2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.344 2003/05/28 22:40:19 guy Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/conversation.h>
42 #include "alignment.h"
43 #include <epan/strutil.h>
45 #include "reassemble.h"
47 #include "packet-ipx.h"
49 #include "packet-smb-common.h"
50 #include "packet-smb-mailslot.h"
51 #include "packet-smb-pipe.h"
52 #include "packet-dcerpc.h"
53 #include "packet-smb-sidsnooping.h"
56 * Various specifications and documents about SMB can be found in
58 * ftp://ftp.microsoft.com/developr/drg/CIFS/
60 * and a CIFS specification from the Storage Networking Industry Association
61 * can be found on a link from the page at
63 * http://www.snia.org/tech_activities/CIFS
65 * (it supersedes the document at
67 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
71 * There are also some Open Group publications documenting CIFS available
72 * for download; catalog entries for them are at:
74 * http://www.opengroup.org/products/publications/catalog/c209.htm
76 * http://www.opengroup.org/products/publications/catalog/c195.htm
78 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
81 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
83 * (or, presumably a similar path under the Samba mirrors). As the
84 * ".doc" indicates, it's a Word document. Some of the specs from the
85 * Microsoft FTP site can be found in the
87 * http://www.samba.org/samba/ftp/specs/
91 * Beware - these specs may have errors.
/*
 * Protocol id and field ids for the SMB dissector. Every id in the run
 * that follows starts at -1; the code that assigns the real values is not
 * part of this listing. The hf_smb_* ids are what the dissection code
 * hands to proto_tree_add_uint() to label a value taken from the packet
 * (see the hf_smb_word_count and hf_smb_byte_count uses further down).
 */
93 static int proto_smb = -1;
94 static int hf_smb_cmd = -1;
95 static int hf_smb_key = -1;
96 static int hf_smb_session_id = -1;
97 static int hf_smb_sequence_num = -1;
98 static int hf_smb_group_id = -1;
99 static int hf_smb_pid = -1;
100 static int hf_smb_tid = -1;
101 static int hf_smb_uid = -1;
102 static int hf_smb_mid = -1;
103 static int hf_smb_response_to = -1;
104 static int hf_smb_time = -1;
105 static int hf_smb_response_in = -1;
106 static int hf_smb_continuation_to = -1;
107 static int hf_smb_nt_status = -1;
108 static int hf_smb_error_class = -1;
109 static int hf_smb_error_code = -1;
110 static int hf_smb_reserved = -1;
111 static int hf_smb_flags_lock = -1;
112 static int hf_smb_flags_receive_buffer = -1;
113 static int hf_smb_flags_caseless = -1;
114 static int hf_smb_flags_canon = -1;
115 static int hf_smb_flags_oplock = -1;
116 static int hf_smb_flags_notify = -1;
117 static int hf_smb_flags_response = -1;
118 static int hf_smb_flags2_long_names_allowed = -1;
119 static int hf_smb_flags2_ea = -1;
120 static int hf_smb_flags2_sec_sig = -1;
121 static int hf_smb_flags2_long_names_used = -1;
122 static int hf_smb_flags2_esn = -1;
123 static int hf_smb_flags2_dfs = -1;
124 static int hf_smb_flags2_roe = -1;
125 static int hf_smb_flags2_nt_error = -1;
126 static int hf_smb_flags2_string = -1;
127 static int hf_smb_word_count = -1;
128 static int hf_smb_byte_count = -1;
129 static int hf_smb_buffer_format = -1;
130 static int hf_smb_dialect_name = -1;
131 static int hf_smb_dialect_index = -1;
132 static int hf_smb_max_trans_buf_size = -1;
133 static int hf_smb_max_mpx_count = -1;
134 static int hf_smb_max_vcs_num = -1;
135 static int hf_smb_session_key = -1;
136 static int hf_smb_server_timezone = -1;
137 static int hf_smb_encryption_key_length = -1;
138 static int hf_smb_encryption_key = -1;
139 static int hf_smb_primary_domain = -1;
140 static int hf_smb_server = -1;
141 static int hf_smb_max_raw_buf_size = -1;
142 static int hf_smb_server_guid = -1;
143 static int hf_smb_security_blob_len = -1;
144 static int hf_smb_security_blob = -1;
145 static int hf_smb_sm_mode16 = -1;
146 static int hf_smb_sm_password16 = -1;
147 static int hf_smb_sm_mode = -1;
148 static int hf_smb_sm_password = -1;
149 static int hf_smb_sm_signatures = -1;
150 static int hf_smb_sm_sig_required = -1;
151 static int hf_smb_rm_read = -1;
152 static int hf_smb_rm_write = -1;
153 static int hf_smb_server_date_time = -1;
154 static int hf_smb_server_smb_date = -1;
155 static int hf_smb_server_smb_time = -1;
156 static int hf_smb_server_cap_raw_mode = -1;
157 static int hf_smb_server_cap_mpx_mode = -1;
158 static int hf_smb_server_cap_unicode = -1;
159 static int hf_smb_server_cap_large_files = -1;
160 static int hf_smb_server_cap_nt_smbs = -1;
161 static int hf_smb_server_cap_rpc_remote_apis = -1;
162 static int hf_smb_server_cap_nt_status = -1;
163 static int hf_smb_server_cap_level_ii_oplocks = -1;
164 static int hf_smb_server_cap_lock_and_read = -1;
165 static int hf_smb_server_cap_nt_find = -1;
166 static int hf_smb_server_cap_dfs = -1;
167 static int hf_smb_server_cap_infolevel_passthru = -1;
168 static int hf_smb_server_cap_large_readx = -1;
169 static int hf_smb_server_cap_large_writex = -1;
170 static int hf_smb_server_cap_unix = -1;
171 static int hf_smb_server_cap_reserved = -1;
172 static int hf_smb_server_cap_bulk_transfer = -1;
173 static int hf_smb_server_cap_compressed_data = -1;
174 static int hf_smb_server_cap_extended_security = -1;
175 static int hf_smb_system_time = -1;
176 static int hf_smb_unknown = -1;
177 static int hf_smb_dir_name = -1;
178 static int hf_smb_echo_count = -1;
179 static int hf_smb_echo_data = -1;
180 static int hf_smb_echo_seq_num = -1;
181 static int hf_smb_max_buf_size = -1;
/*
 * NOTE(review): judging by the names only, these ids label password bytes
 * and password lengths carried in SMB requests. If that is right, any
 * capture decoded with them shows credential material in the protocol
 * tree, so such capture files should be stored and shared as sensitive
 * data. Confirm against the place where the fields are registered and
 * used; neither is visible in this listing.
 */
182 static int hf_smb_password = -1;
183 static int hf_smb_password_len = -1;
184 static int hf_smb_ansi_password = -1;
185 static int hf_smb_ansi_password_len = -1;
186 static int hf_smb_unicode_password = -1;
187 static int hf_smb_unicode_password_len = -1;
188 static int hf_smb_path = -1;
189 static int hf_smb_service = -1;
190 static int hf_smb_move_flags_file = -1;
191 static int hf_smb_move_flags_dir = -1;
192 static int hf_smb_move_flags_verify = -1;
193 static int hf_smb_files_moved = -1;
194 static int hf_smb_copy_flags_file = -1;
195 static int hf_smb_copy_flags_dir = -1;
196 static int hf_smb_copy_flags_dest_mode = -1;
197 static int hf_smb_copy_flags_source_mode = -1;
198 static int hf_smb_copy_flags_verify = -1;
199 static int hf_smb_copy_flags_tree_copy = -1;
200 static int hf_smb_copy_flags_ea_action = -1;
201 static int hf_smb_count = -1;
202 static int hf_smb_file_name = -1;
203 static int hf_smb_open_function_open = -1;
204 static int hf_smb_open_function_create = -1;
205 static int hf_smb_fid = -1;
206 static int hf_smb_file_attr_read_only_16bit = -1;
207 static int hf_smb_file_attr_read_only_8bit = -1;
208 static int hf_smb_file_attr_hidden_16bit = -1;
209 static int hf_smb_file_attr_hidden_8bit = -1;
210 static int hf_smb_file_attr_system_16bit = -1;
211 static int hf_smb_file_attr_system_8bit = -1;
212 static int hf_smb_file_attr_volume_16bit = -1;
213 static int hf_smb_file_attr_volume_8bit = -1;
214 static int hf_smb_file_attr_directory_16bit = -1;
215 static int hf_smb_file_attr_directory_8bit = -1;
216 static int hf_smb_file_attr_archive_16bit = -1;
217 static int hf_smb_file_attr_archive_8bit = -1;
218 static int hf_smb_file_attr_device = -1;
219 static int hf_smb_file_attr_normal = -1;
220 static int hf_smb_file_attr_temporary = -1;
221 static int hf_smb_file_attr_sparse = -1;
222 static int hf_smb_file_attr_reparse = -1;
223 static int hf_smb_file_attr_compressed = -1;
224 static int hf_smb_file_attr_offline = -1;
225 static int hf_smb_file_attr_not_content_indexed = -1;
226 static int hf_smb_file_attr_encrypted = -1;
227 static int hf_smb_file_size = -1;
228 static int hf_smb_search_attribute_read_only = -1;
229 static int hf_smb_search_attribute_hidden = -1;
230 static int hf_smb_search_attribute_system = -1;
231 static int hf_smb_search_attribute_volume = -1;
232 static int hf_smb_search_attribute_directory = -1;
233 static int hf_smb_search_attribute_archive = -1;
234 static int hf_smb_access_mode = -1;
235 static int hf_smb_access_sharing = -1;
236 static int hf_smb_access_locality = -1;
237 static int hf_smb_access_caching = -1;
238 static int hf_smb_access_writetru = -1;
239 static int hf_smb_create_time = -1;
240 static int hf_smb_modify_time = -1;
241 static int hf_smb_backup_time = -1;
242 static int hf_smb_mac_alloc_block_count = -1;
243 static int hf_smb_mac_alloc_block_size = -1;
244 static int hf_smb_mac_free_block_count = -1;
245 static int hf_smb_mac_fndrinfo = -1;
246 static int hf_smb_mac_root_file_count = -1;
247 static int hf_smb_mac_root_dir_count = -1;
248 static int hf_smb_mac_file_count = -1;
249 static int hf_smb_mac_dir_count = -1;
250 static int hf_smb_mac_support_flags = -1;
251 static int hf_smb_mac_sup_access_ctrl = -1;
252 static int hf_smb_mac_sup_getset_comments = -1;
253 static int hf_smb_mac_sup_desktopdb_calls = -1;
254 static int hf_smb_mac_sup_unique_ids = -1;
255 static int hf_smb_mac_sup_streams = -1;
256 static int hf_smb_create_dos_date = -1;
257 static int hf_smb_create_dos_time = -1;
258 static int hf_smb_last_write_time = -1;
259 static int hf_smb_last_write_dos_date = -1;
260 static int hf_smb_last_write_dos_time = -1;
261 static int hf_smb_access_time = -1;
262 static int hf_smb_access_dos_date = -1;
263 static int hf_smb_access_dos_time = -1;
264 static int hf_smb_old_file_name = -1;
265 static int hf_smb_offset = -1;
266 static int hf_smb_remaining = -1;
267 static int hf_smb_padding = -1;
268 static int hf_smb_file_data = -1;
269 static int hf_smb_total_data_len = -1;
270 static int hf_smb_data_len = -1;
271 static int hf_smb_seek_mode = -1;
272 static int hf_smb_data_size = -1;
273 static int hf_smb_alloc_size = -1;
274 static int hf_smb_alloc_size64 = -1;
275 static int hf_smb_max_count = -1;
276 static int hf_smb_min_count = -1;
277 static int hf_smb_timeout = -1;
278 static int hf_smb_high_offset = -1;
279 static int hf_smb_units = -1;
280 static int hf_smb_bpu = -1;
281 static int hf_smb_blocksize = -1;
282 static int hf_smb_freeunits = -1;
283 static int hf_smb_data_offset = -1;
284 static int hf_smb_dcm = -1;
285 static int hf_smb_request_mask = -1;
286 static int hf_smb_response_mask = -1;
287 static int hf_smb_search_id = -1;
288 static int hf_smb_write_mode_write_through = -1;
289 static int hf_smb_write_mode_return_remaining = -1;
290 static int hf_smb_write_mode_raw = -1;
291 static int hf_smb_write_mode_message_start = -1;
292 static int hf_smb_write_mode_connectionless = -1;
293 static int hf_smb_resume_key_len = -1;
294 static int hf_smb_resume_find_id = -1;
295 static int hf_smb_resume_server_cookie = -1;
296 static int hf_smb_resume_client_cookie = -1;
297 static int hf_smb_andxoffset = -1;
298 static int hf_smb_lock_type_large = -1;
299 static int hf_smb_lock_type_cancel = -1;
300 static int hf_smb_lock_type_change = -1;
301 static int hf_smb_lock_type_oplock = -1;
302 static int hf_smb_lock_type_shared = -1;
303 static int hf_smb_locking_ol = -1;
304 static int hf_smb_number_of_locks = -1;
305 static int hf_smb_number_of_unlocks = -1;
306 static int hf_smb_lock_long_offset = -1;
307 static int hf_smb_lock_long_length = -1;
308 static int hf_smb_file_type = -1;
309 static int hf_smb_ipc_state_nonblocking = -1;
310 static int hf_smb_ipc_state_endpoint = -1;
311 static int hf_smb_ipc_state_pipe_type = -1;
312 static int hf_smb_ipc_state_read_mode = -1;
313 static int hf_smb_ipc_state_icount = -1;
314 static int hf_smb_server_fid = -1;
315 static int hf_smb_open_flags_add_info = -1;
316 static int hf_smb_open_flags_ex_oplock = -1;
317 static int hf_smb_open_flags_batch_oplock = -1;
318 static int hf_smb_open_flags_ealen = -1;
319 static int hf_smb_open_action_open = -1;
320 static int hf_smb_open_action_lock = -1;
321 static int hf_smb_vc_num = -1;
322 static int hf_smb_account = -1;
323 static int hf_smb_os = -1;
324 static int hf_smb_lanman = -1;
325 static int hf_smb_setup_action_guest = -1;
326 static int hf_smb_fs = -1;
327 static int hf_smb_connect_flags_dtid = -1;
328 static int hf_smb_connect_support_search = -1;
329 static int hf_smb_connect_support_in_dfs = -1;
330 static int hf_smb_max_setup_count = -1;
331 static int hf_smb_total_param_count = -1;
332 static int hf_smb_total_data_count = -1;
333 static int hf_smb_max_param_count = -1;
334 static int hf_smb_max_data_count = -1;
335 static int hf_smb_param_disp16 = -1;
336 static int hf_smb_param_count16 = -1;
337 static int hf_smb_param_offset16 = -1;
338 static int hf_smb_param_disp32 = -1;
339 static int hf_smb_param_count32 = -1;
340 static int hf_smb_param_offset32 = -1;
341 static int hf_smb_data_disp16 = -1;
342 static int hf_smb_data_count16 = -1;
343 static int hf_smb_data_offset16 = -1;
344 static int hf_smb_data_disp32 = -1;
345 static int hf_smb_data_count32 = -1;
346 static int hf_smb_data_offset32 = -1;
347 static int hf_smb_setup_count = -1;
348 static int hf_smb_nt_trans_subcmd = -1;
349 static int hf_smb_nt_ioctl_function_code = -1;
350 static int hf_smb_nt_ioctl_isfsctl = -1;
351 static int hf_smb_nt_ioctl_flags_root_handle = -1;
352 static int hf_smb_nt_ioctl_data = -1;
353 #ifdef SMB_UNUSED_HANDLES
354 static int hf_smb_nt_security_information = -1;
356 static int hf_smb_nt_notify_action = -1;
357 static int hf_smb_nt_notify_watch_tree = -1;
358 static int hf_smb_nt_notify_stream_write = -1;
359 static int hf_smb_nt_notify_stream_size = -1;
360 static int hf_smb_nt_notify_stream_name = -1;
361 static int hf_smb_nt_notify_security = -1;
362 static int hf_smb_nt_notify_ea = -1;
363 static int hf_smb_nt_notify_creation = -1;
364 static int hf_smb_nt_notify_last_access = -1;
365 static int hf_smb_nt_notify_last_write = -1;
366 static int hf_smb_nt_notify_size = -1;
367 static int hf_smb_nt_notify_attributes = -1;
368 static int hf_smb_nt_notify_dir_name = -1;
369 static int hf_smb_nt_notify_file_name = -1;
370 static int hf_smb_root_dir_fid = -1;
371 static int hf_smb_nt_create_disposition = -1;
372 static int hf_smb_sd_length = -1;
373 static int hf_smb_ea_length = -1;
374 static int hf_smb_file_name_len = -1;
375 static int hf_smb_nt_impersonation_level = -1;
376 static int hf_smb_nt_security_flags_context_tracking = -1;
377 static int hf_smb_nt_security_flags_effective_only = -1;
378 static int hf_smb_nt_access_mask_generic_read = -1;
379 static int hf_smb_nt_access_mask_generic_write = -1;
380 static int hf_smb_nt_access_mask_generic_execute = -1;
381 static int hf_smb_nt_access_mask_generic_all = -1;
382 static int hf_smb_nt_access_mask_maximum_allowed = -1;
383 static int hf_smb_nt_access_mask_system_security = -1;
384 static int hf_smb_nt_access_mask_synchronize = -1;
385 static int hf_smb_nt_access_mask_write_owner = -1;
386 static int hf_smb_nt_access_mask_write_dac = -1;
387 static int hf_smb_nt_access_mask_read_control = -1;
388 static int hf_smb_nt_access_mask_delete = -1;
389 static int hf_smb_nt_access_mask_write_attributes = -1;
390 static int hf_smb_nt_access_mask_read_attributes = -1;
391 static int hf_smb_nt_access_mask_delete_child = -1;
392 static int hf_smb_nt_access_mask_execute = -1;
393 static int hf_smb_nt_access_mask_write_ea = -1;
394 static int hf_smb_nt_access_mask_read_ea = -1;
395 static int hf_smb_nt_access_mask_append = -1;
396 static int hf_smb_nt_access_mask_write = -1;
397 static int hf_smb_nt_access_mask_read = -1;
398 static int hf_smb_nt_create_bits_oplock = -1;
399 static int hf_smb_nt_create_bits_boplock = -1;
400 static int hf_smb_nt_create_bits_dir = -1;
401 static int hf_smb_nt_create_bits_ext_resp = -1;
402 static int hf_smb_nt_create_options_directory_file = -1;
403 static int hf_smb_nt_create_options_write_through = -1;
404 static int hf_smb_nt_create_options_sequential_only = -1;
405 static int hf_smb_nt_create_options_sync_io_alert = -1;
406 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
407 static int hf_smb_nt_create_options_non_directory_file = -1;
408 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
409 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
410 static int hf_smb_nt_create_options_random_access = -1;
411 static int hf_smb_nt_create_options_delete_on_close = -1;
412 static int hf_smb_nt_share_access_read = -1;
413 static int hf_smb_nt_share_access_write = -1;
414 static int hf_smb_nt_share_access_delete = -1;
415 static int hf_smb_file_eattr_read_only = -1;
416 static int hf_smb_file_eattr_hidden = -1;
417 static int hf_smb_file_eattr_system = -1;
418 static int hf_smb_file_eattr_volume = -1;
419 static int hf_smb_file_eattr_directory = -1;
420 static int hf_smb_file_eattr_archive = -1;
421 static int hf_smb_file_eattr_device = -1;
422 static int hf_smb_file_eattr_normal = -1;
423 static int hf_smb_file_eattr_temporary = -1;
424 static int hf_smb_file_eattr_sparse = -1;
425 static int hf_smb_file_eattr_reparse = -1;
426 static int hf_smb_file_eattr_compressed = -1;
427 static int hf_smb_file_eattr_offline = -1;
428 static int hf_smb_file_eattr_not_content_indexed = -1;
429 static int hf_smb_file_eattr_encrypted = -1;
430 static int hf_smb_sec_desc_len = -1;
431 static int hf_smb_sec_desc_revision = -1;
432 static int hf_smb_sec_desc_type_owner_defaulted = -1;
433 static int hf_smb_sec_desc_type_group_defaulted = -1;
434 static int hf_smb_sec_desc_type_dacl_present = -1;
435 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
436 static int hf_smb_sec_desc_type_sacl_present = -1;
437 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
438 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
439 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
440 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
441 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
442 static int hf_smb_sec_desc_type_dacl_protected = -1;
443 static int hf_smb_sec_desc_type_sacl_protected = -1;
444 static int hf_smb_sec_desc_type_self_relative = -1;
445 static int hf_smb_sid = -1;
446 static int hf_smb_sid_revision = -1;
447 static int hf_smb_sid_num_auth = -1;
448 static int hf_smb_acl_revision = -1;
449 static int hf_smb_acl_size = -1;
450 static int hf_smb_acl_num_aces = -1;
451 static int hf_smb_ace_type = -1;
452 static int hf_smb_ace_size = -1;
453 static int hf_smb_ace_flags_object_inherit = -1;
454 static int hf_smb_ace_flags_container_inherit = -1;
455 static int hf_smb_ace_flags_non_propagate_inherit = -1;
456 static int hf_smb_ace_flags_inherit_only = -1;
457 static int hf_smb_ace_flags_inherited_ace = -1;
458 static int hf_smb_ace_flags_successful_access = -1;
459 static int hf_smb_ace_flags_failed_access = -1;
460 static int hf_smb_nt_qsd_owner = -1;
461 static int hf_smb_nt_qsd_group = -1;
462 static int hf_smb_nt_qsd_dacl = -1;
463 static int hf_smb_nt_qsd_sacl = -1;
464 static int hf_smb_extended_attributes = -1;
465 static int hf_smb_oplock_level = -1;
466 static int hf_smb_create_action = -1;
467 static int hf_smb_file_id = -1;
468 static int hf_smb_ea_error_offset = -1;
469 static int hf_smb_end_of_file = -1;
470 static int hf_smb_device_type = -1;
471 static int hf_smb_is_directory = -1;
472 static int hf_smb_next_entry_offset = -1;
473 static int hf_smb_change_time = -1;
474 static int hf_smb_setup_len = -1;
475 static int hf_smb_print_mode = -1;
476 static int hf_smb_print_identifier = -1;
477 static int hf_smb_restart_index = -1;
478 static int hf_smb_print_queue_date = -1;
479 static int hf_smb_print_queue_dos_date = -1;
480 static int hf_smb_print_queue_dos_time = -1;
481 static int hf_smb_print_status = -1;
482 static int hf_smb_print_spool_file_number = -1;
483 static int hf_smb_print_spool_file_size = -1;
484 static int hf_smb_print_spool_file_name = -1;
485 static int hf_smb_start_index = -1;
486 static int hf_smb_originator_name = -1;
487 static int hf_smb_destination_name = -1;
488 static int hf_smb_message_len = -1;
489 static int hf_smb_message = -1;
490 static int hf_smb_mgid = -1;
491 static int hf_smb_forwarded_name = -1;
492 static int hf_smb_machine_name = -1;
493 static int hf_smb_cancel_to = -1;
494 static int hf_smb_trans2_subcmd = -1;
495 static int hf_smb_trans_name = -1;
496 static int hf_smb_transaction_flags_dtid = -1;
497 static int hf_smb_transaction_flags_owt = -1;
498 static int hf_smb_search_count = -1;
499 static int hf_smb_search_pattern = -1;
500 static int hf_smb_ff2_backup = -1;
501 static int hf_smb_ff2_continue = -1;
502 static int hf_smb_ff2_resume = -1;
503 static int hf_smb_ff2_close_eos = -1;
504 static int hf_smb_ff2_close = -1;
505 static int hf_smb_ff2_information_level = -1;
506 static int hf_smb_qpi_loi = -1;
508 static int hf_smb_sfi_writetru = -1;
509 static int hf_smb_sfi_caching = -1;
511 static int hf_smb_storage_type = -1;
512 static int hf_smb_resume = -1;
513 static int hf_smb_max_referral_level = -1;
514 static int hf_smb_qfsi_information_level = -1;
515 static int hf_smb_ea_size = -1;
516 static int hf_smb_list_length = -1;
517 static int hf_smb_number_of_links = -1;
518 static int hf_smb_delete_pending = -1;
519 static int hf_smb_index_number = -1;
520 static int hf_smb_current_offset = -1;
521 static int hf_smb_t2_alignment = -1;
522 static int hf_smb_t2_stream_name_length = -1;
523 static int hf_smb_t2_stream_size = -1;
524 static int hf_smb_t2_stream_name = -1;
525 static int hf_smb_t2_compressed_file_size = -1;
526 static int hf_smb_t2_compressed_format = -1;
527 static int hf_smb_t2_compressed_unit_shift = -1;
528 static int hf_smb_t2_compressed_chunk_shift = -1;
529 static int hf_smb_t2_compressed_cluster_shift = -1;
530 static int hf_smb_dfs_path_consumed = -1;
531 static int hf_smb_dfs_num_referrals = -1;
532 static int hf_smb_get_dfs_server_hold_storage = -1;
533 static int hf_smb_get_dfs_fielding = -1;
534 static int hf_smb_dfs_referral_version = -1;
535 static int hf_smb_dfs_referral_size = -1;
536 static int hf_smb_dfs_referral_server_type = -1;
537 static int hf_smb_dfs_referral_flags_strip = -1;
538 static int hf_smb_dfs_referral_node_offset = -1;
539 static int hf_smb_dfs_referral_node = -1;
540 static int hf_smb_dfs_referral_proximity = -1;
541 static int hf_smb_dfs_referral_ttl = -1;
542 static int hf_smb_dfs_referral_path_offset = -1;
543 static int hf_smb_dfs_referral_path = -1;
544 static int hf_smb_dfs_referral_alt_path_offset = -1;
545 static int hf_smb_dfs_referral_alt_path = -1;
546 static int hf_smb_end_of_search = -1;
547 static int hf_smb_last_name_offset = -1;
548 static int hf_smb_fn_information_level = -1;
549 static int hf_smb_monitor_handle = -1;
550 static int hf_smb_change_count = -1;
551 static int hf_smb_file_index = -1;
552 static int hf_smb_short_file_name = -1;
553 static int hf_smb_short_file_name_len = -1;
554 static int hf_smb_fs_id = -1;
555 static int hf_smb_sector_unit = -1;
556 static int hf_smb_fs_units = -1;
557 static int hf_smb_fs_sector = -1;
558 static int hf_smb_avail_units = -1;
559 static int hf_smb_volume_serial_num = -1;
560 static int hf_smb_volume_label_len = -1;
561 static int hf_smb_volume_label = -1;
562 static int hf_smb_free_alloc_units64 = -1;
563 static int hf_smb_caller_free_alloc_units64 = -1;
564 static int hf_smb_actual_free_alloc_units64 = -1;
565 static int hf_smb_max_name_len = -1;
566 static int hf_smb_fs_name_len = -1;
567 static int hf_smb_fs_name = -1;
568 static int hf_smb_device_char_removable = -1;
569 static int hf_smb_device_char_read_only = -1;
570 static int hf_smb_device_char_floppy = -1;
571 static int hf_smb_device_char_write_once = -1;
572 static int hf_smb_device_char_remote = -1;
573 static int hf_smb_device_char_mounted = -1;
574 static int hf_smb_device_char_virtual = -1;
575 static int hf_smb_fs_attr_css = -1;
576 static int hf_smb_fs_attr_cpn = -1;
577 static int hf_smb_fs_attr_pacls = -1;
578 static int hf_smb_fs_attr_fc = -1;
579 static int hf_smb_fs_attr_vq = -1;
580 static int hf_smb_fs_attr_dim = -1;
581 static int hf_smb_fs_attr_vic = -1;
582 static int hf_smb_quota_flags_enabled = -1;
583 static int hf_smb_quota_flags_deny_disk = -1;
584 static int hf_smb_quota_flags_log_limit = -1;
585 static int hf_smb_quota_flags_log_warning = -1;
586 static int hf_smb_soft_quota_limit = -1;
587 static int hf_smb_hard_quota_limit = -1;
588 static int hf_smb_user_quota_used = -1;
589 static int hf_smb_user_quota_offset = -1;
590 static int hf_smb_nt_rename_level = -1;
591 static int hf_smb_cluster_count = -1;
592 static int hf_smb_segments = -1;
593 static int hf_smb_segment = -1;
594 static int hf_smb_segment_overlap = -1;
595 static int hf_smb_segment_overlap_conflict = -1;
596 static int hf_smb_segment_multiple_tails = -1;
597 static int hf_smb_segment_too_long_fragment = -1;
598 static int hf_smb_segment_error = -1;
599 static int hf_smb_pipe_write_len = -1;
/*
 * Subtree ids for the SMB dissector, one per ett_smb_* variable in the run
 * that follows, each starting at -1. Their use is not visible in this
 * listing; by Ethereal naming convention an ett_ id identifies one
 * expandable subtree of the protocol tree - confirm at the registration.
 */
601 static gint ett_smb = -1;
602 static gint ett_smb_hdr = -1;
603 static gint ett_smb_command = -1;
604 static gint ett_smb_fileattributes = -1;
605 static gint ett_smb_capabilities = -1;
606 static gint ett_smb_aflags = -1;
607 static gint ett_smb_dialect = -1;
608 static gint ett_smb_dialects = -1;
609 static gint ett_smb_mode = -1;
610 static gint ett_smb_rawmode = -1;
611 static gint ett_smb_flags = -1;
612 static gint ett_smb_flags2 = -1;
613 static gint ett_smb_desiredaccess = -1;
614 static gint ett_smb_search = -1;
615 static gint ett_smb_file = -1;
616 static gint ett_smb_openfunction = -1;
617 static gint ett_smb_filetype = -1;
618 static gint ett_smb_openaction = -1;
619 static gint ett_smb_writemode = -1;
620 static gint ett_smb_lock_type = -1;
621 static gint ett_smb_ssetupandxaction = -1;
622 static gint ett_smb_optionsup = -1;
623 static gint ett_smb_time_date = -1;
624 static gint ett_smb_move_copy_flags = -1;
625 static gint ett_smb_file_attributes = -1;
626 static gint ett_smb_search_resume_key = -1;
627 static gint ett_smb_search_dir_info = -1;
628 static gint ett_smb_unlocks = -1;
629 static gint ett_smb_unlock = -1;
630 static gint ett_smb_locks = -1;
631 static gint ett_smb_lock = -1;
632 static gint ett_smb_open_flags = -1;
633 static gint ett_smb_ipc_state = -1;
634 static gint ett_smb_open_action = -1;
635 static gint ett_smb_setup_action = -1;
636 static gint ett_smb_connect_flags = -1;
637 static gint ett_smb_connect_support_bits = -1;
638 static gint ett_smb_nt_access_mask = -1;
639 static gint ett_smb_nt_create_bits = -1;
640 static gint ett_smb_nt_create_options = -1;
641 static gint ett_smb_nt_share_access = -1;
642 static gint ett_smb_nt_security_flags = -1;
643 static gint ett_smb_nt_trans_setup = -1;
644 static gint ett_smb_nt_trans_data = -1;
645 static gint ett_smb_nt_trans_param = -1;
646 static gint ett_smb_nt_notify_completion_filter = -1;
647 static gint ett_smb_nt_ioctl_flags = -1;
648 static gint ett_smb_security_information_mask = -1;
649 static gint ett_smb_print_queue_entry = -1;
650 static gint ett_smb_transaction_flags = -1;
651 static gint ett_smb_transaction_params = -1;
652 static gint ett_smb_find_first2_flags = -1;
653 static gint ett_smb_mac_support_flags = -1;
655 static gint ett_smb_ioflag = -1;
657 static gint ett_smb_transaction_data = -1;
658 static gint ett_smb_stream_info = -1;
659 static gint ett_smb_dfs_referrals = -1;
660 static gint ett_smb_dfs_referral = -1;
661 static gint ett_smb_dfs_referral_flags = -1;
662 static gint ett_smb_get_dfs_flags = -1;
663 static gint ett_smb_ff2_data = -1;
664 static gint ett_smb_device_characteristics = -1;
665 static gint ett_smb_fs_attributes = -1;
666 static gint ett_smb_segments = -1;
667 static gint ett_smb_segment = -1;
668 static gint ett_smb_sec_desc = -1;
669 static gint ett_smb_sid = -1;
670 static gint ett_smb_acl = -1;
671 static gint ett_smb_ace = -1;
672 static gint ett_smb_ace_flags = -1;
673 static gint ett_smb_sec_desc_type = -1;
674 static gint ett_smb_quotaflags = -1;
675 static gint ett_smb_secblob = -1;
676 static gint ett_smb_unicode_password = -1;
678 static int smb_tap = -1;
680 static dissector_handle_t gssapi_handle = NULL;
681 static dissector_handle_t ntlmssp_handle = NULL;
683 static const fragment_items smb_frag_items = {
689 &hf_smb_segment_overlap,
690 &hf_smb_segment_overlap_conflict,
691 &hf_smb_segment_multiple_tails,
692 &hf_smb_segment_too_long_fragment,
693 &hf_smb_segment_error,
/*
 * NOTE(review): declared without static, so this pointer has external
 * linkage and can be read or written from other files. Where it is set
 * and cleared is not visible in this listing; a value left over from an
 * earlier packet would be a dangling tree pointer, so confirm that it is
 * reset for every dissection.
 */
699 proto_tree *top_tree=NULL; /* ugly */
701 static char *decode_smb_name(unsigned char);
702 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
705 * Macros for use in the main dissector routines for an SMB.
710 wc = tvb_get_guint8(tvb, offset); \
711 proto_tree_add_uint(tree, hf_smb_word_count, \
712 tvb, offset, 1, wc); \
714 if(wc==0) goto bytecount;
718 bc = tvb_get_letohs(tvb, offset); \
719 proto_tree_add_uint(tree, hf_smb_byte_count, \
720 tvb, offset, 2, bc); \
722 if(bc==0) goto endofcommand;
/*
 * Length guard for the main dissector routines: when bc is smaller than
 * len, control jumps to the endofcommand label of the function that used
 * the macro. Both bc and that label must exist at the point of use.
 * bc is filled from the packet itself with tvb_get_letohs() earlier in
 * this file, so it is a sender-declared count, not the number of bytes
 * that were captured.
 * NOTE(review): the expansion is a bare if statement and len is not
 * parenthesised, so pass a simple expression and never follow the macro
 * with else. Wrapping it in do { } while (0) would change how call sites
 * must be punctuated, and those call sites are not visible here.
 * NOTE(review): presumably the tvb accessors enforce the real buffer
 * bounds independently of bc - confirm before relying on this check alone.
 */
724 #define CHECK_BYTE_COUNT(len) \
725 if (bc < len) goto endofcommand;
727 #define COUNT_BYTES(len) {\
736 proto_tree_add_text(tree, tvb, offset, bc, \
737 "Extra byte parameters"); \
743 * Macros for use in routines called by them.
745 #define CHECK_BYTE_COUNT_SUBR(len) \
751 #define CHECK_STRING_SUBR(fn) \
757 #define COUNT_BYTES_SUBR(len) \
762 * Macros for use when dissecting transaction parameters and data
/*
 * Length guard for the transaction parameter and data dissectors: returns
 * the current offset to the caller when bc is smaller than len, so the
 * dissection stops instead of reading fields the count does not cover.
 * Needs bc and offset in scope at the point of use.
 * NOTE(review): bare if statement with len unparenthesised; pass a simple
 * expression and do not follow the macro with else.
 */
764 #define CHECK_BYTE_COUNT_TRANS(len) \
765 if (bc < len) return offset;
/*
 * Stops the dissection (returns offset) when fn is NULL.
 * NOTE(review): presumably fn is the result of a string-fetch helper that
 * yields NULL on failure - confirm against the call sites, which are not
 * visible in this listing.
 */
767 #define CHECK_STRING_TRANS(fn) \
768 if (fn == NULL) return offset;
770 #define COUNT_BYTES_TRANS(len) \
775 * Macros for use in subroutines dissecting transaction parameters or data
/*
 * Same length guard as used by the transaction dissectors, for helpers
 * that receive the remaining byte count through a pointer: returns offset
 * when the value behind bcp is smaller than len. Needs bcp and offset in
 * scope at the point of use.
 * NOTE(review): bcp is dereferenced without a NULL test; confirm that
 * every caller passes a valid pointer. The expansion is a bare if
 * statement and len is not parenthesised.
 */
777 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
778 if (*bcp < len) return offset;
/*
 * Stops the helper (returns offset) when fn is NULL.
 * NOTE(review): presumably fn is the result of a string-fetch helper that
 * yields NULL on failure - confirm against the call sites.
 */
780 #define CHECK_STRING_TRANS_SUBR(fn) \
781 if (fn == NULL) return offset;
783 #define COUNT_BYTES_TRANS_SUBR(len) \
788 gboolean sid_name_snooping = FALSE;
790 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
791 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
792 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
793 static gboolean smb_trans_reassembly = FALSE;
794 gboolean smb_dcerpc_reassembly = FALSE;
796 static GHashTable *smb_trans_fragment_table = NULL;
799 smb_trans_reassembly_init(void)
801 fragment_table_init(&smb_trans_fragment_table);
/*
 * Reassembly helper for SMB transaction payloads that are split over
 * several SMBs. Only part of the body is present in this listing. What is
 * visible: the fragment is handed to fragment_add() with the frame number
 * of the request (si->sip->frame_req) as the reassembly id, and
 * fragment_get() looks an existing reassembly up under the same id.
 *
 *   offset  passed to fragment_add() as the start of the fragment in tvb
 *   count   passed to fragment_add() as the length of this fragment
 *   pos     passed to fragment_add() as the position within the whole
 *   totlen  total length; used here to decide if more fragments follow
 *
 * NOTE(review): count, pos and totlen are plain int and the callers are
 * not shown. Presumably they are taken from transaction header fields in
 * the packet; if so they are sender-controlled and size the reassembly,
 * so confirm that the callers bound them.
 */
804 static fragment_data *
805 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
806 int offset, int count, int pos, int totlen)
808 fragment_data *fd_head=NULL;
/*
 * More fragments are expected while the declared total exceeds the end of
 * this fragment. NOTE(review): pos + count is formed in signed int;
 * confirm that negative or oversized values are rejected before this sum
 * is evaluated.
 */
812 more_frags=totlen>(pos+count);
814 si = (smb_info_t *)pinfo->private_data;
815 if (si->sip == NULL) {
817 * We don't have the frame number of the request.
819 * XXX - is there truly nothing we can do here?
820 * Can we not separately keep track of the original
821 * transaction and its continuations, as we did
824 * There is probably not much point in even trying to do something here
825 * if we have never seen the initial request. Without the initial
826 * request we probably miss all parameters and the beginning of data
827 * so we can't even call a subdissector since we cannot determine
828 * which type of transaction call this is.
833 if(!pinfo->fd->flags.visited){
834 fd_head = fragment_add(tvb, offset, pinfo,
835 si->sip->frame_req, smb_trans_fragment_table,
836 pos, count, more_frags);
838 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
841 /* we only show the defragmented packet for the first fragment,
842 or else we might end up with dissecting one HUGE transaction PDU
843 a LOT of times. (first fragment is the only one containing the setup
845 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
846 SMBs. Takes a LOT of time dissecting and is not fun.
848 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
859 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
860 These variables and functions are used to match
862 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
864 * The information we need to save about a request in order to show the
865 * frame number of the request in the dissection of the reply.
870 } smb_saved_info_key_t;
872 static GMemChunk *smb_saved_info_key_chunk = NULL;
873 static GMemChunk *smb_saved_info_chunk = NULL;
874 static int smb_saved_info_init_count = 200;
876 /* unmatched smb_saved_info structures.
877 For unmatched smb_saved_info structures we store the smb_saved_info
878 structure using the MID and the PID as the key.
880 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
881 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
882 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
/* Equality callback for keys of the "unmatched" table.  Each key pointer
   is reinterpreted as a 32-bit integer rather than dereferenced.
   NOTE(review): a direct pointer-to-guint32 cast narrows on platforms with
   64-bit pointers and is flagged by compilers.  The packed value only
   needs 32 bits (PID in the upper 16, MID in the lower 16), so nothing is
   lost, but GLib's GPOINTER_TO_UINT() expresses the same thing portably. */
885 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
887 register guint32 key1 = (guint32)k1;
888 register guint32 key2 = (guint32)k2;
/* Hash callback for the "unmatched" table: the key pointer is read as a
   32-bit integer, the same packing smb_saved_info_equal_unmatched() uses.
   NOTE(review): same pointer-to-guint32 cast as the equality callback;
   GPOINTER_TO_UINT() is the portable form. */
892 smb_saved_info_hash_unmatched(gconstpointer k)
894 register guint32 key = (guint32)k;
898 /* matched smb_saved_info structures.
899 For matched smb_saved_info structures we store the smb_saved_info
900 structure twice in the table using the frame number, and a combination
901 of the MID and the PID, as the key.
902 The frame number is guaranteed to be unique but if ever someone makes
903 some change that will renumber the frames in a capture we are in BIG trouble.
904 This is not likely though since that would break (among other things) all the
905 reassembly routines as well.
907 We also need the MID as there may be more than one SMB request or reply
908 in a single frame, and we also need the PID as there may be more than
909 one outstanding request with the same MID and different PIDs.
/* Equality callback for "matched" keys: two keys are equal only when both
   the frame number and the combined PID/MID value agree. */
912 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
914 const smb_saved_info_key_t *key1 = k1;
915 const smb_saved_info_key_t *key2 = k2;
916 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
/* Hash callback for "matched" keys: the sum of frame and pid_mid.
   Different keys can produce the same sum; that only costs extra
   comparisons in whatever table uses this hash. */
919 smb_saved_info_hash_matched(gconstpointer k)
921 const smb_saved_info_key_t *key = k;
922 return key->frame + key->pid_mid;
925 static GMemChunk *smb_nt_transact_info_chunk = NULL;
926 static int smb_nt_transact_info_init_count = 200;
928 static GMemChunk *smb_transact2_info_chunk = NULL;
929 static int smb_transact2_info_init_count = 200;
932 * The information we need to save about a Transaction request in order
933 * to dissect the reply; this includes information for use by the
934 * Remote API dissector.
936 static GMemChunk *smb_transact_info_chunk = NULL;
937 static int smb_transact_info_init_count = 200;
939 static GMemChunk *conv_tables_chunk = NULL;
940 static GSList *conv_tables = NULL;
941 static int conv_tables_count = 10;
944 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
945 End of request/response matching functions
946 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
948 static const value_string buffer_format_vals[] = {
953 {5, "Variable Block"},
958 * UTIME - this is *almost* like a UNIX time stamp, except that it's
959 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
960 * January 1, 1970, 00:00:00 GMT.
962 * This means we have to do some extra work to convert it. This code is
963 * based on the Samba code:
965 * Unix SMB/Netbios implementation.
967 * time handling functions
968 * Copyright (C) Andrew Tridgell 1992-1998
972 * Yield the difference between *A and *B, in seconds, ignoring leap
975 #define TM_YEAR_BASE 1900
/* Build the difference *a - *b in seconds from the broken-down fields.
   ay and by are the calendar years minus one, so the /4, /100 and /400
   terms count the leap days in the years completed before each date.
   Everything is computed in int.
   NOTE(review): an int result overflows for differences of more than
   about 68 years when int is 32 bits.  The visible caller presumably
   passes two conversions of the same time_t, where the difference is
   small. */
978 tm_diff(struct tm *a, struct tm *b)
980 int ay = a->tm_year + (TM_YEAR_BASE - 1);
981 int by = b->tm_year + (TM_YEAR_BASE - 1);
982 int intervening_leap_days =
983 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
986 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
987 int hours = 24*days + (a->tm_hour - b->tm_hour);
988 int minutes = 60*hours + (a->tm_min - b->tm_min);
989 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
995 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1001 struct tm *tm = gmtime(&t);
1010 return tm_diff(&tm_utc,tm);
1014 * Return the same value as TimeZone, but it should be more efficient.
1016 * We keep a table of DST offsets to prevent calling localtime() on each
1017 * call of this function. This saves a LOT of time on many unixes.
1019 * Updated by Paul Eggert <eggert@twinsun.com>
/* Smallest and largest values a time_t can hold.  The first arm of the
   conditional detects an unsigned time_t (minimum 0); otherwise the
   minimum is the sign bit alone.
   NOTE(review): for a signed time_t this left-shifts ~0, a negative
   value, which C99 leaves undefined; mainstream compilers yield the
   expected minimum.  CHAR_BIT comes from <limits.h>. */
1026 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1027 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
1030 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
/* Cached time zone lookup.  A function-static table of [start,end]
   intervals, each with its zone offset, is scanned linearly.  On a hit
   the stored zone is used; otherwise the table grows by one entry, which
   is then widened in both directions for as long as TimeZone() keeps
   reporting the same zone.
   NOTE(review): the table is static and only grows in the code shown,
   and t ultimately derives from timestamps in dissected packets (via
   LocTimeDiff()), so its size follows capture contents.  Widening each
   entry over the surrounding run of identical zone values should keep the
   entry count small; confirm there is a sensible upper bound. */
1034 TimeZoneFaster(time_t t)
1036 static struct dst_table {time_t start,end; int zone;} *tdt;
1037 static struct dst_table *dst_table = NULL;
1038 static int table_size = 0;
1045 /* Tunis has a 8 day DST region, we need to be careful ... */
1046 #define MAX_DST_WIDTH (365*24*60*60)
1047 #define MAX_DST_SKIP (7*24*60*60)
/* Linear scan for an interval that already contains t. */
1049 for (i = 0; i < table_size; i++) {
1050 if (t >= dst_table[i].start && t <= dst_table[i].end)
1054 if (i < table_size) {
1055 zone = dst_table[i].zone;
/* Make room for one more entry (i+1 slots).  g_malloc() and g_realloc()
   abort the program on allocation failure instead of returning NULL. */
1060 if (dst_table == NULL)
1061 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1063 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
/* The new entry starts out covering the single instant t. */
1072 dst_table[i].zone = zone;
1073 dst_table[i].start = dst_table[i].end = t;
1075 /* no entry will cover more than 6 months */
1076 low = t - MAX_DST_WIDTH/2;
1080 high = t + MAX_DST_WIDTH/2;
1085 * Widen the new entry using two bisection searches.
/* Push start back towards low: probe a point and accept it as the new
   start when TimeZone() still reports the same zone. */
1087 while (low+60*60 < dst_table[i].start) {
1088 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1089 t = dst_table[i].start - MAX_DST_SKIP;
1091 t = low + (dst_table[i].start-low)/2;
1092 if (TimeZone(t) == zone)
1093 dst_table[i].start = t;
/* Same search in the other direction, pushing end towards high. */
1098 while (high-60*60 > dst_table[i].end) {
1099 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1100 t = dst_table[i].end + MAX_DST_SKIP;
1102 t = high - (high-dst_table[i].end)/2;
1103 if (TimeZone(t) == zone)
1104 dst_table[i].end = t;
1114 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1115 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1116 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1117 * daylight savings transitions because some local times are ambiguous.
1118 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
/* Two-step estimate of the UTC offset for a local time value: take the
   zone offset at lt, form an adjusted time t, and return the zone offset
   at t.  The computation of t is not among the lines shown; presumably
   it is lt + d.
   NOTE(review): the XOR test detects a wrapped t after the fact.  If t is
   computed as lt + d on a signed time_t, the overflow being tested for is
   itself undefined behaviour in C, so a range check made before the
   addition would be more robust. */
1121 LocTimeDiff(time_t lt)
1123 int d = TimeZoneFaster(lt);
1126 /* if overflow occurred, ignore all the adjustments so far */
1127 if (((t < lt) ^ (d < 0)))
1131 * Now t should be close enough to the true UTC to yield the
1134 return TimeZoneFaster(t);
/* Dissect a 4-byte little-endian UTIME at offset.  The all-ones value is
   shown as "No time specified"; any other value has LocTimeDiff() added
   to it and is put in the tree as hf_date.  The value is read straight
   from the packet and the sentinel is the only special case visible
   here. */
1138 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1143 timeval = tvb_get_letohl(tvb, offset);
1144 if (timeval == 0xffffffff) {
1145 proto_tree_add_text(tree, tvb, offset, 4,
1146 "%s: No time specified (0xffffffff)",
1147 proto_registrar_get_name(hf_date));
1153 * We add the local time offset.
1155 ts.secs = timeval + LocTimeDiff(timeval);
1158 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1164 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1167 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1169 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1170 * midnight "UTC", in 100ns units.
1171 * Return TRUE if the conversion succeeds, FALSE otherwise.
1173 * According to the Samba code, it appears to be kludge-GMT (at least for
1174 * file listings). This means it's the GMT you get by taking a local time
1175 * and adding the server time zone offset. This is NOT the same as GMT in
1176 * some cases. However, we don't know the server time zone, so we don't
1177 * do that adjustment.
1179 * This code is based on the Samba code:
1181 * Unix SMB/Netbios implementation.
1183 * time handling functions
1184 * Copyright (C) Andrew Tridgell 1992-1998
/* Convert a FILETIME, passed as its high and low 32-bit halves, into *tv.
   The arithmetic is done in double precision.  Both halves come from the
   packet, so the range test against the time_t limits is what keeps the
   value within what time_t can represent before it is stored in
   tv->secs (presumably assigned from d on a line not shown). */
1187 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1190 /* The next two lines are a fix needed for the
1191 broken SCO compiler. JRA. */
1192 time_t l_time_min = TIME_T_MIN;
1193 time_t l_time_max = TIME_T_MAX;
/* A zero high word is treated as a special case. */
1195 if (filetime_high == 0)
1199 * Get the time as a double, in seconds and fractional seconds.
/* 4.0 * 2^30 is 2^32: scale the high word to its place value. */
1201 d = ((double)filetime_high)*4.0*(double)(1<<30);
1205 /* Now adjust by 369 years, to make the seconds since 1970. */
1206 d -= TIME_FIXUP_CONSTANT;
/* Reject anything outside the representable time_t range. */
1208 if (!(l_time_min <= d && d <= l_time_max))
1212 * Get the time as seconds and nanoseconds.
1215 tv->nsecs = (d - tv->secs)*1000000000;
/* Dissect an 8-byte FILETIME at offset, read as two little-endian 32-bit
   words (low word first).  Three sentinel values are shown as text:
   all zero ("No time specified"), high 0x80000000 with low 0 ("Infinity
   (relative time)") and high 0x7fffffff with low 0xffffffff ("Infinity
   (absolute time)").  Anything else goes through nt_time_to_nstime();
   when that fails the field is shown as "Time can't be converted"
   instead of a time value.  No explicit length check is visible here;
   the tvb accessors are relied on for that. */
1221 dissect_smb_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1223 guint32 filetime_high, filetime_low;
1226 /* XXX there seems also to be another special time value which is fairly common :
1228 the meaning of this one is yet unknown
1231 filetime_low = tvb_get_letohl(tvb, offset);
1232 filetime_high = tvb_get_letohl(tvb, offset + 4);
1233 if (filetime_low == 0 && filetime_high == 0) {
1234 proto_tree_add_text(tree, tvb, offset, 8,
1235 "%s: No time specified (0)",
1236 proto_registrar_get_name(hf_date));
1237 } else if(filetime_low==0 && filetime_high==0x80000000){
1238 proto_tree_add_text(tree, tvb, offset, 8,
1239 "%s: Infinity (relative time)",
1240 proto_registrar_get_name(hf_date));
1241 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1242 proto_tree_add_text(tree, tvb, offset, 8,
1243 "%s: Infinity (absolute time)",
1244 proto_registrar_get_name(hf_date));
1246 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1247 proto_tree_add_time(tree, hf_date, tvb,
1250 proto_tree_add_text(tree, tvb, offset, 8,
1251 "%s: Time can't be converted",
1252 proto_registrar_get_name(hf_date));
/* Dissect a 4-byte DOS date/time pair at offset.  time_first selects
   which 16-bit half holds the time.  The packed fields are unpacked into
   a struct tm, range-checked, and passed to mktime(); a value that fails
   the checks is shown as text rather than as a time.  In both cases a
   subtree with the raw DOS date and DOS time is added. */
1262 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1263 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1265 guint16 dos_time, dos_date;
1266 proto_item *item = NULL;
1267 proto_tree *tree = NULL;
1270 static const int mday_noleap[12] = {
1271 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1273 static const int mday_leap[12] = {
1274 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1276 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1280 dos_time = tvb_get_letohs(tvb, offset);
1281 dos_date = tvb_get_letohs(tvb, offset+2);
1283 dos_date = tvb_get_letohs(tvb, offset);
1284 dos_time = tvb_get_letohs(tvb, offset+2);
/* All-ones and all-zero pairs both mean that no time was given.
   NOTE(review): dos_date is promoted to int before the shift below, so
   0xffff << 16 leaves the range of a 32-bit int; casting to guint32
   first would make the expression well defined. */
1287 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1288 (dos_date == 0 && dos_time == 0)) {
1290 * No date/time specified.
1293 proto_tree_add_text(parent_tree, tvb, offset, 4,
1294 "%s: No time specified (0x%08x)",
1295 proto_registrar_get_name(hf_date),
1296 (dos_date << 16) | dos_time);
/* Unpack the bit fields.  Seconds are stored in units of two, the month
   is 1-based on the wire and the year counts from 1980.
   The range test further down checks tm_mon before either mday_* table
   is indexed in the same || chain, so the index is 0..11 when used.
   NOTE(review): a day field of 0 gives tm_mday == 0, which passes that
   test because only the upper bound is checked; mktime() would then
   normalise it to the last day of the previous month.  Rejecting
   tm_mday < 1 as well would flag such values as invalid. */
1302 tm.tm_sec = (dos_time&0x1f)*2;
1303 tm.tm_min = (dos_time>>5)&0x3f;
1304 tm.tm_hour = (dos_time>>11)&0x1f;
1305 tm.tm_mday = dos_date&0x1f;
1306 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1307 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1311 * Do some sanity checks before calling "mktime()";
1312 * "mktime()" doesn't do them, it "normalizes" out-of-range
1315 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1316 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1317 (ISLEAP(tm.tm_year + 1900) ?
1318 tm.tm_mday > mday_leap[tm.tm_mon] :
1319 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1320 (t = mktime(&tm)) == -1) {
1322 * Invalid date/time.
1325 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1327 proto_registrar_get_name(hf_date));
1328 tree = proto_item_add_subtree(item, ett_smb_time_date);
1330 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1331 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1333 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1334 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1345 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1346 tree = proto_item_add_subtree(item, ett_smb_time_date);
1348 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1349 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1351 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1352 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1362 static const value_string da_access_vals[] = {
1363 { 0, "Open for reading"},
1364 { 1, "Open for writing"},
1365 { 2, "Open for reading and writing"},
1366 { 3, "Open for execute"},
1369 static const value_string da_sharing_vals[] = {
1370 { 0, "Compatibility mode"},
1371 { 1, "Deny read/write/execute (exclusive)"},
1373 { 3, "Deny read/execute"},
1377 static const value_string da_locality_vals[] = {
1378 { 0, "Locality of reference unknown"},
1379 { 1, "Mainly sequential access"},
1380 { 2, "Mainly random access"},
1381 { 3, "Random access with some locality"},
1384 static const true_false_string tfs_da_caching = {
1385 "Do not cache this file",
1386 "Caching permitted on this file"
1388 static const true_false_string tfs_da_writetru = {
1389 "Write through enabled",
1390 "Write through disabled"
/* Dissect a 2-byte little-endian access mask at offset.  type is a label
   supplied by the caller and is only ever passed as a %s argument to a
   literal format string.  The same 16-bit value is handed to five
   fields (write-through, caching, locality, sharing, mode); each hf_
   field presumably carries its own bitmask, set where it is
   registered. */
1393 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, char *type)
1396 proto_item *item = NULL;
1397 proto_tree *tree = NULL;
1399 mask = tvb_get_letohs(tvb, offset);
1402 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1403 "%s Access: 0x%04x", type, mask);
1404 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1407 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1408 tvb, offset, 2, mask);
1409 proto_tree_add_boolean(tree, hf_smb_access_caching,
1410 tvb, offset, 2, mask);
1411 proto_tree_add_uint(tree, hf_smb_access_locality,
1412 tvb, offset, 2, mask);
1413 proto_tree_add_uint(tree, hf_smb_access_sharing,
1414 tvb, offset, 2, mask);
1415 proto_tree_add_uint(tree, hf_smb_access_mode,
1416 tvb, offset, 2, mask);
1423 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1424 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1425 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1426 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1427 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1428 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1429 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1430 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1431 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1432 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1433 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1434 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1435 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1436 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1437 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1439 static const true_false_string tfs_file_attribute_read_only = {
1440 "This file is READ ONLY",
1441 "This file is NOT read only",
1443 static const true_false_string tfs_file_attribute_hidden = {
1444 "This is a HIDDEN file",
1445 "This is NOT a hidden file"
1447 static const true_false_string tfs_file_attribute_system = {
1448 "This is a SYSTEM file",
1449 "This is NOT a system file"
1451 static const true_false_string tfs_file_attribute_volume = {
1452 "This is a VOLUME ID",
1453 "This is NOT a volume ID"
1455 static const true_false_string tfs_file_attribute_directory = {
1456 "This is a DIRECTORY",
1457 "This is NOT a directory"
1459 static const true_false_string tfs_file_attribute_archive = {
1460 "This file has been modified since last ARCHIVE",
1461 "This file has NOT been modified since last archive"
1463 static const true_false_string tfs_file_attribute_device = {
1465 "This is NOT a device"
1467 static const true_false_string tfs_file_attribute_normal = {
1468 "This file is an ordinary file",
1469 "This file has some attribute set"
1471 static const true_false_string tfs_file_attribute_temporary = {
1472 "This is a TEMPORARY file",
1473 "This is NOT a temporary file"
1475 static const true_false_string tfs_file_attribute_sparse = {
1476 "This is a SPARSE file",
1477 "This is NOT a sparse file"
1479 static const true_false_string tfs_file_attribute_reparse = {
1480 "This file has an associated REPARSE POINT",
1481 "This file does NOT have an associated reparse point"
1483 static const true_false_string tfs_file_attribute_compressed = {
1484 "This is a COMPRESSED file",
1485 "This is NOT a compressed file"
1487 static const true_false_string tfs_file_attribute_offline = {
1488 "This file is OFFLINE",
1489 "This file is NOT offline"
1491 static const true_false_string tfs_file_attribute_not_content_indexed = {
1492 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1493 "This file MAY be indexed by the content indexing service"
1495 static const true_false_string tfs_file_attribute_encrypted = {
1496 "This is an ENCRYPTED file",
1497 "This is NOT an encrypted file"
1501 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1502 * listed as USHORT, and seem to be in packets in the wild, while in other
1503 * places they are listed as ULONG, and also seem to be.
1505 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
/* Dissect a file attributes field that is either 2 or 4 bytes wide on the
   wire, as chosen by the caller through bytes.  Any other width is a
   caller error and is reported on stderr.  Only 16 bits are fetched for
   the mask even when bytes is 4 (see the existing FIXME), while the
   items are added with a length of bytes. */
1510 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1514 proto_item *item = NULL;
1515 proto_tree *tree = NULL;
1517 if (bytes != 2 && bytes != 4) {
1519 fprintf(stderr, "Incorrect number of bytes passed to dissect_file_attributes.\nMust be 2 or 4, was %d\n", bytes);
1525 * The actual bits of interest appear to only be a USHORT
1527 /* FIXME if this ever changes! */
1528 mask = tvb_get_letohs(tvb, offset);
1531 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1532 "File Attributes: 0x%08x", mask);
1533 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1535 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1536 tvb, offset, bytes, mask);
1537 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1538 tvb, offset, bytes, mask);
1539 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1540 tvb, offset, bytes, mask);
1541 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1542 tvb, offset, bytes, mask);
1543 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1544 tvb, offset, bytes, mask);
1545 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1546 tvb, offset, bytes, mask);
1547 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1548 tvb, offset, bytes, mask);
1549 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1550 tvb, offset, bytes, mask);
1551 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1552 tvb, offset, bytes, mask);
1553 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1554 tvb, offset, bytes, mask);
1555 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1556 tvb, offset, bytes, mask);
1557 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1558 tvb, offset, bytes, mask);
1559 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1560 tvb, offset, bytes, mask);
1561 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1562 tvb, offset, bytes, mask);
1563 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1564 tvb, offset, bytes, mask);
/* Dissect a 4-byte little-endian extended file attributes field at
   offset.  The 32-bit mask is shown as text and then handed to one
   hf_smb_file_eattr_* boolean per attribute bit, all covering the same
   four bytes. */
1573 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1576 proto_item *item = NULL;
1577 proto_tree *tree = NULL;
1579 mask = tvb_get_letohl(tvb, offset);
1582 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1583 "File Attributes: 0x%08x", mask);
1584 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1588 * XXX - Network Monitor disagrees on some of the
1589 * bits, e.g. the bits above temporary are "atomic write"
1590 * and "transaction write", and it says nothing about the
1593 * Does the Win32 API documentation, or the NT Native API book,
1596 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1597 tvb, offset, 4, mask);
1598 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1599 tvb, offset, 4, mask);
1600 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1601 tvb, offset, 4, mask);
1602 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1603 tvb, offset, 4, mask);
1604 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1605 tvb, offset, 4, mask);
1606 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1607 tvb, offset, 4, mask);
1608 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1609 tvb, offset, 4, mask);
1610 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1611 tvb, offset, 4, mask);
1612 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1613 tvb, offset, 4, mask);
1614 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1615 tvb, offset, 4, mask);
1616 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1617 tvb, offset, 4, mask);
1618 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1619 tvb, offset, 4, mask);
1620 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1621 tvb, offset, 4, mask);
1622 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1623 tvb, offset, 4, mask);
1624 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1625 tvb, offset, 4, mask);
/* Dissect the single-byte file attributes field used in directory info
   entries.  The byte is shown as text and then handed to the six 8-bit
   attribute booleans (read only, hidden, system, volume, directory,
   archive). */
1633 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1636 proto_item *item = NULL;
1637 proto_tree *tree = NULL;
1639 mask = tvb_get_guint8(tvb, offset);
1642 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1643 "File Attributes: 0x%02x", mask);
1644 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1646 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1647 tvb, offset, 1, mask);
1648 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1649 tvb, offset, 1, mask);
1650 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1651 tvb, offset, 1, mask);
1652 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1653 tvb, offset, 1, mask);
1654 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1655 tvb, offset, 1, mask);
1656 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1657 tvb, offset, 1, mask);
1664 static const true_false_string tfs_search_attribute_read_only = {
1665 "Include READ ONLY files in search results",
1666 "Do NOT include read only files in search results",
1668 static const true_false_string tfs_search_attribute_hidden = {
1669 "Include HIDDEN files in search results",
1670 "Do NOT include hidden files in search results"
1672 static const true_false_string tfs_search_attribute_system = {
1673 "Include SYSTEM files in search results",
1674 "Do NOT include system files in search results"
1676 static const true_false_string tfs_search_attribute_volume = {
1677 "Include VOLUME IDs in search results",
1678 "Do NOT include volume IDs in search results"
1680 static const true_false_string tfs_search_attribute_directory = {
1681 "Include DIRECTORIES in search results",
1682 "Do NOT include directories in search results"
1684 static const true_false_string tfs_search_attribute_archive = {
1685 "Include ARCHIVE files in search results",
1686 "Do NOT include archive files in search results"
/* Dissect a 2-byte little-endian search attributes field at offset.  The
   mask is shown as text and then handed to the six search attribute
   booleans, which describe what kinds of entries the search includes. */
1690 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1693 proto_item *item = NULL;
1694 proto_tree *tree = NULL;
1696 mask = tvb_get_letohs(tvb, offset);
1699 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1700 "Search Attributes: 0x%04x", mask);
1701 tree = proto_item_add_subtree(item, ett_smb_search);
1704 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1705 tvb, offset, 2, mask);
1706 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1707 tvb, offset, 2, mask);
1708 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1709 tvb, offset, 2, mask);
1710 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1711 tvb, offset, 2, mask);
1712 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1713 tvb, offset, 2, mask);
1714 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1715 tvb, offset, 2, mask);
1723 * XXX - this isn't used.
1724 * Is this used for anything? NT Create AndX doesn't use it.
1725 * Is there some 16-bit attribute field with more bits than Read Only,
1726 * Hidden, System, Volume ID, Directory, and Archive?
/* Dissect a file attributes field using the 16-bit attribute fields plus
   the wider ones (device through encrypted).
   NOTE(review): the mask is fetched as 32 bits with tvb_get_letohl() and
   printed with %08x, but the text item and every flag are added with a
   length of 2.  One of the two widths is wrong.  The existing comment
   says the function is unused, so settle the field width before wiring
   it up to a caller. */
1729 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1732 proto_item *item = NULL;
1733 proto_tree *tree = NULL;
1735 mask = tvb_get_letohl(tvb, offset);
1738 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1739 "File Attributes: 0x%08x", mask);
1740 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1742 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1743 tvb, offset, 2, mask);
1744 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1745 tvb, offset, 2, mask);
1746 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1747 tvb, offset, 2, mask);
1748 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1749 tvb, offset, 2, mask);
1750 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1751 tvb, offset, 2, mask);
1752 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1753 tvb, offset, 2, mask);
1754 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1755 tvb, offset, 2, mask);
1756 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1757 tvb, offset, 2, mask);
1758 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1759 tvb, offset, 2, mask);
1760 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1761 tvb, offset, 2, mask);
1762 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1763 tvb, offset, 2, mask);
1764 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1765 tvb, offset, 2, mask);
1766 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1767 tvb, offset, 2, mask);
1768 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1769 tvb, offset, 2, mask);
1770 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1771 tvb, offset, 2, mask);
1780 #define SERVER_CAP_RAW_MODE 0x00000001
1781 #define SERVER_CAP_MPX_MODE 0x00000002
1782 #define SERVER_CAP_UNICODE 0x00000004
1783 #define SERVER_CAP_LARGE_FILES 0x00000008
1784 #define SERVER_CAP_NT_SMBS 0x00000010
1785 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1786 #define SERVER_CAP_STATUS32 0x00000040
1787 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1788 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1789 #define SERVER_CAP_NT_FIND 0x00000200
1790 #define SERVER_CAP_DFS 0x00001000
1791 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1792 #define SERVER_CAP_LARGE_READX 0x00004000
1793 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1794 #define SERVER_CAP_UNIX 0x00800000
1795 #define SERVER_CAP_RESERVED 0x02000000
1796 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1797 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1798 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1799 static const true_false_string tfs_server_cap_raw_mode = {
1800 "Read Raw and Write Raw are supported",
1801 "Read Raw and Write Raw are not supported"
1803 static const true_false_string tfs_server_cap_mpx_mode = {
1804 "Read Mpx and Write Mpx are supported",
1805 "Read Mpx and Write Mpx are not supported"
1807 static const true_false_string tfs_server_cap_unicode = {
1808 "Unicode strings are supported",
1809 "Unicode strings are not supported"
1811 static const true_false_string tfs_server_cap_large_files = {
1812 "Large files are supported",
1813 "Large files are not supported",
1815 static const true_false_string tfs_server_cap_nt_smbs = {
1816 "NT SMBs are supported",
1817 "NT SMBs are not supported"
1819 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1820 "RPC remote APIs are supported",
1821 "RPC remote APIs are not supported"
1823 static const true_false_string tfs_server_cap_nt_status = {
1824 "NT status codes are supported",
1825 "NT status codes are not supported"
1827 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1828 "Level 2 oplocks are supported",
1829 "Level 2 oplocks are not supported"
1831 static const true_false_string tfs_server_cap_lock_and_read = {
1832 "Lock and Read is supported",
1833 "Lock and Read is not supported"
1835 static const true_false_string tfs_server_cap_nt_find = {
1836 "NT Find is supported",
1837 "NT Find is not supported"
1839 static const true_false_string tfs_server_cap_dfs = {
1841 "Dfs is not supported"
1843 static const true_false_string tfs_server_cap_infolevel_passthru = {
1844 "NT information level request passthrough is supported",
1845 "NT information level request passthrough is not supported"
1847 static const true_false_string tfs_server_cap_large_readx = {
1848 "Large Read andX is supported",
1849 "Large Read andX is not supported"
1851 static const true_false_string tfs_server_cap_large_writex = {
1852 "Large Write andX is supported",
1853 "Large Write andX is not supported"
1855 static const true_false_string tfs_server_cap_unix = {
1856 "UNIX extensions are supported",
1857 "UNIX extensions are not supported"
1859 static const true_false_string tfs_server_cap_reserved = {
1863 static const true_false_string tfs_server_cap_bulk_transfer = {
1864 "Bulk Read and Bulk Write are supported",
1865 "Bulk Read and Bulk Write are not supported"
1867 static const true_false_string tfs_server_cap_compressed_data = {
1868 "Compressed data transfer is supported",
1869 "Compressed data transfer is not supported"
1871 static const true_false_string tfs_server_cap_extended_security = {
1872 "Extended security exchanges are supported",
1873 "Extended security exchanges are not supported"
/* Dissect the 4-byte little-endian server capabilities field at offset.
   The mask is shown as text and then handed to one boolean per
   SERVER_CAP_* bit, all covering the same four bytes.  The bits are
   whatever the server advertised; this function only displays them. */
1876 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1879 proto_item *item = NULL;
1880 proto_tree *tree = NULL;
1882 mask = tvb_get_letohl(tvb, offset);
1885 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1886 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1889 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1890 tvb, offset, 4, mask);
1891 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1892 tvb, offset, 4, mask);
1893 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1894 tvb, offset, 4, mask);
1895 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1896 tvb, offset, 4, mask);
1897 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1898 tvb, offset, 4, mask);
1899 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1900 tvb, offset, 4, mask);
1901 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1902 tvb, offset, 4, mask);
1903 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1904 tvb, offset, 4, mask);
1905 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1906 tvb, offset, 4, mask);
1907 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1908 tvb, offset, 4, mask);
1909 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1910 tvb, offset, 4, mask);
1911 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1912 tvb, offset, 4, mask);
1913 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1914 tvb, offset, 4, mask);
1915 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1916 tvb, offset, 4, mask);
1917 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1918 tvb, offset, 4, mask);
1919 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1920 tvb, offset, 4, mask);
1921 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1922 tvb, offset, 4, mask);
1923 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1924 tvb, offset, 4, mask);
1925 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1926 tvb, offset, 4, mask);
/* Bit values of the 16-bit Raw Mode field and the display strings for each
 * bit (first string: bit set, second string: bit clear). */
1931 #define RAWMODE_READ 0x01
1932 #define RAWMODE_WRITE 0x02
1933 static const true_false_string tfs_rm_read = {
1934 "Read Raw is supported",
1935 "Read Raw is not supported"
1937 static const true_false_string tfs_rm_write = {
1938 "Write Raw is supported",
1939 "Write Raw is not supported"
/*
 * Dissect the 2-byte Raw Mode field of a Negotiate Protocol response: read
 * it little-endian, add a Raw Mode text item under parent_tree and the
 * Read Raw and Write Raw booleans beneath it.
 * The caller assigns the result to offset, so the advanced offset is
 * presumably returned; the return statement and the declaration of mask are
 * missing from this listing.
 */
1943 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1946 proto_item *item = NULL;
1947 proto_tree *tree = NULL;
1949 mask = tvb_get_letohs(tvb, offset);
1952 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1953 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1956 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1957 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
/*
 * Bit values of the negotiated Security Mode field and their display strings
 * (first string: bit set, second string: bit clear).
 * When reviewing negotiated settings in a capture, the clear-bit values
 * PLAINTEXT password and signatures NOT enabled / NOT required are the ones
 * worth flagging: they mean the session does not use challenge/response
 * authentication or message signing.
 */
1964 #define SECURITY_MODE_MODE 0x01
1965 #define SECURITY_MODE_PASSWORD 0x02
1966 #define SECURITY_MODE_SIGNATURES 0x04
1967 #define SECURITY_MODE_SIG_REQUIRED 0x08
1968 static const true_false_string tfs_sm_mode = {
1969 "USER security mode",
1970 "SHARE security mode"
1972 static const true_false_string tfs_sm_password = {
1973 "ENCRYPTED password. Use challenge/response",
1974 "PLAINTEXT password"
1976 static const true_false_string tfs_sm_signatures = {
1977 "Security signatures ENABLED",
1978 "Security signatures NOT enabled"
1980 static const true_false_string tfs_sm_sig_required = {
1981 "Security signatures REQUIRED",
1982 "Security signatures NOT required"
/*
 * Dissect the Security Mode field of a Negotiate Protocol response.
 * Two layouts are handled: a 2-byte little-endian field that shows only the
 * mode and password bits (hf_smb_sm_mode16, hf_smb_sm_password16), and a
 * 1-byte field that also shows the signatures-enabled and
 * signatures-required bits.
 * NOTE(review): the code that picks a layout is missing from this listing;
 * presumably it switches on wc, the word count passed by the caller. The
 * caller assigns the result to offset, so the advanced offset is presumably
 * returned.
 */
1986 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
1989 proto_item *item = NULL;
1990 proto_tree *tree = NULL;
/* 2-byte layout: only the mode and password bits are decoded */
1994 mask = tvb_get_letohs(tvb, offset);
1995 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1996 "Security Mode: 0x%04x", mask);
1997 tree = proto_item_add_subtree(item, ett_smb_mode);
1998 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
1999 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
/* 1-byte layout: mode, password and both signature bits are decoded */
2004 mask = tvb_get_guint8(tvb, offset);
2005 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2006 "Security Mode: 0x%02x", mask);
2007 tree = proto_item_add_subtree(item, ett_smb_mode);
2008 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
2009 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
2010 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
2011 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
/*
 * Dissect a Negotiate Protocol request: a Requested Dialects subtree covering
 * bc bytes, holding one Dialect entry per string. Each entry is a 1-byte
 * buffer format followed by a NUL-terminated dialect name.
 * NOTE(review): the loop construct, the declarations and the remaining
 * arguments of two calls are missing from this listing. CHECK_BYTE_COUNT is
 * defined elsewhere in the file; presumably it stops dissection of the
 * command when fewer than the given number of bytes remain in bc.
 */
2020 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2022 proto_item *it = NULL;
2023 proto_tree *tr = NULL;
2032 it = proto_tree_add_text(tree, tvb, offset, bc,
2033 "Requested Dialects");
2034 tr = proto_item_add_subtree(it, ett_smb_dialects);
2040 proto_item *dit = NULL;
2041 proto_tree *dtr = NULL;
2043 /* XXX - what if this runs past bc? */
2044 len = tvb_strsize(tvb, offset+1);
2045 str = tvb_get_ptr(tvb, offset+1, len);
/* len is bounded by the tvbuff, not by bc: tvb_strsize only returns when it
 * finds a terminating NUL, so str is safe to print with %s, but the Dialect
 * item below is added with len+1 bytes before CHECK_BYTE_COUNT(len) compares
 * the length with the declared byte count. */
2048 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2049 "Dialect: %s", str);
2050 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2054 CHECK_BYTE_COUNT(1);
2055 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2060 CHECK_BYTE_COUNT(len);
2061 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
/*
 * Dissect a Negotiate Protocol response.
 * Word parameters: the selected dialect index (0xffff is shown as -1), then
 * one of two layouts. The first visible layout has the security mode, 2-byte
 * maximum transmit buffer size, multiplex count, VC number, raw mode, session
 * key, server date and time, time zone, a 2-byte encryption key length and 2
 * reserved bytes. The second has the security mode, multiplex count, VC
 * number, 4-byte transmit and raw buffer sizes, session key, capabilities,
 * 64-bit system time, time zone and a 1-byte encryption key length.
 * Byte parameters: for the first layout the challenge key of ekl bytes and
 * the primary domain; for the second, when caps lacks
 * SERVER_CAP_EXTENDED_SECURITY, the challenge key, primary domain and server
 * name, otherwise a 16-byte server GUID and a security blob of bc bytes that
 * is handed to the gssapi_handle subdissector.
 * si->ct->raw_ntlmssp is set to 0 on the blob path and to 1 on the no-blob
 * path so that later dissectors know which NTLMSSP framing to expect.
 * NOTE(review): the branch conditions, declarations and several call
 * arguments are missing from this listing, so the layout selection
 * (presumably on the word count wc) cannot be confirmed here. si->ct is
 * dereferenced with no NULL test in the visible lines - confirm it is always
 * set on this path.
 */
2072 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2074 smb_info_t *si = pinfo->private_data;
2087 dialect = tvb_get_letohs(tvb, offset);
2090 if(dialect==0xffff){
2091 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2092 tvb, offset, 2, dialect,
2093 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2095 proto_tree_add_uint(tree, hf_smb_dialect_index,
2096 tvb, offset, 2, dialect);
2100 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2101 tvb, offset, 2, dialect,
2102 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2105 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2106 tvb, offset, 2, dialect,
2107 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2110 proto_tree_add_text(tree, tvb, offset, wc*2,
2111 "Words for unknown response format");
2120 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2122 /* Maximum Transmit Buffer Size */
2123 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2124 tvb, offset, 2, TRUE);
2127 /* Maximum Multiplex Count */
2128 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2129 tvb, offset, 2, TRUE);
2132 /* Maximum Vcs Number */
2133 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2134 tvb, offset, 2, TRUE);
2138 offset = dissect_negprot_rawmode(tvb, tree, offset);
2141 proto_tree_add_item(tree, hf_smb_session_key,
2142 tvb, offset, 4, TRUE);
2145 /* current time and date at server */
2146 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2150 tz = tvb_get_letohs(tvb, offset);
2151 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2154 /* encryption key length */
2155 ekl = tvb_get_letohs(tvb, offset);
2156 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2159 /* 2 reserved bytes */
2160 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2167 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2169 /* Maximum Multiplex Count */
2170 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2171 tvb, offset, 2, TRUE);
2174 /* Maximum Vcs Number */
2175 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2176 tvb, offset, 2, TRUE);
2179 /* Maximum Transmit Buffer Size */
2180 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2181 tvb, offset, 4, TRUE);
2184 /* maximum raw buffer size */
2185 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2186 tvb, offset, 4, TRUE);
2190 proto_tree_add_item(tree, hf_smb_session_key,
2191 tvb, offset, 4, TRUE);
2194 /* server capabilities */
2195 caps = dissect_negprot_capabilities(tvb, tree, offset);
2199 offset = dissect_smb_64bit_time(tvb, tree, offset,
2200 hf_smb_system_time);
2203 tz = tvb_get_letohs(tvb, offset);
2204 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2206 "Server Time Zone: %d min from UTC", tz);
2209 /* encryption key length */
/* ekl is taken straight from the packet and later used as a field length;
 * both later uses sit behind CHECK_BYTE_COUNT(ekl). */
2210 ekl = tvb_get_guint8(tvb, offset);
2211 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2212 tvb, offset, 1, ekl);
2222 /* challenge/response encryption key */
2224 CHECK_BYTE_COUNT(ekl);
2225 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2232 * XXX - not present if negotiated dialect isn't
2233 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2234 * have to see the request, or assume what dialect strings
2235 * were sent, to determine that.
2237 * Is this something other than a primary domain if the
2238 * negotiated dialect is Windows for Workgroups 3.1a?
2239 * It appears to be 8 bytes of binary data in at least
2240 * one capture - is that an encryption key or something
2243 dn = get_unicode_or_ascii_string(tvb, &offset,
2244 si->unicode, &dn_len, FALSE, FALSE, &bc);
2247 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2249 COUNT_BYTES(dn_len);
2253 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2254 /* challenge/response encryption key */
2255 /* XXX - is this aligned on an even boundary? */
2257 CHECK_BYTE_COUNT(ekl);
2258 proto_tree_add_item(tree, hf_smb_encryption_key,
2259 tvb, offset, ekl, TRUE);
2264 /* this string is special, unicode is flagged in caps */
2265 /* This string is NOT padded to be 16bit aligned.
2266 (seen in actual capture)
2267 XXX - I've seen a capture where it appears to be
2268 so aligned, but I've also seen captures where
2269 it is. The captures where it appeared to be
2270 aligned may have been from buggy servers. */
2271 /* However, don't get rid of existing setting */
2272 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2275 dn = get_unicode_or_ascii_string(tvb,
2276 &offset, si->unicode, &dn_len, TRUE, FALSE,
2280 proto_tree_add_string(tree, hf_smb_primary_domain,
2281 tvb, offset, dn_len, dn);
2282 COUNT_BYTES(dn_len);
2284 /* server name, seen in w2k pro capture */
2285 dn = get_unicode_or_ascii_string(tvb,
2286 &offset, si->unicode, &dn_len, TRUE, FALSE,
2290 proto_tree_add_string(tree, hf_smb_server,
2291 tvb, offset, dn_len, dn);
2292 COUNT_BYTES(dn_len);
2295 proto_item *blob_item;
2298 /* XXX - show it in the standard Microsoft format
2300 CHECK_BYTE_COUNT(16);
2301 proto_tree_add_item(tree, hf_smb_server_guid,
2302 tvb, offset, 16, TRUE);
2305 blob_item = proto_tree_add_item(
2306 tree, hf_smb_security_blob,
2307 tvb, offset, bc, TRUE);
2311 * If Extended security and BCC == 16, then raw
2312 * NTLMSSP is in use. We need to save this info
2316 tvbuff_t *gssapi_tvb;
2317 proto_tree *gssapi_tree;
2319 gssapi_tree = proto_item_add_subtree(
2320 blob_item, ett_smb_secblob);
2322 gssapi_tvb = tvb_new_subset(
2323 tvb, offset, bc, bc);
2326 gssapi_handle, gssapi_tvb, pinfo,
2330 si->ct->raw_ntlmssp = 0;
2337 * There is no blob. We just have to make sure
2338 * that subsequent routines know to call the
2343 si->ct->raw_ntlmssp = 1;
/*
 * Dissect a request whose byte parameters are a 1-byte buffer format followed
 * by a directory name. The name is fetched with
 * get_unicode_or_ascii_string() according to si->unicode, added as
 * hf_smb_dir_name and appended to the Info column as a %s argument, never as
 * the format string.
 * pinfo is marked _U_ (unused) although it is read here.
 * NOTE(review): the declarations, the remaining call arguments and any
 * failure exit after the string fetch are missing from this listing.
 */
2357 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2359 smb_info_t *si = pinfo->private_data;
2370 CHECK_BYTE_COUNT(1);
2371 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2375 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2379 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2381 COUNT_BYTES(dn_len);
2383 if (check_col(pinfo->cinfo, COL_INFO)) {
2384 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
/* Dissector callback with the standard command signature; presumably used
 * for commands that carry no word or byte parameters. None of its body is
 * present in this listing - confirm against the full file. */
2393 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/*
 * Dissect an Echo request: the 2-byte little-endian echo count, then bc
 * bytes of echo data.
 * NOTE(review): the lines that set bc and advance offset are missing from
 * this listing.
 */
2408 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2416 ec = tvb_get_letohs(tvb, offset);
2417 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2424 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissect an Echo response: the 2-byte echo sequence number, then bc bytes
 * of echo data.
 * NOTE(review): the lines that set bc and advance offset are missing from
 * this listing.
 */
2434 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2441 /* echo sequence number */
2442 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2449 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissect a Tree Connect request. The byte parameters are three fields, each
 * preceded by a 1-byte buffer format: the share path, the password and the
 * service name. The path is also appended to the Info column as a %s
 * argument.
 * The password is read as a NUL-terminated ANSI string and added to the tree
 * exactly as it appears on the wire, so captures containing this command
 * should be handled as sensitive data.
 * NOTE(review): declarations and offset updates are missing from this
 * listing.
 */
2459 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2461 smb_info_t *si = pinfo->private_data;
2472 CHECK_BYTE_COUNT(1);
2473 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2477 an = get_unicode_or_ascii_string(tvb, &offset,
2478 si->unicode, &an_len, FALSE, FALSE, &bc);
2481 proto_tree_add_string(tree, hf_smb_path, tvb,
2482 offset, an_len, an);
2483 COUNT_BYTES(an_len);
2485 if (check_col(pinfo->cinfo, COL_INFO)) {
2486 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2490 CHECK_BYTE_COUNT(1);
2491 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2494 /* password, ANSI */
2495 /* XXX - what if this runs past bc? */
/* pwlen is bounded by the tvbuff rather than by bc; the CHECK_BYTE_COUNT
 * that follows compares it with the declared byte count before the item is
 * added. */
2496 pwlen = tvb_strsize(tvb, offset);
2497 CHECK_BYTE_COUNT(pwlen);
2498 proto_tree_add_item(tree, hf_smb_password,
2499 tvb, offset, pwlen, TRUE);
2503 CHECK_BYTE_COUNT(1);
2504 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2508 an = get_unicode_or_ascii_string(tvb, &offset,
2509 si->unicode, &an_len, FALSE, FALSE, &bc);
2512 proto_tree_add_string(tree, hf_smb_service, tvb,
2513 offset, an_len, an);
2514 COUNT_BYTES(an_len);
/* Dissect a Tree Connect response: the 2-byte maximum buffer size and the
 * 2-byte TID, both little-endian. Offset updates are missing from this
 * listing. */
2522 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2529 /* Maximum Buffer Size */
2530 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2534 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
/* Display strings for the Open Function field: the create flag (first
 * string: set, second: clear) and the value names for the action taken when
 * the file already exists. */
2545 static const true_false_string tfs_of_create = {
2546 "Create file if it does not exist",
2547 "Fail if file does not exist"
2549 static const value_string of_open[] = {
2550 { 0, "Fail if file exists"},
2551 { 1, "Open file if it exists"},
2552 { 2, "Truncate file if it exists"},
/*
 * Dissect the 2-byte Open Function field: read it little-endian, add an
 * Open Function text item under parent_tree, then the create flag as a
 * boolean and the open action as an unsigned value. Both are handed the
 * whole mask, so the bits each one shows are presumably selected by the hf_
 * field registrations elsewhere in the file.
 * Callers assign the result to offset, so the advanced offset is presumably
 * returned; that line is missing from this listing.
 */
2556 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2559 proto_item *item = NULL;
2560 proto_tree *tree = NULL;
2562 mask = tvb_get_letohs(tvb, offset);
2565 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2566 "Open Function: 0x%04x", mask);
2567 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2570 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2571 tvb, offset, 2, mask);
2572 proto_tree_add_uint(tree, hf_smb_open_function_open,
2573 tvb, offset, 2, mask);
/* Display strings for the Move flags: target-must-be-file,
 * target-must-be-directory and verify-writes (first string: bit set, second:
 * bit clear). */
2581 static const true_false_string tfs_mf_file = {
2582 "Target must be a file",
2583 "Target needn't be a file"
2585 static const true_false_string tfs_mf_dir = {
2586 "Target must be a directory",
2587 "Target needn't be a directory"
2589 static const true_false_string tfs_mf_verify = {
2590 "MUST verify all writes",
2591 "Don't have to verify writes"
/*
 * Dissect the 2-byte Flags field of a Move request: read it little-endian,
 * add a Flags text item under parent_tree and the verify, directory and file
 * booleans beneath it, each handed the whole mask.
 * dissect_move_request assigns the result to offset, so the advanced offset
 * is presumably returned; that line is missing from this listing.
 */
2594 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2597 proto_item *item = NULL;
2598 proto_tree *tree = NULL;
2600 mask = tvb_get_letohs(tvb, offset);
2603 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2604 "Flags: 0x%04x", mask);
2605 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2608 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2609 tvb, offset, 2, mask);
2610 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2611 tvb, offset, 2, mask);
2612 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2613 tvb, offset, 2, mask);
/* Display-string tables for the Copy flags. The strings of tfs_cf_mode and
 * tfs_cf_ea_action are missing from this listing. */
2620 static const true_false_string tfs_cf_mode = {
2624 static const true_false_string tfs_cf_tree_copy = {
2625 "Copy is a tree copy",
2626 "Copy is a file copy"
2628 static const true_false_string tfs_cf_ea_action = {
/*
 * Dissect the 2-byte Flags field of a Copy request: read it little-endian,
 * add a Flags text item under parent_tree and seven booleans beneath it
 * (EA action, tree copy, verify, source mode, destination mode, directory,
 * file), each handed the whole mask.
 * dissect_copy_request assigns the result to offset, so the advanced offset
 * is presumably returned; that line is missing from this listing.
 */
2633 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2636 proto_item *item = NULL;
2637 proto_tree *tree = NULL;
2639 mask = tvb_get_letohs(tvb, offset);
2642 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2643 "Flags: 0x%04x", mask);
2644 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2647 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2648 tvb, offset, 2, mask);
2649 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2650 tvb, offset, 2, mask);
2651 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2652 tvb, offset, 2, mask);
2653 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2654 tvb, offset, 2, mask);
2655 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2656 tvb, offset, 2, mask);
2657 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2658 tvb, offset, 2, mask);
2659 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2660 tvb, offset, 2, mask);
/*
 * Dissect a Move request: the target TID, the Open Function and Move flags
 * words, then two byte-parameter strings (old and new file name), each
 * preceded by a 1-byte buffer format. Both names are added to the tree and
 * appended to the Info column as %s arguments.
 * NOTE(review): declarations, the remaining arguments of the string fetches
 * and any failure exit after them are missing from this listing.
 */
2668 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2670 smb_info_t *si = pinfo->private_data;
2680 tid = tvb_get_letohs(tvb, offset);
2681 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2682 "TID (target): 0x%04x", tid);
2686 offset = dissect_open_function(tvb, tree, offset);
2689 offset = dissect_move_flags(tvb, tree, offset);
2694 CHECK_BYTE_COUNT(1);
2695 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2699 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2703 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2704 fn_len, fn, "Old File Name: %s", fn);
2705 COUNT_BYTES(fn_len);
2707 if (check_col(pinfo->cinfo, COL_INFO)) {
2708 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2712 CHECK_BYTE_COUNT(1);
2713 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2717 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2721 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2722 fn_len, fn, "New File Name: %s", fn);
2723 COUNT_BYTES(fn_len);
2725 if (check_col(pinfo->cinfo, COL_INFO)) {
2726 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
/*
 * Dissect a Copy request: the target TID, the Open Function and Copy flags
 * words, then two byte-parameter strings (source and destination file name),
 * each preceded by a 1-byte buffer format. Both names are added to the tree
 * and appended to the Info column as %s arguments.
 * NOTE(review): declarations, the remaining arguments of the string fetches
 * and any failure exit after them are missing from this listing.
 */
2735 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2737 smb_info_t *si = pinfo->private_data;
2747 tid = tvb_get_letohs(tvb, offset);
2748 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2749 "TID (target): 0x%04x", tid);
2753 offset = dissect_open_function(tvb, tree, offset);
2756 offset = dissect_copy_flags(tvb, tree, offset);
2761 CHECK_BYTE_COUNT(1);
2762 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2766 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2770 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2771 fn_len, fn, "Source File Name: %s", fn);
2772 COUNT_BYTES(fn_len);
2774 if (check_col(pinfo->cinfo, COL_INFO)) {
2775 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s", fn);
2779 CHECK_BYTE_COUNT(1);
2780 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2784 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2788 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2789 fn_len, fn, "Destination File Name: %s", fn);
2790 COUNT_BYTES(fn_len);
2792 if (check_col(pinfo->cinfo, COL_INFO)) {
2793 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", fn);
/*
 * Dissect a Move or Copy response: the 2-byte count of files moved, then a
 * 1-byte buffer format and a file name fetched according to si->unicode.
 * NOTE(review): declarations, the remaining call arguments and the
 * conditions around the byte parameters are missing from this listing.
 */
2802 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2804 smb_info_t *si = pinfo->private_data;
2812 /* # of files moved */
2813 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
2819 CHECK_BYTE_COUNT(1);
2820 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2824 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2828 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2830 COUNT_BYTES(fn_len);
/*
 * Dissect an Open File request: the desired access word, the search
 * attributes, then a 1-byte buffer format and the file name. The name is
 * added to the tree and appended to the Info column as a %s argument.
 * NOTE(review): declarations, the remaining call arguments and any failure
 * exit after the string fetch are missing from this listing.
 */
2838 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2840 smb_info_t *si = pinfo->private_data;
2848 /* desired access */
2849 offset = dissect_access(tvb, tree, offset, "Desired");
2851 /* Search Attributes */
2852 offset = dissect_search_attributes(tvb, tree, offset);
2857 CHECK_BYTE_COUNT(1);
2858 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2862 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2866 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2868 COUNT_BYTES(fn_len);
2870 if (check_col(pinfo->cinfo, COL_INFO)) {
2871 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Add a FID to the protocol tree as hf_smb_fid over len bytes at offset and,
 * when the Info column is in use, append it there in 0x%04x form.
 * dissect_read_file_response calls this with offset 0 and len 0 for a FID
 * that was remembered from the request rather than read from this packet.
 */
2880 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2881 int len, guint16 fid)
2883 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2884 if (check_col(pinfo->cinfo, COL_INFO))
2885 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
/*
 * Dissect an Open File response: the 2-byte FID, the file attributes, the
 * last write time, the 4-byte file size and the granted access word.
 * pinfo is marked _U_ (unused) although it is passed to add_fid.
 * Declarations and offset updates are missing from this listing.
 */
2889 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2898 fid = tvb_get_letohs(tvb, offset);
2899 add_fid(tvb, pinfo, tree, offset, 2, fid);
2902 /* File Attributes */
2903 offset = dissect_file_attributes(tvb, tree, offset, 2);
2905 /* last write time */
2906 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
2909 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2912 /* granted access */
2913 offset = dissect_access(tvb, tree, offset, "Granted");
/* Dissect a command whose only visible parameter is a 2-byte little-endian
 * FID, reported through add_fid. pinfo is marked _U_ although it is used. */
2923 dissect_fid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2932 fid = tvb_get_letohs(tvb, offset);
2933 add_fid(tvb, pinfo, tree, offset, 2, fid);
/*
 * Dissect a Create File request: the file attributes, the creation time,
 * then a 1-byte buffer format and the file name. The name is added to the
 * tree and appended to the Info column as a %s argument.
 * NOTE(review): declarations, the remaining call arguments and any failure
 * exit after the string fetch are missing from this listing.
 */
2944 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2946 smb_info_t *si = pinfo->private_data;
2954 /* file attributes */
2955 offset = dissect_file_attributes(tvb, tree, offset, 2);
2958 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
2963 CHECK_BYTE_COUNT(1);
2964 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2968 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2972 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2974 COUNT_BYTES(fn_len);
2976 if (check_col(pinfo->cinfo, COL_INFO)) {
2977 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/* Dissect a Close File request: the 2-byte FID and the last write time.
 * pinfo is marked _U_ (unused) although it is passed to add_fid. */
2986 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2994 fid = tvb_get_letohs(tvb, offset);
2995 add_fid(tvb, pinfo, tree, offset, 2, fid);
2998 /* last write time */
2999 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/*
 * Dissect a Delete File request: the search attributes, then a 1-byte buffer
 * format and the file name. The name is added to the tree and appended to
 * the Info column as a %s argument.
 * NOTE(review): declarations, the remaining call arguments and any failure
 * exit after the string fetch are missing from this listing.
 */
3009 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3011 smb_info_t *si = pinfo->private_data;
3019 /* search attributes */
3020 offset = dissect_search_attributes(tvb, tree, offset);
3025 CHECK_BYTE_COUNT(1);
3026 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3030 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3034 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3036 COUNT_BYTES(fn_len);
3038 if (check_col(pinfo->cinfo, COL_INFO)) {
3039 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Dissect a Rename File request: the search attributes, then the old and the
 * new file name, each preceded by a 1-byte buffer format. Both names are
 * added to the tree (hf_smb_old_file_name, hf_smb_file_name) and appended to
 * the Info column as %s arguments.
 * NOTE(review): declarations, the remaining call arguments and any failure
 * exit after the string fetches are missing from this listing.
 */
3048 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3050 smb_info_t *si = pinfo->private_data;
3058 /* search attributes */
3059 offset = dissect_search_attributes(tvb, tree, offset);
3064 CHECK_BYTE_COUNT(1);
3065 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3069 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3073 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3075 COUNT_BYTES(fn_len);
3077 if (check_col(pinfo->cinfo, COL_INFO)) {
3078 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3082 CHECK_BYTE_COUNT(1);
3083 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3087 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3091 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3093 COUNT_BYTES(fn_len);
3095 if (check_col(pinfo->cinfo, COL_INFO)) {
3096 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
/*
 * Dissect an NT Rename File request: the search attributes, the 2-byte
 * rename level, the 4-byte cluster count, then the old and the new file
 * name, each preceded by a 1-byte buffer format. Both names are added to the
 * tree and appended to the Info column as %s arguments.
 * NOTE(review): declarations, the remaining call arguments and any failure
 * exit after the string fetches are missing from this listing.
 */
3105 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3107 smb_info_t *si = pinfo->private_data;
3115 /* search attributes */
3116 offset = dissect_search_attributes(tvb, tree, offset);
3118 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3121 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3127 CHECK_BYTE_COUNT(1);
3128 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3132 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3136 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3138 COUNT_BYTES(fn_len);
3140 if (check_col(pinfo->cinfo, COL_INFO)) {
3141 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3145 CHECK_BYTE_COUNT(1);
3146 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3150 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3154 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3156 COUNT_BYTES(fn_len);
3158 if (check_col(pinfo->cinfo, COL_INFO)) {
3159 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
/*
 * Dissect a Query Information request: a 1-byte buffer format and the file
 * name, which is added to the tree and appended to the Info column as a %s
 * argument.
 * NOTE(review): declarations, the remaining call arguments and any failure
 * exit after the string fetch are missing from this listing.
 */
3169 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3171 smb_info_t *si = pinfo->private_data;
3182 CHECK_BYTE_COUNT(1);
3183 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3187 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3191 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3193 COUNT_BYTES(fn_len);
3195 if (check_col(pinfo->cinfo, COL_INFO)) {
3196 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/* Dissect a Query Information response: the file attributes, the last write
 * time, the 4-byte file size and 10 reserved bytes. Offset updates are
 * missing from this listing. */
3205 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3212 /* File Attributes */
3213 offset = dissect_file_attributes(tvb, tree, offset, 2);
3215 /* Last Write Time */
3216 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3219 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3222 /* 10 reserved bytes */
3223 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
/*
 * Dissect a Set Information request: the file attributes, the last write
 * time and 10 reserved bytes, then a 1-byte buffer format and the file name.
 * The name is added to the tree and appended to the Info column as a %s
 * argument.
 * NOTE(review): declarations, the remaining call arguments and any failure
 * exit after the string fetch are missing from this listing.
 */
3234 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3236 smb_info_t *si = pinfo->private_data;
3244 /* file attributes */
3245 offset = dissect_file_attributes(tvb, tree, offset, 2);
3247 /* last write time */
3248 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3250 /* 10 reserved bytes */
3251 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3257 CHECK_BYTE_COUNT(1);
3258 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3262 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3266 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3268 COUNT_BYTES(fn_len);
3270 if (check_col(pinfo->cinfo, COL_INFO)) {
3271 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Dissect a Read File request: the 2-byte FID, the 2-byte count, the 4-byte
 * file offset and the 2-byte remaining-bytes value; the count and offset are
 * also appended to the Info column.
 * On the first pass over a frame (flags.visited clear) the FID is stashed in
 * si->sip->extra_info so that the response dissector can report it.
 * NOTE(review): si->sip is dereferenced here without a NULL test, while
 * dissect_read_file_response and dissect_file_data_maybe_dcerpc both test
 * si->sip before using it; confirm sip cannot be NULL on this path or add
 * the same guard.
 * NOTE(review): the FID is stored by casting an integer to void * and read
 * back with an (int) cast of the pointer; GUINT_TO_POINTER and
 * GPOINTER_TO_UINT are the glib macros meant for this and avoid
 * size-mismatch problems on 64-bit builds.
 * pinfo is marked _U_ (unused) although it is used.
 */
3280 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3291 fid = tvb_get_letohs(tvb, offset);
3292 add_fid(tvb, pinfo, tree, offset, 2, fid);
3294 if (!pinfo->fd->flags.visited) {
3295 /* remember the FID for the processing of the response */
3296 si = (smb_info_t *)pinfo->private_data;
3297 si->sip->extra_info=(void *)fid;
3301 cnt = tvb_get_letohs(tvb, offset);
3302 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3306 ofs = tvb_get_letohl(tvb, offset);
3307 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3310 if (check_col(pinfo->cinfo, COL_INFO))
3311 col_append_fstr(pinfo->cinfo, COL_INFO,
3312 ", %u byte%s at offset %u", cnt,
3313 (cnt == 1) ? "" : "s", ofs);
3316 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Add the file data of a read or write to the tree. bc is presumably the
 * number of bytes left in the byte-count area and datalen the data length
 * supplied by the caller; the difference bc-datalen is shown as padding and
 * skipped. When fewer bytes are captured than expected, the tvblen bytes
 * that are present are shown with an Incomplete label instead of the full
 * bc bytes.
 * NOTE(review): the conditions guarding these branches are missing from this
 * listing. bc and datalen are guint16 values that come from the packet, so
 * the padding branch is only meaningful when bc > datalen, and
 * tvb_length_remaining can return -1 when offset is past the end of the
 * tvbuff - confirm both cases are tested in the full file.
 */
3327 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3332 /* We have some initial padding bytes. */
3333 /* XXX - use the data offset here instead? */
3334 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3336 offset += bc-datalen;
3339 tvblen = tvb_length_remaining(tvb, offset);
3341 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3344 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
/*
 * Hand the data of a read or write on a pipe to the DCERPC-over-SMB pipe
 * dissector. Leading padding of bc-datalen bytes is shown and skipped, then
 * a new tvbuff is cut at offset with the captured length set to whatever
 * remains in tvb and the reported length set to bc, and passed to
 * dissect_pipe_dcerpc together with the FID.
 * NOTE(review): the condition guarding the padding branch is missing from
 * this listing; bc and datalen come from the packet, so confirm the branch
 * only runs when bc > datalen and that tvblen is not negative before the
 * subset is created.
 */
3351 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3352 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3355 tvbuff_t *dcerpc_tvb;
3358 /* We have some initial padding bytes. */
3359 /* XXX - use the data offset here instead? */
3360 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3362 offset += bc-datalen;
3365 tvblen = tvb_length_remaining(tvb, offset);
3366 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3367 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3376 * transporting DCERPC over SMB seems to be implemented in various
3377 * ways. We might just assume it can be done by an almost random
3378 * mix of Trans/Read/Write calls
3380 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
3381 * and let him sort them out
/*
 * Choose how to dissect read or write data. When the transaction info exists,
 * its flags mark the TID as the IPC share (SMB_SIF_TID_IS_IPC) and the file
 * offset ofs is 0, the data goes to dissect_file_data_dcerpc; otherwise it
 * is shown as ordinary file data by dissect_file_data. The chosen helper's
 * result is returned.
 * The & in the first test binds tighter than &&, so si->sip is tested for
 * NULL before its flags are read.
 */
3384 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
3385 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
3386 guint16 datalen, guint32 ofs, guint16 fid)
3388 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3390 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3392 return dissect_file_data_dcerpc(tvb, pinfo, tree,
3393 top_tree, offset, bc, datalen, fid);
3395 /* ordinary file data */
3396 return dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Dissect a Read File response: the 2-byte count and 8 reserved bytes, then
 * in the byte parameters a 1-byte buffer format, a 2-byte data length and
 * the data itself, which may be DCERPC on a pipe.
 * When the matching request was seen (si->sip set and frame_req > 0) the FID
 * remembered in extra_info is reported through add_fid with offset 0 and
 * length 0, since it is not part of this packet.
 * NOTE(review): the data call passes bc for both the bc and datalen
 * arguments and 0 for ofs, so the data length field parsed just above is not
 * used in the visible lines. The declaration of fid is missing from this
 * listing; confirm it has a defined value when the request was not seen.
 * top_tree is not a parameter here and is presumably a file-level variable.
 * pinfo is marked _U_ (unused) although it is used.
 */
3401 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3405 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3411 cnt = tvb_get_letohs(tvb, offset);
3412 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3415 /* 8 reserved bytes */
3416 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3419 /* If we have seen the request, then print which FID this refers to */
3420 /* first check if we have seen the request */
3421 if(si->sip != NULL && si->sip->frame_req>0){
3422 fid=(int)si->sip->extra_info;
3423 add_fid(tvb, pinfo, tree, 0, 0, fid);
3429 CHECK_BYTE_COUNT(1);
3430 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3434 CHECK_BYTE_COUNT(2);
3435 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3438 /* file data, might be DCERPC on a pipe */
3440 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3441 top_tree, offset, bc, bc, 0, fid);
/* Dissect a Lock And Read response: the 2-byte count and 8 reserved bytes,
 * then in the byte parameters a 1-byte buffer format and a 2-byte data
 * length. Declarations and offset updates are missing from this listing. */
3451 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3459 cnt = tvb_get_letohs(tvb, offset);
3460 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3463 /* 8 reserved bytes */
3464 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3470 CHECK_BYTE_COUNT(1);
3471 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3475 CHECK_BYTE_COUNT(2);
3476 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/*
 * Dissect a Write File request: the 2-byte FID, the 2-byte count, the 4-byte
 * file offset and the 2-byte remaining-bytes value, then in the byte
 * parameters a 1-byte buffer format, a 2-byte data length and the data
 * itself, which may be DCERPC on a pipe. The count and offset are also
 * appended to the Info column.
 * NOTE(review): the data call passes bc for both the bc and datalen
 * arguments, so the data length field parsed just above is not used in the
 * visible lines. top_tree is not a parameter here and is presumably a
 * file-level variable. pinfo is marked _U_ (unused) although it is used.
 */
3486 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3489 guint16 cnt=0, bc, fid=0;
3495 fid = tvb_get_letohs(tvb, offset);
3496 add_fid(tvb, pinfo, tree, offset, 2, fid);
3500 cnt = tvb_get_letohs(tvb, offset);
3501 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3505 ofs = tvb_get_letohl(tvb, offset);
3506 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3509 if (check_col(pinfo->cinfo, COL_INFO))
3510 col_append_fstr(pinfo->cinfo, COL_INFO,
3511 ", %u byte%s at offset %u", cnt,
3512 (cnt == 1) ? "" : "s", ofs);
3515 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3521 CHECK_BYTE_COUNT(1);
3522 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3526 CHECK_BYTE_COUNT(2);
3527 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3530 /* file data, might be DCERPC on a pipe */
3532 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3533 top_tree, offset, bc, bc, ofs, fid);
/* Dissect a Write File response: the 2-byte count of bytes written, which is
 * also appended to the Info column with a singular or plural unit. pinfo is
 * marked _U_ (unused) although it is used. */
3543 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3551 cnt = tvb_get_letohs(tvb, offset);
3552 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3555 if (check_col(pinfo->cinfo, COL_INFO))
3556 col_append_fstr(pinfo->cinfo, COL_INFO,
3557 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
/* Dissect a Lock request: the 2-byte FID, then a 4-byte count and a 4-byte
 * offset, both little-endian. pinfo is marked _U_ (unused) although it is
 * passed to add_fid. */
3567 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3575 fid = tvb_get_letohs(tvb, offset);
3576 add_fid(tvb, pinfo, tree, offset, 2, fid);
3580 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3584 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/*
 * Create Temporary request: two reserved bytes, a creation time, then a
 * buffer-format byte and the directory name.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing; comments cover the visible statements only.
 */
3595 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* si->unicode selects how the name below is decoded. */
3597 smb_info_t *si = pinfo->private_data;
3605 /* 2 reserved bytes */
3606 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3610 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3615 CHECK_BYTE_COUNT(1);
3616 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3619 /* directory name */
/*
 * fn is decoded from packet bytes. NOTE(review): the lines between this
 * call and its first use are not shown; dissect_search_resume_key guards
 * the same helper with CHECK_STRING_SUBR(fn), so confirm an equivalent
 * NULL check exists here before fn reaches the "%s" below.
 */
3620 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3624 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3626 COUNT_BYTES(fn_len);
/* The name is passed as a "%s" argument, never as the format string. */
3628 if (check_col(pinfo->cinfo, COL_INFO)) {
3629 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3638 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3640 smb_info_t *si = pinfo->private_data;
3649 fid = tvb_get_letohs(tvb, offset);
3650 add_fid(tvb, pinfo, tree, offset, 2, fid);
3656 CHECK_BYTE_COUNT(1);
3657 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3661 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3665 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3667 COUNT_BYTES(fn_len);
3674 static const value_string seek_mode_vals[] = {
3675 {0, "From Start Of File"},
3676 {1, "From Current Position"},
3677 {2, "From End Of File"},
3682 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3690 fid = tvb_get_letohs(tvb, offset);
3691 add_fid(tvb, pinfo, tree, offset, 2, fid);
3695 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3699 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3710 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3718 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3729 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3737 fid = tvb_get_letohs(tvb, offset);
3738 add_fid(tvb, pinfo, tree, offset, 2, fid);
3742 offset = dissect_smb_datetime(tvb, tree, offset,
3744 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3747 offset = dissect_smb_datetime(tvb, tree, offset,
3749 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3751 /* last write time */
3752 offset = dissect_smb_datetime(tvb, tree, offset,
3753 hf_smb_last_write_time,
3754 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3764 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3772 offset = dissect_smb_datetime(tvb, tree, offset,
3774 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3777 offset = dissect_smb_datetime(tvb, tree, offset,
3779 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3781 /* last write time */
3782 offset = dissect_smb_datetime(tvb, tree, offset,
3783 hf_smb_last_write_time,
3784 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3787 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3790 /* allocation size */
3791 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3794 /* File Attributes */
3795 offset = dissect_file_attributes(tvb, tree, offset, 2);
/*
 * Write And Close request: FID, count, file offset, last write time and
 * 12 reserved bytes, then one padding byte and the file data.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing; comments cover the visible statements only.
 */
3805 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3814 fid = tvb_get_letohs(tvb, offset);
3815 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* cnt is the 16-bit count field as sent by the peer. */
3819 cnt = tvb_get_letohs(tvb, offset);
3820 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3824 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3827 /* last write time */
3828 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3831 /* 12 reserved bytes */
3832 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3839 CHECK_BYTE_COUNT(1);
3840 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
/*
 * NOTE(review): cnt, a value taken from the packet, is passed as both
 * length arguments. dissect_read_mpx_response and dissect_write_raw_request
 * pass bc as the first of the two. dissect_file_data is defined outside
 * this view -- confirm it limits the read to the bytes actually captured
 * when cnt is larger than what follows.
 */
3843 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
3852 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3860 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3871 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3880 fid = tvb_get_letohs(tvb, offset);
3881 add_fid(tvb, pinfo, tree, offset, 2, fid);
3885 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3889 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3893 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3897 to = tvb_get_letohl(tvb, offset);
3898 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3901 /* 2 reserved bytes */
3902 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3907 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3919 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3927 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3931 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3935 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3939 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3942 /* 2 reserved bytes */
3943 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3954 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3962 fid = tvb_get_letohs(tvb, offset);
3963 add_fid(tvb, pinfo, tree, offset, 2, fid);
3967 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3971 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3975 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3978 /* 6 reserved bytes */
3979 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
/*
 * Read MPX response: offset, count, reserved bytes, data compaction mode,
 * data length and data offset, followed by the data.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing; comments cover the visible statements only.
 */
3990 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3992 guint16 datalen=0, bc;
3998 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4002 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4005 /* 2 reserved bytes */
4006 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4009 /* data compaction mode */
4010 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4013 /* 2 reserved bytes */
4014 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* datalen is the length the sender claims; it is not trusted on its own. */
4018 datalen = tvb_get_letohs(tvb, offset);
4019 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* The data offset field is displayed but not used to locate the data. */
4023 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
/*
 * Both bc and the claimed datalen are handed to dissect_file_data
 * (defined outside this view), presumably so the claimed length can be
 * limited to the bytes remaining -- confirm.
 */
4029 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4038 static const true_false_string tfs_write_mode_write_through = {
4039 "WRITE THROUGH requested",
4040 "Write through not requested"
4042 static const true_false_string tfs_write_mode_return_remaining = {
4043 "RETURN REMAINING (pipe/dev) requested",
4044 "DON'T return remaining (pipe/dev)"
4046 static const true_false_string tfs_write_mode_raw = {
4047 "Use WriteRawNamedPipe (pipe)",
4048 "DON'T use WriteRawNamedPipe (pipe)"
4050 static const true_false_string tfs_write_mode_message_start = {
4051 "This is the START of a MESSAGE (pipe)",
4052 "This is NOT the start of a message (pipe)"
4054 static const true_false_string tfs_write_mode_connectionless = {
4055 "CONNECTIONLESS mode requested",
4056 "Connectionless mode NOT requested"
4059 #define WRITE_MODE_CONNECTIONLESS 0x0080
4060 #define WRITE_MODE_MESSAGE_START 0x0008
4061 #define WRITE_MODE_RAW 0x0004
4062 #define WRITE_MODE_RETURN_REMAINING 0x0002
4063 #define WRITE_MODE_WRITE_THROUGH 0x0001
/*
 * Adds a "Write Mode" subtree for the 16-bit little-endian flag word at
 * offset. bm is a caller-supplied set of WRITE_MODE_* bits choosing which
 * flags are listed; the displayed values themselves come from mask.
 * NOTE(review): lines between the numbered ones (declaration of mask, the
 * test around the subtree creation, closing braces, the return) are
 * missing from this listing.
 */
4066 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4069 proto_item *item = NULL;
4070 proto_tree *tree = NULL;
4072 mask = tvb_get_letohs(tvb, offset);
4075 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4076 "Write Mode: 0x%04x", mask);
4077 tree = proto_item_add_subtree(item, ett_smb_rawmode);
/* Each flag is shown only if the caller enabled it in bm. */
4080 if(bm&WRITE_MODE_CONNECTIONLESS){
4081 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4082 tvb, offset, 2, mask);
4084 if(bm&WRITE_MODE_MESSAGE_START){
4085 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4086 tvb, offset, 2, mask);
4088 if(bm&WRITE_MODE_RAW){
4089 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4090 tvb, offset, 2, mask);
4092 if(bm&WRITE_MODE_RETURN_REMAINING){
4093 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4094 tvb, offset, 2, mask);
4096 if(bm&WRITE_MODE_WRITE_THROUGH){
4097 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4098 tvb, offset, 2, mask);
/*
 * Write Raw request: FID, total data length, reserved bytes, file offset,
 * timeout, write mode, more reserved bytes, data length and data offset,
 * followed by the data.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing; comments cover the visible statements only.
 */
4106 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4109 guint16 datalen=0, bc, fid;
4115 fid = tvb_get_letohs(tvb, offset);
4116 add_fid(tvb, pinfo, tree, offset, 2, fid);
4119 /* total data length */
4120 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4123 /* 2 reserved bytes */
4124 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4128 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Timeout is shown as text produced by time_msecs_to_str(). */
4132 to = tvb_get_letohl(tvb, offset);
4133 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/* 0x0003 = WRITE_MODE_RETURN_REMAINING | WRITE_MODE_WRITE_THROUGH */
4137 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4139 /* 4 reserved bytes */
4140 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* datalen is the sender's claimed length of the data that follows. */
4144 datalen = tvb_get_letohs(tvb, offset);
4145 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4149 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
/*
 * The data offset field is only displayed; the data is taken from the
 * current offset, so any padding the sender placed before the data would
 * be shown as data.
 */
4155 /* XXX - use the data offset to determine where the data starts? */
4156 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4165 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4173 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4184 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4187 guint16 datalen=0, bc, fid;
4193 fid = tvb_get_letohs(tvb, offset);
4194 add_fid(tvb, pinfo, tree, offset, 2, fid);
4197 /* total data length */
4198 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4201 /* 2 reserved bytes */
4202 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4206 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4210 to = tvb_get_letohl(tvb, offset);
4211 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4215 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
4218 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
4222 datalen = tvb_get_letohs(tvb, offset);
4223 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4227 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4233 /* XXX - use the data offset to determine where the data starts? */
4234 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4243 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4251 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
4262 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4270 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/*
 * Adds a resume-key subtree (21 bytes as declared to the tree): a reserved
 * byte, a file name, and then the find-id / server-cookie / client-cookie
 * fields. Works against the caller's byte count through bcp and reports
 * truncation through trunc (both used by the *_SUBR macros, which are
 * defined outside this view).
 * NOTE(review): lines between the numbered ones are missing from this
 * listing, including the declarations of fn, fn_len and fname and whatever
 * test selects between the 1+4 byte and the 5 byte cookie layouts
 * (presumably has_find_id).
 */
4281 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4282 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4283 gboolean has_find_id)
4285 proto_item *item = NULL;
4286 proto_tree *tree = NULL;
4287 smb_info_t *si = pinfo->private_data;
4293 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4295 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4299 CHECK_BYTE_COUNT_SUBR(1);
4300 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4301 COUNT_BYTES_SUBR(1);
4305 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4307 CHECK_STRING_SUBR(fn);
/*
 * fn comes from packet bytes. strncpy() copies at most 11 bytes and writes
 * no terminator when fn is 11 bytes or longer, so the terminator has to
 * come from an explicit store.
 * NOTE(review): that store and the declaration of fname are on lines this
 * listing omits -- confirm fname holds at least 12 bytes and that
 * fname[11] is set to '\0' before fname is used.
 */
4308 /* ensure that it's null-terminated */
4309 strncpy(fname, fn, 11);
/*
 * NOTE(review): the tree item is given a fixed length of 11 while the byte
 * count is advanced by fn_len; confirm the two agree for this field.
 */
4311 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4313 COUNT_BYTES_SUBR(fn_len);
4316 CHECK_BYTE_COUNT_SUBR(1);
4317 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
4318 COUNT_BYTES_SUBR(1);
4321 CHECK_BYTE_COUNT_SUBR(4);
4322 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
4323 COUNT_BYTES_SUBR(4);
4326 CHECK_BYTE_COUNT_SUBR(5);
4327 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4328 COUNT_BYTES_SUBR(5);
4332 CHECK_BYTE_COUNT_SUBR(4);
4333 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4334 COUNT_BYTES_SUBR(4);
/*
 * Adds a "Directory Information" subtree (46 bytes as declared to the
 * tree): the resume key, file attributes, last write time, file size and
 * file name. Byte count and truncation state are shared with the caller
 * through bcp and trunc.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing, including the declarations of fn, fn_len and fname.
 */
4341 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4342 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4343 gboolean has_find_id)
4345 proto_item *item = NULL;
4346 proto_tree *tree = NULL;
4347 smb_info_t *si = pinfo->private_data;
4353 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4354 "Directory Information");
4355 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
/*
 * The resume key updates *bcp and *trunc itself. NOTE(review): whether
 * *trunc is tested right after this call is not visible here -- confirm.
 */
4359 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
4360 trunc, has_find_id);
4364 /* File Attributes */
4365 CHECK_BYTE_COUNT_SUBR(1);
4366 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
4369 /* last write time */
4370 CHECK_BYTE_COUNT_SUBR(4);
4371 offset = dissect_smb_datetime(tvb, tree, offset,
4372 hf_smb_last_write_time,
4373 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4378 CHECK_BYTE_COUNT_SUBR(4);
4379 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4380 COUNT_BYTES_SUBR(4);
4384 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4386 CHECK_STRING_SUBR(fn);
/*
 * fn comes from packet bytes. strncpy() copies at most 13 bytes and writes
 * no terminator when fn is 13 bytes or longer.
 * NOTE(review): the terminating store and the declaration of fname are on
 * lines this listing omits -- confirm fname holds at least 14 bytes and
 * that fname[13] is set to '\0' before fname is used.
 */
4387 /* ensure that it's null-terminated */
4388 strncpy(fname, fn, 13);
4390 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4392 COUNT_BYTES_SUBR(fn_len);
/*
 * Shared body for the Search / Find / Find Close requests: max count and
 * search attributes, then a buffer-format byte and file name, then a
 * second buffer-format byte, the resume key length and the resume key.
 * has_find_id is passed through to dissect_search_resume_key.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing (declarations of fn, fn_len, rkl, bc, trunc; any test on rkl
 * before the resume key is dissected).
 */
4400 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
4401 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4402 gboolean has_find_id)
4404 smb_info_t *si = pinfo->private_data;
4415 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4418 /* Search Attributes */
4419 offset = dissect_search_attributes(tvb, tree, offset);
4424 CHECK_BYTE_COUNT(1);
4425 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/*
 * fn is decoded from packet bytes. NOTE(review): the lines between this
 * call and the first use of fn are not shown -- confirm fn is checked for
 * NULL before it reaches the "%s" below.
 */
4429 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4433 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4435 COUNT_BYTES(fn_len);
/* The name is passed as a "%s" argument, never as the format string. */
4437 if (check_col(pinfo->cinfo, COL_INFO)) {
4438 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4442 CHECK_BYTE_COUNT(1);
4443 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4446 /* resume key length */
4447 CHECK_BYTE_COUNT(2);
/* rkl is the length claimed by the sender; in the visible lines it is only displayed. */
4448 rkl = tvb_get_letohs(tvb, offset);
4449 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
/* The resume key is bounded by bc (passed by address), not by rkl. */
4454 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4455 &bc, &trunc, has_find_id);
4466 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4467 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4469 return dissect_search_find_request(tvb, pinfo, tree, offset,
4474 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4475 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4477 return dissect_search_find_request(tvb, pinfo, tree, offset,
4482 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4483 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4485 return dissect_search_find_request(tvb, pinfo, tree, offset,
4490 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4491 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4492 gboolean has_find_id)
4502 count = tvb_get_letohs(tvb, offset);
4503 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4509 CHECK_BYTE_COUNT(1);
4510 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4514 CHECK_BYTE_COUNT(2);
4515 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4519 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4520 &bc, &trunc, has_find_id);
4531 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4533 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4538 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4540 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
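/*
 * Find Close response: two reserved bytes, then a buffer-format byte, a
 * data length and data_len bytes that are shown as reserved.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing; only the visible statements are reproduced and commented.
 */
4545 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4546 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4555 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4561 CHECK_BYTE_COUNT(1);
4562 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4566 CHECK_BYTE_COUNT(2);
/*
 * Read the length little-endian, like every other 16-bit SMB field in this
 * file (hf_smb_data_len is added with little-endian encoding elsewhere).
 * A big-endian read turns a small length such as 0x0015 into 0x1500, which
 * then fails the byte-count check below and cuts the dissection short.
 */
4567 data_len = tvb_get_letohs(tvb, offset);
4568 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
/* data_len comes from the packet; it is checked against the byte count before use. */
4571 if (data_len != 0) {
4572 CHECK_BYTE_COUNT(data_len);
4573 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
4575 COUNT_BYTES(data_len);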
4583 static const value_string locking_ol_vals[] = {
4584 {0, "Client is not holding oplock on this file"},
4585 {1, "Level 2 oplock currently held by client"},
4589 static const true_false_string tfs_lock_type_large = {
4590 "Large file locking format requested",
4591 "Large file locking format not requested"
4593 static const true_false_string tfs_lock_type_cancel = {
4594 "Cancel outstanding lock request",
4595 "Don't cancel outstanding lock request"
4597 static const true_false_string tfs_lock_type_change = {
4599 "Don't change lock type"
4601 static const true_false_string tfs_lock_type_oplock = {
4602 "This is an oplock break notification/response",
4603 "This is not an oplock break notification/response"
4605 static const true_false_string tfs_lock_type_shared = {
4606 "This is a shared lock",
4607 "This is an exclusive lock"
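/*
 * Locking AndX request: AndX header (next command, reserved byte, AndX
 * offset), FID, lock type flags, oplock level, timeout, the number of
 * unlocks and locks, then the unlock and lock ranges themselves, and
 * finally the chained AndX command.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing (the loops over un and ln, the tests choosing the large or the
 * normal range format, braces, offset advances); only the visible
 * statements are reproduced and commented.
 */
4610 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4612 guint8 wc, cmd=0xff, lt=0;
4613 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4615 proto_item *litem = NULL;
4616 proto_tree *ltree = NULL;
4617 proto_item *it = NULL;
4618 proto_tree *tr = NULL;
4619 int old_offset = offset;
4623 /* next smb command */
4624 cmd = tvb_get_guint8(tvb, offset);
4626 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4628 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4633 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is supplied by the sender; it is used at the end to locate the chained command. */
4637 andxoffset = tvb_get_letohs(tvb, offset);
4638 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4642 fid = tvb_get_letohs(tvb, offset);
4643 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* Lock type: one byte of flags, each shown as a boolean in its own subtree. */
4647 lt = tvb_get_guint8(tvb, offset);
4649 litem = proto_tree_add_text(tree, tvb, offset, 1,
4650 "Lock Type: 0x%02x", lt);
4651 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4653 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4654 tvb, offset, 1, lt);
4655 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4656 tvb, offset, 1, lt);
4657 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4658 tvb, offset, 1, lt);
4659 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4660 tvb, offset, 1, lt);
4661 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4662 tvb, offset, 1, lt);
4666 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
/* Timeout: 0 and 0xffffffff get fixed labels, anything else is formatted as a duration. */
4670 to = tvb_get_letohl(tvb, offset);
4672 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4673 else if (to == 0xffffffff)
4674 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4676 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/*
 * un and ln are counts supplied by the sender. Every field read for a
 * range below is preceded by CHECK_BYTE_COUNT, so the byte count, not
 * these counts, limits how far the ranges are read.
 */
4679 /* number of unlocks */
4680 un = tvb_get_letohs(tvb, offset);
4681 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4684 /* number of locks */
4685 ln = tvb_get_letohs(tvb, offset);
4686 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
/* Unlock ranges: the container item starts with length -1 and is sized once the ranges are done. */
4693 old_offset = offset;
4695 it = proto_tree_add_text(tree, tvb, offset, -1,
4697 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4699 proto_item *litem = NULL;
4700 proto_tree *ltree = NULL;
4702 /* large lock format */
4703 litem = proto_tree_add_text(tr, tvb, offset, 20,
4705 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4708 CHECK_BYTE_COUNT(2);
4709 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4712 /* 2 reserved bytes */
4713 CHECK_BYTE_COUNT(2);
4714 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4718 CHECK_BYTE_COUNT(8);
4719 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4723 CHECK_BYTE_COUNT(8);
4724 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4727 /* normal lock format */
4728 litem = proto_tree_add_text(tr, tvb, offset, 10,
4730 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4733 CHECK_BYTE_COUNT(2);
4734 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4738 CHECK_BYTE_COUNT(4);
4739 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4743 CHECK_BYTE_COUNT(4);
4744 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4748 proto_item_set_len(it, offset-old_offset);
/* Lock ranges: same layout as the unlock ranges, under ett_smb_locks. */
4754 old_offset = offset;
4756 it = proto_tree_add_text(tree, tvb, offset, -1,
4758 tr = proto_item_add_subtree(it, ett_smb_locks);
4760 proto_item *litem = NULL;
4761 proto_tree *ltree = NULL;
4763 /* large lock format */
4764 litem = proto_tree_add_text(tr, tvb, offset, 20,
4766 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4769 CHECK_BYTE_COUNT(2);
4770 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4773 /* 2 reserved bytes */
4774 CHECK_BYTE_COUNT(2);
4775 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4779 CHECK_BYTE_COUNT(8);
4780 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4784 CHECK_BYTE_COUNT(8);
4785 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4788 /* normal lock format */
4789 litem = proto_tree_add_text(tr, tvb, offset, 10,
/* A lock entry uses ett_smb_lock, matching the large-format lock entry above. */
4791 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4794 CHECK_BYTE_COUNT(2);
4795 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4799 CHECK_BYTE_COUNT(4);
4800 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4804 CHECK_BYTE_COUNT(4);
4805 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4809 proto_item_set_len(it, offset-old_offset);
4817 * We ran out of byte count in the middle of dissecting
4818 * the locks or the unlocks; set the size of the item
4819 * we were dissecting.
4821 proto_item_set_len(it, offset-old_offset);
/*
 * NOTE(review): andxoffset is used as sent. Nothing in the visible lines
 * checks that it lies beyond the end of this command; an offset pointing
 * back into already-dissected bytes would make the chain revisit them.
 * Confirm dissect_smb_command (outside this view) rejects that case.
 */
4824 /* call AndXCommand (if there are any) */
4825 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);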
4831 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4833 guint8 wc, cmd=0xff;
4834 guint16 andxoffset=0;
4839 /* next smb command */
4840 cmd = tvb_get_guint8(tvb, offset);
4842 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4844 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4849 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4853 andxoffset = tvb_get_letohs(tvb, offset);
4854 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4861 /* call AndXCommand (if there are any) */
4862 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
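/*
 * Labels for the Action word of an Open AndX response. Values 1-3 say what
 * was done to the file; the 0x800x entries are the same outcomes with the
 * oplock-granted bit (0x8000) set. The last entry is 0x8003 so that it no
 * longer duplicates the 0x8002 key of the entry before it.
 * NOTE(review): the table terminator is on lines this listing omits.
 */
4868 static const value_string oa_open_vals[] = {
4869 { 0, "No action taken?"},
4870 { 1, "The file existed and was opened"},
4871 { 2, "The file did not exist but was created"},
4872 { 3, "The file existed and was truncated"},
4873 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
4874 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
4875 { 0x8003, "The file existed and was truncated, and an OpLock was granted"},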
4878 static const true_false_string tfs_oa_lock = {
4879 "File is currently opened only by this user",
4880 "File is opened by another user (or mode not supported by server)"
4883 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4886 proto_item *item = NULL;
4887 proto_tree *tree = NULL;
4889 mask = tvb_get_letohs(tvb, offset);
4892 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4893 "Action: 0x%04x", mask);
4894 tree = proto_item_add_subtree(item, ett_smb_open_action);
4897 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4898 tvb, offset, 2, mask);
4899 proto_tree_add_uint(tree, hf_smb_open_action_open,
4900 tvb, offset, 2, mask);
4907 static const true_false_string tfs_open_flags_add_info = {
4908 "Additional information requested",
4909 "Additional information not requested"
4911 static const true_false_string tfs_open_flags_ex_oplock = {
4912 "Exclusive oplock requested",
4913 "Exclusive oplock not requested"
4915 static const true_false_string tfs_open_flags_batch_oplock = {
4916 "Batch oplock requested",
4917 "Batch oplock not requested"
4919 static const true_false_string tfs_open_flags_ealen = {
4920 "Total length of EAs requested",
4921 "Total length of EAs not requested"
4924 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4927 proto_item *item = NULL;
4928 proto_tree *tree = NULL;
4930 mask = tvb_get_letohs(tvb, offset);
4933 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4934 "Flags: 0x%04x", mask);
4935 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4939 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4940 tvb, offset, 2, mask);
4943 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4944 tvb, offset, 2, mask);
4947 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4948 tvb, offset, 2, mask);
4951 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4952 tvb, offset, 2, mask);
4960 static const value_string filetype_vals[] = {
4961 { 0, "Disk file or directory"},
4962 { 1, "Named pipe in byte mode"},
4963 { 2, "Named pipe in message mode"},
4964 { 3, "Spooled printer"},
/*
 * Open AndX request: AndX header, open flags, desired access, search and
 * file attributes, creation time, open function, allocation size and
 * 8 reserved bytes, then the file name and the chained AndX command.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing; comments cover the visible statements only.
 */
4968 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4970 guint8 wc, cmd=0xff;
4971 guint16 andxoffset=0, bc;
4972 smb_info_t *si = pinfo->private_data;
4978 /* next smb command */
4979 cmd = tvb_get_guint8(tvb, offset);
4981 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4983 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4988 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is supplied by the sender; it is used at the end to locate the chained command. */
4992 andxoffset = tvb_get_letohs(tvb, offset);
4993 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* 0x0007 is the bm argument of dissect_open_flags, which selects the flags to list. */
4997 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
4999 /* desired access */
5000 offset = dissect_access(tvb, tree, offset, "Desired");
5002 /* Search Attributes */
5003 offset = dissect_search_attributes(tvb, tree, offset);
5005 /* File Attributes */
5006 offset = dissect_file_attributes(tvb, tree, offset, 2);
5009 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5012 offset = dissect_open_function(tvb, tree, offset);
5014 /* allocation size */
5015 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5018 /* 8 reserved bytes */
5019 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
/*
 * fn is decoded from packet bytes. NOTE(review): the lines between this
 * call and the first use of fn are not shown -- confirm fn is checked for
 * NULL before it reaches the "%s" below.
 */
5025 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5029 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5031 COUNT_BYTES(fn_len);
/* The name is passed as a "%s" argument, never as the format string. */
5033 if (check_col(pinfo->cinfo, COL_INFO)) {
5034 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * NOTE(review): andxoffset is used as sent; nothing in the visible lines
 * checks that it lies beyond this command. Confirm dissect_smb_command
 * (outside this view) rejects an offset that points backwards.
 */
5039 /* call AndXCommand (if there are any) */
5040 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5045 static const true_false_string tfs_ipc_state_nonblocking = {
5046 "Reads/writes return immediately if no data available",
5047 "Reads/writes block if no data available"
5049 static const value_string ipc_state_endpoint_vals[] = {
5050 { 0, "Consumer end of pipe"},
5051 { 1, "Server end of pipe"},
5054 static const value_string ipc_state_pipe_type_vals[] = {
5055 { 0, "Byte stream pipe"},
5056 { 1, "Message pipe"},
5059 static const value_string ipc_state_read_mode_vals[] = {
5060 { 0, "Read pipe as a byte stream"},
5061 { 1, "Read messages from pipe"},
5066 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
5070 proto_item *item = NULL;
5071 proto_tree *tree = NULL;
5073 mask = tvb_get_letohs(tvb, offset);
5076 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5077 "IPC State: 0x%04x", mask);
5078 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
5081 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
5082 tvb, offset, 2, mask);
5084 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
5085 tvb, offset, 2, mask);
5086 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
5087 tvb, offset, 2, mask);
5089 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
5090 tvb, offset, 2, mask);
5092 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
5093 tvb, offset, 2, mask);
5102 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5104 guint8 wc, cmd=0xff;
5105 guint16 andxoffset=0, bc;
5110 /* next smb command */
5111 cmd = tvb_get_guint8(tvb, offset);
5113 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5115 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5120 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5124 andxoffset = tvb_get_letohs(tvb, offset);
5125 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5129 fid = tvb_get_letohs(tvb, offset);
5130 add_fid(tvb, pinfo, tree, offset, 2, fid);
5133 /* File Attributes */
5134 offset = dissect_file_attributes(tvb, tree, offset, 2);
5136 /* last write time */
5137 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
5140 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5143 /* granted access */
5144 offset = dissect_access(tvb, tree, offset, "Granted");
5147 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
5151 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
5154 offset = dissect_open_action(tvb, tree, offset);
5157 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
5160 /* 2 reserved bytes */
5161 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5168 /* call AndXCommand (if there are any) */
5169 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Read AndX request: AndX header, FID, file offset, max and min count,
 * a reserved dword, a "remaining" field and the high offset dword, then
 * the chained AndX command. On the first pass over a frame the FID is
 * saved so the response can be matched to it.
 * NOTE(review): lines between the numbered ones are missing from this
 * listing; comments cover the visible statements only.
 */
5175 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5177 guint8 wc, cmd=0xff;
5178 guint16 andxoffset=0, bc, maxcnt = 0;
5185 /* next smb command */
5186 cmd = tvb_get_guint8(tvb, offset);
5188 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5190 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5195 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is supplied by the sender; it is used at the end to locate the chained command. */
5199 andxoffset = tvb_get_letohs(tvb, offset);
5200 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5204 fid = tvb_get_letohs(tvb, offset);
5205 add_fid(tvb, pinfo, tree, offset, 2, fid);
/*
 * The FID is stored by casting the integer to void *, so extra_info holds
 * a number, not an address; readers must cast it back and never
 * dereference it. The integer-to-pointer cast changes width on most
 * platforms and may draw a compiler warning.
 * NOTE(review): si->sip is dereferenced with no NULL check in the visible
 * lines -- confirm it is always set when a request is dissected.
 */
5207 if (!pinfo->fd->flags.visited) {
5208 /* remember the FID for the processing of the response */
5209 si = (smb_info_t *)pinfo->private_data;
5210 si->sip->extra_info=(void *)fid;
/* ofs and maxcnt are read from the packet and, in the visible lines, only displayed. */
5214 ofs = tvb_get_letohl(tvb, offset);
5215 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5219 maxcnt = tvb_get_letohs(tvb, offset);
5220 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
5223 if (check_col(pinfo->cinfo, COL_INFO))
5224 col_append_fstr(pinfo->cinfo, COL_INFO,
5225 ", %u byte%s at offset %u", maxcnt,
5226 (maxcnt == 1) ? "" : "s", ofs);
5229 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
5232 /* XXX - max count high */
5233 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5237 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5242 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/*
 * NOTE(review): andxoffset is used as sent; nothing in the visible lines
 * checks that it lies beyond this command. Confirm dissect_smb_command
 * (outside this view) rejects an offset that points backwards.
 */
5250 /* call AndXCommand (if there are any) */
5251 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Read AndX response: AndX header, the FID remembered from the
 * request (when the request was seen), remaining, data compaction mode,
 * reserved bytes, data length and data offset, then the file data itself,
 * which may be DCERPC on a pipe; finally dispatch the chained AndX command.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump),
 * including the declaration of fid and the byte-count handling.
 */
5257 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5259 guint8 wc, cmd=0xff;
5260 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
5261 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5266 /* next smb command */
5267 cmd = tvb_get_guint8(tvb, offset);
5269 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5271 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5276 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() at the end; treat it as untrusted. */
5280 andxoffset = tvb_get_letohs(tvb, offset);
5281 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5284 /* If we have seen the request, then print which FID this refers to */
5285 /* first check if we have seen the request */
5286 if(si->sip != NULL && si->sip->frame_req>0){
/* extra_info holds the FID that the request dissector cast into the
 * pointer slot; it is cast back to int here. add_fid() is called with
 * offset 0 and length 0 because the value is not in this packet. */
5287 fid=(int)si->sip->extra_info;
5288 add_fid(tvb, pinfo, tree, 0, 0, fid);
5292 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5295 /* data compaction mode */
5296 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
5299 /* 2 reserved bytes */
5300 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* datalen and dataoffset are sender-supplied 16-bit values; datalen is
 * handed to dissect_file_data_maybe_dcerpc() together with bc below. */
5304 datalen = tvb_get_letohs(tvb, offset);
5305 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5308 if (check_col(pinfo->cinfo, COL_INFO))
5309 col_append_fstr(pinfo->cinfo, COL_INFO,
5310 ", %u byte%s", datalen,
5311 (datalen == 1) ? "" : "s");
5314 dataoffset=tvb_get_letohs(tvb, offset);
5315 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5318 /* 10 reserved bytes */
5319 /* XXX - first 2 bytes are data length high, not reserved */
5320 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
5325 /* file data, might be DCERPC on a pipe */
/* NOTE(review): in the visible lines fid is assigned only inside the
 * si->sip check above; its declaration is not shown, so confirm it has an
 * initialiser for the case where the request was not captured. */
5327 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5328 top_tree, offset, bc, datalen, 0, fid);
5334 /* call AndXCommand (if there are any) */
5335 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX request: AndX header, FID, 32-bit file offset,
 * reserved bytes, write mode, remaining, data length and data offset, the
 * high offset, an optional 2-byte pipe write length, and the file data,
 * which may be DCERPC on a pipe; finally dispatch the chained AndX command.
 *
 * On the first pass the FID is stored in the request record for the
 * response dissector.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump),
 * including the end of the block comment before the write-mode test.
 */
5341 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5344 guint8 wc, cmd=0xff;
5345 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
5346 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5353 /* next smb command */
5354 cmd = tvb_get_guint8(tvb, offset);
5356 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5358 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5363 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() at the end; treat it as untrusted. */
5367 andxoffset = tvb_get_letohs(tvb, offset);
5368 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5372 fid = tvb_get_letohs(tvb, offset);
5373 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* si->sip is dereferenced here, and again where SMB_SIF_TID_IS_IPC is
 * set further down, without a NULL test in the visible lines; the
 * response dissectors test si->sip != NULL first.
 * NOTE(review): confirm si->sip cannot be NULL on this path. */
5375 if (!pinfo->fd->flags.visited) {
5376 /* remember the FID for the processing of the response */
5377 si->sip->extra_info=(void *)fid;
5381 ofs = tvb_get_letohl(tvb, offset);
5382 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5386 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* mode is kept for the MessageStart/RAW test below; dissect_write_mode()
 * is given the mask 0x000f. */
5390 mode = tvb_get_letohs(tvb, offset);
5391 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
5394 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5397 /* XXX - data length high */
5398 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* datalen and dataoffset are sender-supplied 16-bit values; datalen is
 * handed to dissect_file_data_maybe_dcerpc() together with bc below. */
5402 datalen = tvb_get_letohs(tvb, offset);
5403 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5407 dataoffset=tvb_get_letohs(tvb, offset);
5408 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5411 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
5412 if (check_col(pinfo->cinfo, COL_INFO))
5413 col_append_fstr(pinfo->cinfo, COL_INFO,
5414 ", %u byte%s at offset %u", datalen,
5415 (datalen == 1) ? "" : "s", ofs);
5419 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/* The share is marked as IPC on the strength of two sender-controlled
 * mode bits alone, so a crafted request can influence how later traffic
 * on this TID is interpreted. */
5425 /* if both the MessageStart and the WriteRawNamedPipe flags are set
5426 the first two bytes of the payload is the length of the data
5427 also this tells us that this is indeed the IPC$ share
5428 (if we didnt already know that
5430 if((mode&(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW))==(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW)){
5431 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
5437 si->sip->flags|=SMB_SIF_TID_IS_IPC;
5441 /* file data, might be DCERPC on a pipe */
5443 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5444 top_tree, offset, bc, datalen, 0, fid);
5450 /* call AndXCommand (if there are any) */
5451 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX response: AndX header, the FID remembered from the
 * request (when the request was seen), the written byte count, remaining
 * and four reserved bytes; then dispatch the chained AndX command.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump).
 */
5457 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5459 guint8 wc, cmd=0xff;
5460 guint16 andxoffset=0, bc, datalen=0;
5465 /* next smb command */
5466 cmd = tvb_get_guint8(tvb, offset);
5468 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5470 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5475 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() at the end; treat it as untrusted. */
5479 andxoffset = tvb_get_letohs(tvb, offset);
5480 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5483 /* If we have seen the request, then print which FID this refers to */
5484 si = (smb_info_t *)pinfo->private_data;
5485 /* first check if we have seen the request */
5486 if(si->sip != NULL && si->sip->frame_req>0){
/* extra_info holds the FID the request dissector cast into the pointer
 * slot; offset 0 and length 0 because it is not part of this packet. */
5487 add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
/* count of bytes written, as reported by the server */
5491 datalen = tvb_get_letohs(tvb, offset);
5492 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
5495 if (check_col(pinfo->cinfo, COL_INFO))
5496 col_append_fstr(pinfo->cinfo, COL_INFO,
5497 ", %u byte%s", datalen,
5498 (datalen == 1) ? "" : "s");
5501 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5504 /* 4 reserved bytes */
5505 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5512 /* call AndXCommand (if there are any) */
5513 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the guest bit of the Session Setup AndX "Action"
 * word: the first string is used when the bit is set, the second when it
 * is clear. A set bit means the server mapped the logon to GUEST, which is
 * worth noticing when reviewing authentication traffic. */
5519 static const true_false_string tfs_setup_action_guest = {
5520 "Logged in as GUEST",
5521 "Not logged in as GUEST"
/*
 * Show the 16-bit little-endian "Action" word of a Session Setup AndX
 * response as a subtree with its guest bit.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump);
 * the declaration of mask, the test on parent_tree and the return of the
 * advanced offset are not visible.
 */
5524 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5527 proto_item *item = NULL;
5528 proto_tree *tree = NULL;
5530 mask = tvb_get_letohs(tvb, offset);
5533 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5534 "Action: 0x%04x", mask);
5535 tree = proto_item_add_subtree(item, ett_smb_setup_action);
/* the whole mask is passed; the field registration selects the bit */
5538 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5539 tvb, offset, 2, mask);
/*
 * Dissect a Session Setup AndX request. The visible lines cover three
 * layouts of the word parameters (a single ASCII password length; a
 * security blob length plus capabilities; ANSI and Unicode password
 * lengths plus capabilities) followed by the matching byte parameters:
 * security blob or password(s), account, primary domain, native OS and
 * native LAN Manager strings. The chained AndX command is dispatched at
 * the end.
 *
 * Every length used below (pwlen, sbloblen, apwlen, upwlen) is a 16-bit
 * value supplied by the sender. The password and security blob fields put
 * credential material from the capture into the protocol tree, so capture
 * files holding these requests should be handled as sensitive data.
 *
 * NOTE(review): many lines are missing from this listing (gutter numbers
 * jump), including the tests that select between the layouts, several
 * declarations, and the closing lines of some block comments.
 */
5548 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5550 guint8 wc, cmd=0xff;
5552 guint16 andxoffset=0;
5553 smb_info_t *si = pinfo->private_data;
5560 guint16 apwlen=0, upwlen=0;
5564 /* next smb command */
5565 cmd = tvb_get_guint8(tvb, offset);
5567 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5569 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5574 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() at the end; treat it as untrusted. */
5578 andxoffset = tvb_get_letohs(tvb, offset);
5579 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5582 /* Maximum Buffer Size */
5583 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5586 /* Maximum Multiplex Count */
5587 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5591 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5595 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5600 /* password length, ASCII*/
5601 pwlen = tvb_get_letohs(tvb, offset);
5602 proto_tree_add_uint(tree, hf_smb_password_len,
5603 tvb, offset, 2, pwlen);
5606 /* 4 reserved bytes */
5607 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5613 /* security blob length */
5614 sbloblen = tvb_get_letohs(tvb, offset);
5615 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5618 /* 4 reserved bytes */
5619 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5623 dissect_negprot_capabilities(tvb, tree, offset);
5629 /* password length, ANSI*/
5630 apwlen = tvb_get_letohs(tvb, offset);
5631 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5632 tvb, offset, 2, apwlen);
5635 /* password length, Unicode*/
5636 upwlen = tvb_get_letohs(tvb, offset);
5637 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5638 tvb, offset, 2, upwlen);
5641 /* 4 reserved bytes */
5642 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5646 dissect_negprot_capabilities(tvb, tree, offset);
/* Security blob handling. Points for review in the lines that follow:
 *  - the blob item is added with length sbloblen before
 *    CHECK_BYTE_COUNT(sbloblen) runs;
 *  - the NTLMSSP probe fetches 7 bytes at offset via tvb_get_ptr(), and
 *    nothing visible ties that 7 to sbloblen, so a blob shorter than 7
 *    bytes is compared using bytes that follow it (or the fetch fails if
 *    the buffer itself is shorter);
 *  - si and si->ct are tested for NULL in that probe, but si->unicode is
 *    used without such a test by the string reads further down.
 * NOTE(review): confirm si is never NULL here, or make the two agree. */
5655 proto_item *blob_item;
5659 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5660 tvb, offset, sbloblen, TRUE);
5662 /* As an optimization, because Windows is perverse,
5663 we check to see if NTLMSSP is the first part of the
5664 blob, and if so, call the NTLMSSP dissector,
5665 otherwise we call the GSS-API dissector. This is because
5666 Windows can request RAW NTLMSSP, but will happily handle
5667 a client that wraps NTLMSSP in SPNEGO
5672 proto_tree *blob_tree;
5674 blob_tree = proto_item_add_subtree(blob_item,
5676 CHECK_BYTE_COUNT(sbloblen);
5678 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
5681 if (si && si->ct && si->ct->raw_ntlmssp &&
5683 tvb_get_ptr(tvb, offset, 7), 7)) {
5684 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5689 call_dissector(gssapi_handle, blob_tvb,
5693 COUNT_BYTES(sbloblen);
5697 an = get_unicode_or_ascii_string(tvb, &offset,
5698 si->unicode, &an_len, FALSE, FALSE, &bc);
5701 proto_tree_add_string(tree, hf_smb_os, tvb,
5702 offset, an_len, an);
5703 COUNT_BYTES(an_len);
5706 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5707 * padding/null string/whatever in front of this. W2K doesn't
5708 * appear to. I suspect that's a bug that got fixed; I also
5709 * suspect that, in practice, nobody ever looks at that field
5710 * because the bug didn't appear to get fixed until NT 5.0....
5712 an = get_unicode_or_ascii_string(tvb, &offset,
5713 si->unicode, &an_len, FALSE, FALSE, &bc);
5716 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5717 offset, an_len, an);
5718 COUNT_BYTES(an_len);
5720 /* Primary domain */
5721 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5722 * byte in front of this, at least if all the strings are
5723 * ASCII and the account name is empty. Another bug?
5725 dn = get_unicode_or_ascii_string(tvb, &offset,
5726 si->unicode, &dn_len, FALSE, FALSE, &bc);
5729 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5730 offset, dn_len, dn);
5731 COUNT_BYTES(dn_len);
5737 /* password, ASCII */
/* Each password field below is preceded by CHECK_BYTE_COUNT() on its
 * sender-supplied length (presumably comparing it with the remaining
 * byte count bc - the macro is defined elsewhere) before the bytes are
 * added to the tree. */
5738 CHECK_BYTE_COUNT(pwlen);
5739 proto_tree_add_item(tree, hf_smb_password,
5740 tvb, offset, pwlen, TRUE);
5748 /* password, ANSI */
5749 CHECK_BYTE_COUNT(apwlen);
5750 proto_tree_add_item(tree, hf_smb_ansi_password,
5751 tvb, offset, apwlen, TRUE);
5752 COUNT_BYTES(apwlen);
5758 /* password, Unicode */
5759 CHECK_BYTE_COUNT(upwlen);
5760 item = proto_tree_add_item(tree, hf_smb_unicode_password,
5761 tvb, offset, upwlen, TRUE);
/* The Unicode password field is additionally handed to
 * dissect_ntlmv2_response() with the same sender-supplied length; the
 * condition selecting this path is not visible in this listing. */
5764 proto_tree *subtree;
5766 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
5768 dissect_ntlmv2_response(
5769 tvb, subtree, offset, upwlen);
5772 COUNT_BYTES(upwlen);
/* account name; it and the primary domain below are later appended to
 * the Info column */
5779 an = get_unicode_or_ascii_string(tvb, &offset,
5780 si->unicode, &an_len, FALSE, FALSE, &bc);
5783 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5785 COUNT_BYTES(an_len);
5787 /* Primary domain */
5788 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5789 * byte in front of this, at least if all the strings are
5790 * ASCII and the account name is empty. Another bug?
5792 dn = get_unicode_or_ascii_string(tvb, &offset,
5793 si->unicode, &dn_len, FALSE, FALSE, &bc);
5796 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5797 offset, dn_len, dn);
5798 COUNT_BYTES(dn_len);
5800 if (check_col(pinfo->cinfo, COL_INFO)) {
5801 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5803 if (!dn[0] && !an[0])
5804 col_append_fstr(pinfo->cinfo, COL_INFO,
5807 col_append_fstr(pinfo->cinfo, COL_INFO,
5812 an = get_unicode_or_ascii_string(tvb, &offset,
5813 si->unicode, &an_len, FALSE, FALSE, &bc);
5816 proto_tree_add_string(tree, hf_smb_os, tvb,
5817 offset, an_len, an);
5818 COUNT_BYTES(an_len);
5821 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5822 * padding/null string/whatever in front of this. W2K doesn't
5823 * appear to. I suspect that's a bug that got fixed; I also
5824 * suspect that, in practice, nobody ever looks at that field
5825 * because the bug didn't appear to get fixed until NT 5.0....
5827 an = get_unicode_or_ascii_string(tvb, &offset,
5828 si->unicode, &an_len, FALSE, FALSE, &bc);
5831 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5832 offset, an_len, an);
5833 COUNT_BYTES(an_len);
5838 /* call AndXCommand (if there are any) */
5839 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Session Setup AndX response: AndX header, the Action word,
 * an optional security blob (length taken from the packet), then the
 * native OS, native LAN Manager and primary domain strings; finally
 * dispatch the chained AndX command.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump),
 * including the tests that decide whether a security blob is present.
 */
5845 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5847 guint8 wc, cmd=0xff;
5848 guint16 andxoffset=0, bc;
5850 smb_info_t *si = pinfo->private_data;
5856 /* next smb command */
5857 cmd = tvb_get_guint8(tvb, offset);
5859 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5861 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5866 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() at the end; treat it as untrusted. */
5870 andxoffset = tvb_get_letohs(tvb, offset);
5871 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* Action word; its guest bit shows whether the logon was mapped to GUEST */
5875 offset = dissect_setup_action(tvb, tree, offset);
5878 /* security blob length */
5879 sbloblen = tvb_get_letohs(tvb, offset);
5880 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
/* The blob item is added with the sender-supplied sbloblen before
 * CHECK_BYTE_COUNT(sbloblen) runs. */
5887 proto_item *blob_item;
5891 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5892 tvb, offset, sbloblen, TRUE);
5896 proto_tree *blob_tree;
5898 blob_tree = proto_item_add_subtree(blob_item,
5900 CHECK_BYTE_COUNT(sbloblen);
5902 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
/* Raw NTLMSSP versus GSS-API is chosen by probing 7 bytes at offset;
 * nothing visible ties that 7 to sbloblen, so a shorter blob is compared
 * using bytes that follow it. si and si->ct are NULL-tested here, but
 * si->unicode is used without such a test by the string reads below.
 * NOTE(review): confirm si is never NULL, or make the two agree. */
5905 if (si && si->ct && si->ct->raw_ntlmssp &&
5907 tvb_get_ptr(tvb, offset, 7), 7)) {
5908 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5913 call_dissector(gssapi_handle, blob_tvb, pinfo,
5918 COUNT_BYTES(sbloblen);
/* native OS string */
5923 an = get_unicode_or_ascii_string(tvb, &offset,
5924 si->unicode, &an_len, FALSE, FALSE, &bc);
5927 proto_tree_add_string(tree, hf_smb_os, tvb,
5928 offset, an_len, an);
5929 COUNT_BYTES(an_len);
/* native LAN Manager string */
5932 an = get_unicode_or_ascii_string(tvb, &offset,
5933 si->unicode, &an_len, FALSE, FALSE, &bc);
5936 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5937 offset, an_len, an);
5938 COUNT_BYTES(an_len);
5941 /* Primary domain */
5942 an = get_unicode_or_ascii_string(tvb, &offset,
5943 si->unicode, &an_len, FALSE, FALSE, &bc);
5946 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5947 offset, an_len, an);
5948 COUNT_BYTES(an_len);
5953 /* call AndXCommand (if there are any) */
5954 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an AndX message that carries nothing beyond the AndX header
 * (next command, reserved byte, AndXOffset) and dispatch the chained
 * command.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump).
 */
5961 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5963 guint8 wc, cmd=0xff;
5964 guint16 andxoffset=0;
5969 /* next smb command */
5970 cmd = tvb_get_guint8(tvb, offset);
5972 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5974 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5979 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() below; treat it as untrusted. */
5983 andxoffset = tvb_get_letohs(tvb, offset);
5984 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5991 /* call AndXCommand (if there are any) */
5992 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the "Optional Support" bits of a Tree Connect AndX
 * response; in each pair the first string is used when the bit is set and
 * the second when it is clear.
 * NOTE(review): this listing omits lines, including the first string of
 * tfs_connect_support_in_dfs and the closing braces. */
5998 static const true_false_string tfs_connect_support_search = {
5999 "Exclusive search bits supported",
6000 "Exclusive search bits not supported"
6002 static const true_false_string tfs_connect_support_in_dfs = {
6004 "Share isn't in Dfs"
/*
 * Show the 16-bit little-endian "Optional Support" word of a Tree Connect
 * AndX response as a subtree with its search and Dfs bits.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump);
 * the declaration of mask, the test on parent_tree and the return of the
 * advanced offset are not visible.
 */
6008 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6011 proto_item *item = NULL;
6012 proto_tree *tree = NULL;
6014 mask = tvb_get_letohs(tvb, offset);
6017 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6018 "Optional Support: 0x%04x", mask);
6019 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
/* the whole mask is passed each time; the field registration selects
 * the bit */
6022 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
6023 tvb, offset, 2, mask);
6024 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
6025 tvb, offset, 2, mask);
/* Display strings for the disconnect-TID bit of the Tree Connect AndX
 * request flags.
 * NOTE(review): this listing omits the string used when the bit is set
 * and the closing brace. */
6032 static const true_false_string tfs_disconnect_tid = {
6034 "Do NOT disconnect TID"
/*
 * Show the 16-bit little-endian "Flags" word of a Tree Connect AndX
 * request as a subtree with its disconnect-TID bit.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump);
 * the declaration of mask, the test on parent_tree and the return of the
 * advanced offset are not visible.
 */
6038 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6041 proto_item *item = NULL;
6042 proto_tree *tree = NULL;
6044 mask = tvb_get_letohs(tvb, offset);
6047 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6048 "Flags: 0x%04x", mask);
6049 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
/* the whole mask is passed; the field registration selects the bit */
6052 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
6053 tvb, offset, 2, mask);
/*
 * Dissect a Tree Connect AndX request: AndX header, connect flags,
 * password length, then the byte parameters - password, path (Unicode or
 * ASCII depending on si->unicode) and the Service string, which is always
 * ASCII; finally dispatch the chained AndX command.
 *
 * The password field puts share-level credential bytes from the capture
 * into the protocol tree, so capture files holding these requests should
 * be handled as sensitive data.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump),
 * including the opening of the block comment about the Service string.
 */
6061 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6063 guint8 wc, cmd=0xff;
6065 guint16 andxoffset=0, pwlen=0;
6066 smb_info_t *si = pinfo->private_data;
6072 /* next smb command */
6073 cmd = tvb_get_guint8(tvb, offset);
6075 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6077 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
6082 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() at the end; treat it as untrusted. */
6086 andxoffset = tvb_get_letohs(tvb, offset);
6087 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6091 offset = dissect_connect_flags(tvb, tree, offset);
6093 /* password length*/
6094 pwlen = tvb_get_letohs(tvb, offset);
6095 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
/* pwlen is sender-supplied; CHECK_BYTE_COUNT() runs on it (presumably
 * against the remaining byte count bc - the macro is defined elsewhere)
 * before the password bytes are added to the tree. */
6101 CHECK_BYTE_COUNT(pwlen);
6102 proto_tree_add_item(tree, hf_smb_password,
6103 tvb, offset, pwlen, TRUE);
/* si->unicode is read without a NULL test on si in the visible lines */
6107 an = get_unicode_or_ascii_string(tvb, &offset,
6108 si->unicode, &an_len, FALSE, FALSE, &bc);
6111 proto_tree_add_string(tree, hf_smb_path, tvb,
6112 offset, an_len, an);
6113 COUNT_BYTES(an_len);
/* The path from the packet reaches the Info column only as a %s
 * argument of a literal format string. */
6115 if (check_col(pinfo->cinfo, COL_INFO)) {
6116 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
6120 * NOTE: the Service string is always ASCII, even if the
6121 * "strings are Unicode" bit is set in the flags2 field
6126 /* XXX - what if this runs past bc? */
/* tvb_strsize() measures up to and including the NUL inside the tvbuff,
 * not inside bc; the CHECK_BYTE_COUNT(an_len) on the following line is
 * the only visible comparison of that size with the byte count. */
6127 an_len = tvb_strsize(tvb, offset);
6128 CHECK_BYTE_COUNT(an_len);
6129 an = tvb_get_ptr(tvb, offset, an_len);
6130 proto_tree_add_string(tree, hf_smb_service, tvb,
6131 offset, an_len, an);
6132 COUNT_BYTES(an_len);
6136 /* call AndXCommand (if there are any) */
6137 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Tree Connect AndX response: AndX header, the optional-support
 * word, any further word parameters (shown as raw words), then the byte
 * parameters - the Service string (always ASCII) and, when present, the
 * native file system string; finally dispatch the chained AndX command.
 *
 * On the first pass the service type is recorded per TID in
 * si->ct->tid_service as TID_IPC or TID_NORMAL, which later commands on
 * the same TID rely on.
 *
 * NOTE(review): lines are missing from this listing (gutter numbers jump),
 * including the updates of wleft inside the loop and the opening and
 * closing lines of several block comments.
 */
6144 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6146 guint8 wc, wleft, cmd=0xff;
6147 guint16 andxoffset=0;
6151 smb_info_t *si = pinfo->private_data;
6155 wleft = wc; /* this is at least 1 */
6157 /* next smb command */
6158 cmd = tvb_get_guint8(tvb, offset);
6160 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6162 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
6167 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndXOffset comes from the packet unchecked in the visible lines and is
 * passed to dissect_smb_command() at the end; treat it as untrusted. */
6175 andxoffset = tvb_get_letohs(tvb, offset);
6176 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6183 offset = dissect_connect_support_bits(tvb, tree, offset);
6186 /* XXX - I've seen captures where this is 7, but I have no
6187 idea how to dissect it. I'm guessing the third word
6188 contains connect support bits, which looks plausible
6189 from the values I've seen. */
/* wleft starts from the sender-supplied word count; the loop's progress
 * depends on wleft and offset updates that are not visible in this
 * listing. */
6191 while (wleft != 0) {
6192 proto_tree_add_text(tree, tvb, offset, 2,
6193 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
6201 * NOTE: even though the SNIA CIFS spec doesn't say there's
6202 * a "Service" string if there's a word count of 2, the
6205 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
6207 * (it's in an ugly format - text intended to be sent to a
6208 * printer, with backspaces and overstrikes used for boldfacing
6209 * and underlining; UNIX "col -b" can be used to strip the
6210 * overstrikes out) says there's a "Service" string there, and
6211 * some network traffic has it.
6215 * NOTE: the Service string is always ASCII, even if the
6216 * "strings are Unicode" bit is set in the flags2 field
6221 /* XXX - what if this runs past bc? */
/* tvb_strsize() measures up to and including the NUL inside the tvbuff,
 * not inside bc; CHECK_BYTE_COUNT(an_len) on the following line is the
 * only visible comparison of that size with the byte count. Because the
 * size includes the terminator, the strcmp() on an below sees a
 * NUL-terminated string. */
6222 an_len = tvb_strsize(tvb, offset);
6223 CHECK_BYTE_COUNT(an_len);
6224 an = tvb_get_ptr(tvb, offset, an_len);
6225 proto_tree_add_string(tree, hf_smb_service, tvb,
6226 offset, an_len, an);
6227 COUNT_BYTES(an_len);
/* si->ct is dereferenced below without a NULL test in the visible lines,
 * whereas the session-setup dissectors in this file test si and si->ct
 * before use. The TID is used as the hash key by casting it into a
 * pointer. The IPC/normal classification stored here comes from a
 * sender-supplied string, so a crafted response can steer how later
 * traffic on this TID is dissected.
 * NOTE(review): confirm si->ct cannot be NULL on this path. */
6229 /* Now when we know the service type, store it so that we know it for later commands down
6231 if(!pinfo->fd->flags.visited){
6232 /* Remove any previous entry for this TID */
6233 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
6234 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
6236 if(strcmp(an,"IPC") == 0){
6237 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
6239 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
6247 * Sometimes this isn't present.
6251 an = get_unicode_or_ascii_string(tvb, &offset,
6252 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
6256 proto_tree_add_string(tree, hf_smb_fs, tvb,
6257 offset, an_len, an);
6258 COUNT_BYTES(an_len);
6264 /* call AndXCommand (if there are any) */
6265 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6272 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6273 NT Transaction command begins here
6274 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* NT Transaction subcommand codes and the table mapping each code to its
 * display name. Codes 3 and 6 are the set/query security descriptor
 * subcommands, which are the ones to look for when reviewing permission
 * changes in a capture.
 * NOTE(review): this listing omits the end of the table. */
6275 #define NT_TRANS_CREATE 1
6276 #define NT_TRANS_IOCTL 2
6277 #define NT_TRANS_SSD 3
6278 #define NT_TRANS_NOTIFY 4
6279 #define NT_TRANS_RENAME 5
6280 #define NT_TRANS_QSD 6
6281 #define NT_TRANS_GET_USER_QUOTA 7
6282 #define NT_TRANS_SET_USER_QUOTA 8
/* not static, unlike the other tables in this part of the file */
6283 const value_string nt_cmd_vals[] = {
6284 {NT_TRANS_CREATE, "NT CREATE"},
6285 {NT_TRANS_IOCTL, "NT IOCTL"},
6286 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
6287 {NT_TRANS_NOTIFY, "NT NOTIFY"},
6288 {NT_TRANS_RENAME, "NT RENAME"},
6289 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
6290 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
6291 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
/* Display tables for NT IOCTL and NT NOTIFY fields. In a
 * true_false_string the first string is used when the bit is set and the
 * second when it is clear.
 * NOTE(review): this listing omits the end of each table. */
6295 static const value_string nt_ioctl_isfsctl_vals[] = {
6296 {0, "Device IOCTL"},
6297 {1, "FS control : FSCTL"},
6301 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
6302 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
6303 "Apply the command to share root handle (MUST BE Dfs)",
6304 "Apply to this share",
/* NOTE(review): the first label below lacks its closing parenthesis */
6307 static const value_string nt_notify_action_vals[] = {
6308 {1, "ADDED (object was added"},
6309 {2, "REMOVED (object was removed)"},
6310 {3, "MODIFIED (object was modified)"},
6311 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
6312 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
6313 {6, "ADDED_STREAM (a stream was added)"},
6314 {7, "REMOVED_STREAM (a stream was removed)"},
6315 {8, "MODIFIED_STREAM (a stream was modified)"},
6319 static const value_string watch_tree_vals[] = {
6320 {0, "Current directory only"},
6321 {1, "Subdirectories also"},
/* Bit masks of the NT NOTIFY completion filter, one per kind of change,
 * followed by the display strings for each bit (first string when the bit
 * is set, second when it is clear).
 * NOTE(review): this listing omits the closing line of each table. */
6325 #define NT_NOTIFY_STREAM_WRITE 0x00000800
6326 #define NT_NOTIFY_STREAM_SIZE 0x00000400
6327 #define NT_NOTIFY_STREAM_NAME 0x00000200
6328 #define NT_NOTIFY_SECURITY 0x00000100
6329 #define NT_NOTIFY_EA 0x00000080
6330 #define NT_NOTIFY_CREATION 0x00000040
6331 #define NT_NOTIFY_LAST_ACCESS 0x00000020
6332 #define NT_NOTIFY_LAST_WRITE 0x00000010
6333 #define NT_NOTIFY_SIZE 0x00000008
6334 #define NT_NOTIFY_ATTRIBUTES 0x00000004
6335 #define NT_NOTIFY_DIR_NAME 0x00000002
6336 #define NT_NOTIFY_FILE_NAME 0x00000001
6337 static const true_false_string tfs_nt_notify_stream_write = {
6338 "Notify on changes to STREAM WRITE",
6339 "Do NOT notify on changes to stream write",
6341 static const true_false_string tfs_nt_notify_stream_size = {
6342 "Notify on changes to STREAM SIZE",
6343 "Do NOT notify on changes to stream size",
6345 static const true_false_string tfs_nt_notify_stream_name = {
6346 "Notify on changes to STREAM NAME",
6347 "Do NOT notify on changes to stream name",
6349 static const true_false_string tfs_nt_notify_security = {
6350 "Notify on changes to SECURITY",
6351 "Do NOT notify on changes to security",
6353 static const true_false_string tfs_nt_notify_ea = {
6354 "Notify on changes to EA",
6355 "Do NOT notify on changes to EA",
6357 static const true_false_string tfs_nt_notify_creation = {
6358 "Notify on changes to CREATION TIME",
6359 "Do NOT notify on changes to creation time",
6361 static const true_false_string tfs_nt_notify_last_access = {
6362 "Notify on changes to LAST ACCESS TIME",
6363 "Do NOT notify on changes to last access time",
6365 static const true_false_string tfs_nt_notify_last_write = {
6366 "Notify on changes to LAST WRITE TIME",
6367 "Do NOT notify on changes to last write time",
6369 static const true_false_string tfs_nt_notify_size = {
6370 "Notify on changes to SIZE",
6371 "Do NOT notify on changes to size",
6373 static const true_false_string tfs_nt_notify_attributes = {
6374 "Notify on changes to ATTRIBUTES",
6375 "Do NOT notify on changes to attributes",
6377 static const true_false_string tfs_nt_notify_dir_name = {
6378 "Notify on changes to DIR NAME",
6379 "Do NOT notify on changes to dir name",
6381 static const true_false_string tfs_nt_notify_file_name = {
6382 "Notify on changes to FILE NAME",
6383 "Do NOT notify on changes to file name",
/* Display tables for NT Create fields: create disposition, impersonation
 * level, security flags and the create flag bits. In a true_false_string
 * the first string is used when the bit is set and the second when it is
 * clear.
 * NOTE(review): this listing omits lines, including some entries of
 * impersonation_level_vals and the end of each table. */
6386 static const value_string create_disposition_vals[] = {
6387 {0, "Supersede (supersede existing file (if it exists))"},
6388 {1, "Open (if file exists open it, else fail)"},
6389 {2, "Create (if file exists fail, else create it)"},
6390 {3, "Open If (if file exists open it, else create it)"},
6391 {4, "Overwrite (if file exists overwrite, else fail)"},
6392 {5, "Overwrite If (if file exists overwrite, else create it)"},
/* The impersonation level is what the client allows the server to do
 * with its security context, so it is worth reading when reviewing
 * named-pipe opens in a capture. */
6396 static const value_string impersonation_level_vals[] = {
6398 {1, "Identification"},
6399 {2, "Impersonation"},
6404 static const true_false_string tfs_nt_security_flags_context_tracking = {
6405 "Security tracking mode is DYNAMIC",
6406 "Security tracking mode is STATIC",
6409 static const true_false_string tfs_nt_security_flags_effective_only = {
6410 "ONLY ENABLED aspects of the client's security context are available",
6411 "ALL aspects of the client's security context are available",
6414 static const true_false_string tfs_nt_create_bits_oplock = {
6415 "Requesting OPLOCK",
6416 "Does NOT request oplock"
6419 static const true_false_string tfs_nt_create_bits_boplock = {
6420 "Requesting BATCH OPLOCK",
6421 "Does NOT request batch oplock"
6425 * XXX - must be a directory, and can be a file, or can be a directory,
6426 * and must be a file?
6428 static const true_false_string tfs_nt_create_bits_dir = {
6429 "Target of open MUST be a DIRECTORY",
6430 "Target of open can be a file"
6433 static const true_false_string tfs_nt_create_bits_ext_resp = {
6434 "Extended responses required",
6435 "Extended responses NOT required"
6438 static const true_false_string tfs_nt_access_mask_generic_read = {
6439 "GENERIC READ is set",
6440 "Generic read is NOT set"
/*
 * Display strings for individual NT access-mask bits. In each pair the
 * first string is the text shown when the bit is set and the second the
 * text shown when it is clear.
 *
 * NOTE(review): WRITE OWNER and WRITE DAC let the holder change the owner
 * of the object and rewrite its DACL, and GENERIC ALL / MAXIMUM ALLOWED ask
 * for everything available, so those are the bits to look at first when a
 * capture is being reviewed for over-broad access requests.
 */
6442 static const true_false_string tfs_nt_access_mask_generic_write = {
6443 "GENERIC WRITE is set",
6444 "Generic write is NOT set"
6446 static const true_false_string tfs_nt_access_mask_generic_execute = {
6447 "GENERIC EXECUTE is set",
6448 "Generic execute is NOT set"
6450 static const true_false_string tfs_nt_access_mask_generic_all = {
6451 "GENERIC ALL is set",
6452 "Generic all is NOT set"
6454 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6455 "MAXIMUM ALLOWED is set",
6456 "Maximum allowed is NOT set"
6458 static const true_false_string tfs_nt_access_mask_system_security = {
6459 "SYSTEM SECURITY is set",
6460 "System security is NOT set"
6462 static const true_false_string tfs_nt_access_mask_synchronize = {
6463 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6464 "Can NOT wait on handle to synchronize on completion of I/O"
6466 static const true_false_string tfs_nt_access_mask_write_owner = {
6467 "Can WRITE OWNER (take ownership)",
6468 "Can NOT write owner (take ownership)"
6470 static const true_false_string tfs_nt_access_mask_write_dac = {
6471 "OWNER may WRITE the DAC",
6472 "Owner may NOT write to the DAC"
6474 static const true_false_string tfs_nt_access_mask_read_control = {
6475 "READ ACCESS to owner, group and ACL of the SID",
6476 "Read access is NOT granted to owner, group and ACL of the SID"
6478 static const true_false_string tfs_nt_access_mask_delete = {
6482 static const true_false_string tfs_nt_access_mask_write_attributes = {
6483 "WRITE ATTRIBUTES access",
6484 "NO write attributes access"
6486 static const true_false_string tfs_nt_access_mask_read_attributes = {
6487 "READ ATTRIBUTES access",
6488 "NO read attributes access"
6490 static const true_false_string tfs_nt_access_mask_delete_child = {
6491 "DELETE CHILD access",
6492 "NO delete child access"
6494 static const true_false_string tfs_nt_access_mask_execute = {
6498 static const true_false_string tfs_nt_access_mask_write_ea = {
6499 "WRITE EXTENDED ATTRIBUTES access",
6500 "NO write extended attributes access"
6502 static const true_false_string tfs_nt_access_mask_read_ea = {
6503 "READ EXTENDED ATTRIBUTES access",
6504 "NO read extended attributes access"
6506 static const true_false_string tfs_nt_access_mask_append = {
6510 static const true_false_string tfs_nt_access_mask_write = {
6514 static const true_false_string tfs_nt_access_mask_read = {
/*
 * Display strings for the three share-access bits (delete, write, read);
 * first string for a set bit, second for a clear bit.
 */
6519 static const true_false_string tfs_nt_share_access_delete = {
6520 "Object can be shared for DELETE",
6521 "Object can NOT be shared for delete"
6523 static const true_false_string tfs_nt_share_access_write = {
6524 "Object can be shared for WRITE",
6525 "Object can NOT be shared for write"
6527 static const true_false_string tfs_nt_share_access_read = {
6528 "Object can be shared for READ",
6529 "Object can NOT be shared for read"
/* Display text for the oplock level codes 0 through 3. */
6532 static const value_string oplock_level_vals[] = {
6533 {0, "No oplock granted"},
6534 {1, "Exclusive oplock granted"},
6535 {2, "Batch oplock granted"},
6536 {3, "Level II oplock granted"},
/*
 * Display names for device type codes 0x00000001 through 0x0000002c.
 * The codes are consecutive, with no gaps in the range listed here.
 */
6540 static const value_string device_type_vals[] = {
6541 {0x00000001, "Beep"},
6542 {0x00000002, "CDROM"},
6543 {0x00000003, "CDROM Filesystem"},
6544 {0x00000004, "Controller"},
6545 {0x00000005, "Datalink"},
6546 {0x00000006, "Dfs"},
6547 {0x00000007, "Disk"},
6548 {0x00000008, "Disk Filesystem"},
6549 {0x00000009, "Filesystem"},
6550 {0x0000000a, "Inport Port"},
6551 {0x0000000b, "Keyboard"},
6552 {0x0000000c, "Mailslot"},
6553 {0x0000000d, "MIDI-In"},
6554 {0x0000000e, "MIDI-Out"},
6555 {0x0000000f, "Mouse"},
6556 {0x00000010, "Multi UNC Provider"},
6557 {0x00000011, "Named Pipe"},
6558 {0x00000012, "Network"},
6559 {0x00000013, "Network Browser"},
6560 {0x00000014, "Network Filesystem"},
6561 {0x00000015, "NULL"},
6562 {0x00000016, "Parallel Port"},
6563 {0x00000017, "Physical card"},
6564 {0x00000018, "Printer"},
6565 {0x00000019, "Scanner"},
6566 {0x0000001a, "Serial Mouse port"},
6567 {0x0000001b, "Serial port"},
6568 {0x0000001c, "Screen"},
6569 {0x0000001d, "Sound"},
6570 {0x0000001e, "Streams"},
6571 {0x0000001f, "Tape"},
6572 {0x00000020, "Tape Filesystem"},
6573 {0x00000021, "Transport"},
6574 {0x00000022, "Unknown"},
6575 {0x00000023, "Video"},
6576 {0x00000024, "Virtual Disk"},
6577 {0x00000025, "WAVE-In"},
6578 {0x00000026, "WAVE-Out"},
6579 {0x00000027, "8042 Port"},
6580 {0x00000028, "Network Redirector"},
6581 {0x00000029, "Battery"},
6582 {0x0000002a, "Bus Extender"},
6583 {0x0000002b, "Modem"},
6584 {0x0000002c, "VDM"},
/* Display text for the is-directory value: 0 = not a directory, 1 = directory. */
6588 static const value_string is_directory_vals[] = {
6589 {0, "This is NOT a directory"},
6590 {1, "This is a DIRECTORY"},
6594 typedef struct _nt_trans_data {
/*
 * Dissect the one-byte NT security flags field at `offset`.
 *
 * Reads the byte with tvb_get_guint8(), adds a "Security Flags" text item
 * with its own subtree under parent_tree, and adds the context-tracking
 * and effective-only booleans decoded from that same byte.
 */
6603 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6606 proto_item *item = NULL;
6607 proto_tree *tree = NULL;
6609 mask = tvb_get_guint8(tvb, offset);
6612 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6613 "Security Flags: 0x%02x", mask);
6614 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
/* Both booleans are decoded from the same single byte. */
6617 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6618 tvb, offset, 1, mask);
6619 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6620 tvb, offset, 1, mask);
/*
 * Dissect the 4-byte share-access field at `offset`.
 *
 * The value is read little-endian with tvb_get_letohl(), shown as a
 * "Share Access" text item, and broken out into the delete, write and
 * read booleans in a subtree.
 */
6628 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6631 proto_item *item = NULL;
6632 proto_tree *tree = NULL;
6634 mask = tvb_get_letohl(tvb, offset);
6637 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6638 "Share Access: 0x%08x", mask);
6639 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6642 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6643 tvb, offset, 4, mask);
6644 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6645 tvb, offset, 4, mask);
6646 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6647 tvb, offset, 4, mask);
6654 /* FIXME: need to call dissect_nt_access_mask() instead */
/*
 * Dissect the 4-byte SMB access mask at `offset`.
 *
 * The mask is read little-endian with tvb_get_letohl(), shown as an
 * "Access Mask" text item, and every known bit is added as a boolean in
 * the subtree. All booleans cover the same 4 bytes and receive the full
 * mask value.
 */
6657 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6660 proto_item *item = NULL;
6661 proto_tree *tree = NULL;
6663 mask = tvb_get_letohl(tvb, offset);
6666 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6667 "Access Mask: 0x%08x", mask);
6668 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6672 * Some of these bits come from
6674 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6676 * and others come from the section on ZwOpenFile in "Windows(R)
6677 * NT(R)/2000 Native API Reference".
/* Generic rights, then maximum-allowed and system-security. */
6679 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6680 tvb, offset, 4, mask);
6681 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6682 tvb, offset, 4, mask);
6683 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6684 tvb, offset, 4, mask);
6685 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6686 tvb, offset, 4, mask);
6687 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6688 tvb, offset, 4, mask);
6689 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6690 tvb, offset, 4, mask);
/* Standard rights: synchronize, write owner, write DAC, read control, delete. */
6691 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6692 tvb, offset, 4, mask);
6693 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6694 tvb, offset, 4, mask);
6695 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6696 tvb, offset, 4, mask);
6697 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6698 tvb, offset, 4, mask);
6699 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6700 tvb, offset, 4, mask);
/* File-specific rights. */
6701 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6702 tvb, offset, 4, mask);
6703 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6704 tvb, offset, 4, mask);
6705 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6706 tvb, offset, 4, mask);
6707 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6708 tvb, offset, 4, mask);
6709 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6710 tvb, offset, 4, mask);
6711 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6712 tvb, offset, 4, mask);
6713 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6714 tvb, offset, 4, mask);
6715 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6716 tvb, offset, 4, mask);
6717 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6718 tvb, offset, 4, mask);
/*
 * Dissect the 4-byte create flags field at `offset`.
 *
 * The value is read little-endian with tvb_get_letohl(), shown as a
 * "Create Flags" text item, and four bits are added as booleans:
 * extended response, directory, batch oplock and oplock.
 */
6726 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6729 proto_item *item = NULL;
6730 proto_tree *tree = NULL;
6732 mask = tvb_get_letohl(tvb, offset);
6735 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6736 "Create Flags: 0x%08x", mask);
6737 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6741 * XXX - it's 0x00000016 in at least one capture, but
6742 * Network Monitor doesn't say what the 0x00000010 bit is.
6743 * Does the Win32 API documentation, or NT Native API book,
6746 * That is the extended response desired bit ... RJS, from Samba
6747 * Well, maybe. Samba thinks it is, and uses it to encode
6748 * OpLock granted as the high order bit of the Action field
6749 * in the response. However, Windows does not do that. Or at least
6752 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_ext_resp,
6753 tvb, offset, 4, mask);
6754 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6755 tvb, offset, 4, mask);
6756 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6757 tvb, offset, 4, mask);
6758 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6759 tvb, offset, 4, mask);
6767 * XXX - there are some more flags in the description of "ZwOpenFile()"
6768 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6769 * the wire as well? (The spec at
6771 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6773 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6774 * via the SMB protocol. The NT redirector should convert this option
6775 * to FILE_WRITE_THROUGH."
6777 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6778 * values one would infer from their position in the list of flags for
6779 * "ZwOpenFile()". Most of the others probably have those values
6780 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6781 * which might go over the wire (for the benefit of backup/restore software).
/*
 * Display strings for the create-options bits; first string for a set
 * bit, second for a clear bit.
 *
 * NOTE(review): the "directory" and "non directory" tables carry the same
 * two sentences in opposite order, so the clear-bit text of each one
 * asserts the other requirement rather than "no requirement" — confirm
 * that is the intended wording.
 */
6783 static const true_false_string tfs_nt_create_options_directory = {
6784 "File being created/opened must be a directory",
6785 "File being created/opened must not be a directory"
6787 static const true_false_string tfs_nt_create_options_write_through = {
6788 "Writes should flush buffered data before completing",
6789 "Writes need not flush buffered data before completing"
6791 static const true_false_string tfs_nt_create_options_sequential_only = {
6792 "The file will only be accessed sequentially",
6793 "The file might not only be accessed sequentially"
6795 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6796 "All operations SYNCHRONOUS, waits subject to termination from alert",
6797 "Operations NOT necessarily synchronous"
6799 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6800 "All operations SYNCHRONOUS, waits not subject to alert",
6801 "Operations NOT necessarily synchronous"
6803 static const true_false_string tfs_nt_create_options_non_directory = {
6804 "File being created/opened must not be a directory",
6805 "File being created/opened must be a directory"
6807 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6808 "The client does not understand extended attributes",
6809 "The client understands extended attributes"
6811 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6812 "The client understands only 8.3 file names",
6813 "The client understands long file names"
6815 static const true_false_string tfs_nt_create_options_random_access = {
6816 "The file will be accessed randomly",
6817 "The file will not be accessed randomly"
6819 static const true_false_string tfs_nt_create_options_delete_on_close = {
6820 "The file should be deleted when it is closed",
6821 "The file should not be deleted when it is closed"
/*
 * Dissect the 4-byte create options field at `offset`.
 *
 * The value is read little-endian with tvb_get_letohl(), shown as a
 * "Create Options" text item, and ten option bits are added as booleans
 * in the subtree.
 */
6825 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6828 proto_item *item = NULL;
6829 proto_tree *tree = NULL;
6831 mask = tvb_get_letohl(tvb, offset);
6834 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6835 "Create Options: 0x%08x", mask);
6836 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6842 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6844 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6845 tvb, offset, 4, mask);
6846 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6847 tvb, offset, 4, mask);
6848 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6849 tvb, offset, 4, mask);
6850 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6851 tvb, offset, 4, mask);
6852 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6853 tvb, offset, 4, mask);
6854 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6855 tvb, offset, 4, mask);
6856 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6857 tvb, offset, 4, mask);
6858 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
6859 tvb, offset, 4, mask);
6860 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
6861 tvb, offset, 4, mask);
/* Delete-on-close removes the file when the handle is closed, per its display string. */
6862 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
6863 tvb, offset, 4, mask);
/*
 * Dissect the 4-byte notify completion filter at `offset`.
 *
 * The value is read little-endian with tvb_get_letohl(), shown as a
 * "Completion Filter" text item, and twelve change-notification bits are
 * added as booleans in the subtree.
 */
6871 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6874 proto_item *item = NULL;
6875 proto_tree *tree = NULL;
6877 mask = tvb_get_letohl(tvb, offset);
6880 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6881 "Completion Filter: 0x%08x", mask);
6882 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
6885 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
6886 tvb, offset, 4, mask);
6887 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
6888 tvb, offset, 4, mask);
6889 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
6890 tvb, offset, 4, mask);
6891 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
6892 tvb, offset, 4, mask);
6893 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
6894 tvb, offset, 4, mask);
6895 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
6896 tvb, offset, 4, mask);
6897 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
6898 tvb, offset, 4, mask);
6899 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
6900 tvb, offset, 4, mask);
6901 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
6902 tvb, offset, 4, mask);
6903 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
6904 tvb, offset, 4, mask);
6905 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
6906 tvb, offset, 4, mask);
6907 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
6908 tvb, offset, 4, mask);
/*
 * Dissect the one-byte NT ioctl flags field at `offset`.
 *
 * Reads the byte with tvb_get_guint8(), adds a text item with a subtree,
 * and adds the root-handle boolean decoded from that byte.
 */
6915 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6918 proto_item *item = NULL;
6919 proto_tree *tree = NULL;
6921 mask = tvb_get_guint8(tvb, offset);
/*
 * NOTE(review): the item is labelled "Completion Filter" although this
 * function decodes the ioctl flags (subtree ett_smb_nt_ioctl_flags, single
 * root-handle bit). The label looks copied from
 * dissect_nt_notify_completion_filter(); it mislabels the field for anyone
 * reading the decode — confirm and rename.
 */
6924 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6925 "Completion Filter: 0x%02x", mask);
6926 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
6929 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
6930 tvb, offset, 1, mask);
6937 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
6938 * Native API Reference".
/*
 * Display strings and bit values for the security-information mask:
 * which parts of a security descriptor (owner, group, DACL, SACL) a
 * request is asking for. First string for a set bit, second for a clear
 * bit.
 */
6940 static const true_false_string tfs_nt_qsd_owner = {
6941 "Requesting OWNER security information",
6942 "NOT requesting owner security information",
6945 static const true_false_string tfs_nt_qsd_group = {
6946 "Requesting GROUP security information",
6947 "NOT requesting group security information",
6950 static const true_false_string tfs_nt_qsd_dacl = {
6951 "Requesting DACL security information",
6952 "NOT requesting DACL security information",
6955 static const true_false_string tfs_nt_qsd_sacl = {
6956 "Requesting SACL security information",
6957 "NOT requesting SACL security information",
/* One bit per descriptor component, in the low four bits of the mask. */
6960 #define NT_QSD_OWNER 0x00000001
6961 #define NT_QSD_GROUP 0x00000002
6962 #define NT_QSD_DACL 0x00000004
6963 #define NT_QSD_SACL 0x00000008
/*
 * Dissect the 4-byte security-information mask at `offset`.
 *
 * The value is read little-endian with tvb_get_letohl(), shown as a
 * "Security Information" text item, and the owner, group, DACL and SACL
 * request bits are added as booleans in the subtree.
 */
6966 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6969 proto_item *item = NULL;
6970 proto_tree *tree = NULL;
6972 mask = tvb_get_letohl(tvb, offset);
6975 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6976 "Security Information: 0x%08x", mask);
6977 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
6980 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
6981 tvb, offset, 4, mask);
6982 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
6983 tvb, offset, 4, mask);
6984 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
6985 tvb, offset, 4, mask);
6986 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
6987 tvb, offset, 4, mask);
/*
 * Cleanup callback: releases a GString passed as an untyped pointer.
 * TRUE tells g_string_free() to free the character data as well as the
 * GString itself. Registered with CLEANUP_PUSH() in dissect_nt_sid().
 */
6995 free_g_string(void *arg)
6997 g_string_free(arg, TRUE);
7000 /* Dissect a NT SID. Label it with 'name' and return a string version of
7001 the SID in the 'sid_str' parameter which must be freed by the caller.
7002 hf_sid can be -1 if the caller doesn't care what name is used and then
7003 "smb.sid" will be the default instead. If the caller wants a more
7004 appropriate hf field, it will just pass a FT_STRING hf field here
/*
 * Dissect an NT SID starting at `offset`, add it to parent_tree labelled
 * with `name`, and hand back a printable copy in *sid_str. The copy is
 * allocated with g_strdup()/g_strdup_printf(), so the caller owns it and
 * must free it.
 *
 * NOTE(review): every value read here (revision, num_auth, authority
 * bytes, sub-authorities, RID) comes straight from the captured packet and
 * must be treated as untrusted when sizing buffers.
 */
7008 dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree, char *name,
7009 char **sid_str, int hf_sid)
7011 proto_item *item = NULL;
7012 proto_tree *tree = NULL;
7013 int old_offset = offset, sa_offset = offset;
7014 gboolean rid_present;
/*
 * NOTE(review): `auth` is a guint, yet the Authority item added below
 * covers 6 bytes; accumulating 6 bytes with `<< 8` presumably shifts the
 * high-order bytes out of a 32-bit value — confirm against the loop that
 * is not visible in this listing.
 */
7021 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
/*
 * NOTE(review): fixed-size stack buffer. It is filled further down by
 * sprintf() calls that have no length limit.
 */
7024 char sid_string[245];
7031 /* revision of sid */
7032 revision = tvb_get_guint8(tvb, offset);
7033 rev_offset = offset;
7038 case 2: /* Not sure what the different revision numbers mean */
7039 /* number of authorities*/
/* num_auth is one byte from the packet, so it can be anything from 0 to 255. */
7040 num_auth = tvb_get_guint8(tvb, offset);
7044 /* XXX perhaps we should have these thing searchable?
7045 a new FT_xxx thingie? SMB is quite common!*/
7046 /* identifier authorities */
7049 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
7056 gstr = g_string_new("");
/* Register gstr for release through free_g_string(); CLEANUP_CALL_AND_POP below runs it. */
7058 CLEANUP_PUSH(free_g_string, gstr);
7060 /* sub authorities, leave RID to last */
/*
 * The loop count is derived from the packet-supplied num_auth. Each pass
 * appends a 32-bit value in decimal (up to 10 digits) plus a '-'
 * separator, so gstr->str grows to roughly 11 bytes per sub-authority.
 * NOTE(review): no upper bound on num_auth is visible in this listing;
 * Windows limits a SID to 15 sub-authorities, and rejecting larger counts
 * here would bound the string.
 */
7061 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
7063 * XXX should not be letohl but native byteorder according to
7064 * Samba header files.
7066 * However, considering that there were never any NT ports
7067 * to big-endian platforms (PowerPC and MIPS ran little-endian,
7068 * and IA-64 runs little-endian, as does x86-64), we can (?)
7069 * assume that non le byte encodings will be "uncommon"?
7071 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"),
7072 tvb_get_letohl(tvb, offset));
7078 rid = tvb_get_letohl(tvb, offset);
/*
 * NOTE(review): both sprintf() calls copy gstr->str, whose length is
 * controlled by the packet, into the 245-byte sid_string on the stack
 * with no bound. With a large num_auth the formatted SID does not fit
 * and the write runs past the end of the buffer. Use
 * g_snprintf(sid_string, sizeof(sid_string), ...) or build the whole SID
 * in a GString, in addition to capping num_auth.
 */
7082 sprintf(sid_string, "S-1-%u-%s-%u", auth, gstr->str, rid);
7085 sprintf(sid_string, "S-1-%u-%s", auth, gstr->str);
/* Optional lookup of a friendly name for the SID when snooping is enabled. */
7089 if(sid_name_snooping){
7090 sid_name=find_sid_name(sid_string);
7095 item = proto_tree_add_string_format(parent_tree, hf_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s (%s)", name, sid_string, sid_name);
7097 item = proto_tree_add_string_format(parent_tree, hf_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s", name, sid_string);
7099 tree = proto_item_add_subtree(item, ett_smb_sid);
7102 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, rev_offset, 1, TRUE);
7103 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, na_offset, 1, TRUE);
7104 proto_tree_add_text(tree, tvb, na_offset+1, 6, "Authority: %u", auth);
/* The highlighted length is num_auth * 4, again taken from the packet byte. */
7105 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
7108 proto_tree_add_text(tree, tvb, rid_offset, 4, "RID: %u", rid);
/* Heap copy handed to the caller, with or without the snooped name. */
7113 *sid_str = g_strdup_printf("%s (%s)", sid_string, sid_name);
7115 *sid_str = g_strdup(sid_string);
7119 CLEANUP_CALL_AND_POP;
/*
 * Display text for ACE type codes 0 through 3, followed by the display
 * strings for the ACE flag bits (first string for a set bit, second for a
 * clear bit).
 */
7127 static const value_string ace_type_vals[] = {
7128 { 0, "Access Allowed"},
7129 { 1, "Access Denied"},
7130 { 2, "System Audit"},
7131 { 3, "System Alarm"},
7134 static const true_false_string tfs_ace_flags_object_inherit = {
7135 "Subordinate files will inherit this ACE",
7136 "Subordinate files will not inherit this ACE"
7138 static const true_false_string tfs_ace_flags_container_inherit = {
7139 "Subordinate containers will inherit this ACE",
7140 "Subordinate containers will not inherit this ACE"
7142 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
7143 "Subordinate object will not propagate the inherited ACE further",
7144 "Subordinate object will propagate the inherited ACE further"
7146 static const true_false_string tfs_ace_flags_inherit_only = {
7147 "This ACE does not apply to the current object",
7148 "This ACE applies to the current object"
7150 static const true_false_string tfs_ace_flags_inherited_ace = {
7151 "This ACE was inherited from its parent object",
7152 "This ACE was not inherited from its parent object"
7154 static const true_false_string tfs_ace_flags_successful_access = {
7155 "Successful accesses will be audited",
7156 "Successful accesses will not be audited"
7158 static const true_false_string tfs_ace_flags_failed_access = {
7159 "Failed accesses will be audited",
7160 "Failed accesses will not be audited"
/*
 * Appends a flag name to `item` through proto_item_append_text().
 * `string` is passed as the format argument with `sep` as its only
 * parameter, so every call site must pass a string literal containing
 * exactly one %s; never pass packet-derived text as `string`.
 */
7163 #define APPEND_ACE_TEXT(flag, item, string) \
7166 proto_item_append_text(item, string, sep); \
/*
 * Dissect the one-byte ACE flags field at `offset`.
 *
 * Reads the byte with tvb_get_guint8(), adds an "NT ACE Flags" text item
 * with a subtree, adds one boolean per flag, and appends the name of each
 * set flag to the item text through APPEND_ACE_TEXT.
 */
7171 dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
7174 proto_item *item = NULL;
7175 proto_tree *tree = NULL;
7179 mask = tvb_get_guint8(tvb, offset);
7186 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7187 "NT ACE Flags: 0x%02x", mask);
7188 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
/* 0x80 and 0x40: audit failed / successful accesses. */
7191 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
7192 tvb, offset, 1, mask);
7193 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
7195 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
7196 tvb, offset, 1, mask);
7197 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
/* 0x10 down to 0x01: inheritance flags. Bit 0x20 is not decoded here. */
7199 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
7200 tvb, offset, 1, mask);
7201 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
7203 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
7204 tvb, offset, 1, mask);
7205 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
7207 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
7208 tvb, offset, 1, mask);
7209 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
7211 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
7212 tvb, offset, 1, mask);
7213 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
7215 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
7216 tvb, offset, 1, mask);
7217 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
7224 /* Dissect an access mask. All this stuff is kind of explained at MSDN:
7226 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/windows_2000_windows_nt_access_mask_format.asp
/*
 * Subtree (ett_*) and header-field (hf_*) handles used by
 * dissect_nt_access_mask(). All start at -1; presumably they are assigned
 * real values when the protocol is registered (not shown here).
 */
7230 static gint ett_nt_access_mask = -1;
7231 static gint ett_nt_access_mask_generic = -1;
7232 static gint ett_nt_access_mask_standard = -1;
7233 static gint ett_nt_access_mask_specific = -1;
7235 static int hf_access_sacl = -1;
7236 static int hf_access_maximum_allowed = -1;
7237 static int hf_access_generic_read = -1;
7238 static int hf_access_generic_write = -1;
7239 static int hf_access_generic_execute = -1;
7240 static int hf_access_generic_all = -1;
7241 static int hf_access_standard_delete = -1;
7242 static int hf_access_standard_read_control = -1;
7243 static int hf_access_standard_synchronise = -1;
7244 static int hf_access_standard_write_dac = -1;
7245 static int hf_access_standard_write_owner = -1;
/* One field per bit of the 16 object-specific rights, bit 15 down to bit 0. */
7246 static int hf_access_specific_15 = -1;
7247 static int hf_access_specific_14 = -1;
7248 static int hf_access_specific_13 = -1;
7249 static int hf_access_specific_12 = -1;
7250 static int hf_access_specific_11 = -1;
7251 static int hf_access_specific_10 = -1;
7252 static int hf_access_specific_9 = -1;
7253 static int hf_access_specific_8 = -1;
7254 static int hf_access_specific_7 = -1;
7255 static int hf_access_specific_6 = -1;
7256 static int hf_access_specific_5 = -1;
7257 static int hf_access_specific_4 = -1;
7258 static int hf_access_specific_3 = -1;
7259 static int hf_access_specific_2 = -1;
7260 static int hf_access_specific_1 = -1;
7261 static int hf_access_specific_0 = -1;
7263 /* Map generic permissions to specific permissions */
/*
 * Replace each generic right set in *access_mask with the rights the
 * mapping assigns to it: the generic bit is cleared and the corresponding
 * mapping field is OR-ed in. The four checks run in order (read, write,
 * execute, all) on the progressively updated mask. Both pointers are
 * dereferenced without a NULL check; the caller in this file tests
 * ami->generic_mapping before calling.
 */
7265 static void map_generic_access(guint32 *access_mask,
7266 struct generic_mapping *mapping)
7268 if (*access_mask & GENERIC_READ_ACCESS) {
7269 *access_mask &= ~GENERIC_READ_ACCESS;
7270 *access_mask |= mapping->generic_read;
7273 if (*access_mask & GENERIC_WRITE_ACCESS) {
7274 *access_mask &= ~GENERIC_WRITE_ACCESS;
7275 *access_mask |= mapping->generic_write;
7278 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
7279 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
7280 *access_mask |= mapping->generic_execute;
7283 if (*access_mask & GENERIC_ALL_ACCESS) {
7284 *access_mask &= ~GENERIC_ALL_ACCESS;
7285 *access_mask |= mapping->generic_all;
7289 /* Map standard permissions to specific permissions */
/*
 * Replace standard rights set in *access_mask with the rights the mapping
 * assigns to them. READ_CONTROL maps to mapping->std_read; if any of
 * DELETE, WRITE_DAC, WRITE_OWNER or SYNCHRONIZE is set, all four are
 * cleared and mapping->std_all is OR-ed in. Both pointers are
 * dereferenced without a NULL check; the caller in this file tests
 * ami->standard_mapping before calling.
 */
7291 static void map_standard_access(guint32 *access_mask,
7292 struct standard_mapping *mapping)
7294 if (*access_mask & READ_CONTROL_ACCESS) {
7295 *access_mask &= ~READ_CONTROL_ACCESS;
7296 *access_mask |= mapping->std_read;
/* A single one of these four bits is enough to pull in the whole std_all set. */
7299 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|
7300 SYNCHRONIZE_ACCESS)) {
7301 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|
7302 WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
7303 *access_mask |= mapping->std_all;
/*
 * Dissect a 32-bit NT access mask and display it split into generic,
 * standard and object-specific rights.
 *
 * Per the comments in the body, the value is extracted with
 * dissect_ndr_uint32() when called from a DCE RPC dissector and with
 * tvb_get_letohl() when called from SMB. `hfindex` is the field used for
 * the top-level item. `ami` may be NULL; it is tested before each use and
 * supplies an optional name, decode callback and generic/standard
 * mappings for the specific rights.
 *
 * Every item below is anchored at offset - 4 with length 4, so `offset`
 * presumably already points past the mask by then — TODO confirm for the
 * SMB branch, whose advance is not visible in this listing.
 */
7309 dissect_nt_access_mask(tvbuff_t *tvb, gint offset, packet_info *pinfo,
7310 proto_tree *tree, char *drep, int hfindex,
7311 struct access_mask_info *ami)
7314 proto_tree *subtree, *generic_tree, *standard_tree, *specific_tree;
7319 * Called from a DCE RPC protocol dissector, for a
7320 * protocol where a 32-bit NDR integer contains
7321 * an NT access mask; extract the access mask
7324 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
7328 * Called from SMB, where the access mask is just a
7329 * 4-byte little-endian quantity with no special
7330 * NDR alignment requirement; extract it with
7331 * "tvb_get_letohl()".
7333 access = tvb_get_letohl(tvb, offset);
7337 item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access);
7339 subtree = proto_item_add_subtree(item, ett_nt_access_mask);
7341 /* Generic access rights */
7343 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7344 "Generic rights: 0x%08x",
7345 access & GENERIC_RIGHTS_MASK);
7347 generic_tree = proto_item_add_subtree(
7348 item, ett_nt_access_mask_generic);
7350 proto_tree_add_boolean(
7351 generic_tree, hf_access_generic_read, tvb, offset - 4, 4,
7354 proto_tree_add_boolean(
7355 generic_tree, hf_access_generic_write, tvb, offset - 4, 4,
7358 proto_tree_add_boolean(
7359 generic_tree, hf_access_generic_execute, tvb, offset - 4, 4,
7362 proto_tree_add_boolean(
7363 generic_tree, hf_access_generic_all, tvb, offset - 4, 4,
/* Maximum-allowed and SACL access sit directly under the mask item, not in a sub-group. */
7368 proto_tree_add_boolean(
7369 subtree, hf_access_maximum_allowed, tvb, offset - 4, 4,
7372 /* Access system security */
7374 proto_tree_add_boolean(
7375 subtree, hf_access_sacl, tvb, offset - 4, 4,
7378 /* Standard access rights */
7380 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7381 "Standard rights: 0x%08x",
7382 access & STANDARD_RIGHTS_MASK);
7384 standard_tree = proto_item_add_subtree(
7385 item, ett_nt_access_mask_standard);
7387 proto_tree_add_boolean(
7388 standard_tree, hf_access_standard_synchronise, tvb,
7389 offset - 4, 4, access);
7391 proto_tree_add_boolean(
7392 standard_tree, hf_access_standard_write_owner, tvb,
7393 offset - 4, 4, access);
7395 proto_tree_add_boolean(
7396 standard_tree, hf_access_standard_write_dac, tvb,
7397 offset - 4, 4, access);
7399 proto_tree_add_boolean(
7400 standard_tree, hf_access_standard_read_control, tvb,
7401 offset - 4, 4, access);
7403 proto_tree_add_boolean(
7404 standard_tree, hf_access_standard_delete, tvb, offset - 4, 4,
7407 /* Specific access rights. Call the specific_rights_fn
7408 pointer if we have one, otherwise just display bits 0-15 in
/* The caller-supplied name, when present, prefixes the item label. */
7411 if (ami && ami->specific_rights_name)
7412 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7413 "%s specific rights: 0x%08x",
7414 ami->specific_rights_name,
7415 access & SPECIFIC_RIGHTS_MASK);
7417 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7418 "Specific rights: 0x%08x",
7419 access & SPECIFIC_RIGHTS_MASK);
7421 specific_tree = proto_item_add_subtree(
7422 item, ett_nt_access_mask_specific);
7424 if (ami && ami->specific_rights_fn) {
/*
 * Despite its name, mapped_access keeps the value from BEFORE mapping;
 * the map_*_access() helpers below overwrite `access` in place.
 */
7425 guint32 mapped_access = access;
7426 proto_tree *specific_mapped;
/* Second subtree on the same item, using the same ett index as specific_tree. */
7428 specific_mapped = proto_item_add_subtree(
7429 item, ett_nt_access_mask_specific);
7431 ami->specific_rights_fn(
7432 tvb, offset - 4, specific_tree, access);
7434 if (ami->generic_mapping)
7435 map_generic_access(&access, ami->generic_mapping);
7437 if (ami->standard_mapping)
7438 map_standard_access(&access, ami->standard_mapping);
/* Decode a second time only when the mapping actually changed the mask. */
7440 if (access != mapped_access) {
7441 ami->specific_rights_fn(
7442 tvb, offset - 4, specific_mapped,
/* Without a decode callback, bits 15..0 are shown one field per bit. */
7449 proto_tree_add_boolean(
7450 specific_tree, hf_access_specific_15, tvb, offset - 4, 4,
7453 proto_tree_add_boolean(
7454 specific_tree, hf_access_specific_14, tvb, offset - 4, 4,
7457 proto_tree_add_boolean(
7458 specific_tree, hf_access_specific_13, tvb, offset - 4, 4,
7461 proto_tree_add_boolean(
7462 specific_tree, hf_access_specific_12, tvb, offset - 4, 4,
7465 proto_tree_add_boolean(
7466 specific_tree, hf_access_specific_11, tvb, offset - 4, 4,
7469 proto_tree_add_boolean(
7470 specific_tree, hf_access_specific_10, tvb, offset - 4, 4,
7473 proto_tree_add_boolean(
7474 specific_tree, hf_access_specific_9, tvb, offset - 4, 4,
7477 proto_tree_add_boolean(
7478 specific_tree, hf_access_specific_8, tvb, offset - 4, 4,
7481 proto_tree_add_boolean(
7482 specific_tree, hf_access_specific_7, tvb, offset - 4, 4,
7485 proto_tree_add_boolean(
7486 specific_tree, hf_access_specific_6, tvb, offset - 4, 4,
7489 proto_tree_add_boolean(
7490 specific_tree, hf_access_specific_5, tvb, offset - 4, 4,
7493 proto_tree_add_boolean(
7494 specific_tree, hf_access_specific_4, tvb, offset - 4, 4,
7497 proto_tree_add_boolean(
7498 specific_tree, hf_access_specific_3, tvb, offset - 4, 4,
7501 proto_tree_add_boolean(
7502 specific_tree, hf_access_specific_2, tvb, offset - 4, 4,
7505 proto_tree_add_boolean(
7506 specific_tree, hf_access_specific_1, tvb, offset - 4, 4,
7509 proto_tree_add_boolean(
7510 specific_tree, hf_access_specific_0, tvb, offset - 4, 4,
/* Header field passed to dissect_nt_access_mask() for the access mask inside an ACE; starts at -1. */
7516 static int hf_smb_access_mask = -1;
/*
 * Dissect one ACE starting at `offset`: type byte, flags byte, 16-bit
 * size, access mask, then the SID. The item text is extended with the
 * SID string, the flags and the ACE type name.
 *
 * Returns old_offset + size, i.e. the end of the ACE as declared by its
 * own size field rather than the end of what was actually dissected.
 */
7519 dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo,
7520 proto_tree *parent_tree, char *drep,
7521 struct access_mask_info *ami)
7523 proto_item *item = NULL;
7524 proto_tree *tree = NULL;
7525 int old_offset = offset;
7527 char *sid_str = NULL;
7532 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7534 tree = proto_item_add_subtree(item, ett_smb_ace);
7538 type = tvb_get_guint8(tvb, offset);
7539 proto_tree_add_uint(tree, hf_smb_ace_type, tvb, offset, 1, type);
7543 offset = dissect_nt_v2_ace_flags(tvb, offset, tree, &flags);
/* 16-bit little-endian size, taken from the packet as-is. */
7546 size = tvb_get_letohs(tvb, offset);
7547 proto_tree_add_uint(tree, hf_smb_ace_size, tvb, offset, 2, size);
7551 offset = dissect_nt_access_mask(
7552 tvb, offset, pinfo, tree, drep, hf_smb_access_mask, ami);
/*
 * sid_str receives a heap-allocated string from dissect_nt_sid().
 * NOTE(review): the matching g_free() is not visible in this listing —
 * confirm it is released on every path, including when a later call
 * raises an exception.
 */
7555 offset = dissect_nt_sid(tvb, offset, tree, "ACE", &sid_str, -1);
7558 proto_item_append_text(
7559 item, "%s, flags 0x%02x, %s", sid_str, flags,
7560 val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"));
7564 proto_item_set_len(item, offset-old_offset);
7566 /* Sometimes there is some spare space at the end of the ACE so use
7567 the size field to work out where the end is. */
/*
 * NOTE(review): `size` is not validated in the lines shown. A value
 * smaller than the bytes just dissected (including 0) returns an offset
 * at or before the current position, so the caller does not advance.
 * Checking size >= offset - old_offset before trusting it keeps
 * dissect_nt_acl() moving forward.
 */
7569 return old_offset + size;
/*
 * Dissect an ACL starting at `offset`: 16-bit revision, then (for the
 * revision handled here) a 16-bit size, a 32-bit ACE count and the ACEs
 * themselves, each decoded by dissect_nt_v2_ace(). The item length is set
 * to the number of bytes consumed.
 */
7573 dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
7574 proto_tree *parent_tree, char *drep, char *name,
7575 struct access_mask_info *ami)
7577 proto_item *item = NULL;
7578 proto_tree *tree = NULL;
7579 int old_offset = offset;
7584 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7586 tree = proto_item_add_subtree(item, ett_smb_acl);
7590 revision = tvb_get_letohs(tvb, offset);
7591 proto_tree_add_uint(tree, hf_smb_acl_revision,
7592 tvb, offset, 2, revision);
7596 case 2: /* only version we will ever see of this structure?*/
/* The ACL size is displayed but not stored in a variable in the lines shown. */
7599 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
7602 /* number of ace structures */
/*
 * NOTE(review): num_aces is a 32-bit count read from the packet. The loop
 * around the dissect_nt_v2_ace() call is not visible in this listing; if
 * it runs num_aces times, a large count combined with an ACE whose size
 * field does not advance the offset would keep the dissector busy on a
 * very small packet. Bounding the loop by the ACL size or stopping when
 * the offset fails to advance would contain that — confirm.
 */
7603 num_aces = tvb_get_letohl(tvb, offset);
7604 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
7605 tvb, offset, 4, num_aces);
7609 offset=dissect_nt_v2_ace(
7610 tvb, offset, pinfo, tree, drep, ami);
7614 proto_item_set_len(item, offset-old_offset);
/*
 * Display strings for the bits of the security descriptor type field;
 * first string for a set bit, second for a clear bit.
 */
7618 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
7619 "OWNER is DEFAULTED",
7620 "Owner is NOT defaulted"
7622 static const true_false_string tfs_sec_desc_type_group_defaulted = {
7623 "GROUP is DEFAULTED",
7624 "Group is NOT defaulted"
7626 static const true_false_string tfs_sec_desc_type_dacl_present = {
7628 "DACL is NOT present"
7630 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
7631 "DACL is DEFAULTED",
7632 "DACL is NOT defaulted"
7634 static const true_false_string tfs_sec_desc_type_sacl_present = {
7636 "SACL is NOT present"
7638 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
7639 "SACL is DEFAULTED",
7640 "SACL is NOT defaulted"
7642 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
7643 "DACL has AUTO INHERIT REQUIRED",
7644 "DACL does NOT require auto inherit"
7646 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
7647 "SACL has AUTO INHERIT REQUIRED",
7648 "SACL does NOT require auto inherit"
7650 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
7651 "DACL is AUTO INHERITED",
7652 "DACL is NOT auto inherited"
7654 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
7655 "SACL is AUTO INHERITED",
7656 "SACL is NOT auto inherited"
7658 static const true_false_string tfs_sec_desc_type_dacl_protected = {
7659 "The DACL is PROTECTED",
7660 "The DACL is NOT protected"
7662 static const true_false_string tfs_sec_desc_type_sacl_protected = {
7663 "The SACL is PROTECTED",
7664 "The SACL is NOT protected"
7666 static const true_false_string tfs_sec_desc_type_self_relative = {
7667 "This SecDesc is SELF RELATIVE",
7668 "This SecDesc is NOT self relative"
/*
 * Dissect the 16-bit little-endian security descriptor type field at
 * offset. The raw value is shown as "Type: 0x%04x" and, in an
 * ett_smb_sec_desc_type subtree beneath it, one boolean entry is added
 * per flag; every entry is decoded from the same two bytes using the
 * value already read into mask.
 */
7673 dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
7675 proto_item *item = NULL;
7676 proto_tree *tree = NULL;
7679 mask = tvb_get_letohs(tvb, offset);
7681 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7682 "Type: 0x%04x", mask);
7683 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
7686 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
7687 tvb, offset, 2, mask);
7688 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
7689 tvb, offset, 2, mask);
7690 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
7691 tvb, offset, 2, mask);
7692 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
7693 tvb, offset, 2, mask);
7694 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
7695 tvb, offset, 2, mask);
7696 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
7697 tvb, offset, 2, mask);
7698 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
7699 tvb, offset, 2, mask);
7700 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
7701 tvb, offset, 2, mask);
7702 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
7703 tvb, offset, 2, mask);
7704 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
7705 tvb, offset, 2, mask);
7706 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
7707 tvb, offset, 2, mask);
7708 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
7709 tvb, offset, 2, mask);
7710 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
7711 tvb, offset, 2, mask);
/*
 * Dissect an NT security descriptor of len bytes starting at offset,
 * under an ett_smb_sec_desc subtree.
 *
 * The visible lines read a one-byte revision and, under "case 1", the
 * type field followed by four 32-bit little-endian offsets: owner SID,
 * group SID, SACL and DACL. The owner and group SIDs are dissected
 * when their offset is non-zero; the SID and ACL positions are
 * computed relative to old_offset, the start of the descriptor.
 * ami is forwarded unchanged to dissect_nt_acl().
 *
 * NOTE(review): all four offsets come from the packet and are added
 * to old_offset with no range check visible in this listing. Before
 * one is used as a tvbuff offset it should be checked against len,
 * and the int + guint32 addition checked for wrap-around; confirm
 * whether bounds checking in the callees is the only guard.
 */
7719 dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
7720 proto_tree *parent_tree, char *drep, int len,
7721 struct access_mask_info *ami)
7723 proto_item *item = NULL;
7724 proto_tree *tree = NULL;
7726 int old_offset = offset;
7727 guint32 owner_sid_offset;
7728 guint32 group_sid_offset;
7729 guint32 sacl_offset;
7730 guint32 dacl_offset;
7733 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7734 "NT Security Descriptor");
7735 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
7739 revision = tvb_get_guint8(tvb, offset);
7740 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
7741 tvb, offset, 1, revision);
7744 /* next byte should be zero, for now just ignore it */
7749 case 1: /* only version we will ever see of this structure?*/
7751 offset = dissect_nt_sec_desc_type(tvb, offset, tree);
7753 /* offset to owner sid */
7754 owner_sid_offset = tvb_get_letohl(tvb, offset);
7755 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %u", owner_sid_offset);
7758 /* offset to group sid */
7759 group_sid_offset = tvb_get_letohl(tvb, offset);
7760 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %u", group_sid_offset);
7763 /* offset to sacl */
7764 sacl_offset = tvb_get_letohl(tvb, offset);
7765 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %u", sacl_offset);
7768 /* offset to dacl */
7769 dacl_offset = tvb_get_letohl(tvb, offset);
7770 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %u", dacl_offset);
7774 if(owner_sid_offset){
7776 offset = dissect_nt_sid(tvb, offset, tree, "Owner", NULL, -1);
7779 tvb, old_offset+owner_sid_offset, tree, "Owner", NULL, -1);
7783 if(group_sid_offset){
7785 tvb, old_offset+group_sid_offset, tree, "Group", NULL, -1);
7790 dissect_nt_acl(tvb, old_offset+sacl_offset, pinfo, tree,
7791 drep, "System (SACL)", ami);
7796 dissect_nt_acl(tvb, old_offset+dacl_offset, pinfo, tree,
7797 drep, "User (DACL)", ami);
/*
 * Dissect user quota data from an NT transaction data block.
 *
 * Visible fields: a 32-bit value kept in qsize and shown as
 * hf_smb_user_quota_offset, a 32-bit SID length, 8 bytes shown as
 * unknown, three 8-byte quota values (used, soft limit, hard limit)
 * and the user's SID. bcp points at the caller's remaining byte
 * count; the CHECK_/COUNT_BYTES_TRANS_SUBR macros are defined outside
 * this excerpt and presumably test and decrement it - confirm.
 *
 * NOTE(review): the SID is dissected without a preceding byte-count
 * check, and *bcp (a guint16) is then reduced by however many bytes
 * dissect_nt_sid() consumed, so nothing visible stops it wrapping
 * below zero. "offset = old_offset+qsize" likewise trusts a 32-bit
 * value from the packet; if this body runs once per record (the loop
 * lines are not shown), confirm qsize must move the offset forward
 * and keep it inside the buffer.
 */
7806 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
7808 int old_offset, old_sid_offset;
7814 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7815 qsize=tvb_get_letohl(tvb, offset);
7816 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7817 COUNT_BYTES_TRANS_SUBR(4);
7819 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7821 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7822 COUNT_BYTES_TRANS_SUBR(4);
7824 /* unknown bytes (this comment used to say 16, but 8 are checked and counted) */
7825 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7826 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7828 COUNT_BYTES_TRANS_SUBR(8);
7830 /* number of bytes for used quota */
7831 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7832 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7833 COUNT_BYTES_TRANS_SUBR(8);
7835 /* number of bytes for quota warning */
7836 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7837 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7838 COUNT_BYTES_TRANS_SUBR(8);
7840 /* number of bytes for quota limit */
7841 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7842 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7843 COUNT_BYTES_TRANS_SUBR(8);
7845 /* SID of the user */
7846 old_sid_offset=offset;
7847 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
7848 *bcp -= (offset-old_sid_offset);
7851 offset = old_offset+qsize;
/*
 * Dissect the data block of an NT Transaction request: bc bytes at
 * offset, interpreted according to ntd->subcmd.
 *
 * Visible handling: NT_TRANS_CREATE (a security descriptor of
 * ntd->sd_len bytes, then ntd->ea_len bytes of extended attributes),
 * NT_TRANS_IOCTL (raw ioctl data), a security descriptor spanning bc
 * bytes, NT_TRANS_GET_USER_QUOTA (a SID) and NT_TRANS_SET_USER_QUOTA
 * (quota records). Any bytes left over are added as hf_smb_unknown.
 *
 * NOTE(review): ntd->sd_len and ntd->ea_len are 32-bit lengths read
 * from the request's parameter block, so the sender chooses them; no
 * comparison with bc is visible before they are used as an item
 * length and as an offset increment. bcp is a guint16 copy of the int
 * bc (the author's own "XXX fixme"), so a larger bc is truncated.
 */
7861 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7863 proto_item *item = NULL;
7864 proto_tree *tree = NULL;
7866 int old_offset = offset;
7867 guint16 bcp=bc; /* XXX fixme */
7869 si = (smb_info_t *)pinfo->private_data;
7872 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7874 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7875 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7878 switch(ntd->subcmd){
7879 case NT_TRANS_CREATE:
7880 /* security descriptor */
7882 offset = dissect_nt_sec_desc(
7883 tvb, offset, pinfo, tree, NULL, ntd->sd_len,
7887 /* extended attributes */
7889 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7890 offset += ntd->ea_len;
7894 case NT_TRANS_IOCTL:
7896 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
7901 offset = dissect_nt_sec_desc(
7902 tvb, offset, pinfo, tree, NULL, bc, NULL);
7904 case NT_TRANS_NOTIFY:
7906 case NT_TRANS_RENAME:
7907 /* XXX not documented */
7911 case NT_TRANS_GET_USER_QUOTA:
7912 /* unknown 4 bytes */
7913 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7918 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7921 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
7923 case NT_TRANS_SET_USER_QUOTA:
7924 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
7928 /* oops, there was data we didn't know how to process */
7929 if((offset-old_offset) < bc){
7930 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7931 bc - (offset-old_offset), TRUE);
7932 offset += bc - (offset-old_offset);
/*
 * Dissect the parameter block of an NT Transaction request: len bytes
 * at offset, interpreted according to ntd->subcmd.
 *
 * For NT_TRANS_CREATE the visible lines decode the create flags, root
 * directory FID, access mask, allocation size, extended attributes,
 * share access, disposition, create options, three 32-bit lengths
 * (security descriptor, extended attributes, file name), the
 * impersonation level, security flags and the file name itself.
 * NT_TRANS_SSD and NT_TRANS_QSD each decode a FID, two reserved bytes
 * and a security information mask.
 *
 * Side effect: ntd->sd_len and ntd->ea_len are filled in here and are
 * read later by dissect_nt_trans_data_request().
 *
 * NOTE(review): the three lengths are stored exactly as received; any
 * validation has to happen where they are consumed.
 */
7939 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7941 proto_item *item = NULL;
7942 proto_tree *tree = NULL;
7947 si = (smb_info_t *)pinfo->private_data;
7950 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7952 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7953 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7956 switch(ntd->subcmd){
7957 case NT_TRANS_CREATE:
7959 offset = dissect_nt_create_bits(tvb, tree, offset);
7962 /* root directory fid */
7963 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7966 /* nt access mask */
7967 offset = dissect_smb_access_mask(tvb, tree, offset);
7970 /* allocation size */
7971 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7974 /* Extended File Attributes */
7975 offset = dissect_file_ext_attr(tvb, tree, offset);
7979 offset = dissect_nt_share_access(tvb, tree, offset);
7982 /* create disposition */
7983 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7986 /* create options */
7987 offset = dissect_nt_create_options(tvb, tree, offset);
7991 ntd->sd_len = tvb_get_letohl(tvb, offset);
7992 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7996 ntd->ea_len = tvb_get_letohl(tvb, offset);
7997 proto_tree_add_uint(tree, hf_smb_ea_length, tvb, offset, 4, ntd->ea_len);
8001 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8002 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8005 /* impersonation level */
8006 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8009 /* security flags */
8010 offset = dissect_nt_security_flags(tvb, tree, offset);
8014 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8016 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8018 COUNT_BYTES(fn_len);
8022 case NT_TRANS_IOCTL:
8024 case NT_TRANS_SSD: {
8028 fid = tvb_get_letohs(tvb, offset);
8029 add_fid(tvb, pinfo, tree, offset, 2, fid);
8032 /* 2 reserved bytes */
8033 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8036 /* security information */
8037 offset = dissect_security_information_mask(tvb, tree, offset);
8040 case NT_TRANS_NOTIFY:
8042 case NT_TRANS_RENAME:
8043 /* XXX not documented */
8045 case NT_TRANS_QSD: {
8049 fid = tvb_get_letohs(tvb, offset);
8050 add_fid(tvb, pinfo, tree, offset, 2, fid);
8053 /* 2 reserved bytes */
8054 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8057 /* security information */
8058 offset = dissect_security_information_mask(tvb, tree, offset);
8061 case NT_TRANS_GET_USER_QUOTA:
8062 /* not decoded yet */
8064 case NT_TRANS_SET_USER_QUOTA:
8065 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transaction request: len bytes at
 * offset, interpreted according to ntd->subcmd.
 *
 * Visible handling: NT_TRANS_IOCTL (function code, FID, IsFsctl byte,
 * ioctl flags) and NT_TRANS_NOTIFY (completion filter, FID, watch-tree
 * byte, one reserved byte). The other sub-commands show no field
 * decoding here.
 *
 * Returns old_offset+len, i.e. the end of the setup area as declared
 * by the caller, regardless of how many bytes were decoded.
 */
8073 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
8075 proto_item *item = NULL;
8076 proto_tree *tree = NULL;
8078 int old_offset = offset;
8080 si = (smb_info_t *)pinfo->private_data;
8083 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8085 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8086 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8089 switch(ntd->subcmd){
8090 case NT_TRANS_CREATE:
8092 case NT_TRANS_IOCTL: {
8096 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
8100 fid = tvb_get_letohs(tvb, offset);
8101 add_fid(tvb, pinfo, tree, offset, 2, fid);
8105 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
8109 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
8115 case NT_TRANS_NOTIFY: {
8118 /* completion filter */
8119 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
8122 fid = tvb_get_letohs(tvb, offset);
8123 add_fid(tvb, pinfo, tree, offset, 2, fid);
8127 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
8131 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8136 case NT_TRANS_RENAME:
8137 /* XXX not documented */
8141 case NT_TRANS_GET_USER_QUOTA:
8142 /* not decoded yet */
8144 case NT_TRANS_SET_USER_QUOTA:
8145 /* not decoded yet */
8149 return old_offset+len;
/*
 * Dissect an NT Transaction request (primary or secondary).
 *
 * The visible lines decode the fixed header: setup/reserved bytes,
 * total and maximum parameter/data counts, then the 32-bit parameter
 * count (pc), parameter offset (po), data count (dc) and data offset
 * (od), with displacements for secondary requests. A primary request
 * also carries a setup count (sc) and a 16-bit sub-command, which is
 * appended to the Info column, copied into ntd.subcmd and, on the
 * first pass over the frame, saved in a newly allocated
 * smb_nt_transact_info_t hung off sip->extra_info. Setup, parameter
 * and data areas are then handed to the dissect_nt_trans_*_request()
 * helpers. The conditions that select the primary or secondary layout
 * are not visible in this listing.
 *
 * NOTE(review): pc, po, dc and od all come from the packet. po and od
 * are compared with the current offset to derive a padding count (the
 * computation is not shown), and pc and dc are passed on as lengths
 * after CHECK_BYTE_COUNT(); confirm the padding count is bounded by
 * the remaining byte count before it is consumed.
 */
8154 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8157 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
8159 smb_saved_info_t *sip;
8164 smb_nt_transact_info_t *nti;
8166 si = (smb_info_t *)pinfo->private_data;
8172 /* primary request */
8173 /* max setup count */
8174 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
8177 /* 2 reserved bytes */
8178 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8181 /* secondary request */
8182 /* 3 reserved bytes */
8183 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8188 /* total param count */
8189 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
8192 /* total data count */
8193 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
8197 /* primary request */
8198 /* max param count */
8199 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
8202 /* max data count */
8203 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
8208 pc = tvb_get_letohl(tvb, offset);
8209 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8213 po = tvb_get_letohl(tvb, offset);
8214 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8217 /* param displacement */
8219 /* primary request*/
8222 /* secondary request */
8223 pd = tvb_get_letohl(tvb, offset);
8224 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8229 dc = tvb_get_letohl(tvb, offset);
8230 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8234 od = tvb_get_letohl(tvb, offset);
8235 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8238 /* data displacement */
8240 /* primary request */
8243 /* secondary request */
8244 dd = tvb_get_letohl(tvb, offset);
8245 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8251 /* primary request */
8252 sc = tvb_get_guint8(tvb, offset);
8253 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8256 /* secondary request */
8262 /* primary request */
8263 subcmd = tvb_get_letohs(tvb, offset);
8264 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
8265 if(check_col(pinfo->cinfo, COL_INFO)){
8266 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8267 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
8269 ntd.subcmd = subcmd;
8271 if(!pinfo->fd->flags.visited){
8273 * Allocate a new smb_nt_transact_info_t
8276 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
8277 nti->subcmd = subcmd;
8278 sip->extra_info = nti;
8282 /* secondary request */
8283 if(check_col(pinfo->cinfo, COL_INFO)){
8284 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
8289 /* this is a padding byte */
8292 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
8296 /* if there were any setup bytes, decode them */
8298 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
8305 if(po>(guint32)offset){
8306 /* We have some initial padding bytes.
8311 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8312 COUNT_BYTES(padcnt);
8315 CHECK_BYTE_COUNT(pc);
8316 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
8321 if(od>(guint32)offset){
8322 /* We have some initial padding bytes.
8327 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8328 COUNT_BYTES(padcnt);
8331 CHECK_BYTE_COUNT(dc);
8332 dissect_nt_trans_data_request(
8333 tvb, pinfo, offset, tree, dc, &ntd);
/*
 * Dissect the data block of an NT Transaction response: len bytes at
 * offset.
 *
 * A response does not carry the sub-command, so it is taken from the
 * smb_nt_transact_info_t saved with the request
 * (si->sip->extra_info). When si->sip is NULL, or no saved request is
 * available, the item is labelled "matching request not seen".
 * Visible handling: NT_TRANS_IOCTL (raw data), NT_TRANS_QSD (security
 * descriptor of len bytes) and NT_TRANS_GET_USER_QUOTA (quota
 * records). ntd is unused.
 *
 * NOTE(review): switch(nti->subcmd) dereferences nti; the guard that
 * returns early when nti is NULL is not visible in this listing -
 * confirm it exists.
 */
8345 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
8346 int offset, proto_tree *parent_tree, int len,
8347 nt_trans_data *ntd _U_)
8349 proto_item *item = NULL;
8350 proto_tree *tree = NULL;
8352 smb_nt_transact_info_t *nti;
8355 si = (smb_info_t *)pinfo->private_data;
8356 if (si->sip != NULL)
8357 nti = si->sip->extra_info;
8363 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8365 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8368 * We never saw the request to which this is a
8371 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8372 "Unknown NT Transaction Data (matching request not seen)");
8374 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8381 switch(nti->subcmd){
8382 case NT_TRANS_CREATE:
8384 case NT_TRANS_IOCTL:
8386 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
8392 case NT_TRANS_NOTIFY:
8394 case NT_TRANS_RENAME:
8395 /* XXX not documented */
8397 case NT_TRANS_QSD: {
8399 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
8400 * which may be documented in the Win32 documentation
8403 offset = dissect_nt_sec_desc(
8404 tvb, offset, pinfo, tree, NULL, len, NULL);
8407 case NT_TRANS_GET_USER_QUOTA:
8409 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8411 case NT_TRANS_SET_USER_QUOTA:
8412 /* not decoded yet */
/*
 * Dissect the parameter block of an NT Transaction response: len
 * bytes at offset, with bc as the remaining byte count.
 *
 * The sub-command comes from the smb_nt_transact_info_t saved with
 * the request (si->sip->extra_info); without it the item is labelled
 * "matching request not seen". Visible handling:
 *   NT_TRANS_CREATE - oplock level, reserved byte, FID, create
 *     action, EA error offset, four 64-bit times, extended
 *     attributes, allocation size, end of file, file type, IPC state
 *     and the is-directory byte.
 *   NT_TRANS_NOTIFY - records made of a next-entry offset (neo), an
 *     action, a 32-bit name length and the file name; neo is used to
 *     skip to the next record.
 *   Security descriptor length and NT_TRANS_GET_USER_QUOTA - one
 *     32-bit size each.
 * ntd is unused.
 *
 * NOTE(review): neo and fn_len are read from the packet. The skip
 * distance is computed as (old_offset + neo) - offset, which the
 * author already marks as possibly bogus; confirm a negative or
 * oversized result is rejected before COUNT_BYTES(padcnt). As in the
 * data-response dissector, the NULL check that must precede
 * switch(nti->subcmd) is not visible here.
 */
8420 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
8421 int offset, proto_tree *parent_tree,
8422 int len, nt_trans_data *ntd _U_, guint16 bc)
8424 proto_item *item = NULL;
8425 proto_tree *tree = NULL;
8429 smb_nt_transact_info_t *nti;
8435 si = (smb_info_t *)pinfo->private_data;
8436 if (si->sip != NULL)
8437 nti = si->sip->extra_info;
8443 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8445 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8448 * We never saw the request to which this is a
8451 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8452 "Unknown NT Transaction Parameters (matching request not seen)");
8454 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8461 switch(nti->subcmd){
8462 case NT_TRANS_CREATE:
8464 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8468 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8472 fid = tvb_get_letohs(tvb, offset);
8473 add_fid(tvb, pinfo, tree, offset, 2, fid);
8477 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8480 /* ea error offset */
8481 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
8485 offset = dissect_smb_64bit_time(tvb, tree, offset,
8486 hf_smb_create_time);
8489 offset = dissect_smb_64bit_time(tvb, tree, offset,
8490 hf_smb_access_time);
8492 /* last write time */
8493 offset = dissect_smb_64bit_time(tvb, tree, offset,
8494 hf_smb_last_write_time);
8496 /* last change time */
8497 offset = dissect_smb_64bit_time(tvb, tree, offset,
8498 hf_smb_change_time);
8500 /* Extended File Attributes */
8501 offset = dissect_file_ext_attr(tvb, tree, offset);
8503 /* allocation size */
8504 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8508 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8512 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8516 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8519 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8522 case NT_TRANS_IOCTL:
8526 case NT_TRANS_NOTIFY:
8528 old_offset = offset;
8530 /* next entry offset */
8531 neo = tvb_get_letohl(tvb, offset);
8532 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
8535 /* broken implementations */
8539 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
8542 /* broken implementations */
8546 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8547 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8550 /* broken implementations */
8554 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8557 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8559 COUNT_BYTES(fn_len);
8561 /* broken implementations */
8565 break; /* no more structures */
8567 /* skip to next structure */
8568 padcnt = (old_offset + neo) - offset;
8571 * XXX - this is bogus; flag it?
8576 COUNT_BYTES(padcnt);
8578 /* broken implementations */
8583 case NT_TRANS_RENAME:
8584 /* XXX not documented */
8588 * This appears to be the size of the security
8589 * descriptor; the calling sequence of
8590 * "ZwQuerySecurityObject()" suggests that it would
8591 * be. The actual security descriptor wouldn't
8592 * follow if the max data count in the request
8593 * was smaller; this lets the client know how
8594 * big a buffer it needs to provide.
8596 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
8599 case NT_TRANS_GET_USER_QUOTA:
8600 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
8601 tvb_get_letohl(tvb, offset));
8604 case NT_TRANS_SET_USER_QUOTA:
8605 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transaction response: len bytes at
 * offset.
 *
 * The sub-command comes from the smb_nt_transact_info_t saved with
 * the request (si->sip->extra_info); without it the item is labelled
 * "matching request not seen". No sub-command decodes any setup field
 * in the visible lines. ntd is unused.
 *
 * NOTE(review): the NULL check that must precede switch(nti->subcmd)
 * is not visible in this listing - confirm it exists.
 */
8613 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
8614 int offset, proto_tree *parent_tree,
8615 int len, nt_trans_data *ntd _U_)
8617 proto_item *item = NULL;
8618 proto_tree *tree = NULL;
8620 smb_nt_transact_info_t *nti;
8622 si = (smb_info_t *)pinfo->private_data;
8623 if (si->sip != NULL)
8624 nti = si->sip->extra_info;
8630 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8632 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8635 * We never saw the request to which this is a
8638 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8639 "Unknown NT Transaction Setup (matching request not seen)");
8641 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8648 switch(nti->subcmd){
8649 case NT_TRANS_CREATE:
8651 case NT_TRANS_IOCTL:
8655 case NT_TRANS_NOTIFY:
8657 case NT_TRANS_RENAME:
8658 /* XXX not documented */
8662 case NT_TRANS_GET_USER_QUOTA:
8663 /* not decoded yet */
8665 case NT_TRANS_SET_USER_QUOTA:
8666 /* not decoded yet */
/*
 * Dissect an NT Transaction response.
 *
 * The sub-command is recovered from the saved request
 * (si->sip->extra_info) and shown, or reported as unknown when no
 * matching request was seen. The visible lines then decode the total
 * parameter/data counts (tp, td), this packet's parameter and data
 * count, offset and displacement (pc/po/pd, dc/od/dd) and the setup
 * count (sc), and dissect the setup words.
 *
 * When the totals differ from this packet's counts the response is
 * treated as fragmented and, if smb_trans_reassembly is set, the
 * parameter and data pieces are passed to smb_trans_defragment().
 * With a reassembled buffer the parameters are dissected from offset
 * 0 and the data from offset tp of the new tvbuff; otherwise whatever
 * this packet holds is dissected in place. pinfo->fragmented is
 * restored before returning.
 *
 * ntd has static storage, so one instance is shared by every call.
 *
 * NOTE(review): every count, offset and displacement above comes from
 * the packet, and the sums dd+tp and td+tp are 32-bit additions that
 * can wrap; confirm the reassembly code rejects inconsistent values.
 */
8674 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8677 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
8680 smb_nt_transact_info_t *nti;
8681 static nt_trans_data ntd;
8684 fragment_data *r_fd = NULL;
8685 tvbuff_t *pd_tvb=NULL;
8686 gboolean save_fragmented;
8688 si = (smb_info_t *)pinfo->private_data;
8689 if (si->sip != NULL)
8690 nti = si->sip->extra_info;
8694 /* primary request */
8696 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
8697 if(check_col(pinfo->cinfo, COL_INFO)){
8698 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8699 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
8702 proto_tree_add_text(tree, tvb, offset, 0,
8703 "Function: <unknown function - could not find matching request>");
8704 if(check_col(pinfo->cinfo, COL_INFO)){
8705 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8711 /* 3 reserved bytes */
8712 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8715 /* total param count */
8716 tp = tvb_get_letohl(tvb, offset);
8717 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8720 /* total data count */
8721 td = tvb_get_letohl(tvb, offset);
8722 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8726 pc = tvb_get_letohl(tvb, offset);
8727 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8731 po = tvb_get_letohl(tvb, offset);
8732 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8735 /* param displacement */
8736 pd = tvb_get_letohl(tvb, offset);
8737 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8741 dc = tvb_get_letohl(tvb, offset);
8742 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8746 od = tvb_get_letohl(tvb, offset);
8747 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8750 /* data displacement */
8751 dd = tvb_get_letohl(tvb, offset);
8752 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8756 sc = tvb_get_guint8(tvb, offset);
8757 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8762 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8768 /* reassembly of SMB NT Transaction data payload.
8769 In this section we do reassembly of both the data and parameters
8770 blocks of the SMB transaction command.
8772 save_fragmented = pinfo->fragmented;
8773 /* do we need reassembly? */
8774 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8775 /* oh yeah, either data or parameter section needs
8778 pinfo->fragmented = TRUE;
8779 if(smb_trans_reassembly){
8780 /* ...and we were told to do reassembly */
/* NOTE(review): the result of tvb_length_remaining() is cast to
   unsigned before it is compared with pc (and, below, with dc). If
   that call can return a negative value for an offset outside the
   buffer, the cast turns it into a very large number and the guard
   passes - confirm that po and od are validated first. */
8781 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8782 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8786 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8787 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8788 od, dc, dd+tp, td+tp);
8793 /* if we got a reassembled fd structure from the reassembly routine we
8794 must create pd_tvb from it
8797 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8799 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8800 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
8802 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
8807 /* we have reassembled data, grab param and data from there */
8808 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8809 &ntd, tvb_length(pd_tvb));
8810 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8812 /* we do not have reassembled data, just use what we have in the
8813 packet as well as we can */
8815 if(po>(guint32)offset){
8816 /* We have some initial padding bytes.
8821 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8822 COUNT_BYTES(padcnt);
8825 CHECK_BYTE_COUNT(pc);
8826 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8831 if(od>(guint32)offset){
8832 /* We have some initial padding bytes.
8837 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8838 COUNT_BYTES(padcnt);
8841 CHECK_BYTE_COUNT(dc);
8842 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8846 pinfo->fragmented = save_fragmented;
8853 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8854 NT Transaction command ends here
8855 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Value-to-text table for a print mode; presumably used with the
 * 16-bit hf_smb_print_mode field decoded by the Open Print File
 * request dissector - confirm against the field registration.
 */
8857 static const value_string print_mode_vals[] = {
8859 {1, "Graphics Mode"},
/*
 * Dissect an Open Print File request: a 16-bit setup length, a 16-bit
 * print mode, then in the byte-counted area a one-byte buffer format
 * followed by the print identifier string (Unicode or ASCII according
 * to si->unicode).
 *
 * NOTE(review): the checks between reading the identifier and adding
 * it to the tree are not visible in this listing; confirm the string
 * pointer is tested before proto_tree_add_string() uses it.
 */
8864 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8866 smb_info_t *si = pinfo->private_data;
8875 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8879 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8885 CHECK_BYTE_COUNT(1);
8886 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8889 /* print identifier */
8890 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
8893 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8895 COUNT_BYTES(fn_len);
/*
 * Dissect a Write Print File request: a 16-bit FID, then in the
 * byte-counted area a one-byte buffer format, a 16-bit data length
 * (cnt) and the file data, which is handed to dissect_file_data()
 * with cnt passed for both of its length arguments.
 *
 * NOTE(review): cnt comes from the packet and no comparison with the
 * remaining byte count is visible before the call; confirm
 * dissect_file_data() copes with a cnt larger than what is left.
 */
8904 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8913 fid = tvb_get_letohs(tvb, offset);
8914 add_fid(tvb, pinfo, tree, offset, 2, fid);
8920 CHECK_BYTE_COUNT(1);
8921 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8925 CHECK_BYTE_COUNT(2);
8926 cnt = tvb_get_letohs(tvb, offset);
8927 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
8931 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
/*
 * Value-to-text table for the status of a print queue entry;
 * presumably used with the one-byte hf_smb_print_status field decoded
 * by dissect_print_queue_element() - confirm against the field
 * registration.
 */
8939 static const value_string print_status_vals[] = {
8940 {1, "Held or Stopped"},
8942 {3, "Awaiting print"},
8943 {4, "In intercept"},
8944 {5, "File had error"},
8945 {6, "Printer error"},
/*
 * Dissect a Get Print Queue request: a 16-bit maximum entry count
 * followed by a 16-bit start index. pinfo and smb_tree are unused.
 */
8950 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8958 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8962 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
/*
 * Dissect one print queue entry at offset, under an
 * ett_smb_print_queue_entry subtree that is created with a fixed
 * length of 28 bytes.
 *
 * Visible fields: a 4-byte date/time, a 1-byte status, a 2-byte spool
 * file number, a 4-byte spool file size, a reserved byte and the
 * spool file name. bcp points at the caller's remaining byte count;
 * the CHECK_/COUNT_BYTES_SUBR and CHECK_STRING_SUBR macros are
 * defined outside this excerpt, and how trunc is set is not visible.
 *
 * NOTE(review): the name is added to the tree with a fixed length of
 * 16, while fn_len is what is counted afterwards; confirm the two
 * cannot disagree.
 */
8973 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8974 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8976 proto_item *item = NULL;
8977 proto_tree *tree = NULL;
8978 smb_info_t *si = pinfo->private_data;
8983 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8985 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
8989 CHECK_BYTE_COUNT_SUBR(4);
8990 offset = dissect_smb_datetime(tvb, tree, offset,
8991 hf_smb_print_queue_date,
8992 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8996 CHECK_BYTE_COUNT_SUBR(1);
8997 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8998 COUNT_BYTES_SUBR(1);
9000 /* spool file number */
9001 CHECK_BYTE_COUNT_SUBR(2);
9002 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
9003 COUNT_BYTES_SUBR(2);
9005 /* spool file size */
9006 CHECK_BYTE_COUNT_SUBR(4);
9007 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
9008 COUNT_BYTES_SUBR(4);
9011 CHECK_BYTE_COUNT_SUBR(1);
9012 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9013 COUNT_BYTES_SUBR(1);
9017 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
9018 CHECK_STRING_SUBR(fn);
9019 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
9021 COUNT_BYTES_SUBR(fn_len);
/*
 * Dissect a Get Print Queue response: a 16-bit entry count (cnt), a
 * 16-bit restart index, then in the byte-counted area a one-byte
 * buffer format, a 16-bit data length (len) and the queue entries,
 * each handed to dissect_print_queue_element().
 *
 * NOTE(review): cnt and len come from the packet; the loop over the
 * entries is not visible in this listing, so confirm it is bounded by
 * the remaining byte count and not by either field alone.
 */
9028 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9038 cnt = tvb_get_letohs(tvb, offset);
9039 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
9043 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
9049 CHECK_BYTE_COUNT(1);
9050 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9054 CHECK_BYTE_COUNT(2);
9055 len = tvb_get_letohs(tvb, offset);
9056 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
9059 /* queue elements */
9061 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
/*
 * Dissect a Send Single Block Message request. The byte-counted area
 * holds three elements, each introduced by a one-byte buffer format:
 * the originator name, the destination name, and a 16-bit message
 * length followed by the message bytes.
 *
 * NOTE(review): each name length is obtained from tvb_strsize(), which
 * is given only the tvbuff and the offset, and the byte count is
 * compared with it afterwards - this is what the author's "XXX"
 * remarks refer to. message_len comes from the packet and is checked
 * with CHECK_BYTE_COUNT() before use.
 */
9074 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9079 guint16 message_len;
9086 CHECK_BYTE_COUNT(1);
9087 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9090 /* originator name */
9091 /* XXX - what if this runs past bc? */
9092 name_len = tvb_strsize(tvb, offset);
9093 CHECK_BYTE_COUNT(name_len);
9094 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9096 COUNT_BYTES(name_len);
9099 CHECK_BYTE_COUNT(1);
9100 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9103 /* destination name */
9104 /* XXX - what if this runs past bc? */
9105 name_len = tvb_strsize(tvb, offset);
9106 CHECK_BYTE_COUNT(name_len);
9107 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9109 COUNT_BYTES(name_len);
9112 CHECK_BYTE_COUNT(1);
9113 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9117 CHECK_BYTE_COUNT(2);
9118 message_len = tvb_get_letohs(tvb, offset);
9119 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9124 CHECK_BYTE_COUNT(message_len);
9125 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9127 COUNT_BYTES(message_len);
/*
 * Dissect a Send Multi-Block Message Start request. The byte-counted
 * area holds the originator name and the destination name, each
 * introduced by a one-byte buffer format.
 *
 * NOTE(review): each name length is obtained from tvb_strsize(), which
 * is given only the tvbuff and the offset, and the byte count is
 * compared with it afterwards - this is what the author's "XXX"
 * remarks refer to.
 */
9135 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9146 CHECK_BYTE_COUNT(1);
9147 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9150 /* originator name */
9151 /* XXX - what if this runs past bc? */
9152 name_len = tvb_strsize(tvb, offset);
9153 CHECK_BYTE_COUNT(name_len);
9154 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9156 COUNT_BYTES(name_len);
9159 CHECK_BYTE_COUNT(1);
9160 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9163 /* destination name */
9164 /* XXX - what if this runs past bc? */
9165 name_len = tvb_strsize(tvb, offset);
9166 CHECK_BYTE_COUNT(name_len);
9167 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9169 COUNT_BYTES(name_len);
/*
 * Dissect a message that carries only a 16-bit message group ID.
 * pinfo and smb_tree are unused.
 */
9177 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9184 /* message group ID */
9185 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
/*
 * Dissect a Send Multi-Block Message Text request. The byte-counted
 * area holds a one-byte buffer format, a 16-bit message length and
 * the message bytes. message_len comes from the packet and is checked
 * with CHECK_BYTE_COUNT() before it is used as the item length.
 */
9196 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9200 guint16 message_len;
9207 CHECK_BYTE_COUNT(1);
9208 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9212 CHECK_BYTE_COUNT(2);
9213 message_len = tvb_get_letohs(tvb, offset);
9214 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9219 CHECK_BYTE_COUNT(message_len);
9220 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9222 COUNT_BYTES(message_len);
/*
 * Dissect a buffer-format byte followed by the forwarded name string.
 * pinfo and smb_tree are marked _U_ (unused) in the signature.
 */
9230 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9241 CHECK_BYTE_COUNT(1);
9242 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9245 /* forwarded name */
9246 /* XXX - what if this runs past bc? */
/* NOTE(review): the string is measured on the tvb first and only then
 * compared with bc, so the terminator scan is not limited to the SMB byte
 * count; presumably tvb_strsize() raises a bounds exception when no
 * terminator was captured - confirm. */
9247 name_len = tvb_strsize(tvb, offset);
9248 CHECK_BYTE_COUNT(name_len);
9249 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
9251 COUNT_BYTES(name_len);
/*
 * Dissect a "get machine name" response: a buffer-format byte followed by
 * the machine name string.
 * pinfo and smb_tree are marked _U_ (unused) in the signature.
 */
9259 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9270 CHECK_BYTE_COUNT(1);
9271 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9275 /* XXX - what if this runs past bc? */
/* NOTE(review): measured on the tvb before the comparison with bc, so the
 * terminator scan is not limited to the SMB byte count; presumably
 * tvb_strsize() raises a bounds exception when no terminator was
 * captured - confirm. */
9276 name_len = tvb_strsize(tvb, offset);
9277 CHECK_BYTE_COUNT(name_len);
9278 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
9280 COUNT_BYTES(name_len);
/*
 * Dissect an NT Create AndX request: the AndX header (next command,
 * reserved byte, AndX offset), the file name length, the create flags,
 * access mask, sizes and attributes, and finally the file name, which is
 * also appended to the Info column. The chained AndX command is then
 * handed to dissect_smb_command().
 *
 * cmd, andxoffset and fn_len are all read from the packet and are
 * therefore untrusted.
 */
9289 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
/* cmd starts out as 0xff, the value labelled "No further commands" below. */
9291 guint8 wc, cmd=0xff;
9292 guint16 andxoffset=0;
9294 smb_info_t *si = pinfo->private_data;
9300 /* next smb command */
9301 cmd = tvb_get_guint8(tvb, offset);
9303 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9305 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
9310 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9314 andxoffset = tvb_get_letohs(tvb, offset);
9315 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9319 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9323 fn_len = tvb_get_letohs(tvb, offset);
9324 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
9328 offset = dissect_nt_create_bits(tvb, tree, offset);
9330 /* root directory fid */
9331 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
9334 /* nt access mask */
9335 offset = dissect_smb_access_mask(tvb, tree, offset);
9337 /* allocation size */
9338 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9341 /* Extended File Attributes */
9342 offset = dissect_file_ext_attr(tvb, tree, offset);
9345 offset = dissect_nt_share_access(tvb, tree, offset);
9347 /* create disposition */
9348 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
9351 /* create options */
9352 offset = dissect_nt_create_options(tvb, tree, offset);
9354 /* impersonation level */
9355 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
9358 /* security flags */
9359 offset = dissect_nt_security_flags(tvb, tree, offset);
/* The packet-supplied fn_len is passed by address together with offset and
 * bc; presumably the helper clamps it to the bytes available and returns
 * NULL on failure - confirm, since fn is used as a string below. */
9364 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9367 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9369 COUNT_BYTES(fn_len);
9371 if (check_col(pinfo->cinfo, COL_INFO)) {
/* The file name is passed as a "%s" argument, never as the format string. */
9372 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
9377 /* call AndXCommand (if there are any) */
/* NOTE(review): andxoffset comes straight from the packet and no comparison
 * with the current offset is visible on these lines before the chained
 * dissection; confirm that a value pointing back into already-dissected
 * data is rejected here or inside dissect_smb_command(). */
9378 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an NT Create AndX response: the AndX header, oplock level, FID,
 * create action, the four 64-bit timestamps, extended attributes, sizes,
 * file type, IPC state and the is-directory byte, then hand the chained
 * AndX command to dissect_smb_command().
 *
 * cmd, andxoffset and fid are read from the packet and are untrusted.
 */
9385 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
/* cmd starts out as 0xff, the value labelled "No further commands" below. */
9387 guint8 wc, cmd=0xff;
9388 guint16 andxoffset=0;
9394 /* next smb command */
9395 cmd = tvb_get_guint8(tvb, offset);
9397 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9399 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
9404 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9408 andxoffset = tvb_get_letohs(tvb, offset);
9409 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9413 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
9417 fid = tvb_get_letohs(tvb, offset);
9418 add_fid(tvb, pinfo, tree, offset, 2, fid);
9422 /*XXX is this really the same as create disposition in the request? it looks so*/
9423 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
9424 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
9428 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
9431 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
9433 /* last write time */
9434 offset = dissect_smb_64bit_time(tvb, tree, offset,
9435 hf_smb_last_write_time);
9437 /* last change time */
9438 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
9440 /* Extended File Attributes */
9441 offset = dissect_file_ext_attr(tvb, tree, offset);
9443 /* allocation size */
9444 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9448 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9452 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
9456 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
9459 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9466 /* call AndXCommand (if there are any) */
/* NOTE(review): andxoffset comes straight from the packet and no comparison
 * with the current offset is visible on these lines before the chained
 * dissection; confirm that a value pointing back into already-dissected
 * data is rejected here or inside dissect_smb_command(). */
9467 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissector entry point for the NT Cancel request. Only the signature is
 * present in this listing; pinfo and smb_tree are marked _U_ (unused).
 */
9474 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9488 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9489 BEGIN Transaction/Transaction2 Primary and secondary requests
9490 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * TRANS2 subcommand code -> display name. dissect_transaction2_request_parameters()
 * looks the packet-supplied subcommand up here with val_to_str(), which is
 * given "Unknown (0x%02x)" as the label for codes that are not listed.
 * The table is not declared static, so it is presumably referenced from
 * other files as well.
 */
9493 const value_string trans2_cmd_vals[] = {
9495 { 0x01, "FIND_FIRST2" },
9496 { 0x02, "FIND_NEXT2" },
9497 { 0x03, "QUERY_FS_INFORMATION" },
9498 { 0x04, "SET_FS_QUOTA" },
9499 { 0x05, "QUERY_PATH_INFORMATION" },
9500 { 0x06, "SET_PATH_INFORMATION" },
9501 { 0x07, "QUERY_FILE_INFORMATION" },
9502 { 0x08, "SET_FILE_INFORMATION" },
9505 { 0x0B, "FIND_NOTIFY_FIRST" },
9506 { 0x0C, "FIND_NOTIFY_NEXT" },
9507 { 0x0D, "CREATE_DIRECTORY" },
9508 { 0x0E, "SESSION_SETUP" },
9509 { 0x10, "GET_DFS_REFERRAL" },
9510 { 0x11, "REPORT_DFS_INCONSISTENCY" },
/*
 * Display strings for single-bit flags. Going by the wording of each pair,
 * the first string describes the bit being set and the second the bit
 * being clear.
 */
/* Transaction flags: disconnect-TID bit. */
9514 static const true_false_string tfs_tf_dtid = {
9515 "Also DISCONNECT TID",
9516 "Do NOT disconnect TID"
/* Transaction flags: one-way-transaction bit. */
9518 static const true_false_string tfs_tf_owt = {
9519 "One Way Transaction (NO RESPONSE)",
9520 "Two way transaction"
/* FIND_FIRST2 flag bits, shown by dissect_ff2_flags(). */
9523 static const true_false_string tfs_ff2_backup = {
9524 "Find WITH backup intent",
9527 static const true_false_string tfs_ff2_continue = {
9528 "CONTINUE search from previous position",
9529 "New search, do NOT continue from previous position"
9531 static const true_false_string tfs_ff2_resume = {
9532 "Return RESUME keys",
9533 "Do NOT return resume keys"
9535 static const true_false_string tfs_ff2_close_eos = {
9536 "CLOSE search if END OF SEARCH is reached",
9537 "Do NOT close search if end of search reached"
9539 static const true_false_string tfs_ff2_close = {
9540 "CLOSE search after this request",
9541 "Do NOT close search after this request"
/*
 * Information-level value -> display name for the Find First2 / Find Next2
 * information level field. The parenthesised numbers look like section
 * references into the protocol specification - confirm which document.
 */
9547 static const value_string ff2_il_vals[] = {
9548 { 1, "Info Standard (4.3.4.1)"},
9549 { 2, "Info Query EA Size (4.3.4.2)"},
9550 { 3, "Info Query EAs From List (4.3.4.2)"},
9551 { 0x0101, "Find File Directory Info (4.3.4.4)"},
9552 { 0x0102, "Find File Full Directory Info (4.3.4.5)"},
9553 { 0x0103, "Find File Names Info (4.3.4.7)"},
9554 { 0x0104, "Find File Both Directory Info (4.3.4.6)"},
9555 { 0x0202, "Find File UNIX (4.3.4.8)"},
9560 TRANS2_QUERY_PATH_INFORMATION
9561 TRANS2_SET_PATH_INFORMATION
/*
 * Level-of-interest value -> display name for the path/file information
 * TRANS2 subcommands. The table mixes three ranges: small values (1-6),
 * 0x01xx/0x02xx values, and decimal values from 1004 upwards, several of
 * which repeat the labels of the 0x01xx entries. Entries whose reference
 * ends in "?" have no known section number.
 */
9563 static const value_string qpi_loi_vals[] = {
9564 { 1, "Info Standard (4.2.14.1)"},
9565 { 2, "Info Query EA Size (4.2.14.1)"},
9566 { 3, "Info Query EAs From List (4.2.14.2)"},
9567 { 4, "Info Query All EAs (4.2.14.2)"},
9568 { 6, "Info Is Name Valid (4.2.14.3)"},
9569 { 0x0101, "Query File Basic Info (4.2.14.4)"},
9570 { 0x0102, "Query File Standard Info (4.2.14.5)"},
9571 { 0x0103, "Query File EA Info (4.2.14.6)"},
9572 { 0x0104, "Query File Name Info (4.2.14.7)"},
9573 { 0x0107, "Query File All Info (4.2.14.8)"},
9574 { 0x0108, "Query File Alt Name Info (4.2.14.7)"},
9575 { 0x0109, "Query File Stream Info (4.2.14.10)"},
9576 { 0x010b, "Query File Compression Info (4.2.14.11)"},
9577 { 0x0200, "Set File Unix Basic"},
9578 { 0x0201, "Set File Unix Link"},
9579 { 0x0202, "Set File Unix HardLink"},
9580 { 1004, "Query File Basic Info (4.2.14.4)"},
9581 { 1005, "Query File Standard Info (4.2.14.5)"},
9582 { 1006, "Query File Internal Info (4.2.14.?)"},
9583 { 1007, "Query File EA Info (4.2.14.6)"},
9584 { 1009, "Query File Name Info (4.2.14.7)"},
9585 { 1010, "Query File Rename Info (4.2.14.?)"},
9586 { 1011, "Query File Link Info (4.2.14.?)"},
9587 { 1012, "Query File Names Info (4.2.14.?)"},
9588 { 1013, "Query File Disposition Info (4.2.14.?)"},
9589 { 1014, "Query File Position Info (4.2.14.?)"},
9590 { 1015, "Query File Full EA Info (4.2.14.?)"},
9591 { 1016, "Query File Mode Info (4.2.14.?)"},
9592 { 1017, "Query File Alignment Info (4.2.14.?)"},
9593 { 1018, "Query File All Info (4.2.14.8)"},
9594 { 1019, "Query File Allocation Info (4.2.14.?)"},
9595 { 1020, "Query File End of File Info (4.2.14.?)"},
9596 { 1021, "Query File Alt Name Info (4.2.14.7)"},
9597 { 1022, "Query File Stream Info (4.2.14.10)"},
9598 { 1023, "Query File Pipe Info (4.2.14.?)"},
9599 { 1024, "Query File Pipe Local Info (4.2.14.?)"},
9600 { 1025, "Query File Pipe Remote Info (4.2.14.?)"},
9601 { 1026, "Query File Mailslot Query Info (4.2.14.?)"},
9602 { 1027, "Query File Mailslot Set Info (4.2.14.?)"},
9603 { 1028, "Query File Compression Info (4.2.14.11)"},
9604 { 1029, "Query File ObjectID Info (4.2.14.?)"},
9605 { 1030, "Query File Completion Info (4.2.14.?)"},
9606 { 1031, "Query File Move Cluster Info (4.2.14.?)"},
9607 { 1032, "Query File Quota Info (4.2.14.?)"},
9608 { 1033, "Query File Reparsepoint Info (4.2.14.?)"},
9609 { 1034, "Query File Network Open Info (4.2.14.?)"},
9610 { 1035, "Query File Attribute Tag Info (4.2.14.?)"},
9611 { 1036, "Query File Tracking Info (4.2.14.?)"},
9612 { 1037, "Query File Maximum Info (4.2.14.?)"},
/*
 * Information-level value -> display name for file-system information
 * queries. As in qpi_loi_vals, the 0x01xx entries and the decimal 100x
 * entries partly carry the same labels.
 */
9616 static const value_string qfsi_vals[] = {
9617 { 1, "Info Allocation"},
9618 { 2, "Info Volume"},
9619 { 0x0101, "Query FS Label Info"},
9620 { 0x0102, "Query FS Volume Info"},
9621 { 0x0103, "Query FS Size Info"},
9622 { 0x0104, "Query FS Device Info"},
9623 { 0x0105, "Query FS Attribute Info"},
9624 { 0x0301, "Mac Query FS INFO"},
9625 { 1001, "Query FS Label Info"},
9626 { 1002, "Query FS Volume Info"},
9627 { 1003, "Query FS Size Info"},
9628 { 1004, "Query FS Device Info"},
9629 { 1005, "Query FS Attribute Info"},
9630 { 1006, "Query FS Quota Info"},
9631 { 1007, "Query Full FS Size Info"},
/* NT rename level value -> display name (only one entry is visible here). */
9635 static const value_string nt_rename_vals[] = {
9636 { 0x0103, "Create Hard Link"},
/* Delete-pending indicator -> display name. */
9641 static const value_string delete_pending_vals[] = {
9642 {0, "Normal, no pending delete"},
9643 {1, "This object has DELETE PENDING"},
/*
 * Alignment requirement -> display name. The keys are the alignment in
 * bytes minus one (1 for 2-byte, 3 for 4-byte, 7 for 8-byte, and so on).
 */
9647 static const value_string alignment_vals[] = {
9648 {0, "Byte alignment"},
9649 {1, "Word (16bit) alignment"},
9650 {3, "Long (32bit) alignment"},
9651 {7, "8 byte boundary alignment"},
9652 {0x0f, "16 byte boundary alignment"},
9653 {0x1f, "32 byte boundary alignment"},
9654 {0x3f, "64 byte boundary alignment"},
9655 {0x7f, "128 byte boundary alignment"},
9656 {0xff, "256 byte boundary alignment"},
9657 {0x1ff, "512 byte boundary alignment"},
/* Get-DFS flag bits, shown by dissect_get_dfs_flags(). */
9662 static const true_false_string tfs_get_dfs_server_hold_storage = {
9663 "Referral SERVER HOLDS STORAGE for the file",
9664 "Referral server does NOT hold storage for the file"
9666 static const true_false_string tfs_get_dfs_fielding = {
9667 "The server in referral is FIELDING CAPABLE",
9668 "The server in referrals is NOT fielding capable"
/* DFS referral flag bit, shown by dissect_dfs_referral_flags(). */
9671 static const true_false_string tfs_dfs_referral_flags_strip = {
9672 "STRIP off pathconsumed characters before submitting",
9673 "Do NOT strip off any characters"
/* DFS referral server type -> display name (only two entries are visible
 * in this listing). */
9676 static const value_string dfs_referral_server_type_vals[] = {
9679 {2, "Netware Server"},
9680 {3, "Domain Server"},
/*
 * Display strings for the device-characteristics bits. Going by the wording
 * of each pair, the first string describes the bit being set and the second
 * the bit being clear.
 */
9685 static const true_false_string tfs_device_char_removable = {
9686 "This is a REMOVABLE device",
9687 "This is NOT a removable device"
9689 static const true_false_string tfs_device_char_read_only = {
9690 "This is a READ-ONLY device",
9691 "This is NOT a read-only device"
9693 static const true_false_string tfs_device_char_floppy = {
9694 "This is a FLOPPY DISK device",
9695 "This is NOT a floppy disk device"
9697 static const true_false_string tfs_device_char_write_once = {
9698 "This is a WRITE-ONCE device",
9699 "This is NOT a write-once device"
9701 static const true_false_string tfs_device_char_remote = {
9702 "This is a REMOTE device",
9703 "This is NOT a remote device"
9705 static const true_false_string tfs_device_char_mounted = {
9706 "This device is MOUNTED",
9707 "This device is NOT mounted"
9709 static const true_false_string tfs_device_char_virtual = {
9710 "This is a VIRTUAL device",
9711 "This is NOT a virtual device"
/* Display strings for the file-system attribute bits (same set/clear
 * ordering as above). */
9715 static const true_false_string tfs_fs_attr_css = {
9716 "This FS supports CASE SENSITIVE SEARCHes",
9717 "This FS does NOT support case sensitive searches"
9719 static const true_false_string tfs_fs_attr_cpn = {
9720 "This FS supports CASE PRESERVED NAMES",
9721 "This FS does NOT support case preserved names"
9723 static const true_false_string tfs_fs_attr_pacls = {
9724 "This FS supports PERSISTENT ACLs",
9725 "This FS does NOT support persistent acls"
9727 static const true_false_string tfs_fs_attr_fc = {
9728 "This FS supports COMPRESSED FILES",
9729 "This FS does NOT support compressed files"
9731 static const true_false_string tfs_fs_attr_vq = {
9732 "This FS supports VOLUME QUOTAS",
9733 "This FS does NOT support volume quotas"
9735 static const true_false_string tfs_fs_attr_dim = {
9736 "This FS is on a MOUNTED DEVICE",
9737 "This FS is NOT on a mounted device"
9739 static const true_false_string tfs_fs_attr_vic = {
9740 "This FS is on a COMPRESSED VOLUME",
9741 "This FS is NOT on a compressed volume"
/* Bit of the Find First2 flags word that dissect_ff2_flags() tests to
 * record in t2i->resume_keys whether resume keys were requested. */
9744 #define FF2_RESUME 0x0004
/*
 * Dissect the 2-byte Find First2 flags word at offset: remember the
 * FF2_RESUME bit in the per-transaction state and show the individual
 * flag bits in a "Flags" subtree under parent_tree.
 */
9747 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9750 proto_item *item = NULL;
9751 proto_tree *tree = NULL;
9753 smb_transact2_info_t *t2i;
9755 mask = tvb_get_letohs(tvb, offset);
9757 si = (smb_info_t *)pinfo->private_data;
9758 if (si->sip != NULL) {
9759 t2i = si->sip->extra_info;
/* The state is written only when the frame has not been visited before.
 * NOTE(review): the listing omits the line between the assignment above
 * and this test; confirm it checks t2i for NULL before the store below. */
9761 if (!pinfo->fd->flags.visited)
9762 t2i->resume_keys = (mask & FF2_RESUME);
9767 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9768 "Flags: 0x%04x", mask);
9769 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
/* Each boolean field is handed the whole 16-bit mask over the same two
 * bytes; presumably the field definition selects its own bit. */
9772 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
9773 tvb, offset, 2, mask);
9774 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
9775 tvb, offset, 2, mask);
9776 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
9777 tvb, offset, 2, mask);
9778 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
9779 tvb, offset, 2, mask);
9780 proto_tree_add_boolean(tree, hf_smb_ff2_close,
9781 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte I/O flag word at offset and show its bits in an
 * "IO Flag" subtree under parent_tree.
 */
9790 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9793 proto_item *item = NULL;
9794 proto_tree *tree = NULL;
9796 mask = tvb_get_letohs(tvb, offset);
9799 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9800 "IO Flag: 0x%04x", mask);
9801 tree = proto_item_add_subtree(item, ett_smb_ioflag);
/* Both boolean fields are handed the whole mask over the same two bytes. */
9804 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
9805 tvb, offset, 2, mask);
9806 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
9807 tvb, offset, 2, mask);
/*
 * Dissect the parameter block of a TRANS2 request. subcmd selects the
 * layout (see the case labels below) and bc is the number of parameter
 * bytes available. Each fixed-size field is preceded by
 * CHECK_BYTE_COUNT_TRANS() and followed by COUNT_BYTES_TRANS() or by a
 * helper that returns the new offset; strings are fetched with
 * get_unicode_or_ascii_string(), which is handed &offset, &fn_len and &bc.
 *
 * For several subcommands the information level read from the packet is
 * stored in si->info_level and, when the frame has not been visited
 * before, in t2i->info_level as well. All values read here come from the
 * captured packet and are untrusted.
 */
9816 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
9817 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
9819 proto_item *item = NULL;
9820 proto_tree *tree = NULL;
9822 smb_transact2_info_t *t2i;
9825 int old_offset = offset;
/* NOTE(review): on the lines shown, t2i is assigned only when si->sip is
 * non-NULL, while the later "t2i->info_level = ..." stores are guarded
 * only by the visited flag. Confirm t2i cannot be NULL or unset at those
 * stores; otherwise add "t2i != NULL" to each of those conditions. */
9827 si = (smb_info_t *)pinfo->private_data;
9828 if (si->sip != NULL)
9829 t2i = si->sip->extra_info;
9834 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
9836 val_to_str(subcmd, trans2_cmd_vals,
9837 "Unknown (0x%02x)"));
9838 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
9842 case 0x00: /*TRANS2_OPEN2*/
9844 CHECK_BYTE_COUNT_TRANS(2);
9845 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
9848 /* desired access */
9849 CHECK_BYTE_COUNT_TRANS(2);
9850 offset = dissect_access(tvb, tree, offset, "Desired");
9853 /* Search Attributes */
9854 CHECK_BYTE_COUNT_TRANS(2);
9855 offset = dissect_search_attributes(tvb, tree, offset);
9858 /* File Attributes */
9859 CHECK_BYTE_COUNT_TRANS(2);
9860 offset = dissect_file_attributes(tvb, tree, offset, 2);
9864 CHECK_BYTE_COUNT_TRANS(4);
9865 offset = dissect_smb_datetime(tvb, tree, offset,
9867 hf_smb_create_dos_date, hf_smb_create_dos_time,
9872 CHECK_BYTE_COUNT_TRANS(2);
9873 offset = dissect_open_function(tvb, tree, offset);
9876 /* allocation size */
9877 CHECK_BYTE_COUNT_TRANS(4);
9878 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
9879 COUNT_BYTES_TRANS(4);
9881 /* 10 reserved bytes */
9882 CHECK_BYTE_COUNT_TRANS(10);
9883 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
9884 COUNT_BYTES_TRANS(10);
/* String fields follow one pattern throughout this function: fetch the
 * string, let CHECK_STRING_TRANS() vet the result (presumably bailing out
 * on NULL - macro not shown), add it to the tree, advance by fn_len, and
 * append it to the Info column as a "%s" argument. */
9887 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9888 CHECK_STRING_TRANS(fn);
9889 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9891 COUNT_BYTES_TRANS(fn_len);
9893 if (check_col(pinfo->cinfo, COL_INFO)) {
9894 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9898 case 0x01: /*TRANS2_FIND_FIRST2*/
9899 /* Search Attributes */
9900 CHECK_BYTE_COUNT_TRANS(2);
9901 offset = dissect_search_attributes(tvb, tree, offset);
9905 CHECK_BYTE_COUNT_TRANS(2);
9906 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9907 COUNT_BYTES_TRANS(2);
9909 /* Find First2 flags */
9910 CHECK_BYTE_COUNT_TRANS(2);
9911 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9914 /* Find First2 information level */
9915 CHECK_BYTE_COUNT_TRANS(2);
9916 si->info_level = tvb_get_letohs(tvb, offset);
/* First of the stores through t2i that test only the visited flag; the
 * same two-line pattern recurs in the cases below. */
9917 if (!pinfo->fd->flags.visited)
9918 t2i->info_level = si->info_level;
9919 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9920 COUNT_BYTES_TRANS(2);
9923 CHECK_BYTE_COUNT_TRANS(4);
9924 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
9925 COUNT_BYTES_TRANS(4);
9927 /* search pattern */
9928 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9929 CHECK_STRING_TRANS(fn);
9930 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
9932 COUNT_BYTES_TRANS(fn_len);
9934 if (check_col(pinfo->cinfo, COL_INFO)) {
9935 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
9940 case 0x02: /*TRANS2_FIND_NEXT2*/
9942 CHECK_BYTE_COUNT_TRANS(2);
9943 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
9944 COUNT_BYTES_TRANS(2);
9947 CHECK_BYTE_COUNT_TRANS(2);
9948 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9949 COUNT_BYTES_TRANS(2);
9951 /* Find First2 information level */
9952 CHECK_BYTE_COUNT_TRANS(2);
9953 si->info_level = tvb_get_letohs(tvb, offset);
9954 if (!pinfo->fd->flags.visited)
9955 t2i->info_level = si->info_level;
9956 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9957 COUNT_BYTES_TRANS(2);
9960 CHECK_BYTE_COUNT_TRANS(4);
9961 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
9962 COUNT_BYTES_TRANS(4);
9964 /* Find First2 flags */
9965 CHECK_BYTE_COUNT_TRANS(2);
9966 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9970 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9971 CHECK_STRING_TRANS(fn);
9972 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9974 COUNT_BYTES_TRANS(fn_len);
9976 if (check_col(pinfo->cinfo, COL_INFO)) {
9977 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
9982 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
9983 /* level of interest */
9984 CHECK_BYTE_COUNT_TRANS(2);
9985 si->info_level = tvb_get_letohs(tvb, offset);
9986 if (!pinfo->fd->flags.visited)
9987 t2i->info_level = si->info_level;
9988 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
9989 COUNT_BYTES_TRANS(2);
9992 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
9993 /* level of interest */
9994 CHECK_BYTE_COUNT_TRANS(2);
9995 si->info_level = tvb_get_letohs(tvb, offset);
9996 if (!pinfo->fd->flags.visited)
9997 t2i->info_level = si->info_level;
9998 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9999 COUNT_BYTES_TRANS(2);
10001 /* 4 reserved bytes */
10002 CHECK_BYTE_COUNT_TRANS(4);
10003 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10004 COUNT_BYTES_TRANS(4);
10007 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10008 CHECK_STRING_TRANS(fn);
10009 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10011 COUNT_BYTES_TRANS(fn_len);
10013 if (check_col(pinfo->cinfo, COL_INFO)) {
10014 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10019 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10020 /* level of interest */
10021 CHECK_BYTE_COUNT_TRANS(2);
10022 si->info_level = tvb_get_letohs(tvb, offset);
10023 if (!pinfo->fd->flags.visited)
10024 t2i->info_level = si->info_level;
10025 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10026 COUNT_BYTES_TRANS(2);
10028 /* 4 reserved bytes */
10029 CHECK_BYTE_COUNT_TRANS(4);
10030 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10031 COUNT_BYTES_TRANS(4);
10034 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10035 CHECK_STRING_TRANS(fn);
10036 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10038 COUNT_BYTES_TRANS(fn_len);
10040 if (check_col(pinfo->cinfo, COL_INFO)) {
10041 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10046 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
10050 CHECK_BYTE_COUNT_TRANS(2);
10051 fid = tvb_get_letohs(tvb, offset);
10052 add_fid(tvb, pinfo, tree, offset, 2, fid);
10053 COUNT_BYTES_TRANS(2);
10055 /* level of interest */
10056 CHECK_BYTE_COUNT_TRANS(2);
10057 si->info_level = tvb_get_letohs(tvb, offset);
10058 if (!pinfo->fd->flags.visited)
10059 t2i->info_level = si->info_level;
10060 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10061 COUNT_BYTES_TRANS(2);
10065 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
10069 CHECK_BYTE_COUNT_TRANS(2);
10070 fid = tvb_get_letohs(tvb, offset);
10071 add_fid(tvb, pinfo, tree, offset, 2, fid);
10072 COUNT_BYTES_TRANS(2);
10074 /* level of interest */
10075 CHECK_BYTE_COUNT_TRANS(2);
10076 si->info_level = tvb_get_letohs(tvb, offset);
10077 if (!pinfo->fd->flags.visited)
10078 t2i->info_level = si->info_level;
10079 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10080 COUNT_BYTES_TRANS(2);
10084 * XXX - "Microsoft Networks SMB File Sharing Protocol
10085 * Extensions Version 3.0, Document Version 1.11,
10086 * July 19, 1990" says this is I/O flags, but it's
10087 * reserved in the SNIA spec, and some clients appear
10088 * to leave junk in it.
10090 * Is this some field used only if a particular
10091 * dialect was negotiated, so that clients can feel
10092 * safe not setting it if they haven't negotiated that
10093 * dialect? Or do the (non-OS/2) clients simply not care
10094 * about that particular OS/2-oriented dialect?
10098 CHECK_BYTE_COUNT_TRANS(2);
10099 offset = dissect_sfi_ioflag(tvb, tree, offset);
10102 /* 2 reserved bytes */
10103 CHECK_BYTE_COUNT_TRANS(2);
10104 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10105 COUNT_BYTES_TRANS(2);
10110 case 0x09: /*TRANS2_FSCTL*/
10111 /* this call has no parameter block in the request */
10114 * XXX - "Microsoft Networks SMB File Sharing Protocol
10115 * Extensions Version 3.0, Document Version 1.11,
10116 * July 19, 1990" says this this contains a
10117 * "File system specific parameter block". (That means
10118 * we may not be able to dissect it in any case.)
10121 case 0x0a: /*TRANS2_IOCTL2*/
10122 /* this call has no parameter block in the request */
10125 * XXX - "Microsoft Networks SMB File Sharing Protocol
10126 * Extensions Version 3.0, Document Version 1.11,
10127 * July 19, 1990" says this this contains a
10128 * "Device/function specific parameter block". (That
10129 * means we may not be able to dissect it in any case.)
10132 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
10133 /* Search Attributes */
10134 CHECK_BYTE_COUNT_TRANS(2);
10135 offset = dissect_search_attributes(tvb, tree, offset);
10138 /* Number of changes to wait for */
10139 CHECK_BYTE_COUNT_TRANS(2);
10140 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10141 COUNT_BYTES_TRANS(2);
10143 /* Find Notify information level */
10144 CHECK_BYTE_COUNT_TRANS(2);
10145 si->info_level = tvb_get_letohs(tvb, offset);
10146 if (!pinfo->fd->flags.visited)
10147 t2i->info_level = si->info_level;
10148 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
10149 COUNT_BYTES_TRANS(2);
10151 /* 4 reserved bytes */
10152 CHECK_BYTE_COUNT_TRANS(4);
10153 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10154 COUNT_BYTES_TRANS(4);
10157 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10158 CHECK_STRING_TRANS(fn);
10159 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10161 COUNT_BYTES_TRANS(fn_len);
10163 if (check_col(pinfo->cinfo, COL_INFO)) {
10164 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10170 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
10171 /* Monitor handle */
10172 CHECK_BYTE_COUNT_TRANS(2);
10173 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
10174 COUNT_BYTES_TRANS(2);
10176 /* Number of changes to wait for */
10177 CHECK_BYTE_COUNT_TRANS(2);
10178 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10179 COUNT_BYTES_TRANS(2);
10183 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10184 /* 4 reserved bytes */
10185 CHECK_BYTE_COUNT_TRANS(4);
10186 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10187 COUNT_BYTES_TRANS(4);
10190 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
10191 FALSE, FALSE, &bc);
10192 CHECK_STRING_TRANS(fn);
10193 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
10195 COUNT_BYTES_TRANS(fn_len);
10197 if (check_col(pinfo->cinfo, COL_INFO)) {
10198 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
10202 case 0x0e: /*TRANS2_SESSION_SETUP*/
10203 /* XXX unknown structure*/
10205 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10206 /* referral level */
10207 CHECK_BYTE_COUNT_TRANS(2);
10208 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
10209 COUNT_BYTES_TRANS(2);
10212 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10213 CHECK_STRING_TRANS(fn);
10214 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10216 COUNT_BYTES_TRANS(fn_len);
10218 if (check_col(pinfo->cinfo, COL_INFO)) {
10219 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10224 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10226 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10227 CHECK_STRING_TRANS(fn);
10228 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10230 COUNT_BYTES_TRANS(fn_len);
10232 if (check_col(pinfo->cinfo, COL_INFO)) {
10233 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
/* NOTE(review): bc was handed by address to get_unicode_or_ascii_string()
 * above and is presumably reduced by the COUNT_BYTES_TRANS() calls as
 * well, while the test below compares it with the bytes consumed since
 * old_offset. Confirm both sides use the same accounting, so that the
 * length of the "unknown" item cannot exceed what is left in the tvb. */
10240 /* ooops there were data we didnt know how to process */
10241 if((offset-old_offset) < bc){
10242 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
10243 bc - (offset-old_offset), TRUE);
10244 offset += bc - (offset-old_offset);
10251 * XXX - just use "dissect_connect_flags()" here?
/*
 * Dissect the 2-byte transaction flags word at offset and show the
 * one-way-transaction and disconnect-TID bits in a "Flags" subtree under
 * parent_tree.
 */
10254 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10257 proto_item *item = NULL;
10258 proto_tree *tree = NULL;
10260 mask = tvb_get_letohs(tvb, offset);
10263 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10264 "Flags: 0x%04x", mask);
10265 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
/* Both boolean fields are handed the whole mask over the same two bytes. */
10268 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
10269 tvb, offset, 2, mask);
10270 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
10271 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte Get DFS flags word at offset and show the
 * server-holds-storage and fielding bits in a "Flags" subtree under
 * parent_tree.
 */
10278 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10281 proto_item *item = NULL;
10282 proto_tree *tree = NULL;
10284 mask = tvb_get_letohs(tvb, offset);
10287 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10288 "Flags: 0x%04x", mask);
10289 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
/* Both boolean fields are handed the whole mask over the same two bytes. */
10292 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
10293 tvb, offset, 2, mask);
10294 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
10295 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte DFS referral flags word at offset and show the strip
 * bit in a "Flags" subtree under parent_tree.
 */
10302 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10305 proto_item *item = NULL;
10306 proto_tree *tree = NULL;
10308 mask = tvb_get_letohs(tvb, offset);
10311 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10312 "Flags: 0x%04x", mask);
10313 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
10316 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
10317 tvb, offset, 2, mask);
10325 /* dfs inconsistency data (4.4.2)
/*
 * Dissect DFS inconsistency data: referral version, referral size, server
 * type and referral flags (2 bytes each), followed by the node name
 * string. The remaining byte count is passed in through bcp; presumably
 * the *_TRANS_SUBR macros check and update *bcp - they are not shown here.
 */
10328 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
10329 proto_tree *tree, int offset, guint16 *bcp)
10331 smb_info_t *si = pinfo->private_data;
10335 /*XXX shouldn this data hold version and size? unclear from doc*/
10336 /* referral version */
10337 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10338 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
10339 COUNT_BYTES_TRANS_SUBR(2);
10341 /* referral size */
10342 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10343 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
10344 COUNT_BYTES_TRANS_SUBR(2);
10346 /* referral server type */
10347 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10348 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10349 COUNT_BYTES_TRANS_SUBR(2);
10351 /* referral flags */
10352 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10353 offset = dissect_dfs_referral_flags(tvb, tree, offset);
/* The string helper receives the caller's byte counter directly (bcp), so
 * whatever it consumes is presumably reflected in the caller's count. */
10357 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10358 CHECK_STRING_TRANS_SUBR(fn);
10359 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10361 COUNT_BYTES_TRANS_SUBR(fn_len);
10366 /* get dfs referral data (4.4.1)
 *
 * Decodes, in order: path consumed, number of referrals, the Dfs flags,
 * two bytes shown as padding, then the referral entries and the strings
 * they point to.  numref, version, refsize, pathoffset, altpathoffset and
 * nodeoffset are all read from the packet with tvb_get_letohs(), so every
 * count, size and offset used below is untrusted input.
 *
 * NOTE(review): this listing skips source lines (see the gaps in the
 * gutter numbers), so the return type, braces, and the loop and switch
 * headers are not visible.  CHECK_BYTE_COUNT_TRANS_SUBR,
 * CHECK_STRING_TRANS_SUBR and COUNT_BYTES_TRANS_SUBR are defined
 * elsewhere; presumably they stop dissection when fewer bytes remain
 * than requested - confirm against the full file.
10369 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
10370 proto_tree *tree, int offset, guint16 *bcp)
10372 smb_info_t *si = pinfo->private_data;
10375 guint16 pathoffset;
10376 guint16 altpathoffset;
10377 guint16 nodeoffset;
10387 /* path consumed */
10388 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10389 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
10390 COUNT_BYTES_TRANS_SUBR(2);
10392 /* num referrals */
10393 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10394 numref = tvb_get_letohs(tvb, offset);
10395 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
10396 COUNT_BYTES_TRANS_SUBR(2);
10398 /* get dfs flags */
10399 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10400 offset = dissect_get_dfs_flags(tvb, tree, offset);
10403 /* XXX - in at least one capture there appears to be 2 bytes
10404 of stuff after the Dfs flags, perhaps so that the header
10405 in front of the referral list is a multiple of 4 bytes long. */
10406 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10407 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
10408 COUNT_BYTES_TRANS_SUBR(2);
10410 /* if there are any referrals */
10412 proto_item *ref_item = NULL;
10413 proto_tree *ref_tree = NULL;
10414 int old_offset=offset;
10417 ref_item = proto_tree_add_text(tree,
10418 tvb, offset, *bcp, "Referrals");
10419 ref_tree = proto_item_add_subtree(ref_item,
10420 ett_smb_dfs_referrals);
10425 proto_item *ri = NULL;
10426 proto_tree *rt = NULL;
10427 int old_offset=offset;
10431 ri = proto_tree_add_text(ref_tree,
10432 tvb, offset, *bcp, "Referral");
10433 rt = proto_item_add_subtree(ri,
10434 ett_smb_dfs_referral);
10437 /* referral version */
10438 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10439 version = tvb_get_letohs(tvb, offset);
10440 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
10441 tvb, offset, 2, version);
10442 COUNT_BYTES_TRANS_SUBR(2);
10444 /* referral size */
10445 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10446 refsize = tvb_get_letohs(tvb, offset);
10447 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
10448 COUNT_BYTES_TRANS_SUBR(2);
10450 /* referral server type */
10451 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10452 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10453 COUNT_BYTES_TRANS_SUBR(2);
10455 /* referral flags */
10456 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10457 offset = dissect_dfs_referral_flags(tvb, rt, offset);
10464 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10465 CHECK_STRING_TRANS_SUBR(fn);
10466 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10468 COUNT_BYTES_TRANS_SUBR(fn_len);
10472 case 3: /* XXX - like version 2, but not identical;
10473 seen in a capture, but the format isn't
10476 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10477 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
10478 COUNT_BYTES_TRANS_SUBR(2);
10481 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10482 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
10483 COUNT_BYTES_TRANS_SUBR(2);
10486 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10487 pathoffset = tvb_get_letohs(tvb, offset);
10488 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
10489 COUNT_BYTES_TRANS_SUBR(2);
10491 /* alt path offset */
10492 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10493 altpathoffset = tvb_get_letohs(tvb, offset);
10494 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
10495 COUNT_BYTES_TRANS_SUBR(2);
10498 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10499 nodeoffset = tvb_get_letohs(tvb, offset);
10500 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
10501 COUNT_BYTES_TRANS_SUBR(2);
/* The three string offsets are relative to the start of this referral
 * (old_offset).  A string is decoded only when the gap between the
 * current offset and the string (offsetoffset) is positive and smaller
 * than the remaining byte count, so the visible code does not follow an
 * offset that points backwards or past the remaining data.
 * NOTE(review): *bcp is reduced by the gap before each string is read;
 * any save and restore of *bcp would sit in the skipped gutter lines -
 * confirm against the full file. */
10504 if (pathoffset != 0) {
10505 stroffset = old_offset + pathoffset;
10506 offsetoffset = stroffset - offset;
10507 if (offsetoffset > 0 &&
10508 *bcp > offsetoffset) {
10510 *bcp -= offsetoffset;
10511 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10512 CHECK_STRING_TRANS_SUBR(fn);
10513 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
10515 stroffset += fn_len;
10516 if (ucstring_end < stroffset)
10517 ucstring_end = stroffset;
10523 if (altpathoffset != 0) {
10524 stroffset = old_offset + altpathoffset;
10525 offsetoffset = stroffset - offset;
10526 if (offsetoffset > 0 &&
10527 *bcp > offsetoffset) {
10529 *bcp -= offsetoffset;
10530 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10531 CHECK_STRING_TRANS_SUBR(fn);
10532 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
10534 stroffset += fn_len;
10535 if (ucstring_end < stroffset)
10536 ucstring_end = stroffset;
10542 if (nodeoffset != 0) {
10543 stroffset = old_offset + nodeoffset;
10544 offsetoffset = stroffset - offset;
10545 if (offsetoffset > 0 &&
10546 *bcp > offsetoffset) {
10548 *bcp -= offsetoffset;
10549 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10550 CHECK_STRING_TRANS_SUBR(fn);
10551 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
10553 stroffset += fn_len;
10554 if (ucstring_end < stroffset)
10555 ucstring_end = stroffset;
10563 * Show anything beyond the length of the referral
10566 unklen = (old_offset + refsize) - offset;
10569 * XXX - the length is bogus.
/* unklen is derived from refsize, a size field taken from the packet.
 * NOTE(review): the guard that belongs to the XXX remark above is in
 * skipped lines; presumably a negative unklen is handled before this
 * check - confirm. */
10574 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
10575 proto_tree_add_item(rt, hf_smb_unknown, tvb,
10576 offset, unklen, TRUE);
10577 COUNT_BYTES_TRANS_SUBR(unklen);
10580 proto_item_set_len(ri, offset-old_offset);
10584 * Treat the offset past the end of the last Unicode
10585 * string after the referrals (if any) as the last
10588 if (ucstring_end > offset) {
10589 ucstring_len = ucstring_end - offset;
/* Cap the skip at the remaining byte count so that offset and *bcp are
 * never moved past the data that is left. */
10590 if (*bcp < ucstring_len)
10591 ucstring_len = *bcp;
10592 offset += ucstring_len;
10593 *bcp -= ucstring_len;
10595 proto_item_set_len(ref_item, offset-old_offset);
10602 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
10603 as described in 4.2.14.1
 *
 * Fields, in order: creation, last access and last write time (4 bytes
 * each, via dissect_smb_datetime), data size (4), allocation size (4),
 * file attributes (2) and EA size (4).  Every field is preceded by a
 * CHECK_BYTE_COUNT_SUBR for its width.
 * NOTE(review): CHECK_BYTE_COUNT_SUBR and COUNT_BYTES_SUBR are defined
 * outside this view; presumably the first bails out (flagging *trunc)
 * when *bcp is too small and the second advances offset while reducing
 * *bcp - confirm.  Skipped gutter lines hide the return type and braces.
10606 dissect_4_2_14_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10607 int offset, guint16 *bcp, gboolean *trunc)
10610 CHECK_BYTE_COUNT_SUBR(4);
10611 offset = dissect_smb_datetime(tvb, tree, offset,
10612 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
10617 CHECK_BYTE_COUNT_SUBR(4);
10618 offset = dissect_smb_datetime(tvb, tree, offset,
10619 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
10623 /* last write time */
10624 CHECK_BYTE_COUNT_SUBR(4);
10625 offset = dissect_smb_datetime(tvb, tree, offset,
10626 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
10631 CHECK_BYTE_COUNT_SUBR(4);
10632 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10633 COUNT_BYTES_SUBR(4);
10635 /* allocation size */
10636 CHECK_BYTE_COUNT_SUBR(4);
10637 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10638 COUNT_BYTES_SUBR(4);
10640 /* File Attributes */
10641 CHECK_BYTE_COUNT_SUBR(2);
10642 offset = dissect_file_attributes(tvb, tree, offset, 2);
10646 CHECK_BYTE_COUNT_SUBR(4);
10647 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10648 COUNT_BYTES_SUBR(4);
10654 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
10655 as described in 4.2.14.2
 *
 * Only the 4-byte list length is decoded in the lines shown; no EA
 * entries are walked here, so the length value is displayed but not
 * used to drive any further reads.
10658 dissect_4_2_14_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10659 int offset, guint16 *bcp, gboolean *trunc)
10662 CHECK_BYTE_COUNT_SUBR(4);
10663 proto_tree_add_item(tree, hf_smb_list_length, tvb, offset, 4, TRUE);
10664 COUNT_BYTES_SUBR(4);
10670 /* this dissects the SMB_INFO_IS_NAME_VALID
10671 as described in 4.2.14.3
 *
 * Decodes a single file name with get_unicode_or_ascii_string(); the
 * encoding is chosen by si->unicode and bcp is passed as the last
 * argument.  The name comes from the packet, and CHECK_STRING_SUBR runs
 * on the returned pointer before it is added to the tree.
 * NOTE(review): what CHECK_STRING_SUBR does on a NULL result is defined
 * outside this view - confirm.
10674 dissect_4_2_14_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10675 int offset, guint16 *bcp, gboolean *trunc)
10677 smb_info_t *si = pinfo->private_data;
10682 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10683 CHECK_STRING_SUBR(fn);
10684 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10686 COUNT_BYTES_SUBR(fn_len);
10692 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
10693 as described in 4.2.14.4
 *
 * Fields, in order: creation, last access, last write and last change
 * time (8 bytes each, via dissect_smb_64bit_time) followed by the file
 * attributes (4 bytes).  Each field is preceded by a byte-count check
 * for its width.
10696 dissect_4_2_14_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10697 int offset, guint16 *bcp, gboolean *trunc)
10700 CHECK_BYTE_COUNT_SUBR(8);
10701 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
10705 CHECK_BYTE_COUNT_SUBR(8);
10706 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
10709 /* last write time */
10710 CHECK_BYTE_COUNT_SUBR(8);
10711 offset = dissect_smb_64bit_time(tvb, tree, offset,
10712 hf_smb_last_write_time);
10715 /* last change time */
10716 CHECK_BYTE_COUNT_SUBR(8);
10717 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
10720 /* File Attributes */
10721 CHECK_BYTE_COUNT_SUBR(4);
10722 offset = dissect_file_attributes(tvb, tree, offset, 4);
10729 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
10730 as described in 4.2.14.5
 *
 * Fields, in order: allocation size (8), end of file (8), number of
 * links (4), delete pending (1) and the is-directory flag (1).  Each
 * field is preceded by a byte-count check for its width.
10733 dissect_4_2_14_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10734 int offset, guint16 *bcp, gboolean *trunc)
10736 /* allocation size */
10737 CHECK_BYTE_COUNT_SUBR(8);
10738 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10739 COUNT_BYTES_SUBR(8);
10742 CHECK_BYTE_COUNT_SUBR(8);
10743 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10744 COUNT_BYTES_SUBR(8);
10746 /* number of links */
10747 CHECK_BYTE_COUNT_SUBR(4);
10748 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
10749 COUNT_BYTES_SUBR(4);
10751 /* delete pending */
10752 CHECK_BYTE_COUNT_SUBR(1);
10753 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
10754 COUNT_BYTES_SUBR(1);
10757 CHECK_BYTE_COUNT_SUBR(1);
10758 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
10759 COUNT_BYTES_SUBR(1);
10765 /* this dissects the SMB_QUERY_FILE_EA_INFO
10766 as described in 4.2.14.6
 *
 * The only field is the 4-byte EA size, read after a byte-count check.
 * dissect_4_2_14_8 calls this helper as part of the all-info level.
10769 dissect_4_2_14_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10770 int offset, guint16 *bcp, gboolean *trunc)
10773 CHECK_BYTE_COUNT_SUBR(4);
10774 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10775 COUNT_BYTES_SUBR(4);
10781 /* this dissects the SMB_QUERY_FILE_NAME_INFO
10782 as described in 4.2.14.7
10783 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
10784 as described in 4.2.14.9
 *
 * Decodes a 4-byte file name length followed by the file name string.
 * NOTE(review): in the lines shown the length field is only displayed
 * with proto_tree_add_item(); fn_len is not visibly loaded from it
 * before get_unicode_or_ascii_string() is called, so the string read
 * appears to be bounded by bcp rather than by the on-wire length -
 * confirm against the helper.
10787 dissect_4_2_14_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10788 int offset, guint16 *bcp, gboolean *trunc)
10790 smb_info_t *si = pinfo->private_data;
10794 /* file name len */
10795 CHECK_BYTE_COUNT_SUBR(4);
10796 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
10797 COUNT_BYTES_SUBR(4);
10800 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10801 CHECK_STRING_SUBR(fn);
10802 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10804 COUNT_BYTES_SUBR(fn_len);
10810 /* this dissects the SMB_QUERY_FILE_ALL_INFO
10811 as described in 4.2.14.8
 *
 * Chains the basic (4.2.14.4), standard (4.2.14.5) and EA (4.2.14.6)
 * dissectors and decodes the fixed-width fields between them.
 * NOTE(review): the access mask step assigns offset from
 * dissect_smb_access_mask() and is then followed directly by
 * COUNT_BYTES_SUBR(4).  If the helper already returns the advanced
 * offset and the macro advances offset as well, those 4 bytes are
 * counted twice and every later field is read from the wrong place -
 * confirm against both definitions.  Compare the create options step,
 * which has no COUNT_BYTES_SUBR in the lines shown.
 * NOTE(review): hf_smb_index_number is used for two separate 8-byte
 * fields and dissect_4_2_14_6 is called twice; the listing skips lines
 * between the chained calls, so any checks there are not visible.
10814 dissect_4_2_14_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10815 int offset, guint16 *bcp, gboolean *trunc)
10818 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, trunc);
10822 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, trunc);
10828 CHECK_BYTE_COUNT_SUBR(8);
10829 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10830 COUNT_BYTES_SUBR(8);
10832 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
10837 CHECK_BYTE_COUNT_SUBR(4);
10838 offset = dissect_smb_access_mask(tvb, tree, offset);
10839 COUNT_BYTES_SUBR(4);
10842 CHECK_BYTE_COUNT_SUBR(8);
10843 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10844 COUNT_BYTES_SUBR(8);
10846 /* current offset */
10847 CHECK_BYTE_COUNT_SUBR(8);
10848 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
10849 COUNT_BYTES_SUBR(8);
10852 CHECK_BYTE_COUNT_SUBR(4);
10853 offset = dissect_nt_create_options(tvb, tree, offset);
10857 CHECK_BYTE_COUNT_SUBR(4);
10858 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
10859 COUNT_BYTES_SUBR(4);
10861 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
10866 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
10867 as described in 4.2.14.10
 *
 * Per stream entry: next entry offset (4), stream name length (4),
 * stream size (8), allocation size (8) and the stream name.  The break
 * and skip remarks near the end indicate the entries are processed
 * repeatedly; the loop header itself is in a skipped line.
 * neo and fn_len are 32-bit values read from the packet with
 * tvb_get_letohl(): fn_len is handed to get_unicode_or_ascii_string()
 * with the sixth argument TRUE, and neo decides how many bytes are
 * skipped to reach the next entry.
 * NOTE(review): the guard that goes with the XXX remark next to padcnt
 * is in skipped lines; presumably a negative padcnt is handled there -
 * confirm.
10870 dissect_4_2_14_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10871 int offset, guint16 *bcp, gboolean *trunc)
10877 smb_info_t *si = pinfo->private_data;
10883 old_offset = offset;
10885 /* next entry offset */
10886 CHECK_BYTE_COUNT_SUBR(4);
10888 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
10889 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10895 neo = tvb_get_letohl(tvb, offset);
10896 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10897 COUNT_BYTES_SUBR(4);
10899 /* stream name len */
10900 CHECK_BYTE_COUNT_SUBR(4);
10901 fn_len = tvb_get_letohl(tvb, offset);
10902 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
10903 COUNT_BYTES_SUBR(4);
10906 CHECK_BYTE_COUNT_SUBR(8);
10907 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
10908 COUNT_BYTES_SUBR(8);
10910 /* allocation size */
10911 CHECK_BYTE_COUNT_SUBR(8);
10912 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10913 COUNT_BYTES_SUBR(8);
10916 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10917 CHECK_STRING_SUBR(fn);
10918 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
10920 COUNT_BYTES_SUBR(fn_len);
10922 proto_item_append_text(item, ": %s", fn);
10923 proto_item_set_len(item, offset-old_offset);
10926 break; /* no more structures */
10928 /* skip to next structure */
/* neo comes from the packet, so padcnt is untrusted; it is passed to
 * CHECK_BYTE_COUNT_SUBR below before the bytes are skipped. */
10929 padcnt = (old_offset + neo) - offset;
10932 * XXX - this is bogus; flag it?
10937 CHECK_BYTE_COUNT_SUBR(padcnt);
10938 COUNT_BYTES_SUBR(padcnt);
10946 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
10947 as described in 4.2.14.11
 *
 * Fields, in order: compressed file size (8), compression format (2),
 * unit shift (1), chunk shift (1), cluster shift (1) and 3 reserved
 * bytes.  Each field is preceded by a byte-count check for its width.
10950 dissect_4_2_14_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10951 int offset, guint16 *bcp, gboolean *trunc)
10953 /* compressed file size */
10954 CHECK_BYTE_COUNT_SUBR(8);
10955 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
10956 COUNT_BYTES_SUBR(8);
10958 /* compression format */
10959 CHECK_BYTE_COUNT_SUBR(2);
10960 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
10961 COUNT_BYTES_SUBR(2);
10963 /* compression unit shift */
10964 CHECK_BYTE_COUNT_SUBR(1);
10965 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
10966 COUNT_BYTES_SUBR(1);
10968 /* compression chunk shift */
10969 CHECK_BYTE_COUNT_SUBR(1);
10970 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
10971 COUNT_BYTES_SUBR(1);
10973 /* compression cluster shift */
10974 CHECK_BYTE_COUNT_SUBR(1);
10975 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
10976 COUNT_BYTES_SUBR(1);
10978 /* 3 reserved bytes */
10979 CHECK_BYTE_COUNT_SUBR(3);
10980 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
10981 COUNT_BYTES_SUBR(3);
10989 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION*/
/* Dispatches on si->info_level, taken from pinfo->private_data, to the
 * 4.2.14.x dissectors.  Both the legacy level numbers and the
 * pass-through levels in the 1000 range map to the same decoders.  The
 * three Unix levels (0x0200 to 0x0202) are marked XXX and have no
 * decoder in the lines shown.
 * NOTE(review): the last argument of every call and the break
 * statements are in skipped gutter lines. */
10991 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
10992 int offset, guint16 *bcp)
11001 si = (smb_info_t *)pinfo->private_data;
11002 switch(si->info_level){
11003 case 1: /*Info Standard*/
11004 case 2: /*Info Query EA Size*/
11005 offset = dissect_4_2_14_1(tvb, pinfo, tree, offset, bcp,
11008 case 3: /*Info Query EAs From List*/
11009 case 4: /*Info Query All EAs*/
11010 offset = dissect_4_2_14_2(tvb, pinfo, tree, offset, bcp,
11013 case 6: /*Info Is Name Valid*/
11014 offset = dissect_4_2_14_3(tvb, pinfo, tree, offset, bcp,
11017 case 0x0101: /*Query File Basic Info*/
11018 case 1004: /* SMB_FILE_BASIC_INFORMATION */
11019 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp,
11022 case 0x0102: /*Query File Standard Info*/
11023 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
11024 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp,
11027 case 0x0103: /*Query File EA Info*/
11028 case 1007: /* SMB_FILE_EA_INFORMATION */
11029 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp,
11032 case 0x0104: /*Query File Name Info*/
11033 case 1009: /* SMB_FILE_NAME_INFORMATION */
11034 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
11037 case 0x0107: /*Query File All Info*/
11038 case 1018: /* SMB_FILE_ALL_INFORMATION */
11039 offset = dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp,
11042 case 0x0108: /*Query File Alt File Info*/
11043 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
11044 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
11047 case 1022: /* SMB_FILE_STREAM_INFORMATION */
11048 ((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
/* No break here: after forcing the unicode flag on the shared
 * pinfo->private_data, case 1022 continues into case 0x0109.  The flag
 * is not restored in the lines shown. */
11049 case 0x0109: /*Query File Stream Info*/
11050 offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp,
11053 case 0x010b: /*Query File Compression Info*/
11054 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
11055 offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp,
11058 case 0x0200: /*Set File Unix Basic*/
11059 /* XXX add this from the SNIA doc */
11061 case 0x0201: /*Set File Unix Link*/
11062 /* XXX add this from the SNIA doc */
11064 case 0x0202: /*Set File Unix HardLink*/
11065 /* XXX add this from the SNIA doc */
/* Display strings for the individual quota flag bits.  In each table the
 * first string is shown when the bit is set and the second when it is
 * clear.  The closing lines of the initialisers are in skipped gutter
 * lines.
 * NOTE(review): the set string of tfs_quota_flags_enabled reads
 * ENABLED of this fs; on was probably meant, matching the clear string. */
11073 static const true_false_string tfs_quota_flags_deny_disk = {
11074 "DENY DISK SPACE for users exceeding quota limit",
11075 "Do NOT deny disk space for users exceeding quota limit"
11077 static const true_false_string tfs_quota_flags_log_limit = {
11078 "LOG EVENT when a user exceeds their QUOTA LIMIT",
11079 "Do NOT log event when a user exceeds their quota limit"
11081 static const true_false_string tfs_quota_flags_log_warning = {
11082 "LOG EVENT when a user exceeds their WARNING LEVEL",
11083 "Do NOT log event when a user exceeds their warning level"
11085 static const true_false_string tfs_quota_flags_enabled = {
11086 "Quotas are ENABLED of this fs",
11087 "Quotas are NOT enabled on this fs"
/* Decodes the one-byte quota flags field at offset into a subtree.
 * The summary line prints Enabled for any non-zero mask, and the
 * log-limit, log-warning and deny-disk items are all added from the
 * same byte.
 * When the mask is non-zero but bit 0x01 is clear, a hidden enabled
 * item is added with the value 0x01 instead of the mask.
 * NOTE(review): the condition around the subtree creation, the else
 * branch of the enabled test, and the return type and value are in
 * skipped gutter lines - confirm against the full file. */
11090 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11093 proto_item *item = NULL;
11094 proto_tree *tree = NULL;
11096 mask = tvb_get_guint8(tvb, offset);
11099 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
11100 "Quota Flags: 0x%02x %s", mask,
11101 mask?"Enabled":"Disabled");
11102 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
11105 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
11106 tvb, offset, 1, mask);
11107 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
11108 tvb, offset, 1, mask);
11109 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
11110 tvb, offset, 1, mask);
11112 if(mask && (!(mask&0x01))){
11113 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
11114 tvb, offset, 1, 0x01);
11116 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
11117 tvb, offset, 1, mask);
/* Decodes an NT quota block: 24 unknown bytes, the soft limit (8), the
 * hard limit (8), one byte of quota flags and 7 further unknown bytes.
 * Every field is preceded by CHECK_BYTE_COUNT_TRANS_SUBR for its width.
 * The return value of dissect_quota_flags() is not used here; the flag
 * byte is presumably accounted for by the COUNT_BYTES_TRANS_SUBR(1) that
 * follows - the macro is defined outside this view. */
11123 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
11125 /* first 24 bytes are unknown */
11126 CHECK_BYTE_COUNT_TRANS_SUBR(24);
11127 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11129 COUNT_BYTES_TRANS_SUBR(24);
11131 /* number of bytes for quota warning */
11132 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11133 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
11134 COUNT_BYTES_TRANS_SUBR(8);
11136 /* number of bytes for quota limit */
11137 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11138 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
11139 COUNT_BYTES_TRANS_SUBR(8);
11141 /* one byte of quota flags */
11142 CHECK_BYTE_COUNT_TRANS_SUBR(1);
11143 dissect_quota_flags(tvb, tree, offset);
11144 COUNT_BYTES_TRANS_SUBR(1);
11146 /* these 7 bytes are unknown */
11147 CHECK_BYTE_COUNT_TRANS_SUBR(7);
11148 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11150 COUNT_BYTES_TRANS_SUBR(7);
/* Dissects the data area of a TRANSACTION2 request, selected by subcmd.
 * dc is the data count the caller read from the request; it arrives by
 * value, and the helpers are given a pointer to this local copy so they
 * can consume it as they decode.
 * Only TRANS2_SET_QUOTA, TRANS2_SET_PATH_INFORMATION,
 * TRANS2_SET_FILE_INFORMATION and TRANS2_REPORT_DFS_INCONSISTENCY have a
 * decoder; the other sub-commands are marked as unknown or as carrying
 * no data.  Bytes still counted in dc at the end are added as one
 * unknown item.
 * NOTE(review): the switch header, the break statements and the
 * condition guarding the final unknown item are in skipped gutter
 * lines - confirm against the full file. */
11156 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
11157 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
11159 proto_item *item = NULL;
11160 proto_tree *tree = NULL;
11163 si = (smb_info_t *)pinfo->private_data;
11166 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11168 val_to_str(subcmd, trans2_cmd_vals,
11169 "Unknown (0x%02x)"));
11170 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11174 case 0x00: /*TRANS2_OPEN2*/
11175 /* XXX dont know how to decode FEAList */
11177 case 0x01: /*TRANS2_FIND_FIRST2*/
11178 /* XXX dont know how to decode FEAList */
11180 case 0x02: /*TRANS2_FIND_NEXT2*/
11181 /* XXX dont know how to decode FEAList */
11183 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11184 /* no data field in this request */
11186 case 0x04: /* TRANS2_SET_QUOTA */
11187 offset = dissect_nt_quota(tvb, tree, offset, &dc);
11189 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11190 /* no data field in this request */
11192 * XXX - "Microsoft Networks SMB File Sharing Protocol
11193 * Extensions Version 3.0, Document Version 1.11,
11194 * July 19, 1990" says there may be "Additional
11195 * FileInfoLevel dependent information" here.
11197 * Was that just a cut-and-pasteo?
11198 * TRANS2_SET_PATH_INFORMATION *does* have that information
11202 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11203 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11205 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11206 /* no data field in this request */
11208 * XXX - "Microsoft Networks SMB File Sharing Protocol
11209 * Extensions Version 3.0, Document Version 1.11,
11210 * July 19, 1990" says there may be "Additional
11211 * FileInfoLevel dependent information" here.
11213 * Was that just a cut-and-pasteo?
11214 * TRANS2_SET_FILE_INFORMATION *does* have that information
11218 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11219 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11221 case 0x09: /*TRANS2_FSCTL*/
11222 /*XXX dont know how to decode this yet */
11225 * XXX - "Microsoft Networks SMB File Sharing Protocol
11226 * Extensions Version 3.0, Document Version 1.11,
11227 * July 19, 1990" says this this contains a
11228 * "File system specific data block". (That means we
11229 * may not be able to dissect it in any case.)
11232 case 0x0a: /*TRANS2_IOCTL2*/
11233 /*XXX dont know how to decode this yet */
11236 * XXX - "Microsoft Networks SMB File Sharing Protocol
11237 * Extensions Version 3.0, Document Version 1.11,
11238 * July 19, 1990" says this this contains a
11239 * "Device/function specific data block". (That
11240 * means we may not be able to dissect it in any case.)
11243 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11244 /*XXX dont know how to decode this yet */
11247 * XXX - "Microsoft Networks SMB File Sharing Protocol
11248 * Extensions Version 3.0, Document Version 1.11,
11249 * July 19, 1990" says this this contains "additional
11250 * level dependent match data".
11253 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11254 /*XXX dont know how to decode this yet */
11257 * XXX - "Microsoft Networks SMB File Sharing Protocol
11258 * Extensions Version 3.0, Document Version 1.11,
11259 * July 19, 1990" says this this contains "additional
11260 * level dependent monitor information".
11263 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11264 /* XXX optional FEAList, unknown what FEAList looks like*/
11266 case 0x0e: /*TRANS2_SESSION_SETUP*/
11267 /*XXX dont know how to decode this yet */
11269 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11270 /* no data field in this request */
11272 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11273 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
11277 /* ooops there were data we didnt know how to process */
11279 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/* Fallback display for a TRANSACTION that no sub-dissector claimed:
 * lists the setup words two bytes at a time, then shows the parameter
 * and data tvbuffs through tvb_bytes_to_str().  A NULL tvbuff is
 * skipped.
 * All three lengths come from tvb_reported_length(), that is, the
 * length claimed on the wire.  NOTE(review): when fewer bytes were
 * captured than reported, the reads presumably end in the usual tvbuff
 * bounds exception rather than reading past the buffer - confirm.
 * The rest of the parameter list and the conditions between the length
 * assignment and each add are in skipped gutter lines. */
11288 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
11296 * Show the setup words.
11298 if (s_tvb != NULL) {
11299 length = tvb_reported_length(s_tvb);
11300 for (i = 0, offset = 0; length >= 2;
11301 i++, offset += 2, length -= 2) {
11303 * XXX - add a setup word filterable field?
11305 proto_tree_add_text(tree, s_tvb, offset, 2,
11306 "Setup Word %d: 0x%04x", i,
11307 tvb_get_letohs(s_tvb, offset));
11312 * Show the parameters, if any.
11314 if (p_tvb != NULL) {
11315 length = tvb_reported_length(p_tvb);
11317 proto_tree_add_text(tree, p_tvb, 0, length,
11319 tvb_bytes_to_str(p_tvb, 0, length));
11324 * Show the data, if any.
11326 if (d_tvb != NULL) {
11327 length = tvb_reported_length(d_tvb);
11329 proto_tree_add_text(tree, d_tvb, 0, length,
11330 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
11335 /* This routine handles the following 4 calls
11337 Transaction Secondary 0x26
11339 Transaction2 Secondary 0x33
 *
 * Layout handled below: the word parameters (total and per-message
 * counts, offsets and displacements for the parameter and data areas),
 * the setup words, the transaction name (TRANSACTION only), and then
 * the parameter and data areas themselves.
 *
 * Review notes for anyone auditing this parser:
 * - pc, po, pd, dc, od, dd and sc are read straight from the packet and
 *   are untrusted.  po and od are offsets into tvb, and the padding
 *   lengths are computed as po-offset and od-offset.
 * - The sub-tvbuffs for parameters, data and setup words limit the
 *   captured length to tvb_length_remaining() while keeping the claimed
 *   count as the reported length.
 * - an is compared with strncmp() against the PIPE and MAILSLOT
 *   prefixes, and tri is dereferenced in both branches.
 *   NOTE(review): an starts out NULL and the remark about
 *   unidirectional messages says no smb_transact_info_t is allocated
 *   for them; any NULL guards for an and tri fall in skipped gutter
 *   lines - confirm against the full file.
 * - si->tid is cast to a pointer and used as the key into
 *   si->ct->tid_service; an existing entry is removed and TID_IPC is
 *   inserted for named-pipe transactions.
 * NOTE(review): this listing skips many source lines (see the gaps in
 * the gutter numbers), including the word count test, the padding
 * conditions and several closing braces.
11342 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
11349 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
11353 const char *an = NULL;
11355 smb_transact2_info_t *t2i;
11356 smb_transact_info_t *tri;
11359 gboolean dissected_trans;
11361 si = (smb_info_t *)pinfo->private_data;
11366 /*secondary client request*/
11368 /* total param count, only a 16bit integer here*/
11369 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11372 /* total data count , only 16bit integer here*/
11373 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11377 pc = tvb_get_letohs(tvb, offset);
11378 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11382 po = tvb_get_letohs(tvb, offset);
11383 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11387 pd = tvb_get_letohs(tvb, offset);
11388 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11392 dc = tvb_get_letohs(tvb, offset);
11393 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11397 od = tvb_get_letohs(tvb, offset);
11398 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11402 dd = tvb_get_letohs(tvb, offset);
11403 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11406 if(si->cmd==SMB_COM_TRANSACTION2){
11410 fid = tvb_get_letohs(tvb, offset);
11411 add_fid(tvb, pinfo, tree, offset, 2, fid);
11416 /* There are no setup words. */
11421 /* it is not a secondary request */
11423 /* total param count , only a 16 bit integer here*/
11424 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11427 /* total data count , only 16bit integer here*/
11428 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11431 /* max param count , only 16bit integer here*/
11432 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11435 /* max data count, only 16bit integer here*/
11436 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11439 /* max setup count, a single byte here */
11440 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11443 /* reserved byte */
11444 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11447 /* transaction flags */
11448 tf = dissect_transaction_flags(tvb, tree, offset);
11452 to = tvb_get_letohl(tvb, offset);
11454 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
11455 else if (to == 0xffffffff)
11456 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
11458 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
11461 /* 2 reserved bytes */
11462 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11466 pc = tvb_get_letohs(tvb, offset);
11467 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11471 po = tvb_get_letohs(tvb, offset);
11472 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11475 /* param displacement is zero here */
11479 dc = tvb_get_letohs(tvb, offset);
11480 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11484 od = tvb_get_letohs(tvb, offset);
11485 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11488 /* data displacement is zero here */
11492 sc = tvb_get_guint8(tvb, offset);
11493 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11496 /* reserved byte */
11497 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11500 /* this is where the setup bytes, if any start */
11504 /* if there were any setup bytes, decode them */
11508 case SMB_COM_TRANSACTION2:
11509 /* TRANSACTION2 only has one setup word and
11510 that is the subcommand code.
11512 XXX - except for TRANS2_FSCTL
11513 and TRANS2_IOCTL. */
11514 subcmd = tvb_get_letohs(tvb, offset);
11515 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
11516 tvb, offset, 2, subcmd);
11517 if (check_col(pinfo->cinfo, COL_INFO)) {
11518 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11519 val_to_str(subcmd, trans2_cmd_vals,
11520 "Unknown (0x%02x)"));
11523 if(!pinfo->fd->flags.visited){
11526 * smb_transact2_info_t
11529 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
11530 t2i->subcmd = subcmd;
11531 t2i->info_level = -1;
11532 t2i->resume_keys = FALSE;
11533 si->sip->extra_info = t2i;
11538 * XXX - process TRANS2_FSCTL and
11539 * TRANS2_IOCTL setup words here.
11543 case SMB_COM_TRANSACTION:
11544 /* TRANSACTION setup words processed below */
11555 /* primary request */
11556 /* name is NULL if transaction2 */
11557 if(si->cmd == SMB_COM_TRANSACTION){
11558 /* Transaction Name */
11559 an = get_unicode_or_ascii_string(tvb, &offset,
11560 si->unicode, &an_len, FALSE, FALSE, &bc);
11563 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
11564 offset, an_len, an);
11565 COUNT_BYTES(an_len);
11570 * The pipe or mailslot arguments for Transaction start with
11571 * the first setup word (or where the first setup word would
11572 * be if there were any setup words), and run to the current
11573 * offset (which could mean that there aren't any).
11576 spc = offset - spo;
11580 /* We have some initial padding bytes.
11582 padcnt = po-offset;
11585 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11586 COUNT_BYTES(padcnt);
11589 CHECK_BYTE_COUNT(pc);
11592 case SMB_COM_TRANSACTION2:
11593 /* TRANSACTION2 parameters*/
11594 offset = dissect_transaction2_request_parameters(tvb,
11595 pinfo, tree, offset, subcmd, pc);
11599 case SMB_COM_TRANSACTION:
11600 /* TRANSACTION parameters processed below */
11608 /* We have some initial padding bytes.
11610 padcnt = od-offset;
11613 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11614 COUNT_BYTES(padcnt);
11617 CHECK_BYTE_COUNT(dc);
11620 case SMB_COM_TRANSACTION2:
11621 /* TRANSACTION2 data*/
11622 offset = dissect_transaction2_request_data(tvb, pinfo,
11623 tree, offset, subcmd, dc);
11627 case SMB_COM_TRANSACTION:
11628 /* TRANSACTION data processed below */
11634 /*TRANSACTION request parameters */
11635 if(si->cmd==SMB_COM_TRANSACTION){
11636 /*XXX replace this block with a function and use that one
11637 for both requests/responses*/
11639 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
11640 tvbuff_t *sp_tvb, *pd_tvb;
11643 if(pc>tvb_length_remaining(tvb, po)){
11644 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
11646 p_tvb = tvb_new_subset(tvb, po, pc, pc);
11652 if(dc>tvb_length_remaining(tvb, od)){
11653 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
11655 d_tvb = tvb_new_subset(tvb, od, dc, dc);
11661 if(sl>tvb_length_remaining(tvb, so)){
11662 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
11664 s_tvb = tvb_new_subset(tvb, so, sl, sl);
11671 if(!pinfo->fd->flags.visited){
11673 * Allocate a new smb_transact_info_t
11676 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
11678 tri->trans_subcmd = -1;
11679 tri->function = -1;
11681 tri->lanman_cmd = 0;
11682 tri->param_descrip = NULL;
11683 tri->data_descrip = NULL;
11684 tri->aux_data_descrip = NULL;
11685 tri->info_level = -1;
11686 si->sip->extra_info = tri;
11689 * We already filled the structure
11690 * in; don't bother doing so again.
11696 * This is a unidirectional message, for
11697 * which there will be no reply; don't
11698 * bother allocating an "smb_transact_info_t"
11699 * structure for it.
11703 dissected_trans = FALSE;
11704 if(strncmp("\\PIPE\\", an, 6) == 0){
11706 tri->subcmd=TRANSACTION_PIPE;
11709 * A tvbuff containing the setup words and
11712 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11715 * A tvbuff containing the parameters and the
11718 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
11720 dissected_trans = dissect_pipe_smb(sp_tvb,
11721 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
11724 /* In case we did not see the TreeConnect call,
11725 store this TID here as well as a IPC TID
11726 so we know that future Read/Writes to this
11727 TID is (probably) DCERPC.
11729 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
11730 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
11732 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
11733 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
11735 tri->subcmd=TRANSACTION_MAILSLOT;
11738 * A tvbuff containing the setup words and
11739 * the mailslot path.
11741 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11742 dissected_trans = dissect_mailslot_smb(sp_tvb,
11743 s_tvb, d_tvb, an+10, pinfo, top_tree);
11745 if (!dissected_trans)
11746 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
11748 if(check_col(pinfo->cinfo, COL_INFO)){
11749 col_append_str(pinfo->cinfo, COL_INFO,
11750 "[transact continuation]");
/*
 * Dissect one file entry of a FIND_FIRST2/FIND_NEXT2 response;
 * dissect_ff2_response_data() dispatches info level 1 ("Info Standard") here.
 *
 * Every field is read from the captured packet (tvb) and is therefore
 * untrusted.  *bcp is the caller's remaining byte count (a guint16) and
 * *trunc its truncation flag; both are presumably maintained by the
 * CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR / CHECK_STRING_SUBR macros, which
 * are defined outside this listing - TODO confirm.
 *
 * NOTE(review): the gutter numbers skip, so some lines of this function
 * (declarations, branch conditions, the return) are not shown here.
 */
11763 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11764 int offset, guint16 *bcp, gboolean *trunc)
11768 int old_offset = offset;
11769 proto_item *item = NULL;
11770 proto_tree *tree = NULL;
11772 smb_transact2_info_t *t2i;
11773 gboolean resume_keys = FALSE;
/* Per-request state saved for the matching request, if any, tells us
 * whether a resume key is expected in front of the entry. */
11775 si = (smb_info_t *)pinfo->private_data;
11776 if (si->sip != NULL) {
11777 t2i = si->sip->extra_info;
11779 resume_keys = t2i->resume_keys;
/* The item initially spans all of *bcp; its length is corrected at the end
 * once the real entry size is known. */
11783 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11784 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11785 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11790 CHECK_BYTE_COUNT_SUBR(4);
11791 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11792 COUNT_BYTES_SUBR(4);
11796 CHECK_BYTE_COUNT_SUBR(4);
11797 offset = dissect_smb_datetime(tvb, tree, offset,
11798 hf_smb_create_time,
11799 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11803 CHECK_BYTE_COUNT_SUBR(4);
11804 offset = dissect_smb_datetime(tvb, tree, offset,
11805 hf_smb_access_time,
11806 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11809 /* last write time */
11810 CHECK_BYTE_COUNT_SUBR(4);
11811 offset = dissect_smb_datetime(tvb, tree, offset,
11812 hf_smb_last_write_time,
11813 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11817 CHECK_BYTE_COUNT_SUBR(4);
11818 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11819 COUNT_BYTES_SUBR(4);
11821 /* allocation size */
11822 CHECK_BYTE_COUNT_SUBR(4);
11823 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11824 COUNT_BYTES_SUBR(4);
11826 /* File Attributes */
11827 CHECK_BYTE_COUNT_SUBR(2);
11828 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* The name length is a single byte from the packet; it is enlarged below to
 * cover the terminator (the condition choosing +2 or +1 is not shown). */
11831 /* file name len */
11832 CHECK_BYTE_COUNT_SUBR(1);
11833 fn_len = tvb_get_guint8(tvb, offset);
11834 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11835 COUNT_BYTES_SUBR(1);
11837 fn_len += 2; /* include terminating '\0' */
11839 fn_len++; /* include terminating '\0' */
/* NOTE(review): fn_len is passed by pointer and then used for
 * COUNT_BYTES_SUBR with no CHECK_BYTE_COUNT_SUBR(fn_len) in between;
 * presumably get_unicode_or_ascii_string() limits it to *bcp - confirm. */
11842 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11843 CHECK_STRING_SUBR(fn);
11844 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11846 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name is only ever passed as a "%s" argument, never as
 * the format string itself. */
11848 if (check_col(pinfo->cinfo, COL_INFO)) {
11849 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11853 proto_item_append_text(item, " File: %s", fn);
11854 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one file entry of a FIND_FIRST2/FIND_NEXT2 response;
 * dissect_ff2_response_data() dispatches info levels 2 ("Info Query EA
 * Size") and 3 here.  The layout shown matches dissect_4_3_4_1 plus a
 * 4-byte EA size in front of the file name length.
 *
 * All fields come from the captured packet and are untrusted.  *bcp is the
 * caller's remaining byte count (guint16); the CHECK_/COUNT_ macros that
 * presumably guard and update it are defined outside this listing - TODO
 * confirm.
 *
 * NOTE(review): the gutter numbers skip, so some lines of this function
 * (declarations, branch conditions, the return) are not shown here.
 */
11861 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11862 int offset, guint16 *bcp, gboolean *trunc)
11866 int old_offset = offset;
11867 proto_item *item = NULL;
11868 proto_tree *tree = NULL;
11870 smb_transact2_info_t *t2i;
11871 gboolean resume_keys = FALSE;
/* Saved request state, when present, says whether a resume key is expected. */
11873 si = (smb_info_t *)pinfo->private_data;
11874 if (si->sip != NULL) {
11875 t2i = si->sip->extra_info;
11877 resume_keys = t2i->resume_keys;
/* Item length starts as *bcp and is corrected once the entry size is known. */
11881 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11882 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11883 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11888 CHECK_BYTE_COUNT_SUBR(4);
11889 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11890 COUNT_BYTES_SUBR(4);
11894 CHECK_BYTE_COUNT_SUBR(4);
11895 offset = dissect_smb_datetime(tvb, tree, offset,
11896 hf_smb_create_time,
11897 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11901 CHECK_BYTE_COUNT_SUBR(4);
11902 offset = dissect_smb_datetime(tvb, tree, offset,
11903 hf_smb_access_time,
11904 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11907 /* last write time */
11908 CHECK_BYTE_COUNT_SUBR(4);
11909 offset = dissect_smb_datetime(tvb, tree, offset,
11910 hf_smb_last_write_time,
11911 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11915 CHECK_BYTE_COUNT_SUBR(4);
11916 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11917 COUNT_BYTES_SUBR(4);
11919 /* allocation size */
11920 CHECK_BYTE_COUNT_SUBR(4);
11921 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11922 COUNT_BYTES_SUBR(4);
11924 /* File Attributes */
11925 CHECK_BYTE_COUNT_SUBR(2);
11926 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* EA size: the field that distinguishes this layout from dissect_4_3_4_1. */
11930 CHECK_BYTE_COUNT_SUBR(4);
11931 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
11932 COUNT_BYTES_SUBR(4);
/* One-byte name length from the packet, enlarged below for the terminator
 * (the condition choosing +2 or +1 is not shown). */
11934 /* file name len */
11935 CHECK_BYTE_COUNT_SUBR(1);
11936 fn_len = tvb_get_guint8(tvb, offset);
11937 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11938 COUNT_BYTES_SUBR(1);
11940 fn_len += 2; /* include terminating '\0' */
11942 fn_len++; /* include terminating '\0' */
/* NOTE(review): no CHECK_BYTE_COUNT_SUBR(fn_len) precedes
 * COUNT_BYTES_SUBR(fn_len); presumably get_unicode_or_ascii_string()
 * limits fn_len to *bcp - confirm. */
11945 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11946 CHECK_STRING_SUBR(fn);
11947 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11949 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name is passed only as a "%s" argument. */
11951 if (check_col(pinfo->cinfo, COL_INFO)) {
11952 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11956 proto_item_append_text(item, " File: %s", fn);
11957 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one file entry of a FIND_FIRST2/FIND_NEXT2 response;
 * dissect_ff2_response_data() dispatches info level 0x0101 ("Find File
 * Directory Info") here.  Entries of this level carry a "next entry offset"
 * that is used at the end to skip padding up to the following entry.
 *
 * All fields come from the captured packet and are untrusted.  *bcp is the
 * caller's remaining byte count (guint16); the CHECK_/COUNT_ macros that
 * presumably guard and update it are defined outside this listing - TODO
 * confirm.
 *
 * NOTE(review): the gutter numbers skip, so some lines of this function
 * (declarations, branch conditions, the return) are not shown here.
 */
11964 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11965 int offset, guint16 *bcp, gboolean *trunc)
11969 int old_offset = offset;
11970 proto_item *item = NULL;
11971 proto_tree *tree = NULL;
11976 si = (smb_info_t *)pinfo->private_data;
/* Item length starts as *bcp and is corrected once the entry size is known. */
11979 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11980 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11981 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11985 * We assume that the presence of a next entry offset implies the
11986 * absence of a resume key, as appears to be the case for 4.3.4.6.
11989 /* next entry offset */
11990 CHECK_BYTE_COUNT_SUBR(4);
11991 neo = tvb_get_letohl(tvb, offset);
11992 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11993 COUNT_BYTES_SUBR(4);
11996 CHECK_BYTE_COUNT_SUBR(4);
11997 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11998 COUNT_BYTES_SUBR(4);
12001 CHECK_BYTE_COUNT_SUBR(8);
12002 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12006 CHECK_BYTE_COUNT_SUBR(8);
12007 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12010 /* last write time */
12011 CHECK_BYTE_COUNT_SUBR(8);
12012 offset = dissect_smb_64bit_time(tvb, tree, offset,
12013 hf_smb_last_write_time);
12016 /* last change time */
12017 CHECK_BYTE_COUNT_SUBR(8);
12018 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12022 CHECK_BYTE_COUNT_SUBR(8);
12023 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12024 COUNT_BYTES_SUBR(8);
12026 /* allocation size */
12027 CHECK_BYTE_COUNT_SUBR(8);
12028 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12029 COUNT_BYTES_SUBR(8);
12031 /* Extended File Attributes */
12032 CHECK_BYTE_COUNT_SUBR(4);
12033 offset = dissect_file_ext_attr(tvb, tree, offset);
/* The name length is a full 32-bit value from the packet stored in fn_len;
 * NOTE(review): no CHECK_BYTE_COUNT_SUBR(fn_len) precedes
 * COUNT_BYTES_SUBR(fn_len) below - presumably the string helper limits
 * fn_len to *bcp; confirm, including for values that are negative as int. */
12036 /* file name len */
12037 CHECK_BYTE_COUNT_SUBR(4);
12038 fn_len = tvb_get_letohl(tvb, offset);
12039 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12040 COUNT_BYTES_SUBR(4);
12043 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12044 CHECK_STRING_SUBR(fn);
12045 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12047 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name is passed only as a "%s" argument. */
12049 if (check_col(pinfo->cinfo, COL_INFO)) {
12050 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12054 /* skip to next structure */
/* NOTE(review): neo is taken from the packet, so old_offset + neo may
 * overflow or fall before the current offset.  The lines that validate
 * padcnt ahead of the CHECK/COUNT pair are not shown in this listing (only
 * the "this is bogus" remark survives) - confirm that negative and
 * oversized values are rejected. */
12056 padcnt = (old_offset + neo) - offset;
12059 * XXX - this is bogus; flag it?
12064 CHECK_BYTE_COUNT_SUBR(padcnt);
12065 COUNT_BYTES_SUBR(padcnt);
12069 proto_item_append_text(item, " File: %s", fn);
12070 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one file entry of a FIND_FIRST2/FIND_NEXT2 response;
 * dissect_ff2_response_data() dispatches info level 0x0102 ("Find File Full
 * Directory Info") here.  The layout shown matches dissect_4_3_4_4 plus a
 * 4-byte EA size between the file name length and the file name.
 *
 * All fields come from the captured packet and are untrusted.  *bcp is the
 * caller's remaining byte count (guint16); the CHECK_/COUNT_ macros that
 * presumably guard and update it are defined outside this listing - TODO
 * confirm.
 *
 * NOTE(review): the gutter numbers skip, so some lines of this function
 * (declarations, branch conditions, the return) are not shown here.
 */
12077 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12078 int offset, guint16 *bcp, gboolean *trunc)
12082 int old_offset = offset;
12083 proto_item *item = NULL;
12084 proto_tree *tree = NULL;
12089 si = (smb_info_t *)pinfo->private_data;
/* Item length starts as *bcp and is corrected once the entry size is known. */
12092 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12093 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12094 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12098 * We assume that the presence of a next entry offset implies the
12099 * absence of a resume key, as appears to be the case for 4.3.4.6.
12102 /* next entry offset */
12103 CHECK_BYTE_COUNT_SUBR(4);
12104 neo = tvb_get_letohl(tvb, offset);
12105 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12106 COUNT_BYTES_SUBR(4);
12109 CHECK_BYTE_COUNT_SUBR(4);
12110 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12111 COUNT_BYTES_SUBR(4);
12114 CHECK_BYTE_COUNT_SUBR(8);
12115 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12119 CHECK_BYTE_COUNT_SUBR(8);
12120 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12123 /* last write time */
12124 CHECK_BYTE_COUNT_SUBR(8);
12125 offset = dissect_smb_64bit_time(tvb, tree, offset,
12126 hf_smb_last_write_time);
12129 /* last change time */
12130 CHECK_BYTE_COUNT_SUBR(8);
12131 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12135 CHECK_BYTE_COUNT_SUBR(8);
12136 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12137 COUNT_BYTES_SUBR(8);
12139 /* allocation size */
12140 CHECK_BYTE_COUNT_SUBR(8);
12141 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12142 COUNT_BYTES_SUBR(8);
12144 /* Extended File Attributes */
12145 CHECK_BYTE_COUNT_SUBR(4);
12146 offset = dissect_file_ext_attr(tvb, tree, offset);
/* The name length is a full 32-bit value from the packet stored in fn_len;
 * NOTE(review): no CHECK_BYTE_COUNT_SUBR(fn_len) precedes
 * COUNT_BYTES_SUBR(fn_len) below - presumably the string helper limits
 * fn_len to *bcp; confirm, including for values that are negative as int. */
12149 /* file name len */
12150 CHECK_BYTE_COUNT_SUBR(4);
12151 fn_len = tvb_get_letohl(tvb, offset);
12152 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12153 COUNT_BYTES_SUBR(4);
12156 CHECK_BYTE_COUNT_SUBR(4);
12157 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
12158 COUNT_BYTES_SUBR(4);
12161 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12162 CHECK_STRING_SUBR(fn);
12163 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12165 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name is passed only as a "%s" argument. */
12167 if (check_col(pinfo->cinfo, COL_INFO)) {
12168 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12172 /* skip to next structure */
/* NOTE(review): neo is taken from the packet, so old_offset + neo may
 * overflow or fall before the current offset.  The lines that validate
 * padcnt ahead of the CHECK/COUNT pair are not shown in this listing (only
 * the "this is bogus" remark survives) - confirm that negative and
 * oversized values are rejected. */
12174 padcnt = (old_offset + neo) - offset;
12177 * XXX - this is bogus; flag it?
12182 CHECK_BYTE_COUNT_SUBR(padcnt);
12183 COUNT_BYTES_SUBR(padcnt);
12187 proto_item_append_text(item, " File: %s", fn);
12188 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one file entry of a FIND_FIRST2/FIND_NEXT2 response;
 * dissect_ff2_response_data() dispatches info level 0x0104 ("Find File Both
 * Directory Info") here.  Besides the fields of dissect_4_3_4_5 the entry
 * carries a short file name (length byte, reserved byte, 24-byte field).
 *
 * All fields come from the captured packet and are untrusted.  *bcp is the
 * caller's remaining byte count (guint16); the CHECK_/COUNT_ macros that
 * presumably guard and update it are defined outside this listing - TODO
 * confirm.
 *
 * NOTE(review): the gutter numbers skip, so some lines of this function
 * (declarations, branch conditions, the return) are not shown here.
 */
12195 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12196 int offset, guint16 *bcp, gboolean *trunc)
12198 int fn_len, sfn_len;
12199 const char *fn, *sfn;
12200 int old_offset = offset;
12201 proto_item *item = NULL;
12202 proto_tree *tree = NULL;
12207 si = (smb_info_t *)pinfo->private_data;
/* Item length starts as *bcp and is corrected once the entry size is known. */
12210 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12211 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12212 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12216 * XXX - I have not seen any of these that contain a resume
12217 * key, even though some of the requests had the "return resume
12221 /* next entry offset */
12222 CHECK_BYTE_COUNT_SUBR(4);
12223 neo = tvb_get_letohl(tvb, offset);
12224 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12225 COUNT_BYTES_SUBR(4);
12228 CHECK_BYTE_COUNT_SUBR(4);
12229 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12230 COUNT_BYTES_SUBR(4);
12233 CHECK_BYTE_COUNT_SUBR(8);
12234 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12238 CHECK_BYTE_COUNT_SUBR(8);
12239 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12242 /* last write time */
12243 CHECK_BYTE_COUNT_SUBR(8);
12244 offset = dissect_smb_64bit_time(tvb, tree, offset,
12245 hf_smb_last_write_time);
12248 /* last change time */
12249 CHECK_BYTE_COUNT_SUBR(8);
12250 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12254 CHECK_BYTE_COUNT_SUBR(8);
12255 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12256 COUNT_BYTES_SUBR(8);
12258 /* allocation size */
12259 CHECK_BYTE_COUNT_SUBR(8);
12260 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12261 COUNT_BYTES_SUBR(8);
12263 /* Extended File Attributes */
12264 CHECK_BYTE_COUNT_SUBR(4);
12265 offset = dissect_file_ext_attr(tvb, tree, offset);
/* The name length is a full 32-bit value from the packet stored in the int
 * fn_len; it is consumed further down, after the short name. */
12268 /* file name len */
12269 CHECK_BYTE_COUNT_SUBR(4);
12270 fn_len = tvb_get_letohl(tvb, offset);
12271 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12272 COUNT_BYTES_SUBR(4);
12275 CHECK_BYTE_COUNT_SUBR(4);
12276 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
12277 COUNT_BYTES_SUBR(4);
12279 /* short file name len */
12280 CHECK_BYTE_COUNT_SUBR(1);
12281 sfn_len = tvb_get_guint8(tvb, offset);
12282 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
12283 COUNT_BYTES_SUBR(1);
12285 /* reserved byte */
12286 CHECK_BYTE_COUNT_SUBR(1);
12287 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12288 COUNT_BYTES_SUBR(1);
12290 /* short file name */
/* NOTE(review): the short name is displayed and counted as a fixed 24-byte
 * field, but no CHECK_BYTE_COUNT_SUBR(24) precedes COUNT_BYTES_SUBR(24); if
 * that macro subtracts from the guint16 *bcp, fewer than 24 remaining bytes
 * would wrap the count and defeat the later checks.  sfn_len (one byte from
 * the packet, so up to 255) is also not compared with 24 here - confirm the
 * string helper bounds it. */
12291 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
12292 CHECK_STRING_SUBR(sfn);
12293 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
12295 COUNT_BYTES_SUBR(24);
/* NOTE(review): as with the short name, no CHECK_BYTE_COUNT_SUBR(fn_len)
 * precedes COUNT_BYTES_SUBR(fn_len); presumably the string helper limits
 * fn_len to *bcp - confirm. */
12298 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12299 CHECK_STRING_SUBR(fn);
12300 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12302 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name is passed only as a "%s" argument. */
12304 if (check_col(pinfo->cinfo, COL_INFO)) {
12305 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12309 /* skip to next structure */
/* NOTE(review): neo is taken from the packet, so old_offset + neo may
 * overflow or fall before the current offset.  The lines that validate
 * padcnt ahead of the CHECK/COUNT pair are not shown in this listing (only
 * the "this is bogus" remark survives) - confirm that negative and
 * oversized values are rejected. */
12311 padcnt = (old_offset + neo) - offset;
12314 * XXX - this is bogus; flag it?
12319 CHECK_BYTE_COUNT_SUBR(padcnt);
12320 COUNT_BYTES_SUBR(padcnt);
12324 proto_item_append_text(item, " File: %s", fn);
12325 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one file entry of a FIND_FIRST2/FIND_NEXT2 response;
 * dissect_ff2_response_data() dispatches info level 0x0103 ("Find File
 * Names Info") here.  The entry shown holds only the next entry offset, the
 * file index, the file name length and the file name.
 *
 * All fields come from the captured packet and are untrusted.  *bcp is the
 * caller's remaining byte count (guint16); the CHECK_/COUNT_ macros that
 * presumably guard and update it are defined outside this listing - TODO
 * confirm.
 *
 * NOTE(review): the gutter numbers skip, so some lines of this function
 * (declarations, branch conditions, the return) are not shown here.
 */
12332 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12333 int offset, guint16 *bcp, gboolean *trunc)
12337 int old_offset = offset;
12338 proto_item *item = NULL;
12339 proto_tree *tree = NULL;
12344 si = (smb_info_t *)pinfo->private_data;
/* Item length starts as *bcp and is corrected once the entry size is known. */
12347 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12348 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12349 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12353 * We assume that the presence of a next entry offset implies the
12354 * absence of a resume key, as appears to be the case for 4.3.4.6.
12357 /* next entry offset */
12358 CHECK_BYTE_COUNT_SUBR(4);
12359 neo = tvb_get_letohl(tvb, offset);
12360 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12361 COUNT_BYTES_SUBR(4);
12364 CHECK_BYTE_COUNT_SUBR(4);
12365 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12366 COUNT_BYTES_SUBR(4);
/* The name length is a full 32-bit value from the packet stored in fn_len;
 * NOTE(review): no CHECK_BYTE_COUNT_SUBR(fn_len) precedes
 * COUNT_BYTES_SUBR(fn_len) below - presumably the string helper limits
 * fn_len to *bcp; confirm, including for values that are negative as int. */
12368 /* file name len */
12369 CHECK_BYTE_COUNT_SUBR(4);
12370 fn_len = tvb_get_letohl(tvb, offset);
12371 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12372 COUNT_BYTES_SUBR(4);
12375 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12376 CHECK_STRING_SUBR(fn);
12377 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12379 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name is passed only as a "%s" argument. */
12381 if (check_col(pinfo->cinfo, COL_INFO)) {
12382 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12386 /* skip to next structure */
/* NOTE(review): neo is taken from the packet, so old_offset + neo may
 * overflow or fall before the current offset.  The lines that validate
 * padcnt ahead of the CHECK/COUNT pair are not shown in this listing (only
 * the "this is bogus" remark survives) - confirm that negative and
 * oversized values are rejected. */
12388 padcnt = (old_offset + neo) - offset;
12391 * XXX - this is bogus; flag it?
12396 CHECK_BYTE_COUNT_SUBR(padcnt);
12397 COUNT_BYTES_SUBR(padcnt);
12401 proto_item_append_text(item, " File: %s", fn);
12402 proto_item_set_len(item, offset-old_offset);
/*
 * Placeholder for FIND_FIRST2/FIND_NEXT2 info level 0x0202 ("Find File
 * UNIX"), which dissect_ff2_response_data() dispatches here.  tvb, pinfo
 * and parent_tree are marked _U_ (unused); only offset and bcp are named
 * without it.
 *
 * NOTE(review): the body is not shown in this listing, so what happens to
 * offset and *bcp for this level cannot be told from here - confirm the
 * remaining bytes are consumed so the caller does not spin on this entry.
 */
12409 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
12410 proto_tree *parent_tree _U_, int offset, guint16 *bcp,
12413 /*XXX im lazy. i havnt implemented this */
12420 /*dissect the data block for TRANS2_FIND_FIRST2*/
/*
 * Dispatches one response entry to the dissector for si->info_level and
 * returns the offset that dissector hands back (the TRANS2_FIND_NEXT2 case
 * of dissect_transaction2_response_data calls this routine as well).
 * bcp and trunc are passed through unchanged to the per-level routine.
 *
 * NOTE(review): info_level is per-conversation state, not validated here;
 * what the default branch does for an unknown level is not shown in this
 * listing - confirm it consumes the remaining bytes.
 */
12422 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
12423 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
12431 si = (smb_info_t *)pinfo->private_data;
12432 switch(si->info_level){
12433 case 1: /*Info Standard*/
12434 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
12437 case 2: /*Info Query EA Size*/
12438 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12441 case 3: /*Info Query EAs From List same as
12443 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12446 case 0x0101: /*Find File Directory Info*/
12447 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
12450 case 0x0102: /*Find File Full Directory Info*/
12451 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
12454 case 0x0103: /*Find File Names Info*/
12455 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
12458 case 0x0104: /*Find File Both Directory Info*/
12459 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
12462 case 0x0202: /*Find File UNIX*/
12463 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
12466 default: /* unknown info level */
/*
 * Show the 4-byte little-endian "FS Attributes" word at offset: one text
 * item with the raw mask in hex, and under it one boolean item per
 * hf_smb_fs_attr_* field, each covering the same 4 bytes.
 *
 * No byte-count check is made here; the caller visible in this listing
 * (dissect_qfsi_vals) runs CHECK_BYTE_COUNT_TRANS_SUBR(4) first.
 * NOTE(review): the declaration of mask, any parent_tree guard and the
 * return are not shown in this listing.
 */
12475 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12478 proto_item *item = NULL;
12479 proto_tree *tree = NULL;
12481 mask = tvb_get_letohl(tvb, offset);
12484 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12485 "FS Attributes: 0x%08x", mask);
12486 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
/* Each field receives the whole mask; which bit it displays is decided by
 * the field's registration, which is outside this listing. */
12489 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
12490 tvb, offset, 4, mask);
12491 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
12492 tvb, offset, 4, mask);
12493 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
12494 tvb, offset, 4, mask);
12495 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
12496 tvb, offset, 4, mask);
12497 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
12498 tvb, offset, 4, mask);
12499 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
12500 tvb, offset, 4, mask);
12501 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
12502 tvb, offset, 4, mask);
/*
 * Show the 4-byte little-endian "Device Characteristics" word at offset:
 * one text item with the raw mask in hex, and under it one boolean item per
 * hf_smb_device_char_* field, each covering the same 4 bytes.
 *
 * No byte-count check is made here; the caller visible in this listing
 * (dissect_qfsi_vals) runs CHECK_BYTE_COUNT_TRANS_SUBR(4) first.
 * NOTE(review): the declaration of mask, any parent_tree guard and the
 * return are not shown in this listing.
 */
12510 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12513 proto_item *item = NULL;
12514 proto_tree *tree = NULL;
12516 mask = tvb_get_letohl(tvb, offset);
12519 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12520 "Device Characteristics: 0x%08x", mask);
12521 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
/* Each field receives the whole mask; which bit it displays is decided by
 * the field's registration, which is outside this listing. */
12524 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
12525 tvb, offset, 4, mask);
12526 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
12527 tvb, offset, 4, mask);
12528 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
12529 tvb, offset, 4, mask);
12530 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
12531 tvb, offset, 4, mask);
12532 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
12533 tvb, offset, 4, mask);
12534 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
12535 tvb, offset, 4, mask);
12536 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
12537 tvb, offset, 4, mask);
12543 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
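/*
 * Display strings for Macintosh support flag bits, presumably attached to
 * the hf_smb_mac_sup_* fields that dissect_qfsi_vals adds for info level
 * 0x301 (the field registrations are outside this listing).  In each pair
 * the first string is shown when the bit is set, the second when it is
 * clear.
 */
static const true_false_string tfs_smb_mac_access_ctrl = {
	"Macintosh Access Control Supported",
	"Macintosh Access Control Not Supported"
};

static const true_false_string tfs_smb_mac_getset_comments = {
	"Macintosh Get & Set Comments Supported",
	"Macintosh Get & Set Comments Not Supported"
};

/*
 * The "bit clear" string used to repeat the "Supported" text, so a capture
 * was displayed as supporting the calls whatever the flag said.
 */
static const true_false_string tfs_smb_mac_desktopdb_calls = {
	"Macintosh Get & Set Desktop Database Info Supported",
	"Macintosh Get & Set Desktop Database Info Not Supported"
};

static const true_false_string tfs_smb_mac_unique_ids = {
	"Macintosh Unique IDs Supported",
	"Macintosh Unique IDs Not Supported"
};

/*
 * NOTE(review): unlike the four pairs above, "Not Supported" is the
 * bit-set string here.  Left as found; confirm against the flag's
 * definition whether this bit really has inverted sense before swapping.
 */
static const true_false_string tfs_smb_mac_streams = {
	"Macintosh and Streams Extensions Not Supported",
	"Macintosh and Streams Extensions Supported"
};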
/*
 * Dissect the data block of a TRANS2_QUERY_FS_INFORMATION response (called
 * from dissect_transaction2_response_data for subcommand 0x03), choosing
 * the field layout from si->info_level.
 *
 * All fields come from the captured packet and are untrusted.  *bcp is the
 * caller's remaining data byte count (guint16); the
 * CHECK_BYTE_COUNT_TRANS_SUBR / COUNT_BYTES_TRANS_SUBR /
 * CHECK_STRING_TRANS_SUBR macros that presumably guard and update it are
 * defined outside this listing - TODO confirm.
 *
 * NOTE(review): the gutter numbers skip, so some lines of this function
 * (declarations, assignments, break statements, the return) are not shown.
 */
12571 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12572 int offset, guint16 *bcp)
12575 int fn_len, vll, fnl;
12578 proto_item *item = NULL;
12579 proto_tree *ti = NULL;
12585 si = (smb_info_t *)pinfo->private_data;
12586 switch(si->info_level){
12587 case 1: /* SMB_INFO_ALLOCATION */
12588 /* filesystem id */
12589 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12590 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
12591 COUNT_BYTES_TRANS_SUBR(4);
12593 /* sectors per unit */
12594 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12595 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12596 COUNT_BYTES_TRANS_SUBR(4);
12599 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12600 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
12601 COUNT_BYTES_TRANS_SUBR(4);
12604 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12605 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
12606 COUNT_BYTES_TRANS_SUBR(4);
12608 /* bytes per sector, only 16bit integer here */
12609 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12610 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12611 COUNT_BYTES_TRANS_SUBR(2);
12614 case 2: /* SMB_INFO_VOLUME */
12615 /* volume serial number */
12616 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12617 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12618 COUNT_BYTES_TRANS_SUBR(4);
12620 /* volume label length, only one byte here */
12621 CHECK_BYTE_COUNT_TRANS_SUBR(1);
12622 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
12623 COUNT_BYTES_TRANS_SUBR(1);
/* NOTE(review): the label length byte above is only displayed; fn_len is
 * not assigned from it in any line shown here, and the sixth argument is
 * FALSE in this call but TRUE in the other string reads of this function.
 * Whether fn_len is an input or only an output of the helper in this mode
 * cannot be told from this listing - confirm it is initialised. */
12626 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
12627 CHECK_STRING_TRANS_SUBR(fn);
12628 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12630 COUNT_BYTES_TRANS_SUBR(fn_len);
12633 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
12634 case 1001: /* SMB_FS_LABEL_INFORMATION */
12635 /* volume label length */
12636 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12637 vll = tvb_get_letohl(tvb, offset);
12638 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12639 COUNT_BYTES_TRANS_SUBR(4);
/* NOTE(review): vll is a 32-bit packet value held in an int; presumably
 * fn_len is set from it in a line not shown.  No
 * CHECK_BYTE_COUNT_TRANS_SUBR(fn_len) precedes the COUNT below - confirm
 * the string helper limits fn_len to *bcp. */
12643 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12644 CHECK_STRING_TRANS_SUBR(fn);
12645 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12647 COUNT_BYTES_TRANS_SUBR(fn_len);
12650 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
12651 case 1002: /* SMB_FS_VOLUME_INFORMATION */
12653 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12654 offset = dissect_smb_64bit_time(tvb, tree, offset,
12655 hf_smb_create_time);
12658 /* volume serial number */
12659 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12660 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12661 COUNT_BYTES_TRANS_SUBR(4);
12663 /* volume label length */
12664 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12665 vll = tvb_get_letohl(tvb, offset);
12666 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12667 COUNT_BYTES_TRANS_SUBR(4);
12669 /* 2 reserved bytes */
12670 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12671 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12672 COUNT_BYTES_TRANS_SUBR(2);
/* NOTE(review): same pattern as the label-info case - fn_len presumably
 * comes from vll in a line not shown, and is counted without a preceding
 * byte-count check; confirm the helper bounds it. */
12676 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12677 CHECK_STRING_TRANS_SUBR(fn);
12678 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12680 COUNT_BYTES_TRANS_SUBR(fn_len);
12683 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
12684 case 1003: /* SMB_FS_SIZE_INFORMATION */
12685 /* allocation size */
12686 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12687 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12688 COUNT_BYTES_TRANS_SUBR(8);
12690 /* free allocation units */
12691 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12692 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
12693 COUNT_BYTES_TRANS_SUBR(8);
12695 /* sectors per unit */
12696 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12697 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12698 COUNT_BYTES_TRANS_SUBR(4);
12700 /* bytes per sector */
12701 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12702 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12703 COUNT_BYTES_TRANS_SUBR(4);
12706 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
12707 case 1004: /* SMB_FS_DEVICE_INFORMATION */
12709 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12710 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
12711 COUNT_BYTES_TRANS_SUBR(4);
12713 /* device characteristics */
12714 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12715 offset = dissect_device_characteristics(tvb, tree, offset);
12719 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
12720 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
12721 /* FS attributes */
12722 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12723 offset = dissect_fs_attributes(tvb, tree, offset);
12727 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12728 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
12729 COUNT_BYTES_TRANS_SUBR(4);
12731 /* fs name length */
12732 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12733 fnl = tvb_get_letohl(tvb, offset);
12734 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
12735 COUNT_BYTES_TRANS_SUBR(4);
/* NOTE(review): fnl is a 32-bit packet value held in an int; presumably
 * fn_len is set from it in a line not shown, and it is counted without a
 * preceding byte-count check - confirm the helper bounds it. */
12739 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12740 CHECK_STRING_TRANS_SUBR(fn);
12741 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
12743 COUNT_BYTES_TRANS_SUBR(fn_len);
12746 case 0x301: /* MAC_QUERY_FS_INFO */
12748 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12749 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12752 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12753 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_modify_time);
12756 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12757 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_backup_time);
12759 /* Allocation blocks */
12760 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12761 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
12764 COUNT_BYTES_TRANS_SUBR(4);
12765 /* Allocation Block Size */
12766 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12767 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
12769 COUNT_BYTES_TRANS_SUBR(4);
12770 /* Free Block Count */
12771 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12772 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
12774 COUNT_BYTES_TRANS_SUBR(4);
12775 /* Finder Info ... */
12776 CHECK_BYTE_COUNT_TRANS_SUBR(32);
12777 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
12779 tvb_get_ptr(tvb, offset,32),
12781 tvb_format_text(tvb, offset, 32));
12782 COUNT_BYTES_TRANS_SUBR(32);
12784 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12785 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
12787 COUNT_BYTES_TRANS_SUBR(4);
12788 /* Number of Root Directories */
12789 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12790 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
12792 COUNT_BYTES_TRANS_SUBR(4);
12793 /* Number of files */
12794 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12795 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
12797 COUNT_BYTES_TRANS_SUBR(4);
12799 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12800 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
12802 COUNT_BYTES_TRANS_SUBR(4);
12803 /* Mac Support Flags */
12804 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* NOTE(review): this is the only big-endian read (tvb_get_ntohl) visible in
 * this function; every other multi-byte value shown is read little-endian.
 * Confirm the byte order matches the bit masks of the hf_smb_mac_sup_*
 * fields, or the wrong flags are reported. */
12805 support = tvb_get_ntohl(tvb, offset);
12806 item = proto_tree_add_text(tree, tvb, offset, 4,
12807 "Mac Support Flags: 0x%08x", support);
12808 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
12809 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
12810 tvb, offset, 4, support);
12811 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
12812 tvb, offset, 4, support);
12813 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
12814 tvb, offset, 4, support);
12815 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
12816 tvb, offset, 4, support);
12817 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
12818 tvb, offset, 4, support);
12819 COUNT_BYTES_TRANS_SUBR(4);
/* The quota layout is delegated; bcp is handed over, so byte-count checks
 * for this level are presumably done inside dissect_nt_quota - confirm. */
12821 case 1006: /* QUERY_FS_QUOTA_INFO */
12822 offset = dissect_nt_quota(tvb, tree, offset, bcp);
12824 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
12825 /* allocation size */
12826 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12827 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12828 COUNT_BYTES_TRANS_SUBR(8);
12830 /* caller free allocation units */
12831 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12832 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
12833 COUNT_BYTES_TRANS_SUBR(8);
12835 /* actual free allocation units */
12836 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12837 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
12838 COUNT_BYTES_TRANS_SUBR(8);
12840 /* sectors per unit */
12841 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12842 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12843 COUNT_BYTES_TRANS_SUBR(4);
12845 /* bytes per sector */
12846 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12847 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12848 COUNT_BYTES_TRANS_SUBR(4);
/*
 * Dissect the data block of a TRANSACTION2 response.
 *
 * "tvb" is expected to hold only the data block: its reported length is
 * taken as the data count (dc).  The subcommand is not carried in the
 * response; it is read from the state saved for the matching request
 * (si->sip->extra_info), so what gets decoded here depends on request
 * tracking as well as on the bytes of this packet.
 *
 * NOTE(review): this listing omits lines of the function.  The switch on
 * t2i->subcmd below dereferences t2i, which the test at line 12877 allows
 * to be NULL; confirm that one of the omitted lines returns early in
 * that case.
 */
12856 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
12857 proto_tree *parent_tree)
12859 proto_item *item = NULL;
12860 proto_tree *tree = NULL;
12862 smb_transact2_info_t *t2i;
/* dc starts as the length of the whole block and is handed by address to
   the per-subcommand helpers below (presumably so they can count it down
   as they consume bytes; verify in the helpers) */
12868 dc = tvb_reported_length(tvb);
12870 si = (smb_info_t *)pinfo->private_data;
12871 if (si->sip != NULL)
12872 t2i = si->sip->extra_info;
12877 if (t2i != NULL && t2i->subcmd != -1) {
12878 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12880 val_to_str(t2i->subcmd, trans2_cmd_vals,
12881 "Unknown (0x%02x)"));
12882 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
12884 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12885 "Unknown Transaction2 Data");
12893 switch(t2i->subcmd){
12894 case 0x00: /*TRANS2_OPEN2*/
12895 /* XXX not implemented yet. See SNIA doc */
12897 case 0x01: /*TRANS2_FIND_FIRST2*/
12898 /* returned data */
/* si->info_count was stored by dissect_transaction2_response_parameters
   from a 16-bit field of the response, so it is a value chosen by the
   sender.  NOTE(review): confirm dissect_ff2_response_data bounds its
   work by dc/trunc and not by this count alone. */
12899 count = si->info_count;
12901 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12902 col_append_fstr(pinfo->cinfo, COL_INFO,
12907 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12908 offset, &dc, &trunc);
12913 case 0x02: /*TRANS2_FIND_NEXT2*/
12914 /* returned data */
/* same handling as FIND_FIRST2: the count comes from si->info_count */
12915 count = si->info_count;
12917 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12918 col_append_fstr(pinfo->cinfo, COL_INFO,
12923 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12924 offset, &dc, &trunc);
12929 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
12930 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
12932 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
12933 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12935 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
12936 /* no data in this response */
12938 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
12939 /* identical to QUERY_PATH_INFO */
12940 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12942 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
12943 /* no data in this response */
12945 case 0x09: /*TRANS2_FSCTL*/
12946 /* XXX don't know how to dissect this one (yet) */
12949 * XXX - "Microsoft Networks SMB File Sharing Protocol
12950 * Extensions Version 3.0, Document Version 1.11,
12951 * July 19, 1990" says this this contains a
12952 * "File system specific return data block".
12953 * (That means we may not be able to dissect it in any
12957 case 0x0a: /*TRANS2_IOCTL2*/
12958 /* XXX don't know how to dissect this one (yet) */
12961 * XXX - "Microsoft Networks SMB File Sharing Protocol
12962 * Extensions Version 3.0, Document Version 1.11,
12963 * July 19, 1990" says this this contains a
12964 * "Device/function specific return data block".
12965 * (That means we may not be able to dissect it in any
12969 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
12970 /* XXX don't know how to dissect this one (yet) */
12973 * XXX - "Microsoft Networks SMB File Sharing Protocol
12974 * Extensions Version 3.0, Document Version 1.11,
12975 * July 19, 1990" says this this contains "the level
12976 * dependent information about the changes which
12980 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
12981 /* XXX don't know how to dissect this one (yet) */
12984 * XXX - "Microsoft Networks SMB File Sharing Protocol
12985 * Extensions Version 3.0, Document Version 1.11,
12986 * July 19, 1990" says this this contains "the level
12987 * dependent information about the changes which
12991 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
12992 /* no data in this response */
12994 case 0x0e: /*TRANS2_SESSION_SETUP*/
12995 /* XXX don't know how to dissect this one (yet) */
12997 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
12998 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
13000 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13001 /* the SNIA spec appears to say the response has no data */
13005 * We don't know what the matching request was; don't
13006 * bother putting anything else into the tree for the data.
13013 /* oops, there was data we didn't know how to process */
13015 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Dissect the parameter block of a TRANSACTION2 response.
 *
 * "tvb" is expected to hold only the parameter block; its reported length
 * is taken as the parameter count (pc).  The subcommand is not carried in
 * the response; it comes from the state saved for the matching request
 * (si->sip->extra_info).
 *
 * For FIND_FIRST2, FIND_NEXT2, FIND_NOTIFY_FIRST and FIND_NOTIFY_NEXT the
 * 16-bit count read here is stored in si->info_count, which
 * dissect_transaction2_response_data reads back for FIND_FIRST2 and
 * FIND_NEXT2.
 *
 * NOTE(review): this listing omits lines of the function (the "offset"
 * updates between fields among them), and the switch on t2i->subcmd
 * dereferences t2i, which the test at line 13044 allows to be NULL;
 * confirm the early return in the full source.
 */
13024 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
13026 proto_item *item = NULL;
13027 proto_tree *tree = NULL;
13029 smb_transact2_info_t *t2i;
13035 pc = tvb_reported_length(tvb);
13037 si = (smb_info_t *)pinfo->private_data;
13038 if (si->sip != NULL)
13039 t2i = si->sip->extra_info;
13044 if (t2i != NULL && t2i->subcmd != -1) {
13045 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13047 val_to_str(t2i->subcmd, trans2_cmd_vals,
13048 "Unknown (0x%02x)"));
13049 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
13051 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13052 "Unknown Transaction2 Parameters");
13060 switch(t2i->subcmd){
13061 case 0x00: /*TRANS2_OPEN2*/
13063 fid = tvb_get_letohs(tvb, offset);
13064 add_fid(tvb, pinfo, tree, offset, 2, fid);
13068 * XXX - Microsoft Networks SMB File Sharing Protocol
13069 * Extensions Version 3.0, Document Version 1.11,
13070 * July 19, 1990 says that the file attributes, create
13071 * time (which it says is the last modification time),
13072 * data size, granted access, file type, and IPC state
13073 * are returned only if bit 0 is set in the open flags,
13074 * and that the EA length is returned only if bit 3
13075 * is set in the open flags. Does that mean that,
13076 * at least in that SMB dialect, those fields are not
13077 * present in the reply parameters if the bits in
13078 * question aren't set?
13081 /* File Attributes */
13082 offset = dissect_file_attributes(tvb, tree, offset, 2);
13085 offset = dissect_smb_datetime(tvb, tree, offset,
13086 hf_smb_create_time,
13087 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
13090 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13093 /* granted access */
13094 offset = dissect_access(tvb, tree, offset, "Granted");
13097 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
13101 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
13104 offset = dissect_open_action(tvb, tree, offset);
13106 /* server unique file ID */
13107 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
13110 /* ea error offset, only a 16 bit integer here */
13111 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13115 proto_tree_add_item(tree, hf_smb_ea_length, tvb, offset, 4, TRUE);
13119 case 0x01: /*TRANS2_FIND_FIRST2*/
13120 /* Find First2 information level */
/* not a field of the response: a zero-length item at offset 0 showing the
   level kept in si->info_level */
13121 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
13124 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/* search count: kept in si->info_count for the data-block dissector; it
   is whatever the sender put in this 16-bit field */
13128 si->info_count = tvb_get_letohs(tvb, offset);
13129 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13132 /* end of search */
13133 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13136 /* ea error offset, only a 16 bit integer here */
13137 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13140 /* last name offset */
13141 lno = tvb_get_letohs(tvb, offset);
13142 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13146 case 0x02: /*TRANS2_FIND_NEXT2*/
/* search count, stored in si->info_count as for FIND_FIRST2 */
13148 si->info_count = tvb_get_letohs(tvb, offset);
13149 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13152 /* end of search */
13153 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13156 /* ea_error_offset, only a 16 bit integer here*/
13157 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13160 /* last name offset */
13161 lno = tvb_get_letohs(tvb, offset);
13162 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13166 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13167 /* no parameter block here */
13169 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13170 /* ea_error_offset, only a 16 bit integer here*/
13171 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13175 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13176 /* ea_error_offset, only a 16 bit integer here*/
13177 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13181 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13182 /* ea_error_offset, only a 16 bit integer here*/
13183 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13187 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13188 /* ea_error_offset, only a 16 bit integer here*/
13189 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13193 case 0x09: /*TRANS2_FSCTL*/
13194 /* XXX don't know how to dissect this one (yet) */
13197 * XXX - "Microsoft Networks SMB File Sharing Protocol
13198 * Extensions Version 3.0, Document Version 1.11,
13199 * July 19, 1990" says this this contains a
13200 * "File system specific return parameter block".
13201 * (That means we may not be able to dissect it in any
13205 case 0x0a: /*TRANS2_IOCTL2*/
13206 /* XXX don't know how to dissect this one (yet) */
13209 * XXX - "Microsoft Networks SMB File Sharing Protocol
13210 * Extensions Version 3.0, Document Version 1.11,
13211 * July 19, 1990" says this this contains a
13212 * "Device/function specific return parameter block".
13213 * (That means we may not be able to dissect it in any
13217 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13218 /* Find Notify information level */
/* zero-length item showing si->info_level, not a field of the response */
13219 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13221 /* Monitor handle */
13222 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
/* change count, stored in si->info_count */
13226 si->info_count = tvb_get_letohs(tvb, offset);
13227 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13230 /* ea_error_offset, only a 16 bit integer here*/
13231 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13235 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13236 /* Find Notify information level */
13237 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
/* change count, stored in si->info_count */
13240 si->info_count = tvb_get_letohs(tvb, offset);
13241 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13244 /* ea_error_offset, only a 16 bit integer here*/
13245 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13249 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13250 /* ea error offset, only a 16 bit integer here */
13251 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13255 case 0x0e: /*TRANS2_SESSION_SETUP*/
13256 /* XXX don't know how to dissect this one (yet) */
13258 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13259 /* XXX don't know how to dissect this one (yet); see SNIA doc */
13261 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13262 /* XXX don't know how to dissect this one (yet); see SNIA doc */
13266 * We don't know what the matching request was; don't
13267 * bother putting anything else into the tree for the data.
13273 /* oops, there was data we didn't know how to process */
13275 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
13276 offset += pc-offset;
/*
 * Dissect the response to an SMB Transaction or Transaction2 request.
 *
 * The total parameter/data counts (tp, td), the counts, offsets and
 * displacements of the blocks carried in this packet (pc/po/pd and
 * dc/od/dd) and the setup count (sc) are all read from the packet and then
 * used as offsets and lengths into "tvb".  If the totals differ from the
 * counts in this packet the transaction is treated as fragmented and, when
 * smb_trans_reassembly is set, passed to smb_trans_defragment(); otherwise
 * the blocks are cut out of this packet, and only when both displacements
 * are zero.
 *
 * NOTE(review): this listing omits lines of the function, so the guards
 * around some of the statements below cannot be seen here.
 */
13282 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13285 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
13287 smb_transact2_info_t *t2i = NULL;
13290 gboolean dissected_trans;
13291 fragment_data *r_fd = NULL;
13292 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
13293 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
13294 gboolean save_fragmented;
13296 si = (smb_info_t *)pinfo->private_data;
13299 case SMB_COM_TRANSACTION2:
13301 if (si->sip != NULL) {
13302 t2i = si->sip->extra_info;
13307 * We didn't see the matching request, so we don't
13308 * know what type of transaction this is.
13310 proto_tree_add_text(tree, tvb, 0, 0,
13311 "Subcommand: <UNKNOWN> since request packet wasn't seen");
13312 if (check_col(pinfo->cinfo, COL_INFO)) {
13313 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13316 si->info_level = t2i->info_level;
13317 if (t2i->subcmd == -1) {
13319 * We didn't manage to extract the subcommand
13320 * from the matching request (perhaps because
13321 * the frame was short), so we don't know what
13322 * type of transaction this is.
13324 proto_tree_add_text(tree, tvb, 0, 0,
13325 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
13326 if (check_col(pinfo->cinfo, COL_INFO)) {
13327 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13330 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
13331 if (check_col(pinfo->cinfo, COL_INFO)) {
13332 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13333 val_to_str(t2i->subcmd,
13335 "<unknown (0x%02x)>"));
13344 /* total param count, only a 16bit integer here */
13345 tp = tvb_get_letohs(tvb, offset);
13346 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
13349 /* total data count, only a 16 bit integer here */
13350 td = tvb_get_letohs(tvb, offset);
13351 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
13354 /* 2 reserved bytes */
13355 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
13359 pc = tvb_get_letohs(tvb, offset);
13360 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
13364 po = tvb_get_letohs(tvb, offset);
13365 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
13369 pd = tvb_get_letohs(tvb, offset);
13370 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
13374 dc = tvb_get_letohs(tvb, offset);
13375 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
13379 od = tvb_get_letohs(tvb, offset);
13380 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
13384 dd = tvb_get_letohs(tvb, offset);
13385 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
13389 sc = tvb_get_guint8(tvb, offset);
13390 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
13393 /* reserved byte */
13394 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13398 /* if there were any setup bytes, put them in a tvb for later */
/* sc is one byte from the packet: the captured length of s_tvb is limited
   to what is left in tvb, while its reported length stays 2*sc */
13400 if((2*sc)>tvb_length_remaining(tvb, offset)){
13401 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
13403 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
13405 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
13416 /* reassembly of SMB Transaction data payload.
13417 In this section we do reassembly of both the data and parameters
13418 blocks of the SMB transaction command.
13420 save_fragmented = pinfo->fragmented;
13421 /* do we need reassembly? */
13422 if( (td!=dc) || (tp!=pc) ){
13423 /* oh yeah, either data or parameter section needs
13426 pinfo->fragmented = TRUE;
13427 if(smb_trans_reassembly){
13428 /* ...and we were told to do reassembly */
/* a block is handed to the reassembler only when all pc (or dc) bytes of
   it are present in the captured data; the data block is added only if
   the parameter step did not already return a reassembled buffer */
13429 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
13430 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13431 po, pc, pd, td+tp);
13434 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
13435 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13436 od, dc, dd+tp, td+tp);
13441 /* if we got a reassembled fd structure from the reassembly routine we must
13442 create pd_tvb from it
13445 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
13447 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
13448 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
13449 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
13454 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
/* tp and td are the totals claimed by this packet.  NOTE(review): confirm
   that the omitted lines check them against the length of pd_tvb
   (r_fd->datalen), or that tvb_new_subset rejects a range that does not
   fit inside pd_tvb. */
13456 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
13459 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
/* Without reassembly each block is limited to the smaller of its claimed
   count and what tvb still holds from its offset, computed separately for
   the captured and for the reported length. */
13462 /* It was not reassembled. Do as best as we can.
13463 * in this case we always try to dissect the stuff if
13464 * data and param displacement is 0. i.e. for the first
13465 * (and maybe only) packet.
13467 if( (pd==0) && (dd==0) ){
13470 min = MIN(pc,tvb_length_remaining(tvb,po));
13471 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
13472 if(min && reported_min) {
13473 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
13475 min = MIN(dc,tvb_length_remaining(tvb,od));
13476 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
13477 if(min && reported_min) {
13478 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
13481 * A tvbuff containing the parameters
13483 * XXX - check pc and dc as well?
13485 if (tvb_length_remaining(tvb, po)){
13486 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
13495 /* We have some padding bytes.
13497 padcnt = po-offset;
13500 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13501 COUNT_BYTES(padcnt);
13503 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
13504 /* TRANSACTION2 parameters*/
13505 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
13512 /* We have some initial padding bytes.
13514 padcnt = od-offset;
13517 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13518 COUNT_BYTES(padcnt);
13521 * If the data count is bigger than the count of bytes
13522 * remaining, clamp it so that the count of bytes remaining
13523 * doesn't go negative.
13531 /* from now on, everything is in separate tvbuffs so we dont count
13532 the bytes with COUNT_BYTES any more.
13533 neither do we reference offset any more (which by now points to the
13534 first byte AFTER this PDU */
13537 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
13538 /* TRANSACTION2 data */
13539 dissect_transaction2_response_data(d_tvb, pinfo, tree);
13543 if(si->cmd==SMB_COM_TRANSACTION){
13544 smb_transact_info_t *tri;
13546 dissected_trans = FALSE;
13547 if (si->sip != NULL)
13548 tri = si->sip->extra_info;
13552 switch(tri->subcmd){
13554 case TRANSACTION_PIPE:
13555 /* This function is safe to call for
13556 s_tvb==sp_tvb==NULL, i.e. if we don't
13557 know them at this point.
13558 It's also safe to call if "p_tvb"
13559 or "d_tvb" are null.
13562 dissected_trans = dissect_pipe_smb(
13563 sp_tvb, s_tvb, pd_tvb, p_tvb,
13564 d_tvb, NULL, pinfo, top_tree);
13568 case TRANSACTION_MAILSLOT:
13569 /* This one should be safe to call
13570 even if s_tvb and sp_tvb is NULL
13573 dissected_trans = dissect_mailslot_smb(
13574 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
13580 if (!dissected_trans) {
13581 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
13582 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
13587 if( (p_tvb==0) && (d_tvb==0) ){
13588 if(check_col(pinfo->cinfo, COL_INFO)){
13589 col_append_str(pinfo->cinfo, COL_INFO,
13590 "[transact continuation]");
13594 pinfo->fragmented = save_fragmented;
/*
 * Request dissector for Find Notify Close (entry 0x35 of smb_dissector):
 * adds the 2-byte monitor handle to the tree.
 *
 * NOTE(review): this listing omits the remaining lines of the function
 * (the lines before and after the monitor handle are not shown).
 */
13602 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13609 /* Monitor handle */
13610 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13620 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13621 END Transaction/Transaction2 Primary and secondary requests
13622 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Fallback dissector used by smb_dissector for every command code that
 * has no dedicated handler: the word parameters (wc*2 bytes) and the byte
 * parameters (bc bytes) are added to the tree as undecoded text items.
 *
 * NOTE(review): wc and bc are set in lines this listing omits; presumably
 * they are the word count and byte count read from the packet, so the
 * item lengths below follow values chosen by the sender.  Verify how they
 * are bounded against the bytes actually left in tvb.
 */
13626 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13634 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
13641 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
/*
 * The two dissector entry points for one SMB command: "request" for the
 * packet sent by the client and "response" for the server's answer.  Both
 * take the same arguments and return an int (presumably the offset just
 * past the dissected PDU; TODO confirm against the callers).
 */
13651 typedef struct _smb_function {
13652 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13653 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
/*
 * Dispatch table: one request/response pair of dissectors for each of the
 * 256 values a one-byte SMB command code can take.  Codes without a
 * dedicated dissector point at dissect_unknown, so each entry listed here
 * names two functions and none is left empty.
 *
 * NOTE(review): the lookup itself is not visible in this listing;
 * dissect_smb_command receives the command as a guint8, which presumably
 * is the index, and a guint8 cannot exceed the table size.
 */
13656 static smb_function smb_dissector[256] = {
13657 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
13658 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
13659 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
13660 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
13661 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
13662 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
13663 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
13664 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
13665 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
13666 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
13667 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
13668 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
13669 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
13670 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
13671 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
13672 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
13674 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
13675 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
13676 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
13677 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
13678 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
13679 /* 0x15 */ {dissect_unknown, dissect_unknown},
13680 /* 0x16 */ {dissect_unknown, dissect_unknown},
13681 /* 0x17 */ {dissect_unknown, dissect_unknown},
13682 /* 0x18 */ {dissect_unknown, dissect_unknown},
13683 /* 0x19 */ {dissect_unknown, dissect_unknown},
13684 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
13685 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
13686 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
13687 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
13688 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
13689 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
13691 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
13692 /* 0x21 */ {dissect_unknown, dissect_unknown},
13693 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
13694 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
13695 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
13696 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
13697 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13698 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
13699 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
13700 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
13701 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
13702 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
13703 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
13704 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
13705 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
13706 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
13708 /* 0x30 */ {dissect_unknown, dissect_unknown},
13709 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
13710 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
13711 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13712 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
13713 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
13714 /* 0x36 */ {dissect_unknown, dissect_unknown},
13715 /* 0x37 */ {dissect_unknown, dissect_unknown},
13716 /* 0x38 */ {dissect_unknown, dissect_unknown},
13717 /* 0x39 */ {dissect_unknown, dissect_unknown},
13718 /* 0x3a */ {dissect_unknown, dissect_unknown},
13719 /* 0x3b */ {dissect_unknown, dissect_unknown},
13720 /* 0x3c */ {dissect_unknown, dissect_unknown},
13721 /* 0x3d */ {dissect_unknown, dissect_unknown},
13722 /* 0x3e */ {dissect_unknown, dissect_unknown},
13723 /* 0x3f */ {dissect_unknown, dissect_unknown},
13725 /* 0x40 */ {dissect_unknown, dissect_unknown},
13726 /* 0x41 */ {dissect_unknown, dissect_unknown},
13727 /* 0x42 */ {dissect_unknown, dissect_unknown},
13728 /* 0x43 */ {dissect_unknown, dissect_unknown},
13729 /* 0x44 */ {dissect_unknown, dissect_unknown},
13730 /* 0x45 */ {dissect_unknown, dissect_unknown},
13731 /* 0x46 */ {dissect_unknown, dissect_unknown},
13732 /* 0x47 */ {dissect_unknown, dissect_unknown},
13733 /* 0x48 */ {dissect_unknown, dissect_unknown},
13734 /* 0x49 */ {dissect_unknown, dissect_unknown},
13735 /* 0x4a */ {dissect_unknown, dissect_unknown},
13736 /* 0x4b */ {dissect_unknown, dissect_unknown},
13737 /* 0x4c */ {dissect_unknown, dissect_unknown},
13738 /* 0x4d */ {dissect_unknown, dissect_unknown},
13739 /* 0x4e */ {dissect_unknown, dissect_unknown},
13740 /* 0x4f */ {dissect_unknown, dissect_unknown},
13742 /* 0x50 */ {dissect_unknown, dissect_unknown},
13743 /* 0x51 */ {dissect_unknown, dissect_unknown},
13744 /* 0x52 */ {dissect_unknown, dissect_unknown},
13745 /* 0x53 */ {dissect_unknown, dissect_unknown},
13746 /* 0x54 */ {dissect_unknown, dissect_unknown},
13747 /* 0x55 */ {dissect_unknown, dissect_unknown},
13748 /* 0x56 */ {dissect_unknown, dissect_unknown},
13749 /* 0x57 */ {dissect_unknown, dissect_unknown},
13750 /* 0x58 */ {dissect_unknown, dissect_unknown},
13751 /* 0x59 */ {dissect_unknown, dissect_unknown},
13752 /* 0x5a */ {dissect_unknown, dissect_unknown},
13753 /* 0x5b */ {dissect_unknown, dissect_unknown},
13754 /* 0x5c */ {dissect_unknown, dissect_unknown},
13755 /* 0x5d */ {dissect_unknown, dissect_unknown},
13756 /* 0x5e */ {dissect_unknown, dissect_unknown},
13757 /* 0x5f */ {dissect_unknown, dissect_unknown},
13759 /* 0x60 */ {dissect_unknown, dissect_unknown},
13760 /* 0x61 */ {dissect_unknown, dissect_unknown},
13761 /* 0x62 */ {dissect_unknown, dissect_unknown},
13762 /* 0x63 */ {dissect_unknown, dissect_unknown},
13763 /* 0x64 */ {dissect_unknown, dissect_unknown},
13764 /* 0x65 */ {dissect_unknown, dissect_unknown},
13765 /* 0x66 */ {dissect_unknown, dissect_unknown},
13766 /* 0x67 */ {dissect_unknown, dissect_unknown},
13767 /* 0x68 */ {dissect_unknown, dissect_unknown},
13768 /* 0x69 */ {dissect_unknown, dissect_unknown},
13769 /* 0x6a */ {dissect_unknown, dissect_unknown},
13770 /* 0x6b */ {dissect_unknown, dissect_unknown},
13771 /* 0x6c */ {dissect_unknown, dissect_unknown},
13772 /* 0x6d */ {dissect_unknown, dissect_unknown},
13773 /* 0x6e */ {dissect_unknown, dissect_unknown},
13774 /* 0x6f */ {dissect_unknown, dissect_unknown},
13776 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
13777 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
13778 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
13779 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
13780 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
13781 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
13782 /* 0x76 */ {dissect_unknown, dissect_unknown},
13783 /* 0x77 */ {dissect_unknown, dissect_unknown},
13784 /* 0x78 */ {dissect_unknown, dissect_unknown},
13785 /* 0x79 */ {dissect_unknown, dissect_unknown},
13786 /* 0x7a */ {dissect_unknown, dissect_unknown},
13787 /* 0x7b */ {dissect_unknown, dissect_unknown},
13788 /* 0x7c */ {dissect_unknown, dissect_unknown},
13789 /* 0x7d */ {dissect_unknown, dissect_unknown},
13790 /* 0x7e */ {dissect_unknown, dissect_unknown},
13791 /* 0x7f */ {dissect_unknown, dissect_unknown},
13793 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
13794 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
13795 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
13796 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
13797 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
13798 /* 0x85 */ {dissect_unknown, dissect_unknown},
13799 /* 0x86 */ {dissect_unknown, dissect_unknown},
13800 /* 0x87 */ {dissect_unknown, dissect_unknown},
13801 /* 0x88 */ {dissect_unknown, dissect_unknown},
13802 /* 0x89 */ {dissect_unknown, dissect_unknown},
13803 /* 0x8a */ {dissect_unknown, dissect_unknown},
13804 /* 0x8b */ {dissect_unknown, dissect_unknown},
13805 /* 0x8c */ {dissect_unknown, dissect_unknown},
13806 /* 0x8d */ {dissect_unknown, dissect_unknown},
13807 /* 0x8e */ {dissect_unknown, dissect_unknown},
13808 /* 0x8f */ {dissect_unknown, dissect_unknown},
13810 /* 0x90 */ {dissect_unknown, dissect_unknown},
13811 /* 0x91 */ {dissect_unknown, dissect_unknown},
13812 /* 0x92 */ {dissect_unknown, dissect_unknown},
13813 /* 0x93 */ {dissect_unknown, dissect_unknown},
13814 /* 0x94 */ {dissect_unknown, dissect_unknown},
13815 /* 0x95 */ {dissect_unknown, dissect_unknown},
13816 /* 0x96 */ {dissect_unknown, dissect_unknown},
13817 /* 0x97 */ {dissect_unknown, dissect_unknown},
13818 /* 0x98 */ {dissect_unknown, dissect_unknown},
13819 /* 0x99 */ {dissect_unknown, dissect_unknown},
13820 /* 0x9a */ {dissect_unknown, dissect_unknown},
13821 /* 0x9b */ {dissect_unknown, dissect_unknown},
13822 /* 0x9c */ {dissect_unknown, dissect_unknown},
13823 /* 0x9d */ {dissect_unknown, dissect_unknown},
13824 /* 0x9e */ {dissect_unknown, dissect_unknown},
13825 /* 0x9f */ {dissect_unknown, dissect_unknown},
13827 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13828 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13829 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
13830 /* 0xa3 */ {dissect_unknown, dissect_unknown},
13831 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
13832 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
13833 /* 0xa6 */ {dissect_unknown, dissect_unknown},
13834 /* 0xa7 */ {dissect_unknown, dissect_unknown},
13835 /* 0xa8 */ {dissect_unknown, dissect_unknown},
13836 /* 0xa9 */ {dissect_unknown, dissect_unknown},
13837 /* 0xaa */ {dissect_unknown, dissect_unknown},
13838 /* 0xab */ {dissect_unknown, dissect_unknown},
13839 /* 0xac */ {dissect_unknown, dissect_unknown},
13840 /* 0xad */ {dissect_unknown, dissect_unknown},
13841 /* 0xae */ {dissect_unknown, dissect_unknown},
13842 /* 0xaf */ {dissect_unknown, dissect_unknown},
13844 /* 0xb0 */ {dissect_unknown, dissect_unknown},
13845 /* 0xb1 */ {dissect_unknown, dissect_unknown},
13846 /* 0xb2 */ {dissect_unknown, dissect_unknown},
13847 /* 0xb3 */ {dissect_unknown, dissect_unknown},
13848 /* 0xb4 */ {dissect_unknown, dissect_unknown},
13849 /* 0xb5 */ {dissect_unknown, dissect_unknown},
13850 /* 0xb6 */ {dissect_unknown, dissect_unknown},
13851 /* 0xb7 */ {dissect_unknown, dissect_unknown},
13852 /* 0xb8 */ {dissect_unknown, dissect_unknown},
13853 /* 0xb9 */ {dissect_unknown, dissect_unknown},
13854 /* 0xba */ {dissect_unknown, dissect_unknown},
13855 /* 0xbb */ {dissect_unknown, dissect_unknown},
13856 /* 0xbc */ {dissect_unknown, dissect_unknown},
13857 /* 0xbd */ {dissect_unknown, dissect_unknown},
13858 /* 0xbe */ {dissect_unknown, dissect_unknown},
13859 /* 0xbf */ {dissect_unknown, dissect_unknown},
13861 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
13862 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
13863 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
13864 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
13865 /* 0xc4 */ {dissect_unknown, dissect_unknown},
13866 /* 0xc5 */ {dissect_unknown, dissect_unknown},
13867 /* 0xc6 */ {dissect_unknown, dissect_unknown},
13868 /* 0xc7 */ {dissect_unknown, dissect_unknown},
13869 /* 0xc8 */ {dissect_unknown, dissect_unknown},
13870 /* 0xc9 */ {dissect_unknown, dissect_unknown},
13871 /* 0xca */ {dissect_unknown, dissect_unknown},
13872 /* 0xcb */ {dissect_unknown, dissect_unknown},
13873 /* 0xcc */ {dissect_unknown, dissect_unknown},
13874 /* 0xcd */ {dissect_unknown, dissect_unknown},
13875 /* 0xce */ {dissect_unknown, dissect_unknown},
13876 /* 0xcf */ {dissect_unknown, dissect_unknown},
13878 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
13879 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
13880 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
13881 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
13882 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
13883 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
13884 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
13885 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
13886 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
13887 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
13888 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
13889 /* 0xdb */ {dissect_unknown, dissect_unknown},
13890 /* 0xdc */ {dissect_unknown, dissect_unknown},
13891 /* 0xdd */ {dissect_unknown, dissect_unknown},
13892 /* 0xde */ {dissect_unknown, dissect_unknown},
13893 /* 0xdf */ {dissect_unknown, dissect_unknown},
13895 /* 0xe0 */ {dissect_unknown, dissect_unknown},
13896 /* 0xe1 */ {dissect_unknown, dissect_unknown},
13897 /* 0xe2 */ {dissect_unknown, dissect_unknown},
13898 /* 0xe3 */ {dissect_unknown, dissect_unknown},
13899 /* 0xe4 */ {dissect_unknown, dissect_unknown},
13900 /* 0xe5 */ {dissect_unknown, dissect_unknown},
13901 /* 0xe6 */ {dissect_unknown, dissect_unknown},
13902 /* 0xe7 */ {dissect_unknown, dissect_unknown},
13903 /* 0xe8 */ {dissect_unknown, dissect_unknown},
13904 /* 0xe9 */ {dissect_unknown, dissect_unknown},
13905 /* 0xea */ {dissect_unknown, dissect_unknown},
13906 /* 0xeb */ {dissect_unknown, dissect_unknown},
13907 /* 0xec */ {dissect_unknown, dissect_unknown},
13908 /* 0xed */ {dissect_unknown, dissect_unknown},
13909 /* 0xee */ {dissect_unknown, dissect_unknown},
13910 /* 0xef */ {dissect_unknown, dissect_unknown},
13912 /* 0xf0 */ {dissect_unknown, dissect_unknown},
13913 /* 0xf1 */ {dissect_unknown, dissect_unknown},
13914 /* 0xf2 */ {dissect_unknown, dissect_unknown},
13915 /* 0xf3 */ {dissect_unknown, dissect_unknown},
13916 /* 0xf4 */ {dissect_unknown, dissect_unknown},
13917 /* 0xf5 */ {dissect_unknown, dissect_unknown},
13918 /* 0xf6 */ {dissect_unknown, dissect_unknown},
13919 /* 0xf7 */ {dissect_unknown, dissect_unknown},
13920 /* 0xf8 */ {dissect_unknown, dissect_unknown},
13921 /* 0xf9 */ {dissect_unknown, dissect_unknown},
13922 /* 0xfa */ {dissect_unknown, dissect_unknown},
13923 /* 0xfb */ {dissect_unknown, dissect_unknown},
13924 /* 0xfc */ {dissect_unknown, dissect_unknown},
13925 /* 0xfd */ {dissect_unknown, dissect_unknown},
13926 /* 0xfe */ {dissect_unknown, dissect_unknown},
13927 /* 0xff */ {dissect_unknown, dissect_unknown},
/*
 * Dissect one SMB command: append the command name to the Info column,
 * add a text item for the command under smb_tree, then call the request or
 * response handler that smb_dissector[] holds for this command code and
 * end the item at the offset the handler returns.
 *
 * cmd is a guint8, so the table index can only be 0x00-0xff; the
 * smb_dissector rows visible above run through 0xff and each supplies both
 * a request and a response handler.  The index is in bounds only while the
 * table keeps one row per command code.
 *
 * NOTE(review): this listing has lost lines (the gutter numbers skip), so
 * the return type, braces, format strings and the use of first_pdu are not
 * visible here.
 */
13931 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
/* NOTE(review): si is taken from pinfo->private_data and dereferenced below;
 * no NULL check is visible in the lines shown -- confirm the caller always
 * sets it before calling this function. */
13935 si = pinfo->private_data;
13937 proto_item *cmd_item;
13938 proto_tree *cmd_tree;
13939 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13941 if (check_col(pinfo->cinfo, COL_INFO)) {
13943 col_append_fstr(pinfo->cinfo, COL_INFO,
13945 decode_smb_name(cmd),
13946 (si->request)? "Request" : "Response");
13948 col_append_fstr(pinfo->cinfo, COL_INFO,
13950 decode_smb_name(cmd));
13955 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
13957 decode_smb_name(cmd),
13958 (si->request)?"Request":"Response",
13961 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
/* Direction picks the column: si->request selects the request handler,
 * otherwise the response handler of the same table row. */
13963 dissector = (si->request)?
13964 smb_dissector[cmd].request:smb_dissector[cmd].response;
/* The handler's return value becomes the new offset and the item's end. */
13966 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
13967 proto_item_set_end(cmd_item, tvb, offset);
13973 /* NOTE: this value_string array is also indexed directly, instead of
13974 * being searched with val_to_str(), because
13975 * 1, the array always spans every value from 0x00 to 0xff, and
13976 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
13977 * This means that this value_string array MUST always
13978 * 1, contain an entry for every value from 0x00 to 0xff, and
13979 * 2, keep those entries in order; otherwise a direct index returns the wrong name or reads past the end of the array.
13981 const value_string smb_cmd_vals[] = {
13982 { 0x00, "Create Directory" },
13983 { 0x01, "Delete Directory" },
13985 { 0x03, "Create" },
13988 { 0x06, "Delete" },
13989 { 0x07, "Rename" },
13990 { 0x08, "Query Information" },
13991 { 0x09, "Set Information" },
13994 { 0x0C, "Lock Byte Range" },
13995 { 0x0D, "Unlock Byte Range" },
13996 { 0x0E, "Create Temp" },
13997 { 0x0F, "Create New" },
13998 { 0x10, "Check Directory" },
13999 { 0x11, "Process Exit" },
14001 { 0x13, "Lock And Read" },
14002 { 0x14, "Write And Unlock" },
14003 { 0x15, "unknown-0x15" },
14004 { 0x16, "unknown-0x16" },
14005 { 0x17, "unknown-0x17" },
14006 { 0x18, "unknown-0x18" },
14007 { 0x19, "unknown-0x19" },
14008 { 0x1A, "Read Raw" },
14009 { 0x1B, "Read MPX" },
14010 { 0x1C, "Read MPX Secondary" },
14011 { 0x1D, "Write Raw" },
14012 { 0x1E, "Write MPX" },
14013 { 0x1F, "Write MPX Secondary" },
14014 { 0x20, "Write Complete" },
14015 { 0x21, "unknown-0x21" },
14016 { 0x22, "Set Information2" },
14017 { 0x23, "Query Information2" },
14018 { 0x24, "Locking AndX" },
14019 { 0x25, "Transaction" },
14020 { 0x26, "Transaction Secondary" },
14022 { 0x28, "IOCTL Secondary" },
14026 { 0x2C, "Write And Close" },
14027 { 0x2D, "Open AndX" },
14028 { 0x2E, "Read AndX" },
14029 { 0x2F, "Write AndX" },
14030 { 0x30, "unknown-0x30" },
14031 { 0x31, "Close And Tree Disconnect" },
14032 { 0x32, "Transaction2" },
14033 { 0x33, "Transaction2 Secondary" },
14034 { 0x34, "Find Close2" },
14035 { 0x35, "Find Notify Close" },
14036 { 0x36, "unknown-0x36" },
14037 { 0x37, "unknown-0x37" },
14038 { 0x38, "unknown-0x38" },
14039 { 0x39, "unknown-0x39" },
14040 { 0x3A, "unknown-0x3A" },
14041 { 0x3B, "unknown-0x3B" },
14042 { 0x3C, "unknown-0x3C" },
14043 { 0x3D, "unknown-0x3D" },
14044 { 0x3E, "unknown-0x3E" },
14045 { 0x3F, "unknown-0x3F" },
14046 { 0x40, "unknown-0x40" },
14047 { 0x41, "unknown-0x41" },
14048 { 0x42, "unknown-0x42" },
14049 { 0x43, "unknown-0x43" },
14050 { 0x44, "unknown-0x44" },
14051 { 0x45, "unknown-0x45" },
14052 { 0x46, "unknown-0x46" },
14053 { 0x47, "unknown-0x47" },
14054 { 0x48, "unknown-0x48" },
14055 { 0x49, "unknown-0x49" },
14056 { 0x4A, "unknown-0x4A" },
14057 { 0x4B, "unknown-0x4B" },
14058 { 0x4C, "unknown-0x4C" },
14059 { 0x4D, "unknown-0x4D" },
14060 { 0x4E, "unknown-0x4E" },
14061 { 0x4F, "unknown-0x4F" },
14062 { 0x50, "unknown-0x50" },
14063 { 0x51, "unknown-0x51" },
14064 { 0x52, "unknown-0x52" },
14065 { 0x53, "unknown-0x53" },
14066 { 0x54, "unknown-0x54" },
14067 { 0x55, "unknown-0x55" },
14068 { 0x56, "unknown-0x56" },
14069 { 0x57, "unknown-0x57" },
14070 { 0x58, "unknown-0x58" },
14071 { 0x59, "unknown-0x59" },
14072 { 0x5A, "unknown-0x5A" },
14073 { 0x5B, "unknown-0x5B" },
14074 { 0x5C, "unknown-0x5C" },
14075 { 0x5D, "unknown-0x5D" },
14076 { 0x5E, "unknown-0x5E" },
14077 { 0x5F, "unknown-0x5F" },
14078 { 0x60, "unknown-0x60" },
14079 { 0x61, "unknown-0x61" },
14080 { 0x62, "unknown-0x62" },
14081 { 0x63, "unknown-0x63" },
14082 { 0x64, "unknown-0x64" },
14083 { 0x65, "unknown-0x65" },
14084 { 0x66, "unknown-0x66" },
14085 { 0x67, "unknown-0x67" },
14086 { 0x68, "unknown-0x68" },
14087 { 0x69, "unknown-0x69" },
14088 { 0x6A, "unknown-0x6A" },
14089 { 0x6B, "unknown-0x6B" },
14090 { 0x6C, "unknown-0x6C" },
14091 { 0x6D, "unknown-0x6D" },
14092 { 0x6E, "unknown-0x6E" },
14093 { 0x6F, "unknown-0x6F" },
14094 { 0x70, "Tree Connect" },
14095 { 0x71, "Tree Disconnect" },
14096 { 0x72, "Negotiate Protocol" },
14097 { 0x73, "Session Setup AndX" },
14098 { 0x74, "Logoff AndX" },
14099 { 0x75, "Tree Connect AndX" },
14100 { 0x76, "unknown-0x76" },
14101 { 0x77, "unknown-0x77" },
14102 { 0x78, "unknown-0x78" },
14103 { 0x79, "unknown-0x79" },
14104 { 0x7A, "unknown-0x7A" },
14105 { 0x7B, "unknown-0x7B" },
14106 { 0x7C, "unknown-0x7C" },
14107 { 0x7D, "unknown-0x7D" },
14108 { 0x7E, "unknown-0x7E" },
14109 { 0x7F, "unknown-0x7F" },
14110 { 0x80, "Query Information Disk" },
14111 { 0x81, "Search" },
14113 { 0x83, "Find Unique" },
14114 { 0x84, "Find Close" },
14115 { 0x85, "unknown-0x85" },
14116 { 0x86, "unknown-0x86" },
14117 { 0x87, "unknown-0x87" },
14118 { 0x88, "unknown-0x88" },
14119 { 0x89, "unknown-0x89" },
14120 { 0x8A, "unknown-0x8A" },
14121 { 0x8B, "unknown-0x8B" },
14122 { 0x8C, "unknown-0x8C" },
14123 { 0x8D, "unknown-0x8D" },
14124 { 0x8E, "unknown-0x8E" },
14125 { 0x8F, "unknown-0x8F" },
14126 { 0x90, "unknown-0x90" },
14127 { 0x91, "unknown-0x91" },
14128 { 0x92, "unknown-0x92" },
14129 { 0x93, "unknown-0x93" },
14130 { 0x94, "unknown-0x94" },
14131 { 0x95, "unknown-0x95" },
14132 { 0x96, "unknown-0x96" },
14133 { 0x97, "unknown-0x97" },
14134 { 0x98, "unknown-0x98" },
14135 { 0x99, "unknown-0x99" },
14136 { 0x9A, "unknown-0x9A" },
14137 { 0x9B, "unknown-0x9B" },
14138 { 0x9C, "unknown-0x9C" },
14139 { 0x9D, "unknown-0x9D" },
14140 { 0x9E, "unknown-0x9E" },
14141 { 0x9F, "unknown-0x9F" },
14142 { 0xA0, "NT Transact" },
14143 { 0xA1, "NT Transact Secondary" },
14144 { 0xA2, "NT Create AndX" },
14145 { 0xA3, "unknown-0xA3" },
14146 { 0xA4, "NT Cancel" },
14147 { 0xA5, "NT Rename" },
14148 { 0xA6, "unknown-0xA6" },
14149 { 0xA7, "unknown-0xA7" },
14150 { 0xA8, "unknown-0xA8" },
14151 { 0xA9, "unknown-0xA9" },
14152 { 0xAA, "unknown-0xAA" },
14153 { 0xAB, "unknown-0xAB" },
14154 { 0xAC, "unknown-0xAC" },
14155 { 0xAD, "unknown-0xAD" },
14156 { 0xAE, "unknown-0xAE" },
14157 { 0xAF, "unknown-0xAF" },
14158 { 0xB0, "unknown-0xB0" },
14159 { 0xB1, "unknown-0xB1" },
14160 { 0xB2, "unknown-0xB2" },
14161 { 0xB3, "unknown-0xB3" },
14162 { 0xB4, "unknown-0xB4" },
14163 { 0xB5, "unknown-0xB5" },
14164 { 0xB6, "unknown-0xB6" },
14165 { 0xB7, "unknown-0xB7" },
14166 { 0xB8, "unknown-0xB8" },
14167 { 0xB9, "unknown-0xB9" },
14168 { 0xBA, "unknown-0xBA" },
14169 { 0xBB, "unknown-0xBB" },
14170 { 0xBC, "unknown-0xBC" },
14171 { 0xBD, "unknown-0xBD" },
14172 { 0xBE, "unknown-0xBE" },
14173 { 0xBF, "unknown-0xBF" },
14174 { 0xC0, "Open Print File" },
14175 { 0xC1, "Write Print File" },
14176 { 0xC2, "Close Print File" },
14177 { 0xC3, "Get Print Queue" },
14178 { 0xC4, "unknown-0xC4" },
14179 { 0xC5, "unknown-0xC5" },
14180 { 0xC6, "unknown-0xC6" },
14181 { 0xC7, "unknown-0xC7" },
14182 { 0xC8, "unknown-0xC8" },
14183 { 0xC9, "unknown-0xC9" },
14184 { 0xCA, "unknown-0xCA" },
14185 { 0xCB, "unknown-0xCB" },
14186 { 0xCC, "unknown-0xCC" },
14187 { 0xCD, "unknown-0xCD" },
14188 { 0xCE, "unknown-0xCE" },
14189 { 0xCF, "unknown-0xCF" },
14190 { 0xD0, "Send Single Block Message" },
14191 { 0xD1, "Send Broadcast Message" },
14192 { 0xD2, "Forward User Name" },
14193 { 0xD3, "Cancel Forward" },
14194 { 0xD4, "Get Machine Name" },
14195 { 0xD5, "Send Start of Multi-block Message" },
14196 { 0xD6, "Send End of Multi-block Message" },
14197 { 0xD7, "Send Text of Multi-block Message" },
14198 { 0xD8, "SMBreadbulk" },
14199 { 0xD9, "SMBwritebulk" },
14200 { 0xDA, "SMBwritebulkdata" },
14201 { 0xDB, "unknown-0xDB" },
14202 { 0xDC, "unknown-0xDC" },
14203 { 0xDD, "unknown-0xDD" },
14204 { 0xDE, "unknown-0xDE" },
14205 { 0xDF, "unknown-0xDF" },
14206 { 0xE0, "unknown-0xE0" },
14207 { 0xE1, "unknown-0xE1" },
14208 { 0xE2, "unknown-0xE2" },
14209 { 0xE3, "unknown-0xE3" },
14210 { 0xE4, "unknown-0xE4" },
14211 { 0xE5, "unknown-0xE5" },
14212 { 0xE6, "unknown-0xE6" },
14213 { 0xE7, "unknown-0xE7" },
14214 { 0xE8, "unknown-0xE8" },
14215 { 0xE9, "unknown-0xE9" },
14216 { 0xEA, "unknown-0xEA" },
14217 { 0xEB, "unknown-0xEB" },
14218 { 0xEC, "unknown-0xEC" },
14219 { 0xED, "unknown-0xED" },
14220 { 0xEE, "unknown-0xEE" },
14221 { 0xEF, "unknown-0xEF" },
14222 { 0xF0, "unknown-0xF0" },
14223 { 0xF1, "unknown-0xF1" },
14224 { 0xF2, "unknown-0xF2" },
14225 { 0xF3, "unknown-0xF3" },
14226 { 0xF4, "unknown-0xF4" },
14227 { 0xF5, "unknown-0xF5" },
14228 { 0xF6, "unknown-0xF6" },
14229 { 0xF7, "unknown-0xF7" },
14230 { 0xF8, "unknown-0xF8" },
14231 { 0xF9, "unknown-0xF9" },
14232 { 0xFA, "unknown-0xFA" },
14233 { 0xFB, "unknown-0xFB" },
14234 { 0xFC, "unknown-0xFC" },
14235 { 0xFD, "unknown-0xFD" },
14236 { 0xFE, "SMBinvalid" },
14237 { 0xFF, "unknown-0xFF" },
/*
 * Return the display name for an SMB command code by indexing smb_cmd_vals
 * directly rather than searching it.
 *
 * cmd is an unsigned char, so the index cannot be negative and is limited
 * to the 0x00-0xff range the table is meant to cover.  The lookup is correct
 * and in bounds only while smb_cmd_vals holds one entry per code, in order;
 * a shorter or reordered table would make this return the wrong name or
 * read past the array.
 *
 * NOTE(review): some codes (e.g. 0x02) are absent from the table as shown
 * on this page, and the gutter numbers skip at the same places, so those
 * entries were presumably lost from the listing rather than from the file
 * -- confirm against the real source.
 */
14241 static char *decode_smb_name(unsigned char cmd)
14243 return(smb_cmd_vals[cmd].strptr);
14248 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14249 * Everything TVBUFFIFIED above this line
14250 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * List callback (passed to g_slist_foreach() by smb_init_protocol()):
 * destroy the hash tables attached to one conv_tables_t.  The conv_tables_t
 * structure itself is not freed here.
 *
 * ctarg     - the list element, treated as a conv_tables_t *.
 * user_data - unused.
 *
 * NOTE(review): the dcerpc_* and tid_service tables are destroyed only when
 * non-NULL.  No such guard is visible for unmatched/matched, but gutter
 * numbers 14258 and 14260 are absent from this page, so a guard may have
 * been lost from the listing -- confirm.
 * NOTE(review): the lines shown do not reset the fields after destroying
 * the tables, so ct must not be used again after this call.
 */
14254 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
14256 conv_tables_t *ct = ctarg;
14259 g_hash_table_destroy(ct->unmatched);
14261 g_hash_table_destroy(ct->matched);
14262 if (ct->dcerpc_fid_to_frame)
14263 g_hash_table_destroy(ct->dcerpc_fid_to_frame);
14264 if (ct->dcerpc_frame_to_dcerpc_pdu)
14265 g_hash_table_destroy(ct->dcerpc_frame_to_dcerpc_pdu);
14266 if (ct->tid_service)
14267 g_hash_table_destroy(ct->tid_service);
/*
 * Reset the SMB dissector's per-capture state: destroy the memory chunks
 * left from a previous run, release the per-conversation hash tables and
 * the list that tracks them, then create fresh chunks.
 *
 * Everything allocated from the old chunks is released when the chunk is
 * destroyed, so no pointer into them may be kept across this call.
 *
 * NOTE(review): this listing has lost short lines (the gutter numbers
 * skip); the comment delimiters, braces and the last argument of each
 * g_mem_chunk_new() call are not visible here.
 */
14271 smb_init_protocol(void)
/* Each chunk pointer is tested first, so a chunk that was never created
 * is skipped. */
14273 if (smb_saved_info_key_chunk)
14274 g_mem_chunk_destroy(smb_saved_info_key_chunk);
14275 if (smb_saved_info_chunk)
14276 g_mem_chunk_destroy(smb_saved_info_chunk);
14277 if (smb_nt_transact_info_chunk)
14278 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
14279 if (smb_transact2_info_chunk)
14280 g_mem_chunk_destroy(smb_transact2_info_chunk);
14281 if (smb_transact_info_chunk)
14282 g_mem_chunk_destroy(smb_transact_info_chunk);
14285 * Free the hash tables attached to the conversation table
14286 * structures, and then free the list of conversation table
14287 * data structures (which doesn't free the data structures
14288 * themselves; that's done by destroying the chunk from
14289 * which they were allocated).
14292 g_slist_foreach(conv_tables, free_hash_tables, NULL);
14293 g_slist_free(conv_tables);
14294 conv_tables = NULL;
14298 * Now destroy the chunk from which the conversation table
14299 * structures were allocated.
14301 if (conv_tables_chunk)
14302 g_mem_chunk_destroy(conv_tables_chunk);
/* Recreate every chunk; each is sized as its init count times the size of
 * the structure it holds, and the assignment replaces the pointer that was
 * destroyed above. */
14304 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
14305 sizeof(smb_saved_info_t),
14306 smb_saved_info_init_count * sizeof(smb_saved_info_t),
14308 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
14309 sizeof(smb_saved_info_key_t),
14310 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
14312 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
14313 sizeof(smb_nt_transact_info_t),
14314 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
14316 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
14317 sizeof(smb_transact2_info_t),
14318 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
14320 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
14321 sizeof(smb_transact_info_t),
14322 smb_transact_info_init_count * sizeof(smb_transact_info_t),
14324 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
14325 sizeof(conv_tables_t),
14326 conv_tables_count * sizeof(conv_tables_t),
/*
 * Display names for the SMB error class values (SMB_SUCCESS, SMB_ERRDOS,
 * SMB_ERRSRV, SMB_ERRHRD, SMB_ERRCMD).  No use of this table is visible in
 * this part of the file.
 *
 * NOTE(review): value_string tables are scanned up to a terminating entry;
 * the terminator is not visible in this listing (short lines were lost)
 * -- confirm it is present in the real source.
 */
14330 static const value_string errcls_types[] = {
14331 { SMB_SUCCESS, "Success"},
14332 { SMB_ERRDOS, "DOS Error"},
14333 { SMB_ERRSRV, "Server Error"},
14334 { SMB_ERRHRD, "Hardware Error"},
14335 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
/*
 * Error-code names searched by decode_smb_error() through val_to_str();
 * codes not listed here are reported as "Unknown DOS error (%x)".
 * The array is not declared static, so it is visible to other files.
 *
 * NOTE(review): val_to_str() scans a value_string table up to its
 * terminating entry; the terminator (and gutter line 14340) is not visible
 * in this listing -- confirm it is present in the real source.
 */
14339 const value_string DOS_errors[] = {
14341 {SMBE_insufficientbuffer, "Insufficient buffer"},
14342 {SMBE_badfunc, "Invalid function (or system call)"},
14343 {SMBE_badfile, "File not found (pathname error)"},
14344 {SMBE_badpath, "Directory not found"},
14345 {SMBE_nofids, "Too many open files"},
14346 {SMBE_noaccess, "Access denied"},
14347 {SMBE_badfid, "Invalid fid"},
14348 {SMBE_nomem, "Out of memory"},
14349 {SMBE_badmem, "Invalid memory block address"},
14350 {SMBE_badenv, "Invalid environment"},
14351 {SMBE_badaccess, "Invalid open mode"},
14352 {SMBE_baddata, "Invalid data (only from ioctl call)"},
14353 {SMBE_res, "Reserved error code?"},
14354 {SMBE_baddrive, "Invalid drive"},
14355 {SMBE_remcd, "Attempt to delete current directory"},
14356 {SMBE_diffdevice, "Rename/move across different filesystems"},
14357 {SMBE_nofiles, "No more files found in file search"},
14358 {SMBE_badshare, "Share mode on file conflict with open mode"},
14359 {SMBE_lock, "Lock request conflicts with existing lock"},
14360 {SMBE_unsup, "Request unsupported, returned by Win 95"},
14361 {SMBE_nosuchshare, "Requested share does not exist"},
14362 {SMBE_filexists, "File in operation already exists"},
14363 {SMBE_cannotopen, "Cannot open the file specified"},
14364 {SMBE_unknownlevel, "Unknown info level"},
14365 {SMBE_invalidname, "Invalid name"},
14366 {SMBE_badpipe, "Named pipe invalid"},
14367 {SMBE_pipebusy, "All instances of pipe are busy"},
14368 {SMBE_pipeclosing, "Named pipe close in progress"},
14369 {SMBE_notconnected, "No process on other end of named pipe"},
14370 {SMBE_moredata, "More data to be returned"},
14371 {SMBE_baddirectory, "Invalid directory name in a path."},
14372 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
14373 {SMBE_eas_nsup, "Extended attributes not supported"},
14374 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
14375 {SMBE_unknownipc, "Unknown IPC Operation"},
14376 {SMBE_noipc, "Don't support ipc"},
14377 {SMBE_alreadyexists, "File already exists"},
14378 {SMBE_unknownprinterdriver, "Unknown printer driver"},
14379 {SMBE_invalidprintername, "Invalid printer name"},
14380 {SMBE_printeralreadyexists, "Printer already exists"},
14381 {SMBE_invaliddatatype, "Invalid data type"},
14382 {SMBE_invalidenvironment, "Invalid environment"},
14383 {SMBE_printerdriverinuse, "Printer driver in use"},
14384 {SMBE_invalidparam, "Invalid parameter"},
14385 {SMBE_invalidformsize, "Invalid form size"},
14386 {SMBE_invalidsecuritydescriptor, "Invalid security descriptor"},
14387 {SMBE_invalidowner, "Invalid owner"},
14388 {SMBE_nomoreitems, "No more items"},
14389 {SMBE_serverunavailable, "Server unavailable"},
14393 /* Error codes for the ERRSRV class */
/*
 * Searched by decode_smb_error() through val_to_str(); codes not listed
 * here are reported as "Unknown SRV error (%x)".
 *
 * NOTE(review): SMBE_badpw and SMBE_badPW are separate identifiers and
 * both appear below; their values are defined outside this view.  If the
 * values were equal, presumably only the first entry would ever be
 * returned -- verify against the header.
 * NOTE(review): the table's terminating entry is not visible in this
 * listing (short lines were lost) -- confirm it is present.
 */
14395 static const value_string SRV_errors[] = {
14396 {SMBE_error, "Non specific error code"},
14397 {SMBE_badpw, "Bad password"},
14398 {SMBE_badtype, "Reserved"},
14399 {SMBE_access, "No permissions to perform the requested operation"},
14400 {SMBE_invnid, "TID invalid"},
14401 {SMBE_invnetname, "Invalid network name. Service not found"},
14402 {SMBE_invdevice, "Invalid device"},
14403 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
14404 {SMBE_qfull, "Print queue full"},
14405 {SMBE_qtoobig, "Queued item too big"},
14406 {SMBE_qeof, "EOF on print queue dump"},
14407 {SMBE_invpfid, "Invalid print file in smb_fid"},
14408 {SMBE_smbcmd, "Unrecognised command"},
14409 {SMBE_srverror, "SMB server internal error"},
14410 {SMBE_filespecs, "Fid and pathname invalid combination"},
14411 {SMBE_badlink, "Bad link in request ???"},
14412 {SMBE_badpermits, "Access specified for a file is not valid"},
14413 {SMBE_badpid, "Bad process id in request"},
14414 {SMBE_setattrmode, "Attribute mode invalid"},
14415 {SMBE_paused, "Message server paused"},
14416 {SMBE_msgoff, "Not receiving messages"},
14417 {SMBE_noroom, "No room for message"},
14418 {SMBE_rmuns, "Too many remote usernames"},
14419 {SMBE_timeout, "Operation timed out"},
14420 {SMBE_noresource, "No resources currently available for request."},
14421 {SMBE_toomanyuids, "Too many userids"},
14422 {SMBE_baduid, "Bad userid"},
14423 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
14424 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
14425 {SMBE_contMPX, "Resume MPX mode"},
14426 {SMBE_badPW, "Bad Password???"},
14427 {SMBE_nosupport, "Operation not supported"},
14431 /* Error codes for the ERRHRD class */
/*
 * Searched by decode_smb_error() through val_to_str(); codes not listed
 * here are reported as "Unknown HRD error (%x)".
 *
 * SMBE_badshare and SMBE_lock also appear in DOS_errors with different
 * wording, so the text shown for those codes depends on which table
 * decode_smb_error() searches.
 *
 * NOTE(review): the table's terminating entry is not visible in this
 * listing (short lines were lost) -- confirm it is present.
 */
14433 static const value_string HRD_errors[] = {
14434 {SMBE_nowrite, "Read only media"},
14435 {SMBE_badunit, "Unknown device"},
14436 {SMBE_notready, "Drive not ready"},
14437 {SMBE_badcmd, "Unknown command"},
14438 {SMBE_data, "Data (CRC) error"},
14439 {SMBE_badreq, "Bad request structure length"},
14440 {SMBE_seek, "Seek error"},
14441 {SMBE_badmedia, "Unknown media type"},
14442 {SMBE_badsector, "Sector not found"},
14443 {SMBE_nopaper, "Printer out of paper"},
14444 {SMBE_write, "Write fault"},
14445 {SMBE_read, "Read fault"},
14446 {SMBE_general, "General failure"},
14447 {SMBE_badshare, "A open conflicts with an existing open"},
14448 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
14449 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
14450 {SMBE_FCBunavail, "No FCBs are available to process request"},
14451 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
14452 {SMBE_diskfull, "Disk full???"},
/*
 * Translate an SMB error class / error code pair into display text.
 *
 * The DOS, SRV and HRD tables are searched with val_to_str(), whose third
 * argument is the format used when the code is not in the table, so an
 * unlisted code yields an "Unknown ... error (%x)" string instead of a
 * failure.  An unrecognised class yields "Unknown error class!".
 *
 * The function is declared to return char * but returns string literals on
 * two of the visible paths, so callers must treat the result as read-only
 * and must not free it.
 *
 * NOTE(review): the switch and its case labels are not visible in this
 * listing (lines were lost); presumably SMB_ERRDOS, SMB_ERRSRV and
 * SMB_ERRHRD select the three tables -- confirm against the real source.
 */
14456 static char *decode_smb_error(guint8 errcls, guint16 errcode)
14463 return("No Error"); /* No error ??? */
14468 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
14473 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
14478 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
14483 return("Unknown error class!");
14490 /* These are the MS country codes from
14492 http://www.unicode.org/unicode/onlinedat/countries.html
14494 For countries that share the same number, I choose to use only the
14495 name of the largest country. Apologies for this. If this offends you,
14496 here is the table to change that.
14498 This also includes the code of 0 for "Default", which isn't in
14499 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
14500 header file. Presumably it means "don't override the setting
14501 on the user's machine".
14503 Future versions of Microsoft's "winnls.h" header file might include
14504 additional codes; the current version matches the Unicode Consortium's
14507 const value_string ms_country_codes[] = {
14513 { 27, "South Africa"},
14515 { 31, "Netherlands"},
14522 { 41, "Switzerland"},
14524 { 44, "United Kingdom"},
14532 { 54, "Argentina"},
14536 { 58, "Venezuela"},
14538 { 61, "Australia"},
14539 { 62, "Indonesia"},
14540 { 63, "Philippines"},
14541 { 64, "New Zealand"},
14542 { 65, "Singapore"},
14545 { 82, "South Korea"},
14557 {298, "Faroe Islands"},
14559 {352, "Luxembourg"},
14565 {370, "Lithuania"},
14574 {389, "Macedonia"},
14575 {420, "Czech Republic"},
14576 {421, "Slovak Republic"},
14578 {502, "Guatemala"},
14579 {503, "El Salvador"},
14581 {505, "Nicaragua"},
14582 {506, "Costa Rica"},
14588 {673, "Brunei Darussalam"},
14589 {852, "Hong Kong"},
14598 {966, "Saudi Arabia"},
14601 {971, "United Arab Emirates"},
14607 {994, "Azerbaijan"},
14609 {996, "Kyrgyzstan"},
14619 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
14621 const value_string NT_errors[] = {
14622 { 0x00000000, "STATUS_SUCCESS" },
14623 { 0x00000000, "STATUS_WAIT_0" },
14624 { 0x00000001, "STATUS_WAIT_1" },
14625 { 0x00000002, "STATUS_WAIT_2" },
14626 { 0x00000003, "STATUS_WAIT_3" },
14627 { 0x0000003F, "STATUS_WAIT_63" },
14628 { 0x00000080, "STATUS_ABANDONED" },
14629 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
14630 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
14631 { 0x000000C0, "STATUS_USER_APC" },
14632 { 0x00000100, "STATUS_KERNEL_APC" },
14633 { 0x00000101, "STATUS_ALERTED" },
14634 { 0x00000102, "STATUS_TIMEOUT" },
14635 { 0x00000103, "STATUS_PENDING" },
14636 { 0x00000104, "STATUS_REPARSE" },
14637 { 0x00000105, "STATUS_MORE_ENTRIES" },
14638 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
14639 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
14640 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
14641 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
14642 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
14643 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
14644 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
14645 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
14646 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
14647 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
14648 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
14649 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
14650 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
14651 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
14652 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
14653 { 0x00000116, "STATUS_CRASH_DUMP" },
14654 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
14655 { 0x00000118, "STATUS_REPARSE_OBJECT" },
14656 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
14657 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
14658 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
14659 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
14660 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
14661 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
14662 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
14663 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
14664 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
14665 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
14666 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
14667 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
14668 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
14669 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
14670 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
14671 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
14672 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
14673 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
14674 { 0x40000012, "STATUS_EVENT_DONE" },
14675 { 0x40000013, "STATUS_EVENT_PENDING" },
14676 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
14677 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
14678 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
14679 { 0x40000017, "STATUS_WAS_UNLOCKED" },
14680 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
14681 { 0x40000019, "STATUS_WAS_LOCKED" },
14682 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
14683 { 0x4000001B, "STATUS_ALREADY_WIN32" },
14684 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
14685 { 0x4000001D, "STATUS_WX86_CONTINUE" },
14686 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
14687 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
14688 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
14689 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
14690 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
14691 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
14692 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
14693 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
14694 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
14695 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
14696 { 0x80000003, "STATUS_BREAKPOINT" },
14697 { 0x80000004, "STATUS_SINGLE_STEP" },
14698 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
14699 { 0x80000006, "STATUS_NO_MORE_FILES" },
14700 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
14701 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
14702 { 0x8000000B, "STATUS_NO_INHERITANCE" },
14703 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
14704 { 0x8000000D, "STATUS_PARTIAL_COPY" },
14705 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
14706 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
14707 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
14708 { 0x80000011, "STATUS_DEVICE_BUSY" },
14709 { 0x80000012, "STATUS_NO_MORE_EAS" },
14710 { 0x80000013, "STATUS_INVALID_EA_NAME" },
14711 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
14712 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
14713 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
14714 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
14715 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
14716 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
14717 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
14718 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
14719 { 0x8000001D, "STATUS_BUS_RESET" },
14720 { 0x8000001E, "STATUS_END_OF_MEDIA" },
14721 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
14722 { 0x80000020, "STATUS_MEDIA_CHECK" },
14723 { 0x80000021, "STATUS_SETMARK_DETECTED" },
14724 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
14725 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
14726 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
14727 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
14728 { 0x80000026, "STATUS_LONGJUMP" },
14729 { 0x80040111, "MAPI_E_LOGON_FAILED" },
14730 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
14731 { 0x80090301, "SEC_E_INVALID_HANDLE" },
14732 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
14733 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
14734 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
14735 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
14736 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
14737 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
14738 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
14739 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
14740 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
14741 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
14742 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
14743 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
14744 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
14745 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
14746 { 0xC0000008, "STATUS_INVALID_HANDLE" },
14747 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
14748 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
14749 { 0xC000000B, "STATUS_INVALID_CID" },
14750 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
14751 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
14752 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
14753 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
14754 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
14755 { 0xC0000011, "STATUS_END_OF_FILE" },
14756 { 0xC0000012, "STATUS_WRONG_VOLUME" },
14757 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
14758 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
14759 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
14760 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
14761 { 0xC0000017, "STATUS_NO_MEMORY" },
14762 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
14763 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
14764 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
14765 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
14766 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
14767 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
14768 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
14769 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
14770 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
14771 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
14772 { 0xC0000022, "STATUS_ACCESS_DENIED" },
14773 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
14774 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
14775 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
14776 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
14777 { 0xC0000027, "STATUS_UNWIND" },
14778 { 0xC0000028, "STATUS_BAD_STACK" },
14779 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
14780 { 0xC000002A, "STATUS_NOT_LOCKED" },
14781 { 0xC000002B, "STATUS_PARITY_ERROR" },
14782 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
14783 { 0xC000002D, "STATUS_NOT_COMMITTED" },
14784 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
14785 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
14786 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
14787 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
14788 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
14789 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
14790 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
14791 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
14792 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
14793 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
14794 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
14795 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
14796 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
14797 { 0xC000003C, "STATUS_DATA_OVERRUN" },
14798 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
14799 { 0xC000003E, "STATUS_DATA_ERROR" },
14800 { 0xC000003F, "STATUS_CRC_ERROR" },
14801 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
14802 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
14803 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
14804 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
14805 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
14806 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
14807 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
14808 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
14809 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
14810 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
14811 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
14812 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
14813 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
14814 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
14815 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
14816 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
14817 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
14818 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
14819 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
14820 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
14821 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
14822 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
14823 { 0xC0000056, "STATUS_DELETE_PENDING" },
14824 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
14825 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
14826 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
14827 { 0xC000005A, "STATUS_INVALID_OWNER" },
14828 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
14829 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
14830 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
14831 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
14832 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
14833 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
14834 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
14835 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
14836 { 0xC0000063, "STATUS_USER_EXISTS" },
14837 { 0xC0000064, "STATUS_NO_SUCH_USER" },
14838 { 0xC0000065, "STATUS_GROUP_EXISTS" },
14839 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
14840 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
14841 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
14842 { 0xC0000069, "STATUS_LAST_ADMIN" },
14843 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
14844 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
14845 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
14846 { 0xC000006D, "STATUS_LOGON_FAILURE" },
14847 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
14848 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
14849 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
14850 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
14851 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
14852 { 0xC0000073, "STATUS_NONE_MAPPED" },
14853 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
14854 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
14855 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
14856 { 0xC0000077, "STATUS_INVALID_ACL" },
14857 { 0xC0000078, "STATUS_INVALID_SID" },
14858 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
14859 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
14860 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
14861 { 0xC000007C, "STATUS_NO_TOKEN" },
14862 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
14863 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
14864 { 0xC000007F, "STATUS_DISK_FULL" },
14865 { 0xC0000080, "STATUS_SERVER_DISABLED" },
14866 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
14867 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
14868 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
14869 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
14870 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
14871 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
14872 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
14873 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
14874 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
14875 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
14876 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
14877 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
14878 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
14879 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
14880 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
14881 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
14882 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
14883 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
14884 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
14885 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
14886 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
14887 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
14888 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
14889 { 0xC0000098, "STATUS_FILE_INVALID" },
14890 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
14891 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
14892 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
14893 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
14894 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
14895 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
14896 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
14897 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
14898 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
14899 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
14900 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
14901 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
14902 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
14903 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
14904 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
14905 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
14906 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
14907 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
14908 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
14909 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
14910 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
14911 { 0xC00000AE, "STATUS_PIPE_BUSY" },
14912 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
14913 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
14914 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
14915 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
14916 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
14917 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
14918 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
14919 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
14920 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
14921 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
14922 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
14923 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
14924 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
14925 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
14926 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
14927 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
14928 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
14929 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
14930 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
14931 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
14932 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
14933 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
14934 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
14935 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
14936 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
14937 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
14938 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
14939 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
14940 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
14941 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
14942 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
14943 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
14944 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
14945 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
14946 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
14947 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
14948 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
14949 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
14950 { 0xC00000D5, "STATUS_FILE_RENAMED" },
14951 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
14952 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
14953 { 0xC00000D8, "STATUS_CANT_WAIT" },
14954 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
14955 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
14956 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
14957 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
14958 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
14959 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
14960 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
14961 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
14962 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
14963 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
14964 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
14965 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
14966 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
14967 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
14968 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
14969 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
14970 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
14971 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
14972 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
14973 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
14974 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
14975 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
14976 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
14977 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
14978 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
14979 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
14980 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
14981 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
14982 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
14983 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
14984 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
14985 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
14986 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
14987 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
14988 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
14989 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
14990 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
14991 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
14992 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
14993 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
14994 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
14995 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
14996 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
14997 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
14998 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
14999 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
15000 { 0xC0000107, "STATUS_FILES_OPEN" },
15001 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
15002 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
15003 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
15004 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
15005 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
15006 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
15007 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
15008 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
15009 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
15010 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
15011 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
15012 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
15013 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
15014 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
15015 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
15016 { 0xC0000117, "STATUS_NO_LDT" },
15017 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
15018 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
15019 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
15020 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
15021 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
15022 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
15023 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
15024 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
15025 { 0xC0000120, "STATUS_CANCELLED" },
15026 { 0xC0000121, "STATUS_CANNOT_DELETE" },
15027 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
15028 { 0xC0000123, "STATUS_FILE_DELETED" },
15029 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
15030 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
15031 { 0xC0000126, "STATUS_SPECIAL_USER" },
15032 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
15033 { 0xC0000128, "STATUS_FILE_CLOSED" },
15034 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
15035 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
15036 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
15037 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
15038 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
15039 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
15040 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
15041 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
15042 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
15043 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
15044 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
15045 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
15046 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
15047 { 0xC0000136, "STATUS_OPEN_FAILED" },
15048 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
15049 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
15050 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
15051 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
15052 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
15053 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
15054 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
15055 { 0xC000013E, "STATUS_LINK_FAILED" },
15056 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
15057 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
15058 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
15059 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
15060 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
15061 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
15062 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
15063 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
15064 { 0xC0000147, "STATUS_NO_PAGEFILE" },
15065 { 0xC0000148, "STATUS_INVALID_LEVEL" },
15066 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
15067 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
15068 { 0xC000014B, "STATUS_PIPE_BROKEN" },
15069 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
15070 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
15071 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
15072 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
15073 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
15074 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
15075 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
15076 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
15077 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
15078 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
15079 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
15080 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
15081 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
15082 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
15083 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
15084 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
15085 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
15086 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
15087 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
15088 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
15089 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
15090 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
15091 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
15092 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
15093 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
15094 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
15095 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
15096 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
15097 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
15098 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
15099 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
15100 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
15101 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
15102 { 0xC000016D, "STATUS_FT_ORPHANING" },
15103 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
15104 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
15105 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
15106 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
15107 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
15108 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
15109 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
15110 { 0xC0000178, "STATUS_NO_MEDIA" },
15111 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
15112 { 0xC000017B, "STATUS_INVALID_MEMBER" },
15113 { 0xC000017C, "STATUS_KEY_DELETED" },
15114 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
15115 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
15116 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
15117 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
15118 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
15119 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
15120 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
15121 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
15122 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
15123 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
15124 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
15125 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
15126 { 0xC0000189, "STATUS_TOO_LATE" },
15127 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
15128 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
15129 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
15130 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
15131 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
15132 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
15133 { 0xC0000190, "STATUS_TRUST_FAILURE" },
15134 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
15135 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
15136 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
15137 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
15138 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
15139 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
15140 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
15141 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
15142 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
15143 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
15144 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
15145 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
15146 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
15147 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
15148 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
15149 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
15150 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
15151 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
15152 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
15153 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
15154 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
15155 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
15156 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
15157 { 0xC000020D, "STATUS_CONNECTION_RESET" },
15158 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
15159 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
15160 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
15161 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
15162 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
15163 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
15164 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
15165 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
15166 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
15167 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
15168 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
15169 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
15170 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
15171 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
15172 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
15173 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
15174 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
15175 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
15176 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
15177 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
15178 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
15179 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
15180 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
15181 { 0xC0000225, "STATUS_NOT_FOUND" },
15182 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
15183 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
15184 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
15185 { 0xC0000229, "STATUS_FAIL_CHECK" },
15186 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
15187 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
15188 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
15189 { 0xC000022D, "STATUS_RETRY" },
15190 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
15191 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
15192 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
15193 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
15194 { 0xC0000232, "STATUS_INVALID_VARIANT" },
15195 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
15196 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
15197 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
15198 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
15199 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
15200 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
15201 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
15202 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
15203 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
15204 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
15205 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
15206 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
15207 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
15208 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
15209 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
15210 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
15211 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
15212 { 0xC0000244, "STATUS_AUDIT_FAILED" },
15213 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
15214 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
15215 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
15216 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
15217 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
15218 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
15219 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
15220 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
15221 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
15222 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
15223 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
15224 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
15225 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
15226 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
15227 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
15228 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
15229 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
15230 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
15231 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
15232 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
15233 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
15234 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
15235 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
15236 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
15237 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
15238 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
15239 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
15240 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
15241 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
15242 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
15243 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
15244 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
15245 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
15246 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
15247 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
15248 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
15249 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
15250 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
15251 { 0xC0000272, "STATUS_NO_MATCH" },
15252 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
15253 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
15254 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
15255 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
15256 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
15257 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
15258 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
15259 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
15260 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
15261 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
15262 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
15263 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
15264 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
15265 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
15266 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
15267 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
15268 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
15269 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
15270 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
15271 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
15272 { 0xC000028E, "STATUS_NO_EFS" },
15273 { 0xC000028F, "STATUS_WRONG_EFS" },
15274 { 0xC0000290, "STATUS_NO_USER_KEYS" },
15275 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
15276 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
15277 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
15278 { 0x40000294, "STATUS_WAKE_SYSTEM" },
15279 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
15280 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
15281 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
15282 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
15283 { 0xC0000299, "STATUS_SHARED_POLICY" },
15284 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
15285 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
15286 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
15287 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
15288 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
15289 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
15290 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
15291 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
15292 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
15293 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
15294 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
15295 { 0xC00002A5, "STATUS_DS_BUSY" },
15296 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
15297 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
15298 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
15299 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
15300 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
15301 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
15302 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
15303 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
15304 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
15305 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
15306 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
15307 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
15308 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
15309 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
15310 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
15311 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
15312 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
15313 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
15314 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
15315 { 0xC00002B9, "STATUS_NOINTERFACE" },
15316 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
15317 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
15318 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
15319 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
15320 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
15321 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
15322 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
15323 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
15324 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
15325 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
15326 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
15327 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
15328 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
15329 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
15330 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
15331 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
15332 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
15333 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
15334 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
15335 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
15336 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
15337 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
15338 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
15339 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
15340 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
15341 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
15342 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
15343 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
15344 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
15345 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
15346 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
15347 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
15348 { 0xC00002E1, "STATUS_DS_CANT_START" },
15349 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
15350 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
15351 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
15352 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
15353 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
15354 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
15355 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
15356 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
15357 { 0xC0009898, "STATUS_WOW_ASSERTION" },
15358 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
15359 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
15360 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
15361 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
15362 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
15363 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
15364 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
15365 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
15366 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
15367 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
15368 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
15369 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
15370 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
15371 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
15372 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
15373 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
15374 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
15375 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
15376 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
15377 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
15378 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
15379 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
15380 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
15381 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
15382 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
15383 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
15384 { 0xC002001B, "RPC_NT_CALL_FAILED" },
15385 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
15386 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
15387 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
15388 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
15389 { 0xC0020022, "RPC_NT_INVALID_TAG" },
15390 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
15391 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
15392 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
15393 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
15394 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
15395 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
15396 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
15397 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
15398 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
15399 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
15400 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
15401 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
15402 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
15403 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
15404 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
15405 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
15406 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
15407 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
15408 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
15409 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
15410 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
15411 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
15412 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
15413 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
15414 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
15415 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
15416 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
15417 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
15418 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
15419 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
15420 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
15421 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
15422 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
15423 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
15424 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
15425 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
15426 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
15427 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
15428 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
15429 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
15430 { 0xC002100A, "RPC_P_SEND_FAILED" },
15431 { 0xC002100B, "RPC_P_TIMEOUT" },
15432 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
15433 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
15434 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
15435 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
15436 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
15437 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
15438 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
15439 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
15440 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
15441 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
15442 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
15443 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
15444 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
15445 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
15446 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
15447 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
15448 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
15449 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
15450 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
15451 { 0xC002004C, "EPT_NT_CANT_CREATE" },
15452 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
15453 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
15454 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
15455 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
15456 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
15457 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
15458 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
15459 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
15460 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
15461 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
15462 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
15463 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
15464 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
15465 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
15466 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
15467 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
15468 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
15469 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
/*
 * Display strings for the bits of the one-byte SMB header Flags field.
 * In each pair the first string is shown when the bit is set and the second
 * when it is clear.  The bit masks are bound in the hf[] table of
 * proto_register_smb(): lock 0x01, receive_buffer 0x02, caseless 0x08,
 * canon 0x10, oplock 0x20, notify 0x40, response 0x80.
 * NOTE(review): the closing "};" of each initializer is not visible in this
 * listing.
 */
15475 static const true_false_string tfs_smb_flags_lock = {
15476 "Lock&Read, Write&Unlock are supported",
15477 "Lock&Read, Write&Unlock are not supported"
15479 static const true_false_string tfs_smb_flags_receive_buffer = {
15480 "Receive buffer has been posted",
15481 "Receive buffer has not been posted"
15483 static const true_false_string tfs_smb_flags_caseless = {
15484 "Path names are caseless",
15485 "Path names are case sensitive"
15487 static const true_false_string tfs_smb_flags_canon = {
15488 "Pathnames are canonicalized",
15489 "Pathnames are not canonicalized"
15491 static const true_false_string tfs_smb_flags_oplock = {
15492 "OpLock requested/granted",
15493 "OpLock not requested/granted"
15495 static const true_false_string tfs_smb_flags_notify = {
15496 "Notify client on all modifications",
15497 "Notify client only on open"
/* Bit 0x80 is the direction bit that dissect_smb() tests as SMB_FLAGS_DIRN. */
15499 static const true_false_string tfs_smb_flags_response = {
15500 "Message is a response to the client/redirector",
15501 "Message is a request to the server"
/*
 * Dissect the one-byte SMB header Flags field found at "offset": adds a
 * "Flags: 0x.." text item under parent_tree and one boolean item per flag bit
 * beneath it.
 *
 * tvb          - buffer holding the packet bytes
 * parent_tree  - tree the Flags item is added to
 * offset       - byte offset of the Flags field within tvb
 *
 * The flag byte comes straight from captured traffic; in the visible code it
 * is only formatted and passed on for display, never used as a length or an
 * index.
 *
 * NOTE(review): the return type, the declaration of "mask", the braces and
 * the tail of the function are not visible in this listing.  dissect_smb()
 * assigns the result back to its own offset, so this presumably returns the
 * offset just past the field -- confirm against the full source.
 */
15505 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15508 proto_item *item = NULL;
15509 proto_tree *tree = NULL;
/* One byte, read as-is from the packet. */
15511 mask = tvb_get_guint8(tvb, offset);
/* Parent item showing the raw value; the per-bit items hang below it. */
15514 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
15515 "Flags: 0x%02x", mask);
15516 tree = proto_item_add_subtree(item, ett_smb_flags);
/* Every boolean gets the whole byte; the bit each one shows is selected by
 * the mask registered for its hf_ entry in proto_register_smb(). */
15518 proto_tree_add_boolean(tree, hf_smb_flags_response,
15519 tvb, offset, 1, mask);
15520 proto_tree_add_boolean(tree, hf_smb_flags_notify,
15521 tvb, offset, 1, mask);
15522 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
15523 tvb, offset, 1, mask);
15524 proto_tree_add_boolean(tree, hf_smb_flags_canon,
15525 tvb, offset, 1, mask);
15526 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
15527 tvb, offset, 1, mask);
15528 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
15529 tvb, offset, 1, mask);
15530 proto_tree_add_boolean(tree, hf_smb_flags_lock,
15531 tvb, offset, 1, mask);
/*
 * Display strings for the bits of the two-byte SMB header Flags2 field.
 * In each pair the first string is shown when the bit is set and the second
 * when it is clear.  The bit masks are bound in the hf[] table of
 * proto_register_smb(): long_names_allowed 0x0001, ea 0x0002, sec_sig 0x0004,
 * long_names_used 0x0040, esn 0x0800, dfs 0x1000, roe 0x2000,
 * nt_error 0x4000, string 0x8000.
 *
 * These strings report what the sender put in the header.  When reading a
 * capture, a set sec_sig or esn bit is a statement by the sender and should
 * not be taken on its own as evidence that signing or extended security was
 * enforced for the session.
 * NOTE(review): the closing "};" of each initializer is not visible in this
 * listing.
 */
15538 static const true_false_string tfs_smb_flags2_long_names_allowed = {
15539 "Long file names are allowed in the response",
15540 "Long file names are not allowed in the response"
15542 static const true_false_string tfs_smb_flags2_ea = {
15543 "Extended attributes are supported",
15544 "Extended attributes are not supported"
15546 static const true_false_string tfs_smb_flags2_sec_sig = {
15547 "Security signatures are supported",
15548 "Security signatures are not supported"
15550 static const true_false_string tfs_smb_flags2_long_names_used = {
15551 "Path names in request are long file names",
15552 "Path names in request are not long file names"
15554 static const true_false_string tfs_smb_flags2_esn = {
15555 "Extended security negotiation is supported",
15556 "Extended security negotiation is not supported"
15558 static const true_false_string tfs_smb_flags2_dfs = {
15559 "Resolve pathnames with Dfs",
15560 "Don't resolve pathnames with Dfs"
15562 static const true_false_string tfs_smb_flags2_roe = {
15563 "Permit reads if execute-only",
15564 "Don't permit reads if execute-only"
/* Bit 0x4000 also decides, in dissect_smb(), whether the status field is
 * decoded as a 32-bit NT status or as a DOS error class and code. */
15566 static const true_false_string tfs_smb_flags2_nt_error = {
15567 "Error codes are NT error codes",
15568 "Error codes are DOS error codes"
/* Bit 0x8000 also sets si->unicode in dissect_smb(). */
15570 static const true_false_string tfs_smb_flags2_string = {
15571 "Strings are Unicode",
15572 "Strings are ASCII"
/*
 * Dissect the two-byte, little-endian SMB header Flags2 field found at
 * "offset": adds a "Flags2: 0x...." text item under parent_tree and one
 * boolean item per flag bit beneath it.
 *
 * tvb          - buffer holding the packet bytes
 * parent_tree  - tree the Flags2 item is added to
 * offset       - byte offset of the Flags2 field within tvb
 *
 * The value comes straight from captured traffic; in the visible code it is
 * only formatted and passed on for display.
 *
 * NOTE(review): the return type, the declaration of "mask", the braces and
 * the tail of the function are not visible in this listing.  dissect_smb()
 * assigns the result back to its own offset, so this presumably returns the
 * offset just past the field -- confirm against the full source.
 */
15575 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15578 proto_item *item = NULL;
15579 proto_tree *tree = NULL;
/* Two bytes, little-endian, read as-is from the packet. */
15581 mask = tvb_get_letohs(tvb, offset);
/* Parent item showing the raw value; the per-bit items hang below it. */
15584 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
15585 "Flags2: 0x%04x", mask);
15586 tree = proto_item_add_subtree(item, ett_smb_flags2);
/* Every boolean gets the whole 16-bit value; the bit each one shows is
 * selected by the mask registered for its hf_ entry in proto_register_smb(). */
15589 proto_tree_add_boolean(tree, hf_smb_flags2_string,
15590 tvb, offset, 2, mask);
15591 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
15592 tvb, offset, 2, mask);
15593 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
15594 tvb, offset, 2, mask);
15595 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
15596 tvb, offset, 2, mask);
15597 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
15598 tvb, offset, 2, mask);
15599 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
15600 tvb, offset, 2, mask);
15601 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
15602 tvb, offset, 2, mask);
15603 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
15604 tvb, offset, 2, mask);
15605 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
15606 tvb, offset, 2, mask);
/* Direction bit of the header Flags byte: set on responses, clear on
 * requests (dissect_smb() derives si->request from it). */
15614 #define SMB_FLAGS_DIRN 0x80
/*
 * Top-level SMB dissector: decodes the 32-byte SMB header, pairs requests
 * with responses inside the current conversation, then hands the rest of the
 * packet to dissect_smb_command().
 *
 * tvb          - packet bytes, starting at the 4-byte SMB marker
 * pinfo        - per-packet state (addresses, ports, frame data, columns)
 * parent_tree  - protocol tree the SMB subtree is attached to
 *
 * Every header value used below (command, flags, TID/PID/UID/MID, status) is
 * read from captured traffic and is therefore chosen by whoever sent the
 * packet.  Request/response pairing is keyed on the PID/MID pair, so the
 * "Response to" / "Response in" / "Continuation to" links are a best-effort
 * aid for the analyst, not proof that two frames belong together.
 *
 * NOTE(review): this listing skips a number of source lines (return type,
 * braces, several declarations and conditions), so the control flow between
 * the visible statements has to be confirmed against the full file.
 */
15618 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
15621 proto_item *item = NULL, *hitem = NULL;
15622 proto_tree *tree = NULL, *htree = NULL;
/* Per-call state lives in a fixed array of 20 static slots; "si" below points
 * into it, so the data is presumably only good until the slot is handed out
 * again.  NOTE(review): the lines that advance and reset si_counter are not
 * visible in this listing. */
15625 static smb_info_t si_arr[20];
15626 static int si_counter=0;
15628 smb_saved_info_t *sip = NULL;
15629 smb_saved_info_key_t key;
15630 smb_saved_info_key_t *new_key;
15631 guint32 nt_status = 0;
15632 guint8 errclass = 0;
15633 guint16 errcode = 0;
15635 conversation_t *conversation;
15639 if(si_counter==20){
15642 si=&si_arr[si_counter];
15644 top_tree=parent_tree;
15646 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
15647 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
15649 if (check_col(pinfo->cinfo, COL_INFO)){
15650 col_clear(pinfo->cinfo, COL_INFO);
/* The header fields below are fetched at fixed offsets (up to offset+30) with
 * no length test in this function; a truncated packet is left to the tvb
 * accessors to reject.  NOTE(review): confirm they raise a bounds exception
 * rather than reading past the captured data. */
15653 /* start off using the local variable, we will allocate a new one if we
15655 si->cmd = tvb_get_guint8(tvb, offset+4);
15656 flags = tvb_get_guint8(tvb, offset+9);
15658 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
15659 * the direction flag appears never to be set, even for what appear
15660 * to be replies. Do some SMB servers fail to set that flag,
15661 * under the assumption that the client knows it's a reply because
15664 si->request = !(flags&SMB_FLAGS_DIRN);
15665 flags2 = tvb_get_letohs(tvb, offset+10);
15666 if(flags2 & 0x8000){
15667 si->unicode = TRUE; /* Mark them as Unicode */
15669 si->unicode = FALSE;
15671 si->tid = tvb_get_letohs(tvb, offset+24);
15672 si->pid = tvb_get_letohs(tvb, offset+26);
15673 si->uid = tvb_get_letohs(tvb, offset+28);
15674 si->mid = tvb_get_letohs(tvb, offset+30);
/* PID in the high 16 bits, MID in the low 16: this packed value is the key
 * for every lookup in the "unmatched" table below. */
15675 pid_mid = (si->pid << 16) | si->mid;
15676 si->info_level = -1;
15677 si->info_count = -1;
15680 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
15682 tree = proto_item_add_subtree(item, ett_smb);
15684 hitem = proto_tree_add_text(tree, tvb, offset, 32,
15687 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
15690 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
15691 offset += 4; /* Skip the marker */
15693 /* find which conversation we are part of and get the tables for that
15695 conversation = find_conversation(&pinfo->src, &pinfo->dst,
15696 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
15698 /* OK this is a new conversation so lets create it */
15699 conversation = conversation_new(&pinfo->src, &pinfo->dst,
15700 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
15702 /* see if we already have the smb data for this conversation */
15703 si->ct=conversation_get_proto_data(conversation, proto_smb);
15705 /* No, not yet. create it and attach it to the conversation */
15706 si->ct = g_mem_chunk_alloc(conv_tables_chunk);
15707 conv_tables = g_slist_prepend(conv_tables, si->ct);
15708 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
15709 smb_saved_info_equal_matched);
15710 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
15711 smb_saved_info_equal_unmatched);
15712 si->ct->dcerpc_fid_to_frame=g_hash_table_new(
15713 smb_saved_info_hash_unmatched,
15714 smb_saved_info_equal_unmatched);
15715 si->ct->dcerpc_frame_to_dcerpc_pdu=g_hash_table_new(
15716 smb_saved_info_hash_unmatched,
15717 smb_saved_info_equal_unmatched);
15718 si->ct->tid_service=g_hash_table_new(
15719 smb_saved_info_hash_unmatched,
15720 smb_saved_info_equal_unmatched);
15721 conversation_add_proto_data(conversation, proto_smb, si->ct);
15729 /* this is a broadcast SMB packet, there will not be a reply.
15730 We dont need to do anything
15733 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
15734 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
15735 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
15736 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
15737 /* Ok, we got a special request type. This request is either
15738 an NT Cancel or a continuation relative to a real request
15739 in an earlier packet. In either case, we don't expect any
15740 responses to this packet. For continuations, any later
15741 responses we see really just belong to the original request.
15742 Anyway, we want to remember this packet somehow and
15743 remember which original request it is associated with so
15744 we can say nice things such as "This is a Cancellation to
15745 the request in frame x", but we don't want the
15746 request/response matching to get messed up.
15748 The only thing we do in this case is trying to find which original
15749 request we match with and insert an entry for this "special"
15750 request for later reference. We continue to reference the original
15751 requests smb_saved_info_t but we dont touch it or change anything
15755 si->unidir = TRUE; /*we dont expect an answer to this one*/
/* The tables are only updated the first time a frame is dissected (frame not
 * yet marked visited); the lookup by frame number further down serves frames
 * that have been seen before. */
15757 if(!pinfo->fd->flags.visited){
15758 /* try to find which original call we match and if we
15759 find it add us to the matched table. Dont touch
15760 anything else since we dont want this one to mess
15761 up the request/response matching. We still consider
15762 the initial call the real request and this is only
15763 some sort of continuation.
15765 /* we only check the unmatched table and assume that the
15766 last seen MID matching ours is the right one.
15767 This can fail but is better than nothing
15769 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
15771 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15772 new_key->frame = pinfo->fd->num;
15773 new_key->pid_mid = pid_mid;
15774 g_hash_table_insert(si->ct->matched, new_key,
15778 /* we have seen this packet before; check the
15781 key.frame = pinfo->fd->num;
15782 key.pid_mid = pid_mid;
15783 sip=g_hash_table_lookup(si->ct->matched, &key);
15787 Too bad, unfortunately there is not really much we can
15788 do now since this means that we never saw the initial
15795 if(sip && sip->frame_req){
15797 case SMB_COM_NT_CANCEL:
15798 proto_tree_add_uint(htree, hf_smb_cancel_to,
15799 tvb, 0, 0, sip->frame_req);
15801 case SMB_COM_TRANSACTION_SECONDARY:
15802 case SMB_COM_TRANSACTION2_SECONDARY:
15803 case SMB_COM_NT_TRANSACT_SECONDARY:
15804 proto_tree_add_uint(htree, hf_smb_continuation_to,
15805 tvb, 0, 0, sip->frame_req);
15810 case SMB_COM_NT_CANCEL:
15811 proto_tree_add_text(htree, tvb, 0, 0,
15812 "Cancellation to: <unknown frame>");
15814 case SMB_COM_TRANSACTION_SECONDARY:
15815 case SMB_COM_TRANSACTION2_SECONDARY:
15816 case SMB_COM_NT_TRANSACT_SECONDARY:
15817 proto_tree_add_text(htree, tvb, 0, 0,
15818 "Continuation to: <unknown frame>");
15822 } else { /* normal bidirectional request or response */
15823 si->unidir = FALSE;
15825 if(!pinfo->fd->flags.visited){
15826 /* first see if we find an unmatched smb "equal" to
15829 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
15831 gboolean cmd_match=FALSE;
15834 * Make sure the SMB we found was the
15835 * same command, or a different command
15836 * that's another valid type of reply
15839 if(si->cmd==sip->cmd){
15842 else if(si->cmd==SMB_COM_NT_CANCEL){
15845 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
15846 && (sip->cmd==SMB_COM_TRANSACTION)){
15849 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
15850 && (sip->cmd==SMB_COM_TRANSACTION2)){
15853 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
15854 && (sip->cmd==SMB_COM_NT_TRANSACT)){
15858 if( (si->request) || (!cmd_match) ) {
15859 /* If we are processing an SMB request but there was already
15860 another "identical" smb resuest we had not matched yet.
15861 This must mean that either we have a retransmission or that the
15862 response to the previous one was lost and the client has reused
15863 the MID for this conversation. In either case it's not much more
15864 we can do than forget the old request and concentrate on the
15865 present one instead.
15867 We also do this cleanup if we see that the cmd in the original
15868 request in sip->cmd is not compatible with the current cmd.
15869 This is to prevent matching errors such as if there were two
15870 SMBs of different cmds but with identical MID and PID values and
15871 if ethereal lost the first reply and the second request.
15873 g_hash_table_remove(si->ct->unmatched, (void *)pid_mid);
15874 sip=NULL; /* XXX should free it as well */
/* NOTE(review): in the visible code, an entry put into "unmatched" is also
 * stored in "matched" under its request frame (see the two inserts further
 * down), so releasing it here as the XXX suggests would leave that table
 * holding a dangling pointer unless the "matched" entry is removed as well. */
15876 /* we have found a response to some request we have seen earlier.
15877 What we do now depends on whether this is the first response
15878 to that request we see (id frame_res==0) or not.
15880 if(sip->frame_res==0){
15881 /* ok it is the first response we have seen to this packet */
15882 sip->frame_res = pinfo->fd->num;
15883 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15884 new_key->frame = sip->frame_res;
15885 new_key->pid_mid = pid_mid;
15886 g_hash_table_insert(si->ct->matched, new_key, sip);
15888 /* we have already seen another response to this one, but
15889 register it anyway so we see which request it matches
15891 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15892 new_key->frame = pinfo->fd->num;
15893 new_key->pid_mid = pid_mid;
15894 g_hash_table_insert(si->ct->matched, new_key, sip);
15899 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
15900 sip->frame_req = pinfo->fd->num;
15901 sip->frame_res = 0;
15902 sip->req_time.secs=pinfo->fd->abs_secs;
15903 sip->req_time.nsecs=pinfo->fd->abs_usecs*1000;
15905 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)
15906 == (void *)TID_IPC) {
15907 sip->flags |= SMB_SIF_TID_IS_IPC;
15909 sip->cmd = si->cmd;
15910 sip->extra_info = NULL;
15911 g_hash_table_insert(si->ct->unmatched, (void *)pid_mid, sip);
15912 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15913 new_key->frame = sip->frame_req;
15914 new_key->pid_mid = pid_mid;
15915 g_hash_table_insert(si->ct->matched, new_key, sip);
15918 /* we have seen this packet before; check the
15920 If we haven't yet seen the reply, we won't
15921 find the info for it; we don't need it, as
15922 we only use it to save information, and, as
15923 we've seen this packet before, we've already
15924 saved the information.
15926 key.frame = pinfo->fd->num;
15927 key.pid_mid = pid_mid;
15928 sip=g_hash_table_lookup(si->ct->matched, &key);
15933 * Pass the "sip" on to subdissectors through "si".
15939 * Put in fields for the frame number of the frame to which
15940 * this is a response or the frame with the response to this
15941 * frame - if we know the frame number (i.e., it's not 0).
15944 if (sip->frame_res != 0)
15945 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
15947 if (sip->frame_req != 0) {
15948 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
15949 ns.secs = pinfo->fd->abs_secs - sip->req_time.secs;
15950 ns.nsecs = pinfo->fd->abs_usecs*1000 - sip->req_time.nsecs;
15952 ns.nsecs+=1000000000;
15955 proto_tree_add_time(htree, hf_smb_time, tvb,
15962 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
15965 if(flags2 & 0x4000){
15966 /* handle NT 32 bit error code */
15968 nt_status = tvb_get_letohl(tvb, offset);
15970 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
15975 /* handle DOS error code & class */
15976 errclass = tvb_get_guint8(tvb, offset);
15977 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
15981 /* reserved byte */
15982 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
15986 /* XXX - the type of this field depends on the value of
15987 * "errcls", so there is isn't a single value_string array
15988 * fo it, so there can't be a single field for it.
15990 errcode = tvb_get_letohs(tvb, offset);
15991 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
15992 offset, 2, errcode, "Error Code: %s",
15993 decode_smb_error(errclass, errcode));
15998 offset = dissect_smb_flags(tvb, htree, offset);
16001 offset = dissect_smb_flags2(tvb, htree, offset);
16006 * http://www.samba.org/samba/ftp/specs/smbpub.txt
16008 * (a text version of "Microsoft Networks SMB FILE SHARING
16009 * PROTOCOL, Document Version 6.0p") says that:
16011 * the first 2 bytes of these 12 bytes are, for NT Create and X,
16012 * the "High Part of PID";
16014 * the next four bytes are reserved;
16016 * the next four bytes are, for SMB-over-IPX (with no
16017 * NetBIOS involved) two bytes of Session ID and two bytes
16018 * of SequenceNumber.
16020 * Network Monitor 2.x dissects the four bytes before the Session ID
16021 * as a "Key", and the two bytes after the SequenceNumber as
16024 if (pinfo->ptype == PT_IPX &&
16025 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
16026 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
16027 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
16029 * This is SMB-over-IPX.
16030 * XXX - high part of pid?
16031 * XXX - doe we have to worry about "sequenced commands",
16032 * as per the Samba document? They say that for
16033 * "unsequenced commands" (with a sequence number of 0),
16034 * the Mid must be unique, but perhaps the Mid doesn't
16035 * have to be unique for sequenced commands. In at least
16036 * one capture with SMB-over-IPX, however, the Mids
16037 * are unique even for sequenced commands.
16039 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2,
16044 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
16049 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
16053 /* Sequence number */
16054 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
16059 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
16064 * 12 reserved bytes.
16065 * XXX - high part of pid?
16067 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 12, TRUE);
16072 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si->tid);
16076 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
16080 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid);
16084 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
/* Subdissectors and the tap receive "si", which points into the static
 * si_arr slot chosen at the top of this function. */
16087 pinfo->private_data = si;
16089 /* tap the packet before the dissectors are called so we still get
16090 the tap listener called even if there is an exception.
16092 tap_queue_packet(smb_tap, pinfo, si);
16093 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
16095 /* Append error info from this packet to info string. */
/* Only responses get the error text; for NT status codes the test below
 * requires both top bits (0xC0000000) to be set. */
16096 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
16097 if (flags2 & 0x4000) {
16099 * The status is an NT status code; was there
16102 if ((nt_status & 0xC0000000) == 0xC0000000) {
16107 pinfo->cinfo, COL_INFO, ", Error: %s",
16108 val_to_str(nt_status, NT_errors,
16109 "Unknown (0x%08X)"));
16113 * The status is a DOS error class and code; was
16116 if (errclass != SMB_SUCCESS) {
16121 pinfo->cinfo, COL_INFO, ", Error: %s",
16122 decode_smb_error(errclass, errcode));
/*
 * Heuristic entry point: treat the packet as SMB only if its first four bytes
 * are 0xFF 'S' 'M' 'B', then run the full dissector on it.
 *
 * tvb, pinfo, parent_tree - passed through unchanged to dissect_smb()
 *
 * Only the 4-byte marker is length-checked here.  dissect_smb() goes on to
 * read header fields well beyond it, so short or malformed packets that carry
 * a valid marker depend on the tvb accessors for bounds enforcement.
 *
 * NOTE(review): the return type and the return statements are not visible in
 * this listing.
 */
16129 dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
16131 /* must check that this really is a smb packet */
16132 if (!tvb_bytes_exist(tvb, 0, 4))
/* Marker comparison; any mismatch means the packet is not claimed as SMB. */
16135 if( (tvb_get_guint8(tvb, 0) != 0xff)
16136 || (tvb_get_guint8(tvb, 1) != 'S')
16137 || (tvb_get_guint8(tvb, 2) != 'M')
16138 || (tvb_get_guint8(tvb, 3) != 'B') ){
16142 dissect_smb(tvb, pinfo, parent_tree);
16147 proto_register_smb(void)
16149 static hf_register_info hf[] = {
16151 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
16152 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
16154 { &hf_smb_word_count,
16155 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
16156 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
16158 { &hf_smb_byte_count,
16159 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
16160 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
16162 { &hf_smb_response_to,
16163 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
16164 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
16167 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
16168 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
16170 { &hf_smb_response_in,
16171 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
16172 NULL, 0, "The response to this packet is in this packet", HFILL }},
16174 { &hf_smb_continuation_to,
16175 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
16176 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
16178 { &hf_smb_nt_status,
16179 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
16180 VALS(NT_errors), 0, "NT Status code", HFILL }},
16182 { &hf_smb_error_class,
16183 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
16184 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
16186 { &hf_smb_error_code,
16187 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
16188 NULL, 0, "DOS Error Code", HFILL }},
16190 { &hf_smb_reserved,
16191 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
16192 NULL, 0, "Reserved bytes, must be zero", HFILL }},
16195 { "Key", "smb.key", FT_UINT32, BASE_HEX,
16196 NULL, 0, "SMB-over-IPX Key", HFILL }},
16198 { &hf_smb_session_id,
16199 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
16200 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
16202 { &hf_smb_sequence_num,
16203 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
16204 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
16206 { &hf_smb_group_id,
16207 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
16208 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
16211 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
16212 NULL, 0, "Process ID", HFILL }},
16215 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
16216 NULL, 0, "Tree ID", HFILL }},
16219 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
16220 NULL, 0, "User ID", HFILL }},
16223 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
16224 NULL, 0, "Multiplex ID", HFILL }},
16226 { &hf_smb_flags_lock,
16227 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
16228 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
16230 { &hf_smb_flags_receive_buffer,
16231 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
16232 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
16234 { &hf_smb_flags_caseless,
16235 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
16236 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
16238 { &hf_smb_flags_canon,
16239 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
16240 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
16242 { &hf_smb_flags_oplock,
16243 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
16244 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
16246 { &hf_smb_flags_notify,
16247 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
16248 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
16250 { &hf_smb_flags_response,
16251 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
16252 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
16254 { &hf_smb_flags2_long_names_allowed,
16255 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
16256 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
16258 { &hf_smb_flags2_ea,
16259 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
16260 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
16262 { &hf_smb_flags2_sec_sig,
16263 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
16264 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
16266 { &hf_smb_flags2_long_names_used,
16267 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
16268 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
16270 { &hf_smb_flags2_esn,
16271 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
16272 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
16274 { &hf_smb_flags2_dfs,
16275 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
16276 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
16278 { &hf_smb_flags2_roe,
16279 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
16280 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
16282 { &hf_smb_flags2_nt_error,
16283 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
16284 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
16286 { &hf_smb_flags2_string,
16287 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
16288 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
16290 { &hf_smb_buffer_format,
16291 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
16292 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
16294 { &hf_smb_dialect_name,
16295 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
16296 NULL, 0, "Name of dialect", HFILL }},
16298 { &hf_smb_dialect_index,
16299 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
16300 NULL, 0, "Index of selected dialect", HFILL }},
16302 { &hf_smb_max_trans_buf_size,
16303 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
16304 NULL, 0, "Maximum transmit buffer size", HFILL }},
16306 { &hf_smb_max_mpx_count,
16307 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
16308 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
16310 { &hf_smb_max_vcs_num,
16311 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
16312 NULL, 0, "Maximum VCs between client and server", HFILL }},
16314 { &hf_smb_session_key,
16315 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
16316 NULL, 0, "Unique token identifying this session", HFILL }},
16318 { &hf_smb_server_timezone,
16319 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
16320 NULL, 0, "Current timezone at server.", HFILL }},
16322 { &hf_smb_encryption_key_length,
16323 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
16324 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
16326 { &hf_smb_encryption_key,
16327 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
16328 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
16330 { &hf_smb_primary_domain,
16331 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
16332 NULL, 0, "The server's primary domain", HFILL }},
16335 { "Server", "smb.server", FT_STRING, BASE_NONE,
16336 NULL, 0, "The name of the DC/server", HFILL }},
16338 { &hf_smb_max_raw_buf_size,
16339 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
16340 NULL, 0, "Maximum raw buffer size", HFILL }},
16342 { &hf_smb_server_guid,
16343 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
16344 NULL, 0, "Globally unique identifier for this server", HFILL }},
16346 { &hf_smb_security_blob_len,
16347 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
16348 NULL, 0, "Security blob length", HFILL }},
16350 { &hf_smb_security_blob,
16351 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
16352 NULL, 0, "Security blob", HFILL }},
16354 { &hf_smb_sm_mode16,
16355 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
16356 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
16358 { &hf_smb_sm_password16,
16359 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
16360 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
16363 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
16364 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
16366 { &hf_smb_sm_password,
16367 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
16368 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
16370 { &hf_smb_sm_signatures,
16371 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
16372 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
16374 { &hf_smb_sm_sig_required,
16375 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
16376 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
16379 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
16380 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
16382 { &hf_smb_rm_write,
16383 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
16384 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
16386 { &hf_smb_server_date_time,
16387 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
16388 NULL, 0, "Current date and time at server", HFILL }},
16390 { &hf_smb_server_smb_date,
16391 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
16392 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
16394 { &hf_smb_server_smb_time,
16395 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
16396 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
16398 { &hf_smb_server_cap_raw_mode,
16399 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
16400 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
16402 { &hf_smb_server_cap_mpx_mode,
16403 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
16404 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
16406 { &hf_smb_server_cap_unicode,
16407 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
16408 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
16410 { &hf_smb_server_cap_large_files,
16411 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
16412 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
16414 { &hf_smb_server_cap_nt_smbs,
16415 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
16416 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
16418 { &hf_smb_server_cap_rpc_remote_apis,
16419 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
16420 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
16422 { &hf_smb_server_cap_nt_status,
16423 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
16424 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
16426 { &hf_smb_server_cap_level_ii_oplocks,
16427 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
16428 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
16430 { &hf_smb_server_cap_lock_and_read,
16431 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
16432 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
16434 { &hf_smb_server_cap_nt_find,
16435 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
16436 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
16438 { &hf_smb_server_cap_dfs,
16439 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
16440 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
16442 { &hf_smb_server_cap_infolevel_passthru,
16443 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
16444 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
16446 { &hf_smb_server_cap_large_readx,
16447 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
16448 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
16450 { &hf_smb_server_cap_large_writex,
16451 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
16452 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
16454 { &hf_smb_server_cap_unix,
16455 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
16456 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
16458 { &hf_smb_server_cap_reserved,
16459 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
16460 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
16462 { &hf_smb_server_cap_bulk_transfer,
16463 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
16464 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
16466 { &hf_smb_server_cap_compressed_data,
16467 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
16468 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
16470 { &hf_smb_server_cap_extended_security,
16471 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
16472 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
16474 { &hf_smb_system_time,
16475 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
16476 NULL, 0, "System Time", HFILL }},
16479 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
16480 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
16482 { &hf_smb_dir_name,
16483 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
16484 NULL, 0, "SMB Directory Name", HFILL }},
16486 { &hf_smb_echo_count,
16487 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
16488 NULL, 0, "Number of times to echo data back", HFILL }},
16490 { &hf_smb_echo_data,
16491 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
16492 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
16494 { &hf_smb_echo_seq_num,
16495 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
16496 NULL, 0, "Sequence number for this echo response", HFILL }},
16498 { &hf_smb_max_buf_size,
16499 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
16500 NULL, 0, "Max client buffer size", HFILL }},
16503 { "Path", "smb.path", FT_STRING, BASE_NONE,
16504 NULL, 0, "Path. Server name and share name", HFILL }},
16507 { "Service", "smb.service", FT_STRING, BASE_NONE,
16508 NULL, 0, "Service name", HFILL }},
16510 { &hf_smb_password,
16511 { "Password", "smb.password", FT_BYTES, BASE_NONE,
16512 NULL, 0, "Password", HFILL }},
16514 { &hf_smb_ansi_password,
16515 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
16516 NULL, 0, "ANSI Password", HFILL }},
16518 { &hf_smb_unicode_password,
16519 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
16520 NULL, 0, "Unicode Password", HFILL }},
16522 { &hf_smb_move_flags_file,
16523 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
16524 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
16526 { &hf_smb_move_flags_dir,
16527 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
16528 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
16530 { &hf_smb_move_flags_verify,
16531 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
16532 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
16534 { &hf_smb_files_moved,
16535 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
16536 NULL, 0, "Number of files moved", HFILL }},
16538 { &hf_smb_copy_flags_file,
16539 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
16540 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
16542 { &hf_smb_copy_flags_dir,
16543 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
16544 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
16546 { &hf_smb_copy_flags_dest_mode,
16547 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
16548 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
16550 { &hf_smb_copy_flags_source_mode,
16551 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
16552 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
16554 { &hf_smb_copy_flags_verify,
16555 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
16556 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
16558 { &hf_smb_copy_flags_tree_copy,
16559 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
16560 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
16562 { &hf_smb_copy_flags_ea_action,
16563 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
16564 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
16567 { "Count", "smb.count", FT_UINT32, BASE_DEC,
16568 NULL, 0, "Count number of items/bytes", HFILL }},
16570 { &hf_smb_file_name,
16571 { "File Name", "smb.file", FT_STRING, BASE_NONE,
16572 NULL, 0, "File Name", HFILL }},
16574 { &hf_smb_open_function_create,
16575 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
16576 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
16578 { &hf_smb_open_function_open,
16579 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
16580 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
16583 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
16584 NULL, 0, "FID: File ID", HFILL }},
16586 { &hf_smb_file_attr_read_only_16bit,
16587 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
16588 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16590 { &hf_smb_file_attr_read_only_8bit,
16591 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
16592 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16594 { &hf_smb_file_attr_hidden_16bit,
16595 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
16596 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16598 { &hf_smb_file_attr_hidden_8bit,
16599 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
16600 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16602 { &hf_smb_file_attr_system_16bit,
16603 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
16604 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16606 { &hf_smb_file_attr_system_8bit,
16607 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
16608 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16610 { &hf_smb_file_attr_volume_16bit,
16611 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
16612 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
16614 { &hf_smb_file_attr_volume_8bit,
16615 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
16616 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
16618 { &hf_smb_file_attr_directory_16bit,
16619 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
16620 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16622 { &hf_smb_file_attr_directory_8bit,
16623 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
16624 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16626 { &hf_smb_file_attr_archive_16bit,
16627 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
16628 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16630 { &hf_smb_file_attr_archive_8bit,
16631 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
16632 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16634 { &hf_smb_file_attr_device,
16635 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
16636 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
16638 { &hf_smb_file_attr_normal,
16639 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
16640 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
16642 { &hf_smb_file_attr_temporary,
16643 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
16644 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
16646 { &hf_smb_file_attr_sparse,
16647 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
16648 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
16650 { &hf_smb_file_attr_reparse,
16651 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
16652 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
16654 { &hf_smb_file_attr_compressed,
16655 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
16656 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
16658 { &hf_smb_file_attr_offline,
16659 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
16660 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
16662 { &hf_smb_file_attr_not_content_indexed,
16663 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
16664 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
16666 { &hf_smb_file_attr_encrypted,
16667 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
16668 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
16670 { &hf_smb_file_size,
16671 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
16672 NULL, 0, "File Size", HFILL }},
16674 { &hf_smb_search_attribute_read_only,
16675 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
16676 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
16678 { &hf_smb_search_attribute_hidden,
16679 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
16680 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
16682 { &hf_smb_search_attribute_system,
16683 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
16684 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
16686 { &hf_smb_search_attribute_volume,
16687 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
16688 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
16690 { &hf_smb_search_attribute_directory,
16691 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
16692 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
16694 { &hf_smb_search_attribute_archive,
16695 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
16696 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
16698 { &hf_smb_access_mode,
16699 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
16700 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
16702 { &hf_smb_access_sharing,
16703 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
16704 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
16706 { &hf_smb_access_locality,
16707 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
16708 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
16710 { &hf_smb_access_caching,
16711 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
16712 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
16714 { &hf_smb_access_writetru,
16715 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
16716 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
16718 { &hf_smb_create_time,
16719 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
16720 NULL, 0, "Creation Time", HFILL }},
16722 { &hf_smb_modify_time,
16723 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
16724 NULL, 0, "Modification Time", HFILL }},
16726 { &hf_smb_backup_time,
16727 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
16728 NULL, 0, "Backup time", HFILL}},
16730 { &hf_smb_mac_alloc_block_count,
16731 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
16732 NULL, 0, "Allocation Block Count", HFILL}},
16734 { &hf_smb_mac_alloc_block_size,
16735 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
16736 NULL, 0, "Allocation Block Size", HFILL}},
16738 { &hf_smb_mac_free_block_count,
16739 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
16740 NULL, 0, "Free Block Count", HFILL}},
16742 { &hf_smb_mac_root_file_count,
16743 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
16744 NULL, 0, "Root File Count", HFILL}},
16746 { &hf_smb_mac_root_dir_count,
16747 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
16748 NULL, 0, "Root Directory Count", HFILL}},
16750 { &hf_smb_mac_file_count,
16751 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
16752 NULL, 0, "File Count", HFILL}},
16754 { &hf_smb_mac_dir_count,
16755 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
16756 NULL, 0, "Directory Count", HFILL}},
16758 { &hf_smb_mac_support_flags,
16759 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
16760 NULL, 0, "Mac Support Flags", HFILL}},
16762 { &hf_smb_mac_sup_access_ctrl,
16763 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
16764 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
16766 { &hf_smb_mac_sup_getset_comments,
16767 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
16768 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
16770 { &hf_smb_mac_sup_desktopdb_calls,
16771 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
16772 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
16774 { &hf_smb_mac_sup_unique_ids,
16775 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
16776 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
16778 { &hf_smb_mac_sup_streams,
16779 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
16780 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
16782 { &hf_smb_create_dos_date,
16783 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
16784 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
16786 { &hf_smb_create_dos_time,
16787 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
16788 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
16790 { &hf_smb_last_write_time,
16791 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
16792 NULL, 0, "Time this file was last written to", HFILL }},
16794 { &hf_smb_last_write_dos_date,
16795 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
16796 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
16798 { &hf_smb_last_write_dos_time,
16799 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
16800 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
16802 { &hf_smb_old_file_name,
16803 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
16804 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
16807 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
16808 NULL, 0, "Offset in file", HFILL }},
16810 { &hf_smb_remaining,
16811 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
16812 NULL, 0, "Remaining number of bytes", HFILL }},
16815 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
16816 NULL, 0, "Padding or unknown data", HFILL }},
16818 { &hf_smb_file_data,
16819 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
16820 NULL, 0, "Data read/written to the file", HFILL }},
16822 { &hf_smb_mac_fndrinfo,
16823 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
16824 NULL, 0, "Finder Info", HFILL}},
16826 { &hf_smb_total_data_len,
16827 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
16828 NULL, 0, "Total length of data", HFILL }},
16830 { &hf_smb_data_len,
16831 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
16832 NULL, 0, "Length of data", HFILL }},
16834 { &hf_smb_seek_mode,
16835 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
16836 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
16838 { &hf_smb_access_time,
16839 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
16840 NULL, 0, "Last Access Time", HFILL }},
16842 { &hf_smb_access_dos_date,
16843 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
16844 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
16846 { &hf_smb_access_dos_time,
16847 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
16848 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
16850 { &hf_smb_data_size,
16851 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
16852 NULL, 0, "Data Size", HFILL }},
16854 { &hf_smb_alloc_size,
16855 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
16856 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
16858 { &hf_smb_max_count,
16859 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
16860 NULL, 0, "Maximum Count", HFILL }},
16862 { &hf_smb_min_count,
16863 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
16864 NULL, 0, "Minimum Count", HFILL }},
16867 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
16868 NULL, 0, "Timeout in miliseconds", HFILL }},
16870 { &hf_smb_high_offset,
16871 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
16872 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
16875 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
16876 NULL, 0, "Total number of units at server", HFILL }},
16879 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
16880 NULL, 0, "Blocks per unit at server", HFILL }},
16882 { &hf_smb_blocksize,
16883 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
16884 NULL, 0, "Block size (in bytes) at server", HFILL }},
16886 { &hf_smb_freeunits,
16887 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
16888 NULL, 0, "Number of free units at server", HFILL }},
16890 { &hf_smb_data_offset,
16891 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
16892 NULL, 0, "Data Offset", HFILL }},
16895 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
16896 NULL, 0, "Data Compaction Mode", HFILL }},
16898 { &hf_smb_request_mask,
16899 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
16900 NULL, 0, "Connectionless mode mask", HFILL }},
16902 { &hf_smb_response_mask,
16903 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
16904 NULL, 0, "Connectionless mode mask", HFILL }},
16906 { &hf_smb_search_id,
16907 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
16908 NULL, 0, "Search ID, handle for find operations", HFILL }},
16910 { &hf_smb_write_mode_write_through,
16911 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
16912 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
16914 { &hf_smb_write_mode_return_remaining,
16915 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
16916 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
16918 { &hf_smb_write_mode_raw,
16919 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
16920 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
16922 { &hf_smb_write_mode_message_start,
16923 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
16924 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
16926 { &hf_smb_write_mode_connectionless,
16927 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
16928 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
16930 { &hf_smb_resume_key_len,
16931 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
16932 NULL, 0, "Resume Key length", HFILL }},
16934 { &hf_smb_resume_find_id,
16935 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
16936 NULL, 0, "Handle for Find operation", HFILL }},
16938 { &hf_smb_resume_server_cookie,
16939 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
16940 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
16942 { &hf_smb_resume_client_cookie,
16943 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
16944 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
16946 { &hf_smb_andxoffset,
16947 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
16948 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
16950 { &hf_smb_lock_type_large,
16951 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
16952 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
16954 { &hf_smb_lock_type_cancel,
16955 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
16956 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
16958 { &hf_smb_lock_type_change,
16959 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
16960 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
16962 { &hf_smb_lock_type_oplock,
16963 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
16964 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
16966 { &hf_smb_lock_type_shared,
16967 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
16968 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
16970 { &hf_smb_locking_ol,
16971 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
16972 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
16974 { &hf_smb_number_of_locks,
16975 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
16976 NULL, 0, "Number of lock requests in this request", HFILL }},
16978 { &hf_smb_number_of_unlocks,
16979 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
16980 NULL, 0, "Number of unlock requests in this request", HFILL }},
16982 { &hf_smb_lock_long_length,
16983 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
16984 NULL, 0, "Length of lock/unlock region", HFILL }},
16986 { &hf_smb_lock_long_offset,
16987 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
16988 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
16990 { &hf_smb_file_type,
16991 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
16992 VALS(filetype_vals), 0, "Type of file", HFILL }},
16994 { &hf_smb_ipc_state_nonblocking,
16995 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
16996 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
16998 { &hf_smb_ipc_state_endpoint,
16999 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
17000 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
17002 { &hf_smb_ipc_state_pipe_type,
17003 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
17004 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
17006 { &hf_smb_ipc_state_read_mode,
17007 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
17008 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
17010 { &hf_smb_ipc_state_icount,
17011 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
17012 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
17014 { &hf_smb_server_fid,
17015 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
17016 NULL, 0, "Server unique File ID", HFILL }},
17018 { &hf_smb_open_flags_add_info,
17019 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
17020 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
17022 { &hf_smb_open_flags_ex_oplock,
17023 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
17024 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
17026 { &hf_smb_open_flags_batch_oplock,
17027 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
17028 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
17030 { &hf_smb_open_flags_ealen,
17031 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
17032 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
17034 { &hf_smb_open_action_open,
17035 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
17036 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
17038 { &hf_smb_open_action_lock,
17039 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
17040 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
17043 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
17044 NULL, 0, "VC Number", HFILL }},
17046 { &hf_smb_password_len,
17047 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
17048 NULL, 0, "Length of password", HFILL }},
17050 { &hf_smb_ansi_password_len,
17051 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
17052 NULL, 0, "Length of ANSI password", HFILL }},
17054 { &hf_smb_unicode_password_len,
17055 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
17056 NULL, 0, "Length of Unicode password", HFILL }},
17059 { "Account", "smb.account", FT_STRING, BASE_NONE,
17060 NULL, 0, "Account, username", HFILL }},
17063 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
17064 NULL, 0, "Which OS we are running", HFILL }},
17067 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
17068 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
17070 { &hf_smb_setup_action_guest,
17071 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
17072 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
17075 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
17076 NULL, 0, "Native File System", HFILL }},
17078 { &hf_smb_connect_flags_dtid,
17079 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
17080 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
17082 { &hf_smb_connect_support_search,
17083 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
17084 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
17086 { &hf_smb_connect_support_in_dfs,
17087 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
17088 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
17090 { &hf_smb_max_setup_count,
17091 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
17092 NULL, 0, "Maximum number of setup words to return", HFILL }},
17094 { &hf_smb_total_param_count,
17095 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
17096 NULL, 0, "Total number of parameter bytes", HFILL }},
17098 { &hf_smb_total_data_count,
17099 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
17100 NULL, 0, "Total number of data bytes", HFILL }},
17102 { &hf_smb_max_param_count,
17103 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
17104 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
17106 { &hf_smb_max_data_count,
17107 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
17108 NULL, 0, "Maximum number of data bytes to return", HFILL }},
17110 { &hf_smb_param_disp16,
17111 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
17112 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17114 { &hf_smb_param_count16,
17115 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
17116 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17118 { &hf_smb_param_offset16,
17119 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
17120 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17122 { &hf_smb_param_disp32,
17123 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
17124 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17126 { &hf_smb_param_count32,
17127 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
17128 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17130 { &hf_smb_param_offset32,
17131 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
17132 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17134 { &hf_smb_data_count16,
17135 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
17136 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17138 { &hf_smb_data_disp16,
17139 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
17140 NULL, 0, "Data Displacement", HFILL }},
17142 { &hf_smb_data_offset16,
17143 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17144 NULL, 0, "Data Offset", HFILL }},
17146 { &hf_smb_data_count32,
17147 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
17148 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17150 { &hf_smb_data_disp32,
17151 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
17152 NULL, 0, "Data Displacement", HFILL }},
17154 { &hf_smb_data_offset32,
17155 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
17156 NULL, 0, "Data Offset", HFILL }},
17158 { &hf_smb_setup_count,
17159 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
17160 NULL, 0, "Number of setup words in this buffer", HFILL }},
17162 { &hf_smb_nt_trans_subcmd,
17163 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
17164 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
17166 { &hf_smb_nt_ioctl_function_code,
17167 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
17168 NULL, 0, "NT IOCTL function code", HFILL }},
17170 { &hf_smb_nt_ioctl_isfsctl,
17171 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
17172 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
17174 { &hf_smb_nt_ioctl_flags_root_handle,
17175 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
17176 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
17178 { &hf_smb_nt_ioctl_data,
17179 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
17180 NULL, 0, "Data for the IOCTL call", HFILL }},
17182 { &hf_smb_nt_notify_action,
17183 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
17184 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
17186 { &hf_smb_nt_notify_watch_tree,
17187 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
17188 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
17190 { &hf_smb_nt_notify_stream_write,
17191 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
17192 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
17194 { &hf_smb_nt_notify_stream_size,
17195 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
17196 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
17198 { &hf_smb_nt_notify_stream_name,
17199 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
17200 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
17202 { &hf_smb_nt_notify_security,
17203 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
17204 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
17206 { &hf_smb_nt_notify_ea,
17207 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
17208 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
17210 { &hf_smb_nt_notify_creation,
17211 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
17212 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
17214 { &hf_smb_nt_notify_last_access,
17215 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
17216 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
17218 { &hf_smb_nt_notify_last_write,
17219 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
17220 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
17222 { &hf_smb_nt_notify_size,
17223 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
17224 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
17226 { &hf_smb_nt_notify_attributes,
17227 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
17228 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
17230 { &hf_smb_nt_notify_dir_name,
17231 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
17232 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
17234 { &hf_smb_nt_notify_file_name,
17235 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
17236 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
17238 { &hf_smb_root_dir_fid,
17239 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
17240 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
17242 { &hf_smb_alloc_size64,
17243 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
17244 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17246 { &hf_smb_nt_create_disposition,
17247 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
17248 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
17250 { &hf_smb_sd_length,
17251 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
17252 NULL, 0, "Total length of security descriptor", HFILL }},
17254 { &hf_smb_ea_length,
17255 { "EA Length", "smb.ea.length", FT_UINT32, BASE_DEC,
17256 NULL, 0, "Total EA length for opened file", HFILL }},
17258 { &hf_smb_file_name_len,
17259 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
17260 NULL, 0, "Length of File Name", HFILL }},
17262 { &hf_smb_nt_impersonation_level,
17263 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
17264 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
17266 { &hf_smb_nt_security_flags_context_tracking,
17267 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
17268 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
17270 { &hf_smb_nt_security_flags_effective_only,
17271 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
17272 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
17274 { &hf_smb_nt_access_mask_generic_read,
17275 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
17276 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
17278 { &hf_smb_nt_access_mask_generic_write,
17279 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
17280 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
17282 { &hf_smb_nt_access_mask_generic_execute,
17283 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
17284 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
17286 { &hf_smb_nt_access_mask_generic_all,
17287 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
17288 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
17290 { &hf_smb_nt_access_mask_maximum_allowed,
17291 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
17292 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
17294 { &hf_smb_nt_access_mask_system_security,
17295 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
17296 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
17298 { &hf_smb_nt_access_mask_synchronize,
17299 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
17300 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
17302 { &hf_smb_nt_access_mask_write_owner,
17303 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
17304 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
17306 { &hf_smb_nt_access_mask_write_dac,
17307 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
17308 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
17310 { &hf_smb_nt_access_mask_read_control,
17311 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
17312 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
17314 { &hf_smb_nt_access_mask_delete,
17315 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
17316 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
17318 { &hf_smb_nt_access_mask_write_attributes,
17319 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
17320 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
17322 { &hf_smb_nt_access_mask_read_attributes,
17323 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
17324 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
17326 { &hf_smb_nt_access_mask_delete_child,
17327 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
17328 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
17331 /* "Execute" for files, "traverse" for directories. */
17333 { &hf_smb_nt_access_mask_execute,
17334 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
17335 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
17337 { &hf_smb_nt_access_mask_write_ea,
17338 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
17339 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
17341 { &hf_smb_nt_access_mask_read_ea,
17342 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
17343 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
17346 /* "Append data" for files, "add subdirectory" for directories,
17347 "create pipe instance" for named pipes. */
17349 { &hf_smb_nt_access_mask_append,
17350 { "Append", "smb.access.append", FT_BOOLEAN, 32,
17351 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
17354 /* "Write data" for files and pipes, "add file" for directory. */
17356 { &hf_smb_nt_access_mask_write,
17357 { "Write", "smb.access.write", FT_BOOLEAN, 32,
17358 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
17361 /* "Read data" for files and pipes, "list directory" for directory. */
17363 { &hf_smb_nt_access_mask_read,
17364 { "Read", "smb.access.read", FT_BOOLEAN, 32,
17365 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
17367 { &hf_smb_nt_create_bits_oplock,
17368 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
17369 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
17371 { &hf_smb_nt_create_bits_boplock,
17372 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
17373 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
17375 { &hf_smb_nt_create_bits_dir,
17376 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
17377 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
17379 { &hf_smb_nt_create_bits_ext_resp,
17380 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
17381 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
17383 { &hf_smb_nt_create_options_directory_file,
17384 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
17385 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
17387 { &hf_smb_nt_create_options_write_through,
17388 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
17389 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
17391 { &hf_smb_nt_create_options_sequential_only,
17392 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
17393 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
17395 { &hf_smb_nt_create_options_sync_io_alert,
17396 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
17397 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
17399 { &hf_smb_nt_create_options_sync_io_nonalert,
17400 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
17401 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
17403 { &hf_smb_nt_create_options_non_directory_file,
17404 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
17405 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
17407 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
17408 and "NtOpenFile()"; is that sent over the wire? Network
17409 Monitor thinks so, but its author may just have grabbed
17410 the flag bits from a system header file. */
17412 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
17413 and "NtOpenFile()"; is that sent over the wire? NetMon
17414 thinks so, but see previous comment. */
17416 { &hf_smb_nt_create_options_no_ea_knowledge,
17417 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
17418 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
17420 { &hf_smb_nt_create_options_eight_dot_three_only,
17421 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
17422 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
17424 { &hf_smb_nt_create_options_random_access,
17425 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
17426 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
17428 { &hf_smb_nt_create_options_delete_on_close,
17429 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
17430 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
17432 /* 0x00002000 is "open by FID", or something such as that (which
17433 I suspect is like "open by inumber" on UNIX), at least in
17434 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
17435 wire? NetMon thinks so, but see previous comment. */
17437 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
17438 and "NtOpenFile()"; is that sent over the wire? NetMon
17439 thinks so, but see previous comment. */
17441 { &hf_smb_nt_share_access_read,
17442 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
17443 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
17445 { &hf_smb_nt_share_access_write,
17446 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
17447 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
17449 { &hf_smb_nt_share_access_delete,
17450 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
17451 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
17453 { &hf_smb_file_eattr_read_only,
17454 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
17455 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17457 { &hf_smb_file_eattr_hidden,
17458 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
17459 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17461 { &hf_smb_file_eattr_system,
17462 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
17463 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17465 { &hf_smb_file_eattr_volume,
17466 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
17467 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
17469 { &hf_smb_file_eattr_directory,
17470 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
17471 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17473 { &hf_smb_file_eattr_archive,
17474 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
17475 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17477 { &hf_smb_file_eattr_device,
17478 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
17479 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
17481 { &hf_smb_file_eattr_normal,
17482 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
17483 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
17485 { &hf_smb_file_eattr_temporary,
17486 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
17487 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
17489 { &hf_smb_file_eattr_sparse,
17490 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
17491 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
17493 { &hf_smb_file_eattr_reparse,
17494 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
17495 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
17497 { &hf_smb_file_eattr_compressed,
17498 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
17499 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
17501 { &hf_smb_file_eattr_offline,
17502 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
17503 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
17505 { &hf_smb_file_eattr_not_content_indexed,
17506 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
17507 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
17509 { &hf_smb_file_eattr_encrypted,
17510 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
17511 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
17513 { &hf_smb_sec_desc_len,
17514 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
17515 NULL, 0, "Security Descriptor Length", HFILL }},
17517 { &hf_smb_nt_qsd_owner,
17518 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
17519 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
17521 { &hf_smb_nt_qsd_group,
17522 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
17523 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
17525 { &hf_smb_nt_qsd_dacl,
17526 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
17527 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
17529 { &hf_smb_nt_qsd_sacl,
17530 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
17531 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
17533 { &hf_smb_extended_attributes,
17534 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
17535 NULL, 0, "Extended Attributes", HFILL }},
17537 { &hf_smb_oplock_level,
17538 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
17539 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
17541 { &hf_smb_create_action,
17542 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
17543 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
17546 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
17547 NULL, 0, "Server unique file ID", HFILL }},
17549 { &hf_smb_ea_error_offset,
17550 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
17551 NULL, 0, "Offset into EA list if EA error", HFILL }},
17553 { &hf_smb_end_of_file,
17554 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
17555 NULL, 0, "Offset to the first free byte in the file", HFILL }},
17557 { &hf_smb_device_type,
17558 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
17559 VALS(device_type_vals), 0, "Type of device", HFILL }},
17561 { &hf_smb_is_directory,
17562 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
17563 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
17565 { &hf_smb_next_entry_offset,
17566 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
17567 NULL, 0, "Offset to next entry", HFILL }},
17569 { &hf_smb_change_time,
17570 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
17571 NULL, 0, "Last Change Time", HFILL }},
17573 { &hf_smb_setup_len,
17574 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
17575 NULL, 0, "Length of printer setup data", HFILL }},
17577 { &hf_smb_print_mode,
17578 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
17579 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
17581 { &hf_smb_print_identifier,
17582 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
17583 NULL, 0, "Identifier string for this print job", HFILL }},
17585 { &hf_smb_restart_index,
17586 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
17587 NULL, 0, "Index of entry after last returned", HFILL }},
17589 { &hf_smb_print_queue_date,
17590 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
17591 NULL, 0, "Date when this entry was queued", HFILL }},
17593 { &hf_smb_print_queue_dos_date,
17594 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
17595 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
17597 { &hf_smb_print_queue_dos_time,
17598 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
17599 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
17601 { &hf_smb_print_status,
17602 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
17603 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
17605 { &hf_smb_print_spool_file_number,
17606 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
17607 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
17609 { &hf_smb_print_spool_file_size,
17610 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
17611 NULL, 0, "Number of bytes in spool file", HFILL }},
17613 { &hf_smb_print_spool_file_name,
17614 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
17615 NULL, 0, "Name of client that submitted this job", HFILL }},
17617 { &hf_smb_start_index,
17618 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
17619 NULL, 0, "First queue entry to return", HFILL }},
17621 { &hf_smb_originator_name,
17622 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
17623 NULL, 0, "Name of sender of message", HFILL }},
17625 { &hf_smb_destination_name,
17626 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
17627 NULL, 0, "Name of recipient of message", HFILL }},
17629 { &hf_smb_message_len,
17630 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
17631 NULL, 0, "Length of message", HFILL }},
17634 { "Message", "smb.message", FT_STRING, BASE_NONE,
17635 NULL, 0, "Message text", HFILL }},
17638 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
17639 NULL, 0, "Message group ID for multi-block messages", HFILL }},
17641 { &hf_smb_forwarded_name,
17642 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
17643 NULL, 0, "Recipient name being forwarded", HFILL }},
17645 { &hf_smb_machine_name,
17646 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
17647 NULL, 0, "Name of target machine", HFILL }},
17649 { &hf_smb_cancel_to,
17650 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
17651 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
17653 { &hf_smb_trans2_subcmd,
17654 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
17655 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
17657 { &hf_smb_trans_name,
17658 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
17659 NULL, 0, "Name of transaction", HFILL }},
17661 { &hf_smb_transaction_flags_dtid,
17662 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
17663 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
17665 { &hf_smb_transaction_flags_owt,
17666 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
17667 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
17669 { &hf_smb_search_count,
17670 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
17671 NULL, 0, "Maximum number of search entries to return", HFILL }},
17673 { &hf_smb_search_pattern,
17674 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
17675 NULL, 0, "Search Pattern", HFILL }},
17677 { &hf_smb_ff2_backup,
17678 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
17679 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
17681 { &hf_smb_ff2_continue,
17682 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
17683 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
17685 { &hf_smb_ff2_resume,
17686 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
17687 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
17689 { &hf_smb_ff2_close_eos,
17690 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
17691 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
17693 { &hf_smb_ff2_close,
17694 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
17695 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
17697 { &hf_smb_ff2_information_level,
17698 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
17699 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
17702 { "Level of Interest", "smb.loi", FT_UINT16, BASE_DEC,
17703 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] commands", HFILL }},
17706 { &hf_smb_sfi_writetru,
17707 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
17708 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
17710 { &hf_smb_sfi_caching,
17711 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
17712 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
17715 { &hf_smb_storage_type,
17716 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
17717 NULL, 0, "Type of storage", HFILL }},
17720 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
17721 NULL, 0, "Resume Key", HFILL }},
17723 { &hf_smb_max_referral_level,
17724 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
17725 NULL, 0, "Latest referral version number understood", HFILL }},
17727 { &hf_smb_qfsi_information_level,
17728 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_HEX,
17729 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
17731 { &hf_smb_nt_rename_level,
17732 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
17733 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
17735 { &hf_smb_cluster_count,
17736 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
17737 NULL, 0, "Number of clusters", HFILL }},
17740 { "EA Size", "smb.ea_size", FT_UINT32, BASE_DEC,
17741 NULL, 0, "Size of file's EA information", HFILL }},
17743 { &hf_smb_list_length,
17744 { "ListLength", "smb.list_len", FT_UINT32, BASE_DEC,
17745 NULL, 0, "Length of the remaining data", HFILL }},
17747 { &hf_smb_number_of_links,
17748 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
17749 NULL, 0, "Number of hard links to the file", HFILL }},
17751 { &hf_smb_delete_pending,
17752 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
17753 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
17755 { &hf_smb_index_number,
17756 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
17757 NULL, 0, "File system unique identifier", HFILL }},
17759 { &hf_smb_current_offset,
17760 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
17761 NULL, 0, "Current offset in the file", HFILL }},
17763 { &hf_smb_t2_alignment,
17764 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
17765 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
17767 { &hf_smb_t2_stream_name_length,
17768 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
17769 NULL, 0, "Length of stream name", HFILL }},
17771 { &hf_smb_t2_stream_size,
17772 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
17773 NULL, 0, "Size of the stream in number of bytes", HFILL }},
17775 { &hf_smb_t2_stream_name,
17776 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
17777 NULL, 0, "Name of the stream", HFILL }},
17779 { &hf_smb_t2_compressed_file_size,
17780 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
17781 NULL, 0, "Size of the compressed file", HFILL }},
17783 { &hf_smb_t2_compressed_format,
17784 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
17785 NULL, 0, "Compression algorithm used", HFILL }},
17787 { &hf_smb_t2_compressed_unit_shift,
17788 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
17789 NULL, 0, "Size of the stream in number of bytes", HFILL }},
17791 { &hf_smb_t2_compressed_chunk_shift,
17792 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
17793 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
17795 { &hf_smb_t2_compressed_cluster_shift,
17796 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
17797 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
17799 { &hf_smb_dfs_path_consumed,
17800 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
17801 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
17803 { &hf_smb_dfs_num_referrals,
17804 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
17805 NULL, 0, "Number of referrals in this pdu", HFILL }},
17807 { &hf_smb_get_dfs_server_hold_storage,
17808 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
17809 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
17811 { &hf_smb_get_dfs_fielding,
17812 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
17813 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
17815 { &hf_smb_dfs_referral_version,
17816 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
17817 NULL, 0, "Version of referral element", HFILL }},
17819 { &hf_smb_dfs_referral_size,
17820 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
17821 NULL, 0, "Size of referral element", HFILL }},
17823 { &hf_smb_dfs_referral_server_type,
17824 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
17825 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
17827 { &hf_smb_dfs_referral_flags_strip,
17828 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
17829 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
17831 { &hf_smb_dfs_referral_node_offset,
17832 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
17833 NULL, 0, "Offset of name of entity to visit next", HFILL }},
17835 { &hf_smb_dfs_referral_node,
17836 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
17837 NULL, 0, "Name of entity to visit next", HFILL }},
17839 { &hf_smb_dfs_referral_proximity,
17840 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
17841 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
17843 { &hf_smb_dfs_referral_ttl,
17844 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
17845 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
17847 { &hf_smb_dfs_referral_path_offset,
17848 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
17849 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
17851 { &hf_smb_dfs_referral_path,
17852 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
17853 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
17855 { &hf_smb_dfs_referral_alt_path_offset,
17856 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
17857 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
17859 { &hf_smb_dfs_referral_alt_path,
17860 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
17861 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
17863 { &hf_smb_end_of_search,
17864 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
17865 NULL, 0, "Was last entry returned?", HFILL }},
17867 { &hf_smb_last_name_offset,
17868 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
17869 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
17871 { &hf_smb_fn_information_level,
17872 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
17873 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
17875 { &hf_smb_monitor_handle,
17876 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
17877 NULL, 0, "Handle for Find Notify operations", HFILL }},
17879 { &hf_smb_change_count,
17880 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
17881 NULL, 0, "Number of changes to wait for", HFILL }},
17883 { &hf_smb_file_index,
17884 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
17885 NULL, 0, "File index", HFILL }},
17887 { &hf_smb_short_file_name,
17888 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
17889 NULL, 0, "Short (8.3) File Name", HFILL }},
17891 { &hf_smb_short_file_name_len,
17892 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
17893 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
17896 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
17897 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
17899 { &hf_smb_sector_unit,
17900 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
17901 NULL, 0, "Sectors per allocation unit", HFILL }},
17903 { &hf_smb_fs_units,
17904 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
17905 NULL, 0, "Total number of units on this filesystem", HFILL }},
17907 { &hf_smb_fs_sector,
17908 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
17909 NULL, 0, "Bytes per sector", HFILL }},
17911 { &hf_smb_avail_units,
17912 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
17913 NULL, 0, "Total number of available units on this filesystem", HFILL }},
17915 { &hf_smb_volume_serial_num,
17916 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
17917 NULL, 0, "Volume serial number", HFILL }},
17919 { &hf_smb_volume_label_len,
17920 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
17921 NULL, 0, "Length of volume label", HFILL }},
17923 { &hf_smb_volume_label,
17924 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
17925 NULL, 0, "Volume label", HFILL }},
17927 { &hf_smb_free_alloc_units64,
17928 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
17929 NULL, 0, "Number of free allocation units", HFILL }},
17931 { &hf_smb_caller_free_alloc_units64,
17932 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
17933 NULL, 0, "Number of caller free allocation units", HFILL }},
17935 { &hf_smb_actual_free_alloc_units64,
17936 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
17937 NULL, 0, "Number of actual free allocation units", HFILL }},
17939 { &hf_smb_soft_quota_limit,
17940 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
17941 NULL, 0, "Soft Quota treshold", HFILL }},
17943 { &hf_smb_hard_quota_limit,
17944 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
17945 NULL, 0, "Hard Quota limit", HFILL }},
17947 { &hf_smb_user_quota_used,
17948 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
17949 NULL, 0, "How much Quota is used by this user", HFILL }},
17951 { &hf_smb_max_name_len,
17952 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
17953 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
17955 { &hf_smb_fs_name_len,
17956 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
17957 NULL, 0, "Length of filesystem name in bytes", HFILL }},
17960 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
17961 NULL, 0, "Name of filesystem", HFILL }},
17963 { &hf_smb_device_char_removable,
17964 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
17965 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
17967 { &hf_smb_device_char_read_only,
17968 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
17969 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
17971 { &hf_smb_device_char_floppy,
17972 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
17973 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
17975 { &hf_smb_device_char_write_once,
17976 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
17977 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
17979 { &hf_smb_device_char_remote,
17980 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
17981 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
17983 { &hf_smb_device_char_mounted,
17984 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
17985 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
17987 { &hf_smb_device_char_virtual,
17988 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
17989 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
17991 { &hf_smb_fs_attr_css,
17992 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
17993 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
17995 { &hf_smb_fs_attr_cpn,
17996 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
17997 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
17999 { &hf_smb_fs_attr_pacls,
18000 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
18001 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
18003 { &hf_smb_fs_attr_fc,
18004 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
18005 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
18007 { &hf_smb_fs_attr_vq,
18008 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
18009 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
18011 { &hf_smb_fs_attr_dim,
18012 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
18013 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
18015 { &hf_smb_fs_attr_vic,
18016 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
18017 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
18019 { &hf_smb_sec_desc_revision,
18020 { "Revision", "smb.sec_desc.revision", FT_UINT8, BASE_DEC,
18021 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
18024 { "SID", "smb.sid", FT_STRING, BASE_DEC,
18025 NULL, 0, "SID: Security Identifier", HFILL }},
18027 { &hf_smb_sid_revision,
18028 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
18029 NULL, 0, "Version of SID structure", HFILL }},
18031 { &hf_smb_sid_num_auth,
18032 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
18033 NULL, 0, "Number of authorities for this SID", HFILL }},
18035 { &hf_smb_acl_revision,
18036 { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
18037 NULL, 0, "Version of NT ACL structure", HFILL }},
18039 { &hf_smb_acl_size,
18040 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
18041 NULL, 0, "Size of NT ACL structure", HFILL }},
18043 { &hf_smb_acl_num_aces,
18044 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
18045 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
18047 { &hf_smb_user_quota_offset,
18048 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
18049 NULL, 0, "Relative offset to next user quota structure", HFILL }},
18051 { &hf_smb_ace_type,
18052 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
18053 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
18055 { &hf_smb_pipe_write_len,
18056 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
18057 NULL, 0, "Number of bytes written to pipe", HFILL }},
18059 { &hf_smb_ace_size,
18060 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
18061 NULL, 0, "Size of this ACE", HFILL }},
18063 { &hf_smb_ace_flags_object_inherit,
18064 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
18065 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
18067 { &hf_smb_ace_flags_container_inherit,
18068 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
18069 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
18071 { &hf_smb_ace_flags_non_propagate_inherit,
18072 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
18073 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
18075 { &hf_smb_ace_flags_inherit_only,
18076 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
18077 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
18079 { &hf_smb_ace_flags_inherited_ace,
18080 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
18081 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
18083 { &hf_smb_ace_flags_successful_access,
18084 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
18085 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
18087 { &hf_smb_ace_flags_failed_access,
18088 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
18089 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
18091 { &hf_smb_sec_desc_type_owner_defaulted,
18092 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
18093 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
18095 { &hf_smb_sec_desc_type_group_defaulted,
18096 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
18097 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
18099 { &hf_smb_sec_desc_type_dacl_present,
18100 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
18101 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
18103 { &hf_smb_sec_desc_type_dacl_defaulted,
18104 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
18105 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
18107 { &hf_smb_sec_desc_type_sacl_present,
18108 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
18109 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
18111 { &hf_smb_sec_desc_type_sacl_defaulted,
18112 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
18113 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
18115 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
18116 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
18117 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
18119 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
18120 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
18121 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
18123 { &hf_smb_sec_desc_type_dacl_auto_inherited,
18124 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
18125 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
18127 { &hf_smb_sec_desc_type_sacl_auto_inherited,
18128 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
18129 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
18131 { &hf_smb_sec_desc_type_dacl_protected,
18132 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
18133 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
18135 { &hf_smb_sec_desc_type_sacl_protected,
18136 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
18137 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
18139 { &hf_smb_sec_desc_type_self_relative,
18140 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
18141 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
18143 { &hf_smb_quota_flags_deny_disk,
18144 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
18145 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
18147 { &hf_smb_quota_flags_log_limit,
18148 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
18149 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
18151 { &hf_smb_quota_flags_log_warning,
18152 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
18153 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
18155 { &hf_smb_quota_flags_enabled,
18156 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
18157 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
18159 { &hf_smb_segment_overlap,
18160 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18161 "Fragment overlaps with other fragments", HFILL }},
18163 { &hf_smb_segment_overlap_conflict,
18164 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18165 "Overlapping fragments contained conflicting data", HFILL }},
18167 { &hf_smb_segment_multiple_tails,
18168 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18169 "Several tails were found when defragmenting the packet", HFILL }},
18171 { &hf_smb_segment_too_long_fragment,
18172 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18173 "Fragment contained data past end of packet", HFILL }},
18175 { &hf_smb_segment_error,
18176 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18177 "Defragmentation error due to illegal fragments", HFILL }},
18180 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18181 "SMB Segment", HFILL }},
18183 { &hf_smb_segments,
18184 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
18185 "SMB Segments", HFILL }},
18189 { &hf_smb_access_mask,
18190 { "Access required", "smb.access_mask",
18191 FT_UINT32, BASE_HEX, NULL, 0x0, "Access mask",
18193 { &hf_access_generic_read,
18194 { "Generic read", "nt.access_mask.generic_read",
18195 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18196 GENERIC_READ_ACCESS, "Generic read", HFILL }},
18198 { &hf_access_generic_write,
18199 { "Generic write", "nt.access_mask.generic_write",
18200 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18201 GENERIC_WRITE_ACCESS, "Generic write", HFILL }},
18203 { &hf_access_generic_execute,
18204 { "Generic execute", "nt.access_mask.generic_execute",
18205 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18206 GENERIC_EXECUTE_ACCESS, "Generic execute", HFILL }},
18208 { &hf_access_generic_all,
18209 { "Generic all", "nt.access_mask.generic_all",
18210 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18211 GENERIC_ALL_ACCESS, "Generic all", HFILL }},
18213 { &hf_access_maximum_allowed,
18214 { "Maximum allowed", "nt.access_mask.maximum_allowed",
18215 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18216 MAXIMUM_ALLOWED_ACCESS, "Maximum allowed", HFILL }},
18219 { "Access SACL", "nt.access_mask.access_sacl",
18220 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18221 ACCESS_SACL_ACCESS, "Access SACL", HFILL }},
18223 { &hf_access_standard_read_control,
18224 { "Read control", "nt.access_mask.read_control",
18225 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18226 READ_CONTROL_ACCESS, "Read control", HFILL }},
18228 { &hf_access_standard_delete,
18229 { "Delete", "nt.access_mask.delete",
18230 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18231 DELETE_ACCESS, "Delete", HFILL }},
18233 { &hf_access_standard_synchronise,
18234 { "Synchronise", "nt.access_mask.synchronise",
18235 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18236 SYNCHRONIZE_ACCESS, "Synchronise", HFILL }},
18238 { &hf_access_standard_write_dac,
18239 { "Write DAC", "nt.access_mask.write_dac",
18240 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18241 WRITE_DAC_ACCESS, "Write DAC", HFILL }},
18243 { &hf_access_standard_write_owner,
18244 { "Write owner", "nt.access_mask.write_owner",
18245 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18246 WRITE_OWNER_ACCESS, "Write owner", HFILL }},
18248 { &hf_access_specific_15,
18249 { "Specific access, bit 15", "nt.access_mask.specific_15",
18250 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18251 0x8000, "Specific access, bit 15", HFILL }},
18253 { &hf_access_specific_14,
18254 { "Specific access, bit 14", "nt.access_mask.specific_14",
18255 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18256 0x4000, "Specific access, bit 14", HFILL }},
18258 { &hf_access_specific_13,
18259 { "Specific access, bit 13", "nt.access_mask.specific_13",
18260 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18261 0x2000, "Specific access, bit 13", HFILL }},
18263 { &hf_access_specific_12,
18264 { "Specific access, bit 12", "nt.access_mask.specific_12",
18265 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18266 0x1000, "Specific access, bit 12", HFILL }},
18268 { &hf_access_specific_11,
18269 { "Specific access, bit 11", "nt.access_mask.specific_11",
18270 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18271 0x0800, "Specific access, bit 11", HFILL }},
18273 { &hf_access_specific_10,
18274 { "Specific access, bit 10", "nt.access_mask.specific_10",
18275 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18276 0x0400, "Specific access, bit 10", HFILL }},
18278 { &hf_access_specific_9,
18279 { "Specific access, bit 9", "nt.access_mask.specific_9",
18280 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18281 0x0200, "Specific access, bit 9", HFILL }},
18283 { &hf_access_specific_8,
18284 { "Specific access, bit 8", "nt.access_mask.specific_8",
18285 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18286 0x0100, "Specific access, bit 8", HFILL }},
18288 { &hf_access_specific_7,
18289 { "Specific access, bit 7", "nt.access_mask.specific_7",
18290 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18291 0x0080, "Specific access, bit 7", HFILL }},
18293 { &hf_access_specific_6,
18294 { "Specific access, bit 6", "nt.access_mask.specific_6",
18295 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18296 0x0040, "Specific access, bit 6", HFILL }},
18298 { &hf_access_specific_5,
18299 { "Specific access, bit 5", "nt.access_mask.specific_5",
18300 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18301 0x0020, "Specific access, bit 5", HFILL }},
18303 { &hf_access_specific_4,
18304 { "Specific access, bit 4", "nt.access_mask.specific_4",
18305 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18306 0x0010, "Specific access, bit 4", HFILL }},
18308 { &hf_access_specific_3,
18309 { "Specific access, bit 3", "nt.access_mask.specific_3",
18310 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18311 0x0008, "Specific access, bit 3", HFILL }},
18313 { &hf_access_specific_2,
18314 { "Specific access, bit 2", "nt.access_mask.specific_2",
18315 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18316 0x0004, "Specific access, bit 2", HFILL }},
18318 { &hf_access_specific_1,
18319 { "Specific access, bit 1", "nt.access_mask.specific_1",
18320 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18321 0x0002, "Specific access, bit 1", HFILL }},
18323 { &hf_access_specific_0,
18324 { "Specific access, bit 0", "nt.access_mask.specific_0",
18325 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18326 0x0001, "Specific access, bit 0", HFILL }}
18329 static gint *ett[] = {
18333 &ett_smb_fileattributes,
18334 &ett_smb_capabilities,
18342 &ett_smb_desiredaccess,
18345 &ett_smb_openfunction,
18347 &ett_smb_openaction,
18348 &ett_smb_writemode,
18349 &ett_smb_lock_type,
18350 &ett_smb_ssetupandxaction,
18351 &ett_smb_optionsup,
18352 &ett_smb_time_date,
18353 &ett_smb_move_copy_flags,
18354 &ett_smb_file_attributes,
18355 &ett_smb_search_resume_key,
18356 &ett_smb_search_dir_info,
18361 &ett_smb_open_flags,
18362 &ett_smb_ipc_state,
18363 &ett_smb_open_action,
18364 &ett_smb_setup_action,
18365 &ett_smb_connect_flags,
18366 &ett_smb_connect_support_bits,
18367 &ett_smb_nt_access_mask,
18368 &ett_smb_nt_create_bits,
18369 &ett_smb_nt_create_options,
18370 &ett_smb_nt_share_access,
18371 &ett_smb_nt_security_flags,
18372 &ett_smb_nt_trans_setup,
18373 &ett_smb_nt_trans_data,
18374 &ett_smb_nt_trans_param,
18375 &ett_smb_nt_notify_completion_filter,
18376 &ett_smb_nt_ioctl_flags,
18377 &ett_smb_security_information_mask,
18378 &ett_smb_print_queue_entry,
18379 &ett_smb_transaction_flags,
18380 &ett_smb_transaction_params,
18381 &ett_smb_find_first2_flags,
18385 &ett_smb_transaction_data,
18386 &ett_smb_stream_info,
18387 &ett_smb_dfs_referrals,
18388 &ett_smb_dfs_referral,
18389 &ett_smb_dfs_referral_flags,
18390 &ett_smb_get_dfs_flags,
18392 &ett_smb_device_characteristics,
18393 &ett_smb_fs_attributes,
18400 &ett_smb_ace_flags,
18401 &ett_smb_sec_desc_type,
18402 &ett_smb_quotaflags,
18404 &ett_smb_mac_support_flags,
18405 &ett_nt_access_mask,
18406 &ett_nt_access_mask_generic,
18407 &ett_nt_access_mask_standard,
18408 &ett_nt_access_mask_specific,
18409 &ett_smb_unicode_password
18411 module_t *smb_module;
18413 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
18415 proto_register_subtree_array(ett, array_length(ett));
18416 proto_register_field_array(proto_smb, hf, array_length(hf));
18418 register_smb_common(proto_smb);
18420 register_init_routine(&smb_init_protocol);
18421 smb_module = prefs_register_protocol(proto_smb, NULL);
18422 prefs_register_bool_preference(smb_module, "trans_reassembly",
18423 "Reassemble SMB Transaction payload",
18424 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
18425 &smb_trans_reassembly);
18426 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
18427 "Reassemble DCERPC over SMB",
18428 "Whether the dissector should reassemble DCERPC over SMB commands",
18429 &smb_dcerpc_reassembly);
18430 prefs_register_bool_preference(smb_module, "sid_name_snooping",
18431 "Snoop SID to Name mappings",
18432 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
18433 &sid_name_snooping);
18435 register_init_routine(smb_trans_reassembly_init);
18436 smb_tap = register_tap("smb");
18440 proto_reg_handoff_smb(void)
18442 dissector_handle_t smb_handle;
18444 gssapi_handle = find_dissector("gssapi");
18445 ntlmssp_handle = find_dissector("ntlmssp");
18447 heur_dissector_add("netbios", dissect_smb_heur, proto_smb);
18448 heur_dissector_add("cotp", dissect_smb_heur, proto_smb);
18449 heur_dissector_add("vines_spp", dissect_smb_heur, proto_smb);
18450 smb_handle = create_dissector_handle(dissect_smb, proto_smb);
18451 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
18452 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
18453 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER,