2 * Routines for NetBIOS protocol packet disassembly
3 * Jeff Foster <jfoste@woodward.com>
4 * Copyright 1999 Jeffrey C. Foster
6 * derived from the packet-nbns.c
8 * $Id: packet-netbios.c,v 1.39 2001/09/29 20:32:29 guy Exp $
10 * Ethereal - Network traffic analyzer
11 * By Gerald Combs <gerald@ethereal.com>
12 * Copyright 1998 Gerald Combs
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
33 #ifdef HAVE_SYS_TYPES_H
34 # include <sys/types.h>
43 #include "packet-netbios.h"
45 /* Netbios command numbers */
46 #define NB_ADD_GROUP 0x00
47 #define NB_ADD_NAME 0x01
48 #define NB_NAME_IN_CONFLICT 0x02
49 #define NB_STATUS_QUERY 0x03
50 #define NB_TERMINATE_TRACE_R 0x07
51 #define NB_DATAGRAM 0x08
52 #define NB_DATAGRAM_BCAST 0x09
53 #define NB_NAME_QUERY 0x0a
54 #define NB_ADD_NAME_RESP 0x0d
55 #define NB_NAME_RESP 0x0e
56 #define NB_STATUS_RESP 0x0f
57 #define NB_TERMINATE_TRACE_LR 0x13
58 #define NB_DATA_ACK 0x14
59 #define NB_DATA_FIRST_MIDDLE 0x15
60 #define NB_DATA_ONLY_LAST 0x16
61 #define NB_SESSION_CONFIRM 0x17
62 #define NB_SESSION_END 0x18
63 #define NB_SESSION_INIT 0x19
64 #define NB_NO_RECEIVE 0x1a
65 #define NB_RECEIVE_OUTSTANDING 0x1b
66 #define NB_RECEIVE_CONTINUE 0x1c
67 #define NB_KEEP_ALIVE 0x1f
69 /* Offsets of fields in the NetBIOS header. */
71 #define NB_DELIMITER 2
77 #define NB_CALL_NAME_TYPE 7
78 #define NB_XMIT_CORL 8
79 #define NB_RESP_CORL 10
81 #define NB_LOCAL_SES 13
82 #define NB_RECVER_NAME 12
83 #define NB_SENDER_NAME 28
86 static int proto_netbios = -1;
87 static int hf_netb_cmd = -1;
88 static int hf_netb_hdr_len = -1;
89 static int hf_netb_xmit_corrl = -1;
90 static int hf_netb_resp_corrl = -1;
91 static int hf_netb_call_name_type = -1;
92 static int hf_netb_ack = -1;
93 static int hf_netb_ack_with_data = -1;
94 static int hf_netb_ack_expected = -1;
95 static int hf_netb_recv_cont_req = -1;
96 static int hf_netb_send_no_ack = -1;
97 static int hf_netb_version = -1;
98 static int hf_netb_largest_frame = -1;
99 static int hf_netb_name = -1;
100 static int hf_netb_name_type = -1;
101 static int hf_netb_local_ses_no = -1;
102 static int hf_netb_remote_ses_no = -1;
103 static int hf_netb_data2 = -1;
105 static gint ett_netb = -1;
106 static gint ett_netb_name = -1;
107 static gint ett_netb_flags = -1;
108 static gint ett_netb_status = -1;
110 /* The strings for the station type, used by get_netbios_name function;
111 many of them came from the file "NetBIOS.txt" in the Zip archive at
113 http://www.net3group.com/ftp/browser.zip
116 static const value_string name_type_vals[] = {
117 {0x00, "Workstation/Redirector"},
119 {0x02, "Workstation/Redirector"},
120 /* not sure what 0x02 is, I'm seeing alot of them however */
121 /* i'm seeing them with workstation/redirection host
123 {0x03, "Messenger service/Main name"},
124 {0x05, "Forwarded name"},
125 {0x06, "RAS Server service"},
126 {0x1b, "Domain Master Browser"},
127 {0x1c, "Domain Controllers"},
128 {0x1d, "Local Master Browser"},
129 {0x1e, "Browser Election Service"},
130 {0x1f, "Net DDE Service"},
131 {0x20, "Server service"},
132 {0x21, "RAS client service"},
133 {0x22, "Exchange Interchange (MSMail Connector)"},
134 {0x23, "Exchange Store"},
135 {0x24, "Exchange Directory"},
136 {0x2b, "Lotus Notes Server service"},
137 {0x30, "Modem sharing server service"},
138 {0x31, "Modem sharing client service"},
139 {0x43, "SMS Clients Remote Control"},
140 {0x44, "SMS Administrators Remote Control Tool"},
141 {0x45, "SMS Clients Remote Chat"},
142 {0x46, "SMS Clients Remote Transfer"},
143 {0x4c, "DEC Pathworks TCP/IP Service on Windows NT"},
144 {0x52, "DEC Pathworks TCP/IP Service on Windows NT"},
145 {0x6a, "Microsoft Exchange IMC"},
146 {0x87, "Microsoft Exchange MTA"},
147 {0xbe, "Network Monitor Agent"},
148 {0xbf, "Network Monitor Analyzer"},
154 http://www.s390.ibm.com/bookmgr-cgi/bookmgr.cmd/BOOKS/BK8P7001/CCONTENTS
158 http://ourworld.compuserve.com/homepages/TimothyDEvans/contents.htm
160 for information about the NetBIOS Frame Protocol (which is what this
163 /* the strings for the command types */
165 static char *CommandName[] = {
166 "Add Group Name Query", /* 0x00 */
167 "Add Name Query", /* 0x01 */
168 "Name In Conflict", /* 0x02 */
169 "Status Query", /* 0x03 */
173 "Terminate Trace", /* 0x07 */
174 "Datagram", /* 0x08 */
175 "Broadcast Datagram", /* 0x09 */
176 "Name Query", /* 0x0A */
179 "Add Name Response", /* 0x0D */
180 "Name Recognized", /* 0x0E */
181 "Status Response", /* 0x0F */
185 "Terminate Trace", /* 0x13 */
186 "Data Ack", /* 0x14 */
187 "Data First Middle", /* 0x15 */
188 "Data Only Last", /* 0x16 */
189 "Session Confirm", /* 0x17 */
190 "Session End", /* 0x18 */
191 "Session Initialize", /* 0x19 */
192 "No Receive", /* 0x1a */
193 "Receive Outstanding", /* 0x1b */
194 "Receive Continue", /* 0x1c */
197 "Session Alive", /* 0x1f */
202 static const true_false_string flags_set = {
206 static const true_false_string flags_allowed = {
210 static const true_false_string flags_yes_no = {
215 static const true_false_string netb_version_str = {
221 void capture_netbios(const u_char *pd, int offset, packet_counts *ld)
228 process_netbios_name(const u_char *name_ptr, char *name_ret)
231 int name_type = *(name_ptr + NETBIOS_NAME_LEN - 1);
233 static const char hex_digits[16] = "0123456789abcdef";
235 for (i = 0; i < NETBIOS_NAME_LEN - 1; i++) {
236 name_char = *name_ptr++;
237 if (name_char >= ' ' && name_char <= '~')
238 *name_ret++ = name_char;
240 /* It's not printable; show it as <XX>, where
241 XX is the value in hex. */
243 *name_ret++ = hex_digits[(name_char >> 4)];
244 *name_ret++ = hex_digits[(name_char & 0x0F)];
253 int get_netbios_name( tvbuff_t *tvb, int offset, char *name_ret)
255 {/* Extract the name string and name type. Return the name string in */
256 /* name_ret and return the name_type. */
258 return process_netbios_name( tvb_get_ptr( tvb, offset, NETBIOS_NAME_LEN ), name_ret);
263 * Get a string describing the type of a NetBIOS name.
266 netbios_name_type_descr(int name_type)
268 return val_to_str(name_type, name_type_vals, "Unknown");
271 void netbios_add_name(char* label, tvbuff_t *tvb, int offset,
274 {/* add a name field display tree. Display the name and station type in sub-tree */
276 proto_tree *field_tree;
278 char name_str[(NETBIOS_NAME_LEN - 1)*4 + 1];
282 /* decode the name field */
283 name_type = get_netbios_name( tvb, offset, name_str);
284 name_type_str = netbios_name_type_descr(name_type);
285 tf = proto_tree_add_text( tree, tvb, offset, NETBIOS_NAME_LEN,
286 "%s: %s<%02x> (%s)", label, name_str, name_type, name_type_str);
288 field_tree = proto_item_add_subtree( tf, ett_netb_name);
289 proto_tree_add_string_format( field_tree, hf_netb_name, tvb, offset,
290 15, name_str, "%s", name_str);
291 proto_tree_add_uint_format( field_tree, hf_netb_name_type, tvb, offset + 15, 1, name_type,
292 "0x%02x (%s)", name_type, name_type_str);
296 static void netbios_data_first_middle_flags( tvbuff_t *tvb, proto_tree *tree, int offset)
299 proto_tree *field_tree;
301 guint flags = tvb_get_guint8( tvb, offset);
303 /* decode the flag field for Data First Middle packet*/
305 tf = proto_tree_add_text(tree, tvb, offset, 1,
306 "Flags: 0x%02x", flags);
307 field_tree = proto_item_add_subtree(tf, ett_netb_flags);
309 proto_tree_add_boolean( field_tree, hf_netb_ack, tvb, offset, 1, flags);
311 proto_tree_add_boolean( field_tree, hf_netb_ack_expected, tvb, offset, 1, flags);
313 proto_tree_add_boolean( field_tree, hf_netb_recv_cont_req, tvb, offset, 1, flags);
316 static void netbios_data_only_flags( tvbuff_t *tvb, proto_tree *tree,
319 proto_tree *field_tree;
321 guint flags = tvb_get_guint8( tvb, offset);
323 /* decode the flag field for Data Only Last packet*/
325 tf = proto_tree_add_text(tree, tvb, offset, 1,
326 "Flags: 0x%02x", flags);
327 field_tree = proto_item_add_subtree(tf, ett_netb_flags);
329 proto_tree_add_boolean( field_tree, hf_netb_ack, tvb, offset, 1, flags);
331 proto_tree_add_boolean( field_tree, hf_netb_ack_with_data, tvb, offset, 1, flags);
333 proto_tree_add_boolean( field_tree, hf_netb_ack_expected, tvb, offset, 1, flags);
338 static void netbios_add_ses_confirm_flags( tvbuff_t *tvb, proto_tree *tree,
341 proto_tree *field_tree;
343 guint flags = tvb_get_guint8( tvb, offset);
345 /* decode the flag field for Session Confirm packet */
346 tf = proto_tree_add_text(tree, tvb, offset, 1,
347 "Flags: 0x%02x", flags);
348 field_tree = proto_item_add_subtree( tf, ett_netb_flags);
350 proto_tree_add_boolean( field_tree, hf_netb_send_no_ack, tvb, offset, 1, flags);
352 proto_tree_add_boolean( field_tree, hf_netb_version, tvb, offset, 1, flags);
356 static void netbios_add_session_init_flags( tvbuff_t *tvb, proto_tree *tree,
359 proto_tree *field_tree;
361 guint flags = tvb_get_guint8( tvb, offset);
362 /* decode the flag field for Session Init packet */
364 tf = proto_tree_add_text(tree, tvb, offset, 1,
365 "Flags: 0x%02x", flags);
366 field_tree = proto_item_add_subtree(tf, ett_netb_flags);
368 proto_tree_add_boolean( field_tree, hf_netb_send_no_ack, tvb, offset, 1, flags);
370 proto_tree_add_uint( field_tree, hf_netb_largest_frame, tvb, offset, 1,
373 proto_tree_add_boolean( field_tree, hf_netb_version, tvb, offset, 1, flags);
377 static void netbios_no_receive_flags( tvbuff_t *tvb, proto_tree *tree,
381 proto_tree *field_tree;
383 guint flags = tvb_get_guint8( tvb, offset);
385 /* decode the flag field for No Receive packet*/
387 tf = proto_tree_add_text(tree, tvb, offset, 1,
388 "Flags: 0x%02x", flags);
391 field_tree = proto_item_add_subtree(tf, ett_netb_flags);
392 proto_tree_add_text(field_tree, tvb, offset, 1, "%s",
393 decode_boolean_bitfield(flags, 0x02, 8,
394 "SEND.NO.ACK data not received", NULL));
399 /************************************************************************/
401 /* The routines to display the netbios field values in the tree */
403 /************************************************************************/
406 static void nb_xmit_corrl( tvbuff_t *tvb, int offset, proto_tree *tree)
408 {/* display the transmit correlator */
410 proto_tree_add_int( tree, hf_netb_xmit_corrl, tvb, offset + NB_XMIT_CORL,
411 2, tvb_get_letohs( tvb, offset + NB_XMIT_CORL));
415 static void nb_resp_corrl( tvbuff_t *tvb, int offset, proto_tree *tree)
417 {/* display the response correlator */
419 proto_tree_add_int( tree, hf_netb_resp_corrl, tvb, offset + NB_RESP_CORL,
420 2, tvb_get_letohs( tvb, offset + NB_RESP_CORL));
424 static void nb_call_name_type( tvbuff_t *tvb, int offset, proto_tree *tree)
426 {/* display the call name type */
429 int name_type_value = tvb_get_guint8( tvb, offset + NB_CALL_NAME_TYPE);
431 switch (name_type_value) {
434 proto_tree_add_int_format( tree, hf_netb_call_name_type, tvb, offset + NB_CALL_NAME_TYPE,
435 2, tvb_get_letohs( tvb, offset + NB_CALL_NAME_TYPE), "Caller's Name Type: Unique name");
439 proto_tree_add_int_format( tree, hf_netb_call_name_type, tvb, offset + NB_CALL_NAME_TYPE,
440 2, tvb_get_letohs( tvb, offset + NB_CALL_NAME_TYPE), "Caller's Name Type: Group name");
444 proto_tree_add_int_format( tree, hf_netb_call_name_type, tvb, offset + NB_CALL_NAME_TYPE,
445 2, tvb_get_letohs( tvb, offset + NB_CALL_NAME_TYPE),
446 "Caller's Name Type: 0x%02x (should be 0 or 1)", name_type_value);
452 static void nb_local_session( tvbuff_t *tvb, int offset, proto_tree *tree)
454 {/* add the local session to tree */
456 proto_tree_add_uint( tree, hf_netb_local_ses_no, tvb, offset + NB_LOCAL_SES, 1,
457 tvb_get_guint8( tvb, offset + NB_LOCAL_SES));
462 static void nb_remote_session( tvbuff_t *tvb, int offset, proto_tree *tree)
464 {/* add the remote session to tree */
466 proto_tree_add_uint( tree, hf_netb_remote_ses_no, tvb, offset + NB_RMT_SES, 1,
467 tvb_get_guint8( tvb, offset + NB_RMT_SES));
472 static void nb_data2(char *label, int len, tvbuff_t *tvb, int offset,
475 {/* add the DATA2 to tree with format string = label and length of len */
477 int value = (len == 1 ? tvb_get_guint8( tvb, offset + NB_DATA2)
478 : tvb_get_letohs( tvb, offset + NB_DATA2));
480 proto_tree_add_uint( tree, hf_netb_data2, tvb, offset + NB_DATA2, 2, value);
485 static void nb_resync_indicator( tvbuff_t *tvb, int offset, proto_tree *tree, char *cmd_str)
487 guint16 resync_indicator = tvb_get_letohs( tvb, offset + NB_DATA2);
490 switch (resync_indicator) {
493 proto_tree_add_text(tree, tvb, offset + NB_DATA2, 2,
494 "Re-sync indicator: No re-sync");
498 proto_tree_add_text(tree, tvb, offset + NB_DATA2, 2,
499 "Re-sync indicator: First '%s' following 'Receive Outstanding'", cmd_str);
503 proto_tree_add_text(tree, tvb, offset + NB_DATA2, 2,
504 "Re-sync indicator: 0x%04x", resync_indicator);
509 /************************************************************************/
511 /* The routines called by the top level to handle individual commands */
513 /************************************************************************/
515 static void dissect_netb_unknown( tvbuff_t *tvb, int offset, proto_tree *tree)
517 {/* Handle any unknow commands, do nothing */
519 /* dissect_data( tvb, offset + NB_COMMAND + 1, pinfo, tree); */
523 static void dissect_netb_add_group_name( tvbuff_t *tvb, int offset,
526 {/* Handle the ADD GROUP NAME QUERY command */
528 nb_resp_corrl( tvb, offset, tree);
530 netbios_add_name("Group name to add", tvb, offset + NB_SENDER_NAME,
535 static void dissect_netb_add_name( tvbuff_t *tvb, int offset,
538 {/* Handle the ADD NAME QUERY command */
540 nb_resp_corrl( tvb, offset, tree);
542 netbios_add_name("Name to add", tvb, offset + NB_SENDER_NAME, tree);
546 static void dissect_netb_name_in_conflict( tvbuff_t *tvb, int offset,
549 {/* Handle the NAME IN CONFLICT command */
551 netbios_add_name("Name In Conflict", tvb, offset + NB_RECVER_NAME,
553 netbios_add_name("Sender's Name", tvb, offset + NB_SENDER_NAME, tree);
557 static void dissect_netb_status_query( tvbuff_t *tvb, int offset, proto_tree *tree)
559 {/* Handle the STATUS QUERY command */
561 guint8 status_request = tvb_get_guint8( tvb, offset + NB_DATA1);
563 switch (status_request) {
566 proto_tree_add_text(tree, tvb, offset + NB_DATA1, 1,
567 "Status request: NetBIOS 1.x or 2.0");
571 proto_tree_add_text(tree, tvb, offset + NB_DATA1, 1,
572 "Status request: NetBIOS 2.1, initial status request");
576 proto_tree_add_text(tree, tvb, offset + NB_DATA1, 1,
577 "Status request: NetBIOS 2.1, %u names received so far",
581 nb_data2("Length of status buffer: %u", 2, tvb, offset, tree);
582 nb_resp_corrl( tvb, offset, tree);
583 netbios_add_name("Receiver's Name", tvb, offset + NB_RECVER_NAME, tree);
584 netbios_add_name("Sender's Name", tvb, offset + NB_SENDER_NAME,
589 static u_char zeroes[10];
591 static void dissect_netb_datagram( tvbuff_t *tvb, int offset, proto_tree *tree)
593 {/* Handle the DATAGRAM command */
595 netbios_add_name("Receiver's Name", tvb, offset + NB_RECVER_NAME, tree);
596 /* Weird. In some datagrams, this is 10 octets of 0, followed
597 by a MAC address.... */
599 if (memcmp( tvb_get_ptr( tvb,offset + NB_SENDER_NAME, 10), zeroes, 10) == 0) {
600 proto_tree_add_text( tree, tvb, offset + NB_SENDER_NAME + 10, 6,
601 "Sender's MAC Address: %s",
602 ether_to_str( tvb_get_ptr( tvb,offset + NB_SENDER_NAME + 10, 6)));
604 netbios_add_name("Sender's Name", tvb, offset + NB_SENDER_NAME,
610 static void dissect_netb_datagram_bcast( tvbuff_t *tvb, int offset,
613 {/* Handle the DATAGRAM BROADCAST command */
615 /* We assume the same weirdness can happen here.... */
616 if ( memcmp( tvb_get_ptr( tvb,offset + NB_SENDER_NAME + 10, 6), zeroes, 10) == 0) {
617 proto_tree_add_text( tree, tvb, offset + NB_SENDER_NAME + 10, 6,
618 "Sender's Node Address: %s",
619 ether_to_str( tvb_get_ptr( tvb,offset + NB_SENDER_NAME + 10, 6)));
621 netbios_add_name("Sender's Name", tvb, offset + NB_SENDER_NAME,
627 static void dissect_netb_name_query( tvbuff_t *tvb, int offset, proto_tree *tree)
629 {/* Handle the NAME QUERY command */
630 guint8 local_session_number = tvb_get_guint8( tvb, offset + NB_DATA2);
632 if (local_session_number == 0) {
633 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 1,
634 "Local Session No.: 0 (FIND.NAME request)");
636 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 1,
637 "Local Session No.: 0x%02x", local_session_number);
639 nb_call_name_type( tvb, offset, tree);
640 nb_resp_corrl( tvb, offset, tree);
641 netbios_add_name("Query Name", tvb, offset + NB_RECVER_NAME, tree);
642 if (local_session_number != 0) {
643 netbios_add_name("Sender's Name", tvb, offset + NB_SENDER_NAME,
649 static void dissect_netb_add_name_resp( tvbuff_t *tvb, int offset,
652 {/* Handle the ADD NAME RESPONSE command */
653 guint8 status = tvb_get_guint8( tvb, offset + NB_DATA1);
654 guint16 name_type = tvb_get_letohs( tvb, offset + NB_DATA2);
659 proto_tree_add_text( tree, tvb, offset + NB_DATA1, 1,
660 "Status: Add name not in process");
664 proto_tree_add_text( tree, tvb, offset + NB_DATA1, 1,
665 "Status: Add name in process");
669 proto_tree_add_text( tree, tvb, offset + NB_DATA1, 1,
670 "Status: 0x%02x (should be 0 or 1)", status);
677 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 2,
678 "Name type: Unique name");
682 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 2,
683 "Name type: Group name");
687 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 2,
688 "Name type: 0x%04x (should be 0 or 1)", name_type);
692 nb_xmit_corrl( tvb, offset, tree);
693 netbios_add_name("Name to be added", tvb, offset + NB_RECVER_NAME,
695 netbios_add_name("Name to be added", tvb, offset + NB_SENDER_NAME,
700 static void dissect_netb_name_resp( tvbuff_t *tvb, int offset,
703 {/* Handle the NAME RECOGNIZED command */
704 guint8 local_session_number = tvb_get_guint8( tvb, offset + NB_DATA2);
706 switch (local_session_number) {
709 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 1,
710 "State of name: No LISTEN pending, or FIND.NAME response");
714 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 1,
715 "State of name: LISTEN pending, but insufficient resources to establish session");
719 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 1,
720 "Local Session No.: 0x%02x", local_session_number);
723 nb_call_name_type( tvb, offset, tree);
724 nb_xmit_corrl( tvb, offset, tree);
725 if (local_session_number != 0x00 && local_session_number != 0xFF)
726 nb_resp_corrl(tvb, offset, tree);
727 netbios_add_name("Receiver's Name", tvb, offset + NB_RECVER_NAME, tree);
728 if (local_session_number != 0x00 && local_session_number != 0xFF) {
729 netbios_add_name("Sender's Name", tvb, offset + NB_SENDER_NAME,
735 static void dissect_netb_status_resp( tvbuff_t *tvb, int offset, proto_tree *tree)
737 {/* Handle the STATUS RESPONSE command */
738 guint8 status_response = tvb_get_guint8( tvb, offset + NB_DATA1);
740 proto_tree *data2_tree;
743 nb_call_name_type( tvb, offset, tree);
744 if (status_response == 0) {
745 proto_tree_add_text(tree, tvb, offset + NB_DATA1, 1,
746 "Status response: NetBIOS 1.x or 2.0");
748 proto_tree_add_text(tree, tvb, offset + NB_DATA1, 1,
749 "Status response: NetBIOS 2.1, %u names sent so far",
752 data2 = tvb_get_letohs( tvb, offset + NB_DATA2);
754 td2 = proto_tree_add_text(tree, tvb, offset + NB_DATA2, 2, "Status: 0x%04x",
756 data2_tree = proto_item_add_subtree(td2, ett_netb_status);
757 if (data2 & 0x8000) {
758 proto_tree_add_text(data2_tree, tvb, offset, 2, "%s",
759 decode_boolean_bitfield(data2, 0x8000, 8*2,
760 "Data length exceeds maximum frame size", NULL));
762 if (data2 & 0x4000) {
763 proto_tree_add_text(data2_tree, tvb, offset, 2, "%s",
764 decode_boolean_bitfield(data2, 0x4000, 8*2,
765 "Data length exceeds user's buffer", NULL));
767 proto_tree_add_text(data2_tree, tvb, offset, 2, "%s",
768 decode_numeric_bitfield(data2, 0x3FFF, 2*8,
769 "Status data length = %u"));
770 nb_xmit_corrl( tvb, offset, tree);
771 netbios_add_name("Receiver's Name", tvb, offset + NB_RECVER_NAME, tree);
772 netbios_add_name("Sender's Name", tvb, offset + NB_SENDER_NAME,
777 static void dissect_netb_data_ack( tvbuff_t* tvb, int offset, proto_tree *tree)
779 {/* Handle the DATA ACK command */
781 nb_xmit_corrl( tvb, offset, tree);
782 nb_remote_session( tvb, offset, tree);
783 nb_local_session( tvb, offset, tree);
787 static void dissect_netb_data_first_middle( tvbuff_t *tvb, int offset,
790 {/* Handle the DATA FIRST MIDDLE command */
792 netbios_data_first_middle_flags( tvb, tree, offset + NB_FLAGS);
794 nb_resync_indicator( tvb, offset, tree, "DATA FIRST MIDDLE");
795 nb_xmit_corrl( tvb, offset, tree);
796 nb_resp_corrl( tvb, offset, tree);
797 nb_remote_session( tvb, offset, tree);
798 nb_local_session( tvb, offset, tree);
802 static void dissect_netb_data_only_last( tvbuff_t *tvb, int offset,
805 {/* Handle the DATA ONLY LAST command */
807 netbios_data_only_flags( tvb, tree, offset + NB_FLAGS);
809 nb_resync_indicator( tvb, offset, tree, "DATA ONLY LAST");
810 nb_xmit_corrl( tvb, offset, tree);
811 nb_resp_corrl( tvb, offset, tree);
812 nb_remote_session( tvb, offset, tree);
813 nb_local_session( tvb, offset, tree);
817 static void dissect_netb_session_confirm( tvbuff_t *tvb, int offset,
820 {/* Handle the SESSION CONFIRM command */
822 netbios_add_ses_confirm_flags( tvb, tree, offset + NB_FLAGS);
824 nb_data2("Max data recv size: %u", 2, tvb, offset, tree);
825 nb_xmit_corrl( tvb, offset, tree);
826 nb_resp_corrl( tvb, offset, tree);
827 nb_remote_session( tvb, offset, tree);
828 nb_local_session( tvb, offset, tree);
832 static void dissect_netb_session_end( tvbuff_t *tvb, int offset,
835 {/* Handle the SESSION END command */
836 guint16 termination_indicator = tvb_get_letohs( tvb, offset + NB_DATA2);
838 switch (termination_indicator) {
841 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 2,
842 "Termination indicator: Normal session end");
846 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 2,
847 "Termination indicator: Abormal session end");
851 proto_tree_add_text( tree, tvb, offset + NB_DATA2, 2,
852 "Termination indicator: 0x%04x (should be 0x0000 or 0x0001)",
853 termination_indicator);
857 nb_remote_session( tvb, offset, tree);
858 nb_local_session( tvb, offset, tree);
862 static void dissect_netb_session_init( tvbuff_t *tvb, int offset,
865 {/* Handle the SESSION INITIALIZE command */
867 netbios_add_session_init_flags( tvb, tree, offset + NB_FLAGS);
869 nb_data2("Max data recv size: %u", 2, tvb, offset, tree);
870 nb_resp_corrl( tvb, offset, tree);
871 nb_xmit_corrl( tvb, offset, tree);
872 nb_remote_session( tvb, offset, tree);
873 nb_local_session( tvb, offset, tree);
876 static void dissect_netb_no_receive( tvbuff_t *tvb, int offset,
879 {/* Handle the NO RECEIVE command */
881 netbios_no_receive_flags( tvb, tree, offset + NB_FLAGS);
883 nb_data2("Number of data bytes accepted: %u", 2, tvb, offset, tree);
884 nb_remote_session( tvb, offset, tree);
885 nb_local_session( tvb, offset, tree);
889 static void dissect_netb_receive_outstanding( tvbuff_t *tvb, int offset,
892 {/* Handle the RECEIVE OUTSTANDING command */
894 nb_data2("Number of data bytes accepted: %u", 2, tvb, offset, tree);
895 nb_remote_session( tvb, offset, tree);
896 nb_local_session( tvb, offset, tree);
900 static void dissect_netb_receive_continue( tvbuff_t *tvb, int offset,
903 {/* Handle the RECEIVE CONTINUE command */
905 nb_xmit_corrl( tvb, offset, tree);
906 nb_remote_session( tvb, offset, tree);
907 nb_local_session( tvb, offset, tree);
911 /************************************************************************/
913 /* The table routines called by the top level to handle commands */
915 /************************************************************************/
918 void (*dissect_netb[])(tvbuff_t *, int, proto_tree *) = {
920 dissect_netb_add_group_name, /* Add Group Name 0x00 */
921 dissect_netb_add_name, /* Add Name 0x01 */
922 dissect_netb_name_in_conflict,/* Name In Conflict 0x02 */
923 dissect_netb_status_query, /* Status Query 0x03 */
924 dissect_netb_unknown, /* unknown 0x04 */
925 dissect_netb_unknown, /* unknown 0x05 */
926 dissect_netb_unknown, /* unknown 0x06 */
927 dissect_netb_unknown, /* Terminate Trace 0x07 */
928 dissect_netb_datagram, /* Datagram 0x08 */
929 dissect_netb_datagram_bcast, /* Datagram Broadcast 0x09 */
930 dissect_netb_name_query, /* Name Query 0x0A */
931 dissect_netb_unknown, /* unknown 0x0B */
932 dissect_netb_unknown, /* unknown 0x0C */
933 dissect_netb_add_name_resp, /* Add Name Response 0x0D */
934 dissect_netb_name_resp, /* Name Recognized 0x0E */
935 dissect_netb_status_resp, /* Status Response 0x0F */
936 dissect_netb_unknown, /* unknown 0x10 */
937 dissect_netb_unknown, /* unknown 0x11 */
938 dissect_netb_unknown, /* unknown 0x12 */
939 dissect_netb_unknown, /* Terminate Trace 0x13 */
940 dissect_netb_data_ack, /* Data Ack 0x14 */
941 dissect_netb_data_first_middle,/* Data First Middle 0x15 */
942 dissect_netb_data_only_last, /* Data Only Last 0x16 */
943 dissect_netb_session_confirm, /* Session Confirm 0x17 */
944 dissect_netb_session_end, /* Session End 0x18 */
945 dissect_netb_session_init, /* Session Initialize 0x19 */
946 dissect_netb_no_receive, /* No Receive 0x1A */
947 dissect_netb_receive_outstanding,/* Receive Outstanding 0x1B */
948 dissect_netb_receive_continue,/* Receive Continue 0x1C */
949 dissect_netb_unknown, /* unknown 0x1D */
950 dissect_netb_unknown, /* unknown 0x1E */
952 dissect_netb_unknown, /* Session Alive 0x1f (nothing to do) */
953 dissect_netb_unknown,
956 static heur_dissector_list_t netbios_heur_subdissector_list;
959 dissect_netbios_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
962 * Try the heuristic dissectors for NetBIOS; if none of them
963 * accept the packet, dissect it as data.
965 if (!dissector_try_heuristic(netbios_heur_subdissector_list,
967 dissect_data(tvb, 0, pinfo, tree);
971 dissect_netbios(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
974 proto_tree *netb_tree;
976 guint16 hdr_len, command;
977 char name[(NETBIOS_NAME_LEN - 1)*4 + 1];
983 /* load the display labels */
984 if (check_col(pinfo->fd, COL_PROTOCOL))
985 col_set_str(pinfo->fd, COL_PROTOCOL, "NetBIOS");
988 /* Find NetBIOS marker EFFF, this is done because I have seen an extra LLC */
989 /* byte on our network. This only checks for one extra LLC byte. */
991 if ( 0xefff != tvb_get_letohs(tvb, 2)){
993 if ( 0xefff != tvb_get_letohs(tvb, 3)){
995 if (check_col( pinfo->fd, COL_INFO)) /* print bad packet */
996 col_set_str( pinfo->fd, COL_INFO, "Bad packet, no 0xEFFF marker");
998 return; /* this is an unknow packet, no marker */
1003 hdr_len = tvb_get_letohs(tvb, offset + NB_LENGTH);
1004 command = tvb_get_guint8( tvb, offset + NB_COMMAND);
1005 /* limit command so no table overflows */
1006 command = MIN( command, sizeof( dissect_netb)/ sizeof(void *));
1008 if (check_col( pinfo->fd, COL_INFO)) { /* print command name */
1009 switch ( command ) {
1011 name_type = get_netbios_name( tvb, offset + 12, name);
1012 col_add_fstr( pinfo->fd, COL_INFO, "%s for %s<%02x>",
1013 CommandName[ command], name, name_type);
1019 name_type = get_netbios_name( tvb, offset + 28, name);
1020 col_add_fstr( pinfo->fd, COL_INFO, "%s - %s<%02x>",
1021 CommandName[ command], name, name_type);
1025 col_add_fstr( pinfo->fd, COL_INFO, "%s", CommandName[ command]);
1031 ti = proto_tree_add_item(tree, proto_netbios, tvb, 0, hdr_len, FALSE);
1032 netb_tree = proto_item_add_subtree(ti, ett_netb);
1034 proto_tree_add_uint_format(netb_tree, hf_netb_hdr_len, tvb, offset, 2, hdr_len,
1035 "Length: %d bytes", hdr_len);
1037 proto_tree_add_text(netb_tree, tvb, offset + 2, 2,
1038 "Delimiter: EFFF (NetBIOS)");
1040 proto_tree_add_uint_format(netb_tree, hf_netb_cmd, tvb, offset + NB_COMMAND, 1, command,
1041 "Command: 0x%02x (%s)", command, CommandName[ command]);
1043 /* if command in table range */
1044 if ( command < sizeof( dissect_netb)/ sizeof(void *))
1046 /* branch to handle commands */
1047 (dissect_netb[ command])( tvb, offset, netb_tree);
1050 offset += hdr_len; /* move past header */
1052 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
1053 dissect_netbios_payload(next_tvb, pinfo, tree);
1057 void proto_register_netbios(void)
1059 static gint *ett[] = {
1066 static hf_register_info hf_netb[] = {
1068 { "Command", "netbios.command", FT_UINT16, BASE_HEX, NULL, 0x0,
1071 { "Header Length", "netbios.hdr_len", FT_UINT16, BASE_DEC, NULL, 0x0,
1074 { &hf_netb_xmit_corrl,
1075 { "Transmit Correlator", "netbios.xmit_corrl", FT_INT16, BASE_HEX, NULL, 0x0,
1078 { &hf_netb_resp_corrl,
1079 { "Response Correlator", "netbios.resp_corrl", FT_INT16, BASE_HEX, NULL, 0x0,
1081 { &hf_netb_call_name_type,
1082 { "Call Name Type", "netbios.call_name_type", FT_INT16, BASE_HEX, NULL, 0x0,
1084 { &hf_netb_name_type,
1085 { "Netbios Name Type", "netbios.name_type", FT_UINT16, BASE_HEX, NULL, 0x0,
1088 { "Netbios Name", "netbios.name", FT_STRING, BASE_NONE, NULL, 0x0,
1092 { "Acknowledge", "netbios.ack", FT_BOOLEAN, 8, TFS( &flags_set), 0x08,
1095 { &hf_netb_ack_with_data,
1096 { "Acknowledge with data", "netbios.ack_with_data", FT_BOOLEAN, 8, TFS( &flags_allowed), 0x04,
1099 { &hf_netb_ack_expected,
1100 { "Acknowledge expected", "netbios.ack_expected", FT_BOOLEAN, 8,
1101 TFS( &flags_yes_no), 0x02, "", HFILL }},
1103 { &hf_netb_recv_cont_req,
1104 { "RECEIVE_CONTINUE requested", "netbios.recv_cont_req", FT_BOOLEAN, 8,
1105 TFS( &flags_yes_no), 0x01, "", HFILL }},
1107 { &hf_netb_send_no_ack,
1108 { "Handle SEND.NO.ACK", "netbios.send_no_ack", FT_BOOLEAN, 8,
1109 TFS( &flags_yes_no), 0x80, "", HFILL }},
1112 { "NetBIOS Version", "netbios.version", FT_BOOLEAN, 8,
1113 TFS( &netb_version_str), 0x01, "", HFILL }},
1115 { &hf_netb_largest_frame,
1116 { "Largest Frame", "netbios.largest_frame", FT_UINT8, BASE_HEX, NULL, 0x0E,
1119 { &hf_netb_local_ses_no,
1120 { "Local Session No. ", "netbios.local_session", FT_UINT8, BASE_HEX, NULL, 0x0,
1123 { &hf_netb_remote_ses_no,
1124 { "Remote Session No. ", "netbios.remote_session", FT_UINT8, BASE_HEX, NULL, 0x0,
1128 { "DATA2 value ", "netbios.data2", FT_UINT16, BASE_HEX, NULL, 0x0,
1132 proto_netbios = proto_register_protocol("NetBIOS", "NetBIOS", "netbios");
1133 proto_register_subtree_array(ett, array_length(ett));
1134 proto_register_field_array(proto_netbios, hf_netb, array_length(hf_netb));
1136 register_heur_dissector_list("netbios", &netbios_heur_subdissector_list);
1140 proto_reg_handoff_netbios(void)
1142 dissector_add("llc.dsap", SAP_NETBIOS, dissect_netbios, proto_netbios);
git.samba.org / obnox / wireshark / wip.git / blob