2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/int-64bit.h>
40 #include <epan/packet.h>
41 #include <epan/conversation.h>
43 #include <epan/strutil.h>
45 #include "reassemble.h"
47 #include "packet-ipx.h"
49 #include "packet-windows-common.h"
50 #include "packet-smb-common.h"
51 #include "packet-smb-mailslot.h"
52 #include "packet-smb-pipe.h"
53 #include "packet-dcerpc.h"
54 #include "packet-ntlmssp.h"
57 * Various specifications and documents about SMB can be found in
59 * ftp://ftp.microsoft.com/developr/drg/CIFS/
61 * and a CIFS specification from the Storage Networking Industry Association
62 * can be found on a link from the page at
64 * http://www.snia.org/tech_activities/CIFS
66 * (it supersedes the document at
68 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
72 * There are also some Open Group publications documenting CIFS available
73 * for download; catalog entries for them are at:
75 * http://www.opengroup.org/products/publications/catalog/c209.htm
77 * http://www.opengroup.org/products/publications/catalog/c195.htm
79 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
82 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
84 * (or, presumably a similar path under the Samba mirrors). As the
85 * ".doc" indicates, it's a Word document. Some of the specs from the
86 * Microsoft FTP site can be found in the
88 * http://www.samba.org/samba/ftp/specs/
92 * Beware - these specs may have errors.
94 static int proto_smb = -1;
95 static int hf_smb_cmd = -1;
96 static int hf_smb_key = -1;
97 static int hf_smb_session_id = -1;
98 static int hf_smb_sequence_num = -1;
99 static int hf_smb_group_id = -1;
100 static int hf_smb_pid = -1;
101 static int hf_smb_tid = -1;
102 static int hf_smb_uid = -1;
103 static int hf_smb_mid = -1;
104 static int hf_smb_pid_high = -1;
105 static int hf_smb_sig = -1;
106 static int hf_smb_response_to = -1;
107 static int hf_smb_time = -1;
108 static int hf_smb_response_in = -1;
109 static int hf_smb_continuation_to = -1;
110 static int hf_smb_nt_status = -1;
111 static int hf_smb_error_class = -1;
112 static int hf_smb_error_code = -1;
113 static int hf_smb_reserved = -1;
114 static int hf_smb_flags_lock = -1;
115 static int hf_smb_flags_receive_buffer = -1;
116 static int hf_smb_flags_caseless = -1;
117 static int hf_smb_flags_canon = -1;
118 static int hf_smb_flags_oplock = -1;
119 static int hf_smb_flags_notify = -1;
120 static int hf_smb_flags_response = -1;
121 static int hf_smb_flags2_long_names_allowed = -1;
122 static int hf_smb_flags2_ea = -1;
123 static int hf_smb_flags2_sec_sig = -1;
124 static int hf_smb_flags2_long_names_used = -1;
125 static int hf_smb_flags2_esn = -1;
126 static int hf_smb_flags2_dfs = -1;
127 static int hf_smb_flags2_roe = -1;
128 static int hf_smb_flags2_nt_error = -1;
129 static int hf_smb_flags2_string = -1;
130 static int hf_smb_word_count = -1;
131 static int hf_smb_byte_count = -1;
132 static int hf_smb_buffer_format = -1;
133 static int hf_smb_dialect_name = -1;
134 static int hf_smb_dialect_index = -1;
135 static int hf_smb_max_trans_buf_size = -1;
136 static int hf_smb_max_mpx_count = -1;
137 static int hf_smb_max_vcs_num = -1;
138 static int hf_smb_session_key = -1;
139 static int hf_smb_server_timezone = -1;
140 static int hf_smb_encryption_key_length = -1;
141 static int hf_smb_encryption_key = -1;
142 static int hf_smb_primary_domain = -1;
143 static int hf_smb_server = -1;
144 static int hf_smb_max_raw_buf_size = -1;
145 static int hf_smb_server_guid = -1;
146 static int hf_smb_security_blob_len = -1;
147 static int hf_smb_security_blob = -1;
148 static int hf_smb_sm_mode16 = -1;
149 static int hf_smb_sm_password16 = -1;
150 static int hf_smb_sm_mode = -1;
151 static int hf_smb_sm_password = -1;
152 static int hf_smb_sm_signatures = -1;
153 static int hf_smb_sm_sig_required = -1;
154 static int hf_smb_rm_read = -1;
155 static int hf_smb_rm_write = -1;
156 static int hf_smb_server_date_time = -1;
157 static int hf_smb_server_smb_date = -1;
158 static int hf_smb_server_smb_time = -1;
159 static int hf_smb_server_cap_raw_mode = -1;
160 static int hf_smb_server_cap_mpx_mode = -1;
161 static int hf_smb_server_cap_unicode = -1;
162 static int hf_smb_server_cap_large_files = -1;
163 static int hf_smb_server_cap_nt_smbs = -1;
164 static int hf_smb_server_cap_rpc_remote_apis = -1;
165 static int hf_smb_server_cap_nt_status = -1;
166 static int hf_smb_server_cap_level_ii_oplocks = -1;
167 static int hf_smb_server_cap_lock_and_read = -1;
168 static int hf_smb_server_cap_nt_find = -1;
169 static int hf_smb_server_cap_dfs = -1;
170 static int hf_smb_server_cap_infolevel_passthru = -1;
171 static int hf_smb_server_cap_large_readx = -1;
172 static int hf_smb_server_cap_large_writex = -1;
173 static int hf_smb_server_cap_unix = -1;
174 static int hf_smb_server_cap_reserved = -1;
175 static int hf_smb_server_cap_bulk_transfer = -1;
176 static int hf_smb_server_cap_compressed_data = -1;
177 static int hf_smb_server_cap_extended_security = -1;
178 static int hf_smb_system_time = -1;
179 static int hf_smb_unknown = -1;
180 static int hf_smb_dir_name = -1;
181 static int hf_smb_echo_count = -1;
182 static int hf_smb_echo_data = -1;
183 static int hf_smb_echo_seq_num = -1;
184 static int hf_smb_max_buf_size = -1;
185 static int hf_smb_password = -1;
186 static int hf_smb_password_len = -1;
187 static int hf_smb_ansi_password = -1;
188 static int hf_smb_ansi_password_len = -1;
189 static int hf_smb_unicode_password = -1;
190 static int hf_smb_unicode_password_len = -1;
191 static int hf_smb_path = -1;
192 static int hf_smb_service = -1;
193 static int hf_smb_move_flags_file = -1;
194 static int hf_smb_move_flags_dir = -1;
195 static int hf_smb_move_flags_verify = -1;
196 static int hf_smb_files_moved = -1;
197 static int hf_smb_copy_flags_file = -1;
198 static int hf_smb_copy_flags_dir = -1;
199 static int hf_smb_copy_flags_dest_mode = -1;
200 static int hf_smb_copy_flags_source_mode = -1;
201 static int hf_smb_copy_flags_verify = -1;
202 static int hf_smb_copy_flags_tree_copy = -1;
203 static int hf_smb_copy_flags_ea_action = -1;
204 static int hf_smb_count = -1;
205 static int hf_smb_count_low = -1;
206 static int hf_smb_count_high = -1;
207 static int hf_smb_file_name = -1;
208 static int hf_smb_open_function_open = -1;
209 static int hf_smb_open_function_create = -1;
210 static int hf_smb_fid = -1;
211 static int hf_smb_file_attr_read_only_16bit = -1;
212 static int hf_smb_file_attr_read_only_8bit = -1;
213 static int hf_smb_file_attr_hidden_16bit = -1;
214 static int hf_smb_file_attr_hidden_8bit = -1;
215 static int hf_smb_file_attr_system_16bit = -1;
216 static int hf_smb_file_attr_system_8bit = -1;
217 static int hf_smb_file_attr_volume_16bit = -1;
218 static int hf_smb_file_attr_volume_8bit = -1;
219 static int hf_smb_file_attr_directory_16bit = -1;
220 static int hf_smb_file_attr_directory_8bit = -1;
221 static int hf_smb_file_attr_archive_16bit = -1;
222 static int hf_smb_file_attr_archive_8bit = -1;
223 static int hf_smb_file_attr_device = -1;
224 static int hf_smb_file_attr_normal = -1;
225 static int hf_smb_file_attr_temporary = -1;
226 static int hf_smb_file_attr_sparse = -1;
227 static int hf_smb_file_attr_reparse = -1;
228 static int hf_smb_file_attr_compressed = -1;
229 static int hf_smb_file_attr_offline = -1;
230 static int hf_smb_file_attr_not_content_indexed = -1;
231 static int hf_smb_file_attr_encrypted = -1;
232 static int hf_smb_file_size = -1;
233 static int hf_smb_search_attribute_read_only = -1;
234 static int hf_smb_search_attribute_hidden = -1;
235 static int hf_smb_search_attribute_system = -1;
236 static int hf_smb_search_attribute_volume = -1;
237 static int hf_smb_search_attribute_directory = -1;
238 static int hf_smb_search_attribute_archive = -1;
239 static int hf_smb_access_mode = -1;
240 static int hf_smb_access_sharing = -1;
241 static int hf_smb_access_locality = -1;
242 static int hf_smb_access_caching = -1;
243 static int hf_smb_access_writetru = -1;
244 static int hf_smb_create_time = -1;
245 static int hf_smb_modify_time = -1;
246 static int hf_smb_backup_time = -1;
247 static int hf_smb_mac_alloc_block_count = -1;
248 static int hf_smb_mac_alloc_block_size = -1;
249 static int hf_smb_mac_free_block_count = -1;
250 static int hf_smb_mac_fndrinfo = -1;
251 static int hf_smb_mac_root_file_count = -1;
252 static int hf_smb_mac_root_dir_count = -1;
253 static int hf_smb_mac_file_count = -1;
254 static int hf_smb_mac_dir_count = -1;
255 static int hf_smb_mac_support_flags = -1;
256 static int hf_smb_mac_sup_access_ctrl = -1;
257 static int hf_smb_mac_sup_getset_comments = -1;
258 static int hf_smb_mac_sup_desktopdb_calls = -1;
259 static int hf_smb_mac_sup_unique_ids = -1;
260 static int hf_smb_mac_sup_streams = -1;
261 static int hf_smb_create_dos_date = -1;
262 static int hf_smb_create_dos_time = -1;
263 static int hf_smb_last_write_time = -1;
264 static int hf_smb_last_write_dos_date = -1;
265 static int hf_smb_last_write_dos_time = -1;
266 static int hf_smb_access_time = -1;
267 static int hf_smb_access_dos_date = -1;
268 static int hf_smb_access_dos_time = -1;
269 static int hf_smb_old_file_name = -1;
270 static int hf_smb_offset = -1;
271 static int hf_smb_remaining = -1;
272 static int hf_smb_padding = -1;
273 static int hf_smb_file_data = -1;
274 static int hf_smb_total_data_len = -1;
275 static int hf_smb_data_len = -1;
276 static int hf_smb_data_len_low = -1;
277 static int hf_smb_data_len_high = -1;
278 static int hf_smb_seek_mode = -1;
279 static int hf_smb_data_size = -1;
280 static int hf_smb_alloc_size = -1;
281 static int hf_smb_alloc_size64 = -1;
282 static int hf_smb_max_count = -1;
283 static int hf_smb_max_count_low = -1;
284 static int hf_smb_max_count_high = -1;
285 static int hf_smb_min_count = -1;
286 static int hf_smb_timeout = -1;
287 static int hf_smb_high_offset = -1;
288 static int hf_smb_units = -1;
289 static int hf_smb_bpu = -1;
290 static int hf_smb_blocksize = -1;
291 static int hf_smb_freeunits = -1;
292 static int hf_smb_data_offset = -1;
293 static int hf_smb_dcm = -1;
294 static int hf_smb_request_mask = -1;
295 static int hf_smb_response_mask = -1;
296 static int hf_smb_search_id = -1;
297 static int hf_smb_write_mode_write_through = -1;
298 static int hf_smb_write_mode_return_remaining = -1;
299 static int hf_smb_write_mode_raw = -1;
300 static int hf_smb_write_mode_message_start = -1;
301 static int hf_smb_write_mode_connectionless = -1;
302 static int hf_smb_resume_key_len = -1;
303 static int hf_smb_resume_find_id = -1;
304 static int hf_smb_resume_server_cookie = -1;
305 static int hf_smb_resume_client_cookie = -1;
306 static int hf_smb_andxoffset = -1;
307 static int hf_smb_lock_type_large = -1;
308 static int hf_smb_lock_type_cancel = -1;
309 static int hf_smb_lock_type_change = -1;
310 static int hf_smb_lock_type_oplock = -1;
311 static int hf_smb_lock_type_shared = -1;
312 static int hf_smb_locking_ol = -1;
313 static int hf_smb_number_of_locks = -1;
314 static int hf_smb_number_of_unlocks = -1;
315 static int hf_smb_lock_long_offset = -1;
316 static int hf_smb_lock_long_length = -1;
317 static int hf_smb_file_type = -1;
318 static int hf_smb_ipc_state_nonblocking = -1;
319 static int hf_smb_ipc_state_endpoint = -1;
320 static int hf_smb_ipc_state_pipe_type = -1;
321 static int hf_smb_ipc_state_read_mode = -1;
322 static int hf_smb_ipc_state_icount = -1;
323 static int hf_smb_server_fid = -1;
324 static int hf_smb_open_flags_add_info = -1;
325 static int hf_smb_open_flags_ex_oplock = -1;
326 static int hf_smb_open_flags_batch_oplock = -1;
327 static int hf_smb_open_flags_ealen = -1;
328 static int hf_smb_open_action_open = -1;
329 static int hf_smb_open_action_lock = -1;
330 static int hf_smb_vc_num = -1;
331 static int hf_smb_account = -1;
332 static int hf_smb_os = -1;
333 static int hf_smb_lanman = -1;
334 static int hf_smb_setup_action_guest = -1;
335 static int hf_smb_fs = -1;
336 static int hf_smb_connect_flags_dtid = -1;
337 static int hf_smb_connect_support_search = -1;
338 static int hf_smb_connect_support_in_dfs = -1;
339 static int hf_smb_max_setup_count = -1;
340 static int hf_smb_total_param_count = -1;
341 static int hf_smb_total_data_count = -1;
342 static int hf_smb_max_param_count = -1;
343 static int hf_smb_max_data_count = -1;
344 static int hf_smb_param_disp16 = -1;
345 static int hf_smb_param_count16 = -1;
346 static int hf_smb_param_offset16 = -1;
347 static int hf_smb_param_disp32 = -1;
348 static int hf_smb_param_count32 = -1;
349 static int hf_smb_param_offset32 = -1;
350 static int hf_smb_data_disp16 = -1;
351 static int hf_smb_data_count16 = -1;
352 static int hf_smb_data_offset16 = -1;
353 static int hf_smb_data_disp32 = -1;
354 static int hf_smb_data_count32 = -1;
355 static int hf_smb_data_offset32 = -1;
356 static int hf_smb_setup_count = -1;
357 static int hf_smb_nt_trans_subcmd = -1;
358 static int hf_smb_nt_ioctl_function_code = -1;
359 static int hf_smb_nt_ioctl_isfsctl = -1;
360 static int hf_smb_nt_ioctl_flags_root_handle = -1;
361 static int hf_smb_nt_ioctl_data = -1;
362 #ifdef SMB_UNUSED_HANDLES
363 static int hf_smb_nt_security_information = -1;
365 static int hf_smb_nt_notify_action = -1;
366 static int hf_smb_nt_notify_watch_tree = -1;
367 static int hf_smb_nt_notify_stream_write = -1;
368 static int hf_smb_nt_notify_stream_size = -1;
369 static int hf_smb_nt_notify_stream_name = -1;
370 static int hf_smb_nt_notify_security = -1;
371 static int hf_smb_nt_notify_ea = -1;
372 static int hf_smb_nt_notify_creation = -1;
373 static int hf_smb_nt_notify_last_access = -1;
374 static int hf_smb_nt_notify_last_write = -1;
375 static int hf_smb_nt_notify_size = -1;
376 static int hf_smb_nt_notify_attributes = -1;
377 static int hf_smb_nt_notify_dir_name = -1;
378 static int hf_smb_nt_notify_file_name = -1;
379 static int hf_smb_root_dir_fid = -1;
380 static int hf_smb_nt_create_disposition = -1;
381 static int hf_smb_sd_length = -1;
382 static int hf_smb_ea_list_length = -1;
383 static int hf_smb_ea_flags = -1;
384 static int hf_smb_ea_name_length = -1;
385 static int hf_smb_ea_data_length = -1;
386 static int hf_smb_ea_name = -1;
387 static int hf_smb_ea_data = -1;
388 static int hf_smb_file_name_len = -1;
389 static int hf_smb_nt_impersonation_level = -1;
390 static int hf_smb_nt_security_flags_context_tracking = -1;
391 static int hf_smb_nt_security_flags_effective_only = -1;
392 static int hf_smb_nt_access_mask_generic_read = -1;
393 static int hf_smb_nt_access_mask_generic_write = -1;
394 static int hf_smb_nt_access_mask_generic_execute = -1;
395 static int hf_smb_nt_access_mask_generic_all = -1;
396 static int hf_smb_nt_access_mask_maximum_allowed = -1;
397 static int hf_smb_nt_access_mask_system_security = -1;
398 static int hf_smb_nt_access_mask_synchronize = -1;
399 static int hf_smb_nt_access_mask_write_owner = -1;
400 static int hf_smb_nt_access_mask_write_dac = -1;
401 static int hf_smb_nt_access_mask_read_control = -1;
402 static int hf_smb_nt_access_mask_delete = -1;
403 static int hf_smb_nt_access_mask_write_attributes = -1;
404 static int hf_smb_nt_access_mask_read_attributes = -1;
405 static int hf_smb_nt_access_mask_delete_child = -1;
406 static int hf_smb_nt_access_mask_execute = -1;
407 static int hf_smb_nt_access_mask_write_ea = -1;
408 static int hf_smb_nt_access_mask_read_ea = -1;
409 static int hf_smb_nt_access_mask_append = -1;
410 static int hf_smb_nt_access_mask_write = -1;
411 static int hf_smb_nt_access_mask_read = -1;
412 static int hf_smb_nt_create_bits_oplock = -1;
413 static int hf_smb_nt_create_bits_boplock = -1;
414 static int hf_smb_nt_create_bits_dir = -1;
415 static int hf_smb_nt_create_bits_ext_resp = -1;
416 static int hf_smb_nt_create_options_directory_file = -1;
417 static int hf_smb_nt_create_options_write_through = -1;
418 static int hf_smb_nt_create_options_sequential_only = -1;
419 static int hf_smb_nt_create_options_sync_io_alert = -1;
420 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
421 static int hf_smb_nt_create_options_non_directory_file = -1;
422 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
423 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
424 static int hf_smb_nt_create_options_random_access = -1;
425 static int hf_smb_nt_create_options_delete_on_close = -1;
426 static int hf_smb_nt_share_access_read = -1;
427 static int hf_smb_nt_share_access_write = -1;
428 static int hf_smb_nt_share_access_delete = -1;
429 static int hf_smb_file_eattr_read_only = -1;
430 static int hf_smb_file_eattr_hidden = -1;
431 static int hf_smb_file_eattr_system = -1;
432 static int hf_smb_file_eattr_volume = -1;
433 static int hf_smb_file_eattr_directory = -1;
434 static int hf_smb_file_eattr_archive = -1;
435 static int hf_smb_file_eattr_device = -1;
436 static int hf_smb_file_eattr_normal = -1;
437 static int hf_smb_file_eattr_temporary = -1;
438 static int hf_smb_file_eattr_sparse = -1;
439 static int hf_smb_file_eattr_reparse = -1;
440 static int hf_smb_file_eattr_compressed = -1;
441 static int hf_smb_file_eattr_offline = -1;
442 static int hf_smb_file_eattr_not_content_indexed = -1;
443 static int hf_smb_file_eattr_encrypted = -1;
444 static int hf_smb_sec_desc_len = -1;
445 static int hf_smb_nt_qsd_owner = -1;
446 static int hf_smb_nt_qsd_group = -1;
447 static int hf_smb_nt_qsd_dacl = -1;
448 static int hf_smb_nt_qsd_sacl = -1;
449 static int hf_smb_extended_attributes = -1;
450 static int hf_smb_oplock_level = -1;
451 static int hf_smb_create_action = -1;
452 static int hf_smb_file_id = -1;
453 static int hf_smb_ea_error_offset = -1;
454 static int hf_smb_end_of_file = -1;
455 static int hf_smb_replace = -1;
456 static int hf_smb_root_dir_handle = -1;
457 static int hf_smb_target_name_len = -1;
458 static int hf_smb_target_name = -1;
459 static int hf_smb_device_type = -1;
460 static int hf_smb_is_directory = -1;
461 static int hf_smb_next_entry_offset = -1;
462 static int hf_smb_change_time = -1;
463 static int hf_smb_setup_len = -1;
464 static int hf_smb_print_mode = -1;
465 static int hf_smb_print_identifier = -1;
466 static int hf_smb_restart_index = -1;
467 static int hf_smb_print_queue_date = -1;
468 static int hf_smb_print_queue_dos_date = -1;
469 static int hf_smb_print_queue_dos_time = -1;
470 static int hf_smb_print_status = -1;
471 static int hf_smb_print_spool_file_number = -1;
472 static int hf_smb_print_spool_file_size = -1;
473 static int hf_smb_print_spool_file_name = -1;
474 static int hf_smb_start_index = -1;
475 static int hf_smb_originator_name = -1;
476 static int hf_smb_destination_name = -1;
477 static int hf_smb_message_len = -1;
478 static int hf_smb_message = -1;
479 static int hf_smb_mgid = -1;
480 static int hf_smb_forwarded_name = -1;
481 static int hf_smb_machine_name = -1;
482 static int hf_smb_cancel_to = -1;
483 static int hf_smb_trans2_subcmd = -1;
484 static int hf_smb_trans_name = -1;
485 static int hf_smb_transaction_flags_dtid = -1;
486 static int hf_smb_transaction_flags_owt = -1;
487 static int hf_smb_search_count = -1;
488 static int hf_smb_search_pattern = -1;
489 static int hf_smb_ff2_backup = -1;
490 static int hf_smb_ff2_continue = -1;
491 static int hf_smb_ff2_resume = -1;
492 static int hf_smb_ff2_close_eos = -1;
493 static int hf_smb_ff2_close = -1;
494 static int hf_smb_ff2_information_level = -1;
495 static int hf_smb_qpi_loi = -1;
496 static int hf_smb_spi_loi = -1;
498 static int hf_smb_sfi_writetru = -1;
499 static int hf_smb_sfi_caching = -1;
501 static int hf_smb_storage_type = -1;
502 static int hf_smb_resume = -1;
503 static int hf_smb_max_referral_level = -1;
504 static int hf_smb_qfsi_information_level = -1;
505 static int hf_smb_number_of_links = -1;
506 static int hf_smb_delete_pending = -1;
507 static int hf_smb_index_number = -1;
508 static int hf_smb_current_offset = -1;
509 static int hf_smb_t2_alignment = -1;
510 static int hf_smb_t2_stream_name_length = -1;
511 static int hf_smb_t2_stream_size = -1;
512 static int hf_smb_t2_stream_name = -1;
513 static int hf_smb_t2_compressed_file_size = -1;
514 static int hf_smb_t2_compressed_format = -1;
515 static int hf_smb_t2_compressed_unit_shift = -1;
516 static int hf_smb_t2_compressed_chunk_shift = -1;
517 static int hf_smb_t2_compressed_cluster_shift = -1;
518 static int hf_smb_t2_marked_for_deletion = -1;
519 static int hf_smb_dfs_path_consumed = -1;
520 static int hf_smb_dfs_num_referrals = -1;
521 static int hf_smb_get_dfs_server_hold_storage = -1;
522 static int hf_smb_get_dfs_fielding = -1;
523 static int hf_smb_dfs_referral_version = -1;
524 static int hf_smb_dfs_referral_size = -1;
525 static int hf_smb_dfs_referral_server_type = -1;
526 static int hf_smb_dfs_referral_flags_strip = -1;
527 static int hf_smb_dfs_referral_node_offset = -1;
528 static int hf_smb_dfs_referral_node = -1;
529 static int hf_smb_dfs_referral_proximity = -1;
530 static int hf_smb_dfs_referral_ttl = -1;
531 static int hf_smb_dfs_referral_path_offset = -1;
532 static int hf_smb_dfs_referral_path = -1;
533 static int hf_smb_dfs_referral_alt_path_offset = -1;
534 static int hf_smb_dfs_referral_alt_path = -1;
535 static int hf_smb_end_of_search = -1;
536 static int hf_smb_last_name_offset = -1;
537 static int hf_smb_fn_information_level = -1;
538 static int hf_smb_monitor_handle = -1;
539 static int hf_smb_change_count = -1;
540 static int hf_smb_file_index = -1;
541 static int hf_smb_short_file_name = -1;
542 static int hf_smb_short_file_name_len = -1;
543 static int hf_smb_fs_id = -1;
544 static int hf_smb_fs_guid = -1;
545 static int hf_smb_sector_unit = -1;
546 static int hf_smb_fs_units = -1;
547 static int hf_smb_fs_sector = -1;
548 static int hf_smb_avail_units = -1;
549 static int hf_smb_volume_serial_num = -1;
550 static int hf_smb_volume_label_len = -1;
551 static int hf_smb_volume_label = -1;
552 static int hf_smb_free_alloc_units64 = -1;
553 static int hf_smb_caller_free_alloc_units64 = -1;
554 static int hf_smb_actual_free_alloc_units64 = -1;
555 static int hf_smb_max_name_len = -1;
556 static int hf_smb_fs_name_len = -1;
557 static int hf_smb_fs_name = -1;
558 static int hf_smb_device_char_removable = -1;
559 static int hf_smb_device_char_read_only = -1;
560 static int hf_smb_device_char_floppy = -1;
561 static int hf_smb_device_char_write_once = -1;
562 static int hf_smb_device_char_remote = -1;
563 static int hf_smb_device_char_mounted = -1;
564 static int hf_smb_device_char_virtual = -1;
565 static int hf_smb_fs_attr_css = -1;
566 static int hf_smb_fs_attr_cpn = -1;
567 static int hf_smb_fs_attr_uod = -1;
568 static int hf_smb_fs_attr_pacls = -1;
569 static int hf_smb_fs_attr_fc = -1;
570 static int hf_smb_fs_attr_vq = -1;
571 static int hf_smb_fs_attr_ssf = -1;
572 static int hf_smb_fs_attr_srp = -1;
573 static int hf_smb_fs_attr_srs = -1;
574 static int hf_smb_fs_attr_sla = -1;
575 static int hf_smb_fs_attr_vic = -1;
576 static int hf_smb_fs_attr_soids = -1;
577 static int hf_smb_fs_attr_se = -1;
578 static int hf_smb_fs_attr_ns = -1;
579 static int hf_smb_fs_attr_rov = -1;
580 static int hf_smb_quota_flags_enabled = -1;
581 static int hf_smb_quota_flags_deny_disk = -1;
582 static int hf_smb_quota_flags_log_limit = -1;
583 static int hf_smb_quota_flags_log_warning = -1;
584 static int hf_smb_soft_quota_limit = -1;
585 static int hf_smb_hard_quota_limit = -1;
586 static int hf_smb_user_quota_used = -1;
587 static int hf_smb_user_quota_offset = -1;
588 static int hf_smb_nt_rename_level = -1;
589 static int hf_smb_cluster_count = -1;
590 static int hf_smb_segments = -1;
591 static int hf_smb_segment = -1;
592 static int hf_smb_segment_overlap = -1;
593 static int hf_smb_segment_overlap_conflict = -1;
594 static int hf_smb_segment_multiple_tails = -1;
595 static int hf_smb_segment_too_long_fragment = -1;
596 static int hf_smb_segment_error = -1;
597 static int hf_smb_pipe_write_len = -1;
598 static int hf_smb_unix_major_version = -1;
599 static int hf_smb_unix_minor_version = -1;
600 static int hf_smb_unix_capability_fcntl = -1;
601 static int hf_smb_unix_capability_posix_acl = -1;
602 static int hf_smb_unix_file_size = -1;
603 static int hf_smb_unix_file_num_bytes = -1;
604 static int hf_smb_unix_file_last_status = -1;
605 static int hf_smb_unix_file_last_access = -1;
606 static int hf_smb_unix_file_last_change = -1;
607 static int hf_smb_unix_file_uid = -1;
608 static int hf_smb_unix_file_gid = -1;
609 static int hf_smb_unix_file_type = -1;
610 static int hf_smb_unix_file_dev_major = -1;
611 static int hf_smb_unix_file_dev_minor = -1;
612 static int hf_smb_unix_file_unique_id = -1;
613 static int hf_smb_unix_file_permissions = -1;
614 static int hf_smb_unix_file_nlinks = -1;
615 static int hf_smb_unix_file_link_dest = -1;
616 static int hf_smb_unix_find_file_nextoffset = -1;
617 static int hf_smb_unix_find_file_resumekey = -1;
619 static gint ett_smb = -1;
620 static gint ett_smb_hdr = -1;
621 static gint ett_smb_command = -1;
622 static gint ett_smb_fileattributes = -1;
623 static gint ett_smb_capabilities = -1;
624 static gint ett_smb_aflags = -1;
625 static gint ett_smb_dialect = -1;
626 static gint ett_smb_dialects = -1;
627 static gint ett_smb_mode = -1;
628 static gint ett_smb_rawmode = -1;
629 static gint ett_smb_flags = -1;
630 static gint ett_smb_flags2 = -1;
631 static gint ett_smb_desiredaccess = -1;
632 static gint ett_smb_search = -1;
633 static gint ett_smb_file = -1;
634 static gint ett_smb_openfunction = -1;
635 static gint ett_smb_filetype = -1;
636 static gint ett_smb_openaction = -1;
637 static gint ett_smb_writemode = -1;
638 static gint ett_smb_lock_type = -1;
639 static gint ett_smb_ssetupandxaction = -1;
640 static gint ett_smb_optionsup = -1;
641 static gint ett_smb_time_date = -1;
642 static gint ett_smb_move_copy_flags = -1;
643 static gint ett_smb_file_attributes = -1;
644 static gint ett_smb_search_resume_key = -1;
645 static gint ett_smb_search_dir_info = -1;
646 static gint ett_smb_unlocks = -1;
647 static gint ett_smb_unlock = -1;
648 static gint ett_smb_locks = -1;
649 static gint ett_smb_lock = -1;
650 static gint ett_smb_open_flags = -1;
651 static gint ett_smb_ipc_state = -1;
652 static gint ett_smb_open_action = -1;
653 static gint ett_smb_setup_action = -1;
654 static gint ett_smb_connect_flags = -1;
655 static gint ett_smb_connect_support_bits = -1;
656 static gint ett_smb_nt_access_mask = -1;
657 static gint ett_smb_nt_create_bits = -1;
658 static gint ett_smb_nt_create_options = -1;
659 static gint ett_smb_nt_share_access = -1;
660 static gint ett_smb_nt_security_flags = -1;
661 static gint ett_smb_nt_trans_setup = -1;
662 static gint ett_smb_nt_trans_data = -1;
663 static gint ett_smb_nt_trans_param = -1;
664 static gint ett_smb_nt_notify_completion_filter = -1;
665 static gint ett_smb_nt_ioctl_flags = -1;
666 static gint ett_smb_security_information_mask = -1;
667 static gint ett_smb_print_queue_entry = -1;
668 static gint ett_smb_transaction_flags = -1;
669 static gint ett_smb_transaction_params = -1;
670 static gint ett_smb_find_first2_flags = -1;
671 static gint ett_smb_mac_support_flags = -1;
673 static gint ett_smb_ioflag = -1;
675 static gint ett_smb_transaction_data = -1;
676 static gint ett_smb_stream_info = -1;
677 static gint ett_smb_dfs_referrals = -1;
678 static gint ett_smb_dfs_referral = -1;
679 static gint ett_smb_dfs_referral_flags = -1;
680 static gint ett_smb_get_dfs_flags = -1;
681 static gint ett_smb_ff2_data = -1;
682 static gint ett_smb_device_characteristics = -1;
683 static gint ett_smb_fs_attributes = -1;
684 static gint ett_smb_segments = -1;
685 static gint ett_smb_segment = -1;
686 static gint ett_smb_quotaflags = -1;
687 static gint ett_smb_secblob = -1;
688 static gint ett_smb_unicode_password = -1;
689 static gint ett_smb_ea = -1;
690 static gint ett_smb_unix_capabilities = -1;
692 static int smb_tap = -1;
694 static dissector_handle_t gssapi_handle = NULL;
695 static dissector_handle_t ntlmssp_handle = NULL;
697 static const fragment_items smb_frag_items = {
703 &hf_smb_segment_overlap,
704 &hf_smb_segment_overlap_conflict,
705 &hf_smb_segment_multiple_tails,
706 &hf_smb_segment_too_long_fragment,
707 &hf_smb_segment_error,
713 proto_tree *top_tree=NULL; /* ugly */
715 static char *decode_smb_name(guint8);
716 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
719 * Macros for use in the main dissector routines for an SMB.
724 wc = tvb_get_guint8(tvb, offset); \
725 proto_tree_add_uint(tree, hf_smb_word_count, \
726 tvb, offset, 1, wc); \
728 if(wc==0) goto bytecount;
732 bc = tvb_get_letohs(tvb, offset); \
733 proto_tree_add_uint(tree, hf_smb_byte_count, \
734 tvb, offset, 2, bc); \
736 if(bc==0) goto endofcommand;
/*
 * Bail-out guard for the main dissector routines: when the remaining byte
 * count `bc` is smaller than `len`, jump to the `endofcommand` label.
 * Both `bc` and that label must be in scope where the macro is used.
 * `bc` is the value the byte-count macro above loads from the packet with
 * tvb_get_letohs(), so it is attacker-influenced input and this comparison
 * is what keeps a field read from running past the declared byte count.
 *
 * NOTE(review): `len` is pasted into the comparison without parentheses and
 * the expansion is a bare `if`. An argument containing a lower-precedence
 * operator (for example `?:`) or an `else` following the macro at a call
 * site would silently change the check; `if (bc < (len))` would make it
 * robust. The declared types of `bc` and `len` are not visible here - if
 * `len` can be negative while `bc` is unsigned the comparison converts it
 * to a large value; confirm at the call sites.
 */
738 #define CHECK_BYTE_COUNT(len) \
739 if (bc < len) goto endofcommand;
741 #define COUNT_BYTES(len) {\
751 bc_remaining=tvb_length_remaining(tvb, offset); \
752 if( ((gint)bc) > bc_remaining){ \
756 proto_tree_add_text(tree, tvb, offset, bc, \
757 "Extra byte parameters"); \
764 * Macros for use in routines called by them.
766 #define CHECK_BYTE_COUNT_SUBR(len) \
772 #define CHECK_STRING_SUBR(fn) \
778 #define COUNT_BYTES_SUBR(len) \
783 * Macros for use when dissecting transaction parameters and data
785 #define CHECK_BYTE_COUNT_TRANS(len) \
786 if (bc < len) return offset;
788 #define CHECK_STRING_TRANS(fn) \
789 if (fn == NULL) return offset;
791 #define COUNT_BYTES_TRANS(len) \
796 * Macros for use in subroutines dissecting transaction parameters or data
/*
 * Bail-out guard for helpers that receive the remaining byte count through
 * a pointer: returns `offset` from the enclosing function when `*bcp` is
 * smaller than `len`. `bcp` and `offset` must be in scope where the macro
 * is used, and the enclosing function must return a value compatible with
 * `offset`.
 *
 * NOTE(review): `len` is used without parentheses and the expansion is a
 * bare `if`, so an argument containing a lower-precedence operator or an
 * `else` following the macro would change the check; `if (*bcp < (len))`
 * avoids that. `bcp` is dereferenced unconditionally - callers are
 * presumably expected to pass a valid pointer; confirm.
 */
798 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
799 if (*bcp < len) return offset;
801 #define CHECK_STRING_TRANS_SUBR(fn) \
802 if (fn == NULL) return offset;
804 #define COUNT_BYTES_TRANS_SUBR(len) \
809 gboolean sid_name_snooping = FALSE;
811 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
812 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
813 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
814 static gboolean smb_trans_reassembly = FALSE;
815 gboolean smb_dcerpc_reassembly = FALSE;
817 static GHashTable *smb_trans_fragment_table = NULL;
820 smb_trans_reassembly_init(void)
822 fragment_table_init(&smb_trans_fragment_table);
/*
 * Feed one piece of a multi-SMB transaction into the reassembly table.
 *
 * The `count` bytes at `offset` in `tvb` are added to
 * smb_trans_fragment_table at position `pos`, keyed by the frame number of
 * the request (si->sip->frame_req). `more_frags` is true while `totlen`
 * exceeds `pos + count`. fragment_add() is called only when the frame has
 * not been visited before; fragment_get() is the other lookup visible
 * below. Several lines of this function (the declarations of `si` and
 * `more_frags`, the branch structure around fragment_get(), and the return
 * statements) are not visible in this listing, so the return contract is
 * not documented here.
 *
 * NOTE(review): `count`, `pos` and `totlen` are signed ints and are
 * presumably taken from length/displacement fields of the captured packet -
 * confirm at the call sites. Nothing visible here range-checks them:
 * `pos + count` is computed as plain int arithmetic and both values are
 * handed to fragment_add() as given, so negative or inconsistent values
 * have to be rejected by the callers or by the reassembly code.
 *
 * NOTE(review): pinfo->private_data is cast to smb_info_t * and
 * dereferenced (si->sip) without a NULL test in the visible lines.
 */
825 static fragment_data *
826 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
827 int offset, int count, int pos, int totlen)
829 fragment_data *fd_head=NULL;
/* more pieces are expected while the declared total length lies beyond the
   end of this piece */
833 more_frags=totlen>(pos+count);
835 si = (smb_info_t *)pinfo->private_data;
836 if (si->sip == NULL) {
838 * We don't have the frame number of the request.
840 * XXX - is there truly nothing we can do here?
841 * Can we not separately keep track of the original
842 * transaction and its continuations, as we did
845 * It is probably not much point in even trying to do something here
846 * if we have never seen the initial request. Without the initial
847 * request we probably miss all parameters and the begining of data
848 * so we cant even call a subdissector since we can not determine
849 * which type of transaction call this is.
/* first pass over this frame: record the fragment. NOTE(review): the line
   that separates this call from the fragment_get() call below is not
   visible in this listing - presumably fragment_get() serves the
   already-visited case; confirm against the full file. */
854 if(!pinfo->fd->flags.visited){
855 fd_head = fragment_add(tvb, offset, pinfo,
856 si->sip->frame_req, smb_trans_fragment_table,
857 pos, count, more_frags);
859 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
862 /* we only show the defragmented packet for the first fragment,
863 or else we might end up with dissecting one HUGE transaction PDU
864 a LOT of times. (first fragment is the only one containing the setup
866 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
867 SMBs. Takes a LOT of time dissecting and is not fun.
869 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
880 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
881 These variables and functions are used to match
883 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
885 * The information we need to save about a request in order to show the
886 * frame number of the request in the dissection of the reply.
891 } smb_saved_info_key_t;
/* GMemChunk pools for the saved-info keys and the saved-info records.
   smb_saved_info_init_count is presumably the initial element count given
   to those pools - confirm where the chunks are created. */
893 static GMemChunk *smb_saved_info_key_chunk = NULL;
894 static GMemChunk *smb_saved_info_chunk = NULL;
895 static int smb_saved_info_init_count = 200;
897 /* unmatched smb_saved_info structures.
898 For unmatched smb_saved_info structures we store the smb_saved_info
899 structure using the MID and the PID as the key.
901 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
902 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
903 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
/*
 * Equality callback for the "unmatched" table. The keys are not pointers
 * to data: each pointer value is itself reinterpreted as a 32-bit integer.
 * (The comparison/return line is not part of this listing.)
 * NOTE(review): (guint32)k1 narrows a pointer; where pointers are wider
 * than 32 bits compilers warn about the cast. GLib's GPOINTER_TO_UINT()
 * is the conventional spelling for this conversion.
 */
906 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
908 register guint32 key1 = (guint32)k1;
909 register guint32 key2 = (guint32)k2;
/*
 * Hash callback for the "unmatched" table: the key pointer is reinterpreted
 * as a 32-bit integer (the return line is not part of this listing).
 * NOTE(review): same pointer-to-guint32 narrowing as in the equality
 * callback; GPOINTER_TO_UINT() would express it without a warning.
 */
913 smb_saved_info_hash_unmatched(gconstpointer k)
915 register guint32 key = (guint32)k;
919 /* matched smb_saved_info structures.
920 For matched smb_saved_info structures we store the smb_saved_info
921 structure twice in the table using the frame number, and a combination
922 of the MID and the PID, as the key.
923 The frame number is guaranteed to be unique but if ever someone makes
924 some change that will renumber the frames in a capture we are in BIG trouble.
925 This is not likely though since that would break (among other things) all the
926 reassembly routines as well.
928 We also need the MID as there may be more than one SMB request or reply
929 in a single frame, and we also need the PID as there may be more than
930 one outstanding request with the same MID and different PIDs.
/*
 * Equality callback for the "matched" table: two keys are equal when both
 * the frame number and the combined pid_mid value agree.
 * k1 and k2 must point to smb_saved_info_key_t structures.
 */
933 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
935 const smb_saved_info_key_t *key1 = k1;
936 const smb_saved_info_key_t *key2 = k2;
937 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
/*
 * Hash callback for the "matched" table: the sum of the key's frame number
 * and pid_mid. k must point to an smb_saved_info_key_t.
 * Keys that compare equal in smb_saved_info_equal_matched() produce the
 * same sum, which is what a hash table requires of the pair.
 */
940 smb_saved_info_hash_matched(gconstpointer k)
942 const smb_saved_info_key_t *key = k;
943 return key->frame + key->pid_mid;
/* One GMemChunk pool plus a companion count (200) for each kind of
   per-request transaction record. The counts are presumably the initial
   pool sizes - confirm where the chunks are created. */
946 static GMemChunk *smb_nt_transact_info_chunk = NULL;
947 static int smb_nt_transact_info_init_count = 200;
949 static GMemChunk *smb_transact2_info_chunk = NULL;
950 static int smb_transact2_info_init_count = 200;
953 * The information we need to save about a Transaction request in order
954 * to dissect the reply; this includes information for use by the
955 * Remote API dissector.
957 static GMemChunk *smb_transact_info_chunk = NULL;
958 static int smb_transact_info_init_count = 200;
/* Pool, list head and count (10) for the conv_tables entries; what an
   entry holds is not visible in this part of the file. */
960 static GMemChunk *conv_tables_chunk = NULL;
961 static GSList *conv_tables = NULL;
962 static int conv_tables_count = 10;
965 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
966 End of request/response matching functions
967 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* Value-to-name table for buffer format codes; only the entry for code 5
   is part of this listing. */
969 static const value_string buffer_format_vals[] = {
974 {5, "Variable Block"},
979 * UTIME - this is *almost* like a UNIX time stamp, except that it's
980 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
981 * January 1, 1970, 00:00:00 GMT.
983 * This means we have to do some extra work to convert it. This code is
984 * based on the Samba code:
986 * Unix SMB/Netbios implementation.
988 * time handling functions
989 * Copyright (C) Andrew Tridgell 1992-1998
993 * Yield the difference between *A and *B, in seconds, ignoring leap
996 #define TM_YEAR_BASE 1900
/*
 * Difference a - b in seconds between two broken-down times, built up
 * from the year, day-of-year, hour, minute and second fields.
 * Neither structure is written to. All arithmetic is done in int.
 * (The line that opens the day-count expression and the return are not
 * part of this listing.)
 */
999 tm_diff(struct tm *a, struct tm *b)
/* tm_year counts from 1900, so ay and by are the calendar year minus one;
   dividing them by 4, 100 and 400 counts the leap days completed before
   each year */
1001 int ay = a->tm_year + (TM_YEAR_BASE - 1);
1002 int by = b->tm_year + (TM_YEAR_BASE - 1);
1003 int intervening_leap_days =
1004 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
1005 int years = ay - by;
1007 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
/* each step converts the running total to the next smaller unit and adds
   that unit's own field difference */
1008 int hours = 24*days + (a->tm_hour - b->tm_hour);
1009 int minutes = 60*hours + (a->tm_min - b->tm_min);
1010 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
1016 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
/*
 * Two statements from the UTC-offset helper (its signature and the lines
 * in between are not part of this listing). The result is tm_diff() of a
 * saved UTC breakdown, tm_utc, and a second breakdown held in tm.
 * NOTE(review): gmtime() returns NULL when the value cannot be converted;
 * confirm that tm is checked before it is copied or passed to tm_diff().
 */
1022 struct tm *tm = gmtime(&t);
1031 return tm_diff(&tm_utc,tm);
1035 * Return the same value as TimeZone, but it should be more efficient.
1037 * We keep a table of DST offsets to prevent calling localtime() on each
1038 * call of this function. This saves a LOT of time on many unixes.
1040 * Updated by Paul Eggert <eggert@twinsun.com>
/*
 * Smallest and largest time_t values. TIME_T_MIN is 0 when time_t is
 * unsigned, otherwise all-ones shifted left until only the top bit
 * remains; TIME_T_MAX is all-ones minus TIME_T_MIN.
 * NOTE(review): for a signed time_t, `~ (time_t) 0 << n` left-shifts a
 * negative value, which ISO C leaves undefined even though common
 * two's-complement compilers give the intended result.
 */
1047 #define TIME_T_MIN ((time_t) ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1048 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)))
1051 #define TIME_T_MAX ((time_t) (~ (time_t) 0 - TIME_T_MIN))
/*
 * Cached zone lookup for time t. A function-static table holds
 * [start, end] time ranges, each with one zone offset; a t inside a cached
 * range reuses that offset, otherwise a new range is added and widened by
 * probing TimeZone() at neighbouring times.
 *
 * NOTE(review): the table is static and modified in place, and no locking
 * is visible, so concurrent calls would race on it.
 * NOTE(review): every miss allocates room for one more entry, and t is
 * reached from packet time fields through LocTimeDiff(), so the table
 * grows with the spread of time values in the capture. The lines that
 * store tdt back into dst_table and update table_size are not part of
 * this listing.
 */
1055 TimeZoneFaster(time_t t)
1057 static struct dst_table {time_t start,end; int zone;} *tdt;
1058 static struct dst_table *dst_table = NULL;
1059 static int table_size = 0;
1066 /* Tunis has a 8 day DST region, we need to be careful ... */
1067 #define MAX_DST_WIDTH (365*24*60*60)
1068 #define MAX_DST_SKIP (7*24*60*60)
/* linear scan for a cached range that contains t */
1070 for (i = 0; i < table_size; i++) {
1071 if (t >= dst_table[i].start && t <= dst_table[i].end)
/* hit: reuse the cached offset */
1075 if (i < table_size) {
1076 zone = dst_table[i].zone;
/* miss: make room for i+1 entries (first allocation or regrow) */
1081 if (dst_table == NULL)
1082 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1084 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
/* seed the new entry with the single point t; it is widened below */
1093 dst_table[i].zone = zone;
1094 dst_table[i].start = dst_table[i].end = t;
1096 /* no entry will cover more than 6 months */
/* search window of half MAX_DST_WIDTH either side of t; any clamping
   against time_t wrap-around is in lines not shown here */
1097 low = t - MAX_DST_WIDTH/2;
1101 high = t + MAX_DST_WIDTH/2;
1106 * Widen the new entry using two bisection searches.
1108 while (low+60*60 < dst_table[i].start) {
1109 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1110 t = dst_table[i].start - MAX_DST_SKIP;
1112 t = low + (dst_table[i].start-low)/2;
1113 if (TimeZone(t) == zone)
1114 dst_table[i].start = t;
1119 while (high-60*60 > dst_table[i].end) {
1120 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1121 t = dst_table[i].end + MAX_DST_SKIP;
1123 t = high - (high-dst_table[i].end)/2;
1124 if (TimeZone(t) == zone)
1125 dst_table[i].end = t;
1135 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1136 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1137 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1138 * daylight savings transitions because some local times are ambiguous.
1139 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
/*
 * Zone offset to use for a local-time value lt. A first estimate d is
 * taken by looking lt up directly; an adjusted time t (computed in a line
 * that is not part of this listing, presumably lt + d) is then looked up
 * again and that second result is returned.
 */
1142 LocTimeDiff(time_t lt)
1144 int d = TimeZoneFaster(lt);
1147 /* if overflow occurred, ignore all the adjustments so far */
/* t should be below lt exactly when d is negative; any other combination
   means the time_t arithmetic wrapped */
1148 if (((t < lt) ^ (d < 0)))
1152 * Now t should be close enough to the true UTC to yield the
1155 return TimeZoneFaster(t);
/*
 * Add the 4-byte little-endian UTIME at `offset` to `tree` as the time
 * field hf_date.
 * The value 0xffffffff is shown as plain text ("No time specified") under
 * the field's registered name. Any other value has LocTimeDiff() of itself
 * added before it is stored in ts.secs and displayed.
 * (Declarations and the return are not part of this listing.)
 */
1159 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1164 timeval = tvb_get_letohl(tvb, offset);
1165 if (timeval == 0xffffffff) {
1166 proto_tree_add_text(tree, tvb, offset, 4,
1167 "%s: No time specified (0xffffffff)",
1168 proto_registrar_get_name(hf_date));
1174 * We add the local time offset.
1176 ts.secs = timeval + LocTimeDiff(timeval);
1179 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
/*
 * Dissect a 4-byte DOS date/time pair at `offset` into the field hf_date,
 * with the two raw 16-bit halves shown beneath it as hf_dos_date and
 * hf_dos_time. time_first tells which half comes first on the wire; both
 * read orders appear below, the if/else lines choosing between them are
 * not part of this listing.
 *
 * 0xffff/0xffff and 0/0 are reported as "No time specified". Other values
 * are unpacked into a struct tm and range-checked before mktime(), since
 * mktime() would quietly normalise out-of-range fields. tm_mon is tested
 * against 0..11 before it indexes the month-length tables, so the table
 * lookup cannot go out of bounds.
 *
 * NOTE(review): the day test only rejects values above the month length.
 * A day field of 0 (dos_date & 0x1f == 0) passes and is left to mktime()
 * to normalise; adding `tm.tm_mday < 1` to the test would close that gap.
 */
1186 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1187 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1189 guint16 dos_time, dos_date;
1190 proto_item *item = NULL;
1191 proto_tree *tree = NULL;
/* days per month for ordinary and leap years */
1194 static const int mday_noleap[12] = {
1195 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1197 static const int mday_leap[12] = {
1198 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1200 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
/* time half first ... */
1204 dos_time = tvb_get_letohs(tvb, offset);
1205 dos_date = tvb_get_letohs(tvb, offset+2);
/* ... or date half first */
1207 dos_date = tvb_get_letohs(tvb, offset);
1208 dos_time = tvb_get_letohs(tvb, offset+2);
1211 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1212 (dos_date == 0 && dos_time == 0)) {
1214 * No date/time specified.
1217 proto_tree_add_text(parent_tree, tvb, offset, 4,
1218 "%s: No time specified (0x%08x)",
1219 proto_registrar_get_name(hf_date),
1220 (dos_date << 16) | dos_time);
/* DOS time: bits 0-4 seconds/2, bits 5-10 minutes, bits 11-15 hours.
   DOS date: bits 0-4 day, bits 5-8 month (1-based), bits 9-15 years
   since 1980. */
1226 tm.tm_sec = (dos_time&0x1f)*2;
1227 tm.tm_min = (dos_time>>5)&0x3f;
1228 tm.tm_hour = (dos_time>>11)&0x1f;
1229 tm.tm_mday = dos_date&0x1f;
1230 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1231 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1235 * Do some sanity checks before calling "mktime()";
1236 * "mktime()" doesn't do them, it "normalizes" out-of-range
1239 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1240 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1241 (ISLEAP(tm.tm_year + 1900) ?
1242 tm.tm_mday > mday_leap[tm.tm_mon] :
1243 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1244 (t = mktime(&tm)) == -1) {
1246 * Invalid date/time.
1249 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1251 proto_registrar_get_name(hf_date));
1252 tree = proto_item_add_subtree(item, ett_smb_time_date);
1254 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1255 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1257 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1258 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
/* valid value: same sub-items, but under a real time item */
1269 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1270 tree = proto_item_add_subtree(item, ett_smb_time_date);
1272 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1273 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1275 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1276 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
/* Display names for the sub-fields of an access word: open mode, sharing
   mode and locality of reference. Some entries and the closing lines of
   each table are not part of this listing. */
1286 static const value_string da_access_vals[] = {
1287 { 0, "Open for reading"},
1288 { 1, "Open for writing"},
1289 { 2, "Open for reading and writing"},
1290 { 3, "Open for execute"},
1293 static const value_string da_sharing_vals[] = {
1294 { 0, "Compatibility mode"},
1295 { 1, "Deny read/write/execute (exclusive)"},
1297 { 3, "Deny read/execute"},
1301 static const value_string da_locality_vals[] = {
1302 { 0, "Locality of reference unknown"},
1303 { 1, "Mainly sequential access"},
1304 { 2, "Mainly random access"},
1305 { 3, "Random access with some locality"},
/* true_false_string pairs: the first string is displayed when the bit is
   set, the second when it is clear */
1308 static const true_false_string tfs_da_caching = {
1309 "Do not cache this file",
1310 "Caching permitted on this file"
1312 static const true_false_string tfs_da_writetru = {
1313 "Write through enabled",
1314 "Write through disabled"
/*
 * Show the 16-bit little-endian access word at `offset` as
 * "<type> Access: 0x...." with one line per sub-field beneath it.
 * `type` is a caller-supplied label that is only ever passed as a %s
 * argument, never as the format string.
 * Every sub-item is given the whole mask; which bits each one reports is
 * decided by the bitmask registered with its hf_ field, outside this
 * listing. (Some lines of the function, including its return, are not
 * shown here.)
 */
1317 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, char *type)
1320 proto_item *item = NULL;
1321 proto_tree *tree = NULL;
1323 mask = tvb_get_letohs(tvb, offset);
1326 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1327 "%s Access: 0x%04x", type, mask);
1328 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1331 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1332 tvb, offset, 2, mask);
1333 proto_tree_add_boolean(tree, hf_smb_access_caching,
1334 tvb, offset, 2, mask);
1335 proto_tree_add_uint(tree, hf_smb_access_locality,
1336 tvb, offset, 2, mask);
1337 proto_tree_add_uint(tree, hf_smb_access_sharing,
1338 tvb, offset, 2, mask);
1339 proto_tree_add_uint(tree, hf_smb_access_mode,
1340 tvb, offset, 2, mask);
/* Bit values of the file attribute mask, one bit per attribute. */
1347 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1348 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1349 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1350 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1351 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1352 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1353 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1354 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1355 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1356 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1357 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1358 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1359 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1360 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1361 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
/* Display strings for the attribute bits: in each pair the first string is
   shown when the bit is set, the second when it is clear. The closing
   lines of the initialisers are not part of this listing. */
1363 static const true_false_string tfs_file_attribute_read_only = {
1364 "This file is READ ONLY",
1365 "This file is NOT read only",
1367 static const true_false_string tfs_file_attribute_hidden = {
1368 "This is a HIDDEN file",
1369 "This is NOT a hidden file"
1371 static const true_false_string tfs_file_attribute_system = {
1372 "This is a SYSTEM file",
1373 "This is NOT a system file"
1375 static const true_false_string tfs_file_attribute_volume = {
1376 "This is a VOLUME ID",
1377 "This is NOT a volume ID"
1379 static const true_false_string tfs_file_attribute_directory = {
1380 "This is a DIRECTORY",
1381 "This is NOT a directory"
1383 static const true_false_string tfs_file_attribute_archive = {
1384 "This file has been modified since last ARCHIVE",
1385 "This file has NOT been modified since last archive"
1387 static const true_false_string tfs_file_attribute_device = {
1389 "This is NOT a device"
1391 static const true_false_string tfs_file_attribute_normal = {
1392 "This file is an ordinary file",
1393 "This file has some attribute set"
1395 static const true_false_string tfs_file_attribute_temporary = {
1396 "This is a TEMPORARY file",
1397 "This is NOT a temporary file"
1399 static const true_false_string tfs_file_attribute_sparse = {
1400 "This is a SPARSE file",
1401 "This is NOT a sparse file"
1403 static const true_false_string tfs_file_attribute_reparse = {
1404 "This file has an associated REPARSE POINT",
1405 "This file does NOT have an associated reparse point"
1407 static const true_false_string tfs_file_attribute_compressed = {
1408 "This is a COMPRESSED file",
1409 "This is NOT a compressed file"
1411 static const true_false_string tfs_file_attribute_offline = {
1412 "This file is OFFLINE",
1413 "This file is NOT offline"
1415 static const true_false_string tfs_file_attribute_not_content_indexed = {
1416 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1417 "This file MAY be indexed by the content indexing service"
1419 static const true_false_string tfs_file_attribute_encrypted = {
1420 "This is an ENCRYPTED file",
1421 "This is NOT an encrypted file"
1425 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1426 * listed as USHORT, and seem to be in packets in the wild, while in other
1427 * places they are listed as ULONG, and also seem to be.
1429 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
/*
 * Show the file attribute field at `offset` as "File Attributes: 0x..."
 * with one boolean line per attribute bit. `bytes` is the width of the
 * field on the wire and must be 2 or 4; any other value is reported on
 * stderr (what happens after the message is not part of this listing).
 *
 * NOTE(review): only 16 bits are read even when bytes is 4, so the upper
 * half of a 4-byte field is never fetched although the item spans `bytes`
 * bytes and is printed with %08x. The existing FIXME covers this.
 * NOTE(review): the stderr message is a programming-error diagnostic for a
 * bad caller argument; it does not depend on packet contents.
 */
1434 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1438 proto_item *item = NULL;
1439 proto_tree *tree = NULL;
1441 if (bytes != 2 && bytes != 4) {
1443 fprintf(stderr, "Incorrect number of bytes passed to dissect_file_attributes.\nMust be 2 or 4, was %d\n", bytes);
1449 * The actual bits of interest appear to only be a USHORT
1451 /* FIXME if this ever changes! */
1452 mask = tvb_get_letohs(tvb, offset);
1455 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1456 "File Attributes: 0x%08x", mask);
1457 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
/* each call passes the whole mask; the hf_ field's registered bitmask
   (outside this listing) selects the bit that line reports */
1459 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1460 tvb, offset, bytes, mask);
1461 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1462 tvb, offset, bytes, mask);
1463 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1464 tvb, offset, bytes, mask);
1465 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1466 tvb, offset, bytes, mask);
1467 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1468 tvb, offset, bytes, mask);
1469 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1470 tvb, offset, bytes, mask);
1471 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1472 tvb, offset, bytes, mask);
1473 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1474 tvb, offset, bytes, mask);
1475 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1476 tvb, offset, bytes, mask);
1477 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1478 tvb, offset, bytes, mask);
1479 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1480 tvb, offset, bytes, mask);
1481 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1482 tvb, offset, bytes, mask);
1483 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1484 tvb, offset, bytes, mask);
1485 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1486 tvb, offset, bytes, mask);
1487 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1488 tvb, offset, bytes, mask);
/*
 * Show the 32-bit little-endian extended file attribute field at `offset`
 * as "File Attributes: 0x........" with one boolean line per attribute bit,
 * using the hf_smb_file_eattr_* fields.
 * Each call passes the whole mask; the bit a line reports is selected by
 * the bitmask registered with its hf_ field, outside this listing.
 * (Some lines of the function, including its return, are not shown here.)
 */
1497 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1500 proto_item *item = NULL;
1501 proto_tree *tree = NULL;
1503 mask = tvb_get_letohl(tvb, offset);
1506 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1507 "File Attributes: 0x%08x", mask);
1508 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1512 * XXX - Network Monitor disagrees on some of the
1513 * bits, e.g. the bits above temporary are "atomic write"
1514 * and "transaction write", and it says nothing about the
1517 * Does the Win32 API documentation, or the NT Native API book,
1520 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1521 tvb, offset, 4, mask);
1522 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1523 tvb, offset, 4, mask);
1524 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1525 tvb, offset, 4, mask);
1526 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1527 tvb, offset, 4, mask);
1528 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1529 tvb, offset, 4, mask);
1530 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1531 tvb, offset, 4, mask);
1532 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1533 tvb, offset, 4, mask);
1534 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1535 tvb, offset, 4, mask);
1536 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1537 tvb, offset, 4, mask);
1538 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1539 tvb, offset, 4, mask);
1540 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1541 tvb, offset, 4, mask);
1542 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1543 tvb, offset, 4, mask);
1544 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1545 tvb, offset, 4, mask);
1546 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1547 tvb, offset, 4, mask);
1548 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1549 tvb, offset, 4, mask);
/*
 * Show the one-byte file attribute field at `offset` as
 * "File Attributes: 0x.." with a boolean line for each of the six 8-bit
 * attribute fields (read only, hidden, system, volume, directory, archive).
 * Each call passes the whole mask; the bit a line reports is selected by
 * the bitmask registered with its hf_ field, outside this listing.
 * (Some lines of the function, including its return, are not shown here.)
 */
1557 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1560 proto_item *item = NULL;
1561 proto_tree *tree = NULL;
1563 mask = tvb_get_guint8(tvb, offset);
1566 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1567 "File Attributes: 0x%02x", mask);
1568 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1570 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1571 tvb, offset, 1, mask);
1572 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1573 tvb, offset, 1, mask);
1574 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1575 tvb, offset, 1, mask);
1576 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1577 tvb, offset, 1, mask);
1578 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1579 tvb, offset, 1, mask);
1580 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1581 tvb, offset, 1, mask);
/* Display strings for the search attribute bits: in each pair the first
   string is shown when the bit is set, the second when it is clear. The
   closing lines of the initialisers are not part of this listing. */
1588 static const true_false_string tfs_search_attribute_read_only = {
1589 "Include READ ONLY files in search results",
1590 "Do NOT include read only files in search results",
1592 static const true_false_string tfs_search_attribute_hidden = {
1593 "Include HIDDEN files in search results",
1594 "Do NOT include hidden files in search results"
1596 static const true_false_string tfs_search_attribute_system = {
1597 "Include SYSTEM files in search results",
1598 "Do NOT include system files in search results"
1600 static const true_false_string tfs_search_attribute_volume = {
1601 "Include VOLUME IDs in search results",
1602 "Do NOT include volume IDs in search results"
1604 static const true_false_string tfs_search_attribute_directory = {
1605 "Include DIRECTORIES in search results",
1606 "Do NOT include directories in search results"
1608 static const true_false_string tfs_search_attribute_archive = {
1609 "Include ARCHIVE files in search results",
1610 "Do NOT include archive files in search results"
/*
 * Show the 16-bit little-endian search attribute field at `offset` as
 * "Search Attributes: 0x...." with one boolean line per attribute bit.
 * Each call passes the whole mask; the bit a line reports is selected by
 * the bitmask registered with its hf_ field, outside this listing.
 * (Some lines of the function, including its return, are not shown here.)
 */
1614 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1617 proto_item *item = NULL;
1618 proto_tree *tree = NULL;
1620 mask = tvb_get_letohs(tvb, offset);
1623 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1624 "Search Attributes: 0x%04x", mask);
1625 tree = proto_item_add_subtree(item, ett_smb_search);
1628 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1629 tvb, offset, 2, mask);
1630 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1631 tvb, offset, 2, mask);
1632 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1633 tvb, offset, 2, mask);
1634 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1635 tvb, offset, 2, mask);
1636 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1637 tvb, offset, 2, mask);
1638 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1639 tvb, offset, 2, mask);
1647 * XXX - this isn't used.
1648 * Is this used for anything? NT Create AndX doesn't use it.
1649 * Is there some 16-bit attribute field with more bits than Read Only,
1650 * Hidden, System, Volume ID, Directory, and Archive?
/*
 * Show a file attribute field at `offset` as "File Attributes: 0x........"
 * with one boolean line per attribute bit.
 *
 * NOTE(review): the widths disagree. The mask is read with a 32-bit fetch
 * and printed with %08x, but the text item and every boolean are declared
 * 2 bytes long and the 16-bit hf_ fields are used. On a buffer that ends
 * right after a 2-byte field the 4-byte fetch would go past the available
 * data; tvb accessors bounds-check, so this would surface as a dissection
 * exception rather than a memory over-read. Decide whether the field is 2
 * or 4 bytes and make the fetch, the lengths and the format agree.
 * (Some lines of the function, including its return, are not shown here.)
 */
1653 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1656 proto_item *item = NULL;
1657 proto_tree *tree = NULL;
1659 mask = tvb_get_letohl(tvb, offset);
1662 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1663 "File Attributes: 0x%08x", mask);
1664 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1666 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1667 tvb, offset, 2, mask);
1668 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1669 tvb, offset, 2, mask);
1670 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1671 tvb, offset, 2, mask);
1672 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1673 tvb, offset, 2, mask);
1674 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1675 tvb, offset, 2, mask);
1676 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1677 tvb, offset, 2, mask);
1678 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1679 tvb, offset, 2, mask);
1680 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1681 tvb, offset, 2, mask);
1682 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1683 tvb, offset, 2, mask);
1684 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1685 tvb, offset, 2, mask);
1686 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1687 tvb, offset, 2, mask);
1688 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1689 tvb, offset, 2, mask);
1690 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1691 tvb, offset, 2, mask);
1692 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1693 tvb, offset, 2, mask);
1694 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1695 tvb, offset, 2, mask);
/* Bit values of the 32-bit server capabilities mask. */
1704 #define SERVER_CAP_RAW_MODE 0x00000001
1705 #define SERVER_CAP_MPX_MODE 0x00000002
1706 #define SERVER_CAP_UNICODE 0x00000004
1707 #define SERVER_CAP_LARGE_FILES 0x00000008
1708 #define SERVER_CAP_NT_SMBS 0x00000010
1709 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1710 #define SERVER_CAP_STATUS32 0x00000040
1711 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1712 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1713 #define SERVER_CAP_NT_FIND 0x00000200
1714 #define SERVER_CAP_DFS 0x00001000
1715 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1716 #define SERVER_CAP_LARGE_READX 0x00004000
1717 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1718 #define SERVER_CAP_UNIX 0x00800000
1719 #define SERVER_CAP_RESERVED 0x02000000
1720 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1721 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1722 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
/* Display strings for the capability bits: in each pair the first string
   is shown when the bit is set, the second when it is clear. Some lines of
   the initialisers are not part of this listing. */
1723 static const true_false_string tfs_server_cap_raw_mode = {
1724 "Read Raw and Write Raw are supported",
1725 "Read Raw and Write Raw are not supported"
1727 static const true_false_string tfs_server_cap_mpx_mode = {
1728 "Read Mpx and Write Mpx are supported",
1729 "Read Mpx and Write Mpx are not supported"
1731 static const true_false_string tfs_server_cap_unicode = {
1732 "Unicode strings are supported",
1733 "Unicode strings are not supported"
1735 static const true_false_string tfs_server_cap_large_files = {
1736 "Large files are supported",
1737 "Large files are not supported",
1739 static const true_false_string tfs_server_cap_nt_smbs = {
1740 "NT SMBs are supported",
1741 "NT SMBs are not supported"
1743 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1744 "RPC remote APIs are supported",
1745 "RPC remote APIs are not supported"
1747 static const true_false_string tfs_server_cap_nt_status = {
1748 "NT status codes are supported",
1749 "NT status codes are not supported"
1751 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1752 "Level 2 oplocks are supported",
1753 "Level 2 oplocks are not supported"
1755 static const true_false_string tfs_server_cap_lock_and_read = {
1756 "Lock and Read is supported",
1757 "Lock and Read is not supported"
1759 static const true_false_string tfs_server_cap_nt_find = {
1760 "NT Find is supported",
1761 "NT Find is not supported"
1763 static const true_false_string tfs_server_cap_dfs = {
1765 "Dfs is not supported"
1767 static const true_false_string tfs_server_cap_infolevel_passthru = {
1768 "NT information level request passthrough is supported",
1769 "NT information level request passthrough is not supported"
1771 static const true_false_string tfs_server_cap_large_readx = {
1772 "Large Read andX is supported",
1773 "Large Read andX is not supported"
1775 static const true_false_string tfs_server_cap_large_writex = {
1776 "Large Write andX is supported",
1777 "Large Write andX is not supported"
1779 static const true_false_string tfs_server_cap_unix = {
1780 "UNIX extensions are supported",
1781 "UNIX extensions are not supported"
1783 static const true_false_string tfs_server_cap_reserved = {
1787 static const true_false_string tfs_server_cap_bulk_transfer = {
1788 "Bulk Read and Bulk Write are supported",
1789 "Bulk Read and Bulk Write are not supported"
1791 static const true_false_string tfs_server_cap_compressed_data = {
1792 "Compressed data transfer is supported",
1793 "Compressed data transfer is not supported"
1795 static const true_false_string tfs_server_cap_extended_security = {
1796 "Extended security exchanges are supported",
1797 "Extended security exchanges are not supported"
/*
 * Show the 32-bit little-endian capabilities field at `offset` as
 * "Capabilities: 0x........" with one boolean line per capability bit.
 * Each call passes the whole mask; the bit a line reports is selected by
 * the bitmask registered with its hf_ field, outside this listing.
 * (Some lines of the function, including its return, are not shown here.)
 */
1800 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1803 proto_item *item = NULL;
1804 proto_tree *tree = NULL;
1806 mask = tvb_get_letohl(tvb, offset);
1809 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1810 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1813 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1814 tvb, offset, 4, mask);
1815 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1816 tvb, offset, 4, mask);
1817 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1818 tvb, offset, 4, mask);
1819 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1820 tvb, offset, 4, mask);
1821 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1822 tvb, offset, 4, mask);
1823 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1824 tvb, offset, 4, mask);
1825 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1826 tvb, offset, 4, mask);
1827 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1828 tvb, offset, 4, mask);
1829 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1830 tvb, offset, 4, mask);
1831 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1832 tvb, offset, 4, mask);
1833 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1834 tvb, offset, 4, mask);
1835 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1836 tvb, offset, 4, mask);
1837 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1838 tvb, offset, 4, mask);
1839 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1840 tvb, offset, 4, mask);
1841 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1842 tvb, offset, 4, mask);
1843 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1844 tvb, offset, 4, mask);
1845 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1846 tvb, offset, 4, mask);
1847 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1848 tvb, offset, 4, mask);
1849 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1850 tvb, offset, 4, mask);
/* Bits of the Raw Mode field and their display strings (first string when
   the bit is set, second when it is clear). */
1855 #define RAWMODE_READ 0x01
1856 #define RAWMODE_WRITE 0x02
1857 static const true_false_string tfs_rm_read = {
1858 "Read Raw is supported",
1859 "Read Raw is not supported"
1861 static const true_false_string tfs_rm_write = {
1862 "Write Raw is supported",
1863 "Write Raw is not supported"
/*
 * Show the 16-bit little-endian Raw Mode field at `offset` as
 * "Raw Mode: 0x...." with one boolean line each for read and write.
 * Both calls pass the whole mask; the bit a line reports is selected by
 * the bitmask registered with its hf_ field, outside this listing.
 * (Some lines of the function, including its return, are not shown here.)
 */
1867 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1870 proto_item *item = NULL;
1871 proto_tree *tree = NULL;
1873 mask = tvb_get_letohs(tvb, offset);
1876 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1877 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1880 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1881 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
/*
 * Bits of the Security Mode field and their display strings (first string
 * when the bit is set, second when it is clear).
 * Reading a capture: a clear password bit is displayed as "PLAINTEXT
 * password" and a clear sig-required bit as "Security signatures NOT
 * required"; both lines are worth checking when auditing what a server
 * negotiated.
 */
1888 #define SECURITY_MODE_MODE 0x01
1889 #define SECURITY_MODE_PASSWORD 0x02
1890 #define SECURITY_MODE_SIGNATURES 0x04
1891 #define SECURITY_MODE_SIG_REQUIRED 0x08
1892 static const true_false_string tfs_sm_mode = {
1893 "USER security mode",
1894 "SHARE security mode"
1896 static const true_false_string tfs_sm_password = {
1897 "ENCRYPTED password. Use challenge/response",
1898 "PLAINTEXT password"
1900 static const true_false_string tfs_sm_signatures = {
1901 "Security signatures ENABLED",
1902 "Security signatures NOT enabled"
1904 static const true_false_string tfs_sm_sig_required = {
1905 "Security signatures REQUIRED",
1906 "Security signatures NOT required"
/*
 * Show the Security Mode field at `offset`. Two layouts are handled: a
 * 16-bit field with only the mode and password bits, and an 8-bit field
 * that also carries the two signature bits. The lines that choose between
 * them are not part of this listing; presumably the choice is made on
 * `wc` - TODO confirm.
 * Each call passes the whole mask; the bit a line reports is selected by
 * the bitmask registered with its hf_ field, outside this listing.
 */
1910 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
1913 proto_item *item = NULL;
1914 proto_tree *tree = NULL;
/* 16-bit layout: no signature bits are shown */
1918 mask = tvb_get_letohs(tvb, offset);
1919 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1920 "Security Mode: 0x%04x", mask);
1921 tree = proto_item_add_subtree(item, ett_smb_mode);
1922 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
1923 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
/* 8-bit layout: mode, password and both signature bits */
1928 mask = tvb_get_guint8(tvb, offset);
1929 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1930 "Security Mode: 0x%02x", mask);
1931 tree = proto_item_add_subtree(item, ett_smb_mode);
1932 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
1933 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
1934 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
1935 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
/* Dissect the Negotiate Protocol request: a "Requested Dialects" subtree
 * covering bc bytes, holding one "Dialect: <name>" entry per dialect
 * (the loop itself is not shown in this listing).  Each entry is a
 * buffer-format byte followed by a NUL-terminated dialect name. */
1944 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
1946 proto_item *it = NULL;
1947 proto_tree *tr = NULL;
1956 it = proto_tree_add_text(tree, tvb, offset, bc,
1957 "Requested Dialects");
1958 tr = proto_item_add_subtree(it, ett_smb_dialects);
1964 proto_item *dit = NULL;
1965 proto_tree *dtr = NULL;
/* NOTE(review): len is whatever tvb_strsize() measures up to the NUL found
 * in the packet (it throws if there is none before the end of the buffer),
 * and it is only compared with bc by CHECK_BYTE_COUNT(len) further down,
 * after str has already been fetched and printed with "%s".  The name is
 * raw packet data and reaches the tree text without format_text()
 * escaping, unlike the Info-column strings elsewhere in this file. */
1967 /* XXX - what if this runs past bc? */
1968 len = tvb_strsize(tvb, offset+1);
1969 str = tvb_get_ptr(tvb, offset+1, len);
1972 dit = proto_tree_add_text(tr, tvb, offset, len+1,
1973 "Dialect: %s", str);
1974 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
1978 CHECK_BYTE_COUNT(1);
1979 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
1984 CHECK_BYTE_COUNT(len);
1985 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
/* Dissect the Negotiate Protocol response.
 *
 * Visible steps: read the 2-byte little-endian dialect index and label it
 * (0xffff is shown as index -1); then, for each word-count layout (the
 * selection on wc is in lines not shown here), show the security mode, the
 * buffer / multiplex / VC limits, raw mode or server capabilities, the
 * session key, server time and time zone, and the encryption key length
 * (ekl, 2 bytes in one layout and 1 byte in the other).
 *
 * The byte-count part then holds either the challenge ("encryption key",
 * ekl bytes) followed by the primary domain and server name strings, or,
 * when SERVER_CAP_EXTENDED_SECURITY is set in caps, a 16-byte server GUID
 * and a security blob that is apparently passed on to the dissector behind
 * gssapi_handle.
 *
 * NOTE(review): ekl and the blob length are taken from the packet.  Each
 * use of ekl as an item length is preceded by CHECK_BYTE_COUNT(ekl) (macro
 * defined elsewhere in the file).  The blob length is clamped to
 * tvb_length_remaining() so that a short frame still shows the captured
 * part; tvb_length_remaining() returns -1 for an offset beyond the buffer,
 * so confirm the type of sbloblen and the check that precedes the clamp,
 * neither of which is visible in this listing.
 *
 * si->ct->raw_ntlmssp is set to 0 after a blob has been dissected and to 1
 * on the no-blob path; per the comments in the body this tells later
 * routines which form of NTLMSSP to expect on this connection.
 */
1996 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
1998 smb_info_t *si = pinfo->private_data;
2011 dialect = tvb_get_letohs(tvb, offset);
2014 if(dialect==0xffff){
2015 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2016 tvb, offset, 2, dialect,
2017 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2019 proto_tree_add_uint(tree, hf_smb_dialect_index,
2020 tvb, offset, 2, dialect);
2024 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2025 tvb, offset, 2, dialect,
2026 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2029 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2030 tvb, offset, 2, dialect,
2031 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2034 proto_tree_add_text(tree, tvb, offset, wc*2,
2035 "Words for unknown response format");
2044 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2046 /* Maximum Transmit Buffer Size */
2047 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2048 tvb, offset, 2, TRUE);
2051 /* Maximum Multiplex Count */
2052 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2053 tvb, offset, 2, TRUE);
2056 /* Maximum Vcs Number */
2057 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2058 tvb, offset, 2, TRUE);
2062 offset = dissect_negprot_rawmode(tvb, tree, offset);
2065 proto_tree_add_item(tree, hf_smb_session_key,
2066 tvb, offset, 4, TRUE);
2069 /* current time and date at server */
2070 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2074 tz = tvb_get_letohs(tvb, offset);
2075 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2078 /* encryption key length */
2079 ekl = tvb_get_letohs(tvb, offset);
2080 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2083 /* 2 reserved bytes */
2084 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2091 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2093 /* Maximum Multiplex Count */
2094 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2095 tvb, offset, 2, TRUE);
2098 /* Maximum Vcs Number */
2099 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2100 tvb, offset, 2, TRUE);
2103 /* Maximum Transmit Buffer Size */
2104 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2105 tvb, offset, 4, TRUE);
2108 /* maximum raw buffer size */
2109 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2110 tvb, offset, 4, TRUE);
2114 proto_tree_add_item(tree, hf_smb_session_key,
2115 tvb, offset, 4, TRUE);
2118 /* server capabilities */
2119 caps = dissect_negprot_capabilities(tvb, tree, offset);
2123 offset = dissect_nt_64bit_time(tvb, tree, offset,
2124 hf_smb_system_time);
2127 tz = tvb_get_letohs(tvb, offset);
2128 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2130 "Server Time Zone: %d min from UTC", tz);
2133 /* encryption key length */
2134 ekl = tvb_get_guint8(tvb, offset);
2135 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2136 tvb, offset, 1, ekl);
2146 /* challenge/response encryption key */
2148 CHECK_BYTE_COUNT(ekl);
2149 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2156 * XXX - not present if negotiated dialect isn't
2157 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2158 * have to see the request, or assume what dialect strings
2159 * were sent, to determine that.
2161 * Is this something other than a primary domain if the
2162 * negotiated dialect is Windows for Workgroups 3.1a?
2163 * It appears to be 8 bytes of binary data in at least
2164 * one capture - is that an encryption key or something
2167 dn = get_unicode_or_ascii_string(tvb, &offset,
2168 si->unicode, &dn_len, FALSE, FALSE, &bc);
2171 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2173 COUNT_BYTES(dn_len);
2177 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2178 /* challenge/response encryption key */
2179 /* XXX - is this aligned on an even boundary? */
2181 CHECK_BYTE_COUNT(ekl);
2182 proto_tree_add_item(tree, hf_smb_encryption_key,
2183 tvb, offset, ekl, TRUE);
2188 /* this string is special, unicode is flagged in caps */
2189 /* This string is NOT padded to be 16bit aligned.
2190 (seen in actual capture)
2191 XXX - I've seen a capture where it appears to be
2192 so aligned, but I've also seen captures where
2193 it is. The captures where it appeared to be
2194 aligned may have been from buggy servers. */
2195 /* However, don't get rid of existing setting */
2196 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2199 dn = get_unicode_or_ascii_string(tvb,
2200 &offset, si->unicode, &dn_len, TRUE, FALSE,
2204 proto_tree_add_string(tree, hf_smb_primary_domain,
2205 tvb, offset, dn_len, dn);
2206 COUNT_BYTES(dn_len);
2208 /* server name, seen in w2k pro capture */
2209 dn = get_unicode_or_ascii_string(tvb,
2210 &offset, si->unicode, &dn_len, TRUE, FALSE,
2214 proto_tree_add_string(tree, hf_smb_server,
2215 tvb, offset, dn_len, dn);
2216 COUNT_BYTES(dn_len);
2219 proto_item *blob_item;
2223 /* XXX - show it in the standard Microsoft format
2225 CHECK_BYTE_COUNT(16);
2226 proto_tree_add_item(tree, hf_smb_server_guid,
2227 tvb, offset, 16, TRUE);
2231 /* If it runs past the end of the captured data, don't
2232 * try to put all of it into the protocol tree as the
2233 * raw security blob; we might get an exception on
2234 * short frames and then we will not see anything at all
2235 * of the security blob.
2238 if(sbloblen>tvb_length_remaining(tvb, offset)){
2239 sbloblen=tvb_length_remaining(tvb,offset);
2241 blob_item = proto_tree_add_item(
2242 tree, hf_smb_security_blob,
2243 tvb, offset, sbloblen, TRUE);
2246 * If Extended security and BCC == 16, then raw
2247 * NTLMSSP is in use. We need to save this info
2251 tvbuff_t *gssapi_tvb;
2252 proto_tree *gssapi_tree;
2254 gssapi_tree = proto_item_add_subtree(
2255 blob_item, ett_smb_secblob);
2258 * Set the reported length of this to
2259 * the reported length of the blob,
2260 * rather than the amount of data
2261 * available from the blob, so that
2262 * we'll throw the right exception if
2265 gssapi_tvb = tvb_new_subset(
2266 tvb, offset, sbloblen, bc);
2269 gssapi_handle, gssapi_tvb, pinfo,
2273 si->ct->raw_ntlmssp = 0;
2280 * There is no blob. We just have to make sure
2281 * that subsequent routines know to call the
2286 si->ct->raw_ntlmssp = 1;
/* Dissect a request whose byte-count part is a buffer-format byte followed
 * by a directory name (ASCII or Unicode according to si->unicode).  The
 * name is added to the tree and, escaped by format_text(), appended to the
 * Info column.
 * NOTE(review): dn is passed to strlen(); the check that dn is not NULL
 * after get_unicode_or_ascii_string() is presumably in a line this listing
 * does not show.  pinfo is dereferenced although it is tagged _U_. */
2300 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2302 smb_info_t *si = pinfo->private_data;
2313 CHECK_BYTE_COUNT(1);
2314 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2318 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2322 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2324 COUNT_BYTES(dn_len);
2326 if (check_col(pinfo->cinfo, COL_INFO)) {
2327 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s",
2328 format_text(dn, strlen(dn)));
/* Dissector with the common (tvb, pinfo, tree, offset, smb_tree) signature;
 * presumably for messages with nothing beyond the word and byte counts.
 * The body is not shown in this listing. */
2337 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* Dissect the Echo request: a 2-byte little-endian echo count, then bc
 * bytes of echo data shown as one item. */
2352 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2360 ec = tvb_get_letohs(tvb, offset);
2361 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2368 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/* Dissect the Echo response: a 2-byte echo sequence number, then bc bytes
 * of echo data shown as one item. */
2378 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2385 /* echo sequence number */
2386 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2393 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/* Dissect the Tree Connect request.  The byte-count part holds three
 * fields, each introduced by a buffer-format byte: the path (ASCII or
 * Unicode per si->unicode, also appended to the Info column through
 * format_text()), the ANSI password, and the service name. */
2403 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2405 smb_info_t *si = pinfo->private_data;
2416 CHECK_BYTE_COUNT(1);
2417 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2421 an = get_unicode_or_ascii_string(tvb, &offset,
2422 si->unicode, &an_len, FALSE, FALSE, &bc);
2425 proto_tree_add_string(tree, hf_smb_path, tvb,
2426 offset, an_len, an);
2427 COUNT_BYTES(an_len);
2429 if (check_col(pinfo->cinfo, COL_INFO)) {
2430 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2431 format_text(an, strlen(an)));
2435 CHECK_BYTE_COUNT(1);
2436 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* NOTE(review): pwlen is measured by tvb_strsize() up to the NUL found in
 * the packet, which may lie beyond bc; it is compared with bc by the
 * CHECK_BYTE_COUNT(pwlen) that follows, before the item is added.
 * The password bytes are shown verbatim.  When the server negotiated
 * PLAINTEXT passwords this is the share password itself, so capture files
 * containing this command are credential material. */
2439 /* password, ANSI */
2440 /* XXX - what if this runs past bc? */
2441 pwlen = tvb_strsize(tvb, offset);
2442 CHECK_BYTE_COUNT(pwlen);
2443 proto_tree_add_item(tree, hf_smb_password,
2444 tvb, offset, pwlen, TRUE);
2448 CHECK_BYTE_COUNT(1);
2449 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2454 * XXX - the SNIA CIFS spec "Strings that are never passed in
2455 * Unicode are: ... The service name string in the
2456 * Tree_Connect_AndX SMB". Is that claim false?
2458 an = get_unicode_or_ascii_string(tvb, &offset,
2459 si->unicode, &an_len, FALSE, FALSE, &bc);
2462 proto_tree_add_string(tree, hf_smb_service, tvb,
2463 offset, an_len, an);
2464 COUNT_BYTES(an_len);
/* Dissect the Tree Connect response: a 2-byte maximum buffer size and the
 * 2-byte TID assigned to the connection. */
2472 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2479 /* Maximum Buffer Size */
2480 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2484 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
/* Display strings for the Open Function word: the "create" bit and the
 * values of the "open" sub-field (0, 1 and 2 are the entries visible in
 * this listing). */
2495 static const true_false_string tfs_of_create = {
2496 "Create file if it does not exist",
2497 "Fail if file does not exist"
2499 static const value_string of_open[] = {
2500 { 0, "Fail if file exists"},
2501 { 1, "Open file if it exists"},
2502 { 2, "Truncate file if it exists"},
/* Show the 2-byte little-endian Open Function word at offset: an
 * "Open Function: 0x...." item under parent_tree with the create bit and
 * the open sub-field beneath it.  Both sub-items are given the whole word;
 * the bits each one displays are selected by its field registration, which
 * is not in this part of the file. */
2506 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2509 proto_item *item = NULL;
2510 proto_tree *tree = NULL;
2512 mask = tvb_get_letohs(tvb, offset);
2515 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2516 "Open Function: 0x%04x", mask);
2517 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2520 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2521 tvb, offset, 2, mask);
2522 proto_tree_add_uint(tree, hf_smb_open_function_open,
2523 tvb, offset, 2, mask);
/* Display strings for the Move flags: target-must-be-file,
 * target-must-be-directory and verify-all-writes, each as set / clear. */
2531 static const true_false_string tfs_mf_file = {
2532 "Target must be a file",
2533 "Target needn't be a file"
2535 static const true_false_string tfs_mf_dir = {
2536 "Target must be a directory",
2537 "Target needn't be a directory"
2539 static const true_false_string tfs_mf_verify = {
2540 "MUST verify all writes",
2541 "Don't have to verify writes"
/* Show the 2-byte little-endian Move flags word at offset: a
 * "Flags: 0x...." item under parent_tree with the verify, directory and
 * file bits beneath it.  Shares the ett_smb_move_copy_flags subtree type
 * with dissect_copy_flags(). */
2544 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2547 proto_item *item = NULL;
2548 proto_tree *tree = NULL;
2550 mask = tvb_get_letohs(tvb, offset);
2553 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2554 "Flags: 0x%04x", mask);
2555 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2558 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2559 tvb, offset, 2, mask);
2560 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2561 tvb, offset, 2, mask);
2562 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2563 tvb, offset, 2, mask);
/* Display strings for the Copy flags.  Only the strings of the tree-copy
 * bit are visible in this listing; those of tfs_cf_mode and
 * tfs_cf_ea_action are not shown. */
2570 static const true_false_string tfs_cf_mode = {
2574 static const true_false_string tfs_cf_tree_copy = {
2575 "Copy is a tree copy",
2576 "Copy is a file copy"
2578 static const true_false_string tfs_cf_ea_action = {
/* Show the 2-byte little-endian Copy flags word at offset: a
 * "Flags: 0x...." item under parent_tree with seven booleans beneath it
 * (EA action, tree copy, verify, source mode, destination mode, directory,
 * file).  Every sub-item is given the whole word; the bit it displays is
 * selected by its field registration, which is not in this part of the
 * file. */
2583 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2586 proto_item *item = NULL;
2587 proto_tree *tree = NULL;
2589 mask = tvb_get_letohs(tvb, offset);
2592 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2593 "Flags: 0x%04x", mask);
2594 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2597 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2598 tvb, offset, 2, mask);
2599 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2600 tvb, offset, 2, mask);
2601 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2602 tvb, offset, 2, mask);
2603 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2604 tvb, offset, 2, mask);
2605 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2606 tvb, offset, 2, mask);
2607 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2608 tvb, offset, 2, mask);
2609 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2610 tvb, offset, 2, mask);
/* Dissect the Move request: the target TID (2 bytes, little-endian), the
 * Open Function word and the Move flags, then in the byte-count part two
 * names, each introduced by a buffer-format byte: the old file name and the
 * new file name.  Both names go into the tree and the Info column after
 * format_text() escaping, since they are packet-supplied strings. */
2618 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2620 smb_info_t *si = pinfo->private_data;
2630 tid = tvb_get_letohs(tvb, offset);
2631 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2632 "TID (target): 0x%04x", tid);
2636 offset = dissect_open_function(tvb, tree, offset);
2639 offset = dissect_move_flags(tvb, tree, offset);
2644 CHECK_BYTE_COUNT(1);
2645 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2649 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2653 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2654 fn_len, fn, "Old File Name: %s", format_text(fn, strlen(fn)));
2655 COUNT_BYTES(fn_len);
2657 if (check_col(pinfo->cinfo, COL_INFO)) {
2658 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
2659 format_text(fn, strlen(fn)));
2663 CHECK_BYTE_COUNT(1);
2664 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2668 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2672 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2673 fn_len, fn, "New File Name: %s", format_text(fn, strlen(fn)));
2674 COUNT_BYTES(fn_len);
2676 if (check_col(pinfo->cinfo, COL_INFO)) {
2677 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
2678 format_text(fn, strlen(fn)));
/* Dissect the Copy request: the target TID (2 bytes, little-endian), the
 * Open Function word and the Copy flags, then in the byte-count part two
 * names, each introduced by a buffer-format byte: the source file name and
 * the destination file name.  Both names go into the tree and the Info
 * column after format_text() escaping. */
2687 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2689 smb_info_t *si = pinfo->private_data;
2699 tid = tvb_get_letohs(tvb, offset);
2700 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2701 "TID (target): 0x%04x", tid);
2705 offset = dissect_open_function(tvb, tree, offset);
2708 offset = dissect_copy_flags(tvb, tree, offset);
2713 CHECK_BYTE_COUNT(1);
2714 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2718 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2722 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2723 fn_len, fn, "Source File Name: %s", format_text(fn, strlen(fn)));
2724 COUNT_BYTES(fn_len);
2726 if (check_col(pinfo->cinfo, COL_INFO)) {
2727 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s",
2728 format_text(fn, strlen(fn)));
2732 CHECK_BYTE_COUNT(1);
2733 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2737 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2741 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2742 fn_len, fn, "Destination File Name: %s",
2743 format_text(fn, strlen(fn)));
2744 COUNT_BYTES(fn_len);
2746 if (check_col(pinfo->cinfo, COL_INFO)) {
2747 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s",
2748 format_text(fn, strlen(fn)));
/* Dissect the response shared by Move and Copy: a 2-byte count of files
 * moved, then in the byte-count part a buffer-format byte and a file name
 * (ASCII or Unicode per si->unicode) added to the tree. */
2757 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2759 smb_info_t *si = pinfo->private_data;
2767 /* # of files moved */
2768 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
2774 CHECK_BYTE_COUNT(1);
2775 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2779 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2783 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2785 COUNT_BYTES(fn_len);
/* Dissect the Open File request: the desired access word and the search
 * attributes, then in the byte-count part a buffer-format byte and the file
 * name.  The name is added to the tree and, escaped by format_text(),
 * appended to the Info column as ", Path: ...". */
2793 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2795 smb_info_t *si = pinfo->private_data;
2803 /* desired access */
2804 offset = dissect_access(tvb, tree, offset, "Desired");
2806 /* Search Attributes */
2807 offset = dissect_search_attributes(tvb, tree, offset);
2812 CHECK_BYTE_COUNT(1);
2813 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2817 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2821 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2823 COUNT_BYTES(fn_len);
2825 if (check_col(pinfo->cinfo, COL_INFO)) {
2826 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2827 format_text(fn, strlen(fn)));
/* Add the FID to the tree as an hf_smb_fid item covering len bytes at
 * offset, and append ", FID: 0x...." to the Info column when that column
 * is in use.  Callers that show a FID remembered from another packet pass
 * offset 0 and len 0, as dissect_read_file_response() does. */
2836 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2837 int len, guint16 fid)
2839 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2840 if (check_col(pinfo->cinfo, COL_INFO))
2841 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
/* Dissect the Open File response: the 2-byte FID, the file attributes, the
 * last write time, a 4-byte file size and the granted access word.
 * pinfo is passed to add_fid() although it is tagged _U_ here. */
2845 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2854 fid = tvb_get_letohs(tvb, offset);
2855 add_fid(tvb, pinfo, tree, offset, 2, fid);
2858 /* File Attributes */
2859 offset = dissect_file_attributes(tvb, tree, offset, 2);
2861 /* last write time */
2862 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
2865 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2868 /* granted access */
2869 offset = dissect_access(tvb, tree, offset, "Granted");
/* Dissect a message whose visible content is just a 2-byte little-endian
 * FID, shown through add_fid(). */
2879 dissect_fid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2888 fid = tvb_get_letohs(tvb, offset);
2889 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* Dissect the Create File request: the file attributes and the creation
 * time, then in the byte-count part a buffer-format byte and the file name.
 * The name is added to the tree and, escaped by format_text(), appended to
 * the Info column as ", Path: ...". */
2900 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2902 smb_info_t *si = pinfo->private_data;
2910 /* file attributes */
2911 offset = dissect_file_attributes(tvb, tree, offset, 2);
2914 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
2919 CHECK_BYTE_COUNT(1);
2920 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2924 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2928 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2930 COUNT_BYTES(fn_len);
2932 if (check_col(pinfo->cinfo, COL_INFO)) {
2933 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2934 format_text(fn, strlen(fn)));
/* Dissect the Close File request: the 2-byte little-endian FID, shown
 * through add_fid(), followed by the last write time. */
2943 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2951 fid = tvb_get_letohs(tvb, offset);
2952 add_fid(tvb, pinfo, tree, offset, 2, fid);
2955 /* last write time */
2956 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/* Dissect the Delete File request: the search attributes, then in the
 * byte-count part a buffer-format byte and the file name.  The name is
 * added to the tree and, escaped by format_text(), appended to the Info
 * column as ", Path: ...". */
2966 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2968 smb_info_t *si = pinfo->private_data;
2976 /* search attributes */
2977 offset = dissect_search_attributes(tvb, tree, offset);
2982 CHECK_BYTE_COUNT(1);
2983 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2987 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2991 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2993 COUNT_BYTES(fn_len);
2995 if (check_col(pinfo->cinfo, COL_INFO)) {
2996 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2997 format_text(fn, strlen(fn)));
/* Dissect the Rename File request: the search attributes, then in the
 * byte-count part two names, each introduced by a buffer-format byte: the
 * old file name (hf_smb_old_file_name) and the new one (hf_smb_file_name).
 * Both are appended to the Info column after format_text() escaping. */
3006 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3008 smb_info_t *si = pinfo->private_data;
3016 /* search attributes */
3017 offset = dissect_search_attributes(tvb, tree, offset);
3022 CHECK_BYTE_COUNT(1);
3023 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3027 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3031 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3033 COUNT_BYTES(fn_len);
3035 if (check_col(pinfo->cinfo, COL_INFO)) {
3036 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3037 format_text(fn, strlen(fn)));
3041 CHECK_BYTE_COUNT(1);
3042 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3046 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3050 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3052 COUNT_BYTES(fn_len);
3054 if (check_col(pinfo->cinfo, COL_INFO)) {
3055 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3056 format_text(fn, strlen(fn)));
/* Dissect the NT Rename File request: the search attributes, a 2-byte
 * little-endian rename level and a 4-byte cluster count, then in the
 * byte-count part the old and new file names, each introduced by a
 * buffer-format byte.  Both names are appended to the Info column after
 * format_text() escaping. */
3065 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3067 smb_info_t *si = pinfo->private_data;
3075 /* search attributes */
3076 offset = dissect_search_attributes(tvb, tree, offset);
3078 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3081 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3087 CHECK_BYTE_COUNT(1);
3088 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3092 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3096 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3098 COUNT_BYTES(fn_len);
3100 if (check_col(pinfo->cinfo, COL_INFO)) {
3101 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3102 format_text(fn, strlen(fn)));
3106 CHECK_BYTE_COUNT(1);
3107 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3111 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3115 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3117 COUNT_BYTES(fn_len);
3119 if (check_col(pinfo->cinfo, COL_INFO)) {
3120 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3121 format_text(fn, strlen(fn)));
/* Dissect the Query Information request: in the byte-count part, a
 * buffer-format byte and the file name.  The name is added to the tree and,
 * escaped by format_text(), appended to the Info column as ", Path: ...". */
3131 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3133 smb_info_t *si = pinfo->private_data;
3144 CHECK_BYTE_COUNT(1);
3145 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3149 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3153 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3155 COUNT_BYTES(fn_len);
3157 if (check_col(pinfo->cinfo, COL_INFO)) {
3158 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3159 format_text(fn, strlen(fn)));
/* Dissect the Query Information response: the file attributes, the last
 * write time, a 4-byte file size and 10 reserved bytes. */
3168 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3175 /* File Attributes */
3176 offset = dissect_file_attributes(tvb, tree, offset, 2);
3178 /* Last Write Time */
3179 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3182 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3185 /* 10 reserved bytes */
3186 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
/* Dissect the Set Information request: the file attributes, the last write
 * time and 10 reserved bytes, then in the byte-count part a buffer-format
 * byte and the file name.  The name is added to the tree and, escaped by
 * format_text(), appended to the Info column as ", Path: ...". */
3197 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3199 smb_info_t *si = pinfo->private_data;
3207 /* file attributes */
3208 offset = dissect_file_attributes(tvb, tree, offset, 2);
3210 /* last write time */
3211 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3213 /* 10 reserved bytes */
3214 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3220 CHECK_BYTE_COUNT(1);
3221 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3225 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3229 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3231 COUNT_BYTES(fn_len);
3233 if (check_col(pinfo->cinfo, COL_INFO)) {
3234 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3235 format_text(fn, strlen(fn)));
/* Dissect the Read File request: the 2-byte FID, a 2-byte count, a 4-byte
 * file offset and a 2-byte "remaining" field, all little-endian.  Count and
 * offset are also summarised in the Info column.  On the first pass over
 * the frame the FID is remembered so the response can be labelled with
 * it. */
3244 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3255 fid = tvb_get_letohs(tvb, offset);
3256 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
/* NOTE(review): the FID is stored by value in the pointer-typed extra_info
 * (no allocation) and read back with an (int) cast in
 * dissect_read_file_response().  Integer/pointer casts of different widths
 * draw warnings on LP64 targets; GUINT_TO_POINTER / GPOINTER_TO_UINT are
 * the GLib idiom for this. */
3258 if (!pinfo->fd->flags.visited) {
3259 /* remember the FID for the processing of the response */
3260 si = (smb_info_t *)pinfo->private_data;
3261 si->sip->extra_info=(void *)fid;
3265 cnt = tvb_get_letohs(tvb, offset);
3266 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3270 ofs = tvb_get_letohl(tvb, offset);
3271 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3274 if (check_col(pinfo->cinfo, COL_INFO))
3275 col_append_fstr(pinfo->cinfo, COL_INFO,
3276 ", %u byte%s at offset %u", cnt,
3277 (cnt == 1) ? "" : "s", ofs);
3280 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/* Show file data carried in the byte-count part: any leading padding
 * (bc - datalen bytes), then the data itself.  When fewer bytes were
 * captured than bc announces, the captured part is shown and labelled
 * "Incomplete"; otherwise bc bytes are added as one item.
 *
 * NOTE(review): bc and datalen are both packet-derived guint16 values.
 * The condition that guards the subtraction and the one that selects the
 * "Incomplete" branch are in lines this listing does not show; confirm
 * that the padding branch only runs when bc > datalen.  The callers
 * visible in this part of the file pass bc for both, so the padding is
 * zero there. */
3291 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3296 /* We have some initial padding bytes. */
3297 /* XXX - use the data offset here instead? */
3298 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3300 offset += bc-datalen;
3303 tvblen = tvb_length_remaining(tvb, offset);
3305 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3308 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
/* Hand file data that is believed to be DCERPC over a pipe to
 * dissect_pipe_dcerpc().  Leading padding (bc - datalen bytes) is shown
 * first; the rest is wrapped in a new tvbuff whose captured length is what
 * tvb_length_remaining() reports and whose reported length is bc, so the
 * sub-dissector sees how much data the message claims as well as how much
 * was captured.
 * NOTE(review): as in dissect_file_data(), the guard on bc > datalen is in
 * a line not shown here. */
3315 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3316 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3319 tvbuff_t *dcerpc_tvb;
3322 /* We have some initial padding bytes. */
3323 /* XXX - use the data offset here instead? */
3324 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3326 offset += bc-datalen;
3329 tvblen = tvb_length_remaining(tvb, offset);
3330 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3331 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3340 * transporting DCERPC over SMB seems to be implemented in various
3341 * ways. We might just assume it can be done by an almost random
3342 * mix of Trans/Read/Write calls
3344 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
3345 * and let him sort them out
/* Route file data to the DCERPC pipe dissector or to the plain file-data
 * display.  The DCERPC path is taken only when the saved request info
 * exists, its flags carry SMB_SIF_TID_IS_IPC and the file offset ofs is 0;
 * everything else is shown as ordinary file data. */
3348 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
3349 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
3350 guint16 datalen, guint32 ofs, guint16 fid)
3352 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3354 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3356 return dissect_file_data_dcerpc(tvb, pinfo, tree,
3357 top_tree, offset, bc, datalen, fid);
3359 /* ordinary file data */
3360 return dissect_file_data(tvb, tree, offset, bc, datalen);
/* Dissect the Read File response: a 2-byte count and 8 reserved bytes,
 * then in the byte-count part a buffer-format byte, a 2-byte data length
 * and the file data, which may be DCERPC on a pipe.
 *
 * If the matching request was seen (si->sip is set and frame_req > 0), the
 * FID saved by dissect_read_file_request() is shown as a zero-length item
 * at offset 0, since the response itself does not carry it.
 * NOTE(review): the FID comes back through an (int) cast of the
 * pointer-typed extra_info; see the matching store in the request
 * dissector.  The data is passed on with bc as both byte count and data
 * length and with a file offset of 0. */
3365 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3369 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3375 cnt = tvb_get_letohs(tvb, offset);
3376 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3379 /* 8 reserved bytes */
3380 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3383 /* If we have seen the request, then print which FID this refers to */
3384 /* first check if we have seen the request */
3385 if(si->sip != NULL && si->sip->frame_req>0){
3386 fid=(int)si->sip->extra_info;
3387 add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
3393 CHECK_BYTE_COUNT(1);
3394 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3398 CHECK_BYTE_COUNT(2);
3399 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3402 /* file data, might be DCERPC on a pipe */
3404 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3405 top_tree, offset, bc, bc, 0, (guint16) fid);
/* Dissect the Lock And Read response: a 2-byte count and 8 reserved bytes,
 * then in the byte-count part a buffer-format byte and a 2-byte data
 * length.  No file data item is visible in this listing. */
3415 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3423 cnt = tvb_get_letohs(tvb, offset);
3424 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3427 /* 8 reserved bytes */
3428 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3434 CHECK_BYTE_COUNT(1);
3435 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3439 CHECK_BYTE_COUNT(2);
3440 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/* Dissect the Write File request: the 2-byte FID, a 2-byte count, a 4-byte
 * file offset and a 2-byte "remaining" field, then in the byte-count part a
 * buffer-format byte, a 2-byte data length and the file data.  Count and
 * offset are summarised in the Info column.  The data is passed on with
 * the request's own file offset, so the DCERPC path in
 * dissect_file_data_maybe_dcerpc() is only considered for writes at
 * offset 0. */
3450 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3453 guint16 cnt=0, bc, fid=0;
3459 fid = tvb_get_letohs(tvb, offset);
3460 add_fid(tvb, pinfo, tree, offset, 2, fid);
3464 cnt = tvb_get_letohs(tvb, offset);
3465 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3469 ofs = tvb_get_letohl(tvb, offset);
3470 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3473 if (check_col(pinfo->cinfo, COL_INFO))
3474 col_append_fstr(pinfo->cinfo, COL_INFO,
3475 ", %u byte%s at offset %u", cnt,
3476 (cnt == 1) ? "" : "s", ofs);
3479 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3485 CHECK_BYTE_COUNT(1);
3486 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3490 CHECK_BYTE_COUNT(2);
3491 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3494 /* file data, might be DCERPC on a pipe */
3496 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3497 top_tree, offset, bc, bc, ofs, fid);
/* Dissect the Write File response: a 2-byte little-endian count of bytes,
 * shown in the tree and appended to the Info column. */
3507 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3515 cnt = tvb_get_letohs(tvb, offset);
3516 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3519 if (check_col(pinfo->cinfo, COL_INFO))
3520 col_append_fstr(pinfo->cinfo, COL_INFO,
3521 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
/* Dissect the Lock request: the 2-byte FID, then a 4-byte count and a
 * 4-byte offset, all little-endian. */
3531 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3539 fid = tvb_get_letohs(tvb, offset);
3540 add_fid(tvb, pinfo, tree, offset, 2, fid);
3544 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3548 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Dissect the Create Temporary request: 2 reserved bytes and the creation
 * time, then in the byte-count part a buffer-format byte and the directory
 * name.  The name is added to the tree and, escaped by format_text(),
 * appended to the Info column as ", Path: ...". */
3559 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3561 smb_info_t *si = pinfo->private_data;
3569 /* 2 reserved bytes */
3570 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3574 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3579 CHECK_BYTE_COUNT(1);
3580 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3583 /* directory name */
3584 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3588 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3590 COUNT_BYTES(fn_len);
3592 if (check_col(pinfo->cinfo, COL_INFO)) {
3593 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3594 format_text(fn, strlen(fn)));
/*
 * Dissect a Create Temporary response: FID, buffer format byte and the file
 * name string.
 * Only part of the body appears on this page.
 */
3603 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3605 smb_info_t *si = pinfo->private_data;
3614 fid = tvb_get_letohs(tvb, offset);
3615 add_fid(tvb, pinfo, tree, offset, 2, fid);
3621 CHECK_BYTE_COUNT(1);
3622 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* the name is decoded as Unicode or ASCII according to si->unicode;
 * fn_len receives the length used for the tree item and for COUNT_BYTES */
3626 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3630 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3632 COUNT_BYTES(fn_len);
/* Display strings for the seek mode values 0..2 (the table's closing lines
 * are not shown on this page). */
3639 static const value_string seek_mode_vals[] = {
3640 {0, "From Start Of File"},
3641 {1, "From Current Position"},
3642 {2, "From End Of File"},
/*
 * Dissect a Seek File request: FID, 2-byte seek mode and 4-byte offset.
 * Only part of the body appears on this page.
 */
3647 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3655 fid = tvb_get_letohs(tvb, offset);
3656 add_fid(tvb, pinfo, tree, offset, 2, fid);
3660 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3664 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Dissect a Seek File response: a single 4-byte little-endian offset field
 * is visible in the lines shown. */
3675 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3683 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/*
 * Dissect a Set Information2 request: FID followed by three DOS date/time
 * pairs (create, access, last write), each decoded by dissect_smb_datetime,
 * which returns the updated offset.
 * Only part of the body appears on this page.
 */
3694 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3702 fid = tvb_get_letohs(tvb, offset);
3703 add_fid(tvb, pinfo, tree, offset, 2, fid);
3707 offset = dissect_smb_datetime(tvb, tree, offset,
3709 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3712 offset = dissect_smb_datetime(tvb, tree, offset,
3714 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3716 /* last write time */
3717 offset = dissect_smb_datetime(tvb, tree, offset,
3718 hf_smb_last_write_time,
3719 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
/*
 * Dissect a Query Information2 response: three DOS date/time pairs (create,
 * access, last write), 4-byte data size, 4-byte allocation size and the file
 * attributes.
 * Only part of the body appears on this page.
 */
3729 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3737 offset = dissect_smb_datetime(tvb, tree, offset,
3739 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3742 offset = dissect_smb_datetime(tvb, tree, offset,
3744 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3746 /* last write time */
3747 offset = dissect_smb_datetime(tvb, tree, offset,
3748 hf_smb_last_write_time,
3749 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3752 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3755 /* allocation size */
3756 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3759 /* File Attributes */
3760 offset = dissect_file_attributes(tvb, tree, offset, 2);
/*
 * Dissect a Write And Close request: FID, 2-byte count, 4-byte offset, last
 * write time, 12 reserved bytes, a padding byte and the file data.
 * Only part of the body appears on this page.
 */
3770 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3779 fid = tvb_get_letohs(tvb, offset);
3780 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* cnt is the data length claimed by the packet */
3784 cnt = tvb_get_letohs(tvb, offset);
3785 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3789 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3792 /* last write time */
3793 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3796 /* 12 reserved bytes */
3797 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3804 CHECK_BYTE_COUNT(1);
3805 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
/* NOTE(review): the other dissect_file_data callers in this chunk pass the
 * remaining byte count (bc) as the fourth argument; here the packet-supplied
 * cnt is passed for both arguments, so any bound on the read has to come
 * from dissect_file_data itself (defined outside this chunk) - confirm */
3808 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
/* Dissect a Write And Close response: a 2-byte little-endian count field is
 * visible in the lines shown. */
3817 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3825 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
/*
 * Dissect a Read Raw request: FID, 4-byte offset, max and min counts, a
 * 32-bit timeout, 2 reserved bytes and a 4-byte high offset.
 * Only part of the body appears on this page.
 */
3836 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3845 fid = tvb_get_letohs(tvb, offset);
3846 add_fid(tvb, pinfo, tree, offset, 2, fid);
3850 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3854 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3858 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
/* the timeout is read as a 32-bit little-endian value and rendered through
 * time_msecs_to_str() */
3862 to = tvb_get_letohl(tvb, offset);
3863 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3866 /* 2 reserved bytes */
3867 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3872 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/*
 * Dissect a Query Information Disk response: four 2-byte fields (units,
 * blocks per unit, block size, free units) and 2 reserved bytes.
 * Only part of the body appears on this page.
 */
3884 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3892 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3896 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3900 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3904 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3907 /* 2 reserved bytes */
3908 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/*
 * Dissect a Read MPX request: FID, 4-byte offset, max and min counts and 6
 * reserved bytes.
 * Only part of the body appears on this page.
 */
3919 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3927 fid = tvb_get_letohs(tvb, offset);
3928 add_fid(tvb, pinfo, tree, offset, 2, fid);
3932 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3936 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3940 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3943 /* 6 reserved bytes */
3944 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
/*
 * Dissect a Read MPX response: offset, count, reserved bytes, data
 * compaction mode, data length and data offset, followed by the file data.
 * Only part of the body appears on this page.
 */
3955 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3957 guint16 datalen=0, bc;
3963 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3967 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3970 /* 2 reserved bytes */
3971 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3974 /* data compaction mode */
3975 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
3978 /* 2 reserved bytes */
3979 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* datalen is the length the packet claims for the data that follows */
3983 datalen = tvb_get_letohs(tvb, offset);
3984 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* the data offset field is displayed but, in the lines shown, not used to
 * locate the data */
3988 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
/* both the byte count (bc) and the claimed datalen are handed over;
 * presumably dissect_file_data reconciles the two - confirm */
3994 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Display strings for the write-mode flag bits, followed by the bit masks
 * that dissect_write_mode tests. In each true_false_string the first string
 * is the "bit set" text and the second the "bit clear" text.
 * The closing lines of each initializer are not shown on this page.
 */
4003 static const true_false_string tfs_write_mode_write_through = {
4004 "WRITE THROUGH requested",
4005 "Write through not requested"
4007 static const true_false_string tfs_write_mode_return_remaining = {
4008 "RETURN REMAINING (pipe/dev) requested",
4009 "DON'T return remaining (pipe/dev)"
4011 static const true_false_string tfs_write_mode_raw = {
4012 "Use WriteRawNamedPipe (pipe)",
4013 "DON'T use WriteRawNamedPipe (pipe)"
4015 static const true_false_string tfs_write_mode_message_start = {
4016 "This is the START of a MESSAGE (pipe)",
4017 "This is NOT the start of a message (pipe)"
4019 static const true_false_string tfs_write_mode_connectionless = {
4020 "CONNECTIONLESS mode requested",
4021 "Connectionless mode NOT requested"
/* bit masks within the 16-bit write mode word */
4024 #define WRITE_MODE_CONNECTIONLESS 0x0080
4025 #define WRITE_MODE_MESSAGE_START 0x0008
4026 #define WRITE_MODE_RAW 0x0004
4027 #define WRITE_MODE_RETURN_REMAINING 0x0002
4028 #define WRITE_MODE_WRITE_THROUGH 0x0001
/*
 * Dissect the 16-bit write mode word into a "Write Mode" subtree.
 * bm selects which flag bits get a line in the subtree; the callers visible
 * in this chunk pass 0x0003 and 0x0083. mask is the value read from the
 * packet and is what each boolean item is decoded from.
 * Only part of the body appears on this page.
 */
4031 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4034 proto_item *item = NULL;
4035 proto_tree *tree = NULL;
4037 mask = tvb_get_letohs(tvb, offset);
4040 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4041 "Write Mode: 0x%04x", mask);
4042 tree = proto_item_add_subtree(item, ett_smb_rawmode);
/* each test is on bm (the caller's selection), not on the packet value */
4045 if(bm&WRITE_MODE_CONNECTIONLESS){
4046 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4047 tvb, offset, 2, mask);
4049 if(bm&WRITE_MODE_MESSAGE_START){
4050 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4051 tvb, offset, 2, mask);
4053 if(bm&WRITE_MODE_RAW){
4054 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4055 tvb, offset, 2, mask);
4057 if(bm&WRITE_MODE_RETURN_REMAINING){
4058 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4059 tvb, offset, 2, mask);
4061 if(bm&WRITE_MODE_WRITE_THROUGH){
4062 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4063 tvb, offset, 2, mask);
/*
 * Dissect a Write Raw request: FID, total data length, reserved bytes,
 * offset, timeout, write mode, reserved bytes, data length and data offset,
 * followed by the file data.
 * Only part of the body appears on this page.
 */
4071 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4074 guint16 datalen=0, bc, fid;
4080 fid = tvb_get_letohs(tvb, offset);
4081 add_fid(tvb, pinfo, tree, offset, 2, fid);
4084 /* total data length */
4085 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4088 /* 2 reserved bytes */
4089 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4093 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4097 to = tvb_get_letohl(tvb, offset);
4098 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/* 0x0003 selects the write-through and return-remaining bits for display */
4102 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4104 /* 4 reserved bytes */
4105 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* datalen is the length the packet claims for the data that follows */
4109 datalen = tvb_get_letohs(tvb, offset);
4110 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4114 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4120 /* XXX - use the data offset to determine where the data starts? */
/* bc and the claimed datalen are both passed; presumably dissect_file_data
 * reconciles them - confirm */
4121 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/* Dissect a Write Raw response: a 2-byte little-endian "remaining" field is
 * visible in the lines shown. */
4130 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4138 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Dissect a Write MPX request: FID, total data length, reserved bytes,
 * offset, timeout, write mode, request mask, data length and data offset,
 * followed by the file data.
 * Only part of the body appears on this page.
 */
4149 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4152 guint16 datalen=0, bc, fid;
4158 fid = tvb_get_letohs(tvb, offset);
4159 add_fid(tvb, pinfo, tree, offset, 2, fid);
4162 /* total data length */
4163 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4166 /* 2 reserved bytes */
4167 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4171 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4175 to = tvb_get_letohl(tvb, offset);
4176 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/* 0x0083 adds the connectionless bit to the two bits shown for Write Raw */
4180 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
4183 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
/* datalen is the length the packet claims for the data that follows */
4187 datalen = tvb_get_letohs(tvb, offset);
4188 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4192 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4198 /* XXX - use the data offset to determine where the data starts? */
/* bc and the claimed datalen are both passed; presumably dissect_file_data
 * reconciles them - confirm */
4199 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/* Dissect a Write MPX response: a 4-byte little-endian response mask is
 * visible in the lines shown. */
4208 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4216 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
/* Dissect a 2-byte little-endian search ID (hf_smb_search_id); this is the
 * only field visible in the lines shown. */
4227 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4235 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/*
 * Dissect a search resume key into its own subtree: a reserved byte, the
 * file name, then the server and client cookies.
 * bcp and trunc are in/out parameters shared with the caller; the *_SUBR
 * macros that use them are defined outside this chunk (presumably they check
 * and decrement *bcp and set *trunc when the data runs out - confirm).
 * Only part of the body appears on this page.
 */
4246 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4247 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4248 gboolean has_find_id)
4250 proto_item *item = NULL;
4251 proto_tree *tree = NULL;
4252 smb_info_t *si = pinfo->private_data;
/* the subtree item is created with a fixed length of 21 bytes */
4258 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4260 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4264 CHECK_BYTE_COUNT_SUBR(1);
4265 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4266 COUNT_BYTES_SUBR(1);
4270 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4272 CHECK_STRING_SUBR(fn);
4273 /* ensure that it's null-terminated */
/* strncpy() does not write a terminator when fn holds 11 or more bytes, so
 * the termination the comment above refers to must come from a line not
 * shown here; confirm fname has room for 12 bytes and that byte 11 is set
 * to '\0' before fname is used below */
4274 strncpy(fname, fn, 11);
4276 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4278 COUNT_BYTES_SUBR(fn_len);
/* two layouts follow: a 1-byte find id plus a 4-byte server cookie, or a
 * 5-byte server cookie; presumably has_find_id selects between them (the
 * branch lines are not shown) */
4281 CHECK_BYTE_COUNT_SUBR(1);
4282 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
4283 COUNT_BYTES_SUBR(1);
4286 CHECK_BYTE_COUNT_SUBR(4);
4287 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
4288 COUNT_BYTES_SUBR(4);
4291 CHECK_BYTE_COUNT_SUBR(5);
4292 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4293 COUNT_BYTES_SUBR(5);
4297 CHECK_BYTE_COUNT_SUBR(4);
4298 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4299 COUNT_BYTES_SUBR(4);
/*
 * Dissect one directory-information entry into its own subtree: the resume
 * key, file attributes, last write time, 4-byte file size and file name.
 * bcp and trunc are passed through to dissect_search_resume_key and are
 * used by the *_SUBR macros (defined outside this chunk).
 * Only part of the body appears on this page.
 */
4306 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4307 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4308 gboolean has_find_id)
4310 proto_item *item = NULL;
4311 proto_tree *tree = NULL;
4312 smb_info_t *si = pinfo->private_data;
/* the subtree item is created with a fixed length of 46 bytes */
4318 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4319 "Directory Information");
4320 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4324 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
4325 trunc, has_find_id);
4329 /* File Attributes */
4330 CHECK_BYTE_COUNT_SUBR(1);
4331 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
4334 /* last write time */
4335 CHECK_BYTE_COUNT_SUBR(4);
4336 offset = dissect_smb_datetime(tvb, tree, offset,
4337 hf_smb_last_write_time,
4338 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4343 CHECK_BYTE_COUNT_SUBR(4);
4344 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4345 COUNT_BYTES_SUBR(4);
4349 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4351 CHECK_STRING_SUBR(fn);
4352 /* ensure that it's null-terminated */
/* strncpy() does not write a terminator when fn holds 13 or more bytes, so
 * the termination the comment above refers to must come from a line not
 * shown here; confirm fname has room for 14 bytes and that byte 13 is set
 * to '\0' before fname is used below */
4353 strncpy(fname, fn, 13);
4355 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4357 COUNT_BYTES_SUBR(fn_len);
/*
 * Shared dissector for the Search, Find and Find Close requests: max count,
 * search attributes, buffer format and file name (also appended to the Info
 * column), then a second buffer format byte, the resume key length and the
 * resume key itself. has_find_id is forwarded to dissect_search_resume_key.
 * Only part of the body appears on this page.
 */
4365 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
4366 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4367 gboolean has_find_id)
4369 smb_info_t *si = pinfo->private_data;
4380 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4383 /* Search Attributes */
4384 offset = dissect_search_attributes(tvb, tree, offset);
4389 CHECK_BYTE_COUNT(1);
4390 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4394 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4398 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4400 COUNT_BYTES(fn_len);
/* fn is packet-controlled text: it goes through format_text() before it
 * reaches the Info column. strlen(fn) needs fn to be non-NULL; the NULL
 * check is not among the lines shown - confirm it exists */
4402 if (check_col(pinfo->cinfo, COL_INFO)) {
4403 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
4404 format_text(fn, strlen(fn)));
4408 CHECK_BYTE_COUNT(1);
4409 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4412 /* resume key length */
4413 CHECK_BYTE_COUNT(2);
/* rkl is the resume key length claimed by the packet; in the lines shown
 * it is displayed, and the key itself is bounded by bc, not by rkl */
4414 rkl = tvb_get_letohs(tvb, offset);
4415 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4420 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4421 &bc, &trunc, has_find_id);
/* Search request: forwards to dissect_search_find_request; the remaining
 * arguments (including has_find_id) are on a line not shown on this page. */
4432 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4433 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4435 return dissect_search_find_request(tvb, pinfo, tree, offset,
/* Find request: forwards to dissect_search_find_request; the remaining
 * arguments (including has_find_id) are on a line not shown on this page. */
4440 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4441 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4443 return dissect_search_find_request(tvb, pinfo, tree, offset,
/* Find Close request: forwards to dissect_search_find_request; the remaining
 * arguments (including has_find_id) are on a line not shown on this page. */
4448 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4449 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4451 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Shared dissector for the Search and Find responses: entry count, buffer
 * format byte, data length, then directory-information entries decoded by
 * dissect_search_dir_info. has_find_id is forwarded to that helper.
 * Only part of the body appears on this page.
 */
4456 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4457 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4458 gboolean has_find_id)
/* count is the number of entries claimed by the packet */
4468 count = tvb_get_letohs(tvb, offset);
4469 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4475 CHECK_BYTE_COUNT(1);
4476 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4480 CHECK_BYTE_COUNT(2);
4481 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/* presumably called once per entry (the loop is not shown); bc and trunc
 * are passed by address so the helper can report running out of data */
4485 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4486 &bc, &trunc, has_find_id);
/* Search response: forwards to dissect_search_find_response; the final
 * argument (has_find_id) is on a line not shown on this page. */
4497 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4499 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/* Find response: forwards to dissect_search_find_response; the final
 * argument (has_find_id) is on a line not shown on this page. */
4504 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4506 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/*
 * Dissect a Find Close response: 2 reserved bytes, buffer format byte, data
 * length, and - when the length is non-zero - that many bytes shown as a
 * reserved item.
 * Only part of the body appears on this page.
 */
4511 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4512 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4521 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4527 CHECK_BYTE_COUNT(1);
4528 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4532 CHECK_BYTE_COUNT(2);
/* NOTE(review): this is the only 16-bit field in this chunk read with
 * tvb_get_ntohs (big-endian); every other one uses tvb_get_letohs - confirm
 * the byte order is intended */
4533 data_len = tvb_get_ntohs(tvb, offset);
4534 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
/* the packet-supplied length is checked against the byte count before the
 * bytes are added to the tree */
4537 if (data_len != 0) {
4538 CHECK_BYTE_COUNT(data_len);
4539 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
4541 COUNT_BYTES(data_len);
/*
 * Display strings for the Locking AndX oplock level and for the lock type
 * flag bits. In each true_false_string the first string is the "bit set"
 * text and the second the "bit clear" text.
 * The closing lines of each initializer are not shown on this page.
 */
4549 static const value_string locking_ol_vals[] = {
4550 {0, "Client is not holding oplock on this file"},
4551 {1, "Level 2 oplock currently held by client"},
4555 static const true_false_string tfs_lock_type_large = {
4556 "Large file locking format requested",
4557 "Large file locking format not requested"
4559 static const true_false_string tfs_lock_type_cancel = {
4560 "Cancel outstanding lock request",
4561 "Don't cancel outstanding lock request"
4563 static const true_false_string tfs_lock_type_change = {
4565 "Don't change lock type"
4567 static const true_false_string tfs_lock_type_oplock = {
4568 "This is an oplock break notification/response",
4569 "This is not an oplock break notification/response"
4571 static const true_false_string tfs_lock_type_shared = {
4572 "This is a shared lock",
4573 "This is an exclusive lock"
/*
 * Dissect a Locking AndX request: the AndX header (next command, reserved
 * byte, AndX offset), FID, lock type flags, oplock level, timeout, the
 * numbers of unlocks and locks, then the unlock and lock entries in either
 * the large (20-byte) or the normal (10-byte) format, and finally the
 * chained AndX command.
 * Every value used here (cmd, andxoffset, lt, un, ln) is read from the
 * packet. Only part of the body appears on this page; the loop headers and
 * the large/normal branch lines are among the lines not shown.
 */
4576 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4578 guint8 wc, cmd=0xff, lt=0;
4579 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4581 proto_item *litem = NULL;
4582 proto_tree *ltree = NULL;
4583 proto_item *it = NULL;
4584 proto_tree *tr = NULL;
4585 int old_offset = offset;
4589 /* next smb command */
4590 cmd = tvb_get_guint8(tvb, offset);
4592 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4594 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4599 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4603 andxoffset = tvb_get_letohs(tvb, offset);
4604 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4608 fid = tvb_get_letohs(tvb, offset);
4609 add_fid(tvb, pinfo, tree, offset, 2, fid);
/* lt holds the lock type flags; all five flag bits are decoded from it */
4613 lt = tvb_get_guint8(tvb, offset);
4615 litem = proto_tree_add_text(tree, tvb, offset, 1,
4616 "Lock Type: 0x%02x", lt);
4617 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4619 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4620 tvb, offset, 1, lt);
4621 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4622 tvb, offset, 1, lt);
4623 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4624 tvb, offset, 1, lt);
4625 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4626 tvb, offset, 1, lt);
4627 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4628 tvb, offset, 1, lt);
4632 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
/* timeout: 0 and 0xffffffff get fixed labels, anything else is rendered
 * through time_msecs_to_str() */
4636 to = tvb_get_letohl(tvb, offset);
4638 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4639 else if (to == 0xffffffff)
4640 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4642 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/* un and ln are entry counts claimed by the packet; each field read in the
 * entry sections below is preceded by a CHECK_BYTE_COUNT, which is what
 * keeps a large count from reading past the data (the macro is defined
 * outside this chunk - confirm its behaviour) */
4645 /* number of unlocks */
4646 un = tvb_get_letohs(tvb, offset);
4647 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4650 /* number of locks */
4651 ln = tvb_get_letohs(tvb, offset);
4652 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4659 old_offset = offset;
4661 it = proto_tree_add_text(tree, tvb, offset, -1,
4663 tr = proto_item_add_subtree(it, ett_smb_unlocks);
/* these two declarations shadow the litem/ltree declared at function scope */
4665 proto_item *litem = NULL;
4666 proto_tree *ltree = NULL;
4671 /* large lock format */
4672 litem = proto_tree_add_text(tr, tvb, offset, 20,
4674 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4677 CHECK_BYTE_COUNT(2);
4678 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4681 /* 2 reserved bytes */
4682 CHECK_BYTE_COUNT(2);
4683 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* NOTE(review): in this (unlock) section the top byte of each 32-bit word
 * is stored at buf[3] / buf[7]; the lock section further down stores it at
 * buf[0] / buf[4]. Both feed u64toa(), so one of the two orders displays
 * the 64-bit value wrongly - confirm against u64toa's expected layout */
4687 CHECK_BYTE_COUNT(8);
4688 val=tvb_get_letohl(tvb, offset);
4689 buf[3]=(val>>24)&0xff;
4690 buf[2]=(val>>16)&0xff;
4691 buf[1]=(val>> 8)&0xff;
4693 val=tvb_get_letohl(tvb, offset+4);
4694 buf[7]=(val>>24)&0xff;
4695 buf[6]=(val>>16)&0xff;
4696 buf[5]=(val>> 8)&0xff;
4698 proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
4702 CHECK_BYTE_COUNT(8);
4703 val=tvb_get_letohl(tvb, offset);
4704 buf[3]=(val>>24)&0xff;
4705 buf[2]=(val>>16)&0xff;
4706 buf[1]=(val>> 8)&0xff;
4708 val=tvb_get_letohl(tvb, offset+4);
4709 buf[7]=(val>>24)&0xff;
4710 buf[6]=(val>>16)&0xff;
4711 buf[5]=(val>> 8)&0xff;
4713 proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
4716 /* normal lock format */
4717 litem = proto_tree_add_text(tr, tvb, offset, 10,
4719 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4722 CHECK_BYTE_COUNT(2);
4723 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4727 CHECK_BYTE_COUNT(4);
4728 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4732 CHECK_BYTE_COUNT(4);
4733 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
/* the unlocks item was created with length -1; fix it up to the bytes used */
4737 proto_item_set_len(it, offset-old_offset);
4743 old_offset = offset;
4745 it = proto_tree_add_text(tree, tvb, offset, -1,
4747 tr = proto_item_add_subtree(it, ett_smb_locks);
/* these two declarations shadow the litem/ltree declared at function scope */
4749 proto_item *litem = NULL;
4750 proto_tree *ltree = NULL;
4755 /* large lock format */
4756 litem = proto_tree_add_text(tr, tvb, offset, 20,
4758 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4761 CHECK_BYTE_COUNT(2);
4762 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4765 /* 2 reserved bytes */
4766 CHECK_BYTE_COUNT(2);
4767 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* here the top byte of each 32-bit word goes to buf[0] / buf[4], the
 * reverse of the unlock section above (see the NOTE there) */
4771 CHECK_BYTE_COUNT(8);
4772 val=tvb_get_letohl(tvb, offset);
4774 buf[2]=(val>> 8)&0xff;
4775 buf[1]=(val>>16)&0xff;
4776 buf[0]=(val>>24)&0xff;
4777 val=tvb_get_letohl(tvb, offset+4);
4779 buf[6]=(val>> 8)&0xff;
4780 buf[5]=(val>>16)&0xff;
4781 buf[4]=(val>>24)&0xff;
4782 proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
4786 CHECK_BYTE_COUNT(8);
4787 val=tvb_get_letohl(tvb, offset);
4789 buf[2]=(val>> 8)&0xff;
4790 buf[1]=(val>>16)&0xff;
4791 buf[0]=(val>>24)&0xff;
4792 val=tvb_get_letohl(tvb, offset+4);
4794 buf[6]=(val>> 8)&0xff;
4795 buf[5]=(val>>16)&0xff;
4796 buf[4]=(val>>24)&0xff;
4797 proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
4800 /* normal lock format */
4801 litem = proto_tree_add_text(tr, tvb, offset, 10,
/* NOTE(review): the large-format lock entry above uses ett_smb_lock; this
 * normal-format lock entry uses ett_smb_unlock - looks like a copy from the
 * unlock section (display-only effect) */
4803 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4806 CHECK_BYTE_COUNT(2);
4807 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4811 CHECK_BYTE_COUNT(4);
4812 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4816 CHECK_BYTE_COUNT(4);
4817 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4821 proto_item_set_len(it, offset-old_offset);
4829 * We ran out of byte count in the middle of dissecting
4830 * the locks or the unlocks; set the site of the item
4831 * we were dissecting.
4833 proto_item_set_len(it, offset-old_offset);
4836 /* call AndXCommand (if there are any) */
/* cmd and andxoffset both come from the packet; dissect_smb_command is
 * defined outside this chunk - confirm it rejects an andxoffset that does
 * not move forward, since chained commands re-enter the dissector */
4837 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Locking AndX response: the AndX header (next command, reserved
 * byte, AndX offset), then the chained AndX command.
 * Only part of the body appears on this page.
 */
4843 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4845 guint8 wc, cmd=0xff;
4846 guint16 andxoffset=0;
4851 /* next smb command */
4852 cmd = tvb_get_guint8(tvb, offset);
4854 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4856 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4861 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4865 andxoffset = tvb_get_letohs(tvb, offset);
4866 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4873 /* call AndXCommand (if there are any) */
/* cmd and andxoffset both come from the packet; dissect_smb_command is
 * defined outside this chunk - confirm it validates andxoffset */
4874 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
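/*
 * Display strings for the open "Action" word. Values 1..3 say what happened
 * to the file (opened / created / truncated); the 0x8000 bit added to the
 * same value says an oplock was also granted.
 * The table's closing lines are not shown on this page.
 */
4880 static const value_string oa_open_vals[] = {
4881 { 0, "No action taken?"},
4882 { 1, "The file existed and was opened"},
4883 { 2, "The file did not exist but was created"},
4884 { 3, "The file existed and was truncated"},
4885 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
4886 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
/* "truncated" is value 3, so with the oplock bit it is 0x8003; the entry was
 * a second 0x8002, which a first-match lookup can never reach */
4887 { 0x8003, "The file existed and was truncated, and an OpLock was granted"},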
/* Display strings for the lock bit of the open action word: first string
 * when the bit is set, second when it is clear. */
4890 static const true_false_string tfs_oa_lock = {
4891 "File is currently opened only by this user",
4892 "File is opened by another user (or mode not supported by server)"
/*
 * Dissect the 16-bit open action word into an "Action" subtree holding the
 * lock bit and the open result, both decoded from the same packet value.
 * Only part of the body appears on this page.
 */
4895 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4898 proto_item *item = NULL;
4899 proto_tree *tree = NULL;
4901 mask = tvb_get_letohs(tvb, offset);
4904 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4905 "Action: 0x%04x", mask);
4906 tree = proto_item_add_subtree(item, ett_smb_open_action);
4909 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4910 tvb, offset, 2, mask);
4911 proto_tree_add_uint(tree, hf_smb_open_action_open,
4912 tvb, offset, 2, mask);
/*
 * Display strings for the open flag bits: in each pair the first string is
 * the "bit set" text and the second the "bit clear" text.
 * The closing lines of each initializer are not shown on this page.
 */
4919 static const true_false_string tfs_open_flags_add_info = {
4920 "Additional information requested",
4921 "Additional information not requested"
4923 static const true_false_string tfs_open_flags_ex_oplock = {
4924 "Exclusive oplock requested",
4925 "Exclusive oplock not requested"
4927 static const true_false_string tfs_open_flags_batch_oplock = {
4928 "Batch oplock requested",
4929 "Batch oplock not requested"
4931 static const true_false_string tfs_open_flags_ealen = {
4932 "Total length of EAs requested",
4933 "Total length of EAs not requested"
/*
 * Dissect the 16-bit open flags word into a "Flags" subtree.
 * bm is a caller-supplied bitmask; the caller visible in this chunk passes
 * 0x0007. Presumably it selects which flag bits are shown, as in
 * dissect_write_mode (the tests on bm are among the lines not shown).
 * Only part of the body appears on this page.
 */
4936 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4939 proto_item *item = NULL;
4940 proto_tree *tree = NULL;
4942 mask = tvb_get_letohs(tvb, offset);
4945 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4946 "Flags: 0x%04x", mask);
4947 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4951 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4952 tvb, offset, 2, mask);
4955 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4956 tvb, offset, 2, mask);
4959 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4960 tvb, offset, 2, mask);
4963 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4964 tvb, offset, 2, mask);
/* Display strings for the file type values 0..3 (the table's closing lines
 * are not shown on this page). */
4972 static const value_string filetype_vals[] = {
4973 { 0, "Disk file or directory"},
4974 { 1, "Named pipe in byte mode"},
4975 { 2, "Named pipe in message mode"},
4976 { 3, "Spooled printer"},
/*
 * Dissect an Open AndX request: the AndX header, open flags, desired
 * access, search and file attributes, creation time, open function,
 * allocation size, 8 reserved bytes and the file name (also appended to the
 * Info column), then the chained AndX command.
 * Only part of the body appears on this page.
 */
4980 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4982 guint8 wc, cmd=0xff;
4983 guint16 andxoffset=0, bc;
4984 smb_info_t *si = pinfo->private_data;
4990 /* next smb command */
4991 cmd = tvb_get_guint8(tvb, offset);
4993 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4995 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5000 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5004 andxoffset = tvb_get_letohs(tvb, offset);
5005 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5009 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
5011 /* desired access */
5012 offset = dissect_access(tvb, tree, offset, "Desired");
5014 /* Search Attributes */
5015 offset = dissect_search_attributes(tvb, tree, offset);
5017 /* File Attributes */
5018 offset = dissect_file_attributes(tvb, tree, offset, 2);
5021 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5024 offset = dissect_open_function(tvb, tree, offset);
5026 /* allocation size */
5027 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5030 /* 8 reserved bytes */
5031 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
5037 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5041 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5043 COUNT_BYTES(fn_len);
/* fn is packet-controlled text: it goes through format_text() before it
 * reaches the Info column. strlen(fn) needs fn to be non-NULL; the NULL
 * check is not among the lines shown - confirm it exists */
5045 if (check_col(pinfo->cinfo, COL_INFO)) {
5046 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
5047 format_text(fn, strlen(fn)));
5052 /* call AndXCommand (if there are any) */
/* cmd and andxoffset both come from the packet; dissect_smb_command is
 * defined outside this chunk - confirm it validates andxoffset */
5053 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Display strings for the fields of the IPC state word: the non-blocking
 * bit (first string when set, second when clear) and the value tables for
 * the endpoint, pipe type and read mode fields.
 * The closing lines of each initializer are not shown on this page.
 */
5058 static const true_false_string tfs_ipc_state_nonblocking = {
5059 "Reads/writes return immediately if no data available",
5060 "Reads/writes block if no data available"
5062 static const value_string ipc_state_endpoint_vals[] = {
5063 { 0, "Consumer end of pipe"},
5064 { 1, "Server end of pipe"},
5067 static const value_string ipc_state_pipe_type_vals[] = {
5068 { 0, "Byte stream pipe"},
5069 { 1, "Message pipe"},
5072 static const value_string ipc_state_read_mode_vals[] = {
5073 { 0, "Read pipe as a byte stream"},
5074 { 1, "Read messages from pipe"},
/*
 * Dissect the 16-bit IPC state word into an "IPC State" subtree: the
 * non-blocking bit, endpoint, pipe type, read mode and instance count are
 * all decoded from the same packet value.
 * The rest of the parameter list and part of the body are not shown on
 * this page; the caller visible in this chunk passes FALSE as the fourth
 * argument.
 */
5079 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
5083 proto_item *item = NULL;
5084 proto_tree *tree = NULL;
5086 mask = tvb_get_letohs(tvb, offset);
5089 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5090 "IPC State: 0x%04x", mask);
5091 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
5094 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
5095 tvb, offset, 2, mask);
5097 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
5098 tvb, offset, 2, mask);
5099 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
5100 tvb, offset, 2, mask);
5102 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
5103 tvb, offset, 2, mask);
5105 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
5106 tvb, offset, 2, mask);
/*
 * Dissect an Open AndX response: the AndX header, FID, file attributes,
 * last write time, file size, granted access, file type, IPC state, open
 * action, server FID and 2 reserved bytes, then the chained AndX command.
 * Only part of the body appears on this page.
 */
5115 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5117 guint8 wc, cmd=0xff;
5118 guint16 andxoffset=0, bc;
5123 /* next smb command */
5124 cmd = tvb_get_guint8(tvb, offset);
5126 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5128 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5133 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5137 andxoffset = tvb_get_letohs(tvb, offset);
5138 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5142 fid = tvb_get_letohs(tvb, offset);
5143 add_fid(tvb, pinfo, tree, offset, 2, fid);
5146 /* File Attributes */
5147 offset = dissect_file_attributes(tvb, tree, offset, 2);
5149 /* last write time */
5150 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
5153 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5156 /* granted access */
5157 offset = dissect_access(tvb, tree, offset, "Granted");
5160 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
5164 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
5167 offset = dissect_open_action(tvb, tree, offset);
5170 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
5173 /* 2 reserved bytes */
5174 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5181 /* call AndXCommand (if there are any) */
/* cmd and andxoffset both come from the packet; dissect_smb_command is
 * defined outside this chunk - confirm it validates andxoffset */
5182 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Read AndX request: AndX header, FID, hf_smb_offset, the low and
 * high parts of the maximum count, hf_smb_min_count, hf_smb_remaining and
 * hf_smb_high_offset, then the chained command.  The combined byte count
 * and the offset are appended to the Info column.
 *
 * On the first pass over a frame (flags.visited not set) the FID is saved in
 * si->sip->extra_info so the response can be labelled with it.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, some declarations and the offset updates are
 * not shown here.
 * NOTE(review): the FID is stored with a plain (void *) cast of an integer,
 * while dissect_write_andx_response() reads the same slot with
 * GPOINTER_TO_UINT().  Storing with the matching GLib macro, for example
 * GUINT_TO_POINTER(), keeps the conversion well defined where pointers are
 * wider than int.
 * NOTE(review): si->sip is dereferenced with no NULL test visible here,
 * whereas the response dissectors test si->sip != NULL first; confirm the
 * request path can rely on it being set.
 * NOTE(review): maxcnt is shifted left by 16 before maxcnt_low is merged
 * in.  The declaration of maxcnt is not shown; if it is 32 bits wide, only
 * the low 16 bits of the 32-bit maxcnt_high survive.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
5188 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5190 guint8 wc, cmd=0xff;
5191 guint16 andxoffset=0, bc, maxcnt_low;
5192 guint32 maxcnt_high;
5200 /* next smb command */
5201 cmd = tvb_get_guint8(tvb, offset);
5203 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5205 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
5210 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
5214 andxoffset = tvb_get_letohs(tvb, offset);
5215 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* FID: 16-bit little-endian value */
5219 fid = tvb_get_letohs(tvb, offset);
5220 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
5222 if (!pinfo->fd->flags.visited) {
5223 /* remember the FID for the processing of the response */
5224 si = (smb_info_t *)pinfo->private_data;
5225 si->sip->extra_info=(void *)fid;
/* 32-bit little-endian file offset, also used for the Info column */
5229 ofs = tvb_get_letohl(tvb, offset);
5230 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* low 16 bits of the maximum count */
5234 maxcnt_low = tvb_get_letohs(tvb, offset);
5235 proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
5239 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
5245 * XXX - we should really only do this in case we have seen
5246 * LARGE FILE being negotiated. Unfortunately, we might not
5247 * have seen the negotiation phase in the capture....
5249 * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
5250 * it's 32 bits, but the description says "High 16 bits of
5251 * MaxCount if CAP_LARGE_READX".
5253 * The SMB File Sharing Protocol Extensions Version 2.0,
5254 * Document Version 3.3 spec doesn't speak of an extra 16
5255 * bits in max count, but it does show a 32-bit timeout
5256 * after the min count field.
5258 * Perhaps the 32-bit timeout field was hijacked as a 16-bit
5259 * high count and a 16-bit reserved field.
5261 * We fetch and display it as 32 bits.
5263 * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
5264 * bytes and we just ignore it.
5266 maxcnt_high = tvb_get_letohl(tvb, offset);
5267 if(maxcnt_high==0xffffffff){
5270 proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
5276 maxcnt=(maxcnt<<16)|maxcnt_low;
5278 if (check_col(pinfo->cinfo, COL_INFO))
5279 col_append_fstr(pinfo->cinfo, COL_INFO,
5280 ", %u byte%s at offset %u", maxcnt,
5281 (maxcnt == 1) ? "" : "s", ofs);
5284 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5289 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5297 /* call AndXCommand (if there are any) */
5298 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Read AndX response: AndX header, the FID remembered from the
 * request (when the request was seen), hf_smb_remaining, data compaction
 * mode, reserved bytes, low data length, data offset, high data length and
 * six more reserved bytes, then the file data and the chained command.  The
 * combined data length is appended to the Info column.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, some declarations and the offset updates are
 * not shown here.
 * NOTE(review): fid is recovered with an (int) cast of the stored pointer;
 * dissect_write_andx_response() uses GPOINTER_TO_UINT() for the same slot.
 * fid is only assigned when the request was seen, and its declaration is
 * not shown, so confirm it has an initializer before it reaches
 * dissect_file_data_maybe_dcerpc().
 * NOTE(review): datalen is built as (datalen_high << 16) | datalen_low in a
 * guint32, so the upper 16 bits of the 32-bit datalen_high are dropped.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
5304 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5306 guint8 wc, cmd=0xff;
5307 guint16 andxoffset=0, bc, datalen_low, dataoffset=0;
5308 guint32 datalen=0, datalen_high;
5309 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5314 /* next smb command */
5315 cmd = tvb_get_guint8(tvb, offset);
5317 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5319 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
5324 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
5328 andxoffset = tvb_get_letohs(tvb, offset);
5329 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5332 /* If we have seen the request, then print which FID this refers to */
5333 /* first check if we have seen the request */
5334 if(si->sip != NULL && si->sip->frame_req>0){
5335 fid=(int)si->sip->extra_info;
/* offset 0 and length 0: the FID is not taken from bytes in this frame */
5336 add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
5340 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5343 /* data compaction mode */
5344 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
5347 /* 2 reserved bytes */
5348 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* low 16 bits of the data length */
5352 datalen_low = tvb_get_letohs(tvb, offset);
5353 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
/* data offset, read from the packet */
5357 dataoffset=tvb_get_letohs(tvb, offset);
5358 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5361 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5362 /* data length high */
5363 datalen_high = tvb_get_letohl(tvb, offset);
5364 if(datalen_high==0xffffffff){
5367 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 4, datalen_high);
5371 datalen=datalen_high;
5372 datalen=(datalen<<16)|datalen_low;
5375 if (check_col(pinfo->cinfo, COL_INFO))
5376 col_append_fstr(pinfo->cinfo, COL_INFO,
5377 ", %u byte%s", datalen,
5378 (datalen == 1) ? "" : "s");
5381 /* 6 reserved bytes */
5382 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
5387 /* file data, might be DCERPC on a pipe */
/* NOTE(review): the (guint16) cast keeps only the low 16 bits of datalen,
   so the high part of the length never reaches the payload dissector */
5389 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5390 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
5396 /* call AndXCommand (if there are any) */
5397 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX request: AndX header, FID, hf_smb_offset, four
 * reserved bytes, write mode, hf_smb_remaining, high and low data length,
 * data offset and hf_smb_high_offset, then the file data and the chained
 * command.  The combined data length and the offset are appended to the
 * Info column.
 *
 * On the first pass over a frame the FID is saved in si->sip->extra_info.
 * When the write mode has WRITE_MODE_MESSAGE_START set, the TID is also
 * recorded as TID_IPC in si->ct->tid_service and SMB_SIF_TID_IS_IPC is set,
 * so this single request changes how later traffic on the same TID is
 * dissected.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, some declarations and the offset updates are
 * not shown here.
 * NOTE(review): the IPC decision is a heuristic driven by a flag in the
 * packet.  A capture containing a write with MESSAGE_START on an ordinary
 * share would make later reads and writes on that TID be handed to the
 * DCERPC path; keep that in mind when a dissection looks wrong.
 * NOTE(review): si->sip and si->ct are dereferenced with no NULL test
 * visible here, while other dissectors in this file test si->sip != NULL or
 * si && si->ct first; confirm the request path can rely on them.
 * NOTE(review): the FID and the TID are stored through plain (void *) casts
 * of integers; dissect_write_andx_response() reads the FID slot with
 * GPOINTER_TO_UINT().  The matching GLib store macros would keep the
 * conversions well defined where pointers are wider than int.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
5403 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5406 guint8 wc, cmd=0xff;
5407 guint16 andxoffset=0, bc, dataoffset=0, datalen_low, datalen_high;
5409 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5415 /* next smb command */
5416 cmd = tvb_get_guint8(tvb, offset);
5418 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5420 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
5425 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
5429 andxoffset = tvb_get_letohs(tvb, offset);
5430 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* FID: 16-bit little-endian value */
5434 fid = tvb_get_letohs(tvb, offset);
5435 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
5437 if (!pinfo->fd->flags.visited) {
5438 /* remember the FID for the processing of the response */
5439 si->sip->extra_info=(void *)fid;
/* 32-bit little-endian file offset, also used for the Info column */
5443 ofs = tvb_get_letohl(tvb, offset);
5444 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* 4 reserved bytes */
5448 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* write mode word; its flag bits are tested further down */
5452 mode = tvb_get_letohs(tvb, offset);
5453 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
5456 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5459 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5460 /* data length high */
5461 datalen_high = tvb_get_letohs(tvb, offset);
5462 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
/* data length low */
5466 datalen_low = tvb_get_letohs(tvb, offset);
5467 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
/* combine the two 16-bit halves into one length */
5470 datalen=datalen_high;
5471 datalen=(datalen<<16)|datalen_low;
/* data offset, read from the packet */
5474 dataoffset=tvb_get_letohs(tvb, offset);
5475 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5478 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
5479 if (check_col(pinfo->cinfo, COL_INFO))
5480 col_append_fstr(pinfo->cinfo, COL_INFO,
5481 ", %u byte%s at offset %u", datalen,
5482 (datalen == 1) ? "" : "s", ofs);
5486 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5492 /* if both the MessageStart and the WriteRawNamedPipe flags are set
5493 the first two bytes of the payload is the length of the data.
5494 Assume that all WriteAndX PDUs that have MESSAGE_START set to
5495 be over the IPC$ share and thus they all transport DCERPC.
5496 (if we didnt already know that from the TreeConnect call)
5498 if(mode&WRITE_MODE_MESSAGE_START){
5499 if(mode&WRITE_MODE_RAW){
5500 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
5506 if(!pinfo->fd->flags.visited){
5507 /* In case we did not see the TreeConnect call,
5508 store this TID here as well as a IPC TID
5509 so we know that future Read/Writes to this
5510 TID is (probably) DCERPC.
5512 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
5513 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
5515 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
5518 si->sip->flags|=SMB_SIF_TID_IS_IPC;
5522 /* file data, might be DCERPC on a pipe */
/* NOTE(review): the (guint16) cast keeps only the low 16 bits of datalen,
   so the high half read above never reaches the payload dissector */
5524 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5525 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
5531 /* call AndXCommand (if there are any) */
5532 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX response: AndX header, the FID remembered from the
 * request (when the request was seen), low write count, hf_smb_remaining,
 * high write count and two reserved bytes, then the chained command.  The
 * combined count is appended to the Info column.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, some declarations and the offset updates are
 * not shown here.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
5538 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5540 guint8 wc, cmd=0xff;
5541 guint16 andxoffset=0, bc, count_low, count_high;
5547 /* next smb command */
5548 cmd = tvb_get_guint8(tvb, offset);
5550 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5552 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
5557 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
5561 andxoffset = tvb_get_letohs(tvb, offset);
5562 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5565 /* If we have seen the request, then print which FID this refers to */
5566 si = (smb_info_t *)pinfo->private_data;
5567 /* first check if we have seen the request */
5568 if(si->sip != NULL && si->sip->frame_req>0){
/* offset 0 and length 0: the FID is not taken from bytes in this frame */
5569 add_fid(tvb, pinfo, tree, 0, 0, (guint16) GPOINTER_TO_UINT(si->sip->extra_info));
5572 /* write count low */
5573 count_low = tvb_get_letohs(tvb, offset);
5574 proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
5578 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5581 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5582 /* write count high */
5583 count_high = tvb_get_letohs(tvb, offset);
5584 proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
/* merge the low half into count; the line that loads the high half is not
   shown in this listing */
5588 count=(count<<16)|count_low;
5590 if (check_col(pinfo->cinfo, COL_INFO))
5591 col_append_fstr(pinfo->cinfo, COL_INFO,
5592 ", %u byte%s", count,
5593 (count == 1) ? "" : "s");
5595 /* 2 reserved bytes */
5596 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5603 /* call AndXCommand (if there are any) */
5604 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * True/false display strings for the guest flag of the session setup Action
 * word (presumably attached to hf_smb_setup_action_guest; the field
 * registration is not shown here).  The first string is used when the flag
 * is set, i.e. the server reports that the session was logged in as guest,
 * which is worth checking when reviewing authentication results in a
 * capture.
 */
5610 static const true_false_string tfs_setup_action_guest = {
5611 "Logged in as GUEST",
5612 "Not logged in as GUEST"
/*
 * Dissect the 16-bit little-endian Action word of a session setup response:
 * add a text item showing the raw value, then a subtree holding the guest
 * flag decoded from the same two bytes.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip); the declaration of mask, the condition guarding the tree
 * construction and the return statement are not shown.
 */
5615 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5618 proto_item *item = NULL;
5619 proto_tree *tree = NULL;
5621 mask = tvb_get_letohs(tvb, offset);
5624 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5625 "Action: 0x%04x", mask);
5626 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5629 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5630 tvb, offset, 2, mask);
/*
 * Dissect a Session Setup AndX request.
 *
 * Word parameters: AndX header, maximum buffer size, maximum multiplex
 * count, hf_smb_vc_num and hf_smb_session_key, followed by one of several
 * layouts selected by conditions that are not shown in this listing: a
 * single password length, a security blob length plus capabilities, or
 * ANSI and Unicode password lengths plus capabilities.
 *
 * Byte parameters, again by layout: the security blob (handed to the
 * NTLMSSP dissector when si->ct->raw_ntlmssp is set and the blob starts
 * with the NTLMSSP signature, otherwise to the GSS-API dissector), or the
 * password fields, followed by account, primary domain, OS and LAN manager
 * strings.  Domain and account are appended to the Info column.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, branch conditions, some declarations and the
 * offset updates are not shown here.
 * NOTE(review): pwlen, sbloblen, apwlen and upwlen are 16-bit lengths taken
 * from the packet.  For the raw blob item a copy (sbloblen_short) is
 * clamped to tvb_length_remaining() while sbloblen keeps the declared
 * value for CHECK_BYTE_COUNT and COUNT_BYTES; the password fields are
 * guarded by CHECK_BYTE_COUNT only.
 * NOTE(review): si is tested for NULL before the raw_ntlmssp check, but
 * si->unicode is read without such a test in the string handling; confirm
 * that si cannot be NULL here or make the two paths agree.
 * NOTE(review): the OS and LAN manager strings override the Unicode flag
 * when the next three bytes spell Win.  That is a content-based heuristic,
 * so a string that merely starts with those bytes is decoded as ASCII.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
5639 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5641 guint8 wc, cmd=0xff;
5643 guint16 andxoffset=0;
5644 smb_info_t *si = pinfo->private_data;
5650 guint16 sbloblen=0, sbloblen_short;
5651 guint16 apwlen=0, upwlen=0;
5652 gboolean unicodeflag;
5656 /* next smb command */
5657 cmd = tvb_get_guint8(tvb, offset);
5659 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5661 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
5666 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
5670 andxoffset = tvb_get_letohs(tvb, offset);
5671 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5674 /* Maximum Buffer Size */
5675 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5678 /* Maximum Multiplex Count */
5679 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5683 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5687 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5692 /* password length, ASCII*/
5693 pwlen = tvb_get_letohs(tvb, offset);
5694 proto_tree_add_uint(tree, hf_smb_password_len,
5695 tvb, offset, 2, pwlen);
5698 /* 4 reserved bytes */
5699 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5705 /* security blob length */
5706 sbloblen = tvb_get_letohs(tvb, offset);
5707 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5710 /* 4 reserved bytes */
5711 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5715 dissect_negprot_capabilities(tvb, tree, offset);
5721 /* password length, ANSI*/
5722 apwlen = tvb_get_letohs(tvb, offset);
5723 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5724 tvb, offset, 2, apwlen);
5727 /* password length, Unicode*/
5728 upwlen = tvb_get_letohs(tvb, offset);
5729 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5730 tvb, offset, 2, upwlen);
5733 /* 4 reserved bytes */
5734 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5738 dissect_negprot_capabilities(tvb, tree, offset);
5747 proto_item *blob_item;
5750 /* If it runs past the end of the captured data, don't
5751 * try to put all of it into the protocol tree as the
5752 * raw security blob; we might get an exception on
5753 * short frames and then we will not see anything at all
5754 * of the security blob.
5756 sbloblen_short = sbloblen;
5757 if(sbloblen_short>tvb_length_remaining(tvb,offset)){
5758 sbloblen_short=tvb_length_remaining(tvb,offset);
5760 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5761 tvb, offset, sbloblen_short,
5764 /* As an optimization, because Windows is perverse,
5765 we check to see if NTLMSSP is the first part of the
5766 blob, and if so, call the NTLMSSP dissector,
5767 otherwise we call the GSS-API dissector. This is because
5768 Windows can request RAW NTLMSSP, but will happily handle
5769 a client that wraps NTLMSSP in SPNEGO
5774 proto_tree *blob_tree;
5776 blob_tree = proto_item_add_subtree(blob_item,
5778 CHECK_BYTE_COUNT(sbloblen);
5781 * Set the reported length of this to the reported
5782 * length of the blob, rather than the amount of
5783 * data available from the blob, so that we'll
5784 * throw the right exception if it's too short.
5786 blob_tvb = tvb_new_subset(tvb, offset, sbloblen_short,
5789 if (si && si->ct && si->ct->raw_ntlmssp &&
5790 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
5791 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5796 call_dissector(gssapi_handle, blob_tvb,
5800 COUNT_BYTES(sbloblen);
5804 * Eventhough this field should honour the unicode flag
5805 * some ms clients gets this wrong.
5806 * At least XP SP1 sends this in ASCII
5807 * even when the unicode flag is on.
5808 * Test if the first three bytes are "Win"
5809 * and if so just override the flag.
5811 unicodeflag=si->unicode;
5812 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
5815 an = get_unicode_or_ascii_string(tvb, &offset,
5816 unicodeflag, &an_len, FALSE, FALSE, &bc);
5819 proto_tree_add_string(tree, hf_smb_os, tvb,
5820 offset, an_len, an);
5821 COUNT_BYTES(an_len);
5824 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5825 * padding/null string/whatever in front of this. W2K doesn't
5826 * appear to. I suspect that's a bug that got fixed; I also
5827 * suspect that, in practice, nobody ever looks at that field
5828 * because the bug didn't appear to get fixed until NT 5.0....
5830 * Eventhough this field should honour the unicode flag
5831 * some ms clients gets this wrong.
5832 * At least XP SP1 sends this in ASCII
5833 * even when the unicode flag is on.
5834 * Test if the first three bytes are "Win"
5835 * and if so just override the flag.
5837 unicodeflag=si->unicode;
5838 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
5841 an = get_unicode_or_ascii_string(tvb, &offset,
5842 unicodeflag, &an_len, FALSE, FALSE, &bc);
5845 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5846 offset, an_len, an);
5847 COUNT_BYTES(an_len);
5849 /* Primary domain */
5850 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5851 * byte in front of this, at least if all the strings are
5852 * ASCII and the account name is empty. Another bug?
5854 dn = get_unicode_or_ascii_string(tvb, &offset,
5855 si->unicode, &dn_len, FALSE, FALSE, &bc);
5858 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5859 offset, dn_len, dn);
5860 COUNT_BYTES(dn_len);
5866 /* password, ASCII */
5867 CHECK_BYTE_COUNT(pwlen);
5868 proto_tree_add_item(tree, hf_smb_password,
5869 tvb, offset, pwlen, TRUE);
/* NOTE(review): the password bytes from the packet are put into the tree
   as they are, as are the ANSI and Unicode password fields below.  Capture
   files and exported dissections that contain session setup requests
   therefore hold credential material and should be stored and shared
   accordingly. */
5877 /* password, ANSI */
5878 CHECK_BYTE_COUNT(apwlen);
5879 proto_tree_add_item(tree, hf_smb_ansi_password,
5880 tvb, offset, apwlen, TRUE);
5881 COUNT_BYTES(apwlen);
5887 /* password, Unicode */
5888 CHECK_BYTE_COUNT(upwlen);
5889 item = proto_tree_add_item(tree, hf_smb_unicode_password,
5890 tvb, offset, upwlen, TRUE);
5893 proto_tree *subtree;
5895 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
/* the Unicode password field is additionally decoded as an NTLMv2
   response; the condition that selects this is not shown in this listing */
5897 dissect_ntlmv2_response(
5898 tvb, subtree, offset, upwlen);
5901 COUNT_BYTES(upwlen);
/* account name string */
5908 an = get_unicode_or_ascii_string(tvb, &offset,
5909 si->unicode, &an_len, FALSE, FALSE, &bc);
5912 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5914 COUNT_BYTES(an_len);
5916 /* Primary domain */
5917 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5918 * byte in front of this, at least if all the strings are
5919 * ASCII and the account name is empty. Another bug?
5921 dn = get_unicode_or_ascii_string(tvb, &offset,
5922 si->unicode, &dn_len, FALSE, FALSE, &bc);
5925 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5926 offset, dn_len, dn);
5927 COUNT_BYTES(dn_len);
5929 if (check_col(pinfo->cinfo, COL_INFO)) {
5930 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5932 if (!dn[0] && !an[0])
5933 col_append_fstr(pinfo->cinfo, COL_INFO,
5936 col_append_fstr(pinfo->cinfo, COL_INFO,
5938 format_text(dn, strlen(dn)),
5939 format_text(an, strlen(an)));
5943 an = get_unicode_or_ascii_string(tvb, &offset,
5944 si->unicode, &an_len, FALSE, FALSE, &bc);
5947 proto_tree_add_string(tree, hf_smb_os, tvb,
5948 offset, an_len, an);
5949 COUNT_BYTES(an_len);
5952 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5953 * padding/null string/whatever in front of this. W2K doesn't
5954 * appear to. I suspect that's a bug that got fixed; I also
5955 * suspect that, in practice, nobody ever looks at that field
5956 * because the bug didn't appear to get fixed until NT 5.0....
5958 an = get_unicode_or_ascii_string(tvb, &offset,
5959 si->unicode, &an_len, FALSE, FALSE, &bc);
5962 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5963 offset, an_len, an);
5964 COUNT_BYTES(an_len);
5969 /* call AndXCommand (if there are any) */
5970 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Session Setup AndX response: AndX header, the Action word, an
 * optional security blob length and blob (handed to the NTLMSSP dissector
 * when si->ct->raw_ntlmssp is set and the blob starts with the NTLMSSP
 * signature, otherwise to the GSS-API dissector), then the OS, LAN manager
 * and primary domain strings and the chained command.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, branch conditions, some declarations and the
 * offset updates are not shown here.
 * NOTE(review): sbloblen is a 16-bit length taken from the packet and is
 * itself overwritten with tvb_length_remaining() when it exceeds the
 * captured data.  dissect_session_setup_andx_request() instead clamps a
 * copy and keeps the declared length, so here the later CHECK_BYTE_COUNT
 * and COUNT_BYTES work on the captured length and a blob that is shorter
 * than the packet claims is not reported the same way in the two
 * directions.
 * NOTE(review): si is tested for NULL before the raw_ntlmssp check, but
 * si->unicode is read without such a test for the strings; confirm that si
 * cannot be NULL here or make the two paths agree.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
5976 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5978 guint8 wc, cmd=0xff;
5979 guint16 andxoffset=0, bc;
5981 smb_info_t *si = pinfo->private_data;
5987 /* next smb command */
5988 cmd = tvb_get_guint8(tvb, offset);
5990 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5992 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
5997 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
6001 andxoffset = tvb_get_letohs(tvb, offset);
6002 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* Action word, including the guest flag */
6006 offset = dissect_setup_action(tvb, tree, offset);
6009 /* security blob length */
6010 sbloblen = tvb_get_letohs(tvb, offset);
6011 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
6018 proto_item *blob_item;
6021 /* dont try to eat too much of we might get an exception on
6022 * short frames and then we will not see anything at all
6023 * of the security blob.
6025 if(sbloblen>tvb_length_remaining(tvb,offset)){
6026 sbloblen=tvb_length_remaining(tvb,offset);
6028 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
6029 tvb, offset, sbloblen, TRUE);
6033 proto_tree *blob_tree;
6035 blob_tree = proto_item_add_subtree(blob_item,
6037 CHECK_BYTE_COUNT(sbloblen);
6039 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
6042 if (si && si->ct && si->ct->raw_ntlmssp &&
6043 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
6044 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
6049 call_dissector(gssapi_handle, blob_tvb, pinfo,
6054 COUNT_BYTES(sbloblen);
6059 an = get_unicode_or_ascii_string(tvb, &offset,
6060 si->unicode, &an_len, FALSE, FALSE, &bc);
6063 proto_tree_add_string(tree, hf_smb_os, tvb,
6064 offset, an_len, an);
6065 COUNT_BYTES(an_len);
6068 an = get_unicode_or_ascii_string(tvb, &offset,
6069 si->unicode, &an_len, FALSE, FALSE, &bc);
6072 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6073 offset, an_len, an);
6074 COUNT_BYTES(an_len);
6077 /* Primary domain */
6078 an = get_unicode_or_ascii_string(tvb, &offset,
6079 si->unicode, &an_len, FALSE, FALSE, &bc);
6082 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
6083 offset, an_len, an);
6084 COUNT_BYTES(an_len);
6089 /* call AndXCommand (if there are any) */
6090 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an AndX message that carries nothing beyond the AndX header: the
 * next command byte, one reserved byte and the AndX offset, then the
 * chained command.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, some declarations and the offset updates are
 * not shown here.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
6097 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6099 guint8 wc, cmd=0xff;
6100 guint16 andxoffset=0;
6105 /* next smb command */
6106 cmd = tvb_get_guint8(tvb, offset);
6108 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6110 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
6115 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
6119 andxoffset = tvb_get_letohs(tvb, offset);
6120 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6127 /* call AndXCommand (if there are any) */
6128 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * True/false display strings for the two flags decoded by
 * dissect_connect_support_bits().  In each table the first string is shown
 * when the flag is set.  The listing omits the line holding the first
 * string of tfs_connect_support_in_dfs and the closing braces.
 */
6134 static const true_false_string tfs_connect_support_search = {
6135 "Exclusive search bits supported",
6136 "Exclusive search bits not supported"
6138 static const true_false_string tfs_connect_support_in_dfs = {
6140 "Share isn't in Dfs"
/*
 * Dissect the 16-bit little-endian Optional Support word: add a text item
 * showing the raw value, then a subtree with the search and in-Dfs flags
 * decoded from the same two bytes.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip); the declaration of mask, the condition guarding the tree
 * construction and the return statement are not shown.
 */
6144 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6147 proto_item *item = NULL;
6148 proto_tree *tree = NULL;
6150 mask = tvb_get_letohs(tvb, offset);
6153 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6154 "Optional Support: 0x%04x", mask);
6155 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
6158 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
6159 tvb, offset, 2, mask);
6160 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
6161 tvb, offset, 2, mask);
/*
 * True/false display strings for the disconnect-TID flag (presumably the
 * one decoded by dissect_connect_flags(); the field registration is not
 * shown).  The listing omits the line holding the string used when the
 * flag is set.
 */
6168 static const true_false_string tfs_disconnect_tid = {
6170 "Do NOT disconnect TID"
/*
 * Dissect the 16-bit little-endian Flags word of a tree connect request:
 * add a text item showing the raw value, then a subtree with
 * hf_smb_connect_flags_dtid decoded from the same two bytes.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip); the declaration of mask, the condition guarding the tree
 * construction and the return statement are not shown.
 */
6174 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6177 proto_item *item = NULL;
6178 proto_tree *tree = NULL;
6180 mask = tvb_get_letohs(tvb, offset);
6183 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6184 "Flags: 0x%04x", mask);
6185 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
6188 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
6189 tvb, offset, 2, mask);
/*
 * Dissect a Tree Connect AndX request: AndX header, connect flags and
 * password length in the word parameters; password bytes, path string and
 * service string in the byte parameters; then the chained command.  The
 * path is appended to the Info column.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, some declarations and the offset updates are
 * not shown here.
 * NOTE(review): pwlen is a 16-bit length taken from the packet and is
 * guarded by CHECK_BYTE_COUNT before the password bytes are added.  Those
 * bytes go into the tree as they are, so capture files and exported
 * dissections that contain tree connect requests can hold share passwords
 * and should be stored and shared accordingly.
 * NOTE(review): the service string length comes from tvb_strsize(), which
 * searches the tvbuff for the terminating NUL rather than stopping at bc;
 * the existing XXX comment asks the same question.  CHECK_BYTE_COUNT is
 * applied afterwards (macro body not shown here), and tvb_strsize() is
 * expected to raise an exception when no NUL is present -- confirm.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
6197 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6199 guint8 wc, cmd=0xff;
6201 guint16 andxoffset=0, pwlen=0;
6202 smb_info_t *si = pinfo->private_data;
6208 /* next smb command */
6209 cmd = tvb_get_guint8(tvb, offset);
6211 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6213 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
6218 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
6222 andxoffset = tvb_get_letohs(tvb, offset);
6223 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* connect flags word */
6227 offset = dissect_connect_flags(tvb, tree, offset);
6229 /* password length*/
6230 pwlen = tvb_get_letohs(tvb, offset);
6231 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
/* password bytes, pwlen long */
6237 CHECK_BYTE_COUNT(pwlen);
6238 proto_tree_add_item(tree, hf_smb_password,
6239 tvb, offset, pwlen, TRUE);
/* path string, ASCII or Unicode according to si->unicode */
6243 an = get_unicode_or_ascii_string(tvb, &offset,
6244 si->unicode, &an_len, FALSE, FALSE, &bc);
6247 proto_tree_add_string(tree, hf_smb_path, tvb,
6248 offset, an_len, an);
6249 COUNT_BYTES(an_len);
6251 if (check_col(pinfo->cinfo, COL_INFO)) {
6252 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
6253 format_text(an, strlen(an)));
6257 * NOTE: the Service string is always ASCII, even if the
6258 * "strings are Unicode" bit is set in the flags2 field
6263 /* XXX - what if this runs past bc? */
6264 an_len = tvb_strsize(tvb, offset);
6265 CHECK_BYTE_COUNT(an_len);
6266 an = tvb_get_ptr(tvb, offset, an_len);
6267 proto_tree_add_string(tree, hf_smb_service, tvb,
6268 offset, an_len, an);
6269 COUNT_BYTES(an_len);
6273 /* call AndXCommand (if there are any) */
6274 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Tree Connect AndX response: AndX header, optional support
 * bits, any further word parameters shown as raw words, the service string,
 * an optional file system string, then the chained command.
 *
 * On the first pass over a frame the service type is recorded for the TID
 * in si->ct->tid_service: TID_IPC when the service string equals IPC,
 * TID_NORMAL otherwise.  Later commands on the TID are dissected according
 * to that entry.
 *
 * NOTE(review): this listing drops some source lines (the embedded line
 * numbers skip), so braces, branch conditions, some declarations, the loop
 * counter update and the offset updates are not shown here.
 * NOTE(review): the service string length comes from tvb_strsize(), which
 * searches the tvbuff for the terminating NUL rather than stopping at bc;
 * the existing XXX comment asks the same question.  The strcmp() on an
 * depends on that NUL having been found; tvb_strsize() is expected to raise
 * an exception when it is absent -- confirm.
 * NOTE(review): si->ct is dereferenced with no NULL test visible here,
 * while the session setup dissectors test si && si->ct first; confirm the
 * response path can rely on it.  The TID is used as a hash key through a
 * plain (void *) cast of an integer.
 * NOTE(review): cmd and andxoffset come from the packet and are passed to
 * dissect_smb_command() unchanged; confirm that an AndX offset that does
 * not advance is rejected somewhere.
 */
6281 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6283 guint8 wc, wleft, cmd=0xff;
6284 guint16 andxoffset=0;
6288 smb_info_t *si = pinfo->private_data;
6292 wleft = wc; /* this is at least 1 */
6294 /* next smb command */
6295 cmd = tvb_get_guint8(tvb, offset);
6297 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6299 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
/* one reserved byte */
6304 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* AndX offset: 16-bit little-endian value taken from the packet */
6312 andxoffset = tvb_get_letohs(tvb, offset);
6313 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* optional support bits */
6320 offset = dissect_connect_support_bits(tvb, tree, offset);
6323 /* XXX - I've seen captures where this is 7, but I have no
6324 idea how to dissect it. I'm guessing the third word
6325 contains connect support bits, which looks plausible
6326 from the values I've seen. */
6328 while (wleft != 0) {
6329 proto_tree_add_text(tree, tvb, offset, 2,
6330 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
6338 * NOTE: even though the SNIA CIFS spec doesn't say there's
6339 * a "Service" string if there's a word count of 2, the
6342 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
6344 * (it's in an ugly format - text intended to be sent to a
6345 * printer, with backspaces and overstrikes used for boldfacing
6346 * and underlining; UNIX "col -b" can be used to strip the
6347 * overstrikes out) says there's a "Service" string there, and
6348 * some network traffic has it.
6352 * NOTE: the Service string is always ASCII, even if the
6353 * "strings are Unicode" bit is set in the flags2 field
6358 /* XXX - what if this runs past bc? */
6359 an_len = tvb_strsize(tvb, offset);
6360 CHECK_BYTE_COUNT(an_len);
6361 an = tvb_get_ptr(tvb, offset, an_len);
6362 proto_tree_add_string(tree, hf_smb_service, tvb,
6363 offset, an_len, an);
6364 COUNT_BYTES(an_len);
6366 /* Now when we know the service type, store it so that we know it for later commands down
6368 if(!pinfo->fd->flags.visited){
6369 /* Remove any previous entry for this TID */
6370 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
6371 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
6373 if(strcmp(an,"IPC") == 0){
6374 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
6376 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
6384 * Sometimes this isn't present.
6388 an = get_unicode_or_ascii_string(tvb, &offset,
6389 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
6393 proto_tree_add_string(tree, hf_smb_fs, tvb,
6394 offset, an_len, an);
6395 COUNT_BYTES(an_len);
6401 /* call AndXCommand (if there are any) */
6402 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6409 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6410 NT Transaction command begins here
6411 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
6412 #define NT_TRANS_CREATE 1
6413 #define NT_TRANS_IOCTL 2
6414 #define NT_TRANS_SSD 3
6415 #define NT_TRANS_NOTIFY 4
6416 #define NT_TRANS_RENAME 5
6417 #define NT_TRANS_QSD 6
6418 #define NT_TRANS_GET_USER_QUOTA 7
6419 #define NT_TRANS_SET_USER_QUOTA 8
6420 const value_string nt_cmd_vals[] = {
6421 {NT_TRANS_CREATE, "NT CREATE"},
6422 {NT_TRANS_IOCTL, "NT IOCTL"},
6423 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
6424 {NT_TRANS_NOTIFY, "NT NOTIFY"},
6425 {NT_TRANS_RENAME, "NT RENAME"},
6426 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
6427 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
6428 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
6432 static const value_string nt_ioctl_isfsctl_vals[] = {
6433 {0, "Device IOCTL"},
6434 {1, "FS control : FSCTL"},
6438 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
6439 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
6440 "Apply the command to share root handle (MUST BE Dfs)",
6441 "Apply to this share",
/*
 * Display labels for action codes 1 to 8; the table name suggests these are
 * the actions reported in NT notify entries.  The listing omits the
 * terminating entry and the closing brace.
 * NOTE(review): the label for value 1 lacks its closing parenthesis, unlike
 * the other seven labels.
 */
6444 static const value_string nt_notify_action_vals[] = {
6445 {1, "ADDED (object was added"},
6446 {2, "REMOVED (object was removed)"},
6447 {3, "MODIFIED (object was modified)"},
6448 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
6449 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
6450 {6, "ADDED_STREAM (a stream was added)"},
6451 {7, "REMOVED_STREAM (a stream was removed)"},
6452 {8, "MODIFIED_STREAM (a stream was modified)"},
6456 static const value_string watch_tree_vals[] = {
6457 {0, "Current directory only"},
6458 {1, "Subdirectories also"},
/*
 * Completion-filter bits for NT_TRANS_NOTIFY.
 * dissect_nt_notify_completion_filter() reads the filter as a 32-bit
 * little-endian value and adds one boolean per hf_smb_nt_notify_* field;
 * these masks are presumably the bitmasks those fields are registered with
 * (the registration is not in this part of the file).
 */
6462 #define NT_NOTIFY_STREAM_WRITE 0x00000800
6463 #define NT_NOTIFY_STREAM_SIZE 0x00000400
6464 #define NT_NOTIFY_STREAM_NAME 0x00000200
6465 #define NT_NOTIFY_SECURITY 0x00000100
6466 #define NT_NOTIFY_EA 0x00000080
6467 #define NT_NOTIFY_CREATION 0x00000040
6468 #define NT_NOTIFY_LAST_ACCESS 0x00000020
6469 #define NT_NOTIFY_LAST_WRITE 0x00000010
6470 #define NT_NOTIFY_SIZE 0x00000008
6471 #define NT_NOTIFY_ATTRIBUTES 0x00000004
6472 #define NT_NOTIFY_DIR_NAME 0x00000002
6473 #define NT_NOTIFY_FILE_NAME 0x00000001
/*
 * Set/clear display strings, one pair per completion-filter bit above.
 * The first string is shown when the bit is set, the second when it is
 * clear.
 */
6474 static const true_false_string tfs_nt_notify_stream_write = {
6475 "Notify on changes to STREAM WRITE",
6476 "Do NOT notify on changes to stream write",
6478 static const true_false_string tfs_nt_notify_stream_size = {
6479 "Notify on changes to STREAM SIZE",
6480 "Do NOT notify on changes to stream size",
6482 static const true_false_string tfs_nt_notify_stream_name = {
6483 "Notify on changes to STREAM NAME",
6484 "Do NOT notify on changes to stream name",
/* The client asks to be told when the security information of a watched object changes. */
6486 static const true_false_string tfs_nt_notify_security = {
6487 "Notify on changes to SECURITY",
6488 "Do NOT notify on changes to security",
6490 static const true_false_string tfs_nt_notify_ea = {
6491 "Notify on changes to EA",
6492 "Do NOT notify on changes to EA",
6494 static const true_false_string tfs_nt_notify_creation = {
6495 "Notify on changes to CREATION TIME",
6496 "Do NOT notify on changes to creation time",
6498 static const true_false_string tfs_nt_notify_last_access = {
6499 "Notify on changes to LAST ACCESS TIME",
6500 "Do NOT notify on changes to last access time",
6502 static const true_false_string tfs_nt_notify_last_write = {
6503 "Notify on changes to LAST WRITE TIME",
6504 "Do NOT notify on changes to last write time",
6506 static const true_false_string tfs_nt_notify_size = {
6507 "Notify on changes to SIZE",
6508 "Do NOT notify on changes to size",
6510 static const true_false_string tfs_nt_notify_attributes = {
6511 "Notify on changes to ATTRIBUTES",
6512 "Do NOT notify on changes to attributes",
6514 static const true_false_string tfs_nt_notify_dir_name = {
6515 "Notify on changes to DIR NAME",
6516 "Do NOT notify on changes to dir name",
6518 static const true_false_string tfs_nt_notify_file_name = {
6519 "Notify on changes to FILE NAME",
6520 "Do NOT notify on changes to file name",
/*
 * Names for the create disposition, which dissect_nt_trans_param_request()
 * adds as the 4-byte field hf_smb_nt_create_disposition (presumably
 * rendered through this table).  Per the strings below, values 0, 4 and 5
 * replace the content of an existing file, so they are the ones to look
 * for when reading a capture for destructive opens.
 */
6523 static const value_string create_disposition_vals[] = {
6524 {0, "Supersede (supersede existing file (if it exists))"},
6525 {1, "Open (if file exists open it, else fail)"},
6526 {2, "Create (if file exists fail, else create it)"},
6527 {3, "Open If (if file exists open it, else create it)"},
6528 {4, "Overwrite (if file exists overwrite, else fail)"},
6529 {5, "Overwrite If (if file exists overwrite, else create it)"},
/*
 * Names for the impersonation level, which dissect_nt_trans_param_request()
 * adds as the 4-byte field hf_smb_nt_impersonation_level.  The level tells
 * the server how far it may act with the identity of the client.  Only the
 * entries for values 1 and 2 are present in this listing.
 */
6533 static const value_string impersonation_level_vals[] = {
6535 {1, "Identification"},
6536 {2, "Impersonation"},
/*
 * Set/clear display strings for the two bits of the one-byte Security Flags
 * field decoded by dissect_nt_security_flags().
 */
6541 static const true_false_string tfs_nt_security_flags_context_tracking = {
6542 "Security tracking mode is DYNAMIC",
6543 "Security tracking mode is STATIC",
/* When set, only the enabled parts of the client security context are offered to the server. */
6546 static const true_false_string tfs_nt_security_flags_effective_only = {
6547 "ONLY ENABLED aspects of the client's security context are available",
6548 "ALL aspects of the client's security context are available",
/*
 * Set/clear display strings for the bits of the 32-bit Create Flags field
 * decoded by dissect_nt_create_bits(): oplock request, batch oplock
 * request, directory target and extended response.
 */
6551 static const true_false_string tfs_nt_create_bits_oplock = {
6552 "Requesting OPLOCK",
6553 "Does NOT request oplock"
6556 static const true_false_string tfs_nt_create_bits_boplock = {
6557 "Requesting BATCH OPLOCK",
6558 "Does NOT request batch oplock"
6562 * XXX - must be a directory, and can be a file, or can be a directory,
6563 * and must be a file?
6565 static const true_false_string tfs_nt_create_bits_dir = {
6566 "Target of open MUST be a DIRECTORY",
6567 "Target of open can be a file"
6570 static const true_false_string tfs_nt_create_bits_ext_resp = {
6571 "Extended responses required",
6572 "Extended responses NOT required"
/*
 * Set/clear display strings for the bits of the 32-bit NT access mask that
 * dissect_smb_access_mask() adds to the tree.
 *
 * When reading a capture for permission or ownership changes, the requests
 * to look at first are WRITE DAC, WRITE OWNER and SYSTEM SECURITY, together
 * with GENERIC ALL and MAXIMUM ALLOWED, because they ask for more than
 * ordinary file I/O.
 *
 * Several entries below (delete, execute, append, write, read) show only
 * their opening line in this listing.
 */
6575 static const true_false_string tfs_nt_access_mask_generic_read = {
6576 "GENERIC READ is set",
6577 "Generic read is NOT set"
6579 static const true_false_string tfs_nt_access_mask_generic_write = {
6580 "GENERIC WRITE is set",
6581 "Generic write is NOT set"
6583 static const true_false_string tfs_nt_access_mask_generic_execute = {
6584 "GENERIC EXECUTE is set",
6585 "Generic execute is NOT set"
6587 static const true_false_string tfs_nt_access_mask_generic_all = {
6588 "GENERIC ALL is set",
6589 "Generic all is NOT set"
/* MAXIMUM ALLOWED asks for whatever access the caller is entitled to rather than a fixed set of rights. */
6591 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6592 "MAXIMUM ALLOWED is set",
6593 "Maximum allowed is NOT set"
/* SYSTEM SECURITY is the right that governs access to the SACL (audit settings) of the object. */
6595 static const true_false_string tfs_nt_access_mask_system_security = {
6596 "SYSTEM SECURITY is set",
6597 "System security is NOT set"
6599 static const true_false_string tfs_nt_access_mask_synchronize = {
6600 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6601 "Can NOT wait on handle to synchronize on completion of I/O"
6603 static const true_false_string tfs_nt_access_mask_write_owner = {
6604 "Can WRITE OWNER (take ownership)",
6605 "Can NOT write owner (take ownership)"
/*
 * NOTE(review): WRITE_DAC is the right to modify the DACL of the object for
 * whoever holds the handle; the "OWNER may" wording is only display text
 * and should not be read as restricting the right to the owner.
 */
6607 static const true_false_string tfs_nt_access_mask_write_dac = {
6608 "OWNER may WRITE the DAC",
6609 "Owner may NOT write to the DAC"
/* READ_CONTROL is the right to read the security descriptor (owner, group and DACL) of the object. */
6611 static const true_false_string tfs_nt_access_mask_read_control = {
6612 "READ ACCESS to owner, group and ACL of the SID",
6613 "Read access is NOT granted to owner, group and ACL of the SID"
6615 static const true_false_string tfs_nt_access_mask_delete = {
6619 static const true_false_string tfs_nt_access_mask_write_attributes = {
6620 "WRITE ATTRIBUTES access",
6621 "NO write attributes access"
6623 static const true_false_string tfs_nt_access_mask_read_attributes = {
6624 "READ ATTRIBUTES access",
6625 "NO read attributes access"
6627 static const true_false_string tfs_nt_access_mask_delete_child = {
6628 "DELETE CHILD access",
6629 "NO delete child access"
6631 static const true_false_string tfs_nt_access_mask_execute = {
6635 static const true_false_string tfs_nt_access_mask_write_ea = {
6636 "WRITE EXTENDED ATTRIBUTES access",
6637 "NO write extended attributes access"
6639 static const true_false_string tfs_nt_access_mask_read_ea = {
6640 "READ EXTENDED ATTRIBUTES access",
6641 "NO read extended attributes access"
6643 static const true_false_string tfs_nt_access_mask_append = {
6647 static const true_false_string tfs_nt_access_mask_write = {
6651 static const true_false_string tfs_nt_access_mask_read = {
/*
 * Set/clear display strings for the three bits of the 32-bit Share Access
 * field decoded by dissect_nt_share_access().  Each bit states whether
 * other opens of the same object may delete, write or read it while this
 * open is in place.
 */
6656 static const true_false_string tfs_nt_share_access_delete = {
6657 "Object can be shared for DELETE",
6658 "Object can NOT be shared for delete"
6660 static const true_false_string tfs_nt_share_access_write = {
6661 "Object can be shared for WRITE",
6662 "Object can NOT be shared for write"
6664 static const true_false_string tfs_nt_share_access_read = {
6665 "Object can be shared for READ",
6666 "Object can NOT be shared for read"
/*
 * Names for the oplock level granted by the server.  Presumably attached to
 * hf_smb_oplock_level, which dissect_nt_trans_param_response() adds as a
 * one-byte field for NT_TRANS_CREATE (the registration is not in this part
 * of the file).
 */
6669 static const value_string oplock_level_vals[] = {
6670 {0, "No oplock granted"},
6671 {1, "Exclusive oplock granted"},
6672 {2, "Batch oplock granted"},
6673 {3, "Level II oplock granted"},
/*
 * Names for 32-bit device type codes, 0x01 through 0x2c.  The numbering
 * looks like the NT FILE_DEVICE_* constants (TODO confirm).  The field that
 * uses this table is not in this part of the file.
 */
6677 static const value_string device_type_vals[] = {
6678 {0x00000001, "Beep"},
6679 {0x00000002, "CDROM"},
6680 {0x00000003, "CDROM Filesystem"},
6681 {0x00000004, "Controller"},
6682 {0x00000005, "Datalink"},
6683 {0x00000006, "Dfs"},
6684 {0x00000007, "Disk"},
6685 {0x00000008, "Disk Filesystem"},
6686 {0x00000009, "Filesystem"},
6687 {0x0000000a, "Inport Port"},
6688 {0x0000000b, "Keyboard"},
6689 {0x0000000c, "Mailslot"},
6690 {0x0000000d, "MIDI-In"},
6691 {0x0000000e, "MIDI-Out"},
6692 {0x0000000f, "Mouse"},
6693 {0x00000010, "Multi UNC Provider"},
6694 {0x00000011, "Named Pipe"},
6695 {0x00000012, "Network"},
6696 {0x00000013, "Network Browser"},
6697 {0x00000014, "Network Filesystem"},
6698 {0x00000015, "NULL"},
6699 {0x00000016, "Parallel Port"},
6700 {0x00000017, "Physical card"},
6701 {0x00000018, "Printer"},
6702 {0x00000019, "Scanner"},
6703 {0x0000001a, "Serial Mouse port"},
6704 {0x0000001b, "Serial port"},
6705 {0x0000001c, "Screen"},
6706 {0x0000001d, "Sound"},
6707 {0x0000001e, "Streams"},
6708 {0x0000001f, "Tape"},
6709 {0x00000020, "Tape Filesystem"},
6710 {0x00000021, "Transport"},
6711 {0x00000022, "Unknown"},
6712 {0x00000023, "Video"},
6713 {0x00000024, "Virtual Disk"},
6714 {0x00000025, "WAVE-In"},
6715 {0x00000026, "WAVE-Out"},
6716 {0x00000027, "8042 Port"},
6717 {0x00000028, "Network Redirector"},
6718 {0x00000029, "Battery"},
6719 {0x0000002a, "Bus Extender"},
6720 {0x0000002b, "Modem"},
6721 {0x0000002c, "VDM"},
/*
 * Display strings for an "is directory" value.  Presumably attached to
 * hf_smb_is_directory, the one-byte field that
 * dissect_nt_trans_param_response() adds at the end of the NT_TRANS_CREATE
 * reply (the registration is not in this part of the file).
 */
6725 static const value_string is_directory_vals[] = {
6726 {0, "This is NOT a directory"},
6727 {1, "This is a DIRECTORY"},
6731 typedef struct _nt_trans_data {
/*
 * Decode the one-byte Security Flags field at offset.
 *
 * Reads the byte with tvb_get_guint8(), adds a "Security Flags" text item
 * under parent_tree with the subtree ett_smb_nt_security_flags, and adds
 * the context-tracking and effective-only booleans from the same byte.
 * Callers assign the result to their own offset, so the return value is
 * presumably the offset just past this byte; the return statement is not
 * present in this listing.
 */
6740 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6743 proto_item *item = NULL;
6744 proto_tree *tree = NULL;
/* The flags byte comes straight from the packet. */
6746 mask = tvb_get_guint8(tvb, offset);
6749 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6750 "Security Flags: 0x%02x", mask);
6751 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
/* Both booleans are given the whole byte; each field presumably selects its own bit through its registered bitmask. */
6754 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6755 tvb, offset, 1, mask);
6756 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6757 tvb, offset, 1, mask);
/*
 * Decode the 4-byte Share Access field at offset.
 *
 * Reads a 32-bit little-endian value, adds a "Share Access" text item under
 * parent_tree with the subtree ett_smb_nt_share_access, and adds the
 * delete, write and read sharing booleans from it.  Callers assign the
 * result to their own offset; the return statement is not present in this
 * listing.
 */
6765 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6768 proto_item *item = NULL;
6769 proto_tree *tree = NULL;
6771 mask = tvb_get_letohl(tvb, offset);
6774 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6775 "Share Access: 0x%08x", mask);
6776 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
/* Each boolean receives the full mask; the per-bit selection is presumably done by the field bitmask. */
6779 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6780 tvb, offset, 4, mask);
6781 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6782 tvb, offset, 4, mask);
6783 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6784 tvb, offset, 4, mask);
6791 /* FIXME: need to call dissect_nt_access_mask() instead */
/*
 * Decode the 4-byte NT access mask at offset.
 *
 * Reads a 32-bit little-endian value, adds an "Access Mask" text item under
 * parent_tree with the subtree ett_smb_nt_access_mask, and adds twenty
 * booleans covering the generic, standard and file-specific rights.
 * dissect_nt_trans_param_request() uses it for the desired access of
 * NT_TRANS_CREATE and assigns the result to its offset; the return
 * statement is not present in this listing.
 *
 * The mask is what the client asks for, not what the server granted, so a
 * request showing WRITE DAC, WRITE OWNER or SYSTEM SECURITY has to be read
 * together with the status of the matching response.
 */
6794 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6797 proto_item *item = NULL;
6798 proto_tree *tree = NULL;
6800 mask = tvb_get_letohl(tvb, offset);
6803 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6804 "Access Mask: 0x%08x", mask);
6805 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6809 * Some of these bits come from
6811 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6813 * and others come from the section on ZwOpenFile in "Windows(R)
6814 * NT(R)/2000 Native API Reference".
/* Generic rights and MAXIMUM ALLOWED. */
6816 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6817 tvb, offset, 4, mask);
6818 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6819 tvb, offset, 4, mask);
6820 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6821 tvb, offset, 4, mask);
6822 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6823 tvb, offset, 4, mask);
6824 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6825 tvb, offset, 4, mask);
/* Rights that touch the security descriptor or ownership of the object. */
6826 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6827 tvb, offset, 4, mask);
6828 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6829 tvb, offset, 4, mask);
6830 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6831 tvb, offset, 4, mask);
6832 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6833 tvb, offset, 4, mask);
6834 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6835 tvb, offset, 4, mask);
6836 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6837 tvb, offset, 4, mask);
/* File-specific rights: attributes, child deletion, execute, extended attributes, append, write, read. */
6838 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6839 tvb, offset, 4, mask);
6840 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6841 tvb, offset, 4, mask);
6842 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6843 tvb, offset, 4, mask);
6844 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6845 tvb, offset, 4, mask);
6846 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6847 tvb, offset, 4, mask);
6848 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6849 tvb, offset, 4, mask);
6850 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6851 tvb, offset, 4, mask);
6852 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6853 tvb, offset, 4, mask);
6854 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6855 tvb, offset, 4, mask);
/*
 * Decode the 4-byte Create Flags field at offset.
 *
 * Reads a 32-bit little-endian value, adds a "Create Flags" text item under
 * parent_tree with the subtree ett_smb_nt_create_bits, and adds the
 * extended-response, directory, batch-oplock and oplock booleans.  The
 * meaning of the extended-response bit is uncertain according to the
 * author note kept below.  Callers assign the result to their own offset;
 * the return statement is not present in this listing.
 */
6863 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6866 proto_item *item = NULL;
6867 proto_tree *tree = NULL;
6869 mask = tvb_get_letohl(tvb, offset);
6872 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6873 "Create Flags: 0x%08x", mask);
6874 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6878 * XXX - it's 0x00000016 in at least one capture, but
6879 * Network Monitor doesn't say what the 0x00000010 bit is.
6880 * Does the Win32 API documentation, or NT Native API book,
6883 * That is the extended response desired bit ... RJS, from Samba
6884 * Well, maybe. Samba thinks it is, and uses it to encode
6885 * OpLock granted as the high order bit of the Action field
6886 * in the response. However, Windows does not do that. Or at least
6889 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_ext_resp,
6890 tvb, offset, 4, mask);
6891 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6892 tvb, offset, 4, mask);
6893 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6894 tvb, offset, 4, mask);
6895 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6896 tvb, offset, 4, mask);
6904 * XXX - there are some more flags in the description of "ZwOpenFile()"
6905 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6906 * the wire as well? (The spec at
6908 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6910 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6911 * via the SMB protocol. The NT redirector should convert this option
6912 * to FILE_WRITE_THROUGH."
6914 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6915 * values one would infer from their position in the list of flags for
6916 * "ZwOpenFile()". Most of the others probably have those values
6917 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6918 * which might go over the wire (for the benefit of backup/restore software).
/*
 * Set/clear display strings for the bits of the 32-bit Create Options field
 * decoded by dissect_nt_create_options().  Note that the directory and
 * non_directory entries are two separate bits with mirrored wording, and
 * that delete_on_close makes an open destructive even when the create
 * disposition is a plain open.
 */
6920 static const true_false_string tfs_nt_create_options_directory = {
6921 "File being created/opened must be a directory",
6922 "File being created/opened must not be a directory"
6924 static const true_false_string tfs_nt_create_options_write_through = {
6925 "Writes should flush buffered data before completing",
6926 "Writes need not flush buffered data before completing"
6928 static const true_false_string tfs_nt_create_options_sequential_only = {
6929 "The file will only be accessed sequentially",
6930 "The file might not only be accessed sequentially"
6932 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6933 "All operations SYNCHRONOUS, waits subject to termination from alert",
6934 "Operations NOT necessarily synchronous"
6936 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6937 "All operations SYNCHRONOUS, waits not subject to alert",
6938 "Operations NOT necessarily synchronous"
6940 static const true_false_string tfs_nt_create_options_non_directory = {
6941 "File being created/opened must not be a directory",
6942 "File being created/opened must be a directory"
6944 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6945 "The client does not understand extended attributes",
6946 "The client understands extended attributes"
6948 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6949 "The client understands only 8.3 file names",
6950 "The client understands long file names"
6952 static const true_false_string tfs_nt_create_options_random_access = {
6953 "The file will be accessed randomly",
6954 "The file will not be accessed randomly"
6956 static const true_false_string tfs_nt_create_options_delete_on_close = {
6957 "The file should be deleted when it is closed",
6958 "The file should not be deleted when it is closed"
/*
 * Decode the 4-byte Create Options field at offset.
 *
 * Reads a 32-bit little-endian value, adds a "Create Options" text item
 * under parent_tree with the subtree ett_smb_nt_create_options, and adds
 * ten option booleans from it.  Callers assign the result to their own
 * offset; the return statement is not present in this listing.
 */
6962 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6965 proto_item *item = NULL;
6966 proto_tree *tree = NULL;
6968 mask = tvb_get_letohl(tvb, offset);
6971 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6972 "Create Options: 0x%08x", mask);
6973 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6979 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6981 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6982 tvb, offset, 4, mask);
6983 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6984 tvb, offset, 4, mask);
6985 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6986 tvb, offset, 4, mask);
6987 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6988 tvb, offset, 4, mask);
6989 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6990 tvb, offset, 4, mask);
6991 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6992 tvb, offset, 4, mask);
6993 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6994 tvb, offset, 4, mask);
6995 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
6996 tvb, offset, 4, mask);
6997 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
6998 tvb, offset, 4, mask);
/* Delete-on-close: worth checking in a capture even when the disposition is a plain open. */
6999 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
7000 tvb, offset, 4, mask);
/*
 * Decode the 4-byte completion filter of NT_TRANS_NOTIFY at offset.
 *
 * Reads a 32-bit little-endian value, adds a "Completion Filter" text item
 * under parent_tree with the subtree ett_smb_nt_notify_completion_filter,
 * and adds one boolean per notify condition (twelve in total).
 * dissect_nt_trans_setup_request() assigns the result to its offset; the
 * return statement is not present in this listing.
 */
7008 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7011 proto_item *item = NULL;
7012 proto_tree *tree = NULL;
7014 mask = tvb_get_letohl(tvb, offset);
7017 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7018 "Completion Filter: 0x%08x", mask);
7019 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
/* The fields are added in the same order as the NT_NOTIFY_* masks are defined, highest bit first. */
7022 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
7023 tvb, offset, 4, mask);
7024 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
7025 tvb, offset, 4, mask);
7026 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
7027 tvb, offset, 4, mask);
7028 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
7029 tvb, offset, 4, mask);
7030 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
7031 tvb, offset, 4, mask);
7032 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
7033 tvb, offset, 4, mask);
7034 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
7035 tvb, offset, 4, mask);
7036 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
7037 tvb, offset, 4, mask);
7038 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
7039 tvb, offset, 4, mask);
7040 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
7041 tvb, offset, 4, mask);
7042 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
7043 tvb, offset, 4, mask);
7044 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
7045 tvb, offset, 4, mask);
/*
 * Decode the one-byte flags field of an NT_TRANS_IOCTL setup block.
 *
 * Reads the byte with tvb_get_guint8(), adds a text item under parent_tree
 * with the subtree ett_smb_nt_ioctl_flags, and adds the root-handle
 * boolean.  dissect_nt_trans_setup_request() assigns the result to its
 * offset; the return statement is not present in this listing.
 *
 * NOTE(review): the text item below is labelled "Completion Filter", the
 * label that dissect_nt_notify_completion_filter() uses for a different
 * field.  For the IOCTL flags byte this looks like a copy-and-paste
 * leftover; a label such as "IOCTL Flags" would match the subtree, and
 * the current text can mislead anyone reading or filtering on the summary.
 */
7052 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7055 proto_item *item = NULL;
7056 proto_tree *tree = NULL;
7058 mask = tvb_get_guint8(tvb, offset);
7061 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7062 "Completion Filter: 0x%02x", mask);
7063 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
7066 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
7067 tvb, offset, 1, mask);
7074 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
7075 * Native API Reference".
/*
 * Set/clear display strings for the bits of the 32-bit security information
 * mask decoded by dissect_security_information_mask().  The mask says which
 * parts of a security descriptor the transaction refers to.  A request that
 * names the SACL concerns audit settings and normally needs more privilege
 * than one for owner, group or DACL, so it stands out in a capture.
 */
7077 static const true_false_string tfs_nt_qsd_owner = {
7078 "Requesting OWNER security information",
7079 "NOT requesting owner security information",
7082 static const true_false_string tfs_nt_qsd_group = {
7083 "Requesting GROUP security information",
7084 "NOT requesting group security information",
7087 static const true_false_string tfs_nt_qsd_dacl = {
7088 "Requesting DACL security information",
7089 "NOT requesting DACL security information",
7092 static const true_false_string tfs_nt_qsd_sacl = {
7093 "Requesting SACL security information",
7094 "NOT requesting SACL security information",
/* Bit values of the security information mask; presumably the bitmasks of the hf_smb_nt_qsd_* fields. */
7097 #define NT_QSD_OWNER 0x00000001
7098 #define NT_QSD_GROUP 0x00000002
7099 #define NT_QSD_DACL 0x00000004
7100 #define NT_QSD_SACL 0x00000008
/*
 * Decode the 4-byte security information mask at offset.
 *
 * Reads a 32-bit little-endian value, adds a "Security Information" text
 * item under parent_tree with the subtree
 * ett_smb_security_information_mask, and adds the owner, group, DACL and
 * SACL booleans.  dissect_nt_trans_param_request() calls it for both
 * NT_TRANS_SSD and NT_TRANS_QSD, so the "Requesting ..." wording of the
 * strings also appears on set-security requests.  The return statement is
 * not present in this listing.
 */
7103 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7106 proto_item *item = NULL;
7107 proto_tree *tree = NULL;
7109 mask = tvb_get_letohl(tvb, offset);
7112 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7113 "Security Information: 0x%08x", mask);
7114 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
7117 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
7118 tvb, offset, 4, mask);
7119 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
7120 tvb, offset, 4, mask);
7121 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
7122 tvb, offset, 4, mask);
7123 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
7124 tvb, offset, 4, mask);
/*
 * Decode user-quota data from an NT transaction data block.
 *
 * tvb and offset locate the data, tree receives the fields, and *bcp is the
 * remaining byte count of the caller.  The CHECK_BYTE_COUNT_TRANS_SUBR and
 * COUNT_BYTES_TRANS_SUBR macros are defined elsewhere; presumably they test
 * and decrement *bcp and advance offset.
 *
 * NOTE(review): qsize and the SID come straight from the packet.  The last
 * visible statement moves the cursor to old_offset+qsize without any check
 * that is visible in this listing.  Confirm in the full source that a zero
 * or backward-pointing qsize cannot make the dissector revisit the same
 * bytes, and that adding a 32-bit unsigned value to an int offset cannot
 * produce a negative or wrapped offset.
 */
7132 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
7134 int old_offset, old_sid_offset;
/* Packet-supplied distance from the start of this entry; used at the end to reposition offset. */
7140 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7141 qsize=tvb_get_letohl(tvb, offset);
7142 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7143 COUNT_BYTES_TRANS_SUBR(4);
/* NOTE(review): tvb_get_letohl() yields an unsigned 32-bit value but is printed with %d below, so large lengths display as negative. */
7145 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7147 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7148 COUNT_BYTES_TRANS_SUBR(4);
7150 /* unknown bytes; this comment originally said 16, but the byte-count macros around the field use 8 -- TODO confirm which is right */
7151 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7152 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7154 COUNT_BYTES_TRANS_SUBR(8);
7156 /* number of bytes for used quota */
7157 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7158 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7159 COUNT_BYTES_TRANS_SUBR(8);
7161 /* number of bytes for quota warning */
7162 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7163 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7164 COUNT_BYTES_TRANS_SUBR(8);
7166 /* number of bytes for quota limit */
7167 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7168 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7169 COUNT_BYTES_TRANS_SUBR(8);
/*
 * The SID is parsed by dissect_nt_sid(), and *bcp is then reduced by the
 * number of bytes it consumed.  NOTE(review): *bcp is a guint16 and no
 * check that the SID fits in the remaining count is visible here, so a SID
 * longer than the remaining count would wrap it -- verify.
 */
7171 /* SID of the user */
7172 old_sid_offset=offset;
7173 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
7174 *bcp -= (offset-old_sid_offset);
/* Reposition using the packet-supplied qsize; see the review note at the top of the function. */
7177 offset = old_offset+qsize;
/*
 * Decode the data block of an NT Transaction request.
 *
 * offset and bc give the start and length of the data block, parent_tree
 * receives a text item with the subtree ett_smb_nt_trans_data, and
 * ntd->subcmd selects how the bytes are interpreted.  Whatever a
 * subcommand leaves undecoded is added at the end as hf_smb_unknown.
 *
 * For NT_TRANS_CREATE the lengths ntd->sd_len and ntd->ea_len are the
 * values dissect_nt_trans_param_request() read from the parameter block,
 * so they are packet-controlled.  They are handed to dissect_nt_sec_desc()
 * and proto_tree_add_item() as lengths, and ea_len is added to offset;
 * the dissector relies on those callees to reject lengths that exceed the
 * captured data (TODO confirm for dissect_nt_sec_desc).
 */
7187 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7189 proto_item *item = NULL;
7190 proto_tree *tree = NULL;
7192 int old_offset = offset;
/* NOTE(review): bc is an int but bcp is a guint16, so a data count above 65535 is truncated before dissect_nt_user_quota() uses it as the remaining byte count. */
7193 guint16 bcp=bc; /* XXX fixme */
7195 si = (smb_info_t *)pinfo->private_data;
7198 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7200 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7201 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7204 switch(ntd->subcmd){
7205 case NT_TRANS_CREATE:
7206 /* security descriptor */
7208 offset = dissect_nt_sec_desc(
7209 tvb, offset, pinfo, tree, NULL, ntd->sd_len,
7213 /* extended attributes */
7215 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7216 offset += ntd->ea_len;
7220 case NT_TRANS_IOCTL:
7222 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
/* A security descriptor spanning the whole data block; the case label for this call is not present in this listing. */
7227 offset = dissect_nt_sec_desc(
7228 tvb, offset, pinfo, tree, NULL, bc, NULL);
7230 case NT_TRANS_NOTIFY:
7232 case NT_TRANS_RENAME:
7233 /* XXX not documented */
7237 case NT_TRANS_GET_USER_QUOTA:
7238 /* unknown 4 bytes */
7239 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7244 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7247 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
7249 case NT_TRANS_SET_USER_QUOTA:
7250 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
7254 /* oops, there was data we did not know how to process */
7255 if((offset-old_offset) < bc){
7256 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7257 bc - (offset-old_offset), TRUE);
7258 offset += bc - (offset-old_offset);
/*
 * Decode the parameter block of an NT Transaction request.
 *
 * offset and len give the start and length of the parameter block,
 * parent_tree receives a text item with the subtree ett_smb_nt_trans_param,
 * ntd->subcmd selects the layout, and bc is the remaining byte count that
 * the string helper and COUNT_BYTES work against.
 *
 * For NT_TRANS_CREATE the function also records the security descriptor
 * length and the EA list length in ntd->sd_len and ntd->ea_len.  Both are
 * raw 32-bit values from the packet and are stored without any range check
 * that is visible here; dissect_nt_trans_data_request() later uses them as
 * lengths.
 */
7265 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7267 proto_item *item = NULL;
7268 proto_tree *tree = NULL;
7273 si = (smb_info_t *)pinfo->private_data;
7276 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7278 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7279 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7282 switch(ntd->subcmd){
7283 case NT_TRANS_CREATE:
7285 offset = dissect_nt_create_bits(tvb, tree, offset);
7288 /* root directory fid */
7289 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7292 /* nt access mask */
7293 offset = dissect_smb_access_mask(tvb, tree, offset);
7296 /* allocation size */
7297 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7300 /* Extended File Attributes */
7301 offset = dissect_file_ext_attr(tvb, tree, offset);
7305 offset = dissect_nt_share_access(tvb, tree, offset);
7308 /* create disposition */
7309 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7312 /* create options */
7313 offset = dissect_nt_create_options(tvb, tree, offset);
/* Packet-supplied lengths kept for the data block; see the note at the top of the function. */
7317 ntd->sd_len = tvb_get_letohl(tvb, offset);
7318 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7322 ntd->ea_len = tvb_get_letohl(tvb, offset);
7323 proto_tree_add_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ntd->ea_len);
/* File name length as declared by the client; it is passed by address to the string helper below, which presumably adjusts it to the bytes actually available. */
7327 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7328 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7331 /* impersonation level */
7332 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
7335 /* security flags */
7336 offset = dissect_nt_security_flags(tvb, tree, offset);
/* NOTE(review): no NULL check on fn is visible in this listing before it is used; confirm the full source handles a failed string fetch. */
7340 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
7342 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7344 COUNT_BYTES(fn_len);
7348 case NT_TRANS_IOCTL:
/* Set security descriptor: FID, two reserved bytes, then the security information mask. */
7350 case NT_TRANS_SSD: {
7354 fid = tvb_get_letohs(tvb, offset);
7355 add_fid(tvb, pinfo, tree, offset, 2, fid);
7358 /* 2 reserved bytes */
7359 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7362 /* security information */
7363 offset = dissect_security_information_mask(tvb, tree, offset);
7366 case NT_TRANS_NOTIFY:
7368 case NT_TRANS_RENAME:
7369 /* XXX not documented */
/* Query security descriptor: same layout as NT_TRANS_SSD. */
7371 case NT_TRANS_QSD: {
7375 fid = tvb_get_letohs(tvb, offset);
7376 add_fid(tvb, pinfo, tree, offset, 2, fid);
7379 /* 2 reserved bytes */
7380 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7383 /* security information */
7384 offset = dissect_security_information_mask(tvb, tree, offset);
7387 case NT_TRANS_GET_USER_QUOTA:
7388 /* not decoded yet */
7390 case NT_TRANS_SET_USER_QUOTA:
7391 /* not decoded yet */
/*
 * Decode the setup words of an NT Transaction request.
 *
 * offset and len give the start and length of the setup area, parent_tree
 * receives a text item with the subtree ett_smb_nt_trans_setup, and
 * ntd->subcmd selects the layout.  Only NT_TRANS_IOCTL and NT_TRANS_NOTIFY
 * have fields decoded here.
 *
 * Returns old_offset+len whatever the subcommand consumed, so the cursor of
 * the caller follows the declared setup length rather than the number of
 * bytes decoded.  In dissect_nt_transaction_request() that length is the
 * packet-supplied setup count times two.
 */
7399 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7401 proto_item *item = NULL;
7402 proto_tree *tree = NULL;
7404 int old_offset = offset;
7406 si = (smb_info_t *)pinfo->private_data;
7409 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7411 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7412 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7415 switch(ntd->subcmd){
7416 case NT_TRANS_CREATE:
/* IOCTL setup: function code (4 bytes), FID (2), IsFsctl (1), flags (1). */
7418 case NT_TRANS_IOCTL: {
7422 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
7426 fid = tvb_get_letohs(tvb, offset);
7427 add_fid(tvb, pinfo, tree, offset, 2, fid);
7431 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
7435 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
/* Notify setup: completion filter (4 bytes), FID (2), watch tree (1), reserved (1). */
7441 case NT_TRANS_NOTIFY: {
7444 /* completion filter */
7445 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
7448 fid = tvb_get_letohs(tvb, offset);
7449 add_fid(tvb, pinfo, tree, offset, 2, fid);
7453 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
7457 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7462 case NT_TRANS_RENAME:
7463 /* XXX not documented */
7467 case NT_TRANS_GET_USER_QUOTA:
7468 /* not decoded yet */
7470 case NT_TRANS_SET_USER_QUOTA:
7471 /* not decoded yet */
7475 return old_offset+len;
/*
 * Decode an NT Transaction request (primary or secondary).
 *
 * Adds the fixed header fields to tree, then the setup words, the
 * parameter block and the data block through
 * dissect_nt_trans_setup_request(), dissect_nt_trans_param_request() and
 * dissect_nt_trans_data_request().  On a primary request the subcommand is
 * appended to the Info column and, on the first pass over the frame, stored
 * in a newly allocated smb_nt_transact_info_t hung off sip->extra_info so
 * that the response dissectors can find it.
 *
 * Everything that sizes or positions the blocks is packet-controlled: the
 * parameter count and offset (pc, po), the data count and offset (dc, od)
 * and the setup count (sc).  Visible handling is limited to padding up to
 * po or od when they lie ahead of the current offset, and to
 * CHECK_BYTE_COUNT(pc) and CHECK_BYTE_COUNT(dc) before the blocks are
 * handed on.  NOTE(review): what happens when po or od point behind the
 * current offset is not visible in this listing -- verify in the full
 * source.  The assignment of sip is also not visible; confirm it cannot be
 * NULL where sip->extra_info is written.
 */
7480 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
7483 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
7485 smb_saved_info_t *sip;
7490 smb_nt_transact_info_t *nti;
7492 si = (smb_info_t *)pinfo->private_data;
7498 /* primary request */
7499 /* max setup count */
7500 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
7503 /* 2 reserved bytes */
7504 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7507 /* secondary request */
7508 /* 3 reserved bytes */
7509 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7514 /* total param count */
7515 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
7518 /* total data count */
7519 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
7523 /* primary request */
7524 /* max param count */
7525 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
7528 /* max data count */
7529 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
/* Parameter count and parameter offset of this message, as declared by the sender. */
7534 pc = tvb_get_letohl(tvb, offset);
7535 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7539 po = tvb_get_letohl(tvb, offset);
7540 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7543 /* param displacement */
7545 /* primary request*/
7548 /* secondary request */
7549 pd = tvb_get_letohl(tvb, offset);
7550 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
/* Data count and data offset of this message, as declared by the sender. */
7555 dc = tvb_get_letohl(tvb, offset);
7556 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7560 od = tvb_get_letohl(tvb, offset);
7561 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7564 /* data displacement */
7566 /* primary request */
7569 /* secondary request */
7570 dd = tvb_get_letohl(tvb, offset);
7571 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7577 /* primary request */
7578 sc = tvb_get_guint8(tvb, offset);
7579 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7582 /* secondary request */
7588 /* primary request */
7589 subcmd = tvb_get_letohs(tvb, offset);
7590 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
7591 if(check_col(pinfo->cinfo, COL_INFO)){
7592 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7593 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
7595 ntd.subcmd = subcmd;
/* First pass over this frame only: remember the subcommand for the matching response. */
7597 if(!pinfo->fd->flags.visited){
7599 * Allocate a new smb_nt_transact_info_t
7602 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
7603 nti->subcmd = subcmd;
7604 sip->extra_info = nti;
7608 /* secondary request */
7609 if(check_col(pinfo->cinfo, COL_INFO)){
7610 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
7615 /* this is a padding byte */
7618 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
7622 /* if there were any setup bytes, decode them */
7624 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
7631 if(po>(guint32)offset){
7632 /* We have some initial padding bytes.
7637 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7638 COUNT_BYTES(padcnt);
7641 CHECK_BYTE_COUNT(pc);
7642 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
7647 if(od>(guint32)offset){
7648 /* We have some initial padding bytes.
7653 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7654 COUNT_BYTES(padcnt);
7657 CHECK_BYTE_COUNT(dc);
7658 dissect_nt_trans_data_request(
7659 tvb, pinfo, offset, tree, dc, &ntd);
/*
 * Decode the data block of an NT Transaction response.
 *
 * offset and len give the start and length of the data block and
 * parent_tree receives a text item with the subtree ett_smb_nt_trans_data.
 * The subcommand is not carried in the response; it is taken from the
 * smb_nt_transact_info_t that the request dissector stored in
 * si->sip->extra_info.  When the request was not seen, the item is
 * labelled "matching request not seen".
 */
7671 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
7672 int offset, proto_tree *parent_tree, int len,
7673 nt_trans_data *ntd _U_)
7675 proto_item *item = NULL;
7676 proto_tree *tree = NULL;
7678 smb_nt_transact_info_t *nti;
7681 si = (smb_info_t *)pinfo->private_data;
/* nti is only assigned here when saved request state exists; the fallback assignment is not present in this listing. */
7682 if (si->sip != NULL)
7683 nti = si->sip->extra_info;
7689 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7691 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7694 * We never saw the request to which this is a
7697 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7698 "Unknown NT Transaction Data (matching request not seen)");
7700 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
/*
 * NOTE(review): nti is dereferenced by the switch below.  The lines between
 * the subtree creation and the switch are missing from this listing, so
 * confirm that the full source returns early when nti is NULL; a response
 * captured without its request must not reach this point.
 */
7707 switch(nti->subcmd){
7708 case NT_TRANS_CREATE:
7710 case NT_TRANS_IOCTL:
7712 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
7718 case NT_TRANS_NOTIFY:
7720 case NT_TRANS_RENAME:
7721 /* XXX not documented */
7723 case NT_TRANS_QSD: {
7725 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
7726 * which may be documented in the Win32 documentation
7729 offset = dissect_nt_sec_desc(
7730 tvb, offset, pinfo, tree, NULL, len, NULL);
/* The quota reply is parsed by dissect_nt_user_quota(); bcp is declared on a line not present in this listing. */
7733 case NT_TRANS_GET_USER_QUOTA:
7735 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
7737 case NT_TRANS_SET_USER_QUOTA:
7738 /* not decoded yet */
// Dissects the parameter block of an NT Transaction response into a
// subtree (ett_smb_nt_trans_param) of parent_tree.  ntd is unused.
//
// The subcommand comes from the saved request state (nti); a response
// whose request was not captured is labelled as such.  bc is the byte
// count handed in by the caller (either its own remaining count or the
// length of the reassembled buffer).
//
// NOTE(review): nti is assigned only under si->sip != NULL; the guard
// between that assignment and switch(nti->subcmd) is not visible in this
// listing -- confirm the switch is skipped when nti is NULL.
7746 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
7747 int offset, proto_tree *parent_tree,
7748 int len, nt_trans_data *ntd _U_, guint16 bc)
7750 proto_item *item = NULL;
7751 proto_tree *tree = NULL;
7755 smb_nt_transact_info_t *nti;
7761 si = (smb_info_t *)pinfo->private_data;
7762 if (si->sip != NULL)
7763 nti = si->sip->extra_info;
7769 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7771 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7774 * We never saw the request to which this is a
7777 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7778 "Unknown NT Transaction Parameters (matching request not seen)");
7780 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7787 switch(nti->subcmd){
7788 case NT_TRANS_CREATE:
7790 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
7794 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7798 fid = tvb_get_letohs(tvb, offset);
7799 add_fid(tvb, pinfo, tree, offset, 2, fid);
7803 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
7806 /* ea error offset */
7807 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
7811 offset = dissect_nt_64bit_time(tvb, tree, offset,
7812 hf_smb_create_time);
7815 offset = dissect_nt_64bit_time(tvb, tree, offset,
7816 hf_smb_access_time);
7818 /* last write time */
7819 offset = dissect_nt_64bit_time(tvb, tree, offset,
7820 hf_smb_last_write_time);
7822 /* last change time */
7823 offset = dissect_nt_64bit_time(tvb, tree, offset,
7824 hf_smb_change_time);
7826 /* Extended File Attributes */
7827 offset = dissect_file_ext_attr(tvb, tree, offset);
7829 /* allocation size */
7830 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7834 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
7838 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
7842 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
7845 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
7848 case NT_TRANS_IOCTL:
7852 case NT_TRANS_NOTIFY:
// Each notify entry carries a 32-bit offset to the next entry (neo), a
// 32-bit action and a 32-bit name length (fn_len), all read from the
// packet, followed by the name.
// NOTE(review): the checks that follow the "broken implementations"
// remarks are not part of this listing.  Confirm they end the walk when an
// entry would run past the available bytes, and that a neo pointing
// backwards or into the current entry is clamped before
// COUNT_BYTES(padcnt) so the offset can only move forward.
7854 old_offset = offset;
7856 /* next entry offset */
7857 neo = tvb_get_letohl(tvb, offset);
7858 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
7861 /* broken implementations */
7865 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
7868 /* broken implementations */
7872 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7873 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7876 /* broken implementations */
7880 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
7883 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7885 COUNT_BYTES(fn_len);
7887 /* broken implementations */
7891 break; /* no more structures */
7893 /* skip to next structure */
7894 padcnt = (old_offset + neo) - offset;
7897 * XXX - this is bogus; flag it?
7902 COUNT_BYTES(padcnt);
7904 /* broken implementations */
7909 case NT_TRANS_RENAME:
7910 /* XXX not documented */
7914 * This appears to be the size of the security
7915 * descriptor; the calling sequence of
7916 * "ZwQuerySecurityObject()" suggests that it would
7917 * be. The actual security descriptor wouldn't
7918 * follow if the max data count in the request
7919 * was smaller; this lets the client know how
7920 * big a buffer it needs to provide.
7922 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
7925 case NT_TRANS_GET_USER_QUOTA:
// NOTE(review): tvb_get_letohl() yields an unsigned 32-bit value but the
// format below uses %d, so sizes above INT_MAX are displayed as negative
// numbers; %u would match the type.
7926 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
7927 tvb_get_letohl(tvb, offset));
7930 case NT_TRANS_SET_USER_QUOTA:
7931 /* not decoded yet */
// Dissects the setup words of an NT Transaction response.  ntd is unused.
//
// Only a labelled subtree (ett_smb_nt_trans_setup) covering len bytes is
// created; none of the subcommand cases visible here decodes individual
// setup words.  The caller passes len as sc*2, where sc is the one-byte
// setup count taken from the packet.
//
// NOTE(review): nti is assigned only under si->sip != NULL; the guard
// between that assignment and switch(nti->subcmd) is not visible in this
// listing -- confirm the switch is skipped when nti is NULL.
7939 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
7940 int offset, proto_tree *parent_tree,
7941 int len, nt_trans_data *ntd _U_)
7943 proto_item *item = NULL;
7944 proto_tree *tree = NULL;
7946 smb_nt_transact_info_t *nti;
7948 si = (smb_info_t *)pinfo->private_data;
7949 if (si->sip != NULL)
7950 nti = si->sip->extra_info;
7956 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7958 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7961 * We never saw the request to which this is a
7964 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7965 "Unknown NT Transaction Setup (matching request not seen)");
7967 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7974 switch(nti->subcmd){
7975 case NT_TRANS_CREATE:
7977 case NT_TRANS_IOCTL:
7981 case NT_TRANS_NOTIFY:
7983 case NT_TRANS_RENAME:
7984 /* XXX not documented */
7988 case NT_TRANS_GET_USER_QUOTA:
7989 /* not decoded yet */
7991 case NT_TRANS_SET_USER_QUOTA:
7992 /* not decoded yet */
// Dissects an NT Transaction response: the fixed header (reserved bytes,
// total and per-packet parameter/data counts, offsets and displacements,
// setup count), the setup words, and then the parameter and data blocks.
// When the totals differ from the per-packet counts the blocks are
// reassembled across packets, provided smb_trans_reassembly is enabled.
//
// Every count, offset and displacement (tp, td, pc, po, pd, dc, od, dd,
// sc) is read directly from the packet and has to be treated as untrusted.
//
// pinfo->fragmented is saved before the reassembly section and restored at
// the end of the function.
//
// NOTE(review): ntd has static storage, so its contents persist between
// calls.  Nothing in the visible lines initialises it before it is handed
// to the sub-dissectors (which currently mark the parameter unused).
8000 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8003 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
8006 smb_nt_transact_info_t *nti;
8007 static nt_trans_data ntd;
8010 fragment_data *r_fd = NULL;
8011 tvbuff_t *pd_tvb=NULL;
8012 gboolean save_fragmented;
8014 si = (smb_info_t *)pinfo->private_data;
8015 if (si->sip != NULL)
8016 nti = si->sip->extra_info;
8020 /* primary request */
8022 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
8023 if(check_col(pinfo->cinfo, COL_INFO)){
8024 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8025 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
8028 proto_tree_add_text(tree, tvb, offset, 0,
8029 "Function: <unknown function - could not find matching request>");
8030 if(check_col(pinfo->cinfo, COL_INFO)){
8031 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8037 /* 3 reserved bytes */
8038 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8041 /* total param count */
8042 tp = tvb_get_letohl(tvb, offset);
8043 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8046 /* total data count */
8047 td = tvb_get_letohl(tvb, offset);
8048 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8052 pc = tvb_get_letohl(tvb, offset);
8053 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8057 po = tvb_get_letohl(tvb, offset);
8058 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8061 /* param displacement */
8062 pd = tvb_get_letohl(tvb, offset);
8063 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8067 dc = tvb_get_letohl(tvb, offset);
8068 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8072 od = tvb_get_letohl(tvb, offset);
8073 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8076 /* data displacement */
8077 dd = tvb_get_letohl(tvb, offset);
8078 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8082 sc = tvb_get_guint8(tvb, offset);
8083 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8088 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8094 /* reassembly of SMB NT Transaction data payload.
8095 In this section we do reassembly of both the data and parameters
8096 blocks of the SMB transaction command.
8098 save_fragmented = pinfo->fragmented;
8099 /* do we need reassembly? */
8100 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8101 /* oh yeah, either data or parameter section needs
8104 pinfo->fragmented = TRUE;
8105 if(smb_trans_reassembly){
8106 /* ...and we were told to do reassembly */
// NOTE(review): tvb_length_remaining() is documented to return -1 for an
// offset outside the buffer (verify against this tree).  The cast to
// unsigned turns that into a very large value, so this test also passes
// when po lies outside the packet; po is also a 32-bit value passed where
// a signed offset is expected.  Confirm smb_trans_defragment() rejects such
// offsets.  The same applies to the od/dc test further down.
8107 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8108 r_fd = smb_trans_defragment(tree, pinfo, tvb,
// NOTE(review): dd+tp and td+tp below are 32-bit sums of packet-supplied
// values and can wrap; presumably the reassembly code validates the
// resulting offset and total length -- verify.
8112 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8113 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8114 od, dc, dd+tp, td+tp);
8119 /* if we got a reassembled fd structure from the reassembly routine we
8120 must create pd_tvb from it
8123 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8125 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8126 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
8128 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
8133 /* we have reassembled data, grab param and data from there */
// NOTE(review): the reassembled length is narrowed to guint16, so a buffer
// larger than 65535 bytes produces a wrapped byte count.  tp and td (totals
// taken from the packet) are used as the parameter length and as the data
// offset and length inside pd_tvb.
8134 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8135 &ntd, (guint16) tvb_length(pd_tvb));
8136 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8138 /* we do not have reassembled data, just use what we have in the
8139 packet as well as we can */
8141 if(po>(guint32)offset){
8142 /* We have some initial padding bytes.
8147 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8148 COUNT_BYTES(padcnt);
8151 CHECK_BYTE_COUNT(pc);
8152 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8157 if(od>(guint32)offset){
8158 /* We have some initial padding bytes.
8163 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8164 COUNT_BYTES(padcnt);
8167 CHECK_BYTE_COUNT(dc);
8168 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8172 pinfo->fragmented = save_fragmented;
8179 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8180 NT Transaction command ends here
8181 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
// Value-to-name table for the print mode; presumably attached to the
// hf_smb_print_mode field (its registration is not part of this listing).
8183 static const value_string print_mode_vals[] = {
8185 {1, "Graphics Mode"},
// Dissects an Open Print File request: setup length, print mode, a
// one-byte buffer format and the print identifier string (Unicode or
// ASCII according to si->unicode).
//
// NOTE(review): the value returned by get_unicode_or_ascii_string() is
// handed to proto_tree_add_string(); the check for a NULL return is not
// visible in this listing -- confirm it exists before fn is used.
8190 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8192 smb_info_t *si = pinfo->private_data;
8201 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8205 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8211 CHECK_BYTE_COUNT(1);
8212 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8215 /* print identifier */
8216 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
8219 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8221 COUNT_BYTES(fn_len);
// Dissects a Write Print File request: FID, a one-byte buffer format, a
// 16-bit data length (cnt) and the file data.
//
// NOTE(review): cnt is read from the packet and passed as both length
// arguments of dissect_file_data().  The visible lines check only that two
// bytes are available for the length field itself, not that cnt bytes of
// data follow; confirm dissect_file_data() limits itself to the bytes
// actually present.
8230 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8239 fid = tvb_get_letohs(tvb, offset);
8240 add_fid(tvb, pinfo, tree, offset, 2, fid);
8246 CHECK_BYTE_COUNT(1);
8247 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8251 CHECK_BYTE_COUNT(2);
8252 cnt = tvb_get_letohs(tvb, offset);
8253 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
8257 offset = dissect_file_data(tvb, tree, offset, (guint16) cnt, (guint16) cnt);
// Value-to-name table for the status of a print queue entry; presumably
// attached to the hf_smb_print_status field (registration not shown here).
8265 static const value_string print_status_vals[] = {
8266 {1, "Held or Stopped"},
8268 {3, "Awaiting print"},
8269 {4, "In intercept"},
8270 {5, "File had error"},
8271 {6, "Printer error"},
// Dissects a Get Print Queue request: a 16-bit max count followed by a
// 16-bit start index.  pinfo and smb_tree are unused.
8276 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8284 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8288 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
// Dissects one print queue entry into a subtree (ett_smb_print_queue_entry)
// of parent_tree: queued date/time, status, spool file number, spool file
// size, a reserved byte and the spool file name.
//
// Each field is preceded by a CHECK_BYTE_COUNT_SUBR() against the
// remaining byte count that the caller passes through bcp; the macros are
// defined outside this listing.  trunc is an output flag for the caller
// (presumably set by those macros when the entry is cut short -- verify).
//
// NOTE(review): the entry item is created with a fixed length of 28 and
// the name item with a fixed length of 16, while the offset is advanced by
// fn_len.  Presumably the name field is always 16 bytes so the two agree;
// the line that sets fn_len is not visible here -- confirm.
8299 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8300 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8302 proto_item *item = NULL;
8303 proto_tree *tree = NULL;
8304 smb_info_t *si = pinfo->private_data;
8309 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8311 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
8315 CHECK_BYTE_COUNT_SUBR(4);
8316 offset = dissect_smb_datetime(tvb, tree, offset,
8317 hf_smb_print_queue_date,
8318 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8322 CHECK_BYTE_COUNT_SUBR(1);
8323 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8324 COUNT_BYTES_SUBR(1);
8326 /* spool file number */
8327 CHECK_BYTE_COUNT_SUBR(2);
8328 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
8329 COUNT_BYTES_SUBR(2);
8331 /* spool file size */
8332 CHECK_BYTE_COUNT_SUBR(4);
8333 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
8334 COUNT_BYTES_SUBR(4);
8337 CHECK_BYTE_COUNT_SUBR(1);
8338 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8339 COUNT_BYTES_SUBR(1);
8343 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
8344 CHECK_STRING_SUBR(fn);
8345 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
8347 COUNT_BYTES_SUBR(fn_len);
// Dissects a Get Print Queue response: entry count, restart index, a
// one-byte buffer format, a 16-bit data length and then the queue entries,
// each handled by dissect_print_queue_element().
//
// NOTE(review): cnt and len are both read from the packet.  The loop
// condition around the element dissector is not visible in this listing;
// confirm it is bounded by the remaining byte count and not by cnt alone.
8354 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8364 cnt = tvb_get_letohs(tvb, offset);
8365 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
8369 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
8375 CHECK_BYTE_COUNT(1);
8376 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8380 CHECK_BYTE_COUNT(2);
8381 len = tvb_get_letohs(tvb, offset);
8382 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
8385 /* queue elements */
8387 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
// Dissects a Send Single Block Message request.  Originator name,
// destination name and message are each preceded by a one-byte buffer
// format; the names are sized with tvb_strsize() and the message by a
// 16-bit length taken from the packet, which is checked with
// CHECK_BYTE_COUNT(message_len) before the message item is added.
//
// NOTE(review), on the existing XXX remarks: tvb_strsize() receives only
// the offset, so its search is limited by the tvbuff and not by bc; the
// comparison against bc happens afterwards in CHECK_BYTE_COUNT(name_len).
// Presumably tvb_strsize() throws when no terminator is found -- verify.
8400 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8405 guint16 message_len;
8412 CHECK_BYTE_COUNT(1);
8413 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8416 /* originator name */
8417 /* XXX - what if this runs past bc? */
8418 name_len = tvb_strsize(tvb, offset);
8419 CHECK_BYTE_COUNT(name_len);
8420 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
8422 COUNT_BYTES(name_len);
8425 CHECK_BYTE_COUNT(1);
8426 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8429 /* destination name */
8430 /* XXX - what if this runs past bc? */
8431 name_len = tvb_strsize(tvb, offset);
8432 CHECK_BYTE_COUNT(name_len);
8433 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
8435 COUNT_BYTES(name_len);
8438 CHECK_BYTE_COUNT(1);
8439 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8443 CHECK_BYTE_COUNT(2);
8444 message_len = tvb_get_letohs(tvb, offset);
8445 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
8450 CHECK_BYTE_COUNT(message_len);
8451 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
8453 COUNT_BYTES(message_len);
// Dissects a Send Multi Block Message Start request: originator name and
// destination name, each preceded by a one-byte buffer format and sized
// with tvb_strsize().
//
// NOTE(review), on the existing XXX remarks: tvb_strsize() receives only
// the offset, so its search is limited by the tvbuff and not by bc; the
// comparison against bc happens afterwards in CHECK_BYTE_COUNT(name_len).
// Presumably tvb_strsize() throws when no terminator is found -- verify.
8461 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8472 CHECK_BYTE_COUNT(1);
8473 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8476 /* originator name */
8477 /* XXX - what if this runs past bc? */
8478 name_len = tvb_strsize(tvb, offset);
8479 CHECK_BYTE_COUNT(name_len);
8480 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
8482 COUNT_BYTES(name_len);
8485 CHECK_BYTE_COUNT(1);
8486 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8489 /* destination name */
8490 /* XXX - what if this runs past bc? */
8491 name_len = tvb_strsize(tvb, offset);
8492 CHECK_BYTE_COUNT(name_len);
8493 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
8495 COUNT_BYTES(name_len);
// Adds the 16-bit message group ID (hf_smb_mgid) to the tree.  pinfo and
// smb_tree are unused.
8503 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8510 /* message group ID */
8511 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
// Dissects a Send Multi Block Message Text request: a one-byte buffer
// format, a 16-bit message length and the message bytes.
//
// message_len comes from the packet; it is compared with the remaining
// byte count by CHECK_BYTE_COUNT(message_len) before the message item is
// added (the macro is defined outside this listing).
8522 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8526 guint16 message_len;
8533 CHECK_BYTE_COUNT(1);
8534 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8538 CHECK_BYTE_COUNT(2);
8539 message_len = tvb_get_letohs(tvb, offset);
8540 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
8545 CHECK_BYTE_COUNT(message_len);
8546 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
8548 COUNT_BYTES(message_len);
// Dissects a forwarded name: a one-byte buffer format followed by a
// string sized with tvb_strsize().
//
// NOTE(review), on the existing XXX remark: tvb_strsize() receives only the
// offset, so its search is limited by the tvbuff and not by bc; the
// comparison against bc happens afterwards in CHECK_BYTE_COUNT(name_len).
// Presumably tvb_strsize() throws when no terminator is found -- verify.
8556 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8567 CHECK_BYTE_COUNT(1);
8568 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8571 /* forwarded name */
8572 /* XXX - what if this runs past bc? */
8573 name_len = tvb_strsize(tvb, offset);
8574 CHECK_BYTE_COUNT(name_len);
8575 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
8577 COUNT_BYTES(name_len);
// Dissects a Get Machine Name response: a one-byte buffer format followed
// by the machine name, sized with tvb_strsize().
//
// NOTE(review), on the existing XXX remark: tvb_strsize() receives only the
// offset, so its search is limited by the tvbuff and not by bc; the
// comparison against bc happens afterwards in CHECK_BYTE_COUNT(name_len).
// Presumably tvb_strsize() throws when no terminator is found -- verify.
8585 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8596 CHECK_BYTE_COUNT(1);
8597 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8601 /* XXX - what if this runs past bc? */
8602 name_len = tvb_strsize(tvb, offset);
8603 CHECK_BYTE_COUNT(name_len);
8604 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
8606 COUNT_BYTES(name_len);
// Dissects an NT Create AndX request: the AndX header (next command,
// reserved byte, offset of the next command), a reserved byte, file name
// length, create bits, root directory FID, access mask, allocation size,
// extended file attributes, share access, create disposition, create
// options, impersonation level, security flags and the file name.  The
// file name is also appended to the Info column.  Finally the chained
// command is handed to dissect_smb_command().
//
// cmd starts as 0xff, the value the tree labels as no further commands.
//
// NOTE(review): andxoffset is a 16-bit value from the packet and is passed
// to dissect_smb_command() as the offset of the next command.  No visible
// line checks that it lies beyond the current command; confirm that a
// backwards or self-referencing offset cannot cause unbounded recursion.
//
// NOTE(review): fn is passed to strlen() and proto_tree_add_string(); the
// check for a NULL return from get_unicode_or_ascii_string() is not
// visible in this listing -- confirm it exists.  The name is packet
// controlled and goes through format_text() before reaching the column,
// which presumably escapes non-printable bytes -- verify.
8615 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8617 guint8 wc, cmd=0xff;
8618 guint16 andxoffset=0;
8620 smb_info_t *si = pinfo->private_data;
8626 /* next smb command */
8627 cmd = tvb_get_guint8(tvb, offset);
8629 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8631 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
8636 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8640 andxoffset = tvb_get_letohs(tvb, offset);
8641 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8645 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8649 fn_len = tvb_get_letohs(tvb, offset);
8650 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
8654 offset = dissect_nt_create_bits(tvb, tree, offset);
8656 /* root directory fid */
8657 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8660 /* nt access mask */
8661 offset = dissect_smb_access_mask(tvb, tree, offset);
8663 /* allocation size */
8664 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8667 /* Extended File Attributes */
8668 offset = dissect_file_ext_attr(tvb, tree, offset);
8671 offset = dissect_nt_share_access(tvb, tree, offset);
8673 /* create disposition */
8674 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8677 /* create options */
8678 offset = dissect_nt_create_options(tvb, tree, offset);
8680 /* impersonation level */
8681 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8684 /* security flags */
8685 offset = dissect_nt_security_flags(tvb, tree, offset);
8690 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
8693 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8695 COUNT_BYTES(fn_len);
8697 if (check_col(pinfo->cinfo, COL_INFO)) {
8698 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8699 format_text(fn, strlen(fn)));
8704 /* call AndXCommand (if there are any) */
8705 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
// Dissects an NT Create AndX response: the AndX header (next command,
// reserved byte, offset of the next command), oplock level, FID, create
// action, create/access/last-write/change times, extended file
// attributes, allocation size, end of file, file type, IPC state and the
// is-directory byte.  The chained command is then handed to
// dissect_smb_command().
//
// cmd starts as 0xff, the value the tree labels as no further commands.
//
// NOTE(review): andxoffset is a 16-bit value from the packet and is passed
// to dissect_smb_command() as the offset of the next command.  No visible
// line checks that it lies beyond the current command; confirm that a
// backwards or self-referencing offset cannot cause unbounded recursion.
8712 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8714 guint8 wc, cmd=0xff;
8715 guint16 andxoffset=0;
8721 /* next smb command */
8722 cmd = tvb_get_guint8(tvb, offset);
8724 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8726 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
8731 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8735 andxoffset = tvb_get_letohs(tvb, offset);
8736 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8740 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8744 fid = tvb_get_letohs(tvb, offset);
8745 add_fid(tvb, pinfo, tree, offset, 2, fid);
8749 /*XXX is this really the same as create disposition in the request? it looks so*/
8750 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
8751 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8755 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
8758 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
8760 /* last write time */
8761 offset = dissect_nt_64bit_time(tvb, tree, offset,
8762 hf_smb_last_write_time);
8764 /* last change time */
8765 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
8767 /* Extended File Attributes */
8768 offset = dissect_file_ext_attr(tvb, tree, offset);
8770 /* allocation size */
8771 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8775 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8779 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8783 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8786 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8793 /* call AndXCommand (if there are any) */
8794 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
// Dissector for the NT Cancel request.  Only the signature is present in
// this listing; pinfo and smb_tree are both marked unused.
8801 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8815 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8816 BEGIN Transaction/Transaction2 Primary and secondary requests
8817 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
// Names for the TRANS2 subcommand codes.  Passed to val_to_str() by
// dissect_transaction2_request_parameters() to label the parameter block.
// Unlike the neighbouring tables it is not declared static.
8820 const value_string trans2_cmd_vals[] = {
8822 { 0x01, "FIND_FIRST2" },
8823 { 0x02, "FIND_NEXT2" },
8824 { 0x03, "QUERY_FS_INFO" },
8825 { 0x04, "SET_FS_QUOTA" },
8826 { 0x05, "QUERY_PATH_INFO" },
8827 { 0x06, "SET_PATH_INFO" },
8828 { 0x07, "QUERY_FILE_INFO" },
8829 { 0x08, "SET_FILE_INFO" },
8832 { 0x0B, "FIND_NOTIFY_FIRST" },
8833 { 0x0C, "FIND_NOTIFY_NEXT" },
8834 { 0x0D, "CREATE_DIRECTORY" },
8835 { 0x0E, "SESSION_SETUP" },
8836 { 0x10, "GET_DFS_REFERRAL" },
8837 { 0x11, "REPORT_DFS_INCONSISTENCY" },
// true_false_string pairs: the first string describes the flag when its
// bit is set, the second when it is clear.  These two cover the
// disconnect-TID and one-way-transaction flags.
8841 static const true_false_string tfs_tf_dtid = {
8842 "Also DISCONNECT TID",
8843 "Do NOT disconnect TID"
8845 static const true_false_string tfs_tf_owt = {
8846 "One Way Transaction (NO RESPONSE)",
8847 "Two way transaction"
// Strings for the find flags (backup intent, continue, resume keys, close
// at end of search, close after request); presumably attached to the
// hf_smb_ff2_* fields that dissect_ff2_flags() adds to the tree.
8850 static const true_false_string tfs_ff2_backup = {
8851 "Find WITH backup intent",
8854 static const true_false_string tfs_ff2_continue = {
8855 "CONTINUE search from previous position",
8856 "New search, do NOT continue from previous position"
8858 static const true_false_string tfs_ff2_resume = {
8859 "Return RESUME keys",
8860 "Do NOT return resume keys"
8862 static const true_false_string tfs_ff2_close_eos = {
8863 "CLOSE search if END OF SEARCH is reached",
8864 "Do NOT close search if end of search reached"
8866 static const true_false_string tfs_ff2_close = {
8867 "CLOSE search after this request",
8868 "Do NOT close search after this request"
// Names for the find information levels (presumably those of FIND_FIRST2
// and FIND_NEXT2, going by the table name -- TODO confirm).
8874 static const value_string ff2_il_vals[] = {
8875 { 1, "Info Standard"},
8876 { 2, "Info Query EA Size"},
8877 { 3, "Info Query EAs From List"},
8878 { 0x0101, "Find File Directory Info"},
8879 { 0x0102, "Find File Full Directory Info"},
8880 { 0x0103, "Find File Names Info"},
8881 { 0x0104, "Find File Both Directory Info"},
8882 { 0x0202, "Find File UNIX"},
8887 TRANS2_QUERY_PATH_INFORMATION
8888 TRANS2_QUERY_FILE_INFORMATION
// Names for the information levels of the query path/file information
// subcommands.  The table lists the small legacy levels, the 0x01xx and
// 0x02xx levels, and a decimal range starting at 1004; several levels
// appear under two codes with the same name (for example 0x0101 and 1004
// are both shown as Query File Basic Info).
8890 static const value_string qpi_loi_vals[] = {
8891 { 1, "Info Standard"},
8892 { 2, "Info Query EA Size"},
8893 { 3, "Info Query EAs From List"},
8894 { 4, "Info Query All EAs"},
8895 { 6, "Info Is Name Valid"},
8896 { 0x0101, "Query File Basic Info"},
8897 { 0x0102, "Query File Standard Info"},
8898 { 0x0103, "Query File EA Info"},
8899 { 0x0104, "Query File Name Info"},
8900 { 0x0107, "Query File All Info"},
8901 { 0x0108, "Query File Alt Name Info"},
8902 { 0x0109, "Query File Stream Info"},
8903 { 0x010b, "Query File Compression Info"},
8904 { 0x0200, "Query File Unix Basic"},
8905 { 0x0201, "Query File Unix Link"},
8906 { 1004, "Query File Basic Info"},
8907 { 1005, "Query File Standard Info"},
8908 { 1006, "Query File Internal Info"},
8909 { 1007, "Query File EA Info"},
8910 { 1009, "Query File Name Info"},
8911 { 1010, "Query File Rename Info"},
8912 { 1011, "Query File Link Info"},
8913 { 1012, "Query File Names Info"},
8914 { 1013, "Query File Disposition Info"},
8915 { 1014, "Query File Position Info"},
8916 { 1015, "Query File Full EA Info"},
8917 { 1016, "Query File Mode Info"},
8918 { 1017, "Query File Alignment Info"},
8919 { 1018, "Query File All Info"},
8920 { 1019, "Query File Allocation Info"},
8921 { 1020, "Query File End of File Info"},
8922 { 1021, "Query File Alt Name Info"},
8923 { 1022, "Query File Stream Info"},
8924 { 1023, "Query File Pipe Info"},
8925 { 1024, "Query File Pipe Local Info"},
8926 { 1025, "Query File Pipe Remote Info"},
8927 { 1026, "Query File Mailslot Query Info"},
8928 { 1027, "Query File Mailslot Set Info"},
8929 { 1028, "Query File Compression Info"},
8930 { 1029, "Query File ObjectID Info"},
8931 { 1030, "Query File Completion Info"},
8932 { 1031, "Query File Move Cluster Info"},
8933 { 1032, "Query File Quota Info"},
8934 { 1033, "Query File Reparsepoint Info"},
8935 { 1034, "Query File Network Open Info"},
8936 { 1035, "Query File Attribute Tag Info"},
8937 { 1036, "Query File Tracking Info"},
8938 { 1037, "Query File Maximum Info"},
8943 TRANS2_SET_PATH_INFORMATION
8944 TRANS2_SET_FILE_INFORMATION
8945 (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
8946 but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
8947 well; note that they're different from the QUERY_PATH_INFORMATION
8948 and QUERY_FILE_INFORMATION values!)
// Names for the information levels of the set path/file information
// subcommands.  The codes overlap numerically with the query levels but
// carry different meanings (for example 0x0102 is Set File Disposition
// Info here), so the query table must not be used to label set requests.
8950 static const value_string spi_loi_vals[] = {
8951 { 1, "Info Standard"},
8952 { 2, "Info Query EA Size"},
8953 { 4, "Info Query All EAs"},
8954 { 0x0101, "Set File Basic Info"},
8955 { 0x0102, "Set File Disposition Info"},
8956 { 0x0103, "Set File Allocation Info"},
8957 { 0x0104, "Set File End Of File Info"},
8958 { 0x0200, "Set File Unix Basic"},
8959 { 0x0201, "Set File Unix Link"},
8960 { 0x0202, "Set File Unix HardLink"},
8961 { 1004, "Set File Basic Info"},
8962 { 1010, "Set Rename Information"},
8963 { 1013, "Set Disposition Information"},
8964 { 1014, "Set Position Information"},
8965 { 1016, "Set Mode Information"},
8966 { 1019, "Set Allocation Information"},
8967 { 1020, "Set EOF Information"},
8968 { 1023, "Set File Pipe Information"},
8969 { 1025, "Set File Pipe Remote Information"},
8970 { 1029, "Set Copy On Write Information"},
8971 { 1032, "Set OLE Class ID Information"},
8972 { 1039, "Set Inherit Context Index Information"},
8973 { 1040, "Set OLE Information (?)"},
// Names for the file system information levels (presumably those of
// QUERY_FS_INFO, going by the table name -- TODO confirm).  Several levels
// appear under both a 0x01xx code and a decimal 100x code.
8977 static const value_string qfsi_vals[] = {
8978 { 1, "Info Allocation"},
8979 { 2, "Info Volume"},
8980 { 0x0101, "Query FS Label Info"},
8981 { 0x0102, "Query FS Volume Info"},
8982 { 0x0103, "Query FS Size Info"},
8983 { 0x0104, "Query FS Device Info"},
8984 { 0x0105, "Query FS Attribute Info"},
8985 { 0x0200, "Unix Query FS Info"},
8986 { 0x0301, "Mac Query FS Info"},
8987 { 1001, "Query FS Label Info"},
8988 { 1002, "Query FS Volume Info"},
8989 { 1003, "Query FS Size Info"},
8990 { 1004, "Query FS Device Info"},
8991 { 1005, "Query FS Attribute Info"},
8992 { 1006, "Query FS Quota Info"},
8993 { 1007, "Query Full FS Size Info"},
8994 { 1008, "Object ID Information"},
// Names for the NT rename information levels.
8998 static const value_string nt_rename_vals[] = {
8999 { 0x0103, "Create Hard Link"},
// Names for the delete-pending indicator.
9004 static const value_string delete_pending_vals[] = {
9005 {0, "Normal, no pending delete"},
9006 {1, "This object has DELETE PENDING"},
// Names for alignment requirements.  The keys are alignment masks, one
// less than the boundary in bytes (7 for 8 bytes, 0x1ff for 512 bytes).
9010 static const value_string alignment_vals[] = {
9011 {0, "Byte alignment"},
9012 {1, "Word (16bit) alignment"},
9013 {3, "Long (32bit) alignment"},
9014 {7, "8 byte boundary alignment"},
9015 {0x0f, "16 byte boundary alignment"},
9016 {0x1f, "32 byte boundary alignment"},
9017 {0x3f, "64 byte boundary alignment"},
9018 {0x7f, "128 byte boundary alignment"},
9019 {0xff, "256 byte boundary alignment"},
9020 {0x1ff, "512 byte boundary alignment"},
// true_false_string pairs: the first string describes the flag when its
// bit is set, the second when it is clear.
9024 static const true_false_string tfs_marked_for_deletion = {
9025 "File is MARKED FOR DELETION",
9026 "File is NOT marked for deletion"
// Strings for the DFS referral flags.
9029 static const true_false_string tfs_get_dfs_server_hold_storage = {
9030 "Referral SERVER HOLDS STORAGE for the file",
9031 "Referral server does NOT hold storage for the file"
9033 static const true_false_string tfs_get_dfs_fielding = {
9034 "The server in referral is FIELDING CAPABLE",
9035 "The server in referrals is NOT fielding capable"
9038 static const true_false_string tfs_dfs_referral_flags_strip = {
9039 "STRIP off pathconsumed characters before submitting",
9040 "Do NOT strip off any characters"
// Names for the server type carried in a DFS referral.
9043 static const value_string dfs_referral_server_type_vals[] = {
9046 {2, "Netware Server"},
9047 {3, "Domain Server"},
// Strings for the device characteristics bits.
9052 static const true_false_string tfs_device_char_removable = {
9053 "This is a REMOVABLE device",
9054 "This is NOT a removable device"
9056 static const true_false_string tfs_device_char_read_only = {
9057 "This is a READ-ONLY device",
9058 "This is NOT a read-only device"
9060 static const true_false_string tfs_device_char_floppy = {
9061 "This is a FLOPPY DISK device",
9062 "This is NOT a floppy disk device"
9064 static const true_false_string tfs_device_char_write_once = {
9065 "This is a WRITE-ONCE device",
9066 "This is NOT a write-once device"
9068 static const true_false_string tfs_device_char_remote = {
9069 "This is a REMOTE device",
9070 "This is NOT a remote device"
9072 static const true_false_string tfs_device_char_mounted = {
9073 "This device is MOUNTED",
9074 "This device is NOT mounted"
9076 static const true_false_string tfs_device_char_virtual = {
9077 "This is a VIRTUAL device",
9078 "This is NOT a virtual device"
// Strings for the file system attribute bits.
9082 static const true_false_string tfs_fs_attr_css = {
9083 "This FS supports CASE SENSITIVE SEARCHes",
9084 "This FS does NOT support case sensitive searches"
9086 static const true_false_string tfs_fs_attr_cpn = {
9087 "This FS supports CASE PRESERVED NAMES",
9088 "This FS does NOT support case preserved names"
9090 static const true_false_string tfs_fs_attr_uod = {
9091 "This FS supports UNICODE NAMES",
9092 "This FS does NOT support unicode names"
9094 static const true_false_string tfs_fs_attr_pacls = {
9095 "This FS supports PERSISTENT ACLs",
9096 "This FS does NOT support persistent acls"
9098 static const true_false_string tfs_fs_attr_fc = {
9099 "This FS supports COMPRESSED FILES",
9100 "This FS does NOT support compressed files"
9102 static const true_false_string tfs_fs_attr_vq = {
9103 "This FS supports VOLUME QUOTAS",
9104 "This FS does NOT support volume quotas"
9106 static const true_false_string tfs_fs_attr_srp = {
9107 "This FS supports REPARSE POINTS",
9108 "This FS does NOT support reparse points"
9110 static const true_false_string tfs_fs_attr_srs = {
9111 "This FS supports REMOTE STORAGE",
9112 "This FS does NOT support remote storage"
9114 static const true_false_string tfs_fs_attr_ssf = {
9115 "This FS supports SPARSE FILES",
9116 "This FS does NOT support sparse files"
9118 static const true_false_string tfs_fs_attr_sla = {
9119 "This FS supports LFN APIs",
9120 "This FS does NOT support lfn apis"
9122 static const true_false_string tfs_fs_attr_vic = {
9123 "This FS VOLUME IS COMPRESSED",
9124 "This FS volume is NOT compressed"
9126 static const true_false_string tfs_fs_attr_soids = {
9127 "This FS supports OIDs",
9128 "This FS does NOT support OIDs"
9130 static const true_false_string tfs_fs_attr_se = {
9131 "This FS supports ENCRYPTION",
9132 "This FS does NOT support encryption"
9134 static const true_false_string tfs_fs_attr_ns = {
9135 "This FS supports NAMED STREAMS",
9136 "This FS does NOT support named streams"
9138 static const true_false_string tfs_fs_attr_rov = {
9139 "This is a READ ONLY VOLUME",
9140 "This is a read/write volume"
// Bit in the 16-bit find flags that requests resume keys; tested by
// dissect_ff2_flags() and remembered in the per-request state.
9143 #define FF2_RESUME 0x0004
// Dissects the 16-bit find flags word into a subtree
// (ett_smb_find_first2_flags) with one boolean per flag: backup intent,
// continue, resume keys, close at end of search and close after request.
//
// On the first pass over a frame (pinfo->fd->flags.visited not set) the
// FF2_RESUME bit is also stored in t2i->resume_keys, the per-request
// state reached through si->sip->extra_info.
//
// NOTE(review): t2i is taken from si->sip->extra_info and written through
// two lines later.  A check that t2i itself is non-NULL is not visible in
// this listing -- confirm it exists between those lines.
9146 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9149 proto_item *item = NULL;
9150 proto_tree *tree = NULL;
9152 smb_transact2_info_t *t2i;
9154 mask = tvb_get_letohs(tvb, offset);
9156 si = (smb_info_t *)pinfo->private_data;
9157 if (si->sip != NULL) {
9158 t2i = si->sip->extra_info;
9160 if (!pinfo->fd->flags.visited)
9161 t2i->resume_keys = (mask & FF2_RESUME);
9166 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9167 "Flags: 0x%04x", mask);
9168 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
9171 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
9172 tvb, offset, 2, mask);
9173 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
9174 tvb, offset, 2, mask);
9175 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
9176 tvb, offset, 2, mask);
9177 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
9178 tvb, offset, 2, mask);
9179 proto_tree_add_boolean(tree, hf_smb_ff2_close,
9180 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte SET_FILE_INFORMATION I/O flag word at `offset` and
 * return the offset just past it.
 *
 * NOTE(review): the return type, braces, the `mask` declaration and the
 * final offset update/return are missing from the listing and are restored
 * here.
 */
static int
dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	guint16 mask = tvb_get_letohs(tvb, offset);

	if (parent_tree != NULL) {
		item = proto_tree_add_text(parent_tree, tvb, offset, 2,
			"IO Flag: 0x%04x", mask);
		tree = proto_item_add_subtree(item, ett_smb_ioflag);
	}

	proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
		tvb, offset, 2, mask);
	proto_tree_add_boolean(tree, hf_smb_sfi_caching,
		tvb, offset, 2, mask);

	return offset + 2;
}
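/*
 * Dissect the parameter block of a TRANSACTION2 request.
 *
 * tvb, pinfo   - packet buffer and per-packet state
 * parent_tree  - tree to hang the "Parameters" subtree on (may be NULL)
 * offset       - start of the parameter block
 * subcmd       - TRANS2 subcommand code selecting the layout
 * bc           - number of parameter bytes available
 *
 * Returns the offset after the bytes that were consumed.  Bytes that no
 * case consumed are added as hf_smb_unknown.
 *
 * The CHECK_*_TRANS and COUNT_BYTES_TRANS macros are defined elsewhere in
 * this file; presumably they return early when fewer than the requested
 * bytes remain and advance offset/bc respectively - confirm.
 *
 * Security: every field here comes from captured traffic.  The
 * per-transaction state pointer t2i is only set when si->sip is non-NULL
 * (and extra_info itself may be NULL), so each write through it is now
 * guarded; the visible original dereferenced it unconditionally.
 *
 * NOTE(review): the listing dropped brace-only lines, declarations,
 * "bc -= N;" lines, "break;" lines and some trailing call arguments.
 * They are restored here; values that could not be seen are flagged
 * individually.
 */
static int
dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
    proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	smb_info_t *si;
	smb_transact2_info_t *t2i;
	int fn_len;
	const char *fn;

	si = (smb_info_t *)pinfo->private_data;
	if (si->sip != NULL)
		t2i = si->sip->extra_info;
	else
		t2i = NULL;

	if(parent_tree){
		/* NOTE(review): format string not visible in the listing - confirm */
		item = proto_tree_add_text(parent_tree, tvb, offset, bc,
				"%s Parameters",
				val_to_str(subcmd, trans2_cmd_vals,
					   "Unknown (0x%02x)"));
		tree = proto_item_add_subtree(item, ett_smb_transaction_params);
	}

	switch(subcmd){
	case 0x00:	/*TRANS2_OPEN2*/
		/* open flags */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_open_flags(tvb, tree, offset, 0x000f);
		bc -= 2;

		/* desired access */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_access(tvb, tree, offset, "Desired");
		bc -= 2;

		/* Search Attributes */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_search_attributes(tvb, tree, offset);
		bc -= 2;

		/* File Attributes */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_file_attributes(tvb, tree, offset, 2);
		bc -= 2;

		/* create time */
		/* NOTE(review): first and last arguments are not visible in
		   the listing; hf_smb_create_time and TRUE assumed - confirm */
		CHECK_BYTE_COUNT_TRANS(4);
		offset = dissect_smb_datetime(tvb, tree, offset,
			hf_smb_create_time,
			hf_smb_create_dos_date, hf_smb_create_dos_time,
			TRUE);
		bc -= 4;

		/* open function */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_open_function(tvb, tree, offset);
		bc -= 2;

		/* allocation size */
		CHECK_BYTE_COUNT_TRANS(4);
		proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS(4);

		/* 10 reserved bytes */
		CHECK_BYTE_COUNT_TRANS(10);
		proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
		COUNT_BYTES_TRANS(10);

		/* File Name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
			    format_text(fn, strlen(fn)));
		}
		break;
	case 0x01:	/*TRANS2_FIND_FIRST2*/
		/* Search Attributes */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_search_attributes(tvb, tree, offset);
		bc -= 2;

		/* Search Count */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);

		/* Find First2 flags */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
		bc -= 2;

		/* Find First2 information level */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		/* storage type */
		CHECK_BYTE_COUNT_TRANS(4);
		proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS(4);

		/* search pattern */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
			    format_text(fn, strlen(fn)));
		}

		break;
	case 0x02:	/*TRANS2_FIND_NEXT2*/
		/* sid */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);

		/* search count */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);

		/* Find First2 information level */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		/* resume key */
		CHECK_BYTE_COUNT_TRANS(4);
		proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS(4);

		/* Find First2 flags */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
		bc -= 2;

		/* file name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
			    format_text(fn, strlen(fn)));
		}

		break;
	case 0x03:	/*TRANS2_QUERY_FS_INFORMATION*/
		/* level of interest */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		if (check_col(pinfo->cinfo, COL_INFO))
			col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
					val_to_str(si->info_level, qfsi_vals,
						   "Unknown (0x%02x)"));

		break;
	case 0x05:	/*TRANS2_QUERY_PATH_INFORMATION*/
		/* level of interest */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			/* NOTE(review): fallback format string not visible in
			   the listing; "Unknown (%u)" assumed - confirm */
			col_append_fstr(
				pinfo->cinfo, COL_INFO, ", %s",
				val_to_str(si->info_level, qpi_loi_vals,
					   "Unknown (%u)"));
		}

		/* 4 reserved bytes */
		CHECK_BYTE_COUNT_TRANS(4);
		proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS(4);

		/* file name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
			    format_text(fn, strlen(fn)));
		}

		break;
	case 0x06:	/*TRANS2_SET_PATH_INFORMATION*/
		/* level of interest */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		/* 4 reserved bytes */
		CHECK_BYTE_COUNT_TRANS(4);
		proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS(4);

		/* file name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
			    format_text(fn, strlen(fn)));
		}

		break;
	case 0x07: {	/*TRANS2_QUERY_FILE_INFORMATION*/
		guint16 fid;

		/* fid */
		CHECK_BYTE_COUNT_TRANS(2);
		fid = tvb_get_letohs(tvb, offset);
		add_fid(tvb, pinfo, tree, offset, 2, fid);
		COUNT_BYTES_TRANS(2);

		/* level of interest */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			/* NOTE(review): fallback format string not visible in
			   the listing; "Unknown (%u)" assumed - confirm */
			col_append_fstr(
				pinfo->cinfo, COL_INFO, ", %s",
				val_to_str(si->info_level, qpi_loi_vals,
					   "Unknown (%u)"));
		}

		break;
	}
	case 0x08: {	/*TRANS2_SET_FILE_INFORMATION*/
		guint16 fid;

		/* fid */
		CHECK_BYTE_COUNT_TRANS(2);
		fid = tvb_get_letohs(tvb, offset);
		add_fid(tvb, pinfo, tree, offset, 2, fid);
		COUNT_BYTES_TRANS(2);

		/* level of interest */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		/* NOTE(review): the listing shows both the I/O-flag dissection
		   and the "2 reserved bytes" item for the same field; the
		   #if 0 / #else / #endif lines selecting the reserved form are
		   not visible and are restored here - confirm. */
#if 0
		/*
		 * XXX - "Microsoft Networks SMB File Sharing Protocol
		 * Extensions Version 3.0, Document Version 1.11,
		 * July 19, 1990" says this is I/O flags, but it's
		 * reserved in the SNIA spec, and some clients appear
		 * to leave junk in it.
		 *
		 * Is this some field used only if a particular
		 * dialect was negotiated, so that clients can feel
		 * safe not setting it if they haven't negotiated that
		 * dialect?  Or do the (non-OS/2) clients simply not care
		 * about that particular OS/2-oriented dialect?
		 */

		/* IO Flag */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_sfi_ioflag(tvb, tree, offset);
		bc -= 2;
#else
		/* 2 reserved bytes */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);
#endif

		break;
	}
	case 0x09:	/*TRANS2_FSCTL*/
		/* this call has no parameter block in the request */

		/*
		 * XXX - "Microsoft Networks SMB File Sharing Protocol
		 * Extensions Version 3.0, Document Version 1.11,
		 * July 19, 1990" says this this contains a
		 * "File system specific parameter block".  (That means
		 * we may not be able to dissect it in any case.)
		 */
		break;
	case 0x0a:	/*TRANS2_IOCTL2*/
		/* this call has no parameter block in the request */

		/*
		 * XXX - "Microsoft Networks SMB File Sharing Protocol
		 * Extensions Version 3.0, Document Version 1.11,
		 * July 19, 1990" says this this contains a
		 * "Device/function specific parameter block".  (That
		 * means we may not be able to dissect it in any case.)
		 */
		break;
	case 0x0b: {	/*TRANS2_FIND_NOTIFY_FIRST*/
		/* Search Attributes */
		CHECK_BYTE_COUNT_TRANS(2);
		offset = dissect_search_attributes(tvb, tree, offset);
		bc -= 2;

		/* Number of changes to wait for */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);

		/* Find Notify information level */
		CHECK_BYTE_COUNT_TRANS(2);
		si->info_level = tvb_get_letohs(tvb, offset);
		if (t2i != NULL && !pinfo->fd->flags.visited)
			t2i->info_level = si->info_level;
		proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
		COUNT_BYTES_TRANS(2);

		/* 4 reserved bytes */
		CHECK_BYTE_COUNT_TRANS(4);
		proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS(4);

		/* file name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
			    format_text(fn, strlen(fn)));
		}

		break;
	}
	case 0x0c: {	/*TRANS2_FIND_NOTIFY_NEXT*/
		/* Monitor handle */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);

		/* Number of changes to wait for */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);

		break;
	}
	case 0x0d:	/*TRANS2_CREATE_DIRECTORY*/
		/* 4 reserved bytes */
		CHECK_BYTE_COUNT_TRANS(4);
		proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS(4);

		/* dir name */
		/* NOTE(review): trailing arguments are not visible in the
		   listing; same values as the other cases assumed - confirm */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
			FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
			    format_text(fn, strlen(fn)));
		}
		break;
	case 0x0e:	/*TRANS2_SESSION_SETUP*/
		/* XXX unknown structure*/
		break;
	case 0x10:	/*TRANS2_GET_DFS_REFERRAL*/
		/* referral level */
		CHECK_BYTE_COUNT_TRANS(2);
		proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
		COUNT_BYTES_TRANS(2);

		/* file name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
			    format_text(fn, strlen(fn)));
		}

		break;
	case 0x11:	/*TRANS2_REPORT_DFS_INCONSISTENCY*/
		/* file name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
		CHECK_STRING_TRANS(fn);
		proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS(fn_len);

		if (check_col(pinfo->cinfo, COL_INFO)) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
			    format_text(fn, strlen(fn)));
		}

		break;
	}

	/* ooops there were data we didnt know how to process */
	if (bc != 0) {
		proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, TRUE);
		offset += bc;
	}

	return offset;
}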
/*
 * XXX - just use "dissect_connect_flags()" here?
 *
 * Dissect the 2-byte transaction flags word at `offset`.
 *
 * NOTE(review): the return type and the return statement are missing from
 * the listing.  The line numbering leaves room for a single statement after
 * the boolean items, so "static guint16 ... return mask;" is assumed here -
 * confirm against the callers before relying on it.
 */
static guint16
dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	guint16 mask = tvb_get_letohs(tvb, offset);

	if (parent_tree != NULL) {
		item = proto_tree_add_text(parent_tree, tvb, offset, 2,
			"Flags: 0x%04x", mask);
		tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
	}

	proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
		tvb, offset, 2, mask);
	proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
		tvb, offset, 2, mask);

	return mask;
}
/*
 * Dissect the 2-byte GET_DFS_REFERRAL response flags at `offset` and return
 * the offset just past them (the caller assigns the result back to its
 * offset).
 *
 * NOTE(review): return type, braces, the `mask` declaration and the final
 * offset update/return are missing from the listing and are restored here.
 */
static int
dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	guint16 mask = tvb_get_letohs(tvb, offset);

	if (parent_tree != NULL) {
		item = proto_tree_add_text(parent_tree, tvb, offset, 2,
			"Flags: 0x%04x", mask);
		tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
	}

	proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
		tvb, offset, 2, mask);
	proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
		tvb, offset, 2, mask);

	return offset + 2;
}
/*
 * Dissect the 2-byte flags word of a single DFS referral at `offset` and
 * return the offset just past it.
 *
 * NOTE(review): return type, braces, the `mask` declaration and the final
 * offset update/return are missing from the listing and are restored here.
 */
static int
dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	guint16 mask = tvb_get_letohs(tvb, offset);

	if (parent_tree != NULL) {
		item = proto_tree_add_text(parent_tree, tvb, offset, 2,
			"Flags: 0x%04x", mask);
		tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
	}

	proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
		tvb, offset, 2, mask);

	return offset + 2;
}
/* dfs inconsistency data  (4.4.2)
 *
 * Dissects referral version, size, server type, flags and node name, with
 * *bcp tracking the bytes that remain.  Returns the offset reached.
 *
 * The *_TRANS_SUBR macros are defined elsewhere in this file; presumably
 * they return early when *bcp is too small and advance offset/*bcp -
 * confirm.
 *
 * NOTE(review): return type, braces, the fn/fn_len declarations, the
 * "*bcp -= 2;" after the flags helper and the final return are missing
 * from the listing and are restored here.
 */
static int
dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
    proto_tree *tree, int offset, guint16 *bcp)
{
	smb_info_t *si = pinfo->private_data;
	const char *fn;
	int fn_len;

	/*XXX shouldn this data hold version and size? unclear from doc*/
	/* referral version */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
	COUNT_BYTES_TRANS_SUBR(2);

	/* referral size */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
	COUNT_BYTES_TRANS_SUBR(2);

	/* referral server type */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
	COUNT_BYTES_TRANS_SUBR(2);

	/* referral flags; the helper already advances offset */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	offset = dissect_dfs_referral_flags(tvb, tree, offset);
	*bcp -= 2;

	/* node name */
	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
	CHECK_STRING_TRANS_SUBR(fn);
	proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
		fn);
	COUNT_BYTES_TRANS_SUBR(fn_len);

	return offset;
}
/* get dfs referral data  (4.4.1)
 *
 * Dissects the GET_DFS_REFERRAL response: a small header (path consumed,
 * referral count, flags, padding) followed by `numref` referral entries.
 * Version 2/3 entries carry 16-bit offsets, relative to the start of the
 * entry, to strings stored after the entry table.
 *
 * All counts, sizes and offsets are read from the capture.  A string
 * offset is only followed when it points forward of the current position
 * and inside the remaining byte count; a referral size that ends before
 * the current position is clamped to zero.
 *
 * The *_TRANS_SUBR macros are defined elsewhere in this file; presumably
 * they return early when *bcp is too small and advance offset/*bcp -
 * confirm.
 *
 * NOTE(review): return type, braces, most local declarations, the
 * "if(numref)"/"while(numref--)"/"switch(version)" lines, the save/restore
 * of *bcp around each string and the final return are missing from the
 * listing and are restored here.
 */
static int
dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
    proto_tree *tree, int offset, guint16 *bcp)
{
	smb_info_t *si = pinfo->private_data;
	guint16 numref;
	guint16 refsize;
	guint16 pathoffset;
	guint16 altpathoffset;
	guint16 nodeoffset;
	int fn_len;
	int stroffset;
	int offsetoffset;
	guint16 save_bc;
	const char *fn;
	int unklen;
	int ucstring_end;
	int ucstring_len;

	/* path consumed */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
	COUNT_BYTES_TRANS_SUBR(2);

	/* num referrals */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	numref = tvb_get_letohs(tvb, offset);
	proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
	COUNT_BYTES_TRANS_SUBR(2);

	/* get dfs flags */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	offset = dissect_get_dfs_flags(tvb, tree, offset);
	*bcp -= 2;

	/* XXX - in at least one capture there appears to be 2 bytes
	   of stuff after the Dfs flags, perhaps so that the header
	   in front of the referral list is a multiple of 4 bytes long. */
	CHECK_BYTE_COUNT_TRANS_SUBR(2);
	proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
	COUNT_BYTES_TRANS_SUBR(2);

	/* if there are any referrals */
	if (numref != 0) {
		proto_item *ref_item = NULL;
		proto_tree *ref_tree = NULL;
		int list_start = offset;

		if (tree != NULL) {
			ref_item = proto_tree_add_text(tree,
				tvb, offset, *bcp, "Referrals");
			ref_tree = proto_item_add_subtree(ref_item,
				ett_smb_dfs_referrals);
		}
		ucstring_end = -1;

		while (numref--) {
			proto_item *ri = NULL;
			proto_tree *rt = NULL;
			int entry_start = offset;
			guint16 version;

			if (tree != NULL) {
				ri = proto_tree_add_text(ref_tree,
						tvb, offset, *bcp, "Referral");
				rt = proto_item_add_subtree(ri,
						ett_smb_dfs_referral);
			}

			/* referral version */
			CHECK_BYTE_COUNT_TRANS_SUBR(2);
			version = tvb_get_letohs(tvb, offset);
			proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
				tvb, offset, 2, version);
			COUNT_BYTES_TRANS_SUBR(2);

			/* referral size */
			CHECK_BYTE_COUNT_TRANS_SUBR(2);
			refsize = tvb_get_letohs(tvb, offset);
			proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
			COUNT_BYTES_TRANS_SUBR(2);

			/* referral server type */
			CHECK_BYTE_COUNT_TRANS_SUBR(2);
			proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
			COUNT_BYTES_TRANS_SUBR(2);

			/* referral flags */
			CHECK_BYTE_COUNT_TRANS_SUBR(2);
			offset = dissect_dfs_referral_flags(tvb, rt, offset);
			*bcp -= 2;

			switch (version) {

			case 1:
				/* node name */
				fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
				CHECK_STRING_TRANS_SUBR(fn);
				proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
					fn);
				COUNT_BYTES_TRANS_SUBR(fn_len);
				break;

			case 2:
			case 3:	/* XXX - like version 2, but not identical;
				   seen in a capture, but the format isn't
				   documented */
				/* proximity */
				CHECK_BYTE_COUNT_TRANS_SUBR(2);
				proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
				COUNT_BYTES_TRANS_SUBR(2);

				/* ttl */
				CHECK_BYTE_COUNT_TRANS_SUBR(2);
				proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
				COUNT_BYTES_TRANS_SUBR(2);

				/* path offset */
				CHECK_BYTE_COUNT_TRANS_SUBR(2);
				pathoffset = tvb_get_letohs(tvb, offset);
				proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
				COUNT_BYTES_TRANS_SUBR(2);

				/* alt path offset */
				CHECK_BYTE_COUNT_TRANS_SUBR(2);
				altpathoffset = tvb_get_letohs(tvb, offset);
				proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
				COUNT_BYTES_TRANS_SUBR(2);

				/* node offset */
				CHECK_BYTE_COUNT_TRANS_SUBR(2);
				nodeoffset = tvb_get_letohs(tvb, offset);
				proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
				COUNT_BYTES_TRANS_SUBR(2);

				/* path: follow the offset only if it lands
				   ahead of us and inside the remaining bytes */
				if (pathoffset != 0) {
					stroffset = entry_start + pathoffset;
					offsetoffset = stroffset - offset;
					if (offsetoffset > 0 &&
					    *bcp > offsetoffset) {
						save_bc = *bcp;
						*bcp -= offsetoffset;
						fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
						CHECK_STRING_TRANS_SUBR(fn);
						proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
							fn);
						stroffset += fn_len;
						if (ucstring_end < stroffset)
							ucstring_end = stroffset;
						*bcp = save_bc;
					}
				}

				/* alt path */
				if (altpathoffset != 0) {
					stroffset = entry_start + altpathoffset;
					offsetoffset = stroffset - offset;
					if (offsetoffset > 0 &&
					    *bcp > offsetoffset) {
						save_bc = *bcp;
						*bcp -= offsetoffset;
						fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
						CHECK_STRING_TRANS_SUBR(fn);
						proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
							fn);
						stroffset += fn_len;
						if (ucstring_end < stroffset)
							ucstring_end = stroffset;
						*bcp = save_bc;
					}
				}

				/* node */
				if (nodeoffset != 0) {
					stroffset = entry_start + nodeoffset;
					offsetoffset = stroffset - offset;
					if (offsetoffset > 0 &&
					    *bcp > offsetoffset) {
						save_bc = *bcp;
						*bcp -= offsetoffset;
						fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
						CHECK_STRING_TRANS_SUBR(fn);
						proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
							fn);
						stroffset += fn_len;
						if (ucstring_end < stroffset)
							ucstring_end = stroffset;
						*bcp = save_bc;
					}
				}
				break;
			}

			/*
			 * Show anything beyond the length of the referral
			 * as unknown data.
			 */
			unklen = (entry_start + refsize) - offset;
			if (unklen < 0) {
				/*
				 * XXX - the length is bogus.
				 */
				unklen = 0;
			}
			if (unklen != 0) {
				CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
				proto_tree_add_item(rt, hf_smb_unknown, tvb,
				    offset, unklen, TRUE);
				COUNT_BYTES_TRANS_SUBR(unklen);
			}

			proto_item_set_len(ri, offset-entry_start);
		}

		/*
		 * Treat the offset past the end of the last Unicode
		 * string after the referrals (if any) as the last
		 * offset.
		 */
		if (ucstring_end > offset) {
			ucstring_len = ucstring_end - offset;
			if (*bcp < ucstring_len)
				ucstring_len = *bcp;
			offset += ucstring_len;
			*bcp -= ucstring_len;
		}
		proto_item_set_len(ref_item, offset-list_start);
	}

	return offset;
}
/* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
   as described in 4.2.16.1

   Fields, in order: create/access/last-write DOS date-time pairs, data
   size, allocation size, file attributes, EA list length.  *bcp tracks the
   remaining bytes; *trunc is cleared only when every field was present.

   The *_SUBR macros are defined elsewhere in this file; presumably they set
   *trunc and return early when *bcp is too small - confirm.

   NOTE(review): return type, braces, the "*bcp -= N;" lines after helpers
   that advance offset themselves, the final argument of each
   dissect_smb_datetime() call (FALSE assumed) and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	/* create time */
	CHECK_BYTE_COUNT_SUBR(4);
	offset = dissect_smb_datetime(tvb, tree, offset,
		hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
		FALSE);
	*bcp -= 4;

	/* access time */
	CHECK_BYTE_COUNT_SUBR(4);
	offset = dissect_smb_datetime(tvb, tree, offset,
		hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
		FALSE);
	*bcp -= 4;

	/* last write time */
	CHECK_BYTE_COUNT_SUBR(4);
	offset = dissect_smb_datetime(tvb, tree, offset,
		hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
		FALSE);
	*bcp -= 4;

	/* data size */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	/* allocation size */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	/* File Attributes */
	CHECK_BYTE_COUNT_SUBR(2);
	offset = dissect_file_attributes(tvb, tree, offset, 2);
	*bcp -= 2;

	/* ea length */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	*trunc = FALSE;
	return offset;
}
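/* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
   as described in 4.2.16.2

   Layout: a 4-byte EA list length followed by extended-attribute records
   (flags, 1-byte name length, 2-byte data length, name plus one trailing
   byte, data).  *bcp tracks the remaining bytes.

   Every length here is taken from the capture.  The original read the name
   length, the data length and the name string from the buffer before
   checking that *bcp still covered them, so a short data block let the
   dissector interpret bytes that belong to whatever follows it.  Each
   CHECK_BYTE_COUNT_SUBR now precedes the read it protects.

   The *_SUBR macros are defined elsewhere in this file; presumably they set
   *trunc and return early when *bcp is too small - confirm.

   NOTE(review): return type, braces, the name_len/data_len/item/name
   declarations, the loop header, the g_free() of the name copy, the last
   argument of the hf_smb_ea_name item and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	guint8 name_len;
	guint16 data_len;

	/* EA size */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	while (*bcp > 0) {
		proto_item *item;
		proto_tree *subtree;
		int start_offset = offset;
		guint8 *name;

		item = proto_tree_add_text(
			tree, tvb, offset, 0, "Extended Attribute");
		subtree = proto_item_add_subtree(item, ett_smb_ea);

		/* EA flags */
		CHECK_BYTE_COUNT_SUBR(1);
		proto_tree_add_item(
			subtree, hf_smb_ea_flags, tvb, offset, 1, TRUE);
		COUNT_BYTES_SUBR(1);

		/* EA name length: check first, then read */
		CHECK_BYTE_COUNT_SUBR(1);
		name_len = tvb_get_guint8(tvb, offset);
		proto_tree_add_item(
			subtree, hf_smb_ea_name_length, tvb, offset, 1, TRUE);
		COUNT_BYTES_SUBR(1);

		/* EA data length: check first, then read */
		CHECK_BYTE_COUNT_SUBR(2);
		data_len = tvb_get_letohs(tvb, offset);
		proto_tree_add_item(
			subtree, hf_smb_ea_data_length, tvb, offset, 2, TRUE);
		COUNT_BYTES_SUBR(2);

		/* EA name: only copy it once the byte count covers it */
		CHECK_BYTE_COUNT_SUBR(name_len + 1);
		name = tvb_get_string(tvb, offset, name_len);
		proto_item_append_text(item, ": %s", format_text(name, strlen(name)));
		g_free(name);
		proto_tree_add_item(
			subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
			TRUE);
		COUNT_BYTES_SUBR(name_len + 1);

		/* EA data */
		CHECK_BYTE_COUNT_SUBR(data_len);
		proto_tree_add_item(
			subtree, hf_smb_ea_data, tvb, offset, data_len, TRUE);
		COUNT_BYTES_SUBR(data_len);

		proto_item_set_len(item, offset - start_offset);
	}

	*trunc = FALSE;
	return offset;
}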
/* this dissects the SMB_INFO_IS_NAME_VALID
   as described in 4.2.16.3

   The block holds a single file name (Unicode or ASCII per si->unicode).

   NOTE(review): return type, braces, the fn/fn_len declarations, the last
   argument of proto_tree_add_string() and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	smb_info_t *si = pinfo->private_data;
	const char *fn;
	int fn_len;

	/* file name */
	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
	CHECK_STRING_SUBR(fn);
	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
		fn);
	COUNT_BYTES_SUBR(fn_len);

	*trunc = FALSE;
	return offset;
}
/* this dissects the SMB_QUERY_FILE_BASIC_INFO
   as described in 4.2.16.4

   Four 8-byte NT timestamps (create, access, last write, last change)
   followed by 4 bytes of file attributes.  The helpers return the advanced
   offset, so only *bcp is adjusted by hand after each call.

   NOTE(review): return type, braces, the "*bcp -= N;" lines and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	/* create time */
	CHECK_BYTE_COUNT_SUBR(8);
	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
	*bcp -= 8;

	/* access time */
	CHECK_BYTE_COUNT_SUBR(8);
	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
	*bcp -= 8;

	/* last write time */
	CHECK_BYTE_COUNT_SUBR(8);
	offset = dissect_nt_64bit_time(tvb, tree, offset,
		hf_smb_last_write_time);
	*bcp -= 8;

	/* last change time */
	CHECK_BYTE_COUNT_SUBR(8);
	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
	*bcp -= 8;

	/* File Attributes */
	CHECK_BYTE_COUNT_SUBR(4);
	offset = dissect_file_attributes(tvb, tree, offset, 4);
	*bcp -= 4;

	*trunc = FALSE;
	return offset;
}
/* this dissects the SMB_QUERY_FILE_STANDARD_INFO
   as described in 4.2.16.5

   Fields: 8-byte allocation size, 8-byte end of file, 4-byte link count,
   1-byte delete-pending flag, 1-byte is-directory flag.

   NOTE(review): return type, braces and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	/* allocation size */
	CHECK_BYTE_COUNT_SUBR(8);
	proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
	COUNT_BYTES_SUBR(8);

	/* end of file */
	CHECK_BYTE_COUNT_SUBR(8);
	proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
	COUNT_BYTES_SUBR(8);

	/* number of links */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	/* delete pending */
	CHECK_BYTE_COUNT_SUBR(1);
	proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
	COUNT_BYTES_SUBR(1);

	/* is directory */
	CHECK_BYTE_COUNT_SUBR(1);
	proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
	COUNT_BYTES_SUBR(1);

	*trunc = FALSE;
	return offset;
}
/* this dissects the SMB_QUERY_FILE_EA_INFO
   as described in 4.2.16.6

   A single 4-byte EA list length.

   NOTE(review): return type, braces and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	/* ea length */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	*trunc = FALSE;
	return offset;
}
/* this dissects the SMB_QUERY_FILE_NAME_INFO
   as described in 4.2.16.7
   this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
   as described in 4.2.16.9

   A 4-byte file name length followed by the name.  The length field is
   only displayed; the string helper works from *bcp.

   NOTE(review): return type, braces, the fn/fn_len declarations, the last
   argument of proto_tree_add_string() and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	smb_info_t *si = pinfo->private_data;
	const char *fn;
	int fn_len;

	/* file name len */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	/* file name */
	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
	CHECK_STRING_SUBR(fn);
	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
		fn);
	COUNT_BYTES_SUBR(fn_len);

	*trunc = FALSE;
	return offset;
}
/* this dissects the SMB_QUERY_FILE_ALL_INFO
   as described in 4.2.16.8

   Chains the basic-info, standard-info and EA-info dissectors with a few
   extra fields in between, stopping as soon as one of them reports
   truncation through *trunc.

   NOTE(review): return type, braces, the "if (*trunc) return offset;"
   checks after the sub-dissectors, the "*bcp -= 4;" after
   dissect_nt_create_options() and the final return are missing from the
   listing and are restored here - confirm.
*/
static int
dissect_4_2_16_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp, trunc);
	if (*trunc)
		return offset;

	offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp, trunc);
	if (*trunc)
		return offset;

	/* index number */
	CHECK_BYTE_COUNT_SUBR(8);
	proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
	COUNT_BYTES_SUBR(8);

	offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
	if (*trunc)
		return offset;

	/* access mask */
	/* NOTE(review): the result of dissect_smb_access_mask() is assigned to
	   offset and COUNT_BYTES_SUBR(4) follows.  If that helper already
	   returns the advanced offset (as the other dissect_* helpers in this
	   file appear to) and the macro also advances offset, the 4 bytes are
	   counted twice and every later field is read from the wrong place -
	   verify, and use "*bcp -= 4;" here if so. */
	CHECK_BYTE_COUNT_SUBR(4);
	offset = dissect_smb_access_mask(tvb, tree, offset);
	COUNT_BYTES_SUBR(4);

	/* index number */
	CHECK_BYTE_COUNT_SUBR(8);
	proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
	COUNT_BYTES_SUBR(8);

	/* current offset */
	CHECK_BYTE_COUNT_SUBR(8);
	proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
	COUNT_BYTES_SUBR(8);

	/* mode */
	CHECK_BYTE_COUNT_SUBR(4);
	offset = dissect_nt_create_options(tvb, tree, offset);
	*bcp -= 4;

	/* alignment */
	CHECK_BYTE_COUNT_SUBR(4);
	proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
	COUNT_BYTES_SUBR(4);

	offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);

	return offset;
}
/* this dissects the SMB_QUERY_FILE_STREAM_INFO
   as described in 4.2.16.10

   A chain of stream records.  Each record starts with a 32-bit "next entry
   offset" (0 terminates the chain), then the stream name length, stream
   size, allocation size and the name itself.

   Both the next-entry offset and the name length come from the capture.
   A next-entry offset that points behind the current position yields a
   negative pad count, which is clamped to zero rather than followed.

   NOTE(review): fn_len is a signed int loaded from a 32-bit wire value and
   handed to get_unicode_or_ascii_string() as an exact length; confirm that
   helper rejects negative or oversized lengths.

   NOTE(review): return type, braces, the local declarations, the loop
   header, the else-branch clearing item/tree, the "if (neo == 0)" test, the
   padcnt clamp and the tail "*trunc = FALSE; return offset;" are missing
   from the listing and are restored here - confirm.
*/
static int
dissect_4_2_16_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	proto_item *item;
	proto_tree *tree;
	int old_offset;
	guint32 neo;
	smb_info_t *si = pinfo->private_data;
	int fn_len;
	const char *fn;
	int padcnt;

	for (;;) {
		old_offset = offset;

		/* next entry offset */
		CHECK_BYTE_COUNT_SUBR(4);
		item = NULL;
		tree = NULL;
		if (parent_tree != NULL) {
			item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
			tree = proto_item_add_subtree(item, ett_smb_ff2_data);
		}

		neo = tvb_get_letohl(tvb, offset);
		proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
		COUNT_BYTES_SUBR(4);

		/* stream name len */
		CHECK_BYTE_COUNT_SUBR(4);
		fn_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
		COUNT_BYTES_SUBR(4);

		/* stream size */
		CHECK_BYTE_COUNT_SUBR(8);
		proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
		COUNT_BYTES_SUBR(8);

		/* allocation size */
		CHECK_BYTE_COUNT_SUBR(8);
		proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
		COUNT_BYTES_SUBR(8);

		/* stream name */
		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
		CHECK_STRING_SUBR(fn);
		proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_SUBR(fn_len);

		proto_item_append_text(item, ": %s", format_text(fn, strlen(fn)));
		proto_item_set_len(item, offset-old_offset);

		if (neo == 0)
			break;	/* no more structures */

		/* skip to next structure */
		padcnt = (old_offset + neo) - offset;
		if (padcnt < 0) {
			/*
			 * XXX - this is bogus; flag it?
			 */
			padcnt = 0;
		}
		if (padcnt != 0) {
			CHECK_BYTE_COUNT_SUBR(padcnt);
			COUNT_BYTES_SUBR(padcnt);
		}
	}

	*trunc = FALSE;
	return offset;
}
/* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
   as described in 4.2.16.11

   Fields: 8-byte compressed file size, 2-byte compression format, three
   1-byte shift values (unit, chunk, cluster) and 3 reserved bytes.

   NOTE(review): return type, braces and the tail
   "*trunc = FALSE; return offset;" are missing from the listing and are
   restored here - confirm.
*/
static int
dissect_4_2_16_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
    int offset, guint16 *bcp, gboolean *trunc)
{
	/* compressed file size */
	CHECK_BYTE_COUNT_SUBR(8);
	proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
	COUNT_BYTES_SUBR(8);

	/* compression format */
	CHECK_BYTE_COUNT_SUBR(2);
	proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
	COUNT_BYTES_SUBR(2);

	/* compression unit shift */
	CHECK_BYTE_COUNT_SUBR(1);
	proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
	COUNT_BYTES_SUBR(1);

	/* compression chunk shift */
	CHECK_BYTE_COUNT_SUBR(1);
	proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
	COUNT_BYTES_SUBR(1);

	/* compression cluster shift */
	CHECK_BYTE_COUNT_SUBR(1);
	proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
	COUNT_BYTES_SUBR(1);

	/* 3 reserved bytes */
	CHECK_BYTE_COUNT_SUBR(3);
	proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
	COUNT_BYTES_SUBR(3);

	*trunc = FALSE;
	return offset;
}
10463 /* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
/*
 * Display names for UNIX file type codes. Only some entries are visible
 * in this listing.
 * NOTE(review): presumably attached to hf_smb_unix_file_type in the field
 * registration (outside this view). The type code is read from the packet,
 * so codes without an entry here must still render safely - confirm the
 * table is properly terminated and unknown codes get a fallback label.
 */
10465 static const value_string unix_file_type_vals[] = {
10467 { 1, "Directory" },
10468 { 2, "Symbolic link" },
10469 { 3, "Character device" },
10470 { 4, "Block device" },
/*
 * Adds the fields of a UNIX basic file info block to `tree`: file size,
 * byte count, three 64-bit timestamps (status change, access,
 * modification), uid, gid, a 4-byte file type, major/minor device
 * numbers, unique id, permissions and link count. All fields are 8 bytes
 * except the file type, 100 bytes in total as shown.
 *
 * tvb, offset - buffer and current position of the block
 * bcp         - in/out count of bytes still available to this block
 * trunc       - out flag; it is not written directly in the lines shown
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR and COUNT_BYTES_SUBR are defined
 * outside this view; presumably a bounds test against *bcp and an
 * offset/*bcp update respectively - confirm.
 */
10477 dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10478 int offset, guint16 *bcp, gboolean *trunc)
10480 /* End of file (file size) */
10481 CHECK_BYTE_COUNT_SUBR(8);
10482 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
10483 COUNT_BYTES_SUBR(8);
10485 /* Number of bytes */
10486 CHECK_BYTE_COUNT_SUBR(8);
10487 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
10488 COUNT_BYTES_SUBR(8);
10490 /* Last status change */
10491 CHECK_BYTE_COUNT_SUBR(8);
10492 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
10493 *bcp -= 8; /* dissect_nt_64bit_time() increments offset */
10495 /* Last access time */
10496 CHECK_BYTE_COUNT_SUBR(8);
10497 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
/* NOTE(review): no *bcp adjustment is visible after this call or the next
   one (some lines are not shown in this listing). Confirm that "*bcp -= 8"
   follows each of them as it does after the first timestamp; otherwise
   *bcp overstates what remains and the later CHECK_BYTE_COUNT_SUBR tests
   would pass on a block that is up to 16 bytes too short. */
10500 /* Last modification time */
10501 CHECK_BYTE_COUNT_SUBR(8);
10502 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
10505 /* File owner uid */
10506 CHECK_BYTE_COUNT_SUBR(8);
10507 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
10508 COUNT_BYTES_SUBR(8);
10510 /* File group gid */
10511 CHECK_BYTE_COUNT_SUBR(8);
10512 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
10513 COUNT_BYTES_SUBR(8);
10516 CHECK_BYTE_COUNT_SUBR(4);
10517 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
10518 COUNT_BYTES_SUBR(4);
10520 /* Major device number */
10521 CHECK_BYTE_COUNT_SUBR(8);
10522 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
10523 COUNT_BYTES_SUBR(8);
10525 /* Minor device number */
10526 CHECK_BYTE_COUNT_SUBR(8);
10527 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
10528 COUNT_BYTES_SUBR(8);
10531 CHECK_BYTE_COUNT_SUBR(8);
10532 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
10533 COUNT_BYTES_SUBR(8);
10536 CHECK_BYTE_COUNT_SUBR(8);
10537 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
10538 COUNT_BYTES_SUBR(8);
10541 CHECK_BYTE_COUNT_SUBR(8);
10542 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
10543 COUNT_BYTES_SUBR(8);
10545 /* Sometimes there is one extra byte in the data field which I
10546 guess could be padding, but we are only using 4 or 8 byte
10547 data types so this is a bit confusing. -tpot */
10553 /* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
/*
 * Adds the link destination string of a UNIX link info block to `tree`
 * as hf_smb_unix_file_link_dest.
 *
 * The string is fetched with get_unicode_or_ascii_string(), which picks
 * the encoding from the per-packet si->unicode flag and is handed bcp;
 * CHECK_STRING_SUBR (defined outside this view) is applied to the result
 * before it is used.
 *
 * NOTE(review): fn_len is passed by address, but no assignment to it is
 * visible before the call (its declaration and some other lines are not
 * shown in this listing). dissect_rename_info() calls the same helper with
 * the same flag arguments after presetting fn_len from the packet. Confirm
 * whether the helper reads *fn_len on input here; if it does, the string
 * bounds would depend on an uninitialised value.
 */
10556 dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10557 int offset, guint16 *bcp, gboolean *trunc)
10559 smb_info_t *si = pinfo->private_data;
10563 /* Link destination */
10565 fn = get_unicode_or_ascii_string(
10566 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10568 CHECK_STRING_SUBR(fn);
10569 proto_tree_add_string(
10570 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
10571 COUNT_BYTES_SUBR(fn_len);
10577 /* this dissects the SMB_SET_FILE_DISPOSITION_INFO
10578 as described in 4.2.19.2
/*
 * Adds the single 1-byte "marked for deletion" field of a set-disposition
 * info block to `tree`.
 *
 * bcp is the in/out count of bytes still available to this block.
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined
 * outside this view; presumably a bounds test against *bcp and an
 * offset/*bcp update - confirm.
 */
10581 dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10582 int offset, guint16 *bcp, gboolean *trunc)
10584 /* marked for deletion? */
10585 CHECK_BYTE_COUNT_SUBR(1);
10586 proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, TRUE);
10587 COUNT_BYTES_SUBR(1);
10593 /* this dissects the SMB_SET_FILE_ALLOCATION_INFO
10594 as described in 4.2.19.3
/*
 * Adds the single 8-byte allocation size field of a set-allocation info
 * block to `tree` (hf_smb_alloc_size64).
 *
 * bcp is the in/out count of bytes still available to this block.
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined
 * outside this view; presumably a bounds test against *bcp and an
 * offset/*bcp update - confirm.
 */
10597 dissect_4_2_19_3(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10598 int offset, guint16 *bcp, gboolean *trunc)
10600 /* file allocation size */
10601 CHECK_BYTE_COUNT_SUBR(8);
10602 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10603 COUNT_BYTES_SUBR(8);
10609 /* this dissects the SMB_SET_FILE_END_OF_FILE_INFO
10610 as described in 4.2.19.4
/*
 * Adds the single 8-byte end-of-file offset field of a set-end-of-file
 * info block to `tree` (hf_smb_end_of_file).
 *
 * bcp is the in/out count of bytes still available to this block.
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined
 * outside this view; presumably a bounds test against *bcp and an
 * offset/*bcp update - confirm.
 */
10613 dissect_4_2_19_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10614 int offset, guint16 *bcp, gboolean *trunc)
10616 /* file end of file offset */
10617 CHECK_BYTE_COUNT_SUBR(8);
10618 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10619 COUNT_BYTES_SUBR(8);
10625 /* Set File Rename Info */
/* Labels for the replace flag: first string when set, second when clear.
   NOTE(review): presumably bound to hf_smb_replace in the field
   registration, which is outside this view - confirm. */
10627 static const true_false_string tfs_smb_replace = {
10628 "Remove target file if it exists",
10629 "Do NOT remove target file if it exists",
/*
 * Adds the fields of a set-file-rename info block to `tree`: a 4-byte
 * replace flag, a 4-byte root directory handle, a 4-byte target name
 * length and the target name itself.
 *
 * tvb, offset - buffer and current position of the block
 * bcp         - in/out count of bytes still available to this block
 * trunc       - out flag; it is not written directly in the lines shown
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR, COUNT_BYTES_SUBR and
 * CHECK_STRING_SUBR are defined outside this view - confirm their
 * behaviour before relying on them as bounds checks.
 */
10633 dissect_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10634 int offset, guint16 *bcp, gboolean *trunc)
10636 smb_info_t *si = pinfo->private_data;
10638 guint32 target_name_len;
10642 CHECK_BYTE_COUNT_SUBR(4);
10643 proto_tree_add_item(tree, hf_smb_replace, tvb, offset, 4, TRUE);
10644 COUNT_BYTES_SUBR(4);
10646 /* Root directory handle */
10647 CHECK_BYTE_COUNT_SUBR(4);
10648 proto_tree_add_item(tree, hf_smb_root_dir_handle, tvb, offset, 4, TRUE);
10649 COUNT_BYTES_SUBR(4);
10651 /* Target name length */
10652 CHECK_BYTE_COUNT_SUBR(4);
10653 target_name_len = tvb_get_letohl(tvb, offset);
10654 proto_tree_add_uint(tree, hf_smb_target_name_len, tvb, offset, 4, target_name_len);
10655 COUNT_BYTES_SUBR(4);
/* NOTE(review): target_name_len is a 32-bit value taken from the packet
   and copied unchecked into fn_len, which is then handed to the string
   helper together with bcp. fn_len's declaration is not shown; if it is a
   signed int, values above INT_MAX turn negative on assignment. Confirm
   that get_unicode_or_ascii_string() bounds the length against *bcp and
   rejects negative values before reading. */
10658 fn_len = target_name_len;
10659 fn = get_unicode_or_ascii_string(
10660 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10662 CHECK_STRING_SUBR(fn);
10663 proto_tree_add_string(
10664 tree, hf_smb_target_name, tvb, offset, fn_len, fn);
10665 COUNT_BYTES_SUBR(fn_len);
10671 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
10672 TRANS2_QUERY_FILE_INFORMATION*/
/*
 * Dispatches the data block of a query path/file information transaction
 * to the dissector for the information level stored in si->info_level
 * (si is the smb_info_t hanging off pinfo->private_data).
 *
 * tvb, offset - buffer and current position of the data block
 * bcp         - in/out count of bytes still available; forwarded to the
 *               per-level dissector
 *
 * Each call's argument list continues on a line that is not shown in
 * this listing. info_level is compared against the case labels below;
 * what happens for a level with no label is not visible here.
 */
10674 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
10675 int offset, guint16 *bcp)
10684 si = (smb_info_t *)pinfo->private_data;
10685 switch(si->info_level){
10686 case 1: /*Info Standard*/
10688 case 2: /*Info Query EA Size*/
10689 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
10692 case 3: /*Info Query EAs From List*/
10693 case 4: /*Info Query All EAs*/
10694 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
10697 case 6: /*Info Is Name Valid*/
10698 offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
10701 case 0x0101: /*Query File Basic Info*/
10702 case 1004: /* SMB_FILE_BASIC_INFORMATION */
10703 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
10706 case 0x0102: /*Query File Standard Info*/
10707 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
10708 offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp,
10711 case 0x0103: /*Query File EA Info*/
10712 case 1007: /* SMB_FILE_EA_INFORMATION */
10713 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp,
10716 case 0x0104: /*Query File Name Info*/
10717 case 1009: /* SMB_FILE_NAME_INFORMATION */
10718 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
10721 case 0x0107: /*Query File All Info*/
10722 case 1018: /* SMB_FILE_ALL_INFORMATION */
10723 offset = dissect_4_2_16_8(tvb, pinfo, tree, offset, bcp,
10726 case 0x0108: /*Query File Alt File Info*/
10727 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
10728 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
10731 case 1022: /* SMB_FILE_STREAM_INFORMATION */
10732 ((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
/* Falls through into case 0x0109: these two lines are consecutive in the
   original file, so there is no break. The assignment above overwrites the
   unicode flag in the shared per-packet smb_info_t and is not restored in
   the lines shown, so any string decoded later from the same packet via
   si->unicode is also treated as Unicode - NOTE(review): confirm that is
   intended. */
10733 case 0x0109: /*Query File Stream Info*/
10734 offset = dissect_4_2_16_10(tvb, pinfo, tree, offset, bcp,
10737 case 0x010b: /*Query File Compression Info*/
10738 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
10739 offset = dissect_4_2_16_11(tvb, pinfo, tree, offset, bcp,
10742 case 0x0200: /* Query File Unix Basic*/
10743 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
10746 case 0x0201: /* Query File Unix Link*/
10747 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
10750 case 0x0202: /* Query File Unix HardLink*/
10751 /* XXX add this from the SNIA doc */
10758 /*dissect the data block for TRANS2_SET_PATH_INFORMATION and
10759 TRANS2_SET_FILE_INFORMATION*/
/*
 * Dispatches the data block of a set path/file information transaction to
 * the dissector for the information level stored in si->info_level
 * (si is the smb_info_t hanging off pinfo->private_data).
 *
 * tvb, offset - buffer and current position of the data block
 * bcp         - in/out count of bytes still available; forwarded to the
 *               per-level dissector
 *
 * Several levels reuse the query-side dissectors (dissect_4_2_16_*), and
 * the UNIX link (0x0201) and hard link (0x0203) levels both go to
 * dissect_4_2_16_13(). Each call's argument list continues on a line that
 * is not shown in this listing; handling of levels without a case label
 * is not visible here either.
 */
10761 dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
10762 int offset, guint16 *bcp)
10771 si = (smb_info_t *)pinfo->private_data;
10772 switch(si->info_level){
10773 case 1: /*Info Standard*/
10775 case 2: /*Info Query EA Size*/
10776 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
10779 case 4: /*Info Query All EAs*/
10780 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
10783 case 0x0101: /*Set File Basic Info*/
10784 case 1004: /* SMB_FILE_BASIC_INFORMATION */
10785 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
10788 case 0x0102: /*Set File Disposition Info*/
10789 offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
10792 case 0x0103: /*Set File Allocation Info*/
10793 offset = dissect_4_2_19_3(tvb, pinfo, tree, offset, bcp,
10796 case 0x0104: /*Set End Of File Info*/
10797 offset = dissect_4_2_19_4(tvb, pinfo, tree, offset, bcp,
10800 case 0x0200: /*Set File Unix Basic. Same as query. */
10801 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
10804 case 0x0201: /*Set File Unix Link. Same as query. */
10805 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
10808 case 0x0203: /*Set File Unix HardLink. Same as link query. */
10809 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
10812 case 1010: /* Set File Rename */
10813 offset = dissect_rename_info(tvb, pinfo, tree, offset, bcp,
10827 /* XXX: TODO, extra levels discovered by tridge */
/*
 * Label pairs for the quota flag bits shown by dissect_quota_flags():
 * first string when the bit is set, second when it is clear.
 * NOTE(review): "Quotas are ENABLED of this fs" looks like a typo for
 * "on this fs"; it is a user-visible string, so it is left unchanged here.
 */
10835 static const true_false_string tfs_quota_flags_deny_disk = {
10836 "DENY DISK SPACE for users exceeding quota limit",
10837 "Do NOT deny disk space for users exceeding quota limit"
10839 static const true_false_string tfs_quota_flags_log_limit = {
10840 "LOG EVENT when a user exceeds their QUOTA LIMIT",
10841 "Do NOT log event when a user exceeds their quota limit"
10843 static const true_false_string tfs_quota_flags_log_warning = {
10844 "LOG EVENT when a user exceeds their WARNING LEVEL",
10845 "Do NOT log event when a user exceeds their warning level"
10847 static const true_false_string tfs_quota_flags_enabled = {
10848 "Quotas are ENABLED of this fs",
10849 "Quotas are NOT enabled on this fs"
/*
 * Shows the one-byte quota flags field at `offset`.
 *
 * The byte is read into mask; a summary item "Quota Flags: 0x.. Enabled"
 * (or "Disabled" when mask is zero) is added under parent_tree with a
 * subtree, and the log-limit, log-warning, deny-disk and enabled bits are
 * added beneath it.
 *
 * The caller is responsible for making sure one byte is available at
 * offset; no byte-count argument is passed to this function.
 */
10852 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10855 proto_item *item = NULL;
10856 proto_tree *tree = NULL;
10858 mask = tvb_get_guint8(tvb, offset);
10861 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
10862 "Quota Flags: 0x%02x %s", mask,
10863 mask?"Enabled":"Disabled");
10864 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
10867 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
10868 tvb, offset, 1, mask);
10869 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
10870 tvb, offset, 1, mask);
10871 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
10872 tvb, offset, 1, mask);
/* Some flag is set but bit 0x01 is clear: a hidden "enabled" item is added
   with the bit forced on, which matches the summary line treating any
   non-zero mask as "Enabled". The visible item added after it is presumably
   the other branch (the line between the two calls is not shown) -
   confirm. */
10874 if(mask && (!(mask&0x01))){
10875 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
10876 tvb, offset, 1, 0x01);
10878 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
10879 tvb, offset, 1, mask);
/*
 * Adds an NT quota block to `tree`: 24 unknown bytes, an 8-byte soft
 * (warning) limit, an 8-byte hard limit, one byte of quota flags (via
 * dissect_quota_flags) and 7 more unknown bytes - 48 bytes as shown.
 *
 * bcp is the in/out count of bytes still available to this block.
 * NOTE(review): CHECK_BYTE_COUNT_TRANS_SUBR / COUNT_BYTES_TRANS_SUBR are
 * defined outside this view; presumably the first returns early when *bcp
 * is smaller than the requested size and the second advances offset and
 * reduces *bcp - confirm. dissect_quota_flags() takes no byte count, so
 * the 1-byte check before it is the only bound on that read.
 */
10885 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
10887 /* first 24 bytes are unknown */
10888 CHECK_BYTE_COUNT_TRANS_SUBR(24);
10889 proto_tree_add_item(tree, hf_smb_unknown, tvb,
10891 COUNT_BYTES_TRANS_SUBR(24);
10893 /* number of bytes for quota warning */
10894 CHECK_BYTE_COUNT_TRANS_SUBR(8);
10895 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
10896 COUNT_BYTES_TRANS_SUBR(8);
10898 /* number of bytes for quota limit */
10899 CHECK_BYTE_COUNT_TRANS_SUBR(8);
10900 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
10901 COUNT_BYTES_TRANS_SUBR(8);
10903 /* one byte of quota flags */
10904 CHECK_BYTE_COUNT_TRANS_SUBR(1);
10905 dissect_quota_flags(tvb, tree, offset);
10906 COUNT_BYTES_TRANS_SUBR(1);
10908 /* these 7 bytes are unknown */
10909 CHECK_BYTE_COUNT_TRANS_SUBR(7);
10910 proto_tree_add_item(tree, hf_smb_unknown, tvb,
10912 COUNT_BYTES_TRANS_SUBR(7);
/*
 * Dissects the data section of a Transaction2 request.
 *
 * tvb, offset - buffer and start of the data section
 * subcmd      - Transaction2 subcommand; selects the case below and the
 *               label of the summary item (via trans2_cmd_vals)
 * dc          - data byte count, passed by value
 *
 * A summary item spanning dc bytes is added under parent_tree. For the
 * subcommands that have a decoder (set quota, set path/file information,
 * report DFS inconsistency) the address of the local copy of dc is handed
 * to the sub-dissector. Bytes still counted in dc afterwards are added as
 * hf_smb_unknown.
 *
 * NOTE(review): dc is supplied by the caller, presumably from the packet
 * header. The final hf_smb_unknown item uses it directly as a length; the
 * condition guarding that call is not shown in this listing - confirm it
 * skips the call when dc is zero.
 */
10918 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
10919 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
10921 proto_item *item = NULL;
10922 proto_tree *tree = NULL;
10925 si = (smb_info_t *)pinfo->private_data;
10928 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
10930 val_to_str(subcmd, trans2_cmd_vals,
10931 "Unknown (0x%02x)"));
10932 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
10936 case 0x00: /*TRANS2_OPEN2*/
10937 /* XXX dont know how to decode FEAList */
10939 case 0x01: /*TRANS2_FIND_FIRST2*/
10940 /* XXX dont know how to decode FEAList */
10942 case 0x02: /*TRANS2_FIND_NEXT2*/
10943 /* XXX dont know how to decode FEAList */
10945 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
10946 /* no data field in this request */
10948 case 0x04: /* TRANS2_SET_QUOTA */
10949 offset = dissect_nt_quota(tvb, tree, offset, &dc);
10951 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
10952 /* no data field in this request */
10954 * XXX - "Microsoft Networks SMB File Sharing Protocol
10955 * Extensions Version 3.0, Document Version 1.11,
10956 * July 19, 1990" says there may be "Additional
10957 * FileInfoLevel dependent information" here.
10959 * Was that just a cut-and-pasteo?
10960 * TRANS2_SET_PATH_INFORMATION *does* have that information
10964 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10965 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
10967 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
10968 /* no data field in this request */
10970 * XXX - "Microsoft Networks SMB File Sharing Protocol
10971 * Extensions Version 3.0, Document Version 1.11,
10972 * July 19, 1990" says there may be "Additional
10973 * FileInfoLevel dependent information" here.
10975 * Was that just a cut-and-pasteo?
10976 * TRANS2_SET_FILE_INFORMATION *does* have that information
10980 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
10981 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
10983 case 0x09: /*TRANS2_FSCTL*/
10984 /*XXX dont know how to decode this yet */
10987 * XXX - "Microsoft Networks SMB File Sharing Protocol
10988 * Extensions Version 3.0, Document Version 1.11,
10989 * July 19, 1990" says this this contains a
10990 * "File system specific data block". (That means we
10991 * may not be able to dissect it in any case.)
10994 case 0x0a: /*TRANS2_IOCTL2*/
10995 /*XXX dont know how to decode this yet */
10998 * XXX - "Microsoft Networks SMB File Sharing Protocol
10999 * Extensions Version 3.0, Document Version 1.11,
11000 * July 19, 1990" says this this contains a
11001 * "Device/function specific data block". (That
11002 * means we may not be able to dissect it in any case.)
11005 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11006 /*XXX dont know how to decode this yet */
11009 * XXX - "Microsoft Networks SMB File Sharing Protocol
11010 * Extensions Version 3.0, Document Version 1.11,
11011 * July 19, 1990" says this this contains "additional
11012 * level dependent match data".
11015 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11016 /*XXX dont know how to decode this yet */
11019 * XXX - "Microsoft Networks SMB File Sharing Protocol
11020 * Extensions Version 3.0, Document Version 1.11,
11021 * July 19, 1990" says this this contains "additional
11022 * level dependent monitor information".
11025 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11026 /* XXX optional FEAList, unknown what FEAList looks like*/
11028 case 0x0e: /*TRANS2_SESSION_SETUP*/
11029 /*XXX dont know how to decode this yet */
11031 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11032 /* no data field in this request */
11034 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11035 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
11039 /* ooops there were data we didnt know how to process */
11041 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Fallback display for a transaction that no sub-dissector handled: shows
 * the setup words, parameters and data as raw values under `tree`.
 *
 * s_tvb, p_tvb, d_tvb - setup, parameter and data buffers; each may be
 *                       NULL, in which case that part is skipped
 *
 * Lengths come from tvb_reported_length(), i.e. what the packet claims
 * rather than what was captured. Setup words are consumed two bytes at a
 * time while at least two remain, so an odd trailing byte is not shown.
 * NOTE(review): some lines between the length reads and the add_text
 * calls are not shown in this listing (presumably a zero-length test) -
 * confirm.
 */
11050 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
11058 * Show the setup words.
11060 if (s_tvb != NULL) {
11061 length = tvb_reported_length(s_tvb);
11062 for (i = 0, offset = 0; length >= 2;
11063 i++, offset += 2, length -= 2) {
11065 * XXX - add a setup word filterable field?
11067 proto_tree_add_text(tree, s_tvb, offset, 2,
11068 "Setup Word %d: 0x%04x", i,
11069 tvb_get_letohs(s_tvb, offset));
11074 * Show the parameters, if any.
11076 if (p_tvb != NULL) {
11077 length = tvb_reported_length(p_tvb);
11079 proto_tree_add_text(tree, p_tvb, 0, length,
11081 tvb_bytes_to_str(p_tvb, 0, length));
11086 * Show the data, if any.
11088 if (d_tvb != NULL) {
11089 length = tvb_reported_length(d_tvb);
11091 proto_tree_add_text(tree, d_tvb, 0, length,
11092 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
11097 /* This routine handles the following 4 calls
11099 Transaction Secondary 0x26
11101 Transaction2 Secondary 0x33
/*
 * Dissects the request side of Transaction / Transaction2 and their
 * Secondary variants; the command is taken from si->cmd.
 *
 * Two header layouts are handled: the secondary-request form (parameter
 * and data count, offset and displacement, plus a FID for Transaction2)
 * and the primary form (total and max counts, flags, timeout, parameter
 * and data count and offset, setup count). After the header come the
 * setup words, the transaction name (Transaction only), padding, the
 * parameters and the data.
 *
 * Review context: pc/po (parameter count/offset), dc/od (data
 * count/offset) and sc (setup count) are read straight from the packet
 * with tvb_get_letohs()/tvb_get_guint8() and later used as offsets and
 * lengths into tvb, so each use needs a bound against what is actually
 * present. Several guard lines are not shown in this listing; the
 * NOTE(review) comments below mark the places to confirm.
 */
11104 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
11111 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
11115 const char *an = NULL;
11117 smb_transact2_info_t *t2i;
11118 smb_transact_info_t *tri;
11121 gboolean dissected_trans;
11123 si = (smb_info_t *)pinfo->private_data;
11128 /*secondary client request*/
11130 /* total param count, only a 16bit integer here*/
11131 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11134 /* total data count , only 16bit integer here*/
11135 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11139 pc = tvb_get_letohs(tvb, offset);
11140 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11144 po = tvb_get_letohs(tvb, offset);
11145 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11149 pd = tvb_get_letohs(tvb, offset);
11150 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11154 dc = tvb_get_letohs(tvb, offset);
11155 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11159 od = tvb_get_letohs(tvb, offset);
11160 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11164 dd = tvb_get_letohs(tvb, offset);
11165 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11168 if(si->cmd==SMB_COM_TRANSACTION2){
11172 fid = tvb_get_letohs(tvb, offset);
11173 add_fid(tvb, pinfo, tree, offset, 2, fid);
11178 /* There are no setup words. */
11183 /* it is not a secondary request */
11185 /* total param count , only a 16 bit integer here*/
11186 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11189 /* total data count , only 16bit integer here*/
11190 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11193 /* max param count , only 16bit integer here*/
11194 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11197 /* max data count, only 16bit integer here*/
11198 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11201 /* max setup count, only an 8-bit integer here (one byte is read) */
11202 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11205 /* reserved byte */
11206 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11209 /* transaction flags */
11210 tf = dissect_transaction_flags(tvb, tree, offset);
11214 to = tvb_get_letohl(tvb, offset);
11216 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
11217 else if (to == 0xffffffff)
11218 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
11220 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
11223 /* 2 reserved bytes */
11224 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11228 pc = tvb_get_letohs(tvb, offset);
11229 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11233 po = tvb_get_letohs(tvb, offset);
11234 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11237 /* param displacement is zero here */
11241 dc = tvb_get_letohs(tvb, offset);
11242 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11246 od = tvb_get_letohs(tvb, offset);
11247 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11250 /* data displacement is zero here */
11254 sc = tvb_get_guint8(tvb, offset);
11255 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11258 /* reserved byte */
11259 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11262 /* this is where the setup bytes, if any start */
11266 /* if there were any setup bytes, decode them */
11270 case SMB_COM_TRANSACTION2:
11271 /* TRANSACTION2 only has one setup word and
11272 that is the subcommand code.
11274 XXX - except for TRANS2_FSCTL
11275 and TRANS2_IOCTL. */
11276 subcmd = tvb_get_letohs(tvb, offset);
11277 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
11278 tvb, offset, 2, subcmd);
11279 if (check_col(pinfo->cinfo, COL_INFO)) {
11280 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
11281 val_to_str(subcmd, trans2_cmd_vals,
11282 "Unknown (0x%02x)"));
11285 if(!pinfo->fd->flags.visited){
11288 * smb_transact2_info_t
11291 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
11292 t2i->subcmd = subcmd;
11293 t2i->info_level = -1;
11294 t2i->resume_keys = FALSE;
11295 si->sip->extra_info = t2i;
/* NOTE(review): extra_info receives an smb_transact2_info_t here and an
   smb_transact_info_t in the Transaction branch further down. Readers of
   extra_info have to know which command stored it before casting; also
   confirm si->sip is non-NULL on this path (no test is visible in the
   lines shown). */
11300 * XXX - process TRANS2_FSCTL and
11301 * TRANS2_IOCTL setup words here.
11305 case SMB_COM_TRANSACTION:
11306 /* TRANSACTION setup words processed below */
11317 /* primary request */
11318 /* name is NULL if transaction2 */
11319 if(si->cmd == SMB_COM_TRANSACTION){
11320 /* Transaction Name */
11321 an = get_unicode_or_ascii_string(tvb, &offset,
11322 si->unicode, &an_len, FALSE, FALSE, &bc);
11325 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
11326 offset, an_len, an);
11327 COUNT_BYTES(an_len);
11332 * The pipe or mailslot arguments for Transaction start with
11333 * the first setup word (or where the first setup word would
11334 * be if there were any setup words), and run to the current
11335 * offset (which could mean that there aren't any).
11338 spc = offset - spo;
11342 /* We have some initial padding bytes.
11344 padcnt = po-offset;
/* NOTE(review): po is the parameter offset from the packet, so padcnt can
   be larger than the bytes that remain. The lines between this assignment
   and the padding item are not shown; confirm padcnt is clamped to bc
   before it is used as a length. The same applies to the od-based padding
   below. */
11347 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11348 COUNT_BYTES(padcnt);
11351 CHECK_BYTE_COUNT(pc);
11354 case SMB_COM_TRANSACTION2:
11355 /* TRANSACTION2 parameters*/
11356 offset = dissect_transaction2_request_parameters(tvb,
11357 pinfo, tree, offset, subcmd, pc);
11361 case SMB_COM_TRANSACTION:
11362 /* TRANSACTION parameters processed below */
11370 /* We have some initial padding bytes.
11372 padcnt = od-offset;
11375 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11376 COUNT_BYTES(padcnt);
11379 CHECK_BYTE_COUNT(dc);
11382 case SMB_COM_TRANSACTION2:
11383 /* TRANSACTION2 data*/
11384 offset = dissect_transaction2_request_data(tvb, pinfo,
11385 tree, offset, subcmd, dc);
11389 case SMB_COM_TRANSACTION:
11390 /* TRANSACTION data processed below */
11396 /*TRANSACTION request parameters */
11397 if(si->cmd==SMB_COM_TRANSACTION){
11398 /*XXX replace this block with a function and use that one
11399 for both requests/responses*/
11401 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
11402 tvbuff_t *sp_tvb, *pd_tvb;
/* Each of the three subsets below is built the same way: when the count
   claimed by the packet exceeds what tvb_length_remaining() reports at
   that offset, the subset's backing length is cut down to what is
   available while the claimed count is kept as its reported length. */
11405 if(pc>tvb_length_remaining(tvb, po)){
11406 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
11408 p_tvb = tvb_new_subset(tvb, po, pc, pc);
11414 if(dc>tvb_length_remaining(tvb, od)){
11415 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
11417 d_tvb = tvb_new_subset(tvb, od, dc, dc);
11423 if(sl>tvb_length_remaining(tvb, so)){
11424 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
11426 s_tvb = tvb_new_subset(tvb, so, sl, sl);
11433 if(!pinfo->fd->flags.visited){
11435 * Allocate a new smb_transact_info_t
11438 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
11440 tri->trans_subcmd = -1;
11441 tri->function = -1;
11443 tri->lanman_cmd = 0;
11444 tri->param_descrip = NULL;
11445 tri->data_descrip = NULL;
11446 tri->aux_data_descrip = NULL;
11447 tri->info_level = -1;
11448 si->sip->extra_info = tri;
11451 * We already filled the structure
11452 * in; don't bother doing so again.
11458 * This is a unidirectional message, for
11459 * which there will be no reply; don't
11460 * bother allocating an "smb_transact_info_t"
11461 * structure for it.
11465 dissected_trans = FALSE;
/* NOTE(review): `an` starts as NULL and is only assigned in the primary
   Transaction branch above from a helper whose failure value is not
   visible here. strncmp() on a NULL pointer is undefined behaviour, so
   confirm a NULL test on `an` precedes this point (the lines after the
   helper call are not shown in this listing). */
11466 if(strncmp("\\PIPE\\", an, 6) == 0){
11468 tri->subcmd=TRANSACTION_PIPE;
/* NOTE(review): the comments above describe a path where no
   smb_transact_info_t is allocated; confirm the tri->subcmd stores in this
   branch and in the mailslot branch are guarded by a non-NULL test on tri
   (the preceding line is not shown). */
11471 * A tvbuff containing the setup words and
11474 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11477 * A tvbuff containing the parameters and the
11480 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
11482 dissected_trans = dissect_pipe_smb(sp_tvb,
11483 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
11486 /* In case we did not see the TreeConnect call,
11487 store this TID here as well as a IPC TID
11488 so we know that future Read/Writes to this
11489 TID is (probably) DCERPC.
11491 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
11492 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
11494 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
/* The TID and the TID_IPC marker are stored in the hash table as integer
   values cast to pointers, not as pointers to storage; they must never be
   dereferenced or freed by the table's users. */
11495 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
11497 tri->subcmd=TRANSACTION_MAILSLOT;
11500 * A tvbuff containing the setup words and
11501 * the mailslot path.
11503 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11504 dissected_trans = dissect_mailslot_smb(sp_tvb,
11505 s_tvb, d_tvb, an+10, pinfo, top_tree);
11507 if (!dissected_trans)
11508 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
11510 if(check_col(pinfo->cinfo, COL_INFO)){
11511 col_append_str(pinfo->cinfo, COL_INFO,
11512 "[transact continuation]");
/*
 * Dissects one directory entry of a find reply for the information level
 * in si->info_level and adds it under parent_tree, labelled via
 * ff2_il_vals.
 *
 * Fields as shown: a 4-byte resume key, create / access / last-write
 * DOS date-times (4 bytes each), 4-byte data size, 4-byte allocation
 * size, 2-byte file attributes, a 1-byte file name length and the file
 * name. The name is also appended to the Info column and to the entry's
 * summary text, and the item length is set to the bytes consumed.
 *
 * tvb, offset - buffer and start of the entry
 * bcp         - in/out count of bytes still available
 * trunc       - out flag; it is not written directly in the lines shown
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR, COUNT_BYTES_SUBR and
 * CHECK_STRING_SUBR are defined outside this view - confirm their
 * behaviour. After the calls that return the new offset
 * (dissect_smb_datetime, dissect_file_attributes) no matching *bcp
 * adjustment is visible in this listing; confirm each is followed by
 * one, otherwise *bcp overstates the bytes left for the later checks.
 */
11525 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11526 int offset, guint16 *bcp, gboolean *trunc)
11530 int old_offset = offset;
11531 proto_item *item = NULL;
11532 proto_tree *tree = NULL;
11534 smb_transact2_info_t *t2i;
11535 gboolean resume_keys = FALSE;
11537 si = (smb_info_t *)pinfo->private_data;
11538 if (si->sip != NULL) {
11539 t2i = si->sip->extra_info;
/* NOTE(review): extra_info is read as an smb_transact2_info_t. Elsewhere
   in this file the same field is set to an smb_transact_info_t for plain
   Transaction requests, so confirm this function is only reached for
   Transaction2 traffic and that t2i is tested for NULL before the
   dereference below (the line between is not shown). */
11541 resume_keys = t2i->resume_keys;
11545 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11546 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11547 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11552 CHECK_BYTE_COUNT_SUBR(4);
11553 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11554 COUNT_BYTES_SUBR(4);
11558 CHECK_BYTE_COUNT_SUBR(4);
11559 offset = dissect_smb_datetime(tvb, tree, offset,
11560 hf_smb_create_time,
11561 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11565 CHECK_BYTE_COUNT_SUBR(4);
11566 offset = dissect_smb_datetime(tvb, tree, offset,
11567 hf_smb_access_time,
11568 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11571 /* last write time */
11572 CHECK_BYTE_COUNT_SUBR(4);
11573 offset = dissect_smb_datetime(tvb, tree, offset,
11574 hf_smb_last_write_time,
11575 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11579 CHECK_BYTE_COUNT_SUBR(4);
11580 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11581 COUNT_BYTES_SUBR(4);
11583 /* allocation size */
11584 CHECK_BYTE_COUNT_SUBR(4);
11585 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11586 COUNT_BYTES_SUBR(4);
11588 /* File Attributes */
11589 CHECK_BYTE_COUNT_SUBR(2);
11590 offset = dissect_file_attributes(tvb, tree, offset, 2);
11593 /* file name len */
11594 CHECK_BYTE_COUNT_SUBR(1);
11595 fn_len = tvb_get_guint8(tvb, offset);
11596 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11597 COUNT_BYTES_SUBR(1);
/* The length byte does not count the terminator, so it is widened by two
   bytes or by one; presumably the choice follows si->unicode (the
   condition line is not shown). The adjusted length is still a value
   derived from the packet and is bounded only by what the string helper
   does with bcp. */
11599 fn_len += 2; /* include terminating '\0' */
11601 fn_len++; /* include terminating '\0' */
11604 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11605 CHECK_STRING_SUBR(fn);
11606 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11608 COUNT_BYTES_SUBR(fn_len);
/* The file name comes from the packet; it goes through format_text()
   before being placed in the Info column and the summary line. */
11610 if (check_col(pinfo->cinfo, COL_INFO)) {
11611 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11612 format_text(fn, strlen(fn)));
11615 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
11616 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects one directory entry of a find reply for the information level
 * in si->info_level and adds it under parent_tree, labelled via
 * ff2_il_vals. The layout matches dissect_4_3_4_1() with one extra field.
 *
 * Fields as shown: a 4-byte resume key, create / access / last-write
 * DOS date-times (4 bytes each), 4-byte data size, 4-byte allocation
 * size, 2-byte file attributes, a 4-byte EA list length, a 1-byte file
 * name length and the file name. The name is also appended to the Info
 * column and to the entry's summary text.
 *
 * tvb, offset - buffer and start of the entry
 * bcp         - in/out count of bytes still available
 * trunc       - out flag; it is not written directly in the lines shown
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR, COUNT_BYTES_SUBR and
 * CHECK_STRING_SUBR are defined outside this view - confirm their
 * behaviour. After the calls that return the new offset
 * (dissect_smb_datetime, dissect_file_attributes) no matching *bcp
 * adjustment is visible in this listing; confirm each is followed by
 * one, otherwise *bcp overstates the bytes left for the later checks.
 */
11623 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11624 int offset, guint16 *bcp, gboolean *trunc)
11628 int old_offset = offset;
11629 proto_item *item = NULL;
11630 proto_tree *tree = NULL;
11632 smb_transact2_info_t *t2i;
11633 gboolean resume_keys = FALSE;
11635 si = (smb_info_t *)pinfo->private_data;
11636 if (si->sip != NULL) {
11637 t2i = si->sip->extra_info;
/* NOTE(review): extra_info is read as an smb_transact2_info_t; confirm
   this function is only reached for Transaction2 traffic and that t2i is
   tested for NULL before the dereference below (the line between is not
   shown in this listing). */
11639 resume_keys = t2i->resume_keys;
11643 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11644 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11645 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11650 CHECK_BYTE_COUNT_SUBR(4);
11651 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11652 COUNT_BYTES_SUBR(4);
11656 CHECK_BYTE_COUNT_SUBR(4);
11657 offset = dissect_smb_datetime(tvb, tree, offset,
11658 hf_smb_create_time,
11659 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11663 CHECK_BYTE_COUNT_SUBR(4);
11664 offset = dissect_smb_datetime(tvb, tree, offset,
11665 hf_smb_access_time,
11666 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11669 /* last write time */
11670 CHECK_BYTE_COUNT_SUBR(4);
11671 offset = dissect_smb_datetime(tvb, tree, offset,
11672 hf_smb_last_write_time,
11673 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11677 CHECK_BYTE_COUNT_SUBR(4);
11678 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11679 COUNT_BYTES_SUBR(4);
11681 /* allocation size */
11682 CHECK_BYTE_COUNT_SUBR(4);
11683 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11684 COUNT_BYTES_SUBR(4);
11686 /* File Attributes */
11687 CHECK_BYTE_COUNT_SUBR(2);
11688 offset = dissect_file_attributes(tvb, tree, offset, 2);
11692 CHECK_BYTE_COUNT_SUBR(4);
11693 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11694 COUNT_BYTES_SUBR(4);
11696 /* file name len */
11697 CHECK_BYTE_COUNT_SUBR(1);
11698 fn_len = tvb_get_guint8(tvb, offset);
11699 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11700 COUNT_BYTES_SUBR(1);
/* The length byte does not count the terminator, so it is widened by two
   bytes or by one; presumably the choice follows si->unicode (the
   condition line is not shown). */
11702 fn_len += 2; /* include terminating '\0' */
11704 fn_len++; /* include terminating '\0' */
11707 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11708 CHECK_STRING_SUBR(fn);
11709 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11711 COUNT_BYTES_SUBR(fn_len);
/* The file name comes from the packet; it goes through format_text()
   before being placed in the Info column and the summary line. */
11713 if (check_col(pinfo->cinfo, COL_INFO)) {
11714 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11715 format_text(fn, strlen(fn)));
11718 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
11719 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects one directory entry of a FIND_FIRST2/FIND_NEXT2 response for the
 * info level that dissect_ff2_response_data() maps to this routine (0x0101,
 * "Find File Directory Info").
 *
 * Fields are read in wire order: next entry offset (4), file index (4),
 * create/access/last-write/change times (8 each), end of file (8),
 * allocation size (8), extended attributes (4), file name length (4) and
 * the file name itself.
 *
 * tvb/offset  buffer and position of the entry
 * bcp         remaining byte count; every field is preceded by a
 *             CHECK_BYTE_COUNT_SUBR() for its size
 * trunc       out flag (its assignments are not visible in this listing)
 *
 * NOTE(review): this listing has lost short lines (braces, declarations,
 * "*bcp -= n" style statements), and the CHECK_/COUNT_ macro definitions
 * are outside it; presumably they bail out on a short buffer and advance
 * offset while decrementing *bcp -- confirm against the full file.
 */
11726 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11727 int offset, guint16 *bcp, gboolean *trunc)
11731 int old_offset = offset;
11732 proto_item *item = NULL;
11733 proto_tree *tree = NULL;
11738 si = (smb_info_t *)pinfo->private_data;
11741 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11742 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11743 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11747 * We assume that the presence of a next entry offset implies the
11748 * absence of a resume key, as appears to be the case for 4.3.4.6.
11751 /* next entry offset */
11752 CHECK_BYTE_COUNT_SUBR(4);
/* neo is taken straight from the packet and drives the padding skip below. */
11753 neo = tvb_get_letohl(tvb, offset);
11754 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11755 COUNT_BYTES_SUBR(4);
11758 CHECK_BYTE_COUNT_SUBR(4);
11759 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11760 COUNT_BYTES_SUBR(4);
11763 CHECK_BYTE_COUNT_SUBR(8);
11764 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
11768 CHECK_BYTE_COUNT_SUBR(8);
11769 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
11772 /* last write time */
11773 CHECK_BYTE_COUNT_SUBR(8);
11774 offset = dissect_nt_64bit_time(tvb, tree, offset,
11775 hf_smb_last_write_time);
11778 /* last change time */
11779 CHECK_BYTE_COUNT_SUBR(8);
11780 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
11784 CHECK_BYTE_COUNT_SUBR(8);
11785 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11786 COUNT_BYTES_SUBR(8);
11788 /* allocation size */
11789 CHECK_BYTE_COUNT_SUBR(8);
11790 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11791 COUNT_BYTES_SUBR(8);
11793 /* Extended File Attributes */
11794 CHECK_BYTE_COUNT_SUBR(4);
11795 offset = dissect_file_ext_attr(tvb, tree, offset);
11798 /* file name len */
11799 CHECK_BYTE_COUNT_SUBR(4);
/*
 * NOTE(review): a 32-bit length from the packet is stored in fn_len (its
 * declaration is not visible here; the sibling dissect_4_3_4_6 declares it
 * int), so large wire values would become negative. Confirm that
 * get_unicode_or_ascii_string() bounds it against *bcp.
 */
11800 fn_len = tvb_get_letohl(tvb, offset);
11801 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11802 COUNT_BYTES_SUBR(4);
11805 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11806 CHECK_STRING_SUBR(fn);
11807 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11809 COUNT_BYTES_SUBR(fn_len);
11811 if (check_col(pinfo->cinfo, COL_INFO)) {
11812 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11813 format_text(fn, strlen(fn)));
11816 /* skip to next structure */
/*
 * padcnt is computed from the packet-supplied neo. The lines that follow
 * the "bogus" remark below are missing from this listing -- confirm a
 * negative padcnt is clamped before it reaches COUNT_BYTES_SUBR().
 */
11818 padcnt = (old_offset + neo) - offset;
11821 * XXX - this is bogus; flag it?
11826 CHECK_BYTE_COUNT_SUBR(padcnt);
11827 COUNT_BYTES_SUBR(padcnt);
11831 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
11832 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects one directory entry of a FIND_FIRST2/FIND_NEXT2 response for
 * info level 0x0102 ("Find File Full Directory Info" in
 * dissect_ff2_response_data()).
 *
 * Same field order as dissect_4_3_4_4, with a 4-byte EA list length
 * between the file name length and the file name.
 *
 * bcp is the remaining byte count, checked before every field; trunc is an
 * out flag whose assignments are not visible in this listing.
 *
 * NOTE(review): short lines (braces, declarations, byte-count updates) are
 * missing from this listing and the CHECK_/COUNT_ macros are defined
 * elsewhere -- confirm their behaviour against the full file.
 */
11839 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11840 int offset, guint16 *bcp, gboolean *trunc)
11844 int old_offset = offset;
11845 proto_item *item = NULL;
11846 proto_tree *tree = NULL;
11851 si = (smb_info_t *)pinfo->private_data;
11854 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11855 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11856 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11860 * We assume that the presence of a next entry offset implies the
11861 * absence of a resume key, as appears to be the case for 4.3.4.6.
11864 /* next entry offset */
11865 CHECK_BYTE_COUNT_SUBR(4);
/* neo is read from the packet and later used to compute the padding skip. */
11866 neo = tvb_get_letohl(tvb, offset);
11867 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11868 COUNT_BYTES_SUBR(4);
11871 CHECK_BYTE_COUNT_SUBR(4);
11872 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11873 COUNT_BYTES_SUBR(4);
11876 CHECK_BYTE_COUNT_SUBR(8);
11877 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
11881 CHECK_BYTE_COUNT_SUBR(8);
11882 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
11885 /* last write time */
11886 CHECK_BYTE_COUNT_SUBR(8);
11887 offset = dissect_nt_64bit_time(tvb, tree, offset,
11888 hf_smb_last_write_time);
11891 /* last change time */
11892 CHECK_BYTE_COUNT_SUBR(8);
11893 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
11897 CHECK_BYTE_COUNT_SUBR(8);
11898 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11899 COUNT_BYTES_SUBR(8);
11901 /* allocation size */
11902 CHECK_BYTE_COUNT_SUBR(8);
11903 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11904 COUNT_BYTES_SUBR(8);
11906 /* Extended File Attributes */
11907 CHECK_BYTE_COUNT_SUBR(4);
11908 offset = dissect_file_ext_attr(tvb, tree, offset);
11911 /* file name len */
11912 CHECK_BYTE_COUNT_SUBR(4);
/*
 * NOTE(review): untrusted 32-bit length; fn_len's declaration is not
 * visible here. Confirm the string helper bounds it against *bcp.
 */
11913 fn_len = tvb_get_letohl(tvb, offset);
11914 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11915 COUNT_BYTES_SUBR(4);
11918 CHECK_BYTE_COUNT_SUBR(4);
11919 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11920 COUNT_BYTES_SUBR(4);
11923 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11924 CHECK_STRING_SUBR(fn);
11925 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11927 COUNT_BYTES_SUBR(fn_len);
11929 if (check_col(pinfo->cinfo, COL_INFO)) {
11930 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11931 format_text(fn, strlen(fn)));
11934 /* skip to next structure */
/*
 * padcnt depends on the packet-supplied neo; the clamp that the remark
 * below refers to is not visible in this listing -- confirm negative
 * values never reach COUNT_BYTES_SUBR().
 */
11936 padcnt = (old_offset + neo) - offset;
11939 * XXX - this is bogus; flag it?
11944 CHECK_BYTE_COUNT_SUBR(padcnt);
11945 COUNT_BYTES_SUBR(padcnt);
11949 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
11950 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects one directory entry of a FIND_FIRST2/FIND_NEXT2 response for
 * info level 0x0104 ("Find File Both Directory Info" in
 * dissect_ff2_response_data()).
 *
 * On top of the fields handled by dissect_4_3_4_5 this entry carries a
 * one-byte short file name length, one reserved byte and a short file name
 * that is accounted for as a fixed 24-byte field, followed by the long
 * file name.
 *
 * bcp is the remaining byte count, checked before every field; trunc is an
 * out flag whose assignments are not visible in this listing.
 *
 * NOTE(review): short lines (braces, some declarations, byte-count
 * updates) are missing from this listing and the CHECK_/COUNT_ macros are
 * defined elsewhere -- confirm their behaviour against the full file.
 */
11957 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11958 int offset, guint16 *bcp, gboolean *trunc)
/* Both lengths are signed ints but are filled from unsigned wire fields. */
11960 int fn_len, sfn_len;
11961 const char *fn, *sfn;
11962 int old_offset = offset;
11963 proto_item *item = NULL;
11964 proto_tree *tree = NULL;
11969 si = (smb_info_t *)pinfo->private_data;
11972 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11973 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11974 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11978 * XXX - I have not seen any of these that contain a resume
11979 * key, even though some of the requests had the "return resume
11983 /* next entry offset */
11984 CHECK_BYTE_COUNT_SUBR(4);
/* neo is read from the packet and later used to compute the padding skip. */
11985 neo = tvb_get_letohl(tvb, offset);
11986 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11987 COUNT_BYTES_SUBR(4);
11990 CHECK_BYTE_COUNT_SUBR(4);
11991 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11992 COUNT_BYTES_SUBR(4);
11995 CHECK_BYTE_COUNT_SUBR(8);
11996 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
12000 CHECK_BYTE_COUNT_SUBR(8);
12001 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
12004 /* last write time */
12005 CHECK_BYTE_COUNT_SUBR(8);
12006 offset = dissect_nt_64bit_time(tvb, tree, offset,
12007 hf_smb_last_write_time);
12010 /* last change time */
12011 CHECK_BYTE_COUNT_SUBR(8);
12012 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
12016 CHECK_BYTE_COUNT_SUBR(8);
12017 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12018 COUNT_BYTES_SUBR(8);
12020 /* allocation size */
12021 CHECK_BYTE_COUNT_SUBR(8);
12022 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12023 COUNT_BYTES_SUBR(8);
12025 /* Extended File Attributes */
12026 CHECK_BYTE_COUNT_SUBR(4);
12027 offset = dissect_file_ext_attr(tvb, tree, offset);
12030 /* file name len */
12031 CHECK_BYTE_COUNT_SUBR(4);
/*
 * NOTE(review): a 32-bit wire value lands in the signed fn_len, so values
 * with the top bit set become negative. Confirm the string helper bounds
 * the length against *bcp.
 */
12032 fn_len = tvb_get_letohl(tvb, offset);
12033 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12034 COUNT_BYTES_SUBR(4);
12039 * XXX - in one captures, this has the topmost bit set, and the
12040 * rest of the bits have the value 7. Is the topmost bit being
12041 * set some indication that the value *isn't* the length of
12044 CHECK_BYTE_COUNT_SUBR(4);
12045 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12046 COUNT_BYTES_SUBR(4);
12048 /* short file name len */
12049 CHECK_BYTE_COUNT_SUBR(1);
12050 sfn_len = tvb_get_guint8(tvb, offset);
12051 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
12052 COUNT_BYTES_SUBR(1);
12054 /* reserved byte */
12055 CHECK_BYTE_COUNT_SUBR(1);
12056 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12057 COUNT_BYTES_SUBR(1);
12059 /* short file name - it's not always in Unicode */
/*
 * The tree item and the byte accounting below always cover 24 bytes,
 * whatever sfn_len says. NOTE(review): no CHECK_BYTE_COUNT_SUBR(24) is
 * visible in this listing before COUNT_BYTES_SUBR(24) -- confirm the
 * remaining count is verified for the full fixed-size field.
 */
12060 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
12061 CHECK_STRING_SUBR(sfn);
12062 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
12064 COUNT_BYTES_SUBR(24);
12067 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12068 CHECK_STRING_SUBR(fn);
12069 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12071 COUNT_BYTES_SUBR(fn_len);
12073 if (check_col(pinfo->cinfo, COL_INFO)) {
12074 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12075 format_text(fn, strlen(fn)));
12078 /* skip to next structure */
/*
 * padcnt depends on the packet-supplied neo; the clamp that the remark
 * below refers to is not visible in this listing -- confirm negative
 * values never reach COUNT_BYTES_SUBR().
 */
12080 padcnt = (old_offset + neo) - offset;
12083 * XXX - this is bogus; flag it?
12088 CHECK_BYTE_COUNT_SUBR(padcnt);
12089 COUNT_BYTES_SUBR(padcnt);
12093 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
12094 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects one directory entry of a FIND_FIRST2/FIND_NEXT2 response for
 * info level 0x0103 ("Find File Names Info" in
 * dissect_ff2_response_data()).
 *
 * The entry holds only: next entry offset (4), file index (4), file name
 * length (4) and the file name.
 *
 * bcp is the remaining byte count, checked before every field; trunc is an
 * out flag whose assignments are not visible in this listing.
 *
 * NOTE(review): short lines (braces, declarations) are missing from this
 * listing and the CHECK_/COUNT_ macros are defined elsewhere -- confirm
 * their behaviour against the full file.
 */
12101 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12102 int offset, guint16 *bcp, gboolean *trunc)
12106 int old_offset = offset;
12107 proto_item *item = NULL;
12108 proto_tree *tree = NULL;
12113 si = (smb_info_t *)pinfo->private_data;
12116 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12117 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12118 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12122 * We assume that the presence of a next entry offset implies the
12123 * absence of a resume key, as appears to be the case for 4.3.4.6.
12126 /* next entry offset */
12127 CHECK_BYTE_COUNT_SUBR(4);
/* neo is read from the packet and later used to compute the padding skip. */
12128 neo = tvb_get_letohl(tvb, offset);
12129 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12130 COUNT_BYTES_SUBR(4);
12133 CHECK_BYTE_COUNT_SUBR(4);
12134 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12135 COUNT_BYTES_SUBR(4);
12137 /* file name len */
12138 CHECK_BYTE_COUNT_SUBR(4);
/*
 * NOTE(review): untrusted 32-bit length; fn_len's declaration is not
 * visible here. Confirm the string helper bounds it against *bcp.
 */
12139 fn_len = tvb_get_letohl(tvb, offset);
12140 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12141 COUNT_BYTES_SUBR(4);
12144 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12145 CHECK_STRING_SUBR(fn);
12146 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12148 COUNT_BYTES_SUBR(fn_len);
12150 if (check_col(pinfo->cinfo, COL_INFO)) {
12151 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12152 format_text(fn, strlen(fn)));
12155 /* skip to next structure */
/*
 * padcnt depends on the packet-supplied neo; the clamp that the remark
 * below refers to is not visible in this listing -- confirm negative
 * values never reach COUNT_BYTES_SUBR().
 */
12157 padcnt = (old_offset + neo) - offset;
12160 * XXX - this is bogus; flag it?
12165 CHECK_BYTE_COUNT_SUBR(padcnt);
12166 COUNT_BYTES_SUBR(padcnt);
12170 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
12171 proto_item_set_len(item, offset-old_offset);
12177 /* 4.3.4.8 - SMB_FIND_FILE_UNIX */
/*
 * Dissects one SMB_FIND_FILE_UNIX directory entry (info level 0x0202 in
 * dissect_ff2_response_data()).
 *
 * Fields in wire order: next entry offset (4), resume key (4), file size
 * (8), number of bytes (8), three 64-bit timestamps, uid (8), gid (8),
 * file type (4), device major/minor (8 each), unique id (8), permissions
 * (8), link count (8), then a string added as hf_smb_unix_file_link_dest.
 * Unlike the other 4.3.4.x routines the items go directly into the tree
 * passed in; no subtree is created in the visible lines.
 *
 * NOTE(review): tvb and pinfo carry the _U_ (unused) marker although both
 * are used below; the marker looks stale.
 * NOTE(review): short lines are missing from this listing and the
 * CHECK_/COUNT_ macros are defined elsewhere -- confirm their behaviour
 * against the full file.
 */
12180 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
12181 proto_tree *tree, int offset, guint16 *bcp,
12184 smb_info_t *si = pinfo->private_data;
12188 /* NextEntryOffset */
12189 CHECK_BYTE_COUNT_SUBR(4);
12190 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, TRUE);
12191 COUNT_BYTES_SUBR(4);
12194 CHECK_BYTE_COUNT_SUBR(4);
12195 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, TRUE);
12196 COUNT_BYTES_SUBR(4);
12198 /* End of file (file size) */
12199 CHECK_BYTE_COUNT_SUBR(8);
12200 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
12201 COUNT_BYTES_SUBR(8);
12203 /* Number of bytes */
12204 CHECK_BYTE_COUNT_SUBR(8);
12205 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
12206 COUNT_BYTES_SUBR(8);
12208 /* Last status change */
12209 CHECK_BYTE_COUNT_SUBR(8);
12210 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
12213 /* Last access time */
12214 CHECK_BYTE_COUNT_SUBR(8);
12215 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
12218 /* Last modification time */
12219 CHECK_BYTE_COUNT_SUBR(8);
12220 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
12223 /* File owner uid */
12224 CHECK_BYTE_COUNT_SUBR(8);
12225 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
12226 COUNT_BYTES_SUBR(8);
12228 /* File group gid */
12229 CHECK_BYTE_COUNT_SUBR(8);
12230 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
12231 COUNT_BYTES_SUBR(8);
12234 CHECK_BYTE_COUNT_SUBR(4);
12235 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
12236 COUNT_BYTES_SUBR(4);
12238 /* Major device number */
12239 CHECK_BYTE_COUNT_SUBR(8);
12240 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
12241 COUNT_BYTES_SUBR(8);
12243 /* Minor device number */
12244 CHECK_BYTE_COUNT_SUBR(8);
12245 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
12246 COUNT_BYTES_SUBR(8);
12249 CHECK_BYTE_COUNT_SUBR(8);
12250 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
12251 COUNT_BYTES_SUBR(8);
12254 CHECK_BYTE_COUNT_SUBR(8);
12255 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
12256 COUNT_BYTES_SUBR(8);
12259 CHECK_BYTE_COUNT_SUBR(8);
12260 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
12261 COUNT_BYTES_SUBR(8);
/*
 * No length field precedes this string in the visible lines; fn_len is
 * passed by address and used afterwards, so it is presumably filled in by
 * the helper -- TODO confirm.
 */
12265 fn = get_unicode_or_ascii_string(
12266 tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
12268 CHECK_STRING_SUBR(fn);
12269 proto_tree_add_string(
12270 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
12271 COUNT_BYTES_SUBR(fn_len);
12273 /* Pad to 4 bytes */
/*
 * NOTE(review): any condition guarding this statement is missing from the
 * listing; unguarded, it would add 4 when offset is already aligned. The
 * visible lines also advance offset without touching *bcp -- confirm the
 * byte count stays in step with offset.
 */
12276 offset += 4 - (offset % 4);
12282 /*dissect the data block for TRANS2_FIND_FIRST2*/
/*
 * Dispatches the data block of a FIND_FIRST2/FIND_NEXT2 response to the
 * per-info-level entry dissector, keyed on si->info_level taken from
 * pinfo->private_data. Info level 3 reuses the level 2 routine
 * (dissect_4_3_4_2); every handler receives the same bcp (remaining byte
 * count) and returns the new offset.
 *
 * NOTE(review): the continuation lines of each call and the body of the
 * default branch are missing from this listing; how an unknown info level
 * is reported back through trunc cannot be confirmed from here.
 */
12284 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
12285 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
12293 si = (smb_info_t *)pinfo->private_data;
12294 switch(si->info_level){
12295 case 1: /*Info Standard*/
12296 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
12299 case 2: /*Info Query EA Size*/
12300 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12303 case 3: /*Info Query EAs From List same as
12305 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12308 case 0x0101: /*Find File Directory Info*/
12309 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
12312 case 0x0102: /*Find File Full Directory Info*/
12313 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
12316 case 0x0103: /*Find File Names Info*/
12317 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
12320 case 0x0104: /*Find File Both Directory Info*/
12321 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
12324 case 0x0202: /*Find File UNIX*/
12325 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
12328 default: /* unknown info level */
12336 /* is this one just wrong and should be dissect_fs0105_attributes above ? */
/*
 * Adds an "FS Attributes" bitfield to the tree: reads a 32-bit
 * little-endian mask at offset, creates a text item showing it in hex with
 * a subtree, and adds one boolean item per flag, all covering the same
 * four bytes.
 *
 * The function itself performs no byte-count check; the caller visible in
 * this listing (dissect_qfsi_vals) does CHECK_BYTE_COUNT_TRANS_SUBR(4)
 * before calling it.
 *
 * NOTE(review): the return statement is missing from this listing; the
 * caller assigns the result to offset, so it presumably returns the offset
 * past the mask -- confirm.
 */
12338 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12341 proto_item *item = NULL;
12342 proto_tree *tree = NULL;
12344 mask = tvb_get_letohl(tvb, offset);
12347 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12348 "FS Attributes: 0x%08x", mask);
12349 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
12352 /* case sensitive search */
12353 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
12354 tvb, offset, 4, mask);
12355 /* case preserved names */
12356 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
12357 tvb, offset, 4, mask);
12358 /* unicode on disk */
12359 proto_tree_add_boolean(tree, hf_smb_fs_attr_uod,
12360 tvb, offset, 4, mask);
12361 /* persistent acls */
12362 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
12363 tvb, offset, 4, mask);
12364 /* file compression */
12365 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
12366 tvb, offset, 4, mask);
12367 /* volume quotas */
12368 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
12369 tvb, offset, 4, mask);
12371 proto_tree_add_boolean(tree, hf_smb_fs_attr_ssf,
12372 tvb, offset, 4, mask);
12373 /* reparse points */
12374 proto_tree_add_boolean(tree, hf_smb_fs_attr_srp,
12375 tvb, offset, 4, mask);
12376 /* remote storage */
12377 proto_tree_add_boolean(tree, hf_smb_fs_attr_srs,
12378 tvb, offset, 4, mask);
12380 proto_tree_add_boolean(tree, hf_smb_fs_attr_sla,
12381 tvb, offset, 4, mask);
12382 /* volume is compressed */
12383 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
12384 tvb, offset, 4, mask);
12386 proto_tree_add_boolean(tree, hf_smb_fs_attr_soids,
12387 tvb, offset, 4, mask);
12389 proto_tree_add_boolean(tree, hf_smb_fs_attr_se,
12390 tvb, offset, 4, mask);
12391 /* named streams */
12392 proto_tree_add_boolean(tree, hf_smb_fs_attr_ns,
12393 tvb, offset, 4, mask);
12394 /* read only volume */
12395 proto_tree_add_boolean(tree, hf_smb_fs_attr_rov,
12396 tvb, offset, 4, mask);
/*
 * Adds a "Device Characteristics" bitfield to the tree: reads a 32-bit
 * little-endian mask at offset, creates a text item showing it in hex with
 * a subtree, and adds one boolean item per characteristic (removable,
 * read-only, floppy, write-once, remote, mounted, virtual), all covering
 * the same four bytes.
 *
 * The function itself performs no byte-count check; the caller visible in
 * this listing (dissect_qfsi_vals) does CHECK_BYTE_COUNT_TRANS_SUBR(4)
 * before calling it.
 *
 * NOTE(review): the return statement is missing from this listing; the
 * caller assigns the result to offset, so it presumably returns the offset
 * past the mask -- confirm.
 */
12405 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12408 proto_item *item = NULL;
12409 proto_tree *tree = NULL;
12411 mask = tvb_get_letohl(tvb, offset);
12414 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12415 "Device Characteristics: 0x%08x", mask);
12416 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
12419 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
12420 tvb, offset, 4, mask);
12421 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
12422 tvb, offset, 4, mask);
12423 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
12424 tvb, offset, 4, mask);
12425 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
12426 tvb, offset, 4, mask);
12427 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
12428 tvb, offset, 4, mask);
12429 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
12430 tvb, offset, 4, mask);
12431 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
12432 tvb, offset, 4, mask);
12438 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
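/*
 * Display strings for the individual bits of the "Mac Support Flags" word
 * shown by dissect_qfsi_vals() for MAC_QUERY_FS_INFO.
 * Each table is { text shown when the bit is set, text shown when clear }.
 */
static const true_false_string tfs_smb_mac_access_ctrl = {
	"Macintosh Access Control Supported",
	"Macintosh Access Control Not Supported"
};

static const true_false_string tfs_smb_mac_getset_comments = {
	"Macintosh Get & Set Comments Supported",
	"Macintosh Get & Set Comments Not Supported"
};

static const true_false_string tfs_smb_mac_desktopdb_calls = {
	"Macintosh Get & Set Desktop Database Info Supported",
	/*
	 * Previously identical to the "set" string, so a clear bit was also
	 * displayed as "Supported".
	 */
	"Macintosh Get & Set Desktop Database Info Not Supported"
};

static const true_false_string tfs_smb_mac_unique_ids = {
	"Macintosh Unique IDs Supported",
	"Macintosh Unique IDs Not Supported"
};

/*
 * NOTE(review): unlike the four tables above, these strings are in
 * "Not Supported" / "Supported" order. Left as found because the bit
 * definition of hf_smb_mac_sup_streams is outside this listing; confirm
 * whether the inversion is intended.
 */
static const true_false_string tfs_smb_mac_streams = {
	"Macintosh and Streams Extensions Not Supported",
	"Macintosh and Streams Extensions Supported"
};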
/*
 * Dissects the data block of a TRANS2_QUERY_FS_INFORMATION response.
 *
 * The layout is selected by si->info_level (from pinfo->private_data);
 * each case walks its fields in wire order and precedes every read with a
 * CHECK_BYTE_COUNT_TRANS_SUBR() for the field size.
 *
 * tvb/offset  buffer and position of the data block
 * bcp         remaining byte count of the data block
 *
 * NOTE(review): this listing has lost short lines (braces, "break;",
 * some declarations and assignments), and the CHECK_/COUNT_ macros are
 * defined elsewhere; presumably they bail out on a short buffer and
 * advance offset while decrementing *bcp -- confirm against the full file.
 */
12466 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12467 int offset, guint16 *bcp)
/* All three lengths are signed ints filled from unsigned wire fields. */
12470 int fn_len, vll, fnl;
12473 proto_item *item = NULL;
12474 proto_tree *ti = NULL;
12480 si = (smb_info_t *)pinfo->private_data;
12481 switch(si->info_level){
12482 case 1: /* SMB_INFO_ALLOCATION */
12483 /* filesystem id */
12484 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12485 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
12486 COUNT_BYTES_TRANS_SUBR(4);
12488 /* sectors per unit */
12489 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12490 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12491 COUNT_BYTES_TRANS_SUBR(4);
12494 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12495 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
12496 COUNT_BYTES_TRANS_SUBR(4);
12499 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12500 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
12501 COUNT_BYTES_TRANS_SUBR(4);
12503 /* bytes per sector, only 16bit integer here */
12504 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12505 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12506 COUNT_BYTES_TRANS_SUBR(2);
12509 case 2: /* SMB_INFO_VOLUME */
12510 /* volume serial number */
12511 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12512 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12513 COUNT_BYTES_TRANS_SUBR(4);
12515 /* volume label length, only one byte here */
12516 CHECK_BYTE_COUNT_TRANS_SUBR(1);
12517 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
12518 COUNT_BYTES_TRANS_SUBR(1);
/*
 * NOTE(review): the one-byte label length above is only displayed; no
 * assignment to fn_len is visible before this call. Presumably the helper
 * derives the length itself here -- confirm.
 */
12521 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
12522 CHECK_STRING_TRANS_SUBR(fn);
12523 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12525 COUNT_BYTES_TRANS_SUBR(fn_len);
12528 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
12529 case 1002: /* SMB_FS_LABEL_INFORMATION */
12530 /* volume label length */
12531 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/*
 * NOTE(review): vll is a packet-supplied 32-bit length held in a signed
 * int. How it reaches fn_len is not visible in this listing; confirm the
 * string helper bounds the length against *bcp.
 */
12532 vll = tvb_get_letohl(tvb, offset);
12533 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12534 COUNT_BYTES_TRANS_SUBR(4);
12538 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12539 CHECK_STRING_TRANS_SUBR(fn);
12540 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12542 COUNT_BYTES_TRANS_SUBR(fn_len);
12545 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
12546 case 1001: /* SMB_FS_VOLUME_INFORMATION */
12548 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12549 offset = dissect_nt_64bit_time(tvb, tree, offset,
12550 hf_smb_create_time);
12553 /* volume serial number */
12554 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12555 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12556 COUNT_BYTES_TRANS_SUBR(4);
12558 /* volume label length */
12559 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12560 vll = tvb_get_letohl(tvb, offset);
12561 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12562 COUNT_BYTES_TRANS_SUBR(4);
12564 /* 2 reserved bytes */
12565 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12566 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12567 COUNT_BYTES_TRANS_SUBR(2);
12571 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12572 CHECK_STRING_TRANS_SUBR(fn);
12573 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12575 COUNT_BYTES_TRANS_SUBR(fn_len);
12578 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
12579 case 1003: /* SMB_FS_SIZE_INFORMATION */
12580 /* allocation size */
12581 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12582 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12583 COUNT_BYTES_TRANS_SUBR(8);
12585 /* free allocation units */
12586 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12587 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
12588 COUNT_BYTES_TRANS_SUBR(8);
12590 /* sectors per unit */
12591 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12592 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12593 COUNT_BYTES_TRANS_SUBR(4);
12595 /* bytes per sector */
12596 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12597 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12598 COUNT_BYTES_TRANS_SUBR(4);
12601 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
12602 case 1004: /* SMB_FS_DEVICE_INFORMATION */
12604 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12605 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
12606 COUNT_BYTES_TRANS_SUBR(4);
12608 /* device characteristics */
12609 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12610 offset = dissect_device_characteristics(tvb, tree, offset);
12614 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
12615 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
12616 /* FS attributes */
12617 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12618 offset = dissect_fs_attributes(tvb, tree, offset);
12622 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12623 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
12624 COUNT_BYTES_TRANS_SUBR(4);
12626 /* fs name length */
12627 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/*
 * NOTE(review): fnl is a packet-supplied 32-bit length held in a signed
 * int; how it reaches fn_len is not visible in this listing.
 */
12628 fnl = tvb_get_letohl(tvb, offset);
12629 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
12630 COUNT_BYTES_TRANS_SUBR(4);
12634 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12635 CHECK_STRING_TRANS_SUBR(fn);
12636 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
12638 COUNT_BYTES_TRANS_SUBR(fn_len);
12641 case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
12642 proto_item *item = NULL;
12643 proto_tree *subtree = NULL;
12644 guint32 caps_lo, caps_hi;
12646 /* MajorVersionNumber */
12647 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12648 proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, TRUE);
12649 COUNT_BYTES_TRANS_SUBR(2);
12651 /* MinorVersionNumber */
12652 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12653 proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, TRUE);
12654 COUNT_BYTES_TRANS_SUBR(2);
12658 CHECK_BYTE_COUNT_TRANS_SUBR(8);
/* The 64-bit capability word is read as two little-endian 32-bit halves. */
12660 caps_lo = tvb_get_letohl(tvb, offset);
12661 caps_hi = tvb_get_letohl(tvb, offset + 4);
12664 item = proto_tree_add_text(
12665 tree, tvb, offset, 8, "Capabilities: 0x%08x%08x",
12667 subtree = proto_item_add_subtree(
12668 item, ett_smb_unix_capabilities);
12671 proto_tree_add_boolean(
12672 subtree, hf_smb_unix_capability_fcntl, tvb, offset, 8,
12675 proto_tree_add_boolean(
12676 subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 8,
12679 COUNT_BYTES_TRANS_SUBR(8);
12683 case 0x301: /* MAC_QUERY_FS_INFO */
12685 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12686 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
12689 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12690 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_modify_time);
12693 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12694 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_backup_time);
12696 /* Allocation blocks */
12697 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12698 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
12701 COUNT_BYTES_TRANS_SUBR(4);
12702 /* Allocation Block Size */
12703 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12704 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
12706 COUNT_BYTES_TRANS_SUBR(4);
12707 /* Free Block Count */
12708 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12709 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
12711 COUNT_BYTES_TRANS_SUBR(4);
12712 /* Finder Info ... */
12713 CHECK_BYTE_COUNT_TRANS_SUBR(32);
12714 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
12716 tvb_get_ptr(tvb, offset,32),
12718 tvb_format_text(tvb, offset, 32));
12719 COUNT_BYTES_TRANS_SUBR(32);
12721 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12722 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
12724 COUNT_BYTES_TRANS_SUBR(4);
12725 /* Number of Root Directories */
12726 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12727 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
12729 COUNT_BYTES_TRANS_SUBR(4);
12730 /* Number of files */
12731 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12732 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
12734 COUNT_BYTES_TRANS_SUBR(4);
12736 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12737 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
12739 COUNT_BYTES_TRANS_SUBR(4);
12740 /* Mac Support Flags */
12741 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/*
 * NOTE(review): this is the only integer in the function read in network
 * (big-endian) order; every other visible read is little-endian. Confirm
 * the byte order of the Mac extension fields.
 */
12742 support = tvb_get_ntohl(tvb, offset);
12743 item = proto_tree_add_text(tree, tvb, offset, 4,
12744 "Mac Support Flags: 0x%08x", support);
12745 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
12746 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
12747 tvb, offset, 4, support);
12748 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
12749 tvb, offset, 4, support);
12750 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
12751 tvb, offset, 4, support);
12752 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
12753 tvb, offset, 4, support);
12754 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
12755 tvb, offset, 4, support);
12756 COUNT_BYTES_TRANS_SUBR(4);
12758 case 1006: /* QUERY_FS_QUOTA_INFO */
12759 offset = dissect_nt_quota(tvb, tree, offset, bcp);
12761 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
12762 /* allocation size */
12763 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12764 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12765 COUNT_BYTES_TRANS_SUBR(8);
12767 /* caller free allocation units */
12768 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12769 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
12770 COUNT_BYTES_TRANS_SUBR(8);
12772 /* actual free allocation units */
12773 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12774 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
12775 COUNT_BYTES_TRANS_SUBR(8);
12777 /* sectors per unit */
12778 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12779 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12780 COUNT_BYTES_TRANS_SUBR(4);
12782 /* bytes per sector */
12783 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12784 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12785 COUNT_BYTES_TRANS_SUBR(4);
12787 case 1008: /* Query Object ID is GUID plus unknown data */ {
12789 char uuid_str[DCERPC_UUID_STR_LEN];
12791 guint8 drep = 0x10;
12793 CHECK_BYTE_COUNT_TRANS_SUBR(16);
12795 dcerpc_tvb_get_uuid (tvb, offset, &drep, &fs_id);
/*
 * The write is bounded by DCERPC_UUID_STR_LEN and the snprintf() result is
 * kept in uuid_str_len. NOTE(review): the check on that result is not
 * visible in this listing -- confirm truncation/error is handled before
 * uuid_str is displayed.
 */
12797 uuid_str_len = snprintf(
12798 uuid_str, DCERPC_UUID_STR_LEN,
12799 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
12800 fs_id.Data1, fs_id.Data2, fs_id.Data3,
12801 fs_id.Data4[0], fs_id.Data4[1],
12802 fs_id.Data4[2], fs_id.Data4[3],
12803 fs_id.Data4[4], fs_id.Data4[5],
12804 fs_id.Data4[6], fs_id.Data4[7]);
12806 proto_tree_add_string_format(
12807 tree, hf_smb_fs_guid, tvb,
12808 offset, 16, uuid_str, "GUID: %s", uuid_str);
12810 COUNT_BYTES_TRANS_SUBR(16);
/*
 * Dissects the data portion of a Transaction2 response.
 *
 * The remaining byte count dc starts as the reported length of tvb. The
 * matching request's sub-command is looked up through
 * si->sip->extra_info (t2i); when it is known, the data is handed to the
 * per-sub-command dissector, otherwise the item is labelled "Unknown
 * Transaction2 Data". Bytes no handler consumed are added as
 * hf_smb_unknown.
 *
 * NOTE(review): short lines (braces, "break;", declarations, else
 * branches, return statements) are missing from this listing, so the
 * exact control flow between the visible statements has to be confirmed
 * against the full file.
 */
12819 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
12820 proto_tree *parent_tree)
12822 proto_item *item = NULL;
12823 proto_tree *tree = NULL;
12825 smb_transact2_info_t *t2i;
/*
 * NOTE(review): &dc is later passed where a guint16 * is expected
 * (dissect_qfsi_vals takes guint16 *bcp). If dc is declared guint16, a
 * reported length above 65535 is narrowed here -- declaration not visible.
 */
12831 dc = tvb_reported_length(tvb);
12833 si = (smb_info_t *)pinfo->private_data;
12834 if (si->sip != NULL)
12835 t2i = si->sip->extra_info;
12840 if (t2i != NULL && t2i->subcmd != -1) {
12841 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12843 val_to_str(t2i->subcmd, trans2_cmd_vals,
12844 "Unknown (0x%02x)"));
12845 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
12847 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12848 "Unknown Transaction2 Data");
/*
 * NOTE(review): t2i can be NULL according to the test above, and the lines
 * between that test and this switch are missing from the listing. Confirm
 * a NULL guard precedes this dereference.
 */
12856 switch(t2i->subcmd){
12857 case 0x00: /*TRANS2_OPEN2*/
12858 /* XXX not implemented yet. See SNIA doc */
12860 case 0x01: /*TRANS2_FIND_FIRST2*/
12861 /* returned data */
12862 count = si->info_count;
12864 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12865 col_append_fstr(pinfo->cinfo, COL_INFO,
12870 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12871 offset, &dc, &trunc);
12876 case 0x02: /*TRANS2_FIND_NEXT2*/
12877 /* returned data */
12878 count = si->info_count;
12880 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12881 col_append_fstr(pinfo->cinfo, COL_INFO,
12886 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12887 offset, &dc, &trunc);
12892 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
12893 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
12895 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
12896 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12898 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
12899 /* no data in this response */
12901 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
12902 /* identical to QUERY_PATH_INFO */
12903 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12905 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
12906 /* no data in this response */
12908 case 0x09: /*TRANS2_FSCTL*/
12909 /* XXX dont know how to dissect this one (yet)*/
12912 * XXX - "Microsoft Networks SMB File Sharing Protocol
12913 * Extensions Version 3.0, Document Version 1.11,
12914 * July 19, 1990" says this this contains a
12915 * "File system specific return data block".
12916 * (That means we may not be able to dissect it in any
12920 case 0x0a: /*TRANS2_IOCTL2*/
12921 /* XXX dont know how to dissect this one (yet)*/
12924 * XXX - "Microsoft Networks SMB File Sharing Protocol
12925 * Extensions Version 3.0, Document Version 1.11,
12926 * July 19, 1990" says this this contains a
12927 * "Device/function specific return data block".
12928 * (That means we may not be able to dissect it in any
12932 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
12933 /* XXX dont know how to dissect this one (yet)*/
12936 * XXX - "Microsoft Networks SMB File Sharing Protocol
12937 * Extensions Version 3.0, Document Version 1.11,
12938 * July 19, 1990" says this this contains "the level
12939 * dependent information about the changes which
12943 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
12944 /* XXX dont know how to dissect this one (yet)*/
12947 * XXX - "Microsoft Networks SMB File Sharing Protocol
12948 * Extensions Version 3.0, Document Version 1.11,
12949 * July 19, 1990" says this this contains "the level
12950 * dependent information about the changes which
12954 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
12955 /* no data in this response */
12957 case 0x0e: /*TRANS2_SESSION_SETUP*/
12958 /* XXX dont know how to dissect this one (yet)*/
12960 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
12961 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
12963 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
12964 /* the SNIA spec appears to say the response has no data */
12968 * We don't know what the matching request was; don't
12969 * bother putting anything else into the tree for the data.
12976 /* ooops there were data we didnt know how to process */
12978 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Dissect the parameter block of a TRANSACTION2 response.
 *
 * tvb is expected to hold only the parameter bytes; pc is taken from its
 * reported length.  The subcommand is not read from this packet: it comes
 * from the smb_transact2_info_t hanging off si->sip->extra_info and selects
 * which fields are added under parent_tree.
 *
 * Side effect: for FIND_FIRST2, FIND_NEXT2, FIND_NOTIFY_FIRST and
 * FIND_NOTIFY_NEXT the 16-bit count read from the packet is stored in
 * si->info_count.  That value is sender-controlled and is not
 * range-checked in this function.
 */
12987 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
12989 proto_item *item = NULL;
12990 proto_tree *tree = NULL;
12992 smb_transact2_info_t *t2i;
/* reported length of this tvb, used as the parameter byte count */
12998 pc = tvb_reported_length(tvb);
13000 si = (smb_info_t *)pinfo->private_data;
/* si->sip carries the state kept for this transaction; it can be NULL */
13001 if (si->sip != NULL)
13002 t2i = si->sip->extra_info;
/* label the item with the subcommand name when it is known (-1 means unknown) */
13007 if (t2i != NULL && t2i->subcmd != -1) {
13008 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13010 val_to_str(t2i->subcmd, trans2_cmd_vals,
13011 "Unknown (0x%02x)"));
13012 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
13014 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13015 "Unknown Transaction2 Parameters");
/*
 * NOTE(review): the NULL test on t2i above only selects the label.  The
 * lines between it and this switch are not part of this listing, so confirm
 * that a NULL t2i returns before t2i->subcmd is read here.
 */
13023 switch(t2i->subcmd){
13024 case 0x00: /*TRANS2_OPEN2*/
13026 fid = tvb_get_letohs(tvb, offset);
13027 add_fid(tvb, pinfo, tree, offset, 2, fid);
13031 * XXX - Microsoft Networks SMB File Sharing Protocol
13032 * Extensions Version 3.0, Document Version 1.11,
13033 * July 19, 1990 says that the file attributes, create
13034 * time (which it says is the last modification time),
13035 * data size, granted access, file type, and IPC state
13036 * are returned only if bit 0 is set in the open flags,
13037 * and that the EA length is returned only if bit 3
13038 * is set in the open flags. Does that mean that,
13039 * at least in that SMB dialect, those fields are not
13040 * present in the reply parameters if the bits in
13041 * question aren't set?
13044 /* File Attributes */
13045 offset = dissect_file_attributes(tvb, tree, offset, 2);
13048 offset = dissect_smb_datetime(tvb, tree, offset,
13049 hf_smb_create_time,
13050 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
13053 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13056 /* granted access */
13057 offset = dissect_access(tvb, tree, offset, "Granted");
13060 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
13064 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
13067 offset = dissect_open_action(tvb, tree, offset);
13069 /* server unique file ID */
13070 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
13073 /* ea error offset, only a 16 bit integer here */
13074 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13078 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13082 case 0x01: /*TRANS2_FIND_FIRST2*/
13083 /* Find First2 information level */
/* zero-length item: the level is taken from si->info_level, not from bytes in this tvb */
13084 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
13087 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/*
 * The count is copied from the packet into si->info_count without a range
 * check; the Transaction2 data dissection earlier in this file reads it
 * back (count = si->info_count).
 */
13091 si->info_count = tvb_get_letohs(tvb, offset);
13092 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13095 /* end of search */
13096 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13099 /* ea error offset, only a 16 bit integer here */
13100 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13103 /* last name offset */
13104 lno = tvb_get_letohs(tvb, offset);
13105 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13109 case 0x02: /*TRANS2_FIND_NEXT2*/
/* same sender-controlled count as in FIND_FIRST2 */
13111 si->info_count = tvb_get_letohs(tvb, offset);
13112 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13115 /* end of search */
13116 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13119 /* ea_error_offset, only a 16 bit integer here*/
13120 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13123 /* last name offset */
13124 lno = tvb_get_letohs(tvb, offset);
13125 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13129 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13130 /* no parameter block here */
13132 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13133 /* ea_error_offset, only a 16 bit integer here*/
13134 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13138 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13139 /* ea_error_offset, only a 16 bit integer here*/
13140 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13144 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13145 /* ea_error_offset, only a 16 bit integer here*/
13146 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13150 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13151 /* ea_error_offset, only a 16 bit integer here*/
13152 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13156 case 0x09: /*TRANS2_FSCTL*/
13157 /* XXX dont know how to dissect this one (yet)*/
13160 * XXX - "Microsoft Networks SMB File Sharing Protocol
13161 * Extensions Version 3.0, Document Version 1.11,
13162 * July 19, 1990" says this this contains a
13163 * "File system specific return parameter block".
13164 * (That means we may not be able to dissect it in any
13168 case 0x0a: /*TRANS2_IOCTL2*/
13169 /* XXX dont know how to dissect this one (yet)*/
13172 * XXX - "Microsoft Networks SMB File Sharing Protocol
13173 * Extensions Version 3.0, Document Version 1.11,
13174 * July 19, 1990" says this this contains a
13175 * "Device/function specific return parameter block".
13176 * (That means we may not be able to dissect it in any
13180 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13181 /* Find Notify information level */
13182 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13184 /* Monitor handle */
13185 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
/* change count from the packet, stored unchecked in si->info_count */
13189 si->info_count = tvb_get_letohs(tvb, offset);
13190 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13193 /* ea_error_offset, only a 16 bit integer here*/
13194 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13198 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13199 /* Find Notify information level */
13200 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
/* change count from the packet, stored unchecked in si->info_count */
13203 si->info_count = tvb_get_letohs(tvb, offset);
13204 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13207 /* ea_error_offset, only a 16 bit integer here*/
13208 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13212 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13213 /* ea error offset, only a 16 bit integer here */
13214 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13218 case 0x0e: /*TRANS2_SESSION_SETUP*/
13219 /* XXX dont know how to dissect this one (yet)*/
13221 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13222 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13224 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13225 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
13229 * We don't know what the matching request was; don't
13230 * bother putting anything else into the tree for the data.
13236 /* ooops there were data we didnt know how to process */
/*
 * NOTE(review): pc-offset is the number of bytes left over.  It is negative
 * if offset has moved past pc; confirm that a pc > offset guard precedes
 * this call in the full file.
 */
13238 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
13239 offset += pc-offset;
/*
 * Dissect the response to SMB_COM_TRANSACTION / SMB_COM_TRANSACTION2.
 *
 * Reads the fixed response words (total parameter/data counts, per-packet
 * counts, offsets and displacements, setup count), builds tvbuffs for the
 * setup words, the parameter block and the data block, reassembles a
 * response split over several packets when smb_trans_reassembly is set,
 * and hands the pieces to the TRANSACTION2 dissectors or to the pipe,
 * mailslot or generic transaction dissectors.
 *
 * tp, td, pc, po, pd, dc, od, dd and sc are all read from the packet and
 * are therefore chosen by the sender.  They are used below as offsets and
 * lengths for tvb_new_subset() and smb_trans_defragment().  The checks
 * visible here compare pc and dc with tvb_length_remaining() before
 * reassembly, and clamp with MIN() on the path without reassembly, which
 * is only taken when both displacements are 0.
 */
13245 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13248 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
13250 smb_transact2_info_t *t2i = NULL;
13253 gboolean dissected_trans;
13254 fragment_data *r_fd = NULL;
13255 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
13256 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
13257 gboolean save_fragmented;
13259 si = (smb_info_t *)pinfo->private_data;
13262 case SMB_COM_TRANSACTION2:
/* the subcommand of a TRANSACTION2 response is only known through si->sip */
13264 if (si->sip != NULL) {
13265 t2i = si->sip->extra_info;
13270 * We didn't see the matching request, so we don't
13271 * know what type of transaction this is.
13273 proto_tree_add_text(tree, tvb, 0, 0,
13274 "Subcommand: <UNKNOWN> since request packet wasn't seen");
13275 if (check_col(pinfo->cinfo, COL_INFO)) {
13276 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
/* copy the information level kept in t2i into the per-packet info */
13279 si->info_level = t2i->info_level;
13280 if (t2i->subcmd == -1) {
13282 * We didn't manage to extract the subcommand
13283 * from the matching request (perhaps because
13284 * the frame was short), so we don't know what
13285 * type of transaction this is.
13287 proto_tree_add_text(tree, tvb, 0, 0,
13288 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
13289 if (check_col(pinfo->cinfo, COL_INFO)) {
13290 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
13293 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
13294 if (check_col(pinfo->cinfo, COL_INFO)) {
13295 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
13296 val_to_str(t2i->subcmd,
13298 "<unknown (0x%02x)>"));
13307 /* total param count, only a 16bit integer here */
13308 tp = tvb_get_letohs(tvb, offset);
13309 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
13312 /* total data count, only a 16 bit integer here */
13313 td = tvb_get_letohs(tvb, offset);
13314 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
13317 /* 2 reserved bytes */
13318 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* pc: parameter bytes carried in this packet */
13322 pc = tvb_get_letohs(tvb, offset);
13323 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
/* po: offset of the parameter bytes, used below as an index into tvb */
13327 po = tvb_get_letohs(tvb, offset);
13328 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
/* pd: displacement of these parameter bytes within the whole parameter block */
13332 pd = tvb_get_letohs(tvb, offset);
13333 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
/* dc, od, dd: the same three values for the data block */
13337 dc = tvb_get_letohs(tvb, offset);
13338 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
13342 od = tvb_get_letohs(tvb, offset);
13343 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
13347 dd = tvb_get_letohs(tvb, offset);
13348 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
/* sc: number of setup words, a single byte on the wire */
13352 sc = tvb_get_guint8(tvb, offset);
13353 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
13356 /* reserved byte */
13357 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13361 /* if there were any setup bytes, put them in a tvb for later */
/*
 * Each setup word is 2 bytes.  When fewer than 2*sc bytes are present the
 * subset is cut to what remains, while 2*sc is kept as its reported length.
 */
13363 if((2*sc)>tvb_length_remaining(tvb, offset)){
13364 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
13366 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
13368 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
13379 /* reassembly of SMB Transaction data payload.
13380 In this section we do reassembly of both the data and parameters
13381 blocks of the SMB transaction command.
13383 save_fragmented = pinfo->fragmented;
13384 /* do we need reassembly? */
13385 if( (td!=dc) || (tp!=pc) ){
13386 /* oh yeah, either data or parameter section needs
13389 pinfo->fragmented = TRUE;
13390 if(smb_trans_reassembly){
13391 /* ...and we were told to do reassembly */
/*
 * A fragment is only passed on when all of its bytes are present in tvb.
 * Parameters are placed at pd and data at dd+tp in a buffer of td+tp bytes.
 * NOTE(review): pd, dd, tp and td all come from the sender; whether
 * smb_trans_defragment() rejects a fragment that would end beyond td+tp is
 * not visible here - confirm.
 */
13392 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
13393 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13394 po, pc, pd, td+tp);
13397 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
13398 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13399 od, dc, dd+tp, td+tp);
13404 /* if we got a reassembled fd structure from the reassembly routine we must
13405 create pd_tvb from it
13408 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
13410 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
13411 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
13412 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
13417 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
/*
 * The parameters are the first tp bytes of the reassembled buffer and the
 * data the td bytes after them.
 * NOTE(review): tp and td are the totals announced by the sender;
 * tvb_new_subset() is relied on to refuse a range beyond r_fd->datalen -
 * confirm.
 */
13419 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
13422 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
13425 /* It was not reassembled. Do as best as we can.
13426 * in this case we always try to dissect the stuff if
13427 * data and param displacement is 0. i.e. for the first
13428 * (and maybe only) packet.
13430 if( (pd==0) && (dd==0) ){
13433 min = MIN(pc,tvb_length_remaining(tvb,po));
13434 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
13435 if(min && reported_min) {
13436 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
13438 min = MIN(dc,tvb_length_remaining(tvb,od));
13439 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
13440 if(min && reported_min) {
13441 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
13444 * A tvbuff containing the parameters
13446 * XXX - check pc and dc as well?
13448 if (tvb_length_remaining(tvb, po)){
13449 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
13458 /* We have some padding bytes.
13460 padcnt = po-offset;
13463 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13464 COUNT_BYTES(padcnt);
13466 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
13467 /* TRANSACTION2 parameters*/
13468 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
13475 /* We have some initial padding bytes.
13477 padcnt = od-offset;
13480 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13481 COUNT_BYTES(padcnt);
13484 * If the data count is bigger than the count of bytes
13485 * remaining, clamp it so that the count of bytes remaining
13486 * doesn't go negative.
13494 /* from now on, everything is in separate tvbuffs so we dont count
13495 the bytes with COUNT_BYTES any more.
13496 neither do we reference offset any more (which by now points to the
13497 first byte AFTER this PDU */
13500 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
13501 /* TRANSACTION2 data */
13502 dissect_transaction2_response_data(d_tvb, pinfo, tree);
13506 if(si->cmd==SMB_COM_TRANSACTION){
13507 smb_transact_info_t *tri;
13509 dissected_trans = FALSE;
13510 if (si->sip != NULL)
13511 tri = si->sip->extra_info;
/*
 * NOTE(review): tri is only assigned above when si->sip is not NULL.  The
 * lines between that test and this switch are not part of this listing, so
 * confirm that tri is set to NULL and checked before tri->subcmd is read.
 */
13515 switch(tri->subcmd){
13517 case TRANSACTION_PIPE:
13518 /* This function is safe to call for
13519 s_tvb==sp_tvb==NULL, i.e. if we don't
13520 know them at this point.
13521 It's also safe to call if "p_tvb"
13522 or "d_tvb" are null.
13525 dissected_trans = dissect_pipe_smb(
13526 sp_tvb, s_tvb, pd_tvb, p_tvb,
13527 d_tvb, NULL, pinfo, top_tree);
13531 case TRANSACTION_MAILSLOT:
13532 /* This one should be safe to call
13533 even if s_tvb and sp_tvb is NULL
13536 dissected_trans = dissect_mailslot_smb(
13537 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
13543 if (!dissected_trans) {
13544 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
13545 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
/* neither block could be extracted from this packet: mark it as a continuation */
13550 if( (p_tvb==0) && (d_tvb==0) ){
13551 if(check_col(pinfo->cinfo, COL_INFO)){
13552 col_append_str(pinfo->cinfo, COL_INFO,
13553 "[transact continuation]");
/* restore the fragmented flag that was saved before the reassembly section */
13557 pinfo->fragmented = save_fragmented;
/*
 * Dissect a Find Notify Close request (command 0x35 in smb_dissector).
 * The only field added by the lines visible here is the 2-byte monitor
 * handle at offset.
 */
13565 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13572 /* Monitor handle */
13573 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13583 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13584 END Transaction/Transaction2 Primary and secondary requests
13585 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Fallback handler used in smb_dissector for every command that has no
 * dedicated dissector.  It does not interpret the payload: it labels
 * wc*2 bytes as "Word parameters" and bc bytes as "Byte parameters".
 * wc and bc are set by lines that are not part of this listing
 * (presumably the word count and byte count read from the packet - confirm).
 */
13589 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13597 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
13604 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
/*
 * Handler pair for one SMB command: one function for the request and one
 * for the response.  Both take the same arguments and return an int
 * (presumably the offset after the dissected bytes - confirm).
 */
13614 typedef struct _smb_function {
13615 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13616 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
/*
 * Dispatch table: one {request, response} handler pair for each of the 256
 * possible values of the one-byte SMB command code.  Every slot is filled;
 * command codes with no dedicated dissector point at dissect_unknown, so no
 * entry holds a NULL function pointer.
 * Presumably indexed by the guint8 cmd passed to dissect_smb_command(); the
 * lookup itself is not visible here - confirm.
 */
13619 static smb_function smb_dissector[256] = {
13620 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
13621 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
13622 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
13623 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
13624 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
13625 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
13626 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
13627 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
13628 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
13629 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
13630 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
13631 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
13632 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
13633 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
13634 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
13635 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
13637 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
13638 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
13639 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
13640 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
13641 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
13642 /* 0x15 */ {dissect_unknown, dissect_unknown},
13643 /* 0x16 */ {dissect_unknown, dissect_unknown},
13644 /* 0x17 */ {dissect_unknown, dissect_unknown},
13645 /* 0x18 */ {dissect_unknown, dissect_unknown},
13646 /* 0x19 */ {dissect_unknown, dissect_unknown},
13647 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
13648 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
13649 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
13650 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
13651 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
13652 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
13654 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
13655 /* 0x21 */ {dissect_unknown, dissect_unknown},
13656 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
13657 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
13658 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
13659 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
13660 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13661 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
13662 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
13663 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
13664 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
13665 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
13666 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
13667 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
13668 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
13669 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
13671 /* 0x30 */ {dissect_unknown, dissect_unknown},
13672 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
13673 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
13674 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13675 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
13676 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
13677 /* 0x36 */ {dissect_unknown, dissect_unknown},
13678 /* 0x37 */ {dissect_unknown, dissect_unknown},
13679 /* 0x38 */ {dissect_unknown, dissect_unknown},
13680 /* 0x39 */ {dissect_unknown, dissect_unknown},
13681 /* 0x3a */ {dissect_unknown, dissect_unknown},
13682 /* 0x3b */ {dissect_unknown, dissect_unknown},
13683 /* 0x3c */ {dissect_unknown, dissect_unknown},
13684 /* 0x3d */ {dissect_unknown, dissect_unknown},
13685 /* 0x3e */ {dissect_unknown, dissect_unknown},
13686 /* 0x3f */ {dissect_unknown, dissect_unknown},
13688 /* 0x40 */ {dissect_unknown, dissect_unknown},
13689 /* 0x41 */ {dissect_unknown, dissect_unknown},
13690 /* 0x42 */ {dissect_unknown, dissect_unknown},
13691 /* 0x43 */ {dissect_unknown, dissect_unknown},
13692 /* 0x44 */ {dissect_unknown, dissect_unknown},
13693 /* 0x45 */ {dissect_unknown, dissect_unknown},
13694 /* 0x46 */ {dissect_unknown, dissect_unknown},
13695 /* 0x47 */ {dissect_unknown, dissect_unknown},
13696 /* 0x48 */ {dissect_unknown, dissect_unknown},
13697 /* 0x49 */ {dissect_unknown, dissect_unknown},
13698 /* 0x4a */ {dissect_unknown, dissect_unknown},
13699 /* 0x4b */ {dissect_unknown, dissect_unknown},
13700 /* 0x4c */ {dissect_unknown, dissect_unknown},
13701 /* 0x4d */ {dissect_unknown, dissect_unknown},
13702 /* 0x4e */ {dissect_unknown, dissect_unknown},
13703 /* 0x4f */ {dissect_unknown, dissect_unknown},
13705 /* 0x50 */ {dissect_unknown, dissect_unknown},
13706 /* 0x51 */ {dissect_unknown, dissect_unknown},
13707 /* 0x52 */ {dissect_unknown, dissect_unknown},
13708 /* 0x53 */ {dissect_unknown, dissect_unknown},
13709 /* 0x54 */ {dissect_unknown, dissect_unknown},
13710 /* 0x55 */ {dissect_unknown, dissect_unknown},
13711 /* 0x56 */ {dissect_unknown, dissect_unknown},
13712 /* 0x57 */ {dissect_unknown, dissect_unknown},
13713 /* 0x58 */ {dissect_unknown, dissect_unknown},
13714 /* 0x59 */ {dissect_unknown, dissect_unknown},
13715 /* 0x5a */ {dissect_unknown, dissect_unknown},
13716 /* 0x5b */ {dissect_unknown, dissect_unknown},
13717 /* 0x5c */ {dissect_unknown, dissect_unknown},
13718 /* 0x5d */ {dissect_unknown, dissect_unknown},
13719 /* 0x5e */ {dissect_unknown, dissect_unknown},
13720 /* 0x5f */ {dissect_unknown, dissect_unknown},
13722 /* 0x60 */ {dissect_unknown, dissect_unknown},
13723 /* 0x61 */ {dissect_unknown, dissect_unknown},
13724 /* 0x62 */ {dissect_unknown, dissect_unknown},
13725 /* 0x63 */ {dissect_unknown, dissect_unknown},
13726 /* 0x64 */ {dissect_unknown, dissect_unknown},
13727 /* 0x65 */ {dissect_unknown, dissect_unknown},
13728 /* 0x66 */ {dissect_unknown, dissect_unknown},
13729 /* 0x67 */ {dissect_unknown, dissect_unknown},
13730 /* 0x68 */ {dissect_unknown, dissect_unknown},
13731 /* 0x69 */ {dissect_unknown, dissect_unknown},
13732 /* 0x6a */ {dissect_unknown, dissect_unknown},
13733 /* 0x6b */ {dissect_unknown, dissect_unknown},
13734 /* 0x6c */ {dissect_unknown, dissect_unknown},
13735 /* 0x6d */ {dissect_unknown, dissect_unknown},
13736 /* 0x6e */ {dissect_unknown, dissect_unknown},
13737 /* 0x6f */ {dissect_unknown, dissect_unknown},
13739 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
13740 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
13741 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
13742 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
13743 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
13744 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
13745 /* 0x76 */ {dissect_unknown, dissect_unknown},
13746 /* 0x77 */ {dissect_unknown, dissect_unknown},
13747 /* 0x78 */ {dissect_unknown, dissect_unknown},
13748 /* 0x79 */ {dissect_unknown, dissect_unknown},
13749 /* 0x7a */ {dissect_unknown, dissect_unknown},
13750 /* 0x7b */ {dissect_unknown, dissect_unknown},
13751 /* 0x7c */ {dissect_unknown, dissect_unknown},
13752 /* 0x7d */ {dissect_unknown, dissect_unknown},
13753 /* 0x7e */ {dissect_unknown, dissect_unknown},
13754 /* 0x7f */ {dissect_unknown, dissect_unknown},
13756 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
13757 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
13758 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
13759 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
13760 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
13761 /* 0x85 */ {dissect_unknown, dissect_unknown},
13762 /* 0x86 */ {dissect_unknown, dissect_unknown},
13763 /* 0x87 */ {dissect_unknown, dissect_unknown},
13764 /* 0x88 */ {dissect_unknown, dissect_unknown},
13765 /* 0x89 */ {dissect_unknown, dissect_unknown},
13766 /* 0x8a */ {dissect_unknown, dissect_unknown},
13767 /* 0x8b */ {dissect_unknown, dissect_unknown},
13768 /* 0x8c */ {dissect_unknown, dissect_unknown},
13769 /* 0x8d */ {dissect_unknown, dissect_unknown},
13770 /* 0x8e */ {dissect_unknown, dissect_unknown},
13771 /* 0x8f */ {dissect_unknown, dissect_unknown},
13773 /* 0x90 */ {dissect_unknown, dissect_unknown},
13774 /* 0x91 */ {dissect_unknown, dissect_unknown},
13775 /* 0x92 */ {dissect_unknown, dissect_unknown},
13776 /* 0x93 */ {dissect_unknown, dissect_unknown},
13777 /* 0x94 */ {dissect_unknown, dissect_unknown},
13778 /* 0x95 */ {dissect_unknown, dissect_unknown},
13779 /* 0x96 */ {dissect_unknown, dissect_unknown},
13780 /* 0x97 */ {dissect_unknown, dissect_unknown},
13781 /* 0x98 */ {dissect_unknown, dissect_unknown},
13782 /* 0x99 */ {dissect_unknown, dissect_unknown},
13783 /* 0x9a */ {dissect_unknown, dissect_unknown},
13784 /* 0x9b */ {dissect_unknown, dissect_unknown},
13785 /* 0x9c */ {dissect_unknown, dissect_unknown},
13786 /* 0x9d */ {dissect_unknown, dissect_unknown},
13787 /* 0x9e */ {dissect_unknown, dissect_unknown},
13788 /* 0x9f */ {dissect_unknown, dissect_unknown},
13790 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13791 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13792 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
13793 /* 0xa3 */ {dissect_unknown, dissect_unknown},
13794 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
13795 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
13796 /* 0xa6 */ {dissect_unknown, dissect_unknown},
13797 /* 0xa7 */ {dissect_unknown, dissect_unknown},
13798 /* 0xa8 */ {dissect_unknown, dissect_unknown},
13799 /* 0xa9 */ {dissect_unknown, dissect_unknown},
13800 /* 0xaa */ {dissect_unknown, dissect_unknown},
13801 /* 0xab */ {dissect_unknown, dissect_unknown},
13802 /* 0xac */ {dissect_unknown, dissect_unknown},
13803 /* 0xad */ {dissect_unknown, dissect_unknown},
13804 /* 0xae */ {dissect_unknown, dissect_unknown},
13805 /* 0xaf */ {dissect_unknown, dissect_unknown},
13807 /* 0xb0 */ {dissect_unknown, dissect_unknown},
13808 /* 0xb1 */ {dissect_unknown, dissect_unknown},
13809 /* 0xb2 */ {dissect_unknown, dissect_unknown},
13810 /* 0xb3 */ {dissect_unknown, dissect_unknown},
13811 /* 0xb4 */ {dissect_unknown, dissect_unknown},
13812 /* 0xb5 */ {dissect_unknown, dissect_unknown},
13813 /* 0xb6 */ {dissect_unknown, dissect_unknown},
13814 /* 0xb7 */ {dissect_unknown, dissect_unknown},
13815 /* 0xb8 */ {dissect_unknown, dissect_unknown},
13816 /* 0xb9 */ {dissect_unknown, dissect_unknown},
13817 /* 0xba */ {dissect_unknown, dissect_unknown},
13818 /* 0xbb */ {dissect_unknown, dissect_unknown},
13819 /* 0xbc */ {dissect_unknown, dissect_unknown},
13820 /* 0xbd */ {dissect_unknown, dissect_unknown},
13821 /* 0xbe */ {dissect_unknown, dissect_unknown},
13822 /* 0xbf */ {dissect_unknown, dissect_unknown},
13824 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
13825 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
13826 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
13827 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
13828 /* 0xc4 */ {dissect_unknown, dissect_unknown},
13829 /* 0xc5 */ {dissect_unknown, dissect_unknown},
13830 /* 0xc6 */ {dissect_unknown, dissect_unknown},
13831 /* 0xc7 */ {dissect_unknown, dissect_unknown},
13832 /* 0xc8 */ {dissect_unknown, dissect_unknown},
13833 /* 0xc9 */ {dissect_unknown, dissect_unknown},
13834 /* 0xca */ {dissect_unknown, dissect_unknown},
13835 /* 0xcb */ {dissect_unknown, dissect_unknown},
13836 /* 0xcc */ {dissect_unknown, dissect_unknown},
13837 /* 0xcd */ {dissect_unknown, dissect_unknown},
13838 /* 0xce */ {dissect_unknown, dissect_unknown},
13839 /* 0xcf */ {dissect_unknown, dissect_unknown},
13841 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
13842 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
13843 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
13844 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
13845 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
13846 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
13847 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
13848 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
13849 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
13850 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
13851 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
13852 /* 0xdb */ {dissect_unknown, dissect_unknown},
13853 /* 0xdc */ {dissect_unknown, dissect_unknown},
13854 /* 0xdd */ {dissect_unknown, dissect_unknown},
13855 /* 0xde */ {dissect_unknown, dissect_unknown},
13856 /* 0xdf */ {dissect_unknown, dissect_unknown},
13858 /* 0xe0 */ {dissect_unknown, dissect_unknown},
13859 /* 0xe1 */ {dissect_unknown, dissect_unknown},
13860 /* 0xe2 */ {dissect_unknown, dissect_unknown},
13861 /* 0xe3 */ {dissect_unknown, dissect_unknown},
13862 /* 0xe4 */ {dissect_unknown, dissect_unknown},
13863 /* 0xe5 */ {dissect_unknown, dissect_unknown},
13864 /* 0xe6 */ {dissect_unknown, dissect_unknown},
13865 /* 0xe7 */ {dissect_unknown, dissect_unknown},
13866 /* 0xe8 */ {dissect_unknown, dissect_unknown},
13867 /* 0xe9 */ {dissect_unknown, dissect_unknown},
13868 /* 0xea */ {dissect_unknown, dissect_unknown},
13869 /* 0xeb */ {dissect_unknown, dissect_unknown},
13870 /* 0xec */ {dissect_unknown, dissect_unknown},
13871 /* 0xed */ {dissect_unknown, dissect_unknown},
13872 /* 0xee */ {dissect_unknown, dissect_unknown},
13873 /* 0xef */ {dissect_unknown, dissect_unknown},
13875 /* 0xf0 */ {dissect_unknown, dissect_unknown},
13876 /* 0xf1 */ {dissect_unknown, dissect_unknown},
13877 /* 0xf2 */ {dissect_unknown, dissect_unknown},
13878 /* 0xf3 */ {dissect_unknown, dissect_unknown},
13879 /* 0xf4 */ {dissect_unknown, dissect_unknown},
13880 /* 0xf5 */ {dissect_unknown, dissect_unknown},
13881 /* 0xf6 */ {dissect_unknown, dissect_unknown},
13882 /* 0xf7 */ {dissect_unknown, dissect_unknown},
13883 /* 0xf8 */ {dissect_unknown, dissect_unknown},
13884 /* 0xf9 */ {dissect_unknown, dissect_unknown},
13885 /* 0xfa */ {dissect_unknown, dissect_unknown},
13886 /* 0xfb */ {dissect_unknown, dissect_unknown},
13887 /* 0xfc */ {dissect_unknown, dissect_unknown},
13888 /* 0xfd */ {dissect_unknown, dissect_unknown},
13889 /* 0xfe */ {dissect_unknown, dissect_unknown},
13890 /* 0xff */ {dissect_unknown, dissect_unknown},
/*
 * Dissect one SMB command. The visible lines append the command name (with
 * "Request"/"Response" in one of the two calls) to the Info column, add a
 * text item and subtree for the command under smb_tree, call the request or
 * response handler stored for `cmd` in smb_dissector[], and end the item at
 * the offset that handler returns.
 *
 * NOTE(review): the gutter numbers skip lines (13895-13897, 13905, 13907,
 * 13910, 13912, 13914-13917, ...), so the return type, the declaration of
 * `si`, any test on `cmd` or `first_pdu`, the format strings and the return
 * statement are not shown in this listing. The comments below describe only
 * what is visible.
 */
13894 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
/* Per-packet SMB state comes from pinfo->private_data; no NULL check is
 * visible before si->request is read below. */
13898 si = pinfo->private_data;
13900 proto_item *cmd_item;
13901 proto_tree *cmd_tree;
13902 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
/* Info column text. decode_smb_name(cmd) is passed as an argument to the
 * format string, never as the format itself. */
13904 if (check_col(pinfo->cinfo, COL_INFO)) {
13906 col_append_fstr(pinfo->cinfo, COL_INFO,
13908 decode_smb_name(cmd),
13909 (si->request)? "Request" : "Response");
13911 col_append_fstr(pinfo->cinfo, COL_INFO,
13913 decode_smb_name(cmd));
/* Length -1 here; the real end is set by proto_item_set_end() once the
 * handler has returned the offset it reached. */
13918 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
13920 decode_smb_name(cmd),
13921 (si->request)?"Request":"Response",
13924 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
/* The handler is chosen by a plain array index on `cmd`, and the result is
 * called through a function pointer. `cmd` is a guint8, so the index is at
 * most 0xff; the lookup stays in bounds only while smb_dissector[] holds a
 * {request, response} pair for every value up to 0xff (the table entries
 * commented 0xc5..0xff precede this function). Presumably `cmd` is the
 * command byte from the packet - confirm at the call sites. */
13926 dissector = (si->request)?
13927 smb_dissector[cmd].request:smb_dissector[cmd].response;
13929 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
13930 proto_item_set_end(cmd_item, tvb, offset);
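13936 /* NOTE: this value_string array is also used to access data directly by
13937 * index instead of through val_to_str(), since
13938 * 1, the array will always span every value from 0x00 to 0xff and
13939 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
13940 * This means that this value_string array MUST always
13941 * 1, contain all entries 0x00 to 0xff
13942 * 2, have all entries in order.
 * decode_smb_name() does that indexing without a bounds check, and
 * dissect_smb() passes it the command byte read from the packet, so a missing
 * or misplaced entry would give a wrong name or a read past the end of the
 * array.
 */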
13944 const value_string smb_cmd_vals[] = {
13945 { 0x00, "Create Directory" },
13946 { 0x01, "Delete Directory" },
13948 { 0x03, "Create" },
13951 { 0x06, "Delete" },
13952 { 0x07, "Rename" },
13953 { 0x08, "Query Information" },
13954 { 0x09, "Set Information" },
13957 { 0x0C, "Lock Byte Range" },
13958 { 0x0D, "Unlock Byte Range" },
13959 { 0x0E, "Create Temp" },
13960 { 0x0F, "Create New" },
13961 { 0x10, "Check Directory" },
13962 { 0x11, "Process Exit" },
13964 { 0x13, "Lock And Read" },
13965 { 0x14, "Write And Unlock" },
13966 { 0x15, "unknown-0x15" },
13967 { 0x16, "unknown-0x16" },
13968 { 0x17, "unknown-0x17" },
13969 { 0x18, "unknown-0x18" },
13970 { 0x19, "unknown-0x19" },
13971 { 0x1A, "Read Raw" },
13972 { 0x1B, "Read MPX" },
13973 { 0x1C, "Read MPX Secondary" },
13974 { 0x1D, "Write Raw" },
13975 { 0x1E, "Write MPX" },
13976 { 0x1F, "Write MPX Secondary" },
13977 { 0x20, "Write Complete" },
13978 { 0x21, "unknown-0x21" },
13979 { 0x22, "Set Information2" },
13980 { 0x23, "Query Information2" },
13981 { 0x24, "Locking AndX" },
13983 { 0x26, "Trans Secondary" },
13985 { 0x28, "IOCTL Secondary" },
13989 { 0x2C, "Write And Close" },
13990 { 0x2D, "Open AndX" },
13991 { 0x2E, "Read AndX" },
13992 { 0x2F, "Write AndX" },
13993 { 0x30, "unknown-0x30" },
13994 { 0x31, "Close And Tree Disconnect" },
13995 { 0x32, "Trans2" },
13996 { 0x33, "Trans2 Secondary" },
13997 { 0x34, "Find Close2" },
13998 { 0x35, "Find Notify Close" },
13999 { 0x36, "unknown-0x36" },
14000 { 0x37, "unknown-0x37" },
14001 { 0x38, "unknown-0x38" },
14002 { 0x39, "unknown-0x39" },
14003 { 0x3A, "unknown-0x3A" },
14004 { 0x3B, "unknown-0x3B" },
14005 { 0x3C, "unknown-0x3C" },
14006 { 0x3D, "unknown-0x3D" },
14007 { 0x3E, "unknown-0x3E" },
14008 { 0x3F, "unknown-0x3F" },
14009 { 0x40, "unknown-0x40" },
14010 { 0x41, "unknown-0x41" },
14011 { 0x42, "unknown-0x42" },
14012 { 0x43, "unknown-0x43" },
14013 { 0x44, "unknown-0x44" },
14014 { 0x45, "unknown-0x45" },
14015 { 0x46, "unknown-0x46" },
14016 { 0x47, "unknown-0x47" },
14017 { 0x48, "unknown-0x48" },
14018 { 0x49, "unknown-0x49" },
14019 { 0x4A, "unknown-0x4A" },
14020 { 0x4B, "unknown-0x4B" },
14021 { 0x4C, "unknown-0x4C" },
14022 { 0x4D, "unknown-0x4D" },
14023 { 0x4E, "unknown-0x4E" },
14024 { 0x4F, "unknown-0x4F" },
14025 { 0x50, "unknown-0x50" },
14026 { 0x51, "unknown-0x51" },
14027 { 0x52, "unknown-0x52" },
14028 { 0x53, "unknown-0x53" },
14029 { 0x54, "unknown-0x54" },
14030 { 0x55, "unknown-0x55" },
14031 { 0x56, "unknown-0x56" },
14032 { 0x57, "unknown-0x57" },
14033 { 0x58, "unknown-0x58" },
14034 { 0x59, "unknown-0x59" },
14035 { 0x5A, "unknown-0x5A" },
14036 { 0x5B, "unknown-0x5B" },
14037 { 0x5C, "unknown-0x5C" },
14038 { 0x5D, "unknown-0x5D" },
14039 { 0x5E, "unknown-0x5E" },
14040 { 0x5F, "unknown-0x5F" },
14041 { 0x60, "unknown-0x60" },
14042 { 0x61, "unknown-0x61" },
14043 { 0x62, "unknown-0x62" },
14044 { 0x63, "unknown-0x63" },
14045 { 0x64, "unknown-0x64" },
14046 { 0x65, "unknown-0x65" },
14047 { 0x66, "unknown-0x66" },
14048 { 0x67, "unknown-0x67" },
14049 { 0x68, "unknown-0x68" },
14050 { 0x69, "unknown-0x69" },
14051 { 0x6A, "unknown-0x6A" },
14052 { 0x6B, "unknown-0x6B" },
14053 { 0x6C, "unknown-0x6C" },
14054 { 0x6D, "unknown-0x6D" },
14055 { 0x6E, "unknown-0x6E" },
14056 { 0x6F, "unknown-0x6F" },
14057 { 0x70, "Tree Connect" },
14058 { 0x71, "Tree Disconnect" },
14059 { 0x72, "Negotiate Protocol" },
14060 { 0x73, "Session Setup AndX" },
14061 { 0x74, "Logoff AndX" },
14062 { 0x75, "Tree Connect AndX" },
14063 { 0x76, "unknown-0x76" },
14064 { 0x77, "unknown-0x77" },
14065 { 0x78, "unknown-0x78" },
14066 { 0x79, "unknown-0x79" },
14067 { 0x7A, "unknown-0x7A" },
14068 { 0x7B, "unknown-0x7B" },
14069 { 0x7C, "unknown-0x7C" },
14070 { 0x7D, "unknown-0x7D" },
14071 { 0x7E, "unknown-0x7E" },
14072 { 0x7F, "unknown-0x7F" },
14073 { 0x80, "Query Information Disk" },
14074 { 0x81, "Search" },
14076 { 0x83, "Find Unique" },
14077 { 0x84, "Find Close" },
14078 { 0x85, "unknown-0x85" },
14079 { 0x86, "unknown-0x86" },
14080 { 0x87, "unknown-0x87" },
14081 { 0x88, "unknown-0x88" },
14082 { 0x89, "unknown-0x89" },
14083 { 0x8A, "unknown-0x8A" },
14084 { 0x8B, "unknown-0x8B" },
14085 { 0x8C, "unknown-0x8C" },
14086 { 0x8D, "unknown-0x8D" },
14087 { 0x8E, "unknown-0x8E" },
14088 { 0x8F, "unknown-0x8F" },
14089 { 0x90, "unknown-0x90" },
14090 { 0x91, "unknown-0x91" },
14091 { 0x92, "unknown-0x92" },
14092 { 0x93, "unknown-0x93" },
14093 { 0x94, "unknown-0x94" },
14094 { 0x95, "unknown-0x95" },
14095 { 0x96, "unknown-0x96" },
14096 { 0x97, "unknown-0x97" },
14097 { 0x98, "unknown-0x98" },
14098 { 0x99, "unknown-0x99" },
14099 { 0x9A, "unknown-0x9A" },
14100 { 0x9B, "unknown-0x9B" },
14101 { 0x9C, "unknown-0x9C" },
14102 { 0x9D, "unknown-0x9D" },
14103 { 0x9E, "unknown-0x9E" },
14104 { 0x9F, "unknown-0x9F" },
14105 { 0xA0, "NT Trans" },
14106 { 0xA1, "NT Trans Secondary" },
14107 { 0xA2, "NT Create AndX" },
14108 { 0xA3, "unknown-0xA3" },
14109 { 0xA4, "NT Cancel" },
14110 { 0xA5, "NT Rename" },
14111 { 0xA6, "unknown-0xA6" },
14112 { 0xA7, "unknown-0xA7" },
14113 { 0xA8, "unknown-0xA8" },
14114 { 0xA9, "unknown-0xA9" },
14115 { 0xAA, "unknown-0xAA" },
14116 { 0xAB, "unknown-0xAB" },
14117 { 0xAC, "unknown-0xAC" },
14118 { 0xAD, "unknown-0xAD" },
14119 { 0xAE, "unknown-0xAE" },
14120 { 0xAF, "unknown-0xAF" },
14121 { 0xB0, "unknown-0xB0" },
14122 { 0xB1, "unknown-0xB1" },
14123 { 0xB2, "unknown-0xB2" },
14124 { 0xB3, "unknown-0xB3" },
14125 { 0xB4, "unknown-0xB4" },
14126 { 0xB5, "unknown-0xB5" },
14127 { 0xB6, "unknown-0xB6" },
14128 { 0xB7, "unknown-0xB7" },
14129 { 0xB8, "unknown-0xB8" },
14130 { 0xB9, "unknown-0xB9" },
14131 { 0xBA, "unknown-0xBA" },
14132 { 0xBB, "unknown-0xBB" },
14133 { 0xBC, "unknown-0xBC" },
14134 { 0xBD, "unknown-0xBD" },
14135 { 0xBE, "unknown-0xBE" },
14136 { 0xBF, "unknown-0xBF" },
14137 { 0xC0, "Open Print File" },
14138 { 0xC1, "Write Print File" },
14139 { 0xC2, "Close Print File" },
14140 { 0xC3, "Get Print Queue" },
14141 { 0xC4, "unknown-0xC4" },
14142 { 0xC5, "unknown-0xC5" },
14143 { 0xC6, "unknown-0xC6" },
14144 { 0xC7, "unknown-0xC7" },
14145 { 0xC8, "unknown-0xC8" },
14146 { 0xC9, "unknown-0xC9" },
14147 { 0xCA, "unknown-0xCA" },
14148 { 0xCB, "unknown-0xCB" },
14149 { 0xCC, "unknown-0xCC" },
14150 { 0xCD, "unknown-0xCD" },
14151 { 0xCE, "unknown-0xCE" },
14152 { 0xCF, "unknown-0xCF" },
14153 { 0xD0, "Send Single Block Message" },
14154 { 0xD1, "Send Broadcast Message" },
14155 { 0xD2, "Forward User Name" },
14156 { 0xD3, "Cancel Forward" },
14157 { 0xD4, "Get Machine Name" },
14158 { 0xD5, "Send Start of Multi-block Message" },
14159 { 0xD6, "Send End of Multi-block Message" },
14160 { 0xD7, "Send Text of Multi-block Message" },
14161 { 0xD8, "SMBreadbulk" },
14162 { 0xD9, "SMBwritebulk" },
14163 { 0xDA, "SMBwritebulkdata" },
14164 { 0xDB, "unknown-0xDB" },
14165 { 0xDC, "unknown-0xDC" },
14166 { 0xDD, "unknown-0xDD" },
14167 { 0xDE, "unknown-0xDE" },
14168 { 0xDF, "unknown-0xDF" },
14169 { 0xE0, "unknown-0xE0" },
14170 { 0xE1, "unknown-0xE1" },
14171 { 0xE2, "unknown-0xE2" },
14172 { 0xE3, "unknown-0xE3" },
14173 { 0xE4, "unknown-0xE4" },
14174 { 0xE5, "unknown-0xE5" },
14175 { 0xE6, "unknown-0xE6" },
14176 { 0xE7, "unknown-0xE7" },
14177 { 0xE8, "unknown-0xE8" },
14178 { 0xE9, "unknown-0xE9" },
14179 { 0xEA, "unknown-0xEA" },
14180 { 0xEB, "unknown-0xEB" },
14181 { 0xEC, "unknown-0xEC" },
14182 { 0xED, "unknown-0xED" },
14183 { 0xEE, "unknown-0xEE" },
14184 { 0xEF, "unknown-0xEF" },
14185 { 0xF0, "unknown-0xF0" },
14186 { 0xF1, "unknown-0xF1" },
14187 { 0xF2, "unknown-0xF2" },
14188 { 0xF3, "unknown-0xF3" },
14189 { 0xF4, "unknown-0xF4" },
14190 { 0xF5, "unknown-0xF5" },
14191 { 0xF6, "unknown-0xF6" },
14192 { 0xF7, "unknown-0xF7" },
14193 { 0xF8, "unknown-0xF8" },
14194 { 0xF9, "unknown-0xF9" },
14195 { 0xFA, "unknown-0xFA" },
14196 { 0xFB, "unknown-0xFB" },
14197 { 0xFC, "unknown-0xFC" },
14198 { 0xFD, "unknown-0xFD" },
14199 { 0xFE, "SMBinvalid" },
14200 { 0xFF, "unknown-0xFF" },
/*
 * Return the display name for SMB command code `cmd` by indexing
 * smb_cmd_vals[] directly rather than searching it.
 *
 * There is no bounds check. `cmd` is a guint8, so the index is at most 0xff,
 * and the read is in bounds only while smb_cmd_vals[] holds one entry for
 * every value 0x00..0xff, in order. dissect_smb() calls this with si->cmd,
 * which it reads from the packet with tvb_get_guint8().
 */
14204 static char *decode_smb_name(guint8 cmd)
14206 return(smb_cmd_vals[cmd].strptr);
14211 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14212 * Everything TVBUFFIFIED above this line
14213 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Callback run by smb_init_protocol() through g_slist_foreach() for each
 * element of conv_tables: destroys the `unmatched`, `matched` and
 * `tid_service` hash tables of one conv_tables_t.
 *
 * ctarg:     the list element, used as a conv_tables_t pointer.
 * user_data: unused (marked _U_).
 *
 * Only the tables themselves are destroyed here. The structure they hang off
 * is not freed by this function; smb_init_protocol() says that is done by
 * destroying the chunk it was allocated from.
 *
 * NOTE(review): the lines numbered 14221 and 14223 are not shown in this
 * listing. Presumably they guard the first two calls the way
 * `if (ct->tid_service)` guards the third - confirm against the full file.
 */
14217 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
14219 conv_tables_t *ct = ctarg;
14222 g_hash_table_destroy(ct->unmatched);
14224 g_hash_table_destroy(ct->matched);
14225 if (ct->tid_service)
14226 g_hash_table_destroy(ct->tid_service);
/*
 * Reset the SMB dissector's saved state: destroy the memory chunks and the
 * per-conversation hash tables left over from earlier use, then create fresh
 * chunks for saved request info, saved-info keys, the three kinds of
 * transaction info and the conversation tables.
 *
 * Every chunk pointer destroyed here is assigned a new chunk further down, and
 * conv_tables is set to NULL after the list is freed, so no pointer to
 * released memory is left in these globals when the function is done.
 *
 * NOTE(review): the saved-info and key chunks are destroyed before the hash
 * tables whose keys and values were allocated from them (dissect_smb() takes
 * them from smb_saved_info_chunk and smb_saved_info_key_chunk). That order is
 * safe only if destroying a table never touches its keys or values; the
 * tables are created with g_hash_table_new() - confirm no destroy callbacks
 * are involved.
 *
 * NOTE(review): the gutter numbers skip lines here too (comment delimiters,
 * the last argument of each g_mem_chunk_new() call, braces), so those are not
 * shown in this listing.
 */
14230 smb_init_protocol(void)
/* Each chunk is destroyed only if it already exists, i.e. on a re-run. */
14232 if (smb_saved_info_key_chunk)
14233 g_mem_chunk_destroy(smb_saved_info_key_chunk);
14234 if (smb_saved_info_chunk)
14235 g_mem_chunk_destroy(smb_saved_info_chunk);
14236 if (smb_nt_transact_info_chunk)
14237 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
14238 if (smb_transact2_info_chunk)
14239 g_mem_chunk_destroy(smb_transact2_info_chunk);
14240 if (smb_transact_info_chunk)
14241 g_mem_chunk_destroy(smb_transact_info_chunk);
14244 * Free the hash tables attached to the conversation table
14245 * structures, and then free the list of conversation table
14246 * data structures (which doesn't free the data structures
14247 * themselves; that's done by destroying the chunk from
14248 * which they were allocated).
14251 g_slist_foreach(conv_tables, free_hash_tables, NULL);
14252 g_slist_free(conv_tables);
14253 conv_tables = NULL;
14257 * Now destroy the chunk from which the conversation table
14258 * structures were allocated.
14260 if (conv_tables_chunk)
14261 g_mem_chunk_destroy(conv_tables_chunk);
/* Recreate every chunk. Each call passes the element size and an initial
 * area of <count> elements; the counts are variables defined elsewhere in
 * the file. */
14263 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
14264 sizeof(smb_saved_info_t),
14265 smb_saved_info_init_count * sizeof(smb_saved_info_t),
14267 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
14268 sizeof(smb_saved_info_key_t),
14269 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
14271 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
14272 sizeof(smb_nt_transact_info_t),
14273 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
14275 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
14276 sizeof(smb_transact2_info_t),
14277 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
14279 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
14280 sizeof(smb_transact_info_t),
14281 smb_transact_info_init_count * sizeof(smb_transact_info_t),
14283 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
14284 sizeof(conv_tables_t),
14285 conv_tables_count * sizeof(conv_tables_t),
14289 static const value_string errcls_types[] = {
14290 { SMB_SUCCESS, "Success"},
14291 { SMB_ERRDOS, "DOS Error"},
14292 { SMB_ERRSRV, "Server Error"},
14293 { SMB_ERRHRD, "Hardware Error"},
14294 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
14298 /* Error codes for the ERRSRV class */
14300 static const value_string SRV_errors[] = {
14301 {SMBE_error, "Non specific error code"},
14302 {SMBE_badpw, "Bad password"},
14303 {SMBE_badtype, "Reserved"},
14304 {SMBE_access, "No permissions to perform the requested operation"},
14305 {SMBE_invnid, "TID invalid"},
14306 {SMBE_invnetname, "Invalid network name. Service not found"},
14307 {SMBE_invdevice, "Invalid device"},
14308 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
14309 {SMBE_qfull, "Print queue full"},
14310 {SMBE_qtoobig, "Queued item too big"},
14311 {SMBE_qeof, "EOF on print queue dump"},
14312 {SMBE_invpfid, "Invalid print file in smb_fid"},
14313 {SMBE_smbcmd, "Unrecognised command"},
14314 {SMBE_srverror, "SMB server internal error"},
14315 {SMBE_filespecs, "Fid and pathname invalid combination"},
14316 {SMBE_badlink, "Bad link in request ???"},
14317 {SMBE_badpermits, "Access specified for a file is not valid"},
14318 {SMBE_badpid, "Bad process id in request"},
14319 {SMBE_setattrmode, "Attribute mode invalid"},
14320 {SMBE_paused, "Message server paused"},
14321 {SMBE_msgoff, "Not receiving messages"},
14322 {SMBE_noroom, "No room for message"},
14323 {SMBE_rmuns, "Too many remote usernames"},
14324 {SMBE_timeout, "Operation timed out"},
14325 {SMBE_noresource, "No resources currently available for request."},
14326 {SMBE_toomanyuids, "Too many userids"},
14327 {SMBE_baduid, "Bad userid"},
14328 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
14329 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
14330 {SMBE_contMPX, "Resume MPX mode"},
14331 {SMBE_badPW, "Bad Password???"},
14332 {SMBE_nosupport, "Operation not supported"},
14336 /* Error codes for the ERRHRD class */
14338 static const value_string HRD_errors[] = {
14339 {SMBE_nowrite, "Read only media"},
14340 {SMBE_badunit, "Unknown device"},
14341 {SMBE_notready, "Drive not ready"},
14342 {SMBE_badcmd, "Unknown command"},
14343 {SMBE_data, "Data (CRC) error"},
14344 {SMBE_badreq, "Bad request structure length"},
14345 {SMBE_seek, "Seek error"},
14346 {SMBE_badmedia, "Unknown media type"},
14347 {SMBE_badsector, "Sector not found"},
14348 {SMBE_nopaper, "Printer out of paper"},
14349 {SMBE_write, "Write fault"},
14350 {SMBE_read, "Read fault"},
14351 {SMBE_general, "General failure"},
14352 {SMBE_badshare, "A open conflicts with an existing open"},
14353 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
14354 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
14355 {SMBE_FCBunavail, "No FCBs are available to process request"},
14356 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
14357 {SMBE_diskfull, "Disk full???"},
/*
 * Turn a DOS-style SMB error (class byte plus 16-bit code) into a display
 * string. The visible returns cover "No Error", a lookup of `errcode` in
 * DOS_errors, SRV_errors or HRD_errors, and "Unknown error class!".
 *
 * Each lookup goes through val_to_str() with an "Unknown ... error (%x)"
 * fallback format, so a code that is in none of the tables still yields a
 * printable string. dissect_smb() passes the result to a "%s" conversion, and
 * both arguments come from the packet there.
 *
 * NOTE(review): the lines that select on `errcls` (gutter numbers
 * 14362-14367 and the gaps between the returns) are not shown in this
 * listing, so which class value leads to which return cannot be confirmed
 * from here.
 */
14361 static char *decode_smb_error(guint8 errcls, guint16 errcode)
14368 return("No Error"); /* No error ??? */
14373 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
14378 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
14383 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
14388 return("Unknown error class!");
14394 static const true_false_string tfs_smb_flags_lock = {
14395 "Lock&Read, Write&Unlock are supported",
14396 "Lock&Read, Write&Unlock are not supported"
14398 static const true_false_string tfs_smb_flags_receive_buffer = {
14399 "Receive buffer has been posted",
14400 "Receive buffer has not been posted"
14402 static const true_false_string tfs_smb_flags_caseless = {
14403 "Path names are caseless",
14404 "Path names are case sensitive"
14406 static const true_false_string tfs_smb_flags_canon = {
14407 "Pathnames are canonicalized",
14408 "Pathnames are not canonicalized"
14410 static const true_false_string tfs_smb_flags_oplock = {
14411 "OpLock requested/granted",
14412 "OpLock not requested/granted"
14414 static const true_false_string tfs_smb_flags_notify = {
14415 "Notify client on all modifications",
14416 "Notify client only on open"
14418 static const true_false_string tfs_smb_flags_response = {
14419 "Message is a response to the client/redirector",
14420 "Message is a request to the server"
/*
 * Dissect the one-byte SMB Flags field at `offset`: read the byte, add a
 * "Flags: 0x.." text item with its own subtree under parent_tree, and add
 * one boolean field per flag, each given the whole mask.
 *
 * dissect_smb() assigns the return value back to its offset, so this
 * returns the offset to continue from; the return statement itself is on a
 * line not shown in this listing.
 *
 * NOTE(review): `item` and `tree` start as NULL, and gutter lines
 * 14431-14432 are missing, so the item and subtree are presumably created
 * only when parent_tree is non-NULL - confirm against the full file.
 */
14424 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
14427 proto_item *item = NULL;
14428 proto_tree *tree = NULL;
/* The only read from the packet in this function: one byte. */
14430 mask = tvb_get_guint8(tvb, offset);
14433 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
14434 "Flags: 0x%02x", mask);
14435 tree = proto_item_add_subtree(item, ett_smb_flags);
/* All seven fields cover the same single byte. */
14437 proto_tree_add_boolean(tree, hf_smb_flags_response,
14438 tvb, offset, 1, mask);
14439 proto_tree_add_boolean(tree, hf_smb_flags_notify,
14440 tvb, offset, 1, mask);
14441 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
14442 tvb, offset, 1, mask);
14443 proto_tree_add_boolean(tree, hf_smb_flags_canon,
14444 tvb, offset, 1, mask);
14445 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
14446 tvb, offset, 1, mask);
14447 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
14448 tvb, offset, 1, mask);
14449 proto_tree_add_boolean(tree, hf_smb_flags_lock,
14450 tvb, offset, 1, mask);
14457 static const true_false_string tfs_smb_flags2_long_names_allowed = {
14458 "Long file names are allowed in the response",
14459 "Long file names are not allowed in the response"
14461 static const true_false_string tfs_smb_flags2_ea = {
14462 "Extended attributes are supported",
14463 "Extended attributes are not supported"
14465 static const true_false_string tfs_smb_flags2_sec_sig = {
14466 "Security signatures are supported",
14467 "Security signatures are not supported"
14469 static const true_false_string tfs_smb_flags2_long_names_used = {
14470 "Path names in request are long file names",
14471 "Path names in request are not long file names"
14473 static const true_false_string tfs_smb_flags2_esn = {
14474 "Extended security negotiation is supported",
14475 "Extended security negotiation is not supported"
14477 static const true_false_string tfs_smb_flags2_dfs = {
14478 "Resolve pathnames with Dfs",
14479 "Don't resolve pathnames with Dfs"
14481 static const true_false_string tfs_smb_flags2_roe = {
14482 "Permit reads if execute-only",
14483 "Don't permit reads if execute-only"
14485 static const true_false_string tfs_smb_flags2_nt_error = {
14486 "Error codes are NT error codes",
14487 "Error codes are DOS error codes"
14489 static const true_false_string tfs_smb_flags2_string = {
14490 "Strings are Unicode",
14491 "Strings are ASCII"
/*
 * Dissect the two-byte SMB Flags2 field at `offset`: read it as a
 * little-endian 16-bit value, add a "Flags2: 0x...." text item with its own
 * subtree under parent_tree, and add one boolean field per flag, each given
 * the whole mask.
 *
 * This function only displays the flags. dissect_smb() reads Flags2 again
 * itself and acts on two bits: 0x8000 to mark strings as Unicode and 0x4000
 * to treat the status field as a 32-bit NT error code.
 *
 * dissect_smb() assigns the return value back to its offset, so this
 * returns the offset to continue from; the return statement itself is on a
 * line not shown in this listing.
 *
 * NOTE(review): `item` and `tree` start as NULL, and gutter lines
 * 14501-14502 are missing, so the item and subtree are presumably created
 * only when parent_tree is non-NULL - confirm against the full file.
 */
14494 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
14497 proto_item *item = NULL;
14498 proto_tree *tree = NULL;
/* The only read from the packet in this function: two bytes, little-endian. */
14500 mask = tvb_get_letohs(tvb, offset);
14503 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
14504 "Flags2: 0x%04x", mask);
14505 tree = proto_item_add_subtree(item, ett_smb_flags2);
/* All nine fields cover the same two bytes. */
14508 proto_tree_add_boolean(tree, hf_smb_flags2_string,
14509 tvb, offset, 2, mask);
14510 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
14511 tvb, offset, 2, mask);
14512 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
14513 tvb, offset, 2, mask);
14514 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
14515 tvb, offset, 2, mask);
14516 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
14517 tvb, offset, 2, mask);
14518 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
14519 tvb, offset, 2, mask);
14520 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
14521 tvb, offset, 2, mask);
14522 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
14523 tvb, offset, 2, mask);
14524 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
14525 tvb, offset, 2, mask);
14533 #define SMB_FLAGS_DIRN 0x80
14537 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
14540 proto_item *item = NULL, *hitem = NULL;
14541 proto_tree *tree = NULL, *htree = NULL;
14544 static smb_info_t si_arr[20];
14545 static int si_counter=0;
14547 smb_saved_info_t *sip = NULL;
14548 smb_saved_info_key_t key;
14549 smb_saved_info_key_t *new_key;
14550 guint32 nt_status = 0;
14551 guint8 errclass = 0;
14552 guint16 errcode = 0;
14554 conversation_t *conversation;
14558 if(si_counter==20){
14561 si=&si_arr[si_counter];
14563 top_tree=parent_tree;
14565 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
14566 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
14568 if (check_col(pinfo->cinfo, COL_INFO)){
14569 col_clear(pinfo->cinfo, COL_INFO);
14572 /* start off using the local variable, we will allocate a new one if we
14574 si->cmd = tvb_get_guint8(tvb, offset+4);
14575 flags = tvb_get_guint8(tvb, offset+9);
14577 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
14578 * the direction flag appears never to be set, even for what appear
14579 * to be replies. Do some SMB servers fail to set that flag,
14580 * under the assumption that the client knows it's a reply because
14583 si->request = !(flags&SMB_FLAGS_DIRN);
14584 flags2 = tvb_get_letohs(tvb, offset+10);
14585 if(flags2 & 0x8000){
14586 si->unicode = TRUE; /* Mark them as Unicode */
14588 si->unicode = FALSE;
14590 si->tid = tvb_get_letohs(tvb, offset+24);
14591 si->pid = tvb_get_letohs(tvb, offset+26);
14592 si->uid = tvb_get_letohs(tvb, offset+28);
14593 si->mid = tvb_get_letohs(tvb, offset+30);
14594 pid_mid = (si->pid << 16) | si->mid;
14595 si->info_level = -1;
14596 si->info_count = -1;
14599 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
14601 tree = proto_item_add_subtree(item, ett_smb);
14603 hitem = proto_tree_add_text(tree, tvb, offset, 32,
14606 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
14609 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
14610 offset += 4; /* Skip the marker */
14612 /* find which conversation we are part of and get the tables for that
14614 conversation = find_conversation(&pinfo->src, &pinfo->dst,
14615 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14617 /* OK this is a new conversation so lets create it */
14618 conversation = conversation_new(&pinfo->src, &pinfo->dst,
14619 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14621 /* see if we already have the smb data for this conversation */
14622 si->ct=conversation_get_proto_data(conversation, proto_smb);
14624 /* No, not yet. create it and attach it to the conversation */
14625 si->ct = g_mem_chunk_alloc(conv_tables_chunk);
14626 conv_tables = g_slist_prepend(conv_tables, si->ct);
14627 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
14628 smb_saved_info_equal_matched);
14629 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
14630 smb_saved_info_equal_unmatched);
14631 si->ct->tid_service=g_hash_table_new(
14632 smb_saved_info_hash_unmatched,
14633 smb_saved_info_equal_unmatched);
14634 conversation_add_proto_data(conversation, proto_smb, si->ct);
14642 /* this is a broadcast SMB packet, there will not be a reply.
14643 We dont need to do anything
14646 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
14647 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
14648 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
14649 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
14650 /* Ok, we got a special request type. This request is either
14651 an NT Cancel or a continuation relative to a real request
14652 in an earlier packet. In either case, we don't expect any
14653 responses to this packet. For continuations, any later
14654 responses we see really just belong to the original request.
14655 Anyway, we want to remember this packet somehow and
14656 remember which original request it is associated with so
14657 we can say nice things such as "This is a Cancellation to
14658 the request in frame x", but we don't want the
14659 request/response matching to get messed up.
14661 The only thing we do in this case is trying to find which original
14662 request we match with and insert an entry for this "special"
14663 request for later reference. We continue to reference the original
14664 requests smb_saved_info_t but we dont touch it or change anything
14668 si->unidir = TRUE; /*we dont expect an answer to this one*/
14670 if(!pinfo->fd->flags.visited){
14671 /* try to find which original call we match and if we
14672 find it add us to the matched table. Dont touch
14673 anything else since we dont want this one to mess
14674 up the request/response matching. We still consider
14675 the initial call the real request and this is only
14676 some sort of continuation.
14678 /* we only check the unmatched table and assume that the
14679 last seen MID matching ours is the right one.
14680 This can fail but is better than nothing
14682 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
14684 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14685 new_key->frame = pinfo->fd->num;
14686 new_key->pid_mid = pid_mid;
14687 g_hash_table_insert(si->ct->matched, new_key,
14691 /* we have seen this packet before; check the
14694 key.frame = pinfo->fd->num;
14695 key.pid_mid = pid_mid;
14696 sip=g_hash_table_lookup(si->ct->matched, &key);
14700 Too bad, unfortunately there is not really much we can
14701 do now since this means that we never saw the initial
14708 if(sip && sip->frame_req){
14710 case SMB_COM_NT_CANCEL:
14711 proto_tree_add_uint(htree, hf_smb_cancel_to,
14712 tvb, 0, 0, sip->frame_req);
14714 case SMB_COM_TRANSACTION_SECONDARY:
14715 case SMB_COM_TRANSACTION2_SECONDARY:
14716 case SMB_COM_NT_TRANSACT_SECONDARY:
14717 proto_tree_add_uint(htree, hf_smb_continuation_to,
14718 tvb, 0, 0, sip->frame_req);
14723 case SMB_COM_NT_CANCEL:
14724 proto_tree_add_text(htree, tvb, 0, 0,
14725 "Cancellation to: <unknown frame>");
14727 case SMB_COM_TRANSACTION_SECONDARY:
14728 case SMB_COM_TRANSACTION2_SECONDARY:
14729 case SMB_COM_NT_TRANSACT_SECONDARY:
14730 proto_tree_add_text(htree, tvb, 0, 0,
14731 "Continuation to: <unknown frame>");
14735 } else { /* normal bidirectional request or response */
14736 si->unidir = FALSE;
14738 if(!pinfo->fd->flags.visited){
14739 /* first see if we find an unmatched smb "equal" to
14742 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
14744 gboolean cmd_match=FALSE;
14747 * Make sure the SMB we found was the
14748 * same command, or a different command
14749 * that's another valid type of reply
14752 if(si->cmd==sip->cmd){
14755 else if(si->cmd==SMB_COM_NT_CANCEL){
14758 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
14759 && (sip->cmd==SMB_COM_TRANSACTION)){
14762 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
14763 && (sip->cmd==SMB_COM_TRANSACTION2)){
14766 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
14767 && (sip->cmd==SMB_COM_NT_TRANSACT)){
14771 if( (si->request) || (!cmd_match) ) {
14772 /* If we are processing an SMB request but there was already
14773 another "identical" smb resuest we had not matched yet.
14774 This must mean that either we have a retransmission or that the
14775 response to the previous one was lost and the client has reused
14776 the MID for this conversation. In either case it's not much more
14777 we can do than forget the old request and concentrate on the
14778 present one instead.
14780 We also do this cleanup if we see that the cmd in the original
14781 request in sip->cmd is not compatible with the current cmd.
14782 This is to prevent matching errors such as if there were two
14783 SMBs of different cmds but with identical MID and PID values and
14784 if ethereal lost the first reply and the second request.
14786 g_hash_table_remove(si->ct->unmatched, (void *)pid_mid);
14787 sip=NULL; /* XXX should free it as well */
14789 /* we have found a response to some request we have seen earlier.
14790 What we do now depends on whether this is the first response
14791 to that request we see (id frame_res==0) or not.
14793 if(sip->frame_res==0){
14794 /* ok it is the first response we have seen to this packet */
14795 sip->frame_res = pinfo->fd->num;
14796 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14797 new_key->frame = sip->frame_res;
14798 new_key->pid_mid = pid_mid;
14799 g_hash_table_insert(si->ct->matched, new_key, sip);
14801 /* We have already seen another response to this MID.
14802 Since the MID in reality is only something like 10 bits
14803 this probably means that we just have a MID that is being
14804 reused due to the small MID space and that this is a new
14805 command we did not see the original request for.
14812 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
14813 sip->frame_req = pinfo->fd->num;
14814 sip->frame_res = 0;
14815 sip->req_time.secs=pinfo->fd->abs_secs;
14816 sip->req_time.nsecs=pinfo->fd->abs_usecs*1000;
14818 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)
14819 == (void *)TID_IPC) {
14820 sip->flags |= SMB_SIF_TID_IS_IPC;
14822 sip->cmd = si->cmd;
14823 sip->extra_info = NULL;
14824 g_hash_table_insert(si->ct->unmatched, (void *)pid_mid, sip);
14825 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14826 new_key->frame = sip->frame_req;
14827 new_key->pid_mid = pid_mid;
14828 g_hash_table_insert(si->ct->matched, new_key, sip);
14831 /* we have seen this packet before; check the
14833 If we haven't yet seen the reply, we won't
14834 find the info for it; we don't need it, as
14835 we only use it to save information, and, as
14836 we've seen this packet before, we've already
14837 saved the information.
14839 key.frame = pinfo->fd->num;
14840 key.pid_mid = pid_mid;
14841 sip=g_hash_table_lookup(si->ct->matched, &key);
14846 * Pass the "sip" on to subdissectors through "si".
14852 * Put in fields for the frame number of the frame to which
14853 * this is a response or the frame with the response to this
14854 * frame - if we know the frame number (i.e., it's not 0).
14857 if (sip->frame_res != 0)
14858 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
14860 if (sip->frame_req != 0) {
14861 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
14862 ns.secs = pinfo->fd->abs_secs - sip->req_time.secs;
14863 ns.nsecs = pinfo->fd->abs_usecs*1000 - sip->req_time.nsecs;
14865 ns.nsecs+=1000000000;
14868 proto_tree_add_time(htree, hf_smb_time, tvb,
14875 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
14878 if(flags2 & 0x4000){
14879 /* handle NT 32 bit error code */
14881 nt_status = tvb_get_letohl(tvb, offset);
14883 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
14888 /* handle DOS error code & class */
14889 errclass = tvb_get_guint8(tvb, offset);
14890 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
14894 /* reserved byte */
14895 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
14899 /* XXX - the type of this field depends on the value of
14900 * "errcls", so there isn't a single value_string array
14901 * for it, so there can't be a single field for it.
14903 errcode = tvb_get_letohs(tvb, offset);
14904 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
14905 offset, 2, errcode, "Error Code: %s",
14906 decode_smb_error(errclass, errcode));
14911 offset = dissect_smb_flags(tvb, htree, offset);
14914 offset = dissect_smb_flags2(tvb, htree, offset);
14919 * http://www.samba.org/samba/ftp/specs/smbpub.txt
14921 * (a text version of "Microsoft Networks SMB FILE SHARING
14922 * PROTOCOL, Document Version 6.0p") says that:
14924 * the first 2 bytes of these 12 bytes are, for NT Create and X,
14925 * the "High Part of PID";
14927 * the next four bytes are reserved;
14929 * the next four bytes are, for SMB-over-IPX (with no
14930 * NetBIOS involved) two bytes of Session ID and two bytes
14931 * of SequenceNumber.
14933 * Network Monitor 2.x dissects the four bytes before the Session ID
14934 * as a "Key", and the two bytes after the SequenceNumber as
14937 * The "High Part of PID" has been seen in calls other than NT
14938 * Create and X, although most of them appear to be I/O on DCE RPC
14939 * pipes opened with the NT Create and X in question.
14941 proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, TRUE);
14944 if (pinfo->ptype == PT_IPX &&
14945 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
14946 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
14947 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
14949 * This is SMB-over-IPX.
14950 * XXX - do we have to worry about "sequenced commands",
14951 * as per the Samba document? They say that for
14952 * "unsequenced commands" (with a sequence number of 0),
14953 * the Mid must be unique, but perhaps the Mid doesn't
14954 * have to be unique for sequenced commands. In at least
14955 * one capture with SMB-over-IPX, however, the Mids
14956 * are unique even for sequenced commands.
14959 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
14964 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
14968 /* Sequence number */
14969 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
14974 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
14979 * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
14980 * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
14981 * bytes after the "High part of PID" are an 8-byte
14984 proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, TRUE);
14987 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, TRUE);
14992 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si->tid);
14996 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
15000 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid);
15004 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
15007 pinfo->private_data = si;
15009 /* tap the packet before the dissectors are called so we still get
15010 the tap listener called even if there is an exception.
15012 tap_queue_packet(smb_tap, pinfo, si);
15013 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
15015 /* Append error info from this packet to info string. */
15016 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
15017 if (flags2 & 0x4000) {
15019 * The status is an NT status code; was there
15022 if ((nt_status & 0xC0000000) == 0xC0000000) {
15027 pinfo->cinfo, COL_INFO, ", Error: %s",
15028 val_to_str(nt_status, NT_errors,
15029 "Unknown (0x%08X)"));
15033 * The status is a DOS error class and code; was
15036 if (errclass != SMB_SUCCESS) {
15041 pinfo->cinfo, COL_INFO, ", Error: %s",
15042 decode_smb_error(errclass, errcode));
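/*
 * Heuristic entry point: decide whether a payload is SMB and, if so,
 * dissect it.
 *
 * The only test applied is the 4-byte SMB magic (0xFF 'S' 'M' 'B') at
 * offset 0.  Nothing else in the header is validated here, so any payload
 * that merely starts with those four bytes is handed to dissect_smb();
 * everything after the magic must still be treated as untrusted,
 * possibly truncated capture data by the code that parses it.
 *
 * @param tvb          buffer holding the candidate SMB message
 * @param pinfo        per-packet state, passed through to dissect_smb()
 * @param parent_tree  protocol tree to attach the SMB subtree to
 * @return TRUE if the magic matched and dissect_smb() was called,
 *         FALSE if the payload was rejected and left for other dissectors
 */
static gboolean
dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	/*
	 * Must check that this really is an SMB packet.  Reject short
	 * payloads before touching any byte: the length test has to exit
	 * here, otherwise the byte reads below would run on a buffer that
	 * is known to be too small.
	 */
	if (!tvb_bytes_exist(tvb, 0, 4)) {
		return FALSE;
	}

	/* 0xFF 'S' 'M' 'B' is the SMB header magic. */
	if (tvb_get_guint8(tvb, 0) != 0xff
	    || tvb_get_guint8(tvb, 1) != 'S'
	    || tvb_get_guint8(tvb, 2) != 'M'
	    || tvb_get_guint8(tvb, 3) != 'B') {
		return FALSE;
	}

	dissect_smb(tvb, pinfo, parent_tree);
	return TRUE;
}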
15067 proto_register_smb(void)
15069 static hf_register_info hf[] = {
15071 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
15072 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
15074 { &hf_smb_word_count,
15075 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
15076 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
15078 { &hf_smb_byte_count,
15079 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
15080 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
15082 { &hf_smb_response_to,
15083 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
15084 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
15087 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
15088 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
15090 { &hf_smb_response_in,
15091 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
15092 NULL, 0, "The response to this packet is in this packet", HFILL }},
15094 { &hf_smb_continuation_to,
15095 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
15096 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
15098 { &hf_smb_nt_status,
15099 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
15100 VALS(NT_errors), 0, "NT Status code", HFILL }},
15102 { &hf_smb_error_class,
15103 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
15104 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
15106 { &hf_smb_error_code,
15107 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
15108 NULL, 0, "DOS Error Code", HFILL }},
15110 { &hf_smb_reserved,
15111 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
15112 NULL, 0, "Reserved bytes, must be zero", HFILL }},
15115 { "Signature", "smb.signature", FT_BYTES, BASE_HEX,
15116 NULL, 0, "Signature bytes", HFILL }},
15119 { "Key", "smb.key", FT_UINT32, BASE_HEX,
15120 NULL, 0, "SMB-over-IPX Key", HFILL }},
15122 { &hf_smb_session_id,
15123 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
15124 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
15126 { &hf_smb_sequence_num,
15127 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
15128 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
15130 { &hf_smb_group_id,
15131 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
15132 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
15135 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
15136 NULL, 0, "Process ID", HFILL }},
15138 { &hf_smb_pid_high,
15139 { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
15140 NULL, 0, "Process ID High Bytes", HFILL }},
15143 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
15144 NULL, 0, "Tree ID", HFILL }},
15147 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
15148 NULL, 0, "User ID", HFILL }},
15151 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
15152 NULL, 0, "Multiplex ID", HFILL }},
15154 { &hf_smb_flags_lock,
15155 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
15156 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
15158 { &hf_smb_flags_receive_buffer,
15159 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
15160 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
15162 { &hf_smb_flags_caseless,
15163 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
15164 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
15166 { &hf_smb_flags_canon,
15167 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
15168 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
15170 { &hf_smb_flags_oplock,
15171 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
15172 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
15174 { &hf_smb_flags_notify,
15175 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
15176 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
15178 { &hf_smb_flags_response,
15179 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
15180 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
15182 { &hf_smb_flags2_long_names_allowed,
15183 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
15184 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
15186 { &hf_smb_flags2_ea,
15187 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
15188 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
15190 { &hf_smb_flags2_sec_sig,
15191 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
15192 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
15194 { &hf_smb_flags2_long_names_used,
15195 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
15196 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
15198 { &hf_smb_flags2_esn,
15199 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
15200 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
15202 { &hf_smb_flags2_dfs,
15203 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
15204 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
15206 { &hf_smb_flags2_roe,
15207 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
15208 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
15210 { &hf_smb_flags2_nt_error,
15211 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
15212 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
15214 { &hf_smb_flags2_string,
15215 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
15216 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
15218 { &hf_smb_buffer_format,
15219 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
15220 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
15222 { &hf_smb_dialect_name,
15223 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
15224 NULL, 0, "Name of dialect", HFILL }},
15226 { &hf_smb_dialect_index,
15227 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
15228 NULL, 0, "Index of selected dialect", HFILL }},
15230 { &hf_smb_max_trans_buf_size,
15231 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
15232 NULL, 0, "Maximum transmit buffer size", HFILL }},
15234 { &hf_smb_max_mpx_count,
15235 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
15236 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
15238 { &hf_smb_max_vcs_num,
15239 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
15240 NULL, 0, "Maximum VCs between client and server", HFILL }},
15242 { &hf_smb_session_key,
15243 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
15244 NULL, 0, "Unique token identifying this session", HFILL }},
15246 { &hf_smb_server_timezone,
15247 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
15248 NULL, 0, "Current timezone at server.", HFILL }},
15250 { &hf_smb_encryption_key_length,
15251 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
15252 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
15254 { &hf_smb_encryption_key,
15255 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
15256 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
15258 { &hf_smb_primary_domain,
15259 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
15260 NULL, 0, "The server's primary domain", HFILL }},
15263 { "Server", "smb.server", FT_STRING, BASE_NONE,
15264 NULL, 0, "The name of the DC/server", HFILL }},
15266 { &hf_smb_max_raw_buf_size,
15267 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
15268 NULL, 0, "Maximum raw buffer size", HFILL }},
15270 { &hf_smb_server_guid,
15271 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
15272 NULL, 0, "Globally unique identifier for this server", HFILL }},
15274 { &hf_smb_security_blob_len,
15275 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
15276 NULL, 0, "Security blob length", HFILL }},
15278 { &hf_smb_security_blob,
15279 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
15280 NULL, 0, "Security blob", HFILL }},
15282 { &hf_smb_sm_mode16,
15283 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
15284 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15286 { &hf_smb_sm_password16,
15287 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
15288 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15291 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
15292 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15294 { &hf_smb_sm_password,
15295 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
15296 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15298 { &hf_smb_sm_signatures,
15299 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
15300 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
15302 { &hf_smb_sm_sig_required,
15303 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
15304 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
15307 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
15308 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
15310 { &hf_smb_rm_write,
15311 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
15312 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
15314 { &hf_smb_server_date_time,
15315 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
15316 NULL, 0, "Current date and time at server", HFILL }},
15318 { &hf_smb_server_smb_date,
15319 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
15320 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
15322 { &hf_smb_server_smb_time,
15323 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
15324 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
15326 { &hf_smb_server_cap_raw_mode,
15327 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
15328 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
15330 { &hf_smb_server_cap_mpx_mode,
15331 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
15332 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
15334 { &hf_smb_server_cap_unicode,
15335 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
15336 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
15338 { &hf_smb_server_cap_large_files,
15339 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
15340 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
15342 { &hf_smb_server_cap_nt_smbs,
15343 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
15344 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
15346 { &hf_smb_server_cap_rpc_remote_apis,
15347 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
15348 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
15350 { &hf_smb_server_cap_nt_status,
15351 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
15352 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
15354 { &hf_smb_server_cap_level_ii_oplocks,
15355 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
15356 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
15358 { &hf_smb_server_cap_lock_and_read,
15359 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
15360 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
15362 { &hf_smb_server_cap_nt_find,
15363 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
15364 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
15366 { &hf_smb_server_cap_dfs,
15367 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
15368 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
15370 { &hf_smb_server_cap_infolevel_passthru,
15371 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
15372 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
15374 { &hf_smb_server_cap_large_readx,
15375 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
15376 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
15378 { &hf_smb_server_cap_large_writex,
15379 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
15380 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
15382 { &hf_smb_server_cap_unix,
15383 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
15384 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
15386 { &hf_smb_server_cap_reserved,
15387 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
15388 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
15390 { &hf_smb_server_cap_bulk_transfer,
15391 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
15392 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
15394 { &hf_smb_server_cap_compressed_data,
15395 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
15396 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
15398 { &hf_smb_server_cap_extended_security,
15399 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
15400 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
15402 { &hf_smb_system_time,
15403 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
15404 NULL, 0, "System Time", HFILL }},
15407 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
15408 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
15410 { &hf_smb_dir_name,
15411 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
15412 NULL, 0, "SMB Directory Name", HFILL }},
15414 { &hf_smb_echo_count,
15415 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
15416 NULL, 0, "Number of times to echo data back", HFILL }},
15418 { &hf_smb_echo_data,
15419 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
15420 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
15422 { &hf_smb_echo_seq_num,
15423 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
15424 NULL, 0, "Sequence number for this echo response", HFILL }},
15426 { &hf_smb_max_buf_size,
15427 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
15428 NULL, 0, "Max client buffer size", HFILL }},
15431 { "Path", "smb.path", FT_STRING, BASE_NONE,
15432 NULL, 0, "Path. Server name and share name", HFILL }},
15435 { "Service", "smb.service", FT_STRING, BASE_NONE,
15436 NULL, 0, "Service name", HFILL }},
15438 { &hf_smb_password,
15439 { "Password", "smb.password", FT_BYTES, BASE_NONE,
15440 NULL, 0, "Password", HFILL }},
15442 { &hf_smb_ansi_password,
15443 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
15444 NULL, 0, "ANSI Password", HFILL }},
15446 { &hf_smb_unicode_password,
15447 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
15448 NULL, 0, "Unicode Password", HFILL }},
15450 { &hf_smb_move_flags_file,
15451 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
15452 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
15454 { &hf_smb_move_flags_dir,
15455 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
15456 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
15458 { &hf_smb_move_flags_verify,
15459 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
15460 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
15462 { &hf_smb_files_moved,
15463 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
15464 NULL, 0, "Number of files moved", HFILL }},
15466 { &hf_smb_copy_flags_file,
15467 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
15468 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
15470 { &hf_smb_copy_flags_dir,
15471 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
15472 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
15474 { &hf_smb_copy_flags_dest_mode,
15475 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
15476 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
15478 { &hf_smb_copy_flags_source_mode,
15479 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
15480 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
15482 { &hf_smb_copy_flags_verify,
15483 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
15484 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
15486 { &hf_smb_copy_flags_tree_copy,
15487 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
15488 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
15490 { &hf_smb_copy_flags_ea_action,
15491 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
15492 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
15495 { "Count", "smb.count", FT_UINT32, BASE_DEC,
15496 NULL, 0, "Count number of items/bytes", HFILL }},
15498 { &hf_smb_count_low,
15499 { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
15500 NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
15502 { &hf_smb_count_high,
15503 { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
15504 NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
15506 { &hf_smb_file_name,
15507 { "File Name", "smb.file", FT_STRING, BASE_NONE,
15508 NULL, 0, "File Name", HFILL }},
15510 { &hf_smb_open_function_create,
15511 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
15512 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
15514 { &hf_smb_open_function_open,
15515 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
15516 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
15519 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
15520 NULL, 0, "FID: File ID", HFILL }},
15522 { &hf_smb_file_attr_read_only_16bit,
15523 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
15524 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15526 { &hf_smb_file_attr_read_only_8bit,
15527 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
15528 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15530 { &hf_smb_file_attr_hidden_16bit,
15531 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
15532 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15534 { &hf_smb_file_attr_hidden_8bit,
15535 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
15536 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15538 { &hf_smb_file_attr_system_16bit,
15539 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
15540 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15542 { &hf_smb_file_attr_system_8bit,
15543 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
15544 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15546 { &hf_smb_file_attr_volume_16bit,
15547 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
15548 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
15550 { &hf_smb_file_attr_volume_8bit,
15551 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
15552 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
15554 { &hf_smb_file_attr_directory_16bit,
15555 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
15556 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15558 { &hf_smb_file_attr_directory_8bit,
15559 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
15560 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15562 { &hf_smb_file_attr_archive_16bit,
15563 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
15564 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15566 { &hf_smb_file_attr_archive_8bit,
15567 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
15568 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15570 { &hf_smb_file_attr_device,
15571 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
15572 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
15574 { &hf_smb_file_attr_normal,
15575 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
15576 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
15578 { &hf_smb_file_attr_temporary,
15579 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
15580 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
15582 { &hf_smb_file_attr_sparse,
15583 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
15584 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
15586 { &hf_smb_file_attr_reparse,
15587 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
15588 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
15590 { &hf_smb_file_attr_compressed,
15591 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
15592 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
15594 { &hf_smb_file_attr_offline,
15595 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
15596 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
15598 { &hf_smb_file_attr_not_content_indexed,
15599 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
15600 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
15602 { &hf_smb_file_attr_encrypted,
15603 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
15604 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
15606 { &hf_smb_file_size,
15607 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
15608 NULL, 0, "File Size", HFILL }},
15610 { &hf_smb_search_attribute_read_only,
15611 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
15612 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
15614 { &hf_smb_search_attribute_hidden,
15615 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
15616 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
15618 { &hf_smb_search_attribute_system,
15619 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
15620 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
15622 { &hf_smb_search_attribute_volume,
15623 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
15624 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
15626 { &hf_smb_search_attribute_directory,
15627 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
15628 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
15630 { &hf_smb_search_attribute_archive,
15631 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
15632 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
15634 { &hf_smb_access_mode,
15635 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
15636 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
15638 { &hf_smb_access_sharing,
15639 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
15640 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
15642 { &hf_smb_access_locality,
15643 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
15644 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
15646 { &hf_smb_access_caching,
15647 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
15648 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
15650 { &hf_smb_access_writetru,
15651 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
15652 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
15654 { &hf_smb_create_time,
15655 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
15656 NULL, 0, "Creation Time", HFILL }},
15658 { &hf_smb_modify_time,
15659 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
15660 NULL, 0, "Modification Time", HFILL }},
15662 { &hf_smb_backup_time,
15663 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
15664 NULL, 0, "Backup time", HFILL}},
15666 { &hf_smb_mac_alloc_block_count,
15667 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
15668 NULL, 0, "Allocation Block Count", HFILL}},
15670 { &hf_smb_mac_alloc_block_size,
15671 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
15672 NULL, 0, "Allocation Block Size", HFILL}},
15674 { &hf_smb_mac_free_block_count,
15675 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
15676 NULL, 0, "Free Block Count", HFILL}},
15678 { &hf_smb_mac_root_file_count,
15679 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
15680 NULL, 0, "Root File Count", HFILL}},
15682 { &hf_smb_mac_root_dir_count,
15683 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
15684 NULL, 0, "Root Directory Count", HFILL}},
15686 { &hf_smb_mac_file_count,
15687 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
15688 NULL, 0, "File Count", HFILL}},
15690 { &hf_smb_mac_dir_count,
15691 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
15692 NULL, 0, "Directory Count", HFILL}},
15694 { &hf_smb_mac_support_flags,
15695 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
15696 NULL, 0, "Mac Support Flags", HFILL}},
15698 { &hf_smb_mac_sup_access_ctrl,
15699 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
15700 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
15702 { &hf_smb_mac_sup_getset_comments,
15703 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
15704 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
15706 { &hf_smb_mac_sup_desktopdb_calls,
15707 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
15708 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
15710 { &hf_smb_mac_sup_unique_ids,
15711 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
15712 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
15714 { &hf_smb_mac_sup_streams,
15715 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
15716 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
15718 { &hf_smb_create_dos_date,
15719 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
15720 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
15722 { &hf_smb_create_dos_time,
15723 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
15724 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
15726 { &hf_smb_last_write_time,
15727 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
15728 NULL, 0, "Time this file was last written to", HFILL }},
15730 { &hf_smb_last_write_dos_date,
15731 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
15732 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
15734 { &hf_smb_last_write_dos_time,
15735 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
15736 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
15738 { &hf_smb_old_file_name,
15739 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
15740 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
15743 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
15744 NULL, 0, "Offset in file", HFILL }},
15746 { &hf_smb_remaining,
15747 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
15748 NULL, 0, "Remaining number of bytes", HFILL }},
15751 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
15752 NULL, 0, "Padding or unknown data", HFILL }},
15754 { &hf_smb_file_data,
15755 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
15756 NULL, 0, "Data read/written to the file", HFILL }},
15758 { &hf_smb_mac_fndrinfo,
15759 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
15760 NULL, 0, "Finder Info", HFILL}},
15762 { &hf_smb_total_data_len,
15763 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
15764 NULL, 0, "Total length of data", HFILL }},
15766 { &hf_smb_data_len,
15767 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
15768 NULL, 0, "Length of data", HFILL }},
15770 { &hf_smb_data_len_low,
15771 { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
15772 NULL, 0, "Length of data, Low 16 bits", HFILL }},
15774 { &hf_smb_data_len_high,
15775 { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
15776 NULL, 0, "Length of data, High 16 bits", HFILL }},
15778 { &hf_smb_seek_mode,
15779 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
15780 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
15782 { &hf_smb_access_time,
15783 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
15784 NULL, 0, "Last Access Time", HFILL }},
15786 { &hf_smb_access_dos_date,
15787 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
15788 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
15790 { &hf_smb_access_dos_time,
15791 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
15792 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
15794 { &hf_smb_data_size,
15795 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
15796 NULL, 0, "Data Size", HFILL }},
15798 { &hf_smb_alloc_size,
15799 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
15800 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
15802 { &hf_smb_max_count,
15803 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
15804 NULL, 0, "Maximum Count", HFILL }},
15806 { &hf_smb_max_count_low,
15807 { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
15808 NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
15810 { &hf_smb_max_count_high,
15811 { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
15812 NULL, 0, "Maximum Count, High 16 bits", HFILL }},
15814 { &hf_smb_min_count,
15815 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
15816 NULL, 0, "Minimum Count", HFILL }},
15819 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
15820 NULL, 0, "Timeout in miliseconds", HFILL }},
15822 { &hf_smb_high_offset,
15823 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
15824 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
15827 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
15828 NULL, 0, "Total number of units at server", HFILL }},
15831 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
15832 NULL, 0, "Blocks per unit at server", HFILL }},
15834 { &hf_smb_blocksize,
15835 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
15836 NULL, 0, "Block size (in bytes) at server", HFILL }},
15838 { &hf_smb_freeunits,
15839 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
15840 NULL, 0, "Number of free units at server", HFILL }},
15842 { &hf_smb_data_offset,
15843 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
15844 NULL, 0, "Data Offset", HFILL }},
15847 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
15848 NULL, 0, "Data Compaction Mode", HFILL }},
15850 { &hf_smb_request_mask,
15851 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
15852 NULL, 0, "Connectionless mode mask", HFILL }},
15854 { &hf_smb_response_mask,
15855 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
15856 NULL, 0, "Connectionless mode mask", HFILL }},
15858 { &hf_smb_search_id,
15859 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
15860 NULL, 0, "Search ID, handle for find operations", HFILL }},
15862 { &hf_smb_write_mode_write_through,
15863 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
15864 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
15866 { &hf_smb_write_mode_return_remaining,
15867 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
15868 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
15870 { &hf_smb_write_mode_raw,
15871 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
15872 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
15874 { &hf_smb_write_mode_message_start,
15875 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
15876 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
15878 { &hf_smb_write_mode_connectionless,
15879 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
15880 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
15882 { &hf_smb_resume_key_len,
15883 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
15884 NULL, 0, "Resume Key length", HFILL }},
15886 { &hf_smb_resume_find_id,
15887 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
15888 NULL, 0, "Handle for Find operation", HFILL }},
15890 { &hf_smb_resume_server_cookie,
15891 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
15892 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
15894 { &hf_smb_resume_client_cookie,
15895 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
15896 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
15898 { &hf_smb_andxoffset,
15899 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
15900 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
15902 { &hf_smb_lock_type_large,
15903 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
15904 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
15906 { &hf_smb_lock_type_cancel,
15907 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
15908 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
15910 { &hf_smb_lock_type_change,
15911 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
15912 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
15914 { &hf_smb_lock_type_oplock,
15915 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
15916 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
15918 { &hf_smb_lock_type_shared,
15919 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
15920 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
15922 { &hf_smb_locking_ol,
15923 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
15924 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
15926 { &hf_smb_number_of_locks,
15927 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
15928 NULL, 0, "Number of lock requests in this request", HFILL }},
15930 { &hf_smb_number_of_unlocks,
15931 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
15932 NULL, 0, "Number of unlock requests in this request", HFILL }},
15934 { &hf_smb_lock_long_length,
15935 { "Length", "smb.lock.length", FT_STRING, BASE_DEC,
15936 NULL, 0, "Length of lock/unlock region", HFILL }},
15938 { &hf_smb_lock_long_offset,
15939 { "Offset", "smb.lock.offset", FT_STRING, BASE_DEC,
15940 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
15942 { &hf_smb_file_type,
15943 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
15944 VALS(filetype_vals), 0, "Type of file", HFILL }},
15946 { &hf_smb_ipc_state_nonblocking,
15947 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
15948 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
15950 { &hf_smb_ipc_state_endpoint,
15951 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
15952 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
15954 { &hf_smb_ipc_state_pipe_type,
15955 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
15956 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
15958 { &hf_smb_ipc_state_read_mode,
15959 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
15960 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
15962 { &hf_smb_ipc_state_icount,
15963 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
15964 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
15966 { &hf_smb_server_fid,
15967 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
15968 NULL, 0, "Server unique File ID", HFILL }},
15970 { &hf_smb_open_flags_add_info,
15971 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
15972 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
15974 { &hf_smb_open_flags_ex_oplock,
15975 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
15976 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
15978 { &hf_smb_open_flags_batch_oplock,
15979 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
15980 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
15982 { &hf_smb_open_flags_ealen,
15983 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
15984 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
15986 { &hf_smb_open_action_open,
15987 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
15988 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
15990 { &hf_smb_open_action_lock,
15991 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
15992 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
15995 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
15996 NULL, 0, "VC Number", HFILL }},
15998 { &hf_smb_password_len,
15999 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
16000 NULL, 0, "Length of password", HFILL }},
16002 { &hf_smb_ansi_password_len,
16003 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
16004 NULL, 0, "Length of ANSI password", HFILL }},
16006 { &hf_smb_unicode_password_len,
16007 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
16008 NULL, 0, "Length of Unicode password", HFILL }},
16011 { "Account", "smb.account", FT_STRING, BASE_NONE,
16012 NULL, 0, "Account, username", HFILL }},
16015 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
16016 NULL, 0, "Which OS we are running", HFILL }},
16019 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
16020 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
16022 { &hf_smb_setup_action_guest,
16023 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
16024 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
16027 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
16028 NULL, 0, "Native File System", HFILL }},
16030 { &hf_smb_connect_flags_dtid,
16031 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
16032 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
16034 { &hf_smb_connect_support_search,
16035 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
16036 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
16038 { &hf_smb_connect_support_in_dfs,
16039 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
16040 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
16042 { &hf_smb_max_setup_count,
16043 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
16044 NULL, 0, "Maximum number of setup words to return", HFILL }},
16046 { &hf_smb_total_param_count,
16047 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
16048 NULL, 0, "Total number of parameter bytes", HFILL }},
16050 { &hf_smb_total_data_count,
16051 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
16052 NULL, 0, "Total number of data bytes", HFILL }},
16054 { &hf_smb_max_param_count,
16055 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
16056 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
16058 { &hf_smb_max_data_count,
16059 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
16060 NULL, 0, "Maximum number of data bytes to return", HFILL }},
16062 { &hf_smb_param_disp16,
16063 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
16064 NULL, 0, "Displacement of these parameter bytes", HFILL }},
16066 { &hf_smb_param_count16,
16067 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
16068 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
16070 { &hf_smb_param_offset16,
16071 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
16072 NULL, 0, "Offset (from header start) to parameters", HFILL }},
16074 { &hf_smb_param_disp32,
16075 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
16076 NULL, 0, "Displacement of these parameter bytes", HFILL }},
16078 { &hf_smb_param_count32,
16079 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
16080 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
16082 { &hf_smb_param_offset32,
16083 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
16084 NULL, 0, "Offset (from header start) to parameters", HFILL }},
16086 { &hf_smb_data_count16,
16087 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
16088 NULL, 0, "Number of data bytes in this buffer", HFILL }},
16090 { &hf_smb_data_disp16,
16091 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
16092 NULL, 0, "Data Displacement", HFILL }},
16094 { &hf_smb_data_offset16,
16095 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
16096 NULL, 0, "Data Offset", HFILL }},
16098 { &hf_smb_data_count32,
16099 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
16100 NULL, 0, "Number of data bytes in this buffer", HFILL }},
16102 { &hf_smb_data_disp32,
16103 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
16104 NULL, 0, "Data Displacement", HFILL }},
16106 { &hf_smb_data_offset32,
16107 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
16108 NULL, 0, "Data Offset", HFILL }},
16110 { &hf_smb_setup_count,
16111 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
16112 NULL, 0, "Number of setup words in this buffer", HFILL }},
16114 { &hf_smb_nt_trans_subcmd,
16115 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
16116 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
16118 { &hf_smb_nt_ioctl_function_code,
16119 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
16120 NULL, 0, "NT IOCTL function code", HFILL }},
16122 { &hf_smb_nt_ioctl_isfsctl,
16123 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
16124 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
16126 { &hf_smb_nt_ioctl_flags_root_handle,
16127 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
16128 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
16130 { &hf_smb_nt_ioctl_data,
16131 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
16132 NULL, 0, "Data for the IOCTL call", HFILL }},
16134 { &hf_smb_nt_notify_action,
16135 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
16136 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
16138 { &hf_smb_nt_notify_watch_tree,
16139 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
16140 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
16142 { &hf_smb_nt_notify_stream_write,
16143 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
16144 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
16146 { &hf_smb_nt_notify_stream_size,
16147 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
16148 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
16150 { &hf_smb_nt_notify_stream_name,
16151 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
16152 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
16154 { &hf_smb_nt_notify_security,
16155 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
16156 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
16158 { &hf_smb_nt_notify_ea,
16159 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
16160 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
16162 { &hf_smb_nt_notify_creation,
16163 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
16164 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
16166 { &hf_smb_nt_notify_last_access,
16167 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
16168 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
16170 { &hf_smb_nt_notify_last_write,
16171 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
16172 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
16174 { &hf_smb_nt_notify_size,
16175 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
16176 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
16178 { &hf_smb_nt_notify_attributes,
16179 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
16180 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
16182 { &hf_smb_nt_notify_dir_name,
16183 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
16184 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
16186 { &hf_smb_nt_notify_file_name,
16187 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
16188 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
16190 { &hf_smb_root_dir_fid,
16191 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
16192 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
16194 { &hf_smb_alloc_size64,
16195 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
16196 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
16198 { &hf_smb_nt_create_disposition,
16199 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
16200 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
16202 { &hf_smb_sd_length,
16203 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
16204 NULL, 0, "Total length of security descriptor", HFILL }},
16206 { &hf_smb_ea_list_length,
16207 { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
16208 NULL, 0, "Total length of extended attributes", HFILL }},
16210 { &hf_smb_ea_flags,
16211 { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
16212 NULL, 0, "EA Flags", HFILL }},
16214 { &hf_smb_ea_name_length,
16215 { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
16216 NULL, 0, "EA Name Length", HFILL }},
16218 { &hf_smb_ea_data_length,
16219 { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
16220 NULL, 0, "EA Data Length", HFILL }},
16223 { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
16224 NULL, 0, "EA Name", HFILL }},
16227 { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE,
16228 NULL, 0, "EA Data", HFILL }},
16230 { &hf_smb_file_name_len,
16231 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
16232 NULL, 0, "Length of File Name", HFILL }},
16234 { &hf_smb_nt_impersonation_level,
16235 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
16236 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
16238 { &hf_smb_nt_security_flags_context_tracking,
16239 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
16240 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
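/* Security flags, bit 0x02 ("effective only").  Only the misspelled
   description string is corrected; type, width and mask are unchanged. */
{ &hf_smb_nt_security_flags_effective_only,
	{ "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
	TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects of the user's SID available?", HFILL }},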
16246 { &hf_smb_nt_access_mask_generic_read,
16247 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
16248 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
16250 { &hf_smb_nt_access_mask_generic_write,
16251 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
16252 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
16254 { &hf_smb_nt_access_mask_generic_execute,
16255 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
16256 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
16258 { &hf_smb_nt_access_mask_generic_all,
16259 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
16260 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
16262 { &hf_smb_nt_access_mask_maximum_allowed,
16263 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
16264 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
16266 { &hf_smb_nt_access_mask_system_security,
16267 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
16268 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
16270 { &hf_smb_nt_access_mask_synchronize,
16271 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
16272 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
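/* WRITE_OWNER (0x00080000) is the right to change the owner recorded in
   the object's security descriptor.  It says nothing about what the
   current owner may write, so the description is worded accordingly;
   an analyst reading an access mask should not mistake it for plain
   write access. */
{ &hf_smb_nt_access_mask_write_owner,
	{ "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
	TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can the owner of the object be changed?", HFILL }},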
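/* WRITE_DAC (0x00040000) is the right to modify the object's
   discretionary ACL.  Changing the owner is governed by the separate
   Write Owner bit (0x00080000), so the description no longer mentions
   the owner or group. */
{ &hf_smb_nt_access_mask_write_dac,
	{ "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
	TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Can the object's discretionary ACL (DACL) be modified?", HFILL }},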
16282 { &hf_smb_nt_access_mask_read_control,
16283 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
16284 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
16286 { &hf_smb_nt_access_mask_delete,
16287 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
16288 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
16290 { &hf_smb_nt_access_mask_write_attributes,
16291 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
16292 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
16294 { &hf_smb_nt_access_mask_read_attributes,
16295 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
16296 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
16298 { &hf_smb_nt_access_mask_delete_child,
16299 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
16300 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
16303 * "Execute" for files, "traverse" for directories.
16305 { &hf_smb_nt_access_mask_execute,
16306 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
16307 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
16309 { &hf_smb_nt_access_mask_write_ea,
16310 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
16311 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
16313 { &hf_smb_nt_access_mask_read_ea,
16314 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
16315 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
16318 * "Append data" for files, "add subdirectory" for directories,
16319 * "create pipe instance" for named pipes.
16321 { &hf_smb_nt_access_mask_append,
16322 { "Append", "smb.access.append", FT_BOOLEAN, 32,
16323 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
16326 * "Write data" for files and pipes, "add file" for directory.
16328 { &hf_smb_nt_access_mask_write,
16329 { "Write", "smb.access.write", FT_BOOLEAN, 32,
16330 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
16333 * "Read data" for files and pipes, "list directory" for directory.
16335 { &hf_smb_nt_access_mask_read,
16336 { "Read", "smb.access.read", FT_BOOLEAN, 32,
16337 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
16339 { &hf_smb_nt_create_bits_oplock,
16340 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
16341 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
16343 { &hf_smb_nt_create_bits_boplock,
16344 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
16345 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
16347 { &hf_smb_nt_create_bits_dir,
16348 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
16349 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
16351 { &hf_smb_nt_create_bits_ext_resp,
16352 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
16353 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
16355 { &hf_smb_nt_create_options_directory_file,
16356 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
16357 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
16359 { &hf_smb_nt_create_options_write_through,
16360 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
16361 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
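/* Create option 0x00000004 ("sequential only").  Only the garbled
   description string is corrected; type, width and mask are unchanged. */
{ &hf_smb_nt_create_options_sequential_only,
	{ "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
	TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will access to this file only be sequential?", HFILL }},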
16367 { &hf_smb_nt_create_options_sync_io_alert,
16368 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
16369 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
16371 { &hf_smb_nt_create_options_sync_io_nonalert,
16372 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
16373 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
16375 { &hf_smb_nt_create_options_non_directory_file,
16376 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
16377 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
16379 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
16380 and "NtOpenFile()"; is that sent over the wire? Network
16381 Monitor thinks so, but its author may just have grabbed
16382 the flag bits from a system header file. */
16384 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
16385 and "NtOpenFile()"; is that sent over the wire? NetMon
16386 thinks so, but see previous comment. */
16388 { &hf_smb_nt_create_options_no_ea_knowledge,
16389 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
16390 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
16392 { &hf_smb_nt_create_options_eight_dot_three_only,
16393 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
16394 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
16396 { &hf_smb_nt_create_options_random_access,
16397 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
16398 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
16400 { &hf_smb_nt_create_options_delete_on_close,
16401 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
16402 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
16404 /* 0x00002000 is "open by FID", or something such as that (which
16405 I suspect is like "open by inumber" on UNIX), at least in
16406 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
16407 wire? NetMon thinks so, but see previous comment. */
16409 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
16410 and "NtOpenFile()"; is that sent over the wire? NetMon
16411 thinks so, but see previous comment. */
16413 { &hf_smb_nt_share_access_read,
16414 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
16415 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
16417 { &hf_smb_nt_share_access_write,
16418 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
16419 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
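/* Share access bit 0x00000004 (delete).  The description was an empty
   string; it now follows the wording of the read and write share-access
   entries next to it. */
{ &hf_smb_nt_share_access_delete,
	{ "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
	TFS(&tfs_nt_share_access_delete), 0x00000004, "Can the object be shared for delete?", HFILL }},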
16425 { &hf_smb_file_eattr_read_only,
16426 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
16427 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16429 { &hf_smb_file_eattr_hidden,
16430 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
16431 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16433 { &hf_smb_file_eattr_system,
16434 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
16435 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16437 { &hf_smb_file_eattr_volume,
16438 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
16439 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
16441 { &hf_smb_file_eattr_directory,
16442 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
16443 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16445 { &hf_smb_file_eattr_archive,
16446 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
16447 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16449 { &hf_smb_file_eattr_device,
16450 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
16451 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
16453 { &hf_smb_file_eattr_normal,
16454 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
16455 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
16457 { &hf_smb_file_eattr_temporary,
16458 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
16459 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
16461 { &hf_smb_file_eattr_sparse,
16462 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
16463 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
16465 { &hf_smb_file_eattr_reparse,
16466 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
16467 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
16469 { &hf_smb_file_eattr_compressed,
16470 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
16471 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
16473 { &hf_smb_file_eattr_offline,
16474 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
16475 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
16477 { &hf_smb_file_eattr_not_content_indexed,
16478 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
16479 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
16481 { &hf_smb_file_eattr_encrypted,
16482 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
16483 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
16485 { &hf_smb_sec_desc_len,
16486 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
16487 NULL, 0, "Security Descriptor Length", HFILL }},
16489 { &hf_smb_nt_qsd_owner,
16490 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
16491 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
16493 { &hf_smb_nt_qsd_group,
16494 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
16495 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
16497 { &hf_smb_nt_qsd_dacl,
16498 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
16499 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
16501 { &hf_smb_nt_qsd_sacl,
16502 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
16503 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
16505 { &hf_smb_extended_attributes,
16506 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
16507 NULL, 0, "Extended Attributes", HFILL }},
16509 { &hf_smb_oplock_level,
16510 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
16511 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
16513 { &hf_smb_create_action,
16514 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
16515 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
16518 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
16519 NULL, 0, "Server unique file ID", HFILL }},
16521 { &hf_smb_ea_error_offset,
16522 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
16523 NULL, 0, "Offset into EA list if EA error", HFILL }},
16525 { &hf_smb_end_of_file,
16526 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
16527 NULL, 0, "Offset to the first free byte in the file", HFILL }},
16530 { "Replace", "smb.replace", FT_BOOLEAN, BASE_NONE,
16531 TFS(&tfs_smb_replace), 0x0, "Remove target if it exists?", HFILL }},
16533 { &hf_smb_root_dir_handle,
16534 { "Root Directory Handle", "smb.root_dir_handle", FT_UINT32, BASE_HEX,
16535 NULL, 0, "Root directory handle", HFILL }},
16537 { &hf_smb_target_name_len,
16538 { "Target name length", "smb.target_name_len", FT_UINT32, BASE_DEC,
16539 NULL, 0, "Length of target file name", HFILL }},
16541 { &hf_smb_target_name,
16542 { "Target name", "smb.target_name", FT_STRING, BASE_NONE,
16543 NULL, 0, "Target file name", HFILL }},
16545 { &hf_smb_device_type,
16546 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
16547 VALS(device_type_vals), 0, "Type of device", HFILL }},
16549 { &hf_smb_is_directory,
16550 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
16551 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
16553 { &hf_smb_next_entry_offset,
16554 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
16555 NULL, 0, "Offset to next entry", HFILL }},
16557 { &hf_smb_change_time,
16558 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
16559 NULL, 0, "Last Change Time", HFILL }},
16561 { &hf_smb_setup_len,
16562 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
16563 NULL, 0, "Length of printer setup data", HFILL }},
16565 { &hf_smb_print_mode,
16566 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
16567 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
16569 { &hf_smb_print_identifier,
16570 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
16571 NULL, 0, "Identifier string for this print job", HFILL }},
16573 { &hf_smb_restart_index,
16574 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
16575 NULL, 0, "Index of entry after last returned", HFILL }},
16577 { &hf_smb_print_queue_date,
16578 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
16579 NULL, 0, "Date when this entry was queued", HFILL }},
16581 { &hf_smb_print_queue_dos_date,
16582 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
16583 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
16585 { &hf_smb_print_queue_dos_time,
16586 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
16587 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
16589 { &hf_smb_print_status,
16590 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
16591 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
16593 { &hf_smb_print_spool_file_number,
16594 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
16595 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
16597 { &hf_smb_print_spool_file_size,
16598 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
16599 NULL, 0, "Number of bytes in spool file", HFILL }},
16601 { &hf_smb_print_spool_file_name,
16602 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
16603 NULL, 0, "Name of client that submitted this job", HFILL }},
16605 { &hf_smb_start_index,
16606 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
16607 NULL, 0, "First queue entry to return", HFILL }},
16609 { &hf_smb_originator_name,
16610 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
16611 NULL, 0, "Name of sender of message", HFILL }},
16613 { &hf_smb_destination_name,
16614 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
16615 NULL, 0, "Name of recipient of message", HFILL }},
16617 { &hf_smb_message_len,
16618 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
16619 NULL, 0, "Length of message", HFILL }},
16622 { "Message", "smb.message", FT_STRING, BASE_NONE,
16623 NULL, 0, "Message text", HFILL }},
16626 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
16627 NULL, 0, "Message group ID for multi-block messages", HFILL }},
16629 { &hf_smb_forwarded_name,
16630 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
16631 NULL, 0, "Recipient name being forwarded", HFILL }},
16633 { &hf_smb_machine_name,
16634 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
16635 NULL, 0, "Name of target machine", HFILL }},
16637 { &hf_smb_cancel_to,
16638 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
16639 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
16641 { &hf_smb_trans2_subcmd,
16642 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
16643 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
16645 { &hf_smb_trans_name,
16646 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
16647 NULL, 0, "Name of transaction", HFILL }},
16649 { &hf_smb_transaction_flags_dtid,
16650 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
16651 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
16653 { &hf_smb_transaction_flags_owt,
16654 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
16655 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
16657 { &hf_smb_search_count,
16658 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
16659 NULL, 0, "Maximum number of search entries to return", HFILL }},
16661 { &hf_smb_search_pattern,
16662 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
16663 NULL, 0, "Search Pattern", HFILL }},
16665 { &hf_smb_ff2_backup,
16666 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
16667 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
16669 { &hf_smb_ff2_continue,
16670 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
16671 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
16673 { &hf_smb_ff2_resume,
16674 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
16675 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
16677 { &hf_smb_ff2_close_eos,
16678 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
16679 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
16681 { &hf_smb_ff2_close,
16682 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
16683 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
16685 { &hf_smb_ff2_information_level,
16686 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
16687 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
16690 { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_DEC,
16691 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
16694 { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_DEC,
16695 VALS(spi_loi_vals), 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
16698 { &hf_smb_sfi_writetru,
16699 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
16700 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
16702 { &hf_smb_sfi_caching,
16703 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
16704 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
16707 { &hf_smb_storage_type,
16708 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
16709 NULL, 0, "Type of storage", HFILL }},
16712 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
16713 NULL, 0, "Resume Key", HFILL }},
16715 { &hf_smb_max_referral_level,
16716 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
16717 NULL, 0, "Latest referral version number understood", HFILL }},
16719 { &hf_smb_qfsi_information_level,
16720 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_HEX,
16721 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
16723 { &hf_smb_nt_rename_level,
16724 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
16725 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
16727 { &hf_smb_cluster_count,
16728 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
16729 NULL, 0, "Number of clusters", HFILL }},
16731 { &hf_smb_number_of_links,
16732 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
16733 NULL, 0, "Number of hard links to the file", HFILL }},
16735 { &hf_smb_delete_pending,
16736 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
16737 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
16739 { &hf_smb_index_number,
16740 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
16741 NULL, 0, "File system unique identifier", HFILL }},
16743 { &hf_smb_current_offset,
16744 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
16745 NULL, 0, "Current offset in the file", HFILL }},
16747 { &hf_smb_t2_alignment,
16748 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
16749 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
16751 { &hf_smb_t2_stream_name_length,
16752 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
16753 NULL, 0, "Length of stream name", HFILL }},
16755 { &hf_smb_t2_stream_size,
16756 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
16757 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16759 { &hf_smb_t2_stream_name,
16760 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
16761 NULL, 0, "Name of the stream", HFILL }},
16763 { &hf_smb_t2_compressed_file_size,
16764 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
16765 NULL, 0, "Size of the compressed file", HFILL }},
16767 { &hf_smb_t2_compressed_format,
16768 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
16769 NULL, 0, "Compression algorithm used", HFILL }},
16771 { &hf_smb_t2_compressed_unit_shift,
16772 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
16773 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16775 { &hf_smb_t2_compressed_chunk_shift,
16776 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
16777 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16779 { &hf_smb_t2_compressed_cluster_shift,
16780 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
16781 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16783 { &hf_smb_t2_marked_for_deletion,
16784 { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
16785 TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
16787 { &hf_smb_dfs_path_consumed,
16788 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
16789 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
16791 { &hf_smb_dfs_num_referrals,
16792 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
16793 NULL, 0, "Number of referrals in this pdu", HFILL }},
16795 { &hf_smb_get_dfs_server_hold_storage,
16796 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
16797 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
16799 { &hf_smb_get_dfs_fielding,
16800 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
16801 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
16803 { &hf_smb_dfs_referral_version,
16804 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
16805 NULL, 0, "Version of referral element", HFILL }},
16807 { &hf_smb_dfs_referral_size,
16808 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
16809 NULL, 0, "Size of referral element", HFILL }},
16811 { &hf_smb_dfs_referral_server_type,
16812 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
16813 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
16815 { &hf_smb_dfs_referral_flags_strip,
16816 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
16817 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
16819 { &hf_smb_dfs_referral_node_offset,
16820 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
16821 NULL, 0, "Offset of name of entity to visit next", HFILL }},
16823 { &hf_smb_dfs_referral_node,
16824 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
16825 NULL, 0, "Name of entity to visit next", HFILL }},
16827 { &hf_smb_dfs_referral_proximity,
16828 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
16829 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
16831 { &hf_smb_dfs_referral_ttl,
16832 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
16833 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
16835 { &hf_smb_dfs_referral_path_offset,
16836 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
16837 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
16839 { &hf_smb_dfs_referral_path,
16840 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
16841 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
16843 { &hf_smb_dfs_referral_alt_path_offset,
16844 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
16845 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
16847 { &hf_smb_dfs_referral_alt_path,
16848 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
16849 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
16851 { &hf_smb_end_of_search,
16852 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
16853 NULL, 0, "Was last entry returned?", HFILL }},
16855 { &hf_smb_last_name_offset,
16856 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
16857 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
16859 { &hf_smb_fn_information_level,
16860 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
16861 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
16863 { &hf_smb_monitor_handle,
16864 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
16865 NULL, 0, "Handle for Find Notify operations", HFILL }},
16867 { &hf_smb_change_count,
16868 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
16869 NULL, 0, "Number of changes to wait for", HFILL }},
16871 { &hf_smb_file_index,
16872 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
16873 NULL, 0, "File index", HFILL }},
16875 { &hf_smb_short_file_name,
16876 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
16877 NULL, 0, "Short (8.3) File Name", HFILL }},
16879 { &hf_smb_short_file_name_len,
16880 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
16881 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
16884 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
16885 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
16888 { "FS GUID", "smb.fs_guid", FT_STRING, BASE_NONE,
16889 NULL, 0, "File System GUID", HFILL }},
16891 { &hf_smb_sector_unit,
16892 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
16893 NULL, 0, "Sectors per allocation unit", HFILL }},
16895 { &hf_smb_fs_units,
16896 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
16897 NULL, 0, "Total number of units on this filesystem", HFILL }},
16899 { &hf_smb_fs_sector,
16900 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
16901 NULL, 0, "Bytes per sector", HFILL }},
16903 { &hf_smb_avail_units,
16904 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
16905 NULL, 0, "Total number of available units on this filesystem", HFILL }},
16907 { &hf_smb_volume_serial_num,
16908 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
16909 NULL, 0, "Volume serial number", HFILL }},
16911 { &hf_smb_volume_label_len,
16912 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
16913 NULL, 0, "Length of volume label", HFILL }},
16915 { &hf_smb_volume_label,
16916 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
16917 NULL, 0, "Volume label", HFILL }},
16919 { &hf_smb_free_alloc_units64,
16920 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
16921 NULL, 0, "Number of free allocation units", HFILL }},
16923 { &hf_smb_caller_free_alloc_units64,
16924 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
16925 NULL, 0, "Number of caller free allocation units", HFILL }},
16927 { &hf_smb_actual_free_alloc_units64,
16928 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
16929 NULL, 0, "Number of actual free allocation units", HFILL }},
16931 { &hf_smb_soft_quota_limit,
16932 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
16933 NULL, 0, "Soft Quota treshold", HFILL }},
16935 { &hf_smb_hard_quota_limit,
16936 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
16937 NULL, 0, "Hard Quota limit", HFILL }},
16939 { &hf_smb_user_quota_used,
16940 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
16941 NULL, 0, "How much Quota is used by this user", HFILL }},
16943 { &hf_smb_max_name_len,
16944 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
16945 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
16947 { &hf_smb_fs_name_len,
16948 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
16949 NULL, 0, "Length of filesystem name in bytes", HFILL }},
16952 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
16953 NULL, 0, "Name of filesystem", HFILL }},
16955 { &hf_smb_device_char_removable,
16956 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
16957 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
16959 { &hf_smb_device_char_read_only,
16960 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
16961 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
16963 { &hf_smb_device_char_floppy,
16964 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
16965 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
16967 { &hf_smb_device_char_write_once,
16968 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
16969 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
16971 { &hf_smb_device_char_remote,
16972 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
16973 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
16975 { &hf_smb_device_char_mounted,
16976 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
16977 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
16979 { &hf_smb_device_char_virtual,
16980 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
16981 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
16983 { &hf_smb_fs_attr_css,
16984 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
16985 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
16987 { &hf_smb_fs_attr_cpn,
16988 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
16989 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
16991 { &hf_smb_fs_attr_uod,
16992 { "Unicode On Disk", "smb.fs_attr.uod", FT_BOOLEAN, 32,
16993 TFS(&tfs_fs_attr_uod), 0x00000004, "Does this FS support Unicode On Disk?", HFILL }},
16995 { &hf_smb_fs_attr_pacls,
16996 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
16997 TFS(&tfs_fs_attr_pacls), 0x00000008, "Does this FS support Persistent ACLs?", HFILL }},
16999 { &hf_smb_fs_attr_fc,
17000 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
17001 TFS(&tfs_fs_attr_fc), 0x00000010, "Does this FS support File Compression?", HFILL }},
17003 { &hf_smb_fs_attr_vq,
17004 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
17005 TFS(&tfs_fs_attr_vq), 0x00000020, "Does this FS support Volume Quotas?", HFILL }},
17007 { &hf_smb_fs_attr_ssf,
17008 { "Sparse Files", "smb.fs_attr.ssf", FT_BOOLEAN, 32,
17009 TFS(&tfs_fs_attr_ssf), 0x00000040, "Does this FS support SPARSE FILES?", HFILL }},
17011 { &hf_smb_fs_attr_srp,
17012 { "Reparse Points", "smb.fs_attr.srp", FT_BOOLEAN, 32,
17013 TFS(&tfs_fs_attr_srp), 0x00000080, "Does this FS support REPARSE POINTS?", HFILL }},
17015 { &hf_smb_fs_attr_srs,
17016 { "Remote Storage", "smb.fs_attr.srs", FT_BOOLEAN, 32,
17017 TFS(&tfs_fs_attr_srs), 0x00000100, "Does this FS support REMOTE STORAGE?", HFILL }},
17019 { &hf_smb_fs_attr_sla,
17020 { "LFN APIs", "smb.fs_attr.sla", FT_BOOLEAN, 32,
17021 TFS(&tfs_fs_attr_sla), 0x00004000, "Does this FS support LFN APIs?", HFILL }},
17023 { &hf_smb_fs_attr_vic,
17024 { "Volume Is Compressed", "smb.fs_attr.vis", FT_BOOLEAN, 32,
17025 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS on a compressed volume?", HFILL }},
17027 { &hf_smb_fs_attr_soids,
17028 { "Supports OIDs", "smb.fs_attr.soids", FT_BOOLEAN, 32,
17029 TFS(&tfs_fs_attr_soids), 0x00010000, "Does this FS support OIDs?", HFILL }},
17031 { &hf_smb_fs_attr_se,
17032 { "Supports Encryption", "smb.fs_attr.se", FT_BOOLEAN, 32,
17033 TFS(&tfs_fs_attr_se), 0x00020000, "Does this FS support encryption?", HFILL }},
17035 { &hf_smb_fs_attr_ns,
17036 { "Named Streams", "smb.fs_attr.ns", FT_BOOLEAN, 32,
17037 TFS(&tfs_fs_attr_ns), 0x00040000, "Does this FS support named streams?", HFILL }},
17039 { &hf_smb_fs_attr_rov,
17040 { "Read Only Volume", "smb.fs_attr.rov", FT_BOOLEAN, 32,
17041 TFS(&tfs_fs_attr_rov), 0x00080000, "Is this FS on a read only volume?", HFILL }},
17043 { &hf_smb_user_quota_offset,
17044 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
17045 NULL, 0, "Relative offset to next user quota structure", HFILL }},
17047 { &hf_smb_pipe_write_len,
17048 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
17049 NULL, 0, "Number of bytes written to pipe", HFILL }},
17051 { &hf_smb_quota_flags_deny_disk,
17052 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
17053 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
17055 { &hf_smb_quota_flags_log_limit,
17056 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
17057 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
17059 { &hf_smb_quota_flags_log_warning,
17060 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
17061 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
17063 { &hf_smb_quota_flags_enabled,
17064 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
17065 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
17067 { &hf_smb_segment_overlap,
17068 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17069 "Fragment overlaps with other fragments", HFILL }},
17071 { &hf_smb_segment_overlap_conflict,
17072 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17073 "Overlapping fragments contained conflicting data", HFILL }},
17075 { &hf_smb_segment_multiple_tails,
17076 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17077 "Several tails were found when defragmenting the packet", HFILL }},
17079 { &hf_smb_segment_too_long_fragment,
17080 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17081 "Fragment contained data past end of packet", HFILL }},
17083 { &hf_smb_segment_error,
17084 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
17085 "Defragmentation error due to illegal fragments", HFILL }},
17088 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
17089 "SMB Segment", HFILL }},
17091 { &hf_smb_segments,
17092 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
17093 "SMB Segments", HFILL }},
17095 { &hf_smb_unix_major_version,
17096 { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
17097 NULL, 0, "UNIX Major Version", HFILL }},
17099 { &hf_smb_unix_minor_version,
17100 { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
17101 NULL, 0, "UNIX Minor Version", HFILL }},
17103 { &hf_smb_unix_capability_fcntl,
17104 { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
17105 TFS(&flags_set_truth), 0x00000001, "", HFILL }},
17107 { &hf_smb_unix_capability_posix_acl,
17108 { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
17109 TFS(&flags_set_truth), 0x00000002, "", HFILL }},
17111 { &hf_smb_unix_file_size,
17112 { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
17113 NULL, 0, "", HFILL }},
17115 { &hf_smb_unix_file_num_bytes,
17116 { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
17117 NULL, 0, "Number of bytes used to store the file", HFILL }},
17119 { &hf_smb_unix_file_last_status,
17120 { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, BASE_NONE,
17121 NULL, 0, "", HFILL }},
17123 { &hf_smb_unix_file_last_access,
17124 { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, BASE_NONE,
17125 NULL, 0, "", HFILL }},
17127 { &hf_smb_unix_file_last_change,
17128 { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, BASE_NONE,
17129 NULL, 0, "", HFILL }},
17131 { &hf_smb_unix_file_uid,
17132 { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
17133 NULL, 0, "", HFILL }},
17135 { &hf_smb_unix_file_gid,
17136 { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
17137 NULL, 0, "", HFILL }},
17139 { &hf_smb_unix_file_type,
17140 { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
17141 VALS(unix_file_type_vals), 0, "", HFILL }},
17143 { &hf_smb_unix_file_dev_major,
17144 { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
17145 NULL, 0, "", HFILL }},
17147 { &hf_smb_unix_file_dev_minor,
17148 { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
17149 NULL, 0, "", HFILL }},
17151 { &hf_smb_unix_file_unique_id,
17152 { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
17153 NULL, 0, "", HFILL }},
17155 { &hf_smb_unix_file_permissions,
17156 { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
17157 NULL, 0, "", HFILL }},
17159 { &hf_smb_unix_file_nlinks,
17160 { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
17161 NULL, 0, "", HFILL }},
17163 { &hf_smb_unix_file_link_dest,
17164 { "Link destination", "smb.unix.file.link_dest", FT_STRING,
17165 BASE_NONE, NULL, 0, "", HFILL }},
17167 { &hf_smb_unix_find_file_nextoffset,
17168 { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
17169 NULL, 0, "", HFILL }},
17171 { &hf_smb_unix_find_file_resumekey,
17172 { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
17173 NULL, 0, "", HFILL }},
17176 static gint *ett[] = {
17180 &ett_smb_fileattributes,
17181 &ett_smb_capabilities,
17189 &ett_smb_desiredaccess,
17192 &ett_smb_openfunction,
17194 &ett_smb_openaction,
17195 &ett_smb_writemode,
17196 &ett_smb_lock_type,
17197 &ett_smb_ssetupandxaction,
17198 &ett_smb_optionsup,
17199 &ett_smb_time_date,
17200 &ett_smb_move_copy_flags,
17201 &ett_smb_file_attributes,
17202 &ett_smb_search_resume_key,
17203 &ett_smb_search_dir_info,
17208 &ett_smb_open_flags,
17209 &ett_smb_ipc_state,
17210 &ett_smb_open_action,
17211 &ett_smb_setup_action,
17212 &ett_smb_connect_flags,
17213 &ett_smb_connect_support_bits,
17214 &ett_smb_nt_access_mask,
17215 &ett_smb_nt_create_bits,
17216 &ett_smb_nt_create_options,
17217 &ett_smb_nt_share_access,
17218 &ett_smb_nt_security_flags,
17219 &ett_smb_nt_trans_setup,
17220 &ett_smb_nt_trans_data,
17221 &ett_smb_nt_trans_param,
17222 &ett_smb_nt_notify_completion_filter,
17223 &ett_smb_nt_ioctl_flags,
17224 &ett_smb_security_information_mask,
17225 &ett_smb_print_queue_entry,
17226 &ett_smb_transaction_flags,
17227 &ett_smb_transaction_params,
17228 &ett_smb_find_first2_flags,
17232 &ett_smb_transaction_data,
17233 &ett_smb_stream_info,
17234 &ett_smb_dfs_referrals,
17235 &ett_smb_dfs_referral,
17236 &ett_smb_dfs_referral_flags,
17237 &ett_smb_get_dfs_flags,
17239 &ett_smb_device_characteristics,
17240 &ett_smb_fs_attributes,
17243 &ett_smb_quotaflags,
17245 &ett_smb_mac_support_flags,
17246 &ett_smb_unicode_password,
17248 &ett_smb_unix_capabilities
17250 module_t *smb_module;
17252 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
17254 proto_register_subtree_array(ett, array_length(ett));
17255 proto_register_field_array(proto_smb, hf, array_length(hf));
17257 proto_do_register_windows_common(proto_smb);
17259 register_init_routine(&smb_init_protocol);
17260 smb_module = prefs_register_protocol(proto_smb, NULL);
17261 prefs_register_bool_preference(smb_module, "trans_reassembly",
17262 "Reassemble SMB Transaction payload",
17263 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
17264 &smb_trans_reassembly);
17265 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
17266 "Reassemble DCERPC over SMB",
17267 "Whether the dissector should reassemble DCERPC over SMB commands",
17268 &smb_dcerpc_reassembly);
17269 prefs_register_bool_preference(smb_module, "sid_name_snooping",
17270 "Snoop SID to Name mappings",
17271 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
17272 &sid_name_snooping);
17274 register_init_routine(smb_trans_reassembly_init);
17275 smb_tap = register_tap("smb");
17279 proto_reg_handoff_smb(void)
17281 dissector_handle_t smb_handle;
17283 gssapi_handle = find_dissector("gssapi");
17284 ntlmssp_handle = find_dissector("ntlmssp");
17286 heur_dissector_add("netbios", dissect_smb_heur, proto_smb);
17287 heur_dissector_add("cotp", dissect_smb_heur, proto_smb);
17288 heur_dissector_add("vines_spp", dissect_smb_heur, proto_smb);
17289 smb_handle = create_dissector_handle(dissect_smb, proto_smb);
17290 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
17291 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
17292 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER,