letohl(tvb, offset);
5679 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_ioctl_network_interface, &sub_item, "Network Interface");
5680 item = proto_tree_get_parent(parent_tree);
5683 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5686 /* interface index */
5687 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5691 capabilities = tvb_get_letohl(tvb, offset);
5692 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_ioctl_network_interface_capabilities, ett_smb2_ioctl_network_interface_capabilities, capability_flags, ENC_LITTLE_ENDIAN);
/* The suffixes are fixed literals chosen by the capability bits; no packet
 * bytes reach the format string. */
5694 if (capabilities != 0) {
5695 proto_item_append_text(item, "%s%s",
5696 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
5697 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
5698 proto_item_append_text(sub_item, "%s%s",
5699 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
5700 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
5704 /* rss queue count */
5705 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_rss_queue_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5709 link_speed = tvb_get_letoh64(tvb, offset);
5710 item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): each division is done in integer arithmetic before the cast
 * to gfloat, so the "%.1f" below can only ever print ".0". The assignments
 * to unit (initialised to NULL above) are on lines this listing omits;
 * confirm every branch sets it before the "%s" uses. */
5711 if (link_speed >= (1000*1000*1000)) {
5712 val = (gfloat)(link_speed / (1000*1000*1000));
5714 } else if (link_speed >= (1000*1000)) {
5715 val = (gfloat)(link_speed / (1000*1000));
5717 } else if (link_speed >= (1000)) {
5718 val = (gfloat)(link_speed / (1000));
5721 val = (gfloat)(link_speed);
5724 proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
5725 proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);
5729 /* socket address */
5730 dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset);
/* tvb_new_subset_remaining() bounds-checks next_offset against this tvb, so
 * an offset past the end aborts dissection instead of reading outside the
 * buffer. */
5734 next_tvb = tvb_new_subset_remaining(tvb, next_offset);
5736 /* next extra info */
5737 dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
/*
 * Dissect FSCTL_QUERY_NETWORK_INTERFACE_INFO data by handing the whole tvb
 * to dissect_smb2_NETWORK_INTERFACE_INFO(). The data_in test implied by
 * "There is no in data" is on a line this listing omits.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
5742 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
5744 /* There is no in data */
5749 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
/*
 * Dissect the early (dialect 2.24) form of FSCTL_VALIDATE_NEGOTIATE_INFO.
 * Two groups of fields are visible, one with the client GUID and one with
 * the server GUID; each is capabilities, GUID, security mode and a single
 * dialect. The branch on data_in is on a line this listing omits.
 *
 * Both directions echo values from the earlier negotiate exchange, so an
 * analyst can compare them with the NEGOTIATE request and response.
 * NOTE(review): offset is marked _U_ but is used and reassigned.
 */
5753 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
5756 * This is only used by Windows 8 beta
5760 offset = dissect_smb2_capabilities(tree, tvb, offset);
5763 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5766 /* security mode, skip second byte */
5767 offset = dissect_smb2_secmode(tree, tvb, offset);
5771 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5775 offset = dissect_smb2_capabilities(tree, tvb, offset);
5778 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5781 /* security mode, skip second byte */
5782 offset = dissect_smb2_secmode(tree, tvb, offset);
5786 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_VALIDATE_NEGOTIATE_INFO. The first group of fields
 * (capabilities, client GUID, security mode, dialect count, dialect list)
 * and the second group (capabilities, server GUID, security mode, one
 * dialect) are presumably the request and the response; the branch on
 * data_in is on a line this listing omits.
 *
 * This FSCTL re-states the negotiate parameters after authentication, so
 * the dissected values are what an analyst compares with the NEGOTIATE
 * exchange when looking for a dialect or capability downgrade.
 * NOTE(review): offset is marked _U_ but is used and reassigned.
 */
5792 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
5798 offset = dissect_smb2_capabilities(tree, tvb, offset);
5801 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5804 /* security mode, skip second byte */
5805 offset = dissect_smb2_secmode(tree, tvb, offset);
/* dc is the 16-bit dialect count taken from the packet. The loop trusts it;
 * a count larger than the buffer holds presumably ends in a tvb bounds
 * exception, provided offset advances on the line not shown here. */
5809 dc = tvb_get_letohs(tvb, offset);
5810 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5813 for ( ; dc>0; dc--) {
5814 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5819 offset = dissect_smb2_capabilities(tree, tvb, offset);
5822 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5825 /* security mode, skip second byte */
5826 offset = dissect_smb2_secmode(tree, tvb, offset);
5830 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SRV_ENUMERATE_SNAPSHOTS output: three 32-bit little-endian
 * counters (number of volumes, number of labels, count) followed by one
 * string per volume, each added as a shadow-copy label.
 */
5836 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5838 guint32 num_volumes;
5840 /* There is no in data */
5846 num_volumes = tvb_get_letohl(tvb, offset);
5847 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_volumes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5851 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_labels, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5855 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* NOTE(review): num_volumes is a 32-bit count from the packet and is the
 * only loop condition visible here. Confirm that the loop also stops when a
 * string of length zero is returned (that line is not in this listing);
 * without it a large count would keep iterating on an exhausted buffer. */
5858 while (num_volumes--) {
5862 int old_offset = offset;
/* bc is the byte budget handed to the string helper: what is left of the
 * captured data from offset on. */
5864 bc = tvb_captured_length_remaining(tvb, offset);
5865 name = get_unicode_or_ascii_string(tvb, &offset,
5866 TRUE, &len, TRUE, FALSE, &bc);
5867 proto_tree_add_string(tree, hf_smb2_ioctl_shadow_copy_label, tvb, old_offset, len, name);
/* The helper may have moved offset; it is recomputed from the returned
 * length so the next label starts right after this one. */
5869 offset = old_offset+len;
/*
 * Dissect a 64-byte FILE_OBJECTID_BUFFER as a subtree of four 16-byte
 * fields: object id, birth volume id, birth object id and domain id.
 * Callers in this file assign the result to offset, so it presumably returns
 * the offset after the buffer; the return statement and the per-field
 * offset advances are on lines this listing omits.
 */
5878 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
5880 proto_item *item = NULL;
5881 proto_tree *tree = NULL;
5883 /* FILE_OBJECTID_BUFFER */
5885 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
5886 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
5890 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5893 /* Birth Volume ID */
5894 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5897 /* Birth Object ID */
5898 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5902 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_CREATE_OR_GET_OBJECT_ID output (the dispatcher in this file
 * also routes FSCTL_GET_OBJECT_ID here): one FILE_OBJECTID_BUFFER.
 * The data_in test implied by "There is no in data" is on a line this
 * listing omits.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
5909 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5912 /* There is no in data */
5917 /* FILE_OBJECTID_BUFFER */
5918 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * Dissect FSCTL_GET_COMPRESSION output: a 16-bit little-endian compression
 * format. The data_in test implied by "There is no in data" is on a line
 * this listing omits.
 */
5924 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5927 /* There is no in data */
5932 /* compression format */
5933 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SET_COMPRESSION input: a 16-bit little-endian compression
 * format. The data_in test implied by "There is no out data" is on a line
 * this listing omits.
 */
5940 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5943 /* There is no out data */
5948 /* compression format */
5949 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SET_INTEGRITY_INFORMATION input: a 16-bit checksum
 * algorithm, a 16-bit reserved field and a flags bitmask whose visible bit
 * is "enforcement off". All fields are little-endian.
 * The terminator of integrity_flags[], the data_in guard and the offset
 * advances are on lines this listing omits.
 */
5956 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5958 const int *integrity_flags[] = {
5959 &hf_smb2_integrity_flags_enforcement_off,
5963 /* There is no out data */
5968 proto_tree_add_item(tree, hf_smb2_checksum_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5971 proto_tree_add_item(tree, hf_smb2_integrity_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5974 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_integrity_flags, ett_smb2_integrity_flags, integrity_flags, ENC_LITTLE_ENDIAN);
/*
 * Dissect FSCTL_SET_OBJECT_ID input: one FILE_OBJECTID_BUFFER.
 * The data_in test implied by "There is no out data" is on a line this
 * listing omits.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
5981 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5984 /* There is no out data */
5989 /* FILE_OBJECTID_BUFFER */
5990 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/*
 * Dissect FSCTL_SET_OBJECT_ID_EXTENDED input: the extended-info part of a
 * FILE_OBJECTID_BUFFER, shown as three 16-byte fields (birth volume id,
 * birth object id, domain id) added directly to tree.
 * The data_in guard and the offset advances are on lines this listing omits.
 */
5996 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
5999 /* There is no out data */
6004 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
6006 /* Birth Volume ID */
6007 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6010 /* Birth Object ID */
6011 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
6015 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/*
 * Add the 24-byte copy-chunk resume key as an opaque bytes field displayed
 * as "Opaque Data". The key is not interpreted.
 * Callers in this file assign the result to offset, so it presumably returns
 * offset + 24; the return statement is on a line this listing omits.
 */
6022 dissect_smb2_cchunk_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
6025 proto_tree_add_bytes_format_value(tree, hf_smb2_cchunk_resume_key, tvb,
6026 offset, 24, NULL, "Opaque Data");
/*
 * Dissect FSCTL_SRV_REQUEST_RESUME_KEY output: the 24-byte resume key
 * followed by a 4-byte reserved field.
 * The data_in test implied by "There is no in data" is on a line this
 * listing omits.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
6033 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6036 /* There is no in data */
6041 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
6043 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect FSCTL_SRV_COPYCHUNK / FSCTL_SRV_COPYCHUNK_WRITE data.
 * Output: three 32-bit counters (chunks written, chunk bytes written, total
 * bytes written). Input: resume key, chunk count, reserved, then one 24-byte
 * "Chunk" entry per descriptor (source offset, destination offset, transfer
 * length, reserved).
 * The branch on data_in and the return after the output part are on lines
 * this listing omits.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
6047 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
6049 proto_tree *sub_tree;
6050 proto_item *sub_item;
6051 guint32 chunk_count = 0;
6053 /* Output is simpler - handle that first. */
6055 proto_tree_add_item(tree, hf_smb2_cchunk_chunks_written, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6056 proto_tree_add_item(tree, hf_smb2_cchunk_bytes_written, tvb, offset+4, 4, ENC_LITTLE_ENDIAN);
6057 proto_tree_add_item(tree, hf_smb2_cchunk_total_written, tvb, offset+8, 4, ENC_LITTLE_ENDIAN);
6061 /* Input data, fixed part */
6062 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
/* chunk_count comes from the packet and is untrusted. */
6063 proto_tree_add_item_ret_uint(tree, hf_smb2_cchunk_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &chunk_count);
6066 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6069 /* Zero or more chunk descriptors follow. */
/* The loop needs both a non-zero count and a whole 24-byte entry left in
 * the reported length, so an inflated count cannot read past the buffer.
 * The count decrement and offset advances are not visible in this listing. */
6070 while (chunk_count && tvb_reported_length_remaining(tvb, offset) >= 24) {
6071 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_smb2_cchunk_entry, &sub_item, "Chunk");
6073 proto_tree_add_item(sub_tree, hf_smb2_cchunk_src_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6076 proto_tree_add_item(sub_tree, hf_smb2_cchunk_dst_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6079 proto_tree_add_item(sub_tree, hf_smb2_cchunk_xfer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6082 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
/*
 * Dissect a reparse data buffer using the symbolic-link layout: reparse tag,
 * data length, reserved, substitute-name offset/length, print-name
 * offset/length, flags, then the two Unicode names.
 *
 * NOTE(review): no branch on the reparse tag is visible, so buffers with
 * other tags would be shown with symlink field names. Confirm whether the
 * omitted lines check the tag.
 * The substitute and print names are what an analyst inspects to see where a
 * link points, for example when reviewing symlink-redirection activity.
 */
6090 dissect_smb2_FSCTL_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
6092 proto_item *item = NULL;
6093 proto_tree *tree = NULL;
6095 offset_length_buffer_t s_olb, p_olb;
6097 /* SYMBOLIC_LINK_REPARSE_DATA_BUFFER */
/* Length -1 makes the container item run to the end of the tvb. */
6099 item = proto_tree_add_item(parent_tree, hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER, tvb, offset, -1, ENC_NA);
6100 tree = proto_item_add_subtree(item, ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER);
6104 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6107 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6111 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6114 /* substitute name offset/length */
/* Both offset/length pairs are 16-bit values from the packet; they are only
 * recorded here and resolved by dissect_smb2_olb_off_string() below, which
 * receives the current offset as its base. */
6115 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
6117 /* print name offset/length */
6118 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
6121 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6124 /* substitute name string */
6125 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
6127 /* print name string */
6128 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
/*
 * Dissect FSCTL_SET_REPARSE_POINT data with the shared reparse-point
 * dissector. Any direction check on data_in is on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
6132 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, gboolean data_in)
6138 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
/*
 * Dissect FSCTL_GET_REPARSE_POINT data with the shared reparse-point
 * dissector. Any direction check on data_in is on lines this listing omits.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
6142 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, gboolean data_in)
6148 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
/*
 * Dispatch an IOCTL/FSCTL data blob to its dissector by control code.
 * tvb holds only the blob, so every handler is called with offset 0.
 * data_in is TRUE for the input buffer and FALSE for the output buffer, as
 * set by the two wrappers dissect_smb2_ioctl_data_in/_out in this file.
 * Codes without a handler are added whole as hf_smb2_unknown.
 *
 * ioctl_function comes from the packet; it only selects a branch of this
 * switch. The break statements and the data_in tests around some calls are
 * on lines this listing omits.
 * NOTE(review): private_data is marked _U_ but is passed to the
 * PIPE_TRANSCEIVE handler.
 */
6152 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in, void *private_data _U_)
6156 dc = tvb_reported_length(tvb);
6158 switch (ioctl_function) {
6159 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
6161 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc, TRUE);
6163 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc, TRUE);
6166 case 0x000940CF: /* FSCTL_QUERY_ALLOCATED_RANGES */
6167 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvb, pinfo, tree, 0, data_in);
6169 case 0x00094264: /* FSCTL_OFFLOAD_READ */
6170 dissect_smb2_FSCTL_OFFLOAD_READ(tvb, pinfo, tree, 0, data_in);
6172 case 0x00098268: /* FSCTL_OFFLOAD_WRITE */
6173 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvb, pinfo, tree, 0, data_in);
6175 case 0x0011c017: /* FSCTL_PIPE_TRANSCEIVE */
6176 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in, private_data);
6178 case 0x00110018: /* FSCTL_PIPE_WAIT */
6179 dissect_smb2_FSCTL_PIPE_WAIT(tvb, pinfo, tree, 0, top_tree, data_in);
6181 case 0x00140078: /* FSCTL_SRV_REQUEST_RESUME_KEY */
6182 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvb, pinfo, tree, 0, data_in);
6184 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
6185 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
6187 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
6188 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
6190 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
6191 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
6193 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
6194 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
6196 case 0x00144064: /* FSCTL_SRV_ENUMERATE_SNAPSHOTS */
6197 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvb, pinfo, tree, 0, data_in);
6199 case 0x001440F2: /* FSCTL_SRV_COPYCHUNK */
6200 case 0x001480F2: /* FSCTL_SRV_COPYCHUNK_WRITE */
6201 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvb, pinfo, tree, 0, data_in);
6203 case 0x000900A4: /* FSCTL_SET_REPARSE_POINT */
6204 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
6206 case 0x000900A8: /* FSCTL_GET_REPARSE_POINT */
6207 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
6209 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
6210 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
6211 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
6213 case 0x000900c4: /* FSCTL_SET_SPARSE */
6214 dissect_smb2_FSCTL_SET_SPARSE(tvb, pinfo, tree, 0, data_in);
6216 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
6217 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
6219 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
6220 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
6222 case 0x000980C8: /* FSCTL_SET_ZERO_DATA */
6223 dissect_smb2_FSCTL_SET_ZERO_DATA(tvb, pinfo, tree, 0, data_in);
6225 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
6226 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
6228 case 0x00090300: /* FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT */
/* NOTE(review): dc (the blob's reported length) is passed where the handler
 * declares a gboolean data_in; every other case passes data_in. Confirm
 * which was intended. */
6230 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvb, pinfo, tree, 0, dc);
6232 case 0x00090304: /* FSCTL_SVHDX_SYNC_TUNNEL or response */
6233 case 0x00090364: /* FSCTL_SVHDX_ASYNC_TUNNEL or response */
/* Handed to a separate dissector through rsvd_handle, with a pointer to
 * data_in as its private data and top_tree as the tree. */
6234 call_dissector_with_data(rsvd_handle, tvb, pinfo, top_tree, &data_in);
6236 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
6237 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
6239 case 0x00090284: /* FSCTL_QUERY_FILE_REGIONS */
6240 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvb, pinfo, tree, 0, data_in);
6242 case 0x0009C280: /* FSCTL_SET_INTEGRITY_INFORMATION request or response */
6243 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvb, pinfo, tree, 0, data_in);
/* Fallback for unhandled codes: show the captured bytes undecoded. */
6246 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
/*
 * Buffer callback for the IOCTL input blob: record the pipe file id for
 * this packet, then dispatch on si->ioctl_function with data_in = TRUE.
 */
6251 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6253 smb2_pipe_set_file_id(pinfo, si);
6254 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, TRUE, si);
/*
 * Buffer callback for the IOCTL output blob: record the pipe file id for
 * this packet, then dispatch on si->ioctl_function with data_in = FALSE.
 */
6258 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6260 smb2_pipe_set_file_id(pinfo, si);
6261 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, FALSE, si);
/*
 * Dissect an SMB2 IOCTL request: buffer code, reserved, control code, file
 * id, input offset/length, max input size, output offset/length, max output
 * size, flags (with the is-FSCTL bit) and reserved, followed by the input
 * and output blobs.
 *
 * The control code is stored in si->ioctl_function and later selects the
 * blob dissector. The two blobs are dissected in ascending order of their
 * offsets so that a truncated packet is decoded as far as possible. Both
 * offset/length pairs come from the packet; they are resolved by
 * dissect_smb2_olb_buffer(), whose bounds handling is not visible here.
 * The closing line of the block comment near the end is missing from this
 * listing.
 */
6265 dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6267 offset_length_buffer_t o_olb;
6268 offset_length_buffer_t i_olb;
6269 proto_tree *flags_tree = NULL;
6270 proto_item *flags_item = NULL;
6273 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6276 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6279 /* ioctl function */
6280 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
6283 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
6285 /* in buffer offset/length */
6286 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
6288 /* max ioctl in size */
6289 proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6292 /* out buffer offset/length */
6293 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
6295 /* max ioctl out size */
6296 proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6301 flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6302 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
6304 proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6308 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6311 /* try to decode these blobs in the order they were encoded
6312 * so that for "short" packets we will dissect as much as possible
6313 * before aborting with "short packet"
6315 if (i_olb.off>o_olb.off) {
6317 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6319 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6322 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6324 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6327 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
6328 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
/*
 * Dissect an SMB2 IOCTL response. Status 0 dissects the buffer code, status
 * 0x80000005 (STATUS_BUFFER_OVERFLOW) continues with the normal layout, and
 * any other status goes through the error-response dissector, returning
 * early when it clears continue_dissection.
 * The normal layout is: two unknown bytes, control code, file id, input and
 * output offset/length pairs, two reserved 32-bit fields, then the blobs.
 *
 * The blobs are dissected in ascending order of their offsets so that a
 * truncated packet is decoded as far as possible. The offset/length pairs
 * come from the packet and are resolved by dissect_smb2_olb_buffer(), whose
 * bounds handling is not visible here. The closing line of the block comment
 * near the end is missing from this listing.
 */
6334 dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6336 offset_length_buffer_t o_olb;
6337 offset_length_buffer_t i_olb;
6338 gboolean continue_dissection;
6340 switch (si->status) {
6342 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6343 case 0x80000005: break;
6344 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6345 if (!continue_dissection) return offset;
6348 /* some unknown bytes */
6349 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
6352 /* ioctl function */
6353 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
6356 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
6358 /* in buffer offset/length */
6359 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
6361 /* out buffer offset/length */
6362 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
6365 /* flags: reserved: must be zero */
6366 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6370 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6373 /* try to decode these blobs in the order they were encoded
6374 * so that for "short" packets we will dissect as much as possible
6375 * before aborting with "short packet"
6377 if (i_olb.off>o_olb.off) {
6379 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6381 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6384 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
6386 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
6389 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
6390 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
/*
 * Dissect an SMB2 READ request: buffer code, padding/reserved, read length,
 * file offset, file id, minimum count, channel, remaining bytes and the
 * channel-info blob. The length and offset are appended to the Info column
 * and stored in si->saved for the matching response.
 */
6397 dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6399 offset_length_buffer_t c_olb;
6405 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6407 /* padding and reserved */
6408 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6412 len = tvb_get_letohl(tvb, offset);
6413 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6417 off = tvb_get_letoh64(tvb, offset);
6418 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): len holds an unsigned 32-bit wire value but is printed with
 * "%d"; if it is declared unsigned (the declaration is not in this listing)
 * lengths above INT_MAX would show as negative. */
6421 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", len, off);
6424 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
6427 proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The channel value from the packet selects how the blob below is decoded. */
6431 channel = tvb_get_letohl(tvb, offset);
6432 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6435 /* remaining bytes */
6436 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6439 /* read channel info blob offset/length */
6440 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
6442 /* the read channel info blob itself */
6444 case SMB2_CHANNEL_RDMA_V1:
6445 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
6447 case SMB2_CHANNEL_NONE:
/* A NULL callback leaves the blob without a sub-dissector. */
6449 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
6453 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
6455 /* Store len and offset */
/* NOTE(review): si->saved is dereferenced here; the NULL test that
 * presumably guards these stores is on a line this listing omits. */
6457 si->saved->file_offset=off;
6458 si->saved->bytes_moved=len;
/*
 * Dissect an SMB2 READ response: buffer code (or the error response for a
 * non-zero status), data offset, read length, remaining, reserved, then the
 * payload. The payload is first offered to the named-pipe dissector; if that
 * consumes nothing it is added as raw read data and, when complete, fed to
 * the export-objects tap.
 *
 * NOTE(review): si is marked _U_ but is used throughout.
 */
6466 dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
6468 guint16 dataoffset = 0;
6469 guint32 data_tvb_len;
6471 gboolean continue_dissection;
6473 switch (si->status) {
6475 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6476 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6477 if (!continue_dissection) return offset;
/* NOTE(review): a 32-bit read is stored in the 16-bit dataoffset, while the
 * field below is added as 2 bytes. The truncation keeps the right value on
 * the wire's little-endian layout, but the read needs 4 bytes to be present;
 * tvb_get_letohs() would match the field width. */
6481 dataoffset=tvb_get_letohl(tvb,offset);
6482 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6485 /* length might even be 64bits if they are ambitious*/
6486 length = tvb_get_letohl(tvb, offset);
6487 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6491 proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6495 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6498 /* data or namedpipe ?*/
6500 int oldoffset = offset;
6501 smb2_pipe_set_file_id(pinfo, si);
6502 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
6503 if (offset != oldoffset) {
6504 /* managed to dissect pipe data */
/* length is the value claimed by the packet. If it exceeds the data
 * present, adding the item presumably raises a tvb bounds exception. */
6510 proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);
6512 data_tvb_len=(guint32)tvb_captured_length_remaining(tvb, offset);
/* Advance by what was actually captured, never past the end of the tvb. */
6514 offset += MIN(length,data_tvb_len);
/* Export objects only when the captured payload is exactly the claimed
 * length, so partially captured reads are never written into an exported
 * file. */
6516 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
6517 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
6518 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,si->saved->file_offset);
/*
 * Flag a create-context buffer that should not appear in this direction.
 * Adds an ei_smb2_bad_response expert item covering the whole tvb (offset 0,
 * length -1), so it is visible in the Expert Information view.
 * buffer_desc is inserted through a fixed "%s" format, never used as the
 * format string itself.
 */
6526 report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *buffer_desc)
6528 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_bad_response, tvb, 0, -1,
6529 "%s SHOULD NOT be generated", buffer_desc);
/*
 * ExtA create context, request side: label the parent item and dissect the
 * buffer from offset 0 as SMB2_FILE_FULL_EA_INFO (extended attributes).
 */
6532 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6534 proto_item *item = NULL;
6536 item = proto_tree_get_parent(tree);
6537 proto_item_append_text(item, ": SMB2_FILE_FULL_EA_INFO");
6539 dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
/*
 * ExtA create context, response side: a server is not expected to send
 * one, so the buffer is flagged with an expert item instead of dissected.
 */
6543 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
6545 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
/*
 * SecD create context, request side: label the parent item and dissect the
 * buffer from offset 0 with the SMB2_SEC_INFO_00 dissector.
 */
6549 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6551 proto_item *item = NULL;
6553 item = proto_tree_get_parent(tree);
6554 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
6556 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
/*
 * SecD create context, response side: not expected from a server, so the
 * buffer is flagged with an expert item instead of dissected.
 */
6560 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
6562 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
/*
 * TWrp create context, request side: label the parent item and dissect the
 * buffer from offset 0 as a 64-bit NT timestamp.
 */
6566 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6568 proto_item *item = NULL;
6570 item = proto_tree_get_parent(tree);
6571 proto_item_append_text(item, ": Timestamp");
6573 dissect_nt_64bit_time(tvb, tree, 0, hf_smb2_twrp_timestamp);
/*
 * TWrp create context, response side: not expected from a server, so the
 * buffer is flagged with an expert item instead of dissected.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
6577 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6579 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
/*
 * QFid create context, request side: the buffer must be empty. An empty
 * buffer is labelled ": NO DATA"; anything else is labelled as malformed.
 *
 * NOTE(review): the malformed case is reported only as text on the parent
 * item. The response-side handlers in this file raise an expert item through
 * report_create_context_malformed_buffer(); doing the same here would make
 * the anomaly filterable and visible in Expert Information.
 */
6583 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6585 proto_item *item = NULL;
6588 item = proto_tree_get_parent(tree);
6592 if (tvb_reported_length(tvb) == 0) {
6593 proto_item_append_text(item, ": NO DATA");
6595 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
/*
 * QFid create context, response side: add a "QFid INFO" subtree running to
 * the end of the buffer and show the 32-byte opaque file id inside it.
 * The declarations of item and offset are on lines this listing omits.
 * NOTE(review): sub_tree is declared proto_item * but holds the result of
 * proto_tree_add_subtree(); proto_tree * would state the intent.
 */
6601 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6605 proto_item *sub_tree;
6607 item = proto_tree_get_parent(tree);
6609 proto_item_append_text(item, ": QFid INFO");
6610 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_QFid_buffer, NULL, "QFid INFO");
6612 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
/*
 * AlSi create context, request side: a 64-bit little-endian allocation size
 * at offset 0.
 */
6616 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6618 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/*
 * AlSi create context, response side: not expected from a server, so the
 * buffer is flagged with an expert item instead of dissected.
 * NOTE(review): pinfo is marked _U_ but is passed on.
 */
6622 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
6624 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
/*
 * DHnQ (durable handle request) create context, request side: the buffer is
 * dissected as a file id at offset 0 in FID_MODE_DHNQ.
 */
6628 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6630 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
/*
 * "DHnQ" create context, response direction.
 *
 * The buffer is shown as a single 8-byte reserved field at offset 0.
 */
static void
dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
}
/*
 * "DHnC" (durable handle reconnect) create context, request direction.
 *
 * The buffer is handed to dissect_smb2_fid() at offset 0 in FID_MODE_DHNC.
 */
static void
dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
}
/*
 * "DHnC" create context, response direction.
 *
 * Nothing is decoded; the buffer is reported through
 * report_create_context_malformed_buffer() as "DHnC Response".
 */
static void
dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
}
6652 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
6658 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
6662 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
6667 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
6670 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
/*
 * "DH2Q" create context, request direction
 * (SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2).
 *
 * Fields are added in order under a "DH2Q Request" subtree:
 * timeout (4 bytes), flags bitmask (4), reserved (8), create GUID (16).
 */
static void
dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	static const int *dh2x_flags_fields[] = {
		&hf_smb2_dh2x_buffer_flags_persistent_handle,
		NULL
	};
	int         pos = 0;
	proto_item *parent;
	proto_tree *ctx_tree;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": DH2Q Request");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Request");

	/* timeout */
	proto_tree_add_item(ctx_tree, hf_smb2_dh2x_buffer_timeout, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* flags */
	proto_tree_add_bitmask(ctx_tree, tvb, pos, hf_smb2_dh2x_buffer_flags,
			       ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* reserved */
	proto_tree_add_item(ctx_tree, hf_smb2_dh2x_buffer_reserved, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* create guid */
	proto_tree_add_item(ctx_tree, hf_smb2_dh2x_buffer_create_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
}
/*
 * "DH2Q" create context, response direction
 * (SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2).
 *
 * Adds a "DH2Q Response" subtree with the timeout (4 bytes) followed by the
 * flags (4 bytes, shown as a plain item rather than a bitmask).
 */
static void
dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	proto_item *parent;
	proto_tree *ctx_tree;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": DH2Q Response");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Response");

	/* timeout */
	proto_tree_add_item(ctx_tree, hf_smb2_dh2x_buffer_timeout, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* flags */
	proto_tree_add_item(ctx_tree, hf_smb2_dh2x_buffer_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/*
 * "DH2C" create context, request direction
 * (SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2).
 *
 * Adds a "DH2C Request" subtree holding the file id (via dissect_smb2_fid()
 * in FID_MODE_DHNC), the 16-byte create GUID and the 4-byte flags.
 */
static void
dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	int         pos = 0;
	proto_item *parent;
	proto_tree *ctx_tree;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": DH2C Request");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2C_buffer, NULL, "DH2C Request");

	/* file id; the return value of dissect_smb2_fid() is not used here */
	dissect_smb2_fid(tvb, pinfo, ctx_tree, pos, si, FID_MODE_DHNC);
	pos += 16;

	/* create guid */
	proto_tree_add_item(ctx_tree, hf_smb2_dh2x_buffer_create_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	/* flags */
	proto_tree_add_item(ctx_tree, hf_smb2_dh2x_buffer_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/*
 * "DH2C" create context, response direction.
 *
 * Nothing is decoded; the buffer is reported through
 * report_create_context_malformed_buffer() as "DH2C Response".
 */
static void
dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
}
/*
 * "MxAc" (query maximal access) create context, request direction.
 *
 * An empty buffer is labelled ": NO DATA" and nothing is read.  Otherwise
 * the buffer is decoded as one 64-bit NT timestamp at offset 0.
 */
static void
dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	proto_item *parent = NULL;
	gboolean    empty;

	if (tree != NULL) {
		parent = proto_tree_get_parent(tree);
	}

	empty = (tvb_reported_length(tvb) == 0);

	if (parent != NULL) {
		proto_item_append_text(parent, empty ? ": NO DATA" : ": Timestamp");
	}

	/* Nothing to read from an empty context buffer. */
	if (empty) {
		return;
	}

	dissect_nt_64bit_time(tvb, tree, pos, hf_smb2_mxac_timestamp);
}
/*
 * "MxAc" create context, response direction.
 *
 * An empty buffer is labelled ": NO DATA".  Otherwise a "MxAc INFO" subtree
 * is added with a 4-byte status followed by an access mask decoded by
 * dissect_smb_access_mask().
 */
static void
dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	proto_item *parent;
	proto_tree *mxac_tree;

	parent = proto_tree_get_parent(tree);

	if (tvb_reported_length(tvb) == 0) {
		proto_item_append_text(parent, ": NO DATA");
		return;
	}

	proto_item_append_text(parent, ": MxAc INFO");
	mxac_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_MxAc_buffer, NULL, "MxAc INFO");

	/*
	 * NOTE(review): this is the only field in the create-context dissectors
	 * here that is read big-endian; confirm that is intended for the status.
	 */
	proto_tree_add_item(mxac_tree, hf_smb2_mxac_status, tvb, pos, 4, ENC_BIG_ENDIAN);
	pos += 4;

	dissect_smb_access_mask(tvb, mxac_tree, pos);
}
6803 * SMB2_CREATE_REQUEST_LEASE 32
6807 * 8 - lease duration
6809 * SMB2_CREATE_REQUEST_LEASE_V2 52
6813 * 8 - lease duration
6814 * 16 - parent lease key
/* Lease state bits shown by the hf_smb2_lease_state bitmask. */
6818 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
6819 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
6820 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
/* Lease flag bits shown by the hf_smb2_lease_flags bitmask. */
6822 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
6823 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
6824 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
/*
 * Field lists passed to proto_tree_add_bitmask() by the lease create-context
 * dissector and by the break request/response dissectors.
 */
6826 static const int *lease_state_fields[] = {
6827 &hf_smb2_lease_state_read_caching,
6828 &hf_smb2_lease_state_handle_caching,
6829 &hf_smb2_lease_state_write_caching,
6832 static const int *lease_flags_fields[] = {
6833 &hf_smb2_lease_flags_break_ack_required,
6834 &hf_smb2_lease_flags_break_in_progress,
6835 &hf_smb2_lease_flags_parent_lease_key_set,
/*
 * Shared body for the "RqLs" lease create context, used for both request
 * and response.
 *
 * The lease version is chosen purely from the reported buffer length:
 * 32 bytes is treated as LEASE_V1, 52 bytes as LEASE_V2, and any other
 * length is reported through report_create_context_malformed_buffer().
 * In that last case no subtree is created, but the V1 fields are still
 * walked with a NULL subtree.
 *
 * V1 fields: lease key (16), lease state (4), lease flags (4), duration (8).
 * V2 adds:   parent lease key (16), epoch (2), reserved (2).
 */
static void
dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	int         buf_len;
	proto_tree *lease_tree = NULL;
	proto_item *parent_item;

	parent_item = proto_tree_get_parent(parent_tree);

	buf_len = tvb_reported_length(tvb);

	switch (buf_len) {
	case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
		proto_item_append_text(parent_item, ": LEASE_V1");
		lease_tree = proto_tree_add_subtree(parent_tree, tvb, pos, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V1");
		break;
	case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
		proto_item_append_text(parent_item, ": LEASE_V2");
		lease_tree = proto_tree_add_subtree(parent_tree, tvb, pos, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V2");
		break;
	default:
		report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
		break;
	}

	/* Fields common to both versions. */
	proto_tree_add_item(lease_tree, hf_smb2_lease_key, tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	proto_tree_add_bitmask(lease_tree, tvb, pos, hf_smb2_lease_state,
			       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	proto_tree_add_bitmask(lease_tree, tvb, pos, hf_smb2_lease_flags,
			       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	proto_tree_add_item(lease_tree, hf_smb2_lease_duration, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* The remaining fields only exist in the 52-byte V2 layout. */
	if (buf_len >= 52) {
		proto_tree_add_item(lease_tree, hf_smb2_parent_lease_key, tvb, pos, 16, ENC_LITTLE_ENDIAN);
		pos += 16;

		proto_tree_add_item(lease_tree, hf_smb2_lease_epoch, tvb, pos, 2, ENC_LITTLE_ENDIAN);
		pos += 2;

		proto_tree_add_item(lease_tree, hf_smb2_lease_reserved, tvb, pos, 2, ENC_LITTLE_ENDIAN);
	}
}
/*
 * "RqLs" (request lease) create context, request direction.
 * Thin wrapper: both directions share dissect_SMB2_CREATE_LEASE_VX().
 */
static void
dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
}
/*
 * "RqLs" (request lease) create context, response direction.
 * Thin wrapper: both directions share dissect_SMB2_CREATE_LEASE_VX().
 */
static void
dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
}
6905 * SMB2_CREATE_APP_INSTANCE_ID
6906 * 2 - structure size - 20
6908 * 16 - application guid
/*
 * SMB2_CREATE_APP_INSTANCE_ID create context, request direction.
 *
 * Adds an "APP INSTANCE ID" subtree with the structure size (2 bytes),
 * a reserved field (2 bytes) and the 16-byte application GUID.
 * The structure-size value is displayed but not checked against the buffer.
 */
static void
dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	proto_item *parent;
	proto_tree *app_tree;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": CREATE APP INSTANCE ID");
	app_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_APP_INSTANCE_buffer, NULL, "APP INSTANCE ID");

	/* struct size */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* reserved */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* application guid */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
}
/*
 * SMB2_CREATE_APP_INSTANCE_ID create context, response direction.
 *
 * Nothing is decoded; the buffer is reported through
 * report_create_context_malformed_buffer() as "APP INSTANCE Response".
 */
static void
dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
}
6944 * Dissect the MS-RSVD stuff that turns up when HyperV uses SMB3.x
/*
 * SVHDX_OPEN_DEVICE_CONTEXT create context (MS-RSVD, seen when Hyper-V uses
 * SMB3.x), request direction.
 *
 * Fields are added in order: Version (4), HasInitiatorId (1), Reserved (3),
 * InitiatorId (16), Flags (4), OriginatorFlags (4), OpenRequestId (8),
 * InitiatorHostNameLength (2), InitiatorHostName (126).
 */
static void
dissect_smb2_svhdx_open_device_context_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	proto_item *parent;
	proto_tree *svhdx_tree;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": SVHDX OPEN DEVICE CONTEXT");
	svhdx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_svhdx_open_device_context, NULL, "SVHDX OPEN DEVICE CONTEXT");

	/* Version */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_version,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* HasInitiatorId */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_has_initiator_id,
			    tvb, pos, 1, ENC_LITTLE_ENDIAN);
	pos += 1;

	/* Reserved */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_reserved,
			    tvb, pos, 3, ENC_NA);
	pos += 3;

	/* InitiatorId */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_initiator_id,
			    tvb, pos, 16, ENC_NA);
	pos += 16;

	/* Flags TODO: Dissect these */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_flags,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* OriginatorFlags */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_originator_flags,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* OpenRequestId */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_open_request_id,
			    tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* InitiatorHostNameLength */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_initiator_host_name_len,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/*
	 * InitiatorHostName: always added as a fixed 126-byte item; the length
	 * field just above is displayed but not used to size it.
	 */
	proto_tree_add_item(svhdx_tree, hf_smb2_svhdx_open_device_context_initiator_host_name,
			    tvb, pos, 126, ENC_ASCII | ENC_NA);
}
/*
 * SVHDX_OPEN_DEVICE_CONTEXT create context, response direction.
 *
 * Nothing is decoded; the buffer is reported through
 * report_create_context_malformed_buffer().  The label string is kept
 * exactly as the dissector emits it.
 */
static void
dissect_smb2_svhdx_open_device_context_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	report_create_context_malformed_buffer(tvb, pinfo, tree, "SHVXD OPEN DEVICE CONTEXT Response");
}
/*
 * Field list for the POSIX V1 "supported features" bitmask; passed to
 * proto_tree_add_bitmask() by the POSIX V1 caps response dissector.
 */
7009 static const int *posix_flags_fields[] = {
7010 &hf_smb2_posix_v1_case_sensitive,
7011 &hf_smb2_posix_v1_posix_lock,
7012 &hf_smb2_posix_v1_posix_file_semantics,
7013 &hf_smb2_posix_v1_posix_utf8_paths,
7014 &hf_smb2_posix_v1_posix_will_convert_nt_acls,
7015 &hf_smb2_posix_v1_posix_fileinfo,
7016 &hf_smb2_posix_v1_posix_acls,
7017 &hf_smb2_posix_v1_rich_acls,
/*
 * SMB2_POSIX_V1_CAPS create context, request direction.
 *
 * Adds a "POSIX_V1_REQUEST" subtree with the version (4 bytes) followed by
 * the request value (4 bytes).
 */
static void
dissect_smb2_posix_v1_caps_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	proto_item *parent;
	proto_tree *posix_tree;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": POSIX V1 CAPS request");
	posix_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_posix_v1_request, NULL, "POSIX_V1_REQUEST");

	/* Version */
	proto_tree_add_item(posix_tree, hf_smb2_posix_v1_version,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* Request */
	proto_tree_add_item(posix_tree, hf_smb2_posix_v1_request,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/*
 * SMB2_POSIX_V1_CAPS create context, response direction.
 *
 * Adds a "POSIX_V1_RESPONSE" subtree with the version (4 bytes) followed by
 * the supported-features bitmask decoded with posix_flags_fields.
 */
static void
dissect_smb2_posix_v1_caps_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos = 0;
	proto_item *parent;
	proto_tree *posix_tree;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": POSIX V1 CAPS response");
	posix_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_posix_v1_response, NULL, "POSIX_V1_RESPONSE");

	/* Version */
	proto_tree_add_item(posix_tree, hf_smb2_posix_v1_version,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* Supported Features */
	proto_tree_add_bitmask(posix_tree, tvb, pos,
			       hf_smb2_posix_v1_supported_features,
			       ett_smb2_posix_v1_supported_features,
			       posix_flags_fields, ENC_LITTLE_ENDIAN);
}
/* AAPL create context command codes (the first 4-byte field of the buffer). */
7068 #define SMB2_AAPL_SERVER_QUERY 1
7069 #define SMB2_AAPL_RESOLVE_ID 2
/* Display names for the command codes above. */
7071 static const value_string aapl_command_code_vals[] = {
7072 { SMB2_AAPL_SERVER_QUERY, "Server query"},
7073 { SMB2_AAPL_RESOLVE_ID, "Resolve ID"},
/*
 * Server-query bitmap bits.  The response dissector tests these bits to
 * decide which optional sections it decodes.
 */
7077 #define SMB2_AAPL_SERVER_CAPS 0x00000001
7078 #define SMB2_AAPL_VOLUME_CAPS 0x00000002
7079 #define SMB2_AAPL_MODEL_INFO 0x00000004
/* Field list for the server-query bitmap. */
7081 static const int *aapl_server_query_bitmap_fields[] = {
7082 &hf_smb2_aapl_server_query_bitmask_server_caps,
7083 &hf_smb2_aapl_server_query_bitmask_volume_caps,
7084 &hf_smb2_aapl_server_query_bitmask_model_info,
/* Capability bits carried in the server-query caps field. */
7088 #define SMB2_AAPL_SUPPORTS_READ_DIR_ATTR 0x00000001
7089 #define SMB2_AAPL_SUPPORTS_OSX_COPYFILE 0x00000002
7090 #define SMB2_AAPL_UNIX_BASED 0x00000004
7091 #define SMB2_AAPL_SUPPORTS_NFS_ACE 0x00000008
/* Field list for the caps bitmask (used for both request and response). */
7093 static const int *aapl_server_query_caps_fields[] = {
7094 &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
7095 &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
7096 &hf_smb2_aapl_server_query_caps_unix_based,
7097 &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
/*
 * "AAPL" create context, request direction.
 *
 * Adds an "AAPL Create Context request" subtree, reads the 4-byte command
 * code and a 4-byte reserved field, then decodes the rest according to the
 * command code: a request bitmap plus client capabilities for
 * SMB2_AAPL_SERVER_QUERY, or an 8-byte file id for SMB2_AAPL_RESOLVE_ID.
 */
7102 dissect_smb2_AAPL_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
7106 proto_item *sub_tree;
7107 guint32 command_code;
7109 item = proto_tree_get_parent(tree);
7111 proto_item_append_text(item, ": AAPL Create Context request");
7112 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_request, NULL, "AAPL Create Context request");
/* The command code is both displayed and captured; it drives the switch below. */
7115 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
7116 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
7120 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
7121 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* command_code comes from the packet; only the two known values are decoded. */
7124 switch (command_code) {
7126 case SMB2_AAPL_SERVER_QUERY:
7127 /* Request bitmap */
7128 proto_tree_add_bitmask(sub_tree, tvb, offset,
7129 hf_smb2_aapl_server_query_bitmask,
7130 ett_smb2_aapl_server_query_bitmask,
7131 aapl_server_query_bitmap_fields,
7135 /* Client capabilities */
7136 proto_tree_add_bitmask(sub_tree, tvb, offset,
7137 hf_smb2_aapl_server_query_caps,
7138 ett_smb2_aapl_server_query_caps,
7139 aapl_server_query_caps_fields,
7143 case SMB2_AAPL_RESOLVE_ID:
7145 proto_tree_add_item(sub_tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* Volume capability bits carried in an AAPL server-query response. */
7153 #define SMB2_AAPL_SUPPORTS_RESOLVE_ID 0x00000001
7154 #define SMB2_AAPL_CASE_SENSITIVE 0x00000002
7155 #define SMB2_AAPL_SUPPORTS_FULL_SYNC 0x00000004
/* Field list for the volume-capabilities bitmask. */
7157 static const int *aapl_server_query_volume_caps_fields[] = {
7158 &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
7159 &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
7160 &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
/*
 * "AAPL" create context, response direction.
 *
 * Adds an "AAPL Create Context response" subtree, reads the 4-byte command
 * code and a 4-byte reserved field, then decodes by command code.
 *
 * For SMB2_AAPL_SERVER_QUERY the reply bitmap is read first, and each
 * optional section (server caps, volume caps, model string) is decoded only
 * when its bit is set in that bitmap.  For SMB2_AAPL_RESOLVE_ID an NT status
 * and a server path are shown.
 */
7165 dissect_smb2_AAPL_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
7169 proto_item *sub_tree;
7170 guint32 command_code;
7171 guint64 server_query_bitmask;
7173 item = proto_tree_get_parent(tree);
7175 proto_item_append_text(item, ": AAPL Create Context response");
7176 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_response, NULL, "AAPL Create Context response");
7179 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
7180 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
7184 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
7185 tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* command_code comes from the packet; only the two known values are decoded. */
7188 switch (command_code) {
7190 case SMB2_AAPL_SERVER_QUERY:
/* The bitmap value is captured because it selects the sections that follow. */
7192 proto_tree_add_bitmask_ret_uint64(sub_tree, tvb, offset,
7193 hf_smb2_aapl_server_query_bitmask,
7194 ett_smb2_aapl_server_query_bitmask,
7195 aapl_server_query_bitmap_fields,
7197 &server_query_bitmask);
7200 if (server_query_bitmask & SMB2_AAPL_SERVER_CAPS) {
7201 /* Server capabilities */
7202 proto_tree_add_bitmask(sub_tree, tvb, offset,
7203 hf_smb2_aapl_server_query_caps,
7204 ett_smb2_aapl_server_query_caps,
7205 aapl_server_query_caps_fields,
7209 if (server_query_bitmask & SMB2_AAPL_VOLUME_CAPS) {
7210 /* Volume capabilities */
7211 proto_tree_add_bitmask(sub_tree, tvb, offset,
7212 hf_smb2_aapl_server_query_volume_caps,
7213 ett_smb2_aapl_server_query_volume_caps,
7214 aapl_server_query_volume_caps_fields,
7218 if (server_query_bitmask & SMB2_AAPL_MODEL_INFO) {
/* Model string, added as UTF-16 little-endian text. */
7223 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_model_string,
7225 ENC_UTF_16|ENC_LITTLE_ENDIAN);
7229 case SMB2_AAPL_RESOLVE_ID:
7231 proto_tree_add_item(sub_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Server path, added as UTF-16 little-endian text. */
7235 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_server_path,
7237 ENC_UTF_16|ENC_LITTLE_ENDIAN);
/* Signature shared by every create-context payload dissector. */
7245 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
/* One payload dissector per direction for a given create-context tag. */
7247 typedef struct create_context_data_dissectors {
7248 create_context_data_dissector_t request;
7249 create_context_data_dissector_t response;
7250 } create_context_data_dissectors_t;
/* Table row: the tag as it appears on the wire, a display name, and the dissector pair. */
7252 struct create_context_data_tag_dissectors {
7255 create_context_data_dissectors_t dissectors;
/*
 * Dispatch table keyed by the tag string taken from the packet.  Tags are
 * either short ASCII names ("ExtA", "DH2Q", ...) or GUIDs in string form;
 * lookup is an exact, case-sensitive strcmp() in
 * get_create_context_data_tag_dissectors(), which is presumably why
 * SMB2_CREATE_APP_INSTANCE_ID is listed under two spellings.
 * A tag that matches no row falls back to that function's "<invalid>" entry,
 * which has no dissectors.
 */
7258 struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
7259 { "ExtA", "SMB2_CREATE_EA_BUFFER",
7260 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
7261 { "SecD", "SMB2_CREATE_SD_BUFFER",
7262 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
7263 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
7264 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
7265 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
7266 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
7267 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
7268 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
7269 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
7270 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
7271 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
7272 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
7273 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
7274 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
7275 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
7276 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
7277 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
7278 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
7279 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
7280 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
7281 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
7282 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
7283 { "6aa6bc45-a7ef-4af7-9008-fa462e144d74", "SMB2_CREATE_APP_INSTANCE_ID",
7284 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
7285 { "9ecfcb9c-c104-43e6-980e-158da1f6ec83", "SVHDX_OPEN_DEVICE_CONTEXT",
7286 { dissect_smb2_svhdx_open_device_context_request, dissect_smb2_svhdx_open_device_context_response} },
7287 { "34263501-2921-4912-2586-447794114531", "SMB2_POSIX_V1_CAPS",
7288 { dissect_smb2_posix_v1_caps_request, dissect_smb2_posix_v1_caps_response } },
7289 { "AAPL", "SMB2_AAPL_CREATE_CONTEXT",
7290 { dissect_smb2_AAPL_buffer_request, dissect_smb2_AAPL_buffer_response } },
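/*
 * Look up the dispatch-table row for a create-context tag.
 *
 * tag is the tag string extracted from the packet (a short ASCII name or a
 * GUID in string form).  The comparison is an exact, case-sensitive match.
 *
 * Returns a pointer to the matching row of create_context_dissectors_array,
 * or to a static "<invalid>" row (no dissectors) when nothing matches.
 * The result is never NULL, so callers may dereference it directly.
 */
static struct create_context_data_tag_dissectors*
get_create_context_data_tag_dissectors(const char *tag)
{
	static struct create_context_data_tag_dissectors INVALID = {
		NULL, "<invalid>", { NULL, NULL }
	};

	size_t i;

	/*
	 * The tag is derived from untrusted packet data.  The string helper
	 * that produces it is not shown here; if it can return NULL (for
	 * example for an empty or out-of-range tag buffer), strcmp() below
	 * would dereference a NULL pointer and crash the dissector.  Treat a
	 * missing tag as "unknown".
	 */
	if (tag == NULL)
		return &INVALID;

	for (i = 0; i<array_length(create_context_dissectors_array); i++) {
		if (!strcmp(tag, create_context_dissectors_array[i].tag))
			return &create_context_dissectors_array[i];
	}
	return &INVALID;
}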
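/*
 * Dissect one element of the create-context chain and recurse into the next.
 *
 * tvb starts at the current chain element.  The element holds a 4-byte
 * offset to the next element (0 = last), a tag offset/length pair and a
 * data offset/length pair.  The tag selects a payload dissector through
 * get_create_context_data_tag_dissectors(); the request or response variant
 * is chosen from si->flags.
 *
 * Every value read here comes from the packet and is untrusted.
 */
static void
dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
{
	offset_length_buffer_t  tag_olb;
	offset_length_buffer_t  data_olb;
	const char *tag;
	/*
	 * The chain offset is read with tvb_get_letohl(), i.e. as 32 bits.
	 * Storing it in a 16-bit variable silently dropped the upper half, so
	 * a value such as 0x00010010 was followed as 0x0010.
	 */
	guint32     chain_offset;
	int         offset      = 0;
	int         len         = -1;
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *parent_item = NULL;
	create_context_data_dissectors_t *dissectors = NULL;
	create_context_data_dissector_t   dissector  = NULL;
	struct create_context_data_tag_dissectors *tag_dissectors;

	chain_offset = tvb_get_letohl(tvb, offset);
	if (chain_offset) {
		/*
		 * Clamp before converting to int so that a value above
		 * G_MAXINT cannot turn into a negative length or offset.
		 * A clamped value is far larger than any real buffer and is
		 * expected to fail the tvb bounds checks below.
		 */
		len = (chain_offset > (guint32)G_MAXINT) ? G_MAXINT : (int)chain_offset;
	}

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_create_chain_element, &sub_item, "Chain Element");
	parent_item = proto_tree_get_parent(parent_tree);

	/* chain offset */
	proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* tag offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);

	/* data offset/length */
	dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);

	/*
	 * These things are all either 4-char strings, like DH2C, or GUIDs,
	 * however, at least one of them appears to be a GUID as a string and
	 * one appears to be a binary guid. So, check if the length is
	 * 16, and if so, pull the GUID and convert it to a string. Otherwise
	 * call dissect_smb2_olb_string.
	 */
	if (tag_olb.len == 16) {
		e_guid_t tag_guid;
		proto_item *tag_item;
		proto_tree *tag_tree;

		tvb_get_letohguid(tvb, tag_olb.off, &tag_guid);
		tag = guid_to_str(wmem_packet_scope(), &tag_guid);

		tag_item = proto_tree_add_string(sub_tree, tag_olb.hfindex, tvb, tag_olb.off, tag_olb.len, tag);
		tag_tree = proto_item_add_subtree(tag_item, ett_smb2_olb);
		proto_tree_add_item(tag_tree, hf_smb2_olb_offset, tvb, tag_olb.off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tag_tree, hf_smb2_olb_length, tvb, tag_olb.len_offset, 2, ENC_LITTLE_ENDIAN);
	} else {
		/* tag string */
		tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
	}

	tag_dissectors = get_create_context_data_tag_dissectors(tag);

	proto_item_append_text(parent_item, " %s", tag_dissectors->val);
	/*
	 * Never hand a NULL pointer to "%s".  Whether the string helper can
	 * return NULL is not visible from here, so this is defensive.
	 */
	proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag ? tag : "");

	/* data: pick the payload dissector for this direction */
	dissectors = &tag_dissectors->dissectors;
	dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;

	dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);

	if (chain_offset > 0) {
		tvbuff_t *chain_tvb;

		/*
		 * NOTE(review): the recursion depth is bounded only by the
		 * number of elements the buffer can hold; no minimum element
		 * size is enforced on chain_offset.  Consider rejecting
		 * offsets smaller than the fixed element header, or turning
		 * this into a loop.
		 */
		chain_tvb = tvb_new_subset_remaining(tvb, len);

		/* next extra info */
		dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
	}
}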
/*
 * Dissect an SMB2 Create request.
 *
 * Walks the fixed part of the request, then decodes the file name and the
 * chained create contexts through their offset/length descriptors.  On the
 * first pass over a packet the file name is copied into si->saved so that
 * it is available when the matching response is dissected.
 *
 * Returns the offset past the furthest buffer referenced by the request.
 */
static int
dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t name_olb, extra_olb;
	const char *fname;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* security flags: one byte, skipped without adding an item */
	offset++;

	/* oplock */
	offset = dissect_smb2_oplock(tree, tvb, offset);

	/* impersonation level */
	proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create flags */
	proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 8, ENC_NA);
	offset += 8;

	/* access mask */
	offset = dissect_smb_access_mask(tvb, tree, offset);

	/* File Attributes */
	offset = dissect_file_ext_attr(tvb, tree, offset);

	/* share access */
	offset = dissect_nt_share_access(tvb, tree, offset);

	/* create disposition */
	proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create options */
	offset = dissect_nt_create_options(tvb, tree, offset);

	/* filename offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &name_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);

	/* extrainfo offset */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &extra_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);

	/*
	 * filename string
	 * NOTE(review): fname is attacker-controlled text and is passed to "%s"
	 * below.  What dissect_smb2_olb_string() returns on failure is not
	 * visible here; confirm it cannot be NULL at these call sites.
	 */
	fname = dissect_smb2_olb_string(pinfo, tree, tvb, &name_olb, OLB_TYPE_UNICODE_STRING);
	col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", fname);

	/* save the name if it looks sane (first pass only, needs si->saved) */
	if (!pinfo->fd->flags.visited && si->saved) {
		/* Drop a name left over from an earlier use of this slot. */
		if (si->saved->extra_info_type == SMB2_EI_FILENAME) {
			g_free(si->saved->extra_info);
			si->saved->extra_info = NULL;
			si->saved->extra_info_type = SMB2_EI_NONE;
		}
		/* Only non-empty names shorter than 256 bytes are kept. */
		if (name_olb.len && name_olb.len<256) {
			si->saved->extra_info_type = SMB2_EI_FILENAME;
			si->saved->extra_info = (gchar *)g_malloc(name_olb.len+1);
			g_snprintf((gchar *)si->saved->extra_info, name_olb.len+1, "%s", fname);
		}
	}

	/* If extrainfo_offset is non-null then this points to another
	 * buffer. The offset is relative to the start of the smb packet
	 */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &extra_olb, si, dissect_smb2_create_extra_info);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &name_olb);
	offset = dissect_smb2_olb_tvb_max_offset(offset, &extra_olb);

	return offset;
}
7467 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
/*
 * Dissect an SMB2 Create response.
 *
 * A non-zero status is handed to dissect_smb2_error_response(), which also
 * decides whether dissection continues.  Otherwise the fixed fields are
 * walked in order, the end-of-file size and attribute mask are recorded in
 * si->eo_file_info, the chained create contexts are decoded, and the file
 * name saved by the request dissector is released.
 *
 * Returns the offset past the last dissected byte.
 */
static int
dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	guint64 eof_size;
	guint32 file_attrs;
	offset_length_buffer_t extra_olb;
	static const int *create_rep_flags_fields[] = {
		&hf_smb2_create_rep_flags_reparse_point,
		NULL
	};
	gboolean continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* oplock */
	offset = dissect_smb2_oplock(tree, tvb, offset);

	/* reserved/flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
			       ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* create action */
	proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create, last access, last write and last change times */
	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* end of file */
	eof_size = tvb_get_letoh64(tvb, offset);
	if (si->eo_file_info) {
		si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
	}
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* File Attributes */
	file_attrs = tvb_get_letohl(tvb, offset);
	offset = dissect_file_ext_attr(tvb, tree, offset);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);

	/* We save this after dissect_smb2_fid just because it would be
	   possible to have this response without having the matching request.
	   In that case the entry in the file info hash table has been created
	   in dissect_smb2_fid */
	if (si->eo_file_info) {
		si->eo_file_info->end_of_file = eof_size;
		si->eo_file_info->attr_mask = file_attrs;
	}

	/* extrainfo offset */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &extra_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);

	/* If extrainfo_offset is non-null then this points to another
	 * buffer. The offset is relative to the start of the smb packet
	 */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &extra_olb, si, dissect_smb2_create_extra_info);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &extra_olb);

	/* free si->saved->extra_info we don't need it any more */
	if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
		g_free(si->saved->extra_info);
		si->saved->extra_info = NULL;
		si->saved->extra_info_type = SMB2_EI_NONE;
	}

	return offset;
}
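/*
 * Dissect an SMB2 SetInfo request.
 *
 * Reads the class/info level, then the size and offset of the info buffer,
 * six undecoded bytes and the file id, and finally hands the info buffer to
 * dissect_smb2_infolevel() using the class and level stored in si->saved.
 *
 * Returns setinfo_offset + setinfo_size, both taken from the packet.
 */
static int
dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	guint32 setinfo_size;
	guint16 setinfo_offset;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* class and info level */
	offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	/* size */
	setinfo_size = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* offset */
	setinfo_offset = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
	offset += 6;

	/* fid */
	dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/*
	 * data
	 * The other command dissectors here test si->saved before using it;
	 * do the same so a packet without saved state cannot cause a NULL
	 * dereference.
	 */
	if (si->saved) {
		dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);
	}

	/*
	 * NOTE(review): both operands are packet-controlled and the 32-bit sum
	 * is converted to int; a very large size yields a negative or wrapped
	 * return offset.  Confirm the caller tolerates that.
	 */
	offset = setinfo_offset + setinfo_size;

	return offset;
}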
/*
 * Dissect an SMB2 SetInfo response.
 *
 * The class/info level is shown first (its returned offset is not used).
 * A zero status is followed by the buffer code; any other status is handed
 * to dissect_smb2_error_response().
 *
 * Returns the offset past the last dissected byte.
 */
static int
dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	gboolean continue_dissection;

	/* class/infolevel */
	dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	return offset;
}
/*
 * Dissect an SMB2 Break request.
 *
 * The 16-bit buffer code (structure size) read from the packet selects the
 * layout: 24 is an oplock break, 36 is a lease break acknowledgment.  Any
 * other value leaves the body undecoded.
 *
 * Returns the offset past the last dissected byte.
 */
static int
dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	guint16 struct_size;

	/* buffer code */
	struct_size = tvb_get_letohs(tvb, offset);
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	switch (struct_size) {
	case 24:
		/* OPLOCK Break */

		/* oplock */
		offset = dissect_smb2_oplock(tree, tvb, offset);

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* file id */
		offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
		break;

	case 36:
		/* Lease Break Acknowledgment */

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* lease state */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
				       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease duration */
		proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;
		break;

	default:
		/* unrecognised structure size: nothing more is decoded */
		break;
	}

	return offset;
}
/*
 * Dissect an SMB2 Break response or notification.
 *
 * The 16-bit buffer code is read before the status is examined.  A non-zero
 * status goes through dissect_smb2_error_response(), which decides whether
 * dissection continues.  The buffer code then selects the layout:
 *   24 - oplock break notification
 *   44 - lease break notification
 *   36 - lease break response
 * Any other value leaves the body undecoded.
 *
 * Returns the offset past the last dissected byte.
 */
static int
dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	guint16 struct_size;
	gboolean continue_dissection;

	/* buffer code */
	struct_size = tvb_get_letohs(tvb, offset);
	if (si->status == 0x00000000) {
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	switch (struct_size) {
	case 24:
		/* OPLOCK Break Notification */

		/* oplock */
		offset = dissect_smb2_oplock(tree, tvb, offset);

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* file id */
		offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

		/* in break requests from server to client there are 24 zero bytes
		 * here, which are likely a bug in windows (they may use 2* 24 bytes
		 * instead of just 1* 24 bytes); they are not dissected
		 */
		break;

	case 44: {
		proto_item *state_item;

		/* Lease Break Notification */

		/* new lease epoch */
		proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* current lease state */
		state_item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
						    ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		if (state_item) {
			proto_item_prepend_text(state_item, "Current ");
		}
		offset += 4;

		/* new lease state */
		state_item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
						    ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		if (state_item) {
			proto_item_prepend_text(state_item, "New ");
		}
		offset += 4;

		/* break reason - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* access mask hint - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* share mask hint - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;
		break;
	}

	case 36:
		/* Lease Break Response */

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* lease state */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
				       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease duration */
		proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;
		break;

	default:
		/* unrecognised structure size: nothing more is decoded */
		break;
	}

	return offset;
}
/*
 * Display names for SMB2 command codes.
 *
 * decode_smb2_name() below does not search this table; it uses the command
 * code as a direct array index (smb2_cmd_vals[cmd & 0xFF]). Every row must
 * therefore sit at the array position equal to its value, and the
 * "unknown-0xNN" rows exist to keep the array dense up to 0xFF. Removing or
 * reordering a row would make that lookup return the wrong name or read
 * past the end of the table.
 */
7795 /* The names below are provisional until better names are found for these commands */
7796 static const value_string smb2_cmd_vals[] = {
7797 { 0x00, "Negotiate Protocol" },
7798 { 0x01, "Session Setup" },
7799 { 0x02, "Session Logoff" },
7800 { 0x03, "Tree Connect" },
7801 { 0x04, "Tree Disconnect" },
7810 { 0x0D, "KeepAlive" },
7813 { 0x10, "GetInfo" },
7814 { 0x11, "SetInfo" },
7816 { 0x13, "unknown-0x13" },
7817 { 0x14, "unknown-0x14" },
7818 { 0x15, "unknown-0x15" },
7819 { 0x16, "unknown-0x16" },
7820 { 0x17, "unknown-0x17" },
7821 { 0x18, "unknown-0x18" },
7822 { 0x19, "unknown-0x19" },
7823 { 0x1A, "unknown-0x1A" },
7824 { 0x1B, "unknown-0x1B" },
7825 { 0x1C, "unknown-0x1C" },
7826 { 0x1D, "unknown-0x1D" },
7827 { 0x1E, "unknown-0x1E" },
7828 { 0x1F, "unknown-0x1F" },
7829 { 0x20, "unknown-0x20" },
7830 { 0x21, "unknown-0x21" },
7831 { 0x22, "unknown-0x22" },
7832 { 0x23, "unknown-0x23" },
7833 { 0x24, "unknown-0x24" },
7834 { 0x25, "unknown-0x25" },
7835 { 0x26, "unknown-0x26" },
7836 { 0x27, "unknown-0x27" },
7837 { 0x28, "unknown-0x28" },
7838 { 0x29, "unknown-0x29" },
7839 { 0x2A, "unknown-0x2A" },
7840 { 0x2B, "unknown-0x2B" },
7841 { 0x2C, "unknown-0x2C" },
7842 { 0x2D, "unknown-0x2D" },
7843 { 0x2E, "unknown-0x2E" },
7844 { 0x2F, "unknown-0x2F" },
7845 { 0x30, "unknown-0x30" },
7846 { 0x31, "unknown-0x31" },
7847 { 0x32, "unknown-0x32" },
7848 { 0x33, "unknown-0x33" },
7849 { 0x34, "unknown-0x34" },
7850 { 0x35, "unknown-0x35" },
7851 { 0x36, "unknown-0x36" },
7852 { 0x37, "unknown-0x37" },
7853 { 0x38, "unknown-0x38" },
7854 { 0x39, "unknown-0x39" },
7855 { 0x3A, "unknown-0x3A" },
7856 { 0x3B, "unknown-0x3B" },
7857 { 0x3C, "unknown-0x3C" },
7858 { 0x3D, "unknown-0x3D" },
7859 { 0x3E, "unknown-0x3E" },
7860 { 0x3F, "unknown-0x3F" },
7861 { 0x40, "unknown-0x40" },
7862 { 0x41, "unknown-0x41" },
7863 { 0x42, "unknown-0x42" },
7864 { 0x43, "unknown-0x43" },
7865 { 0x44, "unknown-0x44" },
7866 { 0x45, "unknown-0x45" },
7867 { 0x46, "unknown-0x46" },
7868 { 0x47, "unknown-0x47" },
7869 { 0x48, "unknown-0x48" },
7870 { 0x49, "unknown-0x49" },
7871 { 0x4A, "unknown-0x4A" },
7872 { 0x4B, "unknown-0x4B" },
7873 { 0x4C, "unknown-0x4C" },
7874 { 0x4D, "unknown-0x4D" },
7875 { 0x4E, "unknown-0x4E" },
7876 { 0x4F, "unknown-0x4F" },
7877 { 0x50, "unknown-0x50" },
7878 { 0x51, "unknown-0x51" },
7879 { 0x52, "unknown-0x52" },
7880 { 0x53, "unknown-0x53" },
7881 { 0x54, "unknown-0x54" },
7882 { 0x55, "unknown-0x55" },
7883 { 0x56, "unknown-0x56" },
7884 { 0x57, "unknown-0x57" },
7885 { 0x58, "unknown-0x58" },
7886 { 0x59, "unknown-0x59" },
7887 { 0x5A, "unknown-0x5A" },
7888 { 0x5B, "unknown-0x5B" },
7889 { 0x5C, "unknown-0x5C" },
7890 { 0x5D, "unknown-0x5D" },
7891 { 0x5E, "unknown-0x5E" },
7892 { 0x5F, "unknown-0x5F" },
7893 { 0x60, "unknown-0x60" },
7894 { 0x61, "unknown-0x61" },
7895 { 0x62, "unknown-0x62" },
7896 { 0x63, "unknown-0x63" },
7897 { 0x64, "unknown-0x64" },
7898 { 0x65, "unknown-0x65" },
7899 { 0x66, "unknown-0x66" },
7900 { 0x67, "unknown-0x67" },
7901 { 0x68, "unknown-0x68" },
7902 { 0x69, "unknown-0x69" },
7903 { 0x6A, "unknown-0x6A" },
7904 { 0x6B, "unknown-0x6B" },
7905 { 0x6C, "unknown-0x6C" },
7906 { 0x6D, "unknown-0x6D" },
7907 { 0x6E, "unknown-0x6E" },
7908 { 0x6F, "unknown-0x6F" },
7909 { 0x70, "unknown-0x70" },
7910 { 0x71, "unknown-0x71" },
7911 { 0x72, "unknown-0x72" },
7912 { 0x73, "unknown-0x73" },
7913 { 0x74, "unknown-0x74" },
7914 { 0x75, "unknown-0x75" },
7915 { 0x76, "unknown-0x76" },
7916 { 0x77, "unknown-0x77" },
7917 { 0x78, "unknown-0x78" },
7918 { 0x79, "unknown-0x79" },
7919 { 0x7A, "unknown-0x7A" },
7920 { 0x7B, "unknown-0x7B" },
7921 { 0x7C, "unknown-0x7C" },
7922 { 0x7D, "unknown-0x7D" },
7923 { 0x7E, "unknown-0x7E" },
7924 { 0x7F, "unknown-0x7F" },
7925 { 0x80, "unknown-0x80" },
7926 { 0x81, "unknown-0x81" },
7927 { 0x82, "unknown-0x82" },
7928 { 0x83, "unknown-0x83" },
7929 { 0x84, "unknown-0x84" },
7930 { 0x85, "unknown-0x85" },
7931 { 0x86, "unknown-0x86" },
7932 { 0x87, "unknown-0x87" },
7933 { 0x88, "unknown-0x88" },
7934 { 0x89, "unknown-0x89" },
7935 { 0x8A, "unknown-0x8A" },
7936 { 0x8B, "unknown-0x8B" },
7937 { 0x8C, "unknown-0x8C" },
7938 { 0x8D, "unknown-0x8D" },
7939 { 0x8E, "unknown-0x8E" },
7940 { 0x8F, "unknown-0x8F" },
7941 { 0x90, "unknown-0x90" },
7942 { 0x91, "unknown-0x91" },
7943 { 0x92, "unknown-0x92" },
7944 { 0x93, "unknown-0x93" },
7945 { 0x94, "unknown-0x94" },
7946 { 0x95, "unknown-0x95" },
7947 { 0x96, "unknown-0x96" },
7948 { 0x97, "unknown-0x97" },
7949 { 0x98, "unknown-0x98" },
7950 { 0x99, "unknown-0x99" },
7951 { 0x9A, "unknown-0x9A" },
7952 { 0x9B, "unknown-0x9B" },
7953 { 0x9C, "unknown-0x9C" },
7954 { 0x9D, "unknown-0x9D" },
7955 { 0x9E, "unknown-0x9E" },
7956 { 0x9F, "unknown-0x9F" },
7957 { 0xA0, "unknown-0xA0" },
7958 { 0xA1, "unknown-0xA1" },
7959 { 0xA2, "unknown-0xA2" },
7960 { 0xA3, "unknown-0xA3" },
7961 { 0xA4, "unknown-0xA4" },
7962 { 0xA5, "unknown-0xA5" },
7963 { 0xA6, "unknown-0xA6" },
7964 { 0xA7, "unknown-0xA7" },
7965 { 0xA8, "unknown-0xA8" },
7966 { 0xA9, "unknown-0xA9" },
7967 { 0xAA, "unknown-0xAA" },
7968 { 0xAB, "unknown-0xAB" },
7969 { 0xAC, "unknown-0xAC" },
7970 { 0xAD, "unknown-0xAD" },
7971 { 0xAE, "unknown-0xAE" },
7972 { 0xAF, "unknown-0xAF" },
7973 { 0xB0, "unknown-0xB0" },
7974 { 0xB1, "unknown-0xB1" },
7975 { 0xB2, "unknown-0xB2" },
7976 { 0xB3, "unknown-0xB3" },
7977 { 0xB4, "unknown-0xB4" },
7978 { 0xB5, "unknown-0xB5" },
7979 { 0xB6, "unknown-0xB6" },
7980 { 0xB7, "unknown-0xB7" },
7981 { 0xB8, "unknown-0xB8" },
7982 { 0xB9, "unknown-0xB9" },
7983 { 0xBA, "unknown-0xBA" },
7984 { 0xBB, "unknown-0xBB" },
7985 { 0xBC, "unknown-0xBC" },
7986 { 0xBD, "unknown-0xBD" },
7987 { 0xBE, "unknown-0xBE" },
7988 { 0xBF, "unknown-0xBF" },
7989 { 0xC0, "unknown-0xC0" },
7990 { 0xC1, "unknown-0xC1" },
7991 { 0xC2, "unknown-0xC2" },
7992 { 0xC3, "unknown-0xC3" },
7993 { 0xC4, "unknown-0xC4" },
7994 { 0xC5, "unknown-0xC5" },
7995 { 0xC6, "unknown-0xC6" },
7996 { 0xC7, "unknown-0xC7" },
7997 { 0xC8, "unknown-0xC8" },
7998 { 0xC9, "unknown-0xC9" },
7999 { 0xCA, "unknown-0xCA" },
8000 { 0xCB, "unknown-0xCB" },
8001 { 0xCC, "unknown-0xCC" },
8002 { 0xCD, "unknown-0xCD" },
8003 { 0xCE, "unknown-0xCE" },
8004 { 0xCF, "unknown-0xCF" },
8005 { 0xD0, "unknown-0xD0" },
8006 { 0xD1, "unknown-0xD1" },
8007 { 0xD2, "unknown-0xD2" },
8008 { 0xD3, "unknown-0xD3" },
8009 { 0xD4, "unknown-0xD4" },
8010 { 0xD5, "unknown-0xD5" },
8011 { 0xD6, "unknown-0xD6" },
8012 { 0xD7, "unknown-0xD7" },
8013 { 0xD8, "unknown-0xD8" },
8014 { 0xD9, "unknown-0xD9" },
8015 { 0xDA, "unknown-0xDA" },
8016 { 0xDB, "unknown-0xDB" },
8017 { 0xDC, "unknown-0xDC" },
8018 { 0xDD, "unknown-0xDD" },
8019 { 0xDE, "unknown-0xDE" },
8020 { 0xDF, "unknown-0xDF" },
8021 { 0xE0, "unknown-0xE0" },
8022 { 0xE1, "unknown-0xE1" },
8023 { 0xE2, "unknown-0xE2" },
8024 { 0xE3, "unknown-0xE3" },
8025 { 0xE4, "unknown-0xE4" },
8026 { 0xE5, "unknown-0xE5" },
8027 { 0xE6, "unknown-0xE6" },
8028 { 0xE7, "unknown-0xE7" },
8029 { 0xE8, "unknown-0xE8" },
8030 { 0xE9, "unknown-0xE9" },
8031 { 0xEA, "unknown-0xEA" },
8032 { 0xEB, "unknown-0xEB" },
8033 { 0xEC, "unknown-0xEC" },
8034 { 0xED, "unknown-0xED" },
8035 { 0xEE, "unknown-0xEE" },
8036 { 0xEF, "unknown-0xEF" },
8037 { 0xF0, "unknown-0xF0" },
8038 { 0xF1, "unknown-0xF1" },
8039 { 0xF2, "unknown-0xF2" },
8040 { 0xF3, "unknown-0xF3" },
8041 { 0xF4, "unknown-0xF4" },
8042 { 0xF5, "unknown-0xF5" },
8043 { 0xF6, "unknown-0xF6" },
8044 { 0xF7, "unknown-0xF7" },
8045 { 0xF8, "unknown-0xF8" },
8046 { 0xF9, "unknown-0xF9" },
8047 { 0xFA, "unknown-0xFA" },
8048 { 0xFB, "unknown-0xFB" },
8049 { 0xFC, "unknown-0xFC" },
8050 { 0xFD, "unknown-0xFD" },
8051 { 0xFE, "unknown-0xFE" },
8052 { 0xFF, "unknown-0xFF" },
/* Extended value_string initialised from the same table; it is not static, so it is visible outside this file. */
8055 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Return the display name for an SMB2 command code.
 *
 * cmd: command code. Values above 0xFF have no table row and yield the
 *      literal "unknown".
 * Returns the strptr member of row cmd in smb2_cmd_vals, using the code as
 * a direct array index rather than a search. The range check runs first,
 * so the index is always within 0x00-0xFF and the "& 0xFF" changes nothing
 * on the path that reaches it.
 */
8057 static const char *decode_smb2_name(guint16 cmd)
8059 if (cmd > 0xFF) return "unknown";
8060 return(smb2_cmd_vals[cmd & 0xFF].strptr);
/*
 * Per-command dissector table: entry N holds the request and response
 * dissectors for SMB2 command code N. dissect_smb2_command() indexes it
 * with the low byte of the opcode (si->opcode & 0xff) and picks .request or
 * .response from the header flags. The array is declared with 256 entries,
 * so that masked index cannot leave it. A NULL member means no dissector is
 * registered for that command and direction.
 */
8063 static smb2_function smb2_dissector[256] = {
8064 /* 0x00 NegotiateProtocol*/
8065 {dissect_smb2_negotiate_protocol_request,
8066 dissect_smb2_negotiate_protocol_response},
8067 /* 0x01 SessionSetup*/
8068 {dissect_smb2_session_setup_request,
8069 dissect_smb2_session_setup_response},
8070 /* 0x02 SessionLogoff*/
8071 {dissect_smb2_sessionlogoff_request,
8072 dissect_smb2_sessionlogoff_response},
8073 /* 0x03 TreeConnect*/
8074 {dissect_smb2_tree_connect_request,
8075 dissect_smb2_tree_connect_response},
8076 /* 0x04 TreeDisconnect*/
8077 {dissect_smb2_tree_disconnect_request,
8078 dissect_smb2_tree_disconnect_response},
8080 {dissect_smb2_create_request,
8081 dissect_smb2_create_response},
8083 {dissect_smb2_close_request,
8084 dissect_smb2_close_response},
8086 {dissect_smb2_flush_request,
8087 dissect_smb2_flush_response},
8089 {dissect_smb2_read_request,
8090 dissect_smb2_read_response},
8092 {dissect_smb2_write_request,
8093 dissect_smb2_write_response},
8095 {dissect_smb2_lock_request,
8096 dissect_smb2_lock_response},
8098 {dissect_smb2_ioctl_request,
8099 dissect_smb2_ioctl_response},
8101 {dissect_smb2_cancel_request,
8104 {dissect_smb2_keepalive_request,
8105 dissect_smb2_keepalive_response},
8107 {dissect_smb2_find_request,
8108 dissect_smb2_find_response},
8110 {dissect_smb2_notify_request,
8111 dissect_smb2_notify_response},
8113 {dissect_smb2_getinfo_request,
8114 dissect_smb2_getinfo_response},
8116 {dissect_smb2_setinfo_request,
8117 dissect_smb2_setinfo_response},
8119 {dissect_smb2_break_request,
8120 dissect_smb2_break_response},
8121 /* 0x13 */ {NULL, NULL},
8122 /* 0x14 */ {NULL, NULL},
8123 /* 0x15 */ {NULL, NULL},
8124 /* 0x16 */ {NULL, NULL},
8125 /* 0x17 */ {NULL, NULL},
8126 /* 0x18 */ {NULL, NULL},
8127 /* 0x19 */ {NULL, NULL},
8128 /* 0x1a */ {NULL, NULL},
8129 /* 0x1b */ {NULL, NULL},
8130 /* 0x1c */ {NULL, NULL},
8131 /* 0x1d */ {NULL, NULL},
8132 /* 0x1e */ {NULL, NULL},
8133 /* 0x1f */ {NULL, NULL},
8134 /* 0x20 */ {NULL, NULL},
8135 /* 0x21 */ {NULL, NULL},
8136 /* 0x22 */ {NULL, NULL},
8137 /* 0x23 */ {NULL, NULL},
8138 /* 0x24 */ {NULL, NULL},
8139 /* 0x25 */ {NULL, NULL},
8140 /* 0x26 */ {NULL, NULL},
8141 /* 0x27 */ {NULL, NULL},
8142 /* 0x28 */ {NULL, NULL},
8143 /* 0x29 */ {NULL, NULL},
8144 /* 0x2a */ {NULL, NULL},
8145 /* 0x2b */ {NULL, NULL},
8146 /* 0x2c */ {NULL, NULL},
8147 /* 0x2d */ {NULL, NULL},
8148 /* 0x2e */ {NULL, NULL},
8149 /* 0x2f */ {NULL, NULL},
8150 /* 0x30 */ {NULL, NULL},
8151 /* 0x31 */ {NULL, NULL},
8152 /* 0x32 */ {NULL, NULL},
8153 /* 0x33 */ {NULL, NULL},
8154 /* 0x34 */ {NULL, NULL},
8155 /* 0x35 */ {NULL, NULL},
8156 /* 0x36 */ {NULL, NULL},
8157 /* 0x37 */ {NULL, NULL},
8158 /* 0x38 */ {NULL, NULL},
8159 /* 0x39 */ {NULL, NULL},
8160 /* 0x3a */ {NULL, NULL},
8161 /* 0x3b */ {NULL, NULL},
8162 /* 0x3c */ {NULL, NULL},
8163 /* 0x3d */ {NULL, NULL},
8164 /* 0x3e */ {NULL, NULL},
8165 /* 0x3f */ {NULL, NULL},
8166 /* 0x40 */ {NULL, NULL},
8167 /* 0x41 */ {NULL, NULL},
8168 /* 0x42 */ {NULL, NULL},
8169 /* 0x43 */ {NULL, NULL},
8170 /* 0x44 */ {NULL, NULL},
8171 /* 0x45 */ {NULL, NULL},
8172 /* 0x46 */ {NULL, NULL},
8173 /* 0x47 */ {NULL, NULL},
8174 /* 0x48 */ {NULL, NULL},
8175 /* 0x49 */ {NULL, NULL},
8176 /* 0x4a */ {NULL, NULL},
8177 /* 0x4b */ {NULL, NULL},
8178 /* 0x4c */ {NULL, NULL},
8179 /* 0x4d */ {NULL, NULL},
8180 /* 0x4e */ {NULL, NULL},
8181 /* 0x4f */ {NULL, NULL},
8182 /* 0x50 */ {NULL, NULL},
8183 /* 0x51 */ {NULL, NULL},
8184 /* 0x52 */ {NULL, NULL},
8185 /* 0x53 */ {NULL, NULL},
8186 /* 0x54 */ {NULL, NULL},
8187 /* 0x55 */ {NULL, NULL},
8188 /* 0x56 */ {NULL, NULL},
8189 /* 0x57 */ {NULL, NULL},
8190 /* 0x58 */ {NULL, NULL},
8191 /* 0x59 */ {NULL, NULL},
8192 /* 0x5a */ {NULL, NULL},
8193 /* 0x5b */ {NULL, NULL},
8194 /* 0x5c */ {NULL, NULL},
8195 /* 0x5d */ {NULL, NULL},
8196 /* 0x5e */ {NULL, NULL},
8197 /* 0x5f */ {NULL, NULL},
8198 /* 0x60 */ {NULL, NULL},
8199 /* 0x61 */ {NULL, NULL},
8200 /* 0x62 */ {NULL, NULL},
8201 /* 0x63 */ {NULL, NULL},
8202 /* 0x64 */ {NULL, NULL},
8203 /* 0x65 */ {NULL, NULL},
8204 /* 0x66 */ {NULL, NULL},
8205 /* 0x67 */ {NULL, NULL},
8206 /* 0x68 */ {NULL, NULL},
8207 /* 0x69 */ {NULL, NULL},
8208 /* 0x6a */ {NULL, NULL},
8209 /* 0x6b */ {NULL, NULL},
8210 /* 0x6c */ {NULL, NULL},
8211 /* 0x6d */ {NULL, NULL},
8212 /* 0x6e */ {NULL, NULL},
8213 /* 0x6f */ {NULL, NULL},
8214 /* 0x70 */ {NULL, NULL},
8215 /* 0x71 */ {NULL, NULL},
8216 /* 0x72 */ {NULL, NULL},
8217 /* 0x73 */ {NULL, NULL},
8218 /* 0x74 */ {NULL, NULL},
8219 /* 0x75 */ {NULL, NULL},
8220 /* 0x76 */ {NULL, NULL},
8221 /* 0x77 */ {NULL, NULL},
8222 /* 0x78 */ {NULL, NULL},
8223 /* 0x79 */ {NULL, NULL},
8224 /* 0x7a */ {NULL, NULL},
8225 /* 0x7b */ {NULL, NULL},
8226 /* 0x7c */ {NULL, NULL},
8227 /* 0x7d */ {NULL, NULL},
8228 /* 0x7e */ {NULL, NULL},
8229 /* 0x7f */ {NULL, NULL},
8230 /* 0x80 */ {NULL, NULL},
8231 /* 0x81 */ {NULL, NULL},
8232 /* 0x82 */ {NULL, NULL},
8233 /* 0x83 */ {NULL, NULL},
8234 /* 0x84 */ {NULL, NULL},
8235 /* 0x85 */ {NULL, NULL},
8236 /* 0x86 */ {NULL, NULL},
8237 /* 0x87 */ {NULL, NULL},
8238 /* 0x88 */ {NULL, NULL},
8239 /* 0x89 */ {NULL, NULL},
8240 /* 0x8a */ {NULL, NULL},
8241 /* 0x8b */ {NULL, NULL},
8242 /* 0x8c */ {NULL, NULL},
8243 /* 0x8d */ {NULL, NULL},
8244 /* 0x8e */ {NULL, NULL},
8245 /* 0x8f */ {NULL, NULL},
8246 /* 0x90 */ {NULL, NULL},
8247 /* 0x91 */ {NULL, NULL},
8248 /* 0x92 */ {NULL, NULL},
8249 /* 0x93 */ {NULL, NULL},
8250 /* 0x94 */ {NULL, NULL},
8251 /* 0x95 */ {NULL, NULL},
8252 /* 0x96 */ {NULL, NULL},
8253 /* 0x97 */ {NULL, NULL},
8254 /* 0x98 */ {NULL, NULL},
8255 /* 0x99 */ {NULL, NULL},
8256 /* 0x9a */ {NULL, NULL},
8257 /* 0x9b */ {NULL, NULL},
8258 /* 0x9c */ {NULL, NULL},
8259 /* 0x9d */ {NULL, NULL},
8260 /* 0x9e */ {NULL, NULL},
8261 /* 0x9f */ {NULL, NULL},
8262 /* 0xa0 */ {NULL, NULL},
8263 /* 0xa1 */ {NULL, NULL},
8264 /* 0xa2 */ {NULL, NULL},
8265 /* 0xa3 */ {NULL, NULL},
8266 /* 0xa4 */ {NULL, NULL},
8267 /* 0xa5 */ {NULL, NULL},
8268 /* 0xa6 */ {NULL, NULL},
8269 /* 0xa7 */ {NULL, NULL},
8270 /* 0xa8 */ {NULL, NULL},
8271 /* 0xa9 */ {NULL, NULL},
8272 /* 0xaa */ {NULL, NULL},
8273 /* 0xab */ {NULL, NULL},
8274 /* 0xac */ {NULL, NULL},
8275 /* 0xad */ {NULL, NULL},
8276 /* 0xae */ {NULL, NULL},
8277 /* 0xaf */ {NULL, NULL},
8278 /* 0xb0 */ {NULL, NULL},
8279 /* 0xb1 */ {NULL, NULL},
8280 /* 0xb2 */ {NULL, NULL},
8281 /* 0xb3 */ {NULL, NULL},
8282 /* 0xb4 */ {NULL, NULL},
8283 /* 0xb5 */ {NULL, NULL},
8284 /* 0xb6 */ {NULL, NULL},
8285 /* 0xb7 */ {NULL, NULL},
8286 /* 0xb8 */ {NULL, NULL},
8287 /* 0xb9 */ {NULL, NULL},
8288 /* 0xba */ {NULL, NULL},
8289 /* 0xbb */ {NULL, NULL},
8290 /* 0xbc */ {NULL, NULL},
8291 /* 0xbd */ {NULL, NULL},
8292 /* 0xbe */ {NULL, NULL},
8293 /* 0xbf */ {NULL, NULL},
8294 /* 0xc0 */ {NULL, NULL},
8295 /* 0xc1 */ {NULL, NULL},
8296 /* 0xc2 */ {NULL, NULL},
8297 /* 0xc3 */ {NULL, NULL},
8298 /* 0xc4 */ {NULL, NULL},
8299 /* 0xc5 */ {NULL, NULL},
8300 /* 0xc6 */ {NULL, NULL},
8301 /* 0xc7 */ {NULL, NULL},
8302 /* 0xc8 */ {NULL, NULL},
8303 /* 0xc9 */ {NULL, NULL},
8304 /* 0xca */ {NULL, NULL},
8305 /* 0xcb */ {NULL, NULL},
8306 /* 0xcc */ {NULL, NULL},
8307 /* 0xcd */ {NULL, NULL},
8308 /* 0xce */ {NULL, NULL},
8309 /* 0xcf */ {NULL, NULL},
8310 /* 0xd0 */ {NULL, NULL},
8311 /* 0xd1 */ {NULL, NULL},
8312 /* 0xd2 */ {NULL, NULL},
8313 /* 0xd3 */ {NULL, NULL},
8314 /* 0xd4 */ {NULL, NULL},
8315 /* 0xd5 */ {NULL, NULL},
8316 /* 0xd6 */ {NULL, NULL},
8317 /* 0xd7 */ {NULL, NULL},
8318 /* 0xd8 */ {NULL, NULL},
8319 /* 0xd9 */ {NULL, NULL},
8320 /* 0xda */ {NULL, NULL},
8321 /* 0xdb */ {NULL, NULL},
8322 /* 0xdc */ {NULL, NULL},
8323 /* 0xdd */ {NULL, NULL},
8324 /* 0xde */ {NULL, NULL},
8325 /* 0xdf */ {NULL, NULL},
8326 /* 0xe0 */ {NULL, NULL},
8327 /* 0xe1 */ {NULL, NULL},
8328 /* 0xe2 */ {NULL, NULL},
8329 /* 0xe3 */ {NULL, NULL},
8330 /* 0xe4 */ {NULL, NULL},
8331 /* 0xe5 */ {NULL, NULL},
8332 /* 0xe6 */ {NULL, NULL},
8333 /* 0xe7 */ {NULL, NULL},
8334 /* 0xe8 */ {NULL, NULL},
8335 /* 0xe9 */ {NULL, NULL},
8336 /* 0xea */ {NULL, NULL},
8337 /* 0xeb */ {NULL, NULL},
8338 /* 0xec */ {NULL, NULL},
8339 /* 0xed */ {NULL, NULL},
8340 /* 0xee */ {NULL, NULL},
8341 /* 0xef */ {NULL, NULL},
8342 /* 0xf0 */ {NULL, NULL},
8343 /* 0xf1 */ {NULL, NULL},
8344 /* 0xf2 */ {NULL, NULL},
8345 /* 0xf3 */ {NULL, NULL},
8346 /* 0xf4 */ {NULL, NULL},
8347 /* 0xf5 */ {NULL, NULL},
8348 /* 0xf6 */ {NULL, NULL},
8349 /* 0xf7 */ {NULL, NULL},
8350 /* 0xf8 */ {NULL, NULL},
8351 /* 0xf9 */ {NULL, NULL},
8352 /* 0xfa */ {NULL, NULL},
8353 /* 0xfb */ {NULL, NULL},
8354 /* 0xfc */ {NULL, NULL},
8355 /* 0xfd */ {NULL, NULL},
8356 /* 0xfe */ {NULL, NULL},
8357 /* 0xff */ {NULL, NULL},
/*
 * Value of the transform header's encryption-algorithm field that selects
 * AES-128-CCM. It is the only algorithm value the decryption path in
 * dissect_smb2_transform_header() compares sti->alg against.
 */
8361 #define ENC_ALG_aes128_ccm 0x0001
/*
 * Dissect the fields of an SMB2 transform (encryption) header and, when a
 * session key is available, decrypt the payload that follows it.
 *
 * tree:       tree the header fields are added to.
 * tvb/offset: buffer and position of the first field handled here (the
 *             signature).
 * sti:        receives the nonce, message size, algorithm id, session id and
 *             the session record found in sti->conv->sesids (NULL if none).
 * enc_tvb:    receives a subset tvb over the sti->size payload bytes.
 * plain_tvb:  set only when plain_data is non-NULL, i.e. when the decryption
 *             path produced a buffer.
 *
 * Notes for anyone relying on the decrypted output:
 * - sti->size, sti->alg and the nonce are copied from the packet. No visible
 *   line range-checks sti->size before it is used as a copy/cipher length
 *   and added to offset (an int) - TODO confirm the tvb helpers reject
 *   lengths beyond the captured data on every path, including the one
 *   where no key is available.
 * - The payload is run through AES-128 in CTR mode only. No visible line
 *   verifies the 16-byte transform signature, so the "Decrypted SMB3" data
 *   source is not integrity-checked; altered ciphertext would simply show
 *   up as altered plaintext.
 */
8364 dissect_smb2_transform_header(packet_info *pinfo _U_, proto_tree *tree,
8365 tvbuff_t *tvb, int offset,
8366 smb2_transform_info_t *sti,
8367 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
8369 proto_item *sesid_item = NULL;
8370 proto_tree *sesid_tree = NULL;
8371 smb2_sesid_info_t sesid_key;
8373 guint8 *plain_data = NULL;
8374 #ifdef HAVE_LIBGCRYPT
8375 guint8 *decryption_key = NULL;
8379 static const int *sf_fields[] = {
8380 &hf_smb2_encryption_aes128_ccm,
/* 16-byte signature: displayed, not otherwise read in the visible lines */
8388 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
/* 16-byte nonce, kept in sti->nonce for the counter block built below */
8392 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
8393 tvb_memcpy(tvb, sti->nonce, offset, 16);
/* payload length, taken from the packet as-is */
8397 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8398 sti->size = tvb_get_letohl(tvb, offset);
8402 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
/* encryption algorithm id, compared with ENC_ALG_aes128_ccm further down */
8406 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_enc_alg, ett_smb2_transform_enc_alg, sf_fields, ENC_LITTLE_ENDIAN);
8407 sti->alg = tvb_get_letohs(tvb, offset);
/* 8-byte session id; sesid_offset is remembered so generated items can point at it */
8411 sesid_offset = offset;
8412 sti->sesid = tvb_get_letoh64(tvb, offset);
8413 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8414 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
8417 /* now we need to first lookup the uid session */
8418 sesid_key.sesid = sti->sesid;
8419 sti->session = (smb2_sesid_info_t *)g_hash_table_lookup(sti->conv->sesids, &sesid_key);
/*
 * (guint32)-1 is the auth_frame value given to the placeholder session that
 * dissect_smb2_tid_sesid() creates, so the generated account, domain, host
 * and auth-frame items are added only for sessions that carry real values.
 */
8421 if (sti->session != NULL && sti->session->auth_frame != (guint32)-1) {
8422 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, sti->session->acct_name);
8423 PROTO_ITEM_SET_GENERATED(item);
8424 proto_item_append_text(sesid_item, " Acct:%s", sti->session->acct_name);
8426 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, sti->session->domain_name);
8427 PROTO_ITEM_SET_GENERATED(item);
8428 proto_item_append_text(sesid_item, " Domain:%s", sti->session->domain_name);
8430 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, sti->session->host_name);
8431 PROTO_ITEM_SET_GENERATED(item);
8432 proto_item_append_text(sesid_item, " Host:%s", sti->session->host_name);
8434 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, sti->session->auth_frame);
8435 PROTO_ITEM_SET_GENERATED(item);
8438 #ifdef HAVE_LIBGCRYPT
/*
 * Key selection by direction: a packet whose destination port equals the
 * session's server_port uses server_decryption_key; client_decryption_key
 * is assigned on the other path (presumably the else branch).
 */
8439 if (sti->session != NULL && sti->alg == ENC_ALG_aes128_ccm) {
8440 if (pinfo->destport == sti->session->server_port) {
8441 decryption_key = sti->session->server_decryption_key;
8443 decryption_key = sti->session->client_decryption_key;
/*
 * A key whose first 16 bytes equal `zeros` is treated as "no key available".
 * `zeros` is declared outside the lines shown - presumably a 16-byte zero
 * buffer.
 */
8446 if (memcmp(decryption_key, zeros, 16) == 0) {
8447 decryption_key = NULL;
8451 if (decryption_key != NULL) {
8452 gcry_cipher_hd_t cipher_hd = NULL;
/*
 * Initial counter block: first byte 3, last byte 1, with nonce bytes copied
 * in from index 1. This looks like the CCM counter-block layout for a
 * 4-byte length field - confirm against the SMB3 encryption spec.
 */
8454 3, 0, 0, 0, 0, 0, 0, 0,
8455 0, 0, 0, 0, 0, 0, 0, 1
/* only the first 11 (15 - 4) of the 16 stored nonce bytes are used */
8458 memcpy(&A_1[1], sti->nonce, 15 - 4);
/* work on a copy of the ciphertext allocated from pinfo->pool; sti->size is still the unchecked wire value here */
8460 plain_data = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, sti->size);
/* every failure path below frees the copy (closing the handle first once it is open) and jumps to done_decryption */
8462 /* Open the cipher. */
8463 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
8464 wmem_free(pinfo->pool, plain_data);
8466 goto done_decryption;
8469 /* Set the key and initial value. */
8470 if (gcry_cipher_setkey(cipher_hd, decryption_key, 16)) {
8471 gcry_cipher_close(cipher_hd);
8472 wmem_free(pinfo->pool, plain_data);
8474 goto done_decryption;
8476 if (gcry_cipher_setctr(cipher_hd, A_1, 16)) {
8477 gcry_cipher_close(cipher_hd);
8478 wmem_free(pinfo->pool, plain_data);
8480 goto done_decryption;
/*
 * In CTR mode encrypting and decrypting are the same keystream XOR, so
 * gcry_cipher_encrypt() with a NULL input buffer transforms plain_data in
 * place. Nothing here checks an authentication tag.
 */
8483 if (gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0)) {
8484 gcry_cipher_close(cipher_hd);
8485 wmem_free(pinfo->pool, plain_data);
8487 goto done_decryption;
8490 /* Done with the cipher. */
8491 gcry_cipher_close(cipher_hd);
/* enc_tvb covers the ciphertext whether or not decryption ran */
8495 *enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);
/* expose the decrypted copy as a child tvb and as its own data source */
8497 if (plain_data != NULL) {
8498 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
8499 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
/* step over the payload; NOTE(review): sti->size is added to an int offset without a visible range check */
8502 offset += sti->size;
/*
 * Add the per-command subtree and hand the command body to the request or
 * response dissector registered for si->opcode.
 *
 * tree:   parent tree for the command subtree.
 * tvb:    buffer being dissected.
 * offset: position of the command body.
 * si:     per-packet SMB2 state; si->opcode and si->flags select the label
 *         and the dissector.
 * The subtree item's length is set to the number of bytes consumed.
 *
 * NOTE(review): the subtree label comes from decode_smb2_name(), which
 * reports every opcode above 0xFF as "unknown", while the table lookup
 * masks the opcode to its low byte. si->opcode is read from the packet as a
 * 16-bit field, so an opcode such as 0x0100 is labelled "unknown" yet
 * dissected with entry 0x00. Treating opcodes above 0xFF as having no
 * dissector would keep the label and the dispatch consistent.
 */
8507 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
8509 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
8510 proto_item *cmd_item;
8511 proto_tree *cmd_tree;
8512 int old_offset = offset;
8514 cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
8515 ett_smb2_command, &cmd_item, "%s %s (0x%02x)",
8516 decode_smb2_name(si->opcode),
8517 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
8520 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
8521 smb2_dissector[si->opcode&0xff].response:
8522 smb2_dissector[si->opcode&0xff].request;
/* a NULL table member means no dissector is registered for this command and direction */
8523 if (cmd_dissector) {
8524 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
/* presumably the else branch: show the remaining bytes as hf_smb2_unknown and consume all captured data */
8526 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
8527 offset = tvb_captured_length(tvb);
8530 proto_item_set_len(cmd_item, offset-old_offset);
/*
 * Dissect the async id (or process id and tree id) and the session id from
 * the SMB2 header, and attach the session and tree records known for them.
 *
 * tree:   header tree the fields are added to.
 * tvb:    buffer being dissected.
 * offset: position of the first of these fields.
 * si:     per-packet SMB2 state. si->flags and si->opcode are read; si->tid,
 *         si->sesid, si->session and (for non-async commands) si->tree are
 *         set.
 * Returns early with the current offset when the session is unknown and the
 * command is not a Tree Connect, or when the tree id is unknown.
 *
 * A session id that is not in si->conv->sesids gets a placeholder record
 * only for opcode 0x03 (Tree Connect). The placeholder is marked with
 * auth_frame == (guint32)-1, which suppresses the generated account, domain
 * and host items below.
 *
 * NOTE(review): each unknown session id seen on a Tree Connect allocates a
 * file-scoped record plus a new GHashTable for its tree ids. The session id
 * comes from the packet, so a capture with many distinct ids grows this
 * state without a visible bound; where the tids table is released is not
 * visible in these lines.
 */
8536 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
8538 proto_item *tid_item = NULL;
8539 proto_tree *tid_tree = NULL;
8540 smb2_tid_info_t tid_key;
8542 proto_item *sesid_item = NULL;
8543 proto_tree *sesid_tree = NULL;
8544 smb2_sesid_info_t sesid_key;
/* async commands carry an 8-byte async id; the 4-byte process id and tree id are presumably read on the else path */
8549 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
8550 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8554 proto_tree_add_item(tree, hf_smb2_pid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8558 tid_offset = offset;
8559 si->tid = tvb_get_letohl(tvb, offset);
8560 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8561 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
/* 8-byte session id; sesid_offset is remembered so generated items can point at it */
8566 sesid_offset = offset;
8567 si->sesid = tvb_get_letoh64(tvb, offset);
8568 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8569 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
8572 /* now we need to first lookup the uid session */
8573 sesid_key.sesid = si->sesid;
8574 si->session = (smb2_sesid_info_t *)g_hash_table_lookup(si->conv->sesids, &sesid_key);
/* presumably inside a session-not-found check: only a Tree Connect (opcode 0x03) continues past this point */
8576 if (si->opcode != 0x03) return offset;
8578 /* if we come to a session that is unknown, and the operation is
8579 * a tree connect, we create a dummy session, so we can hang the
8582 si->session = wmem_new0(wmem_file_scope(), smb2_sesid_info_t);
8583 si->session->sesid = si->sesid;
8584 si->session->auth_frame = (guint32)-1;
8585 si->session->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
8586 g_hash_table_insert(si->conv->sesids, si->session, si->session);
8591 if (si->session->auth_frame != (guint32)-1) {
8592 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, si->session->acct_name);
8593 PROTO_ITEM_SET_GENERATED(item);
8594 proto_item_append_text(sesid_item, " Acct:%s", si->session->acct_name);
8596 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, si->session->domain_name);
8597 PROTO_ITEM_SET_GENERATED(item);
8598 proto_item_append_text(sesid_item, " Domain:%s", si->session->domain_name);
8600 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, si->session->host_name);
8601 PROTO_ITEM_SET_GENERATED(item);
8602 proto_item_append_text(sesid_item, " Host:%s", si->session->host_name);
8604 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, si->session->auth_frame);
8605 PROTO_ITEM_SET_GENERATED(item);
8608 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
8609 /* see if we can find the name for this tid */
8610 tid_key.tid = si->tid;
8611 si->tree = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
/* unknown tree id: nothing more to annotate */
8612 if (!si->tree) return offset;
/* generated items: share name, share type and the frame of the tree connect */
8614 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
8615 PROTO_ITEM_SET_GENERATED(item);
8616 proto_item_append_text(tid_item, " %s", si->tree->name);
8618 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
8619 PROTO_ITEM_SET_GENERATED(item);
8621 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
8622 PROTO_ITEM_SET_GENERATED(item);
8629 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
8631 gboolean smb2_transform_header = FALSE;
8632 proto_item *msg_id_item;
8633 proto_item *item = NULL;
8634 proto_tree *tree = NULL;
8635 proto_item *header_item = NULL;
8636 proto_tree *header_tree = NULL;
8638 int chain_offset = 0;
8639 const char *label = smb_header_label;
8640 conversation_t *conversation;
8641 smb2_saved_info_t *ssi = NULL, ssi_key;
8643 smb2_transform_info_t *sti;
8645 guint32 open_frame,close_frame;
8646 smb2_eo_file_info_t *eo_file_info;
8647 e_ctx_hnd *policy_hnd_hashtablekey;
8649 sti = wmem_new(wmem_packet_scope(), smb2_transform_info_t);
8650 si = wmem_new0(wmem_packet_scope(), smb2_info_t);
8651 si->top_tree = parent_tree;
8653 if (tvb_get_guint8(tvb, 0) == 0xfd) {
8654 smb2_transform_header = TRUE;
8655 label = smb_transform_header_label;
8657 /* find which conversation we are part of and get the data for that
8660 conversation = find_or_create_conversation(pinfo);
8661 si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
8663 /* no smb2_into_t structure for this conversation yet,
8666 si->conv = wmem_new(wmem_file_scope(), smb2_conv_info_t);
8667 /* qqq this leaks memory for now since we never free
8669 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
8670 smb2_saved_info_equal_matched);
8671 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
8672 smb2_saved_info_equal_unmatched);
8673 si->conv->sesids = g_hash_table_new(smb2_sesid_info_hash,
8674 smb2_sesid_info_equal);
8675 si->conv->fids = g_hash_table_new(smb2_fid_info_hash,
8676 smb2_fid_info_equal);
8677 si->conv->files = g_hash_table_new(smb2_eo_files_hash,smb2_eo_files_equal);
8679 /* Bit of a hack to avoid leaking the hash tables - register a
8680 * callback to free them. Ideally wmem would implement a simple
8681 * hash table so we wouldn't have to do this. */
8682 wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
8685 conversation_add_proto_data(conversation, proto_smb2, si->conv);
8688 sti->conv = si->conv;
8690 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
8691 if (first_in_chain) {
8693 col_clear(pinfo->cinfo, COL_INFO);
8695 col_append_str(pinfo->cinfo, COL_INFO, ";");
8698 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset, -1, ENC_NA);
8699 tree = proto_item_add_subtree(item, ett_smb2);
8701 header_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_header, &header_item, label);
8703 /* Decode the header */
8705 if (!smb2_transform_header) {
8707 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2, tvb, offset, 4, ENC_NA);
8710 /* we need the flags before we know how to parse the credits field */
8711 si->flags = tvb_get_letohl(tvb, offset+12);
8714 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8717 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
8718 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8722 if (si->flags & SMB2_FLAGS_RESPONSE) {
8723 si->status = tvb_get_letohl(tvb, offset);
8724 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8728 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8730 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8735 si->opcode = tvb_get_letohs(tvb, offset);
8736 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8740 if (si->flags & SMB2_FLAGS_RESPONSE) {
8741 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8743 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8749 static const int * flags[] = {
8750 &hf_smb2_flags_response,
8751 &hf_smb2_flags_async_cmd,
8752 &hf_smb2_flags_chained,
8753 &hf_smb2_flags_signature,
8754 &hf_smb2_flags_priority_mask,
8755 &hf_smb2_flags_dfs_op,
8756 &hf_smb2_flags_replay_operation,
8760 proto_tree_add_bitmask(header_tree, tvb, offset, hf_smb2_flags,
8761 ett_smb2_flags, flags, ENC_LITTLE_ENDIAN);
8767 chain_offset = tvb_get_letohl(tvb, offset);
8768 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_BIG_ENDIAN);
8772 si->msg_id = tvb_get_letoh64(tvb, offset);
8773 ssi_key.msg_id = si->msg_id;
8774 msg_id_item = proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8775 if (msg_id_item && (si->msg_id == G_GUINT64_CONSTANT(0xFFFFFFFFFFFFFFFF))) {
8776 proto_item_append_text(msg_id_item, " (unsolicited response)");
8780 /* Tree ID and Session ID */
8781 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
8784 proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
8787 proto_item_set_len(header_item, offset);
8790 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
8791 decode_smb2_name(si->opcode),
8792 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
8795 pinfo->cinfo, COL_INFO, ", Error: %s",
8796 val_to_str_ext(si->status, &NT_errors_ext,
8797 "Unknown (0x%08X)"));
8801 if (!pinfo->fd->flags.visited) {
8802 /* see if we can find this msg_id in the unmatched table */
8803 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
8805 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
8806 /* This is a request */
8808 /* this is a request and we already found
8809 * an older ssi so just delete the previous
8812 g_hash_table_remove(si->conv->unmatched, ssi);
8817 /* no we couldn't find it, so just add it then
8818 * if was a request we are decoding
8820 ssi = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
8821 ssi->msg_id = ssi_key.msg_id;
8822 ssi->frame_req = pinfo->num;
8823 ssi->req_time = pinfo->abs_ts;
8824 ssi->extra_info_type = SMB2_EI_NONE;
8825 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
8828 /* This is a response */
8829 if (!((si->flags & SMB2_FLAGS_ASYNC_CMD)
8830 && si->status == NT_STATUS_PENDING)
8832 /* just set the response frame and move it to the matched table */
8833 ssi->frame_res = pinfo->num;
8834 g_hash_table_remove(si->conv->unmatched, ssi);
8835 g_hash_table_insert(si->conv->matched, ssi, ssi);
8839 /* see if we can find this msg_id in the matched table */
8840 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
8841 /* if we couldn't find it in the matched table, it might still
8842 * be in the unmatched table
8845 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
8850 if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
8851 /* If needed, create the file entry and save the policy hnd */
8852 if (!si->eo_file_info) {
8854 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&ssi->policy_hnd);
8855 if (!eo_file_info) { /* XXX This should never happen */
8857 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
8858 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
8859 memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
8860 eo_file_info->end_of_file=0;
8861 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
8863 si->eo_file_info=eo_file_info;
8868 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
8869 if (ssi->frame_res) {
8870 proto_item *tmp_item;
8871 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
8872 PROTO_ITEM_SET_GENERATED(tmp_item);
8875 if (ssi->frame_req) {
8876 proto_item *tmp_item;
8879 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
8880 PROTO_ITEM_SET_GENERATED(tmp_item);
8882 nstime_delta(&deltat, &t, &ssi->req_time);
8883 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
8885 PROTO_ITEM_SET_GENERATED(tmp_item);
8888 if (si->file != NULL) {
8889 ssi->file = si->file;
8891 si->file = ssi->file;
8894 /* if we don't have ssi yet we must fake it */
8898 tap_queue_packet(smb2_tap, pinfo, si);
8900 /* Decode the payload */
8901 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
8903 proto_tree *enc_tree;
8904 tvbuff_t *enc_tvb = NULL;
8905 tvbuff_t *plain_tvb = NULL;
8907 /* SMB2_TRANSFORM marker */
8908 proto_tree_add_item(header_tree, hf_smb2_server_component_smb2_transform, tvb, offset, 4, ENC_NA);
8911 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
8912 &enc_tvb, &plain_tvb);
8914 enc_tree = proto_tree_add_subtree(tree, enc_tvb, 0, sti->size, ett_smb2_encrypted, NULL, "Encrypted SMB3 data");
8915 if (plain_tvb != NULL) {
8916 col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
8917 dissect_smb2(plain_tvb, pinfo, enc_tree, FALSE);
8919 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
8920 proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
8921 enc_tvb, 0, sti->size, ENC_NA);
8924 if (tvb_reported_length_remaining(tvb, offset) > 0) {
8925 chain_offset = offset;
8929 if (chain_offset > 0) {
8932 proto_item_set_len(item, chain_offset);
8934 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
8935 offset = dissect_smb2(next_tvb, pinfo, parent_tree, FALSE);
/*
 * Heuristic entry point: decide from the first four bytes whether this
 * buffer should be handed to the SMB2 dissector.
 *
 * tvb         - buffer to inspect; its contents come straight from the
 *               capture and are not trusted.
 * pinfo       - packet info, passed through to dissect_smb2().
 * parent_tree - protocol tree, passed through to dissect_smb2().
 * data        - unused.
 *
 * Returns FALSE when the buffer does not carry the expected marker and TRUE
 * once dissect_smb2() has been called on it.
 * NOTE(review): the return type and the return statements are not visible in
 * this listing; gboolean with FALSE/TRUE is assumed from how the rest of the
 * file uses those values - confirm against the full file.
 */
static gboolean
dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
{
	/* All four marker bytes must be captured before any of them is read. */
	if (tvb_captured_length(tvb) < 4) {
		return FALSE;
	}

	/*
	 * The first byte has two accepted values (presumably the plain SMB2
	 * header and the transform header handled in dissect_smb2 - confirm).
	 */
	switch (tvb_get_guint8(tvb, 0)) {
	case 0xfe:
	case 0xfd:
		break;
	default:
		return FALSE;
	}

	/* The remaining three bytes must spell "SMB". */
	if (tvb_get_guint8(tvb, 1) != 'S') {
		return FALSE;
	}
	if (tvb_get_guint8(tvb, 2) != 'M') {
		return FALSE;
	}
	if (tvb_get_guint8(tvb, 3) != 'B') {
		return FALSE;
	}

	/*
	 * A four-byte match is the only gate applied here, and the value
	 * returned by dissect_smb2() is not inspected, so every further
	 * length and field check has to happen inside dissect_smb2().
	 */
	dissect_smb2(tvb, pinfo, parent_tree, TRUE);

	return TRUE;
}
8962 proto_register_smb2(void)
8964 module_t *smb2_module;
8965 static hf_register_info hf[] = {
8967 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
8968 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }
8971 { &hf_smb2_response_to,
8972 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
8973 NULL, 0, "This packet is a response to the packet in this frame", HFILL }
8976 { &hf_smb2_response_in,
8977 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
8978 NULL, 0, "The response to this packet is in this packet", HFILL }
8982 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
8983 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }
8986 { &hf_smb2_header_len,
8987 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
8988 NULL, 0, "SMB2 Size of Header", HFILL }
8991 { &hf_smb2_nt_status,
8992 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
8993 &NT_errors_ext, 0, "NT Status code", HFILL }
8997 { "Message ID", "smb2.msg_id", FT_UINT64, BASE_DEC,
8998 NULL, 0, "SMB2 Message ID", HFILL }
9002 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
9003 NULL, 0, "SMB2 Tree Id", HFILL }
9007 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
9008 NULL, 0, "SMB2 Async Id", HFILL }
9012 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
9013 NULL, 0, "SMB2 Session Id", HFILL }
9016 { &hf_smb2_previous_sesid,
9017 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
9018 NULL, 0, "SMB2 Previous Session Id", HFILL }
9021 { &hf_smb2_chain_offset,
9022 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
9023 NULL, 0, "SMB2 Chain Offset", HFILL }
9026 { &hf_smb2_end_of_file,
9027 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
9028 NULL, 0, "SMB2 End Of File/File size", HFILL }
9032 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
9033 NULL, 0, "Number of links to this object", HFILL }
9037 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
9038 NULL, 0, "SMB2 File Id", HFILL }
9041 { &hf_smb2_allocation_size,
9042 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
9043 NULL, 0, "SMB2 Allocation Size for this object", HFILL }
9046 { &hf_smb2_max_response_size,
9047 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
9048 NULL, 0, "SMB2 Maximum response size", HFILL }
9051 { &hf_smb2_getinfo_size,
9052 { "Getinfo Size", "smb2.getinfo_size", FT_UINT32, BASE_DEC,
9053 NULL, 0, "SMB2 getinfo size", HFILL }
9056 { &hf_smb2_getinfo_offset,
9057 { "Getinfo Offset", "smb2.getinfo_offset", FT_UINT16, BASE_HEX,
9058 NULL, 0, "SMB2 getinfo offset", HFILL }
9061 { &hf_smb2_getinfo_additional,
9062 { "Additional Info", "smb2.getinfo_additional", FT_UINT32, BASE_HEX,
9063 NULL, 0, "SMB2 getinfo additional info", HFILL }
9066 { &hf_smb2_getinfo_flags,
9067 { "Flags", "smb2.getinfo_flags", FT_UINT32, BASE_HEX,
9068 NULL, 0, "SMB2 getinfo flags", HFILL }
9071 { &hf_smb2_setinfo_size,
9072 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
9073 NULL, 0, "SMB2 setinfo size", HFILL }
9076 { &hf_smb2_setinfo_offset,
9077 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
9078 NULL, 0, "SMB2 setinfo offset", HFILL }
9081 { &hf_smb2_max_ioctl_out_size,
9082 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
9083 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }
9086 { &hf_smb2_max_ioctl_in_size,
9087 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
9088 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }
9091 { &hf_smb2_required_buffer_size,
9092 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
9093 NULL, 0, "SMB2 required buffer size", HFILL }
9097 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
9098 NULL, 0, "SMB2 Process Id", HFILL }
9102 /* SMB2 header flags */
9104 { "Flags", "smb2.flags", FT_UINT32, BASE_HEX,
9105 NULL, 0, "SMB2 flags", HFILL }
9108 { &hf_smb2_flags_response,
9109 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
9110 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }
9113 { &hf_smb2_flags_async_cmd,
9114 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
9115 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }
9118 { &hf_smb2_flags_dfs_op,
9119 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
9120 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }
9123 { &hf_smb2_flags_chained,
9124 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
9125 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }
9127 { &hf_smb2_flags_signature,
9128 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
9129 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }
9132 { &hf_smb2_flags_replay_operation,
9133 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
9134 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }
9137 { &hf_smb2_flags_priority_mask,
9138 { "Priority", "smb2.flags.priority_mask", FT_BOOLEAN, 32,
9139 TFS(&tfs_flags_priority_mask), SMB2_FLAGS_PRIORITY_MASK, "Priority Mask", HFILL }
9143 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
9144 NULL, 0, "Name of the Tree/Share", HFILL }
9147 { &hf_smb2_filename,
9148 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
9149 NULL, 0, "Name of the file", HFILL }
9152 { &hf_smb2_filename_len,
9153 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
9154 NULL, 0, "Length of the file name", HFILL }
9157 { &hf_smb2_replace_if,
9158 { "Replace If", "smb2.rename.replace_if", FT_BOOLEAN, 8,
9159 TFS(&tfs_replace_if_exists), 0xFF, "Whether to replace if the target exists", HFILL }
9162 { &hf_smb2_data_offset,
9163 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
9164 NULL, 0, "Offset to data", HFILL }
9167 { &hf_smb2_find_info_level,
9168 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
9169 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }
9171 { &hf_smb2_find_flags,
9172 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
9173 NULL, 0, NULL, HFILL }
9176 { &hf_smb2_find_pattern,
9177 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
9178 NULL, 0, "Find pattern", HFILL }
9181 { &hf_smb2_find_info_blob,
9182 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
9183 NULL, 0, "Find Info", HFILL }
9187 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
9188 NULL, 0, "Size of EA data", HFILL }
9192 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
9193 VALS(smb2_class_vals), 0, "Info class", HFILL }
9196 { &hf_smb2_infolevel,
9197 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
9198 NULL, 0, NULL, HFILL }
9201 { &hf_smb2_infolevel_file_info,
9202 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9203 &smb2_file_info_levels_ext, 0, "File_Info Infolevel", HFILL }
9206 { &hf_smb2_infolevel_fs_info,
9207 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9208 &smb2_fs_info_levels_ext, 0, "Fs_Info Infolevel", HFILL }
9211 { &hf_smb2_infolevel_sec_info,
9212 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9213 &smb2_sec_info_levels_ext, 0, "Sec_Info Infolevel", HFILL }
9216 { &hf_smb2_infolevel_posix_info,
9217 { "InfoLevel", "smb2.posix_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
9218 &smb2_posix_info_levels_ext, 0, "Posix_Info Infolevel", HFILL }
9221 { &hf_smb2_write_length,
9222 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
9223 NULL, 0, "Amount of data to write", HFILL }
9226 { &hf_smb2_read_length,
9227 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
9228 NULL, 0, "Amount of data to read", HFILL }
9231 { &hf_smb2_read_remaining,
9232 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
9233 NULL, 0, NULL, HFILL }
9236 { &hf_smb2_create_flags,
9237 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
9238 NULL, 0, NULL, HFILL }
9241 { &hf_smb2_file_offset,
9242 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
9243 NULL, 0, NULL, HFILL }
9246 { &hf_smb2_fsctl_range_offset,
9247 { "File Offset", "smb2.fsctl.range_offset", FT_UINT64, BASE_DEC,
9248 NULL, 0, NULL, HFILL }
9251 { &hf_smb2_fsctl_range_length,
9252 { "Length", "smb2.fsctl.range_length", FT_UINT64, BASE_DEC,
9253 NULL, 0, NULL, HFILL }
9256 { &hf_smb2_qfr_length,
9257 { "Length", "smb2.qfr_length", FT_UINT64, BASE_DEC,
9258 NULL, 0, NULL, HFILL }
9261 { &hf_smb2_qfr_usage,
9262 { "Desired Usage", "smb2.qfr_usage", FT_UINT32, BASE_HEX,
9263 VALS(file_region_usage_vals), 0, NULL, HFILL }
9266 { &hf_smb2_qfr_flags,
9267 { "Flags", "smb2.qfr_flags", FT_UINT32, BASE_HEX,
9268 NULL, 0, NULL, HFILL }
9271 { &hf_smb2_qfr_total_region_entry_count,
9272 { "Total Region Entry Count", "smb2.qfr_tot_region_entry_count", FT_UINT32, BASE_HEX,
9273 NULL, 0, NULL, HFILL }
9276 { &hf_smb2_qfr_region_entry_count,
9277 { "Region Entry Count", "smb2.qfr_region_entry_count", FT_UINT32, BASE_HEX,
9278 NULL, 0, NULL, HFILL }
9281 { &hf_smb2_security_blob,
9282 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
9283 NULL, 0, NULL, HFILL }
9286 { &hf_smb2_ioctl_out_data,
9287 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
9288 NULL, 0, "Ioctl Out", HFILL }
9291 { &hf_smb2_ioctl_in_data,
9292 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
9293 NULL, 0, "Ioctl In", HFILL }
9296 { &hf_smb2_server_guid,
9297 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
9298 NULL, 0, NULL, HFILL }
9301 { &hf_smb2_client_guid,
9302 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
9303 NULL, 0, NULL, HFILL }
9306 { &hf_smb2_object_id,
9307 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
9308 NULL, 0, "ObjectID for this FID", HFILL }
9311 { &hf_smb2_birth_volume_id,
9312 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
9313 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }
9316 { &hf_smb2_birth_object_id,
9317 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
9318 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }
9321 { &hf_smb2_domain_id,
9322 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
9323 NULL, 0, NULL, HFILL }
9326 { &hf_smb2_create_timestamp,
9327 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9328 NULL, 0, "Time when this object was created", HFILL }
9332 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
9333 NULL, 0, "SMB2 File Id", HFILL }
9336 { &hf_smb2_write_data,
9337 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
9338 NULL, 0, "SMB2 Data to be written", HFILL }
9341 { &hf_smb2_write_flags,
9342 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
9343 NULL, 0, NULL, HFILL }
9346 { &hf_smb2_write_flags_write_through,
9347 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
9348 NULL, SMB2_WRITE_FLAG_WRITE_THROUGH, NULL, HFILL }
9351 { &hf_smb2_write_count,
9352 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
9353 NULL, 0, NULL, HFILL }
9356 { &hf_smb2_write_remaining,
9357 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
9358 NULL, 0, NULL, HFILL }
9361 { &hf_smb2_read_data,
9362 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
9363 NULL, 0, "SMB2 Data that is read", HFILL }
9366 { &hf_smb2_last_access_timestamp,
9367 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9368 NULL, 0, "Time when this object was last accessed", HFILL }
9371 { &hf_smb2_last_write_timestamp,
9372 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9373 NULL, 0, "Time when this object was last written to", HFILL }
9376 { &hf_smb2_last_change_timestamp,
9377 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9378 NULL, 0, "Time when this object was last changed", HFILL }
9381 { &hf_smb2_file_all_info,
9382 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
9383 NULL, 0, "SMB2_FILE_ALL_INFO structure", HFILL }
9386 { &hf_smb2_file_allocation_info,
9387 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
9388 NULL, 0, "SMB2_FILE_ALLOCATION_INFO structure", HFILL }
9391 { &hf_smb2_file_endoffile_info,
9392 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
9393 NULL, 0, "SMB2_FILE_ENDOFFILE_INFO structure", HFILL }
9396 { &hf_smb2_file_alternate_name_info,
9397 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
9398 NULL, 0, "SMB2_FILE_ALTERNATE_NAME_INFO structure", HFILL }
9401 { &hf_smb2_file_stream_info,
9402 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
9403 NULL, 0, "SMB2_FILE_STREAM_INFO structure", HFILL }
9406 { &hf_smb2_file_pipe_info,
9407 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
9408 NULL, 0, "SMB2_FILE_PIPE_INFO structure", HFILL }
9411 { &hf_smb2_file_compression_info,
9412 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
9413 NULL, 0, "SMB2_FILE_COMPRESSION_INFO structure", HFILL }
9416 { &hf_smb2_file_basic_info,
9417 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
9418 NULL, 0, "SMB2_FILE_BASIC_INFO structure", HFILL }
9421 { &hf_smb2_file_standard_info,
9422 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
9423 NULL, 0, "SMB2_FILE_STANDARD_INFO structure", HFILL }
9426 { &hf_smb2_file_internal_info,
9427 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
9428 NULL, 0, "SMB2_FILE_INTERNAL_INFO structure", HFILL }
9431 { &hf_smb2_file_mode_info,
9432 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
9433 NULL, 0, "SMB2_FILE_MODE_INFO structure", HFILL }
9436 { &hf_smb2_file_alignment_info,
9437 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
9438 NULL, 0, "SMB2_FILE_ALIGNMENT_INFO structure", HFILL }
9441 { &hf_smb2_file_position_info,
9442 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
9443 NULL, 0, "SMB2_FILE_POSITION_INFO structure", HFILL }
9446 { &hf_smb2_file_access_info,
9447 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
9448 NULL, 0, "SMB2_FILE_ACCESS_INFO structure", HFILL }
9451 { &hf_smb2_file_ea_info,
9452 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
9453 NULL, 0, "SMB2_FILE_EA_INFO structure", HFILL }
9456 { &hf_smb2_file_network_open_info,
9457 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
9458 NULL, 0, "SMB2_FILE_NETWORK_OPEN_INFO structure", HFILL }
9461 { &hf_smb2_file_attribute_tag_info,
9462 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
9463 NULL, 0, "SMB2_FILE_ATTRIBUTE_TAG_INFO structure", HFILL }
9466 { &hf_smb2_file_disposition_info,
9467 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
9468 NULL, 0, "SMB2_FILE_DISPOSITION_INFO structure", HFILL }
9471 { &hf_smb2_file_full_ea_info,
9472 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
9473 NULL, 0, "SMB2_FILE_FULL_EA_INFO structure", HFILL }
9476 { &hf_smb2_file_rename_info,
9477 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
9478 NULL, 0, "SMB2_FILE_RENAME_INFO structure", HFILL }
9481 { &hf_smb2_fs_info_01,
9482 { "SMB2_FS_INFO_01", "smb2.fs_info_01", FT_NONE, BASE_NONE,
9483 NULL, 0, "SMB2_FS_INFO_01 structure", HFILL }
9486 { &hf_smb2_fs_info_03,
9487 { "SMB2_FS_INFO_03", "smb2.fs_info_03", FT_NONE, BASE_NONE,
9488 NULL, 0, "SMB2_FS_INFO_03 structure", HFILL }
9491 { &hf_smb2_fs_info_04,
9492 { "SMB2_FS_INFO_04", "smb2.fs_info_04", FT_NONE, BASE_NONE,
9493 NULL, 0, "SMB2_FS_INFO_04 structure", HFILL }
9496 { &hf_smb2_fs_info_05,
9497 { "SMB2_FS_INFO_05", "smb2.fs_info_05", FT_NONE, BASE_NONE,
9498 NULL, 0, "SMB2_FS_INFO_05 structure", HFILL }
9501 { &hf_smb2_fs_info_06,
9502 { "SMB2_FS_INFO_06", "smb2.fs_info_06", FT_NONE, BASE_NONE,
9503 NULL, 0, "SMB2_FS_INFO_06 structure", HFILL }
9506 { &hf_smb2_fs_info_07,
9507 { "SMB2_FS_INFO_07", "smb2.fs_info_07", FT_NONE, BASE_NONE,
9508 NULL, 0, "SMB2_FS_INFO_07 structure", HFILL }
9511 { &hf_smb2_fs_objectid_info,
9512 { "SMB2_FS_OBJECTID_INFO", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
9513 NULL, 0, "SMB2_FS_OBJECTID_INFO structure", HFILL }
9516 { &hf_smb2_sec_info_00,
9517 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
9518 NULL, 0, "SMB2_SEC_INFO_00 structure", HFILL }
9521 { &hf_smb2_quota_info,
9522 { "SMB2_QUOTA_INFO", "smb2.quota_info", FT_NONE, BASE_NONE,
9523 NULL, 0, "SMB2_QUOTA_INFO structure", HFILL }
9526 { &hf_smb2_query_quota_info,
9527 { "SMB2_QUERY_QUOTA_INFO", "smb2.query_quota_info", FT_NONE, BASE_NONE,
9528 NULL, 0, "SMB2_QUERY_QUOTA_INFO structure", HFILL }
9531 { &hf_smb2_qq_single,
9532 { "ReturnSingle", "smb2.query_quota_info.single", FT_BOOLEAN, 8,
9533 NULL, 0xff, NULL, HFILL }
9536 { &hf_smb2_qq_restart,
9537 { "RestartScan", "smb2.query_quota_info.restart", FT_BOOLEAN, 8,
9538 NULL, 0xff, NULL, HFILL }
9541 { &hf_smb2_qq_sidlist_len,
9542 { "SidListLength", "smb2.query_quota_info.sidlistlen", FT_UINT32, BASE_DEC,
9543 NULL, 0, NULL, HFILL }
9546 { &hf_smb2_qq_start_sid_len,
9547 { "StartSidLength", "smb2.query_quota_info.startsidlen", FT_UINT32, BASE_DEC,
9548 NULL, 0, NULL, HFILL }
9551 { &hf_smb2_qq_start_sid_offset,
9552 { "StartSidOffset", "smb2.query_quota_info.startsidoffset", FT_UINT32, BASE_DEC,
9553 NULL, 0, NULL, HFILL }
9556 { &hf_smb2_disposition_delete_on_close,
9557 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
9558 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }
9562 { &hf_smb2_create_disposition,
9563 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
9564 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }
9567 { &hf_smb2_create_action,
9568 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
9569 VALS(oa_open_vals), 0, NULL, HFILL }
9572 { &hf_smb2_create_rep_flags,
9573 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
9574 NULL, 0, NULL, HFILL }
9577 { &hf_smb2_create_rep_flags_reparse_point,
9578 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
9579 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }
9582 { &hf_smb2_extrainfo,
9583 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
9584 NULL, 0, "Create ExtraInfo", HFILL }
9587 { &hf_smb2_create_chain_offset,
9588 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
9589 NULL, 0, "Offset to next entry in chain or 0", HFILL }
9592 { &hf_smb2_create_chain_data,
9593 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
9594 NULL, 0, "Chain Data", HFILL }
9597 { &hf_smb2_FILE_OBJECTID_BUFFER,
9598 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
9599 NULL, 0, "A FILE_OBJECTID_BUFFER structure", HFILL }
9602 { &hf_smb2_lease_key,
9603 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
9604 NULL, 0, NULL, HFILL }
9607 { &hf_smb2_lease_state,
9608 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
9609 NULL, 0, NULL, HFILL }
9612 { &hf_smb2_lease_state_read_caching,
9613 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
9614 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }
9617 { &hf_smb2_lease_state_handle_caching,
9618 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
9619 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }
9622 { &hf_smb2_lease_state_write_caching,
9623 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
9624 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }
9627 { &hf_smb2_lease_flags,
9628 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
9629 NULL, 0, NULL, HFILL }
9632 { &hf_smb2_lease_flags_break_ack_required,
9633 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
9634 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }
9637 { &hf_smb2_lease_flags_break_in_progress,
9638 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
9639 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }
9642 { &hf_smb2_lease_flags_parent_lease_key_set,
9643 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
9644 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }
9647 { &hf_smb2_lease_duration,
9648 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
9649 NULL, 0, NULL, HFILL }
9652 { &hf_smb2_parent_lease_key,
9653 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
9654 NULL, 0, NULL, HFILL }
9657 { &hf_smb2_lease_epoch,
9658 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16, BASE_HEX,
9659 NULL, 0, NULL, HFILL }
9662 { &hf_smb2_lease_reserved,
9663 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16, BASE_HEX,
9664 NULL, 0, NULL, HFILL }
9667 { &hf_smb2_lease_break_reason,
9668 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
9669 NULL, 0, NULL, HFILL }
9672 { &hf_smb2_lease_access_mask_hint,
9673 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
9674 NULL, 0, NULL, HFILL }
9677 { &hf_smb2_lease_share_mask_hint,
9678 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
9679 NULL, 0, NULL, HFILL }
9682 { &hf_smb2_next_offset,
9683 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
9684 NULL, 0, "Offset to next buffer or 0", HFILL }
9687 { &hf_smb2_negotiate_context_type,
9688 { "Type", "smb2.negotiate_context.type", FT_UINT16, BASE_HEX,
9689 VALS(smb2_negotiate_context_types), 0, "NegotiateContext Type", HFILL }
9692 { &hf_smb2_negotiate_context_data_length,
9693 { "DataLength", "smb2.negotiate_context.data_length", FT_UINT16, BASE_DEC,
9694 NULL, 0, "NegotiateContext DataLength", HFILL }
9697 { &hf_smb2_negotiate_context_offset,
9698 { "NegotiateContextOffset", "smb2.negotiate_context.offset", FT_UINT16, BASE_HEX,
9699 NULL, 0, "NegotiateContext Offset", HFILL }
9702 { &hf_smb2_negotiate_context_count,
9703 { "NegotiateContextCount", "smb2.negotiate_context.count", FT_UINT16, BASE_DEC,
9704 NULL, 0, "NegotiateContext Count", HFILL }
9707 { &hf_smb2_current_time,
9708 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9709 NULL, 0, "Current Time at server", HFILL }
9712 { &hf_smb2_boot_time,
9713 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9714 NULL, 0, "Boot Time at server", HFILL }
9717 { &hf_smb2_ea_flags,
9718 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
9719 NULL, 0, NULL, HFILL }
9722 { &hf_smb2_ea_name_len,
9723 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
9724 NULL, 0, NULL, HFILL }
9727 { &hf_smb2_ea_data_len,
9728 { "EA Data Length", "smb2.ea.data_len", FT_UINT16, BASE_DEC,
9729 NULL, 0, NULL, HFILL }
9732 { &hf_smb2_delete_pending,
9733 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
9734 NULL, 0, NULL, HFILL }
9737 { &hf_smb2_is_directory,
9738 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
9739 NULL, 0, "Is this a directory?", HFILL }
9743 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
9744 VALS(oplock_vals), 0, "Oplock type", HFILL }
9747 { &hf_smb2_close_flags,
9748 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
9749 NULL, 0, NULL, HFILL }
9752 { &hf_smb2_notify_flags,
9753 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
9754 NULL, 0, NULL, HFILL }
9757 { &hf_smb2_buffer_code,
9758 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
9759 NULL, 0, NULL, HFILL }
9762 { &hf_smb2_buffer_code_len,
9763 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
9764 NULL, 0xFFFE, "Length of fixed portion of PDU", HFILL }
9767 { &hf_smb2_olb_length,
9768 { "Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
9769 NULL, 0, "Length of the buffer", HFILL }
9772 { &hf_smb2_olb_offset,
9773 { "Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
9774 NULL, 0, "Offset to the buffer", HFILL }
9777 { &hf_smb2_buffer_code_flags_dyn,
9778 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
9779 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }
9783 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE,
9784 NULL, 0, NULL, HFILL }
9788 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
9789 NULL, 0, NULL, HFILL }
9792 { &hf_smb2_impersonation_level,
9793 { "Impersonation", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
9794 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }
9797 { &hf_smb2_ioctl_function,
9798 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9799 &smb2_ioctl_vals_ext, 0, "Ioctl function", HFILL }
9802 { &hf_smb2_ioctl_function_device,
9803 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9804 &smb2_ioctl_device_vals_ext, 0xffff0000, "Device for Ioctl", HFILL }
9807 { &hf_smb2_ioctl_function_access,
9808 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
9809 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }
9812 { &hf_smb2_ioctl_function_function,
9813 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
9814 NULL, 0x00003ffc, "Function for Ioctl", HFILL }
9817 { &hf_smb2_ioctl_function_method,
9818 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
9819 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }
9822 { &hf_smb2_fsctl_pipe_wait_timeout,
9823 { "Timeout", "smb2.fsctl.wait.timeout", FT_INT64, BASE_DEC,
9824 NULL, 0, "Wait timeout", HFILL }
9827 { &hf_smb2_fsctl_pipe_wait_name,
9828 { "Name", "smb2.fsctl.wait.name", FT_STRING, BASE_NONE,
9829 NULL, 0, "Pipe name", HFILL }
9832 { &hf_smb2_fsctl_odx_token_type,
9833 { "TokenType", "smb2.fsctl.odx.token.type", FT_UINT32, BASE_HEX,
9834 NULL, 0, "Token Type", HFILL }
9837 { &hf_smb2_fsctl_odx_token_idlen,
9838 { "TokenIdLength", "smb2.fsctl.odx.token.idlen", FT_UINT16, BASE_DEC,
9839 NULL, 0, "Token ID Length", HFILL }
9842 { &hf_smb2_fsctl_odx_token_idraw,
9843 { "TokenId", "smb2.fsctl.odx.token.id", FT_BYTES, BASE_NONE,
9844 NULL, 0, "Token ID (opaque)", HFILL }
9847 { &hf_smb2_fsctl_odx_token_ttl,
9848 { "TokenTimeToLive", "smb2.fsctl.odx.token_ttl", FT_UINT32, BASE_DEC,
9849 NULL, 0, "TTL requested for the token (in milliseconds)", HFILL }
9852 { &hf_smb2_fsctl_odx_size,
9853 { "Size", "smb2.fsctl.odx.size", FT_UINT32, BASE_DEC,
9854 NULL, 0, "Size of this data element", HFILL }
9857 { &hf_smb2_fsctl_odx_flags,
9858 { "Flags", "smb2.fsctl.odx.flags", FT_UINT32, BASE_HEX,
9859 NULL, 0, "Flags for this operation", HFILL }
9862 { &hf_smb2_fsctl_odx_file_offset,
9863 { "FileOffset", "smb2.fsctl.odx.file_offset", FT_UINT64, BASE_DEC,
9864 NULL, 0, "File offset", HFILL }
9867 { &hf_smb2_fsctl_odx_copy_length,
9868 { "CopyLength", "smb2.fsctl.odx.copy_length", FT_UINT64, BASE_DEC,
9869 NULL, 0, "Copy length", HFILL }
9872 { &hf_smb2_fsctl_odx_xfer_length,
9873 { "TransferLength", "smb2.fsctl.odx.xfer_length", FT_UINT64, BASE_DEC,
9874 NULL, 0, "Length Transferred", HFILL }
9877 { &hf_smb2_fsctl_odx_token_offset,
9878 { "TokenOffset", "smb2.fsctl.odx.token_offset", FT_UINT64, BASE_DEC,
9879 NULL, 0, "Token Offset (relative to start of token)", HFILL }
9882 { &hf_smb2_fsctl_sparse_flag,
9883 { "SetSparse", "smb2.fsctl.set_sparse", FT_BOOLEAN, 8,
9884 NULL, 0xFF, NULL, HFILL }
9887 { &hf_smb2_ioctl_resiliency_timeout,
9888 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
9889 NULL, 0, "Resiliency timeout", HFILL }
9892 { &hf_smb2_ioctl_resiliency_reserved,
9893 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
9894 NULL, 0, "Resiliency reserved", HFILL }
9897 { &hf_smb2_ioctl_shared_virtual_disk_support,
9898 { "SharedVirtualDiskSupport", "smb2.ioctl.function.shared_virtual_disk_support", FT_UINT32, BASE_HEX,
9899 VALS(smb2_ioctl_shared_virtual_disk_vals), 0, "Supported shared capabilities", HFILL }
9902 { &hf_smb2_ioctl_shared_virtual_disk_handle_state,
9903 { "SharedVirtualDiskHandleState", "smb2.ioctl.function.shared_virtual_disk_handle_state", FT_UINT32, BASE_HEX,
9904 VALS(smb2_ioctl_shared_virtual_disk_hstate_vals), 0, "State of shared disk handle", HFILL }
9907 { &hf_windows_sockaddr_family,
9908 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
9909 NULL, 0, "The socket address family (on windows)", HFILL }
9912 { &hf_windows_sockaddr_port,
9913 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
9914 NULL, 0, "The socket address port", HFILL }
9917 { &hf_windows_sockaddr_in_addr,
9918 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
9919 NULL, 0, "The IPv4 address", HFILL }
9922 { &hf_windows_sockaddr_in6_flowinfo,
9923 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
9924 NULL, 0, "The socket IPv6 flow info", HFILL }
9927 { &hf_windows_sockaddr_in6_addr,
9928 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
9929 NULL, 0, "The IPv6 address", HFILL }
9932 { &hf_windows_sockaddr_in6_scope_id,
9933 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
9934 NULL, 0, "The socket IPv6 scope id", HFILL }
9937 { &hf_smb2_ioctl_network_interface_next_offset,
9938 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
9939 NULL, 0, "Offset to next entry in chain or 0", HFILL }
9942 { &hf_smb2_ioctl_network_interface_index,
9943 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
9944 NULL, 0, "The index of the interface", HFILL }
9947 { &hf_smb2_ioctl_network_interface_rss_queue_count,
9948 { "RSS Queue Count", "smb2.ioctl.network_interfaces.rss_queue_count", FT_UINT32, BASE_DEC,
9949 NULL, 0, "The RSS queue count", HFILL }
9952 { &hf_smb2_ioctl_network_interface_capabilities,
9953 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
9954 NULL, 0, "The RSS queue count", HFILL }
9957 { &hf_smb2_ioctl_network_interface_capability_rss,
9958 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
9959 TFS(&tfs_smb2_ioctl_network_interface_capability_rss), NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }
9962 { &hf_smb2_ioctl_network_interface_capability_rdma,
9963 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
9964 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma), NETWORK_INTERFACE_CAP_RDMA, "If the host supports RDMA", HFILL }
9967 { &hf_smb2_ioctl_network_interface_link_speed,
9968 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
9969 NULL, 0, "The link speed of the interface", HFILL }
9972 { &hf_smb2_ioctl_shadow_copy_num_volumes,
9973 { "Num Volumes", "smb2.ioctl.shadow_copy.num_volumes", FT_UINT32, BASE_DEC,
9974 NULL, 0, "Number of shadow copy volumes", HFILL }
9977 { &hf_smb2_ioctl_shadow_copy_num_labels,
9978 { "Num Labels", "smb2.ioctl.shadow_copy.num_labels", FT_UINT32, BASE_DEC,
9979 NULL, 0, "Number of shadow copy labels", HFILL }
9982 { &hf_smb2_ioctl_shadow_copy_label,
9983 { "Label", "smb2.ioctl.shadow_copy.label", FT_STRING, BASE_NONE,
9984 NULL, 0, "Shadow copy label", HFILL }
9987 { &hf_smb2_compression_format,
9988 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
9989 VALS(compression_format_vals), 0, "Compression to use", HFILL }
9992 { &hf_smb2_checksum_algorithm,
9993 { "Checksum Algorithm", "smb2.checksum_algorithm", FT_UINT16, BASE_HEX,
9994 VALS(checksum_algorithm_vals), 0, "Checksum algorithm to use", HFILL }
9997 { &hf_smb2_integrity_reserved,
9998 { "Reserved", "smb2.integrity_reserved", FT_UINT16, BASE_DEC,
9999 NULL, 0, "Reserved Field", HFILL }
10002 { &hf_smb2_integrity_flags,
10003 { "Flags", "smb2.integrity_flags", FT_UINT32, BASE_HEX,
10004 NULL, 0, NULL, HFILL }
10007 { &hf_smb2_integrity_flags_enforcement_off,
10008 { "FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF", "smb2.integrity_flags_enforcement", FT_BOOLEAN, 32,
10009 NULL, 0x1, "If checksum error enforcement is off", HFILL }
10012 { &hf_smb2_share_type,
10013 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
10014 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }
10017 { &hf_smb2_credit_charge,
10018 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
10019 NULL, 0, NULL, HFILL }
10022 { &hf_smb2_credits_requested,
10023 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
10024 NULL, 0, NULL, HFILL }
10027 { &hf_smb2_credits_granted,
10028 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
10029 NULL, 0, NULL, HFILL }
10032 { &hf_smb2_channel_sequence,
10033 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
10034 NULL, 0, NULL, HFILL }
10037 { &hf_smb2_dialect_count,
10038 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
10039 NULL, 0, NULL, HFILL }
10042 { &hf_smb2_dialect,
10043 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
10044 NULL, 0, NULL, HFILL }
10047 { &hf_smb2_security_mode,
10048 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
10049 NULL, 0, NULL, HFILL }
10052 { &hf_smb2_session_flags,
10053 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
10054 NULL, 0, NULL, HFILL }
10057 { &hf_smb2_lock_count,
10058 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
10059 NULL, 0, NULL, HFILL }
10062 { &hf_smb2_capabilities,
10063 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
10064 NULL, 0, NULL, HFILL }
10067 { &hf_smb2_ioctl_shadow_copy_count,
10068 { "Count", "smb2.ioctl.shadow_copy.count", FT_UINT32, BASE_DEC,
10069 NULL, 0, "Number of bytes for shadow copy label strings", HFILL }
10072 { &hf_smb2_auth_frame,
10073 { "Authenticated in Frame", "smb2.auth_frame", FT_UINT32, BASE_DEC,
10074 NULL, 0, "Which frame this user was authenticated in", HFILL }
10077 { &hf_smb2_tcon_frame,
10078 { "Connected in Frame", "smb2.tcon_frame", FT_UINT32, BASE_DEC,
10079 NULL, 0, "Which frame this share was connected in", HFILL }
10083 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
10084 NULL, 0, "Tag of chain entry", HFILL }
10087 { &hf_smb2_acct_name,
10088 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
10089 NULL, 0, "Account Name", HFILL }
10092 { &hf_smb2_domain_name,
10093 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
10094 NULL, 0, "Domain Name", HFILL }
10097 { &hf_smb2_host_name,
10098 { "Host", "smb2.host", FT_STRING, BASE_NONE,
10099 NULL, 0, "Host Name", HFILL }
10102 { &hf_smb2_signature,
10103 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
10104 NULL, 0, NULL, HFILL }
10107 { &hf_smb2_unknown,
10108 { "unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
10109 NULL, 0, "Unknown bytes", HFILL }
10112 { &hf_smb2_twrp_timestamp,
10113 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10114 NULL, 0, "TWrp timestamp", HFILL }
10117 { &hf_smb2_mxac_timestamp,
10118 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10119 NULL, 0, "MxAc timestamp", HFILL }
10122 { &hf_smb2_mxac_status,
10123 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
10124 &NT_errors_ext, 0, "NT Status code", HFILL }
10127 { &hf_smb2_qfid_fid,
10128 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
10129 NULL, 0, NULL, HFILL }
10132 { &hf_smb2_ses_flags_guest,
10133 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
10134 NULL, SES_FLAGS_GUEST, NULL, HFILL }
10137 { &hf_smb2_ses_flags_null,
10138 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
10139 NULL, SES_FLAGS_NULL, NULL, HFILL }
10142 { &hf_smb2_secmode_flags_sign_required,
10143 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
10144 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }
10147 { &hf_smb2_secmode_flags_sign_enabled,
10148 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
10149 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }
10152 { &hf_smb2_ses_req_flags,
10153 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
10154 NULL, 0, NULL, HFILL }
10157 { &hf_smb2_ses_req_flags_session_binding,
10158 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
10159 NULL, SES_REQ_FLAGS_SESSION_BINDING, "The client wants to bind to an existing session", HFILL }
10162 { &hf_smb2_cap_dfs,
10163 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
10164 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }
10167 { &hf_smb2_cap_leasing,
10168 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
10169 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING, "If the host supports leasing", HFILL }
10172 { &hf_smb2_cap_large_mtu,
10173 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
10174 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU, "If the host supports LARGE MTU", HFILL }
10177 { &hf_smb2_cap_multi_channel,
10178 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
10179 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL, "If the host supports MULTI CHANNEL", HFILL }
10182 { &hf_smb2_cap_persistent_handles,
10183 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
10184 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES, "If the host supports PERSISTENT HANDLES", HFILL }
10187 { &hf_smb2_cap_directory_leasing,
10188 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
10189 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING, "If the host supports DIRECTORY LEASING", HFILL }
10192 { &hf_smb2_cap_encryption,
10193 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
10194 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION, "If the host supports ENCRYPTION", HFILL }
10197 { &hf_smb2_max_trans_size,
10198 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
10199 NULL, 0, "Maximum size of a transaction", HFILL }
10202 { &hf_smb2_max_read_size,
10203 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
10204 NULL, 0, "Maximum size of a read", HFILL }
10207 { &hf_smb2_max_write_size,
10208 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
10209 NULL, 0, "Maximum size of a write", HFILL }
10212 { &hf_smb2_channel,
10213 { "Channel", "smb2.channel", FT_UINT32, BASE_HEX,
10214 VALS(smb2_channel_vals), 0, NULL, HFILL }
10217 { &hf_smb2_rdma_v1_offset,
10218 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64, BASE_DEC,
10219 NULL, 0, NULL, HFILL }
10222 { &hf_smb2_rdma_v1_token,
10223 { "Token", "smb2.buffer_descriptor.token", FT_UINT32, BASE_HEX,
10224 NULL, 0, NULL, HFILL }
10227 { &hf_smb2_rdma_v1_length,
10228 { "Length", "smb2.buffer_descriptor.length", FT_UINT32, BASE_DEC,
10229 NULL, 0, NULL, HFILL }
10232 { &hf_smb2_share_flags,
10233 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
10234 NULL, 0, NULL, HFILL }
10237 { &hf_smb2_share_flags_dfs,
10238 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
10239 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
10242 { &hf_smb2_share_flags_dfs_root,
10243 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
10244 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
10247 { &hf_smb2_share_flags_restrict_exclusive_opens,
10248 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
10249 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }
10252 { &hf_smb2_share_flags_force_shared_delete,
10253 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
10254 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }
10257 { &hf_smb2_share_flags_allow_namespace_caching,
10258 { "Allow namepsace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
10259 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }
10262 { &hf_smb2_share_flags_access_based_dir_enum,
10263 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
10264 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }
10267 { &hf_smb2_share_flags_force_levelii_oplock,
10268 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
10269 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }
10272 { &hf_smb2_share_flags_enable_hash_v1,
10273 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
10274 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
10277 { &hf_smb2_share_flags_enable_hash_v2,
10278 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
10279 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
10282 { &hf_smb2_share_flags_encrypt_data,
10283 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
10284 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }
10287 { &hf_smb2_share_caching,
10288 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
10289 VALS(share_cache_vals), 0, NULL, HFILL }
10292 { &hf_smb2_share_caps,
10293 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
10294 NULL, 0, NULL, HFILL }
10297 { &hf_smb2_share_caps_dfs,
10298 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
10299 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }
10302 { &hf_smb2_share_caps_continuous_availability,
10303 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
10304 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY, "The specified share is continuously available", HFILL }
10307 { &hf_smb2_share_caps_scaleout,
10308 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
10309 NULL, SHARE_CAPS_SCALEOUT, "The specified share is a scaleout share", HFILL }
10312 { &hf_smb2_share_caps_cluster,
10313 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
10314 NULL, SHARE_CAPS_CLUSTER, "The specified share is a cluster share", HFILL }
10317 { &hf_smb2_ioctl_flags,
10318 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
10319 NULL, 0, NULL, HFILL }
10322 { &hf_smb2_min_count,
10323 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
10324 NULL, 0, NULL, HFILL }
10327 { &hf_smb2_remaining_bytes,
10328 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC,
10329 NULL, 0, NULL, HFILL }
10332 { &hf_smb2_channel_info_offset,
10333 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
10334 NULL, 0, NULL, HFILL }
10337 { &hf_smb2_channel_info_length,
10338 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
10339 NULL, 0, NULL, HFILL }
10342 { &hf_smb2_channel_info_blob,
10343 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE, BASE_NONE,
10344 NULL, 0, NULL, HFILL }
10347 { &hf_smb2_ioctl_is_fsctl,
10348 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
10349 NULL, 0x00000001, NULL, HFILL }
10352 { &hf_smb2_output_buffer_len,
10353 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT16, BASE_DEC,
10354 NULL, 0, NULL, HFILL }
10357 { &hf_smb2_close_pq_attrib,
10358 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
10359 NULL, 0x0001, NULL, HFILL }
10362 { &hf_smb2_notify_watch_tree,
10363 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
10364 NULL, 0x0001, NULL, HFILL }
10367 { &hf_smb2_notify_out_data,
10368 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
10369 NULL, 0, NULL, HFILL }
10372 { &hf_smb2_notify_info,
10373 { "Notify Info", "smb2.notify.info", FT_NONE, BASE_NONE,
10374 NULL, 0, NULL, HFILL }
10377 { &hf_smb2_notify_next_offset,
10378 { "Next Offset", "smb2.notify.next_offset", FT_UINT32, BASE_HEX,
10379 NULL, 0, "Offset to next entry in chain or 0", HFILL }
10382 { &hf_smb2_notify_action,
10383 { "Action", "smb2.notify.action", FT_UINT32, BASE_HEX,
10384 VALS(notify_action_vals), 0, "Notify Action", HFILL }
10388 { &hf_smb2_find_flags_restart_scans,
10389 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
10390 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }
10393 { &hf_smb2_find_flags_single_entry,
10394 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
10395 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }
10398 { &hf_smb2_find_flags_index_specified,
10399 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
10400 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }
10403 { &hf_smb2_find_flags_reopen,
10404 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
10405 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }
10408 { &hf_smb2_file_index,
10409 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
10410 NULL, 0, NULL, HFILL }
10413 { &hf_smb2_file_directory_info,
10414 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
10415 NULL, 0, NULL, HFILL }
10418 { &hf_smb2_full_directory_info,
10419 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
10420 NULL, 0, NULL, HFILL }
10423 { &hf_smb2_both_directory_info,
10424 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
10425 NULL, 0, NULL, HFILL }
10428 { &hf_smb2_id_both_directory_info,
10429 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
10430 NULL, 0, NULL, HFILL }
10433 { &hf_smb2_short_name_len,
10434 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
10435 NULL, 0, NULL, HFILL }
10438 { &hf_smb2_short_name,
10439 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
10440 NULL, 0, NULL, HFILL }
10443 { &hf_smb2_lock_info,
10444 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
10445 NULL, 0, NULL, HFILL }
10448 { &hf_smb2_lock_length,
10449 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
10450 NULL, 0, NULL, HFILL }
10453 { &hf_smb2_lock_flags,
10454 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
10455 NULL, 0, NULL, HFILL }
10458 { &hf_smb2_lock_flags_shared,
10459 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
10460 NULL, 0x00000001, NULL, HFILL }
10463 { &hf_smb2_lock_flags_exclusive,
10464 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
10465 NULL, 0x00000002, NULL, HFILL }
10468 { &hf_smb2_lock_flags_unlock,
10469 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
10470 NULL, 0x00000004, NULL, HFILL }
10473 { &hf_smb2_lock_flags_fail_immediately,
10474 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
10475 NULL, 0x00000010, NULL, HFILL }
10478 { &hf_smb2_error_context_count,
10479 { "Error Context Count", "smb2.error.context_count", FT_UINT8, BASE_DEC,
10480 NULL, 0, NULL, HFILL }
10483 { &hf_smb2_error_reserved,
10484 { "Reserved", "smb2.error.reserved", FT_UINT8, BASE_HEX,
10485 NULL, 0, NULL, HFILL }
10488 { &hf_smb2_error_byte_count,
10489 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
10490 NULL, 0, NULL, HFILL }
10493 { &hf_smb2_error_data,
10494 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
10495 NULL, 0, NULL, HFILL }
10498 { &hf_smb2_reserved,
10499 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
10500 NULL, 0, "Reserved bytes", HFILL }
10503 { &hf_smb2_reserved_random,
10504 { "Reserved (Random)", "smb2.reserved.random", FT_BYTES, BASE_NONE,
10505 NULL, 0, "Reserved bytes, random data", HFILL }
10508 { &hf_smb2_root_directory_mbz,
10509 { "Root Dir Handle (MBZ)", "smb2.root_directory", FT_BYTES, BASE_NONE,
10510 NULL, 0, "Root Directory Handle, mbz", HFILL }
10513 { &hf_smb2_dhnq_buffer_reserved,
10514 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
10515 NULL, 0, NULL, HFILL }
10518 { &hf_smb2_dh2x_buffer_timeout,
10519 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
10520 NULL, 0, NULL, HFILL }
10523 { &hf_smb2_dh2x_buffer_flags,
10524 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
10525 NULL, 0, NULL, HFILL }
10528 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
10529 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
10530 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL }
10533 { &hf_smb2_dh2x_buffer_reserved,
10534 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
10535 NULL, 0, NULL, HFILL }
10538 { &hf_smb2_dh2x_buffer_create_guid,
10539 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
10540 NULL, 0, NULL, HFILL }
10543 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
10544 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
10545 NULL, 0, NULL, HFILL }
10548 { &hf_smb2_APP_INSTANCE_buffer_reserved,
10549 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
10550 NULL, 0, NULL, HFILL }
10553 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
10554 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
10555 NULL, 0, NULL, HFILL }
10558 { &hf_smb2_svhdx_open_device_context_version,
10559 { "Version", "smb2.svhdx_open_device_context.version", FT_UINT32, BASE_DEC,
10560 NULL, 0, NULL, HFILL }
10563 { &hf_smb2_svhdx_open_device_context_has_initiator_id,
10564 { "HasInitiatorId", "smb2.svhdx_open_device_context.initiator_has_id", FT_BOOLEAN, 8,
10565 TFS(&tfs_smb2_svhdx_has_initiator_id), 0, "Whether the host has an intiator", HFILL }
10568 { &hf_smb2_svhdx_open_device_context_reserved,
10569 { "Reserved", "smb2.svhdx_open_device_context.reserved", FT_BYTES, BASE_NONE,
10570 NULL, 0, NULL, HFILL }
10573 { &hf_smb2_svhdx_open_device_context_initiator_id,
10574 { "InitiatorId", "smb2.svhdx_open_device_context.initiator_id", FT_BYTES, BASE_NONE,
10575 NULL, 0, NULL, HFILL }
10578 { &hf_smb2_svhdx_open_device_context_flags,
10579 { "Flags", "smb2.svhdx_open_device_context.flags", FT_UINT32, BASE_HEX,
10580 NULL, 0, NULL, HFILL }
10583 { &hf_smb2_svhdx_open_device_context_originator_flags,
10584 { "OriginatorFlags", "smb2.svhdx_open_device_context.originator_flags", FT_UINT32, BASE_HEX,
10585 VALS(originator_flags_vals), 0, "Originator Flags", HFILL }
10588 { &hf_smb2_svhdx_open_device_context_open_request_id,
10589 { "OpenRequestId","smb2.svhxd_open_device_context.open_request_id", FT_UINT64, BASE_HEX,
10590 NULL, 0, NULL, HFILL }
10593 { &hf_smb2_svhdx_open_device_context_initiator_host_name_len,
10594 { "HostNameLength", "smb2.svhxd_open_device_context.initiator_host_name_len", FT_UINT16, BASE_DEC,
10595 NULL, 0, NULL, HFILL }
10598 { &hf_smb2_svhdx_open_device_context_initiator_host_name,
10599 { "HostName", "smb2.svhdx_open_device_context.host_name", FT_STRING, BASE_NONE,
10600 NULL, 0, NULL, HFILL }
10603 { &hf_smb2_posix_v1_version,
10604 { "Version", "smb2.posix_v1_version", FT_UINT32, BASE_DEC,
10605 NULL, 0, NULL, HFILL }
10608 { &hf_smb2_posix_v1_request,
10609 { "Request", "smb2.posix_request", FT_UINT32, BASE_HEX,
10610 NULL, 0, NULL, HFILL }
10613 { &hf_smb2_posix_v1_case_sensitive,
10614 { "Posix Case Sensitive File Names", "smb2.posix_case_sensitive", FT_UINT32, BASE_HEX,
10615 VALS(posix_case_sensitive_vals), 0x01, NULL, HFILL }
10618 { &hf_smb2_posix_v1_posix_lock,
10619 { "Posix Byte-Range Locks", "smb2.posix_locks", FT_UINT32, BASE_HEX,
10620 VALS(posix_locks_vals), 0x02, NULL, HFILL }
10623 { &hf_smb2_posix_v1_posix_file_semantics,
10624 { "Posix File Semantics", "smb2.posix_file_semantics", FT_UINT32, BASE_HEX,
10625 VALS(posix_file_semantics_vals), 0x04, NULL, HFILL }
10628 { &hf_smb2_posix_v1_posix_utf8_paths,
10629 { "Posix UTF8 Paths", "smb2.posix_utf8_paths", FT_UINT32, BASE_HEX,
10630 VALS(posix_utf8_paths_vals), 0x08, NULL, HFILL }
10633 { &hf_smb2_posix_v1_posix_will_convert_nt_acls,
10634 { "Posix Will Convert NT ACLs", "smb2.will_convert_NTACLs", FT_UINT32, BASE_HEX,
10635 VALS(posix_will_convert_ntacls_vals), 0x10, NULL, HFILL }
10638 { &hf_smb2_posix_v1_posix_fileinfo,
10639 { "Posix Fileinfo", "smb2.posix_fileinfo", FT_UINT32, BASE_HEX,
10640 VALS(posix_fileinfo_vals), 0x20, NULL, HFILL }
10643 { &hf_smb2_posix_v1_posix_acls,
10644 { "Posix ACLs", "smb2.posix_acls", FT_UINT32, BASE_HEX,
10645 VALS(posix_acls_vals), 0x40, NULL, HFILL }
10648 { &hf_smb2_posix_v1_rich_acls,
10649 { "Rich ACLs", "smb2.rich_acls", FT_UINT32, BASE_HEX,
10650 VALS(posix_rich_acls_vals), 0x80, NULL, HFILL }
10653 { &hf_smb2_posix_v1_supported_features,
10654 { "Supported Features", "smb2.posix_supported_features", FT_UINT32, BASE_HEX,
10655 NULL, 0, NULL, HFILL }
10658 { &hf_smb2_aapl_command_code,
10659 { "Command code", "smb2.aapl.command_code", FT_UINT32, BASE_DEC,
10660 VALS(aapl_command_code_vals), 0, NULL, HFILL }
10663 { &hf_smb2_aapl_reserved,
10664 { "Reserved", "smb2.aapl.reserved", FT_UINT32, BASE_HEX,
10665 NULL, 0, NULL, HFILL }
10668 { &hf_smb2_aapl_server_query_bitmask,
10669 { "Query bitmask", "smb2.aapl.query_bitmask", FT_UINT64, BASE_HEX,
10670 NULL, 0, NULL, HFILL }
10673 { &hf_smb2_aapl_server_query_bitmask_server_caps,
10674 { "Server capabilities", "smb2.aapl.bitmask.server_caps", FT_BOOLEAN, 64,
10675 NULL, SMB2_AAPL_SERVER_CAPS, NULL, HFILL }
10678 { &hf_smb2_aapl_server_query_bitmask_volume_caps,
10679 { "Volume capabilities", "smb2.aapl.bitmask.volume_caps", FT_BOOLEAN, 64,
10680 NULL, SMB2_AAPL_VOLUME_CAPS, NULL, HFILL }
10683 { &hf_smb2_aapl_server_query_bitmask_model_info,
10684 { "Model information", "smb2.aapl.bitmask.model_info", FT_BOOLEAN, 64,
10685 NULL, SMB2_AAPL_MODEL_INFO, NULL, HFILL }
10688 { &hf_smb2_aapl_server_query_caps,
10689 { "Client/Server capabilities", "smb2.aapl.caps", FT_UINT64, BASE_HEX,
10690 NULL, 0, NULL, HFILL }
10693 { &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
10694 { "Supports READDIRATTR", "smb2.aapl.caps.supports_read_dir_addr", FT_BOOLEAN, 64,
10695 NULL, SMB2_AAPL_SUPPORTS_READ_DIR_ATTR, NULL, HFILL }
10698 { &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
10699 { "Supports OS X copyfile", "smb2.aapl.caps.supports_osx_copyfile", FT_BOOLEAN, 64,
10700 NULL, SMB2_AAPL_SUPPORTS_OSX_COPYFILE, NULL, HFILL }
10703 { &hf_smb2_aapl_server_query_caps_unix_based,
10704 { "UNIX-based", "smb2.aapl.caps.unix_based", FT_BOOLEAN, 64,
10705 NULL, SMB2_AAPL_UNIX_BASED, NULL, HFILL }
10708 { &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
10709 { "Supports NFS ACE", "smb2.aapl.supports_nfs_ace", FT_BOOLEAN, 64,
10710 NULL, SMB2_AAPL_SUPPORTS_NFS_ACE, NULL, HFILL }
10713 { &hf_smb2_aapl_server_query_volume_caps,
10714 { "Volume capabilities", "smb2.aapl.volume_caps", FT_UINT64, BASE_HEX,
10715 NULL, 0, NULL, HFILL }
10718 { &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
10719 { "Supports Resolve ID", "smb2.aapl.volume_caps.supports_resolve_id", FT_BOOLEAN, 64,
10720 NULL, SMB2_AAPL_SUPPORTS_RESOLVE_ID, NULL, HFILL }
10723 { &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
10724 { "Case sensitive", "smb2.aapl.volume_caps.case_sensitive", FT_BOOLEAN, 64,
10725 NULL, SMB2_AAPL_CASE_SENSITIVE, NULL, HFILL }
10728 { &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
10729 { "Supports full sync", "smb2.aapl.volume_caps.supports_full_sync", FT_BOOLEAN, 64,
10730 NULL, SMB2_AAPL_SUPPORTS_FULL_SYNC, NULL, HFILL }
10733 { &hf_smb2_aapl_server_query_model_string,
10734 { "Model string", "smb2.aapl.model_string", FT_UINT_STRING, STR_UNICODE,
10735 NULL, 0, NULL, HFILL }
10738 { &hf_smb2_aapl_server_query_server_path,
10739 { "Server path", "smb2.aapl.server_path", FT_UINT_STRING, STR_UNICODE,
10740 NULL, 0, NULL, HFILL }
10743 { &hf_smb2_transform_signature,
10744 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
10745 NULL, 0, NULL, HFILL }
10748 { &hf_smb2_transform_nonce,
10749 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
10750 NULL, 0, NULL, HFILL }
10753 { &hf_smb2_transform_msg_size,
10754 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
10755 NULL, 0, NULL, HFILL }
10758 { &hf_smb2_transform_reserved,
10759 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
10760 NULL, 0, NULL, HFILL }
10763 { &hf_smb2_transform_enc_alg,
10764 { "Encryption ALG", "smb2.header.transform.encryption_alg", FT_UINT16, BASE_HEX,
10765 NULL, 0, NULL, HFILL }
10768 { &hf_smb2_encryption_aes128_ccm,
10769 { "SMB2_ENCRYPTION_AES128_CCM", "smb2.header.transform.enc_aes128_ccm", FT_BOOLEAN, 16,
10770 NULL, ENC_ALG_aes128_ccm, NULL, HFILL }
10773 { &hf_smb2_transform_encrypted_data,
10774 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
10775 NULL, 0, NULL, HFILL }
10778 { &hf_smb2_server_component_smb2,
10779 { "Server Component: SMB2", "smb2.server_component_smb2", FT_NONE, BASE_NONE,
10780 NULL, 0, NULL, HFILL }
10783 { &hf_smb2_server_component_smb2_transform,
10784 { "Server Component: SMB2_TRANSFORM", "smb2.server_component_smb2_transform", FT_NONE, BASE_NONE,
10785 NULL, 0, NULL, HFILL }
10788 { &hf_smb2_truncated,
10789 { "Truncated...", "smb2.truncated", FT_NONE, BASE_NONE,
10790 NULL, 0, NULL, HFILL }
10793 { &hf_smb2_pipe_fragment_overlap,
10794 { "Fragment overlap", "smb2.pipe.fragment.overlap", FT_BOOLEAN, BASE_NONE,
10795 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }
10798 { &hf_smb2_pipe_fragment_overlap_conflict,
10799 { "Conflicting data in fragment overlap", "smb2.pipe.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE,
10800 NULL, 0x0, "Overlapping fragments contained conflicting data", HFILL }
10803 { &hf_smb2_pipe_fragment_multiple_tails,
10804 { "Multiple tail fragments found", "smb2.pipe.fragment.multipletails", FT_BOOLEAN, BASE_NONE,
10805 NULL, 0x0, "Several tails were found when defragmenting the packet", HFILL }
10808 { &hf_smb2_pipe_fragment_too_long_fragment,
10809 { "Fragment too long", "smb2.pipe.fragment.toolongfragment", FT_BOOLEAN, BASE_NONE,
10810 NULL, 0x0, "Fragment contained data past end of packet", HFILL }
10813 { &hf_smb2_pipe_fragment_error,
10814 { "Defragmentation error", "smb2.pipe.fragment.error", FT_FRAMENUM, BASE_NONE,
10815 NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }
10818 { &hf_smb2_pipe_fragment_count,
10819 { "Fragment count", "smb2.pipe.fragment.count", FT_UINT32, BASE_DEC,
10820 NULL, 0x0, NULL, HFILL }
10823 { &hf_smb2_pipe_fragment,
10824 { "Fragment SMB2 Named Pipe", "smb2.pipe.fragment", FT_FRAMENUM, BASE_NONE,
10825 NULL, 0x0, "SMB2 Named Pipe Fragment", HFILL }
10828 { &hf_smb2_pipe_fragments,
10829 { "Reassembled SMB2 Named Pipe fragments", "smb2.pipe.fragments", FT_NONE, BASE_NONE,
10830 NULL, 0x0, "SMB2 Named Pipe Fragments", HFILL }
10833 { &hf_smb2_pipe_reassembled_in,
10834 { "This SMB2 Named Pipe payload is reassembled in frame", "smb2.pipe.reassembled_in", FT_FRAMENUM, BASE_NONE,
10835 NULL, 0x0, "The Named Pipe PDU is completely reassembled in this frame", HFILL }
10838 { &hf_smb2_pipe_reassembled_length,
10839 { "Reassembled SMB2 Named Pipe length", "smb2.pipe.reassembled.length", FT_UINT32, BASE_DEC,
10840 NULL, 0x0, "The total length of the reassembled payload", HFILL }
10843 { &hf_smb2_pipe_reassembled_data,
10844 { "Reassembled SMB2 Named Pipe Data", "smb2.pipe.reassembled.data", FT_BYTES, BASE_NONE,
10845 NULL, 0x0, "The reassembled payload", HFILL }
10848 { &hf_smb2_cchunk_resume_key,
10849 { "ResumeKey", "smb2.fsctl.cchunk.resume_key", FT_BYTES, BASE_NONE,
10850 NULL, 0x0, "Opaque data representing source of copy", HFILL }
10853 { &hf_smb2_cchunk_count,
10854 { "Chunk Count", "smb2.fsctl.cchunk.count", FT_UINT32, BASE_DEC,
10855 NULL, 0x0, NULL, HFILL }
10858 { &hf_smb2_cchunk_src_offset,
10859 { "Source Offset", "smb2.fsctl.cchunk.src_offset", FT_UINT64, BASE_DEC,
10860 NULL, 0x0, NULL, HFILL }
10863 { &hf_smb2_cchunk_dst_offset,
10864 { "Target Offset", "smb2.fsctl.cchunk.dst_offset", FT_UINT64, BASE_DEC,
10865 NULL, 0x0, NULL, HFILL }
10868 { &hf_smb2_cchunk_xfer_len,
10869 { "Transfer Length", "smb2.fsctl.cchunk.xfer_len", FT_UINT32, BASE_DEC,
10870 NULL, 0x0, NULL, HFILL }
10873 { &hf_smb2_cchunk_chunks_written,
10874 { "Chunks Written", "smb2.fsctl.cchunk.chunks_written", FT_UINT32, BASE_DEC,
10875 NULL, 0x0, NULL, HFILL }
10878 { &hf_smb2_cchunk_bytes_written,
10879 { "Chunk Bytes Written", "smb2.fsctl.cchunk.bytes_written", FT_UINT32, BASE_DEC,
10880 NULL, 0x0, NULL, HFILL }
10883 { &hf_smb2_cchunk_total_written,
10884 { "Total Bytes Written", "smb2.fsctl.cchunk.total_written", FT_UINT32, BASE_DEC,
10885 NULL, 0x0, NULL, HFILL }
10888 { &hf_smb2_symlink_error_response,
10889 { "Symbolic Link Error Response", "smb2.symlink_error_response", FT_NONE, BASE_NONE,
10890 NULL, 0, "A Symbolic Link Error Response structure", HFILL }
10893 { &hf_smb2_symlink_length,
10894 { "SymLink Length", "smb2.symlink.length", FT_UINT32,
10895 BASE_DEC, NULL, 0x0, NULL, HFILL }
10898 { &hf_smb2_symlink_error_tag,
10899 { "SymLink Error Tag", "smb2.symlink.error_tag", FT_UINT32,
10900 BASE_HEX, NULL, 0x0, NULL, HFILL }
10903 { &hf_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER,
10904 { "SYMBOLIC_LINK_REPARSE_DATA_BUFFER", "smb2.SYMBOLIC_LINK_REPARSE_DATA_BUFFER", FT_NONE, BASE_NONE,
10905 NULL, 0, "A SYMBOLIC_LINK_REPARSE_DATA_BUFFER structure", HFILL }
10907 { &hf_smb2_reparse_tag,
10908 { "Reparse Tag", "smb2.symlink.reparse_tag", FT_UINT32, BASE_HEX,
10909 NULL, 0x0, NULL, HFILL }
10911 { &hf_smb2_reparse_data_length,
10912 { "Reparse Data Length", "smb2.symlink.reparse_data_length", FT_UINT16, BASE_DEC,
10913 NULL, 0x0, NULL, HFILL }
10915 { &hf_smb2_unparsed_path_length,
10916 { "Unparsed Path Length", "smb2.symlink.unparsed_path_length", FT_UINT16, BASE_DEC,
10917 NULL, 0x0, NULL, HFILL }
10919 { &hf_smb2_symlink_substitute_name,
10920 { "Substitute Name", "smb2.symlink.substitute_name", FT_STRING, BASE_NONE,
10921 NULL, 0x0, NULL, HFILL }
10923 { &hf_smb2_symlink_print_name,
10924 { "Print Name", "smb2.symlink.print_name", FT_STRING, BASE_NONE,
10925 NULL, 0x0, NULL, HFILL }
10927 { &hf_smb2_symlink_flags,
10928 { "Flags", "smb2.symlink.flags", FT_UINT32, BASE_DEC,
10929 NULL, 0x0, NULL, HFILL }
10933 static gint *ett[] = {
10938 &ett_smb2_encrypted,
10941 &ett_smb2_negotiate_context_element,
10942 &ett_smb2_file_basic_info,
10943 &ett_smb2_file_standard_info,
10944 &ett_smb2_file_internal_info,
10945 &ett_smb2_file_ea_info,
10946 &ett_smb2_file_access_info,
10947 &ett_smb2_file_rename_info,
10948 &ett_smb2_file_disposition_info,
10949 &ett_smb2_file_position_info,
10950 &ett_smb2_file_full_ea_info,
10951 &ett_smb2_file_mode_info,
10952 &ett_smb2_file_alignment_info,
10953 &ett_smb2_file_all_info,
10954 &ett_smb2_file_allocation_info,
10955 &ett_smb2_file_endoffile_info,
10956 &ett_smb2_file_alternate_name_info,
10957 &ett_smb2_file_stream_info,
10958 &ett_smb2_file_pipe_info,
10959 &ett_smb2_file_compression_info,
10960 &ett_smb2_file_network_open_info,
10961 &ett_smb2_file_attribute_tag_info,
10962 &ett_smb2_fs_info_01,
10963 &ett_smb2_fs_info_03,
10964 &ett_smb2_fs_info_04,
10965 &ett_smb2_fs_info_05,
10966 &ett_smb2_fs_info_06,
10967 &ett_smb2_fs_info_07,
10968 &ett_smb2_fs_objectid_info,
10969 &ett_smb2_sec_info_00,
10970 &ett_smb2_quota_info,
10971 &ett_smb2_query_quota_info,
10972 &ett_smb2_tid_tree,
10973 &ett_smb2_sesid_tree,
10974 &ett_smb2_create_chain_element,
10975 &ett_smb2_MxAc_buffer,
10976 &ett_smb2_QFid_buffer,
10977 &ett_smb2_RqLs_buffer,
10978 &ett_smb2_ioctl_function,
10979 &ett_smb2_FILE_OBJECTID_BUFFER,
10981 &ett_smb2_sec_mode,
10982 &ett_smb2_capabilities,
10983 &ett_smb2_ses_req_flags,
10984 &ett_smb2_ses_flags,
10985 &ett_smb2_create_rep_flags,
10986 &ett_smb2_lease_state,
10987 &ett_smb2_lease_flags,
10988 &ett_smb2_share_flags,
10989 &ett_smb2_share_caps,
10990 &ett_smb2_ioctl_flags,
10991 &ett_smb2_ioctl_network_interface,
10992 &ett_smb2_fsctl_range_data,
10993 &ett_windows_sockaddr,
10994 &ett_smb2_close_flags,
10995 &ett_smb2_notify_info,
10996 &ett_smb2_notify_flags,
10998 &ett_smb2_write_flags,
10999 &ett_smb2_find_flags,
11000 &ett_smb2_file_directory_info,
11001 &ett_smb2_both_directory_info,
11002 &ett_smb2_id_both_directory_info,
11003 &ett_smb2_full_directory_info,
11004 &ett_smb2_file_name_info,
11005 &ett_smb2_lock_info,
11006 &ett_smb2_lock_flags,
11007 &ett_smb2_DH2Q_buffer,
11008 &ett_smb2_DH2C_buffer,
11009 &ett_smb2_dh2x_flags,
11010 &ett_smb2_APP_INSTANCE_buffer,
11011 &ett_smb2_svhdx_open_device_context,
11012 &ett_smb2_posix_v1_request,
11013 &ett_smb2_posix_v1_response,
11014 &ett_smb2_posix_v1_supported_features,
11015 &ett_smb2_aapl_create_context_request,
11016 &ett_smb2_aapl_server_query_bitmask,
11017 &ett_smb2_aapl_server_query_caps,
11018 &ett_smb2_aapl_create_context_response,
11019 &ett_smb2_aapl_server_query_volume_caps,
11020 &ett_smb2_integrity_flags,
11021 &ett_smb2_transform_enc_alg,
11022 &ett_smb2_buffercode,
11023 &ett_smb2_ioctl_network_interface_capabilities,
11025 &ett_smb2_pipe_fragment,
11026 &ett_smb2_pipe_fragments,
11027 &ett_smb2_cchunk_entry,
11028 &ett_smb2_fsctl_odx_token,
11029 &ett_smb2_symlink_error_response,
11030 &ett_smb2_SYMBOLIC_LINK_REPARSE_DATA_BUFFER,
11031 &ett_smb2_error_data,
11034 static ei_register_info ei[] = {
11035 { &ei_smb2_invalid_length, { "smb2.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
11036 { &ei_smb2_bad_response, { "smb2.bad_response", PI_MALFORMED, PI_ERROR, "Bad response", EXPFILL }},
11039 expert_module_t* expert_smb2;
11041 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
11043 proto_register_subtree_array(ett, array_length(ett));
11044 proto_register_field_array(proto_smb2, hf, array_length(hf));
11045 expert_smb2 = expert_register_protocol(proto_smb2);
11046 expert_register_field_array(expert_smb2, ei, array_length(ei));
11048 smb2_module = prefs_register_protocol(proto_smb2, NULL);
11049 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
11050 "Use the full file name as File ID when exporting an SMB2 object",
11051 "Whether the export object functionality will take the full path file name as file identifier",
11052 &eosmb2_take_name_as_fid);
11054 prefs_register_bool_preference(smb2_module, "pipe_reassembly",
11055 "Reassemble Named Pipes over SMB2",
11056 "Whether the dissector should reassemble Named Pipes over SMB2 commands",
11057 &smb2_pipe_reassembly);
11058 smb2_pipe_subdissector_list = register_heur_dissector_list("smb2_pipe_subdissectors", proto_smb2);
11060 * XXX - should this use addresses_ports_reassembly_table_functions instead?
11061 * That is probably correct for SMB-over-NBT and SMB-over-TCP,
11062 * as fragments from two different connections should
11063 * probably not be combined, but what about other
11064 * transports for SMB, e.g. NBF or NetWare?
11066 reassembly_table_register(&smb2_pipe_reassembly_table,
11067 &addresses_reassembly_table_functions);
11069 smb2_tap = register_tap("smb2");
11070 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
11072 register_srt_table(proto_smb2, NULL, 1, smb2stat_packet, smb2stat_init, NULL);
/*
 * Handoff stage of SMB2 registration.
 *
 * Looks up the "gssapi", "ntlmssp" and "rsvd" dissectors by name, recording
 * each as a dependency of proto_smb2, and adds dissect_smb2_heur to the
 * "netbios" and "smb_direct" heuristic dissector lists.
 */
void
proto_reg_handoff_smb2(void)
{
	/* Heuristic lists that dissect_smb2_heur is added to, in registration order. */
	static const struct {
		const char *list_name;	/* heuristic dissector list to join */
		const char *label;	/* human-readable description of the entry */
		const char *short_id;	/* short identifier of the entry */
	} heur_transports[] = {
		{ "netbios",    "SMB2 over Netbios",    "smb2_netbios"    },
		{ "smb_direct", "SMB2 over SMB Direct", "smb2_smb_direct" },
	};
	guint idx;

	/* Handles for the dissectors SMB2 passes embedded payloads to. */
	gssapi_handle  = find_dissector_add_dependency("gssapi", proto_smb2);
	ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smb2);
	rsvd_handle    = find_dissector_add_dependency("rsvd", proto_smb2);

	/*
	 * Every entry is registered with HEURISTIC_ENABLE, so dissect_smb2_heur
	 * is offered payloads from both lists. The decision to accept or reject
	 * a payload is made in dissect_smb2_heur, not here.
	 */
	for (idx = 0; idx < array_length(heur_transports); idx++) {
		heur_dissector_add(heur_transports[idx].list_name, dissect_smb2_heur,
				   heur_transports[idx].label,
				   heur_transports[idx].short_id,
				   proto_smb2, HEURISTIC_ENABLE);
	}
}
11086 * Editor modelines - http://www.wireshark.org/tools/modelines.html
11089 * c-basic-offset: 8
11091 * indent-tabs-mode: t
11094 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
11095 * :indentSize=8:tabSize=8:noTabs=false: