2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.370 2003/09/28 00:11:01 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/int-64bit.h>
40 #include <epan/packet.h>
41 #include <epan/conversation.h>
43 #include "alignment.h"
44 #include <epan/strutil.h>
46 #include "reassemble.h"
48 #include "packet-ipx.h"
50 #include "packet-smb-common.h"
51 #include "packet-smb-mailslot.h"
52 #include "packet-smb-pipe.h"
53 #include "packet-dcerpc.h"
54 #include "packet-smb-sidsnooping.h"
57 * Various specifications and documents about SMB can be found in
59 * ftp://ftp.microsoft.com/developr/drg/CIFS/
61 * and a CIFS specification from the Storage Networking Industry Association
62 * can be found on a link from the page at
64 * http://www.snia.org/tech_activities/CIFS
66 * (it supercedes the document at
68 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
72 * There are also some Open Group publications documenting CIFS available
73 * for download; catalog entries for them are at:
75 * http://www.opengroup.org/products/publications/catalog/c209.htm
77 * http://www.opengroup.org/products/publications/catalog/c195.htm
79 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
82 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
84 * (or, presumably a similar path under the Samba mirrors). As the
85 * ".doc" indicates, it's a Word document. Some of the specs from the
86 * Microsoft FTP site can be found in the
88 * http://www.samba.org/samba/ftp/specs/
92 * Beware - these specs may have errors.
94 static int proto_smb = -1;
95 static int hf_smb_cmd = -1;
96 static int hf_smb_key = -1;
97 static int hf_smb_session_id = -1;
98 static int hf_smb_sequence_num = -1;
99 static int hf_smb_group_id = -1;
100 static int hf_smb_pid = -1;
101 static int hf_smb_tid = -1;
102 static int hf_smb_uid = -1;
103 static int hf_smb_mid = -1;
104 static int hf_smb_pid_high = -1;
105 static int hf_smb_sig = -1;
106 static int hf_smb_response_to = -1;
107 static int hf_smb_time = -1;
108 static int hf_smb_response_in = -1;
109 static int hf_smb_continuation_to = -1;
110 static int hf_smb_nt_status = -1;
111 static int hf_smb_error_class = -1;
112 static int hf_smb_error_code = -1;
113 static int hf_smb_reserved = -1;
114 static int hf_smb_flags_lock = -1;
115 static int hf_smb_flags_receive_buffer = -1;
116 static int hf_smb_flags_caseless = -1;
117 static int hf_smb_flags_canon = -1;
118 static int hf_smb_flags_oplock = -1;
119 static int hf_smb_flags_notify = -1;
120 static int hf_smb_flags_response = -1;
121 static int hf_smb_flags2_long_names_allowed = -1;
122 static int hf_smb_flags2_ea = -1;
123 static int hf_smb_flags2_sec_sig = -1;
124 static int hf_smb_flags2_long_names_used = -1;
125 static int hf_smb_flags2_esn = -1;
126 static int hf_smb_flags2_dfs = -1;
127 static int hf_smb_flags2_roe = -1;
128 static int hf_smb_flags2_nt_error = -1;
129 static int hf_smb_flags2_string = -1;
130 static int hf_smb_word_count = -1;
131 static int hf_smb_byte_count = -1;
132 static int hf_smb_buffer_format = -1;
133 static int hf_smb_dialect_name = -1;
134 static int hf_smb_dialect_index = -1;
135 static int hf_smb_max_trans_buf_size = -1;
136 static int hf_smb_max_mpx_count = -1;
137 static int hf_smb_max_vcs_num = -1;
138 static int hf_smb_session_key = -1;
139 static int hf_smb_server_timezone = -1;
140 static int hf_smb_encryption_key_length = -1;
141 static int hf_smb_encryption_key = -1;
142 static int hf_smb_primary_domain = -1;
143 static int hf_smb_server = -1;
144 static int hf_smb_max_raw_buf_size = -1;
145 static int hf_smb_server_guid = -1;
146 static int hf_smb_security_blob_len = -1;
147 static int hf_smb_security_blob = -1;
148 static int hf_smb_sm_mode16 = -1;
149 static int hf_smb_sm_password16 = -1;
150 static int hf_smb_sm_mode = -1;
151 static int hf_smb_sm_password = -1;
152 static int hf_smb_sm_signatures = -1;
153 static int hf_smb_sm_sig_required = -1;
154 static int hf_smb_rm_read = -1;
155 static int hf_smb_rm_write = -1;
156 static int hf_smb_server_date_time = -1;
157 static int hf_smb_server_smb_date = -1;
158 static int hf_smb_server_smb_time = -1;
159 static int hf_smb_server_cap_raw_mode = -1;
160 static int hf_smb_server_cap_mpx_mode = -1;
161 static int hf_smb_server_cap_unicode = -1;
162 static int hf_smb_server_cap_large_files = -1;
163 static int hf_smb_server_cap_nt_smbs = -1;
164 static int hf_smb_server_cap_rpc_remote_apis = -1;
165 static int hf_smb_server_cap_nt_status = -1;
166 static int hf_smb_server_cap_level_ii_oplocks = -1;
167 static int hf_smb_server_cap_lock_and_read = -1;
168 static int hf_smb_server_cap_nt_find = -1;
169 static int hf_smb_server_cap_dfs = -1;
170 static int hf_smb_server_cap_infolevel_passthru = -1;
171 static int hf_smb_server_cap_large_readx = -1;
172 static int hf_smb_server_cap_large_writex = -1;
173 static int hf_smb_server_cap_unix = -1;
174 static int hf_smb_server_cap_reserved = -1;
175 static int hf_smb_server_cap_bulk_transfer = -1;
176 static int hf_smb_server_cap_compressed_data = -1;
177 static int hf_smb_server_cap_extended_security = -1;
178 static int hf_smb_system_time = -1;
179 static int hf_smb_unknown = -1;
180 static int hf_smb_dir_name = -1;
181 static int hf_smb_echo_count = -1;
182 static int hf_smb_echo_data = -1;
183 static int hf_smb_echo_seq_num = -1;
184 static int hf_smb_max_buf_size = -1;
185 static int hf_smb_password = -1;
186 static int hf_smb_password_len = -1;
187 static int hf_smb_ansi_password = -1;
188 static int hf_smb_ansi_password_len = -1;
189 static int hf_smb_unicode_password = -1;
190 static int hf_smb_unicode_password_len = -1;
191 static int hf_smb_path = -1;
192 static int hf_smb_service = -1;
193 static int hf_smb_move_flags_file = -1;
194 static int hf_smb_move_flags_dir = -1;
195 static int hf_smb_move_flags_verify = -1;
196 static int hf_smb_files_moved = -1;
197 static int hf_smb_copy_flags_file = -1;
198 static int hf_smb_copy_flags_dir = -1;
199 static int hf_smb_copy_flags_dest_mode = -1;
200 static int hf_smb_copy_flags_source_mode = -1;
201 static int hf_smb_copy_flags_verify = -1;
202 static int hf_smb_copy_flags_tree_copy = -1;
203 static int hf_smb_copy_flags_ea_action = -1;
204 static int hf_smb_count = -1;
205 static int hf_smb_count_low = -1;
206 static int hf_smb_count_high = -1;
207 static int hf_smb_file_name = -1;
208 static int hf_smb_open_function_open = -1;
209 static int hf_smb_open_function_create = -1;
210 static int hf_smb_fid = -1;
211 static int hf_smb_file_attr_read_only_16bit = -1;
212 static int hf_smb_file_attr_read_only_8bit = -1;
213 static int hf_smb_file_attr_hidden_16bit = -1;
214 static int hf_smb_file_attr_hidden_8bit = -1;
215 static int hf_smb_file_attr_system_16bit = -1;
216 static int hf_smb_file_attr_system_8bit = -1;
217 static int hf_smb_file_attr_volume_16bit = -1;
218 static int hf_smb_file_attr_volume_8bit = -1;
219 static int hf_smb_file_attr_directory_16bit = -1;
220 static int hf_smb_file_attr_directory_8bit = -1;
221 static int hf_smb_file_attr_archive_16bit = -1;
222 static int hf_smb_file_attr_archive_8bit = -1;
223 static int hf_smb_file_attr_device = -1;
224 static int hf_smb_file_attr_normal = -1;
225 static int hf_smb_file_attr_temporary = -1;
226 static int hf_smb_file_attr_sparse = -1;
227 static int hf_smb_file_attr_reparse = -1;
228 static int hf_smb_file_attr_compressed = -1;
229 static int hf_smb_file_attr_offline = -1;
230 static int hf_smb_file_attr_not_content_indexed = -1;
231 static int hf_smb_file_attr_encrypted = -1;
232 static int hf_smb_file_size = -1;
233 static int hf_smb_search_attribute_read_only = -1;
234 static int hf_smb_search_attribute_hidden = -1;
235 static int hf_smb_search_attribute_system = -1;
236 static int hf_smb_search_attribute_volume = -1;
237 static int hf_smb_search_attribute_directory = -1;
238 static int hf_smb_search_attribute_archive = -1;
239 static int hf_smb_access_mode = -1;
240 static int hf_smb_access_sharing = -1;
241 static int hf_smb_access_locality = -1;
242 static int hf_smb_access_caching = -1;
243 static int hf_smb_access_writetru = -1;
244 static int hf_smb_create_time = -1;
245 static int hf_smb_modify_time = -1;
246 static int hf_smb_backup_time = -1;
247 static int hf_smb_mac_alloc_block_count = -1;
248 static int hf_smb_mac_alloc_block_size = -1;
249 static int hf_smb_mac_free_block_count = -1;
250 static int hf_smb_mac_fndrinfo = -1;
251 static int hf_smb_mac_root_file_count = -1;
252 static int hf_smb_mac_root_dir_count = -1;
253 static int hf_smb_mac_file_count = -1;
254 static int hf_smb_mac_dir_count = -1;
255 static int hf_smb_mac_support_flags = -1;
256 static int hf_smb_mac_sup_access_ctrl = -1;
257 static int hf_smb_mac_sup_getset_comments = -1;
258 static int hf_smb_mac_sup_desktopdb_calls = -1;
259 static int hf_smb_mac_sup_unique_ids = -1;
260 static int hf_smb_mac_sup_streams = -1;
261 static int hf_smb_create_dos_date = -1;
262 static int hf_smb_create_dos_time = -1;
263 static int hf_smb_last_write_time = -1;
264 static int hf_smb_last_write_dos_date = -1;
265 static int hf_smb_last_write_dos_time = -1;
266 static int hf_smb_access_time = -1;
267 static int hf_smb_access_dos_date = -1;
268 static int hf_smb_access_dos_time = -1;
269 static int hf_smb_old_file_name = -1;
270 static int hf_smb_offset = -1;
271 static int hf_smb_remaining = -1;
272 static int hf_smb_padding = -1;
273 static int hf_smb_file_data = -1;
274 static int hf_smb_total_data_len = -1;
275 static int hf_smb_data_len = -1;
276 static int hf_smb_data_len_low = -1;
277 static int hf_smb_data_len_high = -1;
278 static int hf_smb_seek_mode = -1;
279 static int hf_smb_data_size = -1;
280 static int hf_smb_alloc_size = -1;
281 static int hf_smb_alloc_size64 = -1;
282 static int hf_smb_max_count = -1;
283 static int hf_smb_max_count_low = -1;
284 static int hf_smb_max_count_high = -1;
285 static int hf_smb_min_count = -1;
286 static int hf_smb_timeout = -1;
287 static int hf_smb_high_offset = -1;
288 static int hf_smb_units = -1;
289 static int hf_smb_bpu = -1;
290 static int hf_smb_blocksize = -1;
291 static int hf_smb_freeunits = -1;
292 static int hf_smb_data_offset = -1;
293 static int hf_smb_dcm = -1;
294 static int hf_smb_request_mask = -1;
295 static int hf_smb_response_mask = -1;
296 static int hf_smb_search_id = -1;
297 static int hf_smb_write_mode_write_through = -1;
298 static int hf_smb_write_mode_return_remaining = -1;
299 static int hf_smb_write_mode_raw = -1;
300 static int hf_smb_write_mode_message_start = -1;
301 static int hf_smb_write_mode_connectionless = -1;
302 static int hf_smb_resume_key_len = -1;
303 static int hf_smb_resume_find_id = -1;
304 static int hf_smb_resume_server_cookie = -1;
305 static int hf_smb_resume_client_cookie = -1;
306 static int hf_smb_andxoffset = -1;
307 static int hf_smb_lock_type_large = -1;
308 static int hf_smb_lock_type_cancel = -1;
309 static int hf_smb_lock_type_change = -1;
310 static int hf_smb_lock_type_oplock = -1;
311 static int hf_smb_lock_type_shared = -1;
312 static int hf_smb_locking_ol = -1;
313 static int hf_smb_number_of_locks = -1;
314 static int hf_smb_number_of_unlocks = -1;
315 static int hf_smb_lock_long_offset = -1;
316 static int hf_smb_lock_long_length = -1;
317 static int hf_smb_file_type = -1;
318 static int hf_smb_ipc_state_nonblocking = -1;
319 static int hf_smb_ipc_state_endpoint = -1;
320 static int hf_smb_ipc_state_pipe_type = -1;
321 static int hf_smb_ipc_state_read_mode = -1;
322 static int hf_smb_ipc_state_icount = -1;
323 static int hf_smb_server_fid = -1;
324 static int hf_smb_open_flags_add_info = -1;
325 static int hf_smb_open_flags_ex_oplock = -1;
326 static int hf_smb_open_flags_batch_oplock = -1;
327 static int hf_smb_open_flags_ealen = -1;
328 static int hf_smb_open_action_open = -1;
329 static int hf_smb_open_action_lock = -1;
330 static int hf_smb_vc_num = -1;
331 static int hf_smb_account = -1;
332 static int hf_smb_os = -1;
333 static int hf_smb_lanman = -1;
334 static int hf_smb_setup_action_guest = -1;
335 static int hf_smb_fs = -1;
336 static int hf_smb_connect_flags_dtid = -1;
337 static int hf_smb_connect_support_search = -1;
338 static int hf_smb_connect_support_in_dfs = -1;
339 static int hf_smb_max_setup_count = -1;
340 static int hf_smb_total_param_count = -1;
341 static int hf_smb_total_data_count = -1;
342 static int hf_smb_max_param_count = -1;
343 static int hf_smb_max_data_count = -1;
344 static int hf_smb_param_disp16 = -1;
345 static int hf_smb_param_count16 = -1;
346 static int hf_smb_param_offset16 = -1;
347 static int hf_smb_param_disp32 = -1;
348 static int hf_smb_param_count32 = -1;
349 static int hf_smb_param_offset32 = -1;
350 static int hf_smb_data_disp16 = -1;
351 static int hf_smb_data_count16 = -1;
352 static int hf_smb_data_offset16 = -1;
353 static int hf_smb_data_disp32 = -1;
354 static int hf_smb_data_count32 = -1;
355 static int hf_smb_data_offset32 = -1;
356 static int hf_smb_setup_count = -1;
357 static int hf_smb_nt_trans_subcmd = -1;
358 static int hf_smb_nt_ioctl_function_code = -1;
359 static int hf_smb_nt_ioctl_isfsctl = -1;
360 static int hf_smb_nt_ioctl_flags_root_handle = -1;
361 static int hf_smb_nt_ioctl_data = -1;
362 #ifdef SMB_UNUSED_HANDLES
363 static int hf_smb_nt_security_information = -1;
365 static int hf_smb_nt_notify_action = -1;
366 static int hf_smb_nt_notify_watch_tree = -1;
367 static int hf_smb_nt_notify_stream_write = -1;
368 static int hf_smb_nt_notify_stream_size = -1;
369 static int hf_smb_nt_notify_stream_name = -1;
370 static int hf_smb_nt_notify_security = -1;
371 static int hf_smb_nt_notify_ea = -1;
372 static int hf_smb_nt_notify_creation = -1;
373 static int hf_smb_nt_notify_last_access = -1;
374 static int hf_smb_nt_notify_last_write = -1;
375 static int hf_smb_nt_notify_size = -1;
376 static int hf_smb_nt_notify_attributes = -1;
377 static int hf_smb_nt_notify_dir_name = -1;
378 static int hf_smb_nt_notify_file_name = -1;
379 static int hf_smb_root_dir_fid = -1;
380 static int hf_smb_nt_create_disposition = -1;
381 static int hf_smb_sd_length = -1;
382 static int hf_smb_ea_list_length = -1;
383 static int hf_smb_ea_flags = -1;
384 static int hf_smb_ea_name_length = -1;
385 static int hf_smb_ea_data_length = -1;
386 static int hf_smb_ea_name = -1;
387 static int hf_smb_ea_data = -1;
388 static int hf_smb_file_name_len = -1;
389 static int hf_smb_nt_impersonation_level = -1;
390 static int hf_smb_nt_security_flags_context_tracking = -1;
391 static int hf_smb_nt_security_flags_effective_only = -1;
392 static int hf_smb_nt_access_mask_generic_read = -1;
393 static int hf_smb_nt_access_mask_generic_write = -1;
394 static int hf_smb_nt_access_mask_generic_execute = -1;
395 static int hf_smb_nt_access_mask_generic_all = -1;
396 static int hf_smb_nt_access_mask_maximum_allowed = -1;
397 static int hf_smb_nt_access_mask_system_security = -1;
398 static int hf_smb_nt_access_mask_synchronize = -1;
399 static int hf_smb_nt_access_mask_write_owner = -1;
400 static int hf_smb_nt_access_mask_write_dac = -1;
401 static int hf_smb_nt_access_mask_read_control = -1;
402 static int hf_smb_nt_access_mask_delete = -1;
403 static int hf_smb_nt_access_mask_write_attributes = -1;
404 static int hf_smb_nt_access_mask_read_attributes = -1;
405 static int hf_smb_nt_access_mask_delete_child = -1;
406 static int hf_smb_nt_access_mask_execute = -1;
407 static int hf_smb_nt_access_mask_write_ea = -1;
408 static int hf_smb_nt_access_mask_read_ea = -1;
409 static int hf_smb_nt_access_mask_append = -1;
410 static int hf_smb_nt_access_mask_write = -1;
411 static int hf_smb_nt_access_mask_read = -1;
412 static int hf_smb_nt_create_bits_oplock = -1;
413 static int hf_smb_nt_create_bits_boplock = -1;
414 static int hf_smb_nt_create_bits_dir = -1;
415 static int hf_smb_nt_create_bits_ext_resp = -1;
416 static int hf_smb_nt_create_options_directory_file = -1;
417 static int hf_smb_nt_create_options_write_through = -1;
418 static int hf_smb_nt_create_options_sequential_only = -1;
419 static int hf_smb_nt_create_options_sync_io_alert = -1;
420 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
421 static int hf_smb_nt_create_options_non_directory_file = -1;
422 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
423 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
424 static int hf_smb_nt_create_options_random_access = -1;
425 static int hf_smb_nt_create_options_delete_on_close = -1;
426 static int hf_smb_nt_share_access_read = -1;
427 static int hf_smb_nt_share_access_write = -1;
428 static int hf_smb_nt_share_access_delete = -1;
429 static int hf_smb_file_eattr_read_only = -1;
430 static int hf_smb_file_eattr_hidden = -1;
431 static int hf_smb_file_eattr_system = -1;
432 static int hf_smb_file_eattr_volume = -1;
433 static int hf_smb_file_eattr_directory = -1;
434 static int hf_smb_file_eattr_archive = -1;
435 static int hf_smb_file_eattr_device = -1;
436 static int hf_smb_file_eattr_normal = -1;
437 static int hf_smb_file_eattr_temporary = -1;
438 static int hf_smb_file_eattr_sparse = -1;
439 static int hf_smb_file_eattr_reparse = -1;
440 static int hf_smb_file_eattr_compressed = -1;
441 static int hf_smb_file_eattr_offline = -1;
442 static int hf_smb_file_eattr_not_content_indexed = -1;
443 static int hf_smb_file_eattr_encrypted = -1;
444 static int hf_smb_sec_desc_len = -1;
445 static int hf_smb_sec_desc_revision = -1;
446 static int hf_smb_sec_desc_type_owner_defaulted = -1;
447 static int hf_smb_sec_desc_type_group_defaulted = -1;
448 static int hf_smb_sec_desc_type_dacl_present = -1;
449 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
450 static int hf_smb_sec_desc_type_sacl_present = -1;
451 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
452 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
453 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
454 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
455 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
456 static int hf_smb_sec_desc_type_dacl_protected = -1;
457 static int hf_smb_sec_desc_type_sacl_protected = -1;
458 static int hf_smb_sec_desc_type_self_relative = -1;
459 static int hf_smb_sid = -1;
460 static int hf_smb_sid_revision = -1;
461 static int hf_smb_sid_num_auth = -1;
462 static int hf_smb_acl_revision = -1;
463 static int hf_smb_acl_size = -1;
464 static int hf_smb_acl_num_aces = -1;
465 static int hf_smb_ace_type = -1;
466 static int hf_smb_ace_size = -1;
467 static int hf_smb_ace_flags_object_inherit = -1;
468 static int hf_smb_ace_flags_container_inherit = -1;
469 static int hf_smb_ace_flags_non_propagate_inherit = -1;
470 static int hf_smb_ace_flags_inherit_only = -1;
471 static int hf_smb_ace_flags_inherited_ace = -1;
472 static int hf_smb_ace_flags_successful_access = -1;
473 static int hf_smb_ace_flags_failed_access = -1;
474 static int hf_smb_nt_qsd_owner = -1;
475 static int hf_smb_nt_qsd_group = -1;
476 static int hf_smb_nt_qsd_dacl = -1;
477 static int hf_smb_nt_qsd_sacl = -1;
478 static int hf_smb_extended_attributes = -1;
479 static int hf_smb_oplock_level = -1;
480 static int hf_smb_create_action = -1;
481 static int hf_smb_file_id = -1;
482 static int hf_smb_ea_error_offset = -1;
483 static int hf_smb_end_of_file = -1;
484 static int hf_smb_device_type = -1;
485 static int hf_smb_is_directory = -1;
486 static int hf_smb_next_entry_offset = -1;
487 static int hf_smb_change_time = -1;
488 static int hf_smb_setup_len = -1;
489 static int hf_smb_print_mode = -1;
490 static int hf_smb_print_identifier = -1;
491 static int hf_smb_restart_index = -1;
492 static int hf_smb_print_queue_date = -1;
493 static int hf_smb_print_queue_dos_date = -1;
494 static int hf_smb_print_queue_dos_time = -1;
495 static int hf_smb_print_status = -1;
496 static int hf_smb_print_spool_file_number = -1;
497 static int hf_smb_print_spool_file_size = -1;
498 static int hf_smb_print_spool_file_name = -1;
499 static int hf_smb_start_index = -1;
500 static int hf_smb_originator_name = -1;
501 static int hf_smb_destination_name = -1;
502 static int hf_smb_message_len = -1;
503 static int hf_smb_message = -1;
504 static int hf_smb_mgid = -1;
505 static int hf_smb_forwarded_name = -1;
506 static int hf_smb_machine_name = -1;
507 static int hf_smb_cancel_to = -1;
508 static int hf_smb_trans2_subcmd = -1;
509 static int hf_smb_trans_name = -1;
510 static int hf_smb_transaction_flags_dtid = -1;
511 static int hf_smb_transaction_flags_owt = -1;
512 static int hf_smb_search_count = -1;
513 static int hf_smb_search_pattern = -1;
514 static int hf_smb_ff2_backup = -1;
515 static int hf_smb_ff2_continue = -1;
516 static int hf_smb_ff2_resume = -1;
517 static int hf_smb_ff2_close_eos = -1;
518 static int hf_smb_ff2_close = -1;
519 static int hf_smb_ff2_information_level = -1;
520 static int hf_smb_qpi_loi = -1;
521 static int hf_smb_spi_loi = -1;
523 static int hf_smb_sfi_writetru = -1;
524 static int hf_smb_sfi_caching = -1;
526 static int hf_smb_storage_type = -1;
527 static int hf_smb_resume = -1;
528 static int hf_smb_max_referral_level = -1;
529 static int hf_smb_qfsi_information_level = -1;
530 static int hf_smb_number_of_links = -1;
531 static int hf_smb_delete_pending = -1;
532 static int hf_smb_index_number = -1;
533 static int hf_smb_current_offset = -1;
534 static int hf_smb_t2_alignment = -1;
535 static int hf_smb_t2_stream_name_length = -1;
536 static int hf_smb_t2_stream_size = -1;
537 static int hf_smb_t2_stream_name = -1;
538 static int hf_smb_t2_compressed_file_size = -1;
539 static int hf_smb_t2_compressed_format = -1;
540 static int hf_smb_t2_compressed_unit_shift = -1;
541 static int hf_smb_t2_compressed_chunk_shift = -1;
542 static int hf_smb_t2_compressed_cluster_shift = -1;
543 static int hf_smb_t2_marked_for_deletion = -1;
544 static int hf_smb_dfs_path_consumed = -1;
545 static int hf_smb_dfs_num_referrals = -1;
546 static int hf_smb_get_dfs_server_hold_storage = -1;
547 static int hf_smb_get_dfs_fielding = -1;
548 static int hf_smb_dfs_referral_version = -1;
549 static int hf_smb_dfs_referral_size = -1;
550 static int hf_smb_dfs_referral_server_type = -1;
551 static int hf_smb_dfs_referral_flags_strip = -1;
552 static int hf_smb_dfs_referral_node_offset = -1;
553 static int hf_smb_dfs_referral_node = -1;
554 static int hf_smb_dfs_referral_proximity = -1;
555 static int hf_smb_dfs_referral_ttl = -1;
556 static int hf_smb_dfs_referral_path_offset = -1;
557 static int hf_smb_dfs_referral_path = -1;
558 static int hf_smb_dfs_referral_alt_path_offset = -1;
559 static int hf_smb_dfs_referral_alt_path = -1;
560 static int hf_smb_end_of_search = -1;
561 static int hf_smb_last_name_offset = -1;
562 static int hf_smb_fn_information_level = -1;
563 static int hf_smb_monitor_handle = -1;
564 static int hf_smb_change_count = -1;
565 static int hf_smb_file_index = -1;
566 static int hf_smb_short_file_name = -1;
567 static int hf_smb_short_file_name_len = -1;
568 static int hf_smb_fs_id = -1;
569 static int hf_smb_fs_guid = -1;
570 static int hf_smb_sector_unit = -1;
571 static int hf_smb_fs_units = -1;
572 static int hf_smb_fs_sector = -1;
573 static int hf_smb_avail_units = -1;
574 static int hf_smb_volume_serial_num = -1;
575 static int hf_smb_volume_label_len = -1;
576 static int hf_smb_volume_label = -1;
577 static int hf_smb_free_alloc_units64 = -1;
578 static int hf_smb_caller_free_alloc_units64 = -1;
579 static int hf_smb_actual_free_alloc_units64 = -1;
580 static int hf_smb_max_name_len = -1;
581 static int hf_smb_fs_name_len = -1;
582 static int hf_smb_fs_name = -1;
583 static int hf_smb_device_char_removable = -1;
584 static int hf_smb_device_char_read_only = -1;
585 static int hf_smb_device_char_floppy = -1;
586 static int hf_smb_device_char_write_once = -1;
587 static int hf_smb_device_char_remote = -1;
588 static int hf_smb_device_char_mounted = -1;
589 static int hf_smb_device_char_virtual = -1;
590 static int hf_smb_fs_attr_css = -1;
591 static int hf_smb_fs_attr_cpn = -1;
592 static int hf_smb_fs_attr_pacls = -1;
593 static int hf_smb_fs_attr_fc = -1;
594 static int hf_smb_fs_attr_vq = -1;
595 static int hf_smb_fs_attr_dim = -1;
596 static int hf_smb_fs_attr_vic = -1;
597 static int hf_smb_quota_flags_enabled = -1;
598 static int hf_smb_quota_flags_deny_disk = -1;
599 static int hf_smb_quota_flags_log_limit = -1;
600 static int hf_smb_quota_flags_log_warning = -1;
601 static int hf_smb_soft_quota_limit = -1;
602 static int hf_smb_hard_quota_limit = -1;
603 static int hf_smb_user_quota_used = -1;
604 static int hf_smb_user_quota_offset = -1;
605 static int hf_smb_nt_rename_level = -1;
606 static int hf_smb_cluster_count = -1;
607 static int hf_smb_segments = -1;
608 static int hf_smb_segment = -1;
609 static int hf_smb_segment_overlap = -1;
610 static int hf_smb_segment_overlap_conflict = -1;
611 static int hf_smb_segment_multiple_tails = -1;
612 static int hf_smb_segment_too_long_fragment = -1;
613 static int hf_smb_segment_error = -1;
614 static int hf_smb_pipe_write_len = -1;
615 static int hf_smb_unix_major_version = -1;
616 static int hf_smb_unix_minor_version = -1;
617 static int hf_smb_unix_capability_fcntl = -1;
618 static int hf_smb_unix_capability_posix_acl = -1;
619 static int hf_smb_unix_file_size = -1;
620 static int hf_smb_unix_file_num_bytes = -1;
621 static int hf_smb_unix_file_last_status = -1;
622 static int hf_smb_unix_file_last_access = -1;
623 static int hf_smb_unix_file_last_change = -1;
624 static int hf_smb_unix_file_uid = -1;
625 static int hf_smb_unix_file_gid = -1;
626 static int hf_smb_unix_file_type = -1;
627 static int hf_smb_unix_file_dev_major = -1;
628 static int hf_smb_unix_file_dev_minor = -1;
629 static int hf_smb_unix_file_unique_id = -1;
630 static int hf_smb_unix_file_permissions = -1;
631 static int hf_smb_unix_file_nlinks = -1;
632 static int hf_smb_unix_file_link_dest = -1;
633 static int hf_smb_unix_find_file_nextoffset = -1;
634 static int hf_smb_unix_find_file_resumekey = -1;
636 static gint ett_smb = -1;
637 static gint ett_smb_hdr = -1;
638 static gint ett_smb_command = -1;
639 static gint ett_smb_fileattributes = -1;
640 static gint ett_smb_capabilities = -1;
641 static gint ett_smb_aflags = -1;
642 static gint ett_smb_dialect = -1;
643 static gint ett_smb_dialects = -1;
644 static gint ett_smb_mode = -1;
645 static gint ett_smb_rawmode = -1;
646 static gint ett_smb_flags = -1;
647 static gint ett_smb_flags2 = -1;
648 static gint ett_smb_desiredaccess = -1;
649 static gint ett_smb_search = -1;
650 static gint ett_smb_file = -1;
651 static gint ett_smb_openfunction = -1;
652 static gint ett_smb_filetype = -1;
653 static gint ett_smb_openaction = -1;
654 static gint ett_smb_writemode = -1;
655 static gint ett_smb_lock_type = -1;
656 static gint ett_smb_ssetupandxaction = -1;
657 static gint ett_smb_optionsup = -1;
658 static gint ett_smb_time_date = -1;
659 static gint ett_smb_move_copy_flags = -1;
660 static gint ett_smb_file_attributes = -1;
661 static gint ett_smb_search_resume_key = -1;
662 static gint ett_smb_search_dir_info = -1;
663 static gint ett_smb_unlocks = -1;
664 static gint ett_smb_unlock = -1;
665 static gint ett_smb_locks = -1;
666 static gint ett_smb_lock = -1;
667 static gint ett_smb_open_flags = -1;
668 static gint ett_smb_ipc_state = -1;
669 static gint ett_smb_open_action = -1;
670 static gint ett_smb_setup_action = -1;
671 static gint ett_smb_connect_flags = -1;
672 static gint ett_smb_connect_support_bits = -1;
673 static gint ett_smb_nt_access_mask = -1;
674 static gint ett_smb_nt_create_bits = -1;
675 static gint ett_smb_nt_create_options = -1;
676 static gint ett_smb_nt_share_access = -1;
677 static gint ett_smb_nt_security_flags = -1;
678 static gint ett_smb_nt_trans_setup = -1;
679 static gint ett_smb_nt_trans_data = -1;
680 static gint ett_smb_nt_trans_param = -1;
681 static gint ett_smb_nt_notify_completion_filter = -1;
682 static gint ett_smb_nt_ioctl_flags = -1;
683 static gint ett_smb_security_information_mask = -1;
684 static gint ett_smb_print_queue_entry = -1;
685 static gint ett_smb_transaction_flags = -1;
686 static gint ett_smb_transaction_params = -1;
687 static gint ett_smb_find_first2_flags = -1;
688 static gint ett_smb_mac_support_flags = -1;
690 static gint ett_smb_ioflag = -1;
692 static gint ett_smb_transaction_data = -1;
693 static gint ett_smb_stream_info = -1;
694 static gint ett_smb_dfs_referrals = -1;
695 static gint ett_smb_dfs_referral = -1;
696 static gint ett_smb_dfs_referral_flags = -1;
697 static gint ett_smb_get_dfs_flags = -1;
698 static gint ett_smb_ff2_data = -1;
699 static gint ett_smb_device_characteristics = -1;
700 static gint ett_smb_fs_attributes = -1;
701 static gint ett_smb_segments = -1;
702 static gint ett_smb_segment = -1;
703 static gint ett_smb_sec_desc = -1;
704 static gint ett_smb_sid = -1;
705 static gint ett_smb_acl = -1;
706 static gint ett_smb_ace = -1;
707 static gint ett_smb_ace_flags = -1;
708 static gint ett_smb_sec_desc_type = -1;
709 static gint ett_smb_quotaflags = -1;
710 static gint ett_smb_secblob = -1;
711 static gint ett_smb_unicode_password = -1;
712 static gint ett_smb_ea = -1;
713 static gint ett_smb_unix_capabilities = -1;
715 static int smb_tap = -1;
717 static dissector_handle_t gssapi_handle = NULL;
718 static dissector_handle_t ntlmssp_handle = NULL;
720 static const fragment_items smb_frag_items = {
726 &hf_smb_segment_overlap,
727 &hf_smb_segment_overlap_conflict,
728 &hf_smb_segment_multiple_tails,
729 &hf_smb_segment_too_long_fragment,
730 &hf_smb_segment_error,
736 proto_tree *top_tree=NULL; /* ugly */
738 static char *decode_smb_name(unsigned char);
739 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
742 * Macros for use in the main dissector routines for an SMB.
747 wc = tvb_get_guint8(tvb, offset); \
748 proto_tree_add_uint(tree, hf_smb_word_count, \
749 tvb, offset, 1, wc); \
751 if(wc==0) goto bytecount;
755 bc = tvb_get_letohs(tvb, offset); \
756 proto_tree_add_uint(tree, hf_smb_byte_count, \
757 tvb, offset, 2, bc); \
759 if(bc==0) goto endofcommand;
761 #define CHECK_BYTE_COUNT(len) \
762 if (bc < len) goto endofcommand;
764 #define COUNT_BYTES(len) {\
773 proto_tree_add_text(tree, tvb, offset, bc, \
774 "Extra byte parameters"); \
780 * Macros for use in routines called by them.
782 #define CHECK_BYTE_COUNT_SUBR(len) \
788 #define CHECK_STRING_SUBR(fn) \
794 #define COUNT_BYTES_SUBR(len) \
799 * Macros for use when dissecting transaction parameters and data
801 #define CHECK_BYTE_COUNT_TRANS(len) \
802 if (bc < len) return offset;
804 #define CHECK_STRING_TRANS(fn) \
805 if (fn == NULL) return offset;
807 #define COUNT_BYTES_TRANS(len) \
812 * Macros for use in subrroutines dissecting transaction parameters or data
814 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
815 if (*bcp < len) return offset;
817 #define CHECK_STRING_TRANS_SUBR(fn) \
818 if (fn == NULL) return offset;
820 #define COUNT_BYTES_TRANS_SUBR(len) \
825 gboolean sid_name_snooping = FALSE;
827 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
828 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
829 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
830 static gboolean smb_trans_reassembly = FALSE;
831 gboolean smb_dcerpc_reassembly = FALSE;
833 static GHashTable *smb_trans_fragment_table = NULL;
836 smb_trans_reassembly_init(void)
838 fragment_table_init(&smb_trans_fragment_table);
841 static fragment_data *
842 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
843 int offset, int count, int pos, int totlen)
845 fragment_data *fd_head=NULL;
849 more_frags=totlen>(pos+count);
851 si = (smb_info_t *)pinfo->private_data;
852 if (si->sip == NULL) {
854 * We don't have the frame number of the request.
856 * XXX - is there truly nothing we can do here?
857 * Can we not separately keep track of the original
858 * transaction and its continuations, as we did
861 * It is probably not much point in even trying to do something here
862 * if we have never seen the initial request. Without the initial
863 * request we probably miss all parameters and the begining of data
864 * so we cant even call a subdissector since we can not determine
865 * which type of transaction call this is.
870 if(!pinfo->fd->flags.visited){
871 fd_head = fragment_add(tvb, offset, pinfo,
872 si->sip->frame_req, smb_trans_fragment_table,
873 pos, count, more_frags);
875 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
878 /* we only show the defragmented packet for the first fragment,
879 or else we might end up with dissecting one HUGE transaction PDU
880 a LOT of times. (first fragment is the only one containing the setup
882 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
883 SMBs. Takes a LOT of time dissecting and is not fun.
885 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
896 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
897 These variables and functions are used to match
899 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
901 * The information we need to save about a request in order to show the
902 * frame number of the request in the dissection of the reply.
907 } smb_saved_info_key_t;
909 static GMemChunk *smb_saved_info_key_chunk = NULL;
910 static GMemChunk *smb_saved_info_chunk = NULL;
911 static int smb_saved_info_init_count = 200;
913 /* unmatched smb_saved_info structures.
914 For unmatched smb_saved_info structures we store the smb_saved_info
915 structure using the MID and the PID as the key.
917 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
918 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
919 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
922 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
924 register guint32 key1 = (guint32)k1;
925 register guint32 key2 = (guint32)k2;
929 smb_saved_info_hash_unmatched(gconstpointer k)
931 register guint32 key = (guint32)k;
935 /* matched smb_saved_info structures.
936 For matched smb_saved_info structures we store the smb_saved_info
937 structure twice in the table using the frame number, and a combination
938 of the MID and the PID, as the key.
939 The frame number is guaranteed to be unique but if ever someone makes
940 some change that will renumber the frames in a capture we are in BIG trouble.
941 This is not likely though since that would break (among other things) all the
942 reassembly routines as well.
944 We also need the MID as there may be more than one SMB request or reply
945 in a single frame, and we also need the PID as there may be more than
946 one outstanding request with the same MID and different PIDs.
949 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
951 const smb_saved_info_key_t *key1 = k1;
952 const smb_saved_info_key_t *key2 = k2;
953 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
956 smb_saved_info_hash_matched(gconstpointer k)
958 const smb_saved_info_key_t *key = k;
959 return key->frame + key->pid_mid;
962 static GMemChunk *smb_nt_transact_info_chunk = NULL;
963 static int smb_nt_transact_info_init_count = 200;
965 static GMemChunk *smb_transact2_info_chunk = NULL;
966 static int smb_transact2_info_init_count = 200;
969 * The information we need to save about a Transaction request in order
970 * to dissect the reply; this includes information for use by the
971 * Remote API dissector.
973 static GMemChunk *smb_transact_info_chunk = NULL;
974 static int smb_transact_info_init_count = 200;
976 static GMemChunk *conv_tables_chunk = NULL;
977 static GSList *conv_tables = NULL;
978 static int conv_tables_count = 10;
981 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
982 End of request/response matching functions
983 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
985 static const value_string buffer_format_vals[] = {
990 {5, "Variable Block"},
995 * UTIME - this is *almost* like a UNIX time stamp, except that it's
996 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
997 * January 1, 1970, 00:00:00 GMT.
999 * This means we have to do some extra work to convert it. This code is
1000 * based on the Samba code:
1002 * Unix SMB/Netbios implementation.
1004 * time handling functions
1005 * Copyright (C) Andrew Tridgell 1992-1998
1009 * Yield the difference between *A and *B, in seconds, ignoring leap
1012 #define TM_YEAR_BASE 1900
1015 tm_diff(struct tm *a, struct tm *b)
1017 int ay = a->tm_year + (TM_YEAR_BASE - 1);
1018 int by = b->tm_year + (TM_YEAR_BASE - 1);
1019 int intervening_leap_days =
1020 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
1021 int years = ay - by;
1023 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
1024 int hours = 24*days + (a->tm_hour - b->tm_hour);
1025 int minutes = 60*hours + (a->tm_min - b->tm_min);
1026 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
1032 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1038 struct tm *tm = gmtime(&t);
1047 return tm_diff(&tm_utc,tm);
1051 * Return the same value as TimeZone, but it should be more efficient.
1053 * We keep a table of DST offsets to prevent calling localtime() on each
1054 * call of this function. This saves a LOT of time on many unixes.
1056 * Updated by Paul Eggert <eggert@twinsun.com>
1063 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1064 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
1067 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
1071 TimeZoneFaster(time_t t)
1073 static struct dst_table {time_t start,end; int zone;} *tdt;
1074 static struct dst_table *dst_table = NULL;
1075 static int table_size = 0;
1082 /* Tunis has a 8 day DST region, we need to be careful ... */
1083 #define MAX_DST_WIDTH (365*24*60*60)
1084 #define MAX_DST_SKIP (7*24*60*60)
1086 for (i = 0; i < table_size; i++) {
1087 if (t >= dst_table[i].start && t <= dst_table[i].end)
1091 if (i < table_size) {
1092 zone = dst_table[i].zone;
1097 if (dst_table == NULL)
1098 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1100 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1109 dst_table[i].zone = zone;
1110 dst_table[i].start = dst_table[i].end = t;
1112 /* no entry will cover more than 6 months */
1113 low = t - MAX_DST_WIDTH/2;
1117 high = t + MAX_DST_WIDTH/2;
1122 * Widen the new entry using two bisection searches.
1124 while (low+60*60 < dst_table[i].start) {
1125 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1126 t = dst_table[i].start - MAX_DST_SKIP;
1128 t = low + (dst_table[i].start-low)/2;
1129 if (TimeZone(t) == zone)
1130 dst_table[i].start = t;
1135 while (high-60*60 > dst_table[i].end) {
1136 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1137 t = dst_table[i].end + MAX_DST_SKIP;
1139 t = high - (high-dst_table[i].end)/2;
1140 if (TimeZone(t) == zone)
1141 dst_table[i].end = t;
1151 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1152 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1153 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1154 * daylight savings transitions because some local times are ambiguous.
1155 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
1158 LocTimeDiff(time_t lt)
1160 int d = TimeZoneFaster(lt);
1163 /* if overflow occurred, ignore all the adjustments so far */
1164 if (((t < lt) ^ (d < 0)))
1168 * Now t should be close enough to the true UTC to yield the
1171 return TimeZoneFaster(t);
1175 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1180 timeval = tvb_get_letohl(tvb, offset);
1181 if (timeval == 0xffffffff) {
1182 proto_tree_add_text(tree, tvb, offset, 4,
1183 "%s: No time specified (0xffffffff)",
1184 proto_registrar_get_name(hf_date));
1190 * We add the local time offset.
1192 ts.secs = timeval + LocTimeDiff(timeval);
1195 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1201 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1204 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1206 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1207 * midnight "UTC", in 100ns units.
1208 * Return TRUE if the conversion succeeds, FALSE otherwise.
1210 * According to the Samba code, it appears to be kludge-GMT (at least for
1211 * file listings). This means it's the GMT you get by taking a local time
1212 * and adding the server time zone offset. This is NOT the same as GMT in
1213 * some cases. However, we don't know the server time zone, so we don't
1214 * do that adjustment.
1216 * This code is based on the Samba code:
1218 * Unix SMB/Netbios implementation.
1220 * time handling functions
1221 * Copyright (C) Andrew Tridgell 1992-1998
1224 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1227 /* The next two lines are a fix needed for the
1228 broken SCO compiler. JRA. */
1229 time_t l_time_min = TIME_T_MIN;
1230 time_t l_time_max = TIME_T_MAX;
1232 if (filetime_high == 0)
1236 * Get the time as a double, in seconds and fractional seconds.
1238 d = ((double)filetime_high)*4.0*(double)(1<<30);
1242 /* Now adjust by 369 years, to make the seconds since 1970. */
1243 d -= TIME_FIXUP_CONSTANT;
1245 if (!(l_time_min <= d && d <= l_time_max))
1249 * Get the time as seconds and nanoseconds.
1252 tv->nsecs = (d - tv->secs)*1000000000;
1258 dissect_smb_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1260 guint32 filetime_high, filetime_low;
1263 /* XXX there seems also to be another special time value which is fairly common :
1265 the meaning of this one is yet unknown
1268 filetime_low = tvb_get_letohl(tvb, offset);
1269 filetime_high = tvb_get_letohl(tvb, offset + 4);
1270 if (filetime_low == 0 && filetime_high == 0) {
1271 proto_tree_add_text(tree, tvb, offset, 8,
1272 "%s: No time specified (0)",
1273 proto_registrar_get_name(hf_date));
1274 } else if(filetime_low==0 && filetime_high==0x80000000){
1275 proto_tree_add_text(tree, tvb, offset, 8,
1276 "%s: Infinity (relative time)",
1277 proto_registrar_get_name(hf_date));
1278 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1279 proto_tree_add_text(tree, tvb, offset, 8,
1280 "%s: Infinity (absolute time)",
1281 proto_registrar_get_name(hf_date));
1283 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1284 proto_tree_add_time(tree, hf_date, tvb,
1287 proto_tree_add_text(tree, tvb, offset, 8,
1288 "%s: Time can't be converted",
1289 proto_registrar_get_name(hf_date));
1299 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1300 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1302 guint16 dos_time, dos_date;
1303 proto_item *item = NULL;
1304 proto_tree *tree = NULL;
1307 static const int mday_noleap[12] = {
1308 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1310 static const int mday_leap[12] = {
1311 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1313 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1317 dos_time = tvb_get_letohs(tvb, offset);
1318 dos_date = tvb_get_letohs(tvb, offset+2);
1320 dos_date = tvb_get_letohs(tvb, offset);
1321 dos_time = tvb_get_letohs(tvb, offset+2);
1324 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1325 (dos_date == 0 && dos_time == 0)) {
1327 * No date/time specified.
1330 proto_tree_add_text(parent_tree, tvb, offset, 4,
1331 "%s: No time specified (0x%08x)",
1332 proto_registrar_get_name(hf_date),
1333 (dos_date << 16) | dos_time);
1339 tm.tm_sec = (dos_time&0x1f)*2;
1340 tm.tm_min = (dos_time>>5)&0x3f;
1341 tm.tm_hour = (dos_time>>11)&0x1f;
1342 tm.tm_mday = dos_date&0x1f;
1343 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1344 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1348 * Do some sanity checks before calling "mktime()";
1349 * "mktime()" doesn't do them, it "normalizes" out-of-range
1352 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1353 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1354 (ISLEAP(tm.tm_year + 1900) ?
1355 tm.tm_mday > mday_leap[tm.tm_mon] :
1356 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1357 (t = mktime(&tm)) == -1) {
1359 * Invalid date/time.
1362 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1364 proto_registrar_get_name(hf_date));
1365 tree = proto_item_add_subtree(item, ett_smb_time_date);
1367 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1368 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1370 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1371 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1382 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1383 tree = proto_item_add_subtree(item, ett_smb_time_date);
1385 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1386 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1388 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1389 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1399 static const value_string da_access_vals[] = {
1400 { 0, "Open for reading"},
1401 { 1, "Open for writing"},
1402 { 2, "Open for reading and writing"},
1403 { 3, "Open for execute"},
1406 static const value_string da_sharing_vals[] = {
1407 { 0, "Compatibility mode"},
1408 { 1, "Deny read/write/execute (exclusive)"},
1410 { 3, "Deny read/execute"},
1414 static const value_string da_locality_vals[] = {
1415 { 0, "Locality of reference unknown"},
1416 { 1, "Mainly sequential access"},
1417 { 2, "Mainly random access"},
1418 { 3, "Random access with some locality"},
1421 static const true_false_string tfs_da_caching = {
1422 "Do not cache this file",
1423 "Caching permitted on this file"
1425 static const true_false_string tfs_da_writetru = {
1426 "Write through enabled",
1427 "Write through disabled"
1430 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, char *type)
1433 proto_item *item = NULL;
1434 proto_tree *tree = NULL;
1436 mask = tvb_get_letohs(tvb, offset);
1439 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1440 "%s Access: 0x%04x", type, mask);
1441 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1444 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1445 tvb, offset, 2, mask);
1446 proto_tree_add_boolean(tree, hf_smb_access_caching,
1447 tvb, offset, 2, mask);
1448 proto_tree_add_uint(tree, hf_smb_access_locality,
1449 tvb, offset, 2, mask);
1450 proto_tree_add_uint(tree, hf_smb_access_sharing,
1451 tvb, offset, 2, mask);
1452 proto_tree_add_uint(tree, hf_smb_access_mode,
1453 tvb, offset, 2, mask);
1460 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1461 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1462 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1463 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1464 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1465 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1466 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1467 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1468 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1469 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1470 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1471 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1472 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1473 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1474 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1476 static const true_false_string tfs_file_attribute_read_only = {
1477 "This file is READ ONLY",
1478 "This file is NOT read only",
1480 static const true_false_string tfs_file_attribute_hidden = {
1481 "This is a HIDDEN file",
1482 "This is NOT a hidden file"
1484 static const true_false_string tfs_file_attribute_system = {
1485 "This is a SYSTEM file",
1486 "This is NOT a system file"
1488 static const true_false_string tfs_file_attribute_volume = {
1489 "This is a VOLUME ID",
1490 "This is NOT a volume ID"
1492 static const true_false_string tfs_file_attribute_directory = {
1493 "This is a DIRECTORY",
1494 "This is NOT a directory"
1496 static const true_false_string tfs_file_attribute_archive = {
1497 "This file has been modified since last ARCHIVE",
1498 "This file has NOT been modified since last archive"
1500 static const true_false_string tfs_file_attribute_device = {
1502 "This is NOT a device"
1504 static const true_false_string tfs_file_attribute_normal = {
1505 "This file is an ordinary file",
1506 "This file has some attribute set"
1508 static const true_false_string tfs_file_attribute_temporary = {
1509 "This is a TEMPORARY file",
1510 "This is NOT a temporary file"
1512 static const true_false_string tfs_file_attribute_sparse = {
1513 "This is a SPARSE file",
1514 "This is NOT a sparse file"
1516 static const true_false_string tfs_file_attribute_reparse = {
1517 "This file has an associated REPARSE POINT",
1518 "This file does NOT have an associated reparse point"
1520 static const true_false_string tfs_file_attribute_compressed = {
1521 "This is a COMPRESSED file",
1522 "This is NOT a compressed file"
1524 static const true_false_string tfs_file_attribute_offline = {
1525 "This file is OFFLINE",
1526 "This file is NOT offline"
1528 static const true_false_string tfs_file_attribute_not_content_indexed = {
1529 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1530 "This file MAY be indexed by the content indexing service"
1532 static const true_false_string tfs_file_attribute_encrypted = {
1533 "This is an ENCRYPTED file",
1534 "This is NOT an encrypted file"
1538 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1539 * listed as USHORT, and seem to be in packets in the wild, while in other
1540 * places they are listed as ULONG, and also seem to be.
1542 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
1547 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1551 proto_item *item = NULL;
1552 proto_tree *tree = NULL;
1554 if (bytes != 2 && bytes != 4) {
1556 fprintf(stderr, "Incorrect number of bytes passed to dissect_file_attributes.\nMust be 2 or 4, was %d\n", bytes);
1562 * The actual bits of interest appear to only be a USHORT
1564 /* FIXME if this ever changes! */
1565 mask = tvb_get_letohs(tvb, offset);
1568 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1569 "File Attributes: 0x%08x", mask);
1570 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1572 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1573 tvb, offset, bytes, mask);
1574 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1575 tvb, offset, bytes, mask);
1576 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1577 tvb, offset, bytes, mask);
1578 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1579 tvb, offset, bytes, mask);
1580 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1581 tvb, offset, bytes, mask);
1582 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1583 tvb, offset, bytes, mask);
1584 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1585 tvb, offset, bytes, mask);
1586 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1587 tvb, offset, bytes, mask);
1588 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1589 tvb, offset, bytes, mask);
1590 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1591 tvb, offset, bytes, mask);
1592 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1593 tvb, offset, bytes, mask);
1594 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1595 tvb, offset, bytes, mask);
1596 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1597 tvb, offset, bytes, mask);
1598 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1599 tvb, offset, bytes, mask);
1600 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1601 tvb, offset, bytes, mask);
1610 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1613 proto_item *item = NULL;
1614 proto_tree *tree = NULL;
1616 mask = tvb_get_letohl(tvb, offset);
1619 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1620 "File Attributes: 0x%08x", mask);
1621 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1625 * XXX - Network Monitor disagrees on some of the
1626 * bits, e.g. the bits above temporary are "atomic write"
1627 * and "transaction write", and it says nothing about the
1630 * Does the Win32 API documentation, or the NT Native API book,
1633 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1634 tvb, offset, 4, mask);
1635 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1636 tvb, offset, 4, mask);
1637 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1638 tvb, offset, 4, mask);
1639 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1640 tvb, offset, 4, mask);
1641 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1642 tvb, offset, 4, mask);
1643 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1644 tvb, offset, 4, mask);
1645 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1646 tvb, offset, 4, mask);
1647 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1648 tvb, offset, 4, mask);
1649 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1650 tvb, offset, 4, mask);
1651 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1652 tvb, offset, 4, mask);
1653 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1654 tvb, offset, 4, mask);
1655 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1656 tvb, offset, 4, mask);
1657 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1658 tvb, offset, 4, mask);
1659 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1660 tvb, offset, 4, mask);
1661 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1662 tvb, offset, 4, mask);
1670 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1673 proto_item *item = NULL;
1674 proto_tree *tree = NULL;
1676 mask = tvb_get_guint8(tvb, offset);
1679 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1680 "File Attributes: 0x%02x", mask);
1681 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1683 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1684 tvb, offset, 1, mask);
1685 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1686 tvb, offset, 1, mask);
1687 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1688 tvb, offset, 1, mask);
1689 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1690 tvb, offset, 1, mask);
1691 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1692 tvb, offset, 1, mask);
1693 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1694 tvb, offset, 1, mask);
1701 static const true_false_string tfs_search_attribute_read_only = {
1702 "Include READ ONLY files in search results",
1703 "Do NOT include read only files in search results",
1705 static const true_false_string tfs_search_attribute_hidden = {
1706 "Include HIDDEN files in search results",
1707 "Do NOT include hidden files in search results"
1709 static const true_false_string tfs_search_attribute_system = {
1710 "Include SYSTEM files in search results",
1711 "Do NOT include system files in search results"
1713 static const true_false_string tfs_search_attribute_volume = {
1714 "Include VOLUME IDs in search results",
1715 "Do NOT include volume IDs in search results"
1717 static const true_false_string tfs_search_attribute_directory = {
1718 "Include DIRECTORIES in search results",
1719 "Do NOT include directories in search results"
1721 static const true_false_string tfs_search_attribute_archive = {
1722 "Include ARCHIVE files in search results",
1723 "Do NOT include archive files in search results"
1727 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1730 proto_item *item = NULL;
1731 proto_tree *tree = NULL;
1733 mask = tvb_get_letohs(tvb, offset);
1736 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1737 "Search Attributes: 0x%04x", mask);
1738 tree = proto_item_add_subtree(item, ett_smb_search);
1741 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1742 tvb, offset, 2, mask);
1743 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1744 tvb, offset, 2, mask);
1745 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1746 tvb, offset, 2, mask);
1747 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1748 tvb, offset, 2, mask);
1749 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1750 tvb, offset, 2, mask);
1751 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1752 tvb, offset, 2, mask);
1760 * XXX - this isn't used.
1761 * Is this used for anything? NT Create AndX doesn't use it.
1762 * Is there some 16-bit attribute field with more bits than Read Only,
1763 * Hidden, System, Volume ID, Directory, and Archive?
1766 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1769 proto_item *item = NULL;
1770 proto_tree *tree = NULL;
1772 mask = tvb_get_letohl(tvb, offset);
1775 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1776 "File Attributes: 0x%08x", mask);
1777 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1779 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1780 tvb, offset, 2, mask);
1781 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1782 tvb, offset, 2, mask);
1783 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1784 tvb, offset, 2, mask);
1785 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1786 tvb, offset, 2, mask);
1787 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1788 tvb, offset, 2, mask);
1789 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1790 tvb, offset, 2, mask);
1791 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1792 tvb, offset, 2, mask);
1793 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1794 tvb, offset, 2, mask);
1795 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1796 tvb, offset, 2, mask);
1797 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1798 tvb, offset, 2, mask);
1799 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1800 tvb, offset, 2, mask);
1801 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1802 tvb, offset, 2, mask);
1803 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1804 tvb, offset, 2, mask);
1805 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1806 tvb, offset, 2, mask);
1807 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1808 tvb, offset, 2, mask);
1817 #define SERVER_CAP_RAW_MODE 0x00000001
1818 #define SERVER_CAP_MPX_MODE 0x00000002
1819 #define SERVER_CAP_UNICODE 0x00000004
1820 #define SERVER_CAP_LARGE_FILES 0x00000008
1821 #define SERVER_CAP_NT_SMBS 0x00000010
1822 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1823 #define SERVER_CAP_STATUS32 0x00000040
1824 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1825 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1826 #define SERVER_CAP_NT_FIND 0x00000200
1827 #define SERVER_CAP_DFS 0x00001000
1828 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1829 #define SERVER_CAP_LARGE_READX 0x00004000
1830 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1831 #define SERVER_CAP_UNIX 0x00800000
1832 #define SERVER_CAP_RESERVED 0x02000000
1833 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1834 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1835 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1836 static const true_false_string tfs_server_cap_raw_mode = {
1837 "Read Raw and Write Raw are supported",
1838 "Read Raw and Write Raw are not supported"
1840 static const true_false_string tfs_server_cap_mpx_mode = {
1841 "Read Mpx and Write Mpx are supported",
1842 "Read Mpx and Write Mpx are not supported"
1844 static const true_false_string tfs_server_cap_unicode = {
1845 "Unicode strings are supported",
1846 "Unicode strings are not supported"
1848 static const true_false_string tfs_server_cap_large_files = {
1849 "Large files are supported",
1850 "Large files are not supported",
1852 static const true_false_string tfs_server_cap_nt_smbs = {
1853 "NT SMBs are supported",
1854 "NT SMBs are not supported"
1856 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1857 "RPC remote APIs are supported",
1858 "RPC remote APIs are not supported"
1860 static const true_false_string tfs_server_cap_nt_status = {
1861 "NT status codes are supported",
1862 "NT status codes are not supported"
1864 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1865 "Level 2 oplocks are supported",
1866 "Level 2 oplocks are not supported"
1868 static const true_false_string tfs_server_cap_lock_and_read = {
1869 "Lock and Read is supported",
1870 "Lock and Read is not supported"
1872 static const true_false_string tfs_server_cap_nt_find = {
1873 "NT Find is supported",
1874 "NT Find is not supported"
1876 static const true_false_string tfs_server_cap_dfs = {
1878 "Dfs is not supported"
1880 static const true_false_string tfs_server_cap_infolevel_passthru = {
1881 "NT information level request passthrough is supported",
1882 "NT information level request passthrough is not supported"
1884 static const true_false_string tfs_server_cap_large_readx = {
1885 "Large Read andX is supported",
1886 "Large Read andX is not supported"
1888 static const true_false_string tfs_server_cap_large_writex = {
1889 "Large Write andX is supported",
1890 "Large Write andX is not supported"
1892 static const true_false_string tfs_server_cap_unix = {
1893 "UNIX extensions are supported",
1894 "UNIX extensions are not supported"
1896 static const true_false_string tfs_server_cap_reserved = {
1900 static const true_false_string tfs_server_cap_bulk_transfer = {
1901 "Bulk Read and Bulk Write are supported",
1902 "Bulk Read and Bulk Write are not supported"
1904 static const true_false_string tfs_server_cap_compressed_data = {
1905 "Compressed data transfer is supported",
1906 "Compressed data transfer is not supported"
1908 static const true_false_string tfs_server_cap_extended_security = {
1909 "Extended security exchanges are supported",
1910 "Extended security exchanges are not supported"
1913 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1916 proto_item *item = NULL;
1917 proto_tree *tree = NULL;
1919 mask = tvb_get_letohl(tvb, offset);
1922 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1923 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1926 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1927 tvb, offset, 4, mask);
1928 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1929 tvb, offset, 4, mask);
1930 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1931 tvb, offset, 4, mask);
1932 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1933 tvb, offset, 4, mask);
1934 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1935 tvb, offset, 4, mask);
1936 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1937 tvb, offset, 4, mask);
1938 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1939 tvb, offset, 4, mask);
1940 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1941 tvb, offset, 4, mask);
1942 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1943 tvb, offset, 4, mask);
1944 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1945 tvb, offset, 4, mask);
1946 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1947 tvb, offset, 4, mask);
1948 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1949 tvb, offset, 4, mask);
1950 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1951 tvb, offset, 4, mask);
1952 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1953 tvb, offset, 4, mask);
1954 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1955 tvb, offset, 4, mask);
1956 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1957 tvb, offset, 4, mask);
1958 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1959 tvb, offset, 4, mask);
1960 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1961 tvb, offset, 4, mask);
1962 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1963 tvb, offset, 4, mask);
1968 #define RAWMODE_READ 0x01
1969 #define RAWMODE_WRITE 0x02
1970 static const true_false_string tfs_rm_read = {
1971 "Read Raw is supported",
1972 "Read Raw is not supported"
1974 static const true_false_string tfs_rm_write = {
1975 "Write Raw is supported",
1976 "Write Raw is not supported"
1980 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1983 proto_item *item = NULL;
1984 proto_tree *tree = NULL;
1986 mask = tvb_get_letohs(tvb, offset);
1989 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1990 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1993 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1994 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
2001 #define SECURITY_MODE_MODE 0x01
2002 #define SECURITY_MODE_PASSWORD 0x02
2003 #define SECURITY_MODE_SIGNATURES 0x04
2004 #define SECURITY_MODE_SIG_REQUIRED 0x08
2005 static const true_false_string tfs_sm_mode = {
2006 "USER security mode",
2007 "SHARE security mode"
2009 static const true_false_string tfs_sm_password = {
2010 "ENCRYPTED password. Use challenge/response",
2011 "PLAINTEXT password"
2013 static const true_false_string tfs_sm_signatures = {
2014 "Security signatures ENABLED",
2015 "Security signatures NOT enabled"
2017 static const true_false_string tfs_sm_sig_required = {
2018 "Security signatures REQUIRED",
2019 "Security signatures NOT required"
2023 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
2026 proto_item *item = NULL;
2027 proto_tree *tree = NULL;
2031 mask = tvb_get_letohs(tvb, offset);
2032 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2033 "Security Mode: 0x%04x", mask);
2034 tree = proto_item_add_subtree(item, ett_smb_mode);
2035 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
2036 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
2041 mask = tvb_get_guint8(tvb, offset);
2042 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2043 "Security Mode: 0x%02x", mask);
2044 tree = proto_item_add_subtree(item, ett_smb_mode);
2045 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
2046 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
2047 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
2048 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
2057 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2059 proto_item *it = NULL;
2060 proto_tree *tr = NULL;
2069 it = proto_tree_add_text(tree, tvb, offset, bc,
2070 "Requested Dialects");
2071 tr = proto_item_add_subtree(it, ett_smb_dialects);
2077 proto_item *dit = NULL;
2078 proto_tree *dtr = NULL;
2080 /* XXX - what if this runs past bc? */
2081 len = tvb_strsize(tvb, offset+1);
2082 str = tvb_get_ptr(tvb, offset+1, len);
2085 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2086 "Dialect: %s", str);
2087 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2091 CHECK_BYTE_COUNT(1);
2092 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2097 CHECK_BYTE_COUNT(len);
2098 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
2109 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2111 smb_info_t *si = pinfo->private_data;
2124 dialect = tvb_get_letohs(tvb, offset);
2127 if(dialect==0xffff){
2128 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2129 tvb, offset, 2, dialect,
2130 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2132 proto_tree_add_uint(tree, hf_smb_dialect_index,
2133 tvb, offset, 2, dialect);
2137 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2138 tvb, offset, 2, dialect,
2139 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2142 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2143 tvb, offset, 2, dialect,
2144 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2147 proto_tree_add_text(tree, tvb, offset, wc*2,
2148 "Words for unknown response format");
2157 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2159 /* Maximum Transmit Buffer Size */
2160 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2161 tvb, offset, 2, TRUE);
2164 /* Maximum Multiplex Count */
2165 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2166 tvb, offset, 2, TRUE);
2169 /* Maximum Vcs Number */
2170 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2171 tvb, offset, 2, TRUE);
2175 offset = dissect_negprot_rawmode(tvb, tree, offset);
2178 proto_tree_add_item(tree, hf_smb_session_key,
2179 tvb, offset, 4, TRUE);
2182 /* current time and date at server */
2183 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2187 tz = tvb_get_letohs(tvb, offset);
2188 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2191 /* encryption key length */
2192 ekl = tvb_get_letohs(tvb, offset);
2193 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2196 /* 2 reserved bytes */
2197 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2204 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2206 /* Maximum Multiplex Count */
2207 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2208 tvb, offset, 2, TRUE);
2211 /* Maximum Vcs Number */
2212 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2213 tvb, offset, 2, TRUE);
2216 /* Maximum Transmit Buffer Size */
2217 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2218 tvb, offset, 4, TRUE);
2221 /* maximum raw buffer size */
2222 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2223 tvb, offset, 4, TRUE);
2227 proto_tree_add_item(tree, hf_smb_session_key,
2228 tvb, offset, 4, TRUE);
2231 /* server capabilities */
2232 caps = dissect_negprot_capabilities(tvb, tree, offset);
2236 offset = dissect_smb_64bit_time(tvb, tree, offset,
2237 hf_smb_system_time);
2240 tz = tvb_get_letohs(tvb, offset);
2241 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2243 "Server Time Zone: %d min from UTC", tz);
2246 /* encryption key length */
2247 ekl = tvb_get_guint8(tvb, offset);
2248 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2249 tvb, offset, 1, ekl);
2259 /* challenge/response encryption key */
2261 CHECK_BYTE_COUNT(ekl);
2262 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2269 * XXX - not present if negotiated dialect isn't
2270 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2271 * have to see the request, or assume what dialect strings
2272 * were sent, to determine that.
2274 * Is this something other than a primary domain if the
2275 * negotiated dialect is Windows for Workgroups 3.1a?
2276 * It appears to be 8 bytes of binary data in at least
2277 * one capture - is that an encryption key or something
2280 dn = get_unicode_or_ascii_string(tvb, &offset,
2281 si->unicode, &dn_len, FALSE, FALSE, &bc);
2284 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2286 COUNT_BYTES(dn_len);
2290 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2291 /* challenge/response encryption key */
2292 /* XXX - is this aligned on an even boundary? */
2294 CHECK_BYTE_COUNT(ekl);
2295 proto_tree_add_item(tree, hf_smb_encryption_key,
2296 tvb, offset, ekl, TRUE);
2301 /* this string is special, unicode is flagged in caps */
2302 /* This string is NOT padded to be 16bit aligned.
2303 (seen in actual capture)
2304 XXX - I've seen a capture where it appears to be
2305 so aligned, but I've also seen captures where
2306 it is. The captures where it appeared to be
2307 aligned may have been from buggy servers. */
2308 /* However, don't get rid of existing setting */
2309 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2312 dn = get_unicode_or_ascii_string(tvb,
2313 &offset, si->unicode, &dn_len, TRUE, FALSE,
2317 proto_tree_add_string(tree, hf_smb_primary_domain,
2318 tvb, offset, dn_len, dn);
2319 COUNT_BYTES(dn_len);
2321 /* server name, seen in w2k pro capture */
2322 dn = get_unicode_or_ascii_string(tvb,
2323 &offset, si->unicode, &dn_len, TRUE, FALSE,
2327 proto_tree_add_string(tree, hf_smb_server,
2328 tvb, offset, dn_len, dn);
2329 COUNT_BYTES(dn_len);
2332 proto_item *blob_item;
2335 /* XXX - show it in the standard Microsoft format
2337 CHECK_BYTE_COUNT(16);
2338 proto_tree_add_item(tree, hf_smb_server_guid,
2339 tvb, offset, 16, TRUE);
2342 blob_item = proto_tree_add_item(
2343 tree, hf_smb_security_blob,
2344 tvb, offset, bc, TRUE);
2348 * If Extended security and BCC == 16, then raw
2349 * NTLMSSP is in use. We need to save this info
2353 tvbuff_t *gssapi_tvb;
2354 proto_tree *gssapi_tree;
2356 gssapi_tree = proto_item_add_subtree(
2357 blob_item, ett_smb_secblob);
2359 gssapi_tvb = tvb_new_subset(
2360 tvb, offset, bc, bc);
2363 gssapi_handle, gssapi_tvb, pinfo,
2367 si->ct->raw_ntlmssp = 0;
2374 * There is no blob. We just have to make sure
2375 * that subsequent routines know to call the
2380 si->ct->raw_ntlmssp = 1;
2394 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2396 smb_info_t *si = pinfo->private_data;
2407 CHECK_BYTE_COUNT(1);
2408 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2412 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2416 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2418 COUNT_BYTES(dn_len);
2420 if (check_col(pinfo->cinfo, COL_INFO)) {
2421 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
2430 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2445 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2453 ec = tvb_get_letohs(tvb, offset);
2454 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2461 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2471 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2478 /* echo sequence number */
2479 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2486 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2496 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2498 smb_info_t *si = pinfo->private_data;
2509 CHECK_BYTE_COUNT(1);
2510 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2514 an = get_unicode_or_ascii_string(tvb, &offset,
2515 si->unicode, &an_len, FALSE, FALSE, &bc);
2518 proto_tree_add_string(tree, hf_smb_path, tvb,
2519 offset, an_len, an);
2520 COUNT_BYTES(an_len);
2522 if (check_col(pinfo->cinfo, COL_INFO)) {
2523 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2527 CHECK_BYTE_COUNT(1);
2528 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2531 /* password, ANSI */
2532 /* XXX - what if this runs past bc? */
2533 pwlen = tvb_strsize(tvb, offset);
2534 CHECK_BYTE_COUNT(pwlen);
2535 proto_tree_add_item(tree, hf_smb_password,
2536 tvb, offset, pwlen, TRUE);
2540 CHECK_BYTE_COUNT(1);
2541 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2545 an = get_unicode_or_ascii_string(tvb, &offset,
2546 si->unicode, &an_len, FALSE, FALSE, &bc);
2549 proto_tree_add_string(tree, hf_smb_service, tvb,
2550 offset, an_len, an);
2551 COUNT_BYTES(an_len);
2559 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2566 /* Maximum Buffer Size */
2567 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2571 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
2582 static const true_false_string tfs_of_create = {
2583 "Create file if it does not exist",
2584 "Fail if file does not exist"
2586 static const value_string of_open[] = {
2587 { 0, "Fail if file exists"},
2588 { 1, "Open file if it exists"},
2589 { 2, "Truncate file if it exists"},
2593 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2596 proto_item *item = NULL;
2597 proto_tree *tree = NULL;
2599 mask = tvb_get_letohs(tvb, offset);
2602 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2603 "Open Function: 0x%04x", mask);
2604 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2607 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2608 tvb, offset, 2, mask);
2609 proto_tree_add_uint(tree, hf_smb_open_function_open,
2610 tvb, offset, 2, mask);
2618 static const true_false_string tfs_mf_file = {
2619 "Target must be a file",
2620 "Target needn't be a file"
2622 static const true_false_string tfs_mf_dir = {
2623 "Target must be a directory",
2624 "Target needn't be a directory"
2626 static const true_false_string tfs_mf_verify = {
2627 "MUST verify all writes",
2628 "Don't have to verify writes"
2631 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2634 proto_item *item = NULL;
2635 proto_tree *tree = NULL;
2637 mask = tvb_get_letohs(tvb, offset);
2640 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2641 "Flags: 0x%04x", mask);
2642 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2645 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2646 tvb, offset, 2, mask);
2647 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2648 tvb, offset, 2, mask);
2649 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2650 tvb, offset, 2, mask);
2657 static const true_false_string tfs_cf_mode = {
2661 static const true_false_string tfs_cf_tree_copy = {
2662 "Copy is a tree copy",
2663 "Copy is a file copy"
2665 static const true_false_string tfs_cf_ea_action = {
2670 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2673 proto_item *item = NULL;
2674 proto_tree *tree = NULL;
2676 mask = tvb_get_letohs(tvb, offset);
2679 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2680 "Flags: 0x%04x", mask);
2681 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2684 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2685 tvb, offset, 2, mask);
2686 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2687 tvb, offset, 2, mask);
2688 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2689 tvb, offset, 2, mask);
2690 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2691 tvb, offset, 2, mask);
2692 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2693 tvb, offset, 2, mask);
2694 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2695 tvb, offset, 2, mask);
2696 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2697 tvb, offset, 2, mask);
2705 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2707 smb_info_t *si = pinfo->private_data;
2717 tid = tvb_get_letohs(tvb, offset);
2718 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2719 "TID (target): 0x%04x", tid);
2723 offset = dissect_open_function(tvb, tree, offset);
2726 offset = dissect_move_flags(tvb, tree, offset);
2731 CHECK_BYTE_COUNT(1);
2732 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2736 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2740 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2741 fn_len, fn, "Old File Name: %s", fn);
2742 COUNT_BYTES(fn_len);
2744 if (check_col(pinfo->cinfo, COL_INFO)) {
2745 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2749 CHECK_BYTE_COUNT(1);
2750 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2754 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2758 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2759 fn_len, fn, "New File Name: %s", fn);
2760 COUNT_BYTES(fn_len);
2762 if (check_col(pinfo->cinfo, COL_INFO)) {
2763 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2772 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2774 smb_info_t *si = pinfo->private_data;
2784 tid = tvb_get_letohs(tvb, offset);
2785 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2786 "TID (target): 0x%04x", tid);
2790 offset = dissect_open_function(tvb, tree, offset);
2793 offset = dissect_copy_flags(tvb, tree, offset);
2798 CHECK_BYTE_COUNT(1);
2799 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2803 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2807 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2808 fn_len, fn, "Source File Name: %s", fn);
2809 COUNT_BYTES(fn_len);
2811 if (check_col(pinfo->cinfo, COL_INFO)) {
2812 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s", fn);
2816 CHECK_BYTE_COUNT(1);
2817 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2821 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2825 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2826 fn_len, fn, "Destination File Name: %s", fn);
2827 COUNT_BYTES(fn_len);
2829 if (check_col(pinfo->cinfo, COL_INFO)) {
2830 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", fn);
2839 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2841 smb_info_t *si = pinfo->private_data;
2849 /* # of files moved */
2850 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
2856 CHECK_BYTE_COUNT(1);
2857 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2861 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2865 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2867 COUNT_BYTES(fn_len);
2875 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2877 smb_info_t *si = pinfo->private_data;
2885 /* desired access */
2886 offset = dissect_access(tvb, tree, offset, "Desired");
2888 /* Search Attributes */
2889 offset = dissect_search_attributes(tvb, tree, offset);
2894 CHECK_BYTE_COUNT(1);
2895 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2899 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2903 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2905 COUNT_BYTES(fn_len);
2907 if (check_col(pinfo->cinfo, COL_INFO)) {
2908 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2917 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2918 int len, guint16 fid)
2920 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2921 if (check_col(pinfo->cinfo, COL_INFO))
2922 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
2926 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2935 fid = tvb_get_letohs(tvb, offset);
2936 add_fid(tvb, pinfo, tree, offset, 2, fid);
2939 /* File Attributes */
2940 offset = dissect_file_attributes(tvb, tree, offset, 2);
2942 /* last write time */
2943 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
2946 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2949 /* granted access */
2950 offset = dissect_access(tvb, tree, offset, "Granted");
2960 dissect_fid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2969 fid = tvb_get_letohs(tvb, offset);
2970 add_fid(tvb, pinfo, tree, offset, 2, fid);
2981 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2983 smb_info_t *si = pinfo->private_data;
2991 /* file attributes */
2992 offset = dissect_file_attributes(tvb, tree, offset, 2);
2995 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3000 CHECK_BYTE_COUNT(1);
3001 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3005 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3009 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3011 COUNT_BYTES(fn_len);
3013 if (check_col(pinfo->cinfo, COL_INFO)) {
3014 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3023 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3031 fid = tvb_get_letohs(tvb, offset);
3032 add_fid(tvb, pinfo, tree, offset, 2, fid);
3035 /* last write time */
3036 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3046 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3048 smb_info_t *si = pinfo->private_data;
3056 /* search attributes */
3057 offset = dissect_search_attributes(tvb, tree, offset);
3062 CHECK_BYTE_COUNT(1);
3063 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3067 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3071 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3073 COUNT_BYTES(fn_len);
3075 if (check_col(pinfo->cinfo, COL_INFO)) {
3076 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3085 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3087 smb_info_t *si = pinfo->private_data;
3095 /* search attributes */
3096 offset = dissect_search_attributes(tvb, tree, offset);
3101 CHECK_BYTE_COUNT(1);
3102 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3106 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3110 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3112 COUNT_BYTES(fn_len);
3114 if (check_col(pinfo->cinfo, COL_INFO)) {
3115 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3119 CHECK_BYTE_COUNT(1);
3120 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3124 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3128 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3130 COUNT_BYTES(fn_len);
3132 if (check_col(pinfo->cinfo, COL_INFO)) {
3133 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
3142 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3144 smb_info_t *si = pinfo->private_data;
3152 /* search attributes */
3153 offset = dissect_search_attributes(tvb, tree, offset);
3155 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3158 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3164 CHECK_BYTE_COUNT(1);
3165 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3169 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3173 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3175 COUNT_BYTES(fn_len);
3177 if (check_col(pinfo->cinfo, COL_INFO)) {
3178 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3182 CHECK_BYTE_COUNT(1);
3183 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3187 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3191 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3193 COUNT_BYTES(fn_len);
3195 if (check_col(pinfo->cinfo, COL_INFO)) {
3196 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
3206 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3208 smb_info_t *si = pinfo->private_data;
3219 CHECK_BYTE_COUNT(1);
3220 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3224 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3228 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3230 COUNT_BYTES(fn_len);
3232 if (check_col(pinfo->cinfo, COL_INFO)) {
3233 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3242 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3249 /* File Attributes */
3250 offset = dissect_file_attributes(tvb, tree, offset, 2);
3252 /* Last Write Time */
3253 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3256 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3259 /* 10 reserved bytes */
3260 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3271 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3273 smb_info_t *si = pinfo->private_data;
3281 /* file attributes */
3282 offset = dissect_file_attributes(tvb, tree, offset, 2);
3284 /* last write time */
3285 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3287 /* 10 reserved bytes */
3288 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3294 CHECK_BYTE_COUNT(1);
3295 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3299 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3303 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3305 COUNT_BYTES(fn_len);
3307 if (check_col(pinfo->cinfo, COL_INFO)) {
3308 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3317 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3328 fid = tvb_get_letohs(tvb, offset);
3329 add_fid(tvb, pinfo, tree, offset, 2, fid);
3331 if (!pinfo->fd->flags.visited) {
3332 /* remember the FID for the processing of the response */
3333 si = (smb_info_t *)pinfo->private_data;
3334 si->sip->extra_info=(void *)fid;
3338 cnt = tvb_get_letohs(tvb, offset);
3339 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3343 ofs = tvb_get_letohl(tvb, offset);
3344 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3347 if (check_col(pinfo->cinfo, COL_INFO))
3348 col_append_fstr(pinfo->cinfo, COL_INFO,
3349 ", %u byte%s at offset %u", cnt,
3350 (cnt == 1) ? "" : "s", ofs);
3353 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3364 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3369 /* We have some initial padding bytes. */
3370 /* XXX - use the data offset here instead? */
3371 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3373 offset += bc-datalen;
3376 tvblen = tvb_length_remaining(tvb, offset);
3378 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3381 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
3388 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3389 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3392 tvbuff_t *dcerpc_tvb;
3395 /* We have some initial padding bytes. */
3396 /* XXX - use the data offset here instead? */
3397 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3399 offset += bc-datalen;
3402 tvblen = tvb_length_remaining(tvb, offset);
3403 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3404 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3413 * transporting DCERPC over SMB seems to be implemented in various
3414 * ways. We might just assume it can be done by an almost random
3415 * mix of Trans/Read/Write calls
3417 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
3418 * and let him sort them out
3421 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
3422 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
3423 guint16 datalen, guint32 ofs, guint16 fid)
3425 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3427 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3429 return dissect_file_data_dcerpc(tvb, pinfo, tree,
3430 top_tree, offset, bc, datalen, fid);
3432 /* ordinary file data */
3433 return dissect_file_data(tvb, tree, offset, bc, datalen);
3438 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3442 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3448 cnt = tvb_get_letohs(tvb, offset);
3449 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3452 /* 8 reserved bytes */
3453 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3456 /* If we have seen the request, then print which FID this refers to */
3457 /* first check if we have seen the request */
3458 if(si->sip != NULL && si->sip->frame_req>0){
3459 fid=(int)si->sip->extra_info;
3460 add_fid(tvb, pinfo, tree, 0, 0, fid);
3466 CHECK_BYTE_COUNT(1);
3467 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3471 CHECK_BYTE_COUNT(2);
3472 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3475 /* file data, might be DCERPC on a pipe */
3477 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3478 top_tree, offset, bc, bc, 0, fid);
3488 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3496 cnt = tvb_get_letohs(tvb, offset);
3497 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3500 /* 8 reserved bytes */
3501 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3507 CHECK_BYTE_COUNT(1);
3508 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3512 CHECK_BYTE_COUNT(2);
3513 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3523 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3526 guint16 cnt=0, bc, fid=0;
3532 fid = tvb_get_letohs(tvb, offset);
3533 add_fid(tvb, pinfo, tree, offset, 2, fid);
3537 cnt = tvb_get_letohs(tvb, offset);
3538 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3542 ofs = tvb_get_letohl(tvb, offset);
3543 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3546 if (check_col(pinfo->cinfo, COL_INFO))
3547 col_append_fstr(pinfo->cinfo, COL_INFO,
3548 ", %u byte%s at offset %u", cnt,
3549 (cnt == 1) ? "" : "s", ofs);
3552 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3558 CHECK_BYTE_COUNT(1);
3559 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3563 CHECK_BYTE_COUNT(2);
3564 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3567 /* file data, might be DCERPC on a pipe */
3569 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3570 top_tree, offset, bc, bc, ofs, fid);
3580 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3588 cnt = tvb_get_letohs(tvb, offset);
3589 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3592 if (check_col(pinfo->cinfo, COL_INFO))
3593 col_append_fstr(pinfo->cinfo, COL_INFO,
3594 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
3604 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3612 fid = tvb_get_letohs(tvb, offset);
3613 add_fid(tvb, pinfo, tree, offset, 2, fid);
3617 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3621 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3632 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3634 smb_info_t *si = pinfo->private_data;
3642 /* 2 reserved bytes */
3643 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3647 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3652 CHECK_BYTE_COUNT(1);
3653 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3656 /* directory name */
3657 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3661 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3663 COUNT_BYTES(fn_len);
3665 if (check_col(pinfo->cinfo, COL_INFO)) {
3666 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3675 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3677 smb_info_t *si = pinfo->private_data;
3686 fid = tvb_get_letohs(tvb, offset);
3687 add_fid(tvb, pinfo, tree, offset, 2, fid);
3693 CHECK_BYTE_COUNT(1);
3694 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3698 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3702 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3704 COUNT_BYTES(fn_len);
3711 static const value_string seek_mode_vals[] = {
3712 {0, "From Start Of File"},
3713 {1, "From Current Position"},
3714 {2, "From End Of File"},
3719 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3727 fid = tvb_get_letohs(tvb, offset);
3728 add_fid(tvb, pinfo, tree, offset, 2, fid);
3732 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3736 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3747 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3755 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3766 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3774 fid = tvb_get_letohs(tvb, offset);
3775 add_fid(tvb, pinfo, tree, offset, 2, fid);
3779 offset = dissect_smb_datetime(tvb, tree, offset,
3781 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3784 offset = dissect_smb_datetime(tvb, tree, offset,
3786 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3788 /* last write time */
3789 offset = dissect_smb_datetime(tvb, tree, offset,
3790 hf_smb_last_write_time,
3791 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3801 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3809 offset = dissect_smb_datetime(tvb, tree, offset,
3811 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3814 offset = dissect_smb_datetime(tvb, tree, offset,
3816 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3818 /* last write time */
3819 offset = dissect_smb_datetime(tvb, tree, offset,
3820 hf_smb_last_write_time,
3821 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3824 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3827 /* allocation size */
3828 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3831 /* File Attributes */
3832 offset = dissect_file_attributes(tvb, tree, offset, 2);
3842 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3851 fid = tvb_get_letohs(tvb, offset);
3852 add_fid(tvb, pinfo, tree, offset, 2, fid);
3856 cnt = tvb_get_letohs(tvb, offset);
3857 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3861 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3864 /* last write time */
3865 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3868 /* 12 reserved bytes */
3869 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3876 CHECK_BYTE_COUNT(1);
3877 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
3880 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
3889 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3897 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3908 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3917 fid = tvb_get_letohs(tvb, offset);
3918 add_fid(tvb, pinfo, tree, offset, 2, fid);
3922 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3926 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3930 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3934 to = tvb_get_letohl(tvb, offset);
3935 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3938 /* 2 reserved bytes */
3939 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3944 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3956 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3964 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3968 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3972 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3976 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3979 /* 2 reserved bytes */
3980 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3991 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3999 fid = tvb_get_letohs(tvb, offset);
4000 add_fid(tvb, pinfo, tree, offset, 2, fid);
4004 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4008 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4012 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4015 /* 6 reserved bytes */
4016 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
4027 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4029 guint16 datalen=0, bc;
4035 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4039 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4042 /* 2 reserved bytes */
4043 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4046 /* data compaction mode */
4047 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4050 /* 2 reserved bytes */
4051 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4055 datalen = tvb_get_letohs(tvb, offset);
4056 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4060 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4066 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4075 static const true_false_string tfs_write_mode_write_through = {
4076 "WRITE THROUGH requested",
4077 "Write through not requested"
4079 static const true_false_string tfs_write_mode_return_remaining = {
4080 "RETURN REMAINING (pipe/dev) requested",
4081 "DON'T return remaining (pipe/dev)"
4083 static const true_false_string tfs_write_mode_raw = {
4084 "Use WriteRawNamedPipe (pipe)",
4085 "DON'T use WriteRawNamedPipe (pipe)"
4087 static const true_false_string tfs_write_mode_message_start = {
4088 "This is the START of a MESSAGE (pipe)",
4089 "This is NOT the start of a message (pipe)"
4091 static const true_false_string tfs_write_mode_connectionless = {
4092 "CONNECTIONLESS mode requested",
4093 "Connectionless mode NOT requested"
4096 #define WRITE_MODE_CONNECTIONLESS 0x0080
4097 #define WRITE_MODE_MESSAGE_START 0x0008
4098 #define WRITE_MODE_RAW 0x0004
4099 #define WRITE_MODE_RETURN_REMAINING 0x0002
4100 #define WRITE_MODE_WRITE_THROUGH 0x0001
4103 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4106 proto_item *item = NULL;
4107 proto_tree *tree = NULL;
4109 mask = tvb_get_letohs(tvb, offset);
4112 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4113 "Write Mode: 0x%04x", mask);
4114 tree = proto_item_add_subtree(item, ett_smb_rawmode);
4117 if(bm&WRITE_MODE_CONNECTIONLESS){
4118 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4119 tvb, offset, 2, mask);
4121 if(bm&WRITE_MODE_MESSAGE_START){
4122 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4123 tvb, offset, 2, mask);
4125 if(bm&WRITE_MODE_RAW){
4126 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4127 tvb, offset, 2, mask);
4129 if(bm&WRITE_MODE_RETURN_REMAINING){
4130 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4131 tvb, offset, 2, mask);
4133 if(bm&WRITE_MODE_WRITE_THROUGH){
4134 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4135 tvb, offset, 2, mask);
4143 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4146 guint16 datalen=0, bc, fid;
4152 fid = tvb_get_letohs(tvb, offset);
4153 add_fid(tvb, pinfo, tree, offset, 2, fid);
4156 /* total data length */
4157 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4160 /* 2 reserved bytes */
4161 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4165 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4169 to = tvb_get_letohl(tvb, offset);
4170 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4174 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4176 /* 4 reserved bytes */
4177 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4181 datalen = tvb_get_letohs(tvb, offset);
4182 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4186 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4192 /* XXX - use the data offset to determine where the data starts? */
4193 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4202 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4210 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4221 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4224 guint16 datalen=0, bc, fid;
4230 fid = tvb_get_letohs(tvb, offset);
4231 add_fid(tvb, pinfo, tree, offset, 2, fid);
4234 /* total data length */
4235 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4238 /* 2 reserved bytes */
4239 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4243 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4247 to = tvb_get_letohl(tvb, offset);
4248 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4252 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
4255 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
4259 datalen = tvb_get_letohs(tvb, offset);
4260 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4264 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4270 /* XXX - use the data offset to determine where the data starts? */
4271 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4280 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4288 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
4299 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4307 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
4318 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4319 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4320 gboolean has_find_id)
4322 proto_item *item = NULL;
4323 proto_tree *tree = NULL;
4324 smb_info_t *si = pinfo->private_data;
4330 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4332 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4336 CHECK_BYTE_COUNT_SUBR(1);
4337 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4338 COUNT_BYTES_SUBR(1);
4342 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4344 CHECK_STRING_SUBR(fn);
4345 /* ensure that it's null-terminated */
4346 strncpy(fname, fn, 11);
4348 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4350 COUNT_BYTES_SUBR(fn_len);
4353 CHECK_BYTE_COUNT_SUBR(1);
4354 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
4355 COUNT_BYTES_SUBR(1);
4358 CHECK_BYTE_COUNT_SUBR(4);
4359 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
4360 COUNT_BYTES_SUBR(4);
4363 CHECK_BYTE_COUNT_SUBR(5);
4364 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4365 COUNT_BYTES_SUBR(5);
4369 CHECK_BYTE_COUNT_SUBR(4);
4370 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4371 COUNT_BYTES_SUBR(4);
4378 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4379 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4380 gboolean has_find_id)
4382 proto_item *item = NULL;
4383 proto_tree *tree = NULL;
4384 smb_info_t *si = pinfo->private_data;
4390 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4391 "Directory Information");
4392 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4396 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
4397 trunc, has_find_id);
4401 /* File Attributes */
4402 CHECK_BYTE_COUNT_SUBR(1);
4403 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
4406 /* last write time */
4407 CHECK_BYTE_COUNT_SUBR(4);
4408 offset = dissect_smb_datetime(tvb, tree, offset,
4409 hf_smb_last_write_time,
4410 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4415 CHECK_BYTE_COUNT_SUBR(4);
4416 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4417 COUNT_BYTES_SUBR(4);
4421 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4423 CHECK_STRING_SUBR(fn);
4424 /* ensure that it's null-terminated */
4425 strncpy(fname, fn, 13);
4427 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4429 COUNT_BYTES_SUBR(fn_len);
4437 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
4438 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4439 gboolean has_find_id)
4441 smb_info_t *si = pinfo->private_data;
4452 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4455 /* Search Attributes */
4456 offset = dissect_search_attributes(tvb, tree, offset);
4461 CHECK_BYTE_COUNT(1);
4462 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4466 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4470 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4472 COUNT_BYTES(fn_len);
4474 if (check_col(pinfo->cinfo, COL_INFO)) {
4475 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4479 CHECK_BYTE_COUNT(1);
4480 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4483 /* resume key length */
4484 CHECK_BYTE_COUNT(2);
4485 rkl = tvb_get_letohs(tvb, offset);
4486 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4491 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4492 &bc, &trunc, has_find_id);
4503 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4504 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4506 return dissect_search_find_request(tvb, pinfo, tree, offset,
4511 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4512 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4514 return dissect_search_find_request(tvb, pinfo, tree, offset,
4519 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4520 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4522 return dissect_search_find_request(tvb, pinfo, tree, offset,
4527 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4528 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4529 gboolean has_find_id)
4539 count = tvb_get_letohs(tvb, offset);
4540 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4546 CHECK_BYTE_COUNT(1);
4547 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4551 CHECK_BYTE_COUNT(2);
4552 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4556 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4557 &bc, &trunc, has_find_id);
4568 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4570 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4575 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4577 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4582 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4583 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4592 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4598 CHECK_BYTE_COUNT(1);
4599 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4603 CHECK_BYTE_COUNT(2);
4604 data_len = tvb_get_ntohs(tvb, offset);
4605 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
4608 if (data_len != 0) {
4609 CHECK_BYTE_COUNT(data_len);
4610 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
4612 COUNT_BYTES(data_len);
4620 static const value_string locking_ol_vals[] = {
4621 {0, "Client is not holding oplock on this file"},
4622 {1, "Level 2 oplock currently held by client"},
4626 static const true_false_string tfs_lock_type_large = {
4627 "Large file locking format requested",
4628 "Large file locking format not requested"
4630 static const true_false_string tfs_lock_type_cancel = {
4631 "Cancel outstanding lock request",
4632 "Don't cancel outstanding lock request"
4634 static const true_false_string tfs_lock_type_change = {
4636 "Don't change lock type"
4638 static const true_false_string tfs_lock_type_oplock = {
4639 "This is an oplock break notification/response",
4640 "This is not an oplock break notification/response"
4642 static const true_false_string tfs_lock_type_shared = {
4643 "This is a shared lock",
4644 "This is an exclusive lock"
4647 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4649 guint8 wc, cmd=0xff, lt=0;
4650 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4652 proto_item *litem = NULL;
4653 proto_tree *ltree = NULL;
4654 proto_item *it = NULL;
4655 proto_tree *tr = NULL;
4656 int old_offset = offset;
4660 /* next smb command */
4661 cmd = tvb_get_guint8(tvb, offset);
4663 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4665 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4670 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4674 andxoffset = tvb_get_letohs(tvb, offset);
4675 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4679 fid = tvb_get_letohs(tvb, offset);
4680 add_fid(tvb, pinfo, tree, offset, 2, fid);
4684 lt = tvb_get_guint8(tvb, offset);
4686 litem = proto_tree_add_text(tree, tvb, offset, 1,
4687 "Lock Type: 0x%02x", lt);
4688 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4690 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4691 tvb, offset, 1, lt);
4692 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4693 tvb, offset, 1, lt);
4694 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4695 tvb, offset, 1, lt);
4696 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4697 tvb, offset, 1, lt);
4698 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4699 tvb, offset, 1, lt);
4703 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
4707 to = tvb_get_letohl(tvb, offset);
4709 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4710 else if (to == 0xffffffff)
4711 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4713 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4716 /* number of unlocks */
4717 un = tvb_get_letohs(tvb, offset);
4718 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4721 /* number of locks */
4722 ln = tvb_get_letohs(tvb, offset);
4723 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4730 old_offset = offset;
4732 it = proto_tree_add_text(tree, tvb, offset, -1,
4734 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4736 proto_item *litem = NULL;
4737 proto_tree *ltree = NULL;
4742 /* large lock format */
4743 litem = proto_tree_add_text(tr, tvb, offset, 20,
4745 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4748 CHECK_BYTE_COUNT(2);
4749 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4752 /* 2 reserved bytes */
4753 CHECK_BYTE_COUNT(2);
4754 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4758 CHECK_BYTE_COUNT(8);
4759 val=tvb_get_letohl(tvb, offset);
4760 buf[3]=(val>>24)&0xff;
4761 buf[2]=(val>>16)&0xff;
4762 buf[1]=(val>> 8)&0xff;
4764 val=tvb_get_letohl(tvb, offset+4);
4765 buf[7]=(val>>24)&0xff;
4766 buf[6]=(val>>16)&0xff;
4767 buf[5]=(val>> 8)&0xff;
4769 proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
4773 CHECK_BYTE_COUNT(8);
4774 val=tvb_get_letohl(tvb, offset);
4775 buf[3]=(val>>24)&0xff;
4776 buf[2]=(val>>16)&0xff;
4777 buf[1]=(val>> 8)&0xff;
4779 val=tvb_get_letohl(tvb, offset+4);
4780 buf[7]=(val>>24)&0xff;
4781 buf[6]=(val>>16)&0xff;
4782 buf[5]=(val>> 8)&0xff;
4784 proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
4787 /* normal lock format */
4788 litem = proto_tree_add_text(tr, tvb, offset, 10,
4790 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4793 CHECK_BYTE_COUNT(2);
4794 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4798 CHECK_BYTE_COUNT(4);
4799 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4803 CHECK_BYTE_COUNT(4);
4804 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4808 proto_item_set_len(it, offset-old_offset);
4814 old_offset = offset;
4816 it = proto_tree_add_text(tree, tvb, offset, -1,
4818 tr = proto_item_add_subtree(it, ett_smb_locks);
4820 proto_item *litem = NULL;
4821 proto_tree *ltree = NULL;
4826 /* large lock format */
4827 litem = proto_tree_add_text(tr, tvb, offset, 20,
4829 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4832 CHECK_BYTE_COUNT(2);
4833 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4836 /* 2 reserved bytes */
4837 CHECK_BYTE_COUNT(2);
4838 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4842 CHECK_BYTE_COUNT(8);
4843 val=tvb_get_letohl(tvb, offset);
4845 buf[2]=(val>> 8)&0xff;
4846 buf[1]=(val>>16)&0xff;
4847 buf[0]=(val>>24)&0xff;
4848 val=tvb_get_letohl(tvb, offset+4);
4850 buf[6]=(val>> 8)&0xff;
4851 buf[5]=(val>>16)&0xff;
4852 buf[4]=(val>>24)&0xff;
4853 proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
4857 CHECK_BYTE_COUNT(8);
4858 val=tvb_get_letohl(tvb, offset);
4860 buf[2]=(val>> 8)&0xff;
4861 buf[1]=(val>>16)&0xff;
4862 buf[0]=(val>>24)&0xff;
4863 val=tvb_get_letohl(tvb, offset+4);
4865 buf[6]=(val>> 8)&0xff;
4866 buf[5]=(val>>16)&0xff;
4867 buf[4]=(val>>24)&0xff;
4868 proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
4871 /* normal lock format */
4872 litem = proto_tree_add_text(tr, tvb, offset, 10,
4874 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4877 CHECK_BYTE_COUNT(2);
4878 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4882 CHECK_BYTE_COUNT(4);
4883 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4887 CHECK_BYTE_COUNT(4);
4888 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4892 proto_item_set_len(it, offset-old_offset);
4900 * We ran out of byte count in the middle of dissecting
4901 * the locks or the unlocks; set the site of the item
4902 * we were dissecting.
4904 proto_item_set_len(it, offset-old_offset);
4907 /* call AndXCommand (if there are any) */
4908 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
4914 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4916 guint8 wc, cmd=0xff;
4917 guint16 andxoffset=0;
4922 /* next smb command */
4923 cmd = tvb_get_guint8(tvb, offset);
4925 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4927 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4932 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4936 andxoffset = tvb_get_letohs(tvb, offset);
4937 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4944 /* call AndXCommand (if there are any) */
4945 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
4951 static const value_string oa_open_vals[] = {
4952 { 0, "No action taken?"},
4953 { 1, "The file existed and was opened"},
4954 { 2, "The file did not exist but was created"},
4955 { 3, "The file existed and was truncated"},
4956 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
4957 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
4958 { 0x8002, "The file existed and was truncated, and an OpLock was granted"},
4961 static const true_false_string tfs_oa_lock = {
4962 "File is currently opened only by this user",
4963 "File is opened by another user (or mode not supported by server)"
4966 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4969 proto_item *item = NULL;
4970 proto_tree *tree = NULL;
4972 mask = tvb_get_letohs(tvb, offset);
4975 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4976 "Action: 0x%04x", mask);
4977 tree = proto_item_add_subtree(item, ett_smb_open_action);
4980 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4981 tvb, offset, 2, mask);
4982 proto_tree_add_uint(tree, hf_smb_open_action_open,
4983 tvb, offset, 2, mask);
4990 static const true_false_string tfs_open_flags_add_info = {
4991 "Additional information requested",
4992 "Additional information not requested"
4994 static const true_false_string tfs_open_flags_ex_oplock = {
4995 "Exclusive oplock requested",
4996 "Exclusive oplock not requested"
4998 static const true_false_string tfs_open_flags_batch_oplock = {
4999 "Batch oplock requested",
5000 "Batch oplock not requested"
5002 static const true_false_string tfs_open_flags_ealen = {
5003 "Total length of EAs requested",
5004 "Total length of EAs not requested"
5007 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
5010 proto_item *item = NULL;
5011 proto_tree *tree = NULL;
5013 mask = tvb_get_letohs(tvb, offset);
5016 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5017 "Flags: 0x%04x", mask);
5018 tree = proto_item_add_subtree(item, ett_smb_open_flags);
5022 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
5023 tvb, offset, 2, mask);
5026 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
5027 tvb, offset, 2, mask);
5030 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
5031 tvb, offset, 2, mask);
5034 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
5035 tvb, offset, 2, mask);
5043 static const value_string filetype_vals[] = {
5044 { 0, "Disk file or directory"},
5045 { 1, "Named pipe in byte mode"},
5046 { 2, "Named pipe in message mode"},
5047 { 3, "Spooled printer"},
5051 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5053 guint8 wc, cmd=0xff;
5054 guint16 andxoffset=0, bc;
5055 smb_info_t *si = pinfo->private_data;
5061 /* next smb command */
5062 cmd = tvb_get_guint8(tvb, offset);
5064 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5066 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5071 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5075 andxoffset = tvb_get_letohs(tvb, offset);
5076 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5080 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
5082 /* desired access */
5083 offset = dissect_access(tvb, tree, offset, "Desired");
5085 /* Search Attributes */
5086 offset = dissect_search_attributes(tvb, tree, offset);
5088 /* File Attributes */
5089 offset = dissect_file_attributes(tvb, tree, offset, 2);
5092 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5095 offset = dissect_open_function(tvb, tree, offset);
5097 /* allocation size */
5098 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5101 /* 8 reserved bytes */
5102 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
5108 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5112 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5114 COUNT_BYTES(fn_len);
5116 if (check_col(pinfo->cinfo, COL_INFO)) {
5117 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
5122 /* call AndXCommand (if there are any) */
5123 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5128 static const true_false_string tfs_ipc_state_nonblocking = {
5129 "Reads/writes return immediately if no data available",
5130 "Reads/writes block if no data available"
5132 static const value_string ipc_state_endpoint_vals[] = {
5133 { 0, "Consumer end of pipe"},
5134 { 1, "Server end of pipe"},
5137 static const value_string ipc_state_pipe_type_vals[] = {
5138 { 0, "Byte stream pipe"},
5139 { 1, "Message pipe"},
5142 static const value_string ipc_state_read_mode_vals[] = {
5143 { 0, "Read pipe as a byte stream"},
5144 { 1, "Read messages from pipe"},
5149 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
5153 proto_item *item = NULL;
5154 proto_tree *tree = NULL;
5156 mask = tvb_get_letohs(tvb, offset);
5159 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5160 "IPC State: 0x%04x", mask);
5161 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
5164 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
5165 tvb, offset, 2, mask);
5167 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
5168 tvb, offset, 2, mask);
5169 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
5170 tvb, offset, 2, mask);
5172 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
5173 tvb, offset, 2, mask);
5175 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
5176 tvb, offset, 2, mask);
5185 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5187 guint8 wc, cmd=0xff;
5188 guint16 andxoffset=0, bc;
5193 /* next smb command */
5194 cmd = tvb_get_guint8(tvb, offset);
5196 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5198 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5203 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5207 andxoffset = tvb_get_letohs(tvb, offset);
5208 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5212 fid = tvb_get_letohs(tvb, offset);
5213 add_fid(tvb, pinfo, tree, offset, 2, fid);
5216 /* File Attributes */
5217 offset = dissect_file_attributes(tvb, tree, offset, 2);
5219 /* last write time */
5220 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
5223 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5226 /* granted access */
5227 offset = dissect_access(tvb, tree, offset, "Granted");
5230 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
5234 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
5237 offset = dissect_open_action(tvb, tree, offset);
5240 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
5243 /* 2 reserved bytes */
5244 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5251 /* call AndXCommand (if there are any) */
5252 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5258 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5260 guint8 wc, cmd=0xff;
5261 guint16 andxoffset=0, bc, maxcnt_low, maxcnt_high;
5269 /* next smb command */
5270 cmd = tvb_get_guint8(tvb, offset);
5272 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5274 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5279 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5283 andxoffset = tvb_get_letohs(tvb, offset);
5284 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5288 fid = tvb_get_letohs(tvb, offset);
5289 add_fid(tvb, pinfo, tree, offset, 2, fid);
5291 if (!pinfo->fd->flags.visited) {
5292 /* remember the FID for the processing of the response */
5293 si = (smb_info_t *)pinfo->private_data;
5294 si->sip->extra_info=(void *)fid;
5298 ofs = tvb_get_letohl(tvb, offset);
5299 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5303 maxcnt_low = tvb_get_letohs(tvb, offset);
5304 proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
5308 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
5314 * XXX - we should really only do this in case we have seen
5315 * LARGE FILE being negotiated. Unfortunately, we might not
5316 * have seen the negotiation phase in the capture....
5318 * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
5319 * it's 32 bits, but the description says "High 16 bits of
5320 * MaxCount if CAP_LARGE_READX".
5322 * The SMB File Sharing Protocol Extensions Version 2.0,
5323 * Document Version 3.3 spec doesn't speak of an extra 16
5324 * bits in max count, but it does show a 32-bit timeout
5325 * after the min count field.
5327 * Perhaps the 32-bit timeout field was hijacked as a 16-bit
5328 * high count and a 16-bit reserved field.
5330 * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
5331 * bytes and we just ignore it.
5333 /* Amasingly enough, this really is 4 bytes, according to the SNIA spec */
5334 maxcnt_high = tvb_get_letohl(tvb, offset);
5335 if(maxcnt_high==0xffffffff){
5338 proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
5344 maxcnt=(maxcnt<<16)|maxcnt_low;
5346 if (check_col(pinfo->cinfo, COL_INFO))
5347 col_append_fstr(pinfo->cinfo, COL_INFO,
5348 ", %u byte%s at offset %u", maxcnt,
5349 (maxcnt == 1) ? "" : "s", ofs);
5352 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5357 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5365 /* call AndXCommand (if there are any) */
5366 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5372 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5374 guint8 wc, cmd=0xff;
5375 guint16 andxoffset=0, bc, datalen_low, datalen_high, dataoffset=0;
5377 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5382 /* next smb command */
5383 cmd = tvb_get_guint8(tvb, offset);
5385 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5387 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5392 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5396 andxoffset = tvb_get_letohs(tvb, offset);
5397 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5400 /* If we have seen the request, then print which FID this refers to */
5401 /* first check if we have seen the request */
5402 if(si->sip != NULL && si->sip->frame_req>0){
5403 fid=(int)si->sip->extra_info;
5404 add_fid(tvb, pinfo, tree, 0, 0, fid);
5408 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5411 /* data compaction mode */
5412 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
5415 /* 2 reserved bytes */
5416 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5420 datalen_low = tvb_get_letohs(tvb, offset);
5421 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
5425 dataoffset=tvb_get_letohs(tvb, offset);
5426 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5429 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5430 /* data length high */
5431 datalen_high = tvb_get_letohs(tvb, offset);
5432 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
5435 datalen=datalen_high;
5436 datalen=(datalen<<16)|datalen_low;
5439 if (check_col(pinfo->cinfo, COL_INFO))
5440 col_append_fstr(pinfo->cinfo, COL_INFO,
5441 ", %u byte%s", datalen,
5442 (datalen == 1) ? "" : "s");
5445 /* 8 reserved bytes */
5446 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
5451 /* file data, might be DCERPC on a pipe */
5453 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5454 top_tree, offset, bc, datalen, 0, fid);
5460 /* call AndXCommand (if there are any) */
5461 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5467 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5470 guint8 wc, cmd=0xff;
5471 guint16 andxoffset=0, bc, dataoffset=0, datalen_low, datalen_high;
5473 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5479 /* next smb command */
5480 cmd = tvb_get_guint8(tvb, offset);
5482 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5484 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5489 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5493 andxoffset = tvb_get_letohs(tvb, offset);
5494 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5498 fid = tvb_get_letohs(tvb, offset);
5499 add_fid(tvb, pinfo, tree, offset, 2, fid);
5501 if (!pinfo->fd->flags.visited) {
5502 /* remember the FID for the processing of the response */
5503 si->sip->extra_info=(void *)fid;
5507 ofs = tvb_get_letohl(tvb, offset);
5508 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5512 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5516 mode = tvb_get_letohs(tvb, offset);
5517 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
5520 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5523 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5524 /* data length high */
5525 datalen_high = tvb_get_letohs(tvb, offset);
5526 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
5530 datalen_low = tvb_get_letohs(tvb, offset);
5531 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
5534 datalen=datalen_high;
5535 datalen=(datalen<<16)|datalen_low;
5538 dataoffset=tvb_get_letohs(tvb, offset);
5539 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5542 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
5543 if (check_col(pinfo->cinfo, COL_INFO))
5544 col_append_fstr(pinfo->cinfo, COL_INFO,
5545 ", %u byte%s at offset %u", datalen,
5546 (datalen == 1) ? "" : "s", ofs);
5550 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5556 /* if both the MessageStart and the WriteRawNamedPipe flags are set
5557 the first two bytes of the payload is the length of the data
5558 also this tells us that this is indeed the IPC$ share
5559 (if we didnt already know that
5561 if((mode&(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW))==(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW)){
5562 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
5568 si->sip->flags|=SMB_SIF_TID_IS_IPC;
5572 /* file data, might be DCERPC on a pipe */
5574 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5575 top_tree, offset, bc, datalen, 0, fid);
5581 /* call AndXCommand (if there are any) */
5582 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5588 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5590 guint8 wc, cmd=0xff;
5591 guint16 andxoffset=0, bc, count_low, count_high;
5597 /* next smb command */
5598 cmd = tvb_get_guint8(tvb, offset);
5600 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5602 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5607 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5611 andxoffset = tvb_get_letohs(tvb, offset);
5612 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5615 /* If we have seen the request, then print which FID this refers to */
5616 si = (smb_info_t *)pinfo->private_data;
5617 /* first check if we have seen the request */
5618 if(si->sip != NULL && si->sip->frame_req>0){
5619 add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
5622 /* write count low */
5623 count_low = tvb_get_letohs(tvb, offset);
5624 proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
5628 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5631 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5632 /* write count high */
5633 count_high = tvb_get_letohs(tvb, offset);
5634 proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
5638 count=(count<<16)|count_low;
5640 if (check_col(pinfo->cinfo, COL_INFO))
5641 col_append_fstr(pinfo->cinfo, COL_INFO,
5642 ", %u byte%s", count,
5643 (count == 1) ? "" : "s");
5645 /* 2 reserved bytes */
5646 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5653 /* call AndXCommand (if there are any) */
5654 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5660 static const true_false_string tfs_setup_action_guest = {
5661 "Logged in as GUEST",
5662 "Not logged in as GUEST"
5665 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5668 proto_item *item = NULL;
5669 proto_tree *tree = NULL;
5671 mask = tvb_get_letohs(tvb, offset);
5674 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5675 "Action: 0x%04x", mask);
5676 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5679 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5680 tvb, offset, 2, mask);
5689 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5691 guint8 wc, cmd=0xff;
5693 guint16 andxoffset=0;
5694 smb_info_t *si = pinfo->private_data;
5701 guint16 apwlen=0, upwlen=0;
5705 /* next smb command */
5706 cmd = tvb_get_guint8(tvb, offset);
5708 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5710 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5715 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5719 andxoffset = tvb_get_letohs(tvb, offset);
5720 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5723 /* Maximum Buffer Size */
5724 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5727 /* Maximum Multiplex Count */
5728 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5732 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5736 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5741 /* password length, ASCII*/
5742 pwlen = tvb_get_letohs(tvb, offset);
5743 proto_tree_add_uint(tree, hf_smb_password_len,
5744 tvb, offset, 2, pwlen);
5747 /* 4 reserved bytes */
5748 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5754 /* security blob length */
5755 sbloblen = tvb_get_letohs(tvb, offset);
5756 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5759 /* 4 reserved bytes */
5760 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5764 dissect_negprot_capabilities(tvb, tree, offset);
5770 /* password length, ANSI*/
5771 apwlen = tvb_get_letohs(tvb, offset);
5772 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5773 tvb, offset, 2, apwlen);
5776 /* password length, Unicode*/
5777 upwlen = tvb_get_letohs(tvb, offset);
5778 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5779 tvb, offset, 2, upwlen);
5782 /* 4 reserved bytes */
5783 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5787 dissect_negprot_capabilities(tvb, tree, offset);
5796 proto_item *blob_item;
5800 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5801 tvb, offset, sbloblen, TRUE);
5803 /* As an optimization, because Windows is perverse,
5804 we check to see if NTLMSSP is the first part of the
5805 blob, and if so, call the NTLMSSP dissector,
5806 otherwise we call the GSS-API dissector. This is because
5807 Windows can request RAW NTLMSSP, but will happily handle
5808 a client that wraps NTLMSSP in SPNEGO
5813 proto_tree *blob_tree;
5815 blob_tree = proto_item_add_subtree(blob_item,
5817 CHECK_BYTE_COUNT(sbloblen);
5819 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
5822 if (si && si->ct && si->ct->raw_ntlmssp &&
5824 tvb_get_ptr(tvb, offset, 7), 7)) {
5825 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5830 call_dissector(gssapi_handle, blob_tvb,
5834 COUNT_BYTES(sbloblen);
5838 an = get_unicode_or_ascii_string(tvb, &offset,
5839 si->unicode, &an_len, FALSE, FALSE, &bc);
5842 proto_tree_add_string(tree, hf_smb_os, tvb,
5843 offset, an_len, an);
5844 COUNT_BYTES(an_len);
5847 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5848 * padding/null string/whatever in front of this. W2K doesn't
5849 * appear to. I suspect that's a bug that got fixed; I also
5850 * suspect that, in practice, nobody ever looks at that field
5851 * because the bug didn't appear to get fixed until NT 5.0....
5853 an = get_unicode_or_ascii_string(tvb, &offset,
5854 si->unicode, &an_len, FALSE, FALSE, &bc);
5857 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5858 offset, an_len, an);
5859 COUNT_BYTES(an_len);
5861 /* Primary domain */
5862 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5863 * byte in front of this, at least if all the strings are
5864 * ASCII and the account name is empty. Another bug?
5866 dn = get_unicode_or_ascii_string(tvb, &offset,
5867 si->unicode, &dn_len, FALSE, FALSE, &bc);
5870 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5871 offset, dn_len, dn);
5872 COUNT_BYTES(dn_len);
5878 /* password, ASCII */
5879 CHECK_BYTE_COUNT(pwlen);
5880 proto_tree_add_item(tree, hf_smb_password,
5881 tvb, offset, pwlen, TRUE);
5889 /* password, ANSI */
5890 CHECK_BYTE_COUNT(apwlen);
5891 proto_tree_add_item(tree, hf_smb_ansi_password,
5892 tvb, offset, apwlen, TRUE);
5893 COUNT_BYTES(apwlen);
5899 /* password, Unicode */
5900 CHECK_BYTE_COUNT(upwlen);
5901 item = proto_tree_add_item(tree, hf_smb_unicode_password,
5902 tvb, offset, upwlen, TRUE);
5905 proto_tree *subtree;
5907 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
5909 dissect_ntlmv2_response(
5910 tvb, subtree, offset, upwlen);
5913 COUNT_BYTES(upwlen);
5920 an = get_unicode_or_ascii_string(tvb, &offset,
5921 si->unicode, &an_len, FALSE, FALSE, &bc);
5924 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5926 COUNT_BYTES(an_len);
5928 /* Primary domain */
5929 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5930 * byte in front of this, at least if all the strings are
5931 * ASCII and the account name is empty. Another bug?
5933 dn = get_unicode_or_ascii_string(tvb, &offset,
5934 si->unicode, &dn_len, FALSE, FALSE, &bc);
5937 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5938 offset, dn_len, dn);
5939 COUNT_BYTES(dn_len);
5941 if (check_col(pinfo->cinfo, COL_INFO)) {
5942 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5944 if (!dn[0] && !an[0])
5945 col_append_fstr(pinfo->cinfo, COL_INFO,
5948 col_append_fstr(pinfo->cinfo, COL_INFO,
5953 an = get_unicode_or_ascii_string(tvb, &offset,
5954 si->unicode, &an_len, FALSE, FALSE, &bc);
5957 proto_tree_add_string(tree, hf_smb_os, tvb,
5958 offset, an_len, an);
5959 COUNT_BYTES(an_len);
5962 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5963 * padding/null string/whatever in front of this. W2K doesn't
5964 * appear to. I suspect that's a bug that got fixed; I also
5965 * suspect that, in practice, nobody ever looks at that field
5966 * because the bug didn't appear to get fixed until NT 5.0....
5968 an = get_unicode_or_ascii_string(tvb, &offset,
5969 si->unicode, &an_len, FALSE, FALSE, &bc);
5972 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5973 offset, an_len, an);
5974 COUNT_BYTES(an_len);
5979 /* call AndXCommand (if there are any) */
5980 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5986 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5988 guint8 wc, cmd=0xff;
5989 guint16 andxoffset=0, bc;
5991 smb_info_t *si = pinfo->private_data;
5997 /* next smb command */
5998 cmd = tvb_get_guint8(tvb, offset);
6000 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6002 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6007 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6011 andxoffset = tvb_get_letohs(tvb, offset);
6012 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6016 offset = dissect_setup_action(tvb, tree, offset);
6019 /* security blob length */
6020 sbloblen = tvb_get_letohs(tvb, offset);
6021 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
6028 proto_item *blob_item;
6032 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
6033 tvb, offset, sbloblen, TRUE);
6037 proto_tree *blob_tree;
6039 blob_tree = proto_item_add_subtree(blob_item,
6041 CHECK_BYTE_COUNT(sbloblen);
6043 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
6046 if (si && si->ct && si->ct->raw_ntlmssp &&
6048 tvb_get_ptr(tvb, offset, 7), 7)) {
6049 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
6054 call_dissector(gssapi_handle, blob_tvb, pinfo,
6059 COUNT_BYTES(sbloblen);
6064 an = get_unicode_or_ascii_string(tvb, &offset,
6065 si->unicode, &an_len, FALSE, FALSE, &bc);
6068 proto_tree_add_string(tree, hf_smb_os, tvb,
6069 offset, an_len, an);
6070 COUNT_BYTES(an_len);
6073 an = get_unicode_or_ascii_string(tvb, &offset,
6074 si->unicode, &an_len, FALSE, FALSE, &bc);
6077 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6078 offset, an_len, an);
6079 COUNT_BYTES(an_len);
6082 /* Primary domain */
6083 an = get_unicode_or_ascii_string(tvb, &offset,
6084 si->unicode, &an_len, FALSE, FALSE, &bc);
6087 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
6088 offset, an_len, an);
6089 COUNT_BYTES(an_len);
6094 /* call AndXCommand (if there are any) */
6095 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6102 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6104 guint8 wc, cmd=0xff;
6105 guint16 andxoffset=0;
6110 /* next smb command */
6111 cmd = tvb_get_guint8(tvb, offset);
6113 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6115 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6120 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6124 andxoffset = tvb_get_letohs(tvb, offset);
6125 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6132 /* call AndXCommand (if there are any) */
6133 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6139 static const true_false_string tfs_connect_support_search = {
6140 "Exclusive search bits supported",
6141 "Exclusive search bits not supported"
6143 static const true_false_string tfs_connect_support_in_dfs = {
6145 "Share isn't in Dfs"
6149 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6152 proto_item *item = NULL;
6153 proto_tree *tree = NULL;
6155 mask = tvb_get_letohs(tvb, offset);
6158 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6159 "Optional Support: 0x%04x", mask);
6160 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
6163 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
6164 tvb, offset, 2, mask);
6165 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
6166 tvb, offset, 2, mask);
6173 static const true_false_string tfs_disconnect_tid = {
6175 "Do NOT disconnect TID"
6179 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6182 proto_item *item = NULL;
6183 proto_tree *tree = NULL;
6185 mask = tvb_get_letohs(tvb, offset);
6188 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6189 "Flags: 0x%04x", mask);
6190 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
6193 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
6194 tvb, offset, 2, mask);
6202 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6204 guint8 wc, cmd=0xff;
6206 guint16 andxoffset=0, pwlen=0;
6207 smb_info_t *si = pinfo->private_data;
6213 /* next smb command */
6214 cmd = tvb_get_guint8(tvb, offset);
6216 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6218 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6223 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6227 andxoffset = tvb_get_letohs(tvb, offset);
6228 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6232 offset = dissect_connect_flags(tvb, tree, offset);
6234 /* password length*/
6235 pwlen = tvb_get_letohs(tvb, offset);
6236 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
6242 CHECK_BYTE_COUNT(pwlen);
6243 proto_tree_add_item(tree, hf_smb_password,
6244 tvb, offset, pwlen, TRUE);
6248 an = get_unicode_or_ascii_string(tvb, &offset,
6249 si->unicode, &an_len, FALSE, FALSE, &bc);
6252 proto_tree_add_string(tree, hf_smb_path, tvb,
6253 offset, an_len, an);
6254 COUNT_BYTES(an_len);
6256 if (check_col(pinfo->cinfo, COL_INFO)) {
6257 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
6261 * NOTE: the Service string is always ASCII, even if the
6262 * "strings are Unicode" bit is set in the flags2 field
6267 /* XXX - what if this runs past bc? */
6268 an_len = tvb_strsize(tvb, offset);
6269 CHECK_BYTE_COUNT(an_len);
6270 an = tvb_get_ptr(tvb, offset, an_len);
6271 proto_tree_add_string(tree, hf_smb_service, tvb,
6272 offset, an_len, an);
6273 COUNT_BYTES(an_len);
6277 /* call AndXCommand (if there are any) */
6278 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6285 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6287 guint8 wc, wleft, cmd=0xff;
6288 guint16 andxoffset=0;
6292 smb_info_t *si = pinfo->private_data;
6296 wleft = wc; /* this is at least 1 */
6298 /* next smb command */
6299 cmd = tvb_get_guint8(tvb, offset);
6301 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6303 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6308 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6316 andxoffset = tvb_get_letohs(tvb, offset);
6317 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6324 offset = dissect_connect_support_bits(tvb, tree, offset);
6327 /* XXX - I've seen captures where this is 7, but I have no
6328 idea how to dissect it. I'm guessing the third word
6329 contains connect support bits, which looks plausible
6330 from the values I've seen. */
6332 while (wleft != 0) {
6333 proto_tree_add_text(tree, tvb, offset, 2,
6334 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
6342 * NOTE: even though the SNIA CIFS spec doesn't say there's
6343 * a "Service" string if there's a word count of 2, the
6346 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
6348 * (it's in an ugly format - text intended to be sent to a
6349 * printer, with backspaces and overstrikes used for boldfacing
6350 * and underlining; UNIX "col -b" can be used to strip the
6351 * overstrikes out) says there's a "Service" string there, and
6352 * some network traffic has it.
6356 * NOTE: the Service string is always ASCII, even if the
6357 * "strings are Unicode" bit is set in the flags2 field
6362 /* XXX - what if this runs past bc? */
6363 an_len = tvb_strsize(tvb, offset);
6364 CHECK_BYTE_COUNT(an_len);
6365 an = tvb_get_ptr(tvb, offset, an_len);
6366 proto_tree_add_string(tree, hf_smb_service, tvb,
6367 offset, an_len, an);
6368 COUNT_BYTES(an_len);
6370 /* Now when we know the service type, store it so that we know it for later commands down
6372 if(!pinfo->fd->flags.visited){
6373 /* Remove any previous entry for this TID */
6374 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
6375 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
6377 if(strcmp(an,"IPC") == 0){
6378 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
6380 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
6388 * Sometimes this isn't present.
6392 an = get_unicode_or_ascii_string(tvb, &offset,
6393 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
6397 proto_tree_add_string(tree, hf_smb_fs, tvb,
6398 offset, an_len, an);
6399 COUNT_BYTES(an_len);
6405 /* call AndXCommand (if there are any) */
6406 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6413 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6414 NT Transaction command begins here
6415 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
6416 #define NT_TRANS_CREATE 1
6417 #define NT_TRANS_IOCTL 2
6418 #define NT_TRANS_SSD 3
6419 #define NT_TRANS_NOTIFY 4
6420 #define NT_TRANS_RENAME 5
6421 #define NT_TRANS_QSD 6
6422 #define NT_TRANS_GET_USER_QUOTA 7
6423 #define NT_TRANS_SET_USER_QUOTA 8
6424 const value_string nt_cmd_vals[] = {
6425 {NT_TRANS_CREATE, "NT CREATE"},
6426 {NT_TRANS_IOCTL, "NT IOCTL"},
6427 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
6428 {NT_TRANS_NOTIFY, "NT NOTIFY"},
6429 {NT_TRANS_RENAME, "NT RENAME"},
6430 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
6431 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
6432 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
6436 static const value_string nt_ioctl_isfsctl_vals[] = {
6437 {0, "Device IOCTL"},
6438 {1, "FS control : FSCTL"},
6442 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
6443 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
6444 "Apply the command to share root handle (MUST BE Dfs)",
6445 "Apply to this share",
6448 static const value_string nt_notify_action_vals[] = {
6449 {1, "ADDED (object was added"},
6450 {2, "REMOVED (object was removed)"},
6451 {3, "MODIFIED (object was modified)"},
6452 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
6453 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
6454 {6, "ADDED_STREAM (a stream was added)"},
6455 {7, "REMOVED_STREAM (a stream was removed)"},
6456 {8, "MODIFIED_STREAM (a stream was modified)"},
6460 static const value_string watch_tree_vals[] = {
6461 {0, "Current directory only"},
6462 {1, "Subdirectories also"},
6466 #define NT_NOTIFY_STREAM_WRITE 0x00000800
6467 #define NT_NOTIFY_STREAM_SIZE 0x00000400
6468 #define NT_NOTIFY_STREAM_NAME 0x00000200
6469 #define NT_NOTIFY_SECURITY 0x00000100
6470 #define NT_NOTIFY_EA 0x00000080
6471 #define NT_NOTIFY_CREATION 0x00000040
6472 #define NT_NOTIFY_LAST_ACCESS 0x00000020
6473 #define NT_NOTIFY_LAST_WRITE 0x00000010
6474 #define NT_NOTIFY_SIZE 0x00000008
6475 #define NT_NOTIFY_ATTRIBUTES 0x00000004
6476 #define NT_NOTIFY_DIR_NAME 0x00000002
6477 #define NT_NOTIFY_FILE_NAME 0x00000001
6478 static const true_false_string tfs_nt_notify_stream_write = {
6479 "Notify on changes to STREAM WRITE",
6480 "Do NOT notify on changes to stream write",
6482 static const true_false_string tfs_nt_notify_stream_size = {
6483 "Notify on changes to STREAM SIZE",
6484 "Do NOT notify on changes to stream size",
6486 static const true_false_string tfs_nt_notify_stream_name = {
6487 "Notify on changes to STREAM NAME",
6488 "Do NOT notify on changes to stream name",
6490 static const true_false_string tfs_nt_notify_security = {
6491 "Notify on changes to SECURITY",
6492 "Do NOT notify on changes to security",
6494 static const true_false_string tfs_nt_notify_ea = {
6495 "Notify on changes to EA",
6496 "Do NOT notify on changes to EA",
6498 static const true_false_string tfs_nt_notify_creation = {
6499 "Notify on changes to CREATION TIME",
6500 "Do NOT notify on changes to creation time",
6502 static const true_false_string tfs_nt_notify_last_access = {
6503 "Notify on changes to LAST ACCESS TIME",
6504 "Do NOT notify on changes to last access time",
6506 static const true_false_string tfs_nt_notify_last_write = {
6507 "Notify on changes to LAST WRITE TIME",
6508 "Do NOT notify on changes to last write time",
6510 static const true_false_string tfs_nt_notify_size = {
6511 "Notify on changes to SIZE",
6512 "Do NOT notify on changes to size",
6514 static const true_false_string tfs_nt_notify_attributes = {
6515 "Notify on changes to ATTRIBUTES",
6516 "Do NOT notify on changes to attributes",
6518 static const true_false_string tfs_nt_notify_dir_name = {
6519 "Notify on changes to DIR NAME",
6520 "Do NOT notify on changes to dir name",
6522 static const true_false_string tfs_nt_notify_file_name = {
6523 "Notify on changes to FILE NAME",
6524 "Do NOT notify on changes to file name",
6527 static const value_string create_disposition_vals[] = {
6528 {0, "Supersede (supersede existing file (if it exists))"},
6529 {1, "Open (if file exists open it, else fail)"},
6530 {2, "Create (if file exists fail, else create it)"},
6531 {3, "Open If (if file exists open it, else create it)"},
6532 {4, "Overwrite (if file exists overwrite, else fail)"},
6533 {5, "Overwrite If (if file exists overwrite, else create it)"},
6537 static const value_string impersonation_level_vals[] = {
6539 {1, "Identification"},
6540 {2, "Impersonation"},
6545 static const true_false_string tfs_nt_security_flags_context_tracking = {
6546 "Security tracking mode is DYNAMIC",
6547 "Security tracking mode is STATIC",
6550 static const true_false_string tfs_nt_security_flags_effective_only = {
6551 "ONLY ENABLED aspects of the client's security context are available",
6552 "ALL aspects of the client's security context are available",
6555 static const true_false_string tfs_nt_create_bits_oplock = {
6556 "Requesting OPLOCK",
6557 "Does NOT request oplock"
6560 static const true_false_string tfs_nt_create_bits_boplock = {
6561 "Requesting BATCH OPLOCK",
6562 "Does NOT request batch oplock"
6566 * XXX - must be a directory, and can be a file, or can be a directory,
6567 * and must be a file?
6569 static const true_false_string tfs_nt_create_bits_dir = {
6570 "Target of open MUST be a DIRECTORY",
6571 "Target of open can be a file"
6574 static const true_false_string tfs_nt_create_bits_ext_resp = {
6575 "Extended responses required",
6576 "Extended responses NOT required"
6579 static const true_false_string tfs_nt_access_mask_generic_read = {
6580 "GENERIC READ is set",
6581 "Generic read is NOT set"
6583 static const true_false_string tfs_nt_access_mask_generic_write = {
6584 "GENERIC WRITE is set",
6585 "Generic write is NOT set"
6587 static const true_false_string tfs_nt_access_mask_generic_execute = {
6588 "GENERIC EXECUTE is set",
6589 "Generic execute is NOT set"
6591 static const true_false_string tfs_nt_access_mask_generic_all = {
6592 "GENERIC ALL is set",
6593 "Generic all is NOT set"
6595 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6596 "MAXIMUM ALLOWED is set",
6597 "Maximum allowed is NOT set"
6599 static const true_false_string tfs_nt_access_mask_system_security = {
6600 "SYSTEM SECURITY is set",
6601 "System security is NOT set"
6603 static const true_false_string tfs_nt_access_mask_synchronize = {
6604 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6605 "Can NOT wait on handle to synchronize on completion of I/O"
6607 static const true_false_string tfs_nt_access_mask_write_owner = {
6608 "Can WRITE OWNER (take ownership)",
6609 "Can NOT write owner (take ownership)"
6611 static const true_false_string tfs_nt_access_mask_write_dac = {
6612 "OWNER may WRITE the DAC",
6613 "Owner may NOT write to the DAC"
6615 static const true_false_string tfs_nt_access_mask_read_control = {
6616 "READ ACCESS to owner, group and ACL of the SID",
6617 "Read access is NOT granted to owner, group and ACL of the SID"
6619 static const true_false_string tfs_nt_access_mask_delete = {
6623 static const true_false_string tfs_nt_access_mask_write_attributes = {
6624 "WRITE ATTRIBUTES access",
6625 "NO write attributes access"
6627 static const true_false_string tfs_nt_access_mask_read_attributes = {
6628 "READ ATTRIBUTES access",
6629 "NO read attributes access"
6631 static const true_false_string tfs_nt_access_mask_delete_child = {
6632 "DELETE CHILD access",
6633 "NO delete child access"
6635 static const true_false_string tfs_nt_access_mask_execute = {
6639 static const true_false_string tfs_nt_access_mask_write_ea = {
6640 "WRITE EXTENDED ATTRIBUTES access",
6641 "NO write extended attributes access"
6643 static const true_false_string tfs_nt_access_mask_read_ea = {
6644 "READ EXTENDED ATTRIBUTES access",
6645 "NO read extended attributes access"
6647 static const true_false_string tfs_nt_access_mask_append = {
6651 static const true_false_string tfs_nt_access_mask_write = {
6655 static const true_false_string tfs_nt_access_mask_read = {
6660 static const true_false_string tfs_nt_share_access_delete = {
6661 "Object can be shared for DELETE",
6662 "Object can NOT be shared for delete"
6664 static const true_false_string tfs_nt_share_access_write = {
6665 "Object can be shared for WRITE",
6666 "Object can NOT be shared for write"
6668 static const true_false_string tfs_nt_share_access_read = {
6669 "Object can be shared for READ",
6670 "Object can NOT be shared for read"
6673 static const value_string oplock_level_vals[] = {
6674 {0, "No oplock granted"},
6675 {1, "Exclusive oplock granted"},
6676 {2, "Batch oplock granted"},
6677 {3, "Level II oplock granted"},
6681 static const value_string device_type_vals[] = {
6682 {0x00000001, "Beep"},
6683 {0x00000002, "CDROM"},
6684 {0x00000003, "CDROM Filesystem"},
6685 {0x00000004, "Controller"},
6686 {0x00000005, "Datalink"},
6687 {0x00000006, "Dfs"},
6688 {0x00000007, "Disk"},
6689 {0x00000008, "Disk Filesystem"},
6690 {0x00000009, "Filesystem"},
6691 {0x0000000a, "Inport Port"},
6692 {0x0000000b, "Keyboard"},
6693 {0x0000000c, "Mailslot"},
6694 {0x0000000d, "MIDI-In"},
6695 {0x0000000e, "MIDI-Out"},
6696 {0x0000000f, "Mouse"},
6697 {0x00000010, "Multi UNC Provider"},
6698 {0x00000011, "Named Pipe"},
6699 {0x00000012, "Network"},
6700 {0x00000013, "Network Browser"},
6701 {0x00000014, "Network Filesystem"},
6702 {0x00000015, "NULL"},
6703 {0x00000016, "Parallel Port"},
6704 {0x00000017, "Physical card"},
6705 {0x00000018, "Printer"},
6706 {0x00000019, "Scanner"},
6707 {0x0000001a, "Serial Mouse port"},
6708 {0x0000001b, "Serial port"},
6709 {0x0000001c, "Screen"},
6710 {0x0000001d, "Sound"},
6711 {0x0000001e, "Streams"},
6712 {0x0000001f, "Tape"},
6713 {0x00000020, "Tape Filesystem"},
6714 {0x00000021, "Transport"},
6715 {0x00000022, "Unknown"},
6716 {0x00000023, "Video"},
6717 {0x00000024, "Virtual Disk"},
6718 {0x00000025, "WAVE-In"},
6719 {0x00000026, "WAVE-Out"},
6720 {0x00000027, "8042 Port"},
6721 {0x00000028, "Network Redirector"},
6722 {0x00000029, "Battery"},
6723 {0x0000002a, "Bus Extender"},
6724 {0x0000002b, "Modem"},
6725 {0x0000002c, "VDM"},
6729 static const value_string is_directory_vals[] = {
6730 {0, "This is NOT a directory"},
6731 {1, "This is a DIRECTORY"},
6735 typedef struct _nt_trans_data {
6744 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6747 proto_item *item = NULL;
6748 proto_tree *tree = NULL;
6750 mask = tvb_get_guint8(tvb, offset);
6753 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6754 "Security Flags: 0x%02x", mask);
6755 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
6758 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6759 tvb, offset, 1, mask);
6760 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6761 tvb, offset, 1, mask);
6769 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6772 proto_item *item = NULL;
6773 proto_tree *tree = NULL;
6775 mask = tvb_get_letohl(tvb, offset);
6778 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6779 "Share Access: 0x%08x", mask);
6780 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6783 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6784 tvb, offset, 4, mask);
6785 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6786 tvb, offset, 4, mask);
6787 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6788 tvb, offset, 4, mask);
6795 /* FIXME: need to call dissect_nt_access_mask() instead */
6798 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6801 proto_item *item = NULL;
6802 proto_tree *tree = NULL;
6804 mask = tvb_get_letohl(tvb, offset);
6807 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6808 "Access Mask: 0x%08x", mask);
6809 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6813 * Some of these bits come from
6815 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6817 * and others come from the section on ZwOpenFile in "Windows(R)
6818 * NT(R)/2000 Native API Reference".
6820 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6821 tvb, offset, 4, mask);
6822 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6823 tvb, offset, 4, mask);
6824 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6825 tvb, offset, 4, mask);
6826 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6827 tvb, offset, 4, mask);
6828 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6829 tvb, offset, 4, mask);
6830 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6831 tvb, offset, 4, mask);
6832 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6833 tvb, offset, 4, mask);
6834 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6835 tvb, offset, 4, mask);
6836 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6837 tvb, offset, 4, mask);
6838 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6839 tvb, offset, 4, mask);
6840 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6841 tvb, offset, 4, mask);
6842 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6843 tvb, offset, 4, mask);
6844 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6845 tvb, offset, 4, mask);
6846 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6847 tvb, offset, 4, mask);
6848 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6849 tvb, offset, 4, mask);
6850 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6851 tvb, offset, 4, mask);
6852 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6853 tvb, offset, 4, mask);
6854 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6855 tvb, offset, 4, mask);
6856 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6857 tvb, offset, 4, mask);
6858 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6859 tvb, offset, 4, mask);
6867 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6870 proto_item *item = NULL;
6871 proto_tree *tree = NULL;
6873 mask = tvb_get_letohl(tvb, offset);
6876 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6877 "Create Flags: 0x%08x", mask);
6878 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6882 * XXX - it's 0x00000016 in at least one capture, but
6883 * Network Monitor doesn't say what the 0x00000010 bit is.
6884 * Does the Win32 API documentation, or NT Native API book,
6887 * That is the extended response desired bit ... RJS, from Samba
6888 * Well, maybe. Samba thinks it is, and uses it to encode
6889 * OpLock granted as the high order bit of the Action field
6890 * in the response. However, Windows does not do that. Or at least
6893 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_ext_resp,
6894 tvb, offset, 4, mask);
6895 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6896 tvb, offset, 4, mask);
6897 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6898 tvb, offset, 4, mask);
6899 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6900 tvb, offset, 4, mask);
6908 * XXX - there are some more flags in the description of "ZwOpenFile()"
6909 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6910 * the wire as well? (The spec at
6912 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6914 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6915 * via the SMB protocol. The NT redirector should convert this option
6916 * to FILE_WRITE_THROUGH."
6918 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6919 * values one would infer from their position in the list of flags for
6920 * "ZwOpenFile()". Most of the others probably have those values
6921 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6922 * which might go over the wire (for the benefit of backup/restore software).
6924 static const true_false_string tfs_nt_create_options_directory = {
6925 "File being created/opened must be a directory",
6926 "File being created/opened must not be a directory"
6928 static const true_false_string tfs_nt_create_options_write_through = {
6929 "Writes should flush buffered data before completing",
6930 "Writes need not flush buffered data before completing"
6932 static const true_false_string tfs_nt_create_options_sequential_only = {
6933 "The file will only be accessed sequentially",
6934 "The file might not only be accessed sequentially"
6936 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6937 "All operations SYNCHRONOUS, waits subject to termination from alert",
6938 "Operations NOT necessarily synchronous"
6940 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6941 "All operations SYNCHRONOUS, waits not subject to alert",
6942 "Operations NOT necessarily synchronous"
6944 static const true_false_string tfs_nt_create_options_non_directory = {
6945 "File being created/opened must not be a directory",
6946 "File being created/opened must be a directory"
6948 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6949 "The client does not understand extended attributes",
6950 "The client understands extended attributes"
6952 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6953 "The client understands only 8.3 file names",
6954 "The client understands long file names"
6956 static const true_false_string tfs_nt_create_options_random_access = {
6957 "The file will be accessed randomly",
6958 "The file will not be accessed randomly"
6960 static const true_false_string tfs_nt_create_options_delete_on_close = {
6961 "The file should be deleted when it is closed",
6962 "The file should not be deleted when it is closed"
6966 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6969 proto_item *item = NULL;
6970 proto_tree *tree = NULL;
6972 mask = tvb_get_letohl(tvb, offset);
6975 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6976 "Create Options: 0x%08x", mask);
6977 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6983 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6985 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6986 tvb, offset, 4, mask);
6987 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6988 tvb, offset, 4, mask);
6989 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6990 tvb, offset, 4, mask);
6991 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6992 tvb, offset, 4, mask);
6993 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6994 tvb, offset, 4, mask);
6995 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6996 tvb, offset, 4, mask);
6997 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6998 tvb, offset, 4, mask);
6999 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
7000 tvb, offset, 4, mask);
7001 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
7002 tvb, offset, 4, mask);
7003 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
7004 tvb, offset, 4, mask);
7012 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7015 proto_item *item = NULL;
7016 proto_tree *tree = NULL;
7018 mask = tvb_get_letohl(tvb, offset);
7021 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7022 "Completion Filter: 0x%08x", mask);
7023 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
7026 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
7027 tvb, offset, 4, mask);
7028 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
7029 tvb, offset, 4, mask);
7030 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
7031 tvb, offset, 4, mask);
7032 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
7033 tvb, offset, 4, mask);
7034 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
7035 tvb, offset, 4, mask);
7036 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
7037 tvb, offset, 4, mask);
7038 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
7039 tvb, offset, 4, mask);
7040 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
7041 tvb, offset, 4, mask);
7042 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
7043 tvb, offset, 4, mask);
7044 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
7045 tvb, offset, 4, mask);
7046 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
7047 tvb, offset, 4, mask);
7048 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
7049 tvb, offset, 4, mask);
7056 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7059 proto_item *item = NULL;
7060 proto_tree *tree = NULL;
7062 mask = tvb_get_guint8(tvb, offset);
7065 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7066 "Completion Filter: 0x%02x", mask);
7067 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
7070 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
7071 tvb, offset, 1, mask);
7078 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
7079 * Native API Reference".
7081 static const true_false_string tfs_nt_qsd_owner = {
7082 "Requesting OWNER security information",
7083 "NOT requesting owner security information",
7086 static const true_false_string tfs_nt_qsd_group = {
7087 "Requesting GROUP security information",
7088 "NOT requesting group security information",
7091 static const true_false_string tfs_nt_qsd_dacl = {
7092 "Requesting DACL security information",
7093 "NOT requesting DACL security information",
7096 static const true_false_string tfs_nt_qsd_sacl = {
7097 "Requesting SACL security information",
7098 "NOT requesting SACL security information",
7101 #define NT_QSD_OWNER 0x00000001
7102 #define NT_QSD_GROUP 0x00000002
7103 #define NT_QSD_DACL 0x00000004
7104 #define NT_QSD_SACL 0x00000008
7107 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7110 proto_item *item = NULL;
7111 proto_tree *tree = NULL;
7113 mask = tvb_get_letohl(tvb, offset);
7116 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7117 "Security Information: 0x%08x", mask);
7118 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
7121 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
7122 tvb, offset, 4, mask);
7123 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
7124 tvb, offset, 4, mask);
7125 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
7126 tvb, offset, 4, mask);
7127 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
7128 tvb, offset, 4, mask);
7136 free_g_string(void *arg)
7138 g_string_free(arg, TRUE);
7141 /* Dissect a NT SID. Label it with 'name' and return a string version of
7142 the SID in the 'sid_str' parameter which must be freed by the caller.
7143 hf_sid can be -1 if the caller doesnt care what name is used and then
7144 "smb.sid" will be the default instead. If the caller wants a more
7145 appropriate hf field, it will just pass a FT_STRING hf field here
7149 dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree, char *name,
7150 char **sid_str, int hf_sid)
7152 proto_item *item = NULL;
7153 proto_tree *tree = NULL;
7154 int old_offset = offset, sa_offset = offset;
7155 gboolean rid_present;
7162 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
7165 char sid_string[245];
7172 /* revision of sid */
7173 revision = tvb_get_guint8(tvb, offset);
7174 rev_offset = offset;
7179 case 2: /* Not sure what the different revision numbers mean */
7180 /* number of authorities*/
7181 num_auth = tvb_get_guint8(tvb, offset);
7185 /* XXX perhaps we should have these thing searchable?
7186 a new FT_xxx thingie? SMB is quite common!*/
7187 /* identifier authorities */
7190 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
7197 gstr = g_string_new("");
7199 CLEANUP_PUSH(free_g_string, gstr);
7201 /* sub authorities, leave RID to last */
7202 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
7204 * XXX should not be letohl but native byteorder according to
7205 * Samba header files.
7207 * However, considering that there were never any NT ports
7208 * to big-endian platforms (PowerPC and MIPS ran little-endian,
7209 * and IA-64 runs little-endian, as does x86-64), we can (?)
7210 * assume that non le byte encodings will be "uncommon"?
7212 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"),
7213 tvb_get_letohl(tvb, offset));
7219 rid = tvb_get_letohl(tvb, offset);
7223 sprintf(sid_string, "S-1-%u-%s-%u", auth, gstr->str, rid);
7226 sprintf(sid_string, "S-1-%u-%s", auth, gstr->str);
7230 if(sid_name_snooping){
7231 sid_name=find_sid_name(sid_string);
7236 item = proto_tree_add_string_format(parent_tree, hf_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s (%s)", name, sid_string, sid_name);
7238 item = proto_tree_add_string_format(parent_tree, hf_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s", name, sid_string);
7240 tree = proto_item_add_subtree(item, ett_smb_sid);
7243 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, rev_offset, 1, TRUE);
7244 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, na_offset, 1, TRUE);
7245 proto_tree_add_text(tree, tvb, na_offset+1, 6, "Authority: %u", auth);
7246 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
7249 proto_tree_add_text(tree, tvb, rid_offset, 4, "RID: %u", rid);
7254 *sid_str = g_strdup_printf("%s (%s)", sid_string, sid_name);
7256 *sid_str = g_strdup(sid_string);
7260 CLEANUP_CALL_AND_POP;
7268 static const value_string ace_type_vals[] = {
7269 { 0, "Access Allowed"},
7270 { 1, "Access Denied"},
7271 { 2, "System Audit"},
7272 { 3, "System Alarm"},
7275 static const true_false_string tfs_ace_flags_object_inherit = {
7276 "Subordinate files will inherit this ACE",
7277 "Subordinate files will not inherit this ACE"
7279 static const true_false_string tfs_ace_flags_container_inherit = {
7280 "Subordinate containers will inherit this ACE",
7281 "Subordinate containers will not inherit this ACE"
7283 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
7284 "Subordinate object will not propagate the inherited ACE further",
7285 "Subordinate object will propagate the inherited ACE further"
7287 static const true_false_string tfs_ace_flags_inherit_only = {
7288 "This ACE does not apply to the current object",
7289 "This ACE applies to the current object"
7291 static const true_false_string tfs_ace_flags_inherited_ace = {
7292 "This ACE was inherited from its parent object",
7293 "This ACE was not inherited from its parent object"
7295 static const true_false_string tfs_ace_flags_successful_access = {
7296 "Successful accesses will be audited",
7297 "Successful accesses will not be audited"
7299 static const true_false_string tfs_ace_flags_failed_access = {
7300 "Failed accesses will be audited",
7301 "Failed accesses will not be audited"
7304 #define APPEND_ACE_TEXT(flag, item, string) \
7307 proto_item_append_text(item, string, sep); \
7312 dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
7315 proto_item *item = NULL;
7316 proto_tree *tree = NULL;
7320 mask = tvb_get_guint8(tvb, offset);
7327 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7328 "NT ACE Flags: 0x%02x", mask);
7329 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
7332 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
7333 tvb, offset, 1, mask);
7334 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
7336 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
7337 tvb, offset, 1, mask);
7338 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
7340 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
7341 tvb, offset, 1, mask);
7342 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
7344 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
7345 tvb, offset, 1, mask);
7346 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
7348 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
7349 tvb, offset, 1, mask);
7350 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
7352 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
7353 tvb, offset, 1, mask);
7354 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
7356 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
7357 tvb, offset, 1, mask);
7358 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
7365 /* Dissect an access mask. All this stuff is kind of explained at MSDN:
7367 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/windows_2000_windows_nt_access_mask_format.asp
7371 static gint ett_nt_access_mask = -1;
7372 static gint ett_nt_access_mask_generic = -1;
7373 static gint ett_nt_access_mask_standard = -1;
7374 static gint ett_nt_access_mask_specific = -1;
7376 static int hf_access_sacl = -1;
7377 static int hf_access_maximum_allowed = -1;
7378 static int hf_access_generic_read = -1;
7379 static int hf_access_generic_write = -1;
7380 static int hf_access_generic_execute = -1;
7381 static int hf_access_generic_all = -1;
7382 static int hf_access_standard_delete = -1;
7383 static int hf_access_standard_read_control = -1;
7384 static int hf_access_standard_synchronise = -1;
7385 static int hf_access_standard_write_dac = -1;
7386 static int hf_access_standard_write_owner = -1;
7387 static int hf_access_specific_15 = -1;
7388 static int hf_access_specific_14 = -1;
7389 static int hf_access_specific_13 = -1;
7390 static int hf_access_specific_12 = -1;
7391 static int hf_access_specific_11 = -1;
7392 static int hf_access_specific_10 = -1;
7393 static int hf_access_specific_9 = -1;
7394 static int hf_access_specific_8 = -1;
7395 static int hf_access_specific_7 = -1;
7396 static int hf_access_specific_6 = -1;
7397 static int hf_access_specific_5 = -1;
7398 static int hf_access_specific_4 = -1;
7399 static int hf_access_specific_3 = -1;
7400 static int hf_access_specific_2 = -1;
7401 static int hf_access_specific_1 = -1;
7402 static int hf_access_specific_0 = -1;
7404 /* Map generic permissions to specific permissions */
7406 static void map_generic_access(guint32 *access_mask,
7407 struct generic_mapping *mapping)
7409 if (*access_mask & GENERIC_READ_ACCESS) {
7410 *access_mask &= ~GENERIC_READ_ACCESS;
7411 *access_mask |= mapping->generic_read;
7414 if (*access_mask & GENERIC_WRITE_ACCESS) {
7415 *access_mask &= ~GENERIC_WRITE_ACCESS;
7416 *access_mask |= mapping->generic_write;
7419 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
7420 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
7421 *access_mask |= mapping->generic_execute;
7424 if (*access_mask & GENERIC_ALL_ACCESS) {
7425 *access_mask &= ~GENERIC_ALL_ACCESS;
7426 *access_mask |= mapping->generic_all;
7430 /* Map standard permissions to specific permissions */
7432 static void map_standard_access(guint32 *access_mask,
7433 struct standard_mapping *mapping)
7435 if (*access_mask & READ_CONTROL_ACCESS) {
7436 *access_mask &= ~READ_CONTROL_ACCESS;
7437 *access_mask |= mapping->std_read;
7440 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|
7441 SYNCHRONIZE_ACCESS)) {
7442 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|
7443 WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
7444 *access_mask |= mapping->std_all;
7450 dissect_nt_access_mask(tvbuff_t *tvb, gint offset, packet_info *pinfo,
7451 proto_tree *tree, char *drep, int hfindex,
7452 struct access_mask_info *ami)
7455 proto_tree *subtree, *generic_tree, *standard_tree, *specific_tree;
7460 * Called from a DCE RPC protocol dissector, for a
7461 * protocol where a 32-bit NDR integer contains
7462 * an NT access mask; extract the access mask
7465 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
7469 * Called from SMB, where the access mask is just a
7470 * 4-byte little-endian quantity with no special
7471 * NDR alignment requirement; extract it with
7472 * "tvb_get_letohl()".
7474 access = tvb_get_letohl(tvb, offset);
7478 item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access);
7480 subtree = proto_item_add_subtree(item, ett_nt_access_mask);
7482 /* Generic access rights */
7484 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7485 "Generic rights: 0x%08x",
7486 access & GENERIC_RIGHTS_MASK);
7488 generic_tree = proto_item_add_subtree(
7489 item, ett_nt_access_mask_generic);
7491 proto_tree_add_boolean(
7492 generic_tree, hf_access_generic_read, tvb, offset - 4, 4,
7495 proto_tree_add_boolean(
7496 generic_tree, hf_access_generic_write, tvb, offset - 4, 4,
7499 proto_tree_add_boolean(
7500 generic_tree, hf_access_generic_execute, tvb, offset - 4, 4,
7503 proto_tree_add_boolean(
7504 generic_tree, hf_access_generic_all, tvb, offset - 4, 4,
7509 proto_tree_add_boolean(
7510 subtree, hf_access_maximum_allowed, tvb, offset - 4, 4,
7513 /* Access system security */
7515 proto_tree_add_boolean(
7516 subtree, hf_access_sacl, tvb, offset - 4, 4,
7519 /* Standard access rights */
7521 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7522 "Standard rights: 0x%08x",
7523 access & STANDARD_RIGHTS_MASK);
7525 standard_tree = proto_item_add_subtree(
7526 item, ett_nt_access_mask_standard);
7528 proto_tree_add_boolean(
7529 standard_tree, hf_access_standard_synchronise, tvb,
7530 offset - 4, 4, access);
7532 proto_tree_add_boolean(
7533 standard_tree, hf_access_standard_write_owner, tvb,
7534 offset - 4, 4, access);
7536 proto_tree_add_boolean(
7537 standard_tree, hf_access_standard_write_dac, tvb,
7538 offset - 4, 4, access);
7540 proto_tree_add_boolean(
7541 standard_tree, hf_access_standard_read_control, tvb,
7542 offset - 4, 4, access);
7544 proto_tree_add_boolean(
7545 standard_tree, hf_access_standard_delete, tvb, offset - 4, 4,
7548 /* Specific access rights. Call the specific_rights_fn
7549 pointer if we have one, otherwise just display bits 0-15 in
7552 if (ami && ami->specific_rights_name)
7553 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7554 "%s specific rights: 0x%08x",
7555 ami->specific_rights_name,
7556 access & SPECIFIC_RIGHTS_MASK);
7558 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7559 "Specific rights: 0x%08x",
7560 access & SPECIFIC_RIGHTS_MASK);
7562 specific_tree = proto_item_add_subtree(
7563 item, ett_nt_access_mask_specific);
7565 if (ami && ami->specific_rights_fn) {
7566 guint32 mapped_access = access;
7567 proto_tree *specific_mapped;
7569 specific_mapped = proto_item_add_subtree(
7570 item, ett_nt_access_mask_specific);
7572 ami->specific_rights_fn(
7573 tvb, offset - 4, specific_tree, access);
7575 if (ami->generic_mapping)
7576 map_generic_access(&access, ami->generic_mapping);
7578 if (ami->standard_mapping)
7579 map_standard_access(&access, ami->standard_mapping);
7581 if (access != mapped_access) {
7582 ami->specific_rights_fn(
7583 tvb, offset - 4, specific_mapped,
7590 proto_tree_add_boolean(
7591 specific_tree, hf_access_specific_15, tvb, offset - 4, 4,
7594 proto_tree_add_boolean(
7595 specific_tree, hf_access_specific_14, tvb, offset - 4, 4,
7598 proto_tree_add_boolean(
7599 specific_tree, hf_access_specific_13, tvb, offset - 4, 4,
7602 proto_tree_add_boolean(
7603 specific_tree, hf_access_specific_12, tvb, offset - 4, 4,
7606 proto_tree_add_boolean(
7607 specific_tree, hf_access_specific_11, tvb, offset - 4, 4,
7610 proto_tree_add_boolean(
7611 specific_tree, hf_access_specific_10, tvb, offset - 4, 4,
7614 proto_tree_add_boolean(
7615 specific_tree, hf_access_specific_9, tvb, offset - 4, 4,
7618 proto_tree_add_boolean(
7619 specific_tree, hf_access_specific_8, tvb, offset - 4, 4,
7622 proto_tree_add_boolean(
7623 specific_tree, hf_access_specific_7, tvb, offset - 4, 4,
7626 proto_tree_add_boolean(
7627 specific_tree, hf_access_specific_6, tvb, offset - 4, 4,
7630 proto_tree_add_boolean(
7631 specific_tree, hf_access_specific_5, tvb, offset - 4, 4,
7634 proto_tree_add_boolean(
7635 specific_tree, hf_access_specific_4, tvb, offset - 4, 4,
7638 proto_tree_add_boolean(
7639 specific_tree, hf_access_specific_3, tvb, offset - 4, 4,
7642 proto_tree_add_boolean(
7643 specific_tree, hf_access_specific_2, tvb, offset - 4, 4,
7646 proto_tree_add_boolean(
7647 specific_tree, hf_access_specific_1, tvb, offset - 4, 4,
7650 proto_tree_add_boolean(
7651 specific_tree, hf_access_specific_0, tvb, offset - 4, 4,
7657 static int hf_smb_access_mask = -1;
7660 dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo,
7661 proto_tree *parent_tree, char *drep,
7662 struct access_mask_info *ami)
7664 proto_item *item = NULL;
7665 proto_tree *tree = NULL;
7666 int old_offset = offset;
7668 char *sid_str = NULL;
7673 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7675 tree = proto_item_add_subtree(item, ett_smb_ace);
7679 type = tvb_get_guint8(tvb, offset);
7680 proto_tree_add_uint(tree, hf_smb_ace_type, tvb, offset, 1, type);
7684 offset = dissect_nt_v2_ace_flags(tvb, offset, tree, &flags);
7687 size = tvb_get_letohs(tvb, offset);
7688 proto_tree_add_uint(tree, hf_smb_ace_size, tvb, offset, 2, size);
7692 offset = dissect_nt_access_mask(
7693 tvb, offset, pinfo, tree, drep, hf_smb_access_mask, ami);
7696 offset = dissect_nt_sid(tvb, offset, tree, "ACE", &sid_str, -1);
7699 proto_item_append_text(
7700 item, "%s, flags 0x%02x, %s", sid_str, flags,
7701 val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"));
7705 proto_item_set_len(item, offset-old_offset);
7707 /* Sometimes there is some spare space at the end of the ACE so use
7708 the size field to work out where the end is. */
7710 return old_offset + size;
7714 dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
7715 proto_tree *parent_tree, char *drep, char *name,
7716 struct access_mask_info *ami)
7718 proto_item *item = NULL;
7719 proto_tree *tree = NULL;
7720 int old_offset = offset;
7725 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7727 tree = proto_item_add_subtree(item, ett_smb_acl);
7731 revision = tvb_get_letohs(tvb, offset);
7732 proto_tree_add_uint(tree, hf_smb_acl_revision,
7733 tvb, offset, 2, revision);
7737 case 2: /* only version we will ever see of this structure?*/
7740 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
7743 /* number of ace structures */
7744 num_aces = tvb_get_letohl(tvb, offset);
7745 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
7746 tvb, offset, 4, num_aces);
7750 offset=dissect_nt_v2_ace(
7751 tvb, offset, pinfo, tree, drep, ami);
7755 proto_item_set_len(item, offset-old_offset);
7759 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
7760 "OWNER is DEFAULTED",
7761 "Owner is NOT defaulted"
7763 static const true_false_string tfs_sec_desc_type_group_defaulted = {
7764 "GROUP is DEFAULTED",
7765 "Group is NOT defaulted"
7767 static const true_false_string tfs_sec_desc_type_dacl_present = {
7769 "DACL is NOT present"
7771 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
7772 "DACL is DEFAULTED",
7773 "DACL is NOT defaulted"
7775 static const true_false_string tfs_sec_desc_type_sacl_present = {
7777 "SACL is NOT present"
7779 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
7780 "SACL is DEFAULTED",
7781 "SACL is NOT defaulted"
7783 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
7784 "DACL has AUTO INHERIT REQUIRED",
7785 "DACL does NOT require auto inherit"
7787 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
7788 "SACL has AUTO INHERIT REQUIRED",
7789 "SACL does NOT require auto inherit"
7791 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
7792 "DACL is AUTO INHERITED",
7793 "DACL is NOT auto inherited"
7795 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
7796 "SACL is AUTO INHERITED",
7797 "SACL is NOT auto inherited"
7799 static const true_false_string tfs_sec_desc_type_dacl_protected = {
7800 "The DACL is PROTECTED",
7801 "The DACL is NOT protected"
7803 static const true_false_string tfs_sec_desc_type_sacl_protected = {
7804 "The SACL is PROTECTED",
7805 "The SACL is NOT protected"
7807 static const true_false_string tfs_sec_desc_type_self_relative = {
7808 "This SecDesc is SELF RELATIVE",
7809 "This SecDesc is NOT self relative"
7814 dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
7816 proto_item *item = NULL;
7817 proto_tree *tree = NULL;
7820 mask = tvb_get_letohs(tvb, offset);
7822 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7823 "Type: 0x%04x", mask);
7824 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
7827 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
7828 tvb, offset, 2, mask);
7829 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
7830 tvb, offset, 2, mask);
7831 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
7832 tvb, offset, 2, mask);
7833 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
7834 tvb, offset, 2, mask);
7835 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
7836 tvb, offset, 2, mask);
7837 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
7838 tvb, offset, 2, mask);
7839 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
7840 tvb, offset, 2, mask);
7841 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
7842 tvb, offset, 2, mask);
7843 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
7844 tvb, offset, 2, mask);
7845 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
7846 tvb, offset, 2, mask);
7847 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
7848 tvb, offset, 2, mask);
7849 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
7850 tvb, offset, 2, mask);
7851 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
7852 tvb, offset, 2, mask);
7860 dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
7861 proto_tree *parent_tree, char *drep, int len,
7862 struct access_mask_info *ami)
7864 proto_item *item = NULL;
7865 proto_tree *tree = NULL;
7867 int old_offset = offset;
7868 guint32 owner_sid_offset;
7869 guint32 group_sid_offset;
7870 guint32 sacl_offset;
7871 guint32 dacl_offset;
7874 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7875 "NT Security Descriptor");
7876 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
7880 revision = tvb_get_guint8(tvb, offset);
7881 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
7882 tvb, offset, 1, revision);
7885 /* next byte should be zero, for now just ignore it */
7890 case 1: /* only version we will ever see of this structure?*/
7892 offset = dissect_nt_sec_desc_type(tvb, offset, tree);
7894 /* offset to owner sid */
7895 owner_sid_offset = tvb_get_letohl(tvb, offset);
7896 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %u", owner_sid_offset);
7899 /* offset to group sid */
7900 group_sid_offset = tvb_get_letohl(tvb, offset);
7901 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %u", group_sid_offset);
7904 /* offset to sacl */
7905 sacl_offset = tvb_get_letohl(tvb, offset);
7906 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %u", sacl_offset);
7909 /* offset to dacl */
7910 dacl_offset = tvb_get_letohl(tvb, offset);
7911 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %u", dacl_offset);
7915 if(owner_sid_offset){
7917 offset = dissect_nt_sid(tvb, offset, tree, "Owner", NULL, -1);
7920 tvb, old_offset+owner_sid_offset, tree, "Owner", NULL, -1);
7924 if(group_sid_offset){
7926 tvb, old_offset+group_sid_offset, tree, "Group", NULL, -1);
7931 dissect_nt_acl(tvb, old_offset+sacl_offset, pinfo, tree,
7932 drep, "System (SACL)", ami);
7937 dissect_nt_acl(tvb, old_offset+dacl_offset, pinfo, tree,
7938 drep, "User (DACL)", ami);
7947 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
7949 int old_offset, old_sid_offset;
7955 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7956 qsize=tvb_get_letohl(tvb, offset);
7957 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7958 COUNT_BYTES_TRANS_SUBR(4);
7960 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7962 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7963 COUNT_BYTES_TRANS_SUBR(4);
7965 /* 16 unknown bytes */
7966 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7967 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7969 COUNT_BYTES_TRANS_SUBR(8);
7971 /* number of bytes for used quota */
7972 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7973 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7974 COUNT_BYTES_TRANS_SUBR(8);
7976 /* number of bytes for quota warning */
7977 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7978 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7979 COUNT_BYTES_TRANS_SUBR(8);
7981 /* number of bytes for quota limit */
7982 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7983 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7984 COUNT_BYTES_TRANS_SUBR(8);
7986 /* SID of the user */
7987 old_sid_offset=offset;
7988 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
7989 *bcp -= (offset-old_sid_offset);
7992 offset = old_offset+qsize;
8002 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
8004 proto_item *item = NULL;
8005 proto_tree *tree = NULL;
8007 int old_offset = offset;
8008 guint16 bcp=bc; /* XXX fixme */
8010 si = (smb_info_t *)pinfo->private_data;
8013 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
8015 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8016 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8019 switch(ntd->subcmd){
8020 case NT_TRANS_CREATE:
8021 /* security descriptor */
8023 offset = dissect_nt_sec_desc(
8024 tvb, offset, pinfo, tree, NULL, ntd->sd_len,
8028 /* extended attributes */
8030 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
8031 offset += ntd->ea_len;
8035 case NT_TRANS_IOCTL:
8037 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
8042 offset = dissect_nt_sec_desc(
8043 tvb, offset, pinfo, tree, NULL, bc, NULL);
8045 case NT_TRANS_NOTIFY:
8047 case NT_TRANS_RENAME:
8048 /* XXX not documented */
8052 case NT_TRANS_GET_USER_QUOTA:
8053 /* unknown 4 bytes */
8054 proto_tree_add_item(tree, hf_smb_unknown, tvb,
8059 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
8062 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
8064 case NT_TRANS_SET_USER_QUOTA:
8065 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8069 /* ooops there were data we didnt know how to process */
8070 if((offset-old_offset) < bc){
8071 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
8072 bc - (offset-old_offset), TRUE);
8073 offset += bc - (offset-old_offset);
8080 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
8082 proto_item *item = NULL;
8083 proto_tree *tree = NULL;
8088 si = (smb_info_t *)pinfo->private_data;
8091 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8093 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8094 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8097 switch(ntd->subcmd){
8098 case NT_TRANS_CREATE:
8100 offset = dissect_nt_create_bits(tvb, tree, offset);
8103 /* root directory fid */
8104 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8107 /* nt access mask */
8108 offset = dissect_smb_access_mask(tvb, tree, offset);
8111 /* allocation size */
8112 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8115 /* Extended File Attributes */
8116 offset = dissect_file_ext_attr(tvb, tree, offset);
8120 offset = dissect_nt_share_access(tvb, tree, offset);
8123 /* create disposition */
8124 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8127 /* create options */
8128 offset = dissect_nt_create_options(tvb, tree, offset);
8132 ntd->sd_len = tvb_get_letohl(tvb, offset);
8133 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
8137 ntd->ea_len = tvb_get_letohl(tvb, offset);
8138 proto_tree_add_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ntd->ea_len);
8142 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8143 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8146 /* impersonation level */
8147 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8150 /* security flags */
8151 offset = dissect_nt_security_flags(tvb, tree, offset);
8155 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8157 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8159 COUNT_BYTES(fn_len);
8163 case NT_TRANS_IOCTL:
8165 case NT_TRANS_SSD: {
8169 fid = tvb_get_letohs(tvb, offset);
8170 add_fid(tvb, pinfo, tree, offset, 2, fid);
8173 /* 2 reserved bytes */
8174 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8177 /* security information */
8178 offset = dissect_security_information_mask(tvb, tree, offset);
8181 case NT_TRANS_NOTIFY:
8183 case NT_TRANS_RENAME:
8184 /* XXX not documented */
8186 case NT_TRANS_QSD: {
8190 fid = tvb_get_letohs(tvb, offset);
8191 add_fid(tvb, pinfo, tree, offset, 2, fid);
8194 /* 2 reserved bytes */
8195 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8198 /* security information */
8199 offset = dissect_security_information_mask(tvb, tree, offset);
8202 case NT_TRANS_GET_USER_QUOTA:
8203 /* not decoded yet */
8205 case NT_TRANS_SET_USER_QUOTA:
8206 /* not decoded yet */
8214 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
8216 proto_item *item = NULL;
8217 proto_tree *tree = NULL;
8219 int old_offset = offset;
8221 si = (smb_info_t *)pinfo->private_data;
8224 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8226 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8227 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8230 switch(ntd->subcmd){
8231 case NT_TRANS_CREATE:
8233 case NT_TRANS_IOCTL: {
8237 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
8241 fid = tvb_get_letohs(tvb, offset);
8242 add_fid(tvb, pinfo, tree, offset, 2, fid);
8246 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
8250 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
8256 case NT_TRANS_NOTIFY: {
8259 /* completion filter */
8260 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
8263 fid = tvb_get_letohs(tvb, offset);
8264 add_fid(tvb, pinfo, tree, offset, 2, fid);
8268 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
8272 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8277 case NT_TRANS_RENAME:
8278 /* XXX not documented */
8282 case NT_TRANS_GET_USER_QUOTA:
8283 /* not decoded yet */
8285 case NT_TRANS_SET_USER_QUOTA:
8286 /* not decoded yet */
8290 return old_offset+len;
8295 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8298 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
8300 smb_saved_info_t *sip;
8305 smb_nt_transact_info_t *nti;
8307 si = (smb_info_t *)pinfo->private_data;
8313 /* primary request */
8314 /* max setup count */
8315 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
8318 /* 2 reserved bytes */
8319 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8322 /* secondary request */
8323 /* 3 reserved bytes */
8324 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8329 /* total param count */
8330 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
8333 /* total data count */
8334 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
8338 /* primary request */
8339 /* max param count */
8340 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
8343 /* max data count */
8344 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
8349 pc = tvb_get_letohl(tvb, offset);
8350 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8354 po = tvb_get_letohl(tvb, offset);
8355 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8358 /* param displacement */
8360 /* primary request*/
8363 /* secondary request */
8364 pd = tvb_get_letohl(tvb, offset);
8365 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8370 dc = tvb_get_letohl(tvb, offset);
8371 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8375 od = tvb_get_letohl(tvb, offset);
8376 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8379 /* data displacement */
8381 /* primary request */
8384 /* secondary request */
8385 dd = tvb_get_letohl(tvb, offset);
8386 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8392 /* primary request */
8393 sc = tvb_get_guint8(tvb, offset);
8394 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8397 /* secondary request */
8403 /* primary request */
8404 subcmd = tvb_get_letohs(tvb, offset);
8405 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
8406 if(check_col(pinfo->cinfo, COL_INFO)){
8407 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8408 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
8410 ntd.subcmd = subcmd;
8412 if(!pinfo->fd->flags.visited){
8414 * Allocate a new smb_nt_transact_info_t
8417 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
8418 nti->subcmd = subcmd;
8419 sip->extra_info = nti;
8423 /* secondary request */
8424 if(check_col(pinfo->cinfo, COL_INFO)){
8425 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
8430 /* this is a padding byte */
8433 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
8437 /* if there were any setup bytes, decode them */
8439 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
8446 if(po>(guint32)offset){
8447 /* We have some initial padding bytes.
8452 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8453 COUNT_BYTES(padcnt);
8456 CHECK_BYTE_COUNT(pc);
8457 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
8462 if(od>(guint32)offset){
8463 /* We have some initial padding bytes.
8468 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8469 COUNT_BYTES(padcnt);
8472 CHECK_BYTE_COUNT(dc);
8473 dissect_nt_trans_data_request(
8474 tvb, pinfo, offset, tree, dc, &ntd);
8486 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
8487 int offset, proto_tree *parent_tree, int len,
8488 nt_trans_data *ntd _U_)
8490 proto_item *item = NULL;
8491 proto_tree *tree = NULL;
8493 smb_nt_transact_info_t *nti;
8496 si = (smb_info_t *)pinfo->private_data;
8497 if (si->sip != NULL)
8498 nti = si->sip->extra_info;
8504 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8506 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8509 * We never saw the request to which this is a
8512 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8513 "Unknown NT Transaction Data (matching request not seen)");
8515 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8522 switch(nti->subcmd){
8523 case NT_TRANS_CREATE:
8525 case NT_TRANS_IOCTL:
8527 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
8533 case NT_TRANS_NOTIFY:
8535 case NT_TRANS_RENAME:
8536 /* XXX not documented */
8538 case NT_TRANS_QSD: {
8540 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
8541 * which may be documented in the Win32 documentation
8544 offset = dissect_nt_sec_desc(
8545 tvb, offset, pinfo, tree, NULL, len, NULL);
8548 case NT_TRANS_GET_USER_QUOTA:
8550 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8552 case NT_TRANS_SET_USER_QUOTA:
8553 /* not decoded yet */
8561 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
8562 int offset, proto_tree *parent_tree,
8563 int len, nt_trans_data *ntd _U_, guint16 bc)
8565 proto_item *item = NULL;
8566 proto_tree *tree = NULL;
8570 smb_nt_transact_info_t *nti;
8576 si = (smb_info_t *)pinfo->private_data;
8577 if (si->sip != NULL)
8578 nti = si->sip->extra_info;
8584 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8586 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8589 * We never saw the request to which this is a
8592 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8593 "Unknown NT Transaction Parameters (matching request not seen)");
8595 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8602 switch(nti->subcmd){
8603 case NT_TRANS_CREATE:
8605 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8609 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8613 fid = tvb_get_letohs(tvb, offset);
8614 add_fid(tvb, pinfo, tree, offset, 2, fid);
8618 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8621 /* ea error offset */
8622 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
8626 offset = dissect_smb_64bit_time(tvb, tree, offset,
8627 hf_smb_create_time);
8630 offset = dissect_smb_64bit_time(tvb, tree, offset,
8631 hf_smb_access_time);
8633 /* last write time */
8634 offset = dissect_smb_64bit_time(tvb, tree, offset,
8635 hf_smb_last_write_time);
8637 /* last change time */
8638 offset = dissect_smb_64bit_time(tvb, tree, offset,
8639 hf_smb_change_time);
8641 /* Extended File Attributes */
8642 offset = dissect_file_ext_attr(tvb, tree, offset);
8644 /* allocation size */
8645 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8649 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8653 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8657 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8660 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8663 case NT_TRANS_IOCTL:
8667 case NT_TRANS_NOTIFY:
8669 old_offset = offset;
8671 /* next entry offset */
8672 neo = tvb_get_letohl(tvb, offset);
8673 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
8676 /* broken implementations */
8680 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
8683 /* broken implementations */
8687 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8688 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8691 /* broken implementations */
8695 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8698 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8700 COUNT_BYTES(fn_len);
8702 /* broken implementations */
8706 break; /* no more structures */
8708 /* skip to next structure */
8709 padcnt = (old_offset + neo) - offset;
8712 * XXX - this is bogus; flag it?
8717 COUNT_BYTES(padcnt);
8719 /* broken implementations */
8724 case NT_TRANS_RENAME:
8725 /* XXX not documented */
8729 * This appears to be the size of the security
8730 * descriptor; the calling sequence of
8731 * "ZwQuerySecurityObject()" suggests that it would
8732 * be. The actual security descriptor wouldn't
8733 * follow if the max data count in the request
8734 * was smaller; this lets the client know how
8735 * big a buffer it needs to provide.
8737 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
8740 case NT_TRANS_GET_USER_QUOTA:
8741 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
8742 tvb_get_letohl(tvb, offset));
8745 case NT_TRANS_SET_USER_QUOTA:
8746 /* not decoded yet */
8754 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
8755 int offset, proto_tree *parent_tree,
8756 int len, nt_trans_data *ntd _U_)
8758 proto_item *item = NULL;
8759 proto_tree *tree = NULL;
8761 smb_nt_transact_info_t *nti;
8763 si = (smb_info_t *)pinfo->private_data;
8764 if (si->sip != NULL)
8765 nti = si->sip->extra_info;
8771 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8773 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8776 * We never saw the request to which this is a
8779 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8780 "Unknown NT Transaction Setup (matching request not seen)");
8782 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8789 switch(nti->subcmd){
8790 case NT_TRANS_CREATE:
8792 case NT_TRANS_IOCTL:
8796 case NT_TRANS_NOTIFY:
8798 case NT_TRANS_RENAME:
8799 /* XXX not documented */
8803 case NT_TRANS_GET_USER_QUOTA:
8804 /* not decoded yet */
8806 case NT_TRANS_SET_USER_QUOTA:
8807 /* not decoded yet */
8815 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8818 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
8821 smb_nt_transact_info_t *nti;
8822 static nt_trans_data ntd;
8825 fragment_data *r_fd = NULL;
8826 tvbuff_t *pd_tvb=NULL;
8827 gboolean save_fragmented;
8829 si = (smb_info_t *)pinfo->private_data;
8830 if (si->sip != NULL)
8831 nti = si->sip->extra_info;
8835 /* primary request */
8837 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
8838 if(check_col(pinfo->cinfo, COL_INFO)){
8839 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8840 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
8843 proto_tree_add_text(tree, tvb, offset, 0,
8844 "Function: <unknown function - could not find matching request>");
8845 if(check_col(pinfo->cinfo, COL_INFO)){
8846 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8852 /* 3 reserved bytes */
8853 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8856 /* total param count */
8857 tp = tvb_get_letohl(tvb, offset);
8858 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8861 /* total data count */
8862 td = tvb_get_letohl(tvb, offset);
8863 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8867 pc = tvb_get_letohl(tvb, offset);
8868 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8872 po = tvb_get_letohl(tvb, offset);
8873 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8876 /* param displacement */
8877 pd = tvb_get_letohl(tvb, offset);
8878 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8882 dc = tvb_get_letohl(tvb, offset);
8883 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8887 od = tvb_get_letohl(tvb, offset);
8888 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8891 /* data displacement */
8892 dd = tvb_get_letohl(tvb, offset);
8893 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8897 sc = tvb_get_guint8(tvb, offset);
8898 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8903 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8909 /* reassembly of SMB NT Transaction data payload.
8910 In this section we do reassembly of both the data and parameters
8911 blocks of the SMB transaction command.
8913 save_fragmented = pinfo->fragmented;
8914 /* do we need reassembly? */
8915 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8916 /* oh yeah, either data or parameter section needs
8919 pinfo->fragmented = TRUE;
8920 if(smb_trans_reassembly){
8921 /* ...and we were told to do reassembly */
8922 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8923 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8927 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8928 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8929 od, dc, dd+tp, td+tp);
8934 /* if we got a reassembled fd structure from the reassembly routine we
8935 must create pd_tvb from it
8938 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8940 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8941 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
8943 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
8948 /* we have reassembled data, grab param and data from there */
8949 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8950 &ntd, tvb_length(pd_tvb));
8951 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8953 /* we do not have reassembled data, just use what we have in the
8954 packet as well as we can */
8956 if(po>(guint32)offset){
8957 /* We have some initial padding bytes.
8962 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8963 COUNT_BYTES(padcnt);
8966 CHECK_BYTE_COUNT(pc);
8967 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8972 if(od>(guint32)offset){
8973 /* We have some initial padding bytes.
8978 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8979 COUNT_BYTES(padcnt);
8982 CHECK_BYTE_COUNT(dc);
8983 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8987 pinfo->fragmented = save_fragmented;
8994 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8995 NT Transaction command ends here
8996 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8998 static const value_string print_mode_vals[] = {
9000 {1, "Graphics Mode"},
9005 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9007 smb_info_t *si = pinfo->private_data;
9016 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
9020 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
9026 CHECK_BYTE_COUNT(1);
9027 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9030 /* print identifier */
9031 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
9034 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
9036 COUNT_BYTES(fn_len);
9045 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9054 fid = tvb_get_letohs(tvb, offset);
9055 add_fid(tvb, pinfo, tree, offset, 2, fid);
9061 CHECK_BYTE_COUNT(1);
9062 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9066 CHECK_BYTE_COUNT(2);
9067 cnt = tvb_get_letohs(tvb, offset);
9068 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
9072 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
9080 static const value_string print_status_vals[] = {
9081 {1, "Held or Stopped"},
9083 {3, "Awaiting print"},
9084 {4, "In intercept"},
9085 {5, "File had error"},
9086 {6, "Printer error"},
9091 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9099 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
9103 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
9114 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
9115 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
9117 proto_item *item = NULL;
9118 proto_tree *tree = NULL;
9119 smb_info_t *si = pinfo->private_data;
9124 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
9126 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
9130 CHECK_BYTE_COUNT_SUBR(4);
9131 offset = dissect_smb_datetime(tvb, tree, offset,
9132 hf_smb_print_queue_date,
9133 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
9137 CHECK_BYTE_COUNT_SUBR(1);
9138 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
9139 COUNT_BYTES_SUBR(1);
9141 /* spool file number */
9142 CHECK_BYTE_COUNT_SUBR(2);
9143 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
9144 COUNT_BYTES_SUBR(2);
9146 /* spool file size */
9147 CHECK_BYTE_COUNT_SUBR(4);
9148 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
9149 COUNT_BYTES_SUBR(4);
9152 CHECK_BYTE_COUNT_SUBR(1);
9153 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9154 COUNT_BYTES_SUBR(1);
9158 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
9159 CHECK_STRING_SUBR(fn);
9160 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
9162 COUNT_BYTES_SUBR(fn_len);
9169 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9179 cnt = tvb_get_letohs(tvb, offset);
9180 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
9184 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
9190 CHECK_BYTE_COUNT(1);
9191 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9195 CHECK_BYTE_COUNT(2);
9196 len = tvb_get_letohs(tvb, offset);
9197 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
9200 /* queue elements */
9202 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
9215 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9220 guint16 message_len;
9227 CHECK_BYTE_COUNT(1);
9228 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9231 /* originator name */
9232 /* XXX - what if this runs past bc? */
9233 name_len = tvb_strsize(tvb, offset);
9234 CHECK_BYTE_COUNT(name_len);
9235 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9237 COUNT_BYTES(name_len);
9240 CHECK_BYTE_COUNT(1);
9241 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9244 /* destination name */
9245 /* XXX - what if this runs past bc? */
9246 name_len = tvb_strsize(tvb, offset);
9247 CHECK_BYTE_COUNT(name_len);
9248 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9250 COUNT_BYTES(name_len);
9253 CHECK_BYTE_COUNT(1);
9254 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9258 CHECK_BYTE_COUNT(2);
9259 message_len = tvb_get_letohs(tvb, offset);
9260 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9265 CHECK_BYTE_COUNT(message_len);
9266 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9268 COUNT_BYTES(message_len);
9276 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9287 CHECK_BYTE_COUNT(1);
9288 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9291 /* originator name */
9292 /* XXX - what if this runs past bc? */
9293 name_len = tvb_strsize(tvb, offset);
9294 CHECK_BYTE_COUNT(name_len);
9295 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9297 COUNT_BYTES(name_len);
9300 CHECK_BYTE_COUNT(1);
9301 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9304 /* destination name */
9305 /* XXX - what if this runs past bc? */
9306 name_len = tvb_strsize(tvb, offset);
9307 CHECK_BYTE_COUNT(name_len);
9308 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9310 COUNT_BYTES(name_len);
9318 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9325 /* message group ID */
9326 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
9337 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9341 guint16 message_len;
9348 CHECK_BYTE_COUNT(1);
9349 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9353 CHECK_BYTE_COUNT(2);
9354 message_len = tvb_get_letohs(tvb, offset);
9355 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9360 CHECK_BYTE_COUNT(message_len);
9361 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9363 COUNT_BYTES(message_len);
9371 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9382 CHECK_BYTE_COUNT(1);
9383 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9386 /* forwarded name */
9387 /* XXX - what if this runs past bc? */
9388 name_len = tvb_strsize(tvb, offset);
9389 CHECK_BYTE_COUNT(name_len);
9390 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
9392 COUNT_BYTES(name_len);
9400 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9411 CHECK_BYTE_COUNT(1);
9412 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9416 /* XXX - what if this runs past bc? */
9417 name_len = tvb_strsize(tvb, offset);
9418 CHECK_BYTE_COUNT(name_len);
9419 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
9421 COUNT_BYTES(name_len);
9430 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9432 guint8 wc, cmd=0xff;
9433 guint16 andxoffset=0;
9435 smb_info_t *si = pinfo->private_data;
9441 /* next smb command */
9442 cmd = tvb_get_guint8(tvb, offset);
9444 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9446 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9451 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9455 andxoffset = tvb_get_letohs(tvb, offset);
9456 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9460 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9464 fn_len = tvb_get_letohs(tvb, offset);
9465 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
9469 offset = dissect_nt_create_bits(tvb, tree, offset);
9471 /* root directory fid */
9472 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
9475 /* nt access mask */
9476 offset = dissect_smb_access_mask(tvb, tree, offset);
9478 /* allocation size */
9479 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9482 /* Extended File Attributes */
9483 offset = dissect_file_ext_attr(tvb, tree, offset);
9486 offset = dissect_nt_share_access(tvb, tree, offset);
9488 /* create disposition */
9489 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
9492 /* create options */
9493 offset = dissect_nt_create_options(tvb, tree, offset);
9495 /* impersonation level */
9496 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
9499 /* security flags */
9500 offset = dissect_nt_security_flags(tvb, tree, offset);
9505 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9508 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9510 COUNT_BYTES(fn_len);
9512 if (check_col(pinfo->cinfo, COL_INFO)) {
9513 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
9518 /* call AndXCommand (if there are any) */
9519 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9526 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9528 guint8 wc, cmd=0xff;
9529 guint16 andxoffset=0;
9535 /* next smb command */
9536 cmd = tvb_get_guint8(tvb, offset);
9538 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9540 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9545 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9549 andxoffset = tvb_get_letohs(tvb, offset);
9550 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9554 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
9558 fid = tvb_get_letohs(tvb, offset);
9559 add_fid(tvb, pinfo, tree, offset, 2, fid);
9563 /*XXX is this really the same as create disposition in the request? it looks so*/
9564 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
9565 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
9569 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
9572 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
9574 /* last write time */
9575 offset = dissect_smb_64bit_time(tvb, tree, offset,
9576 hf_smb_last_write_time);
9578 /* last change time */
9579 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
9581 /* Extended File Attributes */
9582 offset = dissect_file_ext_attr(tvb, tree, offset);
9584 /* allocation size */
9585 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9589 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9593 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
9597 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
9600 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9607 /* call AndXCommand (if there are any) */
9608 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9615 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9629 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9630 BEGIN Transaction/Transaction2 Primary and secondary requests
9631 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
9634 const value_string trans2_cmd_vals[] = {
9636 { 0x01, "FIND_FIRST2" },
9637 { 0x02, "FIND_NEXT2" },
9638 { 0x03, "QUERY_FS_INFO" },
9639 { 0x04, "SET_FS_QUOTA" },
9640 { 0x05, "QUERY_PATH_INFO" },
9641 { 0x06, "SET_PATH_INFO" },
9642 { 0x07, "QUERY_FILE_INFO" },
9643 { 0x08, "SET_FILE_INFO" },
9646 { 0x0B, "FIND_NOTIFY_FIRST" },
9647 { 0x0C, "FIND_NOTIFY_NEXT" },
9648 { 0x0D, "CREATE_DIRECTORY" },
9649 { 0x0E, "SESSION_SETUP" },
9650 { 0x10, "GET_DFS_REFERRAL" },
9651 { 0x11, "REPORT_DFS_INCONSISTENCY" },
9655 static const true_false_string tfs_tf_dtid = {
9656 "Also DISCONNECT TID",
9657 "Do NOT disconnect TID"
9659 static const true_false_string tfs_tf_owt = {
9660 "One Way Transaction (NO RESPONSE)",
9661 "Two way transaction"
9664 static const true_false_string tfs_ff2_backup = {
9665 "Find WITH backup intent",
9668 static const true_false_string tfs_ff2_continue = {
9669 "CONTINUE search from previous position",
9670 "New search, do NOT continue from previous position"
9672 static const true_false_string tfs_ff2_resume = {
9673 "Return RESUME keys",
9674 "Do NOT return resume keys"
9676 static const true_false_string tfs_ff2_close_eos = {
9677 "CLOSE search if END OF SEARCH is reached",
9678 "Do NOT close search if end of search reached"
9680 static const true_false_string tfs_ff2_close = {
9681 "CLOSE search after this request",
9682 "Do NOT close search after this request"
9688 static const value_string ff2_il_vals[] = {
9689 { 1, "Info Standard"},
9690 { 2, "Info Query EA Size"},
9691 { 3, "Info Query EAs From List"},
9692 { 0x0101, "Find File Directory Info"},
9693 { 0x0102, "Find File Full Directory Info"},
9694 { 0x0103, "Find File Names Info"},
9695 { 0x0104, "Find File Both Directory Info"},
9696 { 0x0202, "Find File UNIX"},
9701 TRANS2_QUERY_PATH_INFORMATION
9702 TRANS2_QUERY_FILE_INFORMATION
9704 static const value_string qpi_loi_vals[] = {
9705 { 1, "Info Standard"},
9706 { 2, "Info Query EA Size"},
9707 { 3, "Info Query EAs From List"},
9708 { 4, "Info Query All EAs"},
9709 { 6, "Info Is Name Valid"},
9710 { 0x0101, "Query File Basic Info"},
9711 { 0x0102, "Query File Standard Info"},
9712 { 0x0103, "Query File EA Info"},
9713 { 0x0104, "Query File Name Info"},
9714 { 0x0107, "Query File All Info"},
9715 { 0x0108, "Query File Alt Name Info"},
9716 { 0x0109, "Query File Stream Info"},
9717 { 0x010b, "Query File Compression Info"},
9718 { 0x0200, "Query File Unix Basic"},
9719 { 0x0201, "Query File Unix Link"},
9720 { 1004, "Query File Basic Info"},
9721 { 1005, "Query File Standard Info"},
9722 { 1006, "Query File Internal Info"},
9723 { 1007, "Query File EA Info"},
9724 { 1009, "Query File Name Info"},
9725 { 1010, "Query File Rename Info"},
9726 { 1011, "Query File Link Info"},
9727 { 1012, "Query File Names Info"},
9728 { 1013, "Query File Disposition Info"},
9729 { 1014, "Query File Position Info"},
9730 { 1015, "Query File Full EA Info"},
9731 { 1016, "Query File Mode Info"},
9732 { 1017, "Query File Alignment Info"},
9733 { 1018, "Query File All Info"},
9734 { 1019, "Query File Allocation Info"},
9735 { 1020, "Query File End of File Info"},
9736 { 1021, "Query File Alt Name Info"},
9737 { 1022, "Query File Stream Info"},
9738 { 1023, "Query File Pipe Info"},
9739 { 1024, "Query File Pipe Local Info"},
9740 { 1025, "Query File Pipe Remote Info"},
9741 { 1026, "Query File Mailslot Query Info"},
9742 { 1027, "Query File Mailslot Set Info"},
9743 { 1028, "Query File Compression Info"},
9744 { 1029, "Query File ObjectID Info"},
9745 { 1030, "Query File Completion Info"},
9746 { 1031, "Query File Move Cluster Info"},
9747 { 1032, "Query File Quota Info"},
9748 { 1033, "Query File Reparsepoint Info"},
9749 { 1034, "Query File Network Open Info"},
9750 { 1035, "Query File Attribute Tag Info"},
9751 { 1036, "Query File Tracking Info"},
9752 { 1037, "Query File Maximum Info"},
9757 TRANS2_SET_PATH_INFORMATION
9758 TRANS2_SET_FILE_INFORMATION
9759 (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
9760 but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
9761 well; note that they're different from the QUERY_PATH_INFORMATION
9762 and QUERY_FILE_INFORMATION values!)
9764 static const value_string spi_loi_vals[] = {
9765 { 1, "Info Standard"},
9766 { 2, "Info Query EA Size"},
9767 { 4, "Info Query All EAs"},
9768 { 0x0101, "Set File Basic Info"},
9769 { 0x0102, "Set File Disposition Info"},
9770 { 0x0103, "Set File Allocation Info"},
9771 { 0x0104, "Set File End Of File Info"},
9772 { 0x0200, "Set File Unix Basic"},
9773 { 0x0201, "Set File Unix Link"},
9774 { 0x0202, "Set File Unix HardLink"},
9775 { 1004, "Set File Basic Info"},
9776 { 1010, "Set Rename Information"},
9777 { 1013, "Set Disposition Information"},
9778 { 1014, "Set Position Information"},
9779 { 1016, "Set Mode Information"},
9780 { 1019, "Set Allocation Information"},
9781 { 1020, "Set EOF Information"},
9782 { 1023, "Set File Pipe Information"},
9783 { 1025, "Set File Pipe Remote Information"},
9784 { 1029, "Set Copy On Write Information"},
9785 { 1032, "Set OLE Class ID Information"},
9786 { 1039, "Set Inherit Context Index Information"},
9787 { 1040, "Set OLE Information (?)"},
9791 static const value_string qfsi_vals[] = {
9792 { 1, "Info Allocation"},
9793 { 2, "Info Volume"},
9794 { 0x0101, "Query FS Label Info"},
9795 { 0x0102, "Query FS Volume Info"},
9796 { 0x0103, "Query FS Size Info"},
9797 { 0x0104, "Query FS Device Info"},
9798 { 0x0105, "Query FS Attribute Info"},
9799 { 0x0200, "Unix Query FS Info"},
9800 { 0x0301, "Mac Query FS Info"},
9801 { 1001, "Query FS Label Info"},
9802 { 1002, "Query FS Volume Info"},
9803 { 1003, "Query FS Size Info"},
9804 { 1004, "Query FS Device Info"},
9805 { 1005, "Query FS Attribute Info"},
9806 { 1006, "Query FS Quota Info"},
9807 { 1007, "Query Full FS Size Info"},
9808 { 1008, "Object ID Information"},
9812 static const value_string nt_rename_vals[] = {
9813 { 0x0103, "Create Hard Link"},
9818 static const value_string delete_pending_vals[] = {
9819 {0, "Normal, no pending delete"},
9820 {1, "This object has DELETE PENDING"},
9824 static const value_string alignment_vals[] = {
9825 {0, "Byte alignment"},
9826 {1, "Word (16bit) alignment"},
9827 {3, "Long (32bit) alignment"},
9828 {7, "8 byte boundary alignment"},
9829 {0x0f, "16 byte boundary alignment"},
9830 {0x1f, "32 byte boundary alignment"},
9831 {0x3f, "64 byte boundary alignment"},
9832 {0x7f, "128 byte boundary alignment"},
9833 {0xff, "256 byte boundary alignment"},
9834 {0x1ff, "512 byte boundary alignment"},
9838 static const true_false_string tfs_marked_for_deletion = {
9839 "File is MARKED FOR DELETION",
9840 "File is NOT marked for deletion"
9843 static const true_false_string tfs_get_dfs_server_hold_storage = {
9844 "Referral SERVER HOLDS STORAGE for the file",
9845 "Referral server does NOT hold storage for the file"
9847 static const true_false_string tfs_get_dfs_fielding = {
9848 "The server in referral is FIELDING CAPABLE",
9849 "The server in referrals is NOT fielding capable"
9852 static const true_false_string tfs_dfs_referral_flags_strip = {
9853 "STRIP off pathconsumed characters before submitting",
9854 "Do NOT strip off any characters"
9857 static const value_string dfs_referral_server_type_vals[] = {
9860 {2, "Netware Server"},
9861 {3, "Domain Server"},
9866 static const true_false_string tfs_device_char_removable = {
9867 "This is a REMOVABLE device",
9868 "This is NOT a removable device"
9870 static const true_false_string tfs_device_char_read_only = {
9871 "This is a READ-ONLY device",
9872 "This is NOT a read-only device"
9874 static const true_false_string tfs_device_char_floppy = {
9875 "This is a FLOPPY DISK device",
9876 "This is NOT a floppy disk device"
9878 static const true_false_string tfs_device_char_write_once = {
9879 "This is a WRITE-ONCE device",
9880 "This is NOT a write-once device"
9882 static const true_false_string tfs_device_char_remote = {
9883 "This is a REMOTE device",
9884 "This is NOT a remote device"
9886 static const true_false_string tfs_device_char_mounted = {
9887 "This device is MOUNTED",
9888 "This device is NOT mounted"
9890 static const true_false_string tfs_device_char_virtual = {
9891 "This is a VIRTUAL device",
9892 "This is NOT a virtual device"
9896 static const true_false_string tfs_fs_attr_css = {
9897 "This FS supports CASE SENSITIVE SEARCHes",
9898 "This FS does NOT support case sensitive searches"
9900 static const true_false_string tfs_fs_attr_cpn = {
9901 "This FS supports CASE PRESERVED NAMES",
9902 "This FS does NOT support case preserved names"
9904 static const true_false_string tfs_fs_attr_pacls = {
9905 "This FS supports PERSISTENT ACLs",
9906 "This FS does NOT support persistent acls"
9908 static const true_false_string tfs_fs_attr_fc = {
9909 "This FS supports COMPRESSED FILES",
9910 "This FS does NOT support compressed files"
9912 static const true_false_string tfs_fs_attr_vq = {
9913 "This FS supports VOLUME QUOTAS",
9914 "This FS does NOT support volume quotas"
9916 static const true_false_string tfs_fs_attr_dim = {
9917 "This FS is on a MOUNTED DEVICE",
9918 "This FS is NOT on a mounted device"
9920 static const true_false_string tfs_fs_attr_vic = {
9921 "This FS is on a COMPRESSED VOLUME",
9922 "This FS is NOT on a compressed volume"
9925 #define FF2_RESUME 0x0004
9928 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9931 proto_item *item = NULL;
9932 proto_tree *tree = NULL;
9934 smb_transact2_info_t *t2i;
9936 mask = tvb_get_letohs(tvb, offset);
9938 si = (smb_info_t *)pinfo->private_data;
9939 if (si->sip != NULL) {
9940 t2i = si->sip->extra_info;
9942 if (!pinfo->fd->flags.visited)
9943 t2i->resume_keys = (mask & FF2_RESUME);
9948 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9949 "Flags: 0x%04x", mask);
9950 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
9953 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
9954 tvb, offset, 2, mask);
9955 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
9956 tvb, offset, 2, mask);
9957 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
9958 tvb, offset, 2, mask);
9959 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
9960 tvb, offset, 2, mask);
9961 proto_tree_add_boolean(tree, hf_smb_ff2_close,
9962 tvb, offset, 2, mask);
9971 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9974 proto_item *item = NULL;
9975 proto_tree *tree = NULL;
9977 mask = tvb_get_letohs(tvb, offset);
9980 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9981 "IO Flag: 0x%04x", mask);
9982 tree = proto_item_add_subtree(item, ett_smb_ioflag);
9985 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
9986 tvb, offset, 2, mask);
9987 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
9988 tvb, offset, 2, mask);
9997 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
9998 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
10000 proto_item *item = NULL;
10001 proto_tree *tree = NULL;
10003 smb_transact2_info_t *t2i;
10007 si = (smb_info_t *)pinfo->private_data;
10008 if (si->sip != NULL)
10009 t2i = si->sip->extra_info;
10014 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
10016 val_to_str(subcmd, trans2_cmd_vals,
10017 "Unknown (0x%02x)"));
10018 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
10022 case 0x00: /*TRANS2_OPEN2*/
10024 CHECK_BYTE_COUNT_TRANS(2);
10025 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
10028 /* desired access */
10029 CHECK_BYTE_COUNT_TRANS(2);
10030 offset = dissect_access(tvb, tree, offset, "Desired");
10033 /* Search Attributes */
10034 CHECK_BYTE_COUNT_TRANS(2);
10035 offset = dissect_search_attributes(tvb, tree, offset);
10038 /* File Attributes */
10039 CHECK_BYTE_COUNT_TRANS(2);
10040 offset = dissect_file_attributes(tvb, tree, offset, 2);
10044 CHECK_BYTE_COUNT_TRANS(4);
10045 offset = dissect_smb_datetime(tvb, tree, offset,
10046 hf_smb_create_time,
10047 hf_smb_create_dos_date, hf_smb_create_dos_time,
10051 /* open function */
10052 CHECK_BYTE_COUNT_TRANS(2);
10053 offset = dissect_open_function(tvb, tree, offset);
10056 /* allocation size */
10057 CHECK_BYTE_COUNT_TRANS(4);
10058 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10059 COUNT_BYTES_TRANS(4);
10061 /* 10 reserved bytes */
10062 CHECK_BYTE_COUNT_TRANS(10);
10063 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
10064 COUNT_BYTES_TRANS(10);
10067 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10068 CHECK_STRING_TRANS(fn);
10069 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10071 COUNT_BYTES_TRANS(fn_len);
10073 if (check_col(pinfo->cinfo, COL_INFO)) {
10074 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10078 case 0x01: /*TRANS2_FIND_FIRST2*/
10079 /* Search Attributes */
10080 CHECK_BYTE_COUNT_TRANS(2);
10081 offset = dissect_search_attributes(tvb, tree, offset);
10085 CHECK_BYTE_COUNT_TRANS(2);
10086 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10087 COUNT_BYTES_TRANS(2);
10089 /* Find First2 flags */
10090 CHECK_BYTE_COUNT_TRANS(2);
10091 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10094 /* Find First2 information level */
10095 CHECK_BYTE_COUNT_TRANS(2);
10096 si->info_level = tvb_get_letohs(tvb, offset);
10097 if (!pinfo->fd->flags.visited)
10098 t2i->info_level = si->info_level;
10099 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10100 COUNT_BYTES_TRANS(2);
10103 CHECK_BYTE_COUNT_TRANS(4);
10104 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
10105 COUNT_BYTES_TRANS(4);
10107 /* search pattern */
10108 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10109 CHECK_STRING_TRANS(fn);
10110 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
10112 COUNT_BYTES_TRANS(fn_len);
10114 if (check_col(pinfo->cinfo, COL_INFO)) {
10115 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
10120 case 0x02: /*TRANS2_FIND_NEXT2*/
10122 CHECK_BYTE_COUNT_TRANS(2);
10123 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
10124 COUNT_BYTES_TRANS(2);
10127 CHECK_BYTE_COUNT_TRANS(2);
10128 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10129 COUNT_BYTES_TRANS(2);
10131 /* Find First2 information level */
10132 CHECK_BYTE_COUNT_TRANS(2);
10133 si->info_level = tvb_get_letohs(tvb, offset);
10134 if (!pinfo->fd->flags.visited)
10135 t2i->info_level = si->info_level;
10136 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10137 COUNT_BYTES_TRANS(2);
10140 CHECK_BYTE_COUNT_TRANS(4);
10141 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
10142 COUNT_BYTES_TRANS(4);
10144 /* Find First2 flags */
10145 CHECK_BYTE_COUNT_TRANS(2);
10146 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10150 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10151 CHECK_STRING_TRANS(fn);
10152 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10154 COUNT_BYTES_TRANS(fn_len);
10156 if (check_col(pinfo->cinfo, COL_INFO)) {
10157 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
10162 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
10163 /* level of interest */
10164 CHECK_BYTE_COUNT_TRANS(2);
10165 si->info_level = tvb_get_letohs(tvb, offset);
10166 if (!pinfo->fd->flags.visited)
10167 t2i->info_level = si->info_level;
10168 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
10169 COUNT_BYTES_TRANS(2);
10171 if (check_col(pinfo->cinfo, COL_INFO))
10172 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
10173 val_to_str(si->info_level, qfsi_vals,
10174 "Unknown (0x%02x)"));
10177 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
10178 /* level of interest */
10179 CHECK_BYTE_COUNT_TRANS(2);
10180 si->info_level = tvb_get_letohs(tvb, offset);
10181 if (!pinfo->fd->flags.visited)
10182 t2i->info_level = si->info_level;
10183 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10184 COUNT_BYTES_TRANS(2);
10186 if (check_col(pinfo->cinfo, COL_INFO)) {
10188 pinfo->cinfo, COL_INFO, ", %s",
10189 val_to_str(si->info_level, qpi_loi_vals,
10193 /* 4 reserved bytes */
10194 CHECK_BYTE_COUNT_TRANS(4);
10195 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10196 COUNT_BYTES_TRANS(4);
10199 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10200 CHECK_STRING_TRANS(fn);
10201 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10203 COUNT_BYTES_TRANS(fn_len);
10205 if (check_col(pinfo->cinfo, COL_INFO)) {
10206 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10211 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10212 /* level of interest */
10213 CHECK_BYTE_COUNT_TRANS(2);
10214 si->info_level = tvb_get_letohs(tvb, offset);
10215 if (!pinfo->fd->flags.visited)
10216 t2i->info_level = si->info_level;
10217 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10218 COUNT_BYTES_TRANS(2);
10220 /* 4 reserved bytes */
10221 CHECK_BYTE_COUNT_TRANS(4);
10222 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10223 COUNT_BYTES_TRANS(4);
10226 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10227 CHECK_STRING_TRANS(fn);
10228 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10230 COUNT_BYTES_TRANS(fn_len);
10232 if (check_col(pinfo->cinfo, COL_INFO)) {
10233 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10238 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
10242 CHECK_BYTE_COUNT_TRANS(2);
10243 fid = tvb_get_letohs(tvb, offset);
10244 add_fid(tvb, pinfo, tree, offset, 2, fid);
10245 COUNT_BYTES_TRANS(2);
10247 /* level of interest */
10248 CHECK_BYTE_COUNT_TRANS(2);
10249 si->info_level = tvb_get_letohs(tvb, offset);
10250 if (!pinfo->fd->flags.visited)
10251 t2i->info_level = si->info_level;
10252 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10253 COUNT_BYTES_TRANS(2);
10255 if (check_col(pinfo->cinfo, COL_INFO)) {
10257 pinfo->cinfo, COL_INFO, ", %s",
10258 val_to_str(si->info_level, qpi_loi_vals,
10264 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
10268 CHECK_BYTE_COUNT_TRANS(2);
10269 fid = tvb_get_letohs(tvb, offset);
10270 add_fid(tvb, pinfo, tree, offset, 2, fid);
10271 COUNT_BYTES_TRANS(2);
10273 /* level of interest */
10274 CHECK_BYTE_COUNT_TRANS(2);
10275 si->info_level = tvb_get_letohs(tvb, offset);
10276 if (!pinfo->fd->flags.visited)
10277 t2i->info_level = si->info_level;
10278 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10279 COUNT_BYTES_TRANS(2);
10283 * XXX - "Microsoft Networks SMB File Sharing Protocol
10284 * Extensions Version 3.0, Document Version 1.11,
10285 * July 19, 1990" says this is I/O flags, but it's
10286 * reserved in the SNIA spec, and some clients appear
10287 * to leave junk in it.
10289 * Is this some field used only if a particular
10290 * dialect was negotiated, so that clients can feel
10291 * safe not setting it if they haven't negotiated that
10292 * dialect? Or do the (non-OS/2) clients simply not care
10293 * about that particular OS/2-oriented dialect?
10297 CHECK_BYTE_COUNT_TRANS(2);
10298 offset = dissect_sfi_ioflag(tvb, tree, offset);
10301 /* 2 reserved bytes */
10302 CHECK_BYTE_COUNT_TRANS(2);
10303 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10304 COUNT_BYTES_TRANS(2);
10309 case 0x09: /*TRANS2_FSCTL*/
10310 /* this call has no parameter block in the request */
10313 * XXX - "Microsoft Networks SMB File Sharing Protocol
10314 * Extensions Version 3.0, Document Version 1.11,
10315 * July 19, 1990" says this this contains a
10316 * "File system specific parameter block". (That means
10317 * we may not be able to dissect it in any case.)
10320 case 0x0a: /*TRANS2_IOCTL2*/
10321 /* this call has no parameter block in the request */
10324 * XXX - "Microsoft Networks SMB File Sharing Protocol
10325 * Extensions Version 3.0, Document Version 1.11,
10326 * July 19, 1990" says this this contains a
10327 * "Device/function specific parameter block". (That
10328 * means we may not be able to dissect it in any case.)
10331 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
10332 /* Search Attributes */
10333 CHECK_BYTE_COUNT_TRANS(2);
10334 offset = dissect_search_attributes(tvb, tree, offset);
10337 /* Number of changes to wait for */
10338 CHECK_BYTE_COUNT_TRANS(2);
10339 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10340 COUNT_BYTES_TRANS(2);
10342 /* Find Notify information level */
10343 CHECK_BYTE_COUNT_TRANS(2);
10344 si->info_level = tvb_get_letohs(tvb, offset);
10345 if (!pinfo->fd->flags.visited)
10346 t2i->info_level = si->info_level;
10347 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
10348 COUNT_BYTES_TRANS(2);
10350 /* 4 reserved bytes */
10351 CHECK_BYTE_COUNT_TRANS(4);
10352 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10353 COUNT_BYTES_TRANS(4);
10356 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10357 CHECK_STRING_TRANS(fn);
10358 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10360 COUNT_BYTES_TRANS(fn_len);
10362 if (check_col(pinfo->cinfo, COL_INFO)) {
10363 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10369 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
10370 /* Monitor handle */
10371 CHECK_BYTE_COUNT_TRANS(2);
10372 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
10373 COUNT_BYTES_TRANS(2);
10375 /* Number of changes to wait for */
10376 CHECK_BYTE_COUNT_TRANS(2);
10377 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10378 COUNT_BYTES_TRANS(2);
10382 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10383 /* 4 reserved bytes */
10384 CHECK_BYTE_COUNT_TRANS(4);
10385 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10386 COUNT_BYTES_TRANS(4);
10389 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
10390 FALSE, FALSE, &bc);
10391 CHECK_STRING_TRANS(fn);
10392 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
10394 COUNT_BYTES_TRANS(fn_len);
10396 if (check_col(pinfo->cinfo, COL_INFO)) {
10397 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
10401 case 0x0e: /*TRANS2_SESSION_SETUP*/
10402 /* XXX unknown structure*/
10404 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10405 /* referral level */
10406 CHECK_BYTE_COUNT_TRANS(2);
10407 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
10408 COUNT_BYTES_TRANS(2);
10411 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10412 CHECK_STRING_TRANS(fn);
10413 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10415 COUNT_BYTES_TRANS(fn_len);
10417 if (check_col(pinfo->cinfo, COL_INFO)) {
10418 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10423 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10425 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10426 CHECK_STRING_TRANS(fn);
10427 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10429 COUNT_BYTES_TRANS(fn_len);
10431 if (check_col(pinfo->cinfo, COL_INFO)) {
10432 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10439 /* ooops there were data we didnt know how to process */
10441 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, TRUE);
10449 * XXX - just use "dissect_connect_flags()" here?
10452 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10455 proto_item *item = NULL;
10456 proto_tree *tree = NULL;
10458 mask = tvb_get_letohs(tvb, offset);
10461 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10462 "Flags: 0x%04x", mask);
10463 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
10466 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
10467 tvb, offset, 2, mask);
10468 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
10469 tvb, offset, 2, mask);
10476 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10479 proto_item *item = NULL;
10480 proto_tree *tree = NULL;
10482 mask = tvb_get_letohs(tvb, offset);
10485 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10486 "Flags: 0x%04x", mask);
10487 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
10490 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
10491 tvb, offset, 2, mask);
10492 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
10493 tvb, offset, 2, mask);
10500 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10503 proto_item *item = NULL;
10504 proto_tree *tree = NULL;
10506 mask = tvb_get_letohs(tvb, offset);
10509 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10510 "Flags: 0x%04x", mask);
10511 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
10514 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
10515 tvb, offset, 2, mask);
10523 /* dfs inconsistency data (4.4.2)
10526 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
10527 proto_tree *tree, int offset, guint16 *bcp)
10529 smb_info_t *si = pinfo->private_data;
10533 /*XXX shouldn this data hold version and size? unclear from doc*/
10534 /* referral version */
10535 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10536 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
10537 COUNT_BYTES_TRANS_SUBR(2);
10539 /* referral size */
10540 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10541 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
10542 COUNT_BYTES_TRANS_SUBR(2);
10544 /* referral server type */
10545 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10546 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10547 COUNT_BYTES_TRANS_SUBR(2);
10549 /* referral flags */
10550 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10551 offset = dissect_dfs_referral_flags(tvb, tree, offset);
10555 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10556 CHECK_STRING_TRANS_SUBR(fn);
10557 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10559 COUNT_BYTES_TRANS_SUBR(fn_len);
10564 /* get dfs referral data (4.4.1)
10567 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
10568 proto_tree *tree, int offset, guint16 *bcp)
10570 smb_info_t *si = pinfo->private_data;
10573 guint16 pathoffset;
10574 guint16 altpathoffset;
10575 guint16 nodeoffset;
10585 /* path consumed */
10586 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10587 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
10588 COUNT_BYTES_TRANS_SUBR(2);
10590 /* num referrals */
10591 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10592 numref = tvb_get_letohs(tvb, offset);
10593 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
10594 COUNT_BYTES_TRANS_SUBR(2);
10596 /* get dfs flags */
10597 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10598 offset = dissect_get_dfs_flags(tvb, tree, offset);
10601 /* XXX - in at least one capture there appears to be 2 bytes
10602 of stuff after the Dfs flags, perhaps so that the header
10603 in front of the referral list is a multiple of 4 bytes long. */
10604 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10605 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
10606 COUNT_BYTES_TRANS_SUBR(2);
10608 /* if there are any referrals */
10610 proto_item *ref_item = NULL;
10611 proto_tree *ref_tree = NULL;
10612 int old_offset=offset;
10615 ref_item = proto_tree_add_text(tree,
10616 tvb, offset, *bcp, "Referrals");
10617 ref_tree = proto_item_add_subtree(ref_item,
10618 ett_smb_dfs_referrals);
10623 proto_item *ri = NULL;
10624 proto_tree *rt = NULL;
10625 int old_offset=offset;
10629 ri = proto_tree_add_text(ref_tree,
10630 tvb, offset, *bcp, "Referral");
10631 rt = proto_item_add_subtree(ri,
10632 ett_smb_dfs_referral);
10635 /* referral version */
10636 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10637 version = tvb_get_letohs(tvb, offset);
10638 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
10639 tvb, offset, 2, version);
10640 COUNT_BYTES_TRANS_SUBR(2);
10642 /* referral size */
10643 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10644 refsize = tvb_get_letohs(tvb, offset);
10645 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
10646 COUNT_BYTES_TRANS_SUBR(2);
10648 /* referral server type */
10649 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10650 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10651 COUNT_BYTES_TRANS_SUBR(2);
10653 /* referral flags */
10654 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10655 offset = dissect_dfs_referral_flags(tvb, rt, offset);
10662 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10663 CHECK_STRING_TRANS_SUBR(fn);
10664 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10666 COUNT_BYTES_TRANS_SUBR(fn_len);
10670 case 3: /* XXX - like version 2, but not identical;
10671 seen in a capture, but the format isn't
10674 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10675 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
10676 COUNT_BYTES_TRANS_SUBR(2);
10679 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10680 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
10681 COUNT_BYTES_TRANS_SUBR(2);
10684 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10685 pathoffset = tvb_get_letohs(tvb, offset);
10686 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
10687 COUNT_BYTES_TRANS_SUBR(2);
10689 /* alt path offset */
10690 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10691 altpathoffset = tvb_get_letohs(tvb, offset);
10692 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
10693 COUNT_BYTES_TRANS_SUBR(2);
10696 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10697 nodeoffset = tvb_get_letohs(tvb, offset);
10698 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
10699 COUNT_BYTES_TRANS_SUBR(2);
10702 if (pathoffset != 0) {
10703 stroffset = old_offset + pathoffset;
10704 offsetoffset = stroffset - offset;
10705 if (offsetoffset > 0 &&
10706 *bcp > offsetoffset) {
10708 *bcp -= offsetoffset;
10709 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10710 CHECK_STRING_TRANS_SUBR(fn);
10711 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
10713 stroffset += fn_len;
10714 if (ucstring_end < stroffset)
10715 ucstring_end = stroffset;
10721 if (altpathoffset != 0) {
10722 stroffset = old_offset + altpathoffset;
10723 offsetoffset = stroffset - offset;
10724 if (offsetoffset > 0 &&
10725 *bcp > offsetoffset) {
10727 *bcp -= offsetoffset;
10728 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10729 CHECK_STRING_TRANS_SUBR(fn);
10730 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
10732 stroffset += fn_len;
10733 if (ucstring_end < stroffset)
10734 ucstring_end = stroffset;
10740 if (nodeoffset != 0) {
10741 stroffset = old_offset + nodeoffset;
10742 offsetoffset = stroffset - offset;
10743 if (offsetoffset > 0 &&
10744 *bcp > offsetoffset) {
10746 *bcp -= offsetoffset;
10747 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10748 CHECK_STRING_TRANS_SUBR(fn);
10749 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
10751 stroffset += fn_len;
10752 if (ucstring_end < stroffset)
10753 ucstring_end = stroffset;
10761 * Show anything beyond the length of the referral
10764 unklen = (old_offset + refsize) - offset;
10767 * XXX - the length is bogus.
10772 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
10773 proto_tree_add_item(rt, hf_smb_unknown, tvb,
10774 offset, unklen, TRUE);
10775 COUNT_BYTES_TRANS_SUBR(unklen);
10778 proto_item_set_len(ri, offset-old_offset);
10782 * Treat the offset past the end of the last Unicode
10783 * string after the referrals (if any) as the last
10786 if (ucstring_end > offset) {
10787 ucstring_len = ucstring_end - offset;
10788 if (*bcp < ucstring_len)
10789 ucstring_len = *bcp;
10790 offset += ucstring_len;
10791 *bcp -= ucstring_len;
10793 proto_item_set_len(ref_item, offset-old_offset);
10800 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
10801 as described in 4.2.16.1
10804 dissect_4_2_16_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10805 int offset, guint16 *bcp, gboolean *trunc)
10808 CHECK_BYTE_COUNT_SUBR(4);
10809 offset = dissect_smb_datetime(tvb, tree, offset,
10810 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
10815 CHECK_BYTE_COUNT_SUBR(4);
10816 offset = dissect_smb_datetime(tvb, tree, offset,
10817 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
10821 /* last write time */
10822 CHECK_BYTE_COUNT_SUBR(4);
10823 offset = dissect_smb_datetime(tvb, tree, offset,
10824 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
10829 CHECK_BYTE_COUNT_SUBR(4);
10830 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10831 COUNT_BYTES_SUBR(4);
10833 /* allocation size */
10834 CHECK_BYTE_COUNT_SUBR(4);
10835 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10836 COUNT_BYTES_SUBR(4);
10838 /* File Attributes */
10839 CHECK_BYTE_COUNT_SUBR(2);
10840 offset = dissect_file_attributes(tvb, tree, offset, 2);
10844 CHECK_BYTE_COUNT_SUBR(4);
10845 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
10846 COUNT_BYTES_SUBR(4);
10852 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
10853 as described in 4.2.16.2
10856 dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10857 int offset, guint16 *bcp, gboolean *trunc)
10863 CHECK_BYTE_COUNT_SUBR(4);
10864 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
10865 COUNT_BYTES_SUBR(4);
10869 proto_tree *subtree;
10870 int start_offset = offset;
10873 item = proto_tree_add_text(
10874 tree, tvb, offset, 0, "Extended Attribute");
10875 subtree = proto_item_add_subtree(item, ett_smb_ea);
10879 CHECK_BYTE_COUNT_SUBR(1);
10880 proto_tree_add_item(
10881 subtree, hf_smb_ea_flags, tvb, offset, 1, TRUE);
10882 COUNT_BYTES_SUBR(1);
10884 /* EA name length */
10886 name_len = tvb_get_guint8(tvb, offset);
10888 CHECK_BYTE_COUNT_SUBR(1);
10889 proto_tree_add_item(
10890 subtree, hf_smb_ea_name_length, tvb, offset, 1, TRUE);
10891 COUNT_BYTES_SUBR(1);
10893 /* EA data length */
10895 data_len = tvb_get_letohs(tvb, offset);
10897 CHECK_BYTE_COUNT_SUBR(2);
10898 proto_tree_add_item(
10899 subtree, hf_smb_ea_data_length, tvb, offset, 2, TRUE);
10900 COUNT_BYTES_SUBR(2);
10904 name = tvb_get_string(tvb, offset, name_len);
10905 proto_item_append_text(item, ": %s", name);
10908 CHECK_BYTE_COUNT_SUBR(name_len + 1);
10909 proto_tree_add_item(
10910 subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
10912 COUNT_BYTES_SUBR(name_len + 1);
10916 CHECK_BYTE_COUNT_SUBR(data_len);
10917 proto_tree_add_item(
10918 subtree, hf_smb_ea_data, tvb, offset, data_len, TRUE);
10919 COUNT_BYTES_SUBR(data_len);
10921 proto_item_set_len(item, offset - start_offset);
10928 /* this dissects the SMB_INFO_IS_NAME_VALID
10929 as described in 4.2.16.3
10932 dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10933 int offset, guint16 *bcp, gboolean *trunc)
10935 smb_info_t *si = pinfo->private_data;
10940 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10941 CHECK_STRING_SUBR(fn);
10942 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10944 COUNT_BYTES_SUBR(fn_len);
10950 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
10951 as described in 4.2.16.4
10954 dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10955 int offset, guint16 *bcp, gboolean *trunc)
10958 CHECK_BYTE_COUNT_SUBR(8);
10959 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
10963 CHECK_BYTE_COUNT_SUBR(8);
10964 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
10967 /* last write time */
10968 CHECK_BYTE_COUNT_SUBR(8);
10969 offset = dissect_smb_64bit_time(tvb, tree, offset,
10970 hf_smb_last_write_time);
10973 /* last change time */
10974 CHECK_BYTE_COUNT_SUBR(8);
10975 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
10978 /* File Attributes */
10979 CHECK_BYTE_COUNT_SUBR(4);
10980 offset = dissect_file_attributes(tvb, tree, offset, 4);
10987 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
10988 as described in 4.2.16.5
10991 dissect_4_2_16_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10992 int offset, guint16 *bcp, gboolean *trunc)
10994 /* allocation size */
10995 CHECK_BYTE_COUNT_SUBR(8);
10996 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10997 COUNT_BYTES_SUBR(8);
11000 CHECK_BYTE_COUNT_SUBR(8);
11001 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11002 COUNT_BYTES_SUBR(8);
11004 /* number of links */
11005 CHECK_BYTE_COUNT_SUBR(4);
11006 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
11007 COUNT_BYTES_SUBR(4);
11009 /* delete pending */
11010 CHECK_BYTE_COUNT_SUBR(1);
11011 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
11012 COUNT_BYTES_SUBR(1);
11015 CHECK_BYTE_COUNT_SUBR(1);
11016 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
11017 COUNT_BYTES_SUBR(1);
11023 /* this dissects the SMB_QUERY_FILE_EA_INFO
11024 as described in 4.2.16.6
11027 dissect_4_2_16_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11028 int offset, guint16 *bcp, gboolean *trunc)
11031 CHECK_BYTE_COUNT_SUBR(4);
11032 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11033 COUNT_BYTES_SUBR(4);
11039 /* this dissects the SMB_QUERY_FILE_NAME_INFO
11040 as described in 4.2.16.7
11041 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
11042 as described in 4.2.16.9
11045 dissect_4_2_16_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11046 int offset, guint16 *bcp, gboolean *trunc)
11048 smb_info_t *si = pinfo->private_data;
11052 /* file name len */
11053 CHECK_BYTE_COUNT_SUBR(4);
11054 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
11055 COUNT_BYTES_SUBR(4);
11058 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11059 CHECK_STRING_SUBR(fn);
11060 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11062 COUNT_BYTES_SUBR(fn_len);
11068 /* this dissects the SMB_QUERY_FILE_ALL_INFO
11069 as described in 4.2.16.8
11072 dissect_4_2_16_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11073 int offset, guint16 *bcp, gboolean *trunc)
11076 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp, trunc);
11080 offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp, trunc);
11086 CHECK_BYTE_COUNT_SUBR(8);
11087 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
11088 COUNT_BYTES_SUBR(8);
11090 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
11095 CHECK_BYTE_COUNT_SUBR(4);
11096 offset = dissect_smb_access_mask(tvb, tree, offset);
11097 COUNT_BYTES_SUBR(4);
11100 CHECK_BYTE_COUNT_SUBR(8);
11101 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
11102 COUNT_BYTES_SUBR(8);
11104 /* current offset */
11105 CHECK_BYTE_COUNT_SUBR(8);
11106 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
11107 COUNT_BYTES_SUBR(8);
11110 CHECK_BYTE_COUNT_SUBR(4);
11111 offset = dissect_nt_create_options(tvb, tree, offset);
11115 CHECK_BYTE_COUNT_SUBR(4);
11116 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
11117 COUNT_BYTES_SUBR(4);
11119 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
11124 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
11125 as described in 4.2.16.10
11128 dissect_4_2_16_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11129 int offset, guint16 *bcp, gboolean *trunc)
11135 smb_info_t *si = pinfo->private_data;
11141 old_offset = offset;
11143 /* next entry offset */
11144 CHECK_BYTE_COUNT_SUBR(4);
11146 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
11147 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11153 neo = tvb_get_letohl(tvb, offset);
11154 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11155 COUNT_BYTES_SUBR(4);
11157 /* stream name len */
11158 CHECK_BYTE_COUNT_SUBR(4);
11159 fn_len = tvb_get_letohl(tvb, offset);
11160 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
11161 COUNT_BYTES_SUBR(4);
11164 CHECK_BYTE_COUNT_SUBR(8);
11165 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
11166 COUNT_BYTES_SUBR(8);
11168 /* allocation size */
11169 CHECK_BYTE_COUNT_SUBR(8);
11170 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11171 COUNT_BYTES_SUBR(8);
11174 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11175 CHECK_STRING_SUBR(fn);
11176 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
11178 COUNT_BYTES_SUBR(fn_len);
11180 proto_item_append_text(item, ": %s", fn);
11181 proto_item_set_len(item, offset-old_offset);
11184 break; /* no more structures */
11186 /* skip to next structure */
11187 padcnt = (old_offset + neo) - offset;
11190 * XXX - this is bogus; flag it?
11195 CHECK_BYTE_COUNT_SUBR(padcnt);
11196 COUNT_BYTES_SUBR(padcnt);
11204 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
11205 as described in 4.2.16.11
11208 dissect_4_2_16_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11209 int offset, guint16 *bcp, gboolean *trunc)
11211 /* compressed file size */
11212 CHECK_BYTE_COUNT_SUBR(8);
11213 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
11214 COUNT_BYTES_SUBR(8);
11216 /* compression format */
11217 CHECK_BYTE_COUNT_SUBR(2);
11218 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
11219 COUNT_BYTES_SUBR(2);
11221 /* compression unit shift */
11222 CHECK_BYTE_COUNT_SUBR(1);
11223 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
11224 COUNT_BYTES_SUBR(1);
11226 /* compression chunk shift */
11227 CHECK_BYTE_COUNT_SUBR(1);
11228 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
11229 COUNT_BYTES_SUBR(1);
11231 /* compression cluster shift */
11232 CHECK_BYTE_COUNT_SUBR(1);
11233 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
11234 COUNT_BYTES_SUBR(1);
11236 /* 3 reserved bytes */
11237 CHECK_BYTE_COUNT_SUBR(3);
11238 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
11239 COUNT_BYTES_SUBR(3);
11245 /* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
11247 static const value_string unix_file_type_vals[] = {
11249 { 1, "Directory" },
11250 { 2, "Symbolic link" },
11251 { 3, "Character device" },
11252 { 4, "Block device" },
11259 dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11260 int offset, guint16 *bcp, gboolean *trunc)
11262 /* End of file (file size) */
11263 CHECK_BYTE_COUNT_SUBR(8);
11264 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
11265 COUNT_BYTES_SUBR(8);
11267 /* Number of bytes */
11268 CHECK_BYTE_COUNT_SUBR(8);
11269 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
11270 COUNT_BYTES_SUBR(8);
11272 /* Last status change */
11273 CHECK_BYTE_COUNT_SUBR(8);
11274 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
11275 *bcp -= 8; /* dissect_smb_64bit_time() increments offset */
11277 /* Last access time */
11278 CHECK_BYTE_COUNT_SUBR(8);
11279 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
11282 /* Last modification time */
11283 CHECK_BYTE_COUNT_SUBR(8);
11284 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
11287 /* File owner uid */
11288 CHECK_BYTE_COUNT_SUBR(8);
11289 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
11290 COUNT_BYTES_SUBR(8);
11292 /* File group gid */
11293 CHECK_BYTE_COUNT_SUBR(8);
11294 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
11295 COUNT_BYTES_SUBR(8);
11298 CHECK_BYTE_COUNT_SUBR(4);
11299 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
11300 COUNT_BYTES_SUBR(4);
11302 /* Major device number */
11303 CHECK_BYTE_COUNT_SUBR(8);
11304 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
11305 COUNT_BYTES_SUBR(8);
11307 /* Minor device number */
11308 CHECK_BYTE_COUNT_SUBR(8);
11309 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
11310 COUNT_BYTES_SUBR(8);
11313 CHECK_BYTE_COUNT_SUBR(8);
11314 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
11315 COUNT_BYTES_SUBR(8);
11318 CHECK_BYTE_COUNT_SUBR(8);
11319 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
11320 COUNT_BYTES_SUBR(8);
11323 CHECK_BYTE_COUNT_SUBR(8);
11324 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
11325 COUNT_BYTES_SUBR(8);
11327 /* Sometimes there is one extra byte in the data field which I
11328 guess could be padding, but we are only using 4 or 8 byte
11329 data types so this is a bit confusing. -tpot */
11335 /* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
11338 dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11339 int offset, guint16 *bcp, gboolean *trunc)
11341 smb_info_t *si = pinfo->private_data;
11345 /* Link destination */
11347 fn = get_unicode_or_ascii_string(
11348 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11350 CHECK_STRING_SUBR(fn);
11351 proto_tree_add_string(
11352 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
11353 COUNT_BYTES_SUBR(fn_len);
11359 /* this dissects the SMB_SET_FILE_DISPOSITION_INFO
11360 as described in 4.2.19.2
11363 dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11364 int offset, guint16 *bcp, gboolean *trunc)
11366 /* marked for deletion? */
11367 CHECK_BYTE_COUNT_SUBR(1);
11368 proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, TRUE);
11369 COUNT_BYTES_SUBR(1);
11375 /* this dissects the SMB_SET_FILE_ALLOCATION_INFO
11376 as described in 4.2.19.3
11379 dissect_4_2_19_3(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11380 int offset, guint16 *bcp, gboolean *trunc)
11382 /* file allocation size */
11383 CHECK_BYTE_COUNT_SUBR(8);
11384 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11385 COUNT_BYTES_SUBR(8);
11391 /* this dissects the SMB_SET_FILE_END_OF_FILE_INFO
11392 as described in 4.2.19.4
11395 dissect_4_2_19_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11396 int offset, guint16 *bcp, gboolean *trunc)
11398 /* file end of file offset */
11399 CHECK_BYTE_COUNT_SUBR(8);
11400 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11401 COUNT_BYTES_SUBR(8);
11407 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
11408 TRANS2_QUERY_FILE_INFORMATION*/
11410 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
11411 int offset, guint16 *bcp)
11420 si = (smb_info_t *)pinfo->private_data;
11421 switch(si->info_level){
11422 case 1: /*Info Standard*/
11424 case 2: /*Info Query EA Size*/
11425 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
11428 case 3: /*Info Query EAs From List*/
11429 case 4: /*Info Query All EAs*/
11430 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
11433 case 6: /*Info Is Name Valid*/
11434 offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
11437 case 0x0101: /*Query File Basic Info*/
11438 case 1004: /* SMB_FILE_BASIC_INFORMATION */
11439 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
11442 case 0x0102: /*Query File Standard Info*/
11443 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
11444 offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp,
11447 case 0x0103: /*Query File EA Info*/
11448 case 1007: /* SMB_FILE_EA_INFORMATION */
11449 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp,
11452 case 0x0104: /*Query File Name Info*/
11453 case 1009: /* SMB_FILE_NAME_INFORMATION */
11454 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
11457 case 0x0107: /*Query File All Info*/
11458 case 1018: /* SMB_FILE_ALL_INFORMATION */
11459 offset = dissect_4_2_16_8(tvb, pinfo, tree, offset, bcp,
11462 case 0x0108: /*Query File Alt File Info*/
11463 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
11464 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
11467 case 1022: /* SMB_FILE_STREAM_INFORMATION */
11468 ((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
11469 case 0x0109: /*Query File Stream Info*/
11470 offset = dissect_4_2_16_10(tvb, pinfo, tree, offset, bcp,
11473 case 0x010b: /*Query File Compression Info*/
11474 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
11475 offset = dissect_4_2_16_11(tvb, pinfo, tree, offset, bcp,
11478 case 0x0200: /* Query File Unix Basic*/
11479 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
11482 case 0x0201: /* Query File Unix Link*/
11483 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11486 case 0x0202: /* Query File Unix HardLink*/
11487 /* XXX add this from the SNIA doc */
11494 /*dissect the data block for TRANS2_SET_PATH_INFORMATION and
11495 TRANS2_SET_FILE_INFORMATION*/
11497 dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
11498 int offset, guint16 *bcp)
11507 si = (smb_info_t *)pinfo->private_data;
11508 switch(si->info_level){
11509 case 1: /*Info Standard*/
11511 case 2: /*Info Query EA Size*/
11512 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
11515 case 4: /*Info Query All EAs*/
11516 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
11519 case 0x0101: /*Set File Basic Info*/
11520 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
11523 case 0x0102: /*Set File Disposition Info*/
11524 offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
11527 case 0x0103: /*Set File Allocation Info*/
11528 offset = dissect_4_2_19_3(tvb, pinfo, tree, offset, bcp,
11531 case 0x0104: /*Set End Of File Info*/
11532 offset = dissect_4_2_19_4(tvb, pinfo, tree, offset, bcp,
11535 case 0x0200: /*Set File Unix Basic. Same as query. */
11536 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
11539 case 0x0201: /*Set File Unix Link. Same as query. */
11540 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11543 case 0x0203: /*Set File Unix HardLink. Same as link query. */
11544 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11548 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
11563 /* XXX: TODO, extra levels discovered by tridge */
11571 static const true_false_string tfs_quota_flags_deny_disk = {
11572 "DENY DISK SPACE for users exceeding quota limit",
11573 "Do NOT deny disk space for users exceeding quota limit"
11575 static const true_false_string tfs_quota_flags_log_limit = {
11576 "LOG EVENT when a user exceeds their QUOTA LIMIT",
11577 "Do NOT log event when a user exceeds their quota limit"
11579 static const true_false_string tfs_quota_flags_log_warning = {
11580 "LOG EVENT when a user exceeds their WARNING LEVEL",
11581 "Do NOT log event when a user exceeds their warning level"
11583 static const true_false_string tfs_quota_flags_enabled = {
11584 "Quotas are ENABLED of this fs",
11585 "Quotas are NOT enabled on this fs"
11588 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11591 proto_item *item = NULL;
11592 proto_tree *tree = NULL;
11594 mask = tvb_get_guint8(tvb, offset);
11597 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
11598 "Quota Flags: 0x%02x %s", mask,
11599 mask?"Enabled":"Disabled");
11600 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
11603 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
11604 tvb, offset, 1, mask);
11605 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
11606 tvb, offset, 1, mask);
11607 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
11608 tvb, offset, 1, mask);
11610 if(mask && (!(mask&0x01))){
11611 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
11612 tvb, offset, 1, 0x01);
11614 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
11615 tvb, offset, 1, mask);
11621 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
11623 /* first 24 bytes are unknown */
11624 CHECK_BYTE_COUNT_TRANS_SUBR(24);
11625 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11627 COUNT_BYTES_TRANS_SUBR(24);
11629 /* number of bytes for quota warning */
11630 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11631 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
11632 COUNT_BYTES_TRANS_SUBR(8);
11634 /* number of bytes for quota limit */
11635 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11636 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
11637 COUNT_BYTES_TRANS_SUBR(8);
11639 /* one byte of quota flags */
11640 CHECK_BYTE_COUNT_TRANS_SUBR(1);
11641 dissect_quota_flags(tvb, tree, offset);
11642 COUNT_BYTES_TRANS_SUBR(1);
11644 /* these 7 bytes are unknown */
11645 CHECK_BYTE_COUNT_TRANS_SUBR(7);
11646 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11648 COUNT_BYTES_TRANS_SUBR(7);
11654 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
11655 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
11657 proto_item *item = NULL;
11658 proto_tree *tree = NULL;
11661 si = (smb_info_t *)pinfo->private_data;
11664 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11666 val_to_str(subcmd, trans2_cmd_vals,
11667 "Unknown (0x%02x)"));
11668 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11672 case 0x00: /*TRANS2_OPEN2*/
11673 /* XXX dont know how to decode FEAList */
11675 case 0x01: /*TRANS2_FIND_FIRST2*/
11676 /* XXX dont know how to decode FEAList */
11678 case 0x02: /*TRANS2_FIND_NEXT2*/
11679 /* XXX dont know how to decode FEAList */
11681 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11682 /* no data field in this request */
11684 case 0x04: /* TRANS2_SET_QUOTA */
11685 offset = dissect_nt_quota(tvb, tree, offset, &dc);
11687 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11688 /* no data field in this request */
11690 * XXX - "Microsoft Networks SMB File Sharing Protocol
11691 * Extensions Version 3.0, Document Version 1.11,
11692 * July 19, 1990" says there may be "Additional
11693 * FileInfoLevel dependent information" here.
11695 * Was that just a cut-and-pasteo?
11696 * TRANS2_SET_PATH_INFORMATION *does* have that information
11700 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11701 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
11703 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11704 /* no data field in this request */
11706 * XXX - "Microsoft Networks SMB File Sharing Protocol
11707 * Extensions Version 3.0, Document Version 1.11,
11708 * July 19, 1990" says there may be "Additional
11709 * FileInfoLevel dependent information" here.
11711 * Was that just a cut-and-pasteo?
11712 * TRANS2_SET_FILE_INFORMATION *does* have that information
11716 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11717 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
11719 case 0x09: /*TRANS2_FSCTL*/
11720 /*XXX dont know how to decode this yet */
11723 * XXX - "Microsoft Networks SMB File Sharing Protocol
11724 * Extensions Version 3.0, Document Version 1.11,
11725 * July 19, 1990" says this this contains a
11726 * "File system specific data block". (That means we
11727 * may not be able to dissect it in any case.)
11730 case 0x0a: /*TRANS2_IOCTL2*/
11731 /*XXX dont know how to decode this yet */
11734 * XXX - "Microsoft Networks SMB File Sharing Protocol
11735 * Extensions Version 3.0, Document Version 1.11,
11736 * July 19, 1990" says this this contains a
11737 * "Device/function specific data block". (That
11738 * means we may not be able to dissect it in any case.)
11741 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11742 /*XXX dont know how to decode this yet */
11745 * XXX - "Microsoft Networks SMB File Sharing Protocol
11746 * Extensions Version 3.0, Document Version 1.11,
11747 * July 19, 1990" says this this contains "additional
11748 * level dependent match data".
11751 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11752 /*XXX dont know how to decode this yet */
11755 * XXX - "Microsoft Networks SMB File Sharing Protocol
11756 * Extensions Version 3.0, Document Version 1.11,
11757 * July 19, 1990" says this this contains "additional
11758 * level dependent monitor information".
11761 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11762 /* XXX optional FEAList, unknown what FEAList looks like*/
11764 case 0x0e: /*TRANS2_SESSION_SETUP*/
11765 /*XXX dont know how to decode this yet */
11767 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11768 /* no data field in this request */
11770 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11771 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
11775 /* ooops there were data we didnt know how to process */
11777 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
11786 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
11794 * Show the setup words.
11796 if (s_tvb != NULL) {
11797 length = tvb_reported_length(s_tvb);
11798 for (i = 0, offset = 0; length >= 2;
11799 i++, offset += 2, length -= 2) {
11801 * XXX - add a setup word filterable field?
11803 proto_tree_add_text(tree, s_tvb, offset, 2,
11804 "Setup Word %d: 0x%04x", i,
11805 tvb_get_letohs(s_tvb, offset));
11810 * Show the parameters, if any.
11812 if (p_tvb != NULL) {
11813 length = tvb_reported_length(p_tvb);
11815 proto_tree_add_text(tree, p_tvb, 0, length,
11817 tvb_bytes_to_str(p_tvb, 0, length));
11822 * Show the data, if any.
11824 if (d_tvb != NULL) {
11825 length = tvb_reported_length(d_tvb);
11827 proto_tree_add_text(tree, d_tvb, 0, length,
11828 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
11833 /* This routine handles the following 4 calls
11835 Transaction Secondary 0x26
11837 Transaction2 Secondary 0x33
11840 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
11847 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
11851 const char *an = NULL;
11853 smb_transact2_info_t *t2i;
11854 smb_transact_info_t *tri;
11857 gboolean dissected_trans;
11859 si = (smb_info_t *)pinfo->private_data;
11864 /*secondary client request*/
11866 /* total param count, only a 16bit integer here*/
11867 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11870 /* total data count , only 16bit integer here*/
11871 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11875 pc = tvb_get_letohs(tvb, offset);
11876 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11880 po = tvb_get_letohs(tvb, offset);
11881 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11885 pd = tvb_get_letohs(tvb, offset);
11886 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11890 dc = tvb_get_letohs(tvb, offset);
11891 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11895 od = tvb_get_letohs(tvb, offset);
11896 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11900 dd = tvb_get_letohs(tvb, offset);
11901 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11904 if(si->cmd==SMB_COM_TRANSACTION2){
11908 fid = tvb_get_letohs(tvb, offset);
11909 add_fid(tvb, pinfo, tree, offset, 2, fid);
11914 /* There are no setup words. */
11919 /* it is not a secondary request */
11921 /* total param count , only a 16 bit integer here*/
11922 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11925 /* total data count , only 16bit integer here*/
11926 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11929 /* max param count , only 16bit integer here*/
11930 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11933 /* max data count, only 16bit integer here*/
11934 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11937 /* max setup count, only 16bit integer here*/
11938 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11941 /* reserved byte */
11942 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11945 /* transaction flags */
11946 tf = dissect_transaction_flags(tvb, tree, offset);
11950 to = tvb_get_letohl(tvb, offset);
11952 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
11953 else if (to == 0xffffffff)
11954 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
11956 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
11959 /* 2 reserved bytes */
11960 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11964 pc = tvb_get_letohs(tvb, offset);
11965 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11969 po = tvb_get_letohs(tvb, offset);
11970 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11973 /* param displacement is zero here */
11977 dc = tvb_get_letohs(tvb, offset);
11978 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11982 od = tvb_get_letohs(tvb, offset);
11983 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11986 /* data displacement is zero here */
11990 sc = tvb_get_guint8(tvb, offset);
11991 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11994 /* reserved byte */
11995 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11998 /* this is where the setup bytes, if any start */
12002 /* if there were any setup bytes, decode them */
12006 case SMB_COM_TRANSACTION2:
12007 /* TRANSACTION2 only has one setup word and
12008 that is the subcommand code.
12010 XXX - except for TRANS2_FSCTL
12011 and TRANS2_IOCTL. */
12012 subcmd = tvb_get_letohs(tvb, offset);
12013 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
12014 tvb, offset, 2, subcmd);
12015 if (check_col(pinfo->cinfo, COL_INFO)) {
12016 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
12017 val_to_str(subcmd, trans2_cmd_vals,
12018 "Unknown (0x%02x)"));
12021 if(!pinfo->fd->flags.visited){
12024 * smb_transact2_info_t
12027 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
12028 t2i->subcmd = subcmd;
12029 t2i->info_level = -1;
12030 t2i->resume_keys = FALSE;
12031 si->sip->extra_info = t2i;
12036 * XXX - process TRANS2_FSCTL and
12037 * TRANS2_IOCTL setup words here.
12041 case SMB_COM_TRANSACTION:
12042 /* TRANSACTION setup words processed below */
12053 /* primary request */
12054 /* name is NULL if transaction2 */
12055 if(si->cmd == SMB_COM_TRANSACTION){
12056 /* Transaction Name */
12057 an = get_unicode_or_ascii_string(tvb, &offset,
12058 si->unicode, &an_len, FALSE, FALSE, &bc);
12061 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
12062 offset, an_len, an);
12063 COUNT_BYTES(an_len);
12068 * The pipe or mailslot arguments for Transaction start with
12069 * the first setup word (or where the first setup word would
12070 * be if there were any setup words), and run to the current
12071 * offset (which could mean that there aren't any).
12074 spc = offset - spo;
12078 /* We have some initial padding bytes.
12080 padcnt = po-offset;
12083 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
12084 COUNT_BYTES(padcnt);
12087 CHECK_BYTE_COUNT(pc);
12090 case SMB_COM_TRANSACTION2:
12091 /* TRANSACTION2 parameters*/
12092 offset = dissect_transaction2_request_parameters(tvb,
12093 pinfo, tree, offset, subcmd, pc);
12097 case SMB_COM_TRANSACTION:
12098 /* TRANSACTION parameters processed below */
12106 /* We have some initial padding bytes.
12108 padcnt = od-offset;
12111 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
12112 COUNT_BYTES(padcnt);
12115 CHECK_BYTE_COUNT(dc);
12118 case SMB_COM_TRANSACTION2:
12119 /* TRANSACTION2 data*/
12120 offset = dissect_transaction2_request_data(tvb, pinfo,
12121 tree, offset, subcmd, dc);
12125 case SMB_COM_TRANSACTION:
12126 /* TRANSACTION data processed below */
12132 /*TRANSACTION request parameters */
12133 if(si->cmd==SMB_COM_TRANSACTION){
12134 /*XXX replace this block with a function and use that one
12135 for both requests/responses*/
12137 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
12138 tvbuff_t *sp_tvb, *pd_tvb;
12141 if(pc>tvb_length_remaining(tvb, po)){
12142 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
12144 p_tvb = tvb_new_subset(tvb, po, pc, pc);
12150 if(dc>tvb_length_remaining(tvb, od)){
12151 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
12153 d_tvb = tvb_new_subset(tvb, od, dc, dc);
12159 if(sl>tvb_length_remaining(tvb, so)){
12160 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
12162 s_tvb = tvb_new_subset(tvb, so, sl, sl);
12169 if(!pinfo->fd->flags.visited){
12171 * Allocate a new smb_transact_info_t
12174 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
12176 tri->trans_subcmd = -1;
12177 tri->function = -1;
12179 tri->lanman_cmd = 0;
12180 tri->param_descrip = NULL;
12181 tri->data_descrip = NULL;
12182 tri->aux_data_descrip = NULL;
12183 tri->info_level = -1;
12184 si->sip->extra_info = tri;
12187 * We already filled the structure
12188 * in; don't bother doing so again.
12194 * This is a unidirectional message, for
12195 * which there will be no reply; don't
12196 * bother allocating an "smb_transact_info_t"
12197 * structure for it.
12201 dissected_trans = FALSE;
12202 if(strncmp("\\PIPE\\", an, 6) == 0){
12204 tri->subcmd=TRANSACTION_PIPE;
12207 * A tvbuff containing the setup words and
12210 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
12213 * A tvbuff containing the parameters and the
12216 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
12218 dissected_trans = dissect_pipe_smb(sp_tvb,
12219 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
12222 /* In case we did not see the TreeConnect call,
12223 store this TID here as well as a IPC TID
12224 so we know that future Read/Writes to this
12225 TID is (probably) DCERPC.
12227 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
12228 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
12230 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
12231 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
12233 tri->subcmd=TRANSACTION_MAILSLOT;
12236 * A tvbuff containing the setup words and
12237 * the mailslot path.
12239 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
12240 dissected_trans = dissect_mailslot_smb(sp_tvb,
12241 s_tvb, d_tvb, an+10, pinfo, top_tree);
12243 if (!dissected_trans)
12244 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
12246 if(check_col(pinfo->cinfo, COL_INFO)){
12247 col_append_str(pinfo->cinfo, COL_INFO,
12248 "[transact continuation]");
12261 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12262 int offset, guint16 *bcp, gboolean *trunc)
12266 int old_offset = offset;
12267 proto_item *item = NULL;
12268 proto_tree *tree = NULL;
12270 smb_transact2_info_t *t2i;
12271 gboolean resume_keys = FALSE;
12273 si = (smb_info_t *)pinfo->private_data;
12274 if (si->sip != NULL) {
12275 t2i = si->sip->extra_info;
12277 resume_keys = t2i->resume_keys;
12281 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12282 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12283 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12288 CHECK_BYTE_COUNT_SUBR(4);
12289 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
12290 COUNT_BYTES_SUBR(4);
12294 CHECK_BYTE_COUNT_SUBR(4);
12295 offset = dissect_smb_datetime(tvb, tree, offset,
12296 hf_smb_create_time,
12297 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
12301 CHECK_BYTE_COUNT_SUBR(4);
12302 offset = dissect_smb_datetime(tvb, tree, offset,
12303 hf_smb_access_time,
12304 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
12307 /* last write time */
12308 CHECK_BYTE_COUNT_SUBR(4);
12309 offset = dissect_smb_datetime(tvb, tree, offset,
12310 hf_smb_last_write_time,
12311 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
12315 CHECK_BYTE_COUNT_SUBR(4);
12316 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
12317 COUNT_BYTES_SUBR(4);
12319 /* allocation size */
12320 CHECK_BYTE_COUNT_SUBR(4);
12321 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
12322 COUNT_BYTES_SUBR(4);
12324 /* File Attributes */
12325 CHECK_BYTE_COUNT_SUBR(2);
12326 offset = dissect_file_attributes(tvb, tree, offset, 2);
12329 /* file name len */
12330 CHECK_BYTE_COUNT_SUBR(1);
12331 fn_len = tvb_get_guint8(tvb, offset);
12332 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
12333 COUNT_BYTES_SUBR(1);
12335 fn_len += 2; /* include terminating '\0' */
12337 fn_len++; /* include terminating '\0' */
12340 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12341 CHECK_STRING_SUBR(fn);
12342 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12344 COUNT_BYTES_SUBR(fn_len);
12346 if (check_col(pinfo->cinfo, COL_INFO)) {
12347 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12351 proto_item_append_text(item, " File: %s", fn);
12352 proto_item_set_len(item, offset-old_offset);
12359 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12360 int offset, guint16 *bcp, gboolean *trunc)
12364 int old_offset = offset;
12365 proto_item *item = NULL;
12366 proto_tree *tree = NULL;
12368 smb_transact2_info_t *t2i;
12369 gboolean resume_keys = FALSE;
12371 si = (smb_info_t *)pinfo->private_data;
12372 if (si->sip != NULL) {
12373 t2i = si->sip->extra_info;
12375 resume_keys = t2i->resume_keys;
12379 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12380 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12381 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12386 CHECK_BYTE_COUNT_SUBR(4);
12387 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
12388 COUNT_BYTES_SUBR(4);
12392 CHECK_BYTE_COUNT_SUBR(4);
12393 offset = dissect_smb_datetime(tvb, tree, offset,
12394 hf_smb_create_time,
12395 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
12399 CHECK_BYTE_COUNT_SUBR(4);
12400 offset = dissect_smb_datetime(tvb, tree, offset,
12401 hf_smb_access_time,
12402 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
12405 /* last write time */
12406 CHECK_BYTE_COUNT_SUBR(4);
12407 offset = dissect_smb_datetime(tvb, tree, offset,
12408 hf_smb_last_write_time,
12409 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
12413 CHECK_BYTE_COUNT_SUBR(4);
12414 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
12415 COUNT_BYTES_SUBR(4);
12417 /* allocation size */
12418 CHECK_BYTE_COUNT_SUBR(4);
12419 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
12420 COUNT_BYTES_SUBR(4);
12422 /* File Attributes */
12423 CHECK_BYTE_COUNT_SUBR(2);
12424 offset = dissect_file_attributes(tvb, tree, offset, 2);
12428 CHECK_BYTE_COUNT_SUBR(4);
12429 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12430 COUNT_BYTES_SUBR(4);
12432 /* file name len */
12433 CHECK_BYTE_COUNT_SUBR(1);
12434 fn_len = tvb_get_guint8(tvb, offset);
12435 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
12436 COUNT_BYTES_SUBR(1);
12438 fn_len += 2; /* include terminating '\0' */
12440 fn_len++; /* include terminating '\0' */
12443 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12444 CHECK_STRING_SUBR(fn);
12445 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12447 COUNT_BYTES_SUBR(fn_len);
12449 if (check_col(pinfo->cinfo, COL_INFO)) {
12450 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12454 proto_item_append_text(item, " File: %s", fn);
12455 proto_item_set_len(item, offset-old_offset);
12462 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12463 int offset, guint16 *bcp, gboolean *trunc)
12467 int old_offset = offset;
12468 proto_item *item = NULL;
12469 proto_tree *tree = NULL;
12474 si = (smb_info_t *)pinfo->private_data;
12477 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12478 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12479 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12483 * We assume that the presence of a next entry offset implies the
12484 * absence of a resume key, as appears to be the case for 4.3.4.6.
12487 /* next entry offset */
12488 CHECK_BYTE_COUNT_SUBR(4);
12489 neo = tvb_get_letohl(tvb, offset);
12490 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12491 COUNT_BYTES_SUBR(4);
12494 CHECK_BYTE_COUNT_SUBR(4);
12495 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12496 COUNT_BYTES_SUBR(4);
12499 CHECK_BYTE_COUNT_SUBR(8);
12500 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12504 CHECK_BYTE_COUNT_SUBR(8);
12505 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12508 /* last write time */
12509 CHECK_BYTE_COUNT_SUBR(8);
12510 offset = dissect_smb_64bit_time(tvb, tree, offset,
12511 hf_smb_last_write_time);
12514 /* last change time */
12515 CHECK_BYTE_COUNT_SUBR(8);
12516 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12520 CHECK_BYTE_COUNT_SUBR(8);
12521 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12522 COUNT_BYTES_SUBR(8);
12524 /* allocation size */
12525 CHECK_BYTE_COUNT_SUBR(8);
12526 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12527 COUNT_BYTES_SUBR(8);
12529 /* Extended File Attributes */
12530 CHECK_BYTE_COUNT_SUBR(4);
12531 offset = dissect_file_ext_attr(tvb, tree, offset);
12534 /* file name len */
12535 CHECK_BYTE_COUNT_SUBR(4);
12536 fn_len = tvb_get_letohl(tvb, offset);
12537 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12538 COUNT_BYTES_SUBR(4);
12541 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12542 CHECK_STRING_SUBR(fn);
12543 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12545 COUNT_BYTES_SUBR(fn_len);
12547 if (check_col(pinfo->cinfo, COL_INFO)) {
12548 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12552 /* skip to next structure */
12554 padcnt = (old_offset + neo) - offset;
12557 * XXX - this is bogus; flag it?
12562 CHECK_BYTE_COUNT_SUBR(padcnt);
12563 COUNT_BYTES_SUBR(padcnt);
12567 proto_item_append_text(item, " File: %s", fn);
12568 proto_item_set_len(item, offset-old_offset);
12575 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12576 int offset, guint16 *bcp, gboolean *trunc)
12580 int old_offset = offset;
12581 proto_item *item = NULL;
12582 proto_tree *tree = NULL;
12587 si = (smb_info_t *)pinfo->private_data;
12590 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12591 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12592 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12596 * We assume that the presence of a next entry offset implies the
12597 * absence of a resume key, as appears to be the case for 4.3.4.6.
12600 /* next entry offset */
12601 CHECK_BYTE_COUNT_SUBR(4);
12602 neo = tvb_get_letohl(tvb, offset);
12603 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12604 COUNT_BYTES_SUBR(4);
12607 CHECK_BYTE_COUNT_SUBR(4);
12608 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12609 COUNT_BYTES_SUBR(4);
12612 CHECK_BYTE_COUNT_SUBR(8);
12613 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12617 CHECK_BYTE_COUNT_SUBR(8);
12618 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12621 /* last write time */
12622 CHECK_BYTE_COUNT_SUBR(8);
12623 offset = dissect_smb_64bit_time(tvb, tree, offset,
12624 hf_smb_last_write_time);
12627 /* last change time */
12628 CHECK_BYTE_COUNT_SUBR(8);
12629 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12633 CHECK_BYTE_COUNT_SUBR(8);
12634 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12635 COUNT_BYTES_SUBR(8);
12637 /* allocation size */
12638 CHECK_BYTE_COUNT_SUBR(8);
12639 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12640 COUNT_BYTES_SUBR(8);
12642 /* Extended File Attributes */
12643 CHECK_BYTE_COUNT_SUBR(4);
12644 offset = dissect_file_ext_attr(tvb, tree, offset);
12647 /* file name len */
12648 CHECK_BYTE_COUNT_SUBR(4);
12649 fn_len = tvb_get_letohl(tvb, offset);
12650 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12651 COUNT_BYTES_SUBR(4);
12654 CHECK_BYTE_COUNT_SUBR(4);
12655 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12656 COUNT_BYTES_SUBR(4);
12659 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12660 CHECK_STRING_SUBR(fn);
12661 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12663 COUNT_BYTES_SUBR(fn_len);
12665 if (check_col(pinfo->cinfo, COL_INFO)) {
12666 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12670 /* skip to next structure */
12672 padcnt = (old_offset + neo) - offset;
12675 * XXX - this is bogus; flag it?
12680 CHECK_BYTE_COUNT_SUBR(padcnt);
12681 COUNT_BYTES_SUBR(padcnt);
12685 proto_item_append_text(item, " File: %s", fn);
12686 proto_item_set_len(item, offset-old_offset);
12693 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12694 int offset, guint16 *bcp, gboolean *trunc)
12696 int fn_len, sfn_len;
12697 const char *fn, *sfn;
12698 int old_offset = offset;
12699 proto_item *item = NULL;
12700 proto_tree *tree = NULL;
12705 si = (smb_info_t *)pinfo->private_data;
12708 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12709 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12710 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12714 * XXX - I have not seen any of these that contain a resume
12715 * key, even though some of the requests had the "return resume
12719 /* next entry offset */
12720 CHECK_BYTE_COUNT_SUBR(4);
12721 neo = tvb_get_letohl(tvb, offset);
12722 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12723 COUNT_BYTES_SUBR(4);
12726 CHECK_BYTE_COUNT_SUBR(4);
12727 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12728 COUNT_BYTES_SUBR(4);
12731 CHECK_BYTE_COUNT_SUBR(8);
12732 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12736 CHECK_BYTE_COUNT_SUBR(8);
12737 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12740 /* last write time */
12741 CHECK_BYTE_COUNT_SUBR(8);
12742 offset = dissect_smb_64bit_time(tvb, tree, offset,
12743 hf_smb_last_write_time);
12746 /* last change time */
12747 CHECK_BYTE_COUNT_SUBR(8);
12748 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12752 CHECK_BYTE_COUNT_SUBR(8);
12753 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12754 COUNT_BYTES_SUBR(8);
12756 /* allocation size */
12757 CHECK_BYTE_COUNT_SUBR(8);
12758 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12759 COUNT_BYTES_SUBR(8);
12761 /* Extended File Attributes */
12762 CHECK_BYTE_COUNT_SUBR(4);
12763 offset = dissect_file_ext_attr(tvb, tree, offset);
12766 /* file name len */
12767 CHECK_BYTE_COUNT_SUBR(4);
12768 fn_len = tvb_get_letohl(tvb, offset);
12769 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12770 COUNT_BYTES_SUBR(4);
12775 * XXX - in one captures, this has the topmost bit set, and the
12776 * rest of the bits have the value 7. Is the topmost bit being
12777 * set some indication that the value *isn't* the length of
12780 CHECK_BYTE_COUNT_SUBR(4);
12781 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12782 COUNT_BYTES_SUBR(4);
12784 /* short file name len */
12785 CHECK_BYTE_COUNT_SUBR(1);
12786 sfn_len = tvb_get_guint8(tvb, offset);
12787 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
12788 COUNT_BYTES_SUBR(1);
12790 /* reserved byte */
12791 CHECK_BYTE_COUNT_SUBR(1);
12792 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12793 COUNT_BYTES_SUBR(1);
12795 /* short file name */
12796 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
12797 CHECK_STRING_SUBR(sfn);
12798 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
12800 COUNT_BYTES_SUBR(24);
12803 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12804 CHECK_STRING_SUBR(fn);
12805 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12807 COUNT_BYTES_SUBR(fn_len);
12809 if (check_col(pinfo->cinfo, COL_INFO)) {
12810 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12814 /* skip to next structure */
12816 padcnt = (old_offset + neo) - offset;
12819 * XXX - this is bogus; flag it?
12824 CHECK_BYTE_COUNT_SUBR(padcnt);
12825 COUNT_BYTES_SUBR(padcnt);
12829 proto_item_append_text(item, " File: %s", fn);
12830 proto_item_set_len(item, offset-old_offset);
12837 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12838 int offset, guint16 *bcp, gboolean *trunc)
12842 int old_offset = offset;
12843 proto_item *item = NULL;
12844 proto_tree *tree = NULL;
12849 si = (smb_info_t *)pinfo->private_data;
12852 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12853 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12854 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12858 * We assume that the presence of a next entry offset implies the
12859 * absence of a resume key, as appears to be the case for 4.3.4.6.
12862 /* next entry offset */
12863 CHECK_BYTE_COUNT_SUBR(4);
12864 neo = tvb_get_letohl(tvb, offset);
12865 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12866 COUNT_BYTES_SUBR(4);
12869 CHECK_BYTE_COUNT_SUBR(4);
12870 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12871 COUNT_BYTES_SUBR(4);
12873 /* file name len */
12874 CHECK_BYTE_COUNT_SUBR(4);
12875 fn_len = tvb_get_letohl(tvb, offset);
12876 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12877 COUNT_BYTES_SUBR(4);
12880 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12881 CHECK_STRING_SUBR(fn);
12882 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12884 COUNT_BYTES_SUBR(fn_len);
12886 if (check_col(pinfo->cinfo, COL_INFO)) {
12887 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12891 /* skip to next structure */
12893 padcnt = (old_offset + neo) - offset;
12896 * XXX - this is bogus; flag it?
12901 CHECK_BYTE_COUNT_SUBR(padcnt);
12902 COUNT_BYTES_SUBR(padcnt);
12906 proto_item_append_text(item, " File: %s", fn);
12907 proto_item_set_len(item, offset-old_offset);
12913 /* 4.3.4.8 - SMB_FIND_FILE_UNIX */
12916 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
12917 proto_tree *tree, int offset, guint16 *bcp,
12920 smb_info_t *si = pinfo->private_data;
12924 /* NextEntryOffset */
12925 CHECK_BYTE_COUNT_SUBR(4);
12926 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, TRUE);
12927 COUNT_BYTES_SUBR(4);
12930 CHECK_BYTE_COUNT_SUBR(4);
12931 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, TRUE);
12932 COUNT_BYTES_SUBR(4);
12934 /* End of file (file size) */
12935 CHECK_BYTE_COUNT_SUBR(8);
12936 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
12937 COUNT_BYTES_SUBR(8);
12939 /* Number of bytes */
12940 CHECK_BYTE_COUNT_SUBR(8);
12941 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
12942 COUNT_BYTES_SUBR(8);
12944 /* Last status change */
12945 CHECK_BYTE_COUNT_SUBR(8);
12946 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
12949 /* Last access time */
12950 CHECK_BYTE_COUNT_SUBR(8);
12951 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
12954 /* Last modification time */
12955 CHECK_BYTE_COUNT_SUBR(8);
12956 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
12959 /* File owner uid */
12960 CHECK_BYTE_COUNT_SUBR(8);
12961 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
12962 COUNT_BYTES_SUBR(8);
12964 /* File group gid */
12965 CHECK_BYTE_COUNT_SUBR(8);
12966 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
12967 COUNT_BYTES_SUBR(8);
12970 CHECK_BYTE_COUNT_SUBR(4);
12971 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
12972 COUNT_BYTES_SUBR(4);
12974 /* Major device number */
12975 CHECK_BYTE_COUNT_SUBR(8);
12976 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
12977 COUNT_BYTES_SUBR(8);
12979 /* Minor device number */
12980 CHECK_BYTE_COUNT_SUBR(8);
12981 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
12982 COUNT_BYTES_SUBR(8);
12985 CHECK_BYTE_COUNT_SUBR(8);
12986 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
12987 COUNT_BYTES_SUBR(8);
12990 CHECK_BYTE_COUNT_SUBR(8);
12991 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
12992 COUNT_BYTES_SUBR(8);
12995 CHECK_BYTE_COUNT_SUBR(8);
12996 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
12997 COUNT_BYTES_SUBR(8);
13001 fn = get_unicode_or_ascii_string(
13002 tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
13004 CHECK_STRING_SUBR(fn);
13005 proto_tree_add_string(
13006 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
13007 COUNT_BYTES_SUBR(fn_len);
13009 /* Pad to 4 bytes */
13012 offset += 4 - (offset % 4);
13018 /*dissect the data block for TRANS2_FIND_FIRST2*/
13020 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
13021 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
13029 si = (smb_info_t *)pinfo->private_data;
13030 switch(si->info_level){
13031 case 1: /*Info Standard*/
13032 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
13035 case 2: /*Info Query EA Size*/
13036 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
13039 case 3: /*Info Query EAs From List same as
13041 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
13044 case 0x0101: /*Find File Directory Info*/
13045 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
13048 case 0x0102: /*Find File Full Directory Info*/
13049 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
13052 case 0x0103: /*Find File Names Info*/
13053 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
13056 case 0x0104: /*Find File Both Directory Info*/
13057 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
13060 case 0x0202: /*Find File UNIX*/
13061 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
13064 default: /* unknown info level */
13073 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
13076 proto_item *item = NULL;
13077 proto_tree *tree = NULL;
13079 mask = tvb_get_letohl(tvb, offset);
13082 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
13083 "FS Attributes: 0x%08x", mask);
13084 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
13087 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
13088 tvb, offset, 4, mask);
13089 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
13090 tvb, offset, 4, mask);
13091 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
13092 tvb, offset, 4, mask);
13093 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
13094 tvb, offset, 4, mask);
13095 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
13096 tvb, offset, 4, mask);
13097 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
13098 tvb, offset, 4, mask);
13099 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
13100 tvb, offset, 4, mask);
13108 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
13111 proto_item *item = NULL;
13112 proto_tree *tree = NULL;
13114 mask = tvb_get_letohl(tvb, offset);
13117 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
13118 "Device Characteristics: 0x%08x", mask);
13119 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
13122 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
13123 tvb, offset, 4, mask);
13124 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
13125 tvb, offset, 4, mask);
13126 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
13127 tvb, offset, 4, mask);
13128 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
13129 tvb, offset, 4, mask);
13130 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
13131 tvb, offset, 4, mask);
13132 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
13133 tvb, offset, 4, mask);
13134 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
13135 tvb, offset, 4, mask);
13141 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
13143 static const true_false_string tfs_smb_mac_access_ctrl = {
13144 "Macintosh Access Control Supported",
13145 "Macintosh Access Control Not Supported"
13148 static const true_false_string tfs_smb_mac_getset_comments = {
13149 "Macintosh Get & Set Comments Supported",
13150 "Macintosh Get & Set Comments Not Supported"
13153 static const true_false_string tfs_smb_mac_desktopdb_calls = {
13154 "Macintosh Get & Set Desktop Database Info Supported",
13155 "Macintosh Get & Set Desktop Database Info Supported"
13158 static const true_false_string tfs_smb_mac_unique_ids = {
13159 "Macintosh Unique IDs Supported",
13160 "Macintosh Unique IDs Not Supported"
13163 static const true_false_string tfs_smb_mac_streams = {
13164 "Macintosh and Streams Extensions Not Supported",
13165 "Macintosh and Streams Extensions Supported"
13169 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
13170 int offset, guint16 *bcp)
13173 int fn_len, vll, fnl;
13176 proto_item *item = NULL;
13177 proto_tree *ti = NULL;
13183 si = (smb_info_t *)pinfo->private_data;
13184 switch(si->info_level){
13185 case 1: /* SMB_INFO_ALLOCATION */
13186 /* filesystem id */
13187 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13188 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
13189 COUNT_BYTES_TRANS_SUBR(4);
13191 /* sectors per unit */
13192 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13193 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
13194 COUNT_BYTES_TRANS_SUBR(4);
13197 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13198 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
13199 COUNT_BYTES_TRANS_SUBR(4);
13202 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13203 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
13204 COUNT_BYTES_TRANS_SUBR(4);
13206 /* bytes per sector, only 16bit integer here */
13207 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13208 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13209 COUNT_BYTES_TRANS_SUBR(2);
13212 case 2: /* SMB_INFO_VOLUME */
13213 /* volume serial number */
13214 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13215 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
13216 COUNT_BYTES_TRANS_SUBR(4);
13218 /* volume label length, only one byte here */
13219 CHECK_BYTE_COUNT_TRANS_SUBR(1);
13220 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
13221 COUNT_BYTES_TRANS_SUBR(1);
13224 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
13225 CHECK_STRING_TRANS_SUBR(fn);
13226 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
13228 COUNT_BYTES_TRANS_SUBR(fn_len);
13231 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
13232 case 1002: /* SMB_FS_LABEL_INFORMATION */
13233 /* volume label length */
13234 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13235 vll = tvb_get_letohl(tvb, offset);
13236 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
13237 COUNT_BYTES_TRANS_SUBR(4);
13241 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13242 CHECK_STRING_TRANS_SUBR(fn);
13243 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
13245 COUNT_BYTES_TRANS_SUBR(fn_len);
13248 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
13249 case 1001: /* SMB_FS_VOLUME_INFORMATION */
13251 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13252 offset = dissect_smb_64bit_time(tvb, tree, offset,
13253 hf_smb_create_time);
13256 /* volume serial number */
13257 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13258 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
13259 COUNT_BYTES_TRANS_SUBR(4);
13261 /* volume label length */
13262 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13263 vll = tvb_get_letohl(tvb, offset);
13264 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
13265 COUNT_BYTES_TRANS_SUBR(4);
13267 /* 2 reserved bytes */
13268 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13269 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
13270 COUNT_BYTES_TRANS_SUBR(2);
13274 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13275 CHECK_STRING_TRANS_SUBR(fn);
13276 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
13278 COUNT_BYTES_TRANS_SUBR(fn_len);
13281 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
13282 case 1003: /* SMB_FS_SIZE_INFORMATION */
13283 /* allocation size */
13284 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13285 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13286 COUNT_BYTES_TRANS_SUBR(8);
13288 /* free allocation units */
13289 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13290 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
13291 COUNT_BYTES_TRANS_SUBR(8);
13293 /* sectors per unit */
13294 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13295 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
13296 COUNT_BYTES_TRANS_SUBR(4);
13298 /* bytes per sector */
13299 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13300 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
13301 COUNT_BYTES_TRANS_SUBR(4);
13304 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
13305 case 1004: /* SMB_FS_DEVICE_INFORMATION */
13307 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13308 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
13309 COUNT_BYTES_TRANS_SUBR(4);
13311 /* device characteristics */
13312 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13313 offset = dissect_device_characteristics(tvb, tree, offset);
13317 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
13318 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
13319 /* FS attributes */
13320 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13321 offset = dissect_fs_attributes(tvb, tree, offset);
13325 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13326 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
13327 COUNT_BYTES_TRANS_SUBR(4);
13329 /* fs name length */
13330 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13331 fnl = tvb_get_letohl(tvb, offset);
13332 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
13333 COUNT_BYTES_TRANS_SUBR(4);
13337 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13338 CHECK_STRING_TRANS_SUBR(fn);
13339 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
13341 COUNT_BYTES_TRANS_SUBR(fn_len);
13344 case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
13345 proto_item *item = NULL;
13346 proto_tree *subtree = NULL;
13347 guint32 caps_lo, caps_hi;
13349 /* MajorVersionNumber */
13350 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13351 proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, TRUE);
13352 COUNT_BYTES_TRANS_SUBR(2);
13354 /* MinorVersionNumber */
13355 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13356 proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, TRUE);
13357 COUNT_BYTES_TRANS_SUBR(2);
13361 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13363 caps_lo = tvb_get_letohl(tvb, offset);
13364 caps_hi = tvb_get_letohl(tvb, offset + 4);
13367 item = proto_tree_add_text(
13368 tree, tvb, offset, 8, "Capabilities: 0x%08x%08x",
13370 subtree = proto_item_add_subtree(
13371 item, ett_smb_unix_capabilities);
13374 proto_tree_add_boolean(
13375 subtree, hf_smb_unix_capability_fcntl, tvb, offset, 8,
13378 proto_tree_add_boolean(
13379 subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 8,
13382 COUNT_BYTES_TRANS_SUBR(8);
13386 case 0x301: /* MAC_QUERY_FS_INFO */
13388 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13389 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
13392 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13393 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_modify_time);
13396 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13397 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_backup_time);
13399 /* Allocation blocks */
13400 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13401 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
13404 COUNT_BYTES_TRANS_SUBR(4);
13405 /* Allocation Block Size */
13406 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13407 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
13409 COUNT_BYTES_TRANS_SUBR(4);
13410 /* Free Block Count */
13411 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13412 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
13414 COUNT_BYTES_TRANS_SUBR(4);
13415 /* Finder Info ... */
13416 CHECK_BYTE_COUNT_TRANS_SUBR(32);
13417 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
13419 tvb_get_ptr(tvb, offset,32),
13421 tvb_format_text(tvb, offset, 32));
13422 COUNT_BYTES_TRANS_SUBR(32);
13424 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13425 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
13427 COUNT_BYTES_TRANS_SUBR(4);
13428 /* Number of Root Directories */
13429 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13430 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
13432 COUNT_BYTES_TRANS_SUBR(4);
13433 /* Number of files */
13434 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13435 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
13437 COUNT_BYTES_TRANS_SUBR(4);
13439 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13440 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
13442 COUNT_BYTES_TRANS_SUBR(4);
13443 /* Mac Support Flags */
13444 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13445 support = tvb_get_ntohl(tvb, offset);
13446 item = proto_tree_add_text(tree, tvb, offset, 4,
13447 "Mac Support Flags: 0x%08x", support);
13448 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
13449 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
13450 tvb, offset, 4, support);
13451 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
13452 tvb, offset, 4, support);
13453 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
13454 tvb, offset, 4, support);
13455 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
13456 tvb, offset, 4, support);
13457 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
13458 tvb, offset, 4, support);
13459 COUNT_BYTES_TRANS_SUBR(4);
13461 case 1006: /* QUERY_FS_QUOTA_INFO */
13462 offset = dissect_nt_quota(tvb, tree, offset, bcp);
13464 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
13465 /* allocation size */
13466 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13467 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13468 COUNT_BYTES_TRANS_SUBR(8);
13470 /* caller free allocation units */
13471 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13472 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
13473 COUNT_BYTES_TRANS_SUBR(8);
13475 /* actual free allocation units */
13476 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13477 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
13478 COUNT_BYTES_TRANS_SUBR(8);
13480 /* sectors per unit */
13481 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13482 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
13483 COUNT_BYTES_TRANS_SUBR(4);
13485 /* bytes per sector */
13486 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13487 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
13488 COUNT_BYTES_TRANS_SUBR(4);
13490 case 1008: /* Query Object ID is GUID plus unknown data */ {
13492 char uuid_str[DCERPC_UUID_STR_LEN];
13496 CHECK_BYTE_COUNT_TRANS_SUBR(16);
13498 dcerpc_tvb_get_uuid (tvb, offset, &drep, &fs_id);
13500 uuid_str_len = snprintf(
13501 uuid_str, DCERPC_UUID_STR_LEN,
13502 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
13503 fs_id.Data1, fs_id.Data2, fs_id.Data3,
13504 fs_id.Data4[0], fs_id.Data4[1],
13505 fs_id.Data4[2], fs_id.Data4[3],
13506 fs_id.Data4[4], fs_id.Data4[5],
13507 fs_id.Data4[6], fs_id.Data4[7]);
13509 proto_tree_add_string_format(
13510 tree, hf_smb_fs_guid, tvb,
13511 offset, 16, uuid_str, "GUID: %s", uuid_str);
13513 COUNT_BYTES_TRANS_SUBR(16);
13522 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
13523 proto_tree *parent_tree)
13525 proto_item *item = NULL;
13526 proto_tree *tree = NULL;
13528 smb_transact2_info_t *t2i;
13534 dc = tvb_reported_length(tvb);
13536 si = (smb_info_t *)pinfo->private_data;
13537 if (si->sip != NULL)
13538 t2i = si->sip->extra_info;
13543 if (t2i != NULL && t2i->subcmd != -1) {
13544 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
13546 val_to_str(t2i->subcmd, trans2_cmd_vals,
13547 "Unknown (0x%02x)"));
13548 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
13550 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
13551 "Unknown Transaction2 Data");
13559 switch(t2i->subcmd){
13560 case 0x00: /*TRANS2_OPEN2*/
13561 /* XXX not implemented yet. See SNIA doc */
13563 case 0x01: /*TRANS2_FIND_FIRST2*/
13564 /* returned data */
13565 count = si->info_count;
13567 if (count && check_col(pinfo->cinfo, COL_INFO)) {
13568 col_append_fstr(pinfo->cinfo, COL_INFO,
13573 offset = dissect_ff2_response_data(tvb, pinfo, tree,
13574 offset, &dc, &trunc);
13579 case 0x02: /*TRANS2_FIND_NEXT2*/
13580 /* returned data */
13581 count = si->info_count;
13583 if (count && check_col(pinfo->cinfo, COL_INFO)) {
13584 col_append_fstr(pinfo->cinfo, COL_INFO,
13589 offset = dissect_ff2_response_data(tvb, pinfo, tree,
13590 offset, &dc, &trunc);
13595 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13596 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
13598 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13599 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
13601 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13602 /* no data in this response */
13604 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13605 /* identical to QUERY_PATH_INFO */
13606 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
13608 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13609 /* no data in this response */
13611 case 0x09: /*TRANS2_FSCTL*/
13612 /* XXX dont know how to dissect this one (yet)*/
13615 * XXX - "Microsoft Networks SMB File Sharing Protocol
13616 * Extensions Version 3.0, Document Version 1.11,
13617 * July 19, 1990" says this this contains a
13618 * "File system specific return data block".
13619 * (That means we may not be able to dissect it in any
13623 case 0x0a: /*TRANS2_IOCTL2*/
13624 /* XXX dont know how to dissect this one (yet)*/
13627 * XXX - "Microsoft Networks SMB File Sharing Protocol
13628 * Extensions Version 3.0, Document Version 1.11,
13629 * July 19, 1990" says this this contains a
13630 * "Device/function specific return data block".
13631 * (That means we may not be able to dissect it in any
13635 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13636 /* XXX dont know how to dissect this one (yet)*/
13639 * XXX - "Microsoft Networks SMB File Sharing Protocol
13640 * Extensions Version 3.0, Document Version 1.11,
13641 * July 19, 1990" says this this contains "the level
13642 * dependent information about the changes which
13646 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13647 /* XXX dont know how to dissect this one (yet)*/
13650 * XXX - "Microsoft Networks SMB File Sharing Protocol
13651 * Extensions Version 3.0, Document Version 1.11,
13652 * July 19, 1990" says this this contains "the level
13653 * dependent information about the changes which
13657 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13658 /* no data in this response */
13660 case 0x0e: /*TRANS2_SESSION_SETUP*/
13661 /* XXX dont know how to dissect this one (yet)*/
13663 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13664 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
13666 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13667 /* the SNIA spec appears to say the response has no data */
13671 * We don't know what the matching request was; don't
13672 * bother putting anything else into the tree for the data.
13679 /* ooops there were data we didnt know how to process */
13681 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
13690 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
13692 proto_item *item = NULL;
13693 proto_tree *tree = NULL;
13695 smb_transact2_info_t *t2i;
13701 pc = tvb_reported_length(tvb);
13703 si = (smb_info_t *)pinfo->private_data;
13704 if (si->sip != NULL)
13705 t2i = si->sip->extra_info;
13710 if (t2i != NULL && t2i->subcmd != -1) {
13711 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13713 val_to_str(t2i->subcmd, trans2_cmd_vals,
13714 "Unknown (0x%02x)"));
13715 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
13717 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13718 "Unknown Transaction2 Parameters");
13726 switch(t2i->subcmd){
13727 case 0x00: /*TRANS2_OPEN2*/
13729 fid = tvb_get_letohs(tvb, offset);
13730 add_fid(tvb, pinfo, tree, offset, 2, fid);
13734 * XXX - Microsoft Networks SMB File Sharing Protocol
13735 * Extensions Version 3.0, Document Version 1.11,
13736 * July 19, 1990 says that the file attributes, create
13737 * time (which it says is the last modification time),
13738 * data size, granted access, file type, and IPC state
13739 * are returned only if bit 0 is set in the open flags,
13740 * and that the EA length is returned only if bit 3
13741 * is set in the open flags. Does that mean that,
13742 * at least in that SMB dialect, those fields are not
13743 * present in the reply parameters if the bits in
13744 * question aren't set?
13747 /* File Attributes */
13748 offset = dissect_file_attributes(tvb, tree, offset, 2);
13751 offset = dissect_smb_datetime(tvb, tree, offset,
13752 hf_smb_create_time,
13753 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
13756 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13759 /* granted access */
13760 offset = dissect_access(tvb, tree, offset, "Granted");
13763 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
13767 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
13770 offset = dissect_open_action(tvb, tree, offset);
13772 /* server unique file ID */
13773 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
13776 /* ea error offset, only a 16 bit integer here */
13777 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13781 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13785 case 0x01: /*TRANS2_FIND_FIRST2*/
13786 /* Find First2 information level */
13787 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
13790 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
13794 si->info_count = tvb_get_letohs(tvb, offset);
13795 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13798 /* end of search */
13799 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13802 /* ea error offset, only a 16 bit integer here */
13803 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13806 /* last name offset */
13807 lno = tvb_get_letohs(tvb, offset);
13808 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13812 case 0x02: /*TRANS2_FIND_NEXT2*/
13814 si->info_count = tvb_get_letohs(tvb, offset);
13815 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13818 /* end of search */
13819 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13822 /* ea_error_offset, only a 16 bit integer here*/
13823 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13826 /* last name offset */
13827 lno = tvb_get_letohs(tvb, offset);
13828 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13832 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13833 /* no parameter block here */
13835 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13836 /* ea_error_offset, only a 16 bit integer here*/
13837 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13841 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13842 /* ea_error_offset, only a 16 bit integer here*/
13843 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13847 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13848 /* ea_error_offset, only a 16 bit integer here*/
13849 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13853 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13854 /* ea_error_offset, only a 16 bit integer here*/
13855 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13859 case 0x09: /*TRANS2_FSCTL*/
13860 /* XXX dont know how to dissect this one (yet)*/
13863 * XXX - "Microsoft Networks SMB File Sharing Protocol
13864 * Extensions Version 3.0, Document Version 1.11,
13865 * July 19, 1990" says this this contains a
13866 * "File system specific return parameter block".
13867 * (That means we may not be able to dissect it in any
13871 case 0x0a: /*TRANS2_IOCTL2*/
13872 /* XXX dont know how to dissect this one (yet)*/
13875 * XXX - "Microsoft Networks SMB File Sharing Protocol
13876 * Extensions Version 3.0, Document Version 1.11,
13877 * July 19, 1990" says this this contains a
13878 * "Device/function specific return parameter block".
13879 * (That means we may not be able to dissect it in any
13883 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13884 /* Find Notify information level */
13885 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13887 /* Monitor handle */
13888 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13892 si->info_count = tvb_get_letohs(tvb, offset);
13893 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13896 /* ea_error_offset, only a 16 bit integer here*/
13897 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13901 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13902 /* Find Notify information level */
13903 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13906 si->info_count = tvb_get_letohs(tvb, offset);
13907 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13910 /* ea_error_offset, only a 16 bit integer here*/
13911 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13915 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13916 /* ea error offset, only a 16 bit integer here */
13917 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13921 case 0x0e: /*TRANS2_SESSION_SETUP*/
13922 /* XXX dont know how to dissect this one (yet)*/
13924 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13925 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13927 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13928 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13932 * We don't know what the matching request was; don't
13933 * bother putting anything else into the tree for the data.
13939 /* ooops there were data we didnt know how to process */
13941 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
13942 offset += pc-offset;
13948 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13951 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
13953 smb_transact2_info_t *t2i = NULL;
13956 gboolean dissected_trans;
13957 fragment_data *r_fd = NULL;
13958 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
13959 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
13960 gboolean save_fragmented;
13962 si = (smb_info_t *)pinfo->private_data;
13965 case SMB_COM_TRANSACTION2:
13967 if (si->sip != NULL) {
13968 t2i = si->sip->extra_info;
13973 * We didn't see the matching request, so we don't
13974 * know what type of transaction this is.
13976 proto_tree_add_text(tree, tvb, 0, 0,
13977 "Subcommand: <UNKNOWN> since request packet wasn't seen");
13978 if (check_col(pinfo->cinfo, COL_INFO)) {
13979 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13982 si->info_level = t2i->info_level;
13983 if (t2i->subcmd == -1) {
13985 * We didn't manage to extract the subcommand
13986 * from the matching request (perhaps because
13987 * the frame was short), so we don't know what
13988 * type of transaction this is.
13990 proto_tree_add_text(tree, tvb, 0, 0,
13991 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
13992 if (check_col(pinfo->cinfo, COL_INFO)) {
13993 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13996 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
13997 if (check_col(pinfo->cinfo, COL_INFO)) {
13998 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
13999 val_to_str(t2i->subcmd,
14001 "<unknown (0x%02x)>"));
14010 /* total param count, only a 16bit integer here */
14011 tp = tvb_get_letohs(tvb, offset);
14012 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
14015 /* total data count, only a 16 bit integer here */
14016 td = tvb_get_letohs(tvb, offset);
14017 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
14020 /* 2 reserved bytes */
14021 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
14025 pc = tvb_get_letohs(tvb, offset);
14026 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
14030 po = tvb_get_letohs(tvb, offset);
14031 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
14035 pd = tvb_get_letohs(tvb, offset);
14036 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
14040 dc = tvb_get_letohs(tvb, offset);
14041 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
14045 od = tvb_get_letohs(tvb, offset);
14046 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
14050 dd = tvb_get_letohs(tvb, offset);
14051 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
14055 sc = tvb_get_guint8(tvb, offset);
14056 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
14059 /* reserved byte */
14060 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
14064 /* if there were any setup bytes, put them in a tvb for later */
14066 if((2*sc)>tvb_length_remaining(tvb, offset)){
14067 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
14069 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
14071 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
14082 /* reassembly of SMB Transaction data payload.
14083 In this section we do reassembly of both the data and parameters
14084 blocks of the SMB transaction command.
14086 save_fragmented = pinfo->fragmented;
14087 /* do we need reassembly? */
14088 if( (td!=dc) || (tp!=pc) ){
14089 /* oh yeah, either data or parameter section needs
14092 pinfo->fragmented = TRUE;
14093 if(smb_trans_reassembly){
14094 /* ...and we were told to do reassembly */
14095 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
14096 r_fd = smb_trans_defragment(tree, pinfo, tvb,
14097 po, pc, pd, td+tp);
14100 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
14101 r_fd = smb_trans_defragment(tree, pinfo, tvb,
14102 od, dc, dd+tp, td+tp);
14107 /* if we got a reassembled fd structure from the reassembly routine we must
14108 create pd_tvb from it
14111 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
14113 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
14114 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
14115 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
14120 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
14122 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
14125 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
14128 /* It was not reassembled. Do as best as we can.
14129 * in this case we always try to dissect the stuff if
14130 * data and param displacement is 0. i.e. for the first
14131 * (and maybe only) packet.
14133 if( (pd==0) && (dd==0) ){
14136 min = MIN(pc,tvb_length_remaining(tvb,po));
14137 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
14138 if(min && reported_min) {
14139 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
14141 min = MIN(dc,tvb_length_remaining(tvb,od));
14142 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
14143 if(min && reported_min) {
14144 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
14147 * A tvbuff containing the parameters
14149 * XXX - check pc and dc as well?
14151 if (tvb_length_remaining(tvb, po)){
14152 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
14161 /* We have some padding bytes.
14163 padcnt = po-offset;
14166 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
14167 COUNT_BYTES(padcnt);
14169 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
14170 /* TRANSACTION2 parameters*/
14171 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
14178 /* We have some initial padding bytes.
14180 padcnt = od-offset;
14183 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
14184 COUNT_BYTES(padcnt);
14187 * If the data count is bigger than the count of bytes
14188 * remaining, clamp it so that the count of bytes remaining
14189 * doesn't go negative.
14197 /* from now on, everything is in separate tvbuffs so we dont count
14198 the bytes with COUNT_BYTES any more.
14199 neither do we reference offset any more (which by now points to the
14200 first byte AFTER this PDU */
14203 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
14204 /* TRANSACTION2 parameters*/
14205 dissect_transaction2_response_data(d_tvb, pinfo, tree);
14209 if(si->cmd==SMB_COM_TRANSACTION){
14210 smb_transact_info_t *tri;
14212 dissected_trans = FALSE;
14213 if (si->sip != NULL)
14214 tri = si->sip->extra_info;
14218 switch(tri->subcmd){
14220 case TRANSACTION_PIPE:
14221 /* This function is safe to call for
14222 s_tvb==sp_tvb==NULL, i.e. if we don't
14223 know them at this point.
14224 It's also safe to call if "p_tvb"
14225 or "d_tvb" are null.
14228 dissected_trans = dissect_pipe_smb(
14229 sp_tvb, s_tvb, pd_tvb, p_tvb,
14230 d_tvb, NULL, pinfo, top_tree);
14234 case TRANSACTION_MAILSLOT:
14235 /* This one should be safe to call
14236 even if s_tvb and sp_tvb is NULL
14239 dissected_trans = dissect_mailslot_smb(
14240 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
14246 if (!dissected_trans) {
14247 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
14248 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
14253 if( (p_tvb==0) && (d_tvb==0) ){
14254 if(check_col(pinfo->cinfo, COL_INFO)){
14255 col_append_str(pinfo->cinfo, COL_INFO,
14256 "[transact continuation]");
14260 pinfo->fragmented = save_fragmented;
14268 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
14275 /* Monitor handle */
14276 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
14286 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14287 END Transaction/Transaction2 Primary and secondary requests
14288 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
14292 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
14300 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
14307 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
14317 typedef struct _smb_function {
14318 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
14319 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
14322 static smb_function smb_dissector[256] = {
14323 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
14324 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
14325 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
14326 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
14327 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
14328 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
14329 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
14330 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
14331 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
14332 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
14333 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
14334 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
14335 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
14336 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
14337 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
14338 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
14340 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
14341 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
14342 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
14343 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
14344 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
14345 /* 0x15 */ {dissect_unknown, dissect_unknown},
14346 /* 0x16 */ {dissect_unknown, dissect_unknown},
14347 /* 0x17 */ {dissect_unknown, dissect_unknown},
14348 /* 0x18 */ {dissect_unknown, dissect_unknown},
14349 /* 0x19 */ {dissect_unknown, dissect_unknown},
14350 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
14351 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
14352 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
14353 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
14354 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
14355 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
14357 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
14358 /* 0x21 */ {dissect_unknown, dissect_unknown},
14359 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
14360 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
14361 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
14362 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
14363 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
14364 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
14365 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
14366 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
14367 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
14368 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
14369 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
14370 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
14371 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
14372 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
14374 /* 0x30 */ {dissect_unknown, dissect_unknown},
14375 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
14376 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
14377 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
14378 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
14379 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
14380 /* 0x36 */ {dissect_unknown, dissect_unknown},
14381 /* 0x37 */ {dissect_unknown, dissect_unknown},
14382 /* 0x38 */ {dissect_unknown, dissect_unknown},
14383 /* 0x39 */ {dissect_unknown, dissect_unknown},
14384 /* 0x3a */ {dissect_unknown, dissect_unknown},
14385 /* 0x3b */ {dissect_unknown, dissect_unknown},
14386 /* 0x3c */ {dissect_unknown, dissect_unknown},
14387 /* 0x3d */ {dissect_unknown, dissect_unknown},
14388 /* 0x3e */ {dissect_unknown, dissect_unknown},
14389 /* 0x3f */ {dissect_unknown, dissect_unknown},
14391 /* 0x40 */ {dissect_unknown, dissect_unknown},
14392 /* 0x41 */ {dissect_unknown, dissect_unknown},
14393 /* 0x42 */ {dissect_unknown, dissect_unknown},
14394 /* 0x43 */ {dissect_unknown, dissect_unknown},
14395 /* 0x44 */ {dissect_unknown, dissect_unknown},
14396 /* 0x45 */ {dissect_unknown, dissect_unknown},
14397 /* 0x46 */ {dissect_unknown, dissect_unknown},
14398 /* 0x47 */ {dissect_unknown, dissect_unknown},
14399 /* 0x48 */ {dissect_unknown, dissect_unknown},
14400 /* 0x49 */ {dissect_unknown, dissect_unknown},
14401 /* 0x4a */ {dissect_unknown, dissect_unknown},
14402 /* 0x4b */ {dissect_unknown, dissect_unknown},
14403 /* 0x4c */ {dissect_unknown, dissect_unknown},
14404 /* 0x4d */ {dissect_unknown, dissect_unknown},
14405 /* 0x4e */ {dissect_unknown, dissect_unknown},
14406 /* 0x4f */ {dissect_unknown, dissect_unknown},
14408 /* 0x50 */ {dissect_unknown, dissect_unknown},
14409 /* 0x51 */ {dissect_unknown, dissect_unknown},
14410 /* 0x52 */ {dissect_unknown, dissect_unknown},
14411 /* 0x53 */ {dissect_unknown, dissect_unknown},
14412 /* 0x54 */ {dissect_unknown, dissect_unknown},
14413 /* 0x55 */ {dissect_unknown, dissect_unknown},
14414 /* 0x56 */ {dissect_unknown, dissect_unknown},
14415 /* 0x57 */ {dissect_unknown, dissect_unknown},
14416 /* 0x58 */ {dissect_unknown, dissect_unknown},
14417 /* 0x59 */ {dissect_unknown, dissect_unknown},
14418 /* 0x5a */ {dissect_unknown, dissect_unknown},
14419 /* 0x5b */ {dissect_unknown, dissect_unknown},
14420 /* 0x5c */ {dissect_unknown, dissect_unknown},
14421 /* 0x5d */ {dissect_unknown, dissect_unknown},
14422 /* 0x5e */ {dissect_unknown, dissect_unknown},
14423 /* 0x5f */ {dissect_unknown, dissect_unknown},
14425 /* 0x60 */ {dissect_unknown, dissect_unknown},
14426 /* 0x61 */ {dissect_unknown, dissect_unknown},
14427 /* 0x62 */ {dissect_unknown, dissect_unknown},
14428 /* 0x63 */ {dissect_unknown, dissect_unknown},
14429 /* 0x64 */ {dissect_unknown, dissect_unknown},
14430 /* 0x65 */ {dissect_unknown, dissect_unknown},
14431 /* 0x66 */ {dissect_unknown, dissect_unknown},
14432 /* 0x67 */ {dissect_unknown, dissect_unknown},
14433 /* 0x68 */ {dissect_unknown, dissect_unknown},
14434 /* 0x69 */ {dissect_unknown, dissect_unknown},
14435 /* 0x6a */ {dissect_unknown, dissect_unknown},
14436 /* 0x6b */ {dissect_unknown, dissect_unknown},
14437 /* 0x6c */ {dissect_unknown, dissect_unknown},
14438 /* 0x6d */ {dissect_unknown, dissect_unknown},
14439 /* 0x6e */ {dissect_unknown, dissect_unknown},
14440 /* 0x6f */ {dissect_unknown, dissect_unknown},
14442 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
14443 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
14444 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
14445 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
14446 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
14447 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
14448 /* 0x76 */ {dissect_unknown, dissect_unknown},
14449 /* 0x77 */ {dissect_unknown, dissect_unknown},
14450 /* 0x78 */ {dissect_unknown, dissect_unknown},
14451 /* 0x79 */ {dissect_unknown, dissect_unknown},
14452 /* 0x7a */ {dissect_unknown, dissect_unknown},
14453 /* 0x7b */ {dissect_unknown, dissect_unknown},
14454 /* 0x7c */ {dissect_unknown, dissect_unknown},
14455 /* 0x7d */ {dissect_unknown, dissect_unknown},
14456 /* 0x7e */ {dissect_unknown, dissect_unknown},
14457 /* 0x7f */ {dissect_unknown, dissect_unknown},
14459 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
14460 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
14461 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
14462 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
14463 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
14464 /* 0x85 */ {dissect_unknown, dissect_unknown},
14465 /* 0x86 */ {dissect_unknown, dissect_unknown},
14466 /* 0x87 */ {dissect_unknown, dissect_unknown},
14467 /* 0x88 */ {dissect_unknown, dissect_unknown},
14468 /* 0x89 */ {dissect_unknown, dissect_unknown},
14469 /* 0x8a */ {dissect_unknown, dissect_unknown},
14470 /* 0x8b */ {dissect_unknown, dissect_unknown},
14471 /* 0x8c */ {dissect_unknown, dissect_unknown},
14472 /* 0x8d */ {dissect_unknown, dissect_unknown},
14473 /* 0x8e */ {dissect_unknown, dissect_unknown},
14474 /* 0x8f */ {dissect_unknown, dissect_unknown},
14476 /* 0x90 */ {dissect_unknown, dissect_unknown},
14477 /* 0x91 */ {dissect_unknown, dissect_unknown},
14478 /* 0x92 */ {dissect_unknown, dissect_unknown},
14479 /* 0x93 */ {dissect_unknown, dissect_unknown},
14480 /* 0x94 */ {dissect_unknown, dissect_unknown},
14481 /* 0x95 */ {dissect_unknown, dissect_unknown},
14482 /* 0x96 */ {dissect_unknown, dissect_unknown},
14483 /* 0x97 */ {dissect_unknown, dissect_unknown},
14484 /* 0x98 */ {dissect_unknown, dissect_unknown},
14485 /* 0x99 */ {dissect_unknown, dissect_unknown},
14486 /* 0x9a */ {dissect_unknown, dissect_unknown},
14487 /* 0x9b */ {dissect_unknown, dissect_unknown},
14488 /* 0x9c */ {dissect_unknown, dissect_unknown},
14489 /* 0x9d */ {dissect_unknown, dissect_unknown},
14490 /* 0x9e */ {dissect_unknown, dissect_unknown},
14491 /* 0x9f */ {dissect_unknown, dissect_unknown},
14493 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
14494 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
14495 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
14496 /* 0xa3 */ {dissect_unknown, dissect_unknown},
14497 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
14498 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
14499 /* 0xa6 */ {dissect_unknown, dissect_unknown},
14500 /* 0xa7 */ {dissect_unknown, dissect_unknown},
14501 /* 0xa8 */ {dissect_unknown, dissect_unknown},
14502 /* 0xa9 */ {dissect_unknown, dissect_unknown},
14503 /* 0xaa */ {dissect_unknown, dissect_unknown},
14504 /* 0xab */ {dissect_unknown, dissect_unknown},
14505 /* 0xac */ {dissect_unknown, dissect_unknown},
14506 /* 0xad */ {dissect_unknown, dissect_unknown},
14507 /* 0xae */ {dissect_unknown, dissect_unknown},
14508 /* 0xaf */ {dissect_unknown, dissect_unknown},
14510 /* 0xb0 */ {dissect_unknown, dissect_unknown},
14511 /* 0xb1 */ {dissect_unknown, dissect_unknown},
14512 /* 0xb2 */ {dissect_unknown, dissect_unknown},
14513 /* 0xb3 */ {dissect_unknown, dissect_unknown},
14514 /* 0xb4 */ {dissect_unknown, dissect_unknown},
14515 /* 0xb5 */ {dissect_unknown, dissect_unknown},
14516 /* 0xb6 */ {dissect_unknown, dissect_unknown},
14517 /* 0xb7 */ {dissect_unknown, dissect_unknown},
14518 /* 0xb8 */ {dissect_unknown, dissect_unknown},
14519 /* 0xb9 */ {dissect_unknown, dissect_unknown},
14520 /* 0xba */ {dissect_unknown, dissect_unknown},
14521 /* 0xbb */ {dissect_unknown, dissect_unknown},
14522 /* 0xbc */ {dissect_unknown, dissect_unknown},
14523 /* 0xbd */ {dissect_unknown, dissect_unknown},
14524 /* 0xbe */ {dissect_unknown, dissect_unknown},
14525 /* 0xbf */ {dissect_unknown, dissect_unknown},
14527 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
14528 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
14529 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
14530 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
14531 /* 0xc4 */ {dissect_unknown, dissect_unknown},
14532 /* 0xc5 */ {dissect_unknown, dissect_unknown},
14533 /* 0xc6 */ {dissect_unknown, dissect_unknown},
14534 /* 0xc7 */ {dissect_unknown, dissect_unknown},
14535 /* 0xc8 */ {dissect_unknown, dissect_unknown},
14536 /* 0xc9 */ {dissect_unknown, dissect_unknown},
14537 /* 0xca */ {dissect_unknown, dissect_unknown},
14538 /* 0xcb */ {dissect_unknown, dissect_unknown},
14539 /* 0xcc */ {dissect_unknown, dissect_unknown},
14540 /* 0xcd */ {dissect_unknown, dissect_unknown},
14541 /* 0xce */ {dissect_unknown, dissect_unknown},
14542 /* 0xcf */ {dissect_unknown, dissect_unknown},
14544 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
14545 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
14546 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
14547 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
14548 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
14549 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
14550 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
14551 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
14552 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
14553 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
14554 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
14555 /* 0xdb */ {dissect_unknown, dissect_unknown},
14556 /* 0xdc */ {dissect_unknown, dissect_unknown},
14557 /* 0xdd */ {dissect_unknown, dissect_unknown},
14558 /* 0xde */ {dissect_unknown, dissect_unknown},
14559 /* 0xdf */ {dissect_unknown, dissect_unknown},
14561 /* 0xe0 */ {dissect_unknown, dissect_unknown},
14562 /* 0xe1 */ {dissect_unknown, dissect_unknown},
14563 /* 0xe2 */ {dissect_unknown, dissect_unknown},
14564 /* 0xe3 */ {dissect_unknown, dissect_unknown},
14565 /* 0xe4 */ {dissect_unknown, dissect_unknown},
14566 /* 0xe5 */ {dissect_unknown, dissect_unknown},
14567 /* 0xe6 */ {dissect_unknown, dissect_unknown},
14568 /* 0xe7 */ {dissect_unknown, dissect_unknown},
14569 /* 0xe8 */ {dissect_unknown, dissect_unknown},
14570 /* 0xe9 */ {dissect_unknown, dissect_unknown},
14571 /* 0xea */ {dissect_unknown, dissect_unknown},
14572 /* 0xeb */ {dissect_unknown, dissect_unknown},
14573 /* 0xec */ {dissect_unknown, dissect_unknown},
14574 /* 0xed */ {dissect_unknown, dissect_unknown},
14575 /* 0xee */ {dissect_unknown, dissect_unknown},
14576 /* 0xef */ {dissect_unknown, dissect_unknown},
14578 /* 0xf0 */ {dissect_unknown, dissect_unknown},
14579 /* 0xf1 */ {dissect_unknown, dissect_unknown},
14580 /* 0xf2 */ {dissect_unknown, dissect_unknown},
14581 /* 0xf3 */ {dissect_unknown, dissect_unknown},
14582 /* 0xf4 */ {dissect_unknown, dissect_unknown},
14583 /* 0xf5 */ {dissect_unknown, dissect_unknown},
14584 /* 0xf6 */ {dissect_unknown, dissect_unknown},
14585 /* 0xf7 */ {dissect_unknown, dissect_unknown},
14586 /* 0xf8 */ {dissect_unknown, dissect_unknown},
14587 /* 0xf9 */ {dissect_unknown, dissect_unknown},
14588 /* 0xfa */ {dissect_unknown, dissect_unknown},
14589 /* 0xfb */ {dissect_unknown, dissect_unknown},
14590 /* 0xfc */ {dissect_unknown, dissect_unknown},
14591 /* 0xfd */ {dissect_unknown, dissect_unknown},
14592 /* 0xfe */ {dissect_unknown, dissect_unknown},
14593 /* 0xff */ {dissect_unknown, dissect_unknown},
14597 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
14601 si = pinfo->private_data;
14603 proto_item *cmd_item;
14604 proto_tree *cmd_tree;
14605 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
14607 if (check_col(pinfo->cinfo, COL_INFO)) {
14609 col_append_fstr(pinfo->cinfo, COL_INFO,
14611 decode_smb_name(cmd),
14612 (si->request)? "Request" : "Response");
14614 col_append_fstr(pinfo->cinfo, COL_INFO,
14616 decode_smb_name(cmd));
14621 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
14623 decode_smb_name(cmd),
14624 (si->request)?"Request":"Response",
14627 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
14629 dissector = (si->request)?
14630 smb_dissector[cmd].request:smb_dissector[cmd].response;
14632 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
14633 proto_item_set_end(cmd_item, tvb, offset);
14639 /* NOTE: this value_string array will also be used to access data directly by
14640 * index instead of val_to_str() since
14641 * 1, the array will always span every value from 0x00 to 0xff and
14642 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
14643 * This means that this value_string array MUST always
14644 * 1, contain all entries 0x00 to 0xff
14645 * 2, all entries must be in order.
14647 const value_string smb_cmd_vals[] = {
14648 { 0x00, "Create Directory" },
14649 { 0x01, "Delete Directory" },
14651 { 0x03, "Create" },
14654 { 0x06, "Delete" },
14655 { 0x07, "Rename" },
14656 { 0x08, "Query Information" },
14657 { 0x09, "Set Information" },
14660 { 0x0C, "Lock Byte Range" },
14661 { 0x0D, "Unlock Byte Range" },
14662 { 0x0E, "Create Temp" },
14663 { 0x0F, "Create New" },
14664 { 0x10, "Check Directory" },
14665 { 0x11, "Process Exit" },
14667 { 0x13, "Lock And Read" },
14668 { 0x14, "Write And Unlock" },
14669 { 0x15, "unknown-0x15" },
14670 { 0x16, "unknown-0x16" },
14671 { 0x17, "unknown-0x17" },
14672 { 0x18, "unknown-0x18" },
14673 { 0x19, "unknown-0x19" },
14674 { 0x1A, "Read Raw" },
14675 { 0x1B, "Read MPX" },
14676 { 0x1C, "Read MPX Secondary" },
14677 { 0x1D, "Write Raw" },
14678 { 0x1E, "Write MPX" },
14679 { 0x1F, "Write MPX Secondary" },
14680 { 0x20, "Write Complete" },
14681 { 0x21, "unknown-0x21" },
14682 { 0x22, "Set Information2" },
14683 { 0x23, "Query Information2" },
14684 { 0x24, "Locking AndX" },
14686 { 0x26, "Trans Secondary" },
14688 { 0x28, "IOCTL Secondary" },
14692 { 0x2C, "Write And Close" },
14693 { 0x2D, "Open AndX" },
14694 { 0x2E, "Read AndX" },
14695 { 0x2F, "Write AndX" },
14696 { 0x30, "unknown-0x30" },
14697 { 0x31, "Close And Tree Disconnect" },
14698 { 0x32, "Trans2" },
14699 { 0x33, "Trans2 Secondary" },
14700 { 0x34, "Find Close2" },
14701 { 0x35, "Find Notify Close" },
14702 { 0x36, "unknown-0x36" },
14703 { 0x37, "unknown-0x37" },
14704 { 0x38, "unknown-0x38" },
14705 { 0x39, "unknown-0x39" },
14706 { 0x3A, "unknown-0x3A" },
14707 { 0x3B, "unknown-0x3B" },
14708 { 0x3C, "unknown-0x3C" },
14709 { 0x3D, "unknown-0x3D" },
14710 { 0x3E, "unknown-0x3E" },
14711 { 0x3F, "unknown-0x3F" },
14712 { 0x40, "unknown-0x40" },
14713 { 0x41, "unknown-0x41" },
14714 { 0x42, "unknown-0x42" },
14715 { 0x43, "unknown-0x43" },
14716 { 0x44, "unknown-0x44" },
14717 { 0x45, "unknown-0x45" },
14718 { 0x46, "unknown-0x46" },
14719 { 0x47, "unknown-0x47" },
14720 { 0x48, "unknown-0x48" },
14721 { 0x49, "unknown-0x49" },
14722 { 0x4A, "unknown-0x4A" },
14723 { 0x4B, "unknown-0x4B" },
14724 { 0x4C, "unknown-0x4C" },
14725 { 0x4D, "unknown-0x4D" },
14726 { 0x4E, "unknown-0x4E" },
14727 { 0x4F, "unknown-0x4F" },
14728 { 0x50, "unknown-0x50" },
14729 { 0x51, "unknown-0x51" },
14730 { 0x52, "unknown-0x52" },
14731 { 0x53, "unknown-0x53" },
14732 { 0x54, "unknown-0x54" },
14733 { 0x55, "unknown-0x55" },
14734 { 0x56, "unknown-0x56" },
14735 { 0x57, "unknown-0x57" },
14736 { 0x58, "unknown-0x58" },
14737 { 0x59, "unknown-0x59" },
14738 { 0x5A, "unknown-0x5A" },
14739 { 0x5B, "unknown-0x5B" },
14740 { 0x5C, "unknown-0x5C" },
14741 { 0x5D, "unknown-0x5D" },
14742 { 0x5E, "unknown-0x5E" },
14743 { 0x5F, "unknown-0x5F" },
14744 { 0x60, "unknown-0x60" },
14745 { 0x61, "unknown-0x61" },
14746 { 0x62, "unknown-0x62" },
14747 { 0x63, "unknown-0x63" },
14748 { 0x64, "unknown-0x64" },
14749 { 0x65, "unknown-0x65" },
14750 { 0x66, "unknown-0x66" },
14751 { 0x67, "unknown-0x67" },
14752 { 0x68, "unknown-0x68" },
14753 { 0x69, "unknown-0x69" },
14754 { 0x6A, "unknown-0x6A" },
14755 { 0x6B, "unknown-0x6B" },
14756 { 0x6C, "unknown-0x6C" },
14757 { 0x6D, "unknown-0x6D" },
14758 { 0x6E, "unknown-0x6E" },
14759 { 0x6F, "unknown-0x6F" },
14760 { 0x70, "Tree Connect" },
14761 { 0x71, "Tree Disconnect" },
14762 { 0x72, "Negotiate Protocol" },
14763 { 0x73, "Session Setup AndX" },
14764 { 0x74, "Logoff AndX" },
14765 { 0x75, "Tree Connect AndX" },
14766 { 0x76, "unknown-0x76" },
14767 { 0x77, "unknown-0x77" },
14768 { 0x78, "unknown-0x78" },
14769 { 0x79, "unknown-0x79" },
14770 { 0x7A, "unknown-0x7A" },
14771 { 0x7B, "unknown-0x7B" },
14772 { 0x7C, "unknown-0x7C" },
14773 { 0x7D, "unknown-0x7D" },
14774 { 0x7E, "unknown-0x7E" },
14775 { 0x7F, "unknown-0x7F" },
14776 { 0x80, "Query Information Disk" },
14777 { 0x81, "Search" },
14779 { 0x83, "Find Unique" },
14780 { 0x84, "Find Close" },
14781 { 0x85, "unknown-0x85" },
14782 { 0x86, "unknown-0x86" },
14783 { 0x87, "unknown-0x87" },
14784 { 0x88, "unknown-0x88" },
14785 { 0x89, "unknown-0x89" },
14786 { 0x8A, "unknown-0x8A" },
14787 { 0x8B, "unknown-0x8B" },
14788 { 0x8C, "unknown-0x8C" },
14789 { 0x8D, "unknown-0x8D" },
14790 { 0x8E, "unknown-0x8E" },
14791 { 0x8F, "unknown-0x8F" },
14792 { 0x90, "unknown-0x90" },
14793 { 0x91, "unknown-0x91" },
14794 { 0x92, "unknown-0x92" },
14795 { 0x93, "unknown-0x93" },
14796 { 0x94, "unknown-0x94" },
14797 { 0x95, "unknown-0x95" },
14798 { 0x96, "unknown-0x96" },
14799 { 0x97, "unknown-0x97" },
14800 { 0x98, "unknown-0x98" },
14801 { 0x99, "unknown-0x99" },
14802 { 0x9A, "unknown-0x9A" },
14803 { 0x9B, "unknown-0x9B" },
14804 { 0x9C, "unknown-0x9C" },
14805 { 0x9D, "unknown-0x9D" },
14806 { 0x9E, "unknown-0x9E" },
14807 { 0x9F, "unknown-0x9F" },
14808 { 0xA0, "NT Trans" },
14809 { 0xA1, "NT Trans Secondary" },
14810 { 0xA2, "NT Create AndX" },
14811 { 0xA3, "unknown-0xA3" },
14812 { 0xA4, "NT Cancel" },
14813 { 0xA5, "NT Rename" },
14814 { 0xA6, "unknown-0xA6" },
14815 { 0xA7, "unknown-0xA7" },
14816 { 0xA8, "unknown-0xA8" },
14817 { 0xA9, "unknown-0xA9" },
14818 { 0xAA, "unknown-0xAA" },
14819 { 0xAB, "unknown-0xAB" },
14820 { 0xAC, "unknown-0xAC" },
14821 { 0xAD, "unknown-0xAD" },
14822 { 0xAE, "unknown-0xAE" },
14823 { 0xAF, "unknown-0xAF" },
14824 { 0xB0, "unknown-0xB0" },
14825 { 0xB1, "unknown-0xB1" },
14826 { 0xB2, "unknown-0xB2" },
14827 { 0xB3, "unknown-0xB3" },
14828 { 0xB4, "unknown-0xB4" },
14829 { 0xB5, "unknown-0xB5" },
14830 { 0xB6, "unknown-0xB6" },
14831 { 0xB7, "unknown-0xB7" },
14832 { 0xB8, "unknown-0xB8" },
14833 { 0xB9, "unknown-0xB9" },
14834 { 0xBA, "unknown-0xBA" },
14835 { 0xBB, "unknown-0xBB" },
14836 { 0xBC, "unknown-0xBC" },
14837 { 0xBD, "unknown-0xBD" },
14838 { 0xBE, "unknown-0xBE" },
14839 { 0xBF, "unknown-0xBF" },
14840 { 0xC0, "Open Print File" },
14841 { 0xC1, "Write Print File" },
14842 { 0xC2, "Close Print File" },
14843 { 0xC3, "Get Print Queue" },
14844 { 0xC4, "unknown-0xC4" },
14845 { 0xC5, "unknown-0xC5" },
14846 { 0xC6, "unknown-0xC6" },
14847 { 0xC7, "unknown-0xC7" },
14848 { 0xC8, "unknown-0xC8" },
14849 { 0xC9, "unknown-0xC9" },
14850 { 0xCA, "unknown-0xCA" },
14851 { 0xCB, "unknown-0xCB" },
14852 { 0xCC, "unknown-0xCC" },
14853 { 0xCD, "unknown-0xCD" },
14854 { 0xCE, "unknown-0xCE" },
14855 { 0xCF, "unknown-0xCF" },
14856 { 0xD0, "Send Single Block Message" },
14857 { 0xD1, "Send Broadcast Message" },
14858 { 0xD2, "Forward User Name" },
14859 { 0xD3, "Cancel Forward" },
14860 { 0xD4, "Get Machine Name" },
14861 { 0xD5, "Send Start of Multi-block Message" },
14862 { 0xD6, "Send End of Multi-block Message" },
14863 { 0xD7, "Send Text of Multi-block Message" },
14864 { 0xD8, "SMBreadbulk" },
14865 { 0xD9, "SMBwritebulk" },
14866 { 0xDA, "SMBwritebulkdata" },
14867 { 0xDB, "unknown-0xDB" },
14868 { 0xDC, "unknown-0xDC" },
14869 { 0xDD, "unknown-0xDD" },
14870 { 0xDE, "unknown-0xDE" },
14871 { 0xDF, "unknown-0xDF" },
14872 { 0xE0, "unknown-0xE0" },
14873 { 0xE1, "unknown-0xE1" },
14874 { 0xE2, "unknown-0xE2" },
14875 { 0xE3, "unknown-0xE3" },
14876 { 0xE4, "unknown-0xE4" },
14877 { 0xE5, "unknown-0xE5" },
14878 { 0xE6, "unknown-0xE6" },
14879 { 0xE7, "unknown-0xE7" },
14880 { 0xE8, "unknown-0xE8" },
14881 { 0xE9, "unknown-0xE9" },
14882 { 0xEA, "unknown-0xEA" },
14883 { 0xEB, "unknown-0xEB" },
14884 { 0xEC, "unknown-0xEC" },
14885 { 0xED, "unknown-0xED" },
14886 { 0xEE, "unknown-0xEE" },
14887 { 0xEF, "unknown-0xEF" },
14888 { 0xF0, "unknown-0xF0" },
14889 { 0xF1, "unknown-0xF1" },
14890 { 0xF2, "unknown-0xF2" },
14891 { 0xF3, "unknown-0xF3" },
14892 { 0xF4, "unknown-0xF4" },
14893 { 0xF5, "unknown-0xF5" },
14894 { 0xF6, "unknown-0xF6" },
14895 { 0xF7, "unknown-0xF7" },
14896 { 0xF8, "unknown-0xF8" },
14897 { 0xF9, "unknown-0xF9" },
14898 { 0xFA, "unknown-0xFA" },
14899 { 0xFB, "unknown-0xFB" },
14900 { 0xFC, "unknown-0xFC" },
14901 { 0xFD, "unknown-0xFD" },
14902 { 0xFE, "SMBinvalid" },
14903 { 0xFF, "unknown-0xFF" },
14907 static char *decode_smb_name(unsigned char cmd)
14909 return(smb_cmd_vals[cmd].strptr);
14914 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14915 * Everything TVBUFFIFIED above this line
14916 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
14920 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
14922 conv_tables_t *ct = ctarg;
14925 g_hash_table_destroy(ct->unmatched);
14927 g_hash_table_destroy(ct->matched);
14928 if (ct->tid_service)
14929 g_hash_table_destroy(ct->tid_service);
14933 smb_init_protocol(void)
14935 if (smb_saved_info_key_chunk)
14936 g_mem_chunk_destroy(smb_saved_info_key_chunk);
14937 if (smb_saved_info_chunk)
14938 g_mem_chunk_destroy(smb_saved_info_chunk);
14939 if (smb_nt_transact_info_chunk)
14940 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
14941 if (smb_transact2_info_chunk)
14942 g_mem_chunk_destroy(smb_transact2_info_chunk);
14943 if (smb_transact_info_chunk)
14944 g_mem_chunk_destroy(smb_transact_info_chunk);
14947 * Free the hash tables attached to the conversation table
14948 * structures, and then free the list of conversation table
14949 * data structures (which doesn't free the data structures
14950 * themselves; that's done by destroying the chunk from
14951 * which they were allocated).
14954 g_slist_foreach(conv_tables, free_hash_tables, NULL);
14955 g_slist_free(conv_tables);
14956 conv_tables = NULL;
14960 * Now destroy the chunk from which the conversation table
14961 * structures were allocated.
14963 if (conv_tables_chunk)
14964 g_mem_chunk_destroy(conv_tables_chunk);
14966 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
14967 sizeof(smb_saved_info_t),
14968 smb_saved_info_init_count * sizeof(smb_saved_info_t),
14970 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
14971 sizeof(smb_saved_info_key_t),
14972 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
14974 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
14975 sizeof(smb_nt_transact_info_t),
14976 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
14978 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
14979 sizeof(smb_transact2_info_t),
14980 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
14982 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
14983 sizeof(smb_transact_info_t),
14984 smb_transact_info_init_count * sizeof(smb_transact_info_t),
14986 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
14987 sizeof(conv_tables_t),
14988 conv_tables_count * sizeof(conv_tables_t),
14992 static const value_string errcls_types[] = {
14993 { SMB_SUCCESS, "Success"},
14994 { SMB_ERRDOS, "DOS Error"},
14995 { SMB_ERRSRV, "Server Error"},
14996 { SMB_ERRHRD, "Hardware Error"},
14997 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
15001 const value_string DOS_errors[] = {
15003 {SMBE_insufficientbuffer, "Insufficient buffer"},
15004 {SMBE_badfunc, "Invalid function (or system call)"},
15005 {SMBE_badfile, "File not found (pathname error)"},
15006 {SMBE_badpath, "Directory not found"},
15007 {SMBE_nofids, "Too many open files"},
15008 {SMBE_noaccess, "Access denied"},
15009 {SMBE_badfid, "Invalid fid"},
15010 {SMBE_nomem, "Out of memory"},
15011 {SMBE_badmem, "Invalid memory block address"},
15012 {SMBE_badenv, "Invalid environment"},
15013 {SMBE_badaccess, "Invalid open mode"},
15014 {SMBE_baddata, "Invalid data (only from ioctl call)"},
15015 {SMBE_res, "Reserved error code?"},
15016 {SMBE_baddrive, "Invalid drive"},
15017 {SMBE_remcd, "Attempt to delete current directory"},
15018 {SMBE_diffdevice, "Rename/move across different filesystems"},
15019 {SMBE_nofiles, "No more files found in file search"},
15020 {SMBE_badshare, "Share mode on file conflict with open mode"},
15021 {SMBE_lock, "Lock request conflicts with existing lock"},
15022 {SMBE_unsup, "Request unsupported, returned by Win 95"},
15023 {SMBE_nosuchshare, "Requested share does not exist"},
15024 {SMBE_filexists, "File in operation already exists"},
15025 {SMBE_cannotopen, "Cannot open the file specified"},
15026 {SMBE_unknownlevel, "Unknown info level"},
15027 {SMBE_invalidname, "Invalid name"},
15028 {SMBE_badpipe, "Named pipe invalid"},
15029 {SMBE_pipebusy, "All instances of pipe are busy"},
15030 {SMBE_pipeclosing, "Named pipe close in progress"},
15031 {SMBE_notconnected, "No process on other end of named pipe"},
15032 {SMBE_moredata, "More data to be returned"},
15033 {SMBE_baddirectory, "Invalid directory name in a path."},
15034 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
15035 {SMBE_eas_nsup, "Extended attributes not supported"},
15036 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
15037 {SMBE_unknownipc, "Unknown IPC Operation"},
15038 {SMBE_noipc, "Don't support ipc"},
15039 {SMBE_alreadyexists, "File already exists"},
15040 {SMBE_unknownprinterdriver, "Unknown printer driver"},
15041 {SMBE_invalidprintername, "Invalid printer name"},
15042 {SMBE_printeralreadyexists, "Printer already exists"},
15043 {SMBE_invaliddatatype, "Invalid data type"},
15044 {SMBE_invalidenvironment, "Invalid environment"},
15045 {SMBE_printerdriverinuse, "Printer driver in use"},
15046 {SMBE_invalidparam, "Invalid parameter"},
15047 {SMBE_invalidformsize, "Invalid form size"},
15048 {SMBE_invalidsecuritydescriptor, "Invalid security descriptor"},
15049 {SMBE_invalidowner, "Invalid owner"},
15050 {SMBE_nomoreitems, "No more items"},
15051 {SMBE_serverunavailable, "Server unavailable"},
15055 /* Error codes for the ERRSRV class */
15057 static const value_string SRV_errors[] = {
15058 {SMBE_error, "Non specific error code"},
15059 {SMBE_badpw, "Bad password"},
15060 {SMBE_badtype, "Reserved"},
15061 {SMBE_access, "No permissions to perform the requested operation"},
15062 {SMBE_invnid, "TID invalid"},
15063 {SMBE_invnetname, "Invalid network name. Service not found"},
15064 {SMBE_invdevice, "Invalid device"},
15065 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
15066 {SMBE_qfull, "Print queue full"},
15067 {SMBE_qtoobig, "Queued item too big"},
15068 {SMBE_qeof, "EOF on print queue dump"},
15069 {SMBE_invpfid, "Invalid print file in smb_fid"},
15070 {SMBE_smbcmd, "Unrecognised command"},
15071 {SMBE_srverror, "SMB server internal error"},
15072 {SMBE_filespecs, "Fid and pathname invalid combination"},
15073 {SMBE_badlink, "Bad link in request ???"},
15074 {SMBE_badpermits, "Access specified for a file is not valid"},
15075 {SMBE_badpid, "Bad process id in request"},
15076 {SMBE_setattrmode, "Attribute mode invalid"},
15077 {SMBE_paused, "Message server paused"},
15078 {SMBE_msgoff, "Not receiving messages"},
15079 {SMBE_noroom, "No room for message"},
15080 {SMBE_rmuns, "Too many remote usernames"},
15081 {SMBE_timeout, "Operation timed out"},
15082 {SMBE_noresource, "No resources currently available for request."},
15083 {SMBE_toomanyuids, "Too many userids"},
15084 {SMBE_baduid, "Bad userid"},
15085 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
15086 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
15087 {SMBE_contMPX, "Resume MPX mode"},
15088 {SMBE_badPW, "Bad Password???"},
15089 {SMBE_nosupport, "Operation not supported"},
15093 /* Error codes for the ERRHRD class */
15095 static const value_string HRD_errors[] = {
15096 {SMBE_nowrite, "Read only media"},
15097 {SMBE_badunit, "Unknown device"},
15098 {SMBE_notready, "Drive not ready"},
15099 {SMBE_badcmd, "Unknown command"},
15100 {SMBE_data, "Data (CRC) error"},
15101 {SMBE_badreq, "Bad request structure length"},
15102 {SMBE_seek, "Seek error"},
15103 {SMBE_badmedia, "Unknown media type"},
15104 {SMBE_badsector, "Sector not found"},
15105 {SMBE_nopaper, "Printer out of paper"},
15106 {SMBE_write, "Write fault"},
15107 {SMBE_read, "Read fault"},
15108 {SMBE_general, "General failure"},
15109 {SMBE_badshare, "A open conflicts with an existing open"},
15110 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
15111 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
15112 {SMBE_FCBunavail, "No FCBs are available to process request"},
15113 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
15114 {SMBE_diskfull, "Disk full???"},
15118 static char *decode_smb_error(guint8 errcls, guint16 errcode)
15125 return("No Error"); /* No error ??? */
15130 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
15135 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
15140 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
15145 return("Unknown error class!");
15152 /* These are the MS country codes from
15154 http://www.unicode.org/unicode/onlinedat/countries.html
15156 For countries that share the same number, I choose to use only the
15157 name of the largest country. Apologies for this. If this offends you,
15158 here is the table to change that.
15160 This also includes the code of 0 for "Default", which isn't in
15161 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
15162 header file. Presumably it means "don't override the setting
15163 on the user's machine".
15165 Future versions of Microsoft's "winnls.h" header file might include
15166 additional codes; the current version matches the Unicode Consortium's
15169 const value_string ms_country_codes[] = {
15175 { 27, "South Africa"},
15177 { 31, "Netherlands"},
15184 { 41, "Switzerland"},
15186 { 44, "United Kingdom"},
15194 { 54, "Argentina"},
15198 { 58, "Venezuela"},
15200 { 61, "Australia"},
15201 { 62, "Indonesia"},
15202 { 63, "Philippines"},
15203 { 64, "New Zealand"},
15204 { 65, "Singapore"},
15207 { 82, "South Korea"},
15219 {298, "Faroe Islands"},
15221 {352, "Luxembourg"},
15227 {370, "Lithuania"},
15236 {389, "Macedonia"},
15237 {420, "Czech Republic"},
15238 {421, "Slovak Republic"},
15240 {502, "Guatemala"},
15241 {503, "El Salvador"},
15243 {505, "Nicaragua"},
15244 {506, "Costa Rica"},
15250 {673, "Brunei Darussalam"},
15251 {852, "Hong Kong"},
15260 {966, "Saudi Arabia"},
15263 {971, "United Arab Emirates"},
15269 {994, "Azerbaijan"},
15271 {996, "Kyrgyzstan"},
15281 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
15283 const value_string NT_errors[] = {
15284 { 0x00000000, "STATUS_SUCCESS" },
15285 { 0x00000000, "STATUS_WAIT_0" },
15286 { 0x00000001, "STATUS_WAIT_1" },
15287 { 0x00000002, "STATUS_WAIT_2" },
15288 { 0x00000003, "STATUS_WAIT_3" },
15289 { 0x0000003F, "STATUS_WAIT_63" },
15290 { 0x00000080, "STATUS_ABANDONED" },
15291 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
15292 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
15293 { 0x000000C0, "STATUS_USER_APC" },
15294 { 0x00000100, "STATUS_KERNEL_APC" },
15295 { 0x00000101, "STATUS_ALERTED" },
15296 { 0x00000102, "STATUS_TIMEOUT" },
15297 { 0x00000103, "STATUS_PENDING" },
15298 { 0x00000104, "STATUS_REPARSE" },
15299 { 0x00000105, "STATUS_MORE_ENTRIES" },
15300 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
15301 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
15302 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
15303 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
15304 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
15305 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
15306 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
15307 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
15308 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
15309 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
15310 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
15311 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
15312 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
15313 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
15314 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
15315 { 0x00000116, "STATUS_CRASH_DUMP" },
15316 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
15317 { 0x00000118, "STATUS_REPARSE_OBJECT" },
15318 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
15319 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
15320 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
15321 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
15322 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
15323 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
15324 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
15325 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
15326 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
15327 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
15328 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
15329 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
15330 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
15331 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
15332 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
15333 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
15334 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
15335 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
15336 { 0x40000012, "STATUS_EVENT_DONE" },
15337 { 0x40000013, "STATUS_EVENT_PENDING" },
15338 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
15339 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
15340 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
15341 { 0x40000017, "STATUS_WAS_UNLOCKED" },
15342 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
15343 { 0x40000019, "STATUS_WAS_LOCKED" },
15344 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
15345 { 0x4000001B, "STATUS_ALREADY_WIN32" },
15346 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
15347 { 0x4000001D, "STATUS_WX86_CONTINUE" },
15348 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
15349 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
15350 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
15351 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
15352 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
15353 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
15354 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
15355 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
15356 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
15357 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
15358 { 0x80000003, "STATUS_BREAKPOINT" },
15359 { 0x80000004, "STATUS_SINGLE_STEP" },
15360 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
15361 { 0x80000006, "STATUS_NO_MORE_FILES" },
15362 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
15363 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
15364 { 0x8000000B, "STATUS_NO_INHERITANCE" },
15365 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
15366 { 0x8000000D, "STATUS_PARTIAL_COPY" },
15367 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
15368 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
15369 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
15370 { 0x80000011, "STATUS_DEVICE_BUSY" },
15371 { 0x80000012, "STATUS_NO_MORE_EAS" },
15372 { 0x80000013, "STATUS_INVALID_EA_NAME" },
15373 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
15374 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
15375 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
15376 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
15377 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
15378 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
15379 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
15380 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
15381 { 0x8000001D, "STATUS_BUS_RESET" },
15382 { 0x8000001E, "STATUS_END_OF_MEDIA" },
15383 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
15384 { 0x80000020, "STATUS_MEDIA_CHECK" },
15385 { 0x80000021, "STATUS_SETMARK_DETECTED" },
15386 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
15387 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
15388 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
15389 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
15390 { 0x80000026, "STATUS_LONGJUMP" },
15391 { 0x80040111, "MAPI_E_LOGON_FAILED" },
15392 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
15393 { 0x80090301, "SEC_E_INVALID_HANDLE" },
15394 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
15395 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
15396 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
15397 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
15398 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
15399 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
15400 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
15401 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
15402 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
15403 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
15404 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
15405 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
15406 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
15407 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
15408 { 0xC0000008, "STATUS_INVALID_HANDLE" },
15409 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
15410 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
15411 { 0xC000000B, "STATUS_INVALID_CID" },
15412 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
15413 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
15414 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
15415 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
15416 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
15417 { 0xC0000011, "STATUS_END_OF_FILE" },
15418 { 0xC0000012, "STATUS_WRONG_VOLUME" },
15419 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
15420 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
15421 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
15422 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
15423 { 0xC0000017, "STATUS_NO_MEMORY" },
15424 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
15425 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
15426 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
15427 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
15428 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
15429 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
15430 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
15431 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
15432 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
15433 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
15434 { 0xC0000022, "STATUS_ACCESS_DENIED" },
15435 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
15436 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
15437 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
15438 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
15439 { 0xC0000027, "STATUS_UNWIND" },
15440 { 0xC0000028, "STATUS_BAD_STACK" },
15441 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
15442 { 0xC000002A, "STATUS_NOT_LOCKED" },
15443 { 0xC000002B, "STATUS_PARITY_ERROR" },
15444 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
15445 { 0xC000002D, "STATUS_NOT_COMMITTED" },
15446 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
15447 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
15448 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
15449 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
15450 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
15451 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
15452 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
15453 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
15454 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
15455 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
15456 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
15457 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
15458 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
15459 { 0xC000003C, "STATUS_DATA_OVERRUN" },
15460 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
15461 { 0xC000003E, "STATUS_DATA_ERROR" },
15462 { 0xC000003F, "STATUS_CRC_ERROR" },
15463 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
15464 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
15465 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
15466 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
15467 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
15468 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
15469 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
15470 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
15471 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
15472 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
15473 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
15474 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
15475 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
15476 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
15477 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
15478 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
15479 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
15480 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
15481 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
15482 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
15483 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
15484 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
15485 { 0xC0000056, "STATUS_DELETE_PENDING" },
15486 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
15487 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
15488 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
15489 { 0xC000005A, "STATUS_INVALID_OWNER" },
15490 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
15491 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
15492 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
15493 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
15494 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
15495 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
15496 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
15497 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
15498 { 0xC0000063, "STATUS_USER_EXISTS" },
15499 { 0xC0000064, "STATUS_NO_SUCH_USER" },
15500 { 0xC0000065, "STATUS_GROUP_EXISTS" },
15501 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
15502 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
15503 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
15504 { 0xC0000069, "STATUS_LAST_ADMIN" },
15505 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
15506 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
15507 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
15508 { 0xC000006D, "STATUS_LOGON_FAILURE" },
15509 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
15510 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
15511 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
15512 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
15513 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
15514 { 0xC0000073, "STATUS_NONE_MAPPED" },
15515 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
15516 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
15517 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
15518 { 0xC0000077, "STATUS_INVALID_ACL" },
15519 { 0xC0000078, "STATUS_INVALID_SID" },
15520 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
15521 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
15522 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
15523 { 0xC000007C, "STATUS_NO_TOKEN" },
15524 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
15525 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
15526 { 0xC000007F, "STATUS_DISK_FULL" },
15527 { 0xC0000080, "STATUS_SERVER_DISABLED" },
15528 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
15529 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
15530 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
15531 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
15532 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
15533 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
15534 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
15535 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
15536 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
15537 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
15538 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
15539 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
15540 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
15541 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
15542 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
15543 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
15544 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
15545 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
15546 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
15547 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
15548 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
15549 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
15550 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
15551 { 0xC0000098, "STATUS_FILE_INVALID" },
15552 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
15553 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
15554 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
15555 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
15556 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
15557 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
15558 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
15559 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
15560 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
15561 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
15562 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
15563 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
15564 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
15565 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
15566 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
15567 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
15568 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
15569 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
15570 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
15571 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
15572 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
15573 { 0xC00000AE, "STATUS_PIPE_BUSY" },
15574 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
15575 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
15576 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
15577 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
15578 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
15579 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
15580 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
15581 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
15582 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
15583 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
15584 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
15585 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
15586 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
15587 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
15588 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
15589 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
15590 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
15591 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
15592 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
15593 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
15594 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
15595 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
15596 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
15597 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
15598 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
15599 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
15600 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
15601 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
15602 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
15603 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
15604 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
15605 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
15606 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
15607 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
15608 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
15609 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
15610 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
15611 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
15612 { 0xC00000D5, "STATUS_FILE_RENAMED" },
15613 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
15614 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
15615 { 0xC00000D8, "STATUS_CANT_WAIT" },
15616 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
15617 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
15618 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
15619 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
15620 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
15621 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
15622 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
15623 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
15624 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
15625 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
15626 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
15627 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
15628 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
15629 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
15630 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
15631 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
15632 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
15633 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
15634 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
15635 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
15636 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
15637 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
15638 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
15639 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
15640 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
15641 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
15642 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
15643 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
15644 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
15645 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
15646 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
15647 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
15648 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
15649 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
15650 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
15651 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
15652 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
15653 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
15654 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
15655 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
15656 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
15657 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
15658 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
15659 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
15660 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
15661 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
15662 { 0xC0000107, "STATUS_FILES_OPEN" },
15663 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
15664 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
15665 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
15666 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
15667 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
15668 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
15669 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
15670 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
15671 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
15672 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
15673 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
15674 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
15675 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
15676 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
15677 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
15678 { 0xC0000117, "STATUS_NO_LDT" },
15679 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
15680 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
15681 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
15682 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
15683 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
15684 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
15685 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
15686 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
15687 { 0xC0000120, "STATUS_CANCELLED" },
15688 { 0xC0000121, "STATUS_CANNOT_DELETE" },
15689 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
15690 { 0xC0000123, "STATUS_FILE_DELETED" },
15691 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
15692 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
15693 { 0xC0000126, "STATUS_SPECIAL_USER" },
15694 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
15695 { 0xC0000128, "STATUS_FILE_CLOSED" },
15696 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
15697 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
15698 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
15699 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
15700 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
15701 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
15702 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
15703 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
15704 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
15705 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
15706 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
15707 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
15708 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
15709 { 0xC0000136, "STATUS_OPEN_FAILED" },
15710 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
15711 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
15712 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
15713 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
15714 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
15715 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
15716 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
15717 { 0xC000013E, "STATUS_LINK_FAILED" },
15718 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
15719 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
15720 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
15721 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
15722 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
15723 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
15724 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
15725 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
15726 { 0xC0000147, "STATUS_NO_PAGEFILE" },
15727 { 0xC0000148, "STATUS_INVALID_LEVEL" },
15728 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
15729 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
15730 { 0xC000014B, "STATUS_PIPE_BROKEN" },
15731 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
15732 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
15733 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
15734 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
15735 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
15736 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
15737 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
15738 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
15739 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
15740 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
15741 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
15742 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
15743 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
15744 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
15745 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
15746 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
15747 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
15748 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
15749 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
15750 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
15751 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
15752 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
15753 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
15754 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
15755 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
15756 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
15757 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
15758 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
15759 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
15760 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
15761 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
15762 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
15763 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
15764 { 0xC000016D, "STATUS_FT_ORPHANING" },
15765 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
15766 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
15767 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
15768 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
15769 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
15770 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
15771 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
15772 { 0xC0000178, "STATUS_NO_MEDIA" },
15773 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
15774 { 0xC000017B, "STATUS_INVALID_MEMBER" },
15775 { 0xC000017C, "STATUS_KEY_DELETED" },
15776 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
15777 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
15778 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
15779 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
15780 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
15781 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
15782 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
15783 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
15784 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
15785 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
15786 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
15787 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
15788 { 0xC0000189, "STATUS_TOO_LATE" },
15789 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
15790 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
15791 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
15792 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
15793 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
15794 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
15795 { 0xC0000190, "STATUS_TRUST_FAILURE" },
15796 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
15797 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
15798 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
15799 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
15800 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
15801 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
15802 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
15803 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
15804 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
15805 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
15806 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
15807 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
15808 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
15809 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
15810 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
15811 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
15812 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
15813 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
15814 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
15815 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
15816 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
15817 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
15818 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
15819 { 0xC000020D, "STATUS_CONNECTION_RESET" },
15820 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
15821 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
15822 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
15823 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
15824 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
15825 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
15826 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
15827 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
15828 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
15829 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
15830 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
15831 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
15832 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
15833 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
15834 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
15835 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
15836 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
15837 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
15838 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
15839 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
15840 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
15841 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
15842 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
15843 { 0xC0000225, "STATUS_NOT_FOUND" },
15844 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
15845 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
15846 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
15847 { 0xC0000229, "STATUS_FAIL_CHECK" },
15848 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
15849 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
15850 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
15851 { 0xC000022D, "STATUS_RETRY" },
15852 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
15853 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
15854 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
15855 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
15856 { 0xC0000232, "STATUS_INVALID_VARIANT" },
15857 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
15858 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
15859 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
15860 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
15861 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
15862 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
15863 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
15864 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
15865 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
15866 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
15867 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
15868 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
15869 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
15870 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
15871 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
15872 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
15873 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
15874 { 0xC0000244, "STATUS_AUDIT_FAILED" },
15875 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
15876 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
15877 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
15878 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
15879 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
15880 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
15881 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
15882 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
15883 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
15884 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
15885 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
15886 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
15887 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
15888 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
15889 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
15890 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
15891 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
15892 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
15893 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
15894 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
15895 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
15896 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
15897 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
15898 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
15899 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
15900 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
15901 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
15902 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
15903 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
15904 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
15905 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
15906 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
15907 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
15908 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
15909 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
15910 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
15911 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
15912 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
15913 { 0xC0000272, "STATUS_NO_MATCH" },
15914 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
15915 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
15916 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
15917 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
15918 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
15919 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
15920 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
15921 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
15922 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
15923 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
15924 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
15925 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
15926 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
15927 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
15928 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
15929 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
15930 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
15931 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
15932 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
15933 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
15934 { 0xC000028E, "STATUS_NO_EFS" },
15935 { 0xC000028F, "STATUS_WRONG_EFS" },
15936 { 0xC0000290, "STATUS_NO_USER_KEYS" },
15937 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
15938 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
15939 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
15940 { 0x40000294, "STATUS_WAKE_SYSTEM" },
15941 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
15942 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
15943 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
15944 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
15945 { 0xC0000299, "STATUS_SHARED_POLICY" },
15946 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
15947 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
15948 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
15949 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
15950 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
15951 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
15952 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
15953 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
15954 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
15955 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
15956 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
15957 { 0xC00002A5, "STATUS_DS_BUSY" },
15958 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
15959 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
15960 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
15961 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
15962 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
15963 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
15964 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
15965 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
15966 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
15967 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
15968 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
15969 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
15970 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
15971 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
15972 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
15973 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
15974 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
15975 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
15976 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
15977 { 0xC00002B9, "STATUS_NOINTERFACE" },
15978 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
15979 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
15980 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
15981 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
15982 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
15983 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
15984 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
15985 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
15986 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
15987 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
15988 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
15989 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
15990 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
15991 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
15992 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
15993 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
15994 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
15995 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
15996 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
15997 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
15998 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
15999 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
16000 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
16001 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
16002 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
16003 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
16004 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
16005 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
16006 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
16007 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
16008 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
16009 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
16010 { 0xC00002E1, "STATUS_DS_CANT_START" },
16011 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
16012 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
16013 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
16014 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
16015 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
16016 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
16017 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
16018 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
16019 { 0xC0009898, "STATUS_WOW_ASSERTION" },
16020 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
16021 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
16022 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
16023 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
16024 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
16025 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
16026 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
16027 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
16028 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
16029 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
16030 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
16031 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
16032 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
16033 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
16034 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
16035 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
16036 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
16037 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
16038 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
16039 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
16040 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
16041 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
16042 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
16043 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
16044 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
16045 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
16046 { 0xC002001B, "RPC_NT_CALL_FAILED" },
16047 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
16048 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
16049 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
16050 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
16051 { 0xC0020022, "RPC_NT_INVALID_TAG" },
16052 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
16053 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
16054 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
16055 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
16056 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
16057 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
16058 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
16059 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
16060 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
16061 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
16062 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
16063 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
16064 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
16065 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
16066 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
16067 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
16068 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
16069 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
16070 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
16071 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
16072 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
16073 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
16074 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
16075 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
16076 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
16077 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
16078 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
16079 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
16080 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
16081 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
16082 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
16083 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
16084 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
16085 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
16086 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
16087 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
16088 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
16089 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
16090 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
16091 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
16092 { 0xC002100A, "RPC_P_SEND_FAILED" },
16093 { 0xC002100B, "RPC_P_TIMEOUT" },
16094 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
16095 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
16096 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
16097 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
16098 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
16099 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
16100 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
16101 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
16102 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
16103 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
16104 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
16105 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
16106 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
16107 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
16108 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
16109 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
16110 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
16111 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
16112 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
16113 { 0xC002004C, "EPT_NT_CANT_CREATE" },
16114 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
16115 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
16116 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
16117 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
16118 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
16119 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
16120 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
16121 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
16122 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
16123 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
16124 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
16125 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
16126 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
16127 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
16128 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
16129 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
16130 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
16131 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
16137 static const true_false_string tfs_smb_flags_lock = {
16138 "Lock&Read, Write&Unlock are supported",
16139 "Lock&Read, Write&Unlock are not supported"
16141 static const true_false_string tfs_smb_flags_receive_buffer = {
16142 "Receive buffer has been posted",
16143 "Receive buffer has not been posted"
16145 static const true_false_string tfs_smb_flags_caseless = {
16146 "Path names are caseless",
16147 "Path names are case sensitive"
16149 static const true_false_string tfs_smb_flags_canon = {
16150 "Pathnames are canonicalized",
16151 "Pathnames are not canonicalized"
16153 static const true_false_string tfs_smb_flags_oplock = {
16154 "OpLock requested/granted",
16155 "OpLock not requested/granted"
16157 static const true_false_string tfs_smb_flags_notify = {
16158 "Notify client on all modifications",
16159 "Notify client only on open"
16161 static const true_false_string tfs_smb_flags_response = {
16162 "Message is a response to the client/redirector",
16163 "Message is a request to the server"
16167 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
16170 proto_item *item = NULL;
16171 proto_tree *tree = NULL;
16173 mask = tvb_get_guint8(tvb, offset);
16176 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
16177 "Flags: 0x%02x", mask);
16178 tree = proto_item_add_subtree(item, ett_smb_flags);
16180 proto_tree_add_boolean(tree, hf_smb_flags_response,
16181 tvb, offset, 1, mask);
16182 proto_tree_add_boolean(tree, hf_smb_flags_notify,
16183 tvb, offset, 1, mask);
16184 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
16185 tvb, offset, 1, mask);
16186 proto_tree_add_boolean(tree, hf_smb_flags_canon,
16187 tvb, offset, 1, mask);
16188 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
16189 tvb, offset, 1, mask);
16190 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
16191 tvb, offset, 1, mask);
16192 proto_tree_add_boolean(tree, hf_smb_flags_lock,
16193 tvb, offset, 1, mask);
16200 static const true_false_string tfs_smb_flags2_long_names_allowed = {
16201 "Long file names are allowed in the response",
16202 "Long file names are not allowed in the response"
16204 static const true_false_string tfs_smb_flags2_ea = {
16205 "Extended attributes are supported",
16206 "Extended attributes are not supported"
16208 static const true_false_string tfs_smb_flags2_sec_sig = {
16209 "Security signatures are supported",
16210 "Security signatures are not supported"
16212 static const true_false_string tfs_smb_flags2_long_names_used = {
16213 "Path names in request are long file names",
16214 "Path names in request are not long file names"
16216 static const true_false_string tfs_smb_flags2_esn = {
16217 "Extended security negotiation is supported",
16218 "Extended security negotiation is not supported"
16220 static const true_false_string tfs_smb_flags2_dfs = {
16221 "Resolve pathnames with Dfs",
16222 "Don't resolve pathnames with Dfs"
16224 static const true_false_string tfs_smb_flags2_roe = {
16225 "Permit reads if execute-only",
16226 "Don't permit reads if execute-only"
16228 static const true_false_string tfs_smb_flags2_nt_error = {
16229 "Error codes are NT error codes",
16230 "Error codes are DOS error codes"
16232 static const true_false_string tfs_smb_flags2_string = {
16233 "Strings are Unicode",
16234 "Strings are ASCII"
16237 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
16240 proto_item *item = NULL;
16241 proto_tree *tree = NULL;
16243 mask = tvb_get_letohs(tvb, offset);
16246 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
16247 "Flags2: 0x%04x", mask);
16248 tree = proto_item_add_subtree(item, ett_smb_flags2);
16251 proto_tree_add_boolean(tree, hf_smb_flags2_string,
16252 tvb, offset, 2, mask);
16253 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
16254 tvb, offset, 2, mask);
16255 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
16256 tvb, offset, 2, mask);
16257 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
16258 tvb, offset, 2, mask);
16259 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
16260 tvb, offset, 2, mask);
16261 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
16262 tvb, offset, 2, mask);
16263 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
16264 tvb, offset, 2, mask);
16265 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
16266 tvb, offset, 2, mask);
16267 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
16268 tvb, offset, 2, mask);
16276 #define SMB_FLAGS_DIRN 0x80
16280 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
16283 proto_item *item = NULL, *hitem = NULL;
16284 proto_tree *tree = NULL, *htree = NULL;
16287 static smb_info_t si_arr[20];
16288 static int si_counter=0;
16290 smb_saved_info_t *sip = NULL;
16291 smb_saved_info_key_t key;
16292 smb_saved_info_key_t *new_key;
16293 guint32 nt_status = 0;
16294 guint8 errclass = 0;
16295 guint16 errcode = 0;
16297 conversation_t *conversation;
16301 if(si_counter==20){
16304 si=&si_arr[si_counter];
16306 top_tree=parent_tree;
16308 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
16309 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
16311 if (check_col(pinfo->cinfo, COL_INFO)){
16312 col_clear(pinfo->cinfo, COL_INFO);
16315 /* start off using the local variable, we will allocate a new one if we
16317 si->cmd = tvb_get_guint8(tvb, offset+4);
16318 flags = tvb_get_guint8(tvb, offset+9);
16320 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
16321 * the direction flag appears never to be set, even for what appear
16322 * to be replies. Do some SMB servers fail to set that flag,
16323 * under the assumption that the client knows it's a reply because
16326 si->request = !(flags&SMB_FLAGS_DIRN);
16327 flags2 = tvb_get_letohs(tvb, offset+10);
16328 if(flags2 & 0x8000){
16329 si->unicode = TRUE; /* Mark them as Unicode */
16331 si->unicode = FALSE;
16333 si->tid = tvb_get_letohs(tvb, offset+24);
16334 si->pid = tvb_get_letohs(tvb, offset+26);
16335 si->uid = tvb_get_letohs(tvb, offset+28);
16336 si->mid = tvb_get_letohs(tvb, offset+30);
16337 pid_mid = (si->pid << 16) | si->mid;
16338 si->info_level = -1;
16339 si->info_count = -1;
16342 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
16344 tree = proto_item_add_subtree(item, ett_smb);
16346 hitem = proto_tree_add_text(tree, tvb, offset, 32,
16349 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
16352 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
16353 offset += 4; /* Skip the marker */
16355 /* find which conversation we are part of and get the tables for that
16357 conversation = find_conversation(&pinfo->src, &pinfo->dst,
16358 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16360 /* OK this is a new conversation so lets create it */
16361 conversation = conversation_new(&pinfo->src, &pinfo->dst,
16362 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16364 /* see if we already have the smb data for this conversation */
16365 si->ct=conversation_get_proto_data(conversation, proto_smb);
16367 /* No, not yet. create it and attach it to the conversation */
16368 si->ct = g_mem_chunk_alloc(conv_tables_chunk);
16369 conv_tables = g_slist_prepend(conv_tables, si->ct);
16370 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
16371 smb_saved_info_equal_matched);
16372 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
16373 smb_saved_info_equal_unmatched);
16374 si->ct->tid_service=g_hash_table_new(
16375 smb_saved_info_hash_unmatched,
16376 smb_saved_info_equal_unmatched);
16377 conversation_add_proto_data(conversation, proto_smb, si->ct);
16385 /* this is a broadcast SMB packet, there will not be a reply.
16386 We dont need to do anything
16389 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
16390 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
16391 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
16392 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
16393 /* Ok, we got a special request type. This request is either
16394 an NT Cancel or a continuation relative to a real request
16395 in an earlier packet. In either case, we don't expect any
16396 responses to this packet. For continuations, any later
16397 responses we see really just belong to the original request.
16398 Anyway, we want to remember this packet somehow and
16399 remember which original request it is associated with so
16400 we can say nice things such as "This is a Cancellation to
16401 the request in frame x", but we don't want the
16402 request/response matching to get messed up.
16404 The only thing we do in this case is trying to find which original
16405 request we match with and insert an entry for this "special"
16406 request for later reference. We continue to reference the original
16407 requests smb_saved_info_t but we dont touch it or change anything
16411 si->unidir = TRUE; /*we dont expect an answer to this one*/
16413 if(!pinfo->fd->flags.visited){
16414 /* try to find which original call we match and if we
16415 find it add us to the matched table. Dont touch
16416 anything else since we dont want this one to mess
16417 up the request/response matching. We still consider
16418 the initial call the real request and this is only
16419 some sort of continuation.
16421 /* we only check the unmatched table and assume that the
16422 last seen MID matching ours is the right one.
16423 This can fail but is better than nothing
16425 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
16427 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
16428 new_key->frame = pinfo->fd->num;
16429 new_key->pid_mid = pid_mid;
16430 g_hash_table_insert(si->ct->matched, new_key,
16434 /* we have seen this packet before; check the
16437 key.frame = pinfo->fd->num;
16438 key.pid_mid = pid_mid;
16439 sip=g_hash_table_lookup(si->ct->matched, &key);
16443 Too bad, unfortunately there is not really much we can
16444 do now since this means that we never saw the initial
16451 if(sip && sip->frame_req){
16453 case SMB_COM_NT_CANCEL:
16454 proto_tree_add_uint(htree, hf_smb_cancel_to,
16455 tvb, 0, 0, sip->frame_req);
16457 case SMB_COM_TRANSACTION_SECONDARY:
16458 case SMB_COM_TRANSACTION2_SECONDARY:
16459 case SMB_COM_NT_TRANSACT_SECONDARY:
16460 proto_tree_add_uint(htree, hf_smb_continuation_to,
16461 tvb, 0, 0, sip->frame_req);
16466 case SMB_COM_NT_CANCEL:
16467 proto_tree_add_text(htree, tvb, 0, 0,
16468 "Cancellation to: <unknown frame>");
16470 case SMB_COM_TRANSACTION_SECONDARY:
16471 case SMB_COM_TRANSACTION2_SECONDARY:
16472 case SMB_COM_NT_TRANSACT_SECONDARY:
16473 proto_tree_add_text(htree, tvb, 0, 0,
16474 "Continuation to: <unknown frame>");
16478 } else { /* normal bidirectional request or response */
16479 si->unidir = FALSE;
16481 if(!pinfo->fd->flags.visited){
16482 /* first see if we find an unmatched smb "equal" to
16485 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
16487 gboolean cmd_match=FALSE;
16490 * Make sure the SMB we found was the
16491 * same command, or a different command
16492 * that's another valid type of reply
16495 if(si->cmd==sip->cmd){
16498 else if(si->cmd==SMB_COM_NT_CANCEL){
16501 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
16502 && (sip->cmd==SMB_COM_TRANSACTION)){
16505 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
16506 && (sip->cmd==SMB_COM_TRANSACTION2)){
16509 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
16510 && (sip->cmd==SMB_COM_NT_TRANSACT)){
16514 if( (si->request) || (!cmd_match) ) {
16515 /* If we are processing an SMB request but there was already
16516 another "identical" smb resuest we had not matched yet.
16517 This must mean that either we have a retransmission or that the
16518 response to the previous one was lost and the client has reused
16519 the MID for this conversation. In either case it's not much more
16520 we can do than forget the old request and concentrate on the
16521 present one instead.
16523 We also do this cleanup if we see that the cmd in the original
16524 request in sip->cmd is not compatible with the current cmd.
16525 This is to prevent matching errors such as if there were two
16526 SMBs of different cmds but with identical MID and PID values and
16527 if ethereal lost the first reply and the second request.
16529 g_hash_table_remove(si->ct->unmatched, (void *)pid_mid);
16530 sip=NULL; /* XXX should free it as well */
16532 /* we have found a response to some request we have seen earlier.
16533 What we do now depends on whether this is the first response
16534 to that request we see (id frame_res==0) or not.
16536 if(sip->frame_res==0){
16537 /* ok it is the first response we have seen to this packet */
16538 sip->frame_res = pinfo->fd->num;
16539 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
16540 new_key->frame = sip->frame_res;
16541 new_key->pid_mid = pid_mid;
16542 g_hash_table_insert(si->ct->matched, new_key, sip);
16544 /* We have already seen another response to this MID.
16545 Since the MID in reality is only something like 10 bits
16546 this probably means that we just have a MID that is being
16547 reused due to the small MID space and that this is a new
16548 command we did not see the original request for.
16555 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
16556 sip->frame_req = pinfo->fd->num;
16557 sip->frame_res = 0;
16558 sip->req_time.secs=pinfo->fd->abs_secs;
16559 sip->req_time.nsecs=pinfo->fd->abs_usecs*1000;
16561 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)
16562 == (void *)TID_IPC) {
16563 sip->flags |= SMB_SIF_TID_IS_IPC;
16565 sip->cmd = si->cmd;
16566 sip->extra_info = NULL;
16567 g_hash_table_insert(si->ct->unmatched, (void *)pid_mid, sip);
16568 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
16569 new_key->frame = sip->frame_req;
16570 new_key->pid_mid = pid_mid;
16571 g_hash_table_insert(si->ct->matched, new_key, sip);
16574 /* we have seen this packet before; check the
16576 If we haven't yet seen the reply, we won't
16577 find the info for it; we don't need it, as
16578 we only use it to save information, and, as
16579 we've seen this packet before, we've already
16580 saved the information.
16582 key.frame = pinfo->fd->num;
16583 key.pid_mid = pid_mid;
16584 sip=g_hash_table_lookup(si->ct->matched, &key);
16589 * Pass the "sip" on to subdissectors through "si".
16595 * Put in fields for the frame number of the frame to which
16596 * this is a response or the frame with the response to this
16597 * frame - if we know the frame number (i.e., it's not 0).
16600 if (sip->frame_res != 0)
16601 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
16603 if (sip->frame_req != 0) {
16604 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
16605 ns.secs = pinfo->fd->abs_secs - sip->req_time.secs;
16606 ns.nsecs = pinfo->fd->abs_usecs*1000 - sip->req_time.nsecs;
16608 ns.nsecs+=1000000000;
16611 proto_tree_add_time(htree, hf_smb_time, tvb,
16618 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
16621 if(flags2 & 0x4000){
16622 /* handle NT 32 bit error code */
16624 nt_status = tvb_get_letohl(tvb, offset);
16626 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
16631 /* handle DOS error code & class */
16632 errclass = tvb_get_guint8(tvb, offset);
16633 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
16637 /* reserved byte */
16638 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
16642 /* XXX - the type of this field depends on the value of
16643 * "errcls", so there is isn't a single value_string array
16644 * fo it, so there can't be a single field for it.
16646 errcode = tvb_get_letohs(tvb, offset);
16647 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
16648 offset, 2, errcode, "Error Code: %s",
16649 decode_smb_error(errclass, errcode));
16654 offset = dissect_smb_flags(tvb, htree, offset);
16657 offset = dissect_smb_flags2(tvb, htree, offset);
16662 * http://www.samba.org/samba/ftp/specs/smbpub.txt
16664 * (a text version of "Microsoft Networks SMB FILE SHARING
16665 * PROTOCOL, Document Version 6.0p") says that:
16667 * the first 2 bytes of these 12 bytes are, for NT Create and X,
16668 * the "High Part of PID";
16670 * the next four bytes are reserved;
16672 * the next four bytes are, for SMB-over-IPX (with no
16673 * NetBIOS involved) two bytes of Session ID and two bytes
16674 * of SequenceNumber.
16676 * Network Monitor 2.x dissects the four bytes before the Session ID
16677 * as a "Key", and the two bytes after the SequenceNumber as
16680 * The "High Part of PID" has been seen in calls other than NT
16681 * Create and X, although most of them appear to be I/O on DCE RPC
16682 * pipes opened with the NT Create and X in question.
16684 proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, TRUE);
16687 if (pinfo->ptype == PT_IPX &&
16688 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
16689 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
16690 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
16692 * This is SMB-over-IPX.
16693 * XXX - do we have to worry about "sequenced commands",
16694 * as per the Samba document? They say that for
16695 * "unsequenced commands" (with a sequence number of 0),
16696 * the Mid must be unique, but perhaps the Mid doesn't
16697 * have to be unique for sequenced commands. In at least
16698 * one capture with SMB-over-IPX, however, the Mids
16699 * are unique even for sequenced commands.
16702 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
16707 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
16711 /* Sequence number */
16712 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
16717 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
16722 * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
16723 * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
16724 * bytes after the "High part of PID" are an 8-byte
16727 proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, TRUE);
16730 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, TRUE);
16735 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si->tid);
16739 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
16743 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid);
16747 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
16750 pinfo->private_data = si;
16752 /* tap the packet before the dissectors are called so we still get
16753 the tap listener called even if there is an exception.
16755 tap_queue_packet(smb_tap, pinfo, si);
16756 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
16758 /* Append error info from this packet to info string. */
16759 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
16760 if (flags2 & 0x4000) {
16762 * The status is an NT status code; was there
16765 if ((nt_status & 0xC0000000) == 0xC0000000) {
16770 pinfo->cinfo, COL_INFO, ", Error: %s",
16771 val_to_str(nt_status, NT_errors,
16772 "Unknown (0x%08X)"));
16776 * The status is a DOS error class and code; was
16779 if (errclass != SMB_SUCCESS) {
16784 pinfo->cinfo, COL_INFO, ", Error: %s",
16785 decode_smb_error(errclass, errcode));
16792 dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
16794 /* must check that this really is a smb packet */
16795 if (!tvb_bytes_exist(tvb, 0, 4))
16798 if( (tvb_get_guint8(tvb, 0) != 0xff)
16799 || (tvb_get_guint8(tvb, 1) != 'S')
16800 || (tvb_get_guint8(tvb, 2) != 'M')
16801 || (tvb_get_guint8(tvb, 3) != 'B') ){
16805 dissect_smb(tvb, pinfo, parent_tree);
16810 proto_register_smb(void)
16812 static hf_register_info hf[] = {
16814 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
16815 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
16817 { &hf_smb_word_count,
16818 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
16819 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
16821 { &hf_smb_byte_count,
16822 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
16823 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
16825 { &hf_smb_response_to,
16826 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
16827 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
16830 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
16831 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
16833 { &hf_smb_response_in,
16834 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
16835 NULL, 0, "The response to this packet is in this packet", HFILL }},
16837 { &hf_smb_continuation_to,
16838 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
16839 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
16841 { &hf_smb_nt_status,
16842 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
16843 VALS(NT_errors), 0, "NT Status code", HFILL }},
16845 { &hf_smb_error_class,
16846 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
16847 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
16849 { &hf_smb_error_code,
16850 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
16851 NULL, 0, "DOS Error Code", HFILL }},
16853 { &hf_smb_reserved,
16854 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
16855 NULL, 0, "Reserved bytes, must be zero", HFILL }},
16858 { "Signature", "smb.signature", FT_BYTES, BASE_HEX,
16859 NULL, 0, "Signature bytes", HFILL }},
16862 { "Key", "smb.key", FT_UINT32, BASE_HEX,
16863 NULL, 0, "SMB-over-IPX Key", HFILL }},
16865 { &hf_smb_session_id,
16866 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
16867 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
16869 { &hf_smb_sequence_num,
16870 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
16871 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
16873 { &hf_smb_group_id,
16874 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
16875 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
16878 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
16879 NULL, 0, "Process ID", HFILL }},
16881 { &hf_smb_pid_high,
16882 { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
16883 NULL, 0, "Process ID High Bytes", HFILL }},
16886 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
16887 NULL, 0, "Tree ID", HFILL }},
16890 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
16891 NULL, 0, "User ID", HFILL }},
16894 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
16895 NULL, 0, "Multiplex ID", HFILL }},
16897 { &hf_smb_flags_lock,
16898 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
16899 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
16901 { &hf_smb_flags_receive_buffer,
16902 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
16903 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
16905 { &hf_smb_flags_caseless,
16906 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
16907 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
16909 { &hf_smb_flags_canon,
16910 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
16911 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
16913 { &hf_smb_flags_oplock,
16914 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
16915 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
16917 { &hf_smb_flags_notify,
16918 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
16919 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
16921 { &hf_smb_flags_response,
16922 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
16923 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
16925 { &hf_smb_flags2_long_names_allowed,
16926 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
16927 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
16929 { &hf_smb_flags2_ea,
16930 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
16931 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
16933 { &hf_smb_flags2_sec_sig,
16934 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
16935 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
16937 { &hf_smb_flags2_long_names_used,
16938 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
16939 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
16941 { &hf_smb_flags2_esn,
16942 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
16943 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
16945 { &hf_smb_flags2_dfs,
16946 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
16947 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
16949 { &hf_smb_flags2_roe,
16950 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
16951 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
16953 { &hf_smb_flags2_nt_error,
16954 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
16955 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
16957 { &hf_smb_flags2_string,
16958 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
16959 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
16961 { &hf_smb_buffer_format,
16962 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
16963 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
16965 { &hf_smb_dialect_name,
16966 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
16967 NULL, 0, "Name of dialect", HFILL }},
16969 { &hf_smb_dialect_index,
16970 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
16971 NULL, 0, "Index of selected dialect", HFILL }},
16973 { &hf_smb_max_trans_buf_size,
16974 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
16975 NULL, 0, "Maximum transmit buffer size", HFILL }},
16977 { &hf_smb_max_mpx_count,
16978 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
16979 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
16981 { &hf_smb_max_vcs_num,
16982 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
16983 NULL, 0, "Maximum VCs between client and server", HFILL }},
16985 { &hf_smb_session_key,
16986 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
16987 NULL, 0, "Unique token identifying this session", HFILL }},
16989 { &hf_smb_server_timezone,
16990 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
16991 NULL, 0, "Current timezone at server.", HFILL }},
16993 { &hf_smb_encryption_key_length,
16994 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
16995 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
16997 { &hf_smb_encryption_key,
16998 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
16999 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
17001 { &hf_smb_primary_domain,
17002 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
17003 NULL, 0, "The server's primary domain", HFILL }},
17006 { "Server", "smb.server", FT_STRING, BASE_NONE,
17007 NULL, 0, "The name of the DC/server", HFILL }},
17009 { &hf_smb_max_raw_buf_size,
17010 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
17011 NULL, 0, "Maximum raw buffer size", HFILL }},
17013 { &hf_smb_server_guid,
17014 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
17015 NULL, 0, "Globally unique identifier for this server", HFILL }},
17017 { &hf_smb_security_blob_len,
17018 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
17019 NULL, 0, "Security blob length", HFILL }},
17021 { &hf_smb_security_blob,
17022 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
17023 NULL, 0, "Security blob", HFILL }},
17025 { &hf_smb_sm_mode16,
17026 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
17027 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
17029 { &hf_smb_sm_password16,
17030 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
17031 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
17034 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
17035 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
17037 { &hf_smb_sm_password,
17038 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
17039 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
17041 { &hf_smb_sm_signatures,
17042 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
17043 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
17045 { &hf_smb_sm_sig_required,
17046 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
17047 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
17050 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
17051 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
17053 { &hf_smb_rm_write,
17054 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
17055 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
17057 { &hf_smb_server_date_time,
17058 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
17059 NULL, 0, "Current date and time at server", HFILL }},
17061 { &hf_smb_server_smb_date,
17062 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
17063 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
17065 { &hf_smb_server_smb_time,
17066 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
17067 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
17069 { &hf_smb_server_cap_raw_mode,
17070 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
17071 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
17073 { &hf_smb_server_cap_mpx_mode,
17074 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
17075 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
17077 { &hf_smb_server_cap_unicode,
17078 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
17079 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
17081 { &hf_smb_server_cap_large_files,
17082 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
17083 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
17085 { &hf_smb_server_cap_nt_smbs,
17086 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
17087 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
17089 { &hf_smb_server_cap_rpc_remote_apis,
17090 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
17091 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
17093 { &hf_smb_server_cap_nt_status,
17094 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
17095 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
17097 { &hf_smb_server_cap_level_ii_oplocks,
17098 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
17099 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
17101 { &hf_smb_server_cap_lock_and_read,
17102 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
17103 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
17105 { &hf_smb_server_cap_nt_find,
17106 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
17107 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
17109 { &hf_smb_server_cap_dfs,
17110 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
17111 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
17113 { &hf_smb_server_cap_infolevel_passthru,
17114 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
17115 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
17117 { &hf_smb_server_cap_large_readx,
17118 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
17119 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
17121 { &hf_smb_server_cap_large_writex,
17122 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
17123 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
17125 { &hf_smb_server_cap_unix,
17126 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
17127 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
17129 { &hf_smb_server_cap_reserved,
17130 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
17131 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
17133 { &hf_smb_server_cap_bulk_transfer,
17134 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
17135 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
17137 { &hf_smb_server_cap_compressed_data,
17138 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
17139 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
17141 { &hf_smb_server_cap_extended_security,
17142 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
17143 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
17145 { &hf_smb_system_time,
17146 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
17147 NULL, 0, "System Time", HFILL }},
17150 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
17151 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
17153 { &hf_smb_dir_name,
17154 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
17155 NULL, 0, "SMB Directory Name", HFILL }},
17157 { &hf_smb_echo_count,
17158 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
17159 NULL, 0, "Number of times to echo data back", HFILL }},
17161 { &hf_smb_echo_data,
17162 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
17163 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
17165 { &hf_smb_echo_seq_num,
17166 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
17167 NULL, 0, "Sequence number for this echo response", HFILL }},
17169 { &hf_smb_max_buf_size,
17170 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
17171 NULL, 0, "Max client buffer size", HFILL }},
17174 { "Path", "smb.path", FT_STRING, BASE_NONE,
17175 NULL, 0, "Path. Server name and share name", HFILL }},
17178 { "Service", "smb.service", FT_STRING, BASE_NONE,
17179 NULL, 0, "Service name", HFILL }},
17181 { &hf_smb_password,
17182 { "Password", "smb.password", FT_BYTES, BASE_NONE,
17183 NULL, 0, "Password", HFILL }},
17185 { &hf_smb_ansi_password,
17186 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
17187 NULL, 0, "ANSI Password", HFILL }},
17189 { &hf_smb_unicode_password,
17190 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
17191 NULL, 0, "Unicode Password", HFILL }},
17193 { &hf_smb_move_flags_file,
17194 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
17195 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17197 { &hf_smb_move_flags_dir,
17198 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
17199 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17201 { &hf_smb_move_flags_verify,
17202 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
17203 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17205 { &hf_smb_files_moved,
17206 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
17207 NULL, 0, "Number of files moved", HFILL }},
17209 { &hf_smb_copy_flags_file,
17210 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
17211 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17213 { &hf_smb_copy_flags_dir,
17214 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
17215 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17217 { &hf_smb_copy_flags_dest_mode,
17218 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
17219 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
17221 { &hf_smb_copy_flags_source_mode,
17222 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
17223 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
17225 { &hf_smb_copy_flags_verify,
17226 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
17227 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17229 { &hf_smb_copy_flags_tree_copy,
17230 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
17231 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
17233 { &hf_smb_copy_flags_ea_action,
17234 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
17235 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
17238 { "Count", "smb.count", FT_UINT32, BASE_DEC,
17239 NULL, 0, "Count number of items/bytes", HFILL }},
17241 { &hf_smb_count_low,
17242 { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
17243 NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
17245 { &hf_smb_count_high,
17246 { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
17247 NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
17249 { &hf_smb_file_name,
17250 { "File Name", "smb.file", FT_STRING, BASE_NONE,
17251 NULL, 0, "File Name", HFILL }},
17253 { &hf_smb_open_function_create,
17254 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
17255 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
17257 { &hf_smb_open_function_open,
17258 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
17259 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
17262 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
17263 NULL, 0, "FID: File ID", HFILL }},
17265 { &hf_smb_file_attr_read_only_16bit,
17266 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
17267 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17269 { &hf_smb_file_attr_read_only_8bit,
17270 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
17271 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17273 { &hf_smb_file_attr_hidden_16bit,
17274 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
17275 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17277 { &hf_smb_file_attr_hidden_8bit,
17278 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
17279 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17281 { &hf_smb_file_attr_system_16bit,
17282 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
17283 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17285 { &hf_smb_file_attr_system_8bit,
17286 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
17287 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17289 { &hf_smb_file_attr_volume_16bit,
17290 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
17291 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
17293 { &hf_smb_file_attr_volume_8bit,
17294 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
17295 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
17297 { &hf_smb_file_attr_directory_16bit,
17298 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
17299 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17301 { &hf_smb_file_attr_directory_8bit,
17302 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
17303 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17305 { &hf_smb_file_attr_archive_16bit,
17306 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
17307 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17309 { &hf_smb_file_attr_archive_8bit,
17310 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
17311 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17313 { &hf_smb_file_attr_device,
17314 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
17315 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
17317 { &hf_smb_file_attr_normal,
17318 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
17319 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
17321 { &hf_smb_file_attr_temporary,
17322 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
17323 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
17325 { &hf_smb_file_attr_sparse,
17326 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
17327 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
17329 { &hf_smb_file_attr_reparse,
17330 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
17331 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
17333 { &hf_smb_file_attr_compressed,
17334 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
17335 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
17337 { &hf_smb_file_attr_offline,
17338 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
17339 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
17341 { &hf_smb_file_attr_not_content_indexed,
17342 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
17343 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
17345 { &hf_smb_file_attr_encrypted,
17346 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
17347 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
17349 { &hf_smb_file_size,
17350 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
17351 NULL, 0, "File Size", HFILL }},
17353 { &hf_smb_search_attribute_read_only,
17354 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
17355 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
17357 { &hf_smb_search_attribute_hidden,
17358 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
17359 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
17361 { &hf_smb_search_attribute_system,
17362 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
17363 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
17365 { &hf_smb_search_attribute_volume,
17366 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
17367 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
17369 { &hf_smb_search_attribute_directory,
17370 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
17371 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
17373 { &hf_smb_search_attribute_archive,
17374 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
17375 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
17377 { &hf_smb_access_mode,
17378 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
17379 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
17381 { &hf_smb_access_sharing,
17382 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
17383 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
17385 { &hf_smb_access_locality,
17386 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
17387 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
17389 { &hf_smb_access_caching,
17390 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
17391 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
17393 { &hf_smb_access_writetru,
17394 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
17395 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
17397 { &hf_smb_create_time,
17398 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
17399 NULL, 0, "Creation Time", HFILL }},
17401 { &hf_smb_modify_time,
17402 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
17403 NULL, 0, "Modification Time", HFILL }},
17405 { &hf_smb_backup_time,
17406 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
17407 NULL, 0, "Backup time", HFILL}},
17409 { &hf_smb_mac_alloc_block_count,
17410 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
17411 NULL, 0, "Allocation Block Count", HFILL}},
17413 { &hf_smb_mac_alloc_block_size,
17414 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
17415 NULL, 0, "Allocation Block Size", HFILL}},
17417 { &hf_smb_mac_free_block_count,
17418 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
17419 NULL, 0, "Free Block Count", HFILL}},
17421 { &hf_smb_mac_root_file_count,
17422 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
17423 NULL, 0, "Root File Count", HFILL}},
17425 { &hf_smb_mac_root_dir_count,
17426 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
17427 NULL, 0, "Root Directory Count", HFILL}},
17429 { &hf_smb_mac_file_count,
17430 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
17431 NULL, 0, "File Count", HFILL}},
17433 { &hf_smb_mac_dir_count,
17434 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
17435 NULL, 0, "Directory Count", HFILL}},
17437 { &hf_smb_mac_support_flags,
17438 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
17439 NULL, 0, "Mac Support Flags", HFILL}},
17441 { &hf_smb_mac_sup_access_ctrl,
17442 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
17443 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
17445 { &hf_smb_mac_sup_getset_comments,
17446 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
17447 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
17449 { &hf_smb_mac_sup_desktopdb_calls,
17450 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
17451 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
17453 { &hf_smb_mac_sup_unique_ids,
17454 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
17455 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
17457 { &hf_smb_mac_sup_streams,
17458 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
17459 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
17461 { &hf_smb_create_dos_date,
17462 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
17463 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
17465 { &hf_smb_create_dos_time,
17466 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
17467 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
17469 { &hf_smb_last_write_time,
17470 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
17471 NULL, 0, "Time this file was last written to", HFILL }},
17473 { &hf_smb_last_write_dos_date,
17474 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
17475 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
17477 { &hf_smb_last_write_dos_time,
17478 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
17479 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
17481 { &hf_smb_old_file_name,
17482 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
17483 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
17486 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
17487 NULL, 0, "Offset in file", HFILL }},
17489 { &hf_smb_remaining,
17490 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
17491 NULL, 0, "Remaining number of bytes", HFILL }},
17494 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
17495 NULL, 0, "Padding or unknown data", HFILL }},
17497 { &hf_smb_file_data,
17498 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
17499 NULL, 0, "Data read/written to the file", HFILL }},
17501 { &hf_smb_mac_fndrinfo,
17502 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
17503 NULL, 0, "Finder Info", HFILL}},
17505 { &hf_smb_total_data_len,
17506 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
17507 NULL, 0, "Total length of data", HFILL }},
17509 { &hf_smb_data_len,
17510 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
17511 NULL, 0, "Length of data", HFILL }},
17513 { &hf_smb_data_len_low,
17514 { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
17515 NULL, 0, "Length of data, Low 16 bits", HFILL }},
17517 { &hf_smb_data_len_high,
17518 { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
17519 NULL, 0, "Length of data, High 16 bits", HFILL }},
17521 { &hf_smb_seek_mode,
17522 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
17523 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
17525 { &hf_smb_access_time,
17526 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
17527 NULL, 0, "Last Access Time", HFILL }},
17529 { &hf_smb_access_dos_date,
17530 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
17531 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
17533 { &hf_smb_access_dos_time,
17534 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
17535 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
17537 { &hf_smb_data_size,
17538 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
17539 NULL, 0, "Data Size", HFILL }},
17541 { &hf_smb_alloc_size,
17542 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
17543 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17545 { &hf_smb_max_count,
17546 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
17547 NULL, 0, "Maximum Count", HFILL }},
17549 { &hf_smb_max_count_low,
17550 { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
17551 NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
17553 { &hf_smb_max_count_high,
17554 { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
17555 NULL, 0, "Maximum Count, High 16 bits", HFILL }},
17557 { &hf_smb_min_count,
17558 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
17559 NULL, 0, "Minimum Count", HFILL }},
17562 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
17563 NULL, 0, "Timeout in miliseconds", HFILL }},
17565 { &hf_smb_high_offset,
17566 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
17567 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
17570 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
17571 NULL, 0, "Total number of units at server", HFILL }},
17574 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
17575 NULL, 0, "Blocks per unit at server", HFILL }},
17577 { &hf_smb_blocksize,
17578 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
17579 NULL, 0, "Block size (in bytes) at server", HFILL }},
17581 { &hf_smb_freeunits,
17582 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
17583 NULL, 0, "Number of free units at server", HFILL }},
17585 { &hf_smb_data_offset,
17586 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17587 NULL, 0, "Data Offset", HFILL }},
17590 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
17591 NULL, 0, "Data Compaction Mode", HFILL }},
17593 { &hf_smb_request_mask,
17594 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
17595 NULL, 0, "Connectionless mode mask", HFILL }},
17597 { &hf_smb_response_mask,
17598 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
17599 NULL, 0, "Connectionless mode mask", HFILL }},
17601 { &hf_smb_search_id,
17602 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
17603 NULL, 0, "Search ID, handle for find operations", HFILL }},
17605 { &hf_smb_write_mode_write_through,
17606 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
17607 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
17609 { &hf_smb_write_mode_return_remaining,
17610 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
17611 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
17613 { &hf_smb_write_mode_raw,
17614 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
17615 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
17617 { &hf_smb_write_mode_message_start,
17618 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
17619 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
17621 { &hf_smb_write_mode_connectionless,
17622 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
17623 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
17625 { &hf_smb_resume_key_len,
17626 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
17627 NULL, 0, "Resume Key length", HFILL }},
17629 { &hf_smb_resume_find_id,
17630 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
17631 NULL, 0, "Handle for Find operation", HFILL }},
17633 { &hf_smb_resume_server_cookie,
17634 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
17635 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
17637 { &hf_smb_resume_client_cookie,
17638 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
17639 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
17641 { &hf_smb_andxoffset,
17642 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
17643 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
17645 { &hf_smb_lock_type_large,
17646 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
17647 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
17649 { &hf_smb_lock_type_cancel,
17650 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
17651 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
17653 { &hf_smb_lock_type_change,
17654 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
17655 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
17657 { &hf_smb_lock_type_oplock,
17658 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
17659 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
17661 { &hf_smb_lock_type_shared,
17662 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
17663 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
17665 { &hf_smb_locking_ol,
17666 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
17667 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
17669 { &hf_smb_number_of_locks,
17670 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
17671 NULL, 0, "Number of lock requests in this request", HFILL }},
17673 { &hf_smb_number_of_unlocks,
17674 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
17675 NULL, 0, "Number of unlock requests in this request", HFILL }},
17677 { &hf_smb_lock_long_length,
17678 { "Length", "smb.lock.length", FT_STRING, BASE_DEC,
17679 NULL, 0, "Length of lock/unlock region", HFILL }},
17681 { &hf_smb_lock_long_offset,
17682 { "Offset", "smb.lock.offset", FT_STRING, BASE_DEC,
17683 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
17685 { &hf_smb_file_type,
17686 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
17687 VALS(filetype_vals), 0, "Type of file", HFILL }},
17689 { &hf_smb_ipc_state_nonblocking,
17690 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
17691 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
17693 { &hf_smb_ipc_state_endpoint,
17694 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
17695 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
17697 { &hf_smb_ipc_state_pipe_type,
17698 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
17699 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
17701 { &hf_smb_ipc_state_read_mode,
17702 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
17703 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
17705 { &hf_smb_ipc_state_icount,
17706 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
17707 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
17709 { &hf_smb_server_fid,
17710 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
17711 NULL, 0, "Server unique File ID", HFILL }},
17713 { &hf_smb_open_flags_add_info,
17714 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
17715 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
17717 { &hf_smb_open_flags_ex_oplock,
17718 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
17719 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
17721 { &hf_smb_open_flags_batch_oplock,
17722 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
17723 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
17725 { &hf_smb_open_flags_ealen,
17726 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
17727 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
17729 { &hf_smb_open_action_open,
17730 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
17731 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
17733 { &hf_smb_open_action_lock,
17734 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
17735 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
17738 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
17739 NULL, 0, "VC Number", HFILL }},
17741 { &hf_smb_password_len,
17742 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
17743 NULL, 0, "Length of password", HFILL }},
17745 { &hf_smb_ansi_password_len,
17746 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
17747 NULL, 0, "Length of ANSI password", HFILL }},
17749 { &hf_smb_unicode_password_len,
17750 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
17751 NULL, 0, "Length of Unicode password", HFILL }},
17754 { "Account", "smb.account", FT_STRING, BASE_NONE,
17755 NULL, 0, "Account, username", HFILL }},
17758 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
17759 NULL, 0, "Which OS we are running", HFILL }},
17762 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
17763 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
17765 { &hf_smb_setup_action_guest,
17766 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
17767 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
17770 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
17771 NULL, 0, "Native File System", HFILL }},
17773 { &hf_smb_connect_flags_dtid,
17774 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
17775 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
17777 { &hf_smb_connect_support_search,
17778 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
17779 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
17781 { &hf_smb_connect_support_in_dfs,
17782 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
17783 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
17785 { &hf_smb_max_setup_count,
17786 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
17787 NULL, 0, "Maximum number of setup words to return", HFILL }},
17789 { &hf_smb_total_param_count,
17790 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
17791 NULL, 0, "Total number of parameter bytes", HFILL }},
17793 { &hf_smb_total_data_count,
17794 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
17795 NULL, 0, "Total number of data bytes", HFILL }},
17797 { &hf_smb_max_param_count,
17798 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
17799 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
17801 { &hf_smb_max_data_count,
17802 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
17803 NULL, 0, "Maximum number of data bytes to return", HFILL }},
17805 { &hf_smb_param_disp16,
17806 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
17807 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17809 { &hf_smb_param_count16,
17810 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
17811 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17813 { &hf_smb_param_offset16,
17814 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
17815 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17817 { &hf_smb_param_disp32,
17818 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
17819 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17821 { &hf_smb_param_count32,
17822 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
17823 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17825 { &hf_smb_param_offset32,
17826 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
17827 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17829 { &hf_smb_data_count16,
17830 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
17831 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17833 { &hf_smb_data_disp16,
17834 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
17835 NULL, 0, "Data Displacement", HFILL }},
17837 { &hf_smb_data_offset16,
17838 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17839 NULL, 0, "Data Offset", HFILL }},
17841 { &hf_smb_data_count32,
17842 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
17843 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17845 { &hf_smb_data_disp32,
17846 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
17847 NULL, 0, "Data Displacement", HFILL }},
17849 { &hf_smb_data_offset32,
17850 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
17851 NULL, 0, "Data Offset", HFILL }},
17853 { &hf_smb_setup_count,
17854 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
17855 NULL, 0, "Number of setup words in this buffer", HFILL }},
17857 { &hf_smb_nt_trans_subcmd,
17858 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
17859 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
17861 { &hf_smb_nt_ioctl_function_code,
17862 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
17863 NULL, 0, "NT IOCTL function code", HFILL }},
17865 { &hf_smb_nt_ioctl_isfsctl,
17866 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
17867 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
17869 { &hf_smb_nt_ioctl_flags_root_handle,
17870 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
17871 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
17873 { &hf_smb_nt_ioctl_data,
17874 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
17875 NULL, 0, "Data for the IOCTL call", HFILL }},
17877 { &hf_smb_nt_notify_action,
17878 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
17879 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
17881 { &hf_smb_nt_notify_watch_tree,
17882 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
17883 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
17885 { &hf_smb_nt_notify_stream_write,
17886 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
17887 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
17889 { &hf_smb_nt_notify_stream_size,
17890 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
17891 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
17893 { &hf_smb_nt_notify_stream_name,
17894 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
17895 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
17897 { &hf_smb_nt_notify_security,
17898 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
17899 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
17901 { &hf_smb_nt_notify_ea,
17902 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
17903 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
17905 { &hf_smb_nt_notify_creation,
17906 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
17907 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
17909 { &hf_smb_nt_notify_last_access,
17910 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
17911 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
17913 { &hf_smb_nt_notify_last_write,
17914 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
17915 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
17917 { &hf_smb_nt_notify_size,
17918 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
17919 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
17921 { &hf_smb_nt_notify_attributes,
17922 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
17923 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
17925 { &hf_smb_nt_notify_dir_name,
17926 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
17927 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
17929 { &hf_smb_nt_notify_file_name,
17930 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
17931 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
17933 { &hf_smb_root_dir_fid,
17934 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
17935 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
17937 { &hf_smb_alloc_size64,
17938 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
17939 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17941 { &hf_smb_nt_create_disposition,
17942 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
17943 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
17945 { &hf_smb_sd_length,
17946 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
17947 NULL, 0, "Total length of security descriptor", HFILL }},
17949 { &hf_smb_ea_list_length,
17950 { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
17951 NULL, 0, "Total length of extended attributes", HFILL }},
17953 { &hf_smb_ea_flags,
17954 { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
17955 NULL, 0, "EA Flags", HFILL }},
17957 { &hf_smb_ea_name_length,
17958 { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
17959 NULL, 0, "EA Name Length", HFILL }},
17961 { &hf_smb_ea_data_length,
17962 { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
17963 NULL, 0, "EA Data Length", HFILL }},
17966 { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
17967 NULL, 0, "EA Name", HFILL }},
17970 { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE,
17971 NULL, 0, "EA Data", HFILL }},
17973 { &hf_smb_file_name_len,
17974 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
17975 NULL, 0, "Length of File Name", HFILL }},
17977 { &hf_smb_nt_impersonation_level,
17978 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
17979 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
17981 { &hf_smb_nt_security_flags_context_tracking,
17982 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
17983 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
17985 { &hf_smb_nt_security_flags_effective_only,
17986 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
17987 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
17989 { &hf_smb_nt_access_mask_generic_read,
17990 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
17991 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
17993 { &hf_smb_nt_access_mask_generic_write,
17994 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
17995 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
17997 { &hf_smb_nt_access_mask_generic_execute,
17998 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
17999 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
18001 { &hf_smb_nt_access_mask_generic_all,
18002 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
18003 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
18005 { &hf_smb_nt_access_mask_maximum_allowed,
18006 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
18007 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
18009 { &hf_smb_nt_access_mask_system_security,
18010 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
18011 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
18013 { &hf_smb_nt_access_mask_synchronize,
18014 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
18015 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
18017 { &hf_smb_nt_access_mask_write_owner,
18018 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
18019 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
18021 { &hf_smb_nt_access_mask_write_dac,
18022 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
18023 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
18025 { &hf_smb_nt_access_mask_read_control,
18026 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
18027 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
18029 { &hf_smb_nt_access_mask_delete,
18030 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
18031 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
18033 { &hf_smb_nt_access_mask_write_attributes,
18034 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
18035 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
18037 { &hf_smb_nt_access_mask_read_attributes,
18038 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
18039 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
18041 { &hf_smb_nt_access_mask_delete_child,
18042 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
18043 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
18046 * "Execute" for files, "traverse" for directories.
18048 { &hf_smb_nt_access_mask_execute,
18049 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
18050 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
18052 { &hf_smb_nt_access_mask_write_ea,
18053 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
18054 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
18056 { &hf_smb_nt_access_mask_read_ea,
18057 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
18058 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
18061 * "Append data" for files, "add subdirectory" for directories,
18062 * "create pipe instance" for named pipes.
18064 { &hf_smb_nt_access_mask_append,
18065 { "Append", "smb.access.append", FT_BOOLEAN, 32,
18066 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
18069 * "Write data" for files and pipes, "add file" for directory.
18071 { &hf_smb_nt_access_mask_write,
18072 { "Write", "smb.access.write", FT_BOOLEAN, 32,
18073 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
18076 * "Read data" for files and pipes, "list directory" for directory.
18078 { &hf_smb_nt_access_mask_read,
18079 { "Read", "smb.access.read", FT_BOOLEAN, 32,
18080 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
18082 { &hf_smb_nt_create_bits_oplock,
18083 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
18084 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
18086 { &hf_smb_nt_create_bits_boplock,
18087 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
18088 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
18090 { &hf_smb_nt_create_bits_dir,
18091 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
18092 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
18094 { &hf_smb_nt_create_bits_ext_resp,
18095 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
18096 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
18098 { &hf_smb_nt_create_options_directory_file,
18099 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
18100 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
18102 { &hf_smb_nt_create_options_write_through,
18103 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
18104 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
18106 { &hf_smb_nt_create_options_sequential_only,
18107 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
18108 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
18110 { &hf_smb_nt_create_options_sync_io_alert,
18111 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
18112 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
18114 { &hf_smb_nt_create_options_sync_io_nonalert,
18115 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
18116 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
18118 { &hf_smb_nt_create_options_non_directory_file,
18119 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
18120 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
18122 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
18123 and "NtOpenFile()"; is that sent over the wire? Network
18124 Monitor thinks so, but its author may just have grabbed
18125 the flag bits from a system header file. */
18127 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
18128 and "NtOpenFile()"; is that sent over the wire? NetMon
18129 thinks so, but see previous comment. */
18131 { &hf_smb_nt_create_options_no_ea_knowledge,
18132 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
18133 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
18135 { &hf_smb_nt_create_options_eight_dot_three_only,
18136 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
18137 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
18139 { &hf_smb_nt_create_options_random_access,
18140 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
18141 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
18143 { &hf_smb_nt_create_options_delete_on_close,
18144 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
18145 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
18147 /* 0x00002000 is "open by FID", or something such as that (which
18148 I suspect is like "open by inumber" on UNIX), at least in
18149 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
18150 wire? NetMon thinks so, but see previous comment. */
18152 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
18153 and "NtOpenFile()"; is that sent over the wire? NetMon
18154 thinks so, but see previous comment. */
18156 { &hf_smb_nt_share_access_read,
18157 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
18158 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
18160 { &hf_smb_nt_share_access_write,
18161 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
18162 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
18164 { &hf_smb_nt_share_access_delete,
18165 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
18166 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
18168 { &hf_smb_file_eattr_read_only,
18169 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
18170 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
18172 { &hf_smb_file_eattr_hidden,
18173 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
18174 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
18176 { &hf_smb_file_eattr_system,
18177 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
18178 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
18180 { &hf_smb_file_eattr_volume,
18181 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
18182 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
18184 { &hf_smb_file_eattr_directory,
18185 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
18186 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
18188 { &hf_smb_file_eattr_archive,
18189 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
18190 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
18192 { &hf_smb_file_eattr_device,
18193 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
18194 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
18196 { &hf_smb_file_eattr_normal,
18197 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
18198 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
18200 { &hf_smb_file_eattr_temporary,
18201 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
18202 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
18204 { &hf_smb_file_eattr_sparse,
18205 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
18206 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
18208 { &hf_smb_file_eattr_reparse,
18209 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
18210 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
18212 { &hf_smb_file_eattr_compressed,
18213 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
18214 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
18216 { &hf_smb_file_eattr_offline,
18217 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
18218 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
18220 { &hf_smb_file_eattr_not_content_indexed,
18221 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
18222 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
18224 { &hf_smb_file_eattr_encrypted,
18225 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
18226 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
18228 { &hf_smb_sec_desc_len,
18229 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
18230 NULL, 0, "Security Descriptor Length", HFILL }},
18232 { &hf_smb_nt_qsd_owner,
18233 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
18234 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
18236 { &hf_smb_nt_qsd_group,
18237 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
18238 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
18240 { &hf_smb_nt_qsd_dacl,
18241 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
18242 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
18244 { &hf_smb_nt_qsd_sacl,
18245 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
18246 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
18248 { &hf_smb_extended_attributes,
18249 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
18250 NULL, 0, "Extended Attributes", HFILL }},
18252 { &hf_smb_oplock_level,
18253 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
18254 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
18256 { &hf_smb_create_action,
18257 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
18258 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
18261 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
18262 NULL, 0, "Server unique file ID", HFILL }},
18264 { &hf_smb_ea_error_offset,
18265 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
18266 NULL, 0, "Offset into EA list if EA error", HFILL }},
18268 { &hf_smb_end_of_file,
18269 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
18270 NULL, 0, "Offset to the first free byte in the file", HFILL }},
18272 { &hf_smb_device_type,
18273 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
18274 VALS(device_type_vals), 0, "Type of device", HFILL }},
18276 { &hf_smb_is_directory,
18277 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
18278 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
18280 { &hf_smb_next_entry_offset,
18281 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
18282 NULL, 0, "Offset to next entry", HFILL }},
18284 { &hf_smb_change_time,
18285 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
18286 NULL, 0, "Last Change Time", HFILL }},
18288 { &hf_smb_setup_len,
18289 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
18290 NULL, 0, "Length of printer setup data", HFILL }},
18292 { &hf_smb_print_mode,
18293 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
18294 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
18296 { &hf_smb_print_identifier,
18297 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
18298 NULL, 0, "Identifier string for this print job", HFILL }},
18300 { &hf_smb_restart_index,
18301 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
18302 NULL, 0, "Index of entry after last returned", HFILL }},
18304 { &hf_smb_print_queue_date,
18305 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
18306 NULL, 0, "Date when this entry was queued", HFILL }},
18308 { &hf_smb_print_queue_dos_date,
18309 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
18310 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
18312 { &hf_smb_print_queue_dos_time,
18313 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
18314 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
18316 { &hf_smb_print_status,
18317 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
18318 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
18320 { &hf_smb_print_spool_file_number,
18321 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
18322 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
18324 { &hf_smb_print_spool_file_size,
18325 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
18326 NULL, 0, "Number of bytes in spool file", HFILL }},
18328 { &hf_smb_print_spool_file_name,
18329 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
18330 NULL, 0, "Name of client that submitted this job", HFILL }},
18332 { &hf_smb_start_index,
18333 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
18334 NULL, 0, "First queue entry to return", HFILL }},
18336 { &hf_smb_originator_name,
18337 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
18338 NULL, 0, "Name of sender of message", HFILL }},
18340 { &hf_smb_destination_name,
18341 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
18342 NULL, 0, "Name of recipient of message", HFILL }},
18344 { &hf_smb_message_len,
18345 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
18346 NULL, 0, "Length of message", HFILL }},
18349 { "Message", "smb.message", FT_STRING, BASE_NONE,
18350 NULL, 0, "Message text", HFILL }},
18353 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
18354 NULL, 0, "Message group ID for multi-block messages", HFILL }},
18356 { &hf_smb_forwarded_name,
18357 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
18358 NULL, 0, "Recipient name being forwarded", HFILL }},
18360 { &hf_smb_machine_name,
18361 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
18362 NULL, 0, "Name of target machine", HFILL }},
18364 { &hf_smb_cancel_to,
18365 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
18366 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
18368 { &hf_smb_trans2_subcmd,
18369 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
18370 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
18372 { &hf_smb_trans_name,
18373 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
18374 NULL, 0, "Name of transaction", HFILL }},
18376 { &hf_smb_transaction_flags_dtid,
18377 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
18378 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
18380 { &hf_smb_transaction_flags_owt,
18381 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
18382 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
18384 { &hf_smb_search_count,
18385 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
18386 NULL, 0, "Maximum number of search entries to return", HFILL }},
18388 { &hf_smb_search_pattern,
18389 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
18390 NULL, 0, "Search Pattern", HFILL }},
18392 { &hf_smb_ff2_backup,
18393 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
18394 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
18396 { &hf_smb_ff2_continue,
18397 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
18398 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
18400 { &hf_smb_ff2_resume,
18401 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
18402 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
18404 { &hf_smb_ff2_close_eos,
18405 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
18406 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
18408 { &hf_smb_ff2_close,
18409 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
18410 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
18412 { &hf_smb_ff2_information_level,
18413 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
18414 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
18417 { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_DEC,
18418 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
18421 { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_DEC,
18422 VALS(spi_loi_vals), 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
18425 { &hf_smb_sfi_writetru,
18426 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
18427 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
18429 { &hf_smb_sfi_caching,
18430 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
18431 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
18434 { &hf_smb_storage_type,
18435 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
18436 NULL, 0, "Type of storage", HFILL }},
18439 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
18440 NULL, 0, "Resume Key", HFILL }},
18442 { &hf_smb_max_referral_level,
18443 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
18444 NULL, 0, "Latest referral version number understood", HFILL }},
18446 { &hf_smb_qfsi_information_level,
18447 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_HEX,
18448 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
18450 { &hf_smb_nt_rename_level,
18451 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
18452 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
18454 { &hf_smb_cluster_count,
18455 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
18456 NULL, 0, "Number of clusters", HFILL }},
18458 { &hf_smb_number_of_links,
18459 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
18460 NULL, 0, "Number of hard links to the file", HFILL }},
18462 { &hf_smb_delete_pending,
18463 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
18464 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
18466 { &hf_smb_index_number,
18467 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
18468 NULL, 0, "File system unique identifier", HFILL }},
18470 { &hf_smb_current_offset,
18471 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
18472 NULL, 0, "Current offset in the file", HFILL }},
18474 { &hf_smb_t2_alignment,
18475 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
18476 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
18478 { &hf_smb_t2_stream_name_length,
18479 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
18480 NULL, 0, "Length of stream name", HFILL }},
18482 { &hf_smb_t2_stream_size,
18483 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
18484 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18486 { &hf_smb_t2_stream_name,
18487 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
18488 NULL, 0, "Name of the stream", HFILL }},
18490 { &hf_smb_t2_compressed_file_size,
18491 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
18492 NULL, 0, "Size of the compressed file", HFILL }},
18494 { &hf_smb_t2_compressed_format,
18495 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
18496 NULL, 0, "Compression algorithm used", HFILL }},
18498 { &hf_smb_t2_compressed_unit_shift,
18499 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
18500 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18502 { &hf_smb_t2_compressed_chunk_shift,
18503 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
18504 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18506 { &hf_smb_t2_compressed_cluster_shift,
18507 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
18508 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18510 { &hf_smb_t2_marked_for_deletion,
18511 { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
18512 TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
18514 { &hf_smb_dfs_path_consumed,
18515 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
18516 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
18518 { &hf_smb_dfs_num_referrals,
18519 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
18520 NULL, 0, "Number of referrals in this pdu", HFILL }},
18522 { &hf_smb_get_dfs_server_hold_storage,
18523 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
18524 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
18526 { &hf_smb_get_dfs_fielding,
18527 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
18528 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
18530 { &hf_smb_dfs_referral_version,
18531 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
18532 NULL, 0, "Version of referral element", HFILL }},
18534 { &hf_smb_dfs_referral_size,
18535 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
18536 NULL, 0, "Size of referral element", HFILL }},
18538 { &hf_smb_dfs_referral_server_type,
18539 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
18540 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
18542 { &hf_smb_dfs_referral_flags_strip,
18543 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
18544 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
18546 { &hf_smb_dfs_referral_node_offset,
18547 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
18548 NULL, 0, "Offset of name of entity to visit next", HFILL }},
18550 { &hf_smb_dfs_referral_node,
18551 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
18552 NULL, 0, "Name of entity to visit next", HFILL }},
18554 { &hf_smb_dfs_referral_proximity,
18555 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
18556 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
18558 { &hf_smb_dfs_referral_ttl,
18559 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
18560 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
18562 { &hf_smb_dfs_referral_path_offset,
18563 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
18564 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
18566 { &hf_smb_dfs_referral_path,
18567 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
18568 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
18570 { &hf_smb_dfs_referral_alt_path_offset,
18571 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
18572 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
18574 { &hf_smb_dfs_referral_alt_path,
18575 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
18576 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
18578 { &hf_smb_end_of_search,
18579 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
18580 NULL, 0, "Was last entry returned?", HFILL }},
18582 { &hf_smb_last_name_offset,
18583 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
18584 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
18586 { &hf_smb_fn_information_level,
18587 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
18588 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
18590 { &hf_smb_monitor_handle,
18591 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
18592 NULL, 0, "Handle for Find Notify operations", HFILL }},
18594 { &hf_smb_change_count,
18595 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
18596 NULL, 0, "Number of changes to wait for", HFILL }},
18598 { &hf_smb_file_index,
18599 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
18600 NULL, 0, "File index", HFILL }},
18602 { &hf_smb_short_file_name,
18603 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
18604 NULL, 0, "Short (8.3) File Name", HFILL }},
18606 { &hf_smb_short_file_name_len,
18607 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
18608 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
18611 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
18612 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
18615 { "FS GUID", "smb.fs_guid", FT_STRING, BASE_NONE,
18616 NULL, 0, "File System GUID", HFILL }},
18618 { &hf_smb_sector_unit,
18619 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
18620 NULL, 0, "Sectors per allocation unit", HFILL }},
18622 { &hf_smb_fs_units,
18623 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
18624 NULL, 0, "Total number of units on this filesystem", HFILL }},
18626 { &hf_smb_fs_sector,
18627 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
18628 NULL, 0, "Bytes per sector", HFILL }},
18630 { &hf_smb_avail_units,
18631 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
18632 NULL, 0, "Total number of available units on this filesystem", HFILL }},
18634 { &hf_smb_volume_serial_num,
18635 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
18636 NULL, 0, "Volume serial number", HFILL }},
18638 { &hf_smb_volume_label_len,
18639 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
18640 NULL, 0, "Length of volume label", HFILL }},
18642 { &hf_smb_volume_label,
18643 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
18644 NULL, 0, "Volume label", HFILL }},
18646 { &hf_smb_free_alloc_units64,
18647 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
18648 NULL, 0, "Number of free allocation units", HFILL }},
18650 { &hf_smb_caller_free_alloc_units64,
18651 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
18652 NULL, 0, "Number of caller free allocation units", HFILL }},
18654 { &hf_smb_actual_free_alloc_units64,
18655 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
18656 NULL, 0, "Number of actual free allocation units", HFILL }},
18658 { &hf_smb_soft_quota_limit,
18659 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
18660 NULL, 0, "Soft Quota treshold", HFILL }},
18662 { &hf_smb_hard_quota_limit,
18663 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
18664 NULL, 0, "Hard Quota limit", HFILL }},
18666 { &hf_smb_user_quota_used,
18667 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
18668 NULL, 0, "How much Quota is used by this user", HFILL }},
18670 { &hf_smb_max_name_len,
18671 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
18672 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
18674 { &hf_smb_fs_name_len,
18675 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
18676 NULL, 0, "Length of filesystem name in bytes", HFILL }},
18679 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
18680 NULL, 0, "Name of filesystem", HFILL }},
18682 { &hf_smb_device_char_removable,
18683 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
18684 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
18686 { &hf_smb_device_char_read_only,
18687 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
18688 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
18690 { &hf_smb_device_char_floppy,
18691 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
18692 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
18694 { &hf_smb_device_char_write_once,
18695 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
18696 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
18698 { &hf_smb_device_char_remote,
18699 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
18700 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
18702 { &hf_smb_device_char_mounted,
18703 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
18704 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
18706 { &hf_smb_device_char_virtual,
18707 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
18708 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
18710 { &hf_smb_fs_attr_css,
18711 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
18712 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
18714 { &hf_smb_fs_attr_cpn,
18715 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
18716 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
18718 { &hf_smb_fs_attr_pacls,
18719 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
18720 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
18722 { &hf_smb_fs_attr_fc,
18723 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
18724 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
18726 { &hf_smb_fs_attr_vq,
18727 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
18728 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
18730 { &hf_smb_fs_attr_dim,
18731 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
18732 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
18734 { &hf_smb_fs_attr_vic,
18735 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
18736 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
18738 { &hf_smb_sec_desc_revision,
18739 { "Revision", "smb.sec_desc.revision", FT_UINT8, BASE_DEC,
18740 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
18743 { "SID", "smb.sid", FT_STRING, BASE_DEC,
18744 NULL, 0, "SID: Security Identifier", HFILL }},
18746 { &hf_smb_sid_revision,
18747 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
18748 NULL, 0, "Version of SID structure", HFILL }},
18750 { &hf_smb_sid_num_auth,
18751 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
18752 NULL, 0, "Number of authorities for this SID", HFILL }},
18754 { &hf_smb_acl_revision,
18755 { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
18756 NULL, 0, "Version of NT ACL structure", HFILL }},
18758 { &hf_smb_acl_size,
18759 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
18760 NULL, 0, "Size of NT ACL structure", HFILL }},
18762 { &hf_smb_acl_num_aces,
18763 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
18764 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
18766 { &hf_smb_user_quota_offset,
18767 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
18768 NULL, 0, "Relative offset to next user quota structure", HFILL }},
18770 { &hf_smb_ace_type,
18771 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
18772 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
18774 { &hf_smb_pipe_write_len,
18775 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
18776 NULL, 0, "Number of bytes written to pipe", HFILL }},
18778 { &hf_smb_ace_size,
18779 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
18780 NULL, 0, "Size of this ACE", HFILL }},
18782 { &hf_smb_ace_flags_object_inherit,
18783 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
18784 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
18786 { &hf_smb_ace_flags_container_inherit,
18787 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
18788 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
18790 { &hf_smb_ace_flags_non_propagate_inherit,
18791 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
18792 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
18794 { &hf_smb_ace_flags_inherit_only,
18795 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
18796 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
18798 { &hf_smb_ace_flags_inherited_ace,
18799 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
18800 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
18802 { &hf_smb_ace_flags_successful_access,
18803 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
18804 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
18806 { &hf_smb_ace_flags_failed_access,
18807 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
18808 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
18810 { &hf_smb_sec_desc_type_owner_defaulted,
18811 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
18812 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
18814 { &hf_smb_sec_desc_type_group_defaulted,
18815 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
18816 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
18818 { &hf_smb_sec_desc_type_dacl_present,
18819 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
18820 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
18822 { &hf_smb_sec_desc_type_dacl_defaulted,
18823 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
18824 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
18826 { &hf_smb_sec_desc_type_sacl_present,
18827 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
18828 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
18830 { &hf_smb_sec_desc_type_sacl_defaulted,
18831 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
18832 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
18834 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
18835 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
18836 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
18838 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
18839 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
18840 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
18842 { &hf_smb_sec_desc_type_dacl_auto_inherited,
18843 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
18844 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
18846 { &hf_smb_sec_desc_type_sacl_auto_inherited,
18847 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
18848 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
18850 { &hf_smb_sec_desc_type_dacl_protected,
18851 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
18852 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
18854 { &hf_smb_sec_desc_type_sacl_protected,
18855 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
18856 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
18858 { &hf_smb_sec_desc_type_self_relative,
18859 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
18860 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
18862 { &hf_smb_quota_flags_deny_disk,
18863 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
18864 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
18866 { &hf_smb_quota_flags_log_limit,
18867 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
18868 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
18870 { &hf_smb_quota_flags_log_warning,
18871 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
18872 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
18874 { &hf_smb_quota_flags_enabled,
18875 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
18876 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
18878 { &hf_smb_segment_overlap,
18879 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18880 "Fragment overlaps with other fragments", HFILL }},
18882 { &hf_smb_segment_overlap_conflict,
18883 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18884 "Overlapping fragments contained conflicting data", HFILL }},
18886 { &hf_smb_segment_multiple_tails,
18887 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18888 "Several tails were found when defragmenting the packet", HFILL }},
18890 { &hf_smb_segment_too_long_fragment,
18891 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18892 "Fragment contained data past end of packet", HFILL }},
18894 { &hf_smb_segment_error,
18895 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18896 "Defragmentation error due to illegal fragments", HFILL }},
18899 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18900 "SMB Segment", HFILL }},
18902 { &hf_smb_segments,
18903 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
18904 "SMB Segments", HFILL }},
18906 { &hf_smb_unix_major_version,
18907 { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
18908 NULL, 0, "UNIX Major Version", HFILL }},
18910 { &hf_smb_unix_minor_version,
18911 { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
18912 NULL, 0, "UNIX Minor Version", HFILL }},
18914 { &hf_smb_unix_capability_fcntl,
18915 { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
18916 TFS(&flags_set_truth), 0x00000001, "", HFILL }},
18918 { &hf_smb_unix_capability_posix_acl,
18919 { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
18920 TFS(&flags_set_truth), 0x00000002, "", HFILL }},
18922 { &hf_smb_unix_file_size,
18923 { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
18924 NULL, 0, "", HFILL }},
18926 { &hf_smb_unix_file_num_bytes,
18927 { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
18928 NULL, 0, "Number of bytes used to store the file", HFILL }},
18930 { &hf_smb_unix_file_last_status,
18931 { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, BASE_NONE,
18932 NULL, 0, "", HFILL }},
18934 { &hf_smb_unix_file_last_access,
18935 { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, BASE_NONE,
18936 NULL, 0, "", HFILL }},
18938 { &hf_smb_unix_file_last_change,
18939 { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, BASE_NONE,
18940 NULL, 0, "", HFILL }},
18942 { &hf_smb_unix_file_uid,
18943 { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
18944 NULL, 0, "", HFILL }},
18946 { &hf_smb_unix_file_gid,
18947 { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
18948 NULL, 0, "", HFILL }},
18950 { &hf_smb_unix_file_type,
18951 { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
18952 VALS(unix_file_type_vals), 0, "", HFILL }},
18954 { &hf_smb_unix_file_dev_major,
18955 { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
18956 NULL, 0, "", HFILL }},
18958 { &hf_smb_unix_file_dev_minor,
18959 { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
18960 NULL, 0, "", HFILL }},
18962 { &hf_smb_unix_file_unique_id,
18963 { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
18964 NULL, 0, "", HFILL }},
18966 { &hf_smb_unix_file_permissions,
18967 { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
18968 NULL, 0, "", HFILL }},
18970 { &hf_smb_unix_file_nlinks,
18971 { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
18972 NULL, 0, "", HFILL }},
18974 { &hf_smb_unix_file_link_dest,
18975 { "Link destination", "smb.unix.file.link_dest", FT_STRING,
18976 BASE_NONE, NULL, 0, "", HFILL }},
18978 { &hf_smb_unix_find_file_nextoffset,
18979 { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
18980 NULL, 0, "", HFILL }},
18982 { &hf_smb_unix_find_file_resumekey,
18983 { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
18984 NULL, 0, "", HFILL }},
18988 { &hf_smb_access_mask,
18989 { "Access required", "smb.access_mask",
18990 FT_UINT32, BASE_HEX, NULL, 0x0, "Access mask",
18992 { &hf_access_generic_read,
18993 { "Generic read", "nt.access_mask.generic_read",
18994 FT_BOOLEAN, 32, TFS(&flags_set_truth),
18995 GENERIC_READ_ACCESS, "Generic read", HFILL }},
18997 { &hf_access_generic_write,
18998 { "Generic write", "nt.access_mask.generic_write",
18999 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19000 GENERIC_WRITE_ACCESS, "Generic write", HFILL }},
19002 { &hf_access_generic_execute,
19003 { "Generic execute", "nt.access_mask.generic_execute",
19004 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19005 GENERIC_EXECUTE_ACCESS, "Generic execute", HFILL }},
19007 { &hf_access_generic_all,
19008 { "Generic all", "nt.access_mask.generic_all",
19009 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19010 GENERIC_ALL_ACCESS, "Generic all", HFILL }},
19012 { &hf_access_maximum_allowed,
19013 { "Maximum allowed", "nt.access_mask.maximum_allowed",
19014 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19015 MAXIMUM_ALLOWED_ACCESS, "Maximum allowed", HFILL }},
19018 { "Access SACL", "nt.access_mask.access_sacl",
19019 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19020 ACCESS_SACL_ACCESS, "Access SACL", HFILL }},
19022 { &hf_access_standard_read_control,
19023 { "Read control", "nt.access_mask.read_control",
19024 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19025 READ_CONTROL_ACCESS, "Read control", HFILL }},
19027 { &hf_access_standard_delete,
19028 { "Delete", "nt.access_mask.delete",
19029 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19030 DELETE_ACCESS, "Delete", HFILL }},
19032 { &hf_access_standard_synchronise,
19033 { "Synchronise", "nt.access_mask.synchronise",
19034 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19035 SYNCHRONIZE_ACCESS, "Synchronise", HFILL }},
19037 { &hf_access_standard_write_dac,
19038 { "Write DAC", "nt.access_mask.write_dac",
19039 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19040 WRITE_DAC_ACCESS, "Write DAC", HFILL }},
19042 { &hf_access_standard_write_owner,
19043 { "Write owner", "nt.access_mask.write_owner",
19044 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19045 WRITE_OWNER_ACCESS, "Write owner", HFILL }},
19047 { &hf_access_specific_15,
19048 { "Specific access, bit 15", "nt.access_mask.specific_15",
19049 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19050 0x8000, "Specific access, bit 15", HFILL }},
19052 { &hf_access_specific_14,
19053 { "Specific access, bit 14", "nt.access_mask.specific_14",
19054 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19055 0x4000, "Specific access, bit 14", HFILL }},
19057 { &hf_access_specific_13,
19058 { "Specific access, bit 13", "nt.access_mask.specific_13",
19059 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19060 0x2000, "Specific access, bit 13", HFILL }},
19062 { &hf_access_specific_12,
19063 { "Specific access, bit 12", "nt.access_mask.specific_12",
19064 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19065 0x1000, "Specific access, bit 12", HFILL }},
19067 { &hf_access_specific_11,
19068 { "Specific access, bit 11", "nt.access_mask.specific_11",
19069 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19070 0x0800, "Specific access, bit 11", HFILL }},
19072 { &hf_access_specific_10,
19073 { "Specific access, bit 10", "nt.access_mask.specific_10",
19074 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19075 0x0400, "Specific access, bit 10", HFILL }},
19077 { &hf_access_specific_9,
19078 { "Specific access, bit 9", "nt.access_mask.specific_9",
19079 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19080 0x0200, "Specific access, bit 9", HFILL }},
19082 { &hf_access_specific_8,
19083 { "Specific access, bit 8", "nt.access_mask.specific_8",
19084 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19085 0x0100, "Specific access, bit 8", HFILL }},
19087 { &hf_access_specific_7,
19088 { "Specific access, bit 7", "nt.access_mask.specific_7",
19089 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19090 0x0080, "Specific access, bit 7", HFILL }},
19092 { &hf_access_specific_6,
19093 { "Specific access, bit 6", "nt.access_mask.specific_6",
19094 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19095 0x0040, "Specific access, bit 6", HFILL }},
19097 { &hf_access_specific_5,
19098 { "Specific access, bit 5", "nt.access_mask.specific_5",
19099 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19100 0x0020, "Specific access, bit 5", HFILL }},
19102 { &hf_access_specific_4,
19103 { "Specific access, bit 4", "nt.access_mask.specific_4",
19104 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19105 0x0010, "Specific access, bit 4", HFILL }},
19107 { &hf_access_specific_3,
19108 { "Specific access, bit 3", "nt.access_mask.specific_3",
19109 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19110 0x0008, "Specific access, bit 3", HFILL }},
19112 { &hf_access_specific_2,
19113 { "Specific access, bit 2", "nt.access_mask.specific_2",
19114 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19115 0x0004, "Specific access, bit 2", HFILL }},
19117 { &hf_access_specific_1,
19118 { "Specific access, bit 1", "nt.access_mask.specific_1",
19119 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19120 0x0002, "Specific access, bit 1", HFILL }},
19122 { &hf_access_specific_0,
19123 { "Specific access, bit 0", "nt.access_mask.specific_0",
19124 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19125 0x0001, "Specific access, bit 0", HFILL }}
19128 static gint *ett[] = {
19132 &ett_smb_fileattributes,
19133 &ett_smb_capabilities,
19141 &ett_smb_desiredaccess,
19144 &ett_smb_openfunction,
19146 &ett_smb_openaction,
19147 &ett_smb_writemode,
19148 &ett_smb_lock_type,
19149 &ett_smb_ssetupandxaction,
19150 &ett_smb_optionsup,
19151 &ett_smb_time_date,
19152 &ett_smb_move_copy_flags,
19153 &ett_smb_file_attributes,
19154 &ett_smb_search_resume_key,
19155 &ett_smb_search_dir_info,
19160 &ett_smb_open_flags,
19161 &ett_smb_ipc_state,
19162 &ett_smb_open_action,
19163 &ett_smb_setup_action,
19164 &ett_smb_connect_flags,
19165 &ett_smb_connect_support_bits,
19166 &ett_smb_nt_access_mask,
19167 &ett_smb_nt_create_bits,
19168 &ett_smb_nt_create_options,
19169 &ett_smb_nt_share_access,
19170 &ett_smb_nt_security_flags,
19171 &ett_smb_nt_trans_setup,
19172 &ett_smb_nt_trans_data,
19173 &ett_smb_nt_trans_param,
19174 &ett_smb_nt_notify_completion_filter,
19175 &ett_smb_nt_ioctl_flags,
19176 &ett_smb_security_information_mask,
19177 &ett_smb_print_queue_entry,
19178 &ett_smb_transaction_flags,
19179 &ett_smb_transaction_params,
19180 &ett_smb_find_first2_flags,
19184 &ett_smb_transaction_data,
19185 &ett_smb_stream_info,
19186 &ett_smb_dfs_referrals,
19187 &ett_smb_dfs_referral,
19188 &ett_smb_dfs_referral_flags,
19189 &ett_smb_get_dfs_flags,
19191 &ett_smb_device_characteristics,
19192 &ett_smb_fs_attributes,
19199 &ett_smb_ace_flags,
19200 &ett_smb_sec_desc_type,
19201 &ett_smb_quotaflags,
19203 &ett_smb_mac_support_flags,
19204 &ett_nt_access_mask,
19205 &ett_nt_access_mask_generic,
19206 &ett_nt_access_mask_standard,
19207 &ett_nt_access_mask_specific,
19208 &ett_smb_unicode_password,
19210 &ett_smb_unix_capabilities
19212 module_t *smb_module;
19214 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
19216 proto_register_subtree_array(ett, array_length(ett));
19217 proto_register_field_array(proto_smb, hf, array_length(hf));
19219 register_smb_common(proto_smb);
19221 register_init_routine(&smb_init_protocol);
19222 smb_module = prefs_register_protocol(proto_smb, NULL);
19223 prefs_register_bool_preference(smb_module, "trans_reassembly",
19224 "Reassemble SMB Transaction payload",
19225 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
19226 &smb_trans_reassembly);
19227 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
19228 "Reassemble DCERPC over SMB",
19229 "Whether the dissector should reassemble DCERPC over SMB commands",
19230 &smb_dcerpc_reassembly);
19231 prefs_register_bool_preference(smb_module, "sid_name_snooping",
19232 "Snoop SID to Name mappings",
19233 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
19234 &sid_name_snooping);
19236 register_init_routine(smb_trans_reassembly_init);
19237 smb_tap = register_tap("smb");
19241 proto_reg_handoff_smb(void)
19243 dissector_handle_t smb_handle;
19245 gssapi_handle = find_dissector("gssapi");
19246 ntlmssp_handle = find_dissector("ntlmssp");
19248 heur_dissector_add("netbios", dissect_smb_heur, proto_smb);
19249 heur_dissector_add("cotp", dissect_smb_heur, proto_smb);
19250 heur_dissector_add("vines_spp", dissect_smb_heur, proto_smb);
19251 smb_handle = create_dissector_handle(dissect_smb, proto_smb);
19252 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
19253 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
19254 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER,