2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.250 2002/04/27 21:23:48 guy Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_NETINET_IN_H
40 # include <netinet/in.h>
47 #include <epan/packet.h>
48 #include <epan/conversation.h>
50 #include "alignment.h"
51 #include <epan/strutil.h>
53 #include "reassemble.h"
55 #include "packet-smb-mailslot.h"
56 #include "packet-smb-pipe.h"
59 * Various specifications and documents about SMB can be found in
61 * ftp://ftp.microsoft.com/developr/drg/CIFS/
63 * and a CIFS draft from the Storage Networking Industry Association
64 * can be found on a link from the page at
66 * http://www.snia.org/English/Work_Groups/NAS/CIFS/WG_CIFS_Docs.html
68 * (it supercedes the document at
70 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
74 * There are also some Open Group publications documenting CIFS for sale;
75 * catalog entries for them are at:
77 * http://www.opengroup.org/products/publications/catalog/c209.htm
79 * http://www.opengroup.org/products/publications/catalog/c195.htm
81 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
84 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
86 * (or, presumably a similar path under the Samba mirrors). As the
87 * ".doc" indicates, it's a Word document. Some of the specs from the
88 * Microsoft FTP site can be found in the
90 * http://www.samba.org/samba/ftp/specs/
94 * Beware - these specs may have errors.
96 static int proto_smb = -1;
97 static int hf_smb_cmd = -1;
98 static int hf_smb_pid = -1;
99 static int hf_smb_tid = -1;
100 static int hf_smb_uid = -1;
101 static int hf_smb_mid = -1;
102 static int hf_smb_response_to = -1;
103 static int hf_smb_response_in = -1;
104 static int hf_smb_continuation_to = -1;
105 static int hf_smb_nt_status = -1;
106 static int hf_smb_error_class = -1;
107 static int hf_smb_error_code = -1;
108 static int hf_smb_reserved = -1;
109 static int hf_smb_flags_lock = -1;
110 static int hf_smb_flags_receive_buffer = -1;
111 static int hf_smb_flags_caseless = -1;
112 static int hf_smb_flags_canon = -1;
113 static int hf_smb_flags_oplock = -1;
114 static int hf_smb_flags_notify = -1;
115 static int hf_smb_flags_response = -1;
116 static int hf_smb_flags2_long_names_allowed = -1;
117 static int hf_smb_flags2_ea = -1;
118 static int hf_smb_flags2_sec_sig = -1;
119 static int hf_smb_flags2_long_names_used = -1;
120 static int hf_smb_flags2_esn = -1;
121 static int hf_smb_flags2_dfs = -1;
122 static int hf_smb_flags2_roe = -1;
123 static int hf_smb_flags2_nt_error = -1;
124 static int hf_smb_flags2_string = -1;
125 static int hf_smb_word_count = -1;
126 static int hf_smb_byte_count = -1;
127 static int hf_smb_buffer_format = -1;
128 static int hf_smb_dialect_name = -1;
129 static int hf_smb_dialect_index = -1;
130 static int hf_smb_max_trans_buf_size = -1;
131 static int hf_smb_max_mpx_count = -1;
132 static int hf_smb_max_vcs_num = -1;
133 static int hf_smb_session_key = -1;
134 static int hf_smb_server_timezone = -1;
135 static int hf_smb_encryption_key_length = -1;
136 static int hf_smb_encryption_key = -1;
137 static int hf_smb_primary_domain = -1;
138 static int hf_smb_max_raw_buf_size = -1;
139 static int hf_smb_server_guid = -1;
140 static int hf_smb_security_blob_len = -1;
141 static int hf_smb_security_blob = -1;
142 static int hf_smb_sm_mode16 = -1;
143 static int hf_smb_sm_password16 = -1;
144 static int hf_smb_sm_mode = -1;
145 static int hf_smb_sm_password = -1;
146 static int hf_smb_sm_signatures = -1;
147 static int hf_smb_sm_sig_required = -1;
148 static int hf_smb_rm_read = -1;
149 static int hf_smb_rm_write = -1;
150 static int hf_smb_server_date_time = -1;
151 static int hf_smb_server_smb_date = -1;
152 static int hf_smb_server_smb_time = -1;
153 static int hf_smb_server_cap_raw_mode = -1;
154 static int hf_smb_server_cap_mpx_mode = -1;
155 static int hf_smb_server_cap_unicode = -1;
156 static int hf_smb_server_cap_large_files = -1;
157 static int hf_smb_server_cap_nt_smbs = -1;
158 static int hf_smb_server_cap_rpc_remote_apis = -1;
159 static int hf_smb_server_cap_nt_status = -1;
160 static int hf_smb_server_cap_level_ii_oplocks = -1;
161 static int hf_smb_server_cap_lock_and_read = -1;
162 static int hf_smb_server_cap_nt_find = -1;
163 static int hf_smb_server_cap_dfs = -1;
164 static int hf_smb_server_cap_infolevel_passthru = -1;
165 static int hf_smb_server_cap_large_readx = -1;
166 static int hf_smb_server_cap_large_writex = -1;
167 static int hf_smb_server_cap_unix = -1;
168 static int hf_smb_server_cap_reserved = -1;
169 static int hf_smb_server_cap_bulk_transfer = -1;
170 static int hf_smb_server_cap_compressed_data = -1;
171 static int hf_smb_server_cap_extended_security = -1;
172 static int hf_smb_system_time = -1;
173 static int hf_smb_unknown = -1;
174 static int hf_smb_dir_name = -1;
175 static int hf_smb_echo_count = -1;
176 static int hf_smb_echo_data = -1;
177 static int hf_smb_echo_seq_num = -1;
178 static int hf_smb_max_buf_size = -1;
179 static int hf_smb_password = -1;
180 static int hf_smb_password_len = -1;
181 static int hf_smb_ansi_password = -1;
182 static int hf_smb_ansi_password_len = -1;
183 static int hf_smb_unicode_password = -1;
184 static int hf_smb_unicode_password_len = -1;
185 static int hf_smb_path = -1;
186 static int hf_smb_service = -1;
187 static int hf_smb_move_flags_file = -1;
188 static int hf_smb_move_flags_dir = -1;
189 static int hf_smb_move_flags_verify = -1;
190 static int hf_smb_move_files_moved = -1;
191 static int hf_smb_count = -1;
192 static int hf_smb_file_name = -1;
193 static int hf_smb_open_function_open = -1;
194 static int hf_smb_open_function_create = -1;
195 static int hf_smb_fid = -1;
196 static int hf_smb_file_attr_read_only_16bit = -1;
197 static int hf_smb_file_attr_read_only_8bit = -1;
198 static int hf_smb_file_attr_hidden_16bit = -1;
199 static int hf_smb_file_attr_hidden_8bit = -1;
200 static int hf_smb_file_attr_system_16bit = -1;
201 static int hf_smb_file_attr_system_8bit = -1;
202 static int hf_smb_file_attr_volume_16bit = -1;
203 static int hf_smb_file_attr_volume_8bit = -1;
204 static int hf_smb_file_attr_directory_16bit = -1;
205 static int hf_smb_file_attr_directory_8bit = -1;
206 static int hf_smb_file_attr_archive_16bit = -1;
207 static int hf_smb_file_attr_archive_8bit = -1;
208 static int hf_smb_file_attr_device = -1;
209 static int hf_smb_file_attr_normal = -1;
210 static int hf_smb_file_attr_temporary = -1;
211 static int hf_smb_file_attr_sparse = -1;
212 static int hf_smb_file_attr_reparse = -1;
213 static int hf_smb_file_attr_compressed = -1;
214 static int hf_smb_file_attr_offline = -1;
215 static int hf_smb_file_attr_not_content_indexed = -1;
216 static int hf_smb_file_attr_encrypted = -1;
217 static int hf_smb_file_size = -1;
218 static int hf_smb_search_attribute_read_only = -1;
219 static int hf_smb_search_attribute_hidden = -1;
220 static int hf_smb_search_attribute_system = -1;
221 static int hf_smb_search_attribute_volume = -1;
222 static int hf_smb_search_attribute_directory = -1;
223 static int hf_smb_search_attribute_archive = -1;
224 static int hf_smb_access_mode = -1;
225 static int hf_smb_access_sharing = -1;
226 static int hf_smb_access_locality = -1;
227 static int hf_smb_access_caching = -1;
228 static int hf_smb_access_writetru = -1;
229 static int hf_smb_create_time = -1;
230 static int hf_smb_create_dos_date = -1;
231 static int hf_smb_create_dos_time = -1;
232 static int hf_smb_last_write_time = -1;
233 static int hf_smb_last_write_dos_date = -1;
234 static int hf_smb_last_write_dos_time = -1;
235 static int hf_smb_access_time = -1;
236 static int hf_smb_access_dos_date = -1;
237 static int hf_smb_access_dos_time = -1;
238 static int hf_smb_old_file_name = -1;
239 static int hf_smb_offset = -1;
240 static int hf_smb_remaining = -1;
241 static int hf_smb_padding = -1;
242 static int hf_smb_file_data = -1;
243 static int hf_smb_total_data_len = -1;
244 static int hf_smb_data_len = -1;
245 static int hf_smb_seek_mode = -1;
246 static int hf_smb_data_size = -1;
247 static int hf_smb_alloc_size = -1;
248 static int hf_smb_alloc_size64 = -1;
249 static int hf_smb_max_count = -1;
250 static int hf_smb_min_count = -1;
251 static int hf_smb_timeout = -1;
252 static int hf_smb_high_offset = -1;
253 static int hf_smb_units = -1;
254 static int hf_smb_bpu = -1;
255 static int hf_smb_blocksize = -1;
256 static int hf_smb_freeunits = -1;
257 static int hf_smb_data_offset = -1;
258 static int hf_smb_dcm = -1;
259 static int hf_smb_request_mask = -1;
260 static int hf_smb_response_mask = -1;
261 static int hf_smb_sid = -1;
262 static int hf_smb_write_mode_write_through = -1;
263 static int hf_smb_write_mode_return_remaining = -1;
264 static int hf_smb_write_mode_raw = -1;
265 static int hf_smb_write_mode_message_start = -1;
266 static int hf_smb_write_mode_connectionless = -1;
267 static int hf_smb_resume_key_len = -1;
268 static int hf_smb_resume_server_cookie = -1;
269 static int hf_smb_resume_client_cookie = -1;
270 static int hf_smb_andxoffset = -1;
271 static int hf_smb_lock_type_large = -1;
272 static int hf_smb_lock_type_cancel = -1;
273 static int hf_smb_lock_type_change = -1;
274 static int hf_smb_lock_type_oplock = -1;
275 static int hf_smb_lock_type_shared = -1;
276 static int hf_smb_locking_ol = -1;
277 static int hf_smb_number_of_locks = -1;
278 static int hf_smb_number_of_unlocks = -1;
279 static int hf_smb_lock_long_offset = -1;
280 static int hf_smb_lock_long_length = -1;
281 static int hf_smb_file_type = -1;
282 static int hf_smb_ipc_state_nonblocking = -1;
283 static int hf_smb_ipc_state_endpoint = -1;
284 static int hf_smb_ipc_state_pipe_type = -1;
285 static int hf_smb_ipc_state_read_mode = -1;
286 static int hf_smb_ipc_state_icount = -1;
287 static int hf_smb_server_fid = -1;
288 static int hf_smb_open_flags_add_info = -1;
289 static int hf_smb_open_flags_ex_oplock = -1;
290 static int hf_smb_open_flags_batch_oplock = -1;
291 static int hf_smb_open_flags_ealen = -1;
292 static int hf_smb_open_action_open = -1;
293 static int hf_smb_open_action_lock = -1;
294 static int hf_smb_vc_num = -1;
295 static int hf_smb_account = -1;
296 static int hf_smb_os = -1;
297 static int hf_smb_lanman = -1;
298 static int hf_smb_setup_action_guest = -1;
299 static int hf_smb_fs = -1;
300 static int hf_smb_connect_flags_dtid = -1;
301 static int hf_smb_connect_support_search = -1;
302 static int hf_smb_connect_support_in_dfs = -1;
303 static int hf_smb_max_setup_count = -1;
304 static int hf_smb_total_param_count = -1;
305 static int hf_smb_total_data_count = -1;
306 static int hf_smb_max_param_count = -1;
307 static int hf_smb_max_data_count = -1;
308 static int hf_smb_param_disp16 = -1;
309 static int hf_smb_param_count16 = -1;
310 static int hf_smb_param_offset16 = -1;
311 static int hf_smb_param_disp32 = -1;
312 static int hf_smb_param_count32 = -1;
313 static int hf_smb_param_offset32 = -1;
314 static int hf_smb_data_disp16 = -1;
315 static int hf_smb_data_count16 = -1;
316 static int hf_smb_data_offset16 = -1;
317 static int hf_smb_data_disp32 = -1;
318 static int hf_smb_data_count32 = -1;
319 static int hf_smb_data_offset32 = -1;
320 static int hf_smb_setup_count = -1;
321 static int hf_smb_nt_trans_subcmd = -1;
322 static int hf_smb_nt_ioctl_function_code = -1;
323 static int hf_smb_nt_ioctl_isfsctl = -1;
324 static int hf_smb_nt_ioctl_flags_root_handle = -1;
325 static int hf_smb_nt_ioctl_data = -1;
326 static int hf_smb_nt_security_information = -1;
327 static int hf_smb_nt_notify_action = -1;
328 static int hf_smb_nt_notify_watch_tree = -1;
329 static int hf_smb_nt_notify_stream_write = -1;
330 static int hf_smb_nt_notify_stream_size = -1;
331 static int hf_smb_nt_notify_stream_name = -1;
332 static int hf_smb_nt_notify_security = -1;
333 static int hf_smb_nt_notify_ea = -1;
334 static int hf_smb_nt_notify_creation = -1;
335 static int hf_smb_nt_notify_last_access = -1;
336 static int hf_smb_nt_notify_last_write = -1;
337 static int hf_smb_nt_notify_size = -1;
338 static int hf_smb_nt_notify_attributes = -1;
339 static int hf_smb_nt_notify_dir_name = -1;
340 static int hf_smb_nt_notify_file_name = -1;
341 static int hf_smb_root_dir_fid = -1;
342 static int hf_smb_nt_create_disposition = -1;
343 static int hf_smb_sd_length = -1;
344 static int hf_smb_ea_length = -1;
345 static int hf_smb_file_name_len = -1;
346 static int hf_smb_nt_impersonation_level = -1;
347 static int hf_smb_nt_security_flags_context_tracking = -1;
348 static int hf_smb_nt_security_flags_effective_only = -1;
349 static int hf_smb_nt_access_mask_generic_read = -1;
350 static int hf_smb_nt_access_mask_generic_write = -1;
351 static int hf_smb_nt_access_mask_generic_execute = -1;
352 static int hf_smb_nt_access_mask_generic_all = -1;
353 static int hf_smb_nt_access_mask_maximum_allowed = -1;
354 static int hf_smb_nt_access_mask_system_security = -1;
355 static int hf_smb_nt_access_mask_synchronize = -1;
356 static int hf_smb_nt_access_mask_write_owner = -1;
357 static int hf_smb_nt_access_mask_write_dac = -1;
358 static int hf_smb_nt_access_mask_read_control = -1;
359 static int hf_smb_nt_access_mask_delete = -1;
360 static int hf_smb_nt_access_mask_write_attributes = -1;
361 static int hf_smb_nt_access_mask_read_attributes = -1;
362 static int hf_smb_nt_access_mask_delete_child = -1;
363 static int hf_smb_nt_access_mask_execute = -1;
364 static int hf_smb_nt_access_mask_write_ea = -1;
365 static int hf_smb_nt_access_mask_read_ea = -1;
366 static int hf_smb_nt_access_mask_append = -1;
367 static int hf_smb_nt_access_mask_write = -1;
368 static int hf_smb_nt_access_mask_read = -1;
369 static int hf_smb_nt_create_bits_oplock = -1;
370 static int hf_smb_nt_create_bits_boplock = -1;
371 static int hf_smb_nt_create_bits_dir = -1;
372 static int hf_smb_nt_create_options_directory_file = -1;
373 static int hf_smb_nt_create_options_write_through = -1;
374 static int hf_smb_nt_create_options_sequential_only = -1;
375 static int hf_smb_nt_create_options_sync_io_alert = -1;
376 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
377 static int hf_smb_nt_create_options_non_directory_file = -1;
378 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
379 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
380 static int hf_smb_nt_create_options_random_access = -1;
381 static int hf_smb_nt_create_options_delete_on_close = -1;
382 static int hf_smb_nt_share_access_read = -1;
383 static int hf_smb_nt_share_access_write = -1;
384 static int hf_smb_nt_share_access_delete = -1;
385 static int hf_smb_file_eattr_read_only = -1;
386 static int hf_smb_file_eattr_hidden = -1;
387 static int hf_smb_file_eattr_system = -1;
388 static int hf_smb_file_eattr_volume = -1;
389 static int hf_smb_file_eattr_directory = -1;
390 static int hf_smb_file_eattr_archive = -1;
391 static int hf_smb_file_eattr_device = -1;
392 static int hf_smb_file_eattr_normal = -1;
393 static int hf_smb_file_eattr_temporary = -1;
394 static int hf_smb_file_eattr_sparse = -1;
395 static int hf_smb_file_eattr_reparse = -1;
396 static int hf_smb_file_eattr_compressed = -1;
397 static int hf_smb_file_eattr_offline = -1;
398 static int hf_smb_file_eattr_not_content_indexed = -1;
399 static int hf_smb_file_eattr_encrypted = -1;
400 static int hf_smb_file_eattr_write_through = -1;
401 static int hf_smb_file_eattr_no_buffering = -1;
402 static int hf_smb_file_eattr_random_access = -1;
403 static int hf_smb_file_eattr_sequential_scan = -1;
404 static int hf_smb_file_eattr_delete_on_close = -1;
405 static int hf_smb_file_eattr_backup_semantics = -1;
406 static int hf_smb_file_eattr_posix_semantics = -1;
407 static int hf_smb_sec_desc_len = -1;
408 static int hf_smb_sec_desc_revision = -1;
409 static int hf_smb_sec_desc_type_owner_defaulted = -1;
410 static int hf_smb_sec_desc_type_group_defaulted = -1;
411 static int hf_smb_sec_desc_type_dacl_present = -1;
412 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
413 static int hf_smb_sec_desc_type_sacl_present = -1;
414 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
415 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
416 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
417 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
418 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
419 static int hf_smb_sec_desc_type_dacl_protected = -1;
420 static int hf_smb_sec_desc_type_sacl_protected = -1;
421 static int hf_smb_sec_desc_type_self_relative = -1;
422 static int hf_smb_sid_revision = -1;
423 static int hf_smb_sid_num_auth = -1;
424 static int hf_smb_acl_revision = -1;
425 static int hf_smb_acl_size = -1;
426 static int hf_smb_acl_num_aces = -1;
427 static int hf_smb_ace_type = -1;
428 static int hf_smb_ace_size = -1;
429 static int hf_smb_ace_flags_object_inherit = -1;
430 static int hf_smb_ace_flags_container_inherit = -1;
431 static int hf_smb_ace_flags_non_propagate_inherit = -1;
432 static int hf_smb_ace_flags_inherit_only = -1;
433 static int hf_smb_ace_flags_inherited_ace = -1;
434 static int hf_smb_ace_flags_successful_access = -1;
435 static int hf_smb_ace_flags_failed_access = -1;
436 static int hf_smb_nt_qsd_owner = -1;
437 static int hf_smb_nt_qsd_group = -1;
438 static int hf_smb_nt_qsd_dacl = -1;
439 static int hf_smb_nt_qsd_sacl = -1;
440 static int hf_smb_extended_attributes = -1;
441 static int hf_smb_oplock_level = -1;
442 static int hf_smb_create_action = -1;
443 static int hf_smb_ea_error_offset = -1;
444 static int hf_smb_end_of_file = -1;
445 static int hf_smb_device_type = -1;
446 static int hf_smb_is_directory = -1;
447 static int hf_smb_next_entry_offset = -1;
448 static int hf_smb_change_time = -1;
449 static int hf_smb_setup_len = -1;
450 static int hf_smb_print_mode = -1;
451 static int hf_smb_print_identifier = -1;
452 static int hf_smb_restart_index = -1;
453 static int hf_smb_print_queue_date = -1;
454 static int hf_smb_print_queue_dos_date = -1;
455 static int hf_smb_print_queue_dos_time = -1;
456 static int hf_smb_print_status = -1;
457 static int hf_smb_print_spool_file_number = -1;
458 static int hf_smb_print_spool_file_size = -1;
459 static int hf_smb_print_spool_file_name = -1;
460 static int hf_smb_start_index = -1;
461 static int hf_smb_cancel_to = -1;
462 static int hf_smb_trans2_subcmd = -1;
463 static int hf_smb_trans_name = -1;
464 static int hf_smb_transaction_flags_dtid = -1;
465 static int hf_smb_transaction_flags_owt = -1;
466 static int hf_smb_search_count = -1;
467 static int hf_smb_search_pattern = -1;
468 static int hf_smb_ff2_backup = -1;
469 static int hf_smb_ff2_continue = -1;
470 static int hf_smb_ff2_resume = -1;
471 static int hf_smb_ff2_close_eos = -1;
472 static int hf_smb_ff2_close = -1;
473 static int hf_smb_ff2_information_level = -1;
474 static int hf_smb_qpi_loi = -1;
475 static int hf_smb_storage_type = -1;
476 static int hf_smb_resume = -1;
477 static int hf_smb_max_referral_level = -1;
478 static int hf_smb_qfsi_information_level = -1;
479 static int hf_smb_ea_size = -1;
480 static int hf_smb_list_length = -1;
481 static int hf_smb_number_of_links = -1;
482 static int hf_smb_delete_pending = -1;
483 static int hf_smb_index_number = -1;
484 static int hf_smb_current_offset = -1;
485 static int hf_smb_t2_alignment = -1;
486 static int hf_smb_t2_stream_name_length = -1;
487 static int hf_smb_t2_stream_size = -1;
488 static int hf_smb_t2_stream_name = -1;
489 static int hf_smb_t2_compressed_file_size = -1;
490 static int hf_smb_t2_compressed_format = -1;
491 static int hf_smb_t2_compressed_unit_shift = -1;
492 static int hf_smb_t2_compressed_chunk_shift = -1;
493 static int hf_smb_t2_compressed_cluster_shift = -1;
494 static int hf_smb_dfs_path_consumed = -1;
495 static int hf_smb_dfs_num_referrals = -1;
496 static int hf_smb_get_dfs_server_hold_storage = -1;
497 static int hf_smb_get_dfs_fielding = -1;
498 static int hf_smb_dfs_referral_version = -1;
499 static int hf_smb_dfs_referral_size = -1;
500 static int hf_smb_dfs_referral_server_type = -1;
501 static int hf_smb_dfs_referral_flags_strip = -1;
502 static int hf_smb_dfs_referral_node_offset = -1;
503 static int hf_smb_dfs_referral_node = -1;
504 static int hf_smb_dfs_referral_proximity = -1;
505 static int hf_smb_dfs_referral_ttl = -1;
506 static int hf_smb_dfs_referral_path_offset = -1;
507 static int hf_smb_dfs_referral_path = -1;
508 static int hf_smb_dfs_referral_alt_path_offset = -1;
509 static int hf_smb_dfs_referral_alt_path = -1;
510 static int hf_smb_end_of_search = -1;
511 static int hf_smb_last_name_offset = -1;
512 static int hf_smb_file_index = -1;
513 static int hf_smb_short_file_name = -1;
514 static int hf_smb_short_file_name_len = -1;
515 static int hf_smb_fs_id = -1;
516 static int hf_smb_sector_unit = -1;
517 static int hf_smb_fs_units = -1;
518 static int hf_smb_fs_sector = -1;
519 static int hf_smb_avail_units = -1;
520 static int hf_smb_volume_serial_num = -1;
521 static int hf_smb_volume_label_len = -1;
522 static int hf_smb_volume_label = -1;
523 static int hf_smb_free_alloc_units64 = -1;
524 static int hf_smb_max_name_len = -1;
525 static int hf_smb_fs_name_len = -1;
526 static int hf_smb_fs_name = -1;
527 static int hf_smb_device_char_removable = -1;
528 static int hf_smb_device_char_read_only = -1;
529 static int hf_smb_device_char_floppy = -1;
530 static int hf_smb_device_char_write_once = -1;
531 static int hf_smb_device_char_remote = -1;
532 static int hf_smb_device_char_mounted = -1;
533 static int hf_smb_device_char_virtual = -1;
534 static int hf_smb_fs_attr_css = -1;
535 static int hf_smb_fs_attr_cpn = -1;
536 static int hf_smb_fs_attr_pacls = -1;
537 static int hf_smb_fs_attr_fc = -1;
538 static int hf_smb_fs_attr_vq = -1;
539 static int hf_smb_fs_attr_dim = -1;
540 static int hf_smb_fs_attr_vic = -1;
541 static int hf_smb_quota_flags_enabled = -1;
542 static int hf_smb_quota_flags_deny_disk = -1;
543 static int hf_smb_quota_flags_log_limit = -1;
544 static int hf_smb_quota_flags_log_warning = -1;
545 static int hf_smb_soft_quota_limit = -1;
546 static int hf_smb_hard_quota_limit = -1;
547 static int hf_smb_user_quota_used = -1;
548 static int hf_smb_user_quota_offset = -1;
549 static int hf_smb_nt_rename_level = -1;
550 static int hf_smb_cluster_count = -1;
552 static gint ett_smb = -1;
553 static gint ett_smb_hdr = -1;
554 static gint ett_smb_command = -1;
555 static gint ett_smb_fileattributes = -1;
556 static gint ett_smb_capabilities = -1;
557 static gint ett_smb_aflags = -1;
558 static gint ett_smb_dialect = -1;
559 static gint ett_smb_dialects = -1;
560 static gint ett_smb_mode = -1;
561 static gint ett_smb_rawmode = -1;
562 static gint ett_smb_flags = -1;
563 static gint ett_smb_flags2 = -1;
564 static gint ett_smb_desiredaccess = -1;
565 static gint ett_smb_search = -1;
566 static gint ett_smb_file = -1;
567 static gint ett_smb_openfunction = -1;
568 static gint ett_smb_filetype = -1;
569 static gint ett_smb_openaction = -1;
570 static gint ett_smb_writemode = -1;
571 static gint ett_smb_lock_type = -1;
572 static gint ett_smb_ssetupandxaction = -1;
573 static gint ett_smb_optionsup = -1;
574 static gint ett_smb_time_date = -1;
575 static gint ett_smb_move_flags = -1;
576 static gint ett_smb_file_attributes = -1;
577 static gint ett_smb_search_resume_key = -1;
578 static gint ett_smb_search_dir_info = -1;
579 static gint ett_smb_unlocks = -1;
580 static gint ett_smb_unlock = -1;
581 static gint ett_smb_locks = -1;
582 static gint ett_smb_lock = -1;
583 static gint ett_smb_open_flags = -1;
584 static gint ett_smb_ipc_state = -1;
585 static gint ett_smb_open_action = -1;
586 static gint ett_smb_setup_action = -1;
587 static gint ett_smb_connect_flags = -1;
588 static gint ett_smb_connect_support_bits = -1;
589 static gint ett_smb_nt_access_mask = -1;
590 static gint ett_smb_nt_create_bits = -1;
591 static gint ett_smb_nt_create_options = -1;
592 static gint ett_smb_nt_share_access = -1;
593 static gint ett_smb_nt_security_flags = -1;
594 static gint ett_smb_nt_trans_setup = -1;
595 static gint ett_smb_nt_trans_data = -1;
596 static gint ett_smb_nt_trans_param = -1;
597 static gint ett_smb_nt_notify_completion_filter = -1;
598 static gint ett_smb_nt_ioctl_flags = -1;
599 static gint ett_smb_security_information_mask = -1;
600 static gint ett_smb_print_queue_entry = -1;
601 static gint ett_smb_transaction_flags = -1;
602 static gint ett_smb_transaction_params = -1;
603 static gint ett_smb_find_first2_flags = -1;
604 static gint ett_smb_transaction_data = -1;
605 static gint ett_smb_stream_info = -1;
606 static gint ett_smb_dfs_referrals = -1;
607 static gint ett_smb_dfs_referral = -1;
608 static gint ett_smb_dfs_referral_flags = -1;
609 static gint ett_smb_get_dfs_flags = -1;
610 static gint ett_smb_ff2_data = -1;
611 static gint ett_smb_device_characteristics = -1;
612 static gint ett_smb_fs_attributes = -1;
613 static gint ett_smb_segments = -1;
614 static gint ett_smb_sec_desc = -1;
615 static gint ett_smb_sid = -1;
616 static gint ett_smb_acl = -1;
617 static gint ett_smb_ace = -1;
618 static gint ett_smb_ace_flags = -1;
619 static gint ett_smb_sec_desc_type = -1;
620 static gint ett_smb_quotaflags = -1;
622 proto_tree *top_tree=NULL; /* ugly */
624 static char *decode_smb_name(unsigned char);
625 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, guint8 cmd);
626 static const gchar *get_unicode_or_ascii_string(tvbuff_t *tvb,
627 int *offsetp, packet_info *pinfo, int *len, gboolean nopad,
628 gboolean exactlen, guint16 *bcp);
631 * Macros for use in the main dissector routines for an SMB.
636 wc = tvb_get_guint8(tvb, offset); \
637 proto_tree_add_uint(tree, hf_smb_word_count, \
638 tvb, offset, 1, wc); \
640 if(wc==0) goto bytecount;
644 bc = tvb_get_letohs(tvb, offset); \
645 proto_tree_add_uint(tree, hf_smb_byte_count, \
646 tvb, offset, 2, bc); \
648 if(bc==0) goto endofcommand;
650 #define CHECK_BYTE_COUNT(len) \
651 if (bc < len) goto endofcommand;
653 #define COUNT_BYTES(len) {\
662 proto_tree_add_text(tree, tvb, offset, bc, \
663 "Extra byte parameters"); \
669 * Macros for use in routines called by them.
671 #define CHECK_BYTE_COUNT_SUBR(len) \
677 #define CHECK_STRING_SUBR(fn) \
683 #define COUNT_BYTES_SUBR(len) \
688 * Macros for use when dissecting transaction parameters and data
690 #define CHECK_BYTE_COUNT_TRANS(len) \
691 if (bc < len) return offset;
693 #define CHECK_STRING_TRANS(fn) \
694 if (fn == NULL) return offset;
696 #define COUNT_BYTES_TRANS(len) \
701 * Macros for use in subrroutines dissecting transaction parameters or data
703 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
704 if (*bcp < len) return offset;
706 #define CHECK_STRING_TRANS_SUBR(fn) \
707 if (fn == NULL) return offset;
709 #define COUNT_BYTES_TRANS_SUBR(len) \
714 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
715 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
716 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
717 static gboolean smb_trans_reassembly = FALSE;
718 gboolean smb_dcerpc_reassembly = FALSE;
720 static GHashTable *smb_trans_fragment_table = NULL;
721 GHashTable *dcerpc_fragment_table = NULL;
724 smb_trans_reassembly_init(void)
726 fragment_table_init(&smb_trans_fragment_table);
729 smb_dcerpc_reassembly_init(void)
731 fragment_table_init(&dcerpc_fragment_table);
735 static fragment_data *
736 smb_trans_defragment(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
737 int offset, int count, int pos, int totlen)
739 fragment_data *fd_head=NULL;
743 more_frags=totlen>(pos+count);
745 si = (smb_info_t *)pinfo->private_data;
746 if (si->sip == NULL) {
748 * We don't have the frame number of the request.
750 * XXX - is there truly nothing we can do here?
751 * Can we not separately keep track of the original
752 * transaction and its continuations, as we did
755 * It is probably not much point in even trying to do something here
756 * if we have never seen the initial request. Without the initial
757 * request we probably miss all parameters and the begining of data
758 * so we cant even call a subdissector since we can not determine
759 * which type of transaction call this is.
764 if(!pinfo->fd->flags.visited){
765 fd_head = fragment_add(tvb, offset, pinfo,
766 si->sip->frame_req, smb_trans_fragment_table,
767 pos, count, more_frags);
769 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
772 /* we only show the defragmented packet for the first fragment,
773 or else we might end up with dissecting one HUGE transaction PDU
774 a LOT of times. (first fragment is the only one containing the setup
776 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
777 SMBs. Takes a LOT of time dissecting and is not fun.
779 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
790 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
791 These variables and functions are used to match
793 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
795 * The information we need to save about a request in order to show the
796 * frame number of the request in the dissection of the reply.
801 } smb_saved_info_key_t;
803 static GMemChunk *smb_saved_info_key_chunk = NULL;
804 static GMemChunk *smb_saved_info_chunk = NULL;
805 static int smb_saved_info_init_count = 200;
807 /* unmatched smb_saved_info structures.
808 For unmatched smb_saved_info structures we store the smb_saved_info
809 structure using the MID and the PID as the key.
811 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
812 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
813 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
816 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
818 register guint32 key1 = (guint32)k1;
819 register guint32 key2 = (guint32)k2;
823 smb_saved_info_hash_unmatched(gconstpointer k)
825 register guint32 key = (guint32)k;
829 /* matched smb_saved_info structures.
830 For matched smb_saved_info structures we store the smb_saved_info
831 structure twice in the table using the frame number, and a combination
832 of the MID and the PID, as the key.
833 The frame number is guaranteed to be unique but if ever someone makes
834 some change that will renumber the frames in a capture we are in BIG trouble.
835 This is not likely though since that would break (among other things) all the
836 reassembly routines as well.
838 We also need the MID as there may be more than one SMB request or reply
839 in a single frame, and we also need the PID as there may be more than
840 one outstanding request with the same MID and different PIDs.
843 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
845 const smb_saved_info_key_t *key1 = k1;
846 const smb_saved_info_key_t *key2 = k2;
847 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
850 smb_saved_info_hash_matched(gconstpointer k)
852 const smb_saved_info_key_t *key = k;
853 return key->frame + key->pid_mid;
857 * The information we need to save about an NT Transaction request in order
858 * to dissect the reply.
862 } smb_nt_transact_info_t;
864 static GMemChunk *smb_nt_transact_info_chunk = NULL;
865 static int smb_nt_transact_info_init_count = 200;
868 * The information we need to save about a Transaction2 request in order
869 * to dissect the reply.
874 gboolean resume_keys; /* if "return resume" keys set in T2 FIND_FIRST request */
875 } smb_transact2_info_t;
877 static GMemChunk *smb_transact2_info_chunk = NULL;
878 static int smb_transact2_info_init_count = 200;
881 * The information we need to save about a Transaction request in order
882 * to dissect the reply; this includes information for use by the
883 * Remote API dissector.
885 static GMemChunk *smb_transact_info_chunk = NULL;
886 static int smb_transact_info_init_count = 200;
888 static GMemChunk *conv_tables_chunk = NULL;
889 static GSList *conv_tables = NULL;
890 static int conv_tables_count = 10;
893 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
894 End of request/response matching functions
895 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
897 static const value_string buffer_format_vals[] = {
902 {5, "Variable Block"},
907 * UTIME - this is *almost* like a UNIX time stamp, except that it's
908 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
909 * January 1, 1970, 00:00:00 GMT.
911 * This means we have to do some extra work to convert it. This code is
912 * based on the Samba code:
914 * Unix SMB/Netbios implementation.
916 * time handling functions
917 * Copyright (C) Andrew Tridgell 1992-1998
921 * Yield the difference between *A and *B, in seconds, ignoring leap
924 #define TM_YEAR_BASE 1900
927 tm_diff(struct tm *a, struct tm *b)
929 int ay = a->tm_year + (TM_YEAR_BASE - 1);
930 int by = b->tm_year + (TM_YEAR_BASE - 1);
931 int intervening_leap_days =
932 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
935 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
936 int hours = 24*days + (a->tm_hour - b->tm_hour);
937 int minutes = 60*hours + (a->tm_min - b->tm_min);
938 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
944 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
950 struct tm *tm = gmtime(&t);
959 return tm_diff(&tm_utc,tm);
963 * Return the same value as TimeZone, but it should be more efficient.
965 * We keep a table of DST offsets to prevent calling localtime() on each
966 * call of this function. This saves a LOT of time on many unixes.
968 * Updated by Paul Eggert <eggert@twinsun.com>
975 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
976 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
979 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
983 TimeZoneFaster(time_t t)
985 static struct dst_table {time_t start,end; int zone;} *tdt;
986 static struct dst_table *dst_table = NULL;
987 static int table_size = 0;
994 /* Tunis has a 8 day DST region, we need to be careful ... */
995 #define MAX_DST_WIDTH (365*24*60*60)
996 #define MAX_DST_SKIP (7*24*60*60)
998 for (i = 0; i < table_size; i++) {
999 if (t >= dst_table[i].start && t <= dst_table[i].end)
1003 if (i < table_size) {
1004 zone = dst_table[i].zone;
1009 if (dst_table == NULL)
1010 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1012 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1021 dst_table[i].zone = zone;
1022 dst_table[i].start = dst_table[i].end = t;
1024 /* no entry will cover more than 6 months */
1025 low = t - MAX_DST_WIDTH/2;
1029 high = t + MAX_DST_WIDTH/2;
1034 * Widen the new entry using two bisection searches.
1036 while (low+60*60 < dst_table[i].start) {
1037 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1038 t = dst_table[i].start - MAX_DST_SKIP;
1040 t = low + (dst_table[i].start-low)/2;
1041 if (TimeZone(t) == zone)
1042 dst_table[i].start = t;
1047 while (high-60*60 > dst_table[i].end) {
1048 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1049 t = dst_table[i].end + MAX_DST_SKIP;
1051 t = high - (high-dst_table[i].end)/2;
1052 if (TimeZone(t) == zone)
1053 dst_table[i].end = t;
1063 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1064 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1065 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1066 * daylight savings transitions because some local times are ambiguous.
1067 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
1070 LocTimeDiff(time_t lt)
1072 int d = TimeZoneFaster(lt);
1075 /* if overflow occurred, ignore all the adjustments so far */
1076 if (((t < lt) ^ (d < 0)))
1080 * Now t should be close enough to the true UTC to yield the
1083 return TimeZoneFaster(t);
1087 dissect_smb_UTIME(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_date)
1092 timeval = tvb_get_letohl(tvb, offset);
1093 if (timeval == 0xffffffff) {
1094 proto_tree_add_text(tree, tvb, offset, 4,
1095 "%s: No time specified (0xffffffff)",
1096 proto_registrar_get_name(hf_date));
1102 * We add the local time offset.
1104 ts.secs = timeval + LocTimeDiff(timeval);
1107 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1113 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1116 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1118 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1119 * midnight "UTC", in 100ns units.
1120 * Return TRUE if the conversion succeeds, FALSE otherwise.
1122 * According to the Samba code, it appears to be kludge-GMT (at least for
1123 * file listings). This means it's the GMT you get by taking a local time
1124 * and adding the server time zone offset. This is NOT the same as GMT in
1125 * some cases. However, we don't know the server time zone, so we don't
1126 * do that adjustment.
1128 * This code is based on the Samba code:
1130 * Unix SMB/Netbios implementation.
1132 * time handling functions
1133 * Copyright (C) Andrew Tridgell 1992-1998
1136 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1139 /* The next two lines are a fix needed for the
1140 broken SCO compiler. JRA. */
1141 time_t l_time_min = TIME_T_MIN;
1142 time_t l_time_max = TIME_T_MAX;
1144 if (filetime_high == 0)
1148 * Get the time as a double, in seconds and fractional seconds.
1150 d = ((double)filetime_high)*4.0*(double)(1<<30);
1154 /* Now adjust by 369 years, to make the seconds since 1970. */
1155 d -= TIME_FIXUP_CONSTANT;
1157 if (!(l_time_min <= d && d <= l_time_max))
1161 * Get the time as seconds and nanoseconds.
1164 tv->nsecs = (d - tv->secs)*1000000000;
1170 dissect_smb_64bit_time(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_date)
1172 guint32 filetime_high, filetime_low;
1175 /* XXX there seems also to be another special time value which is fairly common :
1177 the meaning of this one is yet unknown
1180 filetime_low = tvb_get_letohl(tvb, offset);
1181 filetime_high = tvb_get_letohl(tvb, offset + 4);
1182 if (filetime_low == 0 && filetime_high == 0) {
1183 proto_tree_add_text(tree, tvb, offset, 8,
1184 "%s: No time specified (0)",
1185 proto_registrar_get_name(hf_date));
1186 } else if(filetime_low==0 && filetime_high==0x80000000){
1187 proto_tree_add_text(tree, tvb, offset, 8,
1188 "%s: Infinity (relative time)",
1189 proto_registrar_get_name(hf_date));
1190 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1191 proto_tree_add_text(tree, tvb, offset, 8,
1192 "%s: Infinity (absolute time)",
1193 proto_registrar_get_name(hf_date));
1195 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1196 proto_tree_add_time(tree, hf_date, tvb,
1199 proto_tree_add_text(tree, tvb, offset, 8,
1200 "%s: Time can't be converted",
1201 proto_registrar_get_name(hf_date));
1211 dissect_smb_datetime(tvbuff_t *tvb, packet_info *pinfo,
1212 proto_tree *parent_tree, int offset, int hf_date, int hf_dos_date,
1213 int hf_dos_time, gboolean time_first)
1215 guint16 dos_time, dos_date;
1216 proto_item *item = NULL;
1217 proto_tree *tree = NULL;
1220 static const int mday_noleap[12] = {
1221 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1223 static const int mday_leap[12] = {
1224 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1226 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1230 dos_time = tvb_get_letohs(tvb, offset);
1231 dos_date = tvb_get_letohs(tvb, offset+2);
1233 dos_date = tvb_get_letohs(tvb, offset);
1234 dos_time = tvb_get_letohs(tvb, offset+2);
1237 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1238 (dos_date == 0 && dos_time == 0)) {
1240 * No date/time specified.
1243 proto_tree_add_text(parent_tree, tvb, offset, 4,
1244 "%s: No time specified (0x%08x)",
1245 proto_registrar_get_name(hf_date),
1246 (dos_date << 16) | dos_time);
1252 tm.tm_sec = (dos_time&0x1f)*2;
1253 tm.tm_min = (dos_time>>5)&0x3f;
1254 tm.tm_hour = (dos_time>>11)&0x1f;
1255 tm.tm_mday = dos_date&0x1f;
1256 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1257 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1261 * Do some sanity checks before calling "mktime()";
1262 * "mktime()" doesn't do them, it "normalizes" out-of-range
1265 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1266 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1267 (ISLEAP(tm.tm_year + 1900) ?
1268 tm.tm_mday > mday_leap[tm.tm_mon] :
1269 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1270 (t = mktime(&tm)) == -1) {
1272 * Invalid date/time.
1275 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1277 proto_registrar_get_name(hf_date));
1278 tree = proto_item_add_subtree(item, ett_smb_time_date);
1280 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1281 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1283 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1284 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1295 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1296 tree = proto_item_add_subtree(item, ett_smb_time_date);
1298 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1299 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1301 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1302 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1312 static const value_string da_access_vals[] = {
1313 { 0, "Open for reading"},
1314 { 1, "Open for writing"},
1315 { 2, "Open for reading and writing"},
1316 { 3, "Open for execute"},
1319 static const value_string da_sharing_vals[] = {
1320 { 0, "Compatibility mode"},
1321 { 1, "Deny read/write/execute (exclusive)"},
1323 { 3, "Deny read/execute"},
1327 static const value_string da_locality_vals[] = {
1328 { 0, "Locality of reference unknown"},
1329 { 1, "Mainly sequential access"},
1330 { 2, "Mainly random access"},
1331 { 3, "Random access with some locality"},
1334 static const true_false_string tfs_da_caching = {
1335 "Do not cache this file",
1336 "Caching permitted on this file"
1338 static const true_false_string tfs_da_writetru = {
1339 "Write through enabled",
1340 "Write through disabled"
1343 dissect_access(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, char *type)
1346 proto_item *item = NULL;
1347 proto_tree *tree = NULL;
1349 mask = tvb_get_letohs(tvb, offset);
1352 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1353 "%s Access: 0x%04x", type, mask);
1354 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1357 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1358 tvb, offset, 2, mask);
1359 proto_tree_add_boolean(tree, hf_smb_access_caching,
1360 tvb, offset, 2, mask);
1361 proto_tree_add_uint(tree, hf_smb_access_locality,
1362 tvb, offset, 2, mask);
1363 proto_tree_add_uint(tree, hf_smb_access_sharing,
1364 tvb, offset, 2, mask);
1365 proto_tree_add_uint(tree, hf_smb_access_mode,
1366 tvb, offset, 2, mask);
1373 #define FILE_ATTRIBUTE_READ_ONLY 0x00000001
1374 #define FILE_ATTRIBUTE_HIDDEN 0x00000002
1375 #define FILE_ATTRIBUTE_SYSTEM 0x00000004
1376 #define FILE_ATTRIBUTE_VOLUME 0x00000008
1377 #define FILE_ATTRIBUTE_DIRECTORY 0x00000010
1378 #define FILE_ATTRIBUTE_ARCHIVE 0x00000020
1379 #define FILE_ATTRIBUTE_DEVICE 0x00000040
1380 #define FILE_ATTRIBUTE_NORMAL 0x00000080
1381 #define FILE_ATTRIBUTE_TEMPORARY 0x00000100
1382 #define FILE_ATTRIBUTE_SPARSE 0x00000200
1383 #define FILE_ATTRIBUTE_REPARSE 0x00000400
1384 #define FILE_ATTRIBUTE_COMPRESSED 0x00000800
1385 #define FILE_ATTRIBUTE_OFFLINE 0x00001000
1386 #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1387 #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1390 * These are flags to be used in NT Create operations.
1392 #define FILE_ATTRIBUTE_WRITE_THROUGH 0x80000000
1393 #define FILE_ATTRIBUTE_NO_BUFFERING 0x20000000
1394 #define FILE_ATTRIBUTE_RANDOM_ACCESS 0x10000000
1395 #define FILE_ATTRIBUTE_SEQUENTIAL_SCAN 0x08000000
1396 #define FILE_ATTRIBUTE_DELETE_ON_CLOSE 0x04000000
1397 #define FILE_ATTRIBUTE_BACKUP_SEMANTICS 0x02000000
1398 #define FILE_ATTRIBUTE_POSIX_SEMANTICS 0x01000000
1400 static const true_false_string tfs_file_attribute_write_through = {
1401 "This object requires WRITE THROUGH",
1402 "This object does NOT require write through",
1404 static const true_false_string tfs_file_attribute_no_buffering = {
1405 "This object requires NO BUFFERING",
1406 "This object can be buffered",
1408 static const true_false_string tfs_file_attribute_random_access = {
1409 "This object will be RANDOM ACCESSed",
1410 "Random access is NOT requested",
1412 static const true_false_string tfs_file_attribute_sequential_scan = {
1413 "This object is optimized for SEQUENTIAL SCAN",
1414 "This object is NOT optimized for sequential scan",
1416 static const true_false_string tfs_file_attribute_delete_on_close = {
1417 "This object will be DELETED ON CLOSE",
1418 "This object will not be deleted on close",
1420 static const true_false_string tfs_file_attribute_backup_semantics = {
1421 "This object supports BACKUP SEMANTICS",
1422 "This object does NOT support backup semantics",
1424 static const true_false_string tfs_file_attribute_posix_semantics = {
1425 "This object supports POSIX SEMANTICS",
1426 "This object does NOT support POSIX semantics",
1428 static const true_false_string tfs_file_attribute_read_only = {
1429 "This file is READ ONLY",
1430 "This file is NOT read only",
1432 static const true_false_string tfs_file_attribute_hidden = {
1433 "This is a HIDDEN file",
1434 "This is NOT a hidden file"
1436 static const true_false_string tfs_file_attribute_system = {
1437 "This is a SYSTEM file",
1438 "This is NOT a system file"
1440 static const true_false_string tfs_file_attribute_volume = {
1441 "This is a VOLUME ID",
1442 "This is NOT a volume ID"
1444 static const true_false_string tfs_file_attribute_directory = {
1445 "This is a DIRECTORY",
1446 "This is NOT a directory"
1448 static const true_false_string tfs_file_attribute_archive = {
1449 "This is an ARCHIVE file",
1450 "This is NOT an archive file"
1452 static const true_false_string tfs_file_attribute_device = {
1454 "This is NOT a device"
1456 static const true_false_string tfs_file_attribute_normal = {
1457 "This file is an ordinary file",
1458 "This file has some attribute set"
1460 static const true_false_string tfs_file_attribute_temporary = {
1461 "This is a TEMPORARY file",
1462 "This is NOT a temporary file"
1464 static const true_false_string tfs_file_attribute_sparse = {
1465 "This is a SPARSE file",
1466 "This is NOT a sparse file"
1468 static const true_false_string tfs_file_attribute_reparse = {
1469 "This file has an associated REPARSE POINT",
1470 "This file does NOT have an associated reparse point"
1472 static const true_false_string tfs_file_attribute_compressed = {
1473 "This is a COMPRESSED file",
1474 "This is NOT a compressed file"
1476 static const true_false_string tfs_file_attribute_offline = {
1477 "This file is OFFLINE",
1478 "This file is NOT offline"
1480 static const true_false_string tfs_file_attribute_not_content_indexed = {
1481 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1482 "This file MAY be indexed by the content indexing service"
1484 static const true_false_string tfs_file_attribute_encrypted = {
1485 "This is an ENCRYPTED file",
1486 "This is NOT an encrypted file"
1490 dissect_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1493 proto_item *item = NULL;
1494 proto_tree *tree = NULL;
1496 mask = tvb_get_letohs(tvb, offset);
1499 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1500 "File Attributes: 0x%04x", mask);
1501 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1503 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1504 tvb, offset, 2, mask);
1505 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1506 tvb, offset, 2, mask);
1507 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1508 tvb, offset, 2, mask);
1509 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1510 tvb, offset, 2, mask);
1511 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1512 tvb, offset, 2, mask);
1513 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1514 tvb, offset, 2, mask);
1523 dissect_file_ext_attr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1526 proto_item *item = NULL;
1527 proto_tree *tree = NULL;
1529 mask = tvb_get_letohl(tvb, offset);
1532 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1533 "File Attributes: 0x%08x", mask);
1534 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1538 * XXX - Network Monitor disagrees on some of the
1539 * bits, e.g. the bits above temporary are "atomic write"
1540 * and "transaction write", and it says nothing about the
1543 * Does the Win32 API documentation, or the NT Native API book,
1546 proto_tree_add_boolean(tree, hf_smb_file_eattr_write_through,
1547 tvb, offset, 4, mask);
1548 proto_tree_add_boolean(tree, hf_smb_file_eattr_no_buffering,
1549 tvb, offset, 4, mask);
1550 proto_tree_add_boolean(tree, hf_smb_file_eattr_random_access,
1551 tvb, offset, 4, mask);
1552 proto_tree_add_boolean(tree, hf_smb_file_eattr_sequential_scan,
1553 tvb, offset, 4, mask);
1554 proto_tree_add_boolean(tree, hf_smb_file_eattr_delete_on_close,
1555 tvb, offset, 4, mask);
1556 proto_tree_add_boolean(tree, hf_smb_file_eattr_backup_semantics,
1557 tvb, offset, 4, mask);
1558 proto_tree_add_boolean(tree, hf_smb_file_eattr_posix_semantics,
1559 tvb, offset, 4, mask);
1560 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1561 tvb, offset, 4, mask);
1562 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1563 tvb, offset, 4, mask);
1564 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1565 tvb, offset, 4, mask);
1566 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1567 tvb, offset, 4, mask);
1568 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1569 tvb, offset, 4, mask);
1570 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1571 tvb, offset, 4, mask);
1572 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1573 tvb, offset, 4, mask);
1574 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1575 tvb, offset, 4, mask);
1576 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1577 tvb, offset, 4, mask);
1578 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1579 tvb, offset, 4, mask);
1580 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1581 tvb, offset, 4, mask);
1582 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1583 tvb, offset, 4, mask);
1584 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1585 tvb, offset, 4, mask);
1586 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1587 tvb, offset, 4, mask);
1588 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1589 tvb, offset, 4, mask);
1597 dissect_dir_info_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1600 proto_item *item = NULL;
1601 proto_tree *tree = NULL;
1603 mask = tvb_get_guint8(tvb, offset);
1606 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1607 "File Attributes: 0x%02x", mask);
1608 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1610 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1611 tvb, offset, 1, mask);
1612 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1613 tvb, offset, 1, mask);
1614 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1615 tvb, offset, 1, mask);
1616 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1617 tvb, offset, 1, mask);
1618 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1619 tvb, offset, 1, mask);
1620 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1621 tvb, offset, 1, mask);
1628 static const true_false_string tfs_search_attribute_read_only = {
1629 "Include READ ONLY files in search results",
1630 "Do NOT include read only files in search results",
1632 static const true_false_string tfs_search_attribute_hidden = {
1633 "Include HIDDEN files in search results",
1634 "Do NOT include hidden files in search results"
1636 static const true_false_string tfs_search_attribute_system = {
1637 "Include SYSTEM files in search results",
1638 "Do NOT include system files in search results"
1640 static const true_false_string tfs_search_attribute_volume = {
1641 "Include VOLUME IDs in search results",
1642 "Do NOT include volume IDs in search results"
1644 static const true_false_string tfs_search_attribute_directory = {
1645 "Include DIRECTORIES in search results",
1646 "Do NOT include directories in search results"
1648 static const true_false_string tfs_search_attribute_archive = {
1649 "Include ARCHIVE files in search results",
1650 "Do NOT include archive files in search results"
1654 dissect_search_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1657 proto_item *item = NULL;
1658 proto_tree *tree = NULL;
1660 mask = tvb_get_letohs(tvb, offset);
1663 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1664 "Search Attributes: 0x%04x", mask);
1665 tree = proto_item_add_subtree(item, ett_smb_search);
1668 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1669 tvb, offset, 2, mask);
1670 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1671 tvb, offset, 2, mask);
1672 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1673 tvb, offset, 2, mask);
1674 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1675 tvb, offset, 2, mask);
1676 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1677 tvb, offset, 2, mask);
1678 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1679 tvb, offset, 2, mask);
1687 * XXX - this isn't used.
1688 * Is this used for anything? NT Create AndX doesn't use it.
1689 * Is there some 16-bit attribute field with more bits than Read Only,
1690 * Hidden, System, Volume ID, Directory, and Archive?
1693 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1696 proto_item *item = NULL;
1697 proto_tree *tree = NULL;
1699 mask = tvb_get_letohl(tvb, offset);
1702 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1703 "File Attributes: 0x%08x", mask);
1704 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1706 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1707 tvb, offset, 2, mask);
1708 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1709 tvb, offset, 2, mask);
1710 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1711 tvb, offset, 2, mask);
1712 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1713 tvb, offset, 2, mask);
1714 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1715 tvb, offset, 2, mask);
1716 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1717 tvb, offset, 2, mask);
1718 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1719 tvb, offset, 2, mask);
1720 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1721 tvb, offset, 2, mask);
1722 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1723 tvb, offset, 2, mask);
1724 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1725 tvb, offset, 2, mask);
1726 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1727 tvb, offset, 2, mask);
1728 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1729 tvb, offset, 2, mask);
1730 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1731 tvb, offset, 2, mask);
1732 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1733 tvb, offset, 2, mask);
1734 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1735 tvb, offset, 2, mask);
1744 #define SERVER_CAP_RAW_MODE 0x00000001
1745 #define SERVER_CAP_MPX_MODE 0x00000002
1746 #define SERVER_CAP_UNICODE 0x00000004
1747 #define SERVER_CAP_LARGE_FILES 0x00000008
1748 #define SERVER_CAP_NT_SMBS 0x00000010
1749 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1750 #define SERVER_CAP_STATUS32 0x00000040
1751 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1752 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1753 #define SERVER_CAP_NT_FIND 0x00000200
1754 #define SERVER_CAP_DFS 0x00001000
1755 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1756 #define SERVER_CAP_LARGE_READX 0x00004000
1757 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1758 #define SERVER_CAP_UNIX 0x00800000
1759 #define SERVER_CAP_RESERVED 0x02000000
1760 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1761 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1762 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1763 static const true_false_string tfs_server_cap_raw_mode = {
1764 "Read Raw and Write Raw are supported",
1765 "Read Raw and Write Raw are not supported"
1767 static const true_false_string tfs_server_cap_mpx_mode = {
1768 "Read Mpx and Write Mpx are supported",
1769 "Read Mpx and Write Mpx are not supported"
1771 static const true_false_string tfs_server_cap_unicode = {
1772 "Unicode strings are supported",
1773 "Unicode strings are not supported"
1775 static const true_false_string tfs_server_cap_large_files = {
1776 "Large files are supported",
1777 "Large files are not supported",
1779 static const true_false_string tfs_server_cap_nt_smbs = {
1780 "NT SMBs are supported",
1781 "NT SMBs are not supported"
1783 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1784 "RPC remote APIs are supported",
1785 "RPC remote APIs are not supported"
1787 static const true_false_string tfs_server_cap_nt_status = {
1788 "NT status codes are supported",
1789 "NT status codes are not supported"
1791 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1792 "Level 2 oplocks are supported",
1793 "Level 2 oplocks are not supported"
1795 static const true_false_string tfs_server_cap_lock_and_read = {
1796 "Lock and Read is supported",
1797 "Lock and Read is not supported"
1799 static const true_false_string tfs_server_cap_nt_find = {
1800 "NT Find is supported",
1801 "NT Find is not supported"
1803 static const true_false_string tfs_server_cap_dfs = {
1805 "Dfs is not supported"
1807 static const true_false_string tfs_server_cap_infolevel_passthru = {
1808 "NT information level request passthrough is supported",
1809 "NT information level request passthrough is not supported"
1811 static const true_false_string tfs_server_cap_large_readx = {
1812 "Large Read andX is supported",
1813 "Large Read andX is not supported"
1815 static const true_false_string tfs_server_cap_large_writex = {
1816 "Large Write andX is supported",
1817 "Large Write andX is not supported"
1819 static const true_false_string tfs_server_cap_unix = {
1820 "UNIX extensions are supported",
1821 "UNIX extensions are not supported"
1823 static const true_false_string tfs_server_cap_reserved = {
1827 static const true_false_string tfs_server_cap_bulk_transfer = {
1828 "Bulk Read and Bulk Write are supported",
1829 "Bulk Read and Bulk Write are not supported"
1831 static const true_false_string tfs_server_cap_compressed_data = {
1832 "Compressed data transfer is supported",
1833 "Compressed data transfer is not supported"
1835 static const true_false_string tfs_server_cap_extended_security = {
1836 "Extended security exchanges are supported",
1837 "Extended security exchanges are not supported"
1840 dissect_negprot_capabilities(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1843 proto_item *item = NULL;
1844 proto_tree *tree = NULL;
1846 mask = tvb_get_letohl(tvb, offset);
1849 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1850 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1853 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1854 tvb, offset, 4, mask);
1855 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1856 tvb, offset, 4, mask);
1857 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1858 tvb, offset, 4, mask);
1859 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1860 tvb, offset, 4, mask);
1861 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1862 tvb, offset, 4, mask);
1863 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1864 tvb, offset, 4, mask);
1865 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1866 tvb, offset, 4, mask);
1867 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1868 tvb, offset, 4, mask);
1869 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1870 tvb, offset, 4, mask);
1871 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1872 tvb, offset, 4, mask);
1873 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1874 tvb, offset, 4, mask);
1875 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1876 tvb, offset, 4, mask);
1877 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1878 tvb, offset, 4, mask);
1879 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1880 tvb, offset, 4, mask);
1881 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1882 tvb, offset, 4, mask);
1883 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1884 tvb, offset, 4, mask);
1885 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1886 tvb, offset, 4, mask);
1887 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1888 tvb, offset, 4, mask);
1889 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1890 tvb, offset, 4, mask);
1895 #define RAWMODE_READ 0x01
1896 #define RAWMODE_WRITE 0x02
1897 static const true_false_string tfs_rm_read = {
1898 "Read Raw is supported",
1899 "Read Raw is not supported"
1901 static const true_false_string tfs_rm_write = {
1902 "Write Raw is supported",
1903 "Write Raw is not supported"
1907 dissect_negprot_rawmode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1910 proto_item *item = NULL;
1911 proto_tree *tree = NULL;
1913 mask = tvb_get_letohs(tvb, offset);
1916 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1917 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1920 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1921 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
1928 #define SECURITY_MODE_MODE 0x01
1929 #define SECURITY_MODE_PASSWORD 0x02
1930 #define SECURITY_MODE_SIGNATURES 0x04
1931 #define SECURITY_MODE_SIG_REQUIRED 0x08
1932 static const true_false_string tfs_sm_mode = {
1933 "USER security mode",
1934 "SHARE security mode"
1936 static const true_false_string tfs_sm_password = {
1937 "ENCRYPTED password. Use challenge/response",
1938 "PLAINTEXT password"
1940 static const true_false_string tfs_sm_signatures = {
1941 "Security signatures ENABLED",
1942 "Security signatures NOT enabled"
1944 static const true_false_string tfs_sm_sig_required = {
1945 "Security signatures REQUIRED",
1946 "Security signatures NOT required"
1950 dissect_negprot_security_mode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int wc)
1953 proto_item *item = NULL;
1954 proto_tree *tree = NULL;
1958 mask = tvb_get_letohs(tvb, offset);
1959 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1960 "Security Mode: 0x%04x", mask);
1961 tree = proto_item_add_subtree(item, ett_smb_mode);
1962 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
1963 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
1968 mask = tvb_get_guint8(tvb, offset);
1969 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1970 "Security Mode: 0x%02x", mask);
1971 tree = proto_item_add_subtree(item, ett_smb_mode);
1972 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
1973 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
1974 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
1975 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
1984 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
1986 proto_item *it = NULL;
1987 proto_tree *tr = NULL;
1996 it = proto_tree_add_text(tree, tvb, offset, bc,
1997 "Requested Dialects");
1998 tr = proto_item_add_subtree(it, ett_smb_dialects);
2004 proto_item *dit = NULL;
2005 proto_tree *dtr = NULL;
2007 /* XXX - what if this runs past bc? */
2008 len = tvb_strsize(tvb, offset+1);
2009 str = tvb_get_ptr(tvb, offset+1, len);
2012 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2013 "Dialect: %s", str);
2014 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2018 CHECK_BYTE_COUNT(1);
2019 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2024 CHECK_BYTE_COUNT(len);
2025 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
2036 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2050 dialect = tvb_get_letohs(tvb, offset);
2053 if(dialect==0xffff){
2054 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2055 tvb, offset, 2, dialect,
2056 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2058 proto_tree_add_uint(tree, hf_smb_dialect_index,
2059 tvb, offset, 2, dialect);
2063 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2064 tvb, offset, 2, dialect,
2065 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2068 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2069 tvb, offset, 2, dialect,
2070 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2073 proto_tree_add_text(tree, tvb, offset, wc*2,
2074 "Words for unknown response format");
2083 offset = dissect_negprot_security_mode(tvb, pinfo, tree, offset,
2086 /* Maximum Transmit Buffer Size */
2087 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2088 tvb, offset, 2, TRUE);
2091 /* Maximum Multiplex Count */
2092 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2093 tvb, offset, 2, TRUE);
2096 /* Maximum Vcs Number */
2097 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2098 tvb, offset, 2, TRUE);
2102 offset = dissect_negprot_rawmode(tvb, pinfo, tree, offset);
2105 proto_tree_add_item(tree, hf_smb_session_key,
2106 tvb, offset, 4, TRUE);
2109 /* current time and date at server */
2110 offset = dissect_smb_datetime(tvb, pinfo, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2114 tz = tvb_get_letohs(tvb, offset);
2115 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2118 /* encryption key length */
2119 ekl = tvb_get_letohs(tvb, offset);
2120 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2123 /* 2 reserved bytes */
2124 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2131 offset = dissect_negprot_security_mode(tvb, pinfo, tree, offset, wc);
2133 /* Maximum Multiplex Count */
2134 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2135 tvb, offset, 2, TRUE);
2138 /* Maximum Vcs Number */
2139 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2140 tvb, offset, 2, TRUE);
2143 /* Maximum Transmit Buffer Size */
2144 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2145 tvb, offset, 4, TRUE);
2148 /* maximum raw buffer size */
2149 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2150 tvb, offset, 4, TRUE);
2154 proto_tree_add_item(tree, hf_smb_session_key,
2155 tvb, offset, 4, TRUE);
2158 /* server capabilities */
2159 caps = dissect_negprot_capabilities(tvb, pinfo, tree, offset);
2163 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
2164 hf_smb_system_time);
2167 tz = tvb_get_letohs(tvb, offset);
2168 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2170 "Server Time Zone: %d min from UTC", tz);
2173 /* encryption key length */
2174 ekl = tvb_get_guint8(tvb, offset);
2175 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2176 tvb, offset, 1, ekl);
2186 /* challenge/response encryption key */
2188 CHECK_BYTE_COUNT(ekl);
2189 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2196 * XXX - not present if negotiated dialect isn't
2197 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2198 * have to see the request, or assume what dialect strings
2199 * were sent, to determine that.
2201 dn = get_unicode_or_ascii_string(tvb, &offset,
2202 pinfo, &dn_len, FALSE, FALSE, &bc);
2205 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2207 COUNT_BYTES(dn_len);
2211 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2214 /* challenge/response encryption key */
2215 /* XXX - is this aligned on an even boundary? */
2217 CHECK_BYTE_COUNT(ekl);
2218 proto_tree_add_item(tree, hf_smb_encryption_key,
2219 tvb, offset, ekl, TRUE);
2224 /* this string is special, unicode is flagged in caps */
2225 /* This string is NOT padded to be 16bit aligned. (seen in actual capture) */
2226 si = pinfo->private_data;
2227 si->unicode = (caps&SERVER_CAP_UNICODE);
2228 dn = get_unicode_or_ascii_string(tvb,
2229 &offset, pinfo, &dn_len, TRUE, FALSE,
2233 proto_tree_add_string(tree, hf_smb_primary_domain,
2234 tvb, offset, dn_len, dn);
2235 COUNT_BYTES(dn_len);
2238 /* XXX - show it in the standard Microsoft format
2240 CHECK_BYTE_COUNT(16);
2241 proto_tree_add_item(tree, hf_smb_server_guid,
2242 tvb, offset, 16, TRUE);
2246 /* XXX - is this ASN.1-encoded? Is it a Kerberos
2247 data structure, at least in NT 5.0-and-later
2250 proto_tree_add_item(tree, hf_smb_security_blob,
2251 tvb, offset, bc, TRUE);
2265 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2277 CHECK_BYTE_COUNT(1);
2278 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2282 dn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &dn_len,
2286 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2288 COUNT_BYTES(dn_len);
2290 if (check_col(pinfo->cinfo, COL_INFO)) {
2291 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
2300 dissect_empty(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2315 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2323 ec = tvb_get_letohs(tvb, offset);
2324 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2331 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2341 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2348 /* echo sequence number */
2349 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2356 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2366 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2378 CHECK_BYTE_COUNT(1);
2379 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2383 an = get_unicode_or_ascii_string(tvb, &offset,
2384 pinfo, &an_len, FALSE, FALSE, &bc);
2387 proto_tree_add_string(tree, hf_smb_path, tvb,
2388 offset, an_len, an);
2389 COUNT_BYTES(an_len);
2391 if (check_col(pinfo->cinfo, COL_INFO)) {
2392 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2396 CHECK_BYTE_COUNT(1);
2397 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2400 /* password, ANSI */
2401 /* XXX - what if this runs past bc? */
2402 pwlen = tvb_strsize(tvb, offset);
2403 CHECK_BYTE_COUNT(pwlen);
2404 proto_tree_add_item(tree, hf_smb_password,
2405 tvb, offset, pwlen, TRUE);
2409 CHECK_BYTE_COUNT(1);
2410 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2414 an = get_unicode_or_ascii_string(tvb, &offset,
2415 pinfo, &an_len, FALSE, FALSE, &bc);
2418 proto_tree_add_string(tree, hf_smb_service, tvb,
2419 offset, an_len, an);
2420 COUNT_BYTES(an_len);
2428 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2435 /* Maximum Buffer Size */
2436 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2440 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
2451 static const true_false_string tfs_of_create = {
2452 "Create file if it does not exist",
2453 "Fail if file does not exist"
2455 static const value_string of_open[] = {
2456 { 0, "Fail if file exists"},
2457 { 1, "Open file if it exists"},
2458 { 2, "Truncate file if it exists"},
2462 dissect_open_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
2465 proto_item *item = NULL;
2466 proto_tree *tree = NULL;
2468 mask = tvb_get_letohs(tvb, offset);
2471 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2472 "Open Function: 0x%04x", mask);
2473 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2476 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2477 tvb, offset, 2, mask);
2478 proto_tree_add_uint(tree, hf_smb_open_function_open,
2479 tvb, offset, 2, mask);
2487 static const true_false_string tfs_mf_file = {
2488 "Target must be a file",
2489 "Target needn't be a file"
2491 static const true_false_string tfs_mf_dir = {
2492 "Target must be a directory",
2493 "Target needn't be a directory"
2495 static const true_false_string tfs_mf_verify = {
2496 "MUST verify all writes",
2497 "Don't have to verify writes"
2500 dissect_move_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
2503 proto_item *item = NULL;
2504 proto_tree *tree = NULL;
2506 mask = tvb_get_letohs(tvb, offset);
2509 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2510 "Flags: 0x%04x", mask);
2511 tree = proto_item_add_subtree(item, ett_smb_move_flags);
2514 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2515 tvb, offset, 2, mask);
2516 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2517 tvb, offset, 2, mask);
2518 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2519 tvb, offset, 2, mask);
2527 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2538 tid = tvb_get_letohs(tvb, offset);
2539 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2540 "TID (target): 0x%04x", tid);
2544 offset = dissect_open_function(tvb, pinfo, tree, offset);
2547 offset = dissect_move_flags(tvb, pinfo, tree, offset);
2552 CHECK_BYTE_COUNT(1);
2553 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2557 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2561 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2562 fn_len, fn, "Old File Name: %s", fn);
2563 COUNT_BYTES(fn_len);
2565 if (check_col(pinfo->cinfo, COL_INFO)) {
2566 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2570 CHECK_BYTE_COUNT(1);
2571 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2575 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2579 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2580 fn_len, fn, "New File Name: %s", fn);
2581 COUNT_BYTES(fn_len);
2583 if (check_col(pinfo->cinfo, COL_INFO)) {
2584 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2593 dissect_move_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2602 /* # of files moved */
2603 proto_tree_add_item(tree, hf_smb_move_files_moved, tvb, offset, 2, TRUE);
2609 CHECK_BYTE_COUNT(1);
2610 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2614 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2618 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2620 COUNT_BYTES(fn_len);
2628 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2637 /* desired access */
2638 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
2640 /* Search Attributes */
2641 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2646 CHECK_BYTE_COUNT(1);
2647 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2651 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2655 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2657 COUNT_BYTES(fn_len);
2659 if (check_col(pinfo->cinfo, COL_INFO)) {
2660 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2669 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2670 int len, guint16 fid)
2672 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2673 if (check_col(pinfo->cinfo, COL_INFO))
2674 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
2678 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2687 fid = tvb_get_letohs(tvb, offset);
2688 add_fid(tvb, pinfo, tree, offset, 2, fid);
2691 /* File Attributes */
2692 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2694 /* last write time */
2695 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2698 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2701 /* granted access */
2702 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
2712 dissect_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2721 fid = tvb_get_letohs(tvb, offset);
2722 add_fid(tvb, pinfo, tree, offset, 2, fid);
2733 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2742 /* file attributes */
2743 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2746 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
2751 CHECK_BYTE_COUNT(1);
2752 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2756 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2760 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2762 COUNT_BYTES(fn_len);
2764 if (check_col(pinfo->cinfo, COL_INFO)) {
2765 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2774 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2782 fid = tvb_get_letohs(tvb, offset);
2783 add_fid(tvb, pinfo, tree, offset, 2, fid);
2786 /* last write time */
2787 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2797 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2806 /* search attributes */
2807 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2812 CHECK_BYTE_COUNT(1);
2813 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2817 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2821 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2823 COUNT_BYTES(fn_len);
2825 if (check_col(pinfo->cinfo, COL_INFO)) {
2826 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2835 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2844 /* search attributes */
2845 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2850 CHECK_BYTE_COUNT(1);
2851 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2855 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2859 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
2861 COUNT_BYTES(fn_len);
2863 if (check_col(pinfo->cinfo, COL_INFO)) {
2864 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2868 CHECK_BYTE_COUNT(1);
2869 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2873 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2877 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2879 COUNT_BYTES(fn_len);
2881 if (check_col(pinfo->cinfo, COL_INFO)) {
2882 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2891 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2900 /* search attributes */
2901 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2903 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
2906 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
2912 CHECK_BYTE_COUNT(1);
2913 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2917 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2921 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
2923 COUNT_BYTES(fn_len);
2925 if (check_col(pinfo->cinfo, COL_INFO)) {
2926 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2930 CHECK_BYTE_COUNT(1);
2931 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2935 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2939 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2941 COUNT_BYTES(fn_len);
2943 if (check_col(pinfo->cinfo, COL_INFO)) {
2944 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2954 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2966 CHECK_BYTE_COUNT(1);
2967 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2971 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2975 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2977 COUNT_BYTES(fn_len);
2979 if (check_col(pinfo->cinfo, COL_INFO)) {
2980 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2989 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2996 /* File Attributes */
2997 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2999 /* Last Write Time */
3000 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
3003 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3006 /* 10 reserved bytes */
3007 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3018 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3027 /* file attributes */
3028 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
3030 /* last write time */
3031 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
3033 /* 10 reserved bytes */
3034 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3040 CHECK_BYTE_COUNT(1);
3041 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3045 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3049 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3051 COUNT_BYTES(fn_len);
3053 if (check_col(pinfo->cinfo, COL_INFO)) {
3054 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3063 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3073 fid = tvb_get_letohs(tvb, offset);
3074 add_fid(tvb, pinfo, tree, offset, 2, fid);
3076 if (!pinfo->fd->flags.visited) {
3077 /* remember the FID for the processing of the response */
3078 si = (smb_info_t *)pinfo->private_data;
3079 si->sip->extra_info=(void *)fid;
3083 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3087 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3091 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3102 dissect_file_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3107 /* We have some initial padding bytes. */
3108 /* XXX - use the data offset here instead? */
3109 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3111 offset += bc-datalen;
3114 tvblen = tvb_length_remaining(tvb, offset);
3116 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3119 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
3126 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3127 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3130 tvbuff_t *dcerpc_tvb;
3133 /* We have some initial padding bytes. */
3134 /* XXX - use the data offset here instead? */
3135 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3137 offset += bc-datalen;
3140 tvblen = tvb_length_remaining(tvb, offset);
3141 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3142 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3151 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3155 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3161 cnt = tvb_get_letohs(tvb, offset);
3162 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3165 /* 8 reserved bytes */
3166 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3169 /* If we have seen the request, then print which FID this refers to */
3170 /* first check if we have seen the request */
3171 if(si->sip != NULL && si->sip->frame_req>0){
3172 fid=(int)si->sip->extra_info;
3173 add_fid(tvb, pinfo, tree, 0, 0, fid);
3179 CHECK_BYTE_COUNT(1);
3180 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3184 CHECK_BYTE_COUNT(2);
3185 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3188 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
3191 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
3193 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3194 top_tree, offset, bc, bc, fid);
3196 /* ordinary file data, or we didn't see the request,
3197 so we don't know whether this is a DCERPC call
3199 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, bc);
3210 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3218 cnt = tvb_get_letohs(tvb, offset);
3219 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3222 /* 8 reserved bytes */
3223 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3229 CHECK_BYTE_COUNT(1);
3230 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3234 CHECK_BYTE_COUNT(2);
3235 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3245 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3248 guint16 cnt=0, bc, fid=0;
3250 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3255 fid = tvb_get_letohs(tvb, offset);
3256 add_fid(tvb, pinfo, tree, offset, 2, fid);
3260 cnt = tvb_get_letohs(tvb, offset);
3261 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3265 ofs = tvb_get_letohl(tvb, offset);
3266 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3269 if (check_col(pinfo->cinfo, COL_INFO))
3270 col_append_fstr(pinfo->cinfo, COL_INFO,
3271 ", %d byte%s at offset %d", cnt,
3272 (cnt == 1) ? "" : "s", ofs);
3275 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3281 CHECK_BYTE_COUNT(1);
3282 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3286 CHECK_BYTE_COUNT(2);
3287 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3291 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3293 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3294 top_tree, offset, bc, bc, fid);
3296 /* ordinary file data */
3297 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, bc);
3308 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3316 cnt = tvb_get_letohs(tvb, offset);
3317 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3320 if (check_col(pinfo->cinfo, COL_INFO))
3321 col_append_fstr(pinfo->cinfo, COL_INFO,
3322 ", %d byte%s", cnt, (cnt == 1) ? "" : "s");
3332 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3340 fid = tvb_get_letohs(tvb, offset);
3341 add_fid(tvb, pinfo, tree, offset, 2, fid);
3345 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3349 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3360 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3369 /* 2 reserved bytes */
3370 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3374 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
3379 CHECK_BYTE_COUNT(1);
3380 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3383 /* directory name */
3384 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3388 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3390 COUNT_BYTES(fn_len);
3392 if (check_col(pinfo->cinfo, COL_INFO)) {
3393 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3402 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3412 fid = tvb_get_letohs(tvb, offset);
3413 add_fid(tvb, pinfo, tree, offset, 2, fid);
3419 CHECK_BYTE_COUNT(1);
3420 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3424 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3428 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3430 COUNT_BYTES(fn_len);
3437 static const value_string seek_mode_vals[] = {
3438 {0, "From Start Of File"},
3439 {1, "From Current Position"},
3440 {2, "From End Of File"},
3445 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3453 fid = tvb_get_letohs(tvb, offset);
3454 add_fid(tvb, pinfo, tree, offset, 2, fid);
3458 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3462 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3473 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3481 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3492 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3500 fid = tvb_get_letohs(tvb, offset);
3501 add_fid(tvb, pinfo, tree, offset, 2, fid);
3505 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3507 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3510 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3512 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3514 /* last write time */
3515 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3516 hf_smb_last_write_time,
3517 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3527 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3535 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3537 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3540 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3542 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3544 /* last write time */
3545 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3546 hf_smb_last_write_time,
3547 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3550 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3553 /* allocation size */
3554 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3557 /* File Attributes */
3558 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
3568 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3577 fid = tvb_get_letohs(tvb, offset);
3578 add_fid(tvb, pinfo, tree, offset, 2, fid);
3582 cnt = tvb_get_letohs(tvb, offset);
3583 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3587 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3590 /* last write time */
3591 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
3594 /* 12 reserved bytes */
3595 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3602 CHECK_BYTE_COUNT(1);
3603 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
3606 offset = dissect_file_data(tvb, pinfo, tree, offset, cnt, cnt);
3615 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3623 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3634 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3643 fid = tvb_get_letohs(tvb, offset);
3644 add_fid(tvb, pinfo, tree, offset, 2, fid);
3648 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3652 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3656 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3660 to = tvb_get_letohl(tvb, offset);
3661 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3664 /* 2 reserved bytes */
3665 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3670 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3682 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3690 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3694 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3698 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3702 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3705 /* 2 reserved bytes */
3706 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3717 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3725 fid = tvb_get_letohs(tvb, offset);
3726 add_fid(tvb, pinfo, tree, offset, 2, fid);
3730 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3734 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3738 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3741 /* 6 reserved bytes */
3742 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
3753 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3755 guint16 datalen=0, bc;
3761 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3765 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3768 /* 2 reserved bytes */
3769 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3772 /* data compaction mode */
3773 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
3776 /* 2 reserved bytes */
3777 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3781 datalen = tvb_get_letohs(tvb, offset);
3782 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3786 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3792 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3801 static const true_false_string tfs_write_mode_write_through = {
3802 "WRITE THROUGH requested",
3803 "Write through not requested"
3805 static const true_false_string tfs_write_mode_return_remaining = {
3806 "RETURN REMAINING (pipe/dev) requested",
3807 "DON'T return remaining (pipe/dev)"
3809 static const true_false_string tfs_write_mode_raw = {
3810 "Use WriteRawNamedPipe (pipe)",
3811 "DON'T use WriteRawNamedPipe (pipe)"
3813 static const true_false_string tfs_write_mode_message_start = {
3814 "This is the START of a MESSAGE (pipe)",
3815 "This is NOT the start of a message (pipe)"
3817 static const true_false_string tfs_write_mode_connectionless = {
3818 "CONNECTIONLESS mode requested",
3819 "Connectionless mode NOT requested"
3822 dissect_write_mode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int bm)
3825 proto_item *item = NULL;
3826 proto_tree *tree = NULL;
3828 mask = tvb_get_letohs(tvb, offset);
3831 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
3832 "Write Mode: 0x%04x", mask);
3833 tree = proto_item_add_subtree(item, ett_smb_rawmode);
3837 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
3838 tvb, offset, 2, mask);
3841 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
3842 tvb, offset, 2, mask);
3845 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
3846 tvb, offset, 2, mask);
3849 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
3850 tvb, offset, 2, mask);
3853 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
3854 tvb, offset, 2, mask);
3862 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3865 guint16 datalen=0, bc, fid;
3871 fid = tvb_get_letohs(tvb, offset);
3872 add_fid(tvb, pinfo, tree, offset, 2, fid);
3875 /* total data length */
3876 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
3879 /* 2 reserved bytes */
3880 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3884 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3888 to = tvb_get_letohl(tvb, offset);
3889 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3893 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x0003);
3895 /* 4 reserved bytes */
3896 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
3900 datalen = tvb_get_letohs(tvb, offset);
3901 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3905 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3911 /* XXX - use the data offset to determine where the data starts? */
3912 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3921 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3929 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3940 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3943 guint16 datalen=0, bc, fid;
3949 fid = tvb_get_letohs(tvb, offset);
3950 add_fid(tvb, pinfo, tree, offset, 2, fid);
3953 /* total data length */
3954 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
3957 /* 2 reserved bytes */
3958 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3962 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3966 to = tvb_get_letohl(tvb, offset);
3967 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3971 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x0083);
3974 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
3978 datalen = tvb_get_letohs(tvb, offset);
3979 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3983 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3989 /* XXX - use the data offset to determine where the data starts? */
3990 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3999 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4007 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
4018 dissect_sid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4026 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
4037 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4038 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
4040 proto_item *item = NULL;
4041 proto_tree *tree = NULL;
4047 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4049 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4053 CHECK_BYTE_COUNT_SUBR(1);
4054 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4055 COUNT_BYTES_SUBR(1);
4059 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4061 CHECK_STRING_SUBR(fn);
4062 /* ensure that it's null-terminated */
4063 strncpy(fname, fn, 11);
4065 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4067 COUNT_BYTES_SUBR(fn_len);
4070 CHECK_BYTE_COUNT_SUBR(5);
4071 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4072 COUNT_BYTES_SUBR(5);
4075 CHECK_BYTE_COUNT_SUBR(4);
4076 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4077 COUNT_BYTES_SUBR(4);
4084 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4085 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
4087 proto_item *item = NULL;
4088 proto_tree *tree = NULL;
4094 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4095 "Directory Information");
4096 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4100 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp, trunc);
4104 /* File Attributes */
4105 CHECK_BYTE_COUNT_SUBR(1);
4106 offset = dissect_dir_info_file_attributes(tvb, pinfo, tree, offset);
4109 /* last write time */
4110 CHECK_BYTE_COUNT_SUBR(4);
4111 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
4112 hf_smb_last_write_time,
4113 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4118 CHECK_BYTE_COUNT_SUBR(4);
4119 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4120 COUNT_BYTES_SUBR(4);
4124 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4126 CHECK_STRING_SUBR(fn);
4127 /* ensure that it's null-terminated */
4128 strncpy(fname, fn, 13);
4130 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4132 COUNT_BYTES_SUBR(fn_len);
4140 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4152 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4155 /* Search Attributes */
4156 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
4161 CHECK_BYTE_COUNT(1);
4162 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4166 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4170 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4172 COUNT_BYTES(fn_len);
4174 if (check_col(pinfo->cinfo, COL_INFO)) {
4175 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4179 CHECK_BYTE_COUNT(1);
4180 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4183 /* resume key length */
4184 CHECK_BYTE_COUNT(2);
4185 rkl = tvb_get_letohs(tvb, offset);
4186 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4191 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4203 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4213 count = tvb_get_letohs(tvb, offset);
4214 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4220 CHECK_BYTE_COUNT(1);
4221 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4225 CHECK_BYTE_COUNT(2);
4226 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4230 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4241 static const value_string locking_ol_vals[] = {
4242 {0, "Client is not holding oplock on this file"},
4243 {1, "Level 2 oplock currently held by client"},
4247 static const true_false_string tfs_lock_type_large = {
4248 "Large file locking format requested",
4249 "Large file locking format not requested"
4251 static const true_false_string tfs_lock_type_cancel = {
4252 "Cancel outstanding lock request",
4253 "Don't cancel outstanding lock request"
4255 static const true_false_string tfs_lock_type_change = {
4257 "Don't change lock type"
4259 static const true_false_string tfs_lock_type_oplock = {
4260 "This is an oplock break notification/response",
4261 "This is not an oplock break notification/response"
4263 static const true_false_string tfs_lock_type_shared = {
4264 "This is a shared lock",
4265 "This is an exclusive lock"
4268 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4270 guint8 wc, cmd=0xff, lt=0;
4271 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4273 proto_item *litem = NULL;
4274 proto_tree *ltree = NULL;
4275 proto_item *it = NULL;
4276 proto_tree *tr = NULL;
4277 int old_offset = offset;
4281 /* next smb command */
4282 cmd = tvb_get_guint8(tvb, offset);
4284 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4286 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4291 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4295 andxoffset = tvb_get_letohs(tvb, offset);
4296 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4300 fid = tvb_get_letohs(tvb, offset);
4301 add_fid(tvb, pinfo, tree, offset, 2, fid);
4305 lt = tvb_get_guint8(tvb, offset);
4307 litem = proto_tree_add_text(tree, tvb, offset, 1,
4308 "Lock Type: 0x%02x", lt);
4309 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4311 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4312 tvb, offset, 1, lt);
4313 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4314 tvb, offset, 1, lt);
4315 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4316 tvb, offset, 1, lt);
4317 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4318 tvb, offset, 1, lt);
4319 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4320 tvb, offset, 1, lt);
4324 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
4328 to = tvb_get_letohl(tvb, offset);
4330 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4331 else if (to == 0xffffffff)
4332 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4334 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4337 /* number of unlocks */
4338 un = tvb_get_letohs(tvb, offset);
4339 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4342 /* number of locks */
4343 ln = tvb_get_letohs(tvb, offset);
4344 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4351 old_offset = offset;
4353 it = proto_tree_add_text(tree, tvb, offset, -1,
4355 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4357 proto_item *litem = NULL;
4358 proto_tree *ltree = NULL;
4360 /* large lock format */
4361 litem = proto_tree_add_text(tr, tvb, offset, 20,
4363 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4366 CHECK_BYTE_COUNT(2);
4367 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4370 /* 2 reserved bytes */
4371 CHECK_BYTE_COUNT(2);
4372 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4376 CHECK_BYTE_COUNT(8);
4377 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4381 CHECK_BYTE_COUNT(8);
4382 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4385 /* normal lock format */
4386 litem = proto_tree_add_text(tr, tvb, offset, 10,
4388 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4391 CHECK_BYTE_COUNT(2);
4392 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4396 CHECK_BYTE_COUNT(4);
4397 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4401 CHECK_BYTE_COUNT(4);
4402 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4406 proto_item_set_len(it, offset-old_offset);
4412 old_offset = offset;
4414 it = proto_tree_add_text(tree, tvb, offset, -1,
4416 tr = proto_item_add_subtree(it, ett_smb_locks);
4418 proto_item *litem = NULL;
4419 proto_tree *ltree = NULL;
4421 /* large lock format */
4422 litem = proto_tree_add_text(tr, tvb, offset, 20,
4424 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4427 CHECK_BYTE_COUNT(2);
4428 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4431 /* 2 reserved bytes */
4432 CHECK_BYTE_COUNT(2);
4433 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4437 CHECK_BYTE_COUNT(8);
4438 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4442 CHECK_BYTE_COUNT(8);
4443 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4446 /* normal lock format */
4447 litem = proto_tree_add_text(tr, tvb, offset, 10,
4449 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4452 CHECK_BYTE_COUNT(2);
4453 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4457 CHECK_BYTE_COUNT(4);
4458 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4462 CHECK_BYTE_COUNT(4);
4463 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4467 proto_item_set_len(it, offset-old_offset);
4475 * We ran out of byte count in the middle of dissecting
4476 * the locks or the unlocks; set the site of the item
4477 * we were dissecting.
4479 proto_item_set_len(it, offset-old_offset);
4482 /* call AndXCommand (if there are any) */
4483 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4489 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4491 guint8 wc, cmd=0xff;
4492 guint16 andxoffset=0;
4497 /* next smb command */
4498 cmd = tvb_get_guint8(tvb, offset);
4500 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4502 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4507 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4511 andxoffset = tvb_get_letohs(tvb, offset);
4512 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4519 /* call AndXCommand (if there are any) */
4520 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4526 static const value_string oa_open_vals[] = {
4527 { 0, "No action taken?"},
4528 { 1, "The file existed and was opened"},
4529 { 2, "The file did not exist but was created"},
4530 { 3, "The file existed and was truncated"},
4533 static const true_false_string tfs_oa_lock = {
4534 "File is currently opened only by this user",
4535 "File is opened by another user (or mode not supported by server)"
4538 dissect_open_action(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
4541 proto_item *item = NULL;
4542 proto_tree *tree = NULL;
4544 mask = tvb_get_letohs(tvb, offset);
4547 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4548 "Action: 0x%04x", mask);
4549 tree = proto_item_add_subtree(item, ett_smb_open_action);
4552 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4553 tvb, offset, 2, mask);
4554 proto_tree_add_uint(tree, hf_smb_open_action_open,
4555 tvb, offset, 2, mask);
4562 static const true_false_string tfs_open_flags_add_info = {
4563 "Additional information requested",
4564 "Additional information not requested"
4566 static const true_false_string tfs_open_flags_ex_oplock = {
4567 "Exclusive oplock requested",
4568 "Exclusive oplock not requested"
4570 static const true_false_string tfs_open_flags_batch_oplock = {
4571 "Batch oplock requested",
4572 "Batch oplock not requested"
4574 static const true_false_string tfs_open_flags_ealen = {
4575 "Total length of EAs requested",
4576 "Total length of EAs not requested"
4579 dissect_open_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int bm)
4582 proto_item *item = NULL;
4583 proto_tree *tree = NULL;
4585 mask = tvb_get_letohs(tvb, offset);
4588 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4589 "Flags: 0x%04x", mask);
4590 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4594 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4595 tvb, offset, 2, mask);
4598 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4599 tvb, offset, 2, mask);
4602 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4603 tvb, offset, 2, mask);
4606 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4607 tvb, offset, 2, mask);
4615 static const value_string filetype_vals[] = {
4616 { 0, "Disk file or directory"},
4617 { 1, "Named pipe in byte mode"},
4618 { 2, "Named pipe in message mode"},
4619 { 3, "Spooled printer"},
4623 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4625 guint8 wc, cmd=0xff;
4626 guint16 andxoffset=0, bc;
4632 /* next smb command */
4633 cmd = tvb_get_guint8(tvb, offset);
4635 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4637 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4642 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4646 andxoffset = tvb_get_letohs(tvb, offset);
4647 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4651 offset = dissect_open_flags(tvb, pinfo, tree, offset, 0x0007);
4653 /* desired access */
4654 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
4656 /* Search Attributes */
4657 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
4659 /* File Attributes */
4660 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
4663 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
4666 offset = dissect_open_function(tvb, pinfo, tree, offset);
4668 /* allocation size */
4669 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
4672 /* 8 reserved bytes */
4673 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
4679 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4683 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4685 COUNT_BYTES(fn_len);
4687 if (check_col(pinfo->cinfo, COL_INFO)) {
4688 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
4693 /* call AndXCommand (if there are any) */
4694 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4699 static const true_false_string tfs_ipc_state_nonblocking = {
4700 "Reads/writes return immediately if no data available",
4701 "Reads/writes block if no data available"
4703 static const value_string ipc_state_endpoint_vals[] = {
4704 { 0, "Consumer end of pipe"},
4705 { 1, "Server end of pipe"},
4708 static const value_string ipc_state_pipe_type_vals[] = {
4709 { 0, "Byte stream pipe"},
4710 { 1, "Message pipe"},
4713 static const value_string ipc_state_read_mode_vals[] = {
4714 { 0, "Read pipe as a byte stream"},
4715 { 1, "Read messages from pipe"},
4720 dissect_ipc_state(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
4721 int offset, gboolean setstate)
4724 proto_item *item = NULL;
4725 proto_tree *tree = NULL;
4727 mask = tvb_get_letohs(tvb, offset);
4730 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4731 "IPC State: 0x%04x", mask);
4732 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
4735 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
4736 tvb, offset, 2, mask);
4738 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
4739 tvb, offset, 2, mask);
4740 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
4741 tvb, offset, 2, mask);
4743 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
4744 tvb, offset, 2, mask);
4746 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
4747 tvb, offset, 2, mask);
4756 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4758 guint8 wc, cmd=0xff;
4759 guint16 andxoffset=0, bc;
4764 /* next smb command */
4765 cmd = tvb_get_guint8(tvb, offset);
4767 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4769 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4774 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4778 andxoffset = tvb_get_letohs(tvb, offset);
4779 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4783 fid = tvb_get_letohs(tvb, offset);
4784 add_fid(tvb, pinfo, tree, offset, 2, fid);
4787 /* File Attributes */
4788 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
4790 /* last write time */
4791 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
4794 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4797 /* granted access */
4798 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
4801 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
4805 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
4808 offset = dissect_open_action(tvb, pinfo, tree, offset);
4811 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
4814 /* 2 reserved bytes */
4815 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4822 /* call AndXCommand (if there are any) */
4823 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4829 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4831 guint8 wc, cmd=0xff;
4832 guint16 andxoffset=0, bc, maxcnt = 0;
4839 /* next smb command */
4840 cmd = tvb_get_guint8(tvb, offset);
4842 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4844 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4849 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4853 andxoffset = tvb_get_letohs(tvb, offset);
4854 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4858 fid = tvb_get_letohs(tvb, offset);
4859 add_fid(tvb, pinfo, tree, offset, 2, fid);
4861 if (!pinfo->fd->flags.visited) {
4862 /* remember the FID for the processing of the response */
4863 si = (smb_info_t *)pinfo->private_data;
4864 si->sip->extra_info=(void *)fid;
4868 ofs = tvb_get_letohl(tvb, offset);
4869 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4873 maxcnt = tvb_get_letohs(tvb, offset);
4874 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4877 if (check_col(pinfo->cinfo, COL_INFO))
4878 col_append_fstr(pinfo->cinfo, COL_INFO,
4879 ", %d byte%s at offset %d", maxcnt,
4880 (maxcnt == 1) ? "" : "s", ofs);
4883 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4886 /* XXX - max count high */
4887 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4891 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4896 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
4904 /* call AndXCommand (if there are any) */
4905 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4911 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4913 guint8 wc, cmd=0xff;
4914 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
4915 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4920 /* next smb command */
4921 cmd = tvb_get_guint8(tvb, offset);
4923 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4925 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4930 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4934 andxoffset = tvb_get_letohs(tvb, offset);
4935 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4938 /* If we have seen the request, then print which FID this refers to */
4939 /* first check if we have seen the request */
4940 if(si->sip != NULL && si->sip->frame_req>0){
4941 fid=(int)si->sip->extra_info;
4942 add_fid(tvb, pinfo, tree, 0, 0, fid);
4946 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4949 /* data compaction mode */
4950 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4953 /* 2 reserved bytes */
4954 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4958 datalen = tvb_get_letohs(tvb, offset);
4959 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4962 if (check_col(pinfo->cinfo, COL_INFO))
4963 col_append_fstr(pinfo->cinfo, COL_INFO,
4964 ", %d byte%s", datalen,
4965 (datalen == 1) ? "" : "s");
4968 dataoffset=tvb_get_letohs(tvb, offset);
4969 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
4972 /* 10 reserved bytes */
4973 /* XXX - first 2 bytes are data length high, not reserved */
4974 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
4979 /* is this part of DCERPC over SMB reassembly?*/
4980 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited
4981 && (bc<=tvb_length_remaining(tvb, offset)) ){
4982 gpointer hash_value;
4983 if (si->sip != NULL && (hash_value = g_hash_table_lookup(
4984 si->ct->dcerpc_fid_to_frame,
4985 si->sip->extra_info)) != NULL) {
4986 fragment_data *fd_head;
4987 guint32 frame = GPOINTER_TO_UINT(hash_value);
4989 /* first fragment is always from a SMB Trans command and
4990 offset 0 of the following read/write SMB commands start
4991 BEYOND the first Trans SMB payload. Look for offset
4992 in first read fragment */
4993 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
4995 /* skip to last fragment and add this data there*/
4996 while(fd_head->next){
4997 fd_head=fd_head->next;
4999 /* if dataoffset was not specified in the SMB command
5000 then we try to guess it as good as we can
5003 dataoffset=offset+bc-datalen;
5005 fd_head=fragment_add(tvb, dataoffset, pinfo,
5006 frame, dcerpc_fragment_table,
5007 fd_head->offset+fd_head->len,
5009 /* we completed reassembly, abort searching for more
5012 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
5013 si->sip->extra_info);
5019 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
5022 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
5024 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
5025 top_tree, offset, bc, datalen, fid);
5027 /* ordinary file data, or we didn't see the request,
5028 so we don't know whether this is a DCERPC call
5030 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
5037 /* call AndXCommand (if there are any) */
5038 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5044 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5047 guint8 wc, cmd=0xff;
5048 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
5049 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5054 /* next smb command */
5055 cmd = tvb_get_guint8(tvb, offset);
5057 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5059 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5064 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5068 andxoffset = tvb_get_letohs(tvb, offset);
5069 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5073 fid = tvb_get_letohs(tvb, offset);
5074 add_fid(tvb, pinfo, tree, offset, 2, fid);
5076 if (!pinfo->fd->flags.visited) {
5077 /* remember the FID for the processing of the response */
5078 si->sip->extra_info=(void *)fid;
5082 ofs = tvb_get_letohl(tvb, offset);
5083 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5087 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5091 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x000f);
5094 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5097 /* XXX - data length high */
5098 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5102 datalen = tvb_get_letohs(tvb, offset);
5103 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5107 dataoffset=tvb_get_letohs(tvb, offset);
5108 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5111 /* FIXME: add byte/offset to COL_INFO */
5115 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5121 /* is this part of DCERPC over SMB reassembly?*/
5122 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited && (bc<=tvb_length_remaining(tvb, offset)) ){
5123 gpointer hash_value;
5124 hash_value = g_hash_table_lookup(si->ct->dcerpc_fid_to_frame,
5125 si->sip->extra_info);
5127 fragment_data *fd_head;
5128 guint32 frame = GPOINTER_TO_UINT(hash_value);
5130 /* first fragment is always from a SMB Trans command and
5131 offset 0 of the following read/write SMB commands start
5132 BEYOND the first Trans SMB payload. Look for offset
5133 in first read fragment */
5134 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
5136 /* skip to last fragment and add this data there*/
5137 while(fd_head->next){
5138 fd_head=fd_head->next;
5140 /* if dataoffset was not specified in the SMB command
5141 then we try to guess it as good as we can
5144 dataoffset=offset+bc-datalen;
5146 fd_head=fragment_add(tvb, dataoffset, pinfo,
5147 frame, dcerpc_fragment_table,
5148 fd_head->offset+fd_head->len,
5150 /* we completed reassembly, abort searching for more
5153 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
5154 si->sip->extra_info);
5162 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
5164 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
5165 top_tree, offset, bc, datalen, fid);
5167 /* ordinary file data */
5168 offset = dissect_file_data(tvb, pinfo, tree, offset,
5176 /* call AndXCommand (if there are any) */
5177 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5183 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5185 guint8 wc, cmd=0xff;
5186 guint16 andxoffset=0, bc;
5191 /* next smb command */
5192 cmd = tvb_get_guint8(tvb, offset);
5194 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5196 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5201 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5205 andxoffset = tvb_get_letohs(tvb, offset);
5206 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5209 /* If we have seen the request, then print which FID this refers to */
5210 si = (smb_info_t *)pinfo->private_data;
5211 /* first check if we have seen the request */
5212 if(si->sip != NULL && si->sip->frame_req>0){
5213 add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
5217 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
5221 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5224 /* 4 reserved bytes */
5225 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5232 /* call AndXCommand (if there are any) */
5233 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5239 static const true_false_string tfs_setup_action_guest = {
5240 "Logged in as GUEST",
5241 "Not logged in as GUEST"
5244 dissect_setup_action(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5247 proto_item *item = NULL;
5248 proto_tree *tree = NULL;
5250 mask = tvb_get_letohs(tvb, offset);
5253 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5254 "Action: 0x%04x", mask);
5255 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5258 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5259 tvb, offset, 2, mask);
5268 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5270 guint8 wc, cmd=0xff;
5272 guint16 andxoffset=0;
5279 guint16 apwlen=0, upwlen=0;
5283 /* next smb command */
5284 cmd = tvb_get_guint8(tvb, offset);
5286 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5288 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5293 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5297 andxoffset = tvb_get_letohs(tvb, offset);
5298 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5301 /* Maximum Buffer Size */
5302 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5305 /* Maximum Multiplex Count */
5306 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5310 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5314 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5319 /* password length, ASCII*/
5320 pwlen = tvb_get_letohs(tvb, offset);
5321 proto_tree_add_uint(tree, hf_smb_password_len,
5322 tvb, offset, 2, pwlen);
5325 /* 4 reserved bytes */
5326 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5332 /* security blob length */
5333 sbloblen = tvb_get_letohs(tvb, offset);
5334 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5337 /* 4 reserved bytes */
5338 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5342 dissect_negprot_capabilities(tvb, pinfo, tree, offset);
5348 /* password length, ANSI*/
5349 apwlen = tvb_get_letohs(tvb, offset);
5350 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5351 tvb, offset, 2, apwlen);
5354 /* password length, Unicode*/
5355 upwlen = tvb_get_letohs(tvb, offset);
5356 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5357 tvb, offset, 2, upwlen);
5360 /* 4 reserved bytes */
5361 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5365 dissect_negprot_capabilities(tvb, pinfo, tree, offset);
5375 /* XXX - is this ASN.1-encoded? Is it a Kerberos
5376 data structure, at least in NT 5.0-and-later
5379 CHECK_BYTE_COUNT(sbloblen);
5380 proto_tree_add_item(tree, hf_smb_security_blob,
5381 tvb, offset, sbloblen, TRUE);
5382 COUNT_BYTES(sbloblen);
5386 an = get_unicode_or_ascii_string(tvb, &offset,
5387 pinfo, &an_len, FALSE, FALSE, &bc);
5390 proto_tree_add_string(tree, hf_smb_os, tvb,
5391 offset, an_len, an);
5392 COUNT_BYTES(an_len);
5395 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5396 * padding/null string/whatever in front of this. W2K doesn't
5397 * appear to. I suspect that's a bug that got fixed; I also
5398 * suspect that, in practice, nobody ever looks at that field
5399 * because the bug didn't appear to get fixed until NT 5.0....
5401 an = get_unicode_or_ascii_string(tvb, &offset,
5402 pinfo, &an_len, FALSE, FALSE, &bc);
5405 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5406 offset, an_len, an);
5407 COUNT_BYTES(an_len);
5409 /* Primary domain */
5410 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5411 * byte in front of this, at least if all the strings are
5412 * ASCII and the account name is empty. Another bug?
5414 dn = get_unicode_or_ascii_string(tvb, &offset,
5415 pinfo, &dn_len, FALSE, FALSE, &bc);
5418 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5419 offset, dn_len, dn);
5420 COUNT_BYTES(dn_len);
5426 /* password, ASCII */
5427 CHECK_BYTE_COUNT(pwlen);
5428 proto_tree_add_item(tree, hf_smb_password,
5429 tvb, offset, pwlen, TRUE);
5437 /* password, ANSI */
5438 CHECK_BYTE_COUNT(apwlen);
5439 proto_tree_add_item(tree, hf_smb_ansi_password,
5440 tvb, offset, apwlen, TRUE);
5441 COUNT_BYTES(apwlen);
5445 /* password, Unicode */
5446 CHECK_BYTE_COUNT(upwlen);
5447 proto_tree_add_item(tree, hf_smb_unicode_password,
5448 tvb, offset, upwlen, TRUE);
5449 COUNT_BYTES(upwlen);
5456 an = get_unicode_or_ascii_string(tvb, &offset,
5457 pinfo, &an_len, FALSE, FALSE, &bc);
5460 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5462 COUNT_BYTES(an_len);
5464 /* Primary domain */
5465 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5466 * byte in front of this, at least if all the strings are
5467 * ASCII and the account name is empty. Another bug?
5469 dn = get_unicode_or_ascii_string(tvb, &offset,
5470 pinfo, &dn_len, FALSE, FALSE, &bc);
5473 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5474 offset, dn_len, dn);
5475 COUNT_BYTES(dn_len);
5477 if (check_col(pinfo->cinfo, COL_INFO)) {
5478 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5480 if (!dn[0] && !an[0])
5481 col_append_fstr(pinfo->cinfo, COL_INFO,
5484 col_append_fstr(pinfo->cinfo, COL_INFO,
5489 an = get_unicode_or_ascii_string(tvb, &offset,
5490 pinfo, &an_len, FALSE, FALSE, &bc);
5493 proto_tree_add_string(tree, hf_smb_os, tvb,
5494 offset, an_len, an);
5495 COUNT_BYTES(an_len);
5498 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5499 * padding/null string/whatever in front of this. W2K doesn't
5500 * appear to. I suspect that's a bug that got fixed; I also
5501 * suspect that, in practice, nobody ever looks at that field
5502 * because the bug didn't appear to get fixed until NT 5.0....
5504 an = get_unicode_or_ascii_string(tvb, &offset,
5505 pinfo, &an_len, FALSE, FALSE, &bc);
5508 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5509 offset, an_len, an);
5510 COUNT_BYTES(an_len);
5515 /* call AndXCommand (if there are any) */
5516 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5522 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5524 guint8 wc, cmd=0xff;
5525 guint16 andxoffset=0, bc;
5532 /* next smb command */
5533 cmd = tvb_get_guint8(tvb, offset);
5535 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5537 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5542 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5546 andxoffset = tvb_get_letohs(tvb, offset);
5547 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5551 offset = dissect_setup_action(tvb, pinfo, tree, offset);
5554 /* security blob length */
5555 sbloblen = tvb_get_letohs(tvb, offset);
5556 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5564 /* XXX - is this ASN.1-encoded? Is it a Kerberos
5565 data structure, at least in NT 5.0-and-later
5568 CHECK_BYTE_COUNT(sbloblen);
5569 proto_tree_add_item(tree, hf_smb_security_blob,
5570 tvb, offset, sbloblen, TRUE);
5571 COUNT_BYTES(sbloblen);
5576 an = get_unicode_or_ascii_string(tvb, &offset,
5577 pinfo, &an_len, FALSE, FALSE, &bc);
5580 proto_tree_add_string(tree, hf_smb_os, tvb,
5581 offset, an_len, an);
5582 COUNT_BYTES(an_len);
5585 an = get_unicode_or_ascii_string(tvb, &offset,
5586 pinfo, &an_len, FALSE, FALSE, &bc);
5589 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5590 offset, an_len, an);
5591 COUNT_BYTES(an_len);
5594 /* Primary domain */
5595 an = get_unicode_or_ascii_string(tvb, &offset,
5596 pinfo, &an_len, FALSE, FALSE, &bc);
5599 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5600 offset, an_len, an);
5601 COUNT_BYTES(an_len);
5606 /* call AndXCommand (if there are any) */
5607 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5614 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5616 guint8 wc, cmd=0xff;
5617 guint16 andxoffset=0;
5622 /* next smb command */
5623 cmd = tvb_get_guint8(tvb, offset);
5625 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5627 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5632 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5636 andxoffset = tvb_get_letohs(tvb, offset);
5637 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5644 /* call AndXCommand (if there are any) */
5645 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5651 static const true_false_string tfs_connect_support_search = {
5652 "Exclusive search bits supported",
5653 "Exclusive search bits not supported"
5655 static const true_false_string tfs_connect_support_in_dfs = {
5657 "Share isn't in Dfs"
5661 dissect_connect_support_bits(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5664 proto_item *item = NULL;
5665 proto_tree *tree = NULL;
5667 mask = tvb_get_letohs(tvb, offset);
5670 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5671 "Optional Support: 0x%04x", mask);
5672 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
5675 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
5676 tvb, offset, 2, mask);
5677 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
5678 tvb, offset, 2, mask);
5685 static const true_false_string tfs_disconnect_tid = {
5687 "Do NOT disconnect TID"
5691 dissect_connect_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5694 proto_item *item = NULL;
5695 proto_tree *tree = NULL;
5697 mask = tvb_get_letohs(tvb, offset);
5700 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5701 "Flags: 0x%04x", mask);
5702 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
5705 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
5706 tvb, offset, 2, mask);
5714 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5716 guint8 wc, cmd=0xff;
5718 guint16 andxoffset=0, pwlen=0;
5724 /* next smb command */
5725 cmd = tvb_get_guint8(tvb, offset);
5727 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5729 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
5734 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5738 andxoffset = tvb_get_letohs(tvb, offset);
5739 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5743 offset = dissect_connect_flags(tvb, pinfo, tree, offset);
5745 /* password length*/
5746 pwlen = tvb_get_letohs(tvb, offset);
5747 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
5753 CHECK_BYTE_COUNT(pwlen);
5754 proto_tree_add_item(tree, hf_smb_password,
5755 tvb, offset, pwlen, TRUE);
5759 an = get_unicode_or_ascii_string(tvb, &offset,
5760 pinfo, &an_len, FALSE, FALSE, &bc);
5763 proto_tree_add_string(tree, hf_smb_path, tvb,
5764 offset, an_len, an);
5765 COUNT_BYTES(an_len);
5767 if (check_col(pinfo->cinfo, COL_INFO)) {
5768 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
5772 * NOTE: the Service string is always ASCII, even if the
5773 * "strings are Unicode" bit is set in the flags2 field
5778 /* XXX - what if this runs past bc? */
5779 an_len = tvb_strsize(tvb, offset);
5780 CHECK_BYTE_COUNT(an_len);
5781 an = tvb_get_ptr(tvb, offset, an_len);
5782 proto_tree_add_string(tree, hf_smb_service, tvb,
5783 offset, an_len, an);
5784 COUNT_BYTES(an_len);
5788 /* call AndXCommand (if there are any) */
5789 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5796 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5798 guint8 wc, wleft, cmd=0xff;
5799 guint16 andxoffset=0;
5806 wleft = wc; /* this is at least 1 */
5808 /* next smb command */
5809 cmd = tvb_get_guint8(tvb, offset);
5811 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5813 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
5818 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5826 andxoffset = tvb_get_letohs(tvb, offset);
5827 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5834 offset = dissect_connect_support_bits(tvb, pinfo, tree, offset);
5837 /* XXX - I've seen captures where this is 7, but I have no
5838 idea how to dissect it. I'm guessing the third word
5839 contains connect support bits, which looks plausible
5840 from the values I've seen. */
5842 while (wleft != 0) {
5843 proto_tree_add_text(tree, tvb, offset, 2,
5844 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
5852 * NOTE: even though the SNIA CIFS spec doesn't say there's
5853 * a "Service" string if there's a word count of 2, the
5856 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
5858 * (it's in an ugly format - text intended to be sent to a
5859 * printer, with backspaces and overstrikes used for boldfacing
5860 * and underlining; UNIX "col -b" can be used to strip the
5861 * overstrikes out) says there's a "Service" string there, and
5862 * some network traffic has it.
5866 * NOTE: the Service string is always ASCII, even if the
5867 * "strings are Unicode" bit is set in the flags2 field
5872 /* XXX - what if this runs past bc? */
5873 an_len = tvb_strsize(tvb, offset);
5874 CHECK_BYTE_COUNT(an_len);
5875 an = tvb_get_ptr(tvb, offset, an_len);
5876 proto_tree_add_string(tree, hf_smb_service, tvb,
5877 offset, an_len, an);
5878 COUNT_BYTES(an_len);
5880 /* Now when we know the service type, store it so that we know it for later commands down
5882 if(!pinfo->fd->flags.visited){
5883 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5884 /* Remove any previous entry for this TID */
5885 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
5886 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
5888 if(strcmp(an,"IPC") == 0){
5889 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
5891 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
5899 * Sometimes this isn't present.
5903 an = get_unicode_or_ascii_string(tvb, &offset,
5904 pinfo, &an_len, /*TRUE*/FALSE, FALSE, &bc);
5907 proto_tree_add_string(tree, hf_smb_fs, tvb,
5908 offset, an_len, an);
5909 COUNT_BYTES(an_len);
5915 /* call AndXCommand (if there are any) */
5916 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5923 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5924 NT Transaction command begins here
5925 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
5926 #define NT_TRANS_CREATE 1
5927 #define NT_TRANS_IOCTL 2
5928 #define NT_TRANS_SSD 3
5929 #define NT_TRANS_NOTIFY 4
5930 #define NT_TRANS_RENAME 5
5931 #define NT_TRANS_QSD 6
5932 #define NT_TRANS_GET_USER_QUOTA 7
5933 #define NT_TRANS_SET_USER_QUOTA 8
5934 static const value_string nt_cmd_vals[] = {
5935 {NT_TRANS_CREATE, "NT CREATE"},
5936 {NT_TRANS_IOCTL, "NT IOCTL"},
5937 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
5938 {NT_TRANS_NOTIFY, "NT NOTIFY"},
5939 {NT_TRANS_RENAME, "NT RENAME"},
5940 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
5941 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
5942 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
5946 static const value_string nt_ioctl_isfsctl_vals[] = {
5947 {0, "Device IOCTL"},
5948 {1, "FS control : FSCTL"},
5952 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
5953 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
5954 "Apply the command to share root handle (MUST BE Dfs)",
5955 "Apply to this share",
5958 static const value_string nt_notify_action_vals[] = {
5959 {1, "ADDED (object was added"},
5960 {2, "REMOVED (object was removed)"},
5961 {3, "MODIFIED (object was modified)"},
5962 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
5963 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
5964 {6, "ADDED_STREAM (a stream was added)"},
5965 {7, "REMOVED_STREAM (a stream was removed)"},
5966 {8, "MODIFIED_STREAM (a stream was modified)"},
5970 static const value_string watch_tree_vals[] = {
5971 {0, "Current directory only"},
5972 {1, "Subdirectories also"},
5976 #define NT_NOTIFY_STREAM_WRITE 0x00000800
5977 #define NT_NOTIFY_STREAM_SIZE 0x00000400
5978 #define NT_NOTIFY_STREAM_NAME 0x00000200
5979 #define NT_NOTIFY_SECURITY 0x00000100
5980 #define NT_NOTIFY_EA 0x00000080
5981 #define NT_NOTIFY_CREATION 0x00000040
5982 #define NT_NOTIFY_LAST_ACCESS 0x00000020
5983 #define NT_NOTIFY_LAST_WRITE 0x00000010
5984 #define NT_NOTIFY_SIZE 0x00000008
5985 #define NT_NOTIFY_ATTRIBUTES 0x00000004
5986 #define NT_NOTIFY_DIR_NAME 0x00000002
5987 #define NT_NOTIFY_FILE_NAME 0x00000001
5988 static const true_false_string tfs_nt_notify_stream_write = {
5989 "Notify on changes to STREAM WRITE",
5990 "Do NOT notify on changes to stream write",
5992 static const true_false_string tfs_nt_notify_stream_size = {
5993 "Notify on changes to STREAM SIZE",
5994 "Do NOT notify on changes to stream size",
5996 static const true_false_string tfs_nt_notify_stream_name = {
5997 "Notify on changes to STREAM NAME",
5998 "Do NOT notify on changes to stream name",
6000 static const true_false_string tfs_nt_notify_security = {
6001 "Notify on changes to SECURITY",
6002 "Do NOT notify on changes to security",
6004 static const true_false_string tfs_nt_notify_ea = {
6005 "Notify on changes to EA",
6006 "Do NOT notify on changes to EA",
6008 static const true_false_string tfs_nt_notify_creation = {
6009 "Notify on changes to CREATION TIME",
6010 "Do NOT notify on changes to creation time",
6012 static const true_false_string tfs_nt_notify_last_access = {
6013 "Notify on changes to LAST ACCESS TIME",
6014 "Do NOT notify on changes to last access time",
6016 static const true_false_string tfs_nt_notify_last_write = {
6017 "Notify on changes to LAST WRITE TIME",
6018 "Do NOT notify on changes to last write time",
6020 static const true_false_string tfs_nt_notify_size = {
6021 "Notify on changes to SIZE",
6022 "Do NOT notify on changes to size",
6024 static const true_false_string tfs_nt_notify_attributes = {
6025 "Notify on changes to ATTRIBUTES",
6026 "Do NOT notify on changes to attributes",
6028 static const true_false_string tfs_nt_notify_dir_name = {
6029 "Notify on changes to DIR NAME",
6030 "Do NOT notify on changes to dir name",
6032 static const true_false_string tfs_nt_notify_file_name = {
6033 "Notify on changes to FILE NAME",
6034 "Do NOT notify on changes to file name",
6037 static const value_string create_disposition_vals[] = {
6038 {0, "Supersede (supersede existing file (if it exists))"},
6039 {1, "Open (if file exists open it, else fail)"},
6040 {2, "Create (if file exists fail, else create it)"},
6041 {3, "Open If (if file exists open it, else create it)"},
6042 {4, "Overwrite (if file exists overwrite, else fail)"},
6043 {5, "Overwrite If (if file exists overwrite, else create it)"},
6047 static const value_string impersonation_level_vals[] = {
6049 {1, "Identification"},
6050 {2, "Impersonation"},
6055 static const true_false_string tfs_nt_security_flags_context_tracking = {
6056 "Security tracking mode is DYNAMIC",
6057 "Security tracking mode is STATIC",
6060 static const true_false_string tfs_nt_security_flags_effective_only = {
6061 "ONLY ENABLED aspects of the client's security context are available",
6062 "ALL aspects of the client's security context are available",
6065 static const true_false_string tfs_nt_create_bits_oplock = {
6066 "Requesting OPLOCK",
6067 "Does NOT request oplock"
6070 static const true_false_string tfs_nt_create_bits_boplock = {
6071 "Requesting BATCH OPLOCK",
6072 "Does NOT request batch oplock"
6076 * XXX - must be a directory, and can be a file, or can be a directory,
6077 * and must be a file?
6079 static const true_false_string tfs_nt_create_bits_dir = {
6080 "Target of open MUST be a DIRECTORY",
6081 "Target of open can be a file"
6084 static const true_false_string tfs_nt_access_mask_generic_read = {
6085 "GENERIC READ is set",
6086 "Generic read is NOT set"
6088 static const true_false_string tfs_nt_access_mask_generic_write = {
6089 "GENERIC WRITE is set",
6090 "Generic write is NOT set"
6092 static const true_false_string tfs_nt_access_mask_generic_execute = {
6093 "GENERIC EXECUTE is set",
6094 "Generic execute is NOT set"
6096 static const true_false_string tfs_nt_access_mask_generic_all = {
6097 "GENERIC ALL is set",
6098 "Generic all is NOT set"
6100 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6101 "MAXIMUM ALLOWED is set",
6102 "Maximum allowed is NOT set"
6104 static const true_false_string tfs_nt_access_mask_system_security = {
6105 "SYSTEM SECURITY is set",
6106 "System security is NOT set"
6108 static const true_false_string tfs_nt_access_mask_synchronize = {
6109 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6110 "Can NOT wait on handle to synchronize on completion of I/O"
6112 static const true_false_string tfs_nt_access_mask_write_owner = {
6113 "Can WRITE OWNER (take ownership)",
6114 "Can NOT write owner (take ownership)"
6116 static const true_false_string tfs_nt_access_mask_write_dac = {
6117 "OWNER may WRITE the DAC",
6118 "Owner may NOT write to the DAC"
6120 static const true_false_string tfs_nt_access_mask_read_control = {
6121 "READ ACCESS to owner, group and ACL of the SID",
6122 "Read access is NOT granted to owner, group and ACL of the SID"
6124 static const true_false_string tfs_nt_access_mask_delete = {
6128 static const true_false_string tfs_nt_access_mask_write_attributes = {
6129 "WRITE ATTRIBUTES access",
6130 "NO write attributes access"
6132 static const true_false_string tfs_nt_access_mask_read_attributes = {
6133 "READ ATTRIBUTES access",
6134 "NO read attributes access"
6136 static const true_false_string tfs_nt_access_mask_delete_child = {
6137 "DELETE CHILD access",
6138 "NO delete child access"
6140 static const true_false_string tfs_nt_access_mask_execute = {
6144 static const true_false_string tfs_nt_access_mask_write_ea = {
6145 "WRITE EXTENDED ATTRIBUTES access",
6146 "NO write extended attributes access"
6148 static const true_false_string tfs_nt_access_mask_read_ea = {
6149 "READ EXTENDED ATTRIBUTES access",
6150 "NO read extended attributes access"
6152 static const true_false_string tfs_nt_access_mask_append = {
6156 static const true_false_string tfs_nt_access_mask_write = {
6160 static const true_false_string tfs_nt_access_mask_read = {
6165 static const true_false_string tfs_nt_share_access_delete = {
6166 "Object can be shared for DELETE",
6167 "Object can NOT be shared for delete"
6169 static const true_false_string tfs_nt_share_access_write = {
6170 "Object can be shared for WRITE",
6171 "Object can NOT be shared for write"
6173 static const true_false_string tfs_nt_share_access_read = {
6174 "Object can be shared for READ",
6175 "Object can NOT be shared for delete"
6178 static const value_string oplock_level_vals[] = {
6179 {0, "No oplock granted"},
6180 {1, "Exclusive oplock granted"},
6181 {2, "Batch oplock granted"},
6182 {3, "Level II oplock granted"},
6186 static const value_string device_type_vals[] = {
6187 {0x00000001, "Beep"},
6188 {0x00000002, "CDROM"},
6189 {0x00000003, "CDROM Filesystem"},
6190 {0x00000004, "Controller"},
6191 {0x00000005, "Datalink"},
6192 {0x00000006, "Dfs"},
6193 {0x00000007, "Disk"},
6194 {0x00000008, "Disk Filesystem"},
6195 {0x00000009, "Filesystem"},
6196 {0x0000000a, "Inport Port"},
6197 {0x0000000b, "Keyboard"},
6198 {0x0000000c, "Mailslot"},
6199 {0x0000000d, "MIDI-In"},
6200 {0x0000000e, "MIDI-Out"},
6201 {0x0000000f, "Mouse"},
6202 {0x00000010, "Multi UNC Provider"},
6203 {0x00000011, "Named Pipe"},
6204 {0x00000012, "Network"},
6205 {0x00000013, "Network Browser"},
6206 {0x00000014, "Network Filesystem"},
6207 {0x00000015, "NULL"},
6208 {0x00000016, "Parallel Port"},
6209 {0x00000017, "Physical card"},
6210 {0x00000018, "Printer"},
6211 {0x00000019, "Scanner"},
6212 {0x0000001a, "Serial Mouse port"},
6213 {0x0000001b, "Serial port"},
6214 {0x0000001c, "Screen"},
6215 {0x0000001d, "Sound"},
6216 {0x0000001e, "Streams"},
6217 {0x0000001f, "Tape"},
6218 {0x00000020, "Tape Filesystem"},
6219 {0x00000021, "Transport"},
6220 {0x00000022, "Unknown"},
6221 {0x00000023, "Video"},
6222 {0x00000024, "Virtual Disk"},
6223 {0x00000025, "WAVE-In"},
6224 {0x00000026, "WAVE-Out"},
6225 {0x00000027, "8042 Port"},
6226 {0x00000028, "Network Redirector"},
6227 {0x00000029, "Battery"},
6228 {0x0000002a, "Bus Extender"},
6229 {0x0000002b, "Modem"},
6230 {0x0000002c, "VDM"},
6234 static const value_string is_directory_vals[] = {
6235 {0, "This is NOT a directory"},
6236 {1, "This is a DIRECTORY"},
6240 typedef struct _nt_trans_data {
6249 dissect_nt_security_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6252 proto_item *item = NULL;
6253 proto_tree *tree = NULL;
6255 mask = tvb_get_guint8(tvb, offset);
6258 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6259 "Security Flags: 0x%02x", mask);
6260 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
6263 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6264 tvb, offset, 1, mask);
6265 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6266 tvb, offset, 1, mask);
6274 dissect_nt_share_access(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6277 proto_item *item = NULL;
6278 proto_tree *tree = NULL;
6280 mask = tvb_get_letohl(tvb, offset);
6283 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6284 "Share Access: 0x%08x", mask);
6285 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6288 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6289 tvb, offset, 4, mask);
6290 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6291 tvb, offset, 4, mask);
6292 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6293 tvb, offset, 4, mask);
6302 dissect_nt_access_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6305 proto_item *item = NULL;
6306 proto_tree *tree = NULL;
6308 mask = tvb_get_letohl(tvb, offset);
6311 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6312 "Access Mask: 0x%08x", mask);
6313 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6317 * Some of these bits come from
6319 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6321 * and others come from the section on ZwOpenFile in "Windows(R)
6322 * NT(R)/2000 Native API Reference".
6324 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6325 tvb, offset, 4, mask);
6326 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6327 tvb, offset, 4, mask);
6328 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6329 tvb, offset, 4, mask);
6330 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6331 tvb, offset, 4, mask);
6332 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6333 tvb, offset, 4, mask);
6334 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6335 tvb, offset, 4, mask);
6336 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6337 tvb, offset, 4, mask);
6338 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6339 tvb, offset, 4, mask);
6340 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6341 tvb, offset, 4, mask);
6342 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6343 tvb, offset, 4, mask);
6344 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6345 tvb, offset, 4, mask);
6346 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6347 tvb, offset, 4, mask);
6348 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6349 tvb, offset, 4, mask);
6350 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6351 tvb, offset, 4, mask);
6352 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6353 tvb, offset, 4, mask);
6354 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6355 tvb, offset, 4, mask);
6356 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6357 tvb, offset, 4, mask);
6358 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6359 tvb, offset, 4, mask);
6360 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6361 tvb, offset, 4, mask);
6362 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6363 tvb, offset, 4, mask);
6371 dissect_nt_create_bits(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6374 proto_item *item = NULL;
6375 proto_tree *tree = NULL;
6377 mask = tvb_get_letohl(tvb, offset);
6380 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6381 "Create Flags: 0x%08x", mask);
6382 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6386 * XXX - it's 0x00000016 in at least one capture, but
6387 * Network Monitor doesn't say what the 0x00000010 bit is.
6388 * Does the Win32 API documentation, or NT Native API book,
6391 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6392 tvb, offset, 4, mask);
6393 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6394 tvb, offset, 4, mask);
6395 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6396 tvb, offset, 4, mask);
6404 * XXX - there are some more flags in the description of "ZwOpenFile()"
6405 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6406 * the wire as well? (The spec at
6408 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6410 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6411 * via the SMB protocol. The NT redirector should convert this option
6412 * to FILE_WRITE_THROUGH."
6414 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6415 * values one would infer from their position in the list of flags for
6416 * "ZwOpenFile()". Most of the others probably have those values
6417 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6418 * which might go over the wire (for the benefit of backup/restore software).
6420 static const true_false_string tfs_nt_create_options_directory = {
6421 "File being created/opened must be a directory",
6422 "File being created/opened must not be a directory"
6424 static const true_false_string tfs_nt_create_options_write_through = {
6425 "Writes should flush buffered data before completing",
6426 "Writes need not flush buffered data before completing"
6428 static const true_false_string tfs_nt_create_options_sequential_only = {
6429 "The file will only be accessed sequentially",
6430 "The file might not only be accessed sequentially"
6432 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6433 "All operations SYNCHRONOUS, waits subject to termination from alert",
6434 "Operations NOT necessarily synchronous"
6436 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6437 "All operations SYNCHRONOUS, waits not subject to alert",
6438 "Operations NOT necessarily synchronous"
6440 static const true_false_string tfs_nt_create_options_non_directory = {
6441 "File being created/opened must not be a directory",
6442 "File being created/opened must be a directory"
6444 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6445 "The client does not understand extended attributes",
6446 "The client understands extended attributes"
6448 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6449 "The client understands only 8.3 file names",
6450 "The client understands long file names"
6452 static const true_false_string tfs_nt_create_options_random_access = {
6453 "The file will be accessed randomly",
6454 "The file will not be accessed randomly"
6456 static const true_false_string tfs_nt_create_options_delete_on_close = {
6457 "The file should be deleted when it is closed",
6458 "The file should not be deleted when it is closed"
6462 dissect_nt_create_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6465 proto_item *item = NULL;
6466 proto_tree *tree = NULL;
6468 mask = tvb_get_letohl(tvb, offset);
6471 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6472 "Create Options: 0x%08x", mask);
6473 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6479 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6481 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6482 tvb, offset, 4, mask);
6483 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6484 tvb, offset, 4, mask);
6485 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6486 tvb, offset, 4, mask);
6487 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6488 tvb, offset, 4, mask);
6489 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6490 tvb, offset, 4, mask);
6491 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6492 tvb, offset, 4, mask);
6493 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6494 tvb, offset, 4, mask);
6495 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
6496 tvb, offset, 4, mask);
6497 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
6498 tvb, offset, 4, mask);
6499 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
6500 tvb, offset, 4, mask);
6508 dissect_nt_notify_completion_filter(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6511 proto_item *item = NULL;
6512 proto_tree *tree = NULL;
6514 mask = tvb_get_letohl(tvb, offset);
6517 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6518 "Completion Filter: 0x%08x", mask);
6519 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
6522 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
6523 tvb, offset, 4, mask);
6524 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
6525 tvb, offset, 4, mask);
6526 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
6527 tvb, offset, 4, mask);
6528 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
6529 tvb, offset, 4, mask);
6530 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
6531 tvb, offset, 4, mask);
6532 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
6533 tvb, offset, 4, mask);
6534 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
6535 tvb, offset, 4, mask);
6536 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
6537 tvb, offset, 4, mask);
6538 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
6539 tvb, offset, 4, mask);
6540 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
6541 tvb, offset, 4, mask);
6542 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
6543 tvb, offset, 4, mask);
6544 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
6545 tvb, offset, 4, mask);
6552 dissect_nt_ioctl_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6555 proto_item *item = NULL;
6556 proto_tree *tree = NULL;
6558 mask = tvb_get_guint8(tvb, offset);
6561 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6562 "Completion Filter: 0x%02x", mask);
6563 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
6566 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
6567 tvb, offset, 1, mask);
6574 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
6575 * Native API Reference".
6577 static const true_false_string tfs_nt_qsd_owner = {
6578 "Requesting OWNER security information",
6579 "NOT requesting owner security information",
6582 static const true_false_string tfs_nt_qsd_group = {
6583 "Requesting GROUP security information",
6584 "NOT requesting group security information",
6587 static const true_false_string tfs_nt_qsd_dacl = {
6588 "Requesting DACL security information",
6589 "NOT requesting DACL security information",
6592 static const true_false_string tfs_nt_qsd_sacl = {
6593 "Requesting SACL security information",
6594 "NOT requesting SACL security information",
6597 #define NT_QSD_OWNER 0x00000001
6598 #define NT_QSD_GROUP 0x00000002
6599 #define NT_QSD_DACL 0x00000004
6600 #define NT_QSD_SACL 0x00000008
6603 dissect_security_information_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6606 proto_item *item = NULL;
6607 proto_tree *tree = NULL;
6609 mask = tvb_get_letohl(tvb, offset);
6612 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6613 "Security Information: 0x%08x", mask);
6614 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
6617 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
6618 tvb, offset, 4, mask);
6619 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
6620 tvb, offset, 4, mask);
6621 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
6622 tvb, offset, 4, mask);
6623 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
6624 tvb, offset, 4, mask);
6632 free_g_string(void *arg)
6634 GString *gstring = arg;
6636 g_string_free(arg, TRUE);
6640 dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
6642 proto_item *item = NULL;
6643 proto_tree *tree = NULL;
6644 int old_offset = offset, sa_offset = offset;
6645 guint *s_auths = NULL;
6649 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
6654 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6656 tree = proto_item_add_subtree(item, ett_smb_sid);
6659 /* revision of sid */
6660 revision = tvb_get_guint8(tvb, offset);
6661 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, offset, 1, TRUE);
6666 case 2: /* Not sure what the different revision numbers mean */
6667 /* number of authorities*/
6668 num_auth = tvb_get_guint8(tvb, offset);
6669 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, offset, 1, TRUE);
6672 /* XXX perhaps we should have these thing searchable?
6673 a new FT_xxx thingie? SMB is quite common!*/
6674 /* identifier authorities */
6676 /* FIXME: We should dynamically allocate the authorities array,
6677 which is only one thing. Then we don't have to allocate two
6678 strings below etc ...
6682 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
6687 proto_tree_add_text(tree, tvb, offset - 6, 6, "Authority: %u", auth);
6691 CLEANUP_PUSH(free, s_auths);
6693 s_auths = g_malloc(sizeof(guint) * num_auth);
6695 /* sub authorities, leave RID to last */
6696 /* FIXME: If we take an exception now, we lose the whole
6697 sub-authorities string thang */
6698 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
6699 /* XXX should not be letohl but native byteorder according to
6700 samba header files. considering that all non-x86 NT ports
6701 are dead we can (?) assume that non le byte encodings
6702 will be "uncommon"?*/
6703 s_auths[i] = tvb_get_letohl(tvb, offset);
6707 CLEANUP_CALL_AND_POP;
6709 gstr = g_string_new("");
6711 for (i = 0; i < (num_auth>4?(num_auth - 1):num_auth); i++)
6712 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"), s_auths[i]);
6714 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
6717 rid = tvb_get_letohl(tvb, offset);
6718 proto_tree_add_text(tree, tvb, offset, 4, "RID: %u", rid);
6719 proto_item_append_text(item, ": S-1-%u-%s-%u", auth, gstr->str, rid);
6723 proto_item_append_text(item, ": S-1-%u-%s", auth, gstr->str);
6728 proto_item_set_len(item, offset-old_offset);
6733 static const value_string ace_type_vals[] = {
6734 { 0, "Access Allowed"},
6735 { 1, "Access Denied"},
6736 { 2, "System Audit"},
6737 { 3, "System Alarm"},
6740 static const true_false_string tfs_ace_flags_object_inherit = {
6741 "Subordinate files will inherit this ACE",
6742 "Subordinate files will not inherit this ACE"
6744 static const true_false_string tfs_ace_flags_container_inherit = {
6745 "Subordinate containers will inherit this ACE",
6746 "Subordinate containers will not inherit this ACE"
6748 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
6749 "Subordinate object will not propagate the inherited ACE further",
6750 "Subordinate object will propagate the inherited ACE further"
6752 static const true_false_string tfs_ace_flags_inherit_only = {
6753 "This ACE does not apply to the current object",
6754 "This ACE applies to the current object"
6756 static const true_false_string tfs_ace_flags_inherited_ace = {
6757 "This ACE was inherited from its parent object",
6758 "This ACE was not inherited from its parent object"
6760 static const true_false_string tfs_ace_flags_successful_access = {
6761 "Successful accesses will be audited",
6762 "Successful accesses will not be audited"
6764 static const true_false_string tfs_ace_flags_failed_access = {
6765 "Failed accesses will be audited",
6766 "Failed accesses will not be audited"
6769 #define APPEND_ACE_TEXT(flag, item, string) \
6772 proto_item_append_text(item, string, sep); \
6777 dissect_nt_v2_ace_flags(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6779 proto_item *item = NULL;
6780 proto_tree *tree = NULL;
6784 mask = tvb_get_guint8(tvb, offset);
6786 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6787 "NT ACE Flags: 0x%02x", mask);
6788 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
6791 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
6792 tvb, offset, 1, mask);
6793 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
6795 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
6796 tvb, offset, 1, mask);
6797 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
6799 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
6800 tvb, offset, 1, mask);
6801 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
6803 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
6804 tvb, offset, 1, mask);
6805 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
6807 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
6808 tvb, offset, 1, mask);
6809 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
6811 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
6812 tvb, offset, 1, mask);
6813 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
6815 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
6816 tvb, offset, 1, mask);
6817 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
6825 dissect_nt_v2_ace(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6827 proto_item *item = NULL;
6828 proto_tree *tree = NULL;
6829 int old_offset = offset;
6833 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6835 tree = proto_item_add_subtree(item, ett_smb_ace);
6840 proto_item_append_text(item, val_to_str(tvb_get_guint8(tvb, offset), ace_type_vals, "Unknown ACE type (%u)"));
6842 proto_tree_add_item(tree, hf_smb_ace_type, tvb, offset, 1, TRUE);
6846 offset = dissect_nt_v2_ace_flags(tvb, pinfo, offset, tree);
6849 size = tvb_get_letohs(tvb, offset);
6850 proto_tree_add_uint(tree, hf_smb_ace_size, tvb, offset, 2, size);
6854 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
6857 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "ACE");
6859 proto_item_set_len(item, offset-old_offset);
6861 /* Sometimes there is some spare space at the end of the ACE so use
6862 the size field to work out where the end is. */
6864 return old_offset + size;
6868 dissect_nt_acl(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
6870 proto_item *item = NULL;
6871 proto_tree *tree = NULL;
6872 int old_offset = offset;
6873 guint16 revision, size;
6877 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6879 tree = proto_item_add_subtree(item, ett_smb_acl);
6883 revision = tvb_get_letohs(tvb, offset);
6884 proto_tree_add_uint(tree, hf_smb_acl_revision,
6885 tvb, offset, 2, revision);
6889 case 2: /* only version we will ever see of this structure?*/
6892 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
6895 /* number of ace structures */
6896 num_aces = tvb_get_letohl(tvb, offset);
6897 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
6898 tvb, offset, 4, num_aces);
6902 offset=dissect_nt_v2_ace(tvb, pinfo, offset, tree);
6906 proto_item_set_len(item, offset-old_offset);
6910 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
6911 "OWNER is DEFAULTED",
6912 "Owner is NOT defaulted"
6914 static const true_false_string tfs_sec_desc_type_group_defaulted = {
6915 "GROUP is DEFAULTED",
6916 "Group is NOT defaulted"
6918 static const true_false_string tfs_sec_desc_type_dacl_present = {
6920 "DACL is NOT present"
6922 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
6923 "DACL is DEFAULTED",
6924 "DACL is NOT defaulted"
6926 static const true_false_string tfs_sec_desc_type_sacl_present = {
6928 "SACL is NOT present"
6930 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
6931 "SACL is DEFAULTED",
6932 "SACL is NOT defaulted"
6934 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
6935 "DACL has AUTO INHERIT REQUIRED",
6936 "DACL does NOT require auto inherit"
6938 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
6939 "SACL has AUTO INHERIT REQUIRED",
6940 "SACL does NOT require auto inherit"
6942 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
6943 "DACL is AUTO INHERITED",
6944 "DACL is NOT auto inherited"
6946 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
6947 "SACL is AUTO INHERITED",
6948 "SACL is NOT auto inherited"
6950 static const true_false_string tfs_sec_desc_type_dacl_protected = {
6951 "The DACL is PROTECTED",
6952 "The DACL is NOT protected"
6954 static const true_false_string tfs_sec_desc_type_sacl_protected = {
6955 "The SACL is PROTECTED",
6956 "The SACL is NOT protected"
6958 static const true_false_string tfs_sec_desc_type_self_relative = {
6959 "This SecDesc is SELF RELATIVE",
6960 "This SecDesc is NOT self relative"
6965 dissect_nt_sec_desc_type(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6967 proto_item *item = NULL;
6968 proto_tree *tree = NULL;
6971 mask = tvb_get_letohs(tvb, offset);
6973 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6974 "Type: 0x%04x", mask);
6975 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
6978 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
6979 tvb, offset, 2, mask);
6980 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
6981 tvb, offset, 2, mask);
6982 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
6983 tvb, offset, 2, mask);
6984 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
6985 tvb, offset, 2, mask);
6986 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
6987 tvb, offset, 2, mask);
6988 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
6989 tvb, offset, 2, mask);
6990 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
6991 tvb, offset, 2, mask);
6992 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
6993 tvb, offset, 2, mask);
6994 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
6995 tvb, offset, 2, mask);
6996 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
6997 tvb, offset, 2, mask);
6998 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
6999 tvb, offset, 2, mask);
7000 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
7001 tvb, offset, 2, mask);
7002 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
7003 tvb, offset, 2, mask);
7010 /* This function is also called from DCREPC services; it may be that, in
7011 some cases, the NDR syntax must be followed, but that's not the case,
7012 for example, for the security descriptor inside an LSA Security
7013 Descriptor structure.
7015 A "len" of -1 means that the NDR syntax must be followed.
7016 In that case, we assume that owner SID, group SID, SACL, and DACL objects
7017 are always stored in order (when present) and that all of them are aligned
7018 on a 4 byte boundary, and we no longer use the xxx_offset other than to
7019 check that they are non-NULL to be compatible with DCERPC NDR Unique.
7021 Otherwise, we use the offsets to see where the owner SID, group SID,
7022 SACL, and DACL are stored. */
7024 dissect_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len)
7026 proto_item *item = NULL;
7027 proto_tree *tree = NULL;
7029 int old_offset = offset;
7030 guint32 owner_sid_offset;
7031 guint32 group_sid_offset;
7032 guint32 sacl_offset;
7033 guint32 dacl_offset;
7036 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7037 "NT Security Descriptor");
7038 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
7042 revision = tvb_get_letohs(tvb, offset);
7043 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
7044 tvb, offset, 2, revision);
7048 case 1: /* only version we will ever see of this structure?*/
7050 offset = dissect_nt_sec_desc_type(tvb, pinfo, offset, tree);
7052 /* offset to owner sid */
7053 owner_sid_offset = tvb_get_letohl(tvb, offset);
7054 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %d", owner_sid_offset);
7057 /* offset to group sid */
7058 group_sid_offset = tvb_get_letohl(tvb, offset);
7059 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %d", group_sid_offset);
7062 /* offset to sacl */
7063 sacl_offset = tvb_get_letohl(tvb, offset);
7064 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %d", sacl_offset);
7067 /* offset to dacl */
7068 dacl_offset = tvb_get_letohl(tvb, offset);
7069 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %d", dacl_offset);
7073 if(owner_sid_offset){
7075 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Owner");
7077 dissect_nt_sid(tvb, pinfo, old_offset+owner_sid_offset, tree, "Owner");
7081 if(group_sid_offset){
7083 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Group");
7085 dissect_nt_sid(tvb, pinfo, old_offset+group_sid_offset, tree, "Group");
7091 offset = dissect_nt_acl(tvb, pinfo, offset, tree, "System (SACL)");
7093 dissect_nt_acl(tvb, pinfo, old_offset+sacl_offset, tree, "System (SACL)");
7099 offset = dissect_nt_acl(tvb, pinfo, offset, tree, "User (DACL)");
7101 dissect_nt_acl(tvb, pinfo, old_offset+dacl_offset, tree, "User (DACL)");
7107 proto_item_set_len(item, offset-old_offset);
7114 dissect_nt_user_quota(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp)
7116 int old_offset, old_sid_offset;
7122 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7123 qsize=tvb_get_letohl(tvb, offset);
7124 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7125 COUNT_BYTES_TRANS_SUBR(4);
7127 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7129 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7130 COUNT_BYTES_TRANS_SUBR(4);
7132 /* 16 unknown bytes */
7133 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7134 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7136 COUNT_BYTES_TRANS_SUBR(8);
7138 /* number of bytes for used quota */
7139 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7140 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7141 COUNT_BYTES_TRANS_SUBR(8);
7143 /* number of bytes for quota warning */
7144 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7145 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7146 COUNT_BYTES_TRANS_SUBR(8);
7148 /* number of bytes for quota limit */
7149 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7150 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7151 COUNT_BYTES_TRANS_SUBR(8);
7153 /* SID of the user */
7154 old_sid_offset=offset;
7155 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Quota");
7156 *bcp -= (offset-old_sid_offset);
7159 offset = old_offset+qsize;
7169 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7171 proto_item *item = NULL;
7172 proto_tree *tree = NULL;
7174 int old_offset = offset;
7175 guint16 bcp=bc; /* XXX fixme */
7177 si = (smb_info_t *)pinfo->private_data;
7180 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7182 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7183 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7186 switch(ntd->subcmd){
7187 case NT_TRANS_CREATE:
7188 /* security descriptor */
7190 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, ntd->sd_len);
7193 /* extended attributes */
7195 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7196 offset += ntd->ea_len;
7200 case NT_TRANS_IOCTL:
7202 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
7207 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, bc);
7209 case NT_TRANS_NOTIFY:
7211 case NT_TRANS_RENAME:
7212 /* XXX not documented */
7216 case NT_TRANS_GET_USER_QUOTA:
7217 /* unknown 4 bytes */
7218 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7223 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7226 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Quota");
7228 case NT_TRANS_SET_USER_QUOTA:
7229 offset = dissect_nt_user_quota(tvb, pinfo, tree, offset, &bcp);
7233 /* ooops there were data we didnt know how to process */
7234 if((offset-old_offset) < bc){
7235 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7236 bc - (offset-old_offset), TRUE);
7237 offset += bc - (offset-old_offset);
7244 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7246 proto_item *item = NULL;
7247 proto_tree *tree = NULL;
7252 si = (smb_info_t *)pinfo->private_data;
7255 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7257 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7258 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7261 switch(ntd->subcmd){
7262 case NT_TRANS_CREATE:
7264 offset = dissect_nt_create_bits(tvb, pinfo, tree, offset);
7267 /* root directory fid */
7268 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7271 /* nt access mask */
7272 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
7275 /* allocation size */
7276 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7279 /* Extended File Attributes */
7280 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
7284 offset = dissect_nt_share_access(tvb, pinfo, tree, offset);
7287 /* create disposition */
7288 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7291 /* create options */
7292 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
7296 ntd->sd_len = tvb_get_letohl(tvb, offset);
7297 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7301 ntd->ea_len = tvb_get_letohl(tvb, offset);
7302 proto_tree_add_uint(tree, hf_smb_ea_length, tvb, offset, 4, ntd->ea_len);
7306 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7307 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7310 /* impersonation level */
7311 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
7314 /* security flags */
7315 offset = dissect_nt_security_flags(tvb, pinfo, tree, offset);
7319 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, &bc);
7321 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7323 COUNT_BYTES(fn_len);
7327 case NT_TRANS_IOCTL:
7329 case NT_TRANS_SSD: {
7333 fid = tvb_get_letohs(tvb, offset);
7334 add_fid(tvb, pinfo, tree, offset, 2, fid);
7337 /* 2 reserved bytes */
7338 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7341 /* security information */
7342 offset = dissect_security_information_mask(tvb, pinfo, tree, offset);
7345 case NT_TRANS_NOTIFY:
7347 case NT_TRANS_RENAME:
7348 /* XXX not documented */
7350 case NT_TRANS_QSD: {
7354 fid = tvb_get_letohs(tvb, offset);
7355 add_fid(tvb, pinfo, tree, offset, 2, fid);
7358 /* 2 reserved bytes */
7359 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7362 /* security information */
7363 offset = dissect_security_information_mask(tvb, pinfo, tree, offset);
7366 case NT_TRANS_GET_USER_QUOTA:
7367 /* not decoded yet */
7369 case NT_TRANS_SET_USER_QUOTA:
7370 /* not decoded yet */
7378 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7380 proto_item *item = NULL;
7381 proto_tree *tree = NULL;
7383 int old_offset = offset;
7385 si = (smb_info_t *)pinfo->private_data;
7388 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7390 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7391 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7394 switch(ntd->subcmd){
7395 case NT_TRANS_CREATE:
7397 case NT_TRANS_IOCTL: {
7401 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
7405 fid = tvb_get_letohs(tvb, offset);
7406 add_fid(tvb, pinfo, tree, offset, 2, fid);
7410 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
7414 offset = dissect_nt_ioctl_flags(tvb, pinfo, tree, offset);
7420 case NT_TRANS_NOTIFY: {
7423 /* completion filter */
7424 offset = dissect_nt_notify_completion_filter(tvb, pinfo, tree, offset);
7427 fid = tvb_get_letohs(tvb, offset);
7428 add_fid(tvb, pinfo, tree, offset, 2, fid);
7432 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
7436 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7441 case NT_TRANS_RENAME:
7442 /* XXX not documented */
7446 case NT_TRANS_GET_USER_QUOTA:
7447 /* not decoded yet */
7449 case NT_TRANS_SET_USER_QUOTA:
7450 /* not decoded yet */
7454 return old_offset+len;
7459 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7462 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
7464 smb_saved_info_t *sip;
7469 smb_nt_transact_info_t *nti;
7471 si = (smb_info_t *)pinfo->private_data;
7477 /* primary request */
7478 /* max setup count */
7479 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
7482 /* 2 reserved bytes */
7483 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7486 /* secondary request */
7487 /* 3 reserved bytes */
7488 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7493 /* total param count */
7494 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
7497 /* total data count */
7498 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
7502 /* primary request */
7503 /* max param count */
7504 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
7507 /* max data count */
7508 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
7513 pc = tvb_get_letohl(tvb, offset);
7514 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7518 po = tvb_get_letohl(tvb, offset);
7519 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7522 /* param displacement */
7524 /* primary request*/
7527 /* secondary request */
7528 pd = tvb_get_letohl(tvb, offset);
7529 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
7534 dc = tvb_get_letohl(tvb, offset);
7535 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7539 od = tvb_get_letohl(tvb, offset);
7540 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7543 /* data displacement */
7545 /* primary request */
7548 /* secondary request */
7549 dd = tvb_get_letohl(tvb, offset);
7550 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7556 /* primary request */
7557 sc = tvb_get_guint8(tvb, offset);
7558 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7561 /* secondary request */
7567 /* primary request */
7568 subcmd = tvb_get_letohs(tvb, offset);
7569 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
7570 if(check_col(pinfo->cinfo, COL_INFO)){
7571 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7572 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
7574 ntd.subcmd = subcmd;
7576 if(!pinfo->fd->flags.visited){
7578 * Allocate a new smb_nt_transact_info_t
7581 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
7582 nti->subcmd = subcmd;
7583 sip->extra_info = nti;
7587 /* secondary request */
7588 if(check_col(pinfo->cinfo, COL_INFO)){
7589 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
7594 /* this is a padding byte */
7597 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
7601 /* if there were any setup bytes, decode them */
7603 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
7610 if(po>(guint32)offset){
7611 /* We have some initial padding bytes.
7616 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7617 COUNT_BYTES(padcnt);
7620 CHECK_BYTE_COUNT(pc);
7621 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
7626 if(od>(guint32)offset){
7627 /* We have some initial padding bytes.
7632 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7633 COUNT_BYTES(padcnt);
7636 CHECK_BYTE_COUNT(dc);
7637 dissect_nt_trans_data_request(tvb, pinfo, offset, tree, dc, &ntd);
7649 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7651 proto_item *item = NULL;
7652 proto_tree *tree = NULL;
7654 smb_nt_transact_info_t *nti;
7657 si = (smb_info_t *)pinfo->private_data;
7658 if (si->sip != NULL)
7659 nti = si->sip->extra_info;
7665 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7667 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7670 * We never saw the request to which this is a
7673 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7674 "Unknown NT Transaction Data (matching request not seen)");
7676 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7683 switch(nti->subcmd){
7684 case NT_TRANS_CREATE:
7686 case NT_TRANS_IOCTL:
7688 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
7694 case NT_TRANS_NOTIFY:
7696 case NT_TRANS_RENAME:
7697 /* XXX not documented */
7701 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
7702 * which may be documented in the Win32 documentation
7705 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, len);
7707 case NT_TRANS_GET_USER_QUOTA:
7709 offset = dissect_nt_user_quota(tvb, pinfo, tree, offset, &bcp);
7711 case NT_TRANS_SET_USER_QUOTA:
7712 /* not decoded yet */
7720 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7722 proto_item *item = NULL;
7723 proto_tree *tree = NULL;
7727 smb_nt_transact_info_t *nti;
7733 si = (smb_info_t *)pinfo->private_data;
7734 if (si->sip != NULL)
7735 nti = si->sip->extra_info;
7741 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7743 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7746 * We never saw the request to which this is a
7749 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7750 "Unknown NT Transaction Parameters (matching request not seen)");
7752 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7759 switch(nti->subcmd){
7760 case NT_TRANS_CREATE:
7762 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
7766 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7770 fid = tvb_get_letohs(tvb, offset);
7771 add_fid(tvb, pinfo, tree, offset, 2, fid);
7775 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
7778 /* ea error offset */
7779 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
7783 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7784 hf_smb_create_time);
7787 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7788 hf_smb_access_time);
7790 /* last write time */
7791 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7792 hf_smb_last_write_time);
7794 /* last change time */
7795 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7796 hf_smb_change_time);
7798 /* Extended File Attributes */
7799 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
7801 /* allocation size */
7802 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7806 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
7810 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
7814 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
7817 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
7820 case NT_TRANS_IOCTL:
7824 case NT_TRANS_NOTIFY:
7826 old_offset = offset;
7828 /* next entry offset */
7829 neo = tvb_get_letohl(tvb, offset);
7830 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
7833 /* broken implementations */
7837 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
7840 /* broken implementations */
7844 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7845 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7848 /* broken implementations */
7852 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, &bc);
7855 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7857 COUNT_BYTES(fn_len);
7859 /* broken implementations */
7863 break; /* no more structures */
7865 /* skip to next structure */
7866 padcnt = (old_offset + neo) - offset;
7869 * XXX - this is bogus; flag it?
7874 COUNT_BYTES(padcnt);
7876 /* broken implementations */
7881 case NT_TRANS_RENAME:
7882 /* XXX not documented */
7886 * This appears to be the size of the security
7887 * descriptor; the calling sequence of
7888 * "ZwQuerySecurityObject()" suggests that it would
7889 * be. The actual security descriptor wouldn't
7890 * follow if the max data count in the request
7891 * was smaller; this lets the client know how
7892 * big a buffer it needs to provide.
7894 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
7897 case NT_TRANS_GET_USER_QUOTA:
7898 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
7899 tvb_get_letohl(tvb, offset));
7902 case NT_TRANS_SET_USER_QUOTA:
7903 /* not decoded yet */
7911 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7913 proto_item *item = NULL;
7914 proto_tree *tree = NULL;
7916 smb_nt_transact_info_t *nti;
7918 si = (smb_info_t *)pinfo->private_data;
7919 if (si->sip != NULL)
7920 nti = si->sip->extra_info;
7926 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7928 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7931 * We never saw the request to which this is a
7934 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7935 "Unknown NT Transaction Setup (matching request not seen)");
7937 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7944 switch(nti->subcmd){
7945 case NT_TRANS_CREATE:
7947 case NT_TRANS_IOCTL:
7951 case NT_TRANS_NOTIFY:
7953 case NT_TRANS_RENAME:
7954 /* XXX not documented */
7958 case NT_TRANS_GET_USER_QUOTA:
7959 /* not decoded yet */
7961 case NT_TRANS_SET_USER_QUOTA:
7962 /* not decoded yet */
7970 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7973 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
7976 smb_nt_transact_info_t *nti;
7977 static nt_trans_data ntd;
7980 fragment_data *r_fd = NULL;
7981 tvbuff_t *pd_tvb=NULL;
7982 gboolean save_fragmented;
7984 si = (smb_info_t *)pinfo->private_data;
7985 if (si->sip != NULL)
7986 nti = si->sip->extra_info;
7990 /* primary request */
7992 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
7993 if(check_col(pinfo->cinfo, COL_INFO)){
7994 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7995 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
7998 proto_tree_add_text(tree, tvb, offset, 0,
7999 "Function: <unknown function - could not find matching request>");
8000 if(check_col(pinfo->cinfo, COL_INFO)){
8001 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8007 /* 3 reserved bytes */
8008 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8011 /* total param count */
8012 tp = tvb_get_letohl(tvb, offset);
8013 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8016 /* total data count */
8017 td = tvb_get_letohl(tvb, offset);
8018 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8022 pc = tvb_get_letohl(tvb, offset);
8023 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8027 po = tvb_get_letohl(tvb, offset);
8028 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8031 /* param displacement */
8032 pd = tvb_get_letohl(tvb, offset);
8033 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8037 dc = tvb_get_letohl(tvb, offset);
8038 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8042 od = tvb_get_letohl(tvb, offset);
8043 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8046 /* data displacement */
8047 dd = tvb_get_letohl(tvb, offset);
8048 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8052 sc = tvb_get_guint8(tvb, offset);
8053 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8058 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8064 /* reassembly of SMB NT Transaction data payload.
8065 In this section we do reassembly of both the data and parameters
8066 blocks of the SMB transaction command.
8068 save_fragmented = pinfo->fragmented;
8069 /* do we need reassembly? */
8070 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8071 /* oh yeah, either data or parameter section needs
8074 pinfo->fragmented = TRUE;
8075 if(smb_trans_reassembly){
8076 /* ...and we were told to do reassembly */
8077 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8078 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8082 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8083 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8084 od, dc, dd+tp, td+tp);
8089 /* if we got a reassembled fd structure from the reassembly routine we
8090 must create pd_tvb from it
8097 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8099 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8100 add_new_data_source(pinfo->fd, pd_tvb, "Reassembled SMB");
8101 pinfo->fragmented = FALSE;
8103 it = proto_tree_add_text(tree, pd_tvb, 0, -1, "Fragments");
8104 tr = proto_item_add_subtree(it, ett_smb_segments);
8105 for(fd=r_fd->next;fd;fd=fd->next){
8106 proto_tree_add_text(tr, pd_tvb, fd->offset, fd->len,
8107 "Frame:%u Data:%u-%u",
8108 fd->frame, fd->offset,
8109 fd->offset+fd->len-1);
8115 /* we have reassembled data, grab param and data from there */
8116 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8117 &ntd, tvb_length(pd_tvb));
8118 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8120 /* we do not have reassembled data, just use what we have in the
8121 packet as well as we can */
8123 if(po>(guint32)offset){
8124 /* We have some initial padding bytes.
8129 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8130 COUNT_BYTES(padcnt);
8133 CHECK_BYTE_COUNT(pc);
8134 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8139 if(od>(guint32)offset){
8140 /* We have some initial padding bytes.
8145 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8146 COUNT_BYTES(padcnt);
8149 CHECK_BYTE_COUNT(dc);
8150 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8154 pinfo->fragmented = save_fragmented;
8161 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8162 NT Transaction command ends here
8163 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8165 static const value_string print_mode_vals[] = {
8167 {1, "Graphics Mode"},
8172 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8182 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8186 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8192 CHECK_BYTE_COUNT(1);
8193 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8196 /* print identifier */
8197 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, FALSE, &bc);
8200 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8202 COUNT_BYTES(fn_len);
8211 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8220 fid = tvb_get_letohs(tvb, offset);
8221 add_fid(tvb, pinfo, tree, offset, 2, fid);
8227 CHECK_BYTE_COUNT(1);
8228 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8232 CHECK_BYTE_COUNT(2);
8233 cnt = tvb_get_letohs(tvb, offset);
8234 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
8238 offset = dissect_file_data(tvb, pinfo, tree, offset, cnt, cnt);
8246 static const value_string print_status_vals[] = {
8247 {1, "Held or Stopped"},
8249 {3, "Awaiting print"},
8250 {4, "In intercept"},
8251 {5, "File had error"},
8252 {6, "Printer error"},
8257 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8265 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8269 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
8280 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8281 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8283 proto_item *item = NULL;
8284 proto_tree *tree = NULL;
8289 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8291 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
8295 CHECK_BYTE_COUNT_SUBR(4);
8296 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
8297 hf_smb_print_queue_date,
8298 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8302 CHECK_BYTE_COUNT_SUBR(1);
8303 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8304 COUNT_BYTES_SUBR(1);
8306 /* spool file number */
8307 CHECK_BYTE_COUNT_SUBR(2);
8308 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
8309 COUNT_BYTES_SUBR(2);
8311 /* spool file size */
8312 CHECK_BYTE_COUNT_SUBR(4);
8313 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
8314 COUNT_BYTES_SUBR(4);
8317 CHECK_BYTE_COUNT_SUBR(1);
8318 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8319 COUNT_BYTES_SUBR(1);
8323 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, bcp);
8324 CHECK_STRING_SUBR(fn);
8325 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
8327 COUNT_BYTES_SUBR(fn_len);
8334 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8344 cnt = tvb_get_letohs(tvb, offset);
8345 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
8349 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
8355 CHECK_BYTE_COUNT(1);
8356 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8360 CHECK_BYTE_COUNT(2);
8361 len = tvb_get_letohs(tvb, offset);
8362 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
8365 /* queue elements */
8367 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
8380 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8382 guint8 wc, cmd=0xff;
8383 guint16 andxoffset=0;
8390 /* next smb command */
8391 cmd = tvb_get_guint8(tvb, offset);
8393 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8395 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
8400 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8404 andxoffset = tvb_get_letohs(tvb, offset);
8405 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8409 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8413 fn_len = tvb_get_letohs(tvb, offset);
8414 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
8418 offset = dissect_nt_create_bits(tvb, pinfo, tree, offset);
8420 /* root directory fid */
8421 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8424 /* nt access mask */
8425 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
8427 /* allocation size */
8428 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8431 /* Extended File Attributes */
8432 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
8435 offset = dissect_nt_share_access(tvb, pinfo, tree, offset);
8437 /* create disposition */
8438 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8441 /* create options */
8442 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
8444 /* impersonation level */
8445 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8448 /* security flags */
8449 offset = dissect_nt_security_flags(tvb, pinfo, tree, offset);
8454 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8457 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8459 COUNT_BYTES(fn_len);
8461 if (check_col(pinfo->cinfo, COL_INFO)) {
8462 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
8467 /* call AndXCommand (if there are any) */
8468 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
8475 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8477 guint8 wc, cmd=0xff;
8478 guint16 andxoffset=0;
8484 /* next smb command */
8485 cmd = tvb_get_guint8(tvb, offset);
8487 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8489 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
8494 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8498 andxoffset = tvb_get_letohs(tvb, offset);
8499 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8503 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8507 fid = tvb_get_letohs(tvb, offset);
8508 add_fid(tvb, pinfo, tree, offset, 2, fid);
8512 /*XXX is this really the same as create disposition in the request? it looks so*/
8513 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8517 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8518 hf_smb_create_time);
8521 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8522 hf_smb_access_time);
8524 /* last write time */
8525 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8526 hf_smb_last_write_time);
8528 /* last change time */
8529 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8530 hf_smb_change_time);
8532 /* Extended File Attributes */
8533 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
8535 /* allocation size */
8536 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8540 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8544 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8548 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
8551 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8558 /* call AndXCommand (if there are any) */
8559 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
8566 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8580 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8581 BEGIN Transaction/Transaction2 Primary and secondary requests
8582 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8585 static const value_string trans2_cmd_vals[] = {
8587 { 0x01, "FIND_FIRST2" },
8588 { 0x02, "FIND_NEXT2" },
8589 { 0x03, "QUERY_FS_INFORMATION" },
8590 { 0x04, "SET_FS_QUOTA" },
8591 { 0x05, "QUERY_PATH_INFORMATION" },
8592 { 0x06, "SET_PATH_INFORMATION" },
8593 { 0x07, "QUERY_FILE_INFORMATION" },
8594 { 0x08, "SET_FILE_INFORMATION" },
8597 { 0x0B, "FIND_NOTIFY_FIRST" },
8598 { 0x0C, "FIND_NOTIFY_NEXT" },
8599 { 0x0D, "CREATE_DIRECTORY" },
8600 { 0x0E, "SESSION_SETUP" },
8601 { 0x10, "GET_DFS_REFERRAL" },
8602 { 0x11, "REPORT_DFS_INCONSISTENCY" },
8606 static const true_false_string tfs_tf_dtid = {
8607 "Also DISCONNECT TID",
8608 "Do NOT disconnect TID"
8610 static const true_false_string tfs_tf_owt = {
8611 "One Way Transaction (NO RESPONSE)",
8612 "Two way transaction"
8615 static const true_false_string tfs_ff2_backup = {
8616 "Find WITH backup intent",
8619 static const true_false_string tfs_ff2_continue = {
8620 "CONTINUE search from previous position",
8621 "New search, do NOT continue from previous position"
8623 static const true_false_string tfs_ff2_resume = {
8624 "Return RESUME keys",
8625 "Do NOT return resume keys"
8627 static const true_false_string tfs_ff2_close_eos = {
8628 "CLOSE search if END OF SEARCH is reached",
8629 "Do NOT close search if end of search reached"
8631 static const true_false_string tfs_ff2_close = {
8632 "CLOSE search after this request",
8633 "Do NOT close search after this request"
8639 static const value_string ff2_il_vals[] = {
8640 { 1, "Info Standard (4.3.4.1)"},
8641 { 2, "Info Query EA Size (4.3.4.2)"},
8642 { 3, "Info Query EAs From List (4.3.4.2)"},
8643 { 0x0101, "Find File Directory Info (4.3.4.4)"},
8644 { 0x0102, "Find File Full Directory Info (4.3.4.5)"},
8645 { 0x0103, "Find File Names Info (4.3.4.7)"},
8646 { 0x0104, "Find File Both Directory Info (4.3.4.6)"},
8647 { 0x0202, "Find File UNIX (4.3.4.8)"},
8652 TRANS2_QUERY_PATH_INFORMATION
8653 TRANS2_SET_PATH_INFORMATION
8655 static const value_string qpi_loi_vals[] = {
8656 { 1, "Info Standard (4.2.14.1)"},
8657 { 2, "Info Query EA Size (4.2.14.1)"},
8658 { 3, "Info Query EAs From List (4.2.14.2)"},
8659 { 4, "Info Query All EAs (4.2.14.2)"},
8660 { 6, "Info Is Name Valid (4.2.14.3)"},
8661 { 0x0101, "Query File Basic Info (4.2.14.4)"},
8662 { 0x0102, "Query File Standard Info (4.2.14.5)"},
8663 { 0x0103, "Query File EA Info (4.2.14.6)"},
8664 { 0x0104, "Query File Name Info (4.2.14.7)"},
8665 { 0x0107, "Query File All Info (4.2.14.8)"},
8666 { 0x0108, "Query File Alt File Info (4.2.14.7)"},
8667 { 0x0109, "Query File Stream Info (4.2.14.10)"},
8668 { 0x010b, "Query File Compression Info (4.2.14.11)"},
8669 { 0x0200, "Set File Unix Basic"},
8670 { 0x0201, "Set File Unix Link"},
8671 { 0x0202, "Set File Unix HardLink"},
8675 static const value_string qfsi_vals[] = {
8676 { 1, "Info Allocation"},
8677 { 2, "Info Volume"},
8678 { 0x0102, "Query FS Volume Info"},
8679 { 0x0103, "Query FS Size Info"},
8680 { 0x0104, "Query FS Device Info"},
8681 { 0x0105, "Query FS Attribute Info"},
8682 { 1006, "Query FS Quota Info"},
8686 static const value_string nt_rename_vals[] = {
8687 { 0x0103, "Create Hard Link"},
8692 static const value_string delete_pending_vals[] = {
8693 {0, "Normal, no pending delete"},
8694 {1, "This object has DELETE PENDING"},
8698 static const value_string alignment_vals[] = {
8699 {0, "Byte alignment"},
8700 {1, "Word (16bit) alignment"},
8701 {3, "Long (32bit) alignment"},
8702 {7, "8 byte boundary alignment"},
8703 {0x0f, "16 byte boundary alignment"},
8704 {0x1f, "32 byte boundary alignment"},
8705 {0x3f, "64 byte boundary alignment"},
8706 {0x7f, "128 byte boundary alignment"},
8707 {0xff, "256 byte boundary alignment"},
8708 {0x1ff, "512 byte boundary alignment"},
8713 static const true_false_string tfs_get_dfs_server_hold_storage = {
8714 "Referral SERVER HOLDS STORAGE for the file",
8715 "Referral server does NOT hold storage for the file"
8717 static const true_false_string tfs_get_dfs_fielding = {
8718 "The server in referral is FIELDING CAPABLE",
8719 "The server in referrals is NOT fielding capable"
8722 static const true_false_string tfs_dfs_referral_flags_strip = {
8723 "STRIP off pathconsumed characters before submitting",
8724 "Do NOT strip off any characters"
8727 static const value_string dfs_referral_server_type_vals[] = {
8730 {2, "Netware Server"},
8731 {3, "Domain Server"},
8736 static const true_false_string tfs_device_char_removable = {
8737 "This is a REMOVABLE device",
8738 "This is NOT a removable device"
8740 static const true_false_string tfs_device_char_read_only = {
8741 "This is a READ-ONLY device",
8742 "This is NOT a read-only device"
8744 static const true_false_string tfs_device_char_floppy = {
8745 "This is a FLOPPY DISK device",
8746 "This is NOT a floppy disk device"
8748 static const true_false_string tfs_device_char_write_once = {
8749 "This is a WRITE-ONCE device",
8750 "This is NOT a write-once device"
8752 static const true_false_string tfs_device_char_remote = {
8753 "This is a REMOTE device",
8754 "This is NOT a remote device"
8756 static const true_false_string tfs_device_char_mounted = {
8757 "This device is MOUNTED",
8758 "This device is NOT mounted"
8760 static const true_false_string tfs_device_char_virtual = {
8761 "This is a VIRTUAL device",
8762 "This is NOT a virtual device"
8766 static const true_false_string tfs_fs_attr_css = {
8767 "This FS supports CASE SENSITIVE SEARCHes",
8768 "This FS does NOT support case sensitive searches"
8770 static const true_false_string tfs_fs_attr_cpn = {
8771 "This FS supports CASE PRESERVED NAMES",
8772 "This FS does NOT support case preserved names"
8774 static const true_false_string tfs_fs_attr_pacls = {
8775 "This FS supports PERSISTENT ACLs",
8776 "This FS does NOT support persistent acls"
8778 static const true_false_string tfs_fs_attr_fc = {
8779 "This FS supports COMPRESSED FILES",
8780 "This FS does NOT support compressed files"
8782 static const true_false_string tfs_fs_attr_vq = {
8783 "This FS supports VOLUME QUOTAS",
8784 "This FS does NOT support volume quotas"
8786 static const true_false_string tfs_fs_attr_dim = {
8787 "This FS is on a MOUNTED DEVICE",
8788 "This FS is NOT on a mounted device"
8790 static const true_false_string tfs_fs_attr_vic = {
8791 "This FS is on a COMPRESSED VOLUME",
8792 "This FS is NOT on a compressed volume"
8795 #define FF2_RESUME 0x0004
8798 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
8801 proto_item *item = NULL;
8802 proto_tree *tree = NULL;
8804 smb_transact2_info_t *t2i;
8806 mask = tvb_get_letohs(tvb, offset);
8808 si = (smb_info_t *)pinfo->private_data;
8809 if (si->sip != NULL) {
8810 t2i = si->sip->extra_info;
8812 if (!pinfo->fd->flags.visited)
8813 t2i->resume_keys = (mask & FF2_RESUME);
8818 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
8819 "Flags: 0x%04x", mask);
8820 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
8823 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
8824 tvb, offset, 2, mask);
8825 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
8826 tvb, offset, 2, mask);
8827 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
8828 tvb, offset, 2, mask);
8829 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
8830 tvb, offset, 2, mask);
8831 proto_tree_add_boolean(tree, hf_smb_ff2_close,
8832 tvb, offset, 2, mask);
8840 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
8841 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
8843 proto_item *item = NULL;
8844 proto_tree *tree = NULL;
8846 smb_transact2_info_t *t2i;
8849 int old_offset = offset;
8851 si = (smb_info_t *)pinfo->private_data;
8852 if (si->sip != NULL)
8853 t2i = si->sip->extra_info;
8858 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
8860 val_to_str(subcmd, trans2_cmd_vals,
8861 "Unknown (0x%02x)"));
8862 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
8866 case 0x00: /*TRANS2_OPEN2*/
8868 CHECK_BYTE_COUNT_TRANS(2);
8869 offset = dissect_open_flags(tvb, pinfo, tree, offset, 0x000f);
8872 /* desired access */
8873 CHECK_BYTE_COUNT_TRANS(2);
8874 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
8877 /* 2 reserved bytes */
8878 CHECK_BYTE_COUNT_TRANS(2);
8879 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8880 COUNT_BYTES_TRANS(2);
8882 /* File Attributes */
8883 CHECK_BYTE_COUNT_TRANS(2);
8884 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
8888 CHECK_BYTE_COUNT_TRANS(4);
8889 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
8891 hf_smb_create_dos_date, hf_smb_create_dos_time,
8896 CHECK_BYTE_COUNT_TRANS(2);
8897 offset = dissect_open_function(tvb, pinfo, tree, offset);
8900 /* allocation size */
8901 CHECK_BYTE_COUNT_TRANS(4);
8902 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
8903 COUNT_BYTES_TRANS(4);
8905 /* 10 reserved bytes */
8906 CHECK_BYTE_COUNT_TRANS(10);
8907 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
8908 COUNT_BYTES_TRANS(10);
8911 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8912 CHECK_STRING_TRANS(fn);
8913 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8915 COUNT_BYTES_TRANS(fn_len);
8917 if (check_col(pinfo->cinfo, COL_INFO)) {
8918 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8922 /* XXX dont know how to decode FEAList */
8924 case 0x01: /*TRANS2_FIND_FIRST2*/
8925 /* Search Attributes */
8926 CHECK_BYTE_COUNT_TRANS(2);
8927 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
8931 CHECK_BYTE_COUNT_TRANS(2);
8932 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
8933 COUNT_BYTES_TRANS(2);
8935 /* Find First2 flags */
8936 CHECK_BYTE_COUNT_TRANS(2);
8937 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
8940 /* Find First2 information level */
8941 CHECK_BYTE_COUNT_TRANS(2);
8942 si->info_level = tvb_get_letohs(tvb, offset);
8943 if (!pinfo->fd->flags.visited)
8944 t2i->info_level = si->info_level;
8945 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
8946 COUNT_BYTES_TRANS(2);
8949 CHECK_BYTE_COUNT_TRANS(4);
8950 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
8951 COUNT_BYTES_TRANS(4);
8953 /* search pattern */
8954 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8955 CHECK_STRING_TRANS(fn);
8956 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
8958 COUNT_BYTES_TRANS(fn_len);
8960 if (check_col(pinfo->cinfo, COL_INFO)) {
8961 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
8965 /* XXX dont know how to decode FEAList */
8968 case 0x02: /*TRANS2_FIND_NEXT2*/
8970 CHECK_BYTE_COUNT_TRANS(2);
8971 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
8972 COUNT_BYTES_TRANS(2);
8975 CHECK_BYTE_COUNT_TRANS(2);
8976 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
8977 COUNT_BYTES_TRANS(2);
8979 /* Find First2 information level */
8980 CHECK_BYTE_COUNT_TRANS(2);
8981 si->info_level = tvb_get_letohs(tvb, offset);
8982 if (!pinfo->fd->flags.visited)
8983 t2i->info_level = si->info_level;
8984 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
8985 COUNT_BYTES_TRANS(2);
8988 CHECK_BYTE_COUNT_TRANS(4);
8989 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
8990 COUNT_BYTES_TRANS(4);
8992 /* Find First2 flags */
8993 CHECK_BYTE_COUNT_TRANS(2);
8994 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
8998 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8999 CHECK_STRING_TRANS(fn);
9000 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9002 COUNT_BYTES_TRANS(fn_len);
9004 if (check_col(pinfo->cinfo, COL_INFO)) {
9005 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
9010 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
9011 /* level of interest */
9012 CHECK_BYTE_COUNT_TRANS(2);
9013 si->info_level = tvb_get_letohs(tvb, offset);
9014 if (!pinfo->fd->flags.visited)
9015 t2i->info_level = si->info_level;
9016 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
9017 COUNT_BYTES_TRANS(2);
9020 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
9021 /* level of interest */
9022 CHECK_BYTE_COUNT_TRANS(2);
9023 si->info_level = tvb_get_letohs(tvb, offset);
9024 if (!pinfo->fd->flags.visited)
9025 t2i->info_level = si->info_level;
9026 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9027 COUNT_BYTES_TRANS(2);
9029 /* 4 reserved bytes */
9030 CHECK_BYTE_COUNT_TRANS(4);
9031 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9032 COUNT_BYTES_TRANS(4);
9035 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9036 CHECK_STRING_TRANS(fn);
9037 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9039 COUNT_BYTES_TRANS(fn_len);
9041 if (check_col(pinfo->cinfo, COL_INFO)) {
9042 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9047 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
9048 /* level of interest */
9049 CHECK_BYTE_COUNT_TRANS(2);
9050 si->info_level = tvb_get_letohs(tvb, offset);
9051 if (!pinfo->fd->flags.visited)
9052 t2i->info_level = si->info_level;
9053 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9054 COUNT_BYTES_TRANS(2);
9056 /* 4 reserved bytes */
9057 CHECK_BYTE_COUNT_TRANS(4);
9058 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9059 COUNT_BYTES_TRANS(4);
9062 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9063 CHECK_STRING_TRANS(fn);
9064 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9066 COUNT_BYTES_TRANS(fn_len);
9068 if (check_col(pinfo->cinfo, COL_INFO)) {
9069 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
9074 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
9078 CHECK_BYTE_COUNT_TRANS(2);
9079 fid = tvb_get_letohs(tvb, offset);
9080 add_fid(tvb, pinfo, tree, offset, 2, fid);
9081 COUNT_BYTES_TRANS(2);
9083 /* level of interest */
9084 CHECK_BYTE_COUNT_TRANS(2);
9085 si->info_level = tvb_get_letohs(tvb, offset);
9086 if (!pinfo->fd->flags.visited)
9087 t2i->info_level = si->info_level;
9088 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9089 COUNT_BYTES_TRANS(2);
9093 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
9097 CHECK_BYTE_COUNT_TRANS(2);
9098 fid = tvb_get_letohs(tvb, offset);
9099 add_fid(tvb, pinfo, tree, offset, 2, fid);
9100 COUNT_BYTES_TRANS(2);
9102 /* level of interest */
9103 CHECK_BYTE_COUNT_TRANS(2);
9104 si->info_level = tvb_get_letohs(tvb, offset);
9105 if (!pinfo->fd->flags.visited)
9106 t2i->info_level = si->info_level;
9107 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
9108 COUNT_BYTES_TRANS(2);
9110 /* 2 reserved bytes */
9111 CHECK_BYTE_COUNT_TRANS(2);
9112 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
9113 COUNT_BYTES_TRANS(2);
9117 case 0x09: /*TRANS2_FSCTL*/
9118 case 0x0a: /*TRANS2_IOCTL2*/
9119 /* these calls have no parameter block in the request */
9121 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
9122 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
9123 /* XXX unknown structure*/
9125 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
9126 /* 4 reserved bytes */
9127 CHECK_BYTE_COUNT_TRANS(4);
9128 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
9129 COUNT_BYTES_TRANS(4);
9132 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
9134 CHECK_STRING_TRANS(fn);
9135 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
9137 COUNT_BYTES_TRANS(fn_len);
9139 if (check_col(pinfo->cinfo, COL_INFO)) {
9140 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
9144 /* XXX optional FEAList, unknown what FEAList looks like*/
9146 case 0x0e: /*TRANS2_SESSION_SETUP*/
9147 /* XXX unknown structure*/
9149 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
9150 /* referral level */
9151 CHECK_BYTE_COUNT_TRANS(2);
9152 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
9153 COUNT_BYTES_TRANS(2);
9156 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9157 CHECK_STRING_TRANS(fn);
9158 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9160 COUNT_BYTES_TRANS(fn_len);
9162 if (check_col(pinfo->cinfo, COL_INFO)) {
9163 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9168 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
9170 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9171 CHECK_STRING_TRANS(fn);
9172 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9174 COUNT_BYTES_TRANS(fn_len);
9176 if (check_col(pinfo->cinfo, COL_INFO)) {
9177 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9184 /* ooops there were data we didnt know how to process */
9185 if((offset-old_offset) < bc){
9186 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
9187 bc - (offset-old_offset), TRUE);
9188 offset += bc - (offset-old_offset);
9195 * XXX - just use "dissect_connect_flags()" here?
9198 dissect_transaction_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9201 proto_item *item = NULL;
9202 proto_tree *tree = NULL;
9204 mask = tvb_get_letohs(tvb, offset);
9207 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9208 "Flags: 0x%04x", mask);
9209 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
9212 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
9213 tvb, offset, 2, mask);
9214 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
9215 tvb, offset, 2, mask);
9222 dissect_get_dfs_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9225 proto_item *item = NULL;
9226 proto_tree *tree = NULL;
9228 mask = tvb_get_letohs(tvb, offset);
9231 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9232 "Flags: 0x%04x", mask);
9233 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
9236 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
9237 tvb, offset, 2, mask);
9238 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
9239 tvb, offset, 2, mask);
9246 dissect_dfs_referral_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9249 proto_item *item = NULL;
9250 proto_tree *tree = NULL;
9252 mask = tvb_get_letohs(tvb, offset);
9255 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9256 "Flags: 0x%04x", mask);
9257 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
9260 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
9261 tvb, offset, 2, mask);
9269 /* dfs inconsistency data (4.4.2)
9272 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
9273 proto_tree *tree, int offset, guint16 *bcp)
9278 /*XXX shouldn this data hold version and size? unclear from doc*/
9279 /* referral version */
9280 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9281 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
9282 COUNT_BYTES_TRANS_SUBR(2);
9285 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9286 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
9287 COUNT_BYTES_TRANS_SUBR(2);
9289 /* referral server type */
9290 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9291 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9292 COUNT_BYTES_TRANS_SUBR(2);
9294 /* referral flags */
9295 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9296 offset = dissect_dfs_referral_flags(tvb, pinfo, tree, offset);
9300 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9301 CHECK_STRING_TRANS_SUBR(fn);
9302 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9304 COUNT_BYTES_TRANS_SUBR(fn_len);
9309 /* get dfs referral data (4.4.1)
9312 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
9313 proto_tree *tree, int offset, guint16 *bcp)
9318 guint16 altpathoffset;
9330 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9331 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
9332 COUNT_BYTES_TRANS_SUBR(2);
9335 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9336 numref = tvb_get_letohs(tvb, offset);
9337 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
9338 COUNT_BYTES_TRANS_SUBR(2);
9341 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9342 offset = dissect_get_dfs_flags(tvb, pinfo, tree, offset);
9345 /* XXX - in at least one capture there appears to be 2 bytes
9346 of stuff after the Dfs flags, perhaps so that the header
9347 in front of the referral list is a multiple of 4 bytes long. */
9348 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9349 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
9350 COUNT_BYTES_TRANS_SUBR(2);
9352 /* if there are any referrals */
9354 proto_item *ref_item = NULL;
9355 proto_tree *ref_tree = NULL;
9356 int old_offset=offset;
9359 ref_item = proto_tree_add_text(tree,
9360 tvb, offset, *bcp, "Referrals");
9361 ref_tree = proto_item_add_subtree(ref_item,
9362 ett_smb_dfs_referrals);
9367 proto_item *ri = NULL;
9368 proto_tree *rt = NULL;
9369 int old_offset=offset;
9373 ri = proto_tree_add_text(ref_tree,
9374 tvb, offset, *bcp, "Referral");
9375 rt = proto_item_add_subtree(ri,
9376 ett_smb_dfs_referral);
9379 /* referral version */
9380 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9381 version = tvb_get_letohs(tvb, offset);
9382 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
9383 tvb, offset, 2, version);
9384 COUNT_BYTES_TRANS_SUBR(2);
9387 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9388 refsize = tvb_get_letohs(tvb, offset);
9389 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
9390 COUNT_BYTES_TRANS_SUBR(2);
9392 /* referral server type */
9393 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9394 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9395 COUNT_BYTES_TRANS_SUBR(2);
9397 /* referral flags */
9398 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9399 offset = dissect_dfs_referral_flags(tvb, pinfo, rt, offset);
9406 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9407 CHECK_STRING_TRANS_SUBR(fn);
9408 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9410 COUNT_BYTES_TRANS_SUBR(fn_len);
9414 case 3: /* XXX - like version 2, but not identical;
9415 seen in a capture, but the format isn't
9418 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9419 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
9420 COUNT_BYTES_TRANS_SUBR(2);
9423 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9424 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
9425 COUNT_BYTES_TRANS_SUBR(2);
9428 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9429 pathoffset = tvb_get_letohs(tvb, offset);
9430 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
9431 COUNT_BYTES_TRANS_SUBR(2);
9433 /* alt path offset */
9434 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9435 altpathoffset = tvb_get_letohs(tvb, offset);
9436 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
9437 COUNT_BYTES_TRANS_SUBR(2);
9440 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9441 nodeoffset = tvb_get_letohs(tvb, offset);
9442 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
9443 COUNT_BYTES_TRANS_SUBR(2);
9446 if (pathoffset != 0) {
9447 stroffset = old_offset + pathoffset;
9448 offsetoffset = stroffset - offset;
9449 if (offsetoffset > 0 &&
9450 *bcp > offsetoffset) {
9452 *bcp -= offsetoffset;
9453 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9454 CHECK_STRING_TRANS_SUBR(fn);
9455 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
9457 stroffset += fn_len;
9458 if (ucstring_end < stroffset)
9459 ucstring_end = stroffset;
9465 if (altpathoffset != 0) {
9466 stroffset = old_offset + altpathoffset;
9467 offsetoffset = stroffset - offset;
9468 if (offsetoffset > 0 &&
9469 *bcp > offsetoffset) {
9471 *bcp -= offsetoffset;
9472 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9473 CHECK_STRING_TRANS_SUBR(fn);
9474 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
9476 stroffset += fn_len;
9477 if (ucstring_end < stroffset)
9478 ucstring_end = stroffset;
9484 if (nodeoffset != 0) {
9485 stroffset = old_offset + nodeoffset;
9486 offsetoffset = stroffset - offset;
9487 if (offsetoffset > 0 &&
9488 *bcp > offsetoffset) {
9490 *bcp -= offsetoffset;
9491 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9492 CHECK_STRING_TRANS_SUBR(fn);
9493 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
9495 stroffset += fn_len;
9496 if (ucstring_end < stroffset)
9497 ucstring_end = stroffset;
9505 * Show anything beyond the length of the referral
9508 unklen = (old_offset + refsize) - offset;
9511 * XXX - the length is bogus.
9516 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
9517 proto_tree_add_item(rt, hf_smb_unknown, tvb,
9518 offset, unklen, TRUE);
9519 COUNT_BYTES_TRANS_SUBR(unklen);
9522 proto_item_set_len(ri, offset-old_offset);
9526 * Treat the offset past the end of the last Unicode
9527 * string after the referrals (if any) as the last
9530 if (ucstring_end > offset) {
9531 ucstring_len = ucstring_end - offset;
9532 if (*bcp < ucstring_len)
9533 ucstring_len = *bcp;
9534 offset += ucstring_len;
9535 *bcp -= ucstring_len;
9537 proto_item_set_len(ref_item, offset-old_offset);
9544 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
9545 as described in 4.2.14.1
9548 dissect_4_2_14_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9549 int offset, guint16 *bcp, gboolean *trunc)
9552 CHECK_BYTE_COUNT_SUBR(4);
9553 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9554 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
9559 CHECK_BYTE_COUNT_SUBR(4);
9560 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9561 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
9565 /* last write time */
9566 CHECK_BYTE_COUNT_SUBR(4);
9567 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9568 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
9573 CHECK_BYTE_COUNT_SUBR(4);
9574 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
9575 COUNT_BYTES_SUBR(4);
9577 /* allocation size */
9578 CHECK_BYTE_COUNT_SUBR(4);
9579 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
9580 COUNT_BYTES_SUBR(4);
9582 /* File Attributes */
9583 CHECK_BYTE_COUNT_SUBR(2);
9584 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
9588 CHECK_BYTE_COUNT_SUBR(4);
9589 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
9590 COUNT_BYTES_SUBR(4);
9596 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
9597 as described in 4.2.14.2
9600 dissect_4_2_14_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9601 int offset, guint16 *bcp, gboolean *trunc)
9604 CHECK_BYTE_COUNT_SUBR(4);
9605 proto_tree_add_item(tree, hf_smb_list_length, tvb, offset, 4, TRUE);
9606 COUNT_BYTES_SUBR(4);
9612 /* this dissects the SMB_INFO_IS_NAME_VALID
9613 as described in 4.2.14.3
9616 dissect_4_2_14_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9617 int offset, guint16 *bcp, gboolean *trunc)
9623 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9624 CHECK_STRING_SUBR(fn);
9625 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9627 COUNT_BYTES_SUBR(fn_len);
9633 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
9634 as described in 4.2.14.4
9637 dissect_4_2_14_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9638 int offset, guint16 *bcp, gboolean *trunc)
9641 CHECK_BYTE_COUNT_SUBR(8);
9642 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9643 hf_smb_create_time);
9647 CHECK_BYTE_COUNT_SUBR(8);
9648 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9649 hf_smb_access_time);
9652 /* last write time */
9653 CHECK_BYTE_COUNT_SUBR(8);
9654 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9655 hf_smb_last_write_time);
9658 /* last change time */
9659 CHECK_BYTE_COUNT_SUBR(8);
9660 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9661 hf_smb_change_time);
9664 /* File Attributes */
9665 CHECK_BYTE_COUNT_SUBR(2);
9666 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
9673 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
9674 as described in 4.2.14.5
9677 dissect_4_2_14_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9678 int offset, guint16 *bcp, gboolean *trunc)
9680 /* allocation size */
9681 CHECK_BYTE_COUNT_SUBR(8);
9682 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9683 COUNT_BYTES_SUBR(8);
9686 CHECK_BYTE_COUNT_SUBR(8);
9687 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9688 COUNT_BYTES_SUBR(8);
9690 /* number of links */
9691 CHECK_BYTE_COUNT_SUBR(4);
9692 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
9693 COUNT_BYTES_SUBR(4);
9695 /* delete pending */
9696 CHECK_BYTE_COUNT_SUBR(2);
9697 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 2, TRUE);
9698 COUNT_BYTES_SUBR(2);
9701 CHECK_BYTE_COUNT_SUBR(1);
9702 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9703 COUNT_BYTES_SUBR(1);
9709 /* this dissects the SMB_QUERY_FILE_EA_INFO
9710 as described in 4.2.14.6
9713 dissect_4_2_14_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9714 int offset, guint16 *bcp, gboolean *trunc)
9717 CHECK_BYTE_COUNT_SUBR(4);
9718 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
9719 COUNT_BYTES_SUBR(4);
9725 /* this dissects the SMB_QUERY_FILE_NAME_INFO
9726 as described in 4.2.14.7
9727 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
9728 as described in 4.2.14.9
9731 dissect_4_2_14_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9732 int offset, guint16 *bcp, gboolean *trunc)
9738 CHECK_BYTE_COUNT_SUBR(4);
9739 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
9740 COUNT_BYTES_SUBR(4);
9743 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9744 CHECK_STRING_SUBR(fn);
9745 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9747 COUNT_BYTES_SUBR(fn_len);
9753 /* this dissects the SMB_QUERY_FILE_ALL_INFO
9754 as described in 4.2.14.8
9757 dissect_4_2_14_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9758 int offset, guint16 *bcp, gboolean *trunc)
9761 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, trunc);
9764 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, trunc);
9769 CHECK_BYTE_COUNT_SUBR(8);
9770 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
9771 COUNT_BYTES_SUBR(8);
9773 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
9778 CHECK_BYTE_COUNT_SUBR(4);
9779 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
9780 COUNT_BYTES_SUBR(4);
9783 CHECK_BYTE_COUNT_SUBR(8);
9784 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
9785 COUNT_BYTES_SUBR(8);
9787 /* current offset */
9788 CHECK_BYTE_COUNT_SUBR(8);
9789 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
9790 COUNT_BYTES_SUBR(8);
9793 CHECK_BYTE_COUNT_SUBR(4);
9794 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
9798 CHECK_BYTE_COUNT_SUBR(4);
9799 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
9800 COUNT_BYTES_SUBR(4);
9802 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
9807 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
9808 as described in 4.2.14.10
9811 dissect_4_2_14_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
9812 int offset, guint16 *bcp, gboolean *trunc)
9823 old_offset = offset;
9825 /* next entry offset */
9826 CHECK_BYTE_COUNT_SUBR(4);
9828 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
9829 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
9835 neo = tvb_get_letohl(tvb, offset);
9836 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
9837 COUNT_BYTES_SUBR(4);
9839 /* stream name len */
9840 CHECK_BYTE_COUNT_SUBR(4);
9841 fn_len = tvb_get_letohl(tvb, offset);
9842 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
9843 COUNT_BYTES_SUBR(4);
9846 CHECK_BYTE_COUNT_SUBR(8);
9847 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
9848 COUNT_BYTES_SUBR(8);
9850 /* allocation size */
9851 CHECK_BYTE_COUNT_SUBR(8);
9852 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9853 COUNT_BYTES_SUBR(8);
9856 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
9857 CHECK_STRING_SUBR(fn);
9858 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
9860 COUNT_BYTES_SUBR(fn_len);
9862 proto_item_append_text(item, ": %s", fn);
9863 proto_item_set_len(item, offset-old_offset);
9866 break; /* no more structures */
9868 /* skip to next structure */
9869 padcnt = (old_offset + neo) - offset;
9872 * XXX - this is bogus; flag it?
9877 CHECK_BYTE_COUNT_SUBR(padcnt);
9878 COUNT_BYTES_SUBR(padcnt);
9886 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
9887 as described in 4.2.14.11
9890 dissect_4_2_14_11(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9891 int offset, guint16 *bcp, gboolean *trunc)
9893 /* compressed file size */
9894 CHECK_BYTE_COUNT_SUBR(8);
9895 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
9896 COUNT_BYTES_SUBR(8);
9898 /* compression format */
9899 CHECK_BYTE_COUNT_SUBR(2);
9900 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
9901 COUNT_BYTES_SUBR(2);
9903 /* compression unit shift */
9904 CHECK_BYTE_COUNT_SUBR(1);
9905 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
9906 COUNT_BYTES_SUBR(1);
9908 /* compression chunk shift */
9909 CHECK_BYTE_COUNT_SUBR(1);
9910 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
9911 COUNT_BYTES_SUBR(1);
9913 /* compression cluster shift */
9914 CHECK_BYTE_COUNT_SUBR(1);
9915 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
9916 COUNT_BYTES_SUBR(1);
9918 /* 3 reserved bytes */
9919 CHECK_BYTE_COUNT_SUBR(3);
9920 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
9921 COUNT_BYTES_SUBR(3);
9929 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION*/
9931 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
9932 int offset, guint16 *bcp)
9941 si = (smb_info_t *)pinfo->private_data;
9942 switch(si->info_level){
9943 case 1: /*Info Standard*/
9944 case 2: /*Info Query EA Size*/
9945 offset = dissect_4_2_14_1(tvb, pinfo, tree, offset, bcp,
9948 case 3: /*Info Query EAs From List*/
9949 case 4: /*Info Query All EAs*/
9950 offset = dissect_4_2_14_2(tvb, pinfo, tree, offset, bcp,
9953 case 6: /*Info Is Name Valid*/
9954 offset = dissect_4_2_14_3(tvb, pinfo, tree, offset, bcp,
9957 case 0x0101: /*Query File Basic Info*/
9958 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp,
9961 case 0x0102: /*Query File Standard Info*/
9962 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp,
9965 case 0x0103: /*Query File EA Info*/
9966 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp,
9969 case 0x0104: /*Query File Name Info*/
9970 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
9973 case 0x0107: /*Query File All Info*/
9974 offset = dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp,
9977 case 0x0108: /*Query File Alt File Info*/
9978 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
9981 case 0x0109: /*Query File Stream Info*/
9982 offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp,
9985 case 0x010b: /*Query File Compression Info*/
9986 offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp,
9989 case 0x0200: /*Set File Unix Basic*/
9990 /* XXX add this from the SNIA doc */
9992 case 0x0201: /*Set File Unix Link*/
9993 /* XXX add this from the SNIA doc */
9995 case 0x0202: /*Set File Unix HardLink*/
9996 /* XXX add this from the SNIA doc */
10004 static const true_false_string tfs_quota_flags_deny_disk = {
10005 "DENY DISK SPACE for users exceeding quota limit",
10006 "Do NOT deny disk space for users exceeding quota limit"
10008 static const true_false_string tfs_quota_flags_log_limit = {
10009 "LOG EVENT when a user exceeds their QUOTA LIMIT",
10010 "Do NOT log event when a user exceeds their quota limit"
10012 static const true_false_string tfs_quota_flags_log_warning = {
10013 "LOG EVENT when a user exceeds their WARNING LEVEL",
10014 "Do NOT log event when a user exceeds their warning level"
10016 static const true_false_string tfs_quota_flags_enabled = {
10017 "Quotas are ENABLED of this fs",
10018 "Quotas are NOT enabled on this fs"
10021 dissect_quota_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
10024 proto_item *item = NULL;
10025 proto_tree *tree = NULL;
10027 mask = tvb_get_guint8(tvb, offset);
10030 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
10031 "Quota Flags: 0x%02x %s", mask,
10032 mask?"Enabled":"Disabled");
10033 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
10036 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
10037 tvb, offset, 1, mask);
10038 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
10039 tvb, offset, 1, mask);
10040 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
10041 tvb, offset, 1, mask);
10043 if(mask && (!(mask&0x01))){
10044 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
10045 tvb, offset, 1, 0x01);
10047 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
10048 tvb, offset, 1, mask);
10054 dissect_nt_quota(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp)
10056 /* first 24 bytes are unknown */
10057 CHECK_BYTE_COUNT_TRANS_SUBR(24);
10058 proto_tree_add_item(tree, hf_smb_unknown, tvb,
10060 COUNT_BYTES_TRANS_SUBR(24);
10062 /* number of bytes for quota warning */
10063 CHECK_BYTE_COUNT_TRANS_SUBR(8);
10064 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
10065 COUNT_BYTES_TRANS_SUBR(8);
10067 /* number of bytes for quota limit */
10068 CHECK_BYTE_COUNT_TRANS_SUBR(8);
10069 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
10070 COUNT_BYTES_TRANS_SUBR(8);
10072 /* one byte of quota flags */
10073 CHECK_BYTE_COUNT_TRANS_SUBR(1);
10074 dissect_quota_flags(tvb, pinfo, tree, offset);
10075 COUNT_BYTES_TRANS_SUBR(1);
10077 /* these 7 bytes are unknown */
10078 CHECK_BYTE_COUNT_TRANS_SUBR(7);
10079 proto_tree_add_item(tree, hf_smb_unknown, tvb,
10081 COUNT_BYTES_TRANS_SUBR(7);
10087 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
10088 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
10090 proto_item *item = NULL;
10091 proto_tree *tree = NULL;
10094 si = (smb_info_t *)pinfo->private_data;
10097 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
10099 val_to_str(subcmd, trans2_cmd_vals,
10100 "Unknown (0x%02x)"));
10101 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
10105 case 0x00: /*TRANS2_OPEN2*/
10106 /* XXX FAEList here?*/
10108 case 0x01: /*TRANS2_FIND_FIRST2*/
10109 /* XXX FAEList here?*/
10111 case 0x02: /*TRANS2_FIND_NEXT2*/
10112 /* no data field in this request */
10114 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
10115 /* no data field in this request */
10117 case 0x04: /* TRANS2_SET_QUOTA */
10118 offset = dissect_nt_quota(tvb, pinfo, tree, offset, &dc);
10120 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
10121 /* no data field in this request */
10123 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10124 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
10126 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
10127 /* no data field in this request */
10129 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
10130 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
10132 case 0x09: /*TRANS2_FSCTL*/
10133 /*XXX dont know how to decode this yet */
10135 case 0x0a: /*TRANS2_IOCTL2*/
10136 /*XXX dont know how to decode this yet */
10138 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
10139 /*XXX dont know how to decode this yet */
10141 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
10142 /*XXX dont know how to decode this yet */
10144 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10145 /* no data block for this one */
10147 case 0x0e: /*TRANS2_SESSION_SETUP*/
10148 /*XXX dont know how to decode this yet */
10150 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10151 /* no data field in this request */
10153 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10154 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
10158 /* ooops there were data we didnt know how to process */
10160 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
10169 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
10170 packet_info *pinfo, proto_tree *tree)
10177 * Show the setup words.
10179 if (s_tvb != NULL) {
10180 length = tvb_reported_length(s_tvb);
10181 for (i = 0, offset = 0; length >= 2;
10182 i++, offset += 2, length -= 2) {
10184 * XXX - add a setup word filterable field?
10186 proto_tree_add_text(tree, s_tvb, offset, 2,
10187 "Setup Word %d: 0x%04x", i,
10188 tvb_get_letohs(s_tvb, offset));
10193 * Show the parameters, if any.
10195 if (p_tvb != NULL) {
10196 length = tvb_reported_length(p_tvb);
10198 proto_tree_add_text(tree, p_tvb, 0, length,
10200 tvb_bytes_to_str(p_tvb, 0, length));
10205 * Show the data, if any.
10207 if (d_tvb != NULL) {
10208 length = tvb_reported_length(d_tvb);
10210 proto_tree_add_text(tree, d_tvb, 0, length,
10211 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
10216 /* This routine handles the following 4 calls
10218 Transaction Secondary 0x26
10220 Transaction2 Secondary 0x33
10223 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
10230 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
10234 const char *an = NULL;
10236 smb_transact2_info_t *t2i;
10237 smb_transact_info_t *tri;
10240 gboolean dissected_trans;
10242 si = (smb_info_t *)pinfo->private_data;
10247 /*secondary client request*/
10249 /* total param count, only a 16bit integer here*/
10250 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10253 /* total data count , only 16bit integer here*/
10254 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10258 pc = tvb_get_letohs(tvb, offset);
10259 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
10263 po = tvb_get_letohs(tvb, offset);
10264 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
10268 pd = tvb_get_letohs(tvb, offset);
10269 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
10273 dc = tvb_get_letohs(tvb, offset);
10274 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
10278 od = tvb_get_letohs(tvb, offset);
10279 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
10283 dd = tvb_get_letohs(tvb, offset);
10284 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
10287 if(si->cmd==SMB_COM_TRANSACTION2){
10291 fid = tvb_get_letohs(tvb, offset);
10292 add_fid(tvb, pinfo, tree, offset, 2, fid);
10297 /* There are no setup words. */
10302 /* it is not a secondary request */
10304 /* total param count , only a 16 bit integer here*/
10305 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10308 /* total data count , only 16bit integer here*/
10309 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10312 /* max param count , only 16bit integer here*/
10313 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10316 /* max data count, only 16bit integer here*/
10317 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10320 /* max setup count, only 16bit integer here*/
10321 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
10324 /* reserved byte */
10325 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10328 /* transaction flags */
10329 tf = dissect_transaction_flags(tvb, pinfo, tree, offset);
10333 to = tvb_get_letohl(tvb, offset);
10335 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
10336 else if (to == 0xffffffff)
10337 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
10339 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
10342 /* 2 reserved bytes */
10343 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10347 pc = tvb_get_letohs(tvb, offset);
10348 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
10352 po = tvb_get_letohs(tvb, offset);
10353 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
10356 /* param displacement is zero here */
10360 dc = tvb_get_letohs(tvb, offset);
10361 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
10365 od = tvb_get_letohs(tvb, offset);
10366 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
10369 /* data displacement is zero here */
10373 sc = tvb_get_guint8(tvb, offset);
10374 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
10377 /* reserved byte */
10378 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10381 /* this is where the setup bytes, if any start */
10385 /* if there were any setup bytes, decode them */
10389 case SMB_COM_TRANSACTION2:
10390 /* TRANSACTION2 only has one setup word and
10391 that is the subcommand code. */
10392 subcmd = tvb_get_letohs(tvb, offset);
10393 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
10394 tvb, offset, 2, subcmd);
10395 if (check_col(pinfo->cinfo, COL_INFO)) {
10396 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10397 val_to_str(subcmd, trans2_cmd_vals,
10398 "Unknown (0x%02x)"));
10401 if(!pinfo->fd->flags.visited){
10404 * smb_transact2_info_t
10407 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
10408 t2i->subcmd = subcmd;
10409 t2i->info_level = -1;
10410 t2i->resume_keys = FALSE;
10411 si->sip->extra_info = t2i;
10416 case SMB_COM_TRANSACTION:
10417 /* TRANSACTION setup words processed below */
10428 /* primary request */
10429 /* name is NULL if transaction2 */
10430 if(si->cmd == SMB_COM_TRANSACTION){
10431 /* Transaction Name */
10432 an = get_unicode_or_ascii_string(tvb, &offset,
10433 pinfo, &an_len, FALSE, FALSE, &bc);
10436 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
10437 offset, an_len, an);
10438 COUNT_BYTES(an_len);
10443 * The pipe or mailslot arguments for Transaction start with
10444 * the first setup word (or where the first setup word would
10445 * be if there were any setup words), and run to the current
10446 * offset (which could mean that there aren't any).
10449 spc = offset - spo;
10453 /* We have some initial padding bytes.
10455 padcnt = po-offset;
10458 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
10459 COUNT_BYTES(padcnt);
10462 CHECK_BYTE_COUNT(pc);
10465 case SMB_COM_TRANSACTION2:
10466 /* TRANSACTION2 parameters*/
10467 offset = dissect_transaction2_request_parameters(tvb,
10468 pinfo, tree, offset, subcmd, pc);
10472 case SMB_COM_TRANSACTION:
10473 /* TRANSACTION parameters processed below */
10481 /* We have some initial padding bytes.
10483 padcnt = od-offset;
10486 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
10487 COUNT_BYTES(padcnt);
10490 CHECK_BYTE_COUNT(dc);
10493 case SMB_COM_TRANSACTION2:
10494 /* TRANSACTION2 data*/
10495 offset = dissect_transaction2_request_data(tvb, pinfo,
10496 tree, offset, subcmd, dc);
10500 case SMB_COM_TRANSACTION:
10501 /* TRANSACTION data processed below */
10507 /*TRANSACTION request parameters */
10508 if(si->cmd==SMB_COM_TRANSACTION){
10509 /*XXX replace this block with a function and use that one
10510 for both requests/responses*/
10512 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
10513 tvbuff_t *sp_tvb, *pd_tvb;
10516 if(pc>tvb_length_remaining(tvb, po)){
10517 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
10519 p_tvb = tvb_new_subset(tvb, po, pc, pc);
10525 if(dc>tvb_length_remaining(tvb, od)){
10526 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
10528 d_tvb = tvb_new_subset(tvb, od, dc, dc);
10534 if(sl>tvb_length_remaining(tvb, so)){
10535 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
10537 s_tvb = tvb_new_subset(tvb, so, sl, sl);
10544 if(!pinfo->fd->flags.visited){
10546 * Allocate a new smb_transact_info_t
10549 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
10551 tri->trans_subcmd = -1;
10552 tri->function = -1;
10554 tri->lanman_cmd = 0;
10555 tri->param_descrip = NULL;
10556 tri->data_descrip = NULL;
10557 tri->aux_data_descrip = NULL;
10558 tri->info_level = -1;
10559 si->sip->extra_info = tri;
10562 * We already filled the structure
10563 * in; don't bother doing so again.
10569 * This is a unidirectional message, for
10570 * which there will be no reply; don't
10571 * bother allocating an "smb_transact_info_t"
10572 * structure for it.
10576 dissected_trans = FALSE;
10577 if(strncmp("\\PIPE\\", an, 6) == 0){
10579 tri->subcmd=TRANSACTION_PIPE;
10582 * A tvbuff containing the setup words and
10585 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
10588 * A tvbuff containing the parameters and the
10591 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
10593 dissected_trans = dissect_pipe_smb(sp_tvb,
10594 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
10596 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
10598 tri->subcmd=TRANSACTION_MAILSLOT;
10601 * A tvbuff containing the setup words and
10602 * the mailslot path.
10604 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
10605 dissected_trans = dissect_mailslot_smb(sp_tvb,
10606 s_tvb, d_tvb, an+10, pinfo, top_tree);
10608 if (!dissected_trans) {
10609 dissect_trans_data(s_tvb, p_tvb, d_tvb,
10613 if(check_col(pinfo->cinfo, COL_INFO)){
10614 col_append_str(pinfo->cinfo, COL_INFO,
10615 "[transact continuation]");
10628 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10629 int offset, guint16 *bcp, gboolean *trunc)
10633 int old_offset = offset;
10634 proto_item *item = NULL;
10635 proto_tree *tree = NULL;
10637 smb_transact2_info_t *t2i;
10638 gboolean resume_keys = FALSE;
10640 si = (smb_info_t *)pinfo->private_data;
10641 if (si->sip != NULL) {
10642 t2i = si->sip->extra_info;
10644 resume_keys = t2i->resume_keys;
10648 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10649 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10650 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10655 CHECK_BYTE_COUNT_SUBR(4);
10656 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
10657 COUNT_BYTES_SUBR(4);
10661 CHECK_BYTE_COUNT_SUBR(4);
10662 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10663 hf_smb_create_time,
10664 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
10668 CHECK_BYTE_COUNT_SUBR(4);
10669 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10670 hf_smb_access_time,
10671 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
10674 /* last write time */
10675 CHECK_BYTE_COUNT_SUBR(4);
10676 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10677 hf_smb_last_write_time,
10678 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
10682 CHECK_BYTE_COUNT_SUBR(4);
10683 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10684 COUNT_BYTES_SUBR(4);
10686 /* allocation size */
10687 CHECK_BYTE_COUNT_SUBR(4);
10688 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10689 COUNT_BYTES_SUBR(4);
10691 /* File Attributes */
10692 CHECK_BYTE_COUNT_SUBR(2);
10693 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
10696 /* file name len */
10697 CHECK_BYTE_COUNT_SUBR(1);
10698 fn_len = tvb_get_guint8(tvb, offset);
10699 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
10700 COUNT_BYTES_SUBR(1);
10702 fn_len += 2; /* include terminating '\0' */
10704 fn_len++; /* include terminating '\0' */
10707 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10708 CHECK_STRING_SUBR(fn);
10709 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10711 COUNT_BYTES_SUBR(fn_len);
10713 if (check_col(pinfo->cinfo, COL_INFO)) {
10714 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10718 proto_item_append_text(item, " File: %s", fn);
10719 proto_item_set_len(item, offset-old_offset);
10726 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10727 int offset, guint16 *bcp, gboolean *trunc)
10731 int old_offset = offset;
10732 proto_item *item = NULL;
10733 proto_tree *tree = NULL;
10735 smb_transact2_info_t *t2i;
10736 gboolean resume_keys = FALSE;
10738 si = (smb_info_t *)pinfo->private_data;
10739 if (si->sip != NULL) {
10740 t2i = si->sip->extra_info;
10742 resume_keys = t2i->resume_keys;
10746 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10747 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10748 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10753 CHECK_BYTE_COUNT_SUBR(4);
10754 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
10755 COUNT_BYTES_SUBR(4);
10759 CHECK_BYTE_COUNT_SUBR(4);
10760 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10761 hf_smb_create_time,
10762 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
10766 CHECK_BYTE_COUNT_SUBR(4);
10767 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10768 hf_smb_access_time,
10769 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
10772 /* last write time */
10773 CHECK_BYTE_COUNT_SUBR(4);
10774 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10775 hf_smb_last_write_time,
10776 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
10780 CHECK_BYTE_COUNT_SUBR(4);
10781 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10782 COUNT_BYTES_SUBR(4);
10784 /* allocation size */
10785 CHECK_BYTE_COUNT_SUBR(4);
10786 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10787 COUNT_BYTES_SUBR(4);
10789 /* File Attributes */
10790 CHECK_BYTE_COUNT_SUBR(2);
10791 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
10795 CHECK_BYTE_COUNT_SUBR(4);
10796 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10797 COUNT_BYTES_SUBR(4);
10799 /* file name len */
10800 CHECK_BYTE_COUNT_SUBR(1);
10801 fn_len = tvb_get_guint8(tvb, offset);
10802 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
10803 COUNT_BYTES_SUBR(1);
10806 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10807 CHECK_STRING_SUBR(fn);
10808 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10810 COUNT_BYTES_SUBR(fn_len);
10812 fn_len += 2; /* include terminating '\0' */
10814 fn_len++; /* include terminating '\0' */
10816 if (check_col(pinfo->cinfo, COL_INFO)) {
10817 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10821 proto_item_append_text(item, " File: %s", fn);
10822 proto_item_set_len(item, offset-old_offset);
10829 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10830 int offset, guint16 *bcp, gboolean *trunc)
10834 int old_offset = offset;
10835 proto_item *item = NULL;
10836 proto_tree *tree = NULL;
10841 si = (smb_info_t *)pinfo->private_data;
10844 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10845 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10846 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10850 * We assume that the presence of a next entry offset implies the
10851 * absence of a resume key, as appears to be the case for 4.3.4.6.
10854 /* next entry offset */
10855 CHECK_BYTE_COUNT_SUBR(4);
10856 neo = tvb_get_letohl(tvb, offset);
10857 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10858 COUNT_BYTES_SUBR(4);
10861 CHECK_BYTE_COUNT_SUBR(4);
10862 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10863 COUNT_BYTES_SUBR(4);
10866 CHECK_BYTE_COUNT_SUBR(8);
10867 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10868 hf_smb_create_time);
10872 CHECK_BYTE_COUNT_SUBR(8);
10873 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10874 hf_smb_access_time);
10877 /* last write time */
10878 CHECK_BYTE_COUNT_SUBR(8);
10879 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10880 hf_smb_last_write_time);
10883 /* last change time */
10884 CHECK_BYTE_COUNT_SUBR(8);
10885 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10886 hf_smb_change_time);
10890 CHECK_BYTE_COUNT_SUBR(8);
10891 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10892 COUNT_BYTES_SUBR(8);
10894 /* allocation size */
10895 CHECK_BYTE_COUNT_SUBR(8);
10896 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10897 COUNT_BYTES_SUBR(8);
10899 /* Extended File Attributes */
10900 CHECK_BYTE_COUNT_SUBR(4);
10901 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
10904 /* file name len */
10905 CHECK_BYTE_COUNT_SUBR(4);
10906 fn_len = tvb_get_letohl(tvb, offset);
10907 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
10908 COUNT_BYTES_SUBR(4);
10911 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10912 CHECK_STRING_SUBR(fn);
10913 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10915 COUNT_BYTES_SUBR(fn_len);
10917 if (check_col(pinfo->cinfo, COL_INFO)) {
10918 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10922 /* skip to next structure */
10924 padcnt = (old_offset + neo) - offset;
10927 * XXX - this is bogus; flag it?
10932 CHECK_BYTE_COUNT_SUBR(padcnt);
10933 COUNT_BYTES_SUBR(padcnt);
10937 proto_item_append_text(item, " File: %s", fn);
10938 proto_item_set_len(item, offset-old_offset);
10945 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10946 int offset, guint16 *bcp, gboolean *trunc)
10950 int old_offset = offset;
10951 proto_item *item = NULL;
10952 proto_tree *tree = NULL;
10957 si = (smb_info_t *)pinfo->private_data;
10960 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10961 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10962 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10966 * We assume that the presence of a next entry offset implies the
10967 * absence of a resume key, as appears to be the case for 4.3.4.6.
10970 /* next entry offset */
10971 CHECK_BYTE_COUNT_SUBR(4);
10972 neo = tvb_get_letohl(tvb, offset);
10973 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10974 COUNT_BYTES_SUBR(4);
10977 CHECK_BYTE_COUNT_SUBR(4);
10978 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10979 COUNT_BYTES_SUBR(4);
10982 CHECK_BYTE_COUNT_SUBR(8);
10983 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10984 hf_smb_create_time);
10988 CHECK_BYTE_COUNT_SUBR(8);
10989 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10990 hf_smb_access_time);
10993 /* last write time */
10994 CHECK_BYTE_COUNT_SUBR(8);
10995 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10996 hf_smb_last_write_time);
10999 /* last change time */
11000 CHECK_BYTE_COUNT_SUBR(8);
11001 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11002 hf_smb_change_time);
11006 CHECK_BYTE_COUNT_SUBR(8);
11007 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11008 COUNT_BYTES_SUBR(8);
11010 /* allocation size */
11011 CHECK_BYTE_COUNT_SUBR(8);
11012 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11013 COUNT_BYTES_SUBR(8);
11015 /* Extended File Attributes */
11016 CHECK_BYTE_COUNT_SUBR(4);
11017 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
11020 /* file name len */
11021 CHECK_BYTE_COUNT_SUBR(4);
11022 fn_len = tvb_get_letohl(tvb, offset);
11023 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11024 COUNT_BYTES_SUBR(4);
11027 CHECK_BYTE_COUNT_SUBR(4);
11028 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
11029 COUNT_BYTES_SUBR(4);
11032 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11033 CHECK_STRING_SUBR(fn);
11034 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11036 COUNT_BYTES_SUBR(fn_len);
11038 if (check_col(pinfo->cinfo, COL_INFO)) {
11039 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11043 /* skip to next structure */
11045 padcnt = (old_offset + neo) - offset;
11048 * XXX - this is bogus; flag it?
11053 CHECK_BYTE_COUNT_SUBR(padcnt);
11054 COUNT_BYTES_SUBR(padcnt);
11058 proto_item_append_text(item, " File: %s", fn);
11059 proto_item_set_len(item, offset-old_offset);
11066 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11067 int offset, guint16 *bcp, gboolean *trunc)
11069 int fn_len, sfn_len;
11070 const char *fn, *sfn;
11071 int old_offset = offset;
11072 proto_item *item = NULL;
11073 proto_tree *tree = NULL;
11078 si = (smb_info_t *)pinfo->private_data;
11081 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11082 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11083 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11087 * XXX - I have not seen any of these that contain a resume
11088 * key, even though some of the requests had the "return resume
11092 /* next entry offset */
11093 CHECK_BYTE_COUNT_SUBR(4);
11094 neo = tvb_get_letohl(tvb, offset);
11095 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11096 COUNT_BYTES_SUBR(4);
11099 CHECK_BYTE_COUNT_SUBR(4);
11100 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11101 COUNT_BYTES_SUBR(4);
11104 CHECK_BYTE_COUNT_SUBR(8);
11105 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11106 hf_smb_create_time);
11110 CHECK_BYTE_COUNT_SUBR(8);
11111 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11112 hf_smb_access_time);
11115 /* last write time */
11116 CHECK_BYTE_COUNT_SUBR(8);
11117 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11118 hf_smb_last_write_time);
11121 /* last change time */
11122 CHECK_BYTE_COUNT_SUBR(8);
11123 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11124 hf_smb_change_time);
11128 CHECK_BYTE_COUNT_SUBR(8);
11129 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11130 COUNT_BYTES_SUBR(8);
11132 /* allocation size */
11133 CHECK_BYTE_COUNT_SUBR(8);
11134 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11135 COUNT_BYTES_SUBR(8);
11137 /* Extended File Attributes */
11138 CHECK_BYTE_COUNT_SUBR(4);
11139 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
11142 /* file name len */
11143 CHECK_BYTE_COUNT_SUBR(4);
11144 fn_len = tvb_get_letohl(tvb, offset);
11145 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11146 COUNT_BYTES_SUBR(4);
11149 CHECK_BYTE_COUNT_SUBR(4);
11150 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
11151 COUNT_BYTES_SUBR(4);
11153 /* short file name len */
11154 CHECK_BYTE_COUNT_SUBR(1);
11155 sfn_len = tvb_get_guint8(tvb, offset);
11156 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
11157 COUNT_BYTES_SUBR(1);
11159 /* reserved byte */
11160 CHECK_BYTE_COUNT_SUBR(1);
11161 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11162 COUNT_BYTES_SUBR(1);
11164 /* short file name */
11165 sfn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &sfn_len, FALSE, TRUE, bcp);
11166 CHECK_STRING_SUBR(sfn);
11167 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
11169 COUNT_BYTES_SUBR(24);
11172 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11173 CHECK_STRING_SUBR(fn);
11174 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11176 COUNT_BYTES_SUBR(fn_len);
11178 if (check_col(pinfo->cinfo, COL_INFO)) {
11179 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11183 /* skip to next structure */
11185 padcnt = (old_offset + neo) - offset;
11188 * XXX - this is bogus; flag it?
11193 CHECK_BYTE_COUNT_SUBR(padcnt);
11194 COUNT_BYTES_SUBR(padcnt);
11198 proto_item_append_text(item, " File: %s", fn);
11199 proto_item_set_len(item, offset-old_offset);
11206 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11207 int offset, guint16 *bcp, gboolean *trunc)
11211 int old_offset = offset;
11212 proto_item *item = NULL;
11213 proto_tree *tree = NULL;
11218 si = (smb_info_t *)pinfo->private_data;
11221 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11222 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11223 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11227 * We assume that the presence of a next entry offset implies the
11228 * absence of a resume key, as appears to be the case for 4.3.4.6.
11231 /* next entry offset */
11232 CHECK_BYTE_COUNT_SUBR(4);
11233 neo = tvb_get_letohl(tvb, offset);
11234 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11235 COUNT_BYTES_SUBR(4);
11238 CHECK_BYTE_COUNT_SUBR(4);
11239 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11240 COUNT_BYTES_SUBR(4);
11242 /* file name len */
11243 CHECK_BYTE_COUNT_SUBR(4);
11244 fn_len = tvb_get_letohl(tvb, offset);
11245 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11246 COUNT_BYTES_SUBR(4);
11249 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11250 CHECK_STRING_SUBR(fn);
11251 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11253 COUNT_BYTES_SUBR(fn_len);
11255 if (check_col(pinfo->cinfo, COL_INFO)) {
11256 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11260 /* skip to next structure */
11262 padcnt = (old_offset + neo) - offset;
11265 * XXX - this is bogus; flag it?
11270 CHECK_BYTE_COUNT_SUBR(padcnt);
11271 COUNT_BYTES_SUBR(padcnt);
11275 proto_item_append_text(item, " File: %s", fn);
11276 proto_item_set_len(item, offset-old_offset);
11283 dissect_4_3_4_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11284 int offset, guint16 *bcp, gboolean *trunc)
11286 /*XXX im lazy. i havnt implemented this */
11293 /*dissect the data block for TRANS2_FIND_FIRST2*/
11295 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
11296 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
11304 si = (smb_info_t *)pinfo->private_data;
11305 switch(si->info_level){
11306 case 1: /*Info Standard*/
11307 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
11310 case 2: /*Info Query EA Size*/
11311 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
11314 case 3: /*Info Query EAs From List same as
11316 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
11319 case 0x0101: /*Find File Directory Info*/
11320 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
11323 case 0x0102: /*Find File Full Directory Info*/
11324 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
11327 case 0x0103: /*Find File Names Info*/
11328 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
11331 case 0x0104: /*Find File Both Directory Info*/
11332 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
11335 case 0x0202: /*Find File UNIX*/
11336 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
11339 default: /* unknown info level */
11348 dissect_fs_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
11351 proto_item *item = NULL;
11352 proto_tree *tree = NULL;
11354 mask = tvb_get_letohl(tvb, offset);
11357 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
11358 "FS Attributes: 0x%08x", mask);
11359 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
11362 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
11363 tvb, offset, 4, mask);
11364 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
11365 tvb, offset, 4, mask);
11366 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
11367 tvb, offset, 4, mask);
11368 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
11369 tvb, offset, 4, mask);
11370 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
11371 tvb, offset, 4, mask);
11372 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
11373 tvb, offset, 4, mask);
11374 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
11375 tvb, offset, 4, mask);
11383 dissect_device_characteristics(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
11386 proto_item *item = NULL;
11387 proto_tree *tree = NULL;
11389 mask = tvb_get_letohl(tvb, offset);
11392 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
11393 "Device Characteristics: 0x%08x", mask);
11394 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
11397 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
11398 tvb, offset, 4, mask);
11399 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
11400 tvb, offset, 4, mask);
11401 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
11402 tvb, offset, 4, mask);
11403 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
11404 tvb, offset, 4, mask);
11405 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
11406 tvb, offset, 4, mask);
11407 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
11408 tvb, offset, 4, mask);
11409 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
11410 tvb, offset, 4, mask);
11416 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
11418 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
11419 int offset, guint16 *bcp)
11422 int fn_len, vll, fnl;
11429 si = (smb_info_t *)pinfo->private_data;
11430 switch(si->info_level){
11431 case 1: /* SMB_INFO_ALLOCATION */
11432 /* filesystem id */
11433 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11434 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
11435 COUNT_BYTES_TRANS_SUBR(4);
11437 /* sectors per unit */
11438 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11439 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
11440 COUNT_BYTES_TRANS_SUBR(4);
11443 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11444 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
11445 COUNT_BYTES_TRANS_SUBR(4);
11448 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11449 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
11450 COUNT_BYTES_TRANS_SUBR(4);
11452 /* bytes per sector, only 16bit integer here */
11453 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11454 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11455 COUNT_BYTES_TRANS_SUBR(2);
11458 case 2: /* SMB_INFO_VOLUME */
11459 /* volume serial number */
11460 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11461 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
11462 COUNT_BYTES_TRANS_SUBR(4);
11464 /* volume label length, only one byte here */
11465 CHECK_BYTE_COUNT_TRANS_SUBR(1);
11466 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11467 COUNT_BYTES_TRANS_SUBR(1);
11470 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
11471 CHECK_STRING_TRANS_SUBR(fn);
11472 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
11474 COUNT_BYTES_TRANS_SUBR(fn_len);
11477 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
11479 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11480 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11481 hf_smb_create_time);
11484 /* volume serial number */
11485 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11486 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
11487 COUNT_BYTES_TRANS_SUBR(4);
11489 /* volume label length */
11490 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11491 vll = tvb_get_letohl(tvb, offset);
11492 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
11493 COUNT_BYTES_TRANS_SUBR(4);
11495 /* 2 reserved bytes */
11496 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11497 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11498 COUNT_BYTES_TRANS_SUBR(2);
11502 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11503 CHECK_STRING_TRANS_SUBR(fn);
11504 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
11506 COUNT_BYTES_TRANS_SUBR(fn_len);
11509 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
11510 /* allocation size */
11511 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11512 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11513 COUNT_BYTES_TRANS_SUBR(8);
11515 /* free allocation units */
11516 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11517 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
11518 COUNT_BYTES_TRANS_SUBR(8);
11520 /* sectors per unit */
11521 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11522 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
11523 COUNT_BYTES_TRANS_SUBR(4);
11525 /* bytes per sector */
11526 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11527 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
11528 COUNT_BYTES_TRANS_SUBR(4);
11531 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
11533 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11534 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
11535 COUNT_BYTES_TRANS_SUBR(4);
11537 /* device characteristics */
11538 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11539 offset = dissect_device_characteristics(tvb, pinfo, tree, offset);
11543 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
11544 /* FS attributes */
11545 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11546 offset = dissect_fs_attributes(tvb, pinfo, tree, offset);
11550 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11551 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
11552 COUNT_BYTES_TRANS_SUBR(4);
11554 /* fs name length */
11555 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11556 fnl = tvb_get_letohl(tvb, offset);
11557 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
11558 COUNT_BYTES_TRANS_SUBR(4);
11562 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11563 CHECK_STRING_TRANS_SUBR(fn);
11564 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
11566 COUNT_BYTES_TRANS_SUBR(fn_len);
11569 case 1006: /* QUERY_FS_QUOTA_INFO */
11570 offset = dissect_nt_quota(tvb, pinfo, tree, offset, bcp);
11577 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
11578 proto_tree *parent_tree)
11580 proto_item *item = NULL;
11581 proto_tree *tree = NULL;
11583 smb_transact2_info_t *t2i;
11589 dc = tvb_reported_length(tvb);
11591 si = (smb_info_t *)pinfo->private_data;
11592 if (si->sip != NULL)
11593 t2i = si->sip->extra_info;
11598 if (t2i != NULL && t2i->subcmd != -1) {
11599 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11601 val_to_str(t2i->subcmd, trans2_cmd_vals,
11602 "Unknown (0x%02x)"));
11603 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11605 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11606 "Unknown Transaction2 Data");
11614 switch(t2i->subcmd){
11615 case 0x00: /*TRANS2_OPEN2*/
11616 /* XXX not implemented yet. See SNIA doc */
11618 case 0x01: /*TRANS2_FIND_FIRST2*/
11619 /* returned data */
11620 count = si->info_count;
11622 if (count && check_col(pinfo->cinfo, COL_INFO)) {
11623 col_append_fstr(pinfo->cinfo, COL_INFO,
11628 offset = dissect_ff2_response_data(tvb, pinfo, tree,
11629 offset, &dc, &trunc);
11634 case 0x02: /*TRANS2_FIND_NEXT2*/
11635 /* returned data */
11636 count = si->info_count;
11638 if (count && check_col(pinfo->cinfo, COL_INFO)) {
11639 col_append_fstr(pinfo->cinfo, COL_INFO,
11644 offset = dissect_ff2_response_data(tvb, pinfo, tree,
11645 offset, &dc, &trunc);
11650 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11651 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
11653 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11654 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11656 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11657 /* no data in this response */
11659 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11660 /* identical to QUERY_PATH_INFO */
11661 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11663 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11664 /* no data in this response */
11666 case 0x09: /*TRANS2_FSCTL*/
11667 /* XXX dont know how to dissect this one (yet)*/
11669 case 0x0a: /*TRANS2_IOCTL2*/
11670 /* XXX dont know how to dissect this one (yet)*/
11672 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11673 /* XXX dont know how to dissect this one (yet)*/
11675 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11676 /* XXX dont know how to dissect this one (yet)*/
11678 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11679 /* no data in this response */
11681 case 0x0e: /*TRANS2_SESSION_SETUP*/
11682 /* XXX dont know how to dissect this one (yet)*/
11684 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11685 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
11687 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11688 /* the SNIA spec appears to say the response has no data */
11692 * We don't know what the matching request was; don't
11693 * bother putting anything else into the tree for the data.
11700 /* ooops there were data we didnt know how to process */
11702 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
11711 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
11713 proto_item *item = NULL;
11714 proto_tree *tree = NULL;
11716 smb_transact2_info_t *t2i;
11722 pc = tvb_reported_length(tvb);
11724 si = (smb_info_t *)pinfo->private_data;
11725 if (si->sip != NULL)
11726 t2i = si->sip->extra_info;
11731 if (t2i != NULL && t2i->subcmd != -1) {
11732 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
11734 val_to_str(t2i->subcmd, trans2_cmd_vals,
11735 "Unknown (0x%02x)"));
11736 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
11738 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
11739 "Unknown Transaction2 Parameters");
11747 switch(t2i->subcmd){
11748 case 0x00: /*TRANS2_OPEN2*/
11750 fid = tvb_get_letohs(tvb, offset);
11751 add_fid(tvb, pinfo, tree, offset, 2, fid);
11754 /* File Attributes */
11755 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
11758 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
11759 hf_smb_create_time,
11760 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
11763 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11766 /* granted access */
11767 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
11770 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
11774 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
11777 offset = dissect_open_action(tvb, pinfo, tree, offset);
11779 /* 4 reserved bytes */
11780 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
11783 /* ea error offset, only a 16 bit integer here */
11784 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11788 proto_tree_add_item(tree, hf_smb_ea_length, tvb, offset, 4, TRUE);
11792 case 0x01: /*TRANS2_FIND_FIRST2*/
11793 /* Find First2 information level */
11794 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
11797 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
11801 si->info_count = tvb_get_letohs(tvb, offset);
11802 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
11805 /* end of search */
11806 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
11809 /* ea error offset, only a 16 bit integer here */
11810 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11813 /* last name offset */
11814 lno = tvb_get_letohs(tvb, offset);
11815 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
11819 case 0x02: /*TRANS2_FIND_NEXT2*/
11821 si->info_count = tvb_get_letohs(tvb, offset);
11822 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
11825 /* end of search */
11826 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
11829 /* ea error offset , only a 16 bit integer here*/
11830 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11833 /* last name offset */
11834 lno = tvb_get_letohs(tvb, offset);
11835 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
11839 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11840 /* no parameter block here */
11842 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11843 /* no parameter block here */
11845 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11846 /* no parameter block here */
11848 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11849 /* no parameter block here */
11851 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11852 /* no parameter block here */
11854 case 0x09: /*TRANS2_FSCTL*/
11855 /* XXX dont know how to dissect this one (yet)*/
11857 case 0x0a: /*TRANS2_IOCTL2*/
11858 /* XXX dont know how to dissect this one (yet)*/
11860 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11861 /* XXX dont know how to dissect this one (yet)*/
11863 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11864 /* XXX dont know how to dissect this one (yet)*/
11866 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11867 /* ea error offset, only a 16 bit integer here */
11868 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11872 case 0x0e: /*TRANS2_SESSION_SETUP*/
11873 /* XXX dont know how to dissect this one (yet)*/
11875 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11876 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
11878 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11879 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
11883 * We don't know what the matching request was; don't
11884 * bother putting anything else into the tree for the data.
11890 /* ooops there were data we didnt know how to process */
11892 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
11893 offset += pc-offset;
11899 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
11902 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
11903 gboolean reassembled = FALSE;
11905 smb_transact2_info_t *t2i = NULL;
11908 gboolean dissected_trans;
11909 fragment_data *r_fd = NULL;
11910 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
11911 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
11912 gboolean save_fragmented;
11914 si = (smb_info_t *)pinfo->private_data;
11917 case SMB_COM_TRANSACTION2:
11919 if (si->sip != NULL) {
11920 t2i = si->sip->extra_info;
11925 * We didn't see the matching request, so we don't
11926 * know what type of transaction this is.
11928 proto_tree_add_text(tree, tvb, 0, 0,
11929 "Subcommand: <UNKNOWN> since request packet wasn't seen");
11930 if (check_col(pinfo->cinfo, COL_INFO)) {
11931 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
11934 si->info_level = t2i->info_level;
11935 if (t2i->subcmd == -1) {
11937 * We didn't manage to extract the subcommand
11938 * from the matching request (perhaps because
11939 * the frame was short), so we don't know what
11940 * type of transaction this is.
11942 proto_tree_add_text(tree, tvb, 0, 0,
11943 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
11944 if (check_col(pinfo->cinfo, COL_INFO)) {
11945 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
11948 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
11949 if (check_col(pinfo->cinfo, COL_INFO)) {
11950 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11951 val_to_str(t2i->subcmd,
11953 "<unknown (0x%02x)>"));
11962 /* total param count, only a 16bit integer here */
11963 tp = tvb_get_letohs(tvb, offset);
11964 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
11967 /* total data count, only a 16 bit integer here */
11968 td = tvb_get_letohs(tvb, offset);
11969 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
11972 /* 2 reserved bytes */
11973 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11977 pc = tvb_get_letohs(tvb, offset);
11978 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11982 po = tvb_get_letohs(tvb, offset);
11983 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11987 pd = tvb_get_letohs(tvb, offset);
11988 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11992 dc = tvb_get_letohs(tvb, offset);
11993 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11997 od = tvb_get_letohs(tvb, offset);
11998 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
12002 dd = tvb_get_letohs(tvb, offset);
12003 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
12007 sc = tvb_get_guint8(tvb, offset);
12008 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
12011 /* reserved byte */
12012 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12016 /* if there were any setup bytes, put them in a tvb for later */
12018 if((2*sc)>tvb_length_remaining(tvb, offset)){
12019 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
12021 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
12023 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
12034 /* reassembly of SMB Transaction data payload.
12035 In this section we do reassembly of both the data and parameters
12036 blocks of the SMB transaction command.
12038 save_fragmented = pinfo->fragmented;
12039 /* do we need reassembly? */
12040 if( (td!=dc) || (tp!=pc) ){
12041 /* oh yeah, either data or parameter section needs
12044 pinfo->fragmented = TRUE;
12045 if(smb_trans_reassembly){
12046 /* ...and we were told to do reassembly */
12047 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
12048 r_fd = smb_trans_defragment(tree, pinfo, tvb,
12049 po, pc, pd, td+tp);
12052 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
12053 r_fd = smb_trans_defragment(tree, pinfo, tvb,
12054 od, dc, dd+tp, td+tp);
12059 /* if we got a reassembled fd structure from the reassembly routine we must
12060 create pd_tvb from it
12067 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
12069 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
12070 add_new_data_source(pinfo->fd, pd_tvb, "Reassembled SMB");
12071 pinfo->fragmented = FALSE;
12073 it = proto_tree_add_text(tree, pd_tvb, 0, -1, "Fragments");
12074 tr = proto_item_add_subtree(it, ett_smb_segments);
12075 for(fd=r_fd->next;fd;fd=fd->next){
12076 proto_tree_add_text(tr, pd_tvb, fd->offset, fd->len,
12077 "Frame:%u Data:%u-%u",
12078 fd->frame, fd->offset,
12079 fd->offset+fd->len-1);
12085 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
12087 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
12090 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
12093 /* It was not reassembled. Do as best as we can.
12094 * in this case we always try to dissect the stuff if
12095 * data and param displacement is 0. i.e. for the first
12096 * (and maybe only) packet.
12098 if( (pd==0) && (dd==0) ){
12101 min = MIN(pc,tvb_length_remaining(tvb,po));
12102 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
12103 if(min && reported_min) {
12104 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
12106 min = MIN(dc,tvb_length_remaining(tvb,od));
12107 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
12108 if(min && reported_min) {
12109 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
12112 * A tvbuff containing the parameters
12114 * XXX - check pc and dc as well?
12116 if (tvb_length_remaining(tvb, po)){
12117 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
12126 /* We have some padding bytes.
12128 padcnt = po-offset;
12131 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
12132 COUNT_BYTES(padcnt);
12134 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
12135 /* TRANSACTION2 parameters*/
12136 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
12143 /* We have some initial padding bytes.
12145 padcnt = od-offset;
12148 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
12149 COUNT_BYTES(padcnt);
12152 * If the data count is bigger than the count of bytes
12153 * remaining, clamp it so that the count of bytes remaining
12154 * doesn't go negative.
12162 /* from now on, everything is in separate tvbuffs so we dont count
12163 the bytes with COUNT_BYTES any more.
12164 neither do we reference offset any more (which by now points to the
12165 first byte AFTER this PDU */
12168 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
12169 /* TRANSACTION2 parameters*/
12170 dissect_transaction2_response_data(d_tvb, pinfo, tree);
12174 if(si->cmd==SMB_COM_TRANSACTION){
12175 smb_transact_info_t *tri;
12177 dissected_trans = FALSE;
12178 if (si->sip != NULL)
12179 tri = si->sip->extra_info;
12183 switch(tri->subcmd){
12185 case TRANSACTION_PIPE:
12186 /* This function is safe to call for
12187 s_tvb==sp_tvb==NULL, i.e. if we don't
12188 know them at this point.
12189 It's also safe to call if "p_tvb"
12190 or "d_tvb" are null.
12193 dissected_trans = dissect_pipe_smb(
12194 sp_tvb, s_tvb, pd_tvb, p_tvb,
12195 d_tvb, NULL, pinfo, top_tree);
12199 case TRANSACTION_MAILSLOT:
12200 /* This one should be safe to call
12201 even if s_tvb and sp_tvb is NULL
12204 dissected_trans = dissect_mailslot_smb(
12205 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
12211 if (!dissected_trans) {
12212 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
12213 dissect_trans_data(s_tvb, p_tvb, d_tvb,
12219 if( (p_tvb==0) && (d_tvb==0) ){
12220 if(check_col(pinfo->cinfo, COL_INFO)){
12221 col_append_str(pinfo->cinfo, COL_INFO,
12222 "[transact continuation]");
12226 pinfo->fragmented = save_fragmented;
12233 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12234 END Transaction/Transaction2 Primary and secondary requests
12235 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
12239 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
12247 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
12252 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
12259 typedef struct _smb_function {
12260 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12261 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12264 static smb_function smb_dissector[256] = {
12265 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
12266 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
12267 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
12268 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
12269 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
12270 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
12271 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
12272 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
12273 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
12274 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
12275 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
12276 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
12277 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
12278 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
12279 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
12280 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
12282 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
12283 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
12284 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
12285 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
12286 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
12287 /* 0x15 */ {dissect_unknown, dissect_unknown},
12288 /* 0x16 */ {dissect_unknown, dissect_unknown},
12289 /* 0x17 */ {dissect_unknown, dissect_unknown},
12290 /* 0x18 */ {dissect_unknown, dissect_unknown},
12291 /* 0x19 */ {dissect_unknown, dissect_unknown},
12292 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
12293 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
12294 /* 0x1c */ {dissect_unknown, dissect_unknown},
12295 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
12296 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
12297 /* 0x1f */ {dissect_unknown, dissect_unknown},
12299 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
12300 /* 0x21 */ {dissect_unknown, dissect_unknown},
12301 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
12302 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
12303 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
12304 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
12305 /* 0x26 Transaction Secondary */ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
12306 /* 0x27 */ {dissect_unknown, dissect_unknown},
12307 /* 0x28 */ {dissect_unknown, dissect_unknown},
12308 /* 0x29 */ {dissect_unknown, dissect_unknown},
12309 /* 0x2a Move File*/ {dissect_move_request, dissect_move_response},
12310 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
12311 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
12312 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
12313 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
12314 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
12316 /* 0x30 */ {dissect_unknown, dissect_unknown},
12317 /* 0x31 */ {dissect_unknown, dissect_unknown},
12318 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
12319 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
12320 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
12321 /* 0x35 */ {dissect_unknown, dissect_unknown},
12322 /* 0x36 */ {dissect_unknown, dissect_unknown},
12323 /* 0x37 */ {dissect_unknown, dissect_unknown},
12324 /* 0x38 */ {dissect_unknown, dissect_unknown},
12325 /* 0x39 */ {dissect_unknown, dissect_unknown},
12326 /* 0x3a */ {dissect_unknown, dissect_unknown},
12327 /* 0x3b */ {dissect_unknown, dissect_unknown},
12328 /* 0x3c */ {dissect_unknown, dissect_unknown},
12329 /* 0x3d */ {dissect_unknown, dissect_unknown},
12330 /* 0x3e */ {dissect_unknown, dissect_unknown},
12331 /* 0x3f */ {dissect_unknown, dissect_unknown},
12333 /* 0x40 */ {dissect_unknown, dissect_unknown},
12334 /* 0x41 */ {dissect_unknown, dissect_unknown},
12335 /* 0x42 */ {dissect_unknown, dissect_unknown},
12336 /* 0x43 */ {dissect_unknown, dissect_unknown},
12337 /* 0x44 */ {dissect_unknown, dissect_unknown},
12338 /* 0x45 */ {dissect_unknown, dissect_unknown},
12339 /* 0x46 */ {dissect_unknown, dissect_unknown},
12340 /* 0x47 */ {dissect_unknown, dissect_unknown},
12341 /* 0x48 */ {dissect_unknown, dissect_unknown},
12342 /* 0x49 */ {dissect_unknown, dissect_unknown},
12343 /* 0x4a */ {dissect_unknown, dissect_unknown},
12344 /* 0x4b */ {dissect_unknown, dissect_unknown},
12345 /* 0x4c */ {dissect_unknown, dissect_unknown},
12346 /* 0x4d */ {dissect_unknown, dissect_unknown},
12347 /* 0x4e */ {dissect_unknown, dissect_unknown},
12348 /* 0x4f */ {dissect_unknown, dissect_unknown},
12350 /* 0x50 */ {dissect_unknown, dissect_unknown},
12351 /* 0x51 */ {dissect_unknown, dissect_unknown},
12352 /* 0x52 */ {dissect_unknown, dissect_unknown},
12353 /* 0x53 */ {dissect_unknown, dissect_unknown},
12354 /* 0x54 */ {dissect_unknown, dissect_unknown},
12355 /* 0x55 */ {dissect_unknown, dissect_unknown},
12356 /* 0x56 */ {dissect_unknown, dissect_unknown},
12357 /* 0x57 */ {dissect_unknown, dissect_unknown},
12358 /* 0x58 */ {dissect_unknown, dissect_unknown},
12359 /* 0x59 */ {dissect_unknown, dissect_unknown},
12360 /* 0x5a */ {dissect_unknown, dissect_unknown},
12361 /* 0x5b */ {dissect_unknown, dissect_unknown},
12362 /* 0x5c */ {dissect_unknown, dissect_unknown},
12363 /* 0x5d */ {dissect_unknown, dissect_unknown},
12364 /* 0x5e */ {dissect_unknown, dissect_unknown},
12365 /* 0x5f */ {dissect_unknown, dissect_unknown},
12367 /* 0x60 */ {dissect_unknown, dissect_unknown},
12368 /* 0x61 */ {dissect_unknown, dissect_unknown},
12369 /* 0x62 */ {dissect_unknown, dissect_unknown},
12370 /* 0x63 */ {dissect_unknown, dissect_unknown},
12371 /* 0x64 */ {dissect_unknown, dissect_unknown},
12372 /* 0x65 */ {dissect_unknown, dissect_unknown},
12373 /* 0x66 */ {dissect_unknown, dissect_unknown},
12374 /* 0x67 */ {dissect_unknown, dissect_unknown},
12375 /* 0x68 */ {dissect_unknown, dissect_unknown},
12376 /* 0x69 */ {dissect_unknown, dissect_unknown},
12377 /* 0x6a */ {dissect_unknown, dissect_unknown},
12378 /* 0x6b */ {dissect_unknown, dissect_unknown},
12379 /* 0x6c */ {dissect_unknown, dissect_unknown},
12380 /* 0x6d */ {dissect_unknown, dissect_unknown},
12381 /* 0x6e */ {dissect_unknown, dissect_unknown},
12382 /* 0x6f */ {dissect_unknown, dissect_unknown},
12384 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
12385 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
12386 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
12387 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
12388 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
12389 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
12390 /* 0x76 */ {dissect_unknown, dissect_unknown},
12391 /* 0x77 */ {dissect_unknown, dissect_unknown},
12392 /* 0x78 */ {dissect_unknown, dissect_unknown},
12393 /* 0x79 */ {dissect_unknown, dissect_unknown},
12394 /* 0x7a */ {dissect_unknown, dissect_unknown},
12395 /* 0x7b */ {dissect_unknown, dissect_unknown},
12396 /* 0x7c */ {dissect_unknown, dissect_unknown},
12397 /* 0x7d */ {dissect_unknown, dissect_unknown},
12398 /* 0x7e */ {dissect_unknown, dissect_unknown},
12399 /* 0x7f */ {dissect_unknown, dissect_unknown},
12401 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
12402 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
12403 /* 0x82 */ {dissect_unknown, dissect_unknown},
12404 /* 0x83 */ {dissect_unknown, dissect_unknown},
12405 /* 0x84 */ {dissect_unknown, dissect_unknown},
12406 /* 0x85 */ {dissect_unknown, dissect_unknown},
12407 /* 0x86 */ {dissect_unknown, dissect_unknown},
12408 /* 0x87 */ {dissect_unknown, dissect_unknown},
12409 /* 0x88 */ {dissect_unknown, dissect_unknown},
12410 /* 0x89 */ {dissect_unknown, dissect_unknown},
12411 /* 0x8a */ {dissect_unknown, dissect_unknown},
12412 /* 0x8b */ {dissect_unknown, dissect_unknown},
12413 /* 0x8c */ {dissect_unknown, dissect_unknown},
12414 /* 0x8d */ {dissect_unknown, dissect_unknown},
12415 /* 0x8e */ {dissect_unknown, dissect_unknown},
12416 /* 0x8f */ {dissect_unknown, dissect_unknown},
12418 /* 0x90 */ {dissect_unknown, dissect_unknown},
12419 /* 0x91 */ {dissect_unknown, dissect_unknown},
12420 /* 0x92 */ {dissect_unknown, dissect_unknown},
12421 /* 0x93 */ {dissect_unknown, dissect_unknown},
12422 /* 0x94 */ {dissect_unknown, dissect_unknown},
12423 /* 0x95 */ {dissect_unknown, dissect_unknown},
12424 /* 0x96 */ {dissect_unknown, dissect_unknown},
12425 /* 0x97 */ {dissect_unknown, dissect_unknown},
12426 /* 0x98 */ {dissect_unknown, dissect_unknown},
12427 /* 0x99 */ {dissect_unknown, dissect_unknown},
12428 /* 0x9a */ {dissect_unknown, dissect_unknown},
12429 /* 0x9b */ {dissect_unknown, dissect_unknown},
12430 /* 0x9c */ {dissect_unknown, dissect_unknown},
12431 /* 0x9d */ {dissect_unknown, dissect_unknown},
12432 /* 0x9e */ {dissect_unknown, dissect_unknown},
12433 /* 0x9f */ {dissect_unknown, dissect_unknown},
12434 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
12435 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
12436 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
12437 /* 0xa3 */ {dissect_unknown, dissect_unknown},
12438 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
12439 /* 0xa5 */ {dissect_nt_rename_file_request, dissect_empty},
12440 /* 0xa6 */ {dissect_unknown, dissect_unknown},
12441 /* 0xa7 */ {dissect_unknown, dissect_unknown},
12442 /* 0xa8 */ {dissect_unknown, dissect_unknown},
12443 /* 0xa9 */ {dissect_unknown, dissect_unknown},
12444 /* 0xaa */ {dissect_unknown, dissect_unknown},
12445 /* 0xab */ {dissect_unknown, dissect_unknown},
12446 /* 0xac */ {dissect_unknown, dissect_unknown},
12447 /* 0xad */ {dissect_unknown, dissect_unknown},
12448 /* 0xae */ {dissect_unknown, dissect_unknown},
12449 /* 0xaf */ {dissect_unknown, dissect_unknown},
12451 /* 0xb0 */ {dissect_unknown, dissect_unknown},
12452 /* 0xb1 */ {dissect_unknown, dissect_unknown},
12453 /* 0xb2 */ {dissect_unknown, dissect_unknown},
12454 /* 0xb3 */ {dissect_unknown, dissect_unknown},
12455 /* 0xb4 */ {dissect_unknown, dissect_unknown},
12456 /* 0xb5 */ {dissect_unknown, dissect_unknown},
12457 /* 0xb6 */ {dissect_unknown, dissect_unknown},
12458 /* 0xb7 */ {dissect_unknown, dissect_unknown},
12459 /* 0xb8 */ {dissect_unknown, dissect_unknown},
12460 /* 0xb9 */ {dissect_unknown, dissect_unknown},
12461 /* 0xba */ {dissect_unknown, dissect_unknown},
12462 /* 0xbb */ {dissect_unknown, dissect_unknown},
12463 /* 0xbc */ {dissect_unknown, dissect_unknown},
12464 /* 0xbd */ {dissect_unknown, dissect_unknown},
12465 /* 0xbe */ {dissect_unknown, dissect_unknown},
12466 /* 0xbf */ {dissect_unknown, dissect_unknown},
12467 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
12468 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
12469 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
12470 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
12471 /* 0xc4 */ {dissect_unknown, dissect_unknown},
12472 /* 0xc5 */ {dissect_unknown, dissect_unknown},
12473 /* 0xc6 */ {dissect_unknown, dissect_unknown},
12474 /* 0xc7 */ {dissect_unknown, dissect_unknown},
12475 /* 0xc8 */ {dissect_unknown, dissect_unknown},
12476 /* 0xc9 */ {dissect_unknown, dissect_unknown},
12477 /* 0xca */ {dissect_unknown, dissect_unknown},
12478 /* 0xcb */ {dissect_unknown, dissect_unknown},
12479 /* 0xcc */ {dissect_unknown, dissect_unknown},
12480 /* 0xcd */ {dissect_unknown, dissect_unknown},
12481 /* 0xce */ {dissect_unknown, dissect_unknown},
12482 /* 0xcf */ {dissect_unknown, dissect_unknown},
12484 /* 0xd0 */ {dissect_unknown, dissect_unknown},
12485 /* 0xd1 */ {dissect_unknown, dissect_unknown},
12486 /* 0xd2 */ {dissect_unknown, dissect_unknown},
12487 /* 0xd3 */ {dissect_unknown, dissect_unknown},
12488 /* 0xd4 */ {dissect_unknown, dissect_unknown},
12489 /* 0xd5 */ {dissect_unknown, dissect_unknown},
12490 /* 0xd6 */ {dissect_unknown, dissect_unknown},
12491 /* 0xd7 */ {dissect_unknown, dissect_unknown},
12492 /* 0xd8 */ {dissect_unknown, dissect_unknown},
12493 /* 0xd9 */ {dissect_unknown, dissect_unknown},
12494 /* 0xda */ {dissect_unknown, dissect_unknown},
12495 /* 0xdb */ {dissect_unknown, dissect_unknown},
12496 /* 0xdc */ {dissect_unknown, dissect_unknown},
12497 /* 0xdd */ {dissect_unknown, dissect_unknown},
12498 /* 0xde */ {dissect_unknown, dissect_unknown},
12499 /* 0xdf */ {dissect_unknown, dissect_unknown},
12501 /* 0xe0 */ {dissect_unknown, dissect_unknown},
12502 /* 0xe1 */ {dissect_unknown, dissect_unknown},
12503 /* 0xe2 */ {dissect_unknown, dissect_unknown},
12504 /* 0xe3 */ {dissect_unknown, dissect_unknown},
12505 /* 0xe4 */ {dissect_unknown, dissect_unknown},
12506 /* 0xe5 */ {dissect_unknown, dissect_unknown},
12507 /* 0xe6 */ {dissect_unknown, dissect_unknown},
12508 /* 0xe7 */ {dissect_unknown, dissect_unknown},
12509 /* 0xe8 */ {dissect_unknown, dissect_unknown},
12510 /* 0xe9 */ {dissect_unknown, dissect_unknown},
12511 /* 0xea */ {dissect_unknown, dissect_unknown},
12512 /* 0xeb */ {dissect_unknown, dissect_unknown},
12513 /* 0xec */ {dissect_unknown, dissect_unknown},
12514 /* 0xed */ {dissect_unknown, dissect_unknown},
12515 /* 0xee */ {dissect_unknown, dissect_unknown},
12516 /* 0xef */ {dissect_unknown, dissect_unknown},
12518 /* 0xf0 */ {dissect_unknown, dissect_unknown},
12519 /* 0xf1 */ {dissect_unknown, dissect_unknown},
12520 /* 0xf2 */ {dissect_unknown, dissect_unknown},
12521 /* 0xf3 */ {dissect_unknown, dissect_unknown},
12522 /* 0xf4 */ {dissect_unknown, dissect_unknown},
12523 /* 0xf5 */ {dissect_unknown, dissect_unknown},
12524 /* 0xf6 */ {dissect_unknown, dissect_unknown},
12525 /* 0xf7 */ {dissect_unknown, dissect_unknown},
12526 /* 0xf8 */ {dissect_unknown, dissect_unknown},
12527 /* 0xf9 */ {dissect_unknown, dissect_unknown},
12528 /* 0xfa */ {dissect_unknown, dissect_unknown},
12529 /* 0xfb */ {dissect_unknown, dissect_unknown},
12530 /* 0xfc */ {dissect_unknown, dissect_unknown},
12531 /* 0xfd */ {dissect_unknown, dissect_unknown},
12532 /* 0xfe */ {dissect_unknown, dissect_unknown},
12533 /* 0xff */ {dissect_unknown, dissect_unknown},
12537 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree, int offset, proto_tree *smb_tree, guint8 cmd)
12539 int old_offset = offset;
12542 si = pinfo->private_data;
12544 proto_item *cmd_item;
12545 proto_tree *cmd_tree;
12546 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12548 if (check_col(pinfo->cinfo, COL_INFO)) {
12549 col_add_fstr(pinfo->cinfo, COL_INFO, "%s %s",
12550 decode_smb_name(cmd),
12551 (si->request)? "Request" : "Response");
12554 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
12556 decode_smb_name(cmd),
12557 (si->request)?"Request":"Response",
12560 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
12562 dissector = (si->request)?
12563 smb_dissector[cmd].request:smb_dissector[cmd].response;
12565 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
12566 proto_item_set_len(cmd_item, offset-old_offset);
12572 /* NOTE: this value_string array will also be used to access data directly by
12573 * index instead of val_to_str() since
12574 * 1, the array will always span every value from 0x00 to 0xff and
12575 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
12576 * This means that this value_string array MUST always
12577 * 1, contain all entries 0x00 to 0xff
12578 * 2, all entries must be in order.
12580 static const value_string smb_cmd_vals[] = {
12581 { 0x00, "Create Directory" },
12582 { 0x01, "Delete Directory" },
12584 { 0x03, "Create" },
12587 { 0x06, "Delete" },
12588 { 0x07, "Rename" },
12589 { 0x08, "Query Information" },
12590 { 0x09, "Set Information" },
12593 { 0x0C, "Lock Byte Range" },
12594 { 0x0D, "Unlock Byte Range" },
12595 { 0x0E, "Create Temp" },
12596 { 0x0F, "Create New" },
12597 { 0x10, "Check Directory" },
12598 { 0x11, "Process Exit" },
12600 { 0x13, "Lock And Read" },
12601 { 0x14, "Write And Unlock" },
12602 { 0x15, "unknown-0x15" },
12603 { 0x16, "unknown-0x16" },
12604 { 0x17, "unknown-0x17" },
12605 { 0x18, "unknown-0x18" },
12606 { 0x19, "unknown-0x19" },
12607 { 0x1A, "Read Raw" },
12608 { 0x1B, "Read MPX" },
12609 { 0x1C, "Read MPX Secondary" },
12610 { 0x1D, "Write Raw" },
12611 { 0x1E, "Write MPX" },
12612 { 0x1F, "SMBwriteBs" },
12613 { 0x20, "Write Complete" },
12614 { 0x21, "unknown-0x21" },
12615 { 0x22, "Set Information2" },
12616 { 0x23, "Query Information2" },
12617 { 0x24, "Locking AndX" },
12618 { 0x25, "Transaction" },
12619 { 0x26, "Transaction Secondary" },
12621 { 0x28, "IOCTL Secondary" },
12625 { 0x2C, "Write And Close" },
12626 { 0x2D, "Open AndX" },
12627 { 0x2E, "Read AndX" },
12628 { 0x2F, "Write AndX" },
12629 { 0x30, "unknown-0x30" },
12630 { 0x31, "Close And Tree Discover" },
12631 { 0x32, "Transaction2" },
12632 { 0x33, "Transaction2 Secondary" },
12633 { 0x34, "Find Close2" },
12634 { 0x35, "Find Notify Close" },
12635 { 0x36, "unknown-0x36" },
12636 { 0x37, "unknown-0x37" },
12637 { 0x38, "unknown-0x38" },
12638 { 0x39, "unknown-0x39" },
12639 { 0x3A, "unknown-0x3A" },
12640 { 0x3B, "unknown-0x3B" },
12641 { 0x3C, "unknown-0x3C" },
12642 { 0x3D, "unknown-0x3D" },
12643 { 0x3E, "unknown-0x3E" },
12644 { 0x3F, "unknown-0x3F" },
12645 { 0x40, "unknown-0x40" },
12646 { 0x41, "unknown-0x41" },
12647 { 0x42, "unknown-0x42" },
12648 { 0x43, "unknown-0x43" },
12649 { 0x44, "unknown-0x44" },
12650 { 0x45, "unknown-0x45" },
12651 { 0x46, "unknown-0x46" },
12652 { 0x47, "unknown-0x47" },
12653 { 0x48, "unknown-0x48" },
12654 { 0x49, "unknown-0x49" },
12655 { 0x4A, "unknown-0x4A" },
12656 { 0x4B, "unknown-0x4B" },
12657 { 0x4C, "unknown-0x4C" },
12658 { 0x4D, "unknown-0x4D" },
12659 { 0x4E, "unknown-0x4E" },
12660 { 0x4F, "unknown-0x4F" },
12661 { 0x50, "unknown-0x50" },
12662 { 0x51, "unknown-0x51" },
12663 { 0x52, "unknown-0x52" },
12664 { 0x53, "unknown-0x53" },
12665 { 0x54, "unknown-0x54" },
12666 { 0x55, "unknown-0x55" },
12667 { 0x56, "unknown-0x56" },
12668 { 0x57, "unknown-0x57" },
12669 { 0x58, "unknown-0x58" },
12670 { 0x59, "unknown-0x59" },
12671 { 0x5A, "unknown-0x5A" },
12672 { 0x5B, "unknown-0x5B" },
12673 { 0x5C, "unknown-0x5C" },
12674 { 0x5D, "unknown-0x5D" },
12675 { 0x5E, "unknown-0x5E" },
12676 { 0x5F, "unknown-0x5F" },
12677 { 0x60, "unknown-0x60" },
12678 { 0x61, "unknown-0x61" },
12679 { 0x62, "unknown-0x62" },
12680 { 0x63, "unknown-0x63" },
12681 { 0x64, "unknown-0x64" },
12682 { 0x65, "unknown-0x65" },
12683 { 0x66, "unknown-0x66" },
12684 { 0x67, "unknown-0x67" },
12685 { 0x68, "unknown-0x68" },
12686 { 0x69, "unknown-0x69" },
12687 { 0x6A, "unknown-0x6A" },
12688 { 0x6B, "unknown-0x6B" },
12689 { 0x6C, "unknown-0x6C" },
12690 { 0x6D, "unknown-0x6D" },
12691 { 0x6E, "unknown-0x6E" },
12692 { 0x6F, "unknown-0x6F" },
12693 { 0x70, "Tree Connect" },
12694 { 0x71, "Tree Disconnect" },
12695 { 0x72, "Negotiate Protocol" },
12696 { 0x73, "Session Setup AndX" },
12697 { 0x74, "Logoff AndX" },
12698 { 0x75, "Tree Connect AndX" },
12699 { 0x76, "unknown-0x76" },
12700 { 0x77, "unknown-0x77" },
12701 { 0x78, "unknown-0x78" },
12702 { 0x79, "unknown-0x79" },
12703 { 0x7A, "unknown-0x7A" },
12704 { 0x7B, "unknown-0x7B" },
12705 { 0x7C, "unknown-0x7C" },
12706 { 0x7D, "unknown-0x7D" },
12707 { 0x7E, "unknown-0x7E" },
12708 { 0x7F, "unknown-0x7F" },
12709 { 0x80, "Query Information Disk" },
12710 { 0x81, "Search" },
12712 { 0x83, "Find Unique" },
12713 { 0x84, "SMBfclose" },
12714 { 0x85, "unknown-0x85" },
12715 { 0x86, "unknown-0x86" },
12716 { 0x87, "unknown-0x87" },
12717 { 0x88, "unknown-0x88" },
12718 { 0x89, "unknown-0x89" },
12719 { 0x8A, "unknown-0x8A" },
12720 { 0x8B, "unknown-0x8B" },
12721 { 0x8C, "unknown-0x8C" },
12722 { 0x8D, "unknown-0x8D" },
12723 { 0x8E, "unknown-0x8E" },
12724 { 0x8F, "unknown-0x8F" },
12725 { 0x90, "unknown-0x90" },
12726 { 0x91, "unknown-0x91" },
12727 { 0x92, "unknown-0x92" },
12728 { 0x93, "unknown-0x93" },
12729 { 0x94, "unknown-0x94" },
12730 { 0x95, "unknown-0x95" },
12731 { 0x96, "unknown-0x96" },
12732 { 0x97, "unknown-0x97" },
12733 { 0x98, "unknown-0x98" },
12734 { 0x99, "unknown-0x99" },
12735 { 0x9A, "unknown-0x9A" },
12736 { 0x9B, "unknown-0x9B" },
12737 { 0x9C, "unknown-0x9C" },
12738 { 0x9D, "unknown-0x9D" },
12739 { 0x9E, "unknown-0x9E" },
12740 { 0x9F, "unknown-0x9F" },
12741 { 0xA0, "NT Transact" },
12742 { 0xA1, "NT Transact Secondary" },
12743 { 0xA2, "NT Create AndX" },
12744 { 0xA3, "unknown-0xA3" },
12745 { 0xA4, "NT Cancel" },
12746 { 0xA5, "NT Rename" },
12747 { 0xA6, "unknown-0xA6" },
12748 { 0xA7, "unknown-0xA7" },
12749 { 0xA8, "unknown-0xA8" },
12750 { 0xA9, "unknown-0xA9" },
12751 { 0xAA, "unknown-0xAA" },
12752 { 0xAB, "unknown-0xAB" },
12753 { 0xAC, "unknown-0xAC" },
12754 { 0xAD, "unknown-0xAD" },
12755 { 0xAE, "unknown-0xAE" },
12756 { 0xAF, "unknown-0xAF" },
12757 { 0xB0, "unknown-0xB0" },
12758 { 0xB1, "unknown-0xB1" },
12759 { 0xB2, "unknown-0xB2" },
12760 { 0xB3, "unknown-0xB3" },
12761 { 0xB4, "unknown-0xB4" },
12762 { 0xB5, "unknown-0xB5" },
12763 { 0xB6, "unknown-0xB6" },
12764 { 0xB7, "unknown-0xB7" },
12765 { 0xB8, "unknown-0xB8" },
12766 { 0xB9, "unknown-0xB9" },
12767 { 0xBA, "unknown-0xBA" },
12768 { 0xBB, "unknown-0xBB" },
12769 { 0xBC, "unknown-0xBC" },
12770 { 0xBD, "unknown-0xBD" },
12771 { 0xBE, "unknown-0xBE" },
12772 { 0xBF, "unknown-0xBF" },
12773 { 0xC0, "Open Print File" },
12774 { 0xC1, "Write Print File" },
12775 { 0xC2, "Close Print File" },
12776 { 0xC3, "Get Print Queue" },
12777 { 0xC4, "unknown-0xC4" },
12778 { 0xC5, "unknown-0xC5" },
12779 { 0xC6, "unknown-0xC6" },
12780 { 0xC7, "unknown-0xC7" },
12781 { 0xC8, "unknown-0xC8" },
12782 { 0xC9, "unknown-0xC9" },
12783 { 0xCA, "unknown-0xCA" },
12784 { 0xCB, "unknown-0xCB" },
12785 { 0xCC, "unknown-0xCC" },
12786 { 0xCD, "unknown-0xCD" },
12787 { 0xCE, "unknown-0xCE" },
12788 { 0xCF, "unknown-0xCF" },
12789 { 0xD0, "SMBsends" },
12790 { 0xD1, "SMBsendb" },
12791 { 0xD2, "SMBfwdname" },
12792 { 0xD3, "SMBcancelf" },
12793 { 0xD4, "SMBgetmac" },
12794 { 0xD5, "SMBsendstrt" },
12795 { 0xD6, "SMBsendend" },
12796 { 0xD7, "SMBsendtxt" },
12797 { 0xD8, "SMBreadbulk" },
12798 { 0xD9, "SMBwritebulk" },
12799 { 0xDA, "SMBwritebulkdata" },
12800 { 0xDB, "unknown-0xDB" },
12801 { 0xDC, "unknown-0xDC" },
12802 { 0xDD, "unknown-0xDD" },
12803 { 0xDE, "unknown-0xDE" },
12804 { 0xDF, "unknown-0xDF" },
12805 { 0xE0, "unknown-0xE0" },
12806 { 0xE1, "unknown-0xE1" },
12807 { 0xE2, "unknown-0xE2" },
12808 { 0xE3, "unknown-0xE3" },
12809 { 0xE4, "unknown-0xE4" },
12810 { 0xE5, "unknown-0xE5" },
12811 { 0xE6, "unknown-0xE6" },
12812 { 0xE7, "unknown-0xE7" },
12813 { 0xE8, "unknown-0xE8" },
12814 { 0xE9, "unknown-0xE9" },
12815 { 0xEA, "unknown-0xEA" },
12816 { 0xEB, "unknown-0xEB" },
12817 { 0xEC, "unknown-0xEC" },
12818 { 0xED, "unknown-0xED" },
12819 { 0xEE, "unknown-0xEE" },
12820 { 0xEF, "unknown-0xEF" },
12821 { 0xF0, "unknown-0xF0" },
12822 { 0xF1, "unknown-0xF1" },
12823 { 0xF2, "unknown-0xF2" },
12824 { 0xF3, "unknown-0xF3" },
12825 { 0xF4, "unknown-0xF4" },
12826 { 0xF5, "unknown-0xF5" },
12827 { 0xF6, "unknown-0xF6" },
12828 { 0xF7, "unknown-0xF7" },
12829 { 0xF8, "unknown-0xF8" },
12830 { 0xF9, "unknown-0xF9" },
12831 { 0xFA, "unknown-0xFA" },
12832 { 0xFB, "unknown-0xFB" },
12833 { 0xFC, "unknown-0xFC" },
12834 { 0xFD, "unknown-0xFD" },
12835 { 0xFE, "SMBinvalid" },
12836 { 0xFF, "unknown-0xFF" },
12840 static char *decode_smb_name(unsigned char cmd)
12842 return(smb_cmd_vals[cmd].strptr);
12847 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12848 * Everything TVBUFFIFIED above this line
12849 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
12853 free_hash_tables(gpointer ctarg, gpointer user_data)
12855 conv_tables_t *ct = ctarg;
12858 g_hash_table_destroy(ct->unmatched);
12860 g_hash_table_destroy(ct->matched);
12861 if (ct->dcerpc_fid_to_frame)
12862 g_hash_table_destroy(ct->dcerpc_fid_to_frame);
12863 if (ct->tid_service)
12864 g_hash_table_destroy(ct->tid_service);
12868 smb_init_protocol(void)
12870 if (smb_saved_info_key_chunk)
12871 g_mem_chunk_destroy(smb_saved_info_key_chunk);
12872 if (smb_saved_info_chunk)
12873 g_mem_chunk_destroy(smb_saved_info_chunk);
12874 if (smb_nt_transact_info_chunk)
12875 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
12876 if (smb_transact2_info_chunk)
12877 g_mem_chunk_destroy(smb_transact2_info_chunk);
12878 if (smb_transact_info_chunk)
12879 g_mem_chunk_destroy(smb_transact_info_chunk);
12882 * Free the hash tables attached to the conversation table
12883 * structures, and then free the list of conversation table
12884 * data structures (which doesn't free the data structures
12885 * themselves; that's done by destroying the chunk from
12886 * which they were allocated).
12889 g_slist_foreach(conv_tables, free_hash_tables, NULL);
12890 g_slist_free(conv_tables);
12891 conv_tables = NULL;
12895 * Now destroy the chunk from which the conversation table
12896 * structures were allocated.
12898 if (conv_tables_chunk)
12899 g_mem_chunk_destroy(conv_tables_chunk);
12901 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
12902 sizeof(smb_saved_info_t),
12903 smb_saved_info_init_count * sizeof(smb_saved_info_t),
12905 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
12906 sizeof(smb_saved_info_key_t),
12907 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
12909 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
12910 sizeof(smb_nt_transact_info_t),
12911 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
12913 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
12914 sizeof(smb_transact2_info_t),
12915 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
12917 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
12918 sizeof(smb_transact_info_t),
12919 smb_transact_info_init_count * sizeof(smb_transact_info_t),
12921 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
12922 sizeof(conv_tables_t),
12923 conv_tables_count * sizeof(conv_tables_t),
12927 /* Max string length for displaying Unicode strings. */
12928 #define MAX_UNICODE_STR_LEN 256
12931 /* Turn a little-endian Unicode '\0'-terminated string into a string we
12933 XXX - for now, we just handle the ISO 8859-1 characters.
12934 If exactlen==TRUE then us_lenp contains the exact len of the string in
12935 bytes. It might not be null terminated !
12936 bc specifies the number of bytes in the byte parameters; Windows 2000,
12937 at least, appears, in some cases, to put only 1 byte of 0 at the end
12938 of a Unicode string if the byte count
12941 unicode_to_str(tvbuff_t *tvb, int offset, int *us_lenp, gboolean exactlen,
12944 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
12952 if (cur == &str[0][0]) {
12954 } else if (cur == &str[1][0]) {
12960 len = MAX_UNICODE_STR_LEN;
12966 /* XXX - explain this */
12968 us_len += 1; /* this is a one-byte null terminator */
12971 uchar = tvb_get_letohs(tvb, offset);
12973 us_len += 2; /* this is a two-byte null terminator */
12977 if ((uchar & 0xFF00) == 0)
12978 *p++ = uchar; /* ISO 8859-1 */
12980 *p++ = '?'; /* not 8859-1 */
12988 if(us_len>= *us_lenp){
12994 /* Note that we're not showing the full string. */
13005 /* nopad == TRUE : Do not add any padding before this string
13006 * exactlen == TRUE : len contains the exact len of the string in bytes.
13007 * bc: pointer to variable with amount of data left in the byte parameters
13010 static const gchar *
13011 get_unicode_or_ascii_string(tvbuff_t *tvb, int *offsetp,
13012 packet_info *pinfo, int *len, gboolean nopad, gboolean exactlen,
13015 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
13017 const gchar *string;
13020 unsigned int copylen;
13023 /* Not enough data in buffer */
13026 si = pinfo->private_data;
13028 if ((!nopad) && (*offsetp % 2)) {
13030 * XXX - this should be an offset relative to the beginning of the SMB,
13031 * not an offset relative to the beginning of the frame; if the stuff
13032 * before the SMB has an odd number of bytes, an offset relative to
13033 * the beginning of the frame will give the wrong answer.
13035 (*offsetp)++; /* Looks like a pad byte there sometimes */
13038 /* Not enough data in buffer */
13044 string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
13046 string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
13051 * The string we return must be null-terminated.
13053 if (cur == &str[0][0]) {
13055 } else if (cur == &str[1][0]) {
13061 if (copylen > MAX_UNICODE_STR_LEN)
13062 copylen = MAX_UNICODE_STR_LEN;
13063 tvb_memcpy(tvb, (guint8 *)cur, *offsetp, copylen);
13064 cur[copylen] = '\0';
13065 if (copylen > MAX_UNICODE_STR_LEN)
13066 strcat(cur, "...");
13070 string_len = tvb_strsize(tvb, *offsetp);
13071 string = tvb_get_ptr(tvb, *offsetp, string_len);
13080 static const value_string errcls_types[] = {
13081 { SMB_SUCCESS, "Success"},
13082 { SMB_ERRDOS, "DOS Error"},
13083 { SMB_ERRSRV, "Server Error"},
13084 { SMB_ERRHRD, "Hardware Error"},
13085 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
13089 const value_string DOS_errors[] = {
13091 {SMBE_insufficientbuffer, "Insufficient buffer"},
13092 {SMBE_badfunc, "Invalid function (or system call)"},
13093 {SMBE_badfile, "File not found (pathname error)"},
13094 {SMBE_badpath, "Directory not found"},
13095 {SMBE_nofids, "Too many open files"},
13096 {SMBE_noaccess, "Access denied"},
13097 {SMBE_badfid, "Invalid fid"},
13098 {SMBE_nomem, "Out of memory"},
13099 {SMBE_badmem, "Invalid memory block address"},
13100 {SMBE_badenv, "Invalid environment"},
13101 {SMBE_badaccess, "Invalid open mode"},
13102 {SMBE_baddata, "Invalid data (only from ioctl call)"},
13103 {SMBE_res, "Reserved error code?"},
13104 {SMBE_baddrive, "Invalid drive"},
13105 {SMBE_remcd, "Attempt to delete current directory"},
13106 {SMBE_diffdevice, "Rename/move across different filesystems"},
13107 {SMBE_nofiles, "No more files found in file search"},
13108 {SMBE_badshare, "Share mode on file conflict with open mode"},
13109 {SMBE_lock, "Lock request conflicts with existing lock"},
13110 {SMBE_unsup, "Request unsupported, returned by Win 95"},
13111 {SMBE_nosuchshare, "Requested share does not exist"},
13112 {SMBE_filexists, "File in operation already exists"},
13113 {SMBE_cannotopen, "Cannot open the file specified"},
13114 {SMBE_unknownlevel, "Unknown info level"},
13115 {SMBE_invalidname, "Invalid name"},
13116 {SMBE_badpipe, "Named pipe invalid"},
13117 {SMBE_pipebusy, "All instances of pipe are busy"},
13118 {SMBE_pipeclosing, "Named pipe close in progress"},
13119 {SMBE_notconnected, "No process on other end of named pipe"},
13120 {SMBE_moredata, "More data to be returned"},
13121 {SMBE_baddirectory, "Invalid directory name in a path."},
13122 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
13123 {SMBE_eas_nsup, "Extended attributes not supported"},
13124 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
13125 {SMBE_unknownipc, "Unknown IPC Operation"},
13126 {SMBE_noipc, "Don't support ipc"},
13127 {SMBE_alreadyexists, "File already exists"},
13128 {SMBE_unknownprinterdriver, "Unknown printer driver"},
13129 {SMBE_invalidprintername, "Invalid printer name"},
13130 {SMBE_printeralreadyexists, "Printer already exists"},
13131 {SMBE_invaliddatatype, "Invalid data type"},
13132 {SMBE_invalidenvironment, "Invalid environment"},
13133 {SMBE_printerdriverinuse, "Printer driver in use"},
13134 {SMBE_invalidparam, "Invalid parameter"},
13135 {SMBE_invalidformsize, "Invalid form size"},
13136 {SMBE_invalidsecuritydescriptor, "Invalid security descriptor"},
13140 /* Error codes for the ERRSRV class */
13142 static const value_string SRV_errors[] = {
13143 {SMBE_error, "Non specific error code"},
13144 {SMBE_badpw, "Bad password"},
13145 {SMBE_badtype, "Reserved"},
13146 {SMBE_access, "No permissions to perform the requested operation"},
13147 {SMBE_invnid, "TID invalid"},
13148 {SMBE_invnetname, "Invalid network name. Service not found"},
13149 {SMBE_invdevice, "Invalid device"},
13150 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
13151 {SMBE_qfull, "Print queue full"},
13152 {SMBE_qtoobig, "Queued item too big"},
13153 {SMBE_qeof, "EOF on print queue dump"},
13154 {SMBE_invpfid, "Invalid print file in smb_fid"},
13155 {SMBE_smbcmd, "Unrecognised command"},
13156 {SMBE_srverror, "SMB server internal error"},
13157 {SMBE_filespecs, "Fid and pathname invalid combination"},
13158 {SMBE_badlink, "Bad link in request ???"},
13159 {SMBE_badpermits, "Access specified for a file is not valid"},
13160 {SMBE_badpid, "Bad process id in request"},
13161 {SMBE_setattrmode, "Attribute mode invalid"},
13162 {SMBE_paused, "Message server paused"},
13163 {SMBE_msgoff, "Not receiving messages"},
13164 {SMBE_noroom, "No room for message"},
13165 {SMBE_rmuns, "Too many remote usernames"},
13166 {SMBE_timeout, "Operation timed out"},
13167 {SMBE_noresource, "No resources currently available for request."},
13168 {SMBE_toomanyuids, "Too many userids"},
13169 {SMBE_baduid, "Bad userid"},
13170 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
13171 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
13172 {SMBE_contMPX, "Resume MPX mode"},
13173 {SMBE_badPW, "Bad Password???"},
13174 {SMBE_nosupport, "Operation not supported"},
13178 /* Error codes for the ERRHRD class */
13180 static const value_string HRD_errors[] = {
13181 {SMBE_nowrite, "Read only media"},
13182 {SMBE_badunit, "Unknown device"},
13183 {SMBE_notready, "Drive not ready"},
13184 {SMBE_badcmd, "Unknown command"},
13185 {SMBE_data, "Data (CRC) error"},
13186 {SMBE_badreq, "Bad request structure length"},
13187 {SMBE_seek, "Seek error???"},
13188 {SMBE_badmedia, "Bad media???"},
13189 {SMBE_badsector, "Bad sector???"},
13190 {SMBE_nopaper, "No paper in printer???"},
13191 {SMBE_write, "Write error???"},
13192 {SMBE_read, "Read error???"},
13193 {SMBE_general, "General error???"},
13194 {SMBE_badshare, "A open conflicts with an existing open"},
13195 {SMBE_lock, "Lock/unlock error"},
13196 {SMBE_wrongdisk, "Wrong disk???"},
13197 {SMBE_FCBunavail, "FCB unavailable???"},
13198 {SMBE_sharebufexc, "Share buffer excluded???"},
13199 {SMBE_diskfull, "Disk full???"},
13203 static char *decode_smb_error(guint8 errcls, guint16 errcode)
13210 return("No Error"); /* No error ??? */
13215 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
13220 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
13225 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
13230 return("Unknown error class!");
13237 /* These are the MS country codes from
13239 http://www.unicode.org/unicode/onlinedat/countries.html
13241 For countries that share the same number, I choose to use only the
13242 name of the largest country. Apologies for this. If this offends you,
13243 here is the table to change that.
13245 This also includes the code of 0 for "Default", which isn't in
13246 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
13247 header file. Presumably it means "don't override the setting
13248 on the user's machine".
13250 Future versions of Microsoft's "winnls.h" header file might include
13251 additional codes; the current version matches the Unicode Consortium's
13254 const value_string ms_country_codes[] = {
13260 { 27, "South Africa"},
13262 { 31, "Netherlands"},
13269 { 41, "Switzerland"},
13271 { 44, "United Kingdom"},
13279 { 54, "Argentina"},
13283 { 58, "Venezuela"},
13285 { 61, "Australia"},
13286 { 62, "Indonesia"},
13287 { 63, "Philippines"},
13288 { 64, "New Zealand"},
13289 { 65, "Singapore"},
13292 { 82, "South Korea"},
13304 {298, "Faroe Islands"},
13306 {352, "Luxembourg"},
13312 {370, "Lithuania"},
13321 {389, "Macedonia"},
13322 {420, "Czech Republic"},
13323 {421, "Slovak Republic"},
13325 {502, "Guatemala"},
13326 {503, "El Salvador"},
13328 {505, "Nicaragua"},
13329 {506, "Costa Rica"},
13335 {673, "Brunei Darussalam"},
13336 {852, "Hong Kong"},
13345 {966, "Saudi Arabia"},
13348 {971, "United Arab Emirates"},
13354 {994, "Azerbaijan"},
13356 {996, "Kyrgyzstan"},
13366 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
13368 const value_string NT_errors[] = {
13369 { 0x00000000, "STATUS_SUCCESS" },
13370 { 0x00000000, "STATUS_WAIT_0" },
13371 { 0x00000001, "STATUS_WAIT_1" },
13372 { 0x00000002, "STATUS_WAIT_2" },
13373 { 0x00000003, "STATUS_WAIT_3" },
13374 { 0x0000003F, "STATUS_WAIT_63" },
13375 { 0x00000080, "STATUS_ABANDONED" },
13376 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
13377 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
13378 { 0x000000C0, "STATUS_USER_APC" },
13379 { 0x00000100, "STATUS_KERNEL_APC" },
13380 { 0x00000101, "STATUS_ALERTED" },
13381 { 0x00000102, "STATUS_TIMEOUT" },
13382 { 0x00000103, "STATUS_PENDING" },
13383 { 0x00000104, "STATUS_REPARSE" },
13384 { 0x00000105, "STATUS_MORE_ENTRIES" },
13385 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
13386 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
13387 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
13388 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
13389 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
13390 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
13391 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
13392 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
13393 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
13394 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
13395 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
13396 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
13397 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
13398 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
13399 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
13400 { 0x00000116, "STATUS_CRASH_DUMP" },
13401 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
13402 { 0x00000118, "STATUS_REPARSE_OBJECT" },
13403 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
13404 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
13405 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
13406 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
13407 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
13408 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
13409 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
13410 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
13411 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
13412 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
13413 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
13414 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
13415 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
13416 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
13417 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
13418 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
13419 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
13420 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
13421 { 0x40000012, "STATUS_EVENT_DONE" },
13422 { 0x40000013, "STATUS_EVENT_PENDING" },
13423 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
13424 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
13425 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
13426 { 0x40000017, "STATUS_WAS_UNLOCKED" },
13427 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
13428 { 0x40000019, "STATUS_WAS_LOCKED" },
13429 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
13430 { 0x4000001B, "STATUS_ALREADY_WIN32" },
13431 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
13432 { 0x4000001D, "STATUS_WX86_CONTINUE" },
13433 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
13434 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
13435 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
13436 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
13437 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
13438 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
13439 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
13440 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
13441 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
13442 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
13443 { 0x80000003, "STATUS_BREAKPOINT" },
13444 { 0x80000004, "STATUS_SINGLE_STEP" },
13445 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
13446 { 0x80000006, "STATUS_NO_MORE_FILES" },
13447 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
13448 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
13449 { 0x8000000B, "STATUS_NO_INHERITANCE" },
13450 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
13451 { 0x8000000D, "STATUS_PARTIAL_COPY" },
13452 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
13453 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
13454 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
13455 { 0x80000011, "STATUS_DEVICE_BUSY" },
13456 { 0x80000012, "STATUS_NO_MORE_EAS" },
13457 { 0x80000013, "STATUS_INVALID_EA_NAME" },
13458 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
13459 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
13460 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
13461 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
13462 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
13463 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
13464 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
13465 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
13466 { 0x8000001D, "STATUS_BUS_RESET" },
13467 { 0x8000001E, "STATUS_END_OF_MEDIA" },
13468 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
13469 { 0x80000020, "STATUS_MEDIA_CHECK" },
13470 { 0x80000021, "STATUS_SETMARK_DETECTED" },
13471 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
13472 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
13473 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
13474 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
13475 { 0x80000026, "STATUS_LONGJUMP" },
13476 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
13477 { 0x80090301, "SEC_E_INVALID_HANDLE" },
13478 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
13479 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
13480 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
13481 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
13482 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
13483 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
13484 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
13485 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
13486 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
13487 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
13488 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
13489 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
13490 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
13491 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
13492 { 0xC0000008, "STATUS_INVALID_HANDLE" },
13493 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
13494 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
13495 { 0xC000000B, "STATUS_INVALID_CID" },
13496 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
13497 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
13498 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
13499 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
13500 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
13501 { 0xC0000011, "STATUS_END_OF_FILE" },
13502 { 0xC0000012, "STATUS_WRONG_VOLUME" },
13503 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
13504 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
13505 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
13506 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
13507 { 0xC0000017, "STATUS_NO_MEMORY" },
13508 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
13509 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
13510 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
13511 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
13512 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
13513 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
13514 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
13515 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
13516 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
13517 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
13518 { 0xC0000022, "STATUS_ACCESS_DENIED" },
13519 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
13520 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
13521 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
13522 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
13523 { 0xC0000027, "STATUS_UNWIND" },
13524 { 0xC0000028, "STATUS_BAD_STACK" },
13525 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
13526 { 0xC000002A, "STATUS_NOT_LOCKED" },
13527 { 0xC000002B, "STATUS_PARITY_ERROR" },
13528 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
13529 { 0xC000002D, "STATUS_NOT_COMMITTED" },
13530 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
13531 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
13532 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
13533 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
13534 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
13535 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
13536 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
13537 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
13538 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
13539 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
13540 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
13541 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
13542 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
13543 { 0xC000003C, "STATUS_DATA_OVERRUN" },
13544 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
13545 { 0xC000003E, "STATUS_DATA_ERROR" },
13546 { 0xC000003F, "STATUS_CRC_ERROR" },
13547 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
13548 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
13549 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
13550 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
13551 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
13552 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
13553 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
13554 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
13555 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
13556 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
13557 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
13558 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
13559 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
13560 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
13561 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
13562 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
13563 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
13564 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
13565 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
13566 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
13567 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
13568 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
13569 { 0xC0000056, "STATUS_DELETE_PENDING" },
13570 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
13571 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
13572 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
13573 { 0xC000005A, "STATUS_INVALID_OWNER" },
13574 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
13575 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
13576 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
13577 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
13578 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
13579 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
13580 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
13581 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
13582 { 0xC0000063, "STATUS_USER_EXISTS" },
13583 { 0xC0000064, "STATUS_NO_SUCH_USER" },
13584 { 0xC0000065, "STATUS_GROUP_EXISTS" },
13585 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
13586 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
13587 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
13588 { 0xC0000069, "STATUS_LAST_ADMIN" },
13589 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
13590 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
13591 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
13592 { 0xC000006D, "STATUS_LOGON_FAILURE" },
13593 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
13594 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
13595 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
13596 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
13597 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
13598 { 0xC0000073, "STATUS_NONE_MAPPED" },
13599 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
13600 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
13601 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
13602 { 0xC0000077, "STATUS_INVALID_ACL" },
13603 { 0xC0000078, "STATUS_INVALID_SID" },
13604 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
13605 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
13606 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
13607 { 0xC000007C, "STATUS_NO_TOKEN" },
13608 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
13609 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
13610 { 0xC000007F, "STATUS_DISK_FULL" },
13611 { 0xC0000080, "STATUS_SERVER_DISABLED" },
13612 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
13613 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
13614 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
13615 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
13616 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
13617 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
13618 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
13619 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
13620 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
13621 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
13622 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
13623 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
13624 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
13625 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
13626 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
13627 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
13628 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
13629 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
13630 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
13631 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
13632 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
13633 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
13634 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
13635 { 0xC0000098, "STATUS_FILE_INVALID" },
13636 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
13637 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
13638 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
13639 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
13640 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
13641 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
13642 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
13643 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
13644 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
13645 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
13646 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
13647 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
13648 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
13649 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
13650 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
13651 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
13652 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
13653 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
13654 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
13655 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
13656 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
13657 { 0xC00000AE, "STATUS_PIPE_BUSY" },
13658 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
13659 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
13660 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
13661 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
13662 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
13663 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
13664 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
13665 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
13666 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
13667 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
13668 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
13669 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
13670 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
13671 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
13672 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
13673 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
13674 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
13675 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
13676 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
13677 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
13678 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
13679 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
13680 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
13681 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
13682 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
13683 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
13684 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
13685 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
13686 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
13687 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
13688 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
13689 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
13690 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
13691 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
13692 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
13693 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
13694 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
13695 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
13696 { 0xC00000D5, "STATUS_FILE_RENAMED" },
13697 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
13698 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
13699 { 0xC00000D8, "STATUS_CANT_WAIT" },
13700 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
13701 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
13702 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
13703 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
13704 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
13705 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
13706 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
13707 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
13708 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
13709 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
13710 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
13711 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
13712 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
13713 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
13714 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
13715 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
13716 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
13717 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
13718 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
13719 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
13720 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
13721 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
13722 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
13723 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
13724 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
13725 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
13726 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
13727 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
13728 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
13729 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
13730 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
13731 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
13732 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
13733 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
13734 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
13735 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
13736 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
13737 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
13738 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
13739 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
13740 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
13741 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
13742 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
13743 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
13744 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
13745 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
13746 { 0xC0000107, "STATUS_FILES_OPEN" },
13747 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
13748 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
13749 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
13750 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
13751 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
13752 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
13753 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
13754 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
13755 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
13756 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
13757 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
13758 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
13759 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
13760 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
13761 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
13762 { 0xC0000117, "STATUS_NO_LDT" },
13763 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
13764 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
13765 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
13766 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
13767 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
13768 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
13769 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
13770 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
13771 { 0xC0000120, "STATUS_CANCELLED" },
13772 { 0xC0000121, "STATUS_CANNOT_DELETE" },
13773 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
13774 { 0xC0000123, "STATUS_FILE_DELETED" },
13775 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
13776 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
13777 { 0xC0000126, "STATUS_SPECIAL_USER" },
13778 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
13779 { 0xC0000128, "STATUS_FILE_CLOSED" },
13780 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
13781 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
13782 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
13783 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
13784 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
13785 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
13786 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
13787 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
13788 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
13789 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
13790 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
13791 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
13792 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
13793 { 0xC0000136, "STATUS_OPEN_FAILED" },
13794 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
13795 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
13796 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
13797 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
13798 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
13799 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
13800 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
13801 { 0xC000013E, "STATUS_LINK_FAILED" },
13802 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
13803 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
13804 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
13805 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
13806 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
13807 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
13808 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
13809 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
13810 { 0xC0000147, "STATUS_NO_PAGEFILE" },
13811 { 0xC0000148, "STATUS_INVALID_LEVEL" },
13812 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
13813 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
13814 { 0xC000014B, "STATUS_PIPE_BROKEN" },
13815 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
13816 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
13817 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
13818 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
13819 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
13820 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
13821 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
13822 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
13823 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
13824 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
13825 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
13826 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
13827 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
13828 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
13829 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
13830 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
13831 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
13832 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
13833 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
13834 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
13835 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
13836 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
13837 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
13838 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
13839 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
13840 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
13841 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
13842 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
13843 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
13844 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
13845 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
13846 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
13847 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
13848 { 0xC000016D, "STATUS_FT_ORPHANING" },
13849 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
13850 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
13851 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
13852 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
13853 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
13854 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
13855 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
13856 { 0xC0000178, "STATUS_NO_MEDIA" },
13857 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
13858 { 0xC000017B, "STATUS_INVALID_MEMBER" },
13859 { 0xC000017C, "STATUS_KEY_DELETED" },
13860 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
13861 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
13862 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
13863 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
13864 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
13865 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
13866 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
13867 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
13868 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
13869 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
13870 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
13871 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
13872 { 0xC0000189, "STATUS_TOO_LATE" },
13873 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
13874 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
13875 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
13876 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
13877 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
13878 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
13879 { 0xC0000190, "STATUS_TRUST_FAILURE" },
13880 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
13881 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
13882 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
13883 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
13884 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
13885 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
13886 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
13887 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
13888 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
13889 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
13890 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
13891 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
13892 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
13893 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
13894 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
13895 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
13896 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
13897 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
13898 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
13899 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
13900 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
13901 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
13902 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
13903 { 0xC000020D, "STATUS_CONNECTION_RESET" },
13904 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
13905 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
13906 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
13907 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
13908 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
13909 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
13910 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
13911 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
13912 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
13913 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
13914 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
13915 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
13916 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
13917 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
13918 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
13919 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
13920 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
13921 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
13922 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
13923 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
13924 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
13925 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
13926 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
13927 { 0xC0000225, "STATUS_NOT_FOUND" },
13928 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
13929 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
13930 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
13931 { 0xC0000229, "STATUS_FAIL_CHECK" },
13932 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
13933 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
13934 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
13935 { 0xC000022D, "STATUS_RETRY" },
13936 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
13937 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
13938 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
13939 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
13940 { 0xC0000232, "STATUS_INVALID_VARIANT" },
13941 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
13942 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
13943 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
13944 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
13945 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
13946 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
13947 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
13948 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
13949 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
13950 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
13951 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
13952 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
13953 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
13954 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
13955 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
13956 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
13957 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
13958 { 0xC0000244, "STATUS_AUDIT_FAILED" },
13959 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
13960 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
13961 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
13962 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
13963 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
13964 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
13965 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
13966 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
13967 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
13968 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
13969 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
13970 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
13971 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
13972 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
13973 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
13974 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
13975 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
13976 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
13977 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
13978 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
13979 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
13980 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
13981 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
13982 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
13983 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
13984 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
13985 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
13986 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
13987 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
13988 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
13989 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
13990 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
13991 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
13992 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
13993 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
13994 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
13995 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
13996 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
13997 { 0xC0000272, "STATUS_NO_MATCH" },
13998 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
13999 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
14000 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
14001 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
14002 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
14003 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
14004 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
14005 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
14006 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
14007 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
14008 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
14009 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
14010 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
14011 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
14012 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
14013 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
14014 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
14015 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
14016 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
14017 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
14018 { 0xC000028E, "STATUS_NO_EFS" },
14019 { 0xC000028F, "STATUS_WRONG_EFS" },
14020 { 0xC0000290, "STATUS_NO_USER_KEYS" },
14021 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
14022 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
14023 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
14024 { 0x40000294, "STATUS_WAKE_SYSTEM" },
14025 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
14026 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
14027 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
14028 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
14029 { 0xC0000299, "STATUS_SHARED_POLICY" },
14030 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
14031 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
14032 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
14033 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
14034 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
14035 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
14036 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
14037 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
14038 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
14039 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
14040 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
14041 { 0xC00002A5, "STATUS_DS_BUSY" },
14042 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
14043 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
14044 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
14045 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
14046 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
14047 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
14048 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
14049 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
14050 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
14051 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
14052 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
14053 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
14054 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
14055 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
14056 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
14057 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
14058 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
14059 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
14060 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
14061 { 0xC00002B9, "STATUS_NOINTERFACE" },
14062 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
14063 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
14064 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
14065 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
14066 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
14067 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
14068 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
14069 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
14070 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
14071 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
14072 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
14073 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
14074 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
14075 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
14076 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
14077 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
14078 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
14079 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
14080 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
14081 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
14082 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
14083 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
14084 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
14085 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
14086 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
14087 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
14088 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
14089 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
14090 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
14091 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
14092 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
14093 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
14094 { 0xC00002E1, "STATUS_DS_CANT_START" },
14095 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
14096 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
14097 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
14098 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
14099 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
14100 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
14101 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
14102 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
14103 { 0xC0009898, "STATUS_WOW_ASSERTION" },
14104 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
14105 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
14106 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
14107 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
14108 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
14109 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
14110 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
14111 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
14112 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
14113 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
14114 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
14115 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
14116 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
14117 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
14118 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
14119 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
14120 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
14121 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
14122 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
14123 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
14124 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
14125 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
14126 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
14127 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
14128 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
14129 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
14130 { 0xC002001B, "RPC_NT_CALL_FAILED" },
14131 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
14132 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
14133 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
14134 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
14135 { 0xC0020022, "RPC_NT_INVALID_TAG" },
14136 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
14137 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
14138 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
14139 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
14140 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
14141 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
14142 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
14143 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
14144 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
14145 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
14146 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
14147 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
14148 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
14149 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
14150 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
14151 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
14152 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
14153 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
14154 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
14155 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
14156 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
14157 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
14158 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
14159 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
14160 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
14161 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
14162 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
14163 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
14164 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
14165 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
14166 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
14167 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
14168 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
14169 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
14170 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
14171 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
14172 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
14173 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
14174 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
14175 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
14176 { 0xC002100A, "RPC_P_SEND_FAILED" },
14177 { 0xC002100B, "RPC_P_TIMEOUT" },
14178 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
14179 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
14180 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
14181 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
14182 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
14183 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
14184 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
14185 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
14186 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
14187 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
14188 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
14189 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
14190 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
14191 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
14192 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
14193 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
14194 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
14195 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
14196 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
14197 { 0xC002004C, "EPT_NT_CANT_CREATE" },
14198 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
14199 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
14200 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
14201 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
14202 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
14203 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
14204 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
14205 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
14206 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
14207 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
14208 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
14209 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
14210 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
14211 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
14212 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
14213 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
14214 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
14215 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
14221 static const true_false_string tfs_smb_flags_lock = {
14222 "Lock&Read, Write&Unlock are supported",
14223 "Lock&Read, Write&Unlock are not supported"
14225 static const true_false_string tfs_smb_flags_receive_buffer = {
14226 "Receive buffer has been posted",
14227 "Receive buffer has not been posted"
14229 static const true_false_string tfs_smb_flags_caseless = {
14230 "Path names are caseless",
14231 "Path names are case sensitive"
14233 static const true_false_string tfs_smb_flags_canon = {
14234 "Pathnames are canonicalized",
14235 "Pathnames are not canonicalized"
14237 static const true_false_string tfs_smb_flags_oplock = {
14238 "OpLock requested/granted",
14239 "OpLock not requested/granted"
14241 static const true_false_string tfs_smb_flags_notify = {
14242 "Notify client on all modifications",
14243 "Notify client only on open"
14245 static const true_false_string tfs_smb_flags_response = {
14246 "Message is a response to the client/redirector",
14247 "Message is a request to the server"
14251 dissect_smb_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
14254 proto_item *item = NULL;
14255 proto_tree *tree = NULL;
14257 mask = tvb_get_guint8(tvb, offset);
14260 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
14261 "Flags: 0x%02x", mask);
14262 tree = proto_item_add_subtree(item, ett_smb_flags);
14264 proto_tree_add_boolean(tree, hf_smb_flags_response,
14265 tvb, offset, 1, mask);
14266 proto_tree_add_boolean(tree, hf_smb_flags_notify,
14267 tvb, offset, 1, mask);
14268 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
14269 tvb, offset, 1, mask);
14270 proto_tree_add_boolean(tree, hf_smb_flags_canon,
14271 tvb, offset, 1, mask);
14272 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
14273 tvb, offset, 1, mask);
14274 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
14275 tvb, offset, 1, mask);
14276 proto_tree_add_boolean(tree, hf_smb_flags_lock,
14277 tvb, offset, 1, mask);
14284 static const true_false_string tfs_smb_flags2_long_names_allowed = {
14285 "Long file names are allowed in the response",
14286 "Long file names are not allowed in the response"
14288 static const true_false_string tfs_smb_flags2_ea = {
14289 "Extended attributes are supported",
14290 "Extended attributes are not supported"
14292 static const true_false_string tfs_smb_flags2_sec_sig = {
14293 "Security signatures are supported",
14294 "Security signatures are not supported"
14296 static const true_false_string tfs_smb_flags2_long_names_used = {
14297 "Path names in request are long file names",
14298 "Path names in request are not long file names"
14300 static const true_false_string tfs_smb_flags2_esn = {
14301 "Extended security negotiation is supported",
14302 "Extended security negotiation is not supported"
14304 static const true_false_string tfs_smb_flags2_dfs = {
14305 "Resolve pathnames with Dfs",
14306 "Don't resolve pathnames with Dfs"
14308 static const true_false_string tfs_smb_flags2_roe = {
14309 "Permit reads if execute-only",
14310 "Don't permit reads if execute-only"
14312 static const true_false_string tfs_smb_flags2_nt_error = {
14313 "Error codes are NT error codes",
14314 "Error codes are DOS error codes"
14316 static const true_false_string tfs_smb_flags2_string = {
14317 "Strings are Unicode",
14318 "Strings are ASCII"
14321 dissect_smb_flags2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
14324 proto_item *item = NULL;
14325 proto_tree *tree = NULL;
14327 mask = tvb_get_letohs(tvb, offset);
14330 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
14331 "Flags2: 0x%04x", mask);
14332 tree = proto_item_add_subtree(item, ett_smb_flags2);
14335 proto_tree_add_boolean(tree, hf_smb_flags2_string,
14336 tvb, offset, 2, mask);
14337 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
14338 tvb, offset, 2, mask);
14339 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
14340 tvb, offset, 2, mask);
14341 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
14342 tvb, offset, 2, mask);
14343 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
14344 tvb, offset, 2, mask);
14345 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
14346 tvb, offset, 2, mask);
14347 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
14348 tvb, offset, 2, mask);
14349 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
14350 tvb, offset, 2, mask);
14351 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
14352 tvb, offset, 2, mask);
14360 #define SMB_FLAGS_DIRN 0x80
14364 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
14367 proto_item *item = NULL, *hitem = NULL;
14368 proto_tree *tree = NULL, *htree = NULL;
14372 smb_saved_info_t *sip = NULL;
14373 smb_saved_info_key_t key;
14374 smb_saved_info_key_t *new_key;
14375 guint32 nt_status = 0;
14376 guint8 errclass = 0;
14377 guint16 errcode = 0;
14379 conversation_t *conversation;
14381 top_tree=parent_tree;
14383 /* must check that this really is a smb packet */
14384 if (!tvb_bytes_exist(tvb, 0, 4))
14387 if( (tvb_get_guint8(tvb, 0) != 0xff)
14388 || (tvb_get_guint8(tvb, 1) != 'S')
14389 || (tvb_get_guint8(tvb, 2) != 'M')
14390 || (tvb_get_guint8(tvb, 3) != 'B') ){
14394 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
14395 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
14397 if (check_col(pinfo->cinfo, COL_INFO)){
14398 col_clear(pinfo->cinfo, COL_INFO);
14401 /* start off using the local variable, we will allocate a new one if we
14403 si.cmd = tvb_get_guint8(tvb, offset+4);
14404 flags = tvb_get_guint8(tvb, offset+9);
14405 si.request = !(flags&SMB_FLAGS_DIRN);
14406 flags2 = tvb_get_letohs(tvb, offset+10);
14407 if(flags2 & 0x8000){
14408 si.unicode = TRUE; /* Mark them as Unicode */
14410 si.unicode = FALSE;
14412 si.tid = tvb_get_letohs(tvb, offset+24);
14413 si.pid = tvb_get_letohs(tvb, offset+26);
14414 si.uid = tvb_get_letohs(tvb, offset+28);
14415 si.mid = tvb_get_letohs(tvb, offset+30);
14416 pid_mid = (si.pid << 16) | si.mid;
14417 si.info_level = -1;
14418 si.info_count = -1;
14421 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
14423 tree = proto_item_add_subtree(item, ett_smb);
14425 hitem = proto_tree_add_text(tree, tvb, offset, 32,
14428 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
14431 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
14432 offset += 4; /* Skip the marker */
14434 /* find which conversation we are part of and get the tables for that
14436 conversation = find_conversation(&pinfo->src, &pinfo->dst,
14437 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14439 si.ct=conversation_get_proto_data(conversation, proto_smb);
14441 /* OK this is a new conversation, we must create it
14442 and attach appropriate data (matched and unmatched
14443 table for this conversation)
14445 conversation = conversation_new(&pinfo->src, &pinfo->dst,
14446 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14447 si.ct = g_mem_chunk_alloc(conv_tables_chunk);
14448 conv_tables = g_slist_prepend(conv_tables, si.ct);
14449 si.ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
14450 smb_saved_info_equal_matched);
14451 si.ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
14452 smb_saved_info_equal_unmatched);
14453 si.ct->dcerpc_fid_to_frame=g_hash_table_new(
14454 smb_saved_info_hash_unmatched,
14455 smb_saved_info_equal_unmatched);
14456 si.ct->tid_service=g_hash_table_new(
14457 smb_saved_info_hash_unmatched,
14458 smb_saved_info_equal_unmatched);
14459 conversation_add_proto_data(conversation, proto_smb, si.ct);
14467 /* this is a broadcast SMB packet, there will not be a reply.
14468 We dont need to do anything
14471 } else if( (si.cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
14472 ||(si.cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
14473 ||(si.cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
14474 ||(si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
14475 /* Ok, we got a special request type. This request is either
14476 an NT Cancel or a continuation relative to a real request
14477 in an earlier packet. In either case, we don't expect any
14478 responses to this packet. For continuations, any later
14479 responses we see really just belong to the original request.
14480 Anyway, we want to remember this packet somehow and
14481 remember which original request it is associated with so
14482 we can say nice things such as "This is a Cancellation to
14483 the request in frame x", but we don't want the
14484 request/response matching to get messed up.
14486 The only thing we do in this case is trying to find which original
14487 request we match with and insert an entry for this "special"
14488 request for later reference. We continue to reference the original
14489 requests smb_saved_info_t but we dont touch it or change anything
14493 si.unidir = TRUE; /*we dont expect an answer to this one*/
14495 if(!pinfo->fd->flags.visited){
14496 /* try to find which original call we match and if we
14497 find it add us to the matched table. Dont touch
14498 anything else since we dont want this one to mess
14499 up the request/response matching. We still consider
14500 the initial call the real request and this is only
14501 some sort of continuation.
14503 /* we only check the unmatched table and assume that the
14504 last seen MID matching ours is the right one.
14505 This can fail but is better than nothing
14507 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
14509 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14510 new_key->frame = pinfo->fd->num;
14511 new_key->pid_mid = pid_mid;
14512 g_hash_table_insert(si.ct->matched, new_key,
14516 /* we have seen this packet before; check the
14519 key.frame = pinfo->fd->num;
14520 key.pid_mid = pid_mid;
14521 sip=g_hash_table_lookup(si.ct->matched, &key);
14525 Too bad, unfortunately there is not really much we can
14526 do now since this means that we never saw the initial
14533 if(sip && sip->frame_req){
14535 case SMB_COM_NT_CANCEL:
14536 proto_tree_add_uint(htree, hf_smb_cancel_to,
14537 tvb, 0, 0, sip->frame_req);
14539 case SMB_COM_TRANSACTION_SECONDARY:
14540 case SMB_COM_TRANSACTION2_SECONDARY:
14541 case SMB_COM_NT_TRANSACT_SECONDARY:
14542 proto_tree_add_uint(htree, hf_smb_continuation_to,
14543 tvb, 0, 0, sip->frame_req);
14548 case SMB_COM_NT_CANCEL:
14549 proto_tree_add_text(htree, tvb, 0, 0,
14550 "Cancellation to: <unknown frame>");
14552 case SMB_COM_TRANSACTION_SECONDARY:
14553 case SMB_COM_TRANSACTION2_SECONDARY:
14554 case SMB_COM_NT_TRANSACT_SECONDARY:
14555 proto_tree_add_text(htree, tvb, 0, 0,
14556 "Continuation to: <unknown frame>");
14560 } else { /* normal bidirectional request or response */
14563 if(!pinfo->fd->flags.visited){
14564 /* first see if we find an unmatched smb "equal" to
14567 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
14569 gboolean cmd_match=FALSE;
14572 * Make sure the SMB we found was the
14573 * same command, or a different command
14574 * that's another valid type of reply
14577 if(si.cmd==sip->cmd){
14580 else if(si.cmd==SMB_COM_NT_CANCEL){
14583 else if((si.cmd==SMB_COM_TRANSACTION_SECONDARY)
14584 && (sip->cmd==SMB_COM_TRANSACTION)){
14587 else if((si.cmd==SMB_COM_TRANSACTION2_SECONDARY)
14588 && (sip->cmd==SMB_COM_TRANSACTION2)){
14591 else if((si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)
14592 && (sip->cmd==SMB_COM_NT_TRANSACT)){
14596 if( (si.request) || (!cmd_match) ) {
14597 /* If we are processing an SMB request but there was already
14598 another "identical" smb resuest we had not matched yet.
14599 This must mean that either we have a retransmission or that the
14600 response to the previous one was lost and the client has reused
14601 the MID for this conversation. In either case it's not much more
14602 we can do than forget the old request and concentrate on the
14603 present one instead.
14605 We also do this cleanup if we see that the cmd in the original
14606 request in sip->cmd is not compatible with the current cmd.
14607 This is to prevent matching errors such as if there were two
14608 SMBs of different cmds but with identical MID and PID values and
14609 if ethereal lost the first reply and the second request.
14611 g_hash_table_remove(si.ct->unmatched, (void *)pid_mid);
14612 sip=NULL; /* XXX should free it as well */
14614 /* we have found a response to some request we have seen earlier.
14615 What we do now depends on whether this is the first response
14616 to that request we see (id frame_res==0) or not.
14618 if(sip->frame_res==0){
14619 /* ok it is the first response we have seen to this packet */
14620 sip->frame_res = pinfo->fd->num;
14621 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14622 new_key->frame = sip->frame_req;
14623 new_key->pid_mid = pid_mid;
14624 g_hash_table_insert(si.ct->matched, new_key, sip);
14625 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14626 new_key->frame = sip->frame_res;
14627 new_key->pid_mid = pid_mid;
14628 g_hash_table_insert(si.ct->matched, new_key, sip);
14630 /* we have already seen another response to this one, but
14631 register it anyway so we see which request it matches
14633 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14634 new_key->frame = pinfo->fd->num;
14635 new_key->pid_mid = pid_mid;
14636 g_hash_table_insert(si.ct->matched, new_key, sip);
14641 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
14642 sip->frame_req = pinfo->fd->num;
14643 sip->frame_res = 0;
14645 if(g_hash_table_lookup(si.ct->tid_service, (void *)si.tid)
14646 == (void *)TID_IPC) {
14647 sip->flags |= SMB_SIF_TID_IS_IPC;
14650 sip->extra_info = NULL;
14651 g_hash_table_insert(si.ct->unmatched, (void *)pid_mid, sip);
14654 /* we have seen this packet before; check the
14656 If we haven't yet seen the reply, we won't
14657 find the info for it; we don't need it, as
14658 we only use it to save information, and, as
14659 we've seen this packet before, we've already
14660 saved the information.
14662 key.frame = pinfo->fd->num;
14663 key.pid_mid = pid_mid;
14664 sip=g_hash_table_lookup(si.ct->matched, &key);
14669 * Pass the "sip" on to subdissectors through "si".
14675 * Put in fields for the frame number of the frame to which
14676 * this is a response or the frame with the response to this
14677 * frame - if we know the frame number (i.e., it's not 0).
14680 if (sip->frame_res != 0)
14681 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
14683 if (sip->frame_req != 0)
14684 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
14689 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si.cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si.cmd), si.cmd);
14692 if(flags2 & 0x4000){
14693 /* handle NT 32 bit error code */
14695 nt_status = tvb_get_letohl(tvb, offset);
14697 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
14702 /* handle DOS error code & class */
14703 errclass = tvb_get_guint8(tvb, offset);
14704 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
14708 /* reserved byte */
14709 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
14713 /* XXX - the type of this field depends on the value of
14714 * "errcls", so there is isn't a single value_string array
14715 * fo it, so there can't be a single field for it.
14717 errcode = tvb_get_letohs(tvb, offset);
14718 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
14719 offset, 2, errcode, "Error Code: %s",
14720 decode_smb_error(errclass, errcode));
14725 offset = dissect_smb_flags(tvb, pinfo, htree, offset);
14728 offset = dissect_smb_flags2(tvb, pinfo, htree, offset);
14733 * http://www.samba.org/samba/ftp/specs/smbpub.txt
14735 * (a text version of "Microsoft Networks SMB FILE SHARING
14736 * PROTOCOL, Document Version 6.0p") says that:
14738 * the first 2 bytes of these 12 bytes are, for NT Create and X,
14739 * the "High Part of PID";
14741 * the next four bytes are reserved;
14743 * the next four bytes are, for SMB-over-IPX (with no
14744 * NetBIOS involved) two bytes of Session ID and two bytes
14745 * of SequenceNumber.
14747 * If we ever implement SMB-over-IPX (which I suspect goes over
14748 * IPX sockets 0x0550, 0x0552, and maybe 0x0554, as per the
14749 * document in question), we'd probably want to have some way
14750 * to determine whether this is SMB-over-IPX or not (which could
14751 * be done by adding a PT_IPXSOCKET port type, having the
14752 * IPX dissector set "pinfo->srcport" and "pinfo->destport",
14753 * and having the SMB dissector check for a port type of
14754 * PT_IPXSOCKET and for "pinfo->match_port" being either
14755 * IPX_SOCKET_NWLINK_SMB_SERVER or IPX_SOCKET_NWLINK_SMB_REDIR
14756 * or, if it also uses 0x0554, IPX_SOCKET_NWLINK_SMB_MESSENGER).
14759 /* 12 reserved bytes */
14760 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 12, TRUE);
14764 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si.tid);
14768 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si.pid);
14772 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si.uid);
14776 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si.mid);
14779 pinfo->private_data = &si;
14780 dissect_smb_command(tvb, pinfo, parent_tree, offset, tree, si.cmd);
14782 /* Append error info from this packet to info string. */
14783 if (!si.request && check_col(pinfo->cinfo, COL_INFO)) {
14784 if (flags2 & 0x4000) {
14786 * The status is an NT status code; was there
14789 if (nt_status != 0) {
14794 pinfo->cinfo, COL_INFO, ", Error: %s",
14795 val_to_str(nt_status, NT_errors,
14796 "Unknown (0x%08X)"));
14800 * The status is a DOS error class and code; was
14803 if (errclass != SMB_SUCCESS) {
14808 pinfo->cinfo, COL_INFO, ", Error: %s",
14809 decode_smb_error(errclass, errcode));
14818 proto_register_smb(void)
14820 static hf_register_info hf[] = {
14822 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
14823 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
14825 { &hf_smb_word_count,
14826 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
14827 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
14829 { &hf_smb_byte_count,
14830 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
14831 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
14833 { &hf_smb_response_to,
14834 { "Response to", "smb.response_to", FT_UINT32, BASE_DEC,
14835 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
14837 { &hf_smb_response_in,
14838 { "Response in", "smb.response_in", FT_UINT32, BASE_DEC,
14839 NULL, 0, "The response to this packet is in this packet", HFILL }},
14841 { &hf_smb_continuation_to,
14842 { "Continuation to", "smb.continuation_to", FT_UINT32, BASE_DEC,
14843 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
14845 { &hf_smb_nt_status,
14846 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
14847 VALS(NT_errors), 0, "NT Status code", HFILL }},
14849 { &hf_smb_error_class,
14850 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
14851 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
14853 { &hf_smb_error_code,
14854 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
14855 NULL, 0, "DOS Error Code", HFILL }},
14857 { &hf_smb_reserved,
14858 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
14859 NULL, 0, "Reserved bytes, must be zero", HFILL }},
14862 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
14863 NULL, 0, "Process ID", HFILL }},
14866 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
14867 NULL, 0, "Tree ID", HFILL }},
14870 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
14871 NULL, 0, "User ID", HFILL }},
14874 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
14875 NULL, 0, "Multiplex ID", HFILL }},
14877 { &hf_smb_flags_lock,
14878 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
14879 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
14881 { &hf_smb_flags_receive_buffer,
14882 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
14883 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
14885 { &hf_smb_flags_caseless,
14886 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
14887 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
14889 { &hf_smb_flags_canon,
14890 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
14891 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
14893 { &hf_smb_flags_oplock,
14894 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
14895 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
14897 { &hf_smb_flags_notify,
14898 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
14899 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
14901 { &hf_smb_flags_response,
14902 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
14903 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
14905 { &hf_smb_flags2_long_names_allowed,
14906 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
14907 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
14909 { &hf_smb_flags2_ea,
14910 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
14911 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
14913 { &hf_smb_flags2_sec_sig,
14914 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
14915 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
14917 { &hf_smb_flags2_long_names_used,
14918 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
14919 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
14921 { &hf_smb_flags2_esn,
14922 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
14923 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
14925 { &hf_smb_flags2_dfs,
14926 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
14927 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
14929 { &hf_smb_flags2_roe,
14930 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
14931 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
14933 { &hf_smb_flags2_nt_error,
14934 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
14935 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
14937 { &hf_smb_flags2_string,
14938 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
14939 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
14941 { &hf_smb_buffer_format,
14942 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
14943 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
14945 { &hf_smb_dialect_name,
14946 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
14947 NULL, 0, "Name of dialect", HFILL }},
14949 { &hf_smb_dialect_index,
14950 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
14951 NULL, 0, "Index of selected dialect", HFILL }},
14953 { &hf_smb_max_trans_buf_size,
14954 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
14955 NULL, 0, "Maximum transmit buffer size", HFILL }},
14957 { &hf_smb_max_mpx_count,
14958 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
14959 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
14961 { &hf_smb_max_vcs_num,
14962 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
14963 NULL, 0, "Maximum VCs between client and server", HFILL }},
14965 { &hf_smb_session_key,
14966 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
14967 NULL, 0, "Unique token identifying this session", HFILL }},
14969 { &hf_smb_server_timezone,
14970 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
14971 NULL, 0, "Current timezone at server.", HFILL }},
14973 { &hf_smb_encryption_key_length,
14974 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
14975 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
14977 { &hf_smb_encryption_key,
14978 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
14979 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
14981 { &hf_smb_primary_domain,
14982 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
14983 NULL, 0, "The server's primary domain", HFILL }},
14985 { &hf_smb_max_raw_buf_size,
14986 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
14987 NULL, 0, "Maximum raw buffer size", HFILL }},
14989 { &hf_smb_server_guid,
14990 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
14991 NULL, 0, "Globally unique identifier for this server", HFILL }},
14993 { &hf_smb_security_blob_len,
14994 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
14995 NULL, 0, "Security blob length", HFILL }},
14997 { &hf_smb_security_blob,
14998 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
14999 NULL, 0, "Security blob", HFILL }},
15001 { &hf_smb_sm_mode16,
15002 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
15003 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15005 { &hf_smb_sm_password16,
15006 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
15007 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15010 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
15011 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
15013 { &hf_smb_sm_password,
15014 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
15015 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
15017 { &hf_smb_sm_signatures,
15018 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
15019 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
15021 { &hf_smb_sm_sig_required,
15022 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
15023 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
15026 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
15027 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
15029 { &hf_smb_rm_write,
15030 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
15031 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
15033 { &hf_smb_server_date_time,
15034 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
15035 NULL, 0, "Current date and time at server", HFILL }},
15037 { &hf_smb_server_smb_date,
15038 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
15039 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
15041 { &hf_smb_server_smb_time,
15042 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
15043 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
15045 { &hf_smb_server_cap_raw_mode,
15046 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
15047 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
15049 { &hf_smb_server_cap_mpx_mode,
15050 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
15051 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
15053 { &hf_smb_server_cap_unicode,
15054 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
15055 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
15057 { &hf_smb_server_cap_large_files,
15058 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
15059 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
15061 { &hf_smb_server_cap_nt_smbs,
15062 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
15063 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
15065 { &hf_smb_server_cap_rpc_remote_apis,
15066 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
15067 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
15069 { &hf_smb_server_cap_nt_status,
15070 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
15071 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
15073 { &hf_smb_server_cap_level_ii_oplocks,
15074 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
15075 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
15077 { &hf_smb_server_cap_lock_and_read,
15078 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
15079 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
15081 { &hf_smb_server_cap_nt_find,
15082 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
15083 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
15085 { &hf_smb_server_cap_dfs,
15086 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
15087 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
15089 { &hf_smb_server_cap_infolevel_passthru,
15090 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
15091 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
15093 { &hf_smb_server_cap_large_readx,
15094 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
15095 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
15097 { &hf_smb_server_cap_large_writex,
15098 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
15099 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
15101 { &hf_smb_server_cap_unix,
15102 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
15103 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
15105 { &hf_smb_server_cap_reserved,
15106 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
15107 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
15109 { &hf_smb_server_cap_bulk_transfer,
15110 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
15111 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
15113 { &hf_smb_server_cap_compressed_data,
15114 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
15115 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
15117 { &hf_smb_server_cap_extended_security,
15118 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
15119 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
15121 { &hf_smb_system_time,
15122 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
15123 NULL, 0, "System Time", HFILL }},
15126 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
15127 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
15129 { &hf_smb_dir_name,
15130 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
15131 NULL, 0, "SMB Directory Name", HFILL }},
15133 { &hf_smb_echo_count,
15134 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
15135 NULL, 0, "Number of times to echo data back", HFILL }},
15137 { &hf_smb_echo_data,
15138 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
15139 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
15141 { &hf_smb_echo_seq_num,
15142 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
15143 NULL, 0, "Sequence number for this echo response", HFILL }},
15145 { &hf_smb_max_buf_size,
15146 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
15147 NULL, 0, "Max client buffer size", HFILL }},
15150 { "Path", "smb.path", FT_STRING, BASE_NONE,
15151 NULL, 0, "Path. Server name and share name", HFILL }},
15154 { "Service", "smb.service", FT_STRING, BASE_NONE,
15155 NULL, 0, "Service name", HFILL }},
15157 { &hf_smb_password,
15158 { "Password", "smb.password", FT_BYTES, BASE_NONE,
15159 NULL, 0, "Password", HFILL }},
15161 { &hf_smb_ansi_password,
15162 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
15163 NULL, 0, "ANSI Password", HFILL }},
15165 { &hf_smb_unicode_password,
15166 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
15167 NULL, 0, "Unicode Password", HFILL }},
15169 { &hf_smb_move_flags_file,
15170 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
15171 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
15173 { &hf_smb_move_flags_dir,
15174 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
15175 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
15177 { &hf_smb_move_flags_verify,
15178 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
15179 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
15181 { &hf_smb_move_files_moved,
15182 { "Files Moved", "smb.move.files_moved", FT_UINT16, BASE_DEC,
15183 NULL, 0, "Number of files moved", HFILL }},
15186 { "Count", "smb.count", FT_UINT32, BASE_DEC,
15187 NULL, 0, "Count number of items/bytes", HFILL }},
15189 { &hf_smb_file_name,
15190 { "File Name", "smb.file", FT_STRING, BASE_NONE,
15191 NULL, 0, "File Name", HFILL }},
15193 { &hf_smb_open_function_create,
15194 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
15195 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
15197 { &hf_smb_open_function_open,
15198 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
15199 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
15202 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
15203 NULL, 0, "FID: File ID", HFILL }},
15205 { &hf_smb_file_attr_read_only_16bit,
15206 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
15207 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15209 { &hf_smb_file_attr_read_only_8bit,
15210 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
15211 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15213 { &hf_smb_file_attr_hidden_16bit,
15214 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
15215 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15217 { &hf_smb_file_attr_hidden_8bit,
15218 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
15219 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15221 { &hf_smb_file_attr_system_16bit,
15222 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
15223 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15225 { &hf_smb_file_attr_system_8bit,
15226 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
15227 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15229 { &hf_smb_file_attr_volume_16bit,
15230 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
15231 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
15233 { &hf_smb_file_attr_volume_8bit,
15234 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
15235 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
15237 { &hf_smb_file_attr_directory_16bit,
15238 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
15239 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15241 { &hf_smb_file_attr_directory_8bit,
15242 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
15243 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15245 { &hf_smb_file_attr_archive_16bit,
15246 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
15247 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15249 { &hf_smb_file_attr_archive_8bit,
15250 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
15251 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15253 { &hf_smb_file_attr_device,
15254 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
15255 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
15257 { &hf_smb_file_attr_normal,
15258 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
15259 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
15261 { &hf_smb_file_attr_temporary,
15262 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
15263 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
15265 { &hf_smb_file_attr_sparse,
15266 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
15267 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
15269 { &hf_smb_file_attr_reparse,
15270 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
15271 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
15273 { &hf_smb_file_attr_compressed,
15274 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
15275 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
15277 { &hf_smb_file_attr_offline,
15278 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
15279 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
15281 { &hf_smb_file_attr_not_content_indexed,
15282 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
15283 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
15285 { &hf_smb_file_attr_encrypted,
15286 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
15287 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
15289 { &hf_smb_file_size,
15290 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
15291 NULL, 0, "File Size", HFILL }},
15293 { &hf_smb_search_attribute_read_only,
15294 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
15295 TFS(&tfs_search_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
15297 { &hf_smb_search_attribute_hidden,
15298 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
15299 TFS(&tfs_search_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
15301 { &hf_smb_search_attribute_system,
15302 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
15303 TFS(&tfs_search_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
15305 { &hf_smb_search_attribute_volume,
15306 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
15307 TFS(&tfs_search_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
15309 { &hf_smb_search_attribute_directory,
15310 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
15311 TFS(&tfs_search_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
15313 { &hf_smb_search_attribute_archive,
15314 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
15315 TFS(&tfs_search_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
15317 { &hf_smb_access_mode,
15318 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
15319 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
15321 { &hf_smb_access_sharing,
15322 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
15323 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
15325 { &hf_smb_access_locality,
15326 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
15327 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
15329 { &hf_smb_access_caching,
15330 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
15331 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
15333 { &hf_smb_access_writetru,
15334 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
15335 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
15337 { &hf_smb_create_time,
15338 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
15339 NULL, 0, "Creation Time", HFILL }},
15341 { &hf_smb_create_dos_date,
15342 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
15343 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
15345 { &hf_smb_create_dos_time,
15346 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
15347 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
15349 { &hf_smb_last_write_time,
15350 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
15351 NULL, 0, "Time this file was last written to", HFILL }},
15353 { &hf_smb_last_write_dos_date,
15354 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
15355 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
15357 { &hf_smb_last_write_dos_time,
15358 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
15359 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
15361 { &hf_smb_old_file_name,
15362 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
15363 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
15366 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
15367 NULL, 0, "Offset in file", HFILL }},
15369 { &hf_smb_remaining,
15370 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
15371 NULL, 0, "Remaining number of bytes", HFILL }},
15374 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
15375 NULL, 0, "Padding or unknown data", HFILL }},
15377 { &hf_smb_file_data,
15378 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
15379 NULL, 0, "Data read/written to the file", HFILL }},
15381 { &hf_smb_total_data_len,
15382 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
15383 NULL, 0, "Total length of data", HFILL }},
15385 { &hf_smb_data_len,
15386 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
15387 NULL, 0, "Length of data", HFILL }},
15389 { &hf_smb_seek_mode,
15390 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
15391 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
15393 { &hf_smb_access_time,
15394 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
15395 NULL, 0, "Last Access Time", HFILL }},
15397 { &hf_smb_access_dos_date,
15398 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
15399 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
15401 { &hf_smb_access_dos_time,
15402 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
15403 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
15405 { &hf_smb_data_size,
15406 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
15407 NULL, 0, "Data Size", HFILL }},
15409 { &hf_smb_alloc_size,
15410 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
15411 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
15413 { &hf_smb_max_count,
15414 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
15415 NULL, 0, "Maximum Count", HFILL }},
15417 { &hf_smb_min_count,
15418 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
15419 NULL, 0, "Minimum Count", HFILL }},
15422 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
15423 NULL, 0, "Timeout in miliseconds", HFILL }},
15425 { &hf_smb_high_offset,
15426 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
15427 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
15430 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
15431 NULL, 0, "Total number of units at server", HFILL }},
15434 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
15435 NULL, 0, "Blocks per unit at server", HFILL }},
15437 { &hf_smb_blocksize,
15438 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
15439 NULL, 0, "Block size (in bytes) at server", HFILL }},
15441 { &hf_smb_freeunits,
15442 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
15443 NULL, 0, "Number of free units at server", HFILL }},
15445 { &hf_smb_data_offset,
15446 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
15447 NULL, 0, "Data Offset", HFILL }},
15450 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
15451 NULL, 0, "Data Compaction Mode", HFILL }},
15453 { &hf_smb_request_mask,
15454 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
15455 NULL, 0, "Connectionless mode mask", HFILL }},
15457 { &hf_smb_response_mask,
15458 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
15459 NULL, 0, "Connectionless mode mask", HFILL }},
15462 { "SID", "smb.sid", FT_UINT16, BASE_HEX,
15463 NULL, 0, "SID: Search ID, handle for find operations", HFILL }},
15465 { &hf_smb_write_mode_write_through,
15466 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
15467 TFS(&tfs_write_mode_write_through), 0x0001, "Write through mode requested?", HFILL }},
15469 { &hf_smb_write_mode_return_remaining,
15470 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
15471 TFS(&tfs_write_mode_return_remaining), 0x0002, "Return remaining data responses?", HFILL }},
15473 { &hf_smb_write_mode_raw,
15474 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
15475 TFS(&tfs_write_mode_raw), 0x0004, "Use WriteRawNamedPipe?", HFILL }},
15477 { &hf_smb_write_mode_message_start,
15478 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
15479 TFS(&tfs_write_mode_message_start), 0x0008, "Is this the start of a message?", HFILL }},
15481 { &hf_smb_write_mode_connectionless,
15482 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
15483 TFS(&tfs_write_mode_connectionless), 0x0080, "Connectionless mode requested?", HFILL }},
15485 { &hf_smb_resume_key_len,
15486 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
15487 NULL, 0, "Resume Key length", HFILL }},
15489 { &hf_smb_resume_server_cookie,
15490 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
15491 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
15493 { &hf_smb_resume_client_cookie,
15494 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
15495 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
15497 { &hf_smb_andxoffset,
15498 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
15499 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
15501 { &hf_smb_lock_type_large,
15502 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
15503 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
15505 { &hf_smb_lock_type_cancel,
15506 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
15507 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
15509 { &hf_smb_lock_type_change,
15510 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
15511 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
15513 { &hf_smb_lock_type_oplock,
15514 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
15515 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
15517 { &hf_smb_lock_type_shared,
15518 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
15519 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
15521 { &hf_smb_locking_ol,
15522 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
15523 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
15525 { &hf_smb_number_of_locks,
15526 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
15527 NULL, 0, "Number of lock requests in this request", HFILL }},
15529 { &hf_smb_number_of_unlocks,
15530 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
15531 NULL, 0, "Number of unlock requests in this request", HFILL }},
15533 { &hf_smb_lock_long_length,
15534 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
15535 NULL, 0, "Length of lock/unlock region", HFILL }},
15537 { &hf_smb_lock_long_offset,
15538 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
15539 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
15541 { &hf_smb_file_type,
15542 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
15543 VALS(filetype_vals), 0, "Type of file", HFILL }},
15545 { &hf_smb_ipc_state_nonblocking,
15546 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
15547 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
15549 { &hf_smb_ipc_state_endpoint,
15550 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
15551 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
15553 { &hf_smb_ipc_state_pipe_type,
15554 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
15555 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
15557 { &hf_smb_ipc_state_read_mode,
15558 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
15559 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
15561 { &hf_smb_ipc_state_icount,
15562 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
15563 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
15565 { &hf_smb_server_fid,
15566 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
15567 NULL, 0, "Server unique File ID", HFILL }},
15569 { &hf_smb_open_flags_add_info,
15570 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
15571 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
15573 { &hf_smb_open_flags_ex_oplock,
15574 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
15575 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
15577 { &hf_smb_open_flags_batch_oplock,
15578 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
15579 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
15581 { &hf_smb_open_flags_ealen,
15582 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
15583 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
15585 { &hf_smb_open_action_open,
15586 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
15587 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
15589 { &hf_smb_open_action_lock,
15590 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
15591 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
15594 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
15595 NULL, 0, "VC Number", HFILL }},
15597 { &hf_smb_password_len,
15598 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
15599 NULL, 0, "Length of password", HFILL }},
15601 { &hf_smb_ansi_password_len,
15602 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
15603 NULL, 0, "Length of ANSI password", HFILL }},
15605 { &hf_smb_unicode_password_len,
15606 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
15607 NULL, 0, "Length of Unicode password", HFILL }},
15610 { "Account", "smb.account", FT_STRING, BASE_NONE,
15611 NULL, 0, "Account, username", HFILL }},
15614 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
15615 NULL, 0, "Which OS we are running", HFILL }},
15618 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
15619 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
15621 { &hf_smb_setup_action_guest,
15622 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
15623 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
15626 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
15627 NULL, 0, "Native File System", HFILL }},
15629 { &hf_smb_connect_flags_dtid,
15630 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
15631 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
15633 { &hf_smb_connect_support_search,
15634 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
15635 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
15637 { &hf_smb_connect_support_in_dfs,
15638 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
15639 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
15641 { &hf_smb_max_setup_count,
15642 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
15643 NULL, 0, "Maximum number of setup words to return", HFILL }},
15645 { &hf_smb_total_param_count,
15646 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
15647 NULL, 0, "Total number of parameter bytes", HFILL }},
15649 { &hf_smb_total_data_count,
15650 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
15651 NULL, 0, "Total number of data bytes", HFILL }},
15653 { &hf_smb_max_param_count,
15654 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
15655 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
15657 { &hf_smb_max_data_count,
15658 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
15659 NULL, 0, "Maximum number of data bytes to return", HFILL }},
15661 { &hf_smb_param_disp16,
15662 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
15663 NULL, 0, "Displacement of these parameter bytes", HFILL }},
15665 { &hf_smb_param_count16,
15666 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
15667 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
15669 { &hf_smb_param_offset16,
15670 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
15671 NULL, 0, "Offset (from header start) to parameters", HFILL }},
15673 { &hf_smb_param_disp32,
15674 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
15675 NULL, 0, "Displacement of these parameter bytes", HFILL }},
15677 { &hf_smb_param_count32,
15678 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
15679 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
15681 { &hf_smb_param_offset32,
15682 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
15683 NULL, 0, "Offset (from header start) to parameters", HFILL }},
15685 { &hf_smb_data_count16,
15686 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
15687 NULL, 0, "Number of data bytes in this buffer", HFILL }},
15689 { &hf_smb_data_disp16,
15690 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
15691 NULL, 0, "Data Displacement", HFILL }},
15693 { &hf_smb_data_offset16,
15694 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
15695 NULL, 0, "Data Offset", HFILL }},
15697 { &hf_smb_data_count32,
15698 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
15699 NULL, 0, "Number of data bytes in this buffer", HFILL }},
15701 { &hf_smb_data_disp32,
15702 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
15703 NULL, 0, "Data Displacement", HFILL }},
15705 { &hf_smb_data_offset32,
15706 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
15707 NULL, 0, "Data Offset", HFILL }},
15709 { &hf_smb_setup_count,
15710 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
15711 NULL, 0, "Number of setup words in this buffer", HFILL }},
15713 { &hf_smb_nt_trans_subcmd,
15714 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
15715 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
15717 { &hf_smb_nt_ioctl_function_code,
15718 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
15719 NULL, 0, "NT IOCTL function code", HFILL }},
15721 { &hf_smb_nt_ioctl_isfsctl,
15722 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
15723 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
15725 { &hf_smb_nt_ioctl_flags_root_handle,
15726 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
15727 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
15729 { &hf_smb_nt_ioctl_data,
15730 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
15731 NULL, 0, "Data for the IOCTL call", HFILL }},
15733 { &hf_smb_nt_notify_action,
15734 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
15735 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
15737 { &hf_smb_nt_notify_watch_tree,
15738 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
15739 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
15741 { &hf_smb_nt_notify_stream_write,
15742 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
15743 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
15745 { &hf_smb_nt_notify_stream_size,
15746 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
15747 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
15749 { &hf_smb_nt_notify_stream_name,
15750 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
15751 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
15753 { &hf_smb_nt_notify_security,
15754 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
15755 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
15757 { &hf_smb_nt_notify_ea,
15758 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
15759 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
15761 { &hf_smb_nt_notify_creation,
15762 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
15763 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
15765 { &hf_smb_nt_notify_last_access,
15766 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
15767 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
15769 { &hf_smb_nt_notify_last_write,
15770 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
15771 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
15773 { &hf_smb_nt_notify_size,
15774 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
15775 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
15777 { &hf_smb_nt_notify_attributes,
15778 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
15779 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
15781 { &hf_smb_nt_notify_dir_name,
15782 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
15783 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
15785 { &hf_smb_nt_notify_file_name,
15786 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
15787 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
15789 { &hf_smb_root_dir_fid,
15790 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
15791 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
15793 { &hf_smb_alloc_size64,
15794 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
15795 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
15797 { &hf_smb_nt_create_disposition,
15798 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
15799 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
15801 { &hf_smb_sd_length,
15802 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
15803 NULL, 0, "Total length of security descriptor", HFILL }},
15805 { &hf_smb_ea_length,
15806 { "EA Length", "smb.ea.length", FT_UINT32, BASE_DEC,
15807 NULL, 0, "Total EA length for opened file", HFILL }},
15809 { &hf_smb_file_name_len,
15810 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
15811 NULL, 0, "Length of File Name", HFILL }},
15813 { &hf_smb_nt_impersonation_level,
15814 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
15815 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
15817 { &hf_smb_nt_security_flags_context_tracking,
15818 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
15819 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
15821 { &hf_smb_nt_security_flags_effective_only,
15822 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
15823 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
15825 { &hf_smb_nt_access_mask_generic_read,
15826 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
15827 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
15829 { &hf_smb_nt_access_mask_generic_write,
15830 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
15831 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
15833 { &hf_smb_nt_access_mask_generic_execute,
15834 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
15835 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
15837 { &hf_smb_nt_access_mask_generic_all,
15838 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
15839 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
15841 { &hf_smb_nt_access_mask_maximum_allowed,
15842 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
15843 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
15845 { &hf_smb_nt_access_mask_system_security,
15846 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
15847 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
15849 { &hf_smb_nt_access_mask_synchronize,
15850 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
15851 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
15853 { &hf_smb_nt_access_mask_write_owner,
15854 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
15855 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
15857 { &hf_smb_nt_access_mask_write_dac,
15858 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
15859 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
15861 { &hf_smb_nt_access_mask_read_control,
15862 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
15863 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
15865 { &hf_smb_nt_access_mask_delete,
15866 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
15867 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
15869 { &hf_smb_nt_access_mask_write_attributes,
15870 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
15871 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
15873 { &hf_smb_nt_access_mask_read_attributes,
15874 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
15875 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
15877 { &hf_smb_nt_access_mask_delete_child,
15878 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
15879 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
15882 * "Execute" for files, "traverse" for directories.
15884 { &hf_smb_nt_access_mask_execute,
15885 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
15886 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
15888 { &hf_smb_nt_access_mask_write_ea,
15889 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
15890 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
15892 { &hf_smb_nt_access_mask_read_ea,
15893 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
15894 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
15897 * "Append data" for files, "add subdirectory" for directories,
15898 * "create pipe instance" for named pipes.
15900 { &hf_smb_nt_access_mask_append,
15901 { "Append", "smb.access.append", FT_BOOLEAN, 32,
15902 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
15905 * "Write data" for files and pipes, "add file" for directory.
15907 { &hf_smb_nt_access_mask_write,
15908 { "Write", "smb.access.write", FT_BOOLEAN, 32,
15909 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
15912 * "Read data" for files and pipes, "list directory" for directory.
15914 { &hf_smb_nt_access_mask_read,
15915 { "Read", "smb.access.read", FT_BOOLEAN, 32,
15916 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
15918 { &hf_smb_nt_create_bits_oplock,
15919 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
15920 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
15922 { &hf_smb_nt_create_bits_boplock,
15923 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
15924 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
15926 { &hf_smb_nt_create_bits_dir,
15927 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
15928 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
15930 { &hf_smb_nt_create_options_directory_file,
15931 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
15932 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
15934 { &hf_smb_nt_create_options_write_through,
15935 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
15936 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
15938 { &hf_smb_nt_create_options_sequential_only,
15939 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
15940 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
15942 { &hf_smb_nt_create_options_sync_io_alert,
15943 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
15944 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
15946 { &hf_smb_nt_create_options_sync_io_nonalert,
15947 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
15948 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
15950 { &hf_smb_nt_create_options_non_directory_file,
15951 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
15952 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
15954 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
15955 and "NtOpenFile()"; is that sent over the wire? Network
15956 Monitor thinks so, but its author may just have grabbed
15957 the flag bits from a system header file. */
15959 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
15960 and "NtOpenFile()"; is that sent over the wire? NetMon
15961 thinks so, but see previous comment. */
15963 { &hf_smb_nt_create_options_no_ea_knowledge,
15964 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
15965 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
15967 { &hf_smb_nt_create_options_eight_dot_three_only,
15968 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
15969 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
15971 { &hf_smb_nt_create_options_random_access,
15972 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
15973 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
15975 { &hf_smb_nt_create_options_delete_on_close,
15976 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
15977 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
15979 /* 0x00002000 is "open by FID", or something such as that (which
15980 I suspect is like "open by inumber" on UNIX), at least in
15981 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
15982 wire? NetMon thinks so, but see previous comment. */
15984 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
15985 and "NtOpenFile()"; is that sent over the wire? NetMon
15986 thinks so, but see previous comment. */
15988 { &hf_smb_nt_share_access_read,
15989 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
15990 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
15992 { &hf_smb_nt_share_access_write,
15993 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
15994 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
15996 { &hf_smb_nt_share_access_delete,
15997 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
15998 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
16000 { &hf_smb_file_eattr_read_only,
16001 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
16002 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
16004 { &hf_smb_file_eattr_hidden,
16005 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
16006 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
16008 { &hf_smb_file_eattr_system,
16009 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
16010 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
16012 { &hf_smb_file_eattr_volume,
16013 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
16014 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
16016 { &hf_smb_file_eattr_directory,
16017 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
16018 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
16020 { &hf_smb_file_eattr_archive,
16021 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
16022 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
16024 { &hf_smb_file_eattr_device,
16025 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
16026 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
16028 { &hf_smb_file_eattr_normal,
16029 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
16030 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
16032 { &hf_smb_file_eattr_temporary,
16033 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
16034 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
16036 { &hf_smb_file_eattr_sparse,
16037 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
16038 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
16040 { &hf_smb_file_eattr_reparse,
16041 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
16042 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
16044 { &hf_smb_file_eattr_compressed,
16045 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
16046 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
16048 { &hf_smb_file_eattr_offline,
16049 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
16050 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
16052 { &hf_smb_file_eattr_not_content_indexed,
16053 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
16054 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
16056 { &hf_smb_file_eattr_encrypted,
16057 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
16058 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
16060 { &hf_smb_file_eattr_write_through,
16061 { "Write Through", "smb.file_attribute.write_through", FT_BOOLEAN, 32,
16062 TFS(&tfs_file_attribute_write_through), FILE_ATTRIBUTE_WRITE_THROUGH, "Does this object need write through?", HFILL }},
16064 { &hf_smb_file_eattr_no_buffering,
16065 { "No Buffering", "smb.file_attribute.no_buffering", FT_BOOLEAN, 32,
16066 TFS(&tfs_file_attribute_no_buffering), FILE_ATTRIBUTE_NO_BUFFERING, "May the server buffer this object?", HFILL }},
16068 { &hf_smb_file_eattr_random_access,
16069 { "Random Access", "smb.file_attribute.random_access", FT_BOOLEAN, 32,
16070 TFS(&tfs_file_attribute_random_access), FILE_ATTRIBUTE_RANDOM_ACCESS, "Optimize for random access", HFILL }},
16072 { &hf_smb_file_eattr_sequential_scan,
16073 { "Sequential Scan", "smb.file_attribute.sequential_scan", FT_BOOLEAN, 32,
16074 TFS(&tfs_file_attribute_sequential_scan), FILE_ATTRIBUTE_SEQUENTIAL_SCAN, "Optimize for sequential scan", HFILL }},
16076 { &hf_smb_file_eattr_delete_on_close,
16077 { "Delete on Close", "smb.file_attribute.delete_on_close", FT_BOOLEAN, 32,
16078 TFS(&tfs_file_attribute_delete_on_close), FILE_ATTRIBUTE_DELETE_ON_CLOSE, "Should this object be deleted on close?", HFILL }},
16080 { &hf_smb_file_eattr_backup_semantics,
16081 { "Backup", "smb.file_attribute.backup_semantics", FT_BOOLEAN, 32,
16082 TFS(&tfs_file_attribute_backup_semantics), FILE_ATTRIBUTE_BACKUP_SEMANTICS, "Does this object need/support backup semantics", HFILL }},
16084 { &hf_smb_file_eattr_posix_semantics,
16085 { "Posix", "smb.file_attribute.posix_semantics", FT_BOOLEAN, 32,
16086 TFS(&tfs_file_attribute_posix_semantics), FILE_ATTRIBUTE_POSIX_SEMANTICS, "Does this object need/support POSIX semantics?", HFILL }},
16088 { &hf_smb_sec_desc_len,
16089 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
16090 NULL, 0, "Security Descriptor Length", HFILL }},
16092 { &hf_smb_nt_qsd_owner,
16093 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
16094 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
16096 { &hf_smb_nt_qsd_group,
16097 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
16098 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
16100 { &hf_smb_nt_qsd_dacl,
16101 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
16102 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
16104 { &hf_smb_nt_qsd_sacl,
16105 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
16106 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
16108 { &hf_smb_extended_attributes,
16109 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
16110 NULL, 0, "Extended Attributes", HFILL }},
16112 { &hf_smb_oplock_level,
16113 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
16114 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
16116 { &hf_smb_create_action,
16117 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
16118 VALS(create_disposition_vals), 0, "Type of action taken", HFILL }},
16120 { &hf_smb_ea_error_offset,
16121 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
16122 NULL, 0, "Offset into EA list if EA error", HFILL }},
16124 { &hf_smb_end_of_file,
16125 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
16126 NULL, 0, "Offset to the first free byte in the file", HFILL }},
16128 { &hf_smb_device_type,
16129 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
16130 VALS(device_type_vals), 0, "Type of device", HFILL }},
16132 { &hf_smb_is_directory,
16133 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
16134 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
16136 { &hf_smb_next_entry_offset,
16137 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
16138 NULL, 0, "Offset to next entry", HFILL }},
16140 { &hf_smb_change_time,
16141 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
16142 NULL, 0, "Last Change Time", HFILL }},
16144 { &hf_smb_setup_len,
16145 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
16146 NULL, 0, "Length of prionter setup data", HFILL }},
16148 { &hf_smb_print_mode,
16149 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
16150 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
16152 { &hf_smb_print_identifier,
16153 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
16154 NULL, 0, "Identifier string for this print job", HFILL }},
16156 { &hf_smb_restart_index,
16157 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
16158 NULL, 0, "Index of entry after last returned", HFILL }},
16160 { &hf_smb_print_queue_date,
16161 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
16162 NULL, 0, "Date when this entry was queued", HFILL }},
16164 { &hf_smb_print_queue_dos_date,
16165 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
16166 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
16168 { &hf_smb_print_queue_dos_time,
16169 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
16170 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
16172 { &hf_smb_print_status,
16173 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
16174 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
16176 { &hf_smb_print_spool_file_number,
16177 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
16178 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
16180 { &hf_smb_print_spool_file_size,
16181 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
16182 NULL, 0, "Number of bytes in spool file", HFILL }},
16184 { &hf_smb_print_spool_file_name,
16185 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
16186 NULL, 0, "Name of client that submitted this job", HFILL }},
16188 { &hf_smb_start_index,
16189 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
16190 NULL, 0, "First queue entry to return", HFILL }},
16192 { &hf_smb_cancel_to,
16193 { "Cancel to", "smb.cancel_to", FT_UINT32, BASE_DEC,
16194 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
16196 { &hf_smb_trans2_subcmd,
16197 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
16198 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
16200 { &hf_smb_trans_name,
16201 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
16202 NULL, 0, "Name of transaction", HFILL }},
16204 { &hf_smb_transaction_flags_dtid,
16205 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
16206 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
16208 { &hf_smb_transaction_flags_owt,
16209 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
16210 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
16212 { &hf_smb_search_count,
16213 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
16214 NULL, 0, "Maximum number of search entries to return", HFILL }},
16216 { &hf_smb_search_pattern,
16217 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
16218 NULL, 0, "Search Pattern", HFILL }},
16220 { &hf_smb_ff2_backup,
16221 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
16222 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
16224 { &hf_smb_ff2_continue,
16225 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
16226 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
16228 { &hf_smb_ff2_resume,
16229 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
16230 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
16232 { &hf_smb_ff2_close_eos,
16233 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
16234 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
16236 { &hf_smb_ff2_close,
16237 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
16238 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
16240 { &hf_smb_ff2_information_level,
16241 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
16242 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
16245 { "Level of Interest", "smb.loi", FT_UINT16, BASE_DEC,
16246 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] commands", HFILL }},
16248 { &hf_smb_storage_type,
16249 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
16250 NULL, 0, "Type of storage", HFILL }},
16253 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
16254 NULL, 0, "Resume Key", HFILL }},
16256 { &hf_smb_max_referral_level,
16257 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
16258 NULL, 0, "Latest referral version number understood", HFILL }},
16260 { &hf_smb_qfsi_information_level,
16261 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_DEC,
16262 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
16264 { &hf_smb_nt_rename_level,
16265 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
16266 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
16268 { &hf_smb_cluster_count,
16269 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
16270 NULL, 0, "Number of clusters", HFILL }},
16273 { "EA Size", "smb.ea_size", FT_UINT32, BASE_DEC,
16274 NULL, 0, "Size of file's EA information", HFILL }},
16276 { &hf_smb_list_length,
16277 { "ListLength", "smb.list_len", FT_UINT32, BASE_DEC,
16278 NULL, 0, "Length of the remaining data", HFILL }},
16280 { &hf_smb_number_of_links,
16281 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
16282 NULL, 0, "Number of hard links to the file", HFILL }},
16284 { &hf_smb_delete_pending,
16285 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
16286 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
16288 { &hf_smb_index_number,
16289 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
16290 NULL, 0, "File system unique identifier", HFILL }},
16292 { &hf_smb_current_offset,
16293 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
16294 NULL, 0, "Current offset in the file", HFILL }},
16296 { &hf_smb_t2_alignment,
16297 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
16298 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
16300 { &hf_smb_t2_stream_name_length,
16301 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
16302 NULL, 0, "Length of stream name", HFILL }},
16304 { &hf_smb_t2_stream_size,
16305 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
16306 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16308 { &hf_smb_t2_stream_name,
16309 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
16310 NULL, 0, "Name of the stream", HFILL }},
16312 { &hf_smb_t2_compressed_file_size,
16313 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
16314 NULL, 0, "Size of the compressed file", HFILL }},
16316 { &hf_smb_t2_compressed_format,
16317 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
16318 NULL, 0, "Compression algorithm used", HFILL }},
16320 { &hf_smb_t2_compressed_unit_shift,
16321 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
16322 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16324 { &hf_smb_t2_compressed_chunk_shift,
16325 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
16326 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16328 { &hf_smb_t2_compressed_cluster_shift,
16329 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
16330 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16332 { &hf_smb_dfs_path_consumed,
16333 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
16334 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
16336 { &hf_smb_dfs_num_referrals,
16337 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
16338 NULL, 0, "Number of referrals in this pdu", HFILL }},
16340 { &hf_smb_get_dfs_server_hold_storage,
16341 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
16342 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
16344 { &hf_smb_get_dfs_fielding,
16345 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
16346 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
16348 { &hf_smb_dfs_referral_version,
16349 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
16350 NULL, 0, "Version of referral element", HFILL }},
16352 { &hf_smb_dfs_referral_size,
16353 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
16354 NULL, 0, "Size of referral element", HFILL }},
16356 { &hf_smb_dfs_referral_server_type,
16357 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
16358 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
16360 { &hf_smb_dfs_referral_flags_strip,
16361 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
16362 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
16364 { &hf_smb_dfs_referral_node_offset,
16365 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
16366 NULL, 0, "Offset of name of entity to visit next", HFILL }},
16368 { &hf_smb_dfs_referral_node,
16369 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
16370 NULL, 0, "Name of entity to visit next", HFILL }},
16372 { &hf_smb_dfs_referral_proximity,
16373 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
16374 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
16376 { &hf_smb_dfs_referral_ttl,
16377 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
16378 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
16380 { &hf_smb_dfs_referral_path_offset,
16381 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
16382 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
16384 { &hf_smb_dfs_referral_path,
16385 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
16386 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
16388 { &hf_smb_dfs_referral_alt_path_offset,
16389 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
16390 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
16392 { &hf_smb_dfs_referral_alt_path,
16393 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
16394 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
16396 { &hf_smb_end_of_search,
16397 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
16398 NULL, 0, "Was last entry returned?", HFILL }},
16400 { &hf_smb_last_name_offset,
16401 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
16402 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
16404 { &hf_smb_file_index,
16405 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
16406 NULL, 0, "File index", HFILL }},
16408 { &hf_smb_short_file_name,
16409 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
16410 NULL, 0, "Short (8.3) File Name", HFILL }},
16412 { &hf_smb_short_file_name_len,
16413 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
16414 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
16417 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
16418 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
16420 { &hf_smb_sector_unit,
16421 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
16422 NULL, 0, "Sectors per allocation unit", HFILL }},
16424 { &hf_smb_fs_units,
16425 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
16426 NULL, 0, "Total number of units on this filesystem", HFILL }},
16428 { &hf_smb_fs_sector,
16429 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
16430 NULL, 0, "Bytes per sector", HFILL }},
16432 { &hf_smb_avail_units,
16433 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
16434 NULL, 0, "Total number of available units on this filesystem", HFILL }},
16436 { &hf_smb_volume_serial_num,
16437 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
16438 NULL, 0, "Volume serial number", HFILL }},
16440 { &hf_smb_volume_label_len,
16441 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
16442 NULL, 0, "Length of volume label", HFILL }},
16444 { &hf_smb_volume_label,
16445 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
16446 NULL, 0, "Volume label", HFILL }},
16448 { &hf_smb_free_alloc_units64,
16449 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
16450 NULL, 0, "Number of free allocation units", HFILL }},
16452 { &hf_smb_soft_quota_limit,
16453 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
16454 NULL, 0, "Soft Quota treshold", HFILL }},
16456 { &hf_smb_hard_quota_limit,
16457 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
16458 NULL, 0, "Hard Quota limit", HFILL }},
16460 { &hf_smb_user_quota_used,
16461 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
16462 NULL, 0, "How much Quota is used by this user", HFILL }},
16464 { &hf_smb_max_name_len,
16465 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
16466 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
16468 { &hf_smb_fs_name_len,
16469 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
16470 NULL, 0, "Length of filesystem name in bytes", HFILL }},
16473 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
16474 NULL, 0, "Name of filesystem", HFILL }},
16476 { &hf_smb_device_char_removable,
16477 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
16478 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
16480 { &hf_smb_device_char_read_only,
16481 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
16482 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
16484 { &hf_smb_device_char_floppy,
16485 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
16486 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
16488 { &hf_smb_device_char_write_once,
16489 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
16490 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
16492 { &hf_smb_device_char_remote,
16493 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
16494 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
16496 { &hf_smb_device_char_mounted,
16497 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
16498 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
16500 { &hf_smb_device_char_virtual,
16501 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
16502 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
16504 { &hf_smb_fs_attr_css,
16505 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
16506 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
16508 { &hf_smb_fs_attr_cpn,
16509 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
16510 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
16512 { &hf_smb_fs_attr_pacls,
16513 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
16514 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
16516 { &hf_smb_fs_attr_fc,
16517 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
16518 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
16520 { &hf_smb_fs_attr_vq,
16521 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
16522 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
16524 { &hf_smb_fs_attr_dim,
16525 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
16526 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
16528 { &hf_smb_fs_attr_vic,
16529 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
16530 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
16532 { &hf_smb_sec_desc_revision,
16533 { "Revision", "smb.sec_desc.revision", FT_UINT16, BASE_DEC,
16534 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
16536 { &hf_smb_sid_revision,
16537 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
16538 NULL, 0, "Version of SID structure", HFILL }},
16540 { &hf_smb_sid_num_auth,
16541 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
16542 NULL, 0, "Number of authorities for this SID", HFILL }},
16544 { &hf_smb_acl_revision,
16545 { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
16546 NULL, 0, "Version of NT ACL structure", HFILL }},
16548 { &hf_smb_acl_size,
16549 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
16550 NULL, 0, "Size of NT ACL structure", HFILL }},
16552 { &hf_smb_acl_num_aces,
16553 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
16554 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
16556 { &hf_smb_user_quota_offset,
16557 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
16558 NULL, 0, "Relative offset to next user quota structure", HFILL }},
16560 { &hf_smb_ace_type,
16561 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
16562 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
16564 { &hf_smb_ace_size,
16565 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
16566 NULL, 0, "Size of this ACE", HFILL }},
16568 { &hf_smb_ace_flags_object_inherit,
16569 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
16570 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
16572 { &hf_smb_ace_flags_container_inherit,
16573 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
16574 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
16576 { &hf_smb_ace_flags_non_propagate_inherit,
16577 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
16578 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
16580 { &hf_smb_ace_flags_inherit_only,
16581 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
16582 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
16584 { &hf_smb_ace_flags_inherited_ace,
16585 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
16586 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
16588 { &hf_smb_ace_flags_successful_access,
16589 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
16590 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
16592 { &hf_smb_ace_flags_failed_access,
16593 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
16594 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
16596 { &hf_smb_sec_desc_type_owner_defaulted,
16597 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
16598 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
16600 { &hf_smb_sec_desc_type_group_defaulted,
16601 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
16602 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
16604 { &hf_smb_sec_desc_type_dacl_present,
16605 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
16606 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
16608 { &hf_smb_sec_desc_type_dacl_defaulted,
16609 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
16610 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
16612 { &hf_smb_sec_desc_type_sacl_present,
16613 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
16614 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
16616 { &hf_smb_sec_desc_type_sacl_defaulted,
16617 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
16618 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
16620 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
16621 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
16622 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
16624 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
16625 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
16626 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
16628 { &hf_smb_sec_desc_type_dacl_auto_inherited,
16629 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
16630 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
16632 { &hf_smb_sec_desc_type_sacl_auto_inherited,
16633 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
16634 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
16636 { &hf_smb_sec_desc_type_dacl_protected,
16637 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
16638 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
16640 { &hf_smb_sec_desc_type_sacl_protected,
16641 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
16642 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
16644 { &hf_smb_sec_desc_type_self_relative,
16645 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
16646 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
16648 { &hf_smb_quota_flags_deny_disk,
16649 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
16650 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
16652 { &hf_smb_quota_flags_log_limit,
16653 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
16654 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
16656 { &hf_smb_quota_flags_log_warning,
16657 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
16658 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
16660 { &hf_smb_quota_flags_enabled,
16661 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
16662 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
16665 static gint *ett[] = {
16669 &ett_smb_fileattributes,
16670 &ett_smb_capabilities,
16678 &ett_smb_desiredaccess,
16681 &ett_smb_openfunction,
16683 &ett_smb_openaction,
16684 &ett_smb_writemode,
16685 &ett_smb_lock_type,
16686 &ett_smb_ssetupandxaction,
16687 &ett_smb_optionsup,
16688 &ett_smb_time_date,
16689 &ett_smb_move_flags,
16690 &ett_smb_file_attributes,
16691 &ett_smb_search_resume_key,
16692 &ett_smb_search_dir_info,
16697 &ett_smb_open_flags,
16698 &ett_smb_ipc_state,
16699 &ett_smb_open_action,
16700 &ett_smb_setup_action,
16701 &ett_smb_connect_flags,
16702 &ett_smb_connect_support_bits,
16703 &ett_smb_nt_access_mask,
16704 &ett_smb_nt_create_bits,
16705 &ett_smb_nt_create_options,
16706 &ett_smb_nt_share_access,
16707 &ett_smb_nt_security_flags,
16708 &ett_smb_nt_trans_setup,
16709 &ett_smb_nt_trans_data,
16710 &ett_smb_nt_trans_param,
16711 &ett_smb_nt_notify_completion_filter,
16712 &ett_smb_nt_ioctl_flags,
16713 &ett_smb_security_information_mask,
16714 &ett_smb_print_queue_entry,
16715 &ett_smb_transaction_flags,
16716 &ett_smb_transaction_params,
16717 &ett_smb_find_first2_flags,
16718 &ett_smb_transaction_data,
16719 &ett_smb_stream_info,
16720 &ett_smb_dfs_referrals,
16721 &ett_smb_dfs_referral,
16722 &ett_smb_dfs_referral_flags,
16723 &ett_smb_get_dfs_flags,
16725 &ett_smb_device_characteristics,
16726 &ett_smb_fs_attributes,
16732 &ett_smb_ace_flags,
16733 &ett_smb_sec_desc_type,
16734 &ett_smb_quotaflags,
16736 module_t *smb_module;
16738 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
16740 proto_register_subtree_array(ett, array_length(ett));
16741 proto_register_field_array(proto_smb, hf, array_length(hf));
16742 register_init_routine(&smb_init_protocol);
16743 smb_module = prefs_register_protocol(proto_smb, NULL);
16744 prefs_register_bool_preference(smb_module, "trans_reassembly",
16745 "Reassemble SMB Transaction payload",
16746 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
16747 &smb_trans_reassembly);
16748 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
16749 "Reassemble DCERPC over SMB",
16750 "Whether the dissector should reassemble DCERPC over SMB commands",
16751 &smb_dcerpc_reassembly);
16752 register_init_routine(smb_trans_reassembly_init);
16753 register_init_routine(smb_dcerpc_reassembly_init);
16757 proto_reg_handoff_smb(void)
16759 heur_dissector_add("netbios", dissect_smb, proto_smb);