2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.241 2002/04/09 23:56:57 tpot Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_NETINET_IN_H
40 # include <netinet/in.h>
47 #include <epan/packet.h>
48 #include <epan/conversation.h>
50 #include "alignment.h"
51 #include <epan/strutil.h>
53 #include "reassemble.h"
55 #include "packet-smb-mailslot.h"
56 #include "packet-smb-pipe.h"
59 * Various specifications and documents about SMB can be found in
61 * ftp://ftp.microsoft.com/developr/drg/CIFS/
63 * and a CIFS draft from the Storage Networking Industry Association
64 * can be found on a link from the page at
66 * http://www.snia.org/English/Work_Groups/NAS/CIFS/WG_CIFS_Docs.html
68 * (it supercedes the document at
70 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
74 * There are also some Open Group publications documenting CIFS for sale;
75 * catalog entries for them are at:
77 * http://www.opengroup.org/products/publications/catalog/c209.htm
79 * http://www.opengroup.org/products/publications/catalog/c195.htm
81 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
84 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
86 * (or, presumably a similar path under the Samba mirrors). As the
87 * ".doc" indicates, it's a Word document. Some of the specs from the
88 * Microsoft FTP site can be found in the
90 * http://www.samba.org/samba/ftp/specs/
94 * Beware - these specs may have errors.
96 static int proto_smb = -1;
97 static int hf_smb_cmd = -1;
98 static int hf_smb_pid = -1;
99 static int hf_smb_tid = -1;
100 static int hf_smb_uid = -1;
101 static int hf_smb_mid = -1;
102 static int hf_smb_response_to = -1;
103 static int hf_smb_response_in = -1;
104 static int hf_smb_continuation_to = -1;
105 static int hf_smb_nt_status = -1;
106 static int hf_smb_error_class = -1;
107 static int hf_smb_error_code = -1;
108 static int hf_smb_reserved = -1;
109 static int hf_smb_flags_lock = -1;
110 static int hf_smb_flags_receive_buffer = -1;
111 static int hf_smb_flags_caseless = -1;
112 static int hf_smb_flags_canon = -1;
113 static int hf_smb_flags_oplock = -1;
114 static int hf_smb_flags_notify = -1;
115 static int hf_smb_flags_response = -1;
116 static int hf_smb_flags2_long_names_allowed = -1;
117 static int hf_smb_flags2_ea = -1;
118 static int hf_smb_flags2_sec_sig = -1;
119 static int hf_smb_flags2_long_names_used = -1;
120 static int hf_smb_flags2_esn = -1;
121 static int hf_smb_flags2_dfs = -1;
122 static int hf_smb_flags2_roe = -1;
123 static int hf_smb_flags2_nt_error = -1;
124 static int hf_smb_flags2_string = -1;
125 static int hf_smb_word_count = -1;
126 static int hf_smb_byte_count = -1;
127 static int hf_smb_buffer_format = -1;
128 static int hf_smb_dialect_name = -1;
129 static int hf_smb_dialect_index = -1;
130 static int hf_smb_max_trans_buf_size = -1;
131 static int hf_smb_max_mpx_count = -1;
132 static int hf_smb_max_vcs_num = -1;
133 static int hf_smb_session_key = -1;
134 static int hf_smb_server_timezone = -1;
135 static int hf_smb_encryption_key_length = -1;
136 static int hf_smb_encryption_key = -1;
137 static int hf_smb_primary_domain = -1;
138 static int hf_smb_max_raw_buf_size = -1;
139 static int hf_smb_server_guid = -1;
140 static int hf_smb_security_blob_len = -1;
141 static int hf_smb_security_blob = -1;
142 static int hf_smb_sm_mode16 = -1;
143 static int hf_smb_sm_password16 = -1;
144 static int hf_smb_sm_mode = -1;
145 static int hf_smb_sm_password = -1;
146 static int hf_smb_sm_signatures = -1;
147 static int hf_smb_sm_sig_required = -1;
148 static int hf_smb_rm_read = -1;
149 static int hf_smb_rm_write = -1;
150 static int hf_smb_server_date_time = -1;
151 static int hf_smb_server_smb_date = -1;
152 static int hf_smb_server_smb_time = -1;
153 static int hf_smb_server_cap_raw_mode = -1;
154 static int hf_smb_server_cap_mpx_mode = -1;
155 static int hf_smb_server_cap_unicode = -1;
156 static int hf_smb_server_cap_large_files = -1;
157 static int hf_smb_server_cap_nt_smbs = -1;
158 static int hf_smb_server_cap_rpc_remote_apis = -1;
159 static int hf_smb_server_cap_nt_status = -1;
160 static int hf_smb_server_cap_level_ii_oplocks = -1;
161 static int hf_smb_server_cap_lock_and_read = -1;
162 static int hf_smb_server_cap_nt_find = -1;
163 static int hf_smb_server_cap_dfs = -1;
164 static int hf_smb_server_cap_infolevel_passthru = -1;
165 static int hf_smb_server_cap_large_readx = -1;
166 static int hf_smb_server_cap_large_writex = -1;
167 static int hf_smb_server_cap_unix = -1;
168 static int hf_smb_server_cap_reserved = -1;
169 static int hf_smb_server_cap_bulk_transfer = -1;
170 static int hf_smb_server_cap_compressed_data = -1;
171 static int hf_smb_server_cap_extended_security = -1;
172 static int hf_smb_system_time = -1;
173 static int hf_smb_unknown = -1;
174 static int hf_smb_dir_name = -1;
175 static int hf_smb_echo_count = -1;
176 static int hf_smb_echo_data = -1;
177 static int hf_smb_echo_seq_num = -1;
178 static int hf_smb_max_buf_size = -1;
179 static int hf_smb_password = -1;
180 static int hf_smb_password_len = -1;
181 static int hf_smb_ansi_password = -1;
182 static int hf_smb_ansi_password_len = -1;
183 static int hf_smb_unicode_password = -1;
184 static int hf_smb_unicode_password_len = -1;
185 static int hf_smb_path = -1;
186 static int hf_smb_service = -1;
187 static int hf_smb_move_flags_file = -1;
188 static int hf_smb_move_flags_dir = -1;
189 static int hf_smb_move_flags_verify = -1;
190 static int hf_smb_move_files_moved = -1;
191 static int hf_smb_count = -1;
192 static int hf_smb_file_name = -1;
193 static int hf_smb_open_function_open = -1;
194 static int hf_smb_open_function_create = -1;
195 static int hf_smb_fid = -1;
196 static int hf_smb_file_attr_read_only_16bit = -1;
197 static int hf_smb_file_attr_read_only_8bit = -1;
198 static int hf_smb_file_attr_hidden_16bit = -1;
199 static int hf_smb_file_attr_hidden_8bit = -1;
200 static int hf_smb_file_attr_system_16bit = -1;
201 static int hf_smb_file_attr_system_8bit = -1;
202 static int hf_smb_file_attr_volume_16bit = -1;
203 static int hf_smb_file_attr_volume_8bit = -1;
204 static int hf_smb_file_attr_directory_16bit = -1;
205 static int hf_smb_file_attr_directory_8bit = -1;
206 static int hf_smb_file_attr_archive_16bit = -1;
207 static int hf_smb_file_attr_archive_8bit = -1;
208 static int hf_smb_file_attr_device = -1;
209 static int hf_smb_file_attr_normal = -1;
210 static int hf_smb_file_attr_temporary = -1;
211 static int hf_smb_file_attr_sparse = -1;
212 static int hf_smb_file_attr_reparse = -1;
213 static int hf_smb_file_attr_compressed = -1;
214 static int hf_smb_file_attr_offline = -1;
215 static int hf_smb_file_attr_not_content_indexed = -1;
216 static int hf_smb_file_attr_encrypted = -1;
217 static int hf_smb_file_size = -1;
218 static int hf_smb_search_attribute_read_only = -1;
219 static int hf_smb_search_attribute_hidden = -1;
220 static int hf_smb_search_attribute_system = -1;
221 static int hf_smb_search_attribute_volume = -1;
222 static int hf_smb_search_attribute_directory = -1;
223 static int hf_smb_search_attribute_archive = -1;
224 static int hf_smb_access_mode = -1;
225 static int hf_smb_access_sharing = -1;
226 static int hf_smb_access_locality = -1;
227 static int hf_smb_access_caching = -1;
228 static int hf_smb_access_writetru = -1;
229 static int hf_smb_create_time = -1;
230 static int hf_smb_create_dos_date = -1;
231 static int hf_smb_create_dos_time = -1;
232 static int hf_smb_last_write_time = -1;
233 static int hf_smb_last_write_dos_date = -1;
234 static int hf_smb_last_write_dos_time = -1;
235 static int hf_smb_access_time = -1;
236 static int hf_smb_access_dos_date = -1;
237 static int hf_smb_access_dos_time = -1;
238 static int hf_smb_old_file_name = -1;
239 static int hf_smb_offset = -1;
240 static int hf_smb_remaining = -1;
241 static int hf_smb_padding = -1;
242 static int hf_smb_file_data = -1;
243 static int hf_smb_total_data_len = -1;
244 static int hf_smb_data_len = -1;
245 static int hf_smb_seek_mode = -1;
246 static int hf_smb_data_size = -1;
247 static int hf_smb_alloc_size = -1;
248 static int hf_smb_alloc_size64 = -1;
249 static int hf_smb_max_count = -1;
250 static int hf_smb_min_count = -1;
251 static int hf_smb_timeout = -1;
252 static int hf_smb_high_offset = -1;
253 static int hf_smb_units = -1;
254 static int hf_smb_bpu = -1;
255 static int hf_smb_blocksize = -1;
256 static int hf_smb_freeunits = -1;
257 static int hf_smb_data_offset = -1;
258 static int hf_smb_dcm = -1;
259 static int hf_smb_request_mask = -1;
260 static int hf_smb_response_mask = -1;
261 static int hf_smb_sid = -1;
262 static int hf_smb_write_mode_write_through = -1;
263 static int hf_smb_write_mode_return_remaining = -1;
264 static int hf_smb_write_mode_raw = -1;
265 static int hf_smb_write_mode_message_start = -1;
266 static int hf_smb_write_mode_connectionless = -1;
267 static int hf_smb_resume_key_len = -1;
268 static int hf_smb_resume_server_cookie = -1;
269 static int hf_smb_resume_client_cookie = -1;
270 static int hf_smb_andxoffset = -1;
271 static int hf_smb_lock_type_large = -1;
272 static int hf_smb_lock_type_cancel = -1;
273 static int hf_smb_lock_type_change = -1;
274 static int hf_smb_lock_type_oplock = -1;
275 static int hf_smb_lock_type_shared = -1;
276 static int hf_smb_locking_ol = -1;
277 static int hf_smb_number_of_locks = -1;
278 static int hf_smb_number_of_unlocks = -1;
279 static int hf_smb_lock_long_offset = -1;
280 static int hf_smb_lock_long_length = -1;
281 static int hf_smb_file_type = -1;
282 static int hf_smb_ipc_state_nonblocking = -1;
283 static int hf_smb_ipc_state_endpoint = -1;
284 static int hf_smb_ipc_state_pipe_type = -1;
285 static int hf_smb_ipc_state_read_mode = -1;
286 static int hf_smb_ipc_state_icount = -1;
287 static int hf_smb_server_fid = -1;
288 static int hf_smb_open_flags_add_info = -1;
289 static int hf_smb_open_flags_ex_oplock = -1;
290 static int hf_smb_open_flags_batch_oplock = -1;
291 static int hf_smb_open_flags_ealen = -1;
292 static int hf_smb_open_action_open = -1;
293 static int hf_smb_open_action_lock = -1;
294 static int hf_smb_vc_num = -1;
295 static int hf_smb_account = -1;
296 static int hf_smb_os = -1;
297 static int hf_smb_lanman = -1;
298 static int hf_smb_setup_action_guest = -1;
299 static int hf_smb_fs = -1;
300 static int hf_smb_connect_flags_dtid = -1;
301 static int hf_smb_connect_support_search = -1;
302 static int hf_smb_connect_support_in_dfs = -1;
303 static int hf_smb_max_setup_count = -1;
304 static int hf_smb_total_param_count = -1;
305 static int hf_smb_total_data_count = -1;
306 static int hf_smb_max_param_count = -1;
307 static int hf_smb_max_data_count = -1;
308 static int hf_smb_param_disp16 = -1;
309 static int hf_smb_param_count16 = -1;
310 static int hf_smb_param_offset16 = -1;
311 static int hf_smb_param_disp32 = -1;
312 static int hf_smb_param_count32 = -1;
313 static int hf_smb_param_offset32 = -1;
314 static int hf_smb_data_disp16 = -1;
315 static int hf_smb_data_count16 = -1;
316 static int hf_smb_data_offset16 = -1;
317 static int hf_smb_data_disp32 = -1;
318 static int hf_smb_data_count32 = -1;
319 static int hf_smb_data_offset32 = -1;
320 static int hf_smb_setup_count = -1;
321 static int hf_smb_nt_trans_subcmd = -1;
322 static int hf_smb_nt_ioctl_function_code = -1;
323 static int hf_smb_nt_ioctl_isfsctl = -1;
324 static int hf_smb_nt_ioctl_flags_root_handle = -1;
325 static int hf_smb_nt_ioctl_data = -1;
326 static int hf_smb_nt_security_information = -1;
327 static int hf_smb_nt_notify_action = -1;
328 static int hf_smb_nt_notify_watch_tree = -1;
329 static int hf_smb_nt_notify_stream_write = -1;
330 static int hf_smb_nt_notify_stream_size = -1;
331 static int hf_smb_nt_notify_stream_name = -1;
332 static int hf_smb_nt_notify_security = -1;
333 static int hf_smb_nt_notify_ea = -1;
334 static int hf_smb_nt_notify_creation = -1;
335 static int hf_smb_nt_notify_last_access = -1;
336 static int hf_smb_nt_notify_last_write = -1;
337 static int hf_smb_nt_notify_size = -1;
338 static int hf_smb_nt_notify_attributes = -1;
339 static int hf_smb_nt_notify_dir_name = -1;
340 static int hf_smb_nt_notify_file_name = -1;
341 static int hf_smb_root_dir_fid = -1;
342 static int hf_smb_nt_create_disposition = -1;
343 static int hf_smb_sd_length = -1;
344 static int hf_smb_ea_length = -1;
345 static int hf_smb_file_name_len = -1;
346 static int hf_smb_nt_impersonation_level = -1;
347 static int hf_smb_nt_security_flags_context_tracking = -1;
348 static int hf_smb_nt_security_flags_effective_only = -1;
349 static int hf_smb_nt_access_mask_generic_read = -1;
350 static int hf_smb_nt_access_mask_generic_write = -1;
351 static int hf_smb_nt_access_mask_generic_execute = -1;
352 static int hf_smb_nt_access_mask_generic_all = -1;
353 static int hf_smb_nt_access_mask_maximum_allowed = -1;
354 static int hf_smb_nt_access_mask_system_security = -1;
355 static int hf_smb_nt_access_mask_synchronize = -1;
356 static int hf_smb_nt_access_mask_write_owner = -1;
357 static int hf_smb_nt_access_mask_write_dac = -1;
358 static int hf_smb_nt_access_mask_read_control = -1;
359 static int hf_smb_nt_access_mask_delete = -1;
360 static int hf_smb_nt_access_mask_write_attributes = -1;
361 static int hf_smb_nt_access_mask_read_attributes = -1;
362 static int hf_smb_nt_access_mask_delete_child = -1;
363 static int hf_smb_nt_access_mask_execute = -1;
364 static int hf_smb_nt_access_mask_write_ea = -1;
365 static int hf_smb_nt_access_mask_read_ea = -1;
366 static int hf_smb_nt_access_mask_append = -1;
367 static int hf_smb_nt_access_mask_write = -1;
368 static int hf_smb_nt_access_mask_read = -1;
369 static int hf_smb_nt_create_bits_oplock = -1;
370 static int hf_smb_nt_create_bits_boplock = -1;
371 static int hf_smb_nt_create_bits_dir = -1;
372 static int hf_smb_nt_create_options_directory_file = -1;
373 static int hf_smb_nt_create_options_write_through = -1;
374 static int hf_smb_nt_create_options_sequential_only = -1;
375 static int hf_smb_nt_create_options_sync_io_alert = -1;
376 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
377 static int hf_smb_nt_create_options_non_directory_file = -1;
378 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
379 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
380 static int hf_smb_nt_create_options_random_access = -1;
381 static int hf_smb_nt_create_options_delete_on_close = -1;
382 static int hf_smb_nt_share_access_read = -1;
383 static int hf_smb_nt_share_access_write = -1;
384 static int hf_smb_nt_share_access_delete = -1;
385 static int hf_smb_file_eattr_read_only = -1;
386 static int hf_smb_file_eattr_hidden = -1;
387 static int hf_smb_file_eattr_system = -1;
388 static int hf_smb_file_eattr_volume = -1;
389 static int hf_smb_file_eattr_directory = -1;
390 static int hf_smb_file_eattr_archive = -1;
391 static int hf_smb_file_eattr_device = -1;
392 static int hf_smb_file_eattr_normal = -1;
393 static int hf_smb_file_eattr_temporary = -1;
394 static int hf_smb_file_eattr_sparse = -1;
395 static int hf_smb_file_eattr_reparse = -1;
396 static int hf_smb_file_eattr_compressed = -1;
397 static int hf_smb_file_eattr_offline = -1;
398 static int hf_smb_file_eattr_not_content_indexed = -1;
399 static int hf_smb_file_eattr_encrypted = -1;
400 static int hf_smb_file_eattr_write_through = -1;
401 static int hf_smb_file_eattr_no_buffering = -1;
402 static int hf_smb_file_eattr_random_access = -1;
403 static int hf_smb_file_eattr_sequential_scan = -1;
404 static int hf_smb_file_eattr_delete_on_close = -1;
405 static int hf_smb_file_eattr_backup_semantics = -1;
406 static int hf_smb_file_eattr_posix_semantics = -1;
407 static int hf_smb_sec_desc_len = -1;
408 static int hf_smb_sec_desc_revision = -1;
409 static int hf_smb_sec_desc_type_owner_defaulted = -1;
410 static int hf_smb_sec_desc_type_group_defaulted = -1;
411 static int hf_smb_sec_desc_type_dacl_present = -1;
412 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
413 static int hf_smb_sec_desc_type_sacl_present = -1;
414 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
415 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
416 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
417 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
418 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
419 static int hf_smb_sec_desc_type_dacl_protected = -1;
420 static int hf_smb_sec_desc_type_sacl_protected = -1;
421 static int hf_smb_sec_desc_type_self_relative = -1;
422 static int hf_smb_sid_revision = -1;
423 static int hf_smb_sid_num_auth = -1;
424 static int hf_smb_acl_revision = -1;
425 static int hf_smb_acl_size = -1;
426 static int hf_smb_acl_num_aces = -1;
427 static int hf_smb_ace_type = -1;
428 static int hf_smb_ace_size = -1;
429 static int hf_smb_ace_flags_object_inherit = -1;
430 static int hf_smb_ace_flags_container_inherit = -1;
431 static int hf_smb_ace_flags_non_propagate_inherit = -1;
432 static int hf_smb_ace_flags_inherit_only = -1;
433 static int hf_smb_ace_flags_inherited_ace = -1;
434 static int hf_smb_ace_flags_successful_access = -1;
435 static int hf_smb_ace_flags_failed_access = -1;
436 static int hf_smb_nt_qsd_owner = -1;
437 static int hf_smb_nt_qsd_group = -1;
438 static int hf_smb_nt_qsd_dacl = -1;
439 static int hf_smb_nt_qsd_sacl = -1;
440 static int hf_smb_extended_attributes = -1;
441 static int hf_smb_oplock_level = -1;
442 static int hf_smb_create_action = -1;
443 static int hf_smb_ea_error_offset = -1;
444 static int hf_smb_end_of_file = -1;
445 static int hf_smb_device_type = -1;
446 static int hf_smb_is_directory = -1;
447 static int hf_smb_next_entry_offset = -1;
448 static int hf_smb_change_time = -1;
449 static int hf_smb_setup_len = -1;
450 static int hf_smb_print_mode = -1;
451 static int hf_smb_print_identifier = -1;
452 static int hf_smb_restart_index = -1;
453 static int hf_smb_print_queue_date = -1;
454 static int hf_smb_print_queue_dos_date = -1;
455 static int hf_smb_print_queue_dos_time = -1;
456 static int hf_smb_print_status = -1;
457 static int hf_smb_print_spool_file_number = -1;
458 static int hf_smb_print_spool_file_size = -1;
459 static int hf_smb_print_spool_file_name = -1;
460 static int hf_smb_start_index = -1;
461 static int hf_smb_cancel_to = -1;
462 static int hf_smb_trans2_subcmd = -1;
463 static int hf_smb_trans_name = -1;
464 static int hf_smb_transaction_flags_dtid = -1;
465 static int hf_smb_transaction_flags_owt = -1;
466 static int hf_smb_search_count = -1;
467 static int hf_smb_search_pattern = -1;
468 static int hf_smb_ff2_backup = -1;
469 static int hf_smb_ff2_continue = -1;
470 static int hf_smb_ff2_resume = -1;
471 static int hf_smb_ff2_close_eos = -1;
472 static int hf_smb_ff2_close = -1;
473 static int hf_smb_ff2_information_level = -1;
474 static int hf_smb_qpi_loi = -1;
475 static int hf_smb_storage_type = -1;
476 static int hf_smb_resume = -1;
477 static int hf_smb_max_referral_level = -1;
478 static int hf_smb_qfsi_information_level = -1;
479 static int hf_smb_ea_size = -1;
480 static int hf_smb_list_length = -1;
481 static int hf_smb_number_of_links = -1;
482 static int hf_smb_delete_pending = -1;
483 static int hf_smb_index_number = -1;
484 static int hf_smb_current_offset = -1;
485 static int hf_smb_t2_alignment = -1;
486 static int hf_smb_t2_stream_name_length = -1;
487 static int hf_smb_t2_stream_size = -1;
488 static int hf_smb_t2_stream_name = -1;
489 static int hf_smb_t2_compressed_file_size = -1;
490 static int hf_smb_t2_compressed_format = -1;
491 static int hf_smb_t2_compressed_unit_shift = -1;
492 static int hf_smb_t2_compressed_chunk_shift = -1;
493 static int hf_smb_t2_compressed_cluster_shift = -1;
494 static int hf_smb_dfs_path_consumed = -1;
495 static int hf_smb_dfs_num_referrals = -1;
496 static int hf_smb_get_dfs_server_hold_storage = -1;
497 static int hf_smb_get_dfs_fielding = -1;
498 static int hf_smb_dfs_referral_version = -1;
499 static int hf_smb_dfs_referral_size = -1;
500 static int hf_smb_dfs_referral_server_type = -1;
501 static int hf_smb_dfs_referral_flags_strip = -1;
502 static int hf_smb_dfs_referral_node_offset = -1;
503 static int hf_smb_dfs_referral_node = -1;
504 static int hf_smb_dfs_referral_proximity = -1;
505 static int hf_smb_dfs_referral_ttl = -1;
506 static int hf_smb_dfs_referral_path_offset = -1;
507 static int hf_smb_dfs_referral_path = -1;
508 static int hf_smb_dfs_referral_alt_path_offset = -1;
509 static int hf_smb_dfs_referral_alt_path = -1;
510 static int hf_smb_end_of_search = -1;
511 static int hf_smb_last_name_offset = -1;
512 static int hf_smb_file_index = -1;
513 static int hf_smb_short_file_name = -1;
514 static int hf_smb_short_file_name_len = -1;
515 static int hf_smb_fs_id = -1;
516 static int hf_smb_sector_unit = -1;
517 static int hf_smb_fs_units = -1;
518 static int hf_smb_fs_sector = -1;
519 static int hf_smb_avail_units = -1;
520 static int hf_smb_volume_serial_num = -1;
521 static int hf_smb_volume_label_len = -1;
522 static int hf_smb_volume_label = -1;
523 static int hf_smb_free_alloc_units64 = -1;
524 static int hf_smb_max_name_len = -1;
525 static int hf_smb_fs_name_len = -1;
526 static int hf_smb_fs_name = -1;
527 static int hf_smb_device_char_removable = -1;
528 static int hf_smb_device_char_read_only = -1;
529 static int hf_smb_device_char_floppy = -1;
530 static int hf_smb_device_char_write_once = -1;
531 static int hf_smb_device_char_remote = -1;
532 static int hf_smb_device_char_mounted = -1;
533 static int hf_smb_device_char_virtual = -1;
534 static int hf_smb_fs_attr_css = -1;
535 static int hf_smb_fs_attr_cpn = -1;
536 static int hf_smb_fs_attr_pacls = -1;
537 static int hf_smb_fs_attr_fc = -1;
538 static int hf_smb_fs_attr_vq = -1;
539 static int hf_smb_fs_attr_dim = -1;
540 static int hf_smb_fs_attr_vic = -1;
541 static int hf_smb_quota_flags_enabled = -1;
542 static int hf_smb_quota_flags_deny_disk = -1;
543 static int hf_smb_quota_flags_log_limit = -1;
544 static int hf_smb_quota_flags_log_warning = -1;
545 static int hf_smb_soft_quota_limit = -1;
546 static int hf_smb_hard_quota_limit = -1;
547 static int hf_smb_user_quota_used = -1;
548 static int hf_smb_user_quota_offset = -1;
550 static gint ett_smb = -1;
551 static gint ett_smb_hdr = -1;
552 static gint ett_smb_command = -1;
553 static gint ett_smb_fileattributes = -1;
554 static gint ett_smb_capabilities = -1;
555 static gint ett_smb_aflags = -1;
556 static gint ett_smb_dialect = -1;
557 static gint ett_smb_dialects = -1;
558 static gint ett_smb_mode = -1;
559 static gint ett_smb_rawmode = -1;
560 static gint ett_smb_flags = -1;
561 static gint ett_smb_flags2 = -1;
562 static gint ett_smb_desiredaccess = -1;
563 static gint ett_smb_search = -1;
564 static gint ett_smb_file = -1;
565 static gint ett_smb_openfunction = -1;
566 static gint ett_smb_filetype = -1;
567 static gint ett_smb_openaction = -1;
568 static gint ett_smb_writemode = -1;
569 static gint ett_smb_lock_type = -1;
570 static gint ett_smb_ssetupandxaction = -1;
571 static gint ett_smb_optionsup = -1;
572 static gint ett_smb_time_date = -1;
573 static gint ett_smb_move_flags = -1;
574 static gint ett_smb_file_attributes = -1;
575 static gint ett_smb_search_resume_key = -1;
576 static gint ett_smb_search_dir_info = -1;
577 static gint ett_smb_unlocks = -1;
578 static gint ett_smb_unlock = -1;
579 static gint ett_smb_locks = -1;
580 static gint ett_smb_lock = -1;
581 static gint ett_smb_open_flags = -1;
582 static gint ett_smb_ipc_state = -1;
583 static gint ett_smb_open_action = -1;
584 static gint ett_smb_setup_action = -1;
585 static gint ett_smb_connect_flags = -1;
586 static gint ett_smb_connect_support_bits = -1;
587 static gint ett_smb_nt_access_mask = -1;
588 static gint ett_smb_nt_create_bits = -1;
589 static gint ett_smb_nt_create_options = -1;
590 static gint ett_smb_nt_share_access = -1;
591 static gint ett_smb_nt_security_flags = -1;
592 static gint ett_smb_nt_trans_setup = -1;
593 static gint ett_smb_nt_trans_data = -1;
594 static gint ett_smb_nt_trans_param = -1;
595 static gint ett_smb_nt_notify_completion_filter = -1;
596 static gint ett_smb_nt_ioctl_flags = -1;
597 static gint ett_smb_security_information_mask = -1;
598 static gint ett_smb_print_queue_entry = -1;
599 static gint ett_smb_transaction_flags = -1;
600 static gint ett_smb_transaction_params = -1;
601 static gint ett_smb_find_first2_flags = -1;
602 static gint ett_smb_transaction_data = -1;
603 static gint ett_smb_stream_info = -1;
604 static gint ett_smb_dfs_referrals = -1;
605 static gint ett_smb_dfs_referral = -1;
606 static gint ett_smb_dfs_referral_flags = -1;
607 static gint ett_smb_get_dfs_flags = -1;
608 static gint ett_smb_ff2_data = -1;
609 static gint ett_smb_device_characteristics = -1;
610 static gint ett_smb_fs_attributes = -1;
611 static gint ett_smb_segments = -1;
612 static gint ett_smb_sec_desc = -1;
613 static gint ett_smb_sid = -1;
614 static gint ett_smb_acl = -1;
615 static gint ett_smb_ace = -1;
616 static gint ett_smb_ace_flags = -1;
617 static gint ett_smb_sec_desc_type = -1;
618 static gint ett_smb_quotaflags = -1;
620 proto_tree *top_tree=NULL; /* ugly */
622 static char *decode_smb_name(unsigned char);
623 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, guint8 cmd);
624 static const gchar *get_unicode_or_ascii_string(tvbuff_t *tvb,
625 int *offsetp, packet_info *pinfo, int *len, gboolean nopad,
626 gboolean exactlen, guint16 *bcp);
629 * Macros for use in the main dissector routines for an SMB.
634 wc = tvb_get_guint8(tvb, offset); \
635 proto_tree_add_uint(tree, hf_smb_word_count, \
636 tvb, offset, 1, wc); \
638 if(wc==0) goto bytecount;
642 bc = tvb_get_letohs(tvb, offset); \
643 proto_tree_add_uint(tree, hf_smb_byte_count, \
644 tvb, offset, 2, bc); \
646 if(bc==0) goto endofcommand;
648 #define CHECK_BYTE_COUNT(len) \
649 if (bc < len) goto endofcommand;
651 #define COUNT_BYTES(len) {\
660 proto_tree_add_text(tree, tvb, offset, bc, \
661 "Extra byte parameters"); \
667 * Macros for use in routines called by them.
669 #define CHECK_BYTE_COUNT_SUBR(len) \
675 #define CHECK_STRING_SUBR(fn) \
681 #define COUNT_BYTES_SUBR(len) \
686 * Macros for use when dissecting transaction parameters and data
688 #define CHECK_BYTE_COUNT_TRANS(len) \
689 if (bc < len) return offset;
691 #define CHECK_STRING_TRANS(fn) \
692 if (fn == NULL) return offset;
694 #define COUNT_BYTES_TRANS(len) \
699 * Macros for use in subrroutines dissecting transaction parameters or data
701 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
702 if (*bcp < len) return offset;
704 #define CHECK_STRING_TRANS_SUBR(fn) \
705 if (fn == NULL) return offset;
707 #define COUNT_BYTES_TRANS_SUBR(len) \
712 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
713 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
714 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
715 static gboolean smb_trans_reassembly = FALSE;
716 gboolean smb_dcerpc_reassembly = FALSE;
718 static GHashTable *smb_trans_fragment_table = NULL;
719 GHashTable *dcerpc_fragment_table = NULL;
722 smb_trans_reassembly_init(void)
724 fragment_table_init(&smb_trans_fragment_table);
727 smb_dcerpc_reassembly_init(void)
729 fragment_table_init(&dcerpc_fragment_table);
733 static fragment_data *
734 smb_trans_defragment(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
735 int offset, int count, int pos, int totlen)
737 fragment_data *fd_head=NULL;
741 more_frags=totlen>(pos+count);
743 si = (smb_info_t *)pinfo->private_data;
744 if (si->sip == NULL) {
746 * We don't have the frame number of the request.
748 * XXX - is there truly nothing we can do here?
749 * Can we not separately keep track of the original
750 * transaction and its continuations, as we did
753 * It is probably not much point in even trying to do something here
754 * if we have never seen the initial request. Without the initial
755 * request we probably miss all parameters and the begining of data
756 * so we cant even call a subdissector since we can not determine
757 * which type of transaction call this is.
762 if(!pinfo->fd->flags.visited){
763 fd_head = fragment_add(tvb, offset, pinfo,
764 si->sip->frame_req, smb_trans_fragment_table,
765 pos, count, more_frags);
767 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
770 /* we only show the defragmented packet for the first fragment,
771 or else we might end up with dissecting one HUGE transaction PDU
772 a LOT of times. (first fragment is the only one containing the setup
774 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
775 SMBs. Takes a LOT of time dissecting and is not fun.
777 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
788 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
789 These variables and functions are used to match
791 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
793 * The information we need to save about a request in order to show the
794 * frame number of the request in the dissection of the reply.
799 } smb_saved_info_key_t;
801 static GMemChunk *smb_saved_info_key_chunk = NULL;
802 static GMemChunk *smb_saved_info_chunk = NULL;
803 static int smb_saved_info_init_count = 200;
805 /* unmatched smb_saved_info structures.
806 For unmatched smb_saved_info structures we store the smb_saved_info
807 structure using the MID and the PID as the key.
809 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
810 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
811 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
814 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
816 register guint32 key1 = (guint32)k1;
817 register guint32 key2 = (guint32)k2;
821 smb_saved_info_hash_unmatched(gconstpointer k)
823 register guint32 key = (guint32)k;
827 /* matched smb_saved_info structures.
828 For matched smb_saved_info structures we store the smb_saved_info
829 structure twice in the table using the frame number, and a combination
830 of the MID and the PID, as the key.
831 The frame number is guaranteed to be unique but if ever someone makes
832 some change that will renumber the frames in a capture we are in BIG trouble.
833 This is not likely though since that would break (among other things) all the
834 reassembly routines as well.
836 We also need the MID as there may be more than one SMB request or reply
837 in a single frame, and we also need the PID as there may be more than
838 one outstanding request with the same MID and different PIDs.
841 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
843 const smb_saved_info_key_t *key1 = k1;
844 const smb_saved_info_key_t *key2 = k2;
845 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
848 smb_saved_info_hash_matched(gconstpointer k)
850 const smb_saved_info_key_t *key = k;
851 return key->frame + key->pid_mid;
855 * The information we need to save about an NT Transaction request in order
856 * to dissect the reply.
860 } smb_nt_transact_info_t;
862 static GMemChunk *smb_nt_transact_info_chunk = NULL;
863 static int smb_nt_transact_info_init_count = 200;
866 * The information we need to save about a Transaction2 request in order
867 * to dissect the reply.
872 } smb_transact2_info_t;
874 static GMemChunk *smb_transact2_info_chunk = NULL;
875 static int smb_transact2_info_init_count = 200;
878 * The information we need to save about a Transaction request in order
879 * to dissect the reply; this includes information for use by the
880 * Remote API dissector.
882 static GMemChunk *smb_transact_info_chunk = NULL;
883 static int smb_transact_info_init_count = 200;
885 static GMemChunk *conv_tables_chunk = NULL;
886 static GSList *conv_tables = NULL;
887 static int conv_tables_count = 10;
890 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
891 End of request/response matching functions
892 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
894 static const value_string buffer_format_vals[] = {
899 {5, "Variable Block"},
904 * UTIME - this is *almost* like a UNIX time stamp, except that it's
905 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
906 * January 1, 1970, 00:00:00 GMT.
908 * This means we have to do some extra work to convert it. This code is
909 * based on the Samba code:
911 * Unix SMB/Netbios implementation.
913 * time handling functions
914 * Copyright (C) Andrew Tridgell 1992-1998
918 * Yield the difference between *A and *B, in seconds, ignoring leap
921 #define TM_YEAR_BASE 1900
924 tm_diff(struct tm *a, struct tm *b)
926 int ay = a->tm_year + (TM_YEAR_BASE - 1);
927 int by = b->tm_year + (TM_YEAR_BASE - 1);
928 int intervening_leap_days =
929 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
932 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
933 int hours = 24*days + (a->tm_hour - b->tm_hour);
934 int minutes = 60*hours + (a->tm_min - b->tm_min);
935 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
941 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
947 struct tm *tm = gmtime(&t);
956 return tm_diff(&tm_utc,tm);
960 * Return the same value as TimeZone, but it should be more efficient.
962 * We keep a table of DST offsets to prevent calling localtime() on each
963 * call of this function. This saves a LOT of time on many unixes.
965 * Updated by Paul Eggert <eggert@twinsun.com>
972 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
973 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
976 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
980 TimeZoneFaster(time_t t)
982 static struct dst_table {time_t start,end; int zone;} *tdt;
983 static struct dst_table *dst_table = NULL;
984 static int table_size = 0;
991 /* Tunis has a 8 day DST region, we need to be careful ... */
992 #define MAX_DST_WIDTH (365*24*60*60)
993 #define MAX_DST_SKIP (7*24*60*60)
995 for (i = 0; i < table_size; i++) {
996 if (t >= dst_table[i].start && t <= dst_table[i].end)
1000 if (i < table_size) {
1001 zone = dst_table[i].zone;
1006 if (dst_table == NULL)
1007 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1009 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1018 dst_table[i].zone = zone;
1019 dst_table[i].start = dst_table[i].end = t;
1021 /* no entry will cover more than 6 months */
1022 low = t - MAX_DST_WIDTH/2;
1026 high = t + MAX_DST_WIDTH/2;
1031 * Widen the new entry using two bisection searches.
1033 while (low+60*60 < dst_table[i].start) {
1034 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1035 t = dst_table[i].start - MAX_DST_SKIP;
1037 t = low + (dst_table[i].start-low)/2;
1038 if (TimeZone(t) == zone)
1039 dst_table[i].start = t;
1044 while (high-60*60 > dst_table[i].end) {
1045 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1046 t = dst_table[i].end + MAX_DST_SKIP;
1048 t = high - (high-dst_table[i].end)/2;
1049 if (TimeZone(t) == zone)
1050 dst_table[i].end = t;
1060 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1061 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1062 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1063 * daylight savings transitions because some local times are ambiguous.
1064 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
1067 LocTimeDiff(time_t lt)
1069 int d = TimeZoneFaster(lt);
1072 /* if overflow occurred, ignore all the adjustments so far */
1073 if (((t < lt) ^ (d < 0)))
1077 * Now t should be close enough to the true UTC to yield the
1080 return TimeZoneFaster(t);
1084 dissect_smb_UTIME(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_date)
1089 timeval = tvb_get_letohl(tvb, offset);
1090 if (timeval == 0xffffffff) {
1091 proto_tree_add_text(tree, tvb, offset, 4,
1092 "%s: No time specified (0xffffffff)",
1093 proto_registrar_get_name(hf_date));
1099 * We add the local time offset.
1101 ts.secs = timeval + LocTimeDiff(timeval);
1104 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1110 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1113 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1115 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1116 * midnight "UTC", in 100ns units.
1117 * Return TRUE if the conversion succeeds, FALSE otherwise.
1119 * According to the Samba code, it appears to be kludge-GMT (at least for
1120 * file listings). This means it's the GMT you get by taking a local time
1121 * and adding the server time zone offset. This is NOT the same as GMT in
1122 * some cases. However, we don't know the server time zone, so we don't
1123 * do that adjustment.
1125 * This code is based on the Samba code:
1127 * Unix SMB/Netbios implementation.
1129 * time handling functions
1130 * Copyright (C) Andrew Tridgell 1992-1998
1133 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1136 /* The next two lines are a fix needed for the
1137 broken SCO compiler. JRA. */
1138 time_t l_time_min = TIME_T_MIN;
1139 time_t l_time_max = TIME_T_MAX;
1141 if (filetime_high == 0)
1145 * Get the time as a double, in seconds and fractional seconds.
1147 d = ((double)filetime_high)*4.0*(double)(1<<30);
1151 /* Now adjust by 369 years, to make the seconds since 1970. */
1152 d -= TIME_FIXUP_CONSTANT;
1154 if (!(l_time_min <= d && d <= l_time_max))
1158 * Get the time as seconds and nanoseconds.
1161 tv->nsecs = (d - tv->secs)*1000000000;
1167 dissect_smb_64bit_time(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_date)
1169 guint32 filetime_high, filetime_low;
1172 /* XXX there seems also to be another special time value which is fairly common :
1174 the meaning of this one is yet unknown
1177 filetime_low = tvb_get_letohl(tvb, offset);
1178 filetime_high = tvb_get_letohl(tvb, offset + 4);
1179 if (filetime_low == 0 && filetime_high == 0) {
1180 proto_tree_add_text(tree, tvb, offset, 8,
1181 "%s: No time specified (0)",
1182 proto_registrar_get_name(hf_date));
1183 } else if(filetime_low==0 && filetime_high==0x80000000){
1184 proto_tree_add_text(tree, tvb, offset, 8,
1185 "%s: Infinity (relative time)",
1186 proto_registrar_get_name(hf_date));
1187 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1188 proto_tree_add_text(tree, tvb, offset, 8,
1189 "%s: Infinity (absolute time)",
1190 proto_registrar_get_name(hf_date));
1192 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1193 proto_tree_add_time(tree, hf_date, tvb,
1196 proto_tree_add_text(tree, tvb, offset, 8,
1197 "%s: Time can't be converted",
1198 proto_registrar_get_name(hf_date));
1208 dissect_smb_datetime(tvbuff_t *tvb, packet_info *pinfo,
1209 proto_tree *parent_tree, int offset, int hf_date, int hf_dos_date,
1210 int hf_dos_time, gboolean time_first)
1212 guint16 dos_time, dos_date;
1213 proto_item *item = NULL;
1214 proto_tree *tree = NULL;
1217 static const int mday_noleap[12] = {
1218 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1220 static const int mday_leap[12] = {
1221 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1223 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1227 dos_time = tvb_get_letohs(tvb, offset);
1228 dos_date = tvb_get_letohs(tvb, offset+2);
1230 dos_date = tvb_get_letohs(tvb, offset);
1231 dos_time = tvb_get_letohs(tvb, offset+2);
1234 if ((dos_time == 0xffff && dos_time == 0xffff) ||
1235 (dos_time == 0 && dos_time == 0)) {
1237 * No date/time specified.
1240 proto_tree_add_text(parent_tree, tvb, offset, 4,
1241 "%s: No time specified (0x%08x)",
1242 proto_registrar_get_name(hf_date),
1243 (dos_date << 16) | dos_time);
1249 tm.tm_sec = (dos_time&0x1f)*2;
1250 tm.tm_min = (dos_time>>5)&0x3f;
1251 tm.tm_hour = (dos_time>>11)&0x1f;
1252 tm.tm_mday = dos_date&0x1f;
1253 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1254 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1258 * Do some sanity checks before calling "mktime()";
1259 * "mktime()" doesn't do them, it "normalizes" out-of-range
1262 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1263 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1264 (ISLEAP(tm.tm_year + 1900) ?
1265 tm.tm_mday > mday_leap[tm.tm_mon] :
1266 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1267 (t = mktime(&tm)) == -1) {
1269 * Invalid date/time.
1272 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1274 proto_registrar_get_name(hf_date));
1275 tree = proto_item_add_subtree(item, ett_smb_time_date);
1277 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1278 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1280 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1281 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1292 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1293 tree = proto_item_add_subtree(item, ett_smb_time_date);
1295 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1296 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1298 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1299 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1309 static const value_string da_access_vals[] = {
1310 { 0, "Open for reading"},
1311 { 1, "Open for writing"},
1312 { 2, "Open for reading and writing"},
1313 { 3, "Open for execute"},
1316 static const value_string da_sharing_vals[] = {
1317 { 0, "Compatibility mode"},
1318 { 1, "Deny read/write/execute (exclusive)"},
1320 { 3, "Deny read/execute"},
1324 static const value_string da_locality_vals[] = {
1325 { 0, "Locality of reference unknown"},
1326 { 1, "Mainly sequential access"},
1327 { 2, "Mainly random access"},
1328 { 3, "Random access with some locality"},
1331 static const true_false_string tfs_da_caching = {
1332 "Do not cache this file",
1333 "Caching permitted on this file"
1335 static const true_false_string tfs_da_writetru = {
1336 "Write through enabled",
1337 "Write through disabled"
1340 dissect_access(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, char *type)
1343 proto_item *item = NULL;
1344 proto_tree *tree = NULL;
1346 mask = tvb_get_letohs(tvb, offset);
1349 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1350 "%s Access: 0x%04x", type, mask);
1351 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1354 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1355 tvb, offset, 2, mask);
1356 proto_tree_add_boolean(tree, hf_smb_access_caching,
1357 tvb, offset, 2, mask);
1358 proto_tree_add_uint(tree, hf_smb_access_locality,
1359 tvb, offset, 2, mask);
1360 proto_tree_add_uint(tree, hf_smb_access_sharing,
1361 tvb, offset, 2, mask);
1362 proto_tree_add_uint(tree, hf_smb_access_mode,
1363 tvb, offset, 2, mask);
1370 #define FILE_ATTRIBUTE_READ_ONLY 0x00000001
1371 #define FILE_ATTRIBUTE_HIDDEN 0x00000002
1372 #define FILE_ATTRIBUTE_SYSTEM 0x00000004
1373 #define FILE_ATTRIBUTE_VOLUME 0x00000008
1374 #define FILE_ATTRIBUTE_DIRECTORY 0x00000010
1375 #define FILE_ATTRIBUTE_ARCHIVE 0x00000020
1376 #define FILE_ATTRIBUTE_DEVICE 0x00000040
1377 #define FILE_ATTRIBUTE_NORMAL 0x00000080
1378 #define FILE_ATTRIBUTE_TEMPORARY 0x00000100
1379 #define FILE_ATTRIBUTE_SPARSE 0x00000200
1380 #define FILE_ATTRIBUTE_REPARSE 0x00000400
1381 #define FILE_ATTRIBUTE_COMPRESSED 0x00000800
1382 #define FILE_ATTRIBUTE_OFFLINE 0x00001000
1383 #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1384 #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1387 * These are flags to be used in NT Create operations.
1389 #define FILE_ATTRIBUTE_WRITE_THROUGH 0x80000000
1390 #define FILE_ATTRIBUTE_NO_BUFFERING 0x20000000
1391 #define FILE_ATTRIBUTE_RANDOM_ACCESS 0x10000000
1392 #define FILE_ATTRIBUTE_SEQUENTIAL_SCAN 0x08000000
1393 #define FILE_ATTRIBUTE_DELETE_ON_CLOSE 0x04000000
1394 #define FILE_ATTRIBUTE_BACKUP_SEMANTICS 0x02000000
1395 #define FILE_ATTRIBUTE_POSIX_SEMANTICS 0x01000000
1397 static const true_false_string tfs_file_attribute_write_through = {
1398 "This object requires WRITE THROUGH",
1399 "This object does NOT require write through",
1401 static const true_false_string tfs_file_attribute_no_buffering = {
1402 "This object requires NO BUFFERING",
1403 "This object can be buffered",
1405 static const true_false_string tfs_file_attribute_random_access = {
1406 "This object will be RANDOM ACCESSed",
1407 "Random access is NOT requested",
1409 static const true_false_string tfs_file_attribute_sequential_scan = {
1410 "This object is optimized for SEQUENTIAL SCAN",
1411 "This object is NOT optimized for sequential scan",
1413 static const true_false_string tfs_file_attribute_delete_on_close = {
1414 "This object will be DELETED ON CLOSE",
1415 "This object will not be deleted on close",
1417 static const true_false_string tfs_file_attribute_backup_semantics = {
1418 "This object supports BACKUP SEMANTICS",
1419 "This object does NOT support backup semantics",
1421 static const true_false_string tfs_file_attribute_posix_semantics = {
1422 "This object supports POSIX SEMANTICS",
1423 "This object does NOT support POSIX semantics",
1425 static const true_false_string tfs_file_attribute_read_only = {
1426 "This file is READ ONLY",
1427 "This file is NOT read only",
1429 static const true_false_string tfs_file_attribute_hidden = {
1430 "This is a HIDDEN file",
1431 "This is NOT a hidden file"
1433 static const true_false_string tfs_file_attribute_system = {
1434 "This is a SYSTEM file",
1435 "This is NOT a system file"
1437 static const true_false_string tfs_file_attribute_volume = {
1438 "This is a VOLUME ID",
1439 "This is NOT a volume ID"
1441 static const true_false_string tfs_file_attribute_directory = {
1442 "This is a DIRECTORY",
1443 "This is NOT a directory"
1445 static const true_false_string tfs_file_attribute_archive = {
1446 "This is an ARCHIVE file",
1447 "This is NOT an archive file"
1449 static const true_false_string tfs_file_attribute_device = {
1451 "This is NOT a device"
1453 static const true_false_string tfs_file_attribute_normal = {
1454 "This file is an ordinary file",
1455 "This file has some attribute set"
1457 static const true_false_string tfs_file_attribute_temporary = {
1458 "This is a TEMPORARY file",
1459 "This is NOT a temporary file"
1461 static const true_false_string tfs_file_attribute_sparse = {
1462 "This is a SPARSE file",
1463 "This is NOT a sparse file"
1465 static const true_false_string tfs_file_attribute_reparse = {
1466 "This file has an associated REPARSE POINT",
1467 "This file does NOT have an associated reparse point"
1469 static const true_false_string tfs_file_attribute_compressed = {
1470 "This is a COMPRESSED file",
1471 "This is NOT a compressed file"
1473 static const true_false_string tfs_file_attribute_offline = {
1474 "This file is OFFLINE",
1475 "This file is NOT offline"
1477 static const true_false_string tfs_file_attribute_not_content_indexed = {
1478 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1479 "This file MAY be indexed by the content indexing service"
1481 static const true_false_string tfs_file_attribute_encrypted = {
1482 "This is an ENCRYPTED file",
1483 "This is NOT an encrypted file"
1487 dissect_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1490 proto_item *item = NULL;
1491 proto_tree *tree = NULL;
1493 mask = tvb_get_letohs(tvb, offset);
1496 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1497 "File Attributes: 0x%04x", mask);
1498 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1500 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1501 tvb, offset, 2, mask);
1502 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1503 tvb, offset, 2, mask);
1504 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1505 tvb, offset, 2, mask);
1506 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1507 tvb, offset, 2, mask);
1508 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1509 tvb, offset, 2, mask);
1510 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1511 tvb, offset, 2, mask);
1520 dissect_file_ext_attr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1523 proto_item *item = NULL;
1524 proto_tree *tree = NULL;
1526 mask = tvb_get_letohl(tvb, offset);
1529 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1530 "File Attributes: 0x%08x", mask);
1531 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1535 * XXX - Network Monitor disagrees on some of the
1536 * bits, e.g. the bits above temporary are "atomic write"
1537 * and "transaction write", and it says nothing about the
1540 * Does the Win32 API documentation, or the NT Native API book,
1543 proto_tree_add_boolean(tree, hf_smb_file_eattr_write_through,
1544 tvb, offset, 4, mask);
1545 proto_tree_add_boolean(tree, hf_smb_file_eattr_no_buffering,
1546 tvb, offset, 4, mask);
1547 proto_tree_add_boolean(tree, hf_smb_file_eattr_random_access,
1548 tvb, offset, 4, mask);
1549 proto_tree_add_boolean(tree, hf_smb_file_eattr_sequential_scan,
1550 tvb, offset, 4, mask);
1551 proto_tree_add_boolean(tree, hf_smb_file_eattr_delete_on_close,
1552 tvb, offset, 4, mask);
1553 proto_tree_add_boolean(tree, hf_smb_file_eattr_backup_semantics,
1554 tvb, offset, 4, mask);
1555 proto_tree_add_boolean(tree, hf_smb_file_eattr_posix_semantics,
1556 tvb, offset, 4, mask);
1557 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1558 tvb, offset, 4, mask);
1559 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1560 tvb, offset, 4, mask);
1561 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1562 tvb, offset, 4, mask);
1563 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1564 tvb, offset, 4, mask);
1565 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1566 tvb, offset, 4, mask);
1567 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1568 tvb, offset, 4, mask);
1569 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1570 tvb, offset, 4, mask);
1571 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1572 tvb, offset, 4, mask);
1573 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1574 tvb, offset, 4, mask);
1575 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1576 tvb, offset, 4, mask);
1577 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1578 tvb, offset, 4, mask);
1579 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1580 tvb, offset, 4, mask);
1581 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1582 tvb, offset, 4, mask);
1583 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1584 tvb, offset, 4, mask);
1585 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1586 tvb, offset, 4, mask);
1594 dissect_dir_info_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1597 proto_item *item = NULL;
1598 proto_tree *tree = NULL;
1600 mask = tvb_get_guint8(tvb, offset);
1603 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1604 "File Attributes: 0x%02x", mask);
1605 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1607 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1608 tvb, offset, 1, mask);
1609 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1610 tvb, offset, 1, mask);
1611 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1612 tvb, offset, 1, mask);
1613 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1614 tvb, offset, 1, mask);
1615 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1616 tvb, offset, 1, mask);
1617 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1618 tvb, offset, 1, mask);
1625 static const true_false_string tfs_search_attribute_read_only = {
1626 "Include READ ONLY files in search results",
1627 "Do NOT include read only files in search results",
1629 static const true_false_string tfs_search_attribute_hidden = {
1630 "Include HIDDEN files in search results",
1631 "Do NOT include hidden files in search results"
1633 static const true_false_string tfs_search_attribute_system = {
1634 "Include SYSTEM files in search results",
1635 "Do NOT include system files in search results"
1637 static const true_false_string tfs_search_attribute_volume = {
1638 "Include VOLUME IDs in search results",
1639 "Do NOT include volume IDs in search results"
1641 static const true_false_string tfs_search_attribute_directory = {
1642 "Include DIRECTORIES in search results",
1643 "Do NOT include directories in search results"
1645 static const true_false_string tfs_search_attribute_archive = {
1646 "Include ARCHIVE files in search results",
1647 "Do NOT include archive files in search results"
1651 dissect_search_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1654 proto_item *item = NULL;
1655 proto_tree *tree = NULL;
1657 mask = tvb_get_letohs(tvb, offset);
1660 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1661 "Search Attributes: 0x%04x", mask);
1662 tree = proto_item_add_subtree(item, ett_smb_search);
1665 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1666 tvb, offset, 2, mask);
1667 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1668 tvb, offset, 2, mask);
1669 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1670 tvb, offset, 2, mask);
1671 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1672 tvb, offset, 2, mask);
1673 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1674 tvb, offset, 2, mask);
1675 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1676 tvb, offset, 2, mask);
1684 * XXX - this isn't used.
1685 * Is this used for anything? NT Create AndX doesn't use it.
1686 * Is there some 16-bit attribute field with more bits than Read Only,
1687 * Hidden, System, Volume ID, Directory, and Archive?
1690 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1693 proto_item *item = NULL;
1694 proto_tree *tree = NULL;
1696 mask = tvb_get_letohl(tvb, offset);
1699 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1700 "File Attributes: 0x%08x", mask);
1701 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1703 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1704 tvb, offset, 2, mask);
1705 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1706 tvb, offset, 2, mask);
1707 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1708 tvb, offset, 2, mask);
1709 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1710 tvb, offset, 2, mask);
1711 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1712 tvb, offset, 2, mask);
1713 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1714 tvb, offset, 2, mask);
1715 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1716 tvb, offset, 2, mask);
1717 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1718 tvb, offset, 2, mask);
1719 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1720 tvb, offset, 2, mask);
1721 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1722 tvb, offset, 2, mask);
1723 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1724 tvb, offset, 2, mask);
1725 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1726 tvb, offset, 2, mask);
1727 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1728 tvb, offset, 2, mask);
1729 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1730 tvb, offset, 2, mask);
1731 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1732 tvb, offset, 2, mask);
1741 #define SERVER_CAP_RAW_MODE 0x00000001
1742 #define SERVER_CAP_MPX_MODE 0x00000002
1743 #define SERVER_CAP_UNICODE 0x00000004
1744 #define SERVER_CAP_LARGE_FILES 0x00000008
1745 #define SERVER_CAP_NT_SMBS 0x00000010
1746 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1747 #define SERVER_CAP_STATUS32 0x00000040
1748 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1749 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1750 #define SERVER_CAP_NT_FIND 0x00000200
1751 #define SERVER_CAP_DFS 0x00001000
1752 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1753 #define SERVER_CAP_LARGE_READX 0x00004000
1754 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1755 #define SERVER_CAP_UNIX 0x00800000
1756 #define SERVER_CAP_RESERVED 0x02000000
1757 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1758 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1759 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1760 static const true_false_string tfs_server_cap_raw_mode = {
1761 "Read Raw and Write Raw are supported",
1762 "Read Raw and Write Raw are not supported"
1764 static const true_false_string tfs_server_cap_mpx_mode = {
1765 "Read Mpx and Write Mpx are supported",
1766 "Read Mpx and Write Mpx are not supported"
1768 static const true_false_string tfs_server_cap_unicode = {
1769 "Unicode strings are supported",
1770 "Unicode strings are not supported"
1772 static const true_false_string tfs_server_cap_large_files = {
1773 "Large files are supported",
1774 "Large files are not supported",
1776 static const true_false_string tfs_server_cap_nt_smbs = {
1777 "NT SMBs are supported",
1778 "NT SMBs are not supported"
1780 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1781 "RPC remote APIs are supported",
1782 "RPC remote APIs are not supported"
1784 static const true_false_string tfs_server_cap_nt_status = {
1785 "NT status codes are supported",
1786 "NT status codes are not supported"
1788 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1789 "Level 2 oplocks are supported",
1790 "Level 2 oplocks are not supported"
1792 static const true_false_string tfs_server_cap_lock_and_read = {
1793 "Lock and Read is supported",
1794 "Lock and Read is not supported"
1796 static const true_false_string tfs_server_cap_nt_find = {
1797 "NT Find is supported",
1798 "NT Find is not supported"
1800 static const true_false_string tfs_server_cap_dfs = {
1802 "Dfs is not supported"
1804 static const true_false_string tfs_server_cap_infolevel_passthru = {
1805 "NT information level request passthrough is supported",
1806 "NT information level request passthrough is not supported"
1808 static const true_false_string tfs_server_cap_large_readx = {
1809 "Large Read andX is supported",
1810 "Large Read andX is not supported"
1812 static const true_false_string tfs_server_cap_large_writex = {
1813 "Large Write andX is supported",
1814 "Large Write andX is not supported"
1816 static const true_false_string tfs_server_cap_unix = {
1817 "UNIX extensions are supported",
1818 "UNIX extensions are not supported"
1820 static const true_false_string tfs_server_cap_reserved = {
1824 static const true_false_string tfs_server_cap_bulk_transfer = {
1825 "Bulk Read and Bulk Write are supported",
1826 "Bulk Read and Bulk Write are not supported"
1828 static const true_false_string tfs_server_cap_compressed_data = {
1829 "Compressed data transfer is supported",
1830 "Compressed data transfer is not supported"
1832 static const true_false_string tfs_server_cap_extended_security = {
1833 "Extended security exchanges are supported",
1834 "Extended security exchanges are not supported"
1837 dissect_negprot_capabilities(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1840 proto_item *item = NULL;
1841 proto_tree *tree = NULL;
1843 mask = tvb_get_letohl(tvb, offset);
1846 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1847 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1850 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1851 tvb, offset, 4, mask);
1852 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1853 tvb, offset, 4, mask);
1854 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1855 tvb, offset, 4, mask);
1856 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1857 tvb, offset, 4, mask);
1858 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1859 tvb, offset, 4, mask);
1860 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1861 tvb, offset, 4, mask);
1862 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1863 tvb, offset, 4, mask);
1864 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1865 tvb, offset, 4, mask);
1866 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1867 tvb, offset, 4, mask);
1868 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1869 tvb, offset, 4, mask);
1870 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1871 tvb, offset, 4, mask);
1872 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1873 tvb, offset, 4, mask);
1874 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1875 tvb, offset, 4, mask);
1876 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1877 tvb, offset, 4, mask);
1878 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1879 tvb, offset, 4, mask);
1880 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1881 tvb, offset, 4, mask);
1882 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1883 tvb, offset, 4, mask);
1884 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1885 tvb, offset, 4, mask);
1886 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1887 tvb, offset, 4, mask);
1892 #define RAWMODE_READ 0x01
1893 #define RAWMODE_WRITE 0x02
1894 static const true_false_string tfs_rm_read = {
1895 "Read Raw is supported",
1896 "Read Raw is not supported"
1898 static const true_false_string tfs_rm_write = {
1899 "Write Raw is supported",
1900 "Write Raw is not supported"
1904 dissect_negprot_rawmode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1907 proto_item *item = NULL;
1908 proto_tree *tree = NULL;
1910 mask = tvb_get_letohs(tvb, offset);
1913 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1914 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1917 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1918 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
1925 #define SECURITY_MODE_MODE 0x01
1926 #define SECURITY_MODE_PASSWORD 0x02
1927 #define SECURITY_MODE_SIGNATURES 0x04
1928 #define SECURITY_MODE_SIG_REQUIRED 0x08
1929 static const true_false_string tfs_sm_mode = {
1930 "USER security mode",
1931 "SHARE security mode"
1933 static const true_false_string tfs_sm_password = {
1934 "ENCRYPTED password. Use challenge/response",
1935 "PLAINTEXT password"
1937 static const true_false_string tfs_sm_signatures = {
1938 "Security signatures ENABLED",
1939 "Security signatures NOT enabled"
1941 static const true_false_string tfs_sm_sig_required = {
1942 "Security signatures REQUIRED",
1943 "Security signatures NOT required"
1947 dissect_negprot_security_mode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int wc)
1950 proto_item *item = NULL;
1951 proto_tree *tree = NULL;
1955 mask = tvb_get_letohs(tvb, offset);
1956 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1957 "Security Mode: 0x%04x", mask);
1958 tree = proto_item_add_subtree(item, ett_smb_mode);
1959 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
1960 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
1965 mask = tvb_get_guint8(tvb, offset);
1966 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1967 "Security Mode: 0x%02x", mask);
1968 tree = proto_item_add_subtree(item, ett_smb_mode);
1969 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
1970 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
1971 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
1972 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
1981 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
1983 proto_item *it = NULL;
1984 proto_tree *tr = NULL;
1993 it = proto_tree_add_text(tree, tvb, offset, bc,
1994 "Requested Dialects");
1995 tr = proto_item_add_subtree(it, ett_smb_dialects);
2001 proto_item *dit = NULL;
2002 proto_tree *dtr = NULL;
2004 /* XXX - what if this runs past bc? */
2005 len = tvb_strsize(tvb, offset+1);
2006 str = tvb_get_ptr(tvb, offset+1, len);
2009 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2010 "Dialect: %s", str);
2011 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2015 CHECK_BYTE_COUNT(1);
2016 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2021 CHECK_BYTE_COUNT(len);
2022 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
2033 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2047 dialect = tvb_get_letohs(tvb, offset);
2050 if(dialect==0xffff){
2051 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2052 tvb, offset, 2, dialect,
2053 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2055 proto_tree_add_uint(tree, hf_smb_dialect_index,
2056 tvb, offset, 2, dialect);
2060 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2061 tvb, offset, 2, dialect,
2062 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2065 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2066 tvb, offset, 2, dialect,
2067 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2070 proto_tree_add_text(tree, tvb, offset, wc*2,
2071 "Words for unknown response format");
2080 offset = dissect_negprot_security_mode(tvb, pinfo, tree, offset,
2083 /* Maximum Transmit Buffer Size */
2084 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2085 tvb, offset, 2, TRUE);
2088 /* Maximum Multiplex Count */
2089 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2090 tvb, offset, 2, TRUE);
2093 /* Maximum Vcs Number */
2094 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2095 tvb, offset, 2, TRUE);
2099 offset = dissect_negprot_rawmode(tvb, pinfo, tree, offset);
2102 proto_tree_add_item(tree, hf_smb_session_key,
2103 tvb, offset, 4, TRUE);
2106 /* current time and date at server */
2107 offset = dissect_smb_datetime(tvb, pinfo, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2111 tz = tvb_get_letohs(tvb, offset);
2112 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2115 /* encryption key length */
2116 ekl = tvb_get_letohs(tvb, offset);
2117 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2120 /* 2 reserved bytes */
2121 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2128 offset = dissect_negprot_security_mode(tvb, pinfo, tree, offset, wc);
2130 /* Maximum Multiplex Count */
2131 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2132 tvb, offset, 2, TRUE);
2135 /* Maximum Vcs Number */
2136 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2137 tvb, offset, 2, TRUE);
2140 /* Maximum Transmit Buffer Size */
2141 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2142 tvb, offset, 4, TRUE);
2145 /* maximum raw buffer size */
2146 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2147 tvb, offset, 4, TRUE);
2151 proto_tree_add_item(tree, hf_smb_session_key,
2152 tvb, offset, 4, TRUE);
2155 /* server capabilities */
2156 caps = dissect_negprot_capabilities(tvb, pinfo, tree, offset);
2160 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
2161 hf_smb_system_time);
2164 tz = tvb_get_letohs(tvb, offset);
2165 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2167 "Server Time Zone: %d min from UTC", tz);
2170 /* encryption key length */
2171 ekl = tvb_get_guint8(tvb, offset);
2172 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2173 tvb, offset, 1, ekl);
2183 /* challenge/response encryption key */
2185 CHECK_BYTE_COUNT(ekl);
2186 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2191 dn = get_unicode_or_ascii_string(tvb, &offset,
2192 pinfo, &dn_len, FALSE, FALSE, &bc);
2195 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2197 COUNT_BYTES(dn_len);
2201 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2204 /* challenge/response encryption key */
2205 /* XXX - is this aligned on an even boundary? */
2207 CHECK_BYTE_COUNT(ekl);
2208 proto_tree_add_item(tree, hf_smb_encryption_key,
2209 tvb, offset, ekl, TRUE);
2214 /* this string is special, unicode is flagged in caps */
2215 /* This string is NOT padded to be 16bit aligned. (seen in actual capture) */
2216 si = pinfo->private_data;
2217 si->unicode = (caps&SERVER_CAP_UNICODE);
2218 dn = get_unicode_or_ascii_string(tvb,
2219 &offset, pinfo, &dn_len, TRUE, FALSE,
2223 proto_tree_add_string(tree, hf_smb_primary_domain,
2224 tvb, offset, dn_len, dn);
2225 COUNT_BYTES(dn_len);
2228 /* XXX - show it in the standard Microsoft format
2230 CHECK_BYTE_COUNT(16);
2231 proto_tree_add_item(tree, hf_smb_server_guid,
2232 tvb, offset, 16, TRUE);
2236 /* XXX - is this ASN.1-encoded? Is it a Kerberos
2237 data structure, at least in NT 5.0-and-later
2240 proto_tree_add_item(tree, hf_smb_security_blob,
2241 tvb, offset, bc, TRUE);
2255 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2267 CHECK_BYTE_COUNT(1);
2268 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2272 dn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &dn_len,
2276 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2278 COUNT_BYTES(dn_len);
2280 if (check_col(pinfo->cinfo, COL_INFO)) {
2281 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
2290 dissect_empty(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2305 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2313 ec = tvb_get_letohs(tvb, offset);
2314 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2321 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2331 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2338 /* echo sequence number */
2339 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2346 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2356 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2368 CHECK_BYTE_COUNT(1);
2369 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2373 an = get_unicode_or_ascii_string(tvb, &offset,
2374 pinfo, &an_len, FALSE, FALSE, &bc);
2377 proto_tree_add_string(tree, hf_smb_path, tvb,
2378 offset, an_len, an);
2379 COUNT_BYTES(an_len);
2381 if (check_col(pinfo->cinfo, COL_INFO)) {
2382 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2386 CHECK_BYTE_COUNT(1);
2387 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2390 /* password, ANSI */
2391 /* XXX - what if this runs past bc? */
2392 pwlen = tvb_strsize(tvb, offset);
2393 CHECK_BYTE_COUNT(pwlen);
2394 proto_tree_add_item(tree, hf_smb_password,
2395 tvb, offset, pwlen, TRUE);
2399 CHECK_BYTE_COUNT(1);
2400 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2404 an = get_unicode_or_ascii_string(tvb, &offset,
2405 pinfo, &an_len, FALSE, FALSE, &bc);
2408 proto_tree_add_string(tree, hf_smb_service, tvb,
2409 offset, an_len, an);
2410 COUNT_BYTES(an_len);
2418 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2425 /* Maximum Buffer Size */
2426 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2430 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
2441 static const true_false_string tfs_of_create = {
2442 "Create file if it does not exist",
2443 "Fail if file does not exist"
2445 static const value_string of_open[] = {
2446 { 0, "Fail if file exists"},
2447 { 1, "Open file if it exists"},
2448 { 2, "Truncate file if it exists"},
2452 dissect_open_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
2455 proto_item *item = NULL;
2456 proto_tree *tree = NULL;
2458 mask = tvb_get_letohs(tvb, offset);
2461 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2462 "Open Function: 0x%04x", mask);
2463 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2466 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2467 tvb, offset, 2, mask);
2468 proto_tree_add_uint(tree, hf_smb_open_function_open,
2469 tvb, offset, 2, mask);
2477 static const true_false_string tfs_mf_file = {
2478 "Target must be a file",
2479 "Target needn't be a file"
2481 static const true_false_string tfs_mf_dir = {
2482 "Target must be a directory",
2483 "Target needn't be a directory"
2485 static const true_false_string tfs_mf_verify = {
2486 "MUST verify all writes",
2487 "Don't have to verify writes"
2490 dissect_move_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
2493 proto_item *item = NULL;
2494 proto_tree *tree = NULL;
2496 mask = tvb_get_letohs(tvb, offset);
2499 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2500 "Flags: 0x%04x", mask);
2501 tree = proto_item_add_subtree(item, ett_smb_move_flags);
2504 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2505 tvb, offset, 2, mask);
2506 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2507 tvb, offset, 2, mask);
2508 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2509 tvb, offset, 2, mask);
2517 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2528 tid = tvb_get_letohs(tvb, offset);
2529 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2530 "TID (target): 0x%04x", tid);
2534 offset = dissect_open_function(tvb, pinfo, tree, offset);
2537 offset = dissect_move_flags(tvb, pinfo, tree, offset);
2542 CHECK_BYTE_COUNT(1);
2543 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2547 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2551 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2552 fn_len, fn, "Old File Name: %s", fn);
2553 COUNT_BYTES(fn_len);
2555 if (check_col(pinfo->cinfo, COL_INFO)) {
2556 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2560 CHECK_BYTE_COUNT(1);
2561 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2565 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2569 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2570 fn_len, fn, "New File Name: %s", fn);
2571 COUNT_BYTES(fn_len);
2573 if (check_col(pinfo->cinfo, COL_INFO)) {
2574 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2583 dissect_move_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2592 /* # of files moved */
2593 proto_tree_add_item(tree, hf_smb_move_files_moved, tvb, offset, 2, TRUE);
2599 CHECK_BYTE_COUNT(1);
2600 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2604 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2608 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2610 COUNT_BYTES(fn_len);
2618 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2627 /* desired access */
2628 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
2630 /* Search Attributes */
2631 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2636 CHECK_BYTE_COUNT(1);
2637 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2641 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2645 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2647 COUNT_BYTES(fn_len);
2649 if (check_col(pinfo->cinfo, COL_INFO)) {
2650 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2659 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2660 int len, guint16 fid)
2662 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2663 if (check_col(pinfo->cinfo, COL_INFO))
2664 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
2668 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2677 fid = tvb_get_letohs(tvb, offset);
2678 add_fid(tvb, pinfo, tree, offset, 2, fid);
2681 /* File Attributes */
2682 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2684 /* last write time */
2685 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2688 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2691 /* granted access */
2692 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
2702 dissect_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2711 fid = tvb_get_letohs(tvb, offset);
2712 add_fid(tvb, pinfo, tree, offset, 2, fid);
2723 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2732 /* file attributes */
2733 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2736 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
2741 CHECK_BYTE_COUNT(1);
2742 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2746 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2750 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2752 COUNT_BYTES(fn_len);
2754 if (check_col(pinfo->cinfo, COL_INFO)) {
2755 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2764 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2772 fid = tvb_get_letohs(tvb, offset);
2773 add_fid(tvb, pinfo, tree, offset, 2, fid);
2776 /* last write time */
2777 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2787 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2796 /* search attributes */
2797 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2802 CHECK_BYTE_COUNT(1);
2803 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2807 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2811 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2813 COUNT_BYTES(fn_len);
2815 if (check_col(pinfo->cinfo, COL_INFO)) {
2816 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2825 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2834 /* search attributes */
2835 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2840 CHECK_BYTE_COUNT(1);
2841 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2845 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2849 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
2851 COUNT_BYTES(fn_len);
2853 if (check_col(pinfo->cinfo, COL_INFO)) {
2854 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2858 CHECK_BYTE_COUNT(1);
2859 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2863 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2867 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2869 COUNT_BYTES(fn_len);
2871 if (check_col(pinfo->cinfo, COL_INFO)) {
2872 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2881 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2893 CHECK_BYTE_COUNT(1);
2894 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2898 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2902 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2904 COUNT_BYTES(fn_len);
2906 if (check_col(pinfo->cinfo, COL_INFO)) {
2907 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2916 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2923 /* File Attributes */
2924 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2926 /* Last Write Time */
2927 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2930 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2933 /* 10 reserved bytes */
2934 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
2945 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2954 /* file attributes */
2955 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2957 /* last write time */
2958 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2960 /* 10 reserved bytes */
2961 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
2967 CHECK_BYTE_COUNT(1);
2968 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2972 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2976 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2978 COUNT_BYTES(fn_len);
2980 if (check_col(pinfo->cinfo, COL_INFO)) {
2981 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2990 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3000 fid = tvb_get_letohs(tvb, offset);
3001 add_fid(tvb, pinfo, tree, offset, 2, fid);
3003 if (!pinfo->fd->flags.visited) {
3004 /* remember the FID for the processing of the response */
3005 si = (smb_info_t *)pinfo->private_data;
3006 si->sip->extra_info=(void *)fid;
3010 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3014 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3018 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3029 dissect_file_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3034 /* We have some initial padding bytes. */
3035 /* XXX - use the data offset here instead? */
3036 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3038 offset += bc-datalen;
3041 tvblen = tvb_length_remaining(tvb, offset);
3043 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3046 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
3053 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3054 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3057 tvbuff_t *dcerpc_tvb;
3060 /* We have some initial padding bytes. */
3061 /* XXX - use the data offset here instead? */
3062 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3064 offset += bc-datalen;
3067 tvblen = tvb_length_remaining(tvb, offset);
3068 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3069 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3078 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3082 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3088 cnt = tvb_get_letohs(tvb, offset);
3089 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3092 /* 8 reserved bytes */
3093 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3096 /* If we have seen the request, then print which FID this refers to */
3097 /* first check if we have seen the request */
3098 if(si->sip != NULL && si->sip->frame_req>0){
3099 fid=(int)si->sip->extra_info;
3100 add_fid(tvb, pinfo, tree, 0, 0, fid);
3106 CHECK_BYTE_COUNT(1);
3107 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3111 CHECK_BYTE_COUNT(2);
3112 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3115 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
3118 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
3120 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3121 top_tree, offset, bc, bc, fid);
3123 /* ordinary file data, or we didn't see the request,
3124 so we don't know whether this is a DCERPC call
3126 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, bc);
3137 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3145 cnt = tvb_get_letohs(tvb, offset);
3146 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3149 /* 8 reserved bytes */
3150 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3156 CHECK_BYTE_COUNT(1);
3157 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3161 CHECK_BYTE_COUNT(2);
3162 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3172 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3175 guint16 cnt=0, bc, fid=0;
3177 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3182 fid = tvb_get_letohs(tvb, offset);
3183 add_fid(tvb, pinfo, tree, offset, 2, fid);
3187 cnt = tvb_get_letohs(tvb, offset);
3188 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3192 ofs = tvb_get_letohl(tvb, offset);
3193 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3196 if (check_col(pinfo->cinfo, COL_INFO))
3197 col_append_fstr(pinfo->cinfo, COL_INFO,
3198 ", %d byte%s at offset %d", cnt,
3199 (cnt == 1) ? "" : "s", ofs);
3202 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3208 CHECK_BYTE_COUNT(1);
3209 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3213 CHECK_BYTE_COUNT(2);
3214 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3218 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3220 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3221 top_tree, offset, bc, bc, fid);
3223 /* ordinary file data */
3224 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, bc);
3235 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3243 cnt = tvb_get_letohs(tvb, offset);
3244 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3247 if (check_col(pinfo->cinfo, COL_INFO))
3248 col_append_fstr(pinfo->cinfo, COL_INFO,
3249 ", %d byte%s", cnt, (cnt == 1) ? "" : "s");
3259 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3267 fid = tvb_get_letohs(tvb, offset);
3268 add_fid(tvb, pinfo, tree, offset, 2, fid);
3272 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3276 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3287 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3296 /* 2 reserved bytes */
3297 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3301 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
3306 CHECK_BYTE_COUNT(1);
3307 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3310 /* directory name */
3311 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3315 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3317 COUNT_BYTES(fn_len);
3319 if (check_col(pinfo->cinfo, COL_INFO)) {
3320 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3329 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3339 fid = tvb_get_letohs(tvb, offset);
3340 add_fid(tvb, pinfo, tree, offset, 2, fid);
3346 CHECK_BYTE_COUNT(1);
3347 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3351 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3355 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3357 COUNT_BYTES(fn_len);
3364 static const value_string seek_mode_vals[] = {
3365 {0, "From Start Of File"},
3366 {1, "From Current Position"},
3367 {2, "From End Of File"},
3372 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3380 fid = tvb_get_letohs(tvb, offset);
3381 add_fid(tvb, pinfo, tree, offset, 2, fid);
3385 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3389 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3400 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3408 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3419 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3427 fid = tvb_get_letohs(tvb, offset);
3428 add_fid(tvb, pinfo, tree, offset, 2, fid);
3432 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3434 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3437 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3439 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3441 /* last write time */
3442 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3443 hf_smb_last_write_time,
3444 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3454 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3462 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3464 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3467 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3469 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3471 /* last write time */
3472 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3473 hf_smb_last_write_time,
3474 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3477 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3480 /* allocation size */
3481 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3484 /* File Attributes */
3485 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
3495 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3504 fid = tvb_get_letohs(tvb, offset);
3505 add_fid(tvb, pinfo, tree, offset, 2, fid);
3509 cnt = tvb_get_letohs(tvb, offset);
3510 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3514 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3517 /* last write time */
3518 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
3521 /* 12 reserved bytes */
3522 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3529 CHECK_BYTE_COUNT(1);
3530 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
3533 offset = dissect_file_data(tvb, pinfo, tree, offset, cnt, cnt);
3542 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3550 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3561 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3570 fid = tvb_get_letohs(tvb, offset);
3571 add_fid(tvb, pinfo, tree, offset, 2, fid);
3575 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3579 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3583 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3587 to = tvb_get_letohl(tvb, offset);
3588 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3591 /* 2 reserved bytes */
3592 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3597 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3609 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3617 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3621 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3625 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3629 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3632 /* 2 reserved bytes */
3633 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3644 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3652 fid = tvb_get_letohs(tvb, offset);
3653 add_fid(tvb, pinfo, tree, offset, 2, fid);
3657 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3661 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3665 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3668 /* 6 reserved bytes */
3669 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
3680 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3682 guint16 datalen=0, bc;
3688 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3692 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3695 /* 2 reserved bytes */
3696 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3699 /* data compaction mode */
3700 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
3703 /* 2 reserved bytes */
3704 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3708 datalen = tvb_get_letohs(tvb, offset);
3709 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3713 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3719 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3728 static const true_false_string tfs_write_mode_write_through = {
3729 "WRITE THROUGH requested",
3730 "Write through not requested"
3732 static const true_false_string tfs_write_mode_return_remaining = {
3733 "RETURN REMAINING (pipe/dev) requested",
3734 "DON'T return remaining (pipe/dev)"
3736 static const true_false_string tfs_write_mode_raw = {
3737 "Use WriteRawNamedPipe (pipe)",
3738 "DON'T use WriteRawNamedPipe (pipe)"
3740 static const true_false_string tfs_write_mode_message_start = {
3741 "This is the START of a MESSAGE (pipe)",
3742 "This is NOT the start of a message (pipe)"
3744 static const true_false_string tfs_write_mode_connectionless = {
3745 "CONNECTIONLESS mode requested",
3746 "Connectionless mode NOT requested"
3749 dissect_write_mode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int bm)
3752 proto_item *item = NULL;
3753 proto_tree *tree = NULL;
3755 mask = tvb_get_letohs(tvb, offset);
3758 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
3759 "Write Mode: 0x%04x", mask);
3760 tree = proto_item_add_subtree(item, ett_smb_rawmode);
3764 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
3765 tvb, offset, 2, mask);
3768 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
3769 tvb, offset, 2, mask);
3772 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
3773 tvb, offset, 2, mask);
3776 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
3777 tvb, offset, 2, mask);
3780 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
3781 tvb, offset, 2, mask);
3789 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3792 guint16 datalen=0, bc, fid;
3798 fid = tvb_get_letohs(tvb, offset);
3799 add_fid(tvb, pinfo, tree, offset, 2, fid);
3802 /* total data length */
3803 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
3806 /* 2 reserved bytes */
3807 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3811 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3815 to = tvb_get_letohl(tvb, offset);
3816 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3820 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x0003);
3822 /* 4 reserved bytes */
3823 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
3827 datalen = tvb_get_letohs(tvb, offset);
3828 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3832 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3838 /* XXX - use the data offset to determine where the data starts? */
3839 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3848 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3856 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3867 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3870 guint16 datalen=0, bc, fid;
3876 fid = tvb_get_letohs(tvb, offset);
3877 add_fid(tvb, pinfo, tree, offset, 2, fid);
3880 /* total data length */
3881 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
3884 /* 2 reserved bytes */
3885 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3889 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3893 to = tvb_get_letohl(tvb, offset);
3894 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3898 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x0083);
3901 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
3905 datalen = tvb_get_letohs(tvb, offset);
3906 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3910 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3916 /* XXX - use the data offset to determine where the data starts? */
3917 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3926 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3934 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
3945 dissect_sid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3953 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
3964 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
3965 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
3967 proto_item *item = NULL;
3968 proto_tree *tree = NULL;
3974 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
3976 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
3980 CHECK_BYTE_COUNT_SUBR(1);
3981 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
3982 COUNT_BYTES_SUBR(1);
3986 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3988 CHECK_STRING_SUBR(fn);
3989 /* ensure that it's null-terminated */
3990 strncpy(fname, fn, 11);
3992 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
3994 COUNT_BYTES_SUBR(fn_len);
3997 CHECK_BYTE_COUNT_SUBR(5);
3998 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
3999 COUNT_BYTES_SUBR(5);
4002 CHECK_BYTE_COUNT_SUBR(4);
4003 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4004 COUNT_BYTES_SUBR(4);
4011 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4012 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
4014 proto_item *item = NULL;
4015 proto_tree *tree = NULL;
4021 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4022 "Directory Information");
4023 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4027 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp, trunc);
4031 /* File Attributes */
4032 CHECK_BYTE_COUNT_SUBR(1);
4033 offset = dissect_dir_info_file_attributes(tvb, pinfo, tree, offset);
4036 /* last write time */
4037 CHECK_BYTE_COUNT_SUBR(4);
4038 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
4039 hf_smb_last_write_time,
4040 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4045 CHECK_BYTE_COUNT_SUBR(4);
4046 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4047 COUNT_BYTES_SUBR(4);
4051 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4053 CHECK_STRING_SUBR(fn);
4054 /* ensure that it's null-terminated */
4055 strncpy(fname, fn, 13);
4057 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4059 COUNT_BYTES_SUBR(fn_len);
4067 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4079 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4082 /* Search Attributes */
4083 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
4088 CHECK_BYTE_COUNT(1);
4089 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4093 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4097 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4099 COUNT_BYTES(fn_len);
4101 if (check_col(pinfo->cinfo, COL_INFO)) {
4102 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4106 CHECK_BYTE_COUNT(1);
4107 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4110 /* resume key length */
4111 CHECK_BYTE_COUNT(2);
4112 rkl = tvb_get_letohs(tvb, offset);
4113 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4118 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4130 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4140 count = tvb_get_letohs(tvb, offset);
4141 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4147 CHECK_BYTE_COUNT(1);
4148 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4152 CHECK_BYTE_COUNT(2);
4153 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4157 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4168 static const value_string locking_ol_vals[] = {
4169 {0, "Client is not holding oplock on this file"},
4170 {1, "Level 2 oplock currently held by client"},
4174 static const true_false_string tfs_lock_type_large = {
4175 "Large file locking format requested",
4176 "Large file locking format not requested"
4178 static const true_false_string tfs_lock_type_cancel = {
4179 "Cancel outstanding lock request",
4180 "Don't cancel outstanding lock request"
4182 static const true_false_string tfs_lock_type_change = {
4184 "Don't change lock type"
4186 static const true_false_string tfs_lock_type_oplock = {
4187 "This is an oplock break notification/response",
4188 "This is not an oplock break notification/response"
4190 static const true_false_string tfs_lock_type_shared = {
4191 "This is a shared lock",
4192 "This is an exclusive lock"
4195 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4197 guint8 wc, cmd=0xff, lt=0;
4198 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4200 proto_item *litem = NULL;
4201 proto_tree *ltree = NULL;
4202 proto_item *it = NULL;
4203 proto_tree *tr = NULL;
4204 int old_offset = offset;
4208 /* next smb command */
4209 cmd = tvb_get_guint8(tvb, offset);
4211 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4213 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4218 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4222 andxoffset = tvb_get_letohs(tvb, offset);
4223 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4227 fid = tvb_get_letohs(tvb, offset);
4228 add_fid(tvb, pinfo, tree, offset, 2, fid);
4232 lt = tvb_get_guint8(tvb, offset);
4234 litem = proto_tree_add_text(tree, tvb, offset, 1,
4235 "Lock Type: 0x%02x", lt);
4236 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4238 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4239 tvb, offset, 1, lt);
4240 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4241 tvb, offset, 1, lt);
4242 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4243 tvb, offset, 1, lt);
4244 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4245 tvb, offset, 1, lt);
4246 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4247 tvb, offset, 1, lt);
4251 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
4255 to = tvb_get_letohl(tvb, offset);
4257 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4258 else if (to == 0xffffffff)
4259 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4261 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4264 /* number of unlocks */
4265 un = tvb_get_letohs(tvb, offset);
4266 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4269 /* number of locks */
4270 ln = tvb_get_letohs(tvb, offset);
4271 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4278 old_offset = offset;
4280 it = proto_tree_add_text(tree, tvb, offset, -1,
4282 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4284 proto_item *litem = NULL;
4285 proto_tree *ltree = NULL;
4287 /* large lock format */
4288 litem = proto_tree_add_text(tr, tvb, offset, 20,
4290 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4293 CHECK_BYTE_COUNT(2);
4294 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4297 /* 2 reserved bytes */
4298 CHECK_BYTE_COUNT(2);
4299 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4303 CHECK_BYTE_COUNT(8);
4304 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4308 CHECK_BYTE_COUNT(8);
4309 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4312 /* normal lock format */
4313 litem = proto_tree_add_text(tr, tvb, offset, 10,
4315 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4318 CHECK_BYTE_COUNT(2);
4319 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4323 CHECK_BYTE_COUNT(4);
4324 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4328 CHECK_BYTE_COUNT(4);
4329 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4333 proto_item_set_len(it, offset-old_offset);
4339 old_offset = offset;
4341 it = proto_tree_add_text(tree, tvb, offset, -1,
4343 tr = proto_item_add_subtree(it, ett_smb_locks);
4345 proto_item *litem = NULL;
4346 proto_tree *ltree = NULL;
4348 /* large lock format */
4349 litem = proto_tree_add_text(tr, tvb, offset, 20,
4351 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4354 CHECK_BYTE_COUNT(2);
4355 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4358 /* 2 reserved bytes */
4359 CHECK_BYTE_COUNT(2);
4360 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4364 CHECK_BYTE_COUNT(8);
4365 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4369 CHECK_BYTE_COUNT(8);
4370 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4373 /* normal lock format */
4374 litem = proto_tree_add_text(tr, tvb, offset, 10,
4376 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4379 CHECK_BYTE_COUNT(2);
4380 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4384 CHECK_BYTE_COUNT(4);
4385 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4389 CHECK_BYTE_COUNT(4);
4390 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4394 proto_item_set_len(it, offset-old_offset);
4402 * We ran out of byte count in the middle of dissecting
4403 * the locks or the unlocks; set the site of the item
4404 * we were dissecting.
4406 proto_item_set_len(it, offset-old_offset);
4409 /* call AndXCommand (if there are any) */
4410 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4416 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4418 guint8 wc, cmd=0xff;
4419 guint16 andxoffset=0;
4424 /* next smb command */
4425 cmd = tvb_get_guint8(tvb, offset);
4427 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4429 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4434 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4438 andxoffset = tvb_get_letohs(tvb, offset);
4439 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4446 /* call AndXCommand (if there are any) */
4447 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4453 static const value_string oa_open_vals[] = {
4454 { 0, "No action taken?"},
4455 { 1, "The file existed and was opened"},
4456 { 2, "The file did not exist but was created"},
4457 { 3, "The file existed and was truncated"},
4460 static const true_false_string tfs_oa_lock = {
4461 "File is currently opened only by this user",
4462 "File is opened by another user (or mode not supported by server)"
4465 dissect_open_action(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
4468 proto_item *item = NULL;
4469 proto_tree *tree = NULL;
4471 mask = tvb_get_letohs(tvb, offset);
4474 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4475 "Action: 0x%04x", mask);
4476 tree = proto_item_add_subtree(item, ett_smb_open_action);
4479 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4480 tvb, offset, 2, mask);
4481 proto_tree_add_uint(tree, hf_smb_open_action_open,
4482 tvb, offset, 2, mask);
4489 static const true_false_string tfs_open_flags_add_info = {
4490 "Additional information requested",
4491 "Additional information not requested"
4493 static const true_false_string tfs_open_flags_ex_oplock = {
4494 "Exclusive oplock requested",
4495 "Exclusive oplock not requested"
4497 static const true_false_string tfs_open_flags_batch_oplock = {
4498 "Batch oplock requested",
4499 "Batch oplock not requested"
4501 static const true_false_string tfs_open_flags_ealen = {
4502 "Total length of EAs requested",
4503 "Total length of EAs not requested"
4506 dissect_open_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int bm)
4509 proto_item *item = NULL;
4510 proto_tree *tree = NULL;
4512 mask = tvb_get_letohs(tvb, offset);
4515 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4516 "Flags: 0x%04x", mask);
4517 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4521 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4522 tvb, offset, 2, mask);
4525 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4526 tvb, offset, 2, mask);
4529 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4530 tvb, offset, 2, mask);
4533 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4534 tvb, offset, 2, mask);
4542 static const value_string filetype_vals[] = {
4543 { 0, "Disk file or directory"},
4544 { 1, "Named pipe in byte mode"},
4545 { 2, "Named pipe in message mode"},
4546 { 3, "Spooled printer"},
4550 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4552 guint8 wc, cmd=0xff;
4553 guint16 andxoffset=0, bc;
4559 /* next smb command */
4560 cmd = tvb_get_guint8(tvb, offset);
4562 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4564 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4569 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4573 andxoffset = tvb_get_letohs(tvb, offset);
4574 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4578 offset = dissect_open_flags(tvb, pinfo, tree, offset, 0x0007);
4580 /* desired access */
4581 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
4583 /* Search Attributes */
4584 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
4586 /* File Attributes */
4587 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
4590 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
4593 offset = dissect_open_function(tvb, pinfo, tree, offset);
4595 /* allocation size */
4596 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
4599 /* 8 reserved bytes */
4600 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
4606 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4610 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4612 COUNT_BYTES(fn_len);
4614 if (check_col(pinfo->cinfo, COL_INFO)) {
4615 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
4620 /* call AndXCommand (if there are any) */
4621 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4626 static const true_false_string tfs_ipc_state_nonblocking = {
4627 "Reads/writes return immediately if no data available",
4628 "Reads/writes block if no data available"
4630 static const value_string ipc_state_endpoint_vals[] = {
4631 { 0, "Consumer end of pipe"},
4632 { 1, "Server end of pipe"},
4635 static const value_string ipc_state_pipe_type_vals[] = {
4636 { 0, "Byte stream pipe"},
4637 { 1, "Message pipe"},
4640 static const value_string ipc_state_read_mode_vals[] = {
4641 { 0, "Read pipe as a byte stream"},
4642 { 1, "Read messages from pipe"},
4647 dissect_ipc_state(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
4648 int offset, gboolean setstate)
4651 proto_item *item = NULL;
4652 proto_tree *tree = NULL;
4654 mask = tvb_get_letohs(tvb, offset);
4657 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4658 "IPC State: 0x%04x", mask);
4659 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
4662 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
4663 tvb, offset, 2, mask);
4665 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
4666 tvb, offset, 2, mask);
4667 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
4668 tvb, offset, 2, mask);
4670 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
4671 tvb, offset, 2, mask);
4673 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
4674 tvb, offset, 2, mask);
4683 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4685 guint8 wc, cmd=0xff;
4686 guint16 andxoffset=0, bc;
4691 /* next smb command */
4692 cmd = tvb_get_guint8(tvb, offset);
4694 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4696 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4701 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4705 andxoffset = tvb_get_letohs(tvb, offset);
4706 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4710 fid = tvb_get_letohs(tvb, offset);
4711 add_fid(tvb, pinfo, tree, offset, 2, fid);
4714 /* File Attributes */
4715 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
4717 /* last write time */
4718 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
4721 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4724 /* granted access */
4725 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
4728 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
4732 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
4735 offset = dissect_open_action(tvb, pinfo, tree, offset);
4738 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
4741 /* 2 reserved bytes */
4742 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4749 /* call AndXCommand (if there are any) */
4750 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4756 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4758 guint8 wc, cmd=0xff;
4759 guint16 andxoffset=0, bc, maxcnt = 0;
4766 /* next smb command */
4767 cmd = tvb_get_guint8(tvb, offset);
4769 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4771 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4776 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4780 andxoffset = tvb_get_letohs(tvb, offset);
4781 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4785 fid = tvb_get_letohs(tvb, offset);
4786 add_fid(tvb, pinfo, tree, offset, 2, fid);
4788 if (!pinfo->fd->flags.visited) {
4789 /* remember the FID for the processing of the response */
4790 si = (smb_info_t *)pinfo->private_data;
4791 si->sip->extra_info=(void *)fid;
4795 ofs = tvb_get_letohl(tvb, offset);
4796 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4800 maxcnt = tvb_get_letohs(tvb, offset);
4801 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4804 if (check_col(pinfo->cinfo, COL_INFO))
4805 col_append_fstr(pinfo->cinfo, COL_INFO,
4806 ", %d byte%s at offset %d", maxcnt,
4807 (maxcnt == 1) ? "" : "s", ofs);
4810 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4813 /* XXX - max count high */
4814 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4818 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4823 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
4831 /* call AndXCommand (if there are any) */
4832 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4838 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4840 guint8 wc, cmd=0xff;
4841 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
4842 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4847 /* next smb command */
4848 cmd = tvb_get_guint8(tvb, offset);
4850 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4852 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4857 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4861 andxoffset = tvb_get_letohs(tvb, offset);
4862 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4865 /* If we have seen the request, then print which FID this refers to */
4866 /* first check if we have seen the request */
4867 if(si->sip != NULL && si->sip->frame_req>0){
4868 fid=(int)si->sip->extra_info;
4869 add_fid(tvb, pinfo, tree, 0, 0, fid);
4873 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4876 /* data compaction mode */
4877 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4880 /* 2 reserved bytes */
4881 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4885 datalen = tvb_get_letohs(tvb, offset);
4886 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4889 if (check_col(pinfo->cinfo, COL_INFO))
4890 col_append_fstr(pinfo->cinfo, COL_INFO,
4891 ", %d byte%s", datalen,
4892 (datalen == 1) ? "" : "s");
4895 dataoffset=tvb_get_letohs(tvb, offset);
4896 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
4899 /* 10 reserved bytes */
4900 /* XXX - first 2 bytes are data length high, not reserved */
4901 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
4906 /* is this part of DCERPC over SMB reassembly?*/
4907 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited
4908 && (bc<=tvb_length_remaining(tvb, offset)) ){
4909 gpointer hash_value;
4910 if (si->sip != NULL && (hash_value = g_hash_table_lookup(
4911 si->ct->dcerpc_fid_to_frame,
4912 si->sip->extra_info)) != NULL) {
4913 fragment_data *fd_head;
4914 guint32 frame = GPOINTER_TO_UINT(hash_value);
4916 /* first fragment is always from a SMB Trans command and
4917 offset 0 of the following read/write SMB commands start
4918 BEYOND the first Trans SMB payload. Look for offset
4919 in first read fragment */
4920 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
4922 /* skip to last fragment and add this data there*/
4923 while(fd_head->next){
4924 fd_head=fd_head->next;
4926 /* if dataoffset was not specified in the SMB command
4927 then we try to guess it as good as we can
4930 dataoffset=offset+bc-datalen;
4932 fd_head=fragment_add(tvb, dataoffset, pinfo,
4933 frame, dcerpc_fragment_table,
4934 fd_head->offset+fd_head->len,
4936 /* we completed reassembly, abort searching for more
4939 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
4940 si->sip->extra_info);
4946 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
4949 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
4951 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
4952 top_tree, offset, bc, datalen, fid);
4954 /* ordinary file data, or we didn't see the request,
4955 so we don't know whether this is a DCERPC call
4957 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
4964 /* call AndXCommand (if there are any) */
4965 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4971 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4974 guint8 wc, cmd=0xff;
4975 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
4976 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4981 /* next smb command */
4982 cmd = tvb_get_guint8(tvb, offset);
4984 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4986 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4991 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4995 andxoffset = tvb_get_letohs(tvb, offset);
4996 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5000 fid = tvb_get_letohs(tvb, offset);
5001 add_fid(tvb, pinfo, tree, offset, 2, fid);
5003 if (!pinfo->fd->flags.visited) {
5004 /* remember the FID for the processing of the response */
5005 si->sip->extra_info=(void *)fid;
5009 ofs = tvb_get_letohl(tvb, offset);
5010 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5014 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5018 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x000f);
5021 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5024 /* XXX - data length high */
5025 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5029 datalen = tvb_get_letohs(tvb, offset);
5030 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5034 dataoffset=tvb_get_letohs(tvb, offset);
5035 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5038 /* FIXME: add byte/offset to COL_INFO */
5042 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5048 /* is this part of DCERPC over SMB reassembly?*/
5049 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited && (bc<=tvb_length_remaining(tvb, offset)) ){
5050 gpointer hash_value;
5051 hash_value = g_hash_table_lookup(si->ct->dcerpc_fid_to_frame,
5052 si->sip->extra_info);
5054 fragment_data *fd_head;
5055 guint32 frame = GPOINTER_TO_UINT(hash_value);
5057 /* first fragment is always from a SMB Trans command and
5058 offset 0 of the following read/write SMB commands start
5059 BEYOND the first Trans SMB payload. Look for offset
5060 in first read fragment */
5061 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
5063 /* skip to last fragment and add this data there*/
5064 while(fd_head->next){
5065 fd_head=fd_head->next;
5067 /* if dataoffset was not specified in the SMB command
5068 then we try to guess it as good as we can
5071 dataoffset=offset+bc-datalen;
5073 fd_head=fragment_add(tvb, dataoffset, pinfo,
5074 frame, dcerpc_fragment_table,
5075 fd_head->offset+fd_head->len,
5077 /* we completed reassembly, abort searching for more
5080 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
5081 si->sip->extra_info);
5089 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
5091 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
5092 top_tree, offset, bc, datalen, fid);
5094 /* ordinary file data */
5095 offset = dissect_file_data(tvb, pinfo, tree, offset,
5103 /* call AndXCommand (if there are any) */
5104 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5110 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5112 guint8 wc, cmd=0xff;
5113 guint16 andxoffset=0, bc;
5118 /* next smb command */
5119 cmd = tvb_get_guint8(tvb, offset);
5121 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5123 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5128 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5132 andxoffset = tvb_get_letohs(tvb, offset);
5133 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5136 /* If we have seen the request, then print which FID this refers to */
5137 si = (smb_info_t *)pinfo->private_data;
5138 /* first check if we have seen the request */
5139 if(si->sip != NULL && si->sip->frame_req>0){
5140 add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
5144 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
5148 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5151 /* 4 reserved bytes */
5152 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5159 /* call AndXCommand (if there are any) */
5160 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5166 static const true_false_string tfs_setup_action_guest = {
5167 "Logged in as GUEST",
5168 "Not logged in as GUEST"
5171 dissect_setup_action(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5174 proto_item *item = NULL;
5175 proto_tree *tree = NULL;
5177 mask = tvb_get_letohs(tvb, offset);
5180 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5181 "Action: 0x%04x", mask);
5182 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5185 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5186 tvb, offset, 2, mask);
5195 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5197 guint8 wc, cmd=0xff;
5199 guint16 andxoffset=0;
5206 guint16 apwlen=0, upwlen=0;
5210 /* next smb command */
5211 cmd = tvb_get_guint8(tvb, offset);
5213 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5215 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5220 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5224 andxoffset = tvb_get_letohs(tvb, offset);
5225 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5228 /* Maximum Buffer Size */
5229 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5232 /* Maximum Multiplex Count */
5233 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5237 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5241 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5246 /* password length, ASCII*/
5247 pwlen = tvb_get_letohs(tvb, offset);
5248 proto_tree_add_uint(tree, hf_smb_password_len,
5249 tvb, offset, 2, pwlen);
5252 /* 4 reserved bytes */
5253 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5259 /* security blob length */
5260 sbloblen = tvb_get_letohs(tvb, offset);
5261 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5264 /* 4 reserved bytes */
5265 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5269 dissect_negprot_capabilities(tvb, pinfo, tree, offset);
5275 /* password length, ANSI*/
5276 apwlen = tvb_get_letohs(tvb, offset);
5277 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5278 tvb, offset, 2, apwlen);
5281 /* password length, Unicode*/
5282 upwlen = tvb_get_letohs(tvb, offset);
5283 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5284 tvb, offset, 2, upwlen);
5287 /* 4 reserved bytes */
5288 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5292 dissect_negprot_capabilities(tvb, pinfo, tree, offset);
5302 /* XXX - is this ASN.1-encoded? Is it a Kerberos
5303 data structure, at least in NT 5.0-and-later
5306 CHECK_BYTE_COUNT(sbloblen);
5307 proto_tree_add_item(tree, hf_smb_security_blob,
5308 tvb, offset, sbloblen, TRUE);
5309 COUNT_BYTES(sbloblen);
5313 an = get_unicode_or_ascii_string(tvb, &offset,
5314 pinfo, &an_len, FALSE, FALSE, &bc);
5317 proto_tree_add_string(tree, hf_smb_os, tvb,
5318 offset, an_len, an);
5319 COUNT_BYTES(an_len);
5322 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5323 * padding/null string/whatever in front of this. W2K doesn't
5324 * appear to. I suspect that's a bug that got fixed; I also
5325 * suspect that, in practice, nobody ever looks at that field
5326 * because the bug didn't appear to get fixed until NT 5.0....
5328 an = get_unicode_or_ascii_string(tvb, &offset,
5329 pinfo, &an_len, FALSE, FALSE, &bc);
5332 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5333 offset, an_len, an);
5334 COUNT_BYTES(an_len);
5336 /* Primary domain */
5337 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5338 * byte in front of this, at least if all the strings are
5339 * ASCII and the account name is empty. Another bug?
5341 dn = get_unicode_or_ascii_string(tvb, &offset,
5342 pinfo, &dn_len, FALSE, FALSE, &bc);
5345 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5346 offset, dn_len, dn);
5347 COUNT_BYTES(dn_len);
5353 /* password, ASCII */
5354 CHECK_BYTE_COUNT(pwlen);
5355 proto_tree_add_item(tree, hf_smb_password,
5356 tvb, offset, pwlen, TRUE);
5364 /* password, ANSI */
5365 CHECK_BYTE_COUNT(apwlen);
5366 proto_tree_add_item(tree, hf_smb_ansi_password,
5367 tvb, offset, apwlen, TRUE);
5368 COUNT_BYTES(apwlen);
5372 /* password, Unicode */
5373 CHECK_BYTE_COUNT(upwlen);
5374 proto_tree_add_item(tree, hf_smb_unicode_password,
5375 tvb, offset, upwlen, TRUE);
5376 COUNT_BYTES(upwlen);
5383 an = get_unicode_or_ascii_string(tvb, &offset,
5384 pinfo, &an_len, FALSE, FALSE, &bc);
5387 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5389 COUNT_BYTES(an_len);
5391 /* Primary domain */
5392 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5393 * byte in front of this, at least if all the strings are
5394 * ASCII and the account name is empty. Another bug?
5396 dn = get_unicode_or_ascii_string(tvb, &offset,
5397 pinfo, &dn_len, FALSE, FALSE, &bc);
5400 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5401 offset, dn_len, dn);
5402 COUNT_BYTES(dn_len);
5404 if (check_col(pinfo->cinfo, COL_INFO)) {
5405 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5407 if (!dn[0] && !an[0])
5408 col_append_fstr(pinfo->cinfo, COL_INFO,
5411 col_append_fstr(pinfo->cinfo, COL_INFO,
5416 an = get_unicode_or_ascii_string(tvb, &offset,
5417 pinfo, &an_len, FALSE, FALSE, &bc);
5420 proto_tree_add_string(tree, hf_smb_os, tvb,
5421 offset, an_len, an);
5422 COUNT_BYTES(an_len);
5425 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5426 * padding/null string/whatever in front of this. W2K doesn't
5427 * appear to. I suspect that's a bug that got fixed; I also
5428 * suspect that, in practice, nobody ever looks at that field
5429 * because the bug didn't appear to get fixed until NT 5.0....
5431 an = get_unicode_or_ascii_string(tvb, &offset,
5432 pinfo, &an_len, FALSE, FALSE, &bc);
5435 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5436 offset, an_len, an);
5437 COUNT_BYTES(an_len);
5442 /* call AndXCommand (if there are any) */
5443 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5449 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5451 guint8 wc, cmd=0xff;
5452 guint16 andxoffset=0, bc;
5459 /* next smb command */
5460 cmd = tvb_get_guint8(tvb, offset);
5462 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5464 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5469 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5473 andxoffset = tvb_get_letohs(tvb, offset);
5474 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5478 offset = dissect_setup_action(tvb, pinfo, tree, offset);
5481 /* security blob length */
5482 sbloblen = tvb_get_letohs(tvb, offset);
5483 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5491 /* XXX - is this ASN.1-encoded? Is it a Kerberos
5492 data structure, at least in NT 5.0-and-later
5495 CHECK_BYTE_COUNT(sbloblen);
5496 proto_tree_add_item(tree, hf_smb_security_blob,
5497 tvb, offset, sbloblen, TRUE);
5498 COUNT_BYTES(sbloblen);
5503 an = get_unicode_or_ascii_string(tvb, &offset,
5504 pinfo, &an_len, FALSE, FALSE, &bc);
5507 proto_tree_add_string(tree, hf_smb_os, tvb,
5508 offset, an_len, an);
5509 COUNT_BYTES(an_len);
5512 an = get_unicode_or_ascii_string(tvb, &offset,
5513 pinfo, &an_len, FALSE, FALSE, &bc);
5516 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5517 offset, an_len, an);
5518 COUNT_BYTES(an_len);
5521 /* Primary domain */
5522 an = get_unicode_or_ascii_string(tvb, &offset,
5523 pinfo, &an_len, FALSE, FALSE, &bc);
5526 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5527 offset, an_len, an);
5528 COUNT_BYTES(an_len);
5533 /* call AndXCommand (if there are any) */
5534 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5541 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5543 guint8 wc, cmd=0xff;
5544 guint16 andxoffset=0;
5549 /* next smb command */
5550 cmd = tvb_get_guint8(tvb, offset);
5552 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5554 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5559 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5563 andxoffset = tvb_get_letohs(tvb, offset);
5564 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5571 /* call AndXCommand (if there are any) */
5572 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5578 static const true_false_string tfs_connect_support_search = {
5579 "Exclusive search bits supported",
5580 "Exclusive search bits not supported"
5582 static const true_false_string tfs_connect_support_in_dfs = {
5584 "Share isn't in Dfs"
5588 dissect_connect_support_bits(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5591 proto_item *item = NULL;
5592 proto_tree *tree = NULL;
5594 mask = tvb_get_letohs(tvb, offset);
5597 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5598 "Optional Support: 0x%04x", mask);
5599 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
5602 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
5603 tvb, offset, 2, mask);
5604 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
5605 tvb, offset, 2, mask);
5612 static const true_false_string tfs_disconnect_tid = {
5614 "Do NOT disconnect TID"
5618 dissect_connect_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5621 proto_item *item = NULL;
5622 proto_tree *tree = NULL;
5624 mask = tvb_get_letohs(tvb, offset);
5627 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5628 "Flags: 0x%04x", mask);
5629 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
5632 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
5633 tvb, offset, 2, mask);
5641 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5643 guint8 wc, cmd=0xff;
5645 guint16 andxoffset=0, pwlen=0;
5651 /* next smb command */
5652 cmd = tvb_get_guint8(tvb, offset);
5654 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5656 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
5661 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5665 andxoffset = tvb_get_letohs(tvb, offset);
5666 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5670 offset = dissect_connect_flags(tvb, pinfo, tree, offset);
5672 /* password length*/
5673 pwlen = tvb_get_letohs(tvb, offset);
5674 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
5680 CHECK_BYTE_COUNT(pwlen);
5681 proto_tree_add_item(tree, hf_smb_password,
5682 tvb, offset, pwlen, TRUE);
5686 an = get_unicode_or_ascii_string(tvb, &offset,
5687 pinfo, &an_len, FALSE, FALSE, &bc);
5690 proto_tree_add_string(tree, hf_smb_path, tvb,
5691 offset, an_len, an);
5692 COUNT_BYTES(an_len);
5694 if (check_col(pinfo->cinfo, COL_INFO)) {
5695 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
5699 * NOTE: the Service string is always ASCII, even if the
5700 * "strings are Unicode" bit is set in the flags2 field
5705 /* XXX - what if this runs past bc? */
5706 an_len = tvb_strsize(tvb, offset);
5707 CHECK_BYTE_COUNT(an_len);
5708 an = tvb_get_ptr(tvb, offset, an_len);
5709 proto_tree_add_string(tree, hf_smb_service, tvb,
5710 offset, an_len, an);
5711 COUNT_BYTES(an_len);
5715 /* call AndXCommand (if there are any) */
5716 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5723 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5725 guint8 wc, wleft, cmd=0xff;
5726 guint16 andxoffset=0;
5733 wleft = wc; /* this is at least 1 */
5735 /* next smb command */
5736 cmd = tvb_get_guint8(tvb, offset);
5738 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5740 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
5745 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5753 andxoffset = tvb_get_letohs(tvb, offset);
5754 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5761 offset = dissect_connect_support_bits(tvb, pinfo, tree, offset);
5764 /* XXX - I've seen captures where this is 7, but I have no
5765 idea how to dissect it. I'm guessing the third word
5766 contains connect support bits, which looks plausible
5767 from the values I've seen. */
5769 while (wleft != 0) {
5770 proto_tree_add_text(tree, tvb, offset, 2,
5771 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
5779 * NOTE: even though the SNIA CIFS spec doesn't say there's
5780 * a "Service" string if there's a word count of 2, the
5783 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
5785 * (it's in an ugly format - text intended to be sent to a
5786 * printer, with backspaces and overstrikes used for boldfacing
5787 * and underlining; UNIX "col -b" can be used to strip the
5788 * overstrikes out) says there's a "Service" string there, and
5789 * some network traffic has it.
5793 * NOTE: the Service string is always ASCII, even if the
5794 * "strings are Unicode" bit is set in the flags2 field
5799 /* XXX - what if this runs past bc? */
5800 an_len = tvb_strsize(tvb, offset);
5801 CHECK_BYTE_COUNT(an_len);
5802 an = tvb_get_ptr(tvb, offset, an_len);
5803 proto_tree_add_string(tree, hf_smb_service, tvb,
5804 offset, an_len, an);
5805 COUNT_BYTES(an_len);
5807 /* Now when we know the service type, store it so that we know it for later commands down
5809 if(!pinfo->fd->flags.visited){
5810 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5811 /* Remove any previous entry for this TID */
5812 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
5813 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
5815 if(strcmp(an,"IPC") == 0){
5816 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
5818 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
5826 * Sometimes this isn't present.
5830 an = get_unicode_or_ascii_string(tvb, &offset,
5831 pinfo, &an_len, /*TRUE*/FALSE, FALSE, &bc);
5834 proto_tree_add_string(tree, hf_smb_fs, tvb,
5835 offset, an_len, an);
5836 COUNT_BYTES(an_len);
5842 /* call AndXCommand (if there are any) */
5843 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5850 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5851 NT Transaction command begins here
5852 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
5853 #define NT_TRANS_CREATE 1
5854 #define NT_TRANS_IOCTL 2
5855 #define NT_TRANS_SSD 3
5856 #define NT_TRANS_NOTIFY 4
5857 #define NT_TRANS_RENAME 5
5858 #define NT_TRANS_QSD 6
5859 #define NT_TRANS_GET_USER_QUOTA 7
5860 #define NT_TRANS_SET_USER_QUOTA 8
5861 static const value_string nt_cmd_vals[] = {
5862 {NT_TRANS_CREATE, "NT CREATE"},
5863 {NT_TRANS_IOCTL, "NT IOCTL"},
5864 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
5865 {NT_TRANS_NOTIFY, "NT NOTIFY"},
5866 {NT_TRANS_RENAME, "NT RENAME"},
5867 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
5868 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
5869 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
5873 static const value_string nt_ioctl_isfsctl_vals[] = {
5874 {0, "Device IOCTL"},
5875 {1, "FS control : FSCTL"},
5879 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
5880 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
5881 "Apply the command to share root handle (MUST BE Dfs)",
5882 "Apply to this share",
5885 static const value_string nt_notify_action_vals[] = {
5886 {1, "ADDED (object was added"},
5887 {2, "REMOVED (object was removed)"},
5888 {3, "MODIFIED (object was modified)"},
5889 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
5890 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
5891 {6, "ADDED_STREAM (a stream was added)"},
5892 {7, "REMOVED_STREAM (a stream was removed)"},
5893 {8, "MODIFIED_STREAM (a stream was modified)"},
5897 static const value_string watch_tree_vals[] = {
5898 {0, "Current directory only"},
5899 {1, "Subdirectories also"},
5903 #define NT_NOTIFY_STREAM_WRITE 0x00000800
5904 #define NT_NOTIFY_STREAM_SIZE 0x00000400
5905 #define NT_NOTIFY_STREAM_NAME 0x00000200
5906 #define NT_NOTIFY_SECURITY 0x00000100
5907 #define NT_NOTIFY_EA 0x00000080
5908 #define NT_NOTIFY_CREATION 0x00000040
5909 #define NT_NOTIFY_LAST_ACCESS 0x00000020
5910 #define NT_NOTIFY_LAST_WRITE 0x00000010
5911 #define NT_NOTIFY_SIZE 0x00000008
5912 #define NT_NOTIFY_ATTRIBUTES 0x00000004
5913 #define NT_NOTIFY_DIR_NAME 0x00000002
5914 #define NT_NOTIFY_FILE_NAME 0x00000001
5915 static const true_false_string tfs_nt_notify_stream_write = {
5916 "Notify on changes to STREAM WRITE",
5917 "Do NOT notify on changes to stream write",
5919 static const true_false_string tfs_nt_notify_stream_size = {
5920 "Notify on changes to STREAM SIZE",
5921 "Do NOT notify on changes to stream size",
5923 static const true_false_string tfs_nt_notify_stream_name = {
5924 "Notify on changes to STREAM NAME",
5925 "Do NOT notify on changes to stream name",
5927 static const true_false_string tfs_nt_notify_security = {
5928 "Notify on changes to SECURITY",
5929 "Do NOT notify on changes to security",
5931 static const true_false_string tfs_nt_notify_ea = {
5932 "Notify on changes to EA",
5933 "Do NOT notify on changes to EA",
5935 static const true_false_string tfs_nt_notify_creation = {
5936 "Notify on changes to CREATION TIME",
5937 "Do NOT notify on changes to creation time",
5939 static const true_false_string tfs_nt_notify_last_access = {
5940 "Notify on changes to LAST ACCESS TIME",
5941 "Do NOT notify on changes to last access time",
5943 static const true_false_string tfs_nt_notify_last_write = {
5944 "Notify on changes to LAST WRITE TIME",
5945 "Do NOT notify on changes to last write time",
5947 static const true_false_string tfs_nt_notify_size = {
5948 "Notify on changes to SIZE",
5949 "Do NOT notify on changes to size",
5951 static const true_false_string tfs_nt_notify_attributes = {
5952 "Notify on changes to ATTRIBUTES",
5953 "Do NOT notify on changes to attributes",
5955 static const true_false_string tfs_nt_notify_dir_name = {
5956 "Notify on changes to DIR NAME",
5957 "Do NOT notify on changes to dir name",
5959 static const true_false_string tfs_nt_notify_file_name = {
5960 "Notify on changes to FILE NAME",
5961 "Do NOT notify on changes to file name",
5964 static const value_string create_disposition_vals[] = {
5965 {0, "Supersede (supersede existing file (if it exists))"},
5966 {1, "Open (if file exists open it, else fail)"},
5967 {2, "Create (if file exists fail, else create it)"},
5968 {3, "Open If (if file exists open it, else create it)"},
5969 {4, "Overwrite (if file exists overwrite, else fail)"},
5970 {5, "Overwrite If (if file exists overwrite, else create it)"},
5974 static const value_string impersonation_level_vals[] = {
5976 {1, "Identification"},
5977 {2, "Impersonation"},
5982 static const true_false_string tfs_nt_security_flags_context_tracking = {
5983 "Security tracking mode is DYNAMIC",
5984 "Security tracking mode is STATIC",
5987 static const true_false_string tfs_nt_security_flags_effective_only = {
5988 "ONLY ENABLED aspects of the client's security context are available",
5989 "ALL aspects of the client's security context are available",
5992 static const true_false_string tfs_nt_create_bits_oplock = {
5993 "Requesting OPLOCK",
5994 "Does NOT request oplock"
5997 static const true_false_string tfs_nt_create_bits_boplock = {
5998 "Requesting BATCH OPLOCK",
5999 "Does NOT request batch oplock"
6003 * XXX - must be a directory, and can be a file, or can be a directory,
6004 * and must be a file?
6006 static const true_false_string tfs_nt_create_bits_dir = {
6007 "Target of open MUST be a DIRECTORY",
6008 "Target of open can be a file"
6011 static const true_false_string tfs_nt_access_mask_generic_read = {
6012 "GENERIC READ is set",
6013 "Generic read is NOT set"
6015 static const true_false_string tfs_nt_access_mask_generic_write = {
6016 "GENERIC WRITE is set",
6017 "Generic write is NOT set"
6019 static const true_false_string tfs_nt_access_mask_generic_execute = {
6020 "GENERIC EXECUTE is set",
6021 "Generic execute is NOT set"
6023 static const true_false_string tfs_nt_access_mask_generic_all = {
6024 "GENERIC ALL is set",
6025 "Generic all is NOT set"
6027 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6028 "MAXIMUM ALLOWED is set",
6029 "Maximum allowed is NOT set"
6031 static const true_false_string tfs_nt_access_mask_system_security = {
6032 "SYSTEM SECURITY is set",
6033 "System security is NOT set"
6035 static const true_false_string tfs_nt_access_mask_synchronize = {
6036 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6037 "Can NOT wait on handle to synchronize on completion of I/O"
6039 static const true_false_string tfs_nt_access_mask_write_owner = {
6040 "Can WRITE OWNER (take ownership)",
6041 "Can NOT write owner (take ownership)"
6043 static const true_false_string tfs_nt_access_mask_write_dac = {
6044 "OWNER may WRITE the DAC",
6045 "Owner may NOT write to the DAC"
6047 static const true_false_string tfs_nt_access_mask_read_control = {
6048 "READ ACCESS to owner, group and ACL of the SID",
6049 "Read access is NOT granted to owner, group and ACL of the SID"
6051 static const true_false_string tfs_nt_access_mask_delete = {
6055 static const true_false_string tfs_nt_access_mask_write_attributes = {
6056 "WRITE ATTRIBUTES access",
6057 "NO write attributes access"
6059 static const true_false_string tfs_nt_access_mask_read_attributes = {
6060 "READ ATTRIBUTES access",
6061 "NO read attributes access"
6063 static const true_false_string tfs_nt_access_mask_delete_child = {
6064 "DELETE CHILD access",
6065 "NO delete child access"
6067 static const true_false_string tfs_nt_access_mask_execute = {
6071 static const true_false_string tfs_nt_access_mask_write_ea = {
6072 "WRITE EXTENDED ATTRIBUTES access",
6073 "NO write extended attributes access"
6075 static const true_false_string tfs_nt_access_mask_read_ea = {
6076 "READ EXTENDED ATTRIBUTES access",
6077 "NO read extended attributes access"
6079 static const true_false_string tfs_nt_access_mask_append = {
6083 static const true_false_string tfs_nt_access_mask_write = {
6087 static const true_false_string tfs_nt_access_mask_read = {
6092 static const true_false_string tfs_nt_share_access_delete = {
6093 "Object can be shared for DELETE",
6094 "Object can NOT be shared for delete"
6096 static const true_false_string tfs_nt_share_access_write = {
6097 "Object can be shared for WRITE",
6098 "Object can NOT be shared for write"
6100 static const true_false_string tfs_nt_share_access_read = {
6101 "Object can be shared for READ",
6102 "Object can NOT be shared for delete"
6105 static const value_string oplock_level_vals[] = {
6106 {0, "No oplock granted"},
6107 {1, "Exclusive oplock granted"},
6108 {2, "Batch oplock granted"},
6109 {3, "Level II oplock granted"},
6113 static const value_string device_type_vals[] = {
6114 {0x00000001, "Beep"},
6115 {0x00000002, "CDROM"},
6116 {0x00000003, "CDROM Filesystem"},
6117 {0x00000004, "Controller"},
6118 {0x00000005, "Datalink"},
6119 {0x00000006, "Dfs"},
6120 {0x00000007, "Disk"},
6121 {0x00000008, "Disk Filesystem"},
6122 {0x00000009, "Filesystem"},
6123 {0x0000000a, "Inport Port"},
6124 {0x0000000b, "Keyboard"},
6125 {0x0000000c, "Mailslot"},
6126 {0x0000000d, "MIDI-In"},
6127 {0x0000000e, "MIDI-Out"},
6128 {0x0000000f, "Mouse"},
6129 {0x00000010, "Multi UNC Provider"},
6130 {0x00000011, "Named Pipe"},
6131 {0x00000012, "Network"},
6132 {0x00000013, "Network Browser"},
6133 {0x00000014, "Network Filesystem"},
6134 {0x00000015, "NULL"},
6135 {0x00000016, "Parallel Port"},
6136 {0x00000017, "Physical card"},
6137 {0x00000018, "Printer"},
6138 {0x00000019, "Scanner"},
6139 {0x0000001a, "Serial Mouse port"},
6140 {0x0000001b, "Serial port"},
6141 {0x0000001c, "Screen"},
6142 {0x0000001d, "Sound"},
6143 {0x0000001e, "Streams"},
6144 {0x0000001f, "Tape"},
6145 {0x00000020, "Tape Filesystem"},
6146 {0x00000021, "Transport"},
6147 {0x00000022, "Unknown"},
6148 {0x00000023, "Video"},
6149 {0x00000024, "Virtual Disk"},
6150 {0x00000025, "WAVE-In"},
6151 {0x00000026, "WAVE-Out"},
6152 {0x00000027, "8042 Port"},
6153 {0x00000028, "Network Redirector"},
6154 {0x00000029, "Battery"},
6155 {0x0000002a, "Bus Extender"},
6156 {0x0000002b, "Modem"},
6157 {0x0000002c, "VDM"},
6161 static const value_string is_directory_vals[] = {
6162 {0, "This is NOT a directory"},
6163 {1, "This is a DIRECTORY"},
6167 typedef struct _nt_trans_data {
6176 dissect_nt_security_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6179 proto_item *item = NULL;
6180 proto_tree *tree = NULL;
6182 mask = tvb_get_guint8(tvb, offset);
6185 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6186 "Security Flags: 0x%02x", mask);
6187 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
6190 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6191 tvb, offset, 1, mask);
6192 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6193 tvb, offset, 1, mask);
6201 dissect_nt_share_access(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6204 proto_item *item = NULL;
6205 proto_tree *tree = NULL;
6207 mask = tvb_get_letohl(tvb, offset);
6210 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6211 "Share Access: 0x%08x", mask);
6212 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6215 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6216 tvb, offset, 4, mask);
6217 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6218 tvb, offset, 4, mask);
6219 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6220 tvb, offset, 4, mask);
6229 dissect_nt_access_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6232 proto_item *item = NULL;
6233 proto_tree *tree = NULL;
6235 mask = tvb_get_letohl(tvb, offset);
6238 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6239 "Access Mask: 0x%08x", mask);
6240 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6244 * Some of these bits come from
6246 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6248 * and others come from the section on ZwOpenFile in "Windows(R)
6249 * NT(R)/2000 Native API Reference".
6251 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6252 tvb, offset, 4, mask);
6253 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6254 tvb, offset, 4, mask);
6255 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6256 tvb, offset, 4, mask);
6257 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6258 tvb, offset, 4, mask);
6259 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6260 tvb, offset, 4, mask);
6261 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6262 tvb, offset, 4, mask);
6263 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6264 tvb, offset, 4, mask);
6265 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6266 tvb, offset, 4, mask);
6267 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6268 tvb, offset, 4, mask);
6269 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6270 tvb, offset, 4, mask);
6271 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6272 tvb, offset, 4, mask);
6273 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6274 tvb, offset, 4, mask);
6275 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6276 tvb, offset, 4, mask);
6277 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6278 tvb, offset, 4, mask);
6279 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6280 tvb, offset, 4, mask);
6281 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6282 tvb, offset, 4, mask);
6283 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6284 tvb, offset, 4, mask);
6285 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6286 tvb, offset, 4, mask);
6287 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6288 tvb, offset, 4, mask);
6289 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6290 tvb, offset, 4, mask);
6298 dissect_nt_create_bits(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6301 proto_item *item = NULL;
6302 proto_tree *tree = NULL;
6304 mask = tvb_get_letohl(tvb, offset);
6307 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6308 "Create Flags: 0x%08x", mask);
6309 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6313 * XXX - it's 0x00000016 in at least one capture, but
6314 * Network Monitor doesn't say what the 0x00000010 bit is.
6315 * Does the Win32 API documentation, or NT Native API book,
6318 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6319 tvb, offset, 4, mask);
6320 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6321 tvb, offset, 4, mask);
6322 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6323 tvb, offset, 4, mask);
6331 * XXX - there are some more flags in the description of "ZwOpenFile()"
6332 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6333 * the wire as well? (The spec at
6335 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6337 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6338 * via the SMB protocol. The NT redirector should convert this option
6339 * to FILE_WRITE_THROUGH."
6341 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6342 * values one would infer from their position in the list of flags for
6343 * "ZwOpenFile()". Most of the others probably have those values
6344 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6345 * which might go over the wire (for the benefit of backup/restore software).
6347 static const true_false_string tfs_nt_create_options_directory = {
6348 "File being created/opened must be a directory",
6349 "File being created/opened must not be a directory"
6351 static const true_false_string tfs_nt_create_options_write_through = {
6352 "Writes should flush buffered data before completing",
6353 "Writes need not flush buffered data before completing"
6355 static const true_false_string tfs_nt_create_options_sequential_only = {
6356 "The file will only be accessed sequentially",
6357 "The file might not only be accessed sequentially"
6359 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6360 "All operations SYNCHRONOUS, waits subject to termination from alert",
6361 "Operations NOT necessarily synchronous"
6363 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6364 "All operations SYNCHRONOUS, waits not subject to alert",
6365 "Operations NOT necessarily synchronous"
6367 static const true_false_string tfs_nt_create_options_non_directory = {
6368 "File being created/opened must not be a directory",
6369 "File being created/opened must be a directory"
6371 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6372 "The client does not understand extended attributes",
6373 "The client understands extended attributes"
6375 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6376 "The client understands only 8.3 file names",
6377 "The client understands long file names"
6379 static const true_false_string tfs_nt_create_options_random_access = {
6380 "The file will be accessed randomly",
6381 "The file will not be accessed randomly"
6383 static const true_false_string tfs_nt_create_options_delete_on_close = {
6384 "The file should be deleted when it is closed",
6385 "The file should not be deleted when it is closed"
6389 dissect_nt_create_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6392 proto_item *item = NULL;
6393 proto_tree *tree = NULL;
6395 mask = tvb_get_letohl(tvb, offset);
6398 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6399 "Create Options: 0x%08x", mask);
6400 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6406 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6408 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6409 tvb, offset, 4, mask);
6410 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6411 tvb, offset, 4, mask);
6412 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6413 tvb, offset, 4, mask);
6414 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6415 tvb, offset, 4, mask);
6416 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6417 tvb, offset, 4, mask);
6418 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6419 tvb, offset, 4, mask);
6420 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6421 tvb, offset, 4, mask);
6422 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
6423 tvb, offset, 4, mask);
6424 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
6425 tvb, offset, 4, mask);
6426 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
6427 tvb, offset, 4, mask);
6435 dissect_nt_notify_completion_filter(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6438 proto_item *item = NULL;
6439 proto_tree *tree = NULL;
6441 mask = tvb_get_letohl(tvb, offset);
6444 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6445 "Completion Filter: 0x%08x", mask);
6446 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
6449 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
6450 tvb, offset, 4, mask);
6451 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
6452 tvb, offset, 4, mask);
6453 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
6454 tvb, offset, 4, mask);
6455 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
6456 tvb, offset, 4, mask);
6457 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
6458 tvb, offset, 4, mask);
6459 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
6460 tvb, offset, 4, mask);
6461 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
6462 tvb, offset, 4, mask);
6463 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
6464 tvb, offset, 4, mask);
6465 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
6466 tvb, offset, 4, mask);
6467 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
6468 tvb, offset, 4, mask);
6469 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
6470 tvb, offset, 4, mask);
6471 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
6472 tvb, offset, 4, mask);
6479 dissect_nt_ioctl_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6482 proto_item *item = NULL;
6483 proto_tree *tree = NULL;
6485 mask = tvb_get_guint8(tvb, offset);
6488 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6489 "Completion Filter: 0x%02x", mask);
6490 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
6493 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
6494 tvb, offset, 1, mask);
6501 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
6502 * Native API Reference".
6504 static const true_false_string tfs_nt_qsd_owner = {
6505 "Requesting OWNER security information",
6506 "NOT requesting owner security information",
6509 static const true_false_string tfs_nt_qsd_group = {
6510 "Requesting GROUP security information",
6511 "NOT requesting group security information",
6514 static const true_false_string tfs_nt_qsd_dacl = {
6515 "Requesting DACL security information",
6516 "NOT requesting DACL security information",
6519 static const true_false_string tfs_nt_qsd_sacl = {
6520 "Requesting SACL security information",
6521 "NOT requesting SACL security information",
6524 #define NT_QSD_OWNER 0x00000001
6525 #define NT_QSD_GROUP 0x00000002
6526 #define NT_QSD_DACL 0x00000004
6527 #define NT_QSD_SACL 0x00000008
6530 dissect_security_information_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6533 proto_item *item = NULL;
6534 proto_tree *tree = NULL;
6536 mask = tvb_get_letohl(tvb, offset);
6539 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6540 "Security Information: 0x%08x", mask);
6541 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
6544 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
6545 tvb, offset, 4, mask);
6546 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
6547 tvb, offset, 4, mask);
6548 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
6549 tvb, offset, 4, mask);
6550 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
6551 tvb, offset, 4, mask);
6559 free_g_string(void *arg)
6561 GString *gstring = arg;
6563 g_string_free(arg, TRUE);
6567 dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
6569 proto_item *item = NULL;
6570 proto_tree *tree = NULL;
6571 int old_offset = offset, sa_offset = offset;
6572 guint *s_auths = NULL;
6576 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
6581 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6583 tree = proto_item_add_subtree(item, ett_smb_sid);
6586 /* revision of sid */
6587 revision = tvb_get_guint8(tvb, offset);
6588 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, offset, 1, TRUE);
6593 case 2: /* Not sure what the different revision numbers mean */
6594 /* number of authorities*/
6595 num_auth = tvb_get_guint8(tvb, offset);
6596 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, offset, 1, TRUE);
6599 /* XXX perhaps we should have these thing searchable?
6600 a new FT_xxx thingie? SMB is quite common!*/
6601 /* identifier authorities */
6603 /* FIXME: We should dynamically allocate the authorities array,
6604 which is only one thing. Then we don't have to allocate two
6605 strings below etc ...
6609 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
6614 proto_tree_add_text(tree, tvb, offset - 6, 6, "Authority: %u", auth);
6618 CLEANUP_PUSH(free, s_auths);
6620 s_auths = g_malloc(sizeof(guint) * num_auth);
6622 /* sub authorities, leave RID to last */
6623 /* FIXME: If we take an exception now, we lose the whole
6624 sub-authorities string thang */
6625 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
6626 /* XXX should not be letohl but native byteorder according to
6627 samba header files. considering that all non-x86 NT ports
6628 are dead we can (?) assume that non le byte encodings
6629 will be "uncommon"?*/
6630 s_auths[i] = tvb_get_letohl(tvb, offset);
6634 CLEANUP_CALL_AND_POP;
6636 gstr = g_string_new("");
6638 for (i = 0; i < (num_auth>4?(num_auth - 1):num_auth); i++)
6639 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"), s_auths[i]);
6641 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
6644 rid = tvb_get_letohl(tvb, offset);
6645 proto_tree_add_text(tree, tvb, offset, 4, "RID: %u", rid);
6646 proto_item_append_text(item, ": S-1-%u-%s-%u", auth, gstr->str, rid);
6650 proto_item_append_text(item, ": S-1-%u-%s", auth, gstr->str);
6655 proto_item_set_len(item, offset-old_offset);
6660 static const value_string ace_type_vals[] = {
6661 { 0, "Access Allowed"},
6662 { 1, "Access Denied"},
6663 { 2, "System Audit"},
6664 { 3, "System Alarm"},
6667 static const true_false_string tfs_ace_flags_object_inherit = {
6668 "Subordinate files will inherit this ACE",
6669 "Subordinate files will not inherit this ACE"
6671 static const true_false_string tfs_ace_flags_container_inherit = {
6672 "Subordinate containers will inherit this ACE",
6673 "Subordinate containers will not inherit this ACE"
6675 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
6676 "Subordinate object will not propagate the inherited ACE further",
6677 "Subordinate object will propagate the inherited ACE further"
6679 static const true_false_string tfs_ace_flags_inherit_only = {
6680 "This ACE does not apply to the current object",
6681 "This ACE applies to the current object"
6683 static const true_false_string tfs_ace_flags_inherited_ace = {
6684 "This ACE was inherited from its parent object",
6685 "This ACE was not inherited from its parent object"
6687 static const true_false_string tfs_ace_flags_successful_access = {
6688 "Successful accesses will be audited",
6689 "Successful accesses will not be audited"
6691 static const true_false_string tfs_ace_flags_failed_access = {
6692 "Failed accesses will be audited",
6693 "Failed accesses will not be audited"
6696 #define APPEND_ACE_TEXT(flag, item, string) \
6699 proto_item_append_text(item, string, sep); \
6704 dissect_nt_v2_ace_flags(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6706 proto_item *item = NULL;
6707 proto_tree *tree = NULL;
6711 mask = tvb_get_guint8(tvb, offset);
6713 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6714 "NT ACE Flags: 0x%02x", mask);
6715 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
6718 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
6719 tvb, offset, 1, mask);
6720 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
6722 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
6723 tvb, offset, 1, mask);
6724 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
6726 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
6727 tvb, offset, 1, mask);
6728 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
6730 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
6731 tvb, offset, 1, mask);
6732 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
6734 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
6735 tvb, offset, 1, mask);
6736 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
6738 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
6739 tvb, offset, 1, mask);
6740 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
6742 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
6743 tvb, offset, 1, mask);
6744 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
6752 dissect_nt_v2_ace(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6754 proto_item *item = NULL;
6755 proto_tree *tree = NULL;
6756 int old_offset = offset;
6759 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6761 tree = proto_item_add_subtree(item, ett_smb_ace);
6766 proto_item_append_text(item, val_to_str(tvb_get_guint8(tvb, offset), ace_type_vals, "Unknown ACE type (%u)"));
6768 proto_tree_add_item(tree, hf_smb_ace_type, tvb, offset, 1, TRUE);
6772 offset = dissect_nt_v2_ace_flags(tvb, pinfo, offset, tree);
6775 proto_tree_add_item(tree, hf_smb_ace_size, tvb, offset, 2, TRUE);
6779 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
6782 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "ACE");
6784 proto_item_set_len(item, offset-old_offset);
6789 dissect_nt_acl(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
6791 proto_item *item = NULL;
6792 proto_tree *tree = NULL;
6793 int old_offset = offset;
6794 guint16 revision, size;
6798 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6800 tree = proto_item_add_subtree(item, ett_smb_acl);
6804 revision = tvb_get_letohs(tvb, offset);
6805 proto_tree_add_uint(tree, hf_smb_acl_revision,
6806 tvb, offset, 2, revision);
6810 case 2: /* only version we will ever see of this structure?*/
6813 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
6816 /* number of ace structures */
6817 num_aces = tvb_get_letohl(tvb, offset);
6818 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
6819 tvb, offset, 4, num_aces);
6823 offset=dissect_nt_v2_ace(tvb, pinfo, offset, tree);
6827 proto_item_set_len(item, offset-old_offset);
6831 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
6832 "OWNER is DEFAULTED",
6833 "Owner is NOT defaulted"
6835 static const true_false_string tfs_sec_desc_type_group_defaulted = {
6836 "GROUP is DEFAULTED",
6837 "Group is NOT defaulted"
6839 static const true_false_string tfs_sec_desc_type_dacl_present = {
6841 "DACL is NOT present"
6843 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
6844 "DACL is DEFAULTED",
6845 "DACL is NOT defaulted"
6847 static const true_false_string tfs_sec_desc_type_sacl_present = {
6849 "SACL is NOT present"
6851 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
6852 "SACL is DEFAULTED",
6853 "SACL is NOT defaulted"
6855 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
6856 "DACL has AUTO INHERIT REQUIRED",
6857 "DACL does NOT require auto inherit"
6859 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
6860 "SACL has AUTO INHERIT REQUIRED",
6861 "SACL does NOT require auto inherit"
6863 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
6864 "DACL is AUTO INHERITED",
6865 "DACL is NOT auto inherited"
6867 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
6868 "SACL is AUTO INHERITED",
6869 "SACL is NOT auto inherited"
6871 static const true_false_string tfs_sec_desc_type_dacl_protected = {
6872 "The DACL is PROTECTED",
6873 "The DACL is NOT protected"
6875 static const true_false_string tfs_sec_desc_type_sacl_protected = {
6876 "The SACL is PROTECTED",
6877 "The SACL is NOT protected"
6879 static const true_false_string tfs_sec_desc_type_self_relative = {
6880 "This SecDesc is SELF RELATIVE",
6881 "This SecDesc is NOT self relative"
6886 dissect_nt_sec_desc_type(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6888 proto_item *item = NULL;
6889 proto_tree *tree = NULL;
6892 mask = tvb_get_letohs(tvb, offset);
6894 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6895 "Type: 0x%04x", mask);
6896 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
6899 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
6900 tvb, offset, 2, mask);
6901 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
6902 tvb, offset, 2, mask);
6903 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
6904 tvb, offset, 2, mask);
6905 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
6906 tvb, offset, 2, mask);
6907 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
6908 tvb, offset, 2, mask);
6909 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
6910 tvb, offset, 2, mask);
6911 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
6912 tvb, offset, 2, mask);
6913 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
6914 tvb, offset, 2, mask);
6915 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
6916 tvb, offset, 2, mask);
6917 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
6918 tvb, offset, 2, mask);
6919 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
6920 tvb, offset, 2, mask);
6921 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
6922 tvb, offset, 2, mask);
6923 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
6924 tvb, offset, 2, mask);
6933 dissect_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len)
6935 proto_item *item = NULL;
6936 proto_tree *tree = NULL;
6938 int old_offset = offset;
6939 guint32 owner_sid_offset;
6940 guint32 group_sid_offset;
6941 guint32 sacl_offset;
6942 guint32 dacl_offset;
6945 item = proto_tree_add_text(parent_tree, tvb, offset, len,
6946 "NT Security Descriptor");
6947 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
6951 revision = tvb_get_letohs(tvb, offset);
6952 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
6953 tvb, offset, 2, revision);
6957 case 1: /* only version we will ever see of this structure?*/
6959 offset = dissect_nt_sec_desc_type(tvb, pinfo, offset, tree);
6961 /* offset to owner sid */
6962 owner_sid_offset = tvb_get_letohl(tvb, offset);
6963 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %d", owner_sid_offset);
6966 /* offset to group sid */
6967 group_sid_offset = tvb_get_letohl(tvb, offset);
6968 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %d", group_sid_offset);
6971 /* offset to sacl */
6972 sacl_offset = tvb_get_letohl(tvb, offset);
6973 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %d", sacl_offset);
6976 /* offset to dacl */
6977 dacl_offset = tvb_get_letohl(tvb, offset);
6978 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %d", dacl_offset);
6982 if(owner_sid_offset){
6983 dissect_nt_sid(tvb, pinfo, old_offset+owner_sid_offset, tree, "Owner");
6987 if(group_sid_offset){
6988 dissect_nt_sid(tvb, pinfo, old_offset+group_sid_offset, tree, "Group");
6993 dissect_nt_acl(tvb, pinfo, old_offset+sacl_offset, tree, "System (SACL)");
6998 dissect_nt_acl(tvb, pinfo, old_offset+dacl_offset, tree, "User (DACL)");
7007 dissect_nt_user_quota(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp)
7009 int old_offset, old_sid_offset;
7015 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7016 qsize=tvb_get_letohl(tvb, offset);
7017 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7018 COUNT_BYTES_TRANS_SUBR(4);
7020 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7022 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7023 COUNT_BYTES_TRANS_SUBR(4);
7025 /* 16 unknown bytes */
7026 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7027 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7029 COUNT_BYTES_TRANS_SUBR(8);
7031 /* number of bytes for used quota */
7032 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7033 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7034 COUNT_BYTES_TRANS_SUBR(8);
7036 /* number of bytes for quota warning */
7037 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7038 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7039 COUNT_BYTES_TRANS_SUBR(8);
7041 /* number of bytes for quota limit */
7042 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7043 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7044 COUNT_BYTES_TRANS_SUBR(8);
7046 /* SID of the user */
7047 old_sid_offset=offset;
7048 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Quota");
7049 *bcp -= (offset-old_sid_offset);
7052 offset = old_offset+qsize;
7062 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7064 proto_item *item = NULL;
7065 proto_tree *tree = NULL;
7067 int old_offset = offset;
7068 guint16 bcp=bc; /* XXX fixme */
7070 si = (smb_info_t *)pinfo->private_data;
7073 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7075 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7076 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7079 switch(ntd->subcmd){
7080 case NT_TRANS_CREATE:
7081 /* security descriptor */
7083 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, ntd->sd_len);
7086 /* extended attributes */
7088 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7089 offset += ntd->ea_len;
7093 case NT_TRANS_IOCTL:
7095 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
7100 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, bc);
7102 case NT_TRANS_NOTIFY:
7104 case NT_TRANS_RENAME:
7105 /* XXX not documented */
7109 case NT_TRANS_GET_USER_QUOTA:
7110 /* unknown 4 bytes */
7111 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7116 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7119 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Quota");
7121 case NT_TRANS_SET_USER_QUOTA:
7122 offset = dissect_nt_user_quota(tvb, pinfo, tree, offset, &bcp);
7126 /* ooops there were data we didnt know how to process */
7127 if((offset-old_offset) < bc){
7128 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7129 bc - (offset-old_offset), TRUE);
7130 offset += bc - (offset-old_offset);
7137 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7139 proto_item *item = NULL;
7140 proto_tree *tree = NULL;
7145 si = (smb_info_t *)pinfo->private_data;
7148 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7150 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7151 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7154 switch(ntd->subcmd){
7155 case NT_TRANS_CREATE:
7157 offset = dissect_nt_create_bits(tvb, pinfo, tree, offset);
7160 /* root directory fid */
7161 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7164 /* nt access mask */
7165 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
7168 /* allocation size */
7169 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7172 /* Extended File Attributes */
7173 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
7177 offset = dissect_nt_share_access(tvb, pinfo, tree, offset);
7180 /* create disposition */
7181 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7184 /* create options */
7185 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
7189 ntd->sd_len = tvb_get_letohl(tvb, offset);
7190 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7194 ntd->ea_len = tvb_get_letohl(tvb, offset);
7195 proto_tree_add_uint(tree, hf_smb_ea_length, tvb, offset, 4, ntd->ea_len);
7199 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7200 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7203 /* impersonation level */
7204 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
7207 /* security flags */
7208 offset = dissect_nt_security_flags(tvb, pinfo, tree, offset);
7212 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, &bc);
7214 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7216 COUNT_BYTES(fn_len);
7220 case NT_TRANS_IOCTL:
7222 case NT_TRANS_SSD: {
7226 fid = tvb_get_letohs(tvb, offset);
7227 add_fid(tvb, pinfo, tree, offset, 2, fid);
7230 /* 2 reserved bytes */
7231 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7234 /* security information */
7235 offset = dissect_security_information_mask(tvb, pinfo, tree, offset);
7238 case NT_TRANS_NOTIFY:
7240 case NT_TRANS_RENAME:
7241 /* XXX not documented */
7243 case NT_TRANS_QSD: {
7247 fid = tvb_get_letohs(tvb, offset);
7248 add_fid(tvb, pinfo, tree, offset, 2, fid);
7251 /* 2 reserved bytes */
7252 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7255 /* security information */
7256 offset = dissect_security_information_mask(tvb, pinfo, tree, offset);
7259 case NT_TRANS_GET_USER_QUOTA:
7260 /* not decoded yet */
7262 case NT_TRANS_SET_USER_QUOTA:
7263 /* not decoded yet */
7271 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7273 proto_item *item = NULL;
7274 proto_tree *tree = NULL;
7276 int old_offset = offset;
7278 si = (smb_info_t *)pinfo->private_data;
7281 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7283 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7284 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7287 switch(ntd->subcmd){
7288 case NT_TRANS_CREATE:
7290 case NT_TRANS_IOCTL: {
7294 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
7298 fid = tvb_get_letohs(tvb, offset);
7299 add_fid(tvb, pinfo, tree, offset, 2, fid);
7303 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
7307 offset = dissect_nt_ioctl_flags(tvb, pinfo, tree, offset);
7313 case NT_TRANS_NOTIFY: {
7316 /* completion filter */
7317 offset = dissect_nt_notify_completion_filter(tvb, pinfo, tree, offset);
7320 fid = tvb_get_letohs(tvb, offset);
7321 add_fid(tvb, pinfo, tree, offset, 2, fid);
7325 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
7329 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7334 case NT_TRANS_RENAME:
7335 /* XXX not documented */
7339 case NT_TRANS_GET_USER_QUOTA:
7340 /* not decoded yet */
7342 case NT_TRANS_SET_USER_QUOTA:
7343 /* not decoded yet */
7347 return old_offset+len;
7352 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7355 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
7357 smb_saved_info_t *sip;
7362 smb_nt_transact_info_t *nti;
7364 si = (smb_info_t *)pinfo->private_data;
7370 /* primary request */
7371 /* max setup count */
7372 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
7375 /* 2 reserved bytes */
7376 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7379 /* secondary request */
7380 /* 3 reserved bytes */
7381 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7386 /* total param count */
7387 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
7390 /* total data count */
7391 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
7395 /* primary request */
7396 /* max param count */
7397 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
7400 /* max data count */
7401 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
7406 pc = tvb_get_letohl(tvb, offset);
7407 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7411 po = tvb_get_letohl(tvb, offset);
7412 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7415 /* param displacement */
7417 /* primary request*/
7420 /* secondary request */
7421 pd = tvb_get_letohl(tvb, offset);
7422 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
7427 dc = tvb_get_letohl(tvb, offset);
7428 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7432 od = tvb_get_letohl(tvb, offset);
7433 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7436 /* data displacement */
7438 /* primary request */
7441 /* secondary request */
7442 dd = tvb_get_letohl(tvb, offset);
7443 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7449 /* primary request */
7450 sc = tvb_get_guint8(tvb, offset);
7451 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7454 /* secondary request */
7460 /* primary request */
7461 subcmd = tvb_get_letohs(tvb, offset);
7462 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
7463 if(check_col(pinfo->cinfo, COL_INFO)){
7464 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7465 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
7467 ntd.subcmd = subcmd;
7469 if(!pinfo->fd->flags.visited){
7471 * Allocate a new smb_nt_transact_info_t
7474 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
7475 nti->subcmd = subcmd;
7476 sip->extra_info = nti;
7480 /* secondary request */
7481 if(check_col(pinfo->cinfo, COL_INFO)){
7482 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
7487 /* this is a padding byte */
7490 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
7494 /* if there were any setup bytes, decode them */
7496 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
7503 if(po>(guint32)offset){
7504 /* We have some initial padding bytes.
7509 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7510 COUNT_BYTES(padcnt);
7513 CHECK_BYTE_COUNT(pc);
7514 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
7519 if(od>(guint32)offset){
7520 /* We have some initial padding bytes.
7525 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7526 COUNT_BYTES(padcnt);
7529 CHECK_BYTE_COUNT(dc);
7530 dissect_nt_trans_data_request(tvb, pinfo, offset, tree, dc, &ntd);
7542 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7544 proto_item *item = NULL;
7545 proto_tree *tree = NULL;
7547 smb_nt_transact_info_t *nti;
7550 si = (smb_info_t *)pinfo->private_data;
7551 if (si->sip != NULL)
7552 nti = si->sip->extra_info;
7558 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7560 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7563 * We never saw the request to which this is a
7566 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7567 "Unknown NT Transaction Data (matching request not seen)");
7569 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7576 switch(nti->subcmd){
7577 case NT_TRANS_CREATE:
7579 case NT_TRANS_IOCTL:
7581 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
7587 case NT_TRANS_NOTIFY:
7589 case NT_TRANS_RENAME:
7590 /* XXX not documented */
7594 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
7595 * which may be documented in the Win32 documentation
7598 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, len);
7600 case NT_TRANS_GET_USER_QUOTA:
7602 offset = dissect_nt_user_quota(tvb, pinfo, tree, offset, &bcp);
7604 case NT_TRANS_SET_USER_QUOTA:
7605 /* not decoded yet */
7613 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7615 proto_item *item = NULL;
7616 proto_tree *tree = NULL;
7620 smb_nt_transact_info_t *nti;
7623 si = (smb_info_t *)pinfo->private_data;
7624 if (si->sip != NULL)
7625 nti = si->sip->extra_info;
7631 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7633 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7636 * We never saw the request to which this is a
7639 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7640 "Unknown NT Transaction Parameters (matching request not seen)");
7642 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7649 switch(nti->subcmd){
7650 case NT_TRANS_CREATE:
7652 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
7656 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7660 fid = tvb_get_letohs(tvb, offset);
7661 add_fid(tvb, pinfo, tree, offset, 2, fid);
7665 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
7668 /* ea error offset */
7669 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
7673 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7674 hf_smb_create_time);
7677 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7678 hf_smb_access_time);
7680 /* last write time */
7681 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7682 hf_smb_last_write_time);
7684 /* last change time */
7685 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7686 hf_smb_change_time);
7688 /* Extended File Attributes */
7689 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
7691 /* allocation size */
7692 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7696 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
7700 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
7704 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
7707 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
7710 case NT_TRANS_IOCTL:
7714 case NT_TRANS_NOTIFY:
7716 /* next entry offset */
7717 proto_tree_add_item(tree, hf_smb_next_entry_offset, tvb, offset, 4, TRUE);
7720 /* broken implementations */
7724 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
7727 /* broken implementations */
7731 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7732 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7735 /* broken implementations */
7739 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, &bc);
7742 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7744 COUNT_BYTES(fn_len);
7746 /* broken implementations */
7751 case NT_TRANS_RENAME:
7752 /* XXX not documented */
7756 * This appears to be the size of the security
7757 * descriptor; the calling sequence of
7758 * "ZwQuerySecurityObject()" suggests that it would
7759 * be. The actual security descriptor wouldn't
7760 * follow if the max data count in the request
7761 * was smaller; this lets the client know how
7762 * big a buffer it needs to provide.
7764 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
7767 case NT_TRANS_GET_USER_QUOTA:
7768 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
7769 tvb_get_letohl(tvb, offset));
7772 case NT_TRANS_SET_USER_QUOTA:
7773 /* not decoded yet */
7781 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7783 proto_item *item = NULL;
7784 proto_tree *tree = NULL;
7786 smb_nt_transact_info_t *nti;
7788 si = (smb_info_t *)pinfo->private_data;
7789 if (si->sip != NULL)
7790 nti = si->sip->extra_info;
7796 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7798 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7801 * We never saw the request to which this is a
7804 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7805 "Unknown NT Transaction Setup (matching request not seen)");
7807 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7814 switch(nti->subcmd){
7815 case NT_TRANS_CREATE:
7817 case NT_TRANS_IOCTL:
7821 case NT_TRANS_NOTIFY:
7823 case NT_TRANS_RENAME:
7824 /* XXX not documented */
7828 case NT_TRANS_GET_USER_QUOTA:
7829 /* not decoded yet */
7831 case NT_TRANS_SET_USER_QUOTA:
7832 /* not decoded yet */
7840 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7843 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
7846 smb_nt_transact_info_t *nti;
7847 static nt_trans_data ntd;
7850 fragment_data *r_fd = NULL;
7851 tvbuff_t *pd_tvb=NULL;
7852 gboolean save_fragmented;
7854 si = (smb_info_t *)pinfo->private_data;
7855 if (si->sip != NULL)
7856 nti = si->sip->extra_info;
7860 /* primary request */
7862 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
7863 if(check_col(pinfo->cinfo, COL_INFO)){
7864 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7865 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
7868 proto_tree_add_text(tree, tvb, offset, 0,
7869 "Function: <unknown function - could not find matching request>");
7870 if(check_col(pinfo->cinfo, COL_INFO)){
7871 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
7877 /* 3 reserved bytes */
7878 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7881 /* total param count */
7882 tp = tvb_get_letohl(tvb, offset);
7883 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
7886 /* total data count */
7887 td = tvb_get_letohl(tvb, offset);
7888 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
7892 pc = tvb_get_letohl(tvb, offset);
7893 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7897 po = tvb_get_letohl(tvb, offset);
7898 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7901 /* param displacement */
7902 pd = tvb_get_letohl(tvb, offset);
7903 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
7907 dc = tvb_get_letohl(tvb, offset);
7908 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7912 od = tvb_get_letohl(tvb, offset);
7913 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7916 /* data displacement */
7917 dd = tvb_get_letohl(tvb, offset);
7918 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7922 sc = tvb_get_guint8(tvb, offset);
7923 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7928 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
7934 /* reassembly of SMB NT Transaction data payload.
7935 In this section we do reassembly of both the data and parameters
7936 blocks of the SMB transaction command.
7938 save_fragmented = pinfo->fragmented;
7939 /* do we need reassembly? */
7940 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
7941 /* oh yeah, either data or parameter section needs
7944 pinfo->fragmented = TRUE;
7945 if(smb_trans_reassembly){
7946 /* ...and we were told to do reassembly */
7947 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
7948 r_fd = smb_trans_defragment(tree, pinfo, tvb,
7952 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
7953 r_fd = smb_trans_defragment(tree, pinfo, tvb,
7954 od, dc, dd+tp, td+tp);
7959 /* if we got a reassembled fd structure from the reassembly routine we
7960 must create pd_tvb from it
7967 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
7969 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
7970 add_new_data_source(pinfo->fd, pd_tvb, "Reassembled SMB");
7971 pinfo->fragmented = FALSE;
7973 it = proto_tree_add_text(tree, pd_tvb, 0, -1, "Fragments");
7974 tr = proto_item_add_subtree(it, ett_smb_segments);
7975 for(fd=r_fd->next;fd;fd=fd->next){
7976 proto_tree_add_text(tr, pd_tvb, fd->offset, fd->len,
7977 "Frame:%u Data:%u-%u",
7978 fd->frame, fd->offset,
7979 fd->offset+fd->len-1);
7985 /* we have reassembled data, grab param and data from there */
7986 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
7987 &ntd, tvb_length(pd_tvb));
7988 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
7990 /* we do not have reassembled data, just use what we have in the
7991 packet as well as we can */
7993 if(po>(guint32)offset){
7994 /* We have some initial padding bytes.
7999 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8000 COUNT_BYTES(padcnt);
8003 CHECK_BYTE_COUNT(pc);
8004 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8009 if(od>(guint32)offset){
8010 /* We have some initial padding bytes.
8015 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8016 COUNT_BYTES(padcnt);
8019 CHECK_BYTE_COUNT(dc);
8020 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8024 pinfo->fragmented = save_fragmented;
8031 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8032 NT Transaction command ends here
8033 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8035 static const value_string print_mode_vals[] = {
8037 {1, "Graphics Mode"},
8042 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8052 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8056 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8062 CHECK_BYTE_COUNT(1);
8063 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8066 /* print identifier */
8067 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, FALSE, &bc);
8070 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8072 COUNT_BYTES(fn_len);
8081 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8090 fid = tvb_get_letohs(tvb, offset);
8091 add_fid(tvb, pinfo, tree, offset, 2, fid);
8097 CHECK_BYTE_COUNT(1);
8098 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8102 CHECK_BYTE_COUNT(2);
8103 cnt = tvb_get_letohs(tvb, offset);
8104 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
8108 offset = dissect_file_data(tvb, pinfo, tree, offset, cnt, cnt);
8116 static const value_string print_status_vals[] = {
8117 {1, "Held or Stopped"},
8119 {3, "Awaiting print"},
8120 {4, "In intercept"},
8121 {5, "File had error"},
8122 {6, "Printer error"},
8127 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8135 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8139 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
8150 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8151 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8153 proto_item *item = NULL;
8154 proto_tree *tree = NULL;
8159 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8161 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
8165 CHECK_BYTE_COUNT_SUBR(4);
8166 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
8167 hf_smb_print_queue_date,
8168 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8172 CHECK_BYTE_COUNT_SUBR(1);
8173 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8174 COUNT_BYTES_SUBR(1);
8176 /* spool file number */
8177 CHECK_BYTE_COUNT_SUBR(2);
8178 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
8179 COUNT_BYTES_SUBR(2);
8181 /* spool file size */
8182 CHECK_BYTE_COUNT_SUBR(4);
8183 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
8184 COUNT_BYTES_SUBR(4);
8187 CHECK_BYTE_COUNT_SUBR(1);
8188 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8189 COUNT_BYTES_SUBR(1);
8193 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, bcp);
8194 CHECK_STRING_SUBR(fn);
8195 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
8197 COUNT_BYTES_SUBR(fn_len);
8204 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8214 cnt = tvb_get_letohs(tvb, offset);
8215 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
8219 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
8225 CHECK_BYTE_COUNT(1);
8226 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8230 CHECK_BYTE_COUNT(2);
8231 len = tvb_get_letohs(tvb, offset);
8232 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
8235 /* queue elements */
8237 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
8250 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8252 guint8 wc, cmd=0xff;
8253 guint16 andxoffset=0;
8260 /* next smb command */
8261 cmd = tvb_get_guint8(tvb, offset);
8263 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8265 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
8270 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8274 andxoffset = tvb_get_letohs(tvb, offset);
8275 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8279 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8283 fn_len = tvb_get_letohs(tvb, offset);
8284 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
8288 offset = dissect_nt_create_bits(tvb, pinfo, tree, offset);
8290 /* root directory fid */
8291 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8294 /* nt access mask */
8295 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
8297 /* allocation size */
8298 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8301 /* Extended File Attributes */
8302 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
8305 offset = dissect_nt_share_access(tvb, pinfo, tree, offset);
8307 /* create disposition */
8308 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8311 /* create options */
8312 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
8314 /* impersonation level */
8315 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8318 /* security flags */
8319 offset = dissect_nt_security_flags(tvb, pinfo, tree, offset);
8324 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8327 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8329 COUNT_BYTES(fn_len);
8331 if (check_col(pinfo->cinfo, COL_INFO)) {
8332 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
8337 /* call AndXCommand (if there are any) */
8338 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
8345 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8347 guint8 wc, cmd=0xff;
8348 guint16 andxoffset=0;
8354 /* next smb command */
8355 cmd = tvb_get_guint8(tvb, offset);
8357 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8359 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
8364 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8368 andxoffset = tvb_get_letohs(tvb, offset);
8369 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8373 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8377 fid = tvb_get_letohs(tvb, offset);
8378 add_fid(tvb, pinfo, tree, offset, 2, fid);
8382 /*XXX is this really the same as create disposition in the request? it looks so*/
8383 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8387 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8388 hf_smb_create_time);
8391 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8392 hf_smb_access_time);
8394 /* last write time */
8395 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8396 hf_smb_last_write_time);
8398 /* last change time */
8399 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8400 hf_smb_change_time);
8402 /* Extended File Attributes */
8403 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
8405 /* allocation size */
8406 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8410 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8414 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8418 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
8421 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8428 /* call AndXCommand (if there are any) */
8429 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
8436 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8450 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8451 BEGIN Transaction/Transaction2 Primary and secondary requests
8452 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8455 static const value_string trans2_cmd_vals[] = {
8457 { 0x01, "FIND_FIRST2" },
8458 { 0x02, "FIND_NEXT2" },
8459 { 0x03, "QUERY_FS_INFORMATION" },
8460 { 0x04, "SET_FS_QUOTA" },
8461 { 0x05, "QUERY_PATH_INFORMATION" },
8462 { 0x06, "SET_PATH_INFORMATION" },
8463 { 0x07, "QUERY_FILE_INFORMATION" },
8464 { 0x08, "SET_FILE_INFORMATION" },
8467 { 0x0B, "FIND_NOTIFY_FIRST" },
8468 { 0x0C, "FIND_NOTIFY_NEXT" },
8469 { 0x0D, "CREATE_DIRECTORY" },
8470 { 0x0E, "SESSION_SETUP" },
8471 { 0x10, "GET_DFS_REFERRAL" },
8472 { 0x11, "REPORT_DFS_INCONSISTENCY" },
8476 static const true_false_string tfs_tf_dtid = {
8477 "Also DISCONNECT TID",
8478 "Do NOT disconnect TID"
8480 static const true_false_string tfs_tf_owt = {
8481 "One Way Transaction (NO RESPONSE)",
8482 "Two way transaction"
8485 static const true_false_string tfs_ff2_backup = {
8486 "Find WITH backup intent",
8489 static const true_false_string tfs_ff2_continue = {
8490 "CONTINUE search from previous position",
8491 "New search, do NOT continue from previous position"
8493 static const true_false_string tfs_ff2_resume = {
8494 "Return RESUME keys",
8495 "Do NOT return resume keys"
8497 static const true_false_string tfs_ff2_close_eos = {
8498 "CLOSE search if END OF SEARCH is reached",
8499 "Do NOT close search if end of search reached"
8501 static const true_false_string tfs_ff2_close = {
8502 "CLOSE search after this request",
8503 "Do NOT close search after this request"
8509 static const value_string ff2_il_vals[] = {
8510 { 1, "Info Standard (4.3.4.1)"},
8511 { 2, "Info Query EA Size (4.3.4.2)"},
8512 { 3, "Info Query EAs From List (4.3.4.2)"},
8513 { 0x0101, "Find File Directory Info (4.3.4.4)"},
8514 { 0x0102, "Find File Full Directory Info (4.3.4.5)"},
8515 { 0x0103, "Find File Names Info (4.3.4.7)"},
8516 { 0x0104, "Find File Both Directory Info (4.3.4.6)"},
8517 { 0x0202, "Find File UNIX (4.3.4.8)"},
8522 TRANS2_QUERY_PATH_INFORMATION
8523 TRANS2_SET_PATH_INFORMATION
8525 static const value_string qpi_loi_vals[] = {
8526 { 1, "Info Standard (4.2.14.1)"},
8527 { 2, "Info Query EA Size (4.2.14.1)"},
8528 { 3, "Info Query EAs From List (4.2.14.2)"},
8529 { 4, "Info Query All EAs (4.2.14.2)"},
8530 { 6, "Info Is Name Valid (4.2.14.3)"},
8531 { 0x0101, "Query File Basic Info (4.2.14.4)"},
8532 { 0x0102, "Query File Standard Info (4.2.14.5)"},
8533 { 0x0103, "Query File EA Info (4.2.14.6)"},
8534 { 0x0104, "Query File Name Info (4.2.14.7)"},
8535 { 0x0107, "Query File All Info (4.2.14.8)"},
8536 { 0x0108, "Query File Alt File Info (4.2.14.7)"},
8537 { 0x0109, "Query File Stream Info (4.2.14.10)"},
8538 { 0x010b, "Query File Compression Info (4.2.14.11)"},
8539 { 0x0200, "Set File Unix Basic"},
8540 { 0x0201, "Set File Unix Link"},
8541 { 0x0202, "Set File Unix HardLink"},
8545 static const value_string qfsi_vals[] = {
8546 { 1, "Info Allocation"},
8547 { 2, "Info Volume"},
8548 { 0x0102, "Query FS Volume Info"},
8549 { 0x0103, "Query FS Size Info"},
8550 { 0x0104, "Query FS Device Info"},
8551 { 0x0105, "Query FS Attribute Info"},
8552 { 1006, "Query FS Quota Info"},
8556 static const value_string delete_pending_vals[] = {
8557 {0, "Normal, no pending delete"},
8558 {1, "This object has DELETE PENDING"},
8562 static const value_string alignment_vals[] = {
8563 {0, "Byte alignment"},
8564 {1, "Word (16bit) alignment"},
8565 {3, "Long (32bit) alignment"},
8566 {7, "8 byte boundary alignment"},
8567 {0x0f, "16 byte boundary alignment"},
8568 {0x1f, "32 byte boundary alignment"},
8569 {0x3f, "64 byte boundary alignment"},
8570 {0x7f, "128 byte boundary alignment"},
8571 {0xff, "256 byte boundary alignment"},
8572 {0x1ff, "512 byte boundary alignment"},
8577 static const true_false_string tfs_get_dfs_server_hold_storage = {
8578 "Referral SERVER HOLDS STORAGE for the file",
8579 "Referral server does NOT hold storage for the file"
8581 static const true_false_string tfs_get_dfs_fielding = {
8582 "The server in referral is FIELDING CAPABLE",
8583 "The server in referrals is NOT fielding capable"
8586 static const true_false_string tfs_dfs_referral_flags_strip = {
8587 "STRIP off pathconsumed characters before submitting",
8588 "Do NOT strip off any characters"
8591 static const value_string dfs_referral_server_type_vals[] = {
8594 {2, "Netware Server"},
8595 {3, "Domain Server"},
8600 static const true_false_string tfs_device_char_removable = {
8601 "This is a REMOVABLE device",
8602 "This is NOT a removable device"
8604 static const true_false_string tfs_device_char_read_only = {
8605 "This is a READ-ONLY device",
8606 "This is NOT a read-only device"
8608 static const true_false_string tfs_device_char_floppy = {
8609 "This is a FLOPPY DISK device",
8610 "This is NOT a floppy disk device"
8612 static const true_false_string tfs_device_char_write_once = {
8613 "This is a WRITE-ONCE device",
8614 "This is NOT a write-once device"
8616 static const true_false_string tfs_device_char_remote = {
8617 "This is a REMOTE device",
8618 "This is NOT a remote device"
8620 static const true_false_string tfs_device_char_mounted = {
8621 "This device is MOUNTED",
8622 "This device is NOT mounted"
8624 static const true_false_string tfs_device_char_virtual = {
8625 "This is a VIRTUAL device",
8626 "This is NOT a virtual device"
8630 static const true_false_string tfs_fs_attr_css = {
8631 "This FS supports CASE SENSITIVE SEARCHes",
8632 "This FS does NOT support case sensitive searches"
8634 static const true_false_string tfs_fs_attr_cpn = {
8635 "This FS supports CASE PRESERVED NAMES",
8636 "This FS does NOT support case preserved names"
8638 static const true_false_string tfs_fs_attr_pacls = {
8639 "This FS supports PERSISTENT ACLs",
8640 "This FS does NOT support persistent acls"
8642 static const true_false_string tfs_fs_attr_fc = {
8643 "This FS supports COMPRESSED FILES",
8644 "This FS does NOT support compressed files"
8646 static const true_false_string tfs_fs_attr_vq = {
8647 "This FS supports VOLUME QUOTAS",
8648 "This FS does NOT support volume quotas"
8650 static const true_false_string tfs_fs_attr_dim = {
8651 "This FS is on a MOUNTED DEVICE",
8652 "This FS is NOT on a mounted device"
8654 static const true_false_string tfs_fs_attr_vic = {
8655 "This FS is on a COMPRESSED VOLUME",
8656 "This FS is NOT on a compressed volume"
8662 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
8665 proto_item *item = NULL;
8666 proto_tree *tree = NULL;
8668 mask = tvb_get_letohs(tvb, offset);
8671 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
8672 "Flags: 0x%04x", mask);
8673 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
8676 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
8677 tvb, offset, 2, mask);
8678 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
8679 tvb, offset, 2, mask);
8680 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
8681 tvb, offset, 2, mask);
8682 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
8683 tvb, offset, 2, mask);
8684 proto_tree_add_boolean(tree, hf_smb_ff2_close,
8685 tvb, offset, 2, mask);
8693 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
8694 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
8696 proto_item *item = NULL;
8697 proto_tree *tree = NULL;
8699 smb_transact2_info_t *t2i;
8702 int old_offset = offset;
8704 si = (smb_info_t *)pinfo->private_data;
8705 if (si->sip != NULL)
8706 t2i = si->sip->extra_info;
8711 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
8713 val_to_str(subcmd, trans2_cmd_vals,
8714 "Unknown (0x%02x)"));
8715 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
8719 case 0x00: /*TRANS2_OPEN2*/
8721 CHECK_BYTE_COUNT_TRANS(2);
8722 offset = dissect_open_flags(tvb, pinfo, tree, offset, 0x000f);
8725 /* desired access */
8726 CHECK_BYTE_COUNT_TRANS(2);
8727 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
8730 /* 2 reserved bytes */
8731 CHECK_BYTE_COUNT_TRANS(2);
8732 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8733 COUNT_BYTES_TRANS(2);
8735 /* File Attributes */
8736 CHECK_BYTE_COUNT_TRANS(2);
8737 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
8741 CHECK_BYTE_COUNT_TRANS(4);
8742 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
8744 hf_smb_create_dos_date, hf_smb_create_dos_time,
8749 CHECK_BYTE_COUNT_TRANS(2);
8750 offset = dissect_open_function(tvb, pinfo, tree, offset);
8753 /* allocation size */
8754 CHECK_BYTE_COUNT_TRANS(4);
8755 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
8756 COUNT_BYTES_TRANS(4);
8758 /* 10 reserved bytes */
8759 CHECK_BYTE_COUNT_TRANS(10);
8760 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
8761 COUNT_BYTES_TRANS(10);
8764 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8765 CHECK_STRING_TRANS(fn);
8766 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8768 COUNT_BYTES_TRANS(fn_len);
8770 if (check_col(pinfo->cinfo, COL_INFO)) {
8771 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8775 /* XXX dont know how to decode FEAList */
8777 case 0x01: /*TRANS2_FIND_FIRST2*/
8778 /* Search Attributes */
8779 CHECK_BYTE_COUNT_TRANS(2);
8780 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
8784 CHECK_BYTE_COUNT_TRANS(2);
8785 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
8786 COUNT_BYTES_TRANS(2);
8788 /* Find First2 flags */
8789 CHECK_BYTE_COUNT_TRANS(2);
8790 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
8793 /* Find First2 information level */
8794 CHECK_BYTE_COUNT_TRANS(2);
8795 si->info_level = tvb_get_letohs(tvb, offset);
8796 if (!pinfo->fd->flags.visited)
8797 t2i->info_level = si->info_level;
8798 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
8799 COUNT_BYTES_TRANS(2);
8802 CHECK_BYTE_COUNT_TRANS(4);
8803 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
8804 COUNT_BYTES_TRANS(4);
8806 /* search pattern */
8807 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8808 CHECK_STRING_TRANS(fn);
8809 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
8811 COUNT_BYTES_TRANS(fn_len);
8813 if (check_col(pinfo->cinfo, COL_INFO)) {
8814 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
8818 /* XXX dont know how to decode FEAList */
8821 case 0x02: /*TRANS2_FIND_NEXT2*/
8823 CHECK_BYTE_COUNT_TRANS(2);
8824 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
8825 COUNT_BYTES_TRANS(2);
8828 CHECK_BYTE_COUNT_TRANS(2);
8829 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
8830 COUNT_BYTES_TRANS(2);
8832 /* Find First2 information level */
8833 CHECK_BYTE_COUNT_TRANS(2);
8834 si->info_level = tvb_get_letohs(tvb, offset);
8835 if (!pinfo->fd->flags.visited)
8836 t2i->info_level = si->info_level;
8837 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
8838 COUNT_BYTES_TRANS(2);
8841 CHECK_BYTE_COUNT_TRANS(4);
8842 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
8843 COUNT_BYTES_TRANS(4);
8845 /* Find First2 flags */
8846 CHECK_BYTE_COUNT_TRANS(2);
8847 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
8851 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8852 CHECK_STRING_TRANS(fn);
8853 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8855 COUNT_BYTES_TRANS(fn_len);
8857 if (check_col(pinfo->cinfo, COL_INFO)) {
8858 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
8863 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
8864 /* level of interest */
8865 CHECK_BYTE_COUNT_TRANS(2);
8866 si->info_level = tvb_get_letohs(tvb, offset);
8867 if (!pinfo->fd->flags.visited)
8868 t2i->info_level = si->info_level;
8869 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
8870 COUNT_BYTES_TRANS(2);
8873 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
8874 /* level of interest */
8875 CHECK_BYTE_COUNT_TRANS(2);
8876 si->info_level = tvb_get_letohs(tvb, offset);
8877 if (!pinfo->fd->flags.visited)
8878 t2i->info_level = si->info_level;
8879 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8880 COUNT_BYTES_TRANS(2);
8882 /* 4 reserved bytes */
8883 CHECK_BYTE_COUNT_TRANS(4);
8884 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
8885 COUNT_BYTES_TRANS(4);
8888 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8889 CHECK_STRING_TRANS(fn);
8890 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8892 COUNT_BYTES_TRANS(fn_len);
8894 if (check_col(pinfo->cinfo, COL_INFO)) {
8895 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8900 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
8901 /* level of interest */
8902 CHECK_BYTE_COUNT_TRANS(2);
8903 si->info_level = tvb_get_letohs(tvb, offset);
8904 if (!pinfo->fd->flags.visited)
8905 t2i->info_level = si->info_level;
8906 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8907 COUNT_BYTES_TRANS(2);
8909 /* 4 reserved bytes */
8910 CHECK_BYTE_COUNT_TRANS(4);
8911 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
8912 COUNT_BYTES_TRANS(4);
8915 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8916 CHECK_STRING_TRANS(fn);
8917 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8919 COUNT_BYTES_TRANS(fn_len);
8921 if (check_col(pinfo->cinfo, COL_INFO)) {
8922 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8927 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
8931 CHECK_BYTE_COUNT_TRANS(2);
8932 fid = tvb_get_letohs(tvb, offset);
8933 add_fid(tvb, pinfo, tree, offset, 2, fid);
8934 COUNT_BYTES_TRANS(2);
8936 /* level of interest */
8937 CHECK_BYTE_COUNT_TRANS(2);
8938 si->info_level = tvb_get_letohs(tvb, offset);
8939 if (!pinfo->fd->flags.visited)
8940 t2i->info_level = si->info_level;
8941 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8942 COUNT_BYTES_TRANS(2);
8946 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
8950 CHECK_BYTE_COUNT_TRANS(2);
8951 fid = tvb_get_letohs(tvb, offset);
8952 add_fid(tvb, pinfo, tree, offset, 2, fid);
8953 COUNT_BYTES_TRANS(2);
8955 /* level of interest */
8956 CHECK_BYTE_COUNT_TRANS(2);
8957 si->info_level = tvb_get_letohs(tvb, offset);
8958 if (!pinfo->fd->flags.visited)
8959 t2i->info_level = si->info_level;
8960 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8961 COUNT_BYTES_TRANS(2);
8963 /* 2 reserved bytes */
8964 CHECK_BYTE_COUNT_TRANS(2);
8965 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8966 COUNT_BYTES_TRANS(2);
8970 case 0x09: /*TRANS2_FSCTL*/
8971 case 0x0a: /*TRANS2_IOCTL2*/
8972 /* these calls have no parameter block in the request */
8974 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
8975 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
8976 /* XXX unknown structure*/
8978 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
8979 /* 4 reserved bytes */
8980 CHECK_BYTE_COUNT_TRANS(4);
8981 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
8982 COUNT_BYTES_TRANS(4);
8985 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
8987 CHECK_STRING_TRANS(fn);
8988 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
8990 COUNT_BYTES_TRANS(fn_len);
8992 if (check_col(pinfo->cinfo, COL_INFO)) {
8993 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
8997 /* XXX optional FEAList, unknown what FEAList looks like*/
8999 case 0x0e: /*TRANS2_SESSION_SETUP*/
9000 /* XXX unknown structure*/
9002 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
9003 /* referral level */
9004 CHECK_BYTE_COUNT_TRANS(2);
9005 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
9006 COUNT_BYTES_TRANS(2);
9009 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9010 CHECK_STRING_TRANS(fn);
9011 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9013 COUNT_BYTES_TRANS(fn_len);
9015 if (check_col(pinfo->cinfo, COL_INFO)) {
9016 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9021 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
9023 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9024 CHECK_STRING_TRANS(fn);
9025 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9027 COUNT_BYTES_TRANS(fn_len);
9029 if (check_col(pinfo->cinfo, COL_INFO)) {
9030 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9037 /* ooops there were data we didnt know how to process */
9038 if((offset-old_offset) < bc){
9039 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
9040 bc - (offset-old_offset), TRUE);
9041 offset += bc - (offset-old_offset);
9048 * XXX - just use "dissect_connect_flags()" here?
9051 dissect_transaction_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9054 proto_item *item = NULL;
9055 proto_tree *tree = NULL;
9057 mask = tvb_get_letohs(tvb, offset);
9060 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9061 "Flags: 0x%04x", mask);
9062 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
9065 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
9066 tvb, offset, 2, mask);
9067 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
9068 tvb, offset, 2, mask);
9075 dissect_get_dfs_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9078 proto_item *item = NULL;
9079 proto_tree *tree = NULL;
9081 mask = tvb_get_letohs(tvb, offset);
9084 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9085 "Flags: 0x%04x", mask);
9086 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
9089 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
9090 tvb, offset, 2, mask);
9091 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
9092 tvb, offset, 2, mask);
9099 dissect_dfs_referral_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9102 proto_item *item = NULL;
9103 proto_tree *tree = NULL;
9105 mask = tvb_get_letohs(tvb, offset);
9108 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9109 "Flags: 0x%04x", mask);
9110 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
9113 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
9114 tvb, offset, 2, mask);
9122 /* dfs inconsistency data (4.4.2)
9125 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
9126 proto_tree *tree, int offset, guint16 *bcp)
9131 /*XXX shouldn this data hold version and size? unclear from doc*/
9132 /* referral version */
9133 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9134 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
9135 COUNT_BYTES_TRANS_SUBR(2);
9138 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9139 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
9140 COUNT_BYTES_TRANS_SUBR(2);
9142 /* referral server type */
9143 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9144 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9145 COUNT_BYTES_TRANS_SUBR(2);
9147 /* referral flags */
9148 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9149 offset = dissect_dfs_referral_flags(tvb, pinfo, tree, offset);
9153 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9154 CHECK_STRING_TRANS_SUBR(fn);
9155 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9157 COUNT_BYTES_TRANS_SUBR(fn_len);
9162 /* get dfs referral data (4.4.1)
9165 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
9166 proto_tree *tree, int offset, guint16 *bcp)
9171 guint16 altpathoffset;
9183 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9184 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
9185 COUNT_BYTES_TRANS_SUBR(2);
9188 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9189 numref = tvb_get_letohs(tvb, offset);
9190 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
9191 COUNT_BYTES_TRANS_SUBR(2);
9194 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9195 offset = dissect_get_dfs_flags(tvb, pinfo, tree, offset);
9198 /* XXX - in at least one capture there appears to be 2 bytes
9199 of stuff after the Dfs flags, perhaps so that the header
9200 in front of the referral list is a multiple of 4 bytes long. */
9201 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9202 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
9203 COUNT_BYTES_TRANS_SUBR(2);
9205 /* if there are any referrals */
9207 proto_item *ref_item = NULL;
9208 proto_tree *ref_tree = NULL;
9209 int old_offset=offset;
9212 ref_item = proto_tree_add_text(tree,
9213 tvb, offset, *bcp, "Referrals");
9214 ref_tree = proto_item_add_subtree(ref_item,
9215 ett_smb_dfs_referrals);
9220 proto_item *ri = NULL;
9221 proto_tree *rt = NULL;
9222 int old_offset=offset;
9226 ri = proto_tree_add_text(ref_tree,
9227 tvb, offset, *bcp, "Referral");
9228 rt = proto_item_add_subtree(ri,
9229 ett_smb_dfs_referral);
9232 /* referral version */
9233 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9234 version = tvb_get_letohs(tvb, offset);
9235 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
9236 tvb, offset, 2, version);
9237 COUNT_BYTES_TRANS_SUBR(2);
9240 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9241 refsize = tvb_get_letohs(tvb, offset);
9242 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
9243 COUNT_BYTES_TRANS_SUBR(2);
9245 /* referral server type */
9246 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9247 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9248 COUNT_BYTES_TRANS_SUBR(2);
9250 /* referral flags */
9251 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9252 offset = dissect_dfs_referral_flags(tvb, pinfo, rt, offset);
9259 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9260 CHECK_STRING_TRANS_SUBR(fn);
9261 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9263 COUNT_BYTES_TRANS_SUBR(fn_len);
9267 case 3: /* XXX - like version 2, but not identical;
9268 seen in a capture, but the format isn't
9271 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9272 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
9273 COUNT_BYTES_TRANS_SUBR(2);
9276 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9277 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
9278 COUNT_BYTES_TRANS_SUBR(2);
9281 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9282 pathoffset = tvb_get_letohs(tvb, offset);
9283 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
9284 COUNT_BYTES_TRANS_SUBR(2);
9286 /* alt path offset */
9287 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9288 altpathoffset = tvb_get_letohs(tvb, offset);
9289 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
9290 COUNT_BYTES_TRANS_SUBR(2);
9293 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9294 nodeoffset = tvb_get_letohs(tvb, offset);
9295 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
9296 COUNT_BYTES_TRANS_SUBR(2);
9299 if (pathoffset != 0) {
9300 stroffset = old_offset + pathoffset;
9301 offsetoffset = stroffset - offset;
9302 if (offsetoffset > 0 &&
9303 *bcp > offsetoffset) {
9305 *bcp -= offsetoffset;
9306 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9307 CHECK_STRING_TRANS_SUBR(fn);
9308 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
9310 stroffset += fn_len;
9311 if (ucstring_end < stroffset)
9312 ucstring_end = stroffset;
9318 if (altpathoffset != 0) {
9319 stroffset = old_offset + altpathoffset;
9320 offsetoffset = stroffset - offset;
9321 if (offsetoffset > 0 &&
9322 *bcp > offsetoffset) {
9324 *bcp -= offsetoffset;
9325 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9326 CHECK_STRING_TRANS_SUBR(fn);
9327 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
9329 stroffset += fn_len;
9330 if (ucstring_end < stroffset)
9331 ucstring_end = stroffset;
9337 if (nodeoffset != 0) {
9338 stroffset = old_offset + nodeoffset;
9339 offsetoffset = stroffset - offset;
9340 if (offsetoffset > 0 &&
9341 *bcp > offsetoffset) {
9343 *bcp -= offsetoffset;
9344 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9345 CHECK_STRING_TRANS_SUBR(fn);
9346 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
9348 stroffset += fn_len;
9349 if (ucstring_end < stroffset)
9350 ucstring_end = stroffset;
9358 * Show anything beyond the length of the referral
9361 unklen = (old_offset + refsize) - offset;
9364 * XXX - the length is bogus.
9369 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
9370 proto_tree_add_item(rt, hf_smb_unknown, tvb,
9371 offset, unklen, TRUE);
9372 COUNT_BYTES_TRANS_SUBR(unklen);
9375 proto_item_set_len(ri, offset-old_offset);
9379 * Treat the offset past the end of the last Unicode
9380 * string after the referrals (if any) as the last
9383 if (ucstring_end > offset) {
9384 ucstring_len = ucstring_end - offset;
9385 if (*bcp < ucstring_len)
9386 ucstring_len = *bcp;
9387 offset += ucstring_len;
9388 *bcp -= ucstring_len;
9390 proto_item_set_len(ref_item, offset-old_offset);
9397 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
9398 as described in 4.2.14.1
9401 dissect_4_2_14_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9402 int offset, guint16 *bcp, gboolean *trunc)
9405 CHECK_BYTE_COUNT_SUBR(4);
9406 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9407 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
9412 CHECK_BYTE_COUNT_SUBR(4);
9413 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9414 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
9418 /* last write time */
9419 CHECK_BYTE_COUNT_SUBR(4);
9420 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9421 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
9426 CHECK_BYTE_COUNT_SUBR(4);
9427 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
9428 COUNT_BYTES_SUBR(4);
9430 /* allocation size */
9431 CHECK_BYTE_COUNT_SUBR(4);
9432 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
9433 COUNT_BYTES_SUBR(4);
9435 /* File Attributes */
9436 CHECK_BYTE_COUNT_SUBR(2);
9437 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
9441 CHECK_BYTE_COUNT_SUBR(4);
9442 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
9443 COUNT_BYTES_SUBR(4);
9449 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
9450 as described in 4.2.14.2
9453 dissect_4_2_14_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9454 int offset, guint16 *bcp, gboolean *trunc)
9457 CHECK_BYTE_COUNT_SUBR(4);
9458 proto_tree_add_item(tree, hf_smb_list_length, tvb, offset, 4, TRUE);
9459 COUNT_BYTES_SUBR(4);
9465 /* this dissects the SMB_INFO_IS_NAME_VALID
9466 as described in 4.2.14.3
9469 dissect_4_2_14_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9470 int offset, guint16 *bcp, gboolean *trunc)
9476 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9477 CHECK_STRING_SUBR(fn);
9478 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9480 COUNT_BYTES_SUBR(fn_len);
9486 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
9487 as described in 4.2.14.4
9490 dissect_4_2_14_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9491 int offset, guint16 *bcp, gboolean *trunc)
9494 CHECK_BYTE_COUNT_SUBR(8);
9495 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9496 hf_smb_create_time);
9500 CHECK_BYTE_COUNT_SUBR(8);
9501 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9502 hf_smb_access_time);
9505 /* last write time */
9506 CHECK_BYTE_COUNT_SUBR(8);
9507 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9508 hf_smb_last_write_time);
9511 /* last change time */
9512 CHECK_BYTE_COUNT_SUBR(8);
9513 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9514 hf_smb_change_time);
9517 /* File Attributes */
9518 CHECK_BYTE_COUNT_SUBR(2);
9519 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
9526 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
9527 as described in 4.2.14.5
9530 dissect_4_2_14_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9531 int offset, guint16 *bcp, gboolean *trunc)
9533 /* allocation size */
9534 CHECK_BYTE_COUNT_SUBR(8);
9535 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9536 COUNT_BYTES_SUBR(8);
9539 CHECK_BYTE_COUNT_SUBR(8);
9540 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9541 COUNT_BYTES_SUBR(8);
9543 /* number of links */
9544 CHECK_BYTE_COUNT_SUBR(4);
9545 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
9546 COUNT_BYTES_SUBR(4);
9548 /* delete pending */
9549 CHECK_BYTE_COUNT_SUBR(2);
9550 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 2, TRUE);
9551 COUNT_BYTES_SUBR(2);
9554 CHECK_BYTE_COUNT_SUBR(1);
9555 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9556 COUNT_BYTES_SUBR(1);
9562 /* this dissects the SMB_QUERY_FILE_EA_INFO
9563 as described in 4.2.14.6
9566 dissect_4_2_14_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9567 int offset, guint16 *bcp, gboolean *trunc)
9570 CHECK_BYTE_COUNT_SUBR(4);
9571 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
9572 COUNT_BYTES_SUBR(4);
9578 /* this dissects the SMB_QUERY_FILE_NAME_INFO
9579 as described in 4.2.14.7
9580 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
9581 as described in 4.2.14.9
9584 dissect_4_2_14_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9585 int offset, guint16 *bcp, gboolean *trunc)
9591 CHECK_BYTE_COUNT_SUBR(4);
9592 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
9593 COUNT_BYTES_SUBR(4);
9596 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9597 CHECK_STRING_SUBR(fn);
9598 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9600 COUNT_BYTES_SUBR(fn_len);
9606 /* this dissects the SMB_QUERY_FILE_ALL_INFO
9607 as described in 4.2.14.8
9610 dissect_4_2_14_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9611 int offset, guint16 *bcp, gboolean *trunc)
9614 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, trunc);
9617 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, trunc);
9622 CHECK_BYTE_COUNT_SUBR(8);
9623 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
9624 COUNT_BYTES_SUBR(8);
9626 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
9631 CHECK_BYTE_COUNT_SUBR(4);
9632 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
9633 COUNT_BYTES_SUBR(4);
9636 CHECK_BYTE_COUNT_SUBR(8);
9637 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
9638 COUNT_BYTES_SUBR(8);
9640 /* current offset */
9641 CHECK_BYTE_COUNT_SUBR(8);
9642 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
9643 COUNT_BYTES_SUBR(8);
9646 CHECK_BYTE_COUNT_SUBR(4);
9647 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
9651 CHECK_BYTE_COUNT_SUBR(4);
9652 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
9653 COUNT_BYTES_SUBR(4);
9655 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
9660 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
9661 as described in 4.2.14.10
9664 dissect_4_2_14_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
9665 int offset, guint16 *bcp, gboolean *trunc)
9676 old_offset = offset;
9678 /* next entry offset */
9679 CHECK_BYTE_COUNT_SUBR(4);
9681 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
9682 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
9688 neo = tvb_get_letohl(tvb, offset);
9689 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
9690 COUNT_BYTES_SUBR(4);
9692 /* stream name len */
9693 CHECK_BYTE_COUNT_SUBR(4);
9694 fn_len = tvb_get_letohl(tvb, offset);
9695 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
9696 COUNT_BYTES_SUBR(4);
9699 CHECK_BYTE_COUNT_SUBR(8);
9700 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
9701 COUNT_BYTES_SUBR(8);
9703 /* allocation size */
9704 CHECK_BYTE_COUNT_SUBR(8);
9705 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9706 COUNT_BYTES_SUBR(8);
9709 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
9710 CHECK_STRING_SUBR(fn);
9711 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
9713 COUNT_BYTES_SUBR(fn_len);
9715 proto_item_append_text(item, ": %s", fn);
9716 proto_item_set_len(item, offset-old_offset);
9719 break; /* no more structures */
9721 /* skip to next structure */
9722 padcnt = (old_offset + neo) - offset;
9725 * XXX - this is bogus; flag it?
9730 CHECK_BYTE_COUNT_SUBR(padcnt);
9731 COUNT_BYTES_SUBR(padcnt);
9739 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
9740 as described in 4.2.14.11
9743 dissect_4_2_14_11(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9744 int offset, guint16 *bcp, gboolean *trunc)
9746 /* compressed file size */
9747 CHECK_BYTE_COUNT_SUBR(8);
9748 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
9749 COUNT_BYTES_SUBR(8);
9751 /* compression format */
9752 CHECK_BYTE_COUNT_SUBR(2);
9753 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
9754 COUNT_BYTES_SUBR(2);
9756 /* compression unit shift */
9757 CHECK_BYTE_COUNT_SUBR(1);
9758 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
9759 COUNT_BYTES_SUBR(1);
9761 /* compression chunk shift */
9762 CHECK_BYTE_COUNT_SUBR(1);
9763 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
9764 COUNT_BYTES_SUBR(1);
9766 /* compression cluster shift */
9767 CHECK_BYTE_COUNT_SUBR(1);
9768 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
9769 COUNT_BYTES_SUBR(1);
9771 /* 3 reserved bytes */
9772 CHECK_BYTE_COUNT_SUBR(3);
9773 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
9774 COUNT_BYTES_SUBR(3);
9782 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION*/
9784 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
9785 int offset, guint16 *bcp)
9794 si = (smb_info_t *)pinfo->private_data;
9795 switch(si->info_level){
9796 case 1: /*Info Standard*/
9797 case 2: /*Info Query EA Size*/
9798 offset = dissect_4_2_14_1(tvb, pinfo, tree, offset, bcp,
9801 case 3: /*Info Query EAs From List*/
9802 case 4: /*Info Query All EAs*/
9803 offset = dissect_4_2_14_2(tvb, pinfo, tree, offset, bcp,
9806 case 6: /*Info Is Name Valid*/
9807 offset = dissect_4_2_14_3(tvb, pinfo, tree, offset, bcp,
9810 case 0x0101: /*Query File Basic Info*/
9811 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp,
9814 case 0x0102: /*Query File Standard Info*/
9815 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp,
9818 case 0x0103: /*Query File EA Info*/
9819 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp,
9822 case 0x0104: /*Query File Name Info*/
9823 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
9826 case 0x0107: /*Query File All Info*/
9827 offset = dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp,
9830 case 0x0108: /*Query File Alt File Info*/
9831 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
9834 case 0x0109: /*Query File Stream Info*/
9835 offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp,
9838 case 0x010b: /*Query File Compression Info*/
9839 offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp,
9842 case 0x0200: /*Set File Unix Basic*/
9843 /* XXX add this from the SNIA doc */
9845 case 0x0201: /*Set File Unix Link*/
9846 /* XXX add this from the SNIA doc */
9848 case 0x0202: /*Set File Unix HardLink*/
9849 /* XXX add this from the SNIA doc */
9857 static const true_false_string tfs_quota_flags_deny_disk = {
9858 "DENY DISK SPACE for users exceeding quota limit",
9859 "Do NOT deny disk space for users exceeding quota limit"
9861 static const true_false_string tfs_quota_flags_log_limit = {
9862 "LOG EVENT when a user exceeds their QUOTA LIMIT",
9863 "Do NOT log event when a user exceeds their quota limit"
9865 static const true_false_string tfs_quota_flags_log_warning = {
9866 "LOG EVENT when a user exceeds their WARNING LEVEL",
9867 "Do NOT log event when a user exceeds their warning level"
9869 static const true_false_string tfs_quota_flags_enabled = {
9870 "Quotas are ENABLED of this fs",
9871 "Quotas are NOT enabled on this fs"
9874 dissect_quota_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9877 proto_item *item = NULL;
9878 proto_tree *tree = NULL;
9880 mask = tvb_get_guint8(tvb, offset);
9883 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
9884 "Quota Flags: 0x%02x %s", mask,
9885 mask?"Enabled":"Disabled");
9886 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
9889 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
9890 tvb, offset, 1, mask);
9891 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
9892 tvb, offset, 1, mask);
9893 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
9894 tvb, offset, 1, mask);
9896 if(mask && (!(mask&0x01))){
9897 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
9898 tvb, offset, 1, 0x01);
9900 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
9901 tvb, offset, 1, mask);
9907 dissect_nt_quota(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp)
9909 /* first 24 bytes are unknown */
9910 CHECK_BYTE_COUNT_TRANS_SUBR(24);
9911 proto_tree_add_item(tree, hf_smb_unknown, tvb,
9913 COUNT_BYTES_TRANS_SUBR(24);
9915 /* number of bytes for quota warning */
9916 CHECK_BYTE_COUNT_TRANS_SUBR(8);
9917 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
9918 COUNT_BYTES_TRANS_SUBR(8);
9920 /* number of bytes for quota limit */
9921 CHECK_BYTE_COUNT_TRANS_SUBR(8);
9922 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
9923 COUNT_BYTES_TRANS_SUBR(8);
9925 /* one byte of quota flags */
9926 CHECK_BYTE_COUNT_TRANS_SUBR(1);
9927 dissect_quota_flags(tvb, pinfo, tree, offset);
9928 COUNT_BYTES_TRANS_SUBR(1);
9930 /* these 7 bytes are unknown */
9931 CHECK_BYTE_COUNT_TRANS_SUBR(7);
9932 proto_tree_add_item(tree, hf_smb_unknown, tvb,
9934 COUNT_BYTES_TRANS_SUBR(7);
9940 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
9941 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
9943 proto_item *item = NULL;
9944 proto_tree *tree = NULL;
9947 si = (smb_info_t *)pinfo->private_data;
9950 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
9952 val_to_str(subcmd, trans2_cmd_vals,
9953 "Unknown (0x%02x)"));
9954 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
9958 case 0x00: /*TRANS2_OPEN2*/
9959 /* XXX FAEList here?*/
9961 case 0x01: /*TRANS2_FIND_FIRST2*/
9962 /* XXX FAEList here?*/
9964 case 0x02: /*TRANS2_FIND_NEXT2*/
9965 /* no data field in this request */
9967 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
9968 /* no data field in this request */
9970 case 0x04: /* TRANS2_SET_QUOTA */
9971 offset = dissect_nt_quota(tvb, pinfo, tree, offset, &dc);
9973 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
9974 /* no data field in this request */
9976 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
9977 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
9979 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
9980 /* no data field in this request */
9982 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
9983 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
9985 case 0x09: /*TRANS2_FSCTL*/
9986 /*XXX dont know how to decode this yet */
9988 case 0x0a: /*TRANS2_IOCTL2*/
9989 /*XXX dont know how to decode this yet */
9991 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
9992 /*XXX dont know how to decode this yet */
9994 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
9995 /*XXX dont know how to decode this yet */
9997 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
9998 /* no data block for this one */
10000 case 0x0e: /*TRANS2_SESSION_SETUP*/
10001 /*XXX dont know how to decode this yet */
10003 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10004 /* no data field in this request */
10006 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10007 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
10011 /* ooops there were data we didnt know how to process */
10013 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
10022 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
10023 packet_info *pinfo, proto_tree *tree)
10030 * Show the setup words.
10032 if (s_tvb != NULL) {
10033 length = tvb_reported_length(s_tvb);
10034 for (i = 0, offset = 0; length >= 2;
10035 i++, offset += 2, length -= 2) {
10037 * XXX - add a setup word filterable field?
10039 proto_tree_add_text(tree, s_tvb, offset, 2,
10040 "Setup Word %d: 0x%04x", i,
10041 tvb_get_letohs(s_tvb, offset));
10046 * Show the parameters, if any.
10048 if (p_tvb != NULL) {
10049 length = tvb_reported_length(p_tvb);
10051 proto_tree_add_text(tree, p_tvb, 0, length,
10053 tvb_bytes_to_str(p_tvb, 0, length));
10058 * Show the data, if any.
10060 if (d_tvb != NULL) {
10061 length = tvb_reported_length(d_tvb);
10063 proto_tree_add_text(tree, d_tvb, 0, length,
10064 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
10069 /* This routine handles the following 4 calls
10071 Transaction Secondary 0x26
10073 Transaction2 Secondary 0x33
10076 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
10083 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
10087 const char *an = NULL;
10089 smb_transact2_info_t *t2i;
10090 smb_transact_info_t *tri;
10093 gboolean dissected_trans;
10095 si = (smb_info_t *)pinfo->private_data;
10100 /*secondary client request*/
10102 /* total param count, only a 16bit integer here*/
10103 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10106 /* total data count , only 16bit integer here*/
10107 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10111 pc = tvb_get_letohs(tvb, offset);
10112 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
10116 po = tvb_get_letohs(tvb, offset);
10117 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
10121 pd = tvb_get_letohs(tvb, offset);
10122 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
10126 dc = tvb_get_letohs(tvb, offset);
10127 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
10131 od = tvb_get_letohs(tvb, offset);
10132 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
10136 dd = tvb_get_letohs(tvb, offset);
10137 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
10140 if(si->cmd==SMB_COM_TRANSACTION2){
10144 fid = tvb_get_letohs(tvb, offset);
10145 add_fid(tvb, pinfo, tree, offset, 2, fid);
10150 /* There are no setup words. */
10155 /* it is not a secondary request */
10157 /* total param count , only a 16 bit integer here*/
10158 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10161 /* total data count , only 16bit integer here*/
10162 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10165 /* max param count , only 16bit integer here*/
10166 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10169 /* max data count, only 16bit integer here*/
10170 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10173 /* max setup count, only 16bit integer here*/
10174 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
10177 /* reserved byte */
10178 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10181 /* transaction flags */
10182 tf = dissect_transaction_flags(tvb, pinfo, tree, offset);
10186 to = tvb_get_letohl(tvb, offset);
10188 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
10189 else if (to == 0xffffffff)
10190 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
10192 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
10195 /* 2 reserved bytes */
10196 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10200 pc = tvb_get_letohs(tvb, offset);
10201 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
10205 po = tvb_get_letohs(tvb, offset);
10206 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
10209 /* param displacement is zero here */
10213 dc = tvb_get_letohs(tvb, offset);
10214 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
10218 od = tvb_get_letohs(tvb, offset);
10219 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
10222 /* data displacement is zero here */
10226 sc = tvb_get_guint8(tvb, offset);
10227 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
10230 /* reserved byte */
10231 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10234 /* this is where the setup bytes, if any start */
10238 /* if there were any setup bytes, decode them */
10242 case SMB_COM_TRANSACTION2:
10243 /* TRANSACTION2 only has one setup word and
10244 that is the subcommand code. */
10245 subcmd = tvb_get_letohs(tvb, offset);
10246 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
10247 tvb, offset, 2, subcmd);
10248 if (check_col(pinfo->cinfo, COL_INFO)) {
10249 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10250 val_to_str(subcmd, trans2_cmd_vals,
10251 "Unknown (0x%02x)"));
10254 if(!pinfo->fd->flags.visited){
10257 * smb_transact2_info_t
10260 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
10261 t2i->subcmd = subcmd;
10262 t2i->info_level = -1;
10263 si->sip->extra_info = t2i;
10268 case SMB_COM_TRANSACTION:
10269 /* TRANSACTION setup words processed below */
10280 /* primary request */
10281 /* name is NULL if transaction2 */
10282 if(si->cmd == SMB_COM_TRANSACTION){
10283 /* Transaction Name */
10284 an = get_unicode_or_ascii_string(tvb, &offset,
10285 pinfo, &an_len, FALSE, FALSE, &bc);
10288 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
10289 offset, an_len, an);
10290 COUNT_BYTES(an_len);
10295 * The pipe or mailslot arguments for Transaction start with
10296 * the first setup word (or where the first setup word would
10297 * be if there were any setup words), and run to the current
10298 * offset (which could mean that there aren't any).
10301 spc = offset - spo;
10305 /* We have some initial padding bytes.
10307 padcnt = po-offset;
10310 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
10311 COUNT_BYTES(padcnt);
10314 CHECK_BYTE_COUNT(pc);
10317 case SMB_COM_TRANSACTION2:
10318 /* TRANSACTION2 parameters*/
10319 offset = dissect_transaction2_request_parameters(tvb,
10320 pinfo, tree, offset, subcmd, pc);
10324 case SMB_COM_TRANSACTION:
10325 /* TRANSACTION parameters processed below */
10333 /* We have some initial padding bytes.
10335 padcnt = od-offset;
10338 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
10339 COUNT_BYTES(padcnt);
10342 CHECK_BYTE_COUNT(dc);
10345 case SMB_COM_TRANSACTION2:
10346 /* TRANSACTION2 data*/
10347 offset = dissect_transaction2_request_data(tvb, pinfo,
10348 tree, offset, subcmd, dc);
10352 case SMB_COM_TRANSACTION:
10353 /* TRANSACTION data processed below */
10359 /*TRANSACTION request parameters */
10360 if(si->cmd==SMB_COM_TRANSACTION){
10361 /*XXX replace this block with a function and use that one
10362 for both requests/responses*/
10364 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
10365 tvbuff_t *sp_tvb, *pd_tvb;
10368 if(pc>tvb_length_remaining(tvb, po)){
10369 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
10371 p_tvb = tvb_new_subset(tvb, po, pc, pc);
10377 if(dc>tvb_length_remaining(tvb, od)){
10378 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
10380 d_tvb = tvb_new_subset(tvb, od, dc, dc);
10386 if(sl>tvb_length_remaining(tvb, so)){
10387 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
10389 s_tvb = tvb_new_subset(tvb, so, sl, sl);
10396 if(!pinfo->fd->flags.visited){
10398 * Allocate a new smb_transact_info_t
10401 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
10403 tri->trans_subcmd = -1;
10404 tri->function = -1;
10406 tri->lanman_cmd = 0;
10407 tri->param_descrip = NULL;
10408 tri->data_descrip = NULL;
10409 tri->aux_data_descrip = NULL;
10410 tri->info_level = -1;
10411 si->sip->extra_info = tri;
10414 * We already filled the structure
10415 * in; don't bother doing so again.
10421 * This is a unidirectional message, for
10422 * which there will be no reply; don't
10423 * bother allocating an "smb_transact_info_t"
10424 * structure for it.
10428 dissected_trans = FALSE;
10429 if(strncmp("\\PIPE\\", an, 6) == 0){
10431 tri->subcmd=TRANSACTION_PIPE;
10434 * A tvbuff containing the setup words and
10437 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
10440 * A tvbuff containing the parameters and the
10443 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
10445 dissected_trans = dissect_pipe_smb(sp_tvb,
10446 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
10448 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
10450 tri->subcmd=TRANSACTION_MAILSLOT;
10453 * A tvbuff containing the setup words and
10454 * the mailslot path.
10456 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
10457 dissected_trans = dissect_mailslot_smb(sp_tvb,
10458 s_tvb, d_tvb, an+10, pinfo, top_tree);
10460 if (!dissected_trans) {
10461 dissect_trans_data(s_tvb, p_tvb, d_tvb,
10465 if(check_col(pinfo->cinfo, COL_INFO)){
10466 col_append_str(pinfo->cinfo, COL_INFO,
10467 "[transact continuation]");
10480 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10481 int offset, guint16 *bcp, gboolean *trunc)
10485 int old_offset = offset;
10486 proto_item *item = NULL;
10487 proto_tree *tree = NULL;
10490 si = (smb_info_t *)pinfo->private_data;
10493 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10494 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10495 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10499 CHECK_BYTE_COUNT_SUBR(4);
10500 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10501 hf_smb_create_time,
10502 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
10506 CHECK_BYTE_COUNT_SUBR(4);
10507 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10508 hf_smb_access_time,
10509 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
10512 /* last write time */
10513 CHECK_BYTE_COUNT_SUBR(4);
10514 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10515 hf_smb_last_write_time,
10516 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
10520 CHECK_BYTE_COUNT_SUBR(4);
10521 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10522 COUNT_BYTES_SUBR(4);
10524 /* allocation size */
10525 CHECK_BYTE_COUNT_SUBR(4);
10526 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10527 COUNT_BYTES_SUBR(4);
10529 /* File Attributes */
10530 CHECK_BYTE_COUNT_SUBR(2);
10531 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
10534 /* file name len */
10535 CHECK_BYTE_COUNT_SUBR(1);
10536 fn_len = tvb_get_guint8(tvb, offset);
10537 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
10538 COUNT_BYTES_SUBR(1);
10541 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10542 CHECK_STRING_SUBR(fn);
10543 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10545 COUNT_BYTES_SUBR(fn_len);
10547 if (check_col(pinfo->cinfo, COL_INFO)) {
10548 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10552 proto_item_append_text(item, " File: %s", fn);
10553 proto_item_set_len(item, offset-old_offset);
10560 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10561 int offset, guint16 *bcp, gboolean *trunc)
10565 int old_offset = offset;
10566 proto_item *item = NULL;
10567 proto_tree *tree = NULL;
10570 si = (smb_info_t *)pinfo->private_data;
10573 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10574 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10575 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10579 CHECK_BYTE_COUNT_SUBR(4);
10580 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10581 hf_smb_create_time,
10582 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
10586 CHECK_BYTE_COUNT_SUBR(4);
10587 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10588 hf_smb_access_time,
10589 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
10592 /* last write time */
10593 CHECK_BYTE_COUNT_SUBR(4);
10594 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10595 hf_smb_last_write_time,
10596 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
10600 CHECK_BYTE_COUNT_SUBR(4);
10601 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10602 COUNT_BYTES_SUBR(4);
10604 /* allocation size */
10605 CHECK_BYTE_COUNT_SUBR(4);
10606 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10607 COUNT_BYTES_SUBR(4);
10609 /* File Attributes */
10610 CHECK_BYTE_COUNT_SUBR(2);
10611 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
10615 CHECK_BYTE_COUNT_SUBR(4);
10616 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10617 COUNT_BYTES_SUBR(4);
10619 /* file name len */
10620 CHECK_BYTE_COUNT_SUBR(1);
10621 fn_len = tvb_get_guint8(tvb, offset);
10622 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
10623 COUNT_BYTES_SUBR(1);
10626 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10627 CHECK_STRING_SUBR(fn);
10628 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10630 COUNT_BYTES_SUBR(fn_len);
10632 if (check_col(pinfo->cinfo, COL_INFO)) {
10633 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10637 proto_item_append_text(item, " File: %s", fn);
10638 proto_item_set_len(item, offset-old_offset);
10645 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10646 int offset, guint16 *bcp, gboolean *trunc)
10650 int old_offset = offset;
10651 proto_item *item = NULL;
10652 proto_tree *tree = NULL;
10657 si = (smb_info_t *)pinfo->private_data;
10660 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10661 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10662 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10665 /* next entry offset */
10666 CHECK_BYTE_COUNT_SUBR(4);
10667 neo = tvb_get_letohl(tvb, offset);
10668 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10669 COUNT_BYTES_SUBR(4);
10672 CHECK_BYTE_COUNT_SUBR(4);
10673 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10674 COUNT_BYTES_SUBR(4);
10677 CHECK_BYTE_COUNT_SUBR(8);
10678 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10679 hf_smb_create_time);
10683 CHECK_BYTE_COUNT_SUBR(8);
10684 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10685 hf_smb_access_time);
10688 /* last write time */
10689 CHECK_BYTE_COUNT_SUBR(8);
10690 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10691 hf_smb_last_write_time);
10694 /* last change time */
10695 CHECK_BYTE_COUNT_SUBR(8);
10696 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10697 hf_smb_change_time);
10701 CHECK_BYTE_COUNT_SUBR(8);
10702 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10703 COUNT_BYTES_SUBR(8);
10705 /* allocation size */
10706 CHECK_BYTE_COUNT_SUBR(8);
10707 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10708 COUNT_BYTES_SUBR(8);
10710 /* Extended File Attributes */
10711 CHECK_BYTE_COUNT_SUBR(4);
10712 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
10715 /* file name len */
10716 CHECK_BYTE_COUNT_SUBR(4);
10717 fn_len = tvb_get_letohl(tvb, offset);
10718 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
10719 COUNT_BYTES_SUBR(4);
10722 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10723 CHECK_STRING_SUBR(fn);
10724 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10726 COUNT_BYTES_SUBR(fn_len);
10728 if (check_col(pinfo->cinfo, COL_INFO)) {
10729 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10733 /* skip to next structure */
10735 padcnt = (old_offset + neo) - offset;
10738 * XXX - this is bogus; flag it?
10743 CHECK_BYTE_COUNT_SUBR(padcnt);
10744 COUNT_BYTES_SUBR(padcnt);
10748 proto_item_append_text(item, " File: %s", fn);
10749 proto_item_set_len(item, offset-old_offset);
10756 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10757 int offset, guint16 *bcp, gboolean *trunc)
10761 int old_offset = offset;
10762 proto_item *item = NULL;
10763 proto_tree *tree = NULL;
10768 si = (smb_info_t *)pinfo->private_data;
10771 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10772 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10773 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10776 /* next entry offset */
10777 CHECK_BYTE_COUNT_SUBR(4);
10778 neo = tvb_get_letohl(tvb, offset);
10779 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10780 COUNT_BYTES_SUBR(4);
10783 CHECK_BYTE_COUNT_SUBR(4);
10784 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10785 COUNT_BYTES_SUBR(4);
10788 CHECK_BYTE_COUNT_SUBR(8);
10789 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10790 hf_smb_create_time);
10794 CHECK_BYTE_COUNT_SUBR(8);
10795 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10796 hf_smb_access_time);
10799 /* last write time */
10800 CHECK_BYTE_COUNT_SUBR(8);
10801 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10802 hf_smb_last_write_time);
10805 /* last change time */
10806 CHECK_BYTE_COUNT_SUBR(8);
10807 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10808 hf_smb_change_time);
10812 CHECK_BYTE_COUNT_SUBR(8);
10813 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10814 COUNT_BYTES_SUBR(8);
10816 /* allocation size */
10817 CHECK_BYTE_COUNT_SUBR(8);
10818 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10819 COUNT_BYTES_SUBR(8);
10821 /* Extended File Attributes */
10822 CHECK_BYTE_COUNT_SUBR(4);
10823 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
10826 /* file name len */
10827 CHECK_BYTE_COUNT_SUBR(4);
10828 fn_len = tvb_get_letohl(tvb, offset);
10829 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
10830 COUNT_BYTES_SUBR(4);
10833 CHECK_BYTE_COUNT_SUBR(4);
10834 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10835 COUNT_BYTES_SUBR(4);
10838 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10839 CHECK_STRING_SUBR(fn);
10840 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10842 COUNT_BYTES_SUBR(fn_len);
10844 if (check_col(pinfo->cinfo, COL_INFO)) {
10845 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10849 /* skip to next structure */
10851 padcnt = (old_offset + neo) - offset;
10854 * XXX - this is bogus; flag it?
10859 CHECK_BYTE_COUNT_SUBR(padcnt);
10860 COUNT_BYTES_SUBR(padcnt);
10864 proto_item_append_text(item, " File: %s", fn);
10865 proto_item_set_len(item, offset-old_offset);
10872 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10873 int offset, guint16 *bcp, gboolean *trunc)
10875 int fn_len, sfn_len;
10876 const char *fn, *sfn;
10877 int old_offset = offset;
10878 proto_item *item = NULL;
10879 proto_tree *tree = NULL;
10884 si = (smb_info_t *)pinfo->private_data;
10887 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10888 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10889 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10892 /* next entry offset */
10893 CHECK_BYTE_COUNT_SUBR(4);
10894 neo = tvb_get_letohl(tvb, offset);
10895 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10896 COUNT_BYTES_SUBR(4);
10899 CHECK_BYTE_COUNT_SUBR(4);
10900 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10901 COUNT_BYTES_SUBR(4);
10904 CHECK_BYTE_COUNT_SUBR(8);
10905 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10906 hf_smb_create_time);
10910 CHECK_BYTE_COUNT_SUBR(8);
10911 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10912 hf_smb_access_time);
10915 /* last write time */
10916 CHECK_BYTE_COUNT_SUBR(8);
10917 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10918 hf_smb_last_write_time);
10921 /* last change time */
10922 CHECK_BYTE_COUNT_SUBR(8);
10923 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10924 hf_smb_change_time);
10928 CHECK_BYTE_COUNT_SUBR(8);
10929 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10930 COUNT_BYTES_SUBR(8);
10932 /* allocation size */
10933 CHECK_BYTE_COUNT_SUBR(8);
10934 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10935 COUNT_BYTES_SUBR(8);
10937 /* Extended File Attributes */
10938 CHECK_BYTE_COUNT_SUBR(4);
10939 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
10942 /* file name len */
10943 CHECK_BYTE_COUNT_SUBR(4);
10944 fn_len = tvb_get_letohl(tvb, offset);
10945 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
10946 COUNT_BYTES_SUBR(4);
10949 CHECK_BYTE_COUNT_SUBR(4);
10950 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10951 COUNT_BYTES_SUBR(4);
10953 /* short file name len */
10954 CHECK_BYTE_COUNT_SUBR(1);
10955 sfn_len = tvb_get_guint8(tvb, offset);
10956 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
10957 COUNT_BYTES_SUBR(1);
10959 /* reserved byte */
10960 CHECK_BYTE_COUNT_SUBR(1);
10961 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10962 COUNT_BYTES_SUBR(1);
10964 /* short file name */
10965 sfn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &sfn_len, FALSE, TRUE, bcp);
10966 CHECK_STRING_SUBR(sfn);
10967 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
10969 COUNT_BYTES_SUBR(24);
10972 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10973 CHECK_STRING_SUBR(fn);
10974 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10976 COUNT_BYTES_SUBR(fn_len);
10978 if (check_col(pinfo->cinfo, COL_INFO)) {
10979 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10983 /* skip to next structure */
10985 padcnt = (old_offset + neo) - offset;
10988 * XXX - this is bogus; flag it?
10993 CHECK_BYTE_COUNT_SUBR(padcnt);
10994 COUNT_BYTES_SUBR(padcnt);
10998 proto_item_append_text(item, " File: %s", fn);
10999 proto_item_set_len(item, offset-old_offset);
11006 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11007 int offset, guint16 *bcp, gboolean *trunc)
11011 int old_offset = offset;
11012 proto_item *item = NULL;
11013 proto_tree *tree = NULL;
11018 si = (smb_info_t *)pinfo->private_data;
11021 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11022 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11023 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11026 /* next entry offset */
11027 CHECK_BYTE_COUNT_SUBR(4);
11028 neo = tvb_get_letohl(tvb, offset);
11029 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11030 COUNT_BYTES_SUBR(4);
11033 CHECK_BYTE_COUNT_SUBR(4);
11034 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11035 COUNT_BYTES_SUBR(4);
11037 /* file name len */
11038 CHECK_BYTE_COUNT_SUBR(4);
11039 fn_len = tvb_get_letohl(tvb, offset);
11040 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11041 COUNT_BYTES_SUBR(4);
11044 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11045 CHECK_STRING_SUBR(fn);
11046 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11048 COUNT_BYTES_SUBR(fn_len);
11050 if (check_col(pinfo->cinfo, COL_INFO)) {
11051 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11055 /* skip to next structure */
11057 padcnt = (old_offset + neo) - offset;
11060 * XXX - this is bogus; flag it?
11065 CHECK_BYTE_COUNT_SUBR(padcnt);
11066 COUNT_BYTES_SUBR(padcnt);
11070 proto_item_append_text(item, " File: %s", fn);
11071 proto_item_set_len(item, offset-old_offset);
11078 dissect_4_3_4_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11079 int offset, guint16 *bcp, gboolean *trunc)
11081 /*XXX im lazy. i havnt implemented this */
11088 /*dissect the data block for TRANS2_FIND_FIRST2*/
11090 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
11091 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
11099 si = (smb_info_t *)pinfo->private_data;
11100 switch(si->info_level){
11101 case 1: /*Info Standard*/
11102 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
11105 case 2: /*Info Query EA Size*/
11106 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
11109 case 3: /*Info Query EAs From List same as
11111 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
11114 case 0x0101: /*Find File Directory Info*/
11115 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
11118 case 0x0102: /*Find File Full Directory Info*/
11119 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
11122 case 0x0103: /*Find File Names Info*/
11123 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
11126 case 0x0104: /*Find File Both Directory Info*/
11127 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
11130 case 0x0202: /*Find File UNIX*/
11131 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
11134 default: /* unknown info level */
11143 dissect_fs_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
11146 proto_item *item = NULL;
11147 proto_tree *tree = NULL;
11149 mask = tvb_get_letohl(tvb, offset);
11152 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
11153 "FS Attributes: 0x%08x", mask);
11154 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
11157 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
11158 tvb, offset, 4, mask);
11159 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
11160 tvb, offset, 4, mask);
11161 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
11162 tvb, offset, 4, mask);
11163 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
11164 tvb, offset, 4, mask);
11165 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
11166 tvb, offset, 4, mask);
11167 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
11168 tvb, offset, 4, mask);
11169 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
11170 tvb, offset, 4, mask);
11178 dissect_device_characteristics(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
11181 proto_item *item = NULL;
11182 proto_tree *tree = NULL;
11184 mask = tvb_get_letohl(tvb, offset);
11187 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
11188 "Device Characteristics: 0x%08x", mask);
11189 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
11192 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
11193 tvb, offset, 4, mask);
11194 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
11195 tvb, offset, 4, mask);
11196 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
11197 tvb, offset, 4, mask);
11198 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
11199 tvb, offset, 4, mask);
11200 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
11201 tvb, offset, 4, mask);
11202 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
11203 tvb, offset, 4, mask);
11204 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
11205 tvb, offset, 4, mask);
11211 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
11213 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
11214 int offset, guint16 *bcp)
11217 int fn_len, vll, fnl;
11224 si = (smb_info_t *)pinfo->private_data;
11225 switch(si->info_level){
11226 case 1: /* SMB_INFO_ALLOCATION */
11227 /* filesystem id */
11228 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11229 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
11230 COUNT_BYTES_TRANS_SUBR(4);
11232 /* sectors per unit */
11233 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11234 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
11235 COUNT_BYTES_TRANS_SUBR(4);
11238 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11239 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
11240 COUNT_BYTES_TRANS_SUBR(4);
11243 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11244 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
11245 COUNT_BYTES_TRANS_SUBR(4);
11247 /* bytes per sector, only 16bit integer here */
11248 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11249 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11250 COUNT_BYTES_TRANS_SUBR(2);
11253 case 2: /* SMB_INFO_VOLUME */
11254 /* volume serial number */
11255 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11256 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
11257 COUNT_BYTES_TRANS_SUBR(4);
11259 /* volume label length, only one byte here */
11260 CHECK_BYTE_COUNT_TRANS_SUBR(1);
11261 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11262 COUNT_BYTES_TRANS_SUBR(1);
11265 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
11266 CHECK_STRING_TRANS_SUBR(fn);
11267 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
11269 COUNT_BYTES_TRANS_SUBR(fn_len);
11272 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
11274 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11275 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11276 hf_smb_create_time);
11279 /* volume serial number */
11280 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11281 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
11282 COUNT_BYTES_TRANS_SUBR(4);
11284 /* volume label length */
11285 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11286 vll = tvb_get_letohl(tvb, offset);
11287 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
11288 COUNT_BYTES_TRANS_SUBR(4);
11290 /* 2 reserved bytes */
11291 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11292 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11293 COUNT_BYTES_TRANS_SUBR(2);
11297 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11298 CHECK_STRING_TRANS_SUBR(fn);
11299 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
11301 COUNT_BYTES_TRANS_SUBR(fn_len);
11304 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
11305 /* allocation size */
11306 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11307 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11308 COUNT_BYTES_TRANS_SUBR(8);
11310 /* free allocation units */
11311 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11312 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
11313 COUNT_BYTES_TRANS_SUBR(8);
11315 /* sectors per unit */
11316 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11317 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
11318 COUNT_BYTES_TRANS_SUBR(4);
11320 /* bytes per sector */
11321 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11322 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
11323 COUNT_BYTES_TRANS_SUBR(4);
11326 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
11328 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11329 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
11330 COUNT_BYTES_TRANS_SUBR(4);
11332 /* device characteristics */
11333 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11334 offset = dissect_device_characteristics(tvb, pinfo, tree, offset);
11338 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
11339 /* FS attributes */
11340 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11341 offset = dissect_fs_attributes(tvb, pinfo, tree, offset);
11345 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11346 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
11347 COUNT_BYTES_TRANS_SUBR(4);
11349 /* fs name length */
11350 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11351 fnl = tvb_get_letohl(tvb, offset);
11352 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
11353 COUNT_BYTES_TRANS_SUBR(4);
11357 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11358 CHECK_STRING_TRANS_SUBR(fn);
11359 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
11361 COUNT_BYTES_TRANS_SUBR(fn_len);
11364 case 1006: /* QUERY_FS_QUOTA_INFO */
11365 offset = dissect_nt_quota(tvb, pinfo, tree, offset, bcp);
11372 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
11373 proto_tree *parent_tree)
11375 proto_item *item = NULL;
11376 proto_tree *tree = NULL;
11378 smb_transact2_info_t *t2i;
11384 dc = tvb_reported_length(tvb);
11386 si = (smb_info_t *)pinfo->private_data;
11387 if (si->sip != NULL)
11388 t2i = si->sip->extra_info;
11393 if (t2i != NULL && t2i->subcmd != -1) {
11394 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11396 val_to_str(t2i->subcmd, trans2_cmd_vals,
11397 "Unknown (0x%02x)"));
11398 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11400 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11401 "Unknown Transaction2 Data");
11409 switch(t2i->subcmd){
11410 case 0x00: /*TRANS2_OPEN2*/
11411 /* XXX not implemented yet. See SNIA doc */
11413 case 0x01: /*TRANS2_FIND_FIRST2*/
11414 /* returned data */
11415 count = si->info_count;
11417 if (count && check_col(pinfo->cinfo, COL_INFO)) {
11418 col_append_fstr(pinfo->cinfo, COL_INFO,
11423 offset = dissect_ff2_response_data(tvb, pinfo, tree,
11424 offset, &dc, &trunc);
11429 case 0x02: /*TRANS2_FIND_NEXT2*/
11430 /* returned data */
11431 count = si->info_count;
11433 if (count && check_col(pinfo->cinfo, COL_INFO)) {
11434 col_append_fstr(pinfo->cinfo, COL_INFO,
11439 offset = dissect_ff2_response_data(tvb, pinfo, tree,
11440 offset, &dc, &trunc);
11445 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11446 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
11448 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11449 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11451 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11452 /* no data in this response */
11454 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11455 /* identical to QUERY_PATH_INFO */
11456 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11458 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11459 /* no data in this response */
11461 case 0x09: /*TRANS2_FSCTL*/
11462 /* XXX dont know how to dissect this one (yet)*/
11464 case 0x0a: /*TRANS2_IOCTL2*/
11465 /* XXX dont know how to dissect this one (yet)*/
11467 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11468 /* XXX dont know how to dissect this one (yet)*/
11470 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11471 /* XXX dont know how to dissect this one (yet)*/
11473 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11474 /* no data in this response */
11476 case 0x0e: /*TRANS2_SESSION_SETUP*/
11477 /* XXX dont know how to dissect this one (yet)*/
11479 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11480 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
11482 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11483 /* the SNIA spec appears to say the response has no data */
11487 * We don't know what the matching request was; don't
11488 * bother putting anything else into the tree for the data.
11495 /* ooops there were data we didnt know how to process */
11497 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
11506 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
11508 proto_item *item = NULL;
11509 proto_tree *tree = NULL;
11511 smb_transact2_info_t *t2i;
11517 pc = tvb_reported_length(tvb);
11519 si = (smb_info_t *)pinfo->private_data;
11520 if (si->sip != NULL)
11521 t2i = si->sip->extra_info;
11526 if (t2i != NULL && t2i->subcmd != -1) {
11527 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
11529 val_to_str(t2i->subcmd, trans2_cmd_vals,
11530 "Unknown (0x%02x)"));
11531 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
11533 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
11534 "Unknown Transaction2 Parameters");
11542 switch(t2i->subcmd){
11543 case 0x00: /*TRANS2_OPEN2*/
11545 fid = tvb_get_letohs(tvb, offset);
11546 add_fid(tvb, pinfo, tree, offset, 2, fid);
11549 /* File Attributes */
11550 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
11553 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
11554 hf_smb_create_time,
11555 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
11558 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11561 /* granted access */
11562 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
11565 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
11569 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
11572 offset = dissect_open_action(tvb, pinfo, tree, offset);
11574 /* 4 reserved bytes */
11575 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
11578 /* ea error offset, only a 16 bit integer here */
11579 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11583 proto_tree_add_item(tree, hf_smb_ea_length, tvb, offset, 4, TRUE);
11587 case 0x01: /*TRANS2_FIND_FIRST2*/
11588 /* Find First2 information level */
11589 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
11592 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
11596 si->info_count = tvb_get_letohs(tvb, offset);
11597 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
11600 /* end of search */
11601 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
11604 /* ea error offset, only a 16 bit integer here */
11605 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11608 /* last name offset */
11609 lno = tvb_get_letohs(tvb, offset);
11610 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
11614 case 0x02: /*TRANS2_FIND_NEXT2*/
11616 si->info_count = tvb_get_letohs(tvb, offset);
11617 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
11620 /* end of search */
11621 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
11624 /* ea error offset , only a 16 bit integer here*/
11625 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11628 /* last name offset */
11629 lno = tvb_get_letohs(tvb, offset);
11630 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
11634 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11635 /* no parameter block here */
11637 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11638 /* no parameter block here */
11640 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11641 /* no parameter block here */
11643 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11644 /* no parameter block here */
11646 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11647 /* no parameter block here */
11649 case 0x09: /*TRANS2_FSCTL*/
11650 /* XXX dont know how to dissect this one (yet)*/
11652 case 0x0a: /*TRANS2_IOCTL2*/
11653 /* XXX dont know how to dissect this one (yet)*/
11655 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11656 /* XXX dont know how to dissect this one (yet)*/
11658 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11659 /* XXX dont know how to dissect this one (yet)*/
11661 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11662 /* ea error offset, only a 16 bit integer here */
11663 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11667 case 0x0e: /*TRANS2_SESSION_SETUP*/
11668 /* XXX dont know how to dissect this one (yet)*/
11670 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11671 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
11673 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11674 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
11678 * We don't know what the matching request was; don't
11679 * bother putting anything else into the tree for the data.
11685 /* ooops there were data we didnt know how to process */
11687 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
11688 offset += pc-offset;
11694 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
11697 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
11698 gboolean reassembled = FALSE;
11700 smb_transact2_info_t *t2i = NULL;
11703 gboolean dissected_trans;
11704 fragment_data *r_fd = NULL;
11705 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
11706 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
11707 gboolean save_fragmented;
11709 si = (smb_info_t *)pinfo->private_data;
11712 case SMB_COM_TRANSACTION2:
11714 if (si->sip != NULL) {
11715 t2i = si->sip->extra_info;
11720 * We didn't see the matching request, so we don't
11721 * know what type of transaction this is.
11723 proto_tree_add_text(tree, tvb, 0, 0,
11724 "Subcommand: <UNKNOWN> since request packet wasn't seen");
11725 if (check_col(pinfo->cinfo, COL_INFO)) {
11726 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
11729 si->info_level = t2i->info_level;
11730 if (t2i->subcmd == -1) {
11732 * We didn't manage to extract the subcommand
11733 * from the matching request (perhaps because
11734 * the frame was short), so we don't know what
11735 * type of transaction this is.
11737 proto_tree_add_text(tree, tvb, 0, 0,
11738 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
11739 if (check_col(pinfo->cinfo, COL_INFO)) {
11740 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
11743 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
11744 if (check_col(pinfo->cinfo, COL_INFO)) {
11745 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11746 val_to_str(t2i->subcmd,
11748 "<unknown (0x%02x)>"));
11757 /* total param count, only a 16bit integer here */
11758 tp = tvb_get_letohs(tvb, offset);
11759 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
11762 /* total data count, only a 16 bit integer here */
11763 td = tvb_get_letohs(tvb, offset);
11764 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
11767 /* 2 reserved bytes */
11768 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11772 pc = tvb_get_letohs(tvb, offset);
11773 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11777 po = tvb_get_letohs(tvb, offset);
11778 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11782 pd = tvb_get_letohs(tvb, offset);
11783 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11787 dc = tvb_get_letohs(tvb, offset);
11788 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11792 od = tvb_get_letohs(tvb, offset);
11793 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11797 dd = tvb_get_letohs(tvb, offset);
11798 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11802 sc = tvb_get_guint8(tvb, offset);
11803 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11806 /* reserved byte */
11807 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11811 /* if there were any setup bytes, put them in a tvb for later */
11813 if((2*sc)>tvb_length_remaining(tvb, offset)){
11814 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
11816 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
11818 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
11829 /* reassembly of SMB Transaction data payload.
11830 In this section we do reassembly of both the data and parameters
11831 blocks of the SMB transaction command.
11833 save_fragmented = pinfo->fragmented;
11834 /* do we need reassembly? */
11835 if( (td!=dc) || (tp!=pc) ){
11836 /* oh yeah, either data or parameter section needs
11839 pinfo->fragmented = TRUE;
11840 if(smb_trans_reassembly){
11841 /* ...and we were told to do reassembly */
11842 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
11843 r_fd = smb_trans_defragment(tree, pinfo, tvb,
11844 po, pc, pd, td+tp);
11847 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
11848 r_fd = smb_trans_defragment(tree, pinfo, tvb,
11849 od, dc, dd+tp, td+tp);
11854 /* if we got a reassembled fd structure from the reassembly routine we must
11855 create pd_tvb from it
11862 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
11864 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
11865 add_new_data_source(pinfo->fd, pd_tvb, "Reassembled SMB");
11866 pinfo->fragmented = FALSE;
11868 it = proto_tree_add_text(tree, pd_tvb, 0, -1, "Fragments");
11869 tr = proto_item_add_subtree(it, ett_smb_segments);
11870 for(fd=r_fd->next;fd;fd=fd->next){
11871 proto_tree_add_text(tr, pd_tvb, fd->offset, fd->len,
11872 "Frame:%u Data:%u-%u",
11873 fd->frame, fd->offset,
11874 fd->offset+fd->len-1);
11880 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
11882 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
11885 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
11888 /* It was not reassembled. Do as best as we can.
11889 * in this case we always try to dissect the stuff if
11890 * data and param displacement is 0. i.e. for the first
11891 * (and maybe only) packet.
11893 if( (pd==0) && (dd==0) ){
11896 min = MIN(pc,tvb_length_remaining(tvb,po));
11897 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
11898 if(min && reported_min) {
11899 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
11901 min = MIN(dc,tvb_length_remaining(tvb,od));
11902 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
11903 if(min && reported_min) {
11904 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
11907 * A tvbuff containing the parameters
11909 * XXX - check pc and dc as well?
11911 if (tvb_length_remaining(tvb, po)){
11912 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
11921 /* We have some padding bytes.
11923 padcnt = po-offset;
11926 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11927 COUNT_BYTES(padcnt);
11929 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
11930 /* TRANSACTION2 parameters*/
11931 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
11938 /* We have some initial padding bytes.
11940 padcnt = od-offset;
11943 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11944 COUNT_BYTES(padcnt);
11947 * If the data count is bigger than the count of bytes
11948 * remaining, clamp it so that the count of bytes remaining
11949 * doesn't go negative.
11957 /* from now on, everything is in separate tvbuffs so we dont count
11958 the bytes with COUNT_BYTES any more.
11959 neither do we reference offset any more (which by now points to the
11960 first byte AFTER this PDU */
11963 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
11964 /* TRANSACTION2 parameters*/
11965 dissect_transaction2_response_data(d_tvb, pinfo, tree);
11969 if(si->cmd==SMB_COM_TRANSACTION){
11970 smb_transact_info_t *tri;
11972 dissected_trans = FALSE;
11973 if (si->sip != NULL)
11974 tri = si->sip->extra_info;
11978 switch(tri->subcmd){
11980 case TRANSACTION_PIPE:
11981 /* This function is safe to call for
11982 s_tvb==sp_tvb==NULL, i.e. if we don't
11983 know them at this point.
11984 It's also safe to call if "p_tvb"
11985 or "d_tvb" are null.
11988 dissected_trans = dissect_pipe_smb(
11989 sp_tvb, s_tvb, pd_tvb, p_tvb,
11990 d_tvb, NULL, pinfo, top_tree);
11994 case TRANSACTION_MAILSLOT:
11995 /* This one should be safe to call
11996 even if s_tvb and sp_tvb is NULL
11999 dissected_trans = dissect_mailslot_smb(
12000 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
12006 if (!dissected_trans) {
12007 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
12008 dissect_trans_data(s_tvb, p_tvb, d_tvb,
12014 if( (p_tvb==0) && (d_tvb==0) ){
12015 if(check_col(pinfo->cinfo, COL_INFO)){
12016 col_append_str(pinfo->cinfo, COL_INFO,
12017 "[transact continuation]");
12021 pinfo->fragmented = save_fragmented;
12028 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12029 END Transaction/Transaction2 Primary and secondary requests
12030 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
12034 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
12042 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
12047 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
12054 typedef struct _smb_function {
12055 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12056 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12059 static smb_function smb_dissector[256] = {
12060 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
12061 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
12062 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
12063 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
12064 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
12065 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
12066 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
12067 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
12068 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
12069 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
12070 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
12071 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
12072 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
12073 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
12074 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
12075 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
12077 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
12078 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
12079 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
12080 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
12081 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
12082 /* 0x15 */ {dissect_unknown, dissect_unknown},
12083 /* 0x16 */ {dissect_unknown, dissect_unknown},
12084 /* 0x17 */ {dissect_unknown, dissect_unknown},
12085 /* 0x18 */ {dissect_unknown, dissect_unknown},
12086 /* 0x19 */ {dissect_unknown, dissect_unknown},
12087 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
12088 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
12089 /* 0x1c */ {dissect_unknown, dissect_unknown},
12090 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
12091 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
12092 /* 0x1f */ {dissect_unknown, dissect_unknown},
12094 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
12095 /* 0x21 */ {dissect_unknown, dissect_unknown},
12096 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
12097 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
12098 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
12099 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
12100 /* 0x26 Transaction Secondary */ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
12101 /* 0x27 */ {dissect_unknown, dissect_unknown},
12102 /* 0x28 */ {dissect_unknown, dissect_unknown},
12103 /* 0x29 */ {dissect_unknown, dissect_unknown},
12104 /* 0x2a Move File*/ {dissect_move_request, dissect_move_response},
12105 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
12106 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
12107 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
12108 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
12109 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
12111 /* 0x30 */ {dissect_unknown, dissect_unknown},
12112 /* 0x31 */ {dissect_unknown, dissect_unknown},
12113 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
12114 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
12115 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
12116 /* 0x35 */ {dissect_unknown, dissect_unknown},
12117 /* 0x36 */ {dissect_unknown, dissect_unknown},
12118 /* 0x37 */ {dissect_unknown, dissect_unknown},
12119 /* 0x38 */ {dissect_unknown, dissect_unknown},
12120 /* 0x39 */ {dissect_unknown, dissect_unknown},
12121 /* 0x3a */ {dissect_unknown, dissect_unknown},
12122 /* 0x3b */ {dissect_unknown, dissect_unknown},
12123 /* 0x3c */ {dissect_unknown, dissect_unknown},
12124 /* 0x3d */ {dissect_unknown, dissect_unknown},
12125 /* 0x3e */ {dissect_unknown, dissect_unknown},
12126 /* 0x3f */ {dissect_unknown, dissect_unknown},
12128 /* 0x40 */ {dissect_unknown, dissect_unknown},
12129 /* 0x41 */ {dissect_unknown, dissect_unknown},
12130 /* 0x42 */ {dissect_unknown, dissect_unknown},
12131 /* 0x43 */ {dissect_unknown, dissect_unknown},
12132 /* 0x44 */ {dissect_unknown, dissect_unknown},
12133 /* 0x45 */ {dissect_unknown, dissect_unknown},
12134 /* 0x46 */ {dissect_unknown, dissect_unknown},
12135 /* 0x47 */ {dissect_unknown, dissect_unknown},
12136 /* 0x48 */ {dissect_unknown, dissect_unknown},
12137 /* 0x49 */ {dissect_unknown, dissect_unknown},
12138 /* 0x4a */ {dissect_unknown, dissect_unknown},
12139 /* 0x4b */ {dissect_unknown, dissect_unknown},
12140 /* 0x4c */ {dissect_unknown, dissect_unknown},
12141 /* 0x4d */ {dissect_unknown, dissect_unknown},
12142 /* 0x4e */ {dissect_unknown, dissect_unknown},
12143 /* 0x4f */ {dissect_unknown, dissect_unknown},
12145 /* 0x50 */ {dissect_unknown, dissect_unknown},
12146 /* 0x51 */ {dissect_unknown, dissect_unknown},
12147 /* 0x52 */ {dissect_unknown, dissect_unknown},
12148 /* 0x53 */ {dissect_unknown, dissect_unknown},
12149 /* 0x54 */ {dissect_unknown, dissect_unknown},
12150 /* 0x55 */ {dissect_unknown, dissect_unknown},
12151 /* 0x56 */ {dissect_unknown, dissect_unknown},
12152 /* 0x57 */ {dissect_unknown, dissect_unknown},
12153 /* 0x58 */ {dissect_unknown, dissect_unknown},
12154 /* 0x59 */ {dissect_unknown, dissect_unknown},
12155 /* 0x5a */ {dissect_unknown, dissect_unknown},
12156 /* 0x5b */ {dissect_unknown, dissect_unknown},
12157 /* 0x5c */ {dissect_unknown, dissect_unknown},
12158 /* 0x5d */ {dissect_unknown, dissect_unknown},
12159 /* 0x5e */ {dissect_unknown, dissect_unknown},
12160 /* 0x5f */ {dissect_unknown, dissect_unknown},
12162 /* 0x60 */ {dissect_unknown, dissect_unknown},
12163 /* 0x61 */ {dissect_unknown, dissect_unknown},
12164 /* 0x62 */ {dissect_unknown, dissect_unknown},
12165 /* 0x63 */ {dissect_unknown, dissect_unknown},
12166 /* 0x64 */ {dissect_unknown, dissect_unknown},
12167 /* 0x65 */ {dissect_unknown, dissect_unknown},
12168 /* 0x66 */ {dissect_unknown, dissect_unknown},
12169 /* 0x67 */ {dissect_unknown, dissect_unknown},
12170 /* 0x68 */ {dissect_unknown, dissect_unknown},
12171 /* 0x69 */ {dissect_unknown, dissect_unknown},
12172 /* 0x6a */ {dissect_unknown, dissect_unknown},
12173 /* 0x6b */ {dissect_unknown, dissect_unknown},
12174 /* 0x6c */ {dissect_unknown, dissect_unknown},
12175 /* 0x6d */ {dissect_unknown, dissect_unknown},
12176 /* 0x6e */ {dissect_unknown, dissect_unknown},
12177 /* 0x6f */ {dissect_unknown, dissect_unknown},
12179 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
12180 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
12181 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
12182 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
12183 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
12184 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
12185 /* 0x76 */ {dissect_unknown, dissect_unknown},
12186 /* 0x77 */ {dissect_unknown, dissect_unknown},
12187 /* 0x78 */ {dissect_unknown, dissect_unknown},
12188 /* 0x79 */ {dissect_unknown, dissect_unknown},
12189 /* 0x7a */ {dissect_unknown, dissect_unknown},
12190 /* 0x7b */ {dissect_unknown, dissect_unknown},
12191 /* 0x7c */ {dissect_unknown, dissect_unknown},
12192 /* 0x7d */ {dissect_unknown, dissect_unknown},
12193 /* 0x7e */ {dissect_unknown, dissect_unknown},
12194 /* 0x7f */ {dissect_unknown, dissect_unknown},
12196 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
12197 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
12198 /* 0x82 */ {dissect_unknown, dissect_unknown},
12199 /* 0x83 */ {dissect_unknown, dissect_unknown},
12200 /* 0x84 */ {dissect_unknown, dissect_unknown},
12201 /* 0x85 */ {dissect_unknown, dissect_unknown},
12202 /* 0x86 */ {dissect_unknown, dissect_unknown},
12203 /* 0x87 */ {dissect_unknown, dissect_unknown},
12204 /* 0x88 */ {dissect_unknown, dissect_unknown},
12205 /* 0x89 */ {dissect_unknown, dissect_unknown},
12206 /* 0x8a */ {dissect_unknown, dissect_unknown},
12207 /* 0x8b */ {dissect_unknown, dissect_unknown},
12208 /* 0x8c */ {dissect_unknown, dissect_unknown},
12209 /* 0x8d */ {dissect_unknown, dissect_unknown},
12210 /* 0x8e */ {dissect_unknown, dissect_unknown},
12211 /* 0x8f */ {dissect_unknown, dissect_unknown},
12213 /* 0x90 */ {dissect_unknown, dissect_unknown},
12214 /* 0x91 */ {dissect_unknown, dissect_unknown},
12215 /* 0x92 */ {dissect_unknown, dissect_unknown},
12216 /* 0x93 */ {dissect_unknown, dissect_unknown},
12217 /* 0x94 */ {dissect_unknown, dissect_unknown},
12218 /* 0x95 */ {dissect_unknown, dissect_unknown},
12219 /* 0x96 */ {dissect_unknown, dissect_unknown},
12220 /* 0x97 */ {dissect_unknown, dissect_unknown},
12221 /* 0x98 */ {dissect_unknown, dissect_unknown},
12222 /* 0x99 */ {dissect_unknown, dissect_unknown},
12223 /* 0x9a */ {dissect_unknown, dissect_unknown},
12224 /* 0x9b */ {dissect_unknown, dissect_unknown},
12225 /* 0x9c */ {dissect_unknown, dissect_unknown},
12226 /* 0x9d */ {dissect_unknown, dissect_unknown},
12227 /* 0x9e */ {dissect_unknown, dissect_unknown},
12228 /* 0x9f */ {dissect_unknown, dissect_unknown},
12229 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
12230 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
12231 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
12232 /* 0xa3 */ {dissect_unknown, dissect_unknown},
12233 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
12234 /* 0xa5 */ {dissect_unknown, dissect_unknown},
12235 /* 0xa6 */ {dissect_unknown, dissect_unknown},
12236 /* 0xa7 */ {dissect_unknown, dissect_unknown},
12237 /* 0xa8 */ {dissect_unknown, dissect_unknown},
12238 /* 0xa9 */ {dissect_unknown, dissect_unknown},
12239 /* 0xaa */ {dissect_unknown, dissect_unknown},
12240 /* 0xab */ {dissect_unknown, dissect_unknown},
12241 /* 0xac */ {dissect_unknown, dissect_unknown},
12242 /* 0xad */ {dissect_unknown, dissect_unknown},
12243 /* 0xae */ {dissect_unknown, dissect_unknown},
12244 /* 0xaf */ {dissect_unknown, dissect_unknown},
12246 /* 0xb0 */ {dissect_unknown, dissect_unknown},
12247 /* 0xb1 */ {dissect_unknown, dissect_unknown},
12248 /* 0xb2 */ {dissect_unknown, dissect_unknown},
12249 /* 0xb3 */ {dissect_unknown, dissect_unknown},
12250 /* 0xb4 */ {dissect_unknown, dissect_unknown},
12251 /* 0xb5 */ {dissect_unknown, dissect_unknown},
12252 /* 0xb6 */ {dissect_unknown, dissect_unknown},
12253 /* 0xb7 */ {dissect_unknown, dissect_unknown},
12254 /* 0xb8 */ {dissect_unknown, dissect_unknown},
12255 /* 0xb9 */ {dissect_unknown, dissect_unknown},
12256 /* 0xba */ {dissect_unknown, dissect_unknown},
12257 /* 0xbb */ {dissect_unknown, dissect_unknown},
12258 /* 0xbc */ {dissect_unknown, dissect_unknown},
12259 /* 0xbd */ {dissect_unknown, dissect_unknown},
12260 /* 0xbe */ {dissect_unknown, dissect_unknown},
12261 /* 0xbf */ {dissect_unknown, dissect_unknown},
12262 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
12263 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
12264 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
12265 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
12266 /* 0xc4 */ {dissect_unknown, dissect_unknown},
12267 /* 0xc5 */ {dissect_unknown, dissect_unknown},
12268 /* 0xc6 */ {dissect_unknown, dissect_unknown},
12269 /* 0xc7 */ {dissect_unknown, dissect_unknown},
12270 /* 0xc8 */ {dissect_unknown, dissect_unknown},
12271 /* 0xc9 */ {dissect_unknown, dissect_unknown},
12272 /* 0xca */ {dissect_unknown, dissect_unknown},
12273 /* 0xcb */ {dissect_unknown, dissect_unknown},
12274 /* 0xcc */ {dissect_unknown, dissect_unknown},
12275 /* 0xcd */ {dissect_unknown, dissect_unknown},
12276 /* 0xce */ {dissect_unknown, dissect_unknown},
12277 /* 0xcf */ {dissect_unknown, dissect_unknown},
12279 /* 0xd0 */ {dissect_unknown, dissect_unknown},
12280 /* 0xd1 */ {dissect_unknown, dissect_unknown},
12281 /* 0xd2 */ {dissect_unknown, dissect_unknown},
12282 /* 0xd3 */ {dissect_unknown, dissect_unknown},
12283 /* 0xd4 */ {dissect_unknown, dissect_unknown},
12284 /* 0xd5 */ {dissect_unknown, dissect_unknown},
12285 /* 0xd6 */ {dissect_unknown, dissect_unknown},
12286 /* 0xd7 */ {dissect_unknown, dissect_unknown},
12287 /* 0xd8 */ {dissect_unknown, dissect_unknown},
12288 /* 0xd9 */ {dissect_unknown, dissect_unknown},
12289 /* 0xda */ {dissect_unknown, dissect_unknown},
12290 /* 0xdb */ {dissect_unknown, dissect_unknown},
12291 /* 0xdc */ {dissect_unknown, dissect_unknown},
12292 /* 0xdd */ {dissect_unknown, dissect_unknown},
12293 /* 0xde */ {dissect_unknown, dissect_unknown},
12294 /* 0xdf */ {dissect_unknown, dissect_unknown},
12296 /* 0xe0 */ {dissect_unknown, dissect_unknown},
12297 /* 0xe1 */ {dissect_unknown, dissect_unknown},
12298 /* 0xe2 */ {dissect_unknown, dissect_unknown},
12299 /* 0xe3 */ {dissect_unknown, dissect_unknown},
12300 /* 0xe4 */ {dissect_unknown, dissect_unknown},
12301 /* 0xe5 */ {dissect_unknown, dissect_unknown},
12302 /* 0xe6 */ {dissect_unknown, dissect_unknown},
12303 /* 0xe7 */ {dissect_unknown, dissect_unknown},
12304 /* 0xe8 */ {dissect_unknown, dissect_unknown},
12305 /* 0xe9 */ {dissect_unknown, dissect_unknown},
12306 /* 0xea */ {dissect_unknown, dissect_unknown},
12307 /* 0xeb */ {dissect_unknown, dissect_unknown},
12308 /* 0xec */ {dissect_unknown, dissect_unknown},
12309 /* 0xed */ {dissect_unknown, dissect_unknown},
12310 /* 0xee */ {dissect_unknown, dissect_unknown},
12311 /* 0xef */ {dissect_unknown, dissect_unknown},
12313 /* 0xf0 */ {dissect_unknown, dissect_unknown},
12314 /* 0xf1 */ {dissect_unknown, dissect_unknown},
12315 /* 0xf2 */ {dissect_unknown, dissect_unknown},
12316 /* 0xf3 */ {dissect_unknown, dissect_unknown},
12317 /* 0xf4 */ {dissect_unknown, dissect_unknown},
12318 /* 0xf5 */ {dissect_unknown, dissect_unknown},
12319 /* 0xf6 */ {dissect_unknown, dissect_unknown},
12320 /* 0xf7 */ {dissect_unknown, dissect_unknown},
12321 /* 0xf8 */ {dissect_unknown, dissect_unknown},
12322 /* 0xf9 */ {dissect_unknown, dissect_unknown},
12323 /* 0xfa */ {dissect_unknown, dissect_unknown},
12324 /* 0xfb */ {dissect_unknown, dissect_unknown},
12325 /* 0xfc */ {dissect_unknown, dissect_unknown},
12326 /* 0xfd */ {dissect_unknown, dissect_unknown},
12327 /* 0xfe */ {dissect_unknown, dissect_unknown},
12328 /* 0xff */ {dissect_unknown, dissect_unknown},
12332 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree, int offset, proto_tree *smb_tree, guint8 cmd)
12334 int old_offset = offset;
12337 si = pinfo->private_data;
12339 proto_item *cmd_item;
12340 proto_tree *cmd_tree;
12341 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12343 if (check_col(pinfo->cinfo, COL_INFO)) {
12344 col_add_fstr(pinfo->cinfo, COL_INFO, "%s %s",
12345 decode_smb_name(cmd),
12346 (si->request)? "Request" : "Response");
12349 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
12351 decode_smb_name(cmd),
12352 (si->request)?"Request":"Response",
12355 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
12357 dissector = (si->request)?
12358 smb_dissector[cmd].request:smb_dissector[cmd].response;
12360 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
12361 proto_item_set_len(cmd_item, offset-old_offset);
12367 /* NOTE: this value_string array will also be used to access data directly by
12368 * index instead of val_to_str() since
12369 * 1, the array will always span every value from 0x00 to 0xff and
12370 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
12371 * This means that this value_string array MUST always
12372 * 1, contain all entries 0x00 to 0xff
12373 * 2, all entries must be in order.
12375 static const value_string smb_cmd_vals[] = {
12376 { 0x00, "Create Directory" },
12377 { 0x01, "Delete Directory" },
12379 { 0x03, "Create" },
12382 { 0x06, "Delete" },
12383 { 0x07, "Rename" },
12384 { 0x08, "Query Information" },
12385 { 0x09, "Set Information" },
12388 { 0x0C, "Lock Byte Range" },
12389 { 0x0D, "Unlock Byte Range" },
12390 { 0x0E, "Create Temp" },
12391 { 0x0F, "Create New" },
12392 { 0x10, "Check Directory" },
12393 { 0x11, "Process Exit" },
12395 { 0x13, "Lock And Read" },
12396 { 0x14, "Write And Unlock" },
12397 { 0x15, "unknown-0x15" },
12398 { 0x16, "unknown-0x16" },
12399 { 0x17, "unknown-0x17" },
12400 { 0x18, "unknown-0x18" },
12401 { 0x19, "unknown-0x19" },
12402 { 0x1A, "Read Raw" },
12403 { 0x1B, "Read MPX" },
12404 { 0x1C, "Read MPX Secondary" },
12405 { 0x1D, "Write Raw" },
12406 { 0x1E, "Write MPX" },
12407 { 0x1F, "SMBwriteBs" },
12408 { 0x20, "Write Complete" },
12409 { 0x21, "unknown-0x21" },
12410 { 0x22, "Set Information2" },
12411 { 0x23, "Query Information2" },
12412 { 0x24, "Locking AndX" },
12413 { 0x25, "Transaction" },
12414 { 0x26, "Transaction Secondary" },
12416 { 0x28, "IOCTL Secondary" },
12420 { 0x2C, "Write And Close" },
12421 { 0x2D, "Open AndX" },
12422 { 0x2E, "Read AndX" },
12423 { 0x2F, "Write AndX" },
12424 { 0x30, "unknown-0x30" },
12425 { 0x31, "Close And Tree Discover" },
12426 { 0x32, "Transaction2" },
12427 { 0x33, "Transaction2 Secondary" },
12428 { 0x34, "Find Close2" },
12429 { 0x35, "Find Notify Close" },
12430 { 0x36, "unknown-0x36" },
12431 { 0x37, "unknown-0x37" },
12432 { 0x38, "unknown-0x38" },
12433 { 0x39, "unknown-0x39" },
12434 { 0x3A, "unknown-0x3A" },
12435 { 0x3B, "unknown-0x3B" },
12436 { 0x3C, "unknown-0x3C" },
12437 { 0x3D, "unknown-0x3D" },
12438 { 0x3E, "unknown-0x3E" },
12439 { 0x3F, "unknown-0x3F" },
12440 { 0x40, "unknown-0x40" },
12441 { 0x41, "unknown-0x41" },
12442 { 0x42, "unknown-0x42" },
12443 { 0x43, "unknown-0x43" },
12444 { 0x44, "unknown-0x44" },
12445 { 0x45, "unknown-0x45" },
12446 { 0x46, "unknown-0x46" },
12447 { 0x47, "unknown-0x47" },
12448 { 0x48, "unknown-0x48" },
12449 { 0x49, "unknown-0x49" },
12450 { 0x4A, "unknown-0x4A" },
12451 { 0x4B, "unknown-0x4B" },
12452 { 0x4C, "unknown-0x4C" },
12453 { 0x4D, "unknown-0x4D" },
12454 { 0x4E, "unknown-0x4E" },
12455 { 0x4F, "unknown-0x4F" },
12456 { 0x50, "unknown-0x50" },
12457 { 0x51, "unknown-0x51" },
12458 { 0x52, "unknown-0x52" },
12459 { 0x53, "unknown-0x53" },
12460 { 0x54, "unknown-0x54" },
12461 { 0x55, "unknown-0x55" },
12462 { 0x56, "unknown-0x56" },
12463 { 0x57, "unknown-0x57" },
12464 { 0x58, "unknown-0x58" },
12465 { 0x59, "unknown-0x59" },
12466 { 0x5A, "unknown-0x5A" },
12467 { 0x5B, "unknown-0x5B" },
12468 { 0x5C, "unknown-0x5C" },
12469 { 0x5D, "unknown-0x5D" },
12470 { 0x5E, "unknown-0x5E" },
12471 { 0x5F, "unknown-0x5F" },
12472 { 0x60, "unknown-0x60" },
12473 { 0x61, "unknown-0x61" },
12474 { 0x62, "unknown-0x62" },
12475 { 0x63, "unknown-0x63" },
12476 { 0x64, "unknown-0x64" },
12477 { 0x65, "unknown-0x65" },
12478 { 0x66, "unknown-0x66" },
12479 { 0x67, "unknown-0x67" },
12480 { 0x68, "unknown-0x68" },
12481 { 0x69, "unknown-0x69" },
12482 { 0x6A, "unknown-0x6A" },
12483 { 0x6B, "unknown-0x6B" },
12484 { 0x6C, "unknown-0x6C" },
12485 { 0x6D, "unknown-0x6D" },
12486 { 0x6E, "unknown-0x6E" },
12487 { 0x6F, "unknown-0x6F" },
12488 { 0x70, "Tree Connect" },
12489 { 0x71, "Tree Disconnect" },
12490 { 0x72, "Negotiate Protocol" },
12491 { 0x73, "Session Setup AndX" },
12492 { 0x74, "Logoff AndX" },
12493 { 0x75, "Tree Connect AndX" },
12494 { 0x76, "unknown-0x76" },
12495 { 0x77, "unknown-0x77" },
12496 { 0x78, "unknown-0x78" },
12497 { 0x79, "unknown-0x79" },
12498 { 0x7A, "unknown-0x7A" },
12499 { 0x7B, "unknown-0x7B" },
12500 { 0x7C, "unknown-0x7C" },
12501 { 0x7D, "unknown-0x7D" },
12502 { 0x7E, "unknown-0x7E" },
12503 { 0x7F, "unknown-0x7F" },
12504 { 0x80, "Query Information Disk" },
12505 { 0x81, "Search" },
12507 { 0x83, "Find Unique" },
12508 { 0x84, "SMBfclose" },
12509 { 0x85, "unknown-0x85" },
12510 { 0x86, "unknown-0x86" },
12511 { 0x87, "unknown-0x87" },
12512 { 0x88, "unknown-0x88" },
12513 { 0x89, "unknown-0x89" },
12514 { 0x8A, "unknown-0x8A" },
12515 { 0x8B, "unknown-0x8B" },
12516 { 0x8C, "unknown-0x8C" },
12517 { 0x8D, "unknown-0x8D" },
12518 { 0x8E, "unknown-0x8E" },
12519 { 0x8F, "unknown-0x8F" },
12520 { 0x90, "unknown-0x90" },
12521 { 0x91, "unknown-0x91" },
12522 { 0x92, "unknown-0x92" },
12523 { 0x93, "unknown-0x93" },
12524 { 0x94, "unknown-0x94" },
12525 { 0x95, "unknown-0x95" },
12526 { 0x96, "unknown-0x96" },
12527 { 0x97, "unknown-0x97" },
12528 { 0x98, "unknown-0x98" },
12529 { 0x99, "unknown-0x99" },
12530 { 0x9A, "unknown-0x9A" },
12531 { 0x9B, "unknown-0x9B" },
12532 { 0x9C, "unknown-0x9C" },
12533 { 0x9D, "unknown-0x9D" },
12534 { 0x9E, "unknown-0x9E" },
12535 { 0x9F, "unknown-0x9F" },
12536 { 0xA0, "NT Transact" },
12537 { 0xA1, "NT Transact Secondary" },
12538 { 0xA2, "NT Create AndX" },
12539 { 0xA3, "unknown-0xA3" },
12540 { 0xA4, "NT Cancel" },
12541 { 0xA5, "unknown-0xA5" },
12542 { 0xA6, "unknown-0xA6" },
12543 { 0xA7, "unknown-0xA7" },
12544 { 0xA8, "unknown-0xA8" },
12545 { 0xA9, "unknown-0xA9" },
12546 { 0xAA, "unknown-0xAA" },
12547 { 0xAB, "unknown-0xAB" },
12548 { 0xAC, "unknown-0xAC" },
12549 { 0xAD, "unknown-0xAD" },
12550 { 0xAE, "unknown-0xAE" },
12551 { 0xAF, "unknown-0xAF" },
12552 { 0xB0, "unknown-0xB0" },
12553 { 0xB1, "unknown-0xB1" },
12554 { 0xB2, "unknown-0xB2" },
12555 { 0xB3, "unknown-0xB3" },
12556 { 0xB4, "unknown-0xB4" },
12557 { 0xB5, "unknown-0xB5" },
12558 { 0xB6, "unknown-0xB6" },
12559 { 0xB7, "unknown-0xB7" },
12560 { 0xB8, "unknown-0xB8" },
12561 { 0xB9, "unknown-0xB9" },
12562 { 0xBA, "unknown-0xBA" },
12563 { 0xBB, "unknown-0xBB" },
12564 { 0xBC, "unknown-0xBC" },
12565 { 0xBD, "unknown-0xBD" },
12566 { 0xBE, "unknown-0xBE" },
12567 { 0xBF, "unknown-0xBF" },
12568 { 0xC0, "Open Print File" },
12569 { 0xC1, "Write Print File" },
12570 { 0xC2, "Close Print File" },
12571 { 0xC3, "Get Print Queue" },
12572 { 0xC4, "unknown-0xC4" },
12573 { 0xC5, "unknown-0xC5" },
12574 { 0xC6, "unknown-0xC6" },
12575 { 0xC7, "unknown-0xC7" },
12576 { 0xC8, "unknown-0xC8" },
12577 { 0xC9, "unknown-0xC9" },
12578 { 0xCA, "unknown-0xCA" },
12579 { 0xCB, "unknown-0xCB" },
12580 { 0xCC, "unknown-0xCC" },
12581 { 0xCD, "unknown-0xCD" },
12582 { 0xCE, "unknown-0xCE" },
12583 { 0xCF, "unknown-0xCF" },
12584 { 0xD0, "SMBsends" },
12585 { 0xD1, "SMBsendb" },
12586 { 0xD2, "SMBfwdname" },
12587 { 0xD3, "SMBcancelf" },
12588 { 0xD4, "SMBgetmac" },
12589 { 0xD5, "SMBsendstrt" },
12590 { 0xD6, "SMBsendend" },
12591 { 0xD7, "SMBsendtxt" },
12592 { 0xD8, "SMBreadbulk" },
12593 { 0xD9, "SMBwritebulk" },
12594 { 0xDA, "SMBwritebulkdata" },
12595 { 0xDB, "unknown-0xDB" },
12596 { 0xDC, "unknown-0xDC" },
12597 { 0xDD, "unknown-0xDD" },
12598 { 0xDE, "unknown-0xDE" },
12599 { 0xDF, "unknown-0xDF" },
12600 { 0xE0, "unknown-0xE0" },
12601 { 0xE1, "unknown-0xE1" },
12602 { 0xE2, "unknown-0xE2" },
12603 { 0xE3, "unknown-0xE3" },
12604 { 0xE4, "unknown-0xE4" },
12605 { 0xE5, "unknown-0xE5" },
12606 { 0xE6, "unknown-0xE6" },
12607 { 0xE7, "unknown-0xE7" },
12608 { 0xE8, "unknown-0xE8" },
12609 { 0xE9, "unknown-0xE9" },
12610 { 0xEA, "unknown-0xEA" },
12611 { 0xEB, "unknown-0xEB" },
12612 { 0xEC, "unknown-0xEC" },
12613 { 0xED, "unknown-0xED" },
12614 { 0xEE, "unknown-0xEE" },
12615 { 0xEF, "unknown-0xEF" },
12616 { 0xF0, "unknown-0xF0" },
12617 { 0xF1, "unknown-0xF1" },
12618 { 0xF2, "unknown-0xF2" },
12619 { 0xF3, "unknown-0xF3" },
12620 { 0xF4, "unknown-0xF4" },
12621 { 0xF5, "unknown-0xF5" },
12622 { 0xF6, "unknown-0xF6" },
12623 { 0xF7, "unknown-0xF7" },
12624 { 0xF8, "unknown-0xF8" },
12625 { 0xF9, "unknown-0xF9" },
12626 { 0xFA, "unknown-0xFA" },
12627 { 0xFB, "unknown-0xFB" },
12628 { 0xFC, "unknown-0xFC" },
12629 { 0xFD, "unknown-0xFD" },
12630 { 0xFE, "SMBinvalid" },
12631 { 0xFF, "unknown-0xFF" },
12635 static char *decode_smb_name(unsigned char cmd)
12637 return(smb_cmd_vals[cmd].strptr);
12642 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12643 * Everything TVBUFFIFIED above this line
12644 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
12648 free_hash_tables(gpointer ctarg, gpointer user_data)
12650 conv_tables_t *ct = ctarg;
12653 g_hash_table_destroy(ct->unmatched);
12655 g_hash_table_destroy(ct->matched);
12656 if (ct->dcerpc_fid_to_frame)
12657 g_hash_table_destroy(ct->dcerpc_fid_to_frame);
12658 if (ct->tid_service)
12659 g_hash_table_destroy(ct->tid_service);
12663 smb_init_protocol(void)
12665 if (smb_saved_info_key_chunk)
12666 g_mem_chunk_destroy(smb_saved_info_key_chunk);
12667 if (smb_saved_info_chunk)
12668 g_mem_chunk_destroy(smb_saved_info_chunk);
12669 if (smb_nt_transact_info_chunk)
12670 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
12671 if (smb_transact2_info_chunk)
12672 g_mem_chunk_destroy(smb_transact2_info_chunk);
12673 if (smb_transact_info_chunk)
12674 g_mem_chunk_destroy(smb_transact_info_chunk);
12677 * Free the hash tables attached to the conversation table
12678 * structures, and then free the list of conversation table
12679 * data structures (which doesn't free the data structures
12680 * themselves; that's done by destroying the chunk from
12681 * which they were allocated).
12684 g_slist_foreach(conv_tables, free_hash_tables, NULL);
12685 g_slist_free(conv_tables);
12686 conv_tables = NULL;
12690 * Now destroy the chunk from which the conversation table
12691 * structures were allocated.
12693 if (conv_tables_chunk)
12694 g_mem_chunk_destroy(conv_tables_chunk);
12696 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
12697 sizeof(smb_saved_info_t),
12698 smb_saved_info_init_count * sizeof(smb_saved_info_t),
12700 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
12701 sizeof(smb_saved_info_key_t),
12702 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
12704 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
12705 sizeof(smb_nt_transact_info_t),
12706 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
12708 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
12709 sizeof(smb_transact2_info_t),
12710 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
12712 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
12713 sizeof(smb_transact_info_t),
12714 smb_transact_info_init_count * sizeof(smb_transact_info_t),
12716 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
12717 sizeof(conv_tables_t),
12718 conv_tables_count * sizeof(conv_tables_t),
12722 /* Max string length for displaying Unicode strings. */
12723 #define MAX_UNICODE_STR_LEN 256
12726 /* Turn a little-endian Unicode '\0'-terminated string into a string we
12728 XXX - for now, we just handle the ISO 8859-1 characters.
12729 If exactlen==TRUE then us_lenp contains the exact len of the string in
12730 bytes. It might not be null terminated !
12731 bc specifies the number of bytes in the byte parameters; Windows 2000,
12732 at least, appears, in some cases, to put only 1 byte of 0 at the end
12733 of a Unicode string if the byte count
12736 unicode_to_str(tvbuff_t *tvb, int offset, int *us_lenp, gboolean exactlen,
12739 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
12747 if (cur == &str[0][0]) {
12749 } else if (cur == &str[1][0]) {
12755 len = MAX_UNICODE_STR_LEN;
12761 /* XXX - explain this */
12763 us_len += 1; /* this is a one-byte null terminator */
12766 uchar = tvb_get_letohs(tvb, offset);
12768 us_len += 2; /* this is a two-byte null terminator */
12772 if ((uchar & 0xFF00) == 0)
12773 *p++ = uchar; /* ISO 8859-1 */
12775 *p++ = '?'; /* not 8859-1 */
12783 if(us_len>= *us_lenp){
12789 /* Note that we're not showing the full string. */
12800 /* nopad == TRUE : Do not add any padding before this string
12801 * exactlen == TRUE : len contains the exact len of the string in bytes.
12802 * bc: pointer to variable with amount of data left in the byte parameters
12805 static const gchar *
12806 get_unicode_or_ascii_string(tvbuff_t *tvb, int *offsetp,
12807 packet_info *pinfo, int *len, gboolean nopad, gboolean exactlen,
12810 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
12812 const gchar *string;
12815 unsigned int copylen;
12818 /* Not enough data in buffer */
12821 si = pinfo->private_data;
12823 if ((!nopad) && (*offsetp % 2)) {
12825 * XXX - this should be an offset relative to the beginning of the SMB,
12826 * not an offset relative to the beginning of the frame; if the stuff
12827 * before the SMB has an odd number of bytes, an offset relative to
12828 * the beginning of the frame will give the wrong answer.
12830 (*offsetp)++; /* Looks like a pad byte there sometimes */
12833 /* Not enough data in buffer */
12839 string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
12841 string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
12846 * The string we return must be null-terminated.
12848 if (cur == &str[0][0]) {
12850 } else if (cur == &str[1][0]) {
12856 if (copylen > MAX_UNICODE_STR_LEN)
12857 copylen = MAX_UNICODE_STR_LEN;
12858 tvb_memcpy(tvb, (guint8 *)cur, *offsetp, copylen);
12859 cur[copylen] = '\0';
12860 if (copylen > MAX_UNICODE_STR_LEN)
12861 strcat(cur, "...");
12865 string_len = tvb_strsize(tvb, *offsetp);
12866 string = tvb_get_ptr(tvb, *offsetp, string_len);
12875 static const value_string errcls_types[] = {
12876 { SMB_SUCCESS, "Success"},
12877 { SMB_ERRDOS, "DOS Error"},
12878 { SMB_ERRSRV, "Server Error"},
12879 { SMB_ERRHRD, "Hardware Error"},
12880 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
12884 const value_string DOS_errors[] = {
12886 {SMBE_insufficientbuffer, "Insufficient buffer"},
12887 {SMBE_badfunc, "Invalid function (or system call)"},
12888 {SMBE_badfile, "File not found (pathname error)"},
12889 {SMBE_badpath, "Directory not found"},
12890 {SMBE_nofids, "Too many open files"},
12891 {SMBE_noaccess, "Access denied"},
12892 {SMBE_badfid, "Invalid fid"},
12893 {SMBE_nomem, "Out of memory"},
12894 {SMBE_badmem, "Invalid memory block address"},
12895 {SMBE_badenv, "Invalid environment"},
12896 {SMBE_badaccess, "Invalid open mode"},
12897 {SMBE_baddata, "Invalid data (only from ioctl call)"},
12898 {SMBE_res, "Reserved error code?"},
12899 {SMBE_baddrive, "Invalid drive"},
12900 {SMBE_remcd, "Attempt to delete current directory"},
12901 {SMBE_diffdevice, "Rename/move across different filesystems"},
12902 {SMBE_nofiles, "No more files found in file search"},
12903 {SMBE_badshare, "Share mode on file conflict with open mode"},
12904 {SMBE_lock, "Lock request conflicts with existing lock"},
12905 {SMBE_unsup, "Request unsupported, returned by Win 95"},
12906 {SMBE_nosuchshare, "Requested share does not exist"},
12907 {SMBE_filexists, "File in operation already exists"},
12908 {SMBE_cannotopen, "Cannot open the file specified"},
12909 {SMBE_unknownlevel, "Unknown info level"},
12910 {SMBE_invalidname, "Invalid name"},
12911 {SMBE_badpipe, "Named pipe invalid"},
12912 {SMBE_pipebusy, "All instances of pipe are busy"},
12913 {SMBE_pipeclosing, "Named pipe close in progress"},
12914 {SMBE_notconnected, "No process on other end of named pipe"},
12915 {SMBE_moredata, "More data to be returned"},
12916 {SMBE_baddirectory, "Invalid directory name in a path."},
12917 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
12918 {SMBE_eas_nsup, "Extended attributes not supported"},
12919 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
12920 {SMBE_unknownipc, "Unknown IPC Operation"},
12921 {SMBE_noipc, "Don't support ipc"},
12922 {SMBE_alreadyexists, "File already exists"},
12923 {SMBE_unknownprinterdriver, "Unknown printer driver"},
12924 {SMBE_invalidprintername, "Invalid printer name"},
12925 {SMBE_printeralreadyexists, "Printer already exists"},
12926 {SMBE_invaliddatatype, "Invalid data type"},
12927 {SMBE_invalidenvironment, "Invalid environment"},
12928 {SMBE_printerdriverinuse, "Printer driver in use"},
12929 {SMBE_invalidparam, "Invalid parameter"},
12930 {SMBE_invalidformsize, "Invalid form size"},
12934 /* Error codes for the ERRSRV class */
12936 static const value_string SRV_errors[] = {
12937 {SMBE_error, "Non specific error code"},
12938 {SMBE_badpw, "Bad password"},
12939 {SMBE_badtype, "Reserved"},
12940 {SMBE_access, "No permissions to perform the requested operation"},
12941 {SMBE_invnid, "TID invalid"},
12942 {SMBE_invnetname, "Invalid network name. Service not found"},
12943 {SMBE_invdevice, "Invalid device"},
12944 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
12945 {SMBE_qfull, "Print queue full"},
12946 {SMBE_qtoobig, "Queued item too big"},
12947 {SMBE_qeof, "EOF on print queue dump"},
12948 {SMBE_invpfid, "Invalid print file in smb_fid"},
12949 {SMBE_smbcmd, "Unrecognised command"},
12950 {SMBE_srverror, "SMB server internal error"},
12951 {SMBE_filespecs, "Fid and pathname invalid combination"},
12952 {SMBE_badlink, "Bad link in request ???"},
12953 {SMBE_badpermits, "Access specified for a file is not valid"},
12954 {SMBE_badpid, "Bad process id in request"},
12955 {SMBE_setattrmode, "Attribute mode invalid"},
12956 {SMBE_paused, "Message server paused"},
12957 {SMBE_msgoff, "Not receiving messages"},
12958 {SMBE_noroom, "No room for message"},
12959 {SMBE_rmuns, "Too many remote usernames"},
12960 {SMBE_timeout, "Operation timed out"},
12961 {SMBE_noresource, "No resources currently available for request."},
12962 {SMBE_toomanyuids, "Too many userids"},
12963 {SMBE_baduid, "Bad userid"},
12964 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
12965 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
12966 {SMBE_contMPX, "Resume MPX mode"},
12967 {SMBE_badPW, "Bad Password???"},
12968 {SMBE_nosupport, "Operation not supported"},
12972 /* Error codes for the ERRHRD class */
12974 static const value_string HRD_errors[] = {
12975 {SMBE_nowrite, "Read only media"},
12976 {SMBE_badunit, "Unknown device"},
12977 {SMBE_notready, "Drive not ready"},
12978 {SMBE_badcmd, "Unknown command"},
12979 {SMBE_data, "Data (CRC) error"},
12980 {SMBE_badreq, "Bad request structure length"},
12981 {SMBE_seek, "Seek error???"},
12982 {SMBE_badmedia, "Bad media???"},
12983 {SMBE_badsector, "Bad sector???"},
12984 {SMBE_nopaper, "No paper in printer???"},
12985 {SMBE_write, "Write error???"},
12986 {SMBE_read, "Read error???"},
12987 {SMBE_general, "General error???"},
12988 {SMBE_badshare, "A open conflicts with an existing open"},
12989 {SMBE_lock, "Lock/unlock error"},
12990 {SMBE_wrongdisk, "Wrong disk???"},
12991 {SMBE_FCBunavail, "FCB unavailable???"},
12992 {SMBE_sharebufexc, "Share buffer excluded???"},
12993 {SMBE_diskfull, "Disk full???"},
12997 static char *decode_smb_error(guint8 errcls, guint16 errcode)
13004 return("No Error"); /* No error ??? */
13009 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
13014 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
13019 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
13024 return("Unknown error class!");
13031 /* These are the MS country codes from
13033 http://www.unicode.org/unicode/onlinedat/countries.html
13035 For countries that share the same number, I choose to use only the
13036 name of the largest country. Apologies for this. If this offends you,
13037 here is the table to change that.
13039 This also includes the code of 0 for "Default", which isn't in
13040 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
13041 header file. Presumably it means "don't override the setting
13042 on the user's machine".
13044 Future versions of Microsoft's "winnls.h" header file might include
13045 additional codes; the current version matches the Unicode Consortium's
13048 const value_string ms_country_codes[] = {
13054 { 27, "South Africa"},
13056 { 31, "Netherlands"},
13063 { 41, "Switzerland"},
13065 { 44, "United Kingdom"},
13073 { 54, "Argentina"},
13077 { 58, "Venezuela"},
13079 { 61, "Australia"},
13080 { 62, "Indonesia"},
13081 { 63, "Philippines"},
13082 { 64, "New Zealand"},
13083 { 65, "Singapore"},
13086 { 82, "South Korea"},
13098 {298, "Faroe Islands"},
13100 {352, "Luxembourg"},
13106 {370, "Lithuania"},
13115 {389, "Macedonia"},
13116 {420, "Czech Republic"},
13117 {421, "Slovak Republic"},
13119 {502, "Guatemala"},
13120 {503, "El Salvador"},
13122 {505, "Nicaragua"},
13123 {506, "Costa Rica"},
13129 {673, "Brunei Darussalam"},
13130 {852, "Hong Kong"},
13139 {966, "Saudi Arabia"},
13142 {971, "United Arab Emirates"},
13148 {994, "Azerbaijan"},
13150 {996, "Kyrgyzstan"},
13160 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
13162 const value_string NT_errors[] = {
13163 { 0x00000000, "STATUS_SUCCESS" },
13164 { 0x00000000, "STATUS_WAIT_0" },
13165 { 0x00000001, "STATUS_WAIT_1" },
13166 { 0x00000002, "STATUS_WAIT_2" },
13167 { 0x00000003, "STATUS_WAIT_3" },
13168 { 0x0000003F, "STATUS_WAIT_63" },
13169 { 0x00000080, "STATUS_ABANDONED" },
13170 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
13171 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
13172 { 0x000000C0, "STATUS_USER_APC" },
13173 { 0x00000100, "STATUS_KERNEL_APC" },
13174 { 0x00000101, "STATUS_ALERTED" },
13175 { 0x00000102, "STATUS_TIMEOUT" },
13176 { 0x00000103, "STATUS_PENDING" },
13177 { 0x00000104, "STATUS_REPARSE" },
13178 { 0x00000105, "STATUS_MORE_ENTRIES" },
13179 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
13180 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
13181 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
13182 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
13183 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
13184 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
13185 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
13186 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
13187 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
13188 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
13189 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
13190 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
13191 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
13192 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
13193 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
13194 { 0x00000116, "STATUS_CRASH_DUMP" },
13195 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
13196 { 0x00000118, "STATUS_REPARSE_OBJECT" },
13197 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
13198 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
13199 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
13200 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
13201 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
13202 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
13203 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
13204 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
13205 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
13206 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
13207 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
13208 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
13209 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
13210 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
13211 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
13212 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
13213 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
13214 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
13215 { 0x40000012, "STATUS_EVENT_DONE" },
13216 { 0x40000013, "STATUS_EVENT_PENDING" },
13217 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
13218 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
13219 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
13220 { 0x40000017, "STATUS_WAS_UNLOCKED" },
13221 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
13222 { 0x40000019, "STATUS_WAS_LOCKED" },
13223 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
13224 { 0x4000001B, "STATUS_ALREADY_WIN32" },
13225 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
13226 { 0x4000001D, "STATUS_WX86_CONTINUE" },
13227 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
13228 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
13229 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
13230 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
13231 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
13232 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
13233 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
13234 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
13235 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
13236 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
13237 { 0x80000003, "STATUS_BREAKPOINT" },
13238 { 0x80000004, "STATUS_SINGLE_STEP" },
13239 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
13240 { 0x80000006, "STATUS_NO_MORE_FILES" },
13241 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
13242 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
13243 { 0x8000000B, "STATUS_NO_INHERITANCE" },
13244 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
13245 { 0x8000000D, "STATUS_PARTIAL_COPY" },
13246 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
13247 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
13248 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
13249 { 0x80000011, "STATUS_DEVICE_BUSY" },
13250 { 0x80000012, "STATUS_NO_MORE_EAS" },
13251 { 0x80000013, "STATUS_INVALID_EA_NAME" },
13252 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
13253 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
13254 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
13255 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
13256 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
13257 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
13258 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
13259 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
13260 { 0x8000001D, "STATUS_BUS_RESET" },
13261 { 0x8000001E, "STATUS_END_OF_MEDIA" },
13262 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
13263 { 0x80000020, "STATUS_MEDIA_CHECK" },
13264 { 0x80000021, "STATUS_SETMARK_DETECTED" },
13265 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
13266 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
13267 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
13268 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
13269 { 0x80000026, "STATUS_LONGJUMP" },
13270 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
13271 { 0x80090301, "SEC_E_INVALID_HANDLE" },
13272 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
13273 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
13274 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
13275 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
13276 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
13277 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
13278 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
13279 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
13280 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
13281 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
13282 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
13283 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
13284 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
13285 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
13286 { 0xC0000008, "STATUS_INVALID_HANDLE" },
13287 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
13288 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
13289 { 0xC000000B, "STATUS_INVALID_CID" },
13290 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
13291 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
13292 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
13293 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
13294 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
13295 { 0xC0000011, "STATUS_END_OF_FILE" },
13296 { 0xC0000012, "STATUS_WRONG_VOLUME" },
13297 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
13298 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
13299 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
13300 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
13301 { 0xC0000017, "STATUS_NO_MEMORY" },
13302 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
13303 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
13304 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
13305 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
13306 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
13307 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
13308 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
13309 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
13310 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
13311 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
13312 { 0xC0000022, "STATUS_ACCESS_DENIED" },
13313 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
13314 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
13315 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
13316 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
13317 { 0xC0000027, "STATUS_UNWIND" },
13318 { 0xC0000028, "STATUS_BAD_STACK" },
13319 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
13320 { 0xC000002A, "STATUS_NOT_LOCKED" },
13321 { 0xC000002B, "STATUS_PARITY_ERROR" },
13322 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
13323 { 0xC000002D, "STATUS_NOT_COMMITTED" },
13324 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
13325 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
13326 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
13327 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
13328 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
13329 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
13330 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
13331 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
13332 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
13333 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
13334 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
13335 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
13336 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
13337 { 0xC000003C, "STATUS_DATA_OVERRUN" },
13338 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
13339 { 0xC000003E, "STATUS_DATA_ERROR" },
13340 { 0xC000003F, "STATUS_CRC_ERROR" },
13341 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
13342 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
13343 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
13344 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
13345 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
13346 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
13347 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
13348 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
13349 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
13350 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
13351 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
13352 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
13353 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
13354 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
13355 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
13356 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
13357 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
13358 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
13359 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
13360 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
13361 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
13362 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
13363 { 0xC0000056, "STATUS_DELETE_PENDING" },
13364 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
13365 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
13366 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
13367 { 0xC000005A, "STATUS_INVALID_OWNER" },
13368 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
13369 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
13370 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
13371 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
13372 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
13373 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
13374 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
13375 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
13376 { 0xC0000063, "STATUS_USER_EXISTS" },
13377 { 0xC0000064, "STATUS_NO_SUCH_USER" },
13378 { 0xC0000065, "STATUS_GROUP_EXISTS" },
13379 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
13380 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
13381 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
13382 { 0xC0000069, "STATUS_LAST_ADMIN" },
13383 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
13384 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
13385 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
13386 { 0xC000006D, "STATUS_LOGON_FAILURE" },
13387 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
13388 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
13389 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
13390 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
13391 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
13392 { 0xC0000073, "STATUS_NONE_MAPPED" },
13393 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
13394 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
13395 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
13396 { 0xC0000077, "STATUS_INVALID_ACL" },
13397 { 0xC0000078, "STATUS_INVALID_SID" },
13398 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
13399 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
13400 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
13401 { 0xC000007C, "STATUS_NO_TOKEN" },
13402 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
13403 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
13404 { 0xC000007F, "STATUS_DISK_FULL" },
13405 { 0xC0000080, "STATUS_SERVER_DISABLED" },
13406 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
13407 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
13408 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
13409 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
13410 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
13411 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
13412 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
13413 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
13414 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
13415 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
13416 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
13417 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
13418 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
13419 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
13420 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
13421 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
13422 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
13423 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
13424 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
13425 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
13426 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
13427 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
13428 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
13429 { 0xC0000098, "STATUS_FILE_INVALID" },
13430 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
13431 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
13432 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
13433 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
13434 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
13435 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
13436 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
13437 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
13438 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
13439 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
13440 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
13441 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
13442 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
13443 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
13444 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
13445 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
13446 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
13447 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
13448 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
13449 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
13450 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
13451 { 0xC00000AE, "STATUS_PIPE_BUSY" },
13452 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
13453 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
13454 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
13455 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
13456 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
13457 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
13458 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
13459 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
13460 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
13461 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
13462 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
13463 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
13464 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
13465 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
13466 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
13467 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
13468 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
13469 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
13470 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
13471 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
13472 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
13473 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
13474 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
13475 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
13476 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
13477 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
13478 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
13479 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
13480 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
13481 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
13482 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
13483 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
13484 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
13485 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
13486 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
13487 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
13488 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
13489 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
13490 { 0xC00000D5, "STATUS_FILE_RENAMED" },
13491 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
13492 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
13493 { 0xC00000D8, "STATUS_CANT_WAIT" },
13494 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
13495 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
13496 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
13497 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
13498 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
13499 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
13500 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
13501 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
13502 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
13503 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
13504 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
13505 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
13506 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
13507 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
13508 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
13509 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
13510 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
13511 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
13512 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
13513 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
13514 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
13515 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
13516 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
13517 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
13518 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
13519 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
13520 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
13521 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
13522 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
13523 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
13524 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
13525 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
13526 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
13527 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
13528 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
13529 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
13530 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
13531 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
13532 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
13533 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
13534 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
13535 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
13536 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
13537 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
13538 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
13539 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
13540 { 0xC0000107, "STATUS_FILES_OPEN" },
13541 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
13542 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
13543 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
13544 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
13545 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
13546 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
13547 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
13548 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
13549 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
13550 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
13551 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
13552 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
13553 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
13554 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
13555 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
13556 { 0xC0000117, "STATUS_NO_LDT" },
13557 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
13558 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
13559 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
13560 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
13561 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
13562 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
13563 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
13564 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
13565 { 0xC0000120, "STATUS_CANCELLED" },
13566 { 0xC0000121, "STATUS_CANNOT_DELETE" },
13567 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
13568 { 0xC0000123, "STATUS_FILE_DELETED" },
13569 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
13570 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
13571 { 0xC0000126, "STATUS_SPECIAL_USER" },
13572 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
13573 { 0xC0000128, "STATUS_FILE_CLOSED" },
13574 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
13575 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
13576 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
13577 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
13578 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
13579 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
13580 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
13581 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
13582 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
13583 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
13584 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
13585 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
13586 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
13587 { 0xC0000136, "STATUS_OPEN_FAILED" },
13588 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
13589 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
13590 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
13591 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
13592 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
13593 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
13594 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
13595 { 0xC000013E, "STATUS_LINK_FAILED" },
13596 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
13597 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
13598 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
13599 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
13600 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
13601 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
13602 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
13603 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
13604 { 0xC0000147, "STATUS_NO_PAGEFILE" },
13605 { 0xC0000148, "STATUS_INVALID_LEVEL" },
13606 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
13607 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
13608 { 0xC000014B, "STATUS_PIPE_BROKEN" },
13609 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
13610 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
13611 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
13612 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
13613 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
13614 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
13615 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
13616 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
13617 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
13618 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
13619 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
13620 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
13621 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
13622 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
13623 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
13624 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
13625 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
13626 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
13627 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
13628 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
13629 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
13630 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
13631 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
13632 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
13633 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
13634 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
13635 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
13636 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
13637 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
13638 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
13639 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
13640 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
13641 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
13642 { 0xC000016D, "STATUS_FT_ORPHANING" },
13643 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
13644 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
13645 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
13646 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
13647 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
13648 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
13649 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
13650 { 0xC0000178, "STATUS_NO_MEDIA" },
13651 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
13652 { 0xC000017B, "STATUS_INVALID_MEMBER" },
13653 { 0xC000017C, "STATUS_KEY_DELETED" },
13654 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
13655 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
13656 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
13657 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
13658 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
13659 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
13660 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
13661 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
13662 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
13663 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
13664 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
13665 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
13666 { 0xC0000189, "STATUS_TOO_LATE" },
13667 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
13668 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
13669 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
13670 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
13671 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
13672 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
13673 { 0xC0000190, "STATUS_TRUST_FAILURE" },
13674 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
13675 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
13676 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
13677 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
13678 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
13679 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
13680 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
13681 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
13682 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
13683 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
13684 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
13685 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
13686 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
13687 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
13688 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
13689 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
13690 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
13691 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
13692 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
13693 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
13694 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
13695 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
13696 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
13697 { 0xC000020D, "STATUS_CONNECTION_RESET" },
13698 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
13699 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
13700 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
13701 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
13702 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
13703 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
13704 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
13705 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
13706 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
13707 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
13708 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
13709 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
13710 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
13711 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
13712 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
13713 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
13714 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
13715 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
13716 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
13717 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
13718 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
13719 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
13720 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
13721 { 0xC0000225, "STATUS_NOT_FOUND" },
13722 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
13723 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
13724 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
13725 { 0xC0000229, "STATUS_FAIL_CHECK" },
13726 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
13727 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
13728 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
13729 { 0xC000022D, "STATUS_RETRY" },
13730 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
13731 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
13732 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
13733 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
13734 { 0xC0000232, "STATUS_INVALID_VARIANT" },
13735 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
13736 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
13737 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
13738 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
13739 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
13740 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
13741 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
13742 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
13743 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
13744 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
13745 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
13746 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
13747 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
13748 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
13749 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
13750 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
13751 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
13752 { 0xC0000244, "STATUS_AUDIT_FAILED" },
13753 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
13754 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
13755 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
13756 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
13757 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
13758 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
13759 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
13760 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
13761 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
13762 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
13763 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
13764 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
13765 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
13766 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
13767 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
13768 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
13769 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
13770 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
13771 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
13772 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
13773 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
13774 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
13775 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
13776 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
13777 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
13778 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
13779 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
13780 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
13781 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
13782 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
13783 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
13784 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
13785 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
13786 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
13787 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
13788 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
13789 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
13790 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
13791 { 0xC0000272, "STATUS_NO_MATCH" },
13792 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
13793 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
13794 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
13795 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
13796 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
13797 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
13798 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
13799 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
13800 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
13801 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
13802 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
13803 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
13804 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
13805 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
13806 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
13807 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
13808 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
13809 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
13810 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
13811 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
13812 { 0xC000028E, "STATUS_NO_EFS" },
13813 { 0xC000028F, "STATUS_WRONG_EFS" },
13814 { 0xC0000290, "STATUS_NO_USER_KEYS" },
13815 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
13816 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
13817 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
13818 { 0x40000294, "STATUS_WAKE_SYSTEM" },
13819 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
13820 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
13821 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
13822 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
13823 { 0xC0000299, "STATUS_SHARED_POLICY" },
13824 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
13825 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
13826 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
13827 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
13828 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
13829 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
13830 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
13831 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
13832 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
13833 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
13834 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
13835 { 0xC00002A5, "STATUS_DS_BUSY" },
13836 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
13837 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
13838 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
13839 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
13840 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
13841 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
13842 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
13843 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
13844 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
13845 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
13846 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
13847 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
13848 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
13849 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
13850 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
13851 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
13852 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
13853 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
13854 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
13855 { 0xC00002B9, "STATUS_NOINTERFACE" },
13856 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
13857 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
13858 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
13859 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
13860 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
13861 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
13862 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
13863 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
13864 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
13865 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
13866 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
13867 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
13868 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
13869 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
13870 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
13871 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
13872 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
13873 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
13874 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
13875 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
13876 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
13877 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
13878 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
13879 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
13880 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
13881 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
13882 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
13883 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
13884 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
13885 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
13886 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
13887 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
13888 { 0xC00002E1, "STATUS_DS_CANT_START" },
13889 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
13890 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
13891 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
13892 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
13893 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
13894 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
13895 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
13896 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
13897 { 0xC0009898, "STATUS_WOW_ASSERTION" },
13898 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
13899 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
13900 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
13901 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
13902 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
13903 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
13904 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
13905 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
13906 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
13907 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
13908 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
13909 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
13910 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
13911 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
13912 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
13913 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
13914 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
13915 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
13916 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
13917 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
13918 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
13919 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
13920 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
13921 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
13922 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
13923 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
13924 { 0xC002001B, "RPC_NT_CALL_FAILED" },
13925 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
13926 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
13927 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
13928 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
13929 { 0xC0020022, "RPC_NT_INVALID_TAG" },
13930 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
13931 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
13932 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
13933 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
13934 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
13935 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
13936 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
13937 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
13938 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
13939 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
13940 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
13941 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
13942 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
13943 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
13944 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
13945 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
13946 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
13947 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
13948 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
13949 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
13950 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
13951 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
13952 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
13953 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
13954 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
13955 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
13956 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
13957 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
13958 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
13959 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
13960 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
13961 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
13962 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
13963 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
13964 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
13965 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
13966 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
13967 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
13968 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
13969 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
13970 { 0xC002100A, "RPC_P_SEND_FAILED" },
13971 { 0xC002100B, "RPC_P_TIMEOUT" },
13972 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
13973 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
13974 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
13975 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
13976 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
13977 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
13978 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
13979 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
13980 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
13981 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
13982 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
13983 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
13984 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
13985 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
13986 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
13987 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
13988 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
13989 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
13990 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
13991 { 0xC002004C, "EPT_NT_CANT_CREATE" },
13992 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
13993 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
13994 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
13995 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
13996 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
13997 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
13998 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
13999 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
14000 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
14001 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
14002 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
14003 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
14004 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
14005 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
14006 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
14007 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
14008 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
14009 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
14015 static const true_false_string tfs_smb_flags_lock = {
14016 "Lock&Read, Write&Unlock are supported",
14017 "Lock&Read, Write&Unlock are not supported"
14019 static const true_false_string tfs_smb_flags_receive_buffer = {
14020 "Receive buffer has been posted",
14021 "Receive buffer has not been posted"
14023 static const true_false_string tfs_smb_flags_caseless = {
14024 "Path names are caseless",
14025 "Path names are case sensitive"
14027 static const true_false_string tfs_smb_flags_canon = {
14028 "Pathnames are canonicalized",
14029 "Pathnames are not canonicalized"
14031 static const true_false_string tfs_smb_flags_oplock = {
14032 "OpLock requested/granted",
14033 "OpLock not requested/granted"
14035 static const true_false_string tfs_smb_flags_notify = {
14036 "Notify client on all modifications",
14037 "Notify client only on open"
14039 static const true_false_string tfs_smb_flags_response = {
14040 "Message is a response to the client/redirector",
14041 "Message is a request to the server"
14045 dissect_smb_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
14048 proto_item *item = NULL;
14049 proto_tree *tree = NULL;
14051 mask = tvb_get_guint8(tvb, offset);
14054 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
14055 "Flags: 0x%02x", mask);
14056 tree = proto_item_add_subtree(item, ett_smb_flags);
14058 proto_tree_add_boolean(tree, hf_smb_flags_response,
14059 tvb, offset, 1, mask);
14060 proto_tree_add_boolean(tree, hf_smb_flags_notify,
14061 tvb, offset, 1, mask);
14062 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
14063 tvb, offset, 1, mask);
14064 proto_tree_add_boolean(tree, hf_smb_flags_canon,
14065 tvb, offset, 1, mask);
14066 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
14067 tvb, offset, 1, mask);
14068 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
14069 tvb, offset, 1, mask);
14070 proto_tree_add_boolean(tree, hf_smb_flags_lock,
14071 tvb, offset, 1, mask);
14078 static const true_false_string tfs_smb_flags2_long_names_allowed = {
14079 "Long file names are allowed in the response",
14080 "Long file names are not allowed in the response"
14082 static const true_false_string tfs_smb_flags2_ea = {
14083 "Extended attributes are supported",
14084 "Extended attributes are not supported"
14086 static const true_false_string tfs_smb_flags2_sec_sig = {
14087 "Security signatures are supported",
14088 "Security signatures are not supported"
14090 static const true_false_string tfs_smb_flags2_long_names_used = {
14091 "Path names in request are long file names",
14092 "Path names in request are not long file names"
14094 static const true_false_string tfs_smb_flags2_esn = {
14095 "Extended security negotiation is supported",
14096 "Extended security negotiation is not supported"
14098 static const true_false_string tfs_smb_flags2_dfs = {
14099 "Resolve pathnames with Dfs",
14100 "Don't resolve pathnames with Dfs"
14102 static const true_false_string tfs_smb_flags2_roe = {
14103 "Permit reads if execute-only",
14104 "Don't permit reads if execute-only"
14106 static const true_false_string tfs_smb_flags2_nt_error = {
14107 "Error codes are NT error codes",
14108 "Error codes are DOS error codes"
14110 static const true_false_string tfs_smb_flags2_string = {
14111 "Strings are Unicode",
14112 "Strings are ASCII"
14115 dissect_smb_flags2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
14118 proto_item *item = NULL;
14119 proto_tree *tree = NULL;
14121 mask = tvb_get_letohs(tvb, offset);
14124 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
14125 "Flags2: 0x%04x", mask);
14126 tree = proto_item_add_subtree(item, ett_smb_flags2);
14129 proto_tree_add_boolean(tree, hf_smb_flags2_string,
14130 tvb, offset, 2, mask);
14131 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
14132 tvb, offset, 2, mask);
14133 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
14134 tvb, offset, 2, mask);
14135 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
14136 tvb, offset, 2, mask);
14137 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
14138 tvb, offset, 2, mask);
14139 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
14140 tvb, offset, 2, mask);
14141 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
14142 tvb, offset, 2, mask);
14143 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
14144 tvb, offset, 2, mask);
14145 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
14146 tvb, offset, 2, mask);
14154 #define SMB_FLAGS_DIRN 0x80
14158 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
14161 proto_item *item = NULL, *hitem = NULL;
14162 proto_tree *tree = NULL, *htree = NULL;
14166 smb_saved_info_t *sip = NULL;
14167 smb_saved_info_key_t key;
14168 smb_saved_info_key_t *new_key;
14169 guint32 nt_status = 0;
14170 guint8 errclass = 0;
14171 guint16 errcode = 0;
14173 conversation_t *conversation;
14175 top_tree=parent_tree;
14177 /* must check that this really is a smb packet */
14178 if (!tvb_bytes_exist(tvb, 0, 4))
14181 if( (tvb_get_guint8(tvb, 0) != 0xff)
14182 || (tvb_get_guint8(tvb, 1) != 'S')
14183 || (tvb_get_guint8(tvb, 2) != 'M')
14184 || (tvb_get_guint8(tvb, 3) != 'B') ){
14188 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
14189 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
14191 if (check_col(pinfo->cinfo, COL_INFO)){
14192 col_clear(pinfo->cinfo, COL_INFO);
14195 /* start off using the local variable, we will allocate a new one if we
14197 si.cmd = tvb_get_guint8(tvb, offset+4);
14198 flags = tvb_get_guint8(tvb, offset+9);
14199 si.request = !(flags&SMB_FLAGS_DIRN);
14200 flags2 = tvb_get_letohs(tvb, offset+10);
14201 if(flags2 & 0x8000){
14202 si.unicode = TRUE; /* Mark them as Unicode */
14204 si.unicode = FALSE;
14206 si.tid = tvb_get_letohs(tvb, offset+24);
14207 si.pid = tvb_get_letohs(tvb, offset+26);
14208 si.uid = tvb_get_letohs(tvb, offset+28);
14209 si.mid = tvb_get_letohs(tvb, offset+30);
14210 pid_mid = (si.pid << 16) | si.mid;
14211 si.info_level = -1;
14212 si.info_count = -1;
14215 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
14217 tree = proto_item_add_subtree(item, ett_smb);
14219 hitem = proto_tree_add_text(tree, tvb, offset, 32,
14222 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
14225 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
14226 offset += 4; /* Skip the marker */
14228 /* find which conversation we are part of and get the tables for that
14230 conversation = find_conversation(&pinfo->src, &pinfo->dst,
14231 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14233 si.ct=conversation_get_proto_data(conversation, proto_smb);
14235 /* OK this is a new conversation, we must create it
14236 and attach appropriate data (matched and unmatched
14237 table for this conversation)
14239 conversation = conversation_new(&pinfo->src, &pinfo->dst,
14240 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14241 si.ct = g_mem_chunk_alloc(conv_tables_chunk);
14242 conv_tables = g_slist_prepend(conv_tables, si.ct);
14243 si.ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
14244 smb_saved_info_equal_matched);
14245 si.ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
14246 smb_saved_info_equal_unmatched);
14247 si.ct->dcerpc_fid_to_frame=g_hash_table_new(
14248 smb_saved_info_hash_unmatched,
14249 smb_saved_info_equal_unmatched);
14250 si.ct->tid_service=g_hash_table_new(
14251 smb_saved_info_hash_unmatched,
14252 smb_saved_info_equal_unmatched);
14253 conversation_add_proto_data(conversation, proto_smb, si.ct);
14261 /* this is a broadcast SMB packet, there will not be a reply.
14262 We dont need to do anything
14265 } else if( (si.cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
14266 ||(si.cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
14267 ||(si.cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
14268 ||(si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
14269 /* Ok, we got a special request type. This request is either
14270 an NT Cancel or a continuation relative to a real request
14271 in an earlier packet. In either case, we don't expect any
14272 responses to this packet. For continuations, any later
14273 responses we see really just belong to the original request.
14274 Anyway, we want to remember this packet somehow and
14275 remember which original request it is associated with so
14276 we can say nice things such as "This is a Cancellation to
14277 the request in frame x", but we don't want the
14278 request/response matching to get messed up.
14280 The only thing we do in this case is trying to find which original
14281 request we match with and insert an entry for this "special"
14282 request for later reference. We continue to reference the original
14283 requests smb_saved_info_t but we dont touch it or change anything
14287 si.unidir = TRUE; /*we dont expect an answer to this one*/
14289 if(!pinfo->fd->flags.visited){
14290 /* try to find which original call we match and if we
14291 find it add us to the matched table. Dont touch
14292 anything else since we dont want this one to mess
14293 up the request/response matching. We still consider
14294 the initial call the real request and this is only
14295 some sort of continuation.
14297 /* we only check the unmatched table and assume that the
14298 last seen MID matching ours is the right one.
14299 This can fail but is better than nothing
14301 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
14303 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14304 new_key->frame = pinfo->fd->num;
14305 new_key->pid_mid = pid_mid;
14306 g_hash_table_insert(si.ct->matched, new_key,
14310 /* we have seen this packet before; check the
14313 key.frame = pinfo->fd->num;
14314 key.pid_mid = pid_mid;
14315 sip=g_hash_table_lookup(si.ct->matched, &key);
14319 Too bad, unfortunately there is not really much we can
14320 do now since this means that we never saw the initial
14327 if(sip && sip->frame_req){
14329 case SMB_COM_NT_CANCEL:
14330 proto_tree_add_uint(htree, hf_smb_cancel_to,
14331 tvb, 0, 0, sip->frame_req);
14333 case SMB_COM_TRANSACTION_SECONDARY:
14334 case SMB_COM_TRANSACTION2_SECONDARY:
14335 case SMB_COM_NT_TRANSACT_SECONDARY:
14336 proto_tree_add_uint(htree, hf_smb_continuation_to,
14337 tvb, 0, 0, sip->frame_req);
14342 case SMB_COM_NT_CANCEL:
14343 proto_tree_add_text(htree, tvb, 0, 0,
14344 "Cancellation to: <unknown frame>");
14346 case SMB_COM_TRANSACTION_SECONDARY:
14347 case SMB_COM_TRANSACTION2_SECONDARY:
14348 case SMB_COM_NT_TRANSACT_SECONDARY:
14349 proto_tree_add_text(htree, tvb, 0, 0,
14350 "Continuation to: <unknown frame>");
14354 } else { /* normal bidirectional request or response */
14357 if(!pinfo->fd->flags.visited){
14358 /* first see if we find an unmatched smb "equal" to
14361 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
14363 gboolean cmd_match=FALSE;
14366 * Make sure the SMB we found was the
14367 * same command, or a different command
14368 * that's another valid type of reply
14371 if(si.cmd==sip->cmd){
14374 else if(si.cmd==SMB_COM_NT_CANCEL){
14377 else if((si.cmd==SMB_COM_TRANSACTION_SECONDARY)
14378 && (sip->cmd==SMB_COM_TRANSACTION)){
14381 else if((si.cmd==SMB_COM_TRANSACTION2_SECONDARY)
14382 && (sip->cmd==SMB_COM_TRANSACTION2)){
14385 else if((si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)
14386 && (sip->cmd==SMB_COM_NT_TRANSACT)){
14390 if( (si.request) || (!cmd_match) ) {
14391 /* If we are processing an SMB request but there was already
14392 another "identical" smb resuest we had not matched yet.
14393 This must mean that either we have a retransmission or that the
14394 response to the previous one was lost and the client has reused
14395 the MID for this conversation. In either case it's not much more
14396 we can do than forget the old request and concentrate on the
14397 present one instead.
14399 We also do this cleanup if we see that the cmd in the original
14400 request in sip->cmd is not compatible with the current cmd.
14401 This is to prevent matching errors such as if there were two
14402 SMBs of different cmds but with identical MID and PID values and
14403 if ethereal lost the first reply and the second request.
14405 g_hash_table_remove(si.ct->unmatched, (void *)pid_mid);
14406 sip=NULL; /* XXX should free it as well */
14408 /* we have found a response to some request we have seen earlier.
14409 What we do now depends on whether this is the first response
14410 to that request we see (id frame_res==0) or not.
14412 if(sip->frame_res==0){
14413 /* ok it is the first response we have seen to this packet */
14414 sip->frame_res = pinfo->fd->num;
14415 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14416 new_key->frame = sip->frame_req;
14417 new_key->pid_mid = pid_mid;
14418 g_hash_table_insert(si.ct->matched, new_key, sip);
14419 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14420 new_key->frame = sip->frame_res;
14421 new_key->pid_mid = pid_mid;
14422 g_hash_table_insert(si.ct->matched, new_key, sip);
14424 /* we have already seen another response to this one, but
14425 register it anyway so we see which request it matches
14427 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14428 new_key->frame = pinfo->fd->num;
14429 new_key->pid_mid = pid_mid;
14430 g_hash_table_insert(si.ct->matched, new_key, sip);
14435 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
14436 sip->frame_req = pinfo->fd->num;
14437 sip->frame_res = 0;
14439 if(g_hash_table_lookup(si.ct->tid_service, (void *)si.tid)
14440 == (void *)TID_IPC) {
14441 sip->flags |= SMB_SIF_TID_IS_IPC;
14444 sip->extra_info = NULL;
14445 g_hash_table_insert(si.ct->unmatched, (void *)pid_mid, sip);
14448 /* we have seen this packet before; check the
14450 If we haven't yet seen the reply, we won't
14451 find the info for it; we don't need it, as
14452 we only use it to save information, and, as
14453 we've seen this packet before, we've already
14454 saved the information.
14456 key.frame = pinfo->fd->num;
14457 key.pid_mid = pid_mid;
14458 sip=g_hash_table_lookup(si.ct->matched, &key);
14463 * Pass the "sip" on to subdissectors through "si".
14469 * Put in fields for the frame number of the frame to which
14470 * this is a response or the frame with the response to this
14471 * frame - if we know the frame number (i.e., it's not 0).
14474 if (sip->frame_res != 0)
14475 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
14477 if (sip->frame_req != 0)
14478 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
14483 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si.cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si.cmd), si.cmd);
14486 if(flags2 & 0x4000){
14487 /* handle NT 32 bit error code */
14489 nt_status = tvb_get_letohl(tvb, offset);
14491 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
14496 /* handle DOS error code & class */
14497 errclass = tvb_get_guint8(tvb, offset);
14498 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
14502 /* reserved byte */
14503 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
14507 /* XXX - the type of this field depends on the value of
14508 * "errcls", so there is isn't a single value_string array
14509 * fo it, so there can't be a single field for it.
14511 errcode = tvb_get_letohs(tvb, offset);
14512 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
14513 offset, 2, errcode, "Error Code: %s",
14514 decode_smb_error(errclass, errcode));
14519 offset = dissect_smb_flags(tvb, pinfo, htree, offset);
14522 offset = dissect_smb_flags2(tvb, pinfo, htree, offset);
14527 * http://www.samba.org/samba/ftp/specs/smbpub.txt
14529 * (a text version of "Microsoft Networks SMB FILE SHARING
14530 * PROTOCOL, Document Version 6.0p") says that:
14532 * the first 2 bytes of these 12 bytes are, for NT Create and X,
14533 * the "High Part of PID";
14535 * the next four bytes are reserved;
14537 * the next four bytes are, for SMB-over-IPX (with no
14538 * NetBIOS involved) two bytes of Session ID and two bytes
14539 * of SequenceNumber.
14541 * If we ever implement SMB-over-IPX (which I suspect goes over
14542 * IPX sockets 0x0550, 0x0552, and maybe 0x0554, as per the
14543 * document in question), we'd probably want to have some way
14544 * to determine whether this is SMB-over-IPX or not (which could
14545 * be done by adding a PT_IPXSOCKET port type, having the
14546 * IPX dissector set "pinfo->srcport" and "pinfo->destport",
14547 * and having the SMB dissector check for a port type of
14548 * PT_IPXSOCKET and for "pinfo->match_port" being either
14549 * IPX_SOCKET_NWLINK_SMB_SERVER or IPX_SOCKET_NWLINK_SMB_REDIR
14550 * or, if it also uses 0x0554, IPX_SOCKET_NWLINK_SMB_MESSENGER).
14553 /* 12 reserved bytes */
14554 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 12, TRUE);
14558 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si.tid);
14562 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si.pid);
14566 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si.uid);
14570 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si.mid);
14573 pinfo->private_data = &si;
14574 dissect_smb_command(tvb, pinfo, parent_tree, offset, tree, si.cmd);
14576 /* Append error info from this packet to info string. */
14577 if (!si.request && check_col(pinfo->cinfo, COL_INFO)) {
14578 if (flags2 & 0x4000) {
14580 * The status is an NT status code; was there
14583 if (nt_status != 0) {
14588 pinfo->cinfo, COL_INFO, ", Error: %s",
14589 val_to_str(nt_status, NT_errors,
14590 "Unknown (0x%08X)"));
14594 * The status is a DOS error class and code; was
14597 if (errclass != SMB_SUCCESS) {
14602 pinfo->cinfo, COL_INFO, ", Error: %s",
14603 decode_smb_error(errclass, errcode));
14612 proto_register_smb(void)
14614 static hf_register_info hf[] = {
14616 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
14617 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
14619 { &hf_smb_word_count,
14620 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
14621 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
14623 { &hf_smb_byte_count,
14624 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
14625 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
14627 { &hf_smb_response_to,
14628 { "Response to", "smb.response_to", FT_UINT32, BASE_DEC,
14629 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
14631 { &hf_smb_response_in,
14632 { "Response in", "smb.response_in", FT_UINT32, BASE_DEC,
14633 NULL, 0, "The response to this packet is in this packet", HFILL }},
14635 { &hf_smb_continuation_to,
14636 { "Continuation to", "smb.continuation_to", FT_UINT32, BASE_DEC,
14637 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
14639 { &hf_smb_nt_status,
14640 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
14641 VALS(NT_errors), 0, "NT Status code", HFILL }},
14643 { &hf_smb_error_class,
14644 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
14645 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
14647 { &hf_smb_error_code,
14648 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
14649 NULL, 0, "DOS Error Code", HFILL }},
14651 { &hf_smb_reserved,
14652 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
14653 NULL, 0, "Reserved bytes, must be zero", HFILL }},
14656 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
14657 NULL, 0, "Process ID", HFILL }},
14660 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
14661 NULL, 0, "Tree ID", HFILL }},
14664 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
14665 NULL, 0, "User ID", HFILL }},
14668 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
14669 NULL, 0, "Multiplex ID", HFILL }},
14671 { &hf_smb_flags_lock,
14672 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
14673 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
14675 { &hf_smb_flags_receive_buffer,
14676 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
14677 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
14679 { &hf_smb_flags_caseless,
14680 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
14681 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
14683 { &hf_smb_flags_canon,
14684 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
14685 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
14687 { &hf_smb_flags_oplock,
14688 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
14689 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
14691 { &hf_smb_flags_notify,
14692 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
14693 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
14695 { &hf_smb_flags_response,
14696 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
14697 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
14699 { &hf_smb_flags2_long_names_allowed,
14700 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
14701 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
14703 { &hf_smb_flags2_ea,
14704 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
14705 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
14707 { &hf_smb_flags2_sec_sig,
14708 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
14709 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
14711 { &hf_smb_flags2_long_names_used,
14712 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
14713 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
14715 { &hf_smb_flags2_esn,
14716 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
14717 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
14719 { &hf_smb_flags2_dfs,
14720 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
14721 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
14723 { &hf_smb_flags2_roe,
14724 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
14725 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
14727 { &hf_smb_flags2_nt_error,
14728 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
14729 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
14731 { &hf_smb_flags2_string,
14732 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
14733 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
14735 { &hf_smb_buffer_format,
14736 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
14737 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
14739 { &hf_smb_dialect_name,
14740 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
14741 NULL, 0, "Name of dialect", HFILL }},
14743 { &hf_smb_dialect_index,
14744 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
14745 NULL, 0, "Index of selected dialect", HFILL }},
14747 { &hf_smb_max_trans_buf_size,
14748 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
14749 NULL, 0, "Maximum transmit buffer size", HFILL }},
14751 { &hf_smb_max_mpx_count,
14752 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
14753 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
14755 { &hf_smb_max_vcs_num,
14756 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
14757 NULL, 0, "Maximum VCs between client and server", HFILL }},
14759 { &hf_smb_session_key,
14760 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
14761 NULL, 0, "Unique token identifying this session", HFILL }},
14763 { &hf_smb_server_timezone,
14764 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
14765 NULL, 0, "Current timezone at server.", HFILL }},
14767 { &hf_smb_encryption_key_length,
14768 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
14769 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
14771 { &hf_smb_encryption_key,
14772 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
14773 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
14775 { &hf_smb_primary_domain,
14776 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
14777 NULL, 0, "The server's primary domain", HFILL }},
14779 { &hf_smb_max_raw_buf_size,
14780 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
14781 NULL, 0, "Maximum raw buffer size", HFILL }},
14783 { &hf_smb_server_guid,
14784 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
14785 NULL, 0, "Globally unique identifier for this server", HFILL }},
14787 { &hf_smb_security_blob_len,
14788 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
14789 NULL, 0, "Security blob length", HFILL }},
14791 { &hf_smb_security_blob,
14792 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
14793 NULL, 0, "Security blob", HFILL }},
14795 { &hf_smb_sm_mode16,
14796 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
14797 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
14799 { &hf_smb_sm_password16,
14800 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
14801 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
14804 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
14805 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
14807 { &hf_smb_sm_password,
14808 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
14809 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
14811 { &hf_smb_sm_signatures,
14812 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
14813 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
14815 { &hf_smb_sm_sig_required,
14816 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
14817 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
14820 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
14821 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
14823 { &hf_smb_rm_write,
14824 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
14825 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
14827 { &hf_smb_server_date_time,
14828 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
14829 NULL, 0, "Current date and time at server", HFILL }},
14831 { &hf_smb_server_smb_date,
14832 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
14833 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
14835 { &hf_smb_server_smb_time,
14836 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
14837 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
14839 { &hf_smb_server_cap_raw_mode,
14840 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
14841 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
14843 { &hf_smb_server_cap_mpx_mode,
14844 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
14845 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
14847 { &hf_smb_server_cap_unicode,
14848 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
14849 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
14851 { &hf_smb_server_cap_large_files,
14852 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
14853 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
14855 { &hf_smb_server_cap_nt_smbs,
14856 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
14857 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
14859 { &hf_smb_server_cap_rpc_remote_apis,
14860 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
14861 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
14863 { &hf_smb_server_cap_nt_status,
14864 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
14865 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
14867 { &hf_smb_server_cap_level_ii_oplocks,
14868 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
14869 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
14871 { &hf_smb_server_cap_lock_and_read,
14872 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
14873 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
14875 { &hf_smb_server_cap_nt_find,
14876 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
14877 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
14879 { &hf_smb_server_cap_dfs,
14880 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
14881 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
14883 { &hf_smb_server_cap_infolevel_passthru,
14884 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
14885 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
14887 { &hf_smb_server_cap_large_readx,
14888 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
14889 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
14891 { &hf_smb_server_cap_large_writex,
14892 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
14893 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
14895 { &hf_smb_server_cap_unix,
14896 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
14897 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
14899 { &hf_smb_server_cap_reserved,
14900 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
14901 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
14903 { &hf_smb_server_cap_bulk_transfer,
14904 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
14905 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
14907 { &hf_smb_server_cap_compressed_data,
14908 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
14909 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
14911 { &hf_smb_server_cap_extended_security,
14912 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
14913 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
14915 { &hf_smb_system_time,
14916 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
14917 NULL, 0, "System Time", HFILL }},
14920 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
14921 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
14923 { &hf_smb_dir_name,
14924 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
14925 NULL, 0, "SMB Directory Name", HFILL }},
14927 { &hf_smb_echo_count,
14928 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
14929 NULL, 0, "Number of times to echo data back", HFILL }},
14931 { &hf_smb_echo_data,
14932 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
14933 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
14935 { &hf_smb_echo_seq_num,
14936 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
14937 NULL, 0, "Sequence number for this echo response", HFILL }},
14939 { &hf_smb_max_buf_size,
14940 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
14941 NULL, 0, "Max client buffer size", HFILL }},
14944 { "Path", "smb.path", FT_STRING, BASE_NONE,
14945 NULL, 0, "Path. Server name and share name", HFILL }},
14948 { "Service", "smb.service", FT_STRING, BASE_NONE,
14949 NULL, 0, "Service name", HFILL }},
14951 { &hf_smb_password,
14952 { "Password", "smb.password", FT_BYTES, BASE_NONE,
14953 NULL, 0, "Password", HFILL }},
14955 { &hf_smb_ansi_password,
14956 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
14957 NULL, 0, "ANSI Password", HFILL }},
14959 { &hf_smb_unicode_password,
14960 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
14961 NULL, 0, "Unicode Password", HFILL }},
14963 { &hf_smb_move_flags_file,
14964 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
14965 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
14967 { &hf_smb_move_flags_dir,
14968 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
14969 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
14971 { &hf_smb_move_flags_verify,
14972 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
14973 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
14975 { &hf_smb_move_files_moved,
14976 { "Files Moved", "smb.move.files_moved", FT_UINT16, BASE_DEC,
14977 NULL, 0, "Number of files moved", HFILL }},
14980 { "Count", "smb.count", FT_UINT32, BASE_DEC,
14981 NULL, 0, "Count number of items/bytes", HFILL }},
14983 { &hf_smb_file_name,
14984 { "File Name", "smb.file", FT_STRING, BASE_NONE,
14985 NULL, 0, "File Name", HFILL }},
14987 { &hf_smb_open_function_create,
14988 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
14989 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
14991 { &hf_smb_open_function_open,
14992 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
14993 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
14996 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
14997 NULL, 0, "FID: File ID", HFILL }},
14999 { &hf_smb_file_attr_read_only_16bit,
15000 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
15001 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15003 { &hf_smb_file_attr_read_only_8bit,
15004 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
15005 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15007 { &hf_smb_file_attr_hidden_16bit,
15008 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
15009 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15011 { &hf_smb_file_attr_hidden_8bit,
15012 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
15013 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15015 { &hf_smb_file_attr_system_16bit,
15016 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
15017 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15019 { &hf_smb_file_attr_system_8bit,
15020 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
15021 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15023 { &hf_smb_file_attr_volume_16bit,
15024 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
15025 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
15027 { &hf_smb_file_attr_volume_8bit,
15028 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
15029 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
15031 { &hf_smb_file_attr_directory_16bit,
15032 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
15033 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15035 { &hf_smb_file_attr_directory_8bit,
15036 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
15037 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15039 { &hf_smb_file_attr_archive_16bit,
15040 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
15041 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15043 { &hf_smb_file_attr_archive_8bit,
15044 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
15045 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15047 { &hf_smb_file_attr_device,
15048 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
15049 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
15051 { &hf_smb_file_attr_normal,
15052 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
15053 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
15055 { &hf_smb_file_attr_temporary,
15056 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
15057 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
15059 { &hf_smb_file_attr_sparse,
15060 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
15061 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
15063 { &hf_smb_file_attr_reparse,
15064 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
15065 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
15067 { &hf_smb_file_attr_compressed,
15068 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
15069 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
15071 { &hf_smb_file_attr_offline,
15072 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
15073 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
15075 { &hf_smb_file_attr_not_content_indexed,
15076 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
15077 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
15079 { &hf_smb_file_attr_encrypted,
15080 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
15081 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
15083 { &hf_smb_file_size,
15084 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
15085 NULL, 0, "File Size", HFILL }},
15087 { &hf_smb_search_attribute_read_only,
15088 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
15089 TFS(&tfs_search_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
15091 { &hf_smb_search_attribute_hidden,
15092 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
15093 TFS(&tfs_search_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
15095 { &hf_smb_search_attribute_system,
15096 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
15097 TFS(&tfs_search_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
15099 { &hf_smb_search_attribute_volume,
15100 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
15101 TFS(&tfs_search_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
15103 { &hf_smb_search_attribute_directory,
15104 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
15105 TFS(&tfs_search_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
15107 { &hf_smb_search_attribute_archive,
15108 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
15109 TFS(&tfs_search_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
15111 { &hf_smb_access_mode,
15112 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
15113 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
15115 { &hf_smb_access_sharing,
15116 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
15117 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
15119 { &hf_smb_access_locality,
15120 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
15121 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
15123 { &hf_smb_access_caching,
15124 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
15125 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
15127 { &hf_smb_access_writetru,
15128 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
15129 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
15131 { &hf_smb_create_time,
15132 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
15133 NULL, 0, "Creation Time", HFILL }},
15135 { &hf_smb_create_dos_date,
15136 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
15137 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
15139 { &hf_smb_create_dos_time,
15140 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
15141 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
15143 { &hf_smb_last_write_time,
15144 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
15145 NULL, 0, "Time this file was last written to", HFILL }},
15147 { &hf_smb_last_write_dos_date,
15148 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
15149 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
15151 { &hf_smb_last_write_dos_time,
15152 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
15153 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
15155 { &hf_smb_old_file_name,
15156 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
15157 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
15160 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
15161 NULL, 0, "Offset in file", HFILL }},
15163 { &hf_smb_remaining,
15164 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
15165 NULL, 0, "Remaining number of bytes", HFILL }},
15168 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
15169 NULL, 0, "Padding or unknown data", HFILL }},
15171 { &hf_smb_file_data,
15172 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
15173 NULL, 0, "Data read/written to the file", HFILL }},
15175 { &hf_smb_total_data_len,
15176 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
15177 NULL, 0, "Total length of data", HFILL }},
15179 { &hf_smb_data_len,
15180 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
15181 NULL, 0, "Length of data", HFILL }},
15183 { &hf_smb_seek_mode,
15184 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
15185 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
15187 { &hf_smb_access_time,
15188 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
15189 NULL, 0, "Last Access Time", HFILL }},
15191 { &hf_smb_access_dos_date,
15192 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
15193 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
15195 { &hf_smb_access_dos_time,
15196 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
15197 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
15199 { &hf_smb_data_size,
15200 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
15201 NULL, 0, "Data Size", HFILL }},
15203 { &hf_smb_alloc_size,
15204 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
15205 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
15207 { &hf_smb_max_count,
15208 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
15209 NULL, 0, "Maximum Count", HFILL }},
15211 { &hf_smb_min_count,
15212 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
15213 NULL, 0, "Minimum Count", HFILL }},
15216 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
15217 NULL, 0, "Timeout in miliseconds", HFILL }},
15219 { &hf_smb_high_offset,
15220 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
15221 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
15224 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
15225 NULL, 0, "Total number of units at server", HFILL }},
15228 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
15229 NULL, 0, "Blocks per unit at server", HFILL }},
15231 { &hf_smb_blocksize,
15232 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
15233 NULL, 0, "Block size (in bytes) at server", HFILL }},
15235 { &hf_smb_freeunits,
15236 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
15237 NULL, 0, "Number of free units at server", HFILL }},
15239 { &hf_smb_data_offset,
15240 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
15241 NULL, 0, "Data Offset", HFILL }},
15244 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
15245 NULL, 0, "Data Compaction Mode", HFILL }},
15247 { &hf_smb_request_mask,
15248 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
15249 NULL, 0, "Connectionless mode mask", HFILL }},
15251 { &hf_smb_response_mask,
15252 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
15253 NULL, 0, "Connectionless mode mask", HFILL }},
15256 { "SID", "smb.sid", FT_UINT16, BASE_HEX,
15257 NULL, 0, "SID: Search ID, handle for find operations", HFILL }},
15259 { &hf_smb_write_mode_write_through,
15260 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
15261 TFS(&tfs_write_mode_write_through), 0x0001, "Write through mode requested?", HFILL }},
15263 { &hf_smb_write_mode_return_remaining,
15264 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
15265 TFS(&tfs_write_mode_return_remaining), 0x0002, "Return remaining data responses?", HFILL }},
15267 { &hf_smb_write_mode_raw,
15268 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
15269 TFS(&tfs_write_mode_raw), 0x0004, "Use WriteRawNamedPipe?", HFILL }},
15271 { &hf_smb_write_mode_message_start,
15272 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
15273 TFS(&tfs_write_mode_message_start), 0x0008, "Is this the start of a message?", HFILL }},
15275 { &hf_smb_write_mode_connectionless,
15276 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
15277 TFS(&tfs_write_mode_connectionless), 0x0080, "Connectionless mode requested?", HFILL }},
15279 { &hf_smb_resume_key_len,
15280 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
15281 NULL, 0, "Resume Key length", HFILL }},
15283 { &hf_smb_resume_server_cookie,
15284 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
15285 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
15287 { &hf_smb_resume_client_cookie,
15288 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
15289 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
15291 { &hf_smb_andxoffset,
15292 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
15293 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
15295 { &hf_smb_lock_type_large,
15296 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
15297 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
15299 { &hf_smb_lock_type_cancel,
15300 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
15301 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
15303 { &hf_smb_lock_type_change,
15304 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
15305 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
15307 { &hf_smb_lock_type_oplock,
15308 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
15309 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
15311 { &hf_smb_lock_type_shared,
15312 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
15313 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
15315 { &hf_smb_locking_ol,
15316 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
15317 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
15319 { &hf_smb_number_of_locks,
15320 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
15321 NULL, 0, "Number of lock requests in this request", HFILL }},
15323 { &hf_smb_number_of_unlocks,
15324 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
15325 NULL, 0, "Number of unlock requests in this request", HFILL }},
15327 { &hf_smb_lock_long_length,
15328 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
15329 NULL, 0, "Length of lock/unlock region", HFILL }},
15331 { &hf_smb_lock_long_offset,
15332 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
15333 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
15335 { &hf_smb_file_type,
15336 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
15337 VALS(filetype_vals), 0, "Type of file", HFILL }},
15339 { &hf_smb_ipc_state_nonblocking,
15340 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
15341 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
15343 { &hf_smb_ipc_state_endpoint,
15344 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
15345 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
15347 { &hf_smb_ipc_state_pipe_type,
15348 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
15349 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
15351 { &hf_smb_ipc_state_read_mode,
15352 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
15353 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
15355 { &hf_smb_ipc_state_icount,
15356 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
15357 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
15359 { &hf_smb_server_fid,
15360 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
15361 NULL, 0, "Server unique File ID", HFILL }},
15363 { &hf_smb_open_flags_add_info,
15364 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
15365 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
15367 { &hf_smb_open_flags_ex_oplock,
15368 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
15369 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
15371 { &hf_smb_open_flags_batch_oplock,
15372 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
15373 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
15375 { &hf_smb_open_flags_ealen,
15376 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
15377 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
15379 { &hf_smb_open_action_open,
15380 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
15381 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
15383 { &hf_smb_open_action_lock,
15384 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
15385 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
15388 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
15389 NULL, 0, "VC Number", HFILL }},
15391 { &hf_smb_password_len,
15392 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
15393 NULL, 0, "Length of password", HFILL }},
15395 { &hf_smb_ansi_password_len,
15396 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
15397 NULL, 0, "Length of ANSI password", HFILL }},
15399 { &hf_smb_unicode_password_len,
15400 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
15401 NULL, 0, "Length of Unicode password", HFILL }},
15404 { "Account", "smb.account", FT_STRING, BASE_NONE,
15405 NULL, 0, "Account, username", HFILL }},
15408 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
15409 NULL, 0, "Which OS we are running", HFILL }},
15412 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
15413 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
15415 { &hf_smb_setup_action_guest,
15416 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
15417 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
15420 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
15421 NULL, 0, "Native File System", HFILL }},
15423 { &hf_smb_connect_flags_dtid,
15424 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
15425 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
15427 { &hf_smb_connect_support_search,
15428 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
15429 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
15431 { &hf_smb_connect_support_in_dfs,
15432 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
15433 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
15435 { &hf_smb_max_setup_count,
15436 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
15437 NULL, 0, "Maximum number of setup words to return", HFILL }},
15439 { &hf_smb_total_param_count,
15440 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
15441 NULL, 0, "Total number of parameter bytes", HFILL }},
15443 { &hf_smb_total_data_count,
15444 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
15445 NULL, 0, "Total number of data bytes", HFILL }},
15447 { &hf_smb_max_param_count,
15448 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
15449 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
15451 { &hf_smb_max_data_count,
15452 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
15453 NULL, 0, "Maximum number of data bytes to return", HFILL }},
15455 { &hf_smb_param_disp16,
15456 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
15457 NULL, 0, "Displacement of these parameter bytes", HFILL }},
15459 { &hf_smb_param_count16,
15460 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
15461 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
15463 { &hf_smb_param_offset16,
15464 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
15465 NULL, 0, "Offset (from header start) to parameters", HFILL }},
15467 { &hf_smb_param_disp32,
15468 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
15469 NULL, 0, "Displacement of these parameter bytes", HFILL }},
15471 { &hf_smb_param_count32,
15472 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
15473 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
15475 { &hf_smb_param_offset32,
15476 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
15477 NULL, 0, "Offset (from header start) to parameters", HFILL }},
15479 { &hf_smb_data_count16,
15480 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
15481 NULL, 0, "Number of data bytes in this buffer", HFILL }},
15483 { &hf_smb_data_disp16,
15484 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
15485 NULL, 0, "Data Displacement", HFILL }},
15487 { &hf_smb_data_offset16,
15488 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
15489 NULL, 0, "Data Offset", HFILL }},
15491 { &hf_smb_data_count32,
15492 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
15493 NULL, 0, "Number of data bytes in this buffer", HFILL }},
15495 { &hf_smb_data_disp32,
15496 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
15497 NULL, 0, "Data Displacement", HFILL }},
15499 { &hf_smb_data_offset32,
15500 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
15501 NULL, 0, "Data Offset", HFILL }},
15503 { &hf_smb_setup_count,
15504 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
15505 NULL, 0, "Number of setup words in this buffer", HFILL }},
15507 { &hf_smb_nt_trans_subcmd,
15508 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
15509 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
15511 { &hf_smb_nt_ioctl_function_code,
15512 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
15513 NULL, 0, "NT IOCTL function code", HFILL }},
15515 { &hf_smb_nt_ioctl_isfsctl,
15516 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
15517 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
15519 { &hf_smb_nt_ioctl_flags_root_handle,
15520 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
15521 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
15523 { &hf_smb_nt_ioctl_data,
15524 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
15525 NULL, 0, "Data for the IOCTL call", HFILL }},
15527 { &hf_smb_nt_notify_action,
15528 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
15529 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
15531 { &hf_smb_nt_notify_watch_tree,
15532 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
15533 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
15535 { &hf_smb_nt_notify_stream_write,
15536 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
15537 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
15539 { &hf_smb_nt_notify_stream_size,
15540 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
15541 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
15543 { &hf_smb_nt_notify_stream_name,
15544 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
15545 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
15547 { &hf_smb_nt_notify_security,
15548 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
15549 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
15551 { &hf_smb_nt_notify_ea,
15552 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
15553 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
15555 { &hf_smb_nt_notify_creation,
15556 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
15557 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
15559 { &hf_smb_nt_notify_last_access,
15560 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
15561 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
15563 { &hf_smb_nt_notify_last_write,
15564 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
15565 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
15567 { &hf_smb_nt_notify_size,
15568 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
15569 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
15571 { &hf_smb_nt_notify_attributes,
15572 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
15573 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
15575 { &hf_smb_nt_notify_dir_name,
15576 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
15577 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
15579 { &hf_smb_nt_notify_file_name,
15580 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
15581 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
15583 { &hf_smb_root_dir_fid,
15584 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
15585 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
15587 { &hf_smb_alloc_size64,
15588 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
15589 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
15591 { &hf_smb_nt_create_disposition,
15592 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
15593 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
15595 { &hf_smb_sd_length,
15596 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
15597 NULL, 0, "Total length of security descriptor", HFILL }},
15599 { &hf_smb_ea_length,
15600 { "EA Length", "smb.ea.length", FT_UINT32, BASE_DEC,
15601 NULL, 0, "Total EA length for opened file", HFILL }},
15603 { &hf_smb_file_name_len,
15604 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
15605 NULL, 0, "Length of File Name", HFILL }},
15607 { &hf_smb_nt_impersonation_level,
15608 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
15609 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
15611 { &hf_smb_nt_security_flags_context_tracking,
15612 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
15613 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
15615 { &hf_smb_nt_security_flags_effective_only,
15616 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
15617 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
15619 { &hf_smb_nt_access_mask_generic_read,
15620 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
15621 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
15623 { &hf_smb_nt_access_mask_generic_write,
15624 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
15625 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
15627 { &hf_smb_nt_access_mask_generic_execute,
15628 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
15629 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
15631 { &hf_smb_nt_access_mask_generic_all,
15632 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
15633 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
15635 { &hf_smb_nt_access_mask_maximum_allowed,
15636 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
15637 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
15639 { &hf_smb_nt_access_mask_system_security,
15640 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
15641 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
15643 { &hf_smb_nt_access_mask_synchronize,
15644 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
15645 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
15647 { &hf_smb_nt_access_mask_write_owner,
15648 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
15649 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
15651 { &hf_smb_nt_access_mask_write_dac,
15652 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
15653 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
15655 { &hf_smb_nt_access_mask_read_control,
15656 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
15657 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
15659 { &hf_smb_nt_access_mask_delete,
15660 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
15661 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
15663 { &hf_smb_nt_access_mask_write_attributes,
15664 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
15665 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
15667 { &hf_smb_nt_access_mask_read_attributes,
15668 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
15669 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
15671 { &hf_smb_nt_access_mask_delete_child,
15672 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
15673 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
15676 * "Execute" for files, "traverse" for directories.
15678 { &hf_smb_nt_access_mask_execute,
15679 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
15680 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
15682 { &hf_smb_nt_access_mask_write_ea,
15683 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
15684 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
15686 { &hf_smb_nt_access_mask_read_ea,
15687 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
15688 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
15691 * "Append data" for files, "add subdirectory" for directories,
15692 * "create pipe instance" for named pipes.
15694 { &hf_smb_nt_access_mask_append,
15695 { "Append", "smb.access.append", FT_BOOLEAN, 32,
15696 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
15699 * "Write data" for files and pipes, "add file" for directory.
15701 { &hf_smb_nt_access_mask_write,
15702 { "Write", "smb.access.write", FT_BOOLEAN, 32,
15703 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
15706 * "Read data" for files and pipes, "list directory" for directory.
15708 { &hf_smb_nt_access_mask_read,
15709 { "Read", "smb.access.read", FT_BOOLEAN, 32,
15710 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
15712 { &hf_smb_nt_create_bits_oplock,
15713 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
15714 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
15716 { &hf_smb_nt_create_bits_boplock,
15717 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
15718 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
15720 { &hf_smb_nt_create_bits_dir,
15721 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
15722 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
15724 { &hf_smb_nt_create_options_directory_file,
15725 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
15726 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
15728 { &hf_smb_nt_create_options_write_through,
15729 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
15730 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
15732 { &hf_smb_nt_create_options_sequential_only,
15733 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
15734 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
15736 { &hf_smb_nt_create_options_sync_io_alert,
15737 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
15738 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
15740 { &hf_smb_nt_create_options_sync_io_nonalert,
15741 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
15742 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
15744 { &hf_smb_nt_create_options_non_directory_file,
15745 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
15746 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
15748 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
15749 and "NtOpenFile()"; is that sent over the wire? Network
15750 Monitor thinks so, but its author may just have grabbed
15751 the flag bits from a system header file. */
15753 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
15754 and "NtOpenFile()"; is that sent over the wire? NetMon
15755 thinks so, but see previous comment. */
15757 { &hf_smb_nt_create_options_no_ea_knowledge,
15758 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
15759 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
15761 { &hf_smb_nt_create_options_eight_dot_three_only,
15762 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
15763 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
15765 { &hf_smb_nt_create_options_random_access,
15766 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
15767 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
15769 { &hf_smb_nt_create_options_delete_on_close,
15770 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
15771 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
15773 /* 0x00002000 is "open by FID", or something such as that (which
15774 I suspect is like "open by inumber" on UNIX), at least in
15775 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
15776 wire? NetMon thinks so, but see previous comment. */
15778 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
15779 and "NtOpenFile()"; is that sent over the wire? NetMon
15780 thinks so, but see previous comment. */
15782 { &hf_smb_nt_share_access_read,
15783 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
15784 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
15786 { &hf_smb_nt_share_access_write,
15787 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
15788 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
15790 { &hf_smb_nt_share_access_delete,
15791 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
15792 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
15794 { &hf_smb_file_eattr_read_only,
15795 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
15796 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15798 { &hf_smb_file_eattr_hidden,
15799 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
15800 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15802 { &hf_smb_file_eattr_system,
15803 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
15804 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15806 { &hf_smb_file_eattr_volume,
15807 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
15808 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
15810 { &hf_smb_file_eattr_directory,
15811 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
15812 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15814 { &hf_smb_file_eattr_archive,
15815 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
15816 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15818 { &hf_smb_file_eattr_device,
15819 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
15820 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
15822 { &hf_smb_file_eattr_normal,
15823 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
15824 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
15826 { &hf_smb_file_eattr_temporary,
15827 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
15828 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
15830 { &hf_smb_file_eattr_sparse,
15831 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
15832 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
15834 { &hf_smb_file_eattr_reparse,
15835 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
15836 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
15838 { &hf_smb_file_eattr_compressed,
15839 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
15840 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
15842 { &hf_smb_file_eattr_offline,
15843 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
15844 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
15846 { &hf_smb_file_eattr_not_content_indexed,
15847 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
15848 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
15850 { &hf_smb_file_eattr_encrypted,
15851 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
15852 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
15854 { &hf_smb_file_eattr_write_through,
15855 { "Write Through", "smb.file_attribute.write_through", FT_BOOLEAN, 32,
15856 TFS(&tfs_file_attribute_write_through), FILE_ATTRIBUTE_WRITE_THROUGH, "Does this object need write through?", HFILL }},
15858 { &hf_smb_file_eattr_no_buffering,
15859 { "No Buffering", "smb.file_attribute.no_buffering", FT_BOOLEAN, 32,
15860 TFS(&tfs_file_attribute_no_buffering), FILE_ATTRIBUTE_NO_BUFFERING, "May the server buffer this object?", HFILL }},
15862 { &hf_smb_file_eattr_random_access,
15863 { "Random Access", "smb.file_attribute.random_access", FT_BOOLEAN, 32,
15864 TFS(&tfs_file_attribute_random_access), FILE_ATTRIBUTE_RANDOM_ACCESS, "Optimize for random access", HFILL }},
15866 { &hf_smb_file_eattr_sequential_scan,
15867 { "Sequential Scan", "smb.file_attribute.sequential_scan", FT_BOOLEAN, 32,
15868 TFS(&tfs_file_attribute_sequential_scan), FILE_ATTRIBUTE_SEQUENTIAL_SCAN, "Optimize for sequential scan", HFILL }},
15870 { &hf_smb_file_eattr_delete_on_close,
15871 { "Delete on Close", "smb.file_attribute.delete_on_close", FT_BOOLEAN, 32,
15872 TFS(&tfs_file_attribute_delete_on_close), FILE_ATTRIBUTE_DELETE_ON_CLOSE, "Should this object be deleted on close?", HFILL }},
15874 { &hf_smb_file_eattr_backup_semantics,
15875 { "Backup", "smb.file_attribute.backup_semantics", FT_BOOLEAN, 32,
15876 TFS(&tfs_file_attribute_backup_semantics), FILE_ATTRIBUTE_BACKUP_SEMANTICS, "Does this object need/support backup semantics", HFILL }},
15878 { &hf_smb_file_eattr_posix_semantics,
15879 { "Posix", "smb.file_attribute.posix_semantics", FT_BOOLEAN, 32,
15880 TFS(&tfs_file_attribute_posix_semantics), FILE_ATTRIBUTE_POSIX_SEMANTICS, "Does this object need/support POSIX semantics?", HFILL }},
15882 { &hf_smb_sec_desc_len,
15883 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
15884 NULL, 0, "Security Descriptor Length", HFILL }},
15886 { &hf_smb_nt_qsd_owner,
15887 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
15888 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
15890 { &hf_smb_nt_qsd_group,
15891 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
15892 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
15894 { &hf_smb_nt_qsd_dacl,
15895 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
15896 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
15898 { &hf_smb_nt_qsd_sacl,
15899 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
15900 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
15902 { &hf_smb_extended_attributes,
15903 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
15904 NULL, 0, "Extended Attributes", HFILL }},
15906 { &hf_smb_oplock_level,
15907 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
15908 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
15910 { &hf_smb_create_action,
15911 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
15912 VALS(create_disposition_vals), 0, "Type of action taken", HFILL }},
15914 { &hf_smb_ea_error_offset,
15915 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
15916 NULL, 0, "Offset into EA list if EA error", HFILL }},
15918 { &hf_smb_end_of_file,
15919 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
15920 NULL, 0, "Offset to the first free byte in the file", HFILL }},
15922 { &hf_smb_device_type,
15923 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
15924 VALS(device_type_vals), 0, "Type of device", HFILL }},
15926 { &hf_smb_is_directory,
15927 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
15928 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
15930 { &hf_smb_next_entry_offset,
15931 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
15932 NULL, 0, "Offset to next entry", HFILL }},
15934 { &hf_smb_change_time,
15935 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
15936 NULL, 0, "Last Change Time", HFILL }},
15938 { &hf_smb_setup_len,
15939 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
15940 NULL, 0, "Length of prionter setup data", HFILL }},
15942 { &hf_smb_print_mode,
15943 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
15944 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
15946 { &hf_smb_print_identifier,
15947 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
15948 NULL, 0, "Identifier string for this print job", HFILL }},
15950 { &hf_smb_restart_index,
15951 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
15952 NULL, 0, "Index of entry after last returned", HFILL }},
15954 { &hf_smb_print_queue_date,
15955 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
15956 NULL, 0, "Date when this entry was queued", HFILL }},
15958 { &hf_smb_print_queue_dos_date,
15959 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
15960 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
15962 { &hf_smb_print_queue_dos_time,
15963 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
15964 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
15966 { &hf_smb_print_status,
15967 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
15968 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
15970 { &hf_smb_print_spool_file_number,
15971 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
15972 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
15974 { &hf_smb_print_spool_file_size,
15975 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
15976 NULL, 0, "Number of bytes in spool file", HFILL }},
15978 { &hf_smb_print_spool_file_name,
15979 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
15980 NULL, 0, "Name of client that submitted this job", HFILL }},
15982 { &hf_smb_start_index,
15983 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
15984 NULL, 0, "First queue entry to return", HFILL }},
15986 { &hf_smb_cancel_to,
15987 { "Cancel to", "smb.cancel_to", FT_UINT32, BASE_DEC,
15988 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
15990 { &hf_smb_trans2_subcmd,
15991 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
15992 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
15994 { &hf_smb_trans_name,
15995 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
15996 NULL, 0, "Name of transaction", HFILL }},
15998 { &hf_smb_transaction_flags_dtid,
15999 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
16000 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
16002 { &hf_smb_transaction_flags_owt,
16003 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
16004 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
16006 { &hf_smb_search_count,
16007 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
16008 NULL, 0, "Maximum number of search entries to return", HFILL }},
16010 { &hf_smb_search_pattern,
16011 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
16012 NULL, 0, "Search Pattern", HFILL }},
16014 { &hf_smb_ff2_backup,
16015 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
16016 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
16018 { &hf_smb_ff2_continue,
16019 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
16020 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
16022 { &hf_smb_ff2_resume,
16023 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
16024 TFS(&tfs_ff2_resume), 0x0004, "Return resume keys for each entry found", HFILL }},
16026 { &hf_smb_ff2_close_eos,
16027 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
16028 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
16030 { &hf_smb_ff2_close,
16031 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
16032 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
16034 { &hf_smb_ff2_information_level,
16035 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
16036 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
16039 { "Level of Interest", "smb.loi", FT_UINT16, BASE_DEC,
16040 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] commands", HFILL }},
16042 { &hf_smb_storage_type,
16043 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
16044 NULL, 0, "Type of storage", HFILL }},
16047 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
16048 NULL, 0, "Resume Key", HFILL }},
16050 { &hf_smb_max_referral_level,
16051 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
16052 NULL, 0, "Latest referral version number understood", HFILL }},
16054 { &hf_smb_qfsi_information_level,
16055 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_DEC,
16056 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
16059 { "EA Size", "smb.ea_size", FT_UINT32, BASE_DEC,
16060 NULL, 0, "Size of file's EA information", HFILL }},
16062 { &hf_smb_list_length,
16063 { "ListLength", "smb.list_len", FT_UINT32, BASE_DEC,
16064 NULL, 0, "Length of the remaining data", HFILL }},
16066 { &hf_smb_number_of_links,
16067 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
16068 NULL, 0, "Number of hard links to the file", HFILL }},
16070 { &hf_smb_delete_pending,
16071 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
16072 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
16074 { &hf_smb_index_number,
16075 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
16076 NULL, 0, "File system unique identifier", HFILL }},
16078 { &hf_smb_current_offset,
16079 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
16080 NULL, 0, "Current offset in the file", HFILL }},
16082 { &hf_smb_t2_alignment,
16083 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
16084 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
16086 { &hf_smb_t2_stream_name_length,
16087 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
16088 NULL, 0, "Length of stream name", HFILL }},
16090 { &hf_smb_t2_stream_size,
16091 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
16092 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16094 { &hf_smb_t2_stream_name,
16095 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
16096 NULL, 0, "Name of the stream", HFILL }},
16098 { &hf_smb_t2_compressed_file_size,
16099 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
16100 NULL, 0, "Size of the compressed file", HFILL }},
16102 { &hf_smb_t2_compressed_format,
16103 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
16104 NULL, 0, "Compression algorithm used", HFILL }},
16106 { &hf_smb_t2_compressed_unit_shift,
16107 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
16108 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16110 { &hf_smb_t2_compressed_chunk_shift,
16111 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
16112 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16114 { &hf_smb_t2_compressed_cluster_shift,
16115 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
16116 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16118 { &hf_smb_dfs_path_consumed,
16119 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
16120 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
16122 { &hf_smb_dfs_num_referrals,
16123 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
16124 NULL, 0, "Number of referrals in this pdu", HFILL }},
16126 { &hf_smb_get_dfs_server_hold_storage,
16127 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
16128 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
16130 { &hf_smb_get_dfs_fielding,
16131 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
16132 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
16134 { &hf_smb_dfs_referral_version,
16135 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
16136 NULL, 0, "Version of referral element", HFILL }},
16138 { &hf_smb_dfs_referral_size,
16139 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
16140 NULL, 0, "Size of referral element", HFILL }},
16142 { &hf_smb_dfs_referral_server_type,
16143 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
16144 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
16146 { &hf_smb_dfs_referral_flags_strip,
16147 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
16148 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
16150 { &hf_smb_dfs_referral_node_offset,
16151 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
16152 NULL, 0, "Offset of name of entity to visit next", HFILL }},
16154 { &hf_smb_dfs_referral_node,
16155 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
16156 NULL, 0, "Name of entity to visit next", HFILL }},
16158 { &hf_smb_dfs_referral_proximity,
16159 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
16160 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
16162 { &hf_smb_dfs_referral_ttl,
16163 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
16164 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
16166 { &hf_smb_dfs_referral_path_offset,
16167 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
16168 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
16170 { &hf_smb_dfs_referral_path,
16171 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
16172 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
16174 { &hf_smb_dfs_referral_alt_path_offset,
16175 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
16176 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
16178 { &hf_smb_dfs_referral_alt_path,
16179 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
16180 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
16182 { &hf_smb_end_of_search,
16183 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
16184 NULL, 0, "Was last entry returned?", HFILL }},
16186 { &hf_smb_last_name_offset,
16187 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
16188 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
16190 { &hf_smb_file_index,
16191 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
16192 NULL, 0, "File index", HFILL }},
16194 { &hf_smb_short_file_name,
16195 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
16196 NULL, 0, "Short (8.3) File Name", HFILL }},
16198 { &hf_smb_short_file_name_len,
16199 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
16200 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
16203 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
16204 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
16206 { &hf_smb_sector_unit,
16207 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
16208 NULL, 0, "Sectors per allocation unit", HFILL }},
16210 { &hf_smb_fs_units,
16211 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
16212 NULL, 0, "Total number of units on this filesystem", HFILL }},
16214 { &hf_smb_fs_sector,
16215 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
16216 NULL, 0, "Bytes per sector", HFILL }},
16218 { &hf_smb_avail_units,
16219 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
16220 NULL, 0, "Total number of available units on this filesystem", HFILL }},
16222 { &hf_smb_volume_serial_num,
16223 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
16224 NULL, 0, "Volume serial number", HFILL }},
16226 { &hf_smb_volume_label_len,
16227 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
16228 NULL, 0, "Length of volume label", HFILL }},
16230 { &hf_smb_volume_label,
16231 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
16232 NULL, 0, "Volume label", HFILL }},
16234 { &hf_smb_free_alloc_units64,
16235 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
16236 NULL, 0, "Number of free allocation units", HFILL }},
16238 { &hf_smb_soft_quota_limit,
16239 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
16240 NULL, 0, "Soft Quota treshold", HFILL }},
16242 { &hf_smb_hard_quota_limit,
16243 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
16244 NULL, 0, "Hard Quota limit", HFILL }},
16246 { &hf_smb_user_quota_used,
16247 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
16248 NULL, 0, "How much Quota is used by this user", HFILL }},
16250 { &hf_smb_max_name_len,
16251 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
16252 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
16254 { &hf_smb_fs_name_len,
16255 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
16256 NULL, 0, "Length of filesystem name in bytes", HFILL }},
16259 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
16260 NULL, 0, "Name of filesystem", HFILL }},
16262 { &hf_smb_device_char_removable,
16263 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
16264 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
16266 { &hf_smb_device_char_read_only,
16267 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
16268 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
16270 { &hf_smb_device_char_floppy,
16271 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
16272 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
16274 { &hf_smb_device_char_write_once,
16275 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
16276 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
16278 { &hf_smb_device_char_remote,
16279 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
16280 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
16282 { &hf_smb_device_char_mounted,
16283 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
16284 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
16286 { &hf_smb_device_char_virtual,
16287 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
16288 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
16290 { &hf_smb_fs_attr_css,
16291 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
16292 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
16294 { &hf_smb_fs_attr_cpn,
16295 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
16296 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
16298 { &hf_smb_fs_attr_pacls,
16299 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
16300 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
16302 { &hf_smb_fs_attr_fc,
16303 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
16304 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
16306 { &hf_smb_fs_attr_vq,
16307 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
16308 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
16310 { &hf_smb_fs_attr_dim,
16311 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
16312 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
16314 { &hf_smb_fs_attr_vic,
16315 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
16316 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
16318 { &hf_smb_sec_desc_revision,
16319 { "Revision", "smb.sec_desc.revision", FT_UINT16, BASE_DEC,
16320 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
16322 { &hf_smb_sid_revision,
16323 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
16324 NULL, 0, "Version of SID structure", HFILL }},
16326 { &hf_smb_sid_num_auth,
16327 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
16328 NULL, 0, "Number of authorities for this SID", HFILL }},
16330 { &hf_smb_acl_revision,
16331 { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
16332 NULL, 0, "Version of NT ACL structure", HFILL }},
16334 { &hf_smb_acl_size,
16335 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
16336 NULL, 0, "Size of NT ACL structure", HFILL }},
16338 { &hf_smb_acl_num_aces,
16339 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
16340 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
16342 { &hf_smb_user_quota_offset,
16343 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
16344 NULL, 0, "Relative offset to next user quota structure", HFILL }},
16346 { &hf_smb_ace_type,
16347 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
16348 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
16350 { &hf_smb_ace_size,
16351 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
16352 NULL, 0, "Size of this ACE", HFILL }},
16354 { &hf_smb_ace_flags_object_inherit,
16355 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
16356 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
16358 { &hf_smb_ace_flags_container_inherit,
16359 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
16360 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
16362 { &hf_smb_ace_flags_non_propagate_inherit,
16363 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
16364 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
16366 { &hf_smb_ace_flags_inherit_only,
16367 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
16368 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
16370 { &hf_smb_ace_flags_inherited_ace,
16371 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
16372 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
16374 { &hf_smb_ace_flags_successful_access,
16375 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
16376 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
16378 { &hf_smb_ace_flags_failed_access,
16379 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
16380 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
16382 { &hf_smb_sec_desc_type_owner_defaulted,
16383 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
16384 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
16386 { &hf_smb_sec_desc_type_group_defaulted,
16387 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
16388 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
16390 { &hf_smb_sec_desc_type_dacl_present,
16391 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
16392 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
16394 { &hf_smb_sec_desc_type_dacl_defaulted,
16395 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
16396 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
16398 { &hf_smb_sec_desc_type_sacl_present,
16399 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
16400 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
16402 { &hf_smb_sec_desc_type_sacl_defaulted,
16403 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
16404 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
16406 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
16407 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
16408 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
16410 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
16411 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
16412 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
16414 { &hf_smb_sec_desc_type_dacl_auto_inherited,
16415 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
16416 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
16418 { &hf_smb_sec_desc_type_sacl_auto_inherited,
16419 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
16420 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
16422 { &hf_smb_sec_desc_type_dacl_protected,
16423 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
16424 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
16426 { &hf_smb_sec_desc_type_sacl_protected,
16427 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
16428 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
16430 { &hf_smb_sec_desc_type_self_relative,
16431 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
16432 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
16434 { &hf_smb_quota_flags_deny_disk,
16435 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
16436 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
16438 { &hf_smb_quota_flags_log_limit,
16439 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
16440 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
16442 { &hf_smb_quota_flags_log_warning,
16443 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
16444 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
16446 { &hf_smb_quota_flags_enabled,
16447 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
16448 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
16451 static gint *ett[] = {
16455 &ett_smb_fileattributes,
16456 &ett_smb_capabilities,
16464 &ett_smb_desiredaccess,
16467 &ett_smb_openfunction,
16469 &ett_smb_openaction,
16470 &ett_smb_writemode,
16471 &ett_smb_lock_type,
16472 &ett_smb_ssetupandxaction,
16473 &ett_smb_optionsup,
16474 &ett_smb_time_date,
16475 &ett_smb_move_flags,
16476 &ett_smb_file_attributes,
16477 &ett_smb_search_resume_key,
16478 &ett_smb_search_dir_info,
16483 &ett_smb_open_flags,
16484 &ett_smb_ipc_state,
16485 &ett_smb_open_action,
16486 &ett_smb_setup_action,
16487 &ett_smb_connect_flags,
16488 &ett_smb_connect_support_bits,
16489 &ett_smb_nt_access_mask,
16490 &ett_smb_nt_create_bits,
16491 &ett_smb_nt_create_options,
16492 &ett_smb_nt_share_access,
16493 &ett_smb_nt_security_flags,
16494 &ett_smb_nt_trans_setup,
16495 &ett_smb_nt_trans_data,
16496 &ett_smb_nt_trans_param,
16497 &ett_smb_nt_notify_completion_filter,
16498 &ett_smb_nt_ioctl_flags,
16499 &ett_smb_security_information_mask,
16500 &ett_smb_print_queue_entry,
16501 &ett_smb_transaction_flags,
16502 &ett_smb_transaction_params,
16503 &ett_smb_find_first2_flags,
16504 &ett_smb_transaction_data,
16505 &ett_smb_stream_info,
16506 &ett_smb_dfs_referrals,
16507 &ett_smb_dfs_referral,
16508 &ett_smb_dfs_referral_flags,
16509 &ett_smb_get_dfs_flags,
16511 &ett_smb_device_characteristics,
16512 &ett_smb_fs_attributes,
16518 &ett_smb_ace_flags,
16519 &ett_smb_sec_desc_type,
16520 &ett_smb_quotaflags,
16522 module_t *smb_module;
16524 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
16526 proto_register_subtree_array(ett, array_length(ett));
16527 proto_register_field_array(proto_smb, hf, array_length(hf));
16528 register_init_routine(&smb_init_protocol);
16529 smb_module = prefs_register_protocol(proto_smb, NULL);
16530 prefs_register_bool_preference(smb_module, "trans_reassembly",
16531 "Reassemble SMB Transaction payload",
16532 "Whether the dissector should do reassembly the payload of SMB Transaction commands spanning multiple SMB PDUs",
16533 &smb_trans_reassembly);
16534 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
16535 "Reassemble DCERPC over SMB",
16536 "Whether the dissector should do reassembly of DCERPC over SMB commands",
16537 &smb_dcerpc_reassembly);
16538 register_init_routine(smb_trans_reassembly_init);
16539 register_init_routine(smb_dcerpc_reassembly_init);
16543 proto_reg_handoff_smb(void)
16545 heur_dissector_add("netbios", dissect_smb, proto_smb);