2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/conversation.h>
41 #include <epan/emem.h>
42 #include <epan/dissectors/packet-smb.h>
43 #include <epan/strutil.h>
44 #include <epan/prefs.h>
45 #include <epan/reassemble.h>
47 #include "packet-ipx.h"
48 #include "packet-idp.h"
50 #include "packet-windows-common.h"
51 #include "packet-smb-common.h"
52 #include "packet-smb-mailslot.h"
53 #include "packet-smb-pipe.h"
54 #include "packet-dcerpc.h"
55 #include "packet-ntlmssp.h"
56 #include "packet-smb2.h"
59 * Various specifications and documents about SMB can be found in
61 * ftp://ftp.microsoft.com/developr/drg/CIFS/
63 * and a CIFS specification from the Storage Networking Industry Association
64 * can be found on a link from the page at
66 * http://www.snia.org/tech_activities/CIFS
68 * (it supersedes the document at
70 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
74 * There are also some Open Group publications documenting CIFS available
75 * for download; catalog entries for them are at:
77 * http://www.opengroup.org/products/publications/catalog/c209.htm
79 * http://www.opengroup.org/products/publications/catalog/c195.htm
81 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
84 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
86 * (or, presumably a similar path under the Samba mirrors). As the
87 * ".doc" indicates, it's a Word document. Some of the specs from the
88 * Microsoft FTP site can be found in the
90 * http://www.samba.org/samba/ftp/specs/
94 * Beware - these specs may have errors.
97 /* DFS referral entry flags */
/*
 * Bit masks for the flags value of a DFS referral entry.  Each mask has a
 * name-matched field index declared in this file
 * (hf_smb_dfs_referral_flags_name_list_referral and
 * hf_smb_dfs_referral_flags_target_set_boundary).
 */
98 #define REFENT_FLAGS_NAME_LIST_REFERRAL 0x0002
99 #define REFENT_FLAGS_TARGET_SET_BOUNDARY 0x0004
/*
 * Protocol index and header-field ("hf") indices for the SMB dissector.
 * Every index starts at -1; the code that assigns the real values is outside
 * this excerpt (presumably the protocol registration routine -- confirm
 * there).  The indices are handed to proto_tree_add_* calls, as the
 * word-count and byte-count macros later in this file do with
 * hf_smb_word_count and hf_smb_byte_count.
 */
102 static int proto_smb = -1;
103 static int hf_smb_cmd = -1;
104 static int hf_smb_mapped_in = -1;
105 static int hf_smb_unmapped_in = -1;
106 static int hf_smb_opened_in = -1;
107 static int hf_smb_closed_in = -1;
108 static int hf_smb_key = -1;
109 static int hf_smb_session_id = -1;
110 static int hf_smb_sequence_num = -1;
111 static int hf_smb_group_id = -1;
112 static int hf_smb_pid = -1;
113 static int hf_smb_tid = -1;
114 static int hf_smb_uid = -1;
115 static int hf_smb_mid = -1;
116 static int hf_smb_pid_high = -1;
117 static int hf_smb_sig = -1;
118 static int hf_smb_response_to = -1;
119 static int hf_smb_time = -1;
120 static int hf_smb_response_in = -1;
121 static int hf_smb_continuation_to = -1;
122 static int hf_smb_nt_status = -1;
123 static int hf_smb_error_class = -1;
124 static int hf_smb_error_code = -1;
125 static int hf_smb_reserved = -1;
126 static int hf_smb_create_flags = -1;
127 static int hf_smb_create_options = -1;
128 static int hf_smb_share_access = -1;
129 static int hf_smb_access_mask = -1;
/* hf_smb_flags_*: one index per bit of the header flags, going by the names. */
130 static int hf_smb_flags_lock = -1;
131 static int hf_smb_flags_receive_buffer = -1;
132 static int hf_smb_flags_caseless = -1;
133 static int hf_smb_flags_canon = -1;
134 static int hf_smb_flags_oplock = -1;
135 static int hf_smb_flags_notify = -1;
136 static int hf_smb_flags_response = -1;
/*
 * hf_smb_flags2_*: one index per bit of the second flags value, going by the
 * names.  NOTE(review): hf_smb_flags2_sec_sig looks like the
 * security-signature bit, which is the field to filter on when checking a
 * capture for unsigned SMB traffic -- confirm against the field registration.
 */
137 static int hf_smb_flags2_long_names_allowed = -1;
138 static int hf_smb_flags2_ea = -1;
139 static int hf_smb_flags2_sec_sig = -1;
140 static int hf_smb_flags2_long_names_used = -1;
141 static int hf_smb_flags2_esn = -1;
142 static int hf_smb_flags2_dfs = -1;
143 static int hf_smb_flags2_roe = -1;
144 static int hf_smb_flags2_nt_error = -1;
145 static int hf_smb_flags2_string = -1;
/* Word count and byte count: both values are read straight from the packet. */
146 static int hf_smb_word_count = -1;
147 static int hf_smb_byte_count = -1;
/*
 * Field indices that, going by their names, cover dialect negotiation,
 * server capabilities, echo and session-setup passwords.  All start at -1
 * and are assigned outside this excerpt.
 *
 * NOTE(review): hf_smb_session_key, hf_smb_encryption_key,
 * hf_smb_security_blob and the hf_smb_*password* indices name fields that
 * would expose authentication material present in a capture.  Captures and
 * exported dissections that populate them should be handled as sensitive
 * data -- confirm what each field actually displays in the registration
 * table.
 */
148 static int hf_smb_buffer_format = -1;
149 static int hf_smb_dialect_name = -1;
150 static int hf_smb_dialect_index = -1;
151 static int hf_smb_max_trans_buf_size = -1;
152 static int hf_smb_max_mpx_count = -1;
153 static int hf_smb_max_vcs_num = -1;
154 static int hf_smb_session_key = -1;
155 static int hf_smb_server_timezone = -1;
156 static int hf_smb_encryption_key_length = -1;
157 static int hf_smb_encryption_key = -1;
158 static int hf_smb_primary_domain = -1;
159 static int hf_smb_server = -1;
160 static int hf_smb_max_raw_buf_size = -1;
161 static int hf_smb_server_guid = -1;
162 static int hf_smb_security_blob_len = -1;
163 static int hf_smb_security_blob = -1;
/*
 * hf_smb_sm_*: security-mode fields.  NOTE(review): the _signatures and
 * _sig_required names suggest these report whether the server offers or
 * enforces message signing -- confirm against the registration table.
 */
164 static int hf_smb_sm_mode16 = -1;
165 static int hf_smb_sm_password16 = -1;
166 static int hf_smb_sm_mode = -1;
167 static int hf_smb_sm_password = -1;
168 static int hf_smb_sm_signatures = -1;
169 static int hf_smb_sm_sig_required = -1;
170 static int hf_smb_rm_read = -1;
171 static int hf_smb_rm_write = -1;
172 static int hf_smb_server_date_time = -1;
173 static int hf_smb_server_smb_date = -1;
174 static int hf_smb_server_smb_time = -1;
/* hf_smb_server_cap_*: one index per server capability bit, going by the names. */
175 static int hf_smb_server_cap_raw_mode = -1;
176 static int hf_smb_server_cap_mpx_mode = -1;
177 static int hf_smb_server_cap_unicode = -1;
178 static int hf_smb_server_cap_large_files = -1;
179 static int hf_smb_server_cap_nt_smbs = -1;
180 static int hf_smb_server_cap_rpc_remote_apis = -1;
181 static int hf_smb_server_cap_nt_status = -1;
182 static int hf_smb_server_cap_level_ii_oplocks = -1;
183 static int hf_smb_server_cap_lock_and_read = -1;
184 static int hf_smb_server_cap_nt_find = -1;
185 static int hf_smb_server_cap_dfs = -1;
186 static int hf_smb_server_cap_infolevel_passthru = -1;
187 static int hf_smb_server_cap_large_readx = -1;
188 static int hf_smb_server_cap_large_writex = -1;
189 static int hf_smb_server_cap_unix = -1;
190 static int hf_smb_server_cap_reserved = -1;
191 static int hf_smb_server_cap_bulk_transfer = -1;
192 static int hf_smb_server_cap_compressed_data = -1;
193 static int hf_smb_server_cap_extended_security = -1;
194 static int hf_smb_system_time = -1;
195 static int hf_smb_unknown = -1;
196 static int hf_smb_dir_name = -1;
197 static int hf_smb_echo_count = -1;
198 static int hf_smb_echo_data = -1;
199 static int hf_smb_echo_seq_num = -1;
200 static int hf_smb_max_buf_size = -1;
/* Password fields and their lengths; see the sensitivity note at the top of this group. */
201 static int hf_smb_password = -1;
202 static int hf_smb_password_len = -1;
203 static int hf_smb_ansi_password = -1;
204 static int hf_smb_ansi_password_len = -1;
205 static int hf_smb_unicode_password = -1;
206 static int hf_smb_unicode_password_len = -1;
/*
 * Field indices that, going by their names, cover paths, move/copy flags,
 * file and directory access masks, file attributes, search attributes,
 * access modes, timestamps and Macintosh-extension values.  All start at -1
 * and are assigned outside this excerpt.
 */
207 static int hf_smb_path = -1;
208 static int hf_smb_service = -1;
209 static int hf_smb_move_flags_file = -1;
210 static int hf_smb_move_flags_dir = -1;
211 static int hf_smb_move_flags_verify = -1;
212 static int hf_smb_files_moved = -1;
/* Access-mask bits: separate index sets for files and for directories. */
213 static int hf_smb_file_access_mask_read_data = -1;
214 static int hf_smb_file_access_mask_write_data = -1;
215 static int hf_smb_file_access_mask_append_data = -1;
216 static int hf_smb_file_access_mask_read_ea = -1;
217 static int hf_smb_file_access_mask_write_ea = -1;
218 static int hf_smb_file_access_mask_execute = -1;
219 static int hf_smb_file_access_mask_read_attribute = -1;
220 static int hf_smb_file_access_mask_write_attribute = -1;
221 static int hf_smb_dir_access_mask_list = -1;
222 static int hf_smb_dir_access_mask_add_file = -1;
223 static int hf_smb_dir_access_mask_add_subdir = -1;
224 static int hf_smb_dir_access_mask_read_ea = -1;
225 static int hf_smb_dir_access_mask_write_ea = -1;
226 static int hf_smb_dir_access_mask_traverse = -1;
227 static int hf_smb_dir_access_mask_delete_child = -1;
228 static int hf_smb_dir_access_mask_read_attribute = -1;
229 static int hf_smb_dir_access_mask_write_attribute = -1;
230 static int hf_smb_copy_flags_file = -1;
231 static int hf_smb_copy_flags_dir = -1;
232 static int hf_smb_copy_flags_dest_mode = -1;
233 static int hf_smb_copy_flags_source_mode = -1;
234 static int hf_smb_copy_flags_verify = -1;
235 static int hf_smb_copy_flags_tree_copy = -1;
236 static int hf_smb_copy_flags_ea_action = -1;
237 static int hf_smb_count = -1;
238 static int hf_smb_count_low = -1;
239 static int hf_smb_count_high = -1;
240 static int hf_smb_file_name = -1;
241 static int hf_smb_open_function_open = -1;
242 static int hf_smb_open_function_create = -1;
243 static int hf_smb_fid = -1;
/*
 * File-attribute bits.  The first six attributes have separate _16bit and
 * _8bit indices; the rest have a single index each.
 */
244 static int hf_smb_file_attr_read_only_16bit = -1;
245 static int hf_smb_file_attr_read_only_8bit = -1;
246 static int hf_smb_file_attr_hidden_16bit = -1;
247 static int hf_smb_file_attr_hidden_8bit = -1;
248 static int hf_smb_file_attr_system_16bit = -1;
249 static int hf_smb_file_attr_system_8bit = -1;
250 static int hf_smb_file_attr_volume_16bit = -1;
251 static int hf_smb_file_attr_volume_8bit = -1;
252 static int hf_smb_file_attr_directory_16bit = -1;
253 static int hf_smb_file_attr_directory_8bit = -1;
254 static int hf_smb_file_attr_archive_16bit = -1;
255 static int hf_smb_file_attr_archive_8bit = -1;
256 static int hf_smb_file_attr_device = -1;
257 static int hf_smb_file_attr_normal = -1;
258 static int hf_smb_file_attr_temporary = -1;
259 static int hf_smb_file_attr_sparse = -1;
260 static int hf_smb_file_attr_reparse = -1;
261 static int hf_smb_file_attr_compressed = -1;
262 static int hf_smb_file_attr_offline = -1;
263 static int hf_smb_file_attr_not_content_indexed = -1;
264 static int hf_smb_file_attr_encrypted = -1;
265 static int hf_smb_file_size = -1;
266 static int hf_smb_search_attribute_read_only = -1;
267 static int hf_smb_search_attribute_hidden = -1;
268 static int hf_smb_search_attribute_system = -1;
269 static int hf_smb_search_attribute_volume = -1;
270 static int hf_smb_search_attribute_directory = -1;
271 static int hf_smb_search_attribute_archive = -1;
272 static int hf_smb_access_mode = -1;
273 static int hf_smb_access_sharing = -1;
274 static int hf_smb_access_locality = -1;
275 static int hf_smb_access_caching = -1;
276 static int hf_smb_access_writetru = -1;
277 static int hf_smb_create_time = -1;
278 static int hf_smb_modify_time = -1;
279 static int hf_smb_backup_time = -1;
/* hf_smb_mac_*: Macintosh-extension fields, going by the prefix. */
280 static int hf_smb_mac_alloc_block_count = -1;
281 static int hf_smb_mac_alloc_block_size = -1;
282 static int hf_smb_mac_free_block_count = -1;
283 static int hf_smb_mac_fndrinfo = -1;
284 static int hf_smb_mac_root_file_count = -1;
285 static int hf_smb_mac_root_dir_count = -1;
286 static int hf_smb_mac_file_count = -1;
287 static int hf_smb_mac_dir_count = -1;
288 static int hf_smb_mac_support_flags = -1;
289 static int hf_smb_mac_sup_access_ctrl = -1;
290 static int hf_smb_mac_sup_getset_comments = -1;
291 static int hf_smb_mac_sup_desktopdb_calls = -1;
292 static int hf_smb_mac_sup_unique_ids = -1;
293 static int hf_smb_mac_sup_streams = -1;
294 static int hf_smb_create_dos_date = -1;
295 static int hf_smb_create_dos_time = -1;
296 static int hf_smb_last_write_time = -1;
297 static int hf_smb_last_write_dos_date = -1;
298 static int hf_smb_last_write_dos_time = -1;
299 static int hf_smb_access_time = -1;
300 static int hf_smb_access_dos_date = -1;
301 static int hf_smb_access_dos_time = -1;
302 static int hf_smb_old_file_name = -1;
303 static int hf_smb_offset = -1;
304 static int hf_smb_remaining = -1;
305 static int hf_smb_padding = -1;
306 static int hf_smb_file_data = -1;
/*
 * Field indices that, going by their names, cover read/write lengths and
 * offsets, locking, pipe state, open flags, session setup strings, tree
 * connect flags and transaction parameter/data counts.  All start at -1 and
 * are assigned outside this excerpt.
 *
 * NOTE(review): the length, count, offset and displacement fields here name
 * values that come from the packet; any code that uses such a value to index
 * or size a read must bound it against the captured data first -- confirm at
 * each use site, which is outside this excerpt.
 */
307 static int hf_smb_total_data_len = -1;
308 static int hf_smb_data_len = -1;
309 static int hf_smb_data_len_low = -1;
310 static int hf_smb_data_len_high = -1;
311 static int hf_smb_seek_mode = -1;
312 static int hf_smb_data_size = -1;
313 static int hf_smb_alloc_size = -1;
314 static int hf_smb_alloc_size64 = -1;
315 static int hf_smb_max_count = -1;
316 static int hf_smb_max_count_low = -1;
317 static int hf_smb_max_count_high = -1;
318 static int hf_smb_min_count = -1;
319 static int hf_smb_timeout = -1;
320 static int hf_smb_high_offset = -1;
321 static int hf_smb_units = -1;
322 static int hf_smb_bpu = -1;
323 static int hf_smb_blocksize = -1;
324 static int hf_smb_freeunits = -1;
325 static int hf_smb_data_offset = -1;
326 static int hf_smb_dcm = -1;
327 static int hf_smb_request_mask = -1;
328 static int hf_smb_response_mask = -1;
329 static int hf_smb_search_id = -1;
330 static int hf_smb_write_mode_write_through = -1;
331 static int hf_smb_write_mode_return_remaining = -1;
332 static int hf_smb_write_mode_raw = -1;
333 static int hf_smb_write_mode_message_start = -1;
334 static int hf_smb_write_mode_connectionless = -1;
335 static int hf_smb_resume_key_len = -1;
336 static int hf_smb_resume_find_id = -1;
337 static int hf_smb_resume_server_cookie = -1;
338 static int hf_smb_resume_client_cookie = -1;
339 static int hf_smb_andxoffset = -1;
340 static int hf_smb_lock_type_large = -1;
341 static int hf_smb_lock_type_cancel = -1;
342 static int hf_smb_lock_type_change = -1;
343 static int hf_smb_lock_type_oplock = -1;
344 static int hf_smb_lock_type_shared = -1;
345 static int hf_smb_locking_ol = -1;
346 static int hf_smb_number_of_locks = -1;
347 static int hf_smb_number_of_unlocks = -1;
348 static int hf_smb_lock_long_offset = -1;
349 static int hf_smb_lock_long_length = -1;
350 static int hf_smb_file_type = -1;
351 static int hf_smb_ipc_state_nonblocking = -1;
352 static int hf_smb_ipc_state_endpoint = -1;
353 static int hf_smb_ipc_state_pipe_type = -1;
354 static int hf_smb_ipc_state_read_mode = -1;
355 static int hf_smb_ipc_state_icount = -1;
356 static int hf_smb_server_fid = -1;
357 static int hf_smb_open_flags_add_info = -1;
358 static int hf_smb_open_flags_ex_oplock = -1;
359 static int hf_smb_open_flags_batch_oplock = -1;
360 static int hf_smb_open_flags_ealen = -1;
361 static int hf_smb_open_action_open = -1;
362 static int hf_smb_open_action_lock = -1;
363 static int hf_smb_vc_num = -1;
364 static int hf_smb_account = -1;
365 static int hf_smb_os = -1;
366 static int hf_smb_lanman = -1;
367 static int hf_smb_setup_action_guest = -1;
368 static int hf_smb_fs = -1;
369 static int hf_smb_connect_flags_dtid = -1;
370 static int hf_smb_connect_support_search = -1;
371 static int hf_smb_connect_support_in_dfs = -1;
/*
 * Transaction counts, offsets and displacements.  The param_* and data_*
 * fields exist in 16-bit and 32-bit variants, per the name suffixes.
 */
372 static int hf_smb_max_setup_count = -1;
373 static int hf_smb_total_param_count = -1;
374 static int hf_smb_total_data_count = -1;
375 static int hf_smb_max_param_count = -1;
376 static int hf_smb_max_data_count = -1;
377 static int hf_smb_param_disp16 = -1;
378 static int hf_smb_param_count16 = -1;
379 static int hf_smb_param_offset16 = -1;
380 static int hf_smb_param_disp32 = -1;
381 static int hf_smb_param_count32 = -1;
382 static int hf_smb_param_offset32 = -1;
383 static int hf_smb_data_disp16 = -1;
384 static int hf_smb_data_count16 = -1;
385 static int hf_smb_data_offset16 = -1;
386 static int hf_smb_data_disp32 = -1;
387 static int hf_smb_data_count32 = -1;
388 static int hf_smb_data_offset32 = -1;
389 static int hf_smb_setup_count = -1;
390 static int hf_smb_nt_trans_subcmd = -1;
391 static int hf_smb_nt_ioctl_isfsctl = -1;
392 static int hf_smb_nt_ioctl_flags_root_handle = -1;
/*
 * Field indices that, going by their names, cover NT notify filters, NT
 * create parameters, extended attributes, the NT access mask, create bits,
 * create options and share access.  All start at -1 and are assigned outside
 * this excerpt.
 */
/* hf_smb_nt_security_information is declared only when SMB_UNUSED_HANDLES is defined. */
393 #ifdef SMB_UNUSED_HANDLES
394 static int hf_smb_nt_security_information = -1;
/*
 * NOTE(review): listing line 395, where the matching #endif would be
 * expected, is absent from this excerpt.
 */
396 static int hf_smb_nt_notify_action = -1;
397 static int hf_smb_nt_notify_watch_tree = -1;
398 static int hf_smb_nt_notify_stream_write = -1;
399 static int hf_smb_nt_notify_stream_size = -1;
400 static int hf_smb_nt_notify_stream_name = -1;
401 static int hf_smb_nt_notify_security = -1;
402 static int hf_smb_nt_notify_ea = -1;
403 static int hf_smb_nt_notify_creation = -1;
404 static int hf_smb_nt_notify_last_access = -1;
405 static int hf_smb_nt_notify_last_write = -1;
406 static int hf_smb_nt_notify_size = -1;
407 static int hf_smb_nt_notify_attributes = -1;
408 static int hf_smb_nt_notify_dir_name = -1;
409 static int hf_smb_nt_notify_file_name = -1;
410 static int hf_smb_root_dir_fid = -1;
411 static int hf_smb_nt_create_disposition = -1;
412 static int hf_smb_sd_length = -1;
413 static int hf_smb_ea_list_length = -1;
414 static int hf_smb_ea_flags = -1;
415 static int hf_smb_ea_name_length = -1;
416 static int hf_smb_ea_data_length = -1;
417 static int hf_smb_ea_name = -1;
418 static int hf_smb_ea_data = -1;
419 static int hf_smb_file_name_len = -1;
420 static int hf_smb_nt_impersonation_level = -1;
421 static int hf_smb_nt_security_flags_context_tracking = -1;
422 static int hf_smb_nt_security_flags_effective_only = -1;
/*
 * hf_smb_nt_access_mask_*: one index per access-mask bit, going by the
 * names.  These are the fields to inspect when reviewing which rights a
 * client requested in a capture.
 */
423 static int hf_smb_nt_access_mask_generic_read = -1;
424 static int hf_smb_nt_access_mask_generic_write = -1;
425 static int hf_smb_nt_access_mask_generic_execute = -1;
426 static int hf_smb_nt_access_mask_generic_all = -1;
427 static int hf_smb_nt_access_mask_maximum_allowed = -1;
428 static int hf_smb_nt_access_mask_system_security = -1;
429 static int hf_smb_nt_access_mask_synchronize = -1;
430 static int hf_smb_nt_access_mask_write_owner = -1;
431 static int hf_smb_nt_access_mask_write_dac = -1;
432 static int hf_smb_nt_access_mask_read_control = -1;
433 static int hf_smb_nt_access_mask_delete = -1;
434 static int hf_smb_nt_access_mask_write_attributes = -1;
435 static int hf_smb_nt_access_mask_read_attributes = -1;
436 static int hf_smb_nt_access_mask_delete_child = -1;
437 static int hf_smb_nt_access_mask_execute = -1;
438 static int hf_smb_nt_access_mask_write_ea = -1;
439 static int hf_smb_nt_access_mask_read_ea = -1;
440 static int hf_smb_nt_access_mask_append = -1;
441 static int hf_smb_nt_access_mask_write = -1;
442 static int hf_smb_nt_access_mask_read = -1;
443 static int hf_smb_nt_create_bits_oplock = -1;
444 static int hf_smb_nt_create_bits_boplock = -1;
445 static int hf_smb_nt_create_bits_dir = -1;
446 static int hf_smb_nt_create_bits_ext_resp = -1;
447 static int hf_smb_nt_create_options_directory_file = -1;
448 static int hf_smb_nt_create_options_write_through = -1;
449 static int hf_smb_nt_create_options_sequential_only = -1;
450 static int hf_smb_nt_create_options_no_intermediate_buffering = -1;
451 static int hf_smb_nt_create_options_sync_io_alert = -1;
452 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
453 static int hf_smb_nt_create_options_non_directory_file = -1;
454 static int hf_smb_nt_create_options_create_tree_connection = -1;
455 static int hf_smb_nt_create_options_complete_if_oplocked = -1;
456 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
457 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
458 static int hf_smb_nt_create_options_random_access = -1;
459 static int hf_smb_nt_create_options_delete_on_close = -1;
460 static int hf_smb_nt_create_options_open_by_fileid = -1;
461 static int hf_smb_nt_create_options_backup_intent = -1;
462 static int hf_smb_nt_create_options_no_compression = -1;
463 static int hf_smb_nt_create_options_reserve_opfilter = -1;
464 static int hf_smb_nt_create_options_open_reparse_point = -1;
465 static int hf_smb_nt_create_options_open_no_recall = -1;
466 static int hf_smb_nt_create_options_open_for_free_space_query = -1;
467 static int hf_smb_nt_share_access_read = -1;
468 static int hf_smb_nt_share_access_write = -1;
469 static int hf_smb_nt_share_access_delete = -1;
/*
 * Field indices that, going by their names, cover extended file attributes,
 * security-descriptor queries, printing, messaging, TRANS2 sub-commands,
 * stream/compression information and DFS referrals.  All start at -1 and are
 * assigned outside this excerpt.
 */
470 static int hf_smb_file_eattr_read_only = -1;
471 static int hf_smb_file_eattr_hidden = -1;
472 static int hf_smb_file_eattr_system = -1;
473 static int hf_smb_file_eattr_volume = -1;
474 static int hf_smb_file_eattr_directory = -1;
475 static int hf_smb_file_eattr_archive = -1;
476 static int hf_smb_file_eattr_device = -1;
477 static int hf_smb_file_eattr_normal = -1;
478 static int hf_smb_file_eattr_temporary = -1;
479 static int hf_smb_file_eattr_sparse = -1;
480 static int hf_smb_file_eattr_reparse = -1;
481 static int hf_smb_file_eattr_compressed = -1;
482 static int hf_smb_file_eattr_offline = -1;
483 static int hf_smb_file_eattr_not_content_indexed = -1;
484 static int hf_smb_file_eattr_encrypted = -1;
485 static int hf_smb_sec_desc_len = -1;
486 static int hf_smb_nt_qsd_owner = -1;
487 static int hf_smb_nt_qsd_group = -1;
488 static int hf_smb_nt_qsd_dacl = -1;
489 static int hf_smb_nt_qsd_sacl = -1;
490 static int hf_smb_extended_attributes = -1;
491 static int hf_smb_oplock_level = -1;
492 static int hf_smb_create_action = -1;
493 static int hf_smb_file_id = -1;
494 static int hf_smb_ea_error_offset = -1;
495 static int hf_smb_end_of_file = -1;
496 static int hf_smb_replace = -1;
497 static int hf_smb_root_dir_handle = -1;
498 static int hf_smb_target_name_len = -1;
499 static int hf_smb_target_name = -1;
500 static int hf_smb_device_type = -1;
501 static int hf_smb_is_directory = -1;
502 static int hf_smb_next_entry_offset = -1;
503 static int hf_smb_change_time = -1;
504 static int hf_smb_setup_len = -1;
505 static int hf_smb_print_mode = -1;
506 static int hf_smb_print_identifier = -1;
507 static int hf_smb_restart_index = -1;
508 static int hf_smb_print_queue_date = -1;
509 static int hf_smb_print_queue_dos_date = -1;
510 static int hf_smb_print_queue_dos_time = -1;
511 static int hf_smb_print_status = -1;
512 static int hf_smb_print_spool_file_number = -1;
513 static int hf_smb_print_spool_file_size = -1;
514 static int hf_smb_print_spool_file_name = -1;
515 static int hf_smb_start_index = -1;
516 static int hf_smb_originator_name = -1;
517 static int hf_smb_destination_name = -1;
518 static int hf_smb_message_len = -1;
519 static int hf_smb_message = -1;
520 static int hf_smb_mgid = -1;
521 static int hf_smb_forwarded_name = -1;
522 static int hf_smb_machine_name = -1;
523 static int hf_smb_cancel_to = -1;
524 static int hf_smb_trans2_subcmd = -1;
525 static int hf_smb_trans_name = -1;
526 static int hf_smb_transaction_flags_dtid = -1;
527 static int hf_smb_transaction_flags_owt = -1;
528 static int hf_smb_search_count = -1;
529 static int hf_smb_search_pattern = -1;
530 static int hf_smb_ff2_backup = -1;
531 static int hf_smb_ff2_continue = -1;
532 static int hf_smb_ff2_resume = -1;
533 static int hf_smb_ff2_close_eos = -1;
534 static int hf_smb_ff2_close = -1;
535 static int hf_smb_ff2_information_level = -1;
536 static int hf_smb_qpi_loi = -1;
537 static int hf_smb_spi_loi = -1;
539 static int hf_smb_sfi_writetru = -1;
540 static int hf_smb_sfi_caching = -1;
542 static int hf_smb_storage_type = -1;
543 static int hf_smb_resume = -1;
544 static int hf_smb_max_referral_level = -1;
545 static int hf_smb_qfsi_information_level = -1;
546 static int hf_smb_number_of_links = -1;
547 static int hf_smb_delete_pending = -1;
548 static int hf_smb_index_number = -1;
549 static int hf_smb_position = -1;
550 static int hf_smb_current_offset = -1;
551 static int hf_smb_t2_alignment = -1;
552 static int hf_smb_t2_stream_name_length = -1;
553 static int hf_smb_t2_stream_size = -1;
554 static int hf_smb_t2_stream_name = -1;
555 static int hf_smb_t2_compressed_file_size = -1;
556 static int hf_smb_t2_compressed_format = -1;
557 static int hf_smb_t2_compressed_unit_shift = -1;
558 static int hf_smb_t2_compressed_chunk_shift = -1;
559 static int hf_smb_t2_compressed_cluster_shift = -1;
560 static int hf_smb_t2_marked_for_deletion = -1;
/*
 * DFS referral fields.  The two hf_smb_dfs_referral_flags_* indices pair by
 * name with the REFENT_FLAGS_* masks defined near the top of the file.
 * NOTE(review): several of these are *_offset fields, i.e. packet-supplied
 * offsets to strings; the code that follows them (outside this excerpt)
 * should be checked for bounds handling.
 */
561 static int hf_smb_dfs_path_consumed = -1;
562 static int hf_smb_dfs_num_referrals = -1;
563 static int hf_smb_get_dfs_server_hold_storage = -1;
564 static int hf_smb_get_dfs_fielding = -1;
565 static int hf_smb_dfs_referral_version = -1;
566 static int hf_smb_dfs_referral_size = -1;
567 static int hf_smb_dfs_referral_server_type = -1;
568 static int hf_smb_dfs_referral_flags_name_list_referral = -1;
569 static int hf_smb_dfs_referral_flags_target_set_boundary = -1;
570 static int hf_smb_dfs_referral_node_offset = -1;
571 static int hf_smb_dfs_referral_node = -1;
572 static int hf_smb_dfs_referral_proximity = -1;
573 static int hf_smb_dfs_referral_ttl = -1;
574 static int hf_smb_dfs_referral_path_offset = -1;
575 static int hf_smb_dfs_referral_path = -1;
576 static int hf_smb_dfs_referral_alt_path_offset = -1;
577 static int hf_smb_dfs_referral_alt_path = -1;
578 static int hf_smb_dfs_referral_domain_offset = -1;
579 static int hf_smb_dfs_referral_number_of_expnames = -1;
580 static int hf_smb_dfs_referral_expnames_offset = -1;
581 static int hf_smb_dfs_referral_domain_name = -1;
582 static int hf_smb_dfs_referral_expname = -1;
583 static int hf_smb_dfs_referral_server_guid = -1;
584 static int hf_smb_end_of_search = -1;
585 static int hf_smb_last_name_offset = -1;
586 static int hf_smb_fn_information_level = -1;
587 static int hf_smb_monitor_handle = -1;
/*
 * Field indices that, going by their names, cover file-system information,
 * device characteristics, file-system attributes, quotas, reassembly
 * segments, UNIX extensions and POSIX ACLs.  All start at -1 and are
 * assigned outside this excerpt.
 */
588 static int hf_smb_change_count = -1;
589 static int hf_smb_file_index = -1;
590 static int hf_smb_short_file_name = -1;
591 static int hf_smb_short_file_name_len = -1;
592 static int hf_smb_fs_id = -1;
593 static int hf_smb_sector_unit = -1;
594 static int hf_smb_fs_units = -1;
595 static int hf_smb_fs_sector = -1;
596 static int hf_smb_avail_units = -1;
597 static int hf_smb_volume_serial_num = -1;
598 static int hf_smb_volume_label_len = -1;
599 static int hf_smb_volume_label = -1;
600 static int hf_smb_free_alloc_units64 = -1;
601 static int hf_smb_caller_free_alloc_units64 = -1;
602 static int hf_smb_actual_free_alloc_units64 = -1;
603 static int hf_smb_max_name_len = -1;
604 static int hf_smb_fs_name_len = -1;
605 static int hf_smb_fs_name = -1;
606 static int hf_smb_device_char_removable = -1;
607 static int hf_smb_device_char_read_only = -1;
608 static int hf_smb_device_char_floppy = -1;
609 static int hf_smb_device_char_write_once = -1;
610 static int hf_smb_device_char_remote = -1;
611 static int hf_smb_device_char_mounted = -1;
612 static int hf_smb_device_char_virtual = -1;
613 static int hf_smb_fs_attr_css = -1;
614 static int hf_smb_fs_attr_cpn = -1;
615 static int hf_smb_fs_attr_uod = -1;
616 static int hf_smb_fs_attr_pacls = -1;
617 static int hf_smb_fs_attr_fc = -1;
618 static int hf_smb_fs_attr_vq = -1;
619 static int hf_smb_fs_attr_ssf = -1;
620 static int hf_smb_fs_attr_srp = -1;
621 static int hf_smb_fs_attr_srs = -1;
622 static int hf_smb_fs_attr_sla = -1;
623 static int hf_smb_fs_attr_vic = -1;
624 static int hf_smb_fs_attr_soids = -1;
625 static int hf_smb_fs_attr_se = -1;
626 static int hf_smb_fs_attr_ns = -1;
627 static int hf_smb_fs_attr_rov = -1;
628 static int hf_smb_quota_flags_enabled = -1;
629 static int hf_smb_quota_flags_deny_disk = -1;
630 static int hf_smb_quota_flags_log_limit = -1;
631 static int hf_smb_quota_flags_log_warning = -1;
632 static int hf_smb_soft_quota_limit = -1;
633 static int hf_smb_hard_quota_limit = -1;
634 static int hf_smb_user_quota_used = -1;
635 static int hf_smb_user_quota_offset = -1;
636 static int hf_smb_nt_rename_level = -1;
637 static int hf_smb_cluster_count = -1;
/*
 * Reassembly fields.  The overlap, overlap_conflict, multiple_tails,
 * too_long_fragment and error indices are referenced by address from the
 * smb_frag_items table later in this file.  NOTE(review): going by the
 * names, these are what mark overlapping or malformed segments in a
 * dissection -- confirm against the reassembly code.
 */
638 static int hf_smb_segments = -1;
639 static int hf_smb_segment = -1;
640 static int hf_smb_segment_overlap = -1;
641 static int hf_smb_segment_overlap_conflict = -1;
642 static int hf_smb_segment_multiple_tails = -1;
643 static int hf_smb_segment_too_long_fragment = -1;
644 static int hf_smb_segment_error = -1;
645 static int hf_smb_pipe_write_len = -1;
/* hf_smb_unix_*: UNIX-extension fields, going by the prefix. */
646 static int hf_smb_unix_major_version = -1;
647 static int hf_smb_unix_minor_version = -1;
648 static int hf_smb_unix_capability_fcntl = -1;
649 static int hf_smb_unix_capability_posix_acl = -1;
650 static int hf_smb_unix_file_size = -1;
651 static int hf_smb_unix_file_num_bytes = -1;
652 static int hf_smb_unix_file_last_status = -1;
653 static int hf_smb_unix_file_last_access = -1;
654 static int hf_smb_unix_file_last_change = -1;
655 static int hf_smb_unix_file_uid = -1;
656 static int hf_smb_unix_file_gid = -1;
657 static int hf_smb_unix_file_type = -1;
658 static int hf_smb_unix_file_dev_major = -1;
659 static int hf_smb_unix_file_dev_minor = -1;
660 static int hf_smb_unix_file_unique_id = -1;
661 static int hf_smb_unix_file_permissions = -1;
662 static int hf_smb_unix_file_nlinks = -1;
663 static int hf_smb_unix_file_link_dest = -1;
664 static int hf_smb_unix_find_file_nextoffset = -1;
665 static int hf_smb_unix_find_file_resumekey = -1;
666 static int hf_smb_network_unknown = -1;
667 static int hf_smb_disposition_delete_on_close = -1;
668 static int hf_smb_pipe_info_flag = -1;
669 static int hf_smb_mode = -1;
670 static int hf_smb_attribute = -1;
671 static int hf_smb_reparse_tag = -1;
672 static int hf_smb_logged_in = -1;
673 static int hf_smb_logged_out = -1;
674 static int hf_smb_file_rw_offset = -1;
675 static int hf_smb_file_rw_length = -1;
/* hf_smb_posix_*: POSIX ACL fields, going by the prefix. */
676 static int hf_smb_posix_acl_version = -1;
677 static int hf_smb_posix_num_file_aces = -1;
678 static int hf_smb_posix_num_def_aces = -1;
679 static int hf_smb_posix_ace_type = -1;
680 static int hf_smb_posix_ace_flags = -1;
681 static int hf_smb_posix_ace_perm_read = -1;
682 static int hf_smb_posix_ace_perm_write = -1;
683 static int hf_smb_posix_ace_perm_execute = -1;
684 static int hf_smb_posix_ace_perm_owner_uid = -1;
685 static int hf_smb_posix_ace_perm_owner_gid = -1;
686 static int hf_smb_posix_ace_perm_uid = -1;
687 static int hf_smb_posix_ace_perm_gid = -1;
/*
 * Subtree ("ett") indices for the SMB dissector, one per expandable node of
 * the protocol tree.  Every index starts at -1; the code that assigns the
 * real values is outside this excerpt (presumably the protocol registration
 * routine -- confirm there).
 */
689 static gint ett_smb = -1;
690 static gint ett_smb_fid = -1;
691 static gint ett_smb_tid = -1;
692 static gint ett_smb_uid = -1;
693 static gint ett_smb_hdr = -1;
694 static gint ett_smb_command = -1;
695 static gint ett_smb_fileattributes = -1;
696 static gint ett_smb_capabilities = -1;
697 static gint ett_smb_aflags = -1;
698 static gint ett_smb_dialect = -1;
699 static gint ett_smb_dialects = -1;
700 static gint ett_smb_mode = -1;
701 static gint ett_smb_rawmode = -1;
702 static gint ett_smb_flags = -1;
703 static gint ett_smb_flags2 = -1;
704 static gint ett_smb_desiredaccess = -1;
705 static gint ett_smb_search = -1;
706 static gint ett_smb_file = -1;
707 static gint ett_smb_openfunction = -1;
708 static gint ett_smb_filetype = -1;
709 static gint ett_smb_openaction = -1;
710 static gint ett_smb_writemode = -1;
711 static gint ett_smb_lock_type = -1;
712 static gint ett_smb_ssetupandxaction = -1;
713 static gint ett_smb_optionsup = -1;
714 static gint ett_smb_time_date = -1;
715 static gint ett_smb_move_copy_flags = -1;
716 static gint ett_smb_file_attributes = -1;
717 static gint ett_smb_search_resume_key = -1;
718 static gint ett_smb_search_dir_info = -1;
719 static gint ett_smb_unlocks = -1;
720 static gint ett_smb_unlock = -1;
721 static gint ett_smb_locks = -1;
722 static gint ett_smb_lock = -1;
723 static gint ett_smb_open_flags = -1;
724 static gint ett_smb_ipc_state = -1;
725 static gint ett_smb_open_action = -1;
726 static gint ett_smb_setup_action = -1;
727 static gint ett_smb_connect_flags = -1;
728 static gint ett_smb_connect_support_bits = -1;
729 static gint ett_smb_nt_access_mask = -1;
730 static gint ett_smb_nt_create_bits = -1;
731 static gint ett_smb_nt_create_options = -1;
732 static gint ett_smb_nt_share_access = -1;
733 static gint ett_smb_nt_security_flags = -1;
734 static gint ett_smb_nt_trans_setup = -1;
735 static gint ett_smb_nt_trans_data = -1;
736 static gint ett_smb_nt_trans_param = -1;
737 static gint ett_smb_nt_notify_completion_filter = -1;
738 static gint ett_smb_nt_ioctl_flags = -1;
739 static gint ett_smb_security_information_mask = -1;
740 static gint ett_smb_print_queue_entry = -1;
741 static gint ett_smb_transaction_flags = -1;
742 static gint ett_smb_transaction_params = -1;
743 static gint ett_smb_find_first2_flags = -1;
744 static gint ett_smb_mac_support_flags = -1;
746 static gint ett_smb_ioflag = -1;
748 static gint ett_smb_transaction_data = -1;
749 static gint ett_smb_stream_info = -1;
750 static gint ett_smb_dfs_referrals = -1;
751 static gint ett_smb_dfs_referral = -1;
752 static gint ett_smb_dfs_referral_flags = -1;
753 static gint ett_smb_dfs_referral_expnames = -1;
754 static gint ett_smb_get_dfs_flags = -1;
755 static gint ett_smb_ff2_data = -1;
756 static gint ett_smb_device_characteristics = -1;
757 static gint ett_smb_fs_attributes = -1;
758 static gint ett_smb_segments = -1;
759 static gint ett_smb_segment = -1;
760 static gint ett_smb_quotaflags = -1;
761 static gint ett_smb_secblob = -1;
762 static gint ett_smb_unicode_password = -1;
763 static gint ett_smb_ea = -1;
764 static gint ett_smb_unix_capabilities = -1;
/*
 * NOTE(review): "posic" looks like a typo for "posix" (compare
 * ett_smb_posix_ace_perms on the next line).  Renaming it means updating
 * every reference, and those are outside this excerpt.
 */
765 static gint ett_smb_posic_ace = -1;
766 static gint ett_smb_posix_ace_perms = -1;
768 static int smb_tap = -1;
770 static dissector_handle_t gssapi_handle;
771 static dissector_handle_t ntlmssp_handle;
773 static const fragment_items smb_frag_items = {
779 &hf_smb_segment_overlap,
780 &hf_smb_segment_overlap_conflict,
781 &hf_smb_segment_multiple_tails,
782 &hf_smb_segment_too_long_fragment,
783 &hf_smb_segment_error,
789 static proto_tree *top_tree=NULL; /* ugly */
791 static const char *decode_smb_name(guint8);
792 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
795 * Macros for use in the main dissector routines for an SMB.
800 wc = tvb_get_guint8(tvb, offset); \
801 proto_tree_add_uint(tree, hf_smb_word_count, \
802 tvb, offset, 1, wc); \
804 if(wc==0) goto bytecount;
808 bc = tvb_get_letohs(tvb, offset); \
809 proto_tree_add_uint(tree, hf_smb_byte_count, \
810 tvb, offset, 2, bc); \
812 if(bc==0) goto endofcommand;
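/*
 * Jump to the invoking function's "endofcommand" label when fewer than
 * "len" bytes are left in its byte-count variable "bc".  Both "bc" and
 * the label must exist at the call site.
 *
 * The argument is parenthesised so that an expression argument (one using
 * ?:, a comparison, ...) is compared with "bc" as a whole instead of being
 * re-associated with the "<"; a length check that silently tests the
 * wrong expression lets the dissector read past the declared byte count.
 *
 * The expansion is a bare "if" statement, so do not follow an invocation
 * with "else".
 */
#define CHECK_BYTE_COUNT(len)	\
	if (bc < (len)) goto endofcommand;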
817 #define COUNT_BYTES(len) {\
827 bc_remaining=tvb_length_remaining(tvb, offset); \
828 if( ((gint)bc) > bc_remaining){ \
832 tvb_ensure_bytes_exist(tvb, offset, bc); \
833 proto_tree_add_text(tree, tvb, offset, bc, \
834 "Extra byte parameters"); \
841 * Macros for use in routines called by them.
843 #define CHECK_BYTE_COUNT_SUBR(len) \
849 #define CHECK_STRING_SUBR(fn) \
855 #define COUNT_BYTES_SUBR(len) \
860 * Macros for use when dissecting transaction parameters and data
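/*
 * Return the current "offset" from the enclosing function when fewer than
 * "len" bytes are left in its byte-count variable "bc".  The argument is
 * parenthesised so an expression argument is compared as a whole.
 *
 * The expansion is a bare "if" statement; do not follow it with "else".
 */
#define CHECK_BYTE_COUNT_TRANS(len)	\
	if (bc < (len)) return offset;

/*
 * Return the current "offset" from the enclosing function when the string
 * pointer "fn" is NULL.  The argument is parenthesised for the same reason
 * as above.
 */
#define CHECK_STRING_TRANS(fn)	\
	if ((fn) == NULL) return offset;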
868 #define COUNT_BYTES_TRANS(len) \
873 * Macros for use in subroutines dissecting transaction parameters or data
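/*
 * Return the current "offset" from the enclosing function when fewer than
 * "len" bytes are left in the byte count the caller passed by pointer as
 * "bcp".  The argument is parenthesised so an expression argument is
 * compared as a whole.
 *
 * The expansion is a bare "if" statement; do not follow it with "else".
 */
#define CHECK_BYTE_COUNT_TRANS_SUBR(len)	\
	if (*bcp < (len)) return offset;

/*
 * Return the current "offset" from the enclosing function when the string
 * pointer "fn" is NULL.  The argument is parenthesised for the same reason
 * as above.
 */
#define CHECK_STRING_TRANS_SUBR(fn)	\
	if ((fn) == NULL) return offset;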
881 #define COUNT_BYTES_TRANS_SUBR(len) \
886 gboolean sid_name_snooping = FALSE;
888 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
889 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
890 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
891 static gboolean smb_trans_reassembly = TRUE;
892 gboolean smb_dcerpc_reassembly = TRUE;
894 static GHashTable *smb_trans_fragment_table = NULL;
897 smb_trans_reassembly_init(void)
899 fragment_table_init(&smb_trans_fragment_table);
903 * XXX - This keeps us from allocating huge amounts of memory as shown in
904 * bug 421. It may need to be increased.
/*
 * Largest byte count accepted for one fragment.  Counts above it (or below
 * zero) are rejected in smb_trans_defragment() before the fragment is
 * handed to the reassembly code.
 */
906 #define MAX_FRAGMENT_SIZE 65536
/*
 * Hand one SMB Transaction fragment to the reassembly table
 * (smb_trans_fragment_table) and keep the SMB_SIF_IS_CONTINUED flag of the
 * saved request info in step with the reassembly state.
 *
 * tvb, offset, count  the fragment's bytes in this frame
 * pos                 forwarded to fragment_add() as the fragment offset
 * totlen              total length, used only to decide whether more
 *                     fragments are expected
 *
 * Fragments are keyed on si->sip->frame_req.  On the first pass over a
 * frame the fragment is added with fragment_add(); the fragment_get() call
 * looks like the already-visited path (the branch line between them is not
 * part of this listing).
 */
907 static fragment_data *
908 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
909 int offset, int count, int pos, int totlen)
911 fragment_data *fd_head=NULL;
/* Reject oversized and negative counts up front; this is the only range
   check on the length arguments visible in this function. */
915 if (count > MAX_FRAGMENT_SIZE || count < 0) {
916 THROW(ReportedBoundsError);
/* NOTE(review): pos and totlen are not range-checked in the lines shown
   here, and pos+count is a signed int addition, so a very large pos would
   overflow it.  Confirm that the callers bound pos and totlen before they
   get here. */
919 more_frags=totlen>(pos+count);
/* The per-packet SMB state is expected in pinfo->private_data; a missing
   pointer is treated as a dissector bug by the assertion. */
921 si = (smb_info_t *)pinfo->private_data;
922 DISSECTOR_ASSERT(si);
/* NOTE(review): every statement after this test dereferences si->sip, so
   the body of this branch (not shown in this listing) has to leave the
   function. */
924 if (si->sip == NULL) {
926 * We don't have the frame number of the request.
931 if(!pinfo->fd->flags.visited){
932 fd_head = fragment_add(tvb, offset, pinfo,
933 si->sip->frame_req, smb_trans_fragment_table,
934 pos, count, more_frags);
936 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
939 if (!fd_head || !(fd_head->flags&FD_DEFRAGMENTED)){
940 /* This is continued - mark it as such, so we recognize
941 continuation responses.
943 si->sip->flags |= SMB_SIF_IS_CONTINUED;
945 /* We've finished reassembling, so there are no more
946 continuation responses.
948 si->sip->flags &= ~SMB_SIF_IS_CONTINUED;
951 /* we only show the defragmented packet for the first fragment,
952 or else we might end up with dissecting one HUGE transaction PDU
953 a LOT of times. (first fragment is the only one containing the setup
955 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
956 SMBs. Takes a LOT of time dissecting and is not fun.
958 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
969 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
970 These variables and functions are used to match
972 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
974 * The information we need to save about a request in order to show the
975 * frame number of the request in the dissection of the reply.
980 } smb_saved_info_key_t;
982 /* unmatched smb_saved_info structures.
983 For unmatched smb_saved_info structures we store the smb_saved_info
984 structure using the MID and the PID as the key.
986 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
987 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
988 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
991 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
993 register guint32 key1 = GPOINTER_TO_UINT(k1);
994 register guint32 key2 = GPOINTER_TO_UINT(k2);
998 smb_saved_info_hash_unmatched(gconstpointer k)
1000 register guint32 key = GPOINTER_TO_UINT(k);
1004 /* matched smb_saved_info structures.
1005 For matched smb_saved_info structures we store the smb_saved_info
1006 structure twice in the table using the frame number, and a combination
1007 of the MID and the PID, as the key.
1008 The frame number is guaranteed to be unique but if ever someone makes
1009 some change that will renumber the frames in a capture we are in BIG trouble.
1010 This is not likely though since that would break (among other things) all the
1011 reassembly routines as well.
1013 We also need the MID as there may be more than one SMB request or reply
1014 in a single frame, and we also need the PID as there may be more than
1015 one outstanding request with the same MID and different PIDs.
/*
 * Key-equality callback for the "matched" table.  Both arguments are
 * pointers to smb_saved_info_key_t; two keys are equal only when the frame
 * number and the combined pid_mid value both agree.
 */
1018 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
1020 const smb_saved_info_key_t *key1 = k1;
1021 const smb_saved_info_key_t *key2 = k2;
1022 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
/*
 * Hash callback for smb_saved_info_key_t keys (presumably paired with
 * smb_saved_info_equal_matched): the hash is the plain sum of the frame
 * number and pid_mid.
 *
 * NOTE(review): with an additive hash, every (frame, pid_mid) pair that
 * has the same sum lands in the same bucket.  pid_mid is described above
 * as a combination of the MID and the PID, i.e. values read from the
 * capture, so an unusual capture can cluster many keys and slow lookups
 * down.  Mixing the fields (for example multiplying one of them by an odd
 * constant before adding) would spread them; confirm whether this matters
 * for the table sizes seen in practice.
 */
1025 smb_saved_info_hash_matched(gconstpointer k)
1027 const smb_saved_info_key_t *key = k;
1028 return key->frame + key->pid_mid;
1031 static GSList *conv_tables = NULL;
1034 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
1035 End of request/response matching functions
1036 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
1040 typedef struct _smb_uid_t {
1048 smb_file_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 mask)
1051 if(mask==0x000001ff){
1052 proto_tree_add_text(tree, tvb, offset, 4, "[FULL CONTROL]");
1056 proto_tree_add_boolean(tree, hf_smb_file_access_mask_write_attribute, tvb, offset, 4, mask);
1057 proto_tree_add_boolean(tree, hf_smb_file_access_mask_read_attribute, tvb, offset, 4, mask);
1058 proto_tree_add_boolean(tree, hf_smb_file_access_mask_execute, tvb, offset, 4, mask);
1059 proto_tree_add_boolean(tree, hf_smb_file_access_mask_write_ea, tvb, offset, 4, mask);
1060 proto_tree_add_boolean(tree, hf_smb_file_access_mask_read_ea, tvb, offset, 4, mask);
1061 proto_tree_add_boolean(tree, hf_smb_file_access_mask_append_data, tvb, offset, 4, mask);
1062 proto_tree_add_boolean(tree, hf_smb_file_access_mask_write_data, tvb, offset, 4, mask);
1063 proto_tree_add_boolean(tree, hf_smb_file_access_mask_read_data, tvb, offset, 4, mask);
1065 struct access_mask_info smb_file_access_mask_info = {
1066 "FILE", /* Name of specific rights */
1067 smb_file_specific_rights, /* Dissection function */
1068 NULL, /* Generic mapping table */
1069 NULL /* Standard mapping table */
1074 smb_dir_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 mask)
1077 if(mask==0x000001ff){
1078 proto_tree_add_text(tree, tvb, offset, 4, "[FULL CONTROL]");
1082 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_write_attribute, tvb, offset, 4, mask);
1083 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_read_attribute, tvb, offset, 4, mask);
1084 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_delete_child, tvb, offset, 4, mask);
1085 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_traverse, tvb, offset, 4, mask);
1086 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_write_ea, tvb, offset, 4, mask);
1087 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_read_ea, tvb, offset, 4, mask);
1088 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_add_subdir, tvb, offset, 4, mask);
1089 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_add_file, tvb, offset, 4, mask);
1090 proto_tree_add_boolean(tree, hf_smb_dir_access_mask_list, tvb, offset, 4, mask);
1092 struct access_mask_info smb_dir_access_mask_info = {
1093 "DIR", /* Name of specific rights */
1094 smb_dir_specific_rights, /* Dissection function */
1095 NULL, /* Generic mapping table */
1096 NULL /* Standard mapping table */
1101 static const value_string buffer_format_vals[] = {
1106 {5, "Variable Block"},
1110 #define POSIX_ACE_TYPE_USER_OBJ 0x01
1111 #define POSIX_ACE_TYPE_USER 0x02
1112 #define POSIX_ACE_TYPE_GROUP_OBJ 0x04
1113 #define POSIX_ACE_TYPE_GROUP 0x08
1114 #define POSIX_ACE_TYPE_MASK 0x10
1115 #define POSIX_ACE_TYPE_OTHER 0x20
1116 static const value_string ace_type_vals[] = {
1117 {POSIX_ACE_TYPE_USER_OBJ, "User Obj"},
1118 {POSIX_ACE_TYPE_USER, "User"},
1119 {POSIX_ACE_TYPE_GROUP_OBJ, "Group Obj"},
1120 {POSIX_ACE_TYPE_GROUP, "Group"},
1121 {POSIX_ACE_TYPE_MASK, "Mask"},
1122 {POSIX_ACE_TYPE_OTHER, "Other"},
1127 * UTIME - this is *almost* like a UNIX time stamp, except that it's
1128 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
1129 * January 1, 1970, 00:00:00 GMT.
1131 * This means we have to do some extra work to convert it. This code is
1132 * based on the Samba code:
1134 * Unix SMB/Netbios implementation.
1136 * time handling functions
1137 * Copyright (C) Andrew Tridgell 1992-1998
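/*
 * Yield the difference between *A and *B, in seconds, ignoring leap
 * seconds.
 *
 * Only tm_year, tm_yday, tm_hour, tm_min and tm_sec are read; neither
 * structure is modified.  All arithmetic is done in int, so the two times
 * have to be close enough together (a few decades at most) for the number
 * of seconds to fit.
 */
#define TM_YEAR_BASE 1900

static int
tm_diff(struct tm *a, struct tm *b)
{
	/* Work with "year - 1" so the leap-day terms count completed years. */
	int ay = a->tm_year + (TM_YEAR_BASE - 1);
	int by = b->tm_year + (TM_YEAR_BASE - 1);
	/* Gregorian rule: every 4th year, except centuries, except every 400th. */
	int intervening_leap_days =
		(ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
	int years = ay - by;
	int days =
		365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
	int hours = 24*days + (a->tm_hour - b->tm_hour);
	int minutes = 60*hours + (a->tm_min - b->tm_min);
	int seconds = 60*minutes + (a->tm_sec - b->tm_sec);

	return seconds;
}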
1164 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1170 struct tm *tm = gmtime(&t);
1179 return tm_diff(&tm_utc,tm);
1183 * Return the same value as TimeZone, but it should be more efficient.
1185 * We keep a table of DST offsets to prevent calling localtime() on each
1186 * call of this function. This saves a LOT of time on many unixes.
1188 * Updated by Paul Eggert <eggert@twinsun.com>
1195 #define TIME_T_MIN ((time_t) ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1196 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)))
1199 #define TIME_T_MAX ((time_t) (~ (time_t) 0 - TIME_T_MIN))
/*
 * Cached zone-offset lookup for t.  A table of [start, end] time ranges,
 * each with its zone value, is kept in function-local statics.  A hit
 * returns the stored zone; a miss grows the table by one entry with
 * g_malloc()/g_realloc(), seeds the entry with t, and then widens it by
 * probing TimeZone() on either side.
 *
 * NOTE(review): the table lives in static storage and no locking is
 * visible here, so this is not safe to call from more than one thread at
 * a time.
 *
 * NOTE(review): t reaches this function from timestamps read out of the
 * packet (dissect_smb_UTIME -> LocTimeDiff), so the extreme values the XXX
 * comments below worry about can come from a capture.  With a signed
 * time_t, t - MAX_DST_WIDTH/2 and t + MAX_DST_WIDTH/2 can overflow.  Unless
 * lines not shown in this listing already do so, clamp low and high to
 * TIME_T_MIN / TIME_T_MAX (defined above) before the two loops.
 */
1203 TimeZoneFaster(time_t t)
1205 static struct dst_table {time_t start,end; int zone;} *tdt;
1206 static struct dst_table *dst_table = NULL;
1207 static int table_size = 0;
1214 /* Tunis has a 8 day DST region, we need to be careful ... */
1215 #define MAX_DST_WIDTH (365*24*60*60)
1216 #define MAX_DST_SKIP (7*24*60*60)
/* Linear scan for a cached range that contains t. */
1218 for (i = 0; i < table_size; i++) {
1219 if (t >= dst_table[i].start && t <= dst_table[i].end)
1223 if (i < table_size) {
1224 zone = dst_table[i].zone;
/* Miss: make room for entry i.  The new block goes into the temporary
   tdt rather than straight over dst_table. */
1229 if (dst_table == NULL)
1230 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1232 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1240 dst_table[i].zone = zone;
1241 dst_table[i].start = dst_table[i].end = t;
1243 /* no entry will cover more than 6 months */
1244 low = t - MAX_DST_WIDTH/2;
1245 /* XXX - what if t < MAX_DST_WIDTH/2? */
1247 high = t + MAX_DST_WIDTH/2;
1248 /* XXX - what if this overflows? */
1251 * Widen the new entry using two bisection searches.
/* Push the start of the range back while TimeZone() still reports the same
   zone, stepping at most MAX_DST_SKIP at a time when far from low. */
1253 while (low+60*60 < dst_table[i].start) {
1254 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1255 t = dst_table[i].start - MAX_DST_SKIP;
1257 t = low + (dst_table[i].start-low)/2;
1258 if (TimeZone(t) == zone)
1259 dst_table[i].start = t;
/* Same search in the other direction for the end of the range. */
1264 while (high-60*60 > dst_table[i].end) {
1265 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1266 t = dst_table[i].end + MAX_DST_SKIP;
1268 t = high - (high-dst_table[i].end)/2;
1269 if (TimeZone(t) == zone)
1270 dst_table[i].end = t;
1280 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1281 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1282 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1283 * daylight savings transitions because some local times are ambiguous.
1284 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
1287 LocTimeDiff(time_t lt)
1289 int d = TimeZoneFaster(lt);
1292 /* if overflow occurred, ignore all the adjustments so far */
1293 if (((t < lt) ^ (d < 0)))
1297 * Now t should be close enough to the true UTC to yield the
1300 return TimeZoneFaster(t);
/*
 * Dissect a 4-byte little-endian UTIME field at offset and add it to the
 * tree under hf_date.
 *
 * The all-ones value 0xffffffff is shown as "No time specified" instead of
 * being converted.  Any other value is a local-time second count, so the
 * result of LocTimeDiff() is added to it before display.
 */
1304 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1309 timeval = tvb_get_letohl(tvb, offset);
1310 if (timeval == 0xffffffff) {
1311 proto_tree_add_text(tree, tvb, offset, 4,
1312 "%s: No time specified (0xffffffff)",
1313 proto_registrar_get_name(hf_date));
1319 * We add the local time offset.
/* The value goes straight from the packet into the time-zone helpers;
   they have to cope with any 32-bit input. */
1321 ts.secs = timeval + LocTimeDiff(timeval);
1324 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
/*
 * Dissect a 4-byte DOS date/time pair at offset.  The pair is two
 * little-endian 16-bit words; the code reads them in either order, and
 * time_first presumably selects which word holds the time.
 *
 * Three outcomes are visible below:
 *  - both words 0xffff or both 0: shown as "No time specified";
 *  - a field out of range, or mktime() failing: a text item with the raw
 *    DOS time and date underneath;
 *  - otherwise: a time item (hf_date) with the raw DOS time and date
 *    underneath.
 */
1331 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1332 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1334 guint16 dos_time, dos_date;
1335 proto_item *item = NULL;
1336 proto_tree *tree = NULL;
/* Days per month, indexed by tm_mon (0..11); used by the range check. */
1339 static const int mday_noleap[12] = {
1340 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1342 static const int mday_leap[12] = {
1343 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1345 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1349 dos_time = tvb_get_letohs(tvb, offset);
1350 dos_date = tvb_get_letohs(tvb, offset+2);
1352 dos_date = tvb_get_letohs(tvb, offset);
1353 dos_time = tvb_get_letohs(tvb, offset+2);
1356 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1357 (dos_date == 0 && dos_time == 0)) {
1359 * No date/time specified.
/* NOTE(review): dos_date is a guint16 and is promoted to int before the
   "<< 16" below.  When it is 0xffff the shift moves a set bit into the
   sign bit of a signed int, which is undefined.  Casting first, as in
   ((guint32)dos_date << 16) | dos_time, avoids that. */
1362 proto_tree_add_text(parent_tree, tvb, offset, 4,
1363 "%s: No time specified (0x%08x)",
1364 proto_registrar_get_name(hf_date),
1365 (dos_date << 16) | dos_time);
/* Unpack the DOS bit fields: seconds are stored in 2-second units, the
   month is 1-based on the wire, and the year counts from 1980. */
1371 tm.tm_sec = (dos_time&0x1f)*2;
1372 tm.tm_min = (dos_time>>5)&0x3f;
1373 tm.tm_hour = (dos_time>>11)&0x1f;
1374 tm.tm_mday = dos_date&0x1f;
1375 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1376 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1380 * Do some sanity checks before calling "mktime()";
1381 * "mktime()" doesn't do them, it "normalizes" out-of-range
/* Every field taken from the packet is range-checked before use.  The
   tm_mon test sits before the mday_leap[]/mday_noleap[] lookups in the
   same || chain, so an out-of-range month short-circuits and never indexes
   the 12-entry tables.
   NOTE(review): only the upper bound of tm_mday is tested; a day-of-month
   of 0 passes this chain and is left for mktime() to normalize. */
1384 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1385 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1386 (ISLEAP(tm.tm_year + 1900) ?
1387 tm.tm_mday > mday_leap[tm.tm_mon] :
1388 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1389 (t = mktime(&tm)) == -1) {
1391 * Invalid date/time.
1394 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1396 proto_registrar_get_name(hf_date));
1397 tree = proto_item_add_subtree(item, ett_smb_time_date);
1399 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1400 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1402 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1403 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
/* Valid date/time: the converted time becomes the parent item and the two
   raw words are listed beneath it, in wire order. */
1414 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1415 tree = proto_item_add_subtree(item, ett_smb_time_date);
1417 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1418 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1420 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1421 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1430 static const true_false_string tfs_disposition_delete_on_close = {
1431 "DELETE this file when closed",
1432 "Normal access, do not delete on close"
1435 static const true_false_string tfs_pipe_info_flag = {
1436 "SET NAMED PIPE mode",
1437 "Clear NAMED PIPE mode"
1441 static const value_string da_access_vals[] = {
1442 { 0, "Open for reading"},
1443 { 1, "Open for writing"},
1444 { 2, "Open for reading and writing"},
1445 { 3, "Open for execute"},
1448 static const value_string da_sharing_vals[] = {
1449 { 0, "Compatibility mode"},
1450 { 1, "Deny read/write/execute (exclusive)"},
1452 { 3, "Deny read/execute"},
1456 static const value_string da_locality_vals[] = {
1457 { 0, "Locality of reference unknown"},
1458 { 1, "Mainly sequential access"},
1459 { 2, "Mainly random access"},
1460 { 3, "Random access with some locality"},
1463 static const true_false_string tfs_da_caching = {
1464 "Do not cache this file",
1465 "Caching permitted on this file"
1467 static const true_false_string tfs_da_writetru = {
1468 "Write through enabled",
1469 "Write through disabled"
1472 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, const char *type)
1478 mask = tvb_get_letohs(tvb, offset);
1481 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1482 "%s Access: 0x%04x", type, mask);
1483 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1485 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1486 tvb, offset, 2, mask);
1487 proto_tree_add_boolean(tree, hf_smb_access_caching,
1488 tvb, offset, 2, mask);
1489 proto_tree_add_uint(tree, hf_smb_access_locality,
1490 tvb, offset, 2, mask);
1491 proto_tree_add_uint(tree, hf_smb_access_sharing,
1492 tvb, offset, 2, mask);
1493 proto_tree_add_uint(tree, hf_smb_access_mode,
1494 tvb, offset, 2, mask);
1502 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1503 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1504 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1505 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1506 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1507 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1508 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1509 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1510 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1511 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1512 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1513 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1514 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1515 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1516 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1518 static const true_false_string tfs_file_attribute_read_only = {
1519 "This file is READ ONLY",
1520 "This file is NOT read only",
1522 static const true_false_string tfs_file_attribute_hidden = {
1523 "This is a HIDDEN file",
1524 "This is NOT a hidden file"
1526 static const true_false_string tfs_file_attribute_system = {
1527 "This is a SYSTEM file",
1528 "This is NOT a system file"
1530 static const true_false_string tfs_file_attribute_volume = {
1531 "This is a VOLUME ID",
1532 "This is NOT a volume ID"
1534 static const true_false_string tfs_file_attribute_directory = {
1535 "This is a DIRECTORY",
1536 "This is NOT a directory"
1538 static const true_false_string tfs_file_attribute_archive = {
1539 "This file has been modified since last ARCHIVE",
1540 "This file has NOT been modified since last archive"
1542 static const true_false_string tfs_file_attribute_device = {
1544 "This is NOT a device"
1546 static const true_false_string tfs_file_attribute_normal = {
1547 "This file is an ordinary file",
1548 "This file has some attribute set"
1550 static const true_false_string tfs_file_attribute_temporary = {
1551 "This is a TEMPORARY file",
1552 "This is NOT a temporary file"
1554 static const true_false_string tfs_file_attribute_sparse = {
1555 "This is a SPARSE file",
1556 "This is NOT a sparse file"
1558 static const true_false_string tfs_file_attribute_reparse = {
1559 "This file has an associated REPARSE POINT",
1560 "This file does NOT have an associated reparse point"
1562 static const true_false_string tfs_file_attribute_compressed = {
1563 "This is a COMPRESSED file",
1564 "This is NOT a compressed file"
1566 static const true_false_string tfs_file_attribute_offline = {
1567 "This file is OFFLINE",
1568 "This file is NOT offline"
1570 static const true_false_string tfs_file_attribute_not_content_indexed = {
1571 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1572 "This file MAY be indexed by the content indexing service"
1574 static const true_false_string tfs_file_attribute_encrypted = {
1575 "This is an ENCRYPTED file",
1576 "This is NOT an encrypted file"
1580 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1581 * listed as USHORT, and seem to be in packets in the wild, while in other
1582 * places they are listed as ULONG, and also seem to be.
1584 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
1589 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1596 if (bytes != 2 && bytes != 4) {
1597 THROW(ReportedBoundsError);
1601 * The actual bits of interest appear to only be a USHORT
1603 /* FIXME if this ever changes! */
1604 mask = tvb_get_letohs(tvb, offset);
1607 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1608 "File Attributes: 0x%08x", mask);
1609 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1611 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1612 tvb, offset, bytes, mask);
1613 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1614 tvb, offset, bytes, mask);
1615 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1616 tvb, offset, bytes, mask);
1617 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1618 tvb, offset, bytes, mask);
1619 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1620 tvb, offset, bytes, mask);
1621 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1622 tvb, offset, bytes, mask);
1623 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1624 tvb, offset, bytes, mask);
1625 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1626 tvb, offset, bytes, mask);
1627 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1628 tvb, offset, bytes, mask);
1629 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1630 tvb, offset, bytes, mask);
1631 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1632 tvb, offset, bytes, mask);
1633 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1634 tvb, offset, bytes, mask);
1635 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1636 tvb, offset, bytes, mask);
1637 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1638 tvb, offset, bytes, mask);
1639 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1640 tvb, offset, bytes, mask);
1650 dissect_file_ext_attr_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1651 int len, guint32 mask)
1657 item = proto_tree_add_text(parent_tree, tvb, offset, len,
1658 "File Attributes: 0x%08x", mask);
1659 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1662 * XXX - Network Monitor disagrees on some of the
1663 * bits, e.g. the bits above temporary are "atomic write"
1664 * and "transaction write", and it says nothing about the
1667 * Does the Win32 API documentation, or the NT Native API book,
1670 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1671 tvb, offset, len, mask);
1672 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1673 tvb, offset, len, mask);
1674 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1675 tvb, offset, len, mask);
1676 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1677 tvb, offset, len, mask);
1678 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1679 tvb, offset, len, mask);
1680 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1681 tvb, offset, len, mask);
1682 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1683 tvb, offset, len, mask);
1684 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1685 tvb, offset, len, mask);
1686 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1687 tvb, offset, len, mask);
1688 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1689 tvb, offset, len, mask);
1690 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1691 tvb, offset, len, mask);
1692 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1693 tvb, offset, len, mask);
1694 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1695 tvb, offset, len, mask);
1696 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1697 tvb, offset, len, mask);
1698 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1699 tvb, offset, len, mask);
1709 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1713 mask = tvb_get_letohl(tvb, offset);
1715 offset = dissect_file_ext_attr_bits(tvb, parent_tree, offset, 4, mask);
1721 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1727 mask = tvb_get_guint8(tvb, offset);
1730 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1731 "File Attributes: 0x%02x", mask);
1732 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1734 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1735 tvb, offset, 1, mask);
1736 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1737 tvb, offset, 1, mask);
1738 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1739 tvb, offset, 1, mask);
1740 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1741 tvb, offset, 1, mask);
1742 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1743 tvb, offset, 1, mask);
1744 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1745 tvb, offset, 1, mask);
1753 static const true_false_string tfs_search_attribute_read_only = {
1754 "Include READ ONLY files in search results",
1755 "Do NOT include read only files in search results",
1757 static const true_false_string tfs_search_attribute_hidden = {
1758 "Include HIDDEN files in search results",
1759 "Do NOT include hidden files in search results"
1761 static const true_false_string tfs_search_attribute_system = {
1762 "Include SYSTEM files in search results",
1763 "Do NOT include system files in search results"
1765 static const true_false_string tfs_search_attribute_volume = {
1766 "Include VOLUME IDs in search results",
1767 "Do NOT include volume IDs in search results"
1769 static const true_false_string tfs_search_attribute_directory = {
1770 "Include DIRECTORIES in search results",
1771 "Do NOT include directories in search results"
1773 static const true_false_string tfs_search_attribute_archive = {
1774 "Include ARCHIVE files in search results",
1775 "Do NOT include archive files in search results"
1779 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1785 mask = tvb_get_letohs(tvb, offset);
1788 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1789 "Search Attributes: 0x%04x", mask);
1790 tree = proto_item_add_subtree(item, ett_smb_search);
1792 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1793 tvb, offset, 2, mask);
1794 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1795 tvb, offset, 2, mask);
1796 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1797 tvb, offset, 2, mask);
1798 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1799 tvb, offset, 2, mask);
1800 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1801 tvb, offset, 2, mask);
1802 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1803 tvb, offset, 2, mask);
1812 * XXX - this isn't used.
1813 * Is this used for anything? NT Create AndX doesn't use it.
1814 * Is there some 16-bit attribute field with more bits than Read Only,
1815 * Hidden, System, Volume ID, Directory, and Archive?
/*
 * Dissect a file-attribute bitmask at offset into a "File Attributes"
 * subtree, one boolean item per attribute bit.
 *
 * NOTE(review): the widths disagree.  The mask is fetched with
 * tvb_get_letohl(), a 32-bit read that needs 4 bytes at offset, and is
 * printed with %08x, yet every tree item is added with a length of 2.
 * On a field that really is 2 bytes wide, the 32-bit read pulls in the
 * next field's bytes and fails on a packet that ends right after the
 * field.  The comment above says this routine is not used; settle the
 * intended width (tvb_get_letohs with length 2, or length 4 throughout)
 * before anything calls it.
 */
1818 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1824 mask = tvb_get_letohl(tvb, offset);
1827 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1828 "File Attributes: 0x%08x", mask);
1829 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1831 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1832 tvb, offset, 2, mask);
1833 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1834 tvb, offset, 2, mask);
1835 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1836 tvb, offset, 2, mask);
1837 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1838 tvb, offset, 2, mask);
1839 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1840 tvb, offset, 2, mask);
1841 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1842 tvb, offset, 2, mask);
1843 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1844 tvb, offset, 2, mask);
1845 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1846 tvb, offset, 2, mask);
1847 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1848 tvb, offset, 2, mask);
1849 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1850 tvb, offset, 2, mask);
1851 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1852 tvb, offset, 2, mask);
1853 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1854 tvb, offset, 2, mask);
1855 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1856 tvb, offset, 2, mask);
1857 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1858 tvb, offset, 2, mask);
1859 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1860 tvb, offset, 2, mask);
1869 #define SERVER_CAP_RAW_MODE 0x00000001
1870 #define SERVER_CAP_MPX_MODE 0x00000002
1871 #define SERVER_CAP_UNICODE 0x00000004
1872 #define SERVER_CAP_LARGE_FILES 0x00000008
1873 #define SERVER_CAP_NT_SMBS 0x00000010
1874 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1875 #define SERVER_CAP_STATUS32 0x00000040
1876 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1877 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1878 #define SERVER_CAP_NT_FIND 0x00000200
1879 #define SERVER_CAP_DFS 0x00001000
1880 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1881 #define SERVER_CAP_LARGE_READX 0x00004000
1882 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1883 #define SERVER_CAP_UNIX 0x00800000
1884 #define SERVER_CAP_RESERVED 0x02000000
1885 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1886 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1887 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
/*
 * Display text for each capability bit (text for bit set, then text for bit
 * clear).
 * NOTE(review): this listing drops short lines. The closing braces and some
 * strings (the "set" text of tfs_server_cap_dfs, both strings of
 * tfs_server_cap_reserved) are not visible here.
 */
1888 static const true_false_string tfs_server_cap_raw_mode = {
1889 "Read Raw and Write Raw are supported",
1890 "Read Raw and Write Raw are not supported"
1892 static const true_false_string tfs_server_cap_mpx_mode = {
1893 "Read Mpx and Write Mpx are supported",
1894 "Read Mpx and Write Mpx are not supported"
1896 static const true_false_string tfs_server_cap_unicode = {
1897 "Unicode strings are supported",
1898 "Unicode strings are not supported"
1900 static const true_false_string tfs_server_cap_large_files = {
1901 "Large files are supported",
1902 "Large files are not supported",
1904 static const true_false_string tfs_server_cap_nt_smbs = {
1905 "NT SMBs are supported",
1906 "NT SMBs are not supported"
1908 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1909 "RPC remote APIs are supported",
1910 "RPC remote APIs are not supported"
1912 static const true_false_string tfs_server_cap_nt_status = {
1913 "NT status codes are supported",
1914 "NT status codes are not supported"
1916 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1917 "Level 2 oplocks are supported",
1918 "Level 2 oplocks are not supported"
1920 static const true_false_string tfs_server_cap_lock_and_read = {
1921 "Lock and Read is supported",
1922 "Lock and Read is not supported"
1924 static const true_false_string tfs_server_cap_nt_find = {
1925 "NT Find is supported",
1926 "NT Find is not supported"
1928 static const true_false_string tfs_server_cap_dfs = {
1930 "Dfs is not supported"
1932 static const true_false_string tfs_server_cap_infolevel_passthru = {
1933 "NT information level request passthrough is supported",
1934 "NT information level request passthrough is not supported"
1936 static const true_false_string tfs_server_cap_large_readx = {
1937 "Large Read andX is supported",
1938 "Large Read andX is not supported"
1940 static const true_false_string tfs_server_cap_large_writex = {
1941 "Large Write andX is supported",
1942 "Large Write andX is not supported"
1944 static const true_false_string tfs_server_cap_unix = {
1945 "UNIX extensions are supported",
1946 "UNIX extensions are not supported"
1948 static const true_false_string tfs_server_cap_reserved = {
1952 static const true_false_string tfs_server_cap_bulk_transfer = {
1953 "Bulk Read and Bulk Write are supported",
1954 "Bulk Read and Bulk Write are not supported"
1956 static const true_false_string tfs_server_cap_compressed_data = {
1957 "Compressed data transfer is supported",
1958 "Compressed data transfer is not supported"
1960 static const true_false_string tfs_server_cap_extended_security = {
1961 "Extended security exchanges are supported",
1962 "Extended security exchanges are not supported"
/*
 * Dissect the server Capabilities word of a Negotiate Protocol response.
 *
 * Reads a little-endian 32-bit mask at `offset`, adds a
 * "Capabilities: 0x%08x" item under parent_tree and one boolean per
 * capability field below it (each over the same 4 bytes).
 *
 * No explicit length check is visible before the read; the tvb accessor is
 * what rejects a truncated packet (it throws when the 4 bytes are absent).
 * NOTE(review): short lines are missing from this listing (declarations,
 * braces, return). dissect_negprot_response stores the result in `caps`, so
 * presumably the mask is returned - confirm against the full file.
 */
1965 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1971 mask = tvb_get_letohl(tvb, offset);
1974 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1975 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1977 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1978 tvb, offset, 4, mask);
1979 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1980 tvb, offset, 4, mask);
1981 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1982 tvb, offset, 4, mask);
1983 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1984 tvb, offset, 4, mask);
1985 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1986 tvb, offset, 4, mask);
1987 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1988 tvb, offset, 4, mask);
1989 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1990 tvb, offset, 4, mask);
1991 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1992 tvb, offset, 4, mask);
1993 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1994 tvb, offset, 4, mask);
1995 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1996 tvb, offset, 4, mask);
1997 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1998 tvb, offset, 4, mask);
1999 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
2000 tvb, offset, 4, mask);
2001 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
2002 tvb, offset, 4, mask);
2003 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
2004 tvb, offset, 4, mask);
2005 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
2006 tvb, offset, 4, mask);
2007 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
2008 tvb, offset, 4, mask);
2009 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
2010 tvb, offset, 4, mask);
2011 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
2012 tvb, offset, 4, mask);
2013 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
2014 tvb, offset, 4, mask);
/* Bit masks and display text for the Raw Mode field of the Negotiate
 * Protocol response (see dissect_negprot_rawmode). */
2020 #define RAWMODE_READ 0x01
2021 #define RAWMODE_WRITE 0x02
2022 static const true_false_string tfs_rm_read = {
2023 "Read Raw is supported",
2024 "Read Raw is not supported"
2026 static const true_false_string tfs_rm_write = {
2027 "Write Raw is supported",
2028 "Write Raw is not supported"
/*
 * Dissect the 2-byte Raw Mode field: a little-endian 16-bit mask at
 * `offset`, shown as "Raw Mode: 0x%04x" with the hf_smb_rm_read and
 * hf_smb_rm_write booleans below it.
 * NOTE(review): the return statement is not visible in this listing; the
 * caller assigns the result to its offset.
 */
2032 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2038 mask = tvb_get_letohs(tvb, offset);
2041 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
2042 tree = proto_item_add_subtree(item, ett_smb_rawmode);
2044 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
2045 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
/*
 * Bit masks and display text for the Security Mode field of the Negotiate
 * Protocol response. These are the bits an analyst reads to see whether the
 * server asks for plaintext or challenge/response passwords and whether SMB
 * signing is enabled or required.
 */
2053 #define SECURITY_MODE_MODE 0x01
2054 #define SECURITY_MODE_PASSWORD 0x02
2055 #define SECURITY_MODE_SIGNATURES 0x04
2056 #define SECURITY_MODE_SIG_REQUIRED 0x08
2057 static const true_false_string tfs_sm_mode = {
2058 "USER security mode",
2059 "SHARE security mode"
2061 static const true_false_string tfs_sm_password = {
2062 "ENCRYPTED password. Use challenge/response",
2063 "PLAINTEXT password"
2065 static const true_false_string tfs_sm_signatures = {
2066 "Security signatures ENABLED",
2067 "Security signatures NOT enabled"
2069 static const true_false_string tfs_sm_sig_required = {
2070 "Security signatures REQUIRED",
2071 "Security signatures NOT required"
/*
 * Dissect the Security Mode field of a Negotiate Protocol response.
 *
 * Two layouts are visible: a 2-byte little-endian field that displays only
 * the mode and password bits, and a 1-byte field that also displays the
 * signatures-enabled and signatures-required bits. Which one runs is
 * presumably chosen from `wc` (the selecting lines are missing from this
 * listing - confirm).
 *
 * When reviewing a capture, a "PLAINTEXT password" or "Security signatures
 * NOT required" result here is the server advertising a weak setting.
 */
2075 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
2078 proto_item *item = NULL;
2079 proto_tree *tree = NULL;
2083 mask = tvb_get_letohs(tvb, offset);
2084 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2085 "Security Mode: 0x%04x", mask);
2086 tree = proto_item_add_subtree(item, ett_smb_mode);
2087 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
2088 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
2093 mask = tvb_get_guint8(tvb, offset);
2094 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2095 "Security Mode: 0x%02x", mask);
2096 tree = proto_item_add_subtree(item, ett_smb_mode);
2097 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
2098 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
2099 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
2100 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
/*
 * Dialect names remembered from a Negotiate Protocol request so the response
 * dissector can translate the selected index into a name.
 * name[] has MAX_DIALECTS+1 slots; the writer (dissect_negprot_request)
 * stores only while num<MAX_DIALECTS and the reader
 * (dissect_negprot_response) indexes only when the index is below num.
 * NOTE(review): the `num` member is on a line missing from this listing.
 */
2108 #define MAX_DIALECTS 20
2109 struct negprot_dialects {
2111 char *name[MAX_DIALECTS+1];
/*
 * Dissect a Negotiate Protocol request: the list of dialect strings the
 * client offers, each preceded by a buffer-format byte.
 *
 * On the first pass over a frame (flags.visited clear) and when si->sip is
 * set, a negprot_dialects record is allocated with se_alloc() and attached
 * to si->sip->extra_info under the SMB_EI_DIALECTS tag, so the response
 * dissector can name the selected index.
 *
 * Points that matter for untrusted captures:
 *  - tvb_strsize() looks for the NUL in the whole tvb, not within the
 *    remaining byte count (the XXX below). The "Dialect: %s" item is added
 *    with that length before CHECK_BYTE_COUNT(len) runs.
 *  - At most MAX_DIALECTS names are stored; further dialects are dissected
 *    but not remembered.
 *  - NOTE(review): se_alloc() does not zero memory (se_alloc0() does). The
 *    line after the allocation is missing from this listing; confirm it sets
 *    dialects->num to 0 before the `num<MAX_DIALECTS` test is relied on.
 */
2115 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2117 proto_item *it = NULL;
2118 proto_tree *tr = NULL;
2121 struct negprot_dialects *dialects = NULL;
2124 si = (smb_info_t *)pinfo->private_data;
2125 DISSECTOR_ASSERT(si);
2132 tvb_ensure_bytes_exist(tvb, offset, bc);
2133 it = proto_tree_add_text(tree, tvb, offset, bc,
2134 "Requested Dialects");
2135 tr = proto_item_add_subtree(it, ett_smb_dialects);
2138 if (!pinfo->fd->flags.visited && si->sip) {
2139 dialects = se_alloc(sizeof(struct negprot_dialects));
2141 si->sip->extra_info_type = SMB_EI_DIALECTS;
2142 si->sip->extra_info = dialects;
2148 proto_item *dit = NULL;
2149 proto_tree *dtr = NULL;
2151 /* XXX - what if this runs past bc? */
2152 tvb_ensure_bytes_exist(tvb, offset+1, 1);
2153 len = tvb_strsize(tvb, offset+1);
2154 str = tvb_get_ptr(tvb, offset+1, len);
2157 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2158 "Dialect: %s", str);
2159 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2163 CHECK_BYTE_COUNT(1);
2164 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2169 CHECK_BYTE_COUNT(len);
2170 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
/* the cap on stored names keeps the write inside name[MAX_DIALECTS+1] */
2174 if (!pinfo->fd->flags.visited && dialects && dialects->num<MAX_DIALECTS) {
2175 dialects->name[dialects->num++] = se_strdup(str);
/*
 * Dissect a Negotiate Protocol response.
 *
 * The 16-bit dialect index comes from the packet. It is used to index the
 * dialect names saved by dissect_negprot_request only when extra_info is
 * tagged SMB_EI_DIALECTS and `dialect < dialects->num`; otherwise the name
 * falls back to "unknown". 0xffff is reported separately.
 *
 * The rest of the word block is dissected in one of several layouts
 * (presumably selected by word count; the selecting lines are missing from
 * this listing). The byte block then carries either a challenge key of
 * `ekl` bytes (length taken from the packet, checked with CHECK_BYTE_COUNT
 * before the item is added) plus domain/server strings, or - apparently when
 * SERVER_CAP_EXTENDED_SECURITY is set - a 16-byte server GUID and a
 * security blob.
 *
 * For the blob, sbloblen is clamped to tvb_length_remaining() so a short
 * frame still shows the bytes that were captured, and the sub-tvb handed to
 * the GSS-API dissector keeps `bc` as its reported length.
 * si->ct->raw_ntlmssp is set to 0 after a blob is dissected and to 1 when
 * there is none.
 *
 * NOTE(review): si->ct is dereferenced on the visible lines without a
 * visible NULL check; short lines are missing from this listing, so confirm
 * the guards in the full file.
 */
2186 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2188 smb_info_t *si = pinfo->private_data;
2197 struct negprot_dialects *dialects = NULL;
2198 const char *dialect_name = NULL;
2200 DISSECTOR_ASSERT(si);
2205 dialect = tvb_get_letohs(tvb, offset);
2207 if (si->sip && si->sip->extra_info_type==SMB_EI_DIALECTS) {
2208 dialects = si->sip->extra_info;
/* `dialect` comes from the packet: index only after the range check */
2209 if (dialect < dialects->num) {
2210 dialect_name = dialects->name[dialect];
2213 if (!dialect_name) {
2214 dialect_name = "unknown";
2219 if(dialect==0xffff){
2220 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2221 tvb, offset, 2, dialect,
2222 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2224 proto_tree_add_uint(tree, hf_smb_dialect_index,
2225 tvb, offset, 2, dialect);
2229 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2230 tvb, offset, 2, dialect,
2231 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2234 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2235 tvb, offset, 2, dialect,
2236 "Dialect Index: %u: %s", dialect, dialect_name);
2239 tvb_ensure_bytes_exist(tvb, offset, wc*2);
2240 proto_tree_add_text(tree, tvb, offset, wc*2,
2241 "Words for unknown response format");
2250 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2252 /* Maximum Transmit Buffer Size */
2253 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2254 tvb, offset, 2, TRUE);
2257 /* Maximum Multiplex Count */
2258 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2259 tvb, offset, 2, TRUE);
2262 /* Maximum Vcs Number */
2263 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2264 tvb, offset, 2, TRUE);
2268 offset = dissect_negprot_rawmode(tvb, tree, offset);
2271 proto_tree_add_item(tree, hf_smb_session_key,
2272 tvb, offset, 4, TRUE);
2275 /* current time and date at server */
2276 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2280 tz = tvb_get_letohs(tvb, offset);
2281 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2284 /* encryption key length */
2285 ekl = tvb_get_letohs(tvb, offset);
2286 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2289 /* 2 reserved bytes */
2290 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2297 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2299 /* Maximum Multiplex Count */
2300 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2301 tvb, offset, 2, TRUE);
2304 /* Maximum Vcs Number */
2305 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2306 tvb, offset, 2, TRUE);
2309 /* Maximum Transmit Buffer Size */
2310 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2311 tvb, offset, 4, TRUE);
2314 /* maximum raw buffer size */
2315 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2316 tvb, offset, 4, TRUE);
2320 proto_tree_add_item(tree, hf_smb_session_key,
2321 tvb, offset, 4, TRUE);
2324 /* server capabilities */
2325 caps = dissect_negprot_capabilities(tvb, tree, offset);
2329 offset = dissect_nt_64bit_time(tvb, tree, offset,
2330 hf_smb_system_time);
2333 tz = tvb_get_letohs(tvb, offset);
2334 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2336 "Server Time Zone: %d min from UTC", tz);
2339 /* encryption key length */
2340 ekl = tvb_get_guint8(tvb, offset);
2341 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2342 tvb, offset, 1, ekl);
2352 /* challenge/response encryption key */
2354 CHECK_BYTE_COUNT(ekl);
2355 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2362 * XXX - not present if negotiated dialect isn't
2363 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2364 * have to see the request, or assume what dialect strings
2365 * were sent, to determine that.
2367 * Is this something other than a primary domain if the
2368 * negotiated dialect is Windows for Workgroups 3.1a?
2369 * It appears to be 8 bytes of binary data in at least
2370 * one capture - is that an encryption key or something
2373 dn = get_unicode_or_ascii_string(tvb, &offset,
2374 si->unicode, &dn_len, FALSE, FALSE, &bc);
2377 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2379 COUNT_BYTES(dn_len);
2383 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2384 /* challenge/response encryption key */
2385 /* XXX - is this aligned on an even boundary? */
2387 CHECK_BYTE_COUNT(ekl);
2388 proto_tree_add_item(tree, hf_smb_encryption_key,
2389 tvb, offset, ekl, TRUE);
2394 /* this string is special, unicode is flagged in caps */
2395 /* This string is NOT padded to be 16bit aligned.
2396 (seen in actual capture)
2397 XXX - I've seen a capture where it appears to be
2398 so aligned, but I've also seen captures where
2399 it is. The captures where it appeared to be
2400 aligned may have been from buggy servers. */
2401 /* However, don't get rid of existing setting */
2402 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2405 dn = get_unicode_or_ascii_string(tvb,
2406 &offset, si->unicode, &dn_len, TRUE, FALSE,
2410 proto_tree_add_string(tree, hf_smb_primary_domain,
2411 tvb, offset, dn_len, dn);
2412 COUNT_BYTES(dn_len);
2414 /* server name, seen in w2k pro capture */
2415 dn = get_unicode_or_ascii_string(tvb,
2416 &offset, si->unicode, &dn_len, TRUE, FALSE,
2420 proto_tree_add_string(tree, hf_smb_server,
2421 tvb, offset, dn_len, dn);
2422 COUNT_BYTES(dn_len);
2425 proto_item *blob_item;
2429 /* XXX - show it in the standard Microsoft format
2431 CHECK_BYTE_COUNT(16);
2432 proto_tree_add_item(tree, hf_smb_server_guid,
2433 tvb, offset, 16, TRUE);
2437 /* If it runs past the end of the captured data, don't
2438 * try to put all of it into the protocol tree as the
2439 * raw security blob; we might get an exception on
2440 * short frames and then we will not see anything at all
2441 * of the security blob.
2444 if(sbloblen>tvb_length_remaining(tvb, offset)){
2445 sbloblen=tvb_length_remaining(tvb,offset);
2447 blob_item = proto_tree_add_item(
2448 tree, hf_smb_security_blob,
2449 tvb, offset, sbloblen, TRUE);
2452 * If Extended security and BCC == 16, then raw
2453 * NTLMSSP is in use. We need to save this info
2457 tvbuff_t *gssapi_tvb;
2458 proto_tree *gssapi_tree;
2460 gssapi_tree = proto_item_add_subtree(
2461 blob_item, ett_smb_secblob);
2464 * Set the reported length of this to
2465 * the reported length of the blob,
2466 * rather than the amount of data
2467 * available from the blob, so that
2468 * we'll throw the right exception if
2471 gssapi_tvb = tvb_new_subset(
2472 tvb, offset, sbloblen, bc);
2475 gssapi_handle, gssapi_tvb, pinfo,
2479 si->ct->raw_ntlmssp = 0;
2486 * There is no blob. We just have to make sure
2487 * that subsequent routines know to call the
2492 si->ct->raw_ntlmssp = 1;
/*
 * Dissect an old-style directory request: a buffer-format byte followed by
 * a directory name decoded according to si->unicode.
 *
 * On the first pass the name is copied with se_strdup() into
 * si->sip->extra_info, tagged SMB_EI_FILENAME, so the matching response can
 * show it. The Info column gets the name through format_text(), which
 * escapes non-printable bytes coming from the packet.
 *
 * NOTE(review): `dn` is passed to se_strdup() and strlen(); the line after
 * get_unicode_or_ascii_string() is missing from this listing - confirm it
 * rejects a NULL result.
 */
2506 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2508 smb_info_t *si = pinfo->private_data;
2514 DISSECTOR_ASSERT(si);
2521 CHECK_BYTE_COUNT(1);
2522 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2526 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2529 if((!pinfo->fd->flags.visited) && si->sip){
2530 si->sip->extra_info_type=SMB_EI_FILENAME;
2531 si->sip->extra_info=se_strdup(dn);
2536 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2538 COUNT_BYTES(dn_len);
2540 if (check_col(pinfo->cinfo, COL_INFO)) {
2541 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s",
2542 format_text(dn, strlen(dn)));
/*
 * Adds the file name saved from the matching request, if there is one, as a
 * generated zero-length hf_smb_file_name item.
 *
 * extra_info holds different things depending on extra_info_type (a dialect
 * list, a string, rename data elsewhere in this file); it is read as a
 * string here only because the tag is SMB_EI_FILENAME, so every writer has
 * to set tag and pointer together.
 */
2551 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2555 smb_info_t *si = pinfo->private_data;
2556 proto_item *item=NULL;
2558 DISSECTOR_ASSERT(si);
2560 if(si->sip && si->sip->extra_info_type==SMB_EI_FILENAME){
2561 item=proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, si->sip->extra_info);
2562 PROTO_ITEM_SET_GENERATED(item);
/*
 * Adds the old and new file names saved from the matching rename request as
 * generated zero-length items, when extra_info is tagged SMB_EI_RENAMEDATA.
 * NOTE(review): rni->old_name and rni->new_name are used without a visible
 * NULL check; confirm the request dissector always fills both.
 */
2576 dissect_rename_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2580 smb_info_t *si = pinfo->private_data;
2581 proto_item *item=NULL;
2583 DISSECTOR_ASSERT(si);
2585 if(si->sip && si->sip->extra_info_type==SMB_EI_RENAMEDATA){
2586 smb_rename_saved_info_t *rni=si->sip->extra_info;
2588 item=proto_tree_add_string(tree, hf_smb_old_file_name, tvb, 0, 0, rni->old_name);
2589 PROTO_ITEM_SET_GENERATED(item);
2590 item=proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, rni->new_name);
2591 PROTO_ITEM_SET_GENERATED(item);
/*
 * Dissect an Echo request: a little-endian 16-bit echo count, then `bc`
 * bytes of echo data.
 * NOTE(review): where `bc` is read and checked is not visible in this
 * listing.
 */
2605 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2613 ec = tvb_get_letohs(tvb, offset);
2614 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2621 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissect an Echo response: a 2-byte echo sequence number, then `bc` bytes
 * of echo data.
 * NOTE(review): where `bc` is read and checked is not visible in this
 * listing.
 */
2631 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2638 /* echo sequence number */
2639 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2646 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissect a Tree Connect request: path, password and service name, each
 * preceded by a buffer-format byte.
 *
 *  - Path and service are decoded with get_unicode_or_ascii_string() using
 *    si->unicode; the path is appended to the Info column via format_text().
 *  - The password length comes from tvb_strsize(), which scans for a NUL in
 *    the tvb rather than within the remaining byte count (the XXX below);
 *    CHECK_BYTE_COUNT(pwlen) follows it.
 *  - The password bytes are added to the tree as captured, so a capture file
 *    containing this request should be handled as sensitive material.
 *
 * NOTE(review): `an` is passed to strlen(); the lines after each
 * get_unicode_or_ascii_string() call are missing from this listing -
 * confirm a NULL result is rejected first.
 */
2656 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2658 smb_info_t *si = pinfo->private_data;
2664 DISSECTOR_ASSERT(si);
2671 CHECK_BYTE_COUNT(1);
2672 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2676 an = get_unicode_or_ascii_string(tvb, &offset,
2677 si->unicode, &an_len, FALSE, FALSE, &bc);
2680 proto_tree_add_string(tree, hf_smb_path, tvb,
2681 offset, an_len, an);
2682 COUNT_BYTES(an_len);
2684 if (check_col(pinfo->cinfo, COL_INFO)) {
2685 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
2686 format_text(an, strlen(an)));
2690 CHECK_BYTE_COUNT(1);
2691 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2694 /* password, ANSI */
2695 /* XXX - what if this runs past bc? */
2696 pwlen = tvb_strsize(tvb, offset);
2697 CHECK_BYTE_COUNT(pwlen);
2698 proto_tree_add_item(tree, hf_smb_password,
2699 tvb, offset, pwlen, TRUE);
2703 CHECK_BYTE_COUNT(1);
2704 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2709 * XXX - the SNIA CIFS spec "Strings that are never passed in
2710 * Unicode are: ... The service name string in the
2711 * Tree_Connect_AndX SMB". Is that claim false?
2713 an = get_unicode_or_ascii_string(tvb, &offset,
2714 si->unicode, &an_len, FALSE, FALSE, &bc);
2717 proto_tree_add_string(tree, hf_smb_service, tvb,
2718 offset, an_len, an);
2719 COUNT_BYTES(an_len);
/*
 * Add the UID (si->uid) as a 2-byte item and, from the per-conversation
 * uid_tree, generated sub-items for the domain, the account and the
 * logged_in / logged_out values when they are greater than 0. Domain and
 * account are also appended to the item text, wrapped in parentheses when
 * both are known.
 *
 * NOTE(review): the se_tree_lookup32() result and si->ct are dereferenced on
 * the visible lines; the line right after the lookup is missing from this
 * listing - confirm it guards against a NULL smb_uid (a UID with no entry
 * in the tree).
 */
2727 dissect_smb_uid(tvbuff_t *tvb, proto_tree *parent_tree, int offset, smb_info_t *si)
2729 proto_item *item, *subitem;
2731 smb_uid_t *smb_uid=NULL;
2733 item=proto_tree_add_uint(parent_tree, hf_smb_uid, tvb, offset, 2, si->uid);
2734 tree=proto_item_add_subtree(item, ett_smb_uid);
2736 smb_uid=se_tree_lookup32(si->ct->uid_tree, si->uid);
2738 if(smb_uid->domain && smb_uid->account)
2739 proto_item_append_text(item, " (");
2740 if(smb_uid->domain){
2741 proto_item_append_text(item, "%s", smb_uid->domain);
2742 subitem=proto_tree_add_string(tree, hf_smb_primary_domain, tvb, 0, 0, smb_uid->domain);
2743 PROTO_ITEM_SET_GENERATED(subitem);
2745 if(smb_uid->account){
2746 proto_item_append_text(item, "\\%s", smb_uid->account);
2747 subitem=proto_tree_add_string(tree, hf_smb_account, tvb, 0, 0, smb_uid->account);
2748 PROTO_ITEM_SET_GENERATED(subitem);
2750 if(smb_uid->domain && smb_uid->account)
2751 proto_item_append_text(item, ")");
2752 if(smb_uid->logged_in>0){
2753 subitem=proto_tree_add_uint(tree, hf_smb_logged_in, tvb, 0, 0, smb_uid->logged_in);
2754 PROTO_ITEM_SET_GENERATED(subitem);
2756 if(smb_uid->logged_out>0){
2757 subitem=proto_tree_add_uint(tree, hf_smb_logged_out, tvb, 0, 0, smb_uid->logged_out);
2758 PROTO_ITEM_SET_GENERATED(subitem);
/*
 * Add the TID as a 2-byte item with generated sub-items taken from the
 * per-conversation tid_tree.
 *
 * First pass with is_created: a smb_tid_info_t is allocated, stamped with
 * the current frame number and inserted under `tid`; its filename is taken
 * from si->sip->extra_info when that is tagged SMB_EI_TIDNAME, else NULL.
 * Apparently otherwise the record is looked up. First pass with is_closed:
 * closed_in is stamped with the current frame number.
 *
 * NOTE(review):
 *  - The lookup uses se_tree_lookup32_le() while the insert uses the exact
 *    tid; verify an unseen TID cannot pick up another tree's record.
 *  - Lines between the lookup and the first tid_info dereference are missing
 *    from this listing; confirm a NULL result returns early.
 *  - si->ct is dereferenced without a visible NULL check.
 */
2767 dissect_smb_tid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 tid, gboolean is_created, gboolean is_closed)
2769 smb_info_t *si = pinfo->private_data;
2772 smb_tid_info_t *tid_info=NULL;
2774 DISSECTOR_ASSERT(si);
2777 it=proto_tree_add_uint(tree, hf_smb_tid, tvb, offset, 2, tid);
2778 tr=proto_item_add_subtree(it, ett_smb_tid);
2781 if((!pinfo->fd->flags.visited) && is_created){
2782 tid_info=se_alloc(sizeof(smb_tid_info_t));
2783 tid_info->opened_in=pinfo->fd->num;
2784 tid_info->closed_in=0;
2785 tid_info->type=SMB_FID_TYPE_UNKNOWN;
2786 if(si->sip && (si->sip->extra_info_type==SMB_EI_TIDNAME)){
2787 tid_info->filename=si->sip->extra_info;
2789 tid_info->filename=NULL;
2791 se_tree_insert32(si->ct->tid_tree, tid, tid_info);
2795 tid_info=se_tree_lookup32_le(si->ct->tid_tree, tid);
2801 if((!pinfo->fd->flags.visited) && is_closed){
2802 tid_info->closed_in=pinfo->fd->num;
2805 if(tid_info->opened_in){
2806 if(tid_info->filename){
2807 proto_item_append_text(it, " (%s)", tid_info->filename);
2809 it=proto_tree_add_string(tr, hf_smb_path, tvb, 0, 0, tid_info->filename);
2810 PROTO_ITEM_SET_GENERATED(it);
2813 it=proto_tree_add_uint(tr, hf_smb_mapped_in, tvb, 0, 0, tid_info->opened_in);
2814 PROTO_ITEM_SET_GENERATED(it);
2816 if(tid_info->closed_in){
2817 it=proto_tree_add_uint(tr, hf_smb_unmapped_in, tvb, 0, 0, tid_info->closed_in);
2818 PROTO_ITEM_SET_GENERATED(it);
/*
 * Dissect a Tree Connect response: a 2-byte maximum buffer size, then the
 * TID, which is read from the packet and passed to dissect_smb_tid() with
 * is_created=TRUE so the new tree is recorded for later frames.
 * NOTE(review): pinfo is marked _U_ in the signature but is used in the
 * dissect_smb_tid() call.
 */
2826 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2833 /* Maximum Buffer Size */
2834 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2838 offset=dissect_smb_tid(tvb, pinfo, tree, offset, tvb_get_letohs(tvb, offset), TRUE, FALSE);
/* Display text for the Open Function field: the create bit, and the names
 * of the open-action values 0, 1 and 2 (see dissect_open_function). */
2848 static const true_false_string tfs_of_create = {
2849 "Create file if it does not exist",
2850 "Fail if file does not exist"
2852 static const value_string of_open[] = {
2853 { 0, "Fail if file exists"},
2854 { 1, "Open file if it exists"},
2855 { 2, "Truncate file if it exists"},
/*
 * Dissect the 2-byte Open Function field: a little-endian 16-bit value at
 * `offset`, shown as "Open Function: 0x%04x" with the create boolean and
 * the open-action value below it.
 * NOTE(review): the return statement is not visible in this listing;
 * callers assign the result to their offset.
 */
2859 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2862 proto_item *item = NULL;
2863 proto_tree *tree = NULL;
2865 mask = tvb_get_letohs(tvb, offset);
2868 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2869 "Open Function: 0x%04x", mask);
2870 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2873 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2874 tvb, offset, 2, mask);
2875 proto_tree_add_uint(tree, hf_smb_open_function_open,
2876 tvb, offset, 2, mask);
/* Display text for the Move flags bits (see dissect_move_flags). */
2884 static const true_false_string tfs_mf_file = {
2885 "Target must be a file",
2886 "Target needn't be a file"
2888 static const true_false_string tfs_mf_dir = {
2889 "Target must be a directory",
2890 "Target needn't be a directory"
2892 static const true_false_string tfs_mf_verify = {
2893 "MUST verify all writes",
2894 "Don't have to verify writes"
/*
 * Dissect the 2-byte flags field of a Move request: a little-endian 16-bit
 * mask at `offset`, shown as "Flags: 0x%04x" with the verify, directory and
 * file booleans below it.
 * NOTE(review): the return statement is not visible in this listing;
 * dissect_move_request assigns the result to its offset.
 */
2897 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2900 proto_item *item = NULL;
2901 proto_tree *tree = NULL;
2903 mask = tvb_get_letohs(tvb, offset);
2906 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2907 "Flags: 0x%04x", mask);
2908 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2911 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2912 tvb, offset, 2, mask);
2913 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2914 tvb, offset, 2, mask);
2915 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2916 tvb, offset, 2, mask);
/*
 * Display text for the Copy flags bits (see dissect_copy_flags).
 * NOTE(review): the strings of tfs_cf_mode and tfs_cf_ea_action are on lines
 * missing from this listing.
 */
2923 static const true_false_string tfs_cf_mode = {
2927 static const true_false_string tfs_cf_tree_copy = {
2928 "Copy is a tree copy",
2929 "Copy is a file copy"
2931 static const true_false_string tfs_cf_ea_action = {
/*
 * Dissect the 2-byte flags field of a Copy request: a little-endian 16-bit
 * mask at `offset`, shown as "Flags: 0x%04x" with one boolean per copy flag
 * below it. It shares the ett_smb_move_copy_flags subtree with
 * dissect_move_flags.
 * NOTE(review): the return statement is not visible in this listing;
 * dissect_copy_request assigns the result to its offset.
 */
2936 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2939 proto_item *item = NULL;
2940 proto_tree *tree = NULL;
2942 mask = tvb_get_letohs(tvb, offset);
2945 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2946 "Flags: 0x%04x", mask);
2947 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2950 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2951 tvb, offset, 2, mask);
2952 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2953 tvb, offset, 2, mask);
2954 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2955 tvb, offset, 2, mask);
2956 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2957 tvb, offset, 2, mask);
2958 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2959 tvb, offset, 2, mask);
2960 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2961 tvb, offset, 2, mask);
2962 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2963 tvb, offset, 2, mask);
/*
 * Dissect a Move request: a TID (read from the packet and passed to
 * dissect_smb_tid() without creating or closing a tree), the Open Function
 * and Move flags words, then the old and new file names, each preceded by a
 * buffer-format byte.
 *
 * Both names are decoded with get_unicode_or_ascii_string() using
 * si->unicode and shown through format_text(), which escapes non-printable
 * bytes from the packet before they reach the tree label and Info column.
 *
 * NOTE(review): `fn` is passed to strlen(); the lines after each
 * get_unicode_or_ascii_string() call are missing from this listing -
 * confirm a NULL result is rejected first.
 */
2971 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2973 smb_info_t *si = pinfo->private_data;
2980 DISSECTOR_ASSERT(si);
2985 tid = tvb_get_letohs(tvb, offset);
2986 offset=dissect_smb_tid(tvb, pinfo, tree, offset, tid, FALSE, FALSE);
2989 offset = dissect_open_function(tvb, tree, offset);
2992 offset = dissect_move_flags(tvb, tree, offset);
2997 CHECK_BYTE_COUNT(1);
2998 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3002 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3006 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3007 fn_len, fn, "Old File Name: %s", format_text(fn, strlen(fn)));
3008 COUNT_BYTES(fn_len);
3010 if (check_col(pinfo->cinfo, COL_INFO)) {
3011 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3012 format_text(fn, strlen(fn)));
3016 CHECK_BYTE_COUNT(1);
3017 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3021 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3025 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3026 fn_len, fn, "New File Name: %s", format_text(fn, strlen(fn)));
3027 COUNT_BYTES(fn_len);
3029 if (check_col(pinfo->cinfo, COL_INFO)) {
3030 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3031 format_text(fn, strlen(fn)));
/*
 * Dissect a Copy request: a TID (read from the packet and passed to
 * dissect_smb_tid() without creating or closing a tree), the Open Function
 * and Copy flags words, then the source and destination file names, each
 * preceded by a buffer-format byte.
 *
 * Both names are decoded with get_unicode_or_ascii_string() using
 * si->unicode and shown through format_text(), which escapes non-printable
 * bytes from the packet before they reach the tree label and Info column.
 *
 * NOTE(review): `fn` is passed to strlen(); the lines after each
 * get_unicode_or_ascii_string() call are missing from this listing -
 * confirm a NULL result is rejected first.
 */
3040 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3042 smb_info_t *si = pinfo->private_data;
3049 DISSECTOR_ASSERT(si);
3054 tid = tvb_get_letohs(tvb, offset);
3055 offset=dissect_smb_tid(tvb, pinfo, tree, offset, tid, FALSE, FALSE);
3058 offset = dissect_open_function(tvb, tree, offset);
3061 offset = dissect_copy_flags(tvb, tree, offset);
3066 CHECK_BYTE_COUNT(1);
3067 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3071 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3075 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3076 fn_len, fn, "Source File Name: %s", format_text(fn, strlen(fn)));
3077 COUNT_BYTES(fn_len);
3079 if (check_col(pinfo->cinfo, COL_INFO)) {
3080 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s",
3081 format_text(fn, strlen(fn)));
3085 CHECK_BYTE_COUNT(1);
3086 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3090 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3094 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3095 fn_len, fn, "Destination File Name: %s",
3096 format_text(fn, strlen(fn)));
3097 COUNT_BYTES(fn_len);
3099 if (check_col(pinfo->cinfo, COL_INFO)) {
3100 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", format_text(fn, strlen(fn)));
/*
 * Dissect the response to a Move or Copy request: a 2-byte count of files
 * moved, then a buffer-format byte and a file name decoded according to
 * si->unicode.
 * NOTE(review): the line after get_unicode_or_ascii_string() is missing from
 * this listing; confirm a NULL `fn` is rejected before it is added.
 */
3109 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3111 smb_info_t *si = pinfo->private_data;
3117 DISSECTOR_ASSERT(si);
3121 /* # of files moved */
3122 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
3128 CHECK_BYTE_COUNT(1);
3129 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3133 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3137 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3139 COUNT_BYTES(fn_len);
/*
 * Dissect an Open File request: desired access, search attributes, then a
 * buffer-format byte and the file name decoded according to si->unicode.
 * The name is appended to the Info column through format_text(), which
 * escapes non-printable bytes from the packet.
 * NOTE(review): `fn` is passed to strlen(); the line after
 * get_unicode_or_ascii_string() is missing from this listing - confirm a
 * NULL result is rejected first.
 */
3147 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3149 smb_info_t *si = pinfo->private_data;
3155 DISSECTOR_ASSERT(si);
3159 /* desired access */
3160 offset = dissect_access(tvb, tree, offset, "Desired");
3162 /* Search Attributes */
3163 offset = dissect_search_attributes(tvb, tree, offset);
3168 CHECK_BYTE_COUNT(1);
3169 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3173 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3177 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3179 COUNT_BYTES(fn_len);
3181 if (check_col(pinfo->cinfo, COL_INFO)) {
3182 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3183 format_text(fn, strlen(fn)));
/*
 * Display an NT Create flags value that the caller has already read: adds
 * hf_smb_create_flags over `len` bytes at `offset` and the extended
 * response, directory, batch-oplock and oplock booleans below it.
 * `mask` and `len` are supplied by the caller; nothing is read from the tvb
 * on the visible lines.
 */
3194 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
3195 int len, guint32 mask)
3197 proto_item *item = NULL;
3198 proto_tree *tree = NULL;
3201 item = proto_tree_add_uint(parent_tree, hf_smb_create_flags, tvb, offset, len, mask);
3203 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
3207 * XXX - it's 0x00000016 in at least one capture, but
3208 * Network Monitor doesn't say what the 0x00000010 bit is.
3209 * Does the Win32 API documentation, or NT Native API book,
3212 * That is the extended response desired bit ... RJS, from Samba
3213 * Well, maybe. Samba thinks it is, and uses it to encode
3214 * OpLock granted as the high order bit of the Action field
3215 * in the response. However, Windows does not do that. Or at least
3218 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_ext_resp,
3219 tvb, offset, len, mask);
3220 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
3221 tvb, offset, len, mask);
3222 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
3223 tvb, offset, len, mask);
3224 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
3225 tvb, offset, len, mask);
/*
 * Display an NT access mask that the caller has already read: adds
 * hf_smb_access_mask over `len` bytes at `offset` and one boolean per access
 * right below it. These are the rights a client asks for on an object, so
 * this subtree is where an analyst sees requests for delete, write-DAC,
 * write-owner or system-security access.
 * NOTE(review): the return statement is not visible in this listing;
 * dissect_smb_access_mask assigns the result to its offset.
 */
3232 /* FIXME: need to call dissect_nt_access_mask() instead */
3234 dissect_smb_access_mask_bits(tvbuff_t *tvb, proto_tree *parent_tree,
3235 int offset, int len, guint32 mask)
3241 item = proto_tree_add_uint(parent_tree, hf_smb_access_mask, tvb, offset, len, mask);
3242 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
3245 * Some of these bits come from
3247 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
3249 * and others come from the section on ZwOpenFile in "Windows(R)
3250 * NT(R)/2000 Native API Reference".
3252 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
3253 tvb, offset, len, mask);
3254 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
3255 tvb, offset, len, mask);
3256 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
3257 tvb, offset, len, mask);
3258 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
3259 tvb, offset, len, mask);
3260 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
3261 tvb, offset, len, mask);
3262 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
3263 tvb, offset, len, mask);
3264 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
3265 tvb, offset, len, mask);
3266 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
3267 tvb, offset, len, mask);
3268 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
3269 tvb, offset, len, mask);
3270 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
3271 tvb, offset, len, mask);
3272 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
3273 tvb, offset, len, mask);
3274 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
3275 tvb, offset, len, mask);
3276 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
3277 tvb, offset, len, mask);
3278 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
3279 tvb, offset, len, mask);
3280 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
3281 tvb, offset, len, mask);
3282 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
3283 tvb, offset, len, mask);
3284 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
3285 tvb, offset, len, mask);
3286 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
3287 tvb, offset, len, mask);
3288 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
3289 tvb, offset, len, mask);
3290 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
3291 tvb, offset, len, mask);
/* Reads the 4-byte little-endian access mask at offset and hands it to
 * dissect_smb_access_mask_bits() with len 4. The read goes through the
 * bounds-checked tvbuff accessor, so a truncated packet raises a dissector
 * exception rather than reading past the captured data. */
3299 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3303 mask = tvb_get_letohl(tvb, offset);
3305 offset = dissect_smb_access_mask_bits(tvb, parent_tree, offset, 4, mask);
/* Share-access bits; dissect_nt_share_access_bits() tests the mask against
 * these to build the summary text on the parent item. */
3311 #define SHARE_ACCESS_DELETE 0x00000004
3312 #define SHARE_ACCESS_WRITE 0x00000002
3313 #define SHARE_ACCESS_READ 0x00000001
/* Adds an hf_smb_share_access item for the caller-supplied mask, one boolean
 * per share-access bit, and appends a fixed label to the parent item for each
 * bit that is set. The appended strings are literals; no packet data is used
 * as a format string. */
3316 dissect_nt_share_access_bits(tvbuff_t *tvb, proto_tree *parent_tree,
3317 int offset, int len, guint32 mask)
3323 item = proto_tree_add_uint(parent_tree, hf_smb_share_access, tvb, offset, len, mask);
3324 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
3326 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
3327 tvb, offset, len, mask);
3328 if(mask&SHARE_ACCESS_DELETE){
3329 proto_item_append_text(item, " SHARE_DELETE");
3332 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
3333 tvb, offset, len, mask);
3334 if(mask&SHARE_ACCESS_WRITE){
3335 proto_item_append_text(item, " SHARE_WRITE");
3338 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
3339 tvb, offset, len, mask);
3340 if(mask&SHARE_ACCESS_READ){
3341 proto_item_append_text(item, " SHARE_READ");
/* Reads the 4-byte little-endian share-access field at offset and passes it
 * to dissect_nt_share_access_bits() with len 4. */
3351 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3355 mask = tvb_get_letohl(tvb, offset);
3357 offset = dissect_nt_share_access_bits(tvb, parent_tree, offset, 4, mask);
/* Adds an hf_smb_create_options item for the caller-supplied mask and one
 * boolean per create-option bit in a subtree. The mask is passed in, so the
 * routine also serves generated items (dissect_smb_fid() calls it with
 * offset 0 and len 0). Display only.
 * NOTE(review): when reading captures, delete_on_close and backup_intent are
 * the options most likely to matter: the first removes the file when the
 * handle closes, the second asks for the open to be done under backup
 * privilege. */
3364 dissect_nt_create_options_bits(tvbuff_t *tvb, proto_tree *parent_tree,
3365 int offset, int len, guint32 mask)
3371 item = proto_tree_add_uint(parent_tree, hf_smb_create_options, tvb, offset, len, mask);
3372 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
3377 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
3379 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
3380 tvb, offset, len, mask);
3381 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
3382 tvb, offset, len, mask);
3383 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
3384 tvb, offset, len, mask);
3385 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_intermediate_buffering,
3386 tvb, offset, len, mask);
3387 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
3388 tvb, offset, len, mask);
3389 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
3390 tvb, offset, len, mask);
3391 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
3392 tvb, offset, len, mask);
3393 proto_tree_add_boolean(tree, hf_smb_nt_create_options_create_tree_connection,
3394 tvb, offset, len, mask);
3395 proto_tree_add_boolean(tree, hf_smb_nt_create_options_complete_if_oplocked,
3396 tvb, offset, len, mask);
3397 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
3398 tvb, offset, len, mask);
3399 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
3400 tvb, offset, len, mask);
3401 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
3402 tvb, offset, len, mask);
3403 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
3404 tvb, offset, len, mask);
3405 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_by_fileid,
3406 tvb, offset, len, mask);
3407 proto_tree_add_boolean(tree, hf_smb_nt_create_options_backup_intent,
3408 tvb, offset, len, mask);
3409 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_compression,
3410 tvb, offset, len, mask);
3411 proto_tree_add_boolean(tree, hf_smb_nt_create_options_reserve_opfilter,
3412 tvb, offset, len, mask);
3413 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_reparse_point,
3414 tvb, offset, len, mask);
3415 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_no_recall,
3416 tvb, offset, len, mask);
3417 proto_tree_add_boolean(tree, hf_smb_nt_create_options_open_for_free_space_query,
3418 tvb, offset, len, mask);
/* Reads the 4-byte little-endian create-options field at offset and passes
 * it to dissect_nt_create_options_bits() with len 4. */
3426 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3430 mask = tvb_get_letohl(tvb, offset);
3432 offset = dissect_nt_create_options_bits(tvb, parent_tree, offset, 4, mask);
3438 /* fids are scoped by tcp session */
/* Adds the FID item plus a subtree of generated items: the frames in which
 * the FID was opened and closed and, when saved create-request data is
 * attached, the file name and the create parameters. Per-FID state is kept
 * in si->ct->fid_tree, keyed by the 16-bit FID taken from the packet; state
 * is only written on the first pass over a frame (flags.visited clear).
 * NOTE(review): si->ct is used below without a NULL check visible in this
 * listing; confirm the caller guarantees it. */
3440 dissect_smb_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
3441 int len, guint16 fid, gboolean is_created, gboolean is_closed, gboolean is_generated)
3443 smb_info_t *si = pinfo->private_data;
/* NOTE(review): si is dereferenced in this initializer, before the
 * DISSECTOR_ASSERT(si) below has run, so the assert cannot protect this
 * line against a NULL private_data. */
3444 smb_saved_info_t *sip = si->sip;
3447 smb_fid_info_t *fid_info=NULL;
3449 DISSECTOR_ASSERT(si);
3451 it=proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
3453 PROTO_ITEM_SET_GENERATED(it);
3455 tr=proto_item_add_subtree(it, ett_smb_fid);
3456 if (check_col(pinfo->cinfo, COL_INFO))
3457 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
/* First pass over a creating frame: allocate the record and remember the
 * frame number that opened this FID. */
3459 if((!pinfo->fd->flags.visited) && is_created){
3460 fid_info=se_alloc(sizeof(smb_fid_info_t));
3461 fid_info->opened_in=pinfo->fd->num;
3462 fid_info->closed_in=0;
3463 fid_info->type=SMB_FID_TYPE_UNKNOWN;
3464 if(si->sip && (si->sip->extra_info_type==SMB_EI_FILEDATA)){
3465 fid_info->fsi=si->sip->extra_info;
/* NOTE(review): fsi is read further down, so it has to be assigned on the
 * other branch as well; that branch is not visible in this listing. */
3470 se_tree_insert32(si->ct->fid_tree, fid, fid_info);
/* NOTE(review): the lookup can miss (for example a capture that starts in
 * the middle of a session). Every fid_info-> access below depends on a NULL
 * check after this line; that check is not visible in this listing. */
3474 fid_info=se_tree_lookup32(si->ct->fid_tree, fid);
3480 /* Store the fid in the transaction structure and remember if
3481 it was in the request or in the reply we saw it
3483 if(sip && (!is_generated) && (!pinfo->fd->flags.visited)) {
3486 sip->fid_seen_in_request=TRUE;
3488 sip->fid_seen_in_request=FALSE;
3492 if((!pinfo->fd->flags.visited) && is_closed){
3493 fid_info->closed_in=pinfo->fd->num;
3496 if(fid_info->opened_in){
3497 it=proto_tree_add_uint(tr, hf_smb_opened_in, tvb, 0, 0, fid_info->opened_in);
3498 PROTO_ITEM_SET_GENERATED(it);
3501 if(fid_info->closed_in){
3502 it=proto_tree_add_uint(tr, hf_smb_closed_in, tvb, 0, 0, fid_info->closed_in);
3503 PROTO_ITEM_SET_GENERATED(it);
3507 if(fid_info->opened_in){
3508 if(fid_info->fsi && fid_info->fsi->filename){
3509 it=proto_tree_add_string(tr, hf_smb_file_name, tvb, 0, 0, fid_info->fsi->filename);
3510 PROTO_ITEM_SET_GENERATED(it);
3511 proto_item_append_text(tr, " (%s)", fid_info->fsi->filename);
3512 dissect_nt_create_bits(tvb, tr, 0, 0, fid_info->fsi->create_flags);
3513 dissect_smb_access_mask_bits(tvb, tr, 0, 0, fid_info->fsi->access_mask);
3514 dissect_file_ext_attr_bits(tvb, tr, 0, 0, fid_info->fsi->file_attributes);
3515 dissect_nt_share_access_bits(tvb, tr, 0, 0, fid_info->fsi->share_access);
3516 dissect_nt_create_options_bits(tvb, tr, 0, 0, fid_info->fsi->create_options);
3517 it=proto_tree_add_uint(tr, hf_smb_nt_create_disposition, tvb, 0, 0, fid_info->fsi->create_disposition);
3518 PROTO_ITEM_SET_GENERATED(it);
/* Dissects an open-file response: the FID (registered as newly created, so
 * dissect_smb_fid() records the opening frame), file attributes, last write
 * time, file size and granted access.
 * NOTE(review): pinfo carries _U_ but is passed to dissect_smb_fid(). */
3526 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3535 fid = tvb_get_letohs(tvb, offset);
3536 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
3539 /* File Attributes */
3540 offset = dissect_file_attributes(tvb, tree, offset, 2);
3542 /* last write time */
3543 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3546 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3549 /* granted access */
3550 offset = dissect_access(tvb, tree, offset, "Granted");
/* Reads the 16-bit little-endian FID and passes it to dissect_smb_fid() as a
 * plain reference (is_created, is_closed and is_generated all FALSE). */
3560 dissect_query_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3569 fid = tvb_get_letohs(tvb, offset);
3570 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/* Reads the 16-bit little-endian FID and passes it to dissect_smb_fid() with
 * is_closed TRUE, so the closing frame is recorded for that FID. */
3581 dissect_close_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3590 fid = tvb_get_letohs(tvb, offset);
3591 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, TRUE, FALSE);
/* Reads the 16-bit little-endian FID returned for the print file and passes
 * it to dissect_smb_fid().
 * NOTE(review): is_created is FALSE here, while the other open/create
 * responses in this file pass TRUE; with FALSE no opening frame is recorded
 * for this FID. Confirm that is intended. */
3602 dissect_open_print_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3611 fid = tvb_get_letohs(tvb, offset);
3612 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/* Reads the 16-bit little-endian FID of the new file and passes it to
 * dissect_smb_fid() with is_created TRUE, so the opening frame is recorded. */
3623 dissect_create_new_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3632 fid = tvb_get_letohs(tvb, offset);
3633 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
/* Reads the 16-bit little-endian FID and passes it to dissect_smb_fid() as a
 * plain reference (is_created, is_closed and is_generated all FALSE). */
3644 dissect_flush_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3653 fid = tvb_get_letohs(tvb, offset);
3654 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/* Reads the 16-bit little-endian FID of the created file and passes it to
 * dissect_smb_fid() with is_created TRUE, so the opening frame is recorded. */
3665 dissect_create_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3674 fid = tvb_get_letohs(tvb, offset);
3675 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
/* Dissects a create-file request: file attributes, creation time, the buffer
 * format byte and the file name, and appends the path to the Info column.
 * CHECK_BYTE_COUNT and COUNT_BYTES are macros defined elsewhere in the file;
 * presumably they track the remaining byte count (bc). */
3686 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3688 smb_info_t *si = pinfo->private_data;
3694 DISSECTOR_ASSERT(si);
3698 /* file attributes */
3699 offset = dissect_file_attributes(tvb, tree, offset, 2);
3702 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3707 CHECK_BYTE_COUNT(1);
3708 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* fn is taken from the packet. NOTE(review): strlen(fn) below needs fn to be
 * non-NULL; the lines between this call and the uses of fn are not visible
 * in this listing, so confirm a NULL check is present. */
3712 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3716 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3718 COUNT_BYTES(fn_len);
3720 if (check_col(pinfo->cinfo, COL_INFO)) {
/* The name is passed as a "%s" argument, never as the format string, and is
 * run through format_text() before it reaches the column. */
3721 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3722 format_text(fn, strlen(fn)));
/* Dissects a close-file request: the FID (passed to dissect_smb_fid() with
 * is_closed TRUE, so the closing frame is recorded) and the last write time. */
3731 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3739 fid = tvb_get_letohs(tvb, offset);
3740 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, TRUE, FALSE);
3743 /* last write time */
3744 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/* Dissects a delete-file request: search attributes, the buffer format byte
 * and the file name. On the first pass the name is also copied into the saved
 * transaction info (SMB_EI_FILENAME) so the reply can show it. */
3754 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3756 smb_info_t *si = pinfo->private_data;
3762 DISSECTOR_ASSERT(si);
3766 /* search attributes */
3767 offset = dissect_search_attributes(tvb, tree, offset);
3772 CHECK_BYTE_COUNT(1);
3773 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3777 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
/* NOTE(review): fn comes from the packet and reaches se_strdup() here before
 * any NULL check visible in this listing; confirm se_strdup() tolerates NULL
 * or that the check precedes this block. */
3780 if((!pinfo->fd->flags.visited) && si->sip){
3781 si->sip->extra_info_type=SMB_EI_FILENAME;
3782 si->sip->extra_info=se_strdup(fn);
3787 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3789 COUNT_BYTES(fn_len);
3791 if (check_col(pinfo->cinfo, COL_INFO)) {
/* The name is passed as a "%s" argument, never as the format string, and is
 * run through format_text() before it reaches the column. */
3792 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3793 format_text(fn, strlen(fn)));
/* Dissects a rename request: search attributes, then the old and the new
 * file name, each preceded by a buffer format byte. On the first pass both
 * names are copied into a smb_rename_saved_info_t attached to the saved
 * transaction info (SMB_EI_RENAMEDATA). */
3802 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3804 smb_info_t *si = pinfo->private_data;
3806 const char *fn, *old_name=NULL, *new_name=NULL;
3809 smb_rename_saved_info_t *rni=NULL;
3811 DISSECTOR_ASSERT(si);
3815 /* search attributes */
3816 offset = dissect_search_attributes(tvb, tree, offset);
3821 CHECK_BYTE_COUNT(1);
3822 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* fn is taken from the packet. NOTE(review): strlen(fn) below needs fn to be
 * non-NULL; confirm the NULL check, which is not visible in this listing. */
3826 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3831 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3833 COUNT_BYTES(fn_len);
3835 if (check_col(pinfo->cinfo, COL_INFO)) {
3836 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3837 format_text(fn, strlen(fn)));
3841 CHECK_BYTE_COUNT(1);
3842 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3846 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3851 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3853 COUNT_BYTES(fn_len);
3855 if (check_col(pinfo->cinfo, COL_INFO)) {
3856 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3857 format_text(fn, strlen(fn)));
3862 /* save the offset/len for this transaction */
3863 if(si->sip && !pinfo->fd->flags.visited){
3864 rni=se_alloc(sizeof(smb_rename_saved_info_t));
/* NOTE(review): old_name and new_name start out NULL; the assignments from fn
 * are not visible in this listing. Confirm both are set on every path that
 * reaches these copies. */
3865 rni->old_name=se_strdup(old_name);
3866 rni->new_name=se_strdup(new_name);
3868 si->sip->extra_info_type=SMB_EI_RENAMEDATA;
3869 si->sip->extra_info=rni;
/* Dissects an NT rename request: search attributes, rename level, cluster
 * count, then the old and the new file name, each preceded by a buffer
 * format byte. Both names are appended to the Info column. */
3876 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3878 smb_info_t *si = pinfo->private_data;
3884 DISSECTOR_ASSERT(si);
3888 /* search attributes */
3889 offset = dissect_search_attributes(tvb, tree, offset);
3891 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3894 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3900 CHECK_BYTE_COUNT(1);
3901 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* fn is taken from the packet. NOTE(review): strlen(fn) below needs fn to be
 * non-NULL; confirm the NULL check, which is not visible in this listing. */
3905 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3909 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3911 COUNT_BYTES(fn_len);
3913 if (check_col(pinfo->cinfo, COL_INFO)) {
3914 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3915 format_text(fn, strlen(fn)));
3919 CHECK_BYTE_COUNT(1);
3920 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3924 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3928 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3930 COUNT_BYTES(fn_len);
3932 if (check_col(pinfo->cinfo, COL_INFO)) {
3933 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3934 format_text(fn, strlen(fn)));
/* Dissects a query-information request: the buffer format byte and the file
 * name, and appends the path to the Info column. */
3944 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3946 smb_info_t *si = pinfo->private_data;
3952 DISSECTOR_ASSERT(si);
3959 CHECK_BYTE_COUNT(1);
3960 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* fn is taken from the packet. NOTE(review): strlen(fn) below needs fn to be
 * non-NULL; confirm the NULL check, which is not visible in this listing. */
3964 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3968 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3970 COUNT_BYTES(fn_len);
3972 if (check_col(pinfo->cinfo, COL_INFO)) {
3973 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3974 format_text(fn, strlen(fn)));
/* Dissects a query-information response: file attributes, last write time,
 * a 4-byte file size and 10 reserved bytes. */
3983 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3990 /* File Attributes */
3991 offset = dissect_file_attributes(tvb, tree, offset, 2);
3993 /* Last Write Time */
3994 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3997 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4000 /* 10 reserved bytes */
4001 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
/* Dissects a set-information request: file attributes, last write time, 10
 * reserved bytes, the buffer format byte and the file name, and appends the
 * path to the Info column. */
4012 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4014 smb_info_t *si = pinfo->private_data;
4020 DISSECTOR_ASSERT(si);
4024 /* file attributes */
4025 offset = dissect_file_attributes(tvb, tree, offset, 2);
4027 /* last write time */
4028 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
4030 /* 10 reserved bytes */
4031 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
4037 CHECK_BYTE_COUNT(1);
4038 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* fn is taken from the packet. NOTE(review): strlen(fn) below needs fn to be
 * non-NULL; confirm the NULL check, which is not visible in this listing. */
4042 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4046 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4048 COUNT_BYTES(fn_len);
4050 if (check_col(pinfo->cinfo, COL_INFO)) {
4051 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4052 format_text(fn, strlen(fn)));
/* Dissects a read request: FID, 16-bit byte count, 32-bit file offset and the
 * "remaining" field; count and offset are also written to the Info column.
 * NOTE(review): fid is cast to guint16 at the call; its declaration is not
 * visible in this listing. */
4061 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4071 fid = tvb_get_letohs(tvb, offset);
4072 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (guint16) fid, FALSE, FALSE, FALSE);
4076 cnt = tvb_get_letohs(tvb, offset);
4077 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4081 ofs = tvb_get_letohl(tvb, offset);
4082 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4085 if (check_col(pinfo->cinfo, COL_INFO))
4086 col_append_fstr(pinfo->cinfo, COL_INFO,
4087 ", %u byte%s at offset %u", cnt,
4088 (cnt == 1) ? "" : "s", ofs);
4091 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/* Adds the payload of a read or write as hf_smb_file_data, preceded by a
 * padding item of bc-datalen bytes. bc and datalen are 16-bit lengths that
 * the callers take from the packet, so neither can be trusted to match the
 * bytes actually captured. */
4102 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
/* NOTE(review): bc-datalen is only a valid length when bc > datalen; the
 * condition guarding the padding item is not visible in this listing. */
4107 /* We have some initial padding bytes. */
4108 /* XXX - use the data offset here instead? */
4109 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
4111 offset += bc-datalen;
/* tvblen is what the capture holds from offset onwards. The first call below
 * reports a short capture and shows only tvblen bytes; the second shows all
 * bc bytes. Presumably the choice is made by comparing bc with tvblen. */
4114 tvblen = tvb_length_remaining(tvb, offset);
4116 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
4119 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
/* Same layout as dissect_file_data(), but the payload is wrapped in a new
 * tvbuff and handed to dissect_pipe_dcerpc() together with the FID. */
4126 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
4127 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
4130 tvbuff_t *dcerpc_tvb;
/* NOTE(review): bc-datalen is only a valid length when bc > datalen; the
 * condition guarding the padding item is not visible in this listing. */
4133 /* We have some initial padding bytes. */
4134 /* XXX - use the data offset here instead? */
4135 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
4137 offset += bc-datalen;
/* The subset is created with the captured length (tvblen) and the length
 * claimed by the packet (bc) as its reported length, so the sub-dissector
 * can tell a short capture from a complete payload. */
4140 tvblen = tvb_length_remaining(tvb, offset);
4141 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
4142 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
4151 * transporting DCERPC over SMB seems to be implemented in various
4152 * ways. We might just assume it can be done by an almost random
4153 * mix of Trans/Read/Write calls
4155 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
4156 * and let him sort them out
/* Chooses how to show read/write payload: when the saved transaction info
 * marks the tree id as IPC and the file offset is 0 the data goes to
 * dissect_file_data_dcerpc(), otherwise it is shown as ordinary file data.
 * The choice rests on those two values alone; the payload itself is not
 * inspected here. */
4159 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
4160 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
4161 guint16 datalen, guint32 ofs, guint16 fid)
4163 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4165 DISSECTOR_ASSERT(si);
4167 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
4169 return dissect_file_data_dcerpc(tvb, pinfo, tree,
4170 top_tree, offset, bc, datalen, fid);
4172 /* ordinary file data */
4173 return dissect_file_data(tvb, tree, offset, bc, datalen);
/* Dissects a read response: count, 8 reserved bytes, buffer format byte, data
 * length and the file data, which may be DCERPC on a pipe.
 * NOTE(review): the call at the end passes bc as both bc and datalen and a
 * literal 0 as the file offset, so neither the count nor the data length
 * field read above bounds the payload, and every read response on an IPC
 * tree id takes the DCERPC path. Where fid and top_tree come from is not
 * visible in this listing. */
4178 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4182 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4185 DISSECTOR_ASSERT(si);
4190 cnt = tvb_get_letohs(tvb, offset);
4191 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4194 /* 8 reserved bytes */
4195 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
4200 CHECK_BYTE_COUNT(1);
4201 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4205 CHECK_BYTE_COUNT(2);
4206 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4209 /* file data, might be DCERPC on a pipe */
4211 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
4212 top_tree, offset, bc, bc, 0, (guint16) fid);
/* Dissects a lock-and-read response: count, 8 reserved bytes, buffer format
 * byte and data length. No file-data item is added in the lines visible in
 * this listing. */
4222 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4230 cnt = tvb_get_letohs(tvb, offset);
4231 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4234 /* 8 reserved bytes */
4235 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
4241 CHECK_BYTE_COUNT(1);
4242 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4246 CHECK_BYTE_COUNT(2);
4247 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4255 typedef struct _rw_info_t {
/* Dissects a write request: FID, count, file offset, "remaining", buffer
 * format byte, data length and the file data, which may be DCERPC on a pipe.
 * On the first pass a rw_info_t is attached to the saved transaction info
 * (SMB_EI_RWINFO) so that generated offset/length items can be shown for the
 * request and, later, for the reply. */
4263 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4266 guint16 cnt=0, bc, fid=0;
4268 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4269 rw_info_t *rwi=NULL;
4271 DISSECTOR_ASSERT(si);
4276 fid = tvb_get_letohs(tvb, offset);
4277 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4281 cnt = tvb_get_letohs(tvb, offset);
4282 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4286 ofs = tvb_get_letohl(tvb, offset);
4287 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4290 if (check_col(pinfo->cinfo, COL_INFO))
4291 col_append_fstr(pinfo->cinfo, COL_INFO,
4292 ", %u byte%s at offset %u", cnt,
4293 (cnt == 1) ? "" : "s", ofs);
4295 /* save the offset/len for this transaction */
4296 if(si->sip && !pinfo->fd->flags.visited){
4297 rwi=se_alloc(sizeof(rw_info_t));
/* NOTE(review): the stores into the new rw_info_t are not visible in this
 * listing; confirm offset and len are both set before the record is
 * published through extra_info. */
4302 si->sip->extra_info_type=SMB_EI_RWINFO;
4303 si->sip->extra_info=rwi;
4305 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
4306 rwi=si->sip->extra_info;
/* NOTE(review): rwi stays NULL when no saved info of type SMB_EI_RWINFO
 * exists; the guard around the two generated items below is not visible in
 * this listing. */
4311 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
4313 PROTO_ITEM_SET_GENERATED(it);
4314 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
4315 PROTO_ITEM_SET_GENERATED(it);
4319 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4325 CHECK_BYTE_COUNT(1);
4326 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4330 CHECK_BYTE_COUNT(2);
4331 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4334 /* file data, might be DCERPC on a pipe */
4336 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
4337 top_tree, offset, bc, bc, ofs, fid);
/* Dissects a write response: the count of bytes written, echoed to the Info
 * column, plus generated offset/length items taken from the rw_info_t that
 * the request saved (SMB_EI_RWINFO). */
4347 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4351 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4352 rw_info_t *rwi=NULL;
4354 DISSECTOR_ASSERT(si);
4359 cnt = tvb_get_letohs(tvb, offset);
4360 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4363 if (check_col(pinfo->cinfo, COL_INFO))
4364 col_append_fstr(pinfo->cinfo, COL_INFO,
4365 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
4367 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
4368 rwi=si->sip->extra_info;
/* NOTE(review): rwi stays NULL when the matching request was not seen; the
 * guard around the two generated items below is not visible in this
 * listing. */
4373 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
4375 PROTO_ITEM_SET_GENERATED(it);
4376 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
4377 PROTO_ITEM_SET_GENERATED(it);
/* Dissects a lock request: FID, then a 4-byte count and a 4-byte offset. */
4388 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4396 fid = tvb_get_letohs(tvb, offset);
4397 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4401 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
4405 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Dissects a create-temporary request: 2 reserved bytes, creation time, the
 * buffer format byte and the directory name, and appends the path to the
 * Info column. */
4416 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4418 smb_info_t *si = pinfo->private_data;
4424 DISSECTOR_ASSERT(si);
4428 /* 2 reserved bytes */
4429 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4433 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
4438 CHECK_BYTE_COUNT(1);
4439 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4442 /* directory name */
/* fn is taken from the packet. NOTE(review): strlen(fn) below needs fn to be
 * non-NULL; confirm the NULL check, which is not visible in this listing. */
4443 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4447 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
4449 COUNT_BYTES(fn_len);
4451 if (check_col(pinfo->cinfo, COL_INFO)) {
4452 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4453 format_text(fn, strlen(fn)));
/* Dissects a create-temporary response: the FID (registered as newly
 * created), the buffer format byte and the name of the file the server
 * created. */
4462 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4464 smb_info_t *si = pinfo->private_data;
4470 DISSECTOR_ASSERT(si);
4475 fid = tvb_get_letohs(tvb, offset);
4476 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
4482 CHECK_BYTE_COUNT(1);
4483 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* NOTE(review): fn is taken from the packet; confirm it is checked for NULL
 * before it is added to the tree (the check is not visible in this
 * listing). */
4487 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4491 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4493 COUNT_BYTES(fn_len);
/* Display names for the seek mode values 0 to 2; presumably attached to
 * hf_smb_seek_mode, which dissect_seek_file_request() adds as a 2-byte
 * field. */
4500 static const value_string seek_mode_vals[] = {
4501 {0, "From Start Of File"},
4502 {1, "From Current Position"},
4503 {2, "From End Of File"},
/* Dissects a seek request: FID, 2-byte seek mode and 4-byte offset. */
4508 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4516 fid = tvb_get_letohs(tvb, offset);
4517 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4521 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
4525 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Dissects a seek response: a single 4-byte offset field. */
4536 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4544 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
/* Dissects a set-information2 request: FID followed by three DOS date/time
 * pairs (create, access, last write), each decoded by
 * dissect_smb_datetime(). */
4555 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4563 fid = tvb_get_letohs(tvb, offset);
4564 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4568 offset = dissect_smb_datetime(tvb, tree, offset,
4570 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
4573 offset = dissect_smb_datetime(tvb, tree, offset,
4575 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
4577 /* last write time */
4578 offset = dissect_smb_datetime(tvb, tree, offset,
4579 hf_smb_last_write_time,
4580 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
/* Dissects a query-information2 response: three DOS date/time pairs (create,
 * access, last write), a 4-byte data size, a 4-byte allocation size and the
 * file attributes. */
4590 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4598 offset = dissect_smb_datetime(tvb, tree, offset,
4600 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
4603 offset = dissect_smb_datetime(tvb, tree, offset,
4605 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
4607 /* last write time */
4608 offset = dissect_smb_datetime(tvb, tree, offset,
4609 hf_smb_last_write_time,
4610 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
4613 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
4616 /* allocation size */
4617 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
4620 /* File Attributes */
4621 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* Dissects a write-and-close request: FID (marked as closed in this frame),
 * count, offset, last write time, 12 reserved bytes, one padding byte and
 * the file data.
 * NOTE(review): the payload length handed to dissect_file_data() is cnt, the
 * count field from the packet, for both bc and datalen; the only bound on it
 * visible here is the tvb_length_remaining() handling inside
 * dissect_file_data(). */
4631 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4640 fid = tvb_get_letohs(tvb, offset);
4641 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, TRUE, FALSE);
4645 cnt = tvb_get_letohs(tvb, offset);
4646 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4650 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4653 /* last write time */
4654 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
4657 /* 12 reserved bytes */
4658 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
4665 CHECK_BYTE_COUNT(1);
4666 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
4669 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
/* Dissects a write-and-close response: a single 2-byte count field. */
4678 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4686 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4696 /* Timeout is defined on page 117 of SMB Protocol Extensions version 2.0
4697 available at http://us1.samba.org/samba/ftp/SMB-info/DOSEXTP.TXT
/* Formats an SMB timeout for display. The special values 0, -1 and -2 and the
 * remaining reserved values get a fixed description written into an
 * ep_alloc()ed buffer; other values are formatted by time_msecs_to_str().
 * Every write into buf goes through g_snprintf() with the buffer size
 * (MAXLEN+1), and the longest message plus a 32-bit decimal fits within it.
 * NOTE(review): the parameter name shadows the C library's time(). */
4700 smbext20_timeout_msecs_to_str(gint32 time)
4703 #define SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN 60
4706 buf=ep_alloc(SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1);
4708 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Return immediately (0)");
4709 } else if (time == -1) {
4710 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Wait indefinitely (-1)");
4711 } else if (time == -2) {
4712 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Use default timeout (-2)");
4714 g_snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Unknown reserved value (%d)", time);
4719 return time_msecs_to_str(time);
/* Dissects a read-raw request: FID, offset, max and min count, timeout, 2
 * reserved bytes and the high 32 bits of the offset.
 * NOTE(review): to is read with tvb_get_letohl() and passed to a gint32
 * parameter, so the special values -1 and -2 depend on that conversion; the
 * declaration of to is not visible in this listing. */
4723 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4732 fid = tvb_get_letohs(tvb, offset);
4733 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4737 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4741 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4745 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4749 to = tvb_get_letohl(tvb, offset);
4750 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
4753 /* 2 reserved bytes */
4754 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4759 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/* Dissects a query-information-disk response: four 2-byte fields (units,
 * blocks per unit, block size, free units) followed by 2 reserved bytes. */
4771 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4779 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
4783 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
4787 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
4791 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
4794 /* 2 reserved bytes */
4795 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* Dissects a read-mpx request: FID, offset, max and min count and 6 reserved
 * bytes. */
4806 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4814 fid = tvb_get_letohs(tvb, offset);
4815 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4819 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4823 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4827 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4830 /* 6 reserved bytes */
4831 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
/* Dissects a read-mpx response: offset, count, reserved bytes, data
 * compaction mode, data length, data offset and the file data.
 * datalen is read from the packet and handed to dissect_file_data() together
 * with bc; the difference bc-datalen is shown there as padding. */
4842 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4844 guint16 datalen=0, bc;
4850 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4854 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4857 /* 2 reserved bytes */
4858 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4861 /* data compaction mode */
4862 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4865 /* 2 reserved bytes */
4866 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4870 datalen = tvb_get_letohs(tvb, offset);
4871 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4875 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4881 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/* Set/clear display strings for the write-mode flag bits; presumably attached
 * to the hf_smb_write_mode_* fields that dissect_write_mode() adds. */
4890 static const true_false_string tfs_write_mode_write_through = {
4891 "WRITE THROUGH requested",
4892 "Write through not requested"
4894 static const true_false_string tfs_write_mode_return_remaining = {
4895 "RETURN REMAINING (pipe/dev) requested",
4896 "DON'T return remaining (pipe/dev)"
4898 static const true_false_string tfs_write_mode_raw = {
4899 "Use WriteRawNamedPipe (pipe)",
4900 "DON'T use WriteRawNamedPipe (pipe)"
4902 static const true_false_string tfs_write_mode_message_start = {
4903 "This is the START of a MESSAGE (pipe)",
4904 "This is NOT the start of a message (pipe)"
4906 static const true_false_string tfs_write_mode_connectionless = {
4907 "CONNECTIONLESS mode requested",
4908 "Connectionless mode NOT requested"
/* Write-mode flag bits; dissect_write_mode() tests its bm argument against
 * these to decide which flags to display. */
4911 #define WRITE_MODE_CONNECTIONLESS 0x0080
4912 #define WRITE_MODE_MESSAGE_START 0x0008
4913 #define WRITE_MODE_RAW 0x0004
4914 #define WRITE_MODE_RETURN_REMAINING 0x0002
4915 #define WRITE_MODE_WRITE_THROUGH 0x0001
/*
 * Adds a "Write Mode" subtree for the 16-bit little-endian flags word at
 * offset.
 *
 * bm is a caller-supplied selection mask: a flag is added to the subtree
 * only when its WRITE_MODE_* bit is set in bm. The value decoded for each
 * displayed flag comes from mask, i.e. from the packet, not from bm.
 *
 * Callers assign the result back to offset; the return statement and the
 * local declarations are in lines this listing omits.
 */
4918 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4924 mask = tvb_get_letohs(tvb, offset);
4927 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4928 "Write Mode: 0x%04x", mask);
4929 tree = proto_item_add_subtree(item, ett_smb_rawmode);
/* Flag bits not selected by bm are left out of the subtree; the raw value stays visible in the header text above. */
4931 if(bm&WRITE_MODE_CONNECTIONLESS){
4932 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4933 tvb, offset, 2, mask);
4935 if(bm&WRITE_MODE_MESSAGE_START){
4936 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4937 tvb, offset, 2, mask);
4939 if(bm&WRITE_MODE_RAW){
4940 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4941 tvb, offset, 2, mask);
4943 if(bm&WRITE_MODE_RETURN_REMAINING){
4944 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4945 tvb, offset, 2, mask);
4947 if(bm&WRITE_MODE_WRITE_THROUGH){
4948 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4949 tvb, offset, 2, mask);
/*
 * Dissects a Write Raw request: FID, total data length, file offset,
 * timeout, write mode, data length and data offset, followed by the file
 * data.
 *
 * NOTE(review): pinfo carries the _U_ (unused) marker but is passed to
 * dissect_smb_fid() below, so the marker is misleading. Offset increments
 * and the code that sets bc are in lines this listing omits.
 */
4958 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4961 guint16 datalen=0, bc, fid;
4967 fid = tvb_get_letohs(tvb, offset);
4968 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
4971 /* total data length */
4972 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4975 /* 2 reserved bytes */
4976 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4980 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4984 to = tvb_get_letohl(tvb, offset);
4985 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
/* 0x0003 selects WRITE_MODE_RETURN_REMAINING | WRITE_MODE_WRITE_THROUGH for display. */
4989 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4991 /* 4 reserved bytes */
4992 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
/* datalen is an untrusted 16-bit little-endian length taken from the packet. */
4996 datalen = tvb_get_letohs(tvb, offset);
4997 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* The data offset is displayed only; the data is dissected at the running offset instead (see the XXX below). */
5001 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
5007 /* XXX - use the data offset to determine where the data starts? */
5008 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Dissects a Write Raw response. The only field added in the visible
 * lines is the 2-byte little-endian hf_smb_remaining value at offset.
 */
5017 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5025 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Dissects a Write MPX request: FID, total data length, file offset,
 * timeout, write mode, request mask, data length and data offset,
 * followed by the file data.
 *
 * NOTE(review): pinfo carries the _U_ (unused) marker but is passed to
 * dissect_smb_fid() below. Offset increments and the code that sets bc
 * are in lines this listing omits.
 */
5036 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5039 guint16 datalen=0, bc, fid;
5045 fid = tvb_get_letohs(tvb, offset);
5046 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
5049 /* total data length */
5050 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
5053 /* 2 reserved bytes */
5054 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5058 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5062 to = tvb_get_letohl(tvb, offset);
5063 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
/* 0x0083 selects WRITE_MODE_CONNECTIONLESS | WRITE_MODE_RETURN_REMAINING | WRITE_MODE_WRITE_THROUGH for display. */
5067 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
5070 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
/* datalen is an untrusted 16-bit little-endian length taken from the packet. */
5074 datalen = tvb_get_letohs(tvb, offset);
5075 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
/* The data offset is displayed only; the data is dissected at the running offset instead (see the XXX below). */
5079 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
5085 /* XXX - use the data offset to determine where the data starts? */
5086 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Dissects a Write MPX response. The only field added in the visible
 * lines is the 4-byte little-endian hf_smb_response_mask value at offset.
 */
5095 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5103 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
/*
 * Dissects a message whose visible content is a single 2-byte
 * little-endian search ID (hf_smb_search_id) at offset.
 */
5114 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5122 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/*
 * Dissects a 21-byte search resume key into its own subtree.
 *
 * Layout as read by the visible lines: 1 reserved byte, an 11-byte file
 * name, then either (1-byte find id + 4-byte server cookie) or a 5-byte
 * server cookie, then a 4-byte client cookie: 1 + 11 + 5 + 4 = 21, which
 * matches the length given to the subtree item. The condition choosing
 * between the two server-cookie layouts is in lines this listing omits;
 * presumably it is has_find_id.
 *
 * bcp and trunc are presumably the remaining byte count and the
 * truncation flag used by the *_SUBR macros; their definitions are not
 * visible here.
 */
5133 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
5134 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
5135 gboolean has_find_id)
5137 proto_item *item = NULL;
5138 proto_tree *tree = NULL;
5139 smb_info_t *si = pinfo->private_data;
5144 DISSECTOR_ASSERT(si);
5147 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
5149 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
/* Every field below is preceded by a byte-count check before it is read from the packet. */
5153 CHECK_BYTE_COUNT_SUBR(1);
5154 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5155 COUNT_BYTES_SUBR(1);
5159 fn = get_unicode_or_ascii_string(tvb, &offset, FALSE/*never Unicode*/, &fn_len,
5161 CHECK_STRING_SUBR(fn);
/*
 * The copy is bounded to 11 characters plus the terminating NUL.
 * NOTE(review): fname's declaration is not in the visible lines; confirm
 * the buffer is at least 11+1 bytes.
 */
5162 /* ensure that it's null-terminated */
5163 g_strlcpy(fname, fn, 11+1);
5164 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
5166 COUNT_BYTES_SUBR(fn_len);
5169 CHECK_BYTE_COUNT_SUBR(1);
5170 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
5171 COUNT_BYTES_SUBR(1);
5174 CHECK_BYTE_COUNT_SUBR(4);
5175 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
5176 COUNT_BYTES_SUBR(4);
5179 CHECK_BYTE_COUNT_SUBR(5);
5180 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
5181 COUNT_BYTES_SUBR(5);
5185 CHECK_BYTE_COUNT_SUBR(4);
5186 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
5187 COUNT_BYTES_SUBR(4);
/*
 * Dissects one "Directory Information" entry into its own subtree: the
 * resume key (via dissect_search_resume_key()), file attributes, last
 * write time, file size and file name.
 *
 * bcp and trunc are forwarded to dissect_search_resume_key() and are
 * presumably the remaining byte count and truncation flag used by the
 * *_SUBR macros; their definitions are not visible here.
 */
5194 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
5195 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
5196 gboolean has_find_id)
5198 proto_item *item = NULL;
5199 proto_tree *tree = NULL;
5200 smb_info_t *si = pinfo->private_data;
5205 DISSECTOR_ASSERT(si);
5208 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
5209 "Directory Information");
5210 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
5214 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
5215 trunc, has_find_id);
5219 /* File Attributes */
5220 CHECK_BYTE_COUNT_SUBR(1);
5221 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
5224 /* last write time */
5225 CHECK_BYTE_COUNT_SUBR(4);
5226 offset = dissect_smb_datetime(tvb, tree, offset,
5227 hf_smb_last_write_time,
5228 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
5233 CHECK_BYTE_COUNT_SUBR(4);
5234 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5235 COUNT_BYTES_SUBR(4);
5239 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5241 CHECK_STRING_SUBR(fn);
/*
 * The copy is bounded to 13 characters plus the terminating NUL.
 * NOTE(review): fname's declaration is not in the visible lines; confirm
 * the buffer is at least 13+1 bytes.
 */
5242 /* ensure that it's null-terminated */
5243 g_strlcpy(fname, fn, 13+1);
5244 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5246 COUNT_BYTES_SUBR(fn_len);
/*
 * Shared dissector for the search/find/find-close requests: max count,
 * search attributes, a buffer-format byte plus file name, then a second
 * buffer-format byte, the resume key length and the resume key itself.
 *
 * has_find_id is forwarded to dissect_search_resume_key(). The local
 * declarations (fn, fn_len, rkl, bc, trunc) and the byte-count setup are
 * in lines this listing omits.
 */
5254 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
5255 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
5256 gboolean has_find_id)
5258 smb_info_t *si = pinfo->private_data;
5266 DISSECTOR_ASSERT(si);
5271 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
5274 /* Search Attributes */
5275 offset = dissect_search_attributes(tvb, tree, offset);
5280 CHECK_BYTE_COUNT(1);
5281 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
5285 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5289 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5291 COUNT_BYTES(fn_len);
/*
 * fn comes from packet data; format_text() escapes non-printable
 * characters before the name reaches the Info column.
 * NOTE(review): strlen(fn) needs fn to be non-NULL; any NULL check after
 * get_unicode_or_ascii_string() is in lines not shown here. Confirm.
 */
5293 if (check_col(pinfo->cinfo, COL_INFO)) {
5294 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
5295 format_text(fn, strlen(fn)));
5299 CHECK_BYTE_COUNT(1);
5300 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
5303 /* resume key length */
5304 CHECK_BYTE_COUNT(2);
/* rkl is an untrusted 16-bit length from the packet; how it gates the resume-key call below is not visible. */
5305 rkl = tvb_get_letohs(tvb, offset);
5306 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
5311 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
5312 &bc, &trunc, has_find_id);
/*
 * Thin wrapper that forwards to dissect_search_find_request(); the final
 * arguments of the call are on a line this listing omits.
 *
 * NOTE(review): pinfo is marked _U_ (unused) but is passed on below.
 */
5323 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
5324 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5326 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Thin wrapper that forwards to dissect_search_find_request(); the final
 * arguments of the call are on a line this listing omits.
 *
 * NOTE(review): pinfo is marked _U_ (unused) but is passed on below.
 */
5331 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
5332 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5334 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Thin wrapper that forwards to dissect_search_find_request(); the final
 * arguments of the call are on a line this listing omits.
 *
 * NOTE(review): pinfo is marked _U_ (unused) but is passed on below.
 */
5339 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
5340 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5342 return dissect_search_find_request(tvb, pinfo, tree, offset,
/*
 * Shared dissector for the search/find responses: entry count, buffer
 * format, data length, then directory-information entries decoded by
 * dissect_search_dir_info().
 *
 * NOTE(review): pinfo is marked _U_ (unused) but is passed to
 * dissect_search_dir_info() below. The loop around that call and the
 * declarations of count, bc and trunc are in lines this listing omits.
 */
5347 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
5348 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
5349 gboolean has_find_id)
/* count is an untrusted 16-bit value from the packet; presumably it bounds the entry loop. Confirm against the full source. */
5359 count = tvb_get_letohs(tvb, offset);
5360 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
5366 CHECK_BYTE_COUNT(1);
5367 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
5371 CHECK_BYTE_COUNT(2);
5372 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
5376 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
5377 &bc, &trunc, has_find_id);
/*
 * Thin wrapper that forwards to dissect_search_find_response(); the final
 * argument of the call is on a line this listing omits.
 *
 * NOTE(review): pinfo and smb_tree are marked _U_ (unused) but are both
 * passed on below.
 */
5388 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5390 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/*
 * Thin wrapper that forwards to dissect_search_find_response(); the final
 * argument of the call is on a line this listing omits.
 *
 * NOTE(review): pinfo and smb_tree are marked _U_ (unused) but are both
 * passed on below.
 */
5395 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5397 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
/*
 * Dissects a find-close response: 2 reserved bytes, a buffer-format byte,
 * a 2-byte data length and, when that length is non-zero, that many bytes
 * shown as reserved.
 */
5402 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
5403 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
5412 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5418 CHECK_BYTE_COUNT(1);
5419 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
5423 CHECK_BYTE_COUNT(2);
/*
 * NOTE(review): data_len is read big-endian (tvb_get_ntohs), while the
 * other 16-bit fields in this file, including hf_smb_data_len in
 * dissect_search_find_response(), are read little-endian. If that is
 * unintended, the displayed length and the byte-count check below use a
 * byte-swapped value. Confirm against the protocol specification.
 */
5424 data_len = tvb_get_ntohs(tvb, offset);
5425 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
/* data_len is untrusted; it is checked against the remaining byte count before the bytes are added. */
5428 if (data_len != 0) {
5429 CHECK_BYTE_COUNT(data_len);
5430 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
5432 COUNT_BYTES(data_len);
/* Maps the oplock-level byte of a Locking AndX request to a description. */
5440 static const value_string locking_ol_vals[] = {
5441 {0, "Client is not holding oplock on this file"},
5442 {1, "Level 2 oplock currently held by client"},
/*
 * Display strings for the Lock Type flag bits. In a true_false_string the
 * first string is shown when the bit is set and the second when it is
 * clear. For tfs_lock_type_change only the "clear" string is visible in
 * this listing.
 */
5446 static const true_false_string tfs_lock_type_large = {
5447 "Large file locking format requested",
5448 "Large file locking format not requested"
5450 static const true_false_string tfs_lock_type_cancel = {
5451 "Cancel outstanding lock request",
5452 "Don't cancel outstanding lock request"
5454 static const true_false_string tfs_lock_type_change = {
5456 "Don't change lock type"
5458 static const true_false_string tfs_lock_type_oplock = {
5459 "This is an oplock break notification/response",
5460 "This is not an oplock break notification/response"
5462 static const true_false_string tfs_lock_type_shared = {
5463 "This is a shared lock",
5464 "This is an exclusive lock"
/*
 * Dissects a Locking AndX request: the AndX header, FID, lock type flags,
 * oplock level, timeout, the unlock and lock counts, and then the unlock
 * and lock ranges in either the large (20-byte) or normal (10-byte)
 * format. On the first pass the request's lock data is saved in
 * si->sip->extra_info so the response dissector can display it.
 *
 * NOTE(review): pinfo is marked _U_ (unused) but is dereferenced below.
 * This listing omits lines (braces, loop headers, offset increments and
 * several assignments), so the comments describe only the visible code.
 */
5467 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
5469 guint8 wc, cmd=0xff, lt=0, ol=0;
5470 guint16 andxoffset=0, un=0, ln=0, bc, fid, num_lock=0, num_unlock=0;
5472 proto_item *litem = NULL;
5473 proto_tree *ltree = NULL;
5474 proto_item *it = NULL;
5475 proto_tree *tr = NULL;
5476 int old_offset = offset;
5477 smb_info_t *si = pinfo->private_data;
5478 smb_locking_saved_info_t *ld=NULL;
5481 DISSECTOR_ASSERT(si);
5485 /* next smb command */
5486 cmd = tvb_get_guint8(tvb, offset);
5488 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5490 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5495 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is an untrusted 16-bit offset from the packet; it is validated at the end of this function. */
5499 andxoffset = tvb_get_letohs(tvb, offset);
5500 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5504 fid = tvb_get_letohs(tvb, offset);
5505 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
/* Lock type: one byte, shown as a subtree with one boolean per flag, all decoded from the same value lt. */
5509 lt = tvb_get_guint8(tvb, offset);
5511 litem = proto_tree_add_text(tree, tvb, offset, 1,
5512 "Lock Type: 0x%02x", lt);
5513 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
5515 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
5516 tvb, offset, 1, lt);
5517 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
5518 tvb, offset, 1, lt);
5519 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
5520 tvb, offset, 1, lt);
5521 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
5522 tvb, offset, 1, lt);
5523 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
5524 tvb, offset, 1, lt);
5529 ol = tvb_get_guint8(tvb, offset);
5530 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
5534 to = tvb_get_letohl(tvb, offset);
5535 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
/*
 * un and ln are untrusted 16-bit counts from the packet. They presumably
 * drive the unlock and lock loops below (the loop headers are not in the
 * visible lines); each entry read is guarded by CHECK_BYTE_COUNT.
 */
5538 /* number of unlocks */
5539 un = tvb_get_letohs(tvb, offset);
5541 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
5544 /* number of locks */
5545 ln = tvb_get_letohs(tvb, offset);
5547 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
/*
 * State is saved only on the first pass over the frame (!visited) and
 * only when si->sip exists, so ld stays NULL otherwise. The extra_info
 * pointer is tagged with SMB_EI_LOCKDATA so readers can check its type.
 * NOTE(review): num_lock and num_unlock are initialised to 0 at their
 * declaration; the visible lines do not show them being set from ln/un
 * before they are stored. Confirm against the full source.
 */
5552 /* store the locking data for the response */
5553 if((!pinfo->fd->flags.visited) && si->sip){
5554 ld=se_alloc(sizeof(smb_locking_saved_info_t));
5556 ld->oplock_level= ol;
5557 ld->num_lock=num_lock;
5558 ld->num_unlock=num_unlock;
5561 si->sip->extra_info_type=SMB_EI_LOCKDATA;
5562 si->sip->extra_info=ld;
/* Unlock ranges. The enclosing item is created with length -1 and sized once the entries have been walked. */
5567 old_offset = offset;
5569 it = proto_tree_add_text(tree, tvb, offset, -1,
5571 tr = proto_item_add_subtree(it, ett_smb_unlocks);
5573 proto_item *litem = NULL;
5574 proto_tree *ltree = NULL;
5578 guint64 lock_offset;
5579 guint64 lock_length;
5581 /* large lock format */
5582 litem = proto_tree_add_text(tr, tvb, offset, 20,
5584 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
5587 CHECK_BYTE_COUNT(2);
5588 lock_pid=tvb_get_letohs(tvb, offset);
5589 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5592 /* 2 reserved bytes */
5593 CHECK_BYTE_COUNT(2);
5594 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* 64-bit value built from two little-endian 32-bit words: the word at offset is the high half, the word at offset+4 the low half. */
5598 CHECK_BYTE_COUNT(8);
5599 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5600 | tvb_get_letohl(tvb, offset+4);
5602 proto_tree_add_uint64(ltree, hf_smb_lock_long_offset, tvb, offset, 8, val);
5606 CHECK_BYTE_COUNT(8);
5607 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5608 | tvb_get_letohl(tvb, offset+4);
5610 proto_tree_add_uint64(ltree, hf_smb_lock_long_length, tvb, offset, 8, val);
/*
 * NOTE(review): ld is NULL unless the save branch above ran. The guard
 * around this block is not in the visible lines; confirm ld is checked
 * before ld->unlocks is dereferenced.
 */
5613 /* remember the unlock for the reply */
5615 smb_lock_info_t *li;
5616 li=se_alloc(sizeof(smb_lock_info_t));
5617 li->next=ld->unlocks;
5620 li->offset=lock_offset;
5621 li->length=lock_length;
5624 /* normal lock format */
5625 litem = proto_tree_add_text(tr, tvb, offset, 10,
5627 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
5630 CHECK_BYTE_COUNT(2);
5631 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5635 CHECK_BYTE_COUNT(4);
5636 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
5640 CHECK_BYTE_COUNT(4);
5641 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
5645 proto_item_set_len(it, offset-old_offset);
/* Lock ranges: same structure as the unlock ranges above, under ett_smb_locks / ett_smb_lock. */
5651 old_offset = offset;
5653 it = proto_tree_add_text(tree, tvb, offset, -1,
5655 tr = proto_item_add_subtree(it, ett_smb_locks);
5657 proto_item *litem = NULL;
5658 proto_tree *ltree = NULL;
5662 guint64 lock_offset;
5663 guint64 lock_length;
5665 /* large lock format */
5666 litem = proto_tree_add_text(tr, tvb, offset, 20,
5668 ltree = proto_item_add_subtree(litem, ett_smb_lock);
5671 CHECK_BYTE_COUNT(2);
5672 lock_pid=tvb_get_letohs(tvb, offset);
5673 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5676 /* 2 reserved bytes */
5677 CHECK_BYTE_COUNT(2);
5678 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
5682 CHECK_BYTE_COUNT(8);
5683 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5684 | tvb_get_letohl(tvb, offset+4);
5686 proto_tree_add_uint64(ltree, hf_smb_lock_long_offset, tvb, offset, 8, val);
5690 CHECK_BYTE_COUNT(8);
5691 val=((guint64)tvb_get_letohl(tvb, offset)) << 32
5692 | tvb_get_letohl(tvb, offset+4);
5694 proto_tree_add_uint64(ltree, hf_smb_lock_long_length, tvb, offset, 8, val);
/* NOTE(review): as for the unlock list, confirm that ld is checked for NULL before the saved list is updated. */
5697 /* remember the lock for the reply */
5699 smb_lock_info_t *li;
5700 li=se_alloc(sizeof(smb_lock_info_t));
5704 li->offset=lock_offset;
5705 li->length=lock_length;
5708 /* normal lock format */
5709 litem = proto_tree_add_text(tr, tvb, offset, 10,
5711 ltree = proto_item_add_subtree(litem, ett_smb_lock);
5714 CHECK_BYTE_COUNT(2);
5715 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
5719 CHECK_BYTE_COUNT(4);
5720 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
5724 CHECK_BYTE_COUNT(4);
5725 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
5729 proto_item_set_len(it, offset-old_offset);
5737 * We ran out of byte count in the middle of dissecting
5738 * the locks or the unlocks; set the site of the item
5739 * we were dissecting.
5741 proto_item_set_len(it, offset-old_offset);
/*
 * A chained command that would start before the current offset is
 * rejected, presumably so an AndX chain cannot loop back over bytes
 * already dissected. No upper bound on andxoffset is checked here.
 * NOTE(review): confirm dissect_smb_command() bounds-checks andxoffset
 * against the tvb.
 */
5744 if (cmd != 0xff) { /* there is an andX command */
5745 if (andxoffset < offset)
5746 THROW(ReportedBoundsError);
5747 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Locking AndX response. If the matching request saved lock
 * data (extra_info_type == SMB_EI_LOCKDATA), that data is shown first
 * as zero-length items (tvb offset 0, length 0), i.e. not tied to bytes
 * of this packet. The AndX header is then dissected and any chained
 * command is handed to dissect_smb_command().
 *
 * NOTE(review): pinfo is marked _U_ (unused) but is dereferenced below.
 * Braces, loop headers and some declarations are in lines this listing
 * omits.
 */
5754 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
5756 guint8 wc, cmd=0xff;
5757 guint16 andxoffset=0;
5761 si = (smb_info_t *)pinfo->private_data;
5762 DISSECTOR_ASSERT(si);
/*
 * extra_info is an untyped pointer; it is treated as
 * smb_locking_saved_info_t only after extra_info_type has been checked,
 * matching the tag the request dissector stores with the pointer.
 */
5764 /* print the lock info from the request */
5765 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_LOCKDATA) {
5766 smb_locking_saved_info_t *ld;
5767 proto_item *litem = NULL;
5768 proto_tree *ltree = NULL;
/* NOTE(review): any NULL check on ld before the dereferences below is in lines not shown here; confirm. */
5770 ld = si->sip->extra_info;
5774 smb_lock_info_t *li;
5776 litem = proto_tree_add_text(tree, tvb, 0, 0,
5777 "Lock Type: 0x%02x", ld->type);
5778 PROTO_ITEM_SET_GENERATED(litem);
5779 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
5781 proto_tree_add_boolean(ltree, hf_smb_lock_type_large, tvb, 0, 0, ld->type);
5782 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel, tvb, 0, 0, ld->type);
5783 proto_tree_add_boolean(ltree, hf_smb_lock_type_change, tvb, 0, 0, ld->type);
5784 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock, tvb, 0, 0, ld->type);
5785 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared, tvb, 0, 0, ld->type);
5786 proto_tree_add_uint(ltree, hf_smb_locking_ol, tvb, 0, 0, ld->oplock_level);
5787 proto_tree_add_uint(ltree, hf_smb_number_of_unlocks, tvb, 0, 0, ld->num_unlock);
5788 proto_tree_add_uint(ltree, hf_smb_number_of_locks, tvb, 0, 0, ld->num_lock);
/* Saved lock entries: pid, 64-bit offset and 64-bit length per entry. The list traversal is in omitted lines. */
5790 lit = proto_tree_add_text(ltree, tvb, 0, 0, "Locks");
5791 ltr = proto_item_add_subtree(lit, ett_smb_lock);
5794 proto_tree_add_uint(ltr, hf_smb_pid, tvb, 0, 0, li->pid);
5795 proto_tree_add_uint64(ltr, hf_smb_lock_long_offset, tvb, 0, 0, li->offset);
5796 proto_tree_add_uint64(ltr, hf_smb_lock_long_length, tvb, 0, 0, li->length);
/* Saved unlock entries, same fields as the locks above. */
5799 lit = proto_tree_add_text(ltree, tvb, 0, 0, "Unlocks");
5800 ltr = proto_item_add_subtree(lit, ett_smb_unlock);
5803 proto_tree_add_uint(ltr, hf_smb_pid, tvb, 0, 0, li->pid);
5804 proto_tree_add_uint64(ltr, hf_smb_lock_long_offset, tvb, 0, 0, li->offset);
5805 proto_tree_add_uint64(ltr, hf_smb_lock_long_length, tvb, 0, 0, li->length);
5814 /* next smb command */
5815 cmd = tvb_get_guint8(tvb, offset);
5817 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5819 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5824 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5828 andxoffset = tvb_get_letohs(tvb, offset);
5829 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/*
 * andxoffset is untrusted. A chained command that would start before the
 * current offset is rejected; no upper bound is checked here.
 */
5836 if (cmd != 0xff) { /* there is an andX command */
5837 if (andxoffset < offset)
5838 THROW(ReportedBoundsError);
5839 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Maps the "open action" value to a description. Values 0x8001-0x8003
 * repeat 1-3 with bit 0x8000 set and are described as "an OpLock was
 * granted".
 *
 * NOTE(review): unlike the neighbouring tables this one is not declared
 * static, so it has external linkage; presumably another dissector uses
 * it. Confirm.
 */
5846 const value_string oa_open_vals[] = {
5847 { 0, "No action taken?"},
5848 { 1, "The file existed and was opened"},
5849 { 2, "The file did not exist but was created"},
5850 { 3, "The file existed and was truncated"},
5851 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
5852 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
5853 { 0x8003, "The file existed and was truncated, and an OpLock was granted"},
/* Display strings for the open-action lock flag: first string when the bit is set, second when clear. */
5856 static const true_false_string tfs_oa_lock = {
5857 "File is currently opened only by this user",
5858 "File is opened by another user (or mode not supported by server)"
/*
 * Adds an "Action" subtree for the 16-bit little-endian word at offset.
 * The same value (mask) is passed to both the lock boolean and the open
 * action field; which bits each one decodes is set by the hf_*
 * registrations, which are not visible here.
 *
 * Callers assign the result back to offset; the return statement and the
 * local declarations are in lines this listing omits.
 */
5861 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5867 mask = tvb_get_letohs(tvb, offset);
5870 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5871 "Action: 0x%04x", mask);
5872 tree = proto_item_add_subtree(item, ett_smb_open_action);
5874 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
5875 tvb, offset, 2, mask);
5876 proto_tree_add_uint(tree, hf_smb_open_action_open,
5877 tvb, offset, 2, mask);
/*
 * Display strings for the open-flags bits. In a true_false_string the
 * first string is shown when the bit is set and the second when it is
 * clear.
 */
5884 static const true_false_string tfs_open_flags_add_info = {
5885 "Additional information requested",
5886 "Additional information not requested"
5888 static const true_false_string tfs_open_flags_ex_oplock = {
5889 "Exclusive oplock requested",
5890 "Exclusive oplock not requested"
5892 static const true_false_string tfs_open_flags_batch_oplock = {
5893 "Batch oplock requested",
5894 "Batch oplock not requested"
5896 static const true_false_string tfs_open_flags_ealen = {
5897 "Total length of EAs requested",
5898 "Total length of EAs not requested"
/*
 * Adds a "Flags" subtree for the 16-bit little-endian word at offset,
 * with booleans for the add-info, exclusive-oplock, batch-oplock and
 * EA-length flags, all decoded from the same value (mask).
 *
 * bm is a caller-supplied mask. The conditions that use it are in lines
 * this listing omits; presumably it selects which flags are displayed,
 * as in dissect_write_mode(). Confirm against the full source.
 */
5901 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
5907 mask = tvb_get_letohs(tvb, offset);
5910 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5911 "Flags: 0x%04x", mask);
5912 tree = proto_item_add_subtree(item, ett_smb_open_flags);
5915 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
5916 tvb, offset, 2, mask);
5919 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
5920 tvb, offset, 2, mask);
5923 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
5924 tvb, offset, 2, mask);
5927 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
5928 tvb, offset, 2, mask);
/* Maps a file-type value to a description: disk file, named pipe (byte or message mode) or spooled printer. */
5937 static const value_string filetype_vals[] = {
5938 { 0, "Disk file or directory"},
5939 { 1, "Named pipe in byte mode"},
5940 { 2, "Named pipe in message mode"},
5941 { 3, "Spooled printer"},
/*
 * Dissects an Open AndX request: the AndX header, open flags, desired
 * access, search and file attributes, creation time, open function,
 * allocation size, timeout and the file name. The name is also appended
 * to the Info column. Any chained command is handed to
 * dissect_smb_command().
 *
 * Offset increments, the byte-count setup and the declarations of fn,
 * fn_len and to are in lines this listing omits.
 */
5945 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5947 guint8 wc, cmd=0xff;
5948 guint16 andxoffset=0, bc;
5950 smb_info_t *si = pinfo->private_data;
5954 DISSECTOR_ASSERT(si);
5958 /* next smb command */
5959 cmd = tvb_get_guint8(tvb, offset);
5961 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5963 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5968 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is an untrusted 16-bit offset from the packet; it is validated at the end of this function. */
5972 andxoffset = tvb_get_letohs(tvb, offset);
5973 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5977 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
5979 /* desired access */
5980 offset = dissect_access(tvb, tree, offset, "Desired");
5982 /* Search Attributes */
5983 offset = dissect_search_attributes(tvb, tree, offset);
5985 /* File Attributes */
5986 offset = dissect_file_attributes(tvb, tree, offset, 2);
5989 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5992 offset = dissect_open_function(tvb, tree, offset);
5994 /* allocation size */
5995 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5998 /* timeout, described at http://us1.samba.org/samba/ftp/SMB-info/DOSEXTP.TXT */
5999 to = tvb_get_letohl(tvb, offset);
6000 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
6003 /* 4 reserved bytes */
6004 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6010 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
6014 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
6016 COUNT_BYTES(fn_len);
/*
 * fn comes from packet data; format_text() escapes non-printable
 * characters before the path reaches the Info column.
 * NOTE(review): strlen(fn) needs fn to be non-NULL; any NULL check after
 * get_unicode_or_ascii_string() is in lines not shown here. Confirm.
 */
6018 if (check_col(pinfo->cinfo, COL_INFO)) {
6019 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
6020 format_text(fn, strlen(fn)));
/*
 * A chained command that would start before the current offset is
 * rejected; no upper bound on andxoffset is checked here.
 */
6025 if (cmd != 0xff) { /* there is an andX command */
6026 if (andxoffset < offset)
6027 THROW(ReportedBoundsError);
6028 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the IPC-state non-blocking flag: first string when the bit is set, second when clear. */
6034 static const true_false_string tfs_ipc_state_nonblocking = {
6035 "Reads/writes return immediately if no data available",
6036 "Reads/writes block if no data available"
/* Value-to-description tables for the endpoint, pipe type and read mode sub-fields of the IPC state word. */
6038 static const value_string ipc_state_endpoint_vals[] = {
6039 { 0, "Consumer end of pipe"},
6040 { 1, "Server end of pipe"},
6043 static const value_string ipc_state_pipe_type_vals[] = {
6044 { 0, "Byte stream pipe"},
6045 { 1, "Message pipe"},
6048 static const value_string ipc_state_read_mode_vals[] = {
6049 { 0, "Read pipe as a byte stream"},
6050 { 1, "Read messages from pipe"},
/*
 * Adds an "IPC State" subtree for the 16-bit little-endian word at
 * offset, showing the non-blocking flag, endpoint, pipe type, read mode
 * and icount sub-fields. All are decoded from the same value (mask); the
 * bit ranges come from the hf_* registrations, which are not visible
 * here.
 *
 * The last parameter is on a line this listing omits; one visible caller
 * passes FALSE for it. Callers assign the result back to offset.
 */
6055 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
6062 mask = tvb_get_letohs(tvb, offset);
6065 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6066 "IPC State: 0x%04x", mask);
6067 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
6069 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
6070 tvb, offset, 2, mask);
6072 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
6073 tvb, offset, 2, mask);
6074 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
6075 tvb, offset, 2, mask);
6077 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
6078 tvb, offset, 2, mask);
6080 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
6081 tvb, offset, 2, mask);
/*
 * Dissects an Open AndX response: the AndX header, FID, file attributes,
 * last write time, file size, granted access, file type, IPC state, open
 * action and server FID. Any chained command is handed to
 * dissect_smb_command().
 *
 * Offset increments and the declaration of fid are in lines this listing
 * omits.
 */
6091 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6093 guint8 wc, cmd=0xff;
6094 guint16 andxoffset=0, bc;
6099 /* next smb command */
6100 cmd = tvb_get_guint8(tvb, offset);
6102 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6104 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6109 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is an untrusted 16-bit offset from the packet; it is validated at the end of this function. */
6113 andxoffset = tvb_get_letohs(tvb, offset);
6114 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* Here dissect_smb_fid() gets TRUE as its first flag, unlike the request dissectors in this file, which pass FALSE. */
6118 fid = tvb_get_letohs(tvb, offset);
6119 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
6122 /* File Attributes */
6123 offset = dissect_file_attributes(tvb, tree, offset, 2);
6125 /* last write time */
6126 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
6129 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
6132 /* granted access */
6133 offset = dissect_access(tvb, tree, offset, "Granted");
6136 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
6140 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
6143 offset = dissect_open_action(tvb, tree, offset);
6146 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
6149 /* 2 reserved bytes */
6150 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/*
 * A chained command that would start before the current offset is
 * rejected; no upper bound on andxoffset is checked here.
 */
6157 if (cmd != 0xff) { /* there is an andX command */
6158 if (andxoffset < offset)
6159 THROW(ReportedBoundsError);
6160 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Read AndX request: the AndX header, FID, file offset, max
 * count (low 16 bits plus a 32-bit "high" field), min count, remaining
 * and high offset. The requested length and offset are appended to the
 * Info column, and on the first pass a rw_info_t is saved in
 * si->sip->extra_info, tagged SMB_EI_RWINFO. Any chained command is
 * handed to dissect_smb_command().
 *
 * Offset increments, several declarations (fid, ofs, maxcnt, it) and the
 * assignments to the saved rw_info_t are in lines this listing omits.
 */
6167 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6169 guint8 wc, cmd=0xff;
6170 guint16 andxoffset=0, bc, maxcnt_low;
6171 guint32 maxcnt_high;
6174 smb_info_t *si= (smb_info_t *)pinfo->private_data;
6176 rw_info_t *rwi=NULL;
6179 DISSECTOR_ASSERT(si);
6183 /* next smb command */
6184 cmd = tvb_get_guint8(tvb, offset);
6186 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6188 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6193 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is an untrusted 16-bit offset from the packet; it is validated at the end of this function. */
6197 andxoffset = tvb_get_letohs(tvb, offset);
6198 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6202 fid = tvb_get_letohs(tvb, offset);
6203 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (guint16) fid, FALSE, FALSE, FALSE);
6207 ofs = tvb_get_letohl(tvb, offset);
6208 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
6212 maxcnt_low = tvb_get_letohs(tvb, offset);
6213 proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
6217 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
6223 * XXX - we should really only do this in case we have seen
6224 * LARGE FILE being negotiated. Unfortunately, we might not
6225 * have seen the negotiation phase in the capture....
6227 * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
6228 * it's 32 bits, but the description says "High 16 bits of
6229 * MaxCount if CAP_LARGE_READX".
6231 * The SMB File Sharing Protocol Extensions Version 2.0,
6232 * Document Version 3.3 spec doesn't speak of an extra 16
6233 * bits in max count, but it does show a 32-bit timeout
6234 * after the min count field.
6236 * Perhaps the 32-bit timeout field was hijacked as a 16-bit
6237 * high count and a 16-bit reserved field.
6239 * We fetch and display it as 32 bits.
6241 * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
6242 * bytes and we just ignore it.
6244 maxcnt_high = tvb_get_letohl(tvb, offset);
6245 if(maxcnt_high==0xffffffff){
6248 proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
/*
 * The combined count shifts the previous maxcnt value left by 16 and
 * ORs in the low word.
 * NOTE(review): maxcnt's declaration and its assignment from maxcnt_high
 * are not visible. If maxcnt is 32 bits wide, the upper 16 bits of the
 * 32-bit high field are dropped by the shift. Confirm that is intended.
 */
6254 maxcnt=(maxcnt<<16)|maxcnt_low;
6256 if (check_col(pinfo->cinfo, COL_INFO))
6257 col_append_fstr(pinfo->cinfo, COL_INFO,
6258 ", %u byte%s at offset %u", maxcnt,
6259 (maxcnt == 1) ? "" : "s", ofs);
/* Saved only on the first pass (!visited) and only when si->sip exists; the pointer is tagged so readers can check its type. */
6261 /* save the offset/len for this transaction */
6262 if(si->sip && !pinfo->fd->flags.visited){
6263 rwi=se_alloc(sizeof(rw_info_t));
6268 si->sip->extra_info_type=SMB_EI_RWINFO;
6269 si->sip->extra_info=rwi;
/* extra_info is treated as rw_info_t only after the type tag has been checked. */
6271 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6272 rwi=si->sip->extra_info;
6277 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6279 PROTO_ITEM_SET_GENERATED(it);
6280 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6281 PROTO_ITEM_SET_GENERATED(it);
6285 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
6290 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
/*
 * A chained command that would start before the current offset is
 * rejected; no upper bound on andxoffset is checked here.
 */
6298 if (cmd != 0xff) { /* there is an andX command */
6299 if (andxoffset < offset)
6300 THROW(ReportedBoundsError);
6301 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissects a Read AndX response: the AndX header, the FID and read
 * offset/length remembered from the request (when available), remaining,
 * data compaction mode, data length (low 16 bits plus a 32-bit "high"
 * field), data offset, and the file data, which may be DCERPC on a pipe.
 * Any chained command is handed to dissect_smb_command().
 *
 * Offset increments and the declarations of fid and it are in lines this
 * listing omits.
 */
6308 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6310 guint8 wc, cmd=0xff;
6311 guint16 andxoffset=0, bc, datalen_low, dataoffset=0;
6312 guint32 datalen=0, datalen_high;
6313 smb_info_t *si = (smb_info_t *)pinfo->private_data;
6315 rw_info_t *rwi=NULL;
6317 DISSECTOR_ASSERT(si);
6321 /* next smb command */
6322 cmd = tvb_get_guint8(tvb, offset);
6324 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6326 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6331 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is an untrusted 16-bit offset from the packet; it is validated at the end of this function. */
6335 andxoffset = tvb_get_letohs(tvb, offset);
6336 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* extra_info is reinterpreted according to extra_info_type: an integer FID for SMB_EI_FID, a rw_info_t pointer for SMB_EI_RWINFO. */
6339 /* If we have seen the request, then print which FID this refers to */
6340 /* first check if we have seen the request */
6341 if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type==SMB_EI_FID){
6342 fid=GPOINTER_TO_INT(si->sip->extra_info);
6343 dissect_smb_fid(tvb, pinfo, tree, 0, 0, (guint16) fid, FALSE, FALSE, FALSE);
6346 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6347 rwi=si->sip->extra_info;
6352 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6354 PROTO_ITEM_SET_GENERATED(it);
6355 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6356 PROTO_ITEM_SET_GENERATED(it);
6358 /* we need the fid for the call to dcerpc below */
6363 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
6366 /* data compaction mode */
6367 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
6370 /* 2 reserved bytes */
6371 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* datalen_low, dataoffset and datalen_high are untrusted values from the packet. */
6375 datalen_low = tvb_get_letohs(tvb, offset);
6376 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
6380 dataoffset=tvb_get_letohs(tvb, offset);
6381 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
6384 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
6385 /* data length high */
6386 datalen_high = tvb_get_letohl(tvb, offset);
6387 if(datalen_high==0xffffffff){
6390 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 4, datalen_high);
/* datalen is 32 bits wide, so the shift keeps only the low 16 bits of datalen_high above datalen_low. */
6394 datalen=datalen_high;
6395 datalen=(datalen<<16)|datalen_low;
6398 if (check_col(pinfo->cinfo, COL_INFO))
6399 col_append_fstr(pinfo->cinfo, COL_INFO,
6400 ", %u byte%s", datalen,
6401 (datalen == 1) ? "" : "s");
6404 /* 6 reserved bytes */
6405 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
/*
 * NOTE(review): datalen is 32 bits here but is cast to guint16 for the
 * call below, so a non-zero high part is silently dropped and the payload
 * is dissected with only the low 16 bits of the length, while the Info
 * column above shows the full value. Confirm whether the callee should
 * take a wider length.
 */
6410 /* file data, might be DCERPC on a pipe */
6412 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
6413 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
/*
 * A chained command that would start before the current offset is
 * rejected; no upper bound on andxoffset is checked here.
 */
6419 if (cmd != 0xff) { /* there is an andX command */
6420 if (andxoffset < offset)
6421 THROW(ReportedBoundsError);
6422 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX request.
 *
 * Visible steps: AndX command and offset, FID, 32-bit file offset (ofs),
 * write mode, remaining count, data length high and low (combined into
 * datalen), data offset, Info column text, then the payload through
 * dissect_file_data_maybe_dcerpc() and any chained AndX command.
 *
 * On the first pass over a frame (!pinfo->fd->flags.visited) an rw_info_t
 * is allocated with se_alloc() and attached to si->sip->extra_info with
 * the tag SMB_EI_RWINFO; the field assignments are on lines this listing
 * omits.
 *
 * Apparently when WRITE_MODE_MESSAGE_START is set (the brace nesting is
 * not visible here), the TID is recorded as TID_IPC in
 * si->ct->tid_service on the first pass. That classification is a
 * heuristic driven by packet content, so a capture can steer how later
 * reads and writes on the same TID are dissected.
 *
 * NOTE(review): si->ct is dereferenced for tid_service and si->sip for the
 * SMB_SIF_TID_IS_IPC flag update; any NULL guards for them are on lines
 * this listing omits - confirm they exist.
 */
6429 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6432 guint8 wc, cmd=0xff;
6433 guint16 andxoffset=0, bc, dataoffset=0, datalen_low, datalen_high;
6435 smb_info_t *si = (smb_info_t *)pinfo->private_data;
6438 rw_info_t *rwi=NULL;
6441 DISSECTOR_ASSERT(si);
6445 /* next smb command */
6446 cmd = tvb_get_guint8(tvb, offset);
6448 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6450 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6455 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6459 andxoffset = tvb_get_letohs(tvb, offset);
6460 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6464 fid = tvb_get_letohs(tvb, offset);
6465 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (guint16) fid, FALSE, FALSE, FALSE);
6469 ofs = tvb_get_letohl(tvb, offset);
6470 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
6474 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6478 mode = tvb_get_letohs(tvb, offset);
6479 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
6482 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/* datalen_high and datalen_low are 16 bits each and are combined below as
 * (high << 16) | low; both come straight from the packet. */
6485 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
6486 /* data length high */
6487 datalen_high = tvb_get_letohs(tvb, offset);
6488 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
6492 datalen_low = tvb_get_letohs(tvb, offset);
6493 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
6496 datalen=datalen_high;
6497 datalen=(datalen<<16)|datalen_low;
6500 dataoffset=tvb_get_letohs(tvb, offset);
6501 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
6504 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
6505 if (check_col(pinfo->cinfo, COL_INFO))
6506 col_append_fstr(pinfo->cinfo, COL_INFO,
6507 ", %u byte%s at offset %u", datalen,
6508 (datalen == 1) ? "" : "s", ofs);
6510 /* save the offset/len for this transaction */
/* Stored only on the first pass; the block after it reads the record back
 * through the SMB_EI_RWINFO tag before using rwi. */
6511 if(si->sip && !pinfo->fd->flags.visited){
6512 rwi=se_alloc(sizeof(rw_info_t));
6517 si->sip->extra_info_type=SMB_EI_RWINFO;
6518 si->sip->extra_info=rwi;
6520 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6521 rwi=si->sip->extra_info;
6526 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6528 PROTO_ITEM_SET_GENERATED(it);
6529 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6530 PROTO_ITEM_SET_GENERATED(it);
6536 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
6542 /* if both the MessageStart and the WriteRawNamedPipe flags are set
6543 the first two bytes of the payload is the length of the data.
6544 Assume that all WriteAndX PDUs that have MESSAGE_START set to
6545 be over the IPC$ share and thus they all transport DCERPC.
6546 (if we didnt already know that from the TreeConnect call)
6548 if(mode&WRITE_MODE_MESSAGE_START){
6549 if(mode&WRITE_MODE_RAW){
6550 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
6556 if(!pinfo->fd->flags.visited){
6557 /* In case we did not see the TreeConnect call,
6558 store this TID here as well as a IPC TID
6559 so we know that future Read/Writes to this
6560 TID is (probably) DCERPC.
6562 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
6563 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
6565 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
6568 si->sip->flags|=SMB_SIF_TID_IS_IPC;
6572 /* file data, might be DCERPC on a pipe */
/* datalen is narrowed to 16 bits for this call, so a combined length of
 * 0x10000 or more is truncated here.
 * NOTE(review): confirm the callee limits the data by bc and by the tvb
 * rather than relying on this value. */
6574 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
6575 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
/* An andxoffset smaller than offset raises ReportedBoundsError instead of
 * being followed, so the chained command cannot point back into bytes
 * that were already dissected. */
6581 if (cmd != 0xff) { /* there is an andX command */
6582 if (andxoffset < offset)
6583 THROW(ReportedBoundsError);
6584 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX response.
 *
 * Visible steps: AndX command and offset, the read/write offset and
 * length saved by the request (shown as generated items when
 * si->sip->extra_info carries the SMB_EI_RWINFO tag), the written byte
 * count (low and high 16-bit parts), the remaining count, two reserved
 * bytes and any chained AndX command.
 *
 * NOTE(review): this listing omits some original lines (return type,
 * braces, offset increments, the declaration of count and its first
 * assignment); the comments added here describe only what is visible.
 */
6591 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6593 guint8 wc, cmd=0xff;
6594 guint16 andxoffset=0, bc, count_low, count_high;
6596 smb_info_t *si = (smb_info_t *)pinfo->private_data;
6597 rw_info_t *rwi=NULL;
6599 DISSECTOR_ASSERT(si);
6603 /* next smb command */
6604 cmd = tvb_get_guint8(tvb, offset);
6606 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6608 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6613 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6617 andxoffset = tvb_get_letohs(tvb, offset);
6618 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* The tag is tested before extra_info is used as an rw_info_t pointer;
 * the same field holds other types for other commands. */
6622 if(si->sip && si->sip->extra_info_type==SMB_EI_RWINFO){
6623 rwi=si->sip->extra_info;
6628 it=proto_tree_add_uint(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
6630 PROTO_ITEM_SET_GENERATED(it);
6631 it=proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
6632 PROTO_ITEM_SET_GENERATED(it);
6636 /* write count low */
6637 count_low = tvb_get_letohs(tvb, offset);
6638 proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
6642 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
6645 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
6646 /* write count high */
6647 count_high = tvb_get_letohs(tvb, offset);
6648 proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
/* count is shifted left by 16 and merged with count_low; presumably it was
 * set to count_high on a line this listing omits - confirm. */
6652 count=(count<<16)|count_low;
6654 if (check_col(pinfo->cinfo, COL_INFO))
6655 col_append_fstr(pinfo->cinfo, COL_INFO,
6656 ", %u byte%s", count,
6657 (count == 1) ? "" : "s");
6659 /* 2 reserved bytes */
6660 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
/* An andxoffset smaller than offset raises ReportedBoundsError instead of
 * being followed, so the chained command cannot point back into bytes
 * that were already dissected. */
6667 if (cmd != 0xff) { /* there is an andX command */
6668 if (andxoffset < offset)
6669 THROW(ReportedBoundsError);
6670 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the guest flag of the session setup Action word:
 * the first string is shown when the bit is set, the second when it is
 * clear. A set bit means the session was logged in as GUEST, which is
 * worth noticing when authentication is reviewed in a capture. */
6677 static const true_false_string tfs_setup_action_guest = {
6678 "Logged in as GUEST",
6679 "Not logged in as GUEST"
/*
 * Show the 16-bit little-endian Action word found at offset: a text item
 * with the raw mask and, in a subtree, the guest flag as a boolean.
 *
 * The caller assigns the return value back to offset, so this presumably
 * returns the offset after the word; the return statement and the local
 * declarations are on lines this listing omits.
 */
6682 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6688 mask = tvb_get_letohs(tvb, offset);
6691 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6692 "Action: 0x%04x", mask);
6693 tree = proto_item_add_subtree(item, ett_smb_setup_action);
6695 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
6696 tvb, offset, 2, mask);
/*
 * Dissect a Session Setup AndX request.
 *
 * Visible steps: AndX command and offset, maximum buffer size, maximum
 * multiplex count, VC number and session key, then the length fields
 * (pwlen, or sbloblen, or apwlen and upwlen; the tests that select
 * between these layouts are on lines this listing omits), the
 * capabilities, and in the byte-count area either a security blob or the
 * password fields, followed by account, primary domain, native OS and
 * native LAN Manager strings, and finally any chained AndX command.
 *
 * Security-relevant points shown by the visible code:
 *  - pwlen, apwlen, upwlen and sbloblen are read from the packet and are
 *    untrusted. pwlen, apwlen and upwlen are each passed to
 *    CHECK_BYTE_COUNT() before the matching bytes are added to the tree.
 *  - The raw security blob item is added with sbloblen_short, which is
 *    sbloblen clamped to tvb_length_remaining(), so a truncated capture
 *    still shows the part that is present. CHECK_BYTE_COUNT(sbloblen) is
 *    applied before the blob is handed to a sub-dissector.
 *  - A blob that begins with the bytes NTLMSSP, on a connection flagged
 *    raw_ntlmssp, goes to the NTLMSSP dissector; anything else goes to
 *    the GSS-API dissector.
 *  - The password, ANSI password and Unicode password bytes are added to
 *    the protocol tree as captured, and the account and domain are
 *    written to the Info column. Capture files that contain this exchange
 *    hold authentication material and should be handled accordingly.
 *  - The account and domain strings are passed through format_text()
 *    before they are written to the Info column.
 *
 * NOTE(review): tvb_length_remaining() returns a signed value while
 * sbloblen_short is an unsigned 16-bit variable; if the function can
 * return a negative value for an out-of-range offset, the clamp would
 * store 0xffff - confirm against the tvb API in use.
 * NOTE(review): this listing omits many original lines (return type,
 * braces, offset increments, several declarations and conditions); the
 * comments added here describe only the statements that are visible.
 */
6705 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6707 guint8 wc, cmd=0xff;
6709 guint16 andxoffset=0;
6710 smb_info_t *si = pinfo->private_data;
6716 guint16 sbloblen=0, sbloblen_short;
6717 guint16 apwlen=0, upwlen=0;
6718 gboolean unicodeflag;
6719 static int ntlmssp_tap_id = 0;
6720 const ntlmssp_header_t *ntlmssph;
/* One-time setup, guarded by the static ntlmssp_tap_id: a listener is
 * registered on the ntlmssp tap with no callbacks and the tap id is
 * looked up.
 * NOTE(review): the handling of the error_string returned by
 * register_tap_listener() is on a line this listing omits - confirm it
 * is checked and released. */
6722 if(!ntlmssp_tap_id){
6723 GString *error_string;
6724 /* We dont specify any callbacks at all.
6725 * Instead we manually fetch the tapped data after the
6726 * security blob has been fully dissected and before
6727 * we exit from this dissector.
6729 error_string=register_tap_listener("ntlmssp", NULL, NULL,
6730 0, NULL, NULL, NULL);
6732 ntlmssp_tap_id=find_tap_id("ntlmssp");
6736 DISSECTOR_ASSERT(si);
6740 /* next smb command */
6741 cmd = tvb_get_guint8(tvb, offset);
6743 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6745 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6750 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6754 andxoffset = tvb_get_letohs(tvb, offset);
6755 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6758 /* Maximum Buffer Size */
6759 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
6762 /* Maximum Multiplex Count */
6763 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
6767 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
6771 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
/* The length fields read from here on are sender-controlled; they are
 * only used further down after CHECK_BYTE_COUNT() has been applied. */
6776 /* password length, ASCII*/
6777 pwlen = tvb_get_letohs(tvb, offset);
6778 proto_tree_add_uint(tree, hf_smb_password_len,
6779 tvb, offset, 2, pwlen);
6782 /* 4 reserved bytes */
6783 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6789 /* security blob length */
6790 sbloblen = tvb_get_letohs(tvb, offset);
6791 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
6794 /* 4 reserved bytes */
6795 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6799 dissect_negprot_capabilities(tvb, tree, offset);
6805 /* password length, ANSI*/
6806 apwlen = tvb_get_letohs(tvb, offset);
6807 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
6808 tvb, offset, 2, apwlen);
6811 /* password length, Unicode*/
6812 upwlen = tvb_get_letohs(tvb, offset);
6813 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
6814 tvb, offset, 2, upwlen);
6817 /* 4 reserved bytes */
6818 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
6822 dissect_negprot_capabilities(tvb, tree, offset);
6831 proto_item *blob_item;
6834 /* If it runs past the end of the captured data, don't
6835 * try to put all of it into the protocol tree as the
6836 * raw security blob; we might get an exception on
6837 * short frames and then we will not see anything at all
6838 * of the security blob.
6840 sbloblen_short = sbloblen;
6841 if(sbloblen_short>tvb_length_remaining(tvb,offset)){
6842 sbloblen_short=tvb_length_remaining(tvb,offset);
6844 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
6845 tvb, offset, sbloblen_short,
6848 /* As an optimization, because Windows is perverse,
6849 we check to see if NTLMSSP is the first part of the
6850 blob, and if so, call the NTLMSSP dissector,
6851 otherwise we call the GSS-API dissector. This is because
6852 Windows can request RAW NTLMSSP, but will happily handle
6853 a client that wraps NTLMSSP in SPNEGO
6858 proto_tree *blob_tree;
6860 blob_tree = proto_item_add_subtree(blob_item,
6862 CHECK_BYTE_COUNT(sbloblen);
6865 * Set the reported length of this to the reported
6866 * length of the blob, rather than the amount of
6867 * data available from the blob, so that we'll
6868 * throw the right exception if it's too short.
6870 blob_tvb = tvb_new_subset(tvb, offset, sbloblen_short,
6873 if (si && si->ct && si->ct->raw_ntlmssp &&
6874 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
6875 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
6880 call_dissector(gssapi_handle, blob_tvb,
6884 /* If we have found a uid->acct_name mapping, store it */
/* First pass only. The tapped NTLMSSP header is accepted when its type
 * is 3; the inner ntlmssph test repeats the NULL test of the enclosing
 * if. The domain and account names originate from the packet and are
 * copied with se_strdup() into a new smb_uid_t that is attached to
 * si->sip->extra_info under the tag SMB_EI_UID.
 * NOTE(review): confirm that domain_name and acct_name are never NULL and
 * are NUL-terminated in ntlmssp_header_t. */
6885 if(!pinfo->fd->flags.visited && si->sip){
6887 if((ntlmssph=fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL){
6888 if(ntlmssph && ntlmssph->type==3){
6891 smb_uid=se_alloc(sizeof(smb_uid_t));
6892 smb_uid->logged_in=-1;
6893 smb_uid->logged_out=-1;
6894 smb_uid->domain=se_strdup(ntlmssph->domain_name);
6895 smb_uid->account=se_strdup(ntlmssph->acct_name);
6897 si->sip->extra_info=smb_uid;
6898 si->sip->extra_info_type=SMB_EI_UID;
6903 COUNT_BYTES(sbloblen);
6907 * Eventhough this field should honour the unicode flag
6908 * some ms clients gets this wrong.
6909 * At least XP SP1 sends this in ASCII
6910 * even when the unicode flag is on.
6911 * Test if the first three bytes are "Win"
6912 * and if so just override the flag.
6914 unicodeflag=si->unicode;
6915 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
6918 an = get_unicode_or_ascii_string(tvb, &offset,
6919 unicodeflag, &an_len, FALSE, FALSE, &bc);
6922 proto_tree_add_string(tree, hf_smb_os, tvb,
6923 offset, an_len, an);
6924 COUNT_BYTES(an_len);
6927 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
6928 * padding/null string/whatever in front of this. W2K doesn't
6929 * appear to. I suspect that's a bug that got fixed; I also
6930 * suspect that, in practice, nobody ever looks at that field
6931 * because the bug didn't appear to get fixed until NT 5.0....
6933 * Eventhough this field should honour the unicode flag
6934 * some ms clients gets this wrong.
6935 * At least XP SP1 sends this in ASCII
6936 * even when the unicode flag is on.
6937 * Test if the first three bytes are "Win"
6938 * and if so just override the flag.
6940 unicodeflag=si->unicode;
6941 if( tvb_strneql(tvb, offset, "Win", 3) == 0 ){
6944 an = get_unicode_or_ascii_string(tvb, &offset,
6945 unicodeflag, &an_len, FALSE, FALSE, &bc);
6948 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6949 offset, an_len, an);
6950 COUNT_BYTES(an_len);
6952 /* Primary domain */
6953 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
6954 * byte in front of this, at least if all the strings are
6955 * ASCII and the account name is empty. Another bug?
6957 dn = get_unicode_or_ascii_string(tvb, &offset,
6958 si->unicode, &dn_len, FALSE, FALSE, &bc);
6961 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
6962 offset, dn_len, dn);
6963 COUNT_BYTES(dn_len);
6969 /* password, ASCII */
/* The password bytes are shown exactly as captured; the length is passed
 * to CHECK_BYTE_COUNT() first (presumably a test against bc - the macro
 * is defined outside this listing). */
6970 CHECK_BYTE_COUNT(pwlen);
6971 proto_tree_add_item(tree, hf_smb_password,
6972 tvb, offset, pwlen, TRUE);
6980 /* password, ANSI */
6981 CHECK_BYTE_COUNT(apwlen);
6982 proto_tree_add_item(tree, hf_smb_ansi_password,
6983 tvb, offset, apwlen, TRUE);
6984 COUNT_BYTES(apwlen);
/* The Unicode password field is added as raw bytes and can additionally
 * be broken down by dissect_ntlmv2_response(); the condition that selects
 * that path is on a line this listing omits. */
6990 /* password, Unicode */
6991 CHECK_BYTE_COUNT(upwlen);
6992 item = proto_tree_add_item(tree, hf_smb_unicode_password,
6993 tvb, offset, upwlen, TRUE);
6996 proto_tree *subtree;
6998 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
7000 dissect_ntlmv2_response(
7001 tvb, subtree, offset, upwlen);
7004 COUNT_BYTES(upwlen);
7011 an = get_unicode_or_ascii_string(tvb, &offset,
7012 si->unicode, &an_len, FALSE, FALSE, &bc);
7015 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
7017 COUNT_BYTES(an_len);
7019 /* Primary domain */
7020 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
7021 * byte in front of this, at least if all the strings are
7022 * ASCII and the account name is empty. Another bug?
7024 dn = get_unicode_or_ascii_string(tvb, &offset,
7025 si->unicode, &dn_len, FALSE, FALSE, &bc);
7028 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
7029 offset, dn_len, dn);
7030 COUNT_BYTES(dn_len);
7032 if (check_col(pinfo->cinfo, COL_INFO)) {
7033 col_append_str(pinfo->cinfo, COL_INFO, ", User: ");
7035 if (!dn[0] && !an[0])
7036 col_append_str(pinfo->cinfo, COL_INFO,
7039 col_append_fstr(pinfo->cinfo, COL_INFO,
7041 format_text(dn, strlen(dn)),
7042 format_text(an, strlen(an)));
7046 an = get_unicode_or_ascii_string(tvb, &offset,
7047 si->unicode, &an_len, FALSE, FALSE, &bc);
7050 proto_tree_add_string(tree, hf_smb_os, tvb,
7051 offset, an_len, an);
7052 COUNT_BYTES(an_len);
7055 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
7056 * padding/null string/whatever in front of this. W2K doesn't
7057 * appear to. I suspect that's a bug that got fixed; I also
7058 * suspect that, in practice, nobody ever looks at that field
7059 * because the bug didn't appear to get fixed until NT 5.0....
7061 an = get_unicode_or_ascii_string(tvb, &offset,
7062 si->unicode, &an_len, FALSE, FALSE, &bc);
7065 proto_tree_add_string(tree, hf_smb_lanman, tvb,
7066 offset, an_len, an);
7067 COUNT_BYTES(an_len);
7072 if (cmd != 0xff) { /* there is an andX command */
/* An andxoffset smaller than offset raises ReportedBoundsError instead of
 * being followed. private_data is set back to si before the chained
 * command is dissected, presumably because a sub-dissector called above
 * may have replaced it - confirm. */
7073 if (andxoffset < offset)
7074 THROW(ReportedBoundsError);
7075 pinfo->private_data = si;
7076 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Session Setup AndX response.
 *
 * Visible steps: on the first pass, complete the uid mapping that the
 * request prepared; then AndX command and offset, the Action word, the
 * security blob length, the security blob itself (NTLMSSP or GSS-API),
 * the native OS and native LAN Manager strings, the primary domain when
 * wc is 3 or 4, and any chained AndX command.
 *
 * Security-relevant points shown by the visible code:
 *  - sbloblen is read from the packet. Unlike the request dissector,
 *    which keeps the original value and clamps a copy, this function
 *    overwrites sbloblen itself with tvb_length_remaining() when the blob
 *    would run past the captured data.
 *  - A blob that begins with the bytes NTLMSSP, on a connection flagged
 *    raw_ntlmssp, goes to the NTLMSSP dissector; anything else goes to
 *    the GSS-API dissector.
 *
 * NOTE(review): tvb_length_remaining() returns a signed value; if it can
 * be negative for an out-of-range offset and sbloblen is an unsigned
 * 16-bit variable as in the request dissector (its declaration is not
 * visible here), the clamp would store 0xffff - confirm.
 * NOTE(review): this listing omits some original lines (return type,
 * braces, offset increments, several declarations and conditions).
 */
7083 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7085 guint8 wc, cmd=0xff;
7086 guint16 andxoffset=0, bc;
7088 smb_info_t *si = pinfo->private_data;
7092 DISSECTOR_ASSERT(si);
/* First pass only: when the request left an smb_uid_t in extra_info (tag
 * SMB_EI_UID), this frame number is recorded as the login frame and the
 * entry is inserted into uid_tree under si->uid.
 * NOTE(review): si->ct is dereferenced here without the NULL test that
 * the blob handling further down applies (si && si->ct) - confirm it
 * cannot be NULL at this point. */
7096 if(!pinfo->fd->flags.visited && si->sip && si->sip->extra_info &&
7097 si->sip->extra_info_type==SMB_EI_UID){
7100 smb_uid=si->sip->extra_info;
7101 smb_uid->logged_in=pinfo->fd->num;
7102 se_tree_insert32(si->ct->uid_tree, si->uid, smb_uid);
7105 /* next smb command */
7106 cmd = tvb_get_guint8(tvb, offset);
7108 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7110 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7115 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7119 andxoffset = tvb_get_letohs(tvb, offset);
7120 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7124 offset = dissect_setup_action(tvb, tree, offset);
/* Sender-controlled length; it is clamped and passed to
 * CHECK_BYTE_COUNT() further down before the blob is sub-dissected. */
7127 /* security blob length */
7128 sbloblen = tvb_get_letohs(tvb, offset);
7129 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
7136 proto_item *blob_item;
7139 /* dont try to eat too much of we might get an exception on
7140 * short frames and then we will not see anything at all
7141 * of the security blob.
7143 if(sbloblen>tvb_length_remaining(tvb,offset)){
7144 sbloblen=tvb_length_remaining(tvb,offset);
7146 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
7147 tvb, offset, sbloblen, TRUE);
7151 proto_tree *blob_tree;
7153 blob_tree = proto_item_add_subtree(blob_item,
7155 CHECK_BYTE_COUNT(sbloblen);
7157 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
7160 if (si && si->ct && si->ct->raw_ntlmssp &&
7161 tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
7162 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
7167 call_dissector(gssapi_handle, blob_tvb, pinfo,
7172 COUNT_BYTES(sbloblen);
7177 an = get_unicode_or_ascii_string(tvb, &offset,
7178 si->unicode, &an_len, FALSE, FALSE, &bc);
7181 proto_tree_add_string(tree, hf_smb_os, tvb,
7182 offset, an_len, an);
7183 COUNT_BYTES(an_len);
7186 an = get_unicode_or_ascii_string(tvb, &offset,
7187 si->unicode, &an_len, FALSE, FALSE, &bc);
7190 proto_tree_add_string(tree, hf_smb_lanman, tvb,
7191 offset, an_len, an);
7192 COUNT_BYTES(an_len);
7194 if((wc==3)||(wc==4)) {
7195 /* Primary domain */
7196 an = get_unicode_or_ascii_string(tvb, &offset,
7197 si->unicode, &an_len, FALSE, FALSE, &bc);
7200 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
7201 offset, an_len, an);
7202 COUNT_BYTES(an_len);
/* An andxoffset smaller than offset raises ReportedBoundsError instead of
 * being followed. private_data is set back to si before the chained
 * command is dissected, presumably because a sub-dissector called above
 * may have replaced it - confirm. */
7207 if (cmd != 0xff) { /* there is an andX command */
7208 if (andxoffset < offset)
7209 THROW(ReportedBoundsError);
7210 pinfo->private_data = si;
7211 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an AndX block that carries nothing beyond the AndX header: the
 * AndX command byte, one reserved byte and the 16-bit AndX offset, then
 * any chained AndX command.
 *
 * NOTE(review): this listing omits some original lines (return type,
 * braces, offset increments, word-count and byte-count handling).
 */
7219 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7221 guint8 wc, cmd=0xff;
7222 guint16 andxoffset=0;
7227 /* next smb command */
7228 cmd = tvb_get_guint8(tvb, offset);
7230 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7232 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7237 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7241 andxoffset = tvb_get_letohs(tvb, offset);
7242 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* andxoffset is sender-controlled: a value smaller than offset raises
 * ReportedBoundsError instead of being followed, so the chained command
 * cannot point back into bytes that were already dissected. */
7249 if (cmd != 0xff) { /* there is an andX command */
7250 if (andxoffset < offset)
7251 THROW(ReportedBoundsError);
7252 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for two bits of the Optional Support word: the first
 * string of each pair is shown when the bit is set, the second when it is
 * clear.
 * NOTE(review): the closing braces and the first string of
 * tfs_connect_support_in_dfs are on lines this listing omits. */
7259 static const true_false_string tfs_connect_support_search = {
7260 "Exclusive search bits supported",
7261 "Exclusive search bits not supported"
7263 static const true_false_string tfs_connect_support_in_dfs = {
7265 "Share isn't in Dfs"
/*
 * Show the 16-bit little-endian Optional Support word found at offset: a
 * text item with the raw mask and, in a subtree, the search and Dfs bits
 * as booleans.
 *
 * The caller assigns the return value back to offset, so this presumably
 * returns the offset after the word; the return statement and the local
 * declarations are on lines this listing omits.
 */
7269 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7275 mask = tvb_get_letohs(tvb, offset);
7278 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7279 "Optional Support: 0x%04x", mask);
7280 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
7282 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
7283 tvb, offset, 2, mask);
7284 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
7285 tvb, offset, 2, mask);
/* Display strings for the disconnect-TID flag of the tree connect Flags
 * word.
 * NOTE(review): the string shown when the bit is set and the closing
 * brace are on lines this listing omits. */
7293 static const true_false_string tfs_disconnect_tid = {
7295 "Do NOT disconnect TID"
/*
 * Show the 16-bit little-endian Flags word of a tree connect request
 * found at offset: a text item with the raw mask and, in a subtree, the
 * disconnect-TID bit as a boolean.
 *
 * The caller assigns the return value back to offset, so this presumably
 * returns the offset after the word; the return statement and the local
 * declarations are on lines this listing omits.
 */
7299 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7305 mask = tvb_get_letohs(tvb, offset);
7308 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7309 "Flags: 0x%04x", mask);
7310 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
7312 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
7313 tvb, offset, 2, mask);
/*
 * Dissect a Tree Connect AndX request.
 *
 * Visible steps: AndX command and offset, the Flags word, the password
 * length, the password bytes, the path string, the Service string and
 * any chained AndX command.
 *
 * Security-relevant points shown by the visible code:
 *  - pwlen is read from the packet and passed to CHECK_BYTE_COUNT()
 *    before the password bytes are added to the tree as captured, so
 *    capture files with this request can hold share passwords.
 *  - On the first pass the path string is copied with se_strdup() into
 *    si->sip->extra_info under the tag SMB_EI_TIDNAME for use by the
 *    response.
 *  - The path is passed through format_text() before it is written to
 *    the Info column.
 *
 * NOTE(review): this listing omits some original lines (return type,
 * braces, offset increments, several declarations and NULL tests on the
 * returned strings).
 */
7322 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7324 guint8 wc, cmd=0xff;
7326 guint16 andxoffset=0, pwlen=0;
7327 smb_info_t *si = pinfo->private_data;
7331 DISSECTOR_ASSERT(si);
7335 /* next smb command */
7336 cmd = tvb_get_guint8(tvb, offset);
7338 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7340 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7345 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7349 andxoffset = tvb_get_letohs(tvb, offset);
7350 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7354 offset = dissect_connect_flags(tvb, tree, offset);
/* Sender-controlled length; it is passed to CHECK_BYTE_COUNT() below
 * before the password bytes are added. */
7356 /* password length*/
7357 pwlen = tvb_get_letohs(tvb, offset);
7358 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
7364 CHECK_BYTE_COUNT(pwlen);
7365 proto_tree_add_item(tree, hf_smb_password,
7366 tvb, offset, pwlen, TRUE);
7370 an = get_unicode_or_ascii_string(tvb, &offset,
7371 si->unicode, &an_len, FALSE, FALSE, &bc);
7374 proto_tree_add_string(tree, hf_smb_path, tvb,
7375 offset, an_len, an);
7376 COUNT_BYTES(an_len);
7378 /* store it for the tid->name/openframe/closeframe matching in
7379 * dissect_smb_tid() called from the response.
7381 if((!pinfo->fd->flags.visited) && si->sip && an){
7382 si->sip->extra_info_type=SMB_EI_TIDNAME;
7383 si->sip->extra_info=se_strdup(an);
7386 if (check_col(pinfo->cinfo, COL_INFO)) {
7387 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
7388 format_text(an, strlen(an)));
7392 * NOTE: the Service string is always ASCII, even if the
7393 * "strings are Unicode" bit is set in the flags2 field
7398 /* XXX - what if this runs past bc? */
/* The string size is measured in the tvb and then passed to
 * CHECK_BYTE_COUNT() before the bytes are used, which covers the case
 * raised in the XXX note above. an points into the packet buffer for
 * an_len bytes; it is not a copy.
 * NOTE(review): tvb_strsize() is expected to count the terminating NUL
 * and to throw when none is found - confirm for the tvb API in use. */
7399 an_len = tvb_strsize(tvb, offset);
7400 CHECK_BYTE_COUNT(an_len);
7401 an = tvb_get_ptr(tvb, offset, an_len);
7402 proto_tree_add_string(tree, hf_smb_service, tvb,
7403 offset, an_len, an);
7404 COUNT_BYTES(an_len);
/* An andxoffset smaller than offset raises ReportedBoundsError instead of
 * being followed, so the chained command cannot point back into bytes
 * that were already dissected. */
7408 if (cmd != 0xff) { /* there is an andX command */
7409 if (andxoffset < offset)
7410 THROW(ReportedBoundsError);
7411 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Tree Connect AndX response.
 *
 * Visible steps: AndX command and offset, the Optional Support word, any
 * further parameter words shown as raw values, the Service string, the
 * native file system string and any chained AndX command.
 *
 * Security-relevant points shown by the visible code:
 *  - The Service string is measured with tvb_strsize(), passed to
 *    CHECK_BYTE_COUNT() and then read in place through tvb_get_ptr().
 *  - On the first pass the Service string decides what is stored for this
 *    TID in si->ct->tid_service: TID_IPC when it equals IPC, otherwise
 *    TID_NORMAL, replacing any earlier entry. Later commands on the TID
 *    are dissected according to that entry, so packet content controls
 *    how following traffic is interpreted.
 *
 * NOTE(review): si->ct is dereferenced for tid_service without a visible
 * NULL test - confirm it cannot be NULL here.
 * NOTE(review): this listing omits some original lines (return type,
 * braces, offset increments, several declarations and conditions).
 */
7419 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7421 guint8 wc, wleft, cmd=0xff;
7422 guint16 andxoffset=0;
7426 smb_info_t *si = pinfo->private_data;
7428 DISSECTOR_ASSERT(si);
7432 wleft = wc; /* this is at least 1 */
7434 /* next smb command */
7435 cmd = tvb_get_guint8(tvb, offset);
7437 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
7439 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
7444 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7452 andxoffset = tvb_get_letohs(tvb, offset);
7453 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7460 offset = dissect_connect_support_bits(tvb, tree, offset);
7463 /* XXX - I've seen captures where this is 7, but I have no
7464 idea how to dissect it. I'm guessing the third word
7465 contains connect support bits, which looks plausible
7466 from the values I've seen. */
/* Remaining parameter words are shown as raw 16-bit values. wleft is a
 * guint8 taken from the sender-supplied word count.
 * NOTE(review): the decrement of wleft and the advance of offset are on
 * lines this listing omits - confirm the loop always makes progress. */
7468 while (wleft != 0) {
7469 proto_tree_add_text(tree, tvb, offset, 2,
7470 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
7478 * NOTE: even though the SNIA CIFS spec doesn't say there's
7479 * a "Service" string if there's a word count of 2, the
7482 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
7484 * (it's in an ugly format - text intended to be sent to a
7485 * printer, with backspaces and overstrikes used for boldfacing
7486 * and underlining; UNIX "col -b" can be used to strip the
7487 * overstrikes out) says there's a "Service" string there, and
7488 * some network traffic has it.
7492 * NOTE: the Service string is always ASCII, even if the
7493 * "strings are Unicode" bit is set in the flags2 field
7498 /* XXX - what if this runs past bc? */
7499 an_len = tvb_strsize(tvb, offset);
7500 CHECK_BYTE_COUNT(an_len);
7501 an = tvb_get_ptr(tvb, offset, an_len);
7502 proto_tree_add_string(tree, hf_smb_service, tvb,
7503 offset, an_len, an);
7504 COUNT_BYTES(an_len);
7506 /* Now when we know the service type, store it so that we know it for later commands down
7508 if(!pinfo->fd->flags.visited){
7509 /* Remove any previous entry for this TID */
7510 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
7511 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
7513 if(strcmp(an,"IPC") == 0){
7514 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
7516 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_NORMAL);
7524 * Sometimes this isn't present.
7528 an = get_unicode_or_ascii_string(tvb, &offset,
7529 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
7533 proto_tree_add_string(tree, hf_smb_fs, tvb,
7534 offset, an_len, an);
7535 COUNT_BYTES(an_len);
/* An andxoffset smaller than offset raises ReportedBoundsError instead of
 * being followed, so the chained command cannot point back into bytes
 * that were already dissected. */
7541 if (cmd != 0xff) { /* there is an andX command */
7542 if (andxoffset < offset)
7543 THROW(ReportedBoundsError);
7544 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
7552 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7553 NT Transaction command begins here
7554 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* NT Transaction subcommand codes and the names shown for them.
 * nt_cmd_vals is not static, so it is visible to other files.
 * NOTE(review): the end of the array is on lines this listing omits. */
7555 #define NT_TRANS_CREATE 1
7556 #define NT_TRANS_IOCTL 2
7557 #define NT_TRANS_SSD 3
7558 #define NT_TRANS_NOTIFY 4
7559 #define NT_TRANS_RENAME 5
7560 #define NT_TRANS_QSD 6
7561 #define NT_TRANS_GET_USER_QUOTA 7
7562 #define NT_TRANS_SET_USER_QUOTA 8
7563 const value_string nt_cmd_vals[] = {
7564 {NT_TRANS_CREATE, "NT CREATE"},
7565 {NT_TRANS_IOCTL, "NT IOCTL"},
7566 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
7567 {NT_TRANS_NOTIFY, "NT NOTIFY"},
7568 {NT_TRANS_RENAME, "NT RENAME"},
7569 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
7570 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
7571 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
/* Display names for the NT IOCTL IsFsctl value (0 or 1) and for the
 * root-handle flag bit 0x01 of the NT IOCTL flags.
 * NOTE(review): the ends of both initializers are on lines this listing
 * omits. */
7575 static const value_string nt_ioctl_isfsctl_vals[] = {
7576 {0, "Device IOCTL"},
7577 {1, "FS control : FSCTL"},
7581 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
7582 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
7583 "Apply the command to share root handle (MUST BE Dfs)",
7584 "Apply to this share",
/* Display names for NT NOTIFY action codes 1 to 8 and for the watch-tree
 * value (0 or 1).
 * NOTE(review): the string for action 1 lacks its closing parenthesis.
 * NOTE(review): the ends of both arrays are on lines this listing
 * omits. */
7587 static const value_string nt_notify_action_vals[] = {
7588 {1, "ADDED (object was added"},
7589 {2, "REMOVED (object was removed)"},
7590 {3, "MODIFIED (object was modified)"},
7591 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
7592 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
7593 {6, "ADDED_STREAM (a stream was added)"},
7594 {7, "REMOVED_STREAM (a stream was removed)"},
7595 {8, "MODIFIED_STREAM (a stream was modified)"},
7599 static const value_string watch_tree_vals[] = {
7600 {0, "Current directory only"},
7601 {1, "Subdirectories also"},
/* NT_NOTIFY_* bit masks (one bit each, 0x00000001 to 0x00000800) and the
 * true/false display strings named after them: in each pair the first
 * string is shown when the bit is set, the second when it is clear.
 * NOTE(review): the closing brace of each initializer is on a line this
 * listing omits. */
7605 #define NT_NOTIFY_STREAM_WRITE 0x00000800
7606 #define NT_NOTIFY_STREAM_SIZE 0x00000400
7607 #define NT_NOTIFY_STREAM_NAME 0x00000200
7608 #define NT_NOTIFY_SECURITY 0x00000100
7609 #define NT_NOTIFY_EA 0x00000080
7610 #define NT_NOTIFY_CREATION 0x00000040
7611 #define NT_NOTIFY_LAST_ACCESS 0x00000020
7612 #define NT_NOTIFY_LAST_WRITE 0x00000010
7613 #define NT_NOTIFY_SIZE 0x00000008
7614 #define NT_NOTIFY_ATTRIBUTES 0x00000004
7615 #define NT_NOTIFY_DIR_NAME 0x00000002
7616 #define NT_NOTIFY_FILE_NAME 0x00000001
7617 static const true_false_string tfs_nt_notify_stream_write = {
7618 "Notify on changes to STREAM WRITE",
7619 "Do NOT notify on changes to stream write",
7621 static const true_false_string tfs_nt_notify_stream_size = {
7622 "Notify on changes to STREAM SIZE",
7623 "Do NOT notify on changes to stream size",
7625 static const true_false_string tfs_nt_notify_stream_name = {
7626 "Notify on changes to STREAM NAME",
7627 "Do NOT notify on changes to stream name",
7629 static const true_false_string tfs_nt_notify_security = {
7630 "Notify on changes to SECURITY",
7631 "Do NOT notify on changes to security",
7633 static const true_false_string tfs_nt_notify_ea = {
7634 "Notify on changes to EA",
7635 "Do NOT notify on changes to EA",
7637 static const true_false_string tfs_nt_notify_creation = {
7638 "Notify on changes to CREATION TIME",
7639 "Do NOT notify on changes to creation time",
7641 static const true_false_string tfs_nt_notify_last_access = {
7642 "Notify on changes to LAST ACCESS TIME",
7643 "Do NOT notify on changes to last access time",
7645 static const true_false_string tfs_nt_notify_last_write = {
7646 "Notify on changes to LAST WRITE TIME",
7647 "Do NOT notify on changes to last write time",
7649 static const true_false_string tfs_nt_notify_size = {
7650 "Notify on changes to SIZE",
7651 "Do NOT notify on changes to size",
7653 static const true_false_string tfs_nt_notify_attributes = {
7654 "Notify on changes to ATTRIBUTES",
7655 "Do NOT notify on changes to attributes",
7657 static const true_false_string tfs_nt_notify_dir_name = {
7658 "Notify on changes to DIR NAME",
7659 "Do NOT notify on changes to dir name",
7661 static const true_false_string tfs_nt_notify_file_name = {
7662 "Notify on changes to FILE NAME",
7663 "Do NOT notify on changes to file name",
/* Display names for the create disposition values 0 to 5 and for
 * impersonation levels. Both arrays are non-static, so they are visible
 * to other files.
 * NOTE(review): this listing omits some lines of impersonation_level_vals
 * (only the entries for 1 and 2 are visible) and the ends of both
 * arrays. */
7666 const value_string create_disposition_vals[] = {
7667 {0, "Supersede (supersede existing file (if it exists))"},
7668 {1, "Open (if file exists open it, else fail)"},
7669 {2, "Create (if file exists fail, else create it)"},
7670 {3, "Open If (if file exists open it, else create it)"},
7671 {4, "Overwrite (if file exists overwrite, else fail)"},
7672 {5, "Overwrite If (if file exists overwrite, else create it)"},
7676 const value_string impersonation_level_vals[] = {
7678 {1, "Identification"},
7679 {2, "Impersonation"},
/*
 * Display strings ("bit set" / "bit clear") for the two Security Flags bits
 * decoded by dissect_nt_security_flags() and for the NT create flag bits
 * (oplock, batch oplock, directory, extended response).
 */
7684 static const true_false_string tfs_nt_security_flags_context_tracking = {
7685 "Security tracking mode is DYNAMIC",
7686 "Security tracking mode is STATIC",
7689 static const true_false_string tfs_nt_security_flags_effective_only = {
7690 "ONLY ENABLED aspects of the client's security context are available",
7691 "ALL aspects of the client's security context are available",
7694 static const true_false_string tfs_nt_create_bits_oplock = {
7695 "Requesting OPLOCK",
7696 "Does NOT request oplock"
7699 static const true_false_string tfs_nt_create_bits_boplock = {
7700 "Requesting BATCH OPLOCK",
7701 "Does NOT request batch oplock"
7705 * XXX - must be a directory, and can be a file, or can be a directory,
7706 * and must be a file?
7708 static const true_false_string tfs_nt_create_bits_dir = {
7709 "Target of open MUST be a DIRECTORY",
7710 "Target of open can be a file"
7713 static const true_false_string tfs_nt_create_bits_ext_resp = {
7714 "Extended responses required",
7715 "Extended responses NOT required"
/*
 * Display strings for the NT access mask bits and the share access bits,
 * as "bit set" / "bit clear" pairs.  Several describe broad or
 * control-changing rights -- GENERIC ALL, MAXIMUM ALLOWED, SYSTEM SECURITY,
 * WRITE OWNER (take ownership) and WRITE the DAC -- so the decoded mask
 * shows what level of access a client asked for.
 * NOTE(review): this listing omits the strings of some entries (delete,
 * execute, append, write, read) and the closing line of every initializer.
 */
7718 static const true_false_string tfs_nt_access_mask_generic_read = {
7719 "GENERIC READ is set",
7720 "Generic read is NOT set"
7722 static const true_false_string tfs_nt_access_mask_generic_write = {
7723 "GENERIC WRITE is set",
7724 "Generic write is NOT set"
7726 static const true_false_string tfs_nt_access_mask_generic_execute = {
7727 "GENERIC EXECUTE is set",
7728 "Generic execute is NOT set"
7730 static const true_false_string tfs_nt_access_mask_generic_all = {
7731 "GENERIC ALL is set",
7732 "Generic all is NOT set"
7734 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
7735 "MAXIMUM ALLOWED is set",
7736 "Maximum allowed is NOT set"
7738 static const true_false_string tfs_nt_access_mask_system_security = {
7739 "SYSTEM SECURITY is set",
7740 "System security is NOT set"
7742 static const true_false_string tfs_nt_access_mask_synchronize = {
7743 "Can wait on handle to SYNCHRONIZE on completion of I/O",
7744 "Can NOT wait on handle to synchronize on completion of I/O"
7746 static const true_false_string tfs_nt_access_mask_write_owner = {
7747 "Can WRITE OWNER (take ownership)",
7748 "Can NOT write owner (take ownership)"
7750 static const true_false_string tfs_nt_access_mask_write_dac = {
7751 "OWNER may WRITE the DAC",
7752 "Owner may NOT write to the DAC"
7754 static const true_false_string tfs_nt_access_mask_read_control = {
7755 "READ ACCESS to owner, group and ACL of the SID",
7756 "Read access is NOT granted to owner, group and ACL of the SID"
7758 static const true_false_string tfs_nt_access_mask_delete = {
7762 static const true_false_string tfs_nt_access_mask_write_attributes = {
7763 "WRITE ATTRIBUTES access",
7764 "NO write attributes access"
7766 static const true_false_string tfs_nt_access_mask_read_attributes = {
7767 "READ ATTRIBUTES access",
7768 "NO read attributes access"
7770 static const true_false_string tfs_nt_access_mask_delete_child = {
7771 "DELETE CHILD access",
7772 "NO delete child access"
7774 static const true_false_string tfs_nt_access_mask_execute = {
7778 static const true_false_string tfs_nt_access_mask_write_ea = {
7779 "WRITE EXTENDED ATTRIBUTES access",
7780 "NO write extended attributes access"
7782 static const true_false_string tfs_nt_access_mask_read_ea = {
7783 "READ EXTENDED ATTRIBUTES access",
7784 "NO read extended attributes access"
7786 static const true_false_string tfs_nt_access_mask_append = {
7790 static const true_false_string tfs_nt_access_mask_write = {
7794 static const true_false_string tfs_nt_access_mask_read = {
/* Share access bits: what other opens of the same object are permitted. */
7799 static const true_false_string tfs_nt_share_access_delete = {
7800 "Object can be shared for DELETE",
7801 "Object can NOT be shared for delete"
7803 static const true_false_string tfs_nt_share_access_write = {
7804 "Object can be shared for WRITE",
7805 "Object can NOT be shared for write"
7807 static const true_false_string tfs_nt_share_access_read = {
7808 "Object can be shared for READ",
7809 "Object can NOT be shared for read"
/*
 * Value-to-name tables for the oplock level, device type and is-directory
 * fields.  The numeric keys are matched against values read from the
 * packet.  NOTE(review): the table terminators are not visible in this
 * listing.
 */
7812 static const value_string oplock_level_vals[] = {
7813 {0, "No oplock granted"},
7814 {1, "Exclusive oplock granted"},
7815 {2, "Batch oplock granted"},
7816 {3, "Level II oplock granted"},
7820 static const value_string device_type_vals[] = {
7821 {0x00000001, "Beep"},
7822 {0x00000002, "CDROM"},
7823 {0x00000003, "CDROM Filesystem"},
7824 {0x00000004, "Controller"},
7825 {0x00000005, "Datalink"},
7826 {0x00000006, "Dfs"},
7827 {0x00000007, "Disk"},
7828 {0x00000008, "Disk Filesystem"},
7829 {0x00000009, "Filesystem"},
7830 {0x0000000a, "Inport Port"},
7831 {0x0000000b, "Keyboard"},
7832 {0x0000000c, "Mailslot"},
7833 {0x0000000d, "MIDI-In"},
7834 {0x0000000e, "MIDI-Out"},
7835 {0x0000000f, "Mouse"},
7836 {0x00000010, "Multi UNC Provider"},
7837 {0x00000011, "Named Pipe"},
7838 {0x00000012, "Network"},
7839 {0x00000013, "Network Browser"},
7840 {0x00000014, "Network Filesystem"},
7841 {0x00000015, "NULL"},
7842 {0x00000016, "Parallel Port"},
7843 {0x00000017, "Physical card"},
7844 {0x00000018, "Printer"},
7845 {0x00000019, "Scanner"},
7846 {0x0000001a, "Serial Mouse port"},
7847 {0x0000001b, "Serial port"},
7848 {0x0000001c, "Screen"},
7849 {0x0000001d, "Sound"},
7850 {0x0000001e, "Streams"},
7851 {0x0000001f, "Tape"},
7852 {0x00000020, "Tape Filesystem"},
7853 {0x00000021, "Transport"},
7854 {0x00000022, "Unknown"},
7855 {0x00000023, "Video"},
7856 {0x00000024, "Virtual Disk"},
7857 {0x00000025, "WAVE-In"},
7858 {0x00000026, "WAVE-Out"},
7859 {0x00000027, "8042 Port"},
7860 {0x00000028, "Network Redirector"},
7861 {0x00000029, "Battery"},
7862 {0x0000002a, "Bus Extender"},
7863 {0x0000002b, "Modem"},
7864 {0x0000002c, "VDM"},
7868 static const value_string is_directory_vals[] = {
7869 {0, "This is NOT a directory"},
7870 {1, "This is a DIRECTORY"},
7874 typedef struct _nt_trans_data {
/*
 * Dissect the one-byte Security Flags field at offset.  The byte is read
 * once, shown as "Security Flags: 0x.." with its own subtree, and the
 * context-tracking and effective-only bits are decoded from that value.
 * The byte comes from the packet and is only displayed here.
 * NOTE(review): the return type, the local declarations and the lines that
 * advance and return offset are not visible in this listing; callers assign
 * the result back to offset.
 */
7883 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7889 mask = tvb_get_guint8(tvb, offset);
7892 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7893 "Security Flags: 0x%02x", mask);
7894 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
7896 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
7897 tvb, offset, 1, mask);
7898 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
7899 tvb, offset, 1, mask);
7908 * XXX - there are some more flags in the description of "ZwOpenFile()"
7909 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
7910 * the wire as well? (The spec at
7912 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
7914 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
7915 * via the SMB protocol. The NT redirector should convert this option
7916 * to FILE_WRITE_THROUGH."
7918 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
7919 * values one would infer from their position in the list of flags for
7920 * "ZwOpenFile()". Most of the others probably have those values
7921 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
7922 * which might go over the wire (for the benefit of backup/restore software).
/*
 * Display strings ("bit set" / "bit clear") for the NT create options
 * bits.  Options that change how the object is opened or what happens to
 * it afterwards -- delete on close, backup intent, open by file ID, open a
 * reparse point -- are labelled here so they can be read straight from the
 * decoded request.
 * NOTE(review): the second string of tfs_nt_create_options_open_reparse_point
 * and the closing line of every initializer are not visible in this listing.
 */
7924 static const true_false_string tfs_nt_create_options_directory = {
7925 "File being created/opened must be a directory",
7926 "File being created/opened must not be a directory"
7928 static const true_false_string tfs_nt_create_options_write_through = {
7929 "Writes should flush buffered data before completing",
7930 "Writes need not flush buffered data before completing"
7932 static const true_false_string tfs_nt_create_options_sequential_only = {
7933 "The file will only be accessed sequentially",
7934 "The file might not only be accessed sequentially"
7936 static const true_false_string tfs_nt_create_options_no_intermediate_buffering = {
7937 "NO intermediate buffering is allowed",
7938 "Intermediate buffering is allowed"
7940 static const true_false_string tfs_nt_create_options_sync_io_alert = {
7941 "All operations SYNCHRONOUS, waits subject to termination from alert",
7942 "Operations NOT necessarily synchronous"
7944 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
7945 "All operations SYNCHRONOUS, waits not subject to alert",
7946 "Operations NOT necessarily synchronous"
7948 static const true_false_string tfs_nt_create_options_non_directory = {
7949 "File being created/opened must not be a directory",
7950 "File being created/opened must be a directory"
7952 static const true_false_string tfs_nt_create_options_create_tree_connection = {
7953 "Create Tree Connections is SET",
7954 "Create Tree Connections is NOT set"
7956 static const true_false_string tfs_nt_create_options_complete_if_oplocked = {
7957 "Complete if oplocked is SET",
7958 "Complete if oplocked is NOT set"
7960 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
7961 "The client does not understand extended attributes",
7962 "The client understands extended attributes"
7964 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
7965 "The client understands only 8.3 file names",
7966 "The client understands long file names"
7968 static const true_false_string tfs_nt_create_options_random_access = {
7969 "The file will be accessed randomly",
7970 "The file will not be accessed randomly"
7972 static const true_false_string tfs_nt_create_options_delete_on_close = {
7973 "The file should be deleted when it is closed",
7974 "The file should not be deleted when it is closed"
7976 static const true_false_string tfs_nt_create_options_open_by_fileid = {
7977 "OpenByFileID bit is SET",
7978 "OpenByFileID is NOT set"
7980 static const true_false_string tfs_nt_create_options_backup_intent = {
7981 "This is a create with BACKUP INTENT",
7982 "This is a normal create"
7984 static const true_false_string tfs_nt_create_options_no_compression = {
7985 "Open/Create with NO Compression",
7986 "Compression is allowed for Open/Create"
7988 static const true_false_string tfs_nt_create_options_reserve_opfilter = {
7989 "Reserve Opfilter is SET",
7990 "Reserve Opfilter is NOT set"
7992 static const true_false_string tfs_nt_create_options_open_reparse_point = {
7993 "Open a Reparse Point",
7996 static const true_false_string tfs_nt_create_options_open_no_recall = {
7997 "Open No Recall is SET",
7998 "Open no recall is NOT set"
8000 static const true_false_string tfs_nt_create_options_open_for_free_space_query = {
8001 "This is an OPEN FOR FREE SPACE QUERY",
8002 "This is NOT an open for free space query"
/*
 * Dissect the 4-byte little-endian completion filter of an NT notify
 * request.  The value is read once, shown as "Completion Filter: 0x.." with
 * its own subtree, and twelve boolean fields are decoded from it, all
 * covering the same 4 bytes at offset.
 * NOTE(review): the return type, local declarations and the lines that
 * advance and return offset are not visible in this listing; the caller
 * assigns the result back to offset.
 */
8006 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8012 mask = tvb_get_letohl(tvb, offset);
8015 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
8016 "Completion Filter: 0x%08x", mask);
8017 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
8019 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
8020 tvb, offset, 4, mask);
8021 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
8022 tvb, offset, 4, mask);
8023 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
8024 tvb, offset, 4, mask);
8025 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
8026 tvb, offset, 4, mask);
8027 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
8028 tvb, offset, 4, mask);
8029 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
8030 tvb, offset, 4, mask);
8031 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
8032 tvb, offset, 4, mask);
8033 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
8034 tvb, offset, 4, mask);
8035 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
8036 tvb, offset, 4, mask);
8037 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
8038 tvb, offset, 4, mask);
8039 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
8040 tvb, offset, 4, mask);
8041 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
8042 tvb, offset, 4, mask);
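/*
 * Dissect the one-byte flags field of an NT Transact IOCTL setup block.
 *
 * tvb and offset locate the byte in the packet; parent_tree may be NULL
 * when no protocol tree is being built.  The byte is shown as a text item
 * with its own subtree and the root-handle bit is decoded from it.
 * Returns the offset just past the field.
 */
static int
dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	guint8 mask;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	mask = tvb_get_guint8(tvb, offset);

	if(parent_tree){
		/*
		 * The label used to read "Completion Filter", carried over
		 * from the notify dissector; this byte holds the IOCTL flags.
		 */
		item = proto_tree_add_text(parent_tree, tvb, offset, 1,
			"IOCTL Flags: 0x%02x", mask);
		tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
	}

	proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
		tvb, offset, 1, mask);

	offset += 1;

	return offset;
}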
8072 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
8073 * Native API Reference".
/*
 * Display strings and bit values for the security information mask decoded
 * by dissect_security_information_mask(): which parts of a security
 * descriptor (owner, group, DACL, SACL) the transaction refers to.
 * The same mask dissector is called for both NT_TRANS_QSD and NT_TRANS_SSD,
 * so the "Requesting ..." wording is also what a set request displays.
 */
8075 static const true_false_string tfs_nt_qsd_owner = {
8076 "Requesting OWNER security information",
8077 "NOT requesting owner security information",
8080 static const true_false_string tfs_nt_qsd_group = {
8081 "Requesting GROUP security information",
8082 "NOT requesting group security information",
8085 static const true_false_string tfs_nt_qsd_dacl = {
8086 "Requesting DACL security information",
8087 "NOT requesting DACL security information",
8090 static const true_false_string tfs_nt_qsd_sacl = {
8091 "Requesting SACL security information",
8092 "NOT requesting SACL security information",
/* One bit per security descriptor component in the 32-bit mask. */
8095 #define NT_QSD_OWNER 0x00000001
8096 #define NT_QSD_GROUP 0x00000002
8097 #define NT_QSD_DACL 0x00000004
8098 #define NT_QSD_SACL 0x00000008
/*
 * Dissect the 4-byte little-endian security information mask.  The value is
 * read once, shown as "Security Information: 0x.." with its own subtree,
 * and the owner, group, DACL and SACL bits are decoded from it.
 * NOTE(review): the return type, local declarations and the lines that
 * advance and return offset are not visible in this listing; callers assign
 * the result back to offset.
 */
8101 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8107 mask = tvb_get_letohl(tvb, offset);
8110 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
8111 "Security Information: 0x%08x", mask);
8112 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
8114 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
8115 tvb, offset, 4, mask);
8116 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
8117 tvb, offset, 4, mask);
8118 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
8119 tvb, offset, 4, mask);
8120 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
8121 tvb, offset, 4, mask);
/*
 * Dissect user quota data: a 4-byte value kept in qsize (displayed as the
 * quota offset), a 4-byte SID length, 8 unknown bytes, then the used quota,
 * the soft limit and the hard limit (8 bytes each), followed by the SID
 * itself via dissect_nt_sid().  *bcp is the caller's remaining byte count.
 * CHECK_BYTE_COUNT_TRANS_SUBR() / COUNT_BYTES_TRANS_SUBR() are defined
 * elsewhere in the file; presumably they test *bcp and then advance offset
 * while decrementing *bcp -- confirm against their definitions.
 * NOTE(review): the declarations, any enclosing loop and the return are
 * not visible in this listing.
 */
8130 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
8132 int old_offset, old_sid_offset;
/* qsize is a 32-bit value taken from the packet; no range check on it is
 * visible on the lines shown here. */
8138 CHECK_BYTE_COUNT_TRANS_SUBR(4);
8139 qsize=tvb_get_letohl(tvb, offset);
8140 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
8141 COUNT_BYTES_TRANS_SUBR(4);
/* The SID length is an unsigned 32-bit wire value printed with %d, so a
 * value of 0x80000000 or more is displayed as negative. */
8143 CHECK_BYTE_COUNT_TRANS_SUBR(4);
8145 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
8146 COUNT_BYTES_TRANS_SUBR(4);
8148 /* 8 unknown bytes (this comment used to say 16; the checks below consume 8) */
8149 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8150 proto_tree_add_item(tree, hf_smb_unknown, tvb,
8152 COUNT_BYTES_TRANS_SUBR(8);
8154 /* number of bytes for used quota */
8155 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8156 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
8157 COUNT_BYTES_TRANS_SUBR(8);
8159 /* number of bytes for quota warning */
8160 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8161 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
8162 COUNT_BYTES_TRANS_SUBR(8);
8164 /* number of bytes for quota limit */
8165 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8166 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
8167 COUNT_BYTES_TRANS_SUBR(8);
8169 /* SID of the user */
/* *bcp is a guint16: if dissect_nt_sid() consumed more bytes than *bcp
 * holds, the subtraction below wraps to a large count.
 * NOTE(review): no bound check is visible before it -- confirm. */
8170 old_sid_offset=offset;
8171 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
8172 *bcp -= (offset-old_sid_offset);
/* Move to the next entry using the wire-supplied qsize.  offset is a
 * signed int, so a qsize that is smaller than the bytes already consumed
 * moves the walk backwards and a very large one can wrap.
 * NOTE(review): confirm the surrounding lines (not shown) reject such
 * values so dissection always advances and stays inside the buffer. */
8175 offset = old_offset+qsize;
/*
 * Dissect the data block of an NT Transact request, dispatching on
 * ntd->subcmd.  bc is the data byte count supplied by the caller; ntd
 * carries values recorded while dissecting the parameter block (ea_len is
 * used below); nti is the per-request state, which the caller leaves NULL
 * when it has no saved request info.
 * NOTE(review): several lines (conditions, break statements, the return)
 * are not visible in this listing.
 */
8185 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd, smb_nt_transact_info_t *nti)
8187 proto_item *item = NULL;
8188 proto_tree *tree = NULL;
8190 int old_offset = offset;
8191 guint16 bcp=bc; /* XXX fixme: bc is an int, so this truncates it to 16 bits */
8192 struct access_mask_info *ami=NULL;
8193 tvbuff_t *ioctl_tvb;
8195 si = (smb_info_t *)pinfo->private_data;
8197 DISSECTOR_ASSERT(si);
/* Make sure the whole data block is present before labelling it. */
8200 tvb_ensure_bytes_exist(tvb, offset, bc);
8201 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
8203 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8204 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8207 switch(ntd->subcmd){
8208 case NT_TRANS_CREATE:
8209 /* security descriptor */
8211 offset = dissect_nt_sec_desc(
8212 tvb, offset, pinfo, tree, NULL, TRUE,
8216 /* extended attributes */
/* ntd->ea_len was read from the parameter block as a 32-bit wire value.
 * It is used as an item length and then added to the signed int offset;
 * NOTE(review): this relies on proto_tree_add_item() rejecting a length
 * that runs past the buffer before offset is advanced -- confirm. */
8218 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
8219 offset += ntd->ea_len;
8223 case NT_TRANS_IOCTL:
/* The IOCTL payload is handed on in its own tvb: captured length capped
 * at what remains in the buffer, reported length bc.
 * NOTE(review): nti is dereferenced here and in the fid_type switch
 * below; confirm a NULL guard exists on the lines not shown, since the
 * caller initialises nti to NULL. */
8225 ioctl_tvb=tvb_new_subset(tvb, offset, MIN((int)bc, tvb_length_remaining(tvb, offset)), bc);
8226 dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree, nti->ioctl_function, TRUE);
/* Pick the access mask decoding that matches the type remembered for
 * this FID; ami stays NULL for other types. */
8234 switch(nti->fid_type){
8235 case SMB_FID_TYPE_FILE:
8236 ami= &smb_file_access_mask_info;
8238 case SMB_FID_TYPE_DIR:
8239 ami= &smb_dir_access_mask_info;
8244 offset = dissect_nt_sec_desc(
8245 tvb, offset, pinfo, tree, NULL, TRUE, bc, ami);
8247 case NT_TRANS_NOTIFY:
8249 case NT_TRANS_RENAME:
8250 /* XXX not documented */
8254 case NT_TRANS_GET_USER_QUOTA:
8255 /* unknown 4 bytes */
8256 proto_tree_add_item(tree, hf_smb_unknown, tvb,
8261 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
8264 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
8266 case NT_TRANS_SET_USER_QUOTA:
8267 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8271 /* oops, there was data we didn't know how to process: show the rest as unknown bytes */
8272 if((offset-old_offset) < bc){
8273 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
8274 bc - (offset-old_offset), TRUE);
8275 offset += bc - (offset-old_offset);
/*
 * Dissect the parameter block of an NT Transact request, dispatching on
 * ntd->subcmd.  For NT_TRANS_CREATE it decodes the create flags, root
 * directory FID, access mask, allocation size, file attributes, share
 * access, disposition and options, records the security descriptor and
 * extended attribute lengths in ntd for the data dissector, and then reads
 * the file name.  For NT_TRANS_SSD and NT_TRANS_QSD it decodes the FID and
 * the security information mask and remembers the FID type in nti.
 * Every length and flag here comes from the packet.
 * NOTE(review): offset advances, some conditions and the return are not
 * visible in this listing.
 */
8282 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc, smb_nt_transact_info_t *nti)
8284 proto_item *item = NULL;
8285 proto_tree *tree = NULL;
8287 guint32 fn_len, create_flags, access_mask, file_attributes, share_access, create_options, create_disposition;
8290 si = (smb_info_t *)pinfo->private_data;
8292 DISSECTOR_ASSERT(si);
8295 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8297 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8298 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8301 switch(ntd->subcmd){
8302 case NT_TRANS_CREATE:
8304 create_flags=tvb_get_letohl(tvb, offset);
8305 offset = dissect_nt_create_bits(tvb, tree, offset, 4, create_flags);
8308 /* root directory fid */
8309 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8312 /* nt access mask */
8313 access_mask=tvb_get_letohl(tvb, offset);
8314 offset = dissect_smb_access_mask_bits(tvb, tree, offset, 4, access_mask);
8317 /* allocation size */
8318 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8321 /* Extended File Attributes */
8322 file_attributes=tvb_get_letohl(tvb, offset);
8323 offset = dissect_file_ext_attr_bits(tvb, tree, offset, 4, file_attributes);
8327 share_access=tvb_get_letohl(tvb, offset);
8328 offset = dissect_nt_share_access_bits(tvb, tree, offset, 4, share_access);
8331 /* create disposition */
8332 create_disposition=tvb_get_letohl(tvb, offset);
8333 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8336 /* create options */
8337 create_options=tvb_get_letohl(tvb, offset);
8338 offset = dissect_nt_create_options_bits(tvb, tree, offset, 4, create_options);
/* Security descriptor and EA list lengths are stored unvalidated in ntd;
 * the data dissector later uses ea_len as a length and offset increment. */
8342 ntd->sd_len = tvb_get_letohl(tvb, offset);
8343 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
8347 ntd->ea_len = tvb_get_letohl(tvb, offset);
8348 proto_tree_add_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ntd->ea_len);
/* File name length as claimed by the packet; it is passed by pointer to
 * get_unicode_or_ascii_string() below together with the byte count bc. */
8352 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8353 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8356 /* impersonation level */
8357 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8360 /* security flags */
8361 offset = dissect_nt_security_flags(tvb, tree, offset);
8365 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8367 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8369 COUNT_BYTES(fn_len);
8373 case NT_TRANS_IOCTL:
/* NOTE(review): the SSD and QSD cases write through nti; the caller
 * passes NULL when it has no saved request info, so confirm a NULL guard
 * exists on the lines not shown here. */
8375 case NT_TRANS_SSD: {
8377 smb_fid_info_t *fid_info;
8380 fid = tvb_get_letohs(tvb, offset);
8381 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
8385 nti->fid_type=fid_info->type;
8387 nti->fid_type=SMB_FID_TYPE_UNKNOWN;
8391 /* 2 reserved bytes */
8392 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8395 /* security information */
8396 offset = dissect_security_information_mask(tvb, tree, offset);
8399 case NT_TRANS_NOTIFY:
8401 case NT_TRANS_RENAME:
8402 /* XXX not documented */
8404 case NT_TRANS_QSD: {
8406 smb_fid_info_t *fid_info;
8409 fid = tvb_get_letohs(tvb, offset);
8410 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
8414 nti->fid_type=fid_info->type;
8416 nti->fid_type=SMB_FID_TYPE_UNKNOWN;
8420 /* 2 reserved bytes */
8421 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8424 /* security information */
8425 offset = dissect_security_information_mask(tvb, tree, offset);
8428 case NT_TRANS_GET_USER_QUOTA:
8429 /* not decoded yet */
8431 case NT_TRANS_SET_USER_QUOTA:
8432 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transact request, dispatching on
 * ntd->subcmd.  len is the setup length in bytes; the function returns
 * old_offset+len regardless of how much was decoded.
 * For NT_TRANS_IOCTL it records the IOCTL function code in the
 * per-request state (nti->ioctl_function), which the data dissectors read
 * later.
 * NOTE(review): offset advances and some declarations are not visible in
 * this listing.
 */
8440 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
8442 proto_item *item = NULL;
8443 proto_tree *tree = NULL;
8444 int old_offset = offset;
8446 smb_nt_transact_info_t *nti;
8447 smb_saved_info_t *sip;
8450 si = (smb_info_t *)pinfo->private_data;
8451 DISSECTOR_ASSERT(si);
8453 DISSECTOR_ASSERT(sip);
/* NOTE(review): extra_info is taken as an smb_nt_transact_info_t without
 * a visible check of sip->extra_info_type; the response dissectors in
 * this file test for SMB_EI_NTI first.  Confirm the type (and non-NULL)
 * is guaranteed before nti is written through below. */
8454 nti=sip->extra_info;
8458 tvb_ensure_bytes_exist(tvb, offset, len);
8459 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8461 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8462 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8465 switch(ntd->subcmd){
8466 case NT_TRANS_CREATE:
8468 case NT_TRANS_IOCTL: {
/* function code, FID, is-fsctl byte, then the flags byte */
8472 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &nti->ioctl_function);
8475 fid = tvb_get_letohs(tvb, offset);
8476 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
8480 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
8484 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
8490 case NT_TRANS_NOTIFY: {
8493 /* completion filter */
8494 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
8497 fid = tvb_get_letohs(tvb, offset);
8498 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
8502 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
8506 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8511 case NT_TRANS_RENAME:
8512 /* XXX not documented */
8516 case NT_TRANS_GET_USER_QUOTA:
8517 /* not decoded yet */
8519 case NT_TRANS_SET_USER_QUOTA:
8520 /* not decoded yet */
/* Skip the whole setup area even if only part of it was decoded. */
8524 return old_offset+len;
/*
 * Dissect an NT Transact request (primary or secondary): the fixed header
 * with its parameter/data counts, offsets and displacements, then the
 * setup words, the parameter block and the data block.
 *
 * pc/po and dc/od are 32-bit counts and offsets taken from the packet.
 * They decide how much padding is skipped and how many bytes are handed to
 * dissect_nt_trans_param_request() and dissect_nt_trans_data_request().
 * CHECK_BYTE_COUNT() is applied to the padding and to both counts before
 * use; it is defined elsewhere in the file and presumably stops dissection
 * when the SMB byte count is too small -- confirm against its definition.
 * NOTE(review): many lines of this function (declarations, the
 * primary/secondary conditions, offset advances, the padcnt computation)
 * are not visible in this listing.
 */
8529 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8532 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
8534 smb_saved_info_t *sip;
8539 smb_nt_transact_info_t *nti=NULL;
8541 ntd.subcmd = ntd.sd_len = ntd.ea_len = 0;
8543 si = (smb_info_t *)pinfo->private_data;
8544 DISSECTOR_ASSERT(si);
8550 /* primary request */
8551 /* max setup count */
8552 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
8555 /* 2 reserved bytes */
8556 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8559 /* secondary request */
8560 /* 3 reserved bytes */
8561 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8566 /* total param count */
8567 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
8570 /* total data count */
8571 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
8575 /* primary request */
8576 /* max param count */
8577 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
8580 /* max data count */
8581 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
/* parameter count and offset for this packet */
8586 pc = tvb_get_letohl(tvb, offset);
8587 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8591 po = tvb_get_letohl(tvb, offset);
8592 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8595 /* param displacement */
8597 /* primary request*/
8600 /* secondary request */
8601 pd = tvb_get_letohl(tvb, offset);
8602 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
/* data count and offset for this packet */
8607 dc = tvb_get_letohl(tvb, offset);
8608 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8612 od = tvb_get_letohl(tvb, offset);
8613 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8616 /* data displacement */
8618 /* primary request */
8621 /* secondary request */
8622 dd = tvb_get_letohl(tvb, offset);
8623 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8629 /* primary request */
8630 sc = tvb_get_guint8(tvb, offset);
8631 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8634 /* secondary request */
8640 /* primary request */
8641 subcmd = tvb_get_letohs(tvb, offset);
8642 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
8643 if(check_col(pinfo->cinfo, COL_INFO)){
8644 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8645 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
8647 ntd.subcmd = subcmd;
/*
 * Per-request state (nti) is created on the first pass over the packet
 * and attached to the saved request info.  When the conversation is
 * unidirectional or there is no saved request info, nti keeps its
 * initial NULL and is passed as NULL to the sub-dissectors below.
 * Only subcmd and fid_type are set on the visible lines after
 * se_alloc(); ioctl_function is filled in by the setup dissector, which
 * runs only when setup words are present.
 * NOTE(review): confirm ioctl_function cannot be read uninitialised by
 * the IOCTL data dissector (se_alloc() presumably does not zero the
 * allocation).
 */
8648 if (!si->unidir && sip) {
8649 if(!pinfo->fd->flags.visited){
8651 * Allocate a new smb_nt_transact_info_t
8654 nti = se_alloc(sizeof(smb_nt_transact_info_t));
8655 nti->subcmd = subcmd;
8656 nti->fid_type=SMB_FID_TYPE_UNKNOWN;
8657 sip->extra_info = nti;
8658 sip->extra_info_type = SMB_EI_NTI;
8660 if(sip->extra_info_type == SMB_EI_NTI){
8661 nti=sip->extra_info;
8666 /* secondary request */
8667 col_append_str(pinfo->cinfo, COL_INFO, " (secondary request)");
8671 /* this is a padding byte */
8674 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
/* sc is the one-byte setup word count read above, so sc*2 bytes go to
 * the setup dissector. */
8678 /* if there were any setup bytes, decode them */
8680 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
8687 if(po>(guint32)offset){
8688 /* We have some initial padding bytes.
8693 CHECK_BYTE_COUNT(padcnt);
8694 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8695 COUNT_BYTES(padcnt);
8698 CHECK_BYTE_COUNT(pc);
8699 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc, nti);
8704 if(od>(guint32)offset){
8705 /* We have some initial padding bytes.
8710 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8711 COUNT_BYTES(padcnt);
8714 CHECK_BYTE_COUNT(dc);
8715 dissect_nt_trans_data_request(
8716 tvb, pinfo, offset, tree, dc, &ntd, nti);
/*
 * Dissect the data block of an NT Transact response.  The subcommand is
 * not carried in the response, so it is taken from nti, the state saved
 * when the matching request was dissected; when that request was never
 * seen the block is only labelled as unknown.
 * len is the data length supplied by the caller.
 * NOTE(review): the NULL test on nti, the break statements and the return
 * are not visible in this listing.
 */
8728 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
8729 int offset, proto_tree *parent_tree, int len,
8730 nt_trans_data *ntd _U_,
8731 smb_nt_transact_info_t *nti)
8733 proto_item *item = NULL;
8734 proto_tree *tree = NULL;
8737 struct access_mask_info *ami=NULL;
8738 tvbuff_t *ioctl_tvb;
8740 si = (smb_info_t *)pinfo->private_data;
8741 DISSECTOR_ASSERT(si);
/* Make sure the whole data block is present before labelling it. */
8744 tvb_ensure_bytes_exist(tvb, offset, len);
8746 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8748 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8751 * We never saw the request to which this is a
8754 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8755 "Unknown NT Transaction Data (matching request not seen)");
8757 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8764 switch(nti->subcmd){
8765 case NT_TRANS_CREATE:
8767 case NT_TRANS_IOCTL:
/* The IOCTL payload is handed on in its own tvb: captured length capped
 * at what remains in the buffer, reported length len. */
8769 ioctl_tvb=tvb_new_subset(tvb, offset, MIN((int)len, tvb_length_remaining(tvb, offset)), len);
8770 dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree, nti->ioctl_function, FALSE);
8777 case NT_TRANS_NOTIFY:
8779 case NT_TRANS_RENAME:
8780 /* XXX not documented */
/* Pick the access mask decoding that matches the FID type remembered
 * from the request; ami stays NULL for other types. */
8784 switch(nti->fid_type){
8785 case SMB_FID_TYPE_FILE:
8786 ami= &smb_file_access_mask_info;
8788 case SMB_FID_TYPE_DIR:
8789 ami= &smb_dir_access_mask_info;
8793 offset = dissect_nt_sec_desc(
8794 tvb, offset, pinfo, tree, NULL, TRUE, len, ami);
8796 case NT_TRANS_GET_USER_QUOTA:
8798 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8800 case NT_TRANS_SET_USER_QUOTA:
8801 /* not decoded yet */
/*
 * Dissect the parameter block of an NT Transact response.  The subcommand
 * comes from the state saved with the matching request (nti), which is
 * used only when the saved extra info is of type SMB_EI_NTI; when the
 * request was never seen the block is only labelled as unknown.
 *
 * NT_TRANS_CREATE decodes the create result (oplock level, FID, create
 * action, times, attributes, sizes, file type, IPC state, is-directory)
 * and remembers the FID type so that a later security descriptor on the
 * same FID can be decoded with the right access mask names.
 * NT_TRANS_NOTIFY walks a chain of change records linked by a
 * "next entry offset" taken from the packet.
 * NOTE(review): declarations, conditions, the loop construct and the
 * return are not visible in this listing.
 */
8809 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
8810 int offset, proto_tree *parent_tree,
8811 int len, nt_trans_data *ntd _U_, guint16 bc)
8813 proto_item *item = NULL;
8814 proto_tree *tree = NULL;
8818 smb_nt_transact_info_t *nti;
8823 smb_fid_info_t *fid_info=NULL;
8827 si = (smb_info_t *)pinfo->private_data;
8828 DISSECTOR_ASSERT(si);
8830 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
8831 nti = si->sip->extra_info;
8836 tvb_ensure_bytes_exist(tvb, offset, len);
8838 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8840 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8843 * We never saw the request to which this is a
8846 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8847 "Unknown NT Transaction Parameters (matching request not seen)");
8849 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8856 switch(nti->subcmd){
8857 case NT_TRANS_CREATE:
8859 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8863 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8867 fid = tvb_get_letohs(tvb, offset);
8868 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
8872 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8875 /* ea error offset */
8876 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
8880 offset = dissect_nt_64bit_time(tvb, tree, offset,
8881 hf_smb_create_time);
8884 offset = dissect_nt_64bit_time(tvb, tree, offset,
8885 hf_smb_access_time);
8887 /* last write time */
8888 offset = dissect_nt_64bit_time(tvb, tree, offset,
8889 hf_smb_last_write_time);
8891 /* last change time */
8892 offset = dissect_nt_64bit_time(tvb, tree, offset,
8893 hf_smb_change_time);
8895 /* Extended File Attributes */
8896 offset = dissect_file_ext_attr(tvb, tree, offset);
8898 /* allocation size */
8899 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8903 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8907 ftype=tvb_get_letohs(tvb, offset);
8908 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8912 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8915 isdir=tvb_get_guint8(tvb, offset);
8916 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
/* NOTE(review): fid_info starts as NULL and is set from
 * dissect_smb_fid() above; the request dissectors in this file treat its
 * result as possibly absent, so confirm the writes to fid_info->type
 * below are guarded on the lines not shown. */
8919 /* Try to remember the type of this fid so that we can dissect
8920 * any future security descriptor (access mask) properly
8925 fid_info->type=SMB_FID_TYPE_FILE;
8929 fid_info->type=SMB_FID_TYPE_DIR;
8935 fid_info->type=SMB_FID_TYPE_PIPE;
8939 case NT_TRANS_IOCTL:
8943 case NT_TRANS_NOTIFY:
8945 old_offset = offset;
8947 /* next entry offset */
8948 neo = tvb_get_letohl(tvb, offset);
8949 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
8952 /* broken implementations */
8956 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
8959 /* broken implementations */
/* File name length as claimed by the packet; passed by pointer to
 * get_unicode_or_ascii_string() together with the byte count bc. */
8963 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8964 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8967 /* broken implementations */
8971 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8974 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8976 COUNT_BYTES(fn_len);
8978 /* broken implementations */
8982 break; /* no more structures */
8984 /* skip to next structure */
/* neo comes from the packet: if it points at or before the bytes already
 * consumed, padcnt is zero or negative.  The XXX note below suggests the
 * negative case is handled on lines not shown.
 * NOTE(review): confirm the walk over records always moves forward. */
8985 padcnt = (old_offset + neo) - offset;
8988 * XXX - this is bogus; flag it?
8993 COUNT_BYTES(padcnt);
8995 /* broken implementations */
9000 case NT_TRANS_RENAME:
9001 /* XXX not documented */
9005 * This appears to be the size of the security
9006 * descriptor; the calling sequence of
9007 * "ZwQuerySecurityObject()" suggests that it would
9008 * be. The actual security descriptor wouldn't
9009 * follow if the max data count in the request
9010 * was smaller; this lets the client know how
9011 * big a buffer it needs to provide.
9013 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
9016 case NT_TRANS_GET_USER_QUOTA:
9017 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
9018 tvb_get_letohl(tvb, offset));
9021 case NT_TRANS_SET_USER_QUOTA:
9022 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transaction response.
 *
 * The sub-command is not read from the response itself; it comes from
 * the saved request state (si->sip->extra_info when its type is
 * SMB_EI_NTI).  The setup area is labelled from nti->subcmd, or as
 * "matching request not seen" when no request state is available.
 *
 * NOTE(review): the switch further down dereferences nti again; the
 * NULL guard for that path is not visible in this listing -- confirm
 * it is in place.
 */
9030 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
9031 int offset, proto_tree *parent_tree,
9032 int len, nt_trans_data *ntd _U_)
9034 proto_item *item = NULL;
9035 proto_tree *tree = NULL;
9037 smb_nt_transact_info_t *nti;
9039 si = (smb_info_t *)pinfo->private_data;
9040 DISSECTOR_ASSERT(si);
9042 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
9043 nti = si->sip->extra_info;
/* len is chosen by the caller (setup count * 2 in
 * dissect_nt_transaction_response); check that the buffer really
 * holds that many bytes before an item of that length is added. */
9048 tvb_ensure_bytes_exist(tvb, offset, len);
9050 item = proto_tree_add_text(parent_tree, tvb, offset, len,
9052 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
9055 * We never saw the request to which this is a
9058 item = proto_tree_add_text(parent_tree, tvb, offset, len,
9059 "Unknown NT Transaction Setup (matching request not seen)");
9061 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
9068 switch(nti->subcmd){
9069 case NT_TRANS_CREATE:
9071 case NT_TRANS_IOCTL:
9075 case NT_TRANS_NOTIFY:
9077 case NT_TRANS_RENAME:
9078 /* XXX not documented */
9082 case NT_TRANS_GET_USER_QUOTA:
9083 /* not decoded yet */
9085 case NT_TRANS_SET_USER_QUOTA:
9086 /* not decoded yet */
/*
 * Dissect an NT Transaction response.
 *
 * Reads the total parameter/data counts (tp, td), the per-packet
 * parameter and data counts, offsets and displacements (pc, po, pd,
 * dc, od, dd) and the setup count (sc) from the packet, hands the
 * setup words to dissect_nt_trans_setup_response(), optionally
 * reassembles a fragmented transaction, and then dissects the
 * parameter and data blocks either from the reassembled buffer or
 * directly from this packet.
 *
 * Every count, offset and displacement used below is taken from the
 * packet and must be treated as untrusted.
 *
 * pinfo is marked _U_ in the signature although it is used throughout
 * the body; the marker is stale.
 */
9094 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9097 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
9100 smb_nt_transact_info_t *nti=NULL;
/* Static storage: a single ntd is shared by every call.
 * NOTE(review): confirm each field is written before it is read for a
 * given packet, otherwise values from an earlier packet leak through. */
9101 static nt_trans_data ntd;
9104 fragment_data *r_fd = NULL;
9105 tvbuff_t *pd_tvb=NULL;
9106 gboolean save_fragmented;
9108 si = (smb_info_t *)pinfo->private_data;
9109 DISSECTOR_ASSERT(si);
9111 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
9112 nti = si->sip->extra_info;
9116 /* primary request */
9118 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
9119 if(check_col(pinfo->cinfo, COL_INFO)){
9120 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
9121 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
9124 proto_tree_add_text(tree, tvb, offset, 0,
9125 "Function: <unknown function - could not find matching request>");
9126 col_append_str(pinfo->cinfo, COL_INFO, ", <unknown>");
9131 /* 3 reserved bytes */
9132 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
9135 /* total param count */
9136 tp = tvb_get_letohl(tvb, offset);
9137 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
9140 /* total data count */
9141 td = tvb_get_letohl(tvb, offset);
9142 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
9146 pc = tvb_get_letohl(tvb, offset);
9147 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
9151 po = tvb_get_letohl(tvb, offset);
9152 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
9155 /* param displacement */
9156 pd = tvb_get_letohl(tvb, offset);
9157 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
9161 dc = tvb_get_letohl(tvb, offset);
9162 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
9166 od = tvb_get_letohl(tvb, offset);
9167 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
9170 /* data displacement */
9171 dd = tvb_get_letohl(tvb, offset);
9172 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
9176 sc = tvb_get_guint8(tvb, offset);
9177 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
/* sc is read as a single byte, so the setup length passed here is at
 * most 510 bytes. */
9182 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
9188 /* reassembly of SMB NT Transaction data payload.
9189 In this section we do reassembly of both the data and parameters
9190 blocks of the SMB transaction command.
9192 save_fragmented = pinfo->fragmented;
9193 /* do we need reassembly? */
9194 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
9195 /* oh yeah, either data or parameter section needs
9198 pinfo->fragmented = TRUE;
9199 if(smb_trans_reassembly){
9200 /* ...and we were told to do reassembly */
/* NOTE(review): the result of tvb_length_remaining() is cast to
 * unsigned before it is compared with pc (and with dc below).  If the
 * function reports an out-of-range offset as a negative value, the
 * cast turns it into a very large number and the test passes; confirm
 * that smb_trans_defragment() bounds-checks po/pc and od/dc itself.
 * The sums dd+tp and td+tp are built from packet-supplied values and
 * can wrap if tp and td are 32-bit like dd -- confirm the callee
 * copes with a wrapped position or total. */
9201 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
9202 r_fd = smb_trans_defragment(tree, pinfo, tvb,
9206 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
9207 r_fd = smb_trans_defragment(tree, pinfo, tvb,
9208 od, dc, dd+tp, td+tp);
9213 /* if we got a reassembled fd structure from the reassembly routine we
9214 must create pd_tvb from it
9217 proto_item *frag_tree_item;
9219 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
9221 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
9222 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
9224 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
9229 /* we have reassembled data, grab param and data from there */
/* In the reassembled buffer the parameter block starts at 0 and the
 * data block at tp.  The byte-count argument is the reassembled
 * length narrowed to guint16, so a buffer larger than 65535 bytes is
 * passed with a truncated count.
 * NOTE(review): confirm the callee tolerates the truncated value. */
9230 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
9231 &ntd, (guint16) tvb_length(pd_tvb));
9232 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd, nti);
9234 /* we do not have reassembled data, just use what we have in the
9235 packet as well as we can */
9237 if(po>(guint32)offset){
9238 /* We have some initial padding bytes.
9243 CHECK_BYTE_COUNT(padcnt);
9244 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
9245 COUNT_BYTES(padcnt);
9248 CHECK_BYTE_COUNT(pc);
9249 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
9254 if(od>(guint32)offset){
9255 /* We have some initial padding bytes.
9260 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
9261 COUNT_BYTES(padcnt);
9264 CHECK_BYTE_COUNT(dc);
9265 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd, nti);
9269 pinfo->fragmented = save_fragmented;
9276 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9277 NT Transaction command ends here
9278 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* Print mode codes and their display names; only the entry for 1 is
 * visible in this listing. */
9280 static const value_string print_mode_vals[] = {
9282 {1, "Graphics Mode"},
/*
 * Dissect an Open Print File request: setup length (2 bytes), print
 * mode (2 bytes), buffer format (1 byte) and the print identifier
 * string, decoded as Unicode or ASCII according to si->unicode.
 *
 * The string helper is given &offset, &fn_len and &bc, so it may
 * adjust all three.
 * NOTE(review): fn_len is presumably limited to the remaining byte
 * count by the helper -- verify in get_unicode_or_ascii_string().
 */
9287 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9289 smb_info_t *si = pinfo->private_data;
9295 DISSECTOR_ASSERT(si);
9300 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
9304 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
9310 CHECK_BYTE_COUNT(1);
9311 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9314 /* print identifier */
9315 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
9318 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
9320 COUNT_BYTES(fn_len);
/*
 * Dissect a Write Print File request: FID (2 bytes), buffer format
 * (1 byte), a 16-bit data length and then the file data.
 *
 * pinfo is marked _U_ in the signature but is passed to
 * dissect_smb_fid() below; the marker is stale.
 */
9329 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9338 fid = tvb_get_letohs(tvb, offset);
9339 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
9345 CHECK_BYTE_COUNT(1);
9346 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9350 CHECK_BYTE_COUNT(2);
9351 cnt = tvb_get_letohs(tvb, offset);
9352 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
/* cnt comes from the packet and is passed as both length arguments,
 * so it is not reconciled here with the bytes actually left.
 * NOTE(review): confirm dissect_file_data() clamps to what the tvb
 * holds. */
9356 offset = dissect_file_data(tvb, tree, offset, (guint16) cnt, (guint16) cnt);
/* Print queue entry status codes and their display names; the entry
 * for 2 is not visible in this listing. */
9364 static const value_string print_status_vals[] = {
9365 {1, "Held or Stopped"},
9367 {3, "Awaiting print"},
9368 {4, "In intercept"},
9369 {5, "File had error"},
9370 {6, "Printer error"},
/* Dissect a Get Print Queue request: max count and start index,
 * 2 bytes each.  pinfo and smb_tree are unused. */
9375 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9383 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
9387 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
/*
 * Dissect one print queue entry into its own subtree.
 *
 * Layout as consumed below: date/time (4 bytes), status (1), spool
 * file number (2), spool file size (4), reserved (1) and the spool
 * file name.  With a 16-byte name this adds up to the 28 bytes given
 * to the enclosing tree item.
 *
 * bcp points at the caller's remaining byte count; the *_SUBR macros
 * work through it (and presumably through trunc -- their definitions
 * are not visible in this listing).
 *
 * NOTE(review): the name item is added with a fixed length of 16
 * while the cursor advances by fn_len; the two agree only if fn_len
 * is 16 at that point -- confirm.
 */
9398 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
9399 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
9401 proto_item *item = NULL;
9402 proto_tree *tree = NULL;
9403 smb_info_t *si = pinfo->private_data;
9407 DISSECTOR_ASSERT(si);
9410 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
9412 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
9416 CHECK_BYTE_COUNT_SUBR(4);
9417 offset = dissect_smb_datetime(tvb, tree, offset,
9418 hf_smb_print_queue_date,
9419 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
9423 CHECK_BYTE_COUNT_SUBR(1);
9424 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
9425 COUNT_BYTES_SUBR(1);
9427 /* spool file number */
9428 CHECK_BYTE_COUNT_SUBR(2);
9429 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
9430 COUNT_BYTES_SUBR(2);
9432 /* spool file size */
9433 CHECK_BYTE_COUNT_SUBR(4);
9434 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
9435 COUNT_BYTES_SUBR(4);
9438 CHECK_BYTE_COUNT_SUBR(1);
9439 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9440 COUNT_BYTES_SUBR(1);
9444 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
9445 CHECK_STRING_SUBR(fn);
9446 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
9448 COUNT_BYTES_SUBR(fn_len);
/*
 * Dissect a Get Print Queue response: entry count (2 bytes), restart
 * index (2), buffer format (1), data length (2) and then the queue
 * entries, each handled by dissect_print_queue_element().
 *
 * cnt and len are read from the packet.
 * NOTE(review): the loop bound for the element calls is not visible
 * in this listing -- confirm it is limited by the remaining byte
 * count and not by cnt alone.
 */
9455 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9465 cnt = tvb_get_letohs(tvb, offset);
9466 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
9470 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
9476 CHECK_BYTE_COUNT(1);
9477 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9481 CHECK_BYTE_COUNT(2);
9482 len = tvb_get_letohs(tvb, offset);
9483 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
9486 /* queue elements */
9488 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
/*
 * Dissect a Send Single Block Message request: three buffers, each
 * introduced by a 1-byte buffer format -- the originator name, the
 * destination name, and a 16-bit message length followed by the
 * message bytes.
 *
 * On the "runs past bc" remarks below: tvb_strsize() searches the tvb
 * itself for the terminator and takes no account of bc.  The
 * CHECK_BYTE_COUNT(name_len) that follows each call is presumably the
 * step that rejects a name longer than the bytes left in this command
 * (the macro definition is not visible in this listing).
 */
9501 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9506 guint16 message_len;
9513 CHECK_BYTE_COUNT(1);
9514 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9517 /* originator name */
9518 /* XXX - what if this runs past bc? */
9519 name_len = tvb_strsize(tvb, offset);
9520 CHECK_BYTE_COUNT(name_len);
9521 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9523 COUNT_BYTES(name_len);
9526 CHECK_BYTE_COUNT(1);
9527 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9530 /* destination name */
9531 /* XXX - what if this runs past bc? */
9532 name_len = tvb_strsize(tvb, offset);
9533 CHECK_BYTE_COUNT(name_len);
9534 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9536 COUNT_BYTES(name_len);
9539 CHECK_BYTE_COUNT(1);
9540 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9544 CHECK_BYTE_COUNT(2);
9545 message_len = tvb_get_letohs(tvb, offset);
9546 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
/* message_len is packet-supplied; it is checked against the
 * remaining byte count before the message item is added. */
9551 CHECK_BYTE_COUNT(message_len);
9552 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9554 COUNT_BYTES(message_len);
/*
 * Dissect a Send Multi Block Message Start request: a buffer format
 * byte and NUL-terminated originator name, then a buffer format byte
 * and NUL-terminated destination name.
 *
 * tvb_strsize() measures each name in the tvb without regard to bc;
 * the CHECK_BYTE_COUNT(name_len) after it is presumably what compares
 * the result with the bytes left in this command.
 */
9562 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9573 CHECK_BYTE_COUNT(1);
9574 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9577 /* originator name */
9578 /* XXX - what if this runs past bc? */
9579 name_len = tvb_strsize(tvb, offset);
9580 CHECK_BYTE_COUNT(name_len);
9581 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9583 COUNT_BYTES(name_len);
9586 CHECK_BYTE_COUNT(1);
9587 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9590 /* destination name */
9591 /* XXX - what if this runs past bc? */
9592 name_len = tvb_strsize(tvb, offset);
9593 CHECK_BYTE_COUNT(name_len);
9594 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9596 COUNT_BYTES(name_len);
/* Dissect the 2-byte message group ID used by the multi-block message
 * commands.  pinfo and smb_tree are unused. */
9604 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9611 /* message group ID */
9612 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
/*
 * Dissect a Send Multi Block Message Text request: buffer format
 * (1 byte), a 16-bit message length and the message bytes.
 *
 * message_len is packet-supplied and is passed to CHECK_BYTE_COUNT
 * before it is used as the length of the message item.
 */
9623 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9627 guint16 message_len;
9634 CHECK_BYTE_COUNT(1);
9635 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9639 CHECK_BYTE_COUNT(2);
9640 message_len = tvb_get_letohs(tvb, offset);
9641 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9646 CHECK_BYTE_COUNT(message_len);
9647 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9649 COUNT_BYTES(message_len);
/*
 * Dissect a forwarded-name buffer: buffer format (1 byte) followed by
 * a NUL-terminated name.
 *
 * tvb_strsize() measures the name in the tvb without regard to bc;
 * the CHECK_BYTE_COUNT(name_len) after it is presumably what compares
 * the result with the bytes left in this command.
 */
9657 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9668 CHECK_BYTE_COUNT(1);
9669 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9672 /* forwarded name */
9673 /* XXX - what if this runs past bc? */
9674 name_len = tvb_strsize(tvb, offset);
9675 CHECK_BYTE_COUNT(name_len);
9676 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
9678 COUNT_BYTES(name_len);
/*
 * Dissect a Get Machine Name response: buffer format (1 byte)
 * followed by a NUL-terminated machine name.
 *
 * tvb_strsize() measures the name in the tvb without regard to bc;
 * the CHECK_BYTE_COUNT(name_len) after it is presumably what compares
 * the result with the bytes left in this command.
 */
9686 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9697 CHECK_BYTE_COUNT(1);
9698 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9702 /* XXX - what if this runs past bc? */
9703 name_len = tvb_strsize(tvb, offset);
9704 CHECK_BYTE_COUNT(name_len);
9705 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
9707 COUNT_BYTES(name_len);
/*
 * Dissect an NT Create AndX request.
 *
 * Word parameters, in order: AndX command, reserved, AndX offset,
 * reserved, file name length, create flags, root directory FID,
 * access mask, allocation size, extended file attributes, share
 * access, create disposition, create options, impersonation level and
 * security flags.  The file name follows in the byte parameters.
 *
 * On the first pass over a frame (flags.visited not set) the name and
 * the create parameters are copied into an se_alloc()ed
 * smb_fid_saved_info_t and attached to si->sip, so that the response
 * can associate them with the FID it returns.
 *
 * The file name comes from the packet.  It reaches the Info column
 * through format_text() and a literal "%s" format, so packet bytes
 * are never used as a format string.
 */
9716 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9718 guint8 wc, cmd=0xff;
9719 guint16 andxoffset=0;
9721 smb_info_t *si = pinfo->private_data;
9724 guint32 create_flags=0, access_mask=0, file_attributes=0, share_access=0, create_options=0, create_disposition=0;
9726 DISSECTOR_ASSERT(si);
9730 /* next smb command */
9731 cmd = tvb_get_guint8(tvb, offset);
9733 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9735 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9740 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9744 andxoffset = tvb_get_letohs(tvb, offset);
9745 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9749 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* Packet-supplied name length; it is later passed by address to the
 * string helper, which may change it. */
9753 fn_len = tvb_get_letohs(tvb, offset);
9754 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
9758 create_flags=tvb_get_letohl(tvb, offset);
9759 offset = dissect_nt_create_bits(tvb, tree, offset, 4, create_flags);
9761 /* root directory fid */
9762 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
9765 /* nt access mask */
9766 access_mask=tvb_get_letohl(tvb, offset);
9767 offset = dissect_smb_access_mask_bits(tvb, tree, offset, 4, access_mask);
9769 /* allocation size */
9770 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9773 /* Extended File Attributes */
9774 file_attributes=tvb_get_letohl(tvb, offset);
9775 offset = dissect_file_ext_attr_bits(tvb, tree, offset, 4, file_attributes);
9778 share_access=tvb_get_letohl(tvb, offset);
9779 offset = dissect_nt_share_access_bits(tvb, tree, offset, 4, share_access);
9781 /* create disposition */
9782 create_disposition=tvb_get_letohl(tvb, offset);
9783 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
9786 /* create options */
9787 create_options=tvb_get_letohl(tvb, offset);
9788 offset = dissect_nt_create_options_bits(tvb, tree, offset, 4, create_options);
9790 /* impersonation level */
9791 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
9794 /* security flags */
9795 offset = dissect_nt_security_flags(tvb, tree, offset);
9800 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9803 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9805 COUNT_BYTES(fn_len);
9807 /* store it for the fid->name/openframe/closeframe matching in
9808 * dissect_smb_fid() called from the response.
9810 if((!pinfo->fd->flags.visited) && si->sip && fn){
9811 smb_fid_saved_info_t *fsi;
9813 fsi=se_alloc(sizeof(smb_fid_saved_info_t));
9814 fsi->filename=se_strdup(fn);
9815 fsi->create_flags=create_flags;
9816 fsi->access_mask=access_mask;
9817 fsi->file_attributes=file_attributes;
9818 fsi->share_access=share_access;
9819 fsi->create_options=create_options;
9820 fsi->create_disposition=create_disposition;
9822 si->sip->extra_info_type=SMB_EI_FILEDATA;
9823 si->sip->extra_info=fsi;
9826 if (check_col(pinfo->cinfo, COL_INFO)) {
9827 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9828 format_text(fn, strlen(fn)));
9833 if (cmd != 0xff) { /* there is an andX command */
/* andxoffset is packet-supplied.  An offset that lies before the
 * bytes already consumed is reported as a bounds error instead of
 * being followed, so a chained command cannot point back into data
 * that has already been dissected. */
9834 if (andxoffset < offset)
9835 THROW(ReportedBoundsError);
9836 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an NT Create AndX response.
 *
 * Fields, in order: AndX command, reserved, AndX offset, oplock
 * level, FID, create action, create/access/last-write/change times,
 * extended file attributes, allocation size, end of file, file type,
 * IPC state and the is-directory flag.
 *
 * The FID is registered through dissect_smb_fid(); the returned
 * fid_info has its type set to FILE, DIR or PIPE so that a later
 * security descriptor (access mask) for this FID can be decoded
 * correctly.
 *
 * NOTE(review): fid_info starts out NULL and is assigned from
 * dissect_smb_fid(); the guard around the fid_info->type stores is
 * not visible in this listing -- confirm it checks for NULL.
 */
9844 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9846 guint8 wc, cmd=0xff;
9847 guint16 andxoffset=0;
9852 smb_fid_info_t *fid_info=NULL;
9855 si = pinfo->private_data;
9859 /* next smb command */
9860 cmd = tvb_get_guint8(tvb, offset);
9862 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9864 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9869 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9873 andxoffset = tvb_get_letohs(tvb, offset);
9874 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9878 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
9882 fid = tvb_get_letohs(tvb, offset);
9883 fid_info=dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
9887 /*XXX is this really the same as create disposition in the request? it looks so*/
9888 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
9889 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
9893 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
9896 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
9898 /* last write time */
9899 offset = dissect_nt_64bit_time(tvb, tree, offset,
9900 hf_smb_last_write_time);
9902 /* last change time */
9903 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
9905 /* Extended File Attributes */
9906 offset = dissect_file_ext_attr(tvb, tree, offset);
9908 /* allocation size */
9909 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9913 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9917 ftype=tvb_get_letohs(tvb, offset);
9918 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
9922 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
9925 isdir=tvb_get_guint8(tvb, offset);
9926 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9929 /* Try to remember the type of this fid so that we can dissect
9930 * any future security descriptor (access mask) properly
9935 fid_info->type=SMB_FID_TYPE_FILE;
9939 fid_info->type=SMB_FID_TYPE_DIR;
9945 fid_info->type=SMB_FID_TYPE_PIPE;
9953 if (cmd != 0xff) { /* there is an andX command */
/* andxoffset is packet-supplied.  An offset that lies before the
 * bytes already consumed is reported as a bounds error instead of
 * being followed, so a chained command cannot point back into data
 * that has already been dissected. */
9954 if (andxoffset < offset)
9955 THROW(ReportedBoundsError);
9956 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9959 /* if there was an error, add a generated filename to the tree */
9961 dissect_smb_fid(tvb, pinfo, tree, 0, 0, fid, TRUE, TRUE, TRUE);
/* Dissector for the NT Cancel request; pinfo and smb_tree are marked
 * unused.  The body is not visible in this listing. */
9969 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9983 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9984 BEGIN Transaction/Transaction2 Primary and secondary requests
9985 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* TRANS2 sub-command codes and their display names.  Unlike the other
 * tables here this one is not static.  Codes 0x00, 0x09, 0x0A and
 * 0x0F have no entry visible in this listing; callers of val_to_str()
 * supply a fallback format for codes that are not found. */
9988 const value_string trans2_cmd_vals[] = {
9990 { 0x01, "FIND_FIRST2" },
9991 { 0x02, "FIND_NEXT2" },
9992 { 0x03, "QUERY_FS_INFO" },
9993 { 0x04, "SET_FS_QUOTA" },
9994 { 0x05, "QUERY_PATH_INFO" },
9995 { 0x06, "SET_PATH_INFO" },
9996 { 0x07, "QUERY_FILE_INFO" },
9997 { 0x08, "SET_FILE_INFO" },
10000 { 0x0B, "FIND_NOTIFY_FIRST" },
10001 { 0x0C, "FIND_NOTIFY_NEXT" },
10002 { 0x0D, "CREATE_DIRECTORY" },
10003 { 0x0E, "SESSION_SETUP" },
10004 { 0x10, "GET_DFS_REFERRAL" },
10005 { 0x11, "REPORT_DFS_INCONSISTENCY" },
/* Flag descriptions for the transaction flags and the FIND_FIRST2
 * flags word.  In each true_false_string the first string is shown
 * when the bit is set and the second when it is clear. */
10009 static const true_false_string tfs_tf_dtid = {
10010 "Also DISCONNECT TID",
10011 "Do NOT disconnect TID"
10013 static const true_false_string tfs_tf_owt = {
10014 "One Way Transaction (NO RESPONSE)",
10015 "Two way transaction"
10018 static const true_false_string tfs_ff2_backup = {
10019 "Find WITH backup intent",
10022 static const true_false_string tfs_ff2_continue = {
10023 "CONTINUE search from previous position",
10024 "New search, do NOT continue from previous position"
10026 static const true_false_string tfs_ff2_resume = {
10027 "Return RESUME keys",
10028 "Do NOT return resume keys"
10030 static const true_false_string tfs_ff2_close_eos = {
10031 "CLOSE search if END OF SEARCH is reached",
10032 "Do NOT close search if end of search reached"
10034 static const true_false_string tfs_ff2_close = {
10035 "CLOSE search after this request",
10036 "Do NOT close search after this request"
/* Information-level codes and their display names (FIND_FIRST2 /
 * FIND_NEXT2, going by the ff2 prefix).
 * NOTE(review): 0x0105 carries the same label as 0x0102.  By analogy
 * with 0x0104 / 0x0106 ("Both" / "Id Both") it is presumably the "Id"
 * variant of the full directory info -- confirm against the
 * specification before relying on the displayed name. */
10042 static const value_string ff2_il_vals[] = {
10043 { 1, "Info Standard"},
10044 { 2, "Info Query EA Size"},
10045 { 3, "Info Query EAs From List"},
10046 { 0x0101, "Find File Directory Info"},
10047 { 0x0102, "Find File Full Directory Info"},
10048 { 0x0103, "Find File Names Info"},
10049 { 0x0104, "Find File Both Directory Info"},
10050 { 0x0105, "Find File Full Directory Info"},
10051 { 0x0106, "Find File Id Both Directory Info"},
10052 { 0x0202, "Find File UNIX"},
10056 /* values used by :
10057 TRANS2_QUERY_PATH_INFORMATION
10058 TRANS2_QUERY_FILE_INFORMATION
/* Level-of-interest codes for the query path/file information
 * sub-commands and their display names.  Several names appear under
 * two codes (for example 0x0101 and 1004 are both "Query File Basic
 * Info"); the entries are separate so that either code resolves to a
 * name. */
10060 static const value_string qpi_loi_vals[] = {
10061 { 1, "Info Standard"},
10062 { 2, "Info Query EA Size"},
10063 { 3, "Info Query EAs From List"},
10064 { 4, "Info Query All EAs"},
10065 { 6, "Info Is Name Valid"},
10066 { 0x0101, "Query File Basic Info"},
10067 { 0x0102, "Query File Standard Info"},
10068 { 0x0103, "Query File EA Info"},
10069 { 0x0104, "Query File Name Info"},
10070 { 0x0107, "Query File All Info"},
10071 { 0x0108, "Query File Alt Name Info"},
10072 { 0x0109, "Query File Stream Info"},
10073 { 0x010b, "Query File Compression Info"},
10074 { 0x0200, "Query File Unix Basic"},
10075 { 0x0201, "Query File Unix Link"},
10076 { 0x0202, "Query File Unix Hardlink"},
10077 { 0x0204, "Query File Posix ACL"},
10078 { 0x0205, "Query File Posix XATTR"},
10079 { 0x0206, "Query File Posix Attr Flags"},
10080 { 0x0207, "Query File Posix Permissions"},
10081 { 0x0208, "Query File Posix Lock"},
10082 { 1004, "Query File Basic Info"},
10083 { 1005, "Query File Standard Info"},
10084 { 1006, "Query File Internal Info"},
10085 { 1007, "Query File EA Info"},
10086 { 1009, "Query File Name Info"},
10087 { 1010, "Query File Rename Info"},
10088 { 1011, "Query File Link Info"},
10089 { 1012, "Query File Names Info"},
10090 { 1013, "Query File Disposition Info"},
10091 { 1014, "Query File Position Info"},
10092 { 1015, "Query File Full EA Info"},
10093 { 1016, "Query File Mode Info"},
10094 { 1017, "Query File Alignment Info"},
10095 { 1018, "Query File All Info"},
10096 { 1019, "Query File Allocation Info"},
10097 { 1020, "Query File End of File Info"},
10098 { 1021, "Query File Alt Name Info"},
10099 { 1022, "Query File Stream Info"},
10100 { 1023, "Query File Pipe Info"},
10101 { 1024, "Query File Pipe Local Info"},
10102 { 1025, "Query File Pipe Remote Info"},
10103 { 1026, "Query File Mailslot Query Info"},
10104 { 1027, "Query File Mailslot Set Info"},
10105 { 1028, "Query File Compression Info"},
10106 { 1029, "Query File ObjectID Info"},
10107 { 1030, "Query File Completion Info"},
10108 { 1031, "Query File Move Cluster Info"},
10109 { 1032, "Query File Quota Info"},
10110 { 1033, "Query File Reparsepoint Info"},
10111 { 1034, "Query File Network Open Info"},
10112 { 1035, "Query File Attribute Tag Info"},
10113 { 1036, "Query File Tracking Info"},
10114 { 1037, "Query File Maximum Info"},
10118 /* values used by :
10119 TRANS2_SET_PATH_INFORMATION
10120 TRANS2_SET_FILE_INFORMATION
10121 (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
10122 but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
10123 well; note that they're different from the QUERY_PATH_INFORMATION
10124 and QUERY_FILE_INFORMATION values!)
/* Level-of-interest codes for the set path/file information
 * sub-commands and their display names.  The codes differ from the
 * query table, so the two tables must not be interchanged.
 * NOTE(review): entries 2 and 4 keep the "Query" wording of the query
 * table -- confirm the labels are intended for set operations. */
10126 static const value_string spi_loi_vals[] = {
10127 { 1, "Info Standard"},
10128 { 2, "Info Query EA Size"},
10129 { 4, "Info Query All EAs"},
10130 { 0x0101, "Set File Basic Info"},
10131 { 0x0102, "Set File Disposition Info"},
10132 { 0x0103, "Set File Allocation Info"},
10133 { 0x0104, "Set File End Of File Info"},
10134 { 0x0200, "Set File Unix Basic"},
10135 { 0x0201, "Set File Unix Link"},
10136 { 0x0202, "Set File Unix HardLink"},
10137 { 0x0204, "Set File Unix ACL"},
10138 { 0x0205, "Set File Unix XATTR"},
10139 { 0x0206, "Set File Unix Attr Flags"},
10140 { 0x0208, "Set File Posix Lock"},
10141 { 0x0209, "Set File Posix Open"},
10142 { 0x020a, "Set File Posix Unlink"},
10143 { 1004, "Set File Basic Info"},
10144 { 1010, "Set Rename Information"},
10145 { 1013, "Set Disposition Information"},
10146 { 1014, "Set Position Information"},
10147 { 1016, "Set Mode Information"},
10148 { 1019, "Set Allocation Information"},
10149 { 1020, "Set EOF Information"},
10150 { 1023, "Set File Pipe Information"},
10151 { 1025, "Set File Pipe Remote Information"},
10152 { 1029, "Set Copy On Write Information"},
10153 { 1032, "Set OLE Class ID Information"},
10154 { 1039, "Set Inherit Context Index Information"},
10155 { 1040, "Set OLE Information (?)"},
/* Information-level codes for file system queries and their display
 * names.  The 0x0101-0x0105 names are repeated under 1001-1005. */
10159 static const value_string qfsi_vals[] = {
10160 { 1, "Info Allocation"},
10161 { 2, "Info Volume"},
10162 { 0x0101, "Query FS Label Info"},
10163 { 0x0102, "Query FS Volume Info"},
10164 { 0x0103, "Query FS Size Info"},
10165 { 0x0104, "Query FS Device Info"},
10166 { 0x0105, "Query FS Attribute Info"},
10167 { 0x0200, "Unix Query FS Info"},
10168 { 0x0301, "Mac Query FS Info"},
10169 { 1001, "Query FS Label Info"},
10170 { 1002, "Query FS Volume Info"},
10171 { 1003, "Query FS Size Info"},
10172 { 1004, "Query FS Device Info"},
10173 { 1005, "Query FS Attribute Info"},
10174 { 1006, "Query FS Quota Info"},
10175 { 1007, "Query Full FS Size Info"},
10176 { 1008, "Object ID Information"},
/* Small value tables: NT rename levels, the delete-pending flag and
 * alignment requirements.  The alignment values are masks (a power of
 * two minus one), not byte counts. */
10180 static const value_string nt_rename_vals[] = {
10181 { 0x0103, "Create Hard Link"},
10186 static const value_string delete_pending_vals[] = {
10187 {0, "Normal, no pending delete"},
10188 {1, "This object has DELETE PENDING"},
10192 static const value_string alignment_vals[] = {
10193 {0, "Byte alignment"},
10194 {1, "Word (16bit) alignment"},
10195 {3, "Long (32bit) alignment"},
10196 {7, "8 byte boundary alignment"},
10197 {0x0f, "16 byte boundary alignment"},
10198 {0x1f, "32 byte boundary alignment"},
10199 {0x3f, "64 byte boundary alignment"},
10200 {0x7f, "128 byte boundary alignment"},
10201 {0xff, "256 byte boundary alignment"},
10202 {0x1ff, "512 byte boundary alignment"},
/* Flag descriptions for the marked-for-deletion flag and the DFS
 * referral flags, followed by the DFS referral server type table.  In
 * each true_false_string the first string is shown when the bit is
 * set and the second when it is clear. */
10206 static const true_false_string tfs_marked_for_deletion = {
10207 "File is MARKED FOR DELETION",
10208 "File is NOT marked for deletion"
10211 static const true_false_string tfs_get_dfs_server_hold_storage = {
10212 "Referral SERVER HOLDS STORAGE for the file",
10213 "Referral server does NOT hold storage for the file"
10215 static const true_false_string tfs_get_dfs_fielding = {
10216 "The server in referral is FIELDING CAPABLE",
10217 "The server in referrals is NOT fielding capable"
10220 static const true_false_string tfs_dfs_referral_flags_name_list_referral = {
10221 "A domain/DC referral response",
10222 "NOT a domain/DC referral response"
10225 static const true_false_string tfs_dfs_referral_flags_target_set_boundary = {
10226 "The first target in the target set",
10227 "NOT the first target in the target set"
10230 static const value_string dfs_referral_server_type_vals[] = {
10231 {0, "Non-root targets returned"},
10232 {1, "Root targets returns"},
/* Flag descriptions for the device characteristics bits.  In each
 * true_false_string the first string is shown when the bit is set and
 * the second when it is clear. */
10237 static const true_false_string tfs_device_char_removable = {
10238 "This is a REMOVABLE device",
10239 "This is NOT a removable device"
10241 static const true_false_string tfs_device_char_read_only = {
10242 "This is a READ-ONLY device",
10243 "This is NOT a read-only device"
10245 static const true_false_string tfs_device_char_floppy = {
10246 "This is a FLOPPY DISK device",
10247 "This is NOT a floppy disk device"
10249 static const true_false_string tfs_device_char_write_once = {
10250 "This is a WRITE-ONCE device",
10251 "This is NOT a write-once device"
10253 static const true_false_string tfs_device_char_remote = {
10254 "This is a REMOTE device",
10255 "This is NOT a remote device"
10257 static const true_false_string tfs_device_char_mounted = {
10258 "This device is MOUNTED",
10259 "This device is NOT mounted"
10261 static const true_false_string tfs_device_char_virtual = {
10262 "This is a VIRTUAL device",
10263 "This is NOT a virtual device"
/* Flag descriptions for the file system attribute bits.  In each
 * true_false_string the first string is shown when the bit is set and
 * the second when it is clear. */
10267 static const true_false_string tfs_fs_attr_css = {
10268 "This FS supports CASE SENSITIVE SEARCHes",
10269 "This FS does NOT support case sensitive searches"
10271 static const true_false_string tfs_fs_attr_cpn = {
10272 "This FS supports CASE PRESERVED NAMES",
10273 "This FS does NOT support case preserved names"
10275 static const true_false_string tfs_fs_attr_uod = {
10276 "This FS supports UNICODE NAMES",
10277 "This FS does NOT support unicode names"
10279 static const true_false_string tfs_fs_attr_pacls = {
10280 "This FS supports PERSISTENT ACLs",
10281 "This FS does NOT support persistent acls"
10283 static const true_false_string tfs_fs_attr_fc = {
10284 "This FS supports COMPRESSED FILES",
10285 "This FS does NOT support compressed files"
10287 static const true_false_string tfs_fs_attr_vq = {
10288 "This FS supports VOLUME QUOTAS",
10289 "This FS does NOT support volume quotas"
10291 static const true_false_string tfs_fs_attr_srp = {
10292 "This FS supports REPARSE POINTS",
10293 "This FS does NOT support reparse points"
10295 static const true_false_string tfs_fs_attr_srs = {
10296 "This FS supports REMOTE STORAGE",
10297 "This FS does NOT support remote storage"
10299 static const true_false_string tfs_fs_attr_ssf = {
10300 "This FS supports SPARSE FILES",
10301 "This FS does NOT support sparse files"
10303 static const true_false_string tfs_fs_attr_sla = {
10304 "This FS supports LFN APIs",
10305 "This FS does NOT support lfn apis"
10307 static const true_false_string tfs_fs_attr_vic = {
10308 "This FS VOLUME IS COMPRESSED",
10309 "This FS volume is NOT compressed"
10311 static const true_false_string tfs_fs_attr_soids = {
10312 "This FS supports OIDs",
10313 "This FS does NOT support OIDs"
10315 static const true_false_string tfs_fs_attr_se = {
10316 "This FS supports ENCRYPTION",
10317 "This FS does NOT support encryption"
10319 static const true_false_string tfs_fs_attr_ns = {
10320 "This FS supports NAMED STREAMS",
10321 "This FS does NOT support named streams"
10323 static const true_false_string tfs_fs_attr_rov = {
10324 "This is a READ ONLY VOLUME",
10325 "This is a read/write volume"
/* Bit in the FIND_FIRST2 flags word that dissect_ff2_flags() tests to
 * record whether resume keys were requested. */
10328 #define FF2_RESUME 0x0004
/*
 * Dissect the 16-bit FIND_FIRST2 flags word.
 *
 * When transaction state of type SMB_EI_T2I is attached to si->sip
 * and the frame has not been visited before, the FF2_RESUME bit is
 * recorded in t2i->resume_keys.  The stored value is the masked bit
 * itself (0 or 0x0004), not a normalised 0/1.
 *
 * The flags are then shown as a "Flags: 0x...." subtree with one
 * boolean item per bit (backup, continue, resume, close on end of
 * search, close).
 */
10331 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
10334 proto_item *item = NULL;
10335 proto_tree *tree = NULL;
10337 smb_transact2_info_t *t2i;
10339 mask = tvb_get_letohs(tvb, offset);
10341 si = (smb_info_t *)pinfo->private_data;
10342 DISSECTOR_ASSERT(si);
10344 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
10345 t2i = si->sip->extra_info;
/* only on the first pass, so re-dissecting a frame does not rewrite
 * the saved state */
10347 if (!pinfo->fd->flags.visited)
10348 t2i->resume_keys = (mask & FF2_RESUME);
10353 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10354 "Flags: 0x%04x", mask);
10355 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
10357 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
10358 tvb, offset, 2, mask);
10359 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
10360 tvb, offset, 2, mask);
10361 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
10362 tvb, offset, 2, mask);
10363 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
10364 tvb, offset, 2, mask);
10365 proto_tree_add_boolean(tree, hf_smb_ff2_close,
10366 tvb, offset, 2, mask);
/* Dissect the 2-byte I/O flag word at offset: the little-endian value is
 * shown as an "IO Flag" item with two boolean sub-fields (write-through
 * and caching, going by the field names).
 */
10376 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10382 mask = tvb_get_letohs(tvb, offset);
10385 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10386 "IO Flag: 0x%04x", mask);
10387 tree = proto_item_add_subtree(item, ett_smb_ioflag);
10389 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
10390 tvb, offset, 2, mask);
10391 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
10392 tvb, offset, 2, mask);
/* Dissect the parameter block of a TRANSACTION2 request.
 *
 * subcmd selects the TRANS2 sub-command layout (see the case labels below)
 * and bc is the number of parameter bytes available. Every fixed-size
 * field is preceded by CHECK_BYTE_COUNT_TRANS(n) and every string by
 * CHECK_STRING_TRANS(); both macros are defined outside this listing and
 * are presumably what stops dissection when bc runs out - confirm there.
 * For sub-commands that carry an information level, the level is stored
 * in si->info_level and, while the frame has not been visited yet, in
 * t2i->info_level.
 * File names and search patterns come from the packet; they are passed
 * through format_text() before being appended to the Info column.
 * NOTE(review): this listing omits some source lines (declarations,
 * braces, break statements), so the control flow between cases cannot be
 * confirmed from here.
 */
10402 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
10403 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
10405 proto_item *item = NULL;
10406 proto_tree *tree = NULL;
10408 smb_transact2_info_t *t2i;
10412 si = (smb_info_t *)pinfo->private_data;
10413 DISSECTOR_ASSERT(si);
/* t2i is only taken from si->sip when it holds TRANS2 info; every later
 * use in this function tests t2i for NULL first */
10415 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
10416 t2i = si->sip->extra_info;
/* make sure all bc bytes are present before adding an item that spans
 * them */
10421 tvb_ensure_bytes_exist(tvb, offset, bc);
10422 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
10424 val_to_str(subcmd, trans2_cmd_vals,
10425 "Unknown (0x%02x)"));
10426 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
10430 case 0x00: /*TRANS2_OPEN2*/
10432 CHECK_BYTE_COUNT_TRANS(2);
10433 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
10436 /* desired access */
10437 CHECK_BYTE_COUNT_TRANS(2);
10438 offset = dissect_access(tvb, tree, offset, "Desired");
10441 /* Search Attributes */
10442 CHECK_BYTE_COUNT_TRANS(2);
10443 offset = dissect_search_attributes(tvb, tree, offset);
10446 /* File Attributes */
10447 CHECK_BYTE_COUNT_TRANS(2);
10448 offset = dissect_file_attributes(tvb, tree, offset, 2);
10452 CHECK_BYTE_COUNT_TRANS(4);
10453 offset = dissect_smb_datetime(tvb, tree, offset,
10454 hf_smb_create_time,
10455 hf_smb_create_dos_date, hf_smb_create_dos_time,
10459 /* open function */
10460 CHECK_BYTE_COUNT_TRANS(2);
10461 offset = dissect_open_function(tvb, tree, offset);
10464 /* allocation size */
10465 CHECK_BYTE_COUNT_TRANS(4);
10466 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10467 COUNT_BYTES_TRANS(4);
10469 /* 10 reserved bytes */
10470 CHECK_BYTE_COUNT_TRANS(10);
10471 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
10472 COUNT_BYTES_TRANS(10);
10475 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10476 CHECK_STRING_TRANS(fn);
10477 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10479 COUNT_BYTES_TRANS(fn_len);
10481 if (check_col(pinfo->cinfo, COL_INFO)) {
10482 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10483 format_text(fn, strlen(fn)));
10486 case 0x01: /*TRANS2_FIND_FIRST2*/
10487 /* Search Attributes */
10488 CHECK_BYTE_COUNT_TRANS(2);
10489 offset = dissect_search_attributes(tvb, tree, offset);
10493 CHECK_BYTE_COUNT_TRANS(2);
10494 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10495 COUNT_BYTES_TRANS(2);
10497 /* Find First2 flags */
10498 CHECK_BYTE_COUNT_TRANS(2);
10499 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10502 /* Find First2 information level */
10503 CHECK_BYTE_COUNT_TRANS(2);
10504 si->info_level = tvb_get_letohs(tvb, offset);
10505 if (t2i != NULL && !pinfo->fd->flags.visited)
10506 t2i->info_level = si->info_level;
10507 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10508 COUNT_BYTES_TRANS(2);
10511 CHECK_BYTE_COUNT_TRANS(4);
10512 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
10513 COUNT_BYTES_TRANS(4);
10515 /* search pattern */
10516 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10517 CHECK_STRING_TRANS(fn);
/* keep a copy of the pattern only if no name has been stored yet;
 * se_strdup() presumably allocates with a lifetime longer than this
 * packet - confirm against emem.h */
10518 if(t2i && !t2i->name){
10519 t2i->name = se_strdup(fn);
10521 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
10523 COUNT_BYTES_TRANS(fn_len);
10525 if (check_col(pinfo->cinfo, COL_INFO)) {
10526 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
10527 format_text(fn, strlen(fn)));
10531 case 0x02: /*TRANS2_FIND_NEXT2*/
10533 CHECK_BYTE_COUNT_TRANS(2);
10534 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
10535 COUNT_BYTES_TRANS(2);
10538 CHECK_BYTE_COUNT_TRANS(2);
10539 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10540 COUNT_BYTES_TRANS(2);
10542 /* Find First2 information level */
10543 CHECK_BYTE_COUNT_TRANS(2);
10544 si->info_level = tvb_get_letohs(tvb, offset);
10545 if (t2i != NULL && !pinfo->fd->flags.visited)
10546 t2i->info_level = si->info_level;
10547 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10548 COUNT_BYTES_TRANS(2);
10551 CHECK_BYTE_COUNT_TRANS(4);
10552 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
10553 COUNT_BYTES_TRANS(4);
10555 /* Find First2 flags */
10556 CHECK_BYTE_COUNT_TRANS(2);
10557 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10561 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10562 CHECK_STRING_TRANS(fn);
10563 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10565 COUNT_BYTES_TRANS(fn_len);
10567 if (check_col(pinfo->cinfo, COL_INFO)) {
10568 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
10569 format_text(fn, strlen(fn)));
10573 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
10574 /* level of interest */
10575 CHECK_BYTE_COUNT_TRANS(2);
10576 si->info_level = tvb_get_letohs(tvb, offset);
10577 if (t2i != NULL && !pinfo->fd->flags.visited)
10578 t2i->info_level = si->info_level;
10579 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
10580 COUNT_BYTES_TRANS(2);
10582 if (check_col(pinfo->cinfo, COL_INFO))
10583 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
10584 val_to_str(si->info_level, qfsi_vals,
10585 "Unknown (0x%02x)"));
10588 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
10589 /* level of interest */
10590 CHECK_BYTE_COUNT_TRANS(2);
10591 si->info_level = tvb_get_letohs(tvb, offset);
10592 if (t2i != NULL && !pinfo->fd->flags.visited)
10593 t2i->info_level = si->info_level;
10594 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10595 COUNT_BYTES_TRANS(2);
10597 if (check_col(pinfo->cinfo, COL_INFO)) {
10599 pinfo->cinfo, COL_INFO, ", %s",
10600 val_to_str(si->info_level, qpi_loi_vals,
10604 /* 4 reserved bytes */
10605 CHECK_BYTE_COUNT_TRANS(4);
10606 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10607 COUNT_BYTES_TRANS(4);
10610 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10611 CHECK_STRING_TRANS(fn);
10612 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10614 COUNT_BYTES_TRANS(fn_len);
10615 if(t2i && !t2i->name){
10616 t2i->name = se_strdup(fn);
10619 if (check_col(pinfo->cinfo, COL_INFO)) {
10620 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10621 format_text(fn, strlen(fn)));
10625 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10626 /* level of interest */
10627 CHECK_BYTE_COUNT_TRANS(2);
10628 si->info_level = tvb_get_letohs(tvb, offset);
10629 if (t2i != NULL && !pinfo->fd->flags.visited)
10630 t2i->info_level = si->info_level;
10631 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10632 COUNT_BYTES_TRANS(2);
10634 /* 4 reserved bytes */
10635 CHECK_BYTE_COUNT_TRANS(4);
10636 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10637 COUNT_BYTES_TRANS(4);
10640 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10641 CHECK_STRING_TRANS(fn);
10642 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10644 COUNT_BYTES_TRANS(fn_len);
10646 if (check_col(pinfo->cinfo, COL_INFO)) {
10647 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10648 format_text(fn, strlen(fn)));
10652 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
10656 CHECK_BYTE_COUNT_TRANS(2);
10657 fid = tvb_get_letohs(tvb, offset);
10658 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
10659 COUNT_BYTES_TRANS(2);
10661 /* level of interest */
10662 CHECK_BYTE_COUNT_TRANS(2);
10663 si->info_level = tvb_get_letohs(tvb, offset);
10664 if (t2i != NULL && !pinfo->fd->flags.visited)
10665 t2i->info_level = si->info_level;
10666 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10667 COUNT_BYTES_TRANS(2);
10669 if (check_col(pinfo->cinfo, COL_INFO)) {
10671 pinfo->cinfo, COL_INFO, ", %s",
10672 val_to_str(si->info_level, qpi_loi_vals,
10678 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
10682 CHECK_BYTE_COUNT_TRANS(2);
10683 fid = tvb_get_letohs(tvb, offset);
10684 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
10685 COUNT_BYTES_TRANS(2);
10687 /* level of interest */
10688 CHECK_BYTE_COUNT_TRANS(2);
10689 si->info_level = tvb_get_letohs(tvb, offset);
10690 if (t2i != NULL && !pinfo->fd->flags.visited)
10691 t2i->info_level = si->info_level;
10692 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10693 COUNT_BYTES_TRANS(2);
10697 * XXX - "Microsoft Networks SMB File Sharing Protocol
10698 * Extensions Version 3.0, Document Version 1.11,
10699 * July 19, 1990" says this is I/O flags, but it's
10700 * reserved in the SNIA spec, and some clients appear
10701 * to leave junk in it.
10703 * Is this some field used only if a particular
10704 * dialect was negotiated, so that clients can feel
10705 * safe not setting it if they haven't negotiated that
10706 * dialect? Or do the (non-OS/2) clients simply not care
10707 * about that particular OS/2-oriented dialect?
10711 CHECK_BYTE_COUNT_TRANS(2);
10712 offset = dissect_sfi_ioflag(tvb, tree, offset);
10715 /* 2 reserved bytes */
10716 CHECK_BYTE_COUNT_TRANS(2);
10717 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10718 COUNT_BYTES_TRANS(2);
10723 case 0x09: /*TRANS2_FSCTL*/
10724 /* this call has no parameter block in the request */
10727 * XXX - "Microsoft Networks SMB File Sharing Protocol
10728 * Extensions Version 3.0, Document Version 1.11,
10729 * July 19, 1990" says this this contains a
10730 * "File system specific parameter block". (That means
10731 * we may not be able to dissect it in any case.)
10734 case 0x0a: /*TRANS2_IOCTL2*/
10735 /* this call has no parameter block in the request */
10738 * XXX - "Microsoft Networks SMB File Sharing Protocol
10739 * Extensions Version 3.0, Document Version 1.11,
10740 * July 19, 1990" says this this contains a
10741 * "Device/function specific parameter block". (That
10742 * means we may not be able to dissect it in any case.)
10745 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
10746 /* Search Attributes */
10747 CHECK_BYTE_COUNT_TRANS(2);
10748 offset = dissect_search_attributes(tvb, tree, offset);
10751 /* Number of changes to wait for */
10752 CHECK_BYTE_COUNT_TRANS(2);
10753 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10754 COUNT_BYTES_TRANS(2);
10756 /* Find Notify information level */
10757 CHECK_BYTE_COUNT_TRANS(2);
10758 si->info_level = tvb_get_letohs(tvb, offset);
10759 if (t2i != NULL && !pinfo->fd->flags.visited)
10760 t2i->info_level = si->info_level;
10761 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
10762 COUNT_BYTES_TRANS(2);
10764 /* 4 reserved bytes */
10765 CHECK_BYTE_COUNT_TRANS(4);
10766 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10767 COUNT_BYTES_TRANS(4);
10770 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10771 CHECK_STRING_TRANS(fn);
10772 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10774 COUNT_BYTES_TRANS(fn_len);
10776 if (check_col(pinfo->cinfo, COL_INFO)) {
10777 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10778 format_text(fn, strlen(fn)));
10783 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
10784 /* Monitor handle */
10785 CHECK_BYTE_COUNT_TRANS(2);
10786 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
10787 COUNT_BYTES_TRANS(2);
10789 /* Number of changes to wait for */
10790 CHECK_BYTE_COUNT_TRANS(2);
10791 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10792 COUNT_BYTES_TRANS(2);
10796 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10797 /* 4 reserved bytes */
10798 CHECK_BYTE_COUNT_TRANS(4);
10799 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10800 COUNT_BYTES_TRANS(4);
10803 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
10804 FALSE, FALSE, &bc);
10805 CHECK_STRING_TRANS(fn);
10806 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
10808 COUNT_BYTES_TRANS(fn_len);
10810 if (check_col(pinfo->cinfo, COL_INFO)) {
10811 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
10812 format_text(fn, strlen(fn)));
10815 case 0x0e: /*TRANS2_SESSION_SETUP*/
10816 /* XXX unknown structure*/
10818 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10819 /* referral level */
10820 CHECK_BYTE_COUNT_TRANS(2);
10821 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
10822 COUNT_BYTES_TRANS(2);
10825 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10826 CHECK_STRING_TRANS(fn);
10827 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10829 COUNT_BYTES_TRANS(fn_len);
10831 if (check_col(pinfo->cinfo, COL_INFO)) {
10832 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10833 format_text(fn, strlen(fn)));
10837 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10839 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10840 CHECK_STRING_TRANS(fn);
10841 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10843 COUNT_BYTES_TRANS(fn_len);
10845 if (check_col(pinfo->cinfo, COL_INFO)) {
10846 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10847 format_text(fn, strlen(fn)));
10853 /* oops, there was data we did not know how to process */
10855 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, TRUE);
10863 * XXX - just use "dissect_connect_flags()" here?
/* Dissect the 2-byte transaction flags word at offset: the little-endian
 * value is shown as a "Flags" item with two boolean sub-fields, each added
 * over the same 2 bytes with the full mask.
 */
10866 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10872 mask = tvb_get_letohs(tvb, offset);
10875 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10876 "Flags: 0x%04x", mask);
10877 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
10879 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
10880 tvb, offset, 2, mask);
10881 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
10882 tvb, offset, 2, mask);
/* Dissect the 2-byte Get DFS Referral flags word at offset: the
 * little-endian value is shown as a "Flags" item with two boolean
 * sub-fields.
 */
10890 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10896 mask = tvb_get_letohs(tvb, offset);
10899 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10900 "Flags: 0x%04x", mask);
10901 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
10903 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
10904 tvb, offset, 2, mask);
10905 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
10906 tvb, offset, 2, mask);
/* Dissect the 2-byte flags word of a DFS referral entry at offset: the
 * little-endian value is shown as a "Flags" item with two boolean
 * sub-fields (name-list referral and target-set boundary, going by the
 * field names).
 */
10914 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10920 mask = tvb_get_letohs(tvb, offset);
10923 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10924 "Flags: 0x%04x", mask);
10925 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
10927 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_name_list_referral,
10928 tvb, offset, 2, mask);
10929 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_target_set_boundary,
10930 tvb, offset, 2, mask);
10939 /* dfs inconsistency data (4.4.2)
/* Dissect DFS inconsistency data: referral version, referral size and
 * server type (2 bytes each), the referral flags word, then a node name
 * string in the encoding selected by si->unicode.
 * Byte accounting goes through *bcp using the ..._TRANS_SUBR macros, which
 * are defined outside this listing.
 */
10942 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
10943 proto_tree *tree, int offset, guint16 *bcp)
10945 smb_info_t *si = pinfo->private_data;
10949 DISSECTOR_ASSERT(si);
10951 /* XXX should this data not hold version and size? unclear from doc */
10952 /* referral version */
10953 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10954 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
10955 COUNT_BYTES_TRANS_SUBR(2);
10957 /* referral size */
10958 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10959 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
10960 COUNT_BYTES_TRANS_SUBR(2);
10962 /* referral server type */
10963 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10964 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10965 COUNT_BYTES_TRANS_SUBR(2);
10967 /* referral flags */
10968 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10969 offset = dissect_dfs_referral_flags(tvb, tree, offset);
10973 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10974 CHECK_STRING_TRANS_SUBR(fn);
10975 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10977 COUNT_BYTES_TRANS_SUBR(fn_len);
/* Add up to nstring consecutive strings, starting at stroffset, to tree
 * under the field hfindex.
 * The callers visible in this file compute stroffset from a 16-bit offset
 * field read out of the packet (plus oldoffset), so it is untrusted input.
 * bc is passed by value, so the caller's byte count is not changed here.
 * If end is non-NULL, *end is compared with the running string offset
 * (the statement that follows the comparison is not present in this
 * listing; presumably it records the furthest string end).
 */
10983 dissect_dfs_referral_strings(tvbuff_t *tvb, proto_tree *tree, int hfindex,
10984 int nstring, int stroffset, int oldoffset, int offset,
10985 guint16 bc, gboolean unicode, int *end)
10989 int str_len; /* string length including the terminating NULL. */
/* a string offset at or before oldoffset is handled separately; the
 * statement taken in that case is not shown here (presumably an early
 * return - confirm) */
10991 if (stroffset <= oldoffset)
/* NOTE(review): bc is a guint16. If the packet-supplied stroffset lies
 * further ahead than the bytes remaining, this subtraction wraps; the
 * (gint16) sign test in the loop only catches wrapped values that look
 * negative. Reads are presumably still bounds-checked by the tvb
 * accessors behind get_unicode_or_ascii_string() - confirm.
 */
10994 bc -= (stroffset - offset);
10995 for (istring=0; istring<nstring; istring++) {
10996 if ((gint16)bc > 0) {
10997 str = get_unicode_or_ascii_string(tvb, &stroffset, unicode, &str_len, FALSE, FALSE, &bc);
10998 CHECK_STRING_TRANS_SUBR(str);
10999 proto_tree_add_string(tree, hfindex, tvb, stroffset, str_len, str);
11000 stroffset += str_len;
11002 if (end && (*end < stroffset))
/* Single-string convenience wrapper: forwards to
 * dissect_dfs_referral_strings() with a string count of 1.
 */
11012 dissect_dfs_referral_string(tvbuff_t *tvb, proto_tree *tree, int hfindex,
11013 int stroffset, int oldoffset, int offset,
11014 guint16 bc, gboolean unicode, int *end)
11016 return dissect_dfs_referral_strings(tvb, tree, hfindex,
11017 1, stroffset, oldoffset, offset,
/* Dissect the version-specific part of a version 2 DFS referral entry.
 * Fixed fields (proximity, TTL and three 16-bit string offsets) are
 * consumed from offset and accounted against *bcp. The string offsets come
 * from the packet and are added to oldoffset, which appears to be the
 * start of the referral entry in the caller - verify there.
 * refflags is unused in this version (marked _U_).
 * ucstring_end is handed to the string helper as its end tracker.
 */
11022 dissect_dfs_referral_entry_v2(tvbuff_t *tvb, proto_tree *tree, int oldoffset, int offset,
11023 guint16 refflags _U_, guint16 *bcp, gboolean unicode, int *ucstring_end)
11026 guint16 pathoffset;
11027 guint16 altpathoffset;
11028 guint16 nodeoffset;
11031 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11032 proto_tree_add_item(tree, hf_smb_dfs_referral_proximity, tvb, offset, 4, TRUE);
11033 COUNT_BYTES_TRANS_SUBR(4);
11036 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11037 proto_tree_add_item(tree, hf_smb_dfs_referral_ttl, tvb, offset, 4, TRUE);
11038 COUNT_BYTES_TRANS_SUBR(4);
11041 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11042 pathoffset = tvb_get_letohs(tvb, offset);
11043 proto_tree_add_uint(tree, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
11044 COUNT_BYTES_TRANS_SUBR(2);
11046 /* alt path offset */
11047 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11048 altpathoffset = tvb_get_letohs(tvb, offset);
11049 proto_tree_add_uint(tree, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
11050 COUNT_BYTES_TRANS_SUBR(2);
11053 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11054 nodeoffset = tvb_get_letohs(tvb, offset);
11055 proto_tree_add_uint(tree, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
11056 COUNT_BYTES_TRANS_SUBR(2);
/* the strings live outside the fixed part; *bcp is passed by value, so
 * dissecting them does not consume the caller's byte count */
11060 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_path,
11061 pathoffset+oldoffset, oldoffset, offset,
11062 *bcp, unicode, ucstring_end);
/* a zero alt path offset means there is no alternate path string */
11066 if (altpathoffset) {
11067 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_alt_path,
11068 altpathoffset+oldoffset, oldoffset, offset,
11069 *bcp, unicode, ucstring_end);
11074 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_node,
11075 nodeoffset+oldoffset, oldoffset, offset,
11076 *bcp, unicode, ucstring_end);
/* Dissect the version-specific part of a version 3 DFS referral entry
 * (the caller in this file uses it for version 4 as well).
 * After the TTL, a name-list referral (REFENT_FLAGS_NAME_LIST_REFERRAL set
 * in refflags) carries a domain name offset, an expanded-name count and an
 * expanded-names offset; the path / alt path / node offsets and the
 * 16-byte GUID further down are presumably the layout used otherwise (the
 * braces that would show this are not present in this listing).
 * All string offsets come from the packet and are added to oldoffset
 * before being handed to the string helpers; *bcp is passed to them by
 * value.
 */
11085 dissect_dfs_referral_entry_v3(tvbuff_t *tvb, proto_tree *tree, int oldoffset, int offset,
11086 guint16 refflags, guint16 *bcp, gboolean unicode, int *ucstring_end)
11091 guint16 pathoffset;
11092 guint16 altpathoffset;
11093 guint16 nodeoffset;
11096 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11097 proto_tree_add_item(tree, hf_smb_dfs_referral_ttl, tvb, offset, 4, TRUE);
11098 COUNT_BYTES_TRANS_SUBR(4);
11100 if (refflags & REFENT_FLAGS_NAME_LIST_REFERRAL) {
11101 /* domain name offset */
11102 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11103 domoffset = tvb_get_letohs(tvb, offset);
11104 proto_tree_add_uint(tree, hf_smb_dfs_referral_domain_offset, tvb, offset, 2, domoffset);
11105 COUNT_BYTES_TRANS_SUBR(2);
11107 /* number of expanded names*/
11108 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11109 nexpnames = tvb_get_letohs(tvb, offset);
11110 proto_tree_add_uint(tree, hf_smb_dfs_referral_number_of_expnames, tvb, offset, 2, nexpnames);
11111 COUNT_BYTES_TRANS_SUBR(2);
11113 /* expanded names offset */
11114 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11115 expoffset = tvb_get_letohs(tvb, offset);
11116 proto_tree_add_uint(tree, hf_smb_dfs_referral_expnames_offset, tvb, offset, 2, expoffset);
11117 COUNT_BYTES_TRANS_SUBR(2);
11119 /* padding: zero or 16 bytes, which should be ignored by clients.
11120 * we ignore them too.
11125 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_domain_name,
11126 domoffset+oldoffset, oldoffset, offset,
11127 *bcp, unicode, ucstring_end);
11129 /* expanded names */
11131 proto_item *expitem = NULL;
11132 proto_tree *exptree = NULL;
11134 expitem = proto_tree_add_text(tree, tvb, offset, *bcp, "Expanded Names");
11135 exptree = proto_item_add_subtree(expitem, ett_smb_dfs_referral_expnames);
/* nexpnames is a packet-supplied 16-bit count; the helper stops adding
 * strings once its local byte count is no longer positive */
11137 dissect_dfs_referral_strings(tvb, exptree, hf_smb_dfs_referral_expname,
11138 nexpnames, expoffset+oldoffset, oldoffset, offset,
11139 *bcp, unicode, ucstring_end);
11143 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11144 pathoffset = tvb_get_letohs(tvb, offset);
11145 proto_tree_add_uint(tree, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
11146 COUNT_BYTES_TRANS_SUBR(2);
11148 /* alt path offset */
11149 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11150 altpathoffset = tvb_get_letohs(tvb, offset);
11151 proto_tree_add_uint(tree, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
11152 COUNT_BYTES_TRANS_SUBR(2);
11155 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11156 nodeoffset = tvb_get_letohs(tvb, offset);
11157 proto_tree_add_uint(tree, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
11158 COUNT_BYTES_TRANS_SUBR(2);
11160 /* service site guid */
11161 CHECK_BYTE_COUNT_TRANS_SUBR(16);
11162 proto_tree_add_item(tree, hf_smb_dfs_referral_server_guid, tvb, offset, 16, TRUE);
11163 COUNT_BYTES_TRANS_SUBR(16);
11167 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_path,
11168 pathoffset+oldoffset, oldoffset, offset,
11169 *bcp, unicode, ucstring_end);
/* a zero alt path offset means there is no alternate path string */
11173 if (altpathoffset) {
11174 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_alt_path,
11175 altpathoffset+oldoffset, oldoffset, offset,
11176 *bcp, unicode, ucstring_end);
11181 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_node,
11182 nodeoffset+oldoffset, oldoffset, offset,
11183 *bcp, unicode, ucstring_end);
11191 /* get dfs referral data (4.4.1)
/* Dissect the data block of a Get DFS Referral response.
 * Layout as dissected here: path consumed (2), number of referrals (2),
 * DFS flags (2), 2 bytes shown as padding, then the referral entries.
 * Each entry starts with version, size, server type and flags (2 bytes
 * each); the rest depends on the version and is delegated to the v2/v3
 * helpers (v3 is also used for v4). A node-name string read directly here
 * presumably belongs to version 1 - the switch labels are not present in
 * this listing.
 * numref, version and refsize all come from the packet; byte accounting
 * goes through *bcp using the ..._TRANS_SUBR macros defined elsewhere.
 */
11194 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
11195 proto_tree *tree, int offset, guint16 *bcp)
11197 smb_info_t *si = pinfo->private_data;
11207 DISSECTOR_ASSERT(si);
11209 /* path consumed */
11210 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11211 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
11212 COUNT_BYTES_TRANS_SUBR(2);
11214 /* num referrals */
11215 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11216 numref = tvb_get_letohs(tvb, offset);
11217 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
11218 COUNT_BYTES_TRANS_SUBR(2);
11220 /* get dfs flags */
11221 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11222 offset = dissect_get_dfs_flags(tvb, tree, offset);
11225 /* XXX - in at least one capture there appears to be 2 bytes
11226 of stuff after the Dfs flags, perhaps so that the header
11227 in front of the referral list is a multiple of 4 bytes long. */
11228 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11229 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
11230 COUNT_BYTES_TRANS_SUBR(2);
11232 /* if there are any referrals */
11234 proto_item *ref_item = NULL;
11235 proto_tree *ref_tree = NULL;
11236 int old_offset=offset;
/* the "Referrals" item initially spans all remaining bytes; its length is
 * corrected with proto_item_set_len() once the entries have been read */
11239 tvb_ensure_bytes_exist(tvb, offset, *bcp);
11240 ref_item = proto_tree_add_text(tree,
11241 tvb, offset, *bcp, "Referrals");
11242 ref_tree = proto_item_add_subtree(ref_item,
11243 ett_smb_dfs_referrals);
11248 proto_item *ri = NULL;
11249 proto_tree *rt = NULL;
/* NOTE(review): this is a second old_offset, presumably in a nested
 * per-referral scope that shadows the one declared above; it marks the
 * start of the current entry and is the base passed to the v2/v3
 * helpers */
11250 int old_offset=offset;
11254 tvb_ensure_bytes_exist(tvb, offset, *bcp);
11255 ri = proto_tree_add_text(ref_tree,
11256 tvb, offset, *bcp, "Referral");
11257 rt = proto_item_add_subtree(ri,
11258 ett_smb_dfs_referral);
11261 /* referral version */
11262 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11263 version = tvb_get_letohs(tvb, offset);
11264 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
11265 tvb, offset, 2, version);
11266 COUNT_BYTES_TRANS_SUBR(2);
11268 /* referral size */
11269 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11270 refsize = tvb_get_letohs(tvb, offset);
11271 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
11272 COUNT_BYTES_TRANS_SUBR(2);
11274 /* referral server type */
11275 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11276 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
11277 COUNT_BYTES_TRANS_SUBR(2);
11279 /* referral flags */
11280 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11281 refflags = tvb_get_letohs(tvb, offset);
11282 offset = dissect_dfs_referral_flags(tvb, rt, offset);
11289 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11290 CHECK_STRING_TRANS_SUBR(fn);
11291 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
11293 COUNT_BYTES_TRANS_SUBR(fn_len);
11297 offset = dissect_dfs_referral_entry_v2(tvb, rt, old_offset, offset,
11298 refflags, bcp, si->unicode, &ucstring_end);
11301 offset = dissect_dfs_referral_entry_v3(tvb, rt, old_offset, offset,
11302 refflags, bcp, si->unicode, &ucstring_end);
11305 /* V4 is exactly the same as V3, except for the version number and
11306 * one more ReferralEntryFlags */
11307 offset = dissect_dfs_referral_entry_v3(tvb, rt, old_offset, offset,
11308 refflags, bcp, si->unicode, &ucstring_end);
/* NOTE(review): refsize is the packet-supplied entry size. If it is
 * smaller than the bytes already consumed for this entry, unklen below is
 * negative; the handling of that case is only partly visible in this
 * listing - confirm that a negative length never reaches the add_item
 * call.
 */
11313 * Show anything beyond the length of the referral
11316 unklen = (old_offset + refsize) - offset;
11319 * XXX - the length is bogus.
11324 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
11325 proto_tree_add_item(rt, hf_smb_unknown, tvb,
11326 offset, unklen, TRUE);
11327 COUNT_BYTES_TRANS_SUBR(unklen);
11330 proto_item_set_len(ri, offset-old_offset);
11334 * Treat the offset past the end of the last Unicode
11335 * string after the referrals (if any) as the last
11338 if (ucstring_end > offset) {
11339 ucstring_len = ucstring_end - offset;
/* clamp to the bytes that remain so the subtraction from *bcp below
 * cannot wrap */
11340 if (*bcp < ucstring_len)
11341 ucstring_len = *bcp;
11342 offset += ucstring_len;
11343 *bcp -= ucstring_len;
11345 proto_item_set_len(ref_item, offset-old_offset);
11351 /* This dissects the standard four 8-byte Windows timestamps ...
/* Dissect four consecutive 8-byte NT timestamps in this order: create,
 * access, last write, change. Each one is guarded by
 * CHECK_BYTE_COUNT_SUBR(8), and dissect_nt_64bit_time() returns the
 * offset past the field. pinfo is unused (marked _U_); bcp and trunc are
 * presumably used by the ..._SUBR macros, which are defined outside this
 * listing.
 */
11354 dissect_smb_standard_8byte_timestamps(tvbuff_t *tvb,
11355 packet_info *pinfo _U_, proto_tree *tree,
11356 int offset, guint16 *bcp, gboolean *trunc)
11359 CHECK_BYTE_COUNT_SUBR(8);
11360 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
11364 CHECK_BYTE_COUNT_SUBR(8);
11365 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_access_time);
11368 /* last write time */
11369 CHECK_BYTE_COUNT_SUBR(8);
11370 offset = dissect_nt_64bit_time(tvb, tree, offset,
11371 hf_smb_last_write_time);
11374 /* last change time */
11375 CHECK_BYTE_COUNT_SUBR(8);
11376 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_change_time);
11383 /* this dissects the SMB_INFO_STANDARD
11384 as described in 4.2.16.1
/* Dissect an SMB_INFO_STANDARD structure: three 4-byte DOS date/time
 * stamps (create, access, last write), data size (4), allocation size
 * (4), file attributes (2) and EA list length (4). Every field is guarded
 * by CHECK_BYTE_COUNT_SUBR, which is defined outside this listing.
 */
11387 dissect_4_2_16_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11388 int offset, guint16 *bcp, gboolean *trunc)
11391 CHECK_BYTE_COUNT_SUBR(4);
11392 offset = dissect_smb_datetime(tvb, tree, offset,
11393 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
11398 CHECK_BYTE_COUNT_SUBR(4);
11399 offset = dissect_smb_datetime(tvb, tree, offset,
11400 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
11404 /* last write time */
11405 CHECK_BYTE_COUNT_SUBR(4);
11406 offset = dissect_smb_datetime(tvb, tree, offset,
11407 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
11412 CHECK_BYTE_COUNT_SUBR(4);
11413 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11414 COUNT_BYTES_SUBR(4);
11416 /* allocation size */
11417 CHECK_BYTE_COUNT_SUBR(4);
11418 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11419 COUNT_BYTES_SUBR(4);
11421 /* File Attributes */
11422 CHECK_BYTE_COUNT_SUBR(2);
11423 offset = dissect_file_attributes(tvb, tree, offset, 2);
11427 CHECK_BYTE_COUNT_SUBR(4);
11428 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11429 COUNT_BYTES_SUBR(4);
11435 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
11436 as described in 4.2.16.2
/* Dissect an extended attribute (EA) list: a 4-byte list length followed
 * by EA records, each made of flags (1), name length (1), data length
 * (2), the name plus one extra byte (name_len + 1, presumably a
 * terminator), and data_len bytes of data.
 * The loop construct around the record is not present in this listing.
 */
11439 dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11440 int offset, guint16 *bcp, gboolean *trunc)
11446 CHECK_BYTE_COUNT_SUBR(4);
11447 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11448 COUNT_BYTES_SUBR(4);
11452 proto_tree *subtree;
11453 int start_offset = offset;
/* the item starts with length 0; it is set to the real record length at
 * the end with proto_item_set_len() */
11456 item = proto_tree_add_text(
11457 tree, tvb, offset, 0, "Extended Attribute");
11458 subtree = proto_item_add_subtree(item, ett_smb_ea);
11462 CHECK_BYTE_COUNT_SUBR(1);
11463 proto_tree_add_item(
11464 subtree, hf_smb_ea_flags, tvb, offset, 1, TRUE);
11465 COUNT_BYTES_SUBR(1);
11467 /* EA name length */
/* NOTE(review): name_len (8 bit) and data_len (16 bit) are packet-supplied
 * and are read before the matching CHECK_BYTE_COUNT_SUBR; this relies on
 * the tvb accessors rejecting out-of-range offsets - confirm.
 */
11469 name_len = tvb_get_guint8(tvb, offset);
11471 CHECK_BYTE_COUNT_SUBR(1);
11472 proto_tree_add_item(
11473 subtree, hf_smb_ea_name_length, tvb, offset, 1, TRUE);
11474 COUNT_BYTES_SUBR(1);
11476 /* EA data length */
11478 data_len = tvb_get_letohs(tvb, offset);
11480 CHECK_BYTE_COUNT_SUBR(2);
11481 proto_tree_add_item(
11482 subtree, hf_smb_ea_data_length, tvb, offset, 2, TRUE);
11483 COUNT_BYTES_SUBR(2);
/* the name is fetched before the byte-count check for it and is passed
 * through format_text() before being appended to the item label */
11487 name = tvb_get_ephemeral_string(tvb, offset, name_len);
11488 proto_item_append_text(item, ": %s", format_text(name, strlen(name)));
11490 CHECK_BYTE_COUNT_SUBR(name_len + 1);
11491 proto_tree_add_item(
11492 subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
11494 COUNT_BYTES_SUBR(name_len + 1);
11498 CHECK_BYTE_COUNT_SUBR(data_len);
11499 proto_tree_add_item(
11500 subtree, hf_smb_ea_data, tvb, offset, data_len, TRUE);
11501 COUNT_BYTES_SUBR(data_len);
11503 proto_item_set_len(item, offset - start_offset);
11510 /* this dissects the SMB_INFO_IS_NAME_VALID
11511 as described in 4.2.16.3
/* Dissect SMB_INFO_IS_NAME_VALID data: a single file name string in the
 * encoding selected by si->unicode, accounted against *bcp.
 */
11514 dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11515 int offset, guint16 *bcp, gboolean *trunc)
11517 smb_info_t *si = pinfo->private_data;
11521 DISSECTOR_ASSERT(si);
11524 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11525 CHECK_STRING_SUBR(fn);
11526 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11528 COUNT_BYTES_SUBR(fn_len);
11534 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
11535 as described in 4.2.16.4
/* Dissect SMB_QUERY_FILE_BASIC_INFO data: the four standard 8-byte
 * timestamps (via dissect_smb_standard_8byte_timestamps) followed by a
 * 4-byte file attributes field.
 * NOTE(review): the lines between the timestamp call and the attributes
 * are not present in this listing, so whether *trunc is tested after the
 * call cannot be confirmed here.
 */
11538 dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11539 int offset, guint16 *bcp, gboolean *trunc)
11542 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
11547 /* File Attributes */
11548 CHECK_BYTE_COUNT_SUBR(4);
11549 offset = dissect_file_attributes(tvb, tree, offset, 4);
11556 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
11557 as described in 4.2.16.5
/* Adds the SMB_QUERY_FILE_STANDARD_INFO fields in wire order: 8-byte
 * allocation size, 8-byte end of file, 4-byte number of links, 1-byte
 * delete-pending flag and 1-byte is-directory flag.
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this listing; presumably the first returns early when fewer than N bytes
 * remain in *bcp and the second advances offset and reduces *bcp - confirm. */
11560 dissect_qfi_SMB_FILE_STANDARD_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11561 int offset, guint16 *bcp, gboolean *trunc)
11563 /* allocation size */
11564 CHECK_BYTE_COUNT_SUBR(8);
11565 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11566 COUNT_BYTES_SUBR(8);
/* end of file (8 bytes) */
11569 CHECK_BYTE_COUNT_SUBR(8);
11570 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11571 COUNT_BYTES_SUBR(8);
11573 /* number of links */
11574 CHECK_BYTE_COUNT_SUBR(4);
11575 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
11576 COUNT_BYTES_SUBR(4);
11578 /* delete pending */
11579 CHECK_BYTE_COUNT_SUBR(1);
11580 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
11581 COUNT_BYTES_SUBR(1);
/* is directory (1 byte) */
11584 CHECK_BYTE_COUNT_SUBR(1);
11585 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
11586 COUNT_BYTES_SUBR(1);
11592 /* this dissects the SMB_QUERY_FILE_INTERNAL_INFO
/* Adds the single 8-byte index number field (hf_smb_index_number) of
 * SMB_QUERY_FILE_INTERNAL_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
11595 dissect_qfi_SMB_FILE_INTERNAL_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11596 int offset, guint16 *bcp, gboolean *trunc)
11599 CHECK_BYTE_COUNT_SUBR(8);
11600 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
11601 COUNT_BYTES_SUBR(8);
11607 /* this dissects the SMB_QUERY_FILE_POSITION_INFO
/* Adds the single 8-byte position field (hf_smb_position) of
 * SMB_QUERY_FILE_POSITION_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
11610 dissect_qfi_SMB_FILE_POSITION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11611 int offset, guint16 *bcp, gboolean *trunc)
11614 CHECK_BYTE_COUNT_SUBR(8);
11615 proto_tree_add_item(tree, hf_smb_position, tvb, offset, 8, TRUE);
11616 COUNT_BYTES_SUBR(8);
11622 /* this dissects the SMB_QUERY_FILE_MODE_INFO
/* Adds the single 4-byte mode field (hf_smb_mode) of
 * SMB_QUERY_FILE_MODE_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
11625 dissect_qfi_SMB_FILE_MODE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11626 int offset, guint16 *bcp, gboolean *trunc)
11629 CHECK_BYTE_COUNT_SUBR(4);
11630 proto_tree_add_item(tree, hf_smb_mode, tvb, offset, 4, TRUE);
11631 COUNT_BYTES_SUBR(4);
11637 /* this dissects the SMB_QUERY_FILE_ALIGNMENT_INFO
/* Adds the single 4-byte alignment field (hf_smb_t2_alignment) of
 * SMB_QUERY_FILE_ALIGNMENT_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
11640 dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11641 int offset, guint16 *bcp, gboolean *trunc)
11644 CHECK_BYTE_COUNT_SUBR(4);
11645 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
11646 COUNT_BYTES_SUBR(4);
11652 /* this dissects the SMB_QUERY_FILE_EA_INFO
11653 as described in 4.2.16.6
/* Adds the single 4-byte EA list length field (hf_smb_ea_list_length) of
 * SMB_QUERY_FILE_EA_INFO to the tree. The length is displayed only; it is
 * not used to walk any EA list in this function.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
11656 dissect_qfi_SMB_FILE_EA_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11657 int offset, guint16 *bcp, gboolean *trunc)
11660 CHECK_BYTE_COUNT_SUBR(4);
11661 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11662 COUNT_BYTES_SUBR(4);
11668 /* this dissects the SMB_QUERY_FILE_ALLOCATION_INFO
/* Adds the single 8-byte allocation size field (hf_smb_alloc_size64) of
 * SMB_QUERY_FILE_ALLOCATION_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
11671 dissect_qfi_SMB_FILE_ALLOCATION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11672 int offset, guint16 *bcp, gboolean *trunc)
11674 /* allocation size */
11675 CHECK_BYTE_COUNT_SUBR(8);
11676 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11677 COUNT_BYTES_SUBR(8);
11683 /* this dissects the SMB_QUERY_FILE_ENDOFFILE_INFO
/* Adds the single 8-byte end-of-file field (hf_smb_end_of_file) of
 * SMB_QUERY_FILE_ENDOFFILE_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
11686 dissect_qfi_SMB_FILE_ENDOFFILE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11687 int offset, guint16 *bcp, gboolean *trunc)
11690 CHECK_BYTE_COUNT_SUBR(8);
11691 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11692 COUNT_BYTES_SUBR(8);
11698 /* this dissects the SMB_QUERY_FILE_NAME_INFO
11699 as described in 4.2.16.7
11700 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
11701 as described in 4.2.16.9
/* Dissects a 4-byte file name length followed by the file name itself
 * (used for both the NAME_INFO and ALT_NAME_INFO levels).
 * In the visible lines the length field is displayed only: it is not read
 * back into fn_len, and the name is fetched with both boolean flags FALSE.
 * NOTE(review): the meaning of those two flags is defined by
 * get_unicode_or_ascii_string(), which is outside this listing - confirm
 * that the string length is bounded by bcp rather than by the wire value. */
11704 dissect_qfi_SMB_FILE_ALTERNATE_NAME_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11705 int offset, guint16 *bcp, gboolean *trunc)
11707 smb_info_t *si = pinfo->private_data;
/* si is asserted before si->unicode is read below */
11711 DISSECTOR_ASSERT(si);
11713 /* file name len */
11714 CHECK_BYTE_COUNT_SUBR(4);
11715 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
11716 COUNT_BYTES_SUBR(4);
/* file name; CHECK_STRING_SUBR presumably returns early on a NULL result */
11719 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11720 CHECK_STRING_SUBR(fn);
11721 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11723 COUNT_BYTES_SUBR(fn_len);
11729 /* this dissects the SMB_QUERY_FILE_ALL_INFO
11730 but not as described in 4.2.16.8 since the SNIA spec is wrong
/* Dissects SMB_QUERY_FILE_ALL_INFO: standard timestamps, file attributes,
 * allocation size, end of file, number of links, delete-pending and
 * is-directory flags, EA list length, file name length and file name.
 * Unlike the other name dissectors in this file, the name length here is
 * read from the packet into fn_len and then passed to
 * get_unicode_or_ascii_string() with both boolean flags TRUE.
 * NOTE(review): the byte-count macros and the helper are defined outside
 * this listing; statements about them below are assumptions to confirm. */
11733 dissect_qfi_SMB_FILE_ALL_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11734 int offset, guint16 *bcp, gboolean *trunc)
11740 si = (smb_info_t *)pinfo->private_data;
11742 DISSECTOR_ASSERT(si);
11744 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
11749 /* File Attributes */
11750 CHECK_BYTE_COUNT_SUBR(4);
/* offset is taken from the helper's return value; the matching *bcp
 * adjustment is not visible in this listing - confirm in the full file */
11751 offset = dissect_file_attributes(tvb, tree, offset, 4);
11758 /* allocation size */
11759 CHECK_BYTE_COUNT_SUBR(8);
11760 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11761 COUNT_BYTES_SUBR(8);
/* end of file (8 bytes) */
11764 CHECK_BYTE_COUNT_SUBR(8);
11765 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11766 COUNT_BYTES_SUBR(8);
11768 /* number of links */
11769 CHECK_BYTE_COUNT_SUBR(4);
11770 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
11771 COUNT_BYTES_SUBR(4);
11773 /* delete pending */
11774 CHECK_BYTE_COUNT_SUBR(1);
11775 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
11776 COUNT_BYTES_SUBR(1);
/* is directory (1 byte) */
11779 CHECK_BYTE_COUNT_SUBR(1);
11780 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
11781 COUNT_BYTES_SUBR(1);
/* EA list length (4 bytes), displayed only */
11788 CHECK_BYTE_COUNT_SUBR(4);
11789 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11790 COUNT_BYTES_SUBR(4);
11792 /* file name len */
11793 CHECK_BYTE_COUNT_SUBR(4);
/* fn_len is a 32-bit value taken straight from the packet, so it is
 * untrusted; the only visible bound on it is the CHECK_BYTE_COUNT_SUBR(fn_len)
 * below, which compares it with the 16-bit *bcp.
 * NOTE(review): fn_len's declaration is not visible in this listing. If it
 * is a signed int, confirm that the check also rejects wire values above
 * INT_MAX before fn_len is handed to the string helper as a length. */
11794 fn_len = (guint32)tvb_get_letohl(tvb, offset);
11795 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11796 COUNT_BYTES_SUBR(4);
/* file name */
11800 CHECK_BYTE_COUNT_SUBR(fn_len);
/* No CHECK_STRING_SUBR(fn) follows this call, unlike the sibling name
 * dissectors; original line 11802 is missing from this listing, so whether
 * fn is NULL-checked before use cannot be confirmed from here. */
11801 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
11803 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11805 COUNT_BYTES_SUBR(fn_len);
11815 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
11816 as described in 4.2.16.10
/* Dissects a chain of SMB_QUERY_FILE_STREAM_INFO entries. Each entry holds
 * a 4-byte next-entry offset (neo), a 4-byte stream name length, an 8-byte
 * stream size, an 8-byte allocation size and the stream name; the name is
 * decoded according to the caller-supplied unicode flag.
 * The loop header and the condition guarding the break are on lines missing
 * from this listing. Both neo and the name length come from the packet and
 * must be treated as untrusted.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they return early when *bcp is too small - confirm. */
11819 dissect_qfi_SMB_FILE_STREAM_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree,
11820 int offset, guint16 *bcp, gboolean *trunc, int unicode)
/* remember where this entry starts; neo is relative to it (see padcnt) */
11832 old_offset = offset;
11834 /* next entry offset */
11835 CHECK_BYTE_COUNT_SUBR(4);
/* make sure all *bcp remaining bytes are present before creating an item
 * that spans them; the item length is corrected after the entry is parsed */
11837 tvb_ensure_bytes_exist(tvb, offset, *bcp);
11838 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
11839 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11845 neo = tvb_get_letohl(tvb, offset);
11846 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11847 COUNT_BYTES_SUBR(4);
11849 /* stream name len */
11850 CHECK_BYTE_COUNT_SUBR(4);
11851 fn_len = tvb_get_letohl(tvb, offset);
11852 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
11853 COUNT_BYTES_SUBR(4);
/* stream size (8 bytes) */
11856 CHECK_BYTE_COUNT_SUBR(8);
11857 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
11858 COUNT_BYTES_SUBR(8);
11860 /* allocation size */
11861 CHECK_BYTE_COUNT_SUBR(8);
11862 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11863 COUNT_BYTES_SUBR(8);
/* stream name; fn_len (from the packet) is passed in by address */
11866 fn = get_unicode_or_ascii_string(tvb, &offset, unicode, &fn_len, FALSE, TRUE, bcp);
11867 CHECK_STRING_SUBR(fn);
11868 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
11870 COUNT_BYTES_SUBR(fn_len);
/* format_text() is applied to the name before it is appended to the item
 * label; then the item is shrunk to the bytes actually consumed */
11872 proto_item_append_text(item, ": %s", format_text(fn, strlen(fn)));
11873 proto_item_set_len(item, offset-old_offset);
11876 break; /* no more structures */
11878 /* skip to next structure */
/* padcnt is derived from the untrusted neo. The "XXX - this is bogus"
 * fragment below presumably belongs to a branch that handles a neo pointing
 * backwards (negative padcnt); that branch is not visible in this listing,
 * so confirm it exists before relying on the check that follows. */
11879 padcnt = (old_offset + neo) - offset;
11882 * XXX - this is bogus; flag it?
11887 CHECK_BYTE_COUNT_SUBR(padcnt);
11888 COUNT_BYTES_SUBR(padcnt);
11896 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
11897 as described in 4.2.16.11
/* Adds the SMB_QUERY_FILE_COMPRESSION_INFO fields in wire order: 8-byte
 * compressed file size, 2-byte compression format, three 1-byte shift
 * values (unit, chunk, cluster) and 3 reserved bytes - 16 bytes in total.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound each read by *bcp and then advance offset - confirm. */
11900 dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11901 int offset, guint16 *bcp, gboolean *trunc)
11903 /* compressed file size */
11904 CHECK_BYTE_COUNT_SUBR(8);
11905 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
11906 COUNT_BYTES_SUBR(8);
11908 /* compression format */
11909 CHECK_BYTE_COUNT_SUBR(2);
11910 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
11911 COUNT_BYTES_SUBR(2);
11913 /* compression unit shift */
11914 CHECK_BYTE_COUNT_SUBR(1);
11915 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
11916 COUNT_BYTES_SUBR(1);
11918 /* compression chunk shift */
11919 CHECK_BYTE_COUNT_SUBR(1);
11920 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
11921 COUNT_BYTES_SUBR(1);
11923 /* compression cluster shift */
11924 CHECK_BYTE_COUNT_SUBR(1);
11925 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
11926 COUNT_BYTES_SUBR(1);
11928 /* 3 reserved bytes */
11929 CHECK_BYTE_COUNT_SUBR(3);
11930 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
11931 COUNT_BYTES_SUBR(3);
11937 /* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
/* Maps Unix file type codes to display names. The original line numbers
 * skip 11940 and 11945-11950, so further entries and the table terminator
 * are not shown in this listing.
 * NOTE(review): presumably attached to hf_smb_unix_file_type when that
 * field is registered - the registration is not visible here. */
11939 static const value_string unix_file_type_vals[] = {
11941 { 1, "Directory" },
11942 { 2, "Symbolic link" },
11943 { 3, "Character device" },
11944 { 4, "Block device" },
/* Dissects SMB_QUERY_FILE_UNIX_BASIC: file size, byte count, three 64-bit
 * timestamps, owner uid and gid, a 4-byte file type, device major/minor
 * numbers, unique id, permissions and link count.
 * The timestamps go through dissect_nt_64bit_time(), which advances offset
 * itself, so *bcp has to be reduced by hand after each call.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound each read by *bcp and then advance offset - confirm. */
11951 dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11952 int offset, guint16 *bcp, gboolean *trunc)
11954 /* End of file (file size) */
11955 CHECK_BYTE_COUNT_SUBR(8);
11956 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
11957 COUNT_BYTES_SUBR(8);
11959 /* Number of bytes */
11960 CHECK_BYTE_COUNT_SUBR(8);
11961 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
11962 COUNT_BYTES_SUBR(8);
11964 /* Last status change */
11965 CHECK_BYTE_COUNT_SUBR(8);
11966 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
11967 *bcp -= 8; /* dissect_nt_64bit_time() increments offset */
11969 /* Last access time */
11970 CHECK_BYTE_COUNT_SUBR(8);
/* the "*bcp -= 8" for this timestamp and the next is not visible in this
 * listing (original lines 11972 and 11977 are missing); confirm it is there,
 * otherwise the later byte-count checks would run against a stale *bcp */
11971 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
11974 /* Last modification time */
11975 CHECK_BYTE_COUNT_SUBR(8);
11976 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
11979 /* File owner uid */
11980 CHECK_BYTE_COUNT_SUBR(8);
11981 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
11982 COUNT_BYTES_SUBR(8);
11984 /* File group gid */
11985 CHECK_BYTE_COUNT_SUBR(8);
11986 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
11987 COUNT_BYTES_SUBR(8);
/* file type (4 bytes) */
11990 CHECK_BYTE_COUNT_SUBR(4);
11991 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
11992 COUNT_BYTES_SUBR(4);
11994 /* Major device number */
11995 CHECK_BYTE_COUNT_SUBR(8);
11996 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
11997 COUNT_BYTES_SUBR(8);
11999 /* Minor device number */
12000 CHECK_BYTE_COUNT_SUBR(8);
12001 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
12002 COUNT_BYTES_SUBR(8);
/* unique id (8 bytes) */
12005 CHECK_BYTE_COUNT_SUBR(8);
12006 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
12007 COUNT_BYTES_SUBR(8);
/* permissions (8 bytes) */
12010 CHECK_BYTE_COUNT_SUBR(8);
12011 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
12012 COUNT_BYTES_SUBR(8);
/* number of links (8 bytes) */
12015 CHECK_BYTE_COUNT_SUBR(8);
12016 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
12017 COUNT_BYTES_SUBR(8);
12019 /* Sometimes there is one extra byte in the data field which I
12020 guess could be padding, but we are only using 4 or 8 byte
12021 data types so this is a bit confusing. -tpot */
12027 /* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
/* Dissects SMB_QUERY_FILE_UNIX_LINK: a single string holding the link
 * destination, decoded according to si->unicode.
 * NOTE(review): pinfo is marked _U_ but is dereferenced on the first line,
 * so the marker looks stale (assuming _U_ is the unused-parameter macro).
 * CHECK_STRING_SUBR / COUNT_BYTES_SUBR are defined outside this listing;
 * presumably they return early on a NULL string and advance offset - confirm. */
12030 dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12031 int offset, guint16 *bcp, gboolean *trunc)
12033 smb_info_t *si = pinfo->private_data;
12037 DISSECTOR_ASSERT(si);
12039 /* Link destination */
12041 fn = get_unicode_or_ascii_string(
12042 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12044 CHECK_STRING_SUBR(fn);
12045 proto_tree_add_string(
12046 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
12047 COUNT_BYTES_SUBR(fn_len);
/* Dissects a POSIX ACL block: 2-byte version, 2-byte count of file ACEs,
 * 2-byte count of default ACEs, then one 10-byte ACE per file ACE
 * (1-byte type, 1-byte permission bitmask, 8 bytes whose layout depends on
 * the type).
 * In the visible lines, version and num_def_aces are read but not used
 * afterwards, and only num_file_aces drives a loop.
 * The loop count comes from the packet; what keeps a large count from
 * running past the data is the per-field byte-count check.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they return early when *bcp is too small - confirm. */
12056 dissect_qpi_unix_acl(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12057 int offset, guint16 *bcp, gboolean *trunc)
12059 guint16 version, num_file_aces, num_def_aces;
/* bit fields shown under the ACE permission byte */
12060 static const int *perm_fields[] = {
12061 &hf_smb_posix_ace_perm_read,
12062 &hf_smb_posix_ace_perm_write,
12063 &hf_smb_posix_ace_perm_execute,
/* version (2 bytes) */
12068 CHECK_BYTE_COUNT_SUBR(2);
12069 version = tvb_get_letohs(tvb, offset);
12070 proto_tree_add_item(tree, hf_smb_posix_acl_version, tvb, offset, 2, TRUE);
12071 COUNT_BYTES_SUBR(2);
12073 /* num file acls */
12074 CHECK_BYTE_COUNT_SUBR(2);
12075 num_file_aces = tvb_get_letohs(tvb, offset);
12076 proto_tree_add_item(tree, hf_smb_posix_num_file_aces, tvb, offset, 2, TRUE);
12077 COUNT_BYTES_SUBR(2);
12079 /* num default acls */
12080 CHECK_BYTE_COUNT_SUBR(2);
12081 num_def_aces = tvb_get_letohs(tvb, offset);
12082 proto_tree_add_item(tree, hf_smb_posix_num_def_aces, tvb, offset, 2, TRUE);
12083 COUNT_BYTES_SUBR(2);
/* one iteration per file ACE; the count is untrusted wire data */
12085 while(num_file_aces--){
12088 int old_offset = offset;
/* zero-length item for now; its length is set once the ACE is parsed */
12091 it = proto_tree_add_text(tree, tvb, offset, 0, "ACE");
12092 tr = proto_item_add_subtree(it, ett_smb_posic_ace);
/* ACE type (1 byte), used to pick the layout of the trailing 8 bytes */
12095 CHECK_BYTE_COUNT_SUBR(1);
12096 ace_type = tvb_get_guint8(tvb, offset);
12097 proto_tree_add_item(tr, hf_smb_posix_ace_type, tvb, offset, 1, TRUE);
12098 COUNT_BYTES_SUBR(1);
/* permission bits (1 byte) */
12100 CHECK_BYTE_COUNT_SUBR(1);
12101 proto_tree_add_bitmask(tr, tvb, offset, hf_smb_posix_ace_flags, ett_smb_posix_ace_perms, perm_fields, FALSE);
12102 COUNT_BYTES_SUBR(1);
12105 case POSIX_ACE_TYPE_USER_OBJ:
12106 CHECK_BYTE_COUNT_SUBR(4);
12107 proto_tree_add_item(tr, hf_smb_posix_ace_perm_owner_uid, tvb, offset, 4, TRUE);
12108 COUNT_BYTES_SUBR(4);
12110 CHECK_BYTE_COUNT_SUBR(4);
12111 /* 4 reserved bytes */
12112 COUNT_BYTES_SUBR(4);
12114 case POSIX_ACE_TYPE_GROUP_OBJ:
12115 CHECK_BYTE_COUNT_SUBR(4);
12116 proto_tree_add_item(tr, hf_smb_posix_ace_perm_owner_gid, tvb, offset, 4, TRUE);
12117 COUNT_BYTES_SUBR(4);
12119 CHECK_BYTE_COUNT_SUBR(4);
12120 /* 4 reserved bytes */
12121 COUNT_BYTES_SUBR(4);
12124 case POSIX_ACE_TYPE_MASK:
12125 case POSIX_ACE_TYPE_OTHER:
12126 CHECK_BYTE_COUNT_SUBR(8);
12127 /* 8 reserved bytes */
12128 COUNT_BYTES_SUBR(8);
12131 case POSIX_ACE_TYPE_USER:
12132 CHECK_BYTE_COUNT_SUBR(4);
12133 proto_tree_add_item(tr, hf_smb_posix_ace_perm_uid, tvb, offset, 4, TRUE);
12134 COUNT_BYTES_SUBR(4);
12136 CHECK_BYTE_COUNT_SUBR(4);
12137 /* 4 reserved bytes */
12138 COUNT_BYTES_SUBR(4);
12141 case POSIX_ACE_TYPE_GROUP:
12142 CHECK_BYTE_COUNT_SUBR(4);
12143 proto_tree_add_item(tr, hf_smb_posix_ace_perm_gid, tvb, offset, 4, TRUE);
12144 COUNT_BYTES_SUBR(4);
12146 CHECK_BYTE_COUNT_SUBR(4);
12147 /* 4 reserved bytes */
12148 COUNT_BYTES_SUBR(4);
/* unrecognised type: flag it in the tree and still skip the 8 bytes so the
 * next ACE is read from the right place */
12151 proto_tree_add_text(tr, tvb, offset, 0, "Unknown posix ace type");
12152 CHECK_BYTE_COUNT_SUBR(8);
12154 COUNT_BYTES_SUBR(8);
12157 proto_item_set_len(it, offset-old_offset);
/* Placeholder for the Unix XATTR info level: adds a zero-length
 * "Not Implemented yet" text item and dissects nothing.
 * NOTE(review): every parameter is marked _U_, yet tree, tvb and offset are
 * used in the call below; the markers on those three look stale (assuming
 * _U_ is the unused-parameter macro). */
12164 dissect_qpi_unix_xattr(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12165 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12167 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/* Placeholder for the Unix attribute-flags info level: adds a zero-length
 * "Not Implemented yet" text item and dissects nothing.
 * NOTE(review): every parameter is marked _U_, yet tree, tvb and offset are
 * used in the call below; the markers on those three look stale (assuming
 * _U_ is the unused-parameter macro). */
12173 dissect_qpi_unix_attr_flags(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12174 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12176 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/* Placeholder for the Unix permissions info level: adds a zero-length
 * "Not Implemented yet" text item and dissects nothing.
 * NOTE(review): every parameter is marked _U_, yet tree, tvb and offset are
 * used in the call below; the markers on those three look stale (assuming
 * _U_ is the unused-parameter macro). */
12182 dissect_qpi_unix_permissions(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12183 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12185 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/* Placeholder for the Unix lock info level: adds a zero-length
 * "Not Implemented yet" text item and dissects nothing.
 * NOTE(review): every parameter is marked _U_, yet tree, tvb and offset are
 * used in the call below; the markers on those three look stale (assuming
 * _U_ is the unused-parameter macro). */
12191 dissect_qpi_unix_lock(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12192 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12194 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/* Placeholder for the Unix open info level: adds a zero-length
 * "Not Implemented yet" text item and dissects nothing.
 * NOTE(review): every parameter is marked _U_, yet tree, tvb and offset are
 * used in the call below; the markers on those three look stale (assuming
 * _U_ is the unused-parameter macro). */
12200 dissect_qpi_unix_open(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12201 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12203 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
/* Placeholder for the Unix unlink info level: adds a zero-length
 * "Not Implemented yet" text item and dissects nothing.
 * NOTE(review): every parameter is marked _U_, yet tree, tvb and offset are
 * used in the call below; the markers on those three look stale (assuming
 * _U_ is the unused-parameter macro). */
12209 dissect_qpi_unix_unlink(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_,
12210 int offset _U_, guint16 *bcp _U_, gboolean *trunc _U_)
12212 proto_tree_add_text(tree, tvb, offset, 0, "Not Implemented yet");
12217 /* this dissects the SMB_QUERY_FILE_NETWORK_OPEN_INFO
/* Dissects SMB_QUERY_FILE_NETWORK_OPEN_INFO: standard timestamps, 8-byte
 * allocation size, 8-byte end of file, 4-byte file attributes and a 4-byte
 * field whose meaning the original author did not know.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound each read by *bcp and then advance offset - confirm. */
12220 dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvbuff_t *tvb,
12221 packet_info *pinfo, proto_tree *tree,
12222 int offset, guint16 *bcp, gboolean *trunc)
12225 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
12230 /* allocation size */
12231 CHECK_BYTE_COUNT_SUBR(8);
12232 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12233 COUNT_BYTES_SUBR(8);
/* end of file (8 bytes) */
12236 CHECK_BYTE_COUNT_SUBR(8);
12237 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12238 COUNT_BYTES_SUBR(8);
12240 /* File Attributes */
12241 CHECK_BYTE_COUNT_SUBR(4);
/* offset is taken from the helper's return value; the matching *bcp
 * adjustment is not visible in this listing - confirm in the full file */
12242 offset = dissect_file_attributes(tvb, tree, offset, 4);
12245 /* Unknown, possibly count of network accessors ... */
12246 CHECK_BYTE_COUNT_SUBR(4);
12247 proto_tree_add_item(tree, hf_smb_network_unknown, tvb, offset, 4, TRUE);
12248 COUNT_BYTES_SUBR(4);
12254 /* this dissects the SMB_FILE_ATTRIBUTE_TAG_INFO
/* Dissects SMB_FILE_ATTRIBUTE_TAG_INFO: a 4-byte attribute field followed
 * by a 4-byte reparse tag.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound each read by *bcp and then advance offset - confirm. */
12257 dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvbuff_t *tvb,
12258 packet_info *pinfo _U_, proto_tree *tree,
12259 int offset, guint16 *bcp, gboolean *trunc)
/* attribute (4 bytes) */
12262 CHECK_BYTE_COUNT_SUBR(4);
12263 proto_tree_add_item(tree, hf_smb_attribute, tvb, offset, 4, TRUE);
12264 COUNT_BYTES_SUBR(4);
/* reparse tag (4 bytes) */
12267 CHECK_BYTE_COUNT_SUBR(4);
12268 proto_tree_add_item(tree, hf_smb_reparse_tag, tvb, offset, 4, TRUE);
12269 COUNT_BYTES_SUBR(4);
12275 /* this dissects the SMB_SET_FILE_DISPOSITION_INFO
12276 as described in 4.2.19.2
/* Adds the single 1-byte "marked for deletion" flag of
 * SMB_SET_FILE_DISPOSITION_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
12279 dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12280 int offset, guint16 *bcp, gboolean *trunc)
12282 /* marked for deletion? */
12283 CHECK_BYTE_COUNT_SUBR(1);
12284 proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, TRUE);
12285 COUNT_BYTES_SUBR(1);
12291 /* this dissects the SMB_SET_FILE_ALLOCATION_INFO
12292 as described in 4.2.19.3
/* Adds the single 8-byte allocation size field of
 * SMB_SET_FILE_ALLOCATION_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
12295 dissect_4_2_19_3(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12296 int offset, guint16 *bcp, gboolean *trunc)
12298 /* file allocation size */
12299 CHECK_BYTE_COUNT_SUBR(8);
12300 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12301 COUNT_BYTES_SUBR(8);
12307 /* this dissects the SMB_SET_FILE_END_OF_FILE_INFO
12308 as described in 4.2.19.4
/* Adds the single 8-byte end-of-file offset field of
 * SMB_SET_FILE_END_OF_FILE_INFO to the tree.
 * NOTE(review): the byte-count macros are defined outside this listing;
 * presumably they bound the read by *bcp and then advance offset - confirm. */
12311 dissect_4_2_19_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12312 int offset, guint16 *bcp, gboolean *trunc)
12314 /* file end of file offset */
12315 CHECK_BYTE_COUNT_SUBR(8);
12316 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12317 COUNT_BYTES_SUBR(8);
12323 /* Set File Rename Info */
/* Display strings for the "replace" flag of a rename request: first the
 * text shown when the flag is set, then the text shown when it is clear.
 * NOTE(review): presumably attached to hf_smb_replace when that field is
 * registered - the registration is not visible in this listing. */
12325 static const true_false_string tfs_smb_replace = {
12326 "Remove target file if it exists",
12327 "Do NOT remove target file if it exists",
/* Dissects a Set File Rename block: 4-byte replace flag, 4-byte root
 * directory handle, 4-byte target name length and the target name.
 * The name length is read from the packet and handed to
 * get_unicode_or_ascii_string() through fn_len, so it is untrusted input.
 * NOTE(review): pinfo is marked _U_ but is dereferenced on the first line,
 * so the marker looks stale (assuming _U_ is the unused-parameter macro).
 * The byte-count and string macros are defined outside this listing;
 * presumably they return early on short data or a NULL string - confirm. */
12331 dissect_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12332 int offset, guint16 *bcp, gboolean *trunc)
12334 smb_info_t *si = pinfo->private_data;
12336 guint32 target_name_len;
12339 DISSECTOR_ASSERT(si);
/* replace flag (4 bytes) */
12342 CHECK_BYTE_COUNT_SUBR(4);
12343 proto_tree_add_item(tree, hf_smb_replace, tvb, offset, 4, TRUE);
12344 COUNT_BYTES_SUBR(4);
12346 /* Root directory handle */
12347 CHECK_BYTE_COUNT_SUBR(4);
12348 proto_tree_add_item(tree, hf_smb_root_dir_handle, tvb, offset, 4, TRUE);
12349 COUNT_BYTES_SUBR(4);
12351 /* Target name length */
12352 CHECK_BYTE_COUNT_SUBR(4);
12353 target_name_len = tvb_get_letohl(tvb, offset);
12354 proto_tree_add_uint(tree, hf_smb_target_name_len, tvb, offset, 4, target_name_len);
12355 COUNT_BYTES_SUBR(4);
/* Target name. No CHECK_BYTE_COUNT_SUBR(target_name_len) is visible before
 * the length is used, so the helper is what has to bound it against bcp.
 * NOTE(review): fn_len's declaration is not visible in this listing; if it
 * is a signed int, confirm how a 32-bit wire value above INT_MAX is handled
 * by this assignment and by the helper. */
12358 fn_len = target_name_len;
12359 fn = get_unicode_or_ascii_string(
12360 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12362 CHECK_STRING_SUBR(fn);
12363 proto_tree_add_string(
12364 tree, hf_smb_target_name, tvb, offset, fn_len, fn);
12365 COUNT_BYTES_SUBR(fn_len);
/* Dissects a Set Disposition Information block: a single 1-byte field
 * holding the delete-on-close flag.
 * In the visible lines si is fetched and asserted but not otherwise used.
 * NOTE(review): pinfo is marked _U_ but is dereferenced on the first line,
 * so the marker looks stale (assuming _U_ is the unused-parameter macro).
 * The byte-count macros are defined outside this listing; presumably they
 * bound the read by *bcp and then advance offset - confirm. */
12372 dissect_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12373 int offset, guint16 *bcp, gboolean *trunc)
12375 smb_info_t *si = pinfo->private_data;
12376 /* const char *fn;*/
12377 /* guint32 target_name_len;*/
12380 DISSECTOR_ASSERT(si);
12382 /* Disposition flags */
12383 CHECK_BYTE_COUNT_SUBR(1);
12384 proto_tree_add_item(tree, hf_smb_disposition_delete_on_close, tvb, offset, 1, TRUE);
12385 COUNT_BYTES_SUBR(1);
/* Dissects a Set Pipe Info block: a single 1-byte pipe info flag.
 * In the visible lines si is fetched and asserted but not otherwise used.
 * NOTE(review): pinfo is marked _U_ but is dereferenced on the first line,
 * so the marker looks stale (assuming _U_ is the unused-parameter macro).
 * The byte-count macros are defined outside this listing; presumably they
 * bound the read by *bcp and then advance offset - confirm. */
12392 dissect_sfi_SMB_FILE_PIPE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12393 int offset, guint16 *bcp, gboolean *trunc)
12395 smb_info_t *si = pinfo->private_data;
12397 DISSECTOR_ASSERT(si);
12399 /* pipe info flag */
12400 CHECK_BYTE_COUNT_SUBR(1);
12401 proto_tree_add_item(tree, hf_smb_pipe_info_flag, tvb, offset, 1, TRUE);
12402 COUNT_BYTES_SUBR(1);
12408 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
12409 TRANS2_QUERY_FILE_INFORMATION*/
/* Dispatches the data block of a TRANS2 query path/file information reply
 * to the sub-dissector that matches si->info_level. Both the legacy
 * numbering (1-6, 0x01xx, 0x02xx) and the pass-through numbering (1004 and
 * up) are handled; several pairs of levels share one sub-dissector.
 * si->info_level is read from per-packet state (pinfo->private_data); how
 * it was set is outside this listing. The continuation lines of most calls
 * and the statements between cases are missing from this listing. */
12411 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12412 int offset, guint16 *bcp)
12421 si = (smb_info_t *)pinfo->private_data;
12422 DISSECTOR_ASSERT(si);
12424 switch(si->info_level){
12425 case 1: /*Info Standard*/
12426 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
12430 case 2: /*Info Query EA Size*/
12431 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12434 case 3: /*Info Query EAs From List*/
12435 case 4: /*Info Query All EAs*/
12436 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12439 case 6: /*Info Is Name Valid*/
12440 offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
12443 case 0x0101: /*Query File Basic Info*/
12444 case 1004: /* SMB_FILE_BASIC_INFORMATION */
12445 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
12448 case 0x0102: /*Query File Standard Info*/
12449 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
12450 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, bcp,
12453 case 1006: /* SMB_FILE_INTERNAL_INFORMATION */
12454 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, bcp,
12457 case 0x0103: /*Query File EA Info*/
12458 case 1007: /* SMB_FILE_EA_INFORMATION */
12459 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, bcp,
12462 case 0x0104: /*Query File Name Info*/
12463 case 1009: /* SMB_FILE_NAME_INFORMATION */
12464 offset = dissect_qfi_SMB_FILE_ALTERNATE_NAME_INFO(tvb, pinfo, tree, offset, bcp,
12467 case 1014: /* SMB_FILE_POSITION_INFORMATION */
12468 offset = dissect_qfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, bcp,
12471 case 1016: /* SMB_FILE_MODE_INFORMATION */
12472 offset = dissect_qfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, bcp,
12475 case 1017: /* SMB_FILE_ALIGNMENT_INFORMATION */
12476 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, bcp,
12479 case 0x0107: /*Query File All Info*/
12480 case 1018: /* SMB_FILE_ALL_INFORMATION */
12481 offset = dissect_qfi_SMB_FILE_ALL_INFO(tvb, pinfo, tree, offset, bcp,
12484 case 1019: /* SMB_FILE_ALLOCATION_INFORMATION */
12485 offset = dissect_qfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, bcp,
12488 case 1020: /* SMB_FILE_ENDOFFILE_INFORMATION */
12489 offset = dissect_qfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, bcp,
12492 case 0x0108: /*Query File Alt File Info*/
12493 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
12494 offset = dissect_qfi_SMB_FILE_ALTERNATE_NAME_INFO(tvb, pinfo, tree, offset, bcp,
12497 case 1022: /* SMB_FILE_STREAM_INFORMATION */
/* Deliberate fall-through into 0x0109: the original line numbers 12498 and
 * 12499 are consecutive, so there is no break here. Level 1022 forces
 * Unicode first. The write goes through si, i.e. into the structure that
 * pinfo->private_data points to, so it stays set after this call returns. */
12498 si->unicode = TRUE;
12499 case 0x0109: /*Query File Stream Info*/
12500 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, bcp,
12501 &trunc, si->unicode);
12503 case 0x010b: /*Query File Compression Info*/
12504 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
12505 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, bcp,
12508 case 1034: /* SMB_FILE_NETWORK_OPEN_INFO */
12509 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, bcp, &trunc);
12511 case 1035: /* SMB_FILE_ATTRIBUTE_TAG_INFO */
12512 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, bcp, &trunc);
12514 case 0x0200: /* Query File Unix Basic*/
12515 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
12518 case 0x0201: /* Query File Unix Link*/
12519 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
/* level 0x0202 is recognised but no sub-dissector is called for it */
12522 case 0x0202: /* Query File Unix HardLink*/
12523 /* XXX add this from the SNIA doc */
12525 case 0x0204: /* Query File Unix ACL*/
12526 offset = dissect_qpi_unix_acl(tvb, pinfo, tree, offset, bcp,
12529 case 0x0205: /* Query File Unix XATTR*/
12530 offset = dissect_qpi_unix_xattr(tvb, pinfo, tree, offset, bcp,
12533 case 0x0206: /* Query File Unix Attr Flags*/
12534 offset = dissect_qpi_unix_attr_flags(tvb, pinfo, tree, offset, bcp,
12537 case 0x0207: /* Query File Unix Permissions*/
12538 offset = dissect_qpi_unix_permissions(tvb, pinfo, tree, offset, bcp,
12541 case 0x0208: /* Query File Unix Lock*/
12542 offset = dissect_qpi_unix_lock(tvb, pinfo, tree, offset, bcp,
12550 /*dissect the data block for TRANS2_SET_PATH_INFORMATION and
12551 TRANS2_SET_FILE_INFORMATION*/
/* Dispatches the data block of a TRANS2 set path/file information request
 * to the sub-dissector that matches si->info_level. Some levels reuse the
 * query-side dissectors (the Unix basic/link levels say so in their case
 * comments); note that 0x0102-0x0104 mean different things here than in
 * the query dispatcher.
 * si->info_level is read from per-packet state (pinfo->private_data); how
 * it was set is outside this listing. The continuation lines of the calls
 * and the statements between cases are missing from this listing. */
12553 dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12554 int offset, guint16 *bcp)
12563 si = (smb_info_t *)pinfo->private_data;
12564 DISSECTOR_ASSERT(si);
12566 switch(si->info_level){
12567 case 1: /*Info Standard*/
12568 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
12571 case 2: /*Info Query EA Size*/
12572 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12575 case 4: /*Info Query All EAs*/
12576 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
12579 case 0x0101: /*Set File Basic Info*/
12580 case 1004: /* SMB_FILE_BASIC_INFORMATION */
12581 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
12584 case 0x0102: /*Set File Disposition Info*/
12585 offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
12588 case 0x0103: /*Set File Allocation Info*/
12589 offset = dissect_4_2_19_3(tvb, pinfo, tree, offset, bcp,
12592 case 0x0104: /*Set End Of File Info*/
12593 offset = dissect_4_2_19_4(tvb, pinfo, tree, offset, bcp,
12596 case 0x0200: /*Set File Unix Basic. Same as query. */
12597 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
12600 case 0x0201: /*Set File Unix Link. Same as query. */
12601 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
12604 case 0x0202: /*Set File Unix HardLink. Same as link query. */
12605 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
12608 case 0x0204: /* Set File Unix ACL*/
12609 offset = dissect_qpi_unix_acl(tvb, pinfo, tree, offset, bcp,
/* the next five levels go to placeholder dissectors that only add a
 * "Not Implemented yet" item */
12612 case 0x0205: /* Set File Unix XATTR*/
12613 offset = dissect_qpi_unix_xattr(tvb, pinfo, tree, offset, bcp,
12616 case 0x0206: /* Set File Unix Attr Flags*/
12617 offset = dissect_qpi_unix_attr_flags(tvb, pinfo, tree, offset, bcp,
12620 case 0x0208: /* Set File Unix Lock*/
12621 offset = dissect_qpi_unix_lock(tvb, pinfo, tree, offset, bcp,
12624 case 0x0209: /* Set File Unix Open*/
12625 offset = dissect_qpi_unix_open(tvb, pinfo, tree, offset, bcp,
12628 case 0x020a: /* Set File Unix Unlink*/
12629 offset = dissect_qpi_unix_unlink(tvb, pinfo, tree, offset, bcp,
12632 case 1010: /* Set File Rename */
12633 offset = dissect_rename_info(tvb, pinfo, tree, offset, bcp,
12636 case 1013: /* Set Disposition Information */
12637 offset = dissect_disposition_info(tvb, pinfo, tree, offset, bcp,
12640 case 1023: /* Set Pipe Info */
12641 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, bcp,
12653 /* XXX: TODO, extra levels discovered by tridge */
/* Display strings for the four quota flag bits; in each table the first
 * string is shown when the bit is set and the second when it is clear.
 * NOTE(review): "of this fs" in the enabled table reads like a typo for
 * "on this fs"; it is displayed text, so it is left unchanged here. */
12661 static const true_false_string tfs_quota_flags_deny_disk = {
12662 "DENY DISK SPACE for users exceeding quota limit",
12663 "Do NOT deny disk space for users exceeding quota limit"
12665 static const true_false_string tfs_quota_flags_log_limit = {
12666 "LOG EVENT when a user exceeds their QUOTA LIMIT",
12667 "Do NOT log event when a user exceeds their quota limit"
12669 static const true_false_string tfs_quota_flags_log_warning = {
12670 "LOG EVENT when a user exceeds their WARNING LEVEL",
12671 "Do NOT log event when a user exceeds their warning level"
12673 static const true_false_string tfs_quota_flags_enabled = {
12674 "Quotas are ENABLED of this fs",
12675 "Quotas are NOT enabled on this fs"
/* Dissects the 1-byte quota flags field at offset: adds a summary text item
 * showing the raw value and "Enabled"/"Disabled" (any non-zero value counts
 * as enabled), then one boolean item per flag under a subtree.
 * The byte is read with tvb_get_guint8() and no byte-count argument is
 * taken, so the caller is responsible for checking that one byte remains. */
12678 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12684 mask = tvb_get_guint8(tvb, offset);
12687 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
12688 "Quota Flags: 0x%02x %s", mask,
12689 mask?"Enabled":"Disabled");
12690 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
12692 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
12693 tvb, offset, 1, mask);
12694 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
12695 tvb, offset, 1, mask);
12696 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
12697 tvb, offset, 1, mask);
/* Some other flag is set while bit 0x01 is clear: add a hidden "enabled"
 * item with the value 0x01 in addition to the visible one below.
 * NOTE(review): presumably so a display filter on the enabled field still
 * matches in this case - confirm the intent. */
12699 if(mask && (!(mask&0x01))){
12700 proto_item *hidden_item;
12701 hidden_item = proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
12702 tvb, offset, 1, 0x01);
12703 PROTO_ITEM_SET_HIDDEN(hidden_item);
/* the visible "enabled" item always reflects the real mask value */
12705 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
12706 tvb, offset, 1, mask);
/* Dissects an NT quota block: 24 unknown bytes, 8-byte soft quota limit,
 * 8-byte hard quota limit, 1 byte of quota flags (via dissect_quota_flags)
 * and 7 more unknown bytes - 48 bytes in total.
 * This function uses the _TRANS_ variants of the byte-count macros and has
 * no trunc parameter.
 * NOTE(review): those macros are defined outside this listing; presumably
 * they return early when fewer than N bytes remain in *bcp and then advance
 * offset - confirm against the macro definitions. */
12713 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
12715 /* first 24 bytes are unknown */
12716 CHECK_BYTE_COUNT_TRANS_SUBR(24);
12717 proto_tree_add_item(tree, hf_smb_unknown, tvb,
12719 COUNT_BYTES_TRANS_SUBR(24);
12721 /* number of bytes for quota warning */
12722 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12723 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
12724 COUNT_BYTES_TRANS_SUBR(8);
12726 /* number of bytes for quota limit */
12727 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12728 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
12729 COUNT_BYTES_TRANS_SUBR(8);
12731 /* one byte of quota flags */
12732 CHECK_BYTE_COUNT_TRANS_SUBR(1);
/* the helper's return value is not used; offset is advanced by the macro */
12733 dissect_quota_flags(tvb, tree, offset);
12734 COUNT_BYTES_TRANS_SUBR(1);
12736 /* these 7 bytes are unknown */
12737 CHECK_BYTE_COUNT_TRANS_SUBR(7);
12738 proto_tree_add_item(tree, hf_smb_unknown, tvb,
12740 COUNT_BYTES_TRANS_SUBR(7);
/*
 * Dissect the data block of a TRANSACTION2 request.
 *
 * subcmd selects the per-subcommand handling below and dc is the data
 * count handed in by the caller. The whole dc-byte range is checked with
 * tvb_ensure_bytes_exist() before a subtree item of that length is added.
 * Subcommands that have a helper pass &dc to it (presumably so the helper
 * can update the remaining count); bytes still counted in dc at the end
 * are shown as hf_smb_unknown.
 *
 * NOTE(review): this listing omits some lines of the function (braces,
 * the switch header, break statements, guards around the tree calls);
 * the comments added here describe only the statements that are shown.
 */
12746 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
12747 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
12749 proto_item *item = NULL;
12750 proto_tree *tree = NULL;
12753 si = (smb_info_t *)pinfo->private_data;
12754 DISSECTOR_ASSERT(si);
/* dc is a length taken from the packet by the caller: stop with a bounds
   exception here if the capture does not hold that many bytes. */
12757 tvb_ensure_bytes_exist(tvb, offset, dc);
12758 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12760 val_to_str(subcmd, trans2_cmd_vals,
12761 "Unknown (0x%02x)"));
12762 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
12766 case 0x00: /*TRANS2_OPEN2*/
12767 /* XXX dont know how to decode FEAList */
12769 case 0x01: /*TRANS2_FIND_FIRST2*/
12770 /* XXX dont know how to decode FEAList */
12772 case 0x02: /*TRANS2_FIND_NEXT2*/
12773 /* XXX dont know how to decode FEAList */
12775 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
12776 /* no data field in this request */
12778 case 0x04: /* TRANS2_SET_QUOTA */
12779 offset = dissect_nt_quota(tvb, tree, offset, &dc);
12781 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
12782 /* no data field in this request */
12784 * XXX - "Microsoft Networks SMB File Sharing Protocol
12785 * Extensions Version 3.0, Document Version 1.11,
12786 * July 19, 1990" says there may be "Additional
12787 * FileInfoLevel dependent information" here.
12789 * Was that just a cut-and-pasteo?
12790 * TRANS2_SET_PATH_INFORMATION *does* have that information
12794 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
12795 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
12797 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
12798 /* no data field in this request */
12800 * XXX - "Microsoft Networks SMB File Sharing Protocol
12801 * Extensions Version 3.0, Document Version 1.11,
12802 * July 19, 1990" says there may be "Additional
12803 * FileInfoLevel dependent information" here.
12805 * Was that just a cut-and-pasteo?
12806 * TRANS2_SET_FILE_INFORMATION *does* have that information
12810 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
12811 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
12813 case 0x09: /*TRANS2_FSCTL*/
12814 /*XXX dont know how to decode this yet */
12817 * XXX - "Microsoft Networks SMB File Sharing Protocol
12818 * Extensions Version 3.0, Document Version 1.11,
12819 * July 19, 1990" says this this contains a
12820 * "File system specific data block". (That means we
12821 * may not be able to dissect it in any case.)
12824 case 0x0a: /*TRANS2_IOCTL2*/
12825 /*XXX dont know how to decode this yet */
12828 * XXX - "Microsoft Networks SMB File Sharing Protocol
12829 * Extensions Version 3.0, Document Version 1.11,
12830 * July 19, 1990" says this this contains a
12831 * "Device/function specific data block". (That
12832 * means we may not be able to dissect it in any case.)
12835 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
12836 /*XXX dont know how to decode this yet */
12839 * XXX - "Microsoft Networks SMB File Sharing Protocol
12840 * Extensions Version 3.0, Document Version 1.11,
12841 * July 19, 1990" says this this contains "additional
12842 * level dependent match data".
12845 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
12846 /*XXX dont know how to decode this yet */
12849 * XXX - "Microsoft Networks SMB File Sharing Protocol
12850 * Extensions Version 3.0, Document Version 1.11,
12851 * July 19, 1990" says this this contains "additional
12852 * level dependent monitor information".
12855 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
12856 /* XXX optional FEAList, unknown what FEAList looks like*/
12858 case 0x0e: /*TRANS2_SESSION_SETUP*/
12859 /*XXX dont know how to decode this yet */
12861 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
12862 /* no data field in this request */
12864 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
12865 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
12869 /* ooops there were data we didnt know how to process */
/* The leftover dc bytes are only displayed as an opaque field; nothing
   in them is interpreted. */
12871 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Generic display of a transaction's contents, used by the caller when
 * no more specific dissector handled it: each setup word is shown as a
 * little-endian 16-bit value, and the parameter and data buffers are
 * shown as byte strings. Any of the three tvbuffs may be NULL, in which
 * case that part is skipped.
 */
12880 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
12888 * Show the setup words.
12890 if (s_tvb != NULL) {
/* The loop is driven by the reported length, which can exceed what was
   captured; tvb_get_letohs() raises a bounds exception in that case
   instead of reading past the buffer. */
12891 length = tvb_reported_length(s_tvb);
12892 for (i = 0, offset = 0; length >= 2;
12893 i++, offset += 2, length -= 2) {
12895 * XXX - add a setup word filterable field?
12897 proto_tree_add_text(tree, s_tvb, offset, 2,
12898 "Setup Word %d: 0x%04x", i,
12899 tvb_get_letohs(s_tvb, offset));
12904 * Show the parameters, if any.
12906 if (p_tvb != NULL) {
12907 length = tvb_reported_length(p_tvb);
12909 proto_tree_add_text(tree, p_tvb, 0, length,
12911 tvb_bytes_to_str(p_tvb, 0, length));
12916 * Show the data, if any.
12918 if (d_tvb != NULL) {
12919 length = tvb_reported_length(d_tvb);
12921 proto_tree_add_text(tree, d_tvb, 0, length,
12922 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
12927 /* This routine handles the following 4 calls
12929 Transaction Secondary 0x26
12931 Transaction2 Secondary 0x33
/*
 * Dissect the request side of Transaction / Transaction2 and their
 * Secondary variants.
 *
 * The counts, offsets and displacements used below (pc, po, pd, dc, od,
 * dd, sc) are 16-bit or 8-bit values read straight from the packet, so
 * every later use of them as an offset or a length depends on data the
 * sender controls. The smb_tree argument is unused (_U_).
 *
 * NOTE(review): this listing omits some lines of the function (braces,
 * several conditions and declarations); the comments added here describe
 * only the statements that are shown.
 */
12934 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
12941 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
12945 const char *an = NULL;
12947 smb_transact2_info_t *t2i;
12948 smb_transact_info_t *tri;
12951 gboolean dissected_trans;
12953 si = (smb_info_t *)pinfo->private_data;
12954 DISSECTOR_ASSERT(si);
12959 /*secondary client request*/
12961 /* total param count, only a 16bit integer here*/
12962 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12965 /* total data count , only 16bit integer here*/
12966 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12970 pc = tvb_get_letohs(tvb, offset);
12971 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
12975 po = tvb_get_letohs(tvb, offset);
12976 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
12980 pd = tvb_get_letohs(tvb, offset);
12981 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
12985 dc = tvb_get_letohs(tvb, offset);
12986 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
12990 od = tvb_get_letohs(tvb, offset);
12991 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
12995 dd = tvb_get_letohs(tvb, offset);
12996 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
12999 if(si->cmd==SMB_COM_TRANSACTION2){
13003 fid = tvb_get_letohs(tvb, offset);
13004 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, FALSE, FALSE, FALSE);
13009 /* There are no setup words. */
13014 /* it is not a secondary request */
13016 /* total param count , only a 16 bit integer here*/
13017 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13020 /* total data count , only 16bit integer here*/
13021 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13024 /* max param count , only 16bit integer here*/
13025 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13028 /* max data count, only 16bit integer here*/
13029 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13032 /* max setup count, a single byte here */
13033 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
13036 /* reserved byte */
13037 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13040 /* transaction flags */
13041 tf = dissect_transaction_flags(tvb, tree, offset);
13045 to = tvb_get_letohl(tvb, offset);
13046 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", smbext20_timeout_msecs_to_str(to));
13049 /* 2 reserved bytes */
13050 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
13054 pc = tvb_get_letohs(tvb, offset);
13055 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
13059 po = tvb_get_letohs(tvb, offset);
13060 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
13063 /* param displacement is zero here */
13067 dc = tvb_get_letohs(tvb, offset);
13068 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
13072 od = tvb_get_letohs(tvb, offset);
13073 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
13076 /* data displacement is zero here */
13080 sc = tvb_get_guint8(tvb, offset);
13081 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
13084 /* reserved byte */
13085 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13088 /* this is where the setup bytes, if any start */
13092 /* if there were any setup bytes, decode them */
13096 case SMB_COM_TRANSACTION2:
13097 /* TRANSACTION2 only has one setup word and
13098 that is the subcommand code.
13100 XXX - except for TRANS2_FSCTL
13101 and TRANS2_IOCTL. */
13102 subcmd = tvb_get_letohs(tvb, offset);
13103 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
13104 tvb, offset, 2, subcmd);
13105 if (check_col(pinfo->cinfo, COL_INFO)) {
13106 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
13107 val_to_str(subcmd, trans2_cmd_vals,
13108 "Unknown (0x%02x)"));
/* First pass only (!visited): record the subcommand in per-request state
   hung off si->sip->extra_info, tagged SMB_EI_T2I so that later readers
   can check the type before using the pointer. */
13111 if(!pinfo->fd->flags.visited && si->sip){
13114 * smb_transact2_info_t
13117 t2i = se_alloc(sizeof(smb_transact2_info_t));
13118 t2i->subcmd = subcmd;
13119 t2i->info_level = -1;
13120 t2i->resume_keys = FALSE;
13122 si->sip->extra_info = t2i;
13123 si->sip->extra_info_type = SMB_EI_T2I;
13128 * XXX - process TRANS2_FSCTL and
13129 * TRANS2_IOCTL setup words here.
13133 case SMB_COM_TRANSACTION:
13134 /* TRANSACTION setup words processed below */
13145 /* primary request */
13146 /* name is NULL if transaction2 */
13147 if(si->cmd == SMB_COM_TRANSACTION){
13148 /* Transaction Name */
13149 an = get_unicode_or_ascii_string(tvb, &offset,
13150 si->unicode, &an_len, FALSE, FALSE, &bc);
13153 tvb_ensure_bytes_exist(tvb, offset, an_len);
13154 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
13155 offset, an_len, an);
13156 COUNT_BYTES(an_len);
13161 * The pipe or mailslot arguments for Transaction start with
13162 * the first setup word (or where the first setup word would
13163 * be if there were any setup words), and run to the current
13164 * offset (which could mean that there aren't any).
13167 spc = offset - spo;
/* NOTE(review): the padding lengths below are differences between a
   packet-supplied offset (po, od) and the current offset. The guards
   that keep them positive are not visible in this listing -- confirm
   they exist. tvb_ensure_bytes_exist() is called on each padding range
   before it is added to the tree. */
13171 /* We have some initial padding bytes.
13173 padcnt = po-offset;
13176 tvb_ensure_bytes_exist(tvb, offset, padcnt);
13177 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13178 COUNT_BYTES(padcnt);
13181 CHECK_BYTE_COUNT(pc);
13184 case SMB_COM_TRANSACTION2:
13185 /* TRANSACTION2 parameters*/
13186 offset = dissect_transaction2_request_parameters(tvb,
13187 pinfo, tree, offset, subcmd, pc);
13191 case SMB_COM_TRANSACTION:
13192 /* TRANSACTION parameters processed below */
13200 /* We have some initial padding bytes.
13202 padcnt = od-offset;
13205 tvb_ensure_bytes_exist(tvb, offset, padcnt);
13206 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13207 COUNT_BYTES(padcnt);
13210 CHECK_BYTE_COUNT(dc);
13213 case SMB_COM_TRANSACTION2:
13214 /* TRANSACTION2 data*/
13215 offset = dissect_transaction2_request_data(tvb, pinfo,
13216 tree, offset, subcmd, dc);
13220 case SMB_COM_TRANSACTION:
13221 /* TRANSACTION data processed below */
13227 /*TRANSACTION request parameters */
13228 if(si->cmd==SMB_COM_TRANSACTION){
13229 /*XXX replace this block with a function and use that one
13230 for both requests/responses*/
13232 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
13233 tvbuff_t *sp_tvb, *pd_tvb;
/* Sub-tvbuffs for parameters, data and setup words. When the count
   declared in the packet is larger than what remains in the capture,
   the captured length passed to tvb_new_subset() is clamped to
   tvb_length_remaining() while the reported length keeps the declared
   count. */
13236 if(pc>tvb_length_remaining(tvb, po)){
13237 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
13239 p_tvb = tvb_new_subset(tvb, po, pc, pc);
13245 if(dc>tvb_length_remaining(tvb, od)){
13246 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
13248 d_tvb = tvb_new_subset(tvb, od, dc, dc);
13254 if(sl>tvb_length_remaining(tvb, so)){
13255 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
13257 s_tvb = tvb_new_subset(tvb, so, sl, sl);
13264 if(!pinfo->fd->flags.visited && si->sip){
13266 * Allocate a new smb_transact_info_t
13269 tri = se_alloc(sizeof(smb_transact_info_t));
13271 tri->trans_subcmd = -1;
13272 tri->function = -1;
13274 tri->lanman_cmd = 0;
13275 tri->param_descrip = NULL;
13276 tri->data_descrip = NULL;
13277 tri->aux_data_descrip = NULL;
13278 tri->info_level = -1;
13279 si->sip->extra_info = tri;
13280 si->sip->extra_info_type = SMB_EI_TRI;
13283 * We already filled the structure
13284 * in; don't bother doing so again.
13290 * This is a unidirectional message, for
13291 * which there will be no reply; don't
13292 * bother allocating an "smb_transact_info_t"
13293 * structure for it.
13297 dissected_trans = FALSE;
/* NOTE(review): an starts out as NULL and the only visible assignment
   is the transaction-name read above; a NULL check ahead of these
   strncmp() calls is not visible in this listing -- confirm one exists
   for requests that carry no name. */
13300 if(strncmp("\\PIPE\\", an, 6) == 0){
13302 tri->subcmd=TRANSACTION_PIPE;
13305 * A tvbuff containing the setup words and
13308 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
13311 * A tvbuff containing the parameters and the
13314 pd_tvb = tvb_new_subset_remaining(tvb, po);
13316 dissected_trans = dissect_pipe_smb(sp_tvb,
13317 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
13320 /* In case we did not see the TreeConnect call,
13321 store this TID here as well as a IPC TID
13322 so we know that future Read/Writes to this
13323 TID is (probably) DCERPC.
13325 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))){
13326 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
13328 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
13329 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
13331 tri->subcmd=TRANSACTION_MAILSLOT;
13334 * A tvbuff containing the setup words and
13335 * the mailslot path.
13337 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
13338 dissected_trans = dissect_mailslot_smb(sp_tvb,
13339 s_tvb, d_tvb, an+10, pinfo, top_tree);
13341 if (!dissected_trans)
13342 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
13344 col_append_str(pinfo->cinfo, COL_INFO,
13345 "[transact continuation]");
/*
 * Dissect one entry of a find result (the item is labelled from
 * ff2_il_vals and uses the ett_smb_ff2_data subtree): resume key,
 * create / access / last-write date-times, data size, allocation size,
 * file attributes, a one-byte name length and the file name.
 *
 * bcp points at the remaining byte count. CHECK_BYTE_COUNT_SUBR and
 * COUNT_BYTES_SUBR are defined elsewhere in the file; presumably they
 * test and decrement *bcp and advance offset -- confirm there.
 *
 * NOTE(review): this listing omits some lines of the function; the
 * comments added here describe only the statements that are shown.
 */
13357 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13358 int offset, guint16 *bcp, gboolean *trunc)
13362 int old_offset = offset;
13363 proto_item *item = NULL;
13364 proto_tree *tree = NULL;
13366 smb_transact2_info_t *t2i;
13367 gboolean resume_keys = FALSE;
13369 si = (smb_info_t *)pinfo->private_data;
13370 DISSECTOR_ASSERT(si);
/* extra_info is only treated as an smb_transact2_info_t after its type
   tag has been checked. */
13372 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
13373 t2i = si->sip->extra_info;
13375 resume_keys = t2i->resume_keys;
13379 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13380 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13381 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13382 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13387 CHECK_BYTE_COUNT_SUBR(4);
13388 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
13389 COUNT_BYTES_SUBR(4);
13393 CHECK_BYTE_COUNT_SUBR(4);
13394 offset = dissect_smb_datetime(tvb, tree, offset,
13395 hf_smb_create_time,
13396 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
13400 CHECK_BYTE_COUNT_SUBR(4);
13401 offset = dissect_smb_datetime(tvb, tree, offset,
13402 hf_smb_access_time,
13403 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
13406 /* last write time */
13407 CHECK_BYTE_COUNT_SUBR(4);
13408 offset = dissect_smb_datetime(tvb, tree, offset,
13409 hf_smb_last_write_time,
13410 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
13414 CHECK_BYTE_COUNT_SUBR(4);
13415 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13416 COUNT_BYTES_SUBR(4);
13418 /* allocation size */
13419 CHECK_BYTE_COUNT_SUBR(4);
13420 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
13421 COUNT_BYTES_SUBR(4);
13423 /* File Attributes */
13424 CHECK_BYTE_COUNT_SUBR(2);
13425 offset = dissect_file_attributes(tvb, tree, offset, 2);
13428 /* file name len */
13429 CHECK_BYTE_COUNT_SUBR(1);
13430 fn_len = tvb_get_guint8(tvb, offset);
13431 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
13432 COUNT_BYTES_SUBR(1);
/* NOTE(review): the condition that picks one of the two increments
   below is not visible in this listing (presumably si->unicode). */
13434 fn_len += 2; /* include terminating '\0' */
13436 fn_len++; /* include terminating '\0' */
13439 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13440 CHECK_STRING_SUBR(fn);
13441 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13443 COUNT_BYTES_SUBR(fn_len);
/* The file name comes from the packet; it goes through format_text()
   before it reaches the Info column and the item label, so non-printable
   bytes are escaped rather than displayed raw. */
13445 if (check_col(pinfo->cinfo, COL_INFO)) {
13446 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13447 format_text(fn, strlen(fn)));
13450 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
13451 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one entry of a find result (the item is labelled from
 * ff2_il_vals and uses the ett_smb_ff2_data subtree): resume key,
 * create / access / last-write date-times, data size, allocation size,
 * file attributes, EA list length, a one-byte name length and the file
 * name.
 *
 * bcp points at the remaining byte count. CHECK_BYTE_COUNT_SUBR and
 * COUNT_BYTES_SUBR are defined elsewhere in the file; presumably they
 * test and decrement *bcp and advance offset -- confirm there.
 *
 * NOTE(review): this listing omits some lines of the function; the
 * comments added here describe only the statements that are shown.
 */
13458 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13459 int offset, guint16 *bcp, gboolean *trunc)
13463 int old_offset = offset;
13464 proto_item *item = NULL;
13465 proto_tree *tree = NULL;
13467 smb_transact2_info_t *t2i;
13468 gboolean resume_keys = FALSE;
13470 si = (smb_info_t *)pinfo->private_data;
13471 DISSECTOR_ASSERT(si);
/* extra_info is only treated as an smb_transact2_info_t after its type
   tag has been checked. */
13473 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
13474 t2i = si->sip->extra_info;
13476 resume_keys = t2i->resume_keys;
13480 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13481 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13482 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13483 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13488 CHECK_BYTE_COUNT_SUBR(4);
13489 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
13490 COUNT_BYTES_SUBR(4);
13494 CHECK_BYTE_COUNT_SUBR(4);
13495 offset = dissect_smb_datetime(tvb, tree, offset,
13496 hf_smb_create_time,
13497 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
13501 CHECK_BYTE_COUNT_SUBR(4);
13502 offset = dissect_smb_datetime(tvb, tree, offset,
13503 hf_smb_access_time,
13504 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
13507 /* last write time */
13508 CHECK_BYTE_COUNT_SUBR(4);
13509 offset = dissect_smb_datetime(tvb, tree, offset,
13510 hf_smb_last_write_time,
13511 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
13515 CHECK_BYTE_COUNT_SUBR(4);
13516 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13517 COUNT_BYTES_SUBR(4);
13519 /* allocation size */
13520 CHECK_BYTE_COUNT_SUBR(4);
13521 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
13522 COUNT_BYTES_SUBR(4);
13524 /* File Attributes */
13525 CHECK_BYTE_COUNT_SUBR(2);
13526 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* EA list length: displayed only, not used as a length in the lines
   shown here. */
13530 CHECK_BYTE_COUNT_SUBR(4);
13531 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13532 COUNT_BYTES_SUBR(4);
13534 /* file name len */
13535 CHECK_BYTE_COUNT_SUBR(1);
13536 fn_len = tvb_get_guint8(tvb, offset);
13537 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
13538 COUNT_BYTES_SUBR(1);
/* NOTE(review): the condition that picks one of the two increments
   below is not visible in this listing (presumably si->unicode). */
13540 fn_len += 2; /* include terminating '\0' */
13542 fn_len++; /* include terminating '\0' */
13545 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13546 CHECK_STRING_SUBR(fn);
13547 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13549 COUNT_BYTES_SUBR(fn_len);
/* The file name comes from the packet; it goes through format_text()
   before it reaches the Info column and the item label, so non-printable
   bytes are escaped rather than displayed raw. */
13551 if (check_col(pinfo->cinfo, COL_INFO)) {
13552 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13553 format_text(fn, strlen(fn)));
13556 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
13557 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one entry of a find result (the item is labelled from
 * ff2_il_vals and uses the ett_smb_ff2_data subtree): next entry offset,
 * file index, the standard 8-byte timestamps, end of file, 64-bit
 * allocation size, extended file attributes, a 4-byte name length and
 * the file name, followed by the padding up to the next entry.
 *
 * bcp points at the remaining byte count and trunc is handed on to
 * dissect_smb_standard_8byte_timestamps(). CHECK_BYTE_COUNT_SUBR and
 * COUNT_BYTES_SUBR are defined elsewhere in the file; presumably they
 * test and decrement *bcp and advance offset -- confirm there.
 *
 * NOTE(review): this listing omits some lines of the function; the
 * comments added here describe only the statements that are shown.
 */
13564 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13565 int offset, guint16 *bcp, gboolean *trunc)
13569 int old_offset = offset;
13570 proto_item *item = NULL;
13571 proto_tree *tree = NULL;
13576 si = (smb_info_t *)pinfo->private_data;
13577 DISSECTOR_ASSERT(si);
13580 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13581 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13582 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13583 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13587 * We assume that the presence of a next entry offset implies the
13588 * absence of a resume key, as appears to be the case for 4.3.4.6.
13591 /* next entry offset */
13592 CHECK_BYTE_COUNT_SUBR(4);
13593 neo = tvb_get_letohl(tvb, offset);
13594 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13595 COUNT_BYTES_SUBR(4);
13598 CHECK_BYTE_COUNT_SUBR(4);
13599 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13600 COUNT_BYTES_SUBR(4);
13602 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
13608 CHECK_BYTE_COUNT_SUBR(8);
13609 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
13610 COUNT_BYTES_SUBR(8);
13612 /* allocation size */
13613 CHECK_BYTE_COUNT_SUBR(8);
13614 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13615 COUNT_BYTES_SUBR(8);
13617 /* Extended File Attributes */
13618 CHECK_BYTE_COUNT_SUBR(4);
13619 offset = dissect_file_ext_attr(tvb, tree, offset);
13622 /* file name len */
/* 32-bit length taken from the packet. How it is bounded against *bcp
   is up to get_unicode_or_ascii_string(), which is defined elsewhere. */
13623 CHECK_BYTE_COUNT_SUBR(4);
13624 fn_len = tvb_get_letohl(tvb, offset);
13625 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13626 COUNT_BYTES_SUBR(4);
13629 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13630 CHECK_STRING_SUBR(fn);
13631 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13633 COUNT_BYTES_SUBR(fn_len);
/* The file name goes through format_text() before it reaches the Info
   column and the item label, so non-printable bytes are escaped. */
13635 if (check_col(pinfo->cinfo, COL_INFO)) {
13636 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13637 format_text(fn, strlen(fn)));
13640 /* skip to next structure */
/* neo is a 32-bit offset from the packet and padcnt is the distance
   from the bytes consumed so far to old_offset + neo.
   NOTE(review): the handling of a negative padcnt is not visible in
   this listing; also confirm that a very large neo cannot wrap the
   addition to old_offset, which is an int. */
13642 padcnt = (old_offset + neo) - offset;
13645 * XXX - this is bogus; flag it?
13650 CHECK_BYTE_COUNT_SUBR(padcnt);
13651 COUNT_BYTES_SUBR(padcnt);
13655 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
13656 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one entry of a find result (the item is labelled from
 * ff2_il_vals and uses the ett_smb_ff2_data subtree): next entry offset,
 * file index, the standard 8-byte timestamps, end of file, 64-bit
 * allocation size, extended file attributes, a 4-byte name length, EA
 * list length and the file name, followed by the padding up to the next
 * entry.
 *
 * bcp points at the remaining byte count and trunc is handed on to
 * dissect_smb_standard_8byte_timestamps(). CHECK_BYTE_COUNT_SUBR and
 * COUNT_BYTES_SUBR are defined elsewhere in the file; presumably they
 * test and decrement *bcp and advance offset -- confirm there.
 *
 * NOTE(review): this listing omits some lines of the function; the
 * comments added here describe only the statements that are shown.
 */
13663 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13664 int offset, guint16 *bcp, gboolean *trunc)
13668 int old_offset = offset;
13669 proto_item *item = NULL;
13670 proto_tree *tree = NULL;
13675 si = (smb_info_t *)pinfo->private_data;
13676 DISSECTOR_ASSERT(si);
13679 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13680 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13681 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13682 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13686 * We assume that the presence of a next entry offset implies the
13687 * absence of a resume key, as appears to be the case for 4.3.4.6.
13690 /* next entry offset */
13691 CHECK_BYTE_COUNT_SUBR(4);
13692 neo = tvb_get_letohl(tvb, offset);
13693 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13694 COUNT_BYTES_SUBR(4);
13697 CHECK_BYTE_COUNT_SUBR(4);
13698 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13699 COUNT_BYTES_SUBR(4);
13701 /* standard 8-byte timestamps */
13702 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
13708 CHECK_BYTE_COUNT_SUBR(8);
13709 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
13710 COUNT_BYTES_SUBR(8);
13712 /* allocation size */
13713 CHECK_BYTE_COUNT_SUBR(8);
13714 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13715 COUNT_BYTES_SUBR(8);
13717 /* Extended File Attributes */
13718 CHECK_BYTE_COUNT_SUBR(4);
13719 offset = dissect_file_ext_attr(tvb, tree, offset);
13722 /* file name len */
/* 32-bit length taken from the packet. How it is bounded against *bcp
   is up to get_unicode_or_ascii_string(), which is defined elsewhere. */
13723 CHECK_BYTE_COUNT_SUBR(4);
13724 fn_len = tvb_get_letohl(tvb, offset);
13725 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13726 COUNT_BYTES_SUBR(4);
/* EA list length: displayed only, not used as a length in the lines
   shown here. */
13729 CHECK_BYTE_COUNT_SUBR(4);
13730 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13731 COUNT_BYTES_SUBR(4);
13734 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13735 CHECK_STRING_SUBR(fn);
13736 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13738 COUNT_BYTES_SUBR(fn_len);
/* The file name goes through format_text() before it reaches the Info
   column and the item label, so non-printable bytes are escaped. */
13740 if (check_col(pinfo->cinfo, COL_INFO)) {
13741 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13742 format_text(fn, strlen(fn)));
13745 /* skip to next structure */
/* neo is a 32-bit offset from the packet and padcnt is the distance
   from the bytes consumed so far to old_offset + neo.
   NOTE(review): the handling of a negative padcnt is not visible in
   this listing; also confirm that a very large neo cannot wrap the
   addition to old_offset, which is an int. */
13747 padcnt = (old_offset + neo) - offset;
13750 * XXX - this is bogus; flag it?
13755 CHECK_BYTE_COUNT_SUBR(padcnt);
13756 COUNT_BYTES_SUBR(padcnt);
13760 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
13761 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one entry of a find result (the item is labelled from
 * ff2_il_vals and uses the ett_smb_ff2_data subtree): next entry offset,
 * file index, the standard 8-byte timestamps, end of file, 64-bit
 * allocation size, extended file attributes, a 4-byte name length, EA
 * list length, short name length, a reserved byte, the short file name
 * in a 24-byte field and the file name, followed by the padding up to
 * the next entry.
 *
 * bcp points at the remaining byte count and trunc is handed on to
 * dissect_smb_standard_8byte_timestamps(). CHECK_BYTE_COUNT_SUBR and
 * COUNT_BYTES_SUBR are defined elsewhere in the file; presumably they
 * test and decrement *bcp and advance offset -- confirm there.
 *
 * NOTE(review): this listing omits some lines of the function; the
 * comments added here describe only the statements that are shown.
 */
13768 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13769 int offset, guint16 *bcp, gboolean *trunc)
13771 int fn_len, sfn_len;
13772 const char *fn, *sfn;
13773 int old_offset = offset;
13774 proto_item *item = NULL;
13775 proto_tree *tree = NULL;
13780 si = (smb_info_t *)pinfo->private_data;
13781 DISSECTOR_ASSERT(si);
13784 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13785 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13786 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13787 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13791 * XXX - I have not seen any of these that contain a resume
13792 * key, even though some of the requests had the "return resume
13796 /* next entry offset */
13797 CHECK_BYTE_COUNT_SUBR(4);
13798 neo = tvb_get_letohl(tvb, offset);
13799 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13800 COUNT_BYTES_SUBR(4);
13803 CHECK_BYTE_COUNT_SUBR(4);
13804 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13805 COUNT_BYTES_SUBR(4);
13807 /* dissect standard 8-byte timestamps */
13808 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
13814 CHECK_BYTE_COUNT_SUBR(8);
13815 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
13816 COUNT_BYTES_SUBR(8);
13818 /* allocation size */
13819 CHECK_BYTE_COUNT_SUBR(8);
13820 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13821 COUNT_BYTES_SUBR(8);
13823 /* Extended File Attributes */
13824 CHECK_BYTE_COUNT_SUBR(4);
13825 offset = dissect_file_ext_attr(tvb, tree, offset);
13828 /* file name len */
/* 32-bit length from the packet stored in an int, so a value with the
   top bit set may come out negative. How it is bounded against *bcp is
   up to get_unicode_or_ascii_string(), which is defined elsewhere. */
13829 CHECK_BYTE_COUNT_SUBR(4);
13830 fn_len = tvb_get_letohl(tvb, offset);
13831 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13832 COUNT_BYTES_SUBR(4);
13837 * XXX - in one captures, this has the topmost bit set, and the
13838 * rest of the bits have the value 7. Is the topmost bit being
13839 * set some indication that the value *isn't* the length of
13842 CHECK_BYTE_COUNT_SUBR(4);
13843 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13844 COUNT_BYTES_SUBR(4);
13846 /* short file name len */
13847 CHECK_BYTE_COUNT_SUBR(1);
13848 sfn_len = tvb_get_guint8(tvb, offset);
13849 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
13850 COUNT_BYTES_SUBR(1);
13852 /* reserved byte */
13853 CHECK_BYTE_COUNT_SUBR(1);
13854 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13855 COUNT_BYTES_SUBR(1);
13857 /* short file name - it's not always in Unicode */
/* The short name sits in a fixed 24-byte field: both the tree item
   length and the byte accounting use 24, whatever sfn_len says. */
13858 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
13859 CHECK_STRING_SUBR(sfn);
13860 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
13862 COUNT_BYTES_SUBR(24);
13865 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13866 CHECK_STRING_SUBR(fn);
13867 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13869 COUNT_BYTES_SUBR(fn_len);
/* The file name goes through format_text() before it reaches the Info
   column and the item label, so non-printable bytes are escaped. */
13871 if (check_col(pinfo->cinfo, COL_INFO)) {
13872 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13873 format_text(fn, strlen(fn)));
13876 /* skip to next structure */
/* neo is a 32-bit offset from the packet and padcnt is the distance
   from the bytes consumed so far to old_offset + neo.
   NOTE(review): the handling of a negative padcnt is not visible in
   this listing; also confirm that a very large neo cannot wrap the
   addition to old_offset, which is an int. */
13878 padcnt = (old_offset + neo) - offset;
13881 * XXX - this is bogus; flag it?
13886 CHECK_BYTE_COUNT_SUBR(padcnt);
13887 COUNT_BYTES_SUBR(padcnt);
13891 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
13892 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one entry of a find result (the item is labelled from
 * ff2_il_vals and uses the ett_smb_ff2_data subtree): next entry offset,
 * file index, the standard 8-byte timestamps, end of file, 64-bit
 * allocation size, extended file attributes, a 4-byte name length, EA
 * list length, a further 4 counted bytes, an 8-byte index number and
 * the file name, followed by the padding up to the next entry.
 *
 * bcp points at the remaining byte count and trunc is handed on to
 * dissect_smb_standard_8byte_timestamps(). CHECK_BYTE_COUNT_SUBR and
 * COUNT_BYTES_SUBR are defined elsewhere in the file; presumably they
 * test and decrement *bcp and advance offset -- confirm there.
 *
 * NOTE(review): this listing omits some lines of the function; the
 * comments added here describe only the statements that are shown.
 */
13899 dissect_4_3_4_6full(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
13900 int offset, guint16 *bcp, gboolean *trunc)
13904 int old_offset = offset;
13905 proto_item *item = NULL;
13906 proto_tree *tree = NULL;
13911 si = (smb_info_t *)pinfo->private_data;
13912 DISSECTOR_ASSERT(si);
13915 tvb_ensure_bytes_exist(tvb, offset, *bcp);
13916 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
13917 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
13918 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
13922 * XXX - I have not seen any of these that contain a resume
13923 * key, even though some of the requests had the "return resume
13927 /* next entry offset */
13928 CHECK_BYTE_COUNT_SUBR(4);
13929 neo = tvb_get_letohl(tvb, offset);
13930 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
13931 COUNT_BYTES_SUBR(4);
13934 CHECK_BYTE_COUNT_SUBR(4);
13935 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
13936 COUNT_BYTES_SUBR(4);
13938 /* dissect standard 8-byte timestamps */
13939 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
13945 CHECK_BYTE_COUNT_SUBR(8);
13946 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
13947 COUNT_BYTES_SUBR(8);
13949 /* allocation size */
13950 CHECK_BYTE_COUNT_SUBR(8);
13951 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13952 COUNT_BYTES_SUBR(8);
13954 /* Extended File Attributes */
13955 CHECK_BYTE_COUNT_SUBR(4);
13956 offset = dissect_file_ext_attr(tvb, tree, offset);
13959 /* file name len */
/* 32-bit length taken from the packet. How it is bounded against *bcp
   is up to get_unicode_or_ascii_string(), which is defined elsewhere. */
13960 CHECK_BYTE_COUNT_SUBR(4);
13961 fn_len = tvb_get_letohl(tvb, offset);
13962 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
13963 COUNT_BYTES_SUBR(4);
13968 * XXX - in one captures, this has the topmost bit set, and the
13969 * rest of the bits have the value 7. Is the topmost bit being
13970 * set some indication that the value *isn't* the length of
13973 CHECK_BYTE_COUNT_SUBR(4);
13974 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13975 COUNT_BYTES_SUBR(4);
/* NOTE(review): the check and the tree item belonging to the next
   4-byte count are not visible in this listing. */
13978 COUNT_BYTES_SUBR(4);
13980 CHECK_BYTE_COUNT_SUBR(8);
13981 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
13982 COUNT_BYTES_SUBR(8);
13985 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13986 CHECK_STRING_SUBR(fn);
13987 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
13989 COUNT_BYTES_SUBR(fn_len);
/* The file name goes through format_text() before it reaches the Info
   column and the item label, so non-printable bytes are escaped. */
13991 if (check_col(pinfo->cinfo, COL_INFO)) {
13992 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
13993 format_text(fn, strlen(fn)));
13996 /* skip to next structure */
/* neo is a 32-bit offset from the packet and padcnt is the distance
   from the bytes consumed so far to old_offset + neo.
   NOTE(review): the handling of a negative padcnt is not visible in
   this listing; also confirm that a very large neo cannot wrap the
   addition to old_offset, which is an int. */
13998 padcnt = (old_offset + neo) - offset;
14001 * XXX - this is bogus; flag it?
14006 CHECK_BYTE_COUNT_SUBR(padcnt);
14007 COUNT_BYTES_SUBR(padcnt);
14011 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
14012 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one entry of a find result (the item is labelled from
 * ff2_il_vals and uses the ett_smb_ff2_data subtree): next entry offset,
 * file index, the standard 8-byte timestamps, end of file, 64-bit
 * allocation size, extended file attributes, a 4-byte name length, EA
 * list length, short name length, a reserved byte, the short file name
 * in a 24-byte field, two reserved bytes, an 8-byte index number and
 * the file name, followed by the padding up to the next entry.
 *
 * bcp points at the remaining byte count and trunc is handed on to
 * dissect_smb_standard_8byte_timestamps(). CHECK_BYTE_COUNT_SUBR and
 * COUNT_BYTES_SUBR are defined elsewhere in the file; presumably they
 * test and decrement *bcp and advance offset -- confirm there.
 *
 * NOTE(review): this listing omits some lines of the function; the
 * comments added here describe only the statements that are shown.
 */
14019 dissect_4_3_4_6_id_both(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
14020 int offset, guint16 *bcp, gboolean *trunc)
14022 int fn_len, sfn_len;
14023 const char *fn, *sfn;
14024 int old_offset = offset;
14025 proto_item *item = NULL;
14026 proto_tree *tree = NULL;
14031 si = (smb_info_t *)pinfo->private_data;
14032 DISSECTOR_ASSERT(si);
14035 tvb_ensure_bytes_exist(tvb, offset, *bcp);
14036 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
14037 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
14038 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
14042 * XXX - I have not seen any of these that contain a resume
14043 * key, even though some of the requests had the "return resume
14047 /* next entry offset */
14048 CHECK_BYTE_COUNT_SUBR(4);
14049 neo = tvb_get_letohl(tvb, offset);
14050 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
14051 COUNT_BYTES_SUBR(4);
14054 CHECK_BYTE_COUNT_SUBR(4);
14055 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
14056 COUNT_BYTES_SUBR(4);
14058 /* dissect standard 8-byte timestamps */
14059 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
14065 CHECK_BYTE_COUNT_SUBR(8);
14066 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
14067 COUNT_BYTES_SUBR(8);
14069 /* allocation size */
14070 CHECK_BYTE_COUNT_SUBR(8);
14071 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
14072 COUNT_BYTES_SUBR(8);
14074 /* Extended File Attributes */
14075 CHECK_BYTE_COUNT_SUBR(4);
14076 offset = dissect_file_ext_attr(tvb, tree, offset);
14079 /* file name len */
/* 32-bit length from the packet stored in an int, so a value with the
   top bit set may come out negative. How it is bounded against *bcp is
   up to get_unicode_or_ascii_string(), which is defined elsewhere. */
14080 CHECK_BYTE_COUNT_SUBR(4);
14081 fn_len = tvb_get_letohl(tvb, offset);
14082 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
14083 COUNT_BYTES_SUBR(4);
14088 * XXX - in one captures, this has the topmost bit set, and the
14089 * rest of the bits have the value 7. Is the topmost bit being
14090 * set some indication that the value *isn't* the length of
14093 CHECK_BYTE_COUNT_SUBR(4);
14094 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
14095 COUNT_BYTES_SUBR(4);
14097 /* short file name len */
14098 CHECK_BYTE_COUNT_SUBR(1);
14099 sfn_len = tvb_get_guint8(tvb, offset);
14100 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
14101 COUNT_BYTES_SUBR(1);
14103 /* reserved byte */
14104 CHECK_BYTE_COUNT_SUBR(1);
14105 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
14106 COUNT_BYTES_SUBR(1);
14108 /* short file name - it's not always in Unicode */
/* The short name sits in a fixed 24-byte field: both the tree item
   length and the byte accounting use 24, whatever sfn_len says. */
14109 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
14110 CHECK_STRING_SUBR(sfn);
14111 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
14113 COUNT_BYTES_SUBR(24);
14115 /* reserved bytes */
14116 CHECK_BYTE_COUNT_SUBR(2);
14117 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
14118 COUNT_BYTES_SUBR(2);
14121 CHECK_BYTE_COUNT_SUBR(8);
14122 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
14123 COUNT_BYTES_SUBR(8);
14126 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
14127 CHECK_STRING_SUBR(fn);
14128 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
14130 COUNT_BYTES_SUBR(fn_len);
/* The file name goes through format_text() before it reaches the Info
   column and the item label, so non-printable bytes are escaped. */
14132 if (check_col(pinfo->cinfo, COL_INFO)) {
14133 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
14134 format_text(fn, strlen(fn)));
14137 /* skip to next structure */
/* neo is a 32-bit offset from the packet and padcnt is the distance
   from the bytes consumed so far to old_offset + neo.
   NOTE(review): the handling of a negative padcnt is not visible in
   this listing; also confirm that a very large neo cannot wrap the
   addition to old_offset, which is an int. */
14139 padcnt = (old_offset + neo) - offset;
14142 * XXX - this is bogus; flag it?
14147 CHECK_BYTE_COUNT_SUBR(padcnt);
14148 COUNT_BYTES_SUBR(padcnt);
14152 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
14153 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one entry of the FIND_FIRST2/FIND_NEXT2 data block for info
 * level 0x0103 ("Find File Names Info" in dissect_ff2_response_data()):
 * next entry offset, file index, file name length, file name.
 *
 * bcp points at the remaining byte count; trunc is presumably the flag the
 * CHECK_*_SUBR macros raise when the entry is cut short (the macro bodies
 * are not visible in this listing - confirm).  neo and fn_len are read
 * straight from the captured packet and must be treated as untrusted.
 */
14160 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
14161 int offset, guint16 *bcp, gboolean *trunc)
14165 int old_offset = offset;
14166 proto_item *item = NULL;
14167 proto_tree *tree = NULL;
/* si is dereferenced below (info_level, unicode), so a NULL value is rejected first. */
14172 si = (smb_info_t *)pinfo->private_data;
14173 DISSECTOR_ASSERT(si);
/* The subtree item claims *bcp bytes; make sure they are really in the buffer before creating it. */
14176 tvb_ensure_bytes_exist(tvb, offset, *bcp);
14177 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
14178 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
14179 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
14183 * We assume that the presence of a next entry offset implies the
14184 * absence of a resume key, as appears to be the case for 4.3.4.6.
14187 /* next entry offset */
14188 CHECK_BYTE_COUNT_SUBR(4);
/* neo: 32-bit little-endian value taken from the packet; it drives the padding skip at the end. */
14189 neo = tvb_get_letohl(tvb, offset);
14190 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
14191 COUNT_BYTES_SUBR(4);
/* 4-byte file index field */
14194 CHECK_BYTE_COUNT_SUBR(4);
14195 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
14196 COUNT_BYTES_SUBR(4);
14198 /* file name len */
14199 CHECK_BYTE_COUNT_SUBR(4);
/* NOTE(review): fn_len is a 32-bit wire value; its declared type is not visible in this listing - confirm oversized values are rejected downstream. */
14200 fn_len = tvb_get_letohl(tvb, offset);
14201 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
14202 COUNT_BYTES_SUBR(4);
/*
 * The string helper receives &fn_len and bcp, so it can presumably bound
 * the name by the bytes that remain - TODO confirm against its definition.
 */
14205 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
14206 CHECK_STRING_SUBR(fn);
14207 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
14209 COUNT_BYTES_SUBR(fn_len);
/* The name reaches the Info column only through format_text(), which escapes non-printable characters. */
14211 if (check_col(pinfo->cinfo, COL_INFO)) {
14212 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
14213 format_text(fn, strlen(fn)));
14216 /* skip to next structure */
/*
 * Distance from the current position to where the packet says the next
 * entry starts.  neo is wire-controlled, so the result can be negative or
 * exceed the remaining data.  NOTE(review): the clamp for a negative
 * padcnt is not visible in this listing (only the "bogus" remark below) -
 * confirm it precedes the CHECK/COUNT pair.
 */
14218 padcnt = (old_offset + neo) - offset;
14221 * XXX - this is bogus; flag it?
14226 CHECK_BYTE_COUNT_SUBR(padcnt);
14227 COUNT_BYTES_SUBR(padcnt);
/* Label the subtree item with the escaped name and resize it to the bytes actually consumed. */
14231 proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
14232 proto_item_set_len(item, offset-old_offset);
14238 /* 4.3.4.8 - SMB_FIND_FILE_UNIX */
/*
 * Dissect one SMB_FIND_FILE_UNIX entry (info level 0x0202 in
 * dissect_ff2_response_data()): a run of fixed-size numeric fields, a
 * string, then padding to a 4-byte boundary.
 *
 * NOTE(review): tvb and pinfo carry _U_ (the unused-parameter marker) in
 * the signature, yet both are used in the body (pinfo->private_data and
 * every proto_tree_add_item call); the markers look stale.
 */
14241 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
14242 proto_tree *tree, int offset, guint16 *bcp,
14245 smb_info_t *si = pinfo->private_data;
/* si->unicode is read for the string below, so a NULL si is rejected first. */
14249 DISSECTOR_ASSERT(si);
14251 /* NextEntryOffset */
14252 CHECK_BYTE_COUNT_SUBR(4);
14253 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, TRUE);
14254 COUNT_BYTES_SUBR(4);
/* 4-byte resume key */
14257 CHECK_BYTE_COUNT_SUBR(4);
14258 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, TRUE);
14259 COUNT_BYTES_SUBR(4);
14261 /* End of file (file size) */
14262 CHECK_BYTE_COUNT_SUBR(8);
14263 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
14264 COUNT_BYTES_SUBR(8);
14266 /* Number of bytes */
14267 CHECK_BYTE_COUNT_SUBR(8);
14268 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
14269 COUNT_BYTES_SUBR(8);
/*
 * The three timestamps advance offset through the helper's return value
 * instead of COUNT_BYTES_SUBR.  NOTE(review): the matching *bcp adjustment
 * is not visible in this listing - confirm the byte count is reduced by 8
 * after each call.
 */
14271 /* Last status change */
14272 CHECK_BYTE_COUNT_SUBR(8);
14273 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
14276 /* Last access time */
14277 CHECK_BYTE_COUNT_SUBR(8);
14278 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
14281 /* Last modification time */
14282 CHECK_BYTE_COUNT_SUBR(8);
14283 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
14286 /* File owner uid */
14287 CHECK_BYTE_COUNT_SUBR(8);
14288 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
14289 COUNT_BYTES_SUBR(8);
14291 /* File group gid */
14292 CHECK_BYTE_COUNT_SUBR(8);
14293 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
14294 COUNT_BYTES_SUBR(8);
/* 4-byte file type */
14297 CHECK_BYTE_COUNT_SUBR(4);
14298 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
14299 COUNT_BYTES_SUBR(4);
14301 /* Major device number */
14302 CHECK_BYTE_COUNT_SUBR(8);
14303 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
14304 COUNT_BYTES_SUBR(8);
14306 /* Minor device number */
14307 CHECK_BYTE_COUNT_SUBR(8);
14308 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
14309 COUNT_BYTES_SUBR(8);
/* 8-byte unique id */
14312 CHECK_BYTE_COUNT_SUBR(8);
14313 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
14314 COUNT_BYTES_SUBR(8);
/* 8-byte permissions word */
14317 CHECK_BYTE_COUNT_SUBR(8);
14318 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
14319 COUNT_BYTES_SUBR(8);
/* 8-byte link count */
14322 CHECK_BYTE_COUNT_SUBR(8);
14323 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
14324 COUNT_BYTES_SUBR(8);
/*
 * String field.  The two flags after &fn_len are FALSE, FALSE here, while
 * dissect_4_3_4_7() passes FALSE, TRUE after reading a length from the
 * wire; no length field is read on the visible lines of this function, so
 * fn_len is presumably produced by the helper - TODO confirm.
 */
14328 fn = get_unicode_or_ascii_string(
14329 tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
14331 CHECK_STRING_SUBR(fn);
14332 proto_tree_add_string(
14333 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
14334 COUNT_BYTES_SUBR(fn_len);
14336 /* Pad to 4 bytes */
/*
 * NOTE(review): offset is moved to the next 4-byte boundary, but *bcp is
 * not reduced on any visible line, so the caller's remaining-byte count
 * can run up to 3 bytes ahead of offset - confirm and account for the
 * padding in *bcp.  The guard that keeps an already aligned offset from
 * being advanced by a full 4 bytes is not visible in this listing.
 */
14339 offset += 4 - (offset % 4);
14345 /*dissect the data block for TRANS2_FIND_FIRST2*/
/*
 * Dispatch one entry of a FIND_FIRST2/FIND_NEXT2 data block to the
 * dissector that matches si->info_level.  Each handler receives the same
 * tvb, tree, offset and byte-count pointer and returns the new offset.
 * The tails of the call statements and the body of the default branch are
 * not visible in this listing.
 */
14347 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
14348 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
/* si->info_level selects the handler, so a NULL si is rejected first. */
14356 si = (smb_info_t *)pinfo->private_data;
14357 DISSECTOR_ASSERT(si);
14359 switch(si->info_level){
14360 case 1: /*Info Standard*/
14361 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
/* Levels 2 and 3 are both handled by dissect_4_3_4_2(). */
14364 case 2: /*Info Query EA Size*/
14365 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
14368 case 3: /*Info Query EAs From List same as
14370 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
14373 case 0x0101: /*Find File Directory Info*/
14374 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
14377 case 0x0102: /*Find File Full Directory Info*/
14378 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
14381 case 0x0103: /*Find File Names Info*/
14382 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
14385 case 0x0104: /*Find File Both Directory Info*/
14386 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
/* NOTE(review): the label below repeats the one used for 0x0102; the handler name suggests a different level - confirm the intended wording. */
14389 case 0x0105: /*Find File Full Directory Info*/
14390 offset = dissect_4_3_4_6full(tvb, pinfo, tree, offset, bcp,
14393 case 0x0106: /*Find File Id Both Directory Info*/
14394 offset = dissect_4_3_4_6_id_both(tvb, pinfo, tree, offset, bcp,
14397 case 0x0202: /*Find File UNIX*/
14398 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
14401 default: /* unknown info level */
14409 /* is this one just wrong and should be dissect_fs0105_attributes above ? */
/*
 * Show the 32-bit file-system attribute word at offset as a subtree with
 * one boolean entry per flag.  The word is read little-endian and every
 * flag entry is added over the same 4 bytes with the full mask; which bit
 * each entry displays is presumably fixed by the field's registration
 * (not visible here).
 *
 * No byte-count check is made on the visible lines of this function; the
 * caller visible in this file, dissect_qfsi_FS_ATTRIBUTE_INFO(), checks
 * for 4 bytes before calling.
 */
14411 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
14417 mask = tvb_get_letohl(tvb, offset);
14420 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
14421 "FS Attributes: 0x%08x", mask);
14422 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
14424 /* case sensitive search */
14425 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
14426 tvb, offset, 4, mask);
14427 /* case preserved names */
14428 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
14429 tvb, offset, 4, mask);
14430 /* unicode on disk */
14431 proto_tree_add_boolean(tree, hf_smb_fs_attr_uod,
14432 tvb, offset, 4, mask);
14433 /* persistent acls */
14434 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
14435 tvb, offset, 4, mask);
14436 /* file compression */
14437 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
14438 tvb, offset, 4, mask);
14439 /* volume quotas */
14440 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
14441 tvb, offset, 4, mask);
14443 proto_tree_add_boolean(tree, hf_smb_fs_attr_ssf,
14444 tvb, offset, 4, mask);
14445 /* reparse points */
14446 proto_tree_add_boolean(tree, hf_smb_fs_attr_srp,
14447 tvb, offset, 4, mask);
14448 /* remote storage */
14449 proto_tree_add_boolean(tree, hf_smb_fs_attr_srs,
14450 tvb, offset, 4, mask);
14452 proto_tree_add_boolean(tree, hf_smb_fs_attr_sla,
14453 tvb, offset, 4, mask);
14454 /* volume is compressed */
14455 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
14456 tvb, offset, 4, mask);
14458 proto_tree_add_boolean(tree, hf_smb_fs_attr_soids,
14459 tvb, offset, 4, mask);
14461 proto_tree_add_boolean(tree, hf_smb_fs_attr_se,
14462 tvb, offset, 4, mask);
14463 /* named streams */
14464 proto_tree_add_boolean(tree, hf_smb_fs_attr_ns,
14465 tvb, offset, 4, mask);
14466 /* read only volume */
14467 proto_tree_add_boolean(tree, hf_smb_fs_attr_rov,
14468 tvb, offset, 4, mask);
/*
 * Show the 32-bit device characteristics word at offset as a subtree with
 * one boolean entry per flag.  The word is read little-endian and each
 * entry is added over the same 4 bytes with the full mask.
 *
 * No byte-count check is made on the visible lines of this function; the
 * caller visible in this file, dissect_qfsi_FS_DEVICE_INFO(), checks for
 * 4 bytes before calling.
 */
14477 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
14483 mask = tvb_get_letohl(tvb, offset);
14486 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
14487 "Device Characteristics: 0x%08x", mask);
14488 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
/* One entry per flag: removable, read-only, floppy, write-once, remote, mounted, virtual. */
14490 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
14491 tvb, offset, 4, mask);
14492 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
14493 tvb, offset, 4, mask);
14494 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
14495 tvb, offset, 4, mask);
14496 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
14497 tvb, offset, 4, mask);
14498 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
14499 tvb, offset, 4, mask);
14500 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
14501 tvb, offset, 4, mask);
14502 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
14503 tvb, offset, 4, mask);
14510 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
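/*
 * Display strings for single-bit Macintosh capability flags.  In a
 * true_false_string the first string is shown when the bit is set and the
 * second when it is clear.  These presumably back the hf_smb_mac_sup_*
 * booleans of the "Mac Support Flags" word (the field registrations are
 * not visible here).
 */
static const true_false_string tfs_smb_mac_access_ctrl = {
	"Macintosh Access Control Supported",
	"Macintosh Access Control Not Supported"
};

static const true_false_string tfs_smb_mac_getset_comments = {
	"Macintosh Get & Set Comments Supported",
	"Macintosh Get & Set Comments Not Supported"
};

/* The two strings must differ, otherwise a set and a clear bit are displayed identically. */
static const true_false_string tfs_smb_mac_desktopdb_calls = {
	"Macintosh Get & Set Desktop Database Info Supported",
	"Macintosh Get & Set Desktop Database Info Not Supported"
};

static const true_false_string tfs_smb_mac_unique_ids = {
	"Macintosh Unique IDs Supported",
	"Macintosh Unique IDs Not Supported"
};

/*
 * NOTE(review): unlike the entries above, the set-bit string here reads
 * "Not Supported".  Left as found because the polarity of this flag
 * cannot be confirmed from this part of the file - verify against the
 * protocol definition.
 */
static const true_false_string tfs_smb_mac_streams = {
	"Macintosh and Streams Extensions Not Supported",
	"Macintosh and Streams Extensions Supported"
};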
/*
 * Dissect an FS volume information block: a 64-bit creation time, the
 * volume serial number, the volume label length, 2 reserved bytes and the
 * volume label.  unicode selects the string decoding; bcp points at the
 * remaining byte count that the *_TRANS_SUBR macros check and update
 * (macro bodies not visible in this listing).
 */
14538 dissect_qfsi_FS_VOLUME_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp, int unicode)
/* NOTE(review): offset advances through the helper's return value; the matching *bcp adjustment is not visible in this listing - confirm. */
14544 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14545 offset = dissect_nt_64bit_time(tvb, tree, offset,
14546 hf_smb_create_time);
14549 /* volume serial number */
14550 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14551 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
14552 COUNT_BYTES_TRANS_SUBR(4);
14554 /* volume label length */
14555 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* vll is a 32-bit length taken from the packet and must be treated as untrusted. */
14556 vll = tvb_get_letohl(tvb, offset);
14557 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
14558 COUNT_BYTES_TRANS_SUBR(4);
14560 /* 2 reserved bytes */
14561 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14562 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
14563 COUNT_BYTES_TRANS_SUBR(2);
/*
 * NOTE(review): the string helper is driven by fn_len, not vll; the line
 * that sets fn_len is not visible in this listing - confirm it is
 * initialised from vll before this call.
 */
14567 fn = get_unicode_or_ascii_string(tvb, &offset, unicode, &fn_len, FALSE, TRUE, bcp);
14568 CHECK_STRING_TRANS_SUBR(fn);
14569 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
14571 COUNT_BYTES_TRANS_SUBR(fn_len);
/*
 * Dissect an FS size information block: two 8-byte fields (allocation
 * size, free allocation units) followed by two 4-byte fields (sectors per
 * unit, bytes per sector).  Each field is preceded by a byte-count check
 * against *bcp and followed by the matching COUNT_BYTES_TRANS_SUBR.
 */
14577 dissect_qfsi_FS_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp)
14579 /* allocation size */
14580 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14581 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
14582 COUNT_BYTES_TRANS_SUBR(8);
14584 /* free allocation units */
14585 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14586 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
14587 COUNT_BYTES_TRANS_SUBR(8);
14589 /* sectors per unit */
14590 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14591 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
14592 COUNT_BYTES_TRANS_SUBR(4);
14594 /* bytes per sector */
14595 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14596 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
14597 COUNT_BYTES_TRANS_SUBR(4);
/*
 * Dissect an FS device information block: a 4-byte device type followed
 * by the 4-byte device characteristics word, which is expanded by
 * dissect_device_characteristics().
 */
14603 dissect_qfsi_FS_DEVICE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp)
/* 4-byte device type */
14606 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14607 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
14608 COUNT_BYTES_TRANS_SUBR(4);
14610 /* device characteristics */
14611 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* NOTE(review): offset advances through the helper's return value; the matching *bcp adjustment is not visible in this listing - confirm. */
14612 offset = dissect_device_characteristics(tvb, tree, offset);
/*
 * Dissect an FS attribute information block: the 4-byte attribute word
 * (expanded by dissect_fs_attributes()), the maximum name length, the
 * file-system name length and the file-system name.  unicode selects the
 * string decoding; bcp points at the remaining byte count.
 */
14619 dissect_qfsi_FS_ATTRIBUTE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp, int unicode)
14624 /* FS attributes */
14625 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* NOTE(review): offset advances through the helper's return value; the matching *bcp adjustment is not visible in this listing - confirm. */
14626 offset = dissect_fs_attributes(tvb, tree, offset);
/* 4-byte maximum name length */
14630 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14631 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
14632 COUNT_BYTES_TRANS_SUBR(4);
14634 /* fs name length */
14635 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* fnl is a 32-bit length taken from the packet and must be treated as untrusted. */
14636 fnl = tvb_get_letohl(tvb, offset);
14637 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
14638 COUNT_BYTES_TRANS_SUBR(4);
/*
 * NOTE(review): the string helper is driven by fn_len, not fnl; the line
 * that sets fn_len is not visible in this listing - confirm it is
 * initialised from fnl before this call.
 */
14642 fn = get_unicode_or_ascii_string(tvb, &offset, unicode, &fn_len, FALSE, TRUE, bcp);
14643 CHECK_STRING_TRANS_SUBR(fn);
14644 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
14646 COUNT_BYTES_TRANS_SUBR(fn_len);
/*
 * Dissect an FS object-id information block by handing the 64-byte buffer
 * at offset to dissect_smb2_FILE_OBJECTID_BUFFER().
 */
14652 dissect_qfsi_FS_OBJECTID_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp)
/* All 64 bytes must be available before the helper is called. */
14654 CHECK_BYTE_COUNT_TRANS_SUBR(64);
/* The helper's return value is ignored; the fixed 64-byte size is accounted for by the macro below instead. */
14656 dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
14658 COUNT_BYTES_TRANS_SUBR(64);
/*
 * Dissect an FS full size information block: three 8-byte fields
 * (allocation size, caller free allocation units, actual free allocation
 * units) followed by two 4-byte fields (sectors per unit, bytes per
 * sector).  Each field is preceded by a byte-count check against *bcp and
 * followed by the matching COUNT_BYTES_TRANS_SUBR.
 */
14664 dissect_qfsi_FS_FULL_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, guint16 *bcp)
14666 /* allocation size */
14667 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14668 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
14669 COUNT_BYTES_TRANS_SUBR(8);
14671 /* caller free allocation units */
14672 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14673 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
14674 COUNT_BYTES_TRANS_SUBR(8);
14676 /* actual free allocation units */
14677 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14678 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
14679 COUNT_BYTES_TRANS_SUBR(8);
14681 /* sectors per unit */
14682 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14683 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
14684 COUNT_BYTES_TRANS_SUBR(4);
14686 /* bytes per sector */
14687 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14688 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
14689 COUNT_BYTES_TRANS_SUBR(4);
/*
 * Dissect the data block of a TRANS2_QUERY_FS_INFORMATION response.  The
 * layout is selected by si->info_level; several levels are delegated to
 * the dissect_qfsi_FS_*() helpers, the rest are decoded inline.  bcp
 * points at the remaining byte count that the *_TRANS_SUBR macros check
 * and update (macro bodies not visible in this listing).  All lengths and
 * flag words are read from the captured packet and are untrusted.
 */
14695 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
14696 int offset, guint16 *bcp)
14702 proto_item *item = NULL;
14703 proto_tree *ti = NULL;
/* si->info_level and si->unicode are read below, so a NULL si is rejected first. */
14709 si = (smb_info_t *)pinfo->private_data;
14710 DISSECTOR_ASSERT(si);
14712 switch(si->info_level){
14713 case 1: /* SMB_INFO_ALLOCATION */
14714 /* filesystem id */
14715 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14716 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
14717 COUNT_BYTES_TRANS_SUBR(4);
14719 /* sectors per unit */
14720 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14721 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
14722 COUNT_BYTES_TRANS_SUBR(4);
/* 4-byte total unit count */
14725 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14726 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
14727 COUNT_BYTES_TRANS_SUBR(4);
/* 4-byte available unit count */
14730 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14731 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
14732 COUNT_BYTES_TRANS_SUBR(4);
14734 /* bytes per sector, only 16bit integer here */
14735 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14736 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
14737 COUNT_BYTES_TRANS_SUBR(2);
14740 case 2: /* SMB_INFO_VOLUME */
14741 /* volume serial number */
14742 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14743 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
14744 COUNT_BYTES_TRANS_SUBR(4);
14746 /* volume label length, only one byte here */
14747 CHECK_BYTE_COUNT_TRANS_SUBR(1);
14748 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
14749 COUNT_BYTES_TRANS_SUBR(1);
/* The one-byte length above is only displayed; this call passes FALSE, FALSE where the label levels below pass FALSE, TRUE after reading vll. */
14752 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
14753 CHECK_STRING_TRANS_SUBR(fn);
14754 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
14756 COUNT_BYTES_TRANS_SUBR(fn_len);
14759 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
14760 case 1002: /* SMB_FS_LABEL_INFORMATION */
14761 /* volume label length */
14762 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* vll is a 32-bit wire value; NOTE(review): the line that hands it to fn_len is not visible in this listing - confirm. */
14763 vll = tvb_get_letohl(tvb, offset);
14764 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
14765 COUNT_BYTES_TRANS_SUBR(4);
14769 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
14770 CHECK_STRING_TRANS_SUBR(fn);
14771 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
14773 COUNT_BYTES_TRANS_SUBR(fn_len);
/* The next four level pairs (hex value and its 100x decimal counterpart) are delegated to shared helpers. */
14776 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
14777 case 1001: /* SMB_FS_VOLUME_INFORMATION */
14778 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, bcp, si->unicode);
14780 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
14781 case 1003: /* SMB_FS_SIZE_INFORMATION */
14782 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, bcp);
14784 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
14785 case 1004: /* SMB_FS_DEVICE_INFORMATION */
14786 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, bcp);
14788 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
14789 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
14790 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, bcp, si->unicode);
14792 case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
/* NOTE(review): this item shadows the function-level item declared above; harmless here, but easy to misread. */
14793 proto_item *item = NULL;
14794 proto_tree *subtree = NULL;
14795 guint32 caps_lo, caps_hi;
14797 /* MajorVersionNumber */
14798 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14799 proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, TRUE);
14800 COUNT_BYTES_TRANS_SUBR(2);
14802 /* MinorVersionNumber */
14803 CHECK_BYTE_COUNT_TRANS_SUBR(2);
14804 proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, TRUE);
14805 COUNT_BYTES_TRANS_SUBR(2);
/* 64-bit capability word, read as two little-endian 32-bit halves (low half first). */
14809 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14811 caps_lo = tvb_get_letohl(tvb, offset);
14812 caps_hi = tvb_get_letohl(tvb, offset + 4);
14815 item = proto_tree_add_text(
14816 tree, tvb, offset, 8, "Capabilities: 0x%08x%08x",
14818 subtree = proto_item_add_subtree(
14819 item, ett_smb_unix_capabilities);
14822 proto_tree_add_boolean(
14823 subtree, hf_smb_unix_capability_fcntl, tvb, offset, 8,
14826 proto_tree_add_boolean(
14827 subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 8,
14830 COUNT_BYTES_TRANS_SUBR(8);
14834 case 0x301: /* MAC_QUERY_FS_INFO */
/* Three 64-bit timestamps: create, modify, backup.  NOTE(review): the *bcp adjustment after each helper call is not visible in this listing - confirm. */
14836 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14837 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_create_time);
14840 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14841 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_modify_time);
14844 CHECK_BYTE_COUNT_TRANS_SUBR(8);
14845 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_backup_time);
14847 /* Allocation blocks */
14848 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14849 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
14852 COUNT_BYTES_TRANS_SUBR(4);
14853 /* Allocation Block Size */
14854 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14855 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
14857 COUNT_BYTES_TRANS_SUBR(4);
14858 /* Free Block Count */
14859 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14860 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
14862 COUNT_BYTES_TRANS_SUBR(4);
14863 /* Finder Info ... */
/* The 32-byte check comes first, so the raw pointer taken below stays inside the checked range. */
14864 CHECK_BYTE_COUNT_TRANS_SUBR(32);
14865 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
14867 tvb_get_ptr(tvb, offset,32),
14869 tvb_format_text(tvb, offset, 32));
14870 COUNT_BYTES_TRANS_SUBR(32);
/* 4-byte root file count */
14872 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14873 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
14875 COUNT_BYTES_TRANS_SUBR(4);
14876 /* Number of Root Directories */
14877 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14878 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
14880 COUNT_BYTES_TRANS_SUBR(4);
14881 /* Number of files */
14882 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14883 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
14885 COUNT_BYTES_TRANS_SUBR(4);
/* 4-byte directory count */
14887 CHECK_BYTE_COUNT_TRANS_SUBR(4);
14888 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
14890 COUNT_BYTES_TRANS_SUBR(4);
14891 /* Mac Support Flags */
14892 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/*
 * NOTE(review): this is the only big-endian read (tvb_get_ntohl) among
 * the visible lines of this function; the other integers are read with
 * the little-endian accessors.  Confirm the byte order of this word,
 * since it decides which support flags are shown as set.
 */
14893 support = tvb_get_ntohl(tvb, offset);
14894 item = proto_tree_add_text(tree, tvb, offset, 4,
14895 "Mac Support Flags: 0x%08x", support);
14896 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
14897 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
14898 tvb, offset, 4, support);
14899 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
14900 tvb, offset, 4, support);
14901 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
14902 tvb, offset, 4, support);
14903 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
14904 tvb, offset, 4, support);
14905 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
14906 tvb, offset, 4, support);
14907 COUNT_BYTES_TRANS_SUBR(4);
/* The remaining levels are delegated; each helper takes bcp and returns the new offset. */
14909 case 1006: /* QUERY_FS_QUOTA_INFO */
14910 offset = dissect_nt_quota(tvb, tree, offset, bcp);
14912 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
14913 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, bcp);
14915 case 1008: /* Query Object ID */ {
14916 offset = dissect_qfsi_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, bcp);
/*
 * Dissect the data block of a TRANSACTION2 response.  The sub-command is
 * taken from the smb_transact2_info_t attached to the matched request
 * (si->sip->extra_info) and selects the per-command dissector; whatever
 * the handlers leave unconsumed is added as hf_smb_unknown at the end.
 */
14925 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
14926 proto_tree *parent_tree)
14928 proto_item *item = NULL;
14929 proto_tree *tree = NULL;
14931 smb_transact2_info_t *t2i;
/*
 * dc starts as the reported length of the data tvb.  It is later passed
 * as the guint16 *bcp argument of the handlers, so the length is
 * presumably narrowed to 16 bits here - confirm against the declaration,
 * which is not visible in this listing.
 */
14937 dc = tvb_reported_length(tvb);
14939 si = (smb_info_t *)pinfo->private_data;
14940 DISSECTOR_ASSERT(si);
/* extra_info is only used as transaction2 info when its type tag says so. */
14942 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
14943 t2i = si->sip->extra_info;
14948 if (t2i != NULL && t2i->subcmd != -1) {
14949 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
14951 val_to_str(t2i->subcmd, trans2_cmd_vals,
14952 "Unknown (0x%02x)"));
14953 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
14955 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
14956 "Unknown Transaction2 Data");
/*
 * NOTE(review): the test above allows t2i to be NULL, and the switch
 * dereferences it.  The guard that returns early for a NULL t2i is not
 * visible in this listing - confirm it sits between these two points.
 */
14964 switch(t2i->subcmd){
14965 case 0x00: /*TRANS2_OPEN2*/
14966 /* XXX not implemented yet. See SNIA doc */
14968 case 0x01: /*TRANS2_FIND_FIRST2*/
14969 /* returned data */
/*
 * count comes from si->info_count, which
 * dissect_transaction2_response_parameters() fills from the packet; the
 * loop that consumes it is not visible in this listing.
 */
14970 count = si->info_count;
14975 if (count && check_col(pinfo->cinfo, COL_INFO)) {
14976 col_append_str(pinfo->cinfo, COL_INFO,
14981 offset = dissect_ff2_response_data(tvb, pinfo, tree,
14982 offset, &dc, &trunc);
14987 case 0x02: /*TRANS2_FIND_NEXT2*/
14988 /* returned data */
/* Same handling as TRANS2_FIND_FIRST2 on the visible lines. */
14989 count = si->info_count;
14994 if (count && check_col(pinfo->cinfo, COL_INFO)) {
14995 col_append_str(pinfo->cinfo, COL_INFO,
15000 offset = dissect_ff2_response_data(tvb, pinfo, tree,
15001 offset, &dc, &trunc);
15006 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
15007 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
15009 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
15010 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
15012 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
15013 /* no data in this response */
15015 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
15016 /* identical to QUERY_PATH_INFO */
15017 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
15019 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
15020 /* no data in this response */
15022 case 0x09: /*TRANS2_FSCTL*/
15023 /* XXX dont know how to dissect this one (yet)*/
15026 * XXX - "Microsoft Networks SMB File Sharing Protocol
15027 * Extensions Version 3.0, Document Version 1.11,
15028 * July 19, 1990" says this this contains a
15029 * "File system specific return data block".
15030 * (That means we may not be able to dissect it in any
15034 case 0x0a: /*TRANS2_IOCTL2*/
15035 /* XXX dont know how to dissect this one (yet)*/
15038 * XXX - "Microsoft Networks SMB File Sharing Protocol
15039 * Extensions Version 3.0, Document Version 1.11,
15040 * July 19, 1990" says this this contains a
15041 * "Device/function specific return data block".
15042 * (That means we may not be able to dissect it in any
15046 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
15047 /* XXX dont know how to dissect this one (yet)*/
15050 * XXX - "Microsoft Networks SMB File Sharing Protocol
15051 * Extensions Version 3.0, Document Version 1.11,
15052 * July 19, 1990" says this this contains "the level
15053 * dependent information about the changes which
15057 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
15058 /* XXX dont know how to dissect this one (yet)*/
15061 * XXX - "Microsoft Networks SMB File Sharing Protocol
15062 * Extensions Version 3.0, Document Version 1.11,
15063 * July 19, 1990" says this this contains "the level
15064 * dependent information about the changes which
15068 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
15069 /* no data in this response */
15071 case 0x0e: /*TRANS2_SESSION_SETUP*/
15072 /* XXX dont know how to dissect this one (yet)*/
15074 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
15075 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
15077 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
15078 /* the SNIA spec appears to say the response has no data */
15082 * We don't know what the matching request was; don't
15083 * bother putting anything else into the tree for the data.
15090 /* ooops there were data we didnt know how to process */
/* Whatever byte count the handlers left in dc is shown as one opaque field. */
15092 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
15101 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
15103 proto_item *item = NULL;
15104 proto_tree *tree = NULL;
15106 smb_transact2_info_t *t2i;
15112 pc = tvb_reported_length(tvb);
15114 si = (smb_info_t *)pinfo->private_data;
15115 DISSECTOR_ASSERT(si);
15117 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
15118 t2i = si->sip->extra_info;
15123 if (t2i != NULL && t2i->subcmd != -1) {
15124 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
15126 val_to_str(t2i->subcmd, trans2_cmd_vals,
15127 "Unknown (0x%02x)"));
15128 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
15130 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
15131 "Unknown Transaction2 Parameters");
15139 switch(t2i->subcmd){
15140 case 0x00: /*TRANS2_OPEN2*/
15142 fid = tvb_get_letohs(tvb, offset);
15143 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, TRUE, FALSE, FALSE);
15147 * XXX - Microsoft Networks SMB File Sharing Protocol
15148 * Extensions Version 3.0, Document Version 1.11,
15149 * July 19, 1990 says that the file attributes, create
15150 * time (which it says is the last modification time),
15151 * data size, granted access, file type, and IPC state
15152 * are returned only if bit 0 is set in the open flags,
15153 * and that the EA length is returned only if bit 3
15154 * is set in the open flags. Does that mean that,
15155 * at least in that SMB dialect, those fields are not
15156 * present in the reply parameters if the bits in
15157 * question aren't set?
15160 /* File Attributes */
15161 offset = dissect_file_attributes(tvb, tree, offset, 2);
15164 offset = dissect_smb_datetime(tvb, tree, offset,
15165 hf_smb_create_time,
15166 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
15169 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
15172 /* granted access */
15173 offset = dissect_access(tvb, tree, offset, "Granted");
15176 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
15180 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
15183 offset = dissect_open_action(tvb, tree, offset);
15185 /* server unique file ID */
15186 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
15189 /* ea error offset, only a 16 bit integer here */
15190 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15194 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
15198 case 0x01: /*TRANS2_FIND_FIRST2*/
15199 /* Find First2 information level */
15200 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
15203 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
15207 si->info_count = tvb_get_letohs(tvb, offset);
15208 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
15211 /* end of search */
15212 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
15215 /* ea error offset, only a 16 bit integer here */
15216 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15219 /* last name offset */
15220 lno = tvb_get_letohs(tvb, offset);
15221 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
15225 case 0x02: /*TRANS2_FIND_NEXT2*/
15227 si->info_count = tvb_get_letohs(tvb, offset);
15228 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
15231 /* end of search */
15232 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
15235 /* ea_error_offset, only a 16 bit integer here*/
15236 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15239 /* last name offset */
15240 lno = tvb_get_letohs(tvb, offset);
15241 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
15245 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
15246 /* no parameter block here */
15248 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
15249 /* ea_error_offset, only a 16 bit integer here*/
15250 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15254 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
15255 /* ea_error_offset, only a 16 bit integer here*/
15256 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15260 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
15261 /* ea_error_offset, only a 16 bit integer here*/
15262 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15266 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
15267 /* ea_error_offset, only a 16 bit integer here*/
15268 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15272 case 0x09: /*TRANS2_FSCTL*/
15273 /* XXX dont know how to dissect this one (yet)*/
15276 * XXX - "Microsoft Networks SMB File Sharing Protocol
15277 * Extensions Version 3.0, Document Version 1.11,
15278 * July 19, 1990" says this this contains a
15279 * "File system specific return parameter block".
15280 * (That means we may not be able to dissect it in any
15284 case 0x0a: /*TRANS2_IOCTL2*/
15285 /* XXX dont know how to dissect this one (yet)*/
15288 * XXX - "Microsoft Networks SMB File Sharing Protocol
15289 * Extensions Version 3.0, Document Version 1.11,
15290 * July 19, 1990" says this this contains a
15291 * "Device/function specific return parameter block".
15292 * (That means we may not be able to dissect it in any
15296 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
15297 /* Find Notify information level */
15298 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
15300 /* Monitor handle */
15301 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
15305 si->info_count = tvb_get_letohs(tvb, offset);
15306 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
15309 /* ea_error_offset, only a 16 bit integer here*/
15310 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15314 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
15315 /* Find Notify information level */
15316 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
15319 si->info_count = tvb_get_letohs(tvb, offset);
15320 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
15323 /* ea_error_offset, only a 16 bit integer here*/
15324 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15328 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
15329 /* ea error offset, only a 16 bit integer here */
15330 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
15334 case 0x0e: /*TRANS2_SESSION_SETUP*/
15335 /* XXX dont know how to dissect this one (yet)*/
15337 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
15338 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
15340 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
15341 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
15345 * We don't know what the matching request was; don't
15346 * bother putting anything else into the tree for the data.
15352 /* ooops there were data we didnt know how to process */
15354 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
15355 offset += pc-offset;
/*
 * Dissect the response to an SMB_COM_TRANSACTION / SMB_COM_TRANSACTION2.
 *
 * Reads the 16-bit totals (tp, td), the per-packet counts (pc, dc), the
 * offsets (po, od), the displacements (pd, dd) and the setup count (sc)
 * from tvb, adds each to the tree, optionally reassembles the parameter
 * and data blocks through smb_trans_defragment(), and hands the resulting
 * p_tvb/d_tvb to the Transaction2 or pipe/mailslot dissectors.
 *
 * Every one of those counts, offsets and displacements is taken from the
 * packet and is therefore untrusted. The code below does not cross-check
 * them against each other; it relies on the tvb_length_remaining()
 * comparisons and on tvbuff bounds checking to reject values that point
 * outside the captured data.
 *
 * NOTE(review): padcnt is computed as po-offset and od-offset from those
 * untrusted offsets; the guards around the two padding sections are not
 * visible here - confirm they keep padcnt positive before it is used as
 * a length.
 * NOTE(review): pinfo is tagged _U_ in the signature although it is read
 * below (pinfo->private_data, pinfo->fragmented, pinfo->cinfo).
 */
15361 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
15364 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
15366 smb_transact2_info_t *t2i = NULL;
15369 gboolean dissected_trans;
15370 fragment_data *r_fd = NULL;
15371 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
15372 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
15373 gboolean save_fragmented;
/* Per-packet SMB state is carried in pinfo->private_data; the assert stops
   dissection of this packet rather than dereferencing a NULL si below. */
15376 si = (smb_info_t *)pinfo->private_data;
15377 DISSECTOR_ASSERT(si);
15380 case SMB_COM_TRANSACTION2:
/* The same extra_info field is read as smb_transact_info_t further down,
   so the extra_info_type tag is what keeps the two interpretations apart:
   only use it as Transaction2 state when the tag says SMB_EI_T2I. */
15382 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
15383 t2i = si->sip->extra_info;
15388 * We didn't see the matching request, so we don't
15389 * know what type of transaction this is.
15391 proto_tree_add_text(tree, tvb, 0, 0,
15392 "Subcommand: <UNKNOWN> since request packet wasn't seen");
15393 col_append_str(pinfo->cinfo, COL_INFO, "<unknown>");
/* NOTE(review): t2i is dereferenced here, while the later tests use
   "t2i && ..."; the branch structure separating this line from the
   "request packet wasn't seen" case is not visible - confirm t2i cannot
   be NULL at this point. */
15395 si->info_level = t2i->info_level;
15396 if (t2i->subcmd == -1) {
15398 * We didn't manage to extract the subcommand
15399 * from the matching request (perhaps because
15400 * the frame was short), so we don't know what
15401 * type of transaction this is.
15403 proto_tree_add_text(tree, tvb, 0, 0,
15404 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
15405 col_append_str(pinfo->cinfo, COL_INFO, "<unknown>");
15407 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
/* The items below use offset 0 / length 0 and are flagged as generated:
   their values come from the saved request (t2i), not from bytes of this
   response. Subcommand 0x0001 is presumably FIND_FIRST2, going by the
   hf_smb_ff2_ field name. */
15409 if(t2i && t2i->subcmd==0x0001){
15410 item=proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, t2i->info_level);
15411 PROTO_ITEM_SET_GENERATED(item);
15413 item=proto_tree_add_string(tree, hf_smb_search_pattern, tvb, 0, 0, t2i->name);
15414 PROTO_ITEM_SET_GENERATED(item);
15418 /* QUERY_PATH_INFORMATION */
15419 if(t2i && t2i->subcmd==0x0005){
15420 item=proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level);
15421 PROTO_ITEM_SET_GENERATED(item);
15423 item=proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, t2i->name);
15424 PROTO_ITEM_SET_GENERATED(item);
15427 /* QUERY_FILE_INFORMATION */
15428 if(t2i && t2i->subcmd==0x0007){
15429 item=proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level);
15430 PROTO_ITEM_SET_GENERATED(item);
15432 /* QUERY_FS_INFORMATION */
15433 if(t2i && t2i->subcmd==0x0003){
15434 item=proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, 0, 0, si->info_level);
15435 PROTO_ITEM_SET_GENERATED(item);
15438 if (t2i && check_col(pinfo->cinfo, COL_INFO)) {
15439 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
15440 val_to_str(t2i->subcmd,
15442 "<unknown (0x%02x)>"));
/* Fixed header fields: each value below is a little-endian 16-bit integer
   read from the packet and kept for the reassembly and subset logic. */
15451 /* total param count, only a 16bit integer here */
15452 tp = tvb_get_letohs(tvb, offset);
15453 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
15456 /* total data count, only a 16 bit integer here */
15457 td = tvb_get_letohs(tvb, offset);
15458 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
15461 /* 2 reserved bytes */
15462 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
15466 pc = tvb_get_letohs(tvb, offset);
15467 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
15471 po = tvb_get_letohs(tvb, offset);
15472 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
15476 pd = tvb_get_letohs(tvb, offset);
15477 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
15481 dc = tvb_get_letohs(tvb, offset);
15482 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
15486 od = tvb_get_letohs(tvb, offset);
15487 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
15491 dd = tvb_get_letohs(tvb, offset);
15492 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
15496 sc = tvb_get_guint8(tvb, offset);
15497 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
15500 /* reserved byte */
15501 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
15505 /* if there were any setup bytes, put them in a tvb for later */
/* sc counts 16-bit setup words, hence 2*sc bytes. When the capture holds
   fewer bytes than that, the subset's captured length is clamped to what
   is present while its reported length stays 2*sc. */
15507 if((2*sc)>tvb_length_remaining(tvb, offset)){
15508 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
15510 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
15512 sp_tvb = tvb_new_subset_remaining(tvb, offset);
15523 /* reassembly of SMB Transaction data payload.
15524 In this section we do reassembly of both the data and parameters
15525 blocks of the SMB transaction command.
15527 save_fragmented = pinfo->fragmented;
15528 /* do we need reassembly? */
/* td/tp are the totals for the whole transaction, dc/pc what this packet
   carries; a mismatch in either pair is treated as fragmentation. */
15529 if( (td!=dc) || (tp!=pc) ){
15530 /* oh yeah, either data or parameter section needs
15533 pinfo->fragmented = TRUE;
15534 if(smb_trans_reassembly){
15535 /* ...and we were told to do reassembly */
/* A fragment is passed to the reassembler only when the captured bytes at
   its offset cover the full count claimed in the header. */
15536 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
15537 r_fd = smb_trans_defragment(tree, pinfo, tvb,
15538 po, pc, pd, td+tp);
/* The data fragment is added only if the parameter fragment did not
   already complete reassembly; it is placed at dd+tp, i.e. after the
   parameter bytes in the reassembled buffer. */
15541 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
15542 r_fd = smb_trans_defragment(tree, pinfo, tvb,
15543 od, dc, dd+tp, td+tp);
15548 /* if we got a reassembled fd structure from the reassembly routine we must
15549 create pd_tvb from it
15552 proto_item *frag_tree_item;
15554 pd_tvb = tvb_new_child_real_data(tvb, r_fd->data, r_fd->datalen,
15556 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
15557 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
15562 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
/* NOTE(review): tp and td are the totals claimed in this packet's header,
   not values derived from r_fd->datalen. Nothing visible here compares
   them with the reassembled length, so these subsets depend on
   tvb_new_subset() rejecting a range that runs past pd_tvb - confirm. */
15564 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
15567 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
15570 /* It was not reassembled. Do as best as we can.
15571 * in this case we always try to dissect the stuff if
15572 * data and param displacement is 0. i.e. for the first
15573 * (and maybe only) packet.
15575 if( (pd==0) && (dd==0) ){
15578 min = MIN(pc,tvb_length_remaining(tvb,po));
15579 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
15580 if(min && reported_min) {
15581 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
15583 min = MIN(dc,tvb_length_remaining(tvb,od));
15584 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
15585 if(min && reported_min) {
15586 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
15589 * A tvbuff containing the parameters
15591 * XXX - check pc and dc as well?
15593 if (tvb_length_remaining(tvb, po)){
15594 pd_tvb = tvb_new_subset_remaining(tvb, po);
15603 /* We have some padding bytes.
15605 padcnt = po-offset;
15608 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
15609 COUNT_BYTES(padcnt);
15611 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
15612 /* TRANSACTION2 parameters*/
15613 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
15620 /* We have some initial padding bytes.
15622 padcnt = od-offset;
15625 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
15626 COUNT_BYTES(padcnt);
15629 * If the data count is bigger than the count of bytes
15630 * remaining, clamp it so that the count of bytes remaining
15631 * doesn't go negative.
15639 /* from now on, everything is in separate tvbuffs so we dont count
15640 the bytes with COUNT_BYTES any more.
15641 neither do we reference offset any more (which by now points to the
15642 first byte AFTER this PDU */
15645 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
15646 /* TRANSACTION2 parameters*/
15647 dissect_transaction2_response_data(d_tvb, pinfo, tree);
15651 if(si->cmd==SMB_COM_TRANSACTION){
15652 smb_transact_info_t *tri;
15654 dissected_trans = FALSE;
15655 if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_TRI)
15656 tri = si->sip->extra_info;
/* NOTE(review): tri is assigned only when the type tag matches; the
   handling of the other case is not visible between the assignment and
   the switch - confirm tri is checked before tri->subcmd is read. */
15660 switch(tri->subcmd){
15662 case TRANSACTION_PIPE:
15663 /* This function is safe to call for
15664 s_tvb==sp_tvb==NULL, i.e. if we don't
15665 know them at this point.
15666 It's also safe to call if "p_tvb"
15667 or "d_tvb" are null.
15670 dissected_trans = dissect_pipe_smb(
15671 sp_tvb, s_tvb, pd_tvb, p_tvb,
15672 d_tvb, NULL, pinfo, top_tree);
15676 case TRANSACTION_MAILSLOT:
15677 /* This one should be safe to call
15678 even if s_tvb and sp_tvb is NULL
15681 dissected_trans = dissect_mailslot_smb(
15682 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
15688 if (!dissected_trans) {
15689 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
15690 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
/* Neither a parameter nor a data tvbuff could be built from this packet:
   label it as a continuation instead of leaving the Info column bare. */
15695 if( (p_tvb==0) && (d_tvb==0) ){
15696 col_append_str(pinfo->cinfo, COL_INFO,
15697 "[transact continuation]");
/* Put back the fragmented flag that was saved before the reassembly
   section, which may have set it to TRUE. */
15700 pinfo->fragmented = save_fragmented;
/*
 * Dissect a Find Notify Close message (registered as the request handler
 * for command 0x35 in smb_dissector[]). The only field added in the lines
 * visible here is the 2-byte monitor handle at the current offset.
 */
15708 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
15715 /* Monitor handle */
15716 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
15726 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15727 END Transaction/Transaction2 Primary and secondary requests
15728 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Fallback handler used in smb_dissector[] for every command code that has
 * no specific dissector. It does not interpret the payload; it only marks
 * the word-parameter and byte-parameter ranges in the tree.
 *
 * wc and bc are presumably the word count and byte count read from the
 * packet (their reads are not visible here), so both are untrusted sizes.
 */
15732 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* Check that the claimed range is really present before adding an item of
   that length; wc counts 16-bit words, hence wc*2 bytes. */
15740 tvb_ensure_bytes_exist(tvb, offset, wc*2);
15741 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
/* Same presence check for the byte-parameter block. */
15748 tvb_ensure_bytes_exist(tvb, offset, bc);
15749 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
/*
 * Handler pair for one SMB command code: one dissector for the request
 * direction and one for the response. Both take the same arguments and
 * return an int, which dissect_smb_command() assigns back to offset.
 *
 * The smb_dissector[256] table that follows holds one pair per possible
 * command byte; codes without a dedicated handler point at
 * dissect_unknown, so no slot in the initializer is left empty.
 */
15759 typedef struct _smb_function {
15760 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
15761 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
15764 static smb_function smb_dissector[256] = {
15765 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
15766 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
15767 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
15768 /* 0x03 Create File*/ {dissect_create_file_request, dissect_create_file_response},
15769 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
15770 /* 0x05 Flush File*/ {dissect_flush_file_request, dissect_empty},
15771 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
15772 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_rename_file_response},
15773 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
15774 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
15775 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
15776 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
15777 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
15778 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
15779 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
15780 /* 0x0f Create New*/ {dissect_create_file_request, dissect_create_new_response},
15782 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
15783 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
15784 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
15785 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
15786 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
15787 /* 0x15 */ {dissect_unknown, dissect_unknown},
15788 /* 0x16 */ {dissect_unknown, dissect_unknown},
15789 /* 0x17 */ {dissect_unknown, dissect_unknown},
15790 /* 0x18 */ {dissect_unknown, dissect_unknown},
15791 /* 0x19 */ {dissect_unknown, dissect_unknown},
15792 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
15793 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
15794 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
15795 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
15796 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
15797 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
15799 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
15800 /* 0x21 */ {dissect_unknown, dissect_unknown},
15801 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
15802 /* 0x23 Query Info2*/ {dissect_query_information2_request, dissect_query_information2_response},
15803 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
15804 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
15805 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
15806 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
15807 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
15808 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
15809 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
15810 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
15811 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
15812 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
15813 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
15814 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
15816 /* 0x30 */ {dissect_unknown, dissect_unknown},
15817 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
15818 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
15819 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
15820 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
15821 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
15822 /* 0x36 */ {dissect_unknown, dissect_unknown},
15823 /* 0x37 */ {dissect_unknown, dissect_unknown},
15824 /* 0x38 */ {dissect_unknown, dissect_unknown},
15825 /* 0x39 */ {dissect_unknown, dissect_unknown},
15826 /* 0x3a */ {dissect_unknown, dissect_unknown},
15827 /* 0x3b */ {dissect_unknown, dissect_unknown},
15828 /* 0x3c */ {dissect_unknown, dissect_unknown},
15829 /* 0x3d */ {dissect_unknown, dissect_unknown},
15830 /* 0x3e */ {dissect_unknown, dissect_unknown},
15831 /* 0x3f */ {dissect_unknown, dissect_unknown},
15833 /* 0x40 */ {dissect_unknown, dissect_unknown},
15834 /* 0x41 */ {dissect_unknown, dissect_unknown},
15835 /* 0x42 */ {dissect_unknown, dissect_unknown},
15836 /* 0x43 */ {dissect_unknown, dissect_unknown},
15837 /* 0x44 */ {dissect_unknown, dissect_unknown},
15838 /* 0x45 */ {dissect_unknown, dissect_unknown},
15839 /* 0x46 */ {dissect_unknown, dissect_unknown},
15840 /* 0x47 */ {dissect_unknown, dissect_unknown},
15841 /* 0x48 */ {dissect_unknown, dissect_unknown},
15842 /* 0x49 */ {dissect_unknown, dissect_unknown},
15843 /* 0x4a */ {dissect_unknown, dissect_unknown},
15844 /* 0x4b */ {dissect_unknown, dissect_unknown},
15845 /* 0x4c */ {dissect_unknown, dissect_unknown},
15846 /* 0x4d */ {dissect_unknown, dissect_unknown},
15847 /* 0x4e */ {dissect_unknown, dissect_unknown},
15848 /* 0x4f */ {dissect_unknown, dissect_unknown},
15850 /* 0x50 */ {dissect_unknown, dissect_unknown},
15851 /* 0x51 */ {dissect_unknown, dissect_unknown},
15852 /* 0x52 */ {dissect_unknown, dissect_unknown},
15853 /* 0x53 */ {dissect_unknown, dissect_unknown},
15854 /* 0x54 */ {dissect_unknown, dissect_unknown},
15855 /* 0x55 */ {dissect_unknown, dissect_unknown},
15856 /* 0x56 */ {dissect_unknown, dissect_unknown},
15857 /* 0x57 */ {dissect_unknown, dissect_unknown},
15858 /* 0x58 */ {dissect_unknown, dissect_unknown},
15859 /* 0x59 */ {dissect_unknown, dissect_unknown},
15860 /* 0x5a */ {dissect_unknown, dissect_unknown},
15861 /* 0x5b */ {dissect_unknown, dissect_unknown},
15862 /* 0x5c */ {dissect_unknown, dissect_unknown},
15863 /* 0x5d */ {dissect_unknown, dissect_unknown},
15864 /* 0x5e */ {dissect_unknown, dissect_unknown},
15865 /* 0x5f */ {dissect_unknown, dissect_unknown},
15867 /* 0x60 */ {dissect_unknown, dissect_unknown},
15868 /* 0x61 */ {dissect_unknown, dissect_unknown},
15869 /* 0x62 */ {dissect_unknown, dissect_unknown},
15870 /* 0x63 */ {dissect_unknown, dissect_unknown},
15871 /* 0x64 */ {dissect_unknown, dissect_unknown},
15872 /* 0x65 */ {dissect_unknown, dissect_unknown},
15873 /* 0x66 */ {dissect_unknown, dissect_unknown},
15874 /* 0x67 */ {dissect_unknown, dissect_unknown},
15875 /* 0x68 */ {dissect_unknown, dissect_unknown},
15876 /* 0x69 */ {dissect_unknown, dissect_unknown},
15877 /* 0x6a */ {dissect_unknown, dissect_unknown},
15878 /* 0x6b */ {dissect_unknown, dissect_unknown},
15879 /* 0x6c */ {dissect_unknown, dissect_unknown},
15880 /* 0x6d */ {dissect_unknown, dissect_unknown},
15881 /* 0x6e */ {dissect_unknown, dissect_unknown},
15882 /* 0x6f */ {dissect_unknown, dissect_unknown},
15884 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
15885 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
15886 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
15887 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
15888 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
15889 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
15890 /* 0x76 */ {dissect_unknown, dissect_unknown},
15891 /* 0x77 */ {dissect_unknown, dissect_unknown},
15892 /* 0x78 */ {dissect_unknown, dissect_unknown},
15893 /* 0x79 */ {dissect_unknown, dissect_unknown},
15894 /* 0x7a */ {dissect_unknown, dissect_unknown},
15895 /* 0x7b */ {dissect_unknown, dissect_unknown},
15896 /* 0x7c */ {dissect_unknown, dissect_unknown},
15897 /* 0x7d */ {dissect_unknown, dissect_unknown},
15898 /* 0x7e */ {dissect_unknown, dissect_unknown},
15899 /* 0x7f */ {dissect_unknown, dissect_unknown},
15901 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
15902 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
15903 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
15904 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
15905 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
15906 /* 0x85 */ {dissect_unknown, dissect_unknown},
15907 /* 0x86 */ {dissect_unknown, dissect_unknown},
15908 /* 0x87 */ {dissect_unknown, dissect_unknown},
15909 /* 0x88 */ {dissect_unknown, dissect_unknown},
15910 /* 0x89 */ {dissect_unknown, dissect_unknown},
15911 /* 0x8a */ {dissect_unknown, dissect_unknown},
15912 /* 0x8b */ {dissect_unknown, dissect_unknown},
15913 /* 0x8c */ {dissect_unknown, dissect_unknown},
15914 /* 0x8d */ {dissect_unknown, dissect_unknown},
15915 /* 0x8e */ {dissect_unknown, dissect_unknown},
15916 /* 0x8f */ {dissect_unknown, dissect_unknown},
15918 /* 0x90 */ {dissect_unknown, dissect_unknown},
15919 /* 0x91 */ {dissect_unknown, dissect_unknown},
15920 /* 0x92 */ {dissect_unknown, dissect_unknown},
15921 /* 0x93 */ {dissect_unknown, dissect_unknown},
15922 /* 0x94 */ {dissect_unknown, dissect_unknown},
15923 /* 0x95 */ {dissect_unknown, dissect_unknown},
15924 /* 0x96 */ {dissect_unknown, dissect_unknown},
15925 /* 0x97 */ {dissect_unknown, dissect_unknown},
15926 /* 0x98 */ {dissect_unknown, dissect_unknown},
15927 /* 0x99 */ {dissect_unknown, dissect_unknown},
15928 /* 0x9a */ {dissect_unknown, dissect_unknown},
15929 /* 0x9b */ {dissect_unknown, dissect_unknown},
15930 /* 0x9c */ {dissect_unknown, dissect_unknown},
15931 /* 0x9d */ {dissect_unknown, dissect_unknown},
15932 /* 0x9e */ {dissect_unknown, dissect_unknown},
15933 /* 0x9f */ {dissect_unknown, dissect_unknown},
15935 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
15936 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
15937 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
15938 /* 0xa3 */ {dissect_unknown, dissect_unknown},
15939 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
15940 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
15941 /* 0xa6 */ {dissect_unknown, dissect_unknown},
15942 /* 0xa7 */ {dissect_unknown, dissect_unknown},
15943 /* 0xa8 */ {dissect_unknown, dissect_unknown},
15944 /* 0xa9 */ {dissect_unknown, dissect_unknown},
15945 /* 0xaa */ {dissect_unknown, dissect_unknown},
15946 /* 0xab */ {dissect_unknown, dissect_unknown},
15947 /* 0xac */ {dissect_unknown, dissect_unknown},
15948 /* 0xad */ {dissect_unknown, dissect_unknown},
15949 /* 0xae */ {dissect_unknown, dissect_unknown},
15950 /* 0xaf */ {dissect_unknown, dissect_unknown},
15952 /* 0xb0 */ {dissect_unknown, dissect_unknown},
15953 /* 0xb1 */ {dissect_unknown, dissect_unknown},
15954 /* 0xb2 */ {dissect_unknown, dissect_unknown},
15955 /* 0xb3 */ {dissect_unknown, dissect_unknown},
15956 /* 0xb4 */ {dissect_unknown, dissect_unknown},
15957 /* 0xb5 */ {dissect_unknown, dissect_unknown},
15958 /* 0xb6 */ {dissect_unknown, dissect_unknown},
15959 /* 0xb7 */ {dissect_unknown, dissect_unknown},
15960 /* 0xb8 */ {dissect_unknown, dissect_unknown},
15961 /* 0xb9 */ {dissect_unknown, dissect_unknown},
15962 /* 0xba */ {dissect_unknown, dissect_unknown},
15963 /* 0xbb */ {dissect_unknown, dissect_unknown},
15964 /* 0xbc */ {dissect_unknown, dissect_unknown},
15965 /* 0xbd */ {dissect_unknown, dissect_unknown},
15966 /* 0xbe */ {dissect_unknown, dissect_unknown},
15967 /* 0xbf */ {dissect_unknown, dissect_unknown},
15969 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_open_print_file_response},
15970 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
15971 /* 0xc2 Close Print File*/ {dissect_close_print_file_request, dissect_empty},
15972 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
15973 /* 0xc4 */ {dissect_unknown, dissect_unknown},
15974 /* 0xc5 */ {dissect_unknown, dissect_unknown},
15975 /* 0xc6 */ {dissect_unknown, dissect_unknown},
15976 /* 0xc7 */ {dissect_unknown, dissect_unknown},
15977 /* 0xc8 */ {dissect_unknown, dissect_unknown},
15978 /* 0xc9 */ {dissect_unknown, dissect_unknown},
15979 /* 0xca */ {dissect_unknown, dissect_unknown},
15980 /* 0xcb */ {dissect_unknown, dissect_unknown},
15981 /* 0xcc */ {dissect_unknown, dissect_unknown},
15982 /* 0xcd */ {dissect_unknown, dissect_unknown},
15983 /* 0xce */ {dissect_unknown, dissect_unknown},
15984 /* 0xcf */ {dissect_unknown, dissect_unknown},
15986 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
15987 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
15988 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
15989 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
15990 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
15991 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
15992 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
15993 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
15994 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
15995 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
15996 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
15997 /* 0xdb */ {dissect_unknown, dissect_unknown},
15998 /* 0xdc */ {dissect_unknown, dissect_unknown},
15999 /* 0xdd */ {dissect_unknown, dissect_unknown},
16000 /* 0xde */ {dissect_unknown, dissect_unknown},
16001 /* 0xdf */ {dissect_unknown, dissect_unknown},
16003 /* 0xe0 */ {dissect_unknown, dissect_unknown},
16004 /* 0xe1 */ {dissect_unknown, dissect_unknown},
16005 /* 0xe2 */ {dissect_unknown, dissect_unknown},
16006 /* 0xe3 */ {dissect_unknown, dissect_unknown},
16007 /* 0xe4 */ {dissect_unknown, dissect_unknown},
16008 /* 0xe5 */ {dissect_unknown, dissect_unknown},
16009 /* 0xe6 */ {dissect_unknown, dissect_unknown},
16010 /* 0xe7 */ {dissect_unknown, dissect_unknown},
16011 /* 0xe8 */ {dissect_unknown, dissect_unknown},
16012 /* 0xe9 */ {dissect_unknown, dissect_unknown},
16013 /* 0xea */ {dissect_unknown, dissect_unknown},
16014 /* 0xeb */ {dissect_unknown, dissect_unknown},
16015 /* 0xec */ {dissect_unknown, dissect_unknown},
16016 /* 0xed */ {dissect_unknown, dissect_unknown},
16017 /* 0xee */ {dissect_unknown, dissect_unknown},
16018 /* 0xef */ {dissect_unknown, dissect_unknown},
16020 /* 0xf0 */ {dissect_unknown, dissect_unknown},
16021 /* 0xf1 */ {dissect_unknown, dissect_unknown},
16022 /* 0xf2 */ {dissect_unknown, dissect_unknown},
16023 /* 0xf3 */ {dissect_unknown, dissect_unknown},
16024 /* 0xf4 */ {dissect_unknown, dissect_unknown},
16025 /* 0xf5 */ {dissect_unknown, dissect_unknown},
16026 /* 0xf6 */ {dissect_unknown, dissect_unknown},
16027 /* 0xf7 */ {dissect_unknown, dissect_unknown},
16028 /* 0xf8 */ {dissect_unknown, dissect_unknown},
16029 /* 0xf9 */ {dissect_unknown, dissect_unknown},
16030 /* 0xfa */ {dissect_unknown, dissect_unknown},
16031 /* 0xfb */ {dissect_unknown, dissect_unknown},
16032 /* 0xfc */ {dissect_unknown, dissect_unknown},
16033 /* 0xfd */ {dissect_unknown, dissect_unknown},
16034 /* 0xfe */ {dissect_unknown, dissect_unknown},
16035 /* 0xff */ {dissect_unknown, dissect_unknown},
/*
 * Dissect one SMB command: append the command name and direction to the
 * Info column, open a subtree for the command, add a generated FID item
 * when the saved transaction state has a FID that was seen in the other
 * direction, then call the request or response handler from
 * smb_dissector[cmd] and end the subtree item at the offset it returns.
 *
 * cmd comes from the packet. It is a guint8 and smb_dissector is declared
 * with 256 entries, so the table index cannot leave the array, and every
 * entry in the initializer names a handler (dissect_unknown for
 * unassigned codes), so the indirect call never goes through an unset
 * pointer. Both properties need to be preserved if the table or the type
 * of cmd is ever changed.
 *
 * NOTE(review): how first_pdu is used is not visible in these lines.
 */
16039 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
16042 smb_saved_info_t *sip;
/* Per-packet SMB state is carried in pinfo->private_data; the assert stops
   dissection of this packet rather than dereferencing a NULL si below. */
16044 si = pinfo->private_data;
16045 DISSECTOR_ASSERT(si);
16048 proto_item *cmd_item;
16049 proto_tree *cmd_tree;
/* Holds whichever of the two handlers in smb_dissector[cmd] matches the
   direction of this packet. */
16050 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
16052 if (check_col(pinfo->cinfo, COL_INFO)) {
16054 col_append_fstr(pinfo->cinfo, COL_INFO,
16056 decode_smb_name(cmd),
16057 (si->request)? "Request" : "Response");
16059 col_append_fstr(pinfo->cinfo, COL_INFO,
16061 decode_smb_name(cmd));
16066 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
16068 decode_smb_name(cmd),
16069 (si->request)?"Request":"Response",
16072 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
16074 /* we track FIDs on a per transaction basis.
16075 if this was a request and the fid was seen in a reply
16076 we add a "generated" fid tree for this pdu and v.v.
16079 if (sip && sip->fid) {
16080 if( (si->request && (!sip->fid_seen_in_request))
16081 ||((!si->request) && sip->fid_seen_in_request) ){
16082 dissect_smb_fid(tvb, pinfo, cmd_tree, offset, 0, sip->fid, FALSE, FALSE, TRUE);
16086 dissector = (si->request)?
16087 smb_dissector[cmd].request:smb_dissector[cmd].response;
16089 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
16090 proto_item_set_end(cmd_item, tvb, offset);
16096 /* NOTE: this value_string array is also used to access data directly by
16097 * index instead of through val_to_str(), since
16098 * 1. the array always spans every value from 0x00 to 0xff, and
16099 * 2. smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
16100 * Direct indexing is only correct while this value_string array
16101 * 1. contains all entries 0x00 to 0xff, and
16102 * 2. keeps all entries in order; otherwise index i is no longer the entry for command i.
16104 const value_string smb_cmd_vals[] = {
16105 { 0x00, "Create Directory" },
16106 { 0x01, "Delete Directory" },
16108 { 0x03, "Create" },
16111 { 0x06, "Delete" },
16112 { 0x07, "Rename" },
16113 { 0x08, "Query Information" },
16114 { 0x09, "Set Information" },
16117 { 0x0C, "Lock Byte Range" },
16118 { 0x0D, "Unlock Byte Range" },
16119 { 0x0E, "Create Temp" },
16120 { 0x0F, "Create New" },
16121 { 0x10, "Check Directory" },
16122 { 0x11, "Process Exit" },
16124 { 0x13, "Lock And Read" },
16125 { 0x14, "Write And Unlock" },
16126 { 0x15, "unknown-0x15" },
16127 { 0x16, "unknown-0x16" },
16128 { 0x17, "unknown-0x17" },
16129 { 0x18, "unknown-0x18" },
16130 { 0x19, "unknown-0x19" },
16131 { 0x1A, "Read Raw" },
16132 { 0x1B, "Read MPX" },
16133 { 0x1C, "Read MPX Secondary" },
16134 { 0x1D, "Write Raw" },
16135 { 0x1E, "Write MPX" },
16136 { 0x1F, "Write MPX Secondary" },
16137 { 0x20, "Write Complete" },
16138 { 0x21, "unknown-0x21" },
16139 { 0x22, "Set Information2" },
16140 { 0x23, "Query Information2" },
16141 { 0x24, "Locking AndX" },
16143 { 0x26, "Trans Secondary" },
16145 { 0x28, "IOCTL Secondary" },
16149 { 0x2C, "Write And Close" },
16150 { 0x2D, "Open AndX" },
16151 { 0x2E, "Read AndX" },
16152 { 0x2F, "Write AndX" },
16153 { 0x30, "unknown-0x30" },
16154 { 0x31, "Close And Tree Disconnect" },
16155 { 0x32, "Trans2" },
16156 { 0x33, "Trans2 Secondary" },
16157 { 0x34, "Find Close2" },
16158 { 0x35, "Find Notify Close" },
16159 { 0x36, "unknown-0x36" },
16160 { 0x37, "unknown-0x37" },
16161 { 0x38, "unknown-0x38" },
16162 { 0x39, "unknown-0x39" },
16163 { 0x3A, "unknown-0x3A" },
16164 { 0x3B, "unknown-0x3B" },
16165 { 0x3C, "unknown-0x3C" },
16166 { 0x3D, "unknown-0x3D" },
16167 { 0x3E, "unknown-0x3E" },
16168 { 0x3F, "unknown-0x3F" },
16169 { 0x40, "unknown-0x40" },
16170 { 0x41, "unknown-0x41" },
16171 { 0x42, "unknown-0x42" },
16172 { 0x43, "unknown-0x43" },
16173 { 0x44, "unknown-0x44" },
16174 { 0x45, "unknown-0x45" },
16175 { 0x46, "unknown-0x46" },
16176 { 0x47, "unknown-0x47" },
16177 { 0x48, "unknown-0x48" },
16178 { 0x49, "unknown-0x49" },
16179 { 0x4A, "unknown-0x4A" },
16180 { 0x4B, "unknown-0x4B" },
16181 { 0x4C, "unknown-0x4C" },
16182 { 0x4D, "unknown-0x4D" },
16183 { 0x4E, "unknown-0x4E" },
16184 { 0x4F, "unknown-0x4F" },
16185 { 0x50, "unknown-0x50" },
16186 { 0x51, "unknown-0x51" },
16187 { 0x52, "unknown-0x52" },
16188 { 0x53, "unknown-0x53" },
16189 { 0x54, "unknown-0x54" },
16190 { 0x55, "unknown-0x55" },
16191 { 0x56, "unknown-0x56" },
16192 { 0x57, "unknown-0x57" },
16193 { 0x58, "unknown-0x58" },
16194 { 0x59, "unknown-0x59" },
16195 { 0x5A, "unknown-0x5A" },
16196 { 0x5B, "unknown-0x5B" },
16197 { 0x5C, "unknown-0x5C" },
16198 { 0x5D, "unknown-0x5D" },
16199 { 0x5E, "unknown-0x5E" },
16200 { 0x5F, "unknown-0x5F" },
16201 { 0x60, "unknown-0x60" },
16202 { 0x61, "unknown-0x61" },
16203 { 0x62, "unknown-0x62" },
16204 { 0x63, "unknown-0x63" },
16205 { 0x64, "unknown-0x64" },
16206 { 0x65, "unknown-0x65" },
16207 { 0x66, "unknown-0x66" },
16208 { 0x67, "unknown-0x67" },
16209 { 0x68, "unknown-0x68" },
16210 { 0x69, "unknown-0x69" },
16211 { 0x6A, "unknown-0x6A" },
16212 { 0x6B, "unknown-0x6B" },
16213 { 0x6C, "unknown-0x6C" },
16214 { 0x6D, "unknown-0x6D" },
16215 { 0x6E, "unknown-0x6E" },
16216 { 0x6F, "unknown-0x6F" },
16217 { 0x70, "Tree Connect" },
16218 { 0x71, "Tree Disconnect" },
16219 { 0x72, "Negotiate Protocol" },
16220 { 0x73, "Session Setup AndX" },
16221 { 0x74, "Logoff AndX" },
16222 { 0x75, "Tree Connect AndX" },
16223 { 0x76, "unknown-0x76" },
16224 { 0x77, "unknown-0x77" },
16225 { 0x78, "unknown-0x78" },
16226 { 0x79, "unknown-0x79" },
16227 { 0x7A, "unknown-0x7A" },
16228 { 0x7B, "unknown-0x7B" },
16229 { 0x7C, "unknown-0x7C" },
16230 { 0x7D, "unknown-0x7D" },
16231 { 0x7E, "unknown-0x7E" },
16232 { 0x7F, "unknown-0x7F" },
16233 { 0x80, "Query Information Disk" },
16234 { 0x81, "Search" },
16236 { 0x83, "Find Unique" },
16237 { 0x84, "Find Close" },
16238 { 0x85, "unknown-0x85" },
16239 { 0x86, "unknown-0x86" },
16240 { 0x87, "unknown-0x87" },
16241 { 0x88, "unknown-0x88" },
16242 { 0x89, "unknown-0x89" },
16243 { 0x8A, "unknown-0x8A" },
16244 { 0x8B, "unknown-0x8B" },
16245 { 0x8C, "unknown-0x8C" },
16246 { 0x8D, "unknown-0x8D" },
16247 { 0x8E, "unknown-0x8E" },
16248 { 0x8F, "unknown-0x8F" },
16249 { 0x90, "unknown-0x90" },
16250 { 0x91, "unknown-0x91" },
16251 { 0x92, "unknown-0x92" },
16252 { 0x93, "unknown-0x93" },
16253 { 0x94, "unknown-0x94" },
16254 { 0x95, "unknown-0x95" },
16255 { 0x96, "unknown-0x96" },
16256 { 0x97, "unknown-0x97" },
16257 { 0x98, "unknown-0x98" },
16258 { 0x99, "unknown-0x99" },
16259 { 0x9A, "unknown-0x9A" },
16260 { 0x9B, "unknown-0x9B" },
16261 { 0x9C, "unknown-0x9C" },
16262 { 0x9D, "unknown-0x9D" },
16263 { 0x9E, "unknown-0x9E" },
16264 { 0x9F, "unknown-0x9F" },
16265 { 0xA0, "NT Trans" },
16266 { 0xA1, "NT Trans Secondary" },
16267 { 0xA2, "NT Create AndX" },
16268 { 0xA3, "unknown-0xA3" },
16269 { 0xA4, "NT Cancel" },
16270 { 0xA5, "NT Rename" },
16271 { 0xA6, "unknown-0xA6" },
16272 { 0xA7, "unknown-0xA7" },
16273 { 0xA8, "unknown-0xA8" },
16274 { 0xA9, "unknown-0xA9" },
16275 { 0xAA, "unknown-0xAA" },
16276 { 0xAB, "unknown-0xAB" },
16277 { 0xAC, "unknown-0xAC" },
16278 { 0xAD, "unknown-0xAD" },
16279 { 0xAE, "unknown-0xAE" },
16280 { 0xAF, "unknown-0xAF" },
16281 { 0xB0, "unknown-0xB0" },
16282 { 0xB1, "unknown-0xB1" },
16283 { 0xB2, "unknown-0xB2" },
16284 { 0xB3, "unknown-0xB3" },
16285 { 0xB4, "unknown-0xB4" },
16286 { 0xB5, "unknown-0xB5" },
16287 { 0xB6, "unknown-0xB6" },
16288 { 0xB7, "unknown-0xB7" },
16289 { 0xB8, "unknown-0xB8" },
16290 { 0xB9, "unknown-0xB9" },
16291 { 0xBA, "unknown-0xBA" },
16292 { 0xBB, "unknown-0xBB" },
16293 { 0xBC, "unknown-0xBC" },
16294 { 0xBD, "unknown-0xBD" },
16295 { 0xBE, "unknown-0xBE" },
16296 { 0xBF, "unknown-0xBF" },
16297 { 0xC0, "Open Print File" },
16298 { 0xC1, "Write Print File" },
16299 { 0xC2, "Close Print File" },
16300 { 0xC3, "Get Print Queue" },
16301 { 0xC4, "unknown-0xC4" },
16302 { 0xC5, "unknown-0xC5" },
16303 { 0xC6, "unknown-0xC6" },
16304 { 0xC7, "unknown-0xC7" },
16305 { 0xC8, "unknown-0xC8" },
16306 { 0xC9, "unknown-0xC9" },
16307 { 0xCA, "unknown-0xCA" },
16308 { 0xCB, "unknown-0xCB" },
16309 { 0xCC, "unknown-0xCC" },
16310 { 0xCD, "unknown-0xCD" },
16311 { 0xCE, "unknown-0xCE" },
16312 { 0xCF, "unknown-0xCF" },
16313 { 0xD0, "Send Single Block Message" },
16314 { 0xD1, "Send Broadcast Message" },
16315 { 0xD2, "Forward User Name" },
16316 { 0xD3, "Cancel Forward" },
16317 { 0xD4, "Get Machine Name" },
16318 { 0xD5, "Send Start of Multi-block Message" },
16319 { 0xD6, "Send End of Multi-block Message" },
16320 { 0xD7, "Send Text of Multi-block Message" },
16321 { 0xD8, "SMBreadbulk" },
16322 { 0xD9, "SMBwritebulk" },
16323 { 0xDA, "SMBwritebulkdata" },
16324 { 0xDB, "unknown-0xDB" },
16325 { 0xDC, "unknown-0xDC" },
16326 { 0xDD, "unknown-0xDD" },
16327 { 0xDE, "unknown-0xDE" },
16328 { 0xDF, "unknown-0xDF" },
16329 { 0xE0, "unknown-0xE0" },
16330 { 0xE1, "unknown-0xE1" },
16331 { 0xE2, "unknown-0xE2" },
16332 { 0xE3, "unknown-0xE3" },
16333 { 0xE4, "unknown-0xE4" },
16334 { 0xE5, "unknown-0xE5" },
16335 { 0xE6, "unknown-0xE6" },
16336 { 0xE7, "unknown-0xE7" },
16337 { 0xE8, "unknown-0xE8" },
16338 { 0xE9, "unknown-0xE9" },
16339 { 0xEA, "unknown-0xEA" },
16340 { 0xEB, "unknown-0xEB" },
16341 { 0xEC, "unknown-0xEC" },
16342 { 0xED, "unknown-0xED" },
16343 { 0xEE, "unknown-0xEE" },
16344 { 0xEF, "unknown-0xEF" },
16345 { 0xF0, "unknown-0xF0" },
16346 { 0xF1, "unknown-0xF1" },
16347 { 0xF2, "unknown-0xF2" },
16348 { 0xF3, "unknown-0xF3" },
16349 { 0xF4, "unknown-0xF4" },
16350 { 0xF5, "unknown-0xF5" },
16351 { 0xF6, "unknown-0xF6" },
16352 { 0xF7, "unknown-0xF7" },
16353 { 0xF8, "unknown-0xF8" },
16354 { 0xF9, "unknown-0xF9" },
16355 { 0xFA, "unknown-0xFA" },
16356 { 0xFB, "unknown-0xFB" },
16357 { 0xFC, "unknown-0xFC" },
16358 { 0xFD, "unknown-0xFD" },
16359 { 0xFE, "SMBinvalid" },
16360 { 0xFF, "unknown-0xFF" },
/*
 * Map an SMB command byte to its display name.
 *
 * The byte is taken from the packet and used as a direct array index into
 * smb_cmd_vals[], not looked up by value.  That stays in bounds, and yields
 * the right name, only while the table carries exactly one row per possible
 * guint8 value in ascending order.
 * NOTE(review): in this listing some values (0x02 among them) have no
 * visible row; the embedded line numbers skip at those points, so the rows
 * were likely lost in extraction rather than absent - confirm the table
 * holds a row for every value 0x00-0xFF before relying on this index.
 */
static const char *decode_smb_name(guint8 cmd)
{
  const value_string *entry = &smb_cmd_vals[cmd];

  return entry->strptr;
}
16371 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
16372 * Everything TVBUFFIFIED above this line
16373 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * List callback passed to g_slist_foreach() by smb_init_protocol(): destroys
 * the GLib hash tables held by one conv_tables_t.
 * ctarg is the list element, used as a conv_tables_t pointer; user_data is
 * unused.
 * NOTE(review): only the tid_service destroy has a visible NULL guard, and no
 * release of the conv_tables_t itself is visible although dissect_smb()
 * obtains it with g_malloc().  The embedded line numbers skip at those
 * points, so lines may be missing from this listing - confirm against the
 * file that each table is guarded and the structure is freed.
 */
16377 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
16379 conv_tables_t *ct = ctarg;
16382 g_hash_table_destroy(ct->unmatched);
16384 g_hash_table_destroy(ct->matched);
16385 if (ct->tid_service)
16386 g_hash_table_destroy(ct->tid_service);
/*
 * Drops all per-conversation SMB state: runs free_hash_tables() over every
 * element of the conv_tables list, frees the list cells, then clears the
 * list head.
 */
16391 smb_init_protocol(void)
16394 * Free the hash tables attached to the conversation table
16395 * structures, and then free the list of conversation table
16399 g_slist_foreach(conv_tables, free_hash_tables, NULL);
16400 g_slist_free(conv_tables);
/* The head is reset because dissect_smb() prepends to conv_tables; a stale
 * head would point at list cells that were just freed. */
16401 conv_tables = NULL;
/*
 * Display names for the DOS-style error class byte.  proto_register_smb()
 * attaches this table to the "smb.error_class" field.
 */
16405 static const value_string errcls_types[] = {
16406 { SMB_SUCCESS, "Success"},
16407 { SMB_ERRDOS, "DOS Error"},
16408 { SMB_ERRSRV, "Server Error"},
16409 { SMB_ERRHRD, "Hardware Error"},
16410 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
16414 /* Error codes for the ERRSRV class */
/*
 * Looked up by value through val_to_str() in decode_smb_error(); a code with
 * no row is shown with the "Unknown SRV error (%x)" fallback.
 * Two distinct constants, SMBE_badpw and SMBE_badPW, both describe a bad
 * password.
 */
16416 static const value_string SRV_errors[] = {
16417 {SMBE_error, "Non specific error code"},
16418 {SMBE_badpw, "Bad password"},
16419 {SMBE_badtype, "Reserved"},
16420 {SMBE_access, "No permissions to perform the requested operation"},
16421 {SMBE_invnid, "TID invalid"},
16422 {SMBE_invnetname, "Invalid network name. Service not found"},
16423 {SMBE_invdevice, "Invalid device"},
16424 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
16425 {SMBE_qfull, "Print queue full"},
16426 {SMBE_qtoobig, "Queued item too big"},
16427 {SMBE_qeof, "EOF on print queue dump"},
16428 {SMBE_invpfid, "Invalid print file in smb_fid"},
16429 {SMBE_smbcmd, "Unrecognised command"},
16430 {SMBE_srverror, "SMB server internal error"},
16431 {SMBE_filespecs, "Fid and pathname invalid combination"},
16432 {SMBE_badlink, "Bad link in request ???"},
16433 {SMBE_badpermits, "Access specified for a file is not valid"},
16434 {SMBE_badpid, "Bad process id in request"},
16435 {SMBE_setattrmode, "Attribute mode invalid"},
16436 {SMBE_paused, "Message server paused"},
16437 {SMBE_msgoff, "Not receiving messages"},
16438 {SMBE_noroom, "No room for message"},
16439 {SMBE_rmuns, "Too many remote usernames"},
16440 {SMBE_timeout, "Operation timed out"},
16441 {SMBE_noresource, "No resources currently available for request."},
16442 {SMBE_toomanyuids, "Too many userids"},
16443 {SMBE_baduid, "Bad userid"},
16444 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
16445 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
16446 {SMBE_contMPX, "Resume MPX mode"},
16447 {SMBE_badPW, "Bad Password???"},
16448 {SMBE_nosupport, "Operation not supported"},
16452 /* Error codes for the ERRHRD class */
/*
 * Looked up by value through val_to_str() in decode_smb_error(); a code with
 * no row is shown with the "Unknown HRD error (%x)" fallback.
 */
16454 static const value_string HRD_errors[] = {
16455 {SMBE_nowrite, "Read only media"},
16456 {SMBE_badunit, "Unknown device"},
16457 {SMBE_notready, "Drive not ready"},
16458 {SMBE_badcmd, "Unknown command"},
16459 {SMBE_data, "Data (CRC) error"},
16460 {SMBE_badreq, "Bad request structure length"},
16461 {SMBE_seek, "Seek error"},
16462 {SMBE_badmedia, "Unknown media type"},
16463 {SMBE_badsector, "Sector not found"},
16464 {SMBE_nopaper, "Printer out of paper"},
16465 {SMBE_write, "Write fault"},
16466 {SMBE_read, "Read fault"},
16467 {SMBE_general, "General failure"},
16468 {SMBE_badshare, "A open conflicts with an existing open"},
16469 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
16470 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
16471 {SMBE_FCBunavail, "No FCBs are available to process request"},
16472 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
16473 {SMBE_diskfull, "Disk full???"},
/*
 * Turn a DOS-style error class and error code into display text.
 * Returns a fixed literal ("No Error", "Unknown error class!") or the result
 * of val_to_str() on the DOS, SRV or HRD table with a per-class fallback.
 * Both arguments are read from the packet by dissect_smb().  They are only
 * used as lookup values, and every format string here is a literal, so
 * packet bytes never act as a format string.
 * NOTE(review): the lines that choose between these returns are not visible
 * in this listing (the embedded line numbers skip between them); presumably
 * a switch on errcls over the classes named in errcls_types - confirm.
 */
16477 static const char *decode_smb_error(guint8 errcls, guint16 errcode)
16484 return("No Error"); /* No error ??? */
16488 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
16492 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
16496 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
16500 return("Unknown error class!");
/*
 * Text pairs for the individual bits of the one-byte SMB Flags field; in each
 * pair the first string describes the bit set and the second the bit clear.
 * The names mirror the hf_smb_flags_* fields added by dissect_smb_flags();
 * the binding itself is made at field registration, which is not shown here.
 */
16506 static const true_false_string tfs_smb_flags_lock = {
16507 "Lock&Read, Write&Unlock are supported",
16508 "Lock&Read, Write&Unlock are not supported"
16510 static const true_false_string tfs_smb_flags_receive_buffer = {
16511 "Receive buffer has been posted",
16512 "Receive buffer has not been posted"
16514 static const true_false_string tfs_smb_flags_caseless = {
16515 "Path names are caseless",
16516 "Path names are case sensitive"
16518 static const true_false_string tfs_smb_flags_canon = {
16519 "Pathnames are canonicalized",
16520 "Pathnames are not canonicalized"
16522 static const true_false_string tfs_smb_flags_oplock = {
16523 "OpLock requested/granted",
16524 "OpLock not requested/granted"
16526 static const true_false_string tfs_smb_flags_notify = {
16527 "Notify client on all modifications",
16528 "Notify client only on open"
/* This bit is the direction flag (SMB_FLAGS_DIRN) that dissect_smb() tests to
 * tell a request from a response. */
16530 static const true_false_string tfs_smb_flags_response = {
16531 "Message is a response to the client/redirector",
16532 "Message is a request to the server"
/*
 * Add a "Flags" subtree for the one-byte SMB Flags field at offset.
 * The byte is read once with tvb_get_guint8() and passed to one boolean item
 * per flag; every item covers the same single byte.
 * NOTE(review): the local declarations, any parent_tree guard and the return
 * statement are not visible in this listing.  dissect_smb() assigns the
 * result back to offset, so presumably the offset just past the field is
 * returned - confirm.
 */
16536 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
16542 mask = tvb_get_guint8(tvb, offset);
16545 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
16546 "Flags: 0x%02x", mask);
16547 tree = proto_item_add_subtree(item, ett_smb_flags);
16549 proto_tree_add_boolean(tree, hf_smb_flags_response,
16550 tvb, offset, 1, mask);
16551 proto_tree_add_boolean(tree, hf_smb_flags_notify,
16552 tvb, offset, 1, mask);
16553 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
16554 tvb, offset, 1, mask);
16555 proto_tree_add_boolean(tree, hf_smb_flags_canon,
16556 tvb, offset, 1, mask);
16557 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
16558 tvb, offset, 1, mask);
16559 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
16560 tvb, offset, 1, mask);
16561 proto_tree_add_boolean(tree, hf_smb_flags_lock,
16562 tvb, offset, 1, mask);
/*
 * Text pairs for the individual bits of the two-byte SMB Flags2 field; in
 * each pair the first string describes the bit set and the second the bit
 * clear.  The names mirror the hf_smb_flags2_* fields added by
 * dissect_smb_flags2(); the binding itself is made at field registration,
 * which is not shown here.
 */
16571 static const true_false_string tfs_smb_flags2_long_names_allowed = {
16572 "Long file names are allowed in the response",
16573 "Long file names are not allowed in the response"
16575 static const true_false_string tfs_smb_flags2_ea = {
16576 "Extended attributes are supported",
16577 "Extended attributes are not supported"
16579 static const true_false_string tfs_smb_flags2_sec_sig = {
16580 "Security signatures are supported",
16581 "Security signatures are not supported"
16583 static const true_false_string tfs_smb_flags2_long_names_used = {
16584 "Path names in request are long file names",
16585 "Path names in request are not long file names"
16587 static const true_false_string tfs_smb_flags2_esn = {
16588 "Extended security negotiation is supported",
16589 "Extended security negotiation is not supported"
16591 static const true_false_string tfs_smb_flags2_dfs = {
16592 "Resolve pathnames with Dfs",
16593 "Don't resolve pathnames with Dfs"
16595 static const true_false_string tfs_smb_flags2_roe = {
16596 "Permit reads if execute-only",
16597 "Don't permit reads if execute-only"
/* dissect_smb() tests Flags2 & 0x4000 to decide whether the status field is
 * parsed as a 32-bit NT status or as a DOS error class and code. */
16599 static const true_false_string tfs_smb_flags2_nt_error = {
16600 "Error codes are NT error codes",
16601 "Error codes are DOS error codes"
/* dissect_smb() tests Flags2 & 0x8000 to set si->unicode. */
16603 static const true_false_string tfs_smb_flags2_string = {
16604 "Strings are Unicode",
16605 "Strings are ASCII"
/*
 * Add a "Flags2" subtree for the two-byte SMB Flags2 field at offset.
 * The value is read once as a little-endian 16-bit word with
 * tvb_get_letohs() and passed to one boolean item per flag; every item
 * covers the same two bytes.
 * NOTE(review): the local declarations, any parent_tree guard and the return
 * statement are not visible in this listing.  dissect_smb() assigns the
 * result back to offset, so presumably the offset just past the field is
 * returned - confirm.
 */
16608 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
16614 mask = tvb_get_letohs(tvb, offset);
16617 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
16618 "Flags2: 0x%04x", mask);
16619 tree = proto_item_add_subtree(item, ett_smb_flags2);
16621 proto_tree_add_boolean(tree, hf_smb_flags2_string,
16622 tvb, offset, 2, mask);
16623 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
16624 tvb, offset, 2, mask);
16625 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
16626 tvb, offset, 2, mask);
16627 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
16628 tvb, offset, 2, mask);
16629 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
16630 tvb, offset, 2, mask);
16631 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
16632 tvb, offset, 2, mask);
16633 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
16634 tvb, offset, 2, mask);
16635 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
16636 tvb, offset, 2, mask);
16637 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
16638 tvb, offset, 2, mask);
16646 #define SMB_FLAGS_DIRN 0x80
/*
 * Dissect one SMB message: read the fixed 32-byte header, pair the message
 * with its request or response through the per-conversation matched and
 * unmatched tables, add the header fields to the tree, queue the tap and
 * call dissect_smb_command() for the command body.
 *
 * Everything read here (command byte, flags, TID/PID/UID/MID, status) comes
 * from the capture and is sender-controlled.  The fields are fetched at
 * fixed offsets up to offset+30 and no length test is visible in this
 * function.
 * NOTE(review): presumably the tvb_get_*() accessors bounds-check and abort
 * dissection of a short frame - confirm, since dissect_smb_heur() only
 * checks the first four bytes.
 * NOTE(review): a new smb_saved_info_t comes from se_alloc() and has
 * SMB_SIF_TID_IS_IPC OR-ed into sip->flags; no earlier assignment to
 * sip->flags is visible in this listing (embedded line 16949 is absent) -
 * confirm the field is zeroed first.
 */
16650 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
16653 proto_item *item = NULL, *hitem = NULL;
16654 proto_tree *tree = NULL, *htree = NULL;
16655 proto_item *tmp_item=NULL;
16659 smb_saved_info_t *sip = NULL;
16660 smb_saved_info_key_t key;
16661 smb_saved_info_key_t *new_key;
16662 guint8 errclass = 0;
16663 guint16 errcode = 0;
16665 conversation_t *conversation;
16666 nstime_t t, deltat;
/* Per-packet info block; ep_alloc0() hands it back zero-filled. */
16668 si=ep_alloc0(sizeof(smb_info_t));
16670 top_tree=parent_tree;
16672 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
16673 col_clear(pinfo->cinfo, COL_INFO);
16675 /* start off using the local variable, we will allocate a new one if we
16677 si->cmd = tvb_get_guint8(tvb, offset+4);
16678 flags = tvb_get_guint8(tvb, offset+9);
16680 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
16681 * the direction flag appears never to be set, even for what appear
16682 * to be replies. Do some SMB servers fail to set that flag,
16683 * under the assumption that the client knows it's a reply because
16686 si->request = !(flags&SMB_FLAGS_DIRN);
16687 flags2 = tvb_get_letohs(tvb, offset+10);
16688 if(flags2 & 0x8000){
16689 si->unicode = TRUE; /* Mark them as Unicode */
16691 si->unicode = FALSE;
16693 si->tid = tvb_get_letohs(tvb, offset+24);
16694 si->pid = tvb_get_letohs(tvb, offset+26);
16695 si->uid = tvb_get_letohs(tvb, offset+28);
16696 si->mid = tvb_get_letohs(tvb, offset+30);
/* PID and MID together form the lookup key for the unmatched table.  Both
 * are chosen by the sender, so reuse and collisions are expected; the
 * matching code below discards a stale entry rather than trusting it.
 * NOTE(review): if si->pid is a 16-bit type it is promoted to int before the
 * shift, so a PID with its top bit set shifts into the sign bit; casting to
 * guint32 first would avoid that - confirm the field's type. */
16697 pid_mid = (si->pid << 16) | si->mid;
16698 si->info_level = -1;
16699 si->info_count = -1;
16702 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
16704 tree = proto_item_add_subtree(item, ett_smb);
16706 hitem = proto_tree_add_text(tree, tvb, offset, 32,
16709 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
16712 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
16713 offset += 4; /* Skip the marker */
16715 /* find which conversation we are part of and get the tables for that
16717 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,
16718 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16720 /* OK this is a new conversation so lets create it */
16721 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst,
16722 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16724 /* see if we already have the smb data for this conversation */
16725 si->ct=conversation_get_proto_data(conversation, proto_smb);
16727 /* No, not yet. create it and attach it to the conversation */
/* The table set is heap-allocated once per conversation and recorded in the
 * conv_tables list; smb_init_protocol() walks that list to release the hash
 * tables.  Every conversation seen in a capture adds one entry. */
16728 si->ct = g_malloc(sizeof(conv_tables_t));
16730 conv_tables = g_slist_prepend(conv_tables, si->ct);
16731 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
16732 smb_saved_info_equal_matched);
16733 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
16734 smb_saved_info_equal_unmatched);
16735 si->ct->tid_service=g_hash_table_new(
16736 smb_saved_info_hash_unmatched,
16737 smb_saved_info_equal_unmatched);
16738 si->ct->raw_ntlmssp = 0;
16740 si->ct->fid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB fid_tree");
16741 si->ct->tid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB tid_tree");
16742 si->ct->uid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB uid_tree");
16743 conversation_add_proto_data(conversation, proto_smb, si->ct);
16751 /* this is a broadcast SMB packet, there will not be a reply.
16752 We dont need to do anything
16755 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
16756 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
16757 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
16758 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
16759 /* Ok, we got a special request type. This request is either
16760 an NT Cancel or a continuation relative to a real request
16761 in an earlier packet. In either case, we don't expect any
16762 responses to this packet. For continuations, any later
16763 responses we see really just belong to the original request.
16764 Anyway, we want to remember this packet somehow and
16765 remember which original request it is associated with so
16766 we can say nice things such as "This is a Cancellation to
16767 the request in frame x", but we don't want the
16768 request/response matching to get messed up.
16770 The only thing we do in this case is trying to find which original
16771 request we match with and insert an entry for this "special"
16772 request for later reference. We continue to reference the original
16773 requests smb_saved_info_t but we dont touch it or change anything
16777 si->unidir = TRUE; /*we dont expect an answer to this one*/
/* The state tables are written only on the first pass over a frame; on later
 * passes the frame is looked up in the matched table by frame number and
 * PID/MID key. */
16779 if(!pinfo->fd->flags.visited){
16780 /* try to find which original call we match and if we
16781 find it add us to the matched table. Dont touch
16782 anything else since we dont want this one to mess
16783 up the request/response matching. We still consider
16784 the initial call the real request and this is only
16785 some sort of continuation.
16787 /* we only check the unmatched table and assume that the
16788 last seen MID matching ours is the right one.
16789 This can fail but is better than nothing
16791 sip=g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16793 new_key = se_alloc(sizeof(smb_saved_info_key_t));
16794 new_key->frame = pinfo->fd->num;
16795 new_key->pid_mid = pid_mid;
16796 g_hash_table_insert(si->ct->matched, new_key,
16800 /* we have seen this packet before; check the
16803 key.frame = pinfo->fd->num;
16804 key.pid_mid = pid_mid;
16805 sip=g_hash_table_lookup(si->ct->matched, &key);
16809 Too bad, unfortunately there is not really much we can
16810 do now since this means that we never saw the initial
16817 if(sip && sip->frame_req){
16819 case SMB_COM_NT_CANCEL:
16820 tmp_item=proto_tree_add_uint(htree, hf_smb_cancel_to,
16821 tvb, 0, 0, sip->frame_req);
16822 PROTO_ITEM_SET_GENERATED(tmp_item);
16824 case SMB_COM_TRANSACTION_SECONDARY:
16825 case SMB_COM_TRANSACTION2_SECONDARY:
16826 case SMB_COM_NT_TRANSACT_SECONDARY:
16827 tmp_item=proto_tree_add_uint(htree, hf_smb_continuation_to,
16828 tvb, 0, 0, sip->frame_req);
16829 PROTO_ITEM_SET_GENERATED(tmp_item);
16834 case SMB_COM_NT_CANCEL:
16835 proto_tree_add_text(htree, tvb, 0, 0,
16836 "Cancellation to: <unknown frame>");
16838 case SMB_COM_TRANSACTION_SECONDARY:
16839 case SMB_COM_TRANSACTION2_SECONDARY:
16840 case SMB_COM_NT_TRANSACT_SECONDARY:
16841 proto_tree_add_text(htree, tvb, 0, 0,
16842 "Continuation to: <unknown frame>");
16846 } else { /* normal bidirectional request or response */
16847 si->unidir = FALSE;
16849 if(!pinfo->fd->flags.visited){
16850 /* first see if we find an unmatched smb "equal" to
16853 sip=g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16855 gboolean cmd_match=FALSE;
16858 * Make sure the SMB we found was the
16859 * same command, or a different command
16860 * that's another valid type of reply
16863 if(si->cmd==sip->cmd){
16866 else if(si->cmd==SMB_COM_NT_CANCEL){
16869 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
16870 && (sip->cmd==SMB_COM_TRANSACTION)){
16873 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
16874 && (sip->cmd==SMB_COM_TRANSACTION2)){
16877 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
16878 && (sip->cmd==SMB_COM_NT_TRANSACT)){
16882 if( (si->request) || (!cmd_match) ) {
16883 /* We are processing an SMB request but there was already
16884 another "identical" smb request we had not matched yet.
16885 This must mean that either we have a retransmission or that the
16886 response to the previous one was lost and the client has reused
16887 the MID for this conversation. In either case it's not much more
16888 we can do than forget the old request and concentrate on the
16889 present one instead.
16891 We also do this cleanup if we see that the cmd in the original
16892 request in sip->cmd is not compatible with the current cmd.
16893 This is to prevent matching errors such as if there were two
16894 SMBs of different cmds but with identical MID and PID values and
16895 if wireshark lost the first reply and the second request.
16897 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16898 sip=NULL; /* XXX should free it as well */
16900 /* we have found a response to some
16901 request we have seen earlier.
16902 What we do now depends on whether
16903 this is the first response to that
16904 request we see (id frame_res==0) or
16905 if it's a response to a request
16906 for which we've seen an earlier
16907 response that's continued.
16909 if(sip->frame_res==0 ||
16910 sip->flags & SMB_SIF_IS_CONTINUED){
16911 /* OK, it is the first response
16912 we have seen to this packet,
16913 or it's a continuation of
16914 a response we've seen. */
16915 sip->frame_res = pinfo->fd->num;
16916 new_key = se_alloc(sizeof(smb_saved_info_key_t));
16917 new_key->frame = sip->frame_res;
16918 new_key->pid_mid = pid_mid;
16919 g_hash_table_insert(si->ct->matched, new_key, sip);
16920 /* We remove the entry for unmatched since we have found a match.
16921 * We have to do this since the MID value wraps so quickly (effective only 10 bits)
16922 * and if there is packetloss in the trace (maybe due to large holes
16923 * created by a sniffer device not being able to keep up
16924 * with the line rate.
16925 * There is a real possibility that the following would occur which is painful :
16926 * 1, -> Request MID:5
16927 * 2, <- Response MID:5
16928 * 3, ->Request MID:5 (missing from capture)
16929 * 4, <- Response MID:5
16930 * We DONT want #4 to be presented as a response to #1
16932 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
16934 /* We have already seen another response to this MID.
16935 Since the MID in reality is only something like 10 bits
16936 this probably means that we just have a MID that is being
16937 reused due to the small MID space and that this is a new
16938 command we did not see the original request for.
16945 sip = se_alloc(sizeof(smb_saved_info_t));
16946 sip->frame_req = pinfo->fd->num;
16947 sip->frame_res = 0;
16948 sip->req_time = pinfo->fd->abs_ts;
16950 if(g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))
16951 == (void *)TID_IPC) {
16952 sip->flags |= SMB_SIF_TID_IS_IPC;
16954 sip->cmd = si->cmd;
16955 sip->extra_info = NULL;
16956 sip->extra_info_type = SMB_EI_NONE;
16958 sip->fid_seen_in_request=0;
16959 g_hash_table_insert(si->ct->unmatched, GUINT_TO_POINTER(pid_mid), sip);
16960 new_key = se_alloc(sizeof(smb_saved_info_key_t));
16961 new_key->frame = sip->frame_req;
16962 new_key->pid_mid = pid_mid;
16963 g_hash_table_insert(si->ct->matched, new_key, sip);
16966 /* we have seen this packet before; check the
16968 If we haven't yet seen the reply, we won't
16969 find the info for it; we don't need it, as
16970 we only use it to save information, and, as
16971 we've seen this packet before, we've already
16972 saved the information.
16974 key.frame = pinfo->fd->num;
16975 key.pid_mid = pid_mid;
16976 sip=g_hash_table_lookup(si->ct->matched, &key);
16981 * Pass the "sip" on to subdissectors through "si".
16987 * Put in fields for the frame number of the frame to which
16988 * this is a response or the frame with the response to this
16989 * frame - if we know the frame number (i.e., it's not 0).
16992 if (sip->frame_res != 0) {
16993 tmp_item=proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
16994 PROTO_ITEM_SET_GENERATED(tmp_item);
16997 if (sip->frame_req != 0) {
16998 tmp_item=proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
16999 PROTO_ITEM_SET_GENERATED(tmp_item);
17000 t = pinfo->fd->abs_ts;
17001 nstime_delta(&deltat, &t, &sip->req_time);
17002 tmp_item=proto_tree_add_time(htree, hf_smb_time, tvb,
17004 PROTO_ITEM_SET_GENERATED(tmp_item);
17010 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
17013 if(flags2 & 0x4000){
17014 /* handle NT 32 bit error code */
17016 si->nt_status = tvb_get_letohl(tvb, offset);
17018 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
17023 /* handle DOS error code & class */
17024 errclass = tvb_get_guint8(tvb, offset);
17025 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
17029 /* reserved byte */
17030 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
17034 /* XXX - the type of this field depends on the value of
17035 * "errcls", so there is isn't a single value_string array
17036 * fo it, so there can't be a single field for it.
17038 errcode = tvb_get_letohs(tvb, offset);
17039 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
17040 offset, 2, errcode, "Error Code: %s",
17041 decode_smb_error(errclass, errcode));
17046 offset = dissect_smb_flags(tvb, htree, offset);
17049 offset = dissect_smb_flags2(tvb, htree, offset);
17054 * http://www.samba.org/samba/ftp/specs/smbpub.txt
17056 * (a text version of "Microsoft Networks SMB FILE SHARING
17057 * PROTOCOL, Document Version 6.0p") says that:
17059 * the first 2 bytes of these 12 bytes are, for NT Create and X,
17060 * the "High Part of PID";
17062 * the next four bytes are reserved;
17064 * the next four bytes are, for SMB-over-IPX (with no
17065 * NetBIOS involved) two bytes of Session ID and two bytes
17066 * of SequenceNumber.
17068 * Network Monitor 2.x dissects the four bytes before the Session ID
17069 * as a "Key", and the two bytes after the SequenceNumber as
17072 * The "High Part of PID" has been seen in calls other than NT
17073 * Create and X, although most of them appear to be I/O on DCE RPC
17074 * pipes opened with the NT Create and X in question.
17076 proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, TRUE);
17079 if (pinfo->ptype == PT_IPX &&
17080 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
17081 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
17082 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
17084 * This is SMB-over-IPX.
17085 * XXX - do we have to worry about "sequenced commands",
17086 * as per the Samba document? They say that for
17087 * "unsequenced commands" (with a sequence number of 0),
17088 * the Mid must be unique, but perhaps the Mid doesn't
17089 * have to be unique for sequenced commands. In at least
17090 * one capture with SMB-over-IPX, however, the Mids
17091 * are unique even for sequenced commands.
17094 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
17099 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
17103 /* Sequence number */
17104 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
17109 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
17114 * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
17115 * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
17116 * bytes after the "High part of PID" are an 8-byte
17119 proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, TRUE);
17122 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, TRUE);
17126 pinfo->private_data = si;
17129 * TreeConnectAndX(0x75) is special, here it is the mere fact of
17130 * having a response that means that the share was mapped and we
/* 0x75 is the "Tree Connect AndX" command byte listed in smb_cmd_vals; the
 * TID is only recorded from a response and only on the first pass. */
17133 if(!pinfo->fd->flags.visited && si->cmd==0x75 && !si->request){
17134 offset=dissect_smb_tid(tvb, pinfo, htree, offset, (guint16)si->tid, TRUE, FALSE);
17136 offset=dissect_smb_tid(tvb, pinfo, htree, offset, (guint16)si->tid, FALSE, FALSE);
17140 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
17144 offset=dissect_smb_uid(tvb, htree, offset, si);
17147 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
17150 /* tap the packet before the dissectors are called so we still get
17151 the tap listener called even if there is an exception.
17153 tap_queue_packet(smb_tap, pinfo, si);
17154 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
17156 /* Append error info from this packet to info string. */
17157 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
/* Same Flags2 & 0x4000 test as the status parsing above: it decides whether
 * si->nt_status or errclass/errcode holds the result for this packet.  The
 * text appended to the column comes from a value table or a literal
 * fallback, passed as a "%s" argument. */
17158 if (flags2 & 0x4000) {
17160 * The status is an NT status code; was there
17163 if ((si->nt_status & 0xC0000000) == 0xC0000000) {
17168 pinfo->cinfo, COL_INFO, ", Error: %s",
17169 val_to_str(si->nt_status, NT_errors,
17170 "Unknown (0x%08X)"));
17174 * The status is a DOS error class and code; was
17177 if (errclass != SMB_SUCCESS) {
17182 pinfo->cinfo, COL_INFO, ", Error: %s",
17183 decode_smb_error(errclass, errcode));
/*
 * Heuristic entry point: treats the buffer as SMB only when it holds at
 * least four bytes and those bytes are 0xFF 'S' 'M' 'B', then calls
 * dissect_smb().
 * The length test covers the signature only.  dissect_smb() goes on to read
 * header fields at offsets up to 30, so a buffer of 4 to 31 bytes that
 * carries the signature still reaches those reads.
 * NOTE(review): the return statements are not visible in this listing;
 * presumably FALSE on a rejected buffer and TRUE after dissection - confirm.
 */
17190 dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
17192 /* must check that this really is a smb packet */
17193 if (tvb_length(tvb) < 4)
17196 if( (tvb_get_guint8(tvb, 0) != 0xff)
17197 || (tvb_get_guint8(tvb, 1) != 'S')
17198 || (tvb_get_guint8(tvb, 2) != 'M')
17199 || (tvb_get_guint8(tvb, 3) != 'B') ){
17203 dissect_smb(tvb, pinfo, parent_tree);
17208 proto_register_smb(void)
17210 static hf_register_info hf[] = {
17212 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
17213 VALS(smb_cmd_vals), 0x0, NULL, HFILL }},
17215 { &hf_smb_trans2_subcmd,
17216 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
17217 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
17219 { &hf_smb_nt_trans_subcmd,
17220 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
17221 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
17223 { &hf_smb_word_count,
17224 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
17225 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
17227 { &hf_smb_byte_count,
17228 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
17229 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
17231 { &hf_smb_response_to,
17232 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
17233 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
17236 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
17237 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
17239 { &hf_smb_response_in,
17240 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
17241 NULL, 0, "The response to this packet is in this packet", HFILL }},
17243 { &hf_smb_continuation_to,
17244 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
17245 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
17247 { &hf_smb_nt_status,
17248 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
17249 VALS(NT_errors), 0, "NT Status code", HFILL }},
17251 { &hf_smb_error_class,
17252 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
17253 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
17255 { &hf_smb_error_code,
17256 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
17257 NULL, 0, "DOS Error Code", HFILL }},
17259 { &hf_smb_reserved,
17260 { "Reserved", "smb.reserved", FT_BYTES, BASE_NONE,
17261 NULL, 0, "Reserved bytes, must be zero", HFILL }},
17264 { "Signature", "smb.signature", FT_BYTES, BASE_NONE,
17265 NULL, 0, "Signature bytes", HFILL }},
17268 { "Key", "smb.key", FT_UINT32, BASE_HEX,
17269 NULL, 0, "SMB-over-IPX Key", HFILL }},
17271 { &hf_smb_session_id,
17272 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
17273 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
17275 { &hf_smb_sequence_num,
17276 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
17277 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
17279 { &hf_smb_group_id,
17280 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
17281 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
17284 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
17285 NULL, 0, NULL, HFILL }},
17287 { &hf_smb_pid_high,
17288 { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
17289 NULL, 0, "Process ID High Bytes", HFILL }},
17292 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
17293 NULL, 0, NULL, HFILL }},
17296 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
17297 NULL, 0, NULL, HFILL }},
17300 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
17301 NULL, 0, NULL, HFILL }},
17303 { &hf_smb_flags_lock,
17304 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
17305 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
17307 { &hf_smb_flags_receive_buffer,
17308 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
17309 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
17311 { &hf_smb_flags_caseless,
17312 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
17313 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
17315 { &hf_smb_flags_canon,
17316 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
17317 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
17319 { &hf_smb_flags_oplock,
17320 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
17321 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
17323 { &hf_smb_flags_notify,
17324 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
17325 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
17327 { &hf_smb_flags_response,
17328 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
17329 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
17331 { &hf_smb_flags2_long_names_allowed,
17332 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
17333 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
17335 { &hf_smb_flags2_ea,
17336 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
17337 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
17339 { &hf_smb_flags2_sec_sig,
17340 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
17341 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
17343 { &hf_smb_flags2_long_names_used,
17344 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
17345 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
17347 { &hf_smb_flags2_esn,
17348 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
17349 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
17351 { &hf_smb_flags2_dfs,
17352 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
17353 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
17355 { &hf_smb_flags2_roe,
17356 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
17357 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
17359 { &hf_smb_flags2_nt_error,
17360 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
17361 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
17363 { &hf_smb_flags2_string,
17364 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
17365 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
17367 { &hf_smb_buffer_format,
17368 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
17369 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
17371 { &hf_smb_dialect_name,
17372 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
17373 NULL, 0, "Name of dialect", HFILL }},
17375 { &hf_smb_dialect_index,
17376 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
17377 NULL, 0, "Index of selected dialect", HFILL }},
17379 { &hf_smb_max_trans_buf_size,
17380 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
17381 NULL, 0, "Maximum transmit buffer size", HFILL }},
17383 { &hf_smb_max_mpx_count,
17384 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
17385 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
17387 { &hf_smb_max_vcs_num,
17388 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
17389 NULL, 0, "Maximum VCs between client and server", HFILL }},
17391 { &hf_smb_session_key,
17392 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
17393 NULL, 0, "Unique token identifying this session", HFILL }},
17395 { &hf_smb_server_timezone,
17396 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
17397 NULL, 0, "Current timezone at server.", HFILL }},
17399 { &hf_smb_encryption_key_length,
17400 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
17401 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
17403 { &hf_smb_encryption_key,
17404 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_NONE,
17405 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
17407 { &hf_smb_primary_domain,
17408 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
17409 NULL, 0, "The server's primary domain", HFILL }},
17412 { "Server", "smb.server", FT_STRING, BASE_NONE,
17413 NULL, 0, "The name of the DC/server", HFILL }},
17415 { &hf_smb_max_raw_buf_size,
17416 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
17417 NULL, 0, "Maximum raw buffer size", HFILL }},
17419 { &hf_smb_server_guid,
17420 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_NONE,
17421 NULL, 0, "Globally unique identifier for this server", HFILL }},
17423 { &hf_smb_security_blob_len,
17424 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
17425 NULL, 0, "Security blob length", HFILL }},
17427 { &hf_smb_security_blob,
17428 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_NONE,
17429 NULL, 0, "Security blob", HFILL }},
17431 { &hf_smb_sm_mode16,
17432 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
17433 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
17435 { &hf_smb_sm_password16,
17436 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
17437 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
17440 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
17441 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
17443 { &hf_smb_sm_password,
17444 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
17445 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
17447 { &hf_smb_sm_signatures,
17448 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
17449 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
17451 { &hf_smb_sm_sig_required,
17452 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
17453 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
17456 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
17457 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
17459 { &hf_smb_rm_write,
17460 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
17461 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
17463 { &hf_smb_server_date_time,
17464 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
17465 NULL, 0, "Current date and time at server", HFILL }},
17467 { &hf_smb_server_smb_date,
17468 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
17469 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
17471 { &hf_smb_server_smb_time,
17472 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
17473 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
17475 { &hf_smb_server_cap_raw_mode,
17476 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
17477 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
17479 { &hf_smb_server_cap_mpx_mode,
17480 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
17481 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
17483 { &hf_smb_server_cap_unicode,
17484 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
17485 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
17487 { &hf_smb_server_cap_large_files,
17488 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
17489 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
17491 { &hf_smb_server_cap_nt_smbs,
17492 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
17493 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
17495 { &hf_smb_server_cap_rpc_remote_apis,
17496 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
17497 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
17499 { &hf_smb_server_cap_nt_status,
17500 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
17501 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
17503 { &hf_smb_server_cap_level_ii_oplocks,
17504 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
17505 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
17507 { &hf_smb_server_cap_lock_and_read,
17508 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
17509 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
17511 { &hf_smb_server_cap_nt_find,
17512 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
17513 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
17515 { &hf_smb_server_cap_dfs,
17516 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
17517 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
17519 { &hf_smb_server_cap_infolevel_passthru,
17520 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
17521 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
17523 { &hf_smb_server_cap_large_readx,
17524 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
17525 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
17527 { &hf_smb_server_cap_large_writex,
17528 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
17529 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
17531 { &hf_smb_server_cap_unix,
17532 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
17533 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
17535 { &hf_smb_server_cap_reserved,
17536 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
17537 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
17539 { &hf_smb_server_cap_bulk_transfer,
17540 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
17541 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
17543 { &hf_smb_server_cap_compressed_data,
17544 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
17545 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
17547 { &hf_smb_server_cap_extended_security,
17548 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
17549 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
17551 { &hf_smb_system_time,
17552 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
17553 NULL, 0, NULL, HFILL }},
17556 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_NONE,
17557 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
17559 { &hf_smb_dir_name,
17560 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
17561 NULL, 0, "SMB Directory Name", HFILL }},
17563 { &hf_smb_echo_count,
17564 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
17565 NULL, 0, "Number of times to echo data back", HFILL }},
17567 { &hf_smb_echo_data,
17568 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_NONE,
17569 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
17571 { &hf_smb_echo_seq_num,
17572 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
17573 NULL, 0, "Sequence number for this echo response", HFILL }},
17575 { &hf_smb_max_buf_size,
17576 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
17577 NULL, 0, "Max client buffer size", HFILL }},
17580 { "Path", "smb.path", FT_STRING, BASE_NONE,
17581 NULL, 0, "Path. Server name and share name", HFILL }},
17584 { "Service", "smb.service", FT_STRING, BASE_NONE,
17585 NULL, 0, "Service name", HFILL }},
17587 { &hf_smb_password,
17588 { "Password", "smb.password", FT_BYTES, BASE_NONE,
17589 NULL, 0, NULL, HFILL }},
17591 { &hf_smb_ansi_password,
17592 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
17593 NULL, 0, NULL, HFILL }},
17595 { &hf_smb_unicode_password,
17596 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
17597 NULL, 0, NULL, HFILL }},
17599 { &hf_smb_move_flags_file,
17600 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
17601 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17603 { &hf_smb_move_flags_dir,
17604 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
17605 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17607 { &hf_smb_move_flags_verify,
17608 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
17609 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17611 { &hf_smb_files_moved,
17612 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
17613 NULL, 0, "Number of files moved", HFILL }},
17615 { &hf_smb_copy_flags_file,
17616 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
17617 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17619 { &hf_smb_copy_flags_dir,
17620 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
17621 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17623 { &hf_smb_copy_flags_dest_mode,
17624 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
17625 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
17627 { &hf_smb_copy_flags_source_mode,
17628 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
17629 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
17631 { &hf_smb_copy_flags_verify,
17632 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
17633 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17635 { &hf_smb_copy_flags_tree_copy,
17636 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
17637 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
17639 { &hf_smb_copy_flags_ea_action,
17640 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
17641 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
17644 { "Count", "smb.count", FT_UINT32, BASE_DEC,
17645 NULL, 0, "Count number of items/bytes", HFILL }},
17647 { &hf_smb_count_low,
17648 { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
17649 NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
17651 { &hf_smb_count_high,
17652 { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
17653 NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
17655 { &hf_smb_file_name,
17656 { "File Name", "smb.file", FT_STRING, BASE_NONE,
17657 NULL, 0, NULL, HFILL }},
17659 { &hf_smb_open_function_create,
17660 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
17661 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
17663 { &hf_smb_open_function_open,
17664 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
17665 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
17668 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
17669 NULL, 0, "FID: File ID", HFILL }},
17671 { &hf_smb_file_attr_read_only_16bit,
17672 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
17673 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17675 { &hf_smb_file_attr_read_only_8bit,
17676 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
17677 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17679 { &hf_smb_file_attr_hidden_16bit,
17680 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
17681 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17683 { &hf_smb_file_attr_hidden_8bit,
17684 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
17685 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17687 { &hf_smb_file_attr_system_16bit,
17688 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
17689 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17691 { &hf_smb_file_attr_system_8bit,
17692 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
17693 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17695 { &hf_smb_file_attr_volume_16bit,
17696 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
17697 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
17699 { &hf_smb_file_attr_volume_8bit,
17700 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
17701 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
17703 { &hf_smb_file_attr_directory_16bit,
17704 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
17705 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17707 { &hf_smb_file_attr_directory_8bit,
17708 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
17709 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17711 { &hf_smb_file_attr_archive_16bit,
17712 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
17713 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17715 { &hf_smb_file_attr_archive_8bit,
17716 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
17717 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17719 { &hf_smb_file_attr_device,
17720 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
17721 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
17723 { &hf_smb_file_attr_normal,
17724 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
17725 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
17727 { &hf_smb_file_attr_temporary,
17728 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
17729 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
17731 { &hf_smb_file_attr_sparse,
17732 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
17733 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
17735 { &hf_smb_file_attr_reparse,
17736 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
17737 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
17739 { &hf_smb_file_attr_compressed,
17740 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
17741 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
17743 { &hf_smb_file_attr_offline,
17744 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
17745 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
17747 { &hf_smb_file_attr_not_content_indexed,
17748 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
17749 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
17751 { &hf_smb_file_attr_encrypted,
17752 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
17753 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
17755 { &hf_smb_file_size,
17756 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
17757 NULL, 0, NULL, HFILL }},
17759 { &hf_smb_search_attribute_read_only,
17760 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
17761 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
17763 { &hf_smb_search_attribute_hidden,
17764 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
17765 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
17767 { &hf_smb_search_attribute_system,
17768 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
17769 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
17771 { &hf_smb_search_attribute_volume,
17772 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
17773 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
17775 { &hf_smb_search_attribute_directory,
17776 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
17777 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
17779 { &hf_smb_search_attribute_archive,
17780 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
17781 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
17783 { &hf_smb_access_mode,
17784 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
17785 VALS(da_access_vals), 0x0007, NULL, HFILL }},
17787 { &hf_smb_access_sharing,
17788 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
17789 VALS(da_sharing_vals), 0x0070, NULL, HFILL }},
17791 { &hf_smb_access_locality,
17792 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
17793 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
17795 { &hf_smb_access_caching,
17796 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
17797 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
17799 { &hf_smb_access_writetru,
17800 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
17801 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
17803 { &hf_smb_create_time,
17804 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
17805 NULL, 0, "Creation Time", HFILL }},
17807 { &hf_smb_modify_time,
17808 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
17809 NULL, 0, "Modification Time", HFILL }},
17811 { &hf_smb_backup_time,
17812 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
17813 NULL, 0, "Backup time", HFILL}},
17815 { &hf_smb_mac_alloc_block_count,
17816 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
17817 NULL, 0, NULL, HFILL}},
17819 { &hf_smb_mac_alloc_block_size,
17820 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
17821 NULL, 0, "Allocation Block Size", HFILL}},
17823 { &hf_smb_mac_free_block_count,
17824 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
17825 NULL, 0, NULL, HFILL}},
17827 { &hf_smb_mac_root_file_count,
17828 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
17829 NULL, 0, NULL, HFILL}},
17831 { &hf_smb_mac_root_dir_count,
17832 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
17833 NULL, 0, NULL, HFILL}},
17835 { &hf_smb_mac_file_count,
17836 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
17837 NULL, 0, "File Count", HFILL}},
17839 { &hf_smb_mac_dir_count,
17840 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
17841 NULL, 0, "Directory Count", HFILL}},
17843 { &hf_smb_mac_support_flags,
17844 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
17845 NULL, 0, NULL, HFILL}},
17847 { &hf_smb_mac_sup_access_ctrl,
17848 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
17849 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
17851 { &hf_smb_mac_sup_getset_comments,
17852 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
17853 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
17855 { &hf_smb_mac_sup_desktopdb_calls,
17856 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
17857 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
17859 { &hf_smb_mac_sup_unique_ids,
17860 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
17861 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
17863 { &hf_smb_mac_sup_streams,
17864 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
17865 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
17867 { &hf_smb_create_dos_date,
17868 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
17869 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
17871 { &hf_smb_create_dos_time,
17872 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
17873 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
17875 { &hf_smb_last_write_time,
17876 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
17877 NULL, 0, "Time this file was last written to", HFILL }},
17879 { &hf_smb_last_write_dos_date,
17880 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
17881 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
17883 { &hf_smb_last_write_dos_time,
17884 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
17885 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
17887 { &hf_smb_old_file_name,
17888 { "Old File Name", "smb.old_file", FT_STRING, BASE_NONE,
17889 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
17892 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
17893 NULL, 0, "Offset in file", HFILL }},
17895 { &hf_smb_remaining,
17896 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
17897 NULL, 0, "Remaining number of bytes", HFILL }},
17900 { "Padding", "smb.padding", FT_BYTES, BASE_NONE,
17901 NULL, 0, "Padding or unknown data", HFILL }},
17903 { &hf_smb_file_data,
17904 { "File Data", "smb.file_data", FT_BYTES, BASE_NONE,
17905 NULL, 0, "Data read/written to the file", HFILL }},
17907 { &hf_smb_mac_fndrinfo,
17908 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_NONE,
17909 NULL, 0, NULL, HFILL}},
17911 { &hf_smb_total_data_len,
17912 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
17913 NULL, 0, "Total length of data", HFILL }},
17915 { &hf_smb_data_len,
17916 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
17917 NULL, 0, "Length of data", HFILL }},
17919 { &hf_smb_data_len_low,
17920 { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
17921 NULL, 0, "Length of data, Low 16 bits", HFILL }},
17923 { &hf_smb_data_len_high,
17924 { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
17925 NULL, 0, "Length of data, High 16 bits", HFILL }},
17927 { &hf_smb_seek_mode,
17928 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
17929 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
17931 { &hf_smb_access_time,
17932 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
17933 NULL, 0, "Last Access Time", HFILL }},
17935 { &hf_smb_access_dos_date,
17936 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
17937 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
17939 { &hf_smb_access_dos_time,
17940 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
17941 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
17943 { &hf_smb_data_size,
17944 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
17945 NULL, 0, NULL, HFILL }},
17947 { &hf_smb_alloc_size,
17948 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
17949 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17951 { &hf_smb_max_count,
17952 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
17953 NULL, 0, "Maximum Count", HFILL }},
17955 { &hf_smb_max_count_low,
17956 { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
17957 NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
17959 { &hf_smb_max_count_high,
17960 { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
17961 NULL, 0, "Maximum Count, High 16 bits", HFILL }},
17963 { &hf_smb_min_count,
17964 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
17965 NULL, 0, "Minimum Count", HFILL }},
17968 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
17969 NULL, 0, "Timeout in miliseconds", HFILL }},
17971 { &hf_smb_high_offset,
17972 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
17973 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
17976 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
17977 NULL, 0, "Total number of units at server", HFILL }},
17980 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
17981 NULL, 0, "Blocks per unit at server", HFILL }},
17983 { &hf_smb_blocksize,
17984 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
17985 NULL, 0, "Block size (in bytes) at server", HFILL }},
17987 { &hf_smb_freeunits,
17988 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
17989 NULL, 0, "Number of free units at server", HFILL }},
17991 { &hf_smb_data_offset,
17992 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17993 NULL, 0, NULL, HFILL }},
17996 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
17997 NULL, 0, NULL, HFILL }},
17999 { &hf_smb_request_mask,
18000 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
18001 NULL, 0, "Connectionless mode mask", HFILL }},
18003 { &hf_smb_response_mask,
18004 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
18005 NULL, 0, "Connectionless mode mask", HFILL }},
18007 { &hf_smb_search_id,
18008 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
18009 NULL, 0, "Search ID, handle for find operations", HFILL }},
18011 { &hf_smb_write_mode_write_through,
18012 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
18013 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
18015 { &hf_smb_write_mode_return_remaining,
18016 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
18017 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
18019 { &hf_smb_write_mode_raw,
18020 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
18021 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
18023 { &hf_smb_write_mode_message_start,
18024 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
18025 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
18027 { &hf_smb_write_mode_connectionless,
18028 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
18029 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
18031 { &hf_smb_resume_key_len,
18032 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
18033 NULL, 0, "Resume Key length", HFILL }},
18035 { &hf_smb_resume_find_id,
18036 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
18037 NULL, 0, "Handle for Find operation", HFILL }},
18039 { &hf_smb_resume_server_cookie,
18040 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_NONE,
18041 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
18043 { &hf_smb_resume_client_cookie,
18044 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_NONE,
18045 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
18047 { &hf_smb_andxoffset,
18048 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
18049 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
18051 { &hf_smb_lock_type_large,
18052 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
18053 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
18055 { &hf_smb_lock_type_cancel,
18056 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
18057 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
18059 { &hf_smb_lock_type_change,
18060 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
18061 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
18063 { &hf_smb_lock_type_oplock,
18064 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
18065 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
18067 { &hf_smb_lock_type_shared,
18068 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
18069 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
18071 { &hf_smb_locking_ol,
18072 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
18073 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
18075 { &hf_smb_number_of_locks,
18076 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
18077 NULL, 0, "Number of lock requests in this request", HFILL }},
18079 { &hf_smb_number_of_unlocks,
18080 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
18081 NULL, 0, "Number of unlock requests in this request", HFILL }},
18083 { &hf_smb_lock_long_length,
18084 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
18085 NULL, 0, "Length of lock/unlock region", HFILL }},
18087 { &hf_smb_lock_long_offset,
18088 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
18089 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
18091 { &hf_smb_file_type,
18092 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
18093 VALS(filetype_vals), 0, "Type of file", HFILL }},
18095 { &hf_smb_ipc_state_nonblocking,
18096 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
18097 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
18099 { &hf_smb_ipc_state_endpoint,
18100 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
18101 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
18103 { &hf_smb_ipc_state_pipe_type,
18104 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
18105 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
18107 { &hf_smb_ipc_state_read_mode,
18108 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
18109 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
18111 { &hf_smb_ipc_state_icount,
18112 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
18113 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
18115 { &hf_smb_server_fid,
18116 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
18117 NULL, 0, "Server unique File ID", HFILL }},
18119 { &hf_smb_open_flags_add_info,
18120 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
18121 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
18123 { &hf_smb_open_flags_ex_oplock,
18124 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
18125 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
18127 { &hf_smb_open_flags_batch_oplock,
18128 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
18129 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
18131 { &hf_smb_open_flags_ealen,
18132 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
18133 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
18135 { &hf_smb_open_action_open,
18136 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
18137 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
18139 { &hf_smb_open_action_lock,
18140 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
18141 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
18144 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
18145 NULL, 0, NULL, HFILL }},
18147 { &hf_smb_password_len,
18148 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
18149 NULL, 0, "Length of password", HFILL }},
18151 { &hf_smb_ansi_password_len,
18152 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
18153 NULL, 0, "Length of ANSI password", HFILL }},
18155 { &hf_smb_unicode_password_len,
18156 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
18157 NULL, 0, "Length of Unicode password", HFILL }},
18160 { "Account", "smb.account", FT_STRING, BASE_NONE,
18161 NULL, 0, "Account, username", HFILL }},
18164 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
18165 NULL, 0, "Which OS we are running", HFILL }},
18168 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
18169 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
18171 { &hf_smb_setup_action_guest,
18172 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
18173 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
18176 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
18177 NULL, 0, NULL, HFILL }},
18179 { &hf_smb_connect_flags_dtid,
18180 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
18181 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
18183 { &hf_smb_connect_support_search,
18184 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
18185 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
18187 { &hf_smb_connect_support_in_dfs,
18188 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
18189 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
18191 { &hf_smb_max_setup_count,
18192 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
18193 NULL, 0, "Maximum number of setup words to return", HFILL }},
18195 { &hf_smb_total_param_count,
18196 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
18197 NULL, 0, "Total number of parameter bytes", HFILL }},
18199 { &hf_smb_total_data_count,
18200 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
18201 NULL, 0, "Total number of data bytes", HFILL }},
18203 { &hf_smb_max_param_count,
18204 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
18205 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
18207 { &hf_smb_max_data_count,
18208 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
18209 NULL, 0, "Maximum number of data bytes to return", HFILL }},
18211 { &hf_smb_param_disp16,
18212 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
18213 NULL, 0, "Displacement of these parameter bytes", HFILL }},
18215 { &hf_smb_param_count16,
18216 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
18217 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
18219 { &hf_smb_param_offset16,
18220 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
18221 NULL, 0, "Offset (from header start) to parameters", HFILL }},
18223 { &hf_smb_param_disp32,
18224 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
18225 NULL, 0, "Displacement of these parameter bytes", HFILL }},
18227 { &hf_smb_param_count32,
18228 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
18229 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
18231 { &hf_smb_param_offset32,
18232 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
18233 NULL, 0, "Offset (from header start) to parameters", HFILL }},
18235 { &hf_smb_data_count16,
18236 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
18237 NULL, 0, "Number of data bytes in this buffer", HFILL }},
18239 { &hf_smb_data_disp16,
18240 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
18241 NULL, 0, NULL, HFILL }},
18243 { &hf_smb_data_offset16,
18244 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
18245 NULL, 0, NULL, HFILL }},
18247 { &hf_smb_data_count32,
18248 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
18249 NULL, 0, "Number of data bytes in this buffer", HFILL }},
18251 { &hf_smb_data_disp32,
18252 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
18253 NULL, 0, NULL, HFILL }},
18255 { &hf_smb_data_offset32,
18256 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
18257 NULL, 0, NULL, HFILL }},
18259 { &hf_smb_setup_count,
18260 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
18261 NULL, 0, "Number of setup words in this buffer", HFILL }},
18263 { &hf_smb_nt_ioctl_isfsctl,
18264 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
18265 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
18267 { &hf_smb_nt_ioctl_flags_root_handle,
18268 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
18269 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
18271 { &hf_smb_nt_notify_action,
18272 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
18273 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
18275 { &hf_smb_nt_notify_watch_tree,
18276 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
18277 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
18279 { &hf_smb_nt_notify_stream_write,
18280 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
18281 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
18283 { &hf_smb_nt_notify_stream_size,
18284 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
18285 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
18287 { &hf_smb_nt_notify_stream_name,
18288 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
18289 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
18291 { &hf_smb_nt_notify_security,
18292 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
18293 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
18295 { &hf_smb_nt_notify_ea,
18296 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
18297 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
18299 { &hf_smb_nt_notify_creation,
18300 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
18301 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
18303 { &hf_smb_nt_notify_last_access,
18304 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
18305 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
18307 { &hf_smb_nt_notify_last_write,
18308 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
18309 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
18311 { &hf_smb_nt_notify_size,
18312 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
18313 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
18315 { &hf_smb_nt_notify_attributes,
18316 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
18317 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
18319 { &hf_smb_nt_notify_dir_name,
18320 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
18321 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
18323 { &hf_smb_nt_notify_file_name,
18324 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
18325 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
18327 { &hf_smb_root_dir_fid,
18328 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
18329 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
18331 { &hf_smb_alloc_size64,
18332 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
18333 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
18335 { &hf_smb_nt_create_disposition,
18336 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
18337 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
18339 { &hf_smb_sd_length,
18340 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
18341 NULL, 0, "Total length of security descriptor", HFILL }},
18343 { &hf_smb_ea_list_length,
18344 { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
18345 NULL, 0, "Total length of extended attributes", HFILL }},
18347 { &hf_smb_ea_flags,
18348 { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
18349 NULL, 0, NULL, HFILL }},
18351 { &hf_smb_ea_name_length,
18352 { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
18353 NULL, 0, NULL, HFILL }},
18355 { &hf_smb_ea_data_length,
18356 { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
18357 NULL, 0, NULL, HFILL }},
18360 { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
18361 NULL, 0, NULL, HFILL }},
18364 { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE,
18365 NULL, 0, NULL, HFILL }},
18367 { &hf_smb_file_name_len,
18368 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
18369 NULL, 0, "Length of File Name", HFILL }},
18371 { &hf_smb_nt_impersonation_level,
18372 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
18373 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
18375 { &hf_smb_nt_security_flags_context_tracking,
18376 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
18377 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
18379 { &hf_smb_nt_security_flags_effective_only,
18380 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
18381 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
18383 { &hf_smb_nt_access_mask_generic_read,
18384 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
18385 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
18387 { &hf_smb_nt_access_mask_generic_write,
18388 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
18389 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
18391 { &hf_smb_nt_access_mask_generic_execute,
18392 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
18393 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
18395 { &hf_smb_nt_access_mask_generic_all,
18396 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
18397 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
18399 { &hf_smb_nt_access_mask_maximum_allowed,
18400 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
18401 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
18403 { &hf_smb_nt_access_mask_system_security,
18404 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
18405 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
18407 { &hf_smb_nt_access_mask_synchronize,
18408 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
18409 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
18411 { &hf_smb_nt_access_mask_write_owner,
18412 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
18413 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
18415 { &hf_smb_nt_access_mask_write_dac,
18416 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
18417 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
18419 { &hf_smb_nt_access_mask_read_control,
18420 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
18421 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
18423 { &hf_smb_nt_access_mask_delete,
18424 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
18425 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
18427 { &hf_smb_nt_access_mask_write_attributes,
18428 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
18429 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
18431 { &hf_smb_nt_access_mask_read_attributes,
18432 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
18433 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
18435 { &hf_smb_nt_access_mask_delete_child,
18436 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
18437 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
18440 * "Execute" for files, "traverse" for directories.
18442 { &hf_smb_nt_access_mask_execute,
18443 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
18444 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
18446 { &hf_smb_nt_access_mask_write_ea,
18447 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
18448 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
18450 { &hf_smb_nt_access_mask_read_ea,
18451 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
18452 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
18455 * "Append data" for files, "add subdirectory" for directories,
18456 * "create pipe instance" for named pipes.
18458 { &hf_smb_nt_access_mask_append,
18459 { "Append", "smb.access.append", FT_BOOLEAN, 32,
18460 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
18463 * "Write data" for files and pipes, "add file" for directory.
18465 { &hf_smb_nt_access_mask_write,
18466 { "Write", "smb.access.write", FT_BOOLEAN, 32,
18467 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
18470 * "Read data" for files and pipes, "list directory" for directory.
18472 { &hf_smb_nt_access_mask_read,
18473 { "Read", "smb.access.read", FT_BOOLEAN, 32,
18474 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
18476 { &hf_smb_nt_create_bits_oplock,
18477 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
18478 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
18480 { &hf_smb_nt_create_bits_boplock,
18481 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
18482 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
18484 { &hf_smb_nt_create_bits_dir,
18485 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
18486 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
18488 { &hf_smb_nt_create_bits_ext_resp,
18489 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
18490 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
18492 { &hf_smb_nt_create_options_directory_file,
18493 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
18494 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
18496 { &hf_smb_nt_create_options_write_through,
18497 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
18498 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
18500 { &hf_smb_nt_create_options_sequential_only,
18501 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
18502 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will access to thsis file only be sequential?", HFILL }},
18504 { &hf_smb_nt_create_options_no_intermediate_buffering,
18505 { "Intermediate Buffering", "smb.nt.create_options.intermediate_buffering", FT_BOOLEAN, 32,
18506 TFS(&tfs_nt_create_options_no_intermediate_buffering), 0x00000008, "Is intermediate buffering allowed?", HFILL }},
18508 { &hf_smb_nt_create_options_sync_io_alert,
18509 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
18510 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
18512 { &hf_smb_nt_create_options_sync_io_nonalert,
18513 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
18514 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
18516 { &hf_smb_nt_create_options_non_directory_file,
18517 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
18518 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
18520 { &hf_smb_nt_create_options_create_tree_connection,
18521 { "Create Tree Connection", "smb.nt.create_options.create_tree_connection", FT_BOOLEAN, 32,
18522 TFS(&tfs_nt_create_options_create_tree_connection), 0x00000080, "Create Tree Connection flag", HFILL }},
18524 { &hf_smb_nt_create_options_complete_if_oplocked,
18525 { "Complete If Oplocked", "smb.nt.create_options.complete_if_oplocked", FT_BOOLEAN, 32,
18526 TFS(&tfs_nt_create_options_complete_if_oplocked), 0x00000100, "Complete if oplocked flag", HFILL }},
18528 { &hf_smb_nt_create_options_no_ea_knowledge,
18529 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
18530 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
18532 { &hf_smb_nt_create_options_eight_dot_three_only,
18533 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
18534 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
18536 { &hf_smb_nt_create_options_random_access,
18537 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
18538 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
18540 { &hf_smb_nt_create_options_delete_on_close,
18541 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
18542 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
18543 { &hf_smb_nt_create_options_open_by_fileid,
18544 { "Open By FileID", "smb.nt.create_options.open_by_fileid", FT_BOOLEAN, 32,
18545 TFS(&tfs_nt_create_options_open_by_fileid), 0x00002000, "Open file by inode", HFILL }},
18547 { &hf_smb_nt_create_options_backup_intent,
18548 { "Backup Intent", "smb.nt.create_options.backup_intent", FT_BOOLEAN, 32,
18549 TFS(&tfs_nt_create_options_backup_intent), 0x00004000, "Is this opened by BACKUP ADMIN for backup intent?", HFILL }},
18551 { &hf_smb_nt_create_options_no_compression,
18552 { "No Compression", "smb.nt.create_options.no_compression", FT_BOOLEAN, 32,
18553 TFS(&tfs_nt_create_options_no_compression), 0x00008000, "Is compression allowed?", HFILL }},
18555 { &hf_smb_nt_create_options_reserve_opfilter,
18556 { "Reserve Opfilter", "smb.nt.create_options.reserve_opfilter", FT_BOOLEAN, 32,
18557 TFS(&tfs_nt_create_options_reserve_opfilter), 0x00100000, "Reserve Opfilter flag", HFILL }},
18559 { &hf_smb_nt_create_options_open_reparse_point,
18560 { "Open Reparse Point", "smb.nt.create_options.open_reparse_point", FT_BOOLEAN, 32,
18561 TFS(&tfs_nt_create_options_open_reparse_point), 0x00200000, "Is this an open of a reparse point or of the normal file?", HFILL }},
18563 { &hf_smb_nt_create_options_open_no_recall,
18564 { "Open No Recall", "smb.nt.create_options.open_no_recall", FT_BOOLEAN, 32,
18565 TFS(&tfs_nt_create_options_open_no_recall), 0x00400000, "Open no recall flag", HFILL }},
18567 { &hf_smb_nt_create_options_open_for_free_space_query,
18568 { "Open For Free Space query", "smb.nt.create_options.open_for_free_space_query", FT_BOOLEAN, 32,
18569 TFS(&tfs_nt_create_options_open_for_free_space_query), 0x00800000, "Open For Free Space Query flag", HFILL }},
18571 { &hf_smb_nt_share_access_read,
18572 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
18573 TFS(&tfs_nt_share_access_read), SHARE_ACCESS_READ, "Can the object be shared for reading?", HFILL }},
18575 { &hf_smb_nt_share_access_write,
18576 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
18577 TFS(&tfs_nt_share_access_write), SHARE_ACCESS_WRITE, "Can the object be shared for write?", HFILL }},
18579 { &hf_smb_nt_share_access_delete,
18580 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
18581 TFS(&tfs_nt_share_access_delete), SHARE_ACCESS_DELETE, NULL, HFILL }},
18583 { &hf_smb_file_eattr_read_only,
18584 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
18585 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
18587 { &hf_smb_file_eattr_hidden,
18588 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
18589 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
18591 { &hf_smb_file_eattr_system,
18592 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
18593 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
18595 { &hf_smb_file_eattr_volume,
18596 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
18597 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
18599 { &hf_smb_file_eattr_directory,
18600 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
18601 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
18603 { &hf_smb_file_eattr_archive,
18604 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
18605 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
18607 { &hf_smb_file_eattr_device,
18608 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
18609 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
18611 { &hf_smb_file_eattr_normal,
18612 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
18613 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
18615 { &hf_smb_file_eattr_temporary,
18616 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
18617 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
18619 { &hf_smb_file_eattr_sparse,
18620 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
18621 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
18623 { &hf_smb_file_eattr_reparse,
18624 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
18625 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
18627 { &hf_smb_file_eattr_compressed,
18628 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
18629 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
18631 { &hf_smb_file_eattr_offline,
18632 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
18633 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
18635 { &hf_smb_file_eattr_not_content_indexed,
18636 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
18637 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
18639 { &hf_smb_file_eattr_encrypted,
18640 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
18641 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
18643 { &hf_smb_sec_desc_len,
18644 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
18645 NULL, 0, "Security Descriptor Length", HFILL }},
18647 { &hf_smb_nt_qsd_owner,
18648 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
18649 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
18651 { &hf_smb_nt_qsd_group,
18652 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
18653 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
18655 { &hf_smb_nt_qsd_dacl,
18656 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
18657 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
18659 { &hf_smb_nt_qsd_sacl,
18660 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
18661 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
18663 { &hf_smb_extended_attributes,
18664 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_NONE,
18665 NULL, 0, NULL, HFILL }},
18667 { &hf_smb_oplock_level,
18668 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
18669 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
18671 { &hf_smb_create_action,
18672 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
18673 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
18676 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
18677 NULL, 0, NULL, HFILL }},
18679 { &hf_smb_ea_error_offset,
18680 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
18681 NULL, 0, "Offset into EA list if EA error", HFILL }},
18683 { &hf_smb_end_of_file,
18684 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
18685 NULL, 0, "Offset to the first free byte in the file", HFILL }},
18688 { "Replace", "smb.replace", FT_BOOLEAN, BASE_NONE,
18689 TFS(&tfs_smb_replace), 0x0, "Remove target if it exists?", HFILL }},
18691 { &hf_smb_root_dir_handle,
18692 { "Root Directory Handle", "smb.root_dir_handle", FT_UINT32, BASE_HEX,
18693 NULL, 0, "Root directory handle", HFILL }},
18695 { &hf_smb_target_name_len,
18696 { "Target name length", "smb.target_name_len", FT_UINT32, BASE_DEC,
18697 NULL, 0, "Length of target file name", HFILL }},
18699 { &hf_smb_target_name,
18700 { "Target name", "smb.target_name", FT_STRING, BASE_NONE,
18701 NULL, 0, "Target file name", HFILL }},
18703 { &hf_smb_device_type,
18704 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
18705 VALS(device_type_vals), 0, "Type of device", HFILL }},
18707 { &hf_smb_is_directory,
18708 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
18709 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
18711 { &hf_smb_next_entry_offset,
18712 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
18713 NULL, 0, "Offset to next entry", HFILL }},
18715 { &hf_smb_change_time,
18716 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
18717 NULL, 0, "Last Change Time", HFILL }},
18719 { &hf_smb_setup_len,
18720 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
18721 NULL, 0, "Length of printer setup data", HFILL }},
18723 { &hf_smb_print_mode,
18724 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
18725 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
18727 { &hf_smb_print_identifier,
18728 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
18729 NULL, 0, "Identifier string for this print job", HFILL }},
18731 { &hf_smb_restart_index,
18732 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
18733 NULL, 0, "Index of entry after last returned", HFILL }},
18735 { &hf_smb_print_queue_date,
18736 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
18737 NULL, 0, "Date when this entry was queued", HFILL }},
18739 { &hf_smb_print_queue_dos_date,
18740 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
18741 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
18743 { &hf_smb_print_queue_dos_time,
18744 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
18745 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
18747 { &hf_smb_print_status,
18748 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
18749 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
18751 { &hf_smb_print_spool_file_number,
18752 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
18753 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
18755 { &hf_smb_print_spool_file_size,
18756 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
18757 NULL, 0, "Number of bytes in spool file", HFILL }},
18759 { &hf_smb_print_spool_file_name,
18760 { "Name", "smb.print.spool.name", FT_STRINGZ, BASE_NONE,
18761 NULL, 0, "Name of client that submitted this job", HFILL }},
18763 { &hf_smb_start_index,
18764 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
18765 NULL, 0, "First queue entry to return", HFILL }},
18767 { &hf_smb_originator_name,
18768 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
18769 NULL, 0, "Name of sender of message", HFILL }},
18771 { &hf_smb_destination_name,
18772 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
18773 NULL, 0, "Name of recipient of message", HFILL }},
18775 { &hf_smb_message_len,
18776 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
18777 NULL, 0, "Length of message", HFILL }},
18780 { "Message", "smb.message", FT_STRING, BASE_NONE,
18781 NULL, 0, "Message text", HFILL }},
18784 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
18785 NULL, 0, "Message group ID for multi-block messages", HFILL }},
18787 { &hf_smb_forwarded_name,
18788 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
18789 NULL, 0, "Recipient name being forwarded", HFILL }},
18791 { &hf_smb_machine_name,
18792 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
18793 NULL, 0, "Name of target machine", HFILL }},
18795 { &hf_smb_cancel_to,
18796 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
18797 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
18799 { &hf_smb_trans_name,
18800 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
18801 NULL, 0, "Name of transaction", HFILL }},
18803 { &hf_smb_transaction_flags_dtid,
18804 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
18805 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
18807 { &hf_smb_transaction_flags_owt,
18808 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
18809 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
18811 { &hf_smb_search_count,
18812 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
18813 NULL, 0, "Maximum number of search entries to return", HFILL }},
18815 { &hf_smb_search_pattern,
18816 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
18817 NULL, 0, NULL, HFILL }},
18819 { &hf_smb_ff2_backup,
18820 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
18821 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
18823 { &hf_smb_ff2_continue,
18824 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
18825 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
18827 { &hf_smb_ff2_resume,
18828 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
18829 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
18831 { &hf_smb_ff2_close_eos,
18832 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
18833 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
18835 { &hf_smb_ff2_close,
18836 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
18837 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
18839 { &hf_smb_ff2_information_level,
18840 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
18841 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
18844 { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_DEC,
18845 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
18848 { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_DEC,
18849 VALS(spi_loi_vals), 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
18852 { &hf_smb_sfi_writetru,
18853 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
18854 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
18856 { &hf_smb_sfi_caching,
18857 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
18858 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
18861 { &hf_smb_storage_type,
18862 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
18863 NULL, 0, "Type of storage", HFILL }},
18866 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
18867 NULL, 0, NULL, HFILL }},
18869 { &hf_smb_max_referral_level,
18870 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
18871 NULL, 0, "Latest referral version number understood", HFILL }},
18873 { &hf_smb_qfsi_information_level,
18874 { "Level of Interest", "smb.qfsi_loi", FT_UINT16, BASE_HEX,
18875 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
18877 { &hf_smb_nt_rename_level,
18878 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
18879 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
18881 { &hf_smb_cluster_count,
18882 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
18883 NULL, 0, "Number of clusters", HFILL }},
18885 { &hf_smb_number_of_links,
18886 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
18887 NULL, 0, "Number of hard links to the file", HFILL }},
18889 { &hf_smb_delete_pending,
18890 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
18891 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
18893 { &hf_smb_index_number,
18894 { "Index Number", "smb.index_number", FT_UINT64, BASE_HEX,
18895 NULL, 0, "File system unique identifier", HFILL }},
18897 { &hf_smb_position,
18898 { "Position", "smb.position", FT_UINT64, BASE_DEC,
18899 NULL, 0, "File position", HFILL }},
18901 { &hf_smb_current_offset,
18902 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
18903 NULL, 0, "Current offset in the file", HFILL }},
18905 { &hf_smb_t2_alignment,
18906 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
18907 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
18909 { &hf_smb_t2_stream_name_length,
18910 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
18911 NULL, 0, "Length of stream name", HFILL }},
18913 { &hf_smb_t2_stream_size,
18914 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
18915 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18917 { &hf_smb_t2_stream_name,
18918 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
18919 NULL, 0, "Name of the stream", HFILL }},
18921 { &hf_smb_t2_compressed_file_size,
18922 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
18923 NULL, 0, "Size of the compressed file", HFILL }},
18925 { &hf_smb_t2_compressed_format,
18926 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
18927 NULL, 0, "Compression algorithm used", HFILL }},
18929 { &hf_smb_t2_compressed_unit_shift,
18930 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
18931 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18933 { &hf_smb_t2_compressed_chunk_shift,
18934 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
18935 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18937 { &hf_smb_t2_compressed_cluster_shift,
18938 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
18939 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18941 { &hf_smb_t2_marked_for_deletion,
18942 { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
18943 TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
18945 { &hf_smb_dfs_path_consumed,
18946 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
18947 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
18949 { &hf_smb_dfs_num_referrals,
18950 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
18951 NULL, 0, "Number of referrals in this pdu", HFILL }},
18953 { &hf_smb_get_dfs_server_hold_storage,
18954 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
18955 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
18957 { &hf_smb_get_dfs_fielding,
18958 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
18959 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
18961 { &hf_smb_dfs_referral_version,
18962 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
18963 NULL, 0, "Version of referral element", HFILL }},
18965 { &hf_smb_dfs_referral_size,
18966 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
18967 NULL, 0, "Size of referral element", HFILL }},
18969 { &hf_smb_dfs_referral_server_type,
18970 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
18971 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
18973 { &hf_smb_dfs_referral_flags_name_list_referral,
18974 { "NameListReferral", "smb.dfs.referral.flags.name_list_referral", FT_BOOLEAN, 16,
18975 TFS(&tfs_dfs_referral_flags_name_list_referral), REFENT_FLAGS_NAME_LIST_REFERRAL, "Is a domain/DC referral response?", HFILL }},
18977 { &hf_smb_dfs_referral_flags_target_set_boundary,
18978 { "TargetSetBoundary", "smb.dfs.referral.flags.target_set_boundary", FT_BOOLEAN, 16,
18979 TFS(&tfs_dfs_referral_flags_target_set_boundary), REFENT_FLAGS_TARGET_SET_BOUNDARY, "Is this a first target in the target set?", HFILL }},
18981 { &hf_smb_dfs_referral_node_offset,
18982 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
18983 NULL, 0, "Offset of name of entity to visit next", HFILL }},
18985 { &hf_smb_dfs_referral_node,
18986 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
18987 NULL, 0, "Name of entity to visit next", HFILL }},
18989 { &hf_smb_dfs_referral_proximity,
18990 { "Proximity", "smb.dfs.referral.proximity", FT_UINT32, BASE_DEC,
18991 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
18993 { &hf_smb_dfs_referral_ttl,
18994 { "TTL", "smb.dfs.referral.ttl", FT_UINT32, BASE_DEC,
18995 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
18997 { &hf_smb_dfs_referral_path_offset,
18998 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
18999 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
19001 { &hf_smb_dfs_referral_path,
19002 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
19003 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
19005 { &hf_smb_dfs_referral_alt_path_offset,
19006 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
19007 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
19009 { &hf_smb_dfs_referral_alt_path,
19010 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
19011 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
19013 { &hf_smb_dfs_referral_domain_offset,
19014 { "Domain Offset", "smb.dfs.referral.domain_offset", FT_UINT16, BASE_DEC,
19015 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
19017 { &hf_smb_dfs_referral_number_of_expnames,
19018 { "Number of Expanded Names", "smb.dfs.referral.number_of_expnames", FT_UINT16, BASE_DEC,
19019 NULL, 0, "Number of expanded names", HFILL }},
19021 { &hf_smb_dfs_referral_expnames_offset,
19022 { "Expanded Names Offset", "smb.dfs.referral.expnames_offset", FT_UINT16, BASE_DEC,
19023 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
19025 { &hf_smb_dfs_referral_domain_name,
19026 { "Domain Name", "smb.dfs.referral.domain_name", FT_STRING, BASE_NONE,
19027 NULL, 0, "Dfs referral domain name", HFILL }},
19029 { &hf_smb_dfs_referral_expname,
19030 { "Expanded Name", "smb.dfs.referral.expname", FT_STRING, BASE_NONE,
19031 NULL, 0, "Dfs expanded name", HFILL }},
19033 { &hf_smb_dfs_referral_server_guid,
19034 { "Server GUID", "smb.dfs.referral.server_guid", FT_BYTES, BASE_NONE,
19035 NULL, 0, "Globally unique identifier for this server", HFILL }},
19037 { &hf_smb_end_of_search,
19038 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
19039 NULL, 0, "Was last entry returned?", HFILL }},
19041 { &hf_smb_last_name_offset,
19042 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
19043 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
19045 { &hf_smb_fn_information_level,
19046 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
19047 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
19049 { &hf_smb_monitor_handle,
19050 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
19051 NULL, 0, "Handle for Find Notify operations", HFILL }},
19053 { &hf_smb_change_count,
19054 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
19055 NULL, 0, "Number of changes to wait for", HFILL }},
19057 { &hf_smb_file_index,
19058 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
19059 NULL, 0, "File index", HFILL }},
19061 { &hf_smb_short_file_name,
19062 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
19063 NULL, 0, "Short (8.3) File Name", HFILL }},
19065 { &hf_smb_short_file_name_len,
19066 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
19067 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
19070 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
19071 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
19073 { &hf_smb_sector_unit,
19074 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
19075 NULL, 0, "Sectors per allocation unit", HFILL }},
19077 { &hf_smb_fs_units,
19078 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
19079 NULL, 0, "Total number of units on this filesystem", HFILL }},
19081 { &hf_smb_fs_sector,
19082 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
19083 NULL, 0, "Bytes per sector", HFILL }},
19085 { &hf_smb_avail_units,
19086 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
19087 NULL, 0, "Total number of available units on this filesystem", HFILL }},
19089 { &hf_smb_volume_serial_num,
19090 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
19091 NULL, 0, "Volume serial number", HFILL }},
19093 { &hf_smb_volume_label_len,
19094 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
19095 NULL, 0, "Length of volume label", HFILL }},
19097 { &hf_smb_volume_label,
19098 { "Label", "smb.volume.label", FT_STRING, BASE_NONE,
19099 NULL, 0, "Volume label", HFILL }},
19101 { &hf_smb_free_alloc_units64,
19102 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
19103 NULL, 0, "Number of free allocation units", HFILL }},
19105 { &hf_smb_caller_free_alloc_units64,
19106 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
19107 NULL, 0, "Number of caller free allocation units", HFILL }},
19109 { &hf_smb_actual_free_alloc_units64,
19110 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
19111 NULL, 0, "Number of actual free allocation units", HFILL }},
19113 { &hf_smb_soft_quota_limit,
19114 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
19115 NULL, 0, "Soft Quota treshold", HFILL }},
19117 { &hf_smb_hard_quota_limit,
19118 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
19119 NULL, 0, "Hard Quota limit", HFILL }},
19121 { &hf_smb_user_quota_used,
19122 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
19123 NULL, 0, "How much Quota is used by this user", HFILL }},
19125 { &hf_smb_max_name_len,
19126 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
19127 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
19129 { &hf_smb_fs_name_len,
19130 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
19131 NULL, 0, "Length of filesystem name in bytes", HFILL }},
19134 { "FS Name", "smb.fs_name", FT_STRING, BASE_NONE,
19135 NULL, 0, "Name of filesystem", HFILL }},
19137 { &hf_smb_device_char_removable,
19138 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
19139 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
19141 { &hf_smb_device_char_read_only,
19142 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
19143 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
19145 { &hf_smb_device_char_floppy,
19146 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
19147 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
19149 { &hf_smb_device_char_write_once,
19150 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
19151 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
19153 { &hf_smb_device_char_remote,
19154 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
19155 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
19157 { &hf_smb_device_char_mounted,
19158 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
19159 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
19161 { &hf_smb_device_char_virtual,
19162 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
19163 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
19165 { &hf_smb_fs_attr_css,
19166 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
19167 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
19169 { &hf_smb_fs_attr_cpn,
19170 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
19171 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
19173 { &hf_smb_fs_attr_uod,
19174 { "Unicode On Disk", "smb.fs_attr.uod", FT_BOOLEAN, 32,
19175 TFS(&tfs_fs_attr_uod), 0x00000004, "Does this FS support Unicode On Disk?", HFILL }},
19177 { &hf_smb_fs_attr_pacls,
19178 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
19179 TFS(&tfs_fs_attr_pacls), 0x00000008, "Does this FS support Persistent ACLs?", HFILL }},
19181 { &hf_smb_fs_attr_fc,
19182 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
19183 TFS(&tfs_fs_attr_fc), 0x00000010, "Does this FS support File Compression?", HFILL }},
19185 { &hf_smb_fs_attr_vq,
19186 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
19187 TFS(&tfs_fs_attr_vq), 0x00000020, "Does this FS support Volume Quotas?", HFILL }},
19189 { &hf_smb_fs_attr_ssf,
19190 { "Sparse Files", "smb.fs_attr.ssf", FT_BOOLEAN, 32,
19191 TFS(&tfs_fs_attr_ssf), 0x00000040, "Does this FS support SPARSE FILES?", HFILL }},
19193 { &hf_smb_fs_attr_srp,
19194 { "Reparse Points", "smb.fs_attr.srp", FT_BOOLEAN, 32,
19195 TFS(&tfs_fs_attr_srp), 0x00000080, "Does this FS support REPARSE POINTS?", HFILL }},
19197 { &hf_smb_fs_attr_srs,
19198 { "Remote Storage", "smb.fs_attr.srs", FT_BOOLEAN, 32,
19199 TFS(&tfs_fs_attr_srs), 0x00000100, "Does this FS support REMOTE STORAGE?", HFILL }},
19201 { &hf_smb_fs_attr_sla,
19202 { "LFN APIs", "smb.fs_attr.sla", FT_BOOLEAN, 32,
19203 TFS(&tfs_fs_attr_sla), 0x00004000, "Does this FS support LFN APIs?", HFILL }},
19205 { &hf_smb_fs_attr_vic,
19206 { "Volume Is Compressed", "smb.fs_attr.vis", FT_BOOLEAN, 32,
19207 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS on a compressed volume?", HFILL }},
19209 { &hf_smb_fs_attr_soids,
19210 { "Supports OIDs", "smb.fs_attr.soids", FT_BOOLEAN, 32,
19211 TFS(&tfs_fs_attr_soids), 0x00010000, "Does this FS support OIDs?", HFILL }},
19213 { &hf_smb_fs_attr_se,
19214 { "Supports Encryption", "smb.fs_attr.se", FT_BOOLEAN, 32,
19215 TFS(&tfs_fs_attr_se), 0x00020000, "Does this FS support encryption?", HFILL }},
19217 { &hf_smb_fs_attr_ns,
19218 { "Named Streams", "smb.fs_attr.ns", FT_BOOLEAN, 32,
19219 TFS(&tfs_fs_attr_ns), 0x00040000, "Does this FS support named streams?", HFILL }},
19221 { &hf_smb_fs_attr_rov,
19222 { "Read Only Volume", "smb.fs_attr.rov", FT_BOOLEAN, 32,
19223 TFS(&tfs_fs_attr_rov), 0x00080000, "Is this FS on a read only volume?", HFILL }},
19225 { &hf_smb_user_quota_offset,
19226 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
19227 NULL, 0, "Relative offset to next user quota structure", HFILL }},
19229 { &hf_smb_pipe_write_len,
19230 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
19231 NULL, 0, "Number of bytes written to pipe", HFILL }},
19233 { &hf_smb_quota_flags_deny_disk,
19234 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
19235 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
19237 { &hf_smb_quota_flags_log_limit,
19238 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
19239 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
19241 { &hf_smb_quota_flags_log_warning,
19242 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
19243 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
19245 { &hf_smb_quota_flags_enabled,
19246 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
19247 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
19249 { &hf_smb_segment_overlap,
19250 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
19251 "Fragment overlaps with other fragments", HFILL }},
19253 { &hf_smb_segment_overlap_conflict,
19254 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
19255 "Overlapping fragments contained conflicting data", HFILL }},
19257 { &hf_smb_segment_multiple_tails,
19258 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
19259 "Several tails were found when defragmenting the packet", HFILL }},
19261 { &hf_smb_segment_too_long_fragment,
19262 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
19263 "Fragment contained data past end of packet", HFILL }},
19265 { &hf_smb_segment_error,
19266 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
19267 "Defragmentation error due to illegal fragments", HFILL }},
19269 { &hf_smb_opened_in,
19270 { "Opened in", "smb.fid.opened_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
19271 "The frame this fid was opened", HFILL }},
19273 { &hf_smb_closed_in,
19274 { "Closed in", "smb.fid.closed_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
19275 "The frame this fid was closed", HFILL }},
19277 { &hf_smb_mapped_in,
19278 { "Mapped in", "smb.fid.mapped_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
19279 "The frame this share was mapped", HFILL }},
19281 { &hf_smb_unmapped_in,
19282 { "Unmapped in", "smb.fid.unmapped_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
19283 "The frame this share was unmapped", HFILL }},
19286 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
19289 { &hf_smb_segments,
19290 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
19293 { &hf_smb_unix_major_version,
19294 { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
19295 NULL, 0, "UNIX Major Version", HFILL }},
19297 { &hf_smb_unix_minor_version,
19298 { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
19299 NULL, 0, "UNIX Minor Version", HFILL }},
19301 { &hf_smb_unix_capability_fcntl,
19302 { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
19303 TFS(&tfs_set_notset), 0x00000001, NULL, HFILL }},
19305 { &hf_smb_unix_capability_posix_acl,
19306 { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
19307 TFS(&tfs_set_notset), 0x00000002, NULL, HFILL }},
19309 { &hf_smb_file_access_mask_read_data,
19310 { "Read Data", "smb.file.accessmask.read_data", FT_BOOLEAN, 32,
19311 TFS(&tfs_set_notset), 0x00000001, NULL, HFILL }},
19313 { &hf_smb_file_access_mask_write_data,
19314 { "Write Data", "smb.file.accessmask.write_data", FT_BOOLEAN, 32,
19315 TFS(&tfs_set_notset), 0x00000002, NULL, HFILL }},
19317 { &hf_smb_file_access_mask_append_data,
19318 { "Append Data", "smb.file.accessmask.append_data", FT_BOOLEAN, 32,
19319 TFS(&tfs_set_notset), 0x00000004, NULL, HFILL }},
19321 { &hf_smb_file_access_mask_read_ea,
19322 { "Read EA", "smb.file.accessmask.read_ea", FT_BOOLEAN, 32,
19323 TFS(&tfs_set_notset), 0x00000008, NULL, HFILL }},
19325 { &hf_smb_file_access_mask_write_ea,
19326 { "Write EA", "smb.file.accessmask.write_ea", FT_BOOLEAN, 32,
19327 TFS(&tfs_set_notset), 0x00000010, NULL, HFILL }},
19329 { &hf_smb_file_access_mask_execute,
19330 { "Execute", "smb.file.accessmask.execute", FT_BOOLEAN, 32,
19331 TFS(&tfs_set_notset), 0x00000020, NULL, HFILL }},
19333 { &hf_smb_file_access_mask_read_attribute,
19334 { "Read Attribute", "smb.file.accessmask.read_attribute", FT_BOOLEAN, 32,
19335 TFS(&tfs_set_notset), 0x00000080, NULL, HFILL }},
19337 { &hf_smb_file_access_mask_write_attribute,
19338 { "Write Attribute", "smb.file.accessmask.write_attribute", FT_BOOLEAN, 32,
19339 TFS(&tfs_set_notset), 0x00000100, NULL, HFILL }},
19341 { &hf_smb_dir_access_mask_list,
19342 { "List", "smb.dir.accessmask.list", FT_BOOLEAN, 32,
19343 TFS(&tfs_set_notset), 0x00000001, NULL, HFILL }},
19345 { &hf_smb_dir_access_mask_add_file,
19346 { "Add File", "smb.dir.accessmask.add_file", FT_BOOLEAN, 32,
19347 TFS(&tfs_set_notset), 0x00000002, NULL, HFILL }},
19349 { &hf_smb_dir_access_mask_add_subdir,
19350 { "Add Subdir", "smb.dir.accessmask.add_subdir", FT_BOOLEAN, 32,
19351 TFS(&tfs_set_notset), 0x00000004, NULL, HFILL }},
19353 { &hf_smb_dir_access_mask_read_ea,
19354 { "Read EA", "smb.dir.accessmask.read_ea", FT_BOOLEAN, 32,
19355 TFS(&tfs_set_notset), 0x00000008, NULL, HFILL }},
19357 { &hf_smb_dir_access_mask_write_ea,
19358 { "Write EA", "smb.dir.accessmask.write_ea", FT_BOOLEAN, 32,
19359 TFS(&tfs_set_notset), 0x00000010, NULL, HFILL }},
19361 { &hf_smb_dir_access_mask_traverse,
19362 { "Traverse", "smb.dir.accessmask.traverse", FT_BOOLEAN, 32,
19363 TFS(&tfs_set_notset), 0x00000020, NULL, HFILL }},
19365 { &hf_smb_dir_access_mask_delete_child,
19366 { "Delete Child", "smb.dir.accessmask.delete_child", FT_BOOLEAN, 32,
19367 TFS(&tfs_set_notset), 0x00000040, NULL, HFILL }},
19369 { &hf_smb_dir_access_mask_read_attribute,
19370 { "Read Attribute", "smb.dir.accessmask.read_attribute", FT_BOOLEAN, 32,
19371 TFS(&tfs_set_notset), 0x00000080, NULL, HFILL }},
19373 { &hf_smb_dir_access_mask_write_attribute,
19374 { "Write Attribute", "smb.dir.accessmask.write_attribute", FT_BOOLEAN, 32,
19375 TFS(&tfs_set_notset), 0x00000100, NULL, HFILL }},
19377 { &hf_smb_unix_file_size,
19378 { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
19379 NULL, 0, NULL, HFILL }},
19381 { &hf_smb_unix_file_num_bytes,
19382 { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
19383 NULL, 0, "Number of bytes used to store the file", HFILL }},
19385 { &hf_smb_unix_file_last_status,
19386 { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, BASE_NONE,
19387 NULL, 0, NULL, HFILL }},
19389 { &hf_smb_unix_file_last_access,
19390 { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, BASE_NONE,
19391 NULL, 0, NULL, HFILL }},
19393 { &hf_smb_unix_file_last_change,
19394 { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, BASE_NONE,
19395 NULL, 0, NULL, HFILL }},
19397 { &hf_smb_unix_file_uid,
19398 { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
19399 NULL, 0, NULL, HFILL }},
19401 { &hf_smb_unix_file_gid,
19402 { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
19403 NULL, 0, NULL, HFILL }},
19405 { &hf_smb_unix_file_type,
19406 { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
19407 VALS(unix_file_type_vals), 0, NULL, HFILL }},
19409 { &hf_smb_unix_file_dev_major,
19410 { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
19411 NULL, 0, NULL, HFILL }},
19413 { &hf_smb_unix_file_dev_minor,
19414 { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
19415 NULL, 0, NULL, HFILL }},
19417 { &hf_smb_unix_file_unique_id,
19418 { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
19419 NULL, 0, NULL, HFILL }},
19421 { &hf_smb_unix_file_permissions,
19422 { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
19423 NULL, 0, NULL, HFILL }},
19425 { &hf_smb_unix_file_nlinks,
19426 { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
19427 NULL, 0, NULL, HFILL }},
19429 { &hf_smb_unix_file_link_dest,
19430 { "Link destination", "smb.unix.file.link_dest", FT_STRING,
19431 BASE_NONE, NULL, 0, NULL, HFILL }},
19433 { &hf_smb_unix_find_file_nextoffset,
19434 { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
19435 NULL, 0, NULL, HFILL }},
19437 { &hf_smb_unix_find_file_resumekey,
19438 { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
19439 NULL, 0, NULL, HFILL }},
19441 { &hf_smb_network_unknown,
19442 { "Unknown field", "smb.unknown", FT_UINT32, BASE_HEX,
19443 NULL, 0, NULL, HFILL }},
19445 { &hf_smb_create_flags,
19446 { "Create Flags", "smb.create_flags", FT_UINT32, BASE_HEX,
19447 NULL, 0, NULL, HFILL }},
19449 { &hf_smb_create_options,
19450 { "Create Options", "smb.create_options", FT_UINT32, BASE_HEX,
19451 NULL, 0, NULL, HFILL }},
19453 { &hf_smb_share_access,
19454 { "Share Access", "smb.share_access", FT_UINT32, BASE_HEX,
19455 NULL, 0, NULL, HFILL }},
19457 { &hf_smb_access_mask,
19458 { "Access Mask", "smb.access_mask", FT_UINT32, BASE_HEX,
19459 NULL, 0, NULL, HFILL }},
19462 { "Mode", "smb.mode", FT_UINT32, BASE_HEX,
19463 NULL, 0, NULL, HFILL }},
19465 { &hf_smb_attribute,
19466 { "Attribute", "smb.attribute", FT_UINT32, BASE_HEX,
19467 NULL, 0, NULL, HFILL }},
19469 { &hf_smb_reparse_tag,
19470 { "Reparse Tag", "smb.reparse_tag", FT_UINT32, BASE_HEX,
19471 NULL, 0, NULL, HFILL }},
19473 { &hf_smb_disposition_delete_on_close,
19474 { "Delete on close", "smb.disposition.delete_on_close", FT_BOOLEAN, 8,
19475 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }},
19477 { &hf_smb_pipe_info_flag,
19478 { "Pipe Info", "smb.pipe_info_flag", FT_BOOLEAN, 8,
19479 TFS(&tfs_pipe_info_flag), 0x01, NULL, HFILL }},
19481 { &hf_smb_logged_in,
19482 { "Logged In", "smb.logged_in", FT_FRAMENUM, BASE_NONE,
19483 NULL, 0, NULL, HFILL }},
19485 { &hf_smb_logged_out,
19486 { "Logged Out", "smb.logged_out", FT_FRAMENUM, BASE_NONE,
19487 NULL, 0, NULL, HFILL }},
19489 { &hf_smb_file_rw_offset,
19490 { "File Offset", "smb.file.rw.offset", FT_UINT32, BASE_DEC,
19491 NULL, 0, NULL, HFILL }},
19493 { &hf_smb_file_rw_length,
19494 { "File RW Length", "smb.file.rw.length", FT_UINT32, BASE_DEC,
19495 NULL, 0, NULL, HFILL }},
19497 { &hf_smb_posix_acl_version,
19498 { "Posix ACL version", "smb.posix_acl.version", FT_UINT16, BASE_DEC,
19499 NULL, 0, NULL, HFILL }},
19501 { &hf_smb_posix_num_file_aces,
19502 { "Number of file ACEs", "smb.posix_acl.num_file_aces", FT_UINT16, BASE_DEC,
19503 NULL, 0, NULL, HFILL }},
19505 { &hf_smb_posix_num_def_aces,
19506 { "Number of default ACEs", "smb.posix_acl.num_def_aces", FT_UINT16, BASE_DEC,
19507 NULL, 0, NULL, HFILL }},
19509 { &hf_smb_posix_ace_type,
19510 { "ACE Type", "smb.posix_acl.ace_type", FT_UINT8, BASE_DEC,
19511 VALS(ace_type_vals), 0, NULL, HFILL }},
19513 { &hf_smb_posix_ace_flags,
19514 { "Permissions", "smb.posix_acl.ace_perms", FT_UINT8, BASE_HEX,
19515 NULL, 0, NULL, HFILL }},
19517 { &hf_smb_posix_ace_perm_read,
19518 {"READ", "smb.posix_acl.ace_perms.read", FT_BOOLEAN, 8,
19519 NULL, 0x04, NULL, HFILL}},
19521 { &hf_smb_posix_ace_perm_write,
19522 {"WRITE", "smb.posix_acl.ace_perms.write", FT_BOOLEAN, 8,
19523 NULL, 0x02, NULL, HFILL}},
19525 { &hf_smb_posix_ace_perm_execute,
19526 {"EXECUTE", "smb.posix_acl.ace_perms.execute", FT_BOOLEAN, 8,
19527 NULL, 0x01, NULL, HFILL}},
19529 { &hf_smb_posix_ace_perm_owner_uid,
19530 { "Owner UID", "smb.posix_acl.ace_perms.owner_uid", FT_UINT32, BASE_DEC,
19531 NULL, 0, NULL, HFILL }},
19533 { &hf_smb_posix_ace_perm_owner_gid,
19534 { "Owner GID", "smb.posix_acl.ace_perms.owner_gid", FT_UINT32, BASE_DEC,
19535 NULL, 0, NULL, HFILL }},
19537 { &hf_smb_posix_ace_perm_uid,
19538 { "UID", "smb.posix_acl.ace_perms.uid", FT_UINT32, BASE_DEC,
19539 NULL, 0, NULL, HFILL }},
19541 { &hf_smb_posix_ace_perm_gid,
19542 { "GID", "smb.posix_acl.ace_perms.gid", FT_UINT32, BASE_DEC,
19543 NULL, 0, NULL, HFILL }},
19547 static gint *ett[] = {
19554 &ett_smb_fileattributes,
19555 &ett_smb_capabilities,
19563 &ett_smb_desiredaccess,
19566 &ett_smb_openfunction,
19568 &ett_smb_openaction,
19569 &ett_smb_writemode,
19570 &ett_smb_lock_type,
19571 &ett_smb_ssetupandxaction,
19572 &ett_smb_optionsup,
19573 &ett_smb_time_date,
19574 &ett_smb_move_copy_flags,
19575 &ett_smb_file_attributes,
19576 &ett_smb_search_resume_key,
19577 &ett_smb_search_dir_info,
19582 &ett_smb_open_flags,
19583 &ett_smb_ipc_state,
19584 &ett_smb_open_action,
19585 &ett_smb_setup_action,
19586 &ett_smb_connect_flags,
19587 &ett_smb_connect_support_bits,
19588 &ett_smb_nt_access_mask,
19589 &ett_smb_nt_create_bits,
19590 &ett_smb_nt_create_options,
19591 &ett_smb_nt_share_access,
19592 &ett_smb_nt_security_flags,
19593 &ett_smb_nt_trans_setup,
19594 &ett_smb_nt_trans_data,
19595 &ett_smb_nt_trans_param,
19596 &ett_smb_nt_notify_completion_filter,
19597 &ett_smb_nt_ioctl_flags,
19598 &ett_smb_security_information_mask,
19599 &ett_smb_print_queue_entry,
19600 &ett_smb_transaction_flags,
19601 &ett_smb_transaction_params,
19602 &ett_smb_find_first2_flags,
19606 &ett_smb_transaction_data,
19607 &ett_smb_stream_info,
19608 &ett_smb_dfs_referrals,
19609 &ett_smb_dfs_referral,
19610 &ett_smb_dfs_referral_flags,
19611 &ett_smb_dfs_referral_expnames,
19612 &ett_smb_get_dfs_flags,
19614 &ett_smb_device_characteristics,
19615 &ett_smb_fs_attributes,
19618 &ett_smb_quotaflags,
19620 &ett_smb_mac_support_flags,
19621 &ett_smb_unicode_password,
19623 &ett_smb_unix_capabilities,
19624 &ett_smb_posic_ace,
19625 &ett_smb_posix_ace_perms
19627 module_t *smb_module;
19629 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
19631 proto_register_subtree_array(ett, array_length(ett));
19632 proto_register_field_array(proto_smb, hf, array_length(hf));
19634 proto_do_register_windows_common(proto_smb);
19636 register_init_routine(&smb_init_protocol);
19637 smb_module = prefs_register_protocol(proto_smb, NULL);
19638 prefs_register_bool_preference(smb_module, "trans_reassembly",
19639 "Reassemble SMB Transaction payload",
19640 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
19641 &smb_trans_reassembly);
19642 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
19643 "Reassemble DCERPC over SMB",
19644 "Whether the dissector should reassemble DCERPC over SMB commands",
19645 &smb_dcerpc_reassembly);
19646 prefs_register_bool_preference(smb_module, "sid_name_snooping",
19647 "Snoop SID to Name mappings",
19648 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
19649 &sid_name_snooping);
19651 register_init_routine(smb_trans_reassembly_init);
19652 smb_tap = register_tap("smb");
19654 register_dissector("smb", dissect_smb, proto_smb);
/*
 * Handoff step for the SMB dissector.
 *
 * Looks up the "gssapi" and "ntlmssp" dissectors by name, offers
 * dissect_smb_heur as a heuristic dissector on the "netbios", "cotp" and
 * "vines_spp" tables, and binds the "smb" dissector handle to the NWLink
 * SMB sockets in the "ipx.socket" table and to IDP_SOCKET_SMB in the
 * "spp.socket" table.
 */
19658 proto_reg_handoff_smb(void)
19660 dissector_handle_t smb_handle;
/*
 * gssapi_handle and ntlmssp_handle are declared outside this function, so
 * the lookups below are kept for use by other code.
 * NOTE(review): no check of the find_dissector() results is visible here;
 * confirm that the code using these handles copes with a dissector that
 * was not found.
 */
19662 gssapi_handle = find_dissector("gssapi");
19663 ntlmssp_handle = find_dissector("ntlmssp");
/*
 * Heuristic registration: dissect_smb_heur is offered payloads carried by
 * these three transports.
 * NOTE(review): presumably it decides from the payload contents whether a
 * packet is SMB; since that input is untrusted capture data, confirm the
 * check reads only bytes that are actually present.
 */
19665 heur_dissector_add("netbios", dissect_smb_heur, proto_smb);
19666 heur_dissector_add("cotp", dissect_smb_heur, proto_smb);
19667 heur_dissector_add("vines_spp", dissect_smb_heur, proto_smb);
/*
 * Fixed bindings: the handle registered under the name "smb" is attached
 * directly to the socket values below, so traffic on them reaches the SMB
 * dissector without going through the heuristic.
 */
19669 smb_handle = find_dissector("smb");
19670 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
19671 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
19672 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER, smb_handle);
19673 dissector_add("spp.socket", IDP_SOCKET_SMB, smb_handle);