2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/conversation.h>
42 #include <epan/strutil.h>
43 #include <epan/prefs.h>
44 #include <epan/reassemble.h>
46 #include <epan/emem.h>
47 #include "packet-ipx.h"
48 #include "packet-idp.h"
50 #include "packet-windows-common.h"
51 #include "packet-smb-common.h"
52 #include "packet-smb-mailslot.h"
53 #include "packet-smb-pipe.h"
54 #include "packet-dcerpc.h"
55 #include "packet-ntlmssp.h"
58 * Various specifications and documents about SMB can be found in
60 * ftp://ftp.microsoft.com/developr/drg/CIFS/
62 * and a CIFS specification from the Storage Networking Industry Association
63 * can be found on a link from the page at
65 * http://www.snia.org/tech_activities/CIFS
67 * (it supersedes the document at
69 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
73 * There are also some Open Group publications documenting CIFS available
74 * for download; catalog entries for them are at:
76 * http://www.opengroup.org/products/publications/catalog/c209.htm
78 * http://www.opengroup.org/products/publications/catalog/c195.htm
80 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
83 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
85 * (or, presumably a similar path under the Samba mirrors). As the
86 * ".doc" indicates, it's a Word document. Some of the specs from the
87 * Microsoft FTP site can be found in the
89 * http://www.samba.org/samba/ftp/specs/
93 * Beware - these specs may have errors.
/*
 * Protocol handle and header-field handles for the fixed SMB header, its
 * flag bits and the word/byte counts. Every handle starts at -1 and is
 * passed to tree-building calls such as proto_tree_add_uint() (see the uses
 * of hf_smb_word_count and hf_smb_byte_count in the macros further down).
 * Presumably the real values are assigned when the fields are registered,
 * which is outside this part of the file.
 */
95 static int proto_smb = -1;
96 static int hf_smb_cmd = -1;
97 static int hf_smb_key = -1;
98 static int hf_smb_session_id = -1;
99 static int hf_smb_sequence_num = -1;
100 static int hf_smb_group_id = -1;
101 static int hf_smb_pid = -1;
102 static int hf_smb_tid = -1;
103 static int hf_smb_uid = -1;
104 static int hf_smb_mid = -1;
105 static int hf_smb_pid_high = -1;
106 static int hf_smb_sig = -1;
107 static int hf_smb_response_to = -1;
108 static int hf_smb_time = -1;
109 static int hf_smb_response_in = -1;
110 static int hf_smb_continuation_to = -1;
111 static int hf_smb_nt_status = -1;
112 static int hf_smb_error_class = -1;
113 static int hf_smb_error_code = -1;
114 static int hf_smb_reserved = -1;
115 static int hf_smb_flags_lock = -1;
116 static int hf_smb_flags_receive_buffer = -1;
117 static int hf_smb_flags_caseless = -1;
118 static int hf_smb_flags_canon = -1;
119 static int hf_smb_flags_oplock = -1;
120 static int hf_smb_flags_notify = -1;
121 static int hf_smb_flags_response = -1;
122 static int hf_smb_flags2_long_names_allowed = -1;
123 static int hf_smb_flags2_ea = -1;
124 static int hf_smb_flags2_sec_sig = -1;
125 static int hf_smb_flags2_long_names_used = -1;
126 static int hf_smb_flags2_esn = -1;
127 static int hf_smb_flags2_dfs = -1;
128 static int hf_smb_flags2_roe = -1;
129 static int hf_smb_flags2_nt_error = -1;
130 static int hf_smb_flags2_string = -1;
131 static int hf_smb_word_count = -1;
132 static int hf_smb_byte_count = -1;
/*
 * Field handles which, judging by their names, cover dialect negotiation,
 * server capabilities, session setup and tree connect. All start at -1.
 *
 * NOTE(review): several of these name authentication material (session key,
 * encryption key, security blob, ANSI/Unicode password fields). Presumably
 * the dissection routines show those bytes in the protocol tree, so capture
 * files and exported dissections containing them should be handled as
 * sensitive data - confirm against the routines that use these handles,
 * which are outside this view.
 */
133 static int hf_smb_buffer_format = -1;
134 static int hf_smb_dialect_name = -1;
135 static int hf_smb_dialect_index = -1;
136 static int hf_smb_max_trans_buf_size = -1;
137 static int hf_smb_max_mpx_count = -1;
138 static int hf_smb_max_vcs_num = -1;
139 static int hf_smb_session_key = -1;
140 static int hf_smb_server_timezone = -1;
141 static int hf_smb_encryption_key_length = -1;
142 static int hf_smb_encryption_key = -1;
143 static int hf_smb_primary_domain = -1;
144 static int hf_smb_server = -1;
145 static int hf_smb_max_raw_buf_size = -1;
146 static int hf_smb_server_guid = -1;
147 static int hf_smb_security_blob_len = -1;
148 static int hf_smb_security_blob = -1;
149 static int hf_smb_sm_mode16 = -1;
150 static int hf_smb_sm_password16 = -1;
151 static int hf_smb_sm_mode = -1;
152 static int hf_smb_sm_password = -1;
153 static int hf_smb_sm_signatures = -1;
154 static int hf_smb_sm_sig_required = -1;
155 static int hf_smb_rm_read = -1;
156 static int hf_smb_rm_write = -1;
157 static int hf_smb_server_date_time = -1;
158 static int hf_smb_server_smb_date = -1;
159 static int hf_smb_server_smb_time = -1;
160 static int hf_smb_server_cap_raw_mode = -1;
161 static int hf_smb_server_cap_mpx_mode = -1;
162 static int hf_smb_server_cap_unicode = -1;
163 static int hf_smb_server_cap_large_files = -1;
164 static int hf_smb_server_cap_nt_smbs = -1;
165 static int hf_smb_server_cap_rpc_remote_apis = -1;
166 static int hf_smb_server_cap_nt_status = -1;
167 static int hf_smb_server_cap_level_ii_oplocks = -1;
168 static int hf_smb_server_cap_lock_and_read = -1;
169 static int hf_smb_server_cap_nt_find = -1;
170 static int hf_smb_server_cap_dfs = -1;
171 static int hf_smb_server_cap_infolevel_passthru = -1;
172 static int hf_smb_server_cap_large_readx = -1;
173 static int hf_smb_server_cap_large_writex = -1;
174 static int hf_smb_server_cap_unix = -1;
175 static int hf_smb_server_cap_reserved = -1;
176 static int hf_smb_server_cap_bulk_transfer = -1;
177 static int hf_smb_server_cap_compressed_data = -1;
178 static int hf_smb_server_cap_extended_security = -1;
179 static int hf_smb_system_time = -1;
180 static int hf_smb_unknown = -1;
181 static int hf_smb_dir_name = -1;
182 static int hf_smb_echo_count = -1;
183 static int hf_smb_echo_data = -1;
184 static int hf_smb_echo_seq_num = -1;
185 static int hf_smb_max_buf_size = -1;
186 static int hf_smb_password = -1;
187 static int hf_smb_password_len = -1;
188 static int hf_smb_ansi_password = -1;
189 static int hf_smb_ansi_password_len = -1;
190 static int hf_smb_unicode_password = -1;
191 static int hf_smb_unicode_password_len = -1;
192 static int hf_smb_path = -1;
193 static int hf_smb_service = -1;
/*
 * Field handles which, judging by their names, cover file operations
 * (move/copy, open, attributes, timestamps, read/write, locking), IPC state,
 * session/tree-connect results, transaction counts and NT IOCTL. All start
 * at -1.
 *
 * NOTE(review): many of these name lengths, counts and offsets
 * (hf_smb_data_len, hf_smb_data_offset, hf_smb_andxoffset,
 * hf_smb_param_offset16/32, hf_smb_data_count16/32, ...). Presumably the
 * values shown through them are read straight from the packet and are
 * therefore untrusted; confirm that the routines using them bound each value
 * against the tvbuff before acting on it.
 */
194 static int hf_smb_move_flags_file = -1;
195 static int hf_smb_move_flags_dir = -1;
196 static int hf_smb_move_flags_verify = -1;
197 static int hf_smb_files_moved = -1;
198 static int hf_smb_copy_flags_file = -1;
199 static int hf_smb_copy_flags_dir = -1;
200 static int hf_smb_copy_flags_dest_mode = -1;
201 static int hf_smb_copy_flags_source_mode = -1;
202 static int hf_smb_copy_flags_verify = -1;
203 static int hf_smb_copy_flags_tree_copy = -1;
204 static int hf_smb_copy_flags_ea_action = -1;
205 static int hf_smb_count = -1;
206 static int hf_smb_count_low = -1;
207 static int hf_smb_count_high = -1;
208 static int hf_smb_file_name = -1;
209 static int hf_smb_open_function_open = -1;
210 static int hf_smb_open_function_create = -1;
211 static int hf_smb_fid = -1;
212 static int hf_smb_file_attr_read_only_16bit = -1;
213 static int hf_smb_file_attr_read_only_8bit = -1;
214 static int hf_smb_file_attr_hidden_16bit = -1;
215 static int hf_smb_file_attr_hidden_8bit = -1;
216 static int hf_smb_file_attr_system_16bit = -1;
217 static int hf_smb_file_attr_system_8bit = -1;
218 static int hf_smb_file_attr_volume_16bit = -1;
219 static int hf_smb_file_attr_volume_8bit = -1;
220 static int hf_smb_file_attr_directory_16bit = -1;
221 static int hf_smb_file_attr_directory_8bit = -1;
222 static int hf_smb_file_attr_archive_16bit = -1;
223 static int hf_smb_file_attr_archive_8bit = -1;
224 static int hf_smb_file_attr_device = -1;
225 static int hf_smb_file_attr_normal = -1;
226 static int hf_smb_file_attr_temporary = -1;
227 static int hf_smb_file_attr_sparse = -1;
228 static int hf_smb_file_attr_reparse = -1;
229 static int hf_smb_file_attr_compressed = -1;
230 static int hf_smb_file_attr_offline = -1;
231 static int hf_smb_file_attr_not_content_indexed = -1;
232 static int hf_smb_file_attr_encrypted = -1;
233 static int hf_smb_file_size = -1;
234 static int hf_smb_search_attribute_read_only = -1;
235 static int hf_smb_search_attribute_hidden = -1;
236 static int hf_smb_search_attribute_system = -1;
237 static int hf_smb_search_attribute_volume = -1;
238 static int hf_smb_search_attribute_directory = -1;
239 static int hf_smb_search_attribute_archive = -1;
240 static int hf_smb_access_mode = -1;
241 static int hf_smb_access_sharing = -1;
242 static int hf_smb_access_locality = -1;
243 static int hf_smb_access_caching = -1;
244 static int hf_smb_access_writetru = -1;
245 static int hf_smb_create_time = -1;
246 static int hf_smb_modify_time = -1;
247 static int hf_smb_backup_time = -1;
248 static int hf_smb_mac_alloc_block_count = -1;
249 static int hf_smb_mac_alloc_block_size = -1;
250 static int hf_smb_mac_free_block_count = -1;
251 static int hf_smb_mac_fndrinfo = -1;
252 static int hf_smb_mac_root_file_count = -1;
253 static int hf_smb_mac_root_dir_count = -1;
254 static int hf_smb_mac_file_count = -1;
255 static int hf_smb_mac_dir_count = -1;
256 static int hf_smb_mac_support_flags = -1;
257 static int hf_smb_mac_sup_access_ctrl = -1;
258 static int hf_smb_mac_sup_getset_comments = -1;
259 static int hf_smb_mac_sup_desktopdb_calls = -1;
260 static int hf_smb_mac_sup_unique_ids = -1;
261 static int hf_smb_mac_sup_streams = -1;
262 static int hf_smb_create_dos_date = -1;
263 static int hf_smb_create_dos_time = -1;
264 static int hf_smb_last_write_time = -1;
265 static int hf_smb_last_write_dos_date = -1;
266 static int hf_smb_last_write_dos_time = -1;
267 static int hf_smb_access_time = -1;
268 static int hf_smb_access_dos_date = -1;
269 static int hf_smb_access_dos_time = -1;
270 static int hf_smb_old_file_name = -1;
271 static int hf_smb_offset = -1;
272 static int hf_smb_remaining = -1;
273 static int hf_smb_padding = -1;
274 static int hf_smb_file_data = -1;
275 static int hf_smb_total_data_len = -1;
276 static int hf_smb_data_len = -1;
277 static int hf_smb_data_len_low = -1;
278 static int hf_smb_data_len_high = -1;
279 static int hf_smb_seek_mode = -1;
280 static int hf_smb_data_size = -1;
281 static int hf_smb_alloc_size = -1;
282 static int hf_smb_alloc_size64 = -1;
283 static int hf_smb_max_count = -1;
284 static int hf_smb_max_count_low = -1;
285 static int hf_smb_max_count_high = -1;
286 static int hf_smb_min_count = -1;
287 static int hf_smb_timeout = -1;
288 static int hf_smb_high_offset = -1;
289 static int hf_smb_units = -1;
290 static int hf_smb_bpu = -1;
291 static int hf_smb_blocksize = -1;
292 static int hf_smb_freeunits = -1;
293 static int hf_smb_data_offset = -1;
294 static int hf_smb_dcm = -1;
295 static int hf_smb_request_mask = -1;
296 static int hf_smb_response_mask = -1;
297 static int hf_smb_search_id = -1;
298 static int hf_smb_write_mode_write_through = -1;
299 static int hf_smb_write_mode_return_remaining = -1;
300 static int hf_smb_write_mode_raw = -1;
301 static int hf_smb_write_mode_message_start = -1;
302 static int hf_smb_write_mode_connectionless = -1;
303 static int hf_smb_resume_key_len = -1;
304 static int hf_smb_resume_find_id = -1;
305 static int hf_smb_resume_server_cookie = -1;
306 static int hf_smb_resume_client_cookie = -1;
307 static int hf_smb_andxoffset = -1;
308 static int hf_smb_lock_type_large = -1;
309 static int hf_smb_lock_type_cancel = -1;
310 static int hf_smb_lock_type_change = -1;
311 static int hf_smb_lock_type_oplock = -1;
312 static int hf_smb_lock_type_shared = -1;
313 static int hf_smb_locking_ol = -1;
314 static int hf_smb_number_of_locks = -1;
315 static int hf_smb_number_of_unlocks = -1;
316 static int hf_smb_lock_long_offset = -1;
317 static int hf_smb_lock_long_length = -1;
318 static int hf_smb_file_type = -1;
319 static int hf_smb_ipc_state_nonblocking = -1;
320 static int hf_smb_ipc_state_endpoint = -1;
321 static int hf_smb_ipc_state_pipe_type = -1;
322 static int hf_smb_ipc_state_read_mode = -1;
323 static int hf_smb_ipc_state_icount = -1;
324 static int hf_smb_server_fid = -1;
325 static int hf_smb_open_flags_add_info = -1;
326 static int hf_smb_open_flags_ex_oplock = -1;
327 static int hf_smb_open_flags_batch_oplock = -1;
328 static int hf_smb_open_flags_ealen = -1;
329 static int hf_smb_open_action_open = -1;
330 static int hf_smb_open_action_lock = -1;
331 static int hf_smb_vc_num = -1;
332 static int hf_smb_account = -1;
333 static int hf_smb_os = -1;
334 static int hf_smb_lanman = -1;
335 static int hf_smb_setup_action_guest = -1;
336 static int hf_smb_fs = -1;
337 static int hf_smb_connect_flags_dtid = -1;
338 static int hf_smb_connect_support_search = -1;
339 static int hf_smb_connect_support_in_dfs = -1;
340 static int hf_smb_max_setup_count = -1;
341 static int hf_smb_total_param_count = -1;
342 static int hf_smb_total_data_count = -1;
343 static int hf_smb_max_param_count = -1;
344 static int hf_smb_max_data_count = -1;
345 static int hf_smb_param_disp16 = -1;
346 static int hf_smb_param_count16 = -1;
347 static int hf_smb_param_offset16 = -1;
348 static int hf_smb_param_disp32 = -1;
349 static int hf_smb_param_count32 = -1;
350 static int hf_smb_param_offset32 = -1;
351 static int hf_smb_data_disp16 = -1;
352 static int hf_smb_data_count16 = -1;
353 static int hf_smb_data_offset16 = -1;
354 static int hf_smb_data_disp32 = -1;
355 static int hf_smb_data_count32 = -1;
356 static int hf_smb_data_offset32 = -1;
357 static int hf_smb_setup_count = -1;
358 static int hf_smb_nt_trans_subcmd = -1;
359 static int hf_smb_nt_ioctl_function_code = -1;
360 static int hf_smb_nt_ioctl_isfsctl = -1;
361 static int hf_smb_nt_ioctl_flags_root_handle = -1;
362 static int hf_smb_nt_ioctl_data = -1;
/*
 * Field handles which, judging by their names, cover NT notify, NT create
 * (access mask, create bits/options, share access), extended attributes,
 * security descriptors, printing, messaging and the TRANS2 sub-command and
 * information-level fields. All start at -1.
 */
363 #ifdef SMB_UNUSED_HANDLES
364 static int hf_smb_nt_security_information = -1;
/*
 * NOTE(review): the listing skips original line 365 here; presumably it is
 * the #endif that closes SMB_UNUSED_HANDLES - confirm against the full file.
 */
366 static int hf_smb_nt_notify_action = -1;
367 static int hf_smb_nt_notify_watch_tree = -1;
368 static int hf_smb_nt_notify_stream_write = -1;
369 static int hf_smb_nt_notify_stream_size = -1;
370 static int hf_smb_nt_notify_stream_name = -1;
371 static int hf_smb_nt_notify_security = -1;
372 static int hf_smb_nt_notify_ea = -1;
373 static int hf_smb_nt_notify_creation = -1;
374 static int hf_smb_nt_notify_last_access = -1;
375 static int hf_smb_nt_notify_last_write = -1;
376 static int hf_smb_nt_notify_size = -1;
377 static int hf_smb_nt_notify_attributes = -1;
378 static int hf_smb_nt_notify_dir_name = -1;
379 static int hf_smb_nt_notify_file_name = -1;
380 static int hf_smb_root_dir_fid = -1;
381 static int hf_smb_nt_create_disposition = -1;
382 static int hf_smb_sd_length = -1;
383 static int hf_smb_ea_list_length = -1;
384 static int hf_smb_ea_flags = -1;
385 static int hf_smb_ea_name_length = -1;
386 static int hf_smb_ea_data_length = -1;
387 static int hf_smb_ea_name = -1;
388 static int hf_smb_ea_data = -1;
389 static int hf_smb_file_name_len = -1;
390 static int hf_smb_nt_impersonation_level = -1;
391 static int hf_smb_nt_security_flags_context_tracking = -1;
392 static int hf_smb_nt_security_flags_effective_only = -1;
393 static int hf_smb_nt_access_mask_generic_read = -1;
394 static int hf_smb_nt_access_mask_generic_write = -1;
395 static int hf_smb_nt_access_mask_generic_execute = -1;
396 static int hf_smb_nt_access_mask_generic_all = -1;
397 static int hf_smb_nt_access_mask_maximum_allowed = -1;
398 static int hf_smb_nt_access_mask_system_security = -1;
399 static int hf_smb_nt_access_mask_synchronize = -1;
400 static int hf_smb_nt_access_mask_write_owner = -1;
401 static int hf_smb_nt_access_mask_write_dac = -1;
402 static int hf_smb_nt_access_mask_read_control = -1;
403 static int hf_smb_nt_access_mask_delete = -1;
404 static int hf_smb_nt_access_mask_write_attributes = -1;
405 static int hf_smb_nt_access_mask_read_attributes = -1;
406 static int hf_smb_nt_access_mask_delete_child = -1;
407 static int hf_smb_nt_access_mask_execute = -1;
408 static int hf_smb_nt_access_mask_write_ea = -1;
409 static int hf_smb_nt_access_mask_read_ea = -1;
410 static int hf_smb_nt_access_mask_append = -1;
411 static int hf_smb_nt_access_mask_write = -1;
412 static int hf_smb_nt_access_mask_read = -1;
413 static int hf_smb_nt_create_bits_oplock = -1;
414 static int hf_smb_nt_create_bits_boplock = -1;
415 static int hf_smb_nt_create_bits_dir = -1;
416 static int hf_smb_nt_create_bits_ext_resp = -1;
417 static int hf_smb_nt_create_options_directory_file = -1;
418 static int hf_smb_nt_create_options_write_through = -1;
419 static int hf_smb_nt_create_options_sequential_only = -1;
420 static int hf_smb_nt_create_options_sync_io_alert = -1;
421 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
422 static int hf_smb_nt_create_options_non_directory_file = -1;
423 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
424 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
425 static int hf_smb_nt_create_options_random_access = -1;
426 static int hf_smb_nt_create_options_delete_on_close = -1;
427 static int hf_smb_nt_share_access_read = -1;
428 static int hf_smb_nt_share_access_write = -1;
429 static int hf_smb_nt_share_access_delete = -1;
430 static int hf_smb_file_eattr_read_only = -1;
431 static int hf_smb_file_eattr_hidden = -1;
432 static int hf_smb_file_eattr_system = -1;
433 static int hf_smb_file_eattr_volume = -1;
434 static int hf_smb_file_eattr_directory = -1;
435 static int hf_smb_file_eattr_archive = -1;
436 static int hf_smb_file_eattr_device = -1;
437 static int hf_smb_file_eattr_normal = -1;
438 static int hf_smb_file_eattr_temporary = -1;
439 static int hf_smb_file_eattr_sparse = -1;
440 static int hf_smb_file_eattr_reparse = -1;
441 static int hf_smb_file_eattr_compressed = -1;
442 static int hf_smb_file_eattr_offline = -1;
443 static int hf_smb_file_eattr_not_content_indexed = -1;
444 static int hf_smb_file_eattr_encrypted = -1;
445 static int hf_smb_sec_desc_len = -1;
446 static int hf_smb_nt_qsd_owner = -1;
447 static int hf_smb_nt_qsd_group = -1;
448 static int hf_smb_nt_qsd_dacl = -1;
449 static int hf_smb_nt_qsd_sacl = -1;
450 static int hf_smb_extended_attributes = -1;
451 static int hf_smb_oplock_level = -1;
452 static int hf_smb_create_action = -1;
453 static int hf_smb_file_id = -1;
454 static int hf_smb_ea_error_offset = -1;
455 static int hf_smb_end_of_file = -1;
456 static int hf_smb_replace = -1;
457 static int hf_smb_root_dir_handle = -1;
458 static int hf_smb_target_name_len = -1;
459 static int hf_smb_target_name = -1;
460 static int hf_smb_device_type = -1;
461 static int hf_smb_is_directory = -1;
462 static int hf_smb_next_entry_offset = -1;
463 static int hf_smb_change_time = -1;
464 static int hf_smb_setup_len = -1;
465 static int hf_smb_print_mode = -1;
466 static int hf_smb_print_identifier = -1;
467 static int hf_smb_restart_index = -1;
468 static int hf_smb_print_queue_date = -1;
469 static int hf_smb_print_queue_dos_date = -1;
470 static int hf_smb_print_queue_dos_time = -1;
471 static int hf_smb_print_status = -1;
472 static int hf_smb_print_spool_file_number = -1;
473 static int hf_smb_print_spool_file_size = -1;
474 static int hf_smb_print_spool_file_name = -1;
475 static int hf_smb_start_index = -1;
476 static int hf_smb_originator_name = -1;
477 static int hf_smb_destination_name = -1;
478 static int hf_smb_message_len = -1;
479 static int hf_smb_message = -1;
480 static int hf_smb_mgid = -1;
481 static int hf_smb_forwarded_name = -1;
482 static int hf_smb_machine_name = -1;
483 static int hf_smb_cancel_to = -1;
484 static int hf_smb_trans2_subcmd = -1;
485 static int hf_smb_trans_name = -1;
486 static int hf_smb_transaction_flags_dtid = -1;
487 static int hf_smb_transaction_flags_owt = -1;
488 static int hf_smb_search_count = -1;
489 static int hf_smb_search_pattern = -1;
490 static int hf_smb_ff2_backup = -1;
491 static int hf_smb_ff2_continue = -1;
492 static int hf_smb_ff2_resume = -1;
493 static int hf_smb_ff2_close_eos = -1;
494 static int hf_smb_ff2_close = -1;
495 static int hf_smb_ff2_information_level = -1;
496 static int hf_smb_qpi_loi = -1;
497 static int hf_smb_spi_loi = -1;
/*
 * Field handles which, judging by their names, cover TRANS2 file and
 * file-system information, DFS referrals, quotas, reassembled segments and
 * the UNIX extensions. All start at -1. The hf_smb_segment* handles are the
 * ones whose addresses appear in smb_frag_items.
 *
 * NOTE(review): the listing skips original lines 498 and 501 around the two
 * hf_smb_sfi_* handles; presumably a conditional-compilation pair wraps
 * them - confirm against the full file.
 */
499 static int hf_smb_sfi_writetru = -1;
500 static int hf_smb_sfi_caching = -1;
502 static int hf_smb_storage_type = -1;
503 static int hf_smb_resume = -1;
504 static int hf_smb_max_referral_level = -1;
505 static int hf_smb_qfsi_information_level = -1;
506 static int hf_smb_number_of_links = -1;
507 static int hf_smb_delete_pending = -1;
508 static int hf_smb_index_number = -1;
509 static int hf_smb_current_offset = -1;
510 static int hf_smb_t2_alignment = -1;
511 static int hf_smb_t2_stream_name_length = -1;
512 static int hf_smb_t2_stream_size = -1;
513 static int hf_smb_t2_stream_name = -1;
514 static int hf_smb_t2_compressed_file_size = -1;
515 static int hf_smb_t2_compressed_format = -1;
516 static int hf_smb_t2_compressed_unit_shift = -1;
517 static int hf_smb_t2_compressed_chunk_shift = -1;
518 static int hf_smb_t2_compressed_cluster_shift = -1;
519 static int hf_smb_t2_marked_for_deletion = -1;
520 static int hf_smb_dfs_path_consumed = -1;
521 static int hf_smb_dfs_num_referrals = -1;
522 static int hf_smb_get_dfs_server_hold_storage = -1;
523 static int hf_smb_get_dfs_fielding = -1;
524 static int hf_smb_dfs_referral_version = -1;
525 static int hf_smb_dfs_referral_size = -1;
526 static int hf_smb_dfs_referral_server_type = -1;
527 static int hf_smb_dfs_referral_flags_strip = -1;
528 static int hf_smb_dfs_referral_node_offset = -1;
529 static int hf_smb_dfs_referral_node = -1;
530 static int hf_smb_dfs_referral_proximity = -1;
531 static int hf_smb_dfs_referral_ttl = -1;
532 static int hf_smb_dfs_referral_path_offset = -1;
533 static int hf_smb_dfs_referral_path = -1;
534 static int hf_smb_dfs_referral_alt_path_offset = -1;
535 static int hf_smb_dfs_referral_alt_path = -1;
536 static int hf_smb_end_of_search = -1;
537 static int hf_smb_last_name_offset = -1;
538 static int hf_smb_fn_information_level = -1;
539 static int hf_smb_monitor_handle = -1;
540 static int hf_smb_change_count = -1;
541 static int hf_smb_file_index = -1;
542 static int hf_smb_short_file_name = -1;
543 static int hf_smb_short_file_name_len = -1;
544 static int hf_smb_fs_id = -1;
545 static int hf_smb_fs_guid = -1;
546 static int hf_smb_sector_unit = -1;
547 static int hf_smb_fs_units = -1;
548 static int hf_smb_fs_sector = -1;
549 static int hf_smb_avail_units = -1;
550 static int hf_smb_volume_serial_num = -1;
551 static int hf_smb_volume_label_len = -1;
552 static int hf_smb_volume_label = -1;
553 static int hf_smb_free_alloc_units64 = -1;
554 static int hf_smb_caller_free_alloc_units64 = -1;
555 static int hf_smb_actual_free_alloc_units64 = -1;
556 static int hf_smb_max_name_len = -1;
557 static int hf_smb_fs_name_len = -1;
558 static int hf_smb_fs_name = -1;
559 static int hf_smb_device_char_removable = -1;
560 static int hf_smb_device_char_read_only = -1;
561 static int hf_smb_device_char_floppy = -1;
562 static int hf_smb_device_char_write_once = -1;
563 static int hf_smb_device_char_remote = -1;
564 static int hf_smb_device_char_mounted = -1;
565 static int hf_smb_device_char_virtual = -1;
566 static int hf_smb_fs_attr_css = -1;
567 static int hf_smb_fs_attr_cpn = -1;
568 static int hf_smb_fs_attr_uod = -1;
569 static int hf_smb_fs_attr_pacls = -1;
570 static int hf_smb_fs_attr_fc = -1;
571 static int hf_smb_fs_attr_vq = -1;
572 static int hf_smb_fs_attr_ssf = -1;
573 static int hf_smb_fs_attr_srp = -1;
574 static int hf_smb_fs_attr_srs = -1;
575 static int hf_smb_fs_attr_sla = -1;
576 static int hf_smb_fs_attr_vic = -1;
577 static int hf_smb_fs_attr_soids = -1;
578 static int hf_smb_fs_attr_se = -1;
579 static int hf_smb_fs_attr_ns = -1;
580 static int hf_smb_fs_attr_rov = -1;
581 static int hf_smb_quota_flags_enabled = -1;
582 static int hf_smb_quota_flags_deny_disk = -1;
583 static int hf_smb_quota_flags_log_limit = -1;
584 static int hf_smb_quota_flags_log_warning = -1;
585 static int hf_smb_soft_quota_limit = -1;
586 static int hf_smb_hard_quota_limit = -1;
587 static int hf_smb_user_quota_used = -1;
588 static int hf_smb_user_quota_offset = -1;
589 static int hf_smb_nt_rename_level = -1;
590 static int hf_smb_cluster_count = -1;
591 static int hf_smb_segments = -1;
592 static int hf_smb_segment = -1;
593 static int hf_smb_segment_overlap = -1;
594 static int hf_smb_segment_overlap_conflict = -1;
595 static int hf_smb_segment_multiple_tails = -1;
596 static int hf_smb_segment_too_long_fragment = -1;
597 static int hf_smb_segment_error = -1;
598 static int hf_smb_pipe_write_len = -1;
599 static int hf_smb_unix_major_version = -1;
600 static int hf_smb_unix_minor_version = -1;
601 static int hf_smb_unix_capability_fcntl = -1;
602 static int hf_smb_unix_capability_posix_acl = -1;
603 static int hf_smb_unix_file_size = -1;
604 static int hf_smb_unix_file_num_bytes = -1;
605 static int hf_smb_unix_file_last_status = -1;
606 static int hf_smb_unix_file_last_access = -1;
607 static int hf_smb_unix_file_last_change = -1;
608 static int hf_smb_unix_file_uid = -1;
609 static int hf_smb_unix_file_gid = -1;
610 static int hf_smb_unix_file_type = -1;
611 static int hf_smb_unix_file_dev_major = -1;
612 static int hf_smb_unix_file_dev_minor = -1;
613 static int hf_smb_unix_file_unique_id = -1;
614 static int hf_smb_unix_file_permissions = -1;
615 static int hf_smb_unix_file_nlinks = -1;
616 static int hf_smb_unix_file_link_dest = -1;
617 static int hf_smb_unix_find_file_nextoffset = -1;
618 static int hf_smb_unix_find_file_resumekey = -1;
619 static int hf_smb_network_unknown = -1;
620 static int hf_smb_disposition_delete_on_close = -1;
/*
 * Subtree handles for the SMB dissector, one per expandable section of the
 * protocol tree judging by the names. All start at -1; presumably they are
 * assigned when the subtree array is registered, outside this view.
 */
622 static gint ett_smb = -1;
623 static gint ett_smb_hdr = -1;
624 static gint ett_smb_command = -1;
625 static gint ett_smb_fileattributes = -1;
626 static gint ett_smb_capabilities = -1;
627 static gint ett_smb_aflags = -1;
628 static gint ett_smb_dialect = -1;
629 static gint ett_smb_dialects = -1;
630 static gint ett_smb_mode = -1;
631 static gint ett_smb_rawmode = -1;
632 static gint ett_smb_flags = -1;
633 static gint ett_smb_flags2 = -1;
634 static gint ett_smb_desiredaccess = -1;
635 static gint ett_smb_search = -1;
636 static gint ett_smb_file = -1;
637 static gint ett_smb_openfunction = -1;
638 static gint ett_smb_filetype = -1;
639 static gint ett_smb_openaction = -1;
640 static gint ett_smb_writemode = -1;
641 static gint ett_smb_lock_type = -1;
642 static gint ett_smb_ssetupandxaction = -1;
643 static gint ett_smb_optionsup = -1;
644 static gint ett_smb_time_date = -1;
645 static gint ett_smb_move_copy_flags = -1;
646 static gint ett_smb_file_attributes = -1;
647 static gint ett_smb_search_resume_key = -1;
648 static gint ett_smb_search_dir_info = -1;
649 static gint ett_smb_unlocks = -1;
650 static gint ett_smb_unlock = -1;
651 static gint ett_smb_locks = -1;
652 static gint ett_smb_lock = -1;
653 static gint ett_smb_open_flags = -1;
654 static gint ett_smb_ipc_state = -1;
655 static gint ett_smb_open_action = -1;
656 static gint ett_smb_setup_action = -1;
657 static gint ett_smb_connect_flags = -1;
658 static gint ett_smb_connect_support_bits = -1;
659 static gint ett_smb_nt_access_mask = -1;
660 static gint ett_smb_nt_create_bits = -1;
661 static gint ett_smb_nt_create_options = -1;
662 static gint ett_smb_nt_share_access = -1;
663 static gint ett_smb_nt_security_flags = -1;
664 static gint ett_smb_nt_trans_setup = -1;
665 static gint ett_smb_nt_trans_data = -1;
666 static gint ett_smb_nt_trans_param = -1;
667 static gint ett_smb_nt_notify_completion_filter = -1;
668 static gint ett_smb_nt_ioctl_flags = -1;
669 static gint ett_smb_security_information_mask = -1;
670 static gint ett_smb_print_queue_entry = -1;
671 static gint ett_smb_transaction_flags = -1;
672 static gint ett_smb_transaction_params = -1;
673 static gint ett_smb_find_first2_flags = -1;
674 static gint ett_smb_mac_support_flags = -1;
/*
 * NOTE(review): the listing skips original lines 675 and 677 around
 * ett_smb_ioflag; presumably a conditional-compilation pair wraps it -
 * confirm against the full file.
 */
676 static gint ett_smb_ioflag = -1;
678 static gint ett_smb_transaction_data = -1;
679 static gint ett_smb_stream_info = -1;
680 static gint ett_smb_dfs_referrals = -1;
681 static gint ett_smb_dfs_referral = -1;
682 static gint ett_smb_dfs_referral_flags = -1;
683 static gint ett_smb_get_dfs_flags = -1;
684 static gint ett_smb_ff2_data = -1;
685 static gint ett_smb_device_characteristics = -1;
686 static gint ett_smb_fs_attributes = -1;
687 static gint ett_smb_segments = -1;
688 static gint ett_smb_segment = -1;
689 static gint ett_smb_quotaflags = -1;
690 static gint ett_smb_secblob = -1;
691 static gint ett_smb_unicode_password = -1;
692 static gint ett_smb_ea = -1;
693 static gint ett_smb_unix_capabilities = -1;
/*
 * Tap identifier plus handles for the GSS-API and NTLMSSP dissectors. All
 * three start unset (-1 / NULL); presumably they are looked up during
 * registration or handoff, which is outside this view.
 */
695 static int smb_tap = -1;
697 static dissector_handle_t gssapi_handle = NULL;
698 static dissector_handle_t ntlmssp_handle = NULL;
/*
 * Table of handle addresses describing reassembled SMB segments; the visible
 * members are the overlap, overlap-conflict, multiple-tails,
 * too-long-fragment and error fields.
 * NOTE(review): original lines 701-705 and 711-715 are missing from this
 * listing, so the leading members and the end of the initialiser are not
 * shown here.
 */
700 static const fragment_items smb_frag_items = {
706 &hf_smb_segment_overlap,
707 &hf_smb_segment_overlap_conflict,
708 &hf_smb_segment_multiple_tails,
709 &hf_smb_segment_too_long_fragment,
710 &hf_smb_segment_error,
/*
 * Non-static, mutable global tree pointer, initially NULL.
 * NOTE(review): shared state like this is visible to other files and is not
 * re-entrant; presumably the main dissector sets it per packet - confirm
 * where it is written before relying on it.
 */
716 proto_tree *top_tree=NULL; /* ugly */
/* Forward declarations; the definitions are outside this view. */
718 static const char *decode_smb_name(guint8);
719 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
722 * Macros for use in the main dissector routines for an SMB.
/*
 * NOTE(review): the #define line for this macro (somewhere in original lines
 * 723-726) is missing from the listing. The visible body reads the one-byte
 * word count at offset, adds it to the tree under hf_smb_word_count, and
 * jumps to the bytecount label when it is zero.
 */
727 wc = tvb_get_guint8(tvb, offset); \
728 proto_tree_add_uint(tree, hf_smb_word_count, \
729 tvb, offset, 1, wc); \
731 if(wc==0) goto bytecount;
/*
 * NOTE(review): the #define line for this macro (somewhere in original lines
 * 732-734) is also missing. The visible body reads the two-byte
 * little-endian byte count at offset, adds it to the tree under
 * hf_smb_byte_count, and jumps to endofcommand when it is zero.
 */
735 bc = tvb_get_letohs(tvb, offset); \
736 proto_tree_add_uint(tree, hf_smb_byte_count, \
737 tvb, offset, 2, bc); \
739 if(bc==0) goto endofcommand;
/*
 * Jump to endofcommand when fewer than len bytes are left in the byte count.
 * bc is taken from the packet (tvb_get_letohs above), so it is untrusted and
 * this is the guard that keeps byte-parameter reads inside the declared
 * length.
 * NOTE(review): the macro expands to a bare `if` with an unparenthesised
 * argument, so it is only safe as a stand-alone statement (not as the body
 * of an unbraced if/else) and with a simple expression for len.
 */
741 #define CHECK_BYTE_COUNT(len) \
742 if (bc < len) goto endofcommand;
/*
 * COUNT_BYTES: only the opening line is visible (original lines 745-753 are
 * missing). The lines that follow in this listing presumably belong to a
 * different macro whose #define line is also missing: they compare bc, cast
 * to gint, with the bytes remaining in the tvbuff, call
 * tvb_ensure_bytes_exist() for bc bytes, and label what is left
 * "Extra byte parameters".
 * NOTE(review): what happens when bc exceeds the remaining length (original
 * lines 756-758) is not shown - confirm that bc is clamped there.
 */
744 #define COUNT_BYTES(len) {\
754 bc_remaining=tvb_length_remaining(tvb, offset); \
755 if( ((gint)bc) > bc_remaining){ \
759 tvb_ensure_bytes_exist(tvb, offset, bc); \
760 proto_tree_add_text(tree, tvb, offset, bc, \
761 "Extra byte parameters"); \
768 * Macros for use in routines called by them.
/*
 * NOTE(review): only the #define lines of these three macros survive in the
 * listing; the continuation lines that hold their bodies are missing, so
 * their behaviour cannot be documented from here.
 */
770 #define CHECK_BYTE_COUNT_SUBR(len) \
776 #define CHECK_STRING_SUBR(fn) \
782 #define COUNT_BYTES_SUBR(len) \
787 * Macros for use when dissecting transaction parameters and data
/*
 * Return the current offset from the enclosing function when fewer than len
 * bytes are left in bc.
 * NOTE(review): expands to a bare `if` with an unparenthesised argument;
 * safe only as a stand-alone statement with a simple expression for len.
 */
789 #define CHECK_BYTE_COUNT_TRANS(len) \
790 if (bc < len) return offset;
/* Return the current offset when the string pointer fn is NULL. */
792 #define CHECK_STRING_TRANS(fn) \
793 if (fn == NULL) return offset;
/* NOTE(review): the body of this macro is missing from the listing. */
795 #define COUNT_BYTES_TRANS(len) \
800 * Macros for use in subroutines dissecting transaction parameters or data
/*
 * Return the current offset when the count that bcp points to is smaller
 * than len.
 * NOTE(review): expands to a bare `if` with an unparenthesised argument;
 * safe only as a stand-alone statement with a simple expression for len.
 */
802 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
803 if (*bcp < len) return offset;
/* Return the current offset when the string pointer fn is NULL. */
805 #define CHECK_STRING_TRANS_SUBR(fn) \
806 if (fn == NULL) return offset;
/* NOTE(review): the body of this macro is missing from the listing. */
808 #define COUNT_BYTES_TRANS_SUBR(len) \
/*
 * SID name snooping switch, off by default. It is non-static, so other files
 * can read and write it; presumably it is driven by a preference - confirm
 * where it is registered.
 */
813 gboolean sid_name_snooping = FALSE;
815 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
816 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
817 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Reassembly switches, both off by default. smb_trans_reassembly is local to
 * this file; smb_dcerpc_reassembly is non-static and so visible elsewhere.
 */
818 static gboolean smb_trans_reassembly = FALSE;
819 gboolean smb_dcerpc_reassembly = FALSE;
/* Fragment table passed to fragment_table_init(), fragment_add() and fragment_get(). */
821 static GHashTable *smb_trans_fragment_table = NULL;
/*
 * Initialise the SMB transaction fragment table by handing it to
 * fragment_table_init().
 * NOTE(review): the return-type line and the braces (original lines 823,
 * 825 and 827) are missing from this listing.
 */
824 smb_trans_reassembly_init(void)
826 fragment_table_init(&smb_trans_fragment_table);
/*
 * Add one piece of a fragmented SMB transaction to the reassembly table (or,
 * on a frame that was already visited, fetch the existing entry), then keep
 * SMB_SIF_IS_CONTINUED on the saved request info in step with whether
 * reassembly has completed.
 *
 * Judging by the names, offset/count locate the piece inside tvb, pos is its
 * position within the whole transaction and totlen is the announced total
 * length - TODO confirm against the callers.
 *
 * NOTE(review): count, pos and totlen are signed ints, presumably taken from
 * packet fields. pos+count is computed below without an overflow or sign
 * check, so confirm that the callers reject negative or oversized values
 * before this function is reached.
 * NOTE(review): several original lines (braces, local declarations, return
 * statements, and the tail of the function at original lines 877-886) are
 * missing from this listing.
 */
829 static fragment_data *
830 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
831 int offset, int count, int pos, int totlen)
833 fragment_data *fd_head=NULL;
/* More fragments are expected while the announced total exceeds the end of this piece. */
837 more_frags=totlen>(pos+count);
839 si = (smb_info_t *)pinfo->private_data;
840 DISSECTOR_ASSERT(si);
/* Without saved request info there is no request frame number to key the reassembly on. */
842 if (si->sip == NULL) {
844 * We don't have the frame number of the request.
/*
 * First pass over a frame adds the fragment, keyed on the request frame
 * number; later passes only look the existing entry up.
 */
849 if(!pinfo->fd->flags.visited){
850 fd_head = fragment_add(tvb, offset, pinfo,
851 si->sip->frame_req, smb_trans_fragment_table,
852 pos, count, more_frags);
854 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
857 if (!fd_head || !(fd_head->flags&FD_DEFRAGMENTED)){
858 /* This is continued - mark it as such, so we recognize
859 continuation responses.
861 si->sip->flags |= SMB_SIF_IS_CONTINUED;
863 /* We've finished reassembling, so there are no more
864 continuation responses.
866 si->sip->flags &= ~SMB_SIF_IS_CONTINUED;
869 /* we only show the defragmented packet for the first fragment,
870 or else we might end up with dissecting one HUGE transaction PDU
871 a LOT of times. (first fragment is the only one containing the setup
873 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
874 SMBs. Takes a LOT of time dissecting and is not fun.
876 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
887 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
888 These variables and functions are used to match
890 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
892 * The information we need to save about a request in order to show the
893 * frame number of the request in the dissection of the reply.
898 } smb_saved_info_key_t;
900 /* unmatched smb_saved_info structures.
901 For unmatched smb_saved_info structures we store the smb_saved_info
902 structure using the MID and the PID as the key.
904 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
905 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
906 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
/*
 * Key comparison for the "unmatched" table. Each key is a pointer-sized
 * value that is converted to a 32-bit integer with GPOINTER_TO_UINT()
 * rather than dereferenced. The line that compares key1 with key2 is not
 * shown in this listing.
 */
909 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
911 register guint32 key1 = GPOINTER_TO_UINT(k1);
912 register guint32 key2 = GPOINTER_TO_UINT(k2);
/*
 * Hash function for the "unmatched" table. The key is a pointer-sized
 * value converted to a 32-bit integer with GPOINTER_TO_UINT(); the line
 * that derives the hash from it is not shown in this listing.
 */
916 smb_saved_info_hash_unmatched(gconstpointer k)
918 register guint32 key = GPOINTER_TO_UINT(k);
922 /* matched smb_saved_info structures.
923 For matched smb_saved_info structures we store the smb_saved_info
924 structure twice in the table using the frame number, and a combination
925 of the MID and the PID, as the key.
926 The frame number is guaranteed to be unique but if ever someone makes
927 some change that will renumber the frames in a capture we are in BIG trouble.
928 This is not likely though since that would break (among other things) all the
929 reassembly routines as well.
931 We also need the MID as there may be more than one SMB request or reply
932 in a single frame, and we also need the PID as there may be more than
933 one outstanding request with the same MID and different PIDs.
/*
 * Key comparison for the "matched" table: two smb_saved_info_key_t keys
 * are equal only when both their frame and their pid_mid members match.
 * Both pointers are dereferenced without a NULL check.
 */
936 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
938 const smb_saved_info_key_t *key1 = k1;
939 const smb_saved_info_key_t *key2 = k2;
940 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
/*
 * Hash function for the "matched" table: the hash is the plain sum of the
 * key's frame and pid_mid members.
 *
 * NOTE(review): a sum mixes its inputs weakly. Keys whose frame and
 * pid_mid add up to the same value land in the same bucket and are told
 * apart only by the equality function, so lookup cost depends on the
 * PID/MID values carried in the traffic.
 */
943 smb_saved_info_hash_matched(gconstpointer k)
945 const smb_saved_info_key_t *key = k;
946 return key->frame + key->pid_mid;
949 static GSList *conv_tables = NULL;
952 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
953 End of request/response matching functions
954 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
956 static const value_string buffer_format_vals[] = {
961 {5, "Variable Block"},
966 * UTIME - this is *almost* like a UNIX time stamp, except that it's
967 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
968 * January 1, 1970, 00:00:00 GMT.
970 * This means we have to do some extra work to convert it. This code is
971 * based on the Samba code:
973 * Unix SMB/Netbios implementation.
975 * time handling functions
976 * Copyright (C) Andrew Tridgell 1992-1998
980 * Yield the difference between *A and *B, in seconds, ignoring leap
983 #define TM_YEAR_BASE 1900
/*
 * Difference between two broken-down times, built up step by step:
 * leap days between the two years, then days, hours, minutes and seconds.
 * Every intermediate value is an int.
 *
 * NOTE(review): for inputs many decades apart the multiplication by 60 for
 * the seconds value could exceed the range of int. The one call visible in
 * this file passes a gmtime() result together with another struct tm, so
 * the difference is presumably a time-zone offset - confirm.
 * The lines declaring years and days, and the return, are not shown here.
 */
986 tm_diff(struct tm *a, struct tm *b)
988 int ay = a->tm_year + (TM_YEAR_BASE - 1);
989 int by = b->tm_year + (TM_YEAR_BASE - 1);
990 int intervening_leap_days =
991 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
994 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
995 int hours = 24*days + (a->tm_hour - b->tm_hour);
996 int minutes = 60*hours + (a->tm_min - b->tm_min);
997 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
1003 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1009 struct tm *tm = gmtime(&t);
1018 return tm_diff(&tm_utc,tm);
1022 * Return the same value as TimeZone, but it should be more efficient.
1024 * We keep a table of DST offsets to prevent calling localtime() on each
1025 * call of this function. This saves a LOT of time on many unixes.
1027 * Updated by Paul Eggert <eggert@twinsun.com>
1034 #define TIME_T_MIN ((time_t) ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1035 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)))
1038 #define TIME_T_MAX ((time_t) (~ (time_t) 0 - TIME_T_MIN))
/*
 * Cached version of TimeZone(): look t up in a function-static table of
 * (start, end, zone) intervals and use the stored zone when t falls inside
 * one of them.
 *
 * On a miss the table is enlarged by one entry (g_malloc() the first time,
 * g_realloc() afterwards), the new entry starts as the single point t, and
 * its start and end are then pushed outwards by probing TimeZone() at
 * intermediate times for as long as the zone stays the same. The search
 * window is t plus or minus MAX_DST_WIDTH/2.
 *
 * The table lives in static variables and is searched linearly; no code
 * releasing it is visible here.
 * NOTE(review): t reaches this function from time stamps read out of
 * packets (through LocTimeDiff()), so the number of entries depends on the
 * traffic - confirm it stays small in practice.
 * Several lines of this function are missing from this listing.
 */
1042 TimeZoneFaster(time_t t)
1044 static struct dst_table {time_t start,end; int zone;} *tdt;
1045 static struct dst_table *dst_table = NULL;
1046 static int table_size = 0;
1053 /* Tunis has a 8 day DST region, we need to be careful ... */
1054 #define MAX_DST_WIDTH (365*24*60*60)
1055 #define MAX_DST_SKIP (7*24*60*60)
1057 for (i = 0; i < table_size; i++) {
1058 if (t >= dst_table[i].start && t <= dst_table[i].end)
1062 if (i < table_size) {
1063 zone = dst_table[i].zone;
1068 if (dst_table == NULL)
1069 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1071 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1080 dst_table[i].zone = zone;
1081 dst_table[i].start = dst_table[i].end = t;
1083 /* no entry will cover more than 6 months */
1084 low = t - MAX_DST_WIDTH/2;
1088 high = t + MAX_DST_WIDTH/2;
1093 * Widen the new entry using two bisection searches.
1095 while (low+60*60 < dst_table[i].start) {
1096 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1097 t = dst_table[i].start - MAX_DST_SKIP;
1099 t = low + (dst_table[i].start-low)/2;
1100 if (TimeZone(t) == zone)
1101 dst_table[i].start = t;
1106 while (high-60*60 > dst_table[i].end) {
1107 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1108 t = dst_table[i].end + MAX_DST_SKIP;
1110 t = high - (high-dst_table[i].end)/2;
1111 if (TimeZone(t) == zone)
1112 dst_table[i].end = t;
1122 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1123 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1124 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1125 * daylight savings transitions because some local times are ambiguous.
1126 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
/*
 * Zone offset for a local time value lt. The offset d for lt is looked up
 * first, an adjusted time t is derived from it (those lines are not shown
 * here), and the offset for t is returned.
 *
 * The (t < lt) ^ (d < 0) test detects that the adjustment wrapped around:
 * t moved in the opposite direction to the sign of d.
 */
1129 LocTimeDiff(time_t lt)
1131 int d = TimeZoneFaster(lt);
1134 /* if overflow occurred, ignore all the adjustments so far */
1135 if (((t < lt) ^ (d < 0)))
1139 * Now t should be close enough to the true UTC to yield the
1142 return TimeZoneFaster(t);
/*
 * Dissect a 4-byte UTIME field at offset.
 *
 * The value is read as a little-endian 32-bit integer. 0xffffffff is shown
 * as "No time specified"; any other value has LocTimeDiff(timeval) added
 * to turn the local-time stamp into UTC seconds and is then added to the
 * tree as a time item under hf_date.
 *
 * The declarations and the return are not shown in this listing.
 */
1146 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1151 timeval = tvb_get_letohl(tvb, offset);
1152 if (timeval == 0xffffffff) {
1153 proto_tree_add_text(tree, tvb, offset, 4,
1154 "%s: No time specified (0xffffffff)",
1155 proto_registrar_get_name(hf_date));
1161 * We add the local time offset.
1163 ts.secs = timeval + LocTimeDiff(timeval);
1166 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
/*
 * Dissect a 4-byte DOS date/time pair at offset.
 *
 * Two little-endian 16-bit words are read, in either time/date or
 * date/time order (the branch lines are not shown; presumably selected by
 * time_first). 0xffff/0xffff and 0/0 are shown as "No time specified".
 *
 * Field layout decoded below:
 *   time: bits 0-4 seconds/2, bits 5-10 minutes, bits 11-15 hours
 *   date: bits 0-4 day, bits 5-8 month (1-based), bits 9-15 years since 1980
 *
 * The fields are raw bit slices of packet data, so tm_mon can be anything
 * from -1 to 14. In the sanity check the range test on tm_mon comes before
 * the mday_leap[]/mday_noleap[] lookup in the same || chain, which keeps
 * an out-of-range month from indexing the 12-entry tables. That ordering
 * must be preserved if the condition is ever edited.
 *
 * NOTE(review): the check has an upper bound for tm_mday but no lower
 * bound. A day field of 0 therefore reaches mktime(), which normalizes it
 * instead of rejecting it - consider adding a test for tm_mday < 1.
 * Some lines of this function are missing from this listing.
 */
1173 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1174 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1176 guint16 dos_time, dos_date;
1177 proto_item *item = NULL;
1178 proto_tree *tree = NULL;
1181 static const int mday_noleap[12] = {
1182 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1184 static const int mday_leap[12] = {
1185 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1187 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1191 dos_time = tvb_get_letohs(tvb, offset);
1192 dos_date = tvb_get_letohs(tvb, offset+2);
1194 dos_date = tvb_get_letohs(tvb, offset);
1195 dos_time = tvb_get_letohs(tvb, offset+2);
1198 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1199 (dos_date == 0 && dos_time == 0)) {
1201 * No date/time specified.
1204 proto_tree_add_text(parent_tree, tvb, offset, 4,
1205 "%s: No time specified (0x%08x)",
1206 proto_registrar_get_name(hf_date),
1207 (dos_date << 16) | dos_time);
1213 tm.tm_sec = (dos_time&0x1f)*2;
1214 tm.tm_min = (dos_time>>5)&0x3f;
1215 tm.tm_hour = (dos_time>>11)&0x1f;
1216 tm.tm_mday = dos_date&0x1f;
1217 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1218 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1222 * Do some sanity checks before calling "mktime()";
1223 * "mktime()" doesn't do them, it "normalizes" out-of-range
1226 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1227 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1228 (ISLEAP(tm.tm_year + 1900) ?
1229 tm.tm_mday > mday_leap[tm.tm_mon] :
1230 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1231 (t = mktime(&tm)) == -1) {
1233 * Invalid date/time.
1236 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1238 proto_registrar_get_name(hf_date));
1239 tree = proto_item_add_subtree(item, ett_smb_time_date);
1241 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1242 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1244 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1245 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1256 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1257 tree = proto_item_add_subtree(item, ett_smb_time_date);
1259 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1260 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1262 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1263 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1272 static const true_false_string tfs_disposition_delete_on_close = {
1273 "DELETE this file when closed",
1274 "Normal access, do not delete on close"
1278 static const value_string da_access_vals[] = {
1279 { 0, "Open for reading"},
1280 { 1, "Open for writing"},
1281 { 2, "Open for reading and writing"},
1282 { 3, "Open for execute"},
1285 static const value_string da_sharing_vals[] = {
1286 { 0, "Compatibility mode"},
1287 { 1, "Deny read/write/execute (exclusive)"},
1289 { 3, "Deny read/execute"},
1293 static const value_string da_locality_vals[] = {
1294 { 0, "Locality of reference unknown"},
1295 { 1, "Mainly sequential access"},
1296 { 2, "Mainly random access"},
1297 { 3, "Random access with some locality"},
1300 static const true_false_string tfs_da_caching = {
1301 "Do not cache this file",
1302 "Caching permitted on this file"
1304 static const true_false_string tfs_da_writetru = {
1305 "Write through enabled",
1306 "Write through disabled"
/*
 * Dissect a 2-byte access mask at offset.
 *
 * The mask is read as a little-endian 16-bit value and shown as
 * "<type> Access: 0x...." with one sub-item each for write-through,
 * caching, locality, sharing and access mode. Every sub-item covers the
 * same two bytes; the bits each one extracts are defined where the hf_
 * fields are registered, which is not shown here.
 *
 * type is formatted with %s and must be a valid string.
 */
1309 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, const char *type)
1312 proto_item *item = NULL;
1313 proto_tree *tree = NULL;
1315 mask = tvb_get_letohs(tvb, offset);
1318 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1319 "%s Access: 0x%04x", type, mask);
1320 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1323 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1324 tvb, offset, 2, mask);
1325 proto_tree_add_boolean(tree, hf_smb_access_caching,
1326 tvb, offset, 2, mask);
1327 proto_tree_add_uint(tree, hf_smb_access_locality,
1328 tvb, offset, 2, mask);
1329 proto_tree_add_uint(tree, hf_smb_access_sharing,
1330 tvb, offset, 2, mask);
1331 proto_tree_add_uint(tree, hf_smb_access_mode,
1332 tvb, offset, 2, mask);
1339 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1340 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1341 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1342 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1343 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1344 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1345 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1346 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1347 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1348 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1349 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1350 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1351 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1352 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1353 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1355 static const true_false_string tfs_file_attribute_read_only = {
1356 "This file is READ ONLY",
1357 "This file is NOT read only",
1359 static const true_false_string tfs_file_attribute_hidden = {
1360 "This is a HIDDEN file",
1361 "This is NOT a hidden file"
1363 static const true_false_string tfs_file_attribute_system = {
1364 "This is a SYSTEM file",
1365 "This is NOT a system file"
1367 static const true_false_string tfs_file_attribute_volume = {
1368 "This is a VOLUME ID",
1369 "This is NOT a volume ID"
1371 static const true_false_string tfs_file_attribute_directory = {
1372 "This is a DIRECTORY",
1373 "This is NOT a directory"
1375 static const true_false_string tfs_file_attribute_archive = {
1376 "This file has been modified since last ARCHIVE",
1377 "This file has NOT been modified since last archive"
1379 static const true_false_string tfs_file_attribute_device = {
1381 "This is NOT a device"
1383 static const true_false_string tfs_file_attribute_normal = {
1384 "This file is an ordinary file",
1385 "This file has some attribute set"
1387 static const true_false_string tfs_file_attribute_temporary = {
1388 "This is a TEMPORARY file",
1389 "This is NOT a temporary file"
1391 static const true_false_string tfs_file_attribute_sparse = {
1392 "This is a SPARSE file",
1393 "This is NOT a sparse file"
1395 static const true_false_string tfs_file_attribute_reparse = {
1396 "This file has an associated REPARSE POINT",
1397 "This file does NOT have an associated reparse point"
1399 static const true_false_string tfs_file_attribute_compressed = {
1400 "This is a COMPRESSED file",
1401 "This is NOT a compressed file"
1403 static const true_false_string tfs_file_attribute_offline = {
1404 "This file is OFFLINE",
1405 "This file is NOT offline"
1407 static const true_false_string tfs_file_attribute_not_content_indexed = {
1408 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1409 "This file MAY be indexed by the content indexing service"
1411 static const true_false_string tfs_file_attribute_encrypted = {
1412 "This is an ENCRYPTED file",
1413 "This is NOT an encrypted file"
1417 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1418 * listed as USHORT, and seem to be in packets in the wild, while in other
1419 * places they are listed as ULONG, and also seem to be.
1421 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
/*
 * Dissect a file attributes field that is either 2 or 4 bytes wide.
 *
 * bytes (declared on a signature line that is not shown here) gives the
 * field width; any value other than 2 or 4 raises ReportedBoundsError.
 * Whatever the width, only a little-endian 16-bit mask is read, because
 * every attribute bit defined in this file fits in the low 16 bits. The
 * tree items are nevertheless given a length of bytes so that the whole
 * field is highlighted.
 *
 * NOTE(review): with bytes == 4 the upper two bytes are neither read nor
 * displayed, and "0x%08x" prints the 16-bit mask zero-extended. Non-zero
 * upper bytes in a capture would go unnoticed.
 */
1426 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1430 proto_item *item = NULL;
1431 proto_tree *tree = NULL;
1433 if (bytes != 2 && bytes != 4) {
1434 THROW(ReportedBoundsError);
1438 * The actual bits of interest appear to only be a USHORT
1440 /* FIXME if this ever changes! */
1441 mask = tvb_get_letohs(tvb, offset);
1444 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1445 "File Attributes: 0x%08x", mask);
1446 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1448 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1449 tvb, offset, bytes, mask);
1450 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1451 tvb, offset, bytes, mask);
1452 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1453 tvb, offset, bytes, mask);
1454 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1455 tvb, offset, bytes, mask);
1456 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1457 tvb, offset, bytes, mask);
1458 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1459 tvb, offset, bytes, mask);
1460 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1461 tvb, offset, bytes, mask);
1462 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1463 tvb, offset, bytes, mask);
1464 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1465 tvb, offset, bytes, mask);
1466 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1467 tvb, offset, bytes, mask);
1468 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1469 tvb, offset, bytes, mask);
1470 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1471 tvb, offset, bytes, mask);
1472 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1473 tvb, offset, bytes, mask);
1474 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1475 tvb, offset, bytes, mask);
1476 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1477 tvb, offset, bytes, mask);
/*
 * Dissect a 4-byte extended file attributes field at offset.
 *
 * The mask is read as a little-endian 32-bit value and shown as
 * "File Attributes: 0x........" with one boolean sub-item per
 * hf_smb_file_eattr_* field, each covering the same four bytes.
 *
 * The meaning of some bits is disputed, as the comment inside the function
 * records; treat the labels of the less common bits with care when reading
 * a capture.
 */
1486 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1489 proto_item *item = NULL;
1490 proto_tree *tree = NULL;
1492 mask = tvb_get_letohl(tvb, offset);
1495 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1496 "File Attributes: 0x%08x", mask);
1497 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1501 * XXX - Network Monitor disagrees on some of the
1502 * bits, e.g. the bits above temporary are "atomic write"
1503 * and "transaction write", and it says nothing about the
1506 * Does the Win32 API documentation, or the NT Native API book,
1509 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1510 tvb, offset, 4, mask);
1511 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1512 tvb, offset, 4, mask);
1513 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1514 tvb, offset, 4, mask);
1515 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1516 tvb, offset, 4, mask);
1517 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1518 tvb, offset, 4, mask);
1519 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1520 tvb, offset, 4, mask);
1521 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1522 tvb, offset, 4, mask);
1523 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1524 tvb, offset, 4, mask);
1525 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1526 tvb, offset, 4, mask);
1527 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1528 tvb, offset, 4, mask);
1529 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1530 tvb, offset, 4, mask);
1531 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1532 tvb, offset, 4, mask);
1533 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1534 tvb, offset, 4, mask);
1535 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1536 tvb, offset, 4, mask);
1537 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1538 tvb, offset, 4, mask);
/*
 * Dissect a 1-byte file attributes field at offset.
 *
 * The mask is read as a single byte and shown as "File Attributes: 0x.."
 * with boolean sub-items for read only, hidden, system, volume, directory
 * and archive, each covering that one byte.
 */
1546 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1549 proto_item *item = NULL;
1550 proto_tree *tree = NULL;
1552 mask = tvb_get_guint8(tvb, offset);
1555 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1556 "File Attributes: 0x%02x", mask);
1557 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1559 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1560 tvb, offset, 1, mask);
1561 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1562 tvb, offset, 1, mask);
1563 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1564 tvb, offset, 1, mask);
1565 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1566 tvb, offset, 1, mask);
1567 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1568 tvb, offset, 1, mask);
1569 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1570 tvb, offset, 1, mask);
1577 static const true_false_string tfs_search_attribute_read_only = {
1578 "Include READ ONLY files in search results",
1579 "Do NOT include read only files in search results",
1581 static const true_false_string tfs_search_attribute_hidden = {
1582 "Include HIDDEN files in search results",
1583 "Do NOT include hidden files in search results"
1585 static const true_false_string tfs_search_attribute_system = {
1586 "Include SYSTEM files in search results",
1587 "Do NOT include system files in search results"
1589 static const true_false_string tfs_search_attribute_volume = {
1590 "Include VOLUME IDs in search results",
1591 "Do NOT include volume IDs in search results"
1593 static const true_false_string tfs_search_attribute_directory = {
1594 "Include DIRECTORIES in search results",
1595 "Do NOT include directories in search results"
1597 static const true_false_string tfs_search_attribute_archive = {
1598 "Include ARCHIVE files in search results",
1599 "Do NOT include archive files in search results"
/*
 * Dissect a 2-byte search attributes field at offset.
 *
 * The mask is read as a little-endian 16-bit value and shown as
 * "Search Attributes: 0x...." with boolean sub-items for read only,
 * hidden, system, volume, directory and archive, each covering the same
 * two bytes.
 */
1603 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1606 proto_item *item = NULL;
1607 proto_tree *tree = NULL;
1609 mask = tvb_get_letohs(tvb, offset);
1612 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1613 "Search Attributes: 0x%04x", mask);
1614 tree = proto_item_add_subtree(item, ett_smb_search);
1617 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1618 tvb, offset, 2, mask);
1619 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1620 tvb, offset, 2, mask);
1621 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1622 tvb, offset, 2, mask);
1623 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1624 tvb, offset, 2, mask);
1625 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1626 tvb, offset, 2, mask);
1627 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1628 tvb, offset, 2, mask);
1636 * XXX - this isn't used.
1637 * Is this used for anything? NT Create AndX doesn't use it.
1638 * Is there some 16-bit attribute field with more bits than Read Only,
1639 * Hidden, System, Volume ID, Directory, and Archive?
/*
 * Dissect a file attributes field and add one boolean sub-item per
 * attribute bit.
 *
 * NOTE(review): the widths used here do not agree with each other. The
 * mask is read with tvb_get_letohl(), a 4-byte access, and printed with
 * "0x%08x", but the text item and every sub-item cover only 2 bytes and
 * the low bits use the *_16bit fields. If this routine were called on a
 * genuine 2-byte field, the 4-byte read would take in the two bytes that
 * follow it and would raise a bounds exception when they are absent.
 * Decide on one width (tvb_get_letohs() for 2 bytes, or length 4
 * throughout) before putting the function to use.
 */
1642 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1645 proto_item *item = NULL;
1646 proto_tree *tree = NULL;
1648 mask = tvb_get_letohl(tvb, offset);
1651 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1652 "File Attributes: 0x%08x", mask);
1653 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1655 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1656 tvb, offset, 2, mask);
1657 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1658 tvb, offset, 2, mask);
1659 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1660 tvb, offset, 2, mask);
1661 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1662 tvb, offset, 2, mask);
1663 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1664 tvb, offset, 2, mask);
1665 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1666 tvb, offset, 2, mask);
1667 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1668 tvb, offset, 2, mask);
1669 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1670 tvb, offset, 2, mask);
1671 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1672 tvb, offset, 2, mask);
1673 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1674 tvb, offset, 2, mask);
1675 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1676 tvb, offset, 2, mask);
1677 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1678 tvb, offset, 2, mask);
1679 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1680 tvb, offset, 2, mask);
1681 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1682 tvb, offset, 2, mask);
1683 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1684 tvb, offset, 2, mask);
1693 #define SERVER_CAP_RAW_MODE 0x00000001
1694 #define SERVER_CAP_MPX_MODE 0x00000002
1695 #define SERVER_CAP_UNICODE 0x00000004
1696 #define SERVER_CAP_LARGE_FILES 0x00000008
1697 #define SERVER_CAP_NT_SMBS 0x00000010
1698 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1699 #define SERVER_CAP_STATUS32 0x00000040
1700 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1701 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1702 #define SERVER_CAP_NT_FIND 0x00000200
1703 #define SERVER_CAP_DFS 0x00001000
1704 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1705 #define SERVER_CAP_LARGE_READX 0x00004000
1706 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1707 #define SERVER_CAP_UNIX 0x00800000
1708 #define SERVER_CAP_RESERVED 0x02000000
1709 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1710 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1711 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1712 static const true_false_string tfs_server_cap_raw_mode = {
1713 "Read Raw and Write Raw are supported",
1714 "Read Raw and Write Raw are not supported"
1716 static const true_false_string tfs_server_cap_mpx_mode = {
1717 "Read Mpx and Write Mpx are supported",
1718 "Read Mpx and Write Mpx are not supported"
1720 static const true_false_string tfs_server_cap_unicode = {
1721 "Unicode strings are supported",
1722 "Unicode strings are not supported"
1724 static const true_false_string tfs_server_cap_large_files = {
1725 "Large files are supported",
1726 "Large files are not supported",
1728 static const true_false_string tfs_server_cap_nt_smbs = {
1729 "NT SMBs are supported",
1730 "NT SMBs are not supported"
1732 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1733 "RPC remote APIs are supported",
1734 "RPC remote APIs are not supported"
1736 static const true_false_string tfs_server_cap_nt_status = {
1737 "NT status codes are supported",
1738 "NT status codes are not supported"
1740 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1741 "Level 2 oplocks are supported",
1742 "Level 2 oplocks are not supported"
1744 static const true_false_string tfs_server_cap_lock_and_read = {
1745 "Lock and Read is supported",
1746 "Lock and Read is not supported"
1748 static const true_false_string tfs_server_cap_nt_find = {
1749 "NT Find is supported",
1750 "NT Find is not supported"
1752 static const true_false_string tfs_server_cap_dfs = {
1754 "Dfs is not supported"
1756 static const true_false_string tfs_server_cap_infolevel_passthru = {
1757 "NT information level request passthrough is supported",
1758 "NT information level request passthrough is not supported"
1760 static const true_false_string tfs_server_cap_large_readx = {
1761 "Large Read andX is supported",
1762 "Large Read andX is not supported"
1764 static const true_false_string tfs_server_cap_large_writex = {
1765 "Large Write andX is supported",
1766 "Large Write andX is not supported"
1768 static const true_false_string tfs_server_cap_unix = {
1769 "UNIX extensions are supported",
1770 "UNIX extensions are not supported"
1772 static const true_false_string tfs_server_cap_reserved = {
1776 static const true_false_string tfs_server_cap_bulk_transfer = {
1777 "Bulk Read and Bulk Write are supported",
1778 "Bulk Read and Bulk Write are not supported"
1780 static const true_false_string tfs_server_cap_compressed_data = {
1781 "Compressed data transfer is supported",
1782 "Compressed data transfer is not supported"
1784 static const true_false_string tfs_server_cap_extended_security = {
1785 "Extended security exchanges are supported",
1786 "Extended security exchanges are not supported"
/*
 * Dissect the 4-byte server capabilities field of a Negotiate Protocol
 * response.
 *
 * The mask is read as a little-endian 32-bit value and shown as
 * "Capabilities: 0x........" with one boolean sub-item per
 * hf_smb_server_cap_* field, each covering the same four bytes.
 *
 * The field is what the server advertises and is shown as received; it is
 * a claim by the sender, not a verified property of the server. The
 * extended-security and Unicode flags shown here affect how the rest of
 * the session setup is encoded.
 */
1789 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1792 proto_item *item = NULL;
1793 proto_tree *tree = NULL;
1795 mask = tvb_get_letohl(tvb, offset);
1798 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1799 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1802 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1803 tvb, offset, 4, mask);
1804 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1805 tvb, offset, 4, mask);
1806 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1807 tvb, offset, 4, mask);
1808 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1809 tvb, offset, 4, mask);
1810 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1811 tvb, offset, 4, mask);
1812 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1813 tvb, offset, 4, mask);
1814 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1815 tvb, offset, 4, mask);
1816 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1817 tvb, offset, 4, mask);
1818 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1819 tvb, offset, 4, mask);
1820 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1821 tvb, offset, 4, mask);
1822 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1823 tvb, offset, 4, mask);
1824 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1825 tvb, offset, 4, mask);
1826 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1827 tvb, offset, 4, mask);
1828 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1829 tvb, offset, 4, mask);
1830 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1831 tvb, offset, 4, mask);
1832 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1833 tvb, offset, 4, mask);
1834 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1835 tvb, offset, 4, mask);
1836 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1837 tvb, offset, 4, mask);
1838 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1839 tvb, offset, 4, mask);
1844 #define RAWMODE_READ 0x01
1845 #define RAWMODE_WRITE 0x02
1846 static const true_false_string tfs_rm_read = {
1847 "Read Raw is supported",
1848 "Read Raw is not supported"
1850 static const true_false_string tfs_rm_write = {
1851 "Write Raw is supported",
1852 "Write Raw is not supported"
/*
 * Dissect the 2-byte raw mode field of a Negotiate Protocol response.
 *
 * The mask is read as a little-endian 16-bit value and shown as
 * "Raw Mode: 0x...." with boolean sub-items for Read Raw and Write Raw
 * support, each covering the same two bytes.
 */
1856 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1859 proto_item *item = NULL;
1860 proto_tree *tree = NULL;
1862 mask = tvb_get_letohs(tvb, offset);
1865 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1866 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1869 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1870 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
1877 #define SECURITY_MODE_MODE 0x01
1878 #define SECURITY_MODE_PASSWORD 0x02
1879 #define SECURITY_MODE_SIGNATURES 0x04
1880 #define SECURITY_MODE_SIG_REQUIRED 0x08
1881 static const true_false_string tfs_sm_mode = {
1882 "USER security mode",
1883 "SHARE security mode"
1885 static const true_false_string tfs_sm_password = {
1886 "ENCRYPTED password. Use challenge/response",
1887 "PLAINTEXT password"
1889 static const true_false_string tfs_sm_signatures = {
1890 "Security signatures ENABLED",
1891 "Security signatures NOT enabled"
1893 static const true_false_string tfs_sm_sig_required = {
1894 "Security signatures REQUIRED",
1895 "Security signatures NOT required"
/*
 * Dissect the security mode field of a Negotiate Protocol response.
 *
 * Two layouts are handled; the lines that choose between them are not
 * shown here (presumably a switch on wc, the word count of the response):
 *   - a 2-byte field, shown with the mode and password flags only
 *   - a 1-byte field, shown with the mode, password, signatures-enabled
 *     and signatures-required flags
 *
 * These flags describe how the server expects the client to authenticate.
 * When reviewing a capture, a cleared password flag is labelled
 * "PLAINTEXT password" and a cleared signing flag "Security signatures NOT
 * required" by the string tables in this file; both are worth noting in a
 * security assessment of the server. The bit assigned to each hf_ field is
 * set where the fields are registered, which is not shown here.
 */
1899 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
1902 proto_item *item = NULL;
1903 proto_tree *tree = NULL;
1907 mask = tvb_get_letohs(tvb, offset);
1908 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1909 "Security Mode: 0x%04x", mask);
1910 tree = proto_item_add_subtree(item, ett_smb_mode);
1911 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
1912 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
1917 mask = tvb_get_guint8(tvb, offset);
1918 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1919 "Security Mode: 0x%02x", mask);
1920 tree = proto_item_add_subtree(item, ett_smb_mode);
1921 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
1922 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
1923 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
1924 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
/*
 * Dissects a Negotiate Protocol request: the list of dialect strings the
 * client offers, each preceded by a buffer-format byte.
 * NOTE(review): this listing omits source lines (the embedded line numbers
 * skip); the loop around the per-dialect statements, the declarations and
 * the assignment of `bc` are not visible here.
 */
1933 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
1935 proto_item *it = NULL;
1936 proto_tree *tr = NULL;
/* Make sure the whole declared data block is present before labelling it. */
1945 tvb_ensure_bytes_exist(tvb, offset, bc);
1946 it = proto_tree_add_text(tree, tvb, offset, bc,
1947 "Requested Dialects");
1948 tr = proto_item_add_subtree(it, ett_smb_dialects);
1954 proto_item *dit = NULL;
1955 proto_tree *dtr = NULL;
/* The string length comes from scanning for the NUL inside the tvb, not
 * inside the declared byte count: a dialect that is unterminated within bc
 * is measured up to the next NUL in the packet. The only visible check
 * against bc is CHECK_BYTE_COUNT(len) further down (macro defined outside
 * this view - presumably it stops dissection when bc is too small; confirm). */
1957 /* XXX - what if this runs past bc? */
1958 tvb_ensure_bytes_exist(tvb, offset+1, 1);
1959 len = tvb_strsize(tvb, offset+1);
1960 str = tvb_get_ptr(tvb, offset+1, len);
/* str is printed with %s, which relies on tvb_strsize() having found the
 * terminating NUL (len counts it). The item spans the format byte too. */
1963 dit = proto_tree_add_text(tr, tvb, offset, len+1,
1964 "Dialect: %s", str);
1965 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
1969 CHECK_BYTE_COUNT(1);
1970 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
1975 CHECK_BYTE_COUNT(len);
1976 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
/*
 * Dissects a Negotiate Protocol response: the selected dialect index, the
 * fixed parameter words for the response layout in use, and the
 * variable-length data (challenge key, domain and server names, or the
 * server GUID and security blob when extended security is negotiated).
 * NOTE(review): this listing omits source lines (the embedded line numbers
 * skip), so the local declarations, the labels that select each layout and
 * the assignments of `wc`, `bc` and `sbloblen` are not visible; the comments
 * below describe only the statements shown.
 */
1987 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
1989 smb_info_t *si = pinfo->private_data;
1999 DISSECTOR_ASSERT(si);
/* Dialect index chosen by the server (16-bit little-endian). */
2004 dialect = tvb_get_letohs(tvb, offset);
/* 0xffff is displayed as index -1. */
2007 if(dialect==0xffff){
2008 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2009 tvb, offset, 2, dialect,
2010 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2012 proto_tree_add_uint(tree, hf_smb_dialect_index,
2013 tvb, offset, 2, dialect);
2017 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2018 tvb, offset, 2, dialect,
2019 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2022 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2023 tvb, offset, 2, dialect,
2024 "Dialect Index: %u, greater than LANMAN2.1", dialect);
/* Unrecognised layout: require wc*2 bytes, then show the words undecoded. */
2027 tvb_ensure_bytes_exist(tvb, offset, wc*2);
2028 proto_tree_add_text(tree, tvb, offset, wc*2,
2029 "Words for unknown response format");
/* Layout with 2-byte buffer size and a 16-bit encryption key length
 * (the label selecting it is not shown). */
2038 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2040 /* Maximum Transmit Buffer Size */
2041 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2042 tvb, offset, 2, TRUE);
2045 /* Maximum Multiplex Count */
2046 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2047 tvb, offset, 2, TRUE);
2050 /* Maximum Vcs Number */
2051 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2052 tvb, offset, 2, TRUE);
2056 offset = dissect_negprot_rawmode(tvb, tree, offset);
2059 proto_tree_add_item(tree, hf_smb_session_key,
2060 tvb, offset, 4, TRUE);
2063 /* current time and date at server */
2064 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2068 tz = tvb_get_letohs(tvb, offset);
2069 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
/* ekl is peer-controlled; it is used as a length only after the
 * CHECK_BYTE_COUNT(ekl) further down. */
2072 /* encryption key length */
2073 ekl = tvb_get_letohs(tvb, offset);
2074 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2077 /* 2 reserved bytes */
2078 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* Layout with 4-byte buffer sizes, server capabilities and an 8-bit
 * encryption key length (the label selecting it is not shown). */
2085 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2087 /* Maximum Multiplex Count */
2088 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2089 tvb, offset, 2, TRUE);
2092 /* Maximum Vcs Number */
2093 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2094 tvb, offset, 2, TRUE);
2097 /* Maximum Transmit Buffer Size */
2098 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2099 tvb, offset, 4, TRUE);
2102 /* maximum raw buffer size */
2103 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2104 tvb, offset, 4, TRUE);
2108 proto_tree_add_item(tree, hf_smb_session_key,
2109 tvb, offset, 4, TRUE);
/* caps is kept: below it decides between the challenge-key path and the
 * extended-security path, and whether strings are Unicode. */
2112 /* server capabilities */
2113 caps = dissect_negprot_capabilities(tvb, tree, offset);
2117 offset = dissect_nt_64bit_time(tvb, tree, offset,
2118 hf_smb_system_time);
2121 tz = tvb_get_letohs(tvb, offset);
2122 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2124 "Server Time Zone: %d min from UTC", tz);
2127 /* encryption key length */
2128 ekl = tvb_get_guint8(tvb, offset);
2129 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2130 tvb, offset, 1, ekl);
/* CHECK_BYTE_COUNT is defined outside this view; presumably it stops
 * dissection of the data block when fewer than ekl bytes remain - confirm. */
2140 /* challenge/response encryption key */
2142 CHECK_BYTE_COUNT(ekl);
2143 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2150 * XXX - not present if negotiated dialect isn't
2151 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2152 * have to see the request, or assume what dialect strings
2153 * were sent, to determine that.
2155 * Is this something other than a primary domain if the
2156 * negotiated dialect is Windows for Workgroups 3.1a?
2157 * It appears to be 8 bytes of binary data in at least
2158 * one capture - is that an encryption key or something
2161 dn = get_unicode_or_ascii_string(tvb, &offset,
2162 si->unicode, &dn_len, FALSE, FALSE, &bc);
2165 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2167 COUNT_BYTES(dn_len);
/* No extended security: challenge key, then primary domain and server name. */
2171 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2172 /* challenge/response encryption key */
2173 /* XXX - is this aligned on an even boundary? */
2175 CHECK_BYTE_COUNT(ekl);
2176 proto_tree_add_item(tree, hf_smb_encryption_key,
2177 tvb, offset, ekl, TRUE);
2182 /* this string is special, unicode is flagged in caps */
2183 /* This string is NOT padded to be 16bit aligned.
2184 (seen in actual capture)
2185 XXX - I've seen a capture where it appears to be
2186 so aligned, but I've also seen captures where
2187 it is. The captures where it appeared to be
2188 aligned may have been from buggy servers. */
2189 /* However, don't get rid of existing setting */
/* Unicode is switched on from the capability bit; the rest of this
 * expression is on a line not shown. */
2190 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2193 dn = get_unicode_or_ascii_string(tvb,
2194 &offset, si->unicode, &dn_len, TRUE, FALSE,
2198 proto_tree_add_string(tree, hf_smb_primary_domain,
2199 tvb, offset, dn_len, dn);
2200 COUNT_BYTES(dn_len);
2202 /* server name, seen in w2k pro capture */
2203 dn = get_unicode_or_ascii_string(tvb,
2204 &offset, si->unicode, &dn_len, TRUE, FALSE,
2208 proto_tree_add_string(tree, hf_smb_server,
2209 tvb, offset, dn_len, dn);
2210 COUNT_BYTES(dn_len);
/* Extended security: a 16-byte server GUID, then the security blob.
 * sbloblen is clamped to the bytes actually captured so a short frame still
 * shows the part of the blob that is present. The sub-tvb handed to the
 * GSS-API dissector keeps sbloblen as its available length and bc as its
 * reported length. raw_ntlmssp on the conversation state is cleared when a
 * blob is handed on and set when there is no blob.
 * NOTE(review): si->ct is dereferenced in the statements shown without a
 * visible NULL check - confirm one exists on the omitted lines. */
2213 proto_item *blob_item;
2217 /* XXX - show it in the standard Microsoft format
2219 CHECK_BYTE_COUNT(16);
2220 proto_tree_add_item(tree, hf_smb_server_guid,
2221 tvb, offset, 16, TRUE);
2225 /* If it runs past the end of the captured data, don't
2226 * try to put all of it into the protocol tree as the
2227 * raw security blob; we might get an exception on
2228 * short frames and then we will not see anything at all
2229 * of the security blob.
2232 if(sbloblen>tvb_length_remaining(tvb, offset)){
2233 sbloblen=tvb_length_remaining(tvb,offset);
2235 blob_item = proto_tree_add_item(
2236 tree, hf_smb_security_blob,
2237 tvb, offset, sbloblen, TRUE);
2240 * If Extended security and BCC == 16, then raw
2241 * NTLMSSP is in use. We need to save this info
2245 tvbuff_t *gssapi_tvb;
2246 proto_tree *gssapi_tree;
2248 gssapi_tree = proto_item_add_subtree(
2249 blob_item, ett_smb_secblob);
2252 * Set the reported length of this to
2253 * the reported length of the blob,
2254 * rather than the amount of data
2255 * available from the blob, so that
2256 * we'll throw the right exception if
2259 gssapi_tvb = tvb_new_subset(
2260 tvb, offset, sbloblen, bc);
2263 gssapi_handle, gssapi_tvb, pinfo,
2267 si->ct->raw_ntlmssp = 0;
2274 * There is no blob. We just have to make sure
2275 * that subsequent routines know to call the
2280 si->ct->raw_ntlmssp = 1;
/*
 * Dissects a request whose data block is a buffer-format byte followed by a
 * directory name (Unicode or ASCII according to si->unicode), and appends
 * the name to the Info column.
 * The name is peer-controlled; it passes through format_text() before it is
 * written to the column, so non-printable bytes are displayed escaped.
 * NOTE(review): `pinfo` is tagged _U_ in the signature but is read below.
 */
2294 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2296 smb_info_t *si = pinfo->private_data;
2302 DISSECTOR_ASSERT(si);
2309 CHECK_BYTE_COUNT(1);
2310 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2314 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2318 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2320 COUNT_BYTES(dn_len);
2322 if (check_col(pinfo->cinfo, COL_INFO)) {
2323 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s",
2324 format_text(dn, strlen(dn)));
2333 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/*
 * Dissects an Echo request: a 2-byte echo count followed by the echo data.
 * `bc`, the length used for the data item, is assigned on a line this
 * listing omits.
 */
2348 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2356 ec = tvb_get_letohs(tvb, offset);
2357 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2364 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissects an Echo response: a 2-byte sequence number followed by the echo
 * data. `bc` is assigned on a line this listing omits.
 */
2374 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2381 /* echo sequence number */
2382 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2389 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissects a Tree Connect request: three buffer-format-prefixed fields in
 * order - the path, the password and the service name. The path is also
 * appended to the Info column after format_text() escaping.
 * The password bytes are displayed exactly as sent, so a capture holding
 * this request should be handled as sensitive material.
 * NOTE(review): this listing omits source lines; declarations and the
 * assignment of `bc` are not visible here.
 */
2399 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2401 smb_info_t *si = pinfo->private_data;
2407 DISSECTOR_ASSERT(si);
2414 CHECK_BYTE_COUNT(1);
2415 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2419 an = get_unicode_or_ascii_string(tvb, &offset,
2420 si->unicode, &an_len, FALSE, FALSE, &bc);
2423 proto_tree_add_string(tree, hf_smb_path, tvb,
2424 offset, an_len, an);
2425 COUNT_BYTES(an_len);
2427 if (check_col(pinfo->cinfo, COL_INFO)) {
2428 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2429 format_text(an, strlen(an)));
2433 CHECK_BYTE_COUNT(1);
2434 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* pwlen comes from scanning for the NUL inside the tvb rather than inside
 * the declared byte count; the CHECK_BYTE_COUNT(pwlen) that follows is the
 * only visible comparison against bc (macro defined outside this view). */
2437 /* password, ANSI */
2438 /* XXX - what if this runs past bc? */
2439 pwlen = tvb_strsize(tvb, offset);
2440 CHECK_BYTE_COUNT(pwlen);
2441 proto_tree_add_item(tree, hf_smb_password,
2442 tvb, offset, pwlen, TRUE);
2446 CHECK_BYTE_COUNT(1);
2447 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2452 * XXX - the SNIA CIFS spec "Strings that are never passed in
2453 * Unicode are: ... The service name string in the
2454 * Tree_Connect_AndX SMB". Is that claim false?
2456 an = get_unicode_or_ascii_string(tvb, &offset,
2457 si->unicode, &an_len, FALSE, FALSE, &bc);
2460 proto_tree_add_string(tree, hf_smb_service, tvb,
2461 offset, an_len, an);
2462 COUNT_BYTES(an_len);
/*
 * Dissects a Tree Connect response: a 2-byte maximum buffer size followed by
 * the 2-byte TID assigned to the connection.
 */
2470 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2477 /* Maximum Buffer Size */
2478 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2482 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
2493 static const true_false_string tfs_of_create = {
2494 "Create file if it does not exist",
2495 "Fail if file does not exist"
2497 static const value_string of_open[] = {
2498 { 0, "Fail if file exists"},
2499 { 1, "Open file if it exists"},
2500 { 2, "Truncate file if it exists"},
/*
 * Dissects a 2-byte Open Function field: reads a little-endian 16-bit mask,
 * adds an "Open Function" text item with a subtree, and decodes the create
 * flag and the open action from that same mask.
 * NOTE(review): the `mask` declaration and the returned offset are on lines
 * this listing omits.
 */
2504 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2507 proto_item *item = NULL;
2508 proto_tree *tree = NULL;
2510 mask = tvb_get_letohs(tvb, offset);
2513 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2514 "Open Function: 0x%04x", mask);
2515 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2518 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2519 tvb, offset, 2, mask);
2520 proto_tree_add_uint(tree, hf_smb_open_function_open,
2521 tvb, offset, 2, mask);
2529 static const true_false_string tfs_mf_file = {
2530 "Target must be a file",
2531 "Target needn't be a file"
2533 static const true_false_string tfs_mf_dir = {
2534 "Target must be a directory",
2535 "Target needn't be a directory"
2537 static const true_false_string tfs_mf_verify = {
2538 "MUST verify all writes",
2539 "Don't have to verify writes"
/*
 * Dissects the 2-byte Flags field of a Move request: reads a little-endian
 * 16-bit mask, adds a "Flags" text item with a subtree, and decodes the
 * verify, directory and file flag bits.
 * NOTE(review): the `mask` declaration and the returned offset are on lines
 * this listing omits.
 */
2542 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2545 proto_item *item = NULL;
2546 proto_tree *tree = NULL;
2548 mask = tvb_get_letohs(tvb, offset);
2551 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2552 "Flags: 0x%04x", mask);
2553 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2556 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2557 tvb, offset, 2, mask);
2558 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2559 tvb, offset, 2, mask);
2560 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2561 tvb, offset, 2, mask);
2568 static const true_false_string tfs_cf_mode = {
2572 static const true_false_string tfs_cf_tree_copy = {
2573 "Copy is a tree copy",
2574 "Copy is a file copy"
2576 static const true_false_string tfs_cf_ea_action = {
/*
 * Dissects the 2-byte Flags field of a Copy request: reads a little-endian
 * 16-bit mask, adds a "Flags" text item with a subtree, and decodes seven
 * flag bits from it. It shares the ett_smb_move_copy_flags subtree type
 * with dissect_move_flags().
 * NOTE(review): the `mask` declaration and the returned offset are on lines
 * this listing omits.
 */
2581 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2584 proto_item *item = NULL;
2585 proto_tree *tree = NULL;
2587 mask = tvb_get_letohs(tvb, offset);
2590 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2591 "Flags: 0x%04x", mask);
2592 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2595 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2596 tvb, offset, 2, mask);
2597 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2598 tvb, offset, 2, mask);
2599 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2600 tvb, offset, 2, mask);
2601 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2602 tvb, offset, 2, mask);
2603 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2604 tvb, offset, 2, mask);
2605 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2606 tvb, offset, 2, mask);
2607 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2608 tvb, offset, 2, mask);
/*
 * Dissects a Move request: the target TID, the Open Function and Move Flags
 * words, then the old and the new file name, each preceded by a
 * buffer-format byte. Both names are appended to the Info column.
 * The names are peer-controlled; every place they are formatted for display
 * here goes through format_text(), which shows non-printable bytes escaped.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
2616 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2618 smb_info_t *si = pinfo->private_data;
2625 DISSECTOR_ASSERT(si);
2630 tid = tvb_get_letohs(tvb, offset);
2631 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2632 "TID (target): 0x%04x", tid);
2636 offset = dissect_open_function(tvb, tree, offset);
2639 offset = dissect_move_flags(tvb, tree, offset);
2644 CHECK_BYTE_COUNT(1);
2645 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2649 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2653 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2654 fn_len, fn, "Old File Name: %s", format_text(fn, strlen(fn)));
2655 COUNT_BYTES(fn_len);
2657 if (check_col(pinfo->cinfo, COL_INFO)) {
2658 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
2659 format_text(fn, strlen(fn)));
2663 CHECK_BYTE_COUNT(1);
2664 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2668 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2672 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2673 fn_len, fn, "New File Name: %s", format_text(fn, strlen(fn)));
2674 COUNT_BYTES(fn_len);
2676 if (check_col(pinfo->cinfo, COL_INFO)) {
2677 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
2678 format_text(fn, strlen(fn)));
/*
 * Dissects a Copy request: the target TID, the Open Function and Copy Flags
 * words, then the source and the destination file name, each preceded by a
 * buffer-format byte. Both names are appended to the Info column after
 * format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
2687 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2689 smb_info_t *si = pinfo->private_data;
2696 DISSECTOR_ASSERT(si);
2701 tid = tvb_get_letohs(tvb, offset);
2702 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2703 "TID (target): 0x%04x", tid);
2707 offset = dissect_open_function(tvb, tree, offset);
2710 offset = dissect_copy_flags(tvb, tree, offset);
2715 CHECK_BYTE_COUNT(1);
2716 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2720 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2724 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2725 fn_len, fn, "Source File Name: %s", format_text(fn, strlen(fn)));
2726 COUNT_BYTES(fn_len);
2728 if (check_col(pinfo->cinfo, COL_INFO)) {
2729 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s",
2730 format_text(fn, strlen(fn)));
2734 CHECK_BYTE_COUNT(1);
2735 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2739 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2743 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2744 fn_len, fn, "Destination File Name: %s",
2745 format_text(fn, strlen(fn)));
2746 COUNT_BYTES(fn_len);
2748 if (check_col(pinfo->cinfo, COL_INFO)) {
2749 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s",
2750 format_text(fn, strlen(fn)));
/*
 * Dissects the response shared by Move and Copy: a 2-byte count of files
 * moved, then a buffer-format byte and a file name (Unicode or ASCII
 * according to si->unicode).
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
2759 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2761 smb_info_t *si = pinfo->private_data;
2767 DISSECTOR_ASSERT(si);
2771 /* # of files moved */
2772 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
2778 CHECK_BYTE_COUNT(1);
2779 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2783 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2787 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2789 COUNT_BYTES(fn_len);
/*
 * Dissects an Open File request: desired access, search attributes, then a
 * buffer-format byte and the file name, which is also appended to the Info
 * column after format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
2797 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2799 smb_info_t *si = pinfo->private_data;
2805 DISSECTOR_ASSERT(si);
2809 /* desired access */
2810 offset = dissect_access(tvb, tree, offset, "Desired");
2812 /* Search Attributes */
2813 offset = dissect_search_attributes(tvb, tree, offset);
2818 CHECK_BYTE_COUNT(1);
2819 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2823 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2827 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2829 COUNT_BYTES(fn_len);
2831 if (check_col(pinfo->cinfo, COL_INFO)) {
2832 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2833 format_text(fn, strlen(fn)));
/*
 * Adds a FID item covering `len` bytes at `offset` to the tree and, when the
 * Info column is being filled in, appends the FID to it in hex.
 * Callers in this file pass len 0 when the FID was remembered from an
 * earlier request rather than read from the current packet.
 */
2842 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2843 int len, guint16 fid)
2845 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2846 if (check_col(pinfo->cinfo, COL_INFO))
2847 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
/*
 * Dissects an Open File response: the FID, file attributes, last write
 * time, a 4-byte file size and the granted access.
 * NOTE(review): `pinfo` is tagged _U_ in the signature but is passed to
 * add_fid() below.
 */
2851 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2860 fid = tvb_get_letohs(tvb, offset);
2861 add_fid(tvb, pinfo, tree, offset, 2, fid);
2864 /* File Attributes */
2865 offset = dissect_file_attributes(tvb, tree, offset, 2);
2867 /* last write time */
2868 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
2871 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2874 /* granted access */
2875 offset = dissect_access(tvb, tree, offset, "Granted");
/*
 * Dissects a message whose only visible parameter is a 2-byte FID, read
 * little-endian and reported through add_fid().
 */
2885 dissect_fid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2894 fid = tvb_get_letohs(tvb, offset);
2895 add_fid(tvb, pinfo, tree, offset, 2, fid);
/*
 * Dissects a Create File request: file attributes, creation time, then a
 * buffer-format byte and the file name, which is also appended to the Info
 * column after format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
2906 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2908 smb_info_t *si = pinfo->private_data;
2914 DISSECTOR_ASSERT(si);
2918 /* file attributes */
2919 offset = dissect_file_attributes(tvb, tree, offset, 2);
2922 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
2927 CHECK_BYTE_COUNT(1);
2928 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2932 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2936 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2938 COUNT_BYTES(fn_len);
2940 if (check_col(pinfo->cinfo, COL_INFO)) {
2941 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2942 format_text(fn, strlen(fn)));
/*
 * Dissects a Close File request: the 2-byte FID followed by the last write
 * time.
 */
2951 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2959 fid = tvb_get_letohs(tvb, offset);
2960 add_fid(tvb, pinfo, tree, offset, 2, fid);
2963 /* last write time */
2964 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/*
 * Dissects a Delete File request: search attributes, then a buffer-format
 * byte and the file name, which is also appended to the Info column after
 * format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
2974 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2976 smb_info_t *si = pinfo->private_data;
2982 DISSECTOR_ASSERT(si);
2986 /* search attributes */
2987 offset = dissect_search_attributes(tvb, tree, offset);
2992 CHECK_BYTE_COUNT(1);
2993 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2997 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3001 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3003 COUNT_BYTES(fn_len);
3005 if (check_col(pinfo->cinfo, COL_INFO)) {
3006 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3007 format_text(fn, strlen(fn)));
/*
 * Dissects a Rename File request: search attributes, then the old and the
 * new file name, each preceded by a buffer-format byte. Both names are
 * appended to the Info column after format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
3016 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3018 smb_info_t *si = pinfo->private_data;
3024 DISSECTOR_ASSERT(si);
3028 /* search attributes */
3029 offset = dissect_search_attributes(tvb, tree, offset);
3034 CHECK_BYTE_COUNT(1);
3035 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3039 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3043 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3045 COUNT_BYTES(fn_len);
3047 if (check_col(pinfo->cinfo, COL_INFO)) {
3048 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3049 format_text(fn, strlen(fn)));
3053 CHECK_BYTE_COUNT(1);
3054 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3058 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3062 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3064 COUNT_BYTES(fn_len);
3066 if (check_col(pinfo->cinfo, COL_INFO)) {
3067 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3068 format_text(fn, strlen(fn)));
/*
 * Dissects an NT Rename File request: search attributes, a 2-byte rename
 * level, a 4-byte cluster count, then the old and the new file name, each
 * preceded by a buffer-format byte. Both names are appended to the Info
 * column after format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
3077 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3079 smb_info_t *si = pinfo->private_data;
3085 DISSECTOR_ASSERT(si);
3089 /* search attributes */
3090 offset = dissect_search_attributes(tvb, tree, offset);
3092 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3095 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3101 CHECK_BYTE_COUNT(1);
3102 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3106 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3110 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3112 COUNT_BYTES(fn_len);
3114 if (check_col(pinfo->cinfo, COL_INFO)) {
3115 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3116 format_text(fn, strlen(fn)));
3120 CHECK_BYTE_COUNT(1);
3121 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3125 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3129 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3131 COUNT_BYTES(fn_len);
3133 if (check_col(pinfo->cinfo, COL_INFO)) {
3134 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3135 format_text(fn, strlen(fn)));
/*
 * Dissects a Query Information request: a buffer-format byte and the file
 * name, which is also appended to the Info column after format_text()
 * escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
3145 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3147 smb_info_t *si = pinfo->private_data;
3153 DISSECTOR_ASSERT(si);
3160 CHECK_BYTE_COUNT(1);
3161 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3165 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3169 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3171 COUNT_BYTES(fn_len);
3173 if (check_col(pinfo->cinfo, COL_INFO)) {
3174 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3175 format_text(fn, strlen(fn)));
/*
 * Dissects a Query Information response: file attributes, last write time,
 * a 4-byte file size and 10 reserved bytes.
 */
3184 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3191 /* File Attributes */
3192 offset = dissect_file_attributes(tvb, tree, offset, 2);
3194 /* Last Write Time */
3195 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3198 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3201 /* 10 reserved bytes */
3202 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
/*
 * Dissects a Set Information request: file attributes, last write time and
 * 10 reserved bytes, then a buffer-format byte and the file name, which is
 * also appended to the Info column after format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
3213 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3215 smb_info_t *si = pinfo->private_data;
3221 DISSECTOR_ASSERT(si);
3225 /* file attributes */
3226 offset = dissect_file_attributes(tvb, tree, offset, 2);
3228 /* last write time */
3229 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3231 /* 10 reserved bytes */
3232 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3238 CHECK_BYTE_COUNT(1);
3239 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3243 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3247 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3249 COUNT_BYTES(fn_len);
3251 if (check_col(pinfo->cinfo, COL_INFO)) {
3252 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3253 format_text(fn, strlen(fn)));
/*
 * Dissects a Read File request: FID, 2-byte count, 4-byte offset and a
 * 2-byte "remaining" field. The count and offset are summarised in the Info
 * column, and on the first pass over the frame the FID is stored in the
 * request/response state so the response can be tied back to it.
 * NOTE(review): `pinfo` is tagged _U_ in the signature but is read below.
 */
3262 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3273 fid = tvb_get_letohs(tvb, offset);
3274 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
3276 if (!pinfo->fd->flags.visited) {
3277 /* remember the FID for the processing of the response */
3278 si = (smb_info_t *)pinfo->private_data;
3279 DISSECTOR_ASSERT(si);
/* NOTE(review): si->sip is dereferenced here with no NULL check visible in
 * this listing, while dissect_read_file_response() tests si->sip != NULL
 * before reading it - confirm a guard exists on the omitted line. */
3281 si->sip->extra_info=GUINT_TO_POINTER(fid);
3282 si->sip->extra_info_type=SMB_EI_FID;
3287 cnt = tvb_get_letohs(tvb, offset);
3288 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3292 ofs = tvb_get_letohl(tvb, offset);
3293 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3296 if (check_col(pinfo->cinfo, COL_INFO))
3297 col_append_fstr(pinfo->cinfo, COL_INFO,
3298 ", %u byte%s at offset %u", cnt,
3299 (cnt == 1) ? "" : "s", ofs);
3302 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Adds the file-data portion of a read or write to the tree: optional
 * leading padding of bc-datalen bytes, then the data itself. When the
 * capture holds fewer bytes than the declared count, an "Incomplete" item is
 * built over only the tvblen bytes that are present.
 * NOTE(review): the conditions selecting the padding branch and the
 * incomplete branch are on lines this listing omits.
 */
3313 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
/* bc and datalen are both peer-derived guint16 values, so bc-datalen is only
 * a usable padding length when bc > datalen - confirm the omitted guard
 * enforces that before this item is added. */
3318 /* We have some initial padding bytes. */
3319 /* XXX - use the data offset here instead? */
3320 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3322 offset += bc-datalen;
/* tvblen is the number of captured bytes left from offset. */
3325 tvblen = tvb_length_remaining(tvb, offset);
3327 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3330 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
/*
 * Hands read/write data on a pipe to the DCERPC-over-pipe dissector.
 * Skips bc-datalen padding bytes, then builds a sub-tvb whose available
 * length is the captured remainder (tvblen) and whose reported length is bc,
 * and passes it to dissect_pipe_dcerpc() together with the FID.
 * NOTE(review): the condition guarding the padding branch is on a line this
 * listing omits; as in dissect_file_data(), bc-datalen is only meaningful
 * when bc > datalen.
 */
3337 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3338 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3341 tvbuff_t *dcerpc_tvb;
3344 /* We have some initial padding bytes. */
3345 /* XXX - use the data offset here instead? */
3346 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3348 offset += bc-datalen;
3351 tvblen = tvb_length_remaining(tvb, offset);
3352 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3353 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3362 * transporting DCERPC over SMB seems to be implemented in various
3363 * ways. We might just assume it can be done by an almost random
3364 * mix of Trans/Read/Write calls
3366 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
3367 * and let him sort them out
/*
 * Chooses how to dissect read/write payload. The data goes to the DCERPC
 * path only when request/response state exists, that state is flagged
 * SMB_SIF_TID_IS_IPC, and the file offset is 0; everything else is shown as
 * ordinary file data.
 */
3370 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
3371 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
3372 guint16 datalen, guint32 ofs, guint16 fid)
3374 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3376 DISSECTOR_ASSERT(si);
/* si->sip is tested for NULL before its flags are read. */
3378 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3380 return dissect_file_data_dcerpc(tvb, pinfo, tree,
3381 top_tree, offset, bc, datalen, fid);
3383 /* ordinary file data */
3384 return dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Dissects a Read File response: 2-byte count, 8 reserved bytes, then a
 * buffer-format byte, a 2-byte data length and the data itself, which may be
 * DCERPC when the read was on a pipe.
 * If the matching request was seen, the FID remembered from it is shown as a
 * zero-length item, since the FID is not carried in this packet.
 * NOTE(review): `pinfo` is tagged _U_ in the signature but is read below;
 * `top_tree` is not a parameter here, so it is presumably file-scope state -
 * confirm against the full file.
 */
3389 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3393 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3396 DISSECTOR_ASSERT(si);
3401 cnt = tvb_get_letohs(tvb, offset);
3402 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3405 /* 8 reserved bytes */
3406 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3409 /* If we have seen the request, then print which FID this refers to */
3410 /* first check if we have seen the request */
3411 if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type == SMB_EI_FID){
/* The request stored the value with GUINT_TO_POINTER; it is read back with
 * GPOINTER_TO_INT and narrowed to guint16 when used. */
3412 fid=GPOINTER_TO_INT(si->sip->extra_info);
3413 add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
3419 CHECK_BYTE_COUNT(1);
3420 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3424 CHECK_BYTE_COUNT(2);
3425 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/* bc is passed as both the byte count and the data length, so the callee
 * sees no padding; the file offset is passed as 0. */
3428 /* file data, might be DCERPC on a pipe */
3430 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3431 top_tree, offset, bc, bc, 0, (guint16) fid);
/*
 * Dissects a Lock And Read response: 2-byte count, 8 reserved bytes, then a
 * buffer-format byte and a 2-byte data length.
 * NOTE(review): no statement adding the data bytes themselves is visible in
 * this listing; whether one exists on an omitted line cannot be told from
 * here.
 */
3441 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3449 cnt = tvb_get_letohs(tvb, offset);
3450 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3453 /* 8 reserved bytes */
3454 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3460 CHECK_BYTE_COUNT(1);
3461 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3465 CHECK_BYTE_COUNT(2);
3466 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/*
 * Dissects a Write File request: FID, 2-byte count, 4-byte offset and a
 * 2-byte "remaining" field, then a buffer-format byte, a 2-byte data length
 * and the data, which may be DCERPC when the write is on a pipe. The count
 * and offset are summarised in the Info column.
 * NOTE(review): `pinfo` is tagged _U_ in the signature but is read below;
 * `top_tree` is not a parameter here, so it is presumably file-scope state -
 * confirm against the full file.
 */
3476 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3479 guint16 cnt=0, bc, fid=0;
3485 fid = tvb_get_letohs(tvb, offset);
3486 add_fid(tvb, pinfo, tree, offset, 2, fid);
3490 cnt = tvb_get_letohs(tvb, offset);
3491 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3495 ofs = tvb_get_letohl(tvb, offset);
3496 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3499 if (check_col(pinfo->cinfo, COL_INFO))
3500 col_append_fstr(pinfo->cinfo, COL_INFO,
3501 ", %u byte%s at offset %u", cnt,
3502 (cnt == 1) ? "" : "s", ofs);
3505 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3511 CHECK_BYTE_COUNT(1);
3512 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3516 CHECK_BYTE_COUNT(2);
3517 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/* bc is passed as both the byte count and the data length; the real file
 * offset is passed so only writes at offset 0 are tried as DCERPC. */
3520 /* file data, might be DCERPC on a pipe */
3522 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3523 top_tree, offset, bc, bc, ofs, fid);
/*
 * Dissects a Write File response: the 2-byte count of bytes written, which
 * is also appended to the Info column.
 * NOTE(review): `pinfo` is tagged _U_ in the signature but is read below.
 */
3533 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3541 cnt = tvb_get_letohs(tvb, offset);
3542 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3545 if (check_col(pinfo->cinfo, COL_INFO))
3546 col_append_fstr(pinfo->cinfo, COL_INFO,
3547 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
/*
 * Dissects a Lock request: the 2-byte FID, then a 4-byte count and a 4-byte
 * offset describing the byte range.
 */
3557 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3565 fid = tvb_get_letohs(tvb, offset);
3566 add_fid(tvb, pinfo, tree, offset, 2, fid);
3570 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3574 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/*
 * Dissects a Create Temporary request: 2 reserved bytes, the creation time,
 * then a buffer-format byte and the directory name, which is also appended
 * to the Info column after format_text() escaping.
 * NOTE(review): declarations and the assignment of `bc` are on lines this
 * listing omits.
 */
3585 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3587 smb_info_t *si = pinfo->private_data;
3593 DISSECTOR_ASSERT(si);
3597 /* 2 reserved bytes */
3598 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3602 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3607 CHECK_BYTE_COUNT(1);
3608 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3611 /* directory name */
3612 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3616 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3618 COUNT_BYTES(fn_len);
3620 if (check_col(pinfo->cinfo, COL_INFO)) {
3621 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3622 format_text(fn, strlen(fn)));
/*
 * Create Temporary response: adds the FID, a buffer format byte and the
 * file name string.
 */
3631 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* per-packet SMB state; si->unicode selects the string encoding below */
3633 smb_info_t *si = pinfo->private_data;
3639 DISSECTOR_ASSERT(si);
3644 fid = tvb_get_letohs(tvb, offset);
3645 add_fid(tvb, pinfo, tree, offset, 2, fid);
3651 CHECK_BYTE_COUNT(1);
3652 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* file name taken from the packet; fn_len is filled in by the helper */
3656 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3660 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3662 COUNT_BYTES(fn_len);
/* Display names for seek mode values 0-2 (the origin a seek is relative to). */
3669 static const value_string seek_mode_vals[] = {
3670 {0, "From Start Of File"},
3671 {1, "From Current Position"},
3672 {2, "From End Of File"},
/*
 * Seek File request: adds the FID, the 2-byte seek mode and the 4-byte
 * offset.
 */
3677 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3685 fid = tvb_get_letohs(tvb, offset);
3686 add_fid(tvb, pinfo, tree, offset, 2, fid);
3690 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3694 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Seek File response: adds the 4-byte offset field. */
3705 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3713 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/*
 * Set Information2 request: adds the FID followed by three DOS date/time
 * pairs (create, access, last write), each decoded by
 * dissect_smb_datetime(), which returns the new offset.
 */
3724 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3732 fid = tvb_get_letohs(tvb, offset);
3733 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* create time */
3737 offset = dissect_smb_datetime(tvb, tree, offset,
3739 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
/* access time */
3742 offset = dissect_smb_datetime(tvb, tree, offset,
3744 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3746 /* last write time */
3747 offset = dissect_smb_datetime(tvb, tree, offset,
3748 hf_smb_last_write_time,
3749 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
/*
 * Query Information2 response: three DOS date/time pairs (create, access,
 * last write), then 4-byte data size, 4-byte allocation size and the
 * file attributes.
 */
3759 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* create time */
3767 offset = dissect_smb_datetime(tvb, tree, offset,
3769 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
/* access time */
3772 offset = dissect_smb_datetime(tvb, tree, offset,
3774 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3776 /* last write time */
3777 offset = dissect_smb_datetime(tvb, tree, offset,
3778 hf_smb_last_write_time,
3779 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
/* data size */
3782 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3785 /* allocation size */
3786 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3789 /* File Attributes */
3790 offset = dissect_file_attributes(tvb, tree, offset, 2);
/*
 * Write And Close request: FID, 2-byte count, 4-byte offset, last write
 * time, 12 reserved bytes, one padding byte, then the file data.
 */
3800 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3809 fid = tvb_get_letohs(tvb, offset);
3810 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* cnt is taken from the packet and later sizes the file data */
3814 cnt = tvb_get_letohs(tvb, offset);
3815 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3819 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3822 /* last write time */
3823 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3826 /* 12 reserved bytes */
3827 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3834 CHECK_BYTE_COUNT(1);
3835 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
/*
 * NOTE(review): cnt is passed in both trailing argument positions, where
 * dissect_read_mpx_response and the write raw/mpx requests pass the byte
 * count (bc) and the data length. Nothing here compares the packet-supplied
 * cnt with the bytes actually remaining, so that bound has to be enforced
 * inside dissect_file_data() — confirm.
 */
3838 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
/* Write And Close response: adds the 2-byte count field. */
3847 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3855 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
/*
 * Read Raw request: FID, 4-byte offset, 2-byte max and min counts, 4-byte
 * timeout, 2 reserved bytes and a 4-byte high offset.
 * NOTE(review): whether the high offset is conditional (e.g. on the word
 * count) cannot be told from the lines visible in this listing.
 */
3866 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3875 fid = tvb_get_letohs(tvb, offset);
3876 add_fid(tvb, pinfo, tree, offset, 2, fid);
3880 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3884 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3888 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
/* timeout is read as a 32-bit value and rendered by time_msecs_to_str() */
3892 to = tvb_get_letohl(tvb, offset);
3893 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3896 /* 2 reserved bytes */
3897 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* high offset */
3902 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/*
 * Query Information Disk response: four 2-byte fields (units, bpu,
 * block size, free units) followed by 2 reserved bytes.
 */
3914 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3922 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3926 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3930 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3934 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3937 /* 2 reserved bytes */
3938 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/*
 * Read MPX request: FID, 4-byte offset, 2-byte max and min counts and
 * 6 reserved bytes.
 */
3949 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3957 fid = tvb_get_letohs(tvb, offset);
3958 add_fid(tvb, pinfo, tree, offset, 2, fid);
3962 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3966 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3970 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3973 /* 6 reserved bytes */
3974 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
/*
 * Read MPX response: 4-byte offset, 2-byte count, reserved bytes, data
 * compaction mode, data length and data offset, then the file data.
 */
3985 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3987 guint16 datalen=0, bc;
3993 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3997 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4000 /* 2 reserved bytes */
4001 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4004 /* data compaction mode */
4005 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4008 /* 2 reserved bytes */
4009 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* datalen is packet-supplied; it is handed to dissect_file_data() with bc */
4013 datalen = tvb_get_letohs(tvb, offset);
4014 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* the data offset is displayed only; the visible lines do not use it to locate the data */
4018 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4024 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Display strings for the Write Mode flag bits. In each pair the first
 * string is shown when the bit is set and the second when it is clear.
 */
4033 static const true_false_string tfs_write_mode_write_through = {
4034 "WRITE THROUGH requested",
4035 "Write through not requested"
4037 static const true_false_string tfs_write_mode_return_remaining = {
4038 "RETURN REMAINING (pipe/dev) requested",
4039 "DON'T return remaining (pipe/dev)"
4041 static const true_false_string tfs_write_mode_raw = {
4042 "Use WriteRawNamedPipe (pipe)",
4043 "DON'T use WriteRawNamedPipe (pipe)"
4045 static const true_false_string tfs_write_mode_message_start = {
4046 "This is the START of a MESSAGE (pipe)",
4047 "This is NOT the start of a message (pipe)"
4049 static const true_false_string tfs_write_mode_connectionless = {
4050 "CONNECTIONLESS mode requested",
4051 "Connectionless mode NOT requested"
/*
 * Bit masks within the 16-bit Write Mode word. dissect_write_mode() tests
 * these against its bm argument to decide which flag rows to show.
 */
4054 #define WRITE_MODE_CONNECTIONLESS 0x0080
4055 #define WRITE_MODE_MESSAGE_START 0x0008
4056 #define WRITE_MODE_RAW 0x0004
4057 #define WRITE_MODE_RETURN_REMAINING 0x0002
4058 #define WRITE_MODE_WRITE_THROUGH 0x0001
/*
 * Decodes the 2-byte Write Mode word at offset into a "Write Mode" subtree.
 *
 * bm is a caller-chosen set of WRITE_MODE_* bits: a flag row is added only
 * if its bit is set in bm. The displayed value of each row comes from mask,
 * the word read from the packet.
 */
4061 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4064 proto_item *item = NULL;
4065 proto_tree *tree = NULL;
/* the flag word as it appears in the packet (little-endian) */
4067 mask = tvb_get_letohs(tvb, offset);
4070 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4071 "Write Mode: 0x%04x", mask);
4072 tree = proto_item_add_subtree(item, ett_smb_rawmode);
/* each test below is on bm (which rows apply), not on mask (what is set) */
4075 if(bm&WRITE_MODE_CONNECTIONLESS){
4076 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4077 tvb, offset, 2, mask);
4079 if(bm&WRITE_MODE_MESSAGE_START){
4080 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4081 tvb, offset, 2, mask);
4083 if(bm&WRITE_MODE_RAW){
4084 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4085 tvb, offset, 2, mask);
4087 if(bm&WRITE_MODE_RETURN_REMAINING){
4088 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4089 tvb, offset, 2, mask);
4091 if(bm&WRITE_MODE_WRITE_THROUGH){
4092 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4093 tvb, offset, 2, mask);
/*
 * Write Raw request: FID, total data length, reserved bytes, offset,
 * timeout, write mode, more reserved bytes, data length and data offset,
 * then the file data.
 */
4101 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4104 guint16 datalen=0, bc, fid;
4110 fid = tvb_get_letohs(tvb, offset);
4111 add_fid(tvb, pinfo, tree, offset, 2, fid);
4114 /* total data length */
4115 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4118 /* 2 reserved bytes */
4119 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4123 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4127 to = tvb_get_letohl(tvb, offset);
4128 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/* 0x0003 = WRITE_MODE_RETURN_REMAINING | WRITE_MODE_WRITE_THROUGH */
4132 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4134 /* 4 reserved bytes */
4135 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* datalen is packet-supplied; it is handed to dissect_file_data() with bc */
4139 datalen = tvb_get_letohs(tvb, offset);
4140 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* the data offset is shown but not used to position the data (see XXX) */
4144 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4150 /* XXX - use the data offset to determine where the data starts? */
4151 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/* Write Raw response: adds the 2-byte "remaining" field. */
4160 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4168 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Write MPX request: FID, total data length, reserved bytes, offset,
 * timeout, write mode, request mask, data length and data offset, then
 * the file data.
 */
4179 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4182 guint16 datalen=0, bc, fid;
4188 fid = tvb_get_letohs(tvb, offset);
4189 add_fid(tvb, pinfo, tree, offset, 2, fid);
4192 /* total data length */
4193 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4196 /* 2 reserved bytes */
4197 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4201 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4205 to = tvb_get_letohl(tvb, offset);
4206 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/*
 * 0x0083 = WRITE_MODE_CONNECTIONLESS | WRITE_MODE_RETURN_REMAINING |
 * WRITE_MODE_WRITE_THROUGH
 */
4210 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
4213 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
/* datalen is packet-supplied; it is handed to dissect_file_data() with bc */
4217 datalen = tvb_get_letohs(tvb, offset);
4218 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* the data offset is shown but not used to position the data (see XXX) */
4222 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4228 /* XXX - use the data offset to determine where the data starts? */
4229 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/* Write MPX response: adds the 4-byte response mask. */
4238 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4246 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
/* Adds the 2-byte search id field (hf_smb_search_id). */
4257 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4265 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/*
 * Decodes a 21-byte search resume key into its own subtree: 1 reserved
 * byte, an 11-byte file name, then either a 1-byte find id plus a 4-byte
 * server cookie or a 5-byte server cookie, and a 4-byte client cookie.
 *
 * bcp points to the caller's remaining byte count and trunc to its
 * truncation flag; the *_SUBR macros presumably update both (their
 * definitions are outside this listing). The two server-cookie layouts are
 * presumably selected by has_find_id — the branch lines are not visible.
 */
4276 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4277 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4278 gboolean has_find_id)
4280 proto_item *item = NULL;
4281 proto_tree *tree = NULL;
4282 smb_info_t *si = pinfo->private_data;
4287 DISSECTOR_ASSERT(si);
4290 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4292 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4296 CHECK_BYTE_COUNT_SUBR(1);
4297 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4298 COUNT_BYTES_SUBR(1);
/* file name: fixed-width field taken from the packet */
4302 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4304 CHECK_STRING_SUBR(fn);
4305 /* ensure that it's null-terminated */
/*
 * NOTE(review): strncpy() copies at most 11 bytes and writes no terminator
 * when fn is 11 bytes or longer, so the call alone does not guarantee
 * termination. That depends on an explicit store to fname[11] and on fname
 * holding at least 12 bytes; neither the store nor the declaration of
 * fname is visible in this listing — confirm both.
 */
4306 strncpy(fname, fn, 11);
4308 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4310 COUNT_BYTES_SUBR(fn_len);
/* layout with a find id: 1-byte find id + 4-byte server cookie */
4313 CHECK_BYTE_COUNT_SUBR(1);
4314 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
4315 COUNT_BYTES_SUBR(1);
4318 CHECK_BYTE_COUNT_SUBR(4);
4319 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
4320 COUNT_BYTES_SUBR(4);
/* layout without a find id: 5-byte server cookie */
4323 CHECK_BYTE_COUNT_SUBR(5);
4324 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4325 COUNT_BYTES_SUBR(5);
/* client cookie */
4329 CHECK_BYTE_COUNT_SUBR(4);
4330 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4331 COUNT_BYTES_SUBR(4);
/*
 * Decodes one "Directory Information" entry of a search response: a resume
 * key, the file attributes, the last write date/time, a 4-byte file size
 * and the file name.
 *
 * bcp and trunc are the caller's remaining byte count and truncation flag,
 * passed on to dissect_search_resume_key().
 * NOTE(review): the item is created with length 46, while the field sizes
 * visible here add up to 21 + 1 + 4 + 4 + 13 = 43 (taking 13 from the
 * strncpy bound) — confirm the intended entry size.
 */
4338 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4339 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4340 gboolean has_find_id)
4342 proto_item *item = NULL;
4343 proto_tree *tree = NULL;
4344 smb_info_t *si = pinfo->private_data;
4349 DISSECTOR_ASSERT(si);
4352 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4353 "Directory Information");
4354 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
/* resume key */
4358 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
4359 trunc, has_find_id);
4363 /* File Attributes */
4364 CHECK_BYTE_COUNT_SUBR(1);
4365 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
4368 /* last write time */
4369 CHECK_BYTE_COUNT_SUBR(4);
4370 offset = dissect_smb_datetime(tvb, tree, offset,
4371 hf_smb_last_write_time,
4372 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
/* file size */
4377 CHECK_BYTE_COUNT_SUBR(4);
4378 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4379 COUNT_BYTES_SUBR(4);
/* file name: taken from the packet */
4383 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4385 CHECK_STRING_SUBR(fn);
4386 /* ensure that it's null-terminated */
/*
 * NOTE(review): strncpy() copies at most 13 bytes and writes no terminator
 * when fn is 13 bytes or longer. Termination depends on an explicit store
 * to fname[13] and on fname holding at least 14 bytes; neither is visible
 * in this listing — confirm both.
 */
4387 strncpy(fname, fn, 13);
4389 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4391 COUNT_BYTES_SUBR(fn_len);
/*
 * Shared body of the Search, Find and Find Close requests: max count,
 * search attributes, a buffer format byte and file name, then a second
 * buffer format byte, the resume key length and the resume key.
 *
 * has_find_id is forwarded to dissect_search_resume_key() to pick the
 * resume key layout.
 */
4399 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
4400 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4401 gboolean has_find_id)
4403 smb_info_t *si = pinfo->private_data;
4411 DISSECTOR_ASSERT(si);
4416 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4419 /* Search Attributes */
4420 offset = dissect_search_attributes(tvb, tree, offset);
4425 CHECK_BYTE_COUNT(1);
4426 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* file name (search pattern) taken from the packet */
4430 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4434 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4436 COUNT_BYTES(fn_len);
/*
 * The name is passed through format_text() before it reaches the column.
 * NOTE(review): strlen(fn) needs fn to be non-NULL; the NULL check, if
 * any, is not visible in this listing — confirm it exists.
 */
4438 if (check_col(pinfo->cinfo, COL_INFO)) {
4439 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
4440 format_text(fn, strlen(fn)));
4444 CHECK_BYTE_COUNT(1);
4445 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4448 /* resume key length */
4449 CHECK_BYTE_COUNT(2);
4450 rkl = tvb_get_letohs(tvb, offset);
4451 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
/*
 * The resume key is decoded with its fixed layout; rkl is not passed to
 * the helper, which works from the remaining byte count in bc instead.
 */
4456 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4457 &bc, &trunc, has_find_id);
/*
 * Search Directory request: thin wrapper around
 * dissect_search_find_request(). The trailing arguments of the call
 * (including has_find_id) are on a line this listing does not show.
 * NOTE(review): pinfo is tagged _U_ but is passed on.
 */
4468 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4469 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4471 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Find request: thin wrapper around dissect_search_find_request(). The
 * trailing arguments of the call (including has_find_id) are on a line
 * this listing does not show.
 */
4476 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4477 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4479 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Find Close request: thin wrapper around dissect_search_find_request().
 * The trailing arguments of the call (including has_find_id) are on a line
 * this listing does not show.
 */
4484 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4485 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4487 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Shared body of the Search and Find responses: a 2-byte entry count, a
 * buffer format byte, a 2-byte data length, then directory information
 * entries decoded by dissect_search_dir_info().
 *
 * NOTE(review): count is packet-supplied. The loop that consumes it is not
 * visible in this listing; bc and trunc are passed by address to the entry
 * decoder, presumably so the loop can stop when the byte count runs out —
 * confirm the loop also tests trunc.
 */
4492 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4493 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4494 gboolean has_find_id)
4504 count = tvb_get_letohs(tvb, offset);
4505 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4511 CHECK_BYTE_COUNT(1);
4512 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4516 CHECK_BYTE_COUNT(2);
4517 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/* one directory information entry */
4521 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4522 &bc, &trunc, has_find_id);
/*
 * Search Directory response: thin wrapper around
 * dissect_search_find_response(). The has_find_id argument is on a line
 * this listing does not show.
 */
4533 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4535 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/*
 * Find response: thin wrapper around dissect_search_find_response(). The
 * has_find_id argument is on a line this listing does not show.
 */
4540 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4542 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/*
 * Find Close response: 2 reserved bytes, a buffer format byte, a 2-byte
 * data length and, if that length is non-zero, that many bytes shown as
 * reserved data.
 */
4547 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4548 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4557 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4563 CHECK_BYTE_COUNT(1);
4564 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4568 CHECK_BYTE_COUNT(2);
/*
 * NOTE(review): this length is read big-endian (tvb_get_ntohs), whereas the
 * other 16-bit lengths in this file, e.g. datalen in
 * dissect_read_mpx_response, are read with tvb_get_letohs. On a
 * little-endian wire format that swaps the bytes of the value — confirm
 * which order is intended.
 */
4569 data_len = tvb_get_ntohs(tvb, offset);
4570 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
/*
 * data_len is packet-supplied; CHECK_BYTE_COUNT(data_len) runs before the
 * value is used as an item length (presumably rejecting a length larger
 * than the remaining byte count).
 */
4573 if (data_len != 0) {
4574 CHECK_BYTE_COUNT(data_len);
4575 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
4577 COUNT_BYTES(data_len);
/* Display names for the oplock level byte of Locking AndX. */
4585 static const value_string locking_ol_vals[] = {
4586 {0, "Client is not holding oplock on this file"},
4587 {1, "Level 2 oplock currently held by client"},
/*
 * Display strings for the Locking AndX lock type flag bits; in each pair
 * the first string is shown when the bit is set, the second when clear.
 */
4591 static const true_false_string tfs_lock_type_large = {
4592 "Large file locking format requested",
4593 "Large file locking format not requested"
4595 static const true_false_string tfs_lock_type_cancel = {
4596 "Cancel outstanding lock request",
4597 "Don't cancel outstanding lock request"
/* (the "set" string of this pair is on a line this listing does not show) */
4599 static const true_false_string tfs_lock_type_change = {
4601 "Don't change lock type"
4603 static const true_false_string tfs_lock_type_oplock = {
4604 "This is an oplock break notification/response",
4605 "This is not an oplock break notification/response"
4607 static const true_false_string tfs_lock_type_shared = {
4608 "This is a shared lock",
4609 "This is an exclusive lock"
/*
 * Locking AndX request: AndX header (next command, reserved byte, AndX
 * offset), FID, lock type flags, oplock level, timeout, the numbers of
 * unlocks and locks, then the unlock and lock range lists, and finally the
 * chained AndX command.
 *
 * Each range is shown in one of two layouts: the large format (20 bytes:
 * PID, 2 reserved bytes, 64-bit offset, 64-bit length) or the normal
 * format (10 bytes: PID, 32-bit offset, 32-bit count). The layout is
 * presumably chosen from the lock type flags; the selecting lines and the
 * loops over un and ln are not visible in this listing.
 */
4612 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4614 guint8 wc, cmd=0xff, lt=0;
4615 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4617 proto_item *litem = NULL;
4618 proto_tree *ltree = NULL;
4619 proto_item *it = NULL;
4620 proto_tree *tr = NULL;
/* start of the list being dissected; used to size its tree item */
4621 int old_offset = offset;
4625 /* next smb command */
4626 cmd = tvb_get_guint8(tvb, offset);
4628 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4630 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4635 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* packet-supplied offset of the chained command; validated before use below */
4639 andxoffset = tvb_get_letohs(tvb, offset);
4640 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4644 fid = tvb_get_letohs(tvb, offset);
4645 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* lock type: one byte, decoded as five flag rows over the same byte */
4649 lt = tvb_get_guint8(tvb, offset);
4651 litem = proto_tree_add_text(tree, tvb, offset, 1,
4652 "Lock Type: 0x%02x", lt);
4653 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4655 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4656 tvb, offset, 1, lt);
4657 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4658 tvb, offset, 1, lt);
4659 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4660 tvb, offset, 1, lt);
4661 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4662 tvb, offset, 1, lt);
4663 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4664 tvb, offset, 1, lt);
/* oplock level */
4668 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
/* timeout: 0 and 0xffffffff get fixed labels, anything else is formatted */
4672 to = tvb_get_letohl(tvb, offset);
4674 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4675 else if (to == 0xffffffff)
4676 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4678 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/*
 * un and ln are packet-supplied entry counts. Every field read in the
 * lists below is preceded by CHECK_BYTE_COUNT, so decoding is bounded by
 * the byte count rather than by these counts alone.
 */
4681 /* number of unlocks */
4682 un = tvb_get_letohs(tvb, offset);
4683 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4686 /* number of locks */
4687 ln = tvb_get_letohs(tvb, offset);
4688 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
/* ---- unlock list: created with length -1, sized once decoding ends ---- */
4695 old_offset = offset;
4697 it = proto_tree_add_text(tree, tvb, offset, -1,
4699 tr = proto_item_add_subtree(it, ett_smb_unlocks);
/*
 * These re-declare litem/ltree, shadowing the function-level pair above
 * (presumably inside the loop body; the braces are not visible here).
 */
4701 proto_item *litem = NULL;
4702 proto_tree *ltree = NULL;
4706 /* large lock format */
4707 litem = proto_tree_add_text(tr, tvb, offset, 20,
4709 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4712 CHECK_BYTE_COUNT(2);
4713 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4716 /* 2 reserved bytes */
4717 CHECK_BYTE_COUNT(2);
4718 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* 64-bit offset: the first dword is the high half, the second the low half */
4722 CHECK_BYTE_COUNT(8);
4723 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
4724 | tvb_get_letohl(tvb, offset+4);
4725 proto_tree_add_uint64(ltree, hf_smb_lock_long_offset, tvb, offset, 8, val);
/* 64-bit length, assembled the same way */
4729 CHECK_BYTE_COUNT(8);
4730 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
4731 | tvb_get_letohl(tvb, offset+4);
4732 proto_tree_add_uint64(ltree, hf_smb_lock_long_length, tvb, offset, 8, val);
4735 /* normal lock format */
4736 litem = proto_tree_add_text(tr, tvb, offset, 10,
4738 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4741 CHECK_BYTE_COUNT(2);
4742 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4746 CHECK_BYTE_COUNT(4);
4747 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4751 CHECK_BYTE_COUNT(4);
4752 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
/* size the unlock list item to the bytes actually consumed */
4756 proto_item_set_len(it, offset-old_offset);
/* ---- lock list: same structure as the unlock list ---- */
4762 old_offset = offset;
4764 it = proto_tree_add_text(tree, tvb, offset, -1,
4766 tr = proto_item_add_subtree(it, ett_smb_locks);
4768 proto_item *litem = NULL;
4769 proto_tree *ltree = NULL;
4773 /* large lock format */
4774 litem = proto_tree_add_text(tr, tvb, offset, 20,
4776 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4779 CHECK_BYTE_COUNT(2);
4780 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4783 /* 2 reserved bytes */
4784 CHECK_BYTE_COUNT(2);
4785 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* 64-bit offset: the first dword is the high half, the second the low half */
4789 CHECK_BYTE_COUNT(8);
4790 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
4791 | tvb_get_letohl(tvb, offset+4);
4792 proto_tree_add_uint64(ltree, hf_smb_lock_long_offset, tvb, offset, 8, val);
/* 64-bit length, assembled the same way */
4796 CHECK_BYTE_COUNT(8);
4797 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
4798 | tvb_get_letohl(tvb, offset+4);
4799 proto_tree_add_uint64(ltree, hf_smb_lock_long_length, tvb, offset, 8, val);
4802 /* normal lock format */
4803 litem = proto_tree_add_text(tr, tvb, offset, 10,
/*
 * NOTE(review): this lock entry uses ett_smb_unlock, while the large-format
 * lock entry above uses ett_smb_lock — looks like a copy from the unlock
 * list; confirm which subtree type is intended.
 */
4805 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4808 CHECK_BYTE_COUNT(2);
4809 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4813 CHECK_BYTE_COUNT(4);
4814 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4818 CHECK_BYTE_COUNT(4);
4819 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
/* size the lock list item to the bytes actually consumed */
4823 proto_item_set_len(it, offset-old_offset);
/* truncated-packet path: close off the list item that was in progress */
4831 * We ran out of byte count in the middle of dissecting
4832 * the locks or the unlocks; set the site of the item
4833 * we were dissecting.
4835 proto_item_set_len(it, offset-old_offset);
/*
 * andxoffset comes from the packet. An offset that points back before the
 * bytes already dissected is rejected, which presumably keeps a malformed
 * chain from re-dissecting earlier data.
 * NOTE(review): andxoffset == 0 is exempt from this check; confirm that
 * dissect_smb_command() copes with a zero offset when cmd is not 0xff.
 */
4838 if (andxoffset != 0 && andxoffset < offset)
4839 THROW(ReportedBoundsError);
4841 /* call AndXCommand (if there are any) */
4842 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Locking AndX response: only the AndX header (next command, reserved
 * byte, AndX offset), followed by the chained AndX command.
 */
4848 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4850 guint8 wc, cmd=0xff;
4851 guint16 andxoffset=0;
4856 /* next smb command */
4857 cmd = tvb_get_guint8(tvb, offset);
4859 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4861 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4866 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* packet-supplied offset of the chained command; validated before use below */
4870 andxoffset = tvb_get_letohs(tvb, offset);
4871 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/*
 * Reject an AndX offset that points back before the bytes already
 * dissected. NOTE(review): andxoffset == 0 is exempt from this check;
 * confirm that dissect_smb_command() copes with a zero offset when cmd is
 * not 0xff.
 */
4878 if (andxoffset != 0 && andxoffset < offset)
4879 THROW(ReportedBoundsError);
4881 /* call AndXCommand (if there are any) */
4882 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Display names for the open action value. The 0x8001-0x8003 entries are
 * the 1-3 entries with bit 0x8000 set, labelled as "OpLock was granted".
 */
4888 static const value_string oa_open_vals[] = {
4889 { 0, "No action taken?"},
4890 { 1, "The file existed and was opened"},
4891 { 2, "The file did not exist but was created"},
4892 { 3, "The file existed and was truncated"},
4893 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
4894 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
4895 { 0x8003, "The file existed and was truncated, and an OpLock was granted"},
/* Display strings for the open action lock flag (set / clear). */
4898 static const true_false_string tfs_oa_lock = {
4899 "File is currently opened only by this user",
4900 "File is opened by another user (or mode not supported by server)"
/*
 * Decodes the 2-byte open action word at offset into an "Action" subtree
 * with a lock flag row and an open-result row.
 */
4903 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4906 proto_item *item = NULL;
4907 proto_tree *tree = NULL;
/* the action word as it appears in the packet (little-endian) */
4909 mask = tvb_get_letohs(tvb, offset);
4912 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4913 "Action: 0x%04x", mask);
4914 tree = proto_item_add_subtree(item, ett_smb_open_action);
/*
 * Both rows receive the whole word; which bits each one shows is
 * presumably set by the field's registered bitmask (not visible here).
 */
4917 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4918 tvb, offset, 2, mask);
4919 proto_tree_add_uint(tree, hf_smb_open_action_open,
4920 tvb, offset, 2, mask);
/*
 * Display strings for the Open AndX flag bits; in each pair the first
 * string is shown when the bit is set, the second when clear.
 */
4927 static const true_false_string tfs_open_flags_add_info = {
4928 "Additional information requested",
4929 "Additional information not requested"
4931 static const true_false_string tfs_open_flags_ex_oplock = {
4932 "Exclusive oplock requested",
4933 "Exclusive oplock not requested"
4935 static const true_false_string tfs_open_flags_batch_oplock = {
4936 "Batch oplock requested",
4937 "Batch oplock not requested"
4939 static const true_false_string tfs_open_flags_ealen = {
4940 "Total length of EAs requested",
4941 "Total length of EAs not requested"
/*
 * Decodes the 2-byte open flags word at offset into a "Flags" subtree with
 * up to four flag rows (additional info, exclusive oplock, batch oplock,
 * EA length).
 *
 * bm is a caller-supplied bitmask; presumably it selects which rows are
 * added, as in dissect_write_mode(), but the lines testing it are not
 * visible in this listing.
 */
4944 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4947 proto_item *item = NULL;
4948 proto_tree *tree = NULL;
/* the flag word as it appears in the packet (little-endian) */
4950 mask = tvb_get_letohs(tvb, offset);
4953 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4954 "Flags: 0x%04x", mask);
4955 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4959 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4960 tvb, offset, 2, mask);
4963 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4964 tvb, offset, 2, mask);
4967 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4968 tvb, offset, 2, mask);
4971 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4972 tvb, offset, 2, mask);
/* Display names for file type values 0-3. */
4980 static const value_string filetype_vals[] = {
4981 { 0, "Disk file or directory"},
4982 { 1, "Named pipe in byte mode"},
4983 { 2, "Named pipe in message mode"},
4984 { 3, "Spooled printer"},
/*
 * Open AndX request: AndX header, open flags, desired access, search and
 * file attributes, creation time, open function, allocation size,
 * 8 reserved bytes and the file name (also appended to the Info column as
 * ", Path: ..."), followed by the chained AndX command.
 */
4988 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4990 guint8 wc, cmd=0xff;
4991 guint16 andxoffset=0, bc;
/* per-packet SMB state; si->unicode selects the string encoding below */
4992 smb_info_t *si = pinfo->private_data;
4996 DISSECTOR_ASSERT(si);
5000 /* next smb command */
5001 cmd = tvb_get_guint8(tvb, offset);
5003 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5005 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5010 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* packet-supplied offset of the chained command; validated before use below */
5014 andxoffset = tvb_get_letohs(tvb, offset);
5015 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* open flags; 0x0007 is the bm argument of dissect_open_flags() */
5019 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
5021 /* desired access */
5022 offset = dissect_access(tvb, tree, offset, "Desired");
5024 /* Search Attributes */
5025 offset = dissect_search_attributes(tvb, tree, offset);
5027 /* File Attributes */
5028 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* creation time */
5031 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
/* open function */
5034 offset = dissect_open_function(tvb, tree, offset);
5036 /* allocation size */
5037 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5040 /* 8 reserved bytes */
5041 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
/* file name taken from the packet; fn_len is filled in by the helper */
5047 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5051 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5053 COUNT_BYTES(fn_len);
/*
 * The name is passed through format_text() before it reaches the column.
 * NOTE(review): strlen(fn) needs fn to be non-NULL; the NULL check, if
 * any, is not visible in this listing — confirm it exists.
 */
5055 if (check_col(pinfo->cinfo, COL_INFO)) {
5056 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
5057 format_text(fn, strlen(fn)));
/*
 * Reject an AndX offset that points back before the bytes already
 * dissected. NOTE(review): andxoffset == 0 is exempt from this check;
 * confirm that dissect_smb_command() copes with a zero offset when cmd is
 * not 0xff.
 */
5062 if (andxoffset != 0 && andxoffset < offset)
5063 THROW(ReportedBoundsError);
5065 /* call AndXCommand (if there are any) */
5066 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the IPC state non-blocking flag (set / clear). */
5071 static const true_false_string tfs_ipc_state_nonblocking = {
5072 "Reads/writes return immediately if no data available",
5073 "Reads/writes block if no data available"
/* Display names for the endpoint, pipe type and read mode sub-fields of the IPC state word. */
5075 static const value_string ipc_state_endpoint_vals[] = {
5076 { 0, "Consumer end of pipe"},
5077 { 1, "Server end of pipe"},
5080 static const value_string ipc_state_pipe_type_vals[] = {
5081 { 0, "Byte stream pipe"},
5082 { 1, "Message pipe"},
5085 static const value_string ipc_state_read_mode_vals[] = {
5086 { 0, "Read pipe as a byte stream"},
5087 { 1, "Read messages from pipe"},
/*
 * Decodes the 2-byte IPC state word at offset into an "IPC State" subtree:
 * non-blocking flag, endpoint, pipe type, read mode and instance count.
 * The rest of the parameter list is on a line this listing does not show.
 */
5092 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
5096 proto_item *item = NULL;
5097 proto_tree *tree = NULL;
/* the state word as it appears in the packet (little-endian) */
5099 mask = tvb_get_letohs(tvb, offset);
5102 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5103 "IPC State: 0x%04x", mask);
5104 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
/*
 * Every row receives the whole word; which bits each one shows is
 * presumably set by the field's registered bitmask (not visible here).
 */
5107 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
5108 tvb, offset, 2, mask);
5110 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
5111 tvb, offset, 2, mask);
5112 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
5113 tvb, offset, 2, mask);
5115 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
5116 tvb, offset, 2, mask);
5118 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
5119 tvb, offset, 2, mask);
/*
 * Open AndX response: AndX header, FID, file attributes, last write time,
 * file size, granted access, file type, IPC state, open action, server
 * FID and 2 reserved bytes, followed by the chained AndX command.
 */
5128 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5130 guint8 wc, cmd=0xff;
5131 guint16 andxoffset=0, bc;
5136 /* next smb command */
5137 cmd = tvb_get_guint8(tvb, offset);
5139 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5141 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5146 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* packet-supplied offset of the chained command; validated before use below */
5150 andxoffset = tvb_get_letohs(tvb, offset);
5151 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5155 fid = tvb_get_letohs(tvb, offset);
5156 add_fid(tvb, pinfo, tree, offset, 2, fid);
5159 /* File Attributes */
5160 offset = dissect_file_attributes(tvb, tree, offset, 2);
5162 /* last write time */
5163 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/* file size */
5166 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5169 /* granted access */
5170 offset = dissect_access(tvb, tree, offset, "Granted");
/* file type */
5173 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
/* IPC state */
5177 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
/* open action */
5180 offset = dissect_open_action(tvb, tree, offset);
/* server FID */
5183 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
5186 /* 2 reserved bytes */
5187 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/*
 * Reject an AndX offset that points back before the bytes already
 * dissected. NOTE(review): andxoffset == 0 is exempt from this check;
 * confirm that dissect_smb_command() copes with a zero offset when cmd is
 * not 0xff.
 */
5194 if (andxoffset != 0 && andxoffset < offset)
5195 THROW(ReportedBoundsError);
5197 /* call AndXCommand (if there are any) */
5198 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Read AndX request. The visible statements read the AndX
 * command byte and 16-bit AndX offset, the FID, the 32-bit file offset,
 * the low and high parts of the maximum count, the minimum count, the
 * remaining count and the high offset, append a summary to the Info
 * column and then hand the chained command to dissect_smb_command.
 * This listing skips source lines (the embedded line numbers are not
 * contiguous); declarations, offset updates and branch lines in the gaps
 * are not described here.
 */
5204 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5206 guint8 wc, cmd=0xff;
5207 guint16 andxoffset=0, bc, maxcnt_low;
5208 guint32 maxcnt_high;
5216 /* next smb command */
5217 cmd = tvb_get_guint8(tvb, offset);
5219 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5221 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5226 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5230 andxoffset = tvb_get_letohs(tvb, offset);
5231 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5235 fid = tvb_get_letohs(tvb, offset);
5236 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
/*
 * First pass over this frame only: the FID is kept in the per-request
 * record and tagged SMB_EI_FID, which is the tag the Read AndX response
 * handler tests before it reads extra_info back.
 */
5238 if (!pinfo->fd->flags.visited) {
5239 /* remember the FID for the processing of the response */
5240 si = (smb_info_t *)pinfo->private_data;
5241 DISSECTOR_ASSERT(si);
5243 si->sip->extra_info=GUINT_TO_POINTER(fid);
5244 si->sip->extra_info_type=SMB_EI_FID;
5249 ofs = tvb_get_letohl(tvb, offset);
5250 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5254 maxcnt_low = tvb_get_letohs(tvb, offset);
5255 proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
5259 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
5265 * XXX - we should really only do this in case we have seen
5266 * LARGE FILE being negotiated. Unfortunately, we might not
5267 * have seen the negotiation phase in the capture....
5269 * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
5270 * it's 32 bits, but the description says "High 16 bits of
5271 * MaxCount if CAP_LARGE_READX".
5273 * The SMB File Sharing Protocol Extensions Version 2.0,
5274 * Document Version 3.3 spec doesn't speak of an extra 16
5275 * bits in max count, but it does show a 32-bit timeout
5276 * after the min count field.
5278 * Perhaps the 32-bit timeout field was hijacked as a 16-bit
5279 * high count and a 16-bit reserved field.
5281 * We fetch and display it as 32 bits.
5283 * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
5284 * bytes and we just ignore it.
5286 maxcnt_high = tvb_get_letohl(tvb, offset);
5287 if(maxcnt_high==0xffffffff){
5290 proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
/*
 * Combines the high part with maxcnt_low. maxcnt is declared and first
 * assigned on lines this listing omits; if it is 32 bits wide, only the
 * low 16 bits of whatever it held survive the shift, so the value shown in
 * the Info column can differ from the two fields shown in the tree.
 */
5296 maxcnt=(maxcnt<<16)|maxcnt_low;
5298 if (check_col(pinfo->cinfo, COL_INFO))
5299 col_append_fstr(pinfo->cinfo, COL_INFO,
5300 ", %u byte%s at offset %u", maxcnt,
5301 (maxcnt == 1) ? "" : "s", ofs);
5304 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5309 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
5317 if (andxoffset != 0 && andxoffset < offset)
5318 THROW(ReportedBoundsError);
5320 /* call AndXCommand (if there are any) */
5321 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Read AndX response. The visible statements read the AndX
 * command byte and 16-bit AndX offset, show the FID remembered from the
 * request when one was recorded, read the remaining count, data compaction
 * mode, data length (low and high parts) and data offset, pass the payload
 * to dissect_file_data_maybe_dcerpc and then hand the chained command to
 * dissect_smb_command. This listing skips source lines (the embedded line
 * numbers are not contiguous); lines in the gaps are not described here.
 */
5327 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5329 guint8 wc, cmd=0xff;
5330 guint16 andxoffset=0, bc, datalen_low, dataoffset=0;
5331 guint32 datalen=0, datalen_high;
5332 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5335 DISSECTOR_ASSERT(si);
5339 /* next smb command */
5340 cmd = tvb_get_guint8(tvb, offset);
5342 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5344 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5349 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5353 andxoffset = tvb_get_letohs(tvb, offset);
5354 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5357 /* If we have seen the request, then print which FID this refers to */
5358 /* first check if we have seen the request */
5359 if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type==SMB_EI_FID){
5360 fid=GPOINTER_TO_INT(si->sip->extra_info);
/* Zero offset and zero length: the FID item is not tied to any bytes of this frame. */
5361 add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
5365 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5368 /* data compaction mode */
5369 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
5372 /* 2 reserved bytes */
5373 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5377 datalen_low = tvb_get_letohs(tvb, offset);
5378 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
5382 dataoffset=tvb_get_letohs(tvb, offset);
5383 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5386 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5387 /* data length high */
5388 datalen_high = tvb_get_letohl(tvb, offset);
5389 if(datalen_high==0xffffffff){
5392 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 4, datalen_high);
/*
 * datalen is 32 bits wide, so shifting the 32-bit high field left by 16
 * keeps only its low 16 bits; the upper half of datalen_high does not
 * reach the combined length.
 */
5396 datalen=datalen_high;
5397 datalen=(datalen<<16)|datalen_low;
5400 if (check_col(pinfo->cinfo, COL_INFO))
5401 col_append_fstr(pinfo->cinfo, COL_INFO,
5402 ", %u byte%s", datalen,
5403 (datalen == 1) ? "" : "s");
5406 /* 6 reserved bytes */
5407 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
5412 /* file data, might be DCERPC on a pipe */
/*
 * The length is cut to 16 bits here, so only datalen_low is passed on when
 * the packet sets the high field; the Info column above shows the combined
 * value. fid keeps the value it got on a line this listing omits when no
 * request was recorded.
 */
5414 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5415 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
5421 if (andxoffset != 0 && andxoffset < offset)
5422 THROW(ReportedBoundsError);
5424 /* call AndXCommand (if there are any) */
5425 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Write AndX request. The visible statements read the AndX
 * command byte and 16-bit AndX offset, the FID, the file offset, the write
 * mode, the remaining count, the data length (high and low parts), the
 * data offset and the high offset, optionally mark the TID as an IPC TID,
 * pass the payload to dissect_file_data_maybe_dcerpc and then hand the
 * chained command to dissect_smb_command. This listing skips source lines
 * (the embedded line numbers are not contiguous); lines in the gaps are
 * not described here.
 */
5431 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5434 guint8 wc, cmd=0xff;
5435 guint16 andxoffset=0, bc, dataoffset=0, datalen_low, datalen_high;
5437 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5441 DISSECTOR_ASSERT(si);
5445 /* next smb command */
5446 cmd = tvb_get_guint8(tvb, offset);
5448 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5450 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5455 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5459 andxoffset = tvb_get_letohs(tvb, offset);
5460 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5464 fid = tvb_get_letohs(tvb, offset);
5465 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
5467 if (!pinfo->fd->flags.visited) {
5468 /* remember the FID for the processing of the response */
5470 si->sip->extra_info=GUINT_TO_POINTER(fid);
5471 si->sip->extra_info_type=SMB_EI_FID;
5476 ofs = tvb_get_letohl(tvb, offset);
5477 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5481 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* mode is kept because its bits drive the named-pipe handling further down. */
5485 mode = tvb_get_letohs(tvb, offset);
5486 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
5489 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5492 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5493 /* data length high */
5494 datalen_high = tvb_get_letohs(tvb, offset);
5495 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
5499 datalen_low = tvb_get_letohs(tvb, offset);
5500 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
/* Both halves are 16 bits here; datalen itself is declared on a line this listing omits. */
5503 datalen=datalen_high;
5504 datalen=(datalen<<16)|datalen_low;
5507 dataoffset=tvb_get_letohs(tvb, offset);
5508 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5511 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
5512 if (check_col(pinfo->cinfo, COL_INFO))
5513 col_append_fstr(pinfo->cinfo, COL_INFO,
5514 ", %u byte%s at offset %u", datalen,
5515 (datalen == 1) ? "" : "s", ofs);
5519 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/*
 * Heuristic below: a write whose mode has WRITE_MODE_MESSAGE_START set is
 * taken to be a named-pipe write, and on the first pass the TID is stored
 * as TID_IPC in si->ct->tid_service. The mode bits come from the packet,
 * so this classification follows whatever the capture contains and later
 * reads and writes on the same TID are treated accordingly.
 */
5525 /* if both the MessageStart and the WriteRawNamedPipe flags are set
5526 the first two bytes of the payload is the length of the data.
5527 Assume that all WriteAndX PDUs that have MESSAGE_START set to
5528 be over the IPC$ share and thus they all transport DCERPC.
5529 (if we didnt already know that from the TreeConnect call)
5531 if(mode&WRITE_MODE_MESSAGE_START){
5532 if(mode&WRITE_MODE_RAW){
5533 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
5539 if(!pinfo->fd->flags.visited){
5540 /* In case we did not see the TreeConnect call,
5541 store this TID here as well as a IPC TID
5542 so we know that future Read/Writes to this
5543 TID is (probably) DCERPC.
5545 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
5546 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
5548 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
5551 si->sip->flags|=SMB_SIF_TID_IS_IPC;
5555 /* file data, might be DCERPC on a pipe */
/*
 * The length is cut to 16 bits here, so only datalen_low is passed on when
 * the packet sets the high field; the Info column above shows the combined
 * value.
 */
5557 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5558 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
5564 if (andxoffset != 0 && andxoffset < offset)
5565 THROW(ReportedBoundsError);
5567 /* call AndXCommand (if there are any) */
5568 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Write AndX response. The visible statements read the AndX
 * command byte and 16-bit AndX offset, show the FID remembered from the
 * request when one was recorded, read the write count (low and high
 * parts) and the remaining count, append the byte count to the Info column
 * and then hand the chained command to dissect_smb_command. This listing
 * skips source lines (the embedded line numbers are not contiguous); lines
 * in the gaps are not described here.
 */
5574 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5576 guint8 wc, cmd=0xff;
5577 guint16 andxoffset=0, bc, count_low, count_high;
5583 /* next smb command */
5584 cmd = tvb_get_guint8(tvb, offset);
5586 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5588 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5593 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5597 andxoffset = tvb_get_letohs(tvb, offset);
5598 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5601 /* If we have seen the request, then print which FID this refers to */
5602 si = (smb_info_t *)pinfo->private_data;
5603 DISSECTOR_ASSERT(si);
5604 /* first check if we have seen the request */
5605 if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type==SMB_EI_FID){
/* Zero offset and zero length: the FID item is not tied to any bytes of this frame. */
5606 add_fid(tvb, pinfo, tree, 0, 0, (guint16) GPOINTER_TO_UINT(si->sip->extra_info));
5609 /* write count low */
5610 count_low = tvb_get_letohs(tvb, offset);
5611 proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
5615 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5618 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5619 /* write count high */
5620 count_high = tvb_get_letohs(tvb, offset);
5621 proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
/* count is declared and first assigned on lines this listing omits; here the low half is merged in. */
5625 count=(count<<16)|count_low;
5627 if (check_col(pinfo->cinfo, COL_INFO))
5628 col_append_fstr(pinfo->cinfo, COL_INFO,
5629 ", %u byte%s", count,
5630 (count == 1) ? "" : "s");
5632 /* 2 reserved bytes */
5633 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
5640 if (andxoffset != 0 && andxoffset < offset)
5641 THROW(ReportedBoundsError);
5643 /* call AndXCommand (if there are any) */
5644 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Display strings for the guest bit of the Action word shown by
 * dissect_setup_action: the first string is used when the bit is set, the
 * second when it is clear.
 */
5650 static const true_false_string tfs_setup_action_guest = {
5651 "Logged in as GUEST",
5652 "Not logged in as GUEST"
/*
 * Shows the 16-bit Action word found at offset: a text item with the raw
 * value and, beneath it, the guest flag. The flag records whether the
 * session was logged in as GUEST (see the strings in
 * tfs_setup_action_guest), which is worth checking when reviewing how a
 * session authenticated. The mask declaration, the offset update and the
 * return are on lines this listing omits.
 */
5655 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5658 proto_item *item = NULL;
5659 proto_tree *tree = NULL;
5661 mask = tvb_get_letohs(tvb, offset);
5664 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5665 "Action: 0x%04x", mask);
5666 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5669 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5670 tvb, offset, 2, mask);
/*
 * Dissects a Session Setup AndX request. Visible statements: the AndX
 * command byte and 16-bit AndX offset, max buffer size, max multiplex
 * count, VC number and session key, then the password or security blob
 * lengths and the capabilities, then the byte area: security blob,
 * password bytes, account name, primary domain, native OS and LAN Manager
 * strings. Which of these variants runs is decided on lines this listing
 * omits (the embedded line numbers are not contiguous).
 *
 * Points for anyone reviewing or relying on this output:
 *  - pwlen, apwlen, upwlen and sbloblen are 16-bit lengths read from the
 *    packet; each is passed to CHECK_BYTE_COUNT before the matching bytes
 *    are consumed (macro defined elsewhere, presumably a test against bc).
 *  - The password fields are copied into the tree as they appear in the
 *    capture, and the Unicode one can also be given to
 *    dissect_ntlmv2_response, so dissections of this command should be
 *    handled as credential material.
 *  - The security blob goes to the NTLMSSP dissector only when
 *    si->ct->raw_ntlmssp is set and the blob starts with NTLMSSP;
 *    otherwise it goes to the GSS-API dissector.
 *  - The OS and LAN Manager strings in the blob variant are decoded as
 *    ASCII when they start with Win, whatever the Unicode flag says.
 *  - Account and domain names reach the Info column through format_text.
 *  - A non-zero andxoffset below the current offset is reported as a
 *    bounds error before the chained command is dissected.
 */
5679 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5681 guint8 wc, cmd=0xff;
5683 guint16 andxoffset=0;
5684 smb_info_t *si = pinfo->private_data;
5690 guint16 sbloblen=0, sbloblen_short;
5691 guint16 apwlen=0, upwlen=0;
5692 gboolean unicodeflag;
5694 DISSECTOR_ASSERT(si);
5698 /* next smb command */
5699 cmd = tvb_get_guint8(tvb, offset);
5701 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5703 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5708 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5712 andxoffset = tvb_get_letohs(tvb, offset);
5713 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5716 /* Maximum Buffer Size */
5717 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5720 /* Maximum Multiplex Count */
5721 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5725 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5729 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5734 /* password length, ASCII*/
5735 pwlen = tvb_get_letohs(tvb, offset);
5736 proto_tree_add_uint(tree, hf_smb_password_len,
5737 tvb, offset, 2, pwlen);
5740 /* 4 reserved bytes */
5741 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5747 /* security blob length */
5748 sbloblen = tvb_get_letohs(tvb, offset);
5749 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5752 /* 4 reserved bytes */
5753 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5757 dissect_negprot_capabilities(tvb, tree, offset);
5763 /* password length, ANSI*/
5764 apwlen = tvb_get_letohs(tvb, offset);
5765 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5766 tvb, offset, 2, apwlen);
5769 /* password length, Unicode*/
5770 upwlen = tvb_get_letohs(tvb, offset);
5771 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5772 tvb, offset, 2, upwlen);
5775 /* 4 reserved bytes */
5776 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5780 dissect_negprot_capabilities(tvb, tree, offset);
/*
 * sbloblen comes from the packet. The copy in sbloblen_short is cut down
 * to what the capture holds so the raw blob item can still be added for a
 * short frame, while sbloblen itself is kept for the byte-count check.
 * NOTE(review): tvb_length_remaining returns a signed value; confirm a
 * negative result cannot be stored into the unsigned sbloblen_short below.
 */
5789 proto_item *blob_item;
5792 /* If it runs past the end of the captured data, don't
5793 * try to put all of it into the protocol tree as the
5794 * raw security blob; we might get an exception on
5795 * short frames and then we will not see anything at all
5796 * of the security blob.
5798 sbloblen_short = sbloblen;
5799 if(sbloblen_short>tvb_length_remaining(tvb,offset)){
5800 sbloblen_short=tvb_length_remaining(tvb,offset);
5802 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5803 tvb, offset, sbloblen_short,
5806 /* As an optimization, because Windows is perverse,
5807 we check to see if NTLMSSP is the first part of the
5808 blob, and if so, call the NTLMSSP dissector,
5809 otherwise we call the GSS-API dissector. This is because
5810 Windows can request RAW NTLMSSP, but will happily handle
5811 a client that wraps NTLMSSP in SPNEGO
5816 proto_tree *blob_tree;
5818 blob_tree = proto_item_add_subtree(blob_item,
5820 CHECK_BYTE_COUNT(sbloblen);
5823 * Set the reported length of this to the reported
5824 * length of the blob, rather than the amount of
5825 * data available from the blob, so that we'll
5826 * throw the right exception if it's too short.
5828 blob_tvb = tvb_new_subset(tvb, offset, sbloblen_short,
5831 if (si && si->ct && si->ct->raw_ntlmssp &&
5832 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
5833 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5838 call_dissector(gssapi_handle, blob_tvb,
5842 COUNT_BYTES(sbloblen);
5846 * Eventhough this field should honour the unicode flag
5847 * some ms clients gets this wrong.
5848 * At least XP SP1 sends this in ASCII
5849 * even when the unicode flag is on.
5850 * Test if the first three bytes are "Win"
5851 * and if so just override the flag.
5853 unicodeflag=si->unicode;
5854 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
5857 an = get_unicode_or_ascii_string(tvb, &offset,
5858 unicodeflag, &an_len, FALSE, FALSE, &bc);
5861 proto_tree_add_string(tree, hf_smb_os, tvb,
5862 offset, an_len, an);
5863 COUNT_BYTES(an_len);
5866 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5867 * padding/null string/whatever in front of this. W2K doesn't
5868 * appear to. I suspect that's a bug that got fixed; I also
5869 * suspect that, in practice, nobody ever looks at that field
5870 * because the bug didn't appear to get fixed until NT 5.0....
5872 * Eventhough this field should honour the unicode flag
5873 * some ms clients gets this wrong.
5874 * At least XP SP1 sends this in ASCII
5875 * even when the unicode flag is on.
5876 * Test if the first three bytes are "Win"
5877 * and if so just override the flag.
5879 unicodeflag=si->unicode;
5880 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
5883 an = get_unicode_or_ascii_string(tvb, &offset,
5884 unicodeflag, &an_len, FALSE, FALSE, &bc);
5887 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5888 offset, an_len, an);
5889 COUNT_BYTES(an_len);
5891 /* Primary domain */
5892 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5893 * byte in front of this, at least if all the strings are
5894 * ASCII and the account name is empty. Another bug?
5896 dn = get_unicode_or_ascii_string(tvb, &offset,
5897 si->unicode, &dn_len, FALSE, FALSE, &bc);
5900 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5901 offset, dn_len, dn);
5902 COUNT_BYTES(dn_len);
5908 /* password, ASCII */
/*
 * pwlen was read from the packet earlier; CHECK_BYTE_COUNT runs before
 * pwlen bytes are added as the password item. The bytes are shown exactly
 * as captured.
 */
5909 CHECK_BYTE_COUNT(pwlen);
5910 proto_tree_add_item(tree, hf_smb_password,
5911 tvb, offset, pwlen, TRUE);
5919 /* password, ANSI */
5920 CHECK_BYTE_COUNT(apwlen);
5921 proto_tree_add_item(tree, hf_smb_ansi_password,
5922 tvb, offset, apwlen, TRUE);
5923 COUNT_BYTES(apwlen);
5929 /* password, Unicode */
5930 CHECK_BYTE_COUNT(upwlen);
5931 item = proto_tree_add_item(tree, hf_smb_unicode_password,
5932 tvb, offset, upwlen, TRUE);
5935 proto_tree *subtree;
5937 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
5939 dissect_ntlmv2_response(
5940 tvb, subtree, offset, upwlen);
5943 COUNT_BYTES(upwlen);
5950 an = get_unicode_or_ascii_string(tvb, &offset,
5951 si->unicode, &an_len, FALSE, FALSE, &bc);
5954 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5956 COUNT_BYTES(an_len);
5958 /* Primary domain */
5959 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5960 * byte in front of this, at least if all the strings are
5961 * ASCII and the account name is empty. Another bug?
5963 dn = get_unicode_or_ascii_string(tvb, &offset,
5964 si->unicode, &dn_len, FALSE, FALSE, &bc);
5967 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5968 offset, dn_len, dn);
5969 COUNT_BYTES(dn_len);
5971 if (check_col(pinfo->cinfo, COL_INFO)) {
5972 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5974 if (!dn[0] && !an[0])
5975 col_append_fstr(pinfo->cinfo, COL_INFO,
5978 col_append_fstr(pinfo->cinfo, COL_INFO,
5980 format_text(dn, strlen(dn)),
5981 format_text(an, strlen(an)));
5985 an = get_unicode_or_ascii_string(tvb, &offset,
5986 si->unicode, &an_len, FALSE, FALSE, &bc);
5989 proto_tree_add_string(tree, hf_smb_os, tvb,
5990 offset, an_len, an);
5991 COUNT_BYTES(an_len);
5994 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5995 * padding/null string/whatever in front of this. W2K doesn't
5996 * appear to. I suspect that's a bug that got fixed; I also
5997 * suspect that, in practice, nobody ever looks at that field
5998 * because the bug didn't appear to get fixed until NT 5.0....
6000 an = get_unicode_or_ascii_string(tvb, &offset,
6001 si->unicode, &an_len, FALSE, FALSE, &bc);
6004 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6005 offset, an_len, an);
6006 COUNT_BYTES(an_len);
6011 if (andxoffset != 0 && andxoffset < offset)
6012 THROW(ReportedBoundsError);
6014 /* call AndXCommand (if there are any) */
/* si is written back before chaining, presumably because a dissector called above may have replaced pinfo->private_data. */
6015 pinfo->private_data = si;
6016 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Session Setup AndX response. Visible statements: the AndX
 * command byte and 16-bit AndX offset, the Action word, the security blob
 * length and blob (handed to the NTLMSSP dissector when
 * si->ct->raw_ntlmssp is set and the blob starts with NTLMSSP, otherwise
 * to the GSS-API dissector), then the native OS, LAN Manager and primary
 * domain strings, and finally the chained command. This listing skips
 * source lines (the embedded line numbers are not contiguous); lines in
 * the gaps are not described here.
 */
6022 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6024 guint8 wc, cmd=0xff;
6025 guint16 andxoffset=0, bc;
6027 smb_info_t *si = pinfo->private_data;
6031 DISSECTOR_ASSERT(si);
6035 /* next smb command */
6036 cmd = tvb_get_guint8(tvb, offset);
6038 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6040 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6045 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6049 andxoffset = tvb_get_letohs(tvb, offset);
6050 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6054 offset = dissect_setup_action(tvb, tree, offset);
6057 /* security blob length */
6058 sbloblen = tvb_get_letohs(tvb, offset);
6059 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
/*
 * sbloblen comes from the packet. Unlike the request handler, which clamps
 * a separate copy, the clamp below overwrites sbloblen itself, so the later
 * CHECK_BYTE_COUNT and COUNT_BYTES see the clamped value.
 * NOTE(review): tvb_length_remaining returns a signed value; confirm a
 * negative result cannot be stored into sbloblen, whose declaration is on
 * a line this listing omits.
 */
6066 proto_item *blob_item;
6069 /* dont try to eat too much of we might get an exception on
6070 * short frames and then we will not see anything at all
6071 * of the security blob.
6073 if(sbloblen>tvb_length_remaining(tvb,offset)){
6074 sbloblen=tvb_length_remaining(tvb,offset);
6076 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
6077 tvb, offset, sbloblen, TRUE);
6081 proto_tree *blob_tree;
6083 blob_tree = proto_item_add_subtree(blob_item,
6085 CHECK_BYTE_COUNT(sbloblen);
6087 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
6090 if (si && si->ct && si->ct->raw_ntlmssp &&
6091 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
6092 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
6097 call_dissector(gssapi_handle, blob_tvb, pinfo,
6102 COUNT_BYTES(sbloblen);
6107 an = get_unicode_or_ascii_string(tvb, &offset,
6108 si->unicode, &an_len, FALSE, FALSE, &bc);
6111 proto_tree_add_string(tree, hf_smb_os, tvb,
6112 offset, an_len, an);
6113 COUNT_BYTES(an_len);
6116 an = get_unicode_or_ascii_string(tvb, &offset,
6117 si->unicode, &an_len, FALSE, FALSE, &bc);
6120 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6121 offset, an_len, an);
6122 COUNT_BYTES(an_len);
6125 /* Primary domain */
6126 an = get_unicode_or_ascii_string(tvb, &offset,
6127 si->unicode, &an_len, FALSE, FALSE, &bc);
6130 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
6131 offset, an_len, an);
6132 COUNT_BYTES(an_len);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
6137 if (andxoffset != 0 && andxoffset < offset)
6138 THROW(ReportedBoundsError);
6140 /* call AndXCommand (if there are any) */
/* si is written back before chaining, presumably because a dissector called above may have replaced pinfo->private_data. */
6141 pinfo->private_data = si;
6142 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects an AndX command whose visible fields are only the AndX command
 * byte, one reserved byte and the 16-bit AndX offset, then hands the
 * chained command to dissect_smb_command. This listing skips source lines
 * (the embedded line numbers are not contiguous); lines in the gaps are
 * not described here.
 */
6149 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6151 guint8 wc, cmd=0xff;
6152 guint16 andxoffset=0;
6157 /* next smb command */
6158 cmd = tvb_get_guint8(tvb, offset);
6160 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6162 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6167 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6171 andxoffset = tvb_get_letohs(tvb, offset);
6172 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
6179 if (andxoffset != 0 && andxoffset < offset)
6180 THROW(ReportedBoundsError);
6182 /* call AndXCommand (if there are any) */
6183 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Display strings for the two Optional Support bits shown by
 * dissect_connect_support_bits. In each table the first string is used
 * when the bit is set and the second when it is clear; the first string of
 * tfs_connect_support_in_dfs and both closing lines are on lines this
 * listing omits.
 */
6189 static const true_false_string tfs_connect_support_search = {
6190 "Exclusive search bits supported",
6191 "Exclusive search bits not supported"
6193 static const true_false_string tfs_connect_support_in_dfs = {
6195 "Share isn't in Dfs"
/*
 * Shows the 16-bit Optional Support word found at offset: a text item with
 * the raw value and, beneath it, the search and in-Dfs flags. The mask
 * declaration, the offset update and the return are on lines this listing
 * omits.
 */
6199 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6202 proto_item *item = NULL;
6203 proto_tree *tree = NULL;
6205 mask = tvb_get_letohs(tvb, offset);
6208 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6209 "Optional Support: 0x%04x", mask);
6210 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
/* Both flags are decoded from the same two bytes; each field picks its own bit out of mask. */
6213 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
6214 tvb, offset, 2, mask);
6215 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
6216 tvb, offset, 2, mask);
/*
 * Display strings for the disconnect-TID flag; only the string for the
 * clear bit is visible, the one for the set bit is on a line this listing
 * omits.
 */
6223 static const true_false_string tfs_disconnect_tid = {
6225 "Do NOT disconnect TID"
/*
 * Shows the 16-bit Flags word of a Tree Connect AndX request found at
 * offset: a text item with the raw value and, beneath it, the
 * disconnect-TID flag. The mask declaration, the offset update and the
 * return are on lines this listing omits.
 */
6229 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6232 proto_item *item = NULL;
6233 proto_tree *tree = NULL;
6235 mask = tvb_get_letohs(tvb, offset);
6238 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6239 "Flags: 0x%04x", mask);
6240 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
6243 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
6244 tvb, offset, 2, mask);
/*
 * Dissects a Tree Connect AndX request. Visible statements: the AndX
 * command byte and 16-bit AndX offset, the connect flags, the password
 * length and password bytes, the path (also appended to the Info column
 * through format_text) and the service string, then the chained command.
 * The password bytes are shown exactly as captured, so dissections of this
 * command should be handled as credential material. This listing skips
 * source lines (the embedded line numbers are not contiguous); lines in
 * the gaps are not described here.
 */
6252 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6254 guint8 wc, cmd=0xff;
6256 guint16 andxoffset=0, pwlen=0;
6257 smb_info_t *si = pinfo->private_data;
6261 DISSECTOR_ASSERT(si);
6265 /* next smb command */
6266 cmd = tvb_get_guint8(tvb, offset);
6268 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6270 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6275 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6279 andxoffset = tvb_get_letohs(tvb, offset);
6280 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6284 offset = dissect_connect_flags(tvb, tree, offset);
6286 /* password length*/
6287 pwlen = tvb_get_letohs(tvb, offset);
6288 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
/* pwlen is a 16-bit length from the packet; CHECK_BYTE_COUNT runs before that many bytes are added. */
6294 CHECK_BYTE_COUNT(pwlen);
6295 proto_tree_add_item(tree, hf_smb_password,
6296 tvb, offset, pwlen, TRUE);
6300 an = get_unicode_or_ascii_string(tvb, &offset,
6301 si->unicode, &an_len, FALSE, FALSE, &bc);
6304 proto_tree_add_string(tree, hf_smb_path, tvb,
6305 offset, an_len, an);
6306 COUNT_BYTES(an_len);
6308 if (check_col(pinfo->cinfo, COL_INFO)) {
6309 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
6310 format_text(an, strlen(an)));
6314 * NOTE: the Service string is always ASCII, even if the
6315 * "strings are Unicode" bit is set in the flags2 field
6320 /* XXX - what if this runs past bc? */
/*
 * tvb_strsize measures up to the terminating NUL within the tvb, not
 * within bc; the CHECK_BYTE_COUNT on the following line is what ties the
 * measured length back to the declared byte count before the string is
 * fetched and added.
 */
6321 an_len = tvb_strsize(tvb, offset);
6322 CHECK_BYTE_COUNT(an_len);
6323 an = tvb_get_ptr(tvb, offset, an_len);
6324 proto_tree_add_string(tree, hf_smb_service, tvb,
6325 offset, an_len, an);
6326 COUNT_BYTES(an_len);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
6330 if (andxoffset != 0 && andxoffset < offset)
6331 THROW(ReportedBoundsError);
6333 /* call AndXCommand (if there are any) */
6334 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Tree Connect AndX response. Visible statements: the AndX
 * command byte and 16-bit AndX offset, the optional support bits, any
 * further parameter words shown raw, the service string, the file system
 * string and then the chained command.
 *
 * The service string drives connection state: on the first pass the entry
 * for si->tid in si->ct->tid_service is replaced with TID_IPC when the
 * string equals IPC and with TID_NORMAL otherwise, and the existing
 * comment says later commands rely on that entry. The string is measured
 * with tvb_strsize (up to the NUL within the tvb) and only then compared
 * with the byte count by CHECK_BYTE_COUNT.
 *
 * This listing skips source lines (the embedded line numbers are not
 * contiguous); lines in the gaps are not described here.
 */
6341 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6343 guint8 wc, wleft, cmd=0xff;
6344 guint16 andxoffset=0;
6348 smb_info_t *si = pinfo->private_data;
6350 DISSECTOR_ASSERT(si);
6354 wleft = wc; /* this is at least 1 */
6356 /* next smb command */
6357 cmd = tvb_get_guint8(tvb, offset);
6359 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6361 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6366 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6374 andxoffset = tvb_get_letohs(tvb, offset);
6375 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6382 offset = dissect_connect_support_bits(tvb, tree, offset);
6385 /* XXX - I've seen captures where this is 7, but I have no
6386 idea how to dissect it. I'm guessing the third word
6387 contains connect support bits, which looks plausible
6388 from the values I've seen. */
/*
 * wleft starts from the word count in the packet; each pass shows one
 * 16-bit word as raw hex. The updates to wleft and offset are on lines
 * this listing omits.
 */
6390 while (wleft != 0) {
6391 proto_tree_add_text(tree, tvb, offset, 2,
6392 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
6400 * NOTE: even though the SNIA CIFS spec doesn't say there's
6401 * a "Service" string if there's a word count of 2, the
6404 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
6406 * (it's in an ugly format - text intended to be sent to a
6407 * printer, with backspaces and overstrikes used for boldfacing
6408 * and underlining; UNIX "col -b" can be used to strip the
6409 * overstrikes out) says there's a "Service" string there, and
6410 * some network traffic has it.
6414 * NOTE: the Service string is always ASCII, even if the
6415 * "strings are Unicode" bit is set in the flags2 field
6420 /* XXX - what if this runs past bc? */
6421 an_len = tvb_strsize(tvb, offset);
6422 CHECK_BYTE_COUNT(an_len);
6423 an = tvb_get_ptr(tvb, offset, an_len);
6424 proto_tree_add_string(tree, hf_smb_service, tvb,
6425 offset, an_len, an);
6426 COUNT_BYTES(an_len);
6428 /* Now when we know the service type, store it so that we know it for later commands down
6430 if(!pinfo->fd->flags.visited){
6431 /* Remove any previous entry for this TID */
6432 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
6433 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
6435 if(strcmp(an,"IPC") == 0){
6436 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
6438 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_NORMAL);
6446 * Sometimes this isn't present.
6450 an = get_unicode_or_ascii_string(tvb, &offset,
6451 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
6455 proto_tree_add_string(tree, hf_smb_fs, tvb,
6456 offset, an_len, an);
6457 COUNT_BYTES(an_len);
/*
 * andxoffset is taken from the packet. A non-zero value below the current
 * offset would send the chained command back into bytes that were already
 * dissected, so it is reported as a bounds error instead.
 * NOTE(review): a zero andxoffset passes this test whatever cmd holds;
 * confirm dissect_smb_command copes with that combination.
 */
6463 if (andxoffset != 0 && andxoffset < offset)
6464 THROW(ReportedBoundsError);
6466 /* call AndXCommand (if there are any) */
6467 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6474 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6475 NT Transaction command begins here
6476 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * NT Transaction subcommand codes and the table that maps each code to its
 * display name. nt_cmd_vals is not declared static, so it is visible to
 * other translation units. The closing lines of the table are on lines
 * this listing omits.
 */
6477 #define NT_TRANS_CREATE 1
6478 #define NT_TRANS_IOCTL 2
6479 #define NT_TRANS_SSD 3
6480 #define NT_TRANS_NOTIFY 4
6481 #define NT_TRANS_RENAME 5
6482 #define NT_TRANS_QSD 6
6483 #define NT_TRANS_GET_USER_QUOTA 7
6484 #define NT_TRANS_SET_USER_QUOTA 8
6485 const value_string nt_cmd_vals[] = {
6486 {NT_TRANS_CREATE, "NT CREATE"},
6487 {NT_TRANS_IOCTL, "NT IOCTL"},
6488 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
6489 {NT_TRANS_NOTIFY, "NT NOTIFY"},
6490 {NT_TRANS_RENAME, "NT RENAME"},
6491 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
6492 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
6493 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
/*
 * Display tables for the NT IOCTL subcommand: whether the request is a
 * device IOCTL or a file system control, and the meaning of the root
 * handle flag bit (0x01). The closing lines of both tables are on lines
 * this listing omits.
 */
6497 static const value_string nt_ioctl_isfsctl_vals[] = {
6498 {0, "Device IOCTL"},
6499 {1, "FS control : FSCTL"},
6503 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
6504 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
6505 "Apply the command to share root handle (MUST BE Dfs)",
6506 "Apply to this share",
/*
 * Display tables for the NT NOTIFY subcommand: the action code attached to
 * each reported change, and whether subdirectories are watched as well.
 * NOTE(review): the label for action 1 has no closing parenthesis.
 * The closing lines of both tables are on lines this listing omits.
 */
6509 static const value_string nt_notify_action_vals[] = {
6510 {1, "ADDED (object was added"},
6511 {2, "REMOVED (object was removed)"},
6512 {3, "MODIFIED (object was modified)"},
6513 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
6514 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
6515 {6, "ADDED_STREAM (a stream was added)"},
6516 {7, "REMOVED_STREAM (a stream was removed)"},
6517 {8, "MODIFIED_STREAM (a stream was modified)"},
6521 static const value_string watch_tree_vals[] = {
6522 {0, "Current directory only"},
6523 {1, "Subdirectories also"},
/*
 * Bit masks for the kinds of change an NT NOTIFY request can ask about,
 * one bit per kind from 0x00000001 up to 0x00000800, followed by one
 * true_false_string per bit: the first string is shown when the bit is
 * set, the second when it is clear. The closing line of each table is on a
 * line this listing omits.
 */
6527 #define NT_NOTIFY_STREAM_WRITE 0x00000800
6528 #define NT_NOTIFY_STREAM_SIZE 0x00000400
6529 #define NT_NOTIFY_STREAM_NAME 0x00000200
6530 #define NT_NOTIFY_SECURITY 0x00000100
6531 #define NT_NOTIFY_EA 0x00000080
6532 #define NT_NOTIFY_CREATION 0x00000040
6533 #define NT_NOTIFY_LAST_ACCESS 0x00000020
6534 #define NT_NOTIFY_LAST_WRITE 0x00000010
6535 #define NT_NOTIFY_SIZE 0x00000008
6536 #define NT_NOTIFY_ATTRIBUTES 0x00000004
6537 #define NT_NOTIFY_DIR_NAME 0x00000002
6538 #define NT_NOTIFY_FILE_NAME 0x00000001
6539 static const true_false_string tfs_nt_notify_stream_write = {
6540 "Notify on changes to STREAM WRITE",
6541 "Do NOT notify on changes to stream write",
6543 static const true_false_string tfs_nt_notify_stream_size = {
6544 "Notify on changes to STREAM SIZE",
6545 "Do NOT notify on changes to stream size",
6547 static const true_false_string tfs_nt_notify_stream_name = {
6548 "Notify on changes to STREAM NAME",
6549 "Do NOT notify on changes to stream name",
6551 static const true_false_string tfs_nt_notify_security = {
6552 "Notify on changes to SECURITY",
6553 "Do NOT notify on changes to security",
6555 static const true_false_string tfs_nt_notify_ea = {
6556 "Notify on changes to EA",
6557 "Do NOT notify on changes to EA",
6559 static const true_false_string tfs_nt_notify_creation = {
6560 "Notify on changes to CREATION TIME",
6561 "Do NOT notify on changes to creation time",
6563 static const true_false_string tfs_nt_notify_last_access = {
6564 "Notify on changes to LAST ACCESS TIME",
6565 "Do NOT notify on changes to last access time",
6567 static const true_false_string tfs_nt_notify_last_write = {
6568 "Notify on changes to LAST WRITE TIME",
6569 "Do NOT notify on changes to last write time",
6571 static const true_false_string tfs_nt_notify_size = {
6572 "Notify on changes to SIZE",
6573 "Do NOT notify on changes to size",
6575 static const true_false_string tfs_nt_notify_attributes = {
6576 "Notify on changes to ATTRIBUTES",
6577 "Do NOT notify on changes to attributes",
6579 static const true_false_string tfs_nt_notify_dir_name = {
6580 "Notify on changes to DIR NAME",
6581 "Do NOT notify on changes to dir name",
6583 static const true_false_string tfs_nt_notify_file_name = {
6584 "Notify on changes to FILE NAME",
6585 "Do NOT notify on changes to file name",
/*
 * Display names for the 4-byte create disposition of an NT CREATE
 * request (presumably attached to hf_smb_nt_create_disposition).
 */
6588 static const value_string create_disposition_vals[] = {
6589 {0, "Supersede (supersede existing file (if it exists))"},
6590 {1, "Open (if file exists open it, else fail)"},
6591 {2, "Create (if file exists fail, else create it)"},
6592 {3, "Open If (if file exists open it, else create it)"},
6593 {4, "Overwrite (if file exists overwrite, else fail)"},
6594 {5, "Overwrite If (if file exists overwrite, else create it)"},
/*
 * Display names for the impersonation level the client requests in an
 * NT CREATE (presumably attached to hf_smb_nt_impersonation_level).
 */
6598 static const value_string impersonation_level_vals[] = {
6600 {1, "Identification"},
6601 {2, "Impersonation"},
/*
 * Per-bit strings for the one-byte security flags decoded by
 * dissect_nt_security_flags(): first string when the bit is set,
 * second when it is clear.
 */
6606 static const true_false_string tfs_nt_security_flags_context_tracking = {
6607 "Security tracking mode is DYNAMIC",
6608 "Security tracking mode is STATIC",
6611 static const true_false_string tfs_nt_security_flags_effective_only = {
6612 "ONLY ENABLED aspects of the client's security context are available",
6613 "ALL aspects of the client's security context are available",
/*
 * Per-bit strings for the 32-bit create flags decoded by
 * dissect_nt_create_bits().
 */
6616 static const true_false_string tfs_nt_create_bits_oplock = {
6617 "Requesting OPLOCK",
6618 "Does NOT request oplock"
6621 static const true_false_string tfs_nt_create_bits_boplock = {
6622 "Requesting BATCH OPLOCK",
6623 "Does NOT request batch oplock"
6627 * XXX - must be a directory, and can be a file, or can be a directory,
6628 * and must be a file?
6630 static const true_false_string tfs_nt_create_bits_dir = {
6631 "Target of open MUST be a DIRECTORY",
6632 "Target of open can be a file"
6635 static const true_false_string tfs_nt_create_bits_ext_resp = {
6636 "Extended responses required",
6637 "Extended responses NOT required"
/*
 * Per-bit strings for the 32-bit NT access mask decoded by
 * dissect_smb_access_mask(): first string when the bit is set, second
 * when it is clear.
 *
 * Reading note for capture analysis: going by the strings below,
 * WRITE DAC, WRITE OWNER, SYSTEM SECURITY, GENERIC ALL and
 * MAXIMUM ALLOWED are the requests that reach an object's permissions
 * or ask for the widest access, so they are the bits worth checking
 * first when auditing an open.
 */
6640 static const true_false_string tfs_nt_access_mask_generic_read = {
6641 "GENERIC READ is set",
6642 "Generic read is NOT set"
6644 static const true_false_string tfs_nt_access_mask_generic_write = {
6645 "GENERIC WRITE is set",
6646 "Generic write is NOT set"
6648 static const true_false_string tfs_nt_access_mask_generic_execute = {
6649 "GENERIC EXECUTE is set",
6650 "Generic execute is NOT set"
6652 static const true_false_string tfs_nt_access_mask_generic_all = {
6653 "GENERIC ALL is set",
6654 "Generic all is NOT set"
6656 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6657 "MAXIMUM ALLOWED is set",
6658 "Maximum allowed is NOT set"
6660 static const true_false_string tfs_nt_access_mask_system_security = {
6661 "SYSTEM SECURITY is set",
6662 "System security is NOT set"
6664 static const true_false_string tfs_nt_access_mask_synchronize = {
6665 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6666 "Can NOT wait on handle to synchronize on completion of I/O"
6668 static const true_false_string tfs_nt_access_mask_write_owner = {
6669 "Can WRITE OWNER (take ownership)",
6670 "Can NOT write owner (take ownership)"
6672 static const true_false_string tfs_nt_access_mask_write_dac = {
6673 "OWNER may WRITE the DAC",
6674 "Owner may NOT write to the DAC"
6676 static const true_false_string tfs_nt_access_mask_read_control = {
6677 "READ ACCESS to owner, group and ACL of the SID",
6678 "Read access is NOT granted to owner, group and ACL of the SID"
6680 static const true_false_string tfs_nt_access_mask_delete = {
6684 static const true_false_string tfs_nt_access_mask_write_attributes = {
6685 "WRITE ATTRIBUTES access",
6686 "NO write attributes access"
6688 static const true_false_string tfs_nt_access_mask_read_attributes = {
6689 "READ ATTRIBUTES access",
6690 "NO read attributes access"
6692 static const true_false_string tfs_nt_access_mask_delete_child = {
6693 "DELETE CHILD access",
6694 "NO delete child access"
6696 static const true_false_string tfs_nt_access_mask_execute = {
6700 static const true_false_string tfs_nt_access_mask_write_ea = {
6701 "WRITE EXTENDED ATTRIBUTES access",
6702 "NO write extended attributes access"
6704 static const true_false_string tfs_nt_access_mask_read_ea = {
6705 "READ EXTENDED ATTRIBUTES access",
6706 "NO read extended attributes access"
6708 static const true_false_string tfs_nt_access_mask_append = {
6712 static const true_false_string tfs_nt_access_mask_write = {
6716 static const true_false_string tfs_nt_access_mask_read = {
/*
 * Per-bit strings for the 32-bit share access field decoded by
 * dissect_nt_share_access().
 */
6721 static const true_false_string tfs_nt_share_access_delete = {
6722 "Object can be shared for DELETE",
6723 "Object can NOT be shared for delete"
6725 static const true_false_string tfs_nt_share_access_write = {
6726 "Object can be shared for WRITE",
6727 "Object can NOT be shared for write"
6729 static const true_false_string tfs_nt_share_access_read = {
6730 "Object can be shared for READ",
6731 "Object can NOT be shared for read"
/* Display names for the oplock level reported as granted. */
6734 static const value_string oplock_level_vals[] = {
6735 {0, "No oplock granted"},
6736 {1, "Exclusive oplock granted"},
6737 {2, "Batch oplock granted"},
6738 {3, "Level II oplock granted"},
/*
 * Display names for the 32-bit device type code. The values run
 * contiguously from 0x01 to 0x2c; where this table is consumed is not
 * visible in this part of the file.
 */
6742 static const value_string device_type_vals[] = {
6743 {0x00000001, "Beep"},
6744 {0x00000002, "CDROM"},
6745 {0x00000003, "CDROM Filesystem"},
6746 {0x00000004, "Controller"},
6747 {0x00000005, "Datalink"},
6748 {0x00000006, "Dfs"},
6749 {0x00000007, "Disk"},
6750 {0x00000008, "Disk Filesystem"},
6751 {0x00000009, "Filesystem"},
6752 {0x0000000a, "Inport Port"},
6753 {0x0000000b, "Keyboard"},
6754 {0x0000000c, "Mailslot"},
6755 {0x0000000d, "MIDI-In"},
6756 {0x0000000e, "MIDI-Out"},
6757 {0x0000000f, "Mouse"},
6758 {0x00000010, "Multi UNC Provider"},
6759 {0x00000011, "Named Pipe"},
6760 {0x00000012, "Network"},
6761 {0x00000013, "Network Browser"},
6762 {0x00000014, "Network Filesystem"},
6763 {0x00000015, "NULL"},
6764 {0x00000016, "Parallel Port"},
6765 {0x00000017, "Physical card"},
6766 {0x00000018, "Printer"},
6767 {0x00000019, "Scanner"},
6768 {0x0000001a, "Serial Mouse port"},
6769 {0x0000001b, "Serial port"},
6770 {0x0000001c, "Screen"},
6771 {0x0000001d, "Sound"},
6772 {0x0000001e, "Streams"},
6773 {0x0000001f, "Tape"},
6774 {0x00000020, "Tape Filesystem"},
6775 {0x00000021, "Transport"},
6776 {0x00000022, "Unknown"},
6777 {0x00000023, "Video"},
6778 {0x00000024, "Virtual Disk"},
6779 {0x00000025, "WAVE-In"},
6780 {0x00000026, "WAVE-Out"},
6781 {0x00000027, "8042 Port"},
6782 {0x00000028, "Network Redirector"},
6783 {0x00000029, "Battery"},
6784 {0x0000002a, "Bus Extender"},
6785 {0x0000002b, "Modem"},
6786 {0x0000002c, "VDM"},
/* Display names for an "is directory" indicator (0 = no, 1 = yes). */
6790 static const value_string is_directory_vals[] = {
6791 {0, "This is NOT a directory"},
6792 {1, "This is a DIRECTORY"},
6796 typedef struct _nt_trans_data {
/*
 * Dissect the one-byte NT security flags field at `offset`.
 *
 * Adds a "Security Flags: 0x%02x" text item with an
 * ett_smb_nt_security_flags subtree and one boolean per flag, all decoded
 * from the same byte. Callers assign the return value back to their
 * offset (see dissect_nt_trans_param_request).
 */
6805 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6808 proto_item *item = NULL;
6809 proto_tree *tree = NULL;
/* tvb accessors are bounds-checked: a truncated packet raises a
 * dissector exception here instead of reading past the buffer. */
6811 mask = tvb_get_guint8(tvb, offset);
6814 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6815 "Security Flags: 0x%02x", mask);
6816 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
/* each boolean is handed the whole byte; the per-flag bit is presumably
 * selected by the mask in the hf registration (not shown here) */
6819 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6820 tvb, offset, 1, mask);
6821 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6822 tvb, offset, 1, mask);
/*
 * Dissect the 4-byte, little-endian share access field at `offset`.
 *
 * Adds a "Share Access: 0x%08x" text item with an ett_smb_nt_share_access
 * subtree and one boolean each for the delete, write and read sharing
 * bits. Callers assign the return value back to their offset.
 */
6830 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6833 proto_item *item = NULL;
6834 proto_tree *tree = NULL;
/* bounds-checked read of the whole 32-bit field */
6836 mask = tvb_get_letohl(tvb, offset);
6839 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6840 "Share Access: 0x%08x", mask);
6841 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6844 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6845 tvb, offset, 4, mask);
6846 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6847 tvb, offset, 4, mask);
6848 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6849 tvb, offset, 4, mask);
6856 /* FIXME: need to call dissect_nt_access_mask() instead */
/*
 * Dissect the 4-byte, little-endian NT access mask at `offset`.
 *
 * Adds an "Access Mask: 0x%08x" text item with an ett_smb_nt_access_mask
 * subtree and one boolean per access right, from the generic rights down
 * to the object-specific read/write/append bits. Every boolean is given
 * the full 32-bit value; the bit each one shows is presumably fixed by
 * the hf registration (not shown here). Callers assign the return value
 * back to their offset.
 */
6859 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6862 proto_item *item = NULL;
6863 proto_tree *tree = NULL;
/* bounds-checked read; a short packet raises a dissector exception */
6865 mask = tvb_get_letohl(tvb, offset);
6868 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6869 "Access Mask: 0x%08x", mask);
6870 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6874 * Some of these bits come from
6876 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6878 * and others come from the section on ZwOpenFile in "Windows(R)
6879 * NT(R)/2000 Native API Reference".
/* generic rights */
6881 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6882 tvb, offset, 4, mask);
6883 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6884 tvb, offset, 4, mask);
6885 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6886 tvb, offset, 4, mask);
6887 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6888 tvb, offset, 4, mask);
6889 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6890 tvb, offset, 4, mask);
6891 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6892 tvb, offset, 4, mask);
/* rights over the handle, owner, DACL and the object itself */
6893 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6894 tvb, offset, 4, mask);
6895 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6896 tvb, offset, 4, mask);
6897 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6898 tvb, offset, 4, mask);
6899 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6900 tvb, offset, 4, mask);
6901 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6902 tvb, offset, 4, mask);
/* object-specific rights */
6903 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6904 tvb, offset, 4, mask);
6905 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6906 tvb, offset, 4, mask);
6907 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6908 tvb, offset, 4, mask);
6909 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6910 tvb, offset, 4, mask);
6911 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6912 tvb, offset, 4, mask);
6913 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6914 tvb, offset, 4, mask);
6915 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6916 tvb, offset, 4, mask);
6917 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6918 tvb, offset, 4, mask);
6919 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6920 tvb, offset, 4, mask);
/*
 * Dissect the 4-byte, little-endian NT CREATE flags field at `offset`.
 *
 * Adds a "Create Flags: 0x%08x" text item with an ett_smb_nt_create_bits
 * subtree and booleans for the extended-response, directory, batch-oplock
 * and oplock bits. Callers assign the return value back to their offset.
 */
6928 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6931 proto_item *item = NULL;
6932 proto_tree *tree = NULL;
/* bounds-checked read of the whole 32-bit field */
6934 mask = tvb_get_letohl(tvb, offset);
6937 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6938 "Create Flags: 0x%08x", mask);
6939 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6943 * XXX - it's 0x00000016 in at least one capture, but
6944 * Network Monitor doesn't say what the 0x00000010 bit is.
6945 * Does the Win32 API documentation, or NT Native API book,
6948 * That is the extended response desired bit ... RJS, from Samba
6949 * Well, maybe. Samba thinks it is, and uses it to encode
6950 * OpLock granted as the high order bit of the Action field
6951 * in the response. However, Windows does not do that. Or at least
6954 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_ext_resp,
6955 tvb, offset, 4, mask);
6956 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6957 tvb, offset, 4, mask);
6958 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6959 tvb, offset, 4, mask);
6960 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6961 tvb, offset, 4, mask);
6969 * XXX - there are some more flags in the description of "ZwOpenFile()"
6970 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6971 * the wire as well? (The spec at
6973 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6975 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6976 * via the SMB protocol. The NT redirector should convert this option
6977 * to FILE_WRITE_THROUGH."
6979 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6980 * values one would infer from their position in the list of flags for
6981 * "ZwOpenFile()". Most of the others probably have those values
6982 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6983 * which might go over the wire (for the benefit of backup/restore software).
/*
 * Per-bit strings for the 32-bit create options decoded by
 * dissect_nt_create_options(): first string when the bit is set, second
 * when it is clear.
 *
 * NOTE(review): "directory" and "non_directory" are added as two separate
 * booleans, yet each one's clear-bit string asserts the opposite
 * requirement ("must not be a directory" / "must be a directory"). With
 * both bits clear the tree would show two contradictory statements;
 * a clear bit presumably means "no such restriction" - confirm the wording.
 */
6985 static const true_false_string tfs_nt_create_options_directory = {
6986 "File being created/opened must be a directory",
6987 "File being created/opened must not be a directory"
6989 static const true_false_string tfs_nt_create_options_write_through = {
6990 "Writes should flush buffered data before completing",
6991 "Writes need not flush buffered data before completing"
6993 static const true_false_string tfs_nt_create_options_sequential_only = {
6994 "The file will only be accessed sequentially",
6995 "The file might not only be accessed sequentially"
6997 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6998 "All operations SYNCHRONOUS, waits subject to termination from alert",
6999 "Operations NOT necessarily synchronous"
7001 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
7002 "All operations SYNCHRONOUS, waits not subject to alert",
7003 "Operations NOT necessarily synchronous"
7005 static const true_false_string tfs_nt_create_options_non_directory = {
7006 "File being created/opened must not be a directory",
7007 "File being created/opened must be a directory"
7009 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
7010 "The client does not understand extended attributes",
7011 "The client understands extended attributes"
7013 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
7014 "The client understands only 8.3 file names",
7015 "The client understands long file names"
7017 static const true_false_string tfs_nt_create_options_random_access = {
7018 "The file will be accessed randomly",
7019 "The file will not be accessed randomly"
7021 static const true_false_string tfs_nt_create_options_delete_on_close = {
7022 "The file should be deleted when it is closed",
7023 "The file should not be deleted when it is closed"
/*
 * Dissect the 4-byte, little-endian NT create options field at `offset`.
 *
 * Adds a "Create Options: 0x%08x" text item with an
 * ett_smb_nt_create_options subtree and one boolean per option bit.
 * Callers assign the return value back to their offset.
 */
7027 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7030 proto_item *item = NULL;
7031 proto_tree *tree = NULL;
/* bounds-checked read of the whole 32-bit field */
7033 mask = tvb_get_letohl(tvb, offset);
7036 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7037 "Create Options: 0x%08x", mask);
7038 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
7044 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
7046 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
7047 tvb, offset, 4, mask);
7048 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
7049 tvb, offset, 4, mask);
7050 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
7051 tvb, offset, 4, mask);
7052 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
7053 tvb, offset, 4, mask);
7054 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
7055 tvb, offset, 4, mask);
7056 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
7057 tvb, offset, 4, mask);
7058 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
7059 tvb, offset, 4, mask);
7060 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
7061 tvb, offset, 4, mask);
7062 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
7063 tvb, offset, 4, mask);
/* delete-on-close makes the open destructive once the handle is closed,
 * so it is a bit worth checking when reviewing a capture */
7064 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
7065 tvb, offset, 4, mask);
/*
 * Dissect the 4-byte, little-endian change-notify completion filter at
 * `offset`.
 *
 * Adds a "Completion Filter: 0x%08x" text item with an
 * ett_smb_nt_notify_completion_filter subtree and one boolean per
 * NT_NOTIFY_* condition, from stream write down to file name. Callers
 * assign the return value back to their offset.
 */
7073 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7076 proto_item *item = NULL;
7077 proto_tree *tree = NULL;
/* bounds-checked read of the whole 32-bit field */
7079 mask = tvb_get_letohl(tvb, offset);
7082 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7083 "Completion Filter: 0x%08x", mask);
7084 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
7087 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
7088 tvb, offset, 4, mask);
7089 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
7090 tvb, offset, 4, mask);
7091 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
7092 tvb, offset, 4, mask);
7093 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
7094 tvb, offset, 4, mask);
7095 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
7096 tvb, offset, 4, mask);
7097 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
7098 tvb, offset, 4, mask);
7099 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
7100 tvb, offset, 4, mask);
7101 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
7102 tvb, offset, 4, mask);
7103 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
7104 tvb, offset, 4, mask);
7105 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
7106 tvb, offset, 4, mask);
7107 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
7108 tvb, offset, 4, mask);
7109 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
7110 tvb, offset, 4, mask);
/*
 * Dissect the one-byte NT IOCTL flags field at `offset`.
 *
 * Adds a text item with an ett_smb_nt_ioctl_flags subtree and a boolean
 * for the root-handle flag. Callers assign the return value back to their
 * offset (see dissect_nt_trans_setup_request).
 */
7117 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7120 proto_item *item = NULL;
7121 proto_tree *tree = NULL;
/* bounds-checked read of the flags byte */
7123 mask = tvb_get_guint8(tvb, offset);
/* NOTE(review): the label says "Completion Filter" although this item is
 * the IOCTL flags byte (subtree ett_smb_nt_ioctl_flags); the text looks
 * copied from dissect_nt_notify_completion_filter() and mislabels the
 * field in the tree. */
7126 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7127 "Completion Filter: 0x%02x", mask);
7128 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
7131 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
7132 tvb, offset, 1, mask);
7139 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
7140 * Native API Reference".
/*
 * Per-bit strings for the 32-bit security information mask decoded by
 * dissect_security_information_mask(): first string when the bit is set,
 * second when it is clear.
 */
7142 static const true_false_string tfs_nt_qsd_owner = {
7143 "Requesting OWNER security information",
7144 "NOT requesting owner security information",
7147 static const true_false_string tfs_nt_qsd_group = {
7148 "Requesting GROUP security information",
7149 "NOT requesting group security information",
7152 static const true_false_string tfs_nt_qsd_dacl = {
7153 "Requesting DACL security information",
7154 "NOT requesting DACL security information",
7157 static const true_false_string tfs_nt_qsd_sacl = {
7158 "Requesting SACL security information",
7159 "NOT requesting SACL security information",
/*
 * Bit masks of the security information field. The same dissector is
 * called for both NT_TRANS_QSD and NT_TRANS_SSD parameters, so for a set
 * request the "Requesting ..." strings above describe what is being
 * written rather than requested.
 */
7162 #define NT_QSD_OWNER 0x00000001
7163 #define NT_QSD_GROUP 0x00000002
7164 #define NT_QSD_DACL 0x00000004
7165 #define NT_QSD_SACL 0x00000008
/*
 * Dissect the 4-byte, little-endian security information mask at
 * `offset`.
 *
 * Adds a "Security Information: 0x%08x" text item with an
 * ett_smb_security_information_mask subtree and booleans for the owner,
 * group, DACL and SACL bits. Callers assign the return value back to
 * their offset.
 */
7168 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7171 proto_item *item = NULL;
7172 proto_tree *tree = NULL;
/* bounds-checked read of the whole 32-bit field */
7174 mask = tvb_get_letohl(tvb, offset);
7177 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7178 "Security Information: 0x%08x", mask);
7179 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
7182 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
7183 tvb, offset, 4, mask);
7184 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
7185 tvb, offset, 4, mask);
7186 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
7187 tvb, offset, 4, mask);
7188 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
7189 tvb, offset, 4, mask);
/*
 * Dissect an NT user-quota record starting at `offset`.
 *
 * tvb    - packet buffer
 * tree   - tree the fields are added to
 * offset - start of the record
 * bcp    - in/out: remaining byte count (16-bit), reduced as fields are
 *          consumed
 *
 * Layout as decoded here: a 4-byte value shown as the quota offset
 * (qsize), a 4-byte SID length, 8 bytes shown as unknown, three 8-byte
 * quota figures (used, soft limit, hard limit) and the user's SID.
 * Callers assign the return value back to their offset.
 */
7197 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
7199 int old_offset, old_sid_offset;
/* CHECK_/COUNT_BYTES_TRANS_SUBR are defined elsewhere; presumably they
 * verify *bcp covers the field and then advance offset / shrink *bcp */
7205 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* qsize comes straight from the packet and later decides where the next
 * record starts (see the end of this function) */
7206 qsize=tvb_get_letohl(tvb, offset);
7207 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7208 COUNT_BYTES_TRANS_SUBR(4);
7210 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* the SID length is only displayed; it is not used to bound the SID
 * dissection below */
7212 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7213 COUNT_BYTES_TRANS_SUBR(4);
/* NOTE(review): the comment below says 16 bytes, but the byte count
 * checked and consumed is 8 - confirm which is intended. */
7215 /* 16 unknown bytes */
7216 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7217 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7219 COUNT_BYTES_TRANS_SUBR(8);
7221 /* number of bytes for used quota */
7222 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7223 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7224 COUNT_BYTES_TRANS_SUBR(8);
7226 /* number of bytes for quota warning */
7227 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7228 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7229 COUNT_BYTES_TRANS_SUBR(8);
7231 /* number of bytes for quota limit */
7232 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7233 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7234 COUNT_BYTES_TRANS_SUBR(8);
7236 /* SID of the user */
7237 old_sid_offset=offset;
7238 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
/* NOTE(review): *bcp is a guint16 and is reduced by the dissected SID
 * size without a visible check that it is at least that large; if the SID
 * runs past the declared byte count the counter wraps to a large value.
 * Confirm a guard exists or add one. */
7239 *bcp -= (offset-old_sid_offset);
/* NOTE(review): the next position is old_offset plus the wire-supplied
 * qsize. No check is visible that qsize is at least the bytes consumed
 * above or that the sum stays within the int range; a small or huge qsize
 * would move offset backwards, and any iteration driven by it would then
 * fail to make progress. Confirm the surrounding lines validate qsize. */
7242 offset = old_offset+qsize;
/*
 * Dissect the data block of an NT Transact request.
 *
 * tvb/pinfo   - packet buffer and per-packet info
 * offset      - start of the data block
 * parent_tree - tree the data subtree is attached to
 * bc          - number of data bytes (the caller passes the wire-supplied
 *               data count)
 * ntd         - subcommand plus the sd_len/ea_len values recorded by the
 *               parameter dissector
 *
 * The layout depends on ntd->subcmd; bytes not consumed by the
 * subcommand-specific code are added as hf_smb_unknown at the end.
 */
7252 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7254 proto_item *item = NULL;
7255 proto_tree *tree = NULL;
7257 int old_offset = offset;
/* NOTE(review): bc is an int fed from a 32-bit wire field; this narrows
 * it to 16 bits, so a data count above 65535 leaves bcp holding only the
 * low bits while bc keeps the full value. bcp is what
 * dissect_nt_user_quota() uses as its remaining-byte budget. */
7258 guint16 bcp=bc; /* XXX fixme */
7260 si = (smb_info_t *)pinfo->private_data;
7262 DISSECTOR_ASSERT(si);
/* raises a dissector exception unless all bc bytes are in the buffer */
7265 tvb_ensure_bytes_exist(tvb, offset, bc);
7266 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7268 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7269 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7272 switch(ntd->subcmd){
7273 case NT_TRANS_CREATE:
7274 /* security descriptor */
/* sd_len and ea_len were read from the parameter block of the same
 * packet, so both are untrusted lengths */
7276 offset = dissect_nt_sec_desc(
7277 tvb, offset, pinfo, tree, NULL, ntd->sd_len,
7281 /* extended attributes */
/* the item is added with the wire-supplied length first, so the tvb
 * bounds check fires before offset is advanced by ea_len */
7283 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7284 offset += ntd->ea_len;
7288 case NT_TRANS_IOCTL:
/* IOCTL payload is shown as opaque bytes */
7290 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
7295 offset = dissect_nt_sec_desc(
7296 tvb, offset, pinfo, tree, NULL, bc, NULL);
7298 case NT_TRANS_NOTIFY:
7300 case NT_TRANS_RENAME:
7301 /* XXX not documented */
7305 case NT_TRANS_GET_USER_QUOTA:
7306 /* unknown 4 bytes */
7307 proto_tree_add_item(tree, hf_smb_unknown, tvb,
/* the SID length is displayed only; dissect_nt_sid() is not given it */
7312 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7315 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
7317 case NT_TRANS_SET_USER_QUOTA:
7318 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
/* any bytes the subcommand code did not consume are shown as unknown */
7322 /* ooops there were data we didnt know how to process */
7323 if((offset-old_offset) < bc){
7324 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7325 bc - (offset-old_offset), TRUE);
7326 offset += bc - (offset-old_offset);
/*
 * Dissect the parameter block of an NT Transact request.
 *
 * tvb/pinfo   - packet buffer and per-packet info
 * offset      - start of the parameter block
 * parent_tree - tree the parameter subtree is attached to
 * len         - length of the parameter block
 * ntd         - in/out: subcmd selects the layout; for NT_TRANS_CREATE
 *               sd_len and ea_len are filled in for the data dissector
 * bc          - remaining byte count, passed on to the string reader
 */
7333 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7335 proto_item *item = NULL;
7336 proto_tree *tree = NULL;
7341 si = (smb_info_t *)pinfo->private_data;
7343 DISSECTOR_ASSERT(si);
7346 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7348 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7349 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7352 switch(ntd->subcmd){
7353 case NT_TRANS_CREATE:
7355 offset = dissect_nt_create_bits(tvb, tree, offset);
7358 /* root directory fid */
7359 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7362 /* nt access mask */
7363 offset = dissect_smb_access_mask(tvb, tree, offset);
7366 /* allocation size */
7367 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7370 /* Extended File Attributes */
7371 offset = dissect_file_ext_attr(tvb, tree, offset);
7375 offset = dissect_nt_share_access(tvb, tree, offset);
7378 /* create disposition */
7379 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7382 /* create options */
7383 offset = dissect_nt_create_options(tvb, tree, offset);
/* security descriptor and EA list lengths are taken as-is from the
 * packet and stored for dissect_nt_trans_data_request(); they are not
 * range-checked here */
7387 ntd->sd_len = tvb_get_letohl(tvb, offset);
7388 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7392 ntd->ea_len = tvb_get_letohl(tvb, offset);
7393 proto_tree_add_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ntd->ea_len);
/* file name length as declared on the wire; fn_len is passed by pointer
 * to get_unicode_or_ascii_string() below, which presumably adjusts it to
 * what was actually read */
7397 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7398 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7401 /* impersonation level */
7402 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
7405 /* security flags */
7406 offset = dissect_nt_security_flags(tvb, tree, offset);
/* file name, decoded as Unicode or ASCII according to si->unicode */
7410 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
7412 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7414 COUNT_BYTES(fn_len);
7418 case NT_TRANS_IOCTL:
7420 case NT_TRANS_SSD: {
/* set security descriptor: FID, 2 reserved bytes, information mask */
7424 fid = tvb_get_letohs(tvb, offset);
7425 add_fid(tvb, pinfo, tree, offset, 2, fid);
7428 /* 2 reserved bytes */
7429 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7432 /* security information */
7433 offset = dissect_security_information_mask(tvb, tree, offset);
7436 case NT_TRANS_NOTIFY:
7438 case NT_TRANS_RENAME:
7439 /* XXX not documented */
7441 case NT_TRANS_QSD: {
/* query security descriptor: same layout as the SSD case above */
7445 fid = tvb_get_letohs(tvb, offset);
7446 add_fid(tvb, pinfo, tree, offset, 2, fid);
7449 /* 2 reserved bytes */
7450 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7453 /* security information */
7454 offset = dissect_security_information_mask(tvb, tree, offset);
7457 case NT_TRANS_GET_USER_QUOTA:
7458 /* not decoded yet */
7460 case NT_TRANS_SET_USER_QUOTA:
7461 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transact request.
 *
 * tvb/pinfo   - packet buffer and per-packet info
 * offset      - start of the setup block
 * parent_tree - tree the setup subtree is attached to
 * len         - setup length in bytes (the caller passes setup count * 2)
 * ntd         - subcmd selects the layout
 *
 * Returns old_offset + len, i.e. the end of the setup block, regardless
 * of how many bytes the subcommand-specific code decoded.
 */
7469 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7471 proto_item *item = NULL;
7472 proto_tree *tree = NULL;
7474 int old_offset = offset;
7476 si = (smb_info_t *)pinfo->private_data;
7478 DISSECTOR_ASSERT(si);
/* raises a dissector exception unless all len bytes are in the buffer */
7481 tvb_ensure_bytes_exist(tvb, offset, len);
7482 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7484 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7485 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7488 switch(ntd->subcmd){
7489 case NT_TRANS_CREATE:
7491 case NT_TRANS_IOCTL: {
/* IOCTL setup: 4-byte function code, 2-byte FID, IsFsctl byte, flags */
7495 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
7499 fid = tvb_get_letohs(tvb, offset);
7500 add_fid(tvb, pinfo, tree, offset, 2, fid);
7504 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
7508 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
7514 case NT_TRANS_NOTIFY: {
/* NOTIFY setup: completion filter, 2-byte FID, watch-tree byte, and one
 * reserved byte */
7517 /* completion filter */
7518 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
7521 fid = tvb_get_letohs(tvb, offset);
7522 add_fid(tvb, pinfo, tree, offset, 2, fid);
7526 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
7530 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7535 case NT_TRANS_RENAME:
7536 /* XXX not documented */
7540 case NT_TRANS_GET_USER_QUOTA:
7541 /* not decoded yet */
7543 case NT_TRANS_SET_USER_QUOTA:
7544 /* not decoded yet */
/* skip to the end of the declared setup block */
7548 return old_offset+len;
/*
 * Dissect an NT Transact request (primary or secondary).
 *
 * Decodes the fixed header (counts, offsets and displacements for the
 * parameter and data blocks, setup count, subcommand), then hands the
 * setup, parameter and data blocks to the dissect_nt_trans_*_request()
 * helpers. For a primary request the subcommand is also stored in a
 * session-allocated smb_nt_transact_info_t so the response can be
 * decoded later.
 *
 * Every count and offset below is read from the packet and is therefore
 * untrusted; the padding and block lengths derived from them are what
 * the CHECK_BYTE_COUNT() calls are guarding.
 *
 * NOTE(review): pinfo is marked _U_ (unused) in the signature but is
 * dereferenced in the body.
 */
7553 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
7556 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
7558 smb_saved_info_t *sip;
7563 smb_nt_transact_info_t *nti;
7565 si = (smb_info_t *)pinfo->private_data;
7566 DISSECTOR_ASSERT(si);
7572 /* primary request */
7573 /* max setup count */
7574 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
7577 /* 2 reserved bytes */
7578 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7581 /* secondary request */
7582 /* 3 reserved bytes */
7583 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7588 /* total param count */
7589 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
7592 /* total data count */
7593 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
7597 /* primary request */
7598 /* max param count */
7599 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
7602 /* max data count */
7603 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
/* parameter count and offset for this packet, as declared on the wire */
7608 pc = tvb_get_letohl(tvb, offset);
7609 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7613 po = tvb_get_letohl(tvb, offset);
7614 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7617 /* param displacement */
7619 /* primary request*/
7622 /* secondary request */
7623 pd = tvb_get_letohl(tvb, offset);
7624 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
/* data count and offset for this packet, as declared on the wire */
7629 dc = tvb_get_letohl(tvb, offset);
7630 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7634 od = tvb_get_letohl(tvb, offset);
7635 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7638 /* data displacement */
7640 /* primary request */
7643 /* secondary request */
7644 dd = tvb_get_letohl(tvb, offset);
7645 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7651 /* primary request */
/* setup count is a single byte, so the setup block passed on below
 * (sc*2 bytes) is at most 510 bytes */
7652 sc = tvb_get_guint8(tvb, offset);
7653 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7656 /* secondary request */
7662 /* primary request */
7663 subcmd = tvb_get_letohs(tvb, offset);
7664 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
7665 if(check_col(pinfo->cinfo, COL_INFO)){
7666 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7667 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
7669 ntd.subcmd = subcmd;
/* first pass over this frame only: remember the subcommand so the
 * matching response can select its layout */
7671 if(!pinfo->fd->flags.visited && sip){
7673 * Allocate a new smb_nt_transact_info_t
7676 nti = se_alloc(sizeof(smb_nt_transact_info_t));
7677 nti->subcmd = subcmd;
7678 sip->extra_info = nti;
7679 sip->extra_info_type = SMB_EI_NTI;
7683 /* secondary request */
7684 if(check_col(pinfo->cinfo, COL_INFO)){
7685 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
7690 /* this is a padding byte */
7693 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
7697 /* if there were any setup bytes, decode them */
7699 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
/* padding up to the wire-supplied parameter offset; the computation of
 * padcnt is on lines not visible here - NOTE(review): confirm it is
 * limited to the remaining byte count before being consumed */
7706 if(po>(guint32)offset){
7707 /* We have some initial padding bytes.
7712 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7713 COUNT_BYTES(padcnt);
/* the declared parameter count is checked against the byte count before
 * the parameter block is dissected */
7716 CHECK_BYTE_COUNT(pc);
7717 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
/* same pattern for the data block */
7722 if(od>(guint32)offset){
7723 /* We have some initial padding bytes.
7728 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7729 COUNT_BYTES(padcnt);
7732 CHECK_BYTE_COUNT(dc);
/* dc is a guint32 passed to an int parameter, which the callee narrows
 * again to a guint16 for its quota byte counter */
7733 dissect_nt_trans_data_request(
7734 tvb, pinfo, offset, tree, dc, &ntd);
/*
 * Dissect the data block of an NT Transact response.
 *
 * tvb/pinfo   - packet buffer and per-packet info
 * offset      - start of the data block
 * parent_tree - tree the data subtree is attached to
 * len         - length of the data block
 * ntd         - unused here (marked _U_)
 *
 * A response does not carry the subcommand, so the layout is chosen from
 * the smb_nt_transact_info_t saved when the request was dissected. When
 * no matching request was seen the block is only labelled as unknown.
 */
7746 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
7747 int offset, proto_tree *parent_tree, int len,
7748 nt_trans_data *ntd _U_)
7750 proto_item *item = NULL;
7751 proto_tree *tree = NULL;
7753 smb_nt_transact_info_t *nti;
7756 si = (smb_info_t *)pinfo->private_data;
7757 DISSECTOR_ASSERT(si);
/* only trust extra_info as an smb_nt_transact_info_t when its type tag
 * says so */
7759 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
7760 nti = si->sip->extra_info;
/* raises a dissector exception unless all len bytes are in the buffer */
7765 tvb_ensure_bytes_exist(tvb, offset, len);
7767 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7769 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7772 * We never saw the request to which this is a
7775 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7776 "Unknown NT Transaction Data (matching request not seen)");
7778 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
/* NOTE(review): nti has no value on the "matching request not seen"
 * path; confirm the lines just before this switch return early in that
 * case, since nti->subcmd is dereferenced here unconditionally. */
7785 switch(nti->subcmd){
7786 case NT_TRANS_CREATE:
7788 case NT_TRANS_IOCTL:
/* IOCTL reply payload is shown as opaque bytes */
7790 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
7796 case NT_TRANS_NOTIFY:
7798 case NT_TRANS_RENAME:
7799 /* XXX not documented */
7801 case NT_TRANS_QSD: {
7803 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
7804 * which may be documented in the Win32 documentation
7807 offset = dissect_nt_sec_desc(
7808 tvb, offset, pinfo, tree, NULL, len, NULL);
7811 case NT_TRANS_GET_USER_QUOTA:
/* quota records returned by the server; bcp is the 16-bit remaining-byte
 * counter the quota dissector decrements */
7813 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
7815 case NT_TRANS_SET_USER_QUOTA:
7816 /* not decoded yet */
/*
 * Dissect the parameter block of an NT Transaction response.
 *
 * The subcommand comes from the smb_nt_transact_info_t saved with the
 * request (si->sip->extra_info, type SMB_EI_NTI).  len is the size of the
 * parameter block and bc the byte count still available; both are derived
 * by the caller from values read out of the packet.
 *
 * NOTE(review): this listing omits source lines (the gutter numbers skip).
 * In particular the checks that follow each "broken implementations"
 * comment and the NULL handling for nti are not visible - confirm them in
 * the full file before relying on the notes below.
 */
7824 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
7825 int offset, proto_tree *parent_tree,
7826 int len, nt_trans_data *ntd _U_, guint16 bc)
7828 proto_item *item = NULL;
7829 proto_tree *tree = NULL;
7833 smb_nt_transact_info_t *nti;
7839 si = (smb_info_t *)pinfo->private_data;
7840 DISSECTOR_ASSERT(si);
/* Only trust extra_info as an smb_nt_transact_info_t when its type tag says so. */
7842 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
7843 nti = si->sip->extra_info;
/* Throws if the packet does not hold len bytes at offset. */
7848 tvb_ensure_bytes_exist(tvb, offset, len);
7850 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7852 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7855 * We never saw the request to which this is a
7858 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7859 "Unknown NT Transaction Parameters (matching request not seen)");
7861 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7868 switch(nti->subcmd){
7869 case NT_TRANS_CREATE:
/* Fixed-layout create reply: each field is added at offset with a constant width. */
7871 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
7875 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7879 fid = tvb_get_letohs(tvb, offset);
7880 add_fid(tvb, pinfo, tree, offset, 2, fid);
7884 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
7887 /* ea error offset */
7888 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
7892 offset = dissect_nt_64bit_time(tvb, tree, offset,
7893 hf_smb_create_time);
7896 offset = dissect_nt_64bit_time(tvb, tree, offset,
7897 hf_smb_access_time);
7899 /* last write time */
7900 offset = dissect_nt_64bit_time(tvb, tree, offset,
7901 hf_smb_last_write_time);
7903 /* last change time */
7904 offset = dissect_nt_64bit_time(tvb, tree, offset,
7905 hf_smb_change_time);
7907 /* Extended File Attributes */
7908 offset = dissect_file_ext_attr(tvb, tree, offset);
7910 /* allocation size */
7911 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7915 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
7919 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
7923 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
7926 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
7929 case NT_TRANS_IOCTL:
7933 case NT_TRANS_NOTIFY:
/*
 * Notify replies are a chain of variable-length entries.  old_offset marks
 * the start of the current entry so the next one can be located from the
 * entry's own "next entry offset" field.
 */
7935 old_offset = offset;
7937 /* next entry offset */
/* neo is a 32-bit value taken straight from the packet. */
7938 neo = tvb_get_letohl(tvb, offset);
7939 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
7942 /* broken implementations */
7946 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
7949 /* broken implementations */
/* fn_len is likewise a 32-bit length supplied by the sender. */
7953 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7954 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7957 /* broken implementations */
/*
 * fn_len and bc are passed by address, so the helper can adjust the length
 * it actually used.  NOTE(review): the check of fn for NULL is not visible
 * in this listing - verify it precedes proto_tree_add_string().
 */
7961 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
7964 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7966 COUNT_BYTES(fn_len);
7968 /* broken implementations */
7972 break; /* no more structures */
7974 /* skip to next structure */
/*
 * padcnt is computed from the sender's neo.  NOTE(review): a neo that points
 * before the current offset makes this negative; the handling (see the
 * "bogus" remark below) is not visible here - confirm the loop cannot be
 * made to move backwards or stall.
 */
7975 padcnt = (old_offset + neo) - offset;
7978 * XXX - this is bogus; flag it?
7983 COUNT_BYTES(padcnt);
7985 /* broken implementations */
7990 case NT_TRANS_RENAME:
7991 /* XXX not documented */
7995 * This appears to be the size of the security
7996 * descriptor; the calling sequence of
7997 * "ZwQuerySecurityObject()" suggests that it would
7998 * be. The actual security descriptor wouldn't
7999 * follow if the max data count in the request
8000 * was smaller; this lets the client know how
8001 * big a buffer it needs to provide.
8003 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
8006 case NT_TRANS_GET_USER_QUOTA:
/* The 32-bit size is read unsigned but printed with %d, so large values show as negative. */
8007 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
8008 tvb_get_letohl(tvb, offset));
8011 case NT_TRANS_SET_USER_QUOTA:
8012 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transaction response.
 *
 * Adds one text item covering len bytes at offset, named after the
 * subcommand saved with the request, then switches on that subcommand.
 * None of the cases visible in this listing decodes any field.
 *
 * NOTE(review): this listing omits source lines (the gutter numbers skip).
 * nti is assigned only when the saved info has type SMB_EI_NTI, so the
 * nti->subcmd reads below need a NULL check - confirm in the full file.
 */
8020 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
8021 int offset, proto_tree *parent_tree,
8022 int len, nt_trans_data *ntd _U_)
8024 proto_item *item = NULL;
8025 proto_tree *tree = NULL;
8027 smb_nt_transact_info_t *nti;
8029 si = (smb_info_t *)pinfo->private_data;
8030 DISSECTOR_ASSERT(si);
/* Only trust extra_info as an smb_nt_transact_info_t when its type tag says so. */
8032 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
8033 nti = si->sip->extra_info;
/* len is sc*2 in the caller, where sc is a byte read from the packet; throws if those bytes are absent. */
8038 tvb_ensure_bytes_exist(tvb, offset, len);
8040 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8042 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8045 * We never saw the request to which this is a
8048 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8049 "Unknown NT Transaction Setup (matching request not seen)");
8051 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8058 switch(nti->subcmd){
8059 case NT_TRANS_CREATE:
8061 case NT_TRANS_IOCTL:
8065 case NT_TRANS_NOTIFY:
8067 case NT_TRANS_RENAME:
8068 /* XXX not documented */
8072 case NT_TRANS_GET_USER_QUOTA:
8073 /* not decoded yet */
8075 case NT_TRANS_SET_USER_QUOTA:
8076 /* not decoded yet */
/*
 * Dissect an NT Transaction response.
 *
 * Reads the total/param/data counts, offsets and displacements and the
 * setup count from the packet, optionally reassembles the parameter and
 * data blocks across fragments (smb_trans_reassembly), and hands the
 * blocks to dissect_nt_trans_setup_response(), _param_response() and
 * _data_response().  pinfo->fragmented is saved on entry to the reassembly
 * section and restored at the end.
 *
 * Every count and offset used here is supplied by the sender.
 *
 * NOTE(review), to confirm against the full file (this listing omits
 * source lines, the gutter numbers skip):
 *  - pinfo is marked _U_ in the signature but is used throughout.
 *  - ntd is a function-local static, so its contents persist between
 *    calls; no reset is visible in this listing.
 *  - In the non-reassembled path the parameter-side padding is preceded by
 *    tvb_ensure_bytes_exist(tvb, offset, padcnt) but the data-side padding
 *    is not; check whether COUNT_BYTES(padcnt) alone is sufficient there.
 */
8084 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8087 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
8090 smb_nt_transact_info_t *nti;
8091 static nt_trans_data ntd;
8094 fragment_data *r_fd = NULL;
8095 tvbuff_t *pd_tvb=NULL;
8096 gboolean save_fragmented;
8098 si = (smb_info_t *)pinfo->private_data;
8099 DISSECTOR_ASSERT(si);
/* Only trust extra_info as an smb_nt_transact_info_t when its type tag says so. */
8101 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
8102 nti = si->sip->extra_info;
8106 /* primary request */
/* Zero-length item at offset 0: the subcommand is not in this packet, it comes from the saved request. */
8108 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
8109 if(check_col(pinfo->cinfo, COL_INFO)){
8110 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8111 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
8114 proto_tree_add_text(tree, tvb, offset, 0,
8115 "Function: <unknown function - could not find matching request>");
8116 if(check_col(pinfo->cinfo, COL_INFO)){
8117 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8123 /* 3 reserved bytes */
8124 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8127 /* total param count */
8128 tp = tvb_get_letohl(tvb, offset);
8129 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8132 /* total data count */
8133 td = tvb_get_letohl(tvb, offset);
8134 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8138 pc = tvb_get_letohl(tvb, offset);
8139 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8143 po = tvb_get_letohl(tvb, offset);
8144 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8147 /* param displacement */
8148 pd = tvb_get_letohl(tvb, offset);
8149 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8153 dc = tvb_get_letohl(tvb, offset);
8154 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8158 od = tvb_get_letohl(tvb, offset);
8159 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8162 /* data displacement */
8163 dd = tvb_get_letohl(tvb, offset);
8164 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
/* sc is one byte, so the setup length sc*2 passed below is at most 510. */
8168 sc = tvb_get_guint8(tvb, offset);
8169 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8174 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8180 /* reassembly of SMB NT Transaction data payload.
8181 In this section we do reassembly of both the data and parameters
8182 blocks of the SMB transaction command.
8184 save_fragmented = pinfo->fragmented;
8185 /* do we need reassembly? */
8186 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8187 /* oh yeah, either data or parameter section needs
8190 pinfo->fragmented = TRUE;
8191 if(smb_trans_reassembly){
8192 /* ...and we were told to do reassembly */
/*
 * A fragment is only submitted when the packet holds at least pc (or dc)
 * bytes from po (or od).
 * NOTE(review): if tvb_length_remaining() reports an out-of-range offset
 * as -1 in this version, the unsigned cast turns that into a very large
 * value and the comparison passes; confirm smb_trans_defragment()
 * re-validates the offset/count pair.  dd+tp and td+tp are sums of
 * sender-supplied values and can wrap.
 */
8193 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8194 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8198 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8199 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8200 od, dc, dd+tp, td+tp);
8205 /* if we got a reassembled fd structure from the reassembly routine we
8206 must create pd_tvb from it
8209 proto_item *frag_tree_item;
8211 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8213 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8214 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
8216 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
8221 /* we have reassembled data, grab param and data from there */
/*
 * In the reassembled buffer the parameters start at 0 and the data at tp.
 * The (guint16) cast keeps only the low 16 bits of the reassembled length,
 * so bc under-reports for a buffer of 64 KiB or more.
 */
8222 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8223 &ntd, (guint16) tvb_length(pd_tvb));
8224 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8226 /* we do not have reassembled data, just use what we have in the
8227 packet as well as we can */
8229 if(po>(guint32)offset){
8230 /* We have some initial padding bytes.
8235 tvb_ensure_bytes_exist(tvb, offset, padcnt);
8236 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8237 COUNT_BYTES(padcnt);
8240 CHECK_BYTE_COUNT(pc);
8241 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8246 if(od>(guint32)offset){
8247 /* We have some initial padding bytes.
8252 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8253 COUNT_BYTES(padcnt);
8256 CHECK_BYTE_COUNT(dc);
8257 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8261 pinfo->fragmented = save_fragmented;
8268 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8269 NT Transaction command ends here
8270 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8272 static const value_string print_mode_vals[] = {
8274 {1, "Graphics Mode"},
/*
 * Dissect an Open Print File request: setup length, print mode, a buffer
 * format byte and the print identifier string.
 *
 * NOTE(review): this listing omits source lines (the gutter numbers skip);
 * the check of fn for NULL after get_unicode_or_ascii_string() is not
 * visible - verify it precedes proto_tree_add_string().
 */
8279 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8281 smb_info_t *si = pinfo->private_data;
8287 DISSECTOR_ASSERT(si);
8292 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8296 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8302 CHECK_BYTE_COUNT(1);
8303 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8306 /* print identifier */
/* fn_len and bc are passed by address so the helper can report the length it used. */
8307 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
8310 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8312 COUNT_BYTES(fn_len);
/*
 * Dissect a Write Print File request: the FID, a buffer format byte, a
 * 16-bit data length and the file data itself.
 *
 * NOTE(review): pinfo is marked _U_ in the signature but is passed to
 * add_fid() below.
 */
8321 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8330 fid = tvb_get_letohs(tvb, offset);
8331 add_fid(tvb, pinfo, tree, offset, 2, fid);
8337 CHECK_BYTE_COUNT(1);
8338 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8342 CHECK_BYTE_COUNT(2);
8343 cnt = tvb_get_letohs(tvb, offset);
8344 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
/*
 * cnt comes from the packet and is passed as both length arguments.
 * NOTE(review): no comparison of cnt with the remaining byte count is
 * visible in this listing; confirm dissect_file_data() bounds it.
 */
8348 offset = dissect_file_data(tvb, tree, offset, (guint16) cnt, (guint16) cnt);
8356 static const value_string print_status_vals[] = {
8357 {1, "Held or Stopped"},
8359 {3, "Awaiting print"},
8360 {4, "In intercept"},
8361 {5, "File had error"},
8362 {6, "Printer error"},
/*
 * Dissect a Get Print Queue request: two 16-bit little-endian fields, the
 * maximum entry count and the start index.  Both are displayed only; no
 * value from them is used in the lines visible here.
 */
8367 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8375 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8379 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
/*
 * Dissect one print-queue entry inside a Get Print Queue response.
 *
 * The entry is added as a 28-byte item holding a date/time, a status byte,
 * the spool file number and size, a reserved byte and the spool file name.
 * *bcp is the remaining byte count; the *_SUBR macros are defined elsewhere
 * in the file and presumably check and update it through bcp and report
 * truncation through trunc - verify against their definitions.
 */
8390 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8391 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8393 proto_item *item = NULL;
8394 proto_tree *tree = NULL;
8395 smb_info_t *si = pinfo->private_data;
8399 DISSECTOR_ASSERT(si);
8402 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8404 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
/* Each field is checked against the remaining byte count before it is read. */
8408 CHECK_BYTE_COUNT_SUBR(4);
8409 offset = dissect_smb_datetime(tvb, tree, offset,
8410 hf_smb_print_queue_date,
8411 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8415 CHECK_BYTE_COUNT_SUBR(1);
8416 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8417 COUNT_BYTES_SUBR(1);
8419 /* spool file number */
8420 CHECK_BYTE_COUNT_SUBR(2);
8421 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
8422 COUNT_BYTES_SUBR(2);
8424 /* spool file size */
8425 CHECK_BYTE_COUNT_SUBR(4);
8426 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
8427 COUNT_BYTES_SUBR(4);
8430 CHECK_BYTE_COUNT_SUBR(1);
8431 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8432 COUNT_BYTES_SUBR(1);
/*
 * The name item is added with a fixed width of 16 while the offset advances
 * by fn_len.  NOTE(review): the line that sets fn_len before this call is
 * not visible in this listing; confirm the two lengths agree.
 */
8436 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
8437 CHECK_STRING_SUBR(fn);
8438 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
8440 COUNT_BYTES_SUBR(fn_len);
/*
 * Dissect a Get Print Queue response: entry count, restart index, a buffer
 * format byte, a 16-bit data length and then the queue entries, each
 * decoded by dissect_print_queue_element().
 *
 * NOTE(review): cnt and len are read from the packet.  The loop condition
 * around the element call is not visible in this listing; confirm it is
 * driven by the remaining length and stops on truncation rather than
 * trusting cnt alone.
 */
8447 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8457 cnt = tvb_get_letohs(tvb, offset);
8458 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
8462 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
8468 CHECK_BYTE_COUNT(1);
8469 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8473 CHECK_BYTE_COUNT(2);
8474 len = tvb_get_letohs(tvb, offset);
8475 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
8478 /* queue elements */
8480 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
/*
 * Dissect a Send Single Block Message request: originator name,
 * destination name and message text, each preceded by a buffer format
 * byte; the message also carries a 16-bit length.
 *
 * The two names are NUL-terminated strings whose size is measured with
 * tvb_strsize(), i.e. against the packet buffer, not against the declared
 * byte count.  CHECK_BYTE_COUNT(name_len) is applied only after that
 * measurement, which is what the existing XXX remarks point at.
 */
8493 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8498 guint16 message_len;
8505 CHECK_BYTE_COUNT(1);
8506 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8509 /* originator name */
8510 /* XXX - what if this runs past bc? */
/* tvb_strsize() includes the terminating NUL and throws if none is found in the buffer. */
8511 name_len = tvb_strsize(tvb, offset);
8512 CHECK_BYTE_COUNT(name_len);
8513 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
8515 COUNT_BYTES(name_len);
8518 CHECK_BYTE_COUNT(1);
8519 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8522 /* destination name */
8523 /* XXX - what if this runs past bc? */
8524 name_len = tvb_strsize(tvb, offset);
8525 CHECK_BYTE_COUNT(name_len);
8526 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
8528 COUNT_BYTES(name_len);
8531 CHECK_BYTE_COUNT(1);
8532 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8536 CHECK_BYTE_COUNT(2);
8537 message_len = tvb_get_letohs(tvb, offset);
8538 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
/* The sender-supplied message length is checked against the remaining byte count before use. */
8543 CHECK_BYTE_COUNT(message_len);
8544 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
8546 COUNT_BYTES(message_len);
/*
 * Dissect a Send Multi-Block Message Start request: originator name and
 * destination name, each preceded by a buffer format byte.
 *
 * Both names are NUL-terminated strings sized with tvb_strsize() against
 * the packet buffer; the comparison with the declared byte count
 * (CHECK_BYTE_COUNT) happens after the measurement, as the XXX remarks
 * note.
 */
8554 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8565 CHECK_BYTE_COUNT(1);
8566 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8569 /* originator name */
8570 /* XXX - what if this runs past bc? */
/* tvb_strsize() includes the terminating NUL and throws if none is found in the buffer. */
8571 name_len = tvb_strsize(tvb, offset);
8572 CHECK_BYTE_COUNT(name_len);
8573 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
8575 COUNT_BYTES(name_len);
8578 CHECK_BYTE_COUNT(1);
8579 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8582 /* destination name */
8583 /* XXX - what if this runs past bc? */
8584 name_len = tvb_strsize(tvb, offset);
8585 CHECK_BYTE_COUNT(name_len);
8586 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
8588 COUNT_BYTES(name_len);
/*
 * Dissect a message group ID: a single 16-bit little-endian field added at
 * offset.  The value is displayed only.
 */
8596 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8603 /* message group ID */
8604 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
/*
 * Dissect a Send Multi-Block Message Text request: a buffer format byte, a
 * 16-bit message length and the message bytes.
 */
8615 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8619 guint16 message_len;
8626 CHECK_BYTE_COUNT(1);
8627 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8631 CHECK_BYTE_COUNT(2);
8632 message_len = tvb_get_letohs(tvb, offset);
8633 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
/* The sender-supplied length is checked against the remaining byte count before the message is added. */
8638 CHECK_BYTE_COUNT(message_len);
8639 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
8641 COUNT_BYTES(message_len);
/*
 * Dissect a forwarded name: a buffer format byte followed by a
 * NUL-terminated name.
 *
 * The name is sized with tvb_strsize() against the packet buffer and only
 * then compared with the declared byte count, as the XXX remark notes.
 */
8649 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8660 CHECK_BYTE_COUNT(1);
8661 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8664 /* forwarded name */
8665 /* XXX - what if this runs past bc? */
/* tvb_strsize() includes the terminating NUL and throws if none is found in the buffer. */
8666 name_len = tvb_strsize(tvb, offset);
8667 CHECK_BYTE_COUNT(name_len);
8668 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
8670 COUNT_BYTES(name_len);
/*
 * Dissect a Get Machine Name response: a buffer format byte followed by a
 * NUL-terminated machine name.
 *
 * The name is sized with tvb_strsize() against the packet buffer and only
 * then compared with the declared byte count, as the XXX remark notes.
 */
8678 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8689 CHECK_BYTE_COUNT(1);
8690 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8694 /* XXX - what if this runs past bc? */
/* tvb_strsize() includes the terminating NUL and throws if none is found in the buffer. */
8695 name_len = tvb_strsize(tvb, offset);
8696 CHECK_BYTE_COUNT(name_len);
8697 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
8699 COUNT_BYTES(name_len);
/*
 * Dissect an NT Create AndX request.
 *
 * Decodes the AndX header (next command, reserved byte, AndX offset), the
 * create parameters (flags, root directory FID, access mask, allocation
 * size, attributes, share access, disposition, options, impersonation
 * level, security flags) and the file name, appends the path to the Info
 * column, and then dissects the chained AndX command at andxoffset.
 *
 * NOTE(review): this listing omits source lines (the gutter numbers skip);
 * the check of fn for NULL is not visible, and strlen(fn) below depends on
 * it - verify in the full file.
 */
8708 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8710 guint8 wc, cmd=0xff;
8711 guint16 andxoffset=0;
8713 smb_info_t *si = pinfo->private_data;
8717 DISSECTOR_ASSERT(si);
8721 /* next smb command */
8722 cmd = tvb_get_guint8(tvb, offset);
8724 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8726 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
8731 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is supplied by the sender and later used as the start of the next command. */
8735 andxoffset = tvb_get_letohs(tvb, offset);
8736 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8740 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* File name length as declared by the sender; passed by address to the string helper below. */
8744 fn_len = tvb_get_letohs(tvb, offset);
8745 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
8749 offset = dissect_nt_create_bits(tvb, tree, offset);
8751 /* root directory fid */
8752 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8755 /* nt access mask */
8756 offset = dissect_smb_access_mask(tvb, tree, offset);
8758 /* allocation size */
8759 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8762 /* Extended File Attributes */
8763 offset = dissect_file_ext_attr(tvb, tree, offset);
8766 offset = dissect_nt_share_access(tvb, tree, offset);
8768 /* create disposition */
8769 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8772 /* create options */
8773 offset = dissect_nt_create_options(tvb, tree, offset);
8775 /* impersonation level */
8776 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8779 /* security flags */
8780 offset = dissect_nt_security_flags(tvb, tree, offset);
8785 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
8788 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8790 COUNT_BYTES(fn_len);
/* The path goes through format_text() before it is shown in the Info column. */
8792 if (check_col(pinfo->cinfo, COL_INFO)) {
8793 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8794 format_text(fn, strlen(fn)));
/*
 * Reject a non-zero AndX offset that points before the bytes already
 * dissected, presumably so a malformed chain cannot send the dissector back
 * over earlier data.
 */
8799 if (andxoffset != 0 && andxoffset < offset)
8800 THROW(ReportedBoundsError);
8802 /* call AndXCommand (if there are any) */
8803 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an NT Create AndX response.
 *
 * Decodes the AndX header (next command, reserved byte, AndX offset), the
 * oplock level, FID, create action, the four 64-bit timestamps, extended
 * attributes, allocation size, end of file, file type, IPC state and the
 * is-directory flag, and then dissects the chained AndX command at
 * andxoffset.
 */
8810 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8812 guint8 wc, cmd=0xff;
8813 guint16 andxoffset=0;
8819 /* next smb command */
8820 cmd = tvb_get_guint8(tvb, offset);
8822 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8824 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
8829 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is supplied by the sender and later used as the start of the next command. */
8833 andxoffset = tvb_get_letohs(tvb, offset);
8834 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8838 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8842 fid = tvb_get_letohs(tvb, offset);
8843 add_fid(tvb, pinfo, tree, offset, 2, fid);
8847 /*XXX is this really the same as create disposition in the request? it looks so*/
8848 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
8849 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8853 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
8856 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
8858 /* last write time */
8859 offset = dissect_nt_64bit_time(tvb, tree, offset,
8860 hf_smb_last_write_time);
8862 /* last change time */
8863 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
8865 /* Extended File Attributes */
8866 offset = dissect_file_ext_attr(tvb, tree, offset);
8868 /* allocation size */
8869 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8873 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8877 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8881 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8884 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
/*
 * Reject a non-zero AndX offset that points before the bytes already
 * dissected, presumably so a malformed chain cannot send the dissector back
 * over earlier data.
 */
8891 if (andxoffset != 0 && andxoffset < offset)
8892 THROW(ReportedBoundsError);
8894 /* call AndXCommand (if there are any) */
8895 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
8902 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8916 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8917 BEGIN Transaction/Transaction2 Primary and secondary requests
8918 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8921 const value_string trans2_cmd_vals[] = {
8923 { 0x01, "FIND_FIRST2" },
8924 { 0x02, "FIND_NEXT2" },
8925 { 0x03, "QUERY_FS_INFO" },
8926 { 0x04, "SET_FS_QUOTA" },
8927 { 0x05, "QUERY_PATH_INFO" },
8928 { 0x06, "SET_PATH_INFO" },
8929 { 0x07, "QUERY_FILE_INFO" },
8930 { 0x08, "SET_FILE_INFO" },
8933 { 0x0B, "FIND_NOTIFY_FIRST" },
8934 { 0x0C, "FIND_NOTIFY_NEXT" },
8935 { 0x0D, "CREATE_DIRECTORY" },
8936 { 0x0E, "SESSION_SETUP" },
8937 { 0x10, "GET_DFS_REFERRAL" },
8938 { 0x11, "REPORT_DFS_INCONSISTENCY" },
8942 static const true_false_string tfs_tf_dtid = {
8943 "Also DISCONNECT TID",
8944 "Do NOT disconnect TID"
8946 static const true_false_string tfs_tf_owt = {
8947 "One Way Transaction (NO RESPONSE)",
8948 "Two way transaction"
8951 static const true_false_string tfs_ff2_backup = {
8952 "Find WITH backup intent",
8955 static const true_false_string tfs_ff2_continue = {
8956 "CONTINUE search from previous position",
8957 "New search, do NOT continue from previous position"
8959 static const true_false_string tfs_ff2_resume = {
8960 "Return RESUME keys",
8961 "Do NOT return resume keys"
8963 static const true_false_string tfs_ff2_close_eos = {
8964 "CLOSE search if END OF SEARCH is reached",
8965 "Do NOT close search if end of search reached"
8967 static const true_false_string tfs_ff2_close = {
8968 "CLOSE search after this request",
8969 "Do NOT close search after this request"
8975 static const value_string ff2_il_vals[] = {
8976 { 1, "Info Standard"},
8977 { 2, "Info Query EA Size"},
8978 { 3, "Info Query EAs From List"},
8979 { 0x0101, "Find File Directory Info"},
8980 { 0x0102, "Find File Full Directory Info"},
8981 { 0x0103, "Find File Names Info"},
8982 { 0x0104, "Find File Both Directory Info"},
8983 { 0x0202, "Find File UNIX"},
8988 TRANS2_QUERY_PATH_INFORMATION
8989 TRANS2_QUERY_FILE_INFORMATION
8991 static const value_string qpi_loi_vals[] = {
8992 { 1, "Info Standard"},
8993 { 2, "Info Query EA Size"},
8994 { 3, "Info Query EAs From List"},
8995 { 4, "Info Query All EAs"},
8996 { 6, "Info Is Name Valid"},
8997 { 0x0101, "Query File Basic Info"},
8998 { 0x0102, "Query File Standard Info"},
8999 { 0x0103, "Query File EA Info"},
9000 { 0x0104, "Query File Name Info"},
9001 { 0x0107, "Query File All Info"},
9002 { 0x0108, "Query File Alt Name Info"},
9003 { 0x0109, "Query File Stream Info"},
9004 { 0x010b, "Query File Compression Info"},
9005 { 0x0200, "Query File Unix Basic"},
9006 { 0x0201, "Query File Unix Link"},
9007 { 1004, "Query File Basic Info"},
9008 { 1005, "Query File Standard Info"},
9009 { 1006, "Query File Internal Info"},
9010 { 1007, "Query File EA Info"},
9011 { 1009, "Query File Name Info"},
9012 { 1010, "Query File Rename Info"},
9013 { 1011, "Query File Link Info"},
9014 { 1012, "Query File Names Info"},
9015 { 1013, "Query File Disposition Info"},
9016 { 1014, "Query File Position Info"},
9017 { 1015, "Query File Full EA Info"},
9018 { 1016, "Query File Mode Info"},
9019 { 1017, "Query File Alignment Info"},
9020 { 1018, "Query File All Info"},
9021 { 1019, "Query File Allocation Info"},
9022 { 1020, "Query File End of File Info"},
9023 { 1021, "Query File Alt Name Info"},
9024 { 1022, "Query File Stream Info"},
9025 { 1023, "Query File Pipe Info"},
9026 { 1024, "Query File Pipe Local Info"},
9027 { 1025, "Query File Pipe Remote Info"},
9028 { 1026, "Query File Mailslot Query Info"},
9029 { 1027, "Query File Mailslot Set Info"},
9030 { 1028, "Query File Compression Info"},
9031 { 1029, "Query File ObjectID Info"},
9032 { 1030, "Query File Completion Info"},
9033 { 1031, "Query File Move Cluster Info"},
9034 { 1032, "Query File Quota Info"},
9035 { 1033, "Query File Reparsepoint Info"},
9036 { 1034, "Query File Network Open Info"},
9037 { 1035, "Query File Attribute Tag Info"},
9038 { 1036, "Query File Tracking Info"},
9039 { 1037, "Query File Maximum Info"},
9044 TRANS2_SET_PATH_INFORMATION
9045 TRANS2_SET_FILE_INFORMATION
9046 (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
9047 but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
9048 well; note that they're different from the QUERY_PATH_INFORMATION
9049 and QUERY_FILE_INFORMATION values!)
9051 static const value_string spi_loi_vals[] = {
9052 { 1, "Info Standard"},
9053 { 2, "Info Query EA Size"},
9054 { 4, "Info Query All EAs"},
9055 { 0x0101, "Set File Basic Info"},
9056 { 0x0102, "Set File Disposition Info"},
9057 { 0x0103, "Set File Allocation Info"},
9058 { 0x0104, "Set File End Of File Info"},
9059 { 0x0200, "Set File Unix Basic"},
9060 { 0x0201, "Set File Unix Link"},
9061 { 0x0202, "Set File Unix HardLink"},
9062 { 1004, "Set File Basic Info"},
9063 { 1010, "Set Rename Information"},
9064 { 1013, "Set Disposition Information"},
9065 { 1014, "Set Position Information"},
9066 { 1016, "Set Mode Information"},
9067 { 1019, "Set Allocation Information"},
9068 { 1020, "Set EOF Information"},
9069 { 1023, "Set File Pipe Information"},
9070 { 1025, "Set File Pipe Remote Information"},
9071 { 1029, "Set Copy On Write Information"},
9072 { 1032, "Set OLE Class ID Information"},
9073 { 1039, "Set Inherit Context Index Information"},
9074 { 1040, "Set OLE Information (?)"},
9078 static const value_string qfsi_vals[] = {
9079 { 1, "Info Allocation"},
9080 { 2, "Info Volume"},
9081 { 0x0101, "Query FS Label Info"},
9082 { 0x0102, "Query FS Volume Info"},
9083 { 0x0103, "Query FS Size Info"},
9084 { 0x0104, "Query FS Device Info"},
9085 { 0x0105, "Query FS Attribute Info"},
9086 { 0x0200, "Unix Query FS Info"},
9087 { 0x0301, "Mac Query FS Info"},
9088 { 1001, "Query FS Label Info"},
9089 { 1002, "Query FS Volume Info"},
9090 { 1003, "Query FS Size Info"},
9091 { 1004, "Query FS Device Info"},
9092 { 1005, "Query FS Attribute Info"},
9093 { 1006, "Query FS Quota Info"},
9094 { 1007, "Query Full FS Size Info"},
9095 { 1008, "Object ID Information"},
9099 static const value_string nt_rename_vals[] = {
9100 { 0x0103, "Create Hard Link"},
9105 static const value_string delete_pending_vals[] = {
9106 {0, "Normal, no pending delete"},
9107 {1, "This object has DELETE PENDING"},
9111 static const value_string alignment_vals[] = {
9112 {0, "Byte alignment"},
9113 {1, "Word (16bit) alignment"},
9114 {3, "Long (32bit) alignment"},
9115 {7, "8 byte boundary alignment"},
9116 {0x0f, "16 byte boundary alignment"},
9117 {0x1f, "32 byte boundary alignment"},
9118 {0x3f, "64 byte boundary alignment"},
9119 {0x7f, "128 byte boundary alignment"},
9120 {0xff, "256 byte boundary alignment"},
9121 {0x1ff, "512 byte boundary alignment"},
9125 static const true_false_string tfs_marked_for_deletion = {
9126 "File is MARKED FOR DELETION",
9127 "File is NOT marked for deletion"
/*
 * Display strings for single-bit flag fields. In each pair the first
 * string is the text for "bit set" and the second the text for "bit clear".
 * These are labels only; the flag values themselves are read from the
 * captured packet.
 * NOTE(review): this listing omits some source lines (the line numbers in
 * the left column skip), including the line that closes each initializer.
 */
9130 static const true_false_string tfs_get_dfs_server_hold_storage = {
9131 "Referral SERVER HOLDS STORAGE for the file",
9132 "Referral server does NOT hold storage for the file"
9134 static const true_false_string tfs_get_dfs_fielding = {
9135 "The server in referral is FIELDING CAPABLE",
9136 "The server in referrals is NOT fielding capable"
9139 static const true_false_string tfs_dfs_referral_flags_strip = {
9140 "STRIP off pathconsumed characters before submitting",
9141 "Do NOT strip off any characters"
/*
 * Numeric DFS referral server type -> label.
 * NOTE(review): only the entries for 2 and 3 appear in this listing; any
 * other entries and the table terminator are among the omitted lines.
 */
9144 static const value_string dfs_referral_server_type_vals[] = {
9147 {2, "Netware Server"},
9148 {3, "Domain Server"},
/* Labels for the device-characteristics flag bits. */
9153 static const true_false_string tfs_device_char_removable = {
9154 "This is a REMOVABLE device",
9155 "This is NOT a removable device"
9157 static const true_false_string tfs_device_char_read_only = {
9158 "This is a READ-ONLY device",
9159 "This is NOT a read-only device"
9161 static const true_false_string tfs_device_char_floppy = {
9162 "This is a FLOPPY DISK device",
9163 "This is NOT a floppy disk device"
9165 static const true_false_string tfs_device_char_write_once = {
9166 "This is a WRITE-ONCE device",
9167 "This is NOT a write-once device"
9169 static const true_false_string tfs_device_char_remote = {
9170 "This is a REMOTE device",
9171 "This is NOT a remote device"
9173 static const true_false_string tfs_device_char_mounted = {
9174 "This device is MOUNTED",
9175 "This device is NOT mounted"
9177 static const true_false_string tfs_device_char_virtual = {
9178 "This is a VIRTUAL device",
9179 "This is NOT a virtual device"
/* Labels for the file-system attribute flag bits. */
9183 static const true_false_string tfs_fs_attr_css = {
9184 "This FS supports CASE SENSITIVE SEARCHes",
9185 "This FS does NOT support case sensitive searches"
9187 static const true_false_string tfs_fs_attr_cpn = {
9188 "This FS supports CASE PRESERVED NAMES",
9189 "This FS does NOT support case preserved names"
9191 static const true_false_string tfs_fs_attr_uod = {
9192 "This FS supports UNICODE NAMES",
9193 "This FS does NOT support unicode names"
9195 static const true_false_string tfs_fs_attr_pacls = {
9196 "This FS supports PERSISTENT ACLs",
9197 "This FS does NOT support persistent acls"
9199 static const true_false_string tfs_fs_attr_fc = {
9200 "This FS supports COMPRESSED FILES",
9201 "This FS does NOT support compressed files"
9203 static const true_false_string tfs_fs_attr_vq = {
9204 "This FS supports VOLUME QUOTAS",
9205 "This FS does NOT support volume quotas"
9207 static const true_false_string tfs_fs_attr_srp = {
9208 "This FS supports REPARSE POINTS",
9209 "This FS does NOT support reparse points"
9211 static const true_false_string tfs_fs_attr_srs = {
9212 "This FS supports REMOTE STORAGE",
9213 "This FS does NOT support remote storage"
9215 static const true_false_string tfs_fs_attr_ssf = {
9216 "This FS supports SPARSE FILES",
9217 "This FS does NOT support sparse files"
9219 static const true_false_string tfs_fs_attr_sla = {
9220 "This FS supports LFN APIs",
9221 "This FS does NOT support lfn apis"
9223 static const true_false_string tfs_fs_attr_vic = {
9224 "This FS VOLUME IS COMPRESSED",
9225 "This FS volume is NOT compressed"
9227 static const true_false_string tfs_fs_attr_soids = {
9228 "This FS supports OIDs",
9229 "This FS does NOT support OIDs"
9231 static const true_false_string tfs_fs_attr_se = {
9232 "This FS supports ENCRYPTION",
9233 "This FS does NOT support encryption"
9235 static const true_false_string tfs_fs_attr_ns = {
9236 "This FS supports NAMED STREAMS",
9237 "This FS does NOT support named streams"
9239 static const true_false_string tfs_fs_attr_rov = {
9240 "This is a READ ONLY VOLUME",
9241 "This is a read/write volume"
/* Bit of the Find First2/Next2 flags word that dissect_ff2_flags() tests
   and records in the per-transaction state as resume_keys. */
9244 #define FF2_RESUME 0x0004
/*
 * Dissect the 2-byte little-endian flags word used by the FIND_FIRST2 and
 * FIND_NEXT2 parameter blocks (both call this function).
 *
 * tvb/offset   buffer and position of the flags word
 * pinfo        supplies the smb_info_t through pinfo->private_data
 * parent_tree  tree that receives the "Flags" item and its five bit fields
 *
 * Callers assign the return value to their offset.
 * NOTE(review): the return statement and the declaration of mask are among
 * the source lines this listing omits.
 */
9247 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9250 proto_item *item = NULL;
9251 proto_tree *tree = NULL;
9253 smb_transact2_info_t *t2i;
/* mask comes straight from the capture, so treat it as untrusted input. */
9255 mask = tvb_get_letohs(tvb, offset);
9257 si = (smb_info_t *)pinfo->private_data;
9258 DISSECTOR_ASSERT(si);
/* Only touch the saved state when it really is TRANSACTION2 state. */
9260 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
9261 t2i = si->sip->extra_info;
/* The resume-keys bit is recorded on the first pass over the frame only.
   NOTE(review): t2i is dereferenced on the next line; the listing drops a
   source line just above this test, so confirm a NULL check on t2i sits
   there. */
9263 if (!pinfo->fd->flags.visited)
9264 t2i->resume_keys = (mask & FF2_RESUME);
/* Summary item showing the raw value, with one boolean per flag bit below. */
9269 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9270 "Flags: 0x%04x", mask);
9271 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
9274 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
9275 tvb, offset, 2, mask);
9276 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
9277 tvb, offset, 2, mask);
9278 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
9279 tvb, offset, 2, mask);
9280 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
9281 tvb, offset, 2, mask);
9282 proto_tree_add_boolean(tree, hf_smb_ff2_close,
9283 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte little-endian "IO Flag" word of a
 * TRANS2_SET_FILE_INFORMATION request: one summary item with the raw
 * value, then the write-through and caching bits as boolean fields.
 * The caller assigns the return value to its offset.
 * NOTE(review): the declaration of mask and the return statement are not
 * shown in this listing.
 */
9292 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9295 proto_item *item = NULL;
9296 proto_tree *tree = NULL;
9298 mask = tvb_get_letohs(tvb, offset);
9301 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9302 "IO Flag: 0x%04x", mask);
9303 tree = proto_item_add_subtree(item, ett_smb_ioflag);
9306 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
9307 tvb, offset, 2, mask);
9308 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
9309 tvb, offset, 2, mask);
/*
 * Dissect the parameter block of a TRANSACTION2 request.
 *
 * subcmd selects the layout (the case labels below name the TRANS2_*
 * subcommands); bc is the number of parameter bytes still available.
 * Fixed-size fields are preceded by CHECK_BYTE_COUNT_TRANS(n) and followed
 * by COUNT_BYTES_TRANS(n) or by a helper whose return value becomes the new
 * offset. Strings are fetched with get_unicode_or_ascii_string(), which is
 * handed &offset and &bc.
 *
 * NOTE(review): those macros are defined outside this listing; presumably
 * the CHECK form stops dissection when fewer than n bytes remain and the
 * COUNT form advances offset and reduces bc - confirm.
 * NOTE(review): this listing drops a number of source lines (declarations,
 * braces, "break;" statements, some call arguments), so the text below is
 * not a complete function body.
 */
9318 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
9319 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
9321 proto_item *item = NULL;
9322 proto_tree *tree = NULL;
9324 smb_transact2_info_t *t2i;
9328 si = (smb_info_t *)pinfo->private_data;
9329 DISSECTOR_ASSERT(si);
/* t2i is only taken from the saved request state when that state is of
   the TRANSACTION2 kind. Every later use tests t2i != NULL.
   NOTE(review): the else branch that would leave t2i NULL is not visible
   in this listing - confirm it exists. */
9331 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
9332 t2i = si->sip->extra_info;
/* bc is a length taken from the packet; make sure that many bytes are
   present before it is used as the length of the summary item. */
9337 tvb_ensure_bytes_exist(tvb, offset, bc);
9338 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
9340 val_to_str(subcmd, trans2_cmd_vals,
9341 "Unknown (0x%02x)"));
9342 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
9346 case 0x00: /*TRANS2_OPEN2*/
9348 CHECK_BYTE_COUNT_TRANS(2);
9349 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
9352 /* desired access */
9353 CHECK_BYTE_COUNT_TRANS(2);
9354 offset = dissect_access(tvb, tree, offset, "Desired");
9357 /* Search Attributes */
9358 CHECK_BYTE_COUNT_TRANS(2);
9359 offset = dissect_search_attributes(tvb, tree, offset);
9362 /* File Attributes */
9363 CHECK_BYTE_COUNT_TRANS(2);
9364 offset = dissect_file_attributes(tvb, tree, offset, 2);
9368 CHECK_BYTE_COUNT_TRANS(4);
9369 offset = dissect_smb_datetime(tvb, tree, offset,
9371 hf_smb_create_dos_date, hf_smb_create_dos_time,
9376 CHECK_BYTE_COUNT_TRANS(2);
9377 offset = dissect_open_function(tvb, tree, offset);
9380 /* allocation size */
9381 CHECK_BYTE_COUNT_TRANS(4);
9382 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
9383 COUNT_BYTES_TRANS(4);
9385 /* 10 reserved bytes */
9386 CHECK_BYTE_COUNT_TRANS(10);
9387 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
9388 COUNT_BYTES_TRANS(10);
/* Pattern repeated for every name in this function: the string is taken
   from the packet (Unicode or ASCII according to si->unicode), checked
   with CHECK_STRING_TRANS, added to the tree, and appended to the Info
   column through format_text() with a literal "%s" format, so the
   peer-supplied name is never used as a format string. strlen(fn) is the
   display length, so an embedded NUL shortens what is shown.
   NOTE(review): CHECK_STRING_TRANS is defined elsewhere; presumably it
   stops dissection when fn is NULL - confirm. */
9391 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9392 CHECK_STRING_TRANS(fn);
9393 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9395 COUNT_BYTES_TRANS(fn_len);
9397 if (check_col(pinfo->cinfo, COL_INFO)) {
9398 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9399 format_text(fn, strlen(fn)));
9402 case 0x01: /*TRANS2_FIND_FIRST2*/
9403 /* Search Attributes */
9404 CHECK_BYTE_COUNT_TRANS(2);
9405 offset = dissect_search_attributes(tvb, tree, offset);
9409 CHECK_BYTE_COUNT_TRANS(2);
9410 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9411 COUNT_BYTES_TRANS(2);
9413 /* Find First2 flags */
9414 CHECK_BYTE_COUNT_TRANS(2);
9415 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9418 /* Find First2 information level */
9419 CHECK_BYTE_COUNT_TRANS(2);
/* The information level is kept in si for this pass and, on the first
   pass over the frame only, copied into the saved per-transaction state.
   The same three lines recur in the other cases that carry a level. */
9420 si->info_level = tvb_get_letohs(tvb, offset);
9421 if (t2i != NULL && !pinfo->fd->flags.visited)
9422 t2i->info_level = si->info_level;
9423 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9424 COUNT_BYTES_TRANS(2);
9427 CHECK_BYTE_COUNT_TRANS(4);
9428 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
9429 COUNT_BYTES_TRANS(4);
9431 /* search pattern */
9432 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9433 CHECK_STRING_TRANS(fn);
9434 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
9436 COUNT_BYTES_TRANS(fn_len);
9438 if (check_col(pinfo->cinfo, COL_INFO)) {
9439 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
9440 format_text(fn, strlen(fn)));
9444 case 0x02: /*TRANS2_FIND_NEXT2*/
9446 CHECK_BYTE_COUNT_TRANS(2);
9447 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
9448 COUNT_BYTES_TRANS(2);
9451 CHECK_BYTE_COUNT_TRANS(2);
9452 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9453 COUNT_BYTES_TRANS(2);
9455 /* Find First2 information level */
9456 CHECK_BYTE_COUNT_TRANS(2);
9457 si->info_level = tvb_get_letohs(tvb, offset);
9458 if (t2i != NULL && !pinfo->fd->flags.visited)
9459 t2i->info_level = si->info_level;
9460 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9461 COUNT_BYTES_TRANS(2);
9464 CHECK_BYTE_COUNT_TRANS(4);
9465 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
9466 COUNT_BYTES_TRANS(4);
9468 /* Find First2 flags */
9469 CHECK_BYTE_COUNT_TRANS(2);
9470 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9474 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9475 CHECK_STRING_TRANS(fn);
9476 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9478 COUNT_BYTES_TRANS(fn_len);
9480 if (check_col(pinfo->cinfo, COL_INFO)) {
9481 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
9482 format_text(fn, strlen(fn)));
9486 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
9487 /* level of interest */
9488 CHECK_BYTE_COUNT_TRANS(2);
9489 si->info_level = tvb_get_letohs(tvb, offset);
9490 if (t2i != NULL && !pinfo->fd->flags.visited)
9491 t2i->info_level = si->info_level;
9492 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
9493 COUNT_BYTES_TRANS(2);
9495 if (check_col(pinfo->cinfo, COL_INFO))
9496 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
9497 val_to_str(si->info_level, qfsi_vals,
9498 "Unknown (0x%02x)"));
9501 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
9502 /* level of interest */
9503 CHECK_BYTE_COUNT_TRANS(2);
9504 si->info_level = tvb_get_letohs(tvb, offset);
9505 if (t2i != NULL && !pinfo->fd->flags.visited)
9506 t2i->info_level = si->info_level;
9507 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9508 COUNT_BYTES_TRANS(2);
9510 if (check_col(pinfo->cinfo, COL_INFO)) {
9512 pinfo->cinfo, COL_INFO, ", %s",
9513 val_to_str(si->info_level, qpi_loi_vals,
9517 /* 4 reserved bytes */
9518 CHECK_BYTE_COUNT_TRANS(4);
9519 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9520 COUNT_BYTES_TRANS(4);
9523 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9524 CHECK_STRING_TRANS(fn);
9525 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9527 COUNT_BYTES_TRANS(fn_len);
9529 if (check_col(pinfo->cinfo, COL_INFO)) {
9530 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9531 format_text(fn, strlen(fn)));
9535 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
9536 /* level of interest */
9537 CHECK_BYTE_COUNT_TRANS(2);
9538 si->info_level = tvb_get_letohs(tvb, offset);
9539 if (t2i != NULL && !pinfo->fd->flags.visited)
9540 t2i->info_level = si->info_level;
9541 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
9542 COUNT_BYTES_TRANS(2);
9544 /* 4 reserved bytes */
9545 CHECK_BYTE_COUNT_TRANS(4);
9546 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9547 COUNT_BYTES_TRANS(4);
9550 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9551 CHECK_STRING_TRANS(fn);
9552 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9554 COUNT_BYTES_TRANS(fn_len);
9556 if (check_col(pinfo->cinfo, COL_INFO)) {
9557 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9558 format_text(fn, strlen(fn)));
9562 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
9566 CHECK_BYTE_COUNT_TRANS(2);
9567 fid = tvb_get_letohs(tvb, offset);
9568 add_fid(tvb, pinfo, tree, offset, 2, fid);
9569 COUNT_BYTES_TRANS(2);
9571 /* level of interest */
9572 CHECK_BYTE_COUNT_TRANS(2);
9573 si->info_level = tvb_get_letohs(tvb, offset);
9574 if (t2i != NULL && !pinfo->fd->flags.visited)
9575 t2i->info_level = si->info_level;
9576 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9577 COUNT_BYTES_TRANS(2);
9579 if (check_col(pinfo->cinfo, COL_INFO)) {
9581 pinfo->cinfo, COL_INFO, ", %s",
9582 val_to_str(si->info_level, qpi_loi_vals,
9588 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
9592 CHECK_BYTE_COUNT_TRANS(2);
9593 fid = tvb_get_letohs(tvb, offset);
9594 add_fid(tvb, pinfo, tree, offset, 2, fid);
9595 COUNT_BYTES_TRANS(2);
9597 /* level of interest */
9598 CHECK_BYTE_COUNT_TRANS(2);
9599 si->info_level = tvb_get_letohs(tvb, offset);
9600 if (t2i != NULL && !pinfo->fd->flags.visited)
9601 t2i->info_level = si->info_level;
9602 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
9603 COUNT_BYTES_TRANS(2);
9607 * XXX - "Microsoft Networks SMB File Sharing Protocol
9608 * Extensions Version 3.0, Document Version 1.11,
9609 * July 19, 1990" says this is I/O flags, but it's
9610 * reserved in the SNIA spec, and some clients appear
9611 * to leave junk in it.
9613 * Is this some field used only if a particular
9614 * dialect was negotiated, so that clients can feel
9615 * safe not setting it if they haven't negotiated that
9616 * dialect? Or do the (non-OS/2) clients simply not care
9617 * about that particular OS/2-oriented dialect?
9621 CHECK_BYTE_COUNT_TRANS(2);
9622 offset = dissect_sfi_ioflag(tvb, tree, offset);
9625 /* 2 reserved bytes */
9626 CHECK_BYTE_COUNT_TRANS(2);
9627 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
9628 COUNT_BYTES_TRANS(2);
9633 case 0x09: /*TRANS2_FSCTL*/
9634 /* this call has no parameter block in the request */
9637 * XXX - "Microsoft Networks SMB File Sharing Protocol
9638 * Extensions Version 3.0, Document Version 1.11,
9639 * July 19, 1990" says this this contains a
9640 * "File system specific parameter block". (That means
9641 * we may not be able to dissect it in any case.)
9644 case 0x0a: /*TRANS2_IOCTL2*/
9645 /* this call has no parameter block in the request */
9648 * XXX - "Microsoft Networks SMB File Sharing Protocol
9649 * Extensions Version 3.0, Document Version 1.11,
9650 * July 19, 1990" says this this contains a
9651 * "Device/function specific parameter block". (That
9652 * means we may not be able to dissect it in any case.)
9655 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
9656 /* Search Attributes */
9657 CHECK_BYTE_COUNT_TRANS(2);
9658 offset = dissect_search_attributes(tvb, tree, offset);
9661 /* Number of changes to wait for */
9662 CHECK_BYTE_COUNT_TRANS(2);
9663 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
9664 COUNT_BYTES_TRANS(2);
9666 /* Find Notify information level */
9667 CHECK_BYTE_COUNT_TRANS(2);
9668 si->info_level = tvb_get_letohs(tvb, offset);
9669 if (t2i != NULL && !pinfo->fd->flags.visited)
9670 t2i->info_level = si->info_level;
9671 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
9672 COUNT_BYTES_TRANS(2);
9674 /* 4 reserved bytes */
9675 CHECK_BYTE_COUNT_TRANS(4);
9676 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9677 COUNT_BYTES_TRANS(4);
9680 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9681 CHECK_STRING_TRANS(fn);
9682 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9684 COUNT_BYTES_TRANS(fn_len);
9686 if (check_col(pinfo->cinfo, COL_INFO)) {
9687 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9688 format_text(fn, strlen(fn)));
9693 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
9694 /* Monitor handle */
9695 CHECK_BYTE_COUNT_TRANS(2);
9696 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
9697 COUNT_BYTES_TRANS(2);
9699 /* Number of changes to wait for */
9700 CHECK_BYTE_COUNT_TRANS(2);
9701 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
9702 COUNT_BYTES_TRANS(2);
9706 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
9707 /* 4 reserved bytes */
9708 CHECK_BYTE_COUNT_TRANS(4);
9709 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9710 COUNT_BYTES_TRANS(4);
9713 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
9715 CHECK_STRING_TRANS(fn);
9716 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
9718 COUNT_BYTES_TRANS(fn_len);
9720 if (check_col(pinfo->cinfo, COL_INFO)) {
9721 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
9722 format_text(fn, strlen(fn)));
9725 case 0x0e: /*TRANS2_SESSION_SETUP*/
9726 /* XXX unknown structure*/
9728 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
9729 /* referral level */
9730 CHECK_BYTE_COUNT_TRANS(2);
9731 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
9732 COUNT_BYTES_TRANS(2);
9735 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9736 CHECK_STRING_TRANS(fn);
9737 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9739 COUNT_BYTES_TRANS(fn_len);
9741 if (check_col(pinfo->cinfo, COL_INFO)) {
9742 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9743 format_text(fn, strlen(fn)));
9747 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
9749 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9750 CHECK_STRING_TRANS(fn);
9751 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9753 COUNT_BYTES_TRANS(fn_len);
9755 if (check_col(pinfo->cinfo, COL_INFO)) {
9756 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9757 format_text(fn, strlen(fn)));
9763 /* ooops there were data we didnt know how to process */
9765 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, TRUE);
9773 * XXX - just use "dissect_connect_flags()" here?
/*
 * Dissect a 2-byte little-endian transaction flags word: a "Flags" summary
 * item with the raw value, then two boolean fields (hf_..._owt and
 * hf_..._dtid) decoded from the same mask.
 * NOTE(review): the declaration of mask, the tree guard and the return
 * statement are among the lines this listing omits.
 */
9776 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9779 proto_item *item = NULL;
9780 proto_tree *tree = NULL;
9782 mask = tvb_get_letohs(tvb, offset);
9785 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9786 "Flags: 0x%04x", mask);
9787 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
9790 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
9791 tvb, offset, 2, mask);
9792 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
9793 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte little-endian flags word of a GET_DFS_REFERRAL
 * reply: a "Flags" summary item, then the "server holds storage" and
 * "fielding capable" bits as boolean fields.
 * dissect_get_dfs_referral_data() assigns the return value to its offset.
 * NOTE(review): the declaration of mask and the return statement are not
 * shown in this listing.
 */
9800 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9803 proto_item *item = NULL;
9804 proto_tree *tree = NULL;
9806 mask = tvb_get_letohs(tvb, offset);
9809 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9810 "Flags: 0x%04x", mask);
9811 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
9814 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
9815 tvb, offset, 2, mask);
9816 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
9817 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte little-endian flags word of a single DFS referral:
 * a "Flags" summary item, then the "strip" bit as a boolean field.
 * Both DFS data dissectors assign the return value to their offset.
 * NOTE(review): the declaration of mask and the return statement are not
 * shown in this listing.
 */
9824 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9827 proto_item *item = NULL;
9828 proto_tree *tree = NULL;
9830 mask = tvb_get_letohs(tvb, offset);
9833 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9834 "Flags: 0x%04x", mask);
9835 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
9838 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
9839 tvb, offset, 2, mask);
9847 /* dfs inconsistency data (4.4.2)
/*
 * Dissect the data block of a REPORT_DFS_INCONSISTENCY request: referral
 * version, size, server type and flags (2 bytes each), then the node name.
 *
 * bcp points at the caller's remaining byte count. The *_TRANS_SUBR macros
 * and get_unicode_or_ascii_string() work on it through the pointer.
 * NOTE(review): the macros are defined outside this listing; presumably
 * the CHECK form returns early when *bcp is too small - confirm.
 */
9850 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
9851 proto_tree *tree, int offset, guint16 *bcp)
9853 smb_info_t *si = pinfo->private_data;
9857 DISSECTOR_ASSERT(si);
9859 /*XXX shouldn this data hold version and size? unclear from doc*/
9860 /* referral version */
9861 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9862 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
9863 COUNT_BYTES_TRANS_SUBR(2);
9866 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9867 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
9868 COUNT_BYTES_TRANS_SUBR(2);
9870 /* referral server type */
9871 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9872 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9873 COUNT_BYTES_TRANS_SUBR(2);
9875 /* referral flags */
9876 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9877 offset = dissect_dfs_referral_flags(tvb, tree, offset);
/* Node name: length and content come from the packet; the string helper
   is handed bcp so it can bound itself by the remaining byte count. */
9881 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
9882 CHECK_STRING_TRANS_SUBR(fn);
9883 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9885 COUNT_BYTES_TRANS_SUBR(fn_len);
9890 /* get dfs referral data (4.4.1)
/*
 * Dissect the data block of a GET_DFS_REFERRAL reply: a small header
 * (path consumed, number of referrals, flags, 2 bytes of padding) followed
 * by the referral entries.
 *
 * bcp points at the caller's remaining byte count and is updated as
 * fields are consumed.
 *
 * Every length and offset used below (numref, refsize, pathoffset,
 * altpathoffset, nodeoffset) is read from the packet and must be treated
 * as untrusted. The code bounds them against *bcp before use. See the
 * notes at the individual steps.
 * NOTE(review): this listing drops a number of source lines (declarations,
 * the loop and switch headers, braces), so the text below is not a
 * complete function body.
 */
9893 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
9894 proto_tree *tree, int offset, guint16 *bcp)
9896 smb_info_t *si = pinfo->private_data;
9900 guint16 altpathoffset;
9911 DISSECTOR_ASSERT(si);
9914 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9915 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
9916 COUNT_BYTES_TRANS_SUBR(2);
9919 CHECK_BYTE_COUNT_TRANS_SUBR(2);
/* Referral count as claimed by the sender.
   NOTE(review): the loop that uses numref is not visible here; each
   iteration does start with a CHECK_BYTE_COUNT_TRANS_SUBR, which
   presumably ends the loop once the data runs out - confirm. */
9920 numref = tvb_get_letohs(tvb, offset);
9921 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
9922 COUNT_BYTES_TRANS_SUBR(2);
9925 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9926 offset = dissect_get_dfs_flags(tvb, tree, offset);
9929 /* XXX - in at least one capture there appears to be 2 bytes
9930 of stuff after the Dfs flags, perhaps so that the header
9931 in front of the referral list is a multiple of 4 bytes long. */
9932 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9933 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
9934 COUNT_BYTES_TRANS_SUBR(2);
9936 /* if there are any referrals */
9938 proto_item *ref_item = NULL;
9939 proto_tree *ref_tree = NULL;
9940 int old_offset=offset;
/* *bcp is used as a provisional item length; make sure the bytes exist
   first. The real length is set with proto_item_set_len() at the end. */
9943 tvb_ensure_bytes_exist(tvb, offset, *bcp);
9944 ref_item = proto_tree_add_text(tree,
9945 tvb, offset, *bcp, "Referrals");
9946 ref_tree = proto_item_add_subtree(ref_item,
9947 ett_smb_dfs_referrals);
9952 proto_item *ri = NULL;
9953 proto_tree *rt = NULL;
9954 int old_offset=offset;
9958 tvb_ensure_bytes_exist(tvb, offset, *bcp);
9959 ri = proto_tree_add_text(ref_tree,
9960 tvb, offset, *bcp, "Referral");
9961 rt = proto_item_add_subtree(ri,
9962 ett_smb_dfs_referral);
9965 /* referral version */
9966 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9967 version = tvb_get_letohs(tvb, offset);
9968 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
9969 tvb, offset, 2, version);
9970 COUNT_BYTES_TRANS_SUBR(2);
9973 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9974 refsize = tvb_get_letohs(tvb, offset);
9975 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
9976 COUNT_BYTES_TRANS_SUBR(2);
9978 /* referral server type */
9979 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9980 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9981 COUNT_BYTES_TRANS_SUBR(2);
9983 /* referral flags */
9984 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9985 offset = dissect_dfs_referral_flags(tvb, rt, offset);
9992 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
9993 CHECK_STRING_TRANS_SUBR(fn);
9994 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9996 COUNT_BYTES_TRANS_SUBR(fn_len);
10000 case 3: /* XXX - like version 2, but not identical;
10001 seen in a capture, but the format isn't
10004 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10005 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
10006 COUNT_BYTES_TRANS_SUBR(2);
10009 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10010 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
10011 COUNT_BYTES_TRANS_SUBR(2);
10014 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10015 pathoffset = tvb_get_letohs(tvb, offset);
10016 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
10017 COUNT_BYTES_TRANS_SUBR(2);
10019 /* alt path offset */
10020 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10021 altpathoffset = tvb_get_letohs(tvb, offset);
10022 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
10023 COUNT_BYTES_TRANS_SUBR(2);
10026 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10027 nodeoffset = tvb_get_letohs(tvb, offset);
10028 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
10029 COUNT_BYTES_TRANS_SUBR(2);
/* The three string offsets are relative to the start of this referral
   (old_offset). A string is only followed when it starts strictly after
   the current position (offsetoffset > 0) and inside the remaining data
   (*bcp > offsetoffset); anything else is silently skipped. The same
   guard is applied to the path, alternate path and node strings.
   NOTE(review): *bcp is reduced by offsetoffset before the string helper
   runs; the lines that would save and restore the caller's count are not
   visible in this listing - confirm they exist, otherwise the remaining
   byte count shrinks once per string. */
10032 if (pathoffset != 0) {
10033 stroffset = old_offset + pathoffset;
10034 offsetoffset = stroffset - offset;
10035 if (offsetoffset > 0 &&
10036 *bcp > offsetoffset) {
10038 *bcp -= offsetoffset;
10039 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10040 CHECK_STRING_TRANS_SUBR(fn);
10041 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
10043 stroffset += fn_len;
10044 if (ucstring_end < stroffset)
10045 ucstring_end = stroffset;
10051 if (altpathoffset != 0) {
10052 stroffset = old_offset + altpathoffset;
10053 offsetoffset = stroffset - offset;
10054 if (offsetoffset > 0 &&
10055 *bcp > offsetoffset) {
10057 *bcp -= offsetoffset;
10058 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10059 CHECK_STRING_TRANS_SUBR(fn);
10060 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
10062 stroffset += fn_len;
10063 if (ucstring_end < stroffset)
10064 ucstring_end = stroffset;
10070 if (nodeoffset != 0) {
10071 stroffset = old_offset + nodeoffset;
10072 offsetoffset = stroffset - offset;
10073 if (offsetoffset > 0 &&
10074 *bcp > offsetoffset) {
10076 *bcp -= offsetoffset;
10077 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10078 CHECK_STRING_TRANS_SUBR(fn);
10079 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
10081 stroffset += fn_len;
10082 if (ucstring_end < stroffset)
10083 ucstring_end = stroffset;
10091 * Show anything beyond the length of the referral
/* unklen is derived from refsize, which the sender controls, so it can be
   negative or larger than the data that is left.
   NOTE(review): the lines between this assignment and the check below are
   omitted from the listing (the surviving "length is bogus" remark hints
   at a sign test) - confirm unklen is rejected when negative before it is
   passed to CHECK_BYTE_COUNT_TRANS_SUBR and used as an item length. */
10094 unklen = (old_offset + refsize) - offset;
10097 * XXX - the length is bogus.
10102 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
10103 proto_tree_add_item(rt, hf_smb_unknown, tvb,
10104 offset, unklen, TRUE);
10105 COUNT_BYTES_TRANS_SUBR(unklen);
10108 proto_item_set_len(ri, offset-old_offset);
10112 * Treat the offset past the end of the last Unicode
10113 * string after the referrals (if any) as the last
/* Skip over the string area, but never by more than the bytes that remain:
   ucstring_len is clamped to *bcp before offset and *bcp are adjusted. */
10116 if (ucstring_end > offset) {
10117 ucstring_len = ucstring_end - offset;
10118 if (*bcp < ucstring_len)
10119 ucstring_len = *bcp;
10120 offset += ucstring_len;
10121 *bcp -= ucstring_len;
10123 proto_item_set_len(ref_item, offset-old_offset);
10129 /* This dissects the standard four 8-byte Windows timestamps ...
/*
 * Dissect four consecutive 8-byte timestamps in this order: create,
 * access, last write, change. Each is gated by CHECK_BYTE_COUNT_SUBR(8)
 * and decoded by dissect_nt_64bit_time(), whose return value becomes the
 * new offset.
 *
 * bcp    caller's remaining byte count
 * trunc  truncation flag owned by the caller
 * NOTE(review): the macro is defined outside this listing; presumably it
 * sets *trunc and returns when fewer than 8 bytes remain. The lines that
 * reduce *bcp after each timestamp are not visible here - confirm both.
 */
10132 dissect_smb_standard_8byte_timestamps(tvbuff_t *tvb,
10133 packet_info *pinfo _U_, proto_tree *tree,
10134 int offset, guint16 *bcp, gboolean *trunc)
10137 CHECK_BYTE_COUNT_SUBR(8);
10138 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
10142 CHECK_BYTE_COUNT_SUBR(8);
10143 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
10146 /* last write time */
10147 CHECK_BYTE_COUNT_SUBR(8);
10148 offset = dissect_nt_64bit_time(tvb, tree, offset,
10149 hf_smb_last_write_time);
10152 /* last change time */
10153 CHECK_BYTE_COUNT_SUBR(8);
10154 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
10161 /* this dissects the SMB_INFO_STANDARD
10162 as described in 4.2.16.1
/*
 * SMB_INFO_STANDARD layout: three 4-byte DOS date/time pairs (create,
 * access, last write), 4-byte data size, 4-byte allocation size, 2-byte
 * file attributes and a 4-byte EA list length.
 * Each field is gated by CHECK_BYTE_COUNT_SUBR against *bcp.
 * NOTE(review): some call arguments and the return statement are among
 * the lines this listing omits.
 */
10165 dissect_4_2_16_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10166 int offset, guint16 *bcp, gboolean *trunc)
10169 CHECK_BYTE_COUNT_SUBR(4);
10170 offset = dissect_smb_datetime(tvb, tree, offset,
10171 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
10176 CHECK_BYTE_COUNT_SUBR(4);
10177 offset = dissect_smb_datetime(tvb, tree, offset,
10178 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
10182 /* last write time */
10183 CHECK_BYTE_COUNT_SUBR(4);
10184 offset = dissect_smb_datetime(tvb, tree, offset,
10185 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
10190 CHECK_BYTE_COUNT_SUBR(4);
10191 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10192 COUNT_BYTES_SUBR(4);
10194 /* allocation size */
10195 CHECK_BYTE_COUNT_SUBR(4);
10196 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10197 COUNT_BYTES_SUBR(4);
10199 /* File Attributes */
10200 CHECK_BYTE_COUNT_SUBR(2);
10201 offset = dissect_file_attributes(tvb, tree, offset, 2);
10205 CHECK_BYTE_COUNT_SUBR(4);
10206 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
10207 COUNT_BYTES_SUBR(4);
10213 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
10214 as described in 4.2.16.2
/*
 * Extended-attribute list layout: a 4-byte list length followed by EA
 * records. Each record is 1 byte of flags, a 1-byte name length, a 2-byte
 * data length, the name (name_len + 1 bytes are consumed) and data_len
 * bytes of data.
 *
 * name_len and data_len come from the packet and decide how many bytes
 * are consumed, so they are the security-relevant values here.
 * NOTE(review): the loop header and the declarations are among the lines
 * this listing omits.
 */
10217 dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10218 int offset, guint16 *bcp, gboolean *trunc)
10224 CHECK_BYTE_COUNT_SUBR(4);
10225 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
10226 COUNT_BYTES_SUBR(4);
10230 proto_tree *subtree;
10231 int start_offset = offset;
/* Item starts with length 0; proto_item_set_len() fixes it up at the end
   of the record. */
10234 item = proto_tree_add_text(
10235 tree, tvb, offset, 0, "Extended Attribute");
10236 subtree = proto_item_add_subtree(item, ett_smb_ea);
10240 CHECK_BYTE_COUNT_SUBR(1);
10241 proto_tree_add_item(
10242 subtree, hf_smb_ea_flags, tvb, offset, 1, TRUE);
10243 COUNT_BYTES_SUBR(1);
10245 /* EA name length */
/* NOTE(review): name_len is fetched from the buffer before the
   CHECK_BYTE_COUNT_SUBR(1) that covers it, and data_len below follows the
   same order. The read is presumably still bounded by the tvb accessor,
   but not by *bcp - confirm, and consider doing the check first so a
   short block is reported through *trunc like every other field. */
10247 name_len = tvb_get_guint8(tvb, offset);
10249 CHECK_BYTE_COUNT_SUBR(1);
10250 proto_tree_add_item(
10251 subtree, hf_smb_ea_name_length, tvb, offset, 1, TRUE);
10252 COUNT_BYTES_SUBR(1);
10254 /* EA data length */
10256 data_len = tvb_get_letohs(tvb, offset);
10258 CHECK_BYTE_COUNT_SUBR(2);
10259 proto_tree_add_item(
10260 subtree, hf_smb_ea_data_length, tvb, offset, 2, TRUE);
10261 COUNT_BYTES_SUBR(2);
/* The name is copied out with the wire-supplied name_len before
   CHECK_BYTE_COUNT_SUBR(name_len + 1) runs. It is appended to the item
   through format_text() with a literal ": %s" format. strlen(name) is the
   display length, so an embedded NUL shortens what is shown.
   NOTE(review): the extra byte consumed is presumably the name's
   terminating NUL - confirm against the spec. */
10265 name = tvb_get_ephemeral_string(tvb, offset, name_len);
10266 proto_item_append_text(item, ": %s", format_text(name, strlen(name)));
10268 CHECK_BYTE_COUNT_SUBR(name_len + 1);
10269 proto_tree_add_item(
10270 subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
10272 COUNT_BYTES_SUBR(name_len + 1);
/* data_len is checked against *bcp before it is used as a field length. */
10276 CHECK_BYTE_COUNT_SUBR(data_len);
10277 proto_tree_add_item(
10278 subtree, hf_smb_ea_data, tvb, offset, data_len, TRUE);
10279 COUNT_BYTES_SUBR(data_len);
10281 proto_item_set_len(item, offset - start_offset);
10288 /* this dissects the SMB_INFO_IS_NAME_VALID
10289 as described in 4.2.16.3
/*
 * SMB_INFO_IS_NAME_VALID layout: a single file name, Unicode or ASCII
 * according to si->unicode. The string helper is handed bcp so it can
 * bound itself by the remaining byte count.
 * NOTE(review): CHECK_STRING_SUBR is defined outside this listing;
 * presumably it returns early when fn is NULL - confirm.
 */
10292 dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10293 int offset, guint16 *bcp, gboolean *trunc)
10295 smb_info_t *si = pinfo->private_data;
10299 DISSECTOR_ASSERT(si);
10302 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10303 CHECK_STRING_SUBR(fn);
10304 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10306 COUNT_BYTES_SUBR(fn_len);
10312 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
10313 as described in 4.2.16.4
/*
 * SMB_QUERY_FILE_BASIC_INFO layout: the four standard 8-byte timestamps
 * (delegated to dissect_smb_standard_8byte_timestamps) followed by 4 bytes
 * of file attributes.
 * NOTE(review): the lines after the timestamp call are omitted from this
 * listing; presumably they return early when *trunc was set - confirm.
 * pinfo is marked _U_ in the signature although it is passed on below.
 */
10316 dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10317 int offset, guint16 *bcp, gboolean *trunc)
10320 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
10325 /* File Attributes */
10326 CHECK_BYTE_COUNT_SUBR(4);
10327 offset = dissect_file_attributes(tvb, tree, offset, 4);
10334 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
10335 as described in 4.2.16.5
/*
 * SMB_QUERY_FILE_STANDARD_INFO layout: 8-byte allocation size, 8-byte end
 * of file, 4-byte link count, 1-byte delete-pending flag and 1-byte
 * is-directory flag. Every field is gated by CHECK_BYTE_COUNT_SUBR and
 * accounted for with COUNT_BYTES_SUBR.
 */
10338 dissect_4_2_16_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10339 int offset, guint16 *bcp, gboolean *trunc)
10341 /* allocation size */
10342 CHECK_BYTE_COUNT_SUBR(8);
10343 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10344 COUNT_BYTES_SUBR(8);
10347 CHECK_BYTE_COUNT_SUBR(8);
10348 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10349 COUNT_BYTES_SUBR(8);
10351 /* number of links */
10352 CHECK_BYTE_COUNT_SUBR(4);
10353 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
10354 COUNT_BYTES_SUBR(4);
10356 /* delete pending */
10357 CHECK_BYTE_COUNT_SUBR(1);
10358 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
10359 COUNT_BYTES_SUBR(1);
10362 CHECK_BYTE_COUNT_SUBR(1);
10363 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
10364 COUNT_BYTES_SUBR(1);
10370 /* this dissects the SMB_QUERY_FILE_EA_INFO
10371 as described in 4.2.16.6
/*
 * SMB_QUERY_FILE_EA_INFO layout: a single 4-byte EA list length, gated by
 * CHECK_BYTE_COUNT_SUBR(4) against *bcp.
 */
10374 dissect_4_2_16_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10375 int offset, guint16 *bcp, gboolean *trunc)
10378 CHECK_BYTE_COUNT_SUBR(4);
10379 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
10380 COUNT_BYTES_SUBR(4);
10386 /* this dissects the SMB_QUERY_FILE_NAME_INFO
10387 as described in 4.2.16.7
10388 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
10389 as described in 4.2.16.9
/*
 * SMB_QUERY_FILE_NAME_INFO layout: a 4-byte file name length followed by
 * the file name.
 *
 * The 4-byte length field is only displayed. The name is extracted by
 * get_unicode_or_ascii_string(), which is handed bcp, so the visible code
 * does not trust the wire-supplied length for the copy.
 * NOTE(review): how the string helper bounds the read is not shown in
 * this listing - confirm.
 */
10392 dissect_4_2_16_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10393 int offset, guint16 *bcp, gboolean *trunc)
10395 smb_info_t *si = pinfo->private_data;
10399 DISSECTOR_ASSERT(si);
10401 /* file name len */
10402 CHECK_BYTE_COUNT_SUBR(4);
10403 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
10404 COUNT_BYTES_SUBR(4);
10407 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10408 CHECK_STRING_SUBR(fn);
10409 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10411 COUNT_BYTES_SUBR(fn_len);
10417 /* this dissects the SMB_QUERY_FILE_ALL_INFO
10418 as described in 4.2.16.8
/*
 * SMB_QUERY_FILE_ALL_INFO layout, built from the other level dissectors:
 * basic info (4_2_16_4), standard info (4_2_16_5), an 8-byte index number,
 * EA info (4_2_16_6), access mask, a second 8-byte index number, current
 * offset, create options, a 4-byte alignment field and the name info
 * (4_2_16_7).
 * NOTE(review): the lines after each sub-dissector call are omitted from
 * this listing; presumably they return early when *trunc was set - confirm.
 */
10421 dissect_4_2_16_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10422 int offset, guint16 *bcp, gboolean *trunc)
10425 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp, trunc);
10433 offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp, trunc);
10442 CHECK_BYTE_COUNT_SUBR(8);
10443 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10444 COUNT_BYTES_SUBR(8);
10446 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
10451 CHECK_BYTE_COUNT_SUBR(4);
/* NOTE(review): the helper's return value is assigned to offset and
   COUNT_BYTES_SUBR(4) follows immediately. If the helper already returns
   the advanced offset and the macro advances offset as well, this 4-byte
   field is stepped over twice and every later field in this level is
   decoded 4 bytes too far. Compare the create-options call below, where
   no COUNT_BYTES_SUBR is visible after the helper - confirm against the
   macro definition and dissect_smb_access_mask(). */
10452 offset = dissect_smb_access_mask(tvb, tree, offset);
10453 COUNT_BYTES_SUBR(4);
10456 CHECK_BYTE_COUNT_SUBR(8);
10457 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10458 COUNT_BYTES_SUBR(8);
10460 /* current offset */
10461 CHECK_BYTE_COUNT_SUBR(8);
10462 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
10463 COUNT_BYTES_SUBR(8);
10466 CHECK_BYTE_COUNT_SUBR(4);
10467 offset = dissect_nt_create_options(tvb, tree, offset);
10471 CHECK_BYTE_COUNT_SUBR(4);
10472 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
10473 COUNT_BYTES_SUBR(4);
10475 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp, trunc);
10480 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
10481 as described in 4.2.16.10 */
/*
 * Dissects stream-info entries. Each entry carries a next-entry offset, a
 * stream name length, a stream size, an allocation size and the stream name;
 * the "break" below implies the entries are walked in a loop that stops on
 * the last one.
 * Both the next-entry offset (neo) and the name length (fn_len) are read
 * straight from the packet and must be treated as untrusted.
 * NOTE(review): the *_SUBR / CHECK_STRING_SUBR macros are defined outside
 * this view; presumably they bounds-check against *bcp and report through
 * *trunc - confirm.
 */
10484 dissect_4_2_16_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10485 int offset, guint16 *bcp, gboolean *trunc)
10491 smb_info_t *si = pinfo->private_data;
10496 DISSECTOR_ASSERT(si);
/* remember where this entry starts; used for the item length and padding */
10499 old_offset = offset;
10501 /* next entry offset */
10502 CHECK_BYTE_COUNT_SUBR(4);
/* the subtree item initially spans all remaining bytes (*bcp); it is
   shortened to the real entry length further down */
10504 tvb_ensure_bytes_exist(tvb, offset, *bcp);
10505 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
10506 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10512 neo = tvb_get_letohl(tvb, offset);
10513 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10514 COUNT_BYTES_SUBR(4);
10516 /* stream name len */
10517 CHECK_BYTE_COUNT_SUBR(4);
10518 fn_len = tvb_get_letohl(tvb, offset);
10519 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
10520 COUNT_BYTES_SUBR(4);
/* stream size */
10523 CHECK_BYTE_COUNT_SUBR(8);
10524 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
10525 COUNT_BYTES_SUBR(8);
10527 /* allocation size */
10528 CHECK_BYTE_COUNT_SUBR(8);
10529 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10530 COUNT_BYTES_SUBR(8);
/* stream name: fn_len carries the 32-bit on-wire length into the helper.
   NOTE(review): fn_len's declaration is not visible; if it is a signed int,
   a large wire value becomes negative - confirm the helper rejects lengths
   that are negative or exceed *bcp. */
10533 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10534 CHECK_STRING_SUBR(fn);
10535 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
10537 COUNT_BYTES_SUBR(fn_len);
/* label the entry with its name and trim the item to the bytes consumed */
10539 proto_item_append_text(item, ": %s", format_text(fn, strlen(fn)));
10540 proto_item_set_len(item, offset-old_offset);
10543 break; /* no more structures */
10545 /* skip to next structure */
/* padding = distance from the current position to old_offset + neo.
   NOTE(review): neo is sender-controlled, so this difference can be negative
   or larger than the data left; confirm both cases are handled before the
   byte-count macros run. */
10546 padcnt = (old_offset + neo) - offset;
10549 * XXX - this is bogus; flag it?
10554 CHECK_BYTE_COUNT_SUBR(padcnt);
10555 COUNT_BYTES_SUBR(padcnt);
10563 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
10564 as described in 4.2.16.11 */
/*
 * Dissects the fixed-layout compression info block: 8-byte compressed size,
 * 2-byte format, three 1-byte shift values and 3 reserved bytes (16 bytes).
 * NOTE(review): the *_SUBR macros are defined outside this view; presumably
 * they bounds-check against *bcp and report through *trunc - confirm.
 */
10567 dissect_4_2_16_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10568 int offset, guint16 *bcp, gboolean *trunc)
10570 /* compressed file size */
10571 CHECK_BYTE_COUNT_SUBR(8);
10572 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
10573 COUNT_BYTES_SUBR(8);
10575 /* compression format */
10576 CHECK_BYTE_COUNT_SUBR(2);
10577 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
10578 COUNT_BYTES_SUBR(2);
10580 /* compression unit shift */
10581 CHECK_BYTE_COUNT_SUBR(1);
10582 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
10583 COUNT_BYTES_SUBR(1);
10585 /* compression chunk shift */
10586 CHECK_BYTE_COUNT_SUBR(1);
10587 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
10588 COUNT_BYTES_SUBR(1);
10590 /* compression cluster shift */
10591 CHECK_BYTE_COUNT_SUBR(1);
10592 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
10593 COUNT_BYTES_SUBR(1);
10595 /* 3 reserved bytes */
10596 CHECK_BYTE_COUNT_SUBR(3);
10597 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
10598 COUNT_BYTES_SUBR(3);
10604 /* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
/* Display names for UNIX file type codes; presumably attached to the
   hf_smb_unix_file_type field in the registration code (not in this view). */
10606 static const value_string unix_file_type_vals[] = {
10608 { 1, "Directory" },
10609 { 2, "Symbolic link" },
10610 { 3, "Character device" },
10611 { 4, "Block device" },
/*
 * Dissects the UNIX basic info block: sizes, three 64-bit timestamps,
 * uid/gid, file type, device numbers, unique id, permissions and link count.
 * The same routine is used for the matching "set" level (see
 * dissect_spi_loi_vals).
 * NOTE(review): the *_SUBR macros are defined outside this view; presumably
 * they bounds-check against *bcp and report through *trunc - confirm.
 */
10618 dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10619 int offset, guint16 *bcp, gboolean *trunc)
10621 /* End of file (file size) */
10622 CHECK_BYTE_COUNT_SUBR(8);
10623 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
10624 COUNT_BYTES_SUBR(8);
10626 /* Number of bytes */
10627 CHECK_BYTE_COUNT_SUBR(8);
10628 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
10629 COUNT_BYTES_SUBR(8);
10631 /* Last status change */
10632 CHECK_BYTE_COUNT_SUBR(8);
10633 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
10634 *bcp -= 8; /* dissect_nt_64bit_time() increments offset */
10636 /* Last access time */
10637 CHECK_BYTE_COUNT_SUBR(8);
10638 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
/* NOTE(review): confirm *bcp is reduced by 8 after the call above and after
   the next one, as is done for the first timestamp; otherwise the remaining
   byte count drifts from the offset. */
10641 /* Last modification time */
10642 CHECK_BYTE_COUNT_SUBR(8);
10643 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
10646 /* File owner uid */
10647 CHECK_BYTE_COUNT_SUBR(8);
10648 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
10649 COUNT_BYTES_SUBR(8);
10651 /* File group gid */
10652 CHECK_BYTE_COUNT_SUBR(8);
10653 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
10654 COUNT_BYTES_SUBR(8);
/* File type (4 bytes) */
10657 CHECK_BYTE_COUNT_SUBR(4);
10658 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
10659 COUNT_BYTES_SUBR(4);
10661 /* Major device number */
10662 CHECK_BYTE_COUNT_SUBR(8);
10663 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
10664 COUNT_BYTES_SUBR(8);
10666 /* Minor device number */
10667 CHECK_BYTE_COUNT_SUBR(8);
10668 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
10669 COUNT_BYTES_SUBR(8);
/* Unique id */
10672 CHECK_BYTE_COUNT_SUBR(8);
10673 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
10674 COUNT_BYTES_SUBR(8);
/* Permissions */
10677 CHECK_BYTE_COUNT_SUBR(8);
10678 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
10679 COUNT_BYTES_SUBR(8);
/* Number of links */
10682 CHECK_BYTE_COUNT_SUBR(8);
10683 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
10684 COUNT_BYTES_SUBR(8);
10686 /* Sometimes there is one extra byte in the data field which I
10687 guess could be padding, but we are only using 4 or 8 byte
10688 data types so this is a bit confusing. -tpot */
10694 /* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
/*
 * Dissects the UNIX link block, which holds only the link destination
 * string. dissect_spi_loi_vals also uses it for the "set link" and
 * "set hardlink" levels.
 * pinfo carries the _U_ marker although pinfo->private_data is read below.
 * NOTE(review): CHECK_STRING_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; presumably they report a missing string through *trunc and
 * consume fn_len bytes - confirm.
 */
10697 dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10698 int offset, guint16 *bcp, gboolean *trunc)
10700 smb_info_t *si = pinfo->private_data;
10704 DISSECTOR_ASSERT(si);
10706 /* Link destination */
/* fn_len is handed to the helper by pointer; no assignment to it is visible
   before this call - NOTE(review): confirm what value the helper expects on
   entry, given the flag arguments used here. */
10708 fn = get_unicode_or_ascii_string(
10709 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10711 CHECK_STRING_SUBR(fn);
10712 proto_tree_add_string(
10713 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
10714 COUNT_BYTES_SUBR(fn_len);
10720 /* this dissects the SMB_QUERY_FILE_NETWORK_OPEN_INFO */
/*
 * Dissects the network-open info block: the standard 8-byte timestamps,
 * allocation size, end of file, file attributes and one 4-byte field whose
 * meaning is unknown.
 * NOTE(review): the *_SUBR macros are defined outside this view; presumably
 * they bounds-check against *bcp and report through *trunc - confirm.
 */
10723 dissect_smb_query_file_network_open_info(tvbuff_t *tvb,
10724 packet_info *pinfo, proto_tree *tree,
10725 int offset, guint16 *bcp, gboolean *trunc)
/* timestamps are delegated; the helper gets bcp and trunc as well */
10728 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
10733 /* allocation size */
10734 CHECK_BYTE_COUNT_SUBR(8);
10735 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10736 COUNT_BYTES_SUBR(8);
/* end of file */
10739 CHECK_BYTE_COUNT_SUBR(8);
10740 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10741 COUNT_BYTES_SUBR(8);
10743 /* File Attributes */
/* NOTE(review): offset comes back from dissect_file_attributes(); confirm
   *bcp is reduced by 4 to match. */
10744 CHECK_BYTE_COUNT_SUBR(4);
10745 offset = dissect_file_attributes(tvb, tree, offset, 4);
10748 /* Unknown, possibly count of network accessors ... */
10749 CHECK_BYTE_COUNT_SUBR(4);
10750 proto_tree_add_item(tree, hf_smb_network_unknown, tvb, offset, 4, TRUE);
10751 COUNT_BYTES_SUBR(4);
10757 /* this dissects the SMB_SET_FILE_DISPOSITION_INFO
10758 as described in 4.2.19.2 */
/*
 * Adds the 1-byte "marked for deletion" field to the tree.
 * NOTE(review): the *_SUBR macros are defined outside this view; presumably
 * they bounds-check against *bcp and report through *trunc - confirm.
 */
10761 dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10762 int offset, guint16 *bcp, gboolean *trunc)
10764 /* marked for deletion? */
10765 CHECK_BYTE_COUNT_SUBR(1);
10766 proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, TRUE);
10767 COUNT_BYTES_SUBR(1);
10773 /* this dissects the SMB_SET_FILE_ALLOCATION_INFO
10774 as described in 4.2.19.3 */
/*
 * Adds the 8-byte file allocation size field to the tree.
 * NOTE(review): the *_SUBR macros are defined outside this view; presumably
 * they bounds-check against *bcp and report through *trunc - confirm.
 */
10777 dissect_4_2_19_3(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10778 int offset, guint16 *bcp, gboolean *trunc)
10780 /* file allocation size */
10781 CHECK_BYTE_COUNT_SUBR(8);
10782 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10783 COUNT_BYTES_SUBR(8);
10789 /* this dissects the SMB_SET_FILE_END_OF_FILE_INFO
10790 as described in 4.2.19.4 */
/*
 * Adds the 8-byte end-of-file offset field to the tree.
 * NOTE(review): the *_SUBR macros are defined outside this view; presumably
 * they bounds-check against *bcp and report through *trunc - confirm.
 */
10793 dissect_4_2_19_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10794 int offset, guint16 *bcp, gboolean *trunc)
10796 /* file end of file offset */
10797 CHECK_BYTE_COUNT_SUBR(8);
10798 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10799 COUNT_BYTES_SUBR(8);
10805 /* Set File Rename Info */
/* Display strings for the set/clear states of the rename "replace" flag;
   presumably attached to hf_smb_replace in the registration code (not in
   this view). */
10807 static const true_false_string tfs_smb_replace = {
10808 "Remove target file if it exists",
10809 "Do NOT remove target file if it exists",
/*
 * Dissects the rename info block: 4-byte replace flag, 4-byte root directory
 * handle, 4-byte target name length and the target name itself.
 * pinfo carries the _U_ marker although pinfo->private_data is read below.
 * NOTE(review): the *_SUBR / CHECK_STRING_SUBR macros are defined outside
 * this view; presumably they bounds-check against *bcp and report through
 * *trunc - confirm.
 */
10813 dissect_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10814 int offset, guint16 *bcp, gboolean *trunc)
10816 smb_info_t *si = pinfo->private_data;
10818 guint32 target_name_len;
10821 DISSECTOR_ASSERT(si);
/* Replace flag */
10824 CHECK_BYTE_COUNT_SUBR(4);
10825 proto_tree_add_item(tree, hf_smb_replace, tvb, offset, 4, TRUE);
10826 COUNT_BYTES_SUBR(4);
10828 /* Root directory handle */
10829 CHECK_BYTE_COUNT_SUBR(4);
10830 proto_tree_add_item(tree, hf_smb_root_dir_handle, tvb, offset, 4, TRUE);
10831 COUNT_BYTES_SUBR(4);
10833 /* Target name length */
10834 CHECK_BYTE_COUNT_SUBR(4);
10835 target_name_len = tvb_get_letohl(tvb, offset);
10836 proto_tree_add_uint(tree, hf_smb_target_name_len, tvb, offset, 4, target_name_len);
10837 COUNT_BYTES_SUBR(4);
/* Target name: the sender-controlled 32-bit length is copied into fn_len and
   handed to the string helper together with bcp.
   NOTE(review): fn_len's declaration is not visible; if it is a signed int,
   values above INT_MAX turn negative in this assignment - confirm the helper
   rejects negative lengths and lengths beyond *bcp. */
10840 fn_len = target_name_len;
10841 fn = get_unicode_or_ascii_string(
10842 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10844 CHECK_STRING_SUBR(fn);
10845 proto_tree_add_string(
10846 tree, hf_smb_target_name, tvb, offset, fn_len, fn);
10847 COUNT_BYTES_SUBR(fn_len);
/*
 * Adds the 1-byte disposition flags field (delete on close) to the tree.
 * si is fetched and asserted but not otherwise used in the visible lines;
 * pinfo carries the _U_ marker although pinfo->private_data is read.
 * NOTE(review): the *_SUBR macros are defined outside this view; presumably
 * they bounds-check against *bcp and report through *trunc - confirm.
 */
10854 dissect_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10855 int offset, guint16 *bcp, gboolean *trunc)
10857 smb_info_t *si = pinfo->private_data;
10858 /* const char *fn;*/
10859 /* guint32 target_name_len;*/
10862 DISSECTOR_ASSERT(si);
10864 /* Disposition flags */
10865 CHECK_BYTE_COUNT_SUBR(1);
10866 proto_tree_add_item(tree, hf_smb_disposition_delete_on_close, tvb, offset, 1, TRUE);
10867 COUNT_BYTES_SUBR(1);
10873 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
10874 TRANS2_QUERY_FILE_INFORMATION*/
/*
 * Dispatches on si->info_level to the dissector for the matching query
 * information level. The level comes from the per-packet SMB state, so the
 * layout applied to the data block depends on what was recorded for this
 * transaction.
 * Every helper gets the caller's bcp plus the address of a local truncation
 * flag, and its return value becomes the new offset.
 */
10876 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
10877 int offset, guint16 *bcp)
10886 si = (smb_info_t *)pinfo->private_data;
10887 DISSECTOR_ASSERT(si);
10889 switch(si->info_level){
10890 case 1: /*Info Standard*/
10891 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
10895 case 2: /*Info Query EA Size*/
10896 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
/* levels 3 and 4 share one handler, the same one used for level 2 */
10899 case 3: /*Info Query EAs From List*/
10900 case 4: /*Info Query All EAs*/
10901 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
10904 case 6: /*Info Is Name Valid*/
10905 offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
10908 case 0x0101: /*Query File Basic Info*/
10909 case 1004: /* SMB_FILE_BASIC_INFORMATION */
10910 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
10913 case 0x0102: /*Query File Standard Info*/
10914 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
10915 offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp,
10918 case 0x0103: /*Query File EA Info*/
10919 case 1007: /* SMB_FILE_EA_INFORMATION */
10920 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp,
10923 case 0x0104: /*Query File Name Info*/
10924 case 1009: /* SMB_FILE_NAME_INFORMATION */
10925 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
10928 case 0x0107: /*Query File All Info*/
10929 case 1018: /* SMB_FILE_ALL_INFORMATION */
10930 offset = dissect_4_2_16_8(tvb, pinfo, tree, offset, bcp,
10933 case 0x0108: /*Query File Alt File Info*/
10934 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
10935 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
/* Level 1022 forces the shared unicode flag to TRUE and then falls through
   into the 0x0109 handler. The write goes to the per-packet smb_info_t, so
   it stays in effect after this function returns.
   NOTE(review): confirm later string decoding for the same packet is meant
   to see the forced value. */
10938 case 1022: /* SMB_FILE_STREAM_INFORMATION */
10939 ((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
10940 case 0x0109: /*Query File Stream Info*/
10941 offset = dissect_4_2_16_10(tvb, pinfo, tree, offset, bcp,
10944 case 0x010b: /*Query File Compression Info*/
10945 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
10946 offset = dissect_4_2_16_11(tvb, pinfo, tree, offset, bcp,
10949 case 1034: /* SMB_FILE_NETWORK_OPEN_INFO */
10950 offset = dissect_smb_query_file_network_open_info(tvb, pinfo, tree, offset, bcp, &trunc);
10952 case 0x0200: /* Query File Unix Basic*/
10953 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
10956 case 0x0201: /* Query File Unix Link*/
10957 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
/* not decoded yet */
10960 case 0x0202: /* Query File Unix HardLink*/
10961 /* XXX add this from the SNIA doc */
10968 /*dissect the data block for TRANS2_SET_PATH_INFORMATION and
10969 TRANS2_SET_FILE_INFORMATION*/
/*
 * Dispatches on si->info_level to the dissector for the matching "set"
 * information level. Several levels reuse the query-side dissectors
 * (4.2.16.x), as the case comments state.
 * Every helper gets the caller's bcp plus the address of a local truncation
 * flag, and its return value becomes the new offset.
 */
10971 dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
10972 int offset, guint16 *bcp)
10981 si = (smb_info_t *)pinfo->private_data;
10982 DISSECTOR_ASSERT(si);
10984 switch(si->info_level){
10985 case 1: /*Info Standard*/
10986 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
10989 case 2: /*Info Query EA Size*/
10990 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
10993 case 4: /*Info Query All EAs*/
10994 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
10997 case 0x0101: /*Set File Basic Info*/
10998 case 1004: /* SMB_FILE_BASIC_INFORMATION */
10999 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
11002 case 0x0102: /*Set File Disposition Info*/
11003 offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
11006 case 0x0103: /*Set File Allocation Info*/
11007 offset = dissect_4_2_19_3(tvb, pinfo, tree, offset, bcp,
11010 case 0x0104: /*Set End Of File Info*/
11011 offset = dissect_4_2_19_4(tvb, pinfo, tree, offset, bcp,
11014 case 0x0200: /*Set File Unix Basic. Same as query. */
11015 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
11018 case 0x0201: /*Set File Unix Link. Same as query. */
11019 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11022 case 0x0203: /*Set File Unix HardLink. Same as link query. */
11023 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11026 case 1010: /* Set File Rename */
11027 offset = dissect_rename_info(tvb, pinfo, tree, offset, bcp,
11030 case 1013: /* Set Disposition Information */
11031 offset = dissect_disposition_info(tvb, pinfo, tree, offset, bcp,
11044 /* XXX: TODO, extra levels discovered by tridge */
/* Display strings for the set/clear states of the four quota flag bits shown
   by dissect_quota_flags(); the bit masks themselves live in the field
   registration, which is not in this view. */
11052 static const true_false_string tfs_quota_flags_deny_disk = {
11053 "DENY DISK SPACE for users exceeding quota limit",
11054 "Do NOT deny disk space for users exceeding quota limit"
11056 static const true_false_string tfs_quota_flags_log_limit = {
11057 "LOG EVENT when a user exceeds their QUOTA LIMIT",
11058 "Do NOT log event when a user exceeds their quota limit"
11060 static const true_false_string tfs_quota_flags_log_warning = {
11061 "LOG EVENT when a user exceeds their WARNING LEVEL",
11062 "Do NOT log event when a user exceeds their warning level"
11064 static const true_false_string tfs_quota_flags_enabled = {
11065 "Quotas are ENABLED of this fs",
11066 "Quotas are NOT enabled on this fs"
/*
 * Shows the one-byte quota flags at `offset` as a summary line plus one
 * boolean per flag bit. The byte is read with tvb_get_guint8() directly;
 * the caller (dissect_nt_quota) checks the byte count before calling.
 */
11069 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11072 proto_item *item = NULL;
11073 proto_tree *tree = NULL;
11075 mask = tvb_get_guint8(tvb, offset);
/* the summary reads "Enabled" for any non-zero mask, not just for bit 0x01 */
11078 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
11079 "Quota Flags: 0x%02x %s", mask,
11080 mask?"Enabled":"Disabled");
11081 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
11084 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
11085 tvb, offset, 1, mask);
11086 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
11087 tvb, offset, 1, mask);
11088 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
11089 tvb, offset, 1, mask);
/* When some flag is set but bit 0x01 is clear, a hidden "enabled" boolean
   with value 0x01 is added, so the field is present for filtering even
   though the bit is not set on the wire. */
11091 if(mask && (!(mask&0x01))){
11092 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
11093 tvb, offset, 1, 0x01);
11095 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
11096 tvb, offset, 1, mask);
/*
 * Dissects an NT quota record: 24 unknown bytes, 8-byte soft limit, 8-byte
 * hard limit, 1 byte of quota flags and 7 more unknown bytes (48 bytes).
 * NOTE(review): the *_TRANS_SUBR macros are defined outside this view;
 * presumably they bounds-check against *bcp and consume the bytes. No
 * truncation flag is passed to this function - confirm how a short record
 * is reported to the caller.
 */
11102 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
11104 /* first 24 bytes are unknown */
11105 CHECK_BYTE_COUNT_TRANS_SUBR(24);
11106 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11108 COUNT_BYTES_TRANS_SUBR(24);
11110 /* number of bytes for quota warning */
11111 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11112 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
11113 COUNT_BYTES_TRANS_SUBR(8);
11115 /* number of bytes for quota limit */
11116 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11117 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
11118 COUNT_BYTES_TRANS_SUBR(8);
11120 /* one byte of quota flags */
11121 CHECK_BYTE_COUNT_TRANS_SUBR(1);
11122 dissect_quota_flags(tvb, tree, offset);
11123 COUNT_BYTES_TRANS_SUBR(1);
11125 /* these 7 bytes are unknown */
11126 CHECK_BYTE_COUNT_TRANS_SUBR(7);
11127 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11129 COUNT_BYTES_TRANS_SUBR(7);
/*
 * Dissects the data block of a TRANSACTION2 request. subcmd selects the
 * layout and dc is the data count taken from the request header, passed by
 * value; the sub-dissectors receive &dc so they can consume from this local
 * copy. Most subcommands are not decoded yet; whatever is left over is shown
 * as an unknown blob at the end.
 */
11135 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
11136 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
11138 proto_item *item = NULL;
11139 proto_tree *tree = NULL;
11142 si = (smb_info_t *)pinfo->private_data;
11143 DISSECTOR_ASSERT(si);
/* dc is sender-controlled: make sure that many bytes are really present
   before an item of that length is created */
11146 tvb_ensure_bytes_exist(tvb, offset, dc);
11147 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11149 val_to_str(subcmd, trans2_cmd_vals,
11150 "Unknown (0x%02x)"));
11151 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11155 case 0x00: /*TRANS2_OPEN2*/
11156 /* XXX dont know how to decode FEAList */
11158 case 0x01: /*TRANS2_FIND_FIRST2*/
11159 /* XXX dont know how to decode FEAList */
11161 case 0x02: /*TRANS2_FIND_NEXT2*/
11162 /* XXX dont know how to decode FEAList */
11164 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11165 /* no data field in this request */
11167 case 0x04: /* TRANS2_SET_QUOTA */
11168 offset = dissect_nt_quota(tvb, tree, offset, &dc);
11170 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11171 /* no data field in this request */
11173 * XXX - "Microsoft Networks SMB File Sharing Protocol
11174 * Extensions Version 3.0, Document Version 1.11,
11175 * July 19, 1990" says there may be "Additional
11176 * FileInfoLevel dependent information" here.
11178 * Was that just a cut-and-pasteo?
11179 * TRANS2_SET_PATH_INFORMATION *does* have that information
11183 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11184 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
11186 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11187 /* no data field in this request */
11189 * XXX - "Microsoft Networks SMB File Sharing Protocol
11190 * Extensions Version 3.0, Document Version 1.11,
11191 * July 19, 1990" says there may be "Additional
11192 * FileInfoLevel dependent information" here.
11194 * Was that just a cut-and-pasteo?
11195 * TRANS2_SET_FILE_INFORMATION *does* have that information
11199 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11200 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
11202 case 0x09: /*TRANS2_FSCTL*/
11203 /*XXX dont know how to decode this yet */
11206 * XXX - "Microsoft Networks SMB File Sharing Protocol
11207 * Extensions Version 3.0, Document Version 1.11,
11208 * July 19, 1990" says this this contains a
11209 * "File system specific data block". (That means we
11210 * may not be able to dissect it in any case.)
11213 case 0x0a: /*TRANS2_IOCTL2*/
11214 /*XXX dont know how to decode this yet */
11217 * XXX - "Microsoft Networks SMB File Sharing Protocol
11218 * Extensions Version 3.0, Document Version 1.11,
11219 * July 19, 1990" says this this contains a
11220 * "Device/function specific data block". (That
11221 * means we may not be able to dissect it in any case.)
11224 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11225 /*XXX dont know how to decode this yet */
11228 * XXX - "Microsoft Networks SMB File Sharing Protocol
11229 * Extensions Version 3.0, Document Version 1.11,
11230 * July 19, 1990" says this this contains "additional
11231 * level dependent match data".
11234 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11235 /*XXX dont know how to decode this yet */
11238 * XXX - "Microsoft Networks SMB File Sharing Protocol
11239 * Extensions Version 3.0, Document Version 1.11,
11240 * July 19, 1990" says this this contains "additional
11241 * level dependent monitor information".
11244 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11245 /* XXX optional FEAList, unknown what FEAList looks like*/
11247 case 0x0e: /*TRANS2_SESSION_SETUP*/
11248 /*XXX dont know how to decode this yet */
11250 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11251 /* no data field in this request */
11253 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11254 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
11258 /* ooops there were data we didnt know how to process */
/* NOTE(review): the item length here is the remaining dc; confirm the
   sub-dissectors above keep dc and offset in step so this never points
   past the data block. */
11260 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Fallback display for a transaction nothing else could decode: lists the
 * setup words one by one, then shows the parameter bytes and the data bytes
 * as hex strings. Each of the three tvbuffs may be NULL and is then skipped.
 * Lengths come from tvb_reported_length(), i.e. the length claimed by the
 * packet rather than what was captured.
 */
11269 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
11277 * Show the setup words.
11279 if (s_tvb != NULL) {
11280 length = tvb_reported_length(s_tvb);
/* walk the setup area two bytes at a time; a trailing odd byte is ignored */
11281 for (i = 0, offset = 0; length >= 2;
11282 i++, offset += 2, length -= 2) {
11284 * XXX - add a setup word filterable field?
11286 proto_tree_add_text(tree, s_tvb, offset, 2,
11287 "Setup Word %d: 0x%04x", i,
11288 tvb_get_letohs(s_tvb, offset));
11293 * Show the parameters, if any.
11295 if (p_tvb != NULL) {
11296 length = tvb_reported_length(p_tvb);
11298 proto_tree_add_text(tree, p_tvb, 0, length,
11300 tvb_bytes_to_str(p_tvb, 0, length));
11305 * Show the data, if any.
11307 if (d_tvb != NULL) {
11308 length = tvb_reported_length(d_tvb);
11310 proto_tree_add_text(tree, d_tvb, 0, length,
11311 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
11316 /* This routine handles the following 4 calls
11318 Transaction Secondary 0x26
11320 Transaction2 Secondary 0x33 */
/*
 * Dissects the request side of the Transaction / Transaction2 commands and
 * their "Secondary" continuations.
 *
 * The header supplies parameter count/offset/displacement (pc, po, pd) and
 * data count/offset/displacement (dc, od, dd). All of them are 16-bit values
 * read straight from the packet, so every use of them as an offset or a
 * length below is working with sender-controlled input.
 *
 * For Transaction2 the single setup word is the subcommand, and parameters
 * and data are handed to the transaction2 sub-dissectors. For Transaction
 * the name decides between the pipe and the mailslot dissector, with
 * dissect_trans_data() as the fallback.
 */
11323 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
11330 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
11334 const char *an = NULL;
11336 smb_transact2_info_t *t2i;
11337 smb_transact_info_t *tri;
11340 gboolean dissected_trans;
11342 si = (smb_info_t *)pinfo->private_data;
11343 DISSECTOR_ASSERT(si);
11348 /*secondary client request*/
11350 /* total param count, only a 16bit integer here*/
11351 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11354 /* total data count , only 16bit integer here*/
11355 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
/* param count, offset and displacement for this fragment */
11359 pc = tvb_get_letohs(tvb, offset);
11360 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11364 po = tvb_get_letohs(tvb, offset);
11365 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11369 pd = tvb_get_letohs(tvb, offset);
11370 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
/* data count, offset and displacement for this fragment */
11374 dc = tvb_get_letohs(tvb, offset);
11375 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11379 od = tvb_get_letohs(tvb, offset);
11380 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11384 dd = tvb_get_letohs(tvb, offset);
11385 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
/* a Transaction2 secondary request also carries a FID */
11388 if(si->cmd==SMB_COM_TRANSACTION2){
11392 fid = tvb_get_letohs(tvb, offset);
11393 add_fid(tvb, pinfo, tree, offset, 2, fid);
11398 /* There are no setup words. */
11403 /* it is not a secondary request */
11405 /* total param count , only a 16 bit integer here*/
11406 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11409 /* total data count , only 16bit integer here*/
11410 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11413 /* max param count , only 16bit integer here*/
11414 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11417 /* max data count, only 16bit integer here*/
11418 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11421 /* max setup count, only 16bit integer here*/
11422 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11425 /* reserved byte */
11426 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11429 /* transaction flags */
11430 tf = dissect_transaction_flags(tvb, tree, offset);
/* timeout: 0 and 0xffffffff get fixed labels, anything else is formatted
   as a duration in milliseconds */
11434 to = tvb_get_letohl(tvb, offset);
11436 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
11437 else if (to == 0xffffffff)
11438 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
11440 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
11443 /* 2 reserved bytes */
11444 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11448 pc = tvb_get_letohs(tvb, offset);
11449 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11453 po = tvb_get_letohs(tvb, offset);
11454 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11457 /* param displacement is zero here */
11461 dc = tvb_get_letohs(tvb, offset);
11462 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11466 od = tvb_get_letohs(tvb, offset);
11467 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11470 /* data displacement is zero here */
11474 sc = tvb_get_guint8(tvb, offset);
11475 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11478 /* reserved byte */
11479 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11482 /* this is where the setup bytes, if any start */
11486 /* if there were any setup bytes, decode them */
11490 case SMB_COM_TRANSACTION2:
11491 /* TRANSACTION2 only has one setup word and
11492 that is the subcommand code.
11494 XXX - except for TRANS2_FSCTL
11495 and TRANS2_IOCTL. */
11496 subcmd = tvb_get_letohs(tvb, offset);
11497 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
11498 tvb, offset, 2, subcmd);
11499 if (check_col(pinfo->cinfo, COL_INFO)) {
11500 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
11501 val_to_str(subcmd, trans2_cmd_vals,
11502 "Unknown (0x%02x)"));
/* First pass over this frame only, and only when a request/response record
   (si->sip) exists: remember the subcommand so the matching response can be
   decoded. info_level starts at -1 and resume_keys at FALSE. */
11505 if(!pinfo->fd->flags.visited && si->sip){
11508 * smb_transact2_info_t
11511 t2i = se_alloc(sizeof(smb_transact2_info_t));
11512 t2i->subcmd = subcmd;
11513 t2i->info_level = -1;
11514 t2i->resume_keys = FALSE;
11515 si->sip->extra_info = t2i;
11516 si->sip->extra_info_type = SMB_EI_T2I;
11521 * XXX - process TRANS2_FSCTL and
11522 * TRANS2_IOCTL setup words here.
11526 case SMB_COM_TRANSACTION:
11527 /* TRANSACTION setup words processed below */
11538 /* primary request */
11539 /* name is NULL if transaction2 */
11540 if(si->cmd == SMB_COM_TRANSACTION){
11541 /* Transaction Name */
11542 an = get_unicode_or_ascii_string(tvb, &offset,
11543 si->unicode, &an_len, FALSE, FALSE, &bc);
11546 tvb_ensure_bytes_exist(tvb, offset, an_len);
11547 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
11548 offset, an_len, an);
11549 COUNT_BYTES(an_len);
11554 * The pipe or mailslot arguments for Transaction start with
11555 * the first setup word (or where the first setup word would
11556 * be if there were any setup words), and run to the current
11557 * offset (which could mean that there aren't any).
11560 spc = offset - spo;
11564 /* We have some initial padding bytes.
11566 padcnt = po-offset;
11569 tvb_ensure_bytes_exist(tvb, offset, padcnt);
11570 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11571 COUNT_BYTES(padcnt);
11574 CHECK_BYTE_COUNT(pc);
11577 case SMB_COM_TRANSACTION2:
11578 /* TRANSACTION2 parameters*/
11579 offset = dissect_transaction2_request_parameters(tvb,
11580 pinfo, tree, offset, subcmd, pc);
11584 case SMB_COM_TRANSACTION:
11585 /* TRANSACTION parameters processed below */
11593 /* We have some initial padding bytes.
11595 padcnt = od-offset;
11598 tvb_ensure_bytes_exist(tvb, offset, padcnt);
11599 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11600 COUNT_BYTES(padcnt);
11603 CHECK_BYTE_COUNT(dc);
11606 case SMB_COM_TRANSACTION2:
11607 /* TRANSACTION2 data*/
11608 offset = dissect_transaction2_request_data(tvb, pinfo,
11609 tree, offset, subcmd, dc);
11613 case SMB_COM_TRANSACTION:
11614 /* TRANSACTION data processed below */
11620 /*TRANSACTION request parameters */
11621 if(si->cmd==SMB_COM_TRANSACTION){
11622 /*XXX replace this block with a function and use that one
11623 for both requests/responses*/
11625 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
11626 tvbuff_t *sp_tvb, *pd_tvb;
/* Build sub-buffers for parameters, data and setup words. When the count
   claimed by the header exceeds what is left in the buffer, the captured
   length is clamped to tvb_length_remaining() while the reported length
   keeps the claimed count.
   NOTE(review): po, od and so are used as start offsets here; confirm the
   (not visible) surrounding conditions reject offsets beyond the buffer,
   where tvb_length_remaining() would not return a usable length. */
11629 if(pc>tvb_length_remaining(tvb, po)){
11630 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
11632 p_tvb = tvb_new_subset(tvb, po, pc, pc);
11638 if(dc>tvb_length_remaining(tvb, od)){
11639 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
11641 d_tvb = tvb_new_subset(tvb, od, dc, dc);
11647 if(sl>tvb_length_remaining(tvb, so)){
11648 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
11650 s_tvb = tvb_new_subset(tvb, so, sl, sl);
/* First pass only: allocate the per-transaction record and reset its
   fields before the pipe/mailslot dissectors fill them in */
11657 if(!pinfo->fd->flags.visited && si->sip){
11659 * Allocate a new smb_transact_info_t
11662 tri = se_alloc(sizeof(smb_transact_info_t));
11664 tri->trans_subcmd = -1;
11665 tri->function = -1;
11667 tri->lanman_cmd = 0;
11668 tri->param_descrip = NULL;
11669 tri->data_descrip = NULL;
11670 tri->aux_data_descrip = NULL;
11671 tri->info_level = -1;
11672 si->sip->extra_info = tri;
11673 si->sip->extra_info_type = SMB_EI_TRI;
11676 * We already filled the structure
11677 * in; don't bother doing so again.
11683 * This is a unidirectional message, for
11684 * which there will be no reply; don't
11685 * bother allocating an "smb_transact_info_t"
11686 * structure for it.
11690 dissected_trans = FALSE;
/* Route on the transaction name prefix.
   NOTE(review): an starts out NULL and is assigned only in the primary
   Transaction branch above; confirm it cannot still be NULL when it reaches
   strncmp(), and that tri is non-NULL wherever it is written through. */
11693 if(strncmp("\\PIPE\\", an, 6) == 0){
11695 tri->subcmd=TRANSACTION_PIPE;
11698 * A tvbuff containing the setup words and
11701 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11704 * A tvbuff containing the parameters and the
11707 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
11709 dissected_trans = dissect_pipe_smb(sp_tvb,
11710 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
11713 /* In case we did not see the TreeConnect call,
11714 store this TID here as well as a IPC TID
11715 so we know that future Read/Writes to this
11716 TID is (probably) DCERPC.
11718 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
11719 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
11721 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
11722 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
11724 tri->subcmd=TRANSACTION_MAILSLOT;
11727 * A tvbuff containing the setup words and
11728 * the mailslot path.
11730 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11731 dissected_trans = dissect_mailslot_smb(sp_tvb,
11732 s_tvb, d_tvb, an+10, pinfo, top_tree);
11734 if (!dissected_trans)
11735 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
11737 if(check_col(pinfo->cinfo, COL_INFO)){
11738 col_append_str(pinfo->cinfo, COL_INFO,
11739 "[transact continuation]");
/*
 * Dissect one TRANS2_FIND_FIRST2 response entry in the layout that
 * dissect_ff2_response_data selects for info level 1: a resume key, three
 * DOS date/time pairs, 4-byte data and allocation sizes, 2-byte file
 * attributes, a 1-byte file name length and the file name.
 *
 * parent_tree receives the entry's subtree, offset is where the entry starts
 * in tvb, and *bcp is the caller's count of bytes left in the data block.
 * Every field value is read from the captured packet and is untrusted.
 * The return statement and the handling of trunc are not visible in this
 * listing (presumably inside the CHECK/COUNT macros; confirm).
 */
11752 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11753 int offset, guint16 *bcp, gboolean *trunc)
11757 int old_offset = offset;
11758 proto_item *item = NULL;
11759 proto_tree *tree = NULL;
11761 smb_transact2_info_t *t2i;
11762 gboolean resume_keys = FALSE;
/* Per-packet SMB state; the dissector aborts if it is missing. */
11764 si = (smb_info_t *)pinfo->private_data;
11765 DISSECTOR_ASSERT(si);
/* resume_keys is taken from the SMB_EI_T2I extra info when that is what si->sip carries. */
11767 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
11768 t2i = si->sip->extra_info;
11770 resume_keys = t2i->resume_keys;
/* Require all *bcp bytes to be present before an item of that length is created. */
11774 tvb_ensure_bytes_exist(tvb, offset, *bcp);
11775 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11776 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11777 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11782 CHECK_BYTE_COUNT_SUBR(4);
11783 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11784 COUNT_BYTES_SUBR(4);
11788 CHECK_BYTE_COUNT_SUBR(4);
11789 offset = dissect_smb_datetime(tvb, tree, offset,
11790 hf_smb_create_time,
11791 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11795 CHECK_BYTE_COUNT_SUBR(4);
11796 offset = dissect_smb_datetime(tvb, tree, offset,
11797 hf_smb_access_time,
11798 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11801 /* last write time */
11802 CHECK_BYTE_COUNT_SUBR(4);
11803 offset = dissect_smb_datetime(tvb, tree, offset,
11804 hf_smb_last_write_time,
11805 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11809 CHECK_BYTE_COUNT_SUBR(4);
11810 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11811 COUNT_BYTES_SUBR(4);
11813 /* allocation size */
11814 CHECK_BYTE_COUNT_SUBR(4);
11815 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11816 COUNT_BYTES_SUBR(4);
11818 /* File Attributes */
11819 CHECK_BYTE_COUNT_SUBR(2);
11820 offset = dissect_file_attributes(tvb, tree, offset, 2);
11823 /* file name len */
11824 CHECK_BYTE_COUNT_SUBR(1);
11825 fn_len = tvb_get_guint8(tvb, offset);
11826 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11827 COUNT_BYTES_SUBR(1);
/*
 * The condition choosing between the two adjustments below is not visible in
 * this listing; presumably si->unicode selects the 2-byte terminator.
 * Either way fn_len stays small: it was read from a single byte.
 */
11829 fn_len += 2; /* include terminating '\0' */
11831 fn_len++; /* include terminating '\0' */
11834 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11835 CHECK_STRING_SUBR(fn);
11836 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11838 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() before it reaches the Info column and the item label. */
11840 if (check_col(pinfo->cinfo, COL_INFO)) {
11841 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11842 format_text(fn, strlen(fn)));
11845 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
11846 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one TRANS2_FIND_FIRST2 response entry in the layout that
 * dissect_ff2_response_data selects for info levels 2 and 3: the same fields
 * as the level 1 entry plus a 4-byte EA list length ahead of the 1-byte file
 * name length.
 *
 * parent_tree receives the entry's subtree, offset is where the entry starts
 * in tvb, and *bcp is the caller's count of bytes left in the data block.
 * Every field value is read from the captured packet and is untrusted.
 * The return statement and the handling of trunc are not visible in this
 * listing (presumably inside the CHECK/COUNT macros; confirm).
 */
11853 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11854 int offset, guint16 *bcp, gboolean *trunc)
11858 int old_offset = offset;
11859 proto_item *item = NULL;
11860 proto_tree *tree = NULL;
11862 smb_transact2_info_t *t2i;
11863 gboolean resume_keys = FALSE;
/* Per-packet SMB state; the dissector aborts if it is missing. */
11865 si = (smb_info_t *)pinfo->private_data;
11866 DISSECTOR_ASSERT(si);
/* resume_keys is taken from the SMB_EI_T2I extra info when that is what si->sip carries. */
11868 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
11869 t2i = si->sip->extra_info;
11871 resume_keys = t2i->resume_keys;
/* Require all *bcp bytes to be present before an item of that length is created. */
11875 tvb_ensure_bytes_exist(tvb, offset, *bcp);
11876 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11877 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11878 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11883 CHECK_BYTE_COUNT_SUBR(4);
11884 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11885 COUNT_BYTES_SUBR(4);
11889 CHECK_BYTE_COUNT_SUBR(4);
11890 offset = dissect_smb_datetime(tvb, tree, offset,
11891 hf_smb_create_time,
11892 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11896 CHECK_BYTE_COUNT_SUBR(4);
11897 offset = dissect_smb_datetime(tvb, tree, offset,
11898 hf_smb_access_time,
11899 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11902 /* last write time */
11903 CHECK_BYTE_COUNT_SUBR(4);
11904 offset = dissect_smb_datetime(tvb, tree, offset,
11905 hf_smb_last_write_time,
11906 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11910 CHECK_BYTE_COUNT_SUBR(4);
11911 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11912 COUNT_BYTES_SUBR(4);
11914 /* allocation size */
11915 CHECK_BYTE_COUNT_SUBR(4);
11916 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11917 COUNT_BYTES_SUBR(4);
11919 /* File Attributes */
11920 CHECK_BYTE_COUNT_SUBR(2);
11921 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* EA list length: displayed only, not used to size anything in the visible lines. */
11925 CHECK_BYTE_COUNT_SUBR(4);
11926 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11927 COUNT_BYTES_SUBR(4);
11929 /* file name len */
11930 CHECK_BYTE_COUNT_SUBR(1);
11931 fn_len = tvb_get_guint8(tvb, offset);
11932 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11933 COUNT_BYTES_SUBR(1);
/*
 * The condition choosing between the two adjustments below is not visible in
 * this listing; presumably si->unicode selects the 2-byte terminator.
 * Either way fn_len stays small: it was read from a single byte.
 */
11935 fn_len += 2; /* include terminating '\0' */
11937 fn_len++; /* include terminating '\0' */
11940 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11941 CHECK_STRING_SUBR(fn);
11942 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11944 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() before it reaches the Info column and the item label. */
11946 if (check_col(pinfo->cinfo, COL_INFO)) {
11947 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11948 format_text(fn, strlen(fn)));
11951 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
11952 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one TRANS2_FIND_FIRST2 response entry in the layout that
 * dissect_ff2_response_data selects for info level 0x0101: next entry
 * offset, file index, the standard 8-byte timestamps, 8-byte end-of-file and
 * allocation sizes, extended file attributes, a 4-byte file name length and
 * the file name, followed by padding up to the next entry.
 *
 * parent_tree receives the entry's subtree, offset is where the entry starts
 * in tvb, and *bcp is the caller's count of bytes left in the data block.
 * Every field value is read from the captured packet and is untrusted.
 * The local declarations of neo, padcnt and fn_len, the return statement and
 * the handling of trunc are not visible in this listing.
 */
11959 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11960 int offset, guint16 *bcp, gboolean *trunc)
11964 int old_offset = offset;
11965 proto_item *item = NULL;
11966 proto_tree *tree = NULL;
/* Per-packet SMB state; the dissector aborts if it is missing. */
11971 si = (smb_info_t *)pinfo->private_data;
11972 DISSECTOR_ASSERT(si);
/* Require all *bcp bytes to be present before an item of that length is created. */
11975 tvb_ensure_bytes_exist(tvb, offset, *bcp);
11976 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11977 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11978 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11982 * We assume that the presence of a next entry offset implies the
11983 * absence of a resume key, as appears to be the case for 4.3.4.6.
11986 /* next entry offset */
11987 CHECK_BYTE_COUNT_SUBR(4);
11988 neo = tvb_get_letohl(tvb, offset);
11989 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11990 COUNT_BYTES_SUBR(4);
11993 CHECK_BYTE_COUNT_SUBR(4);
11994 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11995 COUNT_BYTES_SUBR(4);
11997 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
12003 CHECK_BYTE_COUNT_SUBR(8);
12004 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12005 COUNT_BYTES_SUBR(8);
12007 /* allocation size */
12008 CHECK_BYTE_COUNT_SUBR(8);
12009 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12010 COUNT_BYTES_SUBR(8);
12012 /* Extended File Attributes */
12013 CHECK_BYTE_COUNT_SUBR(4);
12014 offset = dissect_file_ext_attr(tvb, tree, offset);
12017 /* file name len */
12018 CHECK_BYTE_COUNT_SUBR(4);
12019 fn_len = tvb_get_letohl(tvb, offset);
12020 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12021 COUNT_BYTES_SUBR(4);
/*
 * NOTE(review): fn_len comes from an untrusted 32-bit field.  If it is a
 * signed int, as declared in dissect_4_3_4_6, a value with the top bit set
 * becomes negative.  Confirm that get_unicode_or_ascii_string bounds it by
 * *bcp before it is used as a length in the two calls after it.
 */
12024 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12025 CHECK_STRING_SUBR(fn);
12026 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12028 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() before it reaches the Info column and the item label. */
12030 if (check_col(pinfo->cinfo, COL_INFO)) {
12031 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12032 format_text(fn, strlen(fn)));
12035 /* skip to next structure */
/*
 * NOTE(review): neo is an untrusted 32-bit value.  The guard between this
 * subtraction and the consume below is not visible in this listing; confirm
 * that a next entry offset pointing before the current offset, or far past
 * the data block, can neither move offset backwards nor wrap the arithmetic.
 */
12037 padcnt = (old_offset + neo) - offset;
12040 * XXX - this is bogus; flag it?
12045 CHECK_BYTE_COUNT_SUBR(padcnt);
12046 COUNT_BYTES_SUBR(padcnt);
12050 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
12051 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one TRANS2_FIND_FIRST2 response entry in the layout that
 * dissect_ff2_response_data selects for info level 0x0102: the same fields
 * as the 0x0101 entry with a 4-byte EA list length between the file name
 * length and the file name.
 *
 * parent_tree receives the entry's subtree, offset is where the entry starts
 * in tvb, and *bcp is the caller's count of bytes left in the data block.
 * Every field value is read from the captured packet and is untrusted.
 * The local declarations of neo, padcnt and fn_len, the return statement and
 * the handling of trunc are not visible in this listing.
 */
12058 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12059 int offset, guint16 *bcp, gboolean *trunc)
12063 int old_offset = offset;
12064 proto_item *item = NULL;
12065 proto_tree *tree = NULL;
/* Per-packet SMB state; the dissector aborts if it is missing. */
12070 si = (smb_info_t *)pinfo->private_data;
12071 DISSECTOR_ASSERT(si);
/* Require all *bcp bytes to be present before an item of that length is created. */
12074 tvb_ensure_bytes_exist(tvb, offset, *bcp);
12075 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12076 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12077 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12081 * We assume that the presence of a next entry offset implies the
12082 * absence of a resume key, as appears to be the case for 4.3.4.6.
12085 /* next entry offset */
12086 CHECK_BYTE_COUNT_SUBR(4);
12087 neo = tvb_get_letohl(tvb, offset);
12088 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12089 COUNT_BYTES_SUBR(4);
12092 CHECK_BYTE_COUNT_SUBR(4);
12093 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12094 COUNT_BYTES_SUBR(4);
12096 /* standard 8-byte timestamps */
12097 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
12103 CHECK_BYTE_COUNT_SUBR(8);
12104 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12105 COUNT_BYTES_SUBR(8);
12107 /* allocation size */
12108 CHECK_BYTE_COUNT_SUBR(8);
12109 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12110 COUNT_BYTES_SUBR(8);
12112 /* Extended File Attributes */
12113 CHECK_BYTE_COUNT_SUBR(4);
12114 offset = dissect_file_ext_attr(tvb, tree, offset);
12117 /* file name len */
12118 CHECK_BYTE_COUNT_SUBR(4);
12119 fn_len = tvb_get_letohl(tvb, offset);
12120 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12121 COUNT_BYTES_SUBR(4);
/* EA list length: displayed only, not used to size anything in the visible lines. */
12124 CHECK_BYTE_COUNT_SUBR(4);
12125 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12126 COUNT_BYTES_SUBR(4);
/*
 * NOTE(review): fn_len comes from an untrusted 32-bit field.  If it is a
 * signed int, as declared in dissect_4_3_4_6, a value with the top bit set
 * becomes negative.  Confirm that get_unicode_or_ascii_string bounds it by
 * *bcp before it is used as a length in the two calls after it.
 */
12129 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12130 CHECK_STRING_SUBR(fn);
12131 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12133 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() before it reaches the Info column and the item label. */
12135 if (check_col(pinfo->cinfo, COL_INFO)) {
12136 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12137 format_text(fn, strlen(fn)));
12140 /* skip to next structure */
/*
 * NOTE(review): neo is an untrusted 32-bit value.  The guard between this
 * subtraction and the consume below is not visible in this listing; confirm
 * that a next entry offset pointing before the current offset, or far past
 * the data block, can neither move offset backwards nor wrap the arithmetic.
 */
12142 padcnt = (old_offset + neo) - offset;
12145 * XXX - this is bogus; flag it?
12150 CHECK_BYTE_COUNT_SUBR(padcnt);
12151 COUNT_BYTES_SUBR(padcnt);
12155 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
12156 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one TRANS2_FIND_FIRST2 response entry in the layout that
 * dissect_ff2_response_data selects for info level 0x0104: next entry
 * offset, file index, the standard 8-byte timestamps, 8-byte end-of-file and
 * allocation sizes, extended file attributes, 4-byte file name length,
 * 4-byte EA list length, 1-byte short file name length, a reserved byte, a
 * short file name in a fixed 24-byte slot, and the file name, followed by
 * padding up to the next entry.
 *
 * parent_tree receives the entry's subtree, offset is where the entry starts
 * in tvb, and *bcp is the caller's count of bytes left in the data block.
 * Every field value is read from the captured packet and is untrusted.
 * The declarations of neo and padcnt, the return statement and the handling
 * of trunc are not visible in this listing.
 */
12163 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12164 int offset, guint16 *bcp, gboolean *trunc)
12166 int fn_len, sfn_len;
12167 const char *fn, *sfn;
12168 int old_offset = offset;
12169 proto_item *item = NULL;
12170 proto_tree *tree = NULL;
/* Per-packet SMB state; the dissector aborts if it is missing. */
12175 si = (smb_info_t *)pinfo->private_data;
12176 DISSECTOR_ASSERT(si);
/* Require all *bcp bytes to be present before an item of that length is created. */
12179 tvb_ensure_bytes_exist(tvb, offset, *bcp);
12180 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12181 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12182 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12186 * XXX - I have not seen any of these that contain a resume
12187 * key, even though some of the requests had the "return resume
12191 /* next entry offset */
12192 CHECK_BYTE_COUNT_SUBR(4);
12193 neo = tvb_get_letohl(tvb, offset);
12194 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12195 COUNT_BYTES_SUBR(4);
12198 CHECK_BYTE_COUNT_SUBR(4);
12199 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12200 COUNT_BYTES_SUBR(4);
12202 /* dissect standard 8-byte timestamps */
12203 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
12209 CHECK_BYTE_COUNT_SUBR(8);
12210 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12211 COUNT_BYTES_SUBR(8);
12213 /* allocation size */
12214 CHECK_BYTE_COUNT_SUBR(8);
12215 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12216 COUNT_BYTES_SUBR(8);
12218 /* Extended File Attributes */
12219 CHECK_BYTE_COUNT_SUBR(4);
12220 offset = dissect_file_ext_attr(tvb, tree, offset);
12223 /* file name len */
12224 CHECK_BYTE_COUNT_SUBR(4);
/*
 * NOTE(review): fn_len is a signed int loaded from an untrusted 32-bit
 * field, so a value with the top bit set becomes negative.  Confirm that
 * get_unicode_or_ascii_string bounds it by *bcp before it is used as a
 * length for the file name further down.
 */
12225 fn_len = tvb_get_letohl(tvb, offset);
12226 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12227 COUNT_BYTES_SUBR(4);
12232 * XXX - in one captures, this has the topmost bit set, and the
12233 * rest of the bits have the value 7. Is the topmost bit being
12234 * set some indication that the value *isn't* the length of
12237 CHECK_BYTE_COUNT_SUBR(4);
12238 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12239 COUNT_BYTES_SUBR(4);
12241 /* short file name len */
12242 CHECK_BYTE_COUNT_SUBR(1);
12243 sfn_len = tvb_get_guint8(tvb, offset);
12244 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
12245 COUNT_BYTES_SUBR(1);
12247 /* reserved byte */
12248 CHECK_BYTE_COUNT_SUBR(1);
12249 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12250 COUNT_BYTES_SUBR(1);
12252 /* short file name - it's not always in Unicode */
/*
 * NOTE(review): the short name is extracted with the packet-supplied sfn_len
 * but a fixed 24 bytes are consumed, and no CHECK_BYTE_COUNT_SUBR(24) is
 * visible before COUNT_BYTES_SUBR(24).  If that macro subtracts from the
 * guint16 *bcp without its own check, an entry with fewer than 24 bytes left
 * would wrap the remaining-byte counter; confirm against the macro
 * definitions, which are outside this listing.
 */
12253 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
12254 CHECK_STRING_SUBR(sfn);
12255 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
12257 COUNT_BYTES_SUBR(24);
12260 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12261 CHECK_STRING_SUBR(fn);
12262 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12264 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() before it reaches the Info column and the item label. */
12266 if (check_col(pinfo->cinfo, COL_INFO)) {
12267 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12268 format_text(fn, strlen(fn)));
12271 /* skip to next structure */
/*
 * NOTE(review): neo is an untrusted 32-bit value.  The guard between this
 * subtraction and the consume below is not visible in this listing; confirm
 * that a next entry offset pointing before the current offset, or far past
 * the data block, can neither move offset backwards nor wrap the arithmetic.
 */
12273 padcnt = (old_offset + neo) - offset;
12276 * XXX - this is bogus; flag it?
12281 CHECK_BYTE_COUNT_SUBR(padcnt);
12282 COUNT_BYTES_SUBR(padcnt);
12286 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
12287 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one TRANS2_FIND_FIRST2 response entry in the layout that
 * dissect_ff2_response_data selects for info level 0x0103: next entry
 * offset, file index, a 4-byte file name length and the file name, followed
 * by padding up to the next entry.
 *
 * parent_tree receives the entry's subtree, offset is where the entry starts
 * in tvb, and *bcp is the caller's count of bytes left in the data block.
 * Every field value is read from the captured packet and is untrusted.
 * The local declarations of neo, padcnt and fn_len, the return statement and
 * the handling of trunc are not visible in this listing.
 */
12294 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12295 int offset, guint16 *bcp, gboolean *trunc)
12299 int old_offset = offset;
12300 proto_item *item = NULL;
12301 proto_tree *tree = NULL;
/* Per-packet SMB state; the dissector aborts if it is missing. */
12306 si = (smb_info_t *)pinfo->private_data;
12307 DISSECTOR_ASSERT(si);
/* Require all *bcp bytes to be present before an item of that length is created. */
12310 tvb_ensure_bytes_exist(tvb, offset, *bcp);
12311 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12312 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12313 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12317 * We assume that the presence of a next entry offset implies the
12318 * absence of a resume key, as appears to be the case for 4.3.4.6.
12321 /* next entry offset */
12322 CHECK_BYTE_COUNT_SUBR(4);
12323 neo = tvb_get_letohl(tvb, offset);
12324 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12325 COUNT_BYTES_SUBR(4);
12328 CHECK_BYTE_COUNT_SUBR(4);
12329 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12330 COUNT_BYTES_SUBR(4);
12332 /* file name len */
12333 CHECK_BYTE_COUNT_SUBR(4);
12334 fn_len = tvb_get_letohl(tvb, offset);
12335 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12336 COUNT_BYTES_SUBR(4);
/*
 * NOTE(review): fn_len comes from an untrusted 32-bit field.  If it is a
 * signed int, as declared in dissect_4_3_4_6, a value with the top bit set
 * becomes negative.  Confirm that get_unicode_or_ascii_string bounds it by
 * *bcp before it is used as a length in the two calls after it.
 */
12339 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12340 CHECK_STRING_SUBR(fn);
12341 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12343 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() before it reaches the Info column and the item label. */
12345 if (check_col(pinfo->cinfo, COL_INFO)) {
12346 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12347 format_text(fn, strlen(fn)));
12350 /* skip to next structure */
/*
 * NOTE(review): neo is an untrusted 32-bit value.  The guard between this
 * subtraction and the consume below is not visible in this listing; confirm
 * that a next entry offset pointing before the current offset, or far past
 * the data block, can neither move offset backwards nor wrap the arithmetic.
 */
12352 padcnt = (old_offset + neo) - offset;
12355 * XXX - this is bogus; flag it?
12360 CHECK_BYTE_COUNT_SUBR(padcnt);
12361 COUNT_BYTES_SUBR(padcnt);
12365 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
12366 proto_item_set_len(item, offset-old_offset);
12372 /* 4.3.4.8 - SMB_FIND_FILE_UNIX */
/*
 * Dissect one TRANS2_FIND_FIRST2 response entry in the layout that
 * dissect_ff2_response_data selects for info level 0x0202: next entry
 * offset, resume key, 8-byte size and byte-count fields, three 64-bit
 * timestamps, 8-byte uid and gid, a 4-byte file type, further 8-byte fields
 * (device major and minor, unique id, permissions, link count) and a name
 * string, then padding to a 4-byte boundary.
 *
 * Items are added directly to tree; no per-entry subtree is created in the
 * visible lines.  *bcp is the caller's count of bytes left in the data
 * block, and every field value is untrusted packet data.
 * tvb and pinfo carry the _U_ (unused) marker although both are used below.
 * The rest of the parameter list, the local declarations and the return
 * statement are not visible in this listing.
 */
12375 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
12376 proto_tree *tree, int offset, guint16 *bcp,
12379 smb_info_t *si = pinfo->private_data;
12383 DISSECTOR_ASSERT(si);
12385 /* NextEntryOffset */
12386 CHECK_BYTE_COUNT_SUBR(4);
12387 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, TRUE);
12388 COUNT_BYTES_SUBR(4);
12391 CHECK_BYTE_COUNT_SUBR(4);
12392 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, TRUE);
12393 COUNT_BYTES_SUBR(4);
12395 /* End of file (file size) */
12396 CHECK_BYTE_COUNT_SUBR(8);
12397 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
12398 COUNT_BYTES_SUBR(8);
12400 /* Number of bytes */
12401 CHECK_BYTE_COUNT_SUBR(8);
12402 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
12403 COUNT_BYTES_SUBR(8);
12405 /* Last status change */
12406 CHECK_BYTE_COUNT_SUBR(8);
12407 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
12410 /* Last access time */
12411 CHECK_BYTE_COUNT_SUBR(8);
12412 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
12415 /* Last modification time */
12416 CHECK_BYTE_COUNT_SUBR(8);
12417 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
12420 /* File owner uid */
12421 CHECK_BYTE_COUNT_SUBR(8);
12422 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
12423 COUNT_BYTES_SUBR(8);
12425 /* File group gid */
12426 CHECK_BYTE_COUNT_SUBR(8);
12427 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
12428 COUNT_BYTES_SUBR(8);
12431 CHECK_BYTE_COUNT_SUBR(4);
12432 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
12433 COUNT_BYTES_SUBR(4);
12435 /* Major device number */
12436 CHECK_BYTE_COUNT_SUBR(8);
12437 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
12438 COUNT_BYTES_SUBR(8);
12440 /* Minor device number */
12441 CHECK_BYTE_COUNT_SUBR(8);
12442 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
12443 COUNT_BYTES_SUBR(8);
12446 CHECK_BYTE_COUNT_SUBR(8);
12447 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
12448 COUNT_BYTES_SUBR(8);
12451 CHECK_BYTE_COUNT_SUBR(8);
12452 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
12453 COUNT_BYTES_SUBR(8);
12456 CHECK_BYTE_COUNT_SUBR(8);
12457 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
12458 COUNT_BYTES_SUBR(8);
/*
 * The sixth argument is FALSE here, where the other FIND_FIRST2 entry
 * dissectors pass TRUE; presumably fn_len is then an output of the call
 * rather than an exact input length (confirm against the helper).
 * The string is stored under hf_smb_unix_file_link_dest.
 */
12462 fn = get_unicode_or_ascii_string(
12463 tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
12465 CHECK_STRING_SUBR(fn);
12466 proto_tree_add_string(
12467 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
12468 COUNT_BYTES_SUBR(fn_len);
12470 /* Pad to 4 bytes */
/*
 * NOTE(review): the padding advances offset, but no matching adjustment of
 * *bcp is visible in this listing; confirm the remaining-byte count stays in
 * step with offset, and that an offset already on a 4-byte boundary is not
 * advanced by a further 4 (the guard, if any, is not shown).
 */
12473 offset += 4 - (offset % 4);
12479 /*dissect the data block for TRANS2_FIND_FIRST2*/
/*
 * Dispatch one TRANS2_FIND_FIRST2 response entry to the dissector for the
 * info level recorded in si->info_level.  Levels 2 and 3 share
 * dissect_4_3_4_2; each handler's result is stored back into offset.
 * The info level decides how untrusted entry bytes are interpreted, so a
 * level that does not match the data only yields a mis-parse bounded by
 * *bcp, provided the handlers honour that count.
 * The body of the default case and the return statement are not visible in
 * this listing.
 */
12481 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
12482 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
/* Per-packet SMB state; the dissector aborts if it is missing. */
12490 si = (smb_info_t *)pinfo->private_data;
12491 DISSECTOR_ASSERT(si);
12493 switch(si->info_level){
12494 case 1: /*Info Standard*/
12495 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
12498 case 2: /*Info Query EA Size*/
12499 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12502 case 3: /*Info Query EAs From List same as
12504 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12507 case 0x0101: /*Find File Directory Info*/
12508 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
12511 case 0x0102: /*Find File Full Directory Info*/
12512 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
12515 case 0x0103: /*Find File Names Info*/
12516 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
12519 case 0x0104: /*Find File Both Directory Info*/
12520 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
12523 case 0x0202: /*Find File UNIX*/
12524 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
12527 default: /* unknown info level */
12535 /* is this one just wrong and should be dissect_fs0105_attributes above ? */
/*
 * Show the 32-bit little-endian FS attributes word at offset as a text item
 * with one boolean sub-item per flag.
 *
 * The whole word is passed to every proto_tree_add_boolean call; presumably
 * each hf_smb_fs_attr_* field selects its own bit through its registered
 * bitmask (the registrations are not visible in this listing).
 * No byte-count check is made here: the caller is expected to have checked
 * that 4 bytes remain, and tvb_get_letohl is itself a bounds-checked tvbuff
 * accessor.  The return statement is not visible in this listing.
 */
12537 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12540 proto_item *item = NULL;
12541 proto_tree *tree = NULL;
12543 mask = tvb_get_letohl(tvb, offset);
12546 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12547 "FS Attributes: 0x%08x", mask);
12548 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
12551 /* case sensitive search */
12552 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
12553 tvb, offset, 4, mask);
12554 /* case preserved names */
12555 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
12556 tvb, offset, 4, mask);
12557 /* unicode on disk */
12558 proto_tree_add_boolean(tree, hf_smb_fs_attr_uod,
12559 tvb, offset, 4, mask);
12560 /* persistent acls */
12561 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
12562 tvb, offset, 4, mask);
12563 /* file compression */
12564 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
12565 tvb, offset, 4, mask);
12566 /* volume quotas */
12567 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
12568 tvb, offset, 4, mask);
12570 proto_tree_add_boolean(tree, hf_smb_fs_attr_ssf,
12571 tvb, offset, 4, mask);
12572 /* reparse points */
12573 proto_tree_add_boolean(tree, hf_smb_fs_attr_srp,
12574 tvb, offset, 4, mask);
12575 /* remote storage */
12576 proto_tree_add_boolean(tree, hf_smb_fs_attr_srs,
12577 tvb, offset, 4, mask);
12579 proto_tree_add_boolean(tree, hf_smb_fs_attr_sla,
12580 tvb, offset, 4, mask);
12581 /* volume is compressed */
12582 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
12583 tvb, offset, 4, mask);
12585 proto_tree_add_boolean(tree, hf_smb_fs_attr_soids,
12586 tvb, offset, 4, mask);
12588 proto_tree_add_boolean(tree, hf_smb_fs_attr_se,
12589 tvb, offset, 4, mask);
12590 /* named streams */
12591 proto_tree_add_boolean(tree, hf_smb_fs_attr_ns,
12592 tvb, offset, 4, mask);
12593 /* read only volume */
12594 proto_tree_add_boolean(tree, hf_smb_fs_attr_rov,
12595 tvb, offset, 4, mask);
/*
 * Show the 32-bit little-endian device characteristics word at offset as a
 * text item with one boolean sub-item per flag (removable, read only,
 * floppy, write once, remote, mounted, virtual).
 *
 * The whole word is passed to every proto_tree_add_boolean call; presumably
 * each hf_smb_device_char_* field selects its own bit through its registered
 * bitmask (the registrations are not visible in this listing).
 * No byte-count check is made here: the caller is expected to have checked
 * that 4 bytes remain, and tvb_get_letohl is itself a bounds-checked tvbuff
 * accessor.  The return statement is not visible in this listing.
 */
12604 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12607 proto_item *item = NULL;
12608 proto_tree *tree = NULL;
12610 mask = tvb_get_letohl(tvb, offset);
12613 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12614 "Device Characteristics: 0x%08x", mask);
12615 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
12618 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
12619 tvb, offset, 4, mask);
12620 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
12621 tvb, offset, 4, mask);
12622 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
12623 tvb, offset, 4, mask);
12624 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
12625 tvb, offset, 4, mask);
12626 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
12627 tvb, offset, 4, mask);
12628 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
12629 tvb, offset, 4, mask);
12630 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
12631 tvb, offset, 4, mask);
12637 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
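/*
 * Display strings for the Macintosh support flag bits.  In a
 * true_false_string the first string is shown when the bit is set and the
 * second when it is clear.  Presumably these tables are attached to the
 * hf_smb_mac_sup_* boolean fields; the field registrations are not visible
 * in this listing.
 */
static const true_false_string tfs_smb_mac_access_ctrl = {
	"Macintosh Access Control Supported",
	"Macintosh Access Control Not Supported"
};

static const true_false_string tfs_smb_mac_getset_comments = {
	"Macintosh Get & Set Comments Supported",
	"Macintosh Get & Set Comments Not Supported"
};

/*
 * The bit-clear string must read "Not Supported": with two identical strings
 * the flag's state cannot be told apart in the protocol tree.
 */
static const true_false_string tfs_smb_mac_desktopdb_calls = {
	"Macintosh Get & Set Desktop Database Info Supported",
	"Macintosh Get & Set Desktop Database Info Not Supported"
};

static const true_false_string tfs_smb_mac_unique_ids = {
	"Macintosh Unique IDs Supported",
	"Macintosh Unique IDs Not Supported"
};

/*
 * NOTE(review): here the bit-set string reads "Not Supported", the reverse
 * of the tables above.  Left unchanged; confirm against the definition of
 * the flag bit that a set bit really signals missing support.
 */
static const true_false_string tfs_smb_mac_streams = {
	"Macintosh and Streams Extensions Not Supported",
	"Macintosh and Streams Extensions Supported"
};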
12665 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12666 int offset, guint16 *bcp)
12669 int fn_len, vll, fnl;
12672 proto_item *item = NULL;
12673 proto_tree *ti = NULL;
12679 si = (smb_info_t *)pinfo->private_data;
12680 DISSECTOR_ASSERT(si);
12682 switch(si->info_level){
12683 case 1: /* SMB_INFO_ALLOCATION */
12684 /* filesystem id */
12685 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12686 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
12687 COUNT_BYTES_TRANS_SUBR(4);
12689 /* sectors per unit */
12690 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12691 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12692 COUNT_BYTES_TRANS_SUBR(4);
12695 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12696 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
12697 COUNT_BYTES_TRANS_SUBR(4);
12700 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12701 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
12702 COUNT_BYTES_TRANS_SUBR(4);
12704 /* bytes per sector, only 16bit integer here */
12705 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12706 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12707 COUNT_BYTES_TRANS_SUBR(2);
12710 case 2: /* SMB_INFO_VOLUME */
12711 /* volume serial number */
12712 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12713 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12714 COUNT_BYTES_TRANS_SUBR(4);
12716 /* volume label length, only one byte here */
12717 CHECK_BYTE_COUNT_TRANS_SUBR(1);
12718 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
12719 COUNT_BYTES_TRANS_SUBR(1);
12722 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
12723 CHECK_STRING_TRANS_SUBR(fn);
12724 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12726 COUNT_BYTES_TRANS_SUBR(fn_len);
12729 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
12730 case 1002: /* SMB_FS_LABEL_INFORMATION */
12731 /* volume label length */
12732 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12733 vll = tvb_get_letohl(tvb, offset);
12734 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12735 COUNT_BYTES_TRANS_SUBR(4);
12739 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12740 CHECK_STRING_TRANS_SUBR(fn);
12741 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12743 COUNT_BYTES_TRANS_SUBR(fn_len);
12746 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
12747 case 1001: /* SMB_FS_VOLUME_INFORMATION */
12749 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12750 offset = dissect_nt_64bit_time(tvb, tree, offset,
12751 hf_smb_create_time);
12754 /* volume serial number */
12755 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12756 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12757 COUNT_BYTES_TRANS_SUBR(4);
12759 /* volume label length */
12760 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12761 vll = tvb_get_letohl(tvb, offset);
12762 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12763 COUNT_BYTES_TRANS_SUBR(4);
12765 /* 2 reserved bytes */
12766 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12767 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12768 COUNT_BYTES_TRANS_SUBR(2);
12772 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12773 CHECK_STRING_TRANS_SUBR(fn);
12774 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12776 COUNT_BYTES_TRANS_SUBR(fn_len);
12779 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
12780 case 1003: /* SMB_FS_SIZE_INFORMATION */
12781 /* allocation size */
12782 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12783 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12784 COUNT_BYTES_TRANS_SUBR(8);
12786 /* free allocation units */
12787 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12788 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
12789 COUNT_BYTES_TRANS_SUBR(8);
12791 /* sectors per unit */
12792 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12793 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12794 COUNT_BYTES_TRANS_SUBR(4);
12796 /* bytes per sector */
12797 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12798 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12799 COUNT_BYTES_TRANS_SUBR(4);
12802 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
12803 case 1004: /* SMB_FS_DEVICE_INFORMATION */
12805 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12806 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
12807 COUNT_BYTES_TRANS_SUBR(4);
12809 /* device characteristics */
12810 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12811 offset = dissect_device_characteristics(tvb, tree, offset);
12815 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
12816 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
12817 /* FS attributes */
12818 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12819 offset = dissect_fs_attributes(tvb, tree, offset);
12823 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12824 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
12825 COUNT_BYTES_TRANS_SUBR(4);
12827 /* fs name length */
12828 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12829 fnl = tvb_get_letohl(tvb, offset);
12830 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
12831 COUNT_BYTES_TRANS_SUBR(4);
12835 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12836 CHECK_STRING_TRANS_SUBR(fn);
12837 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
12839 COUNT_BYTES_TRANS_SUBR(fn_len);
12842 case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
12843 proto_item *item = NULL;
12844 proto_tree *subtree = NULL;
12845 guint32 caps_lo, caps_hi;
12847 /* MajorVersionNumber */
12848 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12849 proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, TRUE);
12850 COUNT_BYTES_TRANS_SUBR(2);
12852 /* MinorVersionNumber */
12853 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12854 proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, TRUE);
12855 COUNT_BYTES_TRANS_SUBR(2);
12859 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12861 caps_lo = tvb_get_letohl(tvb, offset);
12862 caps_hi = tvb_get_letohl(tvb, offset + 4);
12865 item = proto_tree_add_text(
12866 tree, tvb, offset, 8, "Capabilities: 0x%08x%08x",
12868 subtree = proto_item_add_subtree(
12869 item, ett_smb_unix_capabilities);
12872 proto_tree_add_boolean(
12873 subtree, hf_smb_unix_capability_fcntl, tvb, offset, 8,
12876 proto_tree_add_boolean(
12877 subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 8,
12880 COUNT_BYTES_TRANS_SUBR(8);
12884 case 0x301: /* MAC_QUERY_FS_INFO */
12886 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12887 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
12890 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12891 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_modify_time);
12894 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12895 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_backup_time);
12897 /* Allocation blocks */
12898 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12899 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
12902 COUNT_BYTES_TRANS_SUBR(4);
12903 /* Allocation Block Size */
12904 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12905 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
12907 COUNT_BYTES_TRANS_SUBR(4);
12908 /* Free Block Count */
12909 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12910 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
12912 COUNT_BYTES_TRANS_SUBR(4);
12913 /* Finder Info ... */
12914 CHECK_BYTE_COUNT_TRANS_SUBR(32);
12915 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
12917 tvb_get_ptr(tvb, offset,32),
12919 tvb_format_text(tvb, offset, 32));
12920 COUNT_BYTES_TRANS_SUBR(32);
12922 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12923 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
12925 COUNT_BYTES_TRANS_SUBR(4);
12926 /* Number of Root Directories */
12927 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12928 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
12930 COUNT_BYTES_TRANS_SUBR(4);
12931 /* Number of files */
12932 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12933 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
12935 COUNT_BYTES_TRANS_SUBR(4);
12937 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12938 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
12940 COUNT_BYTES_TRANS_SUBR(4);
12941 /* Mac Support Flags */
12942 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12943 support = tvb_get_ntohl(tvb, offset);
12944 item = proto_tree_add_text(tree, tvb, offset, 4,
12945 "Mac Support Flags: 0x%08x", support);
12946 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
12947 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
12948 tvb, offset, 4, support);
12949 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
12950 tvb, offset, 4, support);
12951 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
12952 tvb, offset, 4, support);
12953 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
12954 tvb, offset, 4, support);
12955 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
12956 tvb, offset, 4, support);
12957 COUNT_BYTES_TRANS_SUBR(4);
12959 case 1006: /* QUERY_FS_QUOTA_INFO */
12960 offset = dissect_nt_quota(tvb, tree, offset, bcp);
12962 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
12963 /* allocation size */
12964 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12965 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12966 COUNT_BYTES_TRANS_SUBR(8);
12968 /* caller free allocation units */
12969 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12970 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
12971 COUNT_BYTES_TRANS_SUBR(8);
12973 /* actual free allocation units */
12974 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12975 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
12976 COUNT_BYTES_TRANS_SUBR(8);
12978 /* sectors per unit */
12979 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12980 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12981 COUNT_BYTES_TRANS_SUBR(4);
12983 /* bytes per sector */
12984 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12985 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12986 COUNT_BYTES_TRANS_SUBR(4);
12988 case 1008: /* Query Object ID is GUID plus unknown data */ {
12990 char uuid_str[DCERPC_UUID_STR_LEN];
12991 guint8 drep = 0x10;
12993 CHECK_BYTE_COUNT_TRANS_SUBR(16);
12995 dcerpc_tvb_get_uuid (tvb, offset, &drep, &fs_id);
12998 uuid_str, DCERPC_UUID_STR_LEN,
12999 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
13000 fs_id.Data1, fs_id.Data2, fs_id.Data3,
13001 fs_id.Data4[0], fs_id.Data4[1],
13002 fs_id.Data4[2], fs_id.Data4[3],
13003 fs_id.Data4[4], fs_id.Data4[5],
13004 fs_id.Data4[6], fs_id.Data4[7]);
13006 proto_tree_add_string_format(
13007 tree, hf_smb_fs_guid, tvb,
13008 offset, 16, uuid_str, "GUID: %s", uuid_str);
13010 COUNT_BYTES_TRANS_SUBR(16);
/*
 * Dissect the data block of a TRANSACTION2 response.
 *
 * tvb holds only the data block; its length (dc) is taken from
 * tvb_reported_length(), i.e. the length claimed on the wire rather than
 * the number of bytes actually captured.  The subcommand is not carried in
 * the response: it comes from the per-request state (t2i) saved when the
 * matching request was dissected, and is only available when
 * si->sip->extra_info_type is SMB_EI_T2I.
 *
 * The switch on t2i->subcmd hands the block to the per-subcommand
 * dissector, passing dc by pointer (&dc), presumably so the callee can
 * account for the bytes it consumed.  Whatever is left is added to the tree
 * as hf_smb_unknown.
 *
 * NOTE(review): this listing omits lines (declarations, braces, breaks,
 * returns).  The switch dereferences t2i, so confirm that the full source
 * returns before it when no matching request was seen (t2i == NULL).
 * NOTE(review): for FIND_FIRST2/FIND_NEXT2 the entry count is
 * si->info_count, which dissect_transaction2_response_parameters() reads
 * from the response packet itself.  It is therefore sender-controlled;
 * confirm the per-entry loop is bounded by the remaining byte count and
 * not by this value alone.
 */
13019 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
13020 proto_tree *parent_tree)
13022 proto_item *item = NULL;
13023 proto_tree *tree = NULL;
13025 smb_transact2_info_t *t2i;
      /* length as reported on the wire; may exceed the captured bytes */
13031 dc = tvb_reported_length(tvb);
13033 si = (smb_info_t *)pinfo->private_data;
13034 DISSECTOR_ASSERT(si);
      /* request-side state is only usable if it was stored as T2I info */
13036 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
13037 t2i = si->sip->extra_info;
13042 if (t2i != NULL && t2i->subcmd != -1) {
13043 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
13045 val_to_str(t2i->subcmd, trans2_cmd_vals,
13046 "Unknown (0x%02x)"));
13047 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
13049 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
13050 "Unknown Transaction2 Data");
      /* dispatch on the subcommand remembered from the request */
13058 switch(t2i->subcmd){
13059 case 0x00: /*TRANS2_OPEN2*/
13060 /* XXX not implemented yet. See SNIA doc */
13062 case 0x01: /*TRANS2_FIND_FIRST2*/
13063 /* returned data */
13064 count = si->info_count;
13069 if (count && check_col(pinfo->cinfo, COL_INFO)) {
13070 col_append_fstr(pinfo->cinfo, COL_INFO,
13075 offset = dissect_ff2_response_data(tvb, pinfo, tree,
13076 offset, &dc, &trunc);
13081 case 0x02: /*TRANS2_FIND_NEXT2*/
13082 /* returned data */
13083 count = si->info_count;
13088 if (count && check_col(pinfo->cinfo, COL_INFO)) {
13089 col_append_fstr(pinfo->cinfo, COL_INFO,
13094 offset = dissect_ff2_response_data(tvb, pinfo, tree,
13095 offset, &dc, &trunc);
13100 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13101 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
13103 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13104 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
13106 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13107 /* no data in this response */
13109 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13110 /* identical to QUERY_PATH_INFO */
13111 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
13113 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13114 /* no data in this response */
13116 case 0x09: /*TRANS2_FSCTL*/
13117 /* XXX dont know how to dissect this one (yet)*/
13120 * XXX - "Microsoft Networks SMB File Sharing Protocol
13121 * Extensions Version 3.0, Document Version 1.11,
13122 * July 19, 1990" says this this contains a
13123 * "File system specific return data block".
13124 * (That means we may not be able to dissect it in any
13128 case 0x0a: /*TRANS2_IOCTL2*/
13129 /* XXX dont know how to dissect this one (yet)*/
13132 * XXX - "Microsoft Networks SMB File Sharing Protocol
13133 * Extensions Version 3.0, Document Version 1.11,
13134 * July 19, 1990" says this this contains a
13135 * "Device/function specific return data block".
13136 * (That means we may not be able to dissect it in any
13140 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13141 /* XXX dont know how to dissect this one (yet)*/
13144 * XXX - "Microsoft Networks SMB File Sharing Protocol
13145 * Extensions Version 3.0, Document Version 1.11,
13146 * July 19, 1990" says this this contains "the level
13147 * dependent information about the changes which
13151 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13152 /* XXX dont know how to dissect this one (yet)*/
13155 * XXX - "Microsoft Networks SMB File Sharing Protocol
13156 * Extensions Version 3.0, Document Version 1.11,
13157 * July 19, 1990" says this this contains "the level
13158 * dependent information about the changes which
13162 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13163 /* no data in this response */
13165 case 0x0e: /*TRANS2_SESSION_SETUP*/
13166 /* XXX dont know how to dissect this one (yet)*/
13168 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13169 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
13171 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13172 /* the SNIA spec appears to say the response has no data */
13176 * We don't know what the matching request was; don't
13177 * bother putting anything else into the tree for the data.
13184 /* ooops there were data we didnt know how to process */
13186 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Dissect the parameter block of a TRANSACTION2 response.
 *
 * tvb holds only the parameter block; pc is its length as reported on the
 * wire (tvb_reported_length()).  As with the data block, the subcommand is
 * taken from the state saved for the matching request (t2i), available
 * only when si->sip->extra_info_type is SMB_EI_T2I.
 *
 * Each case adds the fixed-width fields of that subcommand.  The 16-bit
 * counts read here for FIND_FIRST2, FIND_NEXT2 and FIND_NOTIFY_FIRST/NEXT
 * are stored in si->info_count; the FIND_FIRST2/FIND_NEXT2 data dissection
 * reads that value back as its entry count.  The information level shown
 * for the FIND_* cases comes from si->info_level, not from this packet
 * (the items are added with offset 0, length 0).
 *
 * Bytes not consumed by a case are added as hf_smb_unknown with length
 * pc-offset.
 *
 * NOTE(review): this listing omits lines (offset increments, braces,
 * breaks, guards).  Confirm in the full source that (a) the function
 * returns before the switch when t2i is NULL, and (b) the trailing
 * hf_smb_unknown item is only added when offset < pc, so pc-offset cannot
 * be negative.
 * NOTE(review): si->info_count, lno and the EA error offset are
 * sender-controlled 16-bit values; nothing visible here validates them
 * against the size of the data block.
 */
13195 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
13197 proto_item *item = NULL;
13198 proto_tree *tree = NULL;
13200 smb_transact2_info_t *t2i;
      /* length as reported on the wire; may exceed the captured bytes */
13206 pc = tvb_reported_length(tvb);
13208 si = (smb_info_t *)pinfo->private_data;
13209 DISSECTOR_ASSERT(si);
      /* request-side state is only usable if it was stored as T2I info */
13211 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
13212 t2i = si->sip->extra_info;
13217 if (t2i != NULL && t2i->subcmd != -1) {
13218 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13220 val_to_str(t2i->subcmd, trans2_cmd_vals,
13221 "Unknown (0x%02x)"));
13222 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
13224 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13225 "Unknown Transaction2 Parameters");
      /* dispatch on the subcommand remembered from the request */
13233 switch(t2i->subcmd){
13234 case 0x00: /*TRANS2_OPEN2*/
13236 fid = tvb_get_letohs(tvb, offset);
13237 add_fid(tvb, pinfo, tree, offset, 2, fid);
13241 * XXX - Microsoft Networks SMB File Sharing Protocol
13242 * Extensions Version 3.0, Document Version 1.11,
13243 * July 19, 1990 says that the file attributes, create
13244 * time (which it says is the last modification time),
13245 * data size, granted access, file type, and IPC state
13246 * are returned only if bit 0 is set in the open flags,
13247 * and that the EA length is returned only if bit 3
13248 * is set in the open flags. Does that mean that,
13249 * at least in that SMB dialect, those fields are not
13250 * present in the reply parameters if the bits in
13251 * question aren't set?
13254 /* File Attributes */
13255 offset = dissect_file_attributes(tvb, tree, offset, 2);
13258 offset = dissect_smb_datetime(tvb, tree, offset,
13259 hf_smb_create_time,
13260 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
13263 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13266 /* granted access */
13267 offset = dissect_access(tvb, tree, offset, "Granted");
13270 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
13274 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
13277 offset = dissect_open_action(tvb, tree, offset);
13279 /* server unique file ID */
13280 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
13283 /* ea error offset, only a 16 bit integer here */
13284 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13288 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13292 case 0x01: /*TRANS2_FIND_FIRST2*/
13293 /* Find First2 information level */
13294 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
13297 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
13301 si->info_count = tvb_get_letohs(tvb, offset);
13302 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13305 /* end of search */
13306 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13309 /* ea error offset, only a 16 bit integer here */
13310 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13313 /* last name offset */
13314 lno = tvb_get_letohs(tvb, offset);
13315 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13319 case 0x02: /*TRANS2_FIND_NEXT2*/
13321 si->info_count = tvb_get_letohs(tvb, offset);
13322 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13325 /* end of search */
13326 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13329 /* ea_error_offset, only a 16 bit integer here*/
13330 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13333 /* last name offset */
13334 lno = tvb_get_letohs(tvb, offset);
13335 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13339 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13340 /* no parameter block here */
13342 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13343 /* ea_error_offset, only a 16 bit integer here*/
13344 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13348 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13349 /* ea_error_offset, only a 16 bit integer here*/
13350 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13354 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13355 /* ea_error_offset, only a 16 bit integer here*/
13356 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13360 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13361 /* ea_error_offset, only a 16 bit integer here*/
13362 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13366 case 0x09: /*TRANS2_FSCTL*/
13367 /* XXX dont know how to dissect this one (yet)*/
13370 * XXX - "Microsoft Networks SMB File Sharing Protocol
13371 * Extensions Version 3.0, Document Version 1.11,
13372 * July 19, 1990" says this this contains a
13373 * "File system specific return parameter block".
13374 * (That means we may not be able to dissect it in any
13378 case 0x0a: /*TRANS2_IOCTL2*/
13379 /* XXX dont know how to dissect this one (yet)*/
13382 * XXX - "Microsoft Networks SMB File Sharing Protocol
13383 * Extensions Version 3.0, Document Version 1.11,
13384 * July 19, 1990" says this this contains a
13385 * "Device/function specific return parameter block".
13386 * (That means we may not be able to dissect it in any
13390 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13391 /* Find Notify information level */
13392 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13394 /* Monitor handle */
13395 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13399 si->info_count = tvb_get_letohs(tvb, offset);
13400 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13403 /* ea_error_offset, only a 16 bit integer here*/
13404 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13408 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13409 /* Find Notify information level */
13410 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13413 si->info_count = tvb_get_letohs(tvb, offset);
13414 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13417 /* ea_error_offset, only a 16 bit integer here*/
13418 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13422 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13423 /* ea error offset, only a 16 bit integer here */
13424 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13428 case 0x0e: /*TRANS2_SESSION_SETUP*/
13429 /* XXX dont know how to dissect this one (yet)*/
13431 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13432 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13434 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13435 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13439 * We don't know what the matching request was; don't
13440 * bother putting anything else into the tree for the data.
13446 /* ooops there were data we didnt know how to process */
13448 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
13449 offset += pc-offset;
/*
 * Dissect a TRANSACTION / TRANSACTION2 response (SMB commands 0x25 and
 * 0x32 in the smb_dissector table).
 *
 * Flow, as far as this listing shows it:
 *  1. For TRANSACTION2, recover the subcommand from the state saved for
 *     the matching request (t2i) and show it; if the request was not seen
 *     or carried no subcommand, show "<UNKNOWN>" instead.
 *  2. Read the 16-bit header fields straight from the packet: total
 *     parameter/data counts (tp, td), this packet's parameter count,
 *     offset and displacement (pc, po, pd), its data count, offset and
 *     displacement (dc, od, dd), and the 8-bit setup count (sc).
 *  3. Wrap the setup words in s_tvb.  When 2*sc exceeds the captured bytes
 *     the captured length is clamped while the reported length stays 2*sc.
 *  4. If td != dc or tp != pc the transaction spans several packets:
 *     pinfo->fragmented is set and, when smb_trans_reassembly is enabled,
 *     the parameter and data pieces are fed to smb_trans_defragment().
 *     A piece is only submitted when tvb_length_remaining() at its offset
 *     is at least its count.
 *  5. With a reassembled buffer (r_fd), p_tvb is its first tp bytes and
 *     d_tvb the td bytes after that.  Without one, the blocks are dissected
 *     only for the first packet (pd == 0 and dd == 0), using
 *     MIN(count, bytes remaining) for both captured and reported length.
 *  6. Padding before the parameter and data blocks (po-offset, od-offset)
 *     is added to the tree, then the blocks go to the TRANSACTION2
 *     parameter/data dissectors, or for TRANSACTION to dissect_pipe_smb()
 *     / dissect_mailslot_smb(), falling back to dissect_trans_data().
 *  7. pinfo->fragmented is restored to the value saved on entry.
 *
 * Every count, offset and displacement above is sender-controlled.  No raw
 * pointer arithmetic on packet bytes is visible here: the buffers are
 * reached through tvb_* calls, which bounds-check, so a malformed header is
 * expected to end in a dissector exception rather than an out-of-range
 * read.
 *
 * NOTE(review): pinfo is marked _U_ in the signature but is used
 * throughout the body.
 * NOTE(review): this listing omits lines, including the guards around the
 * two padcnt computations.  Confirm in the full source that padding is
 * only added when po (resp. od) is greater than offset and that padcnt is
 * clamped to the remaining byte count, as the surviving comment text
 * suggests.
 * NOTE(review): t2i->info_level and tri->subcmd are dereferenced; the NULL
 * checks that should precede them are not visible here - confirm.
 * NOTE(review): tp and td size the subsets of the reassembled buffer;
 * confirm smb_trans_defragment() only returns a buffer once td+tp bytes
 * have been collected, so those subsets cannot exceed r_fd->datalen.
 * NOTE(review): if tvb_length_remaining() can return a negative value for
 * an out-of-range po/od, MIN() yields that negative value and it is passed
 * on to tvb_new_subset() as a length - verify how that call treats it.
 */
13455 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
      /* header fields of this response; all filled from the packet below */
13458 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
13460 smb_transact2_info_t *t2i = NULL;
13463 gboolean dissected_trans;
13464 fragment_data *r_fd = NULL;
13465 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
13466 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
13467 gboolean save_fragmented;
13469 si = (smb_info_t *)pinfo->private_data;
13470 DISSECTOR_ASSERT(si);
13473 case SMB_COM_TRANSACTION2:
13475 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
13476 t2i = si->sip->extra_info;
13481 * We didn't see the matching request, so we don't
13482 * know what type of transaction this is.
13484 proto_tree_add_text(tree, tvb, 0, 0,
13485 "Subcommand: <UNKNOWN> since request packet wasn't seen");
13486 if (check_col(pinfo->cinfo, COL_INFO)) {
13487 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13490 si->info_level = t2i->info_level;
13491 if (t2i->subcmd == -1) {
13493 * We didn't manage to extract the subcommand
13494 * from the matching request (perhaps because
13495 * the frame was short), so we don't know what
13496 * type of transaction this is.
13498 proto_tree_add_text(tree, tvb, 0, 0,
13499 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
13500 if (check_col(pinfo->cinfo, COL_INFO)) {
13501 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13504 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
13505 if (check_col(pinfo->cinfo, COL_INFO)) {
13506 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
13507 val_to_str(t2i->subcmd,
13509 "<unknown (0x%02x)>"));
13518 /* total param count, only a 16bit integer here */
13519 tp = tvb_get_letohs(tvb, offset);
13520 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
13523 /* total data count, only a 16 bit integer here */
13524 td = tvb_get_letohs(tvb, offset);
13525 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
13528 /* 2 reserved bytes */
13529 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
13533 pc = tvb_get_letohs(tvb, offset);
13534 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
13538 po = tvb_get_letohs(tvb, offset);
13539 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
13543 pd = tvb_get_letohs(tvb, offset);
13544 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
13548 dc = tvb_get_letohs(tvb, offset);
13549 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
13553 od = tvb_get_letohs(tvb, offset);
13554 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
13558 dd = tvb_get_letohs(tvb, offset);
13559 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
13563 sc = tvb_get_guint8(tvb, offset);
13564 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
13567 /* reserved byte */
13568 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13572 /* if there were any setup bytes, put them in a tvb for later */
13574 if((2*sc)>tvb_length_remaining(tvb, offset)){
13575 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
13577 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
13579 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
13590 /* reassembly of SMB Transaction data payload.
13591 In this section we do reassembly of both the data and parameters
13592 blocks of the SMB transaction command.
13594 save_fragmented = pinfo->fragmented;
13595 /* do we need reassembly? */
13596 if( (td!=dc) || (tp!=pc) ){
13597 /* oh yeah, either data or parameter section needs
13600 pinfo->fragmented = TRUE;
13601 if(smb_trans_reassembly){
13602 /* ...and we were told to do reassembly */
13603 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
13604 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13605 po, pc, pd, td+tp);
13608 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
13609 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13610 od, dc, dd+tp, td+tp);
13615 /* if we got a reassembled fd structure from the reassembly routine we must
13616 create pd_tvb from it
13619 proto_item *frag_tree_item;
13621 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
13623 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
13624 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
13625 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
13630 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
13632 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
13635 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
13638 /* It was not reassembled. Do as best as we can.
13639 * in this case we always try to dissect the stuff if
13640 * data and param displacement is 0. i.e. for the first
13641 * (and maybe only) packet.
13643 if( (pd==0) && (dd==0) ){
13646 min = MIN(pc,tvb_length_remaining(tvb,po));
13647 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
13648 if(min && reported_min) {
13649 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
13651 min = MIN(dc,tvb_length_remaining(tvb,od));
13652 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
13653 if(min && reported_min) {
13654 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
13657 * A tvbuff containing the parameters
13659 * XXX - check pc and dc as well?
13661 if (tvb_length_remaining(tvb, po)){
13662 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
13671 /* We have some padding bytes.
13673 padcnt = po-offset;
13676 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13677 COUNT_BYTES(padcnt);
13679 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
13680 /* TRANSACTION2 parameters*/
13681 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
13688 /* We have some initial padding bytes.
13690 padcnt = od-offset;
13693 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13694 COUNT_BYTES(padcnt);
13697 * If the data count is bigger than the count of bytes
13698 * remaining, clamp it so that the count of bytes remaining
13699 * doesn't go negative.
13707 /* from now on, everything is in separate tvbuffs so we dont count
13708 the bytes with COUNT_BYTES any more.
13709 neither do we reference offset any more (which by now points to the
13710 first byte AFTER this PDU */
13713 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
13714 /* TRANSACTION2 parameters*/
13715 dissect_transaction2_response_data(d_tvb, pinfo, tree);
13719 if(si->cmd==SMB_COM_TRANSACTION){
13720 smb_transact_info_t *tri;
13722 dissected_trans = FALSE;
13723 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_TRI)
13724 tri = si->sip->extra_info;
13728 switch(tri->subcmd){
13730 case TRANSACTION_PIPE:
13731 /* This function is safe to call for
13732 s_tvb==sp_tvb==NULL, i.e. if we don't
13733 know them at this point.
13734 It's also safe to call if "p_tvb"
13735 or "d_tvb" are null.
13738 dissected_trans = dissect_pipe_smb(
13739 sp_tvb, s_tvb, pd_tvb, p_tvb,
13740 d_tvb, NULL, pinfo, top_tree);
13744 case TRANSACTION_MAILSLOT:
13745 /* This one should be safe to call
13746 even if s_tvb and sp_tvb is NULL
13749 dissected_trans = dissect_mailslot_smb(
13750 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
13756 if (!dissected_trans) {
13757 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
13758 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
13763 if( (p_tvb==0) && (d_tvb==0) ){
13764 if(check_col(pinfo->cinfo, COL_INFO)){
13765 col_append_str(pinfo->cinfo, COL_INFO,
13766 "[transact continuation]");
13770 pinfo->fragmented = save_fragmented;
/*
 * Dissect a Find Notify Close request (command 0x35 in the smb_dissector
 * table): adds the 2-byte monitor handle at offset to the tree.
 *
 * NOTE(review): this listing omits the rest of the body (word-count and
 * byte-count handling, offset advance, return); only the monitor-handle
 * item is visible.
 */
13778 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13785 /* Monitor handle */
13786 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13796 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13797 END Transaction/Transaction2 Primary and secondary requests
13798 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Fallback handler for SMB commands that have no dedicated dissector (the
 * entries set to dissect_unknown in the smb_dissector table).
 *
 * The word parameters (wc*2 bytes) and the byte parameters (bc bytes) are
 * added to the tree as opaque text items without being interpreted.
 * tvb_ensure_bytes_exist() runs before each item, so a count that claims
 * more bytes than the buffer holds raises a dissector exception instead of
 * producing an item that extends past the data.
 *
 * NOTE(review): wc and bc are presumably read from the packet by lines
 * this listing omits; verify against the full source.
 */
13802 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13810 tvb_ensure_bytes_exist(tvb, offset, wc*2);
13811 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
13818 tvb_ensure_bytes_exist(tvb, offset, bc);
13819 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
/*
 * Handler pair for one SMB command code: one function for the request and
 * one for the response.  Both have the same signature and take the packet
 * buffer, packet info, the tree to add items to, the current offset and
 * the top-level SMB tree.  The smb_dissector table that follows holds one
 * such pair per command byte (256 entries).
 *
 * NOTE(review): the int return value is presumably the offset after the
 * dissected bytes - confirm against the callers.
 */
13829 typedef struct _smb_function {
13830 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13831 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13834 static smb_function smb_dissector[256] = {
13835 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
13836 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
13837 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
13838 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
13839 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
13840 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
13841 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
13842 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
13843 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
13844 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
13845 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
13846 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
13847 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
13848 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
13849 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
13850 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
13852 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
13853 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
13854 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
13855 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
13856 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
13857 /* 0x15 */ {dissect_unknown, dissect_unknown},
13858 /* 0x16 */ {dissect_unknown, dissect_unknown},
13859 /* 0x17 */ {dissect_unknown, dissect_unknown},
13860 /* 0x18 */ {dissect_unknown, dissect_unknown},
13861 /* 0x19 */ {dissect_unknown, dissect_unknown},
13862 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
13863 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
13864 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
13865 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
13866 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
13867 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
13869 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
13870 /* 0x21 */ {dissect_unknown, dissect_unknown},
13871 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
13872 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
13873 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
13874 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
13875 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13876 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
13877 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
13878 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
13879 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
13880 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
13881 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
13882 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
13883 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
13884 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
13886 /* 0x30 */ {dissect_unknown, dissect_unknown},
13887 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
13888 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
13889 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13890 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
13891 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
13892 /* 0x36 */ {dissect_unknown, dissect_unknown},
13893 /* 0x37 */ {dissect_unknown, dissect_unknown},
13894 /* 0x38 */ {dissect_unknown, dissect_unknown},
13895 /* 0x39 */ {dissect_unknown, dissect_unknown},
13896 /* 0x3a */ {dissect_unknown, dissect_unknown},
13897 /* 0x3b */ {dissect_unknown, dissect_unknown},
13898 /* 0x3c */ {dissect_unknown, dissect_unknown},
13899 /* 0x3d */ {dissect_unknown, dissect_unknown},
13900 /* 0x3e */ {dissect_unknown, dissect_unknown},
13901 /* 0x3f */ {dissect_unknown, dissect_unknown},
13903 /* 0x40 */ {dissect_unknown, dissect_unknown},
13904 /* 0x41 */ {dissect_unknown, dissect_unknown},
13905 /* 0x42 */ {dissect_unknown, dissect_unknown},
13906 /* 0x43 */ {dissect_unknown, dissect_unknown},
13907 /* 0x44 */ {dissect_unknown, dissect_unknown},
13908 /* 0x45 */ {dissect_unknown, dissect_unknown},
13909 /* 0x46 */ {dissect_unknown, dissect_unknown},
13910 /* 0x47 */ {dissect_unknown, dissect_unknown},
13911 /* 0x48 */ {dissect_unknown, dissect_unknown},
13912 /* 0x49 */ {dissect_unknown, dissect_unknown},
13913 /* 0x4a */ {dissect_unknown, dissect_unknown},
13914 /* 0x4b */ {dissect_unknown, dissect_unknown},
13915 /* 0x4c */ {dissect_unknown, dissect_unknown},
13916 /* 0x4d */ {dissect_unknown, dissect_unknown},
13917 /* 0x4e */ {dissect_unknown, dissect_unknown},
13918 /* 0x4f */ {dissect_unknown, dissect_unknown},
13920 /* 0x50 */ {dissect_unknown, dissect_unknown},
13921 /* 0x51 */ {dissect_unknown, dissect_unknown},
13922 /* 0x52 */ {dissect_unknown, dissect_unknown},
13923 /* 0x53 */ {dissect_unknown, dissect_unknown},
13924 /* 0x54 */ {dissect_unknown, dissect_unknown},
13925 /* 0x55 */ {dissect_unknown, dissect_unknown},
13926 /* 0x56 */ {dissect_unknown, dissect_unknown},
13927 /* 0x57 */ {dissect_unknown, dissect_unknown},
13928 /* 0x58 */ {dissect_unknown, dissect_unknown},
13929 /* 0x59 */ {dissect_unknown, dissect_unknown},
13930 /* 0x5a */ {dissect_unknown, dissect_unknown},
13931 /* 0x5b */ {dissect_unknown, dissect_unknown},
13932 /* 0x5c */ {dissect_unknown, dissect_unknown},
13933 /* 0x5d */ {dissect_unknown, dissect_unknown},
13934 /* 0x5e */ {dissect_unknown, dissect_unknown},
13935 /* 0x5f */ {dissect_unknown, dissect_unknown},
13937 /* 0x60 */ {dissect_unknown, dissect_unknown},
13938 /* 0x61 */ {dissect_unknown, dissect_unknown},
13939 /* 0x62 */ {dissect_unknown, dissect_unknown},
13940 /* 0x63 */ {dissect_unknown, dissect_unknown},
13941 /* 0x64 */ {dissect_unknown, dissect_unknown},
13942 /* 0x65 */ {dissect_unknown, dissect_unknown},
13943 /* 0x66 */ {dissect_unknown, dissect_unknown},
13944 /* 0x67 */ {dissect_unknown, dissect_unknown},
13945 /* 0x68 */ {dissect_unknown, dissect_unknown},
13946 /* 0x69 */ {dissect_unknown, dissect_unknown},
13947 /* 0x6a */ {dissect_unknown, dissect_unknown},
13948 /* 0x6b */ {dissect_unknown, dissect_unknown},
13949 /* 0x6c */ {dissect_unknown, dissect_unknown},
13950 /* 0x6d */ {dissect_unknown, dissect_unknown},
13951 /* 0x6e */ {dissect_unknown, dissect_unknown},
13952 /* 0x6f */ {dissect_unknown, dissect_unknown},
13954 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
13955 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
13956 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
13957 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
13958 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
13959 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
13960 /* 0x76 */ {dissect_unknown, dissect_unknown},
13961 /* 0x77 */ {dissect_unknown, dissect_unknown},
13962 /* 0x78 */ {dissect_unknown, dissect_unknown},
13963 /* 0x79 */ {dissect_unknown, dissect_unknown},
13964 /* 0x7a */ {dissect_unknown, dissect_unknown},
13965 /* 0x7b */ {dissect_unknown, dissect_unknown},
13966 /* 0x7c */ {dissect_unknown, dissect_unknown},
13967 /* 0x7d */ {dissect_unknown, dissect_unknown},
13968 /* 0x7e */ {dissect_unknown, dissect_unknown},
13969 /* 0x7f */ {dissect_unknown, dissect_unknown},
13971 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
13972 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
13973 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
13974 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
13975 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
13976 /* 0x85 */ {dissect_unknown, dissect_unknown},
13977 /* 0x86 */ {dissect_unknown, dissect_unknown},
13978 /* 0x87 */ {dissect_unknown, dissect_unknown},
13979 /* 0x88 */ {dissect_unknown, dissect_unknown},
13980 /* 0x89 */ {dissect_unknown, dissect_unknown},
13981 /* 0x8a */ {dissect_unknown, dissect_unknown},
13982 /* 0x8b */ {dissect_unknown, dissect_unknown},
13983 /* 0x8c */ {dissect_unknown, dissect_unknown},
13984 /* 0x8d */ {dissect_unknown, dissect_unknown},
13985 /* 0x8e */ {dissect_unknown, dissect_unknown},
13986 /* 0x8f */ {dissect_unknown, dissect_unknown},
13988 /* 0x90 */ {dissect_unknown, dissect_unknown},
13989 /* 0x91 */ {dissect_unknown, dissect_unknown},
13990 /* 0x92 */ {dissect_unknown, dissect_unknown},
13991 /* 0x93 */ {dissect_unknown, dissect_unknown},
13992 /* 0x94 */ {dissect_unknown, dissect_unknown},
13993 /* 0x95 */ {dissect_unknown, dissect_unknown},
13994 /* 0x96 */ {dissect_unknown, dissect_unknown},
13995 /* 0x97 */ {dissect_unknown, dissect_unknown},
13996 /* 0x98 */ {dissect_unknown, dissect_unknown},
13997 /* 0x99 */ {dissect_unknown, dissect_unknown},
13998 /* 0x9a */ {dissect_unknown, dissect_unknown},
13999 /* 0x9b */ {dissect_unknown, dissect_unknown},
14000 /* 0x9c */ {dissect_unknown, dissect_unknown},
14001 /* 0x9d */ {dissect_unknown, dissect_unknown},
14002 /* 0x9e */ {dissect_unknown, dissect_unknown},
14003 /* 0x9f */ {dissect_unknown, dissect_unknown},
14005 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
14006 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
14007 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
14008 /* 0xa3 */ {dissect_unknown, dissect_unknown},
14009 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
14010 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
14011 /* 0xa6 */ {dissect_unknown, dissect_unknown},
14012 /* 0xa7 */ {dissect_unknown, dissect_unknown},
14013 /* 0xa8 */ {dissect_unknown, dissect_unknown},
14014 /* 0xa9 */ {dissect_unknown, dissect_unknown},
14015 /* 0xaa */ {dissect_unknown, dissect_unknown},
14016 /* 0xab */ {dissect_unknown, dissect_unknown},
14017 /* 0xac */ {dissect_unknown, dissect_unknown},
14018 /* 0xad */ {dissect_unknown, dissect_unknown},
14019 /* 0xae */ {dissect_unknown, dissect_unknown},
14020 /* 0xaf */ {dissect_unknown, dissect_unknown},
14022 /* 0xb0 */ {dissect_unknown, dissect_unknown},
14023 /* 0xb1 */ {dissect_unknown, dissect_unknown},
14024 /* 0xb2 */ {dissect_unknown, dissect_unknown},
14025 /* 0xb3 */ {dissect_unknown, dissect_unknown},
14026 /* 0xb4 */ {dissect_unknown, dissect_unknown},
14027 /* 0xb5 */ {dissect_unknown, dissect_unknown},
14028 /* 0xb6 */ {dissect_unknown, dissect_unknown},
14029 /* 0xb7 */ {dissect_unknown, dissect_unknown},
14030 /* 0xb8 */ {dissect_unknown, dissect_unknown},
14031 /* 0xb9 */ {dissect_unknown, dissect_unknown},
14032 /* 0xba */ {dissect_unknown, dissect_unknown},
14033 /* 0xbb */ {dissect_unknown, dissect_unknown},
14034 /* 0xbc */ {dissect_unknown, dissect_unknown},
14035 /* 0xbd */ {dissect_unknown, dissect_unknown},
14036 /* 0xbe */ {dissect_unknown, dissect_unknown},
14037 /* 0xbf */ {dissect_unknown, dissect_unknown},
14039 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
14040 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
14041 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
14042 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
14043 /* 0xc4 */ {dissect_unknown, dissect_unknown},
14044 /* 0xc5 */ {dissect_unknown, dissect_unknown},
14045 /* 0xc6 */ {dissect_unknown, dissect_unknown},
14046 /* 0xc7 */ {dissect_unknown, dissect_unknown},
14047 /* 0xc8 */ {dissect_unknown, dissect_unknown},
14048 /* 0xc9 */ {dissect_unknown, dissect_unknown},
14049 /* 0xca */ {dissect_unknown, dissect_unknown},
14050 /* 0xcb */ {dissect_unknown, dissect_unknown},
14051 /* 0xcc */ {dissect_unknown, dissect_unknown},
14052 /* 0xcd */ {dissect_unknown, dissect_unknown},
14053 /* 0xce */ {dissect_unknown, dissect_unknown},
14054 /* 0xcf */ {dissect_unknown, dissect_unknown},
14056 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
14057 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
14058 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
14059 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
14060 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
14061 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
14062 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
14063 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
14064 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
14065 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
14066 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
14067 /* 0xdb */ {dissect_unknown, dissect_unknown},
14068 /* 0xdc */ {dissect_unknown, dissect_unknown},
14069 /* 0xdd */ {dissect_unknown, dissect_unknown},
14070 /* 0xde */ {dissect_unknown, dissect_unknown},
14071 /* 0xdf */ {dissect_unknown, dissect_unknown},
14073 /* 0xe0 */ {dissect_unknown, dissect_unknown},
14074 /* 0xe1 */ {dissect_unknown, dissect_unknown},
14075 /* 0xe2 */ {dissect_unknown, dissect_unknown},
14076 /* 0xe3 */ {dissect_unknown, dissect_unknown},
14077 /* 0xe4 */ {dissect_unknown, dissect_unknown},
14078 /* 0xe5 */ {dissect_unknown, dissect_unknown},
14079 /* 0xe6 */ {dissect_unknown, dissect_unknown},
14080 /* 0xe7 */ {dissect_unknown, dissect_unknown},
14081 /* 0xe8 */ {dissect_unknown, dissect_unknown},
14082 /* 0xe9 */ {dissect_unknown, dissect_unknown},
14083 /* 0xea */ {dissect_unknown, dissect_unknown},
14084 /* 0xeb */ {dissect_unknown, dissect_unknown},
14085 /* 0xec */ {dissect_unknown, dissect_unknown},
14086 /* 0xed */ {dissect_unknown, dissect_unknown},
14087 /* 0xee */ {dissect_unknown, dissect_unknown},
14088 /* 0xef */ {dissect_unknown, dissect_unknown},
14090 /* 0xf0 */ {dissect_unknown, dissect_unknown},
14091 /* 0xf1 */ {dissect_unknown, dissect_unknown},
14092 /* 0xf2 */ {dissect_unknown, dissect_unknown},
14093 /* 0xf3 */ {dissect_unknown, dissect_unknown},
14094 /* 0xf4 */ {dissect_unknown, dissect_unknown},
14095 /* 0xf5 */ {dissect_unknown, dissect_unknown},
14096 /* 0xf6 */ {dissect_unknown, dissect_unknown},
14097 /* 0xf7 */ {dissect_unknown, dissect_unknown},
14098 /* 0xf8 */ {dissect_unknown, dissect_unknown},
14099 /* 0xf9 */ {dissect_unknown, dissect_unknown},
14100 /* 0xfa */ {dissect_unknown, dissect_unknown},
14101 /* 0xfb */ {dissect_unknown, dissect_unknown},
14102 /* 0xfc */ {dissect_unknown, dissect_unknown},
14103 /* 0xfd */ {dissect_unknown, dissect_unknown},
14104 /* 0xfe */ {dissect_unknown, dissect_unknown},
14105 /* 0xff */ {dissect_unknown, dissect_unknown},
/*
 * Dissect one SMB command: add a subtree for it under smb_tree and hand the
 * buffer to the request or response handler registered for cmd.
 *
 * cmd is a guint8 (presumably the command byte read from the packet; the
 * caller is outside this listing).  It is used directly as an index into
 * smb_dissector[] and, through decode_smb_name(), into smb_cmd_vals[], with
 * no range check.  That is only in bounds while both tables hold one entry
 * for every value 0x00-0xff.
 *
 * NOTE(review): several lines of this function (the format-string
 * arguments, the condition guarding the block, the return) are not visible
 * here; confirm against the full file.
 */
14109 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
/* per-packet SMB state; asserted non-NULL before si->request is read below */
14113 si = pinfo->private_data;
14114 DISSECTOR_ASSERT(si);
14117 proto_item *cmd_item;
14118 proto_tree *cmd_tree;
14119 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
14121 if (check_col(pinfo->cinfo, COL_INFO)) {
14123 col_append_fstr(pinfo->cinfo, COL_INFO,
14125 decode_smb_name(cmd),
14126 (si->request)? "Request" : "Response");
14128 col_append_fstr(pinfo->cinfo, COL_INFO,
14130 decode_smb_name(cmd));
/* length -1 here; the real end is set by proto_item_set_end() once the handler has run */
14135 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
14137 decode_smb_name(cmd),
14138 (si->request)?"Request":"Response",
14141 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
/* pick the handler by direction; the index is the raw 8-bit command value */
14143 dissector = (si->request)?
14144 smb_dissector[cmd].request:smb_dissector[cmd].response;
/* the handler's return value becomes the new offset and the end of cmd_item */
14146 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
14147 proto_item_set_end(cmd_item, tvb, offset);
14153 /* NOTE: this value_string array is also accessed directly by index
14154 * instead of through val_to_str(), because
14155 * 1, the array always spans every value from 0x00 to 0xff, and
14156 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
14157 * This means that this value_string array MUST always
14158 * 1, contain all entries 0x00 to 0xff
14159 * 2, have all entries in order.
 * decode_smb_name() indexes the array with the command value and does no
 * lookup by value, so a missing or misplaced entry returns the wrong name,
 * and a table that is too short is read out of bounds.
 */
/*
 * SMB command code -> display name.  decode_smb_name() returns
 * smb_cmd_vals[cmd].strptr for a guint8 command code, so the position of
 * each entry must equal its value.
 * NOTE(review): entries for 0x02, 0x04, 0x05, 0x0A, 0x0B, 0x12, 0x25, 0x27,
 * 0x29-0x2B and 0x82 are not visible in this listing; confirm against the
 * full file that the table holds all 256 entries in order.
 */
14161 const value_string smb_cmd_vals[] = {
14162 { 0x00, "Create Directory" },
14163 { 0x01, "Delete Directory" },
14165 { 0x03, "Create" },
14168 { 0x06, "Delete" },
14169 { 0x07, "Rename" },
14170 { 0x08, "Query Information" },
14171 { 0x09, "Set Information" },
14174 { 0x0C, "Lock Byte Range" },
14175 { 0x0D, "Unlock Byte Range" },
14176 { 0x0E, "Create Temp" },
14177 { 0x0F, "Create New" },
14178 { 0x10, "Check Directory" },
14179 { 0x11, "Process Exit" },
14181 { 0x13, "Lock And Read" },
14182 { 0x14, "Write And Unlock" },
14183 { 0x15, "unknown-0x15" },
14184 { 0x16, "unknown-0x16" },
14185 { 0x17, "unknown-0x17" },
14186 { 0x18, "unknown-0x18" },
14187 { 0x19, "unknown-0x19" },
14188 { 0x1A, "Read Raw" },
14189 { 0x1B, "Read MPX" },
14190 { 0x1C, "Read MPX Secondary" },
14191 { 0x1D, "Write Raw" },
14192 { 0x1E, "Write MPX" },
14193 { 0x1F, "Write MPX Secondary" },
14194 { 0x20, "Write Complete" },
14195 { 0x21, "unknown-0x21" },
14196 { 0x22, "Set Information2" },
14197 { 0x23, "Query Information2" },
14198 { 0x24, "Locking AndX" },
14200 { 0x26, "Trans Secondary" },
14202 { 0x28, "IOCTL Secondary" },
14206 { 0x2C, "Write And Close" },
14207 { 0x2D, "Open AndX" },
14208 { 0x2E, "Read AndX" },
14209 { 0x2F, "Write AndX" },
14210 { 0x30, "unknown-0x30" },
14211 { 0x31, "Close And Tree Disconnect" },
14212 { 0x32, "Trans2" },
14213 { 0x33, "Trans2 Secondary" },
14214 { 0x34, "Find Close2" },
14215 { 0x35, "Find Notify Close" },
14216 { 0x36, "unknown-0x36" },
14217 { 0x37, "unknown-0x37" },
14218 { 0x38, "unknown-0x38" },
14219 { 0x39, "unknown-0x39" },
14220 { 0x3A, "unknown-0x3A" },
14221 { 0x3B, "unknown-0x3B" },
14222 { 0x3C, "unknown-0x3C" },
14223 { 0x3D, "unknown-0x3D" },
14224 { 0x3E, "unknown-0x3E" },
14225 { 0x3F, "unknown-0x3F" },
14226 { 0x40, "unknown-0x40" },
14227 { 0x41, "unknown-0x41" },
14228 { 0x42, "unknown-0x42" },
14229 { 0x43, "unknown-0x43" },
14230 { 0x44, "unknown-0x44" },
14231 { 0x45, "unknown-0x45" },
14232 { 0x46, "unknown-0x46" },
14233 { 0x47, "unknown-0x47" },
14234 { 0x48, "unknown-0x48" },
14235 { 0x49, "unknown-0x49" },
14236 { 0x4A, "unknown-0x4A" },
14237 { 0x4B, "unknown-0x4B" },
14238 { 0x4C, "unknown-0x4C" },
14239 { 0x4D, "unknown-0x4D" },
14240 { 0x4E, "unknown-0x4E" },
14241 { 0x4F, "unknown-0x4F" },
14242 { 0x50, "unknown-0x50" },
14243 { 0x51, "unknown-0x51" },
14244 { 0x52, "unknown-0x52" },
14245 { 0x53, "unknown-0x53" },
14246 { 0x54, "unknown-0x54" },
14247 { 0x55, "unknown-0x55" },
14248 { 0x56, "unknown-0x56" },
14249 { 0x57, "unknown-0x57" },
14250 { 0x58, "unknown-0x58" },
14251 { 0x59, "unknown-0x59" },
14252 { 0x5A, "unknown-0x5A" },
14253 { 0x5B, "unknown-0x5B" },
14254 { 0x5C, "unknown-0x5C" },
14255 { 0x5D, "unknown-0x5D" },
14256 { 0x5E, "unknown-0x5E" },
14257 { 0x5F, "unknown-0x5F" },
14258 { 0x60, "unknown-0x60" },
14259 { 0x61, "unknown-0x61" },
14260 { 0x62, "unknown-0x62" },
14261 { 0x63, "unknown-0x63" },
14262 { 0x64, "unknown-0x64" },
14263 { 0x65, "unknown-0x65" },
14264 { 0x66, "unknown-0x66" },
14265 { 0x67, "unknown-0x67" },
14266 { 0x68, "unknown-0x68" },
14267 { 0x69, "unknown-0x69" },
14268 { 0x6A, "unknown-0x6A" },
14269 { 0x6B, "unknown-0x6B" },
14270 { 0x6C, "unknown-0x6C" },
14271 { 0x6D, "unknown-0x6D" },
14272 { 0x6E, "unknown-0x6E" },
14273 { 0x6F, "unknown-0x6F" },
14274 { 0x70, "Tree Connect" },
14275 { 0x71, "Tree Disconnect" },
14276 { 0x72, "Negotiate Protocol" },
14277 { 0x73, "Session Setup AndX" },
14278 { 0x74, "Logoff AndX" },
14279 { 0x75, "Tree Connect AndX" },
14280 { 0x76, "unknown-0x76" },
14281 { 0x77, "unknown-0x77" },
14282 { 0x78, "unknown-0x78" },
14283 { 0x79, "unknown-0x79" },
14284 { 0x7A, "unknown-0x7A" },
14285 { 0x7B, "unknown-0x7B" },
14286 { 0x7C, "unknown-0x7C" },
14287 { 0x7D, "unknown-0x7D" },
14288 { 0x7E, "unknown-0x7E" },
14289 { 0x7F, "unknown-0x7F" },
14290 { 0x80, "Query Information Disk" },
14291 { 0x81, "Search" },
14293 { 0x83, "Find Unique" },
14294 { 0x84, "Find Close" },
14295 { 0x85, "unknown-0x85" },
14296 { 0x86, "unknown-0x86" },
14297 { 0x87, "unknown-0x87" },
14298 { 0x88, "unknown-0x88" },
14299 { 0x89, "unknown-0x89" },
14300 { 0x8A, "unknown-0x8A" },
14301 { 0x8B, "unknown-0x8B" },
14302 { 0x8C, "unknown-0x8C" },
14303 { 0x8D, "unknown-0x8D" },
14304 { 0x8E, "unknown-0x8E" },
14305 { 0x8F, "unknown-0x8F" },
14306 { 0x90, "unknown-0x90" },
14307 { 0x91, "unknown-0x91" },
14308 { 0x92, "unknown-0x92" },
14309 { 0x93, "unknown-0x93" },
14310 { 0x94, "unknown-0x94" },
14311 { 0x95, "unknown-0x95" },
14312 { 0x96, "unknown-0x96" },
14313 { 0x97, "unknown-0x97" },
14314 { 0x98, "unknown-0x98" },
14315 { 0x99, "unknown-0x99" },
14316 { 0x9A, "unknown-0x9A" },
14317 { 0x9B, "unknown-0x9B" },
14318 { 0x9C, "unknown-0x9C" },
14319 { 0x9D, "unknown-0x9D" },
14320 { 0x9E, "unknown-0x9E" },
14321 { 0x9F, "unknown-0x9F" },
14322 { 0xA0, "NT Trans" },
14323 { 0xA1, "NT Trans Secondary" },
14324 { 0xA2, "NT Create AndX" },
14325 { 0xA3, "unknown-0xA3" },
14326 { 0xA4, "NT Cancel" },
14327 { 0xA5, "NT Rename" },
14328 { 0xA6, "unknown-0xA6" },
14329 { 0xA7, "unknown-0xA7" },
14330 { 0xA8, "unknown-0xA8" },
14331 { 0xA9, "unknown-0xA9" },
14332 { 0xAA, "unknown-0xAA" },
14333 { 0xAB, "unknown-0xAB" },
14334 { 0xAC, "unknown-0xAC" },
14335 { 0xAD, "unknown-0xAD" },
14336 { 0xAE, "unknown-0xAE" },
14337 { 0xAF, "unknown-0xAF" },
14338 { 0xB0, "unknown-0xB0" },
14339 { 0xB1, "unknown-0xB1" },
14340 { 0xB2, "unknown-0xB2" },
14341 { 0xB3, "unknown-0xB3" },
14342 { 0xB4, "unknown-0xB4" },
14343 { 0xB5, "unknown-0xB5" },
14344 { 0xB6, "unknown-0xB6" },
14345 { 0xB7, "unknown-0xB7" },
14346 { 0xB8, "unknown-0xB8" },
14347 { 0xB9, "unknown-0xB9" },
14348 { 0xBA, "unknown-0xBA" },
14349 { 0xBB, "unknown-0xBB" },
14350 { 0xBC, "unknown-0xBC" },
14351 { 0xBD, "unknown-0xBD" },
14352 { 0xBE, "unknown-0xBE" },
14353 { 0xBF, "unknown-0xBF" },
14354 { 0xC0, "Open Print File" },
14355 { 0xC1, "Write Print File" },
14356 { 0xC2, "Close Print File" },
14357 { 0xC3, "Get Print Queue" },
14358 { 0xC4, "unknown-0xC4" },
14359 { 0xC5, "unknown-0xC5" },
14360 { 0xC6, "unknown-0xC6" },
14361 { 0xC7, "unknown-0xC7" },
14362 { 0xC8, "unknown-0xC8" },
14363 { 0xC9, "unknown-0xC9" },
14364 { 0xCA, "unknown-0xCA" },
14365 { 0xCB, "unknown-0xCB" },
14366 { 0xCC, "unknown-0xCC" },
14367 { 0xCD, "unknown-0xCD" },
14368 { 0xCE, "unknown-0xCE" },
14369 { 0xCF, "unknown-0xCF" },
14370 { 0xD0, "Send Single Block Message" },
14371 { 0xD1, "Send Broadcast Message" },
14372 { 0xD2, "Forward User Name" },
14373 { 0xD3, "Cancel Forward" },
14374 { 0xD4, "Get Machine Name" },
14375 { 0xD5, "Send Start of Multi-block Message" },
14376 { 0xD6, "Send End of Multi-block Message" },
14377 { 0xD7, "Send Text of Multi-block Message" },
14378 { 0xD8, "SMBreadbulk" },
14379 { 0xD9, "SMBwritebulk" },
14380 { 0xDA, "SMBwritebulkdata" },
14381 { 0xDB, "unknown-0xDB" },
14382 { 0xDC, "unknown-0xDC" },
14383 { 0xDD, "unknown-0xDD" },
14384 { 0xDE, "unknown-0xDE" },
14385 { 0xDF, "unknown-0xDF" },
14386 { 0xE0, "unknown-0xE0" },
14387 { 0xE1, "unknown-0xE1" },
14388 { 0xE2, "unknown-0xE2" },
14389 { 0xE3, "unknown-0xE3" },
14390 { 0xE4, "unknown-0xE4" },
14391 { 0xE5, "unknown-0xE5" },
14392 { 0xE6, "unknown-0xE6" },
14393 { 0xE7, "unknown-0xE7" },
14394 { 0xE8, "unknown-0xE8" },
14395 { 0xE9, "unknown-0xE9" },
14396 { 0xEA, "unknown-0xEA" },
14397 { 0xEB, "unknown-0xEB" },
14398 { 0xEC, "unknown-0xEC" },
14399 { 0xED, "unknown-0xED" },
14400 { 0xEE, "unknown-0xEE" },
14401 { 0xEF, "unknown-0xEF" },
14402 { 0xF0, "unknown-0xF0" },
14403 { 0xF1, "unknown-0xF1" },
14404 { 0xF2, "unknown-0xF2" },
14405 { 0xF3, "unknown-0xF3" },
14406 { 0xF4, "unknown-0xF4" },
14407 { 0xF5, "unknown-0xF5" },
14408 { 0xF6, "unknown-0xF6" },
14409 { 0xF7, "unknown-0xF7" },
14410 { 0xF8, "unknown-0xF8" },
14411 { 0xF9, "unknown-0xF9" },
14412 { 0xFA, "unknown-0xFA" },
14413 { 0xFB, "unknown-0xFB" },
14414 { 0xFC, "unknown-0xFC" },
14415 { 0xFD, "unknown-0xFD" },
14416 { 0xFE, "SMBinvalid" },
14417 { 0xFF, "unknown-0xFF" },
/*
 * Return the display name for an SMB command code.
 * Indexes smb_cmd_vals[] directly, with no bounds check and no lookup by
 * value; this is only safe while that table has one entry per value
 * 0x00-0xff, in order.
 */
14421 static const char *decode_smb_name(guint8 cmd)
14423 return(smb_cmd_vals[cmd].strptr);
14428 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14429 * Everything TVBUFFIFIED above this line
14430 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Callback passed to g_slist_foreach() by smb_init_protocol(): destroy the
 * hash tables held by one conv_tables_t (ctarg).  user_data is unused.
 *
 * The ct pointers are not cleared after the destroy calls; nothing visible
 * here reuses them, because smb_init_protocol() drops the whole list right
 * afterwards.
 * NOTE(review): dissect_smb creates these tables with g_hash_table_new(),
 * i.e. without key/value destroy functions, so the entries themselves are
 * presumably released elsewhere (se_alloc'd keys are visible in
 * dissect_smb) -- confirm.
 */
14434 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
14436 conv_tables_t *ct = ctarg;
14439 g_hash_table_destroy(ct->unmatched);
14441 g_hash_table_destroy(ct->matched);
14442 if (ct->tid_service)
14443 g_hash_table_destroy(ct->tid_service);
/*
 * Tear down the SMB conversation tables: destroy the hash tables of every
 * conv_tables_t on the conv_tables list, free the list nodes, and reset the
 * list head to NULL so the freed list cannot be walked again.
 * NOTE(review): dissect_smb allocates each conv_tables_t with se_alloc(),
 * so the "chunk" wording below may predate that -- confirm where the
 * structures themselves are released, and that no conversation still
 * points at a conv_tables_t whose tables were destroyed here.
 */
14447 smb_init_protocol(void)
14450 * Free the hash tables attached to the conversation table
14451 * structures, and then free the list of conversation table
14452 * data structures (which doesn't free the data structures
14453 * themselves; that's done by destroying the chunk from
14454 * which they were allocated).
14457 g_slist_foreach(conv_tables, free_hash_tables, NULL);
14458 g_slist_free(conv_tables);
14459 conv_tables = NULL;
/* Display names for the SMB error class values (the errcls argument of decode_smb_error()). */
14463 static const value_string errcls_types[] = {
14464 { SMB_SUCCESS, "Success"},
14465 { SMB_ERRDOS, "DOS Error"},
14466 { SMB_ERRSRV, "Server Error"},
14467 { SMB_ERRHRD, "Hardware Error"},
14468 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
14472 /* Error codes for the ERRSRV class */
/*
 * Looked up by value through val_to_str() in decode_smb_error(); a code that
 * is not listed here is formatted with "Unknown SRV error (%x)" instead, so
 * this table does not have to be complete or ordered.
 */
14474 static const value_string SRV_errors[] = {
14475 {SMBE_error, "Non specific error code"},
14476 {SMBE_badpw, "Bad password"},
14477 {SMBE_badtype, "Reserved"},
14478 {SMBE_access, "No permissions to perform the requested operation"},
14479 {SMBE_invnid, "TID invalid"},
14480 {SMBE_invnetname, "Invalid network name. Service not found"},
14481 {SMBE_invdevice, "Invalid device"},
14482 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
14483 {SMBE_qfull, "Print queue full"},
14484 {SMBE_qtoobig, "Queued item too big"},
14485 {SMBE_qeof, "EOF on print queue dump"},
14486 {SMBE_invpfid, "Invalid print file in smb_fid"},
14487 {SMBE_smbcmd, "Unrecognised command"},
14488 {SMBE_srverror, "SMB server internal error"},
14489 {SMBE_filespecs, "Fid and pathname invalid combination"},
14490 {SMBE_badlink, "Bad link in request ???"},
14491 {SMBE_badpermits, "Access specified for a file is not valid"},
14492 {SMBE_badpid, "Bad process id in request"},
14493 {SMBE_setattrmode, "Attribute mode invalid"},
14494 {SMBE_paused, "Message server paused"},
14495 {SMBE_msgoff, "Not receiving messages"},
14496 {SMBE_noroom, "No room for message"},
14497 {SMBE_rmuns, "Too many remote usernames"},
14498 {SMBE_timeout, "Operation timed out"},
14499 {SMBE_noresource, "No resources currently available for request."},
14500 {SMBE_toomanyuids, "Too many userids"},
14501 {SMBE_baduid, "Bad userid"},
14502 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
14503 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
14504 {SMBE_contMPX, "Resume MPX mode"},
14505 {SMBE_badPW, "Bad Password???"},
14506 {SMBE_nosupport, "Operation not supported"},
14510 /* Error codes for the ERRHRD class */
/*
 * Looked up by value through val_to_str() in decode_smb_error(); a code that
 * is not listed here is formatted with "Unknown HRD error (%x)" instead.
 */
14512 static const value_string HRD_errors[] = {
14513 {SMBE_nowrite, "Read only media"},
14514 {SMBE_badunit, "Unknown device"},
14515 {SMBE_notready, "Drive not ready"},
14516 {SMBE_badcmd, "Unknown command"},
14517 {SMBE_data, "Data (CRC) error"},
14518 {SMBE_badreq, "Bad request structure length"},
14519 {SMBE_seek, "Seek error"},
14520 {SMBE_badmedia, "Unknown media type"},
14521 {SMBE_badsector, "Sector not found"},
14522 {SMBE_nopaper, "Printer out of paper"},
14523 {SMBE_write, "Write fault"},
14524 {SMBE_read, "Read fault"},
14525 {SMBE_general, "General failure"},
14526 {SMBE_badshare, "A open conflicts with an existing open"},
14527 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
14528 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
14529 {SMBE_FCBunavail, "No FCBs are available to process request"},
14530 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
14531 {SMBE_diskfull, "Disk full???"},
/*
 * Map an SMB error class (errcls) and error code (errcode) to a display
 * string.
 * Codes are looked up by value with val_to_str() in DOS_errors, SRV_errors
 * or HRD_errors; an unlisted code is formatted with the matching
 * "Unknown ... error (%x)" pattern, and there is a fixed fallback string for
 * an unrecognised class, so the function appears to return a string for any
 * input pair.
 * NOTE(review): the switch/case lines that select each return are not
 * visible here; the class-to-table pairing is inferred from the format
 * strings.
 */
14535 static const char *decode_smb_error(guint8 errcls, guint16 errcode)
14542 return("No Error"); /* No error ??? */
14547 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
14552 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
14557 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
14562 return("Unknown error class!");
/*
 * Display strings for the individual bits of the one-byte SMB Flags field.
 * In each pair the first string is shown when the bit is set and the second
 * when it is clear.  These describe what the packet claims; nothing here
 * checks the claim.
 */
14568 static const true_false_string tfs_smb_flags_lock = {
14569 "Lock&Read, Write&Unlock are supported",
14570 "Lock&Read, Write&Unlock are not supported"
14572 static const true_false_string tfs_smb_flags_receive_buffer = {
14573 "Receive buffer has been posted",
14574 "Receive buffer has not been posted"
14576 static const true_false_string tfs_smb_flags_caseless = {
14577 "Path names are caseless",
14578 "Path names are case sensitive"
14580 static const true_false_string tfs_smb_flags_canon = {
14581 "Pathnames are canonicalized",
14582 "Pathnames are not canonicalized"
14584 static const true_false_string tfs_smb_flags_oplock = {
14585 "OpLock requested/granted",
14586 "OpLock not requested/granted"
14588 static const true_false_string tfs_smb_flags_notify = {
14589 "Notify client on all modifications",
14590 "Notify client only on open"
14592 static const true_false_string tfs_smb_flags_response = {
14593 "Message is a response to the client/redirector",
14594 "Message is a request to the server"
/*
 * Dissect the one-byte SMB Flags field at offset: read it once and add one
 * boolean item per flag bit under a "Flags: 0x.." subtree of parent_tree.
 * NOTE(review): the declaration of mask, any guard on parent_tree and the
 * return statement are not visible in this listing.
 */
14598 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
14601 proto_item *item = NULL;
14602 proto_tree *tree = NULL;
/* tvb accessors are bounds-checked by the tvbuff layer, so a truncated packet raises an exception here instead of reading past the data */
14604 mask = tvb_get_guint8(tvb, offset);
14607 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
14608 "Flags: 0x%02x", mask);
14609 tree = proto_item_add_subtree(item, ett_smb_flags);
/* every item is given the whole byte; which bit it shows is decided by the hf_ field's registration (not visible here) */
14611 proto_tree_add_boolean(tree, hf_smb_flags_response,
14612 tvb, offset, 1, mask);
14613 proto_tree_add_boolean(tree, hf_smb_flags_notify,
14614 tvb, offset, 1, mask);
14615 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
14616 tvb, offset, 1, mask);
14617 proto_tree_add_boolean(tree, hf_smb_flags_canon,
14618 tvb, offset, 1, mask);
14619 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
14620 tvb, offset, 1, mask);
14621 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
14622 tvb, offset, 1, mask);
14623 proto_tree_add_boolean(tree, hf_smb_flags_lock,
14624 tvb, offset, 1, mask);
/*
 * Display strings for the individual bits of the two-byte SMB Flags2 field.
 * In each pair the first string is shown when the bit is set and the second
 * when it is clear.  The strings report what the sender advertises (for
 * example that security signatures are supported), not whether it is
 * actually in use.
 */
14631 static const true_false_string tfs_smb_flags2_long_names_allowed = {
14632 "Long file names are allowed in the response",
14633 "Long file names are not allowed in the response"
14635 static const true_false_string tfs_smb_flags2_ea = {
14636 "Extended attributes are supported",
14637 "Extended attributes are not supported"
14639 static const true_false_string tfs_smb_flags2_sec_sig = {
14640 "Security signatures are supported",
14641 "Security signatures are not supported"
14643 static const true_false_string tfs_smb_flags2_long_names_used = {
14644 "Path names in request are long file names",
14645 "Path names in request are not long file names"
14647 static const true_false_string tfs_smb_flags2_esn = {
14648 "Extended security negotiation is supported",
14649 "Extended security negotiation is not supported"
14651 static const true_false_string tfs_smb_flags2_dfs = {
14652 "Resolve pathnames with Dfs",
14653 "Don't resolve pathnames with Dfs"
14655 static const true_false_string tfs_smb_flags2_roe = {
14656 "Permit reads if execute-only",
14657 "Don't permit reads if execute-only"
14659 static const true_false_string tfs_smb_flags2_nt_error = {
14660 "Error codes are NT error codes",
14661 "Error codes are DOS error codes"
14663 static const true_false_string tfs_smb_flags2_string = {
14664 "Strings are Unicode",
14665 "Strings are ASCII"
/*
 * Dissect the two-byte SMB Flags2 field at offset: read it once as a
 * little-endian 16-bit value and add one boolean item per flag bit under a
 * "Flags2: 0x...." subtree of parent_tree.
 * NOTE(review): the declaration of mask, any guard on parent_tree and the
 * return statement are not visible in this listing.
 */
14668 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
14671 proto_item *item = NULL;
14672 proto_tree *tree = NULL;
/* tvb accessors are bounds-checked by the tvbuff layer, so a truncated packet raises an exception here instead of reading past the data */
14674 mask = tvb_get_letohs(tvb, offset);
14677 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
14678 "Flags2: 0x%04x", mask);
14679 tree = proto_item_add_subtree(item, ett_smb_flags2);
/* every item is given the whole 16-bit value; which bit it shows is decided by the hf_ field's registration (not visible here) */
14682 proto_tree_add_boolean(tree, hf_smb_flags2_string,
14683 tvb, offset, 2, mask);
14684 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
14685 tvb, offset, 2, mask);
14686 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
14687 tvb, offset, 2, mask);
14688 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
14689 tvb, offset, 2, mask);
14690 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
14691 tvb, offset, 2, mask);
14692 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
14693 tvb, offset, 2, mask);
14694 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
14695 tvb, offset, 2, mask);
14696 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
14697 tvb, offset, 2, mask);
14698 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
14699 tvb, offset, 2, mask);
/*
 * Direction bit of the SMB Flags byte.  dissect_smb treats a packet as a
 * request when this bit is clear; the bit is taken from the packet as-is.
 */
14707 #define SMB_FLAGS_DIRN 0x80
14711 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
14714 proto_item *item = NULL, *hitem = NULL;
14715 proto_tree *tree = NULL, *htree = NULL;
14716 proto_item *tmp_item=NULL;
14719 static smb_info_t si_arr[20];
14720 static int si_counter=0;
14722 smb_saved_info_t *sip = NULL;
14723 smb_saved_info_key_t key;
14724 smb_saved_info_key_t *new_key;
14725 guint32 nt_status = 0;
14726 guint8 errclass = 0;
14727 guint16 errcode = 0;
14729 conversation_t *conversation;
14730 nstime_t t, deltat;
14733 if(si_counter>=20){
14736 si=&si_arr[si_counter];
14738 top_tree=parent_tree;
14740 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
14741 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
14743 if (check_col(pinfo->cinfo, COL_INFO)){
14744 col_clear(pinfo->cinfo, COL_INFO);
14747 /* start off using the local variable, we will allocate a new one if we
14749 si->cmd = tvb_get_guint8(tvb, offset+4);
14750 flags = tvb_get_guint8(tvb, offset+9);
14752 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
14753 * the direction flag appears never to be set, even for what appear
14754 * to be replies. Do some SMB servers fail to set that flag,
14755 * under the assumption that the client knows it's a reply because
14758 si->request = !(flags&SMB_FLAGS_DIRN);
14759 flags2 = tvb_get_letohs(tvb, offset+10);
14760 if(flags2 & 0x8000){
14761 si->unicode = TRUE; /* Mark them as Unicode */
14763 si->unicode = FALSE;
14765 si->tid = tvb_get_letohs(tvb, offset+24);
14766 si->pid = tvb_get_letohs(tvb, offset+26);
14767 si->uid = tvb_get_letohs(tvb, offset+28);
14768 si->mid = tvb_get_letohs(tvb, offset+30);
14769 pid_mid = (si->pid << 16) | si->mid;
14770 si->info_level = -1;
14771 si->info_count = -1;
14774 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
14776 tree = proto_item_add_subtree(item, ett_smb);
14778 hitem = proto_tree_add_text(tree, tvb, offset, 32,
14781 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
14784 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
14785 offset += 4; /* Skip the marker */
14787 /* find which conversation we are part of and get the tables for that
14789 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,
14790 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14792 /* OK this is a new conversation so lets create it */
14793 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst,
14794 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14796 /* see if we already have the smb data for this conversation */
14797 si->ct=conversation_get_proto_data(conversation, proto_smb);
14799 /* No, not yet. create it and attach it to the conversation */
14800 si->ct = se_alloc(sizeof(conv_tables_t));
14801 conv_tables = g_slist_prepend(conv_tables, si->ct);
14802 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
14803 smb_saved_info_equal_matched);
14804 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
14805 smb_saved_info_equal_unmatched);
14806 si->ct->tid_service=g_hash_table_new(
14807 smb_saved_info_hash_unmatched,
14808 smb_saved_info_equal_unmatched);
14809 si->ct->raw_ntlmssp = 0;
14810 conversation_add_proto_data(conversation, proto_smb, si->ct);
14818 /* this is a broadcast SMB packet, there will not be a reply.
14819 We dont need to do anything
14822 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
14823 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
14824 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
14825 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
14826 /* Ok, we got a special request type. This request is either
14827 an NT Cancel or a continuation relative to a real request
14828 in an earlier packet. In either case, we don't expect any
14829 responses to this packet. For continuations, any later
14830 responses we see really just belong to the original request.
14831 Anyway, we want to remember this packet somehow and
14832 remember which original request it is associated with so
14833 we can say nice things such as "This is a Cancellation to
14834 the request in frame x", but we don't want the
14835 request/response matching to get messed up.
14837 The only thing we do in this case is trying to find which original
14838 request we match with and insert an entry for this "special"
14839 request for later reference. We continue to reference the original
14840 requests smb_saved_info_t but we dont touch it or change anything
14844 si->unidir = TRUE; /*we dont expect an answer to this one*/
14846 if(!pinfo->fd->flags.visited){
14847 /* try to find which original call we match and if we
14848 find it add us to the matched table. Dont touch
14849 anything else since we dont want this one to mess
14850 up the request/response matching. We still consider
14851 the initial call the real request and this is only
14852 some sort of continuation.
14854 /* we only check the unmatched table and assume that the
14855 last seen MID matching ours is the right one.
14856 This can fail but is better than nothing
14858 sip=g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
14860 new_key = se_alloc(sizeof(smb_saved_info_key_t));
14861 new_key->frame = pinfo->fd->num;
14862 new_key->pid_mid = pid_mid;
14863 g_hash_table_insert(si->ct->matched, new_key,
14867 /* we have seen this packet before; check the
14870 key.frame = pinfo->fd->num;
14871 key.pid_mid = pid_mid;
14872 sip=g_hash_table_lookup(si->ct->matched, &key);
14876 Too bad, unfortunately there is not really much we can
14877 do now since this means that we never saw the initial
14884 if(sip && sip->frame_req){
14886 case SMB_COM_NT_CANCEL:
14887 tmp_item=proto_tree_add_uint(htree, hf_smb_cancel_to,
14888 tvb, 0, 0, sip->frame_req);
14889 PROTO_ITEM_SET_GENERATED(tmp_item);
14891 case SMB_COM_TRANSACTION_SECONDARY:
14892 case SMB_COM_TRANSACTION2_SECONDARY:
14893 case SMB_COM_NT_TRANSACT_SECONDARY:
14894 tmp_item=proto_tree_add_uint(htree, hf_smb_continuation_to,
14895 tvb, 0, 0, sip->frame_req);
14896 PROTO_ITEM_SET_GENERATED(tmp_item);
14901 case SMB_COM_NT_CANCEL:
14902 proto_tree_add_text(htree, tvb, 0, 0,
14903 "Cancellation to: <unknown frame>");
14905 case SMB_COM_TRANSACTION_SECONDARY:
14906 case SMB_COM_TRANSACTION2_SECONDARY:
14907 case SMB_COM_NT_TRANSACT_SECONDARY:
14908 proto_tree_add_text(htree, tvb, 0, 0,
14909 "Continuation to: <unknown frame>");
14913 } else { /* normal bidirectional request or response */
14914 si->unidir = FALSE;
14916 if(!pinfo->fd->flags.visited){
14917 /* first see if we find an unmatched smb "equal" to
14920 sip=g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
14922 gboolean cmd_match=FALSE;
14925 * Make sure the SMB we found was the
14926 * same command, or a different command
14927 * that's another valid type of reply
14930 if(si->cmd==sip->cmd){
14933 else if(si->cmd==SMB_COM_NT_CANCEL){
14936 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
14937 && (sip->cmd==SMB_COM_TRANSACTION)){
14940 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
14941 && (sip->cmd==SMB_COM_TRANSACTION2)){
14944 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
14945 && (sip->cmd==SMB_COM_NT_TRANSACT)){
14949 if( (si->request) || (!cmd_match) ) {
14950 /* We are processing an SMB request but there was already
14951 another "identical" smb request we had not matched yet.
14952 This must mean that either we have a retransmission or that the
14953 response to the previous one was lost and the client has reused
14954 the MID for this conversation. In either case it's not much more
14955 we can do than forget the old request and concentrate on the
14956 present one instead.
14958 We also do this cleanup if we see that the cmd in the original
14959 request in sip->cmd is not compatible with the current cmd.
14960 This is to prevent matching errors such as if there were two
14961 SMBs of different cmds but with identical MID and PID values and
14962 if ethereal lost the first reply and the second request.
14964 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
14965 sip=NULL; /* XXX should free it as well */
14967 /* we have found a response to some
14968 request we have seen earlier.
14969 What we do now depends on whether
14970 this is the first response to that
14971 request we see (id frame_res==0) or
14972 if it's a response to a request
14973 for which we've seen an earlier
14974 response that's continued.
14976 if(sip->frame_res==0 ||
14977 sip->flags & SMB_SIF_IS_CONTINUED){
14978 /* OK, it is the first response
14979 we have seen to this packet,
14980 or it's a continuation of
14981 a response we've seen. */
14982 sip->frame_res = pinfo->fd->num;
14983 new_key = se_alloc(sizeof(smb_saved_info_key_t));
14984 new_key->frame = sip->frame_res;
14985 new_key->pid_mid = pid_mid;
14986 g_hash_table_insert(si->ct->matched, new_key, sip);
14987 /* We remove the entry for unmatched since we have found a match.
14988 * We have to do this since the MID value wraps so quickly (effective only 10 bits)
14989 * and if there is packetloss in the trace (maybe due to large holes
14990 * created by a sniffer device not being able to keep up
14991 * with the line rate.
14992 * There is a real possibility that the following would occur which is painful :
14993 * 1, -> Request MID:5
14994 * 2, <- Response MID:5
14995 * 3, ->Request MID:5 (missing from capture)
14996 * 4, <- Response MID:5
14997 * We DONT want #4 to be presented as a response to #1
14999 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
15001 /* We have already seen another response to this MID.
15002 Since the MID in reality is only something like 10 bits
15003 this probably means that we just have a MID that is being
15004 reused due to the small MID space and that this is a new
15005 command we did not see the original request for.
15012 sip = se_alloc(sizeof(smb_saved_info_t));
15013 sip->frame_req = pinfo->fd->num;
15014 sip->frame_res = 0;
15015 sip->req_time.secs=pinfo->fd->abs_secs;
15016 sip->req_time.nsecs=pinfo->fd->abs_usecs*1000;
15018 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))
15019 == (void *)TID_IPC) {
15020 sip->flags |= SMB_SIF_TID_IS_IPC;
15022 sip->cmd = si->cmd;
15023 sip->extra_info = NULL;
15024 sip->extra_info_type = SMB_EI_NONE;
15025 g_hash_table_insert(si->ct->unmatched, GUINT_TO_POINTER(pid_mid), sip);
15026 new_key = se_alloc(sizeof(smb_saved_info_key_t));
15027 new_key->frame = sip->frame_req;
15028 new_key->pid_mid = pid_mid;
15029 g_hash_table_insert(si->ct->matched, new_key, sip);
15032 /* we have seen this packet before; check the
15034 If we haven't yet seen the reply, we won't
15035 find the info for it; we don't need it, as
15036 we only use it to save information, and, as
15037 we've seen this packet before, we've already
15038 saved the information.
15040 key.frame = pinfo->fd->num;
15041 key.pid_mid = pid_mid;
15042 sip=g_hash_table_lookup(si->ct->matched, &key);
15047 * Pass the "sip" on to subdissectors through "si".
15053 * Put in fields for the frame number of the frame to which
15054 * this is a response or the frame with the response to this
15055 * frame - if we know the frame number (i.e., it's not 0).
15058 if (sip->frame_res != 0) {
15059 tmp_item=proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
15060 PROTO_ITEM_SET_GENERATED(tmp_item);
15063 if (sip->frame_req != 0) {
15064 tmp_item=proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
15065 PROTO_ITEM_SET_GENERATED(tmp_item);
15066 t.secs = pinfo->fd->abs_secs;
15067 t.nsecs = pinfo->fd->abs_usecs*1000;
15068 get_timedelta(&deltat, &t, &sip->req_time);
15069 tmp_item=proto_tree_add_time(htree, hf_smb_time, tvb,
15071 PROTO_ITEM_SET_GENERATED(tmp_item);
15077 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
15080 if(flags2 & 0x4000){
15081 /* handle NT 32 bit error code */
15083 nt_status = tvb_get_letohl(tvb, offset);
15085 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
15090 /* handle DOS error code & class */
15091 errclass = tvb_get_guint8(tvb, offset);
15092 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
15096 /* reserved byte */
15097 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
15101 /* XXX - the type of this field depends on the value of
15102 * "errcls", so there is isn't a single value_string array
15103 * fo it, so there can't be a single field for it.
15105 errcode = tvb_get_letohs(tvb, offset);
15106 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
15107 offset, 2, errcode, "Error Code: %s",
15108 decode_smb_error(errclass, errcode));
15113 offset = dissect_smb_flags(tvb, htree, offset);
15116 offset = dissect_smb_flags2(tvb, htree, offset);
15121 * http://www.samba.org/samba/ftp/specs/smbpub.txt
15123 * (a text version of "Microsoft Networks SMB FILE SHARING
15124 * PROTOCOL, Document Version 6.0p") says that:
15126 * the first 2 bytes of these 12 bytes are, for NT Create and X,
15127 * the "High Part of PID";
15129 * the next four bytes are reserved;
15131 * the next four bytes are, for SMB-over-IPX (with no
15132 * NetBIOS involved) two bytes of Session ID and two bytes
15133 * of SequenceNumber.
15135 * Network Monitor 2.x dissects the four bytes before the Session ID
15136 * as a "Key", and the two bytes after the SequenceNumber as
15139 * The "High Part of PID" has been seen in calls other than NT
15140 * Create and X, although most of them appear to be I/O on DCE RPC
15141 * pipes opened with the NT Create and X in question.
15143 proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, TRUE);
15146 if (pinfo->ptype == PT_IPX &&
15147 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
15148 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
15149 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
15151 * This is SMB-over-IPX.
15152 * XXX - do we have to worry about "sequenced commands",
15153 * as per the Samba document? They say that for
15154 * "unsequenced commands" (with a sequence number of 0),
15155 * the Mid must be unique, but perhaps the Mid doesn't
15156 * have to be unique for sequenced commands. In at least
15157 * one capture with SMB-over-IPX, however, the Mids
15158 * are unique even for sequenced commands.
15161 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
15166 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
15170 /* Sequence number */
15171 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
15176 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
15181 * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
15182 * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
15183 * bytes after the "High part of PID" are an 8-byte
15186 proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, TRUE);
15189 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, TRUE);
15194 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si->tid);
15198 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
15202 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid);
15206 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
15209 pinfo->private_data = si;
15211 /* tap the packet before the dissectors are called so we still get
15212 the tap listener called even if there is an exception.
15214 tap_queue_packet(smb_tap, pinfo, si);
15215 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
15217 /* Append error info from this packet to info string. */
15218 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
15219 if (flags2 & 0x4000) {
15221 * The status is an NT status code; was there
15224 if ((nt_status & 0xC0000000) == 0xC0000000) {
15229 pinfo->cinfo, COL_INFO, ", Error: %s",
15230 val_to_str(nt_status, NT_errors,
15231 "Unknown (0x%08X)"));
15235 * The status is a DOS error class and code; was
15238 if (errclass != SMB_SUCCESS) {
15243 pinfo->cinfo, COL_INFO, ", Error: %s",
15244 decode_smb_error(errclass, errcode));
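/*
 * Heuristic entry point: decide whether this buffer holds an SMB packet
 * and, if it does, dissect it.
 *
 * A buffer is accepted when at least four bytes are present and they are
 * 0xFF 'S' 'M' 'B'.  Nothing beyond those four bytes is examined here, so
 * any payload that happens to start with them is handed to dissect_smb();
 * every further check on the packet contents is left to that function.
 *
 * NOTE(review): the listing this block was taken from drops several source
 * lines -- the return type, the braces and the statements under both
 * tests.  They are restored below as "static gboolean", "return FALSE"
 * (not SMB) and "return TRUE" (dissected); confirm against the original
 * file.
 */
static gboolean
dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	/*
	 * Must check that this really is an SMB packet.  The length test
	 * comes first so that the four byte reads below stay inside the
	 * data that is actually present.
	 */
	if (!tvb_bytes_exist(tvb, 0, 4)) {
		return FALSE;
	}

	/* SMB header magic: 0xFF followed by the ASCII letters "SMB". */
	if ((tvb_get_guint8(tvb, 0) != 0xff)
	    || (tvb_get_guint8(tvb, 1) != 'S')
	    || (tvb_get_guint8(tvb, 2) != 'M')
	    || (tvb_get_guint8(tvb, 3) != 'B')) {
		return FALSE;
	}

	dissect_smb(tvb, pinfo, parent_tree);
	return TRUE;
}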
15269 proto_register_smb(void)
15271 static hf_register_info hf[] = {
15273 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
15274 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
15276 { &hf_smb_trans2_subcmd,
15277 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
15278 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
15280 { &hf_smb_nt_trans_subcmd,
15281 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
15282 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
15284 { &hf_smb_word_count,
15285 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
15286 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
15288 { &hf_smb_byte_count,
15289 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
15290 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
15292 { &hf_smb_response_to,
15293 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
15294 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
15297 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
15298 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
15300 { &hf_smb_response_in,
15301 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
15302 NULL, 0, "The response to this packet is in this packet", HFILL }},
15304 { &hf_smb_continuation_to,
15305 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
15306 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
15308 { &hf_smb_nt_status,
15309 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
15310 VALS(NT_errors), 0, "NT Status code", HFILL }},
15312 { &hf_smb_error_class,
15313 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
15314 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
15316 { &hf_smb_error_code,
15317 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
15318 NULL, 0, "DOS Error Code", HFILL }},
15320 { &hf_smb_reserved,
15321 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
15322 NULL, 0, "Reserved bytes, must be zero", HFILL }},
15325 { "Signature", "smb.signature", FT_BYTES, BASE_HEX,
15326 NULL, 0, "Signature bytes", HFILL }},
15329 { "Key", "smb.key", FT_UINT32, BASE_HEX,
15330 NULL, 0, "SMB-over-IPX Key", HFILL }},
15332 { &hf_smb_session_id,
15333 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
15334 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
15336 { &hf_smb_sequence_num,
15337 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
15338 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
15340 { &hf_smb_group_id,
15341 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
15342 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
15345 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
15346 NULL, 0, "Process ID", HFILL }},
15348 { &hf_smb_pid_high,
15349 { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
15350 NULL, 0, "Process ID High Bytes", HFILL }},
15353 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
15354 NULL, 0, "Tree ID", HFILL }},
15357 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
15358 NULL, 0, "User ID", HFILL }},
15361 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
15362 NULL, 0, "Multiplex ID", HFILL }},
15364 { &hf_smb_flags_lock,
15365 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
15366 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
15368 { &hf_smb_flags_receive_buffer,
15369 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
15370 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
15372 { &hf_smb_flags_caseless,
15373 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
15374 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
15376 { &hf_smb_flags_canon,
15377 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
15378 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
15380 { &hf_smb_flags_oplock,
15381 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
15382 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
15384 { &hf_smb_flags_notify,
15385 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
15386 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
15388 { &hf_smb_flags_response,
15389 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
15390 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
15392 { &hf_smb_flags2_long_names_allowed,
15393 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
15394 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
15396 { &hf_smb_flags2_ea,
15397 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
15398 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
15400 { &hf_smb_flags2_sec_sig,
15401 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
15402 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
15404 { &hf_smb_flags2_long_names_used,
15405 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
15406 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
15408 { &hf_smb_flags2_esn,
15409 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
15410 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
15412 { &hf_smb_flags2_dfs,
15413 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
15414 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
15416 { &hf_smb_flags2_roe,
15417 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
15418 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
15420 { &hf_smb_flags2_nt_error,
15421 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
15422 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
15424 { &hf_smb_flags2_string,
15425 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
15426 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
15428 { &hf_smb_buffer_format,
15429 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
15430 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
15432 { &hf_smb_dialect_name,
15433 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
15434 NULL, 0, "Name of dialect", HFILL }},
15436 { &hf_smb_dialect_index,
15437 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
15438 NULL, 0, "Index of selected dialect", HFILL }},
15440 { &hf_smb_max_trans_buf_size,
15441 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
15442 NULL, 0, "Maximum transmit buffer size", HFILL }},
15444 { &hf_smb_max_mpx_count,
15445 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
15446 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
15448 { &hf_smb_max_vcs_num,
15449 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
15450 NULL, 0, "Maximum VCs between client and server", HFILL }},
15452 { &hf_smb_session_key,
15453 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
15454 NULL, 0, "Unique token identifying this session", HFILL }},
15456 { &hf_smb_server_timezone,
15457 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
15458 NULL, 0, "Current timezone at server.", HFILL }},
15460 { &hf_smb_encryption_key_length,
15461 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
15462 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
15464 { &hf_smb_encryption_key,
15465 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
15466 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
15468 { &hf_smb_primary_domain,
15469 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
15470 NULL, 0, "The server's primary domain", HFILL }},
15473 { "Server", "smb.server", FT_STRING, BASE_NONE,
15474 NULL, 0, "The name of the DC/server", HFILL }},
15476 { &hf_smb_max_raw_buf_size,
15477 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
15478 NULL, 0, "Maximum raw buffer size", HFILL }},
15480 { &hf_smb_server_guid,
15481 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
15482 NULL, 0, "Globally unique identifier for this server", HFILL }},
15484 { &hf_smb_security_blob_len,
15485 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
15486 NULL, 0, "Security blob length", HFILL }},
15488 { &hf_smb_security_blob,
15489 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
15490 NULL, 0, "Security blob", HFILL }},
15492 { &hf_smb_sm_mode16,
15493 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
15494 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15496 { &hf_smb_sm_password16,
15497 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
15498 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15501 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
15502 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15504 { &hf_smb_sm_password,
15505 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
15506 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15508 { &hf_smb_sm_signatures,
15509 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
15510 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
15512 { &hf_smb_sm_sig_required,
15513 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
15514 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
15517 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
15518 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
15520 { &hf_smb_rm_write,
15521 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
15522 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
15524 { &hf_smb_server_date_time,
15525 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
15526 NULL, 0, "Current date and time at server", HFILL }},
15528 { &hf_smb_server_smb_date,
15529 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
15530 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
15532 { &hf_smb_server_smb_time,
15533 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
15534 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
15536 { &hf_smb_server_cap_raw_mode,
15537 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
15538 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
15540 { &hf_smb_server_cap_mpx_mode,
15541 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
15542 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
15544 { &hf_smb_server_cap_unicode,
15545 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
15546 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
15548 { &hf_smb_server_cap_large_files,
15549 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
15550 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
15552 { &hf_smb_server_cap_nt_smbs,
15553 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
15554 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
15556 { &hf_smb_server_cap_rpc_remote_apis,
15557 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
15558 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
15560 { &hf_smb_server_cap_nt_status,
15561 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
15562 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
15564 { &hf_smb_server_cap_level_ii_oplocks,
15565 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
15566 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
15568 { &hf_smb_server_cap_lock_and_read,
15569 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
15570 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
15572 { &hf_smb_server_cap_nt_find,
15573 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
15574 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
15576 { &hf_smb_server_cap_dfs,
15577 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
15578 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
15580 { &hf_smb_server_cap_infolevel_passthru,
15581 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
15582 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
15584 { &hf_smb_server_cap_large_readx,
15585 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
15586 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
15588 { &hf_smb_server_cap_large_writex,
15589 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
15590 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
15592 { &hf_smb_server_cap_unix,
15593 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
15594 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
15596 { &hf_smb_server_cap_reserved,
15597 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
15598 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
15600 { &hf_smb_server_cap_bulk_transfer,
15601 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
15602 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
15604 { &hf_smb_server_cap_compressed_data,
15605 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
15606 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
15608 { &hf_smb_server_cap_extended_security,
15609 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
15610 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
15612 { &hf_smb_system_time,
15613 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
15614 NULL, 0, "System Time", HFILL }},
15617 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
15618 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
15620 { &hf_smb_dir_name,
15621 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
15622 NULL, 0, "SMB Directory Name", HFILL }},
15624 { &hf_smb_echo_count,
15625 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
15626 NULL, 0, "Number of times to echo data back", HFILL }},
15628 { &hf_smb_echo_data,
15629 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
15630 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
15632 { &hf_smb_echo_seq_num,
15633 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
15634 NULL, 0, "Sequence number for this echo response", HFILL }},
15636 { &hf_smb_max_buf_size,
15637 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
15638 NULL, 0, "Max client buffer size", HFILL }},
15641 { "Path", "smb.path", FT_STRING, BASE_NONE,
15642 NULL, 0, "Path. Server name and share name", HFILL }},
15645 { "Service", "smb.service", FT_STRING, BASE_NONE,
15646 NULL, 0, "Service name", HFILL }},
15648 { &hf_smb_password,
15649 { "Password", "smb.password", FT_BYTES, BASE_NONE,
15650 NULL, 0, "Password", HFILL }},
15652 { &hf_smb_ansi_password,
15653 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
15654 NULL, 0, "ANSI Password", HFILL }},
15656 { &hf_smb_unicode_password,
15657 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
15658 NULL, 0, "Unicode Password", HFILL }},
15660 { &hf_smb_move_flags_file,
15661 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
15662 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
15664 { &hf_smb_move_flags_dir,
15665 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
15666 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
15668 { &hf_smb_move_flags_verify,
15669 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
15670 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
15672 { &hf_smb_files_moved,
15673 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
15674 NULL, 0, "Number of files moved", HFILL }},
15676 { &hf_smb_copy_flags_file,
15677 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
15678 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
15680 { &hf_smb_copy_flags_dir,
15681 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
15682 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
15684 { &hf_smb_copy_flags_dest_mode,
15685 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
15686 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
15688 { &hf_smb_copy_flags_source_mode,
15689 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
15690 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
15692 { &hf_smb_copy_flags_verify,
15693 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
15694 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
15696 { &hf_smb_copy_flags_tree_copy,
15697 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
15698 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
15700 { &hf_smb_copy_flags_ea_action,
15701 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
15702 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
15705 { "Count", "smb.count", FT_UINT32, BASE_DEC,
15706 NULL, 0, "Count number of items/bytes", HFILL }},
15708 { &hf_smb_count_low,
15709 { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
15710 NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
15712 { &hf_smb_count_high,
15713 { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
15714 NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
15716 { &hf_smb_file_name,
15717 { "File Name", "smb.file", FT_STRING, BASE_NONE,
15718 NULL, 0, "File Name", HFILL }},
15720 { &hf_smb_open_function_create,
15721 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
15722 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
15724 { &hf_smb_open_function_open,
15725 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
15726 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
15729 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
15730 NULL, 0, "FID: File ID", HFILL }},
15732 { &hf_smb_file_attr_read_only_16bit,
15733 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
15734 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15736 { &hf_smb_file_attr_read_only_8bit,
15737 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
15738 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15740 { &hf_smb_file_attr_hidden_16bit,
15741 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
15742 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15744 { &hf_smb_file_attr_hidden_8bit,
15745 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
15746 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15748 { &hf_smb_file_attr_system_16bit,
15749 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
15750 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15752 { &hf_smb_file_attr_system_8bit,
15753 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
15754 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15756 { &hf_smb_file_attr_volume_16bit,
15757 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
15758 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
15760 { &hf_smb_file_attr_volume_8bit,
15761 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
15762 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
15764 { &hf_smb_file_attr_directory_16bit,
15765 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
15766 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15768 { &hf_smb_file_attr_directory_8bit,
15769 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
15770 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15772 { &hf_smb_file_attr_archive_16bit,
15773 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
15774 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15776 { &hf_smb_file_attr_archive_8bit,
15777 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
15778 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15780 { &hf_smb_file_attr_device,
15781 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
15782 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
15784 { &hf_smb_file_attr_normal,
15785 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
15786 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
15788 { &hf_smb_file_attr_temporary,
15789 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
15790 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
15792 { &hf_smb_file_attr_sparse,
15793 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
15794 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
15796 { &hf_smb_file_attr_reparse,
15797 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
15798 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
15800 { &hf_smb_file_attr_compressed,
15801 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
15802 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
15804 { &hf_smb_file_attr_offline,
15805 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
15806 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
15808 { &hf_smb_file_attr_not_content_indexed,
15809 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
15810 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
15812 { &hf_smb_file_attr_encrypted,
15813 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
15814 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
15816 { &hf_smb_file_size,
15817 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
15818 NULL, 0, "File Size", HFILL }},
15820 { &hf_smb_search_attribute_read_only,
15821 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
15822 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
15824 { &hf_smb_search_attribute_hidden,
15825 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
15826 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
15828 { &hf_smb_search_attribute_system,
15829 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
15830 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
15832 { &hf_smb_search_attribute_volume,
15833 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
15834 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
15836 { &hf_smb_search_attribute_directory,
15837 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
15838 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
15840 { &hf_smb_search_attribute_archive,
15841 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
15842 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
15844 { &hf_smb_access_mode,
15845 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
15846 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
15848 { &hf_smb_access_sharing,
15849 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
15850 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
15852 { &hf_smb_access_locality,
15853 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
15854 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
15856 { &hf_smb_access_caching,
15857 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
15858 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
15860 { &hf_smb_access_writetru,
15861 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
15862 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
15864 { &hf_smb_create_time,
15865 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
15866 NULL, 0, "Creation Time", HFILL }},
15868 { &hf_smb_modify_time,
15869 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
15870 NULL, 0, "Modification Time", HFILL }},
15872 { &hf_smb_backup_time,
15873 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
15874 NULL, 0, "Backup time", HFILL}},
15876 { &hf_smb_mac_alloc_block_count,
15877 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
15878 NULL, 0, "Allocation Block Count", HFILL}},
15880 { &hf_smb_mac_alloc_block_size,
15881 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
15882 NULL, 0, "Allocation Block Size", HFILL}},
15884 { &hf_smb_mac_free_block_count,
15885 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
15886 NULL, 0, "Free Block Count", HFILL}},
15888 { &hf_smb_mac_root_file_count,
15889 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
15890 NULL, 0, "Root File Count", HFILL}},
15892 { &hf_smb_mac_root_dir_count,
15893 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
15894 NULL, 0, "Root Directory Count", HFILL}},
15896 { &hf_smb_mac_file_count,
15897 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
15898 NULL, 0, "File Count", HFILL}},
15900 { &hf_smb_mac_dir_count,
15901 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
15902 NULL, 0, "Directory Count", HFILL}},
15904 { &hf_smb_mac_support_flags,
15905 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
15906 NULL, 0, "Mac Support Flags", HFILL}},
15908 { &hf_smb_mac_sup_access_ctrl,
15909 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
15910 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
15912 { &hf_smb_mac_sup_getset_comments,
15913 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
15914 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
15916 { &hf_smb_mac_sup_desktopdb_calls,
15917 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
15918 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
15920 { &hf_smb_mac_sup_unique_ids,
15921 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
15922 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
15924 { &hf_smb_mac_sup_streams,
15925 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
15926 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
15928 { &hf_smb_create_dos_date,
15929 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
15930 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
15932 { &hf_smb_create_dos_time,
15933 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
15934 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
15936 { &hf_smb_last_write_time,
15937 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
15938 NULL, 0, "Time this file was last written to", HFILL }},
15940 { &hf_smb_last_write_dos_date,
15941 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
15942 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
15944 { &hf_smb_last_write_dos_time,
15945 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
15946 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
15948 { &hf_smb_old_file_name,
15949 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
15950 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
15953 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
15954 NULL, 0, "Offset in file", HFILL }},
15956 { &hf_smb_remaining,
15957 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
15958 NULL, 0, "Remaining number of bytes", HFILL }},
15961 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
15962 NULL, 0, "Padding or unknown data", HFILL }},
15964 { &hf_smb_file_data,
15965 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
15966 NULL, 0, "Data read/written to the file", HFILL }},
15968 { &hf_smb_mac_fndrinfo,
15969 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
15970 NULL, 0, "Finder Info", HFILL}},
15972 { &hf_smb_total_data_len,
15973 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
15974 NULL, 0, "Total length of data", HFILL }},
15976 { &hf_smb_data_len,
15977 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
15978 NULL, 0, "Length of data", HFILL }},
15980 { &hf_smb_data_len_low,
15981 { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
15982 NULL, 0, "Length of data, Low 16 bits", HFILL }},
15984 { &hf_smb_data_len_high,
15985 { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
15986 NULL, 0, "Length of data, High 16 bits", HFILL }},
15988 { &hf_smb_seek_mode,
15989 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
15990 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
15992 { &hf_smb_access_time,
15993 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
15994 NULL, 0, "Last Access Time", HFILL }},
15996 { &hf_smb_access_dos_date,
15997 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
15998 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
16000 { &hf_smb_access_dos_time,
16001 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
16002 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
16004 { &hf_smb_data_size,
16005 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
16006 NULL, 0, "Data Size", HFILL }},
16008 { &hf_smb_alloc_size,
16009 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
16010 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
16012 { &hf_smb_max_count,
16013 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
16014 NULL, 0, "Maximum Count", HFILL }},
16016 { &hf_smb_max_count_low,
16017 { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
16018 NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
16020 { &hf_smb_max_count_high,
16021 { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
16022 NULL, 0, "Maximum Count, High 16 bits", HFILL }},
16024 { &hf_smb_min_count,
16025 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
16026 NULL, 0, "Minimum Count", HFILL }},
16029 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
16030 NULL, 0, "Timeout in miliseconds", HFILL }},
16032 { &hf_smb_high_offset,
16033 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
16034 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
16037 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
16038 NULL, 0, "Total number of units at server", HFILL }},
16041 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
16042 NULL, 0, "Blocks per unit at server", HFILL }},
16044 { &hf_smb_blocksize,
16045 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
16046 NULL, 0, "Block size (in bytes) at server", HFILL }},
16048 { &hf_smb_freeunits,
16049 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
16050 NULL, 0, "Number of free units at server", HFILL }},
16052 { &hf_smb_data_offset,
16053 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
16054 NULL, 0, "Data Offset", HFILL }},
16057 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
16058 NULL, 0, "Data Compaction Mode", HFILL }},
16060 { &hf_smb_request_mask,
16061 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
16062 NULL, 0, "Connectionless mode mask", HFILL }},
16064 { &hf_smb_response_mask,
16065 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
16066 NULL, 0, "Connectionless mode mask", HFILL }},
16068 { &hf_smb_search_id,
16069 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
16070 NULL, 0, "Search ID, handle for find operations", HFILL }},
16072 { &hf_smb_write_mode_write_through,
16073 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
16074 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
16076 { &hf_smb_write_mode_return_remaining,
16077 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
16078 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
16080 { &hf_smb_write_mode_raw,
16081 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
16082 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
16084 { &hf_smb_write_mode_message_start,
16085 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
16086 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
16088 { &hf_smb_write_mode_connectionless,
16089 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
16090 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
16092 { &hf_smb_resume_key_len,
16093 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
16094 NULL, 0, "Resume Key length", HFILL }},
16096 { &hf_smb_resume_find_id,
16097 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
16098 NULL, 0, "Handle for Find operation", HFILL }},
16100 { &hf_smb_resume_server_cookie,
16101 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
16102 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
16104 { &hf_smb_resume_client_cookie,
16105 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
16106 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
16108 { &hf_smb_andxoffset,
16109 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
16110 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
16112 { &hf_smb_lock_type_large,
16113 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
16114 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
16116 { &hf_smb_lock_type_cancel,
16117 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
16118 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
16120 { &hf_smb_lock_type_change,
16121 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
16122 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
16124 { &hf_smb_lock_type_oplock,
16125 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
16126 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
16128 { &hf_smb_lock_type_shared,
16129 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
16130 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
16132 { &hf_smb_locking_ol,
16133 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
16134 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
16136 { &hf_smb_number_of_locks,
16137 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
16138 NULL, 0, "Number of lock requests in this request", HFILL }},
16140 { &hf_smb_number_of_unlocks,
16141 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
16142 NULL, 0, "Number of unlock requests in this request", HFILL }},
16144 { &hf_smb_lock_long_length,
16145 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
16146 NULL, 0, "Length of lock/unlock region", HFILL }},
16148 { &hf_smb_lock_long_offset,
16149 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
16150 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
16152 { &hf_smb_file_type,
16153 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
16154 VALS(filetype_vals), 0, "Type of file", HFILL }},
16156 { &hf_smb_ipc_state_nonblocking,
16157 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
16158 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
16160 { &hf_smb_ipc_state_endpoint,
16161 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
16162 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
16164 { &hf_smb_ipc_state_pipe_type,
16165 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
16166 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
16168 { &hf_smb_ipc_state_read_mode,
16169 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
16170 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
16172 { &hf_smb_ipc_state_icount,
16173 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
16174 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
16176 { &hf_smb_server_fid,
16177 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
16178 NULL, 0, "Server unique File ID", HFILL }},
16180 { &hf_smb_open_flags_add_info,
16181 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
16182 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
16184 { &hf_smb_open_flags_ex_oplock,
16185 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
16186 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
16188 { &hf_smb_open_flags_batch_oplock,
16189 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
16190 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
16192 { &hf_smb_open_flags_ealen,
16193 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
16194 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
16196 { &hf_smb_open_action_open,
16197 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
16198 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
16200 { &hf_smb_open_action_lock,
16201 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
16202 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
16205 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
16206 NULL, 0, "VC Number", HFILL }},
16208 { &hf_smb_password_len,
16209 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
16210 NULL, 0, "Length of password", HFILL }},
16212 { &hf_smb_ansi_password_len,
16213 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
16214 NULL, 0, "Length of ANSI password", HFILL }},
16216 { &hf_smb_unicode_password_len,
16217 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
16218 NULL, 0, "Length of Unicode password", HFILL }},
16221 { "Account", "smb.account", FT_STRING, BASE_NONE,
16222 NULL, 0, "Account, username", HFILL }},
16225 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
16226 NULL, 0, "Which OS we are running", HFILL }},
16229 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
16230 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
16232 { &hf_smb_setup_action_guest,
16233 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
16234 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
16237 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
16238 NULL, 0, "Native File System", HFILL }},
16240 { &hf_smb_connect_flags_dtid,
16241 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
16242 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
16244 { &hf_smb_connect_support_search,
16245 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
16246 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
16248 { &hf_smb_connect_support_in_dfs,
16249 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
16250 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
16252 { &hf_smb_max_setup_count,
16253 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
16254 NULL, 0, "Maximum number of setup words to return", HFILL }},
16256 { &hf_smb_total_param_count,
16257 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
16258 NULL, 0, "Total number of parameter bytes", HFILL }},
16260 { &hf_smb_total_data_count,
16261 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
16262 NULL, 0, "Total number of data bytes", HFILL }},
16264 { &hf_smb_max_param_count,
16265 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
16266 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
16268 { &hf_smb_max_data_count,
16269 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
16270 NULL, 0, "Maximum number of data bytes to return", HFILL }},
16272 { &hf_smb_param_disp16,
16273 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
16274 NULL, 0, "Displacement of these parameter bytes", HFILL }},
16276 { &hf_smb_param_count16,
16277 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
16278 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
16280 { &hf_smb_param_offset16,
16281 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
16282 NULL, 0, "Offset (from header start) to parameters", HFILL }},
16284 { &hf_smb_param_disp32,
16285 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
16286 NULL, 0, "Displacement of these parameter bytes", HFILL }},
16288 { &hf_smb_param_count32,
16289 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
16290 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
16292 { &hf_smb_param_offset32,
16293 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
16294 NULL, 0, "Offset (from header start) to parameters", HFILL }},
16296 { &hf_smb_data_count16,
16297 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
16298 NULL, 0, "Number of data bytes in this buffer", HFILL }},
16300 { &hf_smb_data_disp16,
16301 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
16302 NULL, 0, "Data Displacement", HFILL }},
16304 { &hf_smb_data_offset16,
16305 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
16306 NULL, 0, "Data Offset", HFILL }},
16308 { &hf_smb_data_count32,
16309 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
16310 NULL, 0, "Number of data bytes in this buffer", HFILL }},
16312 { &hf_smb_data_disp32,
16313 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
16314 NULL, 0, "Data Displacement", HFILL }},
16316 { &hf_smb_data_offset32,
16317 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
16318 NULL, 0, "Data Offset", HFILL }},
16320 { &hf_smb_setup_count,
16321 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
16322 NULL, 0, "Number of setup words in this buffer", HFILL }},
16324 { &hf_smb_nt_ioctl_function_code,
16325 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
16326 NULL, 0, "NT IOCTL function code", HFILL }},
16328 { &hf_smb_nt_ioctl_isfsctl,
16329 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
16330 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
16332 { &hf_smb_nt_ioctl_flags_root_handle,
16333 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
16334 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
16336 { &hf_smb_nt_ioctl_data,
16337 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
16338 NULL, 0, "Data for the IOCTL call", HFILL }},
16340 { &hf_smb_nt_notify_action,
16341 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
16342 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
16344 { &hf_smb_nt_notify_watch_tree,
16345 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
16346 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
16348 { &hf_smb_nt_notify_stream_write,
16349 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
16350 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
16352 { &hf_smb_nt_notify_stream_size,
16353 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
16354 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
16356 { &hf_smb_nt_notify_stream_name,
16357 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
16358 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
16360 { &hf_smb_nt_notify_security,
16361 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
16362 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
16364 { &hf_smb_nt_notify_ea,
16365 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
16366 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
16368 { &hf_smb_nt_notify_creation,
16369 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
16370 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
16372 { &hf_smb_nt_notify_last_access,
16373 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
16374 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
16376 { &hf_smb_nt_notify_last_write,
16377 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
16378 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
16380 { &hf_smb_nt_notify_size,
16381 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
16382 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
16384 { &hf_smb_nt_notify_attributes,
16385 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
16386 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
16388 { &hf_smb_nt_notify_dir_name,
16389 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
16390 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
16392 { &hf_smb_nt_notify_file_name,
16393 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
16394 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
16396 { &hf_smb_root_dir_fid,
16397 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
16398 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
16400 { &hf_smb_alloc_size64,
16401 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
16402 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
16404 { &hf_smb_nt_create_disposition,
16405 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
16406 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
16408 { &hf_smb_sd_length,
16409 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
16410 NULL, 0, "Total length of security descriptor", HFILL }},
16412 { &hf_smb_ea_list_length,
16413 { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
16414 NULL, 0, "Total length of extended attributes", HFILL }},
16416 { &hf_smb_ea_flags,
16417 { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
16418 NULL, 0, "EA Flags", HFILL }},
16420 { &hf_smb_ea_name_length,
16421 { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
16422 NULL, 0, "EA Name Length", HFILL }},
16424 { &hf_smb_ea_data_length,
16425 { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
16426 NULL, 0, "EA Data Length", HFILL }},
16429 { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
16430 NULL, 0, "EA Name", HFILL }},
16433 { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE,
16434 NULL, 0, "EA Data", HFILL }},
16436 { &hf_smb_file_name_len,
16437 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
16438 NULL, 0, "Length of File Name", HFILL }},
16440 { &hf_smb_nt_impersonation_level,
16441 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
16442 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
16444 { &hf_smb_nt_security_flags_context_tracking,
16445 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
16446 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
16448 { &hf_smb_nt_security_flags_effective_only,
16449 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
16450 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
16452 { &hf_smb_nt_access_mask_generic_read,
16453 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
16454 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
16456 { &hf_smb_nt_access_mask_generic_write,
16457 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
16458 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
16460 { &hf_smb_nt_access_mask_generic_execute,
16461 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
16462 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
16464 { &hf_smb_nt_access_mask_generic_all,
16465 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
16466 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
16468 { &hf_smb_nt_access_mask_maximum_allowed,
16469 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
16470 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
16472 { &hf_smb_nt_access_mask_system_security,
16473 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
16474 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
16476 { &hf_smb_nt_access_mask_synchronize,
16477 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
16478 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
16480 { &hf_smb_nt_access_mask_write_owner,
16481 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
16482 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
16484 { &hf_smb_nt_access_mask_write_dac,
16485 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
16486 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
16488 { &hf_smb_nt_access_mask_read_control,
16489 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
16490 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
16492 { &hf_smb_nt_access_mask_delete,
16493 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
16494 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
16496 { &hf_smb_nt_access_mask_write_attributes,
16497 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
16498 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
16500 { &hf_smb_nt_access_mask_read_attributes,
16501 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
16502 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
16504 { &hf_smb_nt_access_mask_delete_child,
16505 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
16506 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
16509 /* "Execute" for files, "traverse" for directories. */
16511 { &hf_smb_nt_access_mask_execute,
16512 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
16513 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
16515 { &hf_smb_nt_access_mask_write_ea,
16516 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
16517 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
16519 { &hf_smb_nt_access_mask_read_ea,
16520 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
16521 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
16524 /* "Append data" for files, "add subdirectory" for directories,
16525 * "create pipe instance" for named pipes. */
16527 { &hf_smb_nt_access_mask_append,
16528 { "Append", "smb.access.append", FT_BOOLEAN, 32,
16529 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
16532 /* "Write data" for files and pipes, "add file" for directories. */
16534 { &hf_smb_nt_access_mask_write,
16535 { "Write", "smb.access.write", FT_BOOLEAN, 32,
16536 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
16539 /* "Read data" for files and pipes, "list directory" for directories. */
16541 { &hf_smb_nt_access_mask_read,
16542 { "Read", "smb.access.read", FT_BOOLEAN, 32,
16543 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
16545 { &hf_smb_nt_create_bits_oplock,
16546 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
16547 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
16549 { &hf_smb_nt_create_bits_boplock,
16550 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
16551 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
16553 { &hf_smb_nt_create_bits_dir,
16554 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
16555 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
16557 { &hf_smb_nt_create_bits_ext_resp,
16558 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
16559 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
16561 { &hf_smb_nt_create_options_directory_file,
16562 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
16563 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
16565 { &hf_smb_nt_create_options_write_through,
16566 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
16567 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
16569 { &hf_smb_nt_create_options_sequential_only,
16570 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
16571 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
16573 { &hf_smb_nt_create_options_sync_io_alert,
16574 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
16575 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
16577 { &hf_smb_nt_create_options_sync_io_nonalert,
16578 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
16579 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
16581 { &hf_smb_nt_create_options_non_directory_file,
16582 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
16583 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
16585 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
16586 and "NtOpenFile()"; is that sent over the wire? Network
16587 Monitor thinks so, but its author may just have grabbed
16588 the flag bits from a system header file. */
16590 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
16591 and "NtOpenFile()"; is that sent over the wire? NetMon
16592 thinks so, but see previous comment. */
16594 { &hf_smb_nt_create_options_no_ea_knowledge,
16595 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
16596 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
16598 { &hf_smb_nt_create_options_eight_dot_three_only,
16599 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
16600 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
16602 { &hf_smb_nt_create_options_random_access,
16603 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
16604 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
16606 { &hf_smb_nt_create_options_delete_on_close,
16607 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
16608 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
16610 /* 0x00002000 is "open by FID", or something such as that (which
16611 I suspect is like "open by inumber" on UNIX), at least in
16612 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
16613 wire? NetMon thinks so, but see previous comment. */
16615 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
16616 and "NtOpenFile()"; is that sent over the wire? NetMon
16617 thinks so, but see previous comment. */
16619 { &hf_smb_nt_share_access_read,
16620 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
16621 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
16623 { &hf_smb_nt_share_access_write,
16624 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
16625 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
16627 { &hf_smb_nt_share_access_delete,
16628 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
16629 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
16631 { &hf_smb_file_eattr_read_only,
16632 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
16633 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16635 { &hf_smb_file_eattr_hidden,
16636 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
16637 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16639 { &hf_smb_file_eattr_system,
16640 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
16641 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16643 { &hf_smb_file_eattr_volume,
16644 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
16645 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
16647 { &hf_smb_file_eattr_directory,
16648 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
16649 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16651 { &hf_smb_file_eattr_archive,
16652 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
16653 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16655 { &hf_smb_file_eattr_device,
16656 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
16657 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
16659 { &hf_smb_file_eattr_normal,
16660 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
16661 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
16663 { &hf_smb_file_eattr_temporary,
16664 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
16665 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
16667 { &hf_smb_file_eattr_sparse,
16668 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
16669 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
16671 { &hf_smb_file_eattr_reparse,
16672 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
16673 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
16675 { &hf_smb_file_eattr_compressed,
16676 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
16677 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
16679 { &hf_smb_file_eattr_offline,
16680 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
16681 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
16683 { &hf_smb_file_eattr_not_content_indexed,
16684 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
16685 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
16687 { &hf_smb_file_eattr_encrypted,
16688 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
16689 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
16691 { &hf_smb_sec_desc_len,
16692 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
16693 NULL, 0, "Security Descriptor Length", HFILL }},
16695 { &hf_smb_nt_qsd_owner,
16696 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
16697 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
16699 { &hf_smb_nt_qsd_group,
16700 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
16701 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
16703 { &hf_smb_nt_qsd_dacl,
16704 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
16705 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
16707 { &hf_smb_nt_qsd_sacl,
16708 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
16709 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
16711 { &hf_smb_extended_attributes,
16712 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
16713 NULL, 0, "Extended Attributes", HFILL }},
16715 { &hf_smb_oplock_level,
16716 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
16717 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
16719 { &hf_smb_create_action,
16720 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
16721 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
16724 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
16725 NULL, 0, "Server unique file ID", HFILL }},
16727 { &hf_smb_ea_error_offset,
16728 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
16729 NULL, 0, "Offset into EA list if EA error", HFILL }},
16731 { &hf_smb_end_of_file,
16732 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
16733 NULL, 0, "Offset to the first free byte in the file", HFILL }},
16736 { "Replace", "smb.replace", FT_BOOLEAN, BASE_NONE,
16737 TFS(&tfs_smb_replace), 0x0, "Remove target if it exists?", HFILL }},
16739 { &hf_smb_root_dir_handle,
16740 { "Root Directory Handle", "smb.root_dir_handle", FT_UINT32, BASE_HEX,
16741 NULL, 0, "Root directory handle", HFILL }},
16743 { &hf_smb_target_name_len,
16744 { "Target name length", "smb.target_name_len", FT_UINT32, BASE_DEC,
16745 NULL, 0, "Length of target file name", HFILL }},
16747 { &hf_smb_target_name,
16748 { "Target name", "smb.target_name", FT_STRING, BASE_NONE,
16749 NULL, 0, "Target file name", HFILL }},
16751 { &hf_smb_device_type,
16752 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
16753 VALS(device_type_vals), 0, "Type of device", HFILL }},
16755 { &hf_smb_is_directory,
16756 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
16757 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
16759 { &hf_smb_next_entry_offset,
16760 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
16761 NULL, 0, "Offset to next entry", HFILL }},
16763 { &hf_smb_change_time,
16764 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
16765 NULL, 0, "Last Change Time", HFILL }},
16767 { &hf_smb_setup_len,
16768 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
16769 NULL, 0, "Length of printer setup data", HFILL }},
16771 { &hf_smb_print_mode,
16772 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
16773 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
16775 { &hf_smb_print_identifier,
16776 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
16777 NULL, 0, "Identifier string for this print job", HFILL }},
16779 { &hf_smb_restart_index,
16780 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
16781 NULL, 0, "Index of entry after last returned", HFILL }},
16783 { &hf_smb_print_queue_date,
16784 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
16785 NULL, 0, "Date when this entry was queued", HFILL }},
16787 { &hf_smb_print_queue_dos_date,
16788 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
16789 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
16791 { &hf_smb_print_queue_dos_time,
16792 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
16793 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
16795 { &hf_smb_print_status,
16796 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
16797 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
16799 { &hf_smb_print_spool_file_number,
16800 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
16801 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
16803 { &hf_smb_print_spool_file_size,
16804 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
16805 NULL, 0, "Number of bytes in spool file", HFILL }},
16807 { &hf_smb_print_spool_file_name,
16808 { "Name", "smb.print.spool.name", FT_STRINGZ, BASE_NONE,
16809 NULL, 0, "Name of client that submitted this job", HFILL }},
16811 { &hf_smb_start_index,
16812 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
16813 NULL, 0, "First queue entry to return", HFILL }},
16815 { &hf_smb_originator_name,
16816 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
16817 NULL, 0, "Name of sender of message", HFILL }},
16819 { &hf_smb_destination_name,
16820 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
16821 NULL, 0, "Name of recipient of message", HFILL }},
16823 { &hf_smb_message_len,
16824 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
16825 NULL, 0, "Length of message", HFILL }},
16828 { "Message", "smb.message", FT_STRING, BASE_NONE,
16829 NULL, 0, "Message text", HFILL }},
16832 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
16833 NULL, 0, "Message group ID for multi-block messages", HFILL }},
16835 { &hf_smb_forwarded_name,
16836 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
16837 NULL, 0, "Recipient name being forwarded", HFILL }},
16839 { &hf_smb_machine_name,
16840 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
16841 NULL, 0, "Name of target machine", HFILL }},
16843 { &hf_smb_cancel_to,
16844 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
16845 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
16847 { &hf_smb_trans_name,
16848 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
16849 NULL, 0, "Name of transaction", HFILL }},
16851 { &hf_smb_transaction_flags_dtid,
16852 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
16853 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
16855 { &hf_smb_transaction_flags_owt,
16856 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
16857 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
16859 { &hf_smb_search_count,
16860 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
16861 NULL, 0, "Maximum number of search entries to return", HFILL }},
16863 { &hf_smb_search_pattern,
16864 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
16865 NULL, 0, "Search Pattern", HFILL }},
16867 { &hf_smb_ff2_backup,
16868 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
16869 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
16871 { &hf_smb_ff2_continue,
16872 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
16873 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
16875 { &hf_smb_ff2_resume,
16876 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
16877 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
16879 { &hf_smb_ff2_close_eos,
16880 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
16881 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
16883 { &hf_smb_ff2_close,
16884 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
16885 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
16887 { &hf_smb_ff2_information_level,
16888 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
16889 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
16892 { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_DEC,
16893 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
16896 { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_DEC,
16897 VALS(spi_loi_vals), 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
16900 { &hf_smb_sfi_writetru,
16901 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
16902 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
16904 { &hf_smb_sfi_caching,
16905 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
16906 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
16909 { &hf_smb_storage_type,
16910 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
16911 NULL, 0, "Type of storage", HFILL }},
16914 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
16915 NULL, 0, "Resume Key", HFILL }},
16917 { &hf_smb_max_referral_level,
16918 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
16919 NULL, 0, "Latest referral version number understood", HFILL }},
16921 { &hf_smb_qfsi_information_level,
16922 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_HEX,
16923 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
16925 { &hf_smb_nt_rename_level,
16926 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
16927 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
16929 { &hf_smb_cluster_count,
16930 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
16931 NULL, 0, "Number of clusters", HFILL }},
16933 { &hf_smb_number_of_links,
16934 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
16935 NULL, 0, "Number of hard links to the file", HFILL }},
16937 { &hf_smb_delete_pending,
16938 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
16939 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
16941 { &hf_smb_index_number,
16942 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
16943 NULL, 0, "File system unique identifier", HFILL }},
16945 { &hf_smb_current_offset,
16946 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
16947 NULL, 0, "Current offset in the file", HFILL }},
16949 { &hf_smb_t2_alignment,
16950 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
16951 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
16953 { &hf_smb_t2_stream_name_length,
16954 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
16955 NULL, 0, "Length of stream name", HFILL }},
16957 { &hf_smb_t2_stream_size,
16958 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
16959 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16961 { &hf_smb_t2_stream_name,
16962 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
16963 NULL, 0, "Name of the stream", HFILL }},
16965 { &hf_smb_t2_compressed_file_size,
16966 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
16967 NULL, 0, "Size of the compressed file", HFILL }},
16969 { &hf_smb_t2_compressed_format,
16970 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
16971 NULL, 0, "Compression algorithm used", HFILL }},
16973 { &hf_smb_t2_compressed_unit_shift,
16974 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
16975 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16977 { &hf_smb_t2_compressed_chunk_shift,
16978 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
16979 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16981 { &hf_smb_t2_compressed_cluster_shift,
16982 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
16983 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16985 { &hf_smb_t2_marked_for_deletion,
16986 { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
16987 TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
16989 { &hf_smb_dfs_path_consumed,
16990 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
16991 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
16993 { &hf_smb_dfs_num_referrals,
16994 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
16995 NULL, 0, "Number of referrals in this pdu", HFILL }},
16997 { &hf_smb_get_dfs_server_hold_storage,
16998 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
16999 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
17001 { &hf_smb_get_dfs_fielding,
17002 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
17003 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
17005 { &hf_smb_dfs_referral_version,
17006 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
17007 NULL, 0, "Version of referral element", HFILL }},
17009 { &hf_smb_dfs_referral_size,
17010 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
17011 NULL, 0, "Size of referral element", HFILL }},
17013 { &hf_smb_dfs_referral_server_type,
17014 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
17015 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
17017 { &hf_smb_dfs_referral_flags_strip,
17018 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
17019 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
17021 { &hf_smb_dfs_referral_node_offset,
17022 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
17023 NULL, 0, "Offset of name of entity to visit next", HFILL }},
17025 { &hf_smb_dfs_referral_node,
17026 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
17027 NULL, 0, "Name of entity to visit next", HFILL }},
17029 { &hf_smb_dfs_referral_proximity,
17030 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
17031 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
17033 { &hf_smb_dfs_referral_ttl,
17034 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
17035 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
17037 { &hf_smb_dfs_referral_path_offset,
17038 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
17039 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
17041 { &hf_smb_dfs_referral_path,
17042 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
17043 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
17045 { &hf_smb_dfs_referral_alt_path_offset,
17046 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
17047 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
17049 { &hf_smb_dfs_referral_alt_path,
17050 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
17051 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
17053 { &hf_smb_end_of_search,
17054 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
17055 NULL, 0, "Was last entry returned?", HFILL }},
17057 { &hf_smb_last_name_offset,
17058 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
17059 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
17061 { &hf_smb_fn_information_level,
17062 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
17063 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
17065 { &hf_smb_monitor_handle,
17066 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
17067 NULL, 0, "Handle for Find Notify operations", HFILL }},
17069 { &hf_smb_change_count,
17070 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
17071 NULL, 0, "Number of changes to wait for", HFILL }},
17073 { &hf_smb_file_index,
17074 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
17075 NULL, 0, "File index", HFILL }},
17077 { &hf_smb_short_file_name,
17078 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
17079 NULL, 0, "Short (8.3) File Name", HFILL }},
17081 { &hf_smb_short_file_name_len,
17082 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
17083 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
17086 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
17087 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
17090 { "FS GUID", "smb.fs_guid", FT_STRING, BASE_NONE,
17091 NULL, 0, "File System GUID", HFILL }},
17093 { &hf_smb_sector_unit,
17094 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
17095 NULL, 0, "Sectors per allocation unit", HFILL }},
17097 { &hf_smb_fs_units,
17098 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
17099 NULL, 0, "Total number of units on this filesystem", HFILL }},
17101 { &hf_smb_fs_sector,
17102 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
17103 NULL, 0, "Bytes per sector", HFILL }},
17105 { &hf_smb_avail_units,
17106 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
17107 NULL, 0, "Total number of available units on this filesystem", HFILL }},
17109 { &hf_smb_volume_serial_num,
17110 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
17111 NULL, 0, "Volume serial number", HFILL }},
17113 { &hf_smb_volume_label_len,
17114 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
17115 NULL, 0, "Length of volume label", HFILL }},
17117 { &hf_smb_volume_label,
17118 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
17119 NULL, 0, "Volume label", HFILL }},
17121 { &hf_smb_free_alloc_units64,
17122 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
17123 NULL, 0, "Number of free allocation units", HFILL }},
17125 { &hf_smb_caller_free_alloc_units64,
17126 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
17127 NULL, 0, "Number of caller free allocation units", HFILL }},
17129 { &hf_smb_actual_free_alloc_units64,
17130 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
17131 NULL, 0, "Number of actual free allocation units", HFILL }},
17133 { &hf_smb_soft_quota_limit,
17134 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
17135 NULL, 0, "Soft Quota treshold", HFILL }},
17137 { &hf_smb_hard_quota_limit,
17138 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
17139 NULL, 0, "Hard Quota limit", HFILL }},
17141 { &hf_smb_user_quota_used,
17142 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
17143 NULL, 0, "How much Quota is used by this user", HFILL }},
17145 { &hf_smb_max_name_len,
17146 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
17147 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
17149 { &hf_smb_fs_name_len,
17150 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
17151 NULL, 0, "Length of filesystem name in bytes", HFILL }},
17154 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
17155 NULL, 0, "Name of filesystem", HFILL }},
17157 { &hf_smb_device_char_removable,
17158 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
17159 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
17161 { &hf_smb_device_char_read_only,
17162 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
17163 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
17165 { &hf_smb_device_char_floppy,
17166 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
17167 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
17169 { &hf_smb_device_char_write_once,
17170 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
17171 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
17173 { &hf_smb_device_char_remote,
17174 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
17175 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
17177 { &hf_smb_device_char_mounted,
17178 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
17179 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
17181 { &hf_smb_device_char_virtual,
17182 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
17183 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
17185 { &hf_smb_fs_attr_css,
17186 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
17187 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
17189 { &hf_smb_fs_attr_cpn,
17190 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
17191 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
17193 { &hf_smb_fs_attr_uod,
17194 { "Unicode On Disk", "smb.fs_attr.uod", FT_BOOLEAN, 32,
17195 TFS(&tfs_fs_attr_uod), 0x00000004, "Does this FS support Unicode On Disk?", HFILL }},
17197 { &hf_smb_fs_attr_pacls,
17198 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
17199 TFS(&tfs_fs_attr_pacls), 0x00000008, "Does this FS support Persistent ACLs?", HFILL }},
17201 { &hf_smb_fs_attr_fc,
17202 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
17203 TFS(&tfs_fs_attr_fc), 0x00000010, "Does this FS support File Compression?", HFILL }},
17205 { &hf_smb_fs_attr_vq,
17206 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
17207 TFS(&tfs_fs_attr_vq), 0x00000020, "Does this FS support Volume Quotas?", HFILL }},
17209 { &hf_smb_fs_attr_ssf,
17210 { "Sparse Files", "smb.fs_attr.ssf", FT_BOOLEAN, 32,
17211 TFS(&tfs_fs_attr_ssf), 0x00000040, "Does this FS support SPARSE FILES?", HFILL }},
17213 { &hf_smb_fs_attr_srp,
17214 { "Reparse Points", "smb.fs_attr.srp", FT_BOOLEAN, 32,
17215 TFS(&tfs_fs_attr_srp), 0x00000080, "Does this FS support REPARSE POINTS?", HFILL }},
17217 { &hf_smb_fs_attr_srs,
17218 { "Remote Storage", "smb.fs_attr.srs", FT_BOOLEAN, 32,
17219 TFS(&tfs_fs_attr_srs), 0x00000100, "Does this FS support REMOTE STORAGE?", HFILL }},
17221 { &hf_smb_fs_attr_sla,
17222 { "LFN APIs", "smb.fs_attr.sla", FT_BOOLEAN, 32,
17223 TFS(&tfs_fs_attr_sla), 0x00004000, "Does this FS support LFN APIs?", HFILL }},
17225 { &hf_smb_fs_attr_vic,
17226 { "Volume Is Compressed", "smb.fs_attr.vis", FT_BOOLEAN, 32,
17227 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS on a compressed volume?", HFILL }},
17229 { &hf_smb_fs_attr_soids,
17230 { "Supports OIDs", "smb.fs_attr.soids", FT_BOOLEAN, 32,
17231 TFS(&tfs_fs_attr_soids), 0x00010000, "Does this FS support OIDs?", HFILL }},
17233 { &hf_smb_fs_attr_se,
17234 { "Supports Encryption", "smb.fs_attr.se", FT_BOOLEAN, 32,
17235 TFS(&tfs_fs_attr_se), 0x00020000, "Does this FS support encryption?", HFILL }},
17237 { &hf_smb_fs_attr_ns,
17238 { "Named Streams", "smb.fs_attr.ns", FT_BOOLEAN, 32,
17239 TFS(&tfs_fs_attr_ns), 0x00040000, "Does this FS support named streams?", HFILL }},
17241 { &hf_smb_fs_attr_rov,
17242 { "Read Only Volume", "smb.fs_attr.rov", FT_BOOLEAN, 32,
17243 TFS(&tfs_fs_attr_rov), 0x00080000, "Is this FS on a read only volume?", HFILL }},
17245 { &hf_smb_user_quota_offset,
17246 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
17247 NULL, 0, "Relative offset to next user quota structure", HFILL }},
17249 { &hf_smb_pipe_write_len,
17250 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
17251 NULL, 0, "Number of bytes written to pipe", HFILL }},
17253 { &hf_smb_quota_flags_deny_disk,
17254 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
17255 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
17257 { &hf_smb_quota_flags_log_limit,
17258 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
17259 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
17261 { &hf_smb_quota_flags_log_warning,
17262 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
17263 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
17265 { &hf_smb_quota_flags_enabled,
17266 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
17267 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
17269 { &hf_smb_segment_overlap,
17270 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17271 "Fragment overlaps with other fragments", HFILL }},
17273 { &hf_smb_segment_overlap_conflict,
17274 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17275 "Overlapping fragments contained conflicting data", HFILL }},
17277 { &hf_smb_segment_multiple_tails,
17278 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17279 "Several tails were found when defragmenting the packet", HFILL }},
17281 { &hf_smb_segment_too_long_fragment,
17282 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17283 "Fragment contained data past end of packet", HFILL }},
17285 { &hf_smb_segment_error,
17286 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
17287 "Defragmentation error due to illegal fragments", HFILL }},
17290 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
17291 "SMB Segment", HFILL }},
17293 { &hf_smb_segments,
17294 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
17295 "SMB Segments", HFILL }},
17297 { &hf_smb_unix_major_version,
17298 { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
17299 NULL, 0, "UNIX Major Version", HFILL }},
17301 { &hf_smb_unix_minor_version,
17302 { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
17303 NULL, 0, "UNIX Minor Version", HFILL }},
17305 { &hf_smb_unix_capability_fcntl,
17306 { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
17307 TFS(&flags_set_truth), 0x00000001, "", HFILL }},
17309 { &hf_smb_unix_capability_posix_acl,
17310 { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
17311 TFS(&flags_set_truth), 0x00000002, "", HFILL }},
17313 { &hf_smb_unix_file_size,
17314 { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
17315 NULL, 0, "", HFILL }},
17317 { &hf_smb_unix_file_num_bytes,
17318 { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
17319 NULL, 0, "Number of bytes used to store the file", HFILL }},
17321 { &hf_smb_unix_file_last_status,
17322 { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, BASE_NONE,
17323 NULL, 0, "", HFILL }},
17325 { &hf_smb_unix_file_last_access,
17326 { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, BASE_NONE,
17327 NULL, 0, "", HFILL }},
17329 { &hf_smb_unix_file_last_change,
17330 { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, BASE_NONE,
17331 NULL, 0, "", HFILL }},
17333 { &hf_smb_unix_file_uid,
17334 { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
17335 NULL, 0, "", HFILL }},
17337 { &hf_smb_unix_file_gid,
17338 { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
17339 NULL, 0, "", HFILL }},
17341 { &hf_smb_unix_file_type,
17342 { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
17343 VALS(unix_file_type_vals), 0, "", HFILL }},
17345 { &hf_smb_unix_file_dev_major,
17346 { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
17347 NULL, 0, "", HFILL }},
17349 { &hf_smb_unix_file_dev_minor,
17350 { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
17351 NULL, 0, "", HFILL }},
17353 { &hf_smb_unix_file_unique_id,
17354 { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
17355 NULL, 0, "", HFILL }},
17357 { &hf_smb_unix_file_permissions,
17358 { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
17359 NULL, 0, "", HFILL }},
17361 { &hf_smb_unix_file_nlinks,
17362 { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
17363 NULL, 0, "", HFILL }},
17365 { &hf_smb_unix_file_link_dest,
17366 { "Link destination", "smb.unix.file.link_dest", FT_STRING,
17367 BASE_NONE, NULL, 0, "", HFILL }},
17369 { &hf_smb_unix_find_file_nextoffset,
17370 { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
17371 NULL, 0, "", HFILL }},
17373 { &hf_smb_unix_find_file_resumekey,
17374 { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
17375 NULL, 0, "", HFILL }},
17377 { &hf_smb_network_unknown,
17378 { "Unknown field", "smb.unknown", FT_UINT32, BASE_HEX,
17379 NULL, 0, "", HFILL }},
17381 { &hf_smb_disposition_delete_on_close,
17382 { "Delete on close", "smb.disposition.delete_on_close", FT_BOOLEAN, 8,
17383 TFS(&tfs_disposition_delete_on_close), 0x01, "", HFILL }},
17387 static gint *ett[] = {
17391 &ett_smb_fileattributes,
17392 &ett_smb_capabilities,
17400 &ett_smb_desiredaccess,
17403 &ett_smb_openfunction,
17405 &ett_smb_openaction,
17406 &ett_smb_writemode,
17407 &ett_smb_lock_type,
17408 &ett_smb_ssetupandxaction,
17409 &ett_smb_optionsup,
17410 &ett_smb_time_date,
17411 &ett_smb_move_copy_flags,
17412 &ett_smb_file_attributes,
17413 &ett_smb_search_resume_key,
17414 &ett_smb_search_dir_info,
17419 &ett_smb_open_flags,
17420 &ett_smb_ipc_state,
17421 &ett_smb_open_action,
17422 &ett_smb_setup_action,
17423 &ett_smb_connect_flags,
17424 &ett_smb_connect_support_bits,
17425 &ett_smb_nt_access_mask,
17426 &ett_smb_nt_create_bits,
17427 &ett_smb_nt_create_options,
17428 &ett_smb_nt_share_access,
17429 &ett_smb_nt_security_flags,
17430 &ett_smb_nt_trans_setup,
17431 &ett_smb_nt_trans_data,
17432 &ett_smb_nt_trans_param,
17433 &ett_smb_nt_notify_completion_filter,
17434 &ett_smb_nt_ioctl_flags,
17435 &ett_smb_security_information_mask,
17436 &ett_smb_print_queue_entry,
17437 &ett_smb_transaction_flags,
17438 &ett_smb_transaction_params,
17439 &ett_smb_find_first2_flags,
17443 &ett_smb_transaction_data,
17444 &ett_smb_stream_info,
17445 &ett_smb_dfs_referrals,
17446 &ett_smb_dfs_referral,
17447 &ett_smb_dfs_referral_flags,
17448 &ett_smb_get_dfs_flags,
17450 &ett_smb_device_characteristics,
17451 &ett_smb_fs_attributes,
17454 &ett_smb_quotaflags,
17456 &ett_smb_mac_support_flags,
17457 &ett_smb_unicode_password,
17459 &ett_smb_unix_capabilities
17461 module_t *smb_module;
17463 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
17465 proto_register_subtree_array(ett, array_length(ett));
17466 proto_register_field_array(proto_smb, hf, array_length(hf));
17468 proto_do_register_windows_common(proto_smb);
17470 register_init_routine(&smb_init_protocol);
17471 smb_module = prefs_register_protocol(proto_smb, NULL);
17472 prefs_register_bool_preference(smb_module, "trans_reassembly",
17473 "Reassemble SMB Transaction payload",
17474 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
17475 &smb_trans_reassembly);
17476 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
17477 "Reassemble DCERPC over SMB",
17478 "Whether the dissector should reassemble DCERPC over SMB commands",
17479 &smb_dcerpc_reassembly);
17480 prefs_register_bool_preference(smb_module, "sid_name_snooping",
17481 "Snoop SID to Name mappings",
17482 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
17483 &sid_name_snooping);
17485 register_init_routine(smb_trans_reassembly_init);
17486 smb_tap = register_tap("smb");
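/*
 * Handoff registration for the SMB dissector.
 *
 * Looks up the "gssapi" and "ntlmssp" dissectors by name and stores the
 * results in gssapi_handle and ntlmssp_handle (not declared in this
 * function, so they live at file scope).  It then offers dissect_smb_heur
 * as a heuristic dissector on the "netbios", "cotp" and "vines_spp" tables
 * and binds dissect_smb to the NWLink IPX sockets and the IDP/SPP SMB
 * socket.
 */
void
proto_reg_handoff_smb(void)
{
	dissector_handle_t smb_handle;

	/*
	 * NOTE(review): find_dissector() yields NULL when no dissector with
	 * that name has been registered; code that calls through these
	 * handles should tolerate that -- confirm at the call sites.
	 */
	gssapi_handle = find_dissector("gssapi");
	ntlmssp_handle = find_dissector("ntlmssp");

	/*
	 * Heuristic registrations: dissect_smb_heur is offered payloads
	 * carried by these transports.
	 * NOTE(review): dissect_smb_heur is not shown here; confirm it
	 * rejects anything that is not SMB before any field is dissected,
	 * since the payload comes straight from captured traffic.
	 */
	heur_dissector_add("netbios", dissect_smb_heur, proto_smb);
	heur_dissector_add("cotp", dissect_smb_heur, proto_smb);
	heur_dissector_add("vines_spp", dissect_smb_heur, proto_smb);

	/* Fixed bindings: these sockets always go to the full SMB dissector. */
	smb_handle = create_dissector_handle(dissect_smb, proto_smb);
	dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
	dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
	/*
	 * NOTE(review): the listing cuts this call off after the socket
	 * constant; the handle argument is restored to match the two
	 * registrations above.
	 */
	dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER,
	    smb_handle);
	dissector_add("spp.socket", IDP_SOCKET_SMB, smb_handle);
}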