2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.387 2004/03/01 08:34:34 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/int-64bit.h>
40 #include <epan/packet.h>
41 #include <epan/conversation.h>
43 #include <epan/strutil.h>
45 #include "reassemble.h"
47 #include "packet-ipx.h"
49 #include "packet-smb-common.h"
50 #include "packet-smb-mailslot.h"
51 #include "packet-smb-pipe.h"
52 #include "packet-dcerpc.h"
53 #include "packet-smb-sidsnooping.h"
56 * Various specifications and documents about SMB can be found in
58 * ftp://ftp.microsoft.com/developr/drg/CIFS/
60 * and a CIFS specification from the Storage Networking Industry Association
61 * can be found on a link from the page at
63 * http://www.snia.org/tech_activities/CIFS
65 * (it supersedes the document at
67 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
71 * There are also some Open Group publications documenting CIFS available
72 * for download; catalog entries for them are at:
74 * http://www.opengroup.org/products/publications/catalog/c209.htm
76 * http://www.opengroup.org/products/publications/catalog/c195.htm
78 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
81 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
83 * (or, presumably a similar path under the Samba mirrors). As the
84 * ".doc" indicates, it's a Word document. Some of the specs from the
85 * Microsoft FTP site can be found in the
87 * http://www.samba.org/samba/ftp/specs/
91 * Beware - these specs may have errors.
/*
 * Protocol handle plus the field handles named for the fixed SMB header
 * (command, ids, status, Flags and Flags2 bits) and for the word-count /
 * byte-count framing. Every handle starts at -1 and nothing in this part
 * of the file assigns another value.
 * NOTE(review): presumably they are filled in when the protocol is
 * registered -- confirm against the registration routine.
 */
93 static int proto_smb = -1;
94 static int hf_smb_cmd = -1;
95 static int hf_smb_key = -1;
96 static int hf_smb_session_id = -1;
97 static int hf_smb_sequence_num = -1;
98 static int hf_smb_group_id = -1;
99 static int hf_smb_pid = -1;
100 static int hf_smb_tid = -1;
101 static int hf_smb_uid = -1;
102 static int hf_smb_mid = -1;
103 static int hf_smb_pid_high = -1;
104 static int hf_smb_sig = -1;
105 static int hf_smb_response_to = -1;
106 static int hf_smb_time = -1;
107 static int hf_smb_response_in = -1;
108 static int hf_smb_continuation_to = -1;
109 static int hf_smb_nt_status = -1;
110 static int hf_smb_error_class = -1;
111 static int hf_smb_error_code = -1;
112 static int hf_smb_reserved = -1;
113 static int hf_smb_flags_lock = -1;
114 static int hf_smb_flags_receive_buffer = -1;
115 static int hf_smb_flags_caseless = -1;
116 static int hf_smb_flags_canon = -1;
117 static int hf_smb_flags_oplock = -1;
118 static int hf_smb_flags_notify = -1;
119 static int hf_smb_flags_response = -1;
120 static int hf_smb_flags2_long_names_allowed = -1;
121 static int hf_smb_flags2_ea = -1;
122 static int hf_smb_flags2_sec_sig = -1;
123 static int hf_smb_flags2_long_names_used = -1;
124 static int hf_smb_flags2_esn = -1;
125 static int hf_smb_flags2_dfs = -1;
126 static int hf_smb_flags2_roe = -1;
127 static int hf_smb_flags2_nt_error = -1;
128 static int hf_smb_flags2_string = -1;
/* The next two are the handles the word-count and byte-count macro bodies
 * further down pass to proto_tree_add_uint(). */
129 static int hf_smb_word_count = -1;
130 static int hf_smb_byte_count = -1;
131 static int hf_smb_buffer_format = -1;
/*
 * Field handles whose names refer to dialect negotiation, server
 * capabilities and session setup. All start at -1.
 * NOTE(review): several names here (hf_smb_session_key,
 * hf_smb_encryption_key, hf_smb_security_blob, hf_smb_password,
 * hf_smb_ansi_password, hf_smb_unicode_password) suggest that
 * authentication material ends up in the protocol tree. If so, capture
 * files and exported dissections containing these fields should be
 * treated as sensitive data -- confirm against the dissection routines,
 * which are not in this part of the file.
 */
132 static int hf_smb_dialect_name = -1;
133 static int hf_smb_dialect_index = -1;
134 static int hf_smb_max_trans_buf_size = -1;
135 static int hf_smb_max_mpx_count = -1;
136 static int hf_smb_max_vcs_num = -1;
137 static int hf_smb_session_key = -1;
138 static int hf_smb_server_timezone = -1;
139 static int hf_smb_encryption_key_length = -1;
140 static int hf_smb_encryption_key = -1;
141 static int hf_smb_primary_domain = -1;
142 static int hf_smb_server = -1;
143 static int hf_smb_max_raw_buf_size = -1;
144 static int hf_smb_server_guid = -1;
145 static int hf_smb_security_blob_len = -1;
146 static int hf_smb_security_blob = -1;
147 static int hf_smb_sm_mode16 = -1;
148 static int hf_smb_sm_password16 = -1;
149 static int hf_smb_sm_mode = -1;
150 static int hf_smb_sm_password = -1;
151 static int hf_smb_sm_signatures = -1;
152 static int hf_smb_sm_sig_required = -1;
153 static int hf_smb_rm_read = -1;
154 static int hf_smb_rm_write = -1;
155 static int hf_smb_server_date_time = -1;
156 static int hf_smb_server_smb_date = -1;
157 static int hf_smb_server_smb_time = -1;
158 static int hf_smb_server_cap_raw_mode = -1;
159 static int hf_smb_server_cap_mpx_mode = -1;
160 static int hf_smb_server_cap_unicode = -1;
161 static int hf_smb_server_cap_large_files = -1;
162 static int hf_smb_server_cap_nt_smbs = -1;
163 static int hf_smb_server_cap_rpc_remote_apis = -1;
164 static int hf_smb_server_cap_nt_status = -1;
165 static int hf_smb_server_cap_level_ii_oplocks = -1;
166 static int hf_smb_server_cap_lock_and_read = -1;
167 static int hf_smb_server_cap_nt_find = -1;
168 static int hf_smb_server_cap_dfs = -1;
169 static int hf_smb_server_cap_infolevel_passthru = -1;
170 static int hf_smb_server_cap_large_readx = -1;
171 static int hf_smb_server_cap_large_writex = -1;
172 static int hf_smb_server_cap_unix = -1;
173 static int hf_smb_server_cap_reserved = -1;
174 static int hf_smb_server_cap_bulk_transfer = -1;
175 static int hf_smb_server_cap_compressed_data = -1;
176 static int hf_smb_server_cap_extended_security = -1;
177 static int hf_smb_system_time = -1;
178 static int hf_smb_unknown = -1;
179 static int hf_smb_dir_name = -1;
180 static int hf_smb_echo_count = -1;
181 static int hf_smb_echo_data = -1;
182 static int hf_smb_echo_seq_num = -1;
183 static int hf_smb_max_buf_size = -1;
/* Password fields and their length fields are declared as separate handles. */
184 static int hf_smb_password = -1;
185 static int hf_smb_password_len = -1;
186 static int hf_smb_ansi_password = -1;
187 static int hf_smb_ansi_password_len = -1;
188 static int hf_smb_unicode_password = -1;
189 static int hf_smb_unicode_password_len = -1;
190 static int hf_smb_path = -1;
191 static int hf_smb_service = -1;
/*
 * Field handles named for file operations: move/copy flags, open
 * functions, file and search attributes, access modes, timestamps,
 * Macintosh extensions, read/write offsets and counts, write modes and
 * search resume keys. All start at -1; none is assigned in this part of
 * the file.
 */
192 static int hf_smb_move_flags_file = -1;
193 static int hf_smb_move_flags_dir = -1;
194 static int hf_smb_move_flags_verify = -1;
195 static int hf_smb_files_moved = -1;
196 static int hf_smb_copy_flags_file = -1;
197 static int hf_smb_copy_flags_dir = -1;
198 static int hf_smb_copy_flags_dest_mode = -1;
199 static int hf_smb_copy_flags_source_mode = -1;
200 static int hf_smb_copy_flags_verify = -1;
201 static int hf_smb_copy_flags_tree_copy = -1;
202 static int hf_smb_copy_flags_ea_action = -1;
203 static int hf_smb_count = -1;
204 static int hf_smb_count_low = -1;
205 static int hf_smb_count_high = -1;
206 static int hf_smb_file_name = -1;
207 static int hf_smb_open_function_open = -1;
208 static int hf_smb_open_function_create = -1;
209 static int hf_smb_fid = -1;
/* Attribute handles come in 16-bit and 8-bit variants for the first six
 * attributes; the remaining ones have a single handle each. */
210 static int hf_smb_file_attr_read_only_16bit = -1;
211 static int hf_smb_file_attr_read_only_8bit = -1;
212 static int hf_smb_file_attr_hidden_16bit = -1;
213 static int hf_smb_file_attr_hidden_8bit = -1;
214 static int hf_smb_file_attr_system_16bit = -1;
215 static int hf_smb_file_attr_system_8bit = -1;
216 static int hf_smb_file_attr_volume_16bit = -1;
217 static int hf_smb_file_attr_volume_8bit = -1;
218 static int hf_smb_file_attr_directory_16bit = -1;
219 static int hf_smb_file_attr_directory_8bit = -1;
220 static int hf_smb_file_attr_archive_16bit = -1;
221 static int hf_smb_file_attr_archive_8bit = -1;
222 static int hf_smb_file_attr_device = -1;
223 static int hf_smb_file_attr_normal = -1;
224 static int hf_smb_file_attr_temporary = -1;
225 static int hf_smb_file_attr_sparse = -1;
226 static int hf_smb_file_attr_reparse = -1;
227 static int hf_smb_file_attr_compressed = -1;
228 static int hf_smb_file_attr_offline = -1;
229 static int hf_smb_file_attr_not_content_indexed = -1;
230 static int hf_smb_file_attr_encrypted = -1;
231 static int hf_smb_file_size = -1;
232 static int hf_smb_search_attribute_read_only = -1;
233 static int hf_smb_search_attribute_hidden = -1;
234 static int hf_smb_search_attribute_system = -1;
235 static int hf_smb_search_attribute_volume = -1;
236 static int hf_smb_search_attribute_directory = -1;
237 static int hf_smb_search_attribute_archive = -1;
238 static int hf_smb_access_mode = -1;
239 static int hf_smb_access_sharing = -1;
240 static int hf_smb_access_locality = -1;
241 static int hf_smb_access_caching = -1;
242 static int hf_smb_access_writetru = -1;
243 static int hf_smb_create_time = -1;
244 static int hf_smb_modify_time = -1;
245 static int hf_smb_backup_time = -1;
246 static int hf_smb_mac_alloc_block_count = -1;
247 static int hf_smb_mac_alloc_block_size = -1;
248 static int hf_smb_mac_free_block_count = -1;
249 static int hf_smb_mac_fndrinfo = -1;
250 static int hf_smb_mac_root_file_count = -1;
251 static int hf_smb_mac_root_dir_count = -1;
252 static int hf_smb_mac_file_count = -1;
253 static int hf_smb_mac_dir_count = -1;
254 static int hf_smb_mac_support_flags = -1;
255 static int hf_smb_mac_sup_access_ctrl = -1;
256 static int hf_smb_mac_sup_getset_comments = -1;
257 static int hf_smb_mac_sup_desktopdb_calls = -1;
258 static int hf_smb_mac_sup_unique_ids = -1;
259 static int hf_smb_mac_sup_streams = -1;
260 static int hf_smb_create_dos_date = -1;
261 static int hf_smb_create_dos_time = -1;
262 static int hf_smb_last_write_time = -1;
263 static int hf_smb_last_write_dos_date = -1;
264 static int hf_smb_last_write_dos_time = -1;
265 static int hf_smb_access_time = -1;
266 static int hf_smb_access_dos_date = -1;
267 static int hf_smb_access_dos_time = -1;
268 static int hf_smb_old_file_name = -1;
/* NOTE(review): the offset / length / count names below describe values
 * taken from the packet; the code that reads them is not in this part of
 * the file -- confirm each is checked against the remaining buffer before
 * being used as a length. */
269 static int hf_smb_offset = -1;
270 static int hf_smb_remaining = -1;
271 static int hf_smb_padding = -1;
272 static int hf_smb_file_data = -1;
273 static int hf_smb_total_data_len = -1;
274 static int hf_smb_data_len = -1;
275 static int hf_smb_data_len_low = -1;
276 static int hf_smb_data_len_high = -1;
277 static int hf_smb_seek_mode = -1;
278 static int hf_smb_data_size = -1;
279 static int hf_smb_alloc_size = -1;
280 static int hf_smb_alloc_size64 = -1;
281 static int hf_smb_max_count = -1;
282 static int hf_smb_max_count_low = -1;
283 static int hf_smb_max_count_high = -1;
284 static int hf_smb_min_count = -1;
285 static int hf_smb_timeout = -1;
286 static int hf_smb_high_offset = -1;
287 static int hf_smb_units = -1;
288 static int hf_smb_bpu = -1;
289 static int hf_smb_blocksize = -1;
290 static int hf_smb_freeunits = -1;
291 static int hf_smb_data_offset = -1;
292 static int hf_smb_dcm = -1;
293 static int hf_smb_request_mask = -1;
294 static int hf_smb_response_mask = -1;
295 static int hf_smb_search_id = -1;
296 static int hf_smb_write_mode_write_through = -1;
297 static int hf_smb_write_mode_return_remaining = -1;
298 static int hf_smb_write_mode_raw = -1;
299 static int hf_smb_write_mode_message_start = -1;
300 static int hf_smb_write_mode_connectionless = -1;
301 static int hf_smb_resume_key_len = -1;
302 static int hf_smb_resume_find_id = -1;
303 static int hf_smb_resume_server_cookie = -1;
304 static int hf_smb_resume_client_cookie = -1;
/*
 * Field handles named for AndX chaining, byte-range locking, IPC (pipe)
 * state, open flags and actions, session setup strings and tree-connect
 * flags. All start at -1.
 * NOTE(review): hf_smb_andxoffset, hf_smb_number_of_locks and
 * hf_smb_number_of_unlocks name an offset and two counts that come from
 * the packet; the code consuming them is outside this part of the file --
 * confirm that chained offsets cannot loop and that the counts are bounded.
 */
305 static int hf_smb_andxoffset = -1;
306 static int hf_smb_lock_type_large = -1;
307 static int hf_smb_lock_type_cancel = -1;
308 static int hf_smb_lock_type_change = -1;
309 static int hf_smb_lock_type_oplock = -1;
310 static int hf_smb_lock_type_shared = -1;
311 static int hf_smb_locking_ol = -1;
312 static int hf_smb_number_of_locks = -1;
313 static int hf_smb_number_of_unlocks = -1;
314 static int hf_smb_lock_long_offset = -1;
315 static int hf_smb_lock_long_length = -1;
316 static int hf_smb_file_type = -1;
317 static int hf_smb_ipc_state_nonblocking = -1;
318 static int hf_smb_ipc_state_endpoint = -1;
319 static int hf_smb_ipc_state_pipe_type = -1;
320 static int hf_smb_ipc_state_read_mode = -1;
321 static int hf_smb_ipc_state_icount = -1;
322 static int hf_smb_server_fid = -1;
323 static int hf_smb_open_flags_add_info = -1;
324 static int hf_smb_open_flags_ex_oplock = -1;
325 static int hf_smb_open_flags_batch_oplock = -1;
326 static int hf_smb_open_flags_ealen = -1;
327 static int hf_smb_open_action_open = -1;
328 static int hf_smb_open_action_lock = -1;
329 static int hf_smb_vc_num = -1;
330 static int hf_smb_account = -1;
331 static int hf_smb_os = -1;
332 static int hf_smb_lanman = -1;
333 static int hf_smb_setup_action_guest = -1;
334 static int hf_smb_fs = -1;
335 static int hf_smb_connect_flags_dtid = -1;
336 static int hf_smb_connect_support_search = -1;
337 static int hf_smb_connect_support_in_dfs = -1;
/*
 * Field handles named for transaction framing: setup, parameter and data
 * counts, offsets and displacements in 16-bit and 32-bit variants, plus
 * the NT transaction sub-command and NT IOCTL fields. All start at -1.
 * NOTE(review): counts, offsets and displacements of this kind are
 * supplied by the sender of the packet. The reassembly routine later in
 * this file compares totlen with pos+count, so these values feed
 * arithmetic as well as display -- confirm that every consumer checks them
 * against the captured length and against each other before use.
 */
338 static int hf_smb_max_setup_count = -1;
339 static int hf_smb_total_param_count = -1;
340 static int hf_smb_total_data_count = -1;
341 static int hf_smb_max_param_count = -1;
342 static int hf_smb_max_data_count = -1;
343 static int hf_smb_param_disp16 = -1;
344 static int hf_smb_param_count16 = -1;
345 static int hf_smb_param_offset16 = -1;
346 static int hf_smb_param_disp32 = -1;
347 static int hf_smb_param_count32 = -1;
348 static int hf_smb_param_offset32 = -1;
349 static int hf_smb_data_disp16 = -1;
350 static int hf_smb_data_count16 = -1;
351 static int hf_smb_data_offset16 = -1;
352 static int hf_smb_data_disp32 = -1;
353 static int hf_smb_data_count32 = -1;
354 static int hf_smb_data_offset32 = -1;
355 static int hf_smb_setup_count = -1;
356 static int hf_smb_nt_trans_subcmd = -1;
357 static int hf_smb_nt_ioctl_function_code = -1;
358 static int hf_smb_nt_ioctl_isfsctl = -1;
359 static int hf_smb_nt_ioctl_flags_root_handle = -1;
360 static int hf_smb_nt_ioctl_data = -1;
/*
 * Field handles named for NT change-notify filters, NT create parameters,
 * extended attributes (EAs), impersonation and security flags, the NT
 * access mask bits, create options, share access and extended file
 * attributes. All start at -1.
 */
/* NOTE(review): no matching #endif is visible in this listing, so the
 * extent of the conditional section cannot be read from here. */
361 #ifdef SMB_UNUSED_HANDLES
362 static int hf_smb_nt_security_information = -1;
364 static int hf_smb_nt_notify_action = -1;
365 static int hf_smb_nt_notify_watch_tree = -1;
366 static int hf_smb_nt_notify_stream_write = -1;
367 static int hf_smb_nt_notify_stream_size = -1;
368 static int hf_smb_nt_notify_stream_name = -1;
369 static int hf_smb_nt_notify_security = -1;
370 static int hf_smb_nt_notify_ea = -1;
371 static int hf_smb_nt_notify_creation = -1;
372 static int hf_smb_nt_notify_last_access = -1;
373 static int hf_smb_nt_notify_last_write = -1;
374 static int hf_smb_nt_notify_size = -1;
375 static int hf_smb_nt_notify_attributes = -1;
376 static int hf_smb_nt_notify_dir_name = -1;
377 static int hf_smb_nt_notify_file_name = -1;
378 static int hf_smb_root_dir_fid = -1;
379 static int hf_smb_nt_create_disposition = -1;
380 static int hf_smb_sd_length = -1;
/* EA handles: a list length, then per-entry name and data lengths.
 * NOTE(review): nested lengths like these need each inner length checked
 * against the outer one -- confirm in the EA dissection code. */
381 static int hf_smb_ea_list_length = -1;
382 static int hf_smb_ea_flags = -1;
383 static int hf_smb_ea_name_length = -1;
384 static int hf_smb_ea_data_length = -1;
385 static int hf_smb_ea_name = -1;
386 static int hf_smb_ea_data = -1;
387 static int hf_smb_file_name_len = -1;
388 static int hf_smb_nt_impersonation_level = -1;
389 static int hf_smb_nt_security_flags_context_tracking = -1;
390 static int hf_smb_nt_security_flags_effective_only = -1;
391 static int hf_smb_nt_access_mask_generic_read = -1;
392 static int hf_smb_nt_access_mask_generic_write = -1;
393 static int hf_smb_nt_access_mask_generic_execute = -1;
394 static int hf_smb_nt_access_mask_generic_all = -1;
395 static int hf_smb_nt_access_mask_maximum_allowed = -1;
396 static int hf_smb_nt_access_mask_system_security = -1;
397 static int hf_smb_nt_access_mask_synchronize = -1;
398 static int hf_smb_nt_access_mask_write_owner = -1;
399 static int hf_smb_nt_access_mask_write_dac = -1;
400 static int hf_smb_nt_access_mask_read_control = -1;
401 static int hf_smb_nt_access_mask_delete = -1;
402 static int hf_smb_nt_access_mask_write_attributes = -1;
403 static int hf_smb_nt_access_mask_read_attributes = -1;
404 static int hf_smb_nt_access_mask_delete_child = -1;
405 static int hf_smb_nt_access_mask_execute = -1;
406 static int hf_smb_nt_access_mask_write_ea = -1;
407 static int hf_smb_nt_access_mask_read_ea = -1;
408 static int hf_smb_nt_access_mask_append = -1;
409 static int hf_smb_nt_access_mask_write = -1;
410 static int hf_smb_nt_access_mask_read = -1;
411 static int hf_smb_nt_create_bits_oplock = -1;
412 static int hf_smb_nt_create_bits_boplock = -1;
413 static int hf_smb_nt_create_bits_dir = -1;
414 static int hf_smb_nt_create_bits_ext_resp = -1;
415 static int hf_smb_nt_create_options_directory_file = -1;
416 static int hf_smb_nt_create_options_write_through = -1;
417 static int hf_smb_nt_create_options_sequential_only = -1;
418 static int hf_smb_nt_create_options_sync_io_alert = -1;
419 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
420 static int hf_smb_nt_create_options_non_directory_file = -1;
421 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
422 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
423 static int hf_smb_nt_create_options_random_access = -1;
424 static int hf_smb_nt_create_options_delete_on_close = -1;
425 static int hf_smb_nt_share_access_read = -1;
426 static int hf_smb_nt_share_access_write = -1;
427 static int hf_smb_nt_share_access_delete = -1;
428 static int hf_smb_file_eattr_read_only = -1;
429 static int hf_smb_file_eattr_hidden = -1;
430 static int hf_smb_file_eattr_system = -1;
431 static int hf_smb_file_eattr_volume = -1;
432 static int hf_smb_file_eattr_directory = -1;
433 static int hf_smb_file_eattr_archive = -1;
434 static int hf_smb_file_eattr_device = -1;
435 static int hf_smb_file_eattr_normal = -1;
436 static int hf_smb_file_eattr_temporary = -1;
437 static int hf_smb_file_eattr_sparse = -1;
438 static int hf_smb_file_eattr_reparse = -1;
439 static int hf_smb_file_eattr_compressed = -1;
440 static int hf_smb_file_eattr_offline = -1;
441 static int hf_smb_file_eattr_not_content_indexed = -1;
442 static int hf_smb_file_eattr_encrypted = -1;
/*
 * Field handles named for NT security descriptors: descriptor length,
 * revision and type bits, SIDs, ACLs, ACEs and the query-security-
 * descriptor selectors. All start at -1.
 * NOTE(review): the names include sizes and counts (hf_smb_sec_desc_len,
 * hf_smb_sid_num_auth, hf_smb_acl_size, hf_smb_acl_num_aces,
 * hf_smb_ace_size). A parser walking such nested, counted structures from
 * an untrusted packet needs every count and size bounded by the enclosing
 * length -- confirm in the security-descriptor dissection code, which is
 * not in this part of the file.
 */
443 static int hf_smb_sec_desc_len = -1;
444 static int hf_smb_sec_desc_revision = -1;
445 static int hf_smb_sec_desc_type_owner_defaulted = -1;
446 static int hf_smb_sec_desc_type_group_defaulted = -1;
447 static int hf_smb_sec_desc_type_dacl_present = -1;
448 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
449 static int hf_smb_sec_desc_type_sacl_present = -1;
450 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
451 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
452 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
453 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
454 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
455 static int hf_smb_sec_desc_type_dacl_protected = -1;
456 static int hf_smb_sec_desc_type_sacl_protected = -1;
457 static int hf_smb_sec_desc_type_self_relative = -1;
458 static int hf_smb_sid = -1;
459 static int hf_smb_sid_revision = -1;
460 static int hf_smb_sid_num_auth = -1;
461 static int hf_smb_acl_revision = -1;
462 static int hf_smb_acl_size = -1;
463 static int hf_smb_acl_num_aces = -1;
464 static int hf_smb_ace_type = -1;
465 static int hf_smb_ace_size = -1;
466 static int hf_smb_ace_flags_object_inherit = -1;
467 static int hf_smb_ace_flags_container_inherit = -1;
468 static int hf_smb_ace_flags_non_propagate_inherit = -1;
469 static int hf_smb_ace_flags_inherit_only = -1;
470 static int hf_smb_ace_flags_inherited_ace = -1;
471 static int hf_smb_ace_flags_successful_access = -1;
472 static int hf_smb_ace_flags_failed_access = -1;
473 static int hf_smb_nt_qsd_owner = -1;
474 static int hf_smb_nt_qsd_group = -1;
475 static int hf_smb_nt_qsd_dacl = -1;
476 static int hf_smb_nt_qsd_sacl = -1;
/*
 * Field handles named for NT create responses, print-queue entries,
 * messaging, TRANS2 sub-commands and find-first2 flags, information
 * levels, and stream / compression information. All start at -1.
 */
477 static int hf_smb_extended_attributes = -1;
478 static int hf_smb_oplock_level = -1;
479 static int hf_smb_create_action = -1;
480 static int hf_smb_file_id = -1;
481 static int hf_smb_ea_error_offset = -1;
482 static int hf_smb_end_of_file = -1;
483 static int hf_smb_replace = -1;
484 static int hf_smb_root_dir_handle = -1;
485 static int hf_smb_target_name_len = -1;
486 static int hf_smb_target_name = -1;
487 static int hf_smb_device_type = -1;
488 static int hf_smb_is_directory = -1;
489 static int hf_smb_next_entry_offset = -1;
490 static int hf_smb_change_time = -1;
491 static int hf_smb_setup_len = -1;
492 static int hf_smb_print_mode = -1;
493 static int hf_smb_print_identifier = -1;
494 static int hf_smb_restart_index = -1;
495 static int hf_smb_print_queue_date = -1;
496 static int hf_smb_print_queue_dos_date = -1;
497 static int hf_smb_print_queue_dos_time = -1;
498 static int hf_smb_print_status = -1;
499 static int hf_smb_print_spool_file_number = -1;
500 static int hf_smb_print_spool_file_size = -1;
501 static int hf_smb_print_spool_file_name = -1;
502 static int hf_smb_start_index = -1;
503 static int hf_smb_originator_name = -1;
504 static int hf_smb_destination_name = -1;
505 static int hf_smb_message_len = -1;
506 static int hf_smb_message = -1;
507 static int hf_smb_mgid = -1;
508 static int hf_smb_forwarded_name = -1;
509 static int hf_smb_machine_name = -1;
510 static int hf_smb_cancel_to = -1;
511 static int hf_smb_trans2_subcmd = -1;
512 static int hf_smb_trans_name = -1;
513 static int hf_smb_transaction_flags_dtid = -1;
514 static int hf_smb_transaction_flags_owt = -1;
515 static int hf_smb_search_count = -1;
516 static int hf_smb_search_pattern = -1;
517 static int hf_smb_ff2_backup = -1;
518 static int hf_smb_ff2_continue = -1;
519 static int hf_smb_ff2_resume = -1;
520 static int hf_smb_ff2_close_eos = -1;
521 static int hf_smb_ff2_close = -1;
522 static int hf_smb_ff2_information_level = -1;
523 static int hf_smb_qpi_loi = -1;
524 static int hf_smb_spi_loi = -1;
526 static int hf_smb_sfi_writetru = -1;
527 static int hf_smb_sfi_caching = -1;
529 static int hf_smb_storage_type = -1;
530 static int hf_smb_resume = -1;
531 static int hf_smb_max_referral_level = -1;
532 static int hf_smb_qfsi_information_level = -1;
533 static int hf_smb_number_of_links = -1;
534 static int hf_smb_delete_pending = -1;
535 static int hf_smb_index_number = -1;
536 static int hf_smb_current_offset = -1;
537 static int hf_smb_t2_alignment = -1;
538 static int hf_smb_t2_stream_name_length = -1;
539 static int hf_smb_t2_stream_size = -1;
540 static int hf_smb_t2_stream_name = -1;
541 static int hf_smb_t2_compressed_file_size = -1;
542 static int hf_smb_t2_compressed_format = -1;
543 static int hf_smb_t2_compressed_unit_shift = -1;
544 static int hf_smb_t2_compressed_chunk_shift = -1;
545 static int hf_smb_t2_compressed_cluster_shift = -1;
546 static int hf_smb_t2_marked_for_deletion = -1;
/*
 * Field handles named for DFS referrals, directory-search results,
 * file-system information, device characteristics, file-system
 * attributes, quotas, reassembly segments and the UNIX extensions.
 * All start at -1.
 * NOTE(review): the DFS referral names include several offsets
 * (node_offset, path_offset, alt_path_offset) that point elsewhere in the
 * same packet; offsets like these need validating against the referral's
 * own size before they are followed -- confirm in the referral dissection
 * code, which is not in this part of the file.
 */
547 static int hf_smb_dfs_path_consumed = -1;
548 static int hf_smb_dfs_num_referrals = -1;
549 static int hf_smb_get_dfs_server_hold_storage = -1;
550 static int hf_smb_get_dfs_fielding = -1;
551 static int hf_smb_dfs_referral_version = -1;
552 static int hf_smb_dfs_referral_size = -1;
553 static int hf_smb_dfs_referral_server_type = -1;
554 static int hf_smb_dfs_referral_flags_strip = -1;
555 static int hf_smb_dfs_referral_node_offset = -1;
556 static int hf_smb_dfs_referral_node = -1;
557 static int hf_smb_dfs_referral_proximity = -1;
558 static int hf_smb_dfs_referral_ttl = -1;
559 static int hf_smb_dfs_referral_path_offset = -1;
560 static int hf_smb_dfs_referral_path = -1;
561 static int hf_smb_dfs_referral_alt_path_offset = -1;
562 static int hf_smb_dfs_referral_alt_path = -1;
563 static int hf_smb_end_of_search = -1;
564 static int hf_smb_last_name_offset = -1;
565 static int hf_smb_fn_information_level = -1;
566 static int hf_smb_monitor_handle = -1;
567 static int hf_smb_change_count = -1;
568 static int hf_smb_file_index = -1;
569 static int hf_smb_short_file_name = -1;
570 static int hf_smb_short_file_name_len = -1;
571 static int hf_smb_fs_id = -1;
572 static int hf_smb_fs_guid = -1;
573 static int hf_smb_sector_unit = -1;
574 static int hf_smb_fs_units = -1;
575 static int hf_smb_fs_sector = -1;
576 static int hf_smb_avail_units = -1;
577 static int hf_smb_volume_serial_num = -1;
578 static int hf_smb_volume_label_len = -1;
579 static int hf_smb_volume_label = -1;
580 static int hf_smb_free_alloc_units64 = -1;
581 static int hf_smb_caller_free_alloc_units64 = -1;
582 static int hf_smb_actual_free_alloc_units64 = -1;
583 static int hf_smb_max_name_len = -1;
584 static int hf_smb_fs_name_len = -1;
585 static int hf_smb_fs_name = -1;
586 static int hf_smb_device_char_removable = -1;
587 static int hf_smb_device_char_read_only = -1;
588 static int hf_smb_device_char_floppy = -1;
589 static int hf_smb_device_char_write_once = -1;
590 static int hf_smb_device_char_remote = -1;
591 static int hf_smb_device_char_mounted = -1;
592 static int hf_smb_device_char_virtual = -1;
593 static int hf_smb_fs_attr_css = -1;
594 static int hf_smb_fs_attr_cpn = -1;
595 static int hf_smb_fs_attr_pacls = -1;
596 static int hf_smb_fs_attr_fc = -1;
597 static int hf_smb_fs_attr_vq = -1;
598 static int hf_smb_fs_attr_dim = -1;
599 static int hf_smb_fs_attr_vic = -1;
600 static int hf_smb_quota_flags_enabled = -1;
601 static int hf_smb_quota_flags_deny_disk = -1;
602 static int hf_smb_quota_flags_log_limit = -1;
603 static int hf_smb_quota_flags_log_warning = -1;
604 static int hf_smb_soft_quota_limit = -1;
605 static int hf_smb_hard_quota_limit = -1;
606 static int hf_smb_user_quota_used = -1;
607 static int hf_smb_user_quota_offset = -1;
608 static int hf_smb_nt_rename_level = -1;
609 static int hf_smb_cluster_count = -1;
/* Segment handles; the addresses of the overlap, overlap_conflict,
 * multiple_tails, too_long_fragment and error handles are stored in
 * smb_frag_items further down. */
610 static int hf_smb_segments = -1;
611 static int hf_smb_segment = -1;
612 static int hf_smb_segment_overlap = -1;
613 static int hf_smb_segment_overlap_conflict = -1;
614 static int hf_smb_segment_multiple_tails = -1;
615 static int hf_smb_segment_too_long_fragment = -1;
616 static int hf_smb_segment_error = -1;
617 static int hf_smb_pipe_write_len = -1;
618 static int hf_smb_unix_major_version = -1;
619 static int hf_smb_unix_minor_version = -1;
620 static int hf_smb_unix_capability_fcntl = -1;
621 static int hf_smb_unix_capability_posix_acl = -1;
622 static int hf_smb_unix_file_size = -1;
623 static int hf_smb_unix_file_num_bytes = -1;
624 static int hf_smb_unix_file_last_status = -1;
625 static int hf_smb_unix_file_last_access = -1;
626 static int hf_smb_unix_file_last_change = -1;
627 static int hf_smb_unix_file_uid = -1;
628 static int hf_smb_unix_file_gid = -1;
629 static int hf_smb_unix_file_type = -1;
630 static int hf_smb_unix_file_dev_major = -1;
631 static int hf_smb_unix_file_dev_minor = -1;
632 static int hf_smb_unix_file_unique_id = -1;
633 static int hf_smb_unix_file_permissions = -1;
634 static int hf_smb_unix_file_nlinks = -1;
635 static int hf_smb_unix_file_link_dest = -1;
636 static int hf_smb_unix_find_file_nextoffset = -1;
637 static int hf_smb_unix_find_file_resumekey = -1;
/*
 * Subtree handles (gint), one per kind of expandable item the names
 * describe. All start at -1 and none is assigned in this part of the file.
 * NOTE(review): presumably registered together as an array of subtree
 * indices -- confirm against the registration routine.
 */
639 static gint ett_smb = -1;
640 static gint ett_smb_hdr = -1;
641 static gint ett_smb_command = -1;
642 static gint ett_smb_fileattributes = -1;
643 static gint ett_smb_capabilities = -1;
644 static gint ett_smb_aflags = -1;
645 static gint ett_smb_dialect = -1;
646 static gint ett_smb_dialects = -1;
647 static gint ett_smb_mode = -1;
648 static gint ett_smb_rawmode = -1;
649 static gint ett_smb_flags = -1;
650 static gint ett_smb_flags2 = -1;
651 static gint ett_smb_desiredaccess = -1;
652 static gint ett_smb_search = -1;
653 static gint ett_smb_file = -1;
654 static gint ett_smb_openfunction = -1;
655 static gint ett_smb_filetype = -1;
656 static gint ett_smb_openaction = -1;
657 static gint ett_smb_writemode = -1;
658 static gint ett_smb_lock_type = -1;
659 static gint ett_smb_ssetupandxaction = -1;
660 static gint ett_smb_optionsup = -1;
661 static gint ett_smb_time_date = -1;
662 static gint ett_smb_move_copy_flags = -1;
663 static gint ett_smb_file_attributes = -1;
664 static gint ett_smb_search_resume_key = -1;
665 static gint ett_smb_search_dir_info = -1;
666 static gint ett_smb_unlocks = -1;
667 static gint ett_smb_unlock = -1;
668 static gint ett_smb_locks = -1;
669 static gint ett_smb_lock = -1;
670 static gint ett_smb_open_flags = -1;
671 static gint ett_smb_ipc_state = -1;
672 static gint ett_smb_open_action = -1;
673 static gint ett_smb_setup_action = -1;
674 static gint ett_smb_connect_flags = -1;
675 static gint ett_smb_connect_support_bits = -1;
676 static gint ett_smb_nt_access_mask = -1;
677 static gint ett_smb_nt_create_bits = -1;
678 static gint ett_smb_nt_create_options = -1;
679 static gint ett_smb_nt_share_access = -1;
680 static gint ett_smb_nt_security_flags = -1;
681 static gint ett_smb_nt_trans_setup = -1;
682 static gint ett_smb_nt_trans_data = -1;
683 static gint ett_smb_nt_trans_param = -1;
684 static gint ett_smb_nt_notify_completion_filter = -1;
685 static gint ett_smb_nt_ioctl_flags = -1;
686 static gint ett_smb_security_information_mask = -1;
687 static gint ett_smb_print_queue_entry = -1;
688 static gint ett_smb_transaction_flags = -1;
689 static gint ett_smb_transaction_params = -1;
690 static gint ett_smb_find_first2_flags = -1;
691 static gint ett_smb_mac_support_flags = -1;
693 static gint ett_smb_ioflag = -1;
695 static gint ett_smb_transaction_data = -1;
696 static gint ett_smb_stream_info = -1;
697 static gint ett_smb_dfs_referrals = -1;
698 static gint ett_smb_dfs_referral = -1;
699 static gint ett_smb_dfs_referral_flags = -1;
700 static gint ett_smb_get_dfs_flags = -1;
701 static gint ett_smb_ff2_data = -1;
702 static gint ett_smb_device_characteristics = -1;
703 static gint ett_smb_fs_attributes = -1;
704 static gint ett_smb_segments = -1;
705 static gint ett_smb_segment = -1;
706 static gint ett_smb_sec_desc = -1;
707 static gint ett_smb_sid = -1;
708 static gint ett_smb_acl = -1;
709 static gint ett_smb_ace = -1;
710 static gint ett_smb_ace_flags = -1;
711 static gint ett_smb_sec_desc_type = -1;
712 static gint ett_smb_quotaflags = -1;
713 static gint ett_smb_secblob = -1;
714 static gint ett_smb_unicode_password = -1;
715 static gint ett_smb_ea = -1;
716 static gint ett_smb_unix_capabilities = -1;
/*
 * Tap identifier (starts at -1) and two dissector handles named for
 * GSS-API and NTLMSSP, both starting as NULL.
 * NOTE(review): nothing in this part of the file assigns the handles; any
 * call made through them relies on them having been looked up first --
 * confirm where they are set and that they cannot still be NULL when a
 * security blob is handed to them.
 */
718 static int smb_tap = -1;
720 static dissector_handle_t gssapi_handle = NULL;
721 static dissector_handle_t ntlmssp_handle = NULL;
723 static const fragment_items smb_frag_items = {
729 &hf_smb_segment_overlap,
730 &hf_smb_segment_overlap_conflict,
731 &hf_smb_segment_multiple_tails,
732 &hf_smb_segment_too_long_fragment,
733 &hf_smb_segment_error,
/* File-scope tree pointer with external linkage (not static), starting as
 * NULL; the original author marks it as a workaround. Being a plain global,
 * it is shared by every dissection that runs through this file. */
739 proto_tree *top_tree=NULL; /* ugly */
/* Forward declarations for routines defined later in the file:
 * decode_smb_name takes one guint8 and returns a char pointer;
 * dissect_smb_command takes the buffer, packet info, an offset, the SMB
 * subtree, a command byte and a first-PDU flag, and returns an int. */
741 static char *decode_smb_name(guint8);
742 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
745 * Macros for use in the main dissector routines for an SMB.
750 wc = tvb_get_guint8(tvb, offset); \
751 proto_tree_add_uint(tree, hf_smb_word_count, \
752 tvb, offset, 1, wc); \
754 if(wc==0) goto bytecount;
758 bc = tvb_get_letohs(tvb, offset); \
759 proto_tree_add_uint(tree, hf_smb_byte_count, \
760 tvb, offset, 2, bc); \
762 if(bc==0) goto endofcommand;
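/*
 * Bounds guard for the main dissector routines: jumps to the caller's
 * `endofcommand` label when the remaining byte count `bc` is smaller than
 * `len`. Both `bc` and the label must exist at the point of use.
 *
 * `len` is parenthesized so that an argument built with an operator of
 * lower precedence than `<` (such as `&`, `|` or `?:`) is compared as a
 * whole. Without the parentheses the guard would test a different
 * expression and could let a packet that is too short fall through to the
 * field reads that follow it.
 */
#define CHECK_BYTE_COUNT(len)	\
	if (bc < (len)) goto endofcommand;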
767 #define COUNT_BYTES(len) {\
777 bc_remaining=tvb_length_remaining(tvb, offset); \
778 if( ((gint)bc) > bc_remaining){ \
782 proto_tree_add_text(tree, tvb, offset, bc, \
783 "Extra byte parameters"); \
790 * Macros for use in routines called by them.
792 #define CHECK_BYTE_COUNT_SUBR(len) \
798 #define CHECK_STRING_SUBR(fn) \
804 #define COUNT_BYTES_SUBR(len) \
809 * Macros for use when dissecting transaction parameters and data
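/*
 * Bounds guard for routines that dissect transaction parameters and data:
 * returns the caller's current `offset` when the remaining byte count `bc`
 * is smaller than `len`. Both `bc` and `offset` must exist at the point
 * of use.
 *
 * `len` is parenthesized so that an argument built with an operator of
 * lower precedence than `<` is compared as a whole; otherwise the guard
 * would test a different expression than the one the caller wrote and a
 * short transaction payload could pass the check.
 */
#define CHECK_BYTE_COUNT_TRANS(len)	\
	if (bc < (len)) return offset;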
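/*
 * String guard for routines that dissect transaction parameters and data:
 * returns the caller's current `offset` when the string pointer `fn` is
 * NULL, so a string that could not be extracted is never dereferenced.
 * `offset` must exist at the point of use.
 *
 * `fn` is parenthesized so that a conditional or other compound argument
 * is compared with NULL as a whole.
 */
#define CHECK_STRING_TRANS(fn)	\
	if ((fn) == NULL) return offset;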
817 #define COUNT_BYTES_TRANS(len) \
822 * Macros for use in subroutines dissecting transaction parameters or data
/*
 * CHECK_BYTE_COUNT_TRANS_SUBR(len): same guard for subroutines that receive
 * the byte count through a pointer. Returns offset when *bcp is smaller than
 * len; bcp must be a valid pointer in the enclosing function.
 */
824 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
825 if (*bcp < len) return offset;
/*
 * CHECK_STRING_TRANS_SUBR(fn): return offset when the string pointer fn is
 * NULL.
 */
827 #define CHECK_STRING_TRANS_SUBR(fn) \
828 if (fn == NULL) return offset;
830 #define COUNT_BYTES_TRANS_SUBR(len) \
835 gboolean sid_name_snooping = FALSE;
837 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
838 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
839 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
840 static gboolean smb_trans_reassembly = FALSE;
841 gboolean smb_dcerpc_reassembly = FALSE;
843 static GHashTable *smb_trans_fragment_table = NULL;
/*
 * Initialise the table that holds SMB Transaction fragments by handing
 * smb_trans_fragment_table to fragment_table_init().
 */
846 smb_trans_reassembly_init(void)
848 fragment_table_init(&smb_trans_fragment_table);
/*
 * Feed one piece of an SMB Transaction payload into the reassembly table and
 * look up the reassembled result.
 *
 * tvb/offset/count locate this fragment's bytes, pos is its position within
 * the whole transaction and totlen the total length; more fragments are
 * expected while totlen > pos + count. Fragments are keyed by the frame
 * number of the request (si->sip->frame_req), which is why si->sip is tested
 * for NULL before anything else. On the first pass over a frame the data is
 * added with fragment_add(); on later passes the existing entry is fetched
 * with fragment_get(). The reassembled data is only considered when pos == 0
 * and the entry carries FD_DEFRAGMENTED.
 *
 * NOTE(review): pos, count and totlen are ints and presumably derive from
 * length fields of the captured packet; pos + count is a signed addition,
 * so confirm that callers bound these values before calling.
 */
851 static fragment_data *
852 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
853 int offset, int count, int pos, int totlen)
855 fragment_data *fd_head=NULL;
859 more_frags=totlen>(pos+count);
861 si = (smb_info_t *)pinfo->private_data;
862 if (si->sip == NULL) {
864 * We don't have the frame number of the request.
866 * XXX - is there truly nothing we can do here?
867 * Can we not separately keep track of the original
868 * transaction and its continuations, as we did
871 * It is probably not much point in even trying to do something here
872 * if we have never seen the initial request. Without the initial
873 * request we probably miss all parameters and the begining of data
874 * so we cant even call a subdissector since we can not determine
875 * which type of transaction call this is.
880 if(!pinfo->fd->flags.visited){
881 fd_head = fragment_add(tvb, offset, pinfo,
882 si->sip->frame_req, smb_trans_fragment_table,
883 pos, count, more_frags);
885 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
888 /* we only show the defragmented packet for the first fragment,
889 or else we might end up with dissecting one HUGE transaction PDU
890 a LOT of times. (first fragment is the only one containing the setup
892 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
893 SMBs. Takes a LOT of time dissecting and is not fun.
895 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
906 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
907 These variables and functions are used to match
909 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
911 * The information we need to save about a request in order to show the
912 * frame number of the request in the dissection of the reply.
917 } smb_saved_info_key_t;
919 static GMemChunk *smb_saved_info_key_chunk = NULL;
920 static GMemChunk *smb_saved_info_chunk = NULL;
921 static int smb_saved_info_init_count = 200;
923 /* unmatched smb_saved_info structures.
924 For unmatched smb_saved_info structures we store the smb_saved_info
925 structure using the MID and the PID as the key.
927 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
928 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
929 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
/*
 * Key comparison for the table of unmatched requests (judging by the name
 * and the comment above). The keys are pointers used as integers: each is
 * cast to guint32 before use.
 * NOTE(review): the cast keeps only 32 bits of the pointer value, so on a
 * platform with wider pointers it truncates and compilers warn about it.
 * GLib's GPOINTER_TO_UINT() is the usual way to spell this conversion.
 */
932 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
934 register guint32 key1 = (guint32)k1;
935 register guint32 key2 = (guint32)k2;
/*
 * Hash function for the table of unmatched requests (judging by the name).
 * The pointer key is cast to guint32 and treated as an integer.
 * NOTE(review): same pointer-to-guint32 truncation as in the equality
 * function; GPOINTER_TO_UINT() would make the intent explicit.
 */
939 smb_saved_info_hash_unmatched(gconstpointer k)
941 register guint32 key = (guint32)k;
945 /* matched smb_saved_info structures.
946 For matched smb_saved_info structures we store the smb_saved_info
947 structure twice in the table using the frame number, and a combination
948 of the MID and the PID, as the key.
949 The frame number is guaranteed to be unique but if ever someone makes
950 some change that will renumber the frames in a capture we are in BIG trouble.
951 This is not likely though since that would break (among other things) all the
952 reassembly routines as well.
954 We also need the MID as there may be more than one SMB request or reply
955 in a single frame, and we also need the PID as there may be more than
956 one outstanding request with the same MID and different PIDs.
/*
 * Key comparison for matched requests: two smb_saved_info_key_t keys are
 * equal when both their frame and their pid_mid members are equal.
 */
959 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
961 const smb_saved_info_key_t *key1 = k1;
962 const smb_saved_info_key_t *key2 = k2;
963 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
/*
 * Hash for matched requests: the sum of the key's frame and pid_mid members.
 * Keys that compare equal in smb_saved_info_equal_matched() therefore hash
 * to the same value.
 */
966 smb_saved_info_hash_matched(gconstpointer k)
968 const smb_saved_info_key_t *key = k;
969 return key->frame + key->pid_mid;
972 static GMemChunk *smb_nt_transact_info_chunk = NULL;
973 static int smb_nt_transact_info_init_count = 200;
975 static GMemChunk *smb_transact2_info_chunk = NULL;
976 static int smb_transact2_info_init_count = 200;
979 * The information we need to save about a Transaction request in order
980 * to dissect the reply; this includes information for use by the
981 * Remote API dissector.
983 static GMemChunk *smb_transact_info_chunk = NULL;
984 static int smb_transact_info_init_count = 200;
986 static GMemChunk *conv_tables_chunk = NULL;
987 static GSList *conv_tables = NULL;
988 static int conv_tables_count = 10;
991 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
992 End of request/response matching functions
993 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
995 static const value_string buffer_format_vals[] = {
1000 {5, "Variable Block"},
1005 * UTIME - this is *almost* like a UNIX time stamp, except that it's
1006 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
1007 * January 1, 1970, 00:00:00 GMT.
1009 * This means we have to do some extra work to convert it. This code is
1010 * based on the Samba code:
1012 * Unix SMB/Netbios implementation.
1014 * time handling functions
1015 * Copyright (C) Andrew Tridgell 1992-1998
1019 * Yield the difference between *A and *B, in seconds, ignoring leap
1022 #define TM_YEAR_BASE 1900
/*
 * Difference between the broken-down times *a and *b in seconds, built up
 * from the year, leap-day, day-of-year, hour, minute and second differences.
 * Every intermediate value is an int.
 * NOTE(review): for inputs many decades apart the 60*minutes step could
 * exceed the range of a 32-bit int; confirm callers only pass times that
 * are close to each other.
 */
1025 tm_diff(struct tm *a, struct tm *b)
1027 int ay = a->tm_year + (TM_YEAR_BASE - 1);
1028 int by = b->tm_year + (TM_YEAR_BASE - 1);
1029 int intervening_leap_days =
1030 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
1031 int years = ay - by;
1033 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
1034 int hours = 24*days + (a->tm_hour - b->tm_hour);
1035 int minutes = 60*hours + (a->tm_min - b->tm_min);
1036 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
1042 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1048 struct tm *tm = gmtime(&t);
1057 return tm_diff(&tm_utc,tm);
1061 * Return the same value as TimeZone, but it should be more efficient.
1063 * We keep a table of DST offsets to prevent calling localtime() on each
1064 * call of this function. This saves a LOT of time on many unixes.
1066 * Updated by Paul Eggert <eggert@twinsun.com>
1073 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1074 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
1077 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
/*
 * Cached time zone lookup for t. A function-static table of
 * {start, end, zone} ranges is searched linearly; on a hit the stored zone
 * is used. On a miss the table is grown by one entry with g_malloc() or
 * g_realloc(), the entry is seeded with start == end == t, and two loops
 * widen it by probing TimeZone() at points between the entry and the
 * low/high limits derived from t -/+ MAX_DST_WIDTH/2.
 *
 * NOTE(review): in the lines shown the static table only ever grows and is
 * never released; t presumably comes from a timestamp in the capture, so
 * confirm that the table stays small for arbitrary input timestamps.
 */
1081 TimeZoneFaster(time_t t)
1083 static struct dst_table {time_t start,end; int zone;} *tdt;
1084 static struct dst_table *dst_table = NULL;
1085 static int table_size = 0;
1092 /* Tunis has a 8 day DST region, we need to be careful ... */
1093 #define MAX_DST_WIDTH (365*24*60*60)
1094 #define MAX_DST_SKIP (7*24*60*60)
1096 for (i = 0; i < table_size; i++) {
1097 if (t >= dst_table[i].start && t <= dst_table[i].end)
1101 if (i < table_size) {
1102 zone = dst_table[i].zone;
1107 if (dst_table == NULL)
1108 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1110 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1119 dst_table[i].zone = zone;
1120 dst_table[i].start = dst_table[i].end = t;
1122 /* no entry will cover more than 6 months */
1123 low = t - MAX_DST_WIDTH/2;
1127 high = t + MAX_DST_WIDTH/2;
1132 * Widen the new entry using two bisection searches.
1134 while (low+60*60 < dst_table[i].start) {
1135 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1136 t = dst_table[i].start - MAX_DST_SKIP;
1138 t = low + (dst_table[i].start-low)/2;
1139 if (TimeZone(t) == zone)
1140 dst_table[i].start = t;
1145 while (high-60*60 > dst_table[i].end) {
1146 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1147 t = dst_table[i].end + MAX_DST_SKIP;
1149 t = high - (high-dst_table[i].end)/2;
1150 if (TimeZone(t) == zone)
1151 dst_table[i].end = t;
1161 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1162 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1163 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1164 * daylight savings transitions because some local times are ambiguous.
1165 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
/*
 * Offset to apply to the local time value lt. A first estimate d is taken
 * from TimeZoneFaster(lt); the result is TimeZoneFaster(t) for an adjusted
 * time t (presumably lt + d; its computation is on lines not shown here).
 * The XOR test catches an adjustment that wrapped around: t ended up on the
 * wrong side of lt for the sign of d.
 */
1168 LocTimeDiff(time_t lt)
1170 int d = TimeZoneFaster(lt);
1173 /* if overflow occurred, ignore all the adjustments so far */
1174 if (((t < lt) ^ (d < 0)))
1178 * Now t should be close enough to the true UTC to yield the
1181 return TimeZoneFaster(t);
/*
 * Dissect a 4-byte UTIME field at offset and add it to tree under hf_date.
 * The value is read little-endian with tvb_get_letohl(). 0xffffffff is the
 * "no time" marker and is shown as text. Any other value has the local time
 * offset from LocTimeDiff() added and is displayed with
 * proto_tree_add_time().
 */
1185 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1190 timeval = tvb_get_letohl(tvb, offset);
1191 if (timeval == 0xffffffff) {
1192 proto_tree_add_text(tree, tvb, offset, 4,
1193 "%s: No time specified (0xffffffff)",
1194 proto_registrar_get_name(hf_date));
1200 * We add the local time offset.
1202 ts.secs = timeval + LocTimeDiff(timeval);
1205 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1211 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1214 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1216 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1217 * midnight "UTC", in 100ns units.
1218 * Return TRUE if the conversion succeeds, FALSE otherwise.
1220 * According to the Samba code, it appears to be kludge-GMT (at least for
1221 * file listings). This means it's the GMT you get by taking a local time
1222 * and adding the server time zone offset. This is NOT the same as GMT in
1223 * some cases. However, we don't know the server time zone, so we don't
1224 * do that adjustment.
1226 * This code is based on the Samba code:
1228 * Unix SMB/Netbios implementation.
1230 * time handling functions
1231 * Copyright (C) Andrew Tridgell 1992-1998
/*
 * Convert a FILETIME, passed as its upper and lower 32 bits, into *tv.
 * The value is assembled as a double in seconds, moved to the 1970 epoch by
 * subtracting TIME_FIXUP_CONSTANT, and split into tv->secs and tv->nsecs.
 * filetime_high == 0 is handled as a special case before any arithmetic.
 */
1234 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1237 /* The next two lines are a fix needed for the
1238 broken SCO compiler. JRA. */
1239 time_t l_time_min = TIME_T_MIN;
1240 time_t l_time_max = TIME_T_MAX;
1242 if (filetime_high == 0)
1246 * Get the time as a double, in seconds and fractional seconds.
1248 d = ((double)filetime_high)*4.0*(double)(1<<30);
1252 /* Now adjust by 369 years, to make the seconds since 1970. */
1253 d -= TIME_FIXUP_CONSTANT;
/* Range check before the cast below: converting a double that lies outside
   the range of time_t is undefined behaviour, and the input is packet data. */
1255 if (!(l_time_min <= d && d <= l_time_max))
1259 * Get the time as seconds and nanoseconds.
1261 tv->secs = (time_t) d;
1262 tv->nsecs = (int) ((d - tv->secs)*1000000000);
/*
 * Dissect an 8-byte FILETIME field at offset and add it to tree under
 * hf_date. The low 32 bits are read first, then the high 32 bits, both
 * little-endian. Three values are shown as text instead of a time:
 *   low 0,          high 0           "No time specified (0)"
 *   low 0,          high 0x80000000  "Infinity (relative time)"
 *   low 0xffffffff, high 0x7fffffff  "Infinity (absolute time)"
 * Everything else goes through nt_time_to_nstime(); when that conversion
 * fails the field is shown as "Time can't be converted" rather than as a
 * bogus time.
 */
1268 dissect_smb_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1270 guint32 filetime_high, filetime_low;
1273 /* XXX there seems also to be another special time value which is fairly common :
1275 the meaning of this one is yet unknown
1278 filetime_low = tvb_get_letohl(tvb, offset);
1279 filetime_high = tvb_get_letohl(tvb, offset + 4);
1280 if (filetime_low == 0 && filetime_high == 0) {
1281 proto_tree_add_text(tree, tvb, offset, 8,
1282 "%s: No time specified (0)",
1283 proto_registrar_get_name(hf_date));
1284 } else if(filetime_low==0 && filetime_high==0x80000000){
1285 proto_tree_add_text(tree, tvb, offset, 8,
1286 "%s: Infinity (relative time)",
1287 proto_registrar_get_name(hf_date));
1288 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1289 proto_tree_add_text(tree, tvb, offset, 8,
1290 "%s: Infinity (absolute time)",
1291 proto_registrar_get_name(hf_date));
1293 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1294 proto_tree_add_time(tree, hf_date, tvb,
1297 proto_tree_add_text(tree, tvb, offset, 8,
1298 "%s: Time can't be converted",
1299 proto_registrar_get_name(hf_date));
/*
 * Dissect a 4-byte DOS date/time pair at offset. time_first selects which
 * 16-bit half comes first in the packet. Both halves 0xffff, or both 0, mean
 * "No time specified". Otherwise the bit fields are unpacked into a struct
 * tm (seconds in 2-second units, years counted from 1980).
 *
 * The unpacked fields come straight from the packet, so they are range
 * checked before mktime() is called. The month is tested against 0..11
 * before it is used as an index into mday_leap/mday_noleap; the order of the
 * || operands is what keeps that array access in bounds, so do not reorder
 * them. A value that fails the checks is shown as a text item with the raw
 * DOS time and date beneath it; a valid one is shown with
 * proto_tree_add_time() and the same two sub-items.
 *
 * NOTE(review): no lower bound on tm_mday is visible in the check; a day
 * field of 0 would pass it and be normalised by mktime().
 */
1309 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1310 int hf_date, int hf_dos_date, int hf_dos_time, gboolean time_first)
1312 guint16 dos_time, dos_date;
1313 proto_item *item = NULL;
1314 proto_tree *tree = NULL;
1317 static const int mday_noleap[12] = {
1318 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1320 static const int mday_leap[12] = {
1321 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1323 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1327 dos_time = tvb_get_letohs(tvb, offset);
1328 dos_date = tvb_get_letohs(tvb, offset+2);
1330 dos_date = tvb_get_letohs(tvb, offset);
1331 dos_time = tvb_get_letohs(tvb, offset+2);
1334 if ((dos_date == 0xffff && dos_time == 0xffff) ||
1335 (dos_date == 0 && dos_time == 0)) {
1337 * No date/time specified.
1340 proto_tree_add_text(parent_tree, tvb, offset, 4,
1341 "%s: No time specified (0x%08x)",
1342 proto_registrar_get_name(hf_date),
1343 (dos_date << 16) | dos_time);
1349 tm.tm_sec = (dos_time&0x1f)*2;
1350 tm.tm_min = (dos_time>>5)&0x3f;
1351 tm.tm_hour = (dos_time>>11)&0x1f;
1352 tm.tm_mday = dos_date&0x1f;
1353 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1354 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1358 * Do some sanity checks before calling "mktime()";
1359 * "mktime()" doesn't do them, it "normalizes" out-of-range
1362 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1363 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1364 (ISLEAP(tm.tm_year + 1900) ?
1365 tm.tm_mday > mday_leap[tm.tm_mon] :
1366 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1367 (t = mktime(&tm)) == -1) {
1369 * Invalid date/time.
1372 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1374 proto_registrar_get_name(hf_date));
1375 tree = proto_item_add_subtree(item, ett_smb_time_date);
1377 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1378 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1380 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1381 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1392 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1393 tree = proto_item_add_subtree(item, ett_smb_time_date);
1395 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1396 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1398 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1399 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1409 static const value_string da_access_vals[] = {
1410 { 0, "Open for reading"},
1411 { 1, "Open for writing"},
1412 { 2, "Open for reading and writing"},
1413 { 3, "Open for execute"},
1416 static const value_string da_sharing_vals[] = {
1417 { 0, "Compatibility mode"},
1418 { 1, "Deny read/write/execute (exclusive)"},
1420 { 3, "Deny read/execute"},
1424 static const value_string da_locality_vals[] = {
1425 { 0, "Locality of reference unknown"},
1426 { 1, "Mainly sequential access"},
1427 { 2, "Mainly random access"},
1428 { 3, "Random access with some locality"},
1431 static const true_false_string tfs_da_caching = {
1432 "Do not cache this file",
1433 "Caching permitted on this file"
1435 static const true_false_string tfs_da_writetru = {
1436 "Write through enabled",
1437 "Write through disabled"
/*
 * Dissect a 2-byte access mask at offset. The mask is read little-endian and
 * shown as "<type> Access: 0x....", with type supplied by the caller as the
 * label prefix (it is passed as a %s argument, never as the format string).
 * Beneath that item the write-through, caching, locality, sharing and mode
 * fields are added; each call receives the whole mask, so the per-field bit
 * selection is presumably done by the mask registered for each hf_ field
 * (registration not shown here).
 */
1440 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, char *type)
1443 proto_item *item = NULL;
1444 proto_tree *tree = NULL;
1446 mask = tvb_get_letohs(tvb, offset);
1449 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1450 "%s Access: 0x%04x", type, mask);
1451 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1454 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1455 tvb, offset, 2, mask);
1456 proto_tree_add_boolean(tree, hf_smb_access_caching,
1457 tvb, offset, 2, mask);
1458 proto_tree_add_uint(tree, hf_smb_access_locality,
1459 tvb, offset, 2, mask);
1460 proto_tree_add_uint(tree, hf_smb_access_sharing,
1461 tvb, offset, 2, mask);
1462 proto_tree_add_uint(tree, hf_smb_access_mode,
1463 tvb, offset, 2, mask);
1470 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
1471 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
1472 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
1473 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
1474 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
1475 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
1476 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
1477 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
1478 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
1479 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
1480 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
1481 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
1482 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
1483 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1484 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1486 static const true_false_string tfs_file_attribute_read_only = {
1487 "This file is READ ONLY",
1488 "This file is NOT read only",
1490 static const true_false_string tfs_file_attribute_hidden = {
1491 "This is a HIDDEN file",
1492 "This is NOT a hidden file"
1494 static const true_false_string tfs_file_attribute_system = {
1495 "This is a SYSTEM file",
1496 "This is NOT a system file"
1498 static const true_false_string tfs_file_attribute_volume = {
1499 "This is a VOLUME ID",
1500 "This is NOT a volume ID"
1502 static const true_false_string tfs_file_attribute_directory = {
1503 "This is a DIRECTORY",
1504 "This is NOT a directory"
1506 static const true_false_string tfs_file_attribute_archive = {
1507 "This file has been modified since last ARCHIVE",
1508 "This file has NOT been modified since last archive"
1510 static const true_false_string tfs_file_attribute_device = {
1512 "This is NOT a device"
1514 static const true_false_string tfs_file_attribute_normal = {
1515 "This file is an ordinary file",
1516 "This file has some attribute set"
1518 static const true_false_string tfs_file_attribute_temporary = {
1519 "This is a TEMPORARY file",
1520 "This is NOT a temporary file"
1522 static const true_false_string tfs_file_attribute_sparse = {
1523 "This is a SPARSE file",
1524 "This is NOT a sparse file"
1526 static const true_false_string tfs_file_attribute_reparse = {
1527 "This file has an associated REPARSE POINT",
1528 "This file does NOT have an associated reparse point"
1530 static const true_false_string tfs_file_attribute_compressed = {
1531 "This is a COMPRESSED file",
1532 "This is NOT a compressed file"
1534 static const true_false_string tfs_file_attribute_offline = {
1535 "This file is OFFLINE",
1536 "This file is NOT offline"
1538 static const true_false_string tfs_file_attribute_not_content_indexed = {
1539 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1540 "This file MAY be indexed by the content indexing service"
1542 static const true_false_string tfs_file_attribute_encrypted = {
1543 "This is an ENCRYPTED file",
1544 "This is NOT an encrypted file"
1548 * In some places in the CIFS_TR_1p00.pdf, from SNIA, file attributes are
1549 * listed as USHORT, and seem to be in packets in the wild, while in other
1550 * places they are listed as ULONG, and also seem to be.
1552 * So, I (Richard Sharpe), added a parameter to allow us to specify how many
/*
 * Dissect a file-attributes field that is either 2 or 4 bytes wide.
 * bytes is chosen by the caller, not by the packet; any value other than 2
 * or 4 is a programming error and is reported on stderr (what happens after
 * the message is on lines not shown here).
 *
 * Only 16 bits are read from the packet with tvb_get_letohs(), even when
 * bytes is 4, while every tree item is added with length bytes. Each
 * proto_tree_add_boolean() call receives the whole mask; the per-bit
 * selection is presumably done by the mask registered for each hf_ field.
 */
1557 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
1561 proto_item *item = NULL;
1562 proto_tree *tree = NULL;
1564 if (bytes != 2 && bytes != 4) {
1566 fprintf(stderr, "Incorrect number of bytes passed to dissect_file_attributes.\nMust be 2 or 4, was %d\n", bytes);
1572 * The actual bits of interest appear to only be a USHORT
1574 /* FIXME if this ever changes! */
1575 mask = tvb_get_letohs(tvb, offset);
1578 item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
1579 "File Attributes: 0x%08x", mask);
1580 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1582 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1583 tvb, offset, bytes, mask);
1584 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1585 tvb, offset, bytes, mask);
1586 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1587 tvb, offset, bytes, mask);
1588 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1589 tvb, offset, bytes, mask);
1590 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1591 tvb, offset, bytes, mask);
1592 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1593 tvb, offset, bytes, mask);
1594 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1595 tvb, offset, bytes, mask);
1596 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1597 tvb, offset, bytes, mask);
1598 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1599 tvb, offset, bytes, mask);
1600 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1601 tvb, offset, bytes, mask);
1602 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1603 tvb, offset, bytes, mask);
1604 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1605 tvb, offset, bytes, mask);
1606 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1607 tvb, offset, bytes, mask);
1608 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1609 tvb, offset, bytes, mask);
1610 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1611 tvb, offset, bytes, mask);
/*
 * Dissect a 4-byte extended file-attributes field at offset. The mask is
 * read little-endian with tvb_get_letohl() and shown as
 * "File Attributes: 0x........", with one boolean item per attribute
 * beneath it. The width read (4 bytes) matches the length given to every
 * tree item. Each proto_tree_add_boolean() call receives the whole mask;
 * the per-bit selection is presumably done by the mask registered for each
 * hf_ field (registration not shown here).
 */
1620 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1623 proto_item *item = NULL;
1624 proto_tree *tree = NULL;
1626 mask = tvb_get_letohl(tvb, offset);
1629 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1630 "File Attributes: 0x%08x", mask);
1631 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1635 * XXX - Network Monitor disagrees on some of the
1636 * bits, e.g. the bits above temporary are "atomic write"
1637 * and "transaction write", and it says nothing about the
1640 * Does the Win32 API documentation, or the NT Native API book,
1643 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1644 tvb, offset, 4, mask);
1645 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1646 tvb, offset, 4, mask);
1647 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1648 tvb, offset, 4, mask);
1649 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1650 tvb, offset, 4, mask);
1651 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1652 tvb, offset, 4, mask);
1653 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1654 tvb, offset, 4, mask);
1655 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1656 tvb, offset, 4, mask);
1657 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1658 tvb, offset, 4, mask);
1659 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1660 tvb, offset, 4, mask);
1661 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1662 tvb, offset, 4, mask);
1663 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1664 tvb, offset, 4, mask);
1665 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1666 tvb, offset, 4, mask);
1667 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1668 tvb, offset, 4, mask);
1669 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1670 tvb, offset, 4, mask);
1671 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1672 tvb, offset, 4, mask);
/*
 * Dissect a 1-byte file-attributes field at offset, as used in directory
 * information entries (judging by the name). The byte is read with
 * tvb_get_guint8() and shown as "File Attributes: 0x..", with the read-only,
 * hidden, system, volume, directory and archive flags beneath it. The width
 * read (1 byte) matches the length given to every tree item.
 */
1680 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1683 proto_item *item = NULL;
1684 proto_tree *tree = NULL;
1686 mask = tvb_get_guint8(tvb, offset);
1689 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1690 "File Attributes: 0x%02x", mask);
1691 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1693 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1694 tvb, offset, 1, mask);
1695 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1696 tvb, offset, 1, mask);
1697 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1698 tvb, offset, 1, mask);
1699 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1700 tvb, offset, 1, mask);
1701 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1702 tvb, offset, 1, mask);
1703 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1704 tvb, offset, 1, mask);
1711 static const true_false_string tfs_search_attribute_read_only = {
1712 "Include READ ONLY files in search results",
1713 "Do NOT include read only files in search results",
1715 static const true_false_string tfs_search_attribute_hidden = {
1716 "Include HIDDEN files in search results",
1717 "Do NOT include hidden files in search results"
1719 static const true_false_string tfs_search_attribute_system = {
1720 "Include SYSTEM files in search results",
1721 "Do NOT include system files in search results"
1723 static const true_false_string tfs_search_attribute_volume = {
1724 "Include VOLUME IDs in search results",
1725 "Do NOT include volume IDs in search results"
1727 static const true_false_string tfs_search_attribute_directory = {
1728 "Include DIRECTORIES in search results",
1729 "Do NOT include directories in search results"
1731 static const true_false_string tfs_search_attribute_archive = {
1732 "Include ARCHIVE files in search results",
1733 "Do NOT include archive files in search results"
/*
 * Dissect a 2-byte search-attributes field at offset. The mask is read
 * little-endian with tvb_get_letohs() and shown as
 * "Search Attributes: 0x....", with the read-only, hidden, system, volume,
 * directory and archive flags beneath it. The width read (2 bytes) matches
 * the length given to every tree item.
 */
1737 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1740 proto_item *item = NULL;
1741 proto_tree *tree = NULL;
1743 mask = tvb_get_letohs(tvb, offset);
1746 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1747 "Search Attributes: 0x%04x", mask);
1748 tree = proto_item_add_subtree(item, ett_smb_search);
1751 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1752 tvb, offset, 2, mask);
1753 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1754 tvb, offset, 2, mask);
1755 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1756 tvb, offset, 2, mask);
1757 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1758 tvb, offset, 2, mask);
1759 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1760 tvb, offset, 2, mask);
1761 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1762 tvb, offset, 2, mask);
1770 * XXX - this isn't used.
1771 * Is this used for anything? NT Create AndX doesn't use it.
1772 * Is there some 16-bit attribute field with more bits than Read Only,
1773 * Hidden, System, Volume ID, Directory, and Archive?
/*
 * Dissect a file-attributes field using the 16-bit hf_smb_file_attr_* fields
 * plus the device..encrypted flags.
 *
 * NOTE(review): the mask is read as 32 bits with tvb_get_letohl(), but the
 * parent item and every flag item are added with length 2. The read
 * therefore needs 4 bytes at offset while the display claims only 2. If
 * this function is ever put to use, make the width read and the item length
 * agree before relying on it.
 */
1776 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1779 proto_item *item = NULL;
1780 proto_tree *tree = NULL;
1782 mask = tvb_get_letohl(tvb, offset);
1785 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1786 "File Attributes: 0x%08x", mask);
1787 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1789 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1790 tvb, offset, 2, mask);
1791 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1792 tvb, offset, 2, mask);
1793 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1794 tvb, offset, 2, mask);
1795 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1796 tvb, offset, 2, mask);
1797 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1798 tvb, offset, 2, mask);
1799 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1800 tvb, offset, 2, mask);
1801 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1802 tvb, offset, 2, mask);
1803 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1804 tvb, offset, 2, mask);
1805 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1806 tvb, offset, 2, mask);
1807 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1808 tvb, offset, 2, mask);
1809 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1810 tvb, offset, 2, mask);
1811 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1812 tvb, offset, 2, mask);
1813 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1814 tvb, offset, 2, mask);
1815 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1816 tvb, offset, 2, mask);
1817 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1818 tvb, offset, 2, mask);
1827 #define SERVER_CAP_RAW_MODE 0x00000001
1828 #define SERVER_CAP_MPX_MODE 0x00000002
1829 #define SERVER_CAP_UNICODE 0x00000004
1830 #define SERVER_CAP_LARGE_FILES 0x00000008
1831 #define SERVER_CAP_NT_SMBS 0x00000010
1832 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1833 #define SERVER_CAP_STATUS32 0x00000040
1834 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1835 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1836 #define SERVER_CAP_NT_FIND 0x00000200
1837 #define SERVER_CAP_DFS 0x00001000
1838 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1839 #define SERVER_CAP_LARGE_READX 0x00004000
1840 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1841 #define SERVER_CAP_UNIX 0x00800000
1842 #define SERVER_CAP_RESERVED 0x02000000
1843 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1844 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1845 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1846 static const true_false_string tfs_server_cap_raw_mode = {
1847 "Read Raw and Write Raw are supported",
1848 "Read Raw and Write Raw are not supported"
1850 static const true_false_string tfs_server_cap_mpx_mode = {
1851 "Read Mpx and Write Mpx are supported",
1852 "Read Mpx and Write Mpx are not supported"
1854 static const true_false_string tfs_server_cap_unicode = {
1855 "Unicode strings are supported",
1856 "Unicode strings are not supported"
/*
 * Display strings for the individual bits of the server capabilities field
 * of a negotiate response.  In each pair the first string is the text for a
 * set bit and the second the text for a clear bit.  The extended-security
 * and Unicode capabilities are the ones dissect_negprot_response() later
 * tests to decide how the rest of the response is parsed.
 */
1858 static const true_false_string tfs_server_cap_large_files = {
1859 "Large files are supported",
1860 "Large files are not supported",
1862 static const true_false_string tfs_server_cap_nt_smbs = {
1863 "NT SMBs are supported",
1864 "NT SMBs are not supported"
1866 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1867 "RPC remote APIs are supported",
1868 "RPC remote APIs are not supported"
1870 static const true_false_string tfs_server_cap_nt_status = {
1871 "NT status codes are supported",
1872 "NT status codes are not supported"
1874 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1875 "Level 2 oplocks are supported",
1876 "Level 2 oplocks are not supported"
1878 static const true_false_string tfs_server_cap_lock_and_read = {
1879 "Lock and Read is supported",
1880 "Lock and Read is not supported"
1882 static const true_false_string tfs_server_cap_nt_find = {
1883 "NT Find is supported",
1884 "NT Find is not supported"
1886 static const true_false_string tfs_server_cap_dfs = {
1888 "Dfs is not supported"
1890 static const true_false_string tfs_server_cap_infolevel_passthru = {
1891 "NT information level request passthrough is supported",
1892 "NT information level request passthrough is not supported"
1894 static const true_false_string tfs_server_cap_large_readx = {
1895 "Large Read andX is supported",
1896 "Large Read andX is not supported"
1898 static const true_false_string tfs_server_cap_large_writex = {
1899 "Large Write andX is supported",
1900 "Large Write andX is not supported"
1902 static const true_false_string tfs_server_cap_unix = {
1903 "UNIX extensions are supported",
1904 "UNIX extensions are not supported"
1906 static const true_false_string tfs_server_cap_reserved = {
1910 static const true_false_string tfs_server_cap_bulk_transfer = {
1911 "Bulk Read and Bulk Write are supported",
1912 "Bulk Read and Bulk Write are not supported"
1914 static const true_false_string tfs_server_cap_compressed_data = {
1915 "Compressed data transfer is supported",
1916 "Compressed data transfer is not supported"
1918 static const true_false_string tfs_server_cap_extended_security = {
1919 "Extended security exchanges are supported",
1920 "Extended security exchanges are not supported"
/*
 * Dissect the 32-bit server capabilities field of a negotiate response.
 * The mask is read little-endian from the packet, shown as a
 * "Capabilities: 0x%08x" subtree, and every capability flag is added as a
 * boolean over the same four bytes.
 *
 * dissect_negprot_response() assigns this function's result to caps and
 * then tests SERVER_CAP_EXTENDED_SECURITY and SERVER_CAP_UNICODE on it, so
 * these packet-supplied bits decide how the rest of the response is parsed.
 * NOTE(review): the return statement is not visible in this listing;
 * presumably the mask is returned -- confirm.
 */
1923 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1926 proto_item *item = NULL;
1927 proto_tree *tree = NULL;
/* the whole flag word is fetched once and reused for every bit below */
1929 mask = tvb_get_letohl(tvb, offset);
1932 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1933 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1936 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1937 tvb, offset, 4, mask);
1938 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1939 tvb, offset, 4, mask);
1940 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1941 tvb, offset, 4, mask);
1942 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1943 tvb, offset, 4, mask);
1944 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1945 tvb, offset, 4, mask);
1946 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1947 tvb, offset, 4, mask);
1948 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1949 tvb, offset, 4, mask);
1950 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1951 tvb, offset, 4, mask);
1952 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1953 tvb, offset, 4, mask);
1954 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1955 tvb, offset, 4, mask);
1956 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1957 tvb, offset, 4, mask);
1958 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1959 tvb, offset, 4, mask);
1960 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1961 tvb, offset, 4, mask);
1962 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1963 tvb, offset, 4, mask);
1964 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1965 tvb, offset, 4, mask);
1966 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1967 tvb, offset, 4, mask);
1968 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1969 tvb, offset, 4, mask);
1970 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1971 tvb, offset, 4, mask);
1972 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1973 tvb, offset, 4, mask);
/*
 * Bit values of the raw mode field of a negotiate response and the display
 * strings for each bit (first string: bit set, second: bit clear).
 */
1978 #define RAWMODE_READ 0x01
1979 #define RAWMODE_WRITE 0x02
1980 static const true_false_string tfs_rm_read = {
1981 "Read Raw is supported",
1982 "Read Raw is not supported"
1984 static const true_false_string tfs_rm_write = {
1985 "Write Raw is supported",
1986 "Write Raw is not supported"
/*
 * Dissect the 16-bit raw mode field of a negotiate response: the mask is
 * read little-endian, shown as a "Raw Mode: 0x%04x" subtree, and the
 * read-raw and write-raw bits are added as booleans over the same two bytes.
 * NOTE(review): the return value (presumably the advanced offset, since the
 * caller assigns it to offset) is not visible in this listing -- confirm.
 */
1990 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
1993 proto_item *item = NULL;
1994 proto_tree *tree = NULL;
1996 mask = tvb_get_letohs(tvb, offset);
1999 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
2000 tree = proto_item_add_subtree(item, ett_smb_rawmode);
2003 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
2004 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
/*
 * Bit values of the security mode field of a negotiate response and the
 * display strings for each bit (first string: bit set, second: bit clear).
 * These are the bits to read when triaging a capture for weak session
 * security: a clear password bit is displayed as "PLAINTEXT password", and
 * the two signing bits show whether SMB signatures are enabled and whether
 * they are required.
 */
2011 #define SECURITY_MODE_MODE 0x01
2012 #define SECURITY_MODE_PASSWORD 0x02
2013 #define SECURITY_MODE_SIGNATURES 0x04
2014 #define SECURITY_MODE_SIG_REQUIRED 0x08
2015 static const true_false_string tfs_sm_mode = {
2016 "USER security mode",
2017 "SHARE security mode"
2019 static const true_false_string tfs_sm_password = {
2020 "ENCRYPTED password. Use challenge/response",
2021 "PLAINTEXT password"
2023 static const true_false_string tfs_sm_signatures = {
2024 "Security signatures ENABLED",
2025 "Security signatures NOT enabled"
2027 static const true_false_string tfs_sm_sig_required = {
2028 "Security signatures REQUIRED",
2029 "Security signatures NOT required"
/*
 * Dissect the security mode field of a negotiate response.  Two layouts are
 * handled: a 16-bit field that shows only the mode and password bits, and
 * an 8-bit field that also shows the two signing bits.  In both cases the
 * mask is read from the packet and shown as a "Security Mode" subtree.
 * NOTE(review): the test on wc that selects between the two layouts is not
 * visible in this listing -- confirm which word counts map to which.
 */
2033 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
2036 proto_item *item = NULL;
2037 proto_tree *tree = NULL;
/* 16-bit layout: no signing bits are displayed for this form */
2041 mask = tvb_get_letohs(tvb, offset);
2042 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2043 "Security Mode: 0x%04x", mask);
2044 tree = proto_item_add_subtree(item, ett_smb_mode);
2045 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
2046 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
/* 8-bit layout: mode, password, signatures enabled, signatures required */
2051 mask = tvb_get_guint8(tvb, offset);
2052 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2053 "Security Mode: 0x%02x", mask);
2054 tree = proto_item_add_subtree(item, ett_smb_mode);
2055 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
2056 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
2057 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
2058 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
/*
 * Dissect a negotiate protocol request: a "Requested Dialects" subtree that
 * spans the byte count, holding one "Dialect" entry per offered dialect
 * (a buffer format byte followed by a NUL-terminated dialect name).
 * NOTE(review): the loop around the per-dialect code and the declarations
 * of bc, len and str are not visible in this listing.
 */
2067 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2069 proto_item *it = NULL;
2070 proto_tree *tr = NULL;
2079 it = proto_tree_add_text(tree, tvb, offset, bc,
2080 "Requested Dialects");
2081 tr = proto_item_add_subtree(it, ett_smb_dialects);
2087 proto_item *dit = NULL;
2088 proto_tree *dtr = NULL;
/*
 * len is obtained by scanning the packet for a NUL, not from bc, and the
 * "Dialect: %s" item below is added with len+1 before CHECK_BYTE_COUNT(len)
 * runs.  The string is passed as a %s argument, never as the format.
 * NOTE(review): a dialect name that extends past bc is therefore displayed
 * before the byte-count check rejects it -- consider checking len against
 * bc first.
 */
2090 /* XXX - what if this runs past bc? */
2091 len = tvb_strsize(tvb, offset+1);
2092 str = tvb_get_ptr(tvb, offset+1, len);
2095 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2096 "Dialect: %s", str);
2097 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2101 CHECK_BYTE_COUNT(1);
2102 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2107 CHECK_BYTE_COUNT(len);
2108 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
/*
 * Dissect a negotiate protocol response.  The selected dialect index is
 * shown first.  Two parameter layouts follow in the visible code: one with
 * security mode, 16-bit buffer size, mpx count, VC number, raw mode,
 * session key, server date/time, time zone and a 16-bit encryption key
 * length; and one with security mode, mpx count, VC number, 32-bit buffer
 * sizes, session key, capabilities, 64-bit system time, time zone and an
 * 8-bit encryption key length.  The data section then carries the
 * challenge/response encryption key, the primary domain and server name,
 * or the server GUID and a security blob.
 *
 * All lengths used here (ekl, bc, string lengths) and the capability bits
 * that pick the branch are read from the packet.  The security blob is
 * wrapped in a new tvbuff and apparently passed on through gssapi_handle;
 * si->ct->raw_ntlmssp is set to 0 on that path and to 1 where the comments
 * say there is no blob.
 * NOTE(review): the conditions selecting between the layouts, and any NULL
 * check on si->ct before it is written, are not visible in this listing --
 * confirm both.
 */
2119 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2121 smb_info_t *si = pinfo->private_data;
/* index of the dialect the server picked; 0xffff is displayed as -1 */
2134 dialect = tvb_get_letohs(tvb, offset);
2137 if(dialect==0xffff){
2138 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2139 tvb, offset, 2, dialect,
2140 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2142 proto_tree_add_uint(tree, hf_smb_dialect_index,
2143 tvb, offset, 2, dialect);
2147 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2148 tvb, offset, 2, dialect,
2149 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2152 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2153 tvb, offset, 2, dialect,
2154 "Dialect Index: %u, greater than LANMAN2.1", dialect);
/* fallback: the parameter words are shown undecoded, wc*2 bytes long */
2157 proto_tree_add_text(tree, tvb, offset, wc*2,
2158 "Words for unknown response format");
2167 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2169 /* Maximum Transmit Buffer Size */
2170 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2171 tvb, offset, 2, TRUE);
2174 /* Maximum Multiplex Count */
2175 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2176 tvb, offset, 2, TRUE);
2179 /* Maximum Vcs Number */
2180 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2181 tvb, offset, 2, TRUE);
2185 offset = dissect_negprot_rawmode(tvb, tree, offset);
2188 proto_tree_add_item(tree, hf_smb_session_key,
2189 tvb, offset, 4, TRUE);
2192 /* current time and date at server */
2193 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2197 tz = tvb_get_letohs(tvb, offset);
2198 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2201 /* encryption key length */
2202 ekl = tvb_get_letohs(tvb, offset);
2203 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2206 /* 2 reserved bytes */
2207 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2214 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2216 /* Maximum Multiplex Count */
2217 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2218 tvb, offset, 2, TRUE);
2221 /* Maximum Vcs Number */
2222 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2223 tvb, offset, 2, TRUE);
2226 /* Maximum Transmit Buffer Size */
2227 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2228 tvb, offset, 4, TRUE);
2231 /* maximum raw buffer size */
2232 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2233 tvb, offset, 4, TRUE);
2237 proto_tree_add_item(tree, hf_smb_session_key,
2238 tvb, offset, 4, TRUE);
2241 /* server capabilities */
2242 caps = dissect_negprot_capabilities(tvb, tree, offset);
2246 offset = dissect_smb_64bit_time(tvb, tree, offset,
2247 hf_smb_system_time);
2250 tz = tvb_get_letohs(tvb, offset);
2251 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2253 "Server Time Zone: %d min from UTC", tz);
2256 /* encryption key length */
2257 ekl = tvb_get_guint8(tvb, offset);
2258 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2259 tvb, offset, 1, ekl);
/* ekl is a packet-supplied length; CHECK_BYTE_COUNT(ekl) runs before it is
 * used as the item length */
2269 /* challenge/response encryption key */
2271 CHECK_BYTE_COUNT(ekl);
2272 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2279 * XXX - not present if negotiated dialect isn't
2280 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
2281 * have to see the request, or assume what dialect strings
2282 * were sent, to determine that.
2284 * Is this something other than a primary domain if the
2285 * negotiated dialect is Windows for Workgroups 3.1a?
2286 * It appears to be 8 bytes of binary data in at least
2287 * one capture - is that an encryption key or something
2290 dn = get_unicode_or_ascii_string(tvb, &offset,
2291 si->unicode, &dn_len, FALSE, FALSE, &bc);
2294 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2296 COUNT_BYTES(dn_len);
/* without extended security the data section holds the challenge key and
 * the domain/server strings rather than a GUID and security blob */
2300 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2301 /* challenge/response encryption key */
2302 /* XXX - is this aligned on an even boundary? */
2304 CHECK_BYTE_COUNT(ekl);
2305 proto_tree_add_item(tree, hf_smb_encryption_key,
2306 tvb, offset, ekl, TRUE);
2311 /* this string is special, unicode is flagged in caps */
2312 /* This string is NOT padded to be 16bit aligned.
2313 (seen in actual capture)
2314 XXX - I've seen a capture where it appears to be
2315 so aligned, but I've also seen captures where
2316 it is. The captures where it appeared to be
2317 aligned may have been from buggy servers. */
2318 /* However, don't get rid of existing setting */
2319 si->unicode = (caps&SERVER_CAP_UNICODE) ||
2322 dn = get_unicode_or_ascii_string(tvb,
2323 &offset, si->unicode, &dn_len, TRUE, FALSE,
2327 proto_tree_add_string(tree, hf_smb_primary_domain,
2328 tvb, offset, dn_len, dn);
2329 COUNT_BYTES(dn_len);
2331 /* server name, seen in w2k pro capture */
2332 dn = get_unicode_or_ascii_string(tvb,
2333 &offset, si->unicode, &dn_len, TRUE, FALSE,
2337 proto_tree_add_string(tree, hf_smb_server,
2338 tvb, offset, dn_len, dn);
2339 COUNT_BYTES(dn_len);
2342 proto_item *blob_item;
2345 /* XXX - show it in the standard Microsoft format
2347 CHECK_BYTE_COUNT(16);
2348 proto_tree_add_item(tree, hf_smb_server_guid,
2349 tvb, offset, 16, TRUE);
2352 blob_item = proto_tree_add_item(
2353 tree, hf_smb_security_blob,
2354 tvb, offset, bc, TRUE);
2358 * If Extended security and BCC == 16, then raw
2359 * NTLMSSP is in use. We need to save this info
2363 tvbuff_t *gssapi_tvb;
2364 proto_tree *gssapi_tree;
2366 gssapi_tree = proto_item_add_subtree(
2367 blob_item, ett_smb_secblob);
2369 gssapi_tvb = tvb_new_subset(
2370 tvb, offset, bc, bc);
2373 gssapi_handle, gssapi_tvb, pinfo,
2377 si->ct->raw_ntlmssp = 0;
2384 * There is no blob. We just have to make sure
2385 * that subsequent routines know to call the
2390 si->ct->raw_ntlmssp = 1;
/*
 * Dissect a directory request: a buffer format byte followed by a directory
 * name decoded as Unicode or ASCII according to si->unicode.  The name is
 * added to the tree and appended to the Info column as a %s argument, so
 * packet-supplied text is never used as a format string.
 * NOTE(review): any NULL test on dn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.  pinfo is marked _U_ although it
 * is used.
 */
2404 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2406 smb_info_t *si = pinfo->private_data;
2417 CHECK_BYTE_COUNT(1);
2418 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2422 dn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &dn_len,
2426 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2428 COUNT_BYTES(dn_len);
2430 if (check_col(pinfo->cinfo, COL_INFO)) {
2431 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
/*
 * Command handler with the common dissector signature; its body is not
 * shown in this listing.
 * NOTE(review): by its name this presumably handles commands that carry no
 * parameters or data -- confirm.
 */
2440 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/*
 * Dissect an echo request: a 16-bit little-endian echo count followed by
 * the echo data, which is added with the byte count bc as its length.
 * NOTE(review): where bc is read, and whether the data item is skipped when
 * bc is zero, is not visible in this listing.
 */
2455 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2463 ec = tvb_get_letohs(tvb, offset);
2464 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2471 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissect an echo response: a 16-bit echo sequence number followed by the
 * echo data, which is added with the byte count bc as its length.
 * NOTE(review): where bc is read is not visible in this listing.
 */
2481 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2488 /* echo sequence number */
2489 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2496 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
/*
 * Dissect a tree connect request: three buffers, each introduced by a
 * buffer format byte -- the share path, the password and the service name.
 * The path is also appended to the Info column as a %s argument.
 *
 * The password buffer is added to the tree exactly as it appears in the
 * packet, so a capture containing this command may expose a share
 * credential to anyone who can read the capture file.
 * NOTE(review): any NULL test on an after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
2506 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2508 smb_info_t *si = pinfo->private_data;
2519 CHECK_BYTE_COUNT(1);
2520 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2524 an = get_unicode_or_ascii_string(tvb, &offset,
2525 si->unicode, &an_len, FALSE, FALSE, &bc);
2528 proto_tree_add_string(tree, hf_smb_path, tvb,
2529 offset, an_len, an);
2530 COUNT_BYTES(an_len);
2532 if (check_col(pinfo->cinfo, COL_INFO)) {
2533 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2537 CHECK_BYTE_COUNT(1);
2538 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
/* pwlen comes from scanning the packet for a NUL rather than from bc; it is
 * passed to CHECK_BYTE_COUNT before being used as the item length */
2541 /* password, ANSI */
2542 /* XXX - what if this runs past bc? */
2543 pwlen = tvb_strsize(tvb, offset);
2544 CHECK_BYTE_COUNT(pwlen);
2545 proto_tree_add_item(tree, hf_smb_password,
2546 tvb, offset, pwlen, TRUE);
2550 CHECK_BYTE_COUNT(1);
2551 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2555 an = get_unicode_or_ascii_string(tvb, &offset,
2556 si->unicode, &an_len, FALSE, FALSE, &bc);
2559 proto_tree_add_string(tree, hf_smb_service, tvb,
2560 offset, an_len, an);
2561 COUNT_BYTES(an_len);
/*
 * Dissect a tree connect response: a 16-bit maximum buffer size followed by
 * the 16-bit tree ID assigned to the connection.
 */
2569 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2576 /* Maximum Buffer Size */
2577 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2581 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
/*
 * Display strings for the open function field: the create bit (first
 * string: bit set, second: bit clear) and the value table for the action
 * taken when the file already exists.
 */
2592 static const true_false_string tfs_of_create = {
2593 "Create file if it does not exist",
2594 "Fail if file does not exist"
2596 static const value_string of_open[] = {
2597 { 0, "Fail if file exists"},
2598 { 1, "Open file if it exists"},
2599 { 2, "Truncate file if it exists"},
/*
 * Dissect the 16-bit open function field: the mask is read little-endian,
 * shown as an "Open Function: 0x%04x" subtree, and the create flag and the
 * open action are added from the same two bytes.
 * NOTE(review): the return value (presumably the advanced offset, since
 * callers assign it to offset) is not visible in this listing -- confirm.
 */
2603 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2606 proto_item *item = NULL;
2607 proto_tree *tree = NULL;
2609 mask = tvb_get_letohs(tvb, offset);
2612 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2613 "Open Function: 0x%04x", mask);
2614 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2617 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2618 tvb, offset, 2, mask);
2619 proto_tree_add_uint(tree, hf_smb_open_function_open,
2620 tvb, offset, 2, mask);
/*
 * Display strings for the move flags bits (first string: bit set, second:
 * bit clear).
 */
2628 static const true_false_string tfs_mf_file = {
2629 "Target must be a file",
2630 "Target needn't be a file"
2632 static const true_false_string tfs_mf_dir = {
2633 "Target must be a directory",
2634 "Target needn't be a directory"
2636 static const true_false_string tfs_mf_verify = {
2637 "MUST verify all writes",
2638 "Don't have to verify writes"
/*
 * Dissect the 16-bit flags field of a move request: the mask is read
 * little-endian, shown as a "Flags: 0x%04x" subtree, and the verify,
 * directory and file bits are added as booleans over the same two bytes.
 * NOTE(review): the return value (presumably the advanced offset) is not
 * visible in this listing -- confirm.
 */
2641 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2644 proto_item *item = NULL;
2645 proto_tree *tree = NULL;
2647 mask = tvb_get_letohs(tvb, offset);
2650 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2651 "Flags: 0x%04x", mask);
2652 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2655 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2656 tvb, offset, 2, mask);
2657 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2658 tvb, offset, 2, mask);
2659 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2660 tvb, offset, 2, mask);
/*
 * Display strings for the copy flags bits (first string: bit set, second:
 * bit clear).  The strings of tfs_cf_mode and tfs_cf_ea_action are not
 * shown in this listing.
 */
2667 static const true_false_string tfs_cf_mode = {
2671 static const true_false_string tfs_cf_tree_copy = {
2672 "Copy is a tree copy",
2673 "Copy is a file copy"
2675 static const true_false_string tfs_cf_ea_action = {
/*
 * Dissect the 16-bit flags field of a copy request: the mask is read
 * little-endian, shown as a "Flags: 0x%04x" subtree, and each copy flag is
 * added as a boolean over the same two bytes.  The subtree uses the same
 * ett_smb_move_copy_flags index as dissect_move_flags().
 * NOTE(review): the return value (presumably the advanced offset) is not
 * visible in this listing -- confirm.
 */
2680 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2683 proto_item *item = NULL;
2684 proto_tree *tree = NULL;
2686 mask = tvb_get_letohs(tvb, offset);
2689 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2690 "Flags: 0x%04x", mask);
2691 tree = proto_item_add_subtree(item, ett_smb_move_copy_flags);
2694 proto_tree_add_boolean(tree, hf_smb_copy_flags_ea_action,
2695 tvb, offset, 2, mask);
2696 proto_tree_add_boolean(tree, hf_smb_copy_flags_tree_copy,
2697 tvb, offset, 2, mask);
2698 proto_tree_add_boolean(tree, hf_smb_copy_flags_verify,
2699 tvb, offset, 2, mask);
2700 proto_tree_add_boolean(tree, hf_smb_copy_flags_source_mode,
2701 tvb, offset, 2, mask);
2702 proto_tree_add_boolean(tree, hf_smb_copy_flags_dest_mode,
2703 tvb, offset, 2, mask);
2704 proto_tree_add_boolean(tree, hf_smb_copy_flags_dir,
2705 tvb, offset, 2, mask);
2706 proto_tree_add_boolean(tree, hf_smb_copy_flags_file,
2707 tvb, offset, 2, mask);
/*
 * Dissect a move request: the target TID, the open function and move flags,
 * then the old and the new file name, each preceded by a buffer format
 * byte.  Both names are added to the tree and appended to the Info column
 * as %s arguments, so packet-supplied text is never used as a format
 * string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
2715 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2717 smb_info_t *si = pinfo->private_data;
2727 tid = tvb_get_letohs(tvb, offset);
2728 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2729 "TID (target): 0x%04x", tid);
2733 offset = dissect_open_function(tvb, tree, offset);
2736 offset = dissect_move_flags(tvb, tree, offset);
2741 CHECK_BYTE_COUNT(1);
2742 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2746 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2750 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2751 fn_len, fn, "Old File Name: %s", fn);
2752 COUNT_BYTES(fn_len);
2754 if (check_col(pinfo->cinfo, COL_INFO)) {
2755 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2759 CHECK_BYTE_COUNT(1);
2760 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2764 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2768 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2769 fn_len, fn, "New File Name: %s", fn);
2770 COUNT_BYTES(fn_len);
2772 if (check_col(pinfo->cinfo, COL_INFO)) {
2773 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
/*
 * Dissect a copy request: the target TID, the open function and copy flags,
 * then the source and the destination file name, each preceded by a buffer
 * format byte.  Both names are added to the tree and appended to the Info
 * column as %s arguments, so packet-supplied text is never used as a format
 * string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
2782 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2784 smb_info_t *si = pinfo->private_data;
2794 tid = tvb_get_letohs(tvb, offset);
2795 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2796 "TID (target): 0x%04x", tid);
2800 offset = dissect_open_function(tvb, tree, offset);
2803 offset = dissect_copy_flags(tvb, tree, offset);
2808 CHECK_BYTE_COUNT(1);
2809 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2813 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2817 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2818 fn_len, fn, "Source File Name: %s", fn);
2819 COUNT_BYTES(fn_len);
2821 if (check_col(pinfo->cinfo, COL_INFO)) {
2822 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s", fn);
2826 CHECK_BYTE_COUNT(1);
2827 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2831 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2835 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2836 fn_len, fn, "Destination File Name: %s", fn);
2837 COUNT_BYTES(fn_len);
2839 if (check_col(pinfo->cinfo, COL_INFO)) {
2840 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", fn);
/*
 * Dissect the response to a move or copy request: a 16-bit count of files
 * moved, then a buffer format byte and a file name decoded as Unicode or
 * ASCII according to si->unicode.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
2849 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2851 smb_info_t *si = pinfo->private_data;
2859 /* # of files moved */
2860 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, TRUE);
2866 CHECK_BYTE_COUNT(1);
2867 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2871 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2875 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2877 COUNT_BYTES(fn_len);
/*
 * Dissect an open file request: desired access, search attributes, then a
 * buffer format byte and the file name.  The name is added to the tree and
 * appended to the Info column as a %s argument, so packet-supplied text is
 * never used as a format string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
2885 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2887 smb_info_t *si = pinfo->private_data;
2895 /* desired access */
2896 offset = dissect_access(tvb, tree, offset, "Desired");
2898 /* Search Attributes */
2899 offset = dissect_search_attributes(tvb, tree, offset);
2904 CHECK_BYTE_COUNT(1);
2905 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2909 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
2913 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2915 COUNT_BYTES(fn_len);
2917 if (check_col(pinfo->cinfo, COL_INFO)) {
2918 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Add a file ID to the protocol tree and, when the Info column is in use,
 * append it there as ", FID: 0x%04x".
 *
 * offset and len give the bytes the item covers; dissect_read_file_response()
 * passes 0 and 0 because the FID it shows was remembered from the request
 * rather than read from the response packet.
 */
2927 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2928 int len, guint16 fid)
2930 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2931 if (check_col(pinfo->cinfo, COL_INFO))
2932 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
/*
 * Dissect an open file response: the 16-bit FID, file attributes, last
 * write time, a 32-bit file size and the granted access.
 * pinfo is marked _U_ although it is passed to add_fid().
 */
2936 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2945 fid = tvb_get_letohs(tvb, offset);
2946 add_fid(tvb, pinfo, tree, offset, 2, fid);
2949 /* File Attributes */
2950 offset = dissect_file_attributes(tvb, tree, offset, 2);
2952 /* last write time */
2953 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
2956 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2959 /* granted access */
2960 offset = dissect_access(tvb, tree, offset, "Granted");
/*
 * Dissect a command whose visible parameters are just a 16-bit FID: the
 * value is read little-endian and handed to add_fid().
 * pinfo is marked _U_ although it is passed to add_fid().
 */
2970 dissect_fid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2979 fid = tvb_get_letohs(tvb, offset);
2980 add_fid(tvb, pinfo, tree, offset, 2, fid);
/*
 * Dissect a create file request: file attributes, creation time, then a
 * buffer format byte and the file name.  The name is added to the tree and
 * appended to the Info column as a %s argument, so packet-supplied text is
 * never used as a format string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
2991 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
2993 smb_info_t *si = pinfo->private_data;
3001 /* file attributes */
3002 offset = dissect_file_attributes(tvb, tree, offset, 2);
3005 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3010 CHECK_BYTE_COUNT(1);
3011 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3015 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3019 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3021 COUNT_BYTES(fn_len);
3023 if (check_col(pinfo->cinfo, COL_INFO)) {
3024 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Dissect a close file request: the 16-bit FID followed by the last write
 * time.  pinfo is marked _U_ although it is passed to add_fid().
 */
3033 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3041 fid = tvb_get_letohs(tvb, offset);
3042 add_fid(tvb, pinfo, tree, offset, 2, fid);
3045 /* last write time */
3046 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
/*
 * Dissect a delete file request: search attributes, then a buffer format
 * byte and the file name.  The name is added to the tree and appended to
 * the Info column as a %s argument, so packet-supplied text is never used
 * as a format string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
3056 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3058 smb_info_t *si = pinfo->private_data;
3066 /* search attributes */
3067 offset = dissect_search_attributes(tvb, tree, offset);
3072 CHECK_BYTE_COUNT(1);
3073 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3077 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3081 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3083 COUNT_BYTES(fn_len);
3085 if (check_col(pinfo->cinfo, COL_INFO)) {
3086 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Dissect a rename file request: search attributes, then the old and the
 * new file name, each preceded by a buffer format byte.  Both names are
 * added to the tree and appended to the Info column as %s arguments, so
 * packet-supplied text is never used as a format string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
3095 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3097 smb_info_t *si = pinfo->private_data;
3105 /* search attributes */
3106 offset = dissect_search_attributes(tvb, tree, offset);
3111 CHECK_BYTE_COUNT(1);
3112 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3116 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3120 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3122 COUNT_BYTES(fn_len);
3124 if (check_col(pinfo->cinfo, COL_INFO)) {
3125 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3129 CHECK_BYTE_COUNT(1);
3130 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3134 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3138 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3140 COUNT_BYTES(fn_len);
3142 if (check_col(pinfo->cinfo, COL_INFO)) {
3143 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
/*
 * Dissect an NT rename file request: search attributes, a 16-bit rename
 * level, a 32-bit cluster count, then the old and the new file name, each
 * preceded by a buffer format byte.  Both names are added to the tree and
 * appended to the Info column as %s arguments, so packet-supplied text is
 * never used as a format string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
3152 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3154 smb_info_t *si = pinfo->private_data;
3162 /* search attributes */
3163 offset = dissect_search_attributes(tvb, tree, offset);
3165 proto_tree_add_uint(tree, hf_smb_nt_rename_level, tvb, offset, 2, tvb_get_letohs(tvb, offset));
3168 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, TRUE);
3174 CHECK_BYTE_COUNT(1);
3175 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3179 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3183 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
3185 COUNT_BYTES(fn_len);
3187 if (check_col(pinfo->cinfo, COL_INFO)) {
3188 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
3192 CHECK_BYTE_COUNT(1);
3193 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3197 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3201 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3203 COUNT_BYTES(fn_len);
3205 if (check_col(pinfo->cinfo, COL_INFO)) {
3206 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
/*
 * Dissect a query information request: a buffer format byte followed by the
 * file name.  The name is added to the tree and appended to the Info column
 * as a %s argument, so packet-supplied text is never used as a format
 * string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
3216 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3218 smb_info_t *si = pinfo->private_data;
3229 CHECK_BYTE_COUNT(1);
3230 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3234 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3238 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3240 COUNT_BYTES(fn_len);
3242 if (check_col(pinfo->cinfo, COL_INFO)) {
3243 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Dissect a query information response: file attributes, last write time,
 * a 32-bit file size and 10 reserved bytes.
 */
3252 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3259 /* File Attributes */
3260 offset = dissect_file_attributes(tvb, tree, offset, 2);
3262 /* Last Write Time */
3263 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3266 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
3269 /* 10 reserved bytes */
3270 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
/*
 * Dissect a set information request: file attributes, last write time and
 * 10 reserved bytes, then a buffer format byte and the file name.  The name
 * is added to the tree and appended to the Info column as a %s argument, so
 * packet-supplied text is never used as a format string.
 * NOTE(review): any NULL test on fn after get_unicode_or_ascii_string() is
 * not visible in this listing -- confirm.
 */
3281 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3283 smb_info_t *si = pinfo->private_data;
3291 /* file attributes */
3292 offset = dissect_file_attributes(tvb, tree, offset, 2);
3294 /* last write time */
3295 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3297 /* 10 reserved bytes */
3298 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
3304 CHECK_BYTE_COUNT(1);
3305 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3309 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3313 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3315 COUNT_BYTES(fn_len);
3317 if (check_col(pinfo->cinfo, COL_INFO)) {
3318 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
/*
 * Dissect a read file request: the FID, a 16-bit byte count, a 32-bit file
 * offset and a 16-bit remaining count; the count and offset are appended to
 * the Info column.  On the first pass over the frame the FID is stored in
 * si->sip->extra_info so that the response dissector can show which file
 * the returned data belongs to.
 * pinfo is marked _U_ although it is used.
 */
3327 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3338 fid = tvb_get_letohs(tvb, offset);
3339 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
/*
 * The FID is stored in the pointer as an integer value, not as an address.
 * NOTE(review): si->sip is dereferenced here without a NULL test in the
 * visible lines, whereas dissect_read_file_response() checks
 * si->sip != NULL before reading extra_info -- confirm a guard exists in
 * the lines this listing omits, since a NULL sip would crash the dissector
 * on packet-supplied input.
 */
3341 if (!pinfo->fd->flags.visited) {
3342 /* remember the FID for the processing of the response */
3343 si = (smb_info_t *)pinfo->private_data;
3344 si->sip->extra_info=(void *)fid;
3348 cnt = tvb_get_letohs(tvb, offset);
3349 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3353 ofs = tvb_get_letohl(tvb, offset);
3354 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3357 if (check_col(pinfo->cinfo, COL_INFO))
3358 col_append_fstr(pinfo->cinfo, COL_INFO,
3359 ", %u byte%s at offset %u", cnt,
3360 (cnt == 1) ? "" : "s", ofs);
3363 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
/*
 * Add the file data of a read or write to the tree.  bc is the byte count
 * and datalen the data length.  Leading padding is shown as bc-datalen
 * bytes and skipped; the data is then added either as a complete item of bc
 * bytes or, labelled "Incomplete", as only the tvblen bytes that remain in
 * the tvbuff.
 * NOTE(review): the conditions guarding the padding and "Incomplete"
 * branches are not visible in this listing.  bc and datalen are both
 * packet-derived guint16 values, so bc-datalen is only meaningful when
 * bc > datalen -- confirm that guard, and confirm whether bc is reduced to
 * datalen after the padding is skipped.
 */
3374 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3379 /* We have some initial padding bytes. */
3380 /* XXX - use the data offset here instead? */
3381 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3383 offset += bc-datalen;
/* tvblen is what is actually present, independent of the claimed bc */
3386 tvblen = tvb_length_remaining(tvb, offset);
3388 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3391 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
/*
 * Hand the data of a read or write on a pipe to the DCERPC-over-SMB
 * dissector.  Leading padding is shown as bc-datalen bytes and skipped; the
 * rest is wrapped in a new tvbuff whose length is what remains in the
 * packet (tvblen) and whose reported length is bc, then passed to
 * dissect_pipe_dcerpc() together with the FID.
 * NOTE(review): the condition guarding the padding branch is not visible in
 * this listing; bc and datalen are packet-derived guint16 values, so
 * confirm bc-datalen is only evaluated when bc > datalen.
 */
3398 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3399 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3402 tvbuff_t *dcerpc_tvb;
3405 /* We have some initial padding bytes. */
3406 /* XXX - use the data offset here instead? */
3407 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3409 offset += bc-datalen;
3412 tvblen = tvb_length_remaining(tvb, offset);
3413 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3414 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3423 * transporting DCERPC over SMB seems to be implemented in various
3424 * ways. We might just assume it can be done by an almost random
3425 * mix of Trans/Read/Write calls
3427 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
3428 * and let him sort them out
/*
 * Choose how to dissect the data of a read or write: when the transaction
 * info marks the TID as IPC (SMB_SIF_TID_IS_IPC) and the file offset is 0,
 * the data is treated as DCERPC on a pipe; otherwise it is shown as
 * ordinary file data.  si->sip is tested for NULL before its flags are
 * read.  Returns whatever the chosen helper returns.
 */
3431 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
3432 proto_tree *tree, proto_tree *top_tree, int offset, guint16 bc,
3433 guint16 datalen, guint32 ofs, guint16 fid)
3435 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3437 if( (si->sip && si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3439 return dissect_file_data_dcerpc(tvb, pinfo, tree,
3440 top_tree, offset, bc, datalen, fid);
3442 /* ordinary file data */
3443 return dissect_file_data(tvb, tree, offset, bc, datalen);
/*
 * Dissect a read file response: a 16-bit count and 8 reserved bytes, the
 * FID remembered from the matching request (when that request was seen),
 * then a buffer format byte, a 16-bit data length and the data itself,
 * which may be DCERPC on a pipe.
 * pinfo is marked _U_ although it is used.
 * NOTE(review): the declaration of fid is not visible in this listing; it
 * is passed to dissect_file_data_maybe_dcerpc() even when the request was
 * not seen, so confirm it is initialised.  top_tree is not a parameter of
 * this function and is declared outside this view.
 */
3448 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3452 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3458 cnt = tvb_get_letohs(tvb, offset);
3459 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3462 /* 8 reserved bytes */
3463 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3466 /* If we have seen the request, then print which FID this refers to */
3467 /* first check if we have seen the request */
3468 if(si->sip != NULL && si->sip->frame_req>0){
/* extra_info holds the FID as an integer value stored by the request
 * dissector; offset 0 / length 0 because it is not a field of this packet */
3469 fid=(int)si->sip->extra_info;
3470 add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
3476 CHECK_BYTE_COUNT(1);
3477 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3481 CHECK_BYTE_COUNT(2);
3482 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
/* the file offset is passed as 0 here, so on an IPC TID the data always
 * takes the DCERPC path */
3485 /* file data, might be DCERPC on a pipe */
3487 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3488 top_tree, offset, bc, bc, 0, (guint16) fid);
/*
 * Dissect a lock-and-read response: a 16-bit count and 8 reserved bytes,
 * then a buffer format byte and a 16-bit data length.
 * NOTE(review): whether the data that follows the length is dissected is
 * not visible in this listing.
 */
3498 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3506 cnt = tvb_get_letohs(tvb, offset);
3507 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3510 /* 8 reserved bytes */
3511 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3517 CHECK_BYTE_COUNT(1);
3518 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3522 CHECK_BYTE_COUNT(2);
3523 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3533 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3536 guint16 cnt=0, bc, fid=0;
3542 fid = tvb_get_letohs(tvb, offset);
3543 add_fid(tvb, pinfo, tree, offset, 2, fid);
3547 cnt = tvb_get_letohs(tvb, offset);
3548 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3552 ofs = tvb_get_letohl(tvb, offset);
3553 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3556 if (check_col(pinfo->cinfo, COL_INFO))
3557 col_append_fstr(pinfo->cinfo, COL_INFO,
3558 ", %u byte%s at offset %u", cnt,
3559 (cnt == 1) ? "" : "s", ofs);
3562 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3568 CHECK_BYTE_COUNT(1);
3569 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3573 CHECK_BYTE_COUNT(2);
3574 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3577 /* file data, might be DCERPC on a pipe */
3579 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
3580 top_tree, offset, bc, bc, ofs, fid);
3590 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3598 cnt = tvb_get_letohs(tvb, offset);
3599 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3602 if (check_col(pinfo->cinfo, COL_INFO))
3603 col_append_fstr(pinfo->cinfo, COL_INFO,
3604 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
3614 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3622 fid = tvb_get_letohs(tvb, offset);
3623 add_fid(tvb, pinfo, tree, offset, 2, fid);
3627 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3631 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3642 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3644 smb_info_t *si = pinfo->private_data;
3652 /* 2 reserved bytes */
3653 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3657 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
3662 CHECK_BYTE_COUNT(1);
3663 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3666 /* directory name */
3667 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3671 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3673 COUNT_BYTES(fn_len);
3675 if (check_col(pinfo->cinfo, COL_INFO)) {
3676 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3685 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3687 smb_info_t *si = pinfo->private_data;
3696 fid = tvb_get_letohs(tvb, offset);
3697 add_fid(tvb, pinfo, tree, offset, 2, fid);
3703 CHECK_BYTE_COUNT(1);
3704 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3708 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
3712 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3714 COUNT_BYTES(fn_len);
3721 static const value_string seek_mode_vals[] = {
3722 {0, "From Start Of File"},
3723 {1, "From Current Position"},
3724 {2, "From End Of File"},
3729 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3737 fid = tvb_get_letohs(tvb, offset);
3738 add_fid(tvb, pinfo, tree, offset, 2, fid);
3742 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3746 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3757 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3765 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3776 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3784 fid = tvb_get_letohs(tvb, offset);
3785 add_fid(tvb, pinfo, tree, offset, 2, fid);
3789 offset = dissect_smb_datetime(tvb, tree, offset,
3791 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3794 offset = dissect_smb_datetime(tvb, tree, offset,
3796 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3798 /* last write time */
3799 offset = dissect_smb_datetime(tvb, tree, offset,
3800 hf_smb_last_write_time,
3801 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3811 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3819 offset = dissect_smb_datetime(tvb, tree, offset,
3821 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3824 offset = dissect_smb_datetime(tvb, tree, offset,
3826 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3828 /* last write time */
3829 offset = dissect_smb_datetime(tvb, tree, offset,
3830 hf_smb_last_write_time,
3831 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3834 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3837 /* allocation size */
3838 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3841 /* File Attributes */
3842 offset = dissect_file_attributes(tvb, tree, offset, 2);
3852 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* Dissects a Write And Close request: FID, count, file offset, last
 * write time, 12 reserved bytes, one padding byte, then the file data. */
3861 fid = tvb_get_letohs(tvb, offset);
3862 add_fid(tvb, pinfo, tree, offset, 2, fid);
3866 cnt = tvb_get_letohs(tvb, offset);
3867 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3871 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3874 /* last write time */
3875 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
3878 /* 12 reserved bytes */
3879 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3886 CHECK_BYTE_COUNT(1);
3887 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
/* NOTE(review): cnt is read straight from the packet and is passed as
 * both the byte count and the data length, whereas the other callers of
 * dissect_file_data in this part of the file pass the remaining byte
 * count bc as the first of the two.  A count larger than what is left in
 * the buffer is therefore not limited here; confirm that
 * dissect_file_data or the tvb accessors bound it. */
3890 offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
3899 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3907 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3918 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3927 fid = tvb_get_letohs(tvb, offset);
3928 add_fid(tvb, pinfo, tree, offset, 2, fid);
3932 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3936 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3940 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3944 to = tvb_get_letohl(tvb, offset);
3945 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3948 /* 2 reserved bytes */
3949 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3954 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3966 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
3974 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3978 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3982 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3986 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3989 /* 2 reserved bytes */
3990 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4001 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4009 fid = tvb_get_letohs(tvb, offset);
4010 add_fid(tvb, pinfo, tree, offset, 2, fid);
4014 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4018 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4022 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4025 /* 6 reserved bytes */
4026 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
4037 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4039 guint16 datalen=0, bc;
4045 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4049 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
4052 /* 2 reserved bytes */
4053 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4056 /* data compaction mode */
4057 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4060 /* 2 reserved bytes */
4061 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4065 datalen = tvb_get_letohs(tvb, offset);
4066 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4070 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4076 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4085 static const true_false_string tfs_write_mode_write_through = {
4086 "WRITE THROUGH requested",
4087 "Write through not requested"
4089 static const true_false_string tfs_write_mode_return_remaining = {
4090 "RETURN REMAINING (pipe/dev) requested",
4091 "DON'T return remaining (pipe/dev)"
4093 static const true_false_string tfs_write_mode_raw = {
4094 "Use WriteRawNamedPipe (pipe)",
4095 "DON'T use WriteRawNamedPipe (pipe)"
4097 static const true_false_string tfs_write_mode_message_start = {
4098 "This is the START of a MESSAGE (pipe)",
4099 "This is NOT the start of a message (pipe)"
4101 static const true_false_string tfs_write_mode_connectionless = {
4102 "CONNECTIONLESS mode requested",
4103 "Connectionless mode NOT requested"
4106 #define WRITE_MODE_CONNECTIONLESS 0x0080
4107 #define WRITE_MODE_MESSAGE_START 0x0008
4108 #define WRITE_MODE_RAW 0x0004
4109 #define WRITE_MODE_RETURN_REMAINING 0x0002
4110 #define WRITE_MODE_WRITE_THROUGH 0x0001
4113 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
4116 proto_item *item = NULL;
4117 proto_tree *tree = NULL;
/* Shows the 16-bit little-endian Write Mode word found at offset.
 * bm is a caller-supplied bitmask of WRITE_MODE_* values that selects
 * which flag rows are added; mask is the value read from the packet and
 * is what every row decodes.  Bits set in the packet but not selected
 * by bm appear only in the hex summary line. */
4119 mask = tvb_get_letohs(tvb, offset);
4122 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4123 "Write Mode: 0x%04x", mask);
4124 tree = proto_item_add_subtree(item, ett_smb_rawmode);
4127 if(bm&WRITE_MODE_CONNECTIONLESS){
4128 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
4129 tvb, offset, 2, mask);
4131 if(bm&WRITE_MODE_MESSAGE_START){
4132 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
4133 tvb, offset, 2, mask);
4135 if(bm&WRITE_MODE_RAW){
4136 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
4137 tvb, offset, 2, mask);
4139 if(bm&WRITE_MODE_RETURN_REMAINING){
4140 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
4141 tvb, offset, 2, mask);
4143 if(bm&WRITE_MODE_WRITE_THROUGH){
4144 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
4145 tvb, offset, 2, mask);
4153 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4156 guint16 datalen=0, bc, fid;
/* Dissects a Write Raw request: FID, total data length, reserved bytes,
 * file offset, timeout, write mode, reserved bytes, data length, data
 * offset, then the payload. */
4162 fid = tvb_get_letohs(tvb, offset);
4163 add_fid(tvb, pinfo, tree, offset, 2, fid);
4166 /* total data length */
4167 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4170 /* 2 reserved bytes */
4171 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4175 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4179 to = tvb_get_letohl(tvb, offset);
4180 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
/* 0x0003 is WRITE_MODE_RETURN_REMAINING | WRITE_MODE_WRITE_THROUGH, so
 * only those two flag rows are shown for this command. */
4184 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
4186 /* 4 reserved bytes */
4187 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4191 datalen = tvb_get_letohs(tvb, offset);
4192 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4196 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4202 /* XXX - use the data offset to determine where the data starts? */
/* NOTE(review): datalen is the packet's own Data Length field and the
 * Data Offset field above is displayed but never read, so the payload
 * is assumed to start at the current offset.  Limiting datalen to the
 * remaining byte count bc is left to dissect_file_data -- confirm. */
4203 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4212 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4220 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4231 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4234 guint16 datalen=0, bc, fid;
4240 fid = tvb_get_letohs(tvb, offset);
4241 add_fid(tvb, pinfo, tree, offset, 2, fid);
4244 /* total data length */
4245 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
4248 /* 2 reserved bytes */
4249 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4253 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4257 to = tvb_get_letohl(tvb, offset);
4258 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4262 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
4265 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
4269 datalen = tvb_get_letohs(tvb, offset);
4270 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4274 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
4280 /* XXX - use the data offset to determine where the data starts? */
4281 offset = dissect_file_data(tvb, tree, offset, bc, datalen);
4290 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4298 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
4309 dissect_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4317 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
4328 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
4329 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4330 gboolean has_find_id)
4332 proto_item *item = NULL;
4333 proto_tree *tree = NULL;
4334 smb_info_t *si = pinfo->private_data;
/* Dissects one search resume key into a 21-byte subtree item: a
 * reserved byte, an 11-byte file name, then find-id and cookie fields.
 * Every field is guarded by CHECK_BYTE_COUNT_SUBR before it is added;
 * bcp and trunc are caller-owned and are presumably updated by the
 * *_SUBR macros (their definitions are not shown here). */
4340 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
4342 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
4346 CHECK_BYTE_COUNT_SUBR(1);
4347 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4348 COUNT_BYTES_SUBR(1);
4352 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4354 CHECK_STRING_SUBR(fn);
4355 /* ensure that it's null-terminated */
4356 strncpy(fname, fn, 11);
/* NOTE(review): strncpy() stores no terminator when fn holds 11 or more
 * bytes, and fn is derived from packet data.  fname therefore needs room
 * for 12 bytes and an explicit terminating store after the copy; neither
 * the declaration of fname nor that store is visible in this listing --
 * confirm both.  The item below is added with a fixed length of 11 while
 * the byte count is advanced by fn_len. */
4358 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
4360 COUNT_BYTES_SUBR(fn_len);
4363 CHECK_BYTE_COUNT_SUBR(1);
4364 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, TRUE);
4365 COUNT_BYTES_SUBR(1);
4368 CHECK_BYTE_COUNT_SUBR(4);
4369 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, TRUE);
4370 COUNT_BYTES_SUBR(4);
4373 CHECK_BYTE_COUNT_SUBR(5);
4374 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
4375 COUNT_BYTES_SUBR(5);
4379 CHECK_BYTE_COUNT_SUBR(4);
4380 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4381 COUNT_BYTES_SUBR(4);
4388 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4389 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc,
4390 gboolean has_find_id)
4392 proto_item *item = NULL;
4393 proto_tree *tree = NULL;
4394 smb_info_t *si = pinfo->private_data;
/* Dissects one directory entry into a 46-byte "Directory Information"
 * subtree: resume key, file attributes, last write time, file size and
 * file name.  Each field is guarded by CHECK_BYTE_COUNT_SUBR. */
4400 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4401 "Directory Information");
4402 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4406 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
4407 trunc, has_find_id);
4411 /* File Attributes */
4412 CHECK_BYTE_COUNT_SUBR(1);
4413 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
4416 /* last write time */
4417 CHECK_BYTE_COUNT_SUBR(4);
4418 offset = dissect_smb_datetime(tvb, tree, offset,
4419 hf_smb_last_write_time,
4420 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4425 CHECK_BYTE_COUNT_SUBR(4);
4426 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4427 COUNT_BYTES_SUBR(4);
4431 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4433 CHECK_STRING_SUBR(fn);
4434 /* ensure that it's null-terminated */
4435 strncpy(fname, fn, 13);
/* NOTE(review): strncpy() stores no terminator when fn holds 13 or more
 * bytes, and fn is derived from packet data.  fname therefore needs room
 * for 14 bytes and an explicit terminating store after the copy; neither
 * the declaration of fname nor that store is visible in this listing --
 * confirm both. */
4437 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4439 COUNT_BYTES_SUBR(fn_len);
4447 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
4448 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4449 gboolean has_find_id)
4451 smb_info_t *si = pinfo->private_data;
4462 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4465 /* Search Attributes */
4466 offset = dissect_search_attributes(tvb, tree, offset);
4471 CHECK_BYTE_COUNT(1);
4472 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4476 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
4480 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4482 COUNT_BYTES(fn_len);
4484 if (check_col(pinfo->cinfo, COL_INFO)) {
4485 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4489 CHECK_BYTE_COUNT(1);
4490 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4493 /* resume key length */
4494 CHECK_BYTE_COUNT(2);
4495 rkl = tvb_get_letohs(tvb, offset);
4496 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4501 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4502 &bc, &trunc, has_find_id);
4513 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4514 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4516 return dissect_search_find_request(tvb, pinfo, tree, offset,
4521 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4522 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4524 return dissect_search_find_request(tvb, pinfo, tree, offset,
4529 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo _U_,
4530 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4532 return dissect_search_find_request(tvb, pinfo, tree, offset,
4537 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4538 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
4539 gboolean has_find_id)
4549 count = tvb_get_letohs(tvb, offset);
4550 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4556 CHECK_BYTE_COUNT(1);
4557 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4561 CHECK_BYTE_COUNT(2);
4562 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4566 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4567 &bc, &trunc, has_find_id);
4578 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4580 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4585 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
4587 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
4592 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
4593 proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* Dissects a Find Close response: 2 reserved bytes, buffer format, a
 * 16-bit data length, and that many bytes shown as reserved. */
4602 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4608 CHECK_BYTE_COUNT(1);
4609 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4613 CHECK_BYTE_COUNT(2);
/* NOTE(review): this length is read big-endian (tvb_get_ntohs) while the
 * other 16-bit fields in this part of the file are read with
 * tvb_get_letohs, so a wire value of 01 00 is taken as 0x0100 -- looks
 * like it should be tvb_get_letohs, confirm.  The value is passed to
 * CHECK_BYTE_COUNT before the bytes are added, so a wrong length
 * presumably cuts dissection short rather than reading past the data. */
4614 data_len = tvb_get_ntohs(tvb, offset);
4615 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
4618 if (data_len != 0) {
4619 CHECK_BYTE_COUNT(data_len);
4620 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
4622 COUNT_BYTES(data_len);
4630 static const value_string locking_ol_vals[] = {
4631 {0, "Client is not holding oplock on this file"},
4632 {1, "Level 2 oplock currently held by client"},
4636 static const true_false_string tfs_lock_type_large = {
4637 "Large file locking format requested",
4638 "Large file locking format not requested"
4640 static const true_false_string tfs_lock_type_cancel = {
4641 "Cancel outstanding lock request",
4642 "Don't cancel outstanding lock request"
4644 static const true_false_string tfs_lock_type_change = {
4646 "Don't change lock type"
4648 static const true_false_string tfs_lock_type_oplock = {
4649 "This is an oplock break notification/response",
4650 "This is not an oplock break notification/response"
4652 static const true_false_string tfs_lock_type_shared = {
4653 "This is a shared lock",
4654 "This is an exclusive lock"
4657 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4659 guint8 wc, cmd=0xff, lt=0;
4660 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4662 proto_item *litem = NULL;
4663 proto_tree *ltree = NULL;
4664 proto_item *it = NULL;
4665 proto_tree *tr = NULL;
4666 int old_offset = offset;
/* Dissects a Locking AndX request: the AndX header (next command,
 * reserved byte, offset of the next command), FID, lock type flags,
 * oplock level, timeout, the unlock and lock counts, then the unlock
 * list and the lock list, and finally hands the chained command to
 * dissect_smb_command. */
4670 /* next smb command */
4671 cmd = tvb_get_guint8(tvb, offset);
4673 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4675 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4680 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4684 andxoffset = tvb_get_letohs(tvb, offset);
4685 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4689 fid = tvb_get_letohs(tvb, offset);
4690 add_fid(tvb, pinfo, tree, offset, 2, fid);
4694 lt = tvb_get_guint8(tvb, offset);
4696 litem = proto_tree_add_text(tree, tvb, offset, 1,
4697 "Lock Type: 0x%02x", lt);
4698 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4700 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4701 tvb, offset, 1, lt);
4702 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4703 tvb, offset, 1, lt);
4704 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4705 tvb, offset, 1, lt);
4706 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4707 tvb, offset, 1, lt);
4708 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4709 tvb, offset, 1, lt);
4713 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
4717 to = tvb_get_letohl(tvb, offset);
4719 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4720 else if (to == 0xffffffff)
4721 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4723 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4726 /* number of unlocks */
/* un and ln are 16-bit counts taken from the packet; they presumably
 * drive the two entry loops below (the loop headers are not shown in
 * this listing).  Every field inside the entries is preceded by
 * CHECK_BYTE_COUNT, so the byte count rather than these counts is what
 * limits how far the lists are read. */
4727 un = tvb_get_letohs(tvb, offset);
4728 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4731 /* number of locks */
4732 ln = tvb_get_letohs(tvb, offset);
4733 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4740 old_offset = offset;
4742 it = proto_tree_add_text(tree, tvb, offset, -1,
4744 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4746 proto_item *litem = NULL;
4747 proto_tree *ltree = NULL;
4752 /* large lock format */
4753 litem = proto_tree_add_text(tr, tvb, offset, 20,
4755 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4758 CHECK_BYTE_COUNT(2);
4759 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4762 /* 2 reserved bytes */
4763 CHECK_BYTE_COUNT(2);
4764 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4768 CHECK_BYTE_COUNT(8);
/* NOTE(review): in this unlock list the most significant byte of each
 * 32-bit word goes to buf[3] / buf[7]; the lock list further down puts
 * it in buf[0] / buf[4].  The two lists hand u64toa() opposite byte
 * orders, so one of them presumably prints a wrong 64-bit value --
 * confirm which order u64toa() expects and make both lists agree. */
4769 val=tvb_get_letohl(tvb, offset);
4770 buf[3]=(val>>24)&0xff;
4771 buf[2]=(val>>16)&0xff;
4772 buf[1]=(val>> 8)&0xff;
4774 val=tvb_get_letohl(tvb, offset+4);
4775 buf[7]=(val>>24)&0xff;
4776 buf[6]=(val>>16)&0xff;
4777 buf[5]=(val>> 8)&0xff;
4779 proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
4783 CHECK_BYTE_COUNT(8);
4784 val=tvb_get_letohl(tvb, offset);
4785 buf[3]=(val>>24)&0xff;
4786 buf[2]=(val>>16)&0xff;
4787 buf[1]=(val>> 8)&0xff;
4789 val=tvb_get_letohl(tvb, offset+4);
4790 buf[7]=(val>>24)&0xff;
4791 buf[6]=(val>>16)&0xff;
4792 buf[5]=(val>> 8)&0xff;
4794 proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
4797 /* normal lock format */
4798 litem = proto_tree_add_text(tr, tvb, offset, 10,
4800 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4803 CHECK_BYTE_COUNT(2);
4804 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4808 CHECK_BYTE_COUNT(4);
4809 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4813 CHECK_BYTE_COUNT(4);
4814 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4818 proto_item_set_len(it, offset-old_offset);
4824 old_offset = offset;
4826 it = proto_tree_add_text(tree, tvb, offset, -1,
4828 tr = proto_item_add_subtree(it, ett_smb_locks);
4830 proto_item *litem = NULL;
4831 proto_tree *ltree = NULL;
4836 /* large lock format */
4837 litem = proto_tree_add_text(tr, tvb, offset, 20,
4839 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4842 CHECK_BYTE_COUNT(2);
4843 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4846 /* 2 reserved bytes */
4847 CHECK_BYTE_COUNT(2);
4848 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4852 CHECK_BYTE_COUNT(8);
4853 val=tvb_get_letohl(tvb, offset);
4855 buf[2]=(val>> 8)&0xff;
4856 buf[1]=(val>>16)&0xff;
4857 buf[0]=(val>>24)&0xff;
4858 val=tvb_get_letohl(tvb, offset+4);
4860 buf[6]=(val>> 8)&0xff;
4861 buf[5]=(val>>16)&0xff;
4862 buf[4]=(val>>24)&0xff;
4863 proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
4867 CHECK_BYTE_COUNT(8);
4868 val=tvb_get_letohl(tvb, offset);
4870 buf[2]=(val>> 8)&0xff;
4871 buf[1]=(val>>16)&0xff;
4872 buf[0]=(val>>24)&0xff;
4873 val=tvb_get_letohl(tvb, offset+4);
4875 buf[6]=(val>> 8)&0xff;
4876 buf[5]=(val>>16)&0xff;
4877 buf[4]=(val>>24)&0xff;
4878 proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
4881 /* normal lock format */
/* NOTE(review): this is the lock list, yet the subtree below is created
 * with ett_smb_unlock where the large-format branch above uses
 * ett_smb_lock -- looks like a copy/paste slip; confirm. */
4882 litem = proto_tree_add_text(tr, tvb, offset, 10,
4884 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4887 CHECK_BYTE_COUNT(2);
4888 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4892 CHECK_BYTE_COUNT(4);
4893 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4897 CHECK_BYTE_COUNT(4);
4898 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4902 proto_item_set_len(it, offset-old_offset);
4910 * We ran out of byte count in the middle of dissecting
4911 * the locks or the unlocks; set the size of the item
4912 * we were dissecting.
4914 proto_item_set_len(it, offset-old_offset);
4917 /* call AndXCommand (if there are any) */
/* NOTE(review): andxoffset comes from the packet and is passed on
 * unchanged as the position of the chained command.  Confirm that
 * dissect_smb_command rejects a value pointing back into data that has
 * already been dissected, since nothing here checks it. */
4918 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
4924 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree)
4926 guint8 wc, cmd=0xff;
4927 guint16 andxoffset=0;
4932 /* next smb command */
4933 cmd = tvb_get_guint8(tvb, offset);
4935 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4937 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
4942 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4946 andxoffset = tvb_get_letohs(tvb, offset);
4947 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4954 /* call AndXCommand (if there are any) */
4955 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the open-action value; entries with 0x8000 set
 * describe the same outcome with an oplock granted. */
4961 static const value_string oa_open_vals[] = {
4962 { 0, "No action taken?"},
4963 { 1, "The file existed and was opened"},
4964 { 2, "The file did not exist but was created"},
4965 { 3, "The file existed and was truncated"},
4966 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
4967 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
/* NOTE(review): 0x8002 is listed twice, so a lookup keyed on the value
 * can only ever return one of the two strings.  By the pattern of the
 * entries above, "existed and was truncated" with an oplock is
 * presumably 0x8003 -- confirm against the specification. */
4968 { 0x8002, "The file existed and was truncated, and an OpLock was granted"},
4971 static const true_false_string tfs_oa_lock = {
4972 "File is currently opened only by this user",
4973 "File is opened by another user (or mode not supported by server)"
4976 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4979 proto_item *item = NULL;
4980 proto_tree *tree = NULL;
4982 mask = tvb_get_letohs(tvb, offset);
4985 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4986 "Action: 0x%04x", mask);
4987 tree = proto_item_add_subtree(item, ett_smb_open_action);
4990 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4991 tvb, offset, 2, mask);
4992 proto_tree_add_uint(tree, hf_smb_open_action_open,
4993 tvb, offset, 2, mask);
5000 static const true_false_string tfs_open_flags_add_info = {
5001 "Additional information requested",
5002 "Additional information not requested"
5004 static const true_false_string tfs_open_flags_ex_oplock = {
5005 "Exclusive oplock requested",
5006 "Exclusive oplock not requested"
5008 static const true_false_string tfs_open_flags_batch_oplock = {
5009 "Batch oplock requested",
5010 "Batch oplock not requested"
5012 static const true_false_string tfs_open_flags_ealen = {
5013 "Total length of EAs requested",
5014 "Total length of EAs not requested"
5017 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
5020 proto_item *item = NULL;
5021 proto_tree *tree = NULL;
5023 mask = tvb_get_letohs(tvb, offset);
5026 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5027 "Flags: 0x%04x", mask);
5028 tree = proto_item_add_subtree(item, ett_smb_open_flags);
5032 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
5033 tvb, offset, 2, mask);
5036 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
5037 tvb, offset, 2, mask);
5040 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
5041 tvb, offset, 2, mask);
5044 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
5045 tvb, offset, 2, mask);
5053 static const value_string filetype_vals[] = {
5054 { 0, "Disk file or directory"},
5055 { 1, "Named pipe in byte mode"},
5056 { 2, "Named pipe in message mode"},
5057 { 3, "Spooled printer"},
5061 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5063 guint8 wc, cmd=0xff;
5064 guint16 andxoffset=0, bc;
5065 smb_info_t *si = pinfo->private_data;
5071 /* next smb command */
5072 cmd = tvb_get_guint8(tvb, offset);
5074 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5076 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5081 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5085 andxoffset = tvb_get_letohs(tvb, offset);
5086 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5090 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
5092 /* desired access */
5093 offset = dissect_access(tvb, tree, offset, "Desired");
5095 /* Search Attributes */
5096 offset = dissect_search_attributes(tvb, tree, offset);
5098 /* File Attributes */
5099 offset = dissect_file_attributes(tvb, tree, offset, 2);
5102 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5105 offset = dissect_open_function(tvb, tree, offset);
5107 /* allocation size */
5108 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
5111 /* 8 reserved bytes */
5112 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
5118 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
5122 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5124 COUNT_BYTES(fn_len);
5126 if (check_col(pinfo->cinfo, COL_INFO)) {
5127 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
5132 /* call AndXCommand (if there are any) */
5133 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Display strings for the IPC state bit-fields: blocking behaviour, pipe
 * endpoint, pipe type and read mode.  Presumably attached to the
 * hf_smb_ipc_state_* fields that dissect_ipc_state() adds; the field
 * registrations are not shown here. */
5138 static const true_false_string tfs_ipc_state_nonblocking = {
5139 "Reads/writes return immediately if no data available",
5140 "Reads/writes block if no data available"
5142 static const value_string ipc_state_endpoint_vals[] = {
5143 { 0, "Consumer end of pipe"},
5144 { 1, "Server end of pipe"},
5147 static const value_string ipc_state_pipe_type_vals[] = {
5148 { 0, "Byte stream pipe"},
5149 { 1, "Message pipe"},
5152 static const value_string ipc_state_read_mode_vals[] = {
5153 { 0, "Read pipe as a byte stream"},
5154 { 1, "Read messages from pipe"},
/*
 * Dissect the 16-bit IPC state word at offset.
 *
 * Reads the word little-endian into mask, adds an "IPC State: 0x%04x" text
 * item with an ett_smb_ipc_state subtree, and adds the nonblocking,
 * endpoint, pipe type, read mode and icount fields under it.  Each field is
 * added over the same two bytes with the whole mask as its value; the
 * per-field bit masks are presumably part of the hf registrations (not
 * shown).  The rest of the parameter list is on a line this listing omits;
 * dissect_open_andx_response() passes FALSE as the fourth argument.
 */
5159 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
5163 proto_item *item = NULL;
5164 proto_tree *tree = NULL;
5166 mask = tvb_get_letohs(tvb, offset);
5169 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5170 "IPC State: 0x%04x", mask);
5171 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
5174 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
5175 tvb, offset, 2, mask);
5177 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
5178 tvb, offset, 2, mask);
5179 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
5180 tvb, offset, 2, mask);
5182 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
5183 tvb, offset, 2, mask);
5185 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
5186 tvb, offset, 2, mask);
/*
 * Dissect an Open AndX response.
 *
 * Adds the AndX header (next command, reserved byte, AndX offset), the FID
 * (via add_fid), file attributes, last write time, a 4-byte file size,
 * granted access, a 2-byte file type, the IPC state word, the open action,
 * a 4-byte server FID and 2 reserved bytes, then passes the chained command
 * and andxoffset to dissect_smb_command().
 *
 * All values come from the capture.  andxoffset in particular is used as
 * the next command's offset with no range check visible in this function.
 * Some source lines are missing from this listing (non-contiguous gutter
 * numbers), including the offset increments.
 */
5195 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5197 guint8 wc, cmd=0xff;
5198 guint16 andxoffset=0, bc;
5203 /* next smb command */
5204 cmd = tvb_get_guint8(tvb, offset);
5206 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5208 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5213 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5217 andxoffset = tvb_get_letohs(tvb, offset);
5218 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5222 fid = tvb_get_letohs(tvb, offset);
5223 add_fid(tvb, pinfo, tree, offset, 2, fid);
5226 /* File Attributes */
5227 offset = dissect_file_attributes(tvb, tree, offset, 2);
5229 /* last write time */
5230 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
5233 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
5236 /* granted access */
5237 offset = dissect_access(tvb, tree, offset, "Granted");
5240 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
5244 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
5247 offset = dissect_open_action(tvb, tree, offset);
5250 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
5253 /* 2 reserved bytes */
5254 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5261 /* call AndXCommand (if there are any) */
5262 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Read AndX request.
 *
 * Adds the AndX header, the FID, a 4-byte offset, max count low, min count,
 * a 32-bit max count high (skipped when it is 0xffffffff, which is treated
 * as padding), the remaining count and a 4-byte high offset, appends
 * "<n> byte(s) at offset <ofs>" to COL_INFO, and passes the chained command
 * and andxoffset to dissect_smb_command().
 *
 * On the first pass over a frame the FID is saved in si->sip->extra_info so
 * that the response dissector can show it.  All values are packet-supplied.
 * Some source lines are missing from this listing (non-contiguous gutter
 * numbers), including several declarations and the offset increments.
 */
5268 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5270 guint8 wc, cmd=0xff;
5271 guint16 andxoffset=0, bc, maxcnt_low;
5272 guint32 maxcnt_high;
5280 /* next smb command */
5281 cmd = tvb_get_guint8(tvb, offset);
5283 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5285 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5290 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5294 andxoffset = tvb_get_letohs(tvb, offset);
5295 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5299 fid = tvb_get_letohs(tvb, offset);
5300 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
/* The FID is stored by casting the integer into the pointer slot.
 * NOTE(review): no NULL test of si->sip is visible before this store,
 * whereas the response dissector tests si->sip != NULL before reading it;
 * confirm sip is always set when a request is dissected. */
5302 if (!pinfo->fd->flags.visited) {
5303 /* remember the FID for the processing of the response */
5304 si = (smb_info_t *)pinfo->private_data;
5305 si->sip->extra_info=(void *)fid;
5309 ofs = tvb_get_letohl(tvb, offset);
5310 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5314 maxcnt_low = tvb_get_letohs(tvb, offset);
5315 proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
5319 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
5325 * XXX - we should really only do this in case we have seen
5326 * LARGE FILE being negotiated. Unfortunately, we might not
5327 * have seen the negotiation phase in the capture....
5329 * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
5330 * it's 32 bits, but the description says "High 16 bits of
5331 * MaxCount if CAP_LARGE_READX".
5333 * The SMB File Sharing Protocol Extensions Version 2.0,
5334 * Document Version 3.3 spec doesn't speak of an extra 16
5335 * bits in max count, but it does show a 32-bit timeout
5336 * after the min count field.
5338 * Perhaps the 32-bit timeout field was hijacked as a 16-bit
5339 * high count and a 16-bit reserved field.
5341 * We fetch and display it as 32 bits.
5343 * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
5344 * bytes and we just ignore it.
5346 maxcnt_high = tvb_get_letohl(tvb, offset);
5347 if(maxcnt_high==0xffffffff){
5350 proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
/* Fold the low 16 bits under the high part.  maxcnt's declaration is not
 * shown; if it is 32 bits wide, only the low 16 bits of the 32-bit high
 * field survive the shift - presumably intended, given the doubt about the
 * field's real width expressed above. */
5356 maxcnt=(maxcnt<<16)|maxcnt_low;
5358 if (check_col(pinfo->cinfo, COL_INFO))
5359 col_append_fstr(pinfo->cinfo, COL_INFO,
5360 ", %u byte%s at offset %u", maxcnt,
5361 (maxcnt == 1) ? "" : "s", ofs);
5364 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5369 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5377 /* call AndXCommand (if there are any) */
5378 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Read AndX response.
 *
 * Adds the AndX header, the FID remembered from the matching request (only
 * when si->sip is set and frame_req > 0), the remaining count, data
 * compaction mode, 2 reserved bytes, data length low, data offset, a 32-bit
 * data length high (skipped when it is 0xffffffff), and 6 reserved bytes;
 * appends "<n> byte(s)" to COL_INFO; hands the payload to
 * dissect_file_data_maybe_dcerpc(); then passes the chained command and
 * andxoffset to dissect_smb_command().
 *
 * All lengths and offsets are packet-supplied.  NOTE(review): fid is passed
 * to the payload dissector whether or not the request was seen; its
 * declaration is not in this listing, so confirm it is initialised for the
 * request-not-seen path.  Some source lines are missing from this listing
 * (non-contiguous gutter numbers).
 */
5384 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5386 guint8 wc, cmd=0xff;
5387 guint16 andxoffset=0, bc, datalen_low, dataoffset=0;
5388 guint32 datalen=0, datalen_high;
5389 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5394 /* next smb command */
5395 cmd = tvb_get_guint8(tvb, offset);
5397 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5399 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5404 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5408 andxoffset = tvb_get_letohs(tvb, offset);
5409 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* The response carries no FID; it is recovered from the pointer slot that
 * the request dissector filled, and shown as a zero-length item at offset 0. */
5412 /* If we have seen the request, then print which FID this refers to */
5413 /* first check if we have seen the request */
5414 if(si->sip != NULL && si->sip->frame_req>0){
5415 fid=(int)si->sip->extra_info;
5416 add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
5420 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5423 /* data compaction mode */
5424 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
5427 /* 2 reserved bytes */
5428 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5432 datalen_low = tvb_get_letohs(tvb, offset);
5433 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
5437 dataoffset=tvb_get_letohs(tvb, offset);
5438 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5441 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5442 /* data length high */
5443 datalen_high = tvb_get_letohl(tvb, offset);
5444 if(datalen_high==0xffffffff){
5447 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 4, datalen_high);
/* datalen is guint32, so the shift keeps only the low 16 bits of the 32-bit
 * high field above the 16-bit low field */
5451 datalen=datalen_high;
5452 datalen=(datalen<<16)|datalen_low;
5455 if (check_col(pinfo->cinfo, COL_INFO))
5456 col_append_fstr(pinfo->cinfo, COL_INFO,
5457 ", %u byte%s", datalen,
5458 (datalen == 1) ? "" : "s");
5461 /* 6 reserved bytes */
5462 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
5467 /* file data, might be DCERPC on a pipe */
/* datalen is narrowed to guint16 in this call, so a length that uses the
 * high field is truncated for the payload dissector */
5469 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5470 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
5476 /* call AndXCommand (if there are any) */
5477 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX request.
 *
 * Adds the AndX header, the FID, a 4-byte offset, 4 reserved bytes, the
 * write mode, the remaining count, data length high and low (16 bits
 * each), the data offset and a 4-byte high offset; appends
 * "<n> byte(s) at offset <ofs>" to COL_INFO; hands the payload to
 * dissect_file_data_maybe_dcerpc(); then passes the chained command and
 * andxoffset to dissect_smb_command().
 *
 * State kept across packets, written on the first pass only:
 *  - the FID is saved in si->sip->extra_info for the response dissector;
 *  - when the write mode has WRITE_MODE_MESSAGE_START set, the TID is
 *    recorded as TID_IPC in si->ct->tid_service and SMB_SIF_TID_IS_IPC is
 *    set in si->sip->flags.
 * The second item is a heuristic driven entirely by packet contents, so a
 * capture can cause a TID to be classified as IPC for later Read/Write
 * dissection.  NOTE(review): no NULL test of si->sip or si->ct is visible
 * in this listing before they are dereferenced; confirm both are always
 * set here.  Some source lines are missing from this listing
 * (non-contiguous gutter numbers).
 */
5483 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5486 guint8 wc, cmd=0xff;
5487 guint16 andxoffset=0, bc, dataoffset=0, datalen_low, datalen_high;
5489 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5495 /* next smb command */
5496 cmd = tvb_get_guint8(tvb, offset);
5498 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5500 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5505 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5509 andxoffset = tvb_get_letohs(tvb, offset);
5510 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5514 fid = tvb_get_letohs(tvb, offset);
5515 add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
/* the integer FID is cast into the pointer slot, not stored behind it */
5517 if (!pinfo->fd->flags.visited) {
5518 /* remember the FID for the processing of the response */
5519 si->sip->extra_info=(void *)fid;
5523 ofs = tvb_get_letohl(tvb, offset);
5524 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5528 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5532 mode = tvb_get_letohs(tvb, offset);
5533 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
5536 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5539 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5540 /* data length high */
5541 datalen_high = tvb_get_letohs(tvb, offset);
5542 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
5546 datalen_low = tvb_get_letohs(tvb, offset);
5547 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
/* combine the two 16-bit halves; datalen's declaration is not shown,
 * presumably 32 bits wide */
5550 datalen=datalen_high;
5551 datalen=(datalen<<16)|datalen_low;
5554 dataoffset=tvb_get_letohs(tvb, offset);
5555 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5558 /* FIXME: handle Large (48-bit) byte/offset to COL_INFO */
5559 if (check_col(pinfo->cinfo, COL_INFO))
5560 col_append_fstr(pinfo->cinfo, COL_INFO,
5561 ", %u byte%s at offset %u", datalen,
5562 (datalen == 1) ? "" : "s", ofs);
5566 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5572 /* if both the MessageStart and the WriteRawNamedPipe flags are set
5573 the first two bytes of the payload is the length of the data.
5574 Assume that all WriteAndX PDUs that have MESSAGE_START set to
5575 be over the IPC$ share and thus they all transport DCERPC.
5576 (if we didnt already know that from the TreeConnect call)
5578 if(mode&WRITE_MODE_MESSAGE_START){
5579 if(mode&WRITE_MODE_RAW){
5580 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
5586 if(!pinfo->fd->flags.visited){
5587 /* In case we did not see the TreeConnect call,
5588 store this TID here as well as a IPC TID
5589 so we know that future Read/Writes to this
5590 TID is (probably) DCERPC.
5592 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
5593 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
5595 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
5598 si->sip->flags|=SMB_SIF_TID_IS_IPC;
5602 /* file data, might be DCERPC on a pipe */
/* datalen is narrowed to guint16 in this call, so a length that uses the
 * high half is truncated for the payload dissector */
5604 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5605 top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
5611 /* call AndXCommand (if there are any) */
5612 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Write AndX response.
 *
 * Adds the AndX header, the FID remembered from the matching request (only
 * when si->sip is set and frame_req > 0), write count low, the remaining
 * count, write count high and 2 reserved bytes; appends "<n> byte(s)" to
 * COL_INFO; then passes the chained command and andxoffset to
 * dissect_smb_command().
 *
 * All values are packet-supplied; andxoffset is used as the next command's
 * offset with no range check visible in this function.  Some source lines
 * are missing from this listing (non-contiguous gutter numbers), including
 * the declaration and first assignment of count.
 */
5618 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5620 guint8 wc, cmd=0xff;
5621 guint16 andxoffset=0, bc, count_low, count_high;
5627 /* next smb command */
5628 cmd = tvb_get_guint8(tvb, offset);
5630 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5632 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5637 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5641 andxoffset = tvb_get_letohs(tvb, offset);
5642 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
/* the FID was cast into extra_info by the request dissector; it is read
 * back with GPOINTER_TO_UINT and shown as a zero-length item at offset 0 */
5645 /* If we have seen the request, then print which FID this refers to */
5646 si = (smb_info_t *)pinfo->private_data;
5647 /* first check if we have seen the request */
5648 if(si->sip != NULL && si->sip->frame_req>0){
5649 add_fid(tvb, pinfo, tree, 0, 0, (guint16) GPOINTER_TO_UINT(si->sip->extra_info));
5652 /* write count low */
5653 count_low = tvb_get_letohs(tvb, offset);
5654 proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
5658 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5661 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
5662 /* write count high */
5663 count_high = tvb_get_letohs(tvb, offset);
5664 proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
5668 count=(count<<16)|count_low;
5670 if (check_col(pinfo->cinfo, COL_INFO))
5671 col_append_fstr(pinfo->cinfo, COL_INFO,
5672 ", %u byte%s", count,
5673 (count == 1) ? "" : "s");
5675 /* 2 reserved bytes */
5676 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5683 /* call AndXCommand (if there are any) */
5684 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* True/false display strings for the guest flag of the session setup
 * "Action" word. */
5690 static const true_false_string tfs_setup_action_guest = {
5691 "Logged in as GUEST",
5692 "Not logged in as GUEST"
/*
 * Dissect the 16-bit session setup "Action" word at offset.
 *
 * Reads the word little-endian into mask, adds an "Action: 0x%04x" text
 * item with an ett_smb_setup_action subtree, and adds the guest flag under
 * it.  The flag is worth a look when reviewing a capture: it is the field
 * that shows whether the session was set up as GUEST.  The return statement
 * is on a line this listing omits; the caller assigns the result to offset.
 */
5695 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
5698 proto_item *item = NULL;
5699 proto_tree *tree = NULL;
5701 mask = tvb_get_letohs(tvb, offset);
5704 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5705 "Action: 0x%04x", mask);
5706 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5709 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5710 tvb, offset, 2, mask);
/*
 * Dissect a Session Setup AndX request.
 *
 * Word parameters: the AndX header, max buffer size, max multiplex count,
 * VC number and session key, followed by one of three layouts (the branch
 * conditions are on lines this listing omits):
 *   - a single password length and 4 reserved bytes;
 *   - a security blob length, 4 reserved bytes and the capabilities;
 *   - ANSI and Unicode password lengths, 4 reserved bytes and the
 *     capabilities.
 * Byte parameters: either the security blob followed by the OS, LAN Manager
 * and primary domain strings, or the password(s) followed by the account,
 * primary domain, OS and LAN Manager strings.  The account and domain are
 * also appended to COL_INFO after ", User: ".
 *
 * The security blob is handed to the NTLMSSP dissector when
 * si->ct->raw_ntlmssp is set and a 7-byte comparison on the start of the
 * blob succeeds (the comparison call itself is on an omitted line);
 * otherwise it goes to the GSS-API dissector.  The Unicode password is
 * additionally passed to dissect_ntlmv2_response().
 *
 * Review notes:
 *  - pwlen, apwlen, upwlen and sbloblen are packet-supplied lengths.  Each
 *    password add is preceded by CHECK_BYTE_COUNT on its length.  In the
 *    blob path the raw blob item is added with sbloblen before the
 *    CHECK_BYTE_COUNT(sbloblen) line in this listing; NOTE(review): confirm
 *    the lines not shown bound sbloblen before that add.
 *  - si is tested for NULL in the NTLMSSP check but dereferenced as
 *    si->unicode without a test; presumably one of the two is unnecessary.
 *  - The password and blob items place authentication material from the
 *    capture in the protocol tree, so captures and exported dissections of
 *    this PDU should be handled as sensitive data.
 */
5719 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5721 guint8 wc, cmd=0xff;
5723 guint16 andxoffset=0;
5724 smb_info_t *si = pinfo->private_data;
5731 guint16 apwlen=0, upwlen=0;
5735 /* next smb command */
5736 cmd = tvb_get_guint8(tvb, offset);
5738 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5740 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
5745 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5749 andxoffset = tvb_get_letohs(tvb, offset);
5750 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5753 /* Maximum Buffer Size */
5754 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5757 /* Maximum Multiplex Count */
5758 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5762 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5766 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5771 /* password length, ASCII*/
5772 pwlen = tvb_get_letohs(tvb, offset);
5773 proto_tree_add_uint(tree, hf_smb_password_len,
5774 tvb, offset, 2, pwlen);
5777 /* 4 reserved bytes */
5778 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5784 /* security blob length */
5785 sbloblen = tvb_get_letohs(tvb, offset);
5786 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5789 /* 4 reserved bytes */
5790 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5794 dissect_negprot_capabilities(tvb, tree, offset);
5800 /* password length, ANSI*/
5801 apwlen = tvb_get_letohs(tvb, offset);
5802 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5803 tvb, offset, 2, apwlen);
5806 /* password length, Unicode*/
5807 upwlen = tvb_get_letohs(tvb, offset);
5808 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5809 tvb, offset, 2, upwlen);
5812 /* 4 reserved bytes */
5813 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5817 dissect_negprot_capabilities(tvb, tree, offset);
5826 proto_item *blob_item;
5830 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
5831 tvb, offset, sbloblen, TRUE);
5833 /* As an optimization, because Windows is perverse,
5834 we check to see if NTLMSSP is the first part of the
5835 blob, and if so, call the NTLMSSP dissector,
5836 otherwise we call the GSS-API dissector. This is because
5837 Windows can request RAW NTLMSSP, but will happily handle
5838 a client that wraps NTLMSSP in SPNEGO
5843 proto_tree *blob_tree;
5845 blob_tree = proto_item_add_subtree(blob_item,
5847 CHECK_BYTE_COUNT(sbloblen);
5849 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
5852 if (si && si->ct && si->ct->raw_ntlmssp &&
5854 tvb_get_ptr(tvb, offset, 7), 7)) {
5855 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
5860 call_dissector(gssapi_handle, blob_tvb,
5864 COUNT_BYTES(sbloblen);
5868 an = get_unicode_or_ascii_string(tvb, &offset,
5869 si->unicode, &an_len, FALSE, FALSE, &bc);
5872 proto_tree_add_string(tree, hf_smb_os, tvb,
5873 offset, an_len, an);
5874 COUNT_BYTES(an_len);
5877 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5878 * padding/null string/whatever in front of this. W2K doesn't
5879 * appear to. I suspect that's a bug that got fixed; I also
5880 * suspect that, in practice, nobody ever looks at that field
5881 * because the bug didn't appear to get fixed until NT 5.0....
5883 an = get_unicode_or_ascii_string(tvb, &offset,
5884 si->unicode, &an_len, FALSE, FALSE, &bc);
5887 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5888 offset, an_len, an);
5889 COUNT_BYTES(an_len);
5891 /* Primary domain */
5892 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5893 * byte in front of this, at least if all the strings are
5894 * ASCII and the account name is empty. Another bug?
5896 dn = get_unicode_or_ascii_string(tvb, &offset,
5897 si->unicode, &dn_len, FALSE, FALSE, &bc);
5900 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5901 offset, dn_len, dn);
5902 COUNT_BYTES(dn_len);
/* The password lengths below were read from the word parameters.  Each one
 * goes through CHECK_BYTE_COUNT (defined elsewhere; presumably it stops the
 * dissection when the length exceeds the remaining byte count) before the
 * bytes are added to the tree. */
5908 /* password, ASCII */
5909 CHECK_BYTE_COUNT(pwlen);
5910 proto_tree_add_item(tree, hf_smb_password,
5911 tvb, offset, pwlen, TRUE);
5919 /* password, ANSI */
5920 CHECK_BYTE_COUNT(apwlen);
5921 proto_tree_add_item(tree, hf_smb_ansi_password,
5922 tvb, offset, apwlen, TRUE);
5923 COUNT_BYTES(apwlen);
5929 /* password, Unicode */
5930 CHECK_BYTE_COUNT(upwlen);
5931 item = proto_tree_add_item(tree, hf_smb_unicode_password,
5932 tvb, offset, upwlen, TRUE);
5935 proto_tree *subtree;
5937 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
5939 dissect_ntlmv2_response(
5940 tvb, subtree, offset, upwlen);
5943 COUNT_BYTES(upwlen);
5950 an = get_unicode_or_ascii_string(tvb, &offset,
5951 si->unicode, &an_len, FALSE, FALSE, &bc);
5954 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5956 COUNT_BYTES(an_len);
5958 /* Primary domain */
5959 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5960 * byte in front of this, at least if all the strings are
5961 * ASCII and the account name is empty. Another bug?
5963 dn = get_unicode_or_ascii_string(tvb, &offset,
5964 si->unicode, &dn_len, FALSE, FALSE, &bc);
5967 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5968 offset, dn_len, dn);
5969 COUNT_BYTES(dn_len);
5971 if (check_col(pinfo->cinfo, COL_INFO)) {
5972 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5974 if (!dn[0] && !an[0])
5975 col_append_fstr(pinfo->cinfo, COL_INFO,
5978 col_append_fstr(pinfo->cinfo, COL_INFO,
5983 an = get_unicode_or_ascii_string(tvb, &offset,
5984 si->unicode, &an_len, FALSE, FALSE, &bc);
5987 proto_tree_add_string(tree, hf_smb_os, tvb,
5988 offset, an_len, an);
5989 COUNT_BYTES(an_len);
5992 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5993 * padding/null string/whatever in front of this. W2K doesn't
5994 * appear to. I suspect that's a bug that got fixed; I also
5995 * suspect that, in practice, nobody ever looks at that field
5996 * because the bug didn't appear to get fixed until NT 5.0....
5998 an = get_unicode_or_ascii_string(tvb, &offset,
5999 si->unicode, &an_len, FALSE, FALSE, &bc);
6002 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6003 offset, an_len, an);
6004 COUNT_BYTES(an_len);
6009 /* call AndXCommand (if there are any) */
6010 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Session Setup AndX response.
 *
 * Adds the AndX header, the "Action" word (dissect_setup_action), and a
 * security blob length; in the byte parameters, the security blob (handed
 * to the NTLMSSP dissector when si->ct->raw_ntlmssp is set and a 7-byte
 * comparison on the start of the blob succeeds, otherwise to the GSS-API
 * dissector), then the OS, LAN Manager and primary domain strings; then
 * passes the chained command and andxoffset to dissect_smb_command().
 * The conditions selecting which of these are present are on lines this
 * listing omits.
 *
 * Review notes:
 *  - sbloblen is a packet-supplied length.  The raw blob item is added with
 *    sbloblen before the CHECK_BYTE_COUNT(sbloblen) line in this listing;
 *    NOTE(review): confirm the lines not shown bound sbloblen before that
 *    add.
 *  - si is tested for NULL in the NTLMSSP check but dereferenced as
 *    si->unicode without a test; presumably one of the two is unnecessary.
 */
6016 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6018 guint8 wc, cmd=0xff;
6019 guint16 andxoffset=0, bc;
6021 smb_info_t *si = pinfo->private_data;
6027 /* next smb command */
6028 cmd = tvb_get_guint8(tvb, offset);
6030 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6032 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6037 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6041 andxoffset = tvb_get_letohs(tvb, offset);
6042 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6046 offset = dissect_setup_action(tvb, tree, offset);
6049 /* security blob length */
6050 sbloblen = tvb_get_letohs(tvb, offset);
6051 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
6058 proto_item *blob_item;
6062 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
6063 tvb, offset, sbloblen, TRUE);
6067 proto_tree *blob_tree;
6069 blob_tree = proto_item_add_subtree(blob_item,
6071 CHECK_BYTE_COUNT(sbloblen);
6073 blob_tvb = tvb_new_subset(tvb, offset, sbloblen,
6076 if (si && si->ct && si->ct->raw_ntlmssp &&
6078 tvb_get_ptr(tvb, offset, 7), 7)) {
6079 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
6084 call_dissector(gssapi_handle, blob_tvb, pinfo,
6089 COUNT_BYTES(sbloblen);
6094 an = get_unicode_or_ascii_string(tvb, &offset,
6095 si->unicode, &an_len, FALSE, FALSE, &bc);
6098 proto_tree_add_string(tree, hf_smb_os, tvb,
6099 offset, an_len, an);
6100 COUNT_BYTES(an_len);
6103 an = get_unicode_or_ascii_string(tvb, &offset,
6104 si->unicode, &an_len, FALSE, FALSE, &bc);
6107 proto_tree_add_string(tree, hf_smb_lanman, tvb,
6108 offset, an_len, an);
6109 COUNT_BYTES(an_len);
6112 /* Primary domain */
6113 an = get_unicode_or_ascii_string(tvb, &offset,
6114 si->unicode, &an_len, FALSE, FALSE, &bc);
6117 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
6118 offset, an_len, an);
6119 COUNT_BYTES(an_len);
6124 /* call AndXCommand (if there are any) */
6125 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an AndX PDU that carries nothing but the AndX header.
 *
 * Adds the next command byte (shown by name or as "No further commands
 * (0xff)"), one reserved byte and the 16-bit AndX offset, then passes the
 * chained command and andxoffset to dissect_smb_command().
 *
 * andxoffset is read straight from the packet and no range check on it is
 * visible in this function.  NOTE(review): confirm dissect_smb_command()
 * copes with an offset that points backwards or outside the PDU.  Some
 * source lines are missing from this listing (non-contiguous gutter
 * numbers).
 */
6132 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6134 guint8 wc, cmd=0xff;
6135 guint16 andxoffset=0;
6140 /* next smb command */
6141 cmd = tvb_get_guint8(tvb, offset);
6143 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6145 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6150 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6154 andxoffset = tvb_get_letohs(tvb, offset);
6155 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6162 /* call AndXCommand (if there are any) */
6163 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* True/false display strings for the two "Optional Support" bits of the
 * tree connect response: exclusive search support and Dfs membership.  The
 * "true" string of the Dfs entry is on a line this listing omits. */
6169 static const true_false_string tfs_connect_support_search = {
6170 "Exclusive search bits supported",
6171 "Exclusive search bits not supported"
6173 static const true_false_string tfs_connect_support_in_dfs = {
6175 "Share isn't in Dfs"
/*
 * Dissect the 16-bit "Optional Support" word at offset.
 *
 * Reads the word little-endian into mask, adds an
 * "Optional Support: 0x%04x" text item with an ett_smb_connect_support_bits
 * subtree, and adds the search and in-Dfs flags under it, both over the
 * same two bytes with the whole mask as value.  The return statement is on
 * a line this listing omits; the caller assigns the result to offset.
 */
6179 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6182 proto_item *item = NULL;
6183 proto_tree *tree = NULL;
6185 mask = tvb_get_letohs(tvb, offset);
6188 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6189 "Optional Support: 0x%04x", mask);
6190 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
6193 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
6194 tvb, offset, 2, mask);
6195 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
6196 tvb, offset, 2, mask);
/* True/false display strings for the disconnect-TID flag of the tree
 * connect request; the "true" string is on a line this listing omits. */
6203 static const true_false_string tfs_disconnect_tid = {
6205 "Do NOT disconnect TID"
/*
 * Dissect the 16-bit tree connect "Flags" word at offset.
 *
 * Reads the word little-endian into mask, adds a "Flags: 0x%04x" text item
 * with an ett_smb_connect_flags subtree, and adds the disconnect-TID flag
 * under it.  The return statement is on a line this listing omits; the
 * caller assigns the result to offset.
 */
6209 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6212 proto_item *item = NULL;
6213 proto_tree *tree = NULL;
6215 mask = tvb_get_letohs(tvb, offset);
6218 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6219 "Flags: 0x%04x", mask);
6220 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
6223 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
6224 tvb, offset, 2, mask);
/*
 * Dissect a Tree Connect AndX request.
 *
 * Adds the AndX header, the connect flags and the password length; in the
 * byte parameters, the password, the path (also appended to COL_INFO) and
 * the Service string; then passes the chained command and andxoffset to
 * dissect_smb_command().
 *
 * pwlen and all strings are packet-supplied.  The password item places
 * authentication material from the capture in the protocol tree, so
 * captures and exported dissections of this PDU should be handled as
 * sensitive data.  Some source lines are missing from this listing
 * (non-contiguous gutter numbers).
 */
6232 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6234 guint8 wc, cmd=0xff;
6236 guint16 andxoffset=0, pwlen=0;
6237 smb_info_t *si = pinfo->private_data;
6243 /* next smb command */
6244 cmd = tvb_get_guint8(tvb, offset);
6246 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6248 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6253 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6257 andxoffset = tvb_get_letohs(tvb, offset);
6258 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6262 offset = dissect_connect_flags(tvb, tree, offset);
6264 /* password length*/
6265 pwlen = tvb_get_letohs(tvb, offset);
6266 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
/* pwlen came from the word parameters; CHECK_BYTE_COUNT (defined elsewhere,
 * presumably stopping when the length exceeds the remaining byte count)
 * runs before the password bytes are added */
6272 CHECK_BYTE_COUNT(pwlen);
6273 proto_tree_add_item(tree, hf_smb_password,
6274 tvb, offset, pwlen, TRUE);
6278 an = get_unicode_or_ascii_string(tvb, &offset,
6279 si->unicode, &an_len, FALSE, FALSE, &bc);
6282 proto_tree_add_string(tree, hf_smb_path, tvb,
6283 offset, an_len, an);
6284 COUNT_BYTES(an_len);
6286 if (check_col(pinfo->cinfo, COL_INFO)) {
6287 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
6291 * NOTE: the Service string is always ASCII, even if the
6292 * "strings are Unicode" bit is set in the flags2 field
6297 /* XXX - what if this runs past bc? */
/* tvb_strsize() looks for the terminating NUL in the tvbuff, not within bc;
 * the CHECK_BYTE_COUNT on the next line is what compares the result with
 * the byte count */
6298 an_len = tvb_strsize(tvb, offset);
6299 CHECK_BYTE_COUNT(an_len);
6300 an = tvb_get_ptr(tvb, offset, an_len);
6301 proto_tree_add_string(tree, hf_smb_service, tvb,
6302 offset, an_len, an);
6303 COUNT_BYTES(an_len);
6307 /* call AndXCommand (if there are any) */
6308 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect a Tree Connect AndX response.
 *
 * Adds the AndX header, the "Optional Support" word, any further word
 * parameters as raw "Word parameter: 0x%04x" items, the Service string and
 * the file system string; then passes the chained command and andxoffset
 * to dissect_smb_command().
 *
 * State kept across packets, written on the first pass only: the entry for
 * si->tid in si->ct->tid_service is replaced with TID_IPC when the Service
 * string equals "IPC", and with TID_NORMAL otherwise (the else line is not
 * shown).  The classification therefore follows a string taken from the
 * packet.  NOTE(review): no NULL test of si->ct is visible in this listing
 * before it is dereferenced; confirm it is always set here.  Some source
 * lines are missing from this listing (non-contiguous gutter numbers).
 */
6315 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
6317 guint8 wc, wleft, cmd=0xff;
6318 guint16 andxoffset=0;
6322 smb_info_t *si = pinfo->private_data;
6326 wleft = wc; /* this is at least 1 */
6328 /* next smb command */
6329 cmd = tvb_get_guint8(tvb, offset);
6331 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
6333 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
6338 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
6346 andxoffset = tvb_get_letohs(tvb, offset);
6347 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6354 offset = dissect_connect_support_bits(tvb, tree, offset);
6357 /* XXX - I've seen captures where this is 7, but I have no
6358 idea how to dissect it. I'm guessing the third word
6359 contains connect support bits, which looks plausible
6360 from the values I've seen. */
/* wleft starts from the packet's word count; the lines that advance offset
 * and decrement wleft inside the loop are not shown in this listing */
6362 while (wleft != 0) {
6363 proto_tree_add_text(tree, tvb, offset, 2,
6364 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
6372 * NOTE: even though the SNIA CIFS spec doesn't say there's
6373 * a "Service" string if there's a word count of 2, the
6376 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
6378 * (it's in an ugly format - text intended to be sent to a
6379 * printer, with backspaces and overstrikes used for boldfacing
6380 * and underlining; UNIX "col -b" can be used to strip the
6381 * overstrikes out) says there's a "Service" string there, and
6382 * some network traffic has it.
6386 * NOTE: the Service string is always ASCII, even if the
6387 * "strings are Unicode" bit is set in the flags2 field
6392 /* XXX - what if this runs past bc? */
/* tvb_strsize() looks for the terminating NUL in the tvbuff, not within bc;
 * the CHECK_BYTE_COUNT on the next line is what compares the result with
 * the byte count */
6393 an_len = tvb_strsize(tvb, offset);
6394 CHECK_BYTE_COUNT(an_len);
6395 an = tvb_get_ptr(tvb, offset, an_len);
6396 proto_tree_add_string(tree, hf_smb_service, tvb,
6397 offset, an_len, an);
6398 COUNT_BYTES(an_len);
6400 /* Now when we know the service type, store it so that we know it for later commands down
6402 if(!pinfo->fd->flags.visited){
6403 /* Remove any previous entry for this TID */
/* the table is keyed by the TID value cast to a pointer; the stored value
 * is the TID_IPC / TID_NORMAL constant cast the same way */
6404 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
6405 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
6407 if(strcmp(an,"IPC") == 0){
6408 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
6410 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
6418 * Sometimes this isn't present.
6422 an = get_unicode_or_ascii_string(tvb, &offset,
6423 si->unicode, &an_len, /*TRUE*/FALSE, FALSE,
6427 proto_tree_add_string(tree, hf_smb_fs, tvb,
6428 offset, an_len, an);
6429 COUNT_BYTES(an_len);
6435 /* call AndXCommand (if there are any) */
6436 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
6443 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6444 NT Transaction command begins here
6445 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/* NT Transaction subcommand codes 1-8 and their display names.  Unlike the
 * neighbouring tables, nt_cmd_vals is declared without "static". */
6446 #define NT_TRANS_CREATE 1
6447 #define NT_TRANS_IOCTL 2
6448 #define NT_TRANS_SSD 3
6449 #define NT_TRANS_NOTIFY 4
6450 #define NT_TRANS_RENAME 5
6451 #define NT_TRANS_QSD 6
6452 #define NT_TRANS_GET_USER_QUOTA 7
6453 #define NT_TRANS_SET_USER_QUOTA 8
6454 const value_string nt_cmd_vals[] = {
6455 {NT_TRANS_CREATE, "NT CREATE"},
6456 {NT_TRANS_IOCTL, "NT IOCTL"},
6457 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
6458 {NT_TRANS_NOTIFY, "NT NOTIFY"},
6459 {NT_TRANS_RENAME, "NT RENAME"},
6460 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
6461 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
6462 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
/* Display strings for the NT IOCTL request: whether the call is a device
 * IOCTL (0) or an FSCTL (1), and the root-handle flag (bit 0x01). */
6466 static const value_string nt_ioctl_isfsctl_vals[] = {
6467 {0, "Device IOCTL"},
6468 {1, "FS control : FSCTL"},
6472 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
6473 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
6474 "Apply the command to share root handle (MUST BE Dfs)",
6475 "Apply to this share",
/* Display names for NT notify action codes 1-8 and for the watch-tree
 * value (0 = current directory only, 1 = subdirectories also).
 * NOTE(review): the label for action 1 lacks its closing parenthesis. */
6478 static const value_string nt_notify_action_vals[] = {
6479 {1, "ADDED (object was added"},
6480 {2, "REMOVED (object was removed)"},
6481 {3, "MODIFIED (object was modified)"},
6482 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
6483 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
6484 {6, "ADDED_STREAM (a stream was added)"},
6485 {7, "REMOVED_STREAM (a stream was removed)"},
6486 {8, "MODIFIED_STREAM (a stream was modified)"},
6490 static const value_string watch_tree_vals[] = {
6491 {0, "Current directory only"},
6492 {1, "Subdirectories also"},
/* NT_NOTIFY_* bit masks, one bit each from 0x00000001 (file name) up to
 * 0x00000800 (stream write), followed by the true/false display strings
 * for each bit in the same high-to-low order. */
6496 #define NT_NOTIFY_STREAM_WRITE 0x00000800
6497 #define NT_NOTIFY_STREAM_SIZE 0x00000400
6498 #define NT_NOTIFY_STREAM_NAME 0x00000200
6499 #define NT_NOTIFY_SECURITY 0x00000100
6500 #define NT_NOTIFY_EA 0x00000080
6501 #define NT_NOTIFY_CREATION 0x00000040
6502 #define NT_NOTIFY_LAST_ACCESS 0x00000020
6503 #define NT_NOTIFY_LAST_WRITE 0x00000010
6504 #define NT_NOTIFY_SIZE 0x00000008
6505 #define NT_NOTIFY_ATTRIBUTES 0x00000004
6506 #define NT_NOTIFY_DIR_NAME 0x00000002
6507 #define NT_NOTIFY_FILE_NAME 0x00000001
6508 static const true_false_string tfs_nt_notify_stream_write = {
6509 "Notify on changes to STREAM WRITE",
6510 "Do NOT notify on changes to stream write",
6512 static const true_false_string tfs_nt_notify_stream_size = {
6513 "Notify on changes to STREAM SIZE",
6514 "Do NOT notify on changes to stream size",
6516 static const true_false_string tfs_nt_notify_stream_name = {
6517 "Notify on changes to STREAM NAME",
6518 "Do NOT notify on changes to stream name",
6520 static const true_false_string tfs_nt_notify_security = {
6521 "Notify on changes to SECURITY",
6522 "Do NOT notify on changes to security",
6524 static const true_false_string tfs_nt_notify_ea = {
6525 "Notify on changes to EA",
6526 "Do NOT notify on changes to EA",
6528 static const true_false_string tfs_nt_notify_creation = {
6529 "Notify on changes to CREATION TIME",
6530 "Do NOT notify on changes to creation time",
6532 static const true_false_string tfs_nt_notify_last_access = {
6533 "Notify on changes to LAST ACCESS TIME",
6534 "Do NOT notify on changes to last access time",
6536 static const true_false_string tfs_nt_notify_last_write = {
6537 "Notify on changes to LAST WRITE TIME",
6538 "Do NOT notify on changes to last write time",
6540 static const true_false_string tfs_nt_notify_size = {
6541 "Notify on changes to SIZE",
6542 "Do NOT notify on changes to size",
6544 static const true_false_string tfs_nt_notify_attributes = {
6545 "Notify on changes to ATTRIBUTES",
6546 "Do NOT notify on changes to attributes",
6548 static const true_false_string tfs_nt_notify_dir_name = {
6549 "Notify on changes to DIR NAME",
6550 "Do NOT notify on changes to dir name",
6552 static const true_false_string tfs_nt_notify_file_name = {
6553 "Notify on changes to FILE NAME",
6554 "Do NOT notify on changes to file name",
6557 static const value_string create_disposition_vals[] = {
6558 {0, "Supersede (supersede existing file (if it exists))"},
6559 {1, "Open (if file exists open it, else fail)"},
6560 {2, "Create (if file exists fail, else create it)"},
6561 {3, "Open If (if file exists open it, else create it)"},
6562 {4, "Overwrite (if file exists overwrite, else fail)"},
6563 {5, "Overwrite If (if file exists overwrite, else create it)"},
6567 static const value_string impersonation_level_vals[] = {
6569 {1, "Identification"},
6570 {2, "Impersonation"},
6575 static const true_false_string tfs_nt_security_flags_context_tracking = {
6576 "Security tracking mode is DYNAMIC",
6577 "Security tracking mode is STATIC",
6580 static const true_false_string tfs_nt_security_flags_effective_only = {
6581 "ONLY ENABLED aspects of the client's security context are available",
6582 "ALL aspects of the client's security context are available",
6585 static const true_false_string tfs_nt_create_bits_oplock = {
6586 "Requesting OPLOCK",
6587 "Does NOT request oplock"
6590 static const true_false_string tfs_nt_create_bits_boplock = {
6591 "Requesting BATCH OPLOCK",
6592 "Does NOT request batch oplock"
6596 * XXX - must be a directory, and can be a file, or can be a directory,
6597 * and must be a file?
6599 static const true_false_string tfs_nt_create_bits_dir = {
6600 "Target of open MUST be a DIRECTORY",
6601 "Target of open can be a file"
6604 static const true_false_string tfs_nt_create_bits_ext_resp = {
6605 "Extended responses required",
6606 "Extended responses NOT required"
6609 static const true_false_string tfs_nt_access_mask_generic_read = {
6610 "GENERIC READ is set",
6611 "Generic read is NOT set"
6613 static const true_false_string tfs_nt_access_mask_generic_write = {
6614 "GENERIC WRITE is set",
6615 "Generic write is NOT set"
6617 static const true_false_string tfs_nt_access_mask_generic_execute = {
6618 "GENERIC EXECUTE is set",
6619 "Generic execute is NOT set"
6621 static const true_false_string tfs_nt_access_mask_generic_all = {
6622 "GENERIC ALL is set",
6623 "Generic all is NOT set"
6625 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6626 "MAXIMUM ALLOWED is set",
6627 "Maximum allowed is NOT set"
6629 static const true_false_string tfs_nt_access_mask_system_security = {
6630 "SYSTEM SECURITY is set",
6631 "System security is NOT set"
6633 static const true_false_string tfs_nt_access_mask_synchronize = {
6634 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6635 "Can NOT wait on handle to synchronize on completion of I/O"
6637 static const true_false_string tfs_nt_access_mask_write_owner = {
6638 "Can WRITE OWNER (take ownership)",
6639 "Can NOT write owner (take ownership)"
6641 static const true_false_string tfs_nt_access_mask_write_dac = {
6642 "OWNER may WRITE the DAC",
6643 "Owner may NOT write to the DAC"
6645 static const true_false_string tfs_nt_access_mask_read_control = {
6646 "READ ACCESS to owner, group and ACL of the SID",
6647 "Read access is NOT granted to owner, group and ACL of the SID"
6649 static const true_false_string tfs_nt_access_mask_delete = {
6653 static const true_false_string tfs_nt_access_mask_write_attributes = {
6654 "WRITE ATTRIBUTES access",
6655 "NO write attributes access"
6657 static const true_false_string tfs_nt_access_mask_read_attributes = {
6658 "READ ATTRIBUTES access",
6659 "NO read attributes access"
6661 static const true_false_string tfs_nt_access_mask_delete_child = {
6662 "DELETE CHILD access",
6663 "NO delete child access"
6665 static const true_false_string tfs_nt_access_mask_execute = {
6669 static const true_false_string tfs_nt_access_mask_write_ea = {
6670 "WRITE EXTENDED ATTRIBUTES access",
6671 "NO write extended attributes access"
6673 static const true_false_string tfs_nt_access_mask_read_ea = {
6674 "READ EXTENDED ATTRIBUTES access",
6675 "NO read extended attributes access"
6677 static const true_false_string tfs_nt_access_mask_append = {
6681 static const true_false_string tfs_nt_access_mask_write = {
6685 static const true_false_string tfs_nt_access_mask_read = {
6690 static const true_false_string tfs_nt_share_access_delete = {
6691 "Object can be shared for DELETE",
6692 "Object can NOT be shared for delete"
6694 static const true_false_string tfs_nt_share_access_write = {
6695 "Object can be shared for WRITE",
6696 "Object can NOT be shared for write"
6698 static const true_false_string tfs_nt_share_access_read = {
6699 "Object can be shared for READ",
6700 "Object can NOT be shared for read"
6703 static const value_string oplock_level_vals[] = {
6704 {0, "No oplock granted"},
6705 {1, "Exclusive oplock granted"},
6706 {2, "Batch oplock granted"},
6707 {3, "Level II oplock granted"},
6711 static const value_string device_type_vals[] = {
6712 {0x00000001, "Beep"},
6713 {0x00000002, "CDROM"},
6714 {0x00000003, "CDROM Filesystem"},
6715 {0x00000004, "Controller"},
6716 {0x00000005, "Datalink"},
6717 {0x00000006, "Dfs"},
6718 {0x00000007, "Disk"},
6719 {0x00000008, "Disk Filesystem"},
6720 {0x00000009, "Filesystem"},
6721 {0x0000000a, "Inport Port"},
6722 {0x0000000b, "Keyboard"},
6723 {0x0000000c, "Mailslot"},
6724 {0x0000000d, "MIDI-In"},
6725 {0x0000000e, "MIDI-Out"},
6726 {0x0000000f, "Mouse"},
6727 {0x00000010, "Multi UNC Provider"},
6728 {0x00000011, "Named Pipe"},
6729 {0x00000012, "Network"},
6730 {0x00000013, "Network Browser"},
6731 {0x00000014, "Network Filesystem"},
6732 {0x00000015, "NULL"},
6733 {0x00000016, "Parallel Port"},
6734 {0x00000017, "Physical card"},
6735 {0x00000018, "Printer"},
6736 {0x00000019, "Scanner"},
6737 {0x0000001a, "Serial Mouse port"},
6738 {0x0000001b, "Serial port"},
6739 {0x0000001c, "Screen"},
6740 {0x0000001d, "Sound"},
6741 {0x0000001e, "Streams"},
6742 {0x0000001f, "Tape"},
6743 {0x00000020, "Tape Filesystem"},
6744 {0x00000021, "Transport"},
6745 {0x00000022, "Unknown"},
6746 {0x00000023, "Video"},
6747 {0x00000024, "Virtual Disk"},
6748 {0x00000025, "WAVE-In"},
6749 {0x00000026, "WAVE-Out"},
6750 {0x00000027, "8042 Port"},
6751 {0x00000028, "Network Redirector"},
6752 {0x00000029, "Battery"},
6753 {0x0000002a, "Bus Extender"},
6754 {0x0000002b, "Modem"},
6755 {0x0000002c, "VDM"},
6759 static const value_string is_directory_vals[] = {
6760 {0, "This is NOT a directory"},
6761 {1, "This is a DIRECTORY"},
6765 typedef struct _nt_trans_data {
/*
 * Decode the one-byte NT security flags field at 'offset': read the byte,
 * add a "Security Flags" summary item covering it, and list the
 * context-tracking and effective-only bits in a subtree.
 * NOTE(review): this listing skips source lines (the gutter numbers jump),
 * so the declaration of 'mask', any guard around the tree calls and the
 * return statement are not visible; presumably the advanced offset is
 * returned -- confirm against the full file.
 */
6774 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6777 proto_item *item = NULL;
6778 proto_tree *tree = NULL;
6780 mask = tvb_get_guint8(tvb, offset);
6783 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6784 "Security Flags: 0x%02x", mask);
6785 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
/* The whole byte is passed each time; presumably each hf field's own
   bitmask selects the bit it displays. */
6788 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6789 tvb, offset, 1, mask);
6790 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6791 tvb, offset, 1, mask);
/*
 * Decode the 4-byte little-endian share access field at 'offset': add a
 * "Share Access" summary item and, beneath it, the delete, write and read
 * sharing bits taken from the same 32-bit value.
 * NOTE(review): lines are missing from this listing, so the declaration of
 * 'mask' and the function's return are not shown -- confirm against the
 * full file.
 */
6799 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6802 proto_item *item = NULL;
6803 proto_tree *tree = NULL;
6805 mask = tvb_get_letohl(tvb, offset);
6808 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6809 "Share Access: 0x%08x", mask);
6810 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6813 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6814 tvb, offset, 4, mask);
6815 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6816 tvb, offset, 4, mask);
6817 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6818 tvb, offset, 4, mask);
6825 /* FIXME: need to call dissect_nt_access_mask() instead */
/*
 * Decode a 4-byte little-endian access mask at 'offset' as one flat list:
 * an "Access Mask" summary item followed by a boolean for each named right
 * (generic, maximum-allowed, system-security, standard and file-specific
 * bits), all read from the same 32-bit value.
 * The FIXME preceding this function asks for dissect_nt_access_mask() to
 * be used instead; that routine groups the rights into generic, standard
 * and specific subtrees.
 * NOTE(review): lines are missing from this listing, so the declaration of
 * 'mask' and the function's return are not shown -- confirm against the
 * full file.
 */
6828 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6831 proto_item *item = NULL;
6832 proto_tree *tree = NULL;
6834 mask = tvb_get_letohl(tvb, offset);
6837 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6838 "Access Mask: 0x%08x", mask);
6839 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6843 * Some of these bits come from
6845 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6847 * and others come from the section on ZwOpenFile in "Windows(R)
6848 * NT(R)/2000 Native API Reference".
6850 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6851 tvb, offset, 4, mask);
6852 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6853 tvb, offset, 4, mask);
6854 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6855 tvb, offset, 4, mask);
6856 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6857 tvb, offset, 4, mask);
6858 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6859 tvb, offset, 4, mask);
6860 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6861 tvb, offset, 4, mask);
6862 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6863 tvb, offset, 4, mask);
6864 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6865 tvb, offset, 4, mask);
6866 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6867 tvb, offset, 4, mask);
6868 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6869 tvb, offset, 4, mask);
6870 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6871 tvb, offset, 4, mask);
6872 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6873 tvb, offset, 4, mask);
6874 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6875 tvb, offset, 4, mask);
6876 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6877 tvb, offset, 4, mask);
6878 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6879 tvb, offset, 4, mask);
6880 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6881 tvb, offset, 4, mask);
6882 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6883 tvb, offset, 4, mask);
6884 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6885 tvb, offset, 4, mask);
6886 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6887 tvb, offset, 4, mask);
6888 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6889 tvb, offset, 4, mask);
/*
 * Decode the 4-byte little-endian create flags at 'offset': add a
 * "Create Flags" summary item and, beneath it, the extended-response,
 * directory, batch-oplock and oplock bits.
 * The embedded XXX note records that the meaning of the 0x00000010 bit
 * (shown here as "extended response") is disputed between Samba and
 * observed Windows behaviour, so treat that decoded line with care.
 * NOTE(review): lines are missing from this listing, so the declaration of
 * 'mask' and the function's return are not shown -- confirm against the
 * full file.
 */
6897 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6900 proto_item *item = NULL;
6901 proto_tree *tree = NULL;
6903 mask = tvb_get_letohl(tvb, offset);
6906 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6907 "Create Flags: 0x%08x", mask);
6908 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6912 * XXX - it's 0x00000016 in at least one capture, but
6913 * Network Monitor doesn't say what the 0x00000010 bit is.
6914 * Does the Win32 API documentation, or NT Native API book,
6917 * That is the extended response desired bit ... RJS, from Samba
6918 * Well, maybe. Samba thinks it is, and uses it to encode
6919 * OpLock granted as the high order bit of the Action field
6920 * in the response. However, Windows does not do that. Or at least
6923 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_ext_resp,
6924 tvb, offset, 4, mask);
6925 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6926 tvb, offset, 4, mask);
6927 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6928 tvb, offset, 4, mask);
6929 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6930 tvb, offset, 4, mask);
6938 * XXX - there are some more flags in the description of "ZwOpenFile()"
6939 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6940 * the wire as well? (The spec at
6942 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6944 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6945 * via the SMB protocol. The NT redirector should convert this option
6946 * to FILE_WRITE_THROUGH."
6948 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6949 * values one would infer from their position in the list of flags for
6950 * "ZwOpenFile()". Most of the others probably have those values
6951 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6952 * which might go over the wire (for the benefit of backup/restore software).
6954 static const true_false_string tfs_nt_create_options_directory = {
6955 "File being created/opened must be a directory",
6956 "File being created/opened must not be a directory"
6958 static const true_false_string tfs_nt_create_options_write_through = {
6959 "Writes should flush buffered data before completing",
6960 "Writes need not flush buffered data before completing"
6962 static const true_false_string tfs_nt_create_options_sequential_only = {
6963 "The file will only be accessed sequentially",
6964 "The file might not only be accessed sequentially"
6966 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6967 "All operations SYNCHRONOUS, waits subject to termination from alert",
6968 "Operations NOT necessarily synchronous"
6970 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6971 "All operations SYNCHRONOUS, waits not subject to alert",
6972 "Operations NOT necessarily synchronous"
6974 static const true_false_string tfs_nt_create_options_non_directory = {
6975 "File being created/opened must not be a directory",
6976 "File being created/opened must be a directory"
6978 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6979 "The client does not understand extended attributes",
6980 "The client understands extended attributes"
6982 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6983 "The client understands only 8.3 file names",
6984 "The client understands long file names"
6986 static const true_false_string tfs_nt_create_options_random_access = {
6987 "The file will be accessed randomly",
6988 "The file will not be accessed randomly"
6990 static const true_false_string tfs_nt_create_options_delete_on_close = {
6991 "The file should be deleted when it is closed",
6992 "The file should not be deleted when it is closed"
/*
 * Decode the 4-byte little-endian create options at 'offset': add a
 * "Create Options" summary item and, beneath it, ten option bits
 * (directory, write-through, sequential-only, sync I/O alert / nonalert,
 * non-directory, no-EA-knowledge, 8.3-only, random-access,
 * delete-on-close).
 * The comment preceding the option strings notes that several of these bit
 * positions are inferred from the ZwOpenFile() flag list rather than
 * confirmed on the wire.
 * NOTE(review): lines are missing from this listing, so the declaration of
 * 'mask' and the function's return are not shown -- confirm against the
 * full file.
 */
6996 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6999 proto_item *item = NULL;
7000 proto_tree *tree = NULL;
7002 mask = tvb_get_letohl(tvb, offset);
7005 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7006 "Create Options: 0x%08x", mask);
7007 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
7013 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
7015 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
7016 tvb, offset, 4, mask);
7017 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
7018 tvb, offset, 4, mask);
7019 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
7020 tvb, offset, 4, mask);
7021 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
7022 tvb, offset, 4, mask);
7023 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
7024 tvb, offset, 4, mask);
7025 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
7026 tvb, offset, 4, mask);
7027 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
7028 tvb, offset, 4, mask);
7029 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
7030 tvb, offset, 4, mask);
7031 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
7032 tvb, offset, 4, mask);
7033 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
7034 tvb, offset, 4, mask);
/*
 * Decode the 4-byte little-endian notify completion filter at 'offset':
 * add a "Completion Filter" summary item and, beneath it, twelve booleans
 * whose field names parallel the NT_NOTIFY_ bit definitions (stream
 * write/size/name, security, EA, creation, last access, last write, size,
 * attributes, dir name, file name).
 * NOTE(review): lines are missing from this listing, so the declaration of
 * 'mask' and the function's return are not shown -- confirm against the
 * full file.
 */
7042 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7045 proto_item *item = NULL;
7046 proto_tree *tree = NULL;
7048 mask = tvb_get_letohl(tvb, offset);
7051 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7052 "Completion Filter: 0x%08x", mask);
7053 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
7056 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
7057 tvb, offset, 4, mask);
7058 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
7059 tvb, offset, 4, mask);
7060 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
7061 tvb, offset, 4, mask);
7062 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
7063 tvb, offset, 4, mask);
7064 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
7065 tvb, offset, 4, mask);
7066 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
7067 tvb, offset, 4, mask);
7068 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
7069 tvb, offset, 4, mask);
7070 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
7071 tvb, offset, 4, mask);
7072 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
7073 tvb, offset, 4, mask);
7074 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
7075 tvb, offset, 4, mask);
7076 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
7077 tvb, offset, 4, mask);
7078 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
7079 tvb, offset, 4, mask);
/*
 * Decode the one-byte NT IOCTL flags field at 'offset': add a summary item
 * and, beneath it, the root-handle bit.
 * NOTE(review): the summary label reads "Completion Filter", the same text
 * dissect_nt_notify_completion_filter() uses, although this subtree is
 * ett_smb_nt_ioctl_flags and holds the root-handle flag. It looks like a
 * copy-and-paste leftover; the label is user-visible, so confirm before
 * changing it.
 * NOTE(review): lines are missing from this listing, so the declaration of
 * 'mask' and the function's return are not shown.
 */
7086 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7089 proto_item *item = NULL;
7090 proto_tree *tree = NULL;
7092 mask = tvb_get_guint8(tvb, offset);
7095 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7096 "Completion Filter: 0x%02x", mask);
7097 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
7100 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
7101 tvb, offset, 1, mask);
7108 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
7109 * Native API Reference".
7111 static const true_false_string tfs_nt_qsd_owner = {
7112 "Requesting OWNER security information",
7113 "NOT requesting owner security information",
7116 static const true_false_string tfs_nt_qsd_group = {
7117 "Requesting GROUP security information",
7118 "NOT requesting group security information",
7121 static const true_false_string tfs_nt_qsd_dacl = {
7122 "Requesting DACL security information",
7123 "NOT requesting DACL security information",
7126 static const true_false_string tfs_nt_qsd_sacl = {
7127 "Requesting SACL security information",
7128 "NOT requesting SACL security information",
/*
 * Bit values of the 32-bit security information mask: which parts of a
 * security descriptor (owner, group, DACL, SACL) are being requested, per
 * the accompanying display strings. The names parallel the hf_smb_nt_qsd_
 * fields added by dissect_security_information_mask(); the registrations
 * that bind them are outside this listing.
 */
7131 #define NT_QSD_OWNER 0x00000001
7132 #define NT_QSD_GROUP 0x00000002
7133 #define NT_QSD_DACL 0x00000004
7134 #define NT_QSD_SACL 0x00000008
/*
 * Decode the 4-byte little-endian security information mask at 'offset':
 * add a "Security Information" summary item and, beneath it, the owner,
 * group, DACL and SACL request bits.
 * NOTE(review): lines are missing from this listing, so the declaration of
 * 'mask' and the function's return are not shown -- confirm against the
 * full file.
 */
7137 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7140 proto_item *item = NULL;
7141 proto_tree *tree = NULL;
7143 mask = tvb_get_letohl(tvb, offset);
7146 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
7147 "Security Information: 0x%08x", mask);
7148 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
7151 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
7152 tvb, offset, 4, mask);
7153 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
7154 tvb, offset, 4, mask);
7155 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
7156 tvb, offset, 4, mask);
7157 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
7158 tvb, offset, 4, mask);
/*
 * Cleanup callback: release the GString passed as 'arg' together with its
 * character data (second argument TRUE). dissect_nt_sid() registers it via
 * CLEANUP_PUSH for its temporary sub-authority string.
 */
7166 free_g_string(void *arg)
7168 g_string_free(arg, TRUE);
7171 /* Dissect a NT SID. Label it with 'name' and return a string version of
7172 the SID in the 'sid_str' parameter which must be freed by the caller.
7173 hf_sid can be -1 if the caller doesn't care what name is used and then
7174 "smb.sid" will be the default instead. If the caller wants a more
7175 appropriate hf field, it will just pass a FT_STRING hf field here
/*
 * Decode an NT SID starting at 'offset' and add it to 'parent_tree' under
 * 'hf_sid', labelled with 'name'.
 *
 * Visible steps: read the revision byte and the sub-authority count, fold
 * the identifier-authority bytes into 'auth', append each sub-authority
 * (read little-endian) to a GString, build the "S-1-..." text in
 * 'sid_string', look up a name for it when sid_name_snooping is set, then
 * add a string item with revision / count / authority / sub-authority /
 * RID detail lines. *sid_str is set to a newly allocated copy
 * (g_strdup / g_strdup_printf) that the caller must free.
 *
 * NOTE(review): lines are missing from this listing (the gutter numbers
 * jump), so several declarations, the switch on 'revision', the branch
 * conditions and the return are not shown -- confirm against the full file.
 */
7179 dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree, char *name,
7180 char **sid_str, int hf_sid)
7182 proto_item *item = NULL;
7183 proto_tree *tree = NULL;
7184 int old_offset = offset, sa_offset = offset;
7185 gboolean rid_present;
7192 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
7195 char sid_string[245];
7202 /* revision of sid */
7203 revision = tvb_get_guint8(tvb, offset);
7204 rev_offset = offset;
7209 case 2: /* Not sure what the different revision numbers mean */
7210 /* number of authorities*/
/* num_auth is a single byte taken from the packet, so it is
   sender-controlled and can be as large as 255. */
7211 num_auth = tvb_get_guint8(tvb, offset);
7215 /* XXX perhaps we should have these thing searchable?
7216 a new FT_xxx thingie? SMB is quite common!*/
7217 /* identifier authorities */
/* The authority is displayed below as a 6-byte field but accumulated into
   a guint; presumably the leading bytes are shifted out when they are
   non-zero (see the FIXME on 'auth'). */
7220 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
7227 gstr = g_string_new("");
/* Register gstr so that CLEANUP_CALL_AND_POP at the end frees it;
   presumably this also covers an exception raised by a tvb accessor --
   confirm against the CLEANUP_ macro definitions. */
7229 CLEANUP_PUSH(free_g_string, gstr);
7231 /* sub authorities, leave RID to last */
/* With more than four sub-authorities the last one is held back here and
   read separately as the RID. */
7232 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
7234 * XXX should not be letohl but native byteorder according to
7235 * Samba header files.
7237 * However, considering that there were never any NT ports
7238 * to big-endian platforms (PowerPC and MIPS ran little-endian,
7239 * and IA-64 runs little-endian, as does x86-64), we can (?)
7240 * assume that non le byte encodings will be "uncommon"?
7242 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"),
7243 tvb_get_letohl(tvb, offset));
7249 rid = tvb_get_letohl(tvb, offset);
/*
 * NOTE(review): unbounded write into a fixed-size stack buffer.
 * sid_string is 245 bytes, num_auth comes from the packet, and gstr grows
 * by up to 11 characters per sub-authority, so about twenty ten-digit
 * sub-authorities already exceed the buffer. No visible line limits
 * num_auth (lines are missing from this listing -- confirm). Both
 * sprintf() calls should be length-bounded, e.g.
 * g_snprintf(sid_string, sizeof sid_string, ...), or the text should be
 * built in a growable string as gstr is.
 */
7253 sprintf(sid_string, "S-1-%u-%s-%u", auth, gstr->str, rid);
7256 sprintf(sid_string, "S-1-%u-%s", auth, gstr->str);
7260 if(sid_name_snooping){
7261 sid_name=find_sid_name(sid_string);
7266 item = proto_tree_add_string_format(parent_tree, hf_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s (%s)", name, sid_string, sid_name);
7268 item = proto_tree_add_string_format(parent_tree, hf_sid, tvb, old_offset, offset-old_offset, sid_string, "%s: %s", name, sid_string);
7270 tree = proto_item_add_subtree(item, ett_smb_sid);
7273 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, rev_offset, 1, TRUE);
7274 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, na_offset, 1, TRUE);
7275 proto_tree_add_text(tree, tvb, na_offset+1, 6, "Authority: %u", auth);
7276 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
7279 proto_tree_add_text(tree, tvb, rid_offset, 4, "RID: %u", rid);
/* Ownership of the copy passes to the caller, who must free it. */
7284 *sid_str = g_strdup_printf("%s (%s)", sid_string, sid_name);
7286 *sid_str = g_strdup(sid_string);
7290 CLEANUP_CALL_AND_POP;
7298 static const value_string ace_type_vals[] = {
7299 { 0, "Access Allowed"},
7300 { 1, "Access Denied"},
7301 { 2, "System Audit"},
7302 { 3, "System Alarm"},
7305 static const true_false_string tfs_ace_flags_object_inherit = {
7306 "Subordinate files will inherit this ACE",
7307 "Subordinate files will not inherit this ACE"
7309 static const true_false_string tfs_ace_flags_container_inherit = {
7310 "Subordinate containers will inherit this ACE",
7311 "Subordinate containers will not inherit this ACE"
7313 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
7314 "Subordinate object will not propagate the inherited ACE further",
7315 "Subordinate object will propagate the inherited ACE further"
7317 static const true_false_string tfs_ace_flags_inherit_only = {
7318 "This ACE does not apply to the current object",
7319 "This ACE applies to the current object"
7321 static const true_false_string tfs_ace_flags_inherited_ace = {
7322 "This ACE was inherited from its parent object",
7323 "This ACE was not inherited from its parent object"
7325 static const true_false_string tfs_ace_flags_successful_access = {
7326 "Successful accesses will be audited",
7327 "Successful accesses will not be audited"
7329 static const true_false_string tfs_ace_flags_failed_access = {
7330 "Failed accesses will be audited",
7331 "Failed accesses will not be audited"
/*
 * Append 'string', formatted with the separator 'sep', to the text of
 * 'item'. Only two lines of the macro appear in this listing; the test on
 * 'flag' and any update of 'sep' are on the omitted lines -- confirm
 * against the full file.
 */
7334 #define APPEND_ACE_TEXT(flag, item, string) \
7337 proto_item_append_text(item, string, sep); \
/*
 * Decode the one-byte ACE flags field at 'offset': add an "NT ACE Flags"
 * summary item, list each flag as a boolean beneath it, and use
 * APPEND_ACE_TEXT to append the flag's name to an item's text.
 * Bits handled, high to low: 0x80 failed access, 0x40 successful access,
 * 0x10 inherited ACE, 0x08 inherit only, 0x04 no propagate inherit,
 * 0x02 container inherit, 0x01 object inherit. Bit 0x20 is not decoded by
 * any visible line.
 * NOTE(review): lines are missing from this listing, including the rest of
 * the parameter list, the declaration of 'mask' and 'sep', and the return
 * -- confirm against the full file.
 */
7342 dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
7345 proto_item *item = NULL;
7346 proto_tree *tree = NULL;
7350 mask = tvb_get_guint8(tvb, offset);
7357 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
7358 "NT ACE Flags: 0x%02x", mask);
7359 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
7362 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
7363 tvb, offset, 1, mask);
7364 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
7366 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
7367 tvb, offset, 1, mask);
7368 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
7370 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
7371 tvb, offset, 1, mask);
7372 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
7374 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
7375 tvb, offset, 1, mask);
7376 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
7378 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
7379 tvb, offset, 1, mask);
7380 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
7382 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
7383 tvb, offset, 1, mask);
7384 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
7386 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
7387 tvb, offset, 1, mask);
7388 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
7395 /* Dissect an access mask. All this stuff is kind of explained at MSDN:
7397 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/windows_2000_windows_nt_access_mask_format.asp
/*
 * Subtree (ett_) and header-field (hf_) handles used by
 * dissect_nt_access_mask(): one subtree each for the mask and its generic,
 * standard and specific groups, plus one field per displayed bit. All
 * start at -1 and are presumably assigned when the fields are registered
 * (registration is outside this listing).
 */
7401 static gint ett_nt_access_mask = -1;
7402 static gint ett_nt_access_mask_generic = -1;
7403 static gint ett_nt_access_mask_standard = -1;
7404 static gint ett_nt_access_mask_specific = -1;
7406 static int hf_access_sacl = -1;
7407 static int hf_access_maximum_allowed = -1;
7408 static int hf_access_generic_read = -1;
7409 static int hf_access_generic_write = -1;
7410 static int hf_access_generic_execute = -1;
7411 static int hf_access_generic_all = -1;
7412 static int hf_access_standard_delete = -1;
7413 static int hf_access_standard_read_control = -1;
7414 static int hf_access_standard_synchronise = -1;
7415 static int hf_access_standard_write_dac = -1;
7416 static int hf_access_standard_write_owner = -1;
7417 static int hf_access_specific_15 = -1;
7418 static int hf_access_specific_14 = -1;
7419 static int hf_access_specific_13 = -1;
7420 static int hf_access_specific_12 = -1;
7421 static int hf_access_specific_11 = -1;
7422 static int hf_access_specific_10 = -1;
7423 static int hf_access_specific_9 = -1;
7424 static int hf_access_specific_8 = -1;
7425 static int hf_access_specific_7 = -1;
7426 static int hf_access_specific_6 = -1;
7427 static int hf_access_specific_5 = -1;
7428 static int hf_access_specific_4 = -1;
7429 static int hf_access_specific_3 = -1;
7430 static int hf_access_specific_2 = -1;
7431 static int hf_access_specific_1 = -1;
7432 static int hf_access_specific_0 = -1;
7434 /* Map generic permissions to specific permissions */
/*
 * Rewrite *access_mask in place: for each of GENERIC_READ, GENERIC_WRITE,
 * GENERIC_EXECUTE and GENERIC_ALL that is set, clear the generic bit and
 * OR in the rights that 'mapping' assigns to it. Bits that are not set are
 * left untouched.
 * 'mapping' is dereferenced without a NULL check; the visible caller,
 * dissect_nt_access_mask(), tests the pointer before calling.
 */
7436 static void map_generic_access(guint32 *access_mask,
7437 struct generic_mapping *mapping)
7439 if (*access_mask & GENERIC_READ_ACCESS) {
7440 *access_mask &= ~GENERIC_READ_ACCESS;
7441 *access_mask |= mapping->generic_read;
7444 if (*access_mask & GENERIC_WRITE_ACCESS) {
7445 *access_mask &= ~GENERIC_WRITE_ACCESS;
7446 *access_mask |= mapping->generic_write;
7449 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
7450 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
7451 *access_mask |= mapping->generic_execute;
7454 if (*access_mask & GENERIC_ALL_ACCESS) {
7455 *access_mask &= ~GENERIC_ALL_ACCESS;
7456 *access_mask |= mapping->generic_all;
7460 /* Map standard permissions to specific permissions */
/*
 * Rewrite *access_mask in place: READ_CONTROL, when set, is cleared and
 * replaced by mapping->std_read; if any of DELETE, WRITE_DAC, WRITE_OWNER
 * or SYNCHRONIZE is set, all four are cleared and mapping->std_all is ORed
 * in. A single one of those four bits is therefore enough to add the whole
 * std_all set to the result.
 * 'mapping' is dereferenced without a NULL check; the visible caller,
 * dissect_nt_access_mask(), tests the pointer before calling.
 */
7462 static void map_standard_access(guint32 *access_mask,
7463 struct standard_mapping *mapping)
7465 if (*access_mask & READ_CONTROL_ACCESS) {
7466 *access_mask &= ~READ_CONTROL_ACCESS;
7467 *access_mask |= mapping->std_read;
7470 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|
7471 SYNCHRONIZE_ACCESS)) {
7472 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|
7473 WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
7474 *access_mask |= mapping->std_all;
7480 dissect_nt_access_mask(tvbuff_t *tvb, gint offset, packet_info *pinfo,
7481 proto_tree *tree, guint8 *drep, int hfindex,
7482 struct access_mask_info *ami)
7485 proto_tree *subtree, *generic_tree, *standard_tree, *specific_tree;
7490 * Called from a DCE RPC protocol dissector, for a
7491 * protocol where a 32-bit NDR integer contains
7492 * an NT access mask; extract the access mask
7495 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
7499 * Called from SMB, where the access mask is just a
7500 * 4-byte little-endian quantity with no special
7501 * NDR alignment requirement; extract it with
7502 * "tvb_get_letohl()".
7504 access = tvb_get_letohl(tvb, offset);
7508 item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access);
7510 subtree = proto_item_add_subtree(item, ett_nt_access_mask);
7512 /* Generic access rights */
7514 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7515 "Generic rights: 0x%08x",
7516 access & GENERIC_RIGHTS_MASK);
7518 generic_tree = proto_item_add_subtree(
7519 item, ett_nt_access_mask_generic);
7521 proto_tree_add_boolean(
7522 generic_tree, hf_access_generic_read, tvb, offset - 4, 4,
7525 proto_tree_add_boolean(
7526 generic_tree, hf_access_generic_write, tvb, offset - 4, 4,
7529 proto_tree_add_boolean(
7530 generic_tree, hf_access_generic_execute, tvb, offset - 4, 4,
7533 proto_tree_add_boolean(
7534 generic_tree, hf_access_generic_all, tvb, offset - 4, 4,
7539 proto_tree_add_boolean(
7540 subtree, hf_access_maximum_allowed, tvb, offset - 4, 4,
7543 /* Access system security */
7545 proto_tree_add_boolean(
7546 subtree, hf_access_sacl, tvb, offset - 4, 4,
7549 /* Standard access rights */
7551 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7552 "Standard rights: 0x%08x",
7553 access & STANDARD_RIGHTS_MASK);
7555 standard_tree = proto_item_add_subtree(
7556 item, ett_nt_access_mask_standard);
7558 proto_tree_add_boolean(
7559 standard_tree, hf_access_standard_synchronise, tvb,
7560 offset - 4, 4, access);
7562 proto_tree_add_boolean(
7563 standard_tree, hf_access_standard_write_owner, tvb,
7564 offset - 4, 4, access);
7566 proto_tree_add_boolean(
7567 standard_tree, hf_access_standard_write_dac, tvb,
7568 offset - 4, 4, access);
7570 proto_tree_add_boolean(
7571 standard_tree, hf_access_standard_read_control, tvb,
7572 offset - 4, 4, access);
7574 proto_tree_add_boolean(
7575 standard_tree, hf_access_standard_delete, tvb, offset - 4, 4,
7578 /* Specific access rights. Call the specific_rights_fn
7579 pointer if we have one, otherwise just display bits 0-15 in
7582 if (ami && ami->specific_rights_name)
7583 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7584 "%s specific rights: 0x%08x",
7585 ami->specific_rights_name,
7586 access & SPECIFIC_RIGHTS_MASK);
7588 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
7589 "Specific rights: 0x%08x",
7590 access & SPECIFIC_RIGHTS_MASK);
7592 specific_tree = proto_item_add_subtree(
7593 item, ett_nt_access_mask_specific);
7595 if (ami && ami->specific_rights_fn) {
7596 guint32 mapped_access = access;
7597 proto_tree *specific_mapped;
7599 specific_mapped = proto_item_add_subtree(
7600 item, ett_nt_access_mask_specific);
7602 ami->specific_rights_fn(
7603 tvb, offset - 4, specific_tree, access);
7605 if (ami->generic_mapping)
7606 map_generic_access(&access, ami->generic_mapping);
7608 if (ami->standard_mapping)
7609 map_standard_access(&access, ami->standard_mapping);
7611 if (access != mapped_access) {
7612 ami->specific_rights_fn(
7613 tvb, offset - 4, specific_mapped,
7620 proto_tree_add_boolean(
7621 specific_tree, hf_access_specific_15, tvb, offset - 4, 4,
7624 proto_tree_add_boolean(
7625 specific_tree, hf_access_specific_14, tvb, offset - 4, 4,
7628 proto_tree_add_boolean(
7629 specific_tree, hf_access_specific_13, tvb, offset - 4, 4,
7632 proto_tree_add_boolean(
7633 specific_tree, hf_access_specific_12, tvb, offset - 4, 4,
7636 proto_tree_add_boolean(
7637 specific_tree, hf_access_specific_11, tvb, offset - 4, 4,
7640 proto_tree_add_boolean(
7641 specific_tree, hf_access_specific_10, tvb, offset - 4, 4,
7644 proto_tree_add_boolean(
7645 specific_tree, hf_access_specific_9, tvb, offset - 4, 4,
7648 proto_tree_add_boolean(
7649 specific_tree, hf_access_specific_8, tvb, offset - 4, 4,
7652 proto_tree_add_boolean(
7653 specific_tree, hf_access_specific_7, tvb, offset - 4, 4,
7656 proto_tree_add_boolean(
7657 specific_tree, hf_access_specific_6, tvb, offset - 4, 4,
7660 proto_tree_add_boolean(
7661 specific_tree, hf_access_specific_5, tvb, offset - 4, 4,
7664 proto_tree_add_boolean(
7665 specific_tree, hf_access_specific_4, tvb, offset - 4, 4,
7668 proto_tree_add_boolean(
7669 specific_tree, hf_access_specific_3, tvb, offset - 4, 4,
7672 proto_tree_add_boolean(
7673 specific_tree, hf_access_specific_2, tvb, offset - 4, 4,
7676 proto_tree_add_boolean(
7677 specific_tree, hf_access_specific_1, tvb, offset - 4, 4,
7680 proto_tree_add_boolean(
7681 specific_tree, hf_access_specific_0, tvb, offset - 4, 4,
7687 static int hf_smb_access_mask = -1;
/*
 * Dissect one NT ACE: type (1 byte), flags, size (16-bit little-endian),
 * access mask and SID, in that order.
 *
 * Returns old_offset + size, i.e. the end of the ACE as declared by its own
 * size field, not the offset reached while parsing.
 *
 * NOTE(review): `size` is read from the packet and, in the lines shown here,
 * is never compared with the bytes actually consumed (offset - old_offset).
 * A size of 0 hands the caller back its starting offset, so a caller that
 * walks a list of ACEs makes no forward progress; a size smaller than the
 * parsed fields makes the next ACE overlap this one.  Rejecting
 * size < (offset - old_offset) before the return would cover both cases --
 * confirm no such check sits in lines omitted from this listing.
 */
7690 dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo,
7691 proto_tree *parent_tree, guint8 *drep,
7692 struct access_mask_info *ami)
7694 proto_item *item = NULL;
7695 proto_tree *tree = NULL;
7696 int old_offset = offset;
7698 char *sid_str = NULL;
7703 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7705 tree = proto_item_add_subtree(item, ett_smb_ace);
7709 type = tvb_get_guint8(tvb, offset);
7710 proto_tree_add_uint(tree, hf_smb_ace_type, tvb, offset, 1, type);
7714 offset = dissect_nt_v2_ace_flags(tvb, offset, tree, &flags);
/* ACE length as claimed by the sender; used unmodified for the return value. */
7717 size = tvb_get_letohs(tvb, offset);
7718 proto_tree_add_uint(tree, hf_smb_ace_size, tvb, offset, 2, size);
7722 offset = dissect_nt_access_mask(
7723 tvb, offset, pinfo, tree, drep, hf_smb_access_mask, ami);
7726 offset = dissect_nt_sid(tvb, offset, tree, "ACE", &sid_str, -1);
7729 proto_item_append_text(
7730 item, "%s, flags 0x%02x, %s", sid_str, flags,
7731 val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"));
/* The tree item covers the bytes actually parsed, which may differ from size. */
7735 proto_item_set_len(item, offset-old_offset);
7737 /* Sometimes there is some spare space at the end of the ACE so use
7738 the size field to work out where the end is. */
7740 return old_offset + size;
/*
 * Dissect an NT ACL: a revision byte, then (under `case 2`) the 2-byte ACL
 * size, a 32-bit little-endian ACE count, and the ACEs themselves, each
 * handed to dissect_nt_v2_ace().  `name` is supplied by the caller; the
 * callers shown in this file pass "System (SACL)" and "User (DACL)".
 *
 * NOTE(review): num_aces comes from the packet, and the ACL size field is
 * only displayed.  Nothing in the lines shown bounds the ACE walk by the ACL
 * size or by the bytes remaining in the buffer.  Because each ACE advances
 * by its own size field, an ACL with a large count and zero-sized ACEs would
 * presumably re-dissect the same bytes over and over, adding tree items each
 * time.  Stopping when offset fails to advance, or when it passes
 * old_offset + ACL size, would bound the work.  The loop construct itself is
 * in lines omitted from this listing -- confirm there.
 */
7744 dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
7745 proto_tree *parent_tree, guint8 *drep, char *name,
7746 struct access_mask_info *ami)
7748 proto_item *item = NULL;
7749 proto_tree *tree = NULL;
7750 int old_offset = offset;
7755 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
7757 tree = proto_item_add_subtree(item, ett_smb_acl);
7761 revision = tvb_get_guint8(tvb, offset);
7762 proto_tree_add_uint(tree, hf_smb_acl_revision,
7763 tvb, offset, 1, revision);
7767 case 2: /* only version we will ever see of this structure?*/
/* ACL size: added to the tree but not kept for bounding the ACE walk. */
7770 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
7773 /* number of ace structures */
7774 num_aces = tvb_get_letohl(tvb, offset);
7775 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
7776 tvb, offset, 4, num_aces);
/* Next offset is whatever the ACE's own size field says (old_offset + size). */
7780 offset=dissect_nt_v2_ace(
7781 tvb, offset, pinfo, tree, drep, ami);
7785 proto_item_set_len(item, offset-old_offset);
7789 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
7790 "OWNER is DEFAULTED",
7791 "Owner is NOT defaulted"
7793 static const true_false_string tfs_sec_desc_type_group_defaulted = {
7794 "GROUP is DEFAULTED",
7795 "Group is NOT defaulted"
7797 static const true_false_string tfs_sec_desc_type_dacl_present = {
7799 "DACL is NOT present"
7801 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
7802 "DACL is DEFAULTED",
7803 "DACL is NOT defaulted"
7805 static const true_false_string tfs_sec_desc_type_sacl_present = {
7807 "SACL is NOT present"
7809 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
7810 "SACL is DEFAULTED",
7811 "SACL is NOT defaulted"
7813 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
7814 "DACL has AUTO INHERIT REQUIRED",
7815 "DACL does NOT require auto inherit"
7817 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
7818 "SACL has AUTO INHERIT REQUIRED",
7819 "SACL does NOT require auto inherit"
7821 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
7822 "DACL is AUTO INHERITED",
7823 "DACL is NOT auto inherited"
7825 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
7826 "SACL is AUTO INHERITED",
7827 "SACL is NOT auto inherited"
7829 static const true_false_string tfs_sec_desc_type_dacl_protected = {
7830 "The DACL is PROTECTED",
7831 "The DACL is NOT protected"
7833 static const true_false_string tfs_sec_desc_type_sacl_protected = {
7834 "The SACL is PROTECTED",
7835 "The SACL is NOT protected"
7837 static const true_false_string tfs_sec_desc_type_self_relative = {
7838 "This SecDesc is SELF RELATIVE",
7839 "This SecDesc is NOT self relative"
/*
 * Dissect the 16-bit little-endian "Type" field of a security descriptor:
 * adds a "Type: 0x%04x" item and, beneath it, one boolean per flag
 * (self-relative, SACL/DACL protected, auto-inherited, auto-inherit
 * required, defaulted, present, and group/owner defaulted).  Every boolean
 * is decoded from the same 2 bytes at `offset`; the bit each one tests is
 * set in the hf_ field registration, which is not part of this function.
 */
7844 dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
7846 proto_item *item = NULL;
7847 proto_tree *tree = NULL;
7850 mask = tvb_get_letohs(tvb, offset);
7852 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
7853 "Type: 0x%04x", mask);
7854 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
7857 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
7858 tvb, offset, 2, mask);
7859 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
7860 tvb, offset, 2, mask);
7861 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
7862 tvb, offset, 2, mask);
7863 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
7864 tvb, offset, 2, mask);
7865 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
7866 tvb, offset, 2, mask);
7867 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
7868 tvb, offset, 2, mask);
7869 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
7870 tvb, offset, 2, mask);
7871 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
7872 tvb, offset, 2, mask);
7873 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
7874 tvb, offset, 2, mask);
7875 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
7876 tvb, offset, 2, mask);
7877 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
7878 tvb, offset, 2, mask);
7879 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
7880 tvb, offset, 2, mask);
7881 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
7882 tvb, offset, 2, mask);
/*
 * Dissect an NT security descriptor that starts at `offset` and is shown in
 * the tree with length `len`: a revision byte, then (under `case 1`) the
 * type flags and four 32-bit little-endian offsets to the owner SID, group
 * SID, SACL and DACL.  Each referenced object is dissected at
 * old_offset + <that offset>, i.e. the offsets are taken relative to the
 * start of the descriptor.  `ami` is passed through to dissect_nt_acl().
 *
 * NOTE(review): the four offsets are guint32 values from the packet and are
 * added to the signed int old_offset with no visible comparison against
 * `len`.  A value near or above 2^31 makes the int offset handed to
 * dissect_nt_sid()/dissect_nt_acl() negative, and any in-range value lets
 * the descriptor point outside its own `len` bytes, anywhere else in the
 * buffer.  Containment then rests entirely on the tvb accessors' own bounds
 * handling -- confirm how they treat a negative offset, and consider
 * rejecting offsets >= len here.  Checks may exist in lines omitted from
 * this listing.
 */
7890 dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
7891 proto_tree *parent_tree, guint8 *drep, int len,
7892 struct access_mask_info *ami)
7894 proto_item *item = NULL;
7895 proto_tree *tree = NULL;
7897 int old_offset = offset;
7898 guint32 owner_sid_offset;
7899 guint32 group_sid_offset;
7900 guint32 sacl_offset;
7901 guint32 dacl_offset;
7904 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7905 "NT Security Descriptor");
7906 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
7910 revision = tvb_get_guint8(tvb, offset);
7911 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
7912 tvb, offset, 1, revision);
7915 /* next byte should be zero, for now just ignore it */
7920 case 1: /* only version we will ever see of this structure?*/
7922 offset = dissect_nt_sec_desc_type(tvb, offset, tree);
7924 /* offset to owner sid */
7925 owner_sid_offset = tvb_get_letohl(tvb, offset);
7926 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %u", owner_sid_offset);
7929 /* offset to group sid */
7930 group_sid_offset = tvb_get_letohl(tvb, offset);
7931 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %u", group_sid_offset);
7934 /* offset to sacl */
7935 sacl_offset = tvb_get_letohl(tvb, offset);
7936 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %u", sacl_offset);
7939 /* offset to dacl */
7940 dacl_offset = tvb_get_letohl(tvb, offset);
7941 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %u", dacl_offset);
/* From here on the wire-supplied offsets decide where dissection jumps to. */
7945 if(owner_sid_offset){
7947 offset = dissect_nt_sid(tvb, offset, tree, "Owner", NULL, -1);
7950 tvb, old_offset+owner_sid_offset, tree, "Owner", NULL, -1);
7954 if(group_sid_offset){
7956 tvb, old_offset+group_sid_offset, tree, "Group", NULL, -1);
7961 dissect_nt_acl(tvb, old_offset+sacl_offset, pinfo, tree,
7962 drep, "System (SACL)", ami);
7967 dissect_nt_acl(tvb, old_offset+dacl_offset, pinfo, tree,
7968 drep, "User (DACL)", ami);
/*
 * Dissect user-quota records.  Each record, as decoded below: a 4-byte value
 * shown as hf_smb_user_quota_offset (qsize), a 4-byte SID length, 8 unknown
 * bytes, three 8-byte quantities (quota used, soft limit, hard limit) and
 * the user's SID.  *bcp is the caller's remaining byte count and is reduced
 * as fields are consumed.  The next position is old_offset + qsize.
 *
 * NOTE(review): the fixed-size fields are each guarded by
 * CHECK_BYTE_COUNT_TRANS_SUBR, but the SID is not: `*bcp` is a guint16 and
 * is decremented by however many bytes dissect_nt_sid() consumed, so a SID
 * longer than the remaining count would wrap it to a large value.  qsize is
 * also taken from the packet and alone decides where the next record starts.
 * Any guards in lines omitted from this listing should be confirmed.
 */
7977 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
7979 int old_offset, old_sid_offset;
7985 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7986 qsize=tvb_get_letohl(tvb, offset);
7987 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7988 COUNT_BYTES_TRANS_SUBR(4);
7990 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7992 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7993 COUNT_BYTES_TRANS_SUBR(4);
7995 /* unknown bytes: the code below checks and counts 8, not 16 */
7996 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7997 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7999 COUNT_BYTES_TRANS_SUBR(8);
8001 /* number of bytes for used quota */
8002 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8003 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
8004 COUNT_BYTES_TRANS_SUBR(8);
8006 /* number of bytes for quota warning */
8007 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8008 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
8009 COUNT_BYTES_TRANS_SUBR(8);
8011 /* number of bytes for quota limit */
8012 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8013 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
8014 COUNT_BYTES_TRANS_SUBR(8);
8016 /* SID of the user */
8017 old_sid_offset=offset;
8018 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
/* Unchecked subtraction on a guint16: wraps if the SID ran past *bcp. */
8019 *bcp -= (offset-old_sid_offset);
/* Jump to the next record as declared by the packet's own qsize. */
8022 offset = old_offset+qsize;
/*
 * Dissect the data block of an NT Transact request.  `bc` is the number of
 * data bytes and `ntd` carries the subcommand plus, for NT_TRANS_CREATE, the
 * security-descriptor and EA lengths.  Bytes left over after the
 * per-subcommand decoding (offset - old_offset < bc) are added as
 * hf_smb_unknown.
 *
 * NOTE(review): two length-handling points to confirm.
 *  - `bcp` narrows the int `bc` to guint16 (already flagged "XXX fixme");
 *    the caller in this file passes a 32-bit data count, so counts above
 *    65535 are truncated before reaching dissect_nt_user_quota().
 *  - ntd->sd_len and ntd->ea_len are used as lengths, and ea_len is added
 *    to `offset`, with no visible comparison against `bc`.  Both are set
 *    from 32-bit packet fields in dissect_nt_trans_param_request().
 */
8032 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
8034 proto_item *item = NULL;
8035 proto_tree *tree = NULL;
8037 int old_offset = offset;
8038 guint16 bcp=bc; /* XXX fixme */
8040 si = (smb_info_t *)pinfo->private_data;
8043 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
8045 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8046 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8049 switch(ntd->subcmd){
8050 case NT_TRANS_CREATE:
8051 /* security descriptor */
8053 offset = dissect_nt_sec_desc(
8054 tvb, offset, pinfo, tree, NULL, ntd->sd_len,
8058 /* extended attributes */
8060 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
8061 offset += ntd->ea_len;
8065 case NT_TRANS_IOCTL:
8067 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
8072 offset = dissect_nt_sec_desc(
8073 tvb, offset, pinfo, tree, NULL, bc, NULL);
8075 case NT_TRANS_NOTIFY:
8077 case NT_TRANS_RENAME:
8078 /* XXX not documented */
8082 case NT_TRANS_GET_USER_QUOTA:
8083 /* unknown 4 bytes */
8084 proto_tree_add_item(tree, hf_smb_unknown, tvb,
8089 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
8092 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
8094 case NT_TRANS_SET_USER_QUOTA:
8095 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8099 /* ooops there were data we didnt know how to process */
8100 if((offset-old_offset) < bc){
8101 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
8102 bc - (offset-old_offset), TRUE);
8103 offset += bc - (offset-old_offset);
/*
 * Dissect the parameter block of an NT Transact request for ntd->subcmd.
 * `len` is the parameter byte count used for the tree item; `bc` is the
 * remaining byte count handed to the string helper.
 *
 * For NT_TRANS_CREATE the security-descriptor length and EA-list length read
 * here are stored in ntd->sd_len / ntd->ea_len; dissect_nt_trans_data_request()
 * reads them back when it decodes the data block.  NT_TRANS_SSD and
 * NT_TRANS_QSD decode a FID, 2 reserved bytes and the security information
 * mask.
 *
 * NOTE(review): sd_len, ea_len and fn_len are 32-bit packet values stored or
 * used without a visible range check against `len` or `bc`.  Whether
 * get_unicode_or_ascii_string() clamps fn_len is not visible here -- confirm.
 */
8110 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
8112 proto_item *item = NULL;
8113 proto_tree *tree = NULL;
8118 si = (smb_info_t *)pinfo->private_data;
8121 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8123 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8124 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8127 switch(ntd->subcmd){
8128 case NT_TRANS_CREATE:
8130 offset = dissect_nt_create_bits(tvb, tree, offset);
8133 /* root directory fid */
8134 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8137 /* nt access mask */
8138 offset = dissect_smb_access_mask(tvb, tree, offset);
8141 /* allocation size */
8142 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8145 /* Extended File Attributes */
8146 offset = dissect_file_ext_attr(tvb, tree, offset);
8150 offset = dissect_nt_share_access(tvb, tree, offset);
8153 /* create disposition */
8154 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8157 /* create options */
8158 offset = dissect_nt_create_options(tvb, tree, offset);
/* Lengths saved for the data-block dissector; taken from the packet as-is. */
8162 ntd->sd_len = tvb_get_letohl(tvb, offset);
8163 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
8167 ntd->ea_len = tvb_get_letohl(tvb, offset);
8168 proto_tree_add_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ntd->ea_len);
8172 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8173 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8176 /* impersonation level */
8177 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8180 /* security flags */
8181 offset = dissect_nt_security_flags(tvb, tree, offset);
8185 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8187 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8189 COUNT_BYTES(fn_len);
8193 case NT_TRANS_IOCTL:
8195 case NT_TRANS_SSD: {
8199 fid = tvb_get_letohs(tvb, offset);
8200 add_fid(tvb, pinfo, tree, offset, 2, fid);
8203 /* 2 reserved bytes */
8204 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8207 /* security information */
8208 offset = dissect_security_information_mask(tvb, tree, offset);
8211 case NT_TRANS_NOTIFY:
8213 case NT_TRANS_RENAME:
8214 /* XXX not documented */
8216 case NT_TRANS_QSD: {
8220 fid = tvb_get_letohs(tvb, offset);
8221 add_fid(tvb, pinfo, tree, offset, 2, fid);
8224 /* 2 reserved bytes */
8225 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8228 /* security information */
8229 offset = dissect_security_information_mask(tvb, tree, offset);
8232 case NT_TRANS_GET_USER_QUOTA:
8233 /* not decoded yet */
8235 case NT_TRANS_SET_USER_QUOTA:
8236 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transact request for ntd->subcmd.
 * NT_TRANS_IOCTL decodes a 4-byte function code, a FID, the IsFsctl byte and
 * the ioctl flags; NT_TRANS_NOTIFY decodes the completion filter, a FID, the
 * watch-tree byte and one reserved byte.  The other subcommands shown have
 * no setup decoding here.
 *
 * Returns old_offset + len, i.e. the end of the setup area as given by the
 * caller, regardless of how many bytes the per-subcommand code consumed.
 */
8244 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
8246 proto_item *item = NULL;
8247 proto_tree *tree = NULL;
8249 int old_offset = offset;
8251 si = (smb_info_t *)pinfo->private_data;
8254 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8256 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
8257 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8260 switch(ntd->subcmd){
8261 case NT_TRANS_CREATE:
8263 case NT_TRANS_IOCTL: {
8267 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
8271 fid = tvb_get_letohs(tvb, offset);
8272 add_fid(tvb, pinfo, tree, offset, 2, fid);
8276 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
8280 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
8286 case NT_TRANS_NOTIFY: {
8289 /* completion filter */
8290 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
8293 fid = tvb_get_letohs(tvb, offset);
8294 add_fid(tvb, pinfo, tree, offset, 2, fid);
8298 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
8302 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8307 case NT_TRANS_RENAME:
8308 /* XXX not documented */
8312 case NT_TRANS_GET_USER_QUOTA:
8313 /* not decoded yet */
8315 case NT_TRANS_SET_USER_QUOTA:
8316 /* not decoded yet */
8320 return old_offset+len;
/*
 * Dissect an NT Transact request, primary or secondary: the fixed header
 * (reserved bytes, total/max counts, parameter and data count, offset and
 * displacement, setup count, subcommand), then the setup words, parameter
 * block and data block, each handed to the matching
 * dissect_nt_trans_*_request() helper.
 *
 * For a primary request the subcommand is copied into `ntd` and, when the
 * frame has not been visited before, into a newly allocated
 * smb_nt_transact_info_t stored at sip->extra_info.  The response
 * dissectors read nti->subcmd from there.
 *
 * NOTE(review): pc, po, dc and od are 32-bit values from the packet.  po and
 * od are compared with `offset` to derive padding, and pc and dc are passed
 * on as int lengths; dissect_nt_trans_data_request() narrows the data count
 * again to guint16.  Bounding is left to CHECK_BYTE_COUNT and the tvb
 * accessors -- presumably sufficient, but confirm against the macro
 * definitions, which are not visible here.
 */
8325 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8328 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
8330 smb_saved_info_t *sip;
8335 smb_nt_transact_info_t *nti;
8337 si = (smb_info_t *)pinfo->private_data;
8343 /* primary request */
8344 /* max setup count */
8345 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
8348 /* 2 reserved bytes */
8349 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8352 /* secondary request */
8353 /* 3 reserved bytes */
8354 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8359 /* total param count */
8360 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
8363 /* total data count */
8364 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
8368 /* primary request */
8369 /* max param count */
8370 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
8373 /* max data count */
8374 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
8379 pc = tvb_get_letohl(tvb, offset);
8380 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8384 po = tvb_get_letohl(tvb, offset);
8385 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8388 /* param displacement */
8390 /* primary request*/
8393 /* secondary request */
8394 pd = tvb_get_letohl(tvb, offset);
8395 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8400 dc = tvb_get_letohl(tvb, offset);
8401 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8405 od = tvb_get_letohl(tvb, offset);
8406 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8409 /* data displacement */
8411 /* primary request */
8414 /* secondary request */
8415 dd = tvb_get_letohl(tvb, offset);
8416 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8422 /* primary request */
8423 sc = tvb_get_guint8(tvb, offset);
8424 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8427 /* secondary request */
8433 /* primary request */
8434 subcmd = tvb_get_letohs(tvb, offset);
8435 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
8436 if(check_col(pinfo->cinfo, COL_INFO)){
8437 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8438 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
8440 ntd.subcmd = subcmd;
8442 if(!pinfo->fd->flags.visited){
8444 * Allocate a new smb_nt_transact_info_t
8447 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
8448 nti->subcmd = subcmd;
8449 sip->extra_info = nti;
8453 /* secondary request */
8454 if(check_col(pinfo->cinfo, COL_INFO)){
8455 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
8460 /* this is a padding byte */
8463 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
8467 /* if there were any setup bytes, decode them */
8469 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
8476 if(po>(guint32)offset){
8477 /* We have some initial padding bytes.
8482 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8483 COUNT_BYTES(padcnt);
8486 CHECK_BYTE_COUNT(pc);
8487 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
8492 if(od>(guint32)offset){
8493 /* We have some initial padding bytes.
8498 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8499 COUNT_BYTES(padcnt);
8502 CHECK_BYTE_COUNT(dc);
8503 dissect_nt_trans_data_request(
8504 tvb, pinfo, offset, tree, dc, &ntd);
/*
 * Dissect the data block of an NT Transact response.  The response does not
 * carry the subcommand, so it is taken from the request info saved at
 * si->sip->extra_info (nti).  When that is missing, a "matching request not
 * seen" item is added instead.  `ntd` is unused (_U_).
 *
 * NOTE(review): nti->subcmd is dereferenced in the switch below.  The
 * NULL handling for nti (including the si->sip == NULL case) is in lines
 * omitted from this listing -- confirm every path that reaches the switch
 * has a non-NULL nti.  NT_TRANS_QSD passes `len` from the packet straight to
 * dissect_nt_sec_desc(), whose internal offsets are wire-controlled.
 */
8516 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
8517 int offset, proto_tree *parent_tree, int len,
8518 nt_trans_data *ntd _U_)
8520 proto_item *item = NULL;
8521 proto_tree *tree = NULL;
8523 smb_nt_transact_info_t *nti;
8526 si = (smb_info_t *)pinfo->private_data;
8527 if (si->sip != NULL)
8528 nti = si->sip->extra_info;
8534 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8536 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8539 * We never saw the request to which this is a
8542 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8543 "Unknown NT Transaction Data (matching request not seen)");
8545 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
8552 switch(nti->subcmd){
8553 case NT_TRANS_CREATE:
8555 case NT_TRANS_IOCTL:
8557 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
8563 case NT_TRANS_NOTIFY:
8565 case NT_TRANS_RENAME:
8566 /* XXX not documented */
8568 case NT_TRANS_QSD: {
8570 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
8571 * which may be documented in the Win32 documentation
8574 offset = dissect_nt_sec_desc(
8575 tvb, offset, pinfo, tree, NULL, len, NULL);
8578 case NT_TRANS_GET_USER_QUOTA:
8580 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
8582 case NT_TRANS_SET_USER_QUOTA:
8583 /* not decoded yet */
/*
 * Dissect the parameter block of an NT Transact response.  The subcommand
 * comes from the saved request info (si->sip->extra_info); a "matching
 * request not seen" item is added when it is unavailable.  `ntd` is unused
 * (_U_); `bc` is the remaining byte count used by the string helper and the
 * COUNT_BYTES macro.
 *
 * NT_TRANS_CREATE decodes the create reply (oplock level, FID, create
 * action, EA error offset, four 64-bit times, attributes, sizes, file type,
 * IPC state, is-directory).  NT_TRANS_NOTIFY walks change-notify entries,
 * each with a next-entry offset (neo), an action, a file-name length and the
 * name; the next entry is at old_offset + neo.
 *
 * NOTE(review): neo and fn_len are 32-bit packet values.  padcnt is computed
 * as (old_offset + neo) - offset, which goes negative when neo points back
 * inside the entry just parsed; the existing "this is bogus" remark suggests
 * that case is handled in lines omitted from this listing -- confirm, and
 * confirm the walk cannot revisit the same entry.
 */
8591 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
8592 int offset, proto_tree *parent_tree,
8593 int len, nt_trans_data *ntd _U_, guint16 bc)
8595 proto_item *item = NULL;
8596 proto_tree *tree = NULL;
8600 smb_nt_transact_info_t *nti;
8606 si = (smb_info_t *)pinfo->private_data;
8607 if (si->sip != NULL)
8608 nti = si->sip->extra_info;
8614 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8616 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8619 * We never saw the request to which this is a
8622 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8623 "Unknown NT Transaction Parameters (matching request not seen)");
8625 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
8632 switch(nti->subcmd){
8633 case NT_TRANS_CREATE:
8635 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8639 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8643 fid = tvb_get_letohs(tvb, offset);
8644 add_fid(tvb, pinfo, tree, offset, 2, fid);
8648 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8651 /* ea error offset */
8652 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
8656 offset = dissect_smb_64bit_time(tvb, tree, offset,
8657 hf_smb_create_time);
8660 offset = dissect_smb_64bit_time(tvb, tree, offset,
8661 hf_smb_access_time);
8663 /* last write time */
8664 offset = dissect_smb_64bit_time(tvb, tree, offset,
8665 hf_smb_last_write_time);
8667 /* last change time */
8668 offset = dissect_smb_64bit_time(tvb, tree, offset,
8669 hf_smb_change_time);
8671 /* Extended File Attributes */
8672 offset = dissect_file_ext_attr(tvb, tree, offset);
8674 /* allocation size */
8675 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8679 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8683 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8687 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
8690 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8693 case NT_TRANS_IOCTL:
8697 case NT_TRANS_NOTIFY:
8699 old_offset = offset;
8701 /* next entry offset */
8702 neo = tvb_get_letohl(tvb, offset);
8703 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
8706 /* broken implementations */
8710 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
8713 /* broken implementations */
8717 fn_len = (guint32)tvb_get_letohl(tvb, offset);
8718 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
8721 /* broken implementations */
8725 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
8728 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8730 COUNT_BYTES(fn_len);
8732 /* broken implementations */
8736 break; /* no more structures */
8738 /* skip to next structure */
8739 padcnt = (old_offset + neo) - offset;
8742 * XXX - this is bogus; flag it?
8747 COUNT_BYTES(padcnt);
8749 /* broken implementations */
8754 case NT_TRANS_RENAME:
8755 /* XXX not documented */
8759 * This appears to be the size of the security
8760 * descriptor; the calling sequence of
8761 * "ZwQuerySecurityObject()" suggests that it would
8762 * be. The actual security descriptor wouldn't
8763 * follow if the max data count in the request
8764 * was smaller; this lets the client know how
8765 * big a buffer it needs to provide.
8767 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
8770 case NT_TRANS_GET_USER_QUOTA:
8771 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
8772 tvb_get_letohl(tvb, offset));
8775 case NT_TRANS_SET_USER_QUOTA:
8776 /* not decoded yet */
/*
 * Dissect the setup words of an NT Transact response.  Adds a tree item
 * named after the subcommand saved with the request (si->sip->extra_info),
 * or a "matching request not seen" item when that is unavailable.  None of
 * the subcommand cases shown decodes any setup fields.  `ntd` is unused
 * (_U_).
 *
 * NOTE(review): as in the other response helpers, nti->subcmd is
 * dereferenced in the switch; the NULL guard is in lines omitted from this
 * listing -- confirm.
 */
8784 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
8785 int offset, proto_tree *parent_tree,
8786 int len, nt_trans_data *ntd _U_)
8788 proto_item *item = NULL;
8789 proto_tree *tree = NULL;
8791 smb_nt_transact_info_t *nti;
8793 si = (smb_info_t *)pinfo->private_data;
8794 if (si->sip != NULL)
8795 nti = si->sip->extra_info;
8801 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8803 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
8806 * We never saw the request to which this is a
8809 item = proto_tree_add_text(parent_tree, tvb, offset, len,
8810 "Unknown NT Transaction Setup (matching request not seen)");
8812 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
8819 switch(nti->subcmd){
8820 case NT_TRANS_CREATE:
8822 case NT_TRANS_IOCTL:
8826 case NT_TRANS_NOTIFY:
8828 case NT_TRANS_RENAME:
8829 /* XXX not documented */
8833 case NT_TRANS_GET_USER_QUOTA:
8834 /* not decoded yet */
8836 case NT_TRANS_SET_USER_QUOTA:
8837 /* not decoded yet */
/*
 * Dissect an NT Transact response: the subcommand recovered from the saved
 * request info (or an "unknown function" item), the fixed header (total
 * parameter/data counts tp/td, then count, offset and displacement for the
 * parameter block pc/po/pd and the data block dc/od/dd, and the setup
 * count), the setup words, and finally the parameter and data blocks.
 *
 * When the totals differ from the counts in this packet the transaction is
 * split across several responses; pinfo->fragmented is set and, if
 * smb_trans_reassembly is enabled, the pieces go to smb_trans_defragment().
 * With a reassembled buffer the parameters are dissected at offset 0 and the
 * data at offset tp of that buffer; otherwise the blocks are dissected from
 * this packet alone.  pinfo->fragmented is restored before returning.
 *
 * `ntd` is a static local that is only passed through to the helpers.
 *
 * NOTE(review): every count, offset and displacement here is a 32-bit value
 * from the packet.  Sums such as dd+tp and td+tp can wrap, and tp/td are
 * later used as int lengths into the reassembled buffer.  Confirm that
 * smb_trans_defragment() and the tvb accessors reject inconsistent values.
 */
8845 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
8848 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
8851 smb_nt_transact_info_t *nti;
8852 static nt_trans_data ntd;
8855 fragment_data *r_fd = NULL;
8856 tvbuff_t *pd_tvb=NULL;
8857 gboolean save_fragmented;
8859 si = (smb_info_t *)pinfo->private_data;
8860 if (si->sip != NULL)
8861 nti = si->sip->extra_info;
8865 /* primary request */
8867 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
8868 if(check_col(pinfo->cinfo, COL_INFO)){
8869 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
8870 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
8873 proto_tree_add_text(tree, tvb, offset, 0,
8874 "Function: <unknown function - could not find matching request>");
8875 if(check_col(pinfo->cinfo, COL_INFO)){
8876 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
8882 /* 3 reserved bytes */
8883 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
8886 /* total param count */
8887 tp = tvb_get_letohl(tvb, offset);
8888 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
8891 /* total data count */
8892 td = tvb_get_letohl(tvb, offset);
8893 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
8897 pc = tvb_get_letohl(tvb, offset);
8898 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
8902 po = tvb_get_letohl(tvb, offset);
8903 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
8906 /* param displacement */
8907 pd = tvb_get_letohl(tvb, offset);
8908 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
8912 dc = tvb_get_letohl(tvb, offset);
8913 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
8917 od = tvb_get_letohl(tvb, offset);
8918 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
8921 /* data displacement */
8922 dd = tvb_get_letohl(tvb, offset);
8923 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
8927 sc = tvb_get_guint8(tvb, offset);
8928 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
8933 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
8939 /* reassembly of SMB NT Transaction data payload.
8940 In this section we do reassembly of both the data and parameters
8941 blocks of the SMB transaction command.
8943 save_fragmented = pinfo->fragmented;
8944 /* do we need reassembly? */
8945 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
8946 /* oh yeah, either data or parameter section needs
8949 pinfo->fragmented = TRUE;
8950 if(smb_trans_reassembly){
8951 /* ...and we were told to do reassembly */
/* NOTE(review): the guards below cast tvb_length_remaining() to unsigned.
   If that function reports an out-of-range offset as a negative value, the
   cast turns it into a very large number and the ">= pc" / ">= dc" test
   passes for any count -- confirm against the tvbuff implementation. */
8952 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
8953 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8957 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
8958 r_fd = smb_trans_defragment(tree, pinfo, tvb,
8959 od, dc, dd+tp, td+tp);
8964 /* if we got a reassembled fd structure from the reassembly routine we
8965 must create pd_tvb from it
8968 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
8970 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
8971 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
8973 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
8978 /* we have reassembled data, grab param and data from there */
8979 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
8980 &ntd, (guint16) tvb_length(pd_tvb));
8981 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
8983 /* we do not have reassembled data, just use what we have in the
8984 packet as well as we can */
8986 if(po>(guint32)offset){
8987 /* We have some initial padding bytes.
8992 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8993 COUNT_BYTES(padcnt);
8996 CHECK_BYTE_COUNT(pc);
8997 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
9002 if(od>(guint32)offset){
9003 /* We have some initial padding bytes.
9008 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
9009 COUNT_BYTES(padcnt);
9012 CHECK_BYTE_COUNT(dc);
9013 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
9017 pinfo->fragmented = save_fragmented;
9024 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9025 NT Transaction command ends here
9026 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
9028 static const value_string print_mode_vals[] = {
9030 {1, "Graphics Mode"},
/*
 * Dissect an Open Print File request: 2-byte setup length, 2-byte print
 * mode, then in the byte-counted area a 1-byte buffer format followed by the
 * print identifier string (Unicode or ASCII according to si->unicode).
 * fn_len is filled in by get_unicode_or_ascii_string() and then used both as
 * the item length and as the number of bytes to consume.
 */
9035 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9037 smb_info_t *si = pinfo->private_data;
9046 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
9050 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
9056 CHECK_BYTE_COUNT(1);
9057 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9060 /* print identifier */
9061 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, FALSE, &bc);
9064 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
9066 COUNT_BYTES(fn_len);
/*
 * Dissect a Write Print File request: a 2-byte FID, then in the
 * byte-counted area a 1-byte buffer format and a 16-bit little-endian data
 * length `cnt`, followed by the file data.  `cnt` comes from the packet and
 * is passed to dissect_file_data() for both of its count arguments.
 * NOTE(review): whether cnt is checked against the remaining byte count
 * before that call is not visible in this listing -- confirm.
 */
9075 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9084 fid = tvb_get_letohs(tvb, offset);
9085 add_fid(tvb, pinfo, tree, offset, 2, fid);
9091 CHECK_BYTE_COUNT(1);
9092 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9096 CHECK_BYTE_COUNT(2);
9097 cnt = tvb_get_letohs(tvb, offset);
9098 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
9102 offset = dissect_file_data(tvb, tree, offset, (guint16) cnt, (guint16) cnt);
/* Display names for the 1-byte print queue entry status (hf_smb_print_status); not every value is visible in this excerpt. */
9110 static const value_string print_status_vals[] = {
9111 {1, "Held or Stopped"},
9113 {3, "Awaiting print"},
9114 {4, "In intercept"},
9115 {5, "File had error"},
9116 {6, "Printer error"},
/*
 * Dissect a Get Print Queue request: a 2-byte max count followed by a
 * 2-byte start index, both added to tree straight from tvb.
 * pinfo and smb_tree are unused (_U_).
 */
9121 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9129 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
9133 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
/*
 * Dissect one print queue entry and add it as a subtree of parent_tree.
 *
 * Visible field sequence: date/time (4 bytes), status (1), spool file
 * number (2), spool file size (4), reserved (1) and a spool file name
 * shown with a 16-byte extent - 28 bytes in total, matching the fixed
 * extent given to the entry's tree item. All bytes come from the captured
 * packet. bcp points at the caller's remaining byte count and is handed
 * to the string helper. The *_SUBR macros are defined elsewhere in this
 * file; presumably they update *bcp and set *trunc when the entry is cut
 * short - confirm against their definitions.
 */
9144 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
9145 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
9147 proto_item *item = NULL;
9148 proto_tree *tree = NULL;
9149 smb_info_t *si = pinfo->private_data;
/* 28 = 4 + 1 + 2 + 4 + 1 + 16, the sum of the field extents used below. */
9154 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
9156 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
9160 CHECK_BYTE_COUNT_SUBR(4);
9161 offset = dissect_smb_datetime(tvb, tree, offset,
9162 hf_smb_print_queue_date,
9163 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
9167 CHECK_BYTE_COUNT_SUBR(1);
9168 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
9169 COUNT_BYTES_SUBR(1);
9171 /* spool file number */
9172 CHECK_BYTE_COUNT_SUBR(2);
9173 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
9174 COUNT_BYTES_SUBR(2);
9176 /* spool file size */
9177 CHECK_BYTE_COUNT_SUBR(4);
9178 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
9179 COUNT_BYTES_SUBR(4);
9182 CHECK_BYTE_COUNT_SUBR(1);
9183 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
9184 COUNT_BYTES_SUBR(1);
9188 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, bcp);
9189 CHECK_STRING_SUBR(fn);
/* The item extent is the constant 16 while fn_len is what gets counted afterwards. NOTE(review): confirm the two agree for every encoding the helper can return. */
9190 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
9192 COUNT_BYTES_SUBR(fn_len);
/*
 * Dissect a Get Print Queue response: entry count (2 bytes), restart
 * index (2), buffer format (1), data length (2) and the queue entries,
 * each handled by dissect_print_queue_element().
 * smb_tree is unused (_U_).
 */
9199 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
/* cnt is a 16-bit entry count taken from the packet. */
9209 cnt = tvb_get_letohs(tvb, offset);
9210 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
9214 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
9220 CHECK_BYTE_COUNT(1);
9221 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9225 CHECK_BYTE_COUNT(2);
/* len is a 16-bit data length taken from the packet. */
9226 len = tvb_get_letohs(tvb, offset);
9227 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
9230 /* queue elements */
/* NOTE(review): the loop that drives this call is not visible in this excerpt - confirm it is bounded by the remaining byte count and not only by the packet-supplied cnt/len. */
9232 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
/*
 * Dissect a Send Single Block Message request.
 *
 * Visible layout: buffer format (1 byte) + NUL-terminated originator
 * name, buffer format + NUL-terminated destination name, buffer format
 * + 2-byte message length + message bytes. All lengths and strings come
 * from the captured packet. pinfo and smb_tree are unused (_U_).
 */
9245 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9250 guint16 message_len;
9257 CHECK_BYTE_COUNT(1);
9258 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9261 /* originator name */
9262 /* XXX - what if this runs past bc? */
/* tvb_strsize() looks for the NUL inside the tvb and throws if there is none, so the scan is bounded by the buffer, not by bc. bc is only consulted afterwards through CHECK_BYTE_COUNT (macro defined elsewhere in this file), so the scan itself may cover bytes beyond the SMB byte count. */
9263 name_len = tvb_strsize(tvb, offset);
9264 CHECK_BYTE_COUNT(name_len);
9265 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9267 COUNT_BYTES(name_len);
9270 CHECK_BYTE_COUNT(1);
9271 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9274 /* destination name */
9275 /* XXX - what if this runs past bc? */
/* Same pattern as the originator name: the NUL search is limited by the tvb, then the size is compared with bc. */
9276 name_len = tvb_strsize(tvb, offset);
9277 CHECK_BYTE_COUNT(name_len);
9278 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9280 COUNT_BYTES(name_len);
9283 CHECK_BYTE_COUNT(1);
9284 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9288 CHECK_BYTE_COUNT(2);
/* message_len is a 16-bit length supplied by the sender; it is checked against bc before the message bytes are added. */
9289 message_len = tvb_get_letohs(tvb, offset);
9290 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9295 CHECK_BYTE_COUNT(message_len);
9296 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9298 COUNT_BYTES(message_len);
/*
 * Dissect a Send Multi-Block Message Start request: buffer format
 * (1 byte) + NUL-terminated originator name, then buffer format +
 * NUL-terminated destination name. Both names come from the captured
 * packet. pinfo and smb_tree are unused (_U_).
 */
9306 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9317 CHECK_BYTE_COUNT(1);
9318 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9321 /* originator name */
9322 /* XXX - what if this runs past bc? */
/* tvb_strsize() looks for the NUL inside the tvb and throws if there is none, so the scan is bounded by the buffer, not by bc; bc is only consulted afterwards through CHECK_BYTE_COUNT (macro defined elsewhere in this file). */
9323 name_len = tvb_strsize(tvb, offset);
9324 CHECK_BYTE_COUNT(name_len);
9325 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
9327 COUNT_BYTES(name_len);
9330 CHECK_BYTE_COUNT(1);
9331 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9334 /* destination name */
9335 /* XXX - what if this runs past bc? */
/* Same pattern as the originator name: the NUL search is limited by the tvb, then the size is compared with bc. */
9336 name_len = tvb_strsize(tvb, offset);
9337 CHECK_BYTE_COUNT(name_len);
9338 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
9340 COUNT_BYTES(name_len);
/* Dissect a message carrying only a 2-byte message group ID and add it to tree. pinfo and smb_tree are unused (_U_). */
9348 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9355 /* message group ID */
9356 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, TRUE);
/*
 * Dissect a Send Multi-Block Message Text request: buffer format
 * (1 byte), 2-byte message length, then the message bytes.
 * pinfo and smb_tree are unused (_U_).
 */
9367 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9371 guint16 message_len;
9378 CHECK_BYTE_COUNT(1);
9379 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9383 CHECK_BYTE_COUNT(2);
/* message_len is a 16-bit length supplied by the sender; it is checked against bc (via the CHECK_BYTE_COUNT macro defined elsewhere in this file) before the message bytes are added. */
9384 message_len = tvb_get_letohs(tvb, offset);
9385 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
9390 CHECK_BYTE_COUNT(message_len);
9391 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
9393 COUNT_BYTES(message_len);
/*
 * Dissect a message carrying a forwarded name: buffer format (1 byte)
 * followed by a NUL-terminated name taken from the captured packet.
 * pinfo and smb_tree are unused (_U_).
 */
9401 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9412 CHECK_BYTE_COUNT(1);
9413 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9416 /* forwarded name */
9417 /* XXX - what if this runs past bc? */
/* tvb_strsize() looks for the NUL inside the tvb and throws if there is none, so the scan is bounded by the buffer, not by bc; bc is only consulted afterwards through CHECK_BYTE_COUNT (macro defined elsewhere in this file). */
9418 name_len = tvb_strsize(tvb, offset);
9419 CHECK_BYTE_COUNT(name_len);
9420 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
9422 COUNT_BYTES(name_len);
/*
 * Dissect a Get Machine Name response: buffer format (1 byte) followed
 * by a NUL-terminated machine name taken from the captured packet.
 * pinfo and smb_tree are unused (_U_).
 */
9430 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9441 CHECK_BYTE_COUNT(1);
9442 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
9446 /* XXX - what if this runs past bc? */
/* tvb_strsize() looks for the NUL inside the tvb and throws if there is none, so the scan is bounded by the buffer, not by bc; bc is only consulted afterwards through CHECK_BYTE_COUNT (macro defined elsewhere in this file). */
9447 name_len = tvb_strsize(tvb, offset);
9448 CHECK_BYTE_COUNT(name_len);
9449 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
9451 COUNT_BYTES(name_len);
/*
 * Dissect an NT Create AndX request.
 *
 * Walks the fixed parameter words (AndX command, reserved byte, AndX
 * offset, reserved byte, file name length, create flags, root directory
 * FID, access mask, allocation size, extended attributes, share access,
 * create disposition, create options, impersonation level, security
 * flags), then the file name, appends the path to the Info column and
 * finally hands the chained AndX command to dissect_smb_command().
 * Every value is read from the captured packet.
 */
9460 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
/* cmd starts as 0xff, the "no further commands" value shown below. */
9462 guint8 wc, cmd=0xff;
9463 guint16 andxoffset=0;
9465 smb_info_t *si = pinfo->private_data;
9471 /* next smb command */
9472 cmd = tvb_get_guint8(tvb, offset);
9474 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9476 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9481 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is a 16-bit offset chosen by the sender; it is used at the end of this function as the start of the chained command. */
9485 andxoffset = tvb_get_letohs(tvb, offset);
9486 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9490 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* fn_len first holds the file name length field from the packet; the same variable is later passed by address to get_unicode_or_ascii_string(). */
9494 fn_len = tvb_get_letohs(tvb, offset);
9495 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
9499 offset = dissect_nt_create_bits(tvb, tree, offset);
9501 /* root directory fid */
9502 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
9505 /* nt access mask */
9506 offset = dissect_smb_access_mask(tvb, tree, offset);
9508 /* allocation size */
9509 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9512 /* Extended File Attributes */
9513 offset = dissect_file_ext_attr(tvb, tree, offset);
9516 offset = dissect_nt_share_access(tvb, tree, offset);
9518 /* create disposition */
9519 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
9522 /* create options */
9523 offset = dissect_nt_create_options(tvb, tree, offset);
9525 /* impersonation level */
9526 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
9529 /* security flags */
9530 offset = dissect_nt_security_flags(tvb, tree, offset);
/* NOTE(review): a NULL check on fn is not visible in this excerpt - confirm one precedes the uses below. */
9535 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
9538 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9540 COUNT_BYTES(fn_len);
9542 if (check_col(pinfo->cinfo, COL_INFO)) {
/* The packet-derived name is passed as a %s argument, never as the format string. */
9543 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
9548 /* call AndXCommand (if there are any) */
/* NOTE(review): no check that andxoffset lies beyond the bytes already dissected is visible in this excerpt - confirm that an offset pointing back at this command cannot make the chained dissection recurse without bound. */
9549 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/*
 * Dissect an NT Create AndX response.
 *
 * Walks the AndX command, reserved byte, AndX offset, oplock level, FID,
 * create action, four 64-bit timestamps (create, access, last write,
 * change), extended attributes, allocation size, end of file, file type,
 * IPC state and the is-directory byte, then hands the chained AndX
 * command to dissect_smb_command(). Every value is read from the
 * captured packet.
 */
9556 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
/* cmd starts as 0xff, the "no further commands" value shown below. */
9558 guint8 wc, cmd=0xff;
9559 guint16 andxoffset=0;
9565 /* next smb command */
9566 cmd = tvb_get_guint8(tvb, offset);
9568 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
9570 proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
9575 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
/* andxoffset is a 16-bit offset chosen by the sender; it is used at the end of this function as the start of the chained command. */
9579 andxoffset = tvb_get_letohs(tvb, offset);
9580 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
9584 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
9588 fid = tvb_get_letohs(tvb, offset);
9589 add_fid(tvb, pinfo, tree, offset, 2, fid);
9593 /*XXX is this really the same as create disposition in the request? it looks so*/
9594 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
9595 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
9599 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
9602 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
9604 /* last write time */
9605 offset = dissect_smb_64bit_time(tvb, tree, offset,
9606 hf_smb_last_write_time);
9608 /* last change time */
9609 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
9611 /* Extended File Attributes */
9612 offset = dissect_file_ext_attr(tvb, tree, offset);
9614 /* allocation size */
9615 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9619 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9623 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
9627 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
9630 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9637 /* call AndXCommand (if there are any) */
/* NOTE(review): no check that andxoffset lies beyond the bytes already dissected is visible in this excerpt - confirm that an offset pointing back at this command cannot make the chained dissection recurse without bound. */
9638 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
/* Dissector entry for the NT Cancel request; pinfo and smb_tree are tagged unused (_U_). The body is not visible in this excerpt. */
9645 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
9659 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9660 BEGIN Transaction/Transaction2 Primary and secondary requests
9661 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Names of the TRANS2 subcommand codes. Looked up with val_to_str() when
 * the request parameter block is labelled, so a code that is not listed
 * is rendered through the caller's fallback format instead of a name.
 * Unlike the neighbouring tables this one is not declared static.
 */
9664 const value_string trans2_cmd_vals[] = {
9666 { 0x01, "FIND_FIRST2" },
9667 { 0x02, "FIND_NEXT2" },
9668 { 0x03, "QUERY_FS_INFO" },
9669 { 0x04, "SET_FS_QUOTA" },
9670 { 0x05, "QUERY_PATH_INFO" },
9671 { 0x06, "SET_PATH_INFO" },
9672 { 0x07, "QUERY_FILE_INFO" },
9673 { 0x08, "SET_FILE_INFO" },
9676 { 0x0B, "FIND_NOTIFY_FIRST" },
9677 { 0x0C, "FIND_NOTIFY_NEXT" },
9678 { 0x0D, "CREATE_DIRECTORY" },
9679 { 0x0E, "SESSION_SETUP" },
9680 { 0x10, "GET_DFS_REFERRAL" },
9681 { 0x11, "REPORT_DFS_INCONSISTENCY" },
/*
 * true_false_string pairs for transaction and FIND_FIRST2 flag bits: the
 * first string is displayed when the bit is set, the second when it is
 * clear. Only one string of tfs_ff2_backup is visible in this excerpt.
 */
9685 static const true_false_string tfs_tf_dtid = {
9686 "Also DISCONNECT TID",
9687 "Do NOT disconnect TID"
9689 static const true_false_string tfs_tf_owt = {
9690 "One Way Transaction (NO RESPONSE)",
9691 "Two way transaction"
9694 static const true_false_string tfs_ff2_backup = {
9695 "Find WITH backup intent",
9698 static const true_false_string tfs_ff2_continue = {
9699 "CONTINUE search from previous position",
9700 "New search, do NOT continue from previous position"
9702 static const true_false_string tfs_ff2_resume = {
9703 "Return RESUME keys",
9704 "Do NOT return resume keys"
9706 static const true_false_string tfs_ff2_close_eos = {
9707 "CLOSE search if END OF SEARCH is reached",
9708 "Do NOT close search if end of search reached"
9710 static const true_false_string tfs_ff2_close = {
9711 "CLOSE search after this request",
9712 "Do NOT close search after this request"
/* Names of the FIND_FIRST2 information levels. The level is a 16-bit value taken from the request, so values outside this list must be expected. */
9718 static const value_string ff2_il_vals[] = {
9719 { 1, "Info Standard"},
9720 { 2, "Info Query EA Size"},
9721 { 3, "Info Query EAs From List"},
9722 { 0x0101, "Find File Directory Info"},
9723 { 0x0102, "Find File Full Directory Info"},
9724 { 0x0103, "Find File Names Info"},
9725 { 0x0104, "Find File Both Directory Info"},
9726 { 0x0202, "Find File UNIX"},
9731 TRANS2_QUERY_PATH_INFORMATION
9732 TRANS2_QUERY_FILE_INFORMATION
/*
 * Names of the level-of-interest values for TRANS2_QUERY_PATH_INFORMATION
 * and TRANS2_QUERY_FILE_INFORMATION. Looked up with val_to_str() on the
 * 16-bit level read from the request, so a value that is not listed is
 * rendered through the caller's fallback format. Several names appear
 * twice: once under a 0x01xx key and once under a decimal key from 1004
 * upwards.
 */
9734 static const value_string qpi_loi_vals[] = {
9735 { 1, "Info Standard"},
9736 { 2, "Info Query EA Size"},
9737 { 3, "Info Query EAs From List"},
9738 { 4, "Info Query All EAs"},
9739 { 6, "Info Is Name Valid"},
9740 { 0x0101, "Query File Basic Info"},
9741 { 0x0102, "Query File Standard Info"},
9742 { 0x0103, "Query File EA Info"},
9743 { 0x0104, "Query File Name Info"},
9744 { 0x0107, "Query File All Info"},
9745 { 0x0108, "Query File Alt Name Info"},
9746 { 0x0109, "Query File Stream Info"},
9747 { 0x010b, "Query File Compression Info"},
9748 { 0x0200, "Query File Unix Basic"},
9749 { 0x0201, "Query File Unix Link"},
9750 { 1004, "Query File Basic Info"},
9751 { 1005, "Query File Standard Info"},
9752 { 1006, "Query File Internal Info"},
9753 { 1007, "Query File EA Info"},
9754 { 1009, "Query File Name Info"},
9755 { 1010, "Query File Rename Info"},
9756 { 1011, "Query File Link Info"},
9757 { 1012, "Query File Names Info"},
9758 { 1013, "Query File Disposition Info"},
9759 { 1014, "Query File Position Info"},
9760 { 1015, "Query File Full EA Info"},
9761 { 1016, "Query File Mode Info"},
9762 { 1017, "Query File Alignment Info"},
9763 { 1018, "Query File All Info"},
9764 { 1019, "Query File Allocation Info"},
9765 { 1020, "Query File End of File Info"},
9766 { 1021, "Query File Alt Name Info"},
9767 { 1022, "Query File Stream Info"},
9768 { 1023, "Query File Pipe Info"},
9769 { 1024, "Query File Pipe Local Info"},
9770 { 1025, "Query File Pipe Remote Info"},
9771 { 1026, "Query File Mailslot Query Info"},
9772 { 1027, "Query File Mailslot Set Info"},
9773 { 1028, "Query File Compression Info"},
9774 { 1029, "Query File ObjectID Info"},
9775 { 1030, "Query File Completion Info"},
9776 { 1031, "Query File Move Cluster Info"},
9777 { 1032, "Query File Quota Info"},
9778 { 1033, "Query File Reparsepoint Info"},
9779 { 1034, "Query File Network Open Info"},
9780 { 1035, "Query File Attribute Tag Info"},
9781 { 1036, "Query File Tracking Info"},
9782 { 1037, "Query File Maximum Info"},
9787 TRANS2_SET_PATH_INFORMATION
9788 TRANS2_SET_FILE_INFORMATION
9789 (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
9790 but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
9791 well; note that they're different from the QUERY_PATH_INFORMATION
9792 and QUERY_FILE_INFORMATION values!)
/*
 * Names of the level-of-interest values for the SET_PATH_INFORMATION and
 * SET_FILE_INFORMATION requests (displayed through hf_smb_spi_loi). The
 * keys overlap numerically with the query table but carry different
 * meanings, so the two tables must not be swapped.
 */
9794 static const value_string spi_loi_vals[] = {
9795 { 1, "Info Standard"},
9796 { 2, "Info Query EA Size"},
9797 { 4, "Info Query All EAs"},
9798 { 0x0101, "Set File Basic Info"},
9799 { 0x0102, "Set File Disposition Info"},
9800 { 0x0103, "Set File Allocation Info"},
9801 { 0x0104, "Set File End Of File Info"},
9802 { 0x0200, "Set File Unix Basic"},
9803 { 0x0201, "Set File Unix Link"},
9804 { 0x0202, "Set File Unix HardLink"},
9805 { 1004, "Set File Basic Info"},
9806 { 1010, "Set Rename Information"},
9807 { 1013, "Set Disposition Information"},
9808 { 1014, "Set Position Information"},
9809 { 1016, "Set Mode Information"},
9810 { 1019, "Set Allocation Information"},
9811 { 1020, "Set EOF Information"},
9812 { 1023, "Set File Pipe Information"},
9813 { 1025, "Set File Pipe Remote Information"},
9814 { 1029, "Set Copy On Write Information"},
9815 { 1032, "Set OLE Class ID Information"},
9816 { 1039, "Set Inherit Context Index Information"},
9817 { 1040, "Set OLE Information (?)"},
/*
 * Names of the QUERY_FS_INFORMATION levels. Looked up with val_to_str()
 * on the 16-bit level read from the request; a value that is not listed
 * is rendered through the "Unknown (0x%02x)" fallback the caller passes.
 */
9821 static const value_string qfsi_vals[] = {
9822 { 1, "Info Allocation"},
9823 { 2, "Info Volume"},
9824 { 0x0101, "Query FS Label Info"},
9825 { 0x0102, "Query FS Volume Info"},
9826 { 0x0103, "Query FS Size Info"},
9827 { 0x0104, "Query FS Device Info"},
9828 { 0x0105, "Query FS Attribute Info"},
9829 { 0x0200, "Unix Query FS Info"},
9830 { 0x0301, "Mac Query FS Info"},
9831 { 1001, "Query FS Label Info"},
9832 { 1002, "Query FS Volume Info"},
9833 { 1003, "Query FS Size Info"},
9834 { 1004, "Query FS Device Info"},
9835 { 1005, "Query FS Attribute Info"},
9836 { 1006, "Query FS Quota Info"},
9837 { 1007, "Query Full FS Size Info"},
9838 { 1008, "Object ID Information"},
/* Display names for the NT rename level, the delete-pending byte and the alignment requirement. Not every entry is visible in this excerpt. */
9842 static const value_string nt_rename_vals[] = {
9843 { 0x0103, "Create Hard Link"},
9848 static const value_string delete_pending_vals[] = {
9849 {0, "Normal, no pending delete"},
9850 {1, "This object has DELETE PENDING"},
/* The alignment keys are the alignment in bytes minus one (0, 1, 3, 7, 0x0f, ...), i.e. a mask of the low address bits. */
9854 static const value_string alignment_vals[] = {
9855 {0, "Byte alignment"},
9856 {1, "Word (16bit) alignment"},
9857 {3, "Long (32bit) alignment"},
9858 {7, "8 byte boundary alignment"},
9859 {0x0f, "16 byte boundary alignment"},
9860 {0x1f, "32 byte boundary alignment"},
9861 {0x3f, "64 byte boundary alignment"},
9862 {0x7f, "128 byte boundary alignment"},
9863 {0xff, "256 byte boundary alignment"},
9864 {0x1ff, "512 byte boundary alignment"},
/*
 * true_false_string pairs (first string when the bit is set, second when
 * it is clear) for the delete marker, DFS referral flags, device
 * characteristics and file system attributes, plus the DFS referral
 * server type names. Not every entry is visible in this excerpt.
 */
9868 static const true_false_string tfs_marked_for_deletion = {
9869 "File is MARKED FOR DELETION",
9870 "File is NOT marked for deletion"
9873 static const true_false_string tfs_get_dfs_server_hold_storage = {
9874 "Referral SERVER HOLDS STORAGE for the file",
9875 "Referral server does NOT hold storage for the file"
9877 static const true_false_string tfs_get_dfs_fielding = {
9878 "The server in referral is FIELDING CAPABLE",
9879 "The server in referrals is NOT fielding capable"
9882 static const true_false_string tfs_dfs_referral_flags_strip = {
9883 "STRIP off pathconsumed characters before submitting",
9884 "Do NOT strip off any characters"
9887 static const value_string dfs_referral_server_type_vals[] = {
9890 {2, "Netware Server"},
9891 {3, "Domain Server"},
/* Device characteristics bits. */
9896 static const true_false_string tfs_device_char_removable = {
9897 "This is a REMOVABLE device",
9898 "This is NOT a removable device"
9900 static const true_false_string tfs_device_char_read_only = {
9901 "This is a READ-ONLY device",
9902 "This is NOT a read-only device"
9904 static const true_false_string tfs_device_char_floppy = {
9905 "This is a FLOPPY DISK device",
9906 "This is NOT a floppy disk device"
9908 static const true_false_string tfs_device_char_write_once = {
9909 "This is a WRITE-ONCE device",
9910 "This is NOT a write-once device"
9912 static const true_false_string tfs_device_char_remote = {
9913 "This is a REMOTE device",
9914 "This is NOT a remote device"
9916 static const true_false_string tfs_device_char_mounted = {
9917 "This device is MOUNTED",
9918 "This device is NOT mounted"
9920 static const true_false_string tfs_device_char_virtual = {
9921 "This is a VIRTUAL device",
9922 "This is NOT a virtual device"
/* File system attribute bits. */
9926 static const true_false_string tfs_fs_attr_css = {
9927 "This FS supports CASE SENSITIVE SEARCHes",
9928 "This FS does NOT support case sensitive searches"
9930 static const true_false_string tfs_fs_attr_cpn = {
9931 "This FS supports CASE PRESERVED NAMES",
9932 "This FS does NOT support case preserved names"
9934 static const true_false_string tfs_fs_attr_pacls = {
9935 "This FS supports PERSISTENT ACLs",
9936 "This FS does NOT support persistent acls"
9938 static const true_false_string tfs_fs_attr_fc = {
9939 "This FS supports COMPRESSED FILES",
9940 "This FS does NOT support compressed files"
9942 static const true_false_string tfs_fs_attr_vq = {
9943 "This FS supports VOLUME QUOTAS",
9944 "This FS does NOT support volume quotas"
9946 static const true_false_string tfs_fs_attr_dim = {
9947 "This FS is on a MOUNTED DEVICE",
9948 "This FS is NOT on a mounted device"
9950 static const true_false_string tfs_fs_attr_vic = {
9951 "This FS is on a COMPRESSED VOLUME",
9952 "This FS is NOT on a compressed volume"
9955 #define FF2_RESUME 0x0004
/*
 * Dissect the 16-bit FIND_FIRST2 flags word at offset.
 *
 * Reads the word little-endian from tvb, records whether the FF2_RESUME
 * bit is set in the transaction state (t2i->resume_keys) when the frame
 * has not been visited before, and adds a "Flags" subtree with one
 * boolean per flag (backup, continue, resume, close-eos, close).
 */
9958 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9961 proto_item *item = NULL;
9962 proto_tree *tree = NULL;
9964 smb_transact2_info_t *t2i;
/* mask is taken straight from the packet. */
9966 mask = tvb_get_letohs(tvb, offset);
9968 si = (smb_info_t *)pinfo->private_data;
9969 if (si->sip != NULL) {
/* si->sip is checked above; NOTE(review): a NULL check on t2i itself is not visible in this excerpt - confirm extra_info cannot be NULL before the store below. */
9970 t2i = si->sip->extra_info;
/* State is only written when the frame has not been visited before, so later passes over the same frame do not overwrite it. */
9972 if (!pinfo->fd->flags.visited)
9973 t2i->resume_keys = (mask & FF2_RESUME);
9978 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9979 "Flags: 0x%04x", mask);
9980 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
/* Each call gets the full mask; presumably the bit to test is selected by the hf field's registered bitmask (defined elsewhere) - confirm. */
9983 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
9984 tvb, offset, 2, mask);
9985 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
9986 tvb, offset, 2, mask);
9987 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
9988 tvb, offset, 2, mask);
9989 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
9990 tvb, offset, 2, mask);
9991 proto_tree_add_boolean(tree, hf_smb_ff2_close,
9992 tvb, offset, 2, mask);
/*
 * Dissect the 16-bit I/O flag word of a SET_FILE_INFORMATION request.
 *
 * Reads the word little-endian from tvb and adds an "IO Flag" subtree
 * with the write-through and caching booleans. No state is kept.
 */
10001 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10004 proto_item *item = NULL;
10005 proto_tree *tree = NULL;
/* mask is taken straight from the packet. */
10007 mask = tvb_get_letohs(tvb, offset);
10010 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10011 "IO Flag: 0x%04x", mask);
10012 tree = proto_item_add_subtree(item, ett_smb_ioflag);
/* Each call gets the full mask; presumably the bit to test is selected by the hf field's registered bitmask (defined elsewhere) - confirm. */
10015 proto_tree_add_boolean(tree, hf_smb_sfi_writetru,
10016 tvb, offset, 2, mask);
10017 proto_tree_add_boolean(tree, hf_smb_sfi_caching,
10018 tvb, offset, 2, mask);
10027 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
10028 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
10030 proto_item *item = NULL;
10031 proto_tree *tree = NULL;
10033 smb_transact2_info_t *t2i;
10037 si = (smb_info_t *)pinfo->private_data;
10038 if (si->sip != NULL)
10039 t2i = si->sip->extra_info;
10044 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
10046 val_to_str(subcmd, trans2_cmd_vals,
10047 "Unknown (0x%02x)"));
10048 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
10052 case 0x00: /*TRANS2_OPEN2*/
10054 CHECK_BYTE_COUNT_TRANS(2);
10055 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
10058 /* desired access */
10059 CHECK_BYTE_COUNT_TRANS(2);
10060 offset = dissect_access(tvb, tree, offset, "Desired");
10063 /* Search Attributes */
10064 CHECK_BYTE_COUNT_TRANS(2);
10065 offset = dissect_search_attributes(tvb, tree, offset);
10068 /* File Attributes */
10069 CHECK_BYTE_COUNT_TRANS(2);
10070 offset = dissect_file_attributes(tvb, tree, offset, 2);
10074 CHECK_BYTE_COUNT_TRANS(4);
10075 offset = dissect_smb_datetime(tvb, tree, offset,
10076 hf_smb_create_time,
10077 hf_smb_create_dos_date, hf_smb_create_dos_time,
10081 /* open function */
10082 CHECK_BYTE_COUNT_TRANS(2);
10083 offset = dissect_open_function(tvb, tree, offset);
10086 /* allocation size */
10087 CHECK_BYTE_COUNT_TRANS(4);
10088 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10089 COUNT_BYTES_TRANS(4);
10091 /* 10 reserved bytes */
10092 CHECK_BYTE_COUNT_TRANS(10);
10093 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
10094 COUNT_BYTES_TRANS(10);
10097 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10098 CHECK_STRING_TRANS(fn);
10099 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10101 COUNT_BYTES_TRANS(fn_len);
10103 if (check_col(pinfo->cinfo, COL_INFO)) {
10104 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10108 case 0x01: /*TRANS2_FIND_FIRST2*/
10109 /* Search Attributes */
10110 CHECK_BYTE_COUNT_TRANS(2);
10111 offset = dissect_search_attributes(tvb, tree, offset);
10115 CHECK_BYTE_COUNT_TRANS(2);
10116 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10117 COUNT_BYTES_TRANS(2);
10119 /* Find First2 flags */
10120 CHECK_BYTE_COUNT_TRANS(2);
10121 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10124 /* Find First2 information level */
10125 CHECK_BYTE_COUNT_TRANS(2);
10126 si->info_level = tvb_get_letohs(tvb, offset);
10127 if (!pinfo->fd->flags.visited)
10128 t2i->info_level = si->info_level;
10129 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10130 COUNT_BYTES_TRANS(2);
10133 CHECK_BYTE_COUNT_TRANS(4);
10134 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
10135 COUNT_BYTES_TRANS(4);
10137 /* search pattern */
10138 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10139 CHECK_STRING_TRANS(fn);
10140 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
10142 COUNT_BYTES_TRANS(fn_len);
10144 if (check_col(pinfo->cinfo, COL_INFO)) {
10145 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
10150 case 0x02: /*TRANS2_FIND_NEXT2*/
10152 CHECK_BYTE_COUNT_TRANS(2);
10153 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
10154 COUNT_BYTES_TRANS(2);
10157 CHECK_BYTE_COUNT_TRANS(2);
10158 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
10159 COUNT_BYTES_TRANS(2);
10161 /* Find First2 information level */
10162 CHECK_BYTE_COUNT_TRANS(2);
10163 si->info_level = tvb_get_letohs(tvb, offset);
10164 if (!pinfo->fd->flags.visited)
10165 t2i->info_level = si->info_level;
10166 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
10167 COUNT_BYTES_TRANS(2);
10170 CHECK_BYTE_COUNT_TRANS(4);
10171 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
10172 COUNT_BYTES_TRANS(4);
10174 /* Find First2 flags */
10175 CHECK_BYTE_COUNT_TRANS(2);
10176 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
10180 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10181 CHECK_STRING_TRANS(fn);
10182 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10184 COUNT_BYTES_TRANS(fn_len);
10186 if (check_col(pinfo->cinfo, COL_INFO)) {
10187 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
10192 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
10193 /* level of interest */
10194 CHECK_BYTE_COUNT_TRANS(2);
10195 si->info_level = tvb_get_letohs(tvb, offset);
10196 if (!pinfo->fd->flags.visited)
10197 t2i->info_level = si->info_level;
10198 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
10199 COUNT_BYTES_TRANS(2);
10201 if (check_col(pinfo->cinfo, COL_INFO))
10202 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
10203 val_to_str(si->info_level, qfsi_vals,
10204 "Unknown (0x%02x)"));
10207 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
10208 /* level of interest */
10209 CHECK_BYTE_COUNT_TRANS(2);
10210 si->info_level = tvb_get_letohs(tvb, offset);
10211 if (!pinfo->fd->flags.visited)
10212 t2i->info_level = si->info_level;
10213 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10214 COUNT_BYTES_TRANS(2);
10216 if (check_col(pinfo->cinfo, COL_INFO)) {
10218 pinfo->cinfo, COL_INFO, ", %s",
10219 val_to_str(si->info_level, qpi_loi_vals,
10223 /* 4 reserved bytes */
10224 CHECK_BYTE_COUNT_TRANS(4);
10225 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10226 COUNT_BYTES_TRANS(4);
10229 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10230 CHECK_STRING_TRANS(fn);
10231 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10233 COUNT_BYTES_TRANS(fn_len);
10235 if (check_col(pinfo->cinfo, COL_INFO)) {
10236 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10241 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
10242 /* level of interest */
10243 CHECK_BYTE_COUNT_TRANS(2);
10244 si->info_level = tvb_get_letohs(tvb, offset);
10245 if (!pinfo->fd->flags.visited)
10246 t2i->info_level = si->info_level;
10247 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10248 COUNT_BYTES_TRANS(2);
10250 /* 4 reserved bytes */
10251 CHECK_BYTE_COUNT_TRANS(4);
10252 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10253 COUNT_BYTES_TRANS(4);
10256 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10257 CHECK_STRING_TRANS(fn);
10258 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10260 COUNT_BYTES_TRANS(fn_len);
10262 if (check_col(pinfo->cinfo, COL_INFO)) {
10263 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10268 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
10272 CHECK_BYTE_COUNT_TRANS(2);
10273 fid = tvb_get_letohs(tvb, offset);
10274 add_fid(tvb, pinfo, tree, offset, 2, fid);
10275 COUNT_BYTES_TRANS(2);
10277 /* level of interest */
10278 CHECK_BYTE_COUNT_TRANS(2);
10279 si->info_level = tvb_get_letohs(tvb, offset);
10280 if (!pinfo->fd->flags.visited)
10281 t2i->info_level = si->info_level;
10282 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
10283 COUNT_BYTES_TRANS(2);
10285 if (check_col(pinfo->cinfo, COL_INFO)) {
10287 pinfo->cinfo, COL_INFO, ", %s",
10288 val_to_str(si->info_level, qpi_loi_vals,
10294 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
10298 CHECK_BYTE_COUNT_TRANS(2);
10299 fid = tvb_get_letohs(tvb, offset);
10300 add_fid(tvb, pinfo, tree, offset, 2, fid);
10301 COUNT_BYTES_TRANS(2);
10303 /* level of interest */
10304 CHECK_BYTE_COUNT_TRANS(2);
10305 si->info_level = tvb_get_letohs(tvb, offset);
10306 if (!pinfo->fd->flags.visited)
10307 t2i->info_level = si->info_level;
10308 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
10309 COUNT_BYTES_TRANS(2);
10313 * XXX - "Microsoft Networks SMB File Sharing Protocol
10314 * Extensions Version 3.0, Document Version 1.11,
10315 * July 19, 1990" says this is I/O flags, but it's
10316 * reserved in the SNIA spec, and some clients appear
10317 * to leave junk in it.
10319 * Is this some field used only if a particular
10320 * dialect was negotiated, so that clients can feel
10321 * safe not setting it if they haven't negotiated that
10322 * dialect? Or do the (non-OS/2) clients simply not care
10323 * about that particular OS/2-oriented dialect?
10327 CHECK_BYTE_COUNT_TRANS(2);
10328 offset = dissect_sfi_ioflag(tvb, tree, offset);
10331 /* 2 reserved bytes */
10332 CHECK_BYTE_COUNT_TRANS(2);
10333 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10334 COUNT_BYTES_TRANS(2);
10339 case 0x09: /*TRANS2_FSCTL*/
10340 /* this call has no parameter block in the request */
10343 * XXX - "Microsoft Networks SMB File Sharing Protocol
10344 * Extensions Version 3.0, Document Version 1.11,
10345 * July 19, 1990" says this contains a
10346 * "File system specific parameter block". (That means
10347 * we may not be able to dissect it in any case.)
10350 case 0x0a: /*TRANS2_IOCTL2*/
10351 /* this call has no parameter block in the request */
10354 * XXX - "Microsoft Networks SMB File Sharing Protocol
10355 * Extensions Version 3.0, Document Version 1.11,
10356 * July 19, 1990" says this contains a
10357 * "Device/function specific parameter block". (That
10358 * means we may not be able to dissect it in any case.)
10361 case 0x0b: { /*TRANS2_FIND_NOTIFY_FIRST*/
10362 /* Search Attributes */
10363 CHECK_BYTE_COUNT_TRANS(2);
10364 offset = dissect_search_attributes(tvb, tree, offset);
10367 /* Number of changes to wait for */
10368 CHECK_BYTE_COUNT_TRANS(2);
10369 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10370 COUNT_BYTES_TRANS(2);
10372 /* Find Notify information level */
10373 CHECK_BYTE_COUNT_TRANS(2);
10374 si->info_level = tvb_get_letohs(tvb, offset);
10375 if (!pinfo->fd->flags.visited)
10376 t2i->info_level = si->info_level;
10377 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
10378 COUNT_BYTES_TRANS(2);
10380 /* 4 reserved bytes */
10381 CHECK_BYTE_COUNT_TRANS(4);
10382 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10383 COUNT_BYTES_TRANS(4);
10386 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10387 CHECK_STRING_TRANS(fn);
10388 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10390 COUNT_BYTES_TRANS(fn_len);
10392 if (check_col(pinfo->cinfo, COL_INFO)) {
10393 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10399 case 0x0c: { /*TRANS2_FIND_NOTIFY_NEXT*/
10400 /* Monitor handle */
10401 CHECK_BYTE_COUNT_TRANS(2);
10402 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
10403 COUNT_BYTES_TRANS(2);
10405 /* Number of changes to wait for */
10406 CHECK_BYTE_COUNT_TRANS(2);
10407 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, TRUE);
10408 COUNT_BYTES_TRANS(2);
10412 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
10413 /* 4 reserved bytes */
10414 CHECK_BYTE_COUNT_TRANS(4);
10415 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
10416 COUNT_BYTES_TRANS(4);
10419 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
10420 FALSE, FALSE, &bc);
10421 CHECK_STRING_TRANS(fn);
10422 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
10424 COUNT_BYTES_TRANS(fn_len);
10426 if (check_col(pinfo->cinfo, COL_INFO)) {
10427 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
10431 case 0x0e: /*TRANS2_SESSION_SETUP*/
10432 /* XXX unknown structure*/
10434 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10435 /* referral level */
10436 CHECK_BYTE_COUNT_TRANS(2);
10437 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
10438 COUNT_BYTES_TRANS(2);
10441 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10442 CHECK_STRING_TRANS(fn);
10443 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10445 COUNT_BYTES_TRANS(fn_len);
10447 if (check_col(pinfo->cinfo, COL_INFO)) {
10448 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10453 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10455 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc);
10456 CHECK_STRING_TRANS(fn);
10457 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10459 COUNT_BYTES_TRANS(fn_len);
10461 if (check_col(pinfo->cinfo, COL_INFO)) {
10462 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
10469 /* ooops there were data we didnt know how to process */
10471 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, TRUE);
10479 * XXX - just use "dissect_connect_flags()" here?
/*
 * Adds the 2-byte transaction flags word found at `offset` to `parent_tree`.
 *
 * The word is read little-endian with tvb_get_letohs(), shown as a
 * "Flags: 0x%04x" text item with an ett_smb_transaction_flags subtree, and
 * decoded through the hf_smb_transaction_flags_owt and
 * hf_smb_transaction_flags_dtid boolean fields.
 *
 * NOTE(review): the embedded line numbers skip (10483-10484, 10489-10490,
 * 10500 onwards), so the declaration of `mask`, whatever guards the subtree
 * creation, and the return statement are not visible in this listing.
 */
10482 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10485 proto_item *item = NULL;
10486 proto_tree *tree = NULL;
/* Flags word comes straight from the packet. */
10488 mask = tvb_get_letohs(tvb, offset);
10491 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10492 "Flags: 0x%04x", mask);
10493 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
/* Each boolean item receives the whole mask; which bit it displays is
 * decided by the hf_ field registration, which is outside this view. */
10496 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
10497 tvb, offset, 2, mask);
10498 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
10499 tvb, offset, 2, mask);
/*
 * Adds the 2-byte "get Dfs" flags word found at `offset` to `parent_tree`.
 *
 * The word is read little-endian, shown as a "Flags: 0x%04x" text item with
 * an ett_smb_get_dfs_flags subtree, and decoded through the
 * hf_smb_get_dfs_server_hold_storage and hf_smb_get_dfs_fielding boolean
 * fields.
 *
 * NOTE(review): the embedded line numbers skip, so the declaration of
 * `mask`, the guard around the subtree creation (if any) and the return
 * statement are not visible in this listing.
 */
10506 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10509 proto_item *item = NULL;
10510 proto_tree *tree = NULL;
/* Flags word comes straight from the packet. */
10512 mask = tvb_get_letohs(tvb, offset);
10515 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10516 "Flags: 0x%04x", mask);
10517 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
/* Both items are handed the full mask over the same 2 bytes. */
10520 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
10521 tvb, offset, 2, mask);
10522 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
10523 tvb, offset, 2, mask);
/*
 * Adds the 2-byte Dfs referral flags word found at `offset` to
 * `parent_tree`.
 *
 * The word is read little-endian, shown as a "Flags: 0x%04x" text item with
 * an ett_smb_dfs_referral_flags subtree, and decoded through the
 * hf_smb_dfs_referral_flags_strip boolean field.
 *
 * Callers in this file assign the result back to their offset
 * (`offset = dissect_dfs_referral_flags(...)`), so the function returns an
 * offset; the return statement itself is among the lines missing from this
 * listing, as is the declaration of `mask`.
 */
10530 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
10533 proto_item *item = NULL;
10534 proto_tree *tree = NULL;
/* Flags word comes straight from the packet. */
10536 mask = tvb_get_letohs(tvb, offset);
10539 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
10540 "Flags: 0x%04x", mask);
10541 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
10544 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
10545 tvb, offset, 2, mask);
10553 /* dfs inconsistency data (4.4.2)
/*
 * Dissects the Dfs inconsistency data block: referral version (2 bytes),
 * referral size (2), referral server type (2), referral flags (2) and a
 * node name string.
 *
 * `bcp` points at the remaining byte count; `si->unicode` selects how the
 * string is decoded.
 *
 * NOTE(review): CHECK_BYTE_COUNT_TRANS_SUBR, COUNT_BYTES_TRANS_SUBR and
 * CHECK_STRING_TRANS_SUBR are defined outside this view. Presumably the
 * CHECK_ macros leave the function when the packet is shorter than
 * requested and COUNT_BYTES_ advances offset and decrements *bcp - confirm
 * against their definitions. The embedded line numbers skip, so the
 * declarations of fn and fn_len and the return statement are not visible.
 */
10556 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
10557 proto_tree *tree, int offset, guint16 *bcp)
10559 smb_info_t *si = pinfo->private_data;
10563 /*XXX shouldn't this data hold version and size? unclear from doc*/
10564 /* referral version */
10565 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10566 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
10567 COUNT_BYTES_TRANS_SUBR(2);
10569 /* referral size */
10570 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10571 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
10572 COUNT_BYTES_TRANS_SUBR(2);
10574 /* referral server type */
10575 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10576 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10577 COUNT_BYTES_TRANS_SUBR(2);
10579 /* referral flags */
10580 CHECK_BYTE_COUNT_TRANS_SUBR(2);
/* The helper hands back the new offset; the matching adjustment of *bcp is
 * on a line missing from this listing (10582) - verify it is there, or
 * *bcp overstates the bytes left for the string below. */
10581 offset = dissect_dfs_referral_flags(tvb, tree, offset);
/* node name: the helper receives bcp and fills in fn_len. */
10585 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10586 CHECK_STRING_TRANS_SUBR(fn);
10587 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10589 COUNT_BYTES_TRANS_SUBR(fn_len);
10594 /* get dfs referral data (4.4.1)
/*
 * Dissects the data block of a get-Dfs-referral reply: a header (path
 * consumed, number of referrals, Dfs flags, 2 bytes shown as padding)
 * followed by a "Referrals" subtree holding one "Referral" subtree per
 * entry.
 *
 * Every count, size and offset used here is read from the packet with
 * tvb_get_letohs(): numref, version, refsize, pathoffset, altpathoffset and
 * nodeoffset. On a hostile capture they are attacker-chosen, so the bounds
 * handling below is the part to review carefully:
 *   - out-of-line strings are located at old_offset + <wire offset> and are
 *     only followed when that position is ahead of the current offset and
 *     the distance is smaller than the remaining byte count *bcp;
 *   - the trailing "unknown" bytes of a referral are sized from refsize;
 *   - the final skip past the string area is clamped to *bcp.
 *
 * NOTE(review): this listing has lost many lines (the embedded line numbers
 * skip). Not visible: most local declarations, the loop over the referrals,
 * the switch that the `case 3:` label belongs to, whatever restores *bcp
 * after each out-of-line string (only the `*bcp -= offsetoffset` half is
 * shown), the handling of a negative unklen, and the return statement.
 * Confirm those against the full file before drawing conclusions.
 * CHECK_BYTE_COUNT_TRANS_SUBR / COUNT_BYTES_TRANS_SUBR / CHECK_STRING_TRANS_SUBR
 * are defined outside this view; presumably the CHECK_ macros leave the
 * function on a short packet.
 */
10597 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
10598 proto_tree *tree, int offset, guint16 *bcp)
10600 smb_info_t *si = pinfo->private_data;
10603 guint16 pathoffset;
10604 guint16 altpathoffset;
10605 guint16 nodeoffset;
10615 /* path consumed */
10616 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10617 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
10618 COUNT_BYTES_TRANS_SUBR(2);
10620 /* num referrals */
10621 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10622 numref = tvb_get_letohs(tvb, offset);
10623 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
10624 COUNT_BYTES_TRANS_SUBR(2);
10626 /* get dfs flags */
10627 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10628 offset = dissect_get_dfs_flags(tvb, tree, offset);
10631 /* XXX - in at least one capture there appears to be 2 bytes
10632 of stuff after the Dfs flags, perhaps so that the header
10633 in front of the referral list is a multiple of 4 bytes long. */
10634 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10635 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
10636 COUNT_BYTES_TRANS_SUBR(2);
10638 /* if there are any referrals */
10640 proto_item *ref_item = NULL;
10641 proto_tree *ref_tree = NULL;
/* Start of the whole referral list; used for ref_item's final length. */
10642 int old_offset=offset;
10645 ref_item = proto_tree_add_text(tree,
10646 tvb, offset, *bcp, "Referrals");
10647 ref_tree = proto_item_add_subtree(ref_item,
10648 ett_smb_dfs_referrals);
10653 proto_item *ri = NULL;
10654 proto_tree *rt = NULL;
/* Declared a second time: this old_offset appears to be the start of the
 * current referral and shadows the list-level one above. The string
 * offsets and refsize below are applied relative to it. */
10655 int old_offset=offset;
10659 ri = proto_tree_add_text(ref_tree,
10660 tvb, offset, *bcp, "Referral");
10661 rt = proto_item_add_subtree(ri,
10662 ett_smb_dfs_referral);
10665 /* referral version */
10666 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10667 version = tvb_get_letohs(tvb, offset);
10668 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
10669 tvb, offset, 2, version);
10670 COUNT_BYTES_TRANS_SUBR(2);
10672 /* referral size */
10673 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10674 refsize = tvb_get_letohs(tvb, offset);
10675 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
10676 COUNT_BYTES_TRANS_SUBR(2);
10678 /* referral server type */
10679 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10680 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
10681 COUNT_BYTES_TRANS_SUBR(2);
10683 /* referral flags */
10684 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10685 offset = dissect_dfs_referral_flags(tvb, rt, offset);
/* In-line node name (the case label this belongs to is not visible). */
10692 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10693 CHECK_STRING_TRANS_SUBR(fn);
10694 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
10696 COUNT_BYTES_TRANS_SUBR(fn_len);
10700 case 3: /* XXX - like version 2, but not identical;
10701 seen in a capture, but the format isn't
10704 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10705 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
10706 COUNT_BYTES_TRANS_SUBR(2);
10709 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10710 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
10711 COUNT_BYTES_TRANS_SUBR(2);
10714 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10715 pathoffset = tvb_get_letohs(tvb, offset);
10716 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
10717 COUNT_BYTES_TRANS_SUBR(2);
10719 /* alt path offset */
10720 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10721 altpathoffset = tvb_get_letohs(tvb, offset);
10722 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
10723 COUNT_BYTES_TRANS_SUBR(2);
10726 CHECK_BYTE_COUNT_TRANS_SUBR(2);
10727 nodeoffset = tvb_get_letohs(tvb, offset);
10728 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
10729 COUNT_BYTES_TRANS_SUBR(2);
/* Out-of-line path string. pathoffset is wire-supplied and relative to
 * old_offset; the string is dissected only when it lies ahead of the
 * current offset (offsetoffset > 0) and within the remaining byte count
 * (*bcp > offsetoffset). *bcp is reduced by the distance for the helper
 * call; the line that saves/restores it is not visible here. */
10732 if (pathoffset != 0) {
10733 stroffset = old_offset + pathoffset;
10734 offsetoffset = stroffset - offset;
10735 if (offsetoffset > 0 &&
10736 *bcp > offsetoffset) {
10738 *bcp -= offsetoffset;
10739 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10740 CHECK_STRING_TRANS_SUBR(fn);
10741 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
10743 stroffset += fn_len;
/* Remember the furthest end of any out-of-line string. */
10744 if (ucstring_end < stroffset)
10745 ucstring_end = stroffset;
/* Alternate path string: same bounds pattern as the path string. */
10751 if (altpathoffset != 0) {
10752 stroffset = old_offset + altpathoffset;
10753 offsetoffset = stroffset - offset;
10754 if (offsetoffset > 0 &&
10755 *bcp > offsetoffset) {
10757 *bcp -= offsetoffset;
10758 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10759 CHECK_STRING_TRANS_SUBR(fn);
10760 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
10762 stroffset += fn_len;
10763 if (ucstring_end < stroffset)
10764 ucstring_end = stroffset;
/* Node string: same bounds pattern as the path string. */
10770 if (nodeoffset != 0) {
10771 stroffset = old_offset + nodeoffset;
10772 offsetoffset = stroffset - offset;
10773 if (offsetoffset > 0 &&
10774 *bcp > offsetoffset) {
10776 *bcp -= offsetoffset;
10777 fn = get_unicode_or_ascii_string(tvb, &stroffset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10778 CHECK_STRING_TRANS_SUBR(fn);
10779 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
10781 stroffset += fn_len;
10782 if (ucstring_end < stroffset)
10783 ucstring_end = stroffset;
10791 * Show anything beyond the length of the referral
/* refsize is wire-supplied, so unklen can be negative when the declared
 * size is smaller than what was already dissected; the XXX below concerns
 * that case, but the lines that handle it (10798-10801) are missing from
 * this listing. */
10794 unklen = (old_offset + refsize) - offset;
10797 * XXX - the length is bogus.
10802 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
10803 proto_tree_add_item(rt, hf_smb_unknown, tvb,
10804 offset, unklen, TRUE);
10805 COUNT_BYTES_TRANS_SUBR(unklen);
/* Shrink the "Referral" item from its provisional *bcp length to what was
 * actually consumed. */
10808 proto_item_set_len(ri, offset-old_offset);
10812 * Treat the offset past the end of the last Unicode
10813 * string after the referrals (if any) as the last
/* Skip over the out-of-line string area, never by more than the bytes
 * still counted in *bcp. */
10816 if (ucstring_end > offset) {
10817 ucstring_len = ucstring_end - offset;
10818 if (*bcp < ucstring_len)
10819 ucstring_len = *bcp;
10820 offset += ucstring_len;
10821 *bcp -= ucstring_len;
10823 proto_item_set_len(ref_item, offset-old_offset);
10830 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
10831 as described in 4.2.16.1
/*
 * Dissects the SMB_INFO_STANDARD / SMB_INFO_QUERY_EA_SIZE structure
 * (section 4.2.16.1 per the comment above), in wire order: create time,
 * access time and last write time (4 bytes each, via
 * dissect_smb_datetime()), data size (4), allocation size (4), file
 * attributes (2) and EA list length (4).
 *
 * `bcp` points at the remaining byte count and `trunc` is the caller's
 * truncation flag.
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; presumably the first returns early (setting *trunc) when fewer
 * than N bytes remain and the second advances offset and decrements *bcp.
 * The embedded line numbers skip after each dissect_smb_datetime() and
 * dissect_file_attributes() call, so the rest of their argument lists and
 * the matching *bcp adjustments are not visible - verify each helper call
 * is followed by one. The return statement is also not visible.
 */
10834 dissect_4_2_16_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10835 int offset, guint16 *bcp, gboolean *trunc)
10838 CHECK_BYTE_COUNT_SUBR(4);
10839 offset = dissect_smb_datetime(tvb, tree, offset,
10840 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
10845 CHECK_BYTE_COUNT_SUBR(4);
10846 offset = dissect_smb_datetime(tvb, tree, offset,
10847 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
10851 /* last write time */
10852 CHECK_BYTE_COUNT_SUBR(4);
10853 offset = dissect_smb_datetime(tvb, tree, offset,
10854 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
/* data size */
10859 CHECK_BYTE_COUNT_SUBR(4);
10860 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10861 COUNT_BYTES_SUBR(4);
10863 /* allocation size */
10864 CHECK_BYTE_COUNT_SUBR(4);
10865 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10866 COUNT_BYTES_SUBR(4);
10868 /* File Attributes */
10869 CHECK_BYTE_COUNT_SUBR(2);
10870 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* EA list length */
10874 CHECK_BYTE_COUNT_SUBR(4);
10875 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
10876 COUNT_BYTES_SUBR(4);
10882 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
10883 as described in 4.2.16.2
/*
 * Dissects an extended-attribute (EA) list (section 4.2.16.2 per the
 * comment above): a 4-byte list length, then EA entries, each placed in its
 * own "Extended Attribute" subtree with flags (1 byte), name length (1),
 * data length (2), the name (name_len + 1 bytes) and the data (data_len
 * bytes).
 *
 * name_len and data_len come from the packet and are then used as lengths,
 * so on a hostile capture they are attacker-chosen.
 *
 * NOTE(review): name_len, data_len and the name string are each fetched
 * with a tvb_get_ accessor BEFORE the CHECK_BYTE_COUNT_SUBR() that covers
 * the same bytes. Presumably the accessors bounds-check against the buffer
 * themselves, but these reads are not limited to the SMB byte count *bcp.
 * Moving each check above its read would keep parsing inside the counted
 * data - confirm against the macro and tvbuff definitions.
 * NOTE(review): tvb_get_string() looks like it returns an allocated copy.
 * The line after 10935 is missing from this listing; verify `name` is
 * released before CHECK_BYTE_COUNT_SUBR(name_len + 1) can leave the
 * function, otherwise a truncated entry leaks it.
 * NOTE(review): the loop header, the declarations of item, name, name_len
 * and data_len, and the return statement are not visible (the embedded
 * line numbers skip).
 */
10886 dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10887 int offset, guint16 *bcp, gboolean *trunc)
/* EA list length */
10893 CHECK_BYTE_COUNT_SUBR(4);
10894 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
10895 COUNT_BYTES_SUBR(4);
10899 proto_tree *subtree;
10900 int start_offset = offset;
/* Created with length 0; the real length is set once the entry is parsed. */
10903 item = proto_tree_add_text(
10904 tree, tvb, offset, 0, "Extended Attribute");
10905 subtree = proto_item_add_subtree(item, ett_smb_ea);
/* EA flags */
10909 CHECK_BYTE_COUNT_SUBR(1);
10910 proto_tree_add_item(
10911 subtree, hf_smb_ea_flags, tvb, offset, 1, TRUE);
10912 COUNT_BYTES_SUBR(1);
10914 /* EA name length */
/* Read happens before the byte-count check just below. */
10916 name_len = tvb_get_guint8(tvb, offset);
10918 CHECK_BYTE_COUNT_SUBR(1);
10919 proto_tree_add_item(
10920 subtree, hf_smb_ea_name_length, tvb, offset, 1, TRUE);
10921 COUNT_BYTES_SUBR(1);
10923 /* EA data length */
/* Read happens before the byte-count check just below. */
10925 data_len = tvb_get_letohs(tvb, offset);
10927 CHECK_BYTE_COUNT_SUBR(2);
10928 proto_tree_add_item(
10929 subtree, hf_smb_ea_data_length, tvb, offset, 2, TRUE);
10930 COUNT_BYTES_SUBR(2);
/* EA name: copied out using the wire-supplied name_len before the
 * name_len + 1 byte-count check. */
10934 name = tvb_get_string(tvb, offset, name_len);
10935 proto_item_append_text(item, ": %s", name);
10938 CHECK_BYTE_COUNT_SUBR(name_len + 1);
10939 proto_tree_add_item(
10940 subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
10942 COUNT_BYTES_SUBR(name_len + 1);
/* EA data: data_len bytes, checked against *bcp first. */
10946 CHECK_BYTE_COUNT_SUBR(data_len);
10947 proto_tree_add_item(
10948 subtree, hf_smb_ea_data, tvb, offset, data_len, TRUE);
10949 COUNT_BYTES_SUBR(data_len);
10951 proto_item_set_len(item, offset - start_offset);
10958 /* this dissects the SMB_INFO_IS_NAME_VALID
10959 as described in 4.2.16.3
/*
 * Dissects the SMB_INFO_IS_NAME_VALID structure (section 4.2.16.3 per the
 * comment above): a single file name string, decoded as Unicode or ASCII
 * according to si->unicode and added as hf_smb_file_name.
 *
 * NOTE(review): CHECK_STRING_SUBR and COUNT_BYTES_SUBR are defined outside
 * this view; presumably the first leaves the function when the helper
 * could not produce a string. The declarations of fn and fn_len, the last
 * argument of proto_tree_add_string() and the return statement are on
 * lines missing from this listing.
 */
10962 dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10963 int offset, guint16 *bcp, gboolean *trunc)
10965 smb_info_t *si = pinfo->private_data;
/* The helper receives bcp and fills in fn_len. */
10970 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
10971 CHECK_STRING_SUBR(fn);
10972 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10974 COUNT_BYTES_SUBR(fn_len);
10980 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
10981 as described in 4.2.16.4
/*
 * Dissects the SMB_QUERY_FILE_BASIC_INFO structure (section 4.2.16.4 per
 * the comment above): create time, access time, last write time and last
 * change time (8 bytes each, via dissect_smb_64bit_time()), then file
 * attributes (4 bytes, via dissect_file_attributes()).
 *
 * NOTE(review): each helper returns the new offset, so *bcp has to be
 * reduced separately. The line after every helper call is missing from
 * this listing (10990, 10995, 11001, 11006, 11011); verify each one
 * subtracts the field size from *bcp, otherwise later byte-count checks
 * pass on data that is not there. CHECK_BYTE_COUNT_SUBR is defined outside
 * this view. The return statement is not visible.
 */
10984 dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
10985 int offset, guint16 *bcp, gboolean *trunc)
/* create time */
10988 CHECK_BYTE_COUNT_SUBR(8);
10989 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
/* access time */
10993 CHECK_BYTE_COUNT_SUBR(8);
10994 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
10997 /* last write time */
10998 CHECK_BYTE_COUNT_SUBR(8);
10999 offset = dissect_smb_64bit_time(tvb, tree, offset,
11000 hf_smb_last_write_time);
11003 /* last change time */
11004 CHECK_BYTE_COUNT_SUBR(8);
11005 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
11008 /* File Attributes */
11009 CHECK_BYTE_COUNT_SUBR(4);
11010 offset = dissect_file_attributes(tvb, tree, offset, 4);
11017 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
11018 as described in 4.2.16.5
/*
 * Dissects the SMB_QUERY_FILE_STANDARD_INFO structure (section 4.2.16.5 per
 * the comment above): allocation size (8 bytes), end of file (8), number of
 * links (4), delete pending (1) and is-directory (1).
 *
 * Every field follows the same three steps: check that *bcp covers it, add
 * the item, then count the bytes.
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; presumably the first returns early (setting *trunc) on a short
 * packet. The return statement is on a line missing from this listing.
 */
11021 dissect_4_2_16_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11022 int offset, guint16 *bcp, gboolean *trunc)
11024 /* allocation size */
11025 CHECK_BYTE_COUNT_SUBR(8);
11026 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11027 COUNT_BYTES_SUBR(8);
/* end of file */
11030 CHECK_BYTE_COUNT_SUBR(8);
11031 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11032 COUNT_BYTES_SUBR(8);
11034 /* number of links */
11035 CHECK_BYTE_COUNT_SUBR(4);
11036 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
11037 COUNT_BYTES_SUBR(4);
11039 /* delete pending */
11040 CHECK_BYTE_COUNT_SUBR(1);
11041 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, TRUE);
11042 COUNT_BYTES_SUBR(1);
/* is directory */
11045 CHECK_BYTE_COUNT_SUBR(1);
11046 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
11047 COUNT_BYTES_SUBR(1);
11053 /* this dissects the SMB_QUERY_FILE_EA_INFO
11054 as described in 4.2.16.6
/*
 * Dissects the SMB_QUERY_FILE_EA_INFO structure (section 4.2.16.6 per the
 * comment above): a single 4-byte EA list length.
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; the return statement is on a line missing from this listing.
 */
11057 dissect_4_2_16_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11058 int offset, guint16 *bcp, gboolean *trunc)
/* EA list length */
11061 CHECK_BYTE_COUNT_SUBR(4);
11062 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
11063 COUNT_BYTES_SUBR(4);
11069 /* this dissects the SMB_QUERY_FILE_NAME_INFO
11070 as described in 4.2.16.7
11071 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
11072 as described in 4.2.16.9
/*
 * Dissects the SMB_QUERY_FILE_NAME_INFO / SMB_QUERY_FILE_ALT_NAME_INFO
 * structure (sections 4.2.16.7 and 4.2.16.9 per the comment above): a
 * 4-byte file name length followed by the file name string.
 *
 * The on-wire length is only displayed (hf_smb_file_name_len); in the lines
 * visible here it is not stored, and fn_len is filled in by
 * get_unicode_or_ascii_string(), which is also handed bcp.
 *
 * NOTE(review): the declarations of fn and fn_len, the last argument of
 * proto_tree_add_string() and the return statement are on lines missing
 * from this listing. The CHECK_ and COUNT_ macros are defined outside this
 * view.
 */
11075 dissect_4_2_16_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11076 int offset, guint16 *bcp, gboolean *trunc)
11078 smb_info_t *si = pinfo->private_data;
11082 /* file name len */
11083 CHECK_BYTE_COUNT_SUBR(4);
11084 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
11085 COUNT_BYTES_SUBR(4);
/* file name */
11088 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
11089 CHECK_STRING_SUBR(fn);
11090 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11092 COUNT_BYTES_SUBR(fn_len);
11098 /* this dissects the SMB_QUERY_FILE_ALL_INFO
11099 as described in 4.2.16.8
/*
 * Dissects the SMB_QUERY_FILE_ALL_INFO structure (section 4.2.16.8 per the
 * comment above) by chaining the smaller dissectors: basic info
 * (dissect_4_2_16_4), standard info (dissect_4_2_16_5), an 8-byte index
 * number, EA info (dissect_4_2_16_6), a 4-byte access mask, a second 8-byte
 * item also registered as hf_smb_index_number, current offset (8), NT
 * create options (4), alignment (4) and EA info once more.
 *
 * NOTE(review): the embedded line numbers skip after each sub-dissector
 * call; presumably the missing lines test *trunc and return early. Verify
 * that, since continuing after a truncated sub-structure would decode
 * later fields from the wrong position.
 * NOTE(review): `offset = dissect_smb_access_mask(...)` is followed by
 * COUNT_BYTES_SUBR(4). Elsewhere in this file a helper that returns the
 * advanced offset is followed by a bare `*bcp -= N` instead (see the
 * comment "dissect_smb_64bit_time() increments offset" in
 * dissect_4_2_16_12). If dissect_smb_access_mask() also returns the
 * advanced offset and COUNT_BYTES_SUBR also adds to offset, the access mask
 * is counted twice and every later field is decoded 4 bytes late - confirm
 * against both definitions.
 */
11102 dissect_4_2_16_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
11103 int offset, guint16 *bcp, gboolean *trunc)
/* basic info */
11106 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp, trunc);
/* standard info */
11110 offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp, trunc);
/* index number */
11116 CHECK_BYTE_COUNT_SUBR(8);
11117 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
11118 COUNT_BYTES_SUBR(8);
/* EA info */
11120 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
/* access mask - see the double-count note in the header comment */
11125 CHECK_BYTE_COUNT_SUBR(4);
11126 offset = dissect_smb_access_mask(tvb, tree, offset);
11127 COUNT_BYTES_SUBR(4);
/* shown with the same hf_smb_index_number field as above */
11130 CHECK_BYTE_COUNT_SUBR(8);
11131 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
11132 COUNT_BYTES_SUBR(8);
11134 /* current offset */
11135 CHECK_BYTE_COUNT_SUBR(8);
11136 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
11137 COUNT_BYTES_SUBR(8);
/* NT create options; the *bcp adjustment for these 4 bytes is on a line
 * missing from this listing (11142). */
11140 CHECK_BYTE_COUNT_SUBR(4);
11141 offset = dissect_nt_create_options(tvb, tree, offset);
/* alignment */
11145 CHECK_BYTE_COUNT_SUBR(4);
11146 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
11147 COUNT_BYTES_SUBR(4);
/* EA info again */
11149 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
11154 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
11155 as described in 4.2.16.10
/*
 * Dissects SMB_QUERY_FILE_STREAM_INFO entries (section 4.2.16.10 per the
 * comment above). Each entry gets a "Stream Info" subtree holding the next
 * entry offset (4 bytes), stream name length (4), stream size (8),
 * allocation size (8) and the stream name; the name is also appended to
 * the subtree label.
 *
 * neo (next entry offset) and fn_len are 32-bit values read from the packet
 * with tvb_get_letohl(), so on a hostile capture both are attacker-chosen.
 * neo decides how far to skip to the next entry:
 * padcnt = (old_offset + neo) - offset, which is checked against *bcp
 * before it is consumed.
 *
 * NOTE(review): the loop header, the condition in front of
 * `break; (no more structures)`, and the handling of the "bogus" padcnt the
 * XXX comment refers to (lines 11218-11224) are missing from this listing.
 * Verify that a negative padcnt is neutralised before
 * CHECK_BYTE_COUNT_SUBR(padcnt) / COUNT_BYTES_SUBR(padcnt), since *bcp is a
 * guint16 and a negative count would otherwise move offset backwards.
 * NOTE(review): get_unicode_or_ascii_string() is called with TRUE as its
 * sixth argument here, where most callers in this file pass FALSE, and
 * fn_len already holds the wire value; presumably that makes the helper
 * honour fn_len as the string length - confirm how it bounds that length
 * against *bcp.
 */
11158 dissect_4_2_16_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11159 int offset, guint16 *bcp, gboolean *trunc)
11165 smb_info_t *si = pinfo->private_data;
/* Start of this entry; neo is applied relative to it. */
11171 old_offset = offset;
11173 /* next entry offset */
11174 CHECK_BYTE_COUNT_SUBR(4);
/* Provisional length *bcp; corrected by proto_item_set_len() below. */
11176 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
11177 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11183 neo = tvb_get_letohl(tvb, offset);
11184 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11185 COUNT_BYTES_SUBR(4);
11187 /* stream name len */
11188 CHECK_BYTE_COUNT_SUBR(4);
11189 fn_len = tvb_get_letohl(tvb, offset);
11190 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
11191 COUNT_BYTES_SUBR(4);
/* stream size */
11194 CHECK_BYTE_COUNT_SUBR(8);
11195 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
11196 COUNT_BYTES_SUBR(8);
11198 /* allocation size */
11199 CHECK_BYTE_COUNT_SUBR(8);
11200 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11201 COUNT_BYTES_SUBR(8);
/* stream name */
11204 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11205 CHECK_STRING_SUBR(fn);
11206 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
11208 COUNT_BYTES_SUBR(fn_len);
11210 proto_item_append_text(item, ": %s", fn);
11211 proto_item_set_len(item, offset-old_offset);
11214 break; /* no more structures */
11216 /* skip to next structure */
11217 padcnt = (old_offset + neo) - offset;
11220 * XXX - this is bogus; flag it?
11225 CHECK_BYTE_COUNT_SUBR(padcnt);
11226 COUNT_BYTES_SUBR(padcnt);
11234 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
11235 as described in 4.2.16.11
/*
 * Dissects the SMB_QUERY_FILE_COMPRESSION_INFO structure (section 4.2.16.11
 * per the comment above): compressed file size (8 bytes), compression
 * format (2), unit shift (1), chunk shift (1), cluster shift (1) and 3
 * reserved bytes.
 *
 * Every field follows the same three steps: check that *bcp covers it, add
 * the item, then count the bytes.
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; the return statement is on a line missing from this listing.
 */
11238 dissect_4_2_16_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11239 int offset, guint16 *bcp, gboolean *trunc)
11241 /* compressed file size */
11242 CHECK_BYTE_COUNT_SUBR(8);
11243 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
11244 COUNT_BYTES_SUBR(8);
11246 /* compression format */
11247 CHECK_BYTE_COUNT_SUBR(2);
11248 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
11249 COUNT_BYTES_SUBR(2);
11251 /* compression unit shift */
11252 CHECK_BYTE_COUNT_SUBR(1);
11253 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
11254 COUNT_BYTES_SUBR(1);
11256 /* compression chunk shift */
11257 CHECK_BYTE_COUNT_SUBR(1);
11258 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
11259 COUNT_BYTES_SUBR(1);
11261 /* compression cluster shift */
11262 CHECK_BYTE_COUNT_SUBR(1);
11263 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
11264 COUNT_BYTES_SUBR(1);
11266 /* 3 reserved bytes */
11267 CHECK_BYTE_COUNT_SUBR(3);
11268 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
11269 COUNT_BYTES_SUBR(3);
11275 /* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
/*
 * Display names for the numeric UNIX file type; presumably referenced by
 * the hf_smb_unix_file_type field registration, which is outside this view.
 * NOTE(review): the embedded line numbers skip (11278, 11283 onwards), so
 * some entries and the end of the table are missing from this listing.
 */
11277 static const value_string unix_file_type_vals[] = {
11279 { 1, "Directory" },
11280 { 2, "Symbolic link" },
11281 { 3, "Character device" },
11282 { 4, "Block device" },
/*
 * Dissects the SMB_QUERY_FILE_UNIX_BASIC structure (section 4.2.16.12): end
 * of file (8 bytes), number of bytes (8), last status change, last access
 * and last modification times (8 each, via dissect_smb_64bit_time()), owner
 * uid (8), group gid (8), file type (4), major and minor device numbers
 * (8 each), unique id (8), permissions (8) and link count (8).
 *
 * NOTE(review): dissect_smb_64bit_time() returns the advanced offset, so
 * *bcp must be reduced by hand; that is visible after the first time field
 * only. The lines after the second and third (11310, 11315) are missing
 * from this listing - verify they also subtract 8, otherwise *bcp
 * overstates the bytes left and later byte-count checks pass on data that
 * is not there.
 * CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside this view;
 * the return statement is not visible.
 */
11289 dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11290 int offset, guint16 *bcp, gboolean *trunc)
11292 /* End of file (file size) */
11293 CHECK_BYTE_COUNT_SUBR(8);
11294 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
11295 COUNT_BYTES_SUBR(8);
11297 /* Number of bytes */
11298 CHECK_BYTE_COUNT_SUBR(8);
11299 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
11300 COUNT_BYTES_SUBR(8);
11302 /* Last status change */
11303 CHECK_BYTE_COUNT_SUBR(8);
11304 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
11305 *bcp -= 8; /* dissect_smb_64bit_time() increments offset */
11307 /* Last access time */
11308 CHECK_BYTE_COUNT_SUBR(8);
11309 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
11312 /* Last modification time */
11313 CHECK_BYTE_COUNT_SUBR(8);
11314 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
11317 /* File owner uid */
11318 CHECK_BYTE_COUNT_SUBR(8);
11319 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
11320 COUNT_BYTES_SUBR(8);
11322 /* File group gid */
11323 CHECK_BYTE_COUNT_SUBR(8);
11324 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
11325 COUNT_BYTES_SUBR(8);
/* File type */
11328 CHECK_BYTE_COUNT_SUBR(4);
11329 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
11330 COUNT_BYTES_SUBR(4);
11332 /* Major device number */
11333 CHECK_BYTE_COUNT_SUBR(8);
11334 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
11335 COUNT_BYTES_SUBR(8);
11337 /* Minor device number */
11338 CHECK_BYTE_COUNT_SUBR(8);
11339 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
11340 COUNT_BYTES_SUBR(8);
/* Unique id */
11343 CHECK_BYTE_COUNT_SUBR(8);
11344 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
11345 COUNT_BYTES_SUBR(8);
/* Permissions */
11348 CHECK_BYTE_COUNT_SUBR(8);
11349 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
11350 COUNT_BYTES_SUBR(8);
/* Number of links */
11353 CHECK_BYTE_COUNT_SUBR(8);
11354 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
11355 COUNT_BYTES_SUBR(8);
11357 /* Sometimes there is one extra byte in the data field which I
11358 guess could be padding, but we are only using 4 or 8 byte
11359 data types so this is a bit confusing. -tpot */
11365 /* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
/*
 * Dissects the SMB_QUERY_FILE_UNIX_LINK structure (section 4.2.16.13): a
 * single link-destination string, added as hf_smb_unix_file_link_dest.
 *
 * NOTE(review): pinfo is tagged _U_ in the signature although the first
 * statement reads pinfo->private_data; the tag looks stale.
 * NOTE(review): get_unicode_or_ascii_string() is called with TRUE as its
 * sixth argument while fn_len is not assigned in any line visible here (its
 * declaration, line 11372-11374, is missing from this listing). If that
 * argument makes the helper honour the incoming fn_len, verify fn_len is
 * initialised before the call.
 * The CHECK_ and COUNT_ macros are defined outside this view; the return
 * statement is not visible.
 */
11368 dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11369 int offset, guint16 *bcp, gboolean *trunc)
11371 smb_info_t *si = pinfo->private_data;
11375 /* Link destination */
11377 fn = get_unicode_or_ascii_string(
11378 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11380 CHECK_STRING_SUBR(fn);
11381 proto_tree_add_string(
11382 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
11383 COUNT_BYTES_SUBR(fn_len);
11389 /* this dissects the SMB_SET_FILE_DISPOSITION_INFO
11390 as described in 4.2.19.2
/*
 * Dissects the SMB_SET_FILE_DISPOSITION_INFO structure (section 4.2.19.2
 * per the comment above): one byte saying whether the file is marked for
 * deletion.
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; the return statement is on a line missing from this listing.
 */
11393 dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11394 int offset, guint16 *bcp, gboolean *trunc)
11396 /* marked for deletion? */
11397 CHECK_BYTE_COUNT_SUBR(1);
11398 proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, TRUE);
11399 COUNT_BYTES_SUBR(1);
11405 /* this dissects the SMB_SET_FILE_ALLOCATION_INFO
11406 as described in 4.2.19.3
/*
 * Dissects the SMB_SET_FILE_ALLOCATION_INFO structure (section 4.2.19.3 per
 * the comment above): an 8-byte file allocation size.
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; the return statement is on a line missing from this listing.
 */
11409 dissect_4_2_19_3(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11410 int offset, guint16 *bcp, gboolean *trunc)
11412 /* file allocation size */
11413 CHECK_BYTE_COUNT_SUBR(8);
11414 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11415 COUNT_BYTES_SUBR(8);
11421 /* this dissects the SMB_SET_FILE_END_OF_FILE_INFO
11422 as described in 4.2.19.4
/*
 * Dissects the SMB_SET_FILE_END_OF_FILE_INFO structure (section 4.2.19.4
 * per the comment above): an 8-byte end-of-file offset.
 *
 * NOTE(review): CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside
 * this view; the return statement is on a line missing from this listing.
 */
11425 dissect_4_2_19_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11426 int offset, guint16 *bcp, gboolean *trunc)
11428 /* file end of file offset */
11429 CHECK_BYTE_COUNT_SUBR(8);
11430 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
11431 COUNT_BYTES_SUBR(8);
11437 /* Set File Rename Info */
/*
 * Display strings for the rename "replace" flag: first the text for a set
 * value, then the text for a clear value. Presumably referenced by the
 * hf_smb_replace field registration, which is outside this view. The
 * closing line of the initializer is missing from this listing.
 */
11439 static const true_false_string tfs_smb_replace = {
11440 "Remove target file if it exists",
11441 "Do NOT remove target file if it exists",
/*
 * Dissects the "Set File Rename Info" structure: replace flag (4 bytes),
 * root directory handle (4), target name length (4) and the target name.
 *
 * target_name_len is a 32-bit value read from the packet and is copied into
 * fn_len before get_unicode_or_ascii_string() is called with TRUE as its
 * sixth argument, so the wire-supplied length drives how the name is
 * extracted.
 *
 * NOTE(review): the declaration of fn_len is on a line missing from this
 * listing. If it is a signed int, a target_name_len of 0x80000000 or more
 * becomes negative on assignment; confirm how the helper bounds fn_len
 * against *bcp before relying on it.
 * NOTE(review): pinfo is tagged _U_ in the signature although the first
 * statement reads pinfo->private_data; the tag looks stale.
 * The CHECK_ and COUNT_ macros are defined outside this view; the return
 * statement is not visible.
 */
11445 dissect_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
11446 int offset, guint16 *bcp, gboolean *trunc)
11448 smb_info_t *si = pinfo->private_data;
11450 guint32 target_name_len;
/* Replace flag */
11454 CHECK_BYTE_COUNT_SUBR(4);
11455 proto_tree_add_item(tree, hf_smb_replace, tvb, offset, 4, TRUE);
11456 COUNT_BYTES_SUBR(4);
11458 /* Root directory handle */
11459 CHECK_BYTE_COUNT_SUBR(4);
11460 proto_tree_add_item(tree, hf_smb_root_dir_handle, tvb, offset, 4, TRUE);
11461 COUNT_BYTES_SUBR(4);
11463 /* Target name length */
11464 CHECK_BYTE_COUNT_SUBR(4);
11465 target_name_len = tvb_get_letohl(tvb, offset);
11466 proto_tree_add_uint(tree, hf_smb_target_name_len, tvb, offset, 4, target_name_len);
11467 COUNT_BYTES_SUBR(4);
/* Target name: the wire-supplied length is handed to the helper. */
11470 fn_len = target_name_len;
11471 fn = get_unicode_or_ascii_string(
11472 tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
11474 CHECK_STRING_SUBR(fn);
11475 proto_tree_add_string(
11476 tree, hf_smb_target_name, tvb, offset, fn_len, fn);
11477 COUNT_BYTES_SUBR(fn_len);
11483 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
11484 TRANS2_QUERY_FILE_INFORMATION*/
/*
 * Dispatches the data block of TRANS2_QUERY_PATH_INFORMATION and
 * TRANS2_QUERY_FILE_INFORMATION to the dissector that matches
 * si->info_level, where si is the smb_info_t hanging off
 * pinfo->private_data.
 *
 * Both the classic level numbers (1, 2, 0x0101, ...) and the 1004-1028
 * "SMB_FILE_..._INFORMATION" numbers are accepted; paired labels share one
 * dissector call.
 *
 * NOTE(review): case 1022 sets ->unicode to TRUE on the shared smb_info_t
 * and, with no statement between it and the next label, runs on into the
 * 0x0109 stream-info case. The write is not undone in any line visible
 * here, so it stays in effect for whatever later uses the same smb_info_t -
 * confirm that is intended and mark the fall-through with a comment.
 * NOTE(review): the embedded line numbers skip after every call, so the
 * last argument of each call, the break statements, the default case and
 * the return are not visible; 0x0202 (Unix HardLink) is an acknowledged
 * gap with no dissector yet.
 */
11486 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
11487 int offset, guint16 *bcp)
11496 si = (smb_info_t *)pinfo->private_data;
/* info_level was recorded when the request was dissected. */
11497 switch(si->info_level){
11498 case 1: /*Info Standard*/
11500 case 2: /*Info Query EA Size*/
11501 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
11504 case 3: /*Info Query EAs From List*/
11505 case 4: /*Info Query All EAs*/
11506 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
11509 case 6: /*Info Is Name Valid*/
11510 offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
11513 case 0x0101: /*Query File Basic Info*/
11514 case 1004: /* SMB_FILE_BASIC_INFORMATION */
11515 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
11518 case 0x0102: /*Query File Standard Info*/
11519 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
11520 offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp,
11523 case 0x0103: /*Query File EA Info*/
11524 case 1007: /* SMB_FILE_EA_INFORMATION */
11525 offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp,
11528 case 0x0104: /*Query File Name Info*/
11529 case 1009: /* SMB_FILE_NAME_INFORMATION */
11530 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
11533 case 0x0107: /*Query File All Info*/
11534 case 1018: /* SMB_FILE_ALL_INFORMATION */
11535 offset = dissect_4_2_16_8(tvb, pinfo, tree, offset, bcp,
11538 case 0x0108: /*Query File Alt File Info*/
11539 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
11540 offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
11543 case 1022: /* SMB_FILE_STREAM_INFORMATION */
/* Forces Unicode decoding, then continues into the 0x0109 case. */
11544 ((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
11545 case 0x0109: /*Query File Stream Info*/
11546 offset = dissect_4_2_16_10(tvb, pinfo, tree, offset, bcp,
11549 case 0x010b: /*Query File Compression Info*/
11550 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
11551 offset = dissect_4_2_16_11(tvb, pinfo, tree, offset, bcp,
11554 case 0x0200: /* Query File Unix Basic*/
11555 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
11558 case 0x0201: /* Query File Unix Link*/
11559 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11562 case 0x0202: /* Query File Unix HardLink*/
11563 /* XXX add this from the SNIA doc */
11570 /*dissect the data block for TRANS2_SET_PATH_INFORMATION and
11571 TRANS2_SET_FILE_INFORMATION*/
/*
 * Dispatches the data block of TRANS2_SET_PATH_INFORMATION and
 * TRANS2_SET_FILE_INFORMATION to the dissector that matches
 * si->info_level, where si is the smb_info_t hanging off
 * pinfo->private_data.
 *
 * Levels 0x0102-0x0104 mean something different here than in the query
 * dispatcher (disposition, allocation and end-of-file info), while the Unix
 * levels 0x0200/0x0201 reuse the query dissectors and 0x0203 reuses the
 * Unix link dissector. Level 1010 is the rename structure.
 *
 * NOTE(review): the embedded line numbers skip after every call, so the
 * last argument of each call, the break statements, the default case and
 * the return are not visible in this listing.
 */
11573 dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
11574 int offset, guint16 *bcp)
11583 si = (smb_info_t *)pinfo->private_data;
/* info_level was recorded when the request was dissected. */
11584 switch(si->info_level){
11585 case 1: /*Info Standard*/
11587 case 2: /*Info Query EA Size*/
11588 offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
11591 case 4: /*Info Query All EAs*/
11592 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
11595 case 0x0101: /*Set File Basic Info*/
11596 case 1004: /* SMB_FILE_BASIC_INFORMATION */
11597 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
11600 case 0x0102: /*Set File Disposition Info*/
11601 offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
11604 case 0x0103: /*Set File Allocation Info*/
11605 offset = dissect_4_2_19_3(tvb, pinfo, tree, offset, bcp,
11608 case 0x0104: /*Set End Of File Info*/
11609 offset = dissect_4_2_19_4(tvb, pinfo, tree, offset, bcp,
11612 case 0x0200: /*Set File Unix Basic. Same as query. */
11613 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
11616 case 0x0201: /*Set File Unix Link. Same as query. */
11617 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11620 case 0x0203: /*Set File Unix HardLink. Same as link query. */
11621 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
11624 case 1010: /* Set File Rename */
11625 offset = dissect_rename_info(tvb, pinfo, tree, offset, bcp,
11639 /* XXX: TODO, extra levels discovered by tridge */
/*
 * Display strings for the four quota flag bits. Each initializer lists the
 * text for a set value first and the text for a clear value second.
 * Presumably referenced by the hf_smb_quota_flags_ field registrations,
 * which are outside this view; the closing line of each initializer is
 * missing from this listing.
 * NOTE(review): "ENABLED of this fs" reads like a typo for "on this fs";
 * it is display text, so it is left unchanged here.
 */
11647 static const true_false_string tfs_quota_flags_deny_disk = {
11648 "DENY DISK SPACE for users exceeding quota limit",
11649 "Do NOT deny disk space for users exceeding quota limit"
11651 static const true_false_string tfs_quota_flags_log_limit = {
11652 "LOG EVENT when a user exceeds their QUOTA LIMIT",
11653 "Do NOT log event when a user exceeds their quota limit"
11655 static const true_false_string tfs_quota_flags_log_warning = {
11656 "LOG EVENT when a user exceeds their WARNING LEVEL",
11657 "Do NOT log event when a user exceeds their warning level"
11659 static const true_false_string tfs_quota_flags_enabled = {
11660 "Quotas are ENABLED of this fs",
11661 "Quotas are NOT enabled on this fs"
/*
 * Add the one-byte quota flags field found at offset to parent_tree: a
 * summary line plus one boolean item per flag in a subtree.
 *
 * Exactly one byte is read from tvb and no byte count is passed in, so
 * the caller has to make sure that byte is available. dissect_nt_quota
 * does this with CHECK_BYTE_COUNT_TRANS_SUBR(1) before the call and
 * accounts for the byte itself afterwards.
 */
11664 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11667 proto_item *item = NULL;
11668 proto_tree *tree = NULL;
11670 mask = tvb_get_guint8(tvb, offset);
/* the summary shows Enabled for any non-zero mask, not only for bit 0x01 */
11673 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
11674 "Quota Flags: 0x%02x %s", mask,
11675 mask?"Enabled":"Disabled");
11676 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
/* all flag items are decoded from the same byte */
11679 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
11680 tvb, offset, 1, mask);
11681 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
11682 tvb, offset, 1, mask);
11683 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
11684 tvb, offset, 1, mask);
/* Some flag is set but bit 0x01 is not: add a hidden enabled item with
 * the value forced to 0x01. The visible item that follows is presumably
 * the else branch; the line joining the two is not shown here. */
11686 if(mask && (!(mask&0x01))){
11687 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
11688 tvb, offset, 1, 0x01);
11690 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
11691 tvb, offset, 1, mask);
/*
 * Dissect an NT quota record, used below for the TRANS2_SET_QUOTA data
 * block. The fields are, in order: 24 unknown bytes, an 8-byte soft
 * limit, an 8-byte hard limit, one flags byte and 7 more unknown bytes,
 * 48 bytes in total.
 *
 * bcp points to the remaining byte count. Every field is bracketed by
 * CHECK_BYTE_COUNT_TRANS_SUBR(n) and COUNT_BYTES_TRANS_SUBR(n). The
 * macro definitions are not in this part of the file; presumably the
 * first stops dissection when fewer than n bytes remain and the second
 * advances offset and decrements the count. TODO confirm.
 */
11697 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp)
11699 /* first 24 bytes are unknown */
11700 CHECK_BYTE_COUNT_TRANS_SUBR(24);
11701 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11703 COUNT_BYTES_TRANS_SUBR(24);
11705 /* number of bytes for quota warning */
11706 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11707 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
11708 COUNT_BYTES_TRANS_SUBR(8);
11710 /* number of bytes for quota limit */
11711 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11712 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
11713 COUNT_BYTES_TRANS_SUBR(8);
11715 /* one byte of quota flags */
11716 CHECK_BYTE_COUNT_TRANS_SUBR(1);
/* the return value of dissect_quota_flags is ignored; the byte is
 * accounted for by the COUNT_BYTES_TRANS_SUBR(1) that follows */
11717 dissect_quota_flags(tvb, tree, offset);
11718 COUNT_BYTES_TRANS_SUBR(1);
11720 /* these 7 bytes are unknown */
11721 CHECK_BYTE_COUNT_TRANS_SUBR(7);
11722 proto_tree_add_item(tree, hf_smb_unknown, tvb,
11724 COUNT_BYTES_TRANS_SUBR(7);
/*
 * Dissect the data block of a TRANSACTION2 request.
 *
 * subcmd: TRANS2 subcommand code; it labels the summary item through
 *         trans2_cmd_vals and selects the case below.
 * dc:     data count for this block. It is the length of the summary
 *         item and of the trailing unknown item, and its address is
 *         handed to the helpers as their remaining byte count.
 *
 * Only TRANS2_SET_QUOTA, TRANS2_SET_PATH_INFORMATION,
 * TRANS2_SET_FILE_INFORMATION and TRANS2_REPORT_DFS_INCONSISTENCY call
 * a helper here; the other cases carry remarks only.
 *
 * dc is a value read from the request header. The caller in this file,
 * dissect_transaction_request, runs CHECK_BYTE_COUNT(dc) before calling
 * this function and assigns the result to its offset.
 */
11730 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
11731 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
11733 proto_item *item = NULL;
11734 proto_tree *tree = NULL;
11737 si = (smb_info_t *)pinfo->private_data;
11740 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11742 val_to_str(subcmd, trans2_cmd_vals,
11743 "Unknown (0x%02x)"));
11744 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11748 case 0x00: /*TRANS2_OPEN2*/
11749 /* XXX dont know how to decode FEAList */
11751 case 0x01: /*TRANS2_FIND_FIRST2*/
11752 /* XXX dont know how to decode FEAList */
11754 case 0x02: /*TRANS2_FIND_NEXT2*/
11755 /* XXX dont know how to decode FEAList */
11757 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11758 /* no data field in this request */
11760 case 0x04: /* TRANS2_SET_QUOTA */
11761 offset = dissect_nt_quota(tvb, tree, offset, &dc);
11763 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11764 /* no data field in this request */
11766 * XXX - "Microsoft Networks SMB File Sharing Protocol
11767 * Extensions Version 3.0, Document Version 1.11,
11768 * July 19, 1990" says there may be "Additional
11769 * FileInfoLevel dependent information" here.
11771 * Was that just a cut-and-pasteo?
11772 * TRANS2_SET_PATH_INFORMATION *does* have that information
11776 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11777 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
11779 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11780 /* no data field in this request */
11782 * XXX - "Microsoft Networks SMB File Sharing Protocol
11783 * Extensions Version 3.0, Document Version 1.11,
11784 * July 19, 1990" says there may be "Additional
11785 * FileInfoLevel dependent information" here.
11787 * Was that just a cut-and-pasteo?
11788 * TRANS2_SET_FILE_INFORMATION *does* have that information
11792 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11793 offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
11795 case 0x09: /*TRANS2_FSCTL*/
11796 /*XXX dont know how to decode this yet */
11799 * XXX - "Microsoft Networks SMB File Sharing Protocol
11800 * Extensions Version 3.0, Document Version 1.11,
11801 * July 19, 1990" says this this contains a
11802 * "File system specific data block". (That means we
11803 * may not be able to dissect it in any case.)
11806 case 0x0a: /*TRANS2_IOCTL2*/
11807 /*XXX dont know how to decode this yet */
11810 * XXX - "Microsoft Networks SMB File Sharing Protocol
11811 * Extensions Version 3.0, Document Version 1.11,
11812 * July 19, 1990" says this this contains a
11813 * "Device/function specific data block". (That
11814 * means we may not be able to dissect it in any case.)
11817 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11818 /*XXX dont know how to decode this yet */
11821 * XXX - "Microsoft Networks SMB File Sharing Protocol
11822 * Extensions Version 3.0, Document Version 1.11,
11823 * July 19, 1990" says this this contains "additional
11824 * level dependent match data".
11827 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11828 /*XXX dont know how to decode this yet */
11831 * XXX - "Microsoft Networks SMB File Sharing Protocol
11832 * Extensions Version 3.0, Document Version 1.11,
11833 * July 19, 1990" says this this contains "additional
11834 * level dependent monitor information".
11837 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11838 /* XXX optional FEAList, unknown what FEAList looks like*/
11840 case 0x0e: /*TRANS2_SESSION_SETUP*/
11841 /*XXX dont know how to decode this yet */
11843 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11844 /* no data field in this request */
11846 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11847 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
11851 /* Data left over that no case above knew how to dissect is shown as a
 * single unknown item of dc bytes. The helpers receive the address of
 * dc, so presumably dc is what they left unconsumed - TODO confirm. */
11853 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Generic display of a transaction whose contents no specific dissector
 * handled: the setup words are listed one by one as 16-bit little-endian
 * values, the parameter and data blocks are rendered as byte strings.
 *
 * s_tvb, p_tvb, d_tvb: setup, parameter and data buffers; each may be
 * NULL, in which case that part is skipped.
 *
 * NOTE(review): the lengths come from tvb_reported_length(), i.e. the
 * length claimed on the wire, which can exceed what was captured. This
 * relies on the tvbuff accessors being bounds-checked; confirm that
 * holds for tvb_bytes_to_str with a truncated capture.
 */
11862 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
11870 * Show the setup words.
11872 if (s_tvb != NULL) {
11873 length = tvb_reported_length(s_tvb);
/* two bytes per setup word; a trailing odd byte is not shown */
11874 for (i = 0, offset = 0; length >= 2;
11875 i++, offset += 2, length -= 2) {
11877 * XXX - add a setup word filterable field?
11879 proto_tree_add_text(tree, s_tvb, offset, 2,
11880 "Setup Word %d: 0x%04x", i,
11881 tvb_get_letohs(s_tvb, offset));
11886 * Show the parameters, if any.
11888 if (p_tvb != NULL) {
11889 length = tvb_reported_length(p_tvb);
11891 proto_tree_add_text(tree, p_tvb, 0, length,
11893 tvb_bytes_to_str(p_tvb, 0, length));
11898 * Show the data, if any.
11900 if (d_tvb != NULL) {
11901 length = tvb_reported_length(d_tvb);
11903 proto_tree_add_text(tree, d_tvb, 0, length,
11904 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
11909 /* This routine handles the following 4 calls
11911 Transaction Secondary 0x26
11913 Transaction2 Secondary 0x33
/*
 * Dissect the request side of the SMB transaction family: Transaction,
 * Transaction2 and their Secondary forms.
 *
 * Locals named after the wire fields they hold, all 16-bit values read
 * from the packet: pc/po/pd are parameter count, offset and
 * displacement; dc/od/dd are data count, offset and displacement;
 * sc is the one-byte setup count and tf the transaction flags.
 *
 * Flow, as far as it is visible here:
 *  - a secondary request carries only totals, counts, offsets and
 *    displacements (plus a FID for TRANSACTION2) and has no setup words;
 *  - a primary request also carries max counts, flags, a timeout and
 *    the setup words; for TRANSACTION2 the first setup word is the
 *    subcommand, which is stored in a newly allocated
 *    smb_transact2_info_t the first time the frame is seen;
 *  - the parameter and data blocks are then located from po and od,
 *    with any gap before them shown as padding;
 *  - for SMB_COM_TRANSACTION the setup, parameter and data areas are
 *    wrapped in sub-tvbuffs and handed to the pipe or mailslot
 *    dissector according to the transaction name, with
 *    dissect_trans_data as the fallback.
 *
 * NOTE(review): po, od, pc and dc are untrusted wire values. The
 * padding sizes po-offset and od-offset are only meaningful when the
 * offset field lies ahead of the current position; the guards for that
 * are in lines not shown here - confirm they exist and that padcnt is
 * also limited to the remaining byte count.
 */
11916 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
11923 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
11927 const char *an = NULL;
11929 smb_transact2_info_t *t2i;
11930 smb_transact_info_t *tri;
11933 gboolean dissected_trans;
11935 si = (smb_info_t *)pinfo->private_data;
11940 /*secondary client request*/
11942 /* total param count, only a 16bit integer here*/
11943 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11946 /* total data count , only 16bit integer here*/
11947 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11951 pc = tvb_get_letohs(tvb, offset);
11952 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11956 po = tvb_get_letohs(tvb, offset);
11957 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11961 pd = tvb_get_letohs(tvb, offset);
11962 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11966 dc = tvb_get_letohs(tvb, offset);
11967 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11971 od = tvb_get_letohs(tvb, offset);
11972 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11976 dd = tvb_get_letohs(tvb, offset);
11977 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11980 if(si->cmd==SMB_COM_TRANSACTION2){
11984 fid = tvb_get_letohs(tvb, offset);
11985 add_fid(tvb, pinfo, tree, offset, 2, fid);
11990 /* There are no setup words. */
11995 /* it is not a secondary request */
11997 /* total param count , only a 16 bit integer here*/
11998 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12001 /* total data count , only 16bit integer here*/
12002 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12005 /* max param count , only 16bit integer here*/
12006 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12009 /* max data count, only 16bit integer here*/
12010 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
12013 /* max setup count, a single byte here */
12014 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
12017 /* reserved byte */
12018 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12021 /* transaction flags */
12022 tf = dissect_transaction_flags(tvb, tree, offset);
/* timeout: 0 and 0xffffffff are shown as special cases, anything else
 * is formatted by time_msecs_to_str */
12026 to = tvb_get_letohl(tvb, offset);
12028 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
12029 else if (to == 0xffffffff)
12030 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
12032 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
12035 /* 2 reserved bytes */
12036 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
12040 pc = tvb_get_letohs(tvb, offset);
12041 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
12045 po = tvb_get_letohs(tvb, offset);
12046 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
12049 /* param displacement is zero here */
12053 dc = tvb_get_letohs(tvb, offset);
12054 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
12058 od = tvb_get_letohs(tvb, offset);
12059 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
12062 /* data displacement is zero here */
12066 sc = tvb_get_guint8(tvb, offset);
12067 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
12070 /* reserved byte */
12071 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12074 /* this is where the setup bytes, if any start */
12078 /* if there were any setup bytes, decode them */
12082 case SMB_COM_TRANSACTION2:
12083 /* TRANSACTION2 only has one setup word and
12084 that is the subcommand code.
12086 XXX - except for TRANS2_FSCTL
12087 and TRANS2_IOCTL. */
12088 subcmd = tvb_get_letohs(tvb, offset);
12089 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
12090 tvb, offset, 2, subcmd);
12091 if (check_col(pinfo->cinfo, COL_INFO)) {
12092 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
12093 val_to_str(subcmd, trans2_cmd_vals,
12094 "Unknown (0x%02x)"));
/* per-request state is allocated only on the first pass over a frame;
 * info_level starts at -1 and resume_keys at FALSE */
12097 if(!pinfo->fd->flags.visited){
12100 * smb_transact2_info_t
12103 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
12104 t2i->subcmd = subcmd;
12105 t2i->info_level = -1;
12106 t2i->resume_keys = FALSE;
12107 si->sip->extra_info = t2i;
12112 * XXX - process TRANS2_FSCTL and
12113 * TRANS2_IOCTL setup words here.
12117 case SMB_COM_TRANSACTION:
12118 /* TRANSACTION setup words processed below */
12129 /* primary request */
12130 /* name is NULL if transaction2 */
12131 if(si->cmd == SMB_COM_TRANSACTION){
12132 /* Transaction Name */
12133 an = get_unicode_or_ascii_string(tvb, &offset,
12134 si->unicode, &an_len, FALSE, FALSE, &bc);
12137 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
12138 offset, an_len, an);
12139 COUNT_BYTES(an_len);
12144 * The pipe or mailslot arguments for Transaction start with
12145 * the first setup word (or where the first setup word would
12146 * be if there were any setup words), and run to the current
12147 * offset (which could mean that there aren't any).
12150 spc = offset - spo;
12154 /* We have some initial padding bytes.
12156 padcnt = po-offset;
12159 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
12160 COUNT_BYTES(padcnt);
12163 CHECK_BYTE_COUNT(pc);
12166 case SMB_COM_TRANSACTION2:
12167 /* TRANSACTION2 parameters*/
12168 offset = dissect_transaction2_request_parameters(tvb,
12169 pinfo, tree, offset, subcmd, pc);
12173 case SMB_COM_TRANSACTION:
12174 /* TRANSACTION parameters processed below */
12182 /* We have some initial padding bytes.
12184 padcnt = od-offset;
12187 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
12188 COUNT_BYTES(padcnt);
12191 CHECK_BYTE_COUNT(dc);
12194 case SMB_COM_TRANSACTION2:
12195 /* TRANSACTION2 data*/
12196 offset = dissect_transaction2_request_data(tvb, pinfo,
12197 tree, offset, subcmd, dc);
12201 case SMB_COM_TRANSACTION:
12202 /* TRANSACTION data processed below */
12208 /*TRANSACTION request parameters */
12209 if(si->cmd==SMB_COM_TRANSACTION){
12210 /*XXX replace this block with a function and use that one
12211 for both requests/responses*/
12213 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
12214 tvbuff_t *sp_tvb, *pd_tvb;
/* Each sub-tvbuff keeps the count from the header as its reported
 * length, while its captured length is limited to what
 * tvb_length_remaining() returns for the start offset. po, od and so
 * are not validated here; this relies on tvb_new_subset rejecting an
 * out-of-range start - TODO confirm. */
12217 if(pc>tvb_length_remaining(tvb, po)){
12218 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
12220 p_tvb = tvb_new_subset(tvb, po, pc, pc);
12226 if(dc>tvb_length_remaining(tvb, od)){
12227 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
12229 d_tvb = tvb_new_subset(tvb, od, dc, dc);
12235 if(sl>tvb_length_remaining(tvb, so)){
12236 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
12238 s_tvb = tvb_new_subset(tvb, so, sl, sl);
12245 if(!pinfo->fd->flags.visited){
12247 * Allocate a new smb_transact_info_t
12250 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
12252 tri->trans_subcmd = -1;
12253 tri->function = -1;
12255 tri->lanman_cmd = 0;
12256 tri->param_descrip = NULL;
12257 tri->data_descrip = NULL;
12258 tri->aux_data_descrip = NULL;
12259 tri->info_level = -1;
12260 si->sip->extra_info = tri;
12263 * We already filled the structure
12264 * in; don't bother doing so again.
12270 * This is a unidirectional message, for
12271 * which there will be no reply; don't
12272 * bother allocating an "smb_transact_info_t"
12273 * structure for it.
12277 dissected_trans = FALSE;
/* NOTE(review): an starts out as NULL and is assigned only in the
 * primary-request branch above, from a string fetch on packet data.
 * Confirm that every path reaching the two strncmp calls below has a
 * non-NULL an (secondary request, failed string fetch). Likewise
 * confirm tri is checked before the subcmd stores, since the comment
 * above says no structure is allocated for unidirectional messages. */
12278 if(strncmp("\\PIPE\\", an, 6) == 0){
12280 tri->subcmd=TRANSACTION_PIPE;
12283 * A tvbuff containing the setup words and
12286 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
12289 * A tvbuff containing the parameters and the
12292 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
12294 dissected_trans = dissect_pipe_smb(sp_tvb,
12295 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
12298 /* In case we did not see the TreeConnect call,
12299 store this TID here as well as a IPC TID
12300 so we know that future Read/Writes to this
12301 TID is (probably) DCERPC.
12303 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
12304 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
12306 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
12307 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
12309 tri->subcmd=TRANSACTION_MAILSLOT;
12312 * A tvbuff containing the setup words and
12313 * the mailslot path.
12315 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
12316 dissected_trans = dissect_mailslot_smb(sp_tvb,
12317 s_tvb, d_tvb, an+10, pinfo, top_tree);
12319 if (!dissected_trans)
12320 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
12322 if(check_col(pinfo->cinfo, COL_INFO)){
12323 col_append_str(pinfo->cinfo, COL_INFO,
12324 "[transact continuation]");
/*
 * Dissect one find-file entry in the 4.3.4.1 layout (the number looks
 * like a specification section; the display label comes from
 * ff2_il_vals and si->info_level).
 *
 * Fields in the order dissected: a 4-byte resume key, create, access
 * and last write time as 4-byte SMB date/time values, 4-byte data size,
 * 4-byte allocation size, 2-byte file attributes, 1-byte file name
 * length and the file name. The resume key is presumably conditional on
 * resume_keys; the test itself is not shown here.
 *
 * bcp:   pointer to the remaining byte count; each field is guarded by
 *        CHECK_BYTE_COUNT_SUBR before it is read.
 * trunc: output flag; its assignments are not shown here - presumably
 *        set when the entry is cut short.
 *
 * The entry is added under a new subtree whose length is corrected to
 * the bytes actually consumed once the file name is known.
 */
12337 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12338 int offset, guint16 *bcp, gboolean *trunc)
12342 int old_offset = offset;
12343 proto_item *item = NULL;
12344 proto_tree *tree = NULL;
12346 smb_transact2_info_t *t2i;
12347 gboolean resume_keys = FALSE;
12349 si = (smb_info_t *)pinfo->private_data;
/* NOTE(review): extra_info is read as an smb_transact2_info_t. The
 * request dissector in this file stores either that type or an
 * smb_transact_info_t in the same field, so this relies on the caller
 * only reaching here for TRANSACTION2 exchanges - confirm. */
12350 if (si->sip != NULL) {
12351 t2i = si->sip->extra_info;
12353 resume_keys = t2i->resume_keys;
12357 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12358 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12359 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12364 CHECK_BYTE_COUNT_SUBR(4);
12365 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
12366 COUNT_BYTES_SUBR(4);
12370 CHECK_BYTE_COUNT_SUBR(4);
12371 offset = dissect_smb_datetime(tvb, tree, offset,
12372 hf_smb_create_time,
12373 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
12377 CHECK_BYTE_COUNT_SUBR(4);
12378 offset = dissect_smb_datetime(tvb, tree, offset,
12379 hf_smb_access_time,
12380 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
12383 /* last write time */
12384 CHECK_BYTE_COUNT_SUBR(4);
12385 offset = dissect_smb_datetime(tvb, tree, offset,
12386 hf_smb_last_write_time,
12387 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
12391 CHECK_BYTE_COUNT_SUBR(4);
12392 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
12393 COUNT_BYTES_SUBR(4);
12395 /* allocation size */
12396 CHECK_BYTE_COUNT_SUBR(4);
12397 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
12398 COUNT_BYTES_SUBR(4);
12400 /* File Attributes */
12401 CHECK_BYTE_COUNT_SUBR(2);
12402 offset = dissect_file_attributes(tvb, tree, offset, 2);
12405 /* file name len */
12406 CHECK_BYTE_COUNT_SUBR(1);
12407 fn_len = tvb_get_guint8(tvb, offset);
12408 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
12409 COUNT_BYTES_SUBR(1);
/* The wire length excludes the terminator, so it is widened before the
 * string is fetched. The two adjustments below are alternatives,
 * presumably 2 bytes for Unicode and 1 otherwise; the selecting
 * condition is not shown here. */
12411 fn_len += 2; /* include terminating '\0' */
12413 fn_len++; /* include terminating '\0' */
/* fn_len is passed by address and used afterwards as the item length */
12416 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12417 CHECK_STRING_SUBR(fn);
12418 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12420 COUNT_BYTES_SUBR(fn_len);
12422 if (check_col(pinfo->cinfo, COL_INFO)) {
12423 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12427 proto_item_append_text(item, " File: %s", fn);
12428 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one find-file entry in the 4.3.4.2 layout. It matches the
 * 4.3.4.1 layout with one addition: a 4-byte EA list length between the
 * file attributes and the file name length.
 *
 * Fields in the order dissected: a 4-byte resume key (presumably only
 * when resume_keys is set; the test is not shown here), create, access
 * and last write time as 4-byte SMB date/time values, 4-byte data size,
 * 4-byte allocation size, 2-byte file attributes, 4-byte EA list
 * length, 1-byte file name length and the file name.
 *
 * bcp:   pointer to the remaining byte count; each field is guarded by
 *        CHECK_BYTE_COUNT_SUBR before it is read.
 * trunc: output flag; its assignments are not shown here.
 */
12435 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12436 int offset, guint16 *bcp, gboolean *trunc)
12440 int old_offset = offset;
12441 proto_item *item = NULL;
12442 proto_tree *tree = NULL;
12444 smb_transact2_info_t *t2i;
12445 gboolean resume_keys = FALSE;
12447 si = (smb_info_t *)pinfo->private_data;
/* NOTE(review): extra_info is read as an smb_transact2_info_t; confirm
 * the caller only reaches here for TRANSACTION2 exchanges. */
12448 if (si->sip != NULL) {
12449 t2i = si->sip->extra_info;
12451 resume_keys = t2i->resume_keys;
12455 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12456 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12457 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12462 CHECK_BYTE_COUNT_SUBR(4);
12463 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
12464 COUNT_BYTES_SUBR(4);
12468 CHECK_BYTE_COUNT_SUBR(4);
12469 offset = dissect_smb_datetime(tvb, tree, offset,
12470 hf_smb_create_time,
12471 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
12475 CHECK_BYTE_COUNT_SUBR(4);
12476 offset = dissect_smb_datetime(tvb, tree, offset,
12477 hf_smb_access_time,
12478 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
12481 /* last write time */
12482 CHECK_BYTE_COUNT_SUBR(4);
12483 offset = dissect_smb_datetime(tvb, tree, offset,
12484 hf_smb_last_write_time,
12485 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
12489 CHECK_BYTE_COUNT_SUBR(4);
12490 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
12491 COUNT_BYTES_SUBR(4);
12493 /* allocation size */
12494 CHECK_BYTE_COUNT_SUBR(4);
12495 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
12496 COUNT_BYTES_SUBR(4);
12498 /* File Attributes */
12499 CHECK_BYTE_COUNT_SUBR(2);
12500 offset = dissect_file_attributes(tvb, tree, offset, 2);
/* EA list length: displayed only, not used to size anything here */
12504 CHECK_BYTE_COUNT_SUBR(4);
12505 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12506 COUNT_BYTES_SUBR(4);
12508 /* file name len */
12509 CHECK_BYTE_COUNT_SUBR(1);
12510 fn_len = tvb_get_guint8(tvb, offset);
12511 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
12512 COUNT_BYTES_SUBR(1);
/* The two adjustments below are alternatives that add room for the
 * terminator, presumably 2 bytes for Unicode and 1 otherwise; the
 * selecting condition is not shown here. */
12514 fn_len += 2; /* include terminating '\0' */
12516 fn_len++; /* include terminating '\0' */
12519 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12520 CHECK_STRING_SUBR(fn);
12521 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12523 COUNT_BYTES_SUBR(fn_len);
12525 if (check_col(pinfo->cinfo, COL_INFO)) {
12526 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12530 proto_item_append_text(item, " File: %s", fn);
12531 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one find-file entry in the 4.3.4.4 layout.
 *
 * Fields in the order dissected: 4-byte next entry offset, 4-byte file
 * index, create, access, last write and change time as 8-byte values,
 * 8-byte end of file, 8-byte allocation size, 4-byte extended file
 * attributes, 4-byte file name length and the file name. Afterwards the
 * bytes up to old_offset + next entry offset are skipped as padding.
 *
 * bcp:   pointer to the remaining byte count; each field is guarded by
 *        CHECK_BYTE_COUNT_SUBR before it is read.
 * trunc: output flag; its assignments are not shown here.
 */
12538 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12539 int offset, guint16 *bcp, gboolean *trunc)
12543 int old_offset = offset;
12544 proto_item *item = NULL;
12545 proto_tree *tree = NULL;
12550 si = (smb_info_t *)pinfo->private_data;
12553 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12554 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12555 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12559 * We assume that the presence of a next entry offset implies the
12560 * absence of a resume key, as appears to be the case for 4.3.4.6.
12563 /* next entry offset */
12564 CHECK_BYTE_COUNT_SUBR(4);
12565 neo = tvb_get_letohl(tvb, offset);
12566 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12567 COUNT_BYTES_SUBR(4);
12570 CHECK_BYTE_COUNT_SUBR(4);
12571 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12572 COUNT_BYTES_SUBR(4);
12575 CHECK_BYTE_COUNT_SUBR(8);
12576 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12580 CHECK_BYTE_COUNT_SUBR(8);
12581 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12584 /* last write time */
12585 CHECK_BYTE_COUNT_SUBR(8);
12586 offset = dissect_smb_64bit_time(tvb, tree, offset,
12587 hf_smb_last_write_time);
12590 /* last change time */
12591 CHECK_BYTE_COUNT_SUBR(8);
12592 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12596 CHECK_BYTE_COUNT_SUBR(8);
12597 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12598 COUNT_BYTES_SUBR(8);
12600 /* allocation size */
12601 CHECK_BYTE_COUNT_SUBR(8);
12602 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12603 COUNT_BYTES_SUBR(8);
12605 /* Extended File Attributes */
12606 CHECK_BYTE_COUNT_SUBR(4);
12607 offset = dissect_file_ext_attr(tvb, tree, offset);
12610 /* file name len */
12611 CHECK_BYTE_COUNT_SUBR(4);
/* NOTE(review): the name length is a full 32-bit value from the packet.
 * It is handed to get_unicode_or_ascii_string together with bcp;
 * confirm that helper rejects a length that is negative as an int or
 * larger than the remaining byte count. */
12612 fn_len = tvb_get_letohl(tvb, offset);
12613 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12614 COUNT_BYTES_SUBR(4);
12617 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12618 CHECK_STRING_SUBR(fn);
12619 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12621 COUNT_BYTES_SUBR(fn_len);
12623 if (check_col(pinfo->cinfo, COL_INFO)) {
12624 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12628 /* skip to next structure */
/* NOTE(review): neo comes from the packet, so this difference can be
 * negative or exceed the bytes left. CHECK_BYTE_COUNT_SUBR(padcnt)
 * below covers the second case; the XXX remark suggests the negative
 * case is handled in lines not shown here - confirm. */
12630 padcnt = (old_offset + neo) - offset;
12633 * XXX - this is bogus; flag it?
12638 CHECK_BYTE_COUNT_SUBR(padcnt);
12639 COUNT_BYTES_SUBR(padcnt);
12643 proto_item_append_text(item, " File: %s", fn);
12644 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one find-file entry in the 4.3.4.5 layout. It matches the
 * 4.3.4.4 layout with one addition: a 4-byte EA list length between the
 * file name length and the file name.
 *
 * Fields in the order dissected: 4-byte next entry offset, 4-byte file
 * index, create, access, last write and change time as 8-byte values,
 * 8-byte end of file, 8-byte allocation size, 4-byte extended file
 * attributes, 4-byte file name length, 4-byte EA list length and the
 * file name. Afterwards the bytes up to old_offset + next entry offset
 * are skipped as padding.
 *
 * bcp:   pointer to the remaining byte count; each field is guarded by
 *        CHECK_BYTE_COUNT_SUBR before it is read.
 * trunc: output flag; its assignments are not shown here.
 */
12651 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12652 int offset, guint16 *bcp, gboolean *trunc)
12656 int old_offset = offset;
12657 proto_item *item = NULL;
12658 proto_tree *tree = NULL;
12663 si = (smb_info_t *)pinfo->private_data;
12666 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12667 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12668 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12672 * We assume that the presence of a next entry offset implies the
12673 * absence of a resume key, as appears to be the case for 4.3.4.6.
12676 /* next entry offset */
12677 CHECK_BYTE_COUNT_SUBR(4);
12678 neo = tvb_get_letohl(tvb, offset);
12679 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12680 COUNT_BYTES_SUBR(4);
12683 CHECK_BYTE_COUNT_SUBR(4);
12684 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12685 COUNT_BYTES_SUBR(4);
12688 CHECK_BYTE_COUNT_SUBR(8);
12689 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12693 CHECK_BYTE_COUNT_SUBR(8);
12694 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12697 /* last write time */
12698 CHECK_BYTE_COUNT_SUBR(8);
12699 offset = dissect_smb_64bit_time(tvb, tree, offset,
12700 hf_smb_last_write_time);
12703 /* last change time */
12704 CHECK_BYTE_COUNT_SUBR(8);
12705 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12709 CHECK_BYTE_COUNT_SUBR(8);
12710 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12711 COUNT_BYTES_SUBR(8);
12713 /* allocation size */
12714 CHECK_BYTE_COUNT_SUBR(8);
12715 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12716 COUNT_BYTES_SUBR(8);
12718 /* Extended File Attributes */
12719 CHECK_BYTE_COUNT_SUBR(4);
12720 offset = dissect_file_ext_attr(tvb, tree, offset);
12723 /* file name len */
12724 CHECK_BYTE_COUNT_SUBR(4);
/* NOTE(review): 32-bit length from the packet; confirm that
 * get_unicode_or_ascii_string rejects a value that is negative as an
 * int or larger than the remaining byte count. */
12725 fn_len = tvb_get_letohl(tvb, offset);
12726 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12727 COUNT_BYTES_SUBR(4);
/* EA list length: displayed only, not used to size anything here */
12730 CHECK_BYTE_COUNT_SUBR(4);
12731 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12732 COUNT_BYTES_SUBR(4);
12735 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12736 CHECK_STRING_SUBR(fn);
12737 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12739 COUNT_BYTES_SUBR(fn_len);
12741 if (check_col(pinfo->cinfo, COL_INFO)) {
12742 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12746 /* skip to next structure */
/* NOTE(review): neo comes from the packet, so this difference can be
 * negative or exceed the bytes left. CHECK_BYTE_COUNT_SUBR(padcnt)
 * below covers the second case; the XXX remark suggests the negative
 * case is handled in lines not shown here - confirm. */
12748 padcnt = (old_offset + neo) - offset;
12751 * XXX - this is bogus; flag it?
12756 CHECK_BYTE_COUNT_SUBR(padcnt);
12757 COUNT_BYTES_SUBR(padcnt);
12761 proto_item_append_text(item, " File: %s", fn);
12762 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one find-file entry in the 4.3.4.6 layout, which carries both
 * a short and a long file name.
 *
 * Fields in the order dissected: 4-byte next entry offset, 4-byte file
 * index, create, access, last write and change time as 8-byte values,
 * 8-byte end of file, 8-byte allocation size, 4-byte extended file
 * attributes, 4-byte file name length, 4-byte EA list length, 1-byte
 * short file name length, 1 reserved byte, the short file name in a
 * fixed 24-byte field, and the file name. Afterwards the bytes up to
 * old_offset + next entry offset are skipped as padding.
 *
 * bcp:   pointer to the remaining byte count; each field except the
 *        24-byte short name field is guarded by CHECK_BYTE_COUNT_SUBR.
 * trunc: output flag; its assignments are not shown here.
 */
12769 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12770 int offset, guint16 *bcp, gboolean *trunc)
12772 int fn_len, sfn_len;
12773 const char *fn, *sfn;
12774 int old_offset = offset;
12775 proto_item *item = NULL;
12776 proto_tree *tree = NULL;
12781 si = (smb_info_t *)pinfo->private_data;
12784 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12785 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12786 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12790 * XXX - I have not seen any of these that contain a resume
12791 * key, even though some of the requests had the "return resume
12795 /* next entry offset */
12796 CHECK_BYTE_COUNT_SUBR(4);
12797 neo = tvb_get_letohl(tvb, offset);
12798 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12799 COUNT_BYTES_SUBR(4);
12802 CHECK_BYTE_COUNT_SUBR(4);
12803 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12804 COUNT_BYTES_SUBR(4);
12807 CHECK_BYTE_COUNT_SUBR(8);
12808 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
12812 CHECK_BYTE_COUNT_SUBR(8);
12813 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_access_time);
12816 /* last write time */
12817 CHECK_BYTE_COUNT_SUBR(8);
12818 offset = dissect_smb_64bit_time(tvb, tree, offset,
12819 hf_smb_last_write_time);
12822 /* last change time */
12823 CHECK_BYTE_COUNT_SUBR(8);
12824 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_change_time);
12828 CHECK_BYTE_COUNT_SUBR(8);
12829 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
12830 COUNT_BYTES_SUBR(8);
12832 /* allocation size */
12833 CHECK_BYTE_COUNT_SUBR(8);
12834 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
12835 COUNT_BYTES_SUBR(8);
12837 /* Extended File Attributes */
12838 CHECK_BYTE_COUNT_SUBR(4);
12839 offset = dissect_file_ext_attr(tvb, tree, offset);
12842 /* file name len */
12843 CHECK_BYTE_COUNT_SUBR(4);
/* NOTE(review): fn_len is an int holding a 32-bit length from the
 * packet; confirm that get_unicode_or_ascii_string rejects a value that
 * is negative or larger than the remaining byte count. */
12844 fn_len = tvb_get_letohl(tvb, offset);
12845 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12846 COUNT_BYTES_SUBR(4);
12851 * XXX - in one captures, this has the topmost bit set, and the
12852 * rest of the bits have the value 7. Is the topmost bit being
12853 * set some indication that the value *isn't* the length of
12856 CHECK_BYTE_COUNT_SUBR(4);
12857 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
12858 COUNT_BYTES_SUBR(4);
12860 /* short file name len */
12861 CHECK_BYTE_COUNT_SUBR(1);
12862 sfn_len = tvb_get_guint8(tvb, offset);
12863 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
12864 COUNT_BYTES_SUBR(1);
12866 /* reserved byte */
12867 CHECK_BYTE_COUNT_SUBR(1);
12868 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
12869 COUNT_BYTES_SUBR(1);
12871 /* short file name - it's not always in Unicode */
/* NOTE(review): the string is fetched with sfn_len, but the tree item
 * and COUNT_BYTES_SUBR below always use the fixed field size of 24 and
 * no CHECK_BYTE_COUNT_SUBR(24) is visible in between. *bcp is a
 * guint16, so if COUNT_BYTES_SUBR subtracts without a check the count
 * would wrap when fewer than 24 bytes remain. Confirm against the macro
 * definition and add the check if it is missing. */
12872 sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
12873 CHECK_STRING_SUBR(sfn);
12874 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
12876 COUNT_BYTES_SUBR(24);
12879 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12880 CHECK_STRING_SUBR(fn);
12881 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12883 COUNT_BYTES_SUBR(fn_len);
12885 if (check_col(pinfo->cinfo, COL_INFO)) {
12886 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12890 /* skip to next structure */
/* NOTE(review): neo comes from the packet, so this difference can be
 * negative or exceed the bytes left. CHECK_BYTE_COUNT_SUBR(padcnt)
 * below covers the second case; the XXX remark suggests the negative
 * case is handled in lines not shown here - confirm. */
12892 padcnt = (old_offset + neo) - offset;
12895 * XXX - this is bogus; flag it?
12900 CHECK_BYTE_COUNT_SUBR(padcnt);
12901 COUNT_BYTES_SUBR(padcnt);
12905 proto_item_append_text(item, " File: %s", fn);
12906 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect one find-file entry in the 4.3.4.7 layout, the shortest of
 * the layouts with a next entry offset.
 *
 * Fields in the order dissected: 4-byte next entry offset, 4-byte file
 * index, 4-byte file name length and the file name. Afterwards the
 * bytes up to old_offset + next entry offset are skipped as padding.
 *
 * bcp:   pointer to the remaining byte count; each field is guarded by
 *        CHECK_BYTE_COUNT_SUBR before it is read.
 * trunc: output flag; its assignments are not shown here.
 */
12913 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12914 int offset, guint16 *bcp, gboolean *trunc)
12918 int old_offset = offset;
12919 proto_item *item = NULL;
12920 proto_tree *tree = NULL;
12925 si = (smb_info_t *)pinfo->private_data;
12928 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
12929 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
12930 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
12934 * We assume that the presence of a next entry offset implies the
12935 * absence of a resume key, as appears to be the case for 4.3.4.6.
12938 /* next entry offset */
12939 CHECK_BYTE_COUNT_SUBR(4);
12940 neo = tvb_get_letohl(tvb, offset);
12941 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12942 COUNT_BYTES_SUBR(4);
12945 CHECK_BYTE_COUNT_SUBR(4);
12946 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
12947 COUNT_BYTES_SUBR(4);
12949 /* file name len */
12950 CHECK_BYTE_COUNT_SUBR(4);
/* NOTE(review): 32-bit length from the packet; confirm that
 * get_unicode_or_ascii_string rejects a value that is negative as an
 * int or larger than the remaining byte count. */
12951 fn_len = tvb_get_letohl(tvb, offset);
12952 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12953 COUNT_BYTES_SUBR(4);
12956 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
12957 CHECK_STRING_SUBR(fn);
12958 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12960 COUNT_BYTES_SUBR(fn_len);
12962 if (check_col(pinfo->cinfo, COL_INFO)) {
12963 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
12967 /* skip to next structure */
/* NOTE(review): neo comes from the packet, so this difference can be
 * negative or exceed the bytes left. CHECK_BYTE_COUNT_SUBR(padcnt)
 * below covers the second case; the XXX remark suggests the negative
 * case is handled in lines not shown here - confirm. */
12969 padcnt = (old_offset + neo) - offset;
12972 * XXX - this is bogus; flag it?
12977 CHECK_BYTE_COUNT_SUBR(padcnt);
12978 COUNT_BYTES_SUBR(padcnt);
12982 proto_item_append_text(item, " File: %s", fn);
12983 proto_item_set_len(item, offset-old_offset);
12989 /* 4.3.4.8 - SMB_FIND_FILE_UNIX */
/*
 * Dissect one SMB_FIND_FILE_UNIX entry (info level 0x0202 in the dispatch of
 * dissect_ff2_response_data) and add its fields directly to `tree`.
 *
 * tvb    - buffer holding the data block
 * pinfo  - packet info; pinfo->private_data is read as the smb_info_t
 * tree   - tree the fields are added to (no subtree is created in the
 *          visible lines)
 * offset - offset of this entry in tvb
 * bcp    - pointer to the remaining byte count of the data block
 *
 * NOTE(review): tvb and pinfo carry the _U_ marker although both are used
 * below. The gutter numbers are not contiguous, so source lines (the rest of
 * the signature, declarations, the return) are missing from this listing.
 * CHECK_BYTE_COUNT_SUBR / COUNT_BYTES_SUBR are defined outside it and
 * presumably test and consume the byte count in *bcp - confirm.
 */
12992 dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
12993 proto_tree *tree, int offset, guint16 *bcp,
12996 smb_info_t *si = pinfo->private_data;
13000 /* NextEntryOffset */
13001 CHECK_BYTE_COUNT_SUBR(4);
13002 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, TRUE);
13003 COUNT_BYTES_SUBR(4);
13006 CHECK_BYTE_COUNT_SUBR(4);
13007 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, TRUE);
13008 COUNT_BYTES_SUBR(4);
13010 /* End of file (file size) */
13011 CHECK_BYTE_COUNT_SUBR(8);
13012 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
13013 COUNT_BYTES_SUBR(8);
13015 /* Number of bytes */
13016 CHECK_BYTE_COUNT_SUBR(8);
13017 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
13018 COUNT_BYTES_SUBR(8);
/* The three time fields take the new offset from dissect_smb_64bit_time()
 * instead of COUNT_BYTES_SUBR. NOTE(review): no matching update of *bcp is
 * visible in this listing for them - confirm against the full file, since a
 * stale *bcp would weaken every later CHECK_BYTE_COUNT_SUBR. */
13020 /* Last status change */
13021 CHECK_BYTE_COUNT_SUBR(8);
13022 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
13025 /* Last access time */
13026 CHECK_BYTE_COUNT_SUBR(8);
13027 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
13030 /* Last modification time */
13031 CHECK_BYTE_COUNT_SUBR(8);
13032 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
13035 /* File owner uid */
13036 CHECK_BYTE_COUNT_SUBR(8);
13037 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
13038 COUNT_BYTES_SUBR(8);
13040 /* File group gid */
13041 CHECK_BYTE_COUNT_SUBR(8);
13042 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
13043 COUNT_BYTES_SUBR(8);
13046 CHECK_BYTE_COUNT_SUBR(4);
13047 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
13048 COUNT_BYTES_SUBR(4);
13050 /* Major device number */
13051 CHECK_BYTE_COUNT_SUBR(8);
13052 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
13053 COUNT_BYTES_SUBR(8);
13055 /* Minor device number */
13056 CHECK_BYTE_COUNT_SUBR(8);
13057 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
13058 COUNT_BYTES_SUBR(8);
13061 CHECK_BYTE_COUNT_SUBR(8);
13062 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
13063 COUNT_BYTES_SUBR(8);
13066 CHECK_BYTE_COUNT_SUBR(8);
13067 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
13068 COUNT_BYTES_SUBR(8);
13071 CHECK_BYTE_COUNT_SUBR(8);
13072 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
13073 COUNT_BYTES_SUBR(8);
/* Variable-length string; bcp is handed to the helper, which also advances
 * offset through the pointer. */
13077 fn = get_unicode_or_ascii_string(
13078 tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
13080 CHECK_STRING_SUBR(fn);
13081 proto_tree_add_string(
13082 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
13083 COUNT_BYTES_SUBR(fn_len);
13085 /* Pad to 4 bytes */
/* NOTE(review): gutter lines 13086-13087 are absent from this listing, so
 * any alignment test guarding the next line is not visible; run
 * unconditionally it would add 4 to an already aligned offset. No
 * adjustment of *bcp for the pad bytes is visible either - confirm. */
13088 offset += 4 - (offset % 4);
13094 /*dissect the data block for TRANS2_FIND_FIRST2*/
/*
 * Dissect one entry of the TRANS2_FIND_FIRST2 data block by dispatching on
 * si->info_level to the per-level entry dissector (dissect_4_3_4_1 ..
 * dissect_4_3_4_8). The same routine is called for TRANS2_FIND_NEXT2 by
 * dissect_transaction2_response_data.
 *
 * tvb    - buffer holding the data block
 * pinfo  - packet info; pinfo->private_data is read as the smb_info_t
 * tree   - tree handed on to the entry dissector
 * offset - offset of the entry in tvb
 * bcp    - pointer to the remaining byte count, handed on unchanged
 * trunc  - presumably the truncation flag forwarded to the entry dissector;
 *          the argument lines are missing from this listing
 *
 * si->info_level is copied from the matching request's transaction info in
 * dissect_transaction_response, so the entry layout is chosen from request
 * state rather than from the response itself.
 *
 * NOTE(review): the gutter numbers are not contiguous; break statements,
 * the body of the default branch and the return are not visible here.
 */
13096 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
13097 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
13105 si = (smb_info_t *)pinfo->private_data;
13106 switch(si->info_level){
13107 case 1: /*Info Standard*/
13108 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
13111 case 2: /*Info Query EA Size*/
13112 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
13115 case 3: /*Info Query EAs From List same as
13117 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
13120 case 0x0101: /*Find File Directory Info*/
13121 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
13124 case 0x0102: /*Find File Full Directory Info*/
13125 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
13128 case 0x0103: /*Find File Names Info*/
13129 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
13132 case 0x0104: /*Find File Both Directory Info*/
13133 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
13136 case 0x0202: /*Find File UNIX*/
13137 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
13140 default: /* unknown info level */
/*
 * Dissect the 4-byte "FS Attributes" bitmask at `offset`.
 *
 * Reads the mask as a 32-bit little-endian value, adds a text item showing
 * it in hex, and hangs seven boolean flag fields off a subtree of that item.
 *
 * tvb         - buffer to read from
 * parent_tree - tree under which the item is added
 * offset      - offset of the mask in tvb
 *
 * The function takes no byte-count argument and does no length check of its
 * own in the visible lines; the caller in dissect_qfsi_vals runs
 * CHECK_BYTE_COUNT_TRANS_SUBR(4) immediately before calling it.
 * NOTE(review): the return statement is not part of this listing; the caller
 * assigns the result to its offset, so it presumably returns the offset
 * after the mask - confirm.
 */
13149 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
13152 proto_item *item = NULL;
13153 proto_tree *tree = NULL;
13155 mask = tvb_get_letohl(tvb, offset);
13158 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
13159 "FS Attributes: 0x%08x", mask);
13160 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
/* Every flag is added over the same 4 bytes with the full mask as value. */
13163 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
13164 tvb, offset, 4, mask);
13165 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
13166 tvb, offset, 4, mask);
13167 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
13168 tvb, offset, 4, mask);
13169 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
13170 tvb, offset, 4, mask);
13171 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
13172 tvb, offset, 4, mask);
13173 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
13174 tvb, offset, 4, mask);
13175 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
13176 tvb, offset, 4, mask);
/*
 * Dissect the 4-byte "Device Characteristics" bitmask at `offset`.
 *
 * Reads the mask as a 32-bit little-endian value, adds a text item showing
 * it in hex, and hangs seven boolean flag fields off a subtree of that item.
 *
 * tvb         - buffer to read from
 * parent_tree - tree under which the item is added
 * offset      - offset of the mask in tvb
 *
 * The function takes no byte-count argument and does no length check of its
 * own in the visible lines; the caller in dissect_qfsi_vals runs
 * CHECK_BYTE_COUNT_TRANS_SUBR(4) immediately before calling it.
 * NOTE(review): the return statement is not part of this listing; the caller
 * assigns the result to its offset, so it presumably returns the offset
 * after the mask - confirm.
 */
13184 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
13187 proto_item *item = NULL;
13188 proto_tree *tree = NULL;
13190 mask = tvb_get_letohl(tvb, offset);
13193 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
13194 "Device Characteristics: 0x%08x", mask);
13195 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
/* Every flag is added over the same 4 bytes with the full mask as value. */
13198 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
13199 tvb, offset, 4, mask);
13200 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
13201 tvb, offset, 4, mask);
13202 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
13203 tvb, offset, 4, mask);
13204 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
13205 tvb, offset, 4, mask);
13206 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
13207 tvb, offset, 4, mask);
13208 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
13209 tvb, offset, 4, mask);
13210 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
13211 tvb, offset, 4, mask);
13217 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
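/*
 * Display strings for Macintosh capability bits. In a true_false_string the
 * first string is shown when the bit is set and the second when it is clear.
 * These tables are presumably attached to the hf_smb_mac_sup_* fields used
 * for "Mac Support Flags"; the registration is outside this listing.
 * An analyst reads these strings to decide what a server advertises, so a
 * wrong string misreports the capture.
 */
13219 static const true_false_string tfs_smb_mac_access_ctrl = {
13220 "Macintosh Access Control Supported",
13221 "Macintosh Access Control Not Supported"
13224 static const true_false_string tfs_smb_mac_getset_comments = {
13225 "Macintosh Get & Set Comments Supported",
13226 "Macintosh Get & Set Comments Not Supported"
/* Fixed: the string for a clear bit used to repeat the "Supported" text, so
 * the capability was displayed as supported whatever the bit said. */
13229 static const true_false_string tfs_smb_mac_desktopdb_calls = {
13230 "Macintosh Get & Set Desktop Database Info Supported",
13231 "Macintosh Get & Set Desktop Database Info Not Supported"
13234 static const true_false_string tfs_smb_mac_unique_ids = {
13235 "Macintosh Unique IDs Supported",
13236 "Macintosh Unique IDs Not Supported"
/* NOTE(review): unlike the tables above, a set bit maps to "Not Supported"
 * here. This may be a deliberate inverted flag or a swapped pair - confirm
 * against the protocol definition before changing it. */
13239 static const true_false_string tfs_smb_mac_streams = {
13240 "Macintosh and Streams Extensions Not Supported",
13241 "Macintosh and Streams Extensions Supported"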
/*
 * Dissect the data block of a TRANS2_QUERY_FS_INFORMATION response.
 *
 * Switches on si->info_level and adds the fields of that level to `tree`.
 *
 * tvb    - buffer holding the data block
 * pinfo  - packet info; pinfo->private_data is read as the smb_info_t
 * tree   - tree the fields are added to
 * offset - current offset into tvb
 * bcp    - pointer to the remaining byte count; also passed on to helpers
 *
 * Most fixed-size fields are bracketed by CHECK_BYTE_COUNT_TRANS_SUBR(n) and
 * COUNT_BYTES_TRANS_SUBR(n). Both macros are defined outside this listing
 * and presumably test and consume the byte count in *bcp - confirm against
 * their definitions.
 *
 * Several levels carry a length field (vll, fnl, the one-byte label length)
 * that is read from the packet and displayed. NOTE(review): the lines that
 * feed those values into fn_len are missing from this listing (the gutter
 * numbers are not contiguous), as are break statements and the return;
 * confirm that get_unicode_or_ascii_string() bounds the read by *bcp.
 */
13245 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
13246 int offset, guint16 *bcp)
13249 int fn_len, vll, fnl;
13252 proto_item *item = NULL;
13253 proto_tree *ti = NULL;
13259 si = (smb_info_t *)pinfo->private_data;
13260 switch(si->info_level){
13261 case 1: /* SMB_INFO_ALLOCATION */
13262 /* filesystem id */
13263 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13264 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
13265 COUNT_BYTES_TRANS_SUBR(4);
13267 /* sectors per unit */
13268 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13269 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
13270 COUNT_BYTES_TRANS_SUBR(4);
13273 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13274 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
13275 COUNT_BYTES_TRANS_SUBR(4);
13278 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13279 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
13280 COUNT_BYTES_TRANS_SUBR(4);
13282 /* bytes per sector, only 16bit integer here */
13283 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13284 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13285 COUNT_BYTES_TRANS_SUBR(2);
13288 case 2: /* SMB_INFO_VOLUME */
13289 /* volume serial number */
13290 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13291 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
13292 COUNT_BYTES_TRANS_SUBR(4);
13294 /* volume label length, only one byte here */
13295 CHECK_BYTE_COUNT_TRANS_SUBR(1);
13296 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
13297 COUNT_BYTES_TRANS_SUBR(1);
/* The one-byte length above is only displayed in the visible lines; the
 * label itself is fetched by the helper, which receives bcp. */
13300 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
13301 CHECK_STRING_TRANS_SUBR(fn);
13302 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
13304 COUNT_BYTES_TRANS_SUBR(fn_len);
13307 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
13308 case 1002: /* SMB_FS_LABEL_INFORMATION */
13309 /* volume label length */
13310 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13311 vll = tvb_get_letohl(tvb, offset);
13312 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
13313 COUNT_BYTES_TRANS_SUBR(4);
/* NOTE(review): vll is a 32-bit wire value stored in an int; the line that
 * hands it to fn_len is not part of this listing - confirm it cannot make
 * the helper read past *bcp. */
13317 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13318 CHECK_STRING_TRANS_SUBR(fn);
13319 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
13321 COUNT_BYTES_TRANS_SUBR(fn_len);
13324 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
13325 case 1001: /* SMB_FS_VOLUME_INFORMATION */
13327 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13328 offset = dissect_smb_64bit_time(tvb, tree, offset,
13329 hf_smb_create_time);
13332 /* volume serial number */
13333 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13334 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
13335 COUNT_BYTES_TRANS_SUBR(4);
13337 /* volume label length */
13338 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13339 vll = tvb_get_letohl(tvb, offset);
13340 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
13341 COUNT_BYTES_TRANS_SUBR(4);
13343 /* 2 reserved bytes */
13344 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13345 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
13346 COUNT_BYTES_TRANS_SUBR(2);
13350 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13351 CHECK_STRING_TRANS_SUBR(fn);
13352 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
13354 COUNT_BYTES_TRANS_SUBR(fn_len);
13357 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
13358 case 1003: /* SMB_FS_SIZE_INFORMATION */
13359 /* allocation size */
13360 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13361 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13362 COUNT_BYTES_TRANS_SUBR(8);
13364 /* free allocation units */
13365 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13366 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
13367 COUNT_BYTES_TRANS_SUBR(8);
13369 /* sectors per unit */
13370 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13371 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
13372 COUNT_BYTES_TRANS_SUBR(4);
13374 /* bytes per sector */
13375 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13376 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
13377 COUNT_BYTES_TRANS_SUBR(4);
13380 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
13381 case 1004: /* SMB_FS_DEVICE_INFORMATION */
13383 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13384 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
13385 COUNT_BYTES_TRANS_SUBR(4);
13387 /* device characteristics */
13388 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13389 offset = dissect_device_characteristics(tvb, tree, offset);
13393 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
13394 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
13395 /* FS attributes */
13396 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13397 offset = dissect_fs_attributes(tvb, tree, offset);
13401 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13402 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
13403 COUNT_BYTES_TRANS_SUBR(4);
13405 /* fs name length */
13406 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13407 fnl = tvb_get_letohl(tvb, offset);
13408 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
13409 COUNT_BYTES_TRANS_SUBR(4);
13413 fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
13414 CHECK_STRING_TRANS_SUBR(fn);
13415 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
13417 COUNT_BYTES_TRANS_SUBR(fn_len);
13420 case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
13421 proto_item *item = NULL;
13422 proto_tree *subtree = NULL;
13423 guint32 caps_lo, caps_hi;
/* This inner `item` shadows the function-level `item` declared above. */
13425 /* MajorVersionNumber */
13426 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13427 proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, TRUE);
13428 COUNT_BYTES_TRANS_SUBR(2);
13430 /* MinorVersionNumber */
13431 CHECK_BYTE_COUNT_TRANS_SUBR(2);
13432 proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, TRUE);
13433 COUNT_BYTES_TRANS_SUBR(2);
13437 CHECK_BYTE_COUNT_TRANS_SUBR(8);
/* The 8 capability bytes are read as two little-endian 32-bit halves, low
 * word first; the single 8-byte check above covers both reads. */
13439 caps_lo = tvb_get_letohl(tvb, offset);
13440 caps_hi = tvb_get_letohl(tvb, offset + 4);
13443 item = proto_tree_add_text(
13444 tree, tvb, offset, 8, "Capabilities: 0x%08x%08x",
13446 subtree = proto_item_add_subtree(
13447 item, ett_smb_unix_capabilities);
13450 proto_tree_add_boolean(
13451 subtree, hf_smb_unix_capability_fcntl, tvb, offset, 8,
13454 proto_tree_add_boolean(
13455 subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 8,
13458 COUNT_BYTES_TRANS_SUBR(8);
13462 case 0x301: /* MAC_QUERY_FS_INFO */
13464 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13465 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_create_time);
13468 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13469 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_modify_time);
13472 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13473 offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_backup_time);
13475 /* Allocation blocks */
13476 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13477 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
13480 COUNT_BYTES_TRANS_SUBR(4);
13481 /* Allocation Block Size */
13482 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13483 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
13485 COUNT_BYTES_TRANS_SUBR(4);
13486 /* Free Block Count */
13487 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13488 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
13490 COUNT_BYTES_TRANS_SUBR(4);
13491 /* Finder Info ... */
13492 CHECK_BYTE_COUNT_TRANS_SUBR(32);
13493 proto_tree_add_bytes_format(tree, hf_smb_mac_fndrinfo, tvb,
13495 tvb_get_ptr(tvb, offset,32),
13497 tvb_format_text(tvb, offset, 32));
13498 COUNT_BYTES_TRANS_SUBR(32);
13500 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13501 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
13503 COUNT_BYTES_TRANS_SUBR(4);
13504 /* Number of Root Directories */
13505 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13506 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
13508 COUNT_BYTES_TRANS_SUBR(4);
13509 /* Number of files */
13510 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13511 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
13513 COUNT_BYTES_TRANS_SUBR(4);
13515 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13516 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
13518 COUNT_BYTES_TRANS_SUBR(4);
13519 /* Mac Support Flags */
13520 CHECK_BYTE_COUNT_TRANS_SUBR(4);
/* Read in network (big-endian) order, unlike the little-endian reads used
 * for the other levels in this function. NOTE(review): presumably
 * intentional for the Mac extension - verify, since the wrong byte order
 * would light up the wrong flag bits below. */
13521 support = tvb_get_ntohl(tvb, offset);
13522 item = proto_tree_add_text(tree, tvb, offset, 4,
13523 "Mac Support Flags: 0x%08x", support);
13524 ti = proto_item_add_subtree(item, ett_smb_mac_support_flags);
13525 proto_tree_add_boolean(ti, hf_smb_mac_sup_access_ctrl,
13526 tvb, offset, 4, support);
13527 proto_tree_add_boolean(ti, hf_smb_mac_sup_getset_comments,
13528 tvb, offset, 4, support);
13529 proto_tree_add_boolean(ti, hf_smb_mac_sup_desktopdb_calls,
13530 tvb, offset, 4, support);
13531 proto_tree_add_boolean(ti, hf_smb_mac_sup_unique_ids,
13532 tvb, offset, 4, support);
13533 proto_tree_add_boolean(ti, hf_smb_mac_sup_streams,
13534 tvb, offset, 4, support);
13535 COUNT_BYTES_TRANS_SUBR(4);
13537 case 1006: /* QUERY_FS_QUOTA_INFO */
/* No byte-count check at this level; bcp is handed to dissect_nt_quota(). */
13538 offset = dissect_nt_quota(tvb, tree, offset, bcp);
13540 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
13541 /* allocation size */
13542 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13543 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
13544 COUNT_BYTES_TRANS_SUBR(8);
13546 /* caller free allocation units */
13547 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13548 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, TRUE);
13549 COUNT_BYTES_TRANS_SUBR(8);
13551 /* actual free allocation units */
13552 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13553 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, TRUE);
13554 COUNT_BYTES_TRANS_SUBR(8);
13556 /* sectors per unit */
13557 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13558 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
13559 COUNT_BYTES_TRANS_SUBR(4);
13561 /* bytes per sector */
13562 CHECK_BYTE_COUNT_TRANS_SUBR(4);
13563 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
13564 COUNT_BYTES_TRANS_SUBR(4);
13566 case 1008: /* Query Object ID is GUID plus unknown data */ {
13568 char uuid_str[DCERPC_UUID_STR_LEN];
13570 guint8 drep = 0x10;
13572 CHECK_BYTE_COUNT_TRANS_SUBR(16);
13574 dcerpc_tvb_get_uuid (tvb, offset, &drep, &fs_id);
/* The write into the stack buffer is bounded by DCERPC_UUID_STR_LEN.
 * NOTE(review): what is done with uuid_str_len (error or truncation
 * handling) is not part of this listing - confirm. */
13576 uuid_str_len = snprintf(
13577 uuid_str, DCERPC_UUID_STR_LEN,
13578 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
13579 fs_id.Data1, fs_id.Data2, fs_id.Data3,
13580 fs_id.Data4[0], fs_id.Data4[1],
13581 fs_id.Data4[2], fs_id.Data4[3],
13582 fs_id.Data4[4], fs_id.Data4[5],
13583 fs_id.Data4[6], fs_id.Data4[7]);
13585 proto_tree_add_string_format(
13586 tree, hf_smb_fs_guid, tvb,
13587 offset, 16, uuid_str, "GUID: %s", uuid_str);
13589 COUNT_BYTES_TRANS_SUBR(16);
/*
 * Dissect the data block of a TRANSACTION2 response.
 *
 * Creates a subtree labelled with the subcommand taken from the matching
 * request (t2i->subcmd) and dispatches to the per-subcommand data dissector.
 * Whatever remains undissected is added as hf_smb_unknown.
 *
 * tvb         - buffer holding only the data block; its reported length is
 *               used as the byte count dc
 * pinfo       - packet info; pinfo->private_data is read as the smb_info_t
 * parent_tree - tree under which the data subtree is added
 *
 * The layout of the response is chosen from request state (si->sip->
 * extra_info), not from the response itself.
 *
 * NOTE(review): the gutter numbers are not contiguous, so declarations,
 * else branches, loops, break statements and the return are missing from
 * this listing. dc is passed by address to helpers that take guint16 *bcp,
 * so it is presumably a 16-bit value - confirm that assigning
 * tvb_reported_length() to it cannot truncate for large buffers.
 */
13598 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
13599 proto_tree *parent_tree)
13601 proto_item *item = NULL;
13602 proto_tree *tree = NULL;
13604 smb_transact2_info_t *t2i;
13610 dc = tvb_reported_length(tvb);
13612 si = (smb_info_t *)pinfo->private_data;
13613 if (si->sip != NULL)
13614 t2i = si->sip->extra_info;
13619 if (t2i != NULL && t2i->subcmd != -1) {
13620 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
13622 val_to_str(t2i->subcmd, trans2_cmd_vals,
13623 "Unknown (0x%02x)"));
13624 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
13626 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
13627 "Unknown Transaction2 Data");
/* NOTE(review): t2i is assigned above only when si->sip is non-NULL, and the
 * tree setup tests t2i != NULL, yet the switch below dereferences t2i. The
 * lines in between are missing from this listing - confirm that a NULL t2i
 * (response seen without its request) returns before reaching the switch. */
13635 switch(t2i->subcmd){
13636 case 0x00: /*TRANS2_OPEN2*/
13637 /* XXX not implemented yet. See SNIA doc */
13639 case 0x01: /*TRANS2_FIND_FIRST2*/
13640 /* returned data */
/* si->info_count was stored by dissect_transaction2_response_parameters from
 * a 16-bit field of the response; the loop that consumes count is not part
 * of this listing. */
13641 count = si->info_count;
13643 if (count && check_col(pinfo->cinfo, COL_INFO)) {
13644 col_append_fstr(pinfo->cinfo, COL_INFO,
13649 offset = dissect_ff2_response_data(tvb, pinfo, tree,
13650 offset, &dc, &trunc);
13655 case 0x02: /*TRANS2_FIND_NEXT2*/
13656 /* returned data */
13657 count = si->info_count;
13659 if (count && check_col(pinfo->cinfo, COL_INFO)) {
13660 col_append_fstr(pinfo->cinfo, COL_INFO,
13665 offset = dissect_ff2_response_data(tvb, pinfo, tree,
13666 offset, &dc, &trunc);
13671 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13672 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
13674 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13675 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
13677 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13678 /* no data in this response */
13680 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13681 /* identical to QUERY_PATH_INFO */
13682 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
13684 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13685 /* no data in this response */
13687 case 0x09: /*TRANS2_FSCTL*/
13688 /* XXX dont know how to dissect this one (yet)*/
13691 * XXX - "Microsoft Networks SMB File Sharing Protocol
13692 * Extensions Version 3.0, Document Version 1.11,
13693 * July 19, 1990" says this this contains a
13694 * "File system specific return data block".
13695 * (That means we may not be able to dissect it in any
13699 case 0x0a: /*TRANS2_IOCTL2*/
13700 /* XXX dont know how to dissect this one (yet)*/
13703 * XXX - "Microsoft Networks SMB File Sharing Protocol
13704 * Extensions Version 3.0, Document Version 1.11,
13705 * July 19, 1990" says this this contains a
13706 * "Device/function specific return data block".
13707 * (That means we may not be able to dissect it in any
13711 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13712 /* XXX dont know how to dissect this one (yet)*/
13715 * XXX - "Microsoft Networks SMB File Sharing Protocol
13716 * Extensions Version 3.0, Document Version 1.11,
13717 * July 19, 1990" says this this contains "the level
13718 * dependent information about the changes which
13722 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13723 /* XXX dont know how to dissect this one (yet)*/
13726 * XXX - "Microsoft Networks SMB File Sharing Protocol
13727 * Extensions Version 3.0, Document Version 1.11,
13728 * July 19, 1990" says this this contains "the level
13729 * dependent information about the changes which
13733 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13734 /* no data in this response */
13736 case 0x0e: /*TRANS2_SESSION_SETUP*/
13737 /* XXX dont know how to dissect this one (yet)*/
13739 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
13740 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
13742 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
13743 /* the SNIA spec appears to say the response has no data */
13747 * We don't know what the matching request was; don't
13748 * bother putting anything else into the tree for the data.
13755 /* ooops there were data we didnt know how to process */
13757 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
/*
 * Dissect the parameter block of a TRANSACTION2 response.
 *
 * Creates a subtree labelled with the subcommand taken from the matching
 * request (t2i->subcmd) and adds the per-subcommand parameter fields. For
 * the FIND_FIRST2 / FIND_NEXT2 / FIND_NOTIFY subcommands it also stores the
 * 16-bit count read from the packet in si->info_count, which the data-block
 * dissector later reads as its entry count. Whatever remains is added as
 * hf_smb_unknown.
 *
 * tvb         - buffer holding only the parameter block; its reported length
 *               is used as pc
 * pinfo       - packet info; pinfo->private_data is read as the smb_info_t
 * parent_tree - tree under which the parameter subtree is added
 *
 * No CHECK_BYTE_COUNT-style guard appears in the visible lines of this
 * function. NOTE(review): the field reads presumably rely on the tvb
 * accessors rejecting out-of-range offsets on short data - confirm.
 *
 * NOTE(review): the gutter numbers are not contiguous, so declarations,
 * else branches, the offset increments between fields, break statements and
 * the return are missing from this listing.
 */
13766 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
13768 proto_item *item = NULL;
13769 proto_tree *tree = NULL;
13771 smb_transact2_info_t *t2i;
13777 pc = tvb_reported_length(tvb);
13779 si = (smb_info_t *)pinfo->private_data;
13780 if (si->sip != NULL)
13781 t2i = si->sip->extra_info;
13786 if (t2i != NULL && t2i->subcmd != -1) {
13787 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13789 val_to_str(t2i->subcmd, trans2_cmd_vals,
13790 "Unknown (0x%02x)"));
13791 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
13793 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
13794 "Unknown Transaction2 Parameters");
/* NOTE(review): t2i is assigned above only when si->sip is non-NULL, and the
 * tree setup tests t2i != NULL, yet the switch below dereferences t2i. The
 * lines in between are missing from this listing - confirm that a NULL t2i
 * (response seen without its request) returns before reaching the switch. */
13802 switch(t2i->subcmd){
13803 case 0x00: /*TRANS2_OPEN2*/
13805 fid = tvb_get_letohs(tvb, offset);
13806 add_fid(tvb, pinfo, tree, offset, 2, fid);
13810 * XXX - Microsoft Networks SMB File Sharing Protocol
13811 * Extensions Version 3.0, Document Version 1.11,
13812 * July 19, 1990 says that the file attributes, create
13813 * time (which it says is the last modification time),
13814 * data size, granted access, file type, and IPC state
13815 * are returned only if bit 0 is set in the open flags,
13816 * and that the EA length is returned only if bit 3
13817 * is set in the open flags. Does that mean that,
13818 * at least in that SMB dialect, those fields are not
13819 * present in the reply parameters if the bits in
13820 * question aren't set?
13823 /* File Attributes */
13824 offset = dissect_file_attributes(tvb, tree, offset, 2);
13827 offset = dissect_smb_datetime(tvb, tree, offset,
13828 hf_smb_create_time,
13829 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
13832 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
13835 /* granted access */
13836 offset = dissect_access(tvb, tree, offset, "Granted");
13839 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
13843 offset = dissect_ipc_state(tvb, tree, offset, FALSE);
13846 offset = dissect_open_action(tvb, tree, offset);
13848 /* server unique file ID */
13849 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, TRUE);
13852 /* ea error offset, only a 16 bit integer here */
13853 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13857 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
13861 case 0x01: /*TRANS2_FIND_FIRST2*/
13862 /* Find First2 information level */
13863 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
13866 proto_tree_add_item(tree, hf_smb_search_id, tvb, offset, 2, TRUE);
/* The entry count comes straight from the packet (16-bit little-endian) and
 * is kept in si for the data-block dissector. */
13870 si->info_count = tvb_get_letohs(tvb, offset);
13871 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13874 /* end of search */
13875 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13878 /* ea error offset, only a 16 bit integer here */
13879 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13882 /* last name offset */
13883 lno = tvb_get_letohs(tvb, offset);
13884 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13888 case 0x02: /*TRANS2_FIND_NEXT2*/
13890 si->info_count = tvb_get_letohs(tvb, offset);
13891 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
13894 /* end of search */
13895 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
13898 /* ea_error_offset, only a 16 bit integer here*/
13899 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13902 /* last name offset */
13903 lno = tvb_get_letohs(tvb, offset);
13904 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
13908 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
13909 /* no parameter block here */
13911 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
13912 /* ea_error_offset, only a 16 bit integer here*/
13913 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13917 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
13918 /* ea_error_offset, only a 16 bit integer here*/
13919 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13923 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
13924 /* ea_error_offset, only a 16 bit integer here*/
13925 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13929 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
13930 /* ea_error_offset, only a 16 bit integer here*/
13931 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13935 case 0x09: /*TRANS2_FSCTL*/
13936 /* XXX dont know how to dissect this one (yet)*/
13939 * XXX - "Microsoft Networks SMB File Sharing Protocol
13940 * Extensions Version 3.0, Document Version 1.11,
13941 * July 19, 1990" says this this contains a
13942 * "File system specific return parameter block".
13943 * (That means we may not be able to dissect it in any
13947 case 0x0a: /*TRANS2_IOCTL2*/
13948 /* XXX dont know how to dissect this one (yet)*/
13951 * XXX - "Microsoft Networks SMB File Sharing Protocol
13952 * Extensions Version 3.0, Document Version 1.11,
13953 * July 19, 1990" says this this contains a
13954 * "Device/function specific return parameter block".
13955 * (That means we may not be able to dissect it in any
13959 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
13960 /* Find Notify information level */
13961 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13963 /* Monitor handle */
13964 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
13968 si->info_count = tvb_get_letohs(tvb, offset);
13969 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13972 /* ea_error_offset, only a 16 bit integer here*/
13973 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13977 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
13978 /* Find Notify information level */
13979 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
13982 si->info_count = tvb_get_letohs(tvb, offset);
13983 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
13986 /* ea_error_offset, only a 16 bit integer here*/
13987 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13991 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
13992 /* ea error offset, only a 16 bit integer here */
13993 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
13997 case 0x0e: /*TRANS2_SESSION_SETUP*/
13998 /* XXX dont know how to dissect this one (yet)*/
14000 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
14001 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
14003 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
14004 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
14008 * We don't know what the matching request was; don't
14009 * bother putting anything else into the tree for the data.
14015 /* ooops there were data we didnt know how to process */
14017 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
14018 offset += pc-offset;
14024 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
14027 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
14029 smb_transact2_info_t *t2i = NULL;
14032 gboolean dissected_trans;
14033 fragment_data *r_fd = NULL;
14034 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
14035 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
14036 gboolean save_fragmented;
14038 si = (smb_info_t *)pinfo->private_data;
14041 case SMB_COM_TRANSACTION2:
14043 if (si->sip != NULL) {
14044 t2i = si->sip->extra_info;
14049 * We didn't see the matching request, so we don't
14050 * know what type of transaction this is.
14052 proto_tree_add_text(tree, tvb, 0, 0,
14053 "Subcommand: <UNKNOWN> since request packet wasn't seen");
14054 if (check_col(pinfo->cinfo, COL_INFO)) {
14055 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
14058 si->info_level = t2i->info_level;
14059 if (t2i->subcmd == -1) {
14061 * We didn't manage to extract the subcommand
14062 * from the matching request (perhaps because
14063 * the frame was short), so we don't know what
14064 * type of transaction this is.
14066 proto_tree_add_text(tree, tvb, 0, 0,
14067 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
14068 if (check_col(pinfo->cinfo, COL_INFO)) {
14069 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
14072 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
14073 if (check_col(pinfo->cinfo, COL_INFO)) {
14074 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
14075 val_to_str(t2i->subcmd,
14077 "<unknown (0x%02x)>"));
14086 /* total param count, only a 16bit integer here */
14087 tp = tvb_get_letohs(tvb, offset);
14088 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
14091 /* total data count, only a 16 bit integer here */
14092 td = tvb_get_letohs(tvb, offset);
14093 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
14096 /* 2 reserved bytes */
14097 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
14101 pc = tvb_get_letohs(tvb, offset);
14102 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
14106 po = tvb_get_letohs(tvb, offset);
14107 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
14111 pd = tvb_get_letohs(tvb, offset);
14112 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
14116 dc = tvb_get_letohs(tvb, offset);
14117 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
14121 od = tvb_get_letohs(tvb, offset);
14122 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
14126 dd = tvb_get_letohs(tvb, offset);
14127 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
14131 sc = tvb_get_guint8(tvb, offset);
14132 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
14135 /* reserved byte */
14136 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
14140 /* if there were any setup bytes, put them in a tvb for later */
14142 if((2*sc)>tvb_length_remaining(tvb, offset)){
14143 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
14145 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
14147 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
14158 /* reassembly of SMB Transaction data payload.
14159 In this section we do reassembly of both the data and parameters
14160 blocks of the SMB transaction command.
14162 save_fragmented = pinfo->fragmented;
14163 /* do we need reassembly? */
14164 if( (td!=dc) || (tp!=pc) ){
14165 /* oh yeah, either data or parameter section needs
14168 pinfo->fragmented = TRUE;
14169 if(smb_trans_reassembly){
14170 /* ...and we were told to do reassembly */
14171 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
14172 r_fd = smb_trans_defragment(tree, pinfo, tvb,
14173 po, pc, pd, td+tp);
14176 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
14177 r_fd = smb_trans_defragment(tree, pinfo, tvb,
14178 od, dc, dd+tp, td+tp);
14183 /* if we got a reassembled fd structure from the reassembly routine we must
14184 create pd_tvb from it
14187 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
14189 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
14190 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
14191 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb);
14196 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
14198 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
14201 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
14204 /* It was not reassembled. Do as best as we can.
14205 * in this case we always try to dissect the stuff if
14206 * data and param displacement is 0. i.e. for the first
14207 * (and maybe only) packet.
14209 if( (pd==0) && (dd==0) ){
14212 min = MIN(pc,tvb_length_remaining(tvb,po));
14213 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
14214 if(min && reported_min) {
14215 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
14217 min = MIN(dc,tvb_length_remaining(tvb,od));
14218 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
14219 if(min && reported_min) {
14220 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
14223 * A tvbuff containing the parameters
14225 * XXX - check pc and dc as well?
14227 if (tvb_length_remaining(tvb, po)){
14228 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
14237 /* We have some padding bytes.
14239 padcnt = po-offset;
14242 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
14243 COUNT_BYTES(padcnt);
14245 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
14246 /* TRANSACTION2 parameters*/
14247 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
14254 /* We have some initial padding bytes.
14256 padcnt = od-offset;
14259 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
14260 COUNT_BYTES(padcnt);
14263 * If the data count is bigger than the count of bytes
14264 * remaining, clamp it so that the count of bytes remaining
14265 * doesn't go negative.
14273 /* from now on, everything is in separate tvbuffs so we dont count
14274 the bytes with COUNT_BYTES any more.
14275 neither do we reference offset any more (which by now points to the
14276 first byte AFTER this PDU */
14279 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
14280 /* TRANSACTION2 parameters*/
14281 dissect_transaction2_response_data(d_tvb, pinfo, tree);
14285 if(si->cmd==SMB_COM_TRANSACTION){
14286 smb_transact_info_t *tri;
14288 dissected_trans = FALSE;
14289 if (si->sip != NULL)
14290 tri = si->sip->extra_info;
14294 switch(tri->subcmd){
14296 case TRANSACTION_PIPE:
14297 /* This function is safe to call for
14298 s_tvb==sp_tvb==NULL, i.e. if we don't
14299 know them at this point.
14300 It's also safe to call if "p_tvb"
14301 or "d_tvb" are null.
14304 dissected_trans = dissect_pipe_smb(
14305 sp_tvb, s_tvb, pd_tvb, p_tvb,
14306 d_tvb, NULL, pinfo, top_tree);
14310 case TRANSACTION_MAILSLOT:
14311 /* This one should be safe to call
14312 even if s_tvb and sp_tvb is NULL
14315 dissected_trans = dissect_mailslot_smb(
14316 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
14322 if (!dissected_trans) {
14323 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
14324 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
14329 if( (p_tvb==0) && (d_tvb==0) ){
14330 if(check_col(pinfo->cinfo, COL_INFO)){
14331 col_append_str(pinfo->cinfo, COL_INFO,
14332 "[transact continuation]");
14336 pinfo->fragmented = save_fragmented;
/*
 * Dissects an SMB Find Notify Close message; smb_dissector[] installs it as
 * the request handler for command 0x35.  The one visible statement adds the
 * 2-byte monitor handle found at `offset` to `tree`.  pinfo and smb_tree
 * are marked unused (_U_).
 * NOTE(review): the embedded line numbers jump from 14344 to 14351, so
 * whatever surrounds these lines (return type, locals, the return
 * statement) is not shown in this listing.
 */
14344 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
14351 /* Monitor handle */
14352 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, TRUE);
14362 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14363 END Transaction/Transaction2 Primary and secondary requests
14364 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Fallback handler: smb_dissector[] uses it for every command slot that has
 * no dedicated request or response dissector.  It does not interpret the
 * message; the two visible calls only label wc*2 bytes as "Word parameters"
 * and bc bytes as "Byte parameters" in `tree`.
 * NOTE(review): wc and bc are not declared or assigned on any visible line
 * (the embedded line numbers skip 14369-14375); presumably they are the
 * word count and byte count read from the packet, i.e. sender-controlled
 * lengths -- confirm they are bounded by the tvbuff before use.
 */
14368 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_)
14376 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
14383 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
/*
 * Handler pair for one SMB command: `request` is called when the message is
 * a request, `response` when it is a response (dissect_smb_command() picks
 * between them on si->request).  Both share one signature and return an int
 * that dissect_smb_command() stores back into its running offset.
 */
14393 typedef struct _smb_function {
14394 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
14395 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
/*
 * Dispatch table indexed by the one-byte SMB command code.  All 256 slots
 * (0x00..0xff) are populated, so dissect_smb_command() can index it with a
 * guint8 and call the selected handler without a bounds or NULL check.
 * Commands with no dedicated handler use dissect_unknown.  When a command
 * gains a handler, replace its slot in place; inserting or deleting a row
 * would shift every later command onto the wrong handler.
 */
14398 static smb_function smb_dissector[256] = {
14399 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
14400 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
14401 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
14402 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
14403 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
14404 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
14405 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
14406 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
14407 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
14408 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
14409 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
14410 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
14411 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
14412 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
14413 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
14414 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
14416 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
14417 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
14418 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
14419 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
14420 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
14421 /* 0x15 */ {dissect_unknown, dissect_unknown},
14422 /* 0x16 */ {dissect_unknown, dissect_unknown},
14423 /* 0x17 */ {dissect_unknown, dissect_unknown},
14424 /* 0x18 */ {dissect_unknown, dissect_unknown},
14425 /* 0x19 */ {dissect_unknown, dissect_unknown},
14426 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
14427 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
14428 /* 0x1c Read MPX Secondary*/ {dissect_unknown, dissect_unknown},
14429 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
14430 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
14431 /* 0x1f Write MPX Secondary*/ {dissect_unknown, dissect_unknown},
14433 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
14434 /* 0x21 */ {dissect_unknown, dissect_unknown},
14435 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
14436 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
14437 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
14438 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
14439 /* 0x26 Transaction Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
14440 /* 0x27 IOCTL*/ {dissect_unknown, dissect_unknown},
14441 /* 0x28 IOCTL Secondary*/ {dissect_unknown, dissect_unknown},
14442 /* 0x29 Copy File*/ {dissect_copy_request, dissect_move_copy_response},
14443 /* 0x2a Move File*/ {dissect_move_request, dissect_move_copy_response},
14444 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
14445 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
14446 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
14447 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
14448 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
14450 /* 0x30 */ {dissect_unknown, dissect_unknown},
14451 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request, dissect_empty},
14452 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
14453 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
14454 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
14455 /* 0x35 Find Notify Close*/ {dissect_find_notify_close, dissect_empty},
14456 /* 0x36 */ {dissect_unknown, dissect_unknown},
14457 /* 0x37 */ {dissect_unknown, dissect_unknown},
14458 /* 0x38 */ {dissect_unknown, dissect_unknown},
14459 /* 0x39 */ {dissect_unknown, dissect_unknown},
14460 /* 0x3a */ {dissect_unknown, dissect_unknown},
14461 /* 0x3b */ {dissect_unknown, dissect_unknown},
14462 /* 0x3c */ {dissect_unknown, dissect_unknown},
14463 /* 0x3d */ {dissect_unknown, dissect_unknown},
14464 /* 0x3e */ {dissect_unknown, dissect_unknown},
14465 /* 0x3f */ {dissect_unknown, dissect_unknown},
14467 /* 0x40 */ {dissect_unknown, dissect_unknown},
14468 /* 0x41 */ {dissect_unknown, dissect_unknown},
14469 /* 0x42 */ {dissect_unknown, dissect_unknown},
14470 /* 0x43 */ {dissect_unknown, dissect_unknown},
14471 /* 0x44 */ {dissect_unknown, dissect_unknown},
14472 /* 0x45 */ {dissect_unknown, dissect_unknown},
14473 /* 0x46 */ {dissect_unknown, dissect_unknown},
14474 /* 0x47 */ {dissect_unknown, dissect_unknown},
14475 /* 0x48 */ {dissect_unknown, dissect_unknown},
14476 /* 0x49 */ {dissect_unknown, dissect_unknown},
14477 /* 0x4a */ {dissect_unknown, dissect_unknown},
14478 /* 0x4b */ {dissect_unknown, dissect_unknown},
14479 /* 0x4c */ {dissect_unknown, dissect_unknown},
14480 /* 0x4d */ {dissect_unknown, dissect_unknown},
14481 /* 0x4e */ {dissect_unknown, dissect_unknown},
14482 /* 0x4f */ {dissect_unknown, dissect_unknown},
14484 /* 0x50 */ {dissect_unknown, dissect_unknown},
14485 /* 0x51 */ {dissect_unknown, dissect_unknown},
14486 /* 0x52 */ {dissect_unknown, dissect_unknown},
14487 /* 0x53 */ {dissect_unknown, dissect_unknown},
14488 /* 0x54 */ {dissect_unknown, dissect_unknown},
14489 /* 0x55 */ {dissect_unknown, dissect_unknown},
14490 /* 0x56 */ {dissect_unknown, dissect_unknown},
14491 /* 0x57 */ {dissect_unknown, dissect_unknown},
14492 /* 0x58 */ {dissect_unknown, dissect_unknown},
14493 /* 0x59 */ {dissect_unknown, dissect_unknown},
14494 /* 0x5a */ {dissect_unknown, dissect_unknown},
14495 /* 0x5b */ {dissect_unknown, dissect_unknown},
14496 /* 0x5c */ {dissect_unknown, dissect_unknown},
14497 /* 0x5d */ {dissect_unknown, dissect_unknown},
14498 /* 0x5e */ {dissect_unknown, dissect_unknown},
14499 /* 0x5f */ {dissect_unknown, dissect_unknown},
14501 /* 0x60 */ {dissect_unknown, dissect_unknown},
14502 /* 0x61 */ {dissect_unknown, dissect_unknown},
14503 /* 0x62 */ {dissect_unknown, dissect_unknown},
14504 /* 0x63 */ {dissect_unknown, dissect_unknown},
14505 /* 0x64 */ {dissect_unknown, dissect_unknown},
14506 /* 0x65 */ {dissect_unknown, dissect_unknown},
14507 /* 0x66 */ {dissect_unknown, dissect_unknown},
14508 /* 0x67 */ {dissect_unknown, dissect_unknown},
14509 /* 0x68 */ {dissect_unknown, dissect_unknown},
14510 /* 0x69 */ {dissect_unknown, dissect_unknown},
14511 /* 0x6a */ {dissect_unknown, dissect_unknown},
14512 /* 0x6b */ {dissect_unknown, dissect_unknown},
14513 /* 0x6c */ {dissect_unknown, dissect_unknown},
14514 /* 0x6d */ {dissect_unknown, dissect_unknown},
14515 /* 0x6e */ {dissect_unknown, dissect_unknown},
14516 /* 0x6f */ {dissect_unknown, dissect_unknown},
14518 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
14519 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
14520 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
14521 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
14522 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
14523 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
14524 /* 0x76 */ {dissect_unknown, dissect_unknown},
14525 /* 0x77 */ {dissect_unknown, dissect_unknown},
14526 /* 0x78 */ {dissect_unknown, dissect_unknown},
14527 /* 0x79 */ {dissect_unknown, dissect_unknown},
14528 /* 0x7a */ {dissect_unknown, dissect_unknown},
14529 /* 0x7b */ {dissect_unknown, dissect_unknown},
14530 /* 0x7c */ {dissect_unknown, dissect_unknown},
14531 /* 0x7d */ {dissect_unknown, dissect_unknown},
14532 /* 0x7e */ {dissect_unknown, dissect_unknown},
14533 /* 0x7f */ {dissect_unknown, dissect_unknown},
14535 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
14536 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
14537 /* 0x82 Find*/ {dissect_find_request, dissect_find_response},
14538 /* 0x83 Find Unique*/ {dissect_find_request, dissect_find_response},
14539 /* 0x84 Find Close*/ {dissect_find_close_request, dissect_find_close_response},
14540 /* 0x85 */ {dissect_unknown, dissect_unknown},
14541 /* 0x86 */ {dissect_unknown, dissect_unknown},
14542 /* 0x87 */ {dissect_unknown, dissect_unknown},
14543 /* 0x88 */ {dissect_unknown, dissect_unknown},
14544 /* 0x89 */ {dissect_unknown, dissect_unknown},
14545 /* 0x8a */ {dissect_unknown, dissect_unknown},
14546 /* 0x8b */ {dissect_unknown, dissect_unknown},
14547 /* 0x8c */ {dissect_unknown, dissect_unknown},
14548 /* 0x8d */ {dissect_unknown, dissect_unknown},
14549 /* 0x8e */ {dissect_unknown, dissect_unknown},
14550 /* 0x8f */ {dissect_unknown, dissect_unknown},
14552 /* 0x90 */ {dissect_unknown, dissect_unknown},
14553 /* 0x91 */ {dissect_unknown, dissect_unknown},
14554 /* 0x92 */ {dissect_unknown, dissect_unknown},
14555 /* 0x93 */ {dissect_unknown, dissect_unknown},
14556 /* 0x94 */ {dissect_unknown, dissect_unknown},
14557 /* 0x95 */ {dissect_unknown, dissect_unknown},
14558 /* 0x96 */ {dissect_unknown, dissect_unknown},
14559 /* 0x97 */ {dissect_unknown, dissect_unknown},
14560 /* 0x98 */ {dissect_unknown, dissect_unknown},
14561 /* 0x99 */ {dissect_unknown, dissect_unknown},
14562 /* 0x9a */ {dissect_unknown, dissect_unknown},
14563 /* 0x9b */ {dissect_unknown, dissect_unknown},
14564 /* 0x9c */ {dissect_unknown, dissect_unknown},
14565 /* 0x9d */ {dissect_unknown, dissect_unknown},
14566 /* 0x9e */ {dissect_unknown, dissect_unknown},
14567 /* 0x9f */ {dissect_unknown, dissect_unknown},
14569 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
14570 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
14571 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
14572 /* 0xa3 */ {dissect_unknown, dissect_unknown},
14573 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
14574 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request, dissect_empty},
14575 /* 0xa6 */ {dissect_unknown, dissect_unknown},
14576 /* 0xa7 */ {dissect_unknown, dissect_unknown},
14577 /* 0xa8 */ {dissect_unknown, dissect_unknown},
14578 /* 0xa9 */ {dissect_unknown, dissect_unknown},
14579 /* 0xaa */ {dissect_unknown, dissect_unknown},
14580 /* 0xab */ {dissect_unknown, dissect_unknown},
14581 /* 0xac */ {dissect_unknown, dissect_unknown},
14582 /* 0xad */ {dissect_unknown, dissect_unknown},
14583 /* 0xae */ {dissect_unknown, dissect_unknown},
14584 /* 0xaf */ {dissect_unknown, dissect_unknown},
14586 /* 0xb0 */ {dissect_unknown, dissect_unknown},
14587 /* 0xb1 */ {dissect_unknown, dissect_unknown},
14588 /* 0xb2 */ {dissect_unknown, dissect_unknown},
14589 /* 0xb3 */ {dissect_unknown, dissect_unknown},
14590 /* 0xb4 */ {dissect_unknown, dissect_unknown},
14591 /* 0xb5 */ {dissect_unknown, dissect_unknown},
14592 /* 0xb6 */ {dissect_unknown, dissect_unknown},
14593 /* 0xb7 */ {dissect_unknown, dissect_unknown},
14594 /* 0xb8 */ {dissect_unknown, dissect_unknown},
14595 /* 0xb9 */ {dissect_unknown, dissect_unknown},
14596 /* 0xba */ {dissect_unknown, dissect_unknown},
14597 /* 0xbb */ {dissect_unknown, dissect_unknown},
14598 /* 0xbc */ {dissect_unknown, dissect_unknown},
14599 /* 0xbd */ {dissect_unknown, dissect_unknown},
14600 /* 0xbe */ {dissect_unknown, dissect_unknown},
14601 /* 0xbf */ {dissect_unknown, dissect_unknown},
14603 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
14604 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
14605 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
14606 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
14607 /* 0xc4 */ {dissect_unknown, dissect_unknown},
14608 /* 0xc5 */ {dissect_unknown, dissect_unknown},
14609 /* 0xc6 */ {dissect_unknown, dissect_unknown},
14610 /* 0xc7 */ {dissect_unknown, dissect_unknown},
14611 /* 0xc8 */ {dissect_unknown, dissect_unknown},
14612 /* 0xc9 */ {dissect_unknown, dissect_unknown},
14613 /* 0xca */ {dissect_unknown, dissect_unknown},
14614 /* 0xcb */ {dissect_unknown, dissect_unknown},
14615 /* 0xcc */ {dissect_unknown, dissect_unknown},
14616 /* 0xcd */ {dissect_unknown, dissect_unknown},
14617 /* 0xce */ {dissect_unknown, dissect_unknown},
14618 /* 0xcf */ {dissect_unknown, dissect_unknown},
14620 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request, dissect_empty},
14621 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request, dissect_empty},
14622 /* 0xd2 Forward User Name*/ {dissect_forwarded_name, dissect_empty},
14623 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name, dissect_empty},
14624 /* 0xd4 Get Machine Name*/ {dissect_empty, dissect_get_machine_name_response},
14625 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request, dissect_message_group_id},
14626 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id, dissect_empty},
14627 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request, dissect_empty},
14628 /* 0xd8 SMBreadbulk*/ {dissect_unknown, dissect_unknown},
14629 /* 0xd9 SMBwritebulk*/ {dissect_unknown, dissect_unknown},
14630 /* 0xda SMBwritebulkdata*/ {dissect_unknown, dissect_unknown},
14631 /* 0xdb */ {dissect_unknown, dissect_unknown},
14632 /* 0xdc */ {dissect_unknown, dissect_unknown},
14633 /* 0xdd */ {dissect_unknown, dissect_unknown},
14634 /* 0xde */ {dissect_unknown, dissect_unknown},
14635 /* 0xdf */ {dissect_unknown, dissect_unknown},
14637 /* 0xe0 */ {dissect_unknown, dissect_unknown},
14638 /* 0xe1 */ {dissect_unknown, dissect_unknown},
14639 /* 0xe2 */ {dissect_unknown, dissect_unknown},
14640 /* 0xe3 */ {dissect_unknown, dissect_unknown},
14641 /* 0xe4 */ {dissect_unknown, dissect_unknown},
14642 /* 0xe5 */ {dissect_unknown, dissect_unknown},
14643 /* 0xe6 */ {dissect_unknown, dissect_unknown},
14644 /* 0xe7 */ {dissect_unknown, dissect_unknown},
14645 /* 0xe8 */ {dissect_unknown, dissect_unknown},
14646 /* 0xe9 */ {dissect_unknown, dissect_unknown},
14647 /* 0xea */ {dissect_unknown, dissect_unknown},
14648 /* 0xeb */ {dissect_unknown, dissect_unknown},
14649 /* 0xec */ {dissect_unknown, dissect_unknown},
14650 /* 0xed */ {dissect_unknown, dissect_unknown},
14651 /* 0xee */ {dissect_unknown, dissect_unknown},
14652 /* 0xef */ {dissect_unknown, dissect_unknown},
14654 /* 0xf0 */ {dissect_unknown, dissect_unknown},
14655 /* 0xf1 */ {dissect_unknown, dissect_unknown},
14656 /* 0xf2 */ {dissect_unknown, dissect_unknown},
14657 /* 0xf3 */ {dissect_unknown, dissect_unknown},
14658 /* 0xf4 */ {dissect_unknown, dissect_unknown},
14659 /* 0xf5 */ {dissect_unknown, dissect_unknown},
14660 /* 0xf6 */ {dissect_unknown, dissect_unknown},
14661 /* 0xf7 */ {dissect_unknown, dissect_unknown},
14662 /* 0xf8 */ {dissect_unknown, dissect_unknown},
14663 /* 0xf9 */ {dissect_unknown, dissect_unknown},
14664 /* 0xfa */ {dissect_unknown, dissect_unknown},
14665 /* 0xfb */ {dissect_unknown, dissect_unknown},
14666 /* 0xfc */ {dissect_unknown, dissect_unknown},
14667 /* 0xfd */ {dissect_unknown, dissect_unknown},
14668 /* 0xfe */ {dissect_unknown, dissect_unknown},
14669 /* 0xff */ {dissect_unknown, dissect_unknown},
/*
 * Dissect one SMB command: append its name to the Info column, add a text
 * item for it under smb_tree with its own subtree, and hand the message to
 * the request or response handler registered for `cmd` in smb_dissector[].
 *
 * cmd is a guint8 and smb_dissector[] has 256 populated entries, so the
 * table lookup cannot go out of range or produce a NULL handler whatever
 * byte the caller passes.  The direction comes from si->request, where si
 * is read from pinfo->private_data.
 *
 * NOTE(review): first_pdu is not referenced on any visible line, and the
 * embedded line numbers show gaps (e.g. 14684, 14686, 14698), so the
 * conditions around the two col_append_fstr() calls and the format strings
 * are not shown in this listing.
 */
14673 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu)
14677 si = pinfo->private_data;
14679 proto_item *cmd_item;
14680 proto_tree *cmd_tree;
14681 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
14683 if (check_col(pinfo->cinfo, COL_INFO)) {
14685 col_append_fstr(pinfo->cinfo, COL_INFO,
14687 decode_smb_name(cmd),
14688 (si->request)? "Request" : "Response");
14690 col_append_fstr(pinfo->cinfo, COL_INFO,
14692 decode_smb_name(cmd));
/* length -1 here; the item's real end is set after the handler has run */
14697 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
14699 decode_smb_name(cmd),
14700 (si->request)?"Request":"Response",
14703 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
/* pick the handler for this command and direction from the dispatch table */
14705 dissector = (si->request)?
14706 smb_dissector[cmd].request:smb_dissector[cmd].response;
/* the handler's return value becomes the new offset and closes the item */
14708 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
14709 proto_item_set_end(cmd_item, tvb, offset);
14715 /* NOTE: this value_string array will also be used to access data directly by
14716 * index instead of val_to_str() since
14717 * 1, the array will always span every value from 0x00 to 0xff and
14718 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
14719 * This means that this value_string array MUST always
14720 * 1, contain all entries 0x00 to 0xff
14721 * 2, all entries must be in order.
/*
 * Display names for the SMB command byte.  decode_smb_name() reads
 * smb_cmd_vals[cmd].strptr directly, so entry N must describe command N.
 * NOTE(review): some entries (e.g. 0x02, 0x04, 0x05, 0x0A) are absent from
 * this listing, matching gaps in the embedded line numbers; check the full
 * file before concluding that the table itself has holes.
 */
14723 const value_string smb_cmd_vals[] = {
14724 { 0x00, "Create Directory" },
14725 { 0x01, "Delete Directory" },
14727 { 0x03, "Create" },
14730 { 0x06, "Delete" },
14731 { 0x07, "Rename" },
14732 { 0x08, "Query Information" },
14733 { 0x09, "Set Information" },
14736 { 0x0C, "Lock Byte Range" },
14737 { 0x0D, "Unlock Byte Range" },
14738 { 0x0E, "Create Temp" },
14739 { 0x0F, "Create New" },
14740 { 0x10, "Check Directory" },
14741 { 0x11, "Process Exit" },
14743 { 0x13, "Lock And Read" },
14744 { 0x14, "Write And Unlock" },
14745 { 0x15, "unknown-0x15" },
14746 { 0x16, "unknown-0x16" },
14747 { 0x17, "unknown-0x17" },
14748 { 0x18, "unknown-0x18" },
14749 { 0x19, "unknown-0x19" },
14750 { 0x1A, "Read Raw" },
14751 { 0x1B, "Read MPX" },
14752 { 0x1C, "Read MPX Secondary" },
14753 { 0x1D, "Write Raw" },
14754 { 0x1E, "Write MPX" },
14755 { 0x1F, "Write MPX Secondary" },
14756 { 0x20, "Write Complete" },
14757 { 0x21, "unknown-0x21" },
14758 { 0x22, "Set Information2" },
14759 { 0x23, "Query Information2" },
14760 { 0x24, "Locking AndX" },
14762 { 0x26, "Trans Secondary" },
14764 { 0x28, "IOCTL Secondary" },
14768 { 0x2C, "Write And Close" },
14769 { 0x2D, "Open AndX" },
14770 { 0x2E, "Read AndX" },
14771 { 0x2F, "Write AndX" },
14772 { 0x30, "unknown-0x30" },
14773 { 0x31, "Close And Tree Disconnect" },
14774 { 0x32, "Trans2" },
14775 { 0x33, "Trans2 Secondary" },
14776 { 0x34, "Find Close2" },
14777 { 0x35, "Find Notify Close" },
14778 { 0x36, "unknown-0x36" },
14779 { 0x37, "unknown-0x37" },
14780 { 0x38, "unknown-0x38" },
14781 { 0x39, "unknown-0x39" },
14782 { 0x3A, "unknown-0x3A" },
14783 { 0x3B, "unknown-0x3B" },
14784 { 0x3C, "unknown-0x3C" },
14785 { 0x3D, "unknown-0x3D" },
14786 { 0x3E, "unknown-0x3E" },
14787 { 0x3F, "unknown-0x3F" },
14788 { 0x40, "unknown-0x40" },
14789 { 0x41, "unknown-0x41" },
14790 { 0x42, "unknown-0x42" },
14791 { 0x43, "unknown-0x43" },
14792 { 0x44, "unknown-0x44" },
14793 { 0x45, "unknown-0x45" },
14794 { 0x46, "unknown-0x46" },
14795 { 0x47, "unknown-0x47" },
14796 { 0x48, "unknown-0x48" },
14797 { 0x49, "unknown-0x49" },
14798 { 0x4A, "unknown-0x4A" },
14799 { 0x4B, "unknown-0x4B" },
14800 { 0x4C, "unknown-0x4C" },
14801 { 0x4D, "unknown-0x4D" },
14802 { 0x4E, "unknown-0x4E" },
14803 { 0x4F, "unknown-0x4F" },
14804 { 0x50, "unknown-0x50" },
14805 { 0x51, "unknown-0x51" },
14806 { 0x52, "unknown-0x52" },
14807 { 0x53, "unknown-0x53" },
14808 { 0x54, "unknown-0x54" },
14809 { 0x55, "unknown-0x55" },
14810 { 0x56, "unknown-0x56" },
14811 { 0x57, "unknown-0x57" },
14812 { 0x58, "unknown-0x58" },
14813 { 0x59, "unknown-0x59" },
14814 { 0x5A, "unknown-0x5A" },
14815 { 0x5B, "unknown-0x5B" },
14816 { 0x5C, "unknown-0x5C" },
14817 { 0x5D, "unknown-0x5D" },
14818 { 0x5E, "unknown-0x5E" },
14819 { 0x5F, "unknown-0x5F" },
14820 { 0x60, "unknown-0x60" },
14821 { 0x61, "unknown-0x61" },
14822 { 0x62, "unknown-0x62" },
14823 { 0x63, "unknown-0x63" },
14824 { 0x64, "unknown-0x64" },
14825 { 0x65, "unknown-0x65" },
14826 { 0x66, "unknown-0x66" },
14827 { 0x67, "unknown-0x67" },
14828 { 0x68, "unknown-0x68" },
14829 { 0x69, "unknown-0x69" },
14830 { 0x6A, "unknown-0x6A" },
14831 { 0x6B, "unknown-0x6B" },
14832 { 0x6C, "unknown-0x6C" },
14833 { 0x6D, "unknown-0x6D" },
14834 { 0x6E, "unknown-0x6E" },
14835 { 0x6F, "unknown-0x6F" },
14836 { 0x70, "Tree Connect" },
14837 { 0x71, "Tree Disconnect" },
14838 { 0x72, "Negotiate Protocol" },
14839 { 0x73, "Session Setup AndX" },
14840 { 0x74, "Logoff AndX" },
14841 { 0x75, "Tree Connect AndX" },
14842 { 0x76, "unknown-0x76" },
14843 { 0x77, "unknown-0x77" },
14844 { 0x78, "unknown-0x78" },
14845 { 0x79, "unknown-0x79" },
14846 { 0x7A, "unknown-0x7A" },
14847 { 0x7B, "unknown-0x7B" },
14848 { 0x7C, "unknown-0x7C" },
14849 { 0x7D, "unknown-0x7D" },
14850 { 0x7E, "unknown-0x7E" },
14851 { 0x7F, "unknown-0x7F" },
14852 { 0x80, "Query Information Disk" },
14853 { 0x81, "Search" },
14855 { 0x83, "Find Unique" },
14856 { 0x84, "Find Close" },
14857 { 0x85, "unknown-0x85" },
14858 { 0x86, "unknown-0x86" },
14859 { 0x87, "unknown-0x87" },
14860 { 0x88, "unknown-0x88" },
14861 { 0x89, "unknown-0x89" },
14862 { 0x8A, "unknown-0x8A" },
14863 { 0x8B, "unknown-0x8B" },
14864 { 0x8C, "unknown-0x8C" },
14865 { 0x8D, "unknown-0x8D" },
14866 { 0x8E, "unknown-0x8E" },
14867 { 0x8F, "unknown-0x8F" },
14868 { 0x90, "unknown-0x90" },
14869 { 0x91, "unknown-0x91" },
14870 { 0x92, "unknown-0x92" },
14871 { 0x93, "unknown-0x93" },
14872 { 0x94, "unknown-0x94" },
14873 { 0x95, "unknown-0x95" },
14874 { 0x96, "unknown-0x96" },
14875 { 0x97, "unknown-0x97" },
14876 { 0x98, "unknown-0x98" },
14877 { 0x99, "unknown-0x99" },
14878 { 0x9A, "unknown-0x9A" },
14879 { 0x9B, "unknown-0x9B" },
14880 { 0x9C, "unknown-0x9C" },
14881 { 0x9D, "unknown-0x9D" },
14882 { 0x9E, "unknown-0x9E" },
14883 { 0x9F, "unknown-0x9F" },
14884 { 0xA0, "NT Trans" },
14885 { 0xA1, "NT Trans Secondary" },
14886 { 0xA2, "NT Create AndX" },
14887 { 0xA3, "unknown-0xA3" },
14888 { 0xA4, "NT Cancel" },
14889 { 0xA5, "NT Rename" },
14890 { 0xA6, "unknown-0xA6" },
14891 { 0xA7, "unknown-0xA7" },
14892 { 0xA8, "unknown-0xA8" },
14893 { 0xA9, "unknown-0xA9" },
14894 { 0xAA, "unknown-0xAA" },
14895 { 0xAB, "unknown-0xAB" },
14896 { 0xAC, "unknown-0xAC" },
14897 { 0xAD, "unknown-0xAD" },
14898 { 0xAE, "unknown-0xAE" },
14899 { 0xAF, "unknown-0xAF" },
14900 { 0xB0, "unknown-0xB0" },
14901 { 0xB1, "unknown-0xB1" },
14902 { 0xB2, "unknown-0xB2" },
14903 { 0xB3, "unknown-0xB3" },
14904 { 0xB4, "unknown-0xB4" },
14905 { 0xB5, "unknown-0xB5" },
14906 { 0xB6, "unknown-0xB6" },
14907 { 0xB7, "unknown-0xB7" },
14908 { 0xB8, "unknown-0xB8" },
14909 { 0xB9, "unknown-0xB9" },
14910 { 0xBA, "unknown-0xBA" },
14911 { 0xBB, "unknown-0xBB" },
14912 { 0xBC, "unknown-0xBC" },
14913 { 0xBD, "unknown-0xBD" },
14914 { 0xBE, "unknown-0xBE" },
14915 { 0xBF, "unknown-0xBF" },
14916 { 0xC0, "Open Print File" },
14917 { 0xC1, "Write Print File" },
14918 { 0xC2, "Close Print File" },
14919 { 0xC3, "Get Print Queue" },
14920 { 0xC4, "unknown-0xC4" },
14921 { 0xC5, "unknown-0xC5" },
14922 { 0xC6, "unknown-0xC6" },
14923 { 0xC7, "unknown-0xC7" },
14924 { 0xC8, "unknown-0xC8" },
14925 { 0xC9, "unknown-0xC9" },
14926 { 0xCA, "unknown-0xCA" },
14927 { 0xCB, "unknown-0xCB" },
14928 { 0xCC, "unknown-0xCC" },
14929 { 0xCD, "unknown-0xCD" },
14930 { 0xCE, "unknown-0xCE" },
14931 { 0xCF, "unknown-0xCF" },
14932 { 0xD0, "Send Single Block Message" },
14933 { 0xD1, "Send Broadcast Message" },
14934 { 0xD2, "Forward User Name" },
14935 { 0xD3, "Cancel Forward" },
14936 { 0xD4, "Get Machine Name" },
14937 { 0xD5, "Send Start of Multi-block Message" },
14938 { 0xD6, "Send End of Multi-block Message" },
14939 { 0xD7, "Send Text of Multi-block Message" },
14940 { 0xD8, "SMBreadbulk" },
14941 { 0xD9, "SMBwritebulk" },
14942 { 0xDA, "SMBwritebulkdata" },
14943 { 0xDB, "unknown-0xDB" },
14944 { 0xDC, "unknown-0xDC" },
14945 { 0xDD, "unknown-0xDD" },
14946 { 0xDE, "unknown-0xDE" },
14947 { 0xDF, "unknown-0xDF" },
14948 { 0xE0, "unknown-0xE0" },
14949 { 0xE1, "unknown-0xE1" },
14950 { 0xE2, "unknown-0xE2" },
14951 { 0xE3, "unknown-0xE3" },
14952 { 0xE4, "unknown-0xE4" },
14953 { 0xE5, "unknown-0xE5" },
14954 { 0xE6, "unknown-0xE6" },
14955 { 0xE7, "unknown-0xE7" },
14956 { 0xE8, "unknown-0xE8" },
14957 { 0xE9, "unknown-0xE9" },
14958 { 0xEA, "unknown-0xEA" },
14959 { 0xEB, "unknown-0xEB" },
14960 { 0xEC, "unknown-0xEC" },
14961 { 0xED, "unknown-0xED" },
14962 { 0xEE, "unknown-0xEE" },
14963 { 0xEF, "unknown-0xEF" },
14964 { 0xF0, "unknown-0xF0" },
14965 { 0xF1, "unknown-0xF1" },
14966 { 0xF2, "unknown-0xF2" },
14967 { 0xF3, "unknown-0xF3" },
14968 { 0xF4, "unknown-0xF4" },
14969 { 0xF5, "unknown-0xF5" },
14970 { 0xF6, "unknown-0xF6" },
14971 { 0xF7, "unknown-0xF7" },
14972 { 0xF8, "unknown-0xF8" },
14973 { 0xF9, "unknown-0xF9" },
14974 { 0xFA, "unknown-0xFA" },
14975 { 0xFB, "unknown-0xFB" },
14976 { 0xFC, "unknown-0xFC" },
14977 { 0xFD, "unknown-0xFD" },
14978 { 0xFE, "SMBinvalid" },
14979 { 0xFF, "unknown-0xFF" },
/*
 * Return the display name for SMB command `cmd` by indexing smb_cmd_vals[]
 * directly instead of searching it with val_to_str().  No lookup and no
 * bounds check is done here: the result is only right, and the read only
 * in bounds, if smb_cmd_vals[] holds one entry per value 0x00..0xff in
 * order.  A table shorter than 256 entries would be read past its end for
 * high command bytes.
 * NOTE(review): this listing does not show every entry of smb_cmd_vals[]
 * (e.g. 0x02, 0x04 and 0x05 are absent, matching gaps in the embedded line
 * numbers); confirm against the full file that all 256 are present.
 */
14983 static char *decode_smb_name(guint8 cmd)
14985 return(smb_cmd_vals[cmd].strptr);
14990 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14991 * Everything TVBUFFIFIED above this line
14992 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
/*
 * Callback that smb_init_protocol() runs through g_slist_foreach() for each
 * element of conv_tables.  ctarg is the conv_tables_t; user_data is unused.
 * Destroys that structure's `unmatched`, `matched` and `tid_service` hash
 * tables.  The conv_tables_t itself is not freed here.
 * NOTE(review): only the NULL guard for tid_service is visible; lines
 * 15000 and 15002 are missing from this listing and presumably guard the
 * other two destroys -- confirm.
 */
14996 free_hash_tables(gpointer ctarg, gpointer user_data _U_)
14998 conv_tables_t *ct = ctarg;
15001 g_hash_table_destroy(ct->unmatched);
15003 g_hash_table_destroy(ct->matched);
15004 if (ct->tid_service)
15005 g_hash_table_destroy(ct->tid_service);
/*
 * Tear down and re-create the SMB dissector's allocation state.
 *
 * Order of work, as visible here:
 *  - destroy the five saved-info / transaction GMemChunks if they exist;
 *  - destroy the hash tables attached to every conv_tables element
 *    (free_hash_tables), free the list and set conv_tables to NULL;
 *  - destroy conv_tables_chunk if it exists;
 *  - allocate all six chunks again with g_mem_chunk_new().
 *
 * Every chunk pointer is reassigned before the function returns, but a
 * pointer into one of the old chunks that is still held elsewhere is
 * dangling once this has run.
 * NOTE(review): presumably registered as an init routine that runs when a
 * new capture is loaded -- confirm with the registration code, which is
 * not shown.
 */
15009 smb_init_protocol(void)
15011 if (smb_saved_info_key_chunk)
15012 g_mem_chunk_destroy(smb_saved_info_key_chunk);
15013 if (smb_saved_info_chunk)
15014 g_mem_chunk_destroy(smb_saved_info_chunk);
15015 if (smb_nt_transact_info_chunk)
15016 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
15017 if (smb_transact2_info_chunk)
15018 g_mem_chunk_destroy(smb_transact2_info_chunk);
15019 if (smb_transact_info_chunk)
15020 g_mem_chunk_destroy(smb_transact_info_chunk);
15023 * Free the hash tables attached to the conversation table
15024 * structures, and then free the list of conversation table
15025 * data structures (which doesn't free the data structures
15026 * themselves; that's done by destroying the chunk from
15027 * which they were allocated).
15030 g_slist_foreach(conv_tables, free_hash_tables, NULL);
15031 g_slist_free(conv_tables);
15032 conv_tables = NULL;
15036 * Now destroy the chunk from which the conversation table
15037 * structures were allocated.
15039 if (conv_tables_chunk)
15040 g_mem_chunk_destroy(conv_tables_chunk);
15042 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
15043 sizeof(smb_saved_info_t),
15044 smb_saved_info_init_count * sizeof(smb_saved_info_t),
15046 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
15047 sizeof(smb_saved_info_key_t),
15048 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
15050 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
15051 sizeof(smb_nt_transact_info_t),
15052 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
15054 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
15055 sizeof(smb_transact2_info_t),
15056 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
15058 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
15059 sizeof(smb_transact_info_t),
15060 smb_transact_info_init_count * sizeof(smb_transact_info_t),
15062 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
15063 sizeof(conv_tables_t),
15064 conv_tables_count * sizeof(conv_tables_t),
/*
 * Display names for the SMB error class byte.
 *
 * NOTE(review): the closing rows of this table are not visible in this
 * excerpt; the { 0, NULL } sentinel below is the usual value_string
 * terminator and is assumed here -- confirm against the full file.
 */
static const value_string errcls_types[] = {
	{ SMB_SUCCESS,	"Success"},
	{ SMB_ERRDOS,	"DOS Error"},
	{ SMB_ERRSRV,	"Server Error"},
	{ SMB_ERRHRD,	"Hardware Error"},
	{ SMB_ERRCMD,	"Command Error - Not an SMB format command"},
	{ 0,		NULL }
};
15077 const value_string DOS_errors[] = {
15079 {SMBE_insufficientbuffer, "Insufficient buffer"},
15080 {SMBE_badfunc, "Invalid function (or system call)"},
15081 {SMBE_badfile, "File not found (pathname error)"},
15082 {SMBE_badpath, "Directory not found"},
15083 {SMBE_nofids, "Too many open files"},
15084 {SMBE_noaccess, "Access denied"},
15085 {SMBE_badfid, "Invalid fid"},
15086 {SMBE_nomem, "Out of memory"},
15087 {SMBE_badmem, "Invalid memory block address"},
15088 {SMBE_badenv, "Invalid environment"},
15089 {SMBE_badaccess, "Invalid open mode"},
15090 {SMBE_baddata, "Invalid data (only from ioctl call)"},
15091 {SMBE_res, "Reserved error code?"},
15092 {SMBE_baddrive, "Invalid drive"},
15093 {SMBE_remcd, "Attempt to delete current directory"},
15094 {SMBE_diffdevice, "Rename/move across different filesystems"},
15095 {SMBE_nofiles, "No more files found in file search"},
15096 {SMBE_badshare, "Share mode on file conflict with open mode"},
15097 {SMBE_lock, "Lock request conflicts with existing lock"},
15098 {SMBE_unsup, "Request unsupported, returned by Win 95"},
15099 {SMBE_nosuchshare, "Requested share does not exist"},
15100 {SMBE_filexists, "File in operation already exists"},
15101 {SMBE_cannotopen, "Cannot open the file specified"},
15102 {SMBE_unknownlevel, "Unknown info level"},
15103 {SMBE_invalidname, "Invalid name"},
15104 {SMBE_badpipe, "Named pipe invalid"},
15105 {SMBE_pipebusy, "All instances of pipe are busy"},
15106 {SMBE_pipeclosing, "Named pipe close in progress"},
15107 {SMBE_notconnected, "No process on other end of named pipe"},
15108 {SMBE_moredata, "More data to be returned"},
15109 {SMBE_baddirectory, "Invalid directory name in a path."},
15110 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
15111 {SMBE_eas_nsup, "Extended attributes not supported"},
15112 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
15113 {SMBE_unknownipc, "Unknown IPC Operation"},
15114 {SMBE_noipc, "Don't support ipc"},
15115 {SMBE_alreadyexists, "File already exists"},
15116 {SMBE_unknownprinterdriver, "Unknown printer driver"},
15117 {SMBE_invalidprintername, "Invalid printer name"},
15118 {SMBE_printeralreadyexists, "Printer already exists"},
15119 {SMBE_invaliddatatype, "Invalid data type"},
15120 {SMBE_invalidenvironment, "Invalid environment"},
15121 {SMBE_printerdriverinuse, "Printer driver in use"},
15122 {SMBE_invalidparam, "Invalid parameter"},
15123 {SMBE_invalidformsize, "Invalid form size"},
15124 {SMBE_invalidsecuritydescriptor, "Invalid security descriptor"},
15125 {SMBE_invalidowner, "Invalid owner"},
15126 {SMBE_nomoreitems, "No more items"},
15127 {SMBE_serverunavailable, "Server unavailable"},
/*
 * Error codes for the ERRSRV class.
 *
 * decode_smb_error() passes this table to val_to_str(), which supplies
 * "Unknown SRV error (%x)" for any code that has no row here.
 *
 * NOTE(review): the closing rows of this table are not visible in this
 * excerpt; the { 0, NULL } sentinel below is the usual value_string
 * terminator and is assumed here -- confirm against the full file.
 */
static const value_string SRV_errors[] = {
	{SMBE_error,		"Non specific error code"},
	{SMBE_badpw,		"Bad password"},
	{SMBE_badtype,		"Reserved"},
	{SMBE_access,		"No permissions to perform the requested operation"},
	{SMBE_invnid,		"TID invalid"},
	{SMBE_invnetname,	"Invalid network name. Service not found"},
	{SMBE_invdevice,	"Invalid device"},
	{SMBE_unknownsmb,	"Unknown SMB, from NT 3.5 response"},
	{SMBE_qfull,		"Print queue full"},
	{SMBE_qtoobig,		"Queued item too big"},
	{SMBE_qeof,		"EOF on print queue dump"},
	{SMBE_invpfid,		"Invalid print file in smb_fid"},
	{SMBE_smbcmd,		"Unrecognised command"},
	{SMBE_srverror,		"SMB server internal error"},
	{SMBE_filespecs,	"Fid and pathname invalid combination"},
	{SMBE_badlink,		"Bad link in request ???"},
	{SMBE_badpermits,	"Access specified for a file is not valid"},
	{SMBE_badpid,		"Bad process id in request"},
	{SMBE_setattrmode,	"Attribute mode invalid"},
	{SMBE_paused,		"Message server paused"},
	{SMBE_msgoff,		"Not receiving messages"},
	{SMBE_noroom,		"No room for message"},
	{SMBE_rmuns,		"Too many remote usernames"},
	{SMBE_timeout,		"Operation timed out"},
	{SMBE_noresource,	"No resources currently available for request."},
	{SMBE_toomanyuids,	"Too many userids"},
	{SMBE_baduid,		"Bad userid"},
	{SMBE_useMPX,		"Temporarily unable to use raw mode, use MPX mode"},
	{SMBE_useSTD,		"Temporarily unable to use raw mode, use standard mode"},
	{SMBE_contMPX,		"Resume MPX mode"},
	{SMBE_badPW,		"Bad Password???"},
	{SMBE_nosupport,	"Operation not supported"},
	{0,			NULL}
};
/*
 * Error codes for the ERRHRD class.
 *
 * decode_smb_error() passes this table to val_to_str(), which supplies
 * "Unknown HRD error (%x)" for any code that has no row here.
 *
 * NOTE(review): the closing rows of this table are not visible in this
 * excerpt; the { 0, NULL } sentinel below is the usual value_string
 * terminator and is assumed here -- confirm against the full file.
 */
static const value_string HRD_errors[] = {
	{SMBE_nowrite,		"Read only media"},
	{SMBE_badunit,		"Unknown device"},
	{SMBE_notready,		"Drive not ready"},
	{SMBE_badcmd,		"Unknown command"},
	{SMBE_data,		"Data (CRC) error"},
	{SMBE_badreq,		"Bad request structure length"},
	{SMBE_seek,		"Seek error"},
	{SMBE_badmedia,		"Unknown media type"},
	{SMBE_badsector,	"Sector not found"},
	{SMBE_nopaper,		"Printer out of paper"},
	{SMBE_write,		"Write fault"},
	{SMBE_read,		"Read fault"},
	{SMBE_general,		"General failure"},
	{SMBE_badshare,		"A open conflicts with an existing open"},
	{SMBE_lock,		"Lock conflict/invalid mode, or unlock of another process's lock"},
	{SMBE_wrongdisk,	"The wrong disk was found in a drive"},
	{SMBE_FCBunavail,	"No FCBs are available to process request"},
	{SMBE_sharebufexc,	"A sharing buffer has been exceeded"},
	{SMBE_diskfull,		"Disk full???"},
	{0,			NULL}
};
/*
 * Turn an SMB error class / error code pair into display text.
 *
 *   errcls   error class byte; selects which code table is consulted
 *   errcode  error code within that class
 *
 * Returns "No Error" for the success class, the matching table entry (or
 * that table's "Unknown ... error (%x)" fallback) for the DOS, SRV and HRD
 * classes, and "Unknown error class!" for anything else.  The caller does
 * not own the returned string and must not free or modify it.
 *
 * NOTE(review): the dispatch lines are not visible in this excerpt.  The
 * class constants are the ones listed in errcls_types, and each is paired
 * with a table by the table name and fallback message on the surviving
 * return statements -- confirm against the full file.  val_to_str()
 * presumably formats unknown codes into a shared buffer, so the result
 * should be consumed before the next lookup.
 */
static char *decode_smb_error(guint8 errcls, guint16 errcode)
{
	if (errcls == SMB_SUCCESS)
		return "No Error";	/* No error ??? */

	if (errcls == SMB_ERRDOS)
		return val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)");

	if (errcls == SMB_ERRSRV)
		return val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)");

	if (errcls == SMB_ERRHRD)
		return val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)");

	return "Unknown error class!";
}
15228 /* These are the MS country codes from
15230 http://www.unicode.org/unicode/onlinedat/countries.html
15232 For countries that share the same number, I choose to use only the
15233 name of the largest country. Apologies for this. If this offends you,
15234 here is the table to change that.
15236 This also includes the code of 0 for "Default", which isn't in
15237 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
15238 header file. Presumably it means "don't override the setting
15239 on the user's machine".
15241 Future versions of Microsoft's "winnls.h" header file might include
15242 additional codes; the current version matches the Unicode Consortium's
15245 const value_string ms_country_codes[] = {
15251 { 27, "South Africa"},
15253 { 31, "Netherlands"},
15260 { 41, "Switzerland"},
15262 { 44, "United Kingdom"},
15270 { 54, "Argentina"},
15274 { 58, "Venezuela"},
15276 { 61, "Australia"},
15277 { 62, "Indonesia"},
15278 { 63, "Philippines"},
15279 { 64, "New Zealand"},
15280 { 65, "Singapore"},
15283 { 82, "South Korea"},
15295 {298, "Faroe Islands"},
15297 {352, "Luxembourg"},
15303 {370, "Lithuania"},
15312 {389, "Macedonia"},
15313 {420, "Czech Republic"},
15314 {421, "Slovak Republic"},
15316 {502, "Guatemala"},
15317 {503, "El Salvador"},
15319 {505, "Nicaragua"},
15320 {506, "Costa Rica"},
15326 {673, "Brunei Darussalam"},
15327 {852, "Hong Kong"},
15336 {966, "Saudi Arabia"},
15339 {971, "United Arab Emirates"},
15345 {994, "Azerbaijan"},
15347 {996, "Kyrgyzstan"},
15357 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
15359 const value_string NT_errors[] = {
15360 { 0x00000000, "STATUS_SUCCESS" },
15361 { 0x00000000, "STATUS_WAIT_0" },
15362 { 0x00000001, "STATUS_WAIT_1" },
15363 { 0x00000002, "STATUS_WAIT_2" },
15364 { 0x00000003, "STATUS_WAIT_3" },
15365 { 0x0000003F, "STATUS_WAIT_63" },
15366 { 0x00000080, "STATUS_ABANDONED" },
15367 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
15368 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
15369 { 0x000000C0, "STATUS_USER_APC" },
15370 { 0x00000100, "STATUS_KERNEL_APC" },
15371 { 0x00000101, "STATUS_ALERTED" },
15372 { 0x00000102, "STATUS_TIMEOUT" },
15373 { 0x00000103, "STATUS_PENDING" },
15374 { 0x00000104, "STATUS_REPARSE" },
15375 { 0x00000105, "STATUS_MORE_ENTRIES" },
15376 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
15377 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
15378 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
15379 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
15380 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
15381 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
15382 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
15383 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
15384 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
15385 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
15386 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
15387 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
15388 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
15389 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
15390 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
15391 { 0x00000116, "STATUS_CRASH_DUMP" },
15392 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
15393 { 0x00000118, "STATUS_REPARSE_OBJECT" },
15394 { 0x0000045C, "STATUS_NO_SHUTDOWN_IN_PROGRESS" },
15395 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
15396 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
15397 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
15398 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
15399 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
15400 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
15401 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
15402 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
15403 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
15404 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
15405 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
15406 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
15407 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
15408 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
15409 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
15410 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
15411 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
15412 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
15413 { 0x40000012, "STATUS_EVENT_DONE" },
15414 { 0x40000013, "STATUS_EVENT_PENDING" },
15415 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
15416 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
15417 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
15418 { 0x40000017, "STATUS_WAS_UNLOCKED" },
15419 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
15420 { 0x40000019, "STATUS_WAS_LOCKED" },
15421 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
15422 { 0x4000001B, "STATUS_ALREADY_WIN32" },
15423 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
15424 { 0x4000001D, "STATUS_WX86_CONTINUE" },
15425 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
15426 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
15427 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
15428 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
15429 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
15430 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
15431 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
15432 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
15433 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
15434 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
15435 { 0x80000003, "STATUS_BREAKPOINT" },
15436 { 0x80000004, "STATUS_SINGLE_STEP" },
15437 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
15438 { 0x80000006, "STATUS_NO_MORE_FILES" },
15439 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
15440 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
15441 { 0x8000000B, "STATUS_NO_INHERITANCE" },
15442 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
15443 { 0x8000000D, "STATUS_PARTIAL_COPY" },
15444 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
15445 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
15446 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
15447 { 0x80000011, "STATUS_DEVICE_BUSY" },
15448 { 0x80000012, "STATUS_NO_MORE_EAS" },
15449 { 0x80000013, "STATUS_INVALID_EA_NAME" },
15450 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
15451 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
15452 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
15453 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
15454 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
15455 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
15456 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
15457 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
15458 { 0x8000001D, "STATUS_BUS_RESET" },
15459 { 0x8000001E, "STATUS_END_OF_MEDIA" },
15460 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
15461 { 0x80000020, "STATUS_MEDIA_CHECK" },
15462 { 0x80000021, "STATUS_SETMARK_DETECTED" },
15463 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
15464 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
15465 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
15466 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
15467 { 0x80000026, "STATUS_LONGJUMP" },
15468 { 0x80040111, "MAPI_E_LOGON_FAILED" },
15469 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
15470 { 0x80090301, "SEC_E_INVALID_HANDLE" },
15471 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
15472 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
15473 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
15474 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
15475 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
15476 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
15477 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
15478 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
15479 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
15480 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
15481 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
15482 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
15483 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
15484 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
15485 { 0xC0000008, "STATUS_INVALID_HANDLE" },
15486 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
15487 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
15488 { 0xC000000B, "STATUS_INVALID_CID" },
15489 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
15490 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
15491 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
15492 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
15493 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
15494 { 0xC0000011, "STATUS_END_OF_FILE" },
15495 { 0xC0000012, "STATUS_WRONG_VOLUME" },
15496 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
15497 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
15498 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
15499 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
15500 { 0xC0000017, "STATUS_NO_MEMORY" },
15501 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
15502 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
15503 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
15504 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
15505 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
15506 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
15507 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
15508 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
15509 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
15510 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
15511 { 0xC0000022, "STATUS_ACCESS_DENIED" },
15512 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
15513 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
15514 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
15515 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
15516 { 0xC0000027, "STATUS_UNWIND" },
15517 { 0xC0000028, "STATUS_BAD_STACK" },
15518 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
15519 { 0xC000002A, "STATUS_NOT_LOCKED" },
15520 { 0xC000002B, "STATUS_PARITY_ERROR" },
15521 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
15522 { 0xC000002D, "STATUS_NOT_COMMITTED" },
15523 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
15524 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
15525 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
15526 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
15527 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
15528 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
15529 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
15530 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
15531 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
15532 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
15533 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
15534 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
15535 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
15536 { 0xC000003C, "STATUS_DATA_OVERRUN" },
15537 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
15538 { 0xC000003E, "STATUS_DATA_ERROR" },
15539 { 0xC000003F, "STATUS_CRC_ERROR" },
15540 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
15541 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
15542 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
15543 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
15544 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
15545 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
15546 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
15547 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
15548 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
15549 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
15550 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
15551 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
15552 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
15553 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
15554 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
15555 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
15556 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
15557 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
15558 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
15559 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
15560 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
15561 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
15562 { 0xC0000056, "STATUS_DELETE_PENDING" },
15563 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
15564 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
15565 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
15566 { 0xC000005A, "STATUS_INVALID_OWNER" },
15567 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
15568 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
15569 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
15570 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
15571 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
15572 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
15573 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
15574 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
15575 { 0xC0000063, "STATUS_USER_EXISTS" },
15576 { 0xC0000064, "STATUS_NO_SUCH_USER" },
15577 { 0xC0000065, "STATUS_GROUP_EXISTS" },
15578 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
15579 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
15580 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
15581 { 0xC0000069, "STATUS_LAST_ADMIN" },
15582 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
15583 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
15584 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
15585 { 0xC000006D, "STATUS_LOGON_FAILURE" },
15586 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
15587 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
15588 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
15589 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
15590 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
15591 { 0xC0000073, "STATUS_NONE_MAPPED" },
15592 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
15593 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
15594 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
15595 { 0xC0000077, "STATUS_INVALID_ACL" },
15596 { 0xC0000078, "STATUS_INVALID_SID" },
15597 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
15598 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
15599 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
15600 { 0xC000007C, "STATUS_NO_TOKEN" },
15601 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
15602 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
15603 { 0xC000007F, "STATUS_DISK_FULL" },
15604 { 0xC0000080, "STATUS_SERVER_DISABLED" },
15605 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
15606 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
15607 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
15608 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
15609 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
15610 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
15611 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
15612 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
15613 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
15614 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
15615 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
15616 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
15617 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
15618 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
15619 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
15620 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
15621 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
15622 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
15623 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
15624 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
15625 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
15626 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
15627 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
15628 { 0xC0000098, "STATUS_FILE_INVALID" },
15629 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
15630 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
15631 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
15632 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
15633 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
15634 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
15635 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
15636 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
15637 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
15638 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
15639 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
15640 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
15641 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
15642 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
15643 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
15644 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
15645 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
15646 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
15647 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
15648 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
15649 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
15650 { 0xC00000AE, "STATUS_PIPE_BUSY" },
15651 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
15652 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
15653 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
15654 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
15655 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
15656 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
15657 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
15658 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
15659 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
15660 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
15661 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
15662 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
15663 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
15664 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
15665 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
15666 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
15667 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
15668 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
15669 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
15670 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
15671 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
15672 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
15673 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
15674 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
15675 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
15676 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
15677 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
15678 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
15679 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
15680 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
15681 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
15682 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
15683 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
15684 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
15685 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
15686 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
15687 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
15688 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
15689 { 0xC00000D5, "STATUS_FILE_RENAMED" },
15690 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
15691 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
15692 { 0xC00000D8, "STATUS_CANT_WAIT" },
15693 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
15694 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
15695 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
15696 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
15697 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
15698 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
15699 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
15700 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
15701 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
15702 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
15703 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
15704 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
15705 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
15706 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
15707 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
15708 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
15709 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
15710 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
15711 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
15712 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
15713 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
15714 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
15715 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
15716 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
15717 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
15718 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
15719 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
15720 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
15721 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
15722 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
15723 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
15724 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
15725 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
15726 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
15727 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
15728 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
15729 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
15730 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
15731 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
15732 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
15733 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
15734 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
15735 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
15736 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
15737 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
15738 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
15739 { 0xC0000107, "STATUS_FILES_OPEN" },
15740 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
15741 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
15742 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
15743 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
15744 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
15745 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
15746 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
15747 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
15748 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
15749 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
15750 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
15751 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
15752 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
15753 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
15754 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
15755 { 0xC0000117, "STATUS_NO_LDT" },
15756 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
15757 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
15758 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
15759 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
15760 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
15761 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
15762 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
15763 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
15764 { 0xC0000120, "STATUS_CANCELLED" },
15765 { 0xC0000121, "STATUS_CANNOT_DELETE" },
15766 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
15767 { 0xC0000123, "STATUS_FILE_DELETED" },
15768 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
15769 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
15770 { 0xC0000126, "STATUS_SPECIAL_USER" },
15771 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
15772 { 0xC0000128, "STATUS_FILE_CLOSED" },
15773 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
15774 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
15775 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
15776 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
15777 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
15778 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
15779 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
15780 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
15781 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
15782 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
15783 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
15784 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
15785 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
15786 { 0xC0000136, "STATUS_OPEN_FAILED" },
15787 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
15788 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
15789 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
15790 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
15791 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
15792 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
15793 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
15794 { 0xC000013E, "STATUS_LINK_FAILED" },
15795 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
15796 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
15797 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
15798 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
15799 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
15800 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
15801 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
15802 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
15803 { 0xC0000147, "STATUS_NO_PAGEFILE" },
15804 { 0xC0000148, "STATUS_INVALID_LEVEL" },
15805 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
15806 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
15807 { 0xC000014B, "STATUS_PIPE_BROKEN" },
15808 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
15809 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
15810 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
15811 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
15812 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
15813 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
15814 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
15815 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
15816 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
15817 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
15818 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
15819 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
15820 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
15821 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
15822 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
15823 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
15824 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
15825 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
15826 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
15827 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
15828 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
15829 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
15830 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
15831 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
15832 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
15833 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
15834 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
15835 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
15836 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
15837 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
15838 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
15839 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
15840 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
15841 { 0xC000016D, "STATUS_FT_ORPHANING" },
15842 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
15843 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
15844 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
15845 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
15846 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
15847 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
15848 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
15849 { 0xC0000178, "STATUS_NO_MEDIA" },
15850 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
15851 { 0xC000017B, "STATUS_INVALID_MEMBER" },
15852 { 0xC000017C, "STATUS_KEY_DELETED" },
15853 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
15854 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
15855 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
15856 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
15857 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
15858 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
15859 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
15860 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
15861 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
15862 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
15863 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
15864 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
15865 { 0xC0000189, "STATUS_TOO_LATE" },
15866 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
15867 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
15868 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
15869 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
15870 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
15871 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
15872 { 0xC0000190, "STATUS_TRUST_FAILURE" },
15873 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
15874 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
15875 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
15876 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
15877 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
15878 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
15879 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
15880 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
15881 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
15882 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
15883 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
15884 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
15885 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
15886 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
15887 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
15888 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
15889 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
15890 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
15891 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
15892 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
15893 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
15894 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
15895 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
15896 { 0xC000020D, "STATUS_CONNECTION_RESET" },
15897 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
15898 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
15899 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
15900 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
15901 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
15902 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
15903 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
15904 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
15905 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
15906 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
15907 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
15908 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
15909 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
15910 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
15911 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
15912 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
15913 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
15914 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
15915 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
15916 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
15917 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
15918 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
15919 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
15920 { 0xC0000225, "STATUS_NOT_FOUND" },
15921 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
15922 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
15923 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
15924 { 0xC0000229, "STATUS_FAIL_CHECK" },
15925 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
15926 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
15927 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
15928 { 0xC000022D, "STATUS_RETRY" },
15929 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
15930 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
15931 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
15932 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
15933 { 0xC0000232, "STATUS_INVALID_VARIANT" },
15934 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
15935 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
15936 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
15937 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
15938 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
15939 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
15940 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
15941 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
15942 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
15943 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
15944 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
15945 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
15946 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
15947 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
15948 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
15949 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
15950 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
15951 { 0xC0000244, "STATUS_AUDIT_FAILED" },
15952 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
15953 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
15954 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
15955 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
15956 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
15957 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
15958 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
15959 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
15960 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
15961 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
15962 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
15963 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
15964 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
15965 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
15966 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
15967 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
15968 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
15969 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
15970 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
15971 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
15972 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
15973 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
15974 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
15975 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
15976 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
15977 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
15978 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
15979 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
15980 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
15981 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
15982 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
15983 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
15984 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
15985 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
15986 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
15987 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
15988 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
15989 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
15990 { 0xC0000272, "STATUS_NO_MATCH" },
15991 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
15992 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
15993 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
15994 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
15995 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
15996 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
15997 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
15998 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
15999 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
16000 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
16001 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
16002 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
16003 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
16004 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
16005 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
16006 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
16007 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
16008 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
16009 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
16010 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
16011 { 0xC000028E, "STATUS_NO_EFS" },
16012 { 0xC000028F, "STATUS_WRONG_EFS" },
16013 { 0xC0000290, "STATUS_NO_USER_KEYS" },
16014 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
16015 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
16016 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
16017 { 0x40000294, "STATUS_WAKE_SYSTEM" },
16018 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
16019 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
16020 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
16021 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
16022 { 0xC0000299, "STATUS_SHARED_POLICY" },
16023 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
16024 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
16025 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
16026 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
16027 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
16028 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
16029 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
16030 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
16031 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
16032 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
16033 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
16034 { 0xC00002A5, "STATUS_DS_BUSY" },
16035 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
16036 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
16037 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
16038 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
16039 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
16040 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
16041 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
16042 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
16043 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
16044 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
16045 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
16046 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
16047 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
16048 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
16049 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
16050 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
16051 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
16052 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
16053 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
16054 { 0xC00002B9, "STATUS_NOINTERFACE" },
16055 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
16056 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
16057 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
16058 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
16059 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
16060 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
16061 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
16062 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
16063 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
16064 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
16065 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
16066 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
16067 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
16068 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
16069 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
16070 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
16071 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
16072 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
16073 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
16074 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
16075 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
16076 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
16077 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
16078 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
16079 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
16080 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
16081 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
16082 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
16083 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
16084 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
16085 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
16086 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
16087 { 0xC00002E1, "STATUS_DS_CANT_START" },
16088 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
16089 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
16090 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
16091 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
16092 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
16093 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
16094 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
16095 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
16096 { 0xC0009898, "STATUS_WOW_ASSERTION" },
16097 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
16098 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
16099 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
16100 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
16101 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
16102 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
16103 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
16104 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
16105 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
16106 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
16107 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
16108 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
16109 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
16110 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
16111 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
16112 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
16113 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
16114 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
16115 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
16116 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
16117 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
16118 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
16119 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
16120 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
16121 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
16122 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
16123 { 0xC002001B, "RPC_NT_CALL_FAILED" },
16124 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
16125 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
16126 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
16127 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
16128 { 0xC0020022, "RPC_NT_INVALID_TAG" },
16129 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
16130 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
16131 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
16132 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
16133 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
16134 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
16135 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
16136 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
16137 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
16138 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
16139 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
16140 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
16141 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
16142 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
16143 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
16144 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
16145 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
16146 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
16147 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
16148 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
16149 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
16150 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
16151 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
16152 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
16153 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
16154 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
16155 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
16156 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
16157 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
16158 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
16159 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
16160 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
16161 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
16162 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
16163 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
16164 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
16165 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
16166 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
16167 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
16168 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
16169 { 0xC002100A, "RPC_P_SEND_FAILED" },
16170 { 0xC002100B, "RPC_P_TIMEOUT" },
16171 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
16172 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
16173 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
16174 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
16175 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
16176 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
16177 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
16178 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
16179 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
16180 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
16181 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
16182 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
16183 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
16184 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
16185 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
16186 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
16187 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
16188 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
16189 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
16190 { 0xC002004C, "EPT_NT_CANT_CREATE" },
16191 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
16192 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
16193 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
16194 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
16195 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
16196 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
16197 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
16198 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
16199 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
16200 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
16201 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
16202 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
16203 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
16204 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
16205 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
16206 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
16207 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
16208 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
/*
 * Display strings for the individual bits of the one-byte SMB header Flags
 * field, used by the hf_smb_flags_* boolean items that dissect_smb_flags()
 * adds. Going by the true_false_string type name, the first string of each
 * pair is shown when the bit is set and the second when it is clear.
 * NOTE(review): the closing line of each initializer is not visible in this
 * listing (the gutter numbers skip a line after every pair).
 * NOTE(review): these texts describe what the sender put in the header; the
 * dissector displays the bit as received and does not verify the claim.
 */
16214 static const true_false_string tfs_smb_flags_lock = {
16215 "Lock&Read, Write&Unlock are supported",
16216 "Lock&Read, Write&Unlock are not supported"
16218 static const true_false_string tfs_smb_flags_receive_buffer = {
16219 "Receive buffer has been posted",
16220 "Receive buffer has not been posted"
16222 static const true_false_string tfs_smb_flags_caseless = {
16223 "Path names are caseless",
16224 "Path names are case sensitive"
16226 static const true_false_string tfs_smb_flags_canon = {
16227 "Pathnames are canonicalized",
16228 "Pathnames are not canonicalized"
16230 static const true_false_string tfs_smb_flags_oplock = {
16231 "OpLock requested/granted",
16232 "OpLock not requested/granted"
16234 static const true_false_string tfs_smb_flags_notify = {
16235 "Notify client on all modifications",
16236 "Notify client only on open"
/*
 * Direction bit. dissect_smb() uses the same bit (SMB_FLAGS_DIRN) to decide
 * si->request: the message is treated as a request when the bit is clear.
 */
16238 static const true_false_string tfs_smb_flags_response = {
16239 "Message is a response to the client/redirector",
16240 "Message is a request to the server"
/*
 * Dissect the one-byte SMB header Flags field located at `offset` in `tvb`.
 *
 * Reads the byte with tvb_get_guint8(), adds a "Flags: 0x.." text item to
 * parent_tree with an ett_smb_flags subtree, and adds one boolean item per
 * flag to that subtree.
 *
 * NOTE(review): the gutter numbers in this listing skip lines (e.g.
 * 16245-16246, 16251-16252 and everything after 16270), so the return type,
 * the declaration of `mask`, any guard around the text item and the return
 * statement are not visible here -- read them in the full file.
 * NOTE(review): `offset` is used as given; presumably the tvb accessor
 * rejects an offset past the end of the buffer -- confirm.
 */
16244 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
16247 proto_item *item = NULL;
16248 proto_tree *tree = NULL;
/* The flags byte is taken from the packet buffer as-is. */
16250 mask = tvb_get_guint8(tvb, offset);
/* Summary item showing the raw byte in hex, plus the subtree for the bits. */
16253 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
16254 "Flags: 0x%02x", mask);
16255 tree = proto_item_add_subtree(item, ett_smb_flags);
/*
 * Every call below is handed the whole byte; presumably each hf_smb_flags_*
 * field's registered bitmask selects its own bit -- confirm at the field
 * registration.
 */
16257 proto_tree_add_boolean(tree, hf_smb_flags_response,
16258 tvb, offset, 1, mask);
16259 proto_tree_add_boolean(tree, hf_smb_flags_notify,
16260 tvb, offset, 1, mask);
16261 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
16262 tvb, offset, 1, mask);
16263 proto_tree_add_boolean(tree, hf_smb_flags_canon,
16264 tvb, offset, 1, mask);
16265 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
16266 tvb, offset, 1, mask);
16267 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
16268 tvb, offset, 1, mask);
16269 proto_tree_add_boolean(tree, hf_smb_flags_lock,
16270 tvb, offset, 1, mask);
/*
 * Display strings for the bits of the two-byte SMB header Flags2 field, used
 * by the hf_smb_flags2_* boolean items that dissect_smb_flags2() adds. Going
 * by the true_false_string type name, the first string of each pair is shown
 * when the bit is set and the second when it is clear.
 * NOTE(review): the closing line of each initializer is not visible in this
 * listing (the gutter numbers skip a line after every pair).
 * NOTE(review): these texts describe what the sender put in the header; the
 * dissector displays the bit as received and does not verify the claim.
 */
16277 static const true_false_string tfs_smb_flags2_long_names_allowed = {
16278 "Long file names are allowed in the response",
16279 "Long file names are not allowed in the response"
16281 static const true_false_string tfs_smb_flags2_ea = {
16282 "Extended attributes are supported",
16283 "Extended attributes are not supported"
/*
 * "Supported" is the header bit only. Nothing in dissect_smb_flags2() checks
 * a signature, so this text alone does not show that a message was signed or
 * that a signature was valid.
 */
16285 static const true_false_string tfs_smb_flags2_sec_sig = {
16286 "Security signatures are supported",
16287 "Security signatures are not supported"
16289 static const true_false_string tfs_smb_flags2_long_names_used = {
16290 "Path names in request are long file names",
16291 "Path names in request are not long file names"
16293 static const true_false_string tfs_smb_flags2_esn = {
16294 "Extended security negotiation is supported",
16295 "Extended security negotiation is not supported"
16297 static const true_false_string tfs_smb_flags2_dfs = {
16298 "Resolve pathnames with Dfs",
16299 "Don't resolve pathnames with Dfs"
16301 static const true_false_string tfs_smb_flags2_roe = {
16302 "Permit reads if execute-only",
16303 "Don't permit reads if execute-only"
/*
 * NOTE(review): presumably this bit decides whether a reply carries an NT
 * status code (the NT status name table earlier in the file) or a DOS error
 * class/code pair -- confirm where the status field is dissected.
 */
16305 static const true_false_string tfs_smb_flags2_nt_error = {
16306 "Error codes are NT error codes",
16307 "Error codes are DOS error codes"
/*
 * dissect_smb() tests Flags2 bit 0x8000 to set si->unicode, so this
 * sender-supplied bit selects how strings in the message are interpreted.
 */
16309 static const true_false_string tfs_smb_flags2_string = {
16310 "Strings are Unicode",
16311 "Strings are ASCII"
/*
 * Dissect the two-byte SMB header Flags2 field located at `offset` in `tvb`.
 *
 * Reads the 16-bit value with tvb_get_letohs() (little-endian, going by the
 * accessor name), adds a "Flags2: 0x...." text item to parent_tree with an
 * ett_smb_flags2 subtree, and adds one boolean item per flag to that subtree.
 *
 * NOTE(review): the gutter numbers in this listing skip lines (e.g.
 * 16315-16316, 16321-16322 and everything after 16345), so the return type,
 * the declaration of `mask`, any guard around the text item and the return
 * statement are not visible here -- read them in the full file.
 * NOTE(review): `offset` is used as given; presumably the tvb accessor
 * rejects an offset past the end of the buffer -- confirm.
 */
16314 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
16317 proto_item *item = NULL;
16318 proto_tree *tree = NULL;
/* The 16-bit flags word is taken from the packet buffer as-is. */
16320 mask = tvb_get_letohs(tvb, offset);
/* Summary item showing the raw word in hex, plus the subtree for the bits. */
16323 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
16324 "Flags2: 0x%04x", mask);
16325 tree = proto_item_add_subtree(item, ett_smb_flags2);
/*
 * Every call below is handed the whole word; presumably each hf_smb_flags2_*
 * field's registered bitmask selects its own bit -- confirm at the field
 * registration.
 */
16328 proto_tree_add_boolean(tree, hf_smb_flags2_string,
16329 tvb, offset, 2, mask);
16330 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
16331 tvb, offset, 2, mask);
16332 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
16333 tvb, offset, 2, mask);
16334 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
16335 tvb, offset, 2, mask);
16336 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
16337 tvb, offset, 2, mask);
16338 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
16339 tvb, offset, 2, mask);
16340 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
16341 tvb, offset, 2, mask);
16342 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
16343 tvb, offset, 2, mask);
16344 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
16345 tvb, offset, 2, mask);
/*
 * Direction bit of the SMB header Flags byte. dissect_smb() treats a message
 * as a request when this bit is clear (si->request = !(flags&SMB_FLAGS_DIRN)).
 * The bit is supplied by the sender, and the XXX note in dissect_smb()
 * records traffic where it appears never to be set even on replies, so
 * request/response classification built on it can be wrong for such captures.
 */
16353 #define SMB_FLAGS_DIRN 0x80
16357 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
16360 proto_item *item = NULL, *hitem = NULL;
16361 proto_tree *tree = NULL, *htree = NULL;
16364 static smb_info_t si_arr[20];
16365 static int si_counter=0;
16367 smb_saved_info_t *sip = NULL;
16368 smb_saved_info_key_t key;
16369 smb_saved_info_key_t *new_key;
16370 guint32 nt_status = 0;
16371 guint8 errclass = 0;
16372 guint16 errcode = 0;
16374 conversation_t *conversation;
16378 if(si_counter==20){
16381 si=&si_arr[si_counter];
16383 top_tree=parent_tree;
16385 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
16386 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
16388 if (check_col(pinfo->cinfo, COL_INFO)){
16389 col_clear(pinfo->cinfo, COL_INFO);
16392 /* start off using the local variable, we will allocate a new one if we
16394 si->cmd = tvb_get_guint8(tvb, offset+4);
16395 flags = tvb_get_guint8(tvb, offset+9);
16397 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
16398 * the direction flag appears never to be set, even for what appear
16399 * to be replies. Do some SMB servers fail to set that flag,
16400 * under the assumption that the client knows it's a reply because
16403 si->request = !(flags&SMB_FLAGS_DIRN);
16404 flags2 = tvb_get_letohs(tvb, offset+10);
16405 if(flags2 & 0x8000){
16406 si->unicode = TRUE; /* Mark them as Unicode */
16408 si->unicode = FALSE;
16410 si->tid = tvb_get_letohs(tvb, offset+24);
16411 si->pid = tvb_get_letohs(tvb, offset+26);
16412 si->uid = tvb_get_letohs(tvb, offset+28);
16413 si->mid = tvb_get_letohs(tvb, offset+30);
16414 pid_mid = (si->pid << 16) | si->mid;
16415 si->info_level = -1;
16416 si->info_count = -1;
16419 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
16421 tree = proto_item_add_subtree(item, ett_smb);
16423 hitem = proto_tree_add_text(tree, tvb, offset, 32,
16426 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
16429 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
16430 offset += 4; /* Skip the marker */
16432 /* find which conversation we are part of and get the tables for that
16434 conversation = find_conversation(&pinfo->src, &pinfo->dst,
16435 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16437 /* OK this is a new conversation so lets create it */
16438 conversation = conversation_new(&pinfo->src, &pinfo->dst,
16439 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
16441 /* see if we already have the smb data for this conversation */
16442 si->ct=conversation_get_proto_data(conversation, proto_smb);
16444 /* No, not yet. create it and attach it to the conversation */
16445 si->ct = g_mem_chunk_alloc(conv_tables_chunk);
16446 conv_tables = g_slist_prepend(conv_tables, si->ct);
16447 si->ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
16448 smb_saved_info_equal_matched);
16449 si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
16450 smb_saved_info_equal_unmatched);
16451 si->ct->tid_service=g_hash_table_new(
16452 smb_saved_info_hash_unmatched,
16453 smb_saved_info_equal_unmatched);
16454 conversation_add_proto_data(conversation, proto_smb, si->ct);
16462 /* this is a broadcast SMB packet, there will not be a reply.
16463 We dont need to do anything
16466 } else if( (si->cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
16467 ||(si->cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
16468 ||(si->cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
16469 ||(si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
16470 /* Ok, we got a special request type. This request is either
16471 an NT Cancel or a continuation relative to a real request
16472 in an earlier packet. In either case, we don't expect any
16473 responses to this packet. For continuations, any later
16474 responses we see really just belong to the original request.
16475 Anyway, we want to remember this packet somehow and
16476 remember which original request it is associated with so
16477 we can say nice things such as "This is a Cancellation to
16478 the request in frame x", but we don't want the
16479 request/response matching to get messed up.
16481 The only thing we do in this case is trying to find which original
16482 request we match with and insert an entry for this "special"
16483 request for later reference. We continue to reference the original
16484 requests smb_saved_info_t but we dont touch it or change anything
16488 si->unidir = TRUE; /*we dont expect an answer to this one*/
16490 if(!pinfo->fd->flags.visited){
16491 /* try to find which original call we match and if we
16492 find it add us to the matched table. Dont touch
16493 anything else since we dont want this one to mess
16494 up the request/response matching. We still consider
16495 the initial call the real request and this is only
16496 some sort of continuation.
16498 /* we only check the unmatched table and assume that the
16499 last seen MID matching ours is the right one.
16500 This can fail but is better than nothing
16502 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
16504 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
16505 new_key->frame = pinfo->fd->num;
16506 new_key->pid_mid = pid_mid;
16507 g_hash_table_insert(si->ct->matched, new_key,
16511 /* we have seen this packet before; check the
16514 key.frame = pinfo->fd->num;
16515 key.pid_mid = pid_mid;
16516 sip=g_hash_table_lookup(si->ct->matched, &key);
16520 Too bad, unfortunately there is not really much we can
16521 do now since this means that we never saw the initial
16528 if(sip && sip->frame_req){
16530 case SMB_COM_NT_CANCEL:
16531 proto_tree_add_uint(htree, hf_smb_cancel_to,
16532 tvb, 0, 0, sip->frame_req);
16534 case SMB_COM_TRANSACTION_SECONDARY:
16535 case SMB_COM_TRANSACTION2_SECONDARY:
16536 case SMB_COM_NT_TRANSACT_SECONDARY:
16537 proto_tree_add_uint(htree, hf_smb_continuation_to,
16538 tvb, 0, 0, sip->frame_req);
16543 case SMB_COM_NT_CANCEL:
16544 proto_tree_add_text(htree, tvb, 0, 0,
16545 "Cancellation to: <unknown frame>");
16547 case SMB_COM_TRANSACTION_SECONDARY:
16548 case SMB_COM_TRANSACTION2_SECONDARY:
16549 case SMB_COM_NT_TRANSACT_SECONDARY:
16550 proto_tree_add_text(htree, tvb, 0, 0,
16551 "Continuation to: <unknown frame>");
16555 } else { /* normal bidirectional request or response */
16556 si->unidir = FALSE;
16558 if(!pinfo->fd->flags.visited){
16559 /* first see if we find an unmatched smb "equal" to
16562 sip=g_hash_table_lookup(si->ct->unmatched, (void *)pid_mid);
16564 gboolean cmd_match=FALSE;
16567 * Make sure the SMB we found was the
16568 * same command, or a different command
16569 * that's another valid type of reply
16572 if(si->cmd==sip->cmd){
16575 else if(si->cmd==SMB_COM_NT_CANCEL){
16578 else if((si->cmd==SMB_COM_TRANSACTION_SECONDARY)
16579 && (sip->cmd==SMB_COM_TRANSACTION)){
16582 else if((si->cmd==SMB_COM_TRANSACTION2_SECONDARY)
16583 && (sip->cmd==SMB_COM_TRANSACTION2)){
16586 else if((si->cmd==SMB_COM_NT_TRANSACT_SECONDARY)
16587 && (sip->cmd==SMB_COM_NT_TRANSACT)){
16591 if( (si->request) || (!cmd_match) ) {
16592 /* If we are processing an SMB request but there was already
16593 another "identical" smb request we had not matched yet.
16594 This must mean that either we have a retransmission or that the
16595 response to the previous one was lost and the client has reused
16596 the MID for this conversation. In either case it's not much more
16597 we can do than forget the old request and concentrate on the
16598 present one instead.
16600 We also do this cleanup if we see that the cmd in the original
16601 request in sip->cmd is not compatible with the current cmd.
16602 This is to prevent matching errors such as if there were two
16603 SMBs of different cmds but with identical MID and PID values and
16604 if ethereal lost the first reply and the second request.
16606 g_hash_table_remove(si->ct->unmatched, (void *)pid_mid);
16607 sip=NULL; /* XXX should free it as well */
16609 /* we have found a response to some request we have seen earlier.
16610 What we do now depends on whether this is the first response
16611 to that request we see (id frame_res==0) or not.
16613 if(sip->frame_res==0){
16614 /* ok it is the first response we have seen to this packet */
16615 sip->frame_res = pinfo->fd->num;
16616 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
16617 new_key->frame = sip->frame_res;
16618 new_key->pid_mid = pid_mid;
16619 g_hash_table_insert(si->ct->matched, new_key, sip);
16621 /* We have already seen another response to this MID.
16622 Since the MID in reality is only something like 10 bits
16623 this probably means that we just have a MID that is being
16624 reused due to the small MID space and that this is a new
16625 command we did not see the original request for.
16632 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
16633 sip->frame_req = pinfo->fd->num;
16634 sip->frame_res = 0;
16635 sip->req_time.secs=pinfo->fd->abs_secs;
16636 sip->req_time.nsecs=pinfo->fd->abs_usecs*1000;
16638 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)
16639 == (void *)TID_IPC) {
16640 sip->flags |= SMB_SIF_TID_IS_IPC;
16642 sip->cmd = si->cmd;
16643 sip->extra_info = NULL;
16644 g_hash_table_insert(si->ct->unmatched, (void *)pid_mid, sip);
16645 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
16646 new_key->frame = sip->frame_req;
16647 new_key->pid_mid = pid_mid;
16648 g_hash_table_insert(si->ct->matched, new_key, sip);
16651 /* we have seen this packet before; check the
16653 If we haven't yet seen the reply, we won't
16654 find the info for it; we don't need it, as
16655 we only use it to save information, and, as
16656 we've seen this packet before, we've already
16657 saved the information.
16659 key.frame = pinfo->fd->num;
16660 key.pid_mid = pid_mid;
16661 sip=g_hash_table_lookup(si->ct->matched, &key);
16666 * Pass the "sip" on to subdissectors through "si".
16672 * Put in fields for the frame number of the frame to which
16673 * this is a response or the frame with the response to this
16674 * frame - if we know the frame number (i.e., it's not 0).
16677 if (sip->frame_res != 0)
16678 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
16680 if (sip->frame_req != 0) {
16681 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
16682 ns.secs = pinfo->fd->abs_secs - sip->req_time.secs;
16683 ns.nsecs = pinfo->fd->abs_usecs*1000 - sip->req_time.nsecs;
16685 ns.nsecs+=1000000000;
16688 proto_tree_add_time(htree, hf_smb_time, tvb,
16695 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si->cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si->cmd), si->cmd);
16698 if(flags2 & 0x4000){
16699 /* handle NT 32 bit error code */
16701 nt_status = tvb_get_letohl(tvb, offset);
16703 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
16708 /* handle DOS error code & class */
16709 errclass = tvb_get_guint8(tvb, offset);
16710 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
16714 /* reserved byte */
16715 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
16719 /* XXX - the type of this field depends on the value of
16720 * "errcls", so there isn't a single value_string array
16721 * for it, so there can't be a single field for it.
16723 errcode = tvb_get_letohs(tvb, offset);
16724 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
16725 offset, 2, errcode, "Error Code: %s",
16726 decode_smb_error(errclass, errcode));
16731 offset = dissect_smb_flags(tvb, htree, offset);
16734 offset = dissect_smb_flags2(tvb, htree, offset);
16739 * http://www.samba.org/samba/ftp/specs/smbpub.txt
16741 * (a text version of "Microsoft Networks SMB FILE SHARING
16742 * PROTOCOL, Document Version 6.0p") says that:
16744 * the first 2 bytes of these 12 bytes are, for NT Create and X,
16745 * the "High Part of PID";
16747 * the next four bytes are reserved;
16749 * the next four bytes are, for SMB-over-IPX (with no
16750 * NetBIOS involved) two bytes of Session ID and two bytes
16751 * of SequenceNumber.
16753 * Network Monitor 2.x dissects the four bytes before the Session ID
16754 * as a "Key", and the two bytes after the SequenceNumber as
16757 * The "High Part of PID" has been seen in calls other than NT
16758 * Create and X, although most of them appear to be I/O on DCE RPC
16759 * pipes opened with the NT Create and X in question.
16761 proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, TRUE);
16764 if (pinfo->ptype == PT_IPX &&
16765 (pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
16766 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
16767 pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
16769 * This is SMB-over-IPX.
16770 * XXX - do we have to worry about "sequenced commands",
16771 * as per the Samba document? They say that for
16772 * "unsequenced commands" (with a sequence number of 0),
16773 * the Mid must be unique, but perhaps the Mid doesn't
16774 * have to be unique for sequenced commands. In at least
16775 * one capture with SMB-over-IPX, however, the Mids
16776 * are unique even for sequenced commands.
16779 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
16784 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
16788 /* Sequence number */
16789 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
16794 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
16799 * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
16800 * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
16801 * bytes after the "High part of PID" are an 8-byte
16804 proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, TRUE);
16807 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, TRUE);
16812 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si->tid);
16816 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
16820 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid);
16824 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
16827 pinfo->private_data = si;
16829 /* tap the packet before the dissectors are called so we still get
16830 the tap listener called even if there is an exception.
16832 tap_queue_packet(smb_tap, pinfo, si);
16833 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, TRUE);
16835 /* Append error info from this packet to info string. */
16836 if (!si->request && check_col(pinfo->cinfo, COL_INFO)) {
16837 if (flags2 & 0x4000) {
16839 * The status is an NT status code; was there
16842 if ((nt_status & 0xC0000000) == 0xC0000000) {
16847 pinfo->cinfo, COL_INFO, ", Error: %s",
16848 val_to_str(nt_status, NT_errors,
16849 "Unknown (0x%08X)"));
16853 * The status is a DOS error class and code; was
16856 if (errclass != SMB_SUCCESS) {
16861 pinfo->cinfo, COL_INFO, ", Error: %s",
16862 decode_smb_error(errclass, errcode));
/*
 * Heuristic entry point for SMB.
 *
 * Claims the buffer as SMB only when its first four bytes are the SMB
 * signature 0xff 'S' 'M' 'B'.  Returns FALSE without touching the tree
 * when the signature is absent or fewer than four bytes are available;
 * otherwise hands the buffer to dissect_smb() and returns TRUE.
 *
 * NOTE(review): the four-byte signature is the only gate in front of the
 * full dissector, so any payload that starts with these bytes is parsed
 * as SMB.  Everything dissect_smb() and the command dissectors read
 * after this point is capture-controlled and has to be length-checked
 * there; nothing here validates it.
 */
static gboolean
dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	static const guint8 smb_magic[4] = { 0xff, 'S', 'M', 'B' };
	int idx;

	/* Confirm all four signature bytes are present before reading
	   them, so the byte fetches below stay inside the buffer. */
	if (!tvb_bytes_exist(tvb, 0, 4))
		return FALSE;

	/* Compare byte by byte and give up at the first mismatch. */
	for (idx = 0; idx < 4; idx++) {
		if (tvb_get_guint8(tvb, idx) != smb_magic[idx])
			return FALSE;
	}

	dissect_smb(tvb, pinfo, parent_tree);
	return TRUE;
}
16887 proto_register_smb(void)
16889 static hf_register_info hf[] = {
16891 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
16892 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
16894 { &hf_smb_word_count,
16895 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
16896 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
16898 { &hf_smb_byte_count,
16899 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
16900 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
16902 { &hf_smb_response_to,
16903 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
16904 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
16907 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
16908 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
16910 { &hf_smb_response_in,
16911 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
16912 NULL, 0, "The response to this packet is in this packet", HFILL }},
16914 { &hf_smb_continuation_to,
16915 { "Continuation to", "smb.continuation_to", FT_FRAMENUM, BASE_NONE,
16916 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
16918 { &hf_smb_nt_status,
16919 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
16920 VALS(NT_errors), 0, "NT Status code", HFILL }},
16922 { &hf_smb_error_class,
16923 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
16924 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
16926 { &hf_smb_error_code,
16927 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
16928 NULL, 0, "DOS Error Code", HFILL }},
16930 { &hf_smb_reserved,
16931 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
16932 NULL, 0, "Reserved bytes, must be zero", HFILL }},
16935 { "Signature", "smb.signature", FT_BYTES, BASE_HEX,
16936 NULL, 0, "Signature bytes", HFILL }},
16939 { "Key", "smb.key", FT_UINT32, BASE_HEX,
16940 NULL, 0, "SMB-over-IPX Key", HFILL }},
16942 { &hf_smb_session_id,
16943 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
16944 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
16946 { &hf_smb_sequence_num,
16947 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
16948 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
16950 { &hf_smb_group_id,
16951 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
16952 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
16955 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
16956 NULL, 0, "Process ID", HFILL }},
16958 { &hf_smb_pid_high,
16959 { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
16960 NULL, 0, "Process ID High Bytes", HFILL }},
16963 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
16964 NULL, 0, "Tree ID", HFILL }},
16967 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
16968 NULL, 0, "User ID", HFILL }},
16971 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
16972 NULL, 0, "Multiplex ID", HFILL }},
16974 { &hf_smb_flags_lock,
16975 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
16976 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
16978 { &hf_smb_flags_receive_buffer,
16979 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
16980 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
16982 { &hf_smb_flags_caseless,
16983 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
16984 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
16986 { &hf_smb_flags_canon,
16987 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
16988 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
16990 { &hf_smb_flags_oplock,
16991 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
16992 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
16994 { &hf_smb_flags_notify,
16995 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
16996 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
16998 { &hf_smb_flags_response,
16999 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
17000 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
17002 { &hf_smb_flags2_long_names_allowed,
17003 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
17004 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
17006 { &hf_smb_flags2_ea,
17007 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
17008 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
17010 { &hf_smb_flags2_sec_sig,
17011 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
17012 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
17014 { &hf_smb_flags2_long_names_used,
17015 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
17016 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
17018 { &hf_smb_flags2_esn,
17019 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
17020 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
17022 { &hf_smb_flags2_dfs,
17023 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
17024 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
17026 { &hf_smb_flags2_roe,
17027 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
17028 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
17030 { &hf_smb_flags2_nt_error,
17031 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
17032 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
17034 { &hf_smb_flags2_string,
17035 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
17036 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
17038 { &hf_smb_buffer_format,
17039 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
17040 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
17042 { &hf_smb_dialect_name,
17043 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
17044 NULL, 0, "Name of dialect", HFILL }},
17046 { &hf_smb_dialect_index,
17047 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
17048 NULL, 0, "Index of selected dialect", HFILL }},
17050 { &hf_smb_max_trans_buf_size,
17051 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
17052 NULL, 0, "Maximum transmit buffer size", HFILL }},
17054 { &hf_smb_max_mpx_count,
17055 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
17056 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
17058 { &hf_smb_max_vcs_num,
17059 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
17060 NULL, 0, "Maximum VCs between client and server", HFILL }},
17062 { &hf_smb_session_key,
17063 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
17064 NULL, 0, "Unique token identifying this session", HFILL }},
17066 { &hf_smb_server_timezone,
17067 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
17068 NULL, 0, "Current timezone at server.", HFILL }},
17070 { &hf_smb_encryption_key_length,
17071 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
17072 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
17074 { &hf_smb_encryption_key,
17075 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
17076 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
17078 { &hf_smb_primary_domain,
17079 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
17080 NULL, 0, "The server's primary domain", HFILL }},
17083 { "Server", "smb.server", FT_STRING, BASE_NONE,
17084 NULL, 0, "The name of the DC/server", HFILL }},
17086 { &hf_smb_max_raw_buf_size,
17087 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
17088 NULL, 0, "Maximum raw buffer size", HFILL }},
17090 { &hf_smb_server_guid,
17091 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
17092 NULL, 0, "Globally unique identifier for this server", HFILL }},
17094 { &hf_smb_security_blob_len,
17095 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
17096 NULL, 0, "Security blob length", HFILL }},
17098 { &hf_smb_security_blob,
17099 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
17100 NULL, 0, "Security blob", HFILL }},
17102 { &hf_smb_sm_mode16,
17103 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
17104 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
17106 { &hf_smb_sm_password16,
17107 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
17108 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
17111 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
17112 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
17114 { &hf_smb_sm_password,
17115 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
17116 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
17118 { &hf_smb_sm_signatures,
17119 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
17120 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
17122 { &hf_smb_sm_sig_required,
17123 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
17124 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
17127 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
17128 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
17130 { &hf_smb_rm_write,
17131 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
17132 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
17134 { &hf_smb_server_date_time,
17135 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
17136 NULL, 0, "Current date and time at server", HFILL }},
17138 { &hf_smb_server_smb_date,
17139 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
17140 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
17142 { &hf_smb_server_smb_time,
17143 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
17144 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
17146 { &hf_smb_server_cap_raw_mode,
17147 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
17148 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
17150 { &hf_smb_server_cap_mpx_mode,
17151 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
17152 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
17154 { &hf_smb_server_cap_unicode,
17155 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
17156 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
17158 { &hf_smb_server_cap_large_files,
17159 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
17160 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
17162 { &hf_smb_server_cap_nt_smbs,
17163 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
17164 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
17166 { &hf_smb_server_cap_rpc_remote_apis,
17167 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
17168 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
17170 { &hf_smb_server_cap_nt_status,
17171 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
17172 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
17174 { &hf_smb_server_cap_level_ii_oplocks,
17175 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
17176 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
17178 { &hf_smb_server_cap_lock_and_read,
17179 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
17180 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
17182 { &hf_smb_server_cap_nt_find,
17183 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
17184 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
17186 { &hf_smb_server_cap_dfs,
17187 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
17188 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
17190 { &hf_smb_server_cap_infolevel_passthru,
17191 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
17192 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
17194 { &hf_smb_server_cap_large_readx,
17195 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
17196 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
17198 { &hf_smb_server_cap_large_writex,
17199 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
17200 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
17202 { &hf_smb_server_cap_unix,
17203 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
17204 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
17206 { &hf_smb_server_cap_reserved,
17207 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
17208 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
17210 { &hf_smb_server_cap_bulk_transfer,
17211 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
17212 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
17214 { &hf_smb_server_cap_compressed_data,
17215 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
17216 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
17218 { &hf_smb_server_cap_extended_security,
17219 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
17220 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
17222 { &hf_smb_system_time,
17223 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
17224 NULL, 0, "System Time", HFILL }},
17227 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
17228 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
17230 { &hf_smb_dir_name,
17231 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
17232 NULL, 0, "SMB Directory Name", HFILL }},
17234 { &hf_smb_echo_count,
17235 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
17236 NULL, 0, "Number of times to echo data back", HFILL }},
17238 { &hf_smb_echo_data,
17239 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
17240 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
17242 { &hf_smb_echo_seq_num,
17243 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
17244 NULL, 0, "Sequence number for this echo response", HFILL }},
17246 { &hf_smb_max_buf_size,
17247 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
17248 NULL, 0, "Max client buffer size", HFILL }},
17251 { "Path", "smb.path", FT_STRING, BASE_NONE,
17252 NULL, 0, "Path. Server name and share name", HFILL }},
17255 { "Service", "smb.service", FT_STRING, BASE_NONE,
17256 NULL, 0, "Service name", HFILL }},
17258 { &hf_smb_password,
17259 { "Password", "smb.password", FT_BYTES, BASE_NONE,
17260 NULL, 0, "Password", HFILL }},
17262 { &hf_smb_ansi_password,
17263 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
17264 NULL, 0, "ANSI Password", HFILL }},
17266 { &hf_smb_unicode_password,
17267 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
17268 NULL, 0, "Unicode Password", HFILL }},
17270 { &hf_smb_move_flags_file,
17271 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
17272 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17274 { &hf_smb_move_flags_dir,
17275 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
17276 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17278 { &hf_smb_move_flags_verify,
17279 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
17280 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17282 { &hf_smb_files_moved,
17283 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
17284 NULL, 0, "Number of files moved", HFILL }},
17286 { &hf_smb_copy_flags_file,
17287 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
17288 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
17290 { &hf_smb_copy_flags_dir,
17291 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
17292 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
17294 { &hf_smb_copy_flags_dest_mode,
17295 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
17296 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
17298 { &hf_smb_copy_flags_source_mode,
17299 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
17300 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
17302 { &hf_smb_copy_flags_verify,
17303 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
17304 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
17306 { &hf_smb_copy_flags_tree_copy,
17307 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
17308 TFS(&tfs_cf_tree_copy), 0x0010, "Is copy a tree copy?", HFILL }},
17310 { &hf_smb_copy_flags_ea_action,
17311 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
17312 TFS(&tfs_cf_ea_action), 0x0010, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
17315 { "Count", "smb.count", FT_UINT32, BASE_DEC,
17316 NULL, 0, "Count number of items/bytes", HFILL }},
17318 { &hf_smb_count_low,
17319 { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
17320 NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
17322 { &hf_smb_count_high,
17323 { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
17324 NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
17326 { &hf_smb_file_name,
17327 { "File Name", "smb.file", FT_STRING, BASE_NONE,
17328 NULL, 0, "File Name", HFILL }},
17330 { &hf_smb_open_function_create,
17331 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
17332 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
17334 { &hf_smb_open_function_open,
17335 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
17336 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
17339 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
17340 NULL, 0, "FID: File ID", HFILL }},
17342 { &hf_smb_file_attr_read_only_16bit,
17343 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
17344 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17346 { &hf_smb_file_attr_read_only_8bit,
17347 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
17348 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
17350 { &hf_smb_file_attr_hidden_16bit,
17351 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
17352 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17354 { &hf_smb_file_attr_hidden_8bit,
17355 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
17356 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
17358 { &hf_smb_file_attr_system_16bit,
17359 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
17360 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17362 { &hf_smb_file_attr_system_8bit,
17363 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
17364 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
17366 { &hf_smb_file_attr_volume_16bit,
17367 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
17368 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
17370 { &hf_smb_file_attr_volume_8bit,
17371 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
17372 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
17374 { &hf_smb_file_attr_directory_16bit,
17375 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
17376 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17378 { &hf_smb_file_attr_directory_8bit,
17379 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
17380 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
17382 { &hf_smb_file_attr_archive_16bit,
17383 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
17384 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17386 { &hf_smb_file_attr_archive_8bit,
17387 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
17388 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
17390 { &hf_smb_file_attr_device,
17391 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
17392 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
17394 { &hf_smb_file_attr_normal,
17395 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
17396 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
17398 { &hf_smb_file_attr_temporary,
17399 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
17400 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
17402 { &hf_smb_file_attr_sparse,
17403 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
17404 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
17406 { &hf_smb_file_attr_reparse,
17407 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
17408 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
17410 { &hf_smb_file_attr_compressed,
17411 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
17412 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
17414 { &hf_smb_file_attr_offline,
17415 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
17416 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
17418 { &hf_smb_file_attr_not_content_indexed,
17419 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
17420 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
17422 { &hf_smb_file_attr_encrypted,
17423 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
17424 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
17426 { &hf_smb_file_size,
17427 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
17428 NULL, 0, "File Size", HFILL }},
17430 { &hf_smb_search_attribute_read_only,
17431 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
17432 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
17434 { &hf_smb_search_attribute_hidden,
17435 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
17436 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
17438 { &hf_smb_search_attribute_system,
17439 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
17440 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
17442 { &hf_smb_search_attribute_volume,
17443 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
17444 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
17446 { &hf_smb_search_attribute_directory,
17447 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
17448 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
17450 { &hf_smb_search_attribute_archive,
17451 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
17452 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
17454 { &hf_smb_access_mode,
17455 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
17456 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
17458 { &hf_smb_access_sharing,
17459 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
17460 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
17462 { &hf_smb_access_locality,
17463 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
17464 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
17466 { &hf_smb_access_caching,
17467 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
17468 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
17470 { &hf_smb_access_writetru,
17471 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
17472 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
17474 { &hf_smb_create_time,
17475 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
17476 NULL, 0, "Creation Time", HFILL }},
17478 { &hf_smb_modify_time,
17479 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, BASE_NONE,
17480 NULL, 0, "Modification Time", HFILL }},
17482 { &hf_smb_backup_time,
17483 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, BASE_NONE,
17484 NULL, 0, "Backup time", HFILL}},
17486 { &hf_smb_mac_alloc_block_count,
17487 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
17488 NULL, 0, "Allocation Block Count", HFILL}},
17490 { &hf_smb_mac_alloc_block_size,
17491 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
17492 NULL, 0, "Allocation Block Size", HFILL}},
17494 { &hf_smb_mac_free_block_count,
17495 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
17496 NULL, 0, "Free Block Count", HFILL}},
17498 { &hf_smb_mac_root_file_count,
17499 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
17500 NULL, 0, "Root File Count", HFILL}},
17502 { &hf_smb_mac_root_dir_count,
17503 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
17504 NULL, 0, "Root Directory Count", HFILL}},
17506 { &hf_smb_mac_file_count,
17507 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
17508 NULL, 0, "File Count", HFILL}},
17510 { &hf_smb_mac_dir_count,
17511 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
17512 NULL, 0, "Directory Count", HFILL}},
17514 { &hf_smb_mac_support_flags,
17515 { "Mac Support Flags", "smb.mac.support.flags", FT_UINT32, BASE_DEC,
17516 NULL, 0, "Mac Support Flags", HFILL}},
17518 { &hf_smb_mac_sup_access_ctrl,
17519 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
17520 TFS(&tfs_smb_mac_access_ctrl), 0x0010, "Are Mac Access Control Supported", HFILL }},
17522 { &hf_smb_mac_sup_getset_comments,
17523 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
17524 TFS(&tfs_smb_mac_getset_comments), 0x0020, "Are Mac Get Set Comments supported?", HFILL }},
17526 { &hf_smb_mac_sup_desktopdb_calls,
17527 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
17528 TFS(&tfs_smb_mac_desktopdb_calls), 0x0040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
17530 { &hf_smb_mac_sup_unique_ids,
17531 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
17532 TFS(&tfs_smb_mac_unique_ids), 0x0080, "Are Unique IDs supported", HFILL }},
17534 { &hf_smb_mac_sup_streams,
17535 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
17536 TFS(&tfs_smb_mac_streams), 0x0100, "Are Mac Extensions and streams supported?", HFILL }},
17538 { &hf_smb_create_dos_date,
17539 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
17540 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
17542 { &hf_smb_create_dos_time,
17543 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
17544 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
17546 { &hf_smb_last_write_time,
17547 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
17548 NULL, 0, "Time this file was last written to", HFILL }},
17550 { &hf_smb_last_write_dos_date,
17551 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
17552 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
17554 { &hf_smb_last_write_dos_time,
17555 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
17556 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
17558 { &hf_smb_old_file_name,
17559 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
17560 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
17563 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
17564 NULL, 0, "Offset in file", HFILL }},
17566 { &hf_smb_remaining,
17567 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
17568 NULL, 0, "Remaining number of bytes", HFILL }},
17571 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
17572 NULL, 0, "Padding or unknown data", HFILL }},
17574 { &hf_smb_file_data,
17575 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
17576 NULL, 0, "Data read/written to the file", HFILL }},
17578 { &hf_smb_mac_fndrinfo,
17579 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_HEX,
17580 NULL, 0, "Finder Info", HFILL}},
17582 { &hf_smb_total_data_len,
17583 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
17584 NULL, 0, "Total length of data", HFILL }},
17586 { &hf_smb_data_len,
17587 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
17588 NULL, 0, "Length of data", HFILL }},
17590 { &hf_smb_data_len_low,
17591 { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
17592 NULL, 0, "Length of data, Low 16 bits", HFILL }},
17594 { &hf_smb_data_len_high,
17595 { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
17596 NULL, 0, "Length of data, High 16 bits", HFILL }},
17598 { &hf_smb_seek_mode,
17599 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
17600 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
17602 { &hf_smb_access_time,
17603 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
17604 NULL, 0, "Last Access Time", HFILL }},
17606 { &hf_smb_access_dos_date,
17607 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
17608 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
17610 { &hf_smb_access_dos_time,
17611 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
17612 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
17614 { &hf_smb_data_size,
17615 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
17616 NULL, 0, "Data Size", HFILL }},
17618 { &hf_smb_alloc_size,
17619 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
17620 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
17622 { &hf_smb_max_count,
17623 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
17624 NULL, 0, "Maximum Count", HFILL }},
17626 { &hf_smb_max_count_low,
17627 { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
17628 NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
17630 { &hf_smb_max_count_high,
17631 { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
17632 NULL, 0, "Maximum Count, High 16 bits", HFILL }},
17634 { &hf_smb_min_count,
17635 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
17636 NULL, 0, "Minimum Count", HFILL }},
17639 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
17640 NULL, 0, "Timeout in miliseconds", HFILL }},
17642 { &hf_smb_high_offset,
17643 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
17644 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
17647 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
17648 NULL, 0, "Total number of units at server", HFILL }},
17651 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
17652 NULL, 0, "Blocks per unit at server", HFILL }},
17654 { &hf_smb_blocksize,
17655 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
17656 NULL, 0, "Block size (in bytes) at server", HFILL }},
17658 { &hf_smb_freeunits,
17659 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
17660 NULL, 0, "Number of free units at server", HFILL }},
17662 { &hf_smb_data_offset,
17663 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17664 NULL, 0, "Data Offset", HFILL }},
17667 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
17668 NULL, 0, "Data Compaction Mode", HFILL }},
17670 { &hf_smb_request_mask,
17671 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
17672 NULL, 0, "Connectionless mode mask", HFILL }},
17674 { &hf_smb_response_mask,
17675 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
17676 NULL, 0, "Connectionless mode mask", HFILL }},
17678 { &hf_smb_search_id,
17679 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
17680 NULL, 0, "Search ID, handle for find operations", HFILL }},
17682 { &hf_smb_write_mode_write_through,
17683 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
17684 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
17686 { &hf_smb_write_mode_return_remaining,
17687 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
17688 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
17690 { &hf_smb_write_mode_raw,
17691 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
17692 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
17694 { &hf_smb_write_mode_message_start,
17695 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
17696 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
17698 { &hf_smb_write_mode_connectionless,
17699 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
17700 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
17702 { &hf_smb_resume_key_len,
17703 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
17704 NULL, 0, "Resume Key length", HFILL }},
17706 { &hf_smb_resume_find_id,
17707 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
17708 NULL, 0, "Handle for Find operation", HFILL }},
17710 { &hf_smb_resume_server_cookie,
17711 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
17712 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
17714 { &hf_smb_resume_client_cookie,
17715 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
17716 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
17718 { &hf_smb_andxoffset,
17719 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
17720 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
17722 { &hf_smb_lock_type_large,
17723 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
17724 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
17726 { &hf_smb_lock_type_cancel,
17727 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
17728 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
17730 { &hf_smb_lock_type_change,
17731 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
17732 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
17734 { &hf_smb_lock_type_oplock,
17735 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
17736 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
17738 { &hf_smb_lock_type_shared,
17739 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
17740 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
17742 { &hf_smb_locking_ol,
17743 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
17744 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
17746 { &hf_smb_number_of_locks,
17747 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
17748 NULL, 0, "Number of lock requests in this request", HFILL }},
17750 { &hf_smb_number_of_unlocks,
17751 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
17752 NULL, 0, "Number of unlock requests in this request", HFILL }},
17754 { &hf_smb_lock_long_length,
17755 { "Length", "smb.lock.length", FT_STRING, BASE_DEC,
17756 NULL, 0, "Length of lock/unlock region", HFILL }},
17758 { &hf_smb_lock_long_offset,
17759 { "Offset", "smb.lock.offset", FT_STRING, BASE_DEC,
17760 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
17762 { &hf_smb_file_type,
17763 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
17764 VALS(filetype_vals), 0, "Type of file", HFILL }},
17766 { &hf_smb_ipc_state_nonblocking,
17767 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
17768 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
17770 { &hf_smb_ipc_state_endpoint,
17771 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
17772 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
17774 { &hf_smb_ipc_state_pipe_type,
17775 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
17776 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
17778 { &hf_smb_ipc_state_read_mode,
17779 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
17780 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
17782 { &hf_smb_ipc_state_icount,
17783 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
17784 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
17786 { &hf_smb_server_fid,
17787 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
17788 NULL, 0, "Server unique File ID", HFILL }},
17790 { &hf_smb_open_flags_add_info,
17791 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
17792 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
17794 { &hf_smb_open_flags_ex_oplock,
17795 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
17796 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
17798 { &hf_smb_open_flags_batch_oplock,
17799 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
17800 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
17802 { &hf_smb_open_flags_ealen,
17803 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
17804 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
17806 { &hf_smb_open_action_open,
17807 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
17808 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
17810 { &hf_smb_open_action_lock,
17811 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
17812 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
17815 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
17816 NULL, 0, "VC Number", HFILL }},
17818 { &hf_smb_password_len,
17819 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
17820 NULL, 0, "Length of password", HFILL }},
17822 { &hf_smb_ansi_password_len,
17823 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
17824 NULL, 0, "Length of ANSI password", HFILL }},
17826 { &hf_smb_unicode_password_len,
17827 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
17828 NULL, 0, "Length of Unicode password", HFILL }},
17831 { "Account", "smb.account", FT_STRING, BASE_NONE,
17832 NULL, 0, "Account, username", HFILL }},
17835 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
17836 NULL, 0, "Which OS we are running", HFILL }},
17839 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
17840 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
17842 { &hf_smb_setup_action_guest,
17843 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
17844 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
17847 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
17848 NULL, 0, "Native File System", HFILL }},
17850 { &hf_smb_connect_flags_dtid,
17851 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
17852 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
17854 { &hf_smb_connect_support_search,
17855 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
17856 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
17858 { &hf_smb_connect_support_in_dfs,
17859 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
17860 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
17862 { &hf_smb_max_setup_count,
17863 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
17864 NULL, 0, "Maximum number of setup words to return", HFILL }},
17866 { &hf_smb_total_param_count,
17867 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
17868 NULL, 0, "Total number of parameter bytes", HFILL }},
17870 { &hf_smb_total_data_count,
17871 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
17872 NULL, 0, "Total number of data bytes", HFILL }},
17874 { &hf_smb_max_param_count,
17875 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
17876 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
17878 { &hf_smb_max_data_count,
17879 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
17880 NULL, 0, "Maximum number of data bytes to return", HFILL }},
17882 { &hf_smb_param_disp16,
17883 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
17884 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17886 { &hf_smb_param_count16,
17887 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
17888 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17890 { &hf_smb_param_offset16,
17891 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
17892 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17894 { &hf_smb_param_disp32,
17895 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
17896 NULL, 0, "Displacement of these parameter bytes", HFILL }},
17898 { &hf_smb_param_count32,
17899 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
17900 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
17902 { &hf_smb_param_offset32,
17903 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
17904 NULL, 0, "Offset (from header start) to parameters", HFILL }},
17906 { &hf_smb_data_count16,
17907 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
17908 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17910 { &hf_smb_data_disp16,
17911 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
17912 NULL, 0, "Data Displacement", HFILL }},
17914 { &hf_smb_data_offset16,
17915 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
17916 NULL, 0, "Data Offset", HFILL }},
17918 { &hf_smb_data_count32,
17919 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
17920 NULL, 0, "Number of data bytes in this buffer", HFILL }},
17922 { &hf_smb_data_disp32,
17923 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
17924 NULL, 0, "Data Displacement", HFILL }},
17926 { &hf_smb_data_offset32,
17927 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
17928 NULL, 0, "Data Offset", HFILL }},
17930 { &hf_smb_setup_count,
17931 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
17932 NULL, 0, "Number of setup words in this buffer", HFILL }},
17934 { &hf_smb_nt_trans_subcmd,
17935 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
17936 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
17938 { &hf_smb_nt_ioctl_function_code,
17939 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
17940 NULL, 0, "NT IOCTL function code", HFILL }},
17942 { &hf_smb_nt_ioctl_isfsctl,
17943 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
17944 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
17946 { &hf_smb_nt_ioctl_flags_root_handle,
17947 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
17948 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
17950 { &hf_smb_nt_ioctl_data,
17951 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
17952 NULL, 0, "Data for the IOCTL call", HFILL }},
17954 { &hf_smb_nt_notify_action,
17955 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
17956 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
17958 { &hf_smb_nt_notify_watch_tree,
17959 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
17960 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
17962 { &hf_smb_nt_notify_stream_write,
17963 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
17964 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
17966 { &hf_smb_nt_notify_stream_size,
17967 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
17968 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
17970 { &hf_smb_nt_notify_stream_name,
17971 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
17972 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
17974 { &hf_smb_nt_notify_security,
17975 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
17976 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
17978 { &hf_smb_nt_notify_ea,
17979 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
17980 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
17982 { &hf_smb_nt_notify_creation,
17983 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
17984 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
17986 { &hf_smb_nt_notify_last_access,
17987 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
17988 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
17990 { &hf_smb_nt_notify_last_write,
17991 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
17992 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
17994 { &hf_smb_nt_notify_size,
17995 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
17996 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
17998 { &hf_smb_nt_notify_attributes,
17999 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
18000 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
18002 { &hf_smb_nt_notify_dir_name,
18003 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
18004 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
18006 { &hf_smb_nt_notify_file_name,
18007 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
18008 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
18010 { &hf_smb_root_dir_fid,
18011 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
18012 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
18014 { &hf_smb_alloc_size64,
18015 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
18016 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
18018 { &hf_smb_nt_create_disposition,
18019 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
18020 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
18022 { &hf_smb_sd_length,
18023 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
18024 NULL, 0, "Total length of security descriptor", HFILL }},
18026 { &hf_smb_ea_list_length,
18027 { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
18028 NULL, 0, "Total length of extended attributes", HFILL }},
18030 { &hf_smb_ea_flags,
18031 { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
18032 NULL, 0, "EA Flags", HFILL }},
18034 { &hf_smb_ea_name_length,
18035 { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
18036 NULL, 0, "EA Name Length", HFILL }},
18038 { &hf_smb_ea_data_length,
18039 { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
18040 NULL, 0, "EA Data Length", HFILL }},
18043 { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
18044 NULL, 0, "EA Name", HFILL }},
18047 { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE,
18048 NULL, 0, "EA Data", HFILL }},
18050 { &hf_smb_file_name_len,
18051 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
18052 NULL, 0, "Length of File Name", HFILL }},
18054 { &hf_smb_nt_impersonation_level,
18055 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
18056 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
18058 { &hf_smb_nt_security_flags_context_tracking,
18059 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
18060 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
18062 { &hf_smb_nt_security_flags_effective_only,
18063 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
18064 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
18066 { &hf_smb_nt_access_mask_generic_read,
18067 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
18068 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
18070 { &hf_smb_nt_access_mask_generic_write,
18071 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
18072 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
18074 { &hf_smb_nt_access_mask_generic_execute,
18075 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
18076 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
18078 { &hf_smb_nt_access_mask_generic_all,
18079 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
18080 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
18082 { &hf_smb_nt_access_mask_maximum_allowed,
18083 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
18084 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
18086 { &hf_smb_nt_access_mask_system_security,
18087 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
18088 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
18090 { &hf_smb_nt_access_mask_synchronize,
18091 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
18092 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
18094 { &hf_smb_nt_access_mask_write_owner,
18095 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
18096 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
18098 { &hf_smb_nt_access_mask_write_dac,
18099 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
18100 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
18102 { &hf_smb_nt_access_mask_read_control,
18103 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
18104 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
18106 { &hf_smb_nt_access_mask_delete,
18107 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
18108 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
18110 { &hf_smb_nt_access_mask_write_attributes,
18111 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
18112 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
18114 { &hf_smb_nt_access_mask_read_attributes,
18115 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
18116 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
18118 { &hf_smb_nt_access_mask_delete_child,
18119 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
18120 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
18123 * "Execute" for files, "traverse" for directories.
18125 { &hf_smb_nt_access_mask_execute,
18126 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
18127 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
18129 { &hf_smb_nt_access_mask_write_ea,
18130 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
18131 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
18133 { &hf_smb_nt_access_mask_read_ea,
18134 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
18135 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
18138 * "Append data" for files, "add subdirectory" for directories,
18139 * "create pipe instance" for named pipes.
18141 { &hf_smb_nt_access_mask_append,
18142 { "Append", "smb.access.append", FT_BOOLEAN, 32,
18143 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
18146 * "Write data" for files and pipes, "add file" for directory.
18148 { &hf_smb_nt_access_mask_write,
18149 { "Write", "smb.access.write", FT_BOOLEAN, 32,
18150 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
18153 * "Read data" for files and pipes, "list directory" for directory.
18155 { &hf_smb_nt_access_mask_read,
18156 { "Read", "smb.access.read", FT_BOOLEAN, 32,
18157 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
18159 { &hf_smb_nt_create_bits_oplock,
18160 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
18161 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
18163 { &hf_smb_nt_create_bits_boplock,
18164 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
18165 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
18167 { &hf_smb_nt_create_bits_dir,
18168 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
18169 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
18171 { &hf_smb_nt_create_bits_ext_resp,
18172 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
18173 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
18175 { &hf_smb_nt_create_options_directory_file,
18176 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
18177 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
18179 { &hf_smb_nt_create_options_write_through,
18180 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
18181 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
18183 { &hf_smb_nt_create_options_sequential_only,
18184 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
18185 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
18187 { &hf_smb_nt_create_options_sync_io_alert,
18188 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
18189 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
18191 { &hf_smb_nt_create_options_sync_io_nonalert,
18192 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
18193 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
18195 { &hf_smb_nt_create_options_non_directory_file,
18196 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
18197 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
18199 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
18200 and "NtOpenFile()"; is that sent over the wire? Network
18201 Monitor thinks so, but its author may just have grabbed
18202 the flag bits from a system header file. */
18204 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
18205 and "NtOpenFile()"; is that sent over the wire? NetMon
18206 thinks so, but see previous comment. */
18208 { &hf_smb_nt_create_options_no_ea_knowledge,
18209 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
18210 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
18212 { &hf_smb_nt_create_options_eight_dot_three_only,
18213 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
18214 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
18216 { &hf_smb_nt_create_options_random_access,
18217 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
18218 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
18220 { &hf_smb_nt_create_options_delete_on_close,
18221 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
18222 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
18224 /* 0x00002000 is "open by FID", or something such as that (which
18225 I suspect is like "open by inumber" on UNIX), at least in
18226 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
18227 wire? NetMon thinks so, but see previous comment. */
18229 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
18230 and "NtOpenFile()"; is that sent over the wire? NetMon
18231 thinks so, but see previous comment. */
18233 { &hf_smb_nt_share_access_read,
18234 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
18235 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
18237 { &hf_smb_nt_share_access_write,
18238 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
18239 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
18241 { &hf_smb_nt_share_access_delete,
18242 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
18243 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
18245 { &hf_smb_file_eattr_read_only,
18246 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
18247 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
18249 { &hf_smb_file_eattr_hidden,
18250 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
18251 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
18253 { &hf_smb_file_eattr_system,
18254 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
18255 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
18257 { &hf_smb_file_eattr_volume,
18258 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
18259 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
18261 { &hf_smb_file_eattr_directory,
18262 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
18263 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
18265 { &hf_smb_file_eattr_archive,
18266 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
18267 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
18269 { &hf_smb_file_eattr_device,
18270 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
18271 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
18273 { &hf_smb_file_eattr_normal,
18274 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
18275 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
18277 { &hf_smb_file_eattr_temporary,
18278 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
18279 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
18281 { &hf_smb_file_eattr_sparse,
18282 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
18283 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
18285 { &hf_smb_file_eattr_reparse,
18286 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
18287 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
18289 { &hf_smb_file_eattr_compressed,
18290 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
18291 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
18293 { &hf_smb_file_eattr_offline,
18294 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
18295 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
18297 { &hf_smb_file_eattr_not_content_indexed,
18298 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
18299 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
18301 { &hf_smb_file_eattr_encrypted,
18302 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
18303 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
18305 { &hf_smb_sec_desc_len,
18306 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
18307 NULL, 0, "Security Descriptor Length", HFILL }},
18309 { &hf_smb_nt_qsd_owner,
18310 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
18311 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
18313 { &hf_smb_nt_qsd_group,
18314 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
18315 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
18317 { &hf_smb_nt_qsd_dacl,
18318 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
18319 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
18321 { &hf_smb_nt_qsd_sacl,
18322 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
18323 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
18325 { &hf_smb_extended_attributes,
18326 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
18327 NULL, 0, "Extended Attributes", HFILL }},
18329 { &hf_smb_oplock_level,
18330 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
18331 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
18333 { &hf_smb_create_action,
18334 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
18335 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
18338 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
18339 NULL, 0, "Server unique file ID", HFILL }},
18341 { &hf_smb_ea_error_offset,
18342 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
18343 NULL, 0, "Offset into EA list if EA error", HFILL }},
18345 { &hf_smb_end_of_file,
18346 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
18347 NULL, 0, "Offset to the first free byte in the file", HFILL }},
18350 { "Replace", "smb.replace", FT_BOOLEAN, BASE_NONE,
18351 TFS(&tfs_smb_replace), 0x0, "Remove target if it exists?", HFILL }},
18353 { &hf_smb_root_dir_handle,
18354 { "Root Directory Handle", "smb.root_dir_handle", FT_UINT32, BASE_HEX,
18355 NULL, 0, "Root directory handle", HFILL }},
18357 { &hf_smb_target_name_len,
18358 { "Target name length", "smb.target_name_len", FT_UINT32, BASE_DEC,
18359 NULL, 0, "Length of target file name", HFILL }},
18361 { &hf_smb_target_name,
18362 { "Target name", "smb.target_name", FT_STRING, BASE_NONE,
18363 NULL, 0, "Target file name", HFILL }},
18365 { &hf_smb_device_type,
18366 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
18367 VALS(device_type_vals), 0, "Type of device", HFILL }},
18369 { &hf_smb_is_directory,
18370 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
18371 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
18373 { &hf_smb_next_entry_offset,
18374 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
18375 NULL, 0, "Offset to next entry", HFILL }},
18377 { &hf_smb_change_time,
18378 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
18379 NULL, 0, "Last Change Time", HFILL }},
18381 { &hf_smb_setup_len,
18382 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
18383 NULL, 0, "Length of printer setup data", HFILL }},
18385 { &hf_smb_print_mode,
18386 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
18387 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
18389 { &hf_smb_print_identifier,
18390 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
18391 NULL, 0, "Identifier string for this print job", HFILL }},
18393 { &hf_smb_restart_index,
18394 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
18395 NULL, 0, "Index of entry after last returned", HFILL }},
18397 { &hf_smb_print_queue_date,
18398 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
18399 NULL, 0, "Date when this entry was queued", HFILL }},
18401 { &hf_smb_print_queue_dos_date,
18402 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
18403 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
18405 { &hf_smb_print_queue_dos_time,
18406 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
18407 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
18409 { &hf_smb_print_status,
18410 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
18411 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
18413 { &hf_smb_print_spool_file_number,
18414 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
18415 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
18417 { &hf_smb_print_spool_file_size,
18418 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
18419 NULL, 0, "Number of bytes in spool file", HFILL }},
18421 { &hf_smb_print_spool_file_name,
18422 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
18423 NULL, 0, "Name of client that submitted this job", HFILL }},
18425 { &hf_smb_start_index,
18426 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
18427 NULL, 0, "First queue entry to return", HFILL }},
18429 { &hf_smb_originator_name,
18430 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
18431 NULL, 0, "Name of sender of message", HFILL }},
18433 { &hf_smb_destination_name,
18434 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
18435 NULL, 0, "Name of recipient of message", HFILL }},
18437 { &hf_smb_message_len,
18438 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
18439 NULL, 0, "Length of message", HFILL }},
18442 { "Message", "smb.message", FT_STRING, BASE_NONE,
18443 NULL, 0, "Message text", HFILL }},
18446 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
18447 NULL, 0, "Message group ID for multi-block messages", HFILL }},
18449 { &hf_smb_forwarded_name,
18450 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
18451 NULL, 0, "Recipient name being forwarded", HFILL }},
18453 { &hf_smb_machine_name,
18454 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
18455 NULL, 0, "Name of target machine", HFILL }},
18457 { &hf_smb_cancel_to,
18458 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
18459 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
18461 { &hf_smb_trans2_subcmd,
18462 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
18463 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
18465 { &hf_smb_trans_name,
18466 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
18467 NULL, 0, "Name of transaction", HFILL }},
18469 { &hf_smb_transaction_flags_dtid,
18470 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
18471 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
18473 { &hf_smb_transaction_flags_owt,
18474 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
18475 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
18477 { &hf_smb_search_count,
18478 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
18479 NULL, 0, "Maximum number of search entries to return", HFILL }},
18481 { &hf_smb_search_pattern,
18482 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
18483 NULL, 0, "Search Pattern", HFILL }},
18485 { &hf_smb_ff2_backup,
18486 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
18487 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
18489 { &hf_smb_ff2_continue,
18490 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
18491 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
18493 { &hf_smb_ff2_resume,
18494 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
18495 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
18497 { &hf_smb_ff2_close_eos,
18498 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
18499 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
18501 { &hf_smb_ff2_close,
18502 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
18503 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
18505 { &hf_smb_ff2_information_level,
18506 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
18507 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
18510 { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_DEC,
18511 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
18514 { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_DEC,
18515 VALS(spi_loi_vals), 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
18518 { &hf_smb_sfi_writetru,
18519 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
18520 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
18522 { &hf_smb_sfi_caching,
18523 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
18524 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
18527 { &hf_smb_storage_type,
18528 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
18529 NULL, 0, "Type of storage", HFILL }},
18532 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
18533 NULL, 0, "Resume Key", HFILL }},
18535 { &hf_smb_max_referral_level,
18536 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
18537 NULL, 0, "Latest referral version number understood", HFILL }},
18539 { &hf_smb_qfsi_information_level,
18540 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_HEX,
18541 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
18543 { &hf_smb_nt_rename_level,
18544 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
18545 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
18547 { &hf_smb_cluster_count,
18548 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
18549 NULL, 0, "Number of clusters", HFILL }},
18551 { &hf_smb_number_of_links,
18552 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
18553 NULL, 0, "Number of hard links to the file", HFILL }},
18555 { &hf_smb_delete_pending,
18556 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
18557 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
18559 { &hf_smb_index_number,
18560 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
18561 NULL, 0, "File system unique identifier", HFILL }},
18563 { &hf_smb_current_offset,
18564 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
18565 NULL, 0, "Current offset in the file", HFILL }},
18567 { &hf_smb_t2_alignment,
18568 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
18569 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
18571 { &hf_smb_t2_stream_name_length,
18572 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
18573 NULL, 0, "Length of stream name", HFILL }},
18575 { &hf_smb_t2_stream_size,
18576 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
18577 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18579 { &hf_smb_t2_stream_name,
18580 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
18581 NULL, 0, "Name of the stream", HFILL }},
18583 { &hf_smb_t2_compressed_file_size,
18584 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
18585 NULL, 0, "Size of the compressed file", HFILL }},
18587 { &hf_smb_t2_compressed_format,
18588 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
18589 NULL, 0, "Compression algorithm used", HFILL }},
18591 { &hf_smb_t2_compressed_unit_shift,
18592 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
18593 NULL, 0, "Size of the stream in number of bytes", HFILL }},
18595 { &hf_smb_t2_compressed_chunk_shift,
18596 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
18597 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18599 { &hf_smb_t2_compressed_cluster_shift,
18600 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
18601 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
18603 { &hf_smb_t2_marked_for_deletion,
18604 { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
18605 TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
18607 { &hf_smb_dfs_path_consumed,
18608 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
18609 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
18611 { &hf_smb_dfs_num_referrals,
18612 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
18613 NULL, 0, "Number of referrals in this pdu", HFILL }},
18615 { &hf_smb_get_dfs_server_hold_storage,
18616 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
18617 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
18619 { &hf_smb_get_dfs_fielding,
18620 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
18621 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
18623 { &hf_smb_dfs_referral_version,
18624 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
18625 NULL, 0, "Version of referral element", HFILL }},
18627 { &hf_smb_dfs_referral_size,
18628 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
18629 NULL, 0, "Size of referral element", HFILL }},
18631 { &hf_smb_dfs_referral_server_type,
18632 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
18633 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
18635 { &hf_smb_dfs_referral_flags_strip,
18636 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
18637 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
18639 { &hf_smb_dfs_referral_node_offset,
18640 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
18641 NULL, 0, "Offset of name of entity to visit next", HFILL }},
18643 { &hf_smb_dfs_referral_node,
18644 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
18645 NULL, 0, "Name of entity to visit next", HFILL }},
18647 { &hf_smb_dfs_referral_proximity,
18648 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
18649 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
18651 { &hf_smb_dfs_referral_ttl,
18652 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
18653 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
18655 { &hf_smb_dfs_referral_path_offset,
18656 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
18657 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
18659 { &hf_smb_dfs_referral_path,
18660 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
18661 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
18663 { &hf_smb_dfs_referral_alt_path_offset,
18664 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
18665 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
18667 { &hf_smb_dfs_referral_alt_path,
18668 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
18669 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
18671 { &hf_smb_end_of_search,
18672 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
18673 NULL, 0, "Was last entry returned?", HFILL }},
18675 { &hf_smb_last_name_offset,
18676 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
18677 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
18679 { &hf_smb_fn_information_level,
18680 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
18681 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
18683 { &hf_smb_monitor_handle,
18684 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
18685 NULL, 0, "Handle for Find Notify operations", HFILL }},
18687 { &hf_smb_change_count,
18688 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
18689 NULL, 0, "Number of changes to wait for", HFILL }},
18691 { &hf_smb_file_index,
18692 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
18693 NULL, 0, "File index", HFILL }},
18695 { &hf_smb_short_file_name,
18696 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
18697 NULL, 0, "Short (8.3) File Name", HFILL }},
18699 { &hf_smb_short_file_name_len,
18700 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
18701 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
18704 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
18705 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
18708 { "FS GUID", "smb.fs_guid", FT_STRING, BASE_NONE,
18709 NULL, 0, "File System GUID", HFILL }},
18711 { &hf_smb_sector_unit,
18712 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
18713 NULL, 0, "Sectors per allocation unit", HFILL }},
18715 { &hf_smb_fs_units,
18716 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
18717 NULL, 0, "Total number of units on this filesystem", HFILL }},
18719 { &hf_smb_fs_sector,
18720 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
18721 NULL, 0, "Bytes per sector", HFILL }},
18723 { &hf_smb_avail_units,
18724 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
18725 NULL, 0, "Total number of available units on this filesystem", HFILL }},
18727 { &hf_smb_volume_serial_num,
18728 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
18729 NULL, 0, "Volume serial number", HFILL }},
18731 { &hf_smb_volume_label_len,
18732 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
18733 NULL, 0, "Length of volume label", HFILL }},
18735 { &hf_smb_volume_label,
18736 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
18737 NULL, 0, "Volume label", HFILL }},
18739 { &hf_smb_free_alloc_units64,
18740 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
18741 NULL, 0, "Number of free allocation units", HFILL }},
18743 { &hf_smb_caller_free_alloc_units64,
18744 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
18745 NULL, 0, "Number of caller free allocation units", HFILL }},
18747 { &hf_smb_actual_free_alloc_units64,
18748 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
18749 NULL, 0, "Number of actual free allocation units", HFILL }},
18751 { &hf_smb_soft_quota_limit,
18752 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
18753 NULL, 0, "Soft Quota treshold", HFILL }},
18755 { &hf_smb_hard_quota_limit,
18756 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
18757 NULL, 0, "Hard Quota limit", HFILL }},
18759 { &hf_smb_user_quota_used,
18760 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
18761 NULL, 0, "How much Quota is used by this user", HFILL }},
18763 { &hf_smb_max_name_len,
18764 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
18765 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
18767 { &hf_smb_fs_name_len,
18768 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
18769 NULL, 0, "Length of filesystem name in bytes", HFILL }},
18772 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
18773 NULL, 0, "Name of filesystem", HFILL }},
18775 { &hf_smb_device_char_removable,
18776 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
18777 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
18779 { &hf_smb_device_char_read_only,
18780 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
18781 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
18783 { &hf_smb_device_char_floppy,
18784 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
18785 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
18787 { &hf_smb_device_char_write_once,
18788 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
18789 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
18791 { &hf_smb_device_char_remote,
18792 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
18793 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
18795 { &hf_smb_device_char_mounted,
18796 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
18797 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
18799 { &hf_smb_device_char_virtual,
18800 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
18801 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
18803 { &hf_smb_fs_attr_css,
18804 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
18805 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
18807 { &hf_smb_fs_attr_cpn,
18808 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
18809 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
18811 { &hf_smb_fs_attr_pacls,
18812 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
18813 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
18815 { &hf_smb_fs_attr_fc,
18816 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
18817 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
18819 { &hf_smb_fs_attr_vq,
18820 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
18821 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
18823 { &hf_smb_fs_attr_dim,
18824 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
18825 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
18827 { &hf_smb_fs_attr_vic,
18828 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
18829 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
18831 { &hf_smb_sec_desc_revision,
18832 { "Revision", "smb.sec_desc.revision", FT_UINT8, BASE_DEC,
18833 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
18836 { "SID", "smb.sid", FT_STRING, BASE_DEC,
18837 NULL, 0, "SID: Security Identifier", HFILL }},
18839 { &hf_smb_sid_revision,
18840 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
18841 NULL, 0, "Version of SID structure", HFILL }},
18843 { &hf_smb_sid_num_auth,
18844 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
18845 NULL, 0, "Number of authorities for this SID", HFILL }},
18847 { &hf_smb_acl_revision,
18848 { "Revision", "smb.acl.revision", FT_UINT8, BASE_DEC,
18849 NULL, 0, "Version of NT ACL structure", HFILL }},
18851 { &hf_smb_acl_size,
18852 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
18853 NULL, 0, "Size of NT ACL structure", HFILL }},
18855 { &hf_smb_acl_num_aces,
18856 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
18857 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
18859 { &hf_smb_user_quota_offset,
18860 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
18861 NULL, 0, "Relative offset to next user quota structure", HFILL }},
18863 { &hf_smb_ace_type,
18864 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
18865 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
18867 { &hf_smb_pipe_write_len,
18868 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
18869 NULL, 0, "Number of bytes written to pipe", HFILL }},
18871 { &hf_smb_ace_size,
18872 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
18873 NULL, 0, "Size of this ACE", HFILL }},
18875 { &hf_smb_ace_flags_object_inherit,
18876 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
18877 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
18879 { &hf_smb_ace_flags_container_inherit,
18880 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
18881 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
18883 { &hf_smb_ace_flags_non_propagate_inherit,
18884 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
18885 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
18887 { &hf_smb_ace_flags_inherit_only,
18888 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
18889 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
18891 { &hf_smb_ace_flags_inherited_ace,
18892 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
18893 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
18895 { &hf_smb_ace_flags_successful_access,
18896 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
18897 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
18899 { &hf_smb_ace_flags_failed_access,
18900 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
18901 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
18903 { &hf_smb_sec_desc_type_owner_defaulted,
18904 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
18905 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
18907 { &hf_smb_sec_desc_type_group_defaulted,
18908 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
18909 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
18911 { &hf_smb_sec_desc_type_dacl_present,
18912 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
18913 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
18915 { &hf_smb_sec_desc_type_dacl_defaulted,
18916 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
18917 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
18919 { &hf_smb_sec_desc_type_sacl_present,
18920 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
18921 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
18923 { &hf_smb_sec_desc_type_sacl_defaulted,
18924 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
18925 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
18927 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
18928 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
18929 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
18931 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
18932 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
18933 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
18935 { &hf_smb_sec_desc_type_dacl_auto_inherited,
18936 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
18937 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
18939 { &hf_smb_sec_desc_type_sacl_auto_inherited,
18940 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
18941 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
18943 { &hf_smb_sec_desc_type_dacl_protected,
18944 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
18945 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
18947 { &hf_smb_sec_desc_type_sacl_protected,
18948 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
18949 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
18951 { &hf_smb_sec_desc_type_self_relative,
18952 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
18953 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
18955 { &hf_smb_quota_flags_deny_disk,
18956 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
18957 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
18959 { &hf_smb_quota_flags_log_limit,
18960 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
18961 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
18963 { &hf_smb_quota_flags_log_warning,
18964 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
18965 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
18967 { &hf_smb_quota_flags_enabled,
18968 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
18969 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
18971 { &hf_smb_segment_overlap,
18972 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18973 "Fragment overlaps with other fragments", HFILL }},
18975 { &hf_smb_segment_overlap_conflict,
18976 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18977 "Overlapping fragments contained conflicting data", HFILL }},
18979 { &hf_smb_segment_multiple_tails,
18980 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18981 "Several tails were found when defragmenting the packet", HFILL }},
18983 { &hf_smb_segment_too_long_fragment,
18984 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
18985 "Fragment contained data past end of packet", HFILL }},
18987 { &hf_smb_segment_error,
18988 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18989 "Defragmentation error due to illegal fragments", HFILL }},
18992 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
18993 "SMB Segment", HFILL }},
18995 { &hf_smb_segments,
18996 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
18997 "SMB Segments", HFILL }},
18999 { &hf_smb_unix_major_version,
19000 { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
19001 NULL, 0, "UNIX Major Version", HFILL }},
19003 { &hf_smb_unix_minor_version,
19004 { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
19005 NULL, 0, "UNIX Minor Version", HFILL }},
19007 { &hf_smb_unix_capability_fcntl,
19008 { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
19009 TFS(&flags_set_truth), 0x00000001, "", HFILL }},
19011 { &hf_smb_unix_capability_posix_acl,
19012 { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
19013 TFS(&flags_set_truth), 0x00000002, "", HFILL }},
19015 { &hf_smb_unix_file_size,
19016 { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
19017 NULL, 0, "", HFILL }},
19019 { &hf_smb_unix_file_num_bytes,
19020 { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
19021 NULL, 0, "Number of bytes used to store the file", HFILL }},
19023 { &hf_smb_unix_file_last_status,
19024 { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, BASE_NONE,
19025 NULL, 0, "", HFILL }},
19027 { &hf_smb_unix_file_last_access,
19028 { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, BASE_NONE,
19029 NULL, 0, "", HFILL }},
19031 { &hf_smb_unix_file_last_change,
19032 { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, BASE_NONE,
19033 NULL, 0, "", HFILL }},
19035 { &hf_smb_unix_file_uid,
19036 { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
19037 NULL, 0, "", HFILL }},
19039 { &hf_smb_unix_file_gid,
19040 { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
19041 NULL, 0, "", HFILL }},
19043 { &hf_smb_unix_file_type,
19044 { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
19045 VALS(unix_file_type_vals), 0, "", HFILL }},
19047 { &hf_smb_unix_file_dev_major,
19048 { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
19049 NULL, 0, "", HFILL }},
19051 { &hf_smb_unix_file_dev_minor,
19052 { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
19053 NULL, 0, "", HFILL }},
19055 { &hf_smb_unix_file_unique_id,
19056 { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
19057 NULL, 0, "", HFILL }},
19059 { &hf_smb_unix_file_permissions,
19060 { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
19061 NULL, 0, "", HFILL }},
19063 { &hf_smb_unix_file_nlinks,
19064 { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
19065 NULL, 0, "", HFILL }},
19067 { &hf_smb_unix_file_link_dest,
19068 { "Link destination", "smb.unix.file.link_dest", FT_STRING,
19069 BASE_NONE, NULL, 0, "", HFILL }},
19071 { &hf_smb_unix_find_file_nextoffset,
19072 { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
19073 NULL, 0, "", HFILL }},
19075 { &hf_smb_unix_find_file_resumekey,
19076 { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
19077 NULL, 0, "", HFILL }},
19081 { &hf_smb_access_mask,
19082 { "Access required", "smb.access_mask",
19083 FT_UINT32, BASE_HEX, NULL, 0x0, "Access mask",
19085 { &hf_access_generic_read,
19086 { "Generic read", "nt.access_mask.generic_read",
19087 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19088 GENERIC_READ_ACCESS, "Generic read", HFILL }},
19090 { &hf_access_generic_write,
19091 { "Generic write", "nt.access_mask.generic_write",
19092 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19093 GENERIC_WRITE_ACCESS, "Generic write", HFILL }},
19095 { &hf_access_generic_execute,
19096 { "Generic execute", "nt.access_mask.generic_execute",
19097 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19098 GENERIC_EXECUTE_ACCESS, "Generic execute", HFILL }},
19100 { &hf_access_generic_all,
19101 { "Generic all", "nt.access_mask.generic_all",
19102 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19103 GENERIC_ALL_ACCESS, "Generic all", HFILL }},
19105 { &hf_access_maximum_allowed,
19106 { "Maximum allowed", "nt.access_mask.maximum_allowed",
19107 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19108 MAXIMUM_ALLOWED_ACCESS, "Maximum allowed", HFILL }},
19111 { "Access SACL", "nt.access_mask.access_sacl",
19112 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19113 ACCESS_SACL_ACCESS, "Access SACL", HFILL }},
19115 { &hf_access_standard_read_control,
19116 { "Read control", "nt.access_mask.read_control",
19117 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19118 READ_CONTROL_ACCESS, "Read control", HFILL }},
19120 { &hf_access_standard_delete,
19121 { "Delete", "nt.access_mask.delete",
19122 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19123 DELETE_ACCESS, "Delete", HFILL }},
19125 { &hf_access_standard_synchronise,
19126 { "Synchronise", "nt.access_mask.synchronise",
19127 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19128 SYNCHRONIZE_ACCESS, "Synchronise", HFILL }},
19130 { &hf_access_standard_write_dac,
19131 { "Write DAC", "nt.access_mask.write_dac",
19132 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19133 WRITE_DAC_ACCESS, "Write DAC", HFILL }},
19135 { &hf_access_standard_write_owner,
19136 { "Write owner", "nt.access_mask.write_owner",
19137 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19138 WRITE_OWNER_ACCESS, "Write owner", HFILL }},
19140 { &hf_access_specific_15,
19141 { "Specific access, bit 15", "nt.access_mask.specific_15",
19142 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19143 0x8000, "Specific access, bit 15", HFILL }},
19145 { &hf_access_specific_14,
19146 { "Specific access, bit 14", "nt.access_mask.specific_14",
19147 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19148 0x4000, "Specific access, bit 14", HFILL }},
19150 { &hf_access_specific_13,
19151 { "Specific access, bit 13", "nt.access_mask.specific_13",
19152 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19153 0x2000, "Specific access, bit 13", HFILL }},
19155 { &hf_access_specific_12,
19156 { "Specific access, bit 12", "nt.access_mask.specific_12",
19157 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19158 0x1000, "Specific access, bit 12", HFILL }},
19160 { &hf_access_specific_11,
19161 { "Specific access, bit 11", "nt.access_mask.specific_11",
19162 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19163 0x0800, "Specific access, bit 11", HFILL }},
19165 { &hf_access_specific_10,
19166 { "Specific access, bit 10", "nt.access_mask.specific_10",
19167 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19168 0x0400, "Specific access, bit 10", HFILL }},
19170 { &hf_access_specific_9,
19171 { "Specific access, bit 9", "nt.access_mask.specific_9",
19172 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19173 0x0200, "Specific access, bit 9", HFILL }},
19175 { &hf_access_specific_8,
19176 { "Specific access, bit 8", "nt.access_mask.specific_8",
19177 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19178 0x0100, "Specific access, bit 8", HFILL }},
19180 { &hf_access_specific_7,
19181 { "Specific access, bit 7", "nt.access_mask.specific_7",
19182 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19183 0x0080, "Specific access, bit 7", HFILL }},
19185 { &hf_access_specific_6,
19186 { "Specific access, bit 6", "nt.access_mask.specific_6",
19187 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19188 0x0040, "Specific access, bit 6", HFILL }},
19190 { &hf_access_specific_5,
19191 { "Specific access, bit 5", "nt.access_mask.specific_5",
19192 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19193 0x0020, "Specific access, bit 5", HFILL }},
19195 { &hf_access_specific_4,
19196 { "Specific access, bit 4", "nt.access_mask.specific_4",
19197 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19198 0x0010, "Specific access, bit 4", HFILL }},
19200 { &hf_access_specific_3,
19201 { "Specific access, bit 3", "nt.access_mask.specific_3",
19202 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19203 0x0008, "Specific access, bit 3", HFILL }},
19205 { &hf_access_specific_2,
19206 { "Specific access, bit 2", "nt.access_mask.specific_2",
19207 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19208 0x0004, "Specific access, bit 2", HFILL }},
19210 { &hf_access_specific_1,
19211 { "Specific access, bit 1", "nt.access_mask.specific_1",
19212 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19213 0x0002, "Specific access, bit 1", HFILL }},
19215 { &hf_access_specific_0,
19216 { "Specific access, bit 0", "nt.access_mask.specific_0",
19217 FT_BOOLEAN, 32, TFS(&flags_set_truth),
19218 0x0001, "Specific access, bit 0", HFILL }}
19221 static gint *ett[] = {
19225 &ett_smb_fileattributes,
19226 &ett_smb_capabilities,
19234 &ett_smb_desiredaccess,
19237 &ett_smb_openfunction,
19239 &ett_smb_openaction,
19240 &ett_smb_writemode,
19241 &ett_smb_lock_type,
19242 &ett_smb_ssetupandxaction,
19243 &ett_smb_optionsup,
19244 &ett_smb_time_date,
19245 &ett_smb_move_copy_flags,
19246 &ett_smb_file_attributes,
19247 &ett_smb_search_resume_key,
19248 &ett_smb_search_dir_info,
19253 &ett_smb_open_flags,
19254 &ett_smb_ipc_state,
19255 &ett_smb_open_action,
19256 &ett_smb_setup_action,
19257 &ett_smb_connect_flags,
19258 &ett_smb_connect_support_bits,
19259 &ett_smb_nt_access_mask,
19260 &ett_smb_nt_create_bits,
19261 &ett_smb_nt_create_options,
19262 &ett_smb_nt_share_access,
19263 &ett_smb_nt_security_flags,
19264 &ett_smb_nt_trans_setup,
19265 &ett_smb_nt_trans_data,
19266 &ett_smb_nt_trans_param,
19267 &ett_smb_nt_notify_completion_filter,
19268 &ett_smb_nt_ioctl_flags,
19269 &ett_smb_security_information_mask,
19270 &ett_smb_print_queue_entry,
19271 &ett_smb_transaction_flags,
19272 &ett_smb_transaction_params,
19273 &ett_smb_find_first2_flags,
19277 &ett_smb_transaction_data,
19278 &ett_smb_stream_info,
19279 &ett_smb_dfs_referrals,
19280 &ett_smb_dfs_referral,
19281 &ett_smb_dfs_referral_flags,
19282 &ett_smb_get_dfs_flags,
19284 &ett_smb_device_characteristics,
19285 &ett_smb_fs_attributes,
19292 &ett_smb_ace_flags,
19293 &ett_smb_sec_desc_type,
19294 &ett_smb_quotaflags,
19296 &ett_smb_mac_support_flags,
19297 &ett_nt_access_mask,
19298 &ett_nt_access_mask_generic,
19299 &ett_nt_access_mask_standard,
19300 &ett_nt_access_mask_specific,
19301 &ett_smb_unicode_password,
19303 &ett_smb_unix_capabilities
19305 module_t *smb_module;
19307 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
19309 proto_register_subtree_array(ett, array_length(ett));
19310 proto_register_field_array(proto_smb, hf, array_length(hf));
19312 register_smb_common(proto_smb);
19314 register_init_routine(&smb_init_protocol);
19315 smb_module = prefs_register_protocol(proto_smb, NULL);
19316 prefs_register_bool_preference(smb_module, "trans_reassembly",
19317 "Reassemble SMB Transaction payload",
19318 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
19319 &smb_trans_reassembly);
19320 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
19321 "Reassemble DCERPC over SMB",
19322 "Whether the dissector should reassemble DCERPC over SMB commands",
19323 &smb_dcerpc_reassembly);
19324 prefs_register_bool_preference(smb_module, "sid_name_snooping",
19325 "Snoop SID to Name mappings",
19326 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
19327 &sid_name_snooping);
19329 register_init_routine(smb_trans_reassembly_init);
19330 smb_tap = register_tap("smb");
19334 proto_reg_handoff_smb(void)
19336 dissector_handle_t smb_handle;
19338 gssapi_handle = find_dissector("gssapi");
19339 ntlmssp_handle = find_dissector("ntlmssp");
19341 heur_dissector_add("netbios", dissect_smb_heur, proto_smb);
19342 heur_dissector_add("cotp", dissect_smb_heur, proto_smb);
19343 heur_dissector_add("vines_spp", dissect_smb_heur, proto_smb);
19344 smb_handle = create_dissector_handle(dissect_smb, proto_smb);
19345 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
19346 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
19347 dissector_add("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER,