2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/conversation.h>
41 #include <epan/emem.h>
42 #include <epan/dissectors/packet-smb.h>
43 #include <epan/strutil.h>
44 #include <epan/prefs.h>
45 #include <epan/reassemble.h>
47 #include "packet-ipx.h"
48 #include "packet-idp.h"
50 #include "packet-windows-common.h"
51 #include "packet-smb-common.h"
52 #include "packet-smb-mailslot.h"
53 #include "packet-smb-pipe.h"
54 #include "packet-dcerpc.h"
55 #include "packet-ntlmssp.h"
56 #include "packet-smb2.h"
59 * Various specifications and documents about SMB can be found in
61 * ftp://ftp.microsoft.com/developr/drg/CIFS/
63 * and a CIFS specification from the Storage Networking Industry Association
64 * can be found on a link from the page at
66 * http://www.snia.org/tech_activities/CIFS
68 * (it supersedes the document at
70 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
74 * There are also some Open Group publications documenting CIFS available
75 * for download; catalog entries for them are at:
77 * http://www.opengroup.org/products/publications/catalog/c209.htm
79 * http://www.opengroup.org/products/publications/catalog/c195.htm
81 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
84 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
86 * (or, presumably a similar path under the Samba mirrors). As the
87 * ".doc" indicates, it's a Word document. Some of the specs from the
88 * Microsoft FTP site can be found in the
90 * http://www.samba.org/samba/ftp/specs/
94 * Beware - these specs may have errors.
/*
 * Handles for the SMB protocol itself (proto_smb) and for individual header
 * fields (hf_smb_*). Each one is a file-scope static int that starts at -1.
 * NOTE(review): presumably the -1 values are replaced when the protocol and
 * its fields are registered; the registration code is not in this listing.
 */
96 static int proto_smb = -1;
97 static int hf_smb_cmd = -1;
98 static int hf_smb_mapped_in = -1;
99 static int hf_smb_unmapped_in = -1;
100 static int hf_smb_opened_in = -1;
101 static int hf_smb_closed_in = -1;
102 static int hf_smb_key = -1;
103 static int hf_smb_session_id = -1;
104 static int hf_smb_sequence_num = -1;
105 static int hf_smb_group_id = -1;
106 static int hf_smb_pid = -1;
107 static int hf_smb_tid = -1;
108 static int hf_smb_uid = -1;
109 static int hf_smb_mid = -1;
110 static int hf_smb_pid_high = -1;
111 static int hf_smb_sig = -1;
112 static int hf_smb_response_to = -1;
113 static int hf_smb_time = -1;
114 static int hf_smb_response_in = -1;
115 static int hf_smb_continuation_to = -1;
116 static int hf_smb_nt_status = -1;
117 static int hf_smb_error_class = -1;
118 static int hf_smb_error_code = -1;
119 static int hf_smb_reserved = -1;
120 static int hf_smb_create_flags = -1;
121 static int hf_smb_create_options = -1;
122 static int hf_smb_share_access = -1;
123 static int hf_smb_access_mask = -1;
124 static int hf_smb_flags_lock = -1;
125 static int hf_smb_flags_receive_buffer = -1;
126 static int hf_smb_flags_caseless = -1;
127 static int hf_smb_flags_canon = -1;
128 static int hf_smb_flags_oplock = -1;
129 static int hf_smb_flags_notify = -1;
130 static int hf_smb_flags_response = -1;
131 static int hf_smb_flags2_long_names_allowed = -1;
132 static int hf_smb_flags2_ea = -1;
133 static int hf_smb_flags2_sec_sig = -1;
134 static int hf_smb_flags2_long_names_used = -1;
135 static int hf_smb_flags2_esn = -1;
136 static int hf_smb_flags2_dfs = -1;
137 static int hf_smb_flags2_roe = -1;
138 static int hf_smb_flags2_nt_error = -1;
139 static int hf_smb_flags2_string = -1;
140 static int hf_smb_word_count = -1;
141 static int hf_smb_byte_count = -1;
142 static int hf_smb_buffer_format = -1;
143 static int hf_smb_dialect_name = -1;
144 static int hf_smb_dialect_index = -1;
145 static int hf_smb_max_trans_buf_size = -1;
146 static int hf_smb_max_mpx_count = -1;
147 static int hf_smb_max_vcs_num = -1;
148 static int hf_smb_session_key = -1;
149 static int hf_smb_server_timezone = -1;
150 static int hf_smb_encryption_key_length = -1;
151 static int hf_smb_encryption_key = -1;
152 static int hf_smb_primary_domain = -1;
153 static int hf_smb_server = -1;
154 static int hf_smb_max_raw_buf_size = -1;
155 static int hf_smb_server_guid = -1;
156 static int hf_smb_security_blob_len = -1;
157 static int hf_smb_security_blob = -1;
158 static int hf_smb_sm_mode16 = -1;
159 static int hf_smb_sm_password16 = -1;
160 static int hf_smb_sm_mode = -1;
161 static int hf_smb_sm_password = -1;
162 static int hf_smb_sm_signatures = -1;
163 static int hf_smb_sm_sig_required = -1;
164 static int hf_smb_rm_read = -1;
165 static int hf_smb_rm_write = -1;
166 static int hf_smb_server_date_time = -1;
167 static int hf_smb_server_smb_date = -1;
168 static int hf_smb_server_smb_time = -1;
169 static int hf_smb_server_cap_raw_mode = -1;
170 static int hf_smb_server_cap_mpx_mode = -1;
171 static int hf_smb_server_cap_unicode = -1;
172 static int hf_smb_server_cap_large_files = -1;
173 static int hf_smb_server_cap_nt_smbs = -1;
174 static int hf_smb_server_cap_rpc_remote_apis = -1;
175 static int hf_smb_server_cap_nt_status = -1;
176 static int hf_smb_server_cap_level_ii_oplocks = -1;
177 static int hf_smb_server_cap_lock_and_read = -1;
178 static int hf_smb_server_cap_nt_find = -1;
179 static int hf_smb_server_cap_dfs = -1;
180 static int hf_smb_server_cap_infolevel_passthru = -1;
181 static int hf_smb_server_cap_large_readx = -1;
182 static int hf_smb_server_cap_large_writex = -1;
183 static int hf_smb_server_cap_unix = -1;
184 static int hf_smb_server_cap_reserved = -1;
185 static int hf_smb_server_cap_bulk_transfer = -1;
186 static int hf_smb_server_cap_compressed_data = -1;
187 static int hf_smb_server_cap_extended_security = -1;
188 static int hf_smb_system_time = -1;
189 static int hf_smb_unknown = -1;
190 static int hf_smb_dir_name = -1;
191 static int hf_smb_echo_count = -1;
192 static int hf_smb_echo_data = -1;
193 static int hf_smb_echo_seq_num = -1;
194 static int hf_smb_max_buf_size = -1;
/*
 * NOTE(review): going by their names, the password handles below, together
 * with hf_smb_session_key, hf_smb_encryption_key and hf_smb_security_blob
 * above, back fields that show authentication material carried in the
 * packet. Captures and exported dissections that include them should be
 * handled as sensitive data - confirm against the field registrations.
 */
195 static int hf_smb_password = -1;
196 static int hf_smb_password_len = -1;
197 static int hf_smb_ansi_password = -1;
198 static int hf_smb_ansi_password_len = -1;
199 static int hf_smb_unicode_password = -1;
200 static int hf_smb_unicode_password_len = -1;
/*
 * Further hf_smb_* field handles, all file-scope static ints that start
 * at -1. By name they cover paths, access masks, file attributes,
 * timestamps, locking, session and tree-connect results, and the
 * transaction count/offset/displacement values.
 */
201 static int hf_smb_path = -1;
202 static int hf_smb_service = -1;
203 static int hf_smb_move_flags_file = -1;
204 static int hf_smb_move_flags_dir = -1;
205 static int hf_smb_move_flags_verify = -1;
206 static int hf_smb_files_moved = -1;
207 static int hf_smb_file_access_mask_read_data = -1;
208 static int hf_smb_file_access_mask_write_data = -1;
209 static int hf_smb_file_access_mask_append_data = -1;
210 static int hf_smb_file_access_mask_read_ea = -1;
211 static int hf_smb_file_access_mask_write_ea = -1;
212 static int hf_smb_file_access_mask_execute = -1;
213 static int hf_smb_file_access_mask_read_attribute = -1;
214 static int hf_smb_file_access_mask_write_attribute = -1;
215 static int hf_smb_dir_access_mask_list = -1;
216 static int hf_smb_dir_access_mask_add_file = -1;
217 static int hf_smb_dir_access_mask_add_subdir = -1;
218 static int hf_smb_dir_access_mask_read_ea = -1;
219 static int hf_smb_dir_access_mask_write_ea = -1;
220 static int hf_smb_dir_access_mask_traverse = -1;
221 static int hf_smb_dir_access_mask_delete_child = -1;
222 static int hf_smb_dir_access_mask_read_attribute = -1;
223 static int hf_smb_dir_access_mask_write_attribute = -1;
224 static int hf_smb_copy_flags_file = -1;
225 static int hf_smb_copy_flags_dir = -1;
226 static int hf_smb_copy_flags_dest_mode = -1;
227 static int hf_smb_copy_flags_source_mode = -1;
228 static int hf_smb_copy_flags_verify = -1;
229 static int hf_smb_copy_flags_tree_copy = -1;
230 static int hf_smb_copy_flags_ea_action = -1;
231 static int hf_smb_count = -1;
232 static int hf_smb_count_low = -1;
233 static int hf_smb_count_high = -1;
234 static int hf_smb_file_name = -1;
235 static int hf_smb_open_function_open = -1;
236 static int hf_smb_open_function_create = -1;
237 static int hf_smb_fid = -1;
238 static int hf_smb_file_attr_read_only_16bit = -1;
239 static int hf_smb_file_attr_read_only_8bit = -1;
240 static int hf_smb_file_attr_hidden_16bit = -1;
241 static int hf_smb_file_attr_hidden_8bit = -1;
242 static int hf_smb_file_attr_system_16bit = -1;
243 static int hf_smb_file_attr_system_8bit = -1;
244 static int hf_smb_file_attr_volume_16bit = -1;
245 static int hf_smb_file_attr_volume_8bit = -1;
246 static int hf_smb_file_attr_directory_16bit = -1;
247 static int hf_smb_file_attr_directory_8bit = -1;
248 static int hf_smb_file_attr_archive_16bit = -1;
249 static int hf_smb_file_attr_archive_8bit = -1;
250 static int hf_smb_file_attr_device = -1;
251 static int hf_smb_file_attr_normal = -1;
252 static int hf_smb_file_attr_temporary = -1;
253 static int hf_smb_file_attr_sparse = -1;
254 static int hf_smb_file_attr_reparse = -1;
255 static int hf_smb_file_attr_compressed = -1;
256 static int hf_smb_file_attr_offline = -1;
257 static int hf_smb_file_attr_not_content_indexed = -1;
258 static int hf_smb_file_attr_encrypted = -1;
259 static int hf_smb_file_size = -1;
260 static int hf_smb_search_attribute_read_only = -1;
261 static int hf_smb_search_attribute_hidden = -1;
262 static int hf_smb_search_attribute_system = -1;
263 static int hf_smb_search_attribute_volume = -1;
264 static int hf_smb_search_attribute_directory = -1;
265 static int hf_smb_search_attribute_archive = -1;
266 static int hf_smb_access_mode = -1;
267 static int hf_smb_access_sharing = -1;
268 static int hf_smb_access_locality = -1;
269 static int hf_smb_access_caching = -1;
270 static int hf_smb_access_writetru = -1;
271 static int hf_smb_create_time = -1;
272 static int hf_smb_modify_time = -1;
273 static int hf_smb_backup_time = -1;
274 static int hf_smb_mac_alloc_block_count = -1;
275 static int hf_smb_mac_alloc_block_size = -1;
276 static int hf_smb_mac_free_block_count = -1;
277 static int hf_smb_mac_fndrinfo = -1;
278 static int hf_smb_mac_root_file_count = -1;
279 static int hf_smb_mac_root_dir_count = -1;
280 static int hf_smb_mac_file_count = -1;
281 static int hf_smb_mac_dir_count = -1;
282 static int hf_smb_mac_support_flags = -1;
283 static int hf_smb_mac_sup_access_ctrl = -1;
284 static int hf_smb_mac_sup_getset_comments = -1;
285 static int hf_smb_mac_sup_desktopdb_calls = -1;
286 static int hf_smb_mac_sup_unique_ids = -1;
287 static int hf_smb_mac_sup_streams = -1;
288 static int hf_smb_create_dos_date = -1;
289 static int hf_smb_create_dos_time = -1;
290 static int hf_smb_last_write_time = -1;
291 static int hf_smb_last_write_dos_date = -1;
292 static int hf_smb_last_write_dos_time = -1;
293 static int hf_smb_access_time = -1;
294 static int hf_smb_access_dos_date = -1;
295 static int hf_smb_access_dos_time = -1;
296 static int hf_smb_old_file_name = -1;
297 static int hf_smb_offset = -1;
298 static int hf_smb_remaining = -1;
299 static int hf_smb_padding = -1;
300 static int hf_smb_file_data = -1;
301 static int hf_smb_total_data_len = -1;
302 static int hf_smb_data_len = -1;
303 static int hf_smb_data_len_low = -1;
304 static int hf_smb_data_len_high = -1;
305 static int hf_smb_seek_mode = -1;
306 static int hf_smb_data_size = -1;
307 static int hf_smb_alloc_size = -1;
308 static int hf_smb_alloc_size64 = -1;
309 static int hf_smb_max_count = -1;
310 static int hf_smb_max_count_low = -1;
311 static int hf_smb_max_count_high = -1;
312 static int hf_smb_min_count = -1;
313 static int hf_smb_timeout = -1;
314 static int hf_smb_high_offset = -1;
315 static int hf_smb_units = -1;
316 static int hf_smb_bpu = -1;
317 static int hf_smb_blocksize = -1;
318 static int hf_smb_freeunits = -1;
319 static int hf_smb_data_offset = -1;
320 static int hf_smb_dcm = -1;
321 static int hf_smb_request_mask = -1;
322 static int hf_smb_response_mask = -1;
323 static int hf_smb_search_id = -1;
324 static int hf_smb_write_mode_write_through = -1;
325 static int hf_smb_write_mode_return_remaining = -1;
326 static int hf_smb_write_mode_raw = -1;
327 static int hf_smb_write_mode_message_start = -1;
328 static int hf_smb_write_mode_connectionless = -1;
329 static int hf_smb_resume_key_len = -1;
330 static int hf_smb_resume_find_id = -1;
331 static int hf_smb_resume_server_cookie = -1;
332 static int hf_smb_resume_client_cookie = -1;
333 static int hf_smb_andxoffset = -1;
334 static int hf_smb_lock_type_large = -1;
335 static int hf_smb_lock_type_cancel = -1;
336 static int hf_smb_lock_type_change = -1;
337 static int hf_smb_lock_type_oplock = -1;
338 static int hf_smb_lock_type_shared = -1;
339 static int hf_smb_locking_ol = -1;
340 static int hf_smb_number_of_locks = -1;
341 static int hf_smb_number_of_unlocks = -1;
342 static int hf_smb_lock_long_offset = -1;
343 static int hf_smb_lock_long_length = -1;
344 static int hf_smb_file_type = -1;
345 static int hf_smb_ipc_state_nonblocking = -1;
346 static int hf_smb_ipc_state_endpoint = -1;
347 static int hf_smb_ipc_state_pipe_type = -1;
348 static int hf_smb_ipc_state_read_mode = -1;
349 static int hf_smb_ipc_state_icount = -1;
350 static int hf_smb_server_fid = -1;
351 static int hf_smb_open_flags_add_info = -1;
352 static int hf_smb_open_flags_ex_oplock = -1;
353 static int hf_smb_open_flags_batch_oplock = -1;
354 static int hf_smb_open_flags_ealen = -1;
355 static int hf_smb_open_action_open = -1;
356 static int hf_smb_open_action_lock = -1;
357 static int hf_smb_vc_num = -1;
358 static int hf_smb_account = -1;
359 static int hf_smb_os = -1;
360 static int hf_smb_lanman = -1;
361 static int hf_smb_setup_action_guest = -1;
362 static int hf_smb_fs = -1;
363 static int hf_smb_connect_flags_dtid = -1;
364 static int hf_smb_connect_support_search = -1;
365 static int hf_smb_connect_support_in_dfs = -1;
/*
 * NOTE(review): by name, the *_count, *_offset and *_disp handles below
 * label lengths and offsets supplied by the sender. The code that reads
 * those values is not in this listing; it has to bounds-check them against
 * the buffer rather than trust them - confirm at the use sites.
 */
366 static int hf_smb_max_setup_count = -1;
367 static int hf_smb_total_param_count = -1;
368 static int hf_smb_total_data_count = -1;
369 static int hf_smb_max_param_count = -1;
370 static int hf_smb_max_data_count = -1;
371 static int hf_smb_param_disp16 = -1;
372 static int hf_smb_param_count16 = -1;
373 static int hf_smb_param_offset16 = -1;
374 static int hf_smb_param_disp32 = -1;
375 static int hf_smb_param_count32 = -1;
376 static int hf_smb_param_offset32 = -1;
377 static int hf_smb_data_disp16 = -1;
378 static int hf_smb_data_count16 = -1;
379 static int hf_smb_data_offset16 = -1;
380 static int hf_smb_data_disp32 = -1;
381 static int hf_smb_data_count32 = -1;
382 static int hf_smb_data_offset32 = -1;
383 static int hf_smb_setup_count = -1;
384 static int hf_smb_nt_trans_subcmd = -1;
385 static int hf_smb_nt_ioctl_isfsctl = -1;
386 static int hf_smb_nt_ioctl_flags_root_handle = -1;
/*
 * Remaining hf_smb_* field handles, all file-scope static ints that start
 * at -1. By name they cover NT notify/create/access-mask bits, extended
 * attributes, security descriptors, printing, messaging, TRANS2 and DFS
 * referral fields, filesystem information, quotas, reassembly (segment)
 * fields, the UNIX extensions and POSIX ACL entries.
 * The directive that closes the #ifdef SMB_UNUSED_HANDLES below is not
 * present in this listing (the embedded numbering jumps from 388 to 390).
 */
387 #ifdef SMB_UNUSED_HANDLES
388 static int hf_smb_nt_security_information = -1;
390 static int hf_smb_nt_notify_action = -1;
391 static int hf_smb_nt_notify_watch_tree = -1;
392 static int hf_smb_nt_notify_stream_write = -1;
393 static int hf_smb_nt_notify_stream_size = -1;
394 static int hf_smb_nt_notify_stream_name = -1;
395 static int hf_smb_nt_notify_security = -1;
396 static int hf_smb_nt_notify_ea = -1;
397 static int hf_smb_nt_notify_creation = -1;
398 static int hf_smb_nt_notify_last_access = -1;
399 static int hf_smb_nt_notify_last_write = -1;
400 static int hf_smb_nt_notify_size = -1;
401 static int hf_smb_nt_notify_attributes = -1;
402 static int hf_smb_nt_notify_dir_name = -1;
403 static int hf_smb_nt_notify_file_name = -1;
404 static int hf_smb_root_dir_fid = -1;
405 static int hf_smb_nt_create_disposition = -1;
406 static int hf_smb_sd_length = -1;
407 static int hf_smb_ea_list_length = -1;
408 static int hf_smb_ea_flags = -1;
409 static int hf_smb_ea_name_length = -1;
410 static int hf_smb_ea_data_length = -1;
411 static int hf_smb_ea_name = -1;
412 static int hf_smb_ea_data = -1;
413 static int hf_smb_file_name_len = -1;
414 static int hf_smb_nt_impersonation_level = -1;
415 static int hf_smb_nt_security_flags_context_tracking = -1;
416 static int hf_smb_nt_security_flags_effective_only = -1;
417 static int hf_smb_nt_access_mask_generic_read = -1;
418 static int hf_smb_nt_access_mask_generic_write = -1;
419 static int hf_smb_nt_access_mask_generic_execute = -1;
420 static int hf_smb_nt_access_mask_generic_all = -1;
421 static int hf_smb_nt_access_mask_maximum_allowed = -1;
422 static int hf_smb_nt_access_mask_system_security = -1;
423 static int hf_smb_nt_access_mask_synchronize = -1;
424 static int hf_smb_nt_access_mask_write_owner = -1;
425 static int hf_smb_nt_access_mask_write_dac = -1;
426 static int hf_smb_nt_access_mask_read_control = -1;
427 static int hf_smb_nt_access_mask_delete = -1;
428 static int hf_smb_nt_access_mask_write_attributes = -1;
429 static int hf_smb_nt_access_mask_read_attributes = -1;
430 static int hf_smb_nt_access_mask_delete_child = -1;
431 static int hf_smb_nt_access_mask_execute = -1;
432 static int hf_smb_nt_access_mask_write_ea = -1;
433 static int hf_smb_nt_access_mask_read_ea = -1;
434 static int hf_smb_nt_access_mask_append = -1;
435 static int hf_smb_nt_access_mask_write = -1;
436 static int hf_smb_nt_access_mask_read = -1;
437 static int hf_smb_nt_create_bits_oplock = -1;
438 static int hf_smb_nt_create_bits_boplock = -1;
439 static int hf_smb_nt_create_bits_dir = -1;
440 static int hf_smb_nt_create_bits_ext_resp = -1;
441 static int hf_smb_nt_create_options_directory_file = -1;
442 static int hf_smb_nt_create_options_write_through = -1;
443 static int hf_smb_nt_create_options_sequential_only = -1;
444 static int hf_smb_nt_create_options_no_intermediate_buffering = -1;
445 static int hf_smb_nt_create_options_sync_io_alert = -1;
446 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
447 static int hf_smb_nt_create_options_non_directory_file = -1;
448 static int hf_smb_nt_create_options_create_tree_connection = -1;
449 static int hf_smb_nt_create_options_complete_if_oplocked = -1;
450 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
451 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
452 static int hf_smb_nt_create_options_random_access = -1;
453 static int hf_smb_nt_create_options_delete_on_close = -1;
454 static int hf_smb_nt_create_options_open_by_fileid = -1;
455 static int hf_smb_nt_create_options_backup_intent = -1;
456 static int hf_smb_nt_create_options_no_compression = -1;
457 static int hf_smb_nt_create_options_reserve_opfilter = -1;
458 static int hf_smb_nt_create_options_open_reparse_point = -1;
459 static int hf_smb_nt_create_options_open_no_recall = -1;
460 static int hf_smb_nt_create_options_open_for_free_space_query = -1;
461 static int hf_smb_nt_share_access_read = -1;
462 static int hf_smb_nt_share_access_write = -1;
463 static int hf_smb_nt_share_access_delete = -1;
464 static int hf_smb_file_eattr_read_only = -1;
465 static int hf_smb_file_eattr_hidden = -1;
466 static int hf_smb_file_eattr_system = -1;
467 static int hf_smb_file_eattr_volume = -1;
468 static int hf_smb_file_eattr_directory = -1;
469 static int hf_smb_file_eattr_archive = -1;
470 static int hf_smb_file_eattr_device = -1;
471 static int hf_smb_file_eattr_normal = -1;
472 static int hf_smb_file_eattr_temporary = -1;
473 static int hf_smb_file_eattr_sparse = -1;
474 static int hf_smb_file_eattr_reparse = -1;
475 static int hf_smb_file_eattr_compressed = -1;
476 static int hf_smb_file_eattr_offline = -1;
477 static int hf_smb_file_eattr_not_content_indexed = -1;
478 static int hf_smb_file_eattr_encrypted = -1;
479 static int hf_smb_sec_desc_len = -1;
480 static int hf_smb_nt_qsd_owner = -1;
481 static int hf_smb_nt_qsd_group = -1;
482 static int hf_smb_nt_qsd_dacl = -1;
483 static int hf_smb_nt_qsd_sacl = -1;
484 static int hf_smb_extended_attributes = -1;
485 static int hf_smb_oplock_level = -1;
486 static int hf_smb_create_action = -1;
487 static int hf_smb_file_id = -1;
488 static int hf_smb_ea_error_offset = -1;
489 static int hf_smb_end_of_file = -1;
490 static int hf_smb_replace = -1;
491 static int hf_smb_root_dir_handle = -1;
492 static int hf_smb_target_name_len = -1;
493 static int hf_smb_target_name = -1;
494 static int hf_smb_device_type = -1;
495 static int hf_smb_is_directory = -1;
496 static int hf_smb_next_entry_offset = -1;
497 static int hf_smb_change_time = -1;
498 static int hf_smb_setup_len = -1;
499 static int hf_smb_print_mode = -1;
500 static int hf_smb_print_identifier = -1;
501 static int hf_smb_restart_index = -1;
502 static int hf_smb_print_queue_date = -1;
503 static int hf_smb_print_queue_dos_date = -1;
504 static int hf_smb_print_queue_dos_time = -1;
505 static int hf_smb_print_status = -1;
506 static int hf_smb_print_spool_file_number = -1;
507 static int hf_smb_print_spool_file_size = -1;
508 static int hf_smb_print_spool_file_name = -1;
509 static int hf_smb_start_index = -1;
510 static int hf_smb_originator_name = -1;
511 static int hf_smb_destination_name = -1;
512 static int hf_smb_message_len = -1;
513 static int hf_smb_message = -1;
514 static int hf_smb_mgid = -1;
515 static int hf_smb_forwarded_name = -1;
516 static int hf_smb_machine_name = -1;
517 static int hf_smb_cancel_to = -1;
518 static int hf_smb_trans2_subcmd = -1;
519 static int hf_smb_trans_name = -1;
520 static int hf_smb_transaction_flags_dtid = -1;
521 static int hf_smb_transaction_flags_owt = -1;
522 static int hf_smb_search_count = -1;
523 static int hf_smb_search_pattern = -1;
524 static int hf_smb_ff2_backup = -1;
525 static int hf_smb_ff2_continue = -1;
526 static int hf_smb_ff2_resume = -1;
527 static int hf_smb_ff2_close_eos = -1;
528 static int hf_smb_ff2_close = -1;
529 static int hf_smb_ff2_information_level = -1;
530 static int hf_smb_qpi_loi = -1;
531 static int hf_smb_spi_loi = -1;
533 static int hf_smb_sfi_writetru = -1;
534 static int hf_smb_sfi_caching = -1;
536 static int hf_smb_storage_type = -1;
537 static int hf_smb_resume = -1;
538 static int hf_smb_max_referral_level = -1;
539 static int hf_smb_qfsi_information_level = -1;
540 static int hf_smb_number_of_links = -1;
541 static int hf_smb_delete_pending = -1;
542 static int hf_smb_index_number = -1;
543 static int hf_smb_position = -1;
544 static int hf_smb_current_offset = -1;
545 static int hf_smb_t2_alignment = -1;
546 static int hf_smb_t2_stream_name_length = -1;
547 static int hf_smb_t2_stream_size = -1;
548 static int hf_smb_t2_stream_name = -1;
549 static int hf_smb_t2_compressed_file_size = -1;
550 static int hf_smb_t2_compressed_format = -1;
551 static int hf_smb_t2_compressed_unit_shift = -1;
552 static int hf_smb_t2_compressed_chunk_shift = -1;
553 static int hf_smb_t2_compressed_cluster_shift = -1;
554 static int hf_smb_t2_marked_for_deletion = -1;
555 static int hf_smb_dfs_path_consumed = -1;
556 static int hf_smb_dfs_num_referrals = -1;
557 static int hf_smb_get_dfs_server_hold_storage = -1;
558 static int hf_smb_get_dfs_fielding = -1;
559 static int hf_smb_dfs_referral_version = -1;
560 static int hf_smb_dfs_referral_size = -1;
561 static int hf_smb_dfs_referral_server_type = -1;
562 static int hf_smb_dfs_referral_flags_strip = -1;
563 static int hf_smb_dfs_referral_node_offset = -1;
564 static int hf_smb_dfs_referral_node = -1;
565 static int hf_smb_dfs_referral_proximity = -1;
566 static int hf_smb_dfs_referral_ttl = -1;
567 static int hf_smb_dfs_referral_path_offset = -1;
568 static int hf_smb_dfs_referral_path = -1;
569 static int hf_smb_dfs_referral_alt_path_offset = -1;
570 static int hf_smb_dfs_referral_alt_path = -1;
571 static int hf_smb_end_of_search = -1;
572 static int hf_smb_last_name_offset = -1;
573 static int hf_smb_fn_information_level = -1;
574 static int hf_smb_monitor_handle = -1;
575 static int hf_smb_change_count = -1;
576 static int hf_smb_file_index = -1;
577 static int hf_smb_short_file_name = -1;
578 static int hf_smb_short_file_name_len = -1;
579 static int hf_smb_fs_id = -1;
580 static int hf_smb_sector_unit = -1;
581 static int hf_smb_fs_units = -1;
582 static int hf_smb_fs_sector = -1;
583 static int hf_smb_avail_units = -1;
584 static int hf_smb_volume_serial_num = -1;
585 static int hf_smb_volume_label_len = -1;
586 static int hf_smb_volume_label = -1;
587 static int hf_smb_free_alloc_units64 = -1;
588 static int hf_smb_caller_free_alloc_units64 = -1;
589 static int hf_smb_actual_free_alloc_units64 = -1;
590 static int hf_smb_max_name_len = -1;
591 static int hf_smb_fs_name_len = -1;
592 static int hf_smb_fs_name = -1;
593 static int hf_smb_device_char_removable = -1;
594 static int hf_smb_device_char_read_only = -1;
595 static int hf_smb_device_char_floppy = -1;
596 static int hf_smb_device_char_write_once = -1;
597 static int hf_smb_device_char_remote = -1;
598 static int hf_smb_device_char_mounted = -1;
599 static int hf_smb_device_char_virtual = -1;
600 static int hf_smb_fs_attr_css = -1;
601 static int hf_smb_fs_attr_cpn = -1;
602 static int hf_smb_fs_attr_uod = -1;
603 static int hf_smb_fs_attr_pacls = -1;
604 static int hf_smb_fs_attr_fc = -1;
605 static int hf_smb_fs_attr_vq = -1;
606 static int hf_smb_fs_attr_ssf = -1;
607 static int hf_smb_fs_attr_srp = -1;
608 static int hf_smb_fs_attr_srs = -1;
609 static int hf_smb_fs_attr_sla = -1;
610 static int hf_smb_fs_attr_vic = -1;
611 static int hf_smb_fs_attr_soids = -1;
612 static int hf_smb_fs_attr_se = -1;
613 static int hf_smb_fs_attr_ns = -1;
614 static int hf_smb_fs_attr_rov = -1;
615 static int hf_smb_quota_flags_enabled = -1;
616 static int hf_smb_quota_flags_deny_disk = -1;
617 static int hf_smb_quota_flags_log_limit = -1;
618 static int hf_smb_quota_flags_log_warning = -1;
619 static int hf_smb_soft_quota_limit = -1;
620 static int hf_smb_hard_quota_limit = -1;
621 static int hf_smb_user_quota_used = -1;
622 static int hf_smb_user_quota_offset = -1;
623 static int hf_smb_nt_rename_level = -1;
624 static int hf_smb_cluster_count = -1;
625 static int hf_smb_segments = -1;
626 static int hf_smb_segment = -1;
627 static int hf_smb_segment_overlap = -1;
628 static int hf_smb_segment_overlap_conflict = -1;
629 static int hf_smb_segment_multiple_tails = -1;
630 static int hf_smb_segment_too_long_fragment = -1;
631 static int hf_smb_segment_error = -1;
632 static int hf_smb_pipe_write_len = -1;
633 static int hf_smb_unix_major_version = -1;
634 static int hf_smb_unix_minor_version = -1;
635 static int hf_smb_unix_capability_fcntl = -1;
636 static int hf_smb_unix_capability_posix_acl = -1;
637 static int hf_smb_unix_file_size = -1;
638 static int hf_smb_unix_file_num_bytes = -1;
639 static int hf_smb_unix_file_last_status = -1;
640 static int hf_smb_unix_file_last_access = -1;
641 static int hf_smb_unix_file_last_change = -1;
642 static int hf_smb_unix_file_uid = -1;
643 static int hf_smb_unix_file_gid = -1;
644 static int hf_smb_unix_file_type = -1;
645 static int hf_smb_unix_file_dev_major = -1;
646 static int hf_smb_unix_file_dev_minor = -1;
647 static int hf_smb_unix_file_unique_id = -1;
648 static int hf_smb_unix_file_permissions = -1;
649 static int hf_smb_unix_file_nlinks = -1;
650 static int hf_smb_unix_file_link_dest = -1;
651 static int hf_smb_unix_find_file_nextoffset = -1;
652 static int hf_smb_unix_find_file_resumekey = -1;
653 static int hf_smb_network_unknown = -1;
654 static int hf_smb_disposition_delete_on_close = -1;
655 static int hf_smb_pipe_info_flag = -1;
656 static int hf_smb_mode = -1;
657 static int hf_smb_attribute = -1;
658 static int hf_smb_reparse_tag = -1;
659 static int hf_smb_logged_in = -1;
660 static int hf_smb_logged_out = -1;
661 static int hf_smb_file_rw_offset = -1;
662 static int hf_smb_file_rw_length = -1;
663 static int hf_smb_posix_acl_version = -1;
664 static int hf_smb_posix_num_file_aces = -1;
665 static int hf_smb_posix_num_def_aces = -1;
666 static int hf_smb_posix_ace_type = -1;
667 static int hf_smb_posix_ace_flags = -1;
668 static int hf_smb_posix_ace_perm_read = -1;
669 static int hf_smb_posix_ace_perm_write = -1;
670 static int hf_smb_posix_ace_perm_execute = -1;
671 static int hf_smb_posix_ace_perm_owner_uid = -1;
672 static int hf_smb_posix_ace_perm_owner_gid = -1;
673 static int hf_smb_posix_ace_perm_uid = -1;
674 static int hf_smb_posix_ace_perm_gid = -1;
/*
 * Subtree handles (ett_smb_*). Each one is a file-scope static gint that
 * starts at -1.
 * NOTE(review): presumably assigned when the subtree array is registered;
 * that code is not in this listing.
 */
676 static gint ett_smb = -1;
677 static gint ett_smb_fid = -1;
678 static gint ett_smb_tid = -1;
679 static gint ett_smb_uid = -1;
680 static gint ett_smb_hdr = -1;
681 static gint ett_smb_command = -1;
682 static gint ett_smb_fileattributes = -1;
683 static gint ett_smb_capabilities = -1;
684 static gint ett_smb_aflags = -1;
685 static gint ett_smb_dialect = -1;
686 static gint ett_smb_dialects = -1;
687 static gint ett_smb_mode = -1;
688 static gint ett_smb_rawmode = -1;
689 static gint ett_smb_flags = -1;
690 static gint ett_smb_flags2 = -1;
691 static gint ett_smb_desiredaccess = -1;
692 static gint ett_smb_search = -1;
693 static gint ett_smb_file = -1;
694 static gint ett_smb_openfunction = -1;
695 static gint ett_smb_filetype = -1;
696 static gint ett_smb_openaction = -1;
697 static gint ett_smb_writemode = -1;
698 static gint ett_smb_lock_type = -1;
699 static gint ett_smb_ssetupandxaction = -1;
700 static gint ett_smb_optionsup = -1;
701 static gint ett_smb_time_date = -1;
702 static gint ett_smb_move_copy_flags = -1;
703 static gint ett_smb_file_attributes = -1;
704 static gint ett_smb_search_resume_key = -1;
705 static gint ett_smb_search_dir_info = -1;
706 static gint ett_smb_unlocks = -1;
707 static gint ett_smb_unlock = -1;
708 static gint ett_smb_locks = -1;
709 static gint ett_smb_lock = -1;
710 static gint ett_smb_open_flags = -1;
711 static gint ett_smb_ipc_state = -1;
712 static gint ett_smb_open_action = -1;
713 static gint ett_smb_setup_action = -1;
714 static gint ett_smb_connect_flags = -1;
715 static gint ett_smb_connect_support_bits = -1;
716 static gint ett_smb_nt_access_mask = -1;
717 static gint ett_smb_nt_create_bits = -1;
718 static gint ett_smb_nt_create_options = -1;
719 static gint ett_smb_nt_share_access = -1;
720 static gint ett_smb_nt_security_flags = -1;
721 static gint ett_smb_nt_trans_setup = -1;
722 static gint ett_smb_nt_trans_data = -1;
723 static gint ett_smb_nt_trans_param = -1;
724 static gint ett_smb_nt_notify_completion_filter = -1;
725 static gint ett_smb_nt_ioctl_flags = -1;
726 static gint ett_smb_security_information_mask = -1;
727 static gint ett_smb_print_queue_entry = -1;
728 static gint ett_smb_transaction_flags = -1;
729 static gint ett_smb_transaction_params = -1;
730 static gint ett_smb_find_first2_flags = -1;
731 static gint ett_smb_mac_support_flags = -1;
733 static gint ett_smb_ioflag = -1;
735 static gint ett_smb_transaction_data = -1;
736 static gint ett_smb_stream_info = -1;
737 static gint ett_smb_dfs_referrals = -1;
738 static gint ett_smb_dfs_referral = -1;
739 static gint ett_smb_dfs_referral_flags = -1;
740 static gint ett_smb_get_dfs_flags = -1;
741 static gint ett_smb_ff2_data = -1;
742 static gint ett_smb_device_characteristics = -1;
743 static gint ett_smb_fs_attributes = -1;
744 static gint ett_smb_segments = -1;
745 static gint ett_smb_segment = -1;
746 static gint ett_smb_quotaflags = -1;
747 static gint ett_smb_secblob = -1;
748 static gint ett_smb_unicode_password = -1;
749 static gint ett_smb_ea = -1;
750 static gint ett_smb_unix_capabilities = -1;
/*
 * NOTE(review): "posic" looks like a misspelling of "posix" (compare
 * ett_smb_posix_ace_perms on the next line). The identifier is left as is
 * because its uses are outside this listing.
 */
751 static gint ett_smb_posic_ace = -1;
752 static gint ett_smb_posix_ace_perms = -1;
754 static int smb_tap = -1;
756 static dissector_handle_t gssapi_handle = NULL;
757 static dissector_handle_t ntlmssp_handle = NULL;
759 static const fragment_items smb_frag_items = {
765 &hf_smb_segment_overlap,
766 &hf_smb_segment_overlap_conflict,
767 &hf_smb_segment_multiple_tails,
768 &hf_smb_segment_too_long_fragment,
769 &hf_smb_segment_error,
775 static proto_tree *top_tree=NULL; /* ugly */
777 static const char *decode_smb_name(guint8);
778 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
781 * Macros for use in the main dissector routines for an SMB.
786 wc = tvb_get_guint8(tvb, offset); \
787 proto_tree_add_uint(tree, hf_smb_word_count, \
788 tvb, offset, 1, wc); \
790 if(wc==0) goto bytecount;
794 bc = tvb_get_letohs(tvb, offset); \
795 proto_tree_add_uint(tree, hf_smb_byte_count, \
796 tvb, offset, 2, bc); \
798 if(bc==0) goto endofcommand;
/* Hidden control flow: expands to a bare `if` that jumps to the enclosing
 * function's endofcommand label when bc is smaller than len. It relies on
 * `bc` being in scope at the expansion site. len is not parenthesized, so
 * callers should pass a simple expression. */
800 #define CHECK_BYTE_COUNT(len) \
801 if (bc < len) goto endofcommand;
803 #define COUNT_BYTES(len) {\
813 bc_remaining=tvb_length_remaining(tvb, offset); \
814 if( ((gint)bc) > bc_remaining){ \
818 tvb_ensure_bytes_exist(tvb, offset, bc); \
819 proto_tree_add_text(tree, tvb, offset, bc, \
820 "Extra byte parameters"); \
827 * Macros for use in routines called by them.
829 #define CHECK_BYTE_COUNT_SUBR(len) \
835 #define CHECK_STRING_SUBR(fn) \
841 #define COUNT_BYTES_SUBR(len) \
846 * Macros for use when dissecting transaction parameters and data
/* Hidden control flow: expands to a bare `if` that returns offset from the
 * enclosing function when the remaining byte count bc is smaller than len.
 * Relies on `bc` and `offset` being in scope at the expansion site. */
848 #define CHECK_BYTE_COUNT_TRANS(len) \
849 if (bc < len) return offset;
/* Returns offset from the enclosing function when fn evaluates to NULL. */
851 #define CHECK_STRING_TRANS(fn) \
852 if (fn == NULL) return offset;
854 #define COUNT_BYTES_TRANS(len) \
859 * Macros for use in subroutines dissecting transaction parameters or data
/* Same early-return guard as the _TRANS variant, but the remaining byte
 * count is read through the pointer `bcp`, which must be in scope (and
 * non-NULL) at the expansion site. */
861 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
862 if (*bcp < len) return offset;
/* Returns offset from the enclosing function when fn evaluates to NULL. */
864 #define CHECK_STRING_TRANS_SUBR(fn) \
865 if (fn == NULL) return offset;
867 #define COUNT_BYTES_TRANS_SUBR(len) \
872 gboolean sid_name_snooping = FALSE;
874 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
875 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
876 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
877 static gboolean smb_trans_reassembly = TRUE;
878 gboolean smb_dcerpc_reassembly = TRUE;
880 static GHashTable *smb_trans_fragment_table = NULL;
/* Hands smb_trans_fragment_table, the table that holds SMB Transaction
 * fragments awaiting reassembly, to fragment_table_init(). */
883 smb_trans_reassembly_init(void)
885 fragment_table_init(&smb_trans_fragment_table);
889 * XXX - This keeps us from allocating huge amounts of memory as shown in
890 * bug 421. It may need to be increased.
892 #define MAX_FRAGMENT_SIZE 65536
/*
 * Feed one SMB Transaction fragment (count bytes at offset in tvb, placed at
 * position pos of a totlen-byte payload) into smb_trans_fragment_table,
 * keyed by the frame number of the request (si->sip->frame_req).
 *
 * count is range-checked before anything is stored: negative values and
 * values above MAX_FRAGMENT_SIZE raise ReportedBoundsError. This is the
 * guard against the huge allocations mentioned next to MAX_FRAGMENT_SIZE.
 *
 * SMB_SIF_IS_CONTINUED is set on the request's saved info while reassembly
 * is incomplete and cleared once FD_DEFRAGMENTED is set on the entry.
 *
 * NOTE(review): some lines of this function (local declarations, braces,
 * else branches, return statements) are not shown here, so the comments
 * describe only the statements that are visible.
 */
893 static fragment_data *
894 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
895 int offset, int count, int pos, int totlen)
897 fragment_data *fd_head=NULL;
/* Reject a negative or oversized fragment length before it can reach
 * fragment_add(). */
901 if (count > MAX_FRAGMENT_SIZE || count < 0) {
902 THROW(ReportedBoundsError);
/* More fragments are expected while this one ends before totlen.
 * NOTE(review): pos and totlen are not range-checked in the lines shown;
 * confirm callers keep pos+count within int range. */
905 more_frags=totlen>(pos+count);
907 si = (smb_info_t *)pinfo->private_data;
908 DISSECTOR_ASSERT(si);
910 if (si->sip == NULL) {
912 * We don't have the frame number of the request.
917 if(!pinfo->fd->flags.visited){
/* Frame not visited yet: store this fragment in the table. */
918 fd_head = fragment_add(tvb, offset, pinfo,
919 si->sip->frame_req, smb_trans_fragment_table,
920 pos, count, more_frags);
/* Presumably the already-visited path: only look up the stored entry. */
922 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
925 if (!fd_head || !(fd_head->flags&FD_DEFRAGMENTED)){
926 /* This is continued - mark it as such, so we recognize
927 continuation responses.
929 si->sip->flags |= SMB_SIF_IS_CONTINUED;
931 /* We've finished reassembling, so there are no more
932 continuation responses.
934 si->sip->flags &= ~SMB_SIF_IS_CONTINUED;
937 /* we only show the defragmented packet for the first fragment,
938 or else we might end up with dissecting one HUGE transaction PDU
939 a LOT of times. (first fragment is the only one containing the setup
941 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
942 SMBs. Takes a LOT of time dissecting and is not fun.
944 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
955 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
956 These variables and functions are used to match
958 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
960 * The information we need to save about a request in order to show the
961 * frame number of the request in the dissection of the reply.
966 } smb_saved_info_key_t;
968 /* unmatched smb_saved_info structures.
969 For unmatched smb_saved_info structures we store the smb_saved_info
970 structure using the MID and the PID as the key.
972 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
973 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
974 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
/* Presumably the key-equality callback for the table of unmatched requests.
 * Both keys are pointer values converted back to 32-bit integers with
 * GPOINTER_TO_UINT; the comparison itself is on a line not shown here. */
977 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
979 register guint32 key1 = GPOINTER_TO_UINT(k1);
980 register guint32 key2 = GPOINTER_TO_UINT(k2);
/* Presumably the hash callback for the table of unmatched requests. The key
 * is a pointer value converted back to a 32-bit integer with
 * GPOINTER_TO_UINT; the returned value is on a line not shown here. */
984 smb_saved_info_hash_unmatched(gconstpointer k)
986 register guint32 key = GPOINTER_TO_UINT(k);
990 /* matched smb_saved_info structures.
991 For matched smb_saved_info structures we store the smb_saved_info
992 structure twice in the table using the frame number, and a combination
993 of the MID and the PID, as the key.
994 The frame number is guaranteed to be unique but if ever someone makes
995 some change that will renumber the frames in a capture we are in BIG trouble.
996 This is not likely though since that would break (among other things) all the
997 reassembly routines as well.
999 We also need the MID as there may be more than one SMB request or reply
1000 in a single frame, and we also need the PID as there may be more than
1001 one outstanding request with the same MID and different PIDs.
/* Key equality for matched entries: two smb_saved_info_key_t keys are equal
 * when both the frame number and the combined pid_mid value agree. */
1004 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
1006 const smb_saved_info_key_t *key1 = k1;
1007 const smb_saved_info_key_t *key2 = k2;
1008 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
/* Hash for matched entries: the sum of the frame number and pid_mid. Keys
 * that smb_saved_info_equal_matched() treats as equal hash identically. */
1011 smb_saved_info_hash_matched(gconstpointer k)
1013 const smb_saved_info_key_t *key = k;
1014 return key->frame + key->pid_mid;
1017 static GSList *conv_tables = NULL;
1020 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
1021 End of request/response matching functions
1022 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
1026 typedef struct _smb_uid_t {
/*
 * Add the FILE-specific bits of an access mask to tree. Every item covers
 * the same 4 bytes at offset and is decoded from mask.
 * A mask of exactly 0x000001ff is labelled "[FULL CONTROL]".
 * NOTE(review): the lines between that label and the per-bit items are not
 * shown here, so whether the per-bit items are skipped in that case cannot
 * be told from this listing.
 */
1034 smb_file_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 mask)
1037 if(mask==0x000001ff){
1038 proto_tree_add_text(tree, tvb, offset, 4, "[FULL CONTROL]");
1042 proto_tree_add_boolean(tree, hf_smb_file_access_mask_write_attribute, tvb, offset, 4, mask);
1043 proto_tree_add_boolean(tree, hf_smb_file_access_mask_read_attribute, tvb, offset, 4, mask);
1044 proto_tree_add_boolean(tree, hf_smb_file_access_mask_execute, tvb, offset, 4, mask);
1045 proto_tree_add_boolean(tree, hf_smb_file_access_mask_write_ea, tvb, offset, 4, mask);
1046 proto_tree_add_boolean(tree, hf_smb_file_access_mask_read_ea, tvb, offset, 4, mask);
1047 proto_tree_add_boolean(tree, hf_smb_file_access_mask_append_data, tvb, offset, 4, mask);
1048 proto_tree_add_boolean(tree, hf_smb_file_access_mask_write_data, tvb, offset, 4, mask);
1049 proto_tree_add_boolean(tree, hf_smb_file_access_mask_read_data, tvb, offset, 4, mask);
1051 struct access_mask_info smb_file_access_mask_info = {
1052 "FILE", /* Name of specific rights */
1053 smb_file_specific_rights, /* Dissection function */
1054 NULL, /* Generic mapping table */
1055 NULL /* Standard mapping table */
/*
 * Directory counterpart of smb_file_specific_rights(): adds the
 * DIR-specific bits of an access mask to tree, each item covering the same
 * 4 bytes at offset and decoded from mask.
 * A mask of exactly 0x000001ff is labelled "[FULL CONTROL]".
 * NOTE(review): the lines between that label and the per-bit items are not
 * shown here, so whether the per-bit items are skipped in that case cannot
 * be told from this listing.
 */
1060 smb_dir_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 mask)
1063 if(mask==0x000001ff){
1064 proto_tree_add_text(tree, tvb, offset, 4, "[FULL CONTROL]");
1068 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_write_attribute, tvb, offset, 4, mask);
1069 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_read_attribute, tvb, offset, 4, mask);
1070 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_delete_child, tvb, offset, 4, mask);
1071 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_traverse, tvb, offset, 4, mask);
1072 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_write_ea, tvb, offset, 4, mask);
1073 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_read_ea, tvb, offset, 4, mask);
1074 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_add_subdir, tvb, offset, 4, mask);
1075 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_add_file, tvb, offset, 4, mask);
1076 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_list, tvb, offset, 4, mask);
1078 struct access_mask_info smb_dir_access_mask_info = {
1079 "DIR", /* Name of specific rights */
1080 smb_dir_specific_rights, /* Dissection function */
1081 NULL, /* Generic mapping table */
1082 NULL /* Standard mapping table */
1087 static const value_string buffer_format_vals[] = {
1092 {5, "Variable Block"},
1096 #define POSIX_ACE_TYPE_USER_OBJ 0x01
1097 #define POSIX_ACE_TYPE_USER 0x02
1098 #define POSIX_ACE_TYPE_GROUP_OBJ 0x04
1099 #define POSIX_ACE_TYPE_GROUP 0x08
1100 #define POSIX_ACE_TYPE_MASK 0x10
1101 #define POSIX_ACE_TYPE_OTHER 0x20
1102 static const value_string ace_type_vals[] = {
1103 {POSIX_ACE_TYPE_USER_OBJ, "User Obj"},
1104 {POSIX_ACE_TYPE_USER, "User"},
1105 {POSIX_ACE_TYPE_GROUP_OBJ, "Group Obj"},
1106 {POSIX_ACE_TYPE_GROUP, "Group"},
1107 {POSIX_ACE_TYPE_MASK, "Mask"},
1108 {POSIX_ACE_TYPE_OTHER, "Other"},
1113 * UTIME - this is *almost* like a UNIX time stamp, except that it's
1114 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
1115 * January 1, 1970, 00:00:00 GMT.
1117 * This means we have to do some extra work to convert it. This code is
1118 * based on the Samba code:
1120 * Unix SMB/Netbios implementation.
1122 * time handling functions
1123 * Copyright (C) Andrew Tridgell 1992-1998
1127 * Yield the difference between *A and *B, in seconds, ignoring leap
1130 #define TM_YEAR_BASE 1900
/*
 * Difference a - b between two broken-down times, built up in stages:
 * years, days, hours, minutes, then seconds. All arithmetic is done in int.
 * NOTE(review): the declaration of `days` and the return statement are on
 * lines not shown here.
 */
1133 tm_diff(struct tm *a, struct tm *b)
1135 int ay = a->tm_year + (TM_YEAR_BASE - 1);
1136 int by = b->tm_year + (TM_YEAR_BASE - 1);
/* Leap days between the two years: one per 4 years, minus one per 100,
 * plus one per 400. */
1137 int intervening_leap_days =
1138 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
1139 int years = ay - by;
1141 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
1142 int hours = 24*days + (a->tm_hour - b->tm_hour);
1143 int minutes = 60*hours + (a->tm_min - b->tm_min);
1144 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
1150 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1156 struct tm *tm = gmtime(&t);
1165 return tm_diff(&tm_utc,tm);
1169 * Return the same value as TimeZone, but it should be more efficient.
1171 * We keep a table of DST offsets to prevent calling localtime() on each
1172 * call of this function. This saves a LOT of time on many unixes.
1174 * Updated by Paul Eggert <eggert@twinsun.com>
1181 #define TIME_T_MIN ((time_t) ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1182 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)))
1185 #define TIME_T_MAX ((time_t) (~ (time_t) 0 - TIME_T_MIN))
/*
 * Cached zone lookup for time t.
 *
 * A function-static table of {start, end, zone} ranges is scanned linearly
 * for a range containing t. On a miss the table is grown by one entry
 * (g_malloc for the first entry, g_realloc afterwards), the new entry starts
 * as the single point t, and it is then widened in both directions by
 * probing TimeZone() at intermediate times, never more than
 * MAX_DST_WIDTH/2 away from t.
 *
 * NOTE(review): the table lives in static storage and nothing in the lines
 * shown frees or bounds it, so it grows by one entry per cache miss for the
 * lifetime of the process.
 * NOTE(review): several lines (break, else branches, the assignments after
 * allocation, the return) are not shown in this listing.
 */
1189 TimeZoneFaster(time_t t)
1191 static struct dst_table {time_t start,end; int zone;} *tdt;
1192 static struct dst_table *dst_table = NULL;
1193 static int table_size = 0;
1200 /* Tunis has a 8 day DST region, we need to be careful ... */
1201 #define MAX_DST_WIDTH (365*24*60*60)
1202 #define MAX_DST_SKIP (7*24*60*60)
/* Linear scan for a cached range that contains t. */
1204 for (i = 0; i < table_size; i++) {
1205 if (t >= dst_table[i].start && t <= dst_table[i].end)
1209 if (i < table_size) {
1210 zone = dst_table[i].zone;
/* Cache miss: make room for i+1 entries. The new pointer goes into tdt
 * rather than straight into dst_table. */
1215 if (dst_table == NULL)
1216 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1218 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1227 dst_table[i].zone = zone;
1228 dst_table[i].start = dst_table[i].end = t;
1230 /* no entry will cover more than 6 months */
1231 low = t - MAX_DST_WIDTH/2;
1233 high = t + MAX_DST_WIDTH/2;
1236 * Widen the new entry using two bisection searches.
1238 while (low+60*60 < dst_table[i].start) {
1239 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1240 t = dst_table[i].start - MAX_DST_SKIP;
1242 t = low + (dst_table[i].start-low)/2;
1243 if (TimeZone(t) == zone)
1244 dst_table[i].start = t;
1249 while (high-60*60 > dst_table[i].end) {
1250 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1251 t = dst_table[i].end + MAX_DST_SKIP;
1253 t = high - (high-dst_table[i].end)/2;
1254 if (TimeZone(t) == zone)
1255 dst_table[i].end = t;
1265 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1266 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1267 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1268 * daylight savings transitions because some local times are ambiguous.
1269 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
/*
 * Two-step estimate of the zone offset for a local time value lt: a first
 * offset d is looked up for lt itself, an adjusted time t is derived from it
 * (on a line not shown here), and the offset for t is returned.
 * The overflow test compares the direction in which t moved relative to lt
 * with the sign of d.
 */
1272 LocTimeDiff(time_t lt)
1274 int d = TimeZoneFaster(lt);
1277 /* if overflow occurred, ignore all the adjustments so far */
1278 if (((t < lt) ^ (d < 0)))
1282 * Now t should be close enough to the true UTC to yield the
1285 return TimeZoneFaster(t);
/*
 * Dissect a 4-byte little-endian UTIME field at offset and add it to tree
 * under hf_date.
 * The all-ones value 0xffffffff is shown as "No time specified" instead of
 * being converted. Any other value has LocTimeDiff() added to it before it
 * is handed to proto_tree_add_time().
 * NOTE(review): the declarations, the nanoseconds assignment and the return
 * are on lines not shown here.
 */
1289 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1294 timeval = tvb_get_letohl(tvb, offset);
1295 if (timeval == 0xffffffff) {
1296 proto_tree_add_text(tree, tvb, offset, 4,
1297 "%s: No time specified (0xffffffff)",
1298 proto_registrar_get_name(hf_date));
1304 * We add the local time offset.
1306 ts.secs = timeval + LocTimeDiff(timeval);
1309 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
/*
 * Decode a 4-byte DOS date/time pair at offset and add it to parent_tree as
 * hf_date, with the raw DOS time and DOS date words as child items.
 * Both 16-bit words are read little-endian. Two read orders are visible
 * (time word first, or date word first), presumably selected by time_first.
 *
 * The field values are validated before use: the month is range-checked
 * before it indexes the days-per-month tables (the || chain
 * short-circuits), out-of-range seconds, minutes, hours and day-of-month are
 * rejected, and a mktime() result of -1 is treated as invalid.
 *
 * NOTE(review): a day-of-month of 0 is not rejected by the visible checks
 * (only values above the month length are). Confirm that letting mktime()
 * normalize it is acceptable here.
 * NOTE(review): several lines of this function are not shown in this
 * listing, so branch structure and return values are not described.
 */
1316 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1317 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1319 guint16 dos_time, dos_date;
1320 proto_item *item = NULL;
1321 proto_tree *tree = NULL;
1324 static const int mday_noleap[12] = {
1325 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1327 static const int mday_leap[12] = {
1328 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1330 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1334 dos_time = tvb_get_letohs(tvb, offset);
1335 dos_date = tvb_get_letohs(tvb, offset+2);
1337 dos_date = tvb_get_letohs(tvb, offset);
1338 dos_time = tvb_get_letohs(tvb, offset+2);
1341 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1342 (dos_date == 0 && dos_time == 0)) {
1344 * No date/time specified.
1347 proto_tree_add_text(parent_tree, tvb, offset, 4,
1348 "%s: No time specified (0x%08x)",
1349 proto_registrar_get_name(hf_date),
1350 (dos_date << 16) | dos_time);
/* The low 5 bits hold the seconds in 2-second units. */
1356 tm.tm_sec = (dos_time&0x1f)*2;
1357 tm.tm_min = (dos_time>>5)&0x3f;
1358 tm.tm_hour = (dos_time>>11)&0x1f;
1359 tm.tm_mday = dos_date&0x1f;
/* A stored month of 0 becomes -1 here and is rejected by the range check. */
1360 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
/* DOS years count from 1980, struct tm years from 1900. */
1361 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1365 * Do some sanity checks before calling "mktime()";
1366 * "mktime()" doesn't do them, it "normalizes" out-of-range
1369 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1370 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1371 (ISLEAP(tm.tm_year + 1900) ?
1372 tm.tm_mday > mday_leap[tm.tm_mon] :
1373 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1374 (t = mktime(&tm)) == -1) {
1376 * Invalid date/time.
1379 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1381 proto_registrar_get_name(hf_date));
1382 tree = proto_item_add_subtree(item, ett_smb_time_date);
1384 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1385 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1387 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1388 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1399 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1400 tree = proto_item_add_subtree(item, ett_smb_time_date);
1402 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1403 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1405 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1406 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1415 static const true_false_string tfs_disposition_delete_on_close = {
1416 "DELETE this file when closed",
1417 "Normal access, do not delete on close"
1420 static const true_false_string tfs_pipe_info_flag = {
1421 "SET NAMED PIPE mode",
1422 "Clear NAMED PIPE mode"
1426 static const value_string da_access_vals[] = {
1427 { 0, "Open for reading"},
1428 { 1, "Open for writing"},
1429 { 2, "Open for reading and writing"},
1430 { 3, "Open for execute"},
1433 static const value_string da_sharing_vals[] = {
1434 { 0, "Compatibility mode"},
1435 { 1, "Deny read/write/execute (exclusive)"},
1437 { 3, "Deny read/execute"},
1441 static const value_string da_locality_vals[] = {
1442 { 0, "Locality of reference unknown"},
1443 { 1, "Mainly sequential access"},
1444 { 2, "Mainly random access"},
1445 { 3, "Random access with some locality"},
1448 static const true_false_string tfs_da_caching = {
1449 "Do not cache this file",
1450 "Caching permitted on this file"
1452 static const true_false_string tfs_da_writetru = {
1453 "Write through enabled",
1454 "Write through disabled"
/*
 * Dissect a 2-byte little-endian access field at offset.
 * Adds a "<type> Access: 0x...." summary item with an ett_smb_desiredaccess
 * subtree, then five fields decoded from the same 16-bit mask:
 * write-through, caching, locality, sharing and mode.
 * type is only ever passed as a "%s" argument, never as the format string.
 * NOTE(review): declarations, any guard around the subtree creation and the
 * return are on lines not shown here.
 */
1457 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, const char *type)
1463 mask = tvb_get_letohs(tvb, offset);
1466 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1467 "%s Access: 0x%04x", type, mask);
1468 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1470 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1471 tvb, offset, 2, mask);
1472 proto_tree_add_boolean(tree, hf_smb_access_caching,
1473 tvb, offset, 2, mask);
1474 proto_tree_add_uint(tree, hf_smb_access_locality,
1475 tvb, offset, 2, mask);
1476 proto_tree_add_uint(tree, hf_smb_access_sharing,
1477 tvb, offset, 2, mask);
1478 proto_tree_add_uint(tree, hf_smb_access_mode,
1479 tvb, offset, 2, mask);
1487 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1488 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1489 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1490 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1491 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1492 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1493 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1494 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1495 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1496 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1497 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1498 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1499 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1500 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1501 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1503 static const true_false_string tfs_file_attribute_read_only = {
1504 "This file is READ ONLY",
1505 "This file is NOT read only",
1507 static const true_false_string tfs_file_attribute_hidden = {
1508 "This is a HIDDEN file",
1509 "This is NOT a hidden file"
1511 static const true_false_string tfs_file_attribute_system = {
1512 "This is a SYSTEM file",
1513 "This is NOT a system file"
1515 static const true_false_string tfs_file_attribute_volume = {
1516 "This is a VOLUME ID",
1517 "This is NOT a volume ID"
1519 static const true_false_string tfs_file_attribute_directory = {
1520 "This is a DIRECTORY",
1521 "This is NOT a directory"
1523 static const true_false_string tfs_file_attribute_archive = {
1524 "This file has been modified since last ARCHIVE",
1525 "This file has NOT been modified since last archive"
1527 static const true_false_string tfs_file_attribute_device = {
1529 "This is NOT a device"
1531 static const true_false_string tfs_file_attribute_normal = {
1532 "This file is an ordinary file",
1533 "This file has some attribute set"
1535 static const true_false_string tfs_file_attribute_temporary = {
1536 "This is a TEMPORARY file",
1537 "This is NOT a temporary file"
1539 static const true_false_string tfs_file_attribute_sparse = {
1540 "This is a SPARSE file",
1541 "This is NOT a sparse file"
1543 static const true_false_string tfs_file_attribute_reparse = {
1544 "This file has an associated REPARSE POINT",
1545 "This file does NOT have an associated reparse point"
1547 static const true_false_string tfs_file_attribute_compressed = {
1548 "This is a COMPRESSED file",
1549 "This is NOT a compressed file"
1551 static const true_false_string tfs_file_attribute_offline = {
1552 "This file is OFFLINE",
1553 "This file is NOT offline"
1555 static const true_false_string tfs_file_attribute_not_content_indexed = {
1556 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1557 "This file MAY be indexed by the content indexing service"
1559 static const true_false_string tfs_file_attribute_encrypted = {
1560 "This is an ENCRYPTED file",
1561 "This is NOT an encrypted file"
1565 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1566 * listed as USHORT, and seem to be in packets in the wild, while in other
1567 * places they are listed as ULONG, and also seem to be.
1569 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
/*
 * Add a "File Attributes" subtree for the attribute field at offset.
 * bytes is the width of the field and must be 2 or 4. Any other value
 * raises ReportedBoundsError before the buffer is read.
 *
 * Only 16 bits are read (tvb_get_letohs) even when bytes is 4, so for a
 * 4-byte field the summary value and every flag below are decoded from the
 * first two bytes, while each item's range covers all `bytes`.
 * NOTE(review): the rest of the parameter list, the declarations and the
 * return are on lines not shown here.
 */
1574 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1581 if (bytes != 2 && bytes != 4) {
1582 THROW(ReportedBoundsError);
1586 * The actual bits of interest appear to only be a USHORT
1588 /* FIXME if this ever changes! */
1589 mask = tvb_get_letohs(tvb, offset);
1592 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1593 "File Attributes: 0x%08x", mask);
1594 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1596 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1597 tvb, offset, bytes, mask);
1598 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1599 tvb, offset, bytes, mask);
1600 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1601 tvb, offset, bytes, mask);
1602 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1603 tvb, offset, bytes, mask);
1604 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1605 tvb, offset, bytes, mask);
1606 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1607 tvb, offset, bytes, mask);
1608 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1609 tvb, offset, bytes, mask);
1610 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1611 tvb, offset, bytes, mask);
1612 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1613 tvb, offset, bytes, mask);
1614 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1615 tvb, offset, bytes, mask);
1616 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1617 tvb, offset, bytes, mask);
1618 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1619 tvb, offset, bytes, mask);
1620 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1621 tvb, offset, bytes, mask);
1622 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1623 tvb, offset, bytes, mask);
1624 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1625 tvb, offset, bytes, mask);
/*
 * Add a "File Attributes" subtree for an extended attribute mask the caller
 * has already read. len is the width of the field at offset and is used as
 * the range of every item. This function does not read from tvb itself in
 * the lines shown, so it relies on the caller having fetched mask from a
 * field of that width.
 * NOTE(review): declarations, any guard around the subtree creation and the
 * return are on lines not shown here.
 */
1635 dissect_file_ext_attr_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1636 int len, guint32 mask)
1642 item = proto_tree_add_text(parent_tree, tvb, offset, len,
1643 "File Attributes: 0x%08x", mask);
1644 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1647 * XXX - Network Monitor disagrees on some of the
1648 * bits, e.g. the bits above temporary are "atomic write"
1649 * and "transaction write", and it says nothing about the
1652 * Does the Win32 API documentation, or the NT Native API book,
1655 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1656 tvb, offset, len, mask);
1657 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1658 tvb, offset, len, mask);
1659 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1660 tvb, offset, len, mask);
1661 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1662 tvb, offset, len, mask);
1663 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1664 tvb, offset, len, mask);
1665 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1666 tvb, offset, len, mask);
1667 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1668 tvb, offset, len, mask);
1669 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1670 tvb, offset, len, mask);
1671 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1672 tvb, offset, len, mask);
1673 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1674 tvb, offset, len, mask);
1675 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1676 tvb, offset, len, mask);
1677 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1678 tvb, offset, len, mask);
1679 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1680 tvb, offset, len, mask);
1681 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1682 tvb, offset, len, mask);
1683 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1684 tvb, offset, len, mask);
/* Read a 4-byte little-endian extended attribute mask at offset and pass it
 * to dissect_file_ext_attr_bits() with a field width of 4. offset is updated
 * from that call's return value. */
1694 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1698 mask = tvb_get_letohl(tvb, offset);
1700 offset = dissect_file_ext_attr_bits(tvb, parent_tree, offset, 4, mask);
/*
 * Dissect the 1-byte file attribute field at offset: a "File Attributes"
 * summary item with an ett_smb_file_attributes subtree, followed by the six
 * 8-bit attribute flags (read only, hidden, system, volume, directory,
 * archive), all decoded from the same byte.
 * NOTE(review): declarations, any guard around the subtree creation and the
 * return are on lines not shown here.
 */
1706 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1712 mask = tvb_get_guint8(tvb, offset);
1715 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1716 "File Attributes: 0x%02x", mask);
1717 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1719 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1720 tvb, offset, 1, mask);
1721 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1722 tvb, offset, 1, mask);
1723 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1724 tvb, offset, 1, mask);
1725 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1726 tvb, offset, 1, mask);
1727 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1728 tvb, offset, 1, mask);
1729 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1730 tvb, offset, 1, mask);
1738 static const true_false_string tfs_search_attribute_read_only = {
1739 "Include READ ONLY files in search results",
1740 "Do NOT include read only files in search results",
1742 static const true_false_string tfs_search_attribute_hidden = {
1743 "Include HIDDEN files in search results",
1744 "Do NOT include hidden files in search results"
1746 static const true_false_string tfs_search_attribute_system = {
1747 "Include SYSTEM files in search results",
1748 "Do NOT include system files in search results"
1750 static const true_false_string tfs_search_attribute_volume = {
1751 "Include VOLUME IDs in search results",
1752 "Do NOT include volume IDs in search results"
1754 static const true_false_string tfs_search_attribute_directory = {
1755 "Include DIRECTORIES in search results",
1756 "Do NOT include directories in search results"
1758 static const true_false_string tfs_search_attribute_archive = {
1759 "Include ARCHIVE files in search results",
1760 "Do NOT include archive files in search results"
/*
 * Dissect the 2-byte little-endian search attribute field at offset: a
 * "Search Attributes" summary item with an ett_smb_search subtree, followed
 * by six flags (read only, hidden, system, volume, directory, archive), all
 * decoded from the same 16-bit mask.
 * NOTE(review): declarations, any guard around the subtree creation and the
 * return are on lines not shown here.
 */
1764 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1770 mask = tvb_get_letohs(tvb, offset);
1773 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1774 "Search Attributes: 0x%04x", mask);
1775 tree = proto_item_add_subtree(item, ett_smb_search);
1777 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1778 tvb, offset, 2, mask);
1779 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1780 tvb, offset, 2, mask);
1781 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1782 tvb, offset, 2, mask);
1783 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1784 tvb, offset, 2, mask);
1785 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1786 tvb, offset, 2, mask);
1787 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1788 tvb, offset, 2, mask);
1797 * XXX - this isn't used.
1798 * Is this used for anything? NT Create AndX doesn't use it.
1799 * Is there some 16-bit attribute field with more bits than Read Only,
1800 * Hidden, System, Volume ID, Directory, and Archive?
/*
 * Adds a "File Attributes" subtree and fifteen attribute flags for the
 * field at offset.
 * NOTE(review): the mask is read as 32 bits (tvb_get_letohl) but every item
 * is given a range of 2 bytes, so the read width and the displayed width
 * disagree. Resolve that before this routine is put to use on packet data.
 * NOTE(review): declarations, any guard around the subtree creation and the
 * return are on lines not shown here.
 */
1803 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1809 mask = tvb_get_letohl(tvb, offset);
1812 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1813 "File Attributes: 0x%08x", mask);
1814 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1816 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1817 tvb, offset, 2, mask);
1818 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1819 tvb, offset, 2, mask);
1820 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1821 tvb, offset, 2, mask);
1822 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1823 tvb, offset, 2, mask);
1824 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1825 tvb, offset, 2, mask);
1826 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1827 tvb, offset, 2, mask);
1828 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1829 tvb, offset, 2, mask);
1830 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1831 tvb, offset, 2, mask);
1832 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1833 tvb, offset, 2, mask);
1834 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1835 tvb, offset, 2, mask);
1836 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1837 tvb, offset, 2, mask);
1838 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1839 tvb, offset, 2, mask);
1840 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1841 tvb, offset, 2, mask);
1842 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1843 tvb, offset, 2, mask);
1844 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1845 tvb, offset, 2, mask);
1854 #define SERVER_CAP_RAW_MODE 0x00000001
1855 #define SERVER_CAP_MPX_MODE 0x00000002
1856 #define SERVER_CAP_UNICODE 0x00000004
1857 #define SERVER_CAP_LARGE_FILES 0x00000008
1858 #define SERVER_CAP_NT_SMBS 0x00000010
1859 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1860 #define SERVER_CAP_STATUS32 0x00000040
1861 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1862 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1863 #define SERVER_CAP_NT_FIND 0x00000200
1864 #define SERVER_CAP_DFS 0x00001000
1865 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1866 #define SERVER_CAP_LARGE_READX 0x00004000
1867 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1868 #define SERVER_CAP_UNIX 0x00800000
1869 #define SERVER_CAP_RESERVED 0x02000000
1870 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1871 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1872 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
// Display strings for the server capability bits, one table per bit:
// the first string is shown when the bit is set, the second when it is clear.
1873 static const true_false_string tfs_server_cap_raw_mode = {
1874 "Read Raw and Write Raw are supported",
1875 "Read Raw and Write Raw are not supported"
1877 static const true_false_string tfs_server_cap_mpx_mode = {
1878 "Read Mpx and Write Mpx are supported",
1879 "Read Mpx and Write Mpx are not supported"
1881 static const true_false_string tfs_server_cap_unicode = {
1882 "Unicode strings are supported",
1883 "Unicode strings are not supported"
1885 static const true_false_string tfs_server_cap_large_files = {
1886 "Large files are supported",
1887 "Large files are not supported",
1889 static const true_false_string tfs_server_cap_nt_smbs = {
1890 "NT SMBs are supported",
1891 "NT SMBs are not supported"
1893 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1894 "RPC remote APIs are supported",
1895 "RPC remote APIs are not supported"
1897 static const true_false_string tfs_server_cap_nt_status = {
1898 "NT status codes are supported",
1899 "NT status codes are not supported"
1901 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1902 "Level 2 oplocks are supported",
1903 "Level 2 oplocks are not supported"
1905 static const true_false_string tfs_server_cap_lock_and_read = {
1906 "Lock and Read is supported",
1907 "Lock and Read is not supported"
1909 static const true_false_string tfs_server_cap_nt_find = {
1910 "NT Find is supported",
1911 "NT Find is not supported"
1913 static const true_false_string tfs_server_cap_dfs = {
1915 "Dfs is not supported"
1917 static const true_false_string tfs_server_cap_infolevel_passthru = {
1918 "NT information level request passthrough is supported",
1919 "NT information level request passthrough is not supported"
1921 static const true_false_string tfs_server_cap_large_readx = {
1922 "Large Read andX is supported",
1923 "Large Read andX is not supported"
1925 static const true_false_string tfs_server_cap_large_writex = {
1926 "Large Write andX is supported",
1927 "Large Write andX is not supported"
1929 static const true_false_string tfs_server_cap_unix = {
1930 "UNIX extensions are supported",
1931 "UNIX extensions are not supported"
1933 static const true_false_string tfs_server_cap_reserved = {
1937 static const true_false_string tfs_server_cap_bulk_transfer = {
1938 "Bulk Read and Bulk Write are supported",
1939 "Bulk Read and Bulk Write are not supported"
1941 static const true_false_string tfs_server_cap_compressed_data = {
1942 "Compressed data transfer is supported",
1943 "Compressed data transfer is not supported"
1945 static const true_false_string tfs_server_cap_extended_security = {
1946 "Extended security exchanges are supported",
1947 "Extended security exchanges are not supported"
// Dissects the 32-bit capabilities word of a negotiate response.
// Reads a little-endian 32-bit value at offset, adds a Capabilities text item
// with a subtree under parent_tree, and adds one boolean per capability field.
// Every boolean covers the same 4 bytes and is given the full mask; the hf_
// field registrations (not visible here) presumably select the bit.
// The return statement is not shown in this listing. The caller stores the
// result in caps and tests SERVER_CAP_ bits on it, so this presumably returns
// mask - confirm.
1950 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
// The value is server-controlled and is only displayed here, never validated.
1956 mask = tvb_get_letohl(tvb, offset);
1959 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1960 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1962 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1963 tvb, offset, 4, mask);
1964 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1965 tvb, offset, 4, mask);
1966 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1967 tvb, offset, 4, mask);
1968 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1969 tvb, offset, 4, mask);
1970 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1971 tvb, offset, 4, mask);
1972 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1973 tvb, offset, 4, mask);
1974 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1975 tvb, offset, 4, mask);
1976 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1977 tvb, offset, 4, mask);
1978 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1979 tvb, offset, 4, mask);
1980 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1981 tvb, offset, 4, mask);
1982 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1983 tvb, offset, 4, mask);
1984 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1985 tvb, offset, 4, mask);
1986 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1987 tvb, offset, 4, mask);
1988 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1989 tvb, offset, 4, mask);
1990 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1991 tvb, offset, 4, mask);
1992 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1993 tvb, offset, 4, mask);
1994 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1995 tvb, offset, 4, mask);
1996 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1997 tvb, offset, 4, mask);
1998 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1999 tvb, offset, 4, mask);
// Bit masks and display strings for the read and write bits of the
// Raw Mode field of a negotiate response.
2005 #define RAWMODE_READ 0x01
2006 #define RAWMODE_WRITE 0x02
2007 static const true_false_string tfs_rm_read = {
2008 "Read Raw is supported",
2009 "Read Raw is not supported"
2011 static const true_false_string tfs_rm_write = {
2012 "Write Raw is supported",
2013 "Write Raw is not supported"
// Dissects the 16-bit Raw Mode field: reads a little-endian value at offset,
// adds a Raw Mode text item with a subtree, and shows the read and write bits
// as booleans over the same 2 bytes. The caller assigns the result to offset;
// the return statement itself is not visible in this listing.
2017 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2023 mask = tvb_get_letohs(tvb, offset);
2026 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
2027 tree = proto_item_add_subtree(item, ett_smb_rawmode);
2029 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
2030 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
// Bit masks and display strings for the Security Mode field of a negotiate
// response. These four bits are what the server advertised for the session:
// user or share level security, challenge/response or plaintext passwords,
// and whether message signatures are enabled and required. When reviewing a
// capture, the second string of tfs_sm_password and of the two signature
// tables marks a server that did not ask for the stronger setting.
2038 #define SECURITY_MODE_MODE 0x01
2039 #define SECURITY_MODE_PASSWORD 0x02
2040 #define SECURITY_MODE_SIGNATURES 0x04
2041 #define SECURITY_MODE_SIG_REQUIRED 0x08
2042 static const true_false_string tfs_sm_mode = {
2043 "USER security mode",
2044 "SHARE security mode"
2046 static const true_false_string tfs_sm_password = {
2047 "ENCRYPTED password. Use challenge/response",
2048 "PLAINTEXT password"
2050 static const true_false_string tfs_sm_signatures = {
2051 "Security signatures ENABLED",
2052 "Security signatures NOT enabled"
2054 static const true_false_string tfs_sm_sig_required = {
2055 "Security signatures REQUIRED",
2056 "Security signatures NOT required"
// Dissects the Security Mode field of a negotiate response.
// Two layouts are handled: a 16-bit field for which only the mode and
// password bits are shown, and an 8-bit field for which the two signature
// bits are shown as well. The lines that choose between the layouts are not
// visible in this listing; wc presumably selects - confirm.
// The bits are displayed as received; nothing here validates them.
2060 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
2063 proto_item *item = NULL;
2064 proto_tree *tree = NULL;
// 16-bit layout: no signature bits are displayed for this form.
2068 mask = tvb_get_letohs(tvb, offset);
2069 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2070 "Security Mode: 0x%04x", mask);
2071 tree = proto_item_add_subtree(item, ett_smb_mode);
2072 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
2073 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
// 8-bit layout: all four security mode bits are displayed.
2078 mask = tvb_get_guint8(tvb, offset);
2079 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2080 "Security Mode: 0x%02x", mask);
2081 tree = proto_item_add_subtree(item, ett_smb_mode);
2082 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
2083 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
2084 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
2085 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
// Dissects a Negotiate Protocol request: a Requested Dialects subtree that
// covers bc bytes, then one Dialect item per entry, each made of a buffer
// format byte followed by a NUL-terminated dialect name.
// bc and the loop around the per-dialect code are set up on lines that are
// not visible in this listing.
2094 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2096 proto_item *it = NULL;
2097 proto_tree *tr = NULL;
// Make sure the whole byte area is present before adding it as one item.
2106 tvb_ensure_bytes_exist(tvb, offset, bc);
2107 it = proto_tree_add_text(tree, tvb, offset, bc,
2108 "Requested Dialects");
2109 tr = proto_item_add_subtree(it, ett_smb_dialects);
2115 proto_item *dit = NULL;
2116 proto_tree *dtr = NULL;
2118 /* XXX - what if this runs past bc? */
// tvb_strsize looks for the terminating NUL in the tvb, not in the bc-byte
// dialect area, so len is not limited by bc at this point. The Dialect item
// below is added with len+1 bytes before the CHECK_BYTE_COUNT(len) further
// down, which is the only visible comparison of len with bc (the macro is
// defined elsewhere; presumably it stops dissection when len exceeds bc).
2119 tvb_ensure_bytes_exist(tvb, offset+1, 1);
2120 len = tvb_strsize(tvb, offset+1);
2121 str = tvb_get_ptr(tvb, offset+1, len);
// NOTE(review): str points at packet bytes and is printed with %s as is;
// other packet strings in this file go through format_text() before display.
2124 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2125 "Dialect: %s", str);
2126 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2130 CHECK_BYTE_COUNT(1);
2131 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2136 CHECK_BYTE_COUNT(len);
2137 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
// Dissects a Negotiate Protocol response.
// The selected dialect index is shown first. The word parameters then follow
// one of the layouts visible below: one with 2-byte buffer sizes, raw mode and
// a 16-bit key length, one with 4-byte buffer sizes, a capabilities word and
// an 8-bit key length, or an opaque item for an unknown word count. The byte
// parameters hold the challenge key and names or, with extended security, a
// server GUID and a security blob.
// The lines that choose between the layouts are not visible in this listing.
2148 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
// Per-packet SMB state; asserted non-NULL below before any use.
2150 smb_info_t *si = pinfo->private_data;
2160 DISSECTOR_ASSERT(si);
2165 dialect = tvb_get_letohs(tvb, offset);
// 0xffff is displayed as index -1.
2168 if(dialect==0xffff){
2169 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2170 tvb, offset, 2, dialect,
2171 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2173 proto_tree_add_uint(tree, hf_smb_dialect_index,
2174 tvb, offset, 2, dialect);
2178 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2179 tvb, offset, 2, dialect,
2180 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2183 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2184 tvb, offset, 2, dialect,
2185 "Dialect Index: %u, greater than LANMAN2.1", dialect);
// Unknown layout: confirm that wc*2 bytes are present before adding them as
// one opaque item. wc is set on a line not shown here.
2188 tvb_ensure_bytes_exist(tvb, offset, wc*2);
2189 proto_tree_add_text(tree, tvb, offset, wc*2,
2190 "Words for unknown response format");
2199 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2201 /* Maximum Transmit Buffer Size */
2202 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2203 tvb, offset, 2, TRUE);
2206 /* Maximum Multiplex Count */
2207 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2208 tvb, offset, 2, TRUE);
2211 /* Maximum Vcs Number */
2212 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2213 tvb, offset, 2, TRUE);
2217 offset = dissect_negprot_rawmode(tvb, tree, offset);
2220 proto_tree_add_item(tree, hf_smb_session_key,
2221 tvb, offset, 4, TRUE);
2224 /* current time and date at server */
2225 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2229 tz = tvb_get_letohs(tvb, offset);
2230 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2233 /* encryption key length */
// ekl is a length taken from the packet (16 bits in this layout). Both places
// that use it as an item length run CHECK_BYTE_COUNT(ekl) first.
2234 ekl = tvb_get_letohs(tvb, offset);
2235 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2238 /* 2 reserved bytes */
2239 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2246 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2248 /* Maximum Multiplex Count */
2249 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2250 tvb, offset, 2, TRUE);
2253 /* Maximum Vcs Number */
2254 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2255 tvb, offset, 2, TRUE);
2258 /* Maximum Transmit Buffer Size */
2259 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2260 tvb, offset, 4, TRUE);
2263 /* maximum raw buffer size */
2264 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2265 tvb, offset, 4, TRUE);
2269 proto_tree_add_item(tree, hf_smb_session_key,
2270 tvb, offset, 4, TRUE);
2273 /* server capabilities */
// caps is server-controlled and later decides both the byte-area layout
// (EXTENDED_SECURITY) and the string encoding (UNICODE).
2274 caps = dissect_negprot_capabilities(tvb, tree, offset);
2278 offset = dissect_nt_64bit_time(tvb, tree, offset,
2279 hf_smb_system_time);
2282 tz = tvb_get_letohs(tvb, offset);
2283 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2285 "Server Time Zone: %d min from UTC", tz);
2288 /* encryption key length */
// In this layout the key length is a single byte.
2289 ekl = tvb_get_guint8(tvb, offset);
2290 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2291 tvb, offset, 1, ekl);
2301 /* challenge/response encryption key */
2303 CHECK_BYTE_COUNT(ekl);
2304 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2311 * XXX - not present if negotiated dialect isn't
2312 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2313 * have to see the request, or assume what dialect strings
2314 * were sent, to determine that.
2316 * Is this something other than a primary domain if the
2317 * negotiated dialect is Windows for Workgroups 3.1a?
2318 * It appears to be 8 bytes of binary data in at least
2319 * one capture - is that an encryption key or something
2322 dn = get_unicode_or_ascii_string(tvb, &offset,
2323 si->unicode, &dn_len, FALSE, FALSE, &bc);
2326 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2328 COUNT_BYTES(dn_len);
// Without extended security the byte area holds the challenge key followed by
// the domain and server name strings.
2332 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2333 /* challenge/response encryption key */
2334 /* XXX - is this aligned on an even boundary? */
2336 CHECK_BYTE_COUNT(ekl);
2337 proto_tree_add_item(tree, hf_smb_encryption_key,
2338 tvb, offset, ekl, TRUE);
2343 /* this string is special, unicode is flagged in caps */
2344 /* This string is NOT padded to be 16bit aligned.
2345 (seen in actual capture)
2346 XXX - I've seen a capture where it appears to be
2347 so aligned, but I've also seen captures where
2348 it is. The captures where it appeared to be
2349 aligned may have been from buggy servers. */
2350 /* However, don't get rid of existing setting */
// si->unicode is set from the server-advertised UNICODE bit, OR-ed with an
// operand on a line that is not shown in this listing.
2351 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2354 dn = get_unicode_or_ascii_string(tvb,
2355 &offset, si->unicode, &dn_len, TRUE, FALSE,
2359 proto_tree_add_string(tree, hf_smb_primary_domain,
2360 tvb, offset, dn_len, dn);
2361 COUNT_BYTES(dn_len);
2363 /* server name, seen in w2k pro capture */
2364 dn = get_unicode_or_ascii_string(tvb,
2365 &offset, si->unicode, &dn_len, TRUE, FALSE,
2369 proto_tree_add_string(tree, hf_smb_server,
2370 tvb, offset, dn_len, dn);
2371 COUNT_BYTES(dn_len);
2374 proto_item *blob_item;
2378 /* XXX - show it in the standard Microsoft format
2380 CHECK_BYTE_COUNT(16);
2381 proto_tree_add_item(tree, hf_smb_server_guid,
2382 tvb, offset, 16, TRUE);
2386 /* If it runs past the end of the captured data, don't
2387 * try to put all of it into the protocol tree as the
2388 * raw security blob; we might get an exception on
2389 * short frames and then we will not see anything at all
2390 * of the security blob.
// sbloblen is assigned on a line not shown; here it is clamped to the number
// of bytes actually captured after offset.
2393 if(sbloblen>tvb_length_remaining(tvb, offset)){
2394 sbloblen=tvb_length_remaining(tvb,offset);
2396 blob_item = proto_tree_add_item(
2397 tree, hf_smb_security_blob,
2398 tvb, offset, sbloblen, TRUE);
2401 * If Extended security and BCC == 16, then raw
2402 * NTLMSSP is in use. We need to save this info
2406 tvbuff_t *gssapi_tvb;
2407 proto_tree *gssapi_tree;
2409 gssapi_tree = proto_item_add_subtree(
2410 blob_item, ett_smb_secblob);
2413 * Set the reported length of this to
2414 * the reported length of the blob,
2415 * rather than the amount of data
2416 * available from the blob, so that
2417 * we'll throw the right exception if
// Sub-tvb for the blob: captured length is the clamped sbloblen, reported
// length is bc.
2420 gssapi_tvb = tvb_new_subset(
2421 tvb, offset, sbloblen, bc);
2424 gssapi_handle, gssapi_tvb, pinfo,
// raw_ntlmssp is state kept on si->ct and written while dissecting this
// response: 0 on the path where a blob was present, 1 where there was none.
// NOTE(review): si->ct is dereferenced with no check visible in this listing;
// confirm it cannot be NULL here.
2428 si->ct->raw_ntlmssp = 0;
2435 * There is no blob. We just have to make sure
2436 * that subsequent routines know to call the
2441 si->ct->raw_ntlmssp = 1;
// Dissects a request that carries one directory name: a buffer format byte
// followed by the name string, which is also appended to the Info column.
// A copy of the name is stored in si->sip->extra_info, tagged
// SMB_EI_FILENAME; dissect_empty reads that tag and shows the stored name.
// pinfo carries the _U_ marker although it is used in this function.
2455 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2457 smb_info_t *si = pinfo->private_data;
2463 DISSECTOR_ASSERT(si);
2470 CHECK_BYTE_COUNT(1);
2471 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
// dn is decoded from packet bytes as Unicode or ASCII according to si->unicode.
2475 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
// se_strdup makes a copy of dn for the saved state. The guard around these
// two lines, if any, is on lines not shown - NOTE(review): confirm that
// si->sip is checked before it is dereferenced.
2479 si->sip->extra_info_type=SMB_EI_FILENAME;
2480 si->sip->extra_info=se_strdup(dn);
2485 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2487 COUNT_BYTES(dn_len);
// The column text goes through format_text() before display.
2489 if (check_col(pinfo->cinfo, COL_INFO)) {
2490 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s",
2491 format_text(dn, strlen(dn)));
// Dissects a message that has no parameters of its own. When the saved
// state si->sip is tagged SMB_EI_FILENAME, the stored name is shown as a
// zero-length item marked as generated, so it is not tied to packet bytes.
2500 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2504 smb_info_t *si = pinfo->private_data;
2505 proto_item *item=NULL;
2507 DISSECTOR_ASSERT(si);
// extra_info is interpreted as a string purely on the strength of the tag.
2509 if(si->sip && si->sip->extra_info_type==SMB_EI_FILENAME){
2510 item=proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, si->sip->extra_info);
2511 PROTO_ITEM_SET_GENERATED(item);
// Dissects a rename response. When the saved state si->sip is tagged
// SMB_EI_RENAMEDATA, the stored old and new names are shown as zero-length
// items marked as generated.
2525 dissect_rename_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2529 smb_info_t *si = pinfo->private_data;
2530 proto_item *item=NULL;
2532 DISSECTOR_ASSERT(si);
// extra_info is an untyped pointer; the tag check is the only thing that
// justifies reading it as smb_rename_saved_info_t.
2534 if(si->sip && si->sip->extra_info_type==SMB_EI_RENAMEDATA){
2535 smb_rename_saved_info_t *rni=si->sip->extra_info;
2537 item=proto_tree_add_string(tree, hf_smb_old_file_name, tvb, 0, 0, rni->old_name);
2538 PROTO_ITEM_SET_GENERATED(item);
2539 item=proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, rni->new_name);
2540 PROTO_ITEM_SET_GENERATED(item);
// Dissects an Echo request: a 16-bit little-endian echo count followed by
// bc bytes of echo data. bc is set on a line not visible in this listing.
2554 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2562 ec = tvb_get_letohs(tvb, offset);
2563 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2570 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
// Dissects an Echo response: a 2-byte echo sequence number followed by
// bc bytes of echo data. bc is set on a line not visible in this listing.
2580 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2587 /* echo sequence number */
2588 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2595 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
// Dissects a Tree Connect request: three fields, each introduced by a buffer
// format byte - the path, the password and the service name. The path is also
// appended to the Info column.
2605 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2607 smb_info_t *si = pinfo->private_data;
2613 DISSECTOR_ASSERT(si);
2620 CHECK_BYTE_COUNT(1);
2621 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2625 an = get_unicode_or_ascii_string(tvb, &offset,
2626 si->unicode, &an_len, FALSE, FALSE, &bc);
2629 proto_tree_add_string(tree, hf_smb_path, tvb,
2630 offset, an_len, an);
2631 COUNT_BYTES(an_len);
// The column text goes through format_text() before display.
2633 if (check_col(pinfo->cinfo, COL_INFO)) {
2634 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2635 format_text(an, strlen(an)));
2639 CHECK_BYTE_COUNT(1);
2640 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2643 /* password, ANSI */
2644 /* XXX - what if this runs past bc? */
// tvb_strsize looks for the NUL in the rest of the tvb, so pwlen is limited
// by bc only through the CHECK_BYTE_COUNT that follows (the macro is defined
// elsewhere; presumably it stops dissection when pwlen exceeds bc).
// The password bytes are added to the tree unmodified, so any saved or
// exported dissection of this request contains them.
2645 pwlen = tvb_strsize(tvb, offset);
2646 CHECK_BYTE_COUNT(pwlen);
2647 proto_tree_add_item(tree, hf_smb_password,
2648 tvb, offset, pwlen, TRUE);
2652 CHECK_BYTE_COUNT(1);
2653 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2658 * XXX - the SNIA CIFS spec "Strings that are never passed in
2659 * Unicode are: ... The service name string in the
2660 * Tree_Connect_AndX SMB". Is that claim false?
2662 an = get_unicode_or_ascii_string(tvb, &offset,
2663 si->unicode, &an_len, FALSE, FALSE, &bc);
2666 proto_tree_add_string(tree, hf_smb_service, tvb,
2667 offset, an_len, an);
2668 COUNT_BYTES(an_len);
// Adds the UID item for si->uid and annotates it with what si->ct->uid_tree
// holds for that UID: domain, account, and the logged_in and logged_out
// values. The annotations are zero-length items marked as generated.
2676 dissect_smb_uid(tvbuff_t *tvb, proto_tree *parent_tree, int offset, smb_info_t *si)
2678 proto_item *item, *subitem;
2680 smb_uid_t *smb_uid=NULL;
2682 item=proto_tree_add_uint(parent_tree, hf_smb_uid, tvb, offset, 2, si->uid);
2683 tree=proto_item_add_subtree(item, ett_smb_uid);
// NOTE(review): the lookup result is dereferenced below. The line between
// the lookup and the first use is not shown in this listing; confirm it
// guards against a UID that has no entry, and that si->ct is non-NULL.
2685 smb_uid=se_tree_lookup32(si->ct->uid_tree, si->uid);
2687 if(smb_uid->domain && smb_uid->account)
2688 proto_item_append_text(item, " (");
// Stored strings are passed as arguments to a fixed format, never used as
// the format string itself.
2689 if(smb_uid->domain){
2690 proto_item_append_text(item, "%s", smb_uid->domain);
2691 subitem=proto_tree_add_string(tree, hf_smb_primary_domain, tvb, 0, 0, smb_uid->domain);
2692 PROTO_ITEM_SET_GENERATED(subitem);
2694 if(smb_uid->account){
2695 proto_item_append_text(item, "\\%s", smb_uid->account);
2696 subitem=proto_tree_add_string(tree, hf_smb_account, tvb, 0, 0, smb_uid->account);
2697 PROTO_ITEM_SET_GENERATED(subitem);
2699 if(smb_uid->domain && smb_uid->account)
2700 proto_item_append_text(item, ")");
2701 if(smb_uid->logged_in>0){
2702 subitem=proto_tree_add_uint(tree, hf_smb_logged_in, tvb, 0, 0, smb_uid->logged_in);
2703 PROTO_ITEM_SET_GENERATED(subitem);
2705 if(smb_uid->logged_out>0){
2706 subitem=proto_tree_add_uint(tree, hf_smb_logged_out, tvb, 0, 0, smb_uid->logged_out);
2707 PROTO_ITEM_SET_GENERATED(subitem);
// Adds the TID item and tracks the tree id in si->ct->tid_tree.
// When is_created is set on the first pass over a frame, a new entry is
// allocated and inserted; on the other path the entry is looked up. When
// is_closed is set on the first pass, the closing frame number is recorded.
// The stored path and the opened_in and closed_in frame numbers are shown as
// zero-length items marked as generated.
2716 dissect_smb_tid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 tid, gboolean is_created, gboolean is_closed)
2718 smb_info_t *si = pinfo->private_data;
2721 smb_tid_info_t *tid_info=NULL;
2723 DISSECTOR_ASSERT(si);
2726 it=proto_tree_add_uint(tree, hf_smb_tid, tvb, offset, 2, tid);
2727 tr=proto_item_add_subtree(it, ett_smb_tid);
// State is only created the first time a frame is dissected.
2730 if((!pinfo->fd->flags.visited) && is_created){
2731 tid_info=se_alloc(sizeof(smb_tid_info_t));
2732 tid_info->opened_in=pinfo->fd->num;
2733 tid_info->closed_in=0;
2734 tid_info->type=SMB_FID_TYPE_UNKNOWN;
// The pointer from the saved request state is stored as is, not copied.
2735 if(si->sip && (si->sip->extra_info_type==SMB_EI_TIDNAME)){
2736 tid_info->filename=si->sip->extra_info;
2738 tid_info->filename=NULL;
2740 se_tree_insert32(si->ct->tid_tree, tid, tid_info);
// NOTE(review): se_tree_lookup32_le matches the largest key that is less than
// or equal to tid, so an entry stored for a lower tid can be returned; confirm
// that is intended. The lines after the lookup are not shown in this listing;
// confirm they handle a NULL result before tid_info is dereferenced below.
2744 tid_info=se_tree_lookup32_le(si->ct->tid_tree, tid);
2750 if((!pinfo->fd->flags.visited) && is_closed){
2751 tid_info->closed_in=pinfo->fd->num;
2754 if(tid_info->opened_in){
2755 if(tid_info->filename){
2756 proto_item_append_text(it, " (%s)", tid_info->filename);
2758 it=proto_tree_add_string(tr, hf_smb_path, tvb, 0, 0, tid_info->filename);
2759 PROTO_ITEM_SET_GENERATED(it);
2762 it=proto_tree_add_uint(tr, hf_smb_mapped_in, tvb, 0, 0, tid_info->opened_in);
2763 PROTO_ITEM_SET_GENERATED(it);
2765 if(tid_info->closed_in){
2766 it=proto_tree_add_uint(tr, hf_smb_unmapped_in, tvb, 0, 0, tid_info->closed_in);
2767 PROTO_ITEM_SET_GENERATED(it);
// Dissects a Tree Connect response: the 2-byte maximum buffer size, then the
// TID, which is registered as newly created through dissect_smb_tid.
// pinfo carries the _U_ marker although it is passed on below.
2775 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2782 /* Maximum Buffer Size */
2783 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
// is_created is TRUE and is_closed is FALSE for this call.
2787 offset=dissect_smb_tid(tvb, pinfo, tree, offset, tvb_get_letohs(tvb, offset), TRUE, FALSE);
// Display strings for the Open Function field: the create flag, and the value
// table for what to do when the file already exists.
2797 static const true_false_string tfs_of_create = {
2798 "Create file if it does not exist",
2799 "Fail if file does not exist"
2801 static const value_string of_open[] = {
2802 { 0, "Fail if file exists"},
2803 { 1, "Open file if it exists"},
2804 { 2, "Truncate file if it exists"},
// Dissects the 16-bit Open Function field: reads a little-endian value at
// offset, adds an Open Function text item with a subtree, and shows the
// create flag as a boolean and the open action as an unsigned value, both
// over the same 2 bytes. Callers assign the result to offset; the return
// statement is not visible in this listing.
2808 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2811 proto_item *item = NULL;
2812 proto_tree *tree = NULL;
2814 mask = tvb_get_letohs(tvb, offset);
2817 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2818 "Open Function: 0x%04x", mask);
2819 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2822 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2823 tvb, offset, 2, mask);
2824 proto_tree_add_uint(tree, hf_smb_open_function_open,
2825 tvb, offset, 2, mask);
// Display strings for the move flags: the first string is shown when the bit
// is set, the second when it is clear.
2833 static const true_false_string tfs_mf_file = {
2834 "Target must be a file",
2835 "Target needn't be a file"
2837 static const true_false_string tfs_mf_dir = {
2838 "Target must be a directory",
2839 "Target needn't be a directory"
2841 static const true_false_string tfs_mf_verify = {
2842 "MUST verify all writes",
2843 "Don't have to verify writes"
// Dissects the 16-bit flags word of a move request: reads a little-endian
// value at offset, adds a Flags text item with a subtree, and shows the
// verify, directory and file flags as booleans over the same 2 bytes.
2846 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2849 proto_item *item = NULL;
2850 proto_tree *tree = NULL;
2852 mask = tvb_get_letohs(tvb, offset);
2855 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2856 "Flags: 0x%04x", mask);
// Shares the ett_smb_move_copy_flags subtree id with dissect_copy_flags.
2857 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2860 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2861 tvb, offset, 2, mask);
2862 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2863 tvb, offset, 2, mask);
2864 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2865 tvb, offset, 2, mask);
// Display strings for the copy flags. Only the strings of tfs_cf_tree_copy
// are visible in this listing.
2872 static const true_false_string tfs_cf_mode = {
2876 static const true_false_string tfs_cf_tree_copy = {
2877 "Copy is a tree copy",
2878 "Copy is a file copy"
2880 static const true_false_string tfs_cf_ea_action = {
// Dissects the 16-bit flags word of a copy request: reads a little-endian
// value at offset, adds a Flags text item with a subtree, and shows seven
// copy flags as booleans over the same 2 bytes.
2885 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2888 proto_item *item = NULL;
2889 proto_tree *tree = NULL;
2891 mask = tvb_get_letohs(tvb, offset);
2894 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2895 "Flags: 0x%04x", mask);
// Shares the ett_smb_move_copy_flags subtree id with dissect_move_flags.
2896 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2899 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2900 tvb, offset, 2, mask);
2901 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2902 tvb, offset, 2, mask);
2903 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2904 tvb, offset, 2, mask);
2905 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2906 tvb, offset, 2, mask);
2907 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2908 tvb, offset, 2, mask);
2909 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2910 tvb, offset, 2, mask);
2911 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2912 tvb, offset, 2, mask);
// Dissects a Move request: the second TID, the open function and move flags
// words, then the old and new file names, each introduced by a buffer format
// byte. Both names are also appended to the Info column.
2920 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2922 smb_info_t *si = pinfo->private_data;
2929 DISSECTOR_ASSERT(si);
// The TID is only displayed and looked up here: is_created and is_closed are
// both FALSE.
2934 tid = tvb_get_letohs(tvb, offset);
2935 offset=dissect_smb_tid(tvb, pinfo, tree, offset, tid, FALSE, FALSE);
2938 offset = dissect_open_function(tvb, tree, offset);
2941 offset = dissect_move_flags(tvb, tree, offset);
2946 CHECK_BYTE_COUNT(1);
2947 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
// fn is decoded from packet bytes; it goes through format_text() before it is
// placed in the tree label and in the Info column.
2951 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2955 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2956 fn_len, fn, "Old File Name: %s", format_text(fn, strlen(fn)));
2957 COUNT_BYTES(fn_len);
2959 if (check_col(pinfo->cinfo, COL_INFO)) {
2960 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
2961 format_text(fn, strlen(fn)));
2965 CHECK_BYTE_COUNT(1);
2966 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2970 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2974 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2975 fn_len, fn, "New File Name: %s", format_text(fn, strlen(fn)));
2976 COUNT_BYTES(fn_len);
2978 if (check_col(pinfo->cinfo, COL_INFO)) {
2979 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
2980 format_text(fn, strlen(fn)));
// Dissects a Copy request: the second TID, the open function and copy flags
// words, then the source and destination file names, each introduced by a
// buffer format byte. Both names are also appended to the Info column.
2989 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2991 smb_info_t *si = pinfo->private_data;
2998 DISSECTOR_ASSERT(si);
// The TID is only displayed and looked up here: is_created and is_closed are
// both FALSE.
3003 tid = tvb_get_letohs(tvb, offset);
3004 offset=dissect_smb_tid(tvb, pinfo, tree, offset, tid, FALSE, FALSE);
3007 offset = dissect_open_function(tvb, tree, offset);
3010 offset = dissect_copy_flags(tvb, tree, offset);
3015 CHECK_BYTE_COUNT(1);
3016 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
// fn is decoded from packet bytes; it goes through format_text() before it is
// placed in the tree label and in the Info column.
3020 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3024 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3025 fn_len, fn, "Source File Name: %s", format_text(fn, strlen(fn)));
3026 COUNT_BYTES(fn_len);
3028 if (check_col(pinfo->cinfo, COL_INFO)) {
3029 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s",
3030 format_text(fn, strlen(fn)));
3034 CHECK_BYTE_COUNT(1);
3035 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3039 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3043 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3044 fn_len, fn, "Destination File Name: %s",
3045 format_text(fn, strlen(fn)));
3046 COUNT_BYTES(fn_len);
3048 if (check_col(pinfo->cinfo, COL_INFO)) {
3049 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", format_text(fn, strlen(fn)));
// Dissects the response shared by Move and Copy: the 2-byte count of files
// moved, then a buffer format byte and a file name string.
3058 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3060 smb_info_t *si = pinfo->private_data;
3066 DISSECTOR_ASSERT(si);
3070 /* # of files moved */
3071 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
3077 CHECK_BYTE_COUNT(1);
3078 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
// fn is decoded from packet bytes as Unicode or ASCII according to si->unicode.
3082 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3086 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3088 COUNT_BYTES(fn_len);
// Dissects an Open File request: the desired access and search attributes
// words, then a buffer format byte and the file name, which is also appended
// to the Info column as the path.
3096 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3098 smb_info_t *si = pinfo->private_data;
3104 DISSECTOR_ASSERT(si);
3108 /* desired access */
3109 offset = dissect_access(tvb, tree, offset, "Desired");
3111 /* Search Attributes */
3112 offset = dissect_search_attributes(tvb, tree, offset);
3117 CHECK_BYTE_COUNT(1);
3118 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
// fn is decoded from packet bytes as Unicode or ASCII according to si->unicode.
3122 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3126 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3128 COUNT_BYTES(fn_len);
// The column text goes through format_text() before display.
3130 if (check_col(pinfo->cinfo, COL_INFO)) {
3131 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3132 format_text(fn, strlen(fn)));
// Displays an NT create flags value that the caller has already read.
// Adds the create flags item over len bytes at offset with a subtree, then
// four boolean fields (extended response, directory, batch oplock, oplock)
// over the same bytes. mask is supplied by the caller; nothing is read from
// the tvb in the lines visible here.
3143 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
3144 int len, guint32 mask)
3146 proto_item *item = NULL;
3147 proto_tree *tree = NULL;
3150 item = proto_tree_add_uint(parent_tree, hf_smb_create_flags, tvb, offset, len, mask);
3152 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
3156 * XXX - it's 0x00000016 in at least one capture, but
3157 * Network Monitor doesn't say what the 0x00000010 bit is.
3158 * Does the Win32 API documentation, or NT Native API book,
3161 * That is the extended response desired bit ... RJS, from Samba
3162 * Well, maybe. Samba thinks it is, and uses it to encode
3163 * OpLock granted as the high order bit of the Action field
3164 * in the response. However, Windows does not do that. Or at least
3167 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_ext_resp,
3168 tvb, offset, len, mask);
3169 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
3170 tvb, offset, len, mask);
3171 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
3172 tvb, offset, len, mask);
3173 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
3174 tvb, offset, len, mask);
3181 /* FIXME: need to call dissect_nt_access_mask() instead */
// Displays an NT access mask that the caller has already read.
// Adds the access mask item over len bytes at offset with a subtree, then one
// boolean per access right over the same bytes. The booleans cover the generic
// rights, maximum allowed, system security, synchronize, the standard rights
// (write owner, write DAC, read control, delete) and the file-specific rights.
// The requested rights are displayed as received; nothing here validates them.
3183 dissect_smb_access_mask_bits(tvbuff_t *tvb, proto_tree *parent_tree,
3184 int offset, int len, guint32 mask)
3190 item = proto_tree_add_uint(parent_tree, hf_smb_access_mask, tvb, offset, len, mask);
3191 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
3194 * Some of these bits come from
3196 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
3198 * and others come from the section on ZwOpenFile in "Windows(R)
3199 * NT(R)/2000 Native API Reference".
3201 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
3202 tvb, offset, len, mask);
3203 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
3204 tvb, offset, len, mask);
3205 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
3206 tvb, offset, len, mask);
3207 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
3208 tvb, offset, len, mask);
3209 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
3210 tvb, offset, len, mask);
3211 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
3212 tvb, offset, len, mask);
3213 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
3214 tvb, offset, len, mask);
3215 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
3216 tvb, offset, len, mask);
3217 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
3218 tvb, offset, len, mask);
3219 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
3220 tvb, offset, len, mask);
3221 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
3222 tvb, offset, len, mask);
3223 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
3224 tvb, offset, len, mask);
3225 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
3226 tvb, offset, len, mask);
3227 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
3228 tvb, offset, len, mask);
3229 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
3230 tvb, offset, len, mask);
3231 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
3232 tvb, offset, len, mask);
3233 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
3234 tvb, offset, len, mask);
3235 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
3236 tvb, offset, len, mask);
3237 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
3238 tvb, offset, len, mask);
3239 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
3240 tvb, offset, len, mask);
// Reads a 32-bit little-endian access mask at offset and passes it to
// dissect_smb_access_mask_bits with a length of 4, keeping the offset that
// call returns.
3248 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3252 mask = tvb_get_letohl(tvb, offset);
3254 offset = dissect_smb_access_mask_bits(tvb, parent_tree, offset, 4, mask);
// Bit masks for the share access value; dissect_nt_share_access_bits tests
// them to append the matching SHARE_ name to the item text.
3260 #define SHARE_ACCESS_DELETE 0x00000004
3261 #define SHARE_ACCESS_WRITE 0x00000002
3262 #define SHARE_ACCESS_READ 0x00000001
// Displays a share access value that the caller has already read.
// Adds the share access item over len bytes at offset with a subtree, then a
// boolean for each of the delete, write and read bits. For every bit that is
// set in mask, the matching SHARE_ name is appended to the item text.
3265 dissect_nt_share_access_bits(tvbuff_t *tvb, proto_tree *parent_tree,
3266 int offset, int len, guint32 mask)
3272 item = proto_tree_add_uint(parent_tree, hf_smb_share_access, tvb, offset, len, mask);
3273 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
3275 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
3276 tvb, offset, len, mask);
// The appended names are fixed strings; no packet data is used as text here.
3277 if(mask&SHARE_ACCESS_DELETE){
3278 proto_item_append_text(item, " SHARE_DELETE");
3281 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
3282 tvb, offset, len, mask);
3283 if(mask&SHARE_ACCESS_WRITE){
3284 proto_item_append_text(item, " SHARE_WRITE");
3287 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
3288 tvb, offset, len, mask);
3289 if(mask&SHARE_ACCESS_READ){
3290 proto_item_append_text(item, " SHARE_READ");
/*
 * Dissect a 4-byte share-access field at 'offset': read it little-endian
 * and pass it to dissect_nt_share_access_bits() with len 4.
 * NOTE(review): declarations and the return statement are not visible in
 * this listing.
 */
3300 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3304 mask = tvb_get_letohl(tvb, offset);
3306 offset = dissect_nt_share_access_bits(tvb, parent_tree, offset, 4, mask);
/*
 * Display an NT create-options mask that the caller has already extracted.
 *
 * Adds one uint item for the whole mask, opens a subtree under it and adds
 * one boolean row per known option. Every row is given the full 'mask';
 * which bit a row shows is determined by the hf_ field registration, which
 * is outside this listing.
 *
 * 'offset'/'len' only control which bytes are highlighted; dissect_smb_fid()
 * passes 0/0 when replaying options remembered from the create request.
 */
3313 dissect_nt_create_options_bits(tvbuff_t *tvb, proto_tree *parent_tree,
3314 int offset, int len, guint32 mask)
3320 item = proto_tree_add_uint(parent_tree, hf_smb_create_options, tvb, offset, len, mask);
3321 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
3326 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
3328 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
3329 tvb, offset, len, mask);
3330 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
3331 tvb, offset, len, mask);
3332 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
3333 tvb, offset, len, mask);
3334 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_intermediate_buffering,
3335 tvb, offset, len, mask);
3336 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
3337 tvb, offset, len, mask);
3338 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
3339 tvb, offset, len, mask);
3340 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
3341 tvb, offset, len, mask);
3342 proto_tree_add_boolean(tree, hf_smb_nt_create_options_create_tree_connection,
3343 tvb, offset, len, mask);
3344 proto_tree_add_boolean(tree, hf_smb_nt_create_options_complete_if_oplocked,
3345 tvb, offset, len, mask);
3346 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
3347 tvb, offset, len, mask);
3348 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
3349 tvb, offset, len, mask);
3350 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
3351 tvb, offset, len, mask);
3352 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
3353 tvb, offset, len, mask);
3354 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_by_fileid,
3355 tvb, offset, len, mask);
3356 proto_tree_add_boolean(tree, hf_smb_nt_create_options_backup_intent,
3357 tvb, offset, len, mask);
3358 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_compression,
3359 tvb, offset, len, mask);
3360 proto_tree_add_boolean(tree, hf_smb_nt_create_options_reserve_opfilter,
3361 tvb, offset, len, mask);
3362 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_reparse_point,
3363 tvb, offset, len, mask);
3364 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_no_recall,
3365 tvb, offset, len, mask);
3366 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_for_free_space_query,
3367 tvb, offset, len, mask);
/*
 * Dissect a 4-byte create-options field at 'offset': read it little-endian
 * and pass it to dissect_nt_create_options_bits() with len 4.
 * NOTE(review): declarations and the return statement are not visible in
 * this listing.
 */
3375 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3379 mask = tvb_get_letohl(tvb, offset);
3381 offset = dissect_nt_create_options_bits(tvb, parent_tree, offset, 4, mask);
/*
 * Add a FID to the tree and maintain the per-conversation FID table.
 *
 * tvb/offset/len  bytes to highlight for the FID item
 * fid             FID value, already read by the caller
 * is_created      on the first pass over the capture, allocate a new
 *                 smb_fid_info_t and insert it into si->ct->fid_tree
 * is_closed       on the first pass, record this frame as the closing frame
 * is_generated    the FID does not come from this packet's bytes
 *                 (presumably this is what guards PROTO_ITEM_SET_GENERATED
 *                 at 3402; the test itself is not visible in this listing)
 *
 * Review notes for the second half of the function:
 *  - fid_info->closed_in and fid_info->opened_in are dereferenced after the
 *    table lookup. A lookup for a FID whose open was never captured cannot
 *    return an entry, so a NULL check has to sit between the lookup and
 *    these uses; the listing omits lines there - confirm it exists.
 *  - The opened-in/closed-in frame numbers, the file name and the replayed
 *    create flags, access mask, attributes, share access, create options
 *    and disposition are anchored at tvb offset 0 with length 0 because
 *    they are remembered state, not bytes of this packet.
 *  - fsi->filename originates from an earlier request in the same capture,
 *    i.e. it is packet-controlled text.
 */
3387 /* fids are scoped by tcp session */
3389 dissect_smb_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
3390 int len, guint16 fid, gboolean is_created, gboolean is_closed, gboolean is_generated)
/* NOTE(review): 'si' is dereferenced by the 'sip' initializer before
   DISSECTOR_ASSERT(si) runs, so the assert cannot catch a NULL
   private_data. Assigning sip after the assert would make it effective. */
3392 smb_info_t *si = pinfo->private_data;
3393 smb_saved_info_t *sip = si->sip;
3396 smb_fid_info_t *fid_info=NULL;
3398 DISSECTOR_ASSERT(si);
3400 it=proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
3402 PROTO_ITEM_SET_GENERATED(it);
3404 tr=proto_item_add_subtree(it, ett_smb_fid);
3405 if (check_col(pinfo->cinfo, COL_INFO))
3406 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
/* State is only created on the first pass (!visited), so re-dissecting a
   frame does not allocate again. se_alloc() is not shown zeroing the
   memory: opened_in, closed_in and type are set here, and fsi is set only
   when the saved request carries SMB_EI_FILEDATA - the other path must
   set fsi too (that branch is not visible in this listing; confirm). */
3408 if((!pinfo->fd->flags.visited) && is_created){
3409 fid_info=se_alloc(sizeof(smb_fid_info_t));
3410 fid_info->opened_in=pinfo->fd->num;
3411 fid_info->closed_in=0;
3412 fid_info->type=SMB_FID_TYPE_UNKNOWN;
3413 if(si->sip && (si->sip->extra_info_type==SMB_EI_FILEDATA)){
3414 fid_info->fsi=si->sip->extra_info;
/* si->ct is dereferenced with no check visible in this function */
3419 se_tree_insert32(si->ct->fid_tree, fid, fid_info);
/* every other call looks the FID up instead of creating it */
3423 fid_info=se_tree_lookup32(si->ct->fid_tree, fid);
3429 /* Store the fid in the transaction structure and remember if
3430 it was in the request or in the reply we saw it
3432 if(sip && (!is_generated) && (!pinfo->fd->flags.visited)) {
3435 sip->fid_seen_in_request=TRUE;
3437 sip->fid_seen_in_request=FALSE;
3441 if((!pinfo->fd->flags.visited) && is_closed){
3442 fid_info->closed_in=pinfo->fd->num;
3445 if(fid_info->opened_in){
3446 it=proto_tree_add_uint(tr, hf_smb_opened_in, tvb, 0, 0, fid_info->opened_in);
3447 PROTO_ITEM_SET_GENERATED(it);
3450 if(fid_info->closed_in){
3451 it=proto_tree_add_uint(tr, hf_smb_closed_in, tvb, 0, 0, fid_info->closed_in);
3452 PROTO_ITEM_SET_GENERATED(it);
3456 if(fid_info->opened_in){
3457 if(fid_info->fsi && fid_info->fsi->filename){
3458 it=proto_tree_add_string(tr, hf_smb_file_name, tvb, 0, 0, fid_info->fsi->filename);
3459 PROTO_ITEM_SET_GENERATED(it);
3460 proto_item_append_text(tr, " (%s)", fid_info->fsi->filename);
3461 dissect_nt_create_bits(tvb, tr, 0, 0, fid_info->fsi->create_flags);
3462 dissect_smb_access_mask_bits(tvb, tr, 0, 0, fid_info->fsi->access_mask);
3463 dissect_file_ext_attr_bits(tvb, tr, 0, 0, fid_info->fsi->file_attributes);
3464 dissect_nt_share_access_bits(tvb, tr, 0, 0, fid_info->fsi->share_access);
3465 dissect_nt_create_options_bits(tvb, tr, 0, 0, fid_info->fsi->create_options);
3466 it=proto_tree_add_uint(tr, hf_smb_nt_create_disposition, tvb, 0, 0, fid_info->fsi->create_disposition);
3467 PROTO_ITEM_SET_GENERATED(it);
/*
 * Open File response: FID, file attributes, last write time, file size and
 * granted access.
 * The FID is registered with is_created=TRUE, so this frame becomes the
 * "opened in" frame for that FID.
 * pinfo is tagged _U_ although it is passed to dissect_smb_fid() below.
 * NOTE(review): the offset advances after the FID and file-size items are
 * not visible in this listing.
 */
3475 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3484 fid = tvb_get_letohs(tvb, offset);
3485 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
3488 /* File Attributes */
3489 offset = dissect_file_attributes(tvb, tree, offset, 2);
3491 /* last write time */
3492 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/* 4-byte file size; TRUE is the last argument of proto_tree_add_item() */
3495 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3498 /* granted access */
3499 offset = dissect_access(tvb, tree, offset, "Granted");
/*
 * Query Information2 request: carries only a 16-bit FID, which is looked up
 * (not created, not closed) through dissect_smb_fid().
 * pinfo is tagged _U_ although it is passed on below.
 */
3509 dissect_query_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3518 fid = tvb_get_letohs(tvb, offset);
3519 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/*
 * Close Print File request: reads the 16-bit FID and passes is_closed=TRUE,
 * so the closing frame is recorded from the request, before any reply is
 * seen.
 * pinfo is tagged _U_ although it is passed on below.
 */
3530 dissect_close_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3539 fid = tvb_get_letohs(tvb, offset);
3540 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, TRUE, FALSE);
/*
 * Open Print File response: reads the 16-bit FID returned by the server.
 * NOTE(review): unlike dissect_open_file_response() this passes
 * is_created=FALSE, so no FID-table entry is created from this frame and
 * the FID is only looked up. Confirm this is intended for print files.
 * pinfo is tagged _U_ although it is passed on below.
 */
3551 dissect_open_print_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3560 fid = tvb_get_letohs(tvb, offset);
3561 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/*
 * Create New response: reads the 16-bit FID and registers it with
 * is_created=TRUE, making this frame the "opened in" frame for the FID.
 * pinfo is tagged _U_ although it is passed on below.
 */
3572 dissect_create_new_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3581 fid = tvb_get_letohs(tvb, offset);
3582 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
/*
 * Flush File request: carries only a 16-bit FID, which is looked up (not
 * created, not closed) through dissect_smb_fid().
 * pinfo is tagged _U_ although it is passed on below.
 */
3593 dissect_flush_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3602 fid = tvb_get_letohs(tvb, offset);
3603 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/*
 * Create File response: reads the 16-bit FID and registers it with
 * is_created=TRUE, making this frame the "opened in" frame for the FID.
 * pinfo is tagged _U_ although it is passed on below.
 */
3614 dissect_create_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3623 fid = tvb_get_letohs(tvb, offset);
3624 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
/*
 * Create File request: file attributes, creation time, then a buffer-format
 * byte followed by the file name, which is also appended to the Info
 * column.
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing; presumably they validate and consume the SMB byte count -
 * confirm against their definitions.
 */
3635 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3637 smb_info_t *si = pinfo->private_data;
3643 DISSECTOR_ASSERT(si);
3647 /* file attributes */
3648 offset = dissect_file_attributes(tvb, tree, offset, 2);
3651 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3656 CHECK_BYTE_COUNT(1);
3657 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* the name is packet-controlled; si->unicode selects how it is decoded */
3661 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3665 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3667 COUNT_BYTES(fn_len);
/* NOTE(review): strlen(fn) requires fn != NULL; the check that follows the
   string extraction is not visible in this listing - confirm. The name is
   passed through format_text() and supplied as a "%s" argument, never as
   the format string itself. */
3669 if (check_col(pinfo->cinfo, COL_INFO)) {
3670 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3671 format_text(fn, strlen(fn)));
/*
 * Close File request: 16-bit FID followed by the last write time.
 * is_closed=TRUE records this frame as the closing frame for the FID.
 * pinfo is tagged _U_ although it is passed on below.
 */
3680 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3688 fid = tvb_get_letohs(tvb, offset);
3689 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, TRUE, FALSE);
3692 /* last write time */
3693 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/*
 * Delete File request: search attributes, a buffer-format byte and the
 * file name. The name is copied into the saved request info (tagged
 * SMB_EI_FILENAME) and appended to the Info column.
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing.
 */
3703 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3705 smb_info_t *si = pinfo->private_data;
3711 DISSECTOR_ASSERT(si);
3715 /* search attributes */
3716 offset = dissect_search_attributes(tvb, tree, offset);
3721 CHECK_BYTE_COUNT(1);
3722 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* the name is packet-controlled; si->unicode selects how it is decoded */
3726 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
/* extra_info is an untyped pointer; its tag and value are updated together
   so readers can check extra_info_type before using it.
   NOTE(review): si->sip is dereferenced here; the guard (si->sip non-NULL,
   first pass only) is not visible in this listing - confirm. */
3730 si->sip->extra_info_type=SMB_EI_FILENAME;
3731 si->sip->extra_info=se_strdup(fn);
3736 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3738 COUNT_BYTES(fn_len);
/* name goes through format_text() and is a "%s" argument, not the format */
3740 if (check_col(pinfo->cinfo, COL_INFO)) {
3741 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3742 format_text(fn, strlen(fn)));
/*
 * Rename File request: search attributes, then two buffer-format/name
 * pairs (old name, new name). Both names are appended to the Info column
 * and, on the first pass, copied into an smb_rename_saved_info_t attached
 * to the saved request info (tagged SMB_EI_RENAMEDATA).
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing.
 */
3751 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3753 smb_info_t *si = pinfo->private_data;
3755 const char *fn, *old_name=NULL, *new_name=NULL;
3758 smb_rename_saved_info_t *rni=NULL;
3760 DISSECTOR_ASSERT(si);
3764 /* search attributes */
3765 offset = dissect_search_attributes(tvb, tree, offset);
3770 CHECK_BYTE_COUNT(1);
3771 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* old name: packet-controlled, decoded according to si->unicode */
3775 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3780 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3782 COUNT_BYTES(fn_len);
3784 if (check_col(pinfo->cinfo, COL_INFO)) {
3785 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3786 format_text(fn, strlen(fn)));
3790 CHECK_BYTE_COUNT(1);
3791 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* new name: 'fn' is reused for the second string */
3795 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3800 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3802 COUNT_BYTES(fn_len);
3804 if (check_col(pinfo->cinfo, COL_INFO)) {
3805 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3806 format_text(fn, strlen(fn)));
/* NOTE(review): old_name/new_name start as NULL and are assigned in lines
   this listing omits; confirm both are set on every path that reaches the
   se_strdup() calls below. */
3811 /* save the offset/len for this transaction */
3812 if(si->sip && !pinfo->fd->flags.visited){
3813 rni=se_alloc(sizeof(smb_rename_saved_info_t));
3814 rni->old_name=se_strdup(old_name);
3815 rni->new_name=se_strdup(new_name);
3817 si->sip->extra_info_type=SMB_EI_RENAMEDATA;
3818 si->sip->extra_info=rni;
/*
 * NT Rename request: search attributes, a 2-byte rename level, a 4-byte
 * cluster count, then two buffer-format/name pairs (old name, new name).
 * Both names are appended to the Info column. Unlike
 * dissect_rename_file_request(), no saved rename info is stored in the
 * visible lines.
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing.
 */
3825 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3827 smb_info_t *si = pinfo->private_data;
3833 DISSECTOR_ASSERT(si);
3837 /* search attributes */
3838 offset = dissect_search_attributes(tvb, tree, offset);
3840 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3843 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3849 CHECK_BYTE_COUNT(1);
3850 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* old name: packet-controlled, decoded according to si->unicode */
3854 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3858 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3860 COUNT_BYTES(fn_len);
/* NOTE(review): strlen(fn) requires fn != NULL; the check is not visible
   in this listing - confirm. */
3862 if (check_col(pinfo->cinfo, COL_INFO)) {
3863 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3864 format_text(fn, strlen(fn)));
3868 CHECK_BYTE_COUNT(1);
3869 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* new name */
3873 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3877 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3879 COUNT_BYTES(fn_len);
3881 if (check_col(pinfo->cinfo, COL_INFO)) {
3882 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3883 format_text(fn, strlen(fn)));
/*
 * Query Information request: a buffer-format byte followed by the file
 * name, which is also appended to the Info column.
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing.
 */
3893 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3895 smb_info_t *si = pinfo->private_data;
3901 DISSECTOR_ASSERT(si);
3908 CHECK_BYTE_COUNT(1);
3909 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* the name is packet-controlled; si->unicode selects how it is decoded */
3913 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3917 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3919 COUNT_BYTES(fn_len);
/* NOTE(review): strlen(fn) requires fn != NULL; the check is not visible
   in this listing - confirm. The name is a "%s" argument, not the format. */
3921 if (check_col(pinfo->cinfo, COL_INFO)) {
3922 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3923 format_text(fn, strlen(fn)));
/*
 * Query Information response: file attributes, last write time, a 4-byte
 * file size and 10 reserved bytes.
 * NOTE(review): the offset advances after the proto_tree_add_item() calls
 * are not visible in this listing.
 */
3932 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3939 /* File Attributes */
3940 offset = dissect_file_attributes(tvb, tree, offset, 2);
3942 /* Last Write Time */
3943 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3946 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3949 /* 10 reserved bytes */
3950 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
/*
 * Set Information request: file attributes, last write time, 10 reserved
 * bytes, then a buffer-format byte and the file name, which is also
 * appended to the Info column.
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing.
 */
3961 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3963 smb_info_t *si = pinfo->private_data;
3969 DISSECTOR_ASSERT(si);
3973 /* file attributes */
3974 offset = dissect_file_attributes(tvb, tree, offset, 2);
3976 /* last write time */
3977 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3979 /* 10 reserved bytes */
3980 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3986 CHECK_BYTE_COUNT(1);
3987 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* the name is packet-controlled; si->unicode selects how it is decoded */
3991 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3995 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3997 COUNT_BYTES(fn_len);
/* NOTE(review): strlen(fn) requires fn != NULL; the check is not visible
   in this listing - confirm. The name is a "%s" argument, not the format. */
3999 if (check_col(pinfo->cinfo, COL_INFO)) {
4000 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4001 format_text(fn, strlen(fn)));
/*
 * Read File request: 16-bit FID, 16-bit byte count, 32-bit file offset and
 * a 16-bit "remaining" hint. Count and offset are summarised in the Info
 * column.
 * pinfo is tagged _U_ although it is used below.
 * NOTE(review): the (guint16) cast suggests 'fid' is declared wider than 16
 * bits here; its declaration is not visible in this listing.
 */
4010 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4020 fid = tvb_get_letohs(tvb, offset);
4021 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (guint16) fid, FALSE, FALSE, FALSE);
4025 cnt = tvb_get_letohs(tvb, offset);
4026 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4030 ofs = tvb_get_letohl(tvb, offset);
4031 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* only integers are formatted here; the format string is a literal */
4034 if (check_col(pinfo->cinfo, COL_INFO))
4035 col_append_fstr(pinfo->cinfo, COL_INFO,
4036 ", %u byte%s at offset %u", cnt,
4037 (cnt == 1) ? "" : "s", ofs);
4040 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Add the file-data portion of a read/write message to the tree.
 *
 * bc       bytes the caller says remain in the message
 * datalen  bytes of that which are file data; any excess (bc-datalen) is
 *          shown as leading padding
 *
 * Both values originate from length fields in the packet (see the callers),
 * so nothing here may trust them beyond what the tvb accessors enforce.
 *
 * NOTE(review): bc and datalen are guint16, so bc-datalen is computed in
 * int and is negative when datalen > bc. The padding step is only valid
 * under a "bc > datalen" test, and the later branch between the
 * "Incomplete" item and the full-length item needs a comparison of bc with
 * tvblen; neither condition is visible in this listing - confirm both.
 */
4051 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
4056 /* We have some initial padding bytes. */
4057 /* XXX - use the data offset here instead? */
4058 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
4060 offset += bc-datalen;
/* bytes actually present in the buffer from 'offset' on */
4063 tvblen = tvb_length_remaining(tvb, offset);
/* truncated capture: show only the tvblen bytes that exist; the format
   string is a literal and takes two integers */
4065 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
/* complete data: the item covers bc bytes */
4068 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
/*
 * Hand the data portion of a read/write on a pipe to the DCERPC-over-pipe
 * dissector.
 *
 * Leading padding (bc-datalen bytes) is shown first, then a sub-tvb is
 * created starting at the data and passed to dissect_pipe_dcerpc() together
 * with the FID.
 *
 * NOTE(review): bc and datalen come from packet length fields and
 * bc-datalen is negative when datalen > bc; the guarding condition for the
 * padding step is not visible in this listing - confirm.
 */
4075 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
4076 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
4079 tvbuff_t *dcerpc_tvb;
4082 /* We have some initial padding bytes. */
4083 /* XXX - use the data offset here instead? */
4084 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
4086 offset += bc-datalen;
/* the subset gets tvblen as its available length and bc as its reported
   length, so a truncated capture is visible to the sub-dissector */
4089 tvblen = tvb_length_remaining(tvb, offset);
4090 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
4091 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
/*
 * Choose between the DCERPC pipe path and plain file data for a read/write
 * payload. The DCERPC path is taken only when the saved request info marks
 * the tree as IPC (SMB_SIF_TID_IS_IPC) and the file offset 'ofs' is 0;
 * everything else, including IPC traffic at a non-zero offset, is shown as
 * ordinary file data.
 */
4100 * transporting DCERPC over SMB seems to be implemented in various
4101 * ways. We might just assume it can be done by an almost random
4102 * mix of Trans/Read/Write calls
4104 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
4105 * and let him sort them out
4108 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
4109 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
4110 guint16 datalen, guint32 ofs, guint16 fid)
4112 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4114 DISSECTOR_ASSERT(si);
/* '&' binds tighter than '&&': this tests the IPC flag bit only when
   si->sip is non-NULL */
4116 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
4118 return dissect_file_data_dcerpc(tvb, pinfo, tree,
4119 top_tree, offset, bc, datalen, fid);
4121 /* ordinary file data */
4122 return dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Read File response: 16-bit count, 8 reserved bytes, then a buffer-format
 * byte, a 16-bit data length and the data itself, which may be DCERPC when
 * the read was on a pipe.
 *
 * NOTE(review): the data length field is displayed but the payload call
 * passes bc for both the byte count and the data length, and a constant 0
 * as the file offset, so any read reply on an IPC tree goes down the DCERPC
 * path. 'fid' and 'top_tree' are not parameters of this function; their
 * origin is not visible in this listing.
 * pinfo is tagged _U_ although it is used below.
 */
4127 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4131 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4134 DISSECTOR_ASSERT(si);
4139 cnt = tvb_get_letohs(tvb, offset);
4140 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4143 /* 8 reserved bytes */
4144 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
4149 CHECK_BYTE_COUNT(1);
4150 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4154 CHECK_BYTE_COUNT(2);
4155 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4158 /* file data, might be DCERPC on a pipe */
4160 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
4161 top_tree, offset, bc, bc, 0, (guint16) fid);
/*
 * Lock And Read response: 16-bit count, 8 reserved bytes, then a
 * buffer-format byte and a 16-bit data length.
 * No call that displays the data bytes themselves appears in the visible
 * lines.
 * CHECK_BYTE_COUNT() is a macro defined outside this listing.
 */
4171 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4179 cnt = tvb_get_letohs(tvb, offset);
4180 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4183 /* 8 reserved bytes */
4184 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
4190 CHECK_BYTE_COUNT(1);
4191 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4195 CHECK_BYTE_COUNT(2);
4196 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/*
 * Per-transaction read/write bookkeeping attached to the saved request info
 * under the SMB_EI_RWINFO tag. The code below reads its 'offset' and 'len'
 * members; the member list itself is not visible in this listing.
 */
4204 typedef struct _rw_info_t {
/*
 * Write File request: 16-bit FID, 16-bit count, 32-bit file offset, a
 * 16-bit "remaining" hint, then a buffer-format byte, a 16-bit data length
 * and the data, which may be DCERPC when the write is to a pipe.
 *
 * On the first pass the offset/length pair is remembered in an rw_info_t
 * attached to the saved request info so the matching response can show it.
 * pinfo is tagged _U_ although it is used below; 'top_tree' is not a
 * parameter and its origin is not visible in this listing.
 */
4212 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4215 guint16 cnt=0, bc, fid=0;
4217 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4218 rw_info_t *rwi=NULL;
4220 DISSECTOR_ASSERT(si);
4225 fid = tvb_get_letohs(tvb, offset);
4226 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4230 cnt = tvb_get_letohs(tvb, offset);
4231 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4235 ofs = tvb_get_letohl(tvb, offset);
4236 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4239 if (check_col(pinfo->cinfo, COL_INFO))
4240 col_append_fstr(pinfo->cinfo, COL_INFO,
4241 ", %u byte%s at offset %u", cnt,
4242 (cnt == 1) ? "" : "s", ofs);
/* NOTE(review): the assignments that fill the new rw_info_t are not
   visible in this listing; confirm every member read later is set. */
4244 /* save the offset/len for this transaction */
4245 if(si->sip && !pinfo->fd->flags.visited){
4246 rwi=se_alloc(sizeof(rw_info_t));
4251 si->sip->extra_info_type=SMB_EI_RWINFO;
4252 si->sip->extra_info=rwi;
/* extra_info is an untyped pointer shared by several record kinds; the tag
   is checked before it is treated as an rw_info_t */
4254 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
4255 rwi=si->sip->extra_info;
/* generated items: anchored at offset 0, length 0 */
4260 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
4262 PROTO_ITEM_SET_GENERATED(it);
4263 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
4264 PROTO_ITEM_SET_GENERATED(it);
4268 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4274 CHECK_BYTE_COUNT(1);
4275 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4279 CHECK_BYTE_COUNT(2);
4280 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/* bc is passed as both byte count and data length; the real file offset is
   forwarded, so only writes at offset 0 on an IPC tree are tried as DCERPC */
4283 /* file data, might be DCERPC on a pipe */
4285 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
4286 top_tree, offset, bc, bc, ofs, fid);
/*
 * Write File response: a 16-bit count of bytes written, summarised in the
 * Info column. If the saved request info carries an SMB_EI_RWINFO record,
 * the offset and length remembered from the request are shown as generated
 * items.
 * pinfo is tagged _U_ although it is used below.
 */
4296 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4300 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4301 rw_info_t *rwi=NULL;
4303 DISSECTOR_ASSERT(si);
4308 cnt = tvb_get_letohs(tvb, offset);
4309 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4312 if (check_col(pinfo->cinfo, COL_INFO))
4313 col_append_fstr(pinfo->cinfo, COL_INFO,
4314 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
/* the tag is checked before extra_info is treated as an rw_info_t */
4316 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
4317 rwi=si->sip->extra_info;
/* NOTE(review): rwi stays NULL when the tag does not match; the guard
   around the two uses below is not visible in this listing - confirm. */
4322 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
4324 PROTO_ITEM_SET_GENERATED(it);
4325 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
4326 PROTO_ITEM_SET_GENERATED(it);
/*
 * Lock request: 16-bit FID followed by a 4-byte count and a 4-byte offset.
 * The FID is looked up (not created, not closed).
 * pinfo is tagged _U_ although it is passed on below.
 */
4337 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4345 fid = tvb_get_letohs(tvb, offset);
4346 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4350 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
4354 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/*
 * Create Temporary request: 2 reserved bytes, creation time, then a
 * buffer-format byte and the directory name, which is also appended to the
 * Info column.
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing.
 */
4365 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4367 smb_info_t *si = pinfo->private_data;
4373 DISSECTOR_ASSERT(si);
4377 /* 2 reserved bytes */
4378 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4382 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
4387 CHECK_BYTE_COUNT(1);
4388 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4391 /* directory name */
4392 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4396 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
4398 COUNT_BYTES(fn_len);
/* NOTE(review): strlen(fn) requires fn != NULL; the check is not visible
   in this listing - confirm. The name is a "%s" argument, not the format. */
4400 if (check_col(pinfo->cinfo, COL_INFO)) {
4401 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4402 format_text(fn, strlen(fn)));
/*
 * Create Temporary response: 16-bit FID (registered with is_created=TRUE),
 * then a buffer-format byte and the name of the file the server created.
 * The name is added to the tree only; the visible lines do not append it
 * to the Info column.
 * CHECK_BYTE_COUNT() and COUNT_BYTES() are macros defined outside this
 * listing.
 */
4411 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4413 smb_info_t *si = pinfo->private_data;
4419 DISSECTOR_ASSERT(si);
4424 fid = tvb_get_letohs(tvb, offset);
4425 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
4431 CHECK_BYTE_COUNT(1);
4432 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* the name is packet-controlled; si->unicode selects how it is decoded */
4436 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4440 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4442 COUNT_BYTES(fn_len);
/*
 * Display strings for the 2-byte seek mode field.
 * NOTE(review): the table's terminating entry and closing brace are not
 * visible in this listing.
 */
4449 static const value_string seek_mode_vals[] = {
4450 {0, "From Start Of File"},
4451 {1, "From Current Position"},
4452 {2, "From End Of File"},
/*
 * Seek request: 16-bit FID, 2-byte seek mode and 4-byte offset.
 * The FID is looked up (not created, not closed).
 * pinfo is tagged _U_ although it is passed on below.
 */
4457 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4465 fid = tvb_get_letohs(tvb, offset);
4466 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4470 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
4474 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Seek response: a single 4-byte offset field. */
4485 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4493 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/*
 * Set Information2 request: 16-bit FID followed by three DOS date/time
 * pairs (create, access, last write), each decoded by
 * dissect_smb_datetime().
 * pinfo is tagged _U_ although it is passed on below.
 * NOTE(review): one argument line of the first two dissect_smb_datetime()
 * calls is missing from this listing.
 */
4504 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4512 fid = tvb_get_letohs(tvb, offset);
4513 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4517 offset = dissect_smb_datetime(tvb, tree, offset,
4519 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
4522 offset = dissect_smb_datetime(tvb, tree, offset,
4524 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
4526 /* last write time */
4527 offset = dissect_smb_datetime(tvb, tree, offset,
4528 hf_smb_last_write_time,
4529 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
/*
 * Query Information2 response: three DOS date/time pairs (create, access,
 * last write), a 4-byte data size, a 4-byte allocation size and the file
 * attributes.
 * NOTE(review): one argument line of the first two dissect_smb_datetime()
 * calls and the offset advances after the size fields are missing from
 * this listing.
 */
4539 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4547 offset = dissect_smb_datetime(tvb, tree, offset,
4549 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
4552 offset = dissect_smb_datetime(tvb, tree, offset,
4554 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
4556 /* last write time */
4557 offset = dissect_smb_datetime(tvb, tree, offset,
4558 hf_smb_last_write_time,
4559 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
4562 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
4565 /* allocation size */
4566 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
4569 /* File Attributes */
4570 offset = dissect_file_attributes(tvb, tree, offset, 2);
/*
 * Write And Close request: 16-bit FID (is_closed=TRUE, so this frame is
 * recorded as the closing frame), 16-bit count, 4-byte offset, last write
 * time, 12 reserved bytes, one padding byte and the file data.
 *
 * NOTE(review): the data is displayed using 'cnt' from the packet's count
 * field for both the byte count and the data length, not the SMB byte
 * count, so a count larger than the bytes present depends on
 * dissect_file_data() and the tvb accessors to flag the shortfall.
 * pinfo is tagged _U_ although it is passed on below.
 */
4580 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4589 fid = tvb_get_letohs(tvb, offset);
4590 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, TRUE, FALSE);
4594 cnt = tvb_get_letohs(tvb, offset);
4595 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4599 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4602 /* last write time */
4603 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
4606 /* 12 reserved bytes */
4607 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
4614 CHECK_BYTE_COUNT(1);
4615 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
4618 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
/* Write And Close response: a single 2-byte count field. */
4627 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4635 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
/*
 * Convert an SMB timeout in milliseconds to display text.
 *
 * The special values get fixed strings: "Return immediately (0)",
 * "Wait indefinitely (-1)", "Use default timeout (-2)" and
 * "Unknown reserved value (%d)"; any other value is formatted by
 * time_msecs_to_str(). The conditions selecting the first and last of the
 * fixed strings are not visible in this listing.
 *
 * The buffer comes from ep_alloc() with
 * SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1 bytes and every g_snprintf() is
 * given that same size, so the writes are bounded by the allocation.
 *
 * The callers visible here read the timeout with tvb_get_letohl() and pass
 * it in; the parameter is gint32, so values with the top bit set arrive as
 * negative numbers (the type of the callers' variable is not visible).
 * The parameter shares its name with the C library's time().
 */
4645 /* Timeout is defined on page 117 of SMB Protocol Extensions version 2.0
4646 available at http://us1.samba.org/samba/ftp/SMB-info/DOSEXTP.TXT
4649 smbext20_timeout_msecs_to_str(gint32 time)
4652 #define SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN 60
4655 buf=ep_alloc(SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1);
4657 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Return immediately (0)");
4658 } else if (time == -1) {
4659 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Wait indefinitely (-1)");
4660 } else if (time == -2) {
4661 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Use default timeout (-2)");
4663 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Unknown reserved value (%d)", time);
4668 return time_msecs_to_str(time);
/*
 * Read Raw request: 16-bit FID, 4-byte offset, 2-byte max count, 2-byte min
 * count, 4-byte timeout, 2 reserved bytes and a 4-byte high offset.
 * pinfo is tagged _U_ although it is passed on below.
 * NOTE(review): any condition under which the high-offset field is present
 * is not visible in this listing.
 */
4672 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4681 fid = tvb_get_letohs(tvb, offset);
4682 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4686 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4690 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4694 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
/* the timeout text is supplied as a "%s" argument to a literal format */
4698 to = tvb_get_letohl(tvb, offset);
4699 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
4702 /* 2 reserved bytes */
4703 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4708 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/*
 * Query Information Disk response: four 2-byte fields (units, blocks per
 * unit, block size, free units) followed by 2 reserved bytes.
 * NOTE(review): the offset advances between the fields are not visible in
 * this listing.
 */
4720 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4728 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
4732 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
4736 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
4740 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
4743 /* 2 reserved bytes */
4744 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/*
 * Read MPX request: 16-bit FID, 4-byte offset, 2-byte max count, 2-byte min
 * count and 6 reserved bytes. The FID is looked up (not created, not
 * closed).
 * pinfo is tagged _U_ although it is passed on below.
 */
4755 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4763 fid = tvb_get_letohs(tvb, offset);
4764 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4768 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4772 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4776 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4779 /* 6 reserved bytes */
4780 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
/*
 * Read MPX response: 4-byte offset, 2-byte count, 2 reserved bytes, 2-byte
 * data compaction mode, 2 reserved bytes, 2-byte data length, 2-byte data
 * offset, then the file data.
 *
 * 'datalen' is taken from the packet and passed to dissect_file_data()
 * next to 'bc'; the data-offset field is displayed but not used to locate
 * the data in the visible lines.
 * NOTE(review): how 'bc' is assigned is not visible in this listing.
 */
4791 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4793 guint16 datalen=0, bc;
4799 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4803 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4806 /* 2 reserved bytes */
4807 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4810 /* data compaction mode */
4811 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4814 /* 2 reserved bytes */
4815 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4819 datalen = tvb_get_letohs(tvb, offset);
4820 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4824 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4830 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Display strings for the write-mode flag bits. In each table the first
 * string is shown when the bit is set and the second when it is clear.
 * The closing braces of the tables are not visible in this listing.
 */
4839 static const true_false_string tfs_write_mode_write_through = {
4840 "WRITE THROUGH requested",
4841 "Write through not requested"
4843 static const true_false_string tfs_write_mode_return_remaining = {
4844 "RETURN REMAINING (pipe/dev) requested",
4845 "DON'T return remaining (pipe/dev)"
4847 static const true_false_string tfs_write_mode_raw = {
4848 "Use WriteRawNamedPipe (pipe)",
4849 "DON'T use WriteRawNamedPipe (pipe)"
4851 static const true_false_string tfs_write_mode_message_start = {
4852 "This is the START of a MESSAGE (pipe)",
4853 "This is NOT the start of a message (pipe)"
4855 static const true_false_string tfs_write_mode_connectionless = {
4856 "CONNECTIONLESS mode requested",
4857 "Connectionless mode NOT requested"
/* Bit positions of the write-mode flags; also used as the 'bm' selector
   passed to dissect_write_mode(). */
4860 #define WRITE_MODE_CONNECTIONLESS 0x0080
4861 #define WRITE_MODE_MESSAGE_START 0x0008
4862 #define WRITE_MODE_RAW 0x0004
4863 #define WRITE_MODE_RETURN_REMAINING 0x0002
4864 #define WRITE_MODE_WRITE_THROUGH 0x0001
/*
 * Dissect the 2-byte write-mode field at 'offset'.
 *
 * bm is a selector, not packet data: a flag row is added only when the
 * corresponding WRITE_MODE_* bit is set in bm, and each row then shows the
 * state of that bit in the 'mask' read from the packet. The callers in this
 * listing pass 0x0003 (Write Raw) and 0x0083 (Write MPX).
 *
 * Bits that are set in the packet but not selected by bm get no row of
 * their own; they are only visible in the hex value of the
 * "Write Mode: 0x%04x" summary line.
 */
4867 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4873 mask = tvb_get_letohs(tvb, offset);
4876 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4877 "Write Mode: 0x%04x", mask);
4878 tree = proto_item_add_subtree(item, ett_smb_rawmode);
4880 if(bm&WRITE_MODE_CONNECTIONLESS){
4881 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4882 tvb, offset, 2, mask);
4884 if(bm&WRITE_MODE_MESSAGE_START){
4885 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4886 tvb, offset, 2, mask);
4888 if(bm&WRITE_MODE_RAW){
4889 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4890 tvb, offset, 2, mask);
4892 if(bm&WRITE_MODE_RETURN_REMAINING){
4893 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4894 tvb, offset, 2, mask);
4896 if(bm&WRITE_MODE_WRITE_THROUGH){
4897 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4898 tvb, offset, 2, mask);
/*
 * Write Raw request: 16-bit FID, 2-byte total data length, 2 reserved
 * bytes, 4-byte offset, 4-byte timeout, 2-byte write mode, 4 reserved
 * bytes, 2-byte data length, 2-byte data offset, then the file data.
 *
 * The write mode is shown with selector 0x0003, i.e. only the
 * WRITE_THROUGH and RETURN_REMAINING rows.
 * 'datalen' is taken from the packet and passed to dissect_file_data()
 * next to 'bc'; the data-offset field is displayed but not used to locate
 * the data (see the XXX comment).
 * pinfo is tagged _U_ although it is passed on below.
 */
4907 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4910 guint16 datalen=0, bc, fid;
4916 fid = tvb_get_letohs(tvb, offset);
4917 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4920 /* total data length */
4921 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4924 /* 2 reserved bytes */
4925 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4929 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* the timeout text is supplied as a "%s" argument to a literal format */
4933 to = tvb_get_letohl(tvb, offset);
4934 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
4938 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4940 /* 4 reserved bytes */
4941 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4945 datalen = tvb_get_letohs(tvb, offset);
4946 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4950 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4956 /* XXX - use the data offset to determine where the data starts? */
4957 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/* Dissect an SMB Write Raw response; the visible part shows the 2-byte
 * "remaining" field at offset. */
4966 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4974 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Dissect the parameters of an SMB Write MPX request: FID, total data
 * length, reserved bytes, file offset, timeout, write mode, request mask,
 * data length and data offset, followed by the file data.
 *
 * All lengths come from the packet. datalen is handed to
 * dissect_file_data() together with bc; bc is assigned on a line that is not
 * part of this listing.
 *
 * NOTE(review): pinfo carries the _U_ (unused) marker but is passed to
 * dissect_smb_fid() below.
 */
4985 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4988 guint16 datalen=0, bc, fid;
4994 fid = tvb_get_letohs(tvb, offset);
4995 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4998 /* total data length */
4999 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
5002 /* 2 reserved bytes */
5003 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5007 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5011 to = tvb_get_letohl(tvb, offset);
5012 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
/* 0x0083 = WRITE_MODE_CONNECTIONLESS | WRITE_MODE_RETURN_REMAINING |
 * WRITE_MODE_WRITE_THROUGH */
5016 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
5019 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
5023 datalen = tvb_get_letohs(tvb, offset);
5024 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* displayed only; the data is dissected at the running offset (see XXX) */
5028 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
5034 /* XXX - use the data offset to determine where the data starts? */
5035 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/* Dissect an SMB Write MPX response; the visible part shows the 4-byte
 * response mask at offset. */
5044 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5052 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
/* Dissect a command whose visible parameter is a 2-byte search id. */
5063 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5071 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/*
 * Dissect a 21-byte search resume key: 1 reserved byte, an 11-byte file
 * name that is never Unicode, a server cookie and a 4-byte client cookie.
 *
 * bcp / trunc - remaining byte count and truncation flag shared with the
 *               caller; presumably the *_SUBR macros (defined elsewhere in
 *               this file) update them - confirm there
 * has_find_id - presumably selects between the two server-cookie layouts
 *               below (1-byte find id + 4-byte cookie, or one 5-byte
 *               cookie); the branch itself is not part of this listing
 */
5082 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
5083 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
5084 gboolean has_find_id)
5086 proto_item *item = NULL;
5087 proto_tree *tree = NULL;
5088 smb_info_t *si = pinfo->private_data;
/* private_data is untyped; stop here rather than dereference a missing one */
5093 DISSECTOR_ASSERT(si);
5096 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
5098 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
5102 CHECK_BYTE_COUNT_SUBR(1);
5103 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5104 COUNT_BYTES_SUBR(1);
5108 fn = get_unicode_or_ascii_string(tvb, &offset, FALSE/*never Unicode*/, &fn_len,
5110 CHECK_STRING_SUBR(fn);
/* g_strlcpy writes at most 11 characters plus the terminating NUL.
 * NOTE(review): fname is declared on a line not shown here - confirm it
 * holds at least 11+1 bytes. */
5111 /* ensure that it's null-terminated */
5112 g_strlcpy(fname, fn, 11+1);
/* the item is given the fixed on-wire width 11, while the cursor below
 * advances by fn_len */
5113 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
5115 COUNT_BYTES_SUBR(fn_len);
5118 CHECK_BYTE_COUNT_SUBR(1);
5119 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
5120 COUNT_BYTES_SUBR(1);
5123 CHECK_BYTE_COUNT_SUBR(4);
5124 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
5125 COUNT_BYTES_SUBR(4);
5128 CHECK_BYTE_COUNT_SUBR(5);
5129 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
5130 COUNT_BYTES_SUBR(5);
5134 CHECK_BYTE_COUNT_SUBR(4);
5135 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
5136 COUNT_BYTES_SUBR(4);
/*
 * Dissect one "Directory Information" entry of a search response: the
 * resume key, file attributes, last write time, 4-byte file size and the
 * file name.
 *
 * bcp / trunc - remaining byte count and truncation flag shared with the
 *               caller and passed on to dissect_search_resume_key()
 * has_find_id - forwarded unchanged to dissect_search_resume_key()
 *
 * Each field is preceded by a CHECK_BYTE_COUNT_SUBR() with the field width;
 * the macro is defined elsewhere in this file and presumably stops
 * dissection of the entry when fewer bytes remain - confirm there.
 */
5143 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
5144 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
5145 gboolean has_find_id)
5147 proto_item *item = NULL;
5148 proto_tree *tree = NULL;
5149 smb_info_t *si = pinfo->private_data;
5154 DISSECTOR_ASSERT(si);
5157 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
5158 "Directory Information");
5159 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
5163 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
5164 trunc, has_find_id);
5168 /* File Attributes */
5169 CHECK_BYTE_COUNT_SUBR(1);
5170 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
5173 /* last write time */
5174 CHECK_BYTE_COUNT_SUBR(4);
5175 offset = dissect_smb_datetime(tvb, tree, offset,
5176 hf_smb_last_write_time,
5177 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
5182 CHECK_BYTE_COUNT_SUBR(4);
5183 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5184 COUNT_BYTES_SUBR(4);
5188 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5190 CHECK_STRING_SUBR(fn);
/* g_strlcpy writes at most 13 characters plus the terminating NUL.
 * NOTE(review): fname is declared on a line not shown here - confirm it
 * holds at least 13+1 bytes. */
5191 /* ensure that it's null-terminated */
5192 g_strlcpy(fname, fn, 13+1);
5193 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5195 COUNT_BYTES_SUBR(fn_len);
/*
 * Shared dissector for the Search, Find and Find Close requests: max count,
 * search attributes, a file name, and a resume key preceded by its length.
 *
 * has_find_id - forwarded to dissect_search_resume_key()
 *
 * The file name comes from the packet and is also appended to the Info
 * column; it goes through format_text() first rather than being printed raw.
 */
5203 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
5204 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
5205 gboolean has_find_id)
5207 smb_info_t *si = pinfo->private_data;
5215 DISSECTOR_ASSERT(si);
5220 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
5223 /* Search Attributes */
5224 offset = dissect_search_attributes(tvb, tree, offset);
5229 CHECK_BYTE_COUNT(1);
5230 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* NOTE(review): strlen(fn) below requires fn to be non-NULL; a check is
 * presumably made on a line between these two statements that is not part
 * of this listing - confirm. */
5234 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5238 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5240 COUNT_BYTES(fn_len);
5242 if (check_col(pinfo->cinfo, COL_INFO)) {
5243 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
5244 format_text(fn, strlen(fn)));
5248 CHECK_BYTE_COUNT(1);
5249 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
5252 /* resume key length */
5253 CHECK_BYTE_COUNT(2);
5254 rkl = tvb_get_letohs(tvb, offset);
5255 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
/* rkl is not passed on: the key is parsed with its fixed layout and is
 * limited by the remaining byte count bc, not by the advertised length */
5260 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
5261 &bc, &trunc, has_find_id);
/* Search request: delegates to dissect_search_find_request(). The remaining
 * call arguments (including has_find_id) are on a continuation line that is
 * not part of this listing. pinfo is marked _U_ but is forwarded. */
5272 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
5273 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5275 return dissect_search_find_request(tvb, pinfo, tree, offset,
/* Find request: delegates to dissect_search_find_request(). The remaining
 * call arguments (including has_find_id) are on a continuation line that is
 * not part of this listing. pinfo is marked _U_ but is forwarded. */
5280 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
5281 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5283 return dissect_search_find_request(tvb, pinfo, tree, offset,
/* Find Close request: delegates to dissect_search_find_request(). The
 * remaining call arguments (including has_find_id) are on a continuation
 * line that is not part of this listing. pinfo is marked _U_ but is
 * forwarded. */
5288 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
5289 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5291 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Shared dissector for the Search and Find responses: an entry count, a
 * buffer format byte, a data length and the directory entries.
 *
 * has_find_id - forwarded to dissect_search_dir_info()
 *
 * count is supplied by the sender. Entries are dissected by
 * dissect_search_dir_info(), which receives the remaining byte count bc and
 * the trunc flag; the loop around that call is not part of this listing, so
 * how count and trunc end it cannot be confirmed from here.
 */
5296 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
5297 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
5298 gboolean has_find_id)
5308 count = tvb_get_letohs(tvb, offset);
5309 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
5315 CHECK_BYTE_COUNT(1);
5316 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
5320 CHECK_BYTE_COUNT(2);
5321 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
5325 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
5326 &bc, &trunc, has_find_id);
/* Search response: delegates to dissect_search_find_response(); the
 * has_find_id argument is on a continuation line not part of this listing. */
5337 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5339 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/* Find response: delegates to dissect_search_find_response(); the
 * has_find_id argument is on a continuation line not part of this listing. */
5344 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5346 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/*
 * Dissect a Find Close response: 2 reserved bytes, a buffer format byte, a
 * 2-byte data length and, when that length is non-zero, that many bytes
 * shown as reserved.
 *
 * data_len comes from the packet; CHECK_BYTE_COUNT(data_len) is applied
 * before the bytes are added to the tree.
 */
5351 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
5352 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5361 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5367 CHECK_BYTE_COUNT(1);
5368 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* NOTE(review): this is a big-endian read (tvb_get_ntohs), whereas every
 * other 16-bit field in this part of the file is read with tvb_get_letohs.
 * If the field is little-endian like the rest, the value shown and used
 * for the length check below is byte-swapped - confirm against the spec. */
5372 CHECK_BYTE_COUNT(2);
5373 data_len = tvb_get_ntohs(tvb, offset);
5374 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
5377 if (data_len != 0) {
5378 CHECK_BYTE_COUNT(data_len);
5379 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
5381 COUNT_BYTES(data_len);
/* Display strings for the Locking AndX request: oplock level values, then
 * one set/clear string pair per bit of the lock type byte. */
5389 static const value_string locking_ol_vals[] = {
5390 {0, "Client is not holding oplock on this file"},
5391 {1, "Level 2 oplock currently held by client"},
5395 static const true_false_string tfs_lock_type_large = {
5396 "Large file locking format requested",
5397 "Large file locking format not requested"
5399 static const true_false_string tfs_lock_type_cancel = {
5400 "Cancel outstanding lock request",
5401 "Don't cancel outstanding lock request"
5403 static const true_false_string tfs_lock_type_change = {
5405 "Don't change lock type"
5407 static const true_false_string tfs_lock_type_oplock = {
5408 "This is an oplock break notification/response",
5409 "This is not an oplock break notification/response"
5411 static const true_false_string tfs_lock_type_shared = {
5412 "This is a shared lock",
5413 "This is an exclusive lock"
/*
 * Dissect an SMB Locking AndX request: the AndX header, FID, lock type,
 * oplock level, timeout, the unlock and lock counts, and then the unlock
 * and lock ranges in either the large (20-byte) or normal (10-byte) format.
 *
 * On the first pass over a frame the request's lock data is saved in
 * si->sip->extra_info (tagged SMB_EI_LOCKDATA) so the response can show it.
 *
 * All counts, offsets and lengths are supplied by the sender. Each range
 * field is preceded by CHECK_BYTE_COUNT() with the field width; the macro is
 * defined elsewhere in this file and presumably ends dissection of the
 * ranges when fewer bytes remain - confirm there.
 *
 * NOTE(review): pinfo carries the _U_ (unused) marker but is used throughout.
 */
5416 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
5418 guint8 wc, cmd=0xff, lt=0, ol=0;
5419 guint16 andxoffset=0, un=0, ln=0, bc, fid, num_lock=0, num_unlock=0;
5421 proto_item *litem = NULL;
5422 proto_tree *ltree = NULL;
5423 proto_item *it = NULL;
5424 proto_tree *tr = NULL;
5425 int old_offset = offset;
5426 smb_info_t *si = pinfo->private_data;
5427 smb_locking_saved_info_t *ld=NULL;
5430 DISSECTOR_ASSERT(si);
5434 /* next smb command */
5435 cmd = tvb_get_guint8(tvb, offset);
5437 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5439 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5444 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* sender-supplied position of the chained command; validated at the end */
5448 andxoffset = tvb_get_letohs(tvb, offset);
5449 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5453 fid = tvb_get_letohs(tvb, offset);
5454 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
5458 lt = tvb_get_guint8(tvb, offset);
5460 litem = proto_tree_add_text(tree, tvb, offset, 1,
5461 "Lock Type: 0x%02x", lt);
5462 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
5464 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
5465 tvb, offset, 1, lt);
5466 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
5467 tvb, offset, 1, lt);
5468 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
5469 tvb, offset, 1, lt);
5470 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
5471 tvb, offset, 1, lt);
5472 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
5473 tvb, offset, 1, lt);
5478 ol = tvb_get_guint8(tvb, offset);
5479 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
5483 to = tvb_get_letohl(tvb, offset);
5484 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
5487 /* number of unlocks */
5488 un = tvb_get_letohs(tvb, offset);
5490 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
5493 /* number of locks */
5494 ln = tvb_get_letohs(tvb, offset);
5496 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
/* saved once per frame (first pass only), and only when a request/response
 * record si->sip exists */
5501 /* store the locking data for the response */
5502 if((!pinfo->fd->flags.visited) && si->sip){
5503 ld=se_alloc(sizeof(smb_locking_saved_info_t));
/* NOTE(review): num_lock and num_unlock are initialised to 0 at their
 * declaration; unless a line not shown here assigns them from ln and un,
 * the saved counts are always 0 - confirm. */
5505 ld->oplock_level= ol;
5506 ld->num_lock=num_lock;
5507 ld->num_unlock=num_unlock;
/* the type tag lets the response check what extra_info points to */
5510 si->sip->extra_info_type=SMB_EI_LOCKDATA;
5511 si->sip->extra_info=ld;
5516 old_offset = offset;
5518 it = proto_tree_add_text(tree, tvb, offset, -1,
5520 tr = proto_item_add_subtree(it, ett_smb_unlocks);
5522 proto_item *litem = NULL;
5523 proto_tree *ltree = NULL;
5527 guint64 lock_offset;
5528 guint64 lock_length;
5530 /* large lock format */
5531 litem = proto_tree_add_text(tr, tvb, offset, 20,
5533 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
5536 CHECK_BYTE_COUNT(2);
5537 lock_pid=tvb_get_letohs(tvb, offset);
5538 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5541 /* 2 reserved bytes */
5542 CHECK_BYTE_COUNT(2);
5543 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* 64-bit value: high 32 bits at offset, low 32 bits at offset+4 */
5547 CHECK_BYTE_COUNT(8);
5548 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5549 | tvb_get_letohl(tvb, offset+4);
5551 proto_tree_add_uint64(ltree, hf_smb_lock_long_offset, tvb, offset, 8, val);
5555 CHECK_BYTE_COUNT(8);
5556 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5557 | tvb_get_letohl(tvb, offset+4);
5559 proto_tree_add_uint64(ltree, hf_smb_lock_long_length, tvb, offset, 8, val);
/* one se_alloc'd record per saved range, pushed on the head of ld->unlocks.
 * NOTE(review): ld is NULL on later passes and when si->sip is missing; the
 * guard for that, and the initialisation of ld->unlocks, are presumably on
 * lines not shown here - confirm. */
5562 /* remember the unlock for the reply */
5564 smb_lock_info_t *li;
5565 li=se_alloc(sizeof(smb_lock_info_t));
5566 li->next=ld->unlocks;
5569 li->offset=lock_offset;
5570 li->length=lock_length;
5573 /* normal lock format */
5574 litem = proto_tree_add_text(tr, tvb, offset, 10,
5576 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
5579 CHECK_BYTE_COUNT(2);
5580 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5584 CHECK_BYTE_COUNT(4);
5585 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
5589 CHECK_BYTE_COUNT(4);
5590 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
5594 proto_item_set_len(it, offset-old_offset);
5600 old_offset = offset;
5602 it = proto_tree_add_text(tree, tvb, offset, -1,
5604 tr = proto_item_add_subtree(it, ett_smb_locks);
5606 proto_item *litem = NULL;
5607 proto_tree *ltree = NULL;
5611 guint64 lock_offset;
5612 guint64 lock_length;
5614 /* large lock format */
5615 litem = proto_tree_add_text(tr, tvb, offset, 20,
5617 ltree = proto_item_add_subtree(litem, ett_smb_lock);
5620 CHECK_BYTE_COUNT(2);
5621 lock_pid=tvb_get_letohs(tvb, offset);
5622 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5625 /* 2 reserved bytes */
5626 CHECK_BYTE_COUNT(2);
5627 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* 64-bit value: high 32 bits at offset, low 32 bits at offset+4 */
5631 CHECK_BYTE_COUNT(8);
5632 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5633 | tvb_get_letohl(tvb, offset+4);
5635 proto_tree_add_uint64(ltree, hf_smb_lock_long_offset, tvb, offset, 8, val);
5639 CHECK_BYTE_COUNT(8);
5640 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5641 | tvb_get_letohl(tvb, offset+4);
5643 proto_tree_add_uint64(ltree, hf_smb_lock_long_length, tvb, offset, 8, val);
5646 /* remember the lock for the reply */
5648 smb_lock_info_t *li;
5649 li=se_alloc(sizeof(smb_lock_info_t));
5653 li->offset=lock_offset;
5654 li->length=lock_length;
5657 /* normal lock format */
5658 litem = proto_tree_add_text(tr, tvb, offset, 10,
5660 ltree = proto_item_add_subtree(litem, ett_smb_lock);
5663 CHECK_BYTE_COUNT(2);
5664 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5668 CHECK_BYTE_COUNT(4);
5669 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
5673 CHECK_BYTE_COUNT(4);
5674 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
5678 proto_item_set_len(it, offset-old_offset);
5686 * We ran out of byte count in the middle of dissecting
5687 * the locks or the unlocks; set the site of the item
5688 * we were dissecting.
5690 proto_item_set_len(it, offset-old_offset);
/* andxoffset comes from the packet. Rejecting a value that lies before the
 * current offset means a chained command can only point forward, so a
 * crafted AndX chain cannot send the dissector back over bytes it has
 * already parsed. No upper limit is applied in the visible code. */
5693 if (cmd != 0xff) { /* there is an andX command */
5694 if (andxoffset < offset)
5695 THROW(ReportedBoundsError);
5696 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an SMB Locking AndX response. Before the AndX header it replays,
 * as generated items with no bytes of their own (offset 0, length 0), the
 * lock type, oplock level, counts and ranges saved by the matching request.
 *
 * The saved data is used only when si->sip exists and its extra_info_type
 * is SMB_EI_LOCKDATA, so an extra_info pointer stored by a different
 * command is not read as lock data.
 *
 * NOTE(review): pinfo carries the _U_ (unused) marker but is used below.
 */
5703 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
5705 guint8 wc, cmd=0xff;
5706 guint16 andxoffset=0;
5710 si = (smb_info_t *)pinfo->private_data;
5711 DISSECTOR_ASSERT(si);
5713 /* print the lock info from the request */
5714 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_LOCKDATA) {
5715 smb_locking_saved_info_t *ld;
5716 proto_item *litem = NULL;
5717 proto_tree *ltree = NULL;
/* NOTE(review): ld is dereferenced below; a NULL check is presumably on a
 * line not shown here - confirm. */
5719 ld = si->sip->extra_info;
5723 smb_lock_info_t *li;
5725 litem = proto_tree_add_text(tree, tvb, 0, 0,
5726 "Lock Type: 0x%02x", ld->type);
5727 PROTO_ITEM_SET_GENERATED(litem);
5728 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
5730 proto_tree_add_boolean(ltree, hf_smb_lock_type_large, tvb, 0, 0, ld->type);
5731 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel, tvb, 0, 0, ld->type);
5732 proto_tree_add_boolean(ltree, hf_smb_lock_type_change, tvb, 0, 0, ld->type);
5733 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock, tvb, 0, 0, ld->type);
5734 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared, tvb, 0, 0, ld->type);
5735 proto_tree_add_uint(ltree, hf_smb_locking_ol, tvb, 0, 0, ld->oplock_level);
5736 proto_tree_add_uint(ltree, hf_smb_number_of_unlocks, tvb, 0, 0, ld->num_unlock);
5737 proto_tree_add_uint(ltree, hf_smb_number_of_locks, tvb, 0, 0, ld->num_lock);
/* the iteration over the saved ranges (li) is on lines not shown here */
5739 lit = proto_tree_add_text(ltree, tvb, 0, 0, "Locks");
5740 ltr = proto_item_add_subtree(lit, ett_smb_lock);
5743 proto_tree_add_uint(ltr, hf_smb_pid, tvb, 0, 0, li->pid);
5744 proto_tree_add_uint64(ltr, hf_smb_lock_long_offset, tvb, 0, 0, li->offset);
5745 proto_tree_add_uint64(ltr, hf_smb_lock_long_length, tvb, 0, 0, li->length);
5748 lit = proto_tree_add_text(ltree, tvb, 0, 0, "Unlocks");
5749 ltr = proto_item_add_subtree(lit, ett_smb_unlock);
5752 proto_tree_add_uint(ltr, hf_smb_pid, tvb, 0, 0, li->pid);
5753 proto_tree_add_uint64(ltr, hf_smb_lock_long_offset, tvb, 0, 0, li->offset);
5754 proto_tree_add_uint64(ltr, hf_smb_lock_long_length, tvb, 0, 0, li->length);
5763 /* next smb command */
5764 cmd = tvb_get_guint8(tvb, offset);
5766 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5768 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5773 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5777 andxoffset = tvb_get_letohs(tvb, offset);
5778 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* andxoffset comes from the packet; a value before the current offset is
 * rejected so a chained command can only point forward */
5785 if (cmd != 0xff) { /* there is an andX command */
5786 if (andxoffset < offset)
5787 THROW(ReportedBoundsError);
5788 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the "Action" word of an open response. Unlike the
 * neighbouring tables, oa_open_vals is not declared static, so it has
 * external linkage. */
5795 const value_string oa_open_vals[] = {
5796 { 0, "No action taken?"},
5797 { 1, "The file existed and was opened"},
5798 { 2, "The file did not exist but was created"},
5799 { 3, "The file existed and was truncated"},
5800 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
5801 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
5802 { 0x8003, "The file existed and was truncated, and an OpLock was granted"},
5805 static const true_false_string tfs_oa_lock = {
5806 "File is currently opened only by this user",
5807 "File is opened by another user (or mode not supported by server)"
/*
 * Dissect the 2-byte "Action" word of an open response at offset and list
 * its lock flag and open-action value in a subtree of parent_tree.
 *
 * Callers assign the return value to their running offset; the return
 * statement is not part of this listing.
 */
5810 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5816 mask = tvb_get_letohs(tvb, offset);
5819 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5820 "Action: 0x%04x", mask);
5821 tree = proto_item_add_subtree(item, ett_smb_open_action);
/* both entries are decoded from the same 16-bit word */
5823 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
5824 tvb, offset, 2, mask);
5825 proto_tree_add_uint(tree, hf_smb_open_action_open,
5826 tvb, offset, 2, mask);
/* Set/clear display strings for the bits of the open "Flags" word shown by
 * dissect_open_flags(). */
5833 static const true_false_string tfs_open_flags_add_info = {
5834 "Additional information requested",
5835 "Additional information not requested"
5837 static const true_false_string tfs_open_flags_ex_oplock = {
5838 "Exclusive oplock requested",
5839 "Exclusive oplock not requested"
5841 static const true_false_string tfs_open_flags_batch_oplock = {
5842 "Batch oplock requested",
5843 "Batch oplock not requested"
5845 static const true_false_string tfs_open_flags_ealen = {
5846 "Total length of EAs requested",
5847 "Total length of EAs not requested"
/*
 * Dissect the 2-byte open "Flags" word at offset into a subtree of
 * parent_tree.
 *
 * bm - mask supplied by the caller; presumably it selects which of the
 *      four flags are listed, as in dissect_write_mode(), but the tests on
 *      bm are on lines not part of this listing - confirm
 *
 * Callers assign the return value to their running offset.
 */
5850 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
5856 mask = tvb_get_letohs(tvb, offset);
5859 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5860 "Flags: 0x%04x", mask);
5861 tree = proto_item_add_subtree(item, ett_smb_open_flags);
5864 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
5865 tvb, offset, 2, mask);
5868 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
5869 tvb, offset, 2, mask);
5872 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
5873 tvb, offset, 2, mask);
5876 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
5877 tvb, offset, 2, mask);
/* Display strings for the file type values listed below. */
5886 static const value_string filetype_vals[] = {
5887 { 0, "Disk file or directory"},
5888 { 1, "Named pipe in byte mode"},
5889 { 2, "Named pipe in message mode"},
5890 { 3, "Spooled printer"},
/*
 * Dissect an SMB Open AndX request: the AndX header, open flags, desired
 * access, search and file attributes, creation time, open function,
 * allocation size, timeout, reserved bytes and the file name, then any
 * chained AndX command.
 *
 * The file name comes from the packet and is also appended to the Info
 * column; it goes through format_text() first rather than being printed raw.
 */
5894 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5896 guint8 wc, cmd=0xff;
5897 guint16 andxoffset=0, bc;
5899 smb_info_t *si = pinfo->private_data;
5903 DISSECTOR_ASSERT(si);
5907 /* next smb command */
5908 cmd = tvb_get_guint8(tvb, offset);
5910 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5912 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5917 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5921 andxoffset = tvb_get_letohs(tvb, offset);
5922 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5926 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
5928 /* desired access */
5929 offset = dissect_access(tvb, tree, offset, "Desired");
5931 /* Search Attributes */
5932 offset = dissect_search_attributes(tvb, tree, offset);
5934 /* File Attributes */
5935 offset = dissect_file_attributes(tvb, tree, offset, 2);
5938 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5941 offset = dissect_open_function(tvb, tree, offset);
5943 /* allocation size */
5944 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5947 /* timeout, described at http://us1.samba.org/samba/ftp/SMB-info/DOSEXTP.TXT */
5948 to = tvb_get_letohl(tvb, offset);
5949 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
5952 /* 4 reserved bytes */
5953 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* NOTE(review): strlen(fn) below requires fn to be non-NULL; a check is
 * presumably made on a line between these two statements that is not part
 * of this listing - confirm. */
5959 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5963 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5965 COUNT_BYTES(fn_len);
5967 if (check_col(pinfo->cinfo, COL_INFO)) {
5968 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
5969 format_text(fn, strlen(fn)));
/* andxoffset comes from the packet; a value before the current offset is
 * rejected so a chained command can only point forward */
5974 if (cmd != 0xff) { /* there is an andX command */
5975 if (andxoffset < offset)
5976 THROW(ReportedBoundsError);
5977 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the fields of the "IPC State" word shown by
 * dissect_ipc_state(). */
5983 static const true_false_string tfs_ipc_state_nonblocking = {
5984 "Reads/writes return immediately if no data available",
5985 "Reads/writes block if no data available"
5987 static const value_string ipc_state_endpoint_vals[] = {
5988 { 0, "Consumer end of pipe"},
5989 { 1, "Server end of pipe"},
5992 static const value_string ipc_state_pipe_type_vals[] = {
5993 { 0, "Byte stream pipe"},
5994 { 1, "Message pipe"},
5997 static const value_string ipc_state_read_mode_vals[] = {
5998 { 0, "Read pipe as a byte stream"},
5999 { 1, "Read messages from pipe"},
/*
 * Dissect the 2-byte "IPC State" word at offset into a subtree of
 * parent_tree: nonblocking flag, endpoint, pipe type, read mode and
 * instance count, all decoded from the same 16-bit value.
 *
 * The declaration of the fourth parameter is on a line not part of this
 * listing; dissect_open_andx_response() passes FALSE for it. Some of the
 * entries below may depend on that parameter - the conditions are not
 * visible here.
 */
6004 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
6011 mask = tvb_get_letohs(tvb, offset);
6014 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6015 "IPC State: 0x%04x", mask);
6016 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
6018 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
6019 tvb, offset, 2, mask);
6021 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
6022 tvb, offset, 2, mask);
6023 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
6024 tvb, offset, 2, mask);
6026 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
6027 tvb, offset, 2, mask);
6029 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
6030 tvb, offset, 2, mask);
/*
 * Dissect an SMB Open AndX response: the AndX header, FID, file attributes,
 * last write time, file size, granted access, file type, IPC state, open
 * action, server FID and reserved bytes, then any chained AndX command.
 */
6040 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6042 guint8 wc, cmd=0xff;
6043 guint16 andxoffset=0, bc;
6048 /* next smb command */
6049 cmd = tvb_get_guint8(tvb, offset);
6051 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6053 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6058 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6062 andxoffset = tvb_get_letohs(tvb, offset);
6063 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* unlike the request-side calls in this file, the first flag argument of
 * dissect_smb_fid() is TRUE here; its meaning is defined with that helper */
6067 fid = tvb_get_letohs(tvb, offset);
6068 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
6071 /* File Attributes */
6072 offset = dissect_file_attributes(tvb, tree, offset, 2);
6074 /* last write time */
6075 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
6078 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
6081 /* granted access */
6082 offset = dissect_access(tvb, tree, offset, "Granted");
6085 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
6089 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
6092 offset = dissect_open_action(tvb, tree, offset);
6095 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
6098 /* 2 reserved bytes */
6099 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* andxoffset comes from the packet; a value before the current offset is
 * rejected so a chained command can only point forward */
6106 if (cmd != 0xff) { /* there is an andX command */
6107 if (andxoffset < offset)
6108 THROW(ReportedBoundsError);
6109 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an SMB Read AndX request: the AndX header, FID, file offset, max
 * count (low 16 bits, then a 32-bit "high" field), min count, remaining and
 * high offset, then any chained AndX command.
 *
 * On the first pass over a frame the offset/length of the read is saved in
 * si->sip->extra_info (tagged SMB_EI_RWINFO) for the matching response.
 * All of these values are supplied by the sender and are only displayed or
 * stored, not validated.
 */
6116 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6118 guint8 wc, cmd=0xff;
6119 guint16 andxoffset=0, bc, maxcnt_low;
6120 guint32 maxcnt_high;
6123 smb_info_t *si= (smb_info_t *)pinfo->private_data;
6125 rw_info_t *rwi=NULL;
6128 DISSECTOR_ASSERT(si);
6132 /* next smb command */
6133 cmd = tvb_get_guint8(tvb, offset);
6135 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6137 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6142 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6146 andxoffset = tvb_get_letohs(tvb, offset);
6147 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6151 fid = tvb_get_letohs(tvb, offset);
6152 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (guint16) fid, FALSE, FALSE, FALSE);
6156 ofs = tvb_get_letohl(tvb, offset);
6157 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
6161 maxcnt_low = tvb_get_letohs(tvb, offset);
6162 proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
6166 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
6172 * XXX - we should really only do this in case we have seen
6173 * LARGE FILE being negotiated. Unfortunately, we might not
6174 * have seen the negotiation phase in the capture....
6176 * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
6177 * it's 32 bits, but the description says "High 16 bits of
6178 * MaxCount if CAP_LARGE_READX".
6180 * The SMB File Sharing Protocol Extensions Version 2.0,
6181 * Document Version 3.3 spec doesn't speak of an extra 16
6182 * bits in max count, but it does show a 32-bit timeout
6183 * after the min count field.
6185 * Perhaps the 32-bit timeout field was hijacked as a 16-bit
6186 * high count and a 16-bit reserved field.
6188 * We fetch and display it as 32 bits.
6190 * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
6191 * bytes and we just ignore it.
6193 maxcnt_high = tvb_get_letohl(tvb, offset);
6194 if(maxcnt_high==0xffffffff){
6197 proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
/* NOTE(review): maxcnt is declared and first assigned on lines not shown
 * here. If it is a 32-bit value holding maxcnt_high, the shift keeps only
 * the low 16 bits of the high field - confirm. */
6203 maxcnt=(maxcnt<<16)|maxcnt_low;
6205 if (check_col(pinfo->cinfo, COL_INFO))
6206 col_append_fstr(pinfo->cinfo, COL_INFO,
6207 ", %u byte%s at offset %u", maxcnt,
6208 (maxcnt == 1) ? "" : "s", ofs);
/* saved once per frame (first pass only); the type tag set below is what
 * later readers check before treating extra_info as an rw_info_t */
6210 /* save the offset/len for this transaction */
6211 if(si->sip && !pinfo->fd->flags.visited){
6212 rwi=se_alloc(sizeof(rw_info_t));
6217 si->sip->extra_info_type=SMB_EI_RWINFO;
6218 si->sip->extra_info=rwi;
6220 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6221 rwi=si->sip->extra_info;
/* generated items: they echo the saved values and cover no packet bytes */
6226 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6228 PROTO_ITEM_SET_GENERATED(it);
6229 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6230 PROTO_ITEM_SET_GENERATED(it);
6234 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
6239 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/* andxoffset comes from the packet; a value before the current offset is
 * rejected so a chained command can only point forward */
6247 if (cmd != 0xff) { /* there is an andX command */
6248 if (andxoffset < offset)
6249 THROW(ReportedBoundsError);
6250 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an SMB Read AndX response: the AndX header, remaining, data
 * compaction mode, reserved bytes, data length (low 16 bits, then a 32-bit
 * "high" field), data offset and the file data, which may be DCERPC on a
 * pipe; then any chained AndX command.
 *
 * State saved by the request is read from si->sip->extra_info only after
 * checking extra_info_type (SMB_EI_FID or SMB_EI_RWINFO), so the pointer is
 * interpreted according to the tag stored with it.
 */
6257 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6259 guint8 wc, cmd=0xff;
6260 guint16 andxoffset=0, bc, datalen_low, dataoffset=0;
6261 guint32 datalen=0, datalen_high;
6262 smb_info_t *si = (smb_info_t *)pinfo->private_data;
6264 rw_info_t *rwi=NULL;
6266 DISSECTOR_ASSERT(si);
6270 /* next smb command */
6271 cmd = tvb_get_guint8(tvb, offset);
6273 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6275 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6280 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6284 andxoffset = tvb_get_letohs(tvb, offset);
6285 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6288 /* If we have seen the request, then print which FID this refers to */
6289 /* first check if we have seen the request */
6290 if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type==SMB_EI_FID){
/* with the SMB_EI_FID tag, extra_info holds the FID as an integer */
6291 fid=GPOINTER_TO_INT(si->sip->extra_info);
6292 dissect_smb_fid(tvb, pinfo, tree, 0, 0, (guint16) fid, FALSE, FALSE, FALSE);
6295 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6296 rwi=si->sip->extra_info;
6301 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6303 PROTO_ITEM_SET_GENERATED(it);
6304 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6305 PROTO_ITEM_SET_GENERATED(it);
6307 /* we need the fid for the call to dcerpc below */
6312 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
6315 /* data compaction mode */
6316 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
6319 /* 2 reserved bytes */
6320 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
6324 datalen_low = tvb_get_letohs(tvb, offset);
6325 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
/* the data offset is read and displayed; the file data below is dissected
 * at the running offset */
6329 dataoffset=tvb_get_letohs(tvb, offset);
6330 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
6333 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
6334 /* data length high */
6335 datalen_high = tvb_get_letohl(tvb, offset);
6336 if(datalen_high==0xffffffff){
6339 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 4, datalen_high);
/* datalen is 32 bits wide, so the shift keeps only the low 16 bits of the
 * high field */
6343 datalen=datalen_high;
6344 datalen=(datalen<<16)|datalen_low;
6347 if (check_col(pinfo->cinfo, COL_INFO))
6348 col_append_fstr(pinfo->cinfo, COL_INFO,
6349 ", %u byte%s", datalen,
6350 (datalen == 1) ? "" : "s");
6353 /* 6 reserved bytes */
6354 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
/* NOTE(review): datalen is cast to guint16 here, so for a read of 64 KiB
 * or more the length passed on is the low 16 bits only and differs from
 * the value shown in the Info column - confirm this is intended. */
6359 /* file data, might be DCERPC on a pipe */
6361 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
6362 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
/* andxoffset comes from the packet; a value before the current offset is
 * rejected so a chained command can only point forward */
6368 if (cmd != 0xff) { /* there is an andX command */
6369 if (andxoffset < offset)
6370 THROW(ReportedBoundsError);
6371 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an SMB Write AndX request and add its fields to `tree`.
 *
 * Every value read here comes from the captured packet: the AndX command
 * and offset, the FID, the 32-bit file offset, the write mode, the two
 * 16-bit halves of the data length and the data offset.  The length is
 * assembled as (datalen_high << 16) | datalen_low.
 *
 * When WRITE_MODE_MESSAGE_START is set, the TID is recorded as TID_IPC in
 * si->ct->tid_service on the first pass over the frame; per the existing
 * comment below, later reads/writes on that TID are then treated as
 * (probably) DCERPC.  That classification is driven purely by packet
 * content.
 *
 * NOTE(review): parts of this function are not shown in this listing; the
 * notes added here cover only the visible statements.
 */
6378 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6381 guint8 wc, cmd=0xff;
6382 guint16 andxoffset=0, bc, dataoffset=0, datalen_low, datalen_high;
6384 smb_info_t *si = (smb_info_t *)pinfo->private_data;
6387 rw_info_t *rwi=NULL;
6390 DISSECTOR_ASSERT(si);
6394 /* next smb command */
6395 cmd = tvb_get_guint8(tvb, offset);
6397 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6399 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6404 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6408 andxoffset = tvb_get_letohs(tvb, offset);
6409 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6413 fid = tvb_get_letohs(tvb, offset);
6414 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (guint16) fid, FALSE, FALSE, FALSE);
6418 ofs = tvb_get_letohl(tvb, offset);
6419 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
6423 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6427 mode = tvb_get_letohs(tvb, offset);
6428 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
6431 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
6434 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
6435 /* data length high */
6436 datalen_high = tvb_get_letohs(tvb, offset);
6437 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
6441 datalen_low = tvb_get_letohs(tvb, offset);
6442 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
6445 datalen=datalen_high;
6446 datalen=(datalen<<16)|datalen_low;
6449 dataoffset=tvb_get_letohs(tvb, offset);
6450 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
6453 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
6454 if (check_col(pinfo->cinfo, COL_INFO))
6455 col_append_fstr(pinfo->cinfo, COL_INFO,
6456 ", %u byte%s at offset %u", datalen,
6457 (datalen == 1) ? "" : "s", ofs);
6459 /* save the offset/len for this transaction */
/* Only done on the first pass over the frame (flags.visited clear); the
 * record is se_alloc()ed and attached to si->sip, where the lookup just
 * below reads it back. */
6460 if(si->sip && !pinfo->fd->flags.visited){
6461 rwi=se_alloc(sizeof(rw_info_t));
6466 si->sip->extra_info_type=SMB_EI_RWINFO;
6467 si->sip->extra_info=rwi;
6469 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6470 rwi=si->sip->extra_info;
6475 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6477 PROTO_ITEM_SET_GENERATED(it);
6478 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6479 PROTO_ITEM_SET_GENERATED(it);
6485 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
6491 /* if both the MessageStart and the WriteRawNamedPipe flags are set
6492 the first two bytes of the payload is the length of the data.
6493 Assume that all WriteAndX PDUs that have MESSAGE_START set to
6494 be over the IPC$ share and thus they all transport DCERPC.
6495 (if we didnt already know that from the TreeConnect call)
6497 if(mode&WRITE_MODE_MESSAGE_START){
6498 if(mode&WRITE_MODE_RAW){
6499 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
6505 if(!pinfo->fd->flags.visited){
6506 /* In case we did not see the TreeConnect call,
6507 store this TID here as well as a IPC TID
6508 so we know that future Read/Writes to this
6509 TID is (probably) DCERPC.
6511 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
6512 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
6514 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
6517 si->sip->flags|=SMB_SIF_TID_IS_IPC;
6521 /* file data, might be DCERPC on a pipe */
/* NOTE(review): datalen is narrowed to guint16 for this call, so any bits
 * contributed by datalen_high are dropped here (assuming datalen is wider
 * than 16 bits; its declaration is not shown).  Confirm the callee is
 * meant to see only the low 16 bits. */
6523 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
6524 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
/* A chained AndX command is dissected only when its offset does not point
 * before the current position; otherwise ReportedBoundsError is thrown,
 * so a packet cannot direct the dissector back over bytes it has already
 * parsed. */
6530 if (cmd != 0xff) { /* there is an andX command */
6531 if (andxoffset < offset)
6532 THROW(ReportedBoundsError);
6533 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an SMB Write AndX response: the AndX command and offset, the
 * write count (two 16-bit halves, combined as (count << 16) | count_low)
 * and the reserved fields.  If the matching request left an SMB_EI_RWINFO
 * record on si->sip, its offset and length are shown as generated items
 * that are not backed by bytes of this packet (length 0 in the tvb).
 *
 * NOTE(review): parts of this function are not shown in this listing; the
 * notes added here cover only the visible statements.
 */
6540 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6542 guint8 wc, cmd=0xff;
6543 guint16 andxoffset=0, bc, count_low, count_high;
6545 smb_info_t *si = (smb_info_t *)pinfo->private_data;
6546 rw_info_t *rwi=NULL;
6548 DISSECTOR_ASSERT(si);
6552 /* next smb command */
6553 cmd = tvb_get_guint8(tvb, offset);
6555 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6557 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6562 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6566 andxoffset = tvb_get_letohs(tvb, offset);
6567 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* Values recorded while dissecting the request, not read from this PDU. */
6571 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6572 rwi=si->sip->extra_info;
6577 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6579 PROTO_ITEM_SET_GENERATED(it);
6580 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6581 PROTO_ITEM_SET_GENERATED(it);
6585 /* write count low */
6586 count_low = tvb_get_letohs(tvb, offset);
6587 proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
6591 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
6594 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
6595 /* write count high */
6596 count_high = tvb_get_letohs(tvb, offset);
6597 proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
6601 count=(count<<16)|count_low;
6603 if (check_col(pinfo->cinfo, COL_INFO))
6604 col_append_fstr(pinfo->cinfo, COL_INFO,
6605 ", %u byte%s", count,
6606 (count == 1) ? "" : "s");
6608 /* 2 reserved bytes */
6609 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* The chained command is followed only if its offset is not behind the
 * current position; a backward offset raises ReportedBoundsError. */
6616 if (cmd != 0xff) { /* there is an andX command */
6617 if (andxoffset < offset)
6618 THROW(ReportedBoundsError);
6619 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the guest bit of the Session Setup "Action" word:
 * the first string is shown when the bit is set, the second when clear. */
6626 static const true_false_string tfs_setup_action_guest = {
6627 "Logged in as GUEST",
6628 "Not logged in as GUEST"
/*
 * Add the 16-bit little-endian "Action" word at `offset` to parent_tree
 * as a text item with a subtree holding the guest-login boolean.
 */
6631 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6637 mask = tvb_get_letohs(tvb, offset);
6640 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6641 "Action: 0x%04x", mask);
6642 tree = proto_item_add_subtree(item, ett_smb_setup_action);
6644 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
6645 tvb, offset, 2, mask);
/*
 * Dissect an SMB Session Setup AndX request.
 *
 * The visible statements read the AndX header, the max buffer size, max
 * multiplex count, VC number and session key, the password and
 * security-blob lengths and the capabilities, then the variable-length
 * part: security blob or password bytes followed by the account, primary
 * domain, OS and LAN Manager strings.
 *
 * Points worth knowing when reading or changing this code:
 *  - pwlen, apwlen, upwlen and sbloblen are 16-bit values taken from the
 *    packet.  The three password lengths are passed to CHECK_BYTE_COUNT
 *    before the password bytes are added; the security blob is first
 *    added with a length clamped to the captured data, and sbloblen is
 *    passed to CHECK_BYTE_COUNT afterwards.
 *  - The password fields are added to the tree as the raw bytes the
 *    client sent, so a dissected capture carries that credential
 *    material.
 *  - On the first pass, a type==3 NTLMSSP header fetched from the
 *    "ntlmssp" tap has its domain and account names copied with
 *    se_strdup() into an smb_uid_t stored on si->sip.
 *
 * NOTE(review): parts of this function are not shown in this listing.  In
 * particular, whatever checks follow each get_unicode_or_ascii_string()
 * call are not visible, so whether `dn` / `an` can be NULL at the
 * strlen() calls cannot be confirmed from here.
 */
6654 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6656 guint8 wc, cmd=0xff;
6658 guint16 andxoffset=0;
6659 smb_info_t *si = pinfo->private_data;
6665 guint16 sbloblen=0, sbloblen_short;
6666 guint16 apwlen=0, upwlen=0;
6667 gboolean unicodeflag;
6668 static int ntlmssp_tap_id = 0;
6669 const ntlmssp_header_t *ntlmssph;
/* One-time setup: ntlmssp_tap_id is static, so this branch runs only
 * while it is still 0. */
6671 if(!ntlmssp_tap_id){
6672 GString *error_string;
6673 /* We dont specify any callbacks at all.
6674 * Instead we manually fetch the tapped data after the
6675 * security blob has been fully dissected and before
6676 * we exit from this dissector.
6678 error_string=register_tap_listener("ntlmssp", NULL, NULL, NULL, NULL, NULL);
6680 ntlmssp_tap_id=find_tap_id("ntlmssp");
6684 DISSECTOR_ASSERT(si);
6688 /* next smb command */
6689 cmd = tvb_get_guint8(tvb, offset);
6691 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6693 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6698 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6702 andxoffset = tvb_get_letohs(tvb, offset);
6703 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6706 /* Maximum Buffer Size */
6707 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
6710 /* Maximum Multiplex Count */
6711 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
6715 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
6719 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
6724 /* password length, ASCII*/
6725 pwlen = tvb_get_letohs(tvb, offset);
6726 proto_tree_add_uint(tree, hf_smb_password_len,
6727 tvb, offset, 2, pwlen);
6730 /* 4 reserved bytes */
6731 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6737 /* security blob length */
6738 sbloblen = tvb_get_letohs(tvb, offset);
6739 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
6742 /* 4 reserved bytes */
6743 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6747 dissect_negprot_capabilities(tvb, tree, offset);
6753 /* password length, ANSI*/
6754 apwlen = tvb_get_letohs(tvb, offset);
6755 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
6756 tvb, offset, 2, apwlen);
6759 /* password length, Unicode*/
6760 upwlen = tvb_get_letohs(tvb, offset);
6761 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
6762 tvb, offset, 2, upwlen);
6765 /* 4 reserved bytes */
6766 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6770 dissect_negprot_capabilities(tvb, tree, offset);
6779 proto_item *blob_item;
/* sbloblen_short is sbloblen clamped to the bytes actually captured; it
 * is used for the raw blob item and the sub-tvb, while the unclamped
 * sbloblen is what goes to CHECK_BYTE_COUNT and COUNT_BYTES. */
6782 /* If it runs past the end of the captured data, don't
6783 * try to put all of it into the protocol tree as the
6784 * raw security blob; we might get an exception on
6785 * short frames and then we will not see anything at all
6786 * of the security blob.
6788 sbloblen_short = sbloblen;
6789 if(sbloblen_short>tvb_length_remaining(tvb,offset)){
6790 sbloblen_short=tvb_length_remaining(tvb,offset);
6792 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
6793 tvb, offset, sbloblen_short,
6796 /* As an optimization, because Windows is perverse,
6797 we check to see if NTLMSSP is the first part of the
6798 blob, and if so, call the NTLMSSP dissector,
6799 otherwise we call the GSS-API dissector. This is because
6800 Windows can request RAW NTLMSSP, but will happily handle
6801 a client that wraps NTLMSSP in SPNEGO
6806 proto_tree *blob_tree;
6808 blob_tree = proto_item_add_subtree(blob_item,
6810 CHECK_BYTE_COUNT(sbloblen);
6813 * Set the reported length of this to the reported
6814 * length of the blob, rather than the amount of
6815 * data available from the blob, so that we'll
6816 * throw the right exception if it's too short.
6818 blob_tvb = tvb_new_subset(tvb, offset, sbloblen_short,
6821 if (si && si->ct && si->ct->raw_ntlmssp &&
6822 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
6823 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
6828 call_dissector(gssapi_handle, blob_tvb,
6832 /* If we have found a uid->acct_name mapping, store it */
6833 if(!pinfo->fd->flags.visited && si->sip){
/* Only tapped NTLMSSP headers with type==3 are used; their domain and
 * account names are duplicated into se_ memory.  The second `ntlmssph`
 * test repeats the != NULL check made on the line before it. */
6835 if((ntlmssph=fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL){
6836 if(ntlmssph && ntlmssph->type==3){
6839 smb_uid=se_alloc(sizeof(smb_uid_t));
6840 smb_uid->logged_in=-1;
6841 smb_uid->logged_out=-1;
6842 smb_uid->domain=se_strdup(ntlmssph->domain_name);
6843 smb_uid->account=se_strdup(ntlmssph->acct_name);
6845 si->sip->extra_info=smb_uid;
6846 si->sip->extra_info_type=SMB_EI_UID;
6851 COUNT_BYTES(sbloblen);
6855 * Eventhough this field should honour the unicode flag
6856 * some ms clients gets this wrong.
6857 * At least XP SP1 sends this in ASCII
6858 * even when the unicode flag is on.
6859 * Test if the first three bytes are "Win"
6860 * and if so just override the flag.
6862 unicodeflag=si->unicode;
6863 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
6866 an = get_unicode_or_ascii_string(tvb, &offset,
6867 unicodeflag, &an_len, FALSE, FALSE, &bc);
6870 proto_tree_add_string(tree, hf_smb_os, tvb,
6871 offset, an_len, an);
6872 COUNT_BYTES(an_len);
6875 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
6876 * padding/null string/whatever in front of this. W2K doesn't
6877 * appear to. I suspect that's a bug that got fixed; I also
6878 * suspect that, in practice, nobody ever looks at that field
6879 * because the bug didn't appear to get fixed until NT 5.0....
6881 * Eventhough this field should honour the unicode flag
6882 * some ms clients gets this wrong.
6883 * At least XP SP1 sends this in ASCII
6884 * even when the unicode flag is on.
6885 * Test if the first three bytes are "Win"
6886 * and if so just override the flag.
6888 unicodeflag=si->unicode;
6889 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
6892 an = get_unicode_or_ascii_string(tvb, &offset,
6893 unicodeflag, &an_len, FALSE, FALSE, &bc);
6896 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6897 offset, an_len, an);
6898 COUNT_BYTES(an_len);
6900 /* Primary domain */
6901 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
6902 * byte in front of this, at least if all the strings are
6903 * ASCII and the account name is empty. Another bug?
6905 dn = get_unicode_or_ascii_string(tvb, &offset,
6906 si->unicode, &dn_len, FALSE, FALSE, &bc);
6909 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
6910 offset, dn_len, dn);
6911 COUNT_BYTES(dn_len);
6917 /* password, ASCII */
6918 CHECK_BYTE_COUNT(pwlen);
6919 proto_tree_add_item(tree, hf_smb_password,
6920 tvb, offset, pwlen, TRUE);
6928 /* password, ANSI */
6929 CHECK_BYTE_COUNT(apwlen);
6930 proto_tree_add_item(tree, hf_smb_ansi_password,
6931 tvb, offset, apwlen, TRUE);
6932 COUNT_BYTES(apwlen);
6938 /* password, Unicode */
6939 CHECK_BYTE_COUNT(upwlen);
6940 item = proto_tree_add_item(tree, hf_smb_unicode_password,
6941 tvb, offset, upwlen, TRUE);
6944 proto_tree *subtree;
6946 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
6948 dissect_ntlmv2_response(
6949 tvb, subtree, offset, upwlen);
6952 COUNT_BYTES(upwlen);
6959 an = get_unicode_or_ascii_string(tvb, &offset,
6960 si->unicode, &an_len, FALSE, FALSE, &bc);
6963 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
6965 COUNT_BYTES(an_len);
6967 /* Primary domain */
6968 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
6969 * byte in front of this, at least if all the strings are
6970 * ASCII and the account name is empty. Another bug?
6972 dn = get_unicode_or_ascii_string(tvb, &offset,
6973 si->unicode, &dn_len, FALSE, FALSE, &bc);
6976 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
6977 offset, dn_len, dn);
6978 COUNT_BYTES(dn_len);
6980 if (check_col(pinfo->cinfo, COL_INFO)) {
6981 col_append_str(pinfo->cinfo, COL_INFO, ", User: ");
6983 if (!dn[0] && !an[0])
6984 col_append_str(pinfo->cinfo, COL_INFO,
6987 col_append_fstr(pinfo->cinfo, COL_INFO,
6989 format_text(dn, strlen(dn)),
6990 format_text(an, strlen(an)));
6994 an = get_unicode_or_ascii_string(tvb, &offset,
6995 si->unicode, &an_len, FALSE, FALSE, &bc);
6998 proto_tree_add_string(tree, hf_smb_os, tvb,
6999 offset, an_len, an);
7000 COUNT_BYTES(an_len);
7003 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
7004 * padding/null string/whatever in front of this. W2K doesn't
7005 * appear to. I suspect that's a bug that got fixed; I also
7006 * suspect that, in practice, nobody ever looks at that field
7007 * because the bug didn't appear to get fixed until NT 5.0....
7009 an = get_unicode_or_ascii_string(tvb, &offset,
7010 si->unicode, &an_len, FALSE, FALSE, &bc);
7013 proto_tree_add_string(tree, hf_smb_lanman, tvb,
7014 offset, an_len, an);
7015 COUNT_BYTES(an_len);
7020 if (cmd != 0xff) { /* there is an andX command */
/* A backward AndX offset raises ReportedBoundsError instead of being
 * followed; pinfo->private_data is reset to si before the chained
 * command is dissected. */
7021 if (andxoffset < offset)
7022 THROW(ReportedBoundsError);
7023 pinfo->private_data = si;
7024 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an SMB Session Setup AndX response.
 *
 * On the first pass over the frame, if the request left an SMB_EI_UID
 * record on si->sip, this frame's number is stored as its logged_in value
 * and the record is inserted into si->ct->uid_tree under si->uid.  The
 * rest reads the AndX header, the Action word, the security blob (handed
 * to the NTLMSSP or GSS-API dissector) and the OS, LAN Manager and, for a
 * word count of 3 or 4, primary domain strings.
 *
 * NOTE(review): parts of this function are not shown in this listing; the
 * notes added here cover only the visible statements.
 */
7031 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7033 guint8 wc, cmd=0xff;
7034 guint16 andxoffset=0, bc;
7036 smb_info_t *si = pinfo->private_data;
7040 DISSECTOR_ASSERT(si);
7044 if(!pinfo->fd->flags.visited && si->sip && si->sip->extra_info &&
7045 si->sip->extra_info_type==SMB_EI_UID){
7048 smb_uid=si->sip->extra_info;
7049 smb_uid->logged_in=pinfo->fd->num;
7050 se_tree_insert32(si->ct->uid_tree, si->uid, smb_uid);
7053 /* next smb command */
7054 cmd = tvb_get_guint8(tvb, offset);
7056 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7058 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7063 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7067 andxoffset = tvb_get_letohs(tvb, offset);
7068 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7072 offset = dissect_setup_action(tvb, tree, offset);
7075 /* security blob length */
7076 sbloblen = tvb_get_letohs(tvb, offset);
7077 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
7084 proto_item *blob_item;
/* Unlike the request dissector, which keeps a separate sbloblen_short,
 * the clamp here overwrites sbloblen itself, so the CHECK_BYTE_COUNT and
 * COUNT_BYTES calls below use the clamped value. */
7087 /* dont try to eat too much of we might get an exception on
7088 * short frames and then we will not see anything at all
7089 * of the security blob.
7091 if(sbloblen>tvb_length_remaining(tvb,offset)){
7092 sbloblen=tvb_length_remaining(tvb,offset);
7094 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
7095 tvb, offset, sbloblen, TRUE);
7099 proto_tree *blob_tree;
7101 blob_tree = proto_item_add_subtree(blob_item,
7103 CHECK_BYTE_COUNT(sbloblen);
7105 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
7108 if (si && si->ct && si->ct->raw_ntlmssp &&
7109 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
7110 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
7115 call_dissector(gssapi_handle, blob_tvb, pinfo,
7120 COUNT_BYTES(sbloblen);
7125 an = get_unicode_or_ascii_string(tvb, &offset,
7126 si->unicode, &an_len, FALSE, FALSE, &bc);
7129 proto_tree_add_string(tree, hf_smb_os, tvb,
7130 offset, an_len, an);
7131 COUNT_BYTES(an_len);
7134 an = get_unicode_or_ascii_string(tvb, &offset,
7135 si->unicode, &an_len, FALSE, FALSE, &bc);
7138 proto_tree_add_string(tree, hf_smb_lanman, tvb,
7139 offset, an_len, an);
7140 COUNT_BYTES(an_len);
7142 if((wc==3)||(wc==4)) {
7143 /* Primary domain */
7144 an = get_unicode_or_ascii_string(tvb, &offset,
7145 si->unicode, &an_len, FALSE, FALSE, &bc);
7148 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
7149 offset, an_len, an);
7150 COUNT_BYTES(an_len);
/* A backward AndX offset raises ReportedBoundsError instead of being
 * followed. */
7155 if (cmd != 0xff) { /* there is an andX command */
7156 if (andxoffset < offset)
7157 THROW(ReportedBoundsError);
7158 pinfo->private_data = si;
7159 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an AndX block that carries only the AndX header (command byte,
 * reserved byte, AndX offset) and then hand any chained command on to
 * dissect_smb_command().
 */
7167 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7169 guint8 wc, cmd=0xff;
7170 guint16 andxoffset=0;
7175 /* next smb command */
7176 cmd = tvb_get_guint8(tvb, offset);
7178 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7180 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7185 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7189 andxoffset = tvb_get_letohs(tvb, offset);
7190 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* The chained command is followed only if its offset is not behind the
 * current position; a backward offset raises ReportedBoundsError. */
7197 if (cmd != 0xff) { /* there is an andX command */
7198 if (andxoffset < offset)
7199 THROW(ReportedBoundsError);
7200 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the two "Optional Support" bits shown by
 * dissect_connect_support_bits(): first string when the bit is set,
 * second when it is clear. */
7207 static const true_false_string tfs_connect_support_search = {
7208 "Exclusive search bits supported",
7209 "Exclusive search bits not supported"
7211 static const true_false_string tfs_connect_support_in_dfs = {
7213 "Share isn't in Dfs"
/*
 * Add the 16-bit little-endian "Optional Support" word at `offset` to
 * parent_tree as a text item, with a subtree holding the search-bits and
 * in-Dfs booleans decoded from the same word.
 */
7217 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7223 mask = tvb_get_letohs(tvb, offset);
7226 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7227 "Optional Support: 0x%04x", mask);
7228 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
7230 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
7231 tvb, offset, 2, mask);
7232 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
7233 tvb, offset, 2, mask);
/* Display strings for the disconnect-TID bit of the Tree Connect AndX
 * flags word. */
7241 static const true_false_string tfs_disconnect_tid = {
7243 "Do NOT disconnect TID"
/*
 * Add the 16-bit little-endian Tree Connect "Flags" word at `offset` to
 * parent_tree as a text item, with a subtree holding the disconnect-TID
 * boolean.
 */
7247 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7253 mask = tvb_get_letohs(tvb, offset);
7256 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7257 "Flags: 0x%04x", mask);
7258 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
7260 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
7261 tvb, offset, 2, mask);
/*
 * Dissect an SMB Tree Connect AndX request: AndX header, flags, password
 * length, password bytes, the path string and the Service string.
 *
 * Points worth knowing when reading or changing this code:
 *  - pwlen is a 16-bit value from the packet; it is passed to
 *    CHECK_BYTE_COUNT before the password bytes are added to the tree as
 *    sent, so a dissected capture carries that credential material.
 *  - On the first pass the path is copied with se_strdup() and stored on
 *    si->sip as SMB_EI_TIDNAME for the response to pick up.
 *  - The path is passed through format_text() before it is appended to
 *    COL_INFO.
 *
 * NOTE(review): parts of this function are not shown in this listing; the
 * notes added here cover only the visible statements.
 */
7270 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7272 guint8 wc, cmd=0xff;
7274 guint16 andxoffset=0, pwlen=0;
7275 smb_info_t *si = pinfo->private_data;
7279 DISSECTOR_ASSERT(si);
7283 /* next smb command */
7284 cmd = tvb_get_guint8(tvb, offset);
7286 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7288 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7293 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7297 andxoffset = tvb_get_letohs(tvb, offset);
7298 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7302 offset = dissect_connect_flags(tvb, tree, offset);
7304 /* password length*/
7305 pwlen = tvb_get_letohs(tvb, offset);
7306 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
7312 CHECK_BYTE_COUNT(pwlen);
7313 proto_tree_add_item(tree, hf_smb_password,
7314 tvb, offset, pwlen, TRUE);
7318 an = get_unicode_or_ascii_string(tvb, &offset,
7319 si->unicode, &an_len, FALSE, FALSE, &bc);
7322 proto_tree_add_string(tree, hf_smb_path, tvb,
7323 offset, an_len, an);
7324 COUNT_BYTES(an_len);
7326 /* store it for the tid->name/openframe/closeframe matching in
7327 * dissect_smb_tid() called from the response.
7329 if((!pinfo->fd->flags.visited) && si->sip && an){
7330 si->sip->extra_info_type=SMB_EI_TIDNAME;
7331 si->sip->extra_info=se_strdup(an);
7334 if (check_col(pinfo->cinfo, COL_INFO)) {
7335 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
7336 format_text(an, strlen(an)));
7340 * NOTE: the Service string is always ASCII, even if the
7341 * "strings are Unicode" bit is set in the flags2 field
7346 /* XXX - what if this runs past bc? */
/* tvb_strsize() returns the string length including the terminating NUL
 * and throws if no NUL is found before the end of the tvb; the result is
 * then passed to CHECK_BYTE_COUNT before the bytes are fetched. */
7347 an_len = tvb_strsize(tvb, offset);
7348 CHECK_BYTE_COUNT(an_len);
7349 an = tvb_get_ptr(tvb, offset, an_len);
7350 proto_tree_add_string(tree, hf_smb_service, tvb,
7351 offset, an_len, an);
7352 COUNT_BYTES(an_len);
/* The chained command is followed only if its offset is not behind the
 * current position; a backward offset raises ReportedBoundsError. */
7356 if (cmd != 0xff) { /* there is an andX command */
7357 if (andxoffset < offset)
7358 THROW(ReportedBoundsError);
7359 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an SMB Tree Connect AndX response: AndX header, the optional
 * support bits, any remaining word parameters (shown as raw 16-bit
 * values), the ASCII Service string and the file-system string.
 *
 * On the first pass the Service string decides how si->tid is recorded in
 * si->ct->tid_service, which later commands on the same TID rely on.  That
 * classification is driven purely by packet content.
 *
 * NOTE(review): parts of this function are not shown in this listing; the
 * notes added here cover only the visible statements.
 */
7367 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7369 guint8 wc, wleft, cmd=0xff;
7370 guint16 andxoffset=0;
7374 smb_info_t *si = pinfo->private_data;
7376 DISSECTOR_ASSERT(si);
7380 wleft = wc; /* this is at least 1 */
7382 /* next smb command */
7383 cmd = tvb_get_guint8(tvb, offset);
7385 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7387 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7392 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7400 andxoffset = tvb_get_letohs(tvb, offset);
7401 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7408 offset = dissect_connect_support_bits(tvb, tree, offset);
7411 /* XXX - I've seen captures where this is 7, but I have no
7412 idea how to dissect it. I'm guessing the third word
7413 contains connect support bits, which looks plausible
7414 from the values I've seen. */
7416 while (wleft != 0) {
7417 proto_tree_add_text(tree, tvb, offset, 2,
7418 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
7426 * NOTE: even though the SNIA CIFS spec doesn't say there's
7427 * a "Service" string if there's a word count of 2, the
7430 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
7432 * (it's in an ugly format - text intended to be sent to a
7433 * printer, with backspaces and overstrikes used for boldfacing
7434 * and underlining; UNIX "col -b" can be used to strip the
7435 * overstrikes out) says there's a "Service" string there, and
7436 * some network traffic has it.
7440 * NOTE: the Service string is always ASCII, even if the
7441 * "strings are Unicode" bit is set in the flags2 field
7446 /* XXX - what if this runs past bc? */
/* tvb_strsize() returns the string length including the terminating NUL
 * and throws if no NUL is found before the end of the tvb, so `an` is
 * NUL-terminated by the time strcmp() is applied to it below. */
7447 an_len = tvb_strsize(tvb, offset);
7448 CHECK_BYTE_COUNT(an_len);
7449 an = tvb_get_ptr(tvb, offset, an_len);
7450 proto_tree_add_string(tree, hf_smb_service, tvb,
7451 offset, an_len, an);
7452 COUNT_BYTES(an_len);
7454 /* Now when we know the service type, store it so that we know it for later commands down
7456 if(!pinfo->fd->flags.visited){
7457 /* Remove any previous entry for this TID */
7458 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
7459 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
/* A Service string of exactly "IPC" maps the TID to TID_IPC; any other
 * value maps it to TID_NORMAL. */
7461 if(strcmp(an,"IPC") == 0){
7462 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
7464 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_NORMAL);
7472 * Sometimes this isn't present.
7476 an = get_unicode_or_ascii_string(tvb, &offset,
7477 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
7481 proto_tree_add_string(tree, hf_smb_fs, tvb,
7482 offset, an_len, an);
7483 COUNT_BYTES(an_len);
/* The chained command is followed only if its offset is not behind the
 * current position; a backward offset raises ReportedBoundsError. */
7489 if (cmd != 0xff) { /* there is an andX command */
7490 if (andxoffset < offset)
7491 THROW(ReportedBoundsError);
7492 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
7500 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7501 NT Transaction command begins here
7502 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* NT Transaction subcommand codes (1-8) and the display name for each. */
7503 #define NT_TRANS_CREATE 1
7504 #define NT_TRANS_IOCTL 2
7505 #define NT_TRANS_SSD 3
7506 #define NT_TRANS_NOTIFY 4
7507 #define NT_TRANS_RENAME 5
7508 #define NT_TRANS_QSD 6
7509 #define NT_TRANS_GET_USER_QUOTA 7
7510 #define NT_TRANS_SET_USER_QUOTA 8
7511 const value_string nt_cmd_vals[] = {
7512 {NT_TRANS_CREATE, "NT CREATE"},
7513 {NT_TRANS_IOCTL, "NT IOCTL"},
7514 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
7515 {NT_TRANS_NOTIFY, "NT NOTIFY"},
7516 {NT_TRANS_RENAME, "NT RENAME"},
7517 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
7518 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
7519 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
/* Display strings for the NT IOCTL "is FSCTL" value and for the
 * root-handle flag bit (0x01) of the NT IOCTL flags. */
7523 static const value_string nt_ioctl_isfsctl_vals[] = {
7524 {0, "Device IOCTL"},
7525 {1, "FS control : FSCTL"},
7529 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
7530 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
7531 "Apply the command to share root handle (MUST BE Dfs)",
7532 "Apply to this share",
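/* Display strings for the numeric notify action codes 1-8.  The first
 * entry's text now has its closing parenthesis, matching the others. */
7535 static const value_string nt_notify_action_vals[] = {
7536 {1, "ADDED (object was added)"},
7537 {2, "REMOVED (object was removed)"},
7538 {3, "MODIFIED (object was modified)"},
7539 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
7540 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
7541 {6, "ADDED_STREAM (a stream was added)"},
7542 {7, "REMOVED_STREAM (a stream was removed)"},
7543 {8, "MODIFIED_STREAM (a stream was modified)"},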
/* Display strings for the watch-tree value: 0 limits the watch to the
 * directory itself, 1 includes its subdirectories. */
7547 static const value_string watch_tree_vals[] = {
7548 {0, "Current directory only"},
7549 {1, "Subdirectories also"},
/* NT NOTIFY completion-filter bit masks (one bit each, 0x001 to 0x800),
 * followed by the set/clear display strings for each bit. */
7553 #define NT_NOTIFY_STREAM_WRITE 0x00000800
7554 #define NT_NOTIFY_STREAM_SIZE 0x00000400
7555 #define NT_NOTIFY_STREAM_NAME 0x00000200
7556 #define NT_NOTIFY_SECURITY 0x00000100
7557 #define NT_NOTIFY_EA 0x00000080
7558 #define NT_NOTIFY_CREATION 0x00000040
7559 #define NT_NOTIFY_LAST_ACCESS 0x00000020
7560 #define NT_NOTIFY_LAST_WRITE 0x00000010
7561 #define NT_NOTIFY_SIZE 0x00000008
7562 #define NT_NOTIFY_ATTRIBUTES 0x00000004
7563 #define NT_NOTIFY_DIR_NAME 0x00000002
7564 #define NT_NOTIFY_FILE_NAME 0x00000001
7565 static const true_false_string tfs_nt_notify_stream_write = {
7566 "Notify on changes to STREAM WRITE",
7567 "Do NOT notify on changes to stream write",
7569 static const true_false_string tfs_nt_notify_stream_size = {
7570 "Notify on changes to STREAM SIZE",
7571 "Do NOT notify on changes to stream size",
7573 static const true_false_string tfs_nt_notify_stream_name = {
7574 "Notify on changes to STREAM NAME",
7575 "Do NOT notify on changes to stream name",
7577 static const true_false_string tfs_nt_notify_security = {
7578 "Notify on changes to SECURITY",
7579 "Do NOT notify on changes to security",
7581 static const true_false_string tfs_nt_notify_ea = {
7582 "Notify on changes to EA",
7583 "Do NOT notify on changes to EA",
7585 static const true_false_string tfs_nt_notify_creation = {
7586 "Notify on changes to CREATION TIME",
7587 "Do NOT notify on changes to creation time",
7589 static const true_false_string tfs_nt_notify_last_access = {
7590 "Notify on changes to LAST ACCESS TIME",
7591 "Do NOT notify on changes to last access time",
7593 static const true_false_string tfs_nt_notify_last_write = {
7594 "Notify on changes to LAST WRITE TIME",
7595 "Do NOT notify on changes to last write time",
7597 static const true_false_string tfs_nt_notify_size = {
7598 "Notify on changes to SIZE",
7599 "Do NOT notify on changes to size",
7601 static const true_false_string tfs_nt_notify_attributes = {
7602 "Notify on changes to ATTRIBUTES",
7603 "Do NOT notify on changes to attributes",
7605 static const true_false_string tfs_nt_notify_dir_name = {
7606 "Notify on changes to DIR NAME",
7607 "Do NOT notify on changes to dir name",
7609 static const true_false_string tfs_nt_notify_file_name = {
7610 "Notify on changes to FILE NAME",
7611 "Do NOT notify on changes to file name",
/* Display strings for the create disposition (what to do when the file
 * does or does not already exist) and for the impersonation level.  Both
 * tables are non-static, so they are visible outside this file. */
7614 const value_string create_disposition_vals[] = {
7615 {0, "Supersede (supersede existing file (if it exists))"},
7616 {1, "Open (if file exists open it, else fail)"},
7617 {2, "Create (if file exists fail, else create it)"},
7618 {3, "Open If (if file exists open it, else create it)"},
7619 {4, "Overwrite (if file exists overwrite, else fail)"},
7620 {5, "Overwrite If (if file exists overwrite, else create it)"},
7624 const value_string impersonation_level_vals[] = {
7626 {1, "Identification"},
7627 {2, "Impersonation"},
/* Set/clear display strings for the NT security-flags bits (context
 * tracking, effective only) and the NT create-flags bits (oplock, batch
 * oplock, directory, extended response). */
7632 static const true_false_string tfs_nt_security_flags_context_tracking = {
7633 "Security tracking mode is DYNAMIC",
7634 "Security tracking mode is STATIC",
7637 static const true_false_string tfs_nt_security_flags_effective_only = {
7638 "ONLY ENABLED aspects of the client's security context are available",
7639 "ALL aspects of the client's security context are available",
7642 static const true_false_string tfs_nt_create_bits_oplock = {
7643 "Requesting OPLOCK",
7644 "Does NOT request oplock"
7647 static const true_false_string tfs_nt_create_bits_boplock = {
7648 "Requesting BATCH OPLOCK",
7649 "Does NOT request batch oplock"
7653 * XXX - must be a directory, and can be a file, or can be a directory,
7654 * and must be a file?
7656 static const true_false_string tfs_nt_create_bits_dir = {
7657 "Target of open MUST be a DIRECTORY",
7658 "Target of open can be a file"
7661 static const true_false_string tfs_nt_create_bits_ext_resp = {
7662 "Extended responses required",
7663 "Extended responses NOT required"
/* Set/clear display strings for individual bits of the NT access mask:
 * the generic rights, MAXIMUM ALLOWED, SYSTEM SECURITY, the standard
 * rights (synchronize, write owner, write DAC, read control, delete) and
 * the object-specific rights (attributes, delete child, execute, extended
 * attributes).  These only label the bits; the bit values themselves are
 * defined where the corresponding hf_ fields are registered. */
7666 static const true_false_string tfs_nt_access_mask_generic_read = {
7667 "GENERIC READ is set",
7668 "Generic read is NOT set"
7670 static const true_false_string tfs_nt_access_mask_generic_write = {
7671 "GENERIC WRITE is set",
7672 "Generic write is NOT set"
7674 static const true_false_string tfs_nt_access_mask_generic_execute = {
7675 "GENERIC EXECUTE is set",
7676 "Generic execute is NOT set"
7678 static const true_false_string tfs_nt_access_mask_generic_all = {
7679 "GENERIC ALL is set",
7680 "Generic all is NOT set"
7682 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
7683 "MAXIMUM ALLOWED is set",
7684 "Maximum allowed is NOT set"
7686 static const true_false_string tfs_nt_access_mask_system_security = {
7687 "SYSTEM SECURITY is set",
7688 "System security is NOT set"
7690 static const true_false_string tfs_nt_access_mask_synchronize = {
7691 "Can wait on handle to SYNCHRONIZE on completion of I/O",
7692 "Can NOT wait on handle to synchronize on completion of I/O"
7694 static const true_false_string tfs_nt_access_mask_write_owner = {
7695 "Can WRITE OWNER (take ownership)",
7696 "Can NOT write owner (take ownership)"
7698 static const true_false_string tfs_nt_access_mask_write_dac = {
7699 "OWNER may WRITE the DAC",
7700 "Owner may NOT write to the DAC"
7702 static const true_false_string tfs_nt_access_mask_read_control = {
7703 "READ ACCESS to owner, group and ACL of the SID",
7704 "Read access is NOT granted to owner, group and ACL of the SID"
7706 static const true_false_string tfs_nt_access_mask_delete = {
7710 static const true_false_string tfs_nt_access_mask_write_attributes = {
7711 "WRITE ATTRIBUTES access",
7712 "NO write attributes access"
7714 static const true_false_string tfs_nt_access_mask_read_attributes = {
7715 "READ ATTRIBUTES access",
7716 "NO read attributes access"
7718 static const true_false_string tfs_nt_access_mask_delete_child = {
7719 "DELETE CHILD access",
7720 "NO delete child access"
7722 static const true_false_string tfs_nt_access_mask_execute = {
7726 static const true_false_string tfs_nt_access_mask_write_ea = {
7727 "WRITE EXTENDED ATTRIBUTES access",
7728 "NO write extended attributes access"
7730 static const true_false_string tfs_nt_access_mask_read_ea = {
7731 "READ EXTENDED ATTRIBUTES access",
7732 "NO read extended attributes access"
7734 static const true_false_string tfs_nt_access_mask_append = {
7738 static const true_false_string tfs_nt_access_mask_write = {
7742 static const true_false_string tfs_nt_access_mask_read = {
7747 static const true_false_string tfs_nt_share_access_delete = {
7748 "Object can be shared for DELETE",
7749 "Object can NOT be shared for delete"
7751 static const true_false_string tfs_nt_share_access_write = {
7752 "Object can be shared for WRITE",
7753 "Object can NOT be shared for write"
7755 static const true_false_string tfs_nt_share_access_read = {
7756 "Object can be shared for READ",
7757 "Object can NOT be shared for read"
7760 static const value_string oplock_level_vals[] = {
7761 {0, "No oplock granted"},
7762 {1, "Exclusive oplock granted"},
7763 {2, "Batch oplock granted"},
7764 {3, "Level II oplock granted"},
7768 static const value_string device_type_vals[] = {
7769 {0x00000001, "Beep"},
7770 {0x00000002, "CDROM"},
7771 {0x00000003, "CDROM Filesystem"},
7772 {0x00000004, "Controller"},
7773 {0x00000005, "Datalink"},
7774 {0x00000006, "Dfs"},
7775 {0x00000007, "Disk"},
7776 {0x00000008, "Disk Filesystem"},
7777 {0x00000009, "Filesystem"},
7778 {0x0000000a, "Inport Port"},
7779 {0x0000000b, "Keyboard"},
7780 {0x0000000c, "Mailslot"},
7781 {0x0000000d, "MIDI-In"},
7782 {0x0000000e, "MIDI-Out"},
7783 {0x0000000f, "Mouse"},
7784 {0x00000010, "Multi UNC Provider"},
7785 {0x00000011, "Named Pipe"},
7786 {0x00000012, "Network"},
7787 {0x00000013, "Network Browser"},
7788 {0x00000014, "Network Filesystem"},
7789 {0x00000015, "NULL"},
7790 {0x00000016, "Parallel Port"},
7791 {0x00000017, "Physical card"},
7792 {0x00000018, "Printer"},
7793 {0x00000019, "Scanner"},
7794 {0x0000001a, "Serial Mouse port"},
7795 {0x0000001b, "Serial port"},
7796 {0x0000001c, "Screen"},
7797 {0x0000001d, "Sound"},
7798 {0x0000001e, "Streams"},
7799 {0x0000001f, "Tape"},
7800 {0x00000020, "Tape Filesystem"},
7801 {0x00000021, "Transport"},
7802 {0x00000022, "Unknown"},
7803 {0x00000023, "Video"},
7804 {0x00000024, "Virtual Disk"},
7805 {0x00000025, "WAVE-In"},
7806 {0x00000026, "WAVE-Out"},
7807 {0x00000027, "8042 Port"},
7808 {0x00000028, "Network Redirector"},
7809 {0x00000029, "Battery"},
7810 {0x0000002a, "Bus Extender"},
7811 {0x0000002b, "Modem"},
7812 {0x0000002c, "VDM"},
7816 static const value_string is_directory_vals[] = {
7817 {0, "This is NOT a directory"},
7818 {1, "This is a DIRECTORY"},
7822 typedef struct _nt_trans_data {
/*
 * Add the one-byte NT security flags field at `offset` to the tree: a
 * "Security Flags" text item showing the raw byte, with one boolean per flag
 * (context tracking, effective only) underneath it.
 * The byte comes straight from the captured packet via tvb_get_guint8().
 * NOTE(review): declarations, braces and the return statement are missing
 * from this listing (see the gaps in the line numbers on the left).
 */
7831 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7837 mask = tvb_get_guint8(tvb, offset);
7840 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7841 "Security Flags: 0x%02x", mask);
7842 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
/* Both booleans decode the same byte, hence the identical offset, length and mask. */
7844 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
7845 tvb, offset, 1, mask);
7846 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
7847 tvb, offset, 1, mask);
7856 * XXX - there are some more flags in the description of "ZwOpenFile()"
7857 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
7858 * the wire as well? (The spec at
7860 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
7862 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
7863 * via the SMB protocol. The NT redirector should convert this option
7864 * to FILE_WRITE_THROUGH."
7866 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
7867 * values one would infer from their position in the list of flags for
7868 * "ZwOpenFile()". Most of the others probably have those values
7869 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
7870 * which might go over the wire (for the benefit of backup/restore software).
7872 static const true_false_string tfs_nt_create_options_directory = {
7873 "File being created/opened must be a directory",
7874 "File being created/opened must not be a directory"
7876 static const true_false_string tfs_nt_create_options_write_through = {
7877 "Writes should flush buffered data before completing",
7878 "Writes need not flush buffered data before completing"
7880 static const true_false_string tfs_nt_create_options_sequential_only = {
7881 "The file will only be accessed sequentially",
7882 "The file might not only be accessed sequentially"
7884 static const true_false_string tfs_nt_create_options_no_intermediate_buffering = {
7885 "NO intermediate buffering is allowed",
7886 "Intermediate buffering is allowed"
7888 static const true_false_string tfs_nt_create_options_sync_io_alert = {
7889 "All operations SYNCHRONOUS, waits subject to termination from alert",
7890 "Operations NOT necessarily synchronous"
7892 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
7893 "All operations SYNCHRONOUS, waits not subject to alert",
7894 "Operations NOT necessarily synchronous"
7896 static const true_false_string tfs_nt_create_options_non_directory = {
7897 "File being created/opened must not be a directory",
7898 "File being created/opened must be a directory"
7900 static const true_false_string tfs_nt_create_options_create_tree_connection = {
7901 "Create Tree Connections is SET",
7902 "Create Tree Connections is NOT set"
7904 static const true_false_string tfs_nt_create_options_complete_if_oplocked = {
7905 "Complete if oplocked is SET",
7906 "Complete if oplocked is NOT set"
7908 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
7909 "The client does not understand extended attributes",
7910 "The client understands extended attributes"
7912 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
7913 "The client understands only 8.3 file names",
7914 "The client understands long file names"
7916 static const true_false_string tfs_nt_create_options_random_access = {
7917 "The file will be accessed randomly",
7918 "The file will not be accessed randomly"
7920 static const true_false_string tfs_nt_create_options_delete_on_close = {
7921 "The file should be deleted when it is closed",
7922 "The file should not be deleted when it is closed"
7924 static const true_false_string tfs_nt_create_options_open_by_fileid = {
7925 "OpenByFileID bit is SET",
7926 "OpenByFileID is NOT set"
7928 static const true_false_string tfs_nt_create_options_backup_intent = {
7929 "This is a create with BACKUP INTENT",
7930 "This is a normal create"
7932 static const true_false_string tfs_nt_create_options_no_compression = {
7933 "Open/Create with NO Compression",
7934 "Compression is allowed for Open/Create"
7936 static const true_false_string tfs_nt_create_options_reserve_opfilter = {
7937 "Reserve Opfilter is SET",
7938 "Reserve Opfilter is NOT set"
7940 static const true_false_string tfs_nt_create_options_open_reparse_point = {
7941 "Open a Reparse Point",
7944 static const true_false_string tfs_nt_create_options_open_no_recall = {
7945 "Open No Recall is SET",
7946 "Open no recall is NOT set"
7948 static const true_false_string tfs_nt_create_options_open_for_free_space_query = {
7949 "This is an OPEN FOR FREE SPACE QUERY",
7950 "This is NOT an open for free space query"
/*
 * Add the 4-byte, little-endian change-notify completion filter at `offset`
 * to the tree: a "Completion Filter" text item with the raw mask, then one
 * boolean per filter bit.  All twelve booleans are decoded from the same
 * four bytes, so every call passes the same offset, length and mask.
 */
7954 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7960 mask = tvb_get_letohl(tvb, offset);
7963 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7964 "Completion Filter: 0x%08x", mask);
7965 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
7967 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
7968 tvb, offset, 4, mask);
7969 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
7970 tvb, offset, 4, mask);
7971 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
7972 tvb, offset, 4, mask);
7973 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
7974 tvb, offset, 4, mask);
7975 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
7976 tvb, offset, 4, mask);
7977 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
7978 tvb, offset, 4, mask);
7979 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
7980 tvb, offset, 4, mask);
7981 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
7982 tvb, offset, 4, mask);
7983 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
7984 tvb, offset, 4, mask);
7985 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
7986 tvb, offset, 4, mask);
7987 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
7988 tvb, offset, 4, mask);
7989 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
7990 tvb, offset, 4, mask);
/*
 * Add the one-byte NT IOCTL flags field at `offset` to the tree, with a
 * boolean for the "root handle" flag.
 * NOTE(review): the item label below reads "Completion Filter", the same
 * text as in dissect_nt_notify_completion_filter(), although the subtree and
 * field used here are the ioctl-flags ones.  It looks like a copy/paste
 * leftover; confirm the intended label before changing the string, since an
 * analyst reading the tree will see this field under a misleading name.
 */
7998 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8004 mask = tvb_get_guint8(tvb, offset);
8007 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
8008 "Completion Filter: 0x%02x", mask);
8009 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
8011 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
8012 tvb, offset, 1, mask);
8020 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
8021 * Native API Reference".
/*
 * Strings for the four bits of the security-information mask: the first
 * string is shown when the bit is set (that part of the security descriptor
 * is being requested), the second when it is clear.
 */
8023 static const true_false_string tfs_nt_qsd_owner = {
8024 "Requesting OWNER security information",
8025 "NOT requesting owner security information",
8028 static const true_false_string tfs_nt_qsd_group = {
8029 "Requesting GROUP security information",
8030 "NOT requesting group security information",
8033 static const true_false_string tfs_nt_qsd_dacl = {
8034 "Requesting DACL security information",
8035 "NOT requesting DACL security information",
8038 static const true_false_string tfs_nt_qsd_sacl = {
8039 "Requesting SACL security information",
8040 "NOT requesting SACL security information",
/*
 * Bit values of the security-information mask, one per string pair above.
 * Presumably these are the bitmasks of the hf_smb_nt_qsd_* fields; their
 * registration is not in this part of the file.
 */
8043 #define NT_QSD_OWNER 0x00000001
8044 #define NT_QSD_GROUP 0x00000002
8045 #define NT_QSD_DACL 0x00000004
8046 #define NT_QSD_SACL 0x00000008
/*
 * Add the 4-byte, little-endian security-information mask at `offset` to the
 * tree: a "Security Information" text item with the raw mask and one boolean
 * each for the owner, group, DACL and SACL bits.
 */
8049 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8055 mask = tvb_get_letohl(tvb, offset);
8058 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
8059 "Security Information: 0x%08x", mask);
8060 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
8062 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
8063 tvb, offset, 4, mask);
8064 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
8065 tvb, offset, 4, mask);
8066 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
8067 tvb, offset, 4, mask);
8068 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
8069 tvb, offset, 4, mask);
/*
 * Dissect one user-quota record: a 4-byte value shown as the quota offset
 * (qsize), a 4-byte SID length, 8 unknown bytes, the 8-byte used,
 * soft-limit and hard-limit quota values, and finally the user's SID.
 *
 * tvb/offset: packet buffer and the position of the record in it.
 * bcp: 16-bit count of bytes still available; reduced here as the SID is
 *      consumed, and presumably by the *_TRANS_SUBR macros as well (they
 *      are defined outside this part of the file).
 *
 * NOTE(review): the listing omits some lines of this function (the line
 * numbers on the left have gaps), so any loop or guard around the final
 * "offset = old_offset+qsize" is not visible here.
 */
8078 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
8080 int old_offset, old_sid_offset;
8086 CHECK_BYTE_COUNT_TRANS_SUBR(4);
8087 qsize=tvb_get_letohl(tvb, offset);
8088 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
8089 COUNT_BYTES_TRANS_SUBR(4);
8091 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* NOTE(review): tvb_get_letohl() yields an unsigned 32-bit value but the format is %d, so very large lengths print as negative numbers. */
8093 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
8094 COUNT_BYTES_TRANS_SUBR(4);
8096 /* unknown bytes -- this comment used to say 16, but the check and the advance below are for 8; TODO confirm which is right */
8097 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8098 proto_tree_add_item(tree, hf_smb_unknown, tvb,
8100 COUNT_BYTES_TRANS_SUBR(8);
8102 /* number of bytes for used quota */
8103 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8104 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
8105 COUNT_BYTES_TRANS_SUBR(8);
8107 /* number of bytes for quota warning */
8108 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8109 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
8110 COUNT_BYTES_TRANS_SUBR(8);
8112 /* number of bytes for quota limit */
8113 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8114 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
8115 COUNT_BYTES_TRANS_SUBR(8);
8117 /* SID of the user */
8118 old_sid_offset=offset;
8119 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
/* NOTE(review): no byte-count check precedes the SID (lines 8117-8120 are contiguous), so if the SID is longer than the remaining count this unsigned 16-bit subtraction wraps around instead of going negative. */
8120 *bcp -= (offset-old_sid_offset);
/* NOTE(review): qsize is a 32-bit value taken from the packet.  Nothing visible here checks that old_offset+qsize lies beyond the fields just dissected or within the remaining byte count; a value that moves offset backwards would make a caller or enclosing loop re-read the same bytes.  Confirm forward progress is enforced. */
8123 offset = old_offset+qsize;
/*
 * Dissect the data section of an NT Transaction request.  The sub-command in
 * ntd->subcmd selects the layout: security descriptor plus extended
 * attributes for CREATE, an IOCTL payload handed to
 * dissect_smb2_ioctl_data(), a security descriptor decoded with the file or
 * directory access-mask table, or user-quota data.  Bytes left over within
 * `bc` are shown as unknown.
 *
 * bc:  number of data bytes, taken from the request header by the caller.
 * ntd: per-request values (subcmd, sd_len, ea_len) filled in while the
 *      parameter section was dissected.
 * nti: saved per-transaction info.
 *
 * NOTE(review): several lines of this function are missing from the listing
 * (gaps in the left-hand numbers), so guards such as "if(nti)" may exist
 * without being visible here.
 */
8133 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd, smb_nt_transact_info_t *nti)
8135 proto_item *item = NULL;
8136 proto_tree *tree = NULL;
8138 int old_offset = offset;
8139 guint16 bcp=bc; /* XXX fixme: bc is an int, so values above 0xffff are truncated; bcp is the byte budget later given to dissect_nt_user_quota() */
8140 struct access_mask_info *ami=NULL;
8141 tvbuff_t *ioctl_tvb;
8143 si = (smb_info_t *)pinfo->private_data;
8145 DISSECTOR_ASSERT(si);
/* Fail early if the capture does not actually hold bc bytes at offset. */
8148 tvb_ensure_bytes_exist(tvb, offset, bc);
8149 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
8151 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8152 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8155 switch(ntd->subcmd){
8156 case NT_TRANS_CREATE:
8157 /* security descriptor */
8159 offset = dissect_nt_sec_desc(
8160 tvb, offset, pinfo, tree, NULL, TRUE,
8164 /* extended attributes */
/* NOTE(review): ea_len is a 32-bit length copied from the packet by dissect_nt_trans_param_request(); no comparison with bc is visible before it is added to the signed offset -- confirm it is bounded. */
8166 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
8167 offset += ntd->ea_len;
8171 case NT_TRANS_IOCTL:
/* The sub-buffer is limited to the smaller of bc and the bytes actually captured. */
8173 ioctl_tvb=tvb_new_subset(tvb, offset, MIN((int)bc, tvb_length_remaining(tvb, offset)), bc);
/* NOTE(review): nti is dereferenced here and in the fid_type switch below.  dissect_nt_transaction_request() starts with nti=NULL and only sets it when saved request info is available; no NULL check is visible between lines 8173 and 8174 -- confirm one exists. */
8174 dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree, nti->ioctl_function, TRUE);
/* Pick the access-mask description that matches the kind of object the FID refers to. */
8182 switch(nti->fid_type){
8183 case SMB_FID_TYPE_FILE:
8184 ami= &smb_file_access_mask_info;
8186 case SMB_FID_TYPE_DIR:
8187 ami= &smb_dir_access_mask_info;
8192 offset = dissect_nt_sec_desc(
8193 tvb, offset, pinfo, tree, NULL, TRUE, bc, ami);
8195 case NT_TRANS_NOTIFY:
8197 case NT_TRANS_RENAME:
8198 /* XXX not documented */
8202 case NT_TRANS_GET_USER_QUOTA:
8203 /* unknown 4 bytes */
8204 proto_tree_add_item(tree, hf_smb_unknown, tvb,
8209 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
8212 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
8214 case NT_TRANS_SET_USER_QUOTA:
8215 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8219 /* oops, there was data we didn't know how to process: show the rest of the bc bytes as unknown */
8220 if((offset-old_offset) < bc){
8221 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
8222 bc - (offset-old_offset), TRUE);
8223 offset += bc - (offset-old_offset);
/*
 * Dissect the parameter section of an NT Transaction request according to
 * ntd->subcmd.  For CREATE this is the full create block (flags, root
 * directory FID, access mask, allocation size, attributes, share access,
 * disposition, options, the three length fields, impersonation level,
 * security flags and the file name).  Two other sub-commands carry a FID,
 * two reserved bytes and a security-information mask.
 *
 * len: size of the parameter section as given by the caller.
 * ntd: receives sd_len and ea_len for use by the data-section dissector.
 * bc:  remaining byte count, passed on to the string helper.
 * nti: saved per-transaction info; receives the FID type.
 *
 * NOTE(review): the listing omits lines of this function (offset advances,
 * braces, some guards), as the gaps in the left-hand numbers show.
 */
8230 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc, smb_nt_transact_info_t *nti)
8232 proto_item *item = NULL;
8233 proto_tree *tree = NULL;
8235 guint32 fn_len, create_flags, access_mask, file_attributes, share_access, create_options, create_disposition;
8238 si = (smb_info_t *)pinfo->private_data;
8240 DISSECTOR_ASSERT(si);
8243 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8245 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8246 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8249 switch(ntd->subcmd){
8250 case NT_TRANS_CREATE:
8252 create_flags=tvb_get_letohl(tvb, offset);
8253 offset = dissect_nt_create_bits(tvb, tree, offset, 4, create_flags);
8256 /* root directory fid */
8257 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8260 /* nt access mask */
8261 access_mask=tvb_get_letohl(tvb, offset);
8262 offset = dissect_smb_access_mask_bits(tvb, tree, offset, 4, access_mask);
8265 /* allocation size */
8266 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8269 /* Extended File Attributes */
8270 file_attributes=tvb_get_letohl(tvb, offset);
8271 offset = dissect_file_ext_attr_bits(tvb, tree, offset, 4, file_attributes);
8275 share_access=tvb_get_letohl(tvb, offset);
8276 offset = dissect_nt_share_access_bits(tvb, tree, offset, 4, share_access);
8279 /* create disposition */
8280 create_disposition=tvb_get_letohl(tvb, offset);
8281 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8284 /* create options */
8285 create_options=tvb_get_letohl(tvb, offset);
8286 offset = dissect_nt_create_options_bits(tvb, tree, offset, 4, create_options);
/* sd_len and ea_len are raw 32-bit lengths from the packet; they are stored unvalidated in ntd and consumed later by the data-section dissector. */
8290 ntd->sd_len = tvb_get_letohl(tvb, offset);
8291 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
8295 ntd->ea_len = tvb_get_letohl(tvb, offset);
8296 proto_tree_add_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ntd->ea_len);
8300 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8301 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8304 /* impersonation level */
8305 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8308 /* security flags */
8309 offset = dissect_nt_security_flags(tvb, tree, offset);
/* fn_len is the packet-supplied name length; the helper receives it by pointer together with the remaining byte count bc. */
8313 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8315 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8317 COUNT_BYTES(fn_len);
8321 case NT_TRANS_IOCTL:
8323 case NT_TRANS_SSD: {
8325 smb_fid_info_t *fid_info;
8328 fid = tvb_get_letohs(tvb, offset);
8329 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/* NOTE(review): nti may be NULL when no request info was saved, and fid_info may be NULL too; the guards around these two assignments are on lines not shown -- confirm both pointers are checked. */
8333 nti->fid_type=fid_info->type;
8335 nti->fid_type=SMB_FID_TYPE_UNKNOWN;
8339 /* 2 reserved bytes */
8340 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8343 /* security information */
8344 offset = dissect_security_information_mask(tvb, tree, offset);
8347 case NT_TRANS_NOTIFY:
8349 case NT_TRANS_RENAME:
8350 /* XXX not documented */
8352 case NT_TRANS_QSD: {
8354 smb_fid_info_t *fid_info;
8357 fid = tvb_get_letohs(tvb, offset);
8358 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/* NOTE(review): same pattern as in the NT_TRANS_SSD case -- confirm nti and fid_info are both checked before use. */
8362 nti->fid_type=fid_info->type;
8364 nti->fid_type=SMB_FID_TYPE_UNKNOWN;
8368 /* 2 reserved bytes */
8369 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8372 /* security information */
8373 offset = dissect_security_information_mask(tvb, tree, offset);
8376 case NT_TRANS_GET_USER_QUOTA:
8377 /* not decoded yet */
8379 case NT_TRANS_SET_USER_QUOTA:
8380 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transaction request according to
 * ntd->subcmd.  For IOCTL: the function code (stored in
 * nti->ioctl_function), a FID, the IsFsctl byte and the ioctl flags.  For
 * NOTIFY: the completion filter, a FID, the watch-tree byte and a reserved
 * byte.  The other sub-commands have nothing decoded in the lines shown.
 *
 * Returns old_offset+len, i.e. the position just past the setup area,
 * whatever was decoded inside it.
 */
8388 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
8390 proto_item *item = NULL;
8391 proto_tree *tree = NULL;
8392 int old_offset = offset;
8394 smb_nt_transact_info_t *nti;
8395 smb_saved_info_t *sip;
8398 si = (smb_info_t *)pinfo->private_data;
8399 DISSECTOR_ASSERT(si);
/* NOTE(review): sip is asserted non-NULL here, while dissect_nt_transaction_request() tests "sip" before using it (line 8596), which suggests it can be NULL -- confirm this assertion cannot be triggered by a capture. */
8401 DISSECTOR_ASSERT(sip);
/* NOTE(review): unlike the response dissectors, no "extra_info_type == SMB_EI_NTI" test is visible before extra_info is used as an smb_nt_transact_info_t -- confirm. */
8402 nti=sip->extra_info;
8406 tvb_ensure_bytes_exist(tvb, offset, len);
8407 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8409 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8410 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8413 switch(ntd->subcmd){
8414 case NT_TRANS_CREATE:
8416 case NT_TRANS_IOCTL: {
/* The function code is written to nti->ioctl_function, where the data-section dissectors read it back. */
8420 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &nti->ioctl_function);
8423 fid = tvb_get_letohs(tvb, offset);
8424 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
8428 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
8432 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
8438 case NT_TRANS_NOTIFY: {
8441 /* completion filter */
8442 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
8445 fid = tvb_get_letohs(tvb, offset);
8446 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
8450 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
8454 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8459 case NT_TRANS_RENAME:
8460 /* XXX not documented */
8464 case NT_TRANS_GET_USER_QUOTA:
8465 /* not decoded yet */
8467 case NT_TRANS_SET_USER_QUOTA:
8468 /* not decoded yet */
8472 return old_offset+len;
/*
 * Dissect the fixed part of an NT Transaction request (primary or
 * secondary): counts, offsets and displacements of the parameter and data
 * sections, the setup count and the sub-command.  The setup, parameter and
 * data bytes are then handed to the dissect_nt_trans_*_request() helpers.
 *
 * pc/po/dc/od (parameter/data count and offset) are 32-bit values read from
 * the packet; they determine the padding and section lengths used further
 * down, so they must be treated as untrusted.
 *
 * NOTE(review): pinfo is marked _U_ (unused) in the signature although the
 * body uses it.  The listing also omits lines of this function (gaps in the
 * left-hand numbers), including the branches that tell primary from
 * secondary requests.
 */
8477 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8480 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
8482 smb_saved_info_t *sip;
8487 smb_nt_transact_info_t *nti=NULL;
8489 ntd.subcmd = ntd.sd_len = ntd.ea_len = 0;
8491 si = (smb_info_t *)pinfo->private_data;
8492 DISSECTOR_ASSERT(si);
8498 /* primary request */
8499 /* max setup count */
8500 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
8503 /* 2 reserved bytes */
8504 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8507 /* secondary request */
8508 /* 3 reserved bytes */
8509 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8514 /* total param count */
8515 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
8518 /* total data count */
8519 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
8523 /* primary request */
8524 /* max param count */
8525 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
8528 /* max data count */
8529 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
8534 pc = tvb_get_letohl(tvb, offset);
8535 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8539 po = tvb_get_letohl(tvb, offset);
8540 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8543 /* param displacement */
8545 /* primary request*/
8548 /* secondary request */
8549 pd = tvb_get_letohl(tvb, offset);
8550 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8555 dc = tvb_get_letohl(tvb, offset);
8556 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8560 od = tvb_get_letohl(tvb, offset);
8561 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8564 /* data displacement */
8566 /* primary request */
8569 /* secondary request */
8570 dd = tvb_get_letohl(tvb, offset);
8571 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8577 /* primary request */
8578 sc = tvb_get_guint8(tvb, offset);
8579 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8582 /* secondary request */
8588 /* primary request */
8589 subcmd = tvb_get_letohs(tvb, offset);
8590 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
8591 if(check_col(pinfo->cinfo, COL_INFO)){
8592 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8593 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
8595 ntd.subcmd = subcmd;
/* Per-transaction info is only created on the first pass over the frame, and only when saved request info (sip) exists; otherwise nti stays NULL for the helpers called below. */
8596 if (!si->unidir && sip) {
8597 if(!pinfo->fd->flags.visited){
8599 * Allocate a new smb_nt_transact_info_t
/* NOTE(review): se_alloc() is used rather than se_alloc0(), and only subcmd and fid_type are set here; ioctl_function stays unset until the setup dissector writes it.  An IOCTL request that carries no setup words would leave it uninitialised for dissect_nt_trans_data_request() -- consider se_alloc0() or an explicit initial value. */
8602 nti = se_alloc(sizeof(smb_nt_transact_info_t));
8603 nti->subcmd = subcmd;
8604 nti->fid_type=SMB_FID_TYPE_UNKNOWN;
8605 sip->extra_info = nti;
8606 sip->extra_info_type = SMB_EI_NTI;
8608 if(sip->extra_info_type == SMB_EI_NTI){
8609 nti=sip->extra_info;
8614 /* secondary request */
8615 if(check_col(pinfo->cinfo, COL_INFO)){
8616 col_append_str(pinfo->cinfo, COL_INFO, " (secondary request)");
8621 /* this is a padding byte */
8624 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
8628 /* if there were any setup bytes, decode them */
/* The setup area is sc*2 bytes long, sc being the one-byte setup count read above. */
8630 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
/* po and od come from the packet; the padding and section lengths derived from them are checked against the byte count by the CHECK_BYTE_COUNT() calls visible below (the macro is defined outside this part of the file). */
8637 if(po>(guint32)offset){
8638 /* We have some initial padding bytes.
8643 CHECK_BYTE_COUNT(padcnt);
8644 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8645 COUNT_BYTES(padcnt);
8648 CHECK_BYTE_COUNT(pc);
8649 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc, nti);
8654 if(od>(guint32)offset){
8655 /* We have some initial padding bytes.
8660 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8661 COUNT_BYTES(padcnt);
8664 CHECK_BYTE_COUNT(dc);
8665 dissect_nt_trans_data_request(
8666 tvb, pinfo, offset, tree, dc, &ntd, nti);
/*
 * Dissect the data section of an NT Transaction response.  The layout is
 * chosen from nti->subcmd, i.e. from what was remembered about the matching
 * request: an IOCTL payload, a security descriptor decoded with the file or
 * directory access-mask table, or user-quota data.
 *
 * len: size of the data section as given by the caller.
 * ntd: unused here (marked _U_).
 * nti: saved info from the request, or NULL if the request was not seen.
 *
 * NOTE(review): the listing omits lines of this function.  Two different
 * header items are visible, one of them for "matching request not seen", so
 * nti can be NULL on entry; the guard that must precede "switch(nti->subcmd)"
 * is not among the lines shown -- confirm it is there.
 */
8678 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
8679 int offset, proto_tree *parent_tree, int len,
8680 nt_trans_data *ntd _U_,
8681 smb_nt_transact_info_t *nti)
8683 proto_item *item = NULL;
8684 proto_tree *tree = NULL;
8687 struct access_mask_info *ami=NULL;
8688 tvbuff_t *ioctl_tvb;
8690 si = (smb_info_t *)pinfo->private_data;
8691 DISSECTOR_ASSERT(si);
8694 tvb_ensure_bytes_exist(tvb, offset, len);
8696 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8698 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8701 * We never saw the request to which this is a
8704 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8705 "Unknown NT Transaction Data (matching request not seen)");
8707 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8714 switch(nti->subcmd){
8715 case NT_TRANS_CREATE:
8717 case NT_TRANS_IOCTL:
/* The sub-buffer is limited to the smaller of len and the bytes actually captured. */
8719 ioctl_tvb=tvb_new_subset(tvb, offset, MIN((int)len, tvb_length_remaining(tvb, offset)), len);
8720 dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree, nti->ioctl_function, FALSE);
8727 case NT_TRANS_NOTIFY:
8729 case NT_TRANS_RENAME:
8730 /* XXX not documented */
/* Pick the access-mask description that matches the FID type remembered from the request. */
8734 switch(nti->fid_type){
8735 case SMB_FID_TYPE_FILE:
8736 ami= &smb_file_access_mask_info;
8738 case SMB_FID_TYPE_DIR:
8739 ami= &smb_dir_access_mask_info;
8743 offset = dissect_nt_sec_desc(
8744 tvb, offset, pinfo, tree, NULL, TRUE, len, ami);
8746 case NT_TRANS_GET_USER_QUOTA:
/* NOTE(review): dissect_nt_user_quota() takes a guint16 byte count; bcp is set on a line not shown, presumably from the int len -- confirm it is not truncated. */
8748 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8750 case NT_TRANS_SET_USER_QUOTA:
8751 /* not decoded yet */
/*
 * Dissect the parameter section of an NT Transaction response, using the
 * sub-command remembered from the matching request (nti->subcmd).
 *   CREATE: oplock level, FID, create action, EA error offset, the four
 *           timestamps, attributes, sizes, file type, IPC state and the
 *           is-directory byte; the FID's type is recorded for later
 *           security-descriptor dissection.
 *   NOTIFY: a chain of change records, each with a next-entry offset, an
 *           action, a name length and a name.
 *   Others: a security-descriptor length or a quota-data size.
 *
 * len: size of the parameter section as given by the caller.
 * ntd: unused here (marked _U_).
 * bc:  remaining byte count, passed on to the string helper.
 *
 * NOTE(review): nti is declared without an initialiser and only the "if"
 * half of its assignment is visible; fid_info starts as NULL and is written
 * through in the CREATE case.  The else branch and the NULL guards are on
 * lines this listing does not show -- confirm they exist.
 */
8759 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
8760 int offset, proto_tree *parent_tree,
8761 int len, nt_trans_data *ntd _U_, guint16 bc)
8763 proto_item *item = NULL;
8764 proto_tree *tree = NULL;
8768 smb_nt_transact_info_t *nti;
8773 smb_fid_info_t *fid_info=NULL;
8777 si = (smb_info_t *)pinfo->private_data;
8778 DISSECTOR_ASSERT(si);
/* Saved info is only trusted when it is tagged as NT-transaction info. */
8780 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
8781 nti = si->sip->extra_info;
8786 tvb_ensure_bytes_exist(tvb, offset, len);
8788 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8790 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8793 * We never saw the request to which this is a
8796 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8797 "Unknown NT Transaction Parameters (matching request not seen)");
8799 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8806 switch(nti->subcmd){
8807 case NT_TRANS_CREATE:
8809 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8813 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8817 fid = tvb_get_letohs(tvb, offset);
8818 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
8822 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8825 /* ea error offset */
8826 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
8830 offset = dissect_nt_64bit_time(tvb, tree, offset,
8831 hf_smb_create_time);
8834 offset = dissect_nt_64bit_time(tvb, tree, offset,
8835 hf_smb_access_time);
8837 /* last write time */
8838 offset = dissect_nt_64bit_time(tvb, tree, offset,
8839 hf_smb_last_write_time);
8841 /* last change time */
8842 offset = dissect_nt_64bit_time(tvb, tree, offset,
8843 hf_smb_change_time);
8845 /* Extended File Attributes */
8846 offset = dissect_file_ext_attr(tvb, tree, offset);
8848 /* allocation size */
8849 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8853 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8857 ftype=tvb_get_letohs(tvb, offset);
8858 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8862 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8865 isdir=tvb_get_guint8(tvb, offset);
8866 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8869 /* Try to remember the type of this fid so that we can dissect
8870 * any future security descriptor (access mask) properly
8875 fid_info->type=SMB_FID_TYPE_FILE;
8879 fid_info->type=SMB_FID_TYPE_DIR;
8885 fid_info->type=SMB_FID_TYPE_PIPE;
8889 case NT_TRANS_IOCTL:
8893 case NT_TRANS_NOTIFY:
8895 old_offset = offset;
8897 /* next entry offset */
8898 neo = tvb_get_letohl(tvb, offset);
8899 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
8902 /* broken implementations */
8906 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
8909 /* broken implementations */
8913 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8914 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8917 /* broken implementations */
8921 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8924 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8926 COUNT_BYTES(fn_len);
8928 /* broken implementations */
8932 break; /* no more structures */
8934 /* skip to next structure */
/* NOTE(review): neo is packet-controlled.  If it is smaller than the bytes already consumed for this record, padcnt is negative; the XXX remark below acknowledges that case, but how it is handled is on lines not shown.  Confirm that a negative or zero step cannot stall or rewind the record walk. */
8935 padcnt = (old_offset + neo) - offset;
8938 * XXX - this is bogus; flag it?
8943 COUNT_BYTES(padcnt);
8945 /* broken implementations */
8950 case NT_TRANS_RENAME:
8951 /* XXX not documented */
8955 * This appears to be the size of the security
8956 * descriptor; the calling sequence of
8957 * "ZwQuerySecurityObject()" suggests that it would
8958 * be. The actual security descriptor wouldn't
8959 * follow if the max data count in the request
8960 * was smaller; this lets the client know how
8961 * big a buffer it needs to provide.
8963 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
8966 case NT_TRANS_GET_USER_QUOTA:
8967 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
8968 tvb_get_letohl(tvb, offset));
8971 case NT_TRANS_SET_USER_QUOTA:
8972 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transaction response.  A header item is
 * added for the setup area (named after the remembered sub-command, or
 * "matching request not seen"), and the sub-command switch follows; none of
 * its cases decodes any field in the lines shown.
 *
 * len: size of the setup area as given by the caller.
 * ntd: unused here (marked _U_).
 *
 * NOTE(review): nti is declared without an initialiser and only the "if"
 * half of its assignment is visible.  The else branch and the NULL guard
 * before "switch(nti->subcmd)" are on lines this listing does not show --
 * confirm they exist.
 */
8980 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
8981 int offset, proto_tree *parent_tree,
8982 int len, nt_trans_data *ntd _U_)
8984 proto_item *item = NULL;
8985 proto_tree *tree = NULL;
8987 smb_nt_transact_info_t *nti;
8989 si = (smb_info_t *)pinfo->private_data;
8990 DISSECTOR_ASSERT(si);
/* Saved info is only trusted when it is tagged as NT-transaction info. */
8992 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
8993 nti = si->sip->extra_info;
8998 tvb_ensure_bytes_exist(tvb, offset, len);
9000 item = proto_tree_add_text(parent_tree, tvb, offset, len,
9002 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
9005 * We never saw the request to which this is a
9008 item = proto_tree_add_text(parent_tree, tvb, offset, len,
9009 "Unknown NT Transaction Setup (matching request not seen)");
9011 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
9018 switch(nti->subcmd){
9019 case NT_TRANS_CREATE:
9021 case NT_TRANS_IOCTL:
9025 case NT_TRANS_NOTIFY:
9027 case NT_TRANS_RENAME:
9028 /* XXX not documented */
9032 case NT_TRANS_GET_USER_QUOTA:
9033 /* not decoded yet */
9035 case NT_TRANS_SET_USER_QUOTA:
9036 /* not decoded yet */
/*
 * Dissect an NT Transaction response.
 *
 * Reads the header fields from the packet (total parameter and data
 * counts, the parameter and data counts, offsets and displacements of
 * this packet, and the one-byte setup count), adds them to the tree and
 * dissects the setup words.  It then either reassembles the parameter and
 * data blocks across packets (when smb_trans_reassembly is set and the
 * totals differ from this packet's counts) or dissects what this packet
 * carries.  pinfo->fragmented is saved before the reassembly section and
 * restored at the end.
 *
 * All counts, offsets and displacements come from the wire and must be
 * treated as untrusted.
 *
 * NOTE(review): the listing omits lines (return type, braces, some
 * declarations and the offset and byte-count bookkeeping), so the control
 * flow between the visible statements is only partly visible.
 */
9044 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9047 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
9050 smb_nt_transact_info_t *nti=NULL;
/*
 * Static storage: the same ntd object is passed to the sub-dissectors on
 * every call, so whatever they leave in it persists between packets.
 * NOTE(review): not reentrant; confirm nothing reads a value left over
 * from an earlier packet.
 */
9051 static nt_trans_data ntd;
9054 fragment_data *r_fd = NULL;
9055 tvbuff_t *pd_tvb=NULL;
9056 gboolean save_fragmented;
9058 si = (smb_info_t *)pinfo->private_data;
9059 DISSECTOR_ASSERT(si);
9061 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
9062 nti = si->sip->extra_info;
9066 /* primary request */
9068 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
9069 if(check_col(pinfo->cinfo, COL_INFO)){
9070 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
9071 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
9074 proto_tree_add_text(tree, tvb, offset, 0,
9075 "Function: <unknown function - could not find matching request>");
9076 if(check_col(pinfo->cinfo, COL_INFO)){
9077 col_append_str(pinfo->cinfo, COL_INFO, ", <unknown>");
9083 /* 3 reserved bytes */
9084 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
/*
 * The counts, offsets and displacements below are read from the packet as
 * 32-bit little-endian values; no range check on them is visible between
 * the reads.
 */
9087 /* total param count */
9088 tp = tvb_get_letohl(tvb, offset);
9089 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
9092 /* total data count */
9093 td = tvb_get_letohl(tvb, offset);
9094 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
9098 pc = tvb_get_letohl(tvb, offset);
9099 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
9103 po = tvb_get_letohl(tvb, offset);
9104 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
9107 /* param displacement */
9108 pd = tvb_get_letohl(tvb, offset);
9109 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
9113 dc = tvb_get_letohl(tvb, offset);
9114 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
9118 od = tvb_get_letohl(tvb, offset);
9119 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
9122 /* data displacement */
9123 dd = tvb_get_letohl(tvb, offset);
9124 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
9128 sc = tvb_get_guint8(tvb, offset);
9129 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
/* sc is a single byte read from the packet, so sc*2 is at most 510. */
9134 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
9140 /* reassembly of SMB NT Transaction data payload.
9141 In this section we do reassembly of both the data and parameters
9142 blocks of the SMB transaction command.
9144 save_fragmented = pinfo->fragmented;
9145 /* do we need reassembly? */
9146 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
9147 /* oh yeah, either data or parameter section needs
9150 pinfo->fragmented = TRUE;
9151 if(smb_trans_reassembly){
9152 /* ...and we were told to do reassembly */
/*
 * A block is handed to smb_trans_defragment() only when its count is
 * non-zero and tvb_length_remaining() at the claimed offset, cast to
 * unsigned, is at least the claimed count.
 * NOTE(review): if tvb_length_remaining() can return a negative value for
 * an offset outside the buffer, the unsigned cast turns it into a very
 * large number and this test passes; confirm smb_trans_defragment() does
 * its own bounds checking on po/pc and od/dc.
 * NOTE(review): dd+tp and td+tp add two packet-supplied values; if tp and
 * td are 32-bit unsigned the sums wrap silently.  Confirm the reassembly
 * code tolerates totals and displacements that are inconsistent.
 */
9153 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
9154 r_fd = smb_trans_defragment(tree, pinfo, tvb,
9158 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
9159 r_fd = smb_trans_defragment(tree, pinfo, tvb,
9160 od, dc, dd+tp, td+tp);
9165 /* if we got a reassembled fd structure from the reassembly routine we
9166 must create pd_tvb from it
9169 proto_item *frag_tree_item;
9171 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
9173 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
9174 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
9176 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
9181 /* we have reassembled data, grab param and data from there */
/*
 * In the reassembled buffer the parameters start at offset 0 and the data
 * block at offset tp.  The buffer length is narrowed to guint16 for the
 * parameter dissector, so a reassembled buffer longer than 65535 bytes is
 * passed on with a truncated byte count.
 * NOTE(review): confirm the callees bound tp and td against the actual
 * length of pd_tvb.
 */
9182 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
9183 &ntd, (guint16) tvb_length(pd_tvb));
9184 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd, nti);
9186 /* we do not have reassembled data, just use what we have in the
9187 packet as well as we can */
/*
 * po and od are packet-supplied offsets.  Padding is only accounted for
 * when the offset lies beyond the current position; the computation of
 * padcnt is not shown in this listing.
 */
9189 if(po>(guint32)offset){
9190 /* We have some initial padding bytes.
9195 CHECK_BYTE_COUNT(padcnt);
9196 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
9197 COUNT_BYTES(padcnt);
9200 CHECK_BYTE_COUNT(pc);
9201 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
9206 if(od>(guint32)offset){
9207 /* We have some initial padding bytes.
9212 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
9213 COUNT_BYTES(padcnt);
9216 CHECK_BYTE_COUNT(dc);
9217 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd, nti);
9221 pinfo->fragmented = save_fragmented;
9228 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9229 NT Transaction command ends here
9230 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Value/name pairs for the print mode field.  Only part of the table is
 * visible in this listing.
 */
9232 static const value_string print_mode_vals[] = {
9234 {1, "Graphics Mode"},
/*
 * Dissect an Open Print File request.
 *
 * Adds the setup length and print mode (2 bytes each), then a one-byte
 * buffer format and the print identifier string.  The string is decoded
 * as Unicode or ASCII according to si->unicode.
 *
 * NOTE(review): the string helper is given &bc so it can see the
 * remaining byte count; the check of its return value is not visible in
 * this listing.  Confirm fn is validated before proto_tree_add_string().
 */
9239 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9241 smb_info_t *si = pinfo->private_data;
9247 DISSECTOR_ASSERT(si);
9252 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
9256 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
9262 CHECK_BYTE_COUNT(1);
9263 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9266 /* print identifier */
9267 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
9270 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
9272 COUNT_BYTES(fn_len);
/*
 * Dissect a Write Print File request: the 16-bit FID, a one-byte buffer
 * format, a 16-bit data length and the file data itself.
 *
 * cnt is the data length claimed by the packet and is passed to
 * dissect_file_data() twice.
 * NOTE(review): no CHECK_BYTE_COUNT(cnt) is visible before that call;
 * confirm dissect_file_data() bounds the length against the bytes that
 * actually remain.
 */
9281 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9290 fid = tvb_get_letohs(tvb, offset);
9291 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
9297 CHECK_BYTE_COUNT(1);
9298 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9302 CHECK_BYTE_COUNT(2);
9303 cnt = tvb_get_letohs(tvb, offset);
9304 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
9308 offset = dissect_file_data(tvb, tree, offset, (guint16) cnt, (guint16) cnt);
/*
 * Value/name pairs for the status byte of a print queue entry.  Not every
 * entry of the table is visible in this listing.
 */
9316 static const value_string print_status_vals[] = {
9317 {1, "Held or Stopped"},
9319 {3, "Awaiting print"},
9320 {4, "In intercept"},
9321 {5, "File had error"},
9322 {6, "Printer error"},
/*
 * Dissect a Get Print Queue request: a 2-byte maximum count followed by a
 * 2-byte start index.  Both are added to the tree as-is.
 */
9327 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9335 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
9339 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
/*
 * Dissect one print queue entry.
 *
 * The entry is shown as a 28-byte item holding: date/time (4 bytes),
 * status (1), spool file number (2), spool file size (4), one reserved
 * byte and the spool file name.  Each field is preceded by
 * CHECK_BYTE_COUNT_SUBR(n) and followed by COUNT_BYTES_SUBR(n); those
 * macros are defined elsewhere and presumably work on *bcp and *trunc.
 *
 * bcp   - in/out: remaining byte count, also handed to the string helper.
 * trunc - out: not referenced directly in the visible lines.
 */
9350 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
9351 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
9353 proto_item *item = NULL;
9354 proto_tree *tree = NULL;
9355 smb_info_t *si = pinfo->private_data;
9359 DISSECTOR_ASSERT(si);
9362 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
9364 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
9368 CHECK_BYTE_COUNT_SUBR(4);
9369 offset = dissect_smb_datetime(tvb, tree, offset,
9370 hf_smb_print_queue_date,
9371 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
9375 CHECK_BYTE_COUNT_SUBR(1);
9376 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
9377 COUNT_BYTES_SUBR(1);
9379 /* spool file number */
9380 CHECK_BYTE_COUNT_SUBR(2);
9381 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
9382 COUNT_BYTES_SUBR(2);
9384 /* spool file size */
9385 CHECK_BYTE_COUNT_SUBR(4);
9386 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
9387 COUNT_BYTES_SUBR(4);
9390 CHECK_BYTE_COUNT_SUBR(1);
9391 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9392 COUNT_BYTES_SUBR(1);
/*
 * The name is highlighted with a fixed length of 16 while the offset is
 * advanced by fn_len.
 * NOTE(review): the assignment to fn_len before this call is not visible
 * in this listing; confirm the two lengths agree.
 */
9396 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
9397 CHECK_STRING_SUBR(fn);
9398 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
9400 COUNT_BYTES_SUBR(fn_len);
/*
 * Dissect a Get Print Queue response: a 16-bit entry count and restart
 * index, then a buffer format byte, a 16-bit data length and the queue
 * entries themselves.
 *
 * cnt and len are both read from the packet.
 * NOTE(review): the loop around dissect_print_queue_element() is not
 * shown in this listing; confirm it stops on the remaining byte count or
 * the truncation flag and not only on the packet-supplied cnt or len.
 */
9407 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9417 cnt = tvb_get_letohs(tvb, offset);
9418 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
9422 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
9428 CHECK_BYTE_COUNT(1);
9429 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9433 CHECK_BYTE_COUNT(2);
9434 len = tvb_get_letohs(tvb, offset);
9435 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
9438 /* queue elements */
9440 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
/*
 * Dissect a Send Single Block Message request: originator name,
 * destination name and the message text, each introduced by a one-byte
 * buffer format.  The message is preceded by a 16-bit length.
 *
 * The two names are measured with tvb_strsize(), which looks for the
 * terminating NUL in the tvb rather than within the declared byte count;
 * the CHECK_BYTE_COUNT(name_len) that follows is what ties the result to
 * bc.  message_len comes from the packet and is likewise checked against
 * bc before the message item is added.
 */
9453 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9458 guint16 message_len;
9465 CHECK_BYTE_COUNT(1);
9466 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9469 /* originator name */
9470 /* XXX - what if this runs past bc? */
9471 name_len = tvb_strsize(tvb, offset);
9472 CHECK_BYTE_COUNT(name_len);
9473 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9475 COUNT_BYTES(name_len);
9478 CHECK_BYTE_COUNT(1);
9479 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9482 /* destination name */
9483 /* XXX - what if this runs past bc? */
9484 name_len = tvb_strsize(tvb, offset);
9485 CHECK_BYTE_COUNT(name_len);
9486 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9488 COUNT_BYTES(name_len);
9491 CHECK_BYTE_COUNT(1);
9492 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9496 CHECK_BYTE_COUNT(2);
9497 message_len = tvb_get_letohs(tvb, offset);
9498 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9503 CHECK_BYTE_COUNT(message_len);
9504 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9506 COUNT_BYTES(message_len);
/*
 * Dissect a Send Multi Block Message Start request: originator name and
 * destination name, each introduced by a one-byte buffer format.
 *
 * Each name is measured with tvb_strsize(), which looks for the
 * terminating NUL in the tvb rather than within the declared byte count;
 * the CHECK_BYTE_COUNT(name_len) that follows is what ties the result to
 * bc before the item is added.
 */
9514 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9525 CHECK_BYTE_COUNT(1);
9526 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9529 /* originator name */
9530 /* XXX - what if this runs past bc? */
9531 name_len = tvb_strsize(tvb, offset);
9532 CHECK_BYTE_COUNT(name_len);
9533 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9535 COUNT_BYTES(name_len);
9538 CHECK_BYTE_COUNT(1);
9539 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9542 /* destination name */
9543 /* XXX - what if this runs past bc? */
9544 name_len = tvb_strsize(tvb, offset);
9545 CHECK_BYTE_COUNT(name_len);
9546 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9548 COUNT_BYTES(name_len);
/*
 * Dissect a message group ID: a single 2-byte field added to the tree
 * as-is.
 */
9556 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9563 /* message group ID */
9564 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
/*
 * Dissect a Send Multi Block Message Text request: a one-byte buffer
 * format, a 16-bit message length and the message bytes.
 *
 * message_len comes from the packet; CHECK_BYTE_COUNT(message_len) runs
 * before the message item is added, so the claimed length is compared
 * with the remaining byte count first.
 */
9575 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9579 guint16 message_len;
9586 CHECK_BYTE_COUNT(1);
9587 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9591 CHECK_BYTE_COUNT(2);
9592 message_len = tvb_get_letohs(tvb, offset);
9593 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9598 CHECK_BYTE_COUNT(message_len);
9599 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9601 COUNT_BYTES(message_len);
/*
 * Dissect a forwarded name: a one-byte buffer format followed by a
 * NUL-terminated name.
 *
 * The name is measured with tvb_strsize(), which looks for the
 * terminating NUL in the tvb rather than within the declared byte count;
 * the CHECK_BYTE_COUNT(name_len) that follows is what ties the result to
 * bc before the item is added.
 */
9609 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9620 CHECK_BYTE_COUNT(1);
9621 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9624 /* forwarded name */
9625 /* XXX - what if this runs past bc? */
9626 name_len = tvb_strsize(tvb, offset);
9627 CHECK_BYTE_COUNT(name_len);
9628 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
9630 COUNT_BYTES(name_len);
/*
 * Dissect a Get Machine Name response: a one-byte buffer format followed
 * by a NUL-terminated machine name.
 *
 * The name is measured with tvb_strsize(), which looks for the
 * terminating NUL in the tvb rather than within the declared byte count;
 * the CHECK_BYTE_COUNT(name_len) that follows is what ties the result to
 * bc before the item is added.
 */
9638 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9649 CHECK_BYTE_COUNT(1);
9650 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9654 /* XXX - what if this runs past bc? */
9655 name_len = tvb_strsize(tvb, offset);
9656 CHECK_BYTE_COUNT(name_len);
9657 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
9659 COUNT_BYTES(name_len);
/*
 * Dissect an NT Create AndX request.
 *
 * Word parameters, in order: AndX command, reserved byte, AndX offset,
 * reserved byte, file name length, create flags, root directory FID,
 * access mask, allocation size, extended file attributes, share access,
 * create disposition, create options, impersonation level and security
 * flags.  The file name follows in the byte-count area.  On the first
 * pass over a frame the name and the create parameters are saved on
 * si->sip so the response can be matched to them.  If an AndX command is
 * chained (cmd != 0xff) it is dissected at andxoffset.
 *
 * NOTE(review): the listing omits lines (return type, braces, the word
 * and byte count handling and some checks), so the control flow between
 * the visible statements is only partly visible.
 */
9668 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9670 guint8 wc, cmd=0xff;
9671 guint16 andxoffset=0;
9673 smb_info_t *si = pinfo->private_data;
9676 guint32 create_flags=0, access_mask=0, file_attributes=0, share_access=0, create_options=0, create_disposition=0;
9678 DISSECTOR_ASSERT(si);
9682 /* next smb command */
9683 cmd = tvb_get_guint8(tvb, offset);
9685 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9687 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9692 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9696 andxoffset = tvb_get_letohs(tvb, offset);
9697 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9701 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9705 fn_len = tvb_get_letohs(tvb, offset);
9706 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
9710 create_flags=tvb_get_letohl(tvb, offset);
9711 offset = dissect_nt_create_bits(tvb, tree, offset, 4, create_flags);
9713 /* root directory fid */
9714 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
9717 /* nt access mask */
9718 access_mask=tvb_get_letohl(tvb, offset);
9719 offset = dissect_smb_access_mask_bits(tvb, tree, offset, 4, access_mask);
9721 /* allocation size */
9722 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9725 /* Extended File Attributes */
9726 file_attributes=tvb_get_letohl(tvb, offset);
9727 offset = dissect_file_ext_attr_bits(tvb, tree, offset, 4, file_attributes);
9730 share_access=tvb_get_letohl(tvb, offset);
9731 offset = dissect_nt_share_access_bits(tvb, tree, offset, 4, share_access);
9733 /* create disposition */
9734 create_disposition=tvb_get_letohl(tvb, offset);
9735 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
9738 /* create options */
9739 create_options=tvb_get_letohl(tvb, offset);
9740 offset = dissect_nt_create_options_bits(tvb, tree, offset, 4, create_options);
9742 /* impersonation level */
9743 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
9746 /* security flags */
9747 offset = dissect_nt_security_flags(tvb, tree, offset);
/*
 * fn_len was read from the packet above and is passed by pointer together
 * with the remaining byte count, so the helper sees both the claimed name
 * length and the space left.
 * NOTE(review): fn is later handed to se_strdup() and strlen(); the NULL
 * check after this call is not visible in this listing, confirm it
 * exists.  The saved state is allocated once per request on the first
 * pass, so its volume follows the traffic being dissected.
 */
9752 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9755 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9757 COUNT_BYTES(fn_len);
9759 /* store it for the fid->name/openframe/closeframe matching in
9760 * dissect_smb_fid() called from the response.
9762 if((!pinfo->fd->flags.visited) && si->sip && fn){
9763 smb_fid_saved_info_t *fsi;
9765 fsi=se_alloc(sizeof(smb_fid_saved_info_t));
9766 fsi->filename=se_strdup(fn);
9767 fsi->create_flags=create_flags;
9768 fsi->access_mask=access_mask;
9769 fsi->file_attributes=file_attributes;
9770 fsi->share_access=share_access;
9771 fsi->create_options=create_options;
9772 fsi->create_disposition=create_disposition;
9774 si->sip->extra_info_type=SMB_EI_FILEDATA;
9775 si->sip->extra_info=fsi;
9778 if (check_col(pinfo->cinfo, COL_INFO)) {
9779 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9780 format_text(fn, strlen(fn)));
9785 if (cmd != 0xff) { /* there is an andX command */
/*
 * andxoffset is a 16-bit offset taken from the packet.  An offset that
 * lies before the current position is rejected with ReportedBoundsError,
 * presumably so that a chained command cannot point back at bytes that
 * were already dissected.
 * NOTE(review): confirm that an offset beyond the end of the buffer is
 * caught inside dissect_smb_command().
 */
9786 if (andxoffset < offset)
9787 THROW(ReportedBoundsError);
9788 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an NT Create AndX response.
 *
 * Word parameters, in order: AndX command, reserved byte, AndX offset,
 * oplock level, FID, create action, create/access/last write/change
 * times, extended file attributes, allocation size, end of file, file
 * type, IPC state and the is-directory byte.  The FID is registered
 * through dissect_smb_fid() and the returned record is tagged as file,
 * directory or pipe.  If an AndX command is chained (cmd != 0xff) it is
 * dissected at andxoffset.
 *
 * NOTE(review): the listing omits lines (return type, braces, the
 * conditions that select each fid_info->type assignment), so the control
 * flow between the visible statements is only partly visible.
 */
9796 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9798 guint8 wc, cmd=0xff;
9799 guint16 andxoffset=0;
9804 smb_fid_info_t *fid_info=NULL;
9807 si = pinfo->private_data;
9811 /* next smb command */
9812 cmd = tvb_get_guint8(tvb, offset);
9814 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9816 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9821 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9825 andxoffset = tvb_get_letohs(tvb, offset);
9826 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9830 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
9834 fid = tvb_get_letohs(tvb, offset);
9835 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
9839 /*XXX is this really the same as create disposition in the request? it looks so*/
9840 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
9841 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
9845 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
9848 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
9850 /* last write time */
9851 offset = dissect_nt_64bit_time(tvb, tree, offset,
9852 hf_smb_last_write_time);
9854 /* last change time */
9855 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
9857 /* Extended File Attributes */
9858 offset = dissect_file_ext_attr(tvb, tree, offset);
9860 /* allocation size */
9861 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9865 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9869 ftype=tvb_get_letohs(tvb, offset);
9870 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
9874 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
9877 isdir=tvb_get_guint8(tvb, offset);
9878 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
/*
 * ftype and isdir are packet-supplied and decide which type is stored on
 * the FID record.
 * NOTE(review): fid_info starts as NULL and is only set from the return
 * value of dissect_smb_fid(); the guard around the fid_info->type writes
 * below is not visible in this listing, confirm they are skipped when
 * fid_info is NULL.
 */
9881 /* Try to remember the type of this fid so that we can dissect
9882 * any future security descriptor (access mask) properly
9887 fid_info->type=SMB_FID_TYPE_FILE;
9891 fid_info->type=SMB_FID_TYPE_DIR;
9897 fid_info->type=SMB_FID_TYPE_PIPE;
9905 if (cmd != 0xff) { /* there is an andX command */
/*
 * andxoffset is a 16-bit offset taken from the packet.  An offset that
 * lies before the current position is rejected with ReportedBoundsError,
 * presumably so that a chained command cannot point back at bytes that
 * were already dissected.
 * NOTE(review): confirm that an offset beyond the end of the buffer is
 * caught inside dissect_smb_command().
 */
9906 if (andxoffset < offset)
9907 THROW(ReportedBoundsError);
9908 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9911 /* if there was an error, add a generated filename to the tree */
9913 dissect_smb_fid(tvb, pinfo, tree, 0, 0, fid, TRUE, TRUE, TRUE);
9921 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9935 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9936 BEGIN Transaction/Transaction2 Primary and secondary requests
9937 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Transaction2 sub-command codes and their display names.  Declared
 * without static, so the table has external linkage.  A code with no
 * entry is rendered through the caller's fallback format string (for
 * example "Unknown (0x%02x)" in dissect_transaction2_request_parameters).
 * Not every entry is visible in this listing.
 */
9940 const value_string trans2_cmd_vals[] = {
9942 { 0x01, "FIND_FIRST2" },
9943 { 0x02, "FIND_NEXT2" },
9944 { 0x03, "QUERY_FS_INFO" },
9945 { 0x04, "SET_FS_QUOTA" },
9946 { 0x05, "QUERY_PATH_INFO" },
9947 { 0x06, "SET_PATH_INFO" },
9948 { 0x07, "QUERY_FILE_INFO" },
9949 { 0x08, "SET_FILE_INFO" },
9952 { 0x0B, "FIND_NOTIFY_FIRST" },
9953 { 0x0C, "FIND_NOTIFY_NEXT" },
9954 { 0x0D, "CREATE_DIRECTORY" },
9955 { 0x0E, "SESSION_SETUP" },
9956 { 0x10, "GET_DFS_REFERRAL" },
9957 { 0x11, "REPORT_DFS_INCONSISTENCY" },
/*
 * Display strings for single-bit flags.  In each pair the first string is
 * shown when the bit is set and the second when it is clear.
 */
9961 static const true_false_string tfs_tf_dtid = {
9962 "Also DISCONNECT TID",
9963 "Do NOT disconnect TID"
9965 static const true_false_string tfs_tf_owt = {
9966 "One Way Transaction (NO RESPONSE)",
9967 "Two way transaction"
9970 static const true_false_string tfs_ff2_backup = {
9971 "Find WITH backup intent",
9974 static const true_false_string tfs_ff2_continue = {
9975 "CONTINUE search from previous position",
9976 "New search, do NOT continue from previous position"
9978 static const true_false_string tfs_ff2_resume = {
9979 "Return RESUME keys",
9980 "Do NOT return resume keys"
9982 static const true_false_string tfs_ff2_close_eos = {
9983 "CLOSE search if END OF SEARCH is reached",
9984 "Do NOT close search if end of search reached"
9986 static const true_false_string tfs_ff2_close = {
9987 "CLOSE search after this request",
9988 "Do NOT close search after this request"
/* Information level codes for the find requests and their display names. */
9994 static const value_string ff2_il_vals[] = {
9995 { 1, "Info Standard"},
9996 { 2, "Info Query EA Size"},
9997 { 3, "Info Query EAs From List"},
9998 { 0x0101, "Find File Directory Info"},
9999 { 0x0102, "Find File Full Directory Info"},
10000 { 0x0103, "Find File Names Info"},
10001 { 0x0104, "Find File Both Directory Info"},
10002 { 0x0202, "Find File UNIX"},
10006 /* values used by :
10007 TRANS2_QUERY_PATH_INFORMATION
10008 TRANS2_QUERY_FILE_INFORMATION
/*
 * Level-of-interest codes for the query path/file information requests
 * and their display names.  The table mixes three numbering ranges (small
 * integers, 0x01xx/0x02xx and 1004 upwards), and some names appear under
 * two codes, e.g. 0x0101 and 1004 are both "Query File Basic Info".
 */
10010 static const value_string qpi_loi_vals[] = {
10011 { 1, "Info Standard"},
10012 { 2, "Info Query EA Size"},
10013 { 3, "Info Query EAs From List"},
10014 { 4, "Info Query All EAs"},
10015 { 6, "Info Is Name Valid"},
10016 { 0x0101, "Query File Basic Info"},
10017 { 0x0102, "Query File Standard Info"},
10018 { 0x0103, "Query File EA Info"},
10019 { 0x0104, "Query File Name Info"},
10020 { 0x0107, "Query File All Info"},
10021 { 0x0108, "Query File Alt Name Info"},
10022 { 0x0109, "Query File Stream Info"},
10023 { 0x010b, "Query File Compression Info"},
10024 { 0x0200, "Query File Unix Basic"},
10025 { 0x0201, "Query File Unix Link"},
10026 { 0x0202, "Query File Unix Hardlink"},
10027 { 0x0204, "Query File Posix ACL"},
10028 { 0x0205, "Query File Posix XATTR"},
10029 { 0x0206, "Query File Posix Attr Flags"},
10030 { 0x0207, "Query File Posix Permissions"},
10031 { 0x0208, "Query File Posix Lock"},
10032 { 1004, "Query File Basic Info"},
10033 { 1005, "Query File Standard Info"},
10034 { 1006, "Query File Internal Info"},
10035 { 1007, "Query File EA Info"},
10036 { 1009, "Query File Name Info"},
10037 { 1010, "Query File Rename Info"},
10038 { 1011, "Query File Link Info"},
10039 { 1012, "Query File Names Info"},
10040 { 1013, "Query File Disposition Info"},
10041 { 1014, "Query File Position Info"},
10042 { 1015, "Query File Full EA Info"},
10043 { 1016, "Query File Mode Info"},
10044 { 1017, "Query File Alignment Info"},
10045 { 1018, "Query File All Info"},
10046 { 1019, "Query File Allocation Info"},
10047 { 1020, "Query File End of File Info"},
10048 { 1021, "Query File Alt Name Info"},
10049 { 1022, "Query File Stream Info"},
10050 { 1023, "Query File Pipe Info"},
10051 { 1024, "Query File Pipe Local Info"},
10052 { 1025, "Query File Pipe Remote Info"},
10053 { 1026, "Query File Mailslot Query Info"},
10054 { 1027, "Query File Mailslot Set Info"},
10055 { 1028, "Query File Compression Info"},
10056 { 1029, "Query File ObjectID Info"},
10057 { 1030, "Query File Completion Info"},
10058 { 1031, "Query File Move Cluster Info"},
10059 { 1032, "Query File Quota Info"},
10060 { 1033, "Query File Reparsepoint Info"},
10061 { 1034, "Query File Network Open Info"},
10062 { 1035, "Query File Attribute Tag Info"},
10063 { 1036, "Query File Tracking Info"},
10064 { 1037, "Query File Maximum Info"},
10068 /* values used by :
10069 TRANS2_SET_PATH_INFORMATION
10070 TRANS2_SET_FILE_INFORMATION
10071 (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
10072 but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
10073 well; note that they're different from the QUERY_PATH_INFORMATION
10074 and QUERY_FILE_INFORMATION values!)
/*
 * Level-of-interest codes for the set path/file information requests and
 * their display names.  The numeric codes overlap with the query table
 * but carry different meanings here (e.g. 0x0102 is "Set File Disposition
 * Info"), so a level must always be decoded with the table that matches
 * the sub-command.
 */
10076 static const value_string spi_loi_vals[] = {
10077 { 1, "Info Standard"},
10078 { 2, "Info Query EA Size"},
10079 { 4, "Info Query All EAs"},
10080 { 0x0101, "Set File Basic Info"},
10081 { 0x0102, "Set File Disposition Info"},
10082 { 0x0103, "Set File Allocation Info"},
10083 { 0x0104, "Set File End Of File Info"},
10084 { 0x0200, "Set File Unix Basic"},
10085 { 0x0201, "Set File Unix Link"},
10086 { 0x0202, "Set File Unix HardLink"},
10087 { 0x0204, "Set File Unix ACL"},
10088 { 0x0205, "Set File Unix XATTR"},
10089 { 0x0206, "Set File Unix Attr Flags"},
10090 { 0x0208, "Set File Posix Lock"},
10091 { 0x0209, "Set File Posix Open"},
10092 { 0x020a, "Set File Posix Unlink"},
10093 { 1004, "Set File Basic Info"},
10094 { 1010, "Set Rename Information"},
10095 { 1013, "Set Disposition Information"},
10096 { 1014, "Set Position Information"},
10097 { 1016, "Set Mode Information"},
10098 { 1019, "Set Allocation Information"},
10099 { 1020, "Set EOF Information"},
10100 { 1023, "Set File Pipe Information"},
10101 { 1025, "Set File Pipe Remote Information"},
10102 { 1029, "Set Copy On Write Information"},
10103 { 1032, "Set OLE Class ID Information"},
10104 { 1039, "Set Inherit Context Index Information"},
10105 { 1040, "Set OLE Information (?)"},
/*
 * Information level codes for file system queries and their display
 * names.  Several names appear under two codes, e.g. 0x0101 and 1001 are
 * both "Query FS Label Info".
 */
10109 static const value_string qfsi_vals[] = {
10110 { 1, "Info Allocation"},
10111 { 2, "Info Volume"},
10112 { 0x0101, "Query FS Label Info"},
10113 { 0x0102, "Query FS Volume Info"},
10114 { 0x0103, "Query FS Size Info"},
10115 { 0x0104, "Query FS Device Info"},
10116 { 0x0105, "Query FS Attribute Info"},
10117 { 0x0200, "Unix Query FS Info"},
10118 { 0x0301, "Mac Query FS Info"},
10119 { 1001, "Query FS Label Info"},
10120 { 1002, "Query FS Volume Info"},
10121 { 1003, "Query FS Size Info"},
10122 { 1004, "Query FS Device Info"},
10123 { 1005, "Query FS Attribute Info"},
10124 { 1006, "Query FS Quota Info"},
10125 { 1007, "Query Full FS Size Info"},
10126 { 1008, "Object ID Information"},
/* Rename level codes; only one entry is visible in this listing. */
10130 static const value_string nt_rename_vals[] = {
10131 { 0x0103, "Create Hard Link"},
/* Display names for the delete-pending indicator. */
10136 static const value_string delete_pending_vals[] = {
10137 {0, "Normal, no pending delete"},
10138 {1, "This object has DELETE PENDING"},
/*
 * Alignment requirement codes.  Each listed value is the alignment in
 * bytes minus one, e.g. 3 for 32-bit and 0x1ff for 512-byte alignment.
 */
10142 static const value_string alignment_vals[] = {
10143 {0, "Byte alignment"},
10144 {1, "Word (16bit) alignment"},
10145 {3, "Long (32bit) alignment"},
10146 {7, "8 byte boundary alignment"},
10147 {0x0f, "16 byte boundary alignment"},
10148 {0x1f, "32 byte boundary alignment"},
10149 {0x3f, "64 byte boundary alignment"},
10150 {0x7f, "128 byte boundary alignment"},
10151 {0xff, "256 byte boundary alignment"},
10152 {0x1ff, "512 byte boundary alignment"},
/*
 * Display strings for single-bit flags.  In each pair the first string is
 * shown when the bit is set and the second when it is clear.
 */
10156 static const true_false_string tfs_marked_for_deletion = {
10157 "File is MARKED FOR DELETION",
10158 "File is NOT marked for deletion"
10161 static const true_false_string tfs_get_dfs_server_hold_storage = {
10162 "Referral SERVER HOLDS STORAGE for the file",
10163 "Referral server does NOT hold storage for the file"
10165 static const true_false_string tfs_get_dfs_fielding = {
10166 "The server in referral is FIELDING CAPABLE",
10167 "The server in referrals is NOT fielding capable"
10170 static const true_false_string tfs_dfs_referral_flags_strip = {
10171 "STRIP off pathconsumed characters before submitting",
10172 "Do NOT strip off any characters"
/* DFS referral server type codes; not every entry is visible here. */
10175 static const value_string dfs_referral_server_type_vals[] = {
10178 {2, "Netware Server"},
10179 {3, "Domain Server"},
/*
 * Display strings for the device characteristics bits.  In each pair the
 * first string is shown when the bit is set and the second when it is
 * clear.
 */
10184 static const true_false_string tfs_device_char_removable = {
10185 "This is a REMOVABLE device",
10186 "This is NOT a removable device"
10188 static const true_false_string tfs_device_char_read_only = {
10189 "This is a READ-ONLY device",
10190 "This is NOT a read-only device"
10192 static const true_false_string tfs_device_char_floppy = {
10193 "This is a FLOPPY DISK device",
10194 "This is NOT a floppy disk device"
10196 static const true_false_string tfs_device_char_write_once = {
10197 "This is a WRITE-ONCE device",
10198 "This is NOT a write-once device"
10200 static const true_false_string tfs_device_char_remote = {
10201 "This is a REMOTE device",
10202 "This is NOT a remote device"
10204 static const true_false_string tfs_device_char_mounted = {
10205 "This device is MOUNTED",
10206 "This device is NOT mounted"
10208 static const true_false_string tfs_device_char_virtual = {
10209 "This is a VIRTUAL device",
10210 "This is NOT a virtual device"
/*
 * Display strings for the file system attribute bits, in the same
 * set/clear order.  These describe what the server reports about the
 * volume (ACL, encryption, quota support and so on); they are shown
 * as reported and are not verified by the dissector.
 */
10214 static const true_false_string tfs_fs_attr_css = {
10215 "This FS supports CASE SENSITIVE SEARCHes",
10216 "This FS does NOT support case sensitive searches"
10218 static const true_false_string tfs_fs_attr_cpn = {
10219 "This FS supports CASE PRESERVED NAMES",
10220 "This FS does NOT support case preserved names"
10222 static const true_false_string tfs_fs_attr_uod = {
10223 "This FS supports UNICODE NAMES",
10224 "This FS does NOT support unicode names"
10226 static const true_false_string tfs_fs_attr_pacls = {
10227 "This FS supports PERSISTENT ACLs",
10228 "This FS does NOT support persistent acls"
10230 static const true_false_string tfs_fs_attr_fc = {
10231 "This FS supports COMPRESSED FILES",
10232 "This FS does NOT support compressed files"
10234 static const true_false_string tfs_fs_attr_vq = {
10235 "This FS supports VOLUME QUOTAS",
10236 "This FS does NOT support volume quotas"
10238 static const true_false_string tfs_fs_attr_srp = {
10239 "This FS supports REPARSE POINTS",
10240 "This FS does NOT support reparse points"
10242 static const true_false_string tfs_fs_attr_srs = {
10243 "This FS supports REMOTE STORAGE",
10244 "This FS does NOT support remote storage"
10246 static const true_false_string tfs_fs_attr_ssf = {
10247 "This FS supports SPARSE FILES",
10248 "This FS does NOT support sparse files"
10250 static const true_false_string tfs_fs_attr_sla = {
10251 "This FS supports LFN APIs",
10252 "This FS does NOT support lfn apis"
10254 static const true_false_string tfs_fs_attr_vic = {
10255 "This FS VOLUME IS COMPRESSED",
10256 "This FS volume is NOT compressed"
10258 static const true_false_string tfs_fs_attr_soids = {
10259 "This FS supports OIDs",
10260 "This FS does NOT support OIDs"
10262 static const true_false_string tfs_fs_attr_se = {
10263 "This FS supports ENCRYPTION",
10264 "This FS does NOT support encryption"
10266 static const true_false_string tfs_fs_attr_ns = {
10267 "This FS supports NAMED STREAMS",
10268 "This FS does NOT support named streams"
10270 static const true_false_string tfs_fs_attr_rov = {
10271 "This is a READ ONLY VOLUME",
10272 "This is a read/write volume"
10275 #define FF2_RESUME 0x0004
/*
 * Dissect the 2-byte flags word of a find request.
 *
 * The word is read little-endian into mask.  When the request has
 * transaction info attached (si->sip set, extra_info_type SMB_EI_T2I) and
 * the frame has not been visited yet, the FF2_RESUME bit (0x0004) is
 * stored in t2i->resume_keys, presumably so the response can be decoded
 * to match.  The value stored is the masked bit itself, not 0 or 1.
 * The flags are then shown as a subtree with one boolean per bit.
 *
 * NOTE(review): the listing omits lines (return type, braces, some
 * declarations and the return), so the guard around the tree building is
 * not visible.
 */
10278 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
10281 proto_item *item = NULL;
10282 proto_tree *tree = NULL;
10284 smb_transact2_info_t *t2i;
10286 mask = tvb_get_letohs(tvb, offset);
10288 si = (smb_info_t *)pinfo->private_data;
10289 DISSECTOR_ASSERT(si);
10291 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
10292 t2i = si->sip->extra_info;
/* Saved state is written on the first pass only, never on a re-dissection. */
10294 if (!pinfo->fd->flags.visited)
10295 t2i->resume_keys = (mask & FF2_RESUME);
10300 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10301 "Flags: 0x%04x", mask);
10302 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
10304 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
10305 tvb, offset, 2, mask);
10306 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
10307 tvb, offset, 2, mask);
10308 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
10309 tvb, offset, 2, mask);
10310 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
10311 tvb, offset, 2, mask);
10312 proto_tree_add_boolean(tree, hf_smb_ff2_close,
10313 tvb, offset, 2, mask);
/*
 * Dissect a 2-byte IO flag word: the value is read little-endian, shown
 * as "IO Flag: 0x...." and expanded into a subtree with one boolean for
 * the write-through bit and one for the caching bit.
 *
 * NOTE(review): the listing omits lines (return type, braces,
 * declarations and the return), so the guard around the tree building is
 * not visible.
 */
10323 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10329 mask = tvb_get_letohs(tvb, offset);
10332 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10333 "IO Flag: 0x%04x", mask);
10334 tree = proto_item_add_subtree(item, ett_smb_ioflag);
10336 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
10337 tvb, offset, 2, mask);
10338 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
10339 tvb, offset, 2, mask);
/*
 * Dissect the parameter block of a TRANS2 request for sub-command `subcmd`.
 *
 * `bc` is the number of parameter bytes left. Each field is preceded by
 * CHECK_BYTE_COUNT_TRANS(n) and followed either by COUNT_BYTES_TRANS(n) or by
 * a helper whose return value becomes the new offset. Those macros,
 * CHECK_STRING_TRANS and get_unicode_or_ascii_string() are defined outside
 * this view; presumably they stop dissection when fewer than n bytes remain
 * or when the string could not be read - confirm against their definitions.
 *
 * Several cases store the information level in si->info_level and, while the
 * frame is not marked visited, in t2i->info_level.
 *
 * File names and search patterns are packet-supplied. Before they are
 * appended to COL_INFO they pass through format_text(), which escapes
 * non-printable characters, so raw control bytes do not reach the UI.
 *
 * NOTE(review): the gutter numbers in this listing are not contiguous, so
 * some source lines (declarations, the switch header, break statements,
 * braces, continuation lines) are not shown here.
 */
10349 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
10350 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
10352 proto_item *item = NULL;
10353 proto_tree *tree = NULL;
10355 smb_transact2_info_t *t2i;
10359 si = (smb_info_t *)pinfo->private_data;
10360 DISSECTOR_ASSERT(si);
/*
 * NOTE(review): t2i is assigned here only when the type tag matches; an else
 * branch is not visible in this listing. Later cases test t2i against NULL,
 * so confirm it is set to NULL when the tag does not match.
 */
10362 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
10363 t2i = si->sip->extra_info;
/* Make sure all bc bytes are really in the buffer before an item spans them. */
10368 tvb_ensure_bytes_exist(tvb, offset, bc);
10369 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
10371 val_to_str(subcmd, trans2_cmd_vals,
10372 "Unknown (0x%02x)"));
10373 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
10377 case 0x00: /*TRANS2_OPEN2*/
10379 CHECK_BYTE_COUNT_TRANS(2);
10380 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
10383 /* desired access */
10384 CHECK_BYTE_COUNT_TRANS(2);
10385 offset = dissect_access(tvb, tree, offset, "Desired");
10388 /* Search Attributes */
10389 CHECK_BYTE_COUNT_TRANS(2);
10390 offset = dissect_search_attributes(tvb, tree, offset);
10393 /* File Attributes */
10394 CHECK_BYTE_COUNT_TRANS(2);
10395 offset = dissect_file_attributes(tvb, tree, offset, 2);
10399 CHECK_BYTE_COUNT_TRANS(4);
10400 offset = dissect_smb_datetime(tvb, tree, offset,
10401 hf_smb_create_time,
10402 hf_smb_create_dos_date, hf_smb_create_dos_time,
10406 /* open function */
10407 CHECK_BYTE_COUNT_TRANS(2);
10408 offset = dissect_open_function(tvb, tree, offset);
10411 /* allocation size */
10412 CHECK_BYTE_COUNT_TRANS(4);
10413 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10414 COUNT_BYTES_TRANS(4);
10416 /* 10 reserved bytes */
10417 CHECK_BYTE_COUNT_TRANS(10);
10418 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
10419 COUNT_BYTES_TRANS(10);
/*
 * The string helper receives &offset, &fn_len and &bc, so it can adjust all
 * three; its exact bounds handling is outside this view. The same pattern
 * repeats in every case below that carries a name.
 */
10422 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10423 CHECK_STRING_TRANS(fn);
10424 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10426 COUNT_BYTES_TRANS(fn_len);
/* Packet-supplied name: escaped by format_text() before it is shown. */
10428 if (check_col(pinfo->cinfo, COL_INFO)) {
10429 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10430 format_text(fn, strlen(fn)));
10433 case 0x01: /*TRANS2_FIND_FIRST2*/
10434 /* Search Attributes */
10435 CHECK_BYTE_COUNT_TRANS(2);
10436 offset = dissect_search_attributes(tvb, tree, offset);
10440 CHECK_BYTE_COUNT_TRANS(2);
10441 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10442 COUNT_BYTES_TRANS(2);
10444 /* Find First2 flags */
10445 CHECK_BYTE_COUNT_TRANS(2);
10446 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10449 /* Find First2 information level */
10450 CHECK_BYTE_COUNT_TRANS(2);
10451 si->info_level = tvb_get_letohs(tvb, offset);
10452 if (t2i != NULL && !pinfo->fd->flags.visited)
10453 t2i->info_level = si->info_level;
10454 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10455 COUNT_BYTES_TRANS(2);
10458 CHECK_BYTE_COUNT_TRANS(4);
10459 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
10460 COUNT_BYTES_TRANS(4);
10462 /* search pattern */
10463 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10464 CHECK_STRING_TRANS(fn);
/* Keep a copy of the pattern in the transaction record; only the first one is stored. */
10465 if(t2i && !t2i->name){
10466 t2i->name = se_strdup(fn);
10468 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
10470 COUNT_BYTES_TRANS(fn_len);
10472 if (check_col(pinfo->cinfo, COL_INFO)) {
10473 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
10474 format_text(fn, strlen(fn)));
10478 case 0x02: /*TRANS2_FIND_NEXT2*/
10480 CHECK_BYTE_COUNT_TRANS(2);
10481 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
10482 COUNT_BYTES_TRANS(2);
10485 CHECK_BYTE_COUNT_TRANS(2);
10486 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10487 COUNT_BYTES_TRANS(2);
10489 /* Find First2 information level */
10490 CHECK_BYTE_COUNT_TRANS(2);
10491 si->info_level = tvb_get_letohs(tvb, offset);
10492 if (t2i != NULL && !pinfo->fd->flags.visited)
10493 t2i->info_level = si->info_level;
10494 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10495 COUNT_BYTES_TRANS(2);
10498 CHECK_BYTE_COUNT_TRANS(4);
10499 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
10500 COUNT_BYTES_TRANS(4);
10502 /* Find First2 flags */
10503 CHECK_BYTE_COUNT_TRANS(2);
10504 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10508 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10509 CHECK_STRING_TRANS(fn);
10510 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10512 COUNT_BYTES_TRANS(fn_len);
10514 if (check_col(pinfo->cinfo, COL_INFO)) {
10515 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
10516 format_text(fn, strlen(fn)));
10520 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
10521 /* level of interest */
10522 CHECK_BYTE_COUNT_TRANS(2);
10523 si->info_level = tvb_get_letohs(tvb, offset);
10524 if (t2i != NULL && !pinfo->fd->flags.visited)
10525 t2i->info_level = si->info_level;
10526 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
10527 COUNT_BYTES_TRANS(2);
10529 if (check_col(pinfo->cinfo, COL_INFO))
10530 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
10531 val_to_str(si->info_level, qfsi_vals,
10532 "Unknown (0x%02x)"));
10535 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
10536 /* level of interest */
10537 CHECK_BYTE_COUNT_TRANS(2);
10538 si->info_level = tvb_get_letohs(tvb, offset);
10539 if (t2i != NULL && !pinfo->fd->flags.visited)
10540 t2i->info_level = si->info_level;
10541 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10542 COUNT_BYTES_TRANS(2);
10544 if (check_col(pinfo->cinfo, COL_INFO)) {
10546 pinfo->cinfo, COL_INFO, ", %s",
10547 val_to_str(si->info_level, qpi_loi_vals,
10551 /* 4 reserved bytes */
10552 CHECK_BYTE_COUNT_TRANS(4);
10553 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10554 COUNT_BYTES_TRANS(4);
10557 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10558 CHECK_STRING_TRANS(fn);
10559 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10561 COUNT_BYTES_TRANS(fn_len);
/* Keep a copy of the path in the transaction record; only the first one is stored. */
10562 if(t2i && !t2i->name){
10563 t2i->name = se_strdup(fn);
10566 if (check_col(pinfo->cinfo, COL_INFO)) {
10567 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10568 format_text(fn, strlen(fn)));
10572 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10573 /* level of interest */
10574 CHECK_BYTE_COUNT_TRANS(2);
10575 si->info_level = tvb_get_letohs(tvb, offset);
10576 if (t2i != NULL && !pinfo->fd->flags.visited)
10577 t2i->info_level = si->info_level;
10578 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10579 COUNT_BYTES_TRANS(2);
10581 /* 4 reserved bytes */
10582 CHECK_BYTE_COUNT_TRANS(4);
10583 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10584 COUNT_BYTES_TRANS(4);
10587 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10588 CHECK_STRING_TRANS(fn);
10589 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10591 COUNT_BYTES_TRANS(fn_len);
10593 if (check_col(pinfo->cinfo, COL_INFO)) {
10594 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10595 format_text(fn, strlen(fn)));
10599 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
10603 CHECK_BYTE_COUNT_TRANS(2);
10604 fid = tvb_get_letohs(tvb, offset);
10605 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
10606 COUNT_BYTES_TRANS(2);
10608 /* level of interest */
10609 CHECK_BYTE_COUNT_TRANS(2);
10610 si->info_level = tvb_get_letohs(tvb, offset);
10611 if (t2i != NULL && !pinfo->fd->flags.visited)
10612 t2i->info_level = si->info_level;
10613 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10614 COUNT_BYTES_TRANS(2);
10616 if (check_col(pinfo->cinfo, COL_INFO)) {
10618 pinfo->cinfo, COL_INFO, ", %s",
10619 val_to_str(si->info_level, qpi_loi_vals,
10625 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
10629 CHECK_BYTE_COUNT_TRANS(2);
10630 fid = tvb_get_letohs(tvb, offset);
10631 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
10632 COUNT_BYTES_TRANS(2);
10634 /* level of interest */
10635 CHECK_BYTE_COUNT_TRANS(2);
10636 si->info_level = tvb_get_letohs(tvb, offset);
10637 if (t2i != NULL && !pinfo->fd->flags.visited)
10638 t2i->info_level = si->info_level;
10639 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10640 COUNT_BYTES_TRANS(2);
10644 * XXX - "Microsoft Networks SMB File Sharing Protocol
10645 * Extensions Version 3.0, Document Version 1.11,
10646 * July 19, 1990" says this is I/O flags, but it's
10647 * reserved in the SNIA spec, and some clients appear
10648 * to leave junk in it.
10650 * Is this some field used only if a particular
10651 * dialect was negotiated, so that clients can feel
10652 * safe not setting it if they haven't negotiated that
10653 * dialect? Or do the (non-OS/2) clients simply not care
10654 * about that particular OS/2-oriented dialect?
10658 CHECK_BYTE_COUNT_TRANS(2);
10659 offset = dissect_sfi_ioflag(tvb, tree, offset);
10662 /* 2 reserved bytes */
10663 CHECK_BYTE_COUNT_TRANS(2);
10664 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10665 COUNT_BYTES_TRANS(2);
10670 case 0x09: /*TRANS2_FSCTL*/
10671 /* this call has no parameter block in the request */
10674 * XXX - "Microsoft Networks SMB File Sharing Protocol
10675 * Extensions Version 3.0, Document Version 1.11,
10676 * July 19, 1990" says this this contains a
10677 * "File system specific parameter block". (That means
10678 * we may not be able to dissect it in any case.)
10681 case 0x0a: /*TRANS2_IOCTL2*/
10682 /* this call has no parameter block in the request */
10685 * XXX - "Microsoft Networks SMB File Sharing Protocol
10686 * Extensions Version 3.0, Document Version 1.11,
10687 * July 19, 1990" says this this contains a
10688 * "Device/function specific parameter block". (That
10689 * means we may not be able to dissect it in any case.)
10692 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
10693 /* Search Attributes */
10694 CHECK_BYTE_COUNT_TRANS(2);
10695 offset = dissect_search_attributes(tvb, tree, offset);
10698 /* Number of changes to wait for */
10699 CHECK_BYTE_COUNT_TRANS(2);
10700 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10701 COUNT_BYTES_TRANS(2);
10703 /* Find Notify information level */
10704 CHECK_BYTE_COUNT_TRANS(2);
10705 si->info_level = tvb_get_letohs(tvb, offset);
10706 if (t2i != NULL && !pinfo->fd->flags.visited)
10707 t2i->info_level = si->info_level;
10708 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
10709 COUNT_BYTES_TRANS(2);
10711 /* 4 reserved bytes */
10712 CHECK_BYTE_COUNT_TRANS(4);
10713 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10714 COUNT_BYTES_TRANS(4);
10717 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10718 CHECK_STRING_TRANS(fn);
10719 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10721 COUNT_BYTES_TRANS(fn_len);
10723 if (check_col(pinfo->cinfo, COL_INFO)) {
10724 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10725 format_text(fn, strlen(fn)));
10730 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
10731 /* Monitor handle */
10732 CHECK_BYTE_COUNT_TRANS(2);
10733 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
10734 COUNT_BYTES_TRANS(2);
10736 /* Number of changes to wait for */
10737 CHECK_BYTE_COUNT_TRANS(2);
10738 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10739 COUNT_BYTES_TRANS(2);
10743 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10744 /* 4 reserved bytes */
10745 CHECK_BYTE_COUNT_TRANS(4);
10746 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10747 COUNT_BYTES_TRANS(4);
10750 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
10751 FALSE, FALSE, &bc);
10752 CHECK_STRING_TRANS(fn);
10753 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
10755 COUNT_BYTES_TRANS(fn_len);
10757 if (check_col(pinfo->cinfo, COL_INFO)) {
10758 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
10759 format_text(fn, strlen(fn)));
10762 case 0x0e: /*TRANS2_SESSION_SETUP*/
10763 /* XXX unknown structure*/
10765 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10766 /* referral level */
10767 CHECK_BYTE_COUNT_TRANS(2);
10768 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
10769 COUNT_BYTES_TRANS(2);
10772 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10773 CHECK_STRING_TRANS(fn);
10774 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10776 COUNT_BYTES_TRANS(fn_len);
10778 if (check_col(pinfo->cinfo, COL_INFO)) {
10779 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10780 format_text(fn, strlen(fn)));
10784 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10786 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10787 CHECK_STRING_TRANS(fn);
10788 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10790 COUNT_BYTES_TRANS(fn_len);
10792 if (check_col(pinfo->cinfo, COL_INFO)) {
10793 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10794 format_text(fn, strlen(fn)));
10800 /* oops, there was data we didn't know how to process */
10802 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, TRUE);
10810 * XXX - just use "dissect_connect_flags()" here?
/*
 * Dissect the 2-byte flags word of a transaction request.
 *
 * Reads a little-endian 16-bit mask at `offset` and adds a "Flags" item with
 * two boolean fields (hf_smb_transaction_flags_owt and _dtid) beneath it.
 *
 * NOTE(review): this listing omits some source lines (declarations, braces,
 * the return), so only the visible statements are described.
 */
10813 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
/* Packet-supplied value; it is only displayed, never used as a length. */
10819 mask = tvb_get_letohs(tvb, offset);
10822 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10823 "Flags: 0x%04x", mask);
10824 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
10826 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
10827 tvb, offset, 2, mask);
10828 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
10829 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte flags word of the GET_DFS_REFERRAL data header.
 *
 * Reads a little-endian 16-bit mask at `offset` and adds a "Flags" item with
 * the server-hold-storage and fielding booleans beneath it. The caller
 * assigns the return value back to its offset.
 *
 * NOTE(review): this listing omits some source lines (declarations, braces,
 * the return), so only the visible statements are described.
 */
10837 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
/* Packet-supplied value; it is only displayed, never used as a length. */
10843 mask = tvb_get_letohs(tvb, offset);
10846 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10847 "Flags: 0x%04x", mask);
10848 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
10850 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
10851 tvb, offset, 2, mask);
10852 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
10853 tvb, offset, 2, mask);
/*
 * Dissect the 2-byte flags word of a single DFS referral entry.
 *
 * Reads a little-endian 16-bit mask at `offset` and adds a "Flags" item with
 * the strip boolean beneath it. Callers assign the return value back to
 * their offset.
 *
 * NOTE(review): this listing omits some source lines (declarations, braces,
 * the return), so only the visible statements are described.
 */
10861 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
/* Packet-supplied value; it is only displayed, never used as a length. */
10867 mask = tvb_get_letohs(tvb, offset);
10870 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10871 "Flags: 0x%04x", mask);
10872 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
10874 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
10875 tvb, offset, 2, mask);
10884 /* dfs inconsistency data (4.4.2)
/*
 * Dissect the data block of REPORT_DFS_INCONSISTENCY (section 4.4.2).
 *
 * Layout as dissected here: referral version (2), referral size (2), server
 * type (2), referral flags (2), then a node name string.
 *
 * *bcp is the remaining byte count. CHECK_BYTE_COUNT_TRANS_SUBR,
 * COUNT_BYTES_TRANS_SUBR and CHECK_STRING_TRANS_SUBR are defined outside this
 * view; presumably they stop dissection when too few bytes remain or the
 * string could not be read, and keep offset and *bcp in step - confirm.
 *
 * NOTE(review): this listing omits some source lines (declarations, braces,
 * continuation lines, the return).
 */
10887 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
10888 proto_tree *tree, int offset, guint16 *bcp)
10890 smb_info_t *si = pinfo->private_data;
10894 DISSECTOR_ASSERT(si);
10896 /*XXX shouldn't this data hold version and size? unclear from doc*/
10897 /* referral version */
10898 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10899 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
10900 COUNT_BYTES_TRANS_SUBR(2);
10902 /* referral size */
10903 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10904 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
10905 COUNT_BYTES_TRANS_SUBR(2);
10907 /* referral server type */
10908 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10909 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10910 COUNT_BYTES_TRANS_SUBR(2);
10912 /* referral flags */
10913 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10914 offset = dissect_dfs_referral_flags(tvb, tree, offset);
/* The string helper gets &offset, &fn_len and bcp, so it can adjust all three. */
10918 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10919 CHECK_STRING_TRANS_SUBR(fn);
10920 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10922 COUNT_BYTES_TRANS_SUBR(fn_len);
10927 /* get dfs referral data (4.4.1)
/*
 * Dissect the GET_DFS_REFERRAL data block (section 4.4.1).
 *
 * A fixed header (path consumed, number of referrals, flags, 2 padding
 * bytes) is followed by the referrals. Each referral starts with version,
 * size, server type and flags; the remaining fields depend on the version
 * (the visible `case 3:` label suggests a switch on it).
 *
 * *bcp is the remaining byte count. The *_TRANS_SUBR macros are defined
 * outside this view; presumably they stop dissection when too few bytes
 * remain and keep offset and *bcp in step - confirm.
 *
 * Review focus: pathoffset, altpathoffset, nodeoffset and refsize are 16-bit
 * values read from the packet and are then used to compute positions and
 * lengths, so every use needs a range check against offset and *bcp.
 *
 * NOTE(review): the gutter numbers in this listing are not contiguous, so
 * loops, the version switch, some declarations and braces are not shown.
 */
10930 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
10931 proto_tree *tree, int offset, guint16 *bcp)
10933 smb_info_t *si = pinfo->private_data;
10936 guint16 pathoffset;
10937 guint16 altpathoffset;
10938 guint16 nodeoffset;
10948 DISSECTOR_ASSERT(si);
10950 /* path consumed */
10951 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10952 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
10953 COUNT_BYTES_TRANS_SUBR(2);
10955 /* num referrals */
10956 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10957 numref = tvb_get_letohs(tvb, offset);
10958 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
10959 COUNT_BYTES_TRANS_SUBR(2);
10961 /* get dfs flags */
10962 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10963 offset = dissect_get_dfs_flags(tvb, tree, offset);
10966 /* XXX - in at least one capture there appears to be 2 bytes
10967 of stuff after the Dfs flags, perhaps so that the header
10968 in front of the referral list is a multiple of 4 bytes long. */
10969 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10970 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
10971 COUNT_BYTES_TRANS_SUBR(2);
10973 /* if there are any referrals */
10975 proto_item *ref_item = NULL;
10976 proto_tree *ref_tree = NULL;
10977 int old_offset=offset;
/* Confirm the buffer really holds *bcp bytes before an item spans them. */
10980 tvb_ensure_bytes_exist(tvb, offset, *bcp);
10981 ref_item = proto_tree_add_text(tree,
10982 tvb, offset, *bcp, "Referrals");
10983 ref_tree = proto_item_add_subtree(ref_item,
10984 ett_smb_dfs_referrals);
10989 proto_item *ri = NULL;
10990 proto_tree *rt = NULL;
10991 int old_offset=offset; /* start of this referral; shadows the outer old_offset */
10995 tvb_ensure_bytes_exist(tvb, offset, *bcp);
10996 ri = proto_tree_add_text(ref_tree,
10997 tvb, offset, *bcp, "Referral");
10998 rt = proto_item_add_subtree(ri,
10999 ett_smb_dfs_referral);
11002 /* referral version */
11003 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11004 version = tvb_get_letohs(tvb, offset);
11005 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
11006 tvb, offset, 2, version);
11007 COUNT_BYTES_TRANS_SUBR(2);
11009 /* referral size */
11010 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11011 refsize = tvb_get_letohs(tvb, offset);
11012 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
11013 COUNT_BYTES_TRANS_SUBR(2);
11015 /* referral server type */
11016 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11017 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
11018 COUNT_BYTES_TRANS_SUBR(2);
11020 /* referral flags */
11021 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11022 offset = dissect_dfs_referral_flags(tvb, rt, offset);
11029 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11030 CHECK_STRING_TRANS_SUBR(fn);
11031 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
11033 COUNT_BYTES_TRANS_SUBR(fn_len);
11037 case 3: /* XXX - like version 2, but not identical;
11038 seen in a capture, but the format isn't
11041 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11042 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
11043 COUNT_BYTES_TRANS_SUBR(2);
11046 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11047 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
11048 COUNT_BYTES_TRANS_SUBR(2);
11051 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11052 pathoffset = tvb_get_letohs(tvb, offset);
11053 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
11054 COUNT_BYTES_TRANS_SUBR(2);
11056 /* alt path offset */
11057 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11058 altpathoffset = tvb_get_letohs(tvb, offset);
11059 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
11060 COUNT_BYTES_TRANS_SUBR(2);
11063 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11064 nodeoffset = tvb_get_letohs(tvb, offset);
11065 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
11066 COUNT_BYTES_TRANS_SUBR(2);
/*
 * The three string offsets are relative to the start of this referral
 * (old_offset). A string is read only when its target lies after the current
 * offset (offsetoffset > 0) and inside the remaining byte count
 * (*bcp > offsetoffset); an offset of 0 means the string is absent.
 * NOTE(review): *bcp is reduced before each string is read, and lines that
 * might save and restore it are not visible in this listing - confirm the
 * byte count is consistent again once the three strings are done.
 */
11069 if (pathoffset != 0) {
11070 stroffset = old_offset + pathoffset;
11071 offsetoffset = stroffset - offset;
11072 if (offsetoffset > 0 &&
11073 *bcp > offsetoffset) {
11075 *bcp -= offsetoffset;
11076 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11077 CHECK_STRING_TRANS_SUBR(fn);
11078 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
11080 stroffset += fn_len;
11081 if (ucstring_end < stroffset)
11082 ucstring_end = stroffset; /* remember the furthest string end seen so far */
11088 if (altpathoffset != 0) {
11089 stroffset = old_offset + altpathoffset;
11090 offsetoffset = stroffset - offset;
11091 if (offsetoffset > 0 &&
11092 *bcp > offsetoffset) {
11094 *bcp -= offsetoffset;
11095 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11096 CHECK_STRING_TRANS_SUBR(fn);
11097 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
11099 stroffset += fn_len;
11100 if (ucstring_end < stroffset)
11101 ucstring_end = stroffset;
11107 if (nodeoffset != 0) {
11108 stroffset = old_offset + nodeoffset;
11109 offsetoffset = stroffset - offset;
11110 if (offsetoffset > 0 &&
11111 *bcp > offsetoffset) {
11113 *bcp -= offsetoffset;
11114 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11115 CHECK_STRING_TRANS_SUBR(fn);
11116 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
11118 stroffset += fn_len;
11119 if (ucstring_end < stroffset)
11120 ucstring_end = stroffset;
11128 * Show anything beyond the length of the referral
11131 unklen = (old_offset + refsize) - offset; /* refsize is packet-supplied: unklen needs a range check before use (presumably on lines not shown) */
11134 * XXX - the length is bogus.
11139 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
11140 proto_tree_add_item(rt, hf_smb_unknown, tvb,
11141 offset, unklen, TRUE);
11142 COUNT_BYTES_TRANS_SUBR(unklen);
11145 proto_item_set_len(ri, offset-old_offset);
11149 * Treat the offset past the end of the last Unicode
11150 * string after the referrals (if any) as the last
11153 if (ucstring_end > offset) {
11154 ucstring_len = ucstring_end - offset;
11155 if (*bcp < ucstring_len)
11156 ucstring_len = *bcp; /* clamp to the bytes that remain */
11157 offset += ucstring_len;
11158 *bcp -= ucstring_len;
11160 proto_item_set_len(ref_item, offset-old_offset);
11166 /* This dissects the standard four 8-byte Windows timestamps ...
/*
 * Dissect four consecutive 8-byte timestamps: create, access, last write and
 * change time, in that order.
 *
 * Each one is preceded by CHECK_BYTE_COUNT_SUBR(8) and decoded by
 * dissect_nt_64bit_time(), whose return value becomes the new offset.
 * CHECK_BYTE_COUNT_SUBR is defined outside this view; presumably it stops
 * dissection and flags *trunc when fewer than 8 bytes remain - confirm.
 * NOTE(review): no update of *bcp is visible between the checks in this
 * listing (lines are omitted) - confirm the count is reduced after each
 * timestamp.
 */
11169 dissect_smb_standard_8byte_timestamps(tvbuff_t *tvb,
11170 packet_info *pinfo _U_, proto_tree *tree,
11171 int offset, guint16 *bcp, gboolean *trunc)
11174 CHECK_BYTE_COUNT_SUBR(8);
11175 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
11179 CHECK_BYTE_COUNT_SUBR(8);
11180 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
11183 /* last write time */
11184 CHECK_BYTE_COUNT_SUBR(8);
11185 offset = dissect_nt_64bit_time(tvb, tree, offset,
11186 hf_smb_last_write_time);
11189 /* last change time */
11190 CHECK_BYTE_COUNT_SUBR(8);
11191 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
11198 /* this dissects the SMB_INFO_STANDARD
11199 as described in 4.2.16.1
/*
 * Dissect SMB_INFO_STANDARD (section 4.2.16.1).
 *
 * Fields as dissected here: create, access and last-write date/time (4 bytes
 * each), data size (4), allocation size (4), file attributes (2) and EA list
 * length (4).
 *
 * *bcp is the remaining byte count. CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR
 * are defined outside this view; presumably they stop dissection and flag
 * *trunc when too few bytes remain, then advance offset and reduce *bcp -
 * confirm against the macros.
 *
 * NOTE(review): this listing omits some source lines (continuation lines,
 * braces, the return).
 */
11202 dissect_4_2_16_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11203 int offset, guint16 *bcp, gboolean *trunc)
11206 CHECK_BYTE_COUNT_SUBR(4);
11207 offset = dissect_smb_datetime(tvb, tree, offset,
11208 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
11213 CHECK_BYTE_COUNT_SUBR(4);
11214 offset = dissect_smb_datetime(tvb, tree, offset,
11215 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
11219 /* last write time */
11220 CHECK_BYTE_COUNT_SUBR(4);
11221 offset = dissect_smb_datetime(tvb, tree, offset,
11222 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
11227 CHECK_BYTE_COUNT_SUBR(4);
11228 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11229 COUNT_BYTES_SUBR(4);
11231 /* allocation size */
11232 CHECK_BYTE_COUNT_SUBR(4);
11233 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11234 COUNT_BYTES_SUBR(4);
11236 /* File Attributes */
11237 CHECK_BYTE_COUNT_SUBR(2);
11238 offset = dissect_file_attributes(tvb, tree, offset, 2);
11242 CHECK_BYTE_COUNT_SUBR(4);
11243 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11244 COUNT_BYTES_SUBR(4);
11250 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
11251 as described in 4.2.16.2
/*
 * Dissect SMB_INFO_QUERY_EAS_FROM_LIST / SMB_INFO_QUERY_ALL_EAS
 * (section 4.2.16.2).
 *
 * A 4-byte EA list length is followed by extended attributes. Each one is
 * shown as an "Extended Attribute" subtree holding flags (1 byte), name
 * length (1), data length (2), the name (name_len + 1 bytes) and the data
 * (data_len bytes).
 *
 * *bcp is the remaining byte count. CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR
 * are defined outside this view; presumably they stop dissection and flag
 * *trunc when too few bytes remain - confirm against the macros.
 *
 * Review focus: name_len and data_len are packet-supplied lengths, and three
 * reads below happen before the matching byte-count check.
 *
 * NOTE(review): this listing omits some source lines (the loop, some
 * declarations, braces, the return).
 */
11254 dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11255 int offset, guint16 *bcp, gboolean *trunc)
11261 CHECK_BYTE_COUNT_SUBR(4);
11262 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11263 COUNT_BYTES_SUBR(4);
11267 proto_tree *subtree;
11268 int start_offset = offset;
/* Item length starts at 0 and is fixed up with proto_item_set_len() at the end. */
11271 item = proto_tree_add_text(
11272 tree, tvb, offset, 0, "Extended Attribute");
11273 subtree = proto_item_add_subtree(item, ett_smb_ea);
11277 CHECK_BYTE_COUNT_SUBR(1);
11278 proto_tree_add_item(
11279 subtree, hf_smb_ea_flags, tvb, offset, 1, TRUE);
11280 COUNT_BYTES_SUBR(1);
11282 /* EA name length */
/*
 * NOTE(review): this read precedes CHECK_BYTE_COUNT_SUBR(1), so it relies on
 * the tvb accessor's own bounds checking rather than on *bcp.
 */
11284 name_len = tvb_get_guint8(tvb, offset);
11286 CHECK_BYTE_COUNT_SUBR(1);
11287 proto_tree_add_item(
11288 subtree, hf_smb_ea_name_length, tvb, offset, 1, TRUE);
11289 COUNT_BYTES_SUBR(1);
11291 /* EA data length */
/* NOTE(review): as above, read before CHECK_BYTE_COUNT_SUBR(2). */
11293 data_len = tvb_get_letohs(tvb, offset);
11295 CHECK_BYTE_COUNT_SUBR(2);
11296 proto_tree_add_item(
11297 subtree, hf_smb_ea_data_length, tvb, offset, 2, TRUE);
11298 COUNT_BYTES_SUBR(2);
/*
 * NOTE(review): the name is fetched before CHECK_BYTE_COUNT_SUBR(name_len + 1);
 * doing the check first would keep the read inside the declared byte count.
 * name_len comes from a single byte, so the fetch is at most 255 bytes.
 * The name is escaped with format_text() before it is appended to the item.
 */
11302 name = tvb_get_ephemeral_string(tvb, offset, name_len);
11303 proto_item_append_text(item, ": %s", format_text(name, strlen(name)));
11305 CHECK_BYTE_COUNT_SUBR(name_len + 1);
11306 proto_tree_add_item(
11307 subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
11309 COUNT_BYTES_SUBR(name_len + 1);
/* data_len is a packet-supplied 16-bit length, checked against *bcp before use. */
11313 CHECK_BYTE_COUNT_SUBR(data_len);
11314 proto_tree_add_item(
11315 subtree, hf_smb_ea_data, tvb, offset, data_len, TRUE);
11316 COUNT_BYTES_SUBR(data_len);
11318 proto_item_set_len(item, offset - start_offset);
11325 /* this dissects the SMB_INFO_IS_NAME_VALID
11326 as described in 4.2.16.3
/*
 * Dissect SMB_INFO_IS_NAME_VALID (section 4.2.16.3): a single file name.
 *
 * The name is read with get_unicode_or_ascii_string(), which receives
 * &offset, &fn_len and bcp and can therefore adjust all three. That helper
 * and the CHECK_STRING_SUBR / COUNT_BYTES_SUBR macros are defined outside
 * this view; presumably dissection stops and *trunc is flagged when the
 * string cannot be read - confirm.
 *
 * NOTE(review): this listing omits some source lines (declarations, the
 * continuation of the add_string call, the return).
 */
11329 dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11330 int offset, guint16 *bcp, gboolean *trunc)
11332 smb_info_t *si = pinfo->private_data;
11336 DISSECTOR_ASSERT(si);
11339 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11340 CHECK_STRING_SUBR(fn);
11341 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11343 COUNT_BYTES_SUBR(fn_len);
11349 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
11350 as described in 4.2.16.4
/*
 * Dissect SMB_QUERY_FILE_BASIC_INFO (section 4.2.16.4): the four standard
 * 8-byte timestamps followed by 4 bytes of file attributes.
 *
 * NOTE(review): the timestamp helper is passed `trunc`, but no test of
 * *trunc after the call is visible in this listing (lines are omitted) -
 * confirm dissection stops here when the timestamps were truncated.
 */
11353 dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11354 int offset, guint16 *bcp, gboolean *trunc)
11357 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
11362 /* File Attributes */
11363 CHECK_BYTE_COUNT_SUBR(4);
11364 offset = dissect_file_attributes(tvb, tree, offset, 4);
11371 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
11372 as described in 4.2.16.5
/*
 * Dissect SMB_QUERY_FILE_STANDARD_INFO (section 4.2.16.5).
 *
 * Fields as dissected here: allocation size (8 bytes), end of file (8),
 * number of links (4), delete pending (1) and is-directory (1).
 *
 * *bcp is the remaining byte count. CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR
 * are defined outside this view; presumably they stop dissection and flag
 * *trunc when too few bytes remain, then advance offset and reduce *bcp -
 * confirm against the macros.
 */
11375 dissect_qfi_SMB_FILE_STANDARD_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11376 int offset, guint16 *bcp, gboolean *trunc)
11378 /* allocation size */
11379 CHECK_BYTE_COUNT_SUBR(8);
11380 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11381 COUNT_BYTES_SUBR(8);
11384 CHECK_BYTE_COUNT_SUBR(8);
11385 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11386 COUNT_BYTES_SUBR(8);
11388 /* number of links */
11389 CHECK_BYTE_COUNT_SUBR(4);
11390 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
11391 COUNT_BYTES_SUBR(4);
11393 /* delete pending */
11394 CHECK_BYTE_COUNT_SUBR(1);
11395 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
11396 COUNT_BYTES_SUBR(1);
11399 CHECK_BYTE_COUNT_SUBR(1);
11400 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
11401 COUNT_BYTES_SUBR(1);
11407 /* this dissects the SMB_QUERY_FILE_INTERNAL_INFO
/*
 * Dissect SMB_QUERY_FILE_INTERNAL_INFO: a single 8-byte index number.
 *
 * *bcp is the remaining byte count; the CHECK/COUNT macros are defined
 * outside this view (presumably a bounds check that flags *trunc, followed
 * by advancing offset and reducing *bcp - confirm).
 */
11410 dissect_qfi_SMB_FILE_INTERNAL_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11411 int offset, guint16 *bcp, gboolean *trunc)
11414 CHECK_BYTE_COUNT_SUBR(8);
11415 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
11416 COUNT_BYTES_SUBR(8);
11422 /* this dissects the SMB_QUERY_FILE_POSITION_INFO
/*
 * Dissect SMB_QUERY_FILE_POSITION_INFO: a single 8-byte position field.
 *
 * *bcp is the remaining byte count; the CHECK/COUNT macros are defined
 * outside this view (presumably a bounds check that flags *trunc, followed
 * by advancing offset and reducing *bcp - confirm).
 */
11425 dissect_qfi_SMB_FILE_POSITION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11426 int offset, guint16 *bcp, gboolean *trunc)
11429 CHECK_BYTE_COUNT_SUBR(8);
11430 proto_tree_add_item(tree, hf_smb_position, tvb, offset, 8, TRUE);
11431 COUNT_BYTES_SUBR(8);
11437 /* this dissects the SMB_QUERY_FILE_MODE_INFO
/*
 * Dissect SMB_QUERY_FILE_MODE_INFO: a single 4-byte mode field.
 *
 * *bcp is the remaining byte count; the CHECK/COUNT macros are defined
 * outside this view (presumably a bounds check that flags *trunc, followed
 * by advancing offset and reducing *bcp - confirm).
 */
11440 dissect_qfi_SMB_FILE_MODE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11441 int offset, guint16 *bcp, gboolean *trunc)
11444 CHECK_BYTE_COUNT_SUBR(4);
11445 proto_tree_add_item(tree, hf_smb_mode, tvb, offset, 4, TRUE);
11446 COUNT_BYTES_SUBR(4);
11452 /* this dissects the SMB_QUERY_FILE_ALIGNMENT_INFO
/*
 * Dissect SMB_QUERY_FILE_ALIGNMENT_INFO: a single 4-byte alignment field.
 *
 * *bcp is the remaining byte count; the CHECK/COUNT macros are defined
 * outside this view (presumably a bounds check that flags *trunc, followed
 * by advancing offset and reducing *bcp - confirm).
 */
11455 dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11456 int offset, guint16 *bcp, gboolean *trunc)
11459 CHECK_BYTE_COUNT_SUBR(4);
11460 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
11461 COUNT_BYTES_SUBR(4);
11467 /* this dissects the SMB_QUERY_FILE_EA_INFO
11468 as described in 4.2.16.6
/*
 * Dissect SMB_QUERY_FILE_EA_INFO (section 4.2.16.6): a single 4-byte EA list
 * length. The value is only displayed here, not used as a length.
 *
 * *bcp is the remaining byte count; the CHECK/COUNT macros are defined
 * outside this view (presumably a bounds check that flags *trunc, followed
 * by advancing offset and reducing *bcp - confirm).
 */
11471 dissect_qfi_SMB_FILE_EA_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11472 int offset, guint16 *bcp, gboolean *trunc)
11475 CHECK_BYTE_COUNT_SUBR(4);
11476 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11477 COUNT_BYTES_SUBR(4);
11483 /* this dissects the SMB_QUERY_FILE_ALLOCATION_INFO
/*
 * Dissect SMB_QUERY_FILE_ALLOCATION_INFO: a single 8-byte allocation size.
 *
 * *bcp is the remaining byte count; the CHECK/COUNT macros are defined
 * outside this view (presumably a bounds check that flags *trunc, followed
 * by advancing offset and reducing *bcp - confirm).
 */
11486 dissect_qfi_SMB_FILE_ALLOCATION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11487 int offset, guint16 *bcp, gboolean *trunc)
11489 /* allocation size */
11490 CHECK_BYTE_COUNT_SUBR(8);
11491 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11492 COUNT_BYTES_SUBR(8);
11498 /* this dissects the SMB_QUERY_FILE_ENDOFFILE_INFO
/*
 * Dissect SMB_QUERY_FILE_ENDOFFILE_INFO: a single 8-byte end-of-file value.
 *
 * *bcp is the remaining byte count; the CHECK/COUNT macros are defined
 * outside this view (presumably a bounds check that flags *trunc, followed
 * by advancing offset and reducing *bcp - confirm).
 */
11501 dissect_qfi_SMB_FILE_ENDOFFILE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11502 int offset, guint16 *bcp, gboolean *trunc)
11505 CHECK_BYTE_COUNT_SUBR(8);
11506 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11507 COUNT_BYTES_SUBR(8);
11513 /* this dissects the SMB_QUERY_FILE_NAME_INFO
11514 as described in 4.2.16.7
11515 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
11516 as described in 4.2.16.9
/*
 * Dissect SMB_QUERY_FILE_NAME_INFO / SMB_QUERY_FILE_ALT_NAME_INFO: a 4-byte
 * file name length followed by the file name.
 *
 * The 4-byte length field is only displayed. The name is read by
 * get_unicode_or_ascii_string(), which receives &fn_len and bcp; its bounds
 * handling is outside this view - confirm it limits the read to *bcp.
 *
 * CHECK_BYTE_COUNT_SUBR, CHECK_STRING_SUBR and COUNT_BYTES_SUBR are defined
 * outside this view (presumably they stop dissection and flag *trunc on
 * short data).
 *
 * NOTE(review): this listing omits some source lines (declarations, the
 * continuation of the add_string call, the return).
 */
11519 dissect_qfi_SMB_FILE_ALTERNATE_NAME_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11520 int offset, guint16 *bcp, gboolean *trunc)
11522 smb_info_t *si = pinfo->private_data;
11526 DISSECTOR_ASSERT(si);
11528 /* file name len */
11529 CHECK_BYTE_COUNT_SUBR(4);
11530 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
11531 COUNT_BYTES_SUBR(4);
11534 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11535 CHECK_STRING_SUBR(fn);
11536 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11538 COUNT_BYTES_SUBR(fn_len);
11544 /* this dissects the SMB_QUERY_FILE_ALL_INFO
11545 but not as described in 4.2.16.8 since the SNIA spec is wrong
/*
 * Dissect SMB_QUERY_FILE_ALL_INFO.
 *
 * Fields as dissected here: the four standard 8-byte timestamps, file
 * attributes (4 bytes), allocation size (8), end of file (8), number of
 * links (4), delete pending (1), is-directory (1), EA list length (4), file
 * name length (4) and the file name.
 *
 * *bcp is the remaining byte count. CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR
 * are defined outside this view; presumably they stop dissection and flag
 * *trunc when too few bytes remain, then advance offset and reduce *bcp -
 * confirm against the macros.
 *
 * NOTE(review): the gutter numbers in this listing are not contiguous, so
 * some source lines (declarations, truncation tests, padding fields,
 * continuation lines, the return) are not shown.
 */
11548 dissect_qfi_SMB_FILE_ALL_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11549 int offset, guint16 *bcp, gboolean *trunc)
11555 si = (smb_info_t *)pinfo->private_data;
11557 DISSECTOR_ASSERT(si);
11559 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
11564 /* File Attributes */
11565 CHECK_BYTE_COUNT_SUBR(4);
11566 offset = dissect_file_attributes(tvb, tree, offset, 4);
11573 /* allocation size */
11574 CHECK_BYTE_COUNT_SUBR(8);
11575 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11576 COUNT_BYTES_SUBR(8);
11579 CHECK_BYTE_COUNT_SUBR(8);
11580 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11581 COUNT_BYTES_SUBR(8);
11583 /* number of links */
11584 CHECK_BYTE_COUNT_SUBR(4);
11585 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
11586 COUNT_BYTES_SUBR(4);
11588 /* delete pending */
11589 CHECK_BYTE_COUNT_SUBR(1);
11590 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
11591 COUNT_BYTES_SUBR(1);
11594 CHECK_BYTE_COUNT_SUBR(1);
11595 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
11596 COUNT_BYTES_SUBR(1);
11603 CHECK_BYTE_COUNT_SUBR(4);
11604 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11605 COUNT_BYTES_SUBR(4);
11607 /* file name len */
11608 CHECK_BYTE_COUNT_SUBR(4);
/*
 * fn_len is a 32-bit length taken from the packet. It is checked against the
 * remaining byte count (CHECK_BYTE_COUNT_SUBR(fn_len) below) before the name
 * is read with that length.
 */
11609 fn_len = (guint32)tvb_get_letohl(tvb, offset);
11610 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11611 COUNT_BYTES_SUBR(4);
11615 CHECK_BYTE_COUNT_SUBR(fn_len);
/*
 * NOTE(review): unlike the other name reads in this file, no CHECK_STRING_SUBR
 * is visible after this call in the listing - confirm fn cannot be NULL when
 * it is added to the tree.
 */
11616 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
11618 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11620 COUNT_BYTES_SUBR(fn_len);
11630 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
11631 as described in 4.2.16.10
/*
 * Dissect SMB_QUERY_FILE_STREAM_INFO entries under a Stream Info subtree.
 * Each entry carries a next-entry offset, a stream name length, the stream
 * size, the allocation size and the stream name; the unicode argument
 * selects how the name is decoded.
 * NOTE(review): the loop construct and several short lines are absent from
 * this listing, and the *_SUBR macros are defined elsewhere; the comments
 * below describe only the visible statements.
 */
11634 dissect_qfi_SMB_FILE_STREAM_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree,
11635 int offset, guint16 *bcp, gboolean *trunc, int unicode)
11647 old_offset = offset;
11649 /* next entry offset */
11650 CHECK_BYTE_COUNT_SUBR(4);
/* tvb_ensure_bytes_exist runs before the item that spans *bcp bytes is
 * created, presumably so that the item length is backed by captured data. */
11652 tvb_ensure_bytes_exist(tvb, offset, *bcp);
11653 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
11654 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
/* neo and fn_len below are 32-bit values read from the packet; treat both as
 * untrusted. */
11660 neo = tvb_get_letohl(tvb, offset);
11661 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11662 COUNT_BYTES_SUBR(4);
11664 /* stream name len */
11665 CHECK_BYTE_COUNT_SUBR(4);
11666 fn_len = tvb_get_letohl(tvb, offset);
11667 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
11668 COUNT_BYTES_SUBR(4);
11671 CHECK_BYTE_COUNT_SUBR(8);
11672 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
11673 COUNT_BYTES_SUBR(8);
11675 /* allocation size */
11676 CHECK_BYTE_COUNT_SUBR(8);
11677 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11678 COUNT_BYTES_SUBR(8);
11681 fn = get_unicode_or_ascii_string(tvb, &offset, unicode, &fn_len, FALSE, TRUE, bcp);
11682 CHECK_STRING_SUBR(fn);
11683 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
11685 COUNT_BYTES_SUBR(fn_len);
/* The name passes through format_text before it is appended to the item
 * label - presumably to escape non-printable bytes. strlen(fn) relies on fn
 * being NUL-terminated. */
11687 proto_item_append_text(item, ": %s", format_text(fn, strlen(fn)));
11688 proto_item_set_len(item, offset-old_offset);
11691 break; /* no more structures */
11693 /* skip to next structure */
/* padcnt derives from the untrusted neo, measured from the start of this
 * entry; it comes out zero or negative when neo points at or before the
 * current offset. The lines that deal with that case are not part of this
 * listing. NOTE(review): confirm padcnt is forced non-negative before the two
 * macros below, otherwise offset could move backwards and *bcp could grow. */
11694 padcnt = (old_offset + neo) - offset;
11697 * XXX - this is bogus; flag it?
11702 CHECK_BYTE_COUNT_SUBR(padcnt);
11703 COUNT_BYTES_SUBR(padcnt);
11711 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
11712 as described in 4.2.16.11
/*
 * Dissect the SMB_QUERY_FILE_COMPRESSION_INFO block. The visible fields are
 * all fixed size and total 16 bytes: compressed file size (8), compression
 * format (2), unit, chunk and cluster shift (1 each) and 3 reserved bytes.
 * Each field is guarded by a CHECK_BYTE_COUNT_SUBR of its own size.
 * NOTE(review): the *_SUBR macros are defined outside this listing; they
 * appear to stop on short data and to advance offset while reducing *bcp -
 * confirm against their definitions.
 */
11715 dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11716 int offset, guint16 *bcp, gboolean *trunc)
11718 /* compressed file size */
11719 CHECK_BYTE_COUNT_SUBR(8);
11720 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
11721 COUNT_BYTES_SUBR(8);
11723 /* compression format */
11724 CHECK_BYTE_COUNT_SUBR(2);
11725 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
11726 COUNT_BYTES_SUBR(2);
11728 /* compression unit shift */
11729 CHECK_BYTE_COUNT_SUBR(1);
11730 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
11731 COUNT_BYTES_SUBR(1);
11733 /* compression chunk shift */
11734 CHECK_BYTE_COUNT_SUBR(1);
11735 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
11736 COUNT_BYTES_SUBR(1);
11738 /* compression cluster shift */
11739 CHECK_BYTE_COUNT_SUBR(1);
11740 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
11741 COUNT_BYTES_SUBR(1);
11743 /* 3 reserved bytes */
11744 CHECK_BYTE_COUNT_SUBR(3);
11745 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
11746 COUNT_BYTES_SUBR(3);
11752 /* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
/* Value-to-label table for UNIX file types. Only the entries for values 1 to
 * 4 are visible in this listing. */
11754 static const value_string unix_file_type_vals[] = {
11756 { 1, "Directory" },
11757 { 2, "Symbolic link" },
11758 { 3, "Character device" },
11759 { 4, "Block device" },
/*
 * Dissect the SMB_QUERY_FILE_UNIX_BASIC block. The visible fields are all
 * fixed size and total 100 bytes: file size, byte count, three 64-bit
 * timestamps, uid, gid, a 4-byte file type, device major and minor, unique
 * id, permissions and link count.
 * NOTE(review): the *_SUBR macros are defined outside this listing; they
 * appear to stop on short data and to advance offset while reducing *bcp -
 * confirm against their definitions.
 */
11766 dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11767 int offset, guint16 *bcp, gboolean *trunc)
11769 /* End of file (file size) */
11770 CHECK_BYTE_COUNT_SUBR(8);
11771 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
11772 COUNT_BYTES_SUBR(8);
11774 /* Number of bytes */
11775 CHECK_BYTE_COUNT_SUBR(8);
11776 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
11777 COUNT_BYTES_SUBR(8);
/* dissect_nt_64bit_time returns the advanced offset but does not touch *bcp,
 * so the byte count has to be reduced by hand after each timestamp. Only the
 * first of the three adjustments is visible in this listing.
 * NOTE(review): confirm the other two timestamps are followed by the same
 * adjustment, otherwise *bcp overstates the data left. */
11779 /* Last status change */
11780 CHECK_BYTE_COUNT_SUBR(8);
11781 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
11782 *bcp -= 8; /* dissect_nt_64bit_time() increments offset */
11784 /* Last access time */
11785 CHECK_BYTE_COUNT_SUBR(8);
11786 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
11789 /* Last modification time */
11790 CHECK_BYTE_COUNT_SUBR(8);
11791 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
11794 /* File owner uid */
11795 CHECK_BYTE_COUNT_SUBR(8);
11796 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
11797 COUNT_BYTES_SUBR(8);
11799 /* File group gid */
11800 CHECK_BYTE_COUNT_SUBR(8);
11801 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
11802 COUNT_BYTES_SUBR(8);
11805 CHECK_BYTE_COUNT_SUBR(4);
11806 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
11807 COUNT_BYTES_SUBR(4);
11809 /* Major device number */
11810 CHECK_BYTE_COUNT_SUBR(8);
11811 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
11812 COUNT_BYTES_SUBR(8);
11814 /* Minor device number */
11815 CHECK_BYTE_COUNT_SUBR(8);
11816 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
11817 COUNT_BYTES_SUBR(8);
11820 CHECK_BYTE_COUNT_SUBR(8);
11821 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
11822 COUNT_BYTES_SUBR(8);
11825 CHECK_BYTE_COUNT_SUBR(8);
11826 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
11827 COUNT_BYTES_SUBR(8);
11830 CHECK_BYTE_COUNT_SUBR(8);
11831 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
11832 COUNT_BYTES_SUBR(8);
11834 /* Sometimes there is one extra byte in the data field which I
11835 guess could be padding, but we are only using 4 or 8 byte
11836 data types so this is a bit confusing. -tpot */
11842 /* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
/*
 * Dissect the SMB_QUERY_FILE_UNIX_LINK block: a single string, the link
 * destination, decoded as Unicode or ASCII per si->unicode.
 * No length field precedes the string in the visible lines, so its extent is
 * decided inside get_unicode_or_ascii_string (not shown).
 * NOTE(review): confirm that helper is bounded by *bcp; CHECK_STRING_SUBR and
 * COUNT_BYTES_SUBR are defined outside this listing.
 */
11845 dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11846 int offset, guint16 *bcp, gboolean *trunc)
/* pinfo carries _U_ in the signature but is dereferenced on the next line. */
11848 smb_info_t *si = pinfo->private_data;
11852 DISSECTOR_ASSERT(si);
11854 /* Link destination */
11856 fn = get_unicode_or_ascii_string(
11857 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11859 CHECK_STRING_SUBR(fn);
11860 proto_tree_add_string(
11861 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
11862 COUNT_BYTES_SUBR(fn_len);
/*
 * Dissect a POSIX ACL block: a 6-byte header (version, number of file ACEs,
 * number of default ACEs, 2 bytes each) followed by the file ACEs. Each ACE
 * is shown in its own subtree as a type byte, a permission bitmask byte and
 * 8 further bytes whose layout depends on the type.
 * NOTE(review): the switch statement line, the default label and other short
 * lines are absent from this listing, and the *_SUBR macros are defined
 * elsewhere; they appear to stop on short data - confirm against their
 * definitions.
 */
11871 dissect_qpi_unix_acl(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11872 int offset, guint16 *bcp, gboolean *trunc)
11874 guint16 version, num_file_aces, num_def_aces;
11875 static const int *perm_fields[] = {
11876 &hf_smb_posix_ace_perm_read,
11877 &hf_smb_posix_ace_perm_write,
11878 &hf_smb_posix_ace_perm_execute,
11883 CHECK_BYTE_COUNT_SUBR(2);
11884 version = tvb_get_letohs(tvb, offset);
11885 proto_tree_add_item(tree, hf_smb_posix_acl_version, tvb, offset, 2, TRUE);
11886 COUNT_BYTES_SUBR(2);
11888 /* num file acls */
11889 CHECK_BYTE_COUNT_SUBR(2);
11890 num_file_aces = tvb_get_letohs(tvb, offset);
11891 proto_tree_add_item(tree, hf_smb_posix_num_file_aces, tvb, offset, 2, TRUE);
11892 COUNT_BYTES_SUBR(2);
11894 /* num default acls */
11895 CHECK_BYTE_COUNT_SUBR(2);
11896 num_def_aces = tvb_get_letohs(tvb, offset);
11897 proto_tree_add_item(tree, hf_smb_posix_num_def_aces, tvb, offset, 2, TRUE);
11898 COUNT_BYTES_SUBR(2);
/* num_file_aces is an untrusted 16-bit count from the packet. The loop does
 * not validate it against *bcp up front; instead every iteration is gated by
 * the CHECK_BYTE_COUNT_SUBR calls inside it, so a count larger than the data
 * presumably ends at the first failed check.
 * NOTE(review): version and num_def_aces are read and displayed, but no
 * visible line uses them afterwards and no loop over the default ACEs
 * appears in this listing - confirm whether that is intended. */
11900 while(num_file_aces--){
11903 int old_offset = offset;
11906 it = proto_tree_add_text(tree, tvb, offset, 0, "ACE");
11907 tr = proto_item_add_subtree(it, ett_smb_posic_ace);
11910 CHECK_BYTE_COUNT_SUBR(1);
11911 ace_type = tvb_get_guint8(tvb, offset);
11912 proto_tree_add_item(tr, hf_smb_posix_ace_type, tvb, offset, 1, TRUE);
11913 COUNT_BYTES_SUBR(1);
11915 CHECK_BYTE_COUNT_SUBR(1);
11916 proto_tree_add_bitmask(tr, tvb, offset, hf_smb_posix_ace_flags, ett_smb_posix_ace_perms, perm_fields, FALSE);
11917 COUNT_BYTES_SUBR(1);
/* Every branch below, including the unknown-type one, consumes 8 bytes after
 * the 2-byte type and permission header, so each visible ACE is 10 bytes. */
11920 case POSIX_ACE_TYPE_USER_OBJ:
11921 CHECK_BYTE_COUNT_SUBR(4);
11922 proto_tree_add_item(tr, hf_smb_posix_ace_perm_owner_uid, tvb, offset, 4, TRUE);
11923 COUNT_BYTES_SUBR(4);
11925 CHECK_BYTE_COUNT_SUBR(4);
11926 /* 4 reserved bytes */
11927 COUNT_BYTES_SUBR(4);
11929 case POSIX_ACE_TYPE_GROUP_OBJ:
11930 CHECK_BYTE_COUNT_SUBR(4);
11931 proto_tree_add_item(tr, hf_smb_posix_ace_perm_owner_gid, tvb, offset, 4, TRUE);
11932 COUNT_BYTES_SUBR(4);
11934 CHECK_BYTE_COUNT_SUBR(4);
11935 /* 4 reserved bytes */
11936 COUNT_BYTES_SUBR(4);
11939 case POSIX_ACE_TYPE_MASK:
11940 case POSIX_ACE_TYPE_OTHER:
11941 CHECK_BYTE_COUNT_SUBR(8);
11942 /* 8 reserved bytes */
11943 COUNT_BYTES_SUBR(8);
11946 case POSIX_ACE_TYPE_USER:
11947 CHECK_BYTE_COUNT_SUBR(4);
11948 proto_tree_add_item(tr, hf_smb_posix_ace_perm_uid, tvb, offset, 4, TRUE);
11949 COUNT_BYTES_SUBR(4);
11951 CHECK_BYTE_COUNT_SUBR(4);
11952 /* 4 reserved bytes */
11953 COUNT_BYTES_SUBR(4);
11956 case POSIX_ACE_TYPE_GROUP:
11957 CHECK_BYTE_COUNT_SUBR(4);
11958 proto_tree_add_item(tr, hf_smb_posix_ace_perm_gid, tvb, offset, 4, TRUE);
11959 COUNT_BYTES_SUBR(4);
11961 CHECK_BYTE_COUNT_SUBR(4);
11962 /* 4 reserved bytes */
11963 COUNT_BYTES_SUBR(4);
11966 proto_tree_add_text(tr, tvb, offset, 0, "Unknown posix ace type");
11967 CHECK_BYTE_COUNT_SUBR(8);
11969 COUNT_BYTES_SUBR(8);
/* The ACE item was created with length 0; it is sized here from the bytes
 * actually consumed. An early exit from a failed check skips this line. */
11972 proto_item_set_len(it, offset-old_offset);
/*
 * Placeholder for the UNIX XATTR info level: the only visible statement adds
 * a zero-length text item reading Not Implemented yet; no field of the data
 * block is decoded.
 * NOTE(review): every parameter is tagged _U_ although tvb, tree and offset
 * are used in the call below.
 */
11979 dissect_qpi_unix_xattr(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
11980 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
11982 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/*
 * Placeholder for the UNIX attribute flags info level: the only visible
 * statement adds a zero-length text item reading Not Implemented yet; no
 * field of the data block is decoded.
 * NOTE(review): every parameter is tagged _U_ although tvb, tree and offset
 * are used in the call below.
 */
11988 dissect_qpi_unix_attr_flags(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
11989 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
11991 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/*
 * Placeholder for the UNIX permissions info level: the only visible
 * statement adds a zero-length text item reading Not Implemented yet; no
 * field of the data block is decoded.
 * NOTE(review): every parameter is tagged _U_ although tvb, tree and offset
 * are used in the call below.
 */
11997 dissect_qpi_unix_permissions(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
11998 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12000 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/*
 * Placeholder for the UNIX lock info level: the only visible statement adds
 * a zero-length text item reading Not Implemented yet; no field of the data
 * block is decoded.
 * NOTE(review): every parameter is tagged _U_ although tvb, tree and offset
 * are used in the call below.
 */
12006 dissect_qpi_unix_lock(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12007 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12009 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/*
 * Placeholder for the UNIX open info level: the only visible statement adds
 * a zero-length text item reading Not Implemented yet; no field of the data
 * block is decoded.
 * NOTE(review): every parameter is tagged _U_ although tvb, tree and offset
 * are used in the call below.
 */
12015 dissect_qpi_unix_open(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12016 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12018 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/*
 * Placeholder for the UNIX unlink info level: the only visible statement
 * adds a zero-length text item reading Not Implemented yet; no field of the
 * data block is decoded.
 * NOTE(review): every parameter is tagged _U_ although tvb, tree and offset
 * are used in the call below.
 */
12024 dissect_qpi_unix_unlink(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12025 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12027 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
12032 /* this dissects the SMB_QUERY_FILE_NETWORK_OPEN_INFO
/*
 * Dissect the SMB_QUERY_FILE_NETWORK_OPEN_INFO block: the standard 8-byte
 * timestamps (delegated to dissect_smb_standard_8byte_timestamps), then
 * allocation size (8), end of file (8), file attributes (4) and a 4-byte
 * field of unknown meaning.
 * NOTE(review): dissect_file_attributes returns the new offset; no visible
 * line reduces *bcp for those 4 bytes - confirm the adjustment exists in the
 * lines missing from this listing. The *_SUBR macros are defined elsewhere.
 */
12035 dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvbuff_t *tvb,
12036 packet_info *pinfo, proto_tree *tree,
12037 int offset, guint16 *bcp, gboolean *trunc)
12040 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
12045 /* allocation size */
12046 CHECK_BYTE_COUNT_SUBR(8);
12047 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12048 COUNT_BYTES_SUBR(8);
12051 CHECK_BYTE_COUNT_SUBR(8);
12052 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12053 COUNT_BYTES_SUBR(8);
12055 /* File Attributes */
12056 CHECK_BYTE_COUNT_SUBR(4);
12057 offset = dissect_file_attributes(tvb, tree, offset, 4);
12060 /* Unknown, possibly count of network accessors ... */
12061 CHECK_BYTE_COUNT_SUBR(4);
12062 proto_tree_add_item(tree, hf_smb_network_unknown, tvb, offset, 4, TRUE);
12063 COUNT_BYTES_SUBR(4);
12069 /* this dissects the SMB_FILE_ATTRIBUTE_TAG_INFO
/*
 * Dissect the SMB_FILE_ATTRIBUTE_TAG_INFO block: a 4-byte attribute field
 * followed by a 4-byte reparse tag, each guarded by a 4-byte
 * CHECK_BYTE_COUNT_SUBR.
 * NOTE(review): the *_SUBR macros are defined outside this listing; they
 * appear to stop on short data and to advance offset while reducing *bcp.
 */
12072 dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvbuff_t *tvb,
12073 packet_info *pinfo _U_, proto_tree *tree,
12074 int offset, guint16 *bcp, gboolean *trunc)
12077 CHECK_BYTE_COUNT_SUBR(4);
12078 proto_tree_add_item(tree, hf_smb_attribute, tvb, offset, 4, TRUE);
12079 COUNT_BYTES_SUBR(4);
12082 CHECK_BYTE_COUNT_SUBR(4);
12083 proto_tree_add_item(tree, hf_smb_reparse_tag, tvb, offset, 4, TRUE);
12084 COUNT_BYTES_SUBR(4);
12090 /* this dissects the SMB_SET_FILE_DISPOSITION_INFO
12091 as described in 4.2.19.2
/*
 * Dissect the SMB_SET_FILE_DISPOSITION_INFO block: one byte telling whether
 * the file is marked for deletion, guarded by a 1-byte CHECK_BYTE_COUNT_SUBR.
 * NOTE(review): the *_SUBR macros are defined outside this listing.
 */
12094 dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12095 int offset, guint16 *bcp, gboolean *trunc)
12097 /* marked for deletion? */
12098 CHECK_BYTE_COUNT_SUBR(1);
12099 proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, TRUE);
12100 COUNT_BYTES_SUBR(1);
12106 /* this dissects the SMB_SET_FILE_ALLOCATION_INFO
12107 as described in 4.2.19.3
/*
 * Dissect the SMB_SET_FILE_ALLOCATION_INFO block: a single 8-byte allocation
 * size, guarded by an 8-byte CHECK_BYTE_COUNT_SUBR.
 * NOTE(review): the *_SUBR macros are defined outside this listing.
 */
12110 dissect_4_2_19_3(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12111 int offset, guint16 *bcp, gboolean *trunc)
12113 /* file allocation size */
12114 CHECK_BYTE_COUNT_SUBR(8);
12115 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12116 COUNT_BYTES_SUBR(8);
12122 /* this dissects the SMB_SET_FILE_END_OF_FILE_INFO
12123 as described in 4.2.19.4
/*
 * Dissect the SMB_SET_FILE_END_OF_FILE_INFO block: a single 8-byte end of
 * file offset, guarded by an 8-byte CHECK_BYTE_COUNT_SUBR.
 * NOTE(review): the *_SUBR macros are defined outside this listing.
 */
12126 dissect_4_2_19_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12127 int offset, guint16 *bcp, gboolean *trunc)
12129 /* file end of file offset */
12130 CHECK_BYTE_COUNT_SUBR(8);
12131 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12132 COUNT_BYTES_SUBR(8);
12138 /* Set File Rename Info */
/* Label pair for the replace flag of Set File Rename Info; presumably the
 * first string is shown when the flag is set and the second when clear. */
12140 static const true_false_string tfs_smb_replace = {
12141 "Remove target file if it exists",
12142 "Do NOT remove target file if it exists",
/*
 * Dissect the Set File Rename info block: a 4-byte replace flag, a 4-byte
 * root directory handle, a 4-byte target name length and the target name,
 * decoded as Unicode or ASCII per si->unicode.
 * NOTE(review): the *_SUBR macros are defined outside this listing; they
 * appear to stop on short data and to advance offset while reducing *bcp.
 */
12146 dissect_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12147 int offset, guint16 *bcp, gboolean *trunc)
/* pinfo carries _U_ in the signature but is dereferenced on the next line. */
12149 smb_info_t *si = pinfo->private_data;
12151 guint32 target_name_len;
12154 DISSECTOR_ASSERT(si);
12157 CHECK_BYTE_COUNT_SUBR(4);
12158 proto_tree_add_item(tree, hf_smb_replace, tvb, offset, 4, TRUE);
12159 COUNT_BYTES_SUBR(4);
12161 /* Root directory handle */
12162 CHECK_BYTE_COUNT_SUBR(4);
12163 proto_tree_add_item(tree, hf_smb_root_dir_handle, tvb, offset, 4, TRUE);
12164 COUNT_BYTES_SUBR(4);
12166 /* Target name length */
12167 CHECK_BYTE_COUNT_SUBR(4);
12168 target_name_len = tvb_get_letohl(tvb, offset);
12169 proto_tree_add_uint(tree, hf_smb_target_name_len, tvb, offset, 4, target_name_len);
12170 COUNT_BYTES_SUBR(4);
/* target_name_len is an untrusted 32-bit value from the packet and is handed
 * to the string helper through fn_len. No byte-count check against *bcp is
 * visible for it in this listing, so the bound has to come from
 * get_unicode_or_ascii_string (not shown).
 * NOTE(review): confirm the helper rejects a length larger than *bcp, and
 * check the declared type of fn_len - if it is a signed int, values of
 * 0x80000000 and above turn negative on this assignment. */
12173 fn_len = target_name_len;
12174 fn = get_unicode_or_ascii_string(
12175 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12177 CHECK_STRING_SUBR(fn);
12178 proto_tree_add_string(
12179 tree, hf_smb_target_name, tvb, offset, fn_len, fn);
12180 COUNT_BYTES_SUBR(fn_len);
/*
 * Dissect the Set Disposition Information block: one byte holding the
 * delete-on-close flag, guarded by a 1-byte CHECK_BYTE_COUNT_SUBR.
 * si is fetched and asserted non-NULL but not otherwise used in the visible
 * lines; pinfo carries _U_ in the signature although it is dereferenced.
 * NOTE(review): the *_SUBR macros are defined outside this listing.
 */
12187 dissect_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12188 int offset, guint16 *bcp, gboolean *trunc)
12190 smb_info_t *si = pinfo->private_data;
12191 /* const char *fn;*/
12192 /* guint32 target_name_len;*/
12195 DISSECTOR_ASSERT(si);
12197 /* Disposition flags */
12198 CHECK_BYTE_COUNT_SUBR(1);
12199 proto_tree_add_item(tree, hf_smb_disposition_delete_on_close, tvb, offset, 1, TRUE);
12200 COUNT_BYTES_SUBR(1);
/*
 * Dissect the Set Pipe Info block: one byte holding the pipe info flag,
 * guarded by a 1-byte CHECK_BYTE_COUNT_SUBR.
 * si is fetched and asserted non-NULL but not otherwise used in the visible
 * lines; pinfo carries _U_ in the signature although it is dereferenced.
 * NOTE(review): the *_SUBR macros are defined outside this listing.
 */
12207 dissect_sfi_SMB_FILE_PIPE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12208 int offset, guint16 *bcp, gboolean *trunc)
12210 smb_info_t *si = pinfo->private_data;
12212 DISSECTOR_ASSERT(si);
12214 /* pipe info flag */
12215 CHECK_BYTE_COUNT_SUBR(1);
12216 proto_tree_add_item(tree, hf_smb_pipe_info_flag, tvb, offset, 1, TRUE);
12217 COUNT_BYTES_SUBR(1);
12223 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
12224 TRANS2_QUERY_FILE_INFORMATION*/
/*
 * Dispatch on si->info_level to the routine that dissects the data block of
 * TRANS2_QUERY_PATH_INFORMATION and TRANS2_QUERY_FILE_INFORMATION. Every
 * handler receives the running offset and the byte counter bcp and hands back
 * the new offset.
 * NOTE(review): the continuation lines of most calls, the break statements
 * and any default branch are absent from this listing, so what happens for
 * an unlisted info level cannot be stated from here.
 */
12226 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12227 int offset, guint16 *bcp)
12236 si = (smb_info_t *)pinfo->private_data;
12237 DISSECTOR_ASSERT(si);
12239 switch(si->info_level){
12240 case 1: /*Info Standard*/
12241 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
12245 case 2: /*Info Query EA Size*/
12246 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12249 case 3: /*Info Query EAs From List*/
12250 case 4: /*Info Query All EAs*/
12251 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12254 case 6: /*Info Is Name Valid*/
12255 offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
12258 case 0x0101: /*Query File Basic Info*/
12259 case 1004: /* SMB_FILE_BASIC_INFORMATION */
12260 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
12263 case 0x0102: /*Query File Standard Info*/
12264 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
12265 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, bcp,
12268 case 1006: /* SMB_FILE_INTERNAL_INFORMATION */
12269 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, bcp,
12272 case 0x0103: /*Query File EA Info*/
12273 case 1007: /* SMB_FILE_EA_INFORMATION */
12274 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, bcp,
12277 case 0x0104: /*Query File Name Info*/
12278 case 1009: /* SMB_FILE_NAME_INFORMATION */
12279 offset = dissect_qfi_SMB_FILE_ALTERNATE_NAME_INFO(tvb, pinfo, tree, offset, bcp,
12282 case 1014: /* SMB_FILE_POSITION_INFORMATION */
12283 offset = dissect_qfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, bcp,
12286 case 1016: /* SMB_FILE_MODE_INFORMATION */
12287 offset = dissect_qfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, bcp,
12290 case 1017: /* SMB_FILE_ALIGNMENT_INFORMATION */
12291 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, bcp,
12294 case 0x0107: /*Query File All Info*/
12295 case 1018: /* SMB_FILE_ALL_INFORMATION */
12296 offset = dissect_qfi_SMB_FILE_ALL_INFO(tvb, pinfo, tree, offset, bcp,
12299 case 1019: /* SMB_FILE_ALLOCATION_INFORMATION */
12300 offset = dissect_qfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, bcp,
12303 case 1020: /* SMB_FILE_ENDOFFILE_INFORMATION */
12304 offset = dissect_qfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, bcp,
12307 case 0x0108: /*Query File Alt File Info*/
12308 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
12309 offset = dissect_qfi_SMB_FILE_ALTERNATE_NAME_INFO(tvb, pinfo, tree, offset, bcp,
/* Level 1022 forces Unicode and then falls through to share the 0x0109
 * handler. The write goes to the smb_info_t reached through
 * pinfo->private_data, and no visible line restores the previous value, so
 * later users of si->unicode see the forced setting. */
12312 case 1022: /* SMB_FILE_STREAM_INFORMATION */
12313 si->unicode = TRUE;
12314 case 0x0109: /*Query File Stream Info*/
12315 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, bcp,
12316 &trunc, si->unicode);
12318 case 0x010b: /*Query File Compression Info*/
12319 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
12320 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, bcp,
12323 case 1034: /* SMB_FILE_NETWORK_OPEN_INFO */
12324 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, bcp, &trunc);
12326 case 1035: /* SMB_FILE_ATTRIBUTE_TAG_INFO */
12327 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, bcp, &trunc);
12329 case 0x0200: /* Query File Unix Basic*/
12330 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
12333 case 0x0201: /* Query File Unix Link*/
12334 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
/* No dissector call is visible for level 0x0202 in this listing. */
12337 case 0x0202: /* Query File Unix HardLink*/
12338 /* XXX add this from the SNIA doc */
12340 case 0x0204: /* Query File Unix ACL*/
12341 offset = dissect_qpi_unix_acl(tvb, pinfo, tree, offset, bcp,
12344 case 0x0205: /* Query File Unix XATTR*/
12345 offset = dissect_qpi_unix_xattr(tvb, pinfo, tree, offset, bcp,
12348 case 0x0206: /* Query File Unix Attr Flags*/
12349 offset = dissect_qpi_unix_attr_flags(tvb, pinfo, tree, offset, bcp,
12352 case 0x0207: /* Query File Unix Permissions*/
12353 offset = dissect_qpi_unix_permissions(tvb, pinfo, tree, offset, bcp,
12356 case 0x0208: /* Query File Unix Lock*/
12357 offset = dissect_qpi_unix_lock(tvb, pinfo, tree, offset, bcp,
12365 /*dissect the data block for TRANS2_SET_PATH_INFORMATION and
12366 TRANS2_SET_FILE_INFORMATION*/
/*
 * Dispatch on si->info_level to the routine that dissects the data block of
 * TRANS2_SET_PATH_INFORMATION and TRANS2_SET_FILE_INFORMATION. Several
 * levels reuse the query-side dissectors; the same numeric level can map to
 * a different structure than on the query side (0x0102, 0x0103 and 0x0104
 * select the 4.2.19.x set structures here).
 * NOTE(review): the continuation lines of the calls, the break statements
 * and any default branch are absent from this listing, so what happens for
 * an unlisted info level cannot be stated from here.
 */
12368 dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12369 int offset, guint16 *bcp)
12378 si = (smb_info_t *)pinfo->private_data;
12379 DISSECTOR_ASSERT(si);
12381 switch(si->info_level){
12382 case 1: /*Info Standard*/
12383 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
12386 case 2: /*Info Query EA Size*/
12387 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12390 case 4: /*Info Query All EAs*/
12391 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12394 case 0x0101: /*Set File Basic Info*/
12395 case 1004: /* SMB_FILE_BASIC_INFORMATION */
12396 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
12399 case 0x0102: /*Set File Disposition Info*/
12400 offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
12403 case 0x0103: /*Set File Allocation Info*/
12404 offset = dissect_4_2_19_3(tvb, pinfo, tree, offset, bcp,
12407 case 0x0104: /*Set End Of File Info*/
12408 offset = dissect_4_2_19_4(tvb, pinfo, tree, offset, bcp,
12411 case 0x0200: /*Set File Unix Basic. Same as query. */
12412 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
12415 case 0x0201: /*Set File Unix Link. Same as query. */
12416 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
12419 case 0x0202: /*Set File Unix HardLink. Same as link query. */
12420 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
12423 case 0x0204: /* Set File Unix ACL*/
12424 offset = dissect_qpi_unix_acl(tvb, pinfo, tree, offset, bcp,
12427 case 0x0205: /* Set File Unix XATTR*/
12428 offset = dissect_qpi_unix_xattr(tvb, pinfo, tree, offset, bcp,
12431 case 0x0206: /* Set File Unix Attr Flags*/
12432 offset = dissect_qpi_unix_attr_flags(tvb, pinfo, tree, offset, bcp,
12435 case 0x0208: /* Set File Unix Lock*/
12436 offset = dissect_qpi_unix_lock(tvb, pinfo, tree, offset, bcp,
12439 case 0x0209: /* Set File Unix Open*/
12440 offset = dissect_qpi_unix_open(tvb, pinfo, tree, offset, bcp,
12443 case 0x020a: /* Set File Unix Unlink*/
12444 offset = dissect_qpi_unix_unlink(tvb, pinfo, tree, offset, bcp,
12447 case 1010: /* Set File Rename */
12448 offset = dissect_rename_info(tvb, pinfo, tree, offset, bcp,
12451 case 1013: /* Set Disposition Information */
12452 offset = dissect_disposition_info(tvb, pinfo, tree, offset, bcp,
12455 case 1023: /* Set Pipe Info */
12456 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, bcp,
12468 /* XXX: TODO, extra levels discovered by tridge */
/* Label pairs for the individual bits of the quota flags byte; presumably
 * the first string of each pair is shown when the bit is set and the second
 * when it is clear.
 * NOTE(review): the first label of tfs_quota_flags_enabled reads ENABLED of
 * this fs where its counterpart says on this fs - looks like a typo in a
 * user-visible string. */
12476 static const true_false_string tfs_quota_flags_deny_disk = {
12477 "DENY DISK SPACE for users exceeding quota limit",
12478 "Do NOT deny disk space for users exceeding quota limit"
12480 static const true_false_string tfs_quota_flags_log_limit = {
12481 "LOG EVENT when a user exceeds their QUOTA LIMIT",
12482 "Do NOT log event when a user exceeds their quota limit"
12484 static const true_false_string tfs_quota_flags_log_warning = {
12485 "LOG EVENT when a user exceeds their WARNING LEVEL",
12486 "Do NOT log event when a user exceeds their warning level"
12488 static const true_false_string tfs_quota_flags_enabled = {
12489 "Quotas are ENABLED of this fs",
12490 "Quotas are NOT enabled on this fs"
/*
 * Show the one-byte quota flags at offset as a subtree: a summary line with
 * the raw value and Enabled or Disabled (any non-zero mask counts as
 * Enabled), followed by one boolean per flag bit.
 * The function takes no byte counter; the caller is expected to have checked
 * that the byte is available.
 * NOTE(review): the branch keywords around the last two calls are absent
 * from this listing; the comments below describe the visible statements.
 */
12493 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12499 mask = tvb_get_guint8(tvb, offset);
12502 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
12503 "Quota Flags: 0x%02x %s", mask,
12504 mask?"Enabled":"Disabled");
12505 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
12507 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
12508 tvb, offset, 1, mask);
12509 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
12510 tvb, offset, 1, mask);
12511 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
12512 tvb, offset, 1, mask);
/* When some flag is set but bit 0x01 is not, the enabled field is added as a
 * hidden item with the value 0x01, which keeps the display consistent with
 * the Enabled summary above. Otherwise - presumably in an else branch - the
 * field is added from the real mask. */
12514 if(mask && (!(mask&0x01))){
12515 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
12516 tvb, offset, 1, 0x01);
12518 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
12519 tvb, offset, 1, mask);
/*
 * Dissect an NT quota block. The visible fields are all fixed size and total
 * 48 bytes: 24 unknown bytes, the soft quota limit (8), the hard quota limit
 * (8), one byte of quota flags and 7 more unknown bytes.
 * The single flags byte is checked here before dissect_quota_flags reads it.
 * NOTE(review): CHECK_BYTE_COUNT_TRANS_SUBR and COUNT_BYTES_TRANS_SUBR are
 * defined outside this listing; they appear to be the variants for callers
 * without a trunc flag - confirm what they do on short data.
 */
12526 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
12528 /* first 24 bytes are unknown */
12529 CHECK_BYTE_COUNT_TRANS_SUBR(24);
12530 proto_tree_add_item(tree, hf_smb_unknown, tvb,
12532 COUNT_BYTES_TRANS_SUBR(24);
12534 /* number of bytes for quota warning */
12535 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12536 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
12537 COUNT_BYTES_TRANS_SUBR(8);
12539 /* number of bytes for quota limit */
12540 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12541 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
12542 COUNT_BYTES_TRANS_SUBR(8);
12544 /* one byte of quota flags */
12545 CHECK_BYTE_COUNT_TRANS_SUBR(1);
12546 dissect_quota_flags(tvb, tree, offset);
12547 COUNT_BYTES_TRANS_SUBR(1);
12549 /* these 7 bytes are unknown */
12550 CHECK_BYTE_COUNT_TRANS_SUBR(7);
12551 proto_tree_add_item(tree, hf_smb_unknown, tvb,
12553 COUNT_BYTES_TRANS_SUBR(7);
/*
 * Dissect the data block of a TRANSACTION2 request. dc is the data count
 * and subcmd the TRANS2 subcommand that selects the layout.
 * A subtree labelled via trans2_cmd_vals is created over dc bytes, after
 * tvb_ensure_bytes_exist has been called for that same range. Subcommands
 * with a known layout hand offset and the address of dc to a helper
 * (dissect_nt_quota, dissect_spi_loi_vals, dissect_dfs_inconsistency_data);
 * the others are left undecoded. At the end, whatever the visible code has
 * not consumed is added as one hf_smb_unknown item of dc bytes.
 * NOTE(review): dc comes from the request and is untrusted; the helpers
 * reduce it through the pointer, so the final unknown item depends on them
 * keeping dc and offset in step. The switch line, the break statements and
 * the conditions around the first and last items are absent from this
 * listing.
 */
12559 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
12560 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
12562 proto_item *item = NULL;
12563 proto_tree *tree = NULL;
12566 si = (smb_info_t *)pinfo->private_data;
12567 DISSECTOR_ASSERT(si);
12570 tvb_ensure_bytes_exist(tvb, offset, dc);
12571 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12573 val_to_str(subcmd, trans2_cmd_vals,
12574 "Unknown (0x%02x)"));
12575 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
12579 case 0x00: /*TRANS2_OPEN2*/
12580 /* XXX dont know how to decode FEAList */
12582 case 0x01: /*TRANS2_FIND_FIRST2*/
12583 /* XXX dont know how to decode FEAList */
12585 case 0x02: /*TRANS2_FIND_NEXT2*/
12586 /* XXX dont know how to decode FEAList */
12588 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
12589 /* no data field in this request */
12591 case 0x04: /* TRANS2_SET_QUOTA */
12592 offset = dissect_nt_quota(tvb, tree, offset, &dc);
12594 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
12595 /* no data field in this request */
12597 * XXX - "Microsoft Networks SMB File Sharing Protocol
12598 * Extensions Version 3.0, Document Version 1.11,
12599 * July 19, 1990" says there may be "Additional
12600 * FileInfoLevel dependent information" here.
12602 * Was that just a cut-and-pasteo?
12603 * TRANS2_SET_PATH_INFORMATION *does* have that information
12607 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
12608 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
12610 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
12611 /* no data field in this request */
12613 * XXX - "Microsoft Networks SMB File Sharing Protocol
12614 * Extensions Version 3.0, Document Version 1.11,
12615 * July 19, 1990" says there may be "Additional
12616 * FileInfoLevel dependent information" here.
12618 * Was that just a cut-and-pasteo?
12619 * TRANS2_SET_FILE_INFORMATION *does* have that information
12623 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
12624 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
12626 case 0x09: /*TRANS2_FSCTL*/
12627 /*XXX dont know how to decode this yet */
12630 * XXX - "Microsoft Networks SMB File Sharing Protocol
12631 * Extensions Version 3.0, Document Version 1.11,
12632 * July 19, 1990" says this this contains a
12633 * "File system specific data block". (That means we
12634 * may not be able to dissect it in any case.)
12637 case 0x0a: /*TRANS2_IOCTL2*/
12638 /*XXX dont know how to decode this yet */
12641 * XXX - "Microsoft Networks SMB File Sharing Protocol
12642 * Extensions Version 3.0, Document Version 1.11,
12643 * July 19, 1990" says this this contains a
12644 * "Device/function specific data block". (That
12645 * means we may not be able to dissect it in any case.)
12648 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
12649 /*XXX dont know how to decode this yet */
12652 * XXX - "Microsoft Networks SMB File Sharing Protocol
12653 * Extensions Version 3.0, Document Version 1.11,
12654 * July 19, 1990" says this this contains "additional
12655 * level dependent match data".
12658 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
12659 /*XXX dont know how to decode this yet */
12662 * XXX - "Microsoft Networks SMB File Sharing Protocol
12663 * Extensions Version 3.0, Document Version 1.11,
12664 * July 19, 1990" says this this contains "additional
12665 * level dependent monitor information".
12668 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
12669 /* XXX optional FEAList, unknown what FEAList looks like*/
12671 case 0x0e: /*TRANS2_SESSION_SETUP*/
12672 /*XXX dont know how to decode this yet */
12674 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
12675 /* no data field in this request */
12677 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
12678 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
12682 /* ooops there were data we didnt know how to process */
12684 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Generic display of a transaction whose contents are not decoded further:
 * the setup words from s_tvb, then the parameters from p_tvb and the data
 * from d_tvb as hex strings. Each of the three buffers is optional and is
 * skipped when it is NULL.
 * All lengths come from tvb_reported_length. Setup words are shown two bytes
 * at a time as little-endian values while at least 2 bytes remain, so a
 * trailing odd byte in s_tvb is not displayed.
 * NOTE(review): the rest of the parameter list and the conditions around the
 * parameter and data items are absent from this listing.
 */
12693 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
12701 * Show the setup words.
12703 if (s_tvb != NULL) {
12704 length = tvb_reported_length(s_tvb);
12705 for (i = 0, offset = 0; length >= 2;
12706 i++, offset += 2, length -= 2) {
12708 * XXX - add a setup word filterable field?
12710 proto_tree_add_text(tree, s_tvb, offset, 2,
12711 "Setup Word %d: 0x%04x", i,
12712 tvb_get_letohs(s_tvb, offset));
12717 * Show the parameters, if any.
12719 if (p_tvb != NULL) {
12720 length = tvb_reported_length(p_tvb);
12722 proto_tree_add_text(tree, p_tvb, 0, length,
12724 tvb_bytes_to_str(p_tvb, 0, length));
12729 * Show the data, if any.
12731 if (d_tvb != NULL) {
12732 length = tvb_reported_length(d_tvb);
12734 proto_tree_add_text(tree, d_tvb, 0, length,
12735 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
12740 /* This routine handles the following 4 calls
12742 Transaction Secondary 0x26
12744 Transaction2 Secondary 0x33
12747 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
12754 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
12758 const char *an = NULL;
12760 smb_transact2_info_t *t2i;
12761 smb_transact_info_t *tri;
12764 gboolean dissected_trans;
12766 si = (smb_info_t *)pinfo->private_data;
12767 DISSECTOR_ASSERT(si);
12772 /*secondary client request*/
12774 /* total param count, only a 16bit integer here*/
12775 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12778 /* total data count , only 16bit integer here*/
12779 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12783 pc = tvb_get_letohs(tvb, offset);
12784 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
12788 po = tvb_get_letohs(tvb, offset);
12789 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
12793 pd = tvb_get_letohs(tvb, offset);
12794 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
12798 dc = tvb_get_letohs(tvb, offset);
12799 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
12803 od = tvb_get_letohs(tvb, offset);
12804 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
12808 dd = tvb_get_letohs(tvb, offset);
12809 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
12812 if(si->cmd==SMB_COM_TRANSACTION2){
12816 fid = tvb_get_letohs(tvb, offset);
12817 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
12822 /* There are no setup words. */
12827 /* it is not a secondary request */
12829 /* total param count , only a 16 bit integer here*/
12830 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12833 /* total data count , only 16bit integer here*/
12834 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12837 /* max param count , only 16bit integer here*/
12838 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12841 /* max data count, only 16bit integer here*/
12842 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12845 /* max setup count, only 16bit integer here*/
12846 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
12849 /* reserved byte */
12850 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12853 /* transaction flags */
12854 tf = dissect_transaction_flags(tvb, tree, offset);
12858 to = tvb_get_letohl(tvb, offset);
12859 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
12862 /* 2 reserved bytes */
12863 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12867 pc = tvb_get_letohs(tvb, offset);
12868 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
12872 po = tvb_get_letohs(tvb, offset);
12873 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
12876 /* param displacement is zero here */
12880 dc = tvb_get_letohs(tvb, offset);
12881 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
12885 od = tvb_get_letohs(tvb, offset);
12886 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
12889 /* data displacement is zero here */
12893 sc = tvb_get_guint8(tvb, offset);
12894 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
12897 /* reserved byte */
12898 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12901 /* this is where the setup bytes, if any start */
12905 /* if there were any setup bytes, decode them */
12909 case SMB_COM_TRANSACTION2:
12910 /* TRANSACTION2 only has one setup word and
12911 that is the subcommand code.
12913 XXX - except for TRANS2_FSCTL
12914 and TRANS2_IOCTL. */
12915 subcmd = tvb_get_letohs(tvb, offset);
12916 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
12917 tvb, offset, 2, subcmd);
12918 if (check_col(pinfo->cinfo, COL_INFO)) {
12919 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
12920 val_to_str(subcmd, trans2_cmd_vals,
12921 "Unknown (0x%02x)"));
12924 if(!pinfo->fd->flags.visited && si->sip){
12927 * smb_transact2_info_t
12930 t2i = se_alloc(sizeof(smb_transact2_info_t));
12931 t2i->subcmd = subcmd;
12932 t2i->info_level = -1;
12933 t2i->resume_keys = FALSE;
12935 si->sip->extra_info = t2i;
12936 si->sip->extra_info_type = SMB_EI_T2I;
12941 * XXX - process TRANS2_FSCTL and
12942 * TRANS2_IOCTL setup words here.
12946 case SMB_COM_TRANSACTION:
12947 /* TRANSACTION setup words processed below */
12958 /* primary request */
12959 /* name is NULL if transaction2 */
12960 if(si->cmd == SMB_COM_TRANSACTION){
12961 /* Transaction Name */
12962 an = get_unicode_or_ascii_string(tvb, &offset,
12963 si->unicode, &an_len, FALSE, FALSE, &bc);
12966 tvb_ensure_bytes_exist(tvb, offset, an_len);
12967 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
12968 offset, an_len, an);
12969 COUNT_BYTES(an_len);
12974 * The pipe or mailslot arguments for Transaction start with
12975 * the first setup word (or where the first setup word would
12976 * be if there were any setup words), and run to the current
12977 * offset (which could mean that there aren't any).
12980 spc = offset - spo;
12984 /* We have some initial padding bytes.
12986 padcnt = po-offset;
12989 tvb_ensure_bytes_exist(tvb, offset, padcnt);
12990 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
12991 COUNT_BYTES(padcnt);
12994 CHECK_BYTE_COUNT(pc);
12997 case SMB_COM_TRANSACTION2:
12998 /* TRANSACTION2 parameters*/
12999 offset = dissect_transaction2_request_parameters(tvb,
13000 pinfo, tree, offset, subcmd, pc);
13004 case SMB_COM_TRANSACTION:
13005 /* TRANSACTION parameters processed below */
13013 /* We have some initial padding bytes.
13015 padcnt = od-offset;
13018 tvb_ensure_bytes_exist(tvb, offset, padcnt);
13019 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13020 COUNT_BYTES(padcnt);
13023 CHECK_BYTE_COUNT(dc);
13026 case SMB_COM_TRANSACTION2:
13027 /* TRANSACTION2 data*/
13028 offset = dissect_transaction2_request_data(tvb, pinfo,
13029 tree, offset, subcmd, dc);
13033 case SMB_COM_TRANSACTION:
13034 /* TRANSACTION data processed below */
13040 /*TRANSACTION request parameters */
13041 if(si->cmd==SMB_COM_TRANSACTION){
13042 /*XXX replace this block with a function and use that one
13043 for both requests/responses*/
13045 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
13046 tvbuff_t *sp_tvb, *pd_tvb;
13049 if(pc>tvb_length_remaining(tvb, po)){
13050 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
13052 p_tvb = tvb_new_subset(tvb, po, pc, pc);
13058 if(dc>tvb_length_remaining(tvb, od)){
13059 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
13061 d_tvb = tvb_new_subset(tvb, od, dc, dc);
13067 if(sl>tvb_length_remaining(tvb, so)){
13068 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
13070 s_tvb = tvb_new_subset(tvb, so, sl, sl);
13077 if(!pinfo->fd->flags.visited && si->sip){
13079 * Allocate a new smb_transact_info_t
13082 tri = se_alloc(sizeof(smb_transact_info_t));
13084 tri->trans_subcmd = -1;
13085 tri->function = -1;
13087 tri->lanman_cmd = 0;
13088 tri->param_descrip = NULL;
13089 tri->data_descrip = NULL;
13090 tri->aux_data_descrip = NULL;
13091 tri->info_level = -1;
13092 si->sip->extra_info = tri;
13093 si->sip->extra_info_type = SMB_EI_TRI;
13096 * We already filled the structure
13097 * in; don't bother doing so again.
13103 * This is a unidirectional message, for
13104 * which there will be no reply; don't
13105 * bother allocating an "smb_transact_info_t"
13106 * structure for it.
13110 dissected_trans = FALSE;
13113 if(strncmp("\\PIPE\\", an, 6) == 0){
13115 tri->subcmd=TRANSACTION_PIPE;
13118 * A tvbuff containing the setup words and
13121 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
13124 * A tvbuff containing the parameters and the
13127 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
13129 dissected_trans = dissect_pipe_smb(sp_tvb,
13130 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
13133 /* In case we did not see the TreeConnect call,
13134 store this TID here as well as a IPC TID
13135 so we know that future Read/Writes to this
13136 TID is (probably) DCERPC.
13138 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
13139 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
13141 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
13142 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
13144 tri->subcmd=TRANSACTION_MAILSLOT;
13147 * A tvbuff containing the setup words and
13148 * the mailslot path.
13150 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
13151 dissected_trans = dissect_mailslot_smb(sp_tvb,
13152 s_tvb, d_tvb, an+10, pinfo, top_tree);
13154 if (!dissected_trans)
13155 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
13157 if(check_col(pinfo->cinfo, COL_INFO)){
13158 col_append_str(pinfo->cinfo, COL_INFO,
13159 "[transact continuation]");
/*
 * dissect_4_3_4_1: dissects one entry of a TRANS2_FIND_FIRST2 data block;
 * dissect_ff2_response_data() calls it for info level 1 ("Info Standard").
 * Fields added, in order: optional 4-byte resume key, create / access /
 * last-write DOS date+time, data size, allocation size, 2-byte file
 * attributes, 1-byte file name length, file name.
 *
 * bcp points at the caller's remaining byte count.  The CHECK_BYTE_COUNT_SUBR,
 * COUNT_BYTES_SUBR and CHECK_STRING_SUBR macros are defined outside this
 * listing; presumably they bail out (and use trunc) when the count is too
 * small -- TODO confirm against the macro definitions.
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, some declarations, conditions and the return statement).
 */
13172 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13173 int offset, guint16 *bcp, gboolean *trunc)
13177 int old_offset = offset;
13178 proto_item *item = NULL;
13179 proto_tree *tree = NULL;
13181 smb_transact2_info_t *t2i;
13182 gboolean resume_keys = FALSE;
13184 si = (smb_info_t *)pinfo->private_data;
13185 DISSECTOR_ASSERT(si);
/* Only trust extra_info as a TRANSACTION2 record when its type tag says so. */
13187 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
13188 t2i = si->sip->extra_info;
13190 resume_keys = t2i->resume_keys;
/* *bcp is used as the subtree length below, so make sure the tvb really
 * holds that many bytes first. */
13194 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13195 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13196 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13197 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
/* resume key; the condition guarding it is not shown (presumably resume_keys) */
13202 CHECK_BYTE_COUNT_SUBR(4);
13203 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
13204 COUNT_BYTES_SUBR(4);
/* create time */
13208 CHECK_BYTE_COUNT_SUBR(4);
13209 offset = dissect_smb_datetime(tvb, tree, offset,
13210 hf_smb_create_time,
13211 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
/* access time */
13215 CHECK_BYTE_COUNT_SUBR(4);
13216 offset = dissect_smb_datetime(tvb, tree, offset,
13217 hf_smb_access_time,
13218 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
13221 /* last write time */
13222 CHECK_BYTE_COUNT_SUBR(4);
13223 offset = dissect_smb_datetime(tvb, tree, offset,
13224 hf_smb_last_write_time,
13225 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
/* data size */
13229 CHECK_BYTE_COUNT_SUBR(4);
13230 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13231 COUNT_BYTES_SUBR(4);
13233 /* allocation size */
13234 CHECK_BYTE_COUNT_SUBR(4);
13235 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
13236 COUNT_BYTES_SUBR(4);
13238 /* File Attributes */
13239 CHECK_BYTE_COUNT_SUBR(2);
13240 offset = dissect_file_attributes(tvb, tree, offset, 2);
13243 /* file name len */
13244 CHECK_BYTE_COUNT_SUBR(1);
/* the length is a single byte taken straight from the packet */
13245 fn_len = tvb_get_guint8(tvb, offset);
13246 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
13247 COUNT_BYTES_SUBR(1);
/* The if/else choosing between the two increments is not shown in this
 * listing; presumably it tests si->unicode (2-byte vs 1-byte terminator). */
13249 fn_len += 2; /* include terminating '\0' */
13251 fn_len++; /* include terminating '\0' */
/* fn_len is passed by pointer, so the helper may adjust it; bcp is passed
 * too -- presumably as the upper bound on bytes to read, TODO confirm. */
13254 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13255 CHECK_STRING_SUBR(fn);
13256 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13258 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name is passed through format_text() and handed over
 * as a "%s" argument; it is never used as the format string itself. */
13260 if (check_col(pinfo->cinfo, COL_INFO)) {
13261 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13262 format_text(fn, strlen(fn)));
13265 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
/* shrink the item from the provisional *bcp length to the bytes consumed */
13266 proto_item_set_len(item, offset-old_offset);
/*
 * dissect_4_3_4_2: dissects one entry of a TRANS2_FIND_FIRST2 data block;
 * dissect_ff2_response_data() calls it for info levels 2 ("Info Query EA
 * Size") and 3.  Same field sequence as the visible lines show: optional
 * resume key, three DOS date+time stamps, data size, allocation size,
 * 2-byte file attributes, 4-byte EA list length, 1-byte file name length,
 * file name.
 *
 * bcp points at the caller's remaining byte count; the *_SUBR macros that
 * consume it are defined outside this listing (presumably they stop the
 * dissection and use trunc when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, some declarations, conditions and the return statement).
 */
13273 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13274 int offset, guint16 *bcp, gboolean *trunc)
13278 int old_offset = offset;
13279 proto_item *item = NULL;
13280 proto_tree *tree = NULL;
13282 smb_transact2_info_t *t2i;
13283 gboolean resume_keys = FALSE;
13285 si = (smb_info_t *)pinfo->private_data;
13286 DISSECTOR_ASSERT(si);
/* extra_info is only read as a TRANSACTION2 record when the type tag matches */
13288 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
13289 t2i = si->sip->extra_info;
13291 resume_keys = t2i->resume_keys;
/* *bcp becomes the provisional item length, so check the tvb holds it */
13295 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13296 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13297 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13298 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
/* resume key; the condition guarding it is not shown (presumably resume_keys) */
13303 CHECK_BYTE_COUNT_SUBR(4);
13304 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
13305 COUNT_BYTES_SUBR(4);
/* create time */
13309 CHECK_BYTE_COUNT_SUBR(4);
13310 offset = dissect_smb_datetime(tvb, tree, offset,
13311 hf_smb_create_time,
13312 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
/* access time */
13316 CHECK_BYTE_COUNT_SUBR(4);
13317 offset = dissect_smb_datetime(tvb, tree, offset,
13318 hf_smb_access_time,
13319 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
13322 /* last write time */
13323 CHECK_BYTE_COUNT_SUBR(4);
13324 offset = dissect_smb_datetime(tvb, tree, offset,
13325 hf_smb_last_write_time,
13326 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
/* data size */
13330 CHECK_BYTE_COUNT_SUBR(4);
13331 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13332 COUNT_BYTES_SUBR(4);
13334 /* allocation size */
13335 CHECK_BYTE_COUNT_SUBR(4);
13336 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
13337 COUNT_BYTES_SUBR(4);
13339 /* File Attributes */
13340 CHECK_BYTE_COUNT_SUBR(2);
13341 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* EA list length */
13345 CHECK_BYTE_COUNT_SUBR(4);
13346 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13347 COUNT_BYTES_SUBR(4);
13349 /* file name len */
13350 CHECK_BYTE_COUNT_SUBR(1);
/* single length byte taken straight from the packet */
13351 fn_len = tvb_get_guint8(tvb, offset);
13352 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
13353 COUNT_BYTES_SUBR(1);
/* The if/else choosing between the two increments is not shown in this
 * listing; presumably it tests si->unicode. */
13355 fn_len += 2; /* include terminating '\0' */
13357 fn_len++; /* include terminating '\0' */
/* fn_len is passed by pointer, so the helper may adjust it */
13360 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13361 CHECK_STRING_SUBR(fn);
13362 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13364 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() and is a "%s"
 * argument, never the format string. */
13366 if (check_col(pinfo->cinfo, COL_INFO)) {
13367 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13368 format_text(fn, strlen(fn)));
13371 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
/* shrink the item from the provisional *bcp length to the bytes consumed */
13372 proto_item_set_len(item, offset-old_offset);
/*
 * dissect_4_3_4_4: dissects one entry of a TRANS2_FIND_FIRST2 data block;
 * dissect_ff2_response_data() calls it for info level 0x0101 ("Find File
 * Directory Info").  Visible field sequence: 4-byte next entry offset,
 * 4-byte file index, the standard 8-byte timestamps, 8-byte end of file,
 * 8-byte allocation size, extended file attributes, 4-byte file name
 * length, file name, then padding up to the next entry.
 *
 * bcp points at the caller's remaining byte count; the *_SUBR macros that
 * consume it are defined outside this listing (presumably they stop the
 * dissection and use trunc when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, some declarations, conditions and the return statement).
 */
13379 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13380 int offset, guint16 *bcp, gboolean *trunc)
13384 int old_offset = offset;
13385 proto_item *item = NULL;
13386 proto_tree *tree = NULL;
13391 si = (smb_info_t *)pinfo->private_data;
13392 DISSECTOR_ASSERT(si);
/* *bcp becomes the provisional item length, so check the tvb holds it */
13395 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13396 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13397 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13398 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13402 * We assume that the presence of a next entry offset implies the
13403 * absence of a resume key, as appears to be the case for 4.3.4.6.
13406 /* next entry offset */
13407 CHECK_BYTE_COUNT_SUBR(4);
/* neo is a 32-bit value taken from the packet; it drives the skip below */
13408 neo = tvb_get_letohl(tvb, offset);
13409 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13410 COUNT_BYTES_SUBR(4);
/* file index */
13413 CHECK_BYTE_COUNT_SUBR(4);
13414 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13415 COUNT_BYTES_SUBR(4);
13417 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
/* end of file */
13423 CHECK_BYTE_COUNT_SUBR(8);
13424 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
13425 COUNT_BYTES_SUBR(8);
13427 /* allocation size */
13428 CHECK_BYTE_COUNT_SUBR(8);
13429 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13430 COUNT_BYTES_SUBR(8);
13432 /* Extended File Attributes */
13433 CHECK_BYTE_COUNT_SUBR(4);
13434 offset = dissect_file_ext_attr(tvb, tree, offset);
13437 /* file name len */
13438 CHECK_BYTE_COUNT_SUBR(4);
/* 32-bit length from the packet; its declaration is not shown here */
13439 fn_len = tvb_get_letohl(tvb, offset);
13440 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13441 COUNT_BYTES_SUBR(4);
/* fn_len is passed by pointer, so the helper may adjust it */
13444 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13445 CHECK_STRING_SUBR(fn);
13446 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13448 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() and is a "%s"
 * argument, never the format string. */
13450 if (check_col(pinfo->cinfo, COL_INFO)) {
13451 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13452 format_text(fn, strlen(fn)));
13455 /* skip to next structure */
/* NOTE(review): padcnt is derived from the packet-supplied neo.  The lines
 * between this assignment and the CHECK below are missing from the listing;
 * the "bogus" remark suggests a guard for a negative value.  Confirm padcnt
 * is range-checked before COUNT_BYTES_SUBR advances offset. */
13457 padcnt = (old_offset + neo) - offset;
13460 * XXX - this is bogus; flag it?
13465 CHECK_BYTE_COUNT_SUBR(padcnt);
13466 COUNT_BYTES_SUBR(padcnt);
13470 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
/* shrink the item from the provisional *bcp length to the bytes consumed */
13471 proto_item_set_len(item, offset-old_offset);
/*
 * dissect_4_3_4_5: dissects one entry of a TRANS2_FIND_FIRST2 data block;
 * dissect_ff2_response_data() calls it for info level 0x0102 ("Find File
 * Full Directory Info").  Visible field sequence: 4-byte next entry offset,
 * 4-byte file index, the standard 8-byte timestamps, 8-byte end of file,
 * 8-byte allocation size, extended file attributes, 4-byte file name
 * length, 4-byte EA list length, file name, then padding up to the next
 * entry.
 *
 * bcp points at the caller's remaining byte count; the *_SUBR macros that
 * consume it are defined outside this listing (presumably they stop the
 * dissection and use trunc when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, some declarations, conditions and the return statement).
 */
13478 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13479 int offset, guint16 *bcp, gboolean *trunc)
13483 int old_offset = offset;
13484 proto_item *item = NULL;
13485 proto_tree *tree = NULL;
13490 si = (smb_info_t *)pinfo->private_data;
13491 DISSECTOR_ASSERT(si);
/* *bcp becomes the provisional item length, so check the tvb holds it */
13494 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13495 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13496 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13497 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13501 * We assume that the presence of a next entry offset implies the
13502 * absence of a resume key, as appears to be the case for 4.3.4.6.
13505 /* next entry offset */
13506 CHECK_BYTE_COUNT_SUBR(4);
/* neo is a 32-bit value taken from the packet; it drives the skip below */
13507 neo = tvb_get_letohl(tvb, offset);
13508 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13509 COUNT_BYTES_SUBR(4);
/* file index */
13512 CHECK_BYTE_COUNT_SUBR(4);
13513 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13514 COUNT_BYTES_SUBR(4);
13516 /* standard 8-byte timestamps */
13517 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
/* end of file */
13523 CHECK_BYTE_COUNT_SUBR(8);
13524 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
13525 COUNT_BYTES_SUBR(8);
13527 /* allocation size */
13528 CHECK_BYTE_COUNT_SUBR(8);
13529 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13530 COUNT_BYTES_SUBR(8);
13532 /* Extended File Attributes */
13533 CHECK_BYTE_COUNT_SUBR(4);
13534 offset = dissect_file_ext_attr(tvb, tree, offset);
13537 /* file name len */
13538 CHECK_BYTE_COUNT_SUBR(4);
/* 32-bit length from the packet; its declaration is not shown here */
13539 fn_len = tvb_get_letohl(tvb, offset);
13540 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13541 COUNT_BYTES_SUBR(4);
/* EA list length sits between the name length and the name itself */
13544 CHECK_BYTE_COUNT_SUBR(4);
13545 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13546 COUNT_BYTES_SUBR(4);
/* fn_len is passed by pointer, so the helper may adjust it */
13549 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13550 CHECK_STRING_SUBR(fn);
13551 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13553 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() and is a "%s"
 * argument, never the format string. */
13555 if (check_col(pinfo->cinfo, COL_INFO)) {
13556 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13557 format_text(fn, strlen(fn)));
13560 /* skip to next structure */
/* NOTE(review): padcnt is derived from the packet-supplied neo.  The lines
 * between this assignment and the CHECK below are missing from the listing;
 * the "bogus" remark suggests a guard for a negative value.  Confirm padcnt
 * is range-checked before COUNT_BYTES_SUBR advances offset. */
13562 padcnt = (old_offset + neo) - offset;
13565 * XXX - this is bogus; flag it?
13570 CHECK_BYTE_COUNT_SUBR(padcnt);
13571 COUNT_BYTES_SUBR(padcnt);
13575 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
/* shrink the item from the provisional *bcp length to the bytes consumed */
13576 proto_item_set_len(item, offset-old_offset);
/*
 * dissect_4_3_4_6: dissects one entry of a TRANS2_FIND_FIRST2 data block;
 * dissect_ff2_response_data() calls it for info level 0x0104 ("Find File
 * Both Directory Info").  Visible field sequence: 4-byte next entry offset,
 * 4-byte file index, the standard 8-byte timestamps, 8-byte end of file,
 * 8-byte allocation size, extended file attributes, 4-byte file name
 * length, 4-byte EA list length, 1-byte short file name length, 1 reserved
 * byte, a 24-byte short file name field, the long file name, then padding
 * up to the next entry.
 *
 * bcp points at the caller's remaining byte count; the *_SUBR macros that
 * consume it are defined outside this listing (presumably they stop the
 * dissection and use trunc when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, some declarations, conditions and the return statement).
 */
13583 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13584 int offset, guint16 *bcp, gboolean *trunc)
/* both lengths are signed ints that are later filled from packet fields */
13586 int fn_len, sfn_len;
13587 const char *fn, *sfn;
13588 int old_offset = offset;
13589 proto_item *item = NULL;
13590 proto_tree *tree = NULL;
13595 si = (smb_info_t *)pinfo->private_data;
13596 DISSECTOR_ASSERT(si);
/* *bcp becomes the provisional item length, so check the tvb holds it */
13599 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13600 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13601 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13602 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13606 * XXX - I have not seen any of these that contain a resume
13607 * key, even though some of the requests had the "return resume
13611 /* next entry offset */
13612 CHECK_BYTE_COUNT_SUBR(4);
/* neo is a 32-bit value taken from the packet; it drives the skip below */
13613 neo = tvb_get_letohl(tvb, offset);
13614 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13615 COUNT_BYTES_SUBR(4);
/* file index */
13618 CHECK_BYTE_COUNT_SUBR(4);
13619 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13620 COUNT_BYTES_SUBR(4);
13622 /* dissect standard 8-byte timestamps */
13623 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
/* end of file */
13629 CHECK_BYTE_COUNT_SUBR(8);
13630 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
13631 COUNT_BYTES_SUBR(8);
13633 /* allocation size */
13634 CHECK_BYTE_COUNT_SUBR(8);
13635 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13636 COUNT_BYTES_SUBR(8);
13638 /* Extended File Attributes */
13639 CHECK_BYTE_COUNT_SUBR(4);
13640 offset = dissect_file_ext_attr(tvb, tree, offset);
13643 /* file name len */
13644 CHECK_BYTE_COUNT_SUBR(4);
/* a 32-bit packet value stored into the signed int fn_len declared above */
13645 fn_len = tvb_get_letohl(tvb, offset);
13646 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13647 COUNT_BYTES_SUBR(4);
13652 * XXX - in one captures, this has the topmost bit set, and the
13653 * rest of the bits have the value 7. Is the topmost bit being
13654 * set some indication that the value *isn't* the length of
13657 CHECK_BYTE_COUNT_SUBR(4);
13658 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13659 COUNT_BYTES_SUBR(4);
13661 /* short file name len */
13662 CHECK_BYTE_COUNT_SUBR(1);
13663 sfn_len = tvb_get_guint8(tvb, offset);
13664 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
13665 COUNT_BYTES_SUBR(1);
13667 /* reserved byte */
13668 CHECK_BYTE_COUNT_SUBR(1);
13669 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13670 COUNT_BYTES_SUBR(1);
13672 /* short file name - it's not always in Unicode */
/* The string is decoded with sfn_len, but the item below is added with a
 * fixed length of 24 and 24 bytes are consumed regardless of sfn_len. */
13673 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
13674 CHECK_STRING_SUBR(sfn);
13675 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
13677 COUNT_BYTES_SUBR(24);
/* long file name; fn_len is passed by pointer, so the helper may adjust it */
13680 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13681 CHECK_STRING_SUBR(fn);
13682 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13684 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() and is a "%s"
 * argument, never the format string. */
13686 if (check_col(pinfo->cinfo, COL_INFO)) {
13687 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13688 format_text(fn, strlen(fn)));
13691 /* skip to next structure */
/* NOTE(review): padcnt is derived from the packet-supplied neo.  The lines
 * between this assignment and the CHECK below are missing from the listing;
 * the "bogus" remark suggests a guard for a negative value.  Confirm padcnt
 * is range-checked before COUNT_BYTES_SUBR advances offset. */
13693 padcnt = (old_offset + neo) - offset;
13696 * XXX - this is bogus; flag it?
13701 CHECK_BYTE_COUNT_SUBR(padcnt);
13702 COUNT_BYTES_SUBR(padcnt);
13706 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
/* shrink the item from the provisional *bcp length to the bytes consumed */
13707 proto_item_set_len(item, offset-old_offset);
/*
 * dissect_4_3_4_7: dissects one entry of a TRANS2_FIND_FIRST2 data block;
 * dissect_ff2_response_data() calls it for info level 0x0103 ("Find File
 * Names Info").  Visible field sequence: 4-byte next entry offset, 4-byte
 * file index, 4-byte file name length, file name, then padding up to the
 * next entry.
 *
 * bcp points at the caller's remaining byte count; the *_SUBR macros that
 * consume it are defined outside this listing (presumably they stop the
 * dissection and use trunc when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, some declarations, conditions and the return statement).
 */
13714 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13715 int offset, guint16 *bcp, gboolean *trunc)
13719 int old_offset = offset;
13720 proto_item *item = NULL;
13721 proto_tree *tree = NULL;
13726 si = (smb_info_t *)pinfo->private_data;
13727 DISSECTOR_ASSERT(si);
/* *bcp becomes the provisional item length, so check the tvb holds it */
13730 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13731 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13732 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13733 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13737 * We assume that the presence of a next entry offset implies the
13738 * absence of a resume key, as appears to be the case for 4.3.4.6.
13741 /* next entry offset */
13742 CHECK_BYTE_COUNT_SUBR(4);
/* neo is a 32-bit value taken from the packet; it drives the skip below */
13743 neo = tvb_get_letohl(tvb, offset);
13744 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13745 COUNT_BYTES_SUBR(4);
/* file index */
13748 CHECK_BYTE_COUNT_SUBR(4);
13749 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13750 COUNT_BYTES_SUBR(4);
13752 /* file name len */
13753 CHECK_BYTE_COUNT_SUBR(4);
/* 32-bit length from the packet; its declaration is not shown here */
13754 fn_len = tvb_get_letohl(tvb, offset);
13755 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13756 COUNT_BYTES_SUBR(4);
/* fn_len is passed by pointer, so the helper may adjust it */
13759 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13760 CHECK_STRING_SUBR(fn);
13761 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13763 COUNT_BYTES_SUBR(fn_len);
/* The packet-supplied name goes through format_text() and is a "%s"
 * argument, never the format string. */
13765 if (check_col(pinfo->cinfo, COL_INFO)) {
13766 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13767 format_text(fn, strlen(fn)));
13770 /* skip to next structure */
/* NOTE(review): padcnt is derived from the packet-supplied neo.  The lines
 * between this assignment and the CHECK below are missing from the listing;
 * the "bogus" remark suggests a guard for a negative value.  Confirm padcnt
 * is range-checked before COUNT_BYTES_SUBR advances offset. */
13772 padcnt = (old_offset + neo) - offset;
13775 * XXX - this is bogus; flag it?
13780 CHECK_BYTE_COUNT_SUBR(padcnt);
13781 COUNT_BYTES_SUBR(padcnt);
13785 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
/* shrink the item from the provisional *bcp length to the bytes consumed */
13786 proto_item_set_len(item, offset-old_offset);
13792 /* 4.3.4.8 - SMB_FIND_FILE_UNIX */
/*
 * dissect_4_3_4_8: dissects one SMB_FIND_FILE_UNIX entry;
 * dissect_ff2_response_data() calls it for info level 0x0202.  Unlike the
 * other FIND_FIRST2 entry dissectors in this file it adds its fields
 * directly to the tree it is given, without creating a subtree.
 *
 * bcp points at the caller's remaining byte count; the *_SUBR macros that
 * consume it are defined outside this listing (presumably they stop the
 * dissection when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): tvb and pinfo carry the _U_ marker (normally "unused")
 * although both are used in the body.  The gutter numbers jump, so this
 * listing omits lines (return type, the last parameter, braces, some
 * declarations and conditions, and the return statement).
 */
13795 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
13796 proto_tree *tree, int offset, guint16 *bcp,
13799 smb_info_t *si = pinfo->private_data;
13803 DISSECTOR_ASSERT(si);
13805 /* NextEntryOffset */
13806 CHECK_BYTE_COUNT_SUBR(4);
/* displayed only; the visible lines do not use this offset to skip ahead */
13807 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, TRUE);
13808 COUNT_BYTES_SUBR(4);
/* resume key */
13811 CHECK_BYTE_COUNT_SUBR(4);
13812 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, TRUE);
13813 COUNT_BYTES_SUBR(4);
13815 /* End of file (file size) */
13816 CHECK_BYTE_COUNT_SUBR(8);
13817 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
13818 COUNT_BYTES_SUBR(8);
13820 /* Number of bytes */
13821 CHECK_BYTE_COUNT_SUBR(8);
13822 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
13823 COUNT_BYTES_SUBR(8);
13825 /* Last status change */
13826 CHECK_BYTE_COUNT_SUBR(8);
13827 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
13830 /* Last access time */
13831 CHECK_BYTE_COUNT_SUBR(8);
13832 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
13835 /* Last modification time */
13836 CHECK_BYTE_COUNT_SUBR(8);
13837 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
13840 /* File owner uid */
13841 CHECK_BYTE_COUNT_SUBR(8);
13842 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
13843 COUNT_BYTES_SUBR(8);
13845 /* File group gid */
13846 CHECK_BYTE_COUNT_SUBR(8);
13847 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
13848 COUNT_BYTES_SUBR(8);
/* file type */
13851 CHECK_BYTE_COUNT_SUBR(4);
13852 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
13853 COUNT_BYTES_SUBR(4);
13855 /* Major device number */
13856 CHECK_BYTE_COUNT_SUBR(8);
13857 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
13858 COUNT_BYTES_SUBR(8);
13860 /* Minor device number */
13861 CHECK_BYTE_COUNT_SUBR(8);
13862 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
13863 COUNT_BYTES_SUBR(8);
/* unique id */
13866 CHECK_BYTE_COUNT_SUBR(8);
13867 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
13868 COUNT_BYTES_SUBR(8);
/* permissions */
13871 CHECK_BYTE_COUNT_SUBR(8);
13872 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
13873 COUNT_BYTES_SUBR(8);
/* link count */
13876 CHECK_BYTE_COUNT_SUBR(8);
13877 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
13878 COUNT_BYTES_SUBR(8);
/* The string is added under hf_smb_unix_file_link_dest.  No length field is
 * read in the visible lines; fn_len is filled in by the helper. */
13882 fn = get_unicode_or_ascii_string(
13883 tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
13885 CHECK_STRING_SUBR(fn);
13886 proto_tree_add_string(
13887 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
13888 COUNT_BYTES_SUBR(fn_len);
13890 /* Pad to 4 bytes */
/* NOTE(review): the condition guarding this line is not shown (presumably
 * offset % 4 != 0).  The visible line advances offset only; whether *bcp is
 * reduced by the same amount cannot be told from here -- confirm, since a
 * stale *bcp would overstate the bytes left for the next entry. */
13893 offset += 4 - (offset % 4);
13899 /*dissect the data block for TRANS2_FIND_FIRST2*/
/*
 * dissect_ff2_response_data: dispatches one TRANS2_FIND_FIRST2 data entry to
 * the dissector matching si->info_level and stores that dissector's result
 * in offset.  Info levels 2 and 3 share dissect_4_3_4_2().
 *
 * NOTE(review): the body of the default case (unknown info level) and the
 * return statement are not shown in this listing; the level comes from
 * per-conversation state, so confirm the default path consumes or rejects
 * the remaining bytes rather than leaving offset and *bcp unchanged.
 */
13901 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
13902 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
13910 si = (smb_info_t *)pinfo->private_data;
13911 DISSECTOR_ASSERT(si);
13913 switch(si->info_level){
13914 case 1: /*Info Standard*/
13915 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
13918 case 2: /*Info Query EA Size*/
13919 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
13922 case 3: /*Info Query EAs From List same as
13924 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
13927 case 0x0101: /*Find File Directory Info*/
13928 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
13931 case 0x0102: /*Find File Full Directory Info*/
13932 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
13935 case 0x0103: /*Find File Names Info*/
13936 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
13939 case 0x0104: /*Find File Both Directory Info*/
13940 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
13943 case 0x0202: /*Find File UNIX*/
13944 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
13947 default: /* unknown info level */
13955 /* is this one just wrong and should be dissect_fs0105_attributes above ? */
/*
 * dissect_fs_attributes: reads a 32-bit little-endian "FS Attributes" mask
 * at offset, adds a summary item showing it in hex, and adds one boolean
 * per flag underneath.  Every boolean is given the whole mask over the same
 * 4 bytes; presumably each hf_smb_fs_attr_* field carries its own bit mask
 * (the field definitions are not part of this listing).
 *
 * The function does no length check of its own; a visible caller,
 * dissect_qfsi_FS_ATTRIBUTE_INFO(), runs CHECK_BYTE_COUNT_TRANS_SUBR(4)
 * before calling it.
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, declarations, some flag comments, the offset advance and the
 * return statement).
 */
13957 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
13963 mask = tvb_get_letohl(tvb, offset);
13966 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
13967 "FS Attributes: 0x%08x", mask);
13968 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
13970 /* case sensitive search */
13971 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
13972 tvb, offset, 4, mask);
13973 /* case preserved names */
13974 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
13975 tvb, offset, 4, mask);
13976 /* unicode on disk */
13977 proto_tree_add_boolean(tree, hf_smb_fs_attr_uod,
13978 tvb, offset, 4, mask);
13979 /* persistent acls */
13980 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
13981 tvb, offset, 4, mask);
13982 /* file compression */
13983 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
13984 tvb, offset, 4, mask);
13985 /* volume quotas */
13986 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
13987 tvb, offset, 4, mask);
13989 proto_tree_add_boolean(tree, hf_smb_fs_attr_ssf,
13990 tvb, offset, 4, mask);
13991 /* reparse points */
13992 proto_tree_add_boolean(tree, hf_smb_fs_attr_srp,
13993 tvb, offset, 4, mask);
13994 /* remote storage */
13995 proto_tree_add_boolean(tree, hf_smb_fs_attr_srs,
13996 tvb, offset, 4, mask);
13998 proto_tree_add_boolean(tree, hf_smb_fs_attr_sla,
13999 tvb, offset, 4, mask);
14000 /* volume is compressed */
14001 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
14002 tvb, offset, 4, mask);
14004 proto_tree_add_boolean(tree, hf_smb_fs_attr_soids,
14005 tvb, offset, 4, mask);
14007 proto_tree_add_boolean(tree, hf_smb_fs_attr_se,
14008 tvb, offset, 4, mask);
14009 /* named streams */
14010 proto_tree_add_boolean(tree, hf_smb_fs_attr_ns,
14011 tvb, offset, 4, mask);
14012 /* read only volume */
14013 proto_tree_add_boolean(tree, hf_smb_fs_attr_rov,
14014 tvb, offset, 4, mask);
/*
 * dissect_device_characteristics: reads a 32-bit little-endian "Device
 * Characteristics" mask at offset, adds a summary item showing it in hex,
 * and adds one boolean per flag underneath (removable, read only, floppy,
 * write once, remote, mounted, virtual).  Every boolean is given the whole
 * mask over the same 4 bytes; presumably each hf_smb_device_char_* field
 * carries its own bit mask (the field definitions are not part of this
 * listing).
 *
 * The function does no length check of its own; a visible caller,
 * dissect_qfsi_FS_DEVICE_INFO(), runs CHECK_BYTE_COUNT_TRANS_SUBR(4) before
 * calling it.
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, declarations, the offset advance and the return statement).
 */
14023 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
14029 mask = tvb_get_letohl(tvb, offset);
14032 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
14033 "Device Characteristics: 0x%08x", mask);
14034 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
14036 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
14037 tvb, offset, 4, mask);
14038 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
14039 tvb, offset, 4, mask);
14040 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
14041 tvb, offset, 4, mask);
14042 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
14043 tvb, offset, 4, mask);
14044 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
14045 tvb, offset, 4, mask);
14046 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
14047 tvb, offset, 4, mask);
14048 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
14049 tvb, offset, 4, mask);
14056 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
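/*
 * Display strings for the Macintosh capability flags.  In each
 * true_false_string the first string is shown when the flag bit is set and
 * the second when it is clear.
 */
static const true_false_string tfs_smb_mac_access_ctrl = {
	"Macintosh Access Control Supported",
	"Macintosh Access Control Not Supported"
};

static const true_false_string tfs_smb_mac_getset_comments = {
	"Macintosh Get & Set Comments Supported",
	"Macintosh Get & Set Comments Not Supported"
};

/*
 * The "clear" string used to repeat the "set" string, so the decoded flag
 * read "Supported" whatever the bit said.
 */
static const true_false_string tfs_smb_mac_desktopdb_calls = {
	"Macintosh Get & Set Desktop Database Info Supported",
	"Macintosh Get & Set Desktop Database Info Not Supported"
};

static const true_false_string tfs_smb_mac_unique_ids = {
	"Macintosh Unique IDs Supported",
	"Macintosh Unique IDs Not Supported"
};

/*
 * NOTE(review): unlike its siblings this pair reports "Not Supported" for a
 * set bit.  Left unchanged; confirm against the flag's definition, which is
 * not visible here.
 */
static const true_false_string tfs_smb_mac_streams = {
	"Macintosh and Streams Extensions Not Supported",
	"Macintosh and Streams Extensions Supported"
};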
/*
 * dissect_qfsi_FS_VOLUME_INFO: dissects a volume-information block.
 * Visible field sequence: 8-byte create time, 4-byte volume serial number,
 * 4-byte volume label length, 2 reserved bytes, volume label.  The unicode
 * argument selects how the label is decoded.
 *
 * bcp points at the caller's remaining byte count; the *_TRANS_SUBR macros
 * that consume it are defined outside this listing (presumably they stop the
 * dissection when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces, declarations and the return statement).
 */
14084 dissect_qfsi_FS_VOLUME_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp, int unicode)
/* create time */
14090 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14091 offset = dissect_nt_64bit_time(tvb, tree, offset,
14092 hf_smb_create_time);
14095 /* volume serial number */
14096 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14097 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
14098 COUNT_BYTES_TRANS_SUBR(4);
14100 /* volume label length */
14101 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* 32-bit length taken straight from the packet */
14102 vll = tvb_get_letohl(tvb, offset);
14103 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
14104 COUNT_BYTES_TRANS_SUBR(4);
14106 /* 2 reserved bytes */
14107 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14108 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
14109 COUNT_BYTES_TRANS_SUBR(2);
/* NOTE(review): the line that seeds fn_len is not shown (presumably
 * fn_len = vll); fn_len is passed by pointer, so the helper may adjust it. */
14113 fn = get_unicode_or_ascii_string(tvb, &offset, unicode, &fn_len, FALSE, TRUE, bcp);
14114 CHECK_STRING_TRANS_SUBR(fn);
14115 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
14117 COUNT_BYTES_TRANS_SUBR(fn_len);
/*
 * dissect_qfsi_FS_SIZE_INFO: dissects a file-system size block: 8-byte
 * allocation size, 8-byte free allocation units, 4-byte sectors per unit,
 * 4-byte bytes per sector.  Each field is preceded by a
 * CHECK_BYTE_COUNT_TRANS_SUBR for its width and followed by the matching
 * COUNT_BYTES_TRANS_SUBR.
 *
 * bcp points at the caller's remaining byte count; the macros that consume
 * it are defined outside this listing (presumably they stop the dissection
 * when too few bytes remain -- TODO confirm).
 *
 * NOTE(review): the gutter numbers jump, so this listing omits lines (return
 * type, braces and the return statement).
 */
14123 dissect_qfsi_FS_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp)
14125 /* allocation size */
14126 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14127 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
14128 COUNT_BYTES_TRANS_SUBR(8);
14130 /* free allocation units */
14131 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14132 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
14133 COUNT_BYTES_TRANS_SUBR(8);
14135 /* sectors per unit */
14136 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14137 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
14138 COUNT_BYTES_TRANS_SUBR(4);
14140 /* bytes per sector */
14141 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14142 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
14143 COUNT_BYTES_TRANS_SUBR(4);
/*
 * Dissect an FS device information block: a 4-byte device type followed
 * by the device characteristics, which are delegated to
 * dissect_device_characteristics().
 *
 * bcp points to the count of bytes still available; each field is
 * preceded by CHECK_BYTE_COUNT_TRANS_SUBR(4).
 * NOTE(review): for the characteristics field the new offset comes from
 * the helper's return value; the matching adjustment of *bcp is not in
 * the visible lines of this listing - confirm it exists in the file.
 */
14149 dissect_qfsi_FS_DEVICE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp)
/* device type */
14152 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14153 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
14154 COUNT_BYTES_TRANS_SUBR(4);
14156 /* device characteristics */
14157 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14158 offset = dissect_device_characteristics(tvb, tree, offset);
/*
 * Dissect an FS attribute information block: FS attributes (delegated to
 * dissect_fs_attributes()), maximum name length, FS name length and the
 * FS name string.
 *
 * bcp points to the count of bytes still available; unicode is passed
 * through to get_unicode_or_ascii_string().
 *
 * The name length read from the packet (fnl) is only added to the tree
 * in the visible lines; the name itself is fetched by
 * get_unicode_or_ascii_string(), which is handed bcp rather than fnl.
 * NOTE(review): as with the other helpers that return a new offset, the
 * adjustment of *bcp after dissect_fs_attributes() is not visible here.
 */
14165 dissect_qfsi_FS_ATTRIBUTE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp, int unicode)
14170 /* FS attributes */
14171 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14172 offset = dissect_fs_attributes(tvb, tree, offset);
/* maximum name length */
14176 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14177 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
14178 COUNT_BYTES_TRANS_SUBR(4);
14180 /* fs name length */
14181 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14182 fnl = tvb_get_letohl(tvb, offset);
14183 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
14184 COUNT_BYTES_TRANS_SUBR(4);
/* fs name; fn_len is filled in by the string helper */
14188 fn = get_unicode_or_ascii_string(tvb, &offset, unicode, &fn_len, FALSE, TRUE, bcp);
14189 CHECK_STRING_TRANS_SUBR(fn);
14190 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
14192 COUNT_BYTES_TRANS_SUBR(fn_len);
/*
 * Dissect an FS object ID information block by handing it to the SMB2
 * dissector's dissect_smb2_FILE_OBJECTID_BUFFER().
 *
 * The full 64 bytes are checked against *bcp before the helper is
 * called, and the same 64 bytes are counted afterwards; the helper's own
 * return value is not used in the visible lines.
 */
14198 dissect_qfsi_FS_OBJECTID_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp)
14200 CHECK_BYTE_COUNT_TRANS_SUBR(64);
14202 dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
14204 COUNT_BYTES_TRANS_SUBR(64);
/*
 * Dissect an FS full size information block: allocation size, caller
 * free allocation units and actual free allocation units (8 bytes each),
 * then sectors per unit and bytes per sector (4 bytes each).
 *
 * bcp points to the count of bytes still available. Each field is
 * bracketed by CHECK_BYTE_COUNT_TRANS_SUBR(n) before the read and
 * COUNT_BYTES_TRANS_SUBR(n) after it (macros defined outside this
 * listing).
 */
14210 dissect_qfsi_FS_FULL_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp)
14212 /* allocation size */
14213 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14214 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
14215 COUNT_BYTES_TRANS_SUBR(8);
14217 /* caller free allocation units */
14218 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14219 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
14220 COUNT_BYTES_TRANS_SUBR(8);
14222 /* actual free allocation units */
14223 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14224 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
14225 COUNT_BYTES_TRANS_SUBR(8);
14227 /* sectors per unit */
14228 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14229 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
14230 COUNT_BYTES_TRANS_SUBR(4);
14232 /* bytes per sector */
14233 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14234 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
14235 COUNT_BYTES_TRANS_SUBR(4);
/*
 * Dissect the data block of a TRANS2_QUERY_FS_INFORMATION response.
 *
 * The layout is selected by si->info_level, where si is the smb_info_t
 * taken from pinfo->private_data (asserted non-NULL). The level is not
 * carried in the response bytes themselves: elsewhere in this file it is
 * copied into si from the state saved for the matching request, so a
 * response is always interpreted with the layout its request asked for.
 *
 * bcp points to the count of bytes still available. Every fixed-size
 * field read here is preceded by CHECK_BYTE_COUNT_TRANS_SUBR(n), and
 * length fields taken from the packet (label lengths) are only displayed;
 * strings are fetched through get_unicode_or_ascii_string() with bcp.
 *
 * Levels handled in the visible lines: 1, 2, 0x0101/1002, 0x0102/1001,
 * 0x0103/1003, 0x0104/1004, 0x0105/1005, 0x200 (CIFS UNIX info),
 * 0x301 (MAC_QUERY_FS_INFO), 1006 (dissect_nt_quota), 1007 and 1008.
 * NOTE(review): this listing omits several source lines (declarations,
 * break statements, braces, the return); the notes here describe only
 * what the visible lines show.
 */
14241 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
14242 int offset, guint16 *bcp)
14248 proto_item *item = NULL;
14249 proto_tree *ti = NULL;
14255 si = (smb_info_t *)pinfo->private_data;
14256 DISSECTOR_ASSERT(si);
14258 switch(si->info_level){
14259 case 1: /* SMB_INFO_ALLOCATION */
14260 /* filesystem id */
14261 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14262 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
14263 COUNT_BYTES_TRANS_SUBR(4);
14265 /* sectors per unit */
14266 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14267 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
14268 COUNT_BYTES_TRANS_SUBR(4);
/* total units */
14271 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14272 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
14273 COUNT_BYTES_TRANS_SUBR(4);
/* available units */
14276 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14277 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
14278 COUNT_BYTES_TRANS_SUBR(4);
14280 /* bytes per sector, only 16bit integer here */
14281 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14282 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14283 COUNT_BYTES_TRANS_SUBR(2);
14286 case 2: /* SMB_INFO_VOLUME */
14287 /* volume serial number */
14288 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14289 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
14290 COUNT_BYTES_TRANS_SUBR(4);
14292 /* volume label length, only one byte here */
14293 CHECK_BYTE_COUNT_TRANS_SUBR(1);
14294 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
14295 COUNT_BYTES_TRANS_SUBR(1);
/* volume label; note the sixth argument is FALSE here, TRUE in the
 * other label cases of this switch */
14298 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
14299 CHECK_STRING_TRANS_SUBR(fn);
14300 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
14302 COUNT_BYTES_TRANS_SUBR(fn_len);
14305 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
14306 case 1002: /* SMB_FS_LABEL_INFORMATION */
14307 /* volume label length */
14308 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14309 vll = tvb_get_letohl(tvb, offset);
14310 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
14311 COUNT_BYTES_TRANS_SUBR(4);
/* volume label */
14315 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
14316 CHECK_STRING_TRANS_SUBR(fn);
14317 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
14319 COUNT_BYTES_TRANS_SUBR(fn_len);
14322 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
14323 case 1001: /* SMB_FS_VOLUME_INFORMATION */
14324 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, bcp, si->unicode);
14326 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
14327 case 1003: /* SMB_FS_SIZE_INFORMATION */
14328 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, bcp);
14330 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
14331 case 1004: /* SMB_FS_DEVICE_INFORMATION */
14332 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, bcp);
14334 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
14335 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
14336 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, bcp, si->unicode);
14338 case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
14339 proto_item *item = NULL;
14340 proto_tree *subtree = NULL;
14341 guint32 caps_lo, caps_hi;
14343 /* MajorVersionNumber */
14344 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14345 proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, TRUE);
14346 COUNT_BYTES_TRANS_SUBR(2);
14348 /* MinorVersionNumber */
14349 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14350 proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, TRUE);
14351 COUNT_BYTES_TRANS_SUBR(2);
/* capabilities: 8 bytes, fetched as two little-endian 32-bit halves and
 * shown as one item with a flag subtree */
14355 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14357 caps_lo = tvb_get_letohl(tvb, offset);
14358 caps_hi = tvb_get_letohl(tvb, offset + 4);
14361 item = proto_tree_add_text(
14362 tree, tvb, offset, 8, "Capabilities: 0x%08x%08x",
14364 subtree = proto_item_add_subtree(
14365 item, ett_smb_unix_capabilities);
14368 proto_tree_add_boolean(
14369 subtree, hf_smb_unix_capability_fcntl, tvb, offset, 8,
14372 proto_tree_add_boolean(
14373 subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 8,
14376 COUNT_BYTES_TRANS_SUBR(8);
14380 case 0x301: /* MAC_QUERY_FS_INFO */
/* create time */
14382 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14383 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
/* modify time */
14386 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14387 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_modify_time);
/* backup time */
14390 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14391 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_backup_time);
14393 /* Allocation blocks */
14394 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14395 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
14398 COUNT_BYTES_TRANS_SUBR(4);
14399 /* Allocation Block Size */
14400 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14401 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
14403 COUNT_BYTES_TRANS_SUBR(4);
14404 /* Free Block Count */
14405 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14406 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
14408 COUNT_BYTES_TRANS_SUBR(4);
14409 /* Finder Info ... */
/* the 32-byte availability check comes before tvb_get_ptr() is asked
 * for a 32-byte pointer into the buffer */
14410 CHECK_BYTE_COUNT_TRANS_SUBR(32);
14411 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
14413 tvb_get_ptr(tvb, offset,32),
14415 tvb_format_text(tvb, offset, 32));
14416 COUNT_BYTES_TRANS_SUBR(32);
/* Number of root files */
14418 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14419 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
14421 COUNT_BYTES_TRANS_SUBR(4);
14422 /* Number of Root Directories */
14423 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14424 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
14426 COUNT_BYTES_TRANS_SUBR(4);
14427 /* Number of files */
14428 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14429 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
14431 COUNT_BYTES_TRANS_SUBR(4);
/* Number of directories */
14433 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14434 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
14436 COUNT_BYTES_TRANS_SUBR(4);
14437 /* Mac Support Flags */
14438 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* NOTE(review): the flags word is fetched big-endian (tvb_get_ntohl),
 * while the other multi-byte reads in this function use the
 * little-endian getters - confirm this matches the wire format, since
 * it decides which flag bits are shown as set. */
14439 support = tvb_get_ntohl(tvb, offset);
14440 item = proto_tree_add_text(tree, tvb, offset, 4,
14441 "Mac Support Flags: 0x%08x", support);
14442 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
14443 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
14444 tvb, offset, 4, support);
14445 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
14446 tvb, offset, 4, support);
14447 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
14448 tvb, offset, 4, support);
14449 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
14450 tvb, offset, 4, support);
14451 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
14452 tvb, offset, 4, support);
14453 COUNT_BYTES_TRANS_SUBR(4);
14455 case 1006: /* QUERY_FS_QUOTA_INFO */
14456 offset = dissect_nt_quota(tvb, tree, offset, bcp);
14458 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
14459 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, bcp);
14461 case 1008: /* Query Object ID */ {
14462 offset = dissect_qfsi_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, bcp);
/*
 * Dissect the data block of a TRANSACTION2 response.
 *
 * tvb holds only the data block; dc starts as its reported length. The
 * per-request state t2i is taken from si->sip->extra_info when the saved
 * info is of type SMB_EI_T2I. A subtree is created and labelled from
 * t2i->subcmd when the subcommand is known, otherwise an "Unknown
 * Transaction2 Data" item is added. The subcommand then selects the
 * sub-dissector; several subcommands have no data or are not decoded.
 * Any bytes left over are added as hf_smb_unknown with length dc.
 *
 * For FIND_FIRST2/FIND_NEXT2 the entry count is si->info_count, a 16-bit
 * value that the response-parameter dissector in this file reads from
 * the packet. The loop that consumes it is not in the visible lines.
 * NOTE(review): presumably the loop also stops when dc runs out or when
 * dissect_ff2_response_data() sets trunc - confirm, since the count is
 * supplied by the peer.
 * NOTE(review): this listing omits several source lines; see the note
 * at the switch about t2i.
 */
14471 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
14472 proto_tree *parent_tree)
14474 proto_item *item = NULL;
14475 proto_tree *tree = NULL;
14477 smb_transact2_info_t *t2i;
14483 dc = tvb_reported_length(tvb);
14485 si = (smb_info_t *)pinfo->private_data;
14486 DISSECTOR_ASSERT(si);
14488 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
14489 t2i = si->sip->extra_info;
14494 if (t2i != NULL && t2i->subcmd != -1) {
14495 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
14497 val_to_str(t2i->subcmd, trans2_cmd_vals,
14498 "Unknown (0x%02x)"));
14499 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
14501 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
14502 "Unknown Transaction2 Data");
/* NOTE(review): t2i is dereferenced by this switch although the test
 * above allows it to be NULL; the lines in between are missing from
 * this listing - confirm a NULL t2i returns before reaching here. */
14510 switch(t2i->subcmd){
14511 case 0x00: /*TRANS2_OPEN2*/
14512 /* XXX not implemented yet. See SNIA doc */
14514 case 0x01: /*TRANS2_FIND_FIRST2*/
14515 /* returned data */
/* count was read from the response parameter block (16-bit, from the
 * packet) and stored in si by the parameter dissector */
14516 count = si->info_count;
14521 if (count && check_col(pinfo->cinfo, COL_INFO)) {
14522 col_append_str(pinfo->cinfo, COL_INFO,
14527 offset = dissect_ff2_response_data(tvb, pinfo, tree,
14528 offset, &dc, &trunc);
14533 case 0x02: /*TRANS2_FIND_NEXT2*/
14534 /* returned data */
14535 count = si->info_count;
14540 if (count && check_col(pinfo->cinfo, COL_INFO)) {
14541 col_append_str(pinfo->cinfo, COL_INFO,
14546 offset = dissect_ff2_response_data(tvb, pinfo, tree,
14547 offset, &dc, &trunc);
14552 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
14553 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
14555 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
14556 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
14558 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
14559 /* no data in this response */
14561 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
14562 /* identical to QUERY_PATH_INFO */
14563 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
14565 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
14566 /* no data in this response */
14568 case 0x09: /*TRANS2_FSCTL*/
14569 /* XXX dont know how to dissect this one (yet)*/
14572 * XXX - "Microsoft Networks SMB File Sharing Protocol
14573 * Extensions Version 3.0, Document Version 1.11,
14574 * July 19, 1990" says this this contains a
14575 * "File system specific return data block".
14576 * (That means we may not be able to dissect it in any
14580 case 0x0a: /*TRANS2_IOCTL2*/
14581 /* XXX dont know how to dissect this one (yet)*/
14584 * XXX - "Microsoft Networks SMB File Sharing Protocol
14585 * Extensions Version 3.0, Document Version 1.11,
14586 * July 19, 1990" says this this contains a
14587 * "Device/function specific return data block".
14588 * (That means we may not be able to dissect it in any
14592 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
14593 /* XXX dont know how to dissect this one (yet)*/
14596 * XXX - "Microsoft Networks SMB File Sharing Protocol
14597 * Extensions Version 3.0, Document Version 1.11,
14598 * July 19, 1990" says this this contains "the level
14599 * dependent information about the changes which
14603 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
14604 /* XXX dont know how to dissect this one (yet)*/
14607 * XXX - "Microsoft Networks SMB File Sharing Protocol
14608 * Extensions Version 3.0, Document Version 1.11,
14609 * July 19, 1990" says this this contains "the level
14610 * dependent information about the changes which
14614 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
14615 /* no data in this response */
14617 case 0x0e: /*TRANS2_SESSION_SETUP*/
14618 /* XXX dont know how to dissect this one (yet)*/
14620 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
14621 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
14623 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
14624 /* the SNIA spec appears to say the response has no data */
14628 * We don't know what the matching request was; don't
14629 * bother putting anything else into the tree for the data.
14636 /* ooops there were data we didnt know how to process */
14638 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Dissect the parameter block of a TRANSACTION2 response.
 *
 * tvb holds only the parameter block; pc is its reported length. The
 * per-request state t2i is taken from si->sip->extra_info when the saved
 * info is of type SMB_EI_T2I. A subtree is created and labelled from
 * t2i->subcmd when the subcommand is known, otherwise an "Unknown
 * Transaction2 Parameters" item is added. The subcommand then selects
 * which fixed fields are read.
 *
 * Side effect: for FIND_FIRST2, FIND_NEXT2, FIND_NOTIFY_FIRST and
 * FIND_NOTIFY_NEXT the 16-bit count read from the packet is stored in
 * si->info_count, where the response-data dissector picks it up.
 *
 * Unlike the query-FS helpers, no byte-count macros appear in the visible
 * lines: the fields are read straight from tvb, so a short parameter
 * block is caught only by the tvbuff accessors' own bounds checking.
 * Bytes left over after the known fields (pc-offset) are added as
 * hf_smb_unknown.
 * NOTE(review): this listing omits several source lines (offset
 * increments, break statements, braces); see the note at the switch
 * about t2i.
 */
14647 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
14649 proto_item *item = NULL;
14650 proto_tree *tree = NULL;
14652 smb_transact2_info_t *t2i;
14658 pc = tvb_reported_length(tvb);
14660 si = (smb_info_t *)pinfo->private_data;
14661 DISSECTOR_ASSERT(si);
14663 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
14664 t2i = si->sip->extra_info;
14669 if (t2i != NULL && t2i->subcmd != -1) {
14670 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
14672 val_to_str(t2i->subcmd, trans2_cmd_vals,
14673 "Unknown (0x%02x)"));
14674 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
14676 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
14677 "Unknown Transaction2 Parameters");
/* NOTE(review): t2i is dereferenced by this switch although the test
 * above allows it to be NULL; the lines in between are missing from
 * this listing - confirm a NULL t2i returns before reaching here. */
14685 switch(t2i->subcmd){
14686 case 0x00: /*TRANS2_OPEN2*/
/* FID */
14688 fid = tvb_get_letohs(tvb, offset);
14689 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
14693 * XXX - Microsoft Networks SMB File Sharing Protocol
14694 * Extensions Version 3.0, Document Version 1.11,
14695 * July 19, 1990 says that the file attributes, create
14696 * time (which it says is the last modification time),
14697 * data size, granted access, file type, and IPC state
14698 * are returned only if bit 0 is set in the open flags,
14699 * and that the EA length is returned only if bit 3
14700 * is set in the open flags. Does that mean that,
14701 * at least in that SMB dialect, those fields are not
14702 * present in the reply parameters if the bits in
14703 * question aren't set?
14706 /* File Attributes */
14707 offset = dissect_file_attributes(tvb, tree, offset, 2);
14710 offset = dissect_smb_datetime(tvb, tree, offset,
14711 hf_smb_create_time,
14712 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
14715 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
14718 /* granted access */
14719 offset = dissect_access(tvb, tree, offset, "Granted");
14722 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
14726 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
14729 offset = dissect_open_action(tvb, tree, offset);
14731 /* server unique file ID */
14732 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
14735 /* ea error offset, only a 16 bit integer here */
14736 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14740 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
14744 case 0x01: /*TRANS2_FIND_FIRST2*/
14745 /* Find First2 information level */
14746 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
14749 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
14753 si->info_count = tvb_get_letohs(tvb, offset);
14754 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
14757 /* end of search */
14758 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
14761 /* ea error offset, only a 16 bit integer here */
14762 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14765 /* last name offset */
14766 lno = tvb_get_letohs(tvb, offset);
14767 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
14771 case 0x02: /*TRANS2_FIND_NEXT2*/
14773 si->info_count = tvb_get_letohs(tvb, offset);
14774 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
14777 /* end of search */
14778 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
14781 /* ea_error_offset, only a 16 bit integer here*/
14782 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14785 /* last name offset */
14786 lno = tvb_get_letohs(tvb, offset);
14787 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
14791 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
14792 /* no parameter block here */
14794 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
14795 /* ea_error_offset, only a 16 bit integer here*/
14796 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14800 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
14801 /* ea_error_offset, only a 16 bit integer here*/
14802 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14806 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
14807 /* ea_error_offset, only a 16 bit integer here*/
14808 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14812 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
14813 /* ea_error_offset, only a 16 bit integer here*/
14814 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14818 case 0x09: /*TRANS2_FSCTL*/
14819 /* XXX dont know how to dissect this one (yet)*/
14822 * XXX - "Microsoft Networks SMB File Sharing Protocol
14823 * Extensions Version 3.0, Document Version 1.11,
14824 * July 19, 1990" says this this contains a
14825 * "File system specific return parameter block".
14826 * (That means we may not be able to dissect it in any
14830 case 0x0a: /*TRANS2_IOCTL2*/
14831 /* XXX dont know how to dissect this one (yet)*/
14834 * XXX - "Microsoft Networks SMB File Sharing Protocol
14835 * Extensions Version 3.0, Document Version 1.11,
14836 * July 19, 1990" says this this contains a
14837 * "Device/function specific return parameter block".
14838 * (That means we may not be able to dissect it in any
14842 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
14843 /* Find Notify information level */
14844 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
14846 /* Monitor handle */
14847 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
14851 si->info_count = tvb_get_letohs(tvb, offset);
14852 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
14855 /* ea_error_offset, only a 16 bit integer here*/
14856 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14860 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
14861 /* Find Notify information level */
14862 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
14865 si->info_count = tvb_get_letohs(tvb, offset);
14866 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
14869 /* ea_error_offset, only a 16 bit integer here*/
14870 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14874 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
14875 /* ea error offset, only a 16 bit integer here */
14876 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14880 case 0x0e: /*TRANS2_SESSION_SETUP*/
14881 /* XXX dont know how to dissect this one (yet)*/
14883 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
14884 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
14886 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
14887 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
14891 * We don't know what the matching request was; don't
14892 * bother putting anything else into the tree for the data.
14898 /* ooops there were data we didnt know how to process */
14900 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
14901 offset += pc-offset;
/*
 * Dissect an SMB Transaction / Transaction2 response.
 *
 * Steps shown by the visible lines:
 *  1. For SMB_COM_TRANSACTION2, look up the state saved for the request
 *     (t2i). If it is missing, or its subcmd is -1, the subcommand is
 *     reported as unknown; otherwise si->info_level is copied from t2i
 *     and generated items (information level, search pattern / file
 *     name) are added for the FIND_FIRST2, QUERY_PATH, QUERY_FILE and
 *     QUERY_FS subcommands.
 *  2. Read the fixed header: total parameter count (tp), total data
 *     count (td), parameter count/offset/displacement (pc, po, pd),
 *     data count/offset/displacement (dc, od, dd) and the setup count
 *     (sc). All are 16-bit little-endian values from the packet except
 *     sc, which is one byte.
 *  3. Put any setup words in s_tvb. The captured length is limited to
 *     the bytes remaining when 2*sc exceeds them; the reported length
 *     stays 2*sc.
 *  4. If td != dc or tp != pc the PDU is marked fragmented and, when the
 *     smb_trans_reassembly setting is on, the parameter and data pieces
 *     are passed to smb_trans_defragment(). A piece is submitted only
 *     when tvb_length_remaining() at its offset is at least its count,
 *     so a count larger than the captured bytes is never handed over.
 *  5. With a reassembled buffer, p_tvb is the first tp bytes and d_tvb
 *     the td bytes after them. Without one, and only when pd == 0 and
 *     dd == 0, p_tvb and d_tvb are cut straight from this packet with
 *     lengths limited by MIN() against both the captured and the
 *     reported bytes remaining.
 *  6. Padding before the parameter and data areas is added to the tree,
 *     then the Transaction2 parameter/data dissectors, or for
 *     SMB_COM_TRANSACTION the pipe / mailslot / generic dissectors, are
 *     called. pinfo->fragmented is restored before returning.
 *
 * Review notes for the fields that come from the packet:
 *  - NOTE(review): padcnt is computed as po-offset and od-offset; the
 *    conditions guarding those lines are missing from this listing -
 *    confirm padding is added only when the offset field lies beyond
 *    the current position, otherwise the length would be negative.
 *  - NOTE(review): tp and td used to split the reassembled buffer come
 *    from this packet's header while the buffer length comes from
 *    r_fd->datalen; presumably tvb_new_subset() raises a bounds
 *    exception on a mismatch - confirm.
 *  - NOTE(review): the switch on tri->subcmd follows an if that assigns
 *    tri only for SMB_EI_TRI; the else branch and any NULL check are not
 *    in the visible lines - confirm tri cannot be NULL at the switch.
 *  - The existing "XXX - check pc and dc as well?" remark applies to
 *    pd_tvb, which is cut from po to the end of the buffer.
 */
14907 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
14910 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
14912 smb_transact2_info_t *t2i = NULL;
14915 gboolean dissected_trans;
14916 fragment_data *r_fd = NULL;
14917 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
14918 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
14919 gboolean save_fragmented;
14922 si = (smb_info_t *)pinfo->private_data;
14923 DISSECTOR_ASSERT(si);
14926 case SMB_COM_TRANSACTION2:
14928 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
14929 t2i = si->sip->extra_info;
14934 * We didn't see the matching request, so we don't
14935 * know what type of transaction this is.
14937 proto_tree_add_text(tree, tvb, 0, 0,
14938 "Subcommand: <UNKNOWN> since request packet wasn't seen");
14939 if (check_col(pinfo->cinfo, COL_INFO)) {
14940 col_append_str(pinfo->cinfo, COL_INFO, "<unknown>");
14943 si->info_level = t2i->info_level;
14944 if (t2i->subcmd == -1) {
14946 * We didn't manage to extract the subcommand
14947 * from the matching request (perhaps because
14948 * the frame was short), so we don't know what
14949 * type of transaction this is.
14951 proto_tree_add_text(tree, tvb, 0, 0,
14952 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
14953 if (check_col(pinfo->cinfo, COL_INFO)) {
14954 col_append_str(pinfo->cinfo, COL_INFO, "<unknown>");
14957 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
14959 if(t2i && t2i->subcmd==0x0001){
14960 item=proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, t2i->info_level);
14961 PROTO_ITEM_SET_GENERATED(item);
14963 item=proto_tree_add_string(tree, hf_smb_search_pattern, tvb, 0, 0, t2i->name);
14964 PROTO_ITEM_SET_GENERATED(item);
14968 /* QUERY_PATH_INFORMATION */
14969 if(t2i && t2i->subcmd==0x0005){
14970 item=proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level);
14971 PROTO_ITEM_SET_GENERATED(item);
14973 item=proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, t2i->name);
14974 PROTO_ITEM_SET_GENERATED(item);
14977 /* QUERY_FILE_INFORMATION */
14978 if(t2i && t2i->subcmd==0x0007){
14979 item=proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level);
14980 PROTO_ITEM_SET_GENERATED(item);
14982 /* QUERY_FS_INFORMATION */
14983 if(t2i && t2i->subcmd==0x0003){
14984 item=proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, 0, 0, si->info_level);
14985 PROTO_ITEM_SET_GENERATED(item);
14988 if (t2i && check_col(pinfo->cinfo, COL_INFO)) {
14989 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
14990 val_to_str(t2i->subcmd,
14992 "<unknown (0x%02x)>"));
15001 /* total param count, only a 16bit integer here */
15002 tp = tvb_get_letohs(tvb, offset);
15003 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
15006 /* total data count, only a 16 bit integer here */
15007 td = tvb_get_letohs(tvb, offset);
15008 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
15011 /* 2 reserved bytes */
15012 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
15016 pc = tvb_get_letohs(tvb, offset);
15017 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
15021 po = tvb_get_letohs(tvb, offset);
15022 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
15026 pd = tvb_get_letohs(tvb, offset);
15027 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
15031 dc = tvb_get_letohs(tvb, offset);
15032 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
15036 od = tvb_get_letohs(tvb, offset);
15037 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
15041 dd = tvb_get_letohs(tvb, offset);
15042 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
15046 sc = tvb_get_guint8(tvb, offset);
15047 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
15050 /* reserved byte */
15051 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
15055 /* if there were any setup bytes, put them in a tvb for later */
15057 if((2*sc)>tvb_length_remaining(tvb, offset)){
15058 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
15060 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
15062 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
15073 /* reassembly of SMB Transaction data payload.
15074 In this section we do reassembly of both the data and parameters
15075 blocks of the SMB transaction command.
15077 save_fragmented = pinfo->fragmented;
15078 /* do we need reassembly? */
15079 if( (td!=dc) || (tp!=pc) ){
15080 /* oh yeah, either data or parameter section needs
15083 pinfo->fragmented = TRUE;
15084 if(smb_trans_reassembly){
15085 /* ...and we were told to do reassembly */
15086 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
15087 r_fd = smb_trans_defragment(tree, pinfo, tvb,
15088 po, pc, pd, td+tp);
15091 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
15092 r_fd = smb_trans_defragment(tree, pinfo, tvb,
15093 od, dc, dd+tp, td+tp);
15098 /* if we got a reassembled fd structure from the reassembly routine we must
15099 create pd_tvb from it
15102 proto_item *frag_tree_item;
15104 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
15106 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
15107 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
15108 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
15113 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
15115 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
15118 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
15121 /* It was not reassembled. Do as best as we can.
15122 * in this case we always try to dissect the stuff if
15123 * data and param displacement is 0. i.e. for the first
15124 * (and maybe only) packet.
15126 if( (pd==0) && (dd==0) ){
15129 min = MIN(pc,tvb_length_remaining(tvb,po));
15130 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
15131 if(min && reported_min) {
15132 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
15134 min = MIN(dc,tvb_length_remaining(tvb,od));
15135 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
15136 if(min && reported_min) {
15137 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
15140 * A tvbuff containing the parameters
15142 * XXX - check pc and dc as well?
15144 if (tvb_length_remaining(tvb, po)){
15145 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
15154 /* We have some padding bytes.
15156 padcnt = po-offset;
15159 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
15160 COUNT_BYTES(padcnt);
15162 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
15163 /* TRANSACTION2 parameters*/
15164 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
15171 /* We have some initial padding bytes.
15173 padcnt = od-offset;
15176 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
15177 COUNT_BYTES(padcnt);
15180 * If the data count is bigger than the count of bytes
15181 * remaining, clamp it so that the count of bytes remaining
15182 * doesn't go negative.
15190 /* from now on, everything is in separate tvbuffs so we dont count
15191 the bytes with COUNT_BYTES any more.
15192 neither do we reference offset any more (which by now points to the
15193 first byte AFTER this PDU */
15196 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
15197 /* TRANSACTION2 parameters*/
15198 dissect_transaction2_response_data(d_tvb, pinfo, tree);
15202 if(si->cmd==SMB_COM_TRANSACTION){
15203 smb_transact_info_t *tri;
15205 dissected_trans = FALSE;
15206 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_TRI)
15207 tri = si->sip->extra_info;
15211 switch(tri->subcmd){
15213 case TRANSACTION_PIPE:
15214 /* This function is safe to call for
15215 s_tvb==sp_tvb==NULL, i.e. if we don't
15216 know them at this point.
15217 It's also safe to call if "p_tvb"
15218 or "d_tvb" are null.
15221 dissected_trans = dissect_pipe_smb(
15222 sp_tvb, s_tvb, pd_tvb, p_tvb,
15223 d_tvb, NULL, pinfo, top_tree);
15227 case TRANSACTION_MAILSLOT:
15228 /* This one should be safe to call
15229 even if s_tvb and sp_tvb is NULL
15232 dissected_trans = dissect_mailslot_smb(
15233 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
15239 if (!dissected_trans) {
15240 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
15241 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
15246 if( (p_tvb==0) && (d_tvb==0) ){
15247 if(check_col(pinfo->cinfo, COL_INFO)){
15248 col_append_str(pinfo->cinfo, COL_INFO,
15249 "[transact continuation]");
15253 pinfo->fragmented = save_fragmented;
/*
 * Dissect a Find Notify Close message. The only field added in the
 * visible lines is the 2-byte monitor handle; the word-count and
 * byte-count handling around it is not shown in this listing.
 */
15261 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
15268 /* Monitor handle */
15269 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
15279 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15280 END Transaction/Transaction2 Primary and secondary requests
15281 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Fallback dissector for commands without a dedicated routine: the word
 * parameters (wc*2 bytes) and the byte parameters (bc bytes) are added
 * to the tree as opaque text items.
 *
 * tvb_ensure_bytes_exist() is called before each item is added, so a
 * count that runs past the end of the buffer is rejected before an item
 * of that length is created. How wc and bc are read is not shown in the
 * visible lines of this listing.
 */
15285 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
15293 tvb_ensure_bytes_exist(tvb, offset, wc*2);
15294 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
15301 tvb_ensure_bytes_exist(tvb, offset, bc);
15302 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
/*
 * One entry of the per-command dispatch table: a dissector for the
 * request and one for the response of an SMB command. Both take the
 * buffer, packet info, tree and current offset and return an int
 * (presumably the updated offset, as the dissectors in this file do).
 */
15312 typedef struct _smb_function {
15313 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
15314 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
15317 static smb_function smb_dissector[256] = {
15318 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
15319 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
15320 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
15321 /* 0x03 Create File*/ {dissect_create_file_request, dissect_create_file_response},
15322 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
15323 /* 0x05 Flush File*/ {dissect_flush_file_request, dissect_empty},
15324 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
15325 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_rename_file_response},
15326 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
15327 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
15328 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
15329 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
15330 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
15331 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
15332 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
15333 /* 0x0f Create New*/ {dissect_create_file_request, dissect_create_new_response},
15335 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
15336 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
15337 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
15338 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
15339 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
15340 /* 0x15 */ {dissect_unknown, dissect_unknown},
15341 /* 0x16 */ {dissect_unknown, dissect_unknown},
15342 /* 0x17 */ {dissect_unknown, dissect_unknown},
15343 /* 0x18 */ {dissect_unknown, dissect_unknown},
15344 /* 0x19 */ {dissect_unknown, dissect_unknown},
15345 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
15346 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
15347 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
15348 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
15349 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
15350 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
15352 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
15353 /* 0x21 */ {dissect_unknown, dissect_unknown},
15354 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
15355 /* 0x23 Query Info2*/ {dissect_query_information2_request, dissect_query_information2_response},
15356 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
15357 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
15358 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
15359 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
15360 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
15361 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
15362 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
15363 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
15364 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
15365 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
15366 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
15367 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
15369 /* 0x30 */ {dissect_unknown, dissect_unknown},
15370 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
15371 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
15372 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
15373 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
15374 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
15375 /* 0x36 */ {dissect_unknown, dissect_unknown},
15376 /* 0x37 */ {dissect_unknown, dissect_unknown},
15377 /* 0x38 */ {dissect_unknown, dissect_unknown},
15378 /* 0x39 */ {dissect_unknown, dissect_unknown},
15379 /* 0x3a */ {dissect_unknown, dissect_unknown},
15380 /* 0x3b */ {dissect_unknown, dissect_unknown},
15381 /* 0x3c */ {dissect_unknown, dissect_unknown},
15382 /* 0x3d */ {dissect_unknown, dissect_unknown},
15383 /* 0x3e */ {dissect_unknown, dissect_unknown},
15384 /* 0x3f */ {dissect_unknown, dissect_unknown},
15386 /* 0x40 */ {dissect_unknown, dissect_unknown},
15387 /* 0x41 */ {dissect_unknown, dissect_unknown},
15388 /* 0x42 */ {dissect_unknown, dissect_unknown},
15389 /* 0x43 */ {dissect_unknown, dissect_unknown},
15390 /* 0x44 */ {dissect_unknown, dissect_unknown},
15391 /* 0x45 */ {dissect_unknown, dissect_unknown},
15392 /* 0x46 */ {dissect_unknown, dissect_unknown},
15393 /* 0x47 */ {dissect_unknown, dissect_unknown},
15394 /* 0x48 */ {dissect_unknown, dissect_unknown},
15395 /* 0x49 */ {dissect_unknown, dissect_unknown},
15396 /* 0x4a */ {dissect_unknown, dissect_unknown},
15397 /* 0x4b */ {dissect_unknown, dissect_unknown},
15398 /* 0x4c */ {dissect_unknown, dissect_unknown},
15399 /* 0x4d */ {dissect_unknown, dissect_unknown},
15400 /* 0x4e */ {dissect_unknown, dissect_unknown},
15401 /* 0x4f */ {dissect_unknown, dissect_unknown},
15403 /* 0x50 */ {dissect_unknown, dissect_unknown},
15404 /* 0x51 */ {dissect_unknown, dissect_unknown},
15405 /* 0x52 */ {dissect_unknown, dissect_unknown},
15406 /* 0x53 */ {dissect_unknown, dissect_unknown},
15407 /* 0x54 */ {dissect_unknown, dissect_unknown},
15408 /* 0x55 */ {dissect_unknown, dissect_unknown},
15409 /* 0x56 */ {dissect_unknown, dissect_unknown},
15410 /* 0x57 */ {dissect_unknown, dissect_unknown},
15411 /* 0x58 */ {dissect_unknown, dissect_unknown},
15412 /* 0x59 */ {dissect_unknown, dissect_unknown},
15413 /* 0x5a */ {dissect_unknown, dissect_unknown},
15414 /* 0x5b */ {dissect_unknown, dissect_unknown},
15415 /* 0x5c */ {dissect_unknown, dissect_unknown},
15416 /* 0x5d */ {dissect_unknown, dissect_unknown},
15417 /* 0x5e */ {dissect_unknown, dissect_unknown},
15418 /* 0x5f */ {dissect_unknown, dissect_unknown},
15420 /* 0x60 */ {dissect_unknown, dissect_unknown},
15421 /* 0x61 */ {dissect_unknown, dissect_unknown},
15422 /* 0x62 */ {dissect_unknown, dissect_unknown},
15423 /* 0x63 */ {dissect_unknown, dissect_unknown},
15424 /* 0x64 */ {dissect_unknown, dissect_unknown},
15425 /* 0x65 */ {dissect_unknown, dissect_unknown},
15426 /* 0x66 */ {dissect_unknown, dissect_unknown},
15427 /* 0x67 */ {dissect_unknown, dissect_unknown},
15428 /* 0x68 */ {dissect_unknown, dissect_unknown},
15429 /* 0x69 */ {dissect_unknown, dissect_unknown},
15430 /* 0x6a */ {dissect_unknown, dissect_unknown},
15431 /* 0x6b */ {dissect_unknown, dissect_unknown},
15432 /* 0x6c */ {dissect_unknown, dissect_unknown},
15433 /* 0x6d */ {dissect_unknown, dissect_unknown},
15434 /* 0x6e */ {dissect_unknown, dissect_unknown},
15435 /* 0x6f */ {dissect_unknown, dissect_unknown},
15437 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
15438 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
15439 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
15440 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
15441 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
15442 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
15443 /* 0x76 */ {dissect_unknown, dissect_unknown},
15444 /* 0x77 */ {dissect_unknown, dissect_unknown},
15445 /* 0x78 */ {dissect_unknown, dissect_unknown},
15446 /* 0x79 */ {dissect_unknown, dissect_unknown},
15447 /* 0x7a */ {dissect_unknown, dissect_unknown},
15448 /* 0x7b */ {dissect_unknown, dissect_unknown},
15449 /* 0x7c */ {dissect_unknown, dissect_unknown},
15450 /* 0x7d */ {dissect_unknown, dissect_unknown},
15451 /* 0x7e */ {dissect_unknown, dissect_unknown},
15452 /* 0x7f */ {dissect_unknown, dissect_unknown},
15454 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
15455 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
15456 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
15457 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
15458 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
15459 /* 0x85 */ {dissect_unknown, dissect_unknown},
15460 /* 0x86 */ {dissect_unknown, dissect_unknown},
15461 /* 0x87 */ {dissect_unknown, dissect_unknown},
15462 /* 0x88 */ {dissect_unknown, dissect_unknown},
15463 /* 0x89 */ {dissect_unknown, dissect_unknown},
15464 /* 0x8a */ {dissect_unknown, dissect_unknown},
15465 /* 0x8b */ {dissect_unknown, dissect_unknown},
15466 /* 0x8c */ {dissect_unknown, dissect_unknown},
15467 /* 0x8d */ {dissect_unknown, dissect_unknown},
15468 /* 0x8e */ {dissect_unknown, dissect_unknown},
15469 /* 0x8f */ {dissect_unknown, dissect_unknown},
15471 /* 0x90 */ {dissect_unknown, dissect_unknown},
15472 /* 0x91 */ {dissect_unknown, dissect_unknown},
15473 /* 0x92 */ {dissect_unknown, dissect_unknown},
15474 /* 0x93 */ {dissect_unknown, dissect_unknown},
15475 /* 0x94 */ {dissect_unknown, dissect_unknown},
15476 /* 0x95 */ {dissect_unknown, dissect_unknown},
15477 /* 0x96 */ {dissect_unknown, dissect_unknown},
15478 /* 0x97 */ {dissect_unknown, dissect_unknown},
15479 /* 0x98 */ {dissect_unknown, dissect_unknown},
15480 /* 0x99 */ {dissect_unknown, dissect_unknown},
15481 /* 0x9a */ {dissect_unknown, dissect_unknown},
15482 /* 0x9b */ {dissect_unknown, dissect_unknown},
15483 /* 0x9c */ {dissect_unknown, dissect_unknown},
15484 /* 0x9d */ {dissect_unknown, dissect_unknown},
15485 /* 0x9e */ {dissect_unknown, dissect_unknown},
15486 /* 0x9f */ {dissect_unknown, dissect_unknown},
15488 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
15489 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
15490 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
15491 /* 0xa3 */ {dissect_unknown, dissect_unknown},
15492 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
15493 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
15494 /* 0xa6 */ {dissect_unknown, dissect_unknown},
15495 /* 0xa7 */ {dissect_unknown, dissect_unknown},
15496 /* 0xa8 */ {dissect_unknown, dissect_unknown},
15497 /* 0xa9 */ {dissect_unknown, dissect_unknown},
15498 /* 0xaa */ {dissect_unknown, dissect_unknown},
15499 /* 0xab */ {dissect_unknown, dissect_unknown},
15500 /* 0xac */ {dissect_unknown, dissect_unknown},
15501 /* 0xad */ {dissect_unknown, dissect_unknown},
15502 /* 0xae */ {dissect_unknown, dissect_unknown},
15503 /* 0xaf */ {dissect_unknown, dissect_unknown},
15505 /* 0xb0 */ {dissect_unknown, dissect_unknown},
15506 /* 0xb1 */ {dissect_unknown, dissect_unknown},
15507 /* 0xb2 */ {dissect_unknown, dissect_unknown},
15508 /* 0xb3 */ {dissect_unknown, dissect_unknown},
15509 /* 0xb4 */ {dissect_unknown, dissect_unknown},
15510 /* 0xb5 */ {dissect_unknown, dissect_unknown},
15511 /* 0xb6 */ {dissect_unknown, dissect_unknown},
15512 /* 0xb7 */ {dissect_unknown, dissect_unknown},
15513 /* 0xb8 */ {dissect_unknown, dissect_unknown},
15514 /* 0xb9 */ {dissect_unknown, dissect_unknown},
15515 /* 0xba */ {dissect_unknown, dissect_unknown},
15516 /* 0xbb */ {dissect_unknown, dissect_unknown},
15517 /* 0xbc */ {dissect_unknown, dissect_unknown},
15518 /* 0xbd */ {dissect_unknown, dissect_unknown},
15519 /* 0xbe */ {dissect_unknown, dissect_unknown},
15520 /* 0xbf */ {dissect_unknown, dissect_unknown},
15522 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_open_print_file_response},
15523 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
15524 /* 0xc2 Close Print File*/ {dissect_close_print_file_request, dissect_empty},
15525 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
15526 /* 0xc4 */ {dissect_unknown, dissect_unknown},
15527 /* 0xc5 */ {dissect_unknown, dissect_unknown},
15528 /* 0xc6 */ {dissect_unknown, dissect_unknown},
15529 /* 0xc7 */ {dissect_unknown, dissect_unknown},
15530 /* 0xc8 */ {dissect_unknown, dissect_unknown},
15531 /* 0xc9 */ {dissect_unknown, dissect_unknown},
15532 /* 0xca */ {dissect_unknown, dissect_unknown},
15533 /* 0xcb */ {dissect_unknown, dissect_unknown},
15534 /* 0xcc */ {dissect_unknown, dissect_unknown},
15535 /* 0xcd */ {dissect_unknown, dissect_unknown},
15536 /* 0xce */ {dissect_unknown, dissect_unknown},
15537 /* 0xcf */ {dissect_unknown, dissect_unknown},
15539 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
15540 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
15541 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
15542 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
15543 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
15544 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
15545 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
15546 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
15547 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
15548 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
15549 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
15550 /* 0xdb */ {dissect_unknown, dissect_unknown},
15551 /* 0xdc */ {dissect_unknown, dissect_unknown},
15552 /* 0xdd */ {dissect_unknown, dissect_unknown},
15553 /* 0xde */ {dissect_unknown, dissect_unknown},
15554 /* 0xdf */ {dissect_unknown, dissect_unknown},
15556 /* 0xe0 */ {dissect_unknown, dissect_unknown},
15557 /* 0xe1 */ {dissect_unknown, dissect_unknown},
15558 /* 0xe2 */ {dissect_unknown, dissect_unknown},
15559 /* 0xe3 */ {dissect_unknown, dissect_unknown},
15560 /* 0xe4 */ {dissect_unknown, dissect_unknown},
15561 /* 0xe5 */ {dissect_unknown, dissect_unknown},
15562 /* 0xe6 */ {dissect_unknown, dissect_unknown},
15563 /* 0xe7 */ {dissect_unknown, dissect_unknown},
15564 /* 0xe8 */ {dissect_unknown, dissect_unknown},
15565 /* 0xe9 */ {dissect_unknown, dissect_unknown},
15566 /* 0xea */ {dissect_unknown, dissect_unknown},
15567 /* 0xeb */ {dissect_unknown, dissect_unknown},
15568 /* 0xec */ {dissect_unknown, dissect_unknown},
15569 /* 0xed */ {dissect_unknown, dissect_unknown},
15570 /* 0xee */ {dissect_unknown, dissect_unknown},
15571 /* 0xef */ {dissect_unknown, dissect_unknown},
15573 /* 0xf0 */ {dissect_unknown, dissect_unknown},
15574 /* 0xf1 */ {dissect_unknown, dissect_unknown},
15575 /* 0xf2 */ {dissect_unknown, dissect_unknown},
15576 /* 0xf3 */ {dissect_unknown, dissect_unknown},
15577 /* 0xf4 */ {dissect_unknown, dissect_unknown},
15578 /* 0xf5 */ {dissect_unknown, dissect_unknown},
15579 /* 0xf6 */ {dissect_unknown, dissect_unknown},
15580 /* 0xf7 */ {dissect_unknown, dissect_unknown},
15581 /* 0xf8 */ {dissect_unknown, dissect_unknown},
15582 /* 0xf9 */ {dissect_unknown, dissect_unknown},
15583 /* 0xfa */ {dissect_unknown, dissect_unknown},
15584 /* 0xfb */ {dissect_unknown, dissect_unknown},
15585 /* 0xfc */ {dissect_unknown, dissect_unknown},
15586 /* 0xfd */ {dissect_unknown, dissect_unknown},
15587 /* 0xfe */ {dissect_unknown, dissect_unknown},
15588 /* 0xff */ {dissect_unknown, dissect_unknown},
/* Dissect one SMB command block: append the command name and direction to
 * the Info column, open a subtree for the command, optionally add a
 * generated FID item, then hand off to the request or response routine that
 * smb_dissector[] lists for cmd and end the command item at the offset that
 * routine returns.
 * smb_dissector[cmd] and decode_smb_name(cmd) are indexed with no range
 * check. cmd is a guint8, so this is in bounds only while smb_dissector[]
 * keeps its 256 slots and smb_cmd_vals[] keeps one entry per command code.
 * sip is assigned on a line not shown here; it is NULL-checked before its
 * fid fields are read. */
15592 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
15595 smb_saved_info_t *sip;
15597 si = pinfo->private_data;
/* si is dereferenced throughout the rest of the function; the assertion
 * reports a dissector bug rather than letting a NULL si be used. */
15598 DISSECTOR_ASSERT(si);
15601 proto_item *cmd_item;
15602 proto_tree *cmd_tree;
15603 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
15605 if (check_col(pinfo->cinfo, COL_INFO)) {
15607 col_append_fstr(pinfo->cinfo, COL_INFO,
15609 decode_smb_name(cmd),
15610 (si->request)? "Request" : "Response");
15612 col_append_fstr(pinfo->cinfo, COL_INFO,
15614 decode_smb_name(cmd));
15619 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
15621 decode_smb_name(cmd),
15622 (si->request)?"Request":"Response",
15625 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
15627 /* we track FIDs on a per transaction basis.
15628 if this was a request and the fid was seen in a reply
15629 we add a "generated" fid tree for this pdu and v.v.
15632 if (sip && sip->fid) {
15633 if( (si->request && (!sip->fid_seen_in_request))
15634 ||((!si->request) && sip->fid_seen_in_request) ){
15635 dissect_smb_fid(tvb, pinfo, cmd_tree, offset, 0, sip->fid, FALSE, FALSE, TRUE);
15639 dissector = (si->request)?
15640 smb_dissector[cmd].request:smb_dissector[cmd].response;
15642 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
15643 proto_item_set_end(cmd_item, tvb, offset);
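15649 /* NOTE: this value_string array is also used to access data directly by
15650 * index instead of through val_to_str(), since
15651 * 1, the array will always span every value from 0x00 to 0xff and
15652 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
15653 * This means that this value_string array MUST always
15654 * 1, contain all entries 0x00 to 0xff
15655 * 2, have all entries in order.
 * decode_smb_name() reads smb_cmd_vals[cmd].strptr for a guint8 cmd with no
 * bounds check, so a missing entry shifts every later name and leaves the
 * highest command codes indexing at or beyond the end of the table.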
15657 const value_string smb_cmd_vals[] = {
15658 { 0x00, "Create Directory" },
15659 { 0x01, "Delete Directory" },
15661 { 0x03, "Create" },
15664 { 0x06, "Delete" },
15665 { 0x07, "Rename" },
15666 { 0x08, "Query Information" },
15667 { 0x09, "Set Information" },
15670 { 0x0C, "Lock Byte Range" },
15671 { 0x0D, "Unlock Byte Range" },
15672 { 0x0E, "Create Temp" },
15673 { 0x0F, "Create New" },
15674 { 0x10, "Check Directory" },
15675 { 0x11, "Process Exit" },
15677 { 0x13, "Lock And Read" },
15678 { 0x14, "Write And Unlock" },
15679 { 0x15, "unknown-0x15" },
15680 { 0x16, "unknown-0x16" },
15681 { 0x17, "unknown-0x17" },
15682 { 0x18, "unknown-0x18" },
15683 { 0x19, "unknown-0x19" },
15684 { 0x1A, "Read Raw" },
15685 { 0x1B, "Read MPX" },
15686 { 0x1C, "Read MPX Secondary" },
15687 { 0x1D, "Write Raw" },
15688 { 0x1E, "Write MPX" },
15689 { 0x1F, "Write MPX Secondary" },
15690 { 0x20, "Write Complete" },
15691 { 0x21, "unknown-0x21" },
15692 { 0x22, "Set Information2" },
15693 { 0x23, "Query Information2" },
15694 { 0x24, "Locking AndX" },
15696 { 0x26, "Trans Secondary" },
15698 { 0x28, "IOCTL Secondary" },
15702 { 0x2C, "Write And Close" },
15703 { 0x2D, "Open AndX" },
15704 { 0x2E, "Read AndX" },
15705 { 0x2F, "Write AndX" },
15706 { 0x30, "unknown-0x30" },
15707 { 0x31, "Close And Tree Disconnect" },
15708 { 0x32, "Trans2" },
15709 { 0x33, "Trans2 Secondary" },
15710 { 0x34, "Find Close2" },
15711 { 0x35, "Find Notify Close" },
15712 { 0x36, "unknown-0x36" },
15713 { 0x37, "unknown-0x37" },
15714 { 0x38, "unknown-0x38" },
15715 { 0x39, "unknown-0x39" },
15716 { 0x3A, "unknown-0x3A" },
15717 { 0x3B, "unknown-0x3B" },
15718 { 0x3C, "unknown-0x3C" },
15719 { 0x3D, "unknown-0x3D" },
15720 { 0x3E, "unknown-0x3E" },
15721 { 0x3F, "unknown-0x3F" },
15722 { 0x40, "unknown-0x40" },
15723 { 0x41, "unknown-0x41" },
15724 { 0x42, "unknown-0x42" },
15725 { 0x43, "unknown-0x43" },
15726 { 0x44, "unknown-0x44" },
15727 { 0x45, "unknown-0x45" },
15728 { 0x46, "unknown-0x46" },
15729 { 0x47, "unknown-0x47" },
15730 { 0x48, "unknown-0x48" },
15731 { 0x49, "unknown-0x49" },
15732 { 0x4A, "unknown-0x4A" },
15733 { 0x4B, "unknown-0x4B" },
15734 { 0x4C, "unknown-0x4C" },
15735 { 0x4D, "unknown-0x4D" },
15736 { 0x4E, "unknown-0x4E" },
15737 { 0x4F, "unknown-0x4F" },
15738 { 0x50, "unknown-0x50" },
15739 { 0x51, "unknown-0x51" },
15740 { 0x52, "unknown-0x52" },
15741 { 0x53, "unknown-0x53" },
15742 { 0x54, "unknown-0x54" },
15743 { 0x55, "unknown-0x55" },
15744 { 0x56, "unknown-0x56" },
15745 { 0x57, "unknown-0x57" },
15746 { 0x58, "unknown-0x58" },
15747 { 0x59, "unknown-0x59" },
15748 { 0x5A, "unknown-0x5A" },
15749 { 0x5B, "unknown-0x5B" },
15750 { 0x5C, "unknown-0x5C" },
15751 { 0x5D, "unknown-0x5D" },
15752 { 0x5E, "unknown-0x5E" },
15753 { 0x5F, "unknown-0x5F" },
15754 { 0x60, "unknown-0x60" },
15755 { 0x61, "unknown-0x61" },
15756 { 0x62, "unknown-0x62" },
15757 { 0x63, "unknown-0x63" },
15758 { 0x64, "unknown-0x64" },
15759 { 0x65, "unknown-0x65" },
15760 { 0x66, "unknown-0x66" },
15761 { 0x67, "unknown-0x67" },
15762 { 0x68, "unknown-0x68" },
15763 { 0x69, "unknown-0x69" },
15764 { 0x6A, "unknown-0x6A" },
15765 { 0x6B, "unknown-0x6B" },
15766 { 0x6C, "unknown-0x6C" },
15767 { 0x6D, "unknown-0x6D" },
15768 { 0x6E, "unknown-0x6E" },
15769 { 0x6F, "unknown-0x6F" },
15770 { 0x70, "Tree Connect" },
15771 { 0x71, "Tree Disconnect" },
15772 { 0x72, "Negotiate Protocol" },
15773 { 0x73, "Session Setup AndX" },
15774 { 0x74, "Logoff AndX" },
15775 { 0x75, "Tree Connect AndX" },
15776 { 0x76, "unknown-0x76" },
15777 { 0x77, "unknown-0x77" },
15778 { 0x78, "unknown-0x78" },
15779 { 0x79, "unknown-0x79" },
15780 { 0x7A, "unknown-0x7A" },
15781 { 0x7B, "unknown-0x7B" },
15782 { 0x7C, "unknown-0x7C" },
15783 { 0x7D, "unknown-0x7D" },
15784 { 0x7E, "unknown-0x7E" },
15785 { 0x7F, "unknown-0x7F" },
15786 { 0x80, "Query Information Disk" },
15787 { 0x81, "Search" },
15789 { 0x83, "Find Unique" },
15790 { 0x84, "Find Close" },
15791 { 0x85, "unknown-0x85" },
15792 { 0x86, "unknown-0x86" },
15793 { 0x87, "unknown-0x87" },
15794 { 0x88, "unknown-0x88" },
15795 { 0x89, "unknown-0x89" },
15796 { 0x8A, "unknown-0x8A" },
15797 { 0x8B, "unknown-0x8B" },
15798 { 0x8C, "unknown-0x8C" },
15799 { 0x8D, "unknown-0x8D" },
15800 { 0x8E, "unknown-0x8E" },
15801 { 0x8F, "unknown-0x8F" },
15802 { 0x90, "unknown-0x90" },
15803 { 0x91, "unknown-0x91" },
15804 { 0x92, "unknown-0x92" },
15805 { 0x93, "unknown-0x93" },
15806 { 0x94, "unknown-0x94" },
15807 { 0x95, "unknown-0x95" },
15808 { 0x96, "unknown-0x96" },
15809 { 0x97, "unknown-0x97" },
15810 { 0x98, "unknown-0x98" },
15811 { 0x99, "unknown-0x99" },
15812 { 0x9A, "unknown-0x9A" },
15813 { 0x9B, "unknown-0x9B" },
15814 { 0x9C, "unknown-0x9C" },
15815 { 0x9D, "unknown-0x9D" },
15816 { 0x9E, "unknown-0x9E" },
15817 { 0x9F, "unknown-0x9F" },
15818 { 0xA0, "NT Trans" },
15819 { 0xA1, "NT Trans Secondary" },
15820 { 0xA2, "NT Create AndX" },
15821 { 0xA3, "unknown-0xA3" },
15822 { 0xA4, "NT Cancel" },
15823 { 0xA5, "NT Rename" },
15824 { 0xA6, "unknown-0xA6" },
15825 { 0xA7, "unknown-0xA7" },
15826 { 0xA8, "unknown-0xA8" },
15827 { 0xA9, "unknown-0xA9" },
15828 { 0xAA, "unknown-0xAA" },
15829 { 0xAB, "unknown-0xAB" },
15830 { 0xAC, "unknown-0xAC" },
15831 { 0xAD, "unknown-0xAD" },
15832 { 0xAE, "unknown-0xAE" },
15833 { 0xAF, "unknown-0xAF" },
15834 { 0xB0, "unknown-0xB0" },
15835 { 0xB1, "unknown-0xB1" },
15836 { 0xB2, "unknown-0xB2" },
15837 { 0xB3, "unknown-0xB3" },
15838 { 0xB4, "unknown-0xB4" },
15839 { 0xB5, "unknown-0xB5" },
15840 { 0xB6, "unknown-0xB6" },
15841 { 0xB7, "unknown-0xB7" },
15842 { 0xB8, "unknown-0xB8" },
15843 { 0xB9, "unknown-0xB9" },
15844 { 0xBA, "unknown-0xBA" },
15845 { 0xBB, "unknown-0xBB" },
15846 { 0xBC, "unknown-0xBC" },
15847 { 0xBD, "unknown-0xBD" },
15848 { 0xBE, "unknown-0xBE" },
15849 { 0xBF, "unknown-0xBF" },
15850 { 0xC0, "Open Print File" },
15851 { 0xC1, "Write Print File" },
15852 { 0xC2, "Close Print File" },
15853 { 0xC3, "Get Print Queue" },
15854 { 0xC4, "unknown-0xC4" },
15855 { 0xC5, "unknown-0xC5" },
15856 { 0xC6, "unknown-0xC6" },
15857 { 0xC7, "unknown-0xC7" },
15858 { 0xC8, "unknown-0xC8" },
15859 { 0xC9, "unknown-0xC9" },
15860 { 0xCA, "unknown-0xCA" },
15861 { 0xCB, "unknown-0xCB" },
15862 { 0xCC, "unknown-0xCC" },
15863 { 0xCD, "unknown-0xCD" },
15864 { 0xCE, "unknown-0xCE" },
15865 { 0xCF, "unknown-0xCF" },
15866 { 0xD0, "Send Single Block Message" },
15867 { 0xD1, "Send Broadcast Message" },
15868 { 0xD2, "Forward User Name" },
15869 { 0xD3, "Cancel Forward" },
15870 { 0xD4, "Get Machine Name" },
15871 { 0xD5, "Send Start of Multi-block Message" },
15872 { 0xD6, "Send End of Multi-block Message" },
15873 { 0xD7, "Send Text of Multi-block Message" },
15874 { 0xD8, "SMBreadbulk" },
15875 { 0xD9, "SMBwritebulk" },
15876 { 0xDA, "SMBwritebulkdata" },
15877 { 0xDB, "unknown-0xDB" },
15878 { 0xDC, "unknown-0xDC" },
15879 { 0xDD, "unknown-0xDD" },
15880 { 0xDE, "unknown-0xDE" },
15881 { 0xDF, "unknown-0xDF" },
15882 { 0xE0, "unknown-0xE0" },
15883 { 0xE1, "unknown-0xE1" },
15884 { 0xE2, "unknown-0xE2" },
15885 { 0xE3, "unknown-0xE3" },
15886 { 0xE4, "unknown-0xE4" },
15887 { 0xE5, "unknown-0xE5" },
15888 { 0xE6, "unknown-0xE6" },
15889 { 0xE7, "unknown-0xE7" },
15890 { 0xE8, "unknown-0xE8" },
15891 { 0xE9, "unknown-0xE9" },
15892 { 0xEA, "unknown-0xEA" },
15893 { 0xEB, "unknown-0xEB" },
15894 { 0xEC, "unknown-0xEC" },
15895 { 0xED, "unknown-0xED" },
15896 { 0xEE, "unknown-0xEE" },
15897 { 0xEF, "unknown-0xEF" },
15898 { 0xF0, "unknown-0xF0" },
15899 { 0xF1, "unknown-0xF1" },
15900 { 0xF2, "unknown-0xF2" },
15901 { 0xF3, "unknown-0xF3" },
15902 { 0xF4, "unknown-0xF4" },
15903 { 0xF5, "unknown-0xF5" },
15904 { 0xF6, "unknown-0xF6" },
15905 { 0xF7, "unknown-0xF7" },
15906 { 0xF8, "unknown-0xF8" },
15907 { 0xF9, "unknown-0xF9" },
15908 { 0xFA, "unknown-0xFA" },
15909 { 0xFB, "unknown-0xFB" },
15910 { 0xFC, "unknown-0xFC" },
15911 { 0xFD, "unknown-0xFD" },
15912 { 0xFE, "SMBinvalid" },
15913 { 0xFF, "unknown-0xFF" },
/* Return the display name for an SMB command code by indexing smb_cmd_vals[]
 * directly. There is no bounds check: the access is in range only because
 * cmd is a guint8 (0x00-0xff) and the table is required to hold one entry
 * per code, in order. The result points into the const table; callers must
 * not modify or free it. */
15917 static const char *decode_smb_name(guint8 cmd)
15919 return(smb_cmd_vals[cmd].strptr);
15924 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15925 * Everything TVBUFFIFIED above this line
15926 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* g_slist_foreach() callback used by smb_init_protocol(): ctarg is one
 * conv_tables_t from the conv_tables list, and the hash tables it holds
 * (unmatched, matched, tid_service) are destroyed. user_data is unused. */
15930 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
15932 conv_tables_t *ct = ctarg;
15935 g_hash_table_destroy(ct->unmatched);
15937 g_hash_table_destroy(ct->matched);
15938 if (ct->tid_service)
15939 g_hash_table_destroy(ct->tid_service);
/* Reset the dissector's conversation-table state: destroy the hash tables of
 * every conv_tables entry (via free_hash_tables), free the list itself, and
 * set conv_tables to NULL so the freed list cannot be reached again.
 * Presumably registered as the protocol's init routine -- confirm against
 * the registration code. */
15944 smb_init_protocol(void)
15947 * Free the hash tables attached to the conversation table
15948 * structures, and then free the list of conversation table
15952 g_slist_foreach(conv_tables, free_hash_tables, NULL);
15953 g_slist_free(conv_tables);
15954 conv_tables = NULL;
15958 static const value_string errcls_types[] = {
15959 { SMB_SUCCESS, "Success"},
15960 { SMB_ERRDOS, "DOS Error"},
15961 { SMB_ERRSRV, "Server Error"},
15962 { SMB_ERRHRD, "Hardware Error"},
15963 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
15967 /* Error codes for the ERRSRV class */
15969 static const value_string SRV_errors[] = {
15970 {SMBE_error, "Non specific error code"},
15971 {SMBE_badpw, "Bad password"},
15972 {SMBE_badtype, "Reserved"},
15973 {SMBE_access, "No permissions to perform the requested operation"},
15974 {SMBE_invnid, "TID invalid"},
15975 {SMBE_invnetname, "Invalid network name. Service not found"},
15976 {SMBE_invdevice, "Invalid device"},
15977 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
15978 {SMBE_qfull, "Print queue full"},
15979 {SMBE_qtoobig, "Queued item too big"},
15980 {SMBE_qeof, "EOF on print queue dump"},
15981 {SMBE_invpfid, "Invalid print file in smb_fid"},
15982 {SMBE_smbcmd, "Unrecognised command"},
15983 {SMBE_srverror, "SMB server internal error"},
15984 {SMBE_filespecs, "Fid and pathname invalid combination"},
15985 {SMBE_badlink, "Bad link in request ???"},
15986 {SMBE_badpermits, "Access specified for a file is not valid"},
15987 {SMBE_badpid, "Bad process id in request"},
15988 {SMBE_setattrmode, "Attribute mode invalid"},
15989 {SMBE_paused, "Message server paused"},
15990 {SMBE_msgoff, "Not receiving messages"},
15991 {SMBE_noroom, "No room for message"},
15992 {SMBE_rmuns, "Too many remote usernames"},
15993 {SMBE_timeout, "Operation timed out"},
15994 {SMBE_noresource, "No resources currently available for request."},
15995 {SMBE_toomanyuids, "Too many userids"},
15996 {SMBE_baduid, "Bad userid"},
15997 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
15998 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
15999 {SMBE_contMPX, "Resume MPX mode"},
16000 {SMBE_badPW, "Bad Password???"},
16001 {SMBE_nosupport, "Operation not supported"},
16005 /* Error codes for the ERRHRD class */
16007 static const value_string HRD_errors[] = {
16008 {SMBE_nowrite, "Read only media"},
16009 {SMBE_badunit, "Unknown device"},
16010 {SMBE_notready, "Drive not ready"},
16011 {SMBE_badcmd, "Unknown command"},
16012 {SMBE_data, "Data (CRC) error"},
16013 {SMBE_badreq, "Bad request structure length"},
16014 {SMBE_seek, "Seek error"},
16015 {SMBE_badmedia, "Unknown media type"},
16016 {SMBE_badsector, "Sector not found"},
16017 {SMBE_nopaper, "Printer out of paper"},
16018 {SMBE_write, "Write fault"},
16019 {SMBE_read, "Read fault"},
16020 {SMBE_general, "General failure"},
16021 {SMBE_badshare, "A open conflicts with an existing open"},
16022 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
16023 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
16024 {SMBE_FCBunavail, "No FCBs are available to process request"},
16025 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
16026 {SMBE_diskfull, "Disk full???"},
/* Map a DOS-style (error class, error code) pair to display text.
 * The branch taken depends on errcls; the selecting labels are on lines not
 * shown here. Codes are looked up with val_to_str() in DOS_errors,
 * SRV_errors or HRD_errors, and a code missing from the chosen table yields
 * the "Unknown ... error (%x)" fallback rather than a failed lookup. An
 * unrecognised class yields "Unknown error class!".
 * The result is either a string literal or whatever val_to_str() returns;
 * callers must not free it. */
16030 static const char *decode_smb_error(guint8 errcls, guint16 errcode)
16037 return("No Error"); /* No error ??? */
16041 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
16045 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
16049 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
16053 return("Unknown error class!");
/* Display strings for the individual bits of the SMB header Flags byte.
 * Each true_false_string gives the text for the bit being set, then the
 * text for it being clear. They pair by name with the hf_smb_flags_* fields
 * added in dissect_smb_flags(). */
16059 static const true_false_string tfs_smb_flags_lock = {
16060 "Lock&Read, Write&Unlock are supported",
16061 "Lock&Read, Write&Unlock are not supported"
16063 static const true_false_string tfs_smb_flags_receive_buffer = {
16064 "Receive buffer has been posted",
16065 "Receive buffer has not been posted"
16067 static const true_false_string tfs_smb_flags_caseless = {
16068 "Path names are caseless",
16069 "Path names are case sensitive"
16071 static const true_false_string tfs_smb_flags_canon = {
16072 "Pathnames are canonicalized",
16073 "Pathnames are not canonicalized"
16075 static const true_false_string tfs_smb_flags_oplock = {
16076 "OpLock requested/granted",
16077 "OpLock not requested/granted"
16079 static const true_false_string tfs_smb_flags_notify = {
16080 "Notify client on all modifications",
16081 "Notify client only on open"
16083 static const true_false_string tfs_smb_flags_response = {
16084 "Message is a response to the client/redirector",
16085 "Message is a request to the server"
/* Dissect the one-byte SMB header Flags field at offset. The byte is read
 * with tvb_get_guint8() and shown as a "Flags: 0x.." item with one boolean
 * per flag bit underneath. Every boolean is passed the whole mask; the bit
 * it displays is presumably selected by the bitmask in its hf_ registration
 * (not shown here) -- confirm. */
16089 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
16095 mask = tvb_get_guint8(tvb, offset);
16098 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
16099 "Flags: 0x%02x", mask);
16100 tree = proto_item_add_subtree(item, ett_smb_flags);
16102 proto_tree_add_boolean(tree, hf_smb_flags_response,
16103 tvb, offset, 1, mask);
16104 proto_tree_add_boolean(tree, hf_smb_flags_notify,
16105 tvb, offset, 1, mask);
16106 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
16107 tvb, offset, 1, mask);
16108 proto_tree_add_boolean(tree, hf_smb_flags_canon,
16109 tvb, offset, 1, mask);
16110 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
16111 tvb, offset, 1, mask);
16112 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
16113 tvb, offset, 1, mask);
16114 proto_tree_add_boolean(tree, hf_smb_flags_lock,
16115 tvb, offset, 1, mask);
/* Display strings for the individual bits of the 16-bit SMB header Flags2
 * field. Each true_false_string gives the text for the bit being set, then
 * the text for it being clear. They pair by name with the hf_smb_flags2_*
 * fields added in dissect_smb_flags2(). tfs_smb_flags2_sec_sig and
 * tfs_smb_flags2_esn describe what the header advertises for security
 * signatures and extended security negotiation. */
16124 static const true_false_string tfs_smb_flags2_long_names_allowed = {
16125 "Long file names are allowed in the response",
16126 "Long file names are not allowed in the response"
16128 static const true_false_string tfs_smb_flags2_ea = {
16129 "Extended attributes are supported",
16130 "Extended attributes are not supported"
16132 static const true_false_string tfs_smb_flags2_sec_sig = {
16133 "Security signatures are supported",
16134 "Security signatures are not supported"
16136 static const true_false_string tfs_smb_flags2_long_names_used = {
16137 "Path names in request are long file names",
16138 "Path names in request are not long file names"
16140 static const true_false_string tfs_smb_flags2_esn = {
16141 "Extended security negotiation is supported",
16142 "Extended security negotiation is not supported"
16144 static const true_false_string tfs_smb_flags2_dfs = {
16145 "Resolve pathnames with Dfs",
16146 "Don't resolve pathnames with Dfs"
16148 static const true_false_string tfs_smb_flags2_roe = {
16149 "Permit reads if execute-only",
16150 "Don't permit reads if execute-only"
16152 static const true_false_string tfs_smb_flags2_nt_error = {
16153 "Error codes are NT error codes",
16154 "Error codes are DOS error codes"
16156 static const true_false_string tfs_smb_flags2_string = {
16157 "Strings are Unicode",
16158 "Strings are ASCII"
/*
 * Dissect the two-byte, little-endian SMB Flags2 field found at 'offset'.
 *
 * Adds a "Flags2: 0x...." text item under parent_tree and, beneath it,
 * one boolean item per registered flag bit, highest bit first.  The
 * value is fetched through tvb_get_letohs(), so a truncated header is
 * left to the tvbuff accessor's own bounds handling rather than checked
 * here.
 *
 * Returns the offset of the byte that follows the field.
 *
 * NOTE(review): the return type, the parent_tree guard and the final
 * offset advance were not present in the listing and are restored; the
 * caller in dissect_smb() assigns this function's result to 'offset'.
 */
static int
dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	/* Registered flag fields, in the order they are displayed. */
	const int *flag_fields[] = {
		&hf_smb_flags2_string,
		&hf_smb_flags2_nt_error,
		&hf_smb_flags2_roe,
		&hf_smb_flags2_dfs,
		&hf_smb_flags2_esn,
		&hf_smb_flags2_long_names_used,
		&hf_smb_flags2_sec_sig,
		&hf_smb_flags2_ea,
		&hf_smb_flags2_long_names_allowed
	};
	proto_item *flags_item = NULL;
	proto_tree *flags_tree = NULL;
	guint16 flag_word;
	guint idx;

	flag_word = tvb_get_letohs(tvb, offset);

	if (parent_tree) {
		flags_item = proto_tree_add_text(parent_tree, tvb, offset, 2,
			"Flags2: 0x%04x", flag_word);
		flags_tree = proto_item_add_subtree(flags_item, ett_smb_flags2);
	}

	/* Each field's own bitmask selects its bit out of flag_word. */
	for (idx = 0; idx < sizeof flag_fields / sizeof flag_fields[0]; idx++) {
		proto_tree_add_boolean(flags_tree, *flag_fields[idx],
			tvb, offset, 2, flag_word);
	}

	return offset + 2;
}
/* Direction bit of the SMB Flags byte: dissect_smb() treats the message as a request when this bit is clear. */
16199 #define SMB_FLAGS_DIRN 0x80
/*
 * dissect_smb - dissect one SMB message starting at its 4-byte marker.
 *
 * NOTE(review): this listing carries the original file's line numbers and
 * skips some lines (gaps in the numbering), so several declarations,
 * braces and branch heads are not visible; the notes below describe only
 * what the visible lines do.
 *
 * Visible steps:
 *  - sets the Protocol column to "SMB" and clears the Info column;
 *  - reads the command byte (offset+4), Flags (offset+9), Flags2
 *    (offset+10) and TID/PID/UID/MID (offset+24 to offset+30) from the
 *    tvb and stores them in an smb_info_t allocated with ep_alloc();
 *  - finds or creates the conversation and its conv_tables_t (matched,
 *    unmatched and tid_service hash tables plus fid/tid/uid trees);
 *  - on the first pass over a frame, pairs requests and responses through
 *    the unmatched table keyed on pid_mid and records the result in the
 *    matched table keyed on (frame, pid_mid); on later passes it only
 *    looks the frame up in the matched table;
 *  - adds the header fields to the tree, publishes si through
 *    pinfo->private_data, queues the tap and calls dissect_smb_command();
 *  - for responses, appends the NT status or DOS error text to the Info
 *    column.
 *
 * Points for anyone relying on the output:
 *  - every value used for matching (PID, MID, command, direction bit) is
 *    taken from the packet, and the code's own comments say the pairing
 *    can fail when MIDs are reused or frames are missing, so the generated
 *    "Response to", "Response in", "Cancellation to" and "Continuation to"
 *    items are a best-effort association, not proof that two frames
 *    belong together;
 *  - the 8-byte signature field is added as raw bytes; no check of it is
 *    visible in this function.
 */
16203 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
16206 proto_item *item = NULL, *hitem = NULL;
16207 proto_tree *tree = NULL, *htree = NULL;
16208 proto_item *tmp_item=NULL;
16212 smb_saved_info_t *sip = NULL;
16213 smb_saved_info_key_t key;
16214 smb_saved_info_key_t *new_key;
16215 guint8 errclass = 0;
16216 guint16 errcode = 0;
16218 conversation_t *conversation;
16219 nstime_t t, deltat;
16221 si=ep_alloc(sizeof(smb_info_t));
16223 top_tree=parent_tree;
16225 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
16226 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
16228 if (check_col(pinfo->cinfo, COL_INFO)){
16229 col_clear(pinfo->cinfo, COL_INFO);
16232 /* start off using the local variable, we will allocate a new one if we
16234 si->cmd = tvb_get_guint8(tvb, offset+4);
16235 flags = tvb_get_guint8(tvb, offset+9);
16237 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
16238 * the direction flag appears never to be set, even for what appear
16239 * to be replies. Do some SMB servers fail to set that flag,
16240 * under the assumption that the client knows it's a reply because
16243 si->request = !(flags&SMB_FLAGS_DIRN);
16244 flags2 = tvb_get_letohs(tvb, offset+10);
16245 if(flags2 & 0x8000){
16246 si->unicode = TRUE; /* Mark them as Unicode */
16248 si->unicode = FALSE;
16250 si->tid = tvb_get_letohs(tvb, offset+24);
16251 si->pid = tvb_get_letohs(tvb, offset+26);
16252 si->uid = tvb_get_letohs(tvb, offset+28);
16253 si->mid = tvb_get_letohs(tvb, offset+30);
/* NOTE(review): if si->pid is a 16-bit unsigned field it is promoted to int before the shift, so values of 0x8000 and above shift into the sign bit; casting to guint32 before shifting would avoid depending on that. Confirm the field and pid_mid types, which are declared outside this listing. */
16254 pid_mid = (si->pid << 16) | si->mid;
16255 si->info_level = -1;
16256 si->info_count = -1;
16259 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
16261 tree = proto_item_add_subtree(item, ett_smb);
16263 hitem = proto_tree_add_text(tree, tvb, offset, 32,
16266 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
16269 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
16270 offset += 4; /* Skip the marker */
16272 /* find which conversation we are part of and get the tables for that
16274 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,
16275 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16277 /* OK this is a new conversation so lets create it */
16278 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst,
16279 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16281 /* see if we already have the smb data for this conversation */
16282 si->ct=conversation_get_proto_data(conversation, proto_smb);
16284 /* No, not yet. create it and attach it to the conversation */
/* One conv_tables_t is created per conversation and prepended to the global conv_tables list below; where that list is released is not shown in this listing. */
16285 si->ct = g_malloc(sizeof(conv_tables_t));
16287 conv_tables = g_slist_prepend(conv_tables, si->ct);
16288 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
16289 smb_saved_info_equal_matched);
16290 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
16291 smb_saved_info_equal_unmatched);
16292 si->ct->tid_service=g_hash_table_new(
16293 smb_saved_info_hash_unmatched,
16294 smb_saved_info_equal_unmatched);
16295 si->ct->raw_ntlmssp = 0;
16297 si->ct->fid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB fid_tree");
16298 si->ct->tid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB tid_tree");
16299 si->ct->uid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB uid_tree");
16300 conversation_add_proto_data(conversation, proto_smb, si->ct);
16308 /* this is a broadcast SMB packet, there will not be a reply.
16309 We dont need to do anything
16312 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
16313 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
16314 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
16315 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
16316 /* Ok, we got a special request type. This request is either
16317 an NT Cancel or a continuation relative to a real request
16318 in an earlier packet. In either case, we don't expect any
16319 responses to this packet. For continuations, any later
16320 responses we see really just belong to the original request.
16321 Anyway, we want to remember this packet somehow and
16322 remember which original request it is associated with so
16323 we can say nice things such as "This is a Cancellation to
16324 the request in frame x", but we don't want the
16325 request/response matching to get messed up.
16327 The only thing we do in this case is trying to find which original
16328 request we match with and insert an entry for this "special"
16329 request for later reference. We continue to reference the original
16330 requests smb_saved_info_t but we dont touch it or change anything
16334 si->unidir = TRUE; /*we dont expect an answer to this one*/
16336 if(!pinfo->fd->flags.visited){
16337 /* try to find which original call we match and if we
16338 find it add us to the matched table. Dont touch
16339 anything else since we dont want this one to mess
16340 up the request/response matching. We still consider
16341 the initial call the real request and this is only
16342 some sort of continuation.
16344 /* we only check the unmatched table and assume that the
16345 last seen MID matching ours is the right one.
16346 This can fail but is better than nothing
16348 sip=g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16350 new_key = se_alloc(sizeof(smb_saved_info_key_t));
16351 new_key->frame = pinfo->fd->num;
16352 new_key->pid_mid = pid_mid;
16353 g_hash_table_insert(si->ct->matched, new_key,
16357 /* we have seen this packet before; check the
16360 key.frame = pinfo->fd->num;
16361 key.pid_mid = pid_mid;
16362 sip=g_hash_table_lookup(si->ct->matched, &key);
16366 Too bad, unfortunately there is not really much we can
16367 do now since this means that we never saw the initial
16374 if(sip && sip->frame_req){
16376 case SMB_COM_NT_CANCEL:
16377 tmp_item=proto_tree_add_uint(htree, hf_smb_cancel_to,
16378 tvb, 0, 0, sip->frame_req);
16379 PROTO_ITEM_SET_GENERATED(tmp_item);
16381 case SMB_COM_TRANSACTION_SECONDARY:
16382 case SMB_COM_TRANSACTION2_SECONDARY:
16383 case SMB_COM_NT_TRANSACT_SECONDARY:
16384 tmp_item=proto_tree_add_uint(htree, hf_smb_continuation_to,
16385 tvb, 0, 0, sip->frame_req);
16386 PROTO_ITEM_SET_GENERATED(tmp_item);
16391 case SMB_COM_NT_CANCEL:
16392 proto_tree_add_text(htree, tvb, 0, 0,
16393 "Cancellation to: <unknown frame>");
16395 case SMB_COM_TRANSACTION_SECONDARY:
16396 case SMB_COM_TRANSACTION2_SECONDARY:
16397 case SMB_COM_NT_TRANSACT_SECONDARY:
16398 proto_tree_add_text(htree, tvb, 0, 0,
16399 "Continuation to: <unknown frame>");
16403 } else { /* normal bidirectional request or response */
16404 si->unidir = FALSE;
16406 if(!pinfo->fd->flags.visited){
16407 /* first see if we find an unmatched smb "equal" to
16410 sip=g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16412 gboolean cmd_match=FALSE;
16415 * Make sure the SMB we found was the
16416 * same command, or a different command
16417 * that's another valid type of reply
16420 if(si->cmd==sip->cmd){
16423 else if(si->cmd==SMB_COM_NT_CANCEL){
16426 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
16427 && (sip->cmd==SMB_COM_TRANSACTION)){
16430 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
16431 && (sip->cmd==SMB_COM_TRANSACTION2)){
16434 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
16435 && (sip->cmd==SMB_COM_NT_TRANSACT)){
16439 if( (si->request) || (!cmd_match) ) {
16440 /* We are processing an SMB request but there was already
16441 another "identical" smb request we had not matched yet.
16442 This must mean that either we have a retransmission or that the
16443 response to the previous one was lost and the client has reused
16444 the MID for this conversation. In either case it's not much more
16445 we can do than forget the old request and concentrate on the
16446 present one instead.
16448 We also do this cleanup if we see that the cmd in the original
16449 request in sip->cmd is not compatible with the current cmd.
16450 This is to prevent matching errors such as if there were two
16451 SMBs of different cmds but with identical MID and PID values and
16452 if wireshark lost the first reply and the second request.
16454 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16455 sip=NULL; /* XXX should free it as well */
16457 /* we have found a response to some
16458 request we have seen earlier.
16459 What we do now depends on whether
16460 this is the first response to that
16461 request we see (id frame_res==0) or
16462 if it's a response to a request
16463 for which we've seen an earlier
16464 response that's continued.
16466 if(sip->frame_res==0 ||
16467 sip->flags & SMB_SIF_IS_CONTINUED){
16468 /* OK, it is the first response
16469 we have seen to this packet,
16470 or it's a continuation of
16471 a response we've seen. */
16472 sip->frame_res = pinfo->fd->num;
16473 new_key = se_alloc(sizeof(smb_saved_info_key_t));
16474 new_key->frame = sip->frame_res;
16475 new_key->pid_mid = pid_mid;
16476 g_hash_table_insert(si->ct->matched, new_key, sip);
16477 /* We remove the entry for unmatched since we have found a match.
16478 * We have to do this since the MID value wraps so quickly (effective only 10 bits)
16479 * and if there is packetloss in the trace (maybe due to large holes
16480 * created by a sniffer device not being able to keep up
16481 * with the line rate.
16482 * There is a real possibility that the following would occur which is painful :
16483 * 1, -> Request MID:5
16484 * 2, <- Response MID:5
16485 * 3, ->Request MID:5 (missing from capture)
16486 * 4, <- Response MID:5
16487 * We DONT want #4 to be presented as a response to #1
16489 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16491 /* We have already seen another response to this MID.
16492 Since the MID in reality is only something like 10 bits
16493 this probably means that we just have a MID that is being
16494 reused due to the small MID space and that this is a new
16495 command we did not see the original request for.
16502 sip = se_alloc(sizeof(smb_saved_info_t));
16503 sip->frame_req = pinfo->fd->num;
16504 sip->frame_res = 0;
16505 sip->req_time = pinfo->fd->abs_ts;
16507 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))
16508 == (void *)TID_IPC) {
16509 sip->flags |= SMB_SIF_TID_IS_IPC;
16511 sip->cmd = si->cmd;
16512 sip->extra_info = NULL;
16513 sip->extra_info_type = SMB_EI_NONE;
16515 sip->fid_seen_in_request=0;
16516 g_hash_table_insert(si->ct->unmatched, GUINT_TO_POINTER(pid_mid), sip);
16517 new_key = se_alloc(sizeof(smb_saved_info_key_t));
16518 new_key->frame = sip->frame_req;
16519 new_key->pid_mid = pid_mid;
16520 g_hash_table_insert(si->ct->matched, new_key, sip);
16523 /* we have seen this packet before; check the
16525 If we haven't yet seen the reply, we won't
16526 find the info for it; we don't need it, as
16527 we only use it to save information, and, as
16528 we've seen this packet before, we've already
16529 saved the information.
16531 key.frame = pinfo->fd->num;
16532 key.pid_mid = pid_mid;
16533 sip=g_hash_table_lookup(si->ct->matched, &key);
16538 * Pass the "sip" on to subdissectors through "si".
16544 * Put in fields for the frame number of the frame to which
16545 * this is a response or the frame with the response to this
16546 * frame - if we know the frame number (i.e., it's not 0).
16549 if (sip->frame_res != 0) {
16550 tmp_item=proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
16551 PROTO_ITEM_SET_GENERATED(tmp_item);
16554 if (sip->frame_req != 0) {
16555 tmp_item=proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
16556 PROTO_ITEM_SET_GENERATED(tmp_item);
16557 t = pinfo->fd->abs_ts;
16558 nstime_delta(&deltat, &t, &sip->req_time);
16559 tmp_item=proto_tree_add_time(htree, hf_smb_time, tvb,
16561 PROTO_ITEM_SET_GENERATED(tmp_item);
16567 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
16570 if(flags2 & 0x4000){
16571 /* handle NT 32 bit error code */
16573 si->nt_status = tvb_get_letohl(tvb, offset);
16575 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
16580 /* handle DOS error code & class */
16581 errclass = tvb_get_guint8(tvb, offset);
16582 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
16586 /* reserved byte */
16587 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
16591 /* XXX - the type of this field depends on the value of
16592 * "errcls", so there is isn't a single value_string array
16593 * fo it, so there can't be a single field for it.
16595 errcode = tvb_get_letohs(tvb, offset);
16596 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
16597 offset, 2, errcode, "Error Code: %s",
16598 decode_smb_error(errclass, errcode));
16603 offset = dissect_smb_flags(tvb, htree, offset);
16606 offset = dissect_smb_flags2(tvb, htree, offset);
16611 * http://www.samba.org/samba/ftp/specs/smbpub.txt
16613 * (a text version of "Microsoft Networks SMB FILE SHARING
16614 * PROTOCOL, Document Version 6.0p") says that:
16616 * the first 2 bytes of these 12 bytes are, for NT Create and X,
16617 * the "High Part of PID";
16619 * the next four bytes are reserved;
16621 * the next four bytes are, for SMB-over-IPX (with no
16622 * NetBIOS involved) two bytes of Session ID and two bytes
16623 * of SequenceNumber.
16625 * Network Monitor 2.x dissects the four bytes before the Session ID
16626 * as a "Key", and the two bytes after the SequenceNumber as
16629 * The "High Part of PID" has been seen in calls other than NT
16630 * Create and X, although most of them appear to be I/O on DCE RPC
16631 * pipes opened with the NT Create and X in question.
16633 proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, TRUE);
16636 if (pinfo->ptype == PT_IPX &&
16637 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
16638 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
16639 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
16641 * This is SMB-over-IPX.
16642 * XXX - do we have to worry about "sequenced commands",
16643 * as per the Samba document? They say that for
16644 * "unsequenced commands" (with a sequence number of 0),
16645 * the Mid must be unique, but perhaps the Mid doesn't
16646 * have to be unique for sequenced commands. In at least
16647 * one capture with SMB-over-IPX, however, the Mids
16648 * are unique even for sequenced commands.
16651 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
16656 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
16660 /* Sequence number */
16661 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
16666 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
16671 * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
16672 * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
16673 * bytes after the "High part of PID" are an 8-byte
16676 proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, TRUE);
16679 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, TRUE);
16683 pinfo->private_data = si;
16686 * TreeConnectAndX(0x75) is special, here it is the mere fact of
16687 * having a response that means that the share was mapped and we
16690 if(!pinfo->fd->flags.visited && si->cmd==0x75 && !si->request){
16691 offset=dissect_smb_tid(tvb, pinfo, htree, offset, (guint16)si->tid, TRUE, FALSE);
16693 offset=dissect_smb_tid(tvb, pinfo, htree, offset, (guint16)si->tid, FALSE, FALSE);
16697 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
16701 offset=dissect_smb_uid(tvb, htree, offset, si);
16704 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
16707 /* tap the packet before the dissectors are called so we still get
16708 the tap listener called even if there is an exception.
16710 tap_queue_packet(smb_tap, pinfo, si);
16711 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
16713 /* Append error info from this packet to info string. */
16714 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
16715 if (flags2 & 0x4000) {
16717 * The status is an NT status code; was there
16720 if ((si->nt_status & 0xC0000000) == 0xC0000000) {
16725 pinfo->cinfo, COL_INFO, ", Error: %s",
16726 val_to_str(si->nt_status, NT_errors,
16727 "Unknown (0x%08X)"));
16731 * The status is a DOS error class and code; was
16734 if (errclass != SMB_SUCCESS) {
16739 pinfo->cinfo, COL_INFO, ", Error: %s",
16740 decode_smb_error(errclass, errcode));
/*
 * Heuristic entry point: decide whether 'tvb' starts with an SMB message
 * and, if it does, hand it to dissect_smb().
 *
 * Only the 4-byte marker (0xFF 'S' 'M' 'B') is checked here, and only
 * after confirming that at least 4 bytes are present.  Nothing else about
 * the header is validated before dissect_smb() reads its fixed-offset
 * fields, so truncated or malformed headers are left to the tvbuff
 * accessors' own bounds handling.
 *
 * Returns TRUE when the buffer was claimed as SMB, FALSE otherwise.
 *
 * NOTE(review): the return type and the return statements were not
 * present in the listing and are restored; only the checks and the
 * dissect_smb() call were visible.
 */
static gboolean
dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	static const guint8 smb_marker[4] = { 0xff, 'S', 'M', 'B' };
	guint pos;

	/* must check that this really is a smb packet */
	if (tvb_length(tvb) < 4) {
		return FALSE;
	}

	/* Compare byte by byte and stop at the first mismatch. */
	for (pos = 0; pos < 4; pos++) {
		if (tvb_get_guint8(tvb, pos) != smb_marker[pos]) {
			return FALSE;
		}
	}

	dissect_smb(tvb, pinfo, parent_tree);
	return TRUE;
}
16765 proto_register_smb(void)
16767 static hf_register_info hf[] = {
16769 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
16770 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
16772 { &hf_smb_trans2_subcmd,
16773 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
16774 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
16776 { &hf_smb_nt_trans_subcmd,
16777 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
16778 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
16780 { &hf_smb_word_count,
16781 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
16782 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
16784 { &hf_smb_byte_count,
16785 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
16786 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
16788 { &hf_smb_response_to,
16789 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
16790 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
16793 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
16794 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
16796 { &hf_smb_response_in,
16797 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
16798 NULL, 0, "The response to this packet is in this packet", HFILL }},
16800 { &hf_smb_continuation_to,
16801 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
16802 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
16804 { &hf_smb_nt_status,
16805 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
16806 VALS(NT_errors), 0, "NT Status code", HFILL }},
16808 { &hf_smb_error_class,
16809 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
16810 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
16812 { &hf_smb_error_code,
16813 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
16814 NULL, 0, "DOS Error Code", HFILL }},
16816 { &hf_smb_reserved,
16817 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
16818 NULL, 0, "Reserved bytes, must be zero", HFILL }},
16821 { "Signature", "smb.signature", FT_BYTES, BASE_HEX,
16822 NULL, 0, "Signature bytes", HFILL }},
16825 { "Key", "smb.key", FT_UINT32, BASE_HEX,
16826 NULL, 0, "SMB-over-IPX Key", HFILL }},
16828 { &hf_smb_session_id,
16829 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
16830 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
16832 { &hf_smb_sequence_num,
16833 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
16834 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
16836 { &hf_smb_group_id,
16837 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
16838 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
16841 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
16842 NULL, 0, "Process ID", HFILL }},
16844 { &hf_smb_pid_high,
16845 { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
16846 NULL, 0, "Process ID High Bytes", HFILL }},
16849 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
16850 NULL, 0, "Tree ID", HFILL }},
16853 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
16854 NULL, 0, "User ID", HFILL }},
16857 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
16858 NULL, 0, "Multiplex ID", HFILL }},
16860 { &hf_smb_flags_lock,
16861 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
16862 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
16864 { &hf_smb_flags_receive_buffer,
16865 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
16866 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
16868 { &hf_smb_flags_caseless,
16869 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
16870 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
16872 { &hf_smb_flags_canon,
16873 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
16874 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
16876 { &hf_smb_flags_oplock,
16877 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
16878 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
16880 { &hf_smb_flags_notify,
16881 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
16882 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
16884 { &hf_smb_flags_response,
16885 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
16886 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
16888 { &hf_smb_flags2_long_names_allowed,
16889 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
16890 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
16892 { &hf_smb_flags2_ea,
16893 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
16894 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
16896 { &hf_smb_flags2_sec_sig,
16897 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
16898 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
16900 { &hf_smb_flags2_long_names_used,
16901 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
16902 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
16904 { &hf_smb_flags2_esn,
16905 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
16906 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
16908 { &hf_smb_flags2_dfs,
16909 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
16910 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
16912 { &hf_smb_flags2_roe,
16913 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
16914 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
16916 { &hf_smb_flags2_nt_error,
16917 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
16918 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
16920 { &hf_smb_flags2_string,
16921 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
16922 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
16924 { &hf_smb_buffer_format,
16925 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
16926 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
16928 { &hf_smb_dialect_name,
16929 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
16930 NULL, 0, "Name of dialect", HFILL }},
16932 { &hf_smb_dialect_index,
16933 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
16934 NULL, 0, "Index of selected dialect", HFILL }},
16936 { &hf_smb_max_trans_buf_size,
16937 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
16938 NULL, 0, "Maximum transmit buffer size", HFILL }},
16940 { &hf_smb_max_mpx_count,
16941 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
16942 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
16944 { &hf_smb_max_vcs_num,
16945 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
16946 NULL, 0, "Maximum VCs between client and server", HFILL }},
16948 { &hf_smb_session_key,
16949 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
16950 NULL, 0, "Unique token identifying this session", HFILL }},
16952 { &hf_smb_server_timezone,
16953 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
16954 NULL, 0, "Current timezone at server.", HFILL }},
16956 { &hf_smb_encryption_key_length,
16957 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
16958 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
16960 { &hf_smb_encryption_key,
16961 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
16962 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
16964 { &hf_smb_primary_domain,
16965 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
16966 NULL, 0, "The server's primary domain", HFILL }},
16969 { "Server", "smb.server", FT_STRING, BASE_NONE,
16970 NULL, 0, "The name of the DC/server", HFILL }},
16972 { &hf_smb_max_raw_buf_size,
16973 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
16974 NULL, 0, "Maximum raw buffer size", HFILL }},
16976 { &hf_smb_server_guid,
16977 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
16978 NULL, 0, "Globally unique identifier for this server", HFILL }},
16980 { &hf_smb_security_blob_len,
16981 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
16982 NULL, 0, "Security blob length", HFILL }},
16984 { &hf_smb_security_blob,
16985 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
16986 NULL, 0, "Security blob", HFILL }},
16988 { &hf_smb_sm_mode16,
16989 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
16990 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
16992 { &hf_smb_sm_password16,
16993 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
16994 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
16997 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
16998 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
17000 { &hf_smb_sm_password,
17001 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
17002 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
17004 { &hf_smb_sm_signatures,
17005 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
17006 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
17008 { &hf_smb_sm_sig_required,
17009 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
17010 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
17013 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
17014 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
17016 { &hf_smb_rm_write,
17017 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
17018 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
17020 { &hf_smb_server_date_time,
17021 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
17022 NULL, 0, "Current date and time at server", HFILL }},
17024 { &hf_smb_server_smb_date,
17025 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
17026 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
17028 { &hf_smb_server_smb_time,
17029 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
17030 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
17032 { &hf_smb_server_cap_raw_mode,
17033 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
17034 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
17036 { &hf_smb_server_cap_mpx_mode,
17037 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
17038 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
17040 { &hf_smb_server_cap_unicode,
17041 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
17042 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
17044 { &hf_smb_server_cap_large_files,
17045 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
17046 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
17048 { &hf_smb_server_cap_nt_smbs,
17049 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
17050 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
17052 { &hf_smb_server_cap_rpc_remote_apis,
17053 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
17054 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
17056 { &hf_smb_server_cap_nt_status,
17057 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
17058 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
17060 { &hf_smb_server_cap_level_ii_oplocks,
17061 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
17062 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
17064 { &hf_smb_server_cap_lock_and_read,
17065 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
17066 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
17068 { &hf_smb_server_cap_nt_find,
17069 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
17070 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
17072 { &hf_smb_server_cap_dfs,
17073 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
17074 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
17076 { &hf_smb_server_cap_infolevel_passthru,
17077 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
17078 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
17080 { &hf_smb_server_cap_large_readx,
17081 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
17082 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
17084 { &hf_smb_server_cap_large_writex,
17085 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
17086 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
17088 { &hf_smb_server_cap_unix,
17089 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
17090 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
17092 { &hf_smb_server_cap_reserved,
17093 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
17094 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
17096 { &hf_smb_server_cap_bulk_transfer,
17097 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
17098 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
17100 { &hf_smb_server_cap_compressed_data,
17101 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
17102 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
17104 { &hf_smb_server_cap_extended_security,
17105 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
17106 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
17108 { &hf_smb_system_time,
17109 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
17110 NULL, 0, "System Time", HFILL }},
17113 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
17114 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
17116 { &hf_smb_dir_name,
17117 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
17118 NULL, 0, "SMB Directory Name", HFILL }},
17120 { &hf_smb_echo_count,
17121 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
17122 NULL, 0, "Number of times to echo data back", HFILL }},
17124 { &hf_smb_echo_data,
17125 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
17126 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
17128 { &hf_smb_echo_seq_num,
17129 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
17130 NULL, 0, "Sequence number for this echo response", HFILL }},
17132 { &hf_smb_max_buf_size,
17133 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
17134 NULL, 0, "Max client buffer size", HFILL }},
17137 { "Path", "smb.path", FT_STRING, BASE_NONE,
17138 NULL, 0, "Path. Server name and share name", HFILL }},
17141 { "Service", "smb.service", FT_STRING, BASE_NONE,
17142 NULL, 0, "Service name", HFILL }},
17144 { &hf_smb_password,
17145 { "Password", "smb.password", FT_BYTES, BASE_NONE,
17146 NULL, 0, "Password", HFILL }},
17148 { &hf_smb_ansi_password,
17149 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
17150 NULL, 0, "ANSI Password", HFILL }},
17152 { &hf_smb_unicode_password,
17153 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
17154 NULL, 0, "Unicode Password", HFILL }},
17156 { &hf_smb_move_flags_file,
17157 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
17158 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17160 { &hf_smb_move_flags_dir,
17161 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
17162 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17164 { &hf_smb_move_flags_verify,
17165 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
17166 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17168 { &hf_smb_files_moved,
17169 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
17170 NULL, 0, "Number of files moved", HFILL }},
17172 { &hf_smb_copy_flags_file,
17173 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
17174 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17176 { &hf_smb_copy_flags_dir,
17177 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
17178 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17180 { &hf_smb_copy_flags_dest_mode,
17181 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
17182 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
17184 { &hf_smb_copy_flags_source_mode,
17185 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
17186 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
17188 { &hf_smb_copy_flags_verify,
17189 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
17190 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17192 { &hf_smb_copy_flags_tree_copy,
17193 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
17194 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
17196 { &hf_smb_copy_flags_ea_action,
17197 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
17198 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
17201 { "Count", "smb.count", FT_UINT32, BASE_DEC,
17202 NULL, 0, "Count number of items/bytes", HFILL }},
17204 { &hf_smb_count_low,
17205 { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
17206 NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
17208 { &hf_smb_count_high,
17209 { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
17210 NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
17212 { &hf_smb_file_name,
17213 { "File Name", "smb.file", FT_STRING, BASE_NONE,
17214 NULL, 0, "File Name", HFILL }},
17216 { &hf_smb_open_function_create,
17217 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
17218 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
17220 { &hf_smb_open_function_open,
17221 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
17222 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
17225 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
17226 NULL, 0, "FID: File ID", HFILL }},
17228 { &hf_smb_file_attr_read_only_16bit,
17229 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
17230 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17232 { &hf_smb_file_attr_read_only_8bit,
17233 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
17234 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17236 { &hf_smb_file_attr_hidden_16bit,
17237 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
17238 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17240 { &hf_smb_file_attr_hidden_8bit,
17241 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
17242 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17244 { &hf_smb_file_attr_system_16bit,
17245 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
17246 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17248 { &hf_smb_file_attr_system_8bit,
17249 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
17250 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17252 { &hf_smb_file_attr_volume_16bit,
17253 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
17254 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
17256 { &hf_smb_file_attr_volume_8bit,
17257 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
17258 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
17260 { &hf_smb_file_attr_directory_16bit,
17261 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
17262 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17264 { &hf_smb_file_attr_directory_8bit,
17265 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
17266 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17268 { &hf_smb_file_attr_archive_16bit,
17269 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
17270 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17272 { &hf_smb_file_attr_archive_8bit,
17273 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
17274 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17276 { &hf_smb_file_attr_device,
17277 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
17278 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
17280 { &hf_smb_file_attr_normal,
17281 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
17282 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
17284 { &hf_smb_file_attr_temporary,
17285 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
17286 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
17288 { &hf_smb_file_attr_sparse,
17289 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
17290 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
17292 { &hf_smb_file_attr_reparse,
17293 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
17294 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
17296 { &hf_smb_file_attr_compressed,
17297 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
17298 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
17300 { &hf_smb_file_attr_offline,
17301 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
17302 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
17304 { &hf_smb_file_attr_not_content_indexed,
17305 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
17306 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
17308 { &hf_smb_file_attr_encrypted,
17309 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
17310 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
17312 { &hf_smb_file_size,
17313 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
17314 NULL, 0, "File Size", HFILL }},
17316 { &hf_smb_search_attribute_read_only,
17317 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
17318 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
17320 { &hf_smb_search_attribute_hidden,
17321 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
17322 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
17324 { &hf_smb_search_attribute_system,
17325 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
17326 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
17328 { &hf_smb_search_attribute_volume,
17329 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
17330 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
17332 { &hf_smb_search_attribute_directory,
17333 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
17334 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
17336 { &hf_smb_search_attribute_archive,
17337 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
17338 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
17340 { &hf_smb_access_mode,
17341 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
17342 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
17344 { &hf_smb_access_sharing,
17345 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
17346 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
17348 { &hf_smb_access_locality,
17349 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
17350 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
17352 { &hf_smb_access_caching,
17353 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
17354 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
17356 { &hf_smb_access_writetru,
17357 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
17358 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
17360 { &hf_smb_create_time,
17361 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
17362 NULL, 0, "Creation Time", HFILL }},
17364 { &hf_smb_modify_time,
17365 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
17366 NULL, 0, "Modification Time", HFILL }},
17368 { &hf_smb_backup_time,
17369 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
17370 NULL, 0, "Backup time", HFILL}},
17372 { &hf_smb_mac_alloc_block_count,
17373 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
17374 NULL, 0, "Allocation Block Count", HFILL}},
17376 { &hf_smb_mac_alloc_block_size,
17377 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
17378 NULL, 0, "Allocation Block Size", HFILL}},
17380 { &hf_smb_mac_free_block_count,
17381 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
17382 NULL, 0, "Free Block Count", HFILL}},
17384 { &hf_smb_mac_root_file_count,
17385 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
17386 NULL, 0, "Root File Count", HFILL}},
17388 { &hf_smb_mac_root_dir_count,
17389 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
17390 NULL, 0, "Root Directory Count", HFILL}},
17392 { &hf_smb_mac_file_count,
17393 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
17394 NULL, 0, "File Count", HFILL}},
17396 { &hf_smb_mac_dir_count,
17397 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
17398 NULL, 0, "Directory Count", HFILL}},
17400 { &hf_smb_mac_support_flags,
17401 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
17402 NULL, 0, "Mac Support Flags", HFILL}},
17404 { &hf_smb_mac_sup_access_ctrl,
17405 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
17406 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
17408 { &hf_smb_mac_sup_getset_comments,
17409 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
17410 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
17412 { &hf_smb_mac_sup_desktopdb_calls,
17413 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
17414 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
17416 { &hf_smb_mac_sup_unique_ids,
17417 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
17418 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
17420 { &hf_smb_mac_sup_streams,
17421 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
17422 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
17424 { &hf_smb_create_dos_date,
17425 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
17426 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
17428 { &hf_smb_create_dos_time,
17429 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
17430 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
17432 { &hf_smb_last_write_time,
17433 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
17434 NULL, 0, "Time this file was last written to", HFILL }},
17436 { &hf_smb_last_write_dos_date,
17437 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
17438 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
17440 { &hf_smb_last_write_dos_time,
17441 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
17442 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
17444 { &hf_smb_old_file_name,
17445 { "Old File Name", "smb.old_file", FT_STRING, BASE_NONE,
17446 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
17449 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
17450 NULL, 0, "Offset in file", HFILL }},
17452 { &hf_smb_remaining,
17453 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
17454 NULL, 0, "Remaining number of bytes", HFILL }},
17457 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
17458 NULL, 0, "Padding or unknown data", HFILL }},
17460 { &hf_smb_file_data,
17461 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
17462 NULL, 0, "Data read/written to the file", HFILL }},
17464 { &hf_smb_mac_fndrinfo,
17465 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
17466 NULL, 0, "Finder Info", HFILL}},
17468 { &hf_smb_total_data_len,
17469 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
17470 NULL, 0, "Total length of data", HFILL }},
17472 { &hf_smb_data_len,
17473 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
17474 NULL, 0, "Length of data", HFILL }},
17476 { &hf_smb_data_len_low,
17477 { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
17478 NULL, 0, "Length of data, Low 16 bits", HFILL }},
17480 { &hf_smb_data_len_high,
17481 { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
17482 NULL, 0, "Length of data, High 16 bits", HFILL }},
17484 { &hf_smb_seek_mode,
17485 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
17486 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
17488 { &hf_smb_access_time,
17489 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
17490 NULL, 0, "Last Access Time", HFILL }},
17492 { &hf_smb_access_dos_date,
17493 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
17494 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
17496 { &hf_smb_access_dos_time,
17497 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
17498 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
17500 { &hf_smb_data_size,
17501 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
17502 NULL, 0, "Data Size", HFILL }},
17504 { &hf_smb_alloc_size,
17505 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
17506 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17508 { &hf_smb_max_count,
17509 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
17510 NULL, 0, "Maximum Count", HFILL }},
17512 { &hf_smb_max_count_low,
17513 { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
17514 NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
17516 { &hf_smb_max_count_high,
17517 { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
17518 NULL, 0, "Maximum Count, High 16 bits", HFILL }},
17520 { &hf_smb_min_count,
17521 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
17522 NULL, 0, "Minimum Count", HFILL }},
17525 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
17526 NULL, 0, "Timeout in miliseconds", HFILL }},
17528 { &hf_smb_high_offset,
17529 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
17530 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
17533 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
17534 NULL, 0, "Total number of units at server", HFILL }},
17537 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
17538 NULL, 0, "Blocks per unit at server", HFILL }},
17540 { &hf_smb_blocksize,
17541 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
17542 NULL, 0, "Block size (in bytes) at server", HFILL }},
17544 { &hf_smb_freeunits,
17545 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
17546 NULL, 0, "Number of free units at server", HFILL }},
17548 { &hf_smb_data_offset,
17549 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17550 NULL, 0, "Data Offset", HFILL }},
17553 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
17554 NULL, 0, "Data Compaction Mode", HFILL }},
17556 { &hf_smb_request_mask,
17557 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
17558 NULL, 0, "Connectionless mode mask", HFILL }},
17560 { &hf_smb_response_mask,
17561 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
17562 NULL, 0, "Connectionless mode mask", HFILL }},
17564 { &hf_smb_search_id,
17565 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
17566 NULL, 0, "Search ID, handle for find operations", HFILL }},
17568 { &hf_smb_write_mode_write_through,
17569 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
17570 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
17572 { &hf_smb_write_mode_return_remaining,
17573 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
17574 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
17576 { &hf_smb_write_mode_raw,
17577 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
17578 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
17580 { &hf_smb_write_mode_message_start,
17581 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
17582 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
17584 { &hf_smb_write_mode_connectionless,
17585 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
17586 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
17588 { &hf_smb_resume_key_len,
17589 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
17590 NULL, 0, "Resume Key length", HFILL }},
17592 { &hf_smb_resume_find_id,
17593 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
17594 NULL, 0, "Handle for Find operation", HFILL }},
17596 { &hf_smb_resume_server_cookie,
17597 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
17598 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
17600 { &hf_smb_resume_client_cookie,
17601 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
17602 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
17604 { &hf_smb_andxoffset,
17605 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
17606 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
17608 { &hf_smb_lock_type_large,
17609 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
17610 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
17612 { &hf_smb_lock_type_cancel,
17613 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
17614 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
17616 { &hf_smb_lock_type_change,
17617 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
17618 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
17620 { &hf_smb_lock_type_oplock,
17621 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
17622 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
17624 { &hf_smb_lock_type_shared,
17625 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
17626 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
17628 { &hf_smb_locking_ol,
17629 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
17630 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
17632 { &hf_smb_number_of_locks,
17633 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
17634 NULL, 0, "Number of lock requests in this request", HFILL }},
17636 { &hf_smb_number_of_unlocks,
17637 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
17638 NULL, 0, "Number of unlock requests in this request", HFILL }},
17640 { &hf_smb_lock_long_length,
17641 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
17642 NULL, 0, "Length of lock/unlock region", HFILL }},
17644 { &hf_smb_lock_long_offset,
17645 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
17646 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
17648 { &hf_smb_file_type,
17649 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
17650 VALS(filetype_vals), 0, "Type of file", HFILL }},
17652 { &hf_smb_ipc_state_nonblocking,
17653 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
17654 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
17656 { &hf_smb_ipc_state_endpoint,
17657 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
17658 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
17660 { &hf_smb_ipc_state_pipe_type,
17661 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
17662 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
17664 { &hf_smb_ipc_state_read_mode,
17665 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
17666 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
17668 { &hf_smb_ipc_state_icount,
17669 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
17670 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
17672 { &hf_smb_server_fid,
17673 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
17674 NULL, 0, "Server unique File ID", HFILL }},
17676 { &hf_smb_open_flags_add_info,
17677 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
17678 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
17680 { &hf_smb_open_flags_ex_oplock,
17681 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
17682 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
17684 { &hf_smb_open_flags_batch_oplock,
17685 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
17686 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
17688 { &hf_smb_open_flags_ealen,
17689 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
17690 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
17692 { &hf_smb_open_action_open,
17693 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
17694 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
17696 { &hf_smb_open_action_lock,
17697 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
17698 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
17701 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
17702 NULL, 0, "VC Number", HFILL }},
17704 { &hf_smb_password_len,
17705 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
17706 NULL, 0, "Length of password", HFILL }},
17708 { &hf_smb_ansi_password_len,
17709 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
17710 NULL, 0, "Length of ANSI password", HFILL }},
17712 { &hf_smb_unicode_password_len,
17713 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
17714 NULL, 0, "Length of Unicode password", HFILL }},
17717 { "Account", "smb.account", FT_STRING, BASE_NONE,
17718 NULL, 0, "Account, username", HFILL }},
17721 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
17722 NULL, 0, "Which OS we are running", HFILL }},
17725 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
17726 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
17728 { &hf_smb_setup_action_guest,
17729 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
17730 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
17733 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
17734 NULL, 0, "Native File System", HFILL }},
17736 { &hf_smb_connect_flags_dtid,
17737 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
17738 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
17740 { &hf_smb_connect_support_search,
17741 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
17742 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
17744 { &hf_smb_connect_support_in_dfs,
17745 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
17746 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
17748 { &hf_smb_max_setup_count,
17749 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
17750 NULL, 0, "Maximum number of setup words to return", HFILL }},
17752 { &hf_smb_total_param_count,
17753 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
17754 NULL, 0, "Total number of parameter bytes", HFILL }},
17756 { &hf_smb_total_data_count,
17757 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
17758 NULL, 0, "Total number of data bytes", HFILL }},
17760 { &hf_smb_max_param_count,
17761 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
17762 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
17764 { &hf_smb_max_data_count,
17765 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
17766 NULL, 0, "Maximum number of data bytes to return", HFILL }},
17768 { &hf_smb_param_disp16,
17769 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
17770 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17772 { &hf_smb_param_count16,
17773 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
17774 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17776 { &hf_smb_param_offset16,
17777 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
17778 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17780 { &hf_smb_param_disp32,
17781 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
17782 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17784 { &hf_smb_param_count32,
17785 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
17786 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17788 { &hf_smb_param_offset32,
17789 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
17790 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17792 { &hf_smb_data_count16,
17793 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
17794 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17796 { &hf_smb_data_disp16,
17797 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
17798 NULL, 0, "Data Displacement", HFILL }},
17800 { &hf_smb_data_offset16,
17801 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17802 NULL, 0, "Data Offset", HFILL }},
17804 { &hf_smb_data_count32,
17805 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
17806 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17808 { &hf_smb_data_disp32,
17809 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
17810 NULL, 0, "Data Displacement", HFILL }},
17812 { &hf_smb_data_offset32,
17813 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
17814 NULL, 0, "Data Offset", HFILL }},
17816 { &hf_smb_setup_count,
17817 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
17818 NULL, 0, "Number of setup words in this buffer", HFILL }},
17820 { &hf_smb_nt_ioctl_isfsctl,
17821 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
17822 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
17824 { &hf_smb_nt_ioctl_flags_root_handle,
17825 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
17826 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
17828 { &hf_smb_nt_notify_action,
17829 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
17830 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
17832 { &hf_smb_nt_notify_watch_tree,
17833 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
17834 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
17836 { &hf_smb_nt_notify_stream_write,
17837 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
17838 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
17840 { &hf_smb_nt_notify_stream_size,
17841 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
17842 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
17844 { &hf_smb_nt_notify_stream_name,
17845 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
17846 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
17848 { &hf_smb_nt_notify_security,
17849 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
17850 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
17852 { &hf_smb_nt_notify_ea,
17853 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
17854 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
17856 { &hf_smb_nt_notify_creation,
17857 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
17858 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
17860 { &hf_smb_nt_notify_last_access,
17861 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
17862 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
17864 { &hf_smb_nt_notify_last_write,
17865 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
17866 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
17868 { &hf_smb_nt_notify_size,
17869 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
17870 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
17872 { &hf_smb_nt_notify_attributes,
17873 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
17874 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
17876 { &hf_smb_nt_notify_dir_name,
17877 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
17878 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
17880 { &hf_smb_nt_notify_file_name,
17881 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
17882 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
17884 { &hf_smb_root_dir_fid,
17885 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
17886 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
17888 { &hf_smb_alloc_size64,
17889 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
17890 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17892 { &hf_smb_nt_create_disposition,
17893 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
17894 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
17896 { &hf_smb_sd_length,
17897 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
17898 NULL, 0, "Total length of security descriptor", HFILL }},
17900 { &hf_smb_ea_list_length,
17901 { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
17902 NULL, 0, "Total length of extended attributes", HFILL }},
17904 { &hf_smb_ea_flags,
17905 { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
17906 NULL, 0, "EA Flags", HFILL }},
17908 { &hf_smb_ea_name_length,
17909 { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
17910 NULL, 0, "EA Name Length", HFILL }},
17912 { &hf_smb_ea_data_length,
17913 { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
17914 NULL, 0, "EA Data Length", HFILL }},
17917 { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
17918 NULL, 0, "EA Name", HFILL }},
17921 { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE,
17922 NULL, 0, "EA Data", HFILL }},
17924 { &hf_smb_file_name_len,
17925 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
17926 NULL, 0, "Length of File Name", HFILL }},
17928 { &hf_smb_nt_impersonation_level,
17929 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
17930 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
17932 { &hf_smb_nt_security_flags_context_tracking,
17933 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
17934 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
17936 { &hf_smb_nt_security_flags_effective_only,
17937 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
17938 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
17940 { &hf_smb_nt_access_mask_generic_read,
17941 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
17942 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
17944 { &hf_smb_nt_access_mask_generic_write,
17945 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
17946 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
17948 { &hf_smb_nt_access_mask_generic_execute,
17949 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
17950 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
17952 { &hf_smb_nt_access_mask_generic_all,
17953 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
17954 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
17956 { &hf_smb_nt_access_mask_maximum_allowed,
17957 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
17958 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
17960 { &hf_smb_nt_access_mask_system_security,
17961 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
17962 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
17964 { &hf_smb_nt_access_mask_synchronize,
17965 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
17966 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
17968 { &hf_smb_nt_access_mask_write_owner,
17969 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
17970 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
17972 { &hf_smb_nt_access_mask_write_dac,
17973 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
17974 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
17976 { &hf_smb_nt_access_mask_read_control,
17977 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
17978 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
17980 { &hf_smb_nt_access_mask_delete,
17981 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
17982 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
17984 { &hf_smb_nt_access_mask_write_attributes,
17985 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
17986 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
17988 { &hf_smb_nt_access_mask_read_attributes,
17989 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
17990 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
17992 { &hf_smb_nt_access_mask_delete_child,
17993 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
17994 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
17997 * "Execute" for files, "traverse" for directories.
17999 { &hf_smb_nt_access_mask_execute,
18000 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
18001 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
18003 { &hf_smb_nt_access_mask_write_ea,
18004 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
18005 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
18007 { &hf_smb_nt_access_mask_read_ea,
18008 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
18009 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
18012 * "Append data" for files, "add subdirectory" for directories,
18013 * "create pipe instance" for named pipes.
18015 { &hf_smb_nt_access_mask_append,
18016 { "Append", "smb.access.append", FT_BOOLEAN, 32,
18017 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
18020 * "Write data" for files and pipes, "add file" for directory.
18022 { &hf_smb_nt_access_mask_write,
18023 { "Write", "smb.access.write", FT_BOOLEAN, 32,
18024 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
18027 * "Read data" for files and pipes, "list directory" for directory.
18029 { &hf_smb_nt_access_mask_read,
18030 { "Read", "smb.access.read", FT_BOOLEAN, 32,
18031 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
18033 { &hf_smb_nt_create_bits_oplock,
18034 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
18035 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
18037 { &hf_smb_nt_create_bits_boplock,
18038 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
18039 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
18041 { &hf_smb_nt_create_bits_dir,
18042 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
18043 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
18045 { &hf_smb_nt_create_bits_ext_resp,
18046 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
18047 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
18049 { &hf_smb_nt_create_options_directory_file,
18050 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
18051 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
18053 { &hf_smb_nt_create_options_write_through,
18054 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
18055 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
18057 { &hf_smb_nt_create_options_sequential_only,
18058 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
18059 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
18061 { &hf_smb_nt_create_options_no_intermediate_buffering,
18062 { "Intermediate Buffering", "smb.nt.create_options.intermediate_buffering", FT_BOOLEAN, 32,
18063 TFS(&tfs_nt_create_options_no_intermediate_buffering), 0x00000008, "Is intermediate buffering allowed?", HFILL }},
18065 { &hf_smb_nt_create_options_sync_io_alert,
18066 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
18067 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
18069 { &hf_smb_nt_create_options_sync_io_nonalert,
18070 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
18071 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
18073 { &hf_smb_nt_create_options_non_directory_file,
18074 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
18075 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
18077 { &hf_smb_nt_create_options_create_tree_connection,
18078 { "Create Tree Connection", "smb.nt.create_options.create_tree_connection", FT_BOOLEAN, 32,
18079 TFS(&tfs_nt_create_options_create_tree_connection), 0x00000080, "Create Tree Connection flag", HFILL }},
18081 { &hf_smb_nt_create_options_complete_if_oplocked,
18082 { "Complete If Oplocked", "smb.nt.create_options.complete_if_oplocked", FT_BOOLEAN, 32,
18083 TFS(&tfs_nt_create_options_complete_if_oplocked), 0x00000100, "Complete if oplocked flag", HFILL }},
18085 { &hf_smb_nt_create_options_no_ea_knowledge,
18086 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
18087 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
18089 { &hf_smb_nt_create_options_eight_dot_three_only,
18090 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
18091 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
18093 { &hf_smb_nt_create_options_random_access,
18094 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
18095 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
18097 { &hf_smb_nt_create_options_delete_on_close,
18098 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
18099 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
18100 { &hf_smb_nt_create_options_open_by_fileid,
18101 { "Open By FileID", "smb.nt.create_options.open_by_fileid", FT_BOOLEAN, 32,
18102 TFS(&tfs_nt_create_options_open_by_fileid), 0x00002000, "Open file by inode", HFILL }},
18104 { &hf_smb_nt_create_options_backup_intent,
18105 { "Backup Intent", "smb.nt.create_options.backup_intent", FT_BOOLEAN, 32,
18106 TFS(&tfs_nt_create_options_backup_intent), 0x00004000, "Is this opened by BACKUP ADMIN for backup intent?", HFILL }},
18108 { &hf_smb_nt_create_options_no_compression,
18109 { "No Compression", "smb.nt.create_options.no_compression", FT_BOOLEAN, 32,
18110 TFS(&tfs_nt_create_options_no_compression), 0x00008000, "Is compression allowed?", HFILL }},
18112 { &hf_smb_nt_create_options_reserve_opfilter,
18113 { "Reserve Opfilter", "smb.nt.create_options.reserve_opfilter", FT_BOOLEAN, 32,
18114 TFS(&tfs_nt_create_options_reserve_opfilter), 0x00100000, "Reserve Opfilter flag", HFILL }},
18116 { &hf_smb_nt_create_options_open_reparse_point,
18117 { "Open Reparse Point", "smb.nt.create_options.open_reparse_point", FT_BOOLEAN, 32,
18118 TFS(&tfs_nt_create_options_open_reparse_point), 0x00200000, "Is this an open of a reparse point or of the normal file?", HFILL }},
18120 { &hf_smb_nt_create_options_open_no_recall,
18121 { "Open No Recall", "smb.nt.create_options.open_no_recall", FT_BOOLEAN, 32,
18122 TFS(&tfs_nt_create_options_open_no_recall), 0x00400000, "Open no recall flag", HFILL }},
18124 { &hf_smb_nt_create_options_open_for_free_space_query,
18125 { "Open For Free Space query", "smb.nt.create_options.open_for_free_space_query", FT_BOOLEAN, 32,
18126 TFS(&tfs_nt_create_options_open_for_free_space_query), 0x00800000, "Open For Free Space Query flag", HFILL }},
18128 { &hf_smb_nt_share_access_read,
18129 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
18130 TFS(&tfs_nt_share_access_read), SHARE_ACCESS_READ, "Can the object be shared for reading?", HFILL }},
18132 { &hf_smb_nt_share_access_write,
18133 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
18134 TFS(&tfs_nt_share_access_write), SHARE_ACCESS_WRITE, "Can the object be shared for write?", HFILL }},
18136 { &hf_smb_nt_share_access_delete,
18137 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
18138 TFS(&tfs_nt_share_access_delete), SHARE_ACCESS_DELETE, "", HFILL }},
18140 { &hf_smb_file_eattr_read_only,
18141 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
18142 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
18144 { &hf_smb_file_eattr_hidden,
18145 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
18146 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
18148 { &hf_smb_file_eattr_system,
18149 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
18150 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
18152 { &hf_smb_file_eattr_volume,
18153 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
18154 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
18156 { &hf_smb_file_eattr_directory,
18157 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
18158 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
18160 { &hf_smb_file_eattr_archive,
18161 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
18162 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
18164 { &hf_smb_file_eattr_device,
18165 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
18166 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
18168 { &hf_smb_file_eattr_normal,
18169 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
18170 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
18172 { &hf_smb_file_eattr_temporary,
18173 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
18174 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
18176 { &hf_smb_file_eattr_sparse,
18177 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
18178 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
18180 { &hf_smb_file_eattr_reparse,
18181 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
18182 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
18184 { &hf_smb_file_eattr_compressed,
18185 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
18186 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
18188 { &hf_smb_file_eattr_offline,
18189 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
18190 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
18192 { &hf_smb_file_eattr_not_content_indexed,
18193 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
18194 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
18196 { &hf_smb_file_eattr_encrypted,
18197 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
18198 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
18200 { &hf_smb_sec_desc_len,
18201 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
18202 NULL, 0, "Security Descriptor Length", HFILL }},
18204 { &hf_smb_nt_qsd_owner,
18205 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
18206 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
18208 { &hf_smb_nt_qsd_group,
18209 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
18210 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
18212 { &hf_smb_nt_qsd_dacl,
18213 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
18214 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
18216 { &hf_smb_nt_qsd_sacl,
18217 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
18218 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
18220 { &hf_smb_extended_attributes,
18221 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
18222 NULL, 0, "Extended Attributes", HFILL }},
18224 { &hf_smb_oplock_level,
18225 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
18226 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
18228 { &hf_smb_create_action,
18229 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
18230 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
18233 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
18234 NULL, 0, "Server unique file ID", HFILL }},
18236 { &hf_smb_ea_error_offset,
18237 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
18238 NULL, 0, "Offset into EA list if EA error", HFILL }},
18240 { &hf_smb_end_of_file,
18241 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
18242 NULL, 0, "Offset to the first free byte in the file", HFILL }},
18245 { "Replace", "smb.replace", FT_BOOLEAN, BASE_NONE,
18246 TFS(&tfs_smb_replace), 0x0, "Remove target if it exists?", HFILL }},
18248 { &hf_smb_root_dir_handle,
18249 { "Root Directory Handle", "smb.root_dir_handle", FT_UINT32, BASE_HEX,
18250 NULL, 0, "Root directory handle", HFILL }},
18252 { &hf_smb_target_name_len,
18253 { "Target name length", "smb.target_name_len", FT_UINT32, BASE_DEC,
18254 NULL, 0, "Length of target file name", HFILL }},
18256 { &hf_smb_target_name,
18257 { "Target name", "smb.target_name", FT_STRING, BASE_NONE,
18258 NULL, 0, "Target file name", HFILL }},
18260 { &hf_smb_device_type,
18261 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
18262 VALS(device_type_vals), 0, "Type of device", HFILL }},
18264 { &hf_smb_is_directory,
18265 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
18266 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
18268 { &hf_smb_next_entry_offset,
18269 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
18270 NULL, 0, "Offset to next entry", HFILL }},
18272 { &hf_smb_change_time,
18273 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
18274 NULL, 0, "Last Change Time", HFILL }},
18276 { &hf_smb_setup_len,
18277 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
18278 NULL, 0, "Length of printer setup data", HFILL }},
18280 { &hf_smb_print_mode,
18281 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
18282 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
18284 { &hf_smb_print_identifier,
18285 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
18286 NULL, 0, "Identifier string for this print job", HFILL }},
18288 { &hf_smb_restart_index,
18289 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
18290 NULL, 0, "Index of entry after last returned", HFILL }},
18292 { &hf_smb_print_queue_date,
18293 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
18294 NULL, 0, "Date when this entry was queued", HFILL }},
18296 { &hf_smb_print_queue_dos_date,
18297 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
18298 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
18300 { &hf_smb_print_queue_dos_time,
18301 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
18302 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
18304 { &hf_smb_print_status,
18305 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
18306 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
18308 { &hf_smb_print_spool_file_number,
18309 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
18310 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
18312 { &hf_smb_print_spool_file_size,
18313 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
18314 NULL, 0, "Number of bytes in spool file", HFILL }},
18316 { &hf_smb_print_spool_file_name,
18317 { "Name", "smb.print.spool.name", FT_STRINGZ, BASE_NONE,
18318 NULL, 0, "Name of client that submitted this job", HFILL }},
18320 { &hf_smb_start_index,
18321 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
18322 NULL, 0, "First queue entry to return", HFILL }},
18324 { &hf_smb_originator_name,
18325 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
18326 NULL, 0, "Name of sender of message", HFILL }},
18328 { &hf_smb_destination_name,
18329 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
18330 NULL, 0, "Name of recipient of message", HFILL }},
18332 { &hf_smb_message_len,
18333 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
18334 NULL, 0, "Length of message", HFILL }},
18337 { "Message", "smb.message", FT_STRING, BASE_NONE,
18338 NULL, 0, "Message text", HFILL }},
18341 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
18342 NULL, 0, "Message group ID for multi-block messages", HFILL }},
18344 { &hf_smb_forwarded_name,
18345 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
18346 NULL, 0, "Recipient name being forwarded", HFILL }},
18348 { &hf_smb_machine_name,
18349 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
18350 NULL, 0, "Name of target machine", HFILL }},
18352 { &hf_smb_cancel_to,
18353 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
18354 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
18356 { &hf_smb_trans_name,
18357 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
18358 NULL, 0, "Name of transaction", HFILL }},
18360 { &hf_smb_transaction_flags_dtid,
18361 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
18362 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
18364 { &hf_smb_transaction_flags_owt,
18365 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
18366 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
18368 { &hf_smb_search_count,
18369 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
18370 NULL, 0, "Maximum number of search entries to return", HFILL }},
18372 { &hf_smb_search_pattern,
18373 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
18374 NULL, 0, "Search Pattern", HFILL }},
18376 { &hf_smb_ff2_backup,
18377 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
18378 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
18380 { &hf_smb_ff2_continue,
18381 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
18382 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
18384 { &hf_smb_ff2_resume,
18385 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
18386 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
18388 { &hf_smb_ff2_close_eos,
18389 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
18390 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
18392 { &hf_smb_ff2_close,
18393 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
18394 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
18396 { &hf_smb_ff2_information_level,
18397 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
18398 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
18401 { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_DEC,
18402 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
18405 { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_DEC,
18406 VALS(spi_loi_vals), 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
18409 { &hf_smb_sfi_writetru,
18410 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
18411 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
18413 { &hf_smb_sfi_caching,
18414 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
18415 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
18418 { &hf_smb_storage_type,
18419 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
18420 NULL, 0, "Type of storage", HFILL }},
18423 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
18424 NULL, 0, "Resume Key", HFILL }},
18426 { &hf_smb_max_referral_level,
18427 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
18428 NULL, 0, "Latest referral version number understood", HFILL }},
18430 { &hf_smb_qfsi_information_level,
18431 { "Level of Interest", "smb.qfsi_loi", FT_UINT16, BASE_HEX,
18432 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
18434 { &hf_smb_nt_rename_level,
18435 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
18436 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
18438 { &hf_smb_cluster_count,
18439 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
18440 NULL, 0, "Number of clusters", HFILL }},
18442 { &hf_smb_number_of_links,
18443 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
18444 NULL, 0, "Number of hard links to the file", HFILL }},
18446 { &hf_smb_delete_pending,
18447 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
18448 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
18450 { &hf_smb_index_number,
18451 { "Index Number", "smb.index_number", FT_UINT64, BASE_HEX,
18452 NULL, 0, "File system unique identifier", HFILL }},
18454 { &hf_smb_position,
18455 { "Position", "smb.position", FT_UINT64, BASE_DEC,
18456 NULL, 0, "File position", HFILL }},
18458 { &hf_smb_current_offset,
18459 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
18460 NULL, 0, "Current offset in the file", HFILL }},
18462 { &hf_smb_t2_alignment,
18463 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
18464 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
18466 { &hf_smb_t2_stream_name_length,
18467 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
18468 NULL, 0, "Length of stream name", HFILL }},
18470 { &hf_smb_t2_stream_size,
18471 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
18472 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18474 { &hf_smb_t2_stream_name,
18475 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
18476 NULL, 0, "Name of the stream", HFILL }},
18478 { &hf_smb_t2_compressed_file_size,
18479 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
18480 NULL, 0, "Size of the compressed file", HFILL }},
18482 { &hf_smb_t2_compressed_format,
18483 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
18484 NULL, 0, "Compression algorithm used", HFILL }},
18486 { &hf_smb_t2_compressed_unit_shift,
18487 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
18488 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18490 { &hf_smb_t2_compressed_chunk_shift,
18491 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
18492 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18494 { &hf_smb_t2_compressed_cluster_shift,
18495 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
18496 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18498 { &hf_smb_t2_marked_for_deletion,
18499 { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
18500 TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
18502 { &hf_smb_dfs_path_consumed,
18503 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
18504 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
18506 { &hf_smb_dfs_num_referrals,
18507 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
18508 NULL, 0, "Number of referrals in this pdu", HFILL }},
18510 { &hf_smb_get_dfs_server_hold_storage,
18511 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
18512 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
18514 { &hf_smb_get_dfs_fielding,
18515 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
18516 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
18518 { &hf_smb_dfs_referral_version,
18519 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
18520 NULL, 0, "Version of referral element", HFILL }},
18522 { &hf_smb_dfs_referral_size,
18523 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
18524 NULL, 0, "Size of referral element", HFILL }},
18526 { &hf_smb_dfs_referral_server_type,
18527 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
18528 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
18530 { &hf_smb_dfs_referral_flags_strip,
18531 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
18532 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
18534 { &hf_smb_dfs_referral_node_offset,
18535 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
18536 NULL, 0, "Offset of name of entity to visit next", HFILL }},
18538 { &hf_smb_dfs_referral_node,
18539 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
18540 NULL, 0, "Name of entity to visit next", HFILL }},
18542 { &hf_smb_dfs_referral_proximity,
18543 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
18544 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
18546 { &hf_smb_dfs_referral_ttl,
18547 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
18548 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
18550 { &hf_smb_dfs_referral_path_offset,
18551 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
18552 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
18554 { &hf_smb_dfs_referral_path,
18555 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
18556 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
18558 { &hf_smb_dfs_referral_alt_path_offset,
18559 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
18560 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
18562 { &hf_smb_dfs_referral_alt_path,
18563 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
18564 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
18566 { &hf_smb_end_of_search,
18567 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
18568 NULL, 0, "Was last entry returned?", HFILL }},
18570 { &hf_smb_last_name_offset,
18571 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
18572 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
18574 { &hf_smb_fn_information_level,
18575 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
18576 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
18578 { &hf_smb_monitor_handle,
18579 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
18580 NULL, 0, "Handle for Find Notify operations", HFILL }},
18582 { &hf_smb_change_count,
18583 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
18584 NULL, 0, "Number of changes to wait for", HFILL }},
18586 { &hf_smb_file_index,
18587 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
18588 NULL, 0, "File index", HFILL }},
18590 { &hf_smb_short_file_name,
18591 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
18592 NULL, 0, "Short (8.3) File Name", HFILL }},
18594 { &hf_smb_short_file_name_len,
18595 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
18596 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
18599 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
18600 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
18602 { &hf_smb_sector_unit,
18603 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
18604 NULL, 0, "Sectors per allocation unit", HFILL }},
18606 { &hf_smb_fs_units,
18607 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
18608 NULL, 0, "Total number of units on this filesystem", HFILL }},
18610 { &hf_smb_fs_sector,
18611 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
18612 NULL, 0, "Bytes per sector", HFILL }},
18614 { &hf_smb_avail_units,
18615 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
18616 NULL, 0, "Total number of available units on this filesystem", HFILL }},
18618 { &hf_smb_volume_serial_num,
18619 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
18620 NULL, 0, "Volume serial number", HFILL }},
18622 { &hf_smb_volume_label_len,
18623 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
18624 NULL, 0, "Length of volume label", HFILL }},
18626 { &hf_smb_volume_label,
18627 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
18628 NULL, 0, "Volume label", HFILL }},
18630 { &hf_smb_free_alloc_units64,
18631 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
18632 NULL, 0, "Number of free allocation units", HFILL }},
18634 { &hf_smb_caller_free_alloc_units64,
18635 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
18636 NULL, 0, "Number of caller free allocation units", HFILL }},
18638 { &hf_smb_actual_free_alloc_units64,
18639 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
18640 NULL, 0, "Number of actual free allocation units", HFILL }},
18642 { &hf_smb_soft_quota_limit,
18643 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
18644 NULL, 0, "Soft Quota treshold", HFILL }},
18646 { &hf_smb_hard_quota_limit,
18647 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
18648 NULL, 0, "Hard Quota limit", HFILL }},
18650 { &hf_smb_user_quota_used,
18651 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
18652 NULL, 0, "How much Quota is used by this user", HFILL }},
18654 { &hf_smb_max_name_len,
18655 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
18656 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
18658 { &hf_smb_fs_name_len,
18659 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
18660 NULL, 0, "Length of filesystem name in bytes", HFILL }},
18663 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
18664 NULL, 0, "Name of filesystem", HFILL }},
18666 { &hf_smb_device_char_removable,
18667 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
18668 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
18670 { &hf_smb_device_char_read_only,
18671 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
18672 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
18674 { &hf_smb_device_char_floppy,
18675 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
18676 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
18678 { &hf_smb_device_char_write_once,
18679 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
18680 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
18682 { &hf_smb_device_char_remote,
18683 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
18684 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
18686 { &hf_smb_device_char_mounted,
18687 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
18688 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
18690 { &hf_smb_device_char_virtual,
18691 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
18692 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
18694 { &hf_smb_fs_attr_css,
18695 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
18696 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
18698 { &hf_smb_fs_attr_cpn,
18699 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
18700 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
18702 { &hf_smb_fs_attr_uod,
18703 { "Unicode On Disk", "smb.fs_attr.uod", FT_BOOLEAN, 32,
18704 TFS(&tfs_fs_attr_uod), 0x00000004, "Does this FS support Unicode On Disk?", HFILL }},
18706 { &hf_smb_fs_attr_pacls,
18707 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
18708 TFS(&tfs_fs_attr_pacls), 0x00000008, "Does this FS support Persistent ACLs?", HFILL }},
18710 { &hf_smb_fs_attr_fc,
18711 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
18712 TFS(&tfs_fs_attr_fc), 0x00000010, "Does this FS support File Compression?", HFILL }},
18714 { &hf_smb_fs_attr_vq,
18715 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
18716 TFS(&tfs_fs_attr_vq), 0x00000020, "Does this FS support Volume Quotas?", HFILL }},
18718 { &hf_smb_fs_attr_ssf,
18719 { "Sparse Files", "smb.fs_attr.ssf", FT_BOOLEAN, 32,
18720 TFS(&tfs_fs_attr_ssf), 0x00000040, "Does this FS support SPARSE FILES?", HFILL }},
18722 { &hf_smb_fs_attr_srp,
18723 { "Reparse Points", "smb.fs_attr.srp", FT_BOOLEAN, 32,
18724 TFS(&tfs_fs_attr_srp), 0x00000080, "Does this FS support REPARSE POINTS?", HFILL }},
18726 { &hf_smb_fs_attr_srs,
18727 { "Remote Storage", "smb.fs_attr.srs", FT_BOOLEAN, 32,
18728 TFS(&tfs_fs_attr_srs), 0x00000100, "Does this FS support REMOTE STORAGE?", HFILL }},
18730 { &hf_smb_fs_attr_sla,
18731 { "LFN APIs", "smb.fs_attr.sla", FT_BOOLEAN, 32,
18732 TFS(&tfs_fs_attr_sla), 0x00004000, "Does this FS support LFN APIs?", HFILL }},
18734 { &hf_smb_fs_attr_vic,
18735 { "Volume Is Compressed", "smb.fs_attr.vis", FT_BOOLEAN, 32,
18736 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS on a compressed volume?", HFILL }},
18738 { &hf_smb_fs_attr_soids,
18739 { "Supports OIDs", "smb.fs_attr.soids", FT_BOOLEAN, 32,
18740 TFS(&tfs_fs_attr_soids), 0x00010000, "Does this FS support OIDs?", HFILL }},
18742 { &hf_smb_fs_attr_se,
18743 { "Supports Encryption", "smb.fs_attr.se", FT_BOOLEAN, 32,
18744 TFS(&tfs_fs_attr_se), 0x00020000, "Does this FS support encryption?", HFILL }},
18746 { &hf_smb_fs_attr_ns,
18747 { "Named Streams", "smb.fs_attr.ns", FT_BOOLEAN, 32,
18748 TFS(&tfs_fs_attr_ns), 0x00040000, "Does this FS support named streams?", HFILL }},
18750 { &hf_smb_fs_attr_rov,
18751 { "Read Only Volume", "smb.fs_attr.rov", FT_BOOLEAN, 32,
18752 TFS(&tfs_fs_attr_rov), 0x00080000, "Is this FS on a read only volume?", HFILL }},
18754 { &hf_smb_user_quota_offset,
18755 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
18756 NULL, 0, "Relative offset to next user quota structure", HFILL }},
18758 { &hf_smb_pipe_write_len,
18759 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
18760 NULL, 0, "Number of bytes written to pipe", HFILL }},
18762 { &hf_smb_quota_flags_deny_disk,
18763 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
18764 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
18766 { &hf_smb_quota_flags_log_limit,
18767 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
18768 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
18770 { &hf_smb_quota_flags_log_warning,
18771 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
18772 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
18774 { &hf_smb_quota_flags_enabled,
18775 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
18776 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
18778 { &hf_smb_segment_overlap,
18779 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18780 "Fragment overlaps with other fragments", HFILL }},
18782 { &hf_smb_segment_overlap_conflict,
18783 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18784 "Overlapping fragments contained conflicting data", HFILL }},
18786 { &hf_smb_segment_multiple_tails,
18787 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18788 "Several tails were found when defragmenting the packet", HFILL }},
18790 { &hf_smb_segment_too_long_fragment,
18791 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18792 "Fragment contained data past end of packet", HFILL }},
18794 { &hf_smb_segment_error,
18795 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18796 "Defragmentation error due to illegal fragments", HFILL }},
18798 { &hf_smb_opened_in,
18799 { "Opened in", "smb.fid.opened_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18800 "The frame this fid was opened", HFILL }},
18802 { &hf_smb_closed_in,
18803 { "Closed in", "smb.fid.closed_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18804 "The frame this fid was closed", HFILL }},
18806 { &hf_smb_mapped_in,
18807 { "Mapped in", "smb.fid.mapped_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18808 "The frame this share was mapped", HFILL }},
18810 { &hf_smb_unmapped_in,
18811 { "Unmapped in", "smb.fid.unmapped_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18812 "The frame this share was unmapped", HFILL }},
18815 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18816 "SMB Segment", HFILL }},
18818 { &hf_smb_segments,
18819 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
18820 "SMB Segments", HFILL }},
18822 { &hf_smb_unix_major_version,
18823 { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
18824 NULL, 0, "UNIX Major Version", HFILL }},
18826 { &hf_smb_unix_minor_version,
18827 { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
18828 NULL, 0, "UNIX Minor Version", HFILL }},
18830 { &hf_smb_unix_capability_fcntl,
18831 { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
18832 TFS(&flags_set_truth), 0x00000001, "", HFILL }},
18834 { &hf_smb_unix_capability_posix_acl,
18835 { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
18836 TFS(&flags_set_truth), 0x00000002, "", HFILL }},
18838 { &hf_smb_file_access_mask_read_data,
18839 { "Read Data", "smb.file.accessmask.read_data", FT_BOOLEAN, 32,
18840 TFS(&flags_set_truth), 0x00000001, "", HFILL }},
18842 { &hf_smb_file_access_mask_write_data,
18843 { "Write Data", "smb.file.accessmask.write_data", FT_BOOLEAN, 32,
18844 TFS(&flags_set_truth), 0x00000002, "", HFILL }},
18846 { &hf_smb_file_access_mask_append_data,
18847 { "Append Data", "smb.file.accessmask.append_data", FT_BOOLEAN, 32,
18848 TFS(&flags_set_truth), 0x00000004, "", HFILL }},
18850 { &hf_smb_file_access_mask_read_ea,
18851 { "Read EA", "smb.file.accessmask.read_ea", FT_BOOLEAN, 32,
18852 TFS(&flags_set_truth), 0x00000008, "", HFILL }},
18854 { &hf_smb_file_access_mask_write_ea,
18855 { "Write EA", "smb.file.accessmask.write_ea", FT_BOOLEAN, 32,
18856 TFS(&flags_set_truth), 0x00000010, "", HFILL }},
18858 { &hf_smb_file_access_mask_execute,
18859 { "Execute", "smb.file.accessmask.execute", FT_BOOLEAN, 32,
18860 TFS(&flags_set_truth), 0x00000020, "", HFILL }},
18862 { &hf_smb_file_access_mask_read_attribute,
18863 { "Read Attribute", "smb.file.accessmask.read_attribute", FT_BOOLEAN, 32,
18864 TFS(&flags_set_truth), 0x00000080, "", HFILL }},
18866 { &hf_smb_file_access_mask_write_attribute,
18867 { "Write Attribute", "smb.file.accessmask.write_attribute", FT_BOOLEAN, 32,
18868 TFS(&flags_set_truth), 0x00000100, "", HFILL }},
18870 { &hf_smb_dir_access_mask_list,
18871 { "List", "smb.dir.accessmask.list", FT_BOOLEAN, 32,
18872 TFS(&flags_set_truth), 0x00000001, "", HFILL }},
18874 { &hf_smb_dir_access_mask_add_file,
18875 { "Add File", "smb.dir.accessmask.add_file", FT_BOOLEAN, 32,
18876 TFS(&flags_set_truth), 0x00000002, "", HFILL }},
18878 { &hf_smb_dir_access_mask_add_subdir,
18879 { "Add Subdir", "smb.dir.accessmask.add_subdir", FT_BOOLEAN, 32,
18880 TFS(&flags_set_truth), 0x00000004, "", HFILL }},
18882 { &hf_smb_dir_access_mask_read_ea,
18883 { "Read EA", "smb.dir.accessmask.read_ea", FT_BOOLEAN, 32,
18884 TFS(&flags_set_truth), 0x00000008, "", HFILL }},
18886 { &hf_smb_dir_access_mask_write_ea,
18887 { "Write EA", "smb.dir.accessmask.write_ea", FT_BOOLEAN, 32,
18888 TFS(&flags_set_truth), 0x00000010, "", HFILL }},
18890 { &hf_smb_dir_access_mask_traverse,
18891 { "Traverse", "smb.dir.accessmask.traverse", FT_BOOLEAN, 32,
18892 TFS(&flags_set_truth), 0x00000020, "", HFILL }},
18894 { &hf_smb_dir_access_mask_delete_child,
18895 { "Delete Child", "smb.dir.accessmask.delete_child", FT_BOOLEAN, 32,
18896 TFS(&flags_set_truth), 0x00000040, "", HFILL }},
18898 { &hf_smb_dir_access_mask_read_attribute,
18899 { "Read Attribute", "smb.dir.accessmask.read_attribute", FT_BOOLEAN, 32,
18900 TFS(&flags_set_truth), 0x00000080, "", HFILL }},
18902 { &hf_smb_dir_access_mask_write_attribute,
18903 { "Write Attribute", "smb.dir.accessmask.write_attribute", FT_BOOLEAN, 32,
18904 TFS(&flags_set_truth), 0x00000100, "", HFILL }},
18906 { &hf_smb_unix_file_size,
18907 { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
18908 NULL, 0, "", HFILL }},
18910 { &hf_smb_unix_file_num_bytes,
18911 { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
18912 NULL, 0, "Number of bytes used to store the file", HFILL }},
18914 { &hf_smb_unix_file_last_status,
18915 { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, BASE_NONE,
18916 NULL, 0, "", HFILL }},
18918 { &hf_smb_unix_file_last_access,
18919 { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, BASE_NONE,
18920 NULL, 0, "", HFILL }},
18922 { &hf_smb_unix_file_last_change,
18923 { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, BASE_NONE,
18924 NULL, 0, "", HFILL }},
18926 { &hf_smb_unix_file_uid,
18927 { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
18928 NULL, 0, "", HFILL }},
18930 { &hf_smb_unix_file_gid,
18931 { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
18932 NULL, 0, "", HFILL }},
18934 { &hf_smb_unix_file_type,
18935 { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
18936 VALS(unix_file_type_vals), 0, "", HFILL }},
18938 { &hf_smb_unix_file_dev_major,
18939 { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
18940 NULL, 0, "", HFILL }},
18942 { &hf_smb_unix_file_dev_minor,
18943 { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
18944 NULL, 0, "", HFILL }},
18946 { &hf_smb_unix_file_unique_id,
18947 { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
18948 NULL, 0, "", HFILL }},
18950 { &hf_smb_unix_file_permissions,
18951 { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
18952 NULL, 0, "", HFILL }},
18954 { &hf_smb_unix_file_nlinks,
18955 { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
18956 NULL, 0, "", HFILL }},
18958 { &hf_smb_unix_file_link_dest,
18959 { "Link destination", "smb.unix.file.link_dest", FT_STRING,
18960 BASE_NONE, NULL, 0, "", HFILL }},
18962 { &hf_smb_unix_find_file_nextoffset,
18963 { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
18964 NULL, 0, "", HFILL }},
18966 { &hf_smb_unix_find_file_resumekey,
18967 { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
18968 NULL, 0, "", HFILL }},
18970 { &hf_smb_network_unknown,
18971 { "Unknown field", "smb.unknown", FT_UINT32, BASE_HEX,
18972 NULL, 0, "", HFILL }},
18974 { &hf_smb_create_flags,
18975 { "Create Flags", "smb.create_flags", FT_UINT32, BASE_HEX,
18976 NULL, 0, "", HFILL }},
18978 { &hf_smb_create_options,
18979 { "Create Options", "smb.create_options", FT_UINT32, BASE_HEX,
18980 NULL, 0, "", HFILL }},
18982 { &hf_smb_share_access,
18983 { "Share Access", "smb.share_access", FT_UINT32, BASE_HEX,
18984 NULL, 0, "", HFILL }},
18986 { &hf_smb_access_mask,
18987 { "Access Mask", "smb.access_mask", FT_UINT32, BASE_HEX,
18988 NULL, 0, "", HFILL }},
18991 { "Mode", "smb.mode", FT_UINT32, BASE_HEX,
18992 NULL, 0, "", HFILL }},
18994 { &hf_smb_attribute,
18995 { "Attribute", "smb.attribute", FT_UINT32, BASE_HEX,
18996 NULL, 0, "", HFILL }},
18998 { &hf_smb_reparse_tag,
18999 { "Reparse Tag", "smb.reparse_tag", FT_UINT32, BASE_HEX,
19000 NULL, 0, "", HFILL }},
19002 { &hf_smb_disposition_delete_on_close,
19003 { "Delete on close", "smb.disposition.delete_on_close", FT_BOOLEAN, 8,
19004 TFS(&tfs_disposition_delete_on_close), 0x01, "", HFILL }},
19006 { &hf_smb_pipe_info_flag,
19007 { "Pipe Info", "smb.pipe_info_flag", FT_BOOLEAN, 8,
19008 TFS(&tfs_pipe_info_flag), 0x01, "", HFILL }},
19010 { &hf_smb_logged_in,
19011 { "Logged In", "smb.logged_in", FT_FRAMENUM, BASE_DEC,
19012 NULL, 0, "", HFILL }},
19014 { &hf_smb_logged_out,
19015 { "Logged Out", "smb.logged_out", FT_FRAMENUM, BASE_DEC,
19016 NULL, 0, "", HFILL }},
19018 { &hf_smb_file_rw_offset,
19019 { "File Offset", "smb.file.rw.offset", FT_UINT32, BASE_DEC,
19020 NULL, 0, "", HFILL }},
19022 { &hf_smb_file_rw_length,
19023 { "File RW Length", "smb.file.rw.length", FT_UINT32, BASE_DEC,
19024 NULL, 0, "", HFILL }},
19026 { &hf_smb_posix_acl_version,
19027 { "Posix ACL version", "smb.posix_acl.version", FT_UINT16, BASE_DEC,
19028 NULL, 0, "", HFILL }},
19030 { &hf_smb_posix_num_file_aces,
19031 { "Number of file ACEs", "smb.posix_acl.num_file_aces", FT_UINT16, BASE_DEC,
19032 NULL, 0, "", HFILL }},
19034 { &hf_smb_posix_num_def_aces,
19035 { "Number of default ACEs", "smb.posix_acl.num_def_aces", FT_UINT16, BASE_DEC,
19036 NULL, 0, "", HFILL }},
19038 { &hf_smb_posix_ace_type,
19039 { "ACE Type", "smb.posix_acl.ace_type", FT_UINT8, BASE_DEC,
19040 VALS(&ace_type_vals), 0, "", HFILL }},
19042 { &hf_smb_posix_ace_flags,
19043 { "Permissions", "smb.posix_acl.ace_perms", FT_UINT8, BASE_HEX,
19044 NULL, 0, "", HFILL }},
19046 { &hf_smb_posix_ace_perm_read,
19047 {"READ", "smb.posix_acl.ace_perms.read", FT_BOOLEAN, 8,
19048 NULL, 0x04, "", HFILL}},
19050 { &hf_smb_posix_ace_perm_write,
19051 {"WRITE", "smb.posix_acl.ace_perms.write", FT_BOOLEAN, 8,
19052 NULL, 0x02, "", HFILL}},
19054 { &hf_smb_posix_ace_perm_execute,
19055 {"EXECUTE", "smb.posix_acl.ace_perms.execute", FT_BOOLEAN, 8,
19056 NULL, 0x01, "", HFILL}},
19058 { &hf_smb_posix_ace_perm_owner_uid,
19059 { "Owner UID", "smb.posix_acl.ace_perms.owner_uid", FT_UINT32, BASE_DEC,
19060 NULL, 0, "", HFILL }},
19062 { &hf_smb_posix_ace_perm_owner_gid,
19063 { "Owner GID", "smb.posix_acl.ace_perms.owner_gid", FT_UINT32, BASE_DEC,
19064 NULL, 0, "", HFILL }},
19066 { &hf_smb_posix_ace_perm_uid,
19067 { "UID", "smb.posix_acl.ace_perms.uid", FT_UINT32, BASE_DEC,
19068 NULL, 0, "", HFILL }},
19070 { &hf_smb_posix_ace_perm_gid,
19071 { "GID", "smb.posix_acl.ace_perms.gid", FT_UINT32, BASE_DEC,
19072 NULL, 0, "", HFILL }},
19076 static gint *ett[] = {
19083 &ett_smb_fileattributes,
19084 &ett_smb_capabilities,
19092 &ett_smb_desiredaccess,
19095 &ett_smb_openfunction,
19097 &ett_smb_openaction,
19098 &ett_smb_writemode,
19099 &ett_smb_lock_type,
19100 &ett_smb_ssetupandxaction,
19101 &ett_smb_optionsup,
19102 &ett_smb_time_date,
19103 &ett_smb_move_copy_flags,
19104 &ett_smb_file_attributes,
19105 &ett_smb_search_resume_key,
19106 &ett_smb_search_dir_info,
19111 &ett_smb_open_flags,
19112 &ett_smb_ipc_state,
19113 &ett_smb_open_action,
19114 &ett_smb_setup_action,
19115 &ett_smb_connect_flags,
19116 &ett_smb_connect_support_bits,
19117 &ett_smb_nt_access_mask,
19118 &ett_smb_nt_create_bits,
19119 &ett_smb_nt_create_options,
19120 &ett_smb_nt_share_access,
19121 &ett_smb_nt_security_flags,
19122 &ett_smb_nt_trans_setup,
19123 &ett_smb_nt_trans_data,
19124 &ett_smb_nt_trans_param,
19125 &ett_smb_nt_notify_completion_filter,
19126 &ett_smb_nt_ioctl_flags,
19127 &ett_smb_security_information_mask,
19128 &ett_smb_print_queue_entry,
19129 &ett_smb_transaction_flags,
19130 &ett_smb_transaction_params,
19131 &ett_smb_find_first2_flags,
19135 &ett_smb_transaction_data,
19136 &ett_smb_stream_info,
19137 &ett_smb_dfs_referrals,
19138 &ett_smb_dfs_referral,
19139 &ett_smb_dfs_referral_flags,
19140 &ett_smb_get_dfs_flags,
19142 &ett_smb_device_characteristics,
19143 &ett_smb_fs_attributes,
19146 &ett_smb_quotaflags,
19148 &ett_smb_mac_support_flags,
19149 &ett_smb_unicode_password,
19151 &ett_smb_unix_capabilities,
19152 &ett_smb_posic_ace,
19153 &ett_smb_posix_ace_perms
19155 module_t *smb_module;
19157 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
19159 proto_register_subtree_array(ett, array_length(ett));
19160 proto_register_field_array(proto_smb, hf, array_length(hf));
19162 proto_do_register_windows_common(proto_smb);
19164 register_init_routine(&smb_init_protocol);
19165 smb_module = prefs_register_protocol(proto_smb, NULL);
19166 prefs_register_bool_preference(smb_module, "trans_reassembly",
19167 "Reassemble SMB Transaction payload",
19168 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
19169 &smb_trans_reassembly);
19170 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
19171 "Reassemble DCERPC over SMB",
19172 "Whether the dissector should reassemble DCERPC over SMB commands",
19173 &smb_dcerpc_reassembly);
19174 prefs_register_bool_preference(smb_module, "sid_name_snooping",
19175 "Snoop SID to Name mappings",
19176 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
19177 &sid_name_snooping);
19179 register_init_routine(smb_trans_reassembly_init);
19180 smb_tap = register_tap("smb");
/*
 * Handoff routine for the SMB dissector.
 *
 * Looks up the "gssapi" and "ntlmssp" dissectors and stores their handles
 * in gssapi_handle / ntlmssp_handle (both defined outside this function),
 * then attaches the SMB dissector to its transports:
 *   - dissect_smb_heur as a heuristic dissector under "netbios", "cotp"
 *     and "vines_spp";
 *   - dissect_smb on the three NWLink SMB IPX sockets and on the SPP
 *     socket IDP_SOCKET_SMB.
 *
 * Every registration below is a path by which bytes taken straight from a
 * capture reach dissect_smb()/dissect_smb_heur(); those bytes are whatever
 * was on the wire, so the dissection code has to treat all lengths, counts
 * and offsets it reads from them as untrusted.
 *
 * NOTE(review): find_dissector() returns NULL for a name that is not
 * registered, and neither result is checked here -- confirm that the code
 * using gssapi_handle and ntlmssp_handle tolerates a NULL handle.
 */
void
proto_reg_handoff_smb(void)
{
	/* Parent protocols whose payload is offered to the SMB heuristic. */
	static const char *const heur_parents[] = {
		"netbios",
		"cotp",
		"vines_spp"
	};
	/* IPX socket numbers that carry SMB over NWLink. */
	static const guint32 ipx_sockets[] = {
		IPX_SOCKET_NWLINK_SMB_SERVER,
		IPX_SOCKET_NWLINK_SMB_REDIR,
		IPX_SOCKET_NWLINK_SMB_MESSENGER
	};
	dissector_handle_t handle;
	guint idx;

	/* Sub-dissectors used for security blobs carried inside SMB. */
	gssapi_handle = find_dissector("gssapi");
	ntlmssp_handle = find_dissector("ntlmssp");

	/* Heuristic entry points: same registration order as the table. */
	for (idx = 0; idx < array_length(heur_parents); idx++) {
		heur_dissector_add(heur_parents[idx], dissect_smb_heur,
		    proto_smb);
	}

	/* Direct (non-heuristic) entry points share a single handle. */
	handle = create_dissector_handle(dissect_smb, proto_smb);
	for (idx = 0; idx < array_length(ipx_sockets); idx++) {
		dissector_add("ipx.socket", ipx_sockets[idx], handle);
	}
	dissector_add("spp.socket", IDP_SOCKET_SMB, handle);
}