2 * Common routines for smb packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
5 * $Id: packet-smb-common.c,v 1.19 2004/01/05 19:31:44 ulfl Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * Copied from packet-pop.c
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 #include "packet-smb-common.h"
31 * Share type values - used in LANMAN and in SRVSVC.
33 * XXX - should we dissect share type values, at least in SRVSVC, as
34 * a subtree with bitfields, as the 0x80000000 bit appears to be a
35 * hidden bit, with some number of bits at the bottom being the share
38 * Does LANMAN use that bit?
40 const value_string share_type_vals[] = {
41 {0, "Directory tree"},
43 {2, "Communications device"},
45 {0x80000000, "Hidden Directory tree"},
46 {0x80000001, "Hidden Printer queue"},
47 {0x80000002, "Hidden Communications device"},
48 {0x80000003, "Hidden IPC"},
52 int display_ms_string(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_index, char **data)
57 /* display a string from the tree and return the new offset */
59 str = tvb_get_stringz(tvb, offset, &len);
60 proto_tree_add_string(tree, hf_index, tvb, offset, len, str);
62 /* Return a copy of the string if requested */
73 int display_unicode_string(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_index, char **data)
80 /* display a unicode string from the tree and return new offset */
83 * Get the length of the string.
84 * XXX - is it a bug or a feature that this will throw an exception
85 * if we don't find the '\0'? I think it's a feature.
88 while ((character = tvb_get_letohs(tvb, offset + len)) != '\0')
90 len += 2; /* count the '\0' too */
93 * Allocate a buffer for the string; "len" is the length in
94 * bytes, not the length in characters.
96 str = g_malloc(len/2);
99 * XXX - this assumes the string is just ISO 8859-1; we need
100 * to better handle multiple character sets in Ethereal,
101 * including Unicode/ISO 10646, and multiple encodings of
102 * that character set (UCS-2, UTF-8, etc.).
106 while ((character = tvb_get_letohs(tvb, charoffset)) != '\0') {
107 *p++ = (char) character;
112 proto_tree_add_string(tree, hf_index, tvb, offset, len, str);
122 /* Max string length for displaying Unicode strings. */
123 #define MAX_UNICODE_STR_LEN 256
125 /* Turn a little-endian Unicode '\0'-terminated string into a string we
127 XXX - for now, we just handle the ISO 8859-1 characters.
128 If exactlen==TRUE then us_lenp contains the exact len of the string in
129 bytes. It might not be null terminated !
130 bc specifies the number of bytes in the byte parameters; Windows 2000,
131 at least, appears, in some cases, to put only 1 byte of 0 at the end
132 of a Unicode string if the byte count
135 unicode_to_str(tvbuff_t *tvb, int offset, int *us_lenp, gboolean exactlen,
138 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
146 if (cur == &str[0][0]) {
148 } else if (cur == &str[1][0]) {
154 len = MAX_UNICODE_STR_LEN;
160 /* XXX - explain this */
162 us_len += 1; /* this is a one-byte null terminator */
165 uchar = tvb_get_letohs(tvb, offset);
167 us_len += 2; /* this is a two-byte null terminator */
171 if ((uchar & 0xFF00) == 0)
172 *p++ = (gchar) uchar; /* ISO 8859-1 */
174 *p++ = '?'; /* not 8859-1 */
182 if(us_len>= *us_lenp){
188 /* Note that we're not showing the full string. */
198 /* nopad == TRUE : Do not add any padding before this string
199 * exactlen == TRUE : len contains the exact len of the string in bytes.
200 * bc: pointer to variable with amount of data left in the byte parameters
204 get_unicode_or_ascii_string(tvbuff_t *tvb, int *offsetp,
205 gboolean useunicode, int *len, gboolean nopad, gboolean exactlen,
208 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
212 unsigned int copylen;
215 /* Not enough data in buffer */
219 if ((!nopad) && (*offsetp % 2)) {
221 * XXX - this should be an offset relative to the beginning of the SMB,
222 * not an offset relative to the beginning of the frame; if the stuff
223 * before the SMB has an odd number of bytes, an offset relative to
224 * the beginning of the frame will give the wrong answer.
226 (*offsetp)++; /* Looks like a pad byte there sometimes */
229 /* Not enough data in buffer */
236 string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
240 * The string we return must be null-terminated.
242 if (cur == &str[0][0]) {
244 } else if (cur == &str[1][0]) {
250 if (copylen > MAX_UNICODE_STR_LEN)
251 copylen = MAX_UNICODE_STR_LEN;
252 tvb_memcpy(tvb, (guint8 *)cur, *offsetp, copylen);
254 if (copylen > MAX_UNICODE_STR_LEN)
259 string_len = tvb_strsize(tvb, *offsetp);
260 string = tvb_get_ptr(tvb, *offsetp, string_len);
268 dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
270 /* display data as unknown */
272 proto_tree_add_text(tree, tvb, offset, -1, "Data (%u bytes)",
273 tvb_reported_length_remaining(tvb, offset));
275 return offset+tvb_length_remaining(tvb, offset);
278 /* Dissect a NTLM response. This is documented at
279 http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
281 static int hf_ntlmv2_response = -1;
282 static int hf_ntlmv2_response_hmac = -1;
283 static int hf_ntlmv2_response_header = -1;
284 static int hf_ntlmv2_response_reserved = -1;
285 static int hf_ntlmv2_response_time = -1;
286 static int hf_ntlmv2_response_chal = -1;
287 static int hf_ntlmv2_response_unknown = -1;
288 static int hf_ntlmv2_response_name = -1;
289 static int hf_ntlmv2_response_name_type = -1;
290 static int hf_ntlmv2_response_name_len = -1;
292 static gint ett_ntlmv2_response = -1;
293 static gint ett_ntlmv2_response_name = -1;
297 const value_string ntlm_name_types[] = {
298 { NTLM_NAME_END, "End of list" },
299 { NTLM_NAME_NB_HOST, "NetBIOS host name" },
300 { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" },
301 { NTLM_NAME_DNS_HOST, "DNS host name" },
302 { NTLM_NAME_DNS_DOMAIN, "DNS domain name" },
307 dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *tree, int offset, int len)
309 proto_item *ntlmv2_item = NULL;
310 proto_tree *ntlmv2_tree = NULL;
312 /* Dissect NTLMv2 bits&pieces */
315 ntlmv2_item = proto_tree_add_item(
316 tree, hf_ntlmv2_response, tvb,
318 ntlmv2_tree = proto_item_add_subtree(
319 ntlmv2_item, ett_ntlmv2_response);
323 ntlmv2_tree, hf_ntlmv2_response_hmac, tvb,
329 ntlmv2_tree, hf_ntlmv2_response_header, tvb,
335 ntlmv2_tree, hf_ntlmv2_response_reserved, tvb,
340 offset = dissect_smb_64bit_time(
341 tvb, ntlmv2_tree, offset, hf_ntlmv2_response_time);
344 ntlmv2_tree, hf_ntlmv2_response_chal, tvb,
350 ntlmv2_tree, hf_ntlmv2_response_unknown, tvb,
355 /* Variable length list of names */
358 guint16 name_type = tvb_get_letohs(tvb, offset);
359 guint16 name_len = tvb_get_letohs(tvb, offset + 2);
360 proto_tree *name_tree = NULL;
361 proto_item *name_item = NULL;
365 name_item = proto_tree_add_item(
366 ntlmv2_tree, hf_ntlmv2_response_name,
367 tvb, offset, 0, TRUE);
368 name_tree = proto_item_add_subtree(
369 name_item, ett_ntlmv2_response_name);
372 /* Dissect name header */
375 name_tree, hf_ntlmv2_response_name_type, tvb,
381 name_tree, hf_ntlmv2_response_name_len, tvb,
389 name = tvb_fake_unicode(
390 tvb, offset, name_len / 2, TRUE);
393 name_tree, tvb, offset, name_len,
396 name = g_strdup("NULL");
399 proto_item_append_text(
401 val_to_str(name_type, ntlm_name_types,
404 proto_item_append_text(
406 val_to_str(name_type, ntlm_name_types,
413 proto_item_set_len(name_item, name_len + 4);
415 if (name_type == 0) /* End of list */
422 void register_smb_common(int proto_smb)
424 static hf_register_info hf[] = {
426 { &hf_ntlmv2_response,
427 { "NTLMv2 Response", "smb.ntlmv2response", FT_BYTES,
428 BASE_HEX, NULL, 0x0, "", HFILL }},
430 { &hf_ntlmv2_response_hmac,
431 { "HMAC", "smb.ntlmv2response.hmac", FT_BYTES, BASE_HEX,
432 NULL, 0x0, "", HFILL }},
434 { &hf_ntlmv2_response_header,
435 { "Header", "smb.ntlmv2response.header", FT_UINT32,
436 BASE_HEX, NULL, 0x0, "", HFILL }},
438 { &hf_ntlmv2_response_reserved,
439 { "Reserved", "smb.ntlmv2response.reserved", FT_UINT32,
440 BASE_HEX, NULL, 0x0, "", HFILL }},
442 { &hf_ntlmv2_response_time,
443 { "Time", "smb.ntlmv2response.time", FT_ABSOLUTE_TIME,
444 BASE_NONE, NULL, 0, "", HFILL }},
446 { &hf_ntlmv2_response_chal,
447 { "Client challenge", "smb.ntlmv2response.chal", FT_BYTES,
448 BASE_HEX, NULL, 0x0, "", HFILL }},
450 { &hf_ntlmv2_response_unknown,
451 { "Unknown", "smb.ntlmv2response.unknown", FT_UINT32,
452 BASE_HEX, NULL, 0x0, "", HFILL }},
454 { &hf_ntlmv2_response_name,
455 { "Name", "smb.ntlmv2response.name", FT_STRING, BASE_NONE,
456 NULL, 0x0, "", HFILL }},
458 { &hf_ntlmv2_response_name_type,
459 { "Name type", "smb.ntlmv2response.name.type", FT_UINT32,
460 BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }},
462 { &hf_ntlmv2_response_name_len,
463 { "Name len", "smb.ntlmv2response.name.len", FT_UINT32,
464 BASE_DEC, NULL, 0x0, "", HFILL }}
467 static gint *ett[] = {
468 &ett_ntlmv2_response,
469 &ett_ntlmv2_response_name
472 proto_register_subtree_array(ett, array_length(ett));
473 proto_register_field_array(proto_smb, hf, array_length(hf));