2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.284 2002/08/28 21:00:31 jmayer Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/conversation.h>
42 #include "alignment.h"
43 #include <epan/strutil.h>
45 #include "reassemble.h"
47 #include "packet-smb-common.h"
48 #include "packet-smb-mailslot.h"
49 #include "packet-smb-pipe.h"
52 * Various specifications and documents about SMB can be found in
54 * ftp://ftp.microsoft.com/developr/drg/CIFS/
56 * and a CIFS specification from the Storage Networking Industry Association
57 * can be found on a link from the page at
59 * http://www.snia.org/English/Collaterals/Work_Group_Docs/NAS/CIFS/CIFS_Technical_Reference.pdf
61 * (it supercedes the document at
63 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
67 * There are also some Open Group publications documenting CIFS for sale;
68 * catalog entries for them are at:
70 * http://www.opengroup.org/products/publications/catalog/c209.htm
72 * http://www.opengroup.org/products/publications/catalog/c195.htm
74 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
77 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
79 * (or, presumably a similar path under the Samba mirrors). As the
80 * ".doc" indicates, it's a Word document. Some of the specs from the
81 * Microsoft FTP site can be found in the
83 * http://www.samba.org/samba/ftp/specs/
87 * Beware - these specs may have errors.
89 static int proto_smb = -1;
90 static int hf_smb_cmd = -1;
91 static int hf_smb_pid = -1;
92 static int hf_smb_tid = -1;
93 static int hf_smb_uid = -1;
94 static int hf_smb_mid = -1;
95 static int hf_smb_response_to = -1;
96 static int hf_smb_time = -1;
97 static int hf_smb_response_in = -1;
98 static int hf_smb_continuation_to = -1;
99 static int hf_smb_nt_status = -1;
100 static int hf_smb_error_class = -1;
101 static int hf_smb_error_code = -1;
102 static int hf_smb_reserved = -1;
103 static int hf_smb_flags_lock = -1;
104 static int hf_smb_flags_receive_buffer = -1;
105 static int hf_smb_flags_caseless = -1;
106 static int hf_smb_flags_canon = -1;
107 static int hf_smb_flags_oplock = -1;
108 static int hf_smb_flags_notify = -1;
109 static int hf_smb_flags_response = -1;
110 static int hf_smb_flags2_long_names_allowed = -1;
111 static int hf_smb_flags2_ea = -1;
112 static int hf_smb_flags2_sec_sig = -1;
113 static int hf_smb_flags2_long_names_used = -1;
114 static int hf_smb_flags2_esn = -1;
115 static int hf_smb_flags2_dfs = -1;
116 static int hf_smb_flags2_roe = -1;
117 static int hf_smb_flags2_nt_error = -1;
118 static int hf_smb_flags2_string = -1;
119 static int hf_smb_word_count = -1;
120 static int hf_smb_byte_count = -1;
121 static int hf_smb_buffer_format = -1;
122 static int hf_smb_dialect_name = -1;
123 static int hf_smb_dialect_index = -1;
124 static int hf_smb_max_trans_buf_size = -1;
125 static int hf_smb_max_mpx_count = -1;
126 static int hf_smb_max_vcs_num = -1;
127 static int hf_smb_session_key = -1;
128 static int hf_smb_server_timezone = -1;
129 static int hf_smb_encryption_key_length = -1;
130 static int hf_smb_encryption_key = -1;
131 static int hf_smb_primary_domain = -1;
132 static int hf_smb_server = -1;
133 static int hf_smb_max_raw_buf_size = -1;
134 static int hf_smb_server_guid = -1;
135 static int hf_smb_security_blob_len = -1;
136 static int hf_smb_security_blob = -1;
137 static int hf_smb_sm_mode16 = -1;
138 static int hf_smb_sm_password16 = -1;
139 static int hf_smb_sm_mode = -1;
140 static int hf_smb_sm_password = -1;
141 static int hf_smb_sm_signatures = -1;
142 static int hf_smb_sm_sig_required = -1;
143 static int hf_smb_rm_read = -1;
144 static int hf_smb_rm_write = -1;
145 static int hf_smb_server_date_time = -1;
146 static int hf_smb_server_smb_date = -1;
147 static int hf_smb_server_smb_time = -1;
148 static int hf_smb_server_cap_raw_mode = -1;
149 static int hf_smb_server_cap_mpx_mode = -1;
150 static int hf_smb_server_cap_unicode = -1;
151 static int hf_smb_server_cap_large_files = -1;
152 static int hf_smb_server_cap_nt_smbs = -1;
153 static int hf_smb_server_cap_rpc_remote_apis = -1;
154 static int hf_smb_server_cap_nt_status = -1;
155 static int hf_smb_server_cap_level_ii_oplocks = -1;
156 static int hf_smb_server_cap_lock_and_read = -1;
157 static int hf_smb_server_cap_nt_find = -1;
158 static int hf_smb_server_cap_dfs = -1;
159 static int hf_smb_server_cap_infolevel_passthru = -1;
160 static int hf_smb_server_cap_large_readx = -1;
161 static int hf_smb_server_cap_large_writex = -1;
162 static int hf_smb_server_cap_unix = -1;
163 static int hf_smb_server_cap_reserved = -1;
164 static int hf_smb_server_cap_bulk_transfer = -1;
165 static int hf_smb_server_cap_compressed_data = -1;
166 static int hf_smb_server_cap_extended_security = -1;
167 static int hf_smb_system_time = -1;
168 static int hf_smb_unknown = -1;
169 static int hf_smb_dir_name = -1;
170 static int hf_smb_echo_count = -1;
171 static int hf_smb_echo_data = -1;
172 static int hf_smb_echo_seq_num = -1;
173 static int hf_smb_max_buf_size = -1;
174 static int hf_smb_password = -1;
175 static int hf_smb_password_len = -1;
176 static int hf_smb_ansi_password = -1;
177 static int hf_smb_ansi_password_len = -1;
178 static int hf_smb_unicode_password = -1;
179 static int hf_smb_unicode_password_len = -1;
180 static int hf_smb_path = -1;
181 static int hf_smb_service = -1;
182 static int hf_smb_move_flags_file = -1;
183 static int hf_smb_move_flags_dir = -1;
184 static int hf_smb_move_flags_verify = -1;
185 static int hf_smb_files_moved = -1;
186 static int hf_smb_copy_flags_file = -1;
187 static int hf_smb_copy_flags_dir = -1;
188 static int hf_smb_copy_flags_dest_mode = -1;
189 static int hf_smb_copy_flags_source_mode = -1;
190 static int hf_smb_copy_flags_verify = -1;
191 static int hf_smb_copy_flags_tree_copy = -1;
192 static int hf_smb_copy_flags_ea_action = -1;
193 static int hf_smb_count = -1;
194 static int hf_smb_file_name = -1;
195 static int hf_smb_open_function_open = -1;
196 static int hf_smb_open_function_create = -1;
197 static int hf_smb_fid = -1;
198 static int hf_smb_file_attr_read_only_16bit = -1;
199 static int hf_smb_file_attr_read_only_8bit = -1;
200 static int hf_smb_file_attr_hidden_16bit = -1;
201 static int hf_smb_file_attr_hidden_8bit = -1;
202 static int hf_smb_file_attr_system_16bit = -1;
203 static int hf_smb_file_attr_system_8bit = -1;
204 static int hf_smb_file_attr_volume_16bit = -1;
205 static int hf_smb_file_attr_volume_8bit = -1;
206 static int hf_smb_file_attr_directory_16bit = -1;
207 static int hf_smb_file_attr_directory_8bit = -1;
208 static int hf_smb_file_attr_archive_16bit = -1;
209 static int hf_smb_file_attr_archive_8bit = -1;
210 static int hf_smb_file_attr_device = -1;
211 static int hf_smb_file_attr_normal = -1;
212 static int hf_smb_file_attr_temporary = -1;
213 static int hf_smb_file_attr_sparse = -1;
214 static int hf_smb_file_attr_reparse = -1;
215 static int hf_smb_file_attr_compressed = -1;
216 static int hf_smb_file_attr_offline = -1;
217 static int hf_smb_file_attr_not_content_indexed = -1;
218 static int hf_smb_file_attr_encrypted = -1;
219 static int hf_smb_file_size = -1;
220 static int hf_smb_search_attribute_read_only = -1;
221 static int hf_smb_search_attribute_hidden = -1;
222 static int hf_smb_search_attribute_system = -1;
223 static int hf_smb_search_attribute_volume = -1;
224 static int hf_smb_search_attribute_directory = -1;
225 static int hf_smb_search_attribute_archive = -1;
226 static int hf_smb_access_mode = -1;
227 static int hf_smb_access_sharing = -1;
228 static int hf_smb_access_locality = -1;
229 static int hf_smb_access_caching = -1;
230 static int hf_smb_access_writetru = -1;
231 static int hf_smb_create_time = -1;
232 static int hf_smb_modify_time = -1;
233 static int hf_smb_backup_time = -1;
234 static int hf_smb_mac_alloc_block_count = -1;
235 static int hf_smb_mac_alloc_block_size = -1;
236 static int hf_smb_mac_free_block_count = -1;
237 static int hf_smb_mac_fndrinfo = -1;
238 static int hf_smb_mac_root_file_count = -1;
239 static int hf_smb_mac_root_dir_count = -1;
240 static int hf_smb_mac_file_count = -1;
241 static int hf_smb_mac_dir_count = -1;
242 static int hf_smb_mac_support_flags = -1;
243 static int hf_smb_mac_sup_access_ctrl = -1;
244 static int hf_smb_mac_sup_getset_comments = -1;
245 static int hf_smb_mac_sup_desktopdb_calls = -1;
246 static int hf_smb_mac_sup_unique_ids = -1;
247 static int hf_smb_mac_sup_streams = -1;
248 static int hf_smb_create_dos_date = -1;
249 static int hf_smb_create_dos_time = -1;
250 static int hf_smb_last_write_time = -1;
251 static int hf_smb_last_write_dos_date = -1;
252 static int hf_smb_last_write_dos_time = -1;
253 static int hf_smb_access_time = -1;
254 static int hf_smb_access_dos_date = -1;
255 static int hf_smb_access_dos_time = -1;
256 static int hf_smb_old_file_name = -1;
257 static int hf_smb_offset = -1;
258 static int hf_smb_remaining = -1;
259 static int hf_smb_padding = -1;
260 static int hf_smb_file_data = -1;
261 static int hf_smb_total_data_len = -1;
262 static int hf_smb_data_len = -1;
263 static int hf_smb_seek_mode = -1;
264 static int hf_smb_data_size = -1;
265 static int hf_smb_alloc_size = -1;
266 static int hf_smb_alloc_size64 = -1;
267 static int hf_smb_max_count = -1;
268 static int hf_smb_min_count = -1;
269 static int hf_smb_timeout = -1;
270 static int hf_smb_high_offset = -1;
271 static int hf_smb_units = -1;
272 static int hf_smb_bpu = -1;
273 static int hf_smb_blocksize = -1;
274 static int hf_smb_freeunits = -1;
275 static int hf_smb_data_offset = -1;
276 static int hf_smb_dcm = -1;
277 static int hf_smb_request_mask = -1;
278 static int hf_smb_response_mask = -1;
279 static int hf_smb_sid = -1;
280 static int hf_smb_write_mode_write_through = -1;
281 static int hf_smb_write_mode_return_remaining = -1;
282 static int hf_smb_write_mode_raw = -1;
283 static int hf_smb_write_mode_message_start = -1;
284 static int hf_smb_write_mode_connectionless = -1;
285 static int hf_smb_resume_key_len = -1;
286 static int hf_smb_resume_find_id = -1;
287 static int hf_smb_resume_server_cookie = -1;
288 static int hf_smb_resume_client_cookie = -1;
289 static int hf_smb_andxoffset = -1;
290 static int hf_smb_lock_type_large = -1;
291 static int hf_smb_lock_type_cancel = -1;
292 static int hf_smb_lock_type_change = -1;
293 static int hf_smb_lock_type_oplock = -1;
294 static int hf_smb_lock_type_shared = -1;
295 static int hf_smb_locking_ol = -1;
296 static int hf_smb_number_of_locks = -1;
297 static int hf_smb_number_of_unlocks = -1;
298 static int hf_smb_lock_long_offset = -1;
299 static int hf_smb_lock_long_length = -1;
300 static int hf_smb_file_type = -1;
301 static int hf_smb_ipc_state_nonblocking = -1;
302 static int hf_smb_ipc_state_endpoint = -1;
303 static int hf_smb_ipc_state_pipe_type = -1;
304 static int hf_smb_ipc_state_read_mode = -1;
305 static int hf_smb_ipc_state_icount = -1;
306 static int hf_smb_server_fid = -1;
307 static int hf_smb_open_flags_add_info = -1;
308 static int hf_smb_open_flags_ex_oplock = -1;
309 static int hf_smb_open_flags_batch_oplock = -1;
310 static int hf_smb_open_flags_ealen = -1;
311 static int hf_smb_open_action_open = -1;
312 static int hf_smb_open_action_lock = -1;
313 static int hf_smb_vc_num = -1;
314 static int hf_smb_account = -1;
315 static int hf_smb_os = -1;
316 static int hf_smb_lanman = -1;
317 static int hf_smb_setup_action_guest = -1;
318 static int hf_smb_fs = -1;
319 static int hf_smb_connect_flags_dtid = -1;
320 static int hf_smb_connect_support_search = -1;
321 static int hf_smb_connect_support_in_dfs = -1;
322 static int hf_smb_max_setup_count = -1;
323 static int hf_smb_total_param_count = -1;
324 static int hf_smb_total_data_count = -1;
325 static int hf_smb_max_param_count = -1;
326 static int hf_smb_max_data_count = -1;
327 static int hf_smb_param_disp16 = -1;
328 static int hf_smb_param_count16 = -1;
329 static int hf_smb_param_offset16 = -1;
330 static int hf_smb_param_disp32 = -1;
331 static int hf_smb_param_count32 = -1;
332 static int hf_smb_param_offset32 = -1;
333 static int hf_smb_data_disp16 = -1;
334 static int hf_smb_data_count16 = -1;
335 static int hf_smb_data_offset16 = -1;
336 static int hf_smb_data_disp32 = -1;
337 static int hf_smb_data_count32 = -1;
338 static int hf_smb_data_offset32 = -1;
339 static int hf_smb_setup_count = -1;
340 static int hf_smb_nt_trans_subcmd = -1;
341 static int hf_smb_nt_ioctl_function_code = -1;
342 static int hf_smb_nt_ioctl_isfsctl = -1;
343 static int hf_smb_nt_ioctl_flags_root_handle = -1;
344 static int hf_smb_nt_ioctl_data = -1;
345 #ifdef SMB_UNUSED_HANDLES
346 static int hf_smb_nt_security_information = -1;
348 static int hf_smb_nt_notify_action = -1;
349 static int hf_smb_nt_notify_watch_tree = -1;
350 static int hf_smb_nt_notify_stream_write = -1;
351 static int hf_smb_nt_notify_stream_size = -1;
352 static int hf_smb_nt_notify_stream_name = -1;
353 static int hf_smb_nt_notify_security = -1;
354 static int hf_smb_nt_notify_ea = -1;
355 static int hf_smb_nt_notify_creation = -1;
356 static int hf_smb_nt_notify_last_access = -1;
357 static int hf_smb_nt_notify_last_write = -1;
358 static int hf_smb_nt_notify_size = -1;
359 static int hf_smb_nt_notify_attributes = -1;
360 static int hf_smb_nt_notify_dir_name = -1;
361 static int hf_smb_nt_notify_file_name = -1;
362 static int hf_smb_root_dir_fid = -1;
363 static int hf_smb_nt_create_disposition = -1;
364 static int hf_smb_sd_length = -1;
365 static int hf_smb_ea_length = -1;
366 static int hf_smb_file_name_len = -1;
367 static int hf_smb_nt_impersonation_level = -1;
368 static int hf_smb_nt_security_flags_context_tracking = -1;
369 static int hf_smb_nt_security_flags_effective_only = -1;
370 static int hf_smb_nt_access_mask_generic_read = -1;
371 static int hf_smb_nt_access_mask_generic_write = -1;
372 static int hf_smb_nt_access_mask_generic_execute = -1;
373 static int hf_smb_nt_access_mask_generic_all = -1;
374 static int hf_smb_nt_access_mask_maximum_allowed = -1;
375 static int hf_smb_nt_access_mask_system_security = -1;
376 static int hf_smb_nt_access_mask_synchronize = -1;
377 static int hf_smb_nt_access_mask_write_owner = -1;
378 static int hf_smb_nt_access_mask_write_dac = -1;
379 static int hf_smb_nt_access_mask_read_control = -1;
380 static int hf_smb_nt_access_mask_delete = -1;
381 static int hf_smb_nt_access_mask_write_attributes = -1;
382 static int hf_smb_nt_access_mask_read_attributes = -1;
383 static int hf_smb_nt_access_mask_delete_child = -1;
384 static int hf_smb_nt_access_mask_execute = -1;
385 static int hf_smb_nt_access_mask_write_ea = -1;
386 static int hf_smb_nt_access_mask_read_ea = -1;
387 static int hf_smb_nt_access_mask_append = -1;
388 static int hf_smb_nt_access_mask_write = -1;
389 static int hf_smb_nt_access_mask_read = -1;
390 static int hf_smb_nt_create_bits_oplock = -1;
391 static int hf_smb_nt_create_bits_boplock = -1;
392 static int hf_smb_nt_create_bits_dir = -1;
393 static int hf_smb_nt_create_options_directory_file = -1;
394 static int hf_smb_nt_create_options_write_through = -1;
395 static int hf_smb_nt_create_options_sequential_only = -1;
396 static int hf_smb_nt_create_options_sync_io_alert = -1;
397 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
398 static int hf_smb_nt_create_options_non_directory_file = -1;
399 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
400 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
401 static int hf_smb_nt_create_options_random_access = -1;
402 static int hf_smb_nt_create_options_delete_on_close = -1;
403 static int hf_smb_nt_share_access_read = -1;
404 static int hf_smb_nt_share_access_write = -1;
405 static int hf_smb_nt_share_access_delete = -1;
406 static int hf_smb_file_eattr_read_only = -1;
407 static int hf_smb_file_eattr_hidden = -1;
408 static int hf_smb_file_eattr_system = -1;
409 static int hf_smb_file_eattr_volume = -1;
410 static int hf_smb_file_eattr_directory = -1;
411 static int hf_smb_file_eattr_archive = -1;
412 static int hf_smb_file_eattr_device = -1;
413 static int hf_smb_file_eattr_normal = -1;
414 static int hf_smb_file_eattr_temporary = -1;
415 static int hf_smb_file_eattr_sparse = -1;
416 static int hf_smb_file_eattr_reparse = -1;
417 static int hf_smb_file_eattr_compressed = -1;
418 static int hf_smb_file_eattr_offline = -1;
419 static int hf_smb_file_eattr_not_content_indexed = -1;
420 static int hf_smb_file_eattr_encrypted = -1;
421 static int hf_smb_file_eattr_write_through = -1;
422 static int hf_smb_file_eattr_no_buffering = -1;
423 static int hf_smb_file_eattr_random_access = -1;
424 static int hf_smb_file_eattr_sequential_scan = -1;
425 static int hf_smb_file_eattr_delete_on_close = -1;
426 static int hf_smb_file_eattr_backup_semantics = -1;
427 static int hf_smb_file_eattr_posix_semantics = -1;
428 static int hf_smb_sec_desc_len = -1;
429 static int hf_smb_sec_desc_revision = -1;
430 static int hf_smb_sec_desc_type_owner_defaulted = -1;
431 static int hf_smb_sec_desc_type_group_defaulted = -1;
432 static int hf_smb_sec_desc_type_dacl_present = -1;
433 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
434 static int hf_smb_sec_desc_type_sacl_present = -1;
435 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
436 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
437 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
438 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
439 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
440 static int hf_smb_sec_desc_type_dacl_protected = -1;
441 static int hf_smb_sec_desc_type_sacl_protected = -1;
442 static int hf_smb_sec_desc_type_self_relative = -1;
443 static int hf_smb_sid_revision = -1;
444 static int hf_smb_sid_num_auth = -1;
445 static int hf_smb_acl_revision = -1;
446 static int hf_smb_acl_size = -1;
447 static int hf_smb_acl_num_aces = -1;
448 static int hf_smb_ace_type = -1;
449 static int hf_smb_ace_size = -1;
450 static int hf_smb_ace_flags_object_inherit = -1;
451 static int hf_smb_ace_flags_container_inherit = -1;
452 static int hf_smb_ace_flags_non_propagate_inherit = -1;
453 static int hf_smb_ace_flags_inherit_only = -1;
454 static int hf_smb_ace_flags_inherited_ace = -1;
455 static int hf_smb_ace_flags_successful_access = -1;
456 static int hf_smb_ace_flags_failed_access = -1;
457 static int hf_smb_nt_qsd_owner = -1;
458 static int hf_smb_nt_qsd_group = -1;
459 static int hf_smb_nt_qsd_dacl = -1;
460 static int hf_smb_nt_qsd_sacl = -1;
461 static int hf_smb_extended_attributes = -1;
462 static int hf_smb_oplock_level = -1;
463 static int hf_smb_create_action = -1;
464 static int hf_smb_file_id = -1;
465 static int hf_smb_ea_error_offset = -1;
466 static int hf_smb_end_of_file = -1;
467 static int hf_smb_device_type = -1;
468 static int hf_smb_is_directory = -1;
469 static int hf_smb_next_entry_offset = -1;
470 static int hf_smb_change_time = -1;
471 static int hf_smb_setup_len = -1;
472 static int hf_smb_print_mode = -1;
473 static int hf_smb_print_identifier = -1;
474 static int hf_smb_restart_index = -1;
475 static int hf_smb_print_queue_date = -1;
476 static int hf_smb_print_queue_dos_date = -1;
477 static int hf_smb_print_queue_dos_time = -1;
478 static int hf_smb_print_status = -1;
479 static int hf_smb_print_spool_file_number = -1;
480 static int hf_smb_print_spool_file_size = -1;
481 static int hf_smb_print_spool_file_name = -1;
482 static int hf_smb_start_index = -1;
483 static int hf_smb_originator_name = -1;
484 static int hf_smb_destination_name = -1;
485 static int hf_smb_message_len = -1;
486 static int hf_smb_message = -1;
487 static int hf_smb_mgid = -1;
488 static int hf_smb_forwarded_name = -1;
489 static int hf_smb_machine_name = -1;
490 static int hf_smb_cancel_to = -1;
491 static int hf_smb_trans2_subcmd = -1;
492 static int hf_smb_trans_name = -1;
493 static int hf_smb_transaction_flags_dtid = -1;
494 static int hf_smb_transaction_flags_owt = -1;
495 static int hf_smb_search_count = -1;
496 static int hf_smb_search_pattern = -1;
497 static int hf_smb_ff2_backup = -1;
498 static int hf_smb_ff2_continue = -1;
499 static int hf_smb_ff2_resume = -1;
500 static int hf_smb_ff2_close_eos = -1;
501 static int hf_smb_ff2_close = -1;
502 static int hf_smb_ff2_information_level = -1;
503 static int hf_smb_qpi_loi = -1;
505 static int hf_smb_sfi_writetru = -1;
506 static int hf_smb_sfi_caching = -1;
508 static int hf_smb_storage_type = -1;
509 static int hf_smb_resume = -1;
510 static int hf_smb_max_referral_level = -1;
511 static int hf_smb_qfsi_information_level = -1;
512 static int hf_smb_ea_size = -1;
513 static int hf_smb_list_length = -1;
514 static int hf_smb_number_of_links = -1;
515 static int hf_smb_delete_pending = -1;
516 static int hf_smb_index_number = -1;
517 static int hf_smb_current_offset = -1;
518 static int hf_smb_t2_alignment = -1;
519 static int hf_smb_t2_stream_name_length = -1;
520 static int hf_smb_t2_stream_size = -1;
521 static int hf_smb_t2_stream_name = -1;
522 static int hf_smb_t2_compressed_file_size = -1;
523 static int hf_smb_t2_compressed_format = -1;
524 static int hf_smb_t2_compressed_unit_shift = -1;
525 static int hf_smb_t2_compressed_chunk_shift = -1;
526 static int hf_smb_t2_compressed_cluster_shift = -1;
527 static int hf_smb_dfs_path_consumed = -1;
528 static int hf_smb_dfs_num_referrals = -1;
529 static int hf_smb_get_dfs_server_hold_storage = -1;
530 static int hf_smb_get_dfs_fielding = -1;
531 static int hf_smb_dfs_referral_version = -1;
532 static int hf_smb_dfs_referral_size = -1;
533 static int hf_smb_dfs_referral_server_type = -1;
534 static int hf_smb_dfs_referral_flags_strip = -1;
535 static int hf_smb_dfs_referral_node_offset = -1;
536 static int hf_smb_dfs_referral_node = -1;
537 static int hf_smb_dfs_referral_proximity = -1;
538 static int hf_smb_dfs_referral_ttl = -1;
539 static int hf_smb_dfs_referral_path_offset = -1;
540 static int hf_smb_dfs_referral_path = -1;
541 static int hf_smb_dfs_referral_alt_path_offset = -1;
542 static int hf_smb_dfs_referral_alt_path = -1;
543 static int hf_smb_end_of_search = -1;
544 static int hf_smb_last_name_offset = -1;
545 static int hf_smb_fn_information_level = -1;
546 static int hf_smb_monitor_handle = -1;
547 static int hf_smb_change_count = -1;
548 static int hf_smb_file_index = -1;
549 static int hf_smb_short_file_name = -1;
550 static int hf_smb_short_file_name_len = -1;
551 static int hf_smb_fs_id = -1;
552 static int hf_smb_sector_unit = -1;
553 static int hf_smb_fs_units = -1;
554 static int hf_smb_fs_sector = -1;
555 static int hf_smb_avail_units = -1;
556 static int hf_smb_volume_serial_num = -1;
557 static int hf_smb_volume_label_len = -1;
558 static int hf_smb_volume_label = -1;
559 static int hf_smb_free_alloc_units64 = -1;
560 static int hf_smb_caller_free_alloc_units64 = -1;
561 static int hf_smb_actual_free_alloc_units64 = -1;
562 static int hf_smb_max_name_len = -1;
563 static int hf_smb_fs_name_len = -1;
564 static int hf_smb_fs_name = -1;
565 static int hf_smb_device_char_removable = -1;
566 static int hf_smb_device_char_read_only = -1;
567 static int hf_smb_device_char_floppy = -1;
568 static int hf_smb_device_char_write_once = -1;
569 static int hf_smb_device_char_remote = -1;
570 static int hf_smb_device_char_mounted = -1;
571 static int hf_smb_device_char_virtual = -1;
572 static int hf_smb_fs_attr_css = -1;
573 static int hf_smb_fs_attr_cpn = -1;
574 static int hf_smb_fs_attr_pacls = -1;
575 static int hf_smb_fs_attr_fc = -1;
576 static int hf_smb_fs_attr_vq = -1;
577 static int hf_smb_fs_attr_dim = -1;
578 static int hf_smb_fs_attr_vic = -1;
579 static int hf_smb_quota_flags_enabled = -1;
580 static int hf_smb_quota_flags_deny_disk = -1;
581 static int hf_smb_quota_flags_log_limit = -1;
582 static int hf_smb_quota_flags_log_warning = -1;
583 static int hf_smb_soft_quota_limit = -1;
584 static int hf_smb_hard_quota_limit = -1;
585 static int hf_smb_user_quota_used = -1;
586 static int hf_smb_user_quota_offset = -1;
587 static int hf_smb_nt_rename_level = -1;
588 static int hf_smb_cluster_count = -1;
589 static int hf_smb_segments = -1;
590 static int hf_smb_segment = -1;
591 static int hf_smb_segment_overlap = -1;
592 static int hf_smb_segment_overlap_conflict = -1;
593 static int hf_smb_segment_multiple_tails = -1;
594 static int hf_smb_segment_too_long_fragment = -1;
595 static int hf_smb_segment_error = -1;
597 static gint ett_smb = -1;
598 static gint ett_smb_hdr = -1;
599 static gint ett_smb_command = -1;
600 static gint ett_smb_fileattributes = -1;
601 static gint ett_smb_capabilities = -1;
602 static gint ett_smb_aflags = -1;
603 static gint ett_smb_dialect = -1;
604 static gint ett_smb_dialects = -1;
605 static gint ett_smb_mode = -1;
606 static gint ett_smb_rawmode = -1;
607 static gint ett_smb_flags = -1;
608 static gint ett_smb_flags2 = -1;
609 static gint ett_smb_desiredaccess = -1;
610 static gint ett_smb_search = -1;
611 static gint ett_smb_file = -1;
612 static gint ett_smb_openfunction = -1;
613 static gint ett_smb_filetype = -1;
614 static gint ett_smb_openaction = -1;
615 static gint ett_smb_writemode = -1;
616 static gint ett_smb_lock_type = -1;
617 static gint ett_smb_ssetupandxaction = -1;
618 static gint ett_smb_optionsup = -1;
619 static gint ett_smb_time_date = -1;
620 static gint ett_smb_move_copy_flags = -1;
621 static gint ett_smb_file_attributes = -1;
622 static gint ett_smb_search_resume_key = -1;
623 static gint ett_smb_search_dir_info = -1;
624 static gint ett_smb_unlocks = -1;
625 static gint ett_smb_unlock = -1;
626 static gint ett_smb_locks = -1;
627 static gint ett_smb_lock = -1;
628 static gint ett_smb_open_flags = -1;
629 static gint ett_smb_ipc_state = -1;
630 static gint ett_smb_open_action = -1;
631 static gint ett_smb_setup_action = -1;
632 static gint ett_smb_connect_flags = -1;
633 static gint ett_smb_connect_support_bits = -1;
634 static gint ett_smb_nt_access_mask = -1;
635 static gint ett_smb_nt_create_bits = -1;
636 static gint ett_smb_nt_create_options = -1;
637 static gint ett_smb_nt_share_access = -1;
638 static gint ett_smb_nt_security_flags = -1;
639 static gint ett_smb_nt_trans_setup = -1;
640 static gint ett_smb_nt_trans_data = -1;
641 static gint ett_smb_nt_trans_param = -1;
642 static gint ett_smb_nt_notify_completion_filter = -1;
643 static gint ett_smb_nt_ioctl_flags = -1;
644 static gint ett_smb_security_information_mask = -1;
645 static gint ett_smb_print_queue_entry = -1;
646 static gint ett_smb_transaction_flags = -1;
647 static gint ett_smb_transaction_params = -1;
648 static gint ett_smb_find_first2_flags = -1;
649 static gint ett_smb_mac_support_flags = -1;
651 static gint ett_smb_ioflag = -1;
653 static gint ett_smb_transaction_data = -1;
654 static gint ett_smb_stream_info = -1;
655 static gint ett_smb_dfs_referrals = -1;
656 static gint ett_smb_dfs_referral = -1;
657 static gint ett_smb_dfs_referral_flags = -1;
658 static gint ett_smb_get_dfs_flags = -1;
659 static gint ett_smb_ff2_data = -1;
660 static gint ett_smb_device_characteristics = -1;
661 static gint ett_smb_fs_attributes = -1;
662 static gint ett_smb_segments = -1;
663 static gint ett_smb_segment = -1;
664 static gint ett_smb_sec_desc = -1;
665 static gint ett_smb_sid = -1;
666 static gint ett_smb_acl = -1;
667 static gint ett_smb_ace = -1;
668 static gint ett_smb_ace_flags = -1;
669 static gint ett_smb_sec_desc_type = -1;
670 static gint ett_smb_quotaflags = -1;
671 static gint ett_smb_gssapi = -1;
673 static dissector_handle_t gssapi_handle = NULL;
675 fragment_items smb_frag_items = {
681 &hf_smb_segment_overlap,
682 &hf_smb_segment_overlap_conflict,
683 &hf_smb_segment_multiple_tails,
684 &hf_smb_segment_too_long_fragment,
685 &hf_smb_segment_error,
690 proto_tree *top_tree=NULL; /* ugly */
692 static char *decode_smb_name(unsigned char);
693 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
696 * Macros for use in the main dissector routines for an SMB.
701 wc = tvb_get_guint8(tvb, offset); \
702 proto_tree_add_uint(tree, hf_smb_word_count, \
703 tvb, offset, 1, wc); \
705 if(wc==0) goto bytecount;
709 bc = tvb_get_letohs(tvb, offset); \
710 proto_tree_add_uint(tree, hf_smb_byte_count, \
711 tvb, offset, 2, bc); \
713 if(bc==0) goto endofcommand;
715 #define CHECK_BYTE_COUNT(len) \
716 if (bc < len) goto endofcommand;
718 #define COUNT_BYTES(len) {\
727 proto_tree_add_text(tree, tvb, offset, bc, \
728 "Extra byte parameters"); \
734 * Macros for use in routines called by them.
736 #define CHECK_BYTE_COUNT_SUBR(len) \
742 #define CHECK_STRING_SUBR(fn) \
748 #define COUNT_BYTES_SUBR(len) \
753 * Macros for use when dissecting transaction parameters and data
755 #define CHECK_BYTE_COUNT_TRANS(len) \
756 if (bc < len) return offset;
758 #define CHECK_STRING_TRANS(fn) \
759 if (fn == NULL) return offset;
761 #define COUNT_BYTES_TRANS(len) \
766 * Macros for use in subrroutines dissecting transaction parameters or data
768 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
769 if (*bcp < len) return offset;
771 #define CHECK_STRING_TRANS_SUBR(fn) \
772 if (fn == NULL) return offset;
774 #define COUNT_BYTES_TRANS_SUBR(len) \
779 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
780 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
781 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
782 static gboolean smb_trans_reassembly = FALSE;
783 gboolean smb_dcerpc_reassembly = FALSE;
785 static GHashTable *smb_trans_fragment_table = NULL;
786 GHashTable *dcerpc_fragment_table = NULL;
789 smb_trans_reassembly_init(void)
791 fragment_table_init(&smb_trans_fragment_table);
794 smb_dcerpc_reassembly_init(void)
796 fragment_table_init(&dcerpc_fragment_table);
800 static fragment_data *
801 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
802 int offset, int count, int pos, int totlen)
804 fragment_data *fd_head=NULL;
808 more_frags=totlen>(pos+count);
810 si = (smb_info_t *)pinfo->private_data;
811 if (si->sip == NULL) {
813 * We don't have the frame number of the request.
815 * XXX - is there truly nothing we can do here?
816 * Can we not separately keep track of the original
817 * transaction and its continuations, as we did
820 * It is probably not much point in even trying to do something here
821 * if we have never seen the initial request. Without the initial
822 * request we probably miss all parameters and the begining of data
823 * so we cant even call a subdissector since we can not determine
824 * which type of transaction call this is.
829 if(!pinfo->fd->flags.visited){
830 fd_head = fragment_add(tvb, offset, pinfo,
831 si->sip->frame_req, smb_trans_fragment_table,
832 pos, count, more_frags);
834 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
837 /* we only show the defragmented packet for the first fragment,
838 or else we might end up with dissecting one HUGE transaction PDU
839 a LOT of times. (first fragment is the only one containing the setup
841 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
842 SMBs. Takes a LOT of time dissecting and is not fun.
844 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
855 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
856 These variables and functions are used to match
858 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
860 * The information we need to save about a request in order to show the
861 * frame number of the request in the dissection of the reply.
866 } smb_saved_info_key_t;
868 static GMemChunk *smb_saved_info_key_chunk = NULL;
869 static GMemChunk *smb_saved_info_chunk = NULL;
870 static int smb_saved_info_init_count = 200;
872 /* unmatched smb_saved_info structures.
873 For unmatched smb_saved_info structures we store the smb_saved_info
874 structure using the MID and the PID as the key.
876 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
877 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
878 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
881 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
883 register guint32 key1 = (guint32)k1;
884 register guint32 key2 = (guint32)k2;
888 smb_saved_info_hash_unmatched(gconstpointer k)
890 register guint32 key = (guint32)k;
894 /* matched smb_saved_info structures.
895 For matched smb_saved_info structures we store the smb_saved_info
896 structure twice in the table using the frame number, and a combination
897 of the MID and the PID, as the key.
898 The frame number is guaranteed to be unique but if ever someone makes
899 some change that will renumber the frames in a capture we are in BIG trouble.
900 This is not likely though since that would break (among other things) all the
901 reassembly routines as well.
903 We also need the MID as there may be more than one SMB request or reply
904 in a single frame, and we also need the PID as there may be more than
905 one outstanding request with the same MID and different PIDs.
908 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
910 const smb_saved_info_key_t *key1 = k1;
911 const smb_saved_info_key_t *key2 = k2;
912 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
915 smb_saved_info_hash_matched(gconstpointer k)
917 const smb_saved_info_key_t *key = k;
918 return key->frame + key->pid_mid;
922 * The information we need to save about an NT Transaction request in order
923 * to dissect the reply.
927 } smb_nt_transact_info_t;
929 static GMemChunk *smb_nt_transact_info_chunk = NULL;
930 static int smb_nt_transact_info_init_count = 200;
933 * The information we need to save about a Transaction2 request in order
934 * to dissect the reply.
939 gboolean resume_keys; /* if "return resume" keys set in T2 FIND_FIRST request */
940 } smb_transact2_info_t;
942 static GMemChunk *smb_transact2_info_chunk = NULL;
943 static int smb_transact2_info_init_count = 200;
946 * The information we need to save about a Transaction request in order
947 * to dissect the reply; this includes information for use by the
948 * Remote API dissector.
950 static GMemChunk *smb_transact_info_chunk = NULL;
951 static int smb_transact_info_init_count = 200;
953 static GMemChunk *conv_tables_chunk = NULL;
954 static GSList *conv_tables = NULL;
955 static int conv_tables_count = 10;
958 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
959 End of request/response matching functions
960 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
962 static const value_string buffer_format_vals[] = {
967 {5, "Variable Block"},
972 * UTIME - this is *almost* like a UNIX time stamp, except that it's
973 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
974 * January 1, 1970, 00:00:00 GMT.
976 * This means we have to do some extra work to convert it. This code is
977 * based on the Samba code:
979 * Unix SMB/Netbios implementation.
981 * time handling functions
982 * Copyright (C) Andrew Tridgell 1992-1998
986 * Yield the difference between *A and *B, in seconds, ignoring leap
989 #define TM_YEAR_BASE 1900
992 tm_diff(struct tm *a, struct tm *b)
994 int ay = a->tm_year + (TM_YEAR_BASE - 1);
995 int by = b->tm_year + (TM_YEAR_BASE - 1);
996 int intervening_leap_days =
997 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
1000 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
1001 int hours = 24*days + (a->tm_hour - b->tm_hour);
1002 int minutes = 60*hours + (a->tm_min - b->tm_min);
1003 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
1009 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1015 struct tm *tm = gmtime(&t);
1024 return tm_diff(&tm_utc,tm);
1028 * Return the same value as TimeZone, but it should be more efficient.
1030 * We keep a table of DST offsets to prevent calling localtime() on each
1031 * call of this function. This saves a LOT of time on many unixes.
1033 * Updated by Paul Eggert <eggert@twinsun.com>
1040 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1041 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
1044 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
1048 TimeZoneFaster(time_t t)
1050 static struct dst_table {time_t start,end; int zone;} *tdt;
1051 static struct dst_table *dst_table = NULL;
1052 static int table_size = 0;
1059 /* Tunis has a 8 day DST region, we need to be careful ... */
1060 #define MAX_DST_WIDTH (365*24*60*60)
1061 #define MAX_DST_SKIP (7*24*60*60)
1063 for (i = 0; i < table_size; i++) {
1064 if (t >= dst_table[i].start && t <= dst_table[i].end)
1068 if (i < table_size) {
1069 zone = dst_table[i].zone;
1074 if (dst_table == NULL)
1075 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1077 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1086 dst_table[i].zone = zone;
1087 dst_table[i].start = dst_table[i].end = t;
1089 /* no entry will cover more than 6 months */
1090 low = t - MAX_DST_WIDTH/2;
1094 high = t + MAX_DST_WIDTH/2;
1099 * Widen the new entry using two bisection searches.
1101 while (low+60*60 < dst_table[i].start) {
1102 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1103 t = dst_table[i].start - MAX_DST_SKIP;
1105 t = low + (dst_table[i].start-low)/2;
1106 if (TimeZone(t) == zone)
1107 dst_table[i].start = t;
1112 while (high-60*60 > dst_table[i].end) {
1113 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1114 t = dst_table[i].end + MAX_DST_SKIP;
1116 t = high - (high-dst_table[i].end)/2;
1117 if (TimeZone(t) == zone)
1118 dst_table[i].end = t;
1128 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1129 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1130 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1131 * daylight savings transitions because some local times are ambiguous.
1132 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
1135 LocTimeDiff(time_t lt)
1137 int d = TimeZoneFaster(lt);
1140 /* if overflow occurred, ignore all the adjustments so far */
1141 if (((t < lt) ^ (d < 0)))
1145 * Now t should be close enough to the true UTC to yield the
1148 return TimeZoneFaster(t);
1152 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1157 timeval = tvb_get_letohl(tvb, offset);
1158 if (timeval == 0xffffffff) {
1159 proto_tree_add_text(tree, tvb, offset, 4,
1160 "%s: No time specified (0xffffffff)",
1161 proto_registrar_get_name(hf_date));
1167 * We add the local time offset.
1169 ts.secs = timeval + LocTimeDiff(timeval);
1172 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1178 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1181 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1183 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1184 * midnight "UTC", in 100ns units.
1185 * Return TRUE if the conversion succeeds, FALSE otherwise.
1187 * According to the Samba code, it appears to be kludge-GMT (at least for
1188 * file listings). This means it's the GMT you get by taking a local time
1189 * and adding the server time zone offset. This is NOT the same as GMT in
1190 * some cases. However, we don't know the server time zone, so we don't
1191 * do that adjustment.
1193 * This code is based on the Samba code:
1195 * Unix SMB/Netbios implementation.
1197 * time handling functions
1198 * Copyright (C) Andrew Tridgell 1992-1998
1201 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1204 /* The next two lines are a fix needed for the
1205 broken SCO compiler. JRA. */
1206 time_t l_time_min = TIME_T_MIN;
1207 time_t l_time_max = TIME_T_MAX;
1209 if (filetime_high == 0)
1213 * Get the time as a double, in seconds and fractional seconds.
1215 d = ((double)filetime_high)*4.0*(double)(1<<30);
1219 /* Now adjust by 369 years, to make the seconds since 1970. */
1220 d -= TIME_FIXUP_CONSTANT;
1222 if (!(l_time_min <= d && d <= l_time_max))
1226 * Get the time as seconds and nanoseconds.
1229 tv->nsecs = (d - tv->secs)*1000000000;
1235 dissect_smb_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1237 guint32 filetime_high, filetime_low;
1240 /* XXX there seems also to be another special time value which is fairly common :
1242 the meaning of this one is yet unknown
1245 filetime_low = tvb_get_letohl(tvb, offset);
1246 filetime_high = tvb_get_letohl(tvb, offset + 4);
1247 if (filetime_low == 0 && filetime_high == 0) {
1248 proto_tree_add_text(tree, tvb, offset, 8,
1249 "%s: No time specified (0)",
1250 proto_registrar_get_name(hf_date));
1251 } else if(filetime_low==0 && filetime_high==0x80000000){
1252 proto_tree_add_text(tree, tvb, offset, 8,
1253 "%s: Infinity (relative time)",
1254 proto_registrar_get_name(hf_date));
1255 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1256 proto_tree_add_text(tree, tvb, offset, 8,
1257 "%s: Infinity (absolute time)",
1258 proto_registrar_get_name(hf_date));
1260 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1261 proto_tree_add_time(tree, hf_date, tvb,
1264 proto_tree_add_text(tree, tvb, offset, 8,
1265 "%s: Time can't be converted",
1266 proto_registrar_get_name(hf_date));
1276 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1277 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1279 guint16 dos_time, dos_date;
1280 proto_item *item = NULL;
1281 proto_tree *tree = NULL;
1284 static const int mday_noleap[12] = {
1285 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1287 static const int mday_leap[12] = {
1288 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1290 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1294 dos_time = tvb_get_letohs(tvb, offset);
1295 dos_date = tvb_get_letohs(tvb, offset+2);
1297 dos_date = tvb_get_letohs(tvb, offset);
1298 dos_time = tvb_get_letohs(tvb, offset+2);
1301 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1302 (dos_date == 0 && dos_time == 0)) {
1304 * No date/time specified.
1307 proto_tree_add_text(parent_tree, tvb, offset, 4,
1308 "%s: No time specified (0x%08x)",
1309 proto_registrar_get_name(hf_date),
1310 (dos_date << 16) | dos_time);
1316 tm.tm_sec = (dos_time&0x1f)*2;
1317 tm.tm_min = (dos_time>>5)&0x3f;
1318 tm.tm_hour = (dos_time>>11)&0x1f;
1319 tm.tm_mday = dos_date&0x1f;
1320 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1321 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1325 * Do some sanity checks before calling "mktime()";
1326 * "mktime()" doesn't do them, it "normalizes" out-of-range
1329 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1330 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1331 (ISLEAP(tm.tm_year + 1900) ?
1332 tm.tm_mday > mday_leap[tm.tm_mon] :
1333 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1334 (t = mktime(&tm)) == -1) {
1336 * Invalid date/time.
1339 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1341 proto_registrar_get_name(hf_date));
1342 tree = proto_item_add_subtree(item, ett_smb_time_date);
1344 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1345 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1347 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1348 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1359 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1360 tree = proto_item_add_subtree(item, ett_smb_time_date);
1362 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1363 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1365 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1366 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1376 static const value_string da_access_vals[] = {
1377 { 0, "Open for reading"},
1378 { 1, "Open for writing"},
1379 { 2, "Open for reading and writing"},
1380 { 3, "Open for execute"},
1383 static const value_string da_sharing_vals[] = {
1384 { 0, "Compatibility mode"},
1385 { 1, "Deny read/write/execute (exclusive)"},
1387 { 3, "Deny read/execute"},
1391 static const value_string da_locality_vals[] = {
1392 { 0, "Locality of reference unknown"},
1393 { 1, "Mainly sequential access"},
1394 { 2, "Mainly random access"},
1395 { 3, "Random access with some locality"},
1398 static const true_false_string tfs_da_caching = {
1399 "Do not cache this file",
1400 "Caching permitted on this file"
1402 static const true_false_string tfs_da_writetru = {
1403 "Write through enabled",
1404 "Write through disabled"
1407 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, char *type)
1410 proto_item *item = NULL;
1411 proto_tree *tree = NULL;
1413 mask = tvb_get_letohs(tvb, offset);
1416 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1417 "%s Access: 0x%04x", type, mask);
1418 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1421 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1422 tvb, offset, 2, mask);
1423 proto_tree_add_boolean(tree, hf_smb_access_caching,
1424 tvb, offset, 2, mask);
1425 proto_tree_add_uint(tree, hf_smb_access_locality,
1426 tvb, offset, 2, mask);
1427 proto_tree_add_uint(tree, hf_smb_access_sharing,
1428 tvb, offset, 2, mask);
1429 proto_tree_add_uint(tree, hf_smb_access_mode,
1430 tvb, offset, 2, mask);
1437 #define FILE_ATTRIBUTE_READ_ONLY 0x00000001
1438 #define FILE_ATTRIBUTE_HIDDEN 0x00000002
1439 #define FILE_ATTRIBUTE_SYSTEM 0x00000004
1440 #define FILE_ATTRIBUTE_VOLUME 0x00000008
1441 #define FILE_ATTRIBUTE_DIRECTORY 0x00000010
1442 #define FILE_ATTRIBUTE_ARCHIVE 0x00000020
1443 #define FILE_ATTRIBUTE_DEVICE 0x00000040
1444 #define FILE_ATTRIBUTE_NORMAL 0x00000080
1445 #define FILE_ATTRIBUTE_TEMPORARY 0x00000100
1446 #define FILE_ATTRIBUTE_SPARSE 0x00000200
1447 #define FILE_ATTRIBUTE_REPARSE 0x00000400
1448 #define FILE_ATTRIBUTE_COMPRESSED 0x00000800
1449 #define FILE_ATTRIBUTE_OFFLINE 0x00001000
1450 #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1451 #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1454 * These are flags to be used in NT Create operations.
1456 #define FILE_ATTRIBUTE_WRITE_THROUGH 0x80000000
1457 #define FILE_ATTRIBUTE_NO_BUFFERING 0x20000000
1458 #define FILE_ATTRIBUTE_RANDOM_ACCESS 0x10000000
1459 #define FILE_ATTRIBUTE_SEQUENTIAL_SCAN 0x08000000
1460 #define FILE_ATTRIBUTE_DELETE_ON_CLOSE 0x04000000
1461 #define FILE_ATTRIBUTE_BACKUP_SEMANTICS 0x02000000
1462 #define FILE_ATTRIBUTE_POSIX_SEMANTICS 0x01000000
1464 static const true_false_string tfs_file_attribute_write_through = {
1465 "This object requires WRITE THROUGH",
1466 "This object does NOT require write through",
1468 static const true_false_string tfs_file_attribute_no_buffering = {
1469 "This object requires NO BUFFERING",
1470 "This object can be buffered",
1472 static const true_false_string tfs_file_attribute_random_access = {
1473 "This object will be RANDOM ACCESSed",
1474 "Random access is NOT requested",
1476 static const true_false_string tfs_file_attribute_sequential_scan = {
1477 "This object is optimized for SEQUENTIAL SCAN",
1478 "This object is NOT optimized for sequential scan",
1480 static const true_false_string tfs_file_attribute_delete_on_close = {
1481 "This object will be DELETED ON CLOSE",
1482 "This object will not be deleted on close",
1484 static const true_false_string tfs_file_attribute_backup_semantics = {
1485 "This object supports BACKUP SEMANTICS",
1486 "This object does NOT support backup semantics",
1488 static const true_false_string tfs_file_attribute_posix_semantics = {
1489 "This object supports POSIX SEMANTICS",
1490 "This object does NOT support POSIX semantics",
1492 static const true_false_string tfs_file_attribute_read_only = {
1493 "This file is READ ONLY",
1494 "This file is NOT read only",
1496 static const true_false_string tfs_file_attribute_hidden = {
1497 "This is a HIDDEN file",
1498 "This is NOT a hidden file"
1500 static const true_false_string tfs_file_attribute_system = {
1501 "This is a SYSTEM file",
1502 "This is NOT a system file"
1504 static const true_false_string tfs_file_attribute_volume = {
1505 "This is a VOLUME ID",
1506 "This is NOT a volume ID"
1508 static const true_false_string tfs_file_attribute_directory = {
1509 "This is a DIRECTORY",
1510 "This is NOT a directory"
1512 static const true_false_string tfs_file_attribute_archive = {
1513 "This is an ARCHIVE file",
1514 "This is NOT an archive file"
1516 static const true_false_string tfs_file_attribute_device = {
1518 "This is NOT a device"
1520 static const true_false_string tfs_file_attribute_normal = {
1521 "This file is an ordinary file",
1522 "This file has some attribute set"
1524 static const true_false_string tfs_file_attribute_temporary = {
1525 "This is a TEMPORARY file",
1526 "This is NOT a temporary file"
1528 static const true_false_string tfs_file_attribute_sparse = {
1529 "This is a SPARSE file",
1530 "This is NOT a sparse file"
1532 static const true_false_string tfs_file_attribute_reparse = {
1533 "This file has an associated REPARSE POINT",
1534 "This file does NOT have an associated reparse point"
1536 static const true_false_string tfs_file_attribute_compressed = {
1537 "This is a COMPRESSED file",
1538 "This is NOT a compressed file"
1540 static const true_false_string tfs_file_attribute_offline = {
1541 "This file is OFFLINE",
1542 "This file is NOT offline"
1544 static const true_false_string tfs_file_attribute_not_content_indexed = {
1545 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1546 "This file MAY be indexed by the content indexing service"
1548 static const true_false_string tfs_file_attribute_encrypted = {
1549 "This is an ENCRYPTED file",
1550 "This is NOT an encrypted file"
1554 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1557 proto_item *item = NULL;
1558 proto_tree *tree = NULL;
1560 mask = tvb_get_letohs(tvb, offset);
1563 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1564 "File Attributes: 0x%04x", mask);
1565 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1567 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1568 tvb, offset, 2, mask);
1569 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1570 tvb, offset, 2, mask);
1571 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1572 tvb, offset, 2, mask);
1573 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1574 tvb, offset, 2, mask);
1575 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1576 tvb, offset, 2, mask);
1577 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1578 tvb, offset, 2, mask);
1587 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1590 proto_item *item = NULL;
1591 proto_tree *tree = NULL;
1593 mask = tvb_get_letohl(tvb, offset);
1596 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1597 "File Attributes: 0x%08x", mask);
1598 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1602 * XXX - Network Monitor disagrees on some of the
1603 * bits, e.g. the bits above temporary are "atomic write"
1604 * and "transaction write", and it says nothing about the
1607 * Does the Win32 API documentation, or the NT Native API book,
1610 proto_tree_add_boolean(tree, hf_smb_file_eattr_write_through,
1611 tvb, offset, 4, mask);
1612 proto_tree_add_boolean(tree, hf_smb_file_eattr_no_buffering,
1613 tvb, offset, 4, mask);
1614 proto_tree_add_boolean(tree, hf_smb_file_eattr_random_access,
1615 tvb, offset, 4, mask);
1616 proto_tree_add_boolean(tree, hf_smb_file_eattr_sequential_scan,
1617 tvb, offset, 4, mask);
1618 proto_tree_add_boolean(tree, hf_smb_file_eattr_delete_on_close,
1619 tvb, offset, 4, mask);
1620 proto_tree_add_boolean(tree, hf_smb_file_eattr_backup_semantics,
1621 tvb, offset, 4, mask);
1622 proto_tree_add_boolean(tree, hf_smb_file_eattr_posix_semantics,
1623 tvb, offset, 4, mask);
1624 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1625 tvb, offset, 4, mask);
1626 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1627 tvb, offset, 4, mask);
1628 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1629 tvb, offset, 4, mask);
1630 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1631 tvb, offset, 4, mask);
1632 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1633 tvb, offset, 4, mask);
1634 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1635 tvb, offset, 4, mask);
1636 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1637 tvb, offset, 4, mask);
1638 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1639 tvb, offset, 4, mask);
1640 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1641 tvb, offset, 4, mask);
1642 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1643 tvb, offset, 4, mask);
1644 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1645 tvb, offset, 4, mask);
1646 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1647 tvb, offset, 4, mask);
1648 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1649 tvb, offset, 4, mask);
1650 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1651 tvb, offset, 4, mask);
1652 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1653 tvb, offset, 4, mask);
1661 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1664 proto_item *item = NULL;
1665 proto_tree *tree = NULL;
1667 mask = tvb_get_guint8(tvb, offset);
1670 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1671 "File Attributes: 0x%02x", mask);
1672 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1674 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1675 tvb, offset, 1, mask);
1676 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1677 tvb, offset, 1, mask);
1678 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1679 tvb, offset, 1, mask);
1680 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1681 tvb, offset, 1, mask);
1682 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1683 tvb, offset, 1, mask);
1684 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1685 tvb, offset, 1, mask);
1692 static const true_false_string tfs_search_attribute_read_only = {
1693 "Include READ ONLY files in search results",
1694 "Do NOT include read only files in search results",
1696 static const true_false_string tfs_search_attribute_hidden = {
1697 "Include HIDDEN files in search results",
1698 "Do NOT include hidden files in search results"
1700 static const true_false_string tfs_search_attribute_system = {
1701 "Include SYSTEM files in search results",
1702 "Do NOT include system files in search results"
1704 static const true_false_string tfs_search_attribute_volume = {
1705 "Include VOLUME IDs in search results",
1706 "Do NOT include volume IDs in search results"
1708 static const true_false_string tfs_search_attribute_directory = {
1709 "Include DIRECTORIES in search results",
1710 "Do NOT include directories in search results"
1712 static const true_false_string tfs_search_attribute_archive = {
1713 "Include ARCHIVE files in search results",
1714 "Do NOT include archive files in search results"
1718 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1721 proto_item *item = NULL;
1722 proto_tree *tree = NULL;
1724 mask = tvb_get_letohs(tvb, offset);
1727 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1728 "Search Attributes: 0x%04x", mask);
1729 tree = proto_item_add_subtree(item, ett_smb_search);
1732 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1733 tvb, offset, 2, mask);
1734 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1735 tvb, offset, 2, mask);
1736 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1737 tvb, offset, 2, mask);
1738 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1739 tvb, offset, 2, mask);
1740 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1741 tvb, offset, 2, mask);
1742 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1743 tvb, offset, 2, mask);
1751 * XXX - this isn't used.
1752 * Is this used for anything? NT Create AndX doesn't use it.
1753 * Is there some 16-bit attribute field with more bits than Read Only,
1754 * Hidden, System, Volume ID, Directory, and Archive?
1757 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1760 proto_item *item = NULL;
1761 proto_tree *tree = NULL;
1763 mask = tvb_get_letohl(tvb, offset);
1766 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1767 "File Attributes: 0x%08x", mask);
1768 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1770 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1771 tvb, offset, 2, mask);
1772 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1773 tvb, offset, 2, mask);
1774 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1775 tvb, offset, 2, mask);
1776 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1777 tvb, offset, 2, mask);
1778 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1779 tvb, offset, 2, mask);
1780 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1781 tvb, offset, 2, mask);
1782 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1783 tvb, offset, 2, mask);
1784 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1785 tvb, offset, 2, mask);
1786 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1787 tvb, offset, 2, mask);
1788 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1789 tvb, offset, 2, mask);
1790 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1791 tvb, offset, 2, mask);
1792 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1793 tvb, offset, 2, mask);
1794 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1795 tvb, offset, 2, mask);
1796 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1797 tvb, offset, 2, mask);
1798 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1799 tvb, offset, 2, mask);
1808 #define SERVER_CAP_RAW_MODE 0x00000001
1809 #define SERVER_CAP_MPX_MODE 0x00000002
1810 #define SERVER_CAP_UNICODE 0x00000004
1811 #define SERVER_CAP_LARGE_FILES 0x00000008
1812 #define SERVER_CAP_NT_SMBS 0x00000010
1813 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1814 #define SERVER_CAP_STATUS32 0x00000040
1815 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1816 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1817 #define SERVER_CAP_NT_FIND 0x00000200
1818 #define SERVER_CAP_DFS 0x00001000
1819 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1820 #define SERVER_CAP_LARGE_READX 0x00004000
1821 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1822 #define SERVER_CAP_UNIX 0x00800000
1823 #define SERVER_CAP_RESERVED 0x02000000
1824 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1825 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1826 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1827 static const true_false_string tfs_server_cap_raw_mode = {
1828 "Read Raw and Write Raw are supported",
1829 "Read Raw and Write Raw are not supported"
1831 static const true_false_string tfs_server_cap_mpx_mode = {
1832 "Read Mpx and Write Mpx are supported",
1833 "Read Mpx and Write Mpx are not supported"
1835 static const true_false_string tfs_server_cap_unicode = {
1836 "Unicode strings are supported",
1837 "Unicode strings are not supported"
1839 static const true_false_string tfs_server_cap_large_files = {
1840 "Large files are supported",
1841 "Large files are not supported",
1843 static const true_false_string tfs_server_cap_nt_smbs = {
1844 "NT SMBs are supported",
1845 "NT SMBs are not supported"
1847 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1848 "RPC remote APIs are supported",
1849 "RPC remote APIs are not supported"
1851 static const true_false_string tfs_server_cap_nt_status = {
1852 "NT status codes are supported",
1853 "NT status codes are not supported"
1855 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1856 "Level 2 oplocks are supported",
1857 "Level 2 oplocks are not supported"
1859 static const true_false_string tfs_server_cap_lock_and_read = {
1860 "Lock and Read is supported",
1861 "Lock and Read is not supported"
1863 static const true_false_string tfs_server_cap_nt_find = {
1864 "NT Find is supported",
1865 "NT Find is not supported"
1867 static const true_false_string tfs_server_cap_dfs = {
1869 "Dfs is not supported"
1871 static const true_false_string tfs_server_cap_infolevel_passthru = {
1872 "NT information level request passthrough is supported",
1873 "NT information level request passthrough is not supported"
1875 static const true_false_string tfs_server_cap_large_readx = {
1876 "Large Read andX is supported",
1877 "Large Read andX is not supported"
1879 static const true_false_string tfs_server_cap_large_writex = {
1880 "Large Write andX is supported",
1881 "Large Write andX is not supported"
1883 static const true_false_string tfs_server_cap_unix = {
1884 "UNIX extensions are supported",
1885 "UNIX extensions are not supported"
1887 static const true_false_string tfs_server_cap_reserved = {
1891 static const true_false_string tfs_server_cap_bulk_transfer = {
1892 "Bulk Read and Bulk Write are supported",
1893 "Bulk Read and Bulk Write are not supported"
1895 static const true_false_string tfs_server_cap_compressed_data = {
1896 "Compressed data transfer is supported",
1897 "Compressed data transfer is not supported"
1899 static const true_false_string tfs_server_cap_extended_security = {
1900 "Extended security exchanges are supported",
1901 "Extended security exchanges are not supported"
1904 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1907 proto_item *item = NULL;
1908 proto_tree *tree = NULL;
1910 mask = tvb_get_letohl(tvb, offset);
1913 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1914 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1917 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1918 tvb, offset, 4, mask);
1919 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1920 tvb, offset, 4, mask);
1921 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1922 tvb, offset, 4, mask);
1923 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1924 tvb, offset, 4, mask);
1925 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1926 tvb, offset, 4, mask);
1927 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1928 tvb, offset, 4, mask);
1929 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1930 tvb, offset, 4, mask);
1931 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1932 tvb, offset, 4, mask);
1933 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1934 tvb, offset, 4, mask);
1935 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1936 tvb, offset, 4, mask);
1937 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1938 tvb, offset, 4, mask);
1939 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1940 tvb, offset, 4, mask);
1941 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1942 tvb, offset, 4, mask);
1943 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1944 tvb, offset, 4, mask);
1945 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1946 tvb, offset, 4, mask);
1947 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1948 tvb, offset, 4, mask);
1949 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1950 tvb, offset, 4, mask);
1951 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1952 tvb, offset, 4, mask);
1953 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1954 tvb, offset, 4, mask);
1959 #define RAWMODE_READ 0x01
1960 #define RAWMODE_WRITE 0x02
1961 static const true_false_string tfs_rm_read = {
1962 "Read Raw is supported",
1963 "Read Raw is not supported"
1965 static const true_false_string tfs_rm_write = {
1966 "Write Raw is supported",
1967 "Write Raw is not supported"
1971 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1974 proto_item *item = NULL;
1975 proto_tree *tree = NULL;
1977 mask = tvb_get_letohs(tvb, offset);
1980 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1981 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1984 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1985 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
1992 #define SECURITY_MODE_MODE 0x01
1993 #define SECURITY_MODE_PASSWORD 0x02
1994 #define SECURITY_MODE_SIGNATURES 0x04
1995 #define SECURITY_MODE_SIG_REQUIRED 0x08
1996 static const true_false_string tfs_sm_mode = {
1997 "USER security mode",
1998 "SHARE security mode"
2000 static const true_false_string tfs_sm_password = {
2001 "ENCRYPTED password. Use challenge/response",
2002 "PLAINTEXT password"
2004 static const true_false_string tfs_sm_signatures = {
2005 "Security signatures ENABLED",
2006 "Security signatures NOT enabled"
2008 static const true_false_string tfs_sm_sig_required = {
2009 "Security signatures REQUIRED",
2010 "Security signatures NOT required"
2014 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
2017 proto_item *item = NULL;
2018 proto_tree *tree = NULL;
2022 mask = tvb_get_letohs(tvb, offset);
2023 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2024 "Security Mode: 0x%04x", mask);
2025 tree = proto_item_add_subtree(item, ett_smb_mode);
2026 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
2027 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
2032 mask = tvb_get_guint8(tvb, offset);
2033 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2034 "Security Mode: 0x%02x", mask);
2035 tree = proto_item_add_subtree(item, ett_smb_mode);
2036 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
2037 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
2038 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
2039 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
2048 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2050 proto_item *it = NULL;
2051 proto_tree *tr = NULL;
2060 it = proto_tree_add_text(tree, tvb, offset, bc,
2061 "Requested Dialects");
2062 tr = proto_item_add_subtree(it, ett_smb_dialects);
2068 proto_item *dit = NULL;
2069 proto_tree *dtr = NULL;
2071 /* XXX - what if this runs past bc? */
2072 len = tvb_strsize(tvb, offset+1);
2073 str = tvb_get_ptr(tvb, offset+1, len);
2076 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2077 "Dialect: %s", str);
2078 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2082 CHECK_BYTE_COUNT(1);
2083 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2088 CHECK_BYTE_COUNT(len);
2089 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
2100 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2102 smb_info_t *si = pinfo->private_data;
2115 dialect = tvb_get_letohs(tvb, offset);
2118 if(dialect==0xffff){
2119 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2120 tvb, offset, 2, dialect,
2121 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2123 proto_tree_add_uint(tree, hf_smb_dialect_index,
2124 tvb, offset, 2, dialect);
2128 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2129 tvb, offset, 2, dialect,
2130 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2133 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2134 tvb, offset, 2, dialect,
2135 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2138 proto_tree_add_text(tree, tvb, offset, wc*2,
2139 "Words for unknown response format");
2148 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2150 /* Maximum Transmit Buffer Size */
2151 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2152 tvb, offset, 2, TRUE);
2155 /* Maximum Multiplex Count */
2156 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2157 tvb, offset, 2, TRUE);
2160 /* Maximum Vcs Number */
2161 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2162 tvb, offset, 2, TRUE);
2166 offset = dissect_negprot_rawmode(tvb, tree, offset);
2169 proto_tree_add_item(tree, hf_smb_session_key,
2170 tvb, offset, 4, TRUE);
2173 /* current time and date at server */
2174 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2178 tz = tvb_get_letohs(tvb, offset);
2179 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2182 /* encryption key length */
2183 ekl = tvb_get_letohs(tvb, offset);
2184 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2187 /* 2 reserved bytes */
2188 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2195 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2197 /* Maximum Multiplex Count */
2198 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2199 tvb, offset, 2, TRUE);
2202 /* Maximum Vcs Number */
2203 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2204 tvb, offset, 2, TRUE);
2207 /* Maximum Transmit Buffer Size */
2208 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2209 tvb, offset, 4, TRUE);
2212 /* maximum raw buffer size */
2213 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2214 tvb, offset, 4, TRUE);
2218 proto_tree_add_item(tree, hf_smb_session_key,
2219 tvb, offset, 4, TRUE);
2222 /* server capabilities */
2223 caps = dissect_negprot_capabilities(tvb, tree, offset);
2227 offset = dissect_smb_64bit_time(tvb, tree, offset,
2228 hf_smb_system_time);
2231 tz = tvb_get_letohs(tvb, offset);
2232 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2234 "Server Time Zone: %d min from UTC", tz);
2237 /* encryption key length */
2238 ekl = tvb_get_guint8(tvb, offset);
2239 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2240 tvb, offset, 1, ekl);
2250 /* challenge/response encryption key */
2252 CHECK_BYTE_COUNT(ekl);
2253 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2260 * XXX - not present if negotiated dialect isn't
2261 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2262 * have to see the request, or assume what dialect strings
2263 * were sent, to determine that.
2265 * Is this something other than a primary domain if the
2266 * negotiated dialect is Windows for Workgroups 3.1a?
2267 * It appears to be 8 bytes of binary data in at least
2268 * one capture - is that an encryption key or something
2271 dn = get_unicode_or_ascii_string(tvb, &offset,
2272 si->unicode, &dn_len, FALSE, FALSE, &bc);
2275 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2277 COUNT_BYTES(dn_len);
2281 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2282 /* challenge/response encryption key */
2283 /* XXX - is this aligned on an even boundary? */
2285 CHECK_BYTE_COUNT(ekl);
2286 proto_tree_add_item(tree, hf_smb_encryption_key,
2287 tvb, offset, ekl, TRUE);
2292 /* this string is special, unicode is flagged in caps */
2293 /* This string is NOT padded to be 16bit aligned.
2294 (seen in actual capture)
2295 XXX - I've seen a capture where it appears to be
2296 so aligned, but I've also seen captures where
2297 it is. The captures where it appeared to be
2298 aligned may have been from buggy servers. */
2299 si->unicode = (caps&SERVER_CAP_UNICODE);
2300 dn = get_unicode_or_ascii_string(tvb,
2301 &offset, si->unicode, &dn_len, TRUE, FALSE,
2305 proto_tree_add_string(tree, hf_smb_primary_domain,
2306 tvb, offset, dn_len, dn);
2307 COUNT_BYTES(dn_len);
2309 /* server name, seen in w2k pro capture */
2310 dn = get_unicode_or_ascii_string(tvb,
2311 &offset, si->unicode, &dn_len, TRUE, FALSE,
2315 proto_tree_add_string(tree, hf_smb_server,
2316 tvb, offset, dn_len, dn);
2317 COUNT_BYTES(dn_len);
2320 proto_item *blob_item;
2323 /* XXX - show it in the standard Microsoft format
2325 CHECK_BYTE_COUNT(16);
2326 proto_tree_add_item(tree, hf_smb_server_guid,
2327 tvb, offset, 16, TRUE);
2330 blob_item = proto_tree_add_item(
2331 tree, hf_smb_security_blob,
2332 tvb, offset, bc, TRUE);
2336 tvbuff_t *gssapi_tvb;
2337 proto_tree *gssapi_tree;
2339 gssapi_tree = proto_item_add_subtree(
2340 blob_item, ett_smb_gssapi);
2342 gssapi_tvb = tvb_new_subset(
2343 tvb, offset, bc, bc);
2346 gssapi_handle, gssapi_tvb, pinfo,
2362 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2364 smb_info_t *si = pinfo->private_data;
2375 CHECK_BYTE_COUNT(1);
2376 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2380 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2384 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2386 COUNT_BYTES(dn_len);
2388 if (check_col(pinfo->cinfo, COL_INFO)) {
2389 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
2398 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2413 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2421 ec = tvb_get_letohs(tvb, offset);
2422 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2429 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2439 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2446 /* echo sequence number */
2447 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2454 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2464 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2466 smb_info_t *si = pinfo->private_data;
2477 CHECK_BYTE_COUNT(1);
2478 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2482 an = get_unicode_or_ascii_string(tvb, &offset,
2483 si->unicode, &an_len, FALSE, FALSE, &bc);
2486 proto_tree_add_string(tree, hf_smb_path, tvb,
2487 offset, an_len, an);
2488 COUNT_BYTES(an_len);
2490 if (check_col(pinfo->cinfo, COL_INFO)) {
2491 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2495 CHECK_BYTE_COUNT(1);
2496 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2499 /* password, ANSI */
2500 /* XXX - what if this runs past bc? */
2501 pwlen = tvb_strsize(tvb, offset);
2502 CHECK_BYTE_COUNT(pwlen);
2503 proto_tree_add_item(tree, hf_smb_password,
2504 tvb, offset, pwlen, TRUE);
2508 CHECK_BYTE_COUNT(1);
2509 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2513 an = get_unicode_or_ascii_string(tvb, &offset,
2514 si->unicode, &an_len, FALSE, FALSE, &bc);
2517 proto_tree_add_string(tree, hf_smb_service, tvb,
2518 offset, an_len, an);
2519 COUNT_BYTES(an_len);
2527 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2534 /* Maximum Buffer Size */
2535 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2539 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
2550 static const true_false_string tfs_of_create = {
2551 "Create file if it does not exist",
2552 "Fail if file does not exist"
2554 static const value_string of_open[] = {
2555 { 0, "Fail if file exists"},
2556 { 1, "Open file if it exists"},
2557 { 2, "Truncate file if it exists"},
2561 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2564 proto_item *item = NULL;
2565 proto_tree *tree = NULL;
2567 mask = tvb_get_letohs(tvb, offset);
2570 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2571 "Open Function: 0x%04x", mask);
2572 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2575 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2576 tvb, offset, 2, mask);
2577 proto_tree_add_uint(tree, hf_smb_open_function_open,
2578 tvb, offset, 2, mask);
2586 static const true_false_string tfs_mf_file = {
2587 "Target must be a file",
2588 "Target needn't be a file"
2590 static const true_false_string tfs_mf_dir = {
2591 "Target must be a directory",
2592 "Target needn't be a directory"
2594 static const true_false_string tfs_mf_verify = {
2595 "MUST verify all writes",
2596 "Don't have to verify writes"
2599 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2602 proto_item *item = NULL;
2603 proto_tree *tree = NULL;
2605 mask = tvb_get_letohs(tvb, offset);
2608 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2609 "Flags: 0x%04x", mask);
2610 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2613 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2614 tvb, offset, 2, mask);
2615 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2616 tvb, offset, 2, mask);
2617 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2618 tvb, offset, 2, mask);
2625 static const true_false_string tfs_cf_mode = {
2629 static const true_false_string tfs_cf_tree_copy = {
2630 "Copy is a tree copy",
2631 "Copy is a file copy"
2633 static const true_false_string tfs_cf_ea_action = {
2638 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2641 proto_item *item = NULL;
2642 proto_tree *tree = NULL;
2644 mask = tvb_get_letohs(tvb, offset);
2647 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2648 "Flags: 0x%04x", mask);
2649 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2652 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2653 tvb, offset, 2, mask);
2654 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2655 tvb, offset, 2, mask);
2656 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2657 tvb, offset, 2, mask);
2658 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2659 tvb, offset, 2, mask);
2660 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2661 tvb, offset, 2, mask);
2662 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2663 tvb, offset, 2, mask);
2664 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2665 tvb, offset, 2, mask);
2673 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2675 smb_info_t *si = pinfo->private_data;
2685 tid = tvb_get_letohs(tvb, offset);
2686 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2687 "TID (target): 0x%04x", tid);
2691 offset = dissect_open_function(tvb, tree, offset);
2694 offset = dissect_move_flags(tvb, tree, offset);
2699 CHECK_BYTE_COUNT(1);
2700 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2704 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2708 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2709 fn_len, fn, "Old File Name: %s", fn);
2710 COUNT_BYTES(fn_len);
2712 if (check_col(pinfo->cinfo, COL_INFO)) {
2713 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2717 CHECK_BYTE_COUNT(1);
2718 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2722 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2726 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2727 fn_len, fn, "New File Name: %s", fn);
2728 COUNT_BYTES(fn_len);
2730 if (check_col(pinfo->cinfo, COL_INFO)) {
2731 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2740 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2742 smb_info_t *si = pinfo->private_data;
2752 tid = tvb_get_letohs(tvb, offset);
2753 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2754 "TID (target): 0x%04x", tid);
2758 offset = dissect_open_function(tvb, tree, offset);
2761 offset = dissect_copy_flags(tvb, tree, offset);
2766 CHECK_BYTE_COUNT(1);
2767 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2771 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2775 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2776 fn_len, fn, "Source File Name: %s", fn);
2777 COUNT_BYTES(fn_len);
2779 if (check_col(pinfo->cinfo, COL_INFO)) {
2780 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s", fn);
2784 CHECK_BYTE_COUNT(1);
2785 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2789 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2793 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2794 fn_len, fn, "Destination File Name: %s", fn);
2795 COUNT_BYTES(fn_len);
2797 if (check_col(pinfo->cinfo, COL_INFO)) {
2798 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", fn);
2807 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2809 smb_info_t *si = pinfo->private_data;
2817 /* # of files moved */
2818 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
2824 CHECK_BYTE_COUNT(1);
2825 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2829 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2833 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2835 COUNT_BYTES(fn_len);
2843 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2845 smb_info_t *si = pinfo->private_data;
2853 /* desired access */
2854 offset = dissect_access(tvb, tree, offset, "Desired");
2856 /* Search Attributes */
2857 offset = dissect_search_attributes(tvb, tree, offset);
2862 CHECK_BYTE_COUNT(1);
2863 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2867 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2871 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2873 COUNT_BYTES(fn_len);
2875 if (check_col(pinfo->cinfo, COL_INFO)) {
2876 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2885 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2886 int len, guint16 fid)
2888 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2889 if (check_col(pinfo->cinfo, COL_INFO))
2890 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
2894 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2903 fid = tvb_get_letohs(tvb, offset);
2904 add_fid(tvb, pinfo, tree, offset, 2, fid);
2907 /* File Attributes */
2908 offset = dissect_file_attributes(tvb, tree, offset);
2910 /* last write time */
2911 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
2914 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2917 /* granted access */
2918 offset = dissect_access(tvb, tree, offset, "Granted");
2928 dissect_fid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2937 fid = tvb_get_letohs(tvb, offset);
2938 add_fid(tvb, pinfo, tree, offset, 2, fid);
2949 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2951 smb_info_t *si = pinfo->private_data;
2959 /* file attributes */
2960 offset = dissect_file_attributes(tvb, tree, offset);
2963 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
2968 CHECK_BYTE_COUNT(1);
2969 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2973 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2977 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2979 COUNT_BYTES(fn_len);
2981 if (check_col(pinfo->cinfo, COL_INFO)) {
2982 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2991 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2999 fid = tvb_get_letohs(tvb, offset);
3000 add_fid(tvb, pinfo, tree, offset, 2, fid);
3003 /* last write time */
3004 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3014 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3016 smb_info_t *si = pinfo->private_data;
3024 /* search attributes */
3025 offset = dissect_search_attributes(tvb, tree, offset);
3030 CHECK_BYTE_COUNT(1);
3031 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3035 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3039 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3041 COUNT_BYTES(fn_len);
3043 if (check_col(pinfo->cinfo, COL_INFO)) {
3044 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3053 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3055 smb_info_t *si = pinfo->private_data;
3063 /* search attributes */
3064 offset = dissect_search_attributes(tvb, tree, offset);
3069 CHECK_BYTE_COUNT(1);
3070 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3074 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3078 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3080 COUNT_BYTES(fn_len);
3082 if (check_col(pinfo->cinfo, COL_INFO)) {
3083 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3087 CHECK_BYTE_COUNT(1);
3088 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3092 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3096 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3098 COUNT_BYTES(fn_len);
3100 if (check_col(pinfo->cinfo, COL_INFO)) {
3101 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
3110 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3112 smb_info_t *si = pinfo->private_data;
3120 /* search attributes */
3121 offset = dissect_search_attributes(tvb, tree, offset);
3123 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3126 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3132 CHECK_BYTE_COUNT(1);
3133 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3137 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3141 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3143 COUNT_BYTES(fn_len);
3145 if (check_col(pinfo->cinfo, COL_INFO)) {
3146 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3150 CHECK_BYTE_COUNT(1);
3151 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3155 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3159 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3161 COUNT_BYTES(fn_len);
3163 if (check_col(pinfo->cinfo, COL_INFO)) {
3164 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
3174 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3176 smb_info_t *si = pinfo->private_data;
3187 CHECK_BYTE_COUNT(1);
3188 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3192 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3196 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3198 COUNT_BYTES(fn_len);
3200 if (check_col(pinfo->cinfo, COL_INFO)) {
3201 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3210 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3217 /* File Attributes */
3218 offset = dissect_file_attributes(tvb, tree, offset);
3220 /* Last Write Time */
3221 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3224 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3227 /* 10 reserved bytes */
3228 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3239 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3241 smb_info_t *si = pinfo->private_data;
3249 /* file attributes */
3250 offset = dissect_file_attributes(tvb, tree, offset);
3252 /* last write time */
3253 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3255 /* 10 reserved bytes */
3256 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3262 CHECK_BYTE_COUNT(1);
3263 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3267 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3271 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3273 COUNT_BYTES(fn_len);
3275 if (check_col(pinfo->cinfo, COL_INFO)) {
3276 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3285 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3295 fid = tvb_get_letohs(tvb, offset);
3296 add_fid(tvb, pinfo, tree, offset, 2, fid);
3298 if (!pinfo->fd->flags.visited) {
3299 /* remember the FID for the processing of the response */
3300 si = (smb_info_t *)pinfo->private_data;
3301 si->sip->extra_info=(void *)fid;
3305 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3309 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3313 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3324 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3329 /* We have some initial padding bytes. */
3330 /* XXX - use the data offset here instead? */
3331 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3333 offset += bc-datalen;
3336 tvblen = tvb_length_remaining(tvb, offset);
3338 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3341 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
3348 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3349 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3352 tvbuff_t *dcerpc_tvb;
3355 /* We have some initial padding bytes. */
3356 /* XXX - use the data offset here instead? */
3357 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3359 offset += bc-datalen;
3362 tvblen = tvb_length_remaining(tvb, offset);
3363 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3364 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3373 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3377 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3383 cnt = tvb_get_letohs(tvb, offset);
3384 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3387 /* 8 reserved bytes */
3388 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3391 /* If we have seen the request, then print which FID this refers to */
3392 /* first check if we have seen the request */
3393 if(si->sip != NULL && si->sip->frame_req>0){
3394 fid=(int)si->sip->extra_info;
3395 add_fid(tvb, pinfo, tree, 0, 0, fid);
3401 CHECK_BYTE_COUNT(1);
3402 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3406 CHECK_BYTE_COUNT(2);
3407 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3410 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
3413 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
3415 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3416 top_tree, offset, bc, bc, fid);
3418 /* ordinary file data, or we didn't see the request,
3419 so we don't know whether this is a DCERPC call
3421 offset = dissect_file_data(tvb, tree, offset, bc, bc);
3432 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3440 cnt = tvb_get_letohs(tvb, offset);
3441 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3444 /* 8 reserved bytes */
3445 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3451 CHECK_BYTE_COUNT(1);
3452 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3456 CHECK_BYTE_COUNT(2);
3457 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3467 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3470 guint16 cnt=0, bc, fid=0;
3472 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3477 fid = tvb_get_letohs(tvb, offset);
3478 add_fid(tvb, pinfo, tree, offset, 2, fid);
3482 cnt = tvb_get_letohs(tvb, offset);
3483 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3487 ofs = tvb_get_letohl(tvb, offset);
3488 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3491 if (check_col(pinfo->cinfo, COL_INFO))
3492 col_append_fstr(pinfo->cinfo, COL_INFO,
3493 ", %u byte%s at offset %u", cnt,
3494 (cnt == 1) ? "" : "s", ofs);
3497 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3503 CHECK_BYTE_COUNT(1);
3504 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3508 CHECK_BYTE_COUNT(2);
3509 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3513 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3515 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3516 top_tree, offset, bc, bc, fid);
3518 /* ordinary file data */
3519 offset = dissect_file_data(tvb, tree, offset, bc, bc);
3530 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3538 cnt = tvb_get_letohs(tvb, offset);
3539 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3542 if (check_col(pinfo->cinfo, COL_INFO))
3543 col_append_fstr(pinfo->cinfo, COL_INFO,
3544 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
3554 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3562 fid = tvb_get_letohs(tvb, offset);
3563 add_fid(tvb, pinfo, tree, offset, 2, fid);
3567 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3571 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3582 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3584 smb_info_t *si = pinfo->private_data;
3592 /* 2 reserved bytes */
3593 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3597 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3602 CHECK_BYTE_COUNT(1);
3603 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3606 /* directory name */
3607 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3611 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3613 COUNT_BYTES(fn_len);
3615 if (check_col(pinfo->cinfo, COL_INFO)) {
3616 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3625 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3627 smb_info_t *si = pinfo->private_data;
3636 fid = tvb_get_letohs(tvb, offset);
3637 add_fid(tvb, pinfo, tree, offset, 2, fid);
3643 CHECK_BYTE_COUNT(1);
3644 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3648 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3652 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3654 COUNT_BYTES(fn_len);
3661 static const value_string seek_mode_vals[] = {
3662 {0, "From Start Of File"},
3663 {1, "From Current Position"},
3664 {2, "From End Of File"},
3669 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3677 fid = tvb_get_letohs(tvb, offset);
3678 add_fid(tvb, pinfo, tree, offset, 2, fid);
3682 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3686 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3697 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3705 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3716 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3724 fid = tvb_get_letohs(tvb, offset);
3725 add_fid(tvb, pinfo, tree, offset, 2, fid);
3729 offset = dissect_smb_datetime(tvb, tree, offset,
3731 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3734 offset = dissect_smb_datetime(tvb, tree, offset,
3736 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3738 /* last write time */
3739 offset = dissect_smb_datetime(tvb, tree, offset,
3740 hf_smb_last_write_time,
3741 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3751 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3759 offset = dissect_smb_datetime(tvb, tree, offset,
3761 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3764 offset = dissect_smb_datetime(tvb, tree, offset,
3766 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3768 /* last write time */
3769 offset = dissect_smb_datetime(tvb, tree, offset,
3770 hf_smb_last_write_time,
3771 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3774 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3777 /* allocation size */
3778 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3781 /* File Attributes */
3782 offset = dissect_file_attributes(tvb, tree, offset);
3792 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3801 fid = tvb_get_letohs(tvb, offset);
3802 add_fid(tvb, pinfo, tree, offset, 2, fid);
3806 cnt = tvb_get_letohs(tvb, offset);
3807 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3811 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3814 /* last write time */
3815 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3818 /* 12 reserved bytes */
3819 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3826 CHECK_BYTE_COUNT(1);
3827 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
3830 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
3839 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3847 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3858 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3867 fid = tvb_get_letohs(tvb, offset);
3868 add_fid(tvb, pinfo, tree, offset, 2, fid);
3872 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3876 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3880 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3884 to = tvb_get_letohl(tvb, offset);
3885 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3888 /* 2 reserved bytes */
3889 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3894 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3906 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3914 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3918 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3922 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3926 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3929 /* 2 reserved bytes */
3930 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3941 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3949 fid = tvb_get_letohs(tvb, offset);
3950 add_fid(tvb, pinfo, tree, offset, 2, fid);
3954 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3958 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3962 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3965 /* 6 reserved bytes */
3966 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
3977 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3979 guint16 datalen=0, bc;
3985 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3989 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3992 /* 2 reserved bytes */
3993 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3996 /* data compaction mode */
3997 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4000 /* 2 reserved bytes */
4001 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4005 datalen = tvb_get_letohs(tvb, offset);
4006 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4010 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4016 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4025 static const true_false_string tfs_write_mode_write_through = {
4026 "WRITE THROUGH requested",
4027 "Write through not requested"
4029 static const true_false_string tfs_write_mode_return_remaining = {
4030 "RETURN REMAINING (pipe/dev) requested",
4031 "DON'T return remaining (pipe/dev)"
4033 static const true_false_string tfs_write_mode_raw = {
4034 "Use WriteRawNamedPipe (pipe)",
4035 "DON'T use WriteRawNamedPipe (pipe)"
4037 static const true_false_string tfs_write_mode_message_start = {
4038 "This is the START of a MESSAGE (pipe)",
4039 "This is NOT the start of a message (pipe)"
4041 static const true_false_string tfs_write_mode_connectionless = {
4042 "CONNECTIONLESS mode requested",
4043 "Connectionless mode NOT requested"
4046 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4049 proto_item *item = NULL;
4050 proto_tree *tree = NULL;
4052 mask = tvb_get_letohs(tvb, offset);
4055 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4056 "Write Mode: 0x%04x", mask);
4057 tree = proto_item_add_subtree(item, ett_smb_rawmode);
4061 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4062 tvb, offset, 2, mask);
4065 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4066 tvb, offset, 2, mask);
4069 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4070 tvb, offset, 2, mask);
4073 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4074 tvb, offset, 2, mask);
4077 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4078 tvb, offset, 2, mask);
4086 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4089 guint16 datalen=0, bc, fid;
4095 fid = tvb_get_letohs(tvb, offset);
4096 add_fid(tvb, pinfo, tree, offset, 2, fid);
4099 /* total data length */
4100 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4103 /* 2 reserved bytes */
4104 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4108 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4112 to = tvb_get_letohl(tvb, offset);
4113 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4117 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4119 /* 4 reserved bytes */
4120 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4124 datalen = tvb_get_letohs(tvb, offset);
4125 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4129 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4135 /* XXX - use the data offset to determine where the data starts? */
4136 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4145 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4153 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4164 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4167 guint16 datalen=0, bc, fid;
4173 fid = tvb_get_letohs(tvb, offset);
4174 add_fid(tvb, pinfo, tree, offset, 2, fid);
4177 /* total data length */
4178 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4181 /* 2 reserved bytes */
4182 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4186 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4190 to = tvb_get_letohl(tvb, offset);
4191 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4195 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
4198 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
4202 datalen = tvb_get_letohs(tvb, offset);
4203 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4207 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4213 /* XXX - use the data offset to determine where the data starts? */
4214 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4223 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4231 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
4242 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4250 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
4261 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4262 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4263 gboolean has_find_id)
4265 proto_item *item = NULL;
4266 proto_tree *tree = NULL;
4267 smb_info_t *si = pinfo->private_data;
4273 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4275 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4279 CHECK_BYTE_COUNT_SUBR(1);
4280 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4281 COUNT_BYTES_SUBR(1);
4285 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4287 CHECK_STRING_SUBR(fn);
4288 /* ensure that it's null-terminated */
4289 strncpy(fname, fn, 11);
4291 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4293 COUNT_BYTES_SUBR(fn_len);
4296 CHECK_BYTE_COUNT_SUBR(1);
4297 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
4298 COUNT_BYTES_SUBR(1);
4301 CHECK_BYTE_COUNT_SUBR(4);
4302 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
4303 COUNT_BYTES_SUBR(4);
4306 CHECK_BYTE_COUNT_SUBR(5);
4307 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4308 COUNT_BYTES_SUBR(5);
4312 CHECK_BYTE_COUNT_SUBR(4);
4313 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4314 COUNT_BYTES_SUBR(4);
4321 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4322 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4323 gboolean has_find_id)
4325 proto_item *item = NULL;
4326 proto_tree *tree = NULL;
4327 smb_info_t *si = pinfo->private_data;
4333 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4334 "Directory Information");
4335 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4339 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
4340 trunc, has_find_id);
4344 /* File Attributes */
4345 CHECK_BYTE_COUNT_SUBR(1);
4346 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
4349 /* last write time */
4350 CHECK_BYTE_COUNT_SUBR(4);
4351 offset = dissect_smb_datetime(tvb, tree, offset,
4352 hf_smb_last_write_time,
4353 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4358 CHECK_BYTE_COUNT_SUBR(4);
4359 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4360 COUNT_BYTES_SUBR(4);
4364 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4366 CHECK_STRING_SUBR(fn);
4367 /* ensure that it's null-terminated */
4368 strncpy(fname, fn, 13);
4370 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4372 COUNT_BYTES_SUBR(fn_len);
4380 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
4381 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4382 gboolean has_find_id)
4384 smb_info_t *si = pinfo->private_data;
4395 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4398 /* Search Attributes */
4399 offset = dissect_search_attributes(tvb, tree, offset);
4404 CHECK_BYTE_COUNT(1);
4405 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4409 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4413 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4415 COUNT_BYTES(fn_len);
4417 if (check_col(pinfo->cinfo, COL_INFO)) {
4418 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4422 CHECK_BYTE_COUNT(1);
4423 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4426 /* resume key length */
4427 CHECK_BYTE_COUNT(2);
4428 rkl = tvb_get_letohs(tvb, offset);
4429 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4434 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4435 &bc, &trunc, has_find_id);
4446 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4447 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4449 return dissect_search_find_request(tvb, pinfo, tree, offset,
4454 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4455 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4457 return dissect_search_find_request(tvb, pinfo, tree, offset,
4462 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4463 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4465 return dissect_search_find_request(tvb, pinfo, tree, offset,
4470 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4471 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4472 gboolean has_find_id)
4482 count = tvb_get_letohs(tvb, offset);
4483 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4489 CHECK_BYTE_COUNT(1);
4490 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4494 CHECK_BYTE_COUNT(2);
4495 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4499 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4500 &bc, &trunc, has_find_id);
4511 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4513 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4518 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4520 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4525 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4526 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4535 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4541 CHECK_BYTE_COUNT(1);
4542 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4546 CHECK_BYTE_COUNT(2);
4547 data_len = tvb_get_ntohs(tvb, offset);
4548 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
4551 if (data_len != 0) {
4552 CHECK_BYTE_COUNT(data_len);
4553 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
4555 COUNT_BYTES(data_len);
4563 static const value_string locking_ol_vals[] = {
4564 {0, "Client is not holding oplock on this file"},
4565 {1, "Level 2 oplock currently held by client"},
4569 static const true_false_string tfs_lock_type_large = {
4570 "Large file locking format requested",
4571 "Large file locking format not requested"
4573 static const true_false_string tfs_lock_type_cancel = {
4574 "Cancel outstanding lock request",
4575 "Don't cancel outstanding lock request"
4577 static const true_false_string tfs_lock_type_change = {
4579 "Don't change lock type"
4581 static const true_false_string tfs_lock_type_oplock = {
4582 "This is an oplock break notification/response",
4583 "This is not an oplock break notification/response"
4585 static const true_false_string tfs_lock_type_shared = {
4586 "This is a shared lock",
4587 "This is an exclusive lock"
4590 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4592 guint8 wc, cmd=0xff, lt=0;
4593 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4595 proto_item *litem = NULL;
4596 proto_tree *ltree = NULL;
4597 proto_item *it = NULL;
4598 proto_tree *tr = NULL;
4599 int old_offset = offset;
4603 /* next smb command */
4604 cmd = tvb_get_guint8(tvb, offset);
4606 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4608 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4613 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4617 andxoffset = tvb_get_letohs(tvb, offset);
4618 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4622 fid = tvb_get_letohs(tvb, offset);
4623 add_fid(tvb, pinfo, tree, offset, 2, fid);
4627 lt = tvb_get_guint8(tvb, offset);
4629 litem = proto_tree_add_text(tree, tvb, offset, 1,
4630 "Lock Type: 0x%02x", lt);
4631 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4633 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4634 tvb, offset, 1, lt);
4635 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4636 tvb, offset, 1, lt);
4637 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4638 tvb, offset, 1, lt);
4639 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4640 tvb, offset, 1, lt);
4641 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4642 tvb, offset, 1, lt);
4646 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
4650 to = tvb_get_letohl(tvb, offset);
4652 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4653 else if (to == 0xffffffff)
4654 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4656 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4659 /* number of unlocks */
4660 un = tvb_get_letohs(tvb, offset);
4661 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4664 /* number of locks */
4665 ln = tvb_get_letohs(tvb, offset);
4666 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4673 old_offset = offset;
4675 it = proto_tree_add_text(tree, tvb, offset, -1,
4677 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4679 proto_item *litem = NULL;
4680 proto_tree *ltree = NULL;
4682 /* large lock format */
4683 litem = proto_tree_add_text(tr, tvb, offset, 20,
4685 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4688 CHECK_BYTE_COUNT(2);
4689 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4692 /* 2 reserved bytes */
4693 CHECK_BYTE_COUNT(2);
4694 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4698 CHECK_BYTE_COUNT(8);
4699 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4703 CHECK_BYTE_COUNT(8);
4704 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4707 /* normal lock format */
4708 litem = proto_tree_add_text(tr, tvb, offset, 10,
4710 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4713 CHECK_BYTE_COUNT(2);
4714 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4718 CHECK_BYTE_COUNT(4);
4719 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4723 CHECK_BYTE_COUNT(4);
4724 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4728 proto_item_set_len(it, offset-old_offset);
4734 old_offset = offset;
4736 it = proto_tree_add_text(tree, tvb, offset, -1,
4738 tr = proto_item_add_subtree(it, ett_smb_locks);
4740 proto_item *litem = NULL;
4741 proto_tree *ltree = NULL;
4743 /* large lock format */
4744 litem = proto_tree_add_text(tr, tvb, offset, 20,
4746 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4749 CHECK_BYTE_COUNT(2);
4750 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4753 /* 2 reserved bytes */
4754 CHECK_BYTE_COUNT(2);
4755 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4759 CHECK_BYTE_COUNT(8);
4760 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4764 CHECK_BYTE_COUNT(8);
4765 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4768 /* normal lock format */
4769 litem = proto_tree_add_text(tr, tvb, offset, 10,
4771 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4774 CHECK_BYTE_COUNT(2);
4775 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4779 CHECK_BYTE_COUNT(4);
4780 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4784 CHECK_BYTE_COUNT(4);
4785 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4789 proto_item_set_len(it, offset-old_offset);
4797 * We ran out of byte count in the middle of dissecting
4798 * the locks or the unlocks; set the site of the item
4799 * we were dissecting.
4801 proto_item_set_len(it, offset-old_offset);
4804 /* call AndXCommand (if there are any) */
4805 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
4811 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4813 guint8 wc, cmd=0xff;
4814 guint16 andxoffset=0;
4819 /* next smb command */
4820 cmd = tvb_get_guint8(tvb, offset);
4822 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4824 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4829 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4833 andxoffset = tvb_get_letohs(tvb, offset);
4834 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4841 /* call AndXCommand (if there are any) */
4842 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
4848 static const value_string oa_open_vals[] = {
4849 { 0, "No action taken?"},
4850 { 1, "The file existed and was opened"},
4851 { 2, "The file did not exist but was created"},
4852 { 3, "The file existed and was truncated"},
4855 static const true_false_string tfs_oa_lock = {
4856 "File is currently opened only by this user",
4857 "File is opened by another user (or mode not supported by server)"
4860 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4863 proto_item *item = NULL;
4864 proto_tree *tree = NULL;
4866 mask = tvb_get_letohs(tvb, offset);
4869 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4870 "Action: 0x%04x", mask);
4871 tree = proto_item_add_subtree(item, ett_smb_open_action);
4874 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4875 tvb, offset, 2, mask);
4876 proto_tree_add_uint(tree, hf_smb_open_action_open,
4877 tvb, offset, 2, mask);
4884 static const true_false_string tfs_open_flags_add_info = {
4885 "Additional information requested",
4886 "Additional information not requested"
4888 static const true_false_string tfs_open_flags_ex_oplock = {
4889 "Exclusive oplock requested",
4890 "Exclusive oplock not requested"
4892 static const true_false_string tfs_open_flags_batch_oplock = {
4893 "Batch oplock requested",
4894 "Batch oplock not requested"
4896 static const true_false_string tfs_open_flags_ealen = {
4897 "Total length of EAs requested",
4898 "Total length of EAs not requested"
4901 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4904 proto_item *item = NULL;
4905 proto_tree *tree = NULL;
4907 mask = tvb_get_letohs(tvb, offset);
4910 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4911 "Flags: 0x%04x", mask);
4912 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4916 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4917 tvb, offset, 2, mask);
4920 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4921 tvb, offset, 2, mask);
4924 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4925 tvb, offset, 2, mask);
4928 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4929 tvb, offset, 2, mask);
4937 static const value_string filetype_vals[] = {
4938 { 0, "Disk file or directory"},
4939 { 1, "Named pipe in byte mode"},
4940 { 2, "Named pipe in message mode"},
4941 { 3, "Spooled printer"},
4945 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4947 guint8 wc, cmd=0xff;
4948 guint16 andxoffset=0, bc;
4949 smb_info_t *si = pinfo->private_data;
4955 /* next smb command */
4956 cmd = tvb_get_guint8(tvb, offset);
4958 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4960 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4965 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4969 andxoffset = tvb_get_letohs(tvb, offset);
4970 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4974 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
4976 /* desired access */
4977 offset = dissect_access(tvb, tree, offset, "Desired");
4979 /* Search Attributes */
4980 offset = dissect_search_attributes(tvb, tree, offset);
4982 /* File Attributes */
4983 offset = dissect_file_attributes(tvb, tree, offset);
4986 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
4989 offset = dissect_open_function(tvb, tree, offset);
4991 /* allocation size */
4992 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
4995 /* 8 reserved bytes */
4996 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
5002 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5006 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5008 COUNT_BYTES(fn_len);
5010 if (check_col(pinfo->cinfo, COL_INFO)) {
5011 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
5016 /* call AndXCommand (if there are any) */
5017 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5022 static const true_false_string tfs_ipc_state_nonblocking = {
5023 "Reads/writes return immediately if no data available",
5024 "Reads/writes block if no data available"
5026 static const value_string ipc_state_endpoint_vals[] = {
5027 { 0, "Consumer end of pipe"},
5028 { 1, "Server end of pipe"},
5031 static const value_string ipc_state_pipe_type_vals[] = {
5032 { 0, "Byte stream pipe"},
5033 { 1, "Message pipe"},
5036 static const value_string ipc_state_read_mode_vals[] = {
5037 { 0, "Read pipe as a byte stream"},
5038 { 1, "Read messages from pipe"},
5043 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
5047 proto_item *item = NULL;
5048 proto_tree *tree = NULL;
5050 mask = tvb_get_letohs(tvb, offset);
5053 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5054 "IPC State: 0x%04x", mask);
5055 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
5058 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
5059 tvb, offset, 2, mask);
5061 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
5062 tvb, offset, 2, mask);
5063 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
5064 tvb, offset, 2, mask);
5066 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
5067 tvb, offset, 2, mask);
5069 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
5070 tvb, offset, 2, mask);
5079 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5081 guint8 wc, cmd=0xff;
5082 guint16 andxoffset=0, bc;
5087 /* next smb command */
5088 cmd = tvb_get_guint8(tvb, offset);
5090 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5092 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5097 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5101 andxoffset = tvb_get_letohs(tvb, offset);
5102 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5106 fid = tvb_get_letohs(tvb, offset);
5107 add_fid(tvb, pinfo, tree, offset, 2, fid);
5110 /* File Attributes */
5111 offset = dissect_file_attributes(tvb, tree, offset);
5113 /* last write time */
5114 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
5117 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5120 /* granted access */
5121 offset = dissect_access(tvb, tree, offset, "Granted");
5124 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
5128 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
5131 offset = dissect_open_action(tvb, tree, offset);
5134 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
5137 /* 2 reserved bytes */
5138 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5145 /* call AndXCommand (if there are any) */
5146 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5152 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5154 guint8 wc, cmd=0xff;
5155 guint16 andxoffset=0, bc, maxcnt = 0;
5162 /* next smb command */
5163 cmd = tvb_get_guint8(tvb, offset);
5165 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5167 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5172 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5176 andxoffset = tvb_get_letohs(tvb, offset);
5177 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5181 fid = tvb_get_letohs(tvb, offset);
5182 add_fid(tvb, pinfo, tree, offset, 2, fid);
5184 if (!pinfo->fd->flags.visited) {
5185 /* remember the FID for the processing of the response */
5186 si = (smb_info_t *)pinfo->private_data;
5187 si->sip->extra_info=(void *)fid;
5191 ofs = tvb_get_letohl(tvb, offset);
5192 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5196 maxcnt = tvb_get_letohs(tvb, offset);
5197 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
5200 if (check_col(pinfo->cinfo, COL_INFO))
5201 col_append_fstr(pinfo->cinfo, COL_INFO,
5202 ", %u byte%s at offset %u", maxcnt,
5203 (maxcnt == 1) ? "" : "s", ofs);
5206 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
5209 /* XXX - max count high */
5210 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5214 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5219 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5227 /* call AndXCommand (if there are any) */
5228 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5234 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5236 guint8 wc, cmd=0xff;
5237 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
5238 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5243 /* next smb command */
5244 cmd = tvb_get_guint8(tvb, offset);
5246 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5248 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5253 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5257 andxoffset = tvb_get_letohs(tvb, offset);
5258 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5261 /* If we have seen the request, then print which FID this refers to */
5262 /* first check if we have seen the request */
5263 if(si->sip != NULL && si->sip->frame_req>0){
5264 fid=(int)si->sip->extra_info;
5265 add_fid(tvb, pinfo, tree, 0, 0, fid);
5269 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5272 /* data compaction mode */
5273 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
5276 /* 2 reserved bytes */
5277 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5281 datalen = tvb_get_letohs(tvb, offset);
5282 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5285 if (check_col(pinfo->cinfo, COL_INFO))
5286 col_append_fstr(pinfo->cinfo, COL_INFO,
5287 ", %u byte%s", datalen,
5288 (datalen == 1) ? "" : "s");
5291 dataoffset=tvb_get_letohs(tvb, offset);
5292 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5295 /* 10 reserved bytes */
5296 /* XXX - first 2 bytes are data length high, not reserved */
5297 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
5302 /* is this part of DCERPC over SMB reassembly?*/
5303 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited
5304 && (bc<=tvb_length_remaining(tvb, offset)) ){
5305 gpointer hash_value;
5306 if (si->sip != NULL && (hash_value = g_hash_table_lookup(
5307 si->ct->dcerpc_fid_to_frame,
5308 si->sip->extra_info)) != NULL) {
5309 fragment_data *fd_head;
5310 guint32 frame = GPOINTER_TO_UINT(hash_value);
5312 /* first fragment is always from a SMB Trans command and
5313 offset 0 of the following read/write SMB commands start
5314 BEYOND the first Trans SMB payload. Look for offset
5315 in first read fragment */
5316 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
5318 /* skip to last fragment and add this data there*/
5319 while(fd_head->next){
5320 fd_head=fd_head->next;
5322 /* if dataoffset was not specified in the SMB command
5323 then we try to guess it as good as we can
5326 dataoffset=offset+bc-datalen;
5328 fd_head=fragment_add(tvb, dataoffset, pinfo,
5329 frame, dcerpc_fragment_table,
5330 fd_head->offset+fd_head->len,
5332 /* we completed reassembly, abort searching for more
5335 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
5336 si->sip->extra_info);
5342 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
5345 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
5347 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
5348 top_tree, offset, bc, datalen, fid);
5350 /* ordinary file data, or we didn't see the request,
5351 so we don't know whether this is a DCERPC call
5353 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
5360 /* call AndXCommand (if there are any) */
5361 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5367 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5370 guint8 wc, cmd=0xff;
5371 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
5372 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5377 /* next smb command */
5378 cmd = tvb_get_guint8(tvb, offset);
5380 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5382 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5387 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5391 andxoffset = tvb_get_letohs(tvb, offset);
5392 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5396 fid = tvb_get_letohs(tvb, offset);
5397 add_fid(tvb, pinfo, tree, offset, 2, fid);
5399 if (!pinfo->fd->flags.visited) {
5400 /* remember the FID for the processing of the response */
5401 si->sip->extra_info=(void *)fid;
5405 ofs = tvb_get_letohl(tvb, offset);
5406 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5410 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5414 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
5417 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5420 /* XXX - data length high */
5421 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5425 datalen = tvb_get_letohs(tvb, offset);
5426 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5430 dataoffset=tvb_get_letohs(tvb, offset);
5431 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5434 /* FIXME: add byte/offset to COL_INFO */
5438 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5444 /* is this part of DCERPC over SMB reassembly?*/
5445 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited && (bc<=tvb_length_remaining(tvb, offset)) ){
5446 gpointer hash_value;
5447 hash_value = g_hash_table_lookup(si->ct->dcerpc_fid_to_frame,
5448 si->sip->extra_info);
5450 fragment_data *fd_head;
5451 guint32 frame = GPOINTER_TO_UINT(hash_value);
5453 /* first fragment is always from a SMB Trans command and
5454 offset 0 of the following read/write SMB commands start
5455 BEYOND the first Trans SMB payload. Look for offset
5456 in first read fragment */
5457 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
5459 /* skip to last fragment and add this data there*/
5460 while(fd_head->next){
5461 fd_head=fd_head->next;
5463 /* if dataoffset was not specified in the SMB command
5464 then we try to guess it as good as we can
5467 dataoffset=offset+bc-datalen;
5469 fd_head=fragment_add(tvb, dataoffset, pinfo,
5470 frame, dcerpc_fragment_table,
5471 fd_head->offset+fd_head->len,
5473 /* we completed reassembly, abort searching for more
5476 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
5477 si->sip->extra_info);
5485 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
5487 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
5488 top_tree, offset, bc, datalen, fid);
5490 /* ordinary file data */
5491 offset = dissect_file_data(tvb, tree, offset,
5499 /* call AndXCommand (if there are any) */
5500 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5506 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5508 guint8 wc, cmd=0xff;
5509 guint16 andxoffset=0, bc;
5514 /* next smb command */
5515 cmd = tvb_get_guint8(tvb, offset);
5517 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5519 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5524 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5528 andxoffset = tvb_get_letohs(tvb, offset);
5529 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5532 /* If we have seen the request, then print which FID this refers to */
5533 si = (smb_info_t *)pinfo->private_data;
5534 /* first check if we have seen the request */
5535 if(si->sip != NULL && si->sip->frame_req>0){
5536 add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
5540 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
5544 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5547 /* 4 reserved bytes */
5548 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5555 /* call AndXCommand (if there are any) */
5556 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5562 static const true_false_string tfs_setup_action_guest = {
5563 "Logged in as GUEST",
5564 "Not logged in as GUEST"
5567 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5570 proto_item *item = NULL;
5571 proto_tree *tree = NULL;
5573 mask = tvb_get_letohs(tvb, offset);
5576 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5577 "Action: 0x%04x", mask);
5578 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5581 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5582 tvb, offset, 2, mask);
5591 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5593 guint8 wc, cmd=0xff;
5595 guint16 andxoffset=0;
5596 smb_info_t *si = pinfo->private_data;
5603 guint16 apwlen=0, upwlen=0;
5607 /* next smb command */
5608 cmd = tvb_get_guint8(tvb, offset);
5610 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5612 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5617 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5621 andxoffset = tvb_get_letohs(tvb, offset);
5622 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5625 /* Maximum Buffer Size */
5626 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5629 /* Maximum Multiplex Count */
5630 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5634 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5638 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5643 /* password length, ASCII*/
5644 pwlen = tvb_get_letohs(tvb, offset);
5645 proto_tree_add_uint(tree, hf_smb_password_len,
5646 tvb, offset, 2, pwlen);
5649 /* 4 reserved bytes */
5650 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5656 /* security blob length */
5657 sbloblen = tvb_get_letohs(tvb, offset);
5658 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5661 /* 4 reserved bytes */
5662 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5666 dissect_negprot_capabilities(tvb, tree, offset);
5672 /* password length, ANSI*/
5673 apwlen = tvb_get_letohs(tvb, offset);
5674 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5675 tvb, offset, 2, apwlen);
5678 /* password length, Unicode*/
5679 upwlen = tvb_get_letohs(tvb, offset);
5680 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5681 tvb, offset, 2, upwlen);
5684 /* 4 reserved bytes */
5685 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5689 dissect_negprot_capabilities(tvb, tree, offset);
5698 proto_item *blob_item;
5702 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5703 tvb, offset, sbloblen, TRUE);
5706 tvbuff_t *gssapi_tvb;
5707 proto_tree *gssapi_tree;
5709 CHECK_BYTE_COUNT(sbloblen);
5711 gssapi_tree = proto_item_add_subtree(
5712 blob_item, ett_smb_gssapi);
5714 gssapi_tvb = tvb_new_subset(
5715 tvb, offset, sbloblen, sbloblen);
5718 gssapi_handle, gssapi_tvb, pinfo, gssapi_tree);
5720 COUNT_BYTES(sbloblen);
5724 an = get_unicode_or_ascii_string(tvb, &offset,
5725 si->unicode, &an_len, FALSE, FALSE, &bc);
5728 proto_tree_add_string(tree, hf_smb_os, tvb,
5729 offset, an_len, an);
5730 COUNT_BYTES(an_len);
5733 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5734 * padding/null string/whatever in front of this. W2K doesn't
5735 * appear to. I suspect that's a bug that got fixed; I also
5736 * suspect that, in practice, nobody ever looks at that field
5737 * because the bug didn't appear to get fixed until NT 5.0....
5739 an = get_unicode_or_ascii_string(tvb, &offset,
5740 si->unicode, &an_len, FALSE, FALSE, &bc);
5743 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5744 offset, an_len, an);
5745 COUNT_BYTES(an_len);
5747 /* Primary domain */
5748 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5749 * byte in front of this, at least if all the strings are
5750 * ASCII and the account name is empty. Another bug?
5752 dn = get_unicode_or_ascii_string(tvb, &offset,
5753 si->unicode, &dn_len, FALSE, FALSE, &bc);
5756 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5757 offset, dn_len, dn);
5758 COUNT_BYTES(dn_len);
5764 /* password, ASCII */
5765 CHECK_BYTE_COUNT(pwlen);
5766 proto_tree_add_item(tree, hf_smb_password,
5767 tvb, offset, pwlen, TRUE);
5775 /* password, ANSI */
5776 CHECK_BYTE_COUNT(apwlen);
5777 proto_tree_add_item(tree, hf_smb_ansi_password,
5778 tvb, offset, apwlen, TRUE);
5779 COUNT_BYTES(apwlen);
5783 /* password, Unicode */
5784 CHECK_BYTE_COUNT(upwlen);
5785 proto_tree_add_item(tree, hf_smb_unicode_password,
5786 tvb, offset, upwlen, TRUE);
5787 COUNT_BYTES(upwlen);
5794 an = get_unicode_or_ascii_string(tvb, &offset,
5795 si->unicode, &an_len, FALSE, FALSE, &bc);
5798 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5800 COUNT_BYTES(an_len);
5802 /* Primary domain */
5803 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5804 * byte in front of this, at least if all the strings are
5805 * ASCII and the account name is empty. Another bug?
5807 dn = get_unicode_or_ascii_string(tvb, &offset,
5808 si->unicode, &dn_len, FALSE, FALSE, &bc);
5811 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5812 offset, dn_len, dn);
5813 COUNT_BYTES(dn_len);
5815 if (check_col(pinfo->cinfo, COL_INFO)) {
5816 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5818 if (!dn[0] && !an[0])
5819 col_append_fstr(pinfo->cinfo, COL_INFO,
5822 col_append_fstr(pinfo->cinfo, COL_INFO,
5827 an = get_unicode_or_ascii_string(tvb, &offset,
5828 si->unicode, &an_len, FALSE, FALSE, &bc);
5831 proto_tree_add_string(tree, hf_smb_os, tvb,
5832 offset, an_len, an);
5833 COUNT_BYTES(an_len);
5836 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5837 * padding/null string/whatever in front of this. W2K doesn't
5838 * appear to. I suspect that's a bug that got fixed; I also
5839 * suspect that, in practice, nobody ever looks at that field
5840 * because the bug didn't appear to get fixed until NT 5.0....
5842 an = get_unicode_or_ascii_string(tvb, &offset,
5843 si->unicode, &an_len, FALSE, FALSE, &bc);
5846 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5847 offset, an_len, an);
5848 COUNT_BYTES(an_len);
5853 /* call AndXCommand (if there are any) */
5854 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5860 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5862 guint8 wc, cmd=0xff;
5863 guint16 andxoffset=0, bc;
5865 smb_info_t *si = pinfo->private_data;
5871 /* next smb command */
5872 cmd = tvb_get_guint8(tvb, offset);
5874 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5876 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5881 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5885 andxoffset = tvb_get_letohs(tvb, offset);
5886 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5890 offset = dissect_setup_action(tvb, tree, offset);
5893 /* security blob length */
5894 sbloblen = tvb_get_letohs(tvb, offset);
5895 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5902 proto_item *blob_item;
5906 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5907 tvb, offset, sbloblen, TRUE);
5910 tvbuff_t *gssapi_tvb;
5911 proto_tree *gssapi_tree;
5913 CHECK_BYTE_COUNT(sbloblen);
5915 gssapi_tree = proto_item_add_subtree(
5916 blob_item, ett_smb_gssapi);
5918 gssapi_tvb = tvb_new_subset(
5919 tvb, offset, sbloblen, sbloblen);
5922 gssapi_handle, gssapi_tvb, pinfo, gssapi_tree);
5924 COUNT_BYTES(sbloblen);
5929 an = get_unicode_or_ascii_string(tvb, &offset,
5930 si->unicode, &an_len, FALSE, FALSE, &bc);
5933 proto_tree_add_string(tree, hf_smb_os, tvb,
5934 offset, an_len, an);
5935 COUNT_BYTES(an_len);
5938 an = get_unicode_or_ascii_string(tvb, &offset,
5939 si->unicode, &an_len, FALSE, FALSE, &bc);
5942 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5943 offset, an_len, an);
5944 COUNT_BYTES(an_len);
5947 /* Primary domain */
5948 an = get_unicode_or_ascii_string(tvb, &offset,
5949 si->unicode, &an_len, FALSE, FALSE, &bc);
5952 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5953 offset, an_len, an);
5954 COUNT_BYTES(an_len);
5959 /* call AndXCommand (if there are any) */
5960 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
5967 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5969 guint8 wc, cmd=0xff;
5970 guint16 andxoffset=0;
5975 /* next smb command */
5976 cmd = tvb_get_guint8(tvb, offset);
5978 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5980 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5985 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5989 andxoffset = tvb_get_letohs(tvb, offset);
5990 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5997 /* call AndXCommand (if there are any) */
5998 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6004 static const true_false_string tfs_connect_support_search = {
6005 "Exclusive search bits supported",
6006 "Exclusive search bits not supported"
6008 static const true_false_string tfs_connect_support_in_dfs = {
6010 "Share isn't in Dfs"
6014 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6017 proto_item *item = NULL;
6018 proto_tree *tree = NULL;
6020 mask = tvb_get_letohs(tvb, offset);
6023 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6024 "Optional Support: 0x%04x", mask);
6025 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
6028 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
6029 tvb, offset, 2, mask);
6030 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
6031 tvb, offset, 2, mask);
6038 static const true_false_string tfs_disconnect_tid = {
6040 "Do NOT disconnect TID"
6044 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6047 proto_item *item = NULL;
6048 proto_tree *tree = NULL;
6050 mask = tvb_get_letohs(tvb, offset);
6053 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6054 "Flags: 0x%04x", mask);
6055 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
6058 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
6059 tvb, offset, 2, mask);
6067 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6069 guint8 wc, cmd=0xff;
6071 guint16 andxoffset=0, pwlen=0;
6072 smb_info_t *si = pinfo->private_data;
6078 /* next smb command */
6079 cmd = tvb_get_guint8(tvb, offset);
6081 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6083 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
6088 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6092 andxoffset = tvb_get_letohs(tvb, offset);
6093 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6097 offset = dissect_connect_flags(tvb, tree, offset);
6099 /* password length*/
6100 pwlen = tvb_get_letohs(tvb, offset);
6101 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
6107 CHECK_BYTE_COUNT(pwlen);
6108 proto_tree_add_item(tree, hf_smb_password,
6109 tvb, offset, pwlen, TRUE);
6113 an = get_unicode_or_ascii_string(tvb, &offset,
6114 si->unicode, &an_len, FALSE, FALSE, &bc);
6117 proto_tree_add_string(tree, hf_smb_path, tvb,
6118 offset, an_len, an);
6119 COUNT_BYTES(an_len);
6121 if (check_col(pinfo->cinfo, COL_INFO)) {
6122 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
6126 * NOTE: the Service string is always ASCII, even if the
6127 * "strings are Unicode" bit is set in the flags2 field
6132 /* XXX - what if this runs past bc? */
6133 an_len = tvb_strsize(tvb, offset);
6134 CHECK_BYTE_COUNT(an_len);
6135 an = tvb_get_ptr(tvb, offset, an_len);
6136 proto_tree_add_string(tree, hf_smb_service, tvb,
6137 offset, an_len, an);
6138 COUNT_BYTES(an_len);
6142 /* call AndXCommand (if there are any) */
6143 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6150 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6152 guint8 wc, wleft, cmd=0xff;
6153 guint16 andxoffset=0;
6157 smb_info_t *si = pinfo->private_data;
6161 wleft = wc; /* this is at least 1 */
6163 /* next smb command */
6164 cmd = tvb_get_guint8(tvb, offset);
6166 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6168 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
6173 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6181 andxoffset = tvb_get_letohs(tvb, offset);
6182 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6189 offset = dissect_connect_support_bits(tvb, tree, offset);
6192 /* XXX - I've seen captures where this is 7, but I have no
6193 idea how to dissect it. I'm guessing the third word
6194 contains connect support bits, which looks plausible
6195 from the values I've seen. */
6197 while (wleft != 0) {
6198 proto_tree_add_text(tree, tvb, offset, 2,
6199 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
6207 * NOTE: even though the SNIA CIFS spec doesn't say there's
6208 * a "Service" string if there's a word count of 2, the
6211 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
6213 * (it's in an ugly format - text intended to be sent to a
6214 * printer, with backspaces and overstrikes used for boldfacing
6215 * and underlining; UNIX "col -b" can be used to strip the
6216 * overstrikes out) says there's a "Service" string there, and
6217 * some network traffic has it.
6221 * NOTE: the Service string is always ASCII, even if the
6222 * "strings are Unicode" bit is set in the flags2 field
6227 /* XXX - what if this runs past bc? */
6228 an_len = tvb_strsize(tvb, offset);
6229 CHECK_BYTE_COUNT(an_len);
6230 an = tvb_get_ptr(tvb, offset, an_len);
6231 proto_tree_add_string(tree, hf_smb_service, tvb,
6232 offset, an_len, an);
6233 COUNT_BYTES(an_len);
6235 /* Now when we know the service type, store it so that we know it for later commands down
6237 if(!pinfo->fd->flags.visited){
6238 /* Remove any previous entry for this TID */
6239 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
6240 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
6242 if(strcmp(an,"IPC") == 0){
6243 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
6245 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
6253 * Sometimes this isn't present.
6257 an = get_unicode_or_ascii_string(tvb, &offset,
6258 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
6262 proto_tree_add_string(tree, hf_smb_fs, tvb,
6263 offset, an_len, an);
6264 COUNT_BYTES(an_len);
6270 /* call AndXCommand (if there are any) */
6271 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6278 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6279 NT Transaction command begins here
6280 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
6281 #define NT_TRANS_CREATE 1
6282 #define NT_TRANS_IOCTL 2
6283 #define NT_TRANS_SSD 3
6284 #define NT_TRANS_NOTIFY 4
6285 #define NT_TRANS_RENAME 5
6286 #define NT_TRANS_QSD 6
6287 #define NT_TRANS_GET_USER_QUOTA 7
6288 #define NT_TRANS_SET_USER_QUOTA 8
6289 static const value_string nt_cmd_vals[] = {
6290 {NT_TRANS_CREATE, "NT CREATE"},
6291 {NT_TRANS_IOCTL, "NT IOCTL"},
6292 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
6293 {NT_TRANS_NOTIFY, "NT NOTIFY"},
6294 {NT_TRANS_RENAME, "NT RENAME"},
6295 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
6296 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
6297 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
6301 static const value_string nt_ioctl_isfsctl_vals[] = {
6302 {0, "Device IOCTL"},
6303 {1, "FS control : FSCTL"},
6307 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
6308 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
6309 "Apply the command to share root handle (MUST BE Dfs)",
6310 "Apply to this share",
6313 static const value_string nt_notify_action_vals[] = {
6314 {1, "ADDED (object was added"},
6315 {2, "REMOVED (object was removed)"},
6316 {3, "MODIFIED (object was modified)"},
6317 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
6318 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
6319 {6, "ADDED_STREAM (a stream was added)"},
6320 {7, "REMOVED_STREAM (a stream was removed)"},
6321 {8, "MODIFIED_STREAM (a stream was modified)"},
6325 static const value_string watch_tree_vals[] = {
6326 {0, "Current directory only"},
6327 {1, "Subdirectories also"},
6331 #define NT_NOTIFY_STREAM_WRITE 0x00000800
6332 #define NT_NOTIFY_STREAM_SIZE 0x00000400
6333 #define NT_NOTIFY_STREAM_NAME 0x00000200
6334 #define NT_NOTIFY_SECURITY 0x00000100
6335 #define NT_NOTIFY_EA 0x00000080
6336 #define NT_NOTIFY_CREATION 0x00000040
6337 #define NT_NOTIFY_LAST_ACCESS 0x00000020
6338 #define NT_NOTIFY_LAST_WRITE 0x00000010
6339 #define NT_NOTIFY_SIZE 0x00000008
6340 #define NT_NOTIFY_ATTRIBUTES 0x00000004
6341 #define NT_NOTIFY_DIR_NAME 0x00000002
6342 #define NT_NOTIFY_FILE_NAME 0x00000001
6343 static const true_false_string tfs_nt_notify_stream_write = {
6344 "Notify on changes to STREAM WRITE",
6345 "Do NOT notify on changes to stream write",
6347 static const true_false_string tfs_nt_notify_stream_size = {
6348 "Notify on changes to STREAM SIZE",
6349 "Do NOT notify on changes to stream size",
6351 static const true_false_string tfs_nt_notify_stream_name = {
6352 "Notify on changes to STREAM NAME",
6353 "Do NOT notify on changes to stream name",
6355 static const true_false_string tfs_nt_notify_security = {
6356 "Notify on changes to SECURITY",
6357 "Do NOT notify on changes to security",
6359 static const true_false_string tfs_nt_notify_ea = {
6360 "Notify on changes to EA",
6361 "Do NOT notify on changes to EA",
6363 static const true_false_string tfs_nt_notify_creation = {
6364 "Notify on changes to CREATION TIME",
6365 "Do NOT notify on changes to creation time",
6367 static const true_false_string tfs_nt_notify_last_access = {
6368 "Notify on changes to LAST ACCESS TIME",
6369 "Do NOT notify on changes to last access time",
6371 static const true_false_string tfs_nt_notify_last_write = {
6372 "Notify on changes to LAST WRITE TIME",
6373 "Do NOT notify on changes to last write time",
6375 static const true_false_string tfs_nt_notify_size = {
6376 "Notify on changes to SIZE",
6377 "Do NOT notify on changes to size",
6379 static const true_false_string tfs_nt_notify_attributes = {
6380 "Notify on changes to ATTRIBUTES",
6381 "Do NOT notify on changes to attributes",
6383 static const true_false_string tfs_nt_notify_dir_name = {
6384 "Notify on changes to DIR NAME",
6385 "Do NOT notify on changes to dir name",
6387 static const true_false_string tfs_nt_notify_file_name = {
6388 "Notify on changes to FILE NAME",
6389 "Do NOT notify on changes to file name",
6392 static const value_string create_disposition_vals[] = {
6393 {0, "Supersede (supersede existing file (if it exists))"},
6394 {1, "Open (if file exists open it, else fail)"},
6395 {2, "Create (if file exists fail, else create it)"},
6396 {3, "Open If (if file exists open it, else create it)"},
6397 {4, "Overwrite (if file exists overwrite, else fail)"},
6398 {5, "Overwrite If (if file exists overwrite, else create it)"},
6402 static const value_string impersonation_level_vals[] = {
6404 {1, "Identification"},
6405 {2, "Impersonation"},
6410 static const true_false_string tfs_nt_security_flags_context_tracking = {
6411 "Security tracking mode is DYNAMIC",
6412 "Security tracking mode is STATIC",
6415 static const true_false_string tfs_nt_security_flags_effective_only = {
6416 "ONLY ENABLED aspects of the client's security context are available",
6417 "ALL aspects of the client's security context are available",
6420 static const true_false_string tfs_nt_create_bits_oplock = {
6421 "Requesting OPLOCK",
6422 "Does NOT request oplock"
6425 static const true_false_string tfs_nt_create_bits_boplock = {
6426 "Requesting BATCH OPLOCK",
6427 "Does NOT request batch oplock"
6431 * XXX - must be a directory, and can be a file, or can be a directory,
6432 * and must be a file?
6434 static const true_false_string tfs_nt_create_bits_dir = {
6435 "Target of open MUST be a DIRECTORY",
6436 "Target of open can be a file"
6439 static const true_false_string tfs_nt_access_mask_generic_read = {
6440 "GENERIC READ is set",
6441 "Generic read is NOT set"
6443 static const true_false_string tfs_nt_access_mask_generic_write = {
6444 "GENERIC WRITE is set",
6445 "Generic write is NOT set"
6447 static const true_false_string tfs_nt_access_mask_generic_execute = {
6448 "GENERIC EXECUTE is set",
6449 "Generic execute is NOT set"
6451 static const true_false_string tfs_nt_access_mask_generic_all = {
6452 "GENERIC ALL is set",
6453 "Generic all is NOT set"
6455 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6456 "MAXIMUM ALLOWED is set",
6457 "Maximum allowed is NOT set"
6459 static const true_false_string tfs_nt_access_mask_system_security = {
6460 "SYSTEM SECURITY is set",
6461 "System security is NOT set"
6463 static const true_false_string tfs_nt_access_mask_synchronize = {
6464 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6465 "Can NOT wait on handle to synchronize on completion of I/O"
6467 static const true_false_string tfs_nt_access_mask_write_owner = {
6468 "Can WRITE OWNER (take ownership)",
6469 "Can NOT write owner (take ownership)"
6471 static const true_false_string tfs_nt_access_mask_write_dac = {
6472 "OWNER may WRITE the DAC",
6473 "Owner may NOT write to the DAC"
6475 static const true_false_string tfs_nt_access_mask_read_control = {
6476 "READ ACCESS to owner, group and ACL of the SID",
6477 "Read access is NOT granted to owner, group and ACL of the SID"
6479 static const true_false_string tfs_nt_access_mask_delete = {
6483 static const true_false_string tfs_nt_access_mask_write_attributes = {
6484 "WRITE ATTRIBUTES access",
6485 "NO write attributes access"
6487 static const true_false_string tfs_nt_access_mask_read_attributes = {
6488 "READ ATTRIBUTES access",
6489 "NO read attributes access"
6491 static const true_false_string tfs_nt_access_mask_delete_child = {
6492 "DELETE CHILD access",
6493 "NO delete child access"
6495 static const true_false_string tfs_nt_access_mask_execute = {
6499 static const true_false_string tfs_nt_access_mask_write_ea = {
6500 "WRITE EXTENDED ATTRIBUTES access",
6501 "NO write extended attributes access"
6503 static const true_false_string tfs_nt_access_mask_read_ea = {
6504 "READ EXTENDED ATTRIBUTES access",
6505 "NO read extended attributes access"
6507 static const true_false_string tfs_nt_access_mask_append = {
6511 static const true_false_string tfs_nt_access_mask_write = {
6515 static const true_false_string tfs_nt_access_mask_read = {
6520 static const true_false_string tfs_nt_share_access_delete = {
6521 "Object can be shared for DELETE",
6522 "Object can NOT be shared for delete"
6524 static const true_false_string tfs_nt_share_access_write = {
6525 "Object can be shared for WRITE",
6526 "Object can NOT be shared for write"
6528 static const true_false_string tfs_nt_share_access_read = {
6529 "Object can be shared for READ",
6530 "Object can NOT be shared for read"
6533 static const value_string oplock_level_vals[] = {
6534 {0, "No oplock granted"},
6535 {1, "Exclusive oplock granted"},
6536 {2, "Batch oplock granted"},
6537 {3, "Level II oplock granted"},
6541 static const value_string device_type_vals[] = {
6542 {0x00000001, "Beep"},
6543 {0x00000002, "CDROM"},
6544 {0x00000003, "CDROM Filesystem"},
6545 {0x00000004, "Controller"},
6546 {0x00000005, "Datalink"},
6547 {0x00000006, "Dfs"},
6548 {0x00000007, "Disk"},
6549 {0x00000008, "Disk Filesystem"},
6550 {0x00000009, "Filesystem"},
6551 {0x0000000a, "Inport Port"},
6552 {0x0000000b, "Keyboard"},
6553 {0x0000000c, "Mailslot"},
6554 {0x0000000d, "MIDI-In"},
6555 {0x0000000e, "MIDI-Out"},
6556 {0x0000000f, "Mouse"},
6557 {0x00000010, "Multi UNC Provider"},
6558 {0x00000011, "Named Pipe"},
6559 {0x00000012, "Network"},
6560 {0x00000013, "Network Browser"},
6561 {0x00000014, "Network Filesystem"},
6562 {0x00000015, "NULL"},
6563 {0x00000016, "Parallel Port"},
6564 {0x00000017, "Physical card"},
6565 {0x00000018, "Printer"},
6566 {0x00000019, "Scanner"},
6567 {0x0000001a, "Serial Mouse port"},
6568 {0x0000001b, "Serial port"},
6569 {0x0000001c, "Screen"},
6570 {0x0000001d, "Sound"},
6571 {0x0000001e, "Streams"},
6572 {0x0000001f, "Tape"},
6573 {0x00000020, "Tape Filesystem"},
6574 {0x00000021, "Transport"},
6575 {0x00000022, "Unknown"},
6576 {0x00000023, "Video"},
6577 {0x00000024, "Virtual Disk"},
6578 {0x00000025, "WAVE-In"},
6579 {0x00000026, "WAVE-Out"},
6580 {0x00000027, "8042 Port"},
6581 {0x00000028, "Network Redirector"},
6582 {0x00000029, "Battery"},
6583 {0x0000002a, "Bus Extender"},
6584 {0x0000002b, "Modem"},
6585 {0x0000002c, "VDM"},
6589 static const value_string is_directory_vals[] = {
6590 {0, "This is NOT a directory"},
6591 {1, "This is a DIRECTORY"},
6595 typedef struct _nt_trans_data {
6604 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6607 proto_item *item = NULL;
6608 proto_tree *tree = NULL;
6610 mask = tvb_get_guint8(tvb, offset);
6613 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6614 "Security Flags: 0x%02x", mask);
6615 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
6618 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6619 tvb, offset, 1, mask);
6620 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6621 tvb, offset, 1, mask);
6629 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6632 proto_item *item = NULL;
6633 proto_tree *tree = NULL;
6635 mask = tvb_get_letohl(tvb, offset);
6638 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6639 "Share Access: 0x%08x", mask);
6640 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6643 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6644 tvb, offset, 4, mask);
6645 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6646 tvb, offset, 4, mask);
6647 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6648 tvb, offset, 4, mask);
6657 dissect_nt_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6660 proto_item *item = NULL;
6661 proto_tree *tree = NULL;
6663 mask = tvb_get_letohl(tvb, offset);
6666 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6667 "Access Mask: 0x%08x", mask);
6668 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6672 * Some of these bits come from
6674 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6676 * and others come from the section on ZwOpenFile in "Windows(R)
6677 * NT(R)/2000 Native API Reference".
6679 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6680 tvb, offset, 4, mask);
6681 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6682 tvb, offset, 4, mask);
6683 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6684 tvb, offset, 4, mask);
6685 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6686 tvb, offset, 4, mask);
6687 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6688 tvb, offset, 4, mask);
6689 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6690 tvb, offset, 4, mask);
6691 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6692 tvb, offset, 4, mask);
6693 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6694 tvb, offset, 4, mask);
6695 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6696 tvb, offset, 4, mask);
6697 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6698 tvb, offset, 4, mask);
6699 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6700 tvb, offset, 4, mask);
6701 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6702 tvb, offset, 4, mask);
6703 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6704 tvb, offset, 4, mask);
6705 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6706 tvb, offset, 4, mask);
6707 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6708 tvb, offset, 4, mask);
6709 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6710 tvb, offset, 4, mask);
6711 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6712 tvb, offset, 4, mask);
6713 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6714 tvb, offset, 4, mask);
6715 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6716 tvb, offset, 4, mask);
6717 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6718 tvb, offset, 4, mask);
6726 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6729 proto_item *item = NULL;
6730 proto_tree *tree = NULL;
6732 mask = tvb_get_letohl(tvb, offset);
6735 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6736 "Create Flags: 0x%08x", mask);
6737 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6741 * XXX - it's 0x00000016 in at least one capture, but
6742 * Network Monitor doesn't say what the 0x00000010 bit is.
6743 * Does the Win32 API documentation, or NT Native API book,
6746 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6747 tvb, offset, 4, mask);
6748 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6749 tvb, offset, 4, mask);
6750 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6751 tvb, offset, 4, mask);
6759 * XXX - there are some more flags in the description of "ZwOpenFile()"
6760 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6761 * the wire as well? (The spec at
6763 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6765 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6766 * via the SMB protocol. The NT redirector should convert this option
6767 * to FILE_WRITE_THROUGH."
6769 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6770 * values one would infer from their position in the list of flags for
6771 * "ZwOpenFile()". Most of the others probably have those values
6772 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6773 * which might go over the wire (for the benefit of backup/restore software).
6775 static const true_false_string tfs_nt_create_options_directory = {
6776 "File being created/opened must be a directory",
6777 "File being created/opened must not be a directory"
6779 static const true_false_string tfs_nt_create_options_write_through = {
6780 "Writes should flush buffered data before completing",
6781 "Writes need not flush buffered data before completing"
6783 static const true_false_string tfs_nt_create_options_sequential_only = {
6784 "The file will only be accessed sequentially",
6785 "The file might not only be accessed sequentially"
6787 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6788 "All operations SYNCHRONOUS, waits subject to termination from alert",
6789 "Operations NOT necessarily synchronous"
6791 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6792 "All operations SYNCHRONOUS, waits not subject to alert",
6793 "Operations NOT necessarily synchronous"
6795 static const true_false_string tfs_nt_create_options_non_directory = {
6796 "File being created/opened must not be a directory",
6797 "File being created/opened must be a directory"
6799 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6800 "The client does not understand extended attributes",
6801 "The client understands extended attributes"
6803 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6804 "The client understands only 8.3 file names",
6805 "The client understands long file names"
6807 static const true_false_string tfs_nt_create_options_random_access = {
6808 "The file will be accessed randomly",
6809 "The file will not be accessed randomly"
6811 static const true_false_string tfs_nt_create_options_delete_on_close = {
6812 "The file should be deleted when it is closed",
6813 "The file should not be deleted when it is closed"
6817 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6820 proto_item *item = NULL;
6821 proto_tree *tree = NULL;
6823 mask = tvb_get_letohl(tvb, offset);
6826 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6827 "Create Options: 0x%08x", mask);
6828 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6834 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6836 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6837 tvb, offset, 4, mask);
6838 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6839 tvb, offset, 4, mask);
6840 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6841 tvb, offset, 4, mask);
6842 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6843 tvb, offset, 4, mask);
6844 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6845 tvb, offset, 4, mask);
6846 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6847 tvb, offset, 4, mask);
6848 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6849 tvb, offset, 4, mask);
6850 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
6851 tvb, offset, 4, mask);
6852 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
6853 tvb, offset, 4, mask);
6854 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
6855 tvb, offset, 4, mask);
6863 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6866 proto_item *item = NULL;
6867 proto_tree *tree = NULL;
6869 mask = tvb_get_letohl(tvb, offset);
6872 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6873 "Completion Filter: 0x%08x", mask);
6874 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
6877 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
6878 tvb, offset, 4, mask);
6879 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
6880 tvb, offset, 4, mask);
6881 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
6882 tvb, offset, 4, mask);
6883 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
6884 tvb, offset, 4, mask);
6885 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
6886 tvb, offset, 4, mask);
6887 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
6888 tvb, offset, 4, mask);
6889 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
6890 tvb, offset, 4, mask);
6891 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
6892 tvb, offset, 4, mask);
6893 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
6894 tvb, offset, 4, mask);
6895 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
6896 tvb, offset, 4, mask);
6897 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
6898 tvb, offset, 4, mask);
6899 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
6900 tvb, offset, 4, mask);
6907 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6910 proto_item *item = NULL;
6911 proto_tree *tree = NULL;
6913 mask = tvb_get_guint8(tvb, offset);
6916 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6917 "Completion Filter: 0x%02x", mask);
6918 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
6921 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
6922 tvb, offset, 1, mask);
6929 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
6930 * Native API Reference".
6932 static const true_false_string tfs_nt_qsd_owner = {
6933 "Requesting OWNER security information",
6934 "NOT requesting owner security information",
6937 static const true_false_string tfs_nt_qsd_group = {
6938 "Requesting GROUP security information",
6939 "NOT requesting group security information",
6942 static const true_false_string tfs_nt_qsd_dacl = {
6943 "Requesting DACL security information",
6944 "NOT requesting DACL security information",
6947 static const true_false_string tfs_nt_qsd_sacl = {
6948 "Requesting SACL security information",
6949 "NOT requesting SACL security information",
6952 #define NT_QSD_OWNER 0x00000001
6953 #define NT_QSD_GROUP 0x00000002
6954 #define NT_QSD_DACL 0x00000004
6955 #define NT_QSD_SACL 0x00000008
6958 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6961 proto_item *item = NULL;
6962 proto_tree *tree = NULL;
6964 mask = tvb_get_letohl(tvb, offset);
6967 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6968 "Security Information: 0x%08x", mask);
6969 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
6972 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
6973 tvb, offset, 4, mask);
6974 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
6975 tvb, offset, 4, mask);
6976 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
6977 tvb, offset, 4, mask);
6978 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
6979 tvb, offset, 4, mask);
6987 free_g_string(void *arg)
6989 g_string_free(arg, TRUE);
6993 dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree, char *name)
6995 proto_item *item = NULL;
6996 proto_tree *tree = NULL;
6997 int old_offset = offset, sa_offset = offset;
7001 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
7006 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7008 tree = proto_item_add_subtree(item, ett_smb_sid);
7011 /* revision of sid */
7012 revision = tvb_get_guint8(tvb, offset);
7013 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, offset, 1, TRUE);
7018 case 2: /* Not sure what the different revision numbers mean */
7019 /* number of authorities*/
7020 num_auth = tvb_get_guint8(tvb, offset);
7021 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, offset, 1, TRUE);
7024 /* XXX perhaps we should have these thing searchable?
7025 a new FT_xxx thingie? SMB is quite common!*/
7026 /* identifier authorities */
7029 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
7034 proto_tree_add_text(tree, tvb, offset - 6, 6, "Authority: %u", auth);
7038 gstr = g_string_new("");
7040 CLEANUP_PUSH(free_g_string, gstr);
7042 /* sub authorities, leave RID to last */
7043 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
7045 * XXX should not be letohl but native byteorder according to
7046 * Samba header files.
7048 * However, considering that there were never any NT ports
7049 * to big-endian platforms (PowerPC and MIPS ran little-endian,
7050 * and IA-64 runs little-endian, as does x86-64), we can (?)
7051 * assume that non le byte encodings will be "uncommon"?
7053 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"),
7054 tvb_get_letohl(tvb, offset));
7058 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
7061 rid = tvb_get_letohl(tvb, offset);
7062 proto_tree_add_text(tree, tvb, offset, 4, "RID: %u", rid);
7063 proto_item_append_text(item, ": S-1-%u-%s-%u", auth, gstr->str, rid);
7067 proto_item_append_text(item, ": S-1-%u-%s", auth, gstr->str);
7070 CLEANUP_CALL_AND_POP;
7074 proto_item_set_len(item, offset-old_offset);
7079 static const value_string ace_type_vals[] = {
7080 { 0, "Access Allowed"},
7081 { 1, "Access Denied"},
7082 { 2, "System Audit"},
7083 { 3, "System Alarm"},
7086 static const true_false_string tfs_ace_flags_object_inherit = {
7087 "Subordinate files will inherit this ACE",
7088 "Subordinate files will not inherit this ACE"
7090 static const true_false_string tfs_ace_flags_container_inherit = {
7091 "Subordinate containers will inherit this ACE",
7092 "Subordinate containers will not inherit this ACE"
7094 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
7095 "Subordinate object will not propagate the inherited ACE further",
7096 "Subordinate object will propagate the inherited ACE further"
7098 static const true_false_string tfs_ace_flags_inherit_only = {
7099 "This ACE does not apply to the current object",
7100 "This ACE applies to the current object"
7102 static const true_false_string tfs_ace_flags_inherited_ace = {
7103 "This ACE was inherited from its parent object",
7104 "This ACE was not inherited from its parent object"
7106 static const true_false_string tfs_ace_flags_successful_access = {
7107 "Successful accesses will be audited",
7108 "Successful accesses will not be audited"
7110 static const true_false_string tfs_ace_flags_failed_access = {
7111 "Failed accesses will be audited",
7112 "Failed accesses will not be audited"
7115 #define APPEND_ACE_TEXT(flag, item, string) \
7118 proto_item_append_text(item, string, sep); \
7123 dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
7125 proto_item *item = NULL;
7126 proto_tree *tree = NULL;
7130 mask = tvb_get_guint8(tvb, offset);
7132 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7133 "NT ACE Flags: 0x%02x", mask);
7134 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
7137 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
7138 tvb, offset, 1, mask);
7139 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
7141 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
7142 tvb, offset, 1, mask);
7143 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
7145 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
7146 tvb, offset, 1, mask);
7147 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
7149 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
7150 tvb, offset, 1, mask);
7151 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
7153 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
7154 tvb, offset, 1, mask);
7155 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
7157 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
7158 tvb, offset, 1, mask);
7159 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
7161 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
7162 tvb, offset, 1, mask);
7163 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
7171 dissect_nt_v2_ace(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
7173 proto_item *item = NULL;
7174 proto_tree *tree = NULL;
7175 int old_offset = offset;
7179 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7181 tree = proto_item_add_subtree(item, ett_smb_ace);
7186 proto_item_append_text(item, val_to_str(tvb_get_guint8(tvb, offset), ace_type_vals, "Unknown ACE type (%u)"));
7188 proto_tree_add_item(tree, hf_smb_ace_type, tvb, offset, 1, TRUE);
7192 offset = dissect_nt_v2_ace_flags(tvb, offset, tree);
7195 size = tvb_get_letohs(tvb, offset);
7196 proto_tree_add_uint(tree, hf_smb_ace_size, tvb, offset, 2, size);
7200 offset = dissect_nt_access_mask(tvb, tree, offset);
7203 offset = dissect_nt_sid(tvb, offset, tree, "ACE");
7205 proto_item_set_len(item, offset-old_offset);
7207 /* Sometimes there is some spare space at the end of the ACE so use
7208 the size field to work out where the end is. */
7210 return old_offset + size;
7214 dissect_nt_acl(tvbuff_t *tvb, int offset, proto_tree *parent_tree, char *name)
7216 proto_item *item = NULL;
7217 proto_tree *tree = NULL;
7218 int old_offset = offset;
7223 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7225 tree = proto_item_add_subtree(item, ett_smb_acl);
7229 revision = tvb_get_letohs(tvb, offset);
7230 proto_tree_add_uint(tree, hf_smb_acl_revision,
7231 tvb, offset, 2, revision);
7235 case 2: /* only version we will ever see of this structure?*/
7238 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
7241 /* number of ace structures */
7242 num_aces = tvb_get_letohl(tvb, offset);
7243 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
7244 tvb, offset, 4, num_aces);
7248 offset=dissect_nt_v2_ace(tvb, offset, tree);
7252 proto_item_set_len(item, offset-old_offset);
7256 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
7257 "OWNER is DEFAULTED",
7258 "Owner is NOT defaulted"
7260 static const true_false_string tfs_sec_desc_type_group_defaulted = {
7261 "GROUP is DEFAULTED",
7262 "Group is NOT defaulted"
7264 static const true_false_string tfs_sec_desc_type_dacl_present = {
7266 "DACL is NOT present"
7268 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
7269 "DACL is DEFAULTED",
7270 "DACL is NOT defaulted"
7272 static const true_false_string tfs_sec_desc_type_sacl_present = {
7274 "SACL is NOT present"
7276 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
7277 "SACL is DEFAULTED",
7278 "SACL is NOT defaulted"
7280 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
7281 "DACL has AUTO INHERIT REQUIRED",
7282 "DACL does NOT require auto inherit"
7284 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
7285 "SACL has AUTO INHERIT REQUIRED",
7286 "SACL does NOT require auto inherit"
7288 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
7289 "DACL is AUTO INHERITED",
7290 "DACL is NOT auto inherited"
7292 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
7293 "SACL is AUTO INHERITED",
7294 "SACL is NOT auto inherited"
7296 static const true_false_string tfs_sec_desc_type_dacl_protected = {
7297 "The DACL is PROTECTED",
7298 "The DACL is NOT protected"
7300 static const true_false_string tfs_sec_desc_type_sacl_protected = {
7301 "The SACL is PROTECTED",
7302 "The SACL is NOT protected"
7304 static const true_false_string tfs_sec_desc_type_self_relative = {
7305 "This SecDesc is SELF RELATIVE",
7306 "This SecDesc is NOT self relative"
7311 dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
7313 proto_item *item = NULL;
7314 proto_tree *tree = NULL;
7317 mask = tvb_get_letohs(tvb, offset);
7319 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7320 "Type: 0x%04x", mask);
7321 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
7324 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
7325 tvb, offset, 2, mask);
7326 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
7327 tvb, offset, 2, mask);
7328 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
7329 tvb, offset, 2, mask);
7330 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
7331 tvb, offset, 2, mask);
7332 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
7333 tvb, offset, 2, mask);
7334 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
7335 tvb, offset, 2, mask);
7336 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
7337 tvb, offset, 2, mask);
7338 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
7339 tvb, offset, 2, mask);
7340 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
7341 tvb, offset, 2, mask);
7342 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
7343 tvb, offset, 2, mask);
7344 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
7345 tvb, offset, 2, mask);
7346 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
7347 tvb, offset, 2, mask);
7348 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
7349 tvb, offset, 2, mask);
7357 dissect_nt_sec_desc(tvbuff_t *tvb, int offset, proto_tree *parent_tree, int len)
7359 proto_item *item = NULL;
7360 proto_tree *tree = NULL;
7362 int old_offset = offset;
7363 guint32 owner_sid_offset;
7364 guint32 group_sid_offset;
7365 guint32 sacl_offset;
7366 guint32 dacl_offset;
7369 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7370 "NT Security Descriptor");
7371 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
7375 revision = tvb_get_letohs(tvb, offset);
7376 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
7377 tvb, offset, 2, revision);
7381 case 1: /* only version we will ever see of this structure?*/
7383 offset = dissect_nt_sec_desc_type(tvb, offset, tree);
7385 /* offset to owner sid */
7386 owner_sid_offset = tvb_get_letohl(tvb, offset);
7387 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %d", owner_sid_offset);
7390 /* offset to group sid */
7391 group_sid_offset = tvb_get_letohl(tvb, offset);
7392 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %d", group_sid_offset);
7395 /* offset to sacl */
7396 sacl_offset = tvb_get_letohl(tvb, offset);
7397 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %d", sacl_offset);
7400 /* offset to dacl */
7401 dacl_offset = tvb_get_letohl(tvb, offset);
7402 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %d", dacl_offset);
7406 if(owner_sid_offset){
7408 offset = dissect_nt_sid(tvb, offset, tree, "Owner");
7410 dissect_nt_sid(tvb, old_offset+owner_sid_offset, tree, "Owner");
7414 if(group_sid_offset){
7415 dissect_nt_sid(tvb, old_offset+group_sid_offset, tree, "Group");
7420 dissect_nt_acl(tvb, old_offset+sacl_offset, tree, "System (SACL)");
7425 dissect_nt_acl(tvb, old_offset+dacl_offset, tree, "User (DACL)");
7434 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
7436 int old_offset, old_sid_offset;
7442 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7443 qsize=tvb_get_letohl(tvb, offset);
7444 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7445 COUNT_BYTES_TRANS_SUBR(4);
7447 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7449 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7450 COUNT_BYTES_TRANS_SUBR(4);
7452 /* 16 unknown bytes */
7453 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7454 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7456 COUNT_BYTES_TRANS_SUBR(8);
7458 /* number of bytes for used quota */
7459 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7460 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7461 COUNT_BYTES_TRANS_SUBR(8);
7463 /* number of bytes for quota warning */
7464 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7465 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7466 COUNT_BYTES_TRANS_SUBR(8);
7468 /* number of bytes for quota limit */
7469 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7470 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7471 COUNT_BYTES_TRANS_SUBR(8);
7473 /* SID of the user */
7474 old_sid_offset=offset;
7475 offset = dissect_nt_sid(tvb, offset, tree, "Quota");
7476 *bcp -= (offset-old_sid_offset);
7479 offset = old_offset+qsize;
7489 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7491 proto_item *item = NULL;
7492 proto_tree *tree = NULL;
7494 int old_offset = offset;
7495 guint16 bcp=bc; /* XXX fixme */
7497 si = (smb_info_t *)pinfo->private_data;
7500 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7502 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7503 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7506 switch(ntd->subcmd){
7507 case NT_TRANS_CREATE:
7508 /* security descriptor */
7510 offset = dissect_nt_sec_desc(tvb, offset, tree, ntd->sd_len);
7513 /* extended attributes */
7515 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7516 offset += ntd->ea_len;
7520 case NT_TRANS_IOCTL:
7522 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
7527 offset = dissect_nt_sec_desc(tvb, offset, tree, bc);
7529 case NT_TRANS_NOTIFY:
7531 case NT_TRANS_RENAME:
7532 /* XXX not documented */
7536 case NT_TRANS_GET_USER_QUOTA:
7537 /* unknown 4 bytes */
7538 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7543 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7546 offset = dissect_nt_sid(tvb, offset, tree, "Quota");
7548 case NT_TRANS_SET_USER_QUOTA:
7549 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
7553 /* ooops there were data we didnt know how to process */
7554 if((offset-old_offset) < bc){
7555 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7556 bc - (offset-old_offset), TRUE);
7557 offset += bc - (offset-old_offset);
7564 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7566 proto_item *item = NULL;
7567 proto_tree *tree = NULL;
7572 si = (smb_info_t *)pinfo->private_data;
7575 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7577 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7578 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7581 switch(ntd->subcmd){
7582 case NT_TRANS_CREATE:
7584 offset = dissect_nt_create_bits(tvb, tree, offset);
7587 /* root directory fid */
7588 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7591 /* nt access mask */
7592 offset = dissect_nt_access_mask(tvb, tree, offset);
7595 /* allocation size */
7596 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7599 /* Extended File Attributes */
7600 offset = dissect_file_ext_attr(tvb, tree, offset);
7604 offset = dissect_nt_share_access(tvb, tree, offset);
7607 /* create disposition */
7608 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7611 /* create options */
7612 offset = dissect_nt_create_options(tvb, tree, offset);
7616 ntd->sd_len = tvb_get_letohl(tvb, offset);
7617 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7621 ntd->ea_len = tvb_get_letohl(tvb, offset);
7622 proto_tree_add_uint(tree, hf_smb_ea_length, tvb, offset, 4, ntd->ea_len);
7626 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7627 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7630 /* impersonation level */
7631 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
7634 /* security flags */
7635 offset = dissect_nt_security_flags(tvb, tree, offset);
7639 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
7641 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7643 COUNT_BYTES(fn_len);
7647 case NT_TRANS_IOCTL:
7649 case NT_TRANS_SSD: {
7653 fid = tvb_get_letohs(tvb, offset);
7654 add_fid(tvb, pinfo, tree, offset, 2, fid);
7657 /* 2 reserved bytes */
7658 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7661 /* security information */
7662 offset = dissect_security_information_mask(tvb, tree, offset);
7665 case NT_TRANS_NOTIFY:
7667 case NT_TRANS_RENAME:
7668 /* XXX not documented */
7670 case NT_TRANS_QSD: {
7674 fid = tvb_get_letohs(tvb, offset);
7675 add_fid(tvb, pinfo, tree, offset, 2, fid);
7678 /* 2 reserved bytes */
7679 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7682 /* security information */
7683 offset = dissect_security_information_mask(tvb, tree, offset);
7686 case NT_TRANS_GET_USER_QUOTA:
7687 /* not decoded yet */
7689 case NT_TRANS_SET_USER_QUOTA:
7690 /* not decoded yet */
7698 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7700 proto_item *item = NULL;
7701 proto_tree *tree = NULL;
7703 int old_offset = offset;
7705 si = (smb_info_t *)pinfo->private_data;
7708 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7710 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7711 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7714 switch(ntd->subcmd){
7715 case NT_TRANS_CREATE:
7717 case NT_TRANS_IOCTL: {
7721 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
7725 fid = tvb_get_letohs(tvb, offset);
7726 add_fid(tvb, pinfo, tree, offset, 2, fid);
7730 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
7734 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
7740 case NT_TRANS_NOTIFY: {
7743 /* completion filter */
7744 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
7747 fid = tvb_get_letohs(tvb, offset);
7748 add_fid(tvb, pinfo, tree, offset, 2, fid);
7752 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
7756 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7761 case NT_TRANS_RENAME:
7762 /* XXX not documented */
7766 case NT_TRANS_GET_USER_QUOTA:
7767 /* not decoded yet */
7769 case NT_TRANS_SET_USER_QUOTA:
7770 /* not decoded yet */
7774 return old_offset+len;
7779 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
7782 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
7784 smb_saved_info_t *sip;
7789 smb_nt_transact_info_t *nti;
7791 si = (smb_info_t *)pinfo->private_data;
7797 /* primary request */
7798 /* max setup count */
7799 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
7802 /* 2 reserved bytes */
7803 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7806 /* secondary request */
7807 /* 3 reserved bytes */
7808 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7813 /* total param count */
7814 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
7817 /* total data count */
7818 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
7822 /* primary request */
7823 /* max param count */
7824 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
7827 /* max data count */
7828 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
7833 pc = tvb_get_letohl(tvb, offset);
7834 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7838 po = tvb_get_letohl(tvb, offset);
7839 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7842 /* param displacement */
7844 /* primary request*/
7847 /* secondary request */
7848 pd = tvb_get_letohl(tvb, offset);
7849 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
7854 dc = tvb_get_letohl(tvb, offset);
7855 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7859 od = tvb_get_letohl(tvb, offset);
7860 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7863 /* data displacement */
7865 /* primary request */
7868 /* secondary request */
7869 dd = tvb_get_letohl(tvb, offset);
7870 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7876 /* primary request */
7877 sc = tvb_get_guint8(tvb, offset);
7878 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7881 /* secondary request */
7887 /* primary request */
7888 subcmd = tvb_get_letohs(tvb, offset);
7889 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
7890 if(check_col(pinfo->cinfo, COL_INFO)){
7891 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7892 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
7894 ntd.subcmd = subcmd;
7896 if(!pinfo->fd->flags.visited){
7898 * Allocate a new smb_nt_transact_info_t
7901 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
7902 nti->subcmd = subcmd;
7903 sip->extra_info = nti;
7907 /* secondary request */
7908 if(check_col(pinfo->cinfo, COL_INFO)){
7909 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
7914 /* this is a padding byte */
7917 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
7921 /* if there were any setup bytes, decode them */
7923 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
7930 if(po>(guint32)offset){
7931 /* We have some initial padding bytes.
7936 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7937 COUNT_BYTES(padcnt);
7940 CHECK_BYTE_COUNT(pc);
7941 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
7946 if(od>(guint32)offset){
7947 /* We have some initial padding bytes.
7952 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7953 COUNT_BYTES(padcnt);
7956 CHECK_BYTE_COUNT(dc);
7957 dissect_nt_trans_data_request(tvb, pinfo, offset, tree, dc, &ntd);
7969 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
7970 int offset, proto_tree *parent_tree, int len,
7971 nt_trans_data *ntd _U_)
7973 proto_item *item = NULL;
7974 proto_tree *tree = NULL;
7976 smb_nt_transact_info_t *nti;
7979 si = (smb_info_t *)pinfo->private_data;
7980 if (si->sip != NULL)
7981 nti = si->sip->extra_info;
7987 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7989 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7992 * We never saw the request to which this is a
7995 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7996 "Unknown NT Transaction Data (matching request not seen)");
7998 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8005 switch(nti->subcmd){
8006 case NT_TRANS_CREATE:
8008 case NT_TRANS_IOCTL:
8010 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
8016 case NT_TRANS_NOTIFY:
8018 case NT_TRANS_RENAME:
8019 /* XXX not documented */
8023 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
8024 * which may be documented in the Win32 documentation
8027 offset = dissect_nt_sec_desc(tvb, offset, tree, len);
8029 case NT_TRANS_GET_USER_QUOTA:
8031 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8033 case NT_TRANS_SET_USER_QUOTA:
8034 /* not decoded yet */
8042 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
8043 int offset, proto_tree *parent_tree,
8044 int len, nt_trans_data *ntd _U_, guint16 bc)
8046 proto_item *item = NULL;
8047 proto_tree *tree = NULL;
8051 smb_nt_transact_info_t *nti;
8057 si = (smb_info_t *)pinfo->private_data;
8058 if (si->sip != NULL)
8059 nti = si->sip->extra_info;
8065 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8067 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8070 * We never saw the request to which this is a
8073 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8074 "Unknown NT Transaction Parameters (matching request not seen)");
8076 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8083 switch(nti->subcmd){
8084 case NT_TRANS_CREATE:
8086 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8090 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8094 fid = tvb_get_letohs(tvb, offset);
8095 add_fid(tvb, pinfo, tree, offset, 2, fid);
8099 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8102 /* ea error offset */
8103 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
8107 offset = dissect_smb_64bit_time(tvb, tree, offset,
8108 hf_smb_create_time);
8111 offset = dissect_smb_64bit_time(tvb, tree, offset,
8112 hf_smb_access_time);
8114 /* last write time */
8115 offset = dissect_smb_64bit_time(tvb, tree, offset,
8116 hf_smb_last_write_time);
8118 /* last change time */
8119 offset = dissect_smb_64bit_time(tvb, tree, offset,
8120 hf_smb_change_time);
8122 /* Extended File Attributes */
8123 offset = dissect_file_ext_attr(tvb, tree, offset);
8125 /* allocation size */
8126 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8130 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8134 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8138 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8141 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8144 case NT_TRANS_IOCTL:
8148 case NT_TRANS_NOTIFY:
8150 old_offset = offset;
8152 /* next entry offset */
8153 neo = tvb_get_letohl(tvb, offset);
8154 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
8157 /* broken implementations */
8161 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
8164 /* broken implementations */
8168 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8169 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8172 /* broken implementations */
8176 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8179 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8181 COUNT_BYTES(fn_len);
8183 /* broken implementations */
8187 break; /* no more structures */
8189 /* skip to next structure */
8190 padcnt = (old_offset + neo) - offset;
8193 * XXX - this is bogus; flag it?
8198 COUNT_BYTES(padcnt);
8200 /* broken implementations */
8205 case NT_TRANS_RENAME:
8206 /* XXX not documented */
8210 * This appears to be the size of the security
8211 * descriptor; the calling sequence of
8212 * "ZwQuerySecurityObject()" suggests that it would
8213 * be. The actual security descriptor wouldn't
8214 * follow if the max data count in the request
8215 * was smaller; this lets the client know how
8216 * big a buffer it needs to provide.
8218 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
8221 case NT_TRANS_GET_USER_QUOTA:
8222 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
8223 tvb_get_letohl(tvb, offset));
8226 case NT_TRANS_SET_USER_QUOTA:
8227 /* not decoded yet */
8235 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
8236 int offset, proto_tree *parent_tree,
8237 int len, nt_trans_data *ntd _U_)
8239 proto_item *item = NULL;
8240 proto_tree *tree = NULL;
8242 smb_nt_transact_info_t *nti;
8244 si = (smb_info_t *)pinfo->private_data;
8245 if (si->sip != NULL)
8246 nti = si->sip->extra_info;
8252 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8254 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8257 * We never saw the request to which this is a
8260 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8261 "Unknown NT Transaction Setup (matching request not seen)");
8263 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8270 switch(nti->subcmd){
8271 case NT_TRANS_CREATE:
8273 case NT_TRANS_IOCTL:
8277 case NT_TRANS_NOTIFY:
8279 case NT_TRANS_RENAME:
8280 /* XXX not documented */
8284 case NT_TRANS_GET_USER_QUOTA:
8285 /* not decoded yet */
8287 case NT_TRANS_SET_USER_QUOTA:
8288 /* not decoded yet */
8296 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8299 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
8302 smb_nt_transact_info_t *nti;
8303 static nt_trans_data ntd;
8306 fragment_data *r_fd = NULL;
8307 tvbuff_t *pd_tvb=NULL;
8308 gboolean save_fragmented;
8310 si = (smb_info_t *)pinfo->private_data;
8311 if (si->sip != NULL)
8312 nti = si->sip->extra_info;
8316 /* primary request */
8318 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
8319 if(check_col(pinfo->cinfo, COL_INFO)){
8320 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8321 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
8324 proto_tree_add_text(tree, tvb, offset, 0,
8325 "Function: <unknown function - could not find matching request>");
8326 if(check_col(pinfo->cinfo, COL_INFO)){
8327 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8333 /* 3 reserved bytes */
8334 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8337 /* total param count */
8338 tp = tvb_get_letohl(tvb, offset);
8339 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8342 /* total data count */
8343 td = tvb_get_letohl(tvb, offset);
8344 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8348 pc = tvb_get_letohl(tvb, offset);
8349 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8353 po = tvb_get_letohl(tvb, offset);
8354 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8357 /* param displacement */
8358 pd = tvb_get_letohl(tvb, offset);
8359 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8363 dc = tvb_get_letohl(tvb, offset);
8364 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8368 od = tvb_get_letohl(tvb, offset);
8369 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8372 /* data displacement */
8373 dd = tvb_get_letohl(tvb, offset);
8374 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8378 sc = tvb_get_guint8(tvb, offset);
8379 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8384 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8390 /* reassembly of SMB NT Transaction data payload.
8391 In this section we do reassembly of both the data and parameters
8392 blocks of the SMB transaction command.
8394 save_fragmented = pinfo->fragmented;
8395 /* do we need reassembly? */
8396 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8397 /* oh yeah, either data or parameter section needs
8400 pinfo->fragmented = TRUE;
8401 if(smb_trans_reassembly){
8402 /* ...and we were told to do reassembly */
8403 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8404 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8408 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8409 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8410 od, dc, dd+tp, td+tp);
8415 /* if we got a reassembled fd structure from the reassembly routine we
8416 must create pd_tvb from it
8419 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8421 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8422 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
8424 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
8429 /* we have reassembled data, grab param and data from there */
8430 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8431 &ntd, tvb_length(pd_tvb));
8432 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8434 /* we do not have reassembled data, just use what we have in the
8435 packet as well as we can */
8437 if(po>(guint32)offset){
8438 /* We have some initial padding bytes.
8443 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8444 COUNT_BYTES(padcnt);
8447 CHECK_BYTE_COUNT(pc);
8448 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8453 if(od>(guint32)offset){
8454 /* We have some initial padding bytes.
8459 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8460 COUNT_BYTES(padcnt);
8463 CHECK_BYTE_COUNT(dc);
8464 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8468 pinfo->fragmented = save_fragmented;
8475 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8476 NT Transaction command ends here
8477 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8479 static const value_string print_mode_vals[] = {
8481 {1, "Graphics Mode"},
8486 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8488 smb_info_t *si = pinfo->private_data;
8497 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8501 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8507 CHECK_BYTE_COUNT(1);
8508 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8511 /* print identifier */
8512 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
8515 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8517 COUNT_BYTES(fn_len);
8526 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8535 fid = tvb_get_letohs(tvb, offset);
8536 add_fid(tvb, pinfo, tree, offset, 2, fid);
8542 CHECK_BYTE_COUNT(1);
8543 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8547 CHECK_BYTE_COUNT(2);
8548 cnt = tvb_get_letohs(tvb, offset);
8549 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
8553 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
8561 static const value_string print_status_vals[] = {
8562 {1, "Held or Stopped"},
8564 {3, "Awaiting print"},
8565 {4, "In intercept"},
8566 {5, "File had error"},
8567 {6, "Printer error"},
8572 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8580 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8584 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
8595 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8596 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8598 proto_item *item = NULL;
8599 proto_tree *tree = NULL;
8600 smb_info_t *si = pinfo->private_data;
8605 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8607 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
8611 CHECK_BYTE_COUNT_SUBR(4);
8612 offset = dissect_smb_datetime(tvb, tree, offset,
8613 hf_smb_print_queue_date,
8614 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8618 CHECK_BYTE_COUNT_SUBR(1);
8619 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8620 COUNT_BYTES_SUBR(1);
8622 /* spool file number */
8623 CHECK_BYTE_COUNT_SUBR(2);
8624 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
8625 COUNT_BYTES_SUBR(2);
8627 /* spool file size */
8628 CHECK_BYTE_COUNT_SUBR(4);
8629 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
8630 COUNT_BYTES_SUBR(4);
8633 CHECK_BYTE_COUNT_SUBR(1);
8634 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8635 COUNT_BYTES_SUBR(1);
8639 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
8640 CHECK_STRING_SUBR(fn);
8641 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
8643 COUNT_BYTES_SUBR(fn_len);
8650 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8660 cnt = tvb_get_letohs(tvb, offset);
8661 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
8665 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
8671 CHECK_BYTE_COUNT(1);
8672 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8676 CHECK_BYTE_COUNT(2);
8677 len = tvb_get_letohs(tvb, offset);
8678 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
8681 /* queue elements */
8683 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
8696 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8701 guint16 message_len;
8708 CHECK_BYTE_COUNT(1);
8709 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8712 /* originator name */
8713 /* XXX - what if this runs past bc? */
8714 name_len = tvb_strsize(tvb, offset);
8715 CHECK_BYTE_COUNT(name_len);
8716 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
8718 COUNT_BYTES(name_len);
8721 CHECK_BYTE_COUNT(1);
8722 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8725 /* destination name */
8726 /* XXX - what if this runs past bc? */
8727 name_len = tvb_strsize(tvb, offset);
8728 CHECK_BYTE_COUNT(name_len);
8729 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
8731 COUNT_BYTES(name_len);
8734 CHECK_BYTE_COUNT(1);
8735 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8739 CHECK_BYTE_COUNT(2);
8740 message_len = tvb_get_letohs(tvb, offset);
8741 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
8746 CHECK_BYTE_COUNT(message_len);
8747 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
8749 COUNT_BYTES(message_len);
8757 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8768 CHECK_BYTE_COUNT(1);
8769 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8772 /* originator name */
8773 /* XXX - what if this runs past bc? */
8774 name_len = tvb_strsize(tvb, offset);
8775 CHECK_BYTE_COUNT(name_len);
8776 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
8778 COUNT_BYTES(name_len);
8781 CHECK_BYTE_COUNT(1);
8782 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8785 /* destination name */
8786 /* XXX - what if this runs past bc? */
8787 name_len = tvb_strsize(tvb, offset);
8788 CHECK_BYTE_COUNT(name_len);
8789 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
8791 COUNT_BYTES(name_len);
8799 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8806 /* message group ID */
8807 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
8818 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8822 guint16 message_len;
8829 CHECK_BYTE_COUNT(1);
8830 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8834 CHECK_BYTE_COUNT(2);
8835 message_len = tvb_get_letohs(tvb, offset);
8836 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
8841 CHECK_BYTE_COUNT(message_len);
8842 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
8844 COUNT_BYTES(message_len);
8852 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8863 CHECK_BYTE_COUNT(1);
8864 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8867 /* forwarded name */
8868 /* XXX - what if this runs past bc? */
8869 name_len = tvb_strsize(tvb, offset);
8870 CHECK_BYTE_COUNT(name_len);
8871 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
8873 COUNT_BYTES(name_len);
8881 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8892 CHECK_BYTE_COUNT(1);
8893 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8897 /* XXX - what if this runs past bc? */
8898 name_len = tvb_strsize(tvb, offset);
8899 CHECK_BYTE_COUNT(name_len);
8900 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
8902 COUNT_BYTES(name_len);
8911 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8913 guint8 wc, cmd=0xff;
8914 guint16 andxoffset=0;
8916 smb_info_t *si = pinfo->private_data;
8922 /* next smb command */
8923 cmd = tvb_get_guint8(tvb, offset);
8925 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8927 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
8932 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8936 andxoffset = tvb_get_letohs(tvb, offset);
8937 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8941 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8945 fn_len = tvb_get_letohs(tvb, offset);
8946 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
8950 offset = dissect_nt_create_bits(tvb, tree, offset);
8952 /* root directory fid */
8953 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8956 /* nt access mask */
8957 offset = dissect_nt_access_mask(tvb, tree, offset);
8959 /* allocation size */
8960 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8963 /* Extended File Attributes */
8964 offset = dissect_file_ext_attr(tvb, tree, offset);
8967 offset = dissect_nt_share_access(tvb, tree, offset);
8969 /* create disposition */
8970 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8973 /* create options */
8974 offset = dissect_nt_create_options(tvb, tree, offset);
8976 /* impersonation level */
8977 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8980 /* security flags */
8981 offset = dissect_nt_security_flags(tvb, tree, offset);
8986 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
8989 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8991 COUNT_BYTES(fn_len);
8993 if (check_col(pinfo->cinfo, COL_INFO)) {
8994 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
8999 /* call AndXCommand (if there are any) */
9000 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9007 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
9009 guint8 wc, cmd=0xff;
9010 guint16 andxoffset=0;
9016 /* next smb command */
9017 cmd = tvb_get_guint8(tvb, offset);
9019 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9021 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
9026 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9030 andxoffset = tvb_get_letohs(tvb, offset);
9031 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9035 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
9039 fid = tvb_get_letohs(tvb, offset);
9040 add_fid(tvb, pinfo, tree, offset, 2, fid);
9044 /*XXX is this really the same as create disposition in the request? it looks so*/
9045 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
9049 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
9052 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
9054 /* last write time */
9055 offset = dissect_smb_64bit_time(tvb, tree, offset,
9056 hf_smb_last_write_time);
9058 /* last change time */
9059 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
9061 /* Extended File Attributes */
9062 offset = dissect_file_ext_attr(tvb, tree, offset);
9064 /* allocation size */
9065 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9069 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9073 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
9077 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
9080 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9087 /* call AndXCommand (if there are any) */
9088 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
9095 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9109 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9110 BEGIN Transaction/Transaction2 Primary and secondary requests
9111 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
9114 static const value_string trans2_cmd_vals[] = {
9116 { 0x01, "FIND_FIRST2" },
9117 { 0x02, "FIND_NEXT2" },
9118 { 0x03, "QUERY_FS_INFORMATION" },
9119 { 0x04, "SET_FS_QUOTA" },
9120 { 0x05, "QUERY_PATH_INFORMATION" },
9121 { 0x06, "SET_PATH_INFORMATION" },
9122 { 0x07, "QUERY_FILE_INFORMATION" },
9123 { 0x08, "SET_FILE_INFORMATION" },
9126 { 0x0B, "FIND_NOTIFY_FIRST" },
9127 { 0x0C, "FIND_NOTIFY_NEXT" },
9128 { 0x0D, "CREATE_DIRECTORY" },
9129 { 0x0E, "SESSION_SETUP" },
9130 { 0x10, "GET_DFS_REFERRAL" },
9131 { 0x11, "REPORT_DFS_INCONSISTENCY" },
9135 static const true_false_string tfs_tf_dtid = {
9136 "Also DISCONNECT TID",
9137 "Do NOT disconnect TID"
9139 static const true_false_string tfs_tf_owt = {
9140 "One Way Transaction (NO RESPONSE)",
9141 "Two way transaction"
9144 static const true_false_string tfs_ff2_backup = {
9145 "Find WITH backup intent",
9148 static const true_false_string tfs_ff2_continue = {
9149 "CONTINUE search from previous position",
9150 "New search, do NOT continue from previous position"
9152 static const true_false_string tfs_ff2_resume = {
9153 "Return RESUME keys",
9154 "Do NOT return resume keys"
9156 static const true_false_string tfs_ff2_close_eos = {
9157 "CLOSE search if END OF SEARCH is reached",
9158 "Do NOT close search if end of search reached"
9160 static const true_false_string tfs_ff2_close = {
9161 "CLOSE search after this request",
9162 "Do NOT close search after this request"
9168 static const value_string ff2_il_vals[] = {
9169 { 1, "Info Standard (4.3.4.1)"},
9170 { 2, "Info Query EA Size (4.3.4.2)"},
9171 { 3, "Info Query EAs From List (4.3.4.2)"},
9172 { 0x0101, "Find File Directory Info (4.3.4.4)"},
9173 { 0x0102, "Find File Full Directory Info (4.3.4.5)"},
9174 { 0x0103, "Find File Names Info (4.3.4.7)"},
9175 { 0x0104, "Find File Both Directory Info (4.3.4.6)"},
9176 { 0x0202, "Find File UNIX (4.3.4.8)"},
9181 TRANS2_QUERY_PATH_INFORMATION
9182 TRANS2_SET_PATH_INFORMATION
9184 static const value_string qpi_loi_vals[] = {
9185 { 1, "Info Standard (4.2.14.1)"},
9186 { 2, "Info Query EA Size (4.2.14.1)"},
9187 { 3, "Info Query EAs From List (4.2.14.2)"},
9188 { 4, "Info Query All EAs (4.2.14.2)"},
9189 { 6, "Info Is Name Valid (4.2.14.3)"},
9190 { 0x0101, "Query File Basic Info (4.2.14.4)"},
9191 { 0x0102, "Query File Standard Info (4.2.14.5)"},
9192 { 0x0103, "Query File EA Info (4.2.14.6)"},
9193 { 0x0104, "Query File Name Info (4.2.14.7)"},
9194 { 0x0107, "Query File All Info (4.2.14.8)"},
9195 { 0x0108, "Query File Alt Name Info (4.2.14.7)"},
9196 { 0x0109, "Query File Stream Info (4.2.14.10)"},
9197 { 0x010b, "Query File Compression Info (4.2.14.11)"},
9198 { 0x0200, "Set File Unix Basic"},
9199 { 0x0201, "Set File Unix Link"},
9200 { 0x0202, "Set File Unix HardLink"},
9201 { 1004, "Query File Basic Info (4.2.14.4)"},
9202 { 1005, "Query File Standard Info (4.2.14.5)"},
9203 { 1006, "Query File Internal Info (4.2.14.?)"},
9204 { 1007, "Query File EA Info (4.2.14.6)"},
9205 { 1009, "Query File Name Info (4.2.14.7)"},
9206 { 1010, "Query File Rename Info (4.2.14.?)"},
9207 { 1011, "Query File Link Info (4.2.14.?)"},
9208 { 1012, "Query File Names Info (4.2.14.?)"},
9209 { 1013, "Query File Disposition Info (4.2.14.?)"},
9210 { 1014, "Query File Position Info (4.2.14.?)"},
9211 { 1015, "Query File Full EA Info (4.2.14.?)"},
9212 { 1016, "Query File Mode Info (4.2.14.?)"},
9213 { 1017, "Query File Alignment Info (4.2.14.?)"},
9214 { 1018, "Query File All Info (4.2.14.8)"},
9215 { 1019, "Query File Allocation Info (4.2.14.?)"},
9216 { 1020, "Query File End of File Info (4.2.14.?)"},
9217 { 1021, "Query File Alt Name Info (4.2.14.7)"},
9218 { 1022, "Query File Stream Info (4.2.14.10)"},
9219 { 1023, "Query File Pipe Info (4.2.14.?)"},
9220 { 1024, "Query File Pipe Local Info (4.2.14.?)"},
9221 { 1025, "Query File Pipe Remote Info (4.2.14.?)"},
9222 { 1026, "Query File Mailslot Query Info (4.2.14.?)"},
9223 { 1027, "Query File Mailslot Set Info (4.2.14.?)"},
9224 { 1028, "Query File Compression Info (4.2.14.11)"},
9225 { 1029, "Query File ObjectID Info (4.2.14.?)"},
9226 { 1030, "Query File Completion Info (4.2.14.?)"},
9227 { 1031, "Query File Move Cluster Info (4.2.14.?)"},
9228 { 1032, "Query File Quota Info (4.2.14.?)"},
9229 { 1033, "Query File Reparsepoint Info (4.2.14.?)"},
9230 { 1034, "Query File Network Open Info (4.2.14.?)"},
9231 { 1035, "Query File Attribute Tag Info (4.2.14.?)"},
9232 { 1036, "Query File Tracking Info (4.2.14.?)"},
9233 { 1037, "Query File Maximum Info (4.2.14.?)"},
9237 static const value_string qfsi_vals[] = {
9238 { 1, "Info Allocation"},
9239 { 2, "Info Volume"},
9240 { 0x0101, "Query FS Label Info"},
9241 { 0x0102, "Query FS Volume Info"},
9242 { 0x0103, "Query FS Size Info"},
9243 { 0x0104, "Query FS Device Info"},
9244 { 0x0105, "Query FS Attribute Info"},
9245 { 0x0301, "Mac Query FS INFO"},
9246 { 1001, "Query FS Label Info"},
9247 { 1002, "Query FS Volume Info"},
9248 { 1003, "Query FS Size Info"},
9249 { 1004, "Query FS Device Info"},
9250 { 1005, "Query FS Attribute Info"},
9251 { 1006, "Query FS Quota Info"},
9252 { 1007, "Query Full FS Size Info"},
9256 static const value_string nt_rename_vals[] = {
9257 { 0x0103, "Create Hard Link"},
9262 static const value_string delete_pending_vals[] = {
9263 {0, "Normal, no pending delete"},
9264 {1, "This object has DELETE PENDING"},
9268 static const value_string alignment_vals[] = {
9269 {0, "Byte alignment"},
9270 {1, "Word (16bit) alignment"},
9271 {3, "Long (32bit) alignment"},
9272 {7, "8 byte boundary alignment"},
9273 {0x0f, "16 byte boundary alignment"},
9274 {0x1f, "32 byte boundary alignment"},
9275 {0x3f, "64 byte boundary alignment"},
9276 {0x7f, "128 byte boundary alignment"},
9277 {0xff, "256 byte boundary alignment"},
9278 {0x1ff, "512 byte boundary alignment"},
9283 static const true_false_string tfs_get_dfs_server_hold_storage = {
9284 "Referral SERVER HOLDS STORAGE for the file",
9285 "Referral server does NOT hold storage for the file"
9287 static const true_false_string tfs_get_dfs_fielding = {
9288 "The server in referral is FIELDING CAPABLE",
9289 "The server in referrals is NOT fielding capable"
9292 static const true_false_string tfs_dfs_referral_flags_strip = {
9293 "STRIP off pathconsumed characters before submitting",
9294 "Do NOT strip off any characters"
9297 static const value_string dfs_referral_server_type_vals[] = {
9300 {2, "Netware Server"},
9301 {3, "Domain Server"},
9306 static const true_false_string tfs_device_char_removable = {
9307 "This is a REMOVABLE device",
9308 "This is NOT a removable device"
9310 static const true_false_string tfs_device_char_read_only = {
9311 "This is a READ-ONLY device",
9312 "This is NOT a read-only device"
9314 static const true_false_string tfs_device_char_floppy = {
9315 "This is a FLOPPY DISK device",
9316 "This is NOT a floppy disk device"
9318 static const true_false_string tfs_device_char_write_once = {
9319 "This is a WRITE-ONCE device",
9320 "This is NOT a write-once device"
9322 static const true_false_string tfs_device_char_remote = {
9323 "This is a REMOTE device",
9324 "This is NOT a remote device"
9326 static const true_false_string tfs_device_char_mounted = {
9327 "This device is MOUNTED",
9328 "This device is NOT mounted"
9330 static const true_false_string tfs_device_char_virtual = {
9331 "This is a VIRTUAL device",
9332 "This is NOT a virtual device"
9336 static const true_false_string tfs_fs_attr_css = {
9337 "This FS supports CASE SENSITIVE SEARCHes",
9338 "This FS does NOT support case sensitive searches"
9340 static const true_false_string tfs_fs_attr_cpn = {
9341 "This FS supports CASE PRESERVED NAMES",
9342 "This FS does NOT support case preserved names"
9344 static const true_false_string tfs_fs_attr_pacls = {
9345 "This FS supports PERSISTENT ACLs",
9346 "This FS does NOT support persistent acls"
9348 static const true_false_string tfs_fs_attr_fc = {
9349 "This FS supports COMPRESSED FILES",
9350 "This FS does NOT support compressed files"
9352 static const true_false_string tfs_fs_attr_vq = {
9353 "This FS supports VOLUME QUOTAS",
9354 "This FS does NOT support volume quotas"
9356 static const true_false_string tfs_fs_attr_dim = {
9357 "This FS is on a MOUNTED DEVICE",
9358 "This FS is NOT on a mounted device"
9360 static const true_false_string tfs_fs_attr_vic = {
9361 "This FS is on a COMPRESSED VOLUME",
9362 "This FS is NOT on a compressed volume"
9365 #define FF2_RESUME 0x0004
9368 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9371 proto_item *item = NULL;
9372 proto_tree *tree = NULL;
9374 smb_transact2_info_t *t2i;
9376 mask = tvb_get_letohs(tvb, offset);
9378 si = (smb_info_t *)pinfo->private_data;
9379 if (si->sip != NULL) {
9380 t2i = si->sip->extra_info;
9382 if (!pinfo->fd->flags.visited)
9383 t2i->resume_keys = (mask & FF2_RESUME);
9388 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9389 "Flags: 0x%04x", mask);
9390 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
9393 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
9394 tvb, offset, 2, mask);
9395 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
9396 tvb, offset, 2, mask);
9397 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
9398 tvb, offset, 2, mask);
9399 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
9400 tvb, offset, 2, mask);
9401 proto_tree_add_boolean(tree, hf_smb_ff2_close,
9402 tvb, offset, 2, mask);
9411 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9414 proto_item *item = NULL;
9415 proto_tree *tree = NULL;
9417 mask = tvb_get_letohs(tvb, offset);
9420 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9421 "IO Flag: 0x%04x", mask);
9422 tree = proto_item_add_subtree(item, ett_smb_ioflag);
9425 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
9426 tvb, offset, 2, mask);
9427 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
9428 tvb, offset, 2, mask);
9437 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
9438 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
9440 proto_item *item = NULL;
9441 proto_tree *tree = NULL;
9443 smb_transact2_info_t *t2i;
9446 int old_offset = offset;
9448 si = (smb_info_t *)pinfo->private_data;
9449 if (si->sip != NULL)
9450 t2i = si->sip->extra_info;
9455 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
9457 val_to_str(subcmd, trans2_cmd_vals,
9458 "Unknown (0x%02x)"));
9459 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
9463 case 0x00: /*TRANS2_OPEN2*/
9465 CHECK_BYTE_COUNT_TRANS(2);
9466 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
9469 /* desired access */
9470 CHECK_BYTE_COUNT_TRANS(2);
9471 offset = dissect_access(tvb, tree, offset, "Desired");
9474 /* Search Attributes */
9475 CHECK_BYTE_COUNT_TRANS(2);
9476 offset = dissect_search_attributes(tvb, tree, offset);
9479 /* File Attributes */
9480 CHECK_BYTE_COUNT_TRANS(2);
9481 offset = dissect_file_attributes(tvb, tree, offset);
9485 CHECK_BYTE_COUNT_TRANS(4);
9486 offset = dissect_smb_datetime(tvb, tree, offset,
9488 hf_smb_create_dos_date, hf_smb_create_dos_time,
9493 CHECK_BYTE_COUNT_TRANS(2);
9494 offset = dissect_open_function(tvb, tree, offset);
9497 /* allocation size */
9498 CHECK_BYTE_COUNT_TRANS(4);
9499 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
9500 COUNT_BYTES_TRANS(4);
9502 /* 10 reserved bytes */
9503 CHECK_BYTE_COUNT_TRANS(10);
9504 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
9505 COUNT_BYTES_TRANS(10);
9508 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9509 CHECK_STRING_TRANS(fn);
9510 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9512 COUNT_BYTES_TRANS(fn_len);
9514 if (check_col(pinfo->cinfo, COL_INFO)) {
9515 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9519 case 0x01: /*TRANS2_FIND_FIRST2*/
9520 /* Search Attributes */
9521 CHECK_BYTE_COUNT_TRANS(2);
9522 offset = dissect_search_attributes(tvb, tree, offset);
9526 CHECK_BYTE_COUNT_TRANS(2);
9527 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9528 COUNT_BYTES_TRANS(2);
9530 /* Find First2 flags */
9531 CHECK_BYTE_COUNT_TRANS(2);
9532 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9535 /* Find First2 information level */
9536 CHECK_BYTE_COUNT_TRANS(2);
9537 si->info_level = tvb_get_letohs(tvb, offset);
9538 if (!pinfo->fd->flags.visited)
9539 t2i->info_level = si->info_level;
9540 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9541 COUNT_BYTES_TRANS(2);
9544 CHECK_BYTE_COUNT_TRANS(4);
9545 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
9546 COUNT_BYTES_TRANS(4);
9548 /* search pattern */
9549 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9550 CHECK_STRING_TRANS(fn);
9551 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
9553 COUNT_BYTES_TRANS(fn_len);
9555 if (check_col(pinfo->cinfo, COL_INFO)) {
9556 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
9561 case 0x02: /*TRANS2_FIND_NEXT2*/
9563 CHECK_BYTE_COUNT_TRANS(2);
9564 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
9565 COUNT_BYTES_TRANS(2);
9568 CHECK_BYTE_COUNT_TRANS(2);
9569 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
9570 COUNT_BYTES_TRANS(2);
9572 /* Find First2 information level */
9573 CHECK_BYTE_COUNT_TRANS(2);
9574 si->info_level = tvb_get_letohs(tvb, offset);
9575 if (!pinfo->fd->flags.visited)
9576 t2i->info_level = si->info_level;
9577 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
9578 COUNT_BYTES_TRANS(2);
9581 CHECK_BYTE_COUNT_TRANS(4);
9582 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
9583 COUNT_BYTES_TRANS(4);
9585 /* Find First2 flags */
9586 CHECK_BYTE_COUNT_TRANS(2);
9587 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
9591 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9592 CHECK_STRING_TRANS(fn);
9593 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9595 COUNT_BYTES_TRANS(fn_len);
9597 if (check_col(pinfo->cinfo, COL_INFO)) {
9598 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
9603 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
9604 /* level of interest */
9605 CHECK_BYTE_COUNT_TRANS(2);
9606 si->info_level = tvb_get_letohs(tvb, offset);
9607 if (!pinfo->fd->flags.visited)
9608 t2i->info_level = si->info_level;
9609 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
9610 COUNT_BYTES_TRANS(2);
9613 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
9614 /* level of interest */
9615 CHECK_BYTE_COUNT_TRANS(2);
9616 si->info_level = tvb_get_letohs(tvb, offset);
9617 if (!pinfo->fd->flags.visited)
9618 t2i->info_level = si->info_level;
9619 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9620 COUNT_BYTES_TRANS(2);
9622 /* 4 reserved bytes */
9623 CHECK_BYTE_COUNT_TRANS(4);
9624 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9625 COUNT_BYTES_TRANS(4);
9628 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9629 CHECK_STRING_TRANS(fn);
9630 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9632 COUNT_BYTES_TRANS(fn_len);
9634 if (check_col(pinfo->cinfo, COL_INFO)) {
9635 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9640 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
9641 /* level of interest */
9642 CHECK_BYTE_COUNT_TRANS(2);
9643 si->info_level = tvb_get_letohs(tvb, offset);
9644 if (!pinfo->fd->flags.visited)
9645 t2i->info_level = si->info_level;
9646 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9647 COUNT_BYTES_TRANS(2);
9649 /* 4 reserved bytes */
9650 CHECK_BYTE_COUNT_TRANS(4);
9651 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9652 COUNT_BYTES_TRANS(4);
9655 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9656 CHECK_STRING_TRANS(fn);
9657 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9659 COUNT_BYTES_TRANS(fn_len);
9661 if (check_col(pinfo->cinfo, COL_INFO)) {
9662 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9667 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
9671 CHECK_BYTE_COUNT_TRANS(2);
9672 fid = tvb_get_letohs(tvb, offset);
9673 add_fid(tvb, pinfo, tree, offset, 2, fid);
9674 COUNT_BYTES_TRANS(2);
9676 /* level of interest */
9677 CHECK_BYTE_COUNT_TRANS(2);
9678 si->info_level = tvb_get_letohs(tvb, offset);
9679 if (!pinfo->fd->flags.visited)
9680 t2i->info_level = si->info_level;
9681 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9682 COUNT_BYTES_TRANS(2);
9686 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
9690 CHECK_BYTE_COUNT_TRANS(2);
9691 fid = tvb_get_letohs(tvb, offset);
9692 add_fid(tvb, pinfo, tree, offset, 2, fid);
9693 COUNT_BYTES_TRANS(2);
9695 /* level of interest */
9696 CHECK_BYTE_COUNT_TRANS(2);
9697 si->info_level = tvb_get_letohs(tvb, offset);
9698 if (!pinfo->fd->flags.visited)
9699 t2i->info_level = si->info_level;
9700 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9701 COUNT_BYTES_TRANS(2);
9705 * XXX - "Microsoft Networks SMB File Sharing Protocol
9706 * Extensions Version 3.0, Document Version 1.11,
9707 * July 19, 1990" says this is I/O flags, but it's
9708 * reserved in the SNIA spec, and some clients appear
9709 * to leave junk in it.
9711 * Is this some field used only if a particular
9712 * dialect was negotiated, so that clients can feel
9713 * safe not setting it if they haven't negotiated that
9714 * dialect? Or do the (non-OS/2) clients simply not care
9715 * about that particular OS/2-oriented dialect?
9719 CHECK_BYTE_COUNT_TRANS(2);
9720 offset = dissect_sfi_ioflag(tvb, tree, offset);
9723 /* 2 reserved bytes */
9724 CHECK_BYTE_COUNT_TRANS(2);
9725 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
9726 COUNT_BYTES_TRANS(2);
9731 case 0x09: /*TRANS2_FSCTL*/
9732 /* this call has no parameter block in the request */
9735 * XXX - "Microsoft Networks SMB File Sharing Protocol
9736 * Extensions Version 3.0, Document Version 1.11,
9737 * July 19, 1990" says this this contains a
9738 * "File system specific parameter block". (That means
9739 * we may not be able to dissect it in any case.)
9742 case 0x0a: /*TRANS2_IOCTL2*/
9743 /* this call has no parameter block in the request */
9746 * XXX - "Microsoft Networks SMB File Sharing Protocol
9747 * Extensions Version 3.0, Document Version 1.11,
9748 * July 19, 1990" says this this contains a
9749 * "Device/function specific parameter block". (That
9750 * means we may not be able to dissect it in any case.)
9753 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
9754 /* Search Attributes */
9755 CHECK_BYTE_COUNT_TRANS(2);
9756 offset = dissect_search_attributes(tvb, tree, offset);
9759 /* Number of changes to wait for */
9760 CHECK_BYTE_COUNT_TRANS(2);
9761 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
9762 COUNT_BYTES_TRANS(2);
9764 /* Find Notify information level */
9765 CHECK_BYTE_COUNT_TRANS(2);
9766 si->info_level = tvb_get_letohs(tvb, offset);
9767 if (!pinfo->fd->flags.visited)
9768 t2i->info_level = si->info_level;
9769 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
9770 COUNT_BYTES_TRANS(2);
9772 /* 4 reserved bytes */
9773 CHECK_BYTE_COUNT_TRANS(4);
9774 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9775 COUNT_BYTES_TRANS(4);
9778 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9779 CHECK_STRING_TRANS(fn);
9780 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9782 COUNT_BYTES_TRANS(fn_len);
9784 if (check_col(pinfo->cinfo, COL_INFO)) {
9785 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9791 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
9792 /* Monitor handle */
9793 CHECK_BYTE_COUNT_TRANS(2);
9794 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
9795 COUNT_BYTES_TRANS(2);
9797 /* Number of changes to wait for */
9798 CHECK_BYTE_COUNT_TRANS(2);
9799 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
9800 COUNT_BYTES_TRANS(2);
9804 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
9805 /* 4 reserved bytes */
9806 CHECK_BYTE_COUNT_TRANS(4);
9807 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9808 COUNT_BYTES_TRANS(4);
9811 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
9813 CHECK_STRING_TRANS(fn);
9814 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
9816 COUNT_BYTES_TRANS(fn_len);
9818 if (check_col(pinfo->cinfo, COL_INFO)) {
9819 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
9823 case 0x0e: /*TRANS2_SESSION_SETUP*/
9824 /* XXX unknown structure*/
9826 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
9827 /* referral level */
9828 CHECK_BYTE_COUNT_TRANS(2);
9829 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
9830 COUNT_BYTES_TRANS(2);
9833 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9834 CHECK_STRING_TRANS(fn);
9835 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9837 COUNT_BYTES_TRANS(fn_len);
9839 if (check_col(pinfo->cinfo, COL_INFO)) {
9840 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9845 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
9847 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9848 CHECK_STRING_TRANS(fn);
9849 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9851 COUNT_BYTES_TRANS(fn_len);
9853 if (check_col(pinfo->cinfo, COL_INFO)) {
9854 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9861 /* ooops there were data we didnt know how to process */
9862 if((offset-old_offset) < bc){
9863 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
9864 bc - (offset-old_offset), TRUE);
9865 offset += bc - (offset-old_offset);
9872 * XXX - just use "dissect_connect_flags()" here?
9875 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9878 proto_item *item = NULL;
9879 proto_tree *tree = NULL;
9881 mask = tvb_get_letohs(tvb, offset);
9884 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9885 "Flags: 0x%04x", mask);
9886 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
9889 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
9890 tvb, offset, 2, mask);
9891 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
9892 tvb, offset, 2, mask);
9899 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9902 proto_item *item = NULL;
9903 proto_tree *tree = NULL;
9905 mask = tvb_get_letohs(tvb, offset);
9908 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9909 "Flags: 0x%04x", mask);
9910 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
9913 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
9914 tvb, offset, 2, mask);
9915 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
9916 tvb, offset, 2, mask);
9923 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
9926 proto_item *item = NULL;
9927 proto_tree *tree = NULL;
9929 mask = tvb_get_letohs(tvb, offset);
9932 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9933 "Flags: 0x%04x", mask);
9934 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
9937 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
9938 tvb, offset, 2, mask);
9946 /* dfs inconsistency data (4.4.2)
9949 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
9950 proto_tree *tree, int offset, guint16 *bcp)
9952 smb_info_t *si = pinfo->private_data;
9956 /*XXX shouldn this data hold version and size? unclear from doc*/
9957 /* referral version */
9958 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9959 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
9960 COUNT_BYTES_TRANS_SUBR(2);
9963 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9964 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
9965 COUNT_BYTES_TRANS_SUBR(2);
9967 /* referral server type */
9968 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9969 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9970 COUNT_BYTES_TRANS_SUBR(2);
9972 /* referral flags */
9973 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9974 offset = dissect_dfs_referral_flags(tvb, tree, offset);
9978 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
9979 CHECK_STRING_TRANS_SUBR(fn);
9980 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9982 COUNT_BYTES_TRANS_SUBR(fn_len);
9987 /* get dfs referral data (4.4.1)
9990 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
9991 proto_tree *tree, int offset, guint16 *bcp)
9993 smb_info_t *si = pinfo->private_data;
9997 guint16 altpathoffset;
10008 /* path consumed */
10009 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10010 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
10011 COUNT_BYTES_TRANS_SUBR(2);
10013 /* num referrals */
10014 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10015 numref = tvb_get_letohs(tvb, offset);
10016 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
10017 COUNT_BYTES_TRANS_SUBR(2);
10019 /* get dfs flags */
10020 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10021 offset = dissect_get_dfs_flags(tvb, tree, offset);
10024 /* XXX - in at least one capture there appears to be 2 bytes
10025 of stuff after the Dfs flags, perhaps so that the header
10026 in front of the referral list is a multiple of 4 bytes long. */
10027 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10028 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
10029 COUNT_BYTES_TRANS_SUBR(2);
10031 /* if there are any referrals */
10033 proto_item *ref_item = NULL;
10034 proto_tree *ref_tree = NULL;
10035 int old_offset=offset;
10038 ref_item = proto_tree_add_text(tree,
10039 tvb, offset, *bcp, "Referrals");
10040 ref_tree = proto_item_add_subtree(ref_item,
10041 ett_smb_dfs_referrals);
10046 proto_item *ri = NULL;
10047 proto_tree *rt = NULL;
10048 int old_offset=offset;
10052 ri = proto_tree_add_text(ref_tree,
10053 tvb, offset, *bcp, "Referral");
10054 rt = proto_item_add_subtree(ri,
10055 ett_smb_dfs_referral);
10058 /* referral version */
10059 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10060 version = tvb_get_letohs(tvb, offset);
10061 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
10062 tvb, offset, 2, version);
10063 COUNT_BYTES_TRANS_SUBR(2);
10065 /* referral size */
10066 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10067 refsize = tvb_get_letohs(tvb, offset);
10068 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
10069 COUNT_BYTES_TRANS_SUBR(2);
10071 /* referral server type */
10072 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10073 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10074 COUNT_BYTES_TRANS_SUBR(2);
10076 /* referral flags */
10077 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10078 offset = dissect_dfs_referral_flags(tvb, rt, offset);
10085 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10086 CHECK_STRING_TRANS_SUBR(fn);
10087 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10089 COUNT_BYTES_TRANS_SUBR(fn_len);
10093 case 3: /* XXX - like version 2, but not identical;
10094 seen in a capture, but the format isn't
10097 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10098 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
10099 COUNT_BYTES_TRANS_SUBR(2);
10102 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10103 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
10104 COUNT_BYTES_TRANS_SUBR(2);
10107 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10108 pathoffset = tvb_get_letohs(tvb, offset);
10109 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
10110 COUNT_BYTES_TRANS_SUBR(2);
10112 /* alt path offset */
10113 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10114 altpathoffset = tvb_get_letohs(tvb, offset);
10115 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
10116 COUNT_BYTES_TRANS_SUBR(2);
10119 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10120 nodeoffset = tvb_get_letohs(tvb, offset);
10121 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
10122 COUNT_BYTES_TRANS_SUBR(2);
10125 if (pathoffset != 0) {
10126 stroffset = old_offset + pathoffset;
10127 offsetoffset = stroffset - offset;
10128 if (offsetoffset > 0 &&
10129 *bcp > offsetoffset) {
10131 *bcp -= offsetoffset;
10132 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10133 CHECK_STRING_TRANS_SUBR(fn);
10134 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
10136 stroffset += fn_len;
10137 if (ucstring_end < stroffset)
10138 ucstring_end = stroffset;
10144 if (altpathoffset != 0) {
10145 stroffset = old_offset + altpathoffset;
10146 offsetoffset = stroffset - offset;
10147 if (offsetoffset > 0 &&
10148 *bcp > offsetoffset) {
10150 *bcp -= offsetoffset;
10151 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10152 CHECK_STRING_TRANS_SUBR(fn);
10153 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
10155 stroffset += fn_len;
10156 if (ucstring_end < stroffset)
10157 ucstring_end = stroffset;
10163 if (nodeoffset != 0) {
10164 stroffset = old_offset + nodeoffset;
10165 offsetoffset = stroffset - offset;
10166 if (offsetoffset > 0 &&
10167 *bcp > offsetoffset) {
10169 *bcp -= offsetoffset;
10170 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10171 CHECK_STRING_TRANS_SUBR(fn);
10172 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
10174 stroffset += fn_len;
10175 if (ucstring_end < stroffset)
10176 ucstring_end = stroffset;
10184 * Show anything beyond the length of the referral
10187 unklen = (old_offset + refsize) - offset;
10190 * XXX - the length is bogus.
10195 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
10196 proto_tree_add_item(rt, hf_smb_unknown, tvb,
10197 offset, unklen, TRUE);
10198 COUNT_BYTES_TRANS_SUBR(unklen);
10201 proto_item_set_len(ri, offset-old_offset);
10205 * Treat the offset past the end of the last Unicode
10206 * string after the referrals (if any) as the last
10209 if (ucstring_end > offset) {
10210 ucstring_len = ucstring_end - offset;
10211 if (*bcp < ucstring_len)
10212 ucstring_len = *bcp;
10213 offset += ucstring_len;
10214 *bcp -= ucstring_len;
10216 proto_item_set_len(ref_item, offset-old_offset);
10223 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
10224 as described in 4.2.14.1
10227 dissect_4_2_14_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10228 int offset, guint16 *bcp, gboolean *trunc)
10231 CHECK_BYTE_COUNT_SUBR(4);
10232 offset = dissect_smb_datetime(tvb, tree, offset,
10233 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
10238 CHECK_BYTE_COUNT_SUBR(4);
10239 offset = dissect_smb_datetime(tvb, tree, offset,
10240 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
10244 /* last write time */
10245 CHECK_BYTE_COUNT_SUBR(4);
10246 offset = dissect_smb_datetime(tvb, tree, offset,
10247 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
10252 CHECK_BYTE_COUNT_SUBR(4);
10253 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10254 COUNT_BYTES_SUBR(4);
10256 /* allocation size */
10257 CHECK_BYTE_COUNT_SUBR(4);
10258 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10259 COUNT_BYTES_SUBR(4);
10261 /* File Attributes */
10262 CHECK_BYTE_COUNT_SUBR(2);
10263 offset = dissect_file_attributes(tvb, tree, offset);
10267 CHECK_BYTE_COUNT_SUBR(4);
10268 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10269 COUNT_BYTES_SUBR(4);
10275 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
10276 as described in 4.2.14.2
10279 dissect_4_2_14_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10280 int offset, guint16 *bcp, gboolean *trunc)
10283 CHECK_BYTE_COUNT_SUBR(4);
10284 proto_tree_add_item(tree, hf_smb_list_length, tvb, offset, 4, TRUE);
10285 COUNT_BYTES_SUBR(4);
10291 /* this dissects the SMB_INFO_IS_NAME_VALID
10292 as described in 4.2.14.3
10295 dissect_4_2_14_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10296 int offset, guint16 *bcp, gboolean *trunc)
10298 smb_info_t *si = pinfo->private_data;
10303 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10304 CHECK_STRING_SUBR(fn);
10305 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10307 COUNT_BYTES_SUBR(fn_len);
10313 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
10314 as described in 4.2.14.4
10317 dissect_4_2_14_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10318 int offset, guint16 *bcp, gboolean *trunc)
10321 CHECK_BYTE_COUNT_SUBR(8);
10322 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
10326 CHECK_BYTE_COUNT_SUBR(8);
10327 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
10330 /* last write time */
10331 CHECK_BYTE_COUNT_SUBR(8);
10332 offset = dissect_smb_64bit_time(tvb, tree, offset,
10333 hf_smb_last_write_time);
10336 /* last change time */
10337 CHECK_BYTE_COUNT_SUBR(8);
10338 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
10341 /* File Attributes */
10342 CHECK_BYTE_COUNT_SUBR(2);
10343 offset = dissect_file_attributes(tvb, tree, offset);
10350 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
10351 as described in 4.2.14.5
10354 dissect_4_2_14_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10355 int offset, guint16 *bcp, gboolean *trunc)
10357 /* allocation size */
10358 CHECK_BYTE_COUNT_SUBR(8);
10359 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10360 COUNT_BYTES_SUBR(8);
10363 CHECK_BYTE_COUNT_SUBR(8);
10364 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10365 COUNT_BYTES_SUBR(8);
10367 /* number of links */
10368 CHECK_BYTE_COUNT_SUBR(4);
10369 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
10370 COUNT_BYTES_SUBR(4);
10372 /* delete pending */
10373 CHECK_BYTE_COUNT_SUBR(2);
10374 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 2, TRUE);
10375 COUNT_BYTES_SUBR(2);
10378 CHECK_BYTE_COUNT_SUBR(1);
10379 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
10380 COUNT_BYTES_SUBR(1);
10386 /* this dissects the SMB_QUERY_FILE_EA_INFO
10387 as described in 4.2.14.6
10390 dissect_4_2_14_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10391 int offset, guint16 *bcp, gboolean *trunc)
10394 CHECK_BYTE_COUNT_SUBR(4);
10395 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10396 COUNT_BYTES_SUBR(4);
10402 /* this dissects the SMB_QUERY_FILE_NAME_INFO
10403 as described in 4.2.14.7
10404 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
10405 as described in 4.2.14.9
10408 dissect_4_2_14_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10409 int offset, guint16 *bcp, gboolean *trunc)
10411 smb_info_t *si = pinfo->private_data;
10415 /* file name len */
10416 CHECK_BYTE_COUNT_SUBR(4);
10417 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
10418 COUNT_BYTES_SUBR(4);
10421 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10422 CHECK_STRING_SUBR(fn);
10423 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10425 COUNT_BYTES_SUBR(fn_len);
10431 /* this dissects the SMB_QUERY_FILE_ALL_INFO
10432 as described in 4.2.14.8
10435 dissect_4_2_14_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10436 int offset, guint16 *bcp, gboolean *trunc)
10439 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, trunc);
10443 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, trunc);
10449 CHECK_BYTE_COUNT_SUBR(8);
10450 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10451 COUNT_BYTES_SUBR(8);
10453 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
10458 CHECK_BYTE_COUNT_SUBR(4);
10459 offset = dissect_nt_access_mask(tvb, tree, offset);
10460 COUNT_BYTES_SUBR(4);
10463 CHECK_BYTE_COUNT_SUBR(8);
10464 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
10465 COUNT_BYTES_SUBR(8);
10467 /* current offset */
10468 CHECK_BYTE_COUNT_SUBR(8);
10469 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
10470 COUNT_BYTES_SUBR(8);
10473 CHECK_BYTE_COUNT_SUBR(4);
10474 offset = dissect_nt_create_options(tvb, tree, offset);
10478 CHECK_BYTE_COUNT_SUBR(4);
10479 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
10480 COUNT_BYTES_SUBR(4);
10482 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
10487 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
10488 as described in 4.2.14.10
10491 dissect_4_2_14_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10492 int offset, guint16 *bcp, gboolean *trunc)
10498 smb_info_t *si = pinfo->private_data;
10504 old_offset = offset;
10506 /* next entry offset */
10507 CHECK_BYTE_COUNT_SUBR(4);
10509 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
10510 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10516 neo = tvb_get_letohl(tvb, offset);
10517 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10518 COUNT_BYTES_SUBR(4);
10520 /* stream name len */
10521 CHECK_BYTE_COUNT_SUBR(4);
10522 fn_len = tvb_get_letohl(tvb, offset);
10523 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
10524 COUNT_BYTES_SUBR(4);
10527 CHECK_BYTE_COUNT_SUBR(8);
10528 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
10529 COUNT_BYTES_SUBR(8);
10531 /* allocation size */
10532 CHECK_BYTE_COUNT_SUBR(8);
10533 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10534 COUNT_BYTES_SUBR(8);
10537 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
10538 CHECK_STRING_SUBR(fn);
10539 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
10541 COUNT_BYTES_SUBR(fn_len);
10543 proto_item_append_text(item, ": %s", fn);
10544 proto_item_set_len(item, offset-old_offset);
10547 break; /* no more structures */
10549 /* skip to next structure */
10550 padcnt = (old_offset + neo) - offset;
10553 * XXX - this is bogus; flag it?
10558 CHECK_BYTE_COUNT_SUBR(padcnt);
10559 COUNT_BYTES_SUBR(padcnt);
10567 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
10568 as described in 4.2.14.11
10571 dissect_4_2_14_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10572 int offset, guint16 *bcp, gboolean *trunc)
10574 /* compressed file size */
10575 CHECK_BYTE_COUNT_SUBR(8);
10576 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
10577 COUNT_BYTES_SUBR(8);
10579 /* compression format */
10580 CHECK_BYTE_COUNT_SUBR(2);
10581 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
10582 COUNT_BYTES_SUBR(2);
10584 /* compression unit shift */
10585 CHECK_BYTE_COUNT_SUBR(1);
10586 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
10587 COUNT_BYTES_SUBR(1);
10589 /* compression chunk shift */
10590 CHECK_BYTE_COUNT_SUBR(1);
10591 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
10592 COUNT_BYTES_SUBR(1);
10594 /* compression cluster shift */
10595 CHECK_BYTE_COUNT_SUBR(1);
10596 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
10597 COUNT_BYTES_SUBR(1);
10599 /* 3 reserved bytes */
10600 CHECK_BYTE_COUNT_SUBR(3);
10601 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
10602 COUNT_BYTES_SUBR(3);
10610 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION*/
10612 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
10613 int offset, guint16 *bcp)
10622 si = (smb_info_t *)pinfo->private_data;
10623 switch(si->info_level){
10624 case 1: /*Info Standard*/
10625 case 2: /*Info Query EA Size*/
10626 offset = dissect_4_2_14_1(tvb, pinfo, tree, offset, bcp,
10629 case 3: /*Info Query EAs From List*/
10630 case 4: /*Info Query All EAs*/
10631 offset = dissect_4_2_14_2(tvb, pinfo, tree, offset, bcp,
10634 case 6: /*Info Is Name Valid*/
10635 offset = dissect_4_2_14_3(tvb, pinfo, tree, offset, bcp,
10638 case 0x0101: /*Query File Basic Info*/
10639 case 1004: /* SMB_FILE_BASIC_INFORMATION */
10640 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp,
10643 case 0x0102: /*Query File Standard Info*/
10644 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
10645 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp,
10648 case 0x0103: /*Query File EA Info*/
10649 case 1007: /* SMB_FILE_EA_INFORMATION */
10650 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp,
10653 case 0x0104: /*Query File Name Info*/
10654 case 1009: /* SMB_FILE_NAME_INFORMATION */
10655 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
10658 case 0x0107: /*Query File All Info*/
10659 case 1018: /* SMB_FILE_ALL_INFORMATION */
10660 offset = dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp,
10663 case 0x0108: /*Query File Alt File Info*/
10664 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
10665 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
10668 case 1022: /* SMB_FILE_STREAM_INFORMATION */
10669 ((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
10670 case 0x0109: /*Query File Stream Info*/
10671 offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp,
10674 case 0x010b: /*Query File Compression Info*/
10675 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
10676 offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp,
10679 case 0x0200: /*Set File Unix Basic*/
10680 /* XXX add this from the SNIA doc */
10682 case 0x0201: /*Set File Unix Link*/
10683 /* XXX add this from the SNIA doc */
10685 case 0x0202: /*Set File Unix HardLink*/
10686 /* XXX add this from the SNIA doc */
10694 static const true_false_string tfs_quota_flags_deny_disk = {
10695 "DENY DISK SPACE for users exceeding quota limit",
10696 "Do NOT deny disk space for users exceeding quota limit"
10698 static const true_false_string tfs_quota_flags_log_limit = {
10699 "LOG EVENT when a user exceeds their QUOTA LIMIT",
10700 "Do NOT log event when a user exceeds their quota limit"
10702 static const true_false_string tfs_quota_flags_log_warning = {
10703 "LOG EVENT when a user exceeds their WARNING LEVEL",
10704 "Do NOT log event when a user exceeds their warning level"
10706 static const true_false_string tfs_quota_flags_enabled = {
10707 "Quotas are ENABLED of this fs",
10708 "Quotas are NOT enabled on this fs"
10711 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10714 proto_item *item = NULL;
10715 proto_tree *tree = NULL;
10717 mask = tvb_get_guint8(tvb, offset);
10720 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
10721 "Quota Flags: 0x%02x %s", mask,
10722 mask?"Enabled":"Disabled");
10723 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
10726 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
10727 tvb, offset, 1, mask);
10728 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
10729 tvb, offset, 1, mask);
10730 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
10731 tvb, offset, 1, mask);
10733 if(mask && (!(mask&0x01))){
10734 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
10735 tvb, offset, 1, 0x01);
10737 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
10738 tvb, offset, 1, mask);
10744 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
10746 /* first 24 bytes are unknown */
10747 CHECK_BYTE_COUNT_TRANS_SUBR(24);
10748 proto_tree_add_item(tree, hf_smb_unknown, tvb,
10750 COUNT_BYTES_TRANS_SUBR(24);
10752 /* number of bytes for quota warning */
10753 CHECK_BYTE_COUNT_TRANS_SUBR(8);
10754 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
10755 COUNT_BYTES_TRANS_SUBR(8);
10757 /* number of bytes for quota limit */
10758 CHECK_BYTE_COUNT_TRANS_SUBR(8);
10759 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
10760 COUNT_BYTES_TRANS_SUBR(8);
10762 /* one byte of quota flags */
10763 CHECK_BYTE_COUNT_TRANS_SUBR(1);
10764 dissect_quota_flags(tvb, tree, offset);
10765 COUNT_BYTES_TRANS_SUBR(1);
10767 /* these 7 bytes are unknown */
10768 CHECK_BYTE_COUNT_TRANS_SUBR(7);
10769 proto_tree_add_item(tree, hf_smb_unknown, tvb,
10771 COUNT_BYTES_TRANS_SUBR(7);
10777 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
10778 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
10780 proto_item *item = NULL;
10781 proto_tree *tree = NULL;
10784 si = (smb_info_t *)pinfo->private_data;
10787 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
10789 val_to_str(subcmd, trans2_cmd_vals,
10790 "Unknown (0x%02x)"));
10791 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
10795 case 0x00: /*TRANS2_OPEN2*/
10796 /* XXX dont know how to decode FEAList */
10798 case 0x01: /*TRANS2_FIND_FIRST2*/
10799 /* XXX dont know how to decode FEAList */
10801 case 0x02: /*TRANS2_FIND_NEXT2*/
10802 /* XXX dont know how to decode FEAList */
10804 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
10805 /* no data field in this request */
10807 case 0x04: /* TRANS2_SET_QUOTA */
10808 offset = dissect_nt_quota(tvb, tree, offset, &dc);
10810 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
10811 /* no data field in this request */
10813 * XXX - "Microsoft Networks SMB File Sharing Protocol
10814 * Extensions Version 3.0, Document Version 1.11,
10815 * July 19, 1990" says there may be "Additional
10816 * FileInfoLevel dependent information" here.
10818 * Was that just a cut-and-pasteo?
10819 * TRANS2_SET_PATH_INFORMATION *does* have that information
10823 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10824 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
10826 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
10827 /* no data field in this request */
10829 * XXX - "Microsoft Networks SMB File Sharing Protocol
10830 * Extensions Version 3.0, Document Version 1.11,
10831 * July 19, 1990" says there may be "Additional
10832 * FileInfoLevel dependent information" here.
10834 * Was that just a cut-and-pasteo?
10835 * TRANS2_SET_FILE_INFORMATION *does* have that information
10839 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
10840 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
10842 case 0x09: /*TRANS2_FSCTL*/
10843 /*XXX dont know how to decode this yet */
10846 * XXX - "Microsoft Networks SMB File Sharing Protocol
10847 * Extensions Version 3.0, Document Version 1.11,
10848 * July 19, 1990" says this this contains a
10849 * "File system specific data block". (That means we
10850 * may not be able to dissect it in any case.)
10853 case 0x0a: /*TRANS2_IOCTL2*/
10854 /*XXX dont know how to decode this yet */
10857 * XXX - "Microsoft Networks SMB File Sharing Protocol
10858 * Extensions Version 3.0, Document Version 1.11,
10859 * July 19, 1990" says this this contains a
10860 * "Device/function specific data block". (That
10861 * means we may not be able to dissect it in any case.)
10864 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
10865 /*XXX dont know how to decode this yet */
10868 * XXX - "Microsoft Networks SMB File Sharing Protocol
10869 * Extensions Version 3.0, Document Version 1.11,
10870 * July 19, 1990" says this this contains "additional
10871 * level dependent match data".
10874 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
10875 /*XXX dont know how to decode this yet */
10878 * XXX - "Microsoft Networks SMB File Sharing Protocol
10879 * Extensions Version 3.0, Document Version 1.11,
10880 * July 19, 1990" says this this contains "additional
10881 * level dependent monitor information".
10884 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10885 /* XXX optional FEAList, unknown what FEAList looks like*/
10887 case 0x0e: /*TRANS2_SESSION_SETUP*/
10888 /*XXX dont know how to decode this yet */
10890 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10891 /* no data field in this request */
10893 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10894 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
10898 /* ooops there were data we didnt know how to process */
10900 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
10909 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
10917 * Show the setup words.
10919 if (s_tvb != NULL) {
10920 length = tvb_reported_length(s_tvb);
10921 for (i = 0, offset = 0; length >= 2;
10922 i++, offset += 2, length -= 2) {
10924 * XXX - add a setup word filterable field?
10926 proto_tree_add_text(tree, s_tvb, offset, 2,
10927 "Setup Word %d: 0x%04x", i,
10928 tvb_get_letohs(s_tvb, offset));
10933 * Show the parameters, if any.
10935 if (p_tvb != NULL) {
10936 length = tvb_reported_length(p_tvb);
10938 proto_tree_add_text(tree, p_tvb, 0, length,
10940 tvb_bytes_to_str(p_tvb, 0, length));
10945 * Show the data, if any.
10947 if (d_tvb != NULL) {
10948 length = tvb_reported_length(d_tvb);
10950 proto_tree_add_text(tree, d_tvb, 0, length,
10951 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
10956 /* This routine handles the following 4 calls
10958 Transaction Secondary 0x26
10960 Transaction2 Secondary 0x33
10963 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
10970 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
10974 const char *an = NULL;
10976 smb_transact2_info_t *t2i;
10977 smb_transact_info_t *tri;
10980 gboolean dissected_trans;
10982 si = (smb_info_t *)pinfo->private_data;
10987 /*secondary client request*/
10989 /* total param count, only a 16bit integer here*/
10990 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10993 /* total data count , only 16bit integer here*/
10994 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10998 pc = tvb_get_letohs(tvb, offset);
10999 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11003 po = tvb_get_letohs(tvb, offset);
11004 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11008 pd = tvb_get_letohs(tvb, offset);
11009 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11013 dc = tvb_get_letohs(tvb, offset);
11014 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11018 od = tvb_get_letohs(tvb, offset);
11019 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11023 dd = tvb_get_letohs(tvb, offset);
11024 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11027 if(si->cmd==SMB_COM_TRANSACTION2){
11031 fid = tvb_get_letohs(tvb, offset);
11032 add_fid(tvb, pinfo, tree, offset, 2, fid);
11037 /* There are no setup words. */
11042 /* it is not a secondary request */
11044 /* total param count , only a 16 bit integer here*/
11045 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11048 /* total data count , only 16bit integer here*/
11049 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11052 /* max param count , only 16bit integer here*/
11053 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11056 /* max data count, only 16bit integer here*/
11057 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11060 /* max setup count, only 16bit integer here*/
11061 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11064 /* reserved byte */
11065 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11068 /* transaction flags */
11069 tf = dissect_transaction_flags(tvb, tree, offset);
11073 to = tvb_get_letohl(tvb, offset);
11075 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
11076 else if (to == 0xffffffff)
11077 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
11079 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
11082 /* 2 reserved bytes */
11083 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11087 pc = tvb_get_letohs(tvb, offset);
11088 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11092 po = tvb_get_letohs(tvb, offset);
11093 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11096 /* param displacement is zero here */
11100 dc = tvb_get_letohs(tvb, offset);
11101 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11105 od = tvb_get_letohs(tvb, offset);
11106 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11109 /* data displacement is zero here */
11113 sc = tvb_get_guint8(tvb, offset);
11114 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11117 /* reserved byte */
11118 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11121 /* this is where the setup bytes, if any start */
11125 /* if there were any setup bytes, decode them */
11129 case SMB_COM_TRANSACTION2:
11130 /* TRANSACTION2 only has one setup word and
11131 that is the subcommand code.
11133 XXX - except for TRANS2_FSCTL
11134 and TRANS2_IOCTL. */
11135 subcmd = tvb_get_letohs(tvb, offset);
11136 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
11137 tvb, offset, 2, subcmd);
11138 if (check_col(pinfo->cinfo, COL_INFO)) {
11139 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11140 val_to_str(subcmd, trans2_cmd_vals,
11141 "Unknown (0x%02x)"));
11144 if(!pinfo->fd->flags.visited){
11147 * smb_transact2_info_t
11150 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
11151 t2i->subcmd = subcmd;
11152 t2i->info_level = -1;
11153 t2i->resume_keys = FALSE;
11154 si->sip->extra_info = t2i;
11159 * XXX - process TRANS2_FSCTL and
11160 * TRANS2_IOCTL setup words here.
11164 case SMB_COM_TRANSACTION:
11165 /* TRANSACTION setup words processed below */
11176 /* primary request */
11177 /* name is NULL if transaction2 */
11178 if(si->cmd == SMB_COM_TRANSACTION){
11179 /* Transaction Name */
11180 an = get_unicode_or_ascii_string(tvb, &offset,
11181 si->unicode, &an_len, FALSE, FALSE, &bc);
11184 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
11185 offset, an_len, an);
11186 COUNT_BYTES(an_len);
11191 * The pipe or mailslot arguments for Transaction start with
11192 * the first setup word (or where the first setup word would
11193 * be if there were any setup words), and run to the current
11194 * offset (which could mean that there aren't any).
11197 spc = offset - spo;
11201 /* We have some initial padding bytes.
11203 padcnt = po-offset;
11206 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11207 COUNT_BYTES(padcnt);
11210 CHECK_BYTE_COUNT(pc);
11213 case SMB_COM_TRANSACTION2:
11214 /* TRANSACTION2 parameters*/
11215 offset = dissect_transaction2_request_parameters(tvb,
11216 pinfo, tree, offset, subcmd, pc);
11220 case SMB_COM_TRANSACTION:
11221 /* TRANSACTION parameters processed below */
11229 /* We have some initial padding bytes.
11231 padcnt = od-offset;
11234 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11235 COUNT_BYTES(padcnt);
11238 CHECK_BYTE_COUNT(dc);
11241 case SMB_COM_TRANSACTION2:
11242 /* TRANSACTION2 data*/
11243 offset = dissect_transaction2_request_data(tvb, pinfo,
11244 tree, offset, subcmd, dc);
11248 case SMB_COM_TRANSACTION:
11249 /* TRANSACTION data processed below */
11255 /*TRANSACTION request parameters */
11256 if(si->cmd==SMB_COM_TRANSACTION){
11257 /*XXX replace this block with a function and use that one
11258 for both requests/responses*/
11260 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
11261 tvbuff_t *sp_tvb, *pd_tvb;
11264 if(pc>tvb_length_remaining(tvb, po)){
11265 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
11267 p_tvb = tvb_new_subset(tvb, po, pc, pc);
11273 if(dc>tvb_length_remaining(tvb, od)){
11274 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
11276 d_tvb = tvb_new_subset(tvb, od, dc, dc);
11282 if(sl>tvb_length_remaining(tvb, so)){
11283 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
11285 s_tvb = tvb_new_subset(tvb, so, sl, sl);
11292 if(!pinfo->fd->flags.visited){
11294 * Allocate a new smb_transact_info_t
11297 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
11299 tri->trans_subcmd = -1;
11300 tri->function = -1;
11302 tri->lanman_cmd = 0;
11303 tri->param_descrip = NULL;
11304 tri->data_descrip = NULL;
11305 tri->aux_data_descrip = NULL;
11306 tri->info_level = -1;
11307 si->sip->extra_info = tri;
11310 * We already filled the structure
11311 * in; don't bother doing so again.
11317 * This is a unidirectional message, for
11318 * which there will be no reply; don't
11319 * bother allocating an "smb_transact_info_t"
11320 * structure for it.
11324 dissected_trans = FALSE;
11325 if(strncmp("\\PIPE\\", an, 6) == 0){
11327 tri->subcmd=TRANSACTION_PIPE;
11330 * A tvbuff containing the setup words and
11333 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11336 * A tvbuff containing the parameters and the
11339 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
11341 dissected_trans = dissect_pipe_smb(sp_tvb,
11342 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
11344 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
11346 tri->subcmd=TRANSACTION_MAILSLOT;
11349 * A tvbuff containing the setup words and
11350 * the mailslot path.
11352 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
11353 dissected_trans = dissect_mailslot_smb(sp_tvb,
11354 s_tvb, d_tvb, an+10, pinfo, top_tree);
11356 if (!dissected_trans)
11357 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
11359 if(check_col(pinfo->cinfo, COL_INFO)){
11360 col_append_str(pinfo->cinfo, COL_INFO,
11361 "[transact continuation]");
11374 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11375 int offset, guint16 *bcp, gboolean *trunc)
11379 int old_offset = offset;
11380 proto_item *item = NULL;
11381 proto_tree *tree = NULL;
11383 smb_transact2_info_t *t2i;
11384 gboolean resume_keys = FALSE;
11386 si = (smb_info_t *)pinfo->private_data;
11387 if (si->sip != NULL) {
11388 t2i = si->sip->extra_info;
11390 resume_keys = t2i->resume_keys;
11394 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11395 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11396 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11401 CHECK_BYTE_COUNT_SUBR(4);
11402 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11403 COUNT_BYTES_SUBR(4);
11407 CHECK_BYTE_COUNT_SUBR(4);
11408 offset = dissect_smb_datetime(tvb, tree, offset,
11409 hf_smb_create_time,
11410 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11414 CHECK_BYTE_COUNT_SUBR(4);
11415 offset = dissect_smb_datetime(tvb, tree, offset,
11416 hf_smb_access_time,
11417 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11420 /* last write time */
11421 CHECK_BYTE_COUNT_SUBR(4);
11422 offset = dissect_smb_datetime(tvb, tree, offset,
11423 hf_smb_last_write_time,
11424 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11428 CHECK_BYTE_COUNT_SUBR(4);
11429 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11430 COUNT_BYTES_SUBR(4);
11432 /* allocation size */
11433 CHECK_BYTE_COUNT_SUBR(4);
11434 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11435 COUNT_BYTES_SUBR(4);
11437 /* File Attributes */
11438 CHECK_BYTE_COUNT_SUBR(2);
11439 offset = dissect_file_attributes(tvb, tree, offset);
11442 /* file name len */
11443 CHECK_BYTE_COUNT_SUBR(1);
11444 fn_len = tvb_get_guint8(tvb, offset);
11445 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11446 COUNT_BYTES_SUBR(1);
11448 fn_len += 2; /* include terminating '\0' */
11450 fn_len++; /* include terminating '\0' */
11453 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11454 CHECK_STRING_SUBR(fn);
11455 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11457 COUNT_BYTES_SUBR(fn_len);
11459 if (check_col(pinfo->cinfo, COL_INFO)) {
11460 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11464 proto_item_append_text(item, " File: %s", fn);
11465 proto_item_set_len(item, offset-old_offset);
11472 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11473 int offset, guint16 *bcp, gboolean *trunc)
11477 int old_offset = offset;
11478 proto_item *item = NULL;
11479 proto_tree *tree = NULL;
11481 smb_transact2_info_t *t2i;
11482 gboolean resume_keys = FALSE;
11484 si = (smb_info_t *)pinfo->private_data;
11485 if (si->sip != NULL) {
11486 t2i = si->sip->extra_info;
11488 resume_keys = t2i->resume_keys;
11492 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11493 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11494 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11499 CHECK_BYTE_COUNT_SUBR(4);
11500 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
11501 COUNT_BYTES_SUBR(4);
11505 CHECK_BYTE_COUNT_SUBR(4);
11506 offset = dissect_smb_datetime(tvb, tree, offset,
11507 hf_smb_create_time,
11508 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
11512 CHECK_BYTE_COUNT_SUBR(4);
11513 offset = dissect_smb_datetime(tvb, tree, offset,
11514 hf_smb_access_time,
11515 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
11518 /* last write time */
11519 CHECK_BYTE_COUNT_SUBR(4);
11520 offset = dissect_smb_datetime(tvb, tree, offset,
11521 hf_smb_last_write_time,
11522 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
11526 CHECK_BYTE_COUNT_SUBR(4);
11527 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11528 COUNT_BYTES_SUBR(4);
11530 /* allocation size */
11531 CHECK_BYTE_COUNT_SUBR(4);
11532 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
11533 COUNT_BYTES_SUBR(4);
11535 /* File Attributes */
11536 CHECK_BYTE_COUNT_SUBR(2);
11537 offset = dissect_file_attributes(tvb, tree, offset);
11541 CHECK_BYTE_COUNT_SUBR(4);
11542 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
11543 COUNT_BYTES_SUBR(4);
11545 /* file name len */
11546 CHECK_BYTE_COUNT_SUBR(1);
11547 fn_len = tvb_get_guint8(tvb, offset);
11548 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
11549 COUNT_BYTES_SUBR(1);
11552 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11553 CHECK_STRING_SUBR(fn);
11554 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11556 COUNT_BYTES_SUBR(fn_len);
11558 fn_len += 2; /* include terminating '\0' */
11560 fn_len++; /* include terminating '\0' */
11562 if (check_col(pinfo->cinfo, COL_INFO)) {
11563 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11567 proto_item_append_text(item, " File: %s", fn);
11568 proto_item_set_len(item, offset-old_offset);
11575 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11576 int offset, guint16 *bcp, gboolean *trunc)
11580 int old_offset = offset;
11581 proto_item *item = NULL;
11582 proto_tree *tree = NULL;
11587 si = (smb_info_t *)pinfo->private_data;
11590 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11591 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11592 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11596 * We assume that the presence of a next entry offset implies the
11597 * absence of a resume key, as appears to be the case for 4.3.4.6.
11600 /* next entry offset */
11601 CHECK_BYTE_COUNT_SUBR(4);
11602 neo = tvb_get_letohl(tvb, offset);
11603 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11604 COUNT_BYTES_SUBR(4);
11607 CHECK_BYTE_COUNT_SUBR(4);
11608 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11609 COUNT_BYTES_SUBR(4);
11612 CHECK_BYTE_COUNT_SUBR(8);
11613 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
11617 CHECK_BYTE_COUNT_SUBR(8);
11618 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
11621 /* last write time */
11622 CHECK_BYTE_COUNT_SUBR(8);
11623 offset = dissect_smb_64bit_time(tvb, tree, offset,
11624 hf_smb_last_write_time);
11627 /* last change time */
11628 CHECK_BYTE_COUNT_SUBR(8);
11629 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
11633 CHECK_BYTE_COUNT_SUBR(8);
11634 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11635 COUNT_BYTES_SUBR(8);
11637 /* allocation size */
11638 CHECK_BYTE_COUNT_SUBR(8);
11639 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11640 COUNT_BYTES_SUBR(8);
11642 /* Extended File Attributes */
11643 CHECK_BYTE_COUNT_SUBR(4);
11644 offset = dissect_file_ext_attr(tvb, tree, offset);
11647 /* file name len */
11648 CHECK_BYTE_COUNT_SUBR(4);
11649 fn_len = tvb_get_letohl(tvb, offset);
11650 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11651 COUNT_BYTES_SUBR(4);
11654 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11655 CHECK_STRING_SUBR(fn);
11656 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11658 COUNT_BYTES_SUBR(fn_len);
11660 if (check_col(pinfo->cinfo, COL_INFO)) {
11661 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11665 /* skip to next structure */
11667 padcnt = (old_offset + neo) - offset;
11670 * XXX - this is bogus; flag it?
11675 CHECK_BYTE_COUNT_SUBR(padcnt);
11676 COUNT_BYTES_SUBR(padcnt);
11680 proto_item_append_text(item, " File: %s", fn);
11681 proto_item_set_len(item, offset-old_offset);
11688 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11689 int offset, guint16 *bcp, gboolean *trunc)
11693 int old_offset = offset;
11694 proto_item *item = NULL;
11695 proto_tree *tree = NULL;
11700 si = (smb_info_t *)pinfo->private_data;
11703 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11704 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11705 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11709 * We assume that the presence of a next entry offset implies the
11710 * absence of a resume key, as appears to be the case for 4.3.4.6.
11713 /* next entry offset */
11714 CHECK_BYTE_COUNT_SUBR(4);
11715 neo = tvb_get_letohl(tvb, offset);
11716 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11717 COUNT_BYTES_SUBR(4);
11720 CHECK_BYTE_COUNT_SUBR(4);
11721 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11722 COUNT_BYTES_SUBR(4);
11725 CHECK_BYTE_COUNT_SUBR(8);
11726 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
11730 CHECK_BYTE_COUNT_SUBR(8);
11731 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
11734 /* last write time */
11735 CHECK_BYTE_COUNT_SUBR(8);
11736 offset = dissect_smb_64bit_time(tvb, tree, offset,
11737 hf_smb_last_write_time);
11740 /* last change time */
11741 CHECK_BYTE_COUNT_SUBR(8);
11742 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
11746 CHECK_BYTE_COUNT_SUBR(8);
11747 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11748 COUNT_BYTES_SUBR(8);
11750 /* allocation size */
11751 CHECK_BYTE_COUNT_SUBR(8);
11752 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11753 COUNT_BYTES_SUBR(8);
11755 /* Extended File Attributes */
11756 CHECK_BYTE_COUNT_SUBR(4);
11757 offset = dissect_file_ext_attr(tvb, tree, offset);
11760 /* file name len */
11761 CHECK_BYTE_COUNT_SUBR(4);
11762 fn_len = tvb_get_letohl(tvb, offset);
11763 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11764 COUNT_BYTES_SUBR(4);
11767 CHECK_BYTE_COUNT_SUBR(4);
11768 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
11769 COUNT_BYTES_SUBR(4);
11772 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11773 CHECK_STRING_SUBR(fn);
11774 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11776 COUNT_BYTES_SUBR(fn_len);
11778 if (check_col(pinfo->cinfo, COL_INFO)) {
11779 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11783 /* skip to next structure */
11785 padcnt = (old_offset + neo) - offset;
11788 * XXX - this is bogus; flag it?
11793 CHECK_BYTE_COUNT_SUBR(padcnt);
11794 COUNT_BYTES_SUBR(padcnt);
11798 proto_item_append_text(item, " File: %s", fn);
11799 proto_item_set_len(item, offset-old_offset);
11806 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11807 int offset, guint16 *bcp, gboolean *trunc)
11809 int fn_len, sfn_len;
11810 const char *fn, *sfn;
11811 int old_offset = offset;
11812 proto_item *item = NULL;
11813 proto_tree *tree = NULL;
11818 si = (smb_info_t *)pinfo->private_data;
11821 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11822 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11823 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11827 * XXX - I have not seen any of these that contain a resume
11828 * key, even though some of the requests had the "return resume
11832 /* next entry offset */
11833 CHECK_BYTE_COUNT_SUBR(4);
11834 neo = tvb_get_letohl(tvb, offset);
11835 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11836 COUNT_BYTES_SUBR(4);
11839 CHECK_BYTE_COUNT_SUBR(4);
11840 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11841 COUNT_BYTES_SUBR(4);
11844 CHECK_BYTE_COUNT_SUBR(8);
11845 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
11849 CHECK_BYTE_COUNT_SUBR(8);
11850 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
11853 /* last write time */
11854 CHECK_BYTE_COUNT_SUBR(8);
11855 offset = dissect_smb_64bit_time(tvb, tree, offset,
11856 hf_smb_last_write_time);
11859 /* last change time */
11860 CHECK_BYTE_COUNT_SUBR(8);
11861 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
11865 CHECK_BYTE_COUNT_SUBR(8);
11866 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11867 COUNT_BYTES_SUBR(8);
11869 /* allocation size */
11870 CHECK_BYTE_COUNT_SUBR(8);
11871 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11872 COUNT_BYTES_SUBR(8);
11874 /* Extended File Attributes */
11875 CHECK_BYTE_COUNT_SUBR(4);
11876 offset = dissect_file_ext_attr(tvb, tree, offset);
11879 /* file name len */
11880 CHECK_BYTE_COUNT_SUBR(4);
11881 fn_len = tvb_get_letohl(tvb, offset);
11882 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11883 COUNT_BYTES_SUBR(4);
11886 CHECK_BYTE_COUNT_SUBR(4);
11887 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
11888 COUNT_BYTES_SUBR(4);
11890 /* short file name len */
11891 CHECK_BYTE_COUNT_SUBR(1);
11892 sfn_len = tvb_get_guint8(tvb, offset);
11893 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
11894 COUNT_BYTES_SUBR(1);
11896 /* reserved byte */
11897 CHECK_BYTE_COUNT_SUBR(1);
11898 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11899 COUNT_BYTES_SUBR(1);
11901 /* short file name */
11902 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
11903 CHECK_STRING_SUBR(sfn);
11904 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
11906 COUNT_BYTES_SUBR(24);
11909 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11910 CHECK_STRING_SUBR(fn);
11911 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11913 COUNT_BYTES_SUBR(fn_len);
11915 if (check_col(pinfo->cinfo, COL_INFO)) {
11916 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11920 /* skip to next structure */
11922 padcnt = (old_offset + neo) - offset;
11925 * XXX - this is bogus; flag it?
11930 CHECK_BYTE_COUNT_SUBR(padcnt);
11931 COUNT_BYTES_SUBR(padcnt);
11935 proto_item_append_text(item, " File: %s", fn);
11936 proto_item_set_len(item, offset-old_offset);
11943 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11944 int offset, guint16 *bcp, gboolean *trunc)
11948 int old_offset = offset;
11949 proto_item *item = NULL;
11950 proto_tree *tree = NULL;
11955 si = (smb_info_t *)pinfo->private_data;
11958 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11959 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11960 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11964 * We assume that the presence of a next entry offset implies the
11965 * absence of a resume key, as appears to be the case for 4.3.4.6.
11968 /* next entry offset */
11969 CHECK_BYTE_COUNT_SUBR(4);
11970 neo = tvb_get_letohl(tvb, offset);
11971 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11972 COUNT_BYTES_SUBR(4);
11975 CHECK_BYTE_COUNT_SUBR(4);
11976 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11977 COUNT_BYTES_SUBR(4);
11979 /* file name len */
11980 CHECK_BYTE_COUNT_SUBR(4);
11981 fn_len = tvb_get_letohl(tvb, offset);
11982 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11983 COUNT_BYTES_SUBR(4);
11986 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11987 CHECK_STRING_SUBR(fn);
11988 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11990 COUNT_BYTES_SUBR(fn_len);
11992 if (check_col(pinfo->cinfo, COL_INFO)) {
11993 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11997 /* skip to next structure */
11999 padcnt = (old_offset + neo) - offset;
12002 * XXX - this is bogus; flag it?
12007 CHECK_BYTE_COUNT_SUBR(padcnt);
12008 COUNT_BYTES_SUBR(padcnt);
12012 proto_item_append_text(item, " File: %s", fn);
12013 proto_item_set_len(item, offset-old_offset);
12020 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
12021 proto_tree *parent_tree _U_, int offset, guint16 *bcp,
12024 /*XXX im lazy. i havnt implemented this */
12031 /*dissect the data block for TRANS2_FIND_FIRST2*/
12033 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
12034 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
12042 si = (smb_info_t *)pinfo->private_data;
12043 switch(si->info_level){
12044 case 1: /*Info Standard*/
12045 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
12048 case 2: /*Info Query EA Size*/
12049 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12052 case 3: /*Info Query EAs From List same as
12054 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
12057 case 0x0101: /*Find File Directory Info*/
12058 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
12061 case 0x0102: /*Find File Full Directory Info*/
12062 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
12065 case 0x0103: /*Find File Names Info*/
12066 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
12069 case 0x0104: /*Find File Both Directory Info*/
12070 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
12073 case 0x0202: /*Find File UNIX*/
12074 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
12077 default: /* unknown info level */
12086 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12089 proto_item *item = NULL;
12090 proto_tree *tree = NULL;
12092 mask = tvb_get_letohl(tvb, offset);
12095 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12096 "FS Attributes: 0x%08x", mask);
12097 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
12100 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
12101 tvb, offset, 4, mask);
12102 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
12103 tvb, offset, 4, mask);
12104 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
12105 tvb, offset, 4, mask);
12106 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
12107 tvb, offset, 4, mask);
12108 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
12109 tvb, offset, 4, mask);
12110 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
12111 tvb, offset, 4, mask);
12112 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
12113 tvb, offset, 4, mask);
12121 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
12124 proto_item *item = NULL;
12125 proto_tree *tree = NULL;
12127 mask = tvb_get_letohl(tvb, offset);
12130 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
12131 "Device Characteristics: 0x%08x", mask);
12132 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
12135 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
12136 tvb, offset, 4, mask);
12137 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
12138 tvb, offset, 4, mask);
12139 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
12140 tvb, offset, 4, mask);
12141 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
12142 tvb, offset, 4, mask);
12143 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
12144 tvb, offset, 4, mask);
12145 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
12146 tvb, offset, 4, mask);
12147 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
12148 tvb, offset, 4, mask);
12154 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
12156 static const true_false_string tfs_smb_mac_access_ctrl = {
12157 "Macintosh Access Control Supported",
12158 "Macintosh Access Control Not Supported"
12161 static const true_false_string tfs_smb_mac_getset_comments = {
12162 "Macintosh Get & Set Comments Supported",
12163 "Macintosh Get & Set Comments Not Supported"
12166 static const true_false_string tfs_smb_mac_desktopdb_calls = {
12167 "Macintosh Get & Set Desktop Database Info Supported",
12168 "Macintosh Get & Set Desktop Database Info Supported"
12171 static const true_false_string tfs_smb_mac_unique_ids = {
12172 "Macintosh Unique IDs Supported",
12173 "Macintosh Unique IDs Not Supported"
12176 static const true_false_string tfs_smb_mac_streams = {
12177 "Macintosh and Streams Extensions Not Supported",
12178 "Macintosh and Streams Extensions Supported"
12182 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
12183 int offset, guint16 *bcp)
12186 int fn_len, vll, fnl;
12189 proto_item *item = NULL;
12190 proto_tree *ti = NULL;
12196 si = (smb_info_t *)pinfo->private_data;
12197 switch(si->info_level){
12198 case 1: /* SMB_INFO_ALLOCATION */
12199 /* filesystem id */
12200 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12201 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
12202 COUNT_BYTES_TRANS_SUBR(4);
12204 /* sectors per unit */
12205 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12206 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12207 COUNT_BYTES_TRANS_SUBR(4);
12210 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12211 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
12212 COUNT_BYTES_TRANS_SUBR(4);
12215 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12216 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
12217 COUNT_BYTES_TRANS_SUBR(4);
12219 /* bytes per sector, only 16bit integer here */
12220 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12221 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12222 COUNT_BYTES_TRANS_SUBR(2);
12225 case 2: /* SMB_INFO_VOLUME */
12226 /* volume serial number */
12227 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12228 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12229 COUNT_BYTES_TRANS_SUBR(4);
12231 /* volume label length, only one byte here */
12232 CHECK_BYTE_COUNT_TRANS_SUBR(1);
12233 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
12234 COUNT_BYTES_TRANS_SUBR(1);
12237 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
12238 CHECK_STRING_TRANS_SUBR(fn);
12239 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12241 COUNT_BYTES_TRANS_SUBR(fn_len);
12244 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
12245 case 1001: /* SMB_FS_LABEL_INFORMATION */
12246 /* volume label length */
12247 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12248 vll = tvb_get_letohl(tvb, offset);
12249 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12250 COUNT_BYTES_TRANS_SUBR(4);
12254 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12255 CHECK_STRING_TRANS_SUBR(fn);
12256 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12258 COUNT_BYTES_TRANS_SUBR(fn_len);
12261 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
12262 case 1002: /* SMB_FS_VOLUME_INFORMATION */
12264 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12265 offset = dissect_smb_64bit_time(tvb, tree, offset,
12266 hf_smb_create_time);
12269 /* volume serial number */
12270 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12271 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
12272 COUNT_BYTES_TRANS_SUBR(4);
12274 /* volume label length */
12275 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12276 vll = tvb_get_letohl(tvb, offset);
12277 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
12278 COUNT_BYTES_TRANS_SUBR(4);
12280 /* 2 reserved bytes */
12281 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12282 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12283 COUNT_BYTES_TRANS_SUBR(2);
12287 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12288 CHECK_STRING_TRANS_SUBR(fn);
12289 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
12291 COUNT_BYTES_TRANS_SUBR(fn_len);
12294 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
12295 case 1003: /* SMB_FS_SIZE_INFORMATION */
12296 /* allocation size */
12297 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12298 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12299 COUNT_BYTES_TRANS_SUBR(8);
12301 /* free allocation units */
12302 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12303 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
12304 COUNT_BYTES_TRANS_SUBR(8);
12306 /* sectors per unit */
12307 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12308 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12309 COUNT_BYTES_TRANS_SUBR(4);
12311 /* bytes per sector */
12312 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12313 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12314 COUNT_BYTES_TRANS_SUBR(4);
12317 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
12318 case 1004: /* SMB_FS_DEVICE_INFORMATION */
12320 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12321 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
12322 COUNT_BYTES_TRANS_SUBR(4);
12324 /* device characteristics */
12325 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12326 offset = dissect_device_characteristics(tvb, tree, offset);
12330 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
12331 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
12332 /* FS attributes */
12333 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12334 offset = dissect_fs_attributes(tvb, tree, offset);
12338 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12339 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
12340 COUNT_BYTES_TRANS_SUBR(4);
12342 /* fs name length */
12343 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12344 fnl = tvb_get_letohl(tvb, offset);
12345 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
12346 COUNT_BYTES_TRANS_SUBR(4);
12350 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12351 CHECK_STRING_TRANS_SUBR(fn);
12352 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
12354 COUNT_BYTES_TRANS_SUBR(fn_len);
12357 case 0x301: /* MAC_QUERY_FS_INFO */
12359 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12360 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12363 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12364 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_modify_time);
12367 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12368 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_backup_time);
12370 /* Allocation blocks */
12371 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12372 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
12375 COUNT_BYTES_TRANS_SUBR(4);
12376 /* Allocation Block Size */
12377 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12378 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
12380 COUNT_BYTES_TRANS_SUBR(4);
12381 /* Free Block Count */
12382 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12383 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
12385 COUNT_BYTES_TRANS_SUBR(4);
12386 /* Finder Info ... */
12387 CHECK_BYTE_COUNT_TRANS_SUBR(32);
12388 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
12390 tvb_get_ptr(tvb, offset,32),
12392 tvb_format_text(tvb, offset, 32));
12393 COUNT_BYTES_TRANS_SUBR(32);
12395 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12396 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
12398 COUNT_BYTES_TRANS_SUBR(4);
12399 /* Number of Root Directories */
12400 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12401 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
12403 COUNT_BYTES_TRANS_SUBR(4);
12404 /* Number of files */
12405 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12406 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
12408 COUNT_BYTES_TRANS_SUBR(4);
12410 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12411 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
12413 COUNT_BYTES_TRANS_SUBR(4);
12414 /* Mac Support Flags */
12415 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12416 support = tvb_get_ntohl(tvb, offset);
12417 item = proto_tree_add_text(tree, tvb, offset, 4,
12418 "Mac Support Flags: 0x%08x", support);
12419 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
12420 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
12421 tvb, offset, 4, support);
12422 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
12423 tvb, offset, 4, support);
12424 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
12425 tvb, offset, 4, support);
12426 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
12427 tvb, offset, 4, support);
12428 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
12429 tvb, offset, 4, support);
12430 COUNT_BYTES_TRANS_SUBR(4);
12432 case 1006: /* QUERY_FS_QUOTA_INFO */
12433 offset = dissect_nt_quota(tvb, tree, offset, bcp);
12435 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
12436 /* allocation size */
12437 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12438 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12439 COUNT_BYTES_TRANS_SUBR(8);
12441 /* caller free allocation units */
12442 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12443 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
12444 COUNT_BYTES_TRANS_SUBR(8);
12446 /* actual free allocation units */
12447 CHECK_BYTE_COUNT_TRANS_SUBR(8);
12448 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
12449 COUNT_BYTES_TRANS_SUBR(8);
12451 /* sectors per unit */
12452 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12453 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
12454 COUNT_BYTES_TRANS_SUBR(4);
12456 /* bytes per sector */
12457 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12458 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
12459 COUNT_BYTES_TRANS_SUBR(4);
12467 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
12468 proto_tree *parent_tree)
12470 proto_item *item = NULL;
12471 proto_tree *tree = NULL;
12473 smb_transact2_info_t *t2i;
12479 dc = tvb_reported_length(tvb);
12481 si = (smb_info_t *)pinfo->private_data;
12482 if (si->sip != NULL)
12483 t2i = si->sip->extra_info;
12488 if (t2i != NULL && t2i->subcmd != -1) {
12489 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12491 val_to_str(t2i->subcmd, trans2_cmd_vals,
12492 "Unknown (0x%02x)"));
12493 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
12495 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
12496 "Unknown Transaction2 Data");
12504 switch(t2i->subcmd){
12505 case 0x00: /*TRANS2_OPEN2*/
12506 /* XXX not implemented yet. See SNIA doc */
12508 case 0x01: /*TRANS2_FIND_FIRST2*/
12509 /* returned data */
12510 count = si->info_count;
12512 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12513 col_append_fstr(pinfo->cinfo, COL_INFO,
12518 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12519 offset, &dc, &trunc);
12524 case 0x02: /*TRANS2_FIND_NEXT2*/
12525 /* returned data */
12526 count = si->info_count;
12528 if (count && check_col(pinfo->cinfo, COL_INFO)) {
12529 col_append_fstr(pinfo->cinfo, COL_INFO,
12534 offset = dissect_ff2_response_data(tvb, pinfo, tree,
12535 offset, &dc, &trunc);
12540 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
12541 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
12543 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
12544 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12546 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
12547 /* no data in this response */
12549 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
12550 /* identical to QUERY_PATH_INFO */
12551 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
12553 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
12554 /* no data in this response */
12556 case 0x09: /*TRANS2_FSCTL*/
12557 /* XXX dont know how to dissect this one (yet)*/
12560 * XXX - "Microsoft Networks SMB File Sharing Protocol
12561 * Extensions Version 3.0, Document Version 1.11,
12562 * July 19, 1990" says this this contains a
12563 * "File system specific return data block".
12564 * (That means we may not be able to dissect it in any
12568 case 0x0a: /*TRANS2_IOCTL2*/
12569 /* XXX dont know how to dissect this one (yet)*/
12572 * XXX - "Microsoft Networks SMB File Sharing Protocol
12573 * Extensions Version 3.0, Document Version 1.11,
12574 * July 19, 1990" says this this contains a
12575 * "Device/function specific return data block".
12576 * (That means we may not be able to dissect it in any
12580 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
12581 /* XXX dont know how to dissect this one (yet)*/
12584 * XXX - "Microsoft Networks SMB File Sharing Protocol
12585 * Extensions Version 3.0, Document Version 1.11,
12586 * July 19, 1990" says this this contains "the level
12587 * dependent information about the changes which
12591 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
12592 /* XXX dont know how to dissect this one (yet)*/
12595 * XXX - "Microsoft Networks SMB File Sharing Protocol
12596 * Extensions Version 3.0, Document Version 1.11,
12597 * July 19, 1990" says this this contains "the level
12598 * dependent information about the changes which
12602 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
12603 /* no data in this response */
12605 case 0x0e: /*TRANS2_SESSION_SETUP*/
12606 /* XXX dont know how to dissect this one (yet)*/
12608 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
12609 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
12611 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
12612 /* the SNIA spec appears to say the response has no data */
12616 * We don't know what the matching request was; don't
12617 * bother putting anything else into the tree for the data.
12624 /* ooops there were data we didnt know how to process */
12626 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
12635 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
12637 proto_item *item = NULL;
12638 proto_tree *tree = NULL;
12640 smb_transact2_info_t *t2i;
12646 pc = tvb_reported_length(tvb);
12648 si = (smb_info_t *)pinfo->private_data;
12649 if (si->sip != NULL)
12650 t2i = si->sip->extra_info;
12655 if (t2i != NULL && t2i->subcmd != -1) {
12656 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
12658 val_to_str(t2i->subcmd, trans2_cmd_vals,
12659 "Unknown (0x%02x)"));
12660 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
12662 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
12663 "Unknown Transaction2 Parameters");
12671 switch(t2i->subcmd){
12672 case 0x00: /*TRANS2_OPEN2*/
12674 fid = tvb_get_letohs(tvb, offset);
12675 add_fid(tvb, pinfo, tree, offset, 2, fid);
12679 * XXX - Microsoft Networks SMB File Sharing Protocol
12680 * Extensions Version 3.0, Document Version 1.11,
12681 * July 19, 1990 says that the file attributes, create
12682 * time (which it says is the last modification time),
12683 * data size, granted access, file type, and IPC state
12684 * are returned only if bit 0 is set in the open flags,
12685 * and that the EA length is returned only if bit 3
12686 * is set in the open flags. Does that mean that,
12687 * at least in that SMB dialect, those fields are not
12688 * present in the reply parameters if the bits in
12689 * question aren't set?
12692 /* File Attributes */
12693 offset = dissect_file_attributes(tvb, tree, offset);
12696 offset = dissect_smb_datetime(tvb, tree, offset,
12697 hf_smb_create_time,
12698 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
12701 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
12704 /* granted access */
12705 offset = dissect_access(tvb, tree, offset, "Granted");
12708 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
12712 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
12715 offset = dissect_open_action(tvb, tree, offset);
12717 /* server unique file ID */
12718 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
12721 /* ea error offset, only a 16 bit integer here */
12722 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12726 proto_tree_add_item(tree, hf_smb_ea_length, tvb, offset, 4, TRUE);
12730 case 0x01: /*TRANS2_FIND_FIRST2*/
12731 /* Find First2 information level */
12732 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
12735 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
12739 si->info_count = tvb_get_letohs(tvb, offset);
12740 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
12743 /* end of search */
12744 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
12747 /* ea error offset, only a 16 bit integer here */
12748 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12751 /* last name offset */
12752 lno = tvb_get_letohs(tvb, offset);
12753 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
12757 case 0x02: /*TRANS2_FIND_NEXT2*/
12759 si->info_count = tvb_get_letohs(tvb, offset);
12760 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
12763 /* end of search */
12764 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
12767 /* ea_error_offset, only a 16 bit integer here*/
12768 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12771 /* last name offset */
12772 lno = tvb_get_letohs(tvb, offset);
12773 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
12777 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
12778 /* no parameter block here */
12780 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
12781 /* ea_error_offset, only a 16 bit integer here*/
12782 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12786 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
12787 /* ea_error_offset, only a 16 bit integer here*/
12788 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12792 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
12793 /* ea_error_offset, only a 16 bit integer here*/
12794 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12798 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
12799 /* ea_error_offset, only a 16 bit integer here*/
12800 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12804 case 0x09: /*TRANS2_FSCTL*/
12805 /* XXX dont know how to dissect this one (yet)*/
12808 * XXX - "Microsoft Networks SMB File Sharing Protocol
12809 * Extensions Version 3.0, Document Version 1.11,
12810 * July 19, 1990" says this this contains a
12811 * "File system specific return parameter block".
12812 * (That means we may not be able to dissect it in any
12816 case 0x0a: /*TRANS2_IOCTL2*/
12817 /* XXX dont know how to dissect this one (yet)*/
12820 * XXX - "Microsoft Networks SMB File Sharing Protocol
12821 * Extensions Version 3.0, Document Version 1.11,
12822 * July 19, 1990" says this this contains a
12823 * "Device/function specific return parameter block".
12824 * (That means we may not be able to dissect it in any
12828 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
12829 /* Find Notify information level */
12830 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
12832 /* Monitor handle */
12833 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
12837 si->info_count = tvb_get_letohs(tvb, offset);
12838 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
12841 /* ea_error_offset, only a 16 bit integer here*/
12842 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12846 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
12847 /* Find Notify information level */
12848 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
12851 si->info_count = tvb_get_letohs(tvb, offset);
12852 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
12855 /* ea_error_offset, only a 16 bit integer here*/
12856 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12860 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
12861 /* ea error offset, only a 16 bit integer here */
12862 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12866 case 0x0e: /*TRANS2_SESSION_SETUP*/
12867 /* XXX dont know how to dissect this one (yet)*/
12869 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
12870 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
12872 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
12873 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
12877 * We don't know what the matching request was; don't
12878 * bother putting anything else into the tree for the data.
12884 /* ooops there were data we didnt know how to process */
12886 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
12887 offset += pc-offset;
12893 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
12896 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
12898 smb_transact2_info_t *t2i = NULL;
12901 gboolean dissected_trans;
12902 fragment_data *r_fd = NULL;
12903 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
12904 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
12905 gboolean save_fragmented;
12907 si = (smb_info_t *)pinfo->private_data;
12910 case SMB_COM_TRANSACTION2:
12912 if (si->sip != NULL) {
12913 t2i = si->sip->extra_info;
12918 * We didn't see the matching request, so we don't
12919 * know what type of transaction this is.
12921 proto_tree_add_text(tree, tvb, 0, 0,
12922 "Subcommand: <UNKNOWN> since request packet wasn't seen");
12923 if (check_col(pinfo->cinfo, COL_INFO)) {
12924 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
12927 si->info_level = t2i->info_level;
12928 if (t2i->subcmd == -1) {
12930 * We didn't manage to extract the subcommand
12931 * from the matching request (perhaps because
12932 * the frame was short), so we don't know what
12933 * type of transaction this is.
12935 proto_tree_add_text(tree, tvb, 0, 0,
12936 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
12937 if (check_col(pinfo->cinfo, COL_INFO)) {
12938 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
12941 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
12942 if (check_col(pinfo->cinfo, COL_INFO)) {
12943 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12944 val_to_str(t2i->subcmd,
12946 "<unknown (0x%02x)>"));
12955 /* total param count, only a 16bit integer here */
12956 tp = tvb_get_letohs(tvb, offset);
12957 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
12960 /* total data count, only a 16 bit integer here */
12961 td = tvb_get_letohs(tvb, offset);
12962 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
12965 /* 2 reserved bytes */
12966 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12970 pc = tvb_get_letohs(tvb, offset);
12971 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
12975 po = tvb_get_letohs(tvb, offset);
12976 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
12980 pd = tvb_get_letohs(tvb, offset);
12981 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
12985 dc = tvb_get_letohs(tvb, offset);
12986 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
12990 od = tvb_get_letohs(tvb, offset);
12991 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
12995 dd = tvb_get_letohs(tvb, offset);
12996 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
13000 sc = tvb_get_guint8(tvb, offset);
13001 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
13004 /* reserved byte */
13005 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
13009 /* if there were any setup bytes, put them in a tvb for later */
13011 if((2*sc)>tvb_length_remaining(tvb, offset)){
13012 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
13014 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
13016 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
13027 /* reassembly of SMB Transaction data payload.
13028 In this section we do reassembly of both the data and parameters
13029 blocks of the SMB transaction command.
13031 save_fragmented = pinfo->fragmented;
13032 /* do we need reassembly? */
13033 if( (td!=dc) || (tp!=pc) ){
13034 /* oh yeah, either data or parameter section needs
13037 pinfo->fragmented = TRUE;
13038 if(smb_trans_reassembly){
13039 /* ...and we were told to do reassembly */
13040 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
13041 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13042 po, pc, pd, td+tp);
13045 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
13046 r_fd = smb_trans_defragment(tree, pinfo, tvb,
13047 od, dc, dd+tp, td+tp);
13052 /* if we got a reassembled fd structure from the reassembly routine we must
13053 create pd_tvb from it
13056 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
13058 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
13059 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
13060 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
13065 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
13067 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
13070 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
13073 /* It was not reassembled. Do as best as we can.
13074 * in this case we always try to dissect the stuff if
13075 * data and param displacement is 0. i.e. for the first
13076 * (and maybe only) packet.
13078 if( (pd==0) && (dd==0) ){
13081 min = MIN(pc,tvb_length_remaining(tvb,po));
13082 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
13083 if(min && reported_min) {
13084 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
13086 min = MIN(dc,tvb_length_remaining(tvb,od));
13087 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
13088 if(min && reported_min) {
13089 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
13092 * A tvbuff containing the parameters
13094 * XXX - check pc and dc as well?
13096 if (tvb_length_remaining(tvb, po)){
13097 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
13106 /* We have some padding bytes.
13108 padcnt = po-offset;
13111 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13112 COUNT_BYTES(padcnt);
13114 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
13115 /* TRANSACTION2 parameters*/
13116 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
13123 /* We have some initial padding bytes.
13125 padcnt = od-offset;
13128 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
13129 COUNT_BYTES(padcnt);
13132 * If the data count is bigger than the count of bytes
13133 * remaining, clamp it so that the count of bytes remaining
13134 * doesn't go negative.
13142 /* from now on, everything is in separate tvbuffs so we dont count
13143 the bytes with COUNT_BYTES any more.
13144 neither do we reference offset any more (which by now points to the
13145 first byte AFTER this PDU */
13148 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
13149 /* TRANSACTION2 parameters*/
13150 dissect_transaction2_response_data(d_tvb, pinfo, tree);
13154 if(si->cmd==SMB_COM_TRANSACTION){
13155 smb_transact_info_t *tri;
13157 dissected_trans = FALSE;
13158 if (si->sip != NULL)
13159 tri = si->sip->extra_info;
13163 switch(tri->subcmd){
13165 case TRANSACTION_PIPE:
13166 /* This function is safe to call for
13167 s_tvb==sp_tvb==NULL, i.e. if we don't
13168 know them at this point.
13169 It's also safe to call if "p_tvb"
13170 or "d_tvb" are null.
13173 dissected_trans = dissect_pipe_smb(
13174 sp_tvb, s_tvb, pd_tvb, p_tvb,
13175 d_tvb, NULL, pinfo, top_tree);
13179 case TRANSACTION_MAILSLOT:
13180 /* This one should be safe to call
13181 even if s_tvb and sp_tvb is NULL
13184 dissected_trans = dissect_mailslot_smb(
13185 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
13191 if (!dissected_trans) {
13192 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
13193 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
13198 if( (p_tvb==0) && (d_tvb==0) ){
13199 if(check_col(pinfo->cinfo, COL_INFO)){
13200 col_append_str(pinfo->cinfo, COL_INFO,
13201 "[transact continuation]");
13205 pinfo->fragmented = save_fragmented;
13213 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13220 /* Monitor handle */
13221 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13231 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13232 END Transaction/Transaction2 Primary and secondary requests
13233 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
13237 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
13245 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
13252 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
13262 typedef struct _smb_function {
13263 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13264 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13267 static smb_function smb_dissector[256] = {
13268 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
13269 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
13270 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
13271 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
13272 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
13273 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
13274 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
13275 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
13276 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
13277 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
13278 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
13279 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
13280 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
13281 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
13282 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
13283 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
13285 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
13286 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
13287 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
13288 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
13289 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
13290 /* 0x15 */ {dissect_unknown, dissect_unknown},
13291 /* 0x16 */ {dissect_unknown, dissect_unknown},
13292 /* 0x17 */ {dissect_unknown, dissect_unknown},
13293 /* 0x18 */ {dissect_unknown, dissect_unknown},
13294 /* 0x19 */ {dissect_unknown, dissect_unknown},
13295 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
13296 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
13297 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
13298 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
13299 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
13300 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
13302 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
13303 /* 0x21 */ {dissect_unknown, dissect_unknown},
13304 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
13305 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
13306 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
13307 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
13308 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13309 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
13310 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
13311 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
13312 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
13313 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
13314 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
13315 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
13316 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
13317 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
13319 /* 0x30 */ {dissect_unknown, dissect_unknown},
13320 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
13321 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
13322 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
13323 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
13324 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
13325 /* 0x36 */ {dissect_unknown, dissect_unknown},
13326 /* 0x37 */ {dissect_unknown, dissect_unknown},
13327 /* 0x38 */ {dissect_unknown, dissect_unknown},
13328 /* 0x39 */ {dissect_unknown, dissect_unknown},
13329 /* 0x3a */ {dissect_unknown, dissect_unknown},
13330 /* 0x3b */ {dissect_unknown, dissect_unknown},
13331 /* 0x3c */ {dissect_unknown, dissect_unknown},
13332 /* 0x3d */ {dissect_unknown, dissect_unknown},
13333 /* 0x3e */ {dissect_unknown, dissect_unknown},
13334 /* 0x3f */ {dissect_unknown, dissect_unknown},
13336 /* 0x40 */ {dissect_unknown, dissect_unknown},
13337 /* 0x41 */ {dissect_unknown, dissect_unknown},
13338 /* 0x42 */ {dissect_unknown, dissect_unknown},
13339 /* 0x43 */ {dissect_unknown, dissect_unknown},
13340 /* 0x44 */ {dissect_unknown, dissect_unknown},
13341 /* 0x45 */ {dissect_unknown, dissect_unknown},
13342 /* 0x46 */ {dissect_unknown, dissect_unknown},
13343 /* 0x47 */ {dissect_unknown, dissect_unknown},
13344 /* 0x48 */ {dissect_unknown, dissect_unknown},
13345 /* 0x49 */ {dissect_unknown, dissect_unknown},
13346 /* 0x4a */ {dissect_unknown, dissect_unknown},
13347 /* 0x4b */ {dissect_unknown, dissect_unknown},
13348 /* 0x4c */ {dissect_unknown, dissect_unknown},
13349 /* 0x4d */ {dissect_unknown, dissect_unknown},
13350 /* 0x4e */ {dissect_unknown, dissect_unknown},
13351 /* 0x4f */ {dissect_unknown, dissect_unknown},
13353 /* 0x50 */ {dissect_unknown, dissect_unknown},
13354 /* 0x51 */ {dissect_unknown, dissect_unknown},
13355 /* 0x52 */ {dissect_unknown, dissect_unknown},
13356 /* 0x53 */ {dissect_unknown, dissect_unknown},
13357 /* 0x54 */ {dissect_unknown, dissect_unknown},
13358 /* 0x55 */ {dissect_unknown, dissect_unknown},
13359 /* 0x56 */ {dissect_unknown, dissect_unknown},
13360 /* 0x57 */ {dissect_unknown, dissect_unknown},
13361 /* 0x58 */ {dissect_unknown, dissect_unknown},
13362 /* 0x59 */ {dissect_unknown, dissect_unknown},
13363 /* 0x5a */ {dissect_unknown, dissect_unknown},
13364 /* 0x5b */ {dissect_unknown, dissect_unknown},
13365 /* 0x5c */ {dissect_unknown, dissect_unknown},
13366 /* 0x5d */ {dissect_unknown, dissect_unknown},
13367 /* 0x5e */ {dissect_unknown, dissect_unknown},
13368 /* 0x5f */ {dissect_unknown, dissect_unknown},
13370 /* 0x60 */ {dissect_unknown, dissect_unknown},
13371 /* 0x61 */ {dissect_unknown, dissect_unknown},
13372 /* 0x62 */ {dissect_unknown, dissect_unknown},
13373 /* 0x63 */ {dissect_unknown, dissect_unknown},
13374 /* 0x64 */ {dissect_unknown, dissect_unknown},
13375 /* 0x65 */ {dissect_unknown, dissect_unknown},
13376 /* 0x66 */ {dissect_unknown, dissect_unknown},
13377 /* 0x67 */ {dissect_unknown, dissect_unknown},
13378 /* 0x68 */ {dissect_unknown, dissect_unknown},
13379 /* 0x69 */ {dissect_unknown, dissect_unknown},
13380 /* 0x6a */ {dissect_unknown, dissect_unknown},
13381 /* 0x6b */ {dissect_unknown, dissect_unknown},
13382 /* 0x6c */ {dissect_unknown, dissect_unknown},
13383 /* 0x6d */ {dissect_unknown, dissect_unknown},
13384 /* 0x6e */ {dissect_unknown, dissect_unknown},
13385 /* 0x6f */ {dissect_unknown, dissect_unknown},
13387 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
13388 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
13389 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
13390 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
13391 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
13392 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
13393 /* 0x76 */ {dissect_unknown, dissect_unknown},
13394 /* 0x77 */ {dissect_unknown, dissect_unknown},
13395 /* 0x78 */ {dissect_unknown, dissect_unknown},
13396 /* 0x79 */ {dissect_unknown, dissect_unknown},
13397 /* 0x7a */ {dissect_unknown, dissect_unknown},
13398 /* 0x7b */ {dissect_unknown, dissect_unknown},
13399 /* 0x7c */ {dissect_unknown, dissect_unknown},
13400 /* 0x7d */ {dissect_unknown, dissect_unknown},
13401 /* 0x7e */ {dissect_unknown, dissect_unknown},
13402 /* 0x7f */ {dissect_unknown, dissect_unknown},
13404 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
13405 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
13406 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
13407 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
13408 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
13409 /* 0x85 */ {dissect_unknown, dissect_unknown},
13410 /* 0x86 */ {dissect_unknown, dissect_unknown},
13411 /* 0x87 */ {dissect_unknown, dissect_unknown},
13412 /* 0x88 */ {dissect_unknown, dissect_unknown},
13413 /* 0x89 */ {dissect_unknown, dissect_unknown},
13414 /* 0x8a */ {dissect_unknown, dissect_unknown},
13415 /* 0x8b */ {dissect_unknown, dissect_unknown},
13416 /* 0x8c */ {dissect_unknown, dissect_unknown},
13417 /* 0x8d */ {dissect_unknown, dissect_unknown},
13418 /* 0x8e */ {dissect_unknown, dissect_unknown},
13419 /* 0x8f */ {dissect_unknown, dissect_unknown},
13421 /* 0x90 */ {dissect_unknown, dissect_unknown},
13422 /* 0x91 */ {dissect_unknown, dissect_unknown},
13423 /* 0x92 */ {dissect_unknown, dissect_unknown},
13424 /* 0x93 */ {dissect_unknown, dissect_unknown},
13425 /* 0x94 */ {dissect_unknown, dissect_unknown},
13426 /* 0x95 */ {dissect_unknown, dissect_unknown},
13427 /* 0x96 */ {dissect_unknown, dissect_unknown},
13428 /* 0x97 */ {dissect_unknown, dissect_unknown},
13429 /* 0x98 */ {dissect_unknown, dissect_unknown},
13430 /* 0x99 */ {dissect_unknown, dissect_unknown},
13431 /* 0x9a */ {dissect_unknown, dissect_unknown},
13432 /* 0x9b */ {dissect_unknown, dissect_unknown},
13433 /* 0x9c */ {dissect_unknown, dissect_unknown},
13434 /* 0x9d */ {dissect_unknown, dissect_unknown},
13435 /* 0x9e */ {dissect_unknown, dissect_unknown},
13436 /* 0x9f */ {dissect_unknown, dissect_unknown},
13438 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13439 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
13440 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
13441 /* 0xa3 */ {dissect_unknown, dissect_unknown},
13442 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
13443 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
13444 /* 0xa6 */ {dissect_unknown, dissect_unknown},
13445 /* 0xa7 */ {dissect_unknown, dissect_unknown},
13446 /* 0xa8 */ {dissect_unknown, dissect_unknown},
13447 /* 0xa9 */ {dissect_unknown, dissect_unknown},
13448 /* 0xaa */ {dissect_unknown, dissect_unknown},
13449 /* 0xab */ {dissect_unknown, dissect_unknown},
13450 /* 0xac */ {dissect_unknown, dissect_unknown},
13451 /* 0xad */ {dissect_unknown, dissect_unknown},
13452 /* 0xae */ {dissect_unknown, dissect_unknown},
13453 /* 0xaf */ {dissect_unknown, dissect_unknown},
13455 /* 0xb0 */ {dissect_unknown, dissect_unknown},
13456 /* 0xb1 */ {dissect_unknown, dissect_unknown},
13457 /* 0xb2 */ {dissect_unknown, dissect_unknown},
13458 /* 0xb3 */ {dissect_unknown, dissect_unknown},
13459 /* 0xb4 */ {dissect_unknown, dissect_unknown},
13460 /* 0xb5 */ {dissect_unknown, dissect_unknown},
13461 /* 0xb6 */ {dissect_unknown, dissect_unknown},
13462 /* 0xb7 */ {dissect_unknown, dissect_unknown},
13463 /* 0xb8 */ {dissect_unknown, dissect_unknown},
13464 /* 0xb9 */ {dissect_unknown, dissect_unknown},
13465 /* 0xba */ {dissect_unknown, dissect_unknown},
13466 /* 0xbb */ {dissect_unknown, dissect_unknown},
13467 /* 0xbc */ {dissect_unknown, dissect_unknown},
13468 /* 0xbd */ {dissect_unknown, dissect_unknown},
13469 /* 0xbe */ {dissect_unknown, dissect_unknown},
13470 /* 0xbf */ {dissect_unknown, dissect_unknown},
13472 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
13473 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
13474 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
13475 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
13476 /* 0xc4 */ {dissect_unknown, dissect_unknown},
13477 /* 0xc5 */ {dissect_unknown, dissect_unknown},
13478 /* 0xc6 */ {dissect_unknown, dissect_unknown},
13479 /* 0xc7 */ {dissect_unknown, dissect_unknown},
13480 /* 0xc8 */ {dissect_unknown, dissect_unknown},
13481 /* 0xc9 */ {dissect_unknown, dissect_unknown},
13482 /* 0xca */ {dissect_unknown, dissect_unknown},
13483 /* 0xcb */ {dissect_unknown, dissect_unknown},
13484 /* 0xcc */ {dissect_unknown, dissect_unknown},
13485 /* 0xcd */ {dissect_unknown, dissect_unknown},
13486 /* 0xce */ {dissect_unknown, dissect_unknown},
13487 /* 0xcf */ {dissect_unknown, dissect_unknown},
13489 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
13490 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
13491 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
13492 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
13493 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
13494 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
13495 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
13496 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
13497 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
13498 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
13499 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
13500 /* 0xdb */ {dissect_unknown, dissect_unknown},
13501 /* 0xdc */ {dissect_unknown, dissect_unknown},
13502 /* 0xdd */ {dissect_unknown, dissect_unknown},
13503 /* 0xde */ {dissect_unknown, dissect_unknown},
13504 /* 0xdf */ {dissect_unknown, dissect_unknown},
13506 /* 0xe0 */ {dissect_unknown, dissect_unknown},
13507 /* 0xe1 */ {dissect_unknown, dissect_unknown},
13508 /* 0xe2 */ {dissect_unknown, dissect_unknown},
13509 /* 0xe3 */ {dissect_unknown, dissect_unknown},
13510 /* 0xe4 */ {dissect_unknown, dissect_unknown},
13511 /* 0xe5 */ {dissect_unknown, dissect_unknown},
13512 /* 0xe6 */ {dissect_unknown, dissect_unknown},
13513 /* 0xe7 */ {dissect_unknown, dissect_unknown},
13514 /* 0xe8 */ {dissect_unknown, dissect_unknown},
13515 /* 0xe9 */ {dissect_unknown, dissect_unknown},
13516 /* 0xea */ {dissect_unknown, dissect_unknown},
13517 /* 0xeb */ {dissect_unknown, dissect_unknown},
13518 /* 0xec */ {dissect_unknown, dissect_unknown},
13519 /* 0xed */ {dissect_unknown, dissect_unknown},
13520 /* 0xee */ {dissect_unknown, dissect_unknown},
13521 /* 0xef */ {dissect_unknown, dissect_unknown},
13523 /* 0xf0 */ {dissect_unknown, dissect_unknown},
13524 /* 0xf1 */ {dissect_unknown, dissect_unknown},
13525 /* 0xf2 */ {dissect_unknown, dissect_unknown},
13526 /* 0xf3 */ {dissect_unknown, dissect_unknown},
13527 /* 0xf4 */ {dissect_unknown, dissect_unknown},
13528 /* 0xf5 */ {dissect_unknown, dissect_unknown},
13529 /* 0xf6 */ {dissect_unknown, dissect_unknown},
13530 /* 0xf7 */ {dissect_unknown, dissect_unknown},
13531 /* 0xf8 */ {dissect_unknown, dissect_unknown},
13532 /* 0xf9 */ {dissect_unknown, dissect_unknown},
13533 /* 0xfa */ {dissect_unknown, dissect_unknown},
13534 /* 0xfb */ {dissect_unknown, dissect_unknown},
13535 /* 0xfc */ {dissect_unknown, dissect_unknown},
13536 /* 0xfd */ {dissect_unknown, dissect_unknown},
13537 /* 0xfe */ {dissect_unknown, dissect_unknown},
13538 /* 0xff */ {dissect_unknown, dissect_unknown},
13542 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
13544 int old_offset = offset;
13547 si = pinfo->private_data;
13549 proto_item *cmd_item;
13550 proto_tree *cmd_tree;
13551 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
13553 if (check_col(pinfo->cinfo, COL_INFO)) {
13555 col_append_fstr(pinfo->cinfo, COL_INFO,
13557 decode_smb_name(cmd),
13558 (si->request)? "Request" : "Response");
13560 col_append_fstr(pinfo->cinfo, COL_INFO,
13562 decode_smb_name(cmd));
13567 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
13569 decode_smb_name(cmd),
13570 (si->request)?"Request":"Response",
13573 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
13575 dissector = (si->request)?
13576 smb_dissector[cmd].request:smb_dissector[cmd].response;
13578 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
13579 proto_item_set_len(cmd_item, offset-old_offset);
13585 /* NOTE: this value_string array will also be used to access data directly by
13586 * index instead of val_to_str() since
13587 * 1, the array will always span every value from 0x00 to 0xff and
13588 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
13589 * This means that this value_string array MUST always
13590 * 1, contain all entries 0x00 to 0xff
13591 * 2, all entries must be in order.
13593 static const value_string smb_cmd_vals[] = {
13594 { 0x00, "Create Directory" },
13595 { 0x01, "Delete Directory" },
13597 { 0x03, "Create" },
13600 { 0x06, "Delete" },
13601 { 0x07, "Rename" },
13602 { 0x08, "Query Information" },
13603 { 0x09, "Set Information" },
13606 { 0x0C, "Lock Byte Range" },
13607 { 0x0D, "Unlock Byte Range" },
13608 { 0x0E, "Create Temp" },
13609 { 0x0F, "Create New" },
13610 { 0x10, "Check Directory" },
13611 { 0x11, "Process Exit" },
13613 { 0x13, "Lock And Read" },
13614 { 0x14, "Write And Unlock" },
13615 { 0x15, "unknown-0x15" },
13616 { 0x16, "unknown-0x16" },
13617 { 0x17, "unknown-0x17" },
13618 { 0x18, "unknown-0x18" },
13619 { 0x19, "unknown-0x19" },
13620 { 0x1A, "Read Raw" },
13621 { 0x1B, "Read MPX" },
13622 { 0x1C, "Read MPX Secondary" },
13623 { 0x1D, "Write Raw" },
13624 { 0x1E, "Write MPX" },
13625 { 0x1F, "Write MPX Secondary" },
13626 { 0x20, "Write Complete" },
13627 { 0x21, "unknown-0x21" },
13628 { 0x22, "Set Information2" },
13629 { 0x23, "Query Information2" },
13630 { 0x24, "Locking AndX" },
13631 { 0x25, "Transaction" },
13632 { 0x26, "Transaction Secondary" },
13634 { 0x28, "IOCTL Secondary" },
13638 { 0x2C, "Write And Close" },
13639 { 0x2D, "Open AndX" },
13640 { 0x2E, "Read AndX" },
13641 { 0x2F, "Write AndX" },
13642 { 0x30, "unknown-0x30" },
13643 { 0x31, "Close And Tree Disconnect" },
13644 { 0x32, "Transaction2" },
13645 { 0x33, "Transaction2 Secondary" },
13646 { 0x34, "Find Close2" },
13647 { 0x35, "Find Notify Close" },
13648 { 0x36, "unknown-0x36" },
13649 { 0x37, "unknown-0x37" },
13650 { 0x38, "unknown-0x38" },
13651 { 0x39, "unknown-0x39" },
13652 { 0x3A, "unknown-0x3A" },
13653 { 0x3B, "unknown-0x3B" },
13654 { 0x3C, "unknown-0x3C" },
13655 { 0x3D, "unknown-0x3D" },
13656 { 0x3E, "unknown-0x3E" },
13657 { 0x3F, "unknown-0x3F" },
13658 { 0x40, "unknown-0x40" },
13659 { 0x41, "unknown-0x41" },
13660 { 0x42, "unknown-0x42" },
13661 { 0x43, "unknown-0x43" },
13662 { 0x44, "unknown-0x44" },
13663 { 0x45, "unknown-0x45" },
13664 { 0x46, "unknown-0x46" },
13665 { 0x47, "unknown-0x47" },
13666 { 0x48, "unknown-0x48" },
13667 { 0x49, "unknown-0x49" },
13668 { 0x4A, "unknown-0x4A" },
13669 { 0x4B, "unknown-0x4B" },
13670 { 0x4C, "unknown-0x4C" },
13671 { 0x4D, "unknown-0x4D" },
13672 { 0x4E, "unknown-0x4E" },
13673 { 0x4F, "unknown-0x4F" },
13674 { 0x50, "unknown-0x50" },
13675 { 0x51, "unknown-0x51" },
13676 { 0x52, "unknown-0x52" },
13677 { 0x53, "unknown-0x53" },
13678 { 0x54, "unknown-0x54" },
13679 { 0x55, "unknown-0x55" },
13680 { 0x56, "unknown-0x56" },
13681 { 0x57, "unknown-0x57" },
13682 { 0x58, "unknown-0x58" },
13683 { 0x59, "unknown-0x59" },
13684 { 0x5A, "unknown-0x5A" },
13685 { 0x5B, "unknown-0x5B" },
13686 { 0x5C, "unknown-0x5C" },
13687 { 0x5D, "unknown-0x5D" },
13688 { 0x5E, "unknown-0x5E" },
13689 { 0x5F, "unknown-0x5F" },
13690 { 0x60, "unknown-0x60" },
13691 { 0x61, "unknown-0x61" },
13692 { 0x62, "unknown-0x62" },
13693 { 0x63, "unknown-0x63" },
13694 { 0x64, "unknown-0x64" },
13695 { 0x65, "unknown-0x65" },
13696 { 0x66, "unknown-0x66" },
13697 { 0x67, "unknown-0x67" },
13698 { 0x68, "unknown-0x68" },
13699 { 0x69, "unknown-0x69" },
13700 { 0x6A, "unknown-0x6A" },
13701 { 0x6B, "unknown-0x6B" },
13702 { 0x6C, "unknown-0x6C" },
13703 { 0x6D, "unknown-0x6D" },
13704 { 0x6E, "unknown-0x6E" },
13705 { 0x6F, "unknown-0x6F" },
13706 { 0x70, "Tree Connect" },
13707 { 0x71, "Tree Disconnect" },
13708 { 0x72, "Negotiate Protocol" },
13709 { 0x73, "Session Setup AndX" },
13710 { 0x74, "Logoff AndX" },
13711 { 0x75, "Tree Connect AndX" },
13712 { 0x76, "unknown-0x76" },
13713 { 0x77, "unknown-0x77" },
13714 { 0x78, "unknown-0x78" },
13715 { 0x79, "unknown-0x79" },
13716 { 0x7A, "unknown-0x7A" },
13717 { 0x7B, "unknown-0x7B" },
13718 { 0x7C, "unknown-0x7C" },
13719 { 0x7D, "unknown-0x7D" },
13720 { 0x7E, "unknown-0x7E" },
13721 { 0x7F, "unknown-0x7F" },
13722 { 0x80, "Query Information Disk" },
13723 { 0x81, "Search" },
13725 { 0x83, "Find Unique" },
13726 { 0x84, "Find Close" },
13727 { 0x85, "unknown-0x85" },
13728 { 0x86, "unknown-0x86" },
13729 { 0x87, "unknown-0x87" },
13730 { 0x88, "unknown-0x88" },
13731 { 0x89, "unknown-0x89" },
13732 { 0x8A, "unknown-0x8A" },
13733 { 0x8B, "unknown-0x8B" },
13734 { 0x8C, "unknown-0x8C" },
13735 { 0x8D, "unknown-0x8D" },
13736 { 0x8E, "unknown-0x8E" },
13737 { 0x8F, "unknown-0x8F" },
13738 { 0x90, "unknown-0x90" },
13739 { 0x91, "unknown-0x91" },
13740 { 0x92, "unknown-0x92" },
13741 { 0x93, "unknown-0x93" },
13742 { 0x94, "unknown-0x94" },
13743 { 0x95, "unknown-0x95" },
13744 { 0x96, "unknown-0x96" },
13745 { 0x97, "unknown-0x97" },
13746 { 0x98, "unknown-0x98" },
13747 { 0x99, "unknown-0x99" },
13748 { 0x9A, "unknown-0x9A" },
13749 { 0x9B, "unknown-0x9B" },
13750 { 0x9C, "unknown-0x9C" },
13751 { 0x9D, "unknown-0x9D" },
13752 { 0x9E, "unknown-0x9E" },
13753 { 0x9F, "unknown-0x9F" },
13754 { 0xA0, "NT Transact" },
13755 { 0xA1, "NT Transact Secondary" },
13756 { 0xA2, "NT Create AndX" },
13757 { 0xA3, "unknown-0xA3" },
13758 { 0xA4, "NT Cancel" },
13759 { 0xA5, "NT Rename" },
13760 { 0xA6, "unknown-0xA6" },
13761 { 0xA7, "unknown-0xA7" },
13762 { 0xA8, "unknown-0xA8" },
13763 { 0xA9, "unknown-0xA9" },
13764 { 0xAA, "unknown-0xAA" },
13765 { 0xAB, "unknown-0xAB" },
13766 { 0xAC, "unknown-0xAC" },
13767 { 0xAD, "unknown-0xAD" },
13768 { 0xAE, "unknown-0xAE" },
13769 { 0xAF, "unknown-0xAF" },
13770 { 0xB0, "unknown-0xB0" },
13771 { 0xB1, "unknown-0xB1" },
13772 { 0xB2, "unknown-0xB2" },
13773 { 0xB3, "unknown-0xB3" },
13774 { 0xB4, "unknown-0xB4" },
13775 { 0xB5, "unknown-0xB5" },
13776 { 0xB6, "unknown-0xB6" },
13777 { 0xB7, "unknown-0xB7" },
13778 { 0xB8, "unknown-0xB8" },
13779 { 0xB9, "unknown-0xB9" },
13780 { 0xBA, "unknown-0xBA" },
13781 { 0xBB, "unknown-0xBB" },
13782 { 0xBC, "unknown-0xBC" },
13783 { 0xBD, "unknown-0xBD" },
13784 { 0xBE, "unknown-0xBE" },
13785 { 0xBF, "unknown-0xBF" },
13786 { 0xC0, "Open Print File" },
13787 { 0xC1, "Write Print File" },
13788 { 0xC2, "Close Print File" },
13789 { 0xC3, "Get Print Queue" },
13790 { 0xC4, "unknown-0xC4" },
13791 { 0xC5, "unknown-0xC5" },
13792 { 0xC6, "unknown-0xC6" },
13793 { 0xC7, "unknown-0xC7" },
13794 { 0xC8, "unknown-0xC8" },
13795 { 0xC9, "unknown-0xC9" },
13796 { 0xCA, "unknown-0xCA" },
13797 { 0xCB, "unknown-0xCB" },
13798 { 0xCC, "unknown-0xCC" },
13799 { 0xCD, "unknown-0xCD" },
13800 { 0xCE, "unknown-0xCE" },
13801 { 0xCF, "unknown-0xCF" },
13802 { 0xD0, "Send Single Block Message" },
13803 { 0xD1, "Send Broadcast Message" },
13804 { 0xD2, "Forward User Name" },
13805 { 0xD3, "Cancel Forward" },
13806 { 0xD4, "Get Machine Name" },
13807 { 0xD5, "Send Start of Multi-block Message" },
13808 { 0xD6, "Send End of Multi-block Message" },
13809 { 0xD7, "Send Text of Multi-block Message" },
13810 { 0xD8, "SMBreadbulk" },
13811 { 0xD9, "SMBwritebulk" },
13812 { 0xDA, "SMBwritebulkdata" },
13813 { 0xDB, "unknown-0xDB" },
13814 { 0xDC, "unknown-0xDC" },
13815 { 0xDD, "unknown-0xDD" },
13816 { 0xDE, "unknown-0xDE" },
13817 { 0xDF, "unknown-0xDF" },
13818 { 0xE0, "unknown-0xE0" },
13819 { 0xE1, "unknown-0xE1" },
13820 { 0xE2, "unknown-0xE2" },
13821 { 0xE3, "unknown-0xE3" },
13822 { 0xE4, "unknown-0xE4" },
13823 { 0xE5, "unknown-0xE5" },
13824 { 0xE6, "unknown-0xE6" },
13825 { 0xE7, "unknown-0xE7" },
13826 { 0xE8, "unknown-0xE8" },
13827 { 0xE9, "unknown-0xE9" },
13828 { 0xEA, "unknown-0xEA" },
13829 { 0xEB, "unknown-0xEB" },
13830 { 0xEC, "unknown-0xEC" },
13831 { 0xED, "unknown-0xED" },
13832 { 0xEE, "unknown-0xEE" },
13833 { 0xEF, "unknown-0xEF" },
13834 { 0xF0, "unknown-0xF0" },
13835 { 0xF1, "unknown-0xF1" },
13836 { 0xF2, "unknown-0xF2" },
13837 { 0xF3, "unknown-0xF3" },
13838 { 0xF4, "unknown-0xF4" },
13839 { 0xF5, "unknown-0xF5" },
13840 { 0xF6, "unknown-0xF6" },
13841 { 0xF7, "unknown-0xF7" },
13842 { 0xF8, "unknown-0xF8" },
13843 { 0xF9, "unknown-0xF9" },
13844 { 0xFA, "unknown-0xFA" },
13845 { 0xFB, "unknown-0xFB" },
13846 { 0xFC, "unknown-0xFC" },
13847 { 0xFD, "unknown-0xFD" },
13848 { 0xFE, "SMBinvalid" },
13849 { 0xFF, "unknown-0xFF" },
13853 static char *decode_smb_name(unsigned char cmd)
13855 return(smb_cmd_vals[cmd].strptr);
13860 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13861 * Everything TVBUFFIFIED above this line
13862 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
13866 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
13868 conv_tables_t *ct = ctarg;
13871 g_hash_table_destroy(ct->unmatched);
13873 g_hash_table_destroy(ct->matched);
13874 if (ct->dcerpc_fid_to_frame)
13875 g_hash_table_destroy(ct->dcerpc_fid_to_frame);
13876 if (ct->tid_service)
13877 g_hash_table_destroy(ct->tid_service);
13881 smb_init_protocol(void)
13883 if (smb_saved_info_key_chunk)
13884 g_mem_chunk_destroy(smb_saved_info_key_chunk);
13885 if (smb_saved_info_chunk)
13886 g_mem_chunk_destroy(smb_saved_info_chunk);
13887 if (smb_nt_transact_info_chunk)
13888 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
13889 if (smb_transact2_info_chunk)
13890 g_mem_chunk_destroy(smb_transact2_info_chunk);
13891 if (smb_transact_info_chunk)
13892 g_mem_chunk_destroy(smb_transact_info_chunk);
13895 * Free the hash tables attached to the conversation table
13896 * structures, and then free the list of conversation table
13897 * data structures (which doesn't free the data structures
13898 * themselves; that's done by destroying the chunk from
13899 * which they were allocated).
13902 g_slist_foreach(conv_tables, free_hash_tables, NULL);
13903 g_slist_free(conv_tables);
13904 conv_tables = NULL;
13908 * Now destroy the chunk from which the conversation table
13909 * structures were allocated.
13911 if (conv_tables_chunk)
13912 g_mem_chunk_destroy(conv_tables_chunk);
13914 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
13915 sizeof(smb_saved_info_t),
13916 smb_saved_info_init_count * sizeof(smb_saved_info_t),
13918 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
13919 sizeof(smb_saved_info_key_t),
13920 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
13922 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
13923 sizeof(smb_nt_transact_info_t),
13924 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
13926 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
13927 sizeof(smb_transact2_info_t),
13928 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
13930 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
13931 sizeof(smb_transact_info_t),
13932 smb_transact_info_init_count * sizeof(smb_transact_info_t),
13934 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
13935 sizeof(conv_tables_t),
13936 conv_tables_count * sizeof(conv_tables_t),
13940 static const value_string errcls_types[] = {
13941 { SMB_SUCCESS, "Success"},
13942 { SMB_ERRDOS, "DOS Error"},
13943 { SMB_ERRSRV, "Server Error"},
13944 { SMB_ERRHRD, "Hardware Error"},
13945 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
13949 const value_string DOS_errors[] = {
13951 {SMBE_insufficientbuffer, "Insufficient buffer"},
13952 {SMBE_badfunc, "Invalid function (or system call)"},
13953 {SMBE_badfile, "File not found (pathname error)"},
13954 {SMBE_badpath, "Directory not found"},
13955 {SMBE_nofids, "Too many open files"},
13956 {SMBE_noaccess, "Access denied"},
13957 {SMBE_badfid, "Invalid fid"},
13958 {SMBE_nomem, "Out of memory"},
13959 {SMBE_badmem, "Invalid memory block address"},
13960 {SMBE_badenv, "Invalid environment"},
13961 {SMBE_badaccess, "Invalid open mode"},
13962 {SMBE_baddata, "Invalid data (only from ioctl call)"},
13963 {SMBE_res, "Reserved error code?"},
13964 {SMBE_baddrive, "Invalid drive"},
13965 {SMBE_remcd, "Attempt to delete current directory"},
13966 {SMBE_diffdevice, "Rename/move across different filesystems"},
13967 {SMBE_nofiles, "No more files found in file search"},
13968 {SMBE_badshare, "Share mode on file conflict with open mode"},
13969 {SMBE_lock, "Lock request conflicts with existing lock"},
13970 {SMBE_unsup, "Request unsupported, returned by Win 95"},
13971 {SMBE_nosuchshare, "Requested share does not exist"},
13972 {SMBE_filexists, "File in operation already exists"},
13973 {SMBE_cannotopen, "Cannot open the file specified"},
13974 {SMBE_unknownlevel, "Unknown info level"},
13975 {SMBE_invalidname, "Invalid name"},
13976 {SMBE_badpipe, "Named pipe invalid"},
13977 {SMBE_pipebusy, "All instances of pipe are busy"},
13978 {SMBE_pipeclosing, "Named pipe close in progress"},
13979 {SMBE_notconnected, "No process on other end of named pipe"},
13980 {SMBE_moredata, "More data to be returned"},
13981 {SMBE_baddirectory, "Invalid directory name in a path."},
13982 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
13983 {SMBE_eas_nsup, "Extended attributes not supported"},
13984 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
13985 {SMBE_unknownipc, "Unknown IPC Operation"},
13986 {SMBE_noipc, "Don't support ipc"},
13987 {SMBE_alreadyexists, "File already exists"},
13988 {SMBE_unknownprinterdriver, "Unknown printer driver"},
13989 {SMBE_invalidprintername, "Invalid printer name"},
13990 {SMBE_printeralreadyexists, "Printer already exists"},
13991 {SMBE_invaliddatatype, "Invalid data type"},
13992 {SMBE_invalidenvironment, "Invalid environment"},
13993 {SMBE_printerdriverinuse, "Printer driver in use"},
13994 {SMBE_invalidparam, "Invalid parameter"},
13995 {SMBE_invalidformsize, "Invalid form size"},
13996 {SMBE_invalidsecuritydescriptor, "Invalid security descriptor"},
13997 {SMBE_invalidowner, "Invalid owner"},
13998 {SMBE_nomoreitems, "No more items"},
14002 /* Error codes for the ERRSRV class */
14004 static const value_string SRV_errors[] = {
14005 {SMBE_error, "Non specific error code"},
14006 {SMBE_badpw, "Bad password"},
14007 {SMBE_badtype, "Reserved"},
14008 {SMBE_access, "No permissions to perform the requested operation"},
14009 {SMBE_invnid, "TID invalid"},
14010 {SMBE_invnetname, "Invalid network name. Service not found"},
14011 {SMBE_invdevice, "Invalid device"},
14012 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
14013 {SMBE_qfull, "Print queue full"},
14014 {SMBE_qtoobig, "Queued item too big"},
14015 {SMBE_qeof, "EOF on print queue dump"},
14016 {SMBE_invpfid, "Invalid print file in smb_fid"},
14017 {SMBE_smbcmd, "Unrecognised command"},
14018 {SMBE_srverror, "SMB server internal error"},
14019 {SMBE_filespecs, "Fid and pathname invalid combination"},
14020 {SMBE_badlink, "Bad link in request ???"},
14021 {SMBE_badpermits, "Access specified for a file is not valid"},
14022 {SMBE_badpid, "Bad process id in request"},
14023 {SMBE_setattrmode, "Attribute mode invalid"},
14024 {SMBE_paused, "Message server paused"},
14025 {SMBE_msgoff, "Not receiving messages"},
14026 {SMBE_noroom, "No room for message"},
14027 {SMBE_rmuns, "Too many remote usernames"},
14028 {SMBE_timeout, "Operation timed out"},
14029 {SMBE_noresource, "No resources currently available for request."},
14030 {SMBE_toomanyuids, "Too many userids"},
14031 {SMBE_baduid, "Bad userid"},
14032 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
14033 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
14034 {SMBE_contMPX, "Resume MPX mode"},
14035 {SMBE_badPW, "Bad Password???"},
14036 {SMBE_nosupport, "Operation not supported"},
14040 /* Error codes for the ERRHRD class */
14042 static const value_string HRD_errors[] = {
14043 {SMBE_nowrite, "Read only media"},
14044 {SMBE_badunit, "Unknown device"},
14045 {SMBE_notready, "Drive not ready"},
14046 {SMBE_badcmd, "Unknown command"},
14047 {SMBE_data, "Data (CRC) error"},
14048 {SMBE_badreq, "Bad request structure length"},
14049 {SMBE_seek, "Seek error"},
14050 {SMBE_badmedia, "Unknown media type"},
14051 {SMBE_badsector, "Sector not found"},
14052 {SMBE_nopaper, "Printer out of paper"},
14053 {SMBE_write, "Write fault"},
14054 {SMBE_read, "Read fault"},
14055 {SMBE_general, "General failure"},
14056 {SMBE_badshare, "A open conflicts with an existing open"},
14057 {SMBE_lock, "Lock conflict/invalid mode, or unlock of another process's lock"},
14058 {SMBE_wrongdisk, "The wrong disk was found in a drive"},
14059 {SMBE_FCBunavail, "No FCBs are available to process request"},
14060 {SMBE_sharebufexc, "A sharing buffer has been exceeded"},
14061 {SMBE_diskfull, "Disk full???"},
14065 static char *decode_smb_error(guint8 errcls, guint16 errcode)
14072 return("No Error"); /* No error ??? */
14077 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
14082 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
14087 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
14092 return("Unknown error class!");
14099 /* These are the MS country codes from
14101 http://www.unicode.org/unicode/onlinedat/countries.html
14103 For countries that share the same number, I choose to use only the
14104 name of the largest country. Apologies for this. If this offends you,
14105 here is the table to change that.
14107 This also includes the code of 0 for "Default", which isn't in
14108 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
14109 header file. Presumably it means "don't override the setting
14110 on the user's machine".
14112 Future versions of Microsoft's "winnls.h" header file might include
14113 additional codes; the current version matches the Unicode Consortium's
14116 const value_string ms_country_codes[] = {
14122 { 27, "South Africa"},
14124 { 31, "Netherlands"},
14131 { 41, "Switzerland"},
14133 { 44, "United Kingdom"},
14141 { 54, "Argentina"},
14145 { 58, "Venezuela"},
14147 { 61, "Australia"},
14148 { 62, "Indonesia"},
14149 { 63, "Philippines"},
14150 { 64, "New Zealand"},
14151 { 65, "Singapore"},
14154 { 82, "South Korea"},
14166 {298, "Faroe Islands"},
14168 {352, "Luxembourg"},
14174 {370, "Lithuania"},
14183 {389, "Macedonia"},
14184 {420, "Czech Republic"},
14185 {421, "Slovak Republic"},
14187 {502, "Guatemala"},
14188 {503, "El Salvador"},
14190 {505, "Nicaragua"},
14191 {506, "Costa Rica"},
14197 {673, "Brunei Darussalam"},
14198 {852, "Hong Kong"},
14207 {966, "Saudi Arabia"},
14210 {971, "United Arab Emirates"},
14216 {994, "Azerbaijan"},
14218 {996, "Kyrgyzstan"},
14228 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
14230 const value_string NT_errors[] = {
14231 { 0x00000000, "STATUS_SUCCESS" },
14232 { 0x00000000, "STATUS_WAIT_0" },
14233 { 0x00000001, "STATUS_WAIT_1" },
14234 { 0x00000002, "STATUS_WAIT_2" },
14235 { 0x00000003, "STATUS_WAIT_3" },
14236 { 0x0000003F, "STATUS_WAIT_63" },
14237 { 0x00000080, "STATUS_ABANDONED" },
14238 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
14239 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
14240 { 0x000000C0, "STATUS_USER_APC" },
14241 { 0x00000100, "STATUS_KERNEL_APC" },
14242 { 0x00000101, "STATUS_ALERTED" },
14243 { 0x00000102, "STATUS_TIMEOUT" },
14244 { 0x00000103, "STATUS_PENDING" },
14245 { 0x00000104, "STATUS_REPARSE" },
14246 { 0x00000105, "STATUS_MORE_ENTRIES" },
14247 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
14248 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
14249 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
14250 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
14251 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
14252 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
14253 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
14254 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
14255 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
14256 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
14257 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
14258 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
14259 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
14260 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
14261 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
14262 { 0x00000116, "STATUS_CRASH_DUMP" },
14263 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
14264 { 0x00000118, "STATUS_REPARSE_OBJECT" },
14265 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
14266 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
14267 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
14268 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
14269 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
14270 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
14271 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
14272 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
14273 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
14274 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
14275 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
14276 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
14277 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
14278 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
14279 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
14280 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
14281 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
14282 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
14283 { 0x40000012, "STATUS_EVENT_DONE" },
14284 { 0x40000013, "STATUS_EVENT_PENDING" },
14285 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
14286 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
14287 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
14288 { 0x40000017, "STATUS_WAS_UNLOCKED" },
14289 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
14290 { 0x40000019, "STATUS_WAS_LOCKED" },
14291 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
14292 { 0x4000001B, "STATUS_ALREADY_WIN32" },
14293 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
14294 { 0x4000001D, "STATUS_WX86_CONTINUE" },
14295 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
14296 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
14297 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
14298 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
14299 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
14300 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
14301 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
14302 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
14303 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
14304 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
14305 { 0x80000003, "STATUS_BREAKPOINT" },
14306 { 0x80000004, "STATUS_SINGLE_STEP" },
14307 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
14308 { 0x80000006, "STATUS_NO_MORE_FILES" },
14309 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
14310 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
14311 { 0x8000000B, "STATUS_NO_INHERITANCE" },
14312 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
14313 { 0x8000000D, "STATUS_PARTIAL_COPY" },
14314 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
14315 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
14316 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
14317 { 0x80000011, "STATUS_DEVICE_BUSY" },
14318 { 0x80000012, "STATUS_NO_MORE_EAS" },
14319 { 0x80000013, "STATUS_INVALID_EA_NAME" },
14320 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
14321 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
14322 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
14323 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
14324 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
14325 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
14326 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
14327 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
14328 { 0x8000001D, "STATUS_BUS_RESET" },
14329 { 0x8000001E, "STATUS_END_OF_MEDIA" },
14330 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
14331 { 0x80000020, "STATUS_MEDIA_CHECK" },
14332 { 0x80000021, "STATUS_SETMARK_DETECTED" },
14333 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
14334 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
14335 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
14336 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
14337 { 0x80000026, "STATUS_LONGJUMP" },
14338 { 0x80040111, "MAPI_E_LOGON_FAILED" },
14339 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
14340 { 0x80090301, "SEC_E_INVALID_HANDLE" },
14341 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
14342 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
14343 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
14344 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
14345 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
14346 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
14347 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
14348 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
14349 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
14350 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
14351 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
14352 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
14353 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
14354 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
14355 { 0xC0000008, "STATUS_INVALID_HANDLE" },
14356 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
14357 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
14358 { 0xC000000B, "STATUS_INVALID_CID" },
14359 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
14360 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
14361 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
14362 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
14363 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
14364 { 0xC0000011, "STATUS_END_OF_FILE" },
14365 { 0xC0000012, "STATUS_WRONG_VOLUME" },
14366 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
14367 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
14368 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
14369 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
14370 { 0xC0000017, "STATUS_NO_MEMORY" },
14371 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
14372 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
14373 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
14374 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
14375 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
14376 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
14377 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
14378 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
14379 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
14380 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
14381 { 0xC0000022, "STATUS_ACCESS_DENIED" },
14382 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
14383 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
14384 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
14385 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
14386 { 0xC0000027, "STATUS_UNWIND" },
14387 { 0xC0000028, "STATUS_BAD_STACK" },
14388 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
14389 { 0xC000002A, "STATUS_NOT_LOCKED" },
14390 { 0xC000002B, "STATUS_PARITY_ERROR" },
14391 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
14392 { 0xC000002D, "STATUS_NOT_COMMITTED" },
14393 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
14394 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
14395 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
14396 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
14397 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
14398 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
14399 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
14400 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
14401 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
14402 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
14403 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
14404 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
14405 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
14406 { 0xC000003C, "STATUS_DATA_OVERRUN" },
14407 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
14408 { 0xC000003E, "STATUS_DATA_ERROR" },
14409 { 0xC000003F, "STATUS_CRC_ERROR" },
14410 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
14411 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
14412 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
14413 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
14414 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
14415 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
14416 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
14417 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
14418 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
14419 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
14420 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
14421 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
14422 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
14423 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
14424 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
14425 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
14426 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
14427 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
14428 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
14429 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
14430 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
14431 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
14432 { 0xC0000056, "STATUS_DELETE_PENDING" },
14433 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
14434 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
14435 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
14436 { 0xC000005A, "STATUS_INVALID_OWNER" },
14437 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
14438 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
14439 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
14440 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
14441 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
14442 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
14443 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
14444 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
14445 { 0xC0000063, "STATUS_USER_EXISTS" },
14446 { 0xC0000064, "STATUS_NO_SUCH_USER" },
14447 { 0xC0000065, "STATUS_GROUP_EXISTS" },
14448 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
14449 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
14450 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
14451 { 0xC0000069, "STATUS_LAST_ADMIN" },
14452 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
14453 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
14454 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
14455 { 0xC000006D, "STATUS_LOGON_FAILURE" },
14456 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
14457 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
14458 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
14459 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
14460 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
14461 { 0xC0000073, "STATUS_NONE_MAPPED" },
14462 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
14463 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
14464 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
14465 { 0xC0000077, "STATUS_INVALID_ACL" },
14466 { 0xC0000078, "STATUS_INVALID_SID" },
14467 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
14468 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
14469 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
14470 { 0xC000007C, "STATUS_NO_TOKEN" },
14471 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
14472 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
14473 { 0xC000007F, "STATUS_DISK_FULL" },
14474 { 0xC0000080, "STATUS_SERVER_DISABLED" },
14475 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
14476 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
14477 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
14478 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
14479 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
14480 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
14481 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
14482 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
14483 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
14484 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
14485 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
14486 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
14487 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
14488 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
14489 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
14490 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
14491 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
14492 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
14493 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
14494 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
14495 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
14496 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
14497 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
14498 { 0xC0000098, "STATUS_FILE_INVALID" },
14499 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
14500 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
14501 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
14502 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
14503 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
14504 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
14505 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
14506 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
14507 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
14508 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
14509 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
14510 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
14511 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
14512 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
14513 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
14514 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
14515 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
14516 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
14517 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
14518 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
14519 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
14520 { 0xC00000AE, "STATUS_PIPE_BUSY" },
14521 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
14522 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
14523 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
14524 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
14525 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
14526 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
14527 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
14528 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
14529 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
14530 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
14531 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
14532 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
14533 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
14534 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
14535 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
14536 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
14537 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
14538 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
14539 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
14540 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
14541 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
14542 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
14543 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
14544 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
14545 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
14546 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
14547 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
14548 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
14549 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
14550 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
14551 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
14552 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
14553 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
14554 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
14555 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
14556 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
14557 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
14558 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
14559 { 0xC00000D5, "STATUS_FILE_RENAMED" },
14560 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
14561 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
14562 { 0xC00000D8, "STATUS_CANT_WAIT" },
14563 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
14564 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
14565 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
14566 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
14567 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
14568 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
14569 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
14570 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
14571 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
14572 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
14573 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
14574 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
14575 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
14576 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
14577 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
14578 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
14579 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
14580 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
14581 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
14582 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
14583 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
14584 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
14585 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
14586 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
14587 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
14588 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
14589 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
14590 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
14591 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
14592 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
14593 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
14594 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
14595 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
14596 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
14597 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
14598 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
14599 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
14600 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
14601 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
14602 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
14603 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
14604 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
14605 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
14606 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
14607 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
14608 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
14609 { 0xC0000107, "STATUS_FILES_OPEN" },
14610 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
14611 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
14612 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
14613 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
14614 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
14615 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
14616 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
14617 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
14618 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
14619 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
14620 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
14621 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
14622 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
14623 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
14624 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
14625 { 0xC0000117, "STATUS_NO_LDT" },
14626 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
14627 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
14628 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
14629 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
14630 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
14631 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
14632 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
14633 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
14634 { 0xC0000120, "STATUS_CANCELLED" },
14635 { 0xC0000121, "STATUS_CANNOT_DELETE" },
14636 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
14637 { 0xC0000123, "STATUS_FILE_DELETED" },
14638 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
14639 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
14640 { 0xC0000126, "STATUS_SPECIAL_USER" },
14641 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
14642 { 0xC0000128, "STATUS_FILE_CLOSED" },
14643 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
14644 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
14645 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
14646 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
14647 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
14648 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
14649 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
14650 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
14651 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
14652 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
14653 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
14654 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
14655 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
14656 { 0xC0000136, "STATUS_OPEN_FAILED" },
14657 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
14658 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
14659 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
14660 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
14661 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
14662 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
14663 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
14664 { 0xC000013E, "STATUS_LINK_FAILED" },
14665 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
14666 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
14667 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
14668 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
14669 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
14670 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
14671 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
14672 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
14673 { 0xC0000147, "STATUS_NO_PAGEFILE" },
14674 { 0xC0000148, "STATUS_INVALID_LEVEL" },
14675 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
14676 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
14677 { 0xC000014B, "STATUS_PIPE_BROKEN" },
14678 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
14679 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
14680 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
14681 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
14682 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
14683 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
14684 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
14685 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
14686 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
14687 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
14688 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
14689 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
14690 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
14691 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
14692 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
14693 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
14694 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
14695 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
14696 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
14697 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
14698 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
14699 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
14700 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
14701 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
14702 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
14703 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
14704 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
14705 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
14706 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
14707 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
14708 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
14709 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
14710 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
14711 { 0xC000016D, "STATUS_FT_ORPHANING" },
14712 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
14713 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
14714 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
14715 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
14716 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
14717 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
14718 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
14719 { 0xC0000178, "STATUS_NO_MEDIA" },
14720 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
14721 { 0xC000017B, "STATUS_INVALID_MEMBER" },
14722 { 0xC000017C, "STATUS_KEY_DELETED" },
14723 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
14724 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
14725 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
14726 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
14727 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
14728 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
14729 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
14730 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
14731 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
14732 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
14733 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
14734 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
14735 { 0xC0000189, "STATUS_TOO_LATE" },
14736 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
14737 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
14738 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
14739 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
14740 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
14741 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
14742 { 0xC0000190, "STATUS_TRUST_FAILURE" },
14743 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
14744 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
14745 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
14746 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
14747 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
14748 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
14749 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
14750 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
14751 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
14752 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
14753 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
14754 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
14755 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
14756 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
14757 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
14758 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
14759 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
14760 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
14761 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
14762 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
14763 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
14764 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
14765 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
14766 { 0xC000020D, "STATUS_CONNECTION_RESET" },
14767 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
14768 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
14769 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
14770 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
14771 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
14772 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
14773 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
14774 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
14775 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
14776 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
14777 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
14778 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
14779 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
14780 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
14781 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
14782 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
14783 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
14784 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
14785 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
14786 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
14787 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
14788 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
14789 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
14790 { 0xC0000225, "STATUS_NOT_FOUND" },
14791 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
14792 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
14793 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
14794 { 0xC0000229, "STATUS_FAIL_CHECK" },
14795 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
14796 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
14797 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
14798 { 0xC000022D, "STATUS_RETRY" },
14799 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
14800 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
14801 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
14802 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
14803 { 0xC0000232, "STATUS_INVALID_VARIANT" },
14804 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
14805 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
14806 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
14807 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
14808 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
14809 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
14810 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
14811 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
14812 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
14813 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
14814 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
14815 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
14816 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
14817 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
14818 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
14819 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
14820 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
14821 { 0xC0000244, "STATUS_AUDIT_FAILED" },
14822 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
14823 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
14824 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
14825 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
14826 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
14827 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
14828 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
14829 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
14830 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
14831 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
14832 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
14833 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
14834 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
14835 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
14836 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
14837 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
14838 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
14839 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
14840 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
14841 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
14842 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
14843 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
14844 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
14845 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
14846 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
14847 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
14848 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
14849 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
14850 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
14851 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
14852 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
14853 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
14854 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
14855 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
14856 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
14857 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
14858 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
14859 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
14860 { 0xC0000272, "STATUS_NO_MATCH" },
14861 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
14862 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
14863 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
14864 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
14865 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
14866 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
14867 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
14868 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
14869 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
14870 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
14871 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
14872 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
14873 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
14874 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
14875 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
14876 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
14877 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
14878 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
14879 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
14880 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
14881 { 0xC000028E, "STATUS_NO_EFS" },
14882 { 0xC000028F, "STATUS_WRONG_EFS" },
14883 { 0xC0000290, "STATUS_NO_USER_KEYS" },
14884 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
14885 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
14886 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
14887 { 0x40000294, "STATUS_WAKE_SYSTEM" },
14888 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
14889 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
14890 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
14891 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
14892 { 0xC0000299, "STATUS_SHARED_POLICY" },
14893 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
14894 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
14895 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
14896 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
14897 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
14898 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
14899 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
14900 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
14901 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
14902 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
14903 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
14904 { 0xC00002A5, "STATUS_DS_BUSY" },
14905 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
14906 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
14907 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
14908 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
14909 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
14910 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
14911 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
14912 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
14913 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
14914 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
14915 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
14916 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
14917 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
14918 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
14919 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
14920 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
14921 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
14922 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
14923 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
14924 { 0xC00002B9, "STATUS_NOINTERFACE" },
14925 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
14926 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
14927 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
14928 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
14929 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
14930 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
14931 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
14932 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
14933 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
14934 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
14935 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
14936 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
14937 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
14938 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
14939 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
14940 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
14941 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
14942 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
14943 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
14944 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
14945 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
14946 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
14947 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
14948 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
14949 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
14950 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
14951 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
14952 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
14953 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
14954 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
14955 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
14956 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
14957 { 0xC00002E1, "STATUS_DS_CANT_START" },
14958 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
14959 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
14960 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
14961 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
14962 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
14963 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
14964 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
14965 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
14966 { 0xC0009898, "STATUS_WOW_ASSERTION" },
14967 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
14968 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
14969 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
14970 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
14971 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
14972 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
14973 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
14974 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
14975 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
14976 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
14977 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
14978 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
14979 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
14980 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
14981 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
14982 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
14983 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
14984 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
14985 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
14986 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
14987 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
14988 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
14989 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
14990 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
14991 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
14992 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
14993 { 0xC002001B, "RPC_NT_CALL_FAILED" },
14994 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
14995 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
14996 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
14997 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
14998 { 0xC0020022, "RPC_NT_INVALID_TAG" },
14999 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
15000 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
15001 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
15002 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
15003 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
15004 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
15005 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
15006 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
15007 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
15008 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
15009 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
15010 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
15011 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
15012 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
15013 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
15014 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
15015 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
15016 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
15017 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
15018 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
15019 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
15020 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
15021 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
15022 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
15023 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
15024 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
15025 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
15026 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
15027 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
15028 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
15029 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
15030 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
15031 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
15032 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
15033 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
15034 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
15035 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
15036 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
15037 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
15038 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
15039 { 0xC002100A, "RPC_P_SEND_FAILED" },
15040 { 0xC002100B, "RPC_P_TIMEOUT" },
15041 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
15042 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
15043 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
15044 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
15045 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
15046 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
15047 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
15048 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
15049 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
15050 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
15051 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
15052 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
15053 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
15054 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
15055 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
15056 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
15057 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
15058 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
15059 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
15060 { 0xC002004C, "EPT_NT_CANT_CREATE" },
15061 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
15062 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
15063 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
15064 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
15065 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
15066 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
15067 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
15068 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
15069 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
15070 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
15071 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
15072 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
15073 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
15074 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
15075 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
15076 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
15077 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
15078 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
15084 static const true_false_string tfs_smb_flags_lock = {
15085 "Lock&Read, Write&Unlock are supported",
15086 "Lock&Read, Write&Unlock are not supported"
15088 static const true_false_string tfs_smb_flags_receive_buffer = {
15089 "Receive buffer has been posted",
15090 "Receive buffer has not been posted"
15092 static const true_false_string tfs_smb_flags_caseless = {
15093 "Path names are caseless",
15094 "Path names are case sensitive"
15096 static const true_false_string tfs_smb_flags_canon = {
15097 "Pathnames are canonicalized",
15098 "Pathnames are not canonicalized"
15100 static const true_false_string tfs_smb_flags_oplock = {
15101 "OpLock requested/granted",
15102 "OpLock not requested/granted"
15104 static const true_false_string tfs_smb_flags_notify = {
15105 "Notify client on all modifications",
15106 "Notify client only on open"
15108 static const true_false_string tfs_smb_flags_response = {
15109 "Message is a response to the client/redirector",
15110 "Message is a request to the server"
15114 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15117 proto_item *item = NULL;
15118 proto_tree *tree = NULL;
15120 mask = tvb_get_guint8(tvb, offset);
15123 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
15124 "Flags: 0x%02x", mask);
15125 tree = proto_item_add_subtree(item, ett_smb_flags);
15127 proto_tree_add_boolean(tree, hf_smb_flags_response,
15128 tvb, offset, 1, mask);
15129 proto_tree_add_boolean(tree, hf_smb_flags_notify,
15130 tvb, offset, 1, mask);
15131 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
15132 tvb, offset, 1, mask);
15133 proto_tree_add_boolean(tree, hf_smb_flags_canon,
15134 tvb, offset, 1, mask);
15135 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
15136 tvb, offset, 1, mask);
15137 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
15138 tvb, offset, 1, mask);
15139 proto_tree_add_boolean(tree, hf_smb_flags_lock,
15140 tvb, offset, 1, mask);
15147 static const true_false_string tfs_smb_flags2_long_names_allowed = {
15148 "Long file names are allowed in the response",
15149 "Long file names are not allowed in the response"
15151 static const true_false_string tfs_smb_flags2_ea = {
15152 "Extended attributes are supported",
15153 "Extended attributes are not supported"
15155 static const true_false_string tfs_smb_flags2_sec_sig = {
15156 "Security signatures are supported",
15157 "Security signatures are not supported"
15159 static const true_false_string tfs_smb_flags2_long_names_used = {
15160 "Path names in request are long file names",
15161 "Path names in request are not long file names"
15163 static const true_false_string tfs_smb_flags2_esn = {
15164 "Extended security negotiation is supported",
15165 "Extended security negotiation is not supported"
15167 static const true_false_string tfs_smb_flags2_dfs = {
15168 "Resolve pathnames with Dfs",
15169 "Don't resolve pathnames with Dfs"
15171 static const true_false_string tfs_smb_flags2_roe = {
15172 "Permit reads if execute-only",
15173 "Don't permit reads if execute-only"
15175 static const true_false_string tfs_smb_flags2_nt_error = {
15176 "Error codes are NT error codes",
15177 "Error codes are DOS error codes"
15179 static const true_false_string tfs_smb_flags2_string = {
15180 "Strings are Unicode",
15181 "Strings are ASCII"
15184 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15187 proto_item *item = NULL;
15188 proto_tree *tree = NULL;
15190 mask = tvb_get_letohs(tvb, offset);
15193 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
15194 "Flags2: 0x%04x", mask);
15195 tree = proto_item_add_subtree(item, ett_smb_flags2);
15198 proto_tree_add_boolean(tree, hf_smb_flags2_string,
15199 tvb, offset, 2, mask);
15200 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
15201 tvb, offset, 2, mask);
15202 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
15203 tvb, offset, 2, mask);
15204 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
15205 tvb, offset, 2, mask);
15206 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
15207 tvb, offset, 2, mask);
15208 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
15209 tvb, offset, 2, mask);
15210 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
15211 tvb, offset, 2, mask);
15212 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
15213 tvb, offset, 2, mask);
15214 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
15215 tvb, offset, 2, mask);
15223 #define SMB_FLAGS_DIRN 0x80
15227 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
15230 proto_item *item = NULL, *hitem = NULL;
15231 proto_tree *tree = NULL, *htree = NULL;
15235 smb_saved_info_t *sip = NULL;
15236 smb_saved_info_key_t key;
15237 smb_saved_info_key_t *new_key;
15238 guint32 nt_status = 0;
15239 guint8 errclass = 0;
15240 guint16 errcode = 0;
15242 conversation_t *conversation;
15245 top_tree=parent_tree;
15247 /* must check that this really is a smb packet */
15248 if (!tvb_bytes_exist(tvb, 0, 4))
15251 if( (tvb_get_guint8(tvb, 0) != 0xff)
15252 || (tvb_get_guint8(tvb, 1) != 'S')
15253 || (tvb_get_guint8(tvb, 2) != 'M')
15254 || (tvb_get_guint8(tvb, 3) != 'B') ){
15258 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
15259 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
15261 if (check_col(pinfo->cinfo, COL_INFO)){
15262 col_clear(pinfo->cinfo, COL_INFO);
15265 /* start off using the local variable, we will allocate a new one if we
15267 si.cmd = tvb_get_guint8(tvb, offset+4);
15268 flags = tvb_get_guint8(tvb, offset+9);
15269 si.request = !(flags&SMB_FLAGS_DIRN);
15270 flags2 = tvb_get_letohs(tvb, offset+10);
15271 if(flags2 & 0x8000){
15272 si.unicode = TRUE; /* Mark them as Unicode */
15274 si.unicode = FALSE;
15276 si.tid = tvb_get_letohs(tvb, offset+24);
15277 si.pid = tvb_get_letohs(tvb, offset+26);
15278 si.uid = tvb_get_letohs(tvb, offset+28);
15279 si.mid = tvb_get_letohs(tvb, offset+30);
15280 pid_mid = (si.pid << 16) | si.mid;
15281 si.info_level = -1;
15282 si.info_count = -1;
15285 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
15287 tree = proto_item_add_subtree(item, ett_smb);
15289 hitem = proto_tree_add_text(tree, tvb, offset, 32,
15292 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
15295 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
15296 offset += 4; /* Skip the marker */
15298 /* find which conversation we are part of and get the tables for that
15300 conversation = find_conversation(&pinfo->src, &pinfo->dst,
15301 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
15303 /* OK this is a new conversation so lets create it */
15304 conversation = conversation_new(&pinfo->src, &pinfo->dst,
15305 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
15307 /* see if we already have the smb data for this conversation */
15308 si.ct=conversation_get_proto_data(conversation, proto_smb);
15310 /* No, not yet. create it and attach it to the conversation */
15311 si.ct = g_mem_chunk_alloc(conv_tables_chunk);
15312 conv_tables = g_slist_prepend(conv_tables, si.ct);
15313 si.ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
15314 smb_saved_info_equal_matched);
15315 si.ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
15316 smb_saved_info_equal_unmatched);
15317 si.ct->dcerpc_fid_to_frame=g_hash_table_new(
15318 smb_saved_info_hash_unmatched,
15319 smb_saved_info_equal_unmatched);
15320 si.ct->tid_service=g_hash_table_new(
15321 smb_saved_info_hash_unmatched,
15322 smb_saved_info_equal_unmatched);
15323 conversation_add_proto_data(conversation, proto_smb, si.ct);
15331 /* this is a broadcast SMB packet, there will not be a reply.
15332 We dont need to do anything
15335 } else if( (si.cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
15336 ||(si.cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
15337 ||(si.cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
15338 ||(si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
15339 /* Ok, we got a special request type. This request is either
15340 an NT Cancel or a continuation relative to a real request
15341 in an earlier packet. In either case, we don't expect any
15342 responses to this packet. For continuations, any later
15343 responses we see really just belong to the original request.
15344 Anyway, we want to remember this packet somehow and
15345 remember which original request it is associated with so
15346 we can say nice things such as "This is a Cancellation to
15347 the request in frame x", but we don't want the
15348 request/response matching to get messed up.
15350 The only thing we do in this case is trying to find which original
15351 request we match with and insert an entry for this "special"
15352 request for later reference. We continue to reference the original
15353 requests smb_saved_info_t but we dont touch it or change anything
15357 si.unidir = TRUE; /*we dont expect an answer to this one*/
15359 if(!pinfo->fd->flags.visited){
15360 /* try to find which original call we match and if we
15361 find it add us to the matched table. Dont touch
15362 anything else since we dont want this one to mess
15363 up the request/response matching. We still consider
15364 the initial call the real request and this is only
15365 some sort of continuation.
15367 /* we only check the unmatched table and assume that the
15368 last seen MID matching ours is the right one.
15369 This can fail but is better than nothing
15371 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
15373 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15374 new_key->frame = pinfo->fd->num;
15375 new_key->pid_mid = pid_mid;
15376 g_hash_table_insert(si.ct->matched, new_key,
15380 /* we have seen this packet before; check the
15383 key.frame = pinfo->fd->num;
15384 key.pid_mid = pid_mid;
15385 sip=g_hash_table_lookup(si.ct->matched, &key);
15389 Too bad, unfortunately there is not really much we can
15390 do now since this means that we never saw the initial
15397 if(sip && sip->frame_req){
15399 case SMB_COM_NT_CANCEL:
15400 proto_tree_add_uint(htree, hf_smb_cancel_to,
15401 tvb, 0, 0, sip->frame_req);
15403 case SMB_COM_TRANSACTION_SECONDARY:
15404 case SMB_COM_TRANSACTION2_SECONDARY:
15405 case SMB_COM_NT_TRANSACT_SECONDARY:
15406 proto_tree_add_uint(htree, hf_smb_continuation_to,
15407 tvb, 0, 0, sip->frame_req);
15412 case SMB_COM_NT_CANCEL:
15413 proto_tree_add_text(htree, tvb, 0, 0,
15414 "Cancellation to: <unknown frame>");
15416 case SMB_COM_TRANSACTION_SECONDARY:
15417 case SMB_COM_TRANSACTION2_SECONDARY:
15418 case SMB_COM_NT_TRANSACT_SECONDARY:
15419 proto_tree_add_text(htree, tvb, 0, 0,
15420 "Continuation to: <unknown frame>");
15424 } else { /* normal bidirectional request or response */
15427 if(!pinfo->fd->flags.visited){
15428 /* first see if we find an unmatched smb "equal" to
15431 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
15433 gboolean cmd_match=FALSE;
15436 * Make sure the SMB we found was the
15437 * same command, or a different command
15438 * that's another valid type of reply
15441 if(si.cmd==sip->cmd){
15444 else if(si.cmd==SMB_COM_NT_CANCEL){
15447 else if((si.cmd==SMB_COM_TRANSACTION_SECONDARY)
15448 && (sip->cmd==SMB_COM_TRANSACTION)){
15451 else if((si.cmd==SMB_COM_TRANSACTION2_SECONDARY)
15452 && (sip->cmd==SMB_COM_TRANSACTION2)){
15455 else if((si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)
15456 && (sip->cmd==SMB_COM_NT_TRANSACT)){
15460 if( (si.request) || (!cmd_match) ) {
15461 /* If we are processing an SMB request but there was already
15462 another "identical" smb resuest we had not matched yet.
15463 This must mean that either we have a retransmission or that the
15464 response to the previous one was lost and the client has reused
15465 the MID for this conversation. In either case it's not much more
15466 we can do than forget the old request and concentrate on the
15467 present one instead.
15469 We also do this cleanup if we see that the cmd in the original
15470 request in sip->cmd is not compatible with the current cmd.
15471 This is to prevent matching errors such as if there were two
15472 SMBs of different cmds but with identical MID and PID values and
15473 if ethereal lost the first reply and the second request.
15475 g_hash_table_remove(si.ct->unmatched, (void *)pid_mid);
15476 sip=NULL; /* XXX should free it as well */
15478 /* we have found a response to some request we have seen earlier.
15479 What we do now depends on whether this is the first response
15480 to that request we see (id frame_res==0) or not.
15482 if(sip->frame_res==0){
15483 /* ok it is the first response we have seen to this packet */
15484 sip->frame_res = pinfo->fd->num;
15485 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15486 new_key->frame = sip->frame_res;
15487 new_key->pid_mid = pid_mid;
15488 g_hash_table_insert(si.ct->matched, new_key, sip);
15490 /* we have already seen another response to this one, but
15491 register it anyway so we see which request it matches
15493 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15494 new_key->frame = pinfo->fd->num;
15495 new_key->pid_mid = pid_mid;
15496 g_hash_table_insert(si.ct->matched, new_key, sip);
15501 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
15502 sip->frame_req = pinfo->fd->num;
15503 sip->frame_res = 0;
15504 sip->req_time.secs=pinfo->fd->abs_secs;
15505 sip->req_time.nsecs=pinfo->fd->abs_usecs*1000;
15507 if(g_hash_table_lookup(si.ct->tid_service, (void *)si.tid)
15508 == (void *)TID_IPC) {
15509 sip->flags |= SMB_SIF_TID_IS_IPC;
15512 sip->extra_info = NULL;
15513 g_hash_table_insert(si.ct->unmatched, (void *)pid_mid, sip);
15514 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
15515 new_key->frame = sip->frame_req;
15516 new_key->pid_mid = pid_mid;
15517 g_hash_table_insert(si.ct->matched, new_key, sip);
15520 /* we have seen this packet before; check the
15522 If we haven't yet seen the reply, we won't
15523 find the info for it; we don't need it, as
15524 we only use it to save information, and, as
15525 we've seen this packet before, we've already
15526 saved the information.
15528 key.frame = pinfo->fd->num;
15529 key.pid_mid = pid_mid;
15530 sip=g_hash_table_lookup(si.ct->matched, &key);
15535 * Pass the "sip" on to subdissectors through "si".
15541 * Put in fields for the frame number of the frame to which
15542 * this is a response or the frame with the response to this
15543 * frame - if we know the frame number (i.e., it's not 0).
15546 if (sip->frame_res != 0)
15547 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
15549 if (sip->frame_req != 0) {
15550 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
15551 ns.secs = pinfo->fd->abs_secs - sip->req_time.secs;
15552 ns.nsecs = pinfo->fd->abs_usecs*1000 - sip->req_time.nsecs;
15554 ns.nsecs+=1000000000;
15557 proto_tree_add_time(htree, hf_smb_time, tvb,
15564 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si.cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si.cmd), si.cmd);
15567 if(flags2 & 0x4000){
15568 /* handle NT 32 bit error code */
15570 nt_status = tvb_get_letohl(tvb, offset);
15572 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
15577 /* handle DOS error code & class */
15578 errclass = tvb_get_guint8(tvb, offset);
15579 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
15583 /* reserved byte */
15584 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
15588 /* XXX - the type of this field depends on the value of
15589 * "errcls", so there is isn't a single value_string array
15590 * fo it, so there can't be a single field for it.
15592 errcode = tvb_get_letohs(tvb, offset);
15593 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
15594 offset, 2, errcode, "Error Code: %s",
15595 decode_smb_error(errclass, errcode));
15600 offset = dissect_smb_flags(tvb, htree, offset);
15603 offset = dissect_smb_flags2(tvb, htree, offset);
15608 * http://www.samba.org/samba/ftp/specs/smbpub.txt
15610 * (a text version of "Microsoft Networks SMB FILE SHARING
15611 * PROTOCOL, Document Version 6.0p") says that:
15613 * the first 2 bytes of these 12 bytes are, for NT Create and X,
15614 * the "High Part of PID";
15616 * the next four bytes are reserved;
15618 * the next four bytes are, for SMB-over-IPX (with no
15619 * NetBIOS involved) two bytes of Session ID and two bytes
15620 * of SequenceNumber.
15622 * If we ever implement SMB-over-IPX (which I suspect goes over
15623 * IPX sockets 0x0550, 0x0552, and maybe 0x0554, as per the
15624 * document in question), we'd probably want to have some way
15625 * to determine whether this is SMB-over-IPX or not (which could
15626 * be done by adding a PT_IPXSOCKET port type, having the
15627 * IPX dissector set "pinfo->srcport" and "pinfo->destport",
15628 * and having the SMB dissector check for a port type of
15629 * PT_IPXSOCKET and for "pinfo->match_port" being either
15630 * IPX_SOCKET_NWLINK_SMB_SERVER or IPX_SOCKET_NWLINK_SMB_REDIR
15631 * or, if it also uses 0x0554, IPX_SOCKET_NWLINK_SMB_MESSENGER).
15634 /* 12 reserved bytes */
15635 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 12, TRUE);
15639 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si.tid);
15643 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si.pid);
15647 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si.uid);
15651 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si.mid);
15654 pinfo->private_data = &si;
15655 dissect_smb_command(tvb, pinfo, offset, tree, si.cmd, TRUE);
15657 /* Append error info from this packet to info string. */
15658 if (!si.request && check_col(pinfo->cinfo, COL_INFO)) {
15659 if (flags2 & 0x4000) {
15661 * The status is an NT status code; was there
15664 if (nt_status != 0) {
15669 pinfo->cinfo, COL_INFO, ", Error: %s",
15670 val_to_str(nt_status, NT_errors,
15671 "Unknown (0x%08X)"));
15675 * The status is a DOS error class and code; was
15678 if (errclass != SMB_SUCCESS) {
15683 pinfo->cinfo, COL_INFO, ", Error: %s",
15684 decode_smb_error(errclass, errcode));
15693 proto_register_smb(void)
15695 static hf_register_info hf[] = {
15697 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
15698 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
15700 { &hf_smb_word_count,
15701 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
15702 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
15704 { &hf_smb_byte_count,
15705 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
15706 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
15708 { &hf_smb_response_to,
15709 { "Response to", "smb.response_to", FT_UINT32, BASE_DEC,
15710 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
15713 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
15714 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
15716 { &hf_smb_response_in,
15717 { "Response in", "smb.response_in", FT_UINT32, BASE_DEC,
15718 NULL, 0, "The response to this packet is in this packet", HFILL }},
15720 { &hf_smb_continuation_to,
15721 { "Continuation to", "smb.continuation_to", FT_UINT32, BASE_DEC,
15722 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
15724 { &hf_smb_nt_status,
15725 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
15726 VALS(NT_errors), 0, "NT Status code", HFILL }},
15728 { &hf_smb_error_class,
15729 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
15730 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
15732 { &hf_smb_error_code,
15733 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
15734 NULL, 0, "DOS Error Code", HFILL }},
15736 { &hf_smb_reserved,
15737 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
15738 NULL, 0, "Reserved bytes, must be zero", HFILL }},
15741 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
15742 NULL, 0, "Process ID", HFILL }},
15745 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
15746 NULL, 0, "Tree ID", HFILL }},
15749 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
15750 NULL, 0, "User ID", HFILL }},
15753 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
15754 NULL, 0, "Multiplex ID", HFILL }},
15756 { &hf_smb_flags_lock,
15757 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
15758 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
15760 { &hf_smb_flags_receive_buffer,
15761 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
15762 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
15764 { &hf_smb_flags_caseless,
15765 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
15766 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
15768 { &hf_smb_flags_canon,
15769 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
15770 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
15772 { &hf_smb_flags_oplock,
15773 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
15774 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
15776 { &hf_smb_flags_notify,
15777 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
15778 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
15780 { &hf_smb_flags_response,
15781 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
15782 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
15784 { &hf_smb_flags2_long_names_allowed,
15785 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
15786 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
15788 { &hf_smb_flags2_ea,
15789 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
15790 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
15792 { &hf_smb_flags2_sec_sig,
15793 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
15794 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
15796 { &hf_smb_flags2_long_names_used,
15797 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
15798 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
15800 { &hf_smb_flags2_esn,
15801 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
15802 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
15804 { &hf_smb_flags2_dfs,
15805 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
15806 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
15808 { &hf_smb_flags2_roe,
15809 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
15810 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
15812 { &hf_smb_flags2_nt_error,
15813 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
15814 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
15816 { &hf_smb_flags2_string,
15817 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
15818 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
15820 { &hf_smb_buffer_format,
15821 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
15822 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
15824 { &hf_smb_dialect_name,
15825 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
15826 NULL, 0, "Name of dialect", HFILL }},
15828 { &hf_smb_dialect_index,
15829 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
15830 NULL, 0, "Index of selected dialect", HFILL }},
15832 { &hf_smb_max_trans_buf_size,
15833 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
15834 NULL, 0, "Maximum transmit buffer size", HFILL }},
15836 { &hf_smb_max_mpx_count,
15837 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
15838 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
15840 { &hf_smb_max_vcs_num,
15841 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
15842 NULL, 0, "Maximum VCs between client and server", HFILL }},
15844 { &hf_smb_session_key,
15845 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
15846 NULL, 0, "Unique token identifying this session", HFILL }},
15848 { &hf_smb_server_timezone,
15849 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
15850 NULL, 0, "Current timezone at server.", HFILL }},
15852 { &hf_smb_encryption_key_length,
15853 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
15854 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
15856 { &hf_smb_encryption_key,
15857 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
15858 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
15860 { &hf_smb_primary_domain,
15861 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
15862 NULL, 0, "The server's primary domain", HFILL }},
15865 { "Server", "smb.server", FT_STRING, BASE_NONE,
15866 NULL, 0, "The name of the DC/server", HFILL }},
15868 { &hf_smb_max_raw_buf_size,
15869 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
15870 NULL, 0, "Maximum raw buffer size", HFILL }},
15872 { &hf_smb_server_guid,
15873 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
15874 NULL, 0, "Globally unique identifier for this server", HFILL }},
15876 { &hf_smb_security_blob_len,
15877 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
15878 NULL, 0, "Security blob length", HFILL }},
15880 { &hf_smb_security_blob,
15881 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
15882 NULL, 0, "Security blob", HFILL }},
15884 { &hf_smb_sm_mode16,
15885 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
15886 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15888 { &hf_smb_sm_password16,
15889 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
15890 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15893 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
15894 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15896 { &hf_smb_sm_password,
15897 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
15898 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15900 { &hf_smb_sm_signatures,
15901 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
15902 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
15904 { &hf_smb_sm_sig_required,
15905 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
15906 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
15909 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
15910 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
15912 { &hf_smb_rm_write,
15913 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
15914 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
15916 { &hf_smb_server_date_time,
15917 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
15918 NULL, 0, "Current date and time at server", HFILL }},
15920 { &hf_smb_server_smb_date,
15921 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
15922 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
15924 { &hf_smb_server_smb_time,
15925 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
15926 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
15928 { &hf_smb_server_cap_raw_mode,
15929 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
15930 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
15932 { &hf_smb_server_cap_mpx_mode,
15933 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
15934 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
15936 { &hf_smb_server_cap_unicode,
15937 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
15938 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
15940 { &hf_smb_server_cap_large_files,
15941 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
15942 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
15944 { &hf_smb_server_cap_nt_smbs,
15945 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
15946 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
15948 { &hf_smb_server_cap_rpc_remote_apis,
15949 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
15950 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
15952 { &hf_smb_server_cap_nt_status,
15953 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
15954 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
15956 { &hf_smb_server_cap_level_ii_oplocks,
15957 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
15958 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
15960 { &hf_smb_server_cap_lock_and_read,
15961 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
15962 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
15964 { &hf_smb_server_cap_nt_find,
15965 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
15966 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
15968 { &hf_smb_server_cap_dfs,
15969 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
15970 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
15972 { &hf_smb_server_cap_infolevel_passthru,
15973 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
15974 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
15976 { &hf_smb_server_cap_large_readx,
15977 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
15978 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
15980 { &hf_smb_server_cap_large_writex,
15981 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
15982 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
15984 { &hf_smb_server_cap_unix,
15985 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
15986 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
15988 { &hf_smb_server_cap_reserved,
15989 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
15990 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
15992 { &hf_smb_server_cap_bulk_transfer,
15993 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
15994 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
15996 { &hf_smb_server_cap_compressed_data,
15997 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
15998 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
16000 { &hf_smb_server_cap_extended_security,
16001 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
16002 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
16004 { &hf_smb_system_time,
16005 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
16006 NULL, 0, "System Time", HFILL }},
16009 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
16010 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
16012 { &hf_smb_dir_name,
16013 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
16014 NULL, 0, "SMB Directory Name", HFILL }},
16016 { &hf_smb_echo_count,
16017 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
16018 NULL, 0, "Number of times to echo data back", HFILL }},
16020 { &hf_smb_echo_data,
16021 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
16022 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
16024 { &hf_smb_echo_seq_num,
16025 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
16026 NULL, 0, "Sequence number for this echo response", HFILL }},
16028 { &hf_smb_max_buf_size,
16029 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
16030 NULL, 0, "Max client buffer size", HFILL }},
16033 { "Path", "smb.path", FT_STRING, BASE_NONE,
16034 NULL, 0, "Path. Server name and share name", HFILL }},
16037 { "Service", "smb.service", FT_STRING, BASE_NONE,
16038 NULL, 0, "Service name", HFILL }},
16040 { &hf_smb_password,
16041 { "Password", "smb.password", FT_BYTES, BASE_NONE,
16042 NULL, 0, "Password", HFILL }},
16044 { &hf_smb_ansi_password,
16045 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
16046 NULL, 0, "ANSI Password", HFILL }},
16048 { &hf_smb_unicode_password,
16049 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
16050 NULL, 0, "Unicode Password", HFILL }},
16052 { &hf_smb_move_flags_file,
16053 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
16054 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
16056 { &hf_smb_move_flags_dir,
16057 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
16058 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
16060 { &hf_smb_move_flags_verify,
16061 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
16062 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
16064 { &hf_smb_files_moved,
16065 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
16066 NULL, 0, "Number of files moved", HFILL }},
16068 { &hf_smb_copy_flags_file,
16069 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
16070 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
16072 { &hf_smb_copy_flags_dir,
16073 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
16074 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
16076 { &hf_smb_copy_flags_dest_mode,
16077 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
16078 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
16080 { &hf_smb_copy_flags_source_mode,
16081 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
16082 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
16084 { &hf_smb_copy_flags_verify,
16085 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
16086 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
16088 { &hf_smb_copy_flags_tree_copy,
16089 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
16090 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
16092 { &hf_smb_copy_flags_ea_action,
16093 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
16094 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
16097 { "Count", "smb.count", FT_UINT32, BASE_DEC,
16098 NULL, 0, "Count number of items/bytes", HFILL }},
16100 { &hf_smb_file_name,
16101 { "File Name", "smb.file", FT_STRING, BASE_NONE,
16102 NULL, 0, "File Name", HFILL }},
16104 { &hf_smb_open_function_create,
16105 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
16106 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
16108 { &hf_smb_open_function_open,
16109 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
16110 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
16113 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
16114 NULL, 0, "FID: File ID", HFILL }},
16116 { &hf_smb_file_attr_read_only_16bit,
16117 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
16118 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16120 { &hf_smb_file_attr_read_only_8bit,
16121 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
16122 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16124 { &hf_smb_file_attr_hidden_16bit,
16125 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
16126 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16128 { &hf_smb_file_attr_hidden_8bit,
16129 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
16130 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16132 { &hf_smb_file_attr_system_16bit,
16133 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
16134 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16136 { &hf_smb_file_attr_system_8bit,
16137 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
16138 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16140 { &hf_smb_file_attr_volume_16bit,
16141 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
16142 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
16144 { &hf_smb_file_attr_volume_8bit,
16145 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
16146 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
16148 { &hf_smb_file_attr_directory_16bit,
16149 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
16150 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16152 { &hf_smb_file_attr_directory_8bit,
16153 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
16154 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16156 { &hf_smb_file_attr_archive_16bit,
16157 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
16158 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16160 { &hf_smb_file_attr_archive_8bit,
16161 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
16162 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16164 { &hf_smb_file_attr_device,
16165 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
16166 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
16168 { &hf_smb_file_attr_normal,
16169 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
16170 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
16172 { &hf_smb_file_attr_temporary,
16173 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
16174 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
16176 { &hf_smb_file_attr_sparse,
16177 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
16178 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
16180 { &hf_smb_file_attr_reparse,
16181 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
16182 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
16184 { &hf_smb_file_attr_compressed,
16185 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
16186 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
16188 { &hf_smb_file_attr_offline,
16189 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
16190 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
16192 { &hf_smb_file_attr_not_content_indexed,
16193 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
16194 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
16196 { &hf_smb_file_attr_encrypted,
16197 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
16198 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
16200 { &hf_smb_file_size,
16201 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
16202 NULL, 0, "File Size", HFILL }},
16204 { &hf_smb_search_attribute_read_only,
16205 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
16206 TFS(&tfs_search_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
16208 { &hf_smb_search_attribute_hidden,
16209 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
16210 TFS(&tfs_search_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
16212 { &hf_smb_search_attribute_system,
16213 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
16214 TFS(&tfs_search_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
16216 { &hf_smb_search_attribute_volume,
16217 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
16218 TFS(&tfs_search_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
16220 { &hf_smb_search_attribute_directory,
16221 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
16222 TFS(&tfs_search_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
16224 { &hf_smb_search_attribute_archive,
16225 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
16226 TFS(&tfs_search_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
16228 { &hf_smb_access_mode,
16229 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
16230 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
16232 { &hf_smb_access_sharing,
16233 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
16234 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
16236 { &hf_smb_access_locality,
16237 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
16238 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
16240 { &hf_smb_access_caching,
16241 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
16242 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
16244 { &hf_smb_access_writetru,
16245 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
16246 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
16248 { &hf_smb_create_time,
16249 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
16250 NULL, 0, "Creation Time", HFILL }},
16252 { &hf_smb_modify_time,
16253 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
16254 NULL, 0, "Modification Time", HFILL }},
16256 { &hf_smb_backup_time,
16257 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
16258 NULL, 0, "Backup time", HFILL}},
16260 { &hf_smb_mac_alloc_block_count,
16261 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
16262 NULL, 0, "Allocation Block Count", HFILL}},
16264 { &hf_smb_mac_alloc_block_size,
16265 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
16266 NULL, 0, "Allocation Block Size", HFILL}},
16268 { &hf_smb_mac_free_block_count,
16269 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
16270 NULL, 0, "Free Block Count", HFILL}},
16272 { &hf_smb_mac_root_file_count,
16273 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
16274 NULL, 0, "Root File Count", HFILL}},
16276 { &hf_smb_mac_root_dir_count,
16277 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
16278 NULL, 0, "Root Directory Count", HFILL}},
16280 { &hf_smb_mac_file_count,
16281 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
16282 NULL, 0, "File Count", HFILL}},
16284 { &hf_smb_mac_dir_count,
16285 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
16286 NULL, 0, "Directory Count", HFILL}},
16288 { &hf_smb_mac_support_flags,
16289 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
16290 NULL, 0, "Mac Support Flags", HFILL}},
16292 { &hf_smb_mac_sup_access_ctrl,
16293 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
16294 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
16296 { &hf_smb_mac_sup_getset_comments,
16297 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
16298 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
16300 { &hf_smb_mac_sup_desktopdb_calls,
16301 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
16302 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
16304 { &hf_smb_mac_sup_unique_ids,
16305 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
16306 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
16308 { &hf_smb_mac_sup_streams,
16309 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
16310 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
16312 { &hf_smb_create_dos_date,
16313 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
16314 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
16316 { &hf_smb_create_dos_time,
16317 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
16318 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
16320 { &hf_smb_last_write_time,
16321 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
16322 NULL, 0, "Time this file was last written to", HFILL }},
16324 { &hf_smb_last_write_dos_date,
16325 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
16326 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
16328 { &hf_smb_last_write_dos_time,
16329 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
16330 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
16332 { &hf_smb_old_file_name,
16333 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
16334 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
16337 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
16338 NULL, 0, "Offset in file", HFILL }},
16340 { &hf_smb_remaining,
16341 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
16342 NULL, 0, "Remaining number of bytes", HFILL }},
16345 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
16346 NULL, 0, "Padding or unknown data", HFILL }},
16348 { &hf_smb_file_data,
16349 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
16350 NULL, 0, "Data read/written to the file", HFILL }},
16352 { &hf_smb_mac_fndrinfo,
16353 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
16354 NULL, 0, "Finder Info", HFILL}},
16356 { &hf_smb_total_data_len,
16357 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
16358 NULL, 0, "Total length of data", HFILL }},
16360 { &hf_smb_data_len,
16361 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
16362 NULL, 0, "Length of data", HFILL }},
16364 { &hf_smb_seek_mode,
16365 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
16366 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
16368 { &hf_smb_access_time,
16369 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
16370 NULL, 0, "Last Access Time", HFILL }},
16372 { &hf_smb_access_dos_date,
16373 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
16374 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
16376 { &hf_smb_access_dos_time,
16377 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
16378 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
16380 { &hf_smb_data_size,
16381 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
16382 NULL, 0, "Data Size", HFILL }},
16384 { &hf_smb_alloc_size,
16385 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
16386 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
16388 { &hf_smb_max_count,
16389 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
16390 NULL, 0, "Maximum Count", HFILL }},
16392 { &hf_smb_min_count,
16393 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
16394 NULL, 0, "Minimum Count", HFILL }},
16397 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
16398 NULL, 0, "Timeout in miliseconds", HFILL }},
16400 { &hf_smb_high_offset,
16401 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
16402 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
16405 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
16406 NULL, 0, "Total number of units at server", HFILL }},
16409 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
16410 NULL, 0, "Blocks per unit at server", HFILL }},
16412 { &hf_smb_blocksize,
16413 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
16414 NULL, 0, "Block size (in bytes) at server", HFILL }},
16416 { &hf_smb_freeunits,
16417 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
16418 NULL, 0, "Number of free units at server", HFILL }},
16420 { &hf_smb_data_offset,
16421 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
16422 NULL, 0, "Data Offset", HFILL }},
16425 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
16426 NULL, 0, "Data Compaction Mode", HFILL }},
16428 { &hf_smb_request_mask,
16429 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
16430 NULL, 0, "Connectionless mode mask", HFILL }},
16432 { &hf_smb_response_mask,
16433 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
16434 NULL, 0, "Connectionless mode mask", HFILL }},
16437 { "SID", "smb.sid", FT_UINT16, BASE_HEX,
16438 NULL, 0, "SID: Search ID, handle for find operations", HFILL }},
16440 { &hf_smb_write_mode_write_through,
16441 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
16442 TFS(&tfs_write_mode_write_through), 0x0001, "Write through mode requested?", HFILL }},
16444 { &hf_smb_write_mode_return_remaining,
16445 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
16446 TFS(&tfs_write_mode_return_remaining), 0x0002, "Return remaining data responses?", HFILL }},
16448 { &hf_smb_write_mode_raw,
16449 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
16450 TFS(&tfs_write_mode_raw), 0x0004, "Use WriteRawNamedPipe?", HFILL }},
16452 { &hf_smb_write_mode_message_start,
16453 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
16454 TFS(&tfs_write_mode_message_start), 0x0008, "Is this the start of a message?", HFILL }},
16456 { &hf_smb_write_mode_connectionless,
16457 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
16458 TFS(&tfs_write_mode_connectionless), 0x0080, "Connectionless mode requested?", HFILL }},
16460 { &hf_smb_resume_key_len,
16461 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
16462 NULL, 0, "Resume Key length", HFILL }},
16464 { &hf_smb_resume_find_id,
16465 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
16466 NULL, 0, "Handle for Find operation", HFILL }},
16468 { &hf_smb_resume_server_cookie,
16469 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
16470 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
16472 { &hf_smb_resume_client_cookie,
16473 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
16474 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
16476 { &hf_smb_andxoffset,
16477 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
16478 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
16480 { &hf_smb_lock_type_large,
16481 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
16482 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
16484 { &hf_smb_lock_type_cancel,
16485 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
16486 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
16488 { &hf_smb_lock_type_change,
16489 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
16490 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
16492 { &hf_smb_lock_type_oplock,
16493 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
16494 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
16496 { &hf_smb_lock_type_shared,
16497 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
16498 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
16500 { &hf_smb_locking_ol,
16501 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
16502 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
16504 { &hf_smb_number_of_locks,
16505 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
16506 NULL, 0, "Number of lock requests in this request", HFILL }},
16508 { &hf_smb_number_of_unlocks,
16509 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
16510 NULL, 0, "Number of unlock requests in this request", HFILL }},
16512 { &hf_smb_lock_long_length,
16513 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
16514 NULL, 0, "Length of lock/unlock region", HFILL }},
16516 { &hf_smb_lock_long_offset,
16517 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
16518 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
16520 { &hf_smb_file_type,
16521 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
16522 VALS(filetype_vals), 0, "Type of file", HFILL }},
16524 { &hf_smb_ipc_state_nonblocking,
16525 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
16526 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
16528 { &hf_smb_ipc_state_endpoint,
16529 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
16530 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
16532 { &hf_smb_ipc_state_pipe_type,
16533 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
16534 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
16536 { &hf_smb_ipc_state_read_mode,
16537 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
16538 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
16540 { &hf_smb_ipc_state_icount,
16541 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
16542 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
16544 { &hf_smb_server_fid,
16545 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
16546 NULL, 0, "Server unique File ID", HFILL }},
16548 { &hf_smb_open_flags_add_info,
16549 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
16550 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
16552 { &hf_smb_open_flags_ex_oplock,
16553 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
16554 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
16556 { &hf_smb_open_flags_batch_oplock,
16557 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
16558 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
16560 { &hf_smb_open_flags_ealen,
16561 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
16562 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
16564 { &hf_smb_open_action_open,
16565 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
16566 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
16568 { &hf_smb_open_action_lock,
16569 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
16570 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
16573 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
16574 NULL, 0, "VC Number", HFILL }},
16576 { &hf_smb_password_len,
16577 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
16578 NULL, 0, "Length of password", HFILL }},
16580 { &hf_smb_ansi_password_len,
16581 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
16582 NULL, 0, "Length of ANSI password", HFILL }},
16584 { &hf_smb_unicode_password_len,
16585 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
16586 NULL, 0, "Length of Unicode password", HFILL }},
16589 { "Account", "smb.account", FT_STRING, BASE_NONE,
16590 NULL, 0, "Account, username", HFILL }},
16593 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
16594 NULL, 0, "Which OS we are running", HFILL }},
16597 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
16598 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
16600 { &hf_smb_setup_action_guest,
16601 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
16602 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
16605 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
16606 NULL, 0, "Native File System", HFILL }},
16608 { &hf_smb_connect_flags_dtid,
16609 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
16610 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
16612 { &hf_smb_connect_support_search,
16613 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
16614 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
16616 { &hf_smb_connect_support_in_dfs,
16617 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
16618 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
16620 { &hf_smb_max_setup_count,
16621 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
16622 NULL, 0, "Maximum number of setup words to return", HFILL }},
16624 { &hf_smb_total_param_count,
16625 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
16626 NULL, 0, "Total number of parameter bytes", HFILL }},
16628 { &hf_smb_total_data_count,
16629 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
16630 NULL, 0, "Total number of data bytes", HFILL }},
16632 { &hf_smb_max_param_count,
16633 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
16634 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
16636 { &hf_smb_max_data_count,
16637 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
16638 NULL, 0, "Maximum number of data bytes to return", HFILL }},
16640 { &hf_smb_param_disp16,
16641 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
16642 NULL, 0, "Displacement of these parameter bytes", HFILL }},
16644 { &hf_smb_param_count16,
16645 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
16646 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
16648 { &hf_smb_param_offset16,
16649 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
16650 NULL, 0, "Offset (from header start) to parameters", HFILL }},
16652 { &hf_smb_param_disp32,
16653 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
16654 NULL, 0, "Displacement of these parameter bytes", HFILL }},
16656 { &hf_smb_param_count32,
16657 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
16658 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
16660 { &hf_smb_param_offset32,
16661 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
16662 NULL, 0, "Offset (from header start) to parameters", HFILL }},
16664 { &hf_smb_data_count16,
16665 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
16666 NULL, 0, "Number of data bytes in this buffer", HFILL }},
16668 { &hf_smb_data_disp16,
16669 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
16670 NULL, 0, "Data Displacement", HFILL }},
16672 { &hf_smb_data_offset16,
16673 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
16674 NULL, 0, "Data Offset", HFILL }},
16676 { &hf_smb_data_count32,
16677 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
16678 NULL, 0, "Number of data bytes in this buffer", HFILL }},
16680 { &hf_smb_data_disp32,
16681 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
16682 NULL, 0, "Data Displacement", HFILL }},
16684 { &hf_smb_data_offset32,
16685 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
16686 NULL, 0, "Data Offset", HFILL }},
16688 { &hf_smb_setup_count,
16689 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
16690 NULL, 0, "Number of setup words in this buffer", HFILL }},
16692 { &hf_smb_nt_trans_subcmd,
16693 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
16694 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
16696 { &hf_smb_nt_ioctl_function_code,
16697 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
16698 NULL, 0, "NT IOCTL function code", HFILL }},
16700 { &hf_smb_nt_ioctl_isfsctl,
16701 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
16702 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
16704 { &hf_smb_nt_ioctl_flags_root_handle,
16705 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
16706 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
16708 { &hf_smb_nt_ioctl_data,
16709 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
16710 NULL, 0, "Data for the IOCTL call", HFILL }},
16712 { &hf_smb_nt_notify_action,
16713 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
16714 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
16716 { &hf_smb_nt_notify_watch_tree,
16717 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
16718 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
16720 { &hf_smb_nt_notify_stream_write,
16721 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
16722 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
16724 { &hf_smb_nt_notify_stream_size,
16725 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
16726 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
16728 { &hf_smb_nt_notify_stream_name,
16729 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
16730 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
16732 { &hf_smb_nt_notify_security,
16733 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
16734 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
16736 { &hf_smb_nt_notify_ea,
16737 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
16738 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
16740 { &hf_smb_nt_notify_creation,
16741 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
16742 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
16744 { &hf_smb_nt_notify_last_access,
16745 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
16746 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
16748 { &hf_smb_nt_notify_last_write,
16749 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
16750 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
16752 { &hf_smb_nt_notify_size,
16753 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
16754 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
16756 { &hf_smb_nt_notify_attributes,
16757 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
16758 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
16760 { &hf_smb_nt_notify_dir_name,
16761 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
16762 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
16764 { &hf_smb_nt_notify_file_name,
16765 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
16766 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
16768 { &hf_smb_root_dir_fid,
16769 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
16770 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
16772 { &hf_smb_alloc_size64,
16773 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
16774 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
16776 { &hf_smb_nt_create_disposition,
16777 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
16778 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
16780 { &hf_smb_sd_length,
16781 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
16782 NULL, 0, "Total length of security descriptor", HFILL }},
16784 { &hf_smb_ea_length,
16785 { "EA Length", "smb.ea.length", FT_UINT32, BASE_DEC,
16786 NULL, 0, "Total EA length for opened file", HFILL }},
16788 { &hf_smb_file_name_len,
16789 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
16790 NULL, 0, "Length of File Name", HFILL }},
16792 { &hf_smb_nt_impersonation_level,
16793 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
16794 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
16796 { &hf_smb_nt_security_flags_context_tracking,
16797 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
16798 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
16800 { &hf_smb_nt_security_flags_effective_only,
16801 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
16802 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
16804 { &hf_smb_nt_access_mask_generic_read,
16805 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
16806 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
16808 { &hf_smb_nt_access_mask_generic_write,
16809 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
16810 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
16812 { &hf_smb_nt_access_mask_generic_execute,
16813 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
16814 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
16816 { &hf_smb_nt_access_mask_generic_all,
16817 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
16818 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
16820 { &hf_smb_nt_access_mask_maximum_allowed,
16821 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
16822 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
16824 { &hf_smb_nt_access_mask_system_security,
16825 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
16826 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
16828 { &hf_smb_nt_access_mask_synchronize,
16829 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
16830 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
16832 { &hf_smb_nt_access_mask_write_owner,
16833 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
16834 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
16836 { &hf_smb_nt_access_mask_write_dac,
16837 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
16838 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
16840 { &hf_smb_nt_access_mask_read_control,
16841 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
16842 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
16844 { &hf_smb_nt_access_mask_delete,
16845 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
16846 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
16848 { &hf_smb_nt_access_mask_write_attributes,
16849 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
16850 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
16852 { &hf_smb_nt_access_mask_read_attributes,
16853 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
16854 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
16856 { &hf_smb_nt_access_mask_delete_child,
16857 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
16858 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
16861 * "Execute" for files, "traverse" for directories.
16863 { &hf_smb_nt_access_mask_execute,
16864 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
16865 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
16867 { &hf_smb_nt_access_mask_write_ea,
16868 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
16869 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
16871 { &hf_smb_nt_access_mask_read_ea,
16872 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
16873 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
16876 * "Append data" for files, "add subdirectory" for directories,
16877 * "create pipe instance" for named pipes.
16879 { &hf_smb_nt_access_mask_append,
16880 { "Append", "smb.access.append", FT_BOOLEAN, 32,
16881 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
16884 * "Write data" for files and pipes, "add file" for directory.
16886 { &hf_smb_nt_access_mask_write,
16887 { "Write", "smb.access.write", FT_BOOLEAN, 32,
16888 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
16891 * "Read data" for files and pipes, "list directory" for directory.
16893 { &hf_smb_nt_access_mask_read,
16894 { "Read", "smb.access.read", FT_BOOLEAN, 32,
16895 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
16897 { &hf_smb_nt_create_bits_oplock,
16898 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
16899 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
16901 { &hf_smb_nt_create_bits_boplock,
16902 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
16903 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
16905 { &hf_smb_nt_create_bits_dir,
16906 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
16907 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
16909 { &hf_smb_nt_create_options_directory_file,
16910 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
16911 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
16913 { &hf_smb_nt_create_options_write_through,
16914 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
16915 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
16917 { &hf_smb_nt_create_options_sequential_only,
16918 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
16919 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
16921 { &hf_smb_nt_create_options_sync_io_alert,
16922 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
16923 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
16925 { &hf_smb_nt_create_options_sync_io_nonalert,
16926 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
16927 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
16929 { &hf_smb_nt_create_options_non_directory_file,
16930 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
16931 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
16933 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
16934 and "NtOpenFile()"; is that sent over the wire? Network
16935 Monitor thinks so, but its author may just have grabbed
16936 the flag bits from a system header file. */
16938 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
16939 and "NtOpenFile()"; is that sent over the wire? NetMon
16940 thinks so, but see previous comment. */
16942 { &hf_smb_nt_create_options_no_ea_knowledge,
16943 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
16944 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
16946 { &hf_smb_nt_create_options_eight_dot_three_only,
16947 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
16948 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
16950 { &hf_smb_nt_create_options_random_access,
16951 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
16952 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
16954 { &hf_smb_nt_create_options_delete_on_close,
16955 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
16956 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
16958 /* 0x00002000 is "open by FID", or something such as that (which
16959 I suspect is like "open by inumber" on UNIX), at least in
16960 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
16961 wire? NetMon thinks so, but see previous comment. */
16963 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
16964 and "NtOpenFile()"; is that sent over the wire? NetMon
16965 thinks so, but see previous comment. */
16967 { &hf_smb_nt_share_access_read,
16968 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
16969 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
16971 { &hf_smb_nt_share_access_write,
16972 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
16973 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
16975 { &hf_smb_nt_share_access_delete,
16976 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
16977 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
16979 { &hf_smb_file_eattr_read_only,
16980 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
16981 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16983 { &hf_smb_file_eattr_hidden,
16984 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
16985 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16987 { &hf_smb_file_eattr_system,
16988 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
16989 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16991 { &hf_smb_file_eattr_volume,
16992 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
16993 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
16995 { &hf_smb_file_eattr_directory,
16996 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
16997 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16999 { &hf_smb_file_eattr_archive,
17000 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
17001 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17003 { &hf_smb_file_eattr_device,
17004 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
17005 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
17007 { &hf_smb_file_eattr_normal,
17008 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
17009 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
17011 { &hf_smb_file_eattr_temporary,
17012 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
17013 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
17015 { &hf_smb_file_eattr_sparse,
17016 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
17017 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
17019 { &hf_smb_file_eattr_reparse,
17020 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
17021 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
17023 { &hf_smb_file_eattr_compressed,
17024 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
17025 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
17027 { &hf_smb_file_eattr_offline,
17028 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
17029 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
17031 { &hf_smb_file_eattr_not_content_indexed,
17032 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
17033 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
17035 { &hf_smb_file_eattr_encrypted,
17036 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
17037 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
17039 { &hf_smb_file_eattr_write_through,
17040 { "Write Through", "smb.file_attribute.write_through", FT_BOOLEAN, 32,
17041 TFS(&tfs_file_attribute_write_through), FILE_ATTRIBUTE_WRITE_THROUGH, "Does this object need write through?", HFILL }},
17043 { &hf_smb_file_eattr_no_buffering,
17044 { "No Buffering", "smb.file_attribute.no_buffering", FT_BOOLEAN, 32,
17045 TFS(&tfs_file_attribute_no_buffering), FILE_ATTRIBUTE_NO_BUFFERING, "May the server buffer this object?", HFILL }},
17047 { &hf_smb_file_eattr_random_access,
17048 { "Random Access", "smb.file_attribute.random_access", FT_BOOLEAN, 32,
17049 TFS(&tfs_file_attribute_random_access), FILE_ATTRIBUTE_RANDOM_ACCESS, "Optimize for random access", HFILL }},
17051 { &hf_smb_file_eattr_sequential_scan,
17052 { "Sequential Scan", "smb.file_attribute.sequential_scan", FT_BOOLEAN, 32,
17053 TFS(&tfs_file_attribute_sequential_scan), FILE_ATTRIBUTE_SEQUENTIAL_SCAN, "Optimize for sequential scan", HFILL }},
17055 { &hf_smb_file_eattr_delete_on_close,
17056 { "Delete on Close", "smb.file_attribute.delete_on_close", FT_BOOLEAN, 32,
17057 TFS(&tfs_file_attribute_delete_on_close), FILE_ATTRIBUTE_DELETE_ON_CLOSE, "Should this object be deleted on close?", HFILL }},
17059 { &hf_smb_file_eattr_backup_semantics,
17060 { "Backup", "smb.file_attribute.backup_semantics", FT_BOOLEAN, 32,
17061 TFS(&tfs_file_attribute_backup_semantics), FILE_ATTRIBUTE_BACKUP_SEMANTICS, "Does this object need/support backup semantics", HFILL }},
17063 { &hf_smb_file_eattr_posix_semantics,
17064 { "Posix", "smb.file_attribute.posix_semantics", FT_BOOLEAN, 32,
17065 TFS(&tfs_file_attribute_posix_semantics), FILE_ATTRIBUTE_POSIX_SEMANTICS, "Does this object need/support POSIX semantics?", HFILL }},
17067 { &hf_smb_sec_desc_len,
17068 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
17069 NULL, 0, "Security Descriptor Length", HFILL }},
17071 { &hf_smb_nt_qsd_owner,
17072 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
17073 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
17075 { &hf_smb_nt_qsd_group,
17076 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
17077 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
17079 { &hf_smb_nt_qsd_dacl,
17080 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
17081 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
17083 { &hf_smb_nt_qsd_sacl,
17084 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
17085 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
17087 { &hf_smb_extended_attributes,
17088 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
17089 NULL, 0, "Extended Attributes", HFILL }},
17091 { &hf_smb_oplock_level,
17092 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
17093 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
17095 { &hf_smb_create_action,
17096 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
17097 VALS(create_disposition_vals), 0, "Type of action taken", HFILL }},
17100 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
17101 NULL, 0, "Server unique file ID", HFILL }},
17103 { &hf_smb_ea_error_offset,
17104 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
17105 NULL, 0, "Offset into EA list if EA error", HFILL }},
17107 { &hf_smb_end_of_file,
17108 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
17109 NULL, 0, "Offset to the first free byte in the file", HFILL }},
17111 { &hf_smb_device_type,
17112 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
17113 VALS(device_type_vals), 0, "Type of device", HFILL }},
17115 { &hf_smb_is_directory,
17116 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
17117 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
17119 { &hf_smb_next_entry_offset,
17120 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
17121 NULL, 0, "Offset to next entry", HFILL }},
17123 { &hf_smb_change_time,
17124 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
17125 NULL, 0, "Last Change Time", HFILL }},
17127 { &hf_smb_setup_len,
17128 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
17129 NULL, 0, "Length of printer setup data", HFILL }},
17131 { &hf_smb_print_mode,
17132 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
17133 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
17135 { &hf_smb_print_identifier,
17136 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
17137 NULL, 0, "Identifier string for this print job", HFILL }},
17139 { &hf_smb_restart_index,
17140 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
17141 NULL, 0, "Index of entry after last returned", HFILL }},
17143 { &hf_smb_print_queue_date,
17144 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
17145 NULL, 0, "Date when this entry was queued", HFILL }},
17147 { &hf_smb_print_queue_dos_date,
17148 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
17149 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
17151 { &hf_smb_print_queue_dos_time,
17152 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
17153 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
17155 { &hf_smb_print_status,
17156 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
17157 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
17159 { &hf_smb_print_spool_file_number,
17160 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
17161 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
17163 { &hf_smb_print_spool_file_size,
17164 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
17165 NULL, 0, "Number of bytes in spool file", HFILL }},
17167 { &hf_smb_print_spool_file_name,
17168 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
17169 NULL, 0, "Name of client that submitted this job", HFILL }},
17171 { &hf_smb_start_index,
17172 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
17173 NULL, 0, "First queue entry to return", HFILL }},
17175 { &hf_smb_originator_name,
17176 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
17177 NULL, 0, "Name of sender of message", HFILL }},
17179 { &hf_smb_destination_name,
17180 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
17181 NULL, 0, "Name of recipient of message", HFILL }},
17183 { &hf_smb_message_len,
17184 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
17185 NULL, 0, "Length of message", HFILL }},
17188 { "Message", "smb.message", FT_STRING, BASE_NONE,
17189 NULL, 0, "Message text", HFILL }},
17192 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
17193 NULL, 0, "Message group ID for multi-block messages", HFILL }},
17195 { &hf_smb_forwarded_name,
17196 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
17197 NULL, 0, "Recipient name being forwarded", HFILL }},
17199 { &hf_smb_machine_name,
17200 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
17201 NULL, 0, "Name of target machine", HFILL }},
17203 { &hf_smb_cancel_to,
17204 { "Cancel to", "smb.cancel_to", FT_UINT32, BASE_DEC,
17205 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
17207 { &hf_smb_trans2_subcmd,
17208 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
17209 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
17211 { &hf_smb_trans_name,
17212 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
17213 NULL, 0, "Name of transaction", HFILL }},
17215 { &hf_smb_transaction_flags_dtid,
17216 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
17217 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
17219 { &hf_smb_transaction_flags_owt,
17220 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
17221 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
17223 { &hf_smb_search_count,
17224 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
17225 NULL, 0, "Maximum number of search entries to return", HFILL }},
17227 { &hf_smb_search_pattern,
17228 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
17229 NULL, 0, "Search Pattern", HFILL }},
17231 { &hf_smb_ff2_backup,
17232 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
17233 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
17235 { &hf_smb_ff2_continue,
17236 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
17237 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
17239 { &hf_smb_ff2_resume,
17240 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
17241 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
17243 { &hf_smb_ff2_close_eos,
17244 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
17245 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
17247 { &hf_smb_ff2_close,
17248 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
17249 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
17251 { &hf_smb_ff2_information_level,
17252 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
17253 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
17256 { "Level of Interest", "smb.loi", FT_UINT16, BASE_DEC,
17257 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] commands", HFILL }},
17260 { &hf_smb_sfi_writetru,
17261 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
17262 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
17264 { &hf_smb_sfi_caching,
17265 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
17266 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
17269 { &hf_smb_storage_type,
17270 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
17271 NULL, 0, "Type of storage", HFILL }},
17274 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
17275 NULL, 0, "Resume Key", HFILL }},
17277 { &hf_smb_max_referral_level,
17278 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
17279 NULL, 0, "Latest referral version number understood", HFILL }},
17281 { &hf_smb_qfsi_information_level,
17282 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_HEX,
17283 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
17285 { &hf_smb_nt_rename_level,
17286 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
17287 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
17289 { &hf_smb_cluster_count,
17290 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
17291 NULL, 0, "Number of clusters", HFILL }},
17294 { "EA Size", "smb.ea_size", FT_UINT32, BASE_DEC,
17295 NULL, 0, "Size of file's EA information", HFILL }},
17297 { &hf_smb_list_length,
17298 { "ListLength", "smb.list_len", FT_UINT32, BASE_DEC,
17299 NULL, 0, "Length of the remaining data", HFILL }},
17301 { &hf_smb_number_of_links,
17302 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
17303 NULL, 0, "Number of hard links to the file", HFILL }},
17305 { &hf_smb_delete_pending,
17306 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
17307 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
17309 { &hf_smb_index_number,
17310 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
17311 NULL, 0, "File system unique identifier", HFILL }},
17313 { &hf_smb_current_offset,
17314 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
17315 NULL, 0, "Current offset in the file", HFILL }},
17317 { &hf_smb_t2_alignment,
17318 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
17319 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
17321 { &hf_smb_t2_stream_name_length,
17322 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
17323 NULL, 0, "Length of stream name", HFILL }},
17325 { &hf_smb_t2_stream_size,
17326 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
17327 NULL, 0, "Size of the stream in number of bytes", HFILL }},
17329 { &hf_smb_t2_stream_name,
17330 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
17331 NULL, 0, "Name of the stream", HFILL }},
17333 { &hf_smb_t2_compressed_file_size,
17334 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
17335 NULL, 0, "Size of the compressed file", HFILL }},
17337 { &hf_smb_t2_compressed_format,
17338 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
17339 NULL, 0, "Compression algorithm used", HFILL }},
17341 { &hf_smb_t2_compressed_unit_shift,
17342 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
17343 NULL, 0, "Size of the stream in number of bytes", HFILL }},
17345 { &hf_smb_t2_compressed_chunk_shift,
17346 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
17347 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
17349 { &hf_smb_t2_compressed_cluster_shift,
17350 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
17351 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
17353 { &hf_smb_dfs_path_consumed,
17354 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
17355 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
17357 { &hf_smb_dfs_num_referrals,
17358 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
17359 NULL, 0, "Number of referrals in this pdu", HFILL }},
17361 { &hf_smb_get_dfs_server_hold_storage,
17362 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
17363 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
17365 { &hf_smb_get_dfs_fielding,
17366 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
17367 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
17369 { &hf_smb_dfs_referral_version,
17370 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
17371 NULL, 0, "Version of referral element", HFILL }},
17373 { &hf_smb_dfs_referral_size,
17374 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
17375 NULL, 0, "Size of referral element", HFILL }},
17377 { &hf_smb_dfs_referral_server_type,
17378 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
17379 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
17381 { &hf_smb_dfs_referral_flags_strip,
17382 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
17383 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
17385 { &hf_smb_dfs_referral_node_offset,
17386 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
17387 NULL, 0, "Offset of name of entity to visit next", HFILL }},
17389 { &hf_smb_dfs_referral_node,
17390 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
17391 NULL, 0, "Name of entity to visit next", HFILL }},
17393 { &hf_smb_dfs_referral_proximity,
17394 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
17395 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
17397 { &hf_smb_dfs_referral_ttl,
17398 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
17399 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
17401 { &hf_smb_dfs_referral_path_offset,
17402 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
17403 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
17405 { &hf_smb_dfs_referral_path,
17406 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
17407 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
17409 { &hf_smb_dfs_referral_alt_path_offset,
17410 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
17411 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
17413 { &hf_smb_dfs_referral_alt_path,
17414 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
17415 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
17417 { &hf_smb_end_of_search,
17418 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
17419 NULL, 0, "Was last entry returned?", HFILL }},
17421 { &hf_smb_last_name_offset,
17422 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
17423 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
17425 { &hf_smb_fn_information_level,
17426 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
17427 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
17429 { &hf_smb_monitor_handle,
17430 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
17431 NULL, 0, "Handle for Find Notify operations", HFILL }},
17433 { &hf_smb_change_count,
17434 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
17435 NULL, 0, "Number of changes to wait for", HFILL }},
17437 { &hf_smb_file_index,
17438 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
17439 NULL, 0, "File index", HFILL }},
17441 { &hf_smb_short_file_name,
17442 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
17443 NULL, 0, "Short (8.3) File Name", HFILL }},
17445 { &hf_smb_short_file_name_len,
17446 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
17447 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
17450 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
17451 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
17453 { &hf_smb_sector_unit,
17454 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
17455 NULL, 0, "Sectors per allocation unit", HFILL }},
17457 { &hf_smb_fs_units,
17458 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
17459 NULL, 0, "Total number of units on this filesystem", HFILL }},
17461 { &hf_smb_fs_sector,
17462 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
17463 NULL, 0, "Bytes per sector", HFILL }},
17465 { &hf_smb_avail_units,
17466 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
17467 NULL, 0, "Total number of available units on this filesystem", HFILL }},
17469 { &hf_smb_volume_serial_num,
17470 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
17471 NULL, 0, "Volume serial number", HFILL }},
17473 { &hf_smb_volume_label_len,
17474 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
17475 NULL, 0, "Length of volume label", HFILL }},
17477 { &hf_smb_volume_label,
17478 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
17479 NULL, 0, "Volume label", HFILL }},
17481 { &hf_smb_free_alloc_units64,
17482 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
17483 NULL, 0, "Number of free allocation units", HFILL }},
17485 { &hf_smb_caller_free_alloc_units64,
17486 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
17487 NULL, 0, "Number of caller free allocation units", HFILL }},
17489 { &hf_smb_actual_free_alloc_units64,
17490 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
17491 NULL, 0, "Number of actual free allocation units", HFILL }},
17493 { &hf_smb_soft_quota_limit,
17494 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
17495 NULL, 0, "Soft Quota treshold", HFILL }},
17497 { &hf_smb_hard_quota_limit,
17498 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
17499 NULL, 0, "Hard Quota limit", HFILL }},
17501 { &hf_smb_user_quota_used,
17502 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
17503 NULL, 0, "How much Quota is used by this user", HFILL }},
17505 { &hf_smb_max_name_len,
17506 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
17507 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
17509 { &hf_smb_fs_name_len,
17510 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
17511 NULL, 0, "Length of filesystem name in bytes", HFILL }},
17514 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
17515 NULL, 0, "Name of filesystem", HFILL }},
17517 { &hf_smb_device_char_removable,
17518 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
17519 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
17521 { &hf_smb_device_char_read_only,
17522 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
17523 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
17525 { &hf_smb_device_char_floppy,
17526 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
17527 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
17529 { &hf_smb_device_char_write_once,
17530 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
17531 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
17533 { &hf_smb_device_char_remote,
17534 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
17535 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
17537 { &hf_smb_device_char_mounted,
17538 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
17539 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
17541 { &hf_smb_device_char_virtual,
17542 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
17543 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
17545 { &hf_smb_fs_attr_css,
17546 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
17547 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
17549 { &hf_smb_fs_attr_cpn,
17550 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
17551 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
17553 { &hf_smb_fs_attr_pacls,
17554 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
17555 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
17557 { &hf_smb_fs_attr_fc,
17558 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
17559 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
17561 { &hf_smb_fs_attr_vq,
17562 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
17563 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
17565 { &hf_smb_fs_attr_dim,
17566 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
17567 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
17569 { &hf_smb_fs_attr_vic,
17570 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
17571 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
17573 { &hf_smb_sec_desc_revision,
17574 { "Revision", "smb.sec_desc.revision", FT_UINT16, BASE_DEC,
17575 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
17577 { &hf_smb_sid_revision,
17578 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
17579 NULL, 0, "Version of SID structure", HFILL }},
17581 { &hf_smb_sid_num_auth,
17582 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
17583 NULL, 0, "Number of authorities for this SID", HFILL }},
17585 { &hf_smb_acl_revision,
17586 { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
17587 NULL, 0, "Version of NT ACL structure", HFILL }},
17589 { &hf_smb_acl_size,
17590 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
17591 NULL, 0, "Size of NT ACL structure", HFILL }},
17593 { &hf_smb_acl_num_aces,
17594 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
17595 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
17597 { &hf_smb_user_quota_offset,
17598 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
17599 NULL, 0, "Relative offset to next user quota structure", HFILL }},
17601 { &hf_smb_ace_type,
17602 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
17603 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
17605 { &hf_smb_ace_size,
17606 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
17607 NULL, 0, "Size of this ACE", HFILL }},
17609 { &hf_smb_ace_flags_object_inherit,
17610 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
17611 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
17613 { &hf_smb_ace_flags_container_inherit,
17614 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
17615 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
17617 { &hf_smb_ace_flags_non_propagate_inherit,
17618 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
17619 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
17621 { &hf_smb_ace_flags_inherit_only,
17622 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
17623 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
17625 { &hf_smb_ace_flags_inherited_ace,
17626 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
17627 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
17629 { &hf_smb_ace_flags_successful_access,
17630 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
17631 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
17633 { &hf_smb_ace_flags_failed_access,
17634 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
17635 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
17637 { &hf_smb_sec_desc_type_owner_defaulted,
17638 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
17639 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
17641 { &hf_smb_sec_desc_type_group_defaulted,
17642 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
17643 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
17645 { &hf_smb_sec_desc_type_dacl_present,
17646 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
17647 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
17649 { &hf_smb_sec_desc_type_dacl_defaulted,
17650 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
17651 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
17653 { &hf_smb_sec_desc_type_sacl_present,
17654 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
17655 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
17657 { &hf_smb_sec_desc_type_sacl_defaulted,
17658 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
17659 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
17661 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
17662 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
17663 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
17665 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
17666 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
17667 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
17669 { &hf_smb_sec_desc_type_dacl_auto_inherited,
17670 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
17671 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
17673 { &hf_smb_sec_desc_type_sacl_auto_inherited,
17674 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
17675 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
17677 { &hf_smb_sec_desc_type_dacl_protected,
17678 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
17679 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
17681 { &hf_smb_sec_desc_type_sacl_protected,
17682 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
17683 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
17685 { &hf_smb_sec_desc_type_self_relative,
17686 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
17687 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
17689 { &hf_smb_quota_flags_deny_disk,
17690 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
17691 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
17693 { &hf_smb_quota_flags_log_limit,
17694 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
17695 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
17697 { &hf_smb_quota_flags_log_warning,
17698 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
17699 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
17701 { &hf_smb_quota_flags_enabled,
17702 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
17703 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
17705 { &hf_smb_segment_overlap,
17706 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17707 "Fragment overlaps with other fragments", HFILL }},
17709 { &hf_smb_segment_overlap_conflict,
17710 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17711 "Overlapping fragments contained conflicting data", HFILL }},
17713 { &hf_smb_segment_multiple_tails,
17714 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17715 "Several tails were found when defragmenting the packet", HFILL }},
17717 { &hf_smb_segment_too_long_fragment,
17718 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
17719 "Fragment contained data past end of packet", HFILL }},
17721 { &hf_smb_segment_error,
17722 { "Defragmentation error", "smb.segment.error", FT_NONE, BASE_NONE, NULL, 0x0,
17723 "Defragmentation error due to illegal fragments", HFILL }},
17726 { "SMB Segment", "smb.segment", FT_NONE, BASE_NONE, NULL, 0x0,
17727 "SMB Segment", HFILL }},
17729 { &hf_smb_segments,
17730 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
17731 "SMB Segments", HFILL }},
17733 static gint *ett[] = {
17737 &ett_smb_fileattributes,
17738 &ett_smb_capabilities,
17746 &ett_smb_desiredaccess,
17749 &ett_smb_openfunction,
17751 &ett_smb_openaction,
17752 &ett_smb_writemode,
17753 &ett_smb_lock_type,
17754 &ett_smb_ssetupandxaction,
17755 &ett_smb_optionsup,
17756 &ett_smb_time_date,
17757 &ett_smb_move_copy_flags,
17758 &ett_smb_file_attributes,
17759 &ett_smb_search_resume_key,
17760 &ett_smb_search_dir_info,
17765 &ett_smb_open_flags,
17766 &ett_smb_ipc_state,
17767 &ett_smb_open_action,
17768 &ett_smb_setup_action,
17769 &ett_smb_connect_flags,
17770 &ett_smb_connect_support_bits,
17771 &ett_smb_nt_access_mask,
17772 &ett_smb_nt_create_bits,
17773 &ett_smb_nt_create_options,
17774 &ett_smb_nt_share_access,
17775 &ett_smb_nt_security_flags,
17776 &ett_smb_nt_trans_setup,
17777 &ett_smb_nt_trans_data,
17778 &ett_smb_nt_trans_param,
17779 &ett_smb_nt_notify_completion_filter,
17780 &ett_smb_nt_ioctl_flags,
17781 &ett_smb_security_information_mask,
17782 &ett_smb_print_queue_entry,
17783 &ett_smb_transaction_flags,
17784 &ett_smb_transaction_params,
17785 &ett_smb_find_first2_flags,
17789 &ett_smb_transaction_data,
17790 &ett_smb_stream_info,
17791 &ett_smb_dfs_referrals,
17792 &ett_smb_dfs_referral,
17793 &ett_smb_dfs_referral_flags,
17794 &ett_smb_get_dfs_flags,
17796 &ett_smb_device_characteristics,
17797 &ett_smb_fs_attributes,
17804 &ett_smb_ace_flags,
17805 &ett_smb_sec_desc_type,
17806 &ett_smb_quotaflags,
17808 &ett_smb_mac_support_flags,
17810 module_t *smb_module;
17812 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
17814 proto_register_subtree_array(ett, array_length(ett));
17815 proto_register_field_array(proto_smb, hf, array_length(hf));
17816 register_init_routine(&smb_init_protocol);
17817 smb_module = prefs_register_protocol(proto_smb, NULL);
17818 prefs_register_bool_preference(smb_module, "trans_reassembly",
17819 "Reassemble SMB Transaction payload",
17820 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
17821 &smb_trans_reassembly);
17822 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
17823 "Reassemble DCERPC over SMB",
17824 "Whether the dissector should reassemble DCERPC over SMB commands",
17825 &smb_dcerpc_reassembly);
17826 register_init_routine(smb_trans_reassembly_init);
17827 register_init_routine(smb_dcerpc_reassembly_init);
17831 proto_reg_handoff_smb(void)
17833 heur_dissector_add("netbios", dissect_smb, proto_smb);
17834 gssapi_handle = find_dissector("gssapi");