2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
6 * $Id: packet-smb.c,v 1.236 2002/03/26 08:23:58 guy Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_NETINET_IN_H
40 # include <netinet/in.h>
47 #include <epan/packet.h>
48 #include <epan/conversation.h>
50 #include "alignment.h"
51 #include <epan/strutil.h>
53 #include "reassemble.h"
55 #include "packet-smb-mailslot.h"
56 #include "packet-smb-pipe.h"
59 * Various specifications and documents about SMB can be found in
61 * ftp://ftp.microsoft.com/developr/drg/CIFS/
63 * and a CIFS draft from the Storage Networking Industry Association
64 * can be found on a link from the page at
66 * http://www.snia.org/English/Work_Groups/NAS/CIFS/WG_CIFS_Docs.html
68 * (it supercedes the document at
70 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
74 * There are also some Open Group publications documenting CIFS for sale;
75 * catalog entries for them are at:
77 * http://www.opengroup.org/products/publications/catalog/c209.htm
79 * http://www.opengroup.org/products/publications/catalog/c195.htm
81 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
84 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
86 * (or, presumably a similar path under the Samba mirrors). As the
87 * ".doc" indicates, it's a Word document. Some of the specs from the
88 * Microsoft FTP site can be found in the
90 * http://www.samba.org/samba/ftp/specs/
94 * Beware - these specs may have errors.
96 static int proto_smb = -1;
97 static int hf_smb_cmd = -1;
98 static int hf_smb_pid = -1;
99 static int hf_smb_tid = -1;
100 static int hf_smb_uid = -1;
101 static int hf_smb_mid = -1;
102 static int hf_smb_response_to = -1;
103 static int hf_smb_response_in = -1;
104 static int hf_smb_continuation_to = -1;
105 static int hf_smb_nt_status = -1;
106 static int hf_smb_error_class = -1;
107 static int hf_smb_error_code = -1;
108 static int hf_smb_reserved = -1;
109 static int hf_smb_flags_lock = -1;
110 static int hf_smb_flags_receive_buffer = -1;
111 static int hf_smb_flags_caseless = -1;
112 static int hf_smb_flags_canon = -1;
113 static int hf_smb_flags_oplock = -1;
114 static int hf_smb_flags_notify = -1;
115 static int hf_smb_flags_response = -1;
116 static int hf_smb_flags2_long_names_allowed = -1;
117 static int hf_smb_flags2_ea = -1;
118 static int hf_smb_flags2_sec_sig = -1;
119 static int hf_smb_flags2_long_names_used = -1;
120 static int hf_smb_flags2_esn = -1;
121 static int hf_smb_flags2_dfs = -1;
122 static int hf_smb_flags2_roe = -1;
123 static int hf_smb_flags2_nt_error = -1;
124 static int hf_smb_flags2_string = -1;
125 static int hf_smb_word_count = -1;
126 static int hf_smb_byte_count = -1;
127 static int hf_smb_buffer_format = -1;
128 static int hf_smb_dialect_name = -1;
129 static int hf_smb_dialect_index = -1;
130 static int hf_smb_max_trans_buf_size = -1;
131 static int hf_smb_max_mpx_count = -1;
132 static int hf_smb_max_vcs_num = -1;
133 static int hf_smb_session_key = -1;
134 static int hf_smb_server_timezone = -1;
135 static int hf_smb_encryption_key_length = -1;
136 static int hf_smb_encryption_key = -1;
137 static int hf_smb_primary_domain = -1;
138 static int hf_smb_max_raw_buf_size = -1;
139 static int hf_smb_server_guid = -1;
140 static int hf_smb_security_blob_len = -1;
141 static int hf_smb_security_blob = -1;
142 static int hf_smb_sm_mode16 = -1;
143 static int hf_smb_sm_password16 = -1;
144 static int hf_smb_sm_mode = -1;
145 static int hf_smb_sm_password = -1;
146 static int hf_smb_sm_signatures = -1;
147 static int hf_smb_sm_sig_required = -1;
148 static int hf_smb_rm_read = -1;
149 static int hf_smb_rm_write = -1;
150 static int hf_smb_server_date_time = -1;
151 static int hf_smb_server_smb_date = -1;
152 static int hf_smb_server_smb_time = -1;
153 static int hf_smb_server_cap_raw_mode = -1;
154 static int hf_smb_server_cap_mpx_mode = -1;
155 static int hf_smb_server_cap_unicode = -1;
156 static int hf_smb_server_cap_large_files = -1;
157 static int hf_smb_server_cap_nt_smbs = -1;
158 static int hf_smb_server_cap_rpc_remote_apis = -1;
159 static int hf_smb_server_cap_nt_status = -1;
160 static int hf_smb_server_cap_level_ii_oplocks = -1;
161 static int hf_smb_server_cap_lock_and_read = -1;
162 static int hf_smb_server_cap_nt_find = -1;
163 static int hf_smb_server_cap_dfs = -1;
164 static int hf_smb_server_cap_infolevel_passthru = -1;
165 static int hf_smb_server_cap_large_readx = -1;
166 static int hf_smb_server_cap_large_writex = -1;
167 static int hf_smb_server_cap_unix = -1;
168 static int hf_smb_server_cap_reserved = -1;
169 static int hf_smb_server_cap_bulk_transfer = -1;
170 static int hf_smb_server_cap_compressed_data = -1;
171 static int hf_smb_server_cap_extended_security = -1;
172 static int hf_smb_system_time = -1;
173 static int hf_smb_unknown = -1;
174 static int hf_smb_dir_name = -1;
175 static int hf_smb_echo_count = -1;
176 static int hf_smb_echo_data = -1;
177 static int hf_smb_echo_seq_num = -1;
178 static int hf_smb_max_buf_size = -1;
179 static int hf_smb_password = -1;
180 static int hf_smb_password_len = -1;
181 static int hf_smb_ansi_password = -1;
182 static int hf_smb_ansi_password_len = -1;
183 static int hf_smb_unicode_password = -1;
184 static int hf_smb_unicode_password_len = -1;
185 static int hf_smb_path = -1;
186 static int hf_smb_service = -1;
187 static int hf_smb_move_flags_file = -1;
188 static int hf_smb_move_flags_dir = -1;
189 static int hf_smb_move_flags_verify = -1;
190 static int hf_smb_move_files_moved = -1;
191 static int hf_smb_count = -1;
192 static int hf_smb_file_name = -1;
193 static int hf_smb_open_function_open = -1;
194 static int hf_smb_open_function_create = -1;
195 static int hf_smb_fid = -1;
196 static int hf_smb_file_attr_read_only_16bit = -1;
197 static int hf_smb_file_attr_read_only_8bit = -1;
198 static int hf_smb_file_attr_hidden_16bit = -1;
199 static int hf_smb_file_attr_hidden_8bit = -1;
200 static int hf_smb_file_attr_system_16bit = -1;
201 static int hf_smb_file_attr_system_8bit = -1;
202 static int hf_smb_file_attr_volume_16bit = -1;
203 static int hf_smb_file_attr_volume_8bit = -1;
204 static int hf_smb_file_attr_directory_16bit = -1;
205 static int hf_smb_file_attr_directory_8bit = -1;
206 static int hf_smb_file_attr_archive_16bit = -1;
207 static int hf_smb_file_attr_archive_8bit = -1;
208 static int hf_smb_file_attr_device = -1;
209 static int hf_smb_file_attr_normal = -1;
210 static int hf_smb_file_attr_temporary = -1;
211 static int hf_smb_file_attr_sparse = -1;
212 static int hf_smb_file_attr_reparse = -1;
213 static int hf_smb_file_attr_compressed = -1;
214 static int hf_smb_file_attr_offline = -1;
215 static int hf_smb_file_attr_not_content_indexed = -1;
216 static int hf_smb_file_attr_encrypted = -1;
217 static int hf_smb_file_size = -1;
218 static int hf_smb_search_attribute_read_only = -1;
219 static int hf_smb_search_attribute_hidden = -1;
220 static int hf_smb_search_attribute_system = -1;
221 static int hf_smb_search_attribute_volume = -1;
222 static int hf_smb_search_attribute_directory = -1;
223 static int hf_smb_search_attribute_archive = -1;
224 static int hf_smb_access_mode = -1;
225 static int hf_smb_access_sharing = -1;
226 static int hf_smb_access_locality = -1;
227 static int hf_smb_access_caching = -1;
228 static int hf_smb_access_writetru = -1;
229 static int hf_smb_create_time = -1;
230 static int hf_smb_create_dos_date = -1;
231 static int hf_smb_create_dos_time = -1;
232 static int hf_smb_last_write_time = -1;
233 static int hf_smb_last_write_dos_date = -1;
234 static int hf_smb_last_write_dos_time = -1;
235 static int hf_smb_access_time = -1;
236 static int hf_smb_access_dos_date = -1;
237 static int hf_smb_access_dos_time = -1;
238 static int hf_smb_old_file_name = -1;
239 static int hf_smb_offset = -1;
240 static int hf_smb_remaining = -1;
241 static int hf_smb_padding = -1;
242 static int hf_smb_file_data = -1;
243 static int hf_smb_total_data_len = -1;
244 static int hf_smb_data_len = -1;
245 static int hf_smb_seek_mode = -1;
246 static int hf_smb_data_size = -1;
247 static int hf_smb_alloc_size = -1;
248 static int hf_smb_alloc_size64 = -1;
249 static int hf_smb_max_count = -1;
250 static int hf_smb_min_count = -1;
251 static int hf_smb_timeout = -1;
252 static int hf_smb_high_offset = -1;
253 static int hf_smb_units = -1;
254 static int hf_smb_bpu = -1;
255 static int hf_smb_blocksize = -1;
256 static int hf_smb_freeunits = -1;
257 static int hf_smb_data_offset = -1;
258 static int hf_smb_dcm = -1;
259 static int hf_smb_request_mask = -1;
260 static int hf_smb_response_mask = -1;
261 static int hf_smb_sid = -1;
262 static int hf_smb_write_mode_write_through = -1;
263 static int hf_smb_write_mode_return_remaining = -1;
264 static int hf_smb_write_mode_raw = -1;
265 static int hf_smb_write_mode_message_start = -1;
266 static int hf_smb_write_mode_connectionless = -1;
267 static int hf_smb_resume_key_len = -1;
268 static int hf_smb_resume_server_cookie = -1;
269 static int hf_smb_resume_client_cookie = -1;
270 static int hf_smb_andxoffset = -1;
271 static int hf_smb_lock_type_large = -1;
272 static int hf_smb_lock_type_cancel = -1;
273 static int hf_smb_lock_type_change = -1;
274 static int hf_smb_lock_type_oplock = -1;
275 static int hf_smb_lock_type_shared = -1;
276 static int hf_smb_locking_ol = -1;
277 static int hf_smb_number_of_locks = -1;
278 static int hf_smb_number_of_unlocks = -1;
279 static int hf_smb_lock_long_offset = -1;
280 static int hf_smb_lock_long_length = -1;
281 static int hf_smb_file_type = -1;
282 static int hf_smb_ipc_state_nonblocking = -1;
283 static int hf_smb_ipc_state_endpoint = -1;
284 static int hf_smb_ipc_state_pipe_type = -1;
285 static int hf_smb_ipc_state_read_mode = -1;
286 static int hf_smb_ipc_state_icount = -1;
287 static int hf_smb_server_fid = -1;
288 static int hf_smb_open_flags_add_info = -1;
289 static int hf_smb_open_flags_ex_oplock = -1;
290 static int hf_smb_open_flags_batch_oplock = -1;
291 static int hf_smb_open_flags_ealen = -1;
292 static int hf_smb_open_action_open = -1;
293 static int hf_smb_open_action_lock = -1;
294 static int hf_smb_vc_num = -1;
295 static int hf_smb_account = -1;
296 static int hf_smb_os = -1;
297 static int hf_smb_lanman = -1;
298 static int hf_smb_setup_action_guest = -1;
299 static int hf_smb_fs = -1;
300 static int hf_smb_connect_flags_dtid = -1;
301 static int hf_smb_connect_support_search = -1;
302 static int hf_smb_connect_support_in_dfs = -1;
303 static int hf_smb_max_setup_count = -1;
304 static int hf_smb_total_param_count = -1;
305 static int hf_smb_total_data_count = -1;
306 static int hf_smb_max_param_count = -1;
307 static int hf_smb_max_data_count = -1;
308 static int hf_smb_param_disp16 = -1;
309 static int hf_smb_param_count16 = -1;
310 static int hf_smb_param_offset16 = -1;
311 static int hf_smb_param_disp32 = -1;
312 static int hf_smb_param_count32 = -1;
313 static int hf_smb_param_offset32 = -1;
314 static int hf_smb_data_disp16 = -1;
315 static int hf_smb_data_count16 = -1;
316 static int hf_smb_data_offset16 = -1;
317 static int hf_smb_data_disp32 = -1;
318 static int hf_smb_data_count32 = -1;
319 static int hf_smb_data_offset32 = -1;
320 static int hf_smb_setup_count = -1;
321 static int hf_smb_nt_trans_subcmd = -1;
322 static int hf_smb_nt_ioctl_function_code = -1;
323 static int hf_smb_nt_ioctl_isfsctl = -1;
324 static int hf_smb_nt_ioctl_flags_root_handle = -1;
325 static int hf_smb_nt_ioctl_data = -1;
326 static int hf_smb_nt_security_information = -1;
327 static int hf_smb_nt_notify_action = -1;
328 static int hf_smb_nt_notify_watch_tree = -1;
329 static int hf_smb_nt_notify_stream_write = -1;
330 static int hf_smb_nt_notify_stream_size = -1;
331 static int hf_smb_nt_notify_stream_name = -1;
332 static int hf_smb_nt_notify_security = -1;
333 static int hf_smb_nt_notify_ea = -1;
334 static int hf_smb_nt_notify_creation = -1;
335 static int hf_smb_nt_notify_last_access = -1;
336 static int hf_smb_nt_notify_last_write = -1;
337 static int hf_smb_nt_notify_size = -1;
338 static int hf_smb_nt_notify_attributes = -1;
339 static int hf_smb_nt_notify_dir_name = -1;
340 static int hf_smb_nt_notify_file_name = -1;
341 static int hf_smb_root_dir_fid = -1;
342 static int hf_smb_nt_create_disposition = -1;
343 static int hf_smb_sd_length = -1;
344 static int hf_smb_ea_length = -1;
345 static int hf_smb_file_name_len = -1;
346 static int hf_smb_nt_impersonation_level = -1;
347 static int hf_smb_nt_security_flags_context_tracking = -1;
348 static int hf_smb_nt_security_flags_effective_only = -1;
349 static int hf_smb_nt_access_mask_generic_read = -1;
350 static int hf_smb_nt_access_mask_generic_write = -1;
351 static int hf_smb_nt_access_mask_generic_execute = -1;
352 static int hf_smb_nt_access_mask_generic_all = -1;
353 static int hf_smb_nt_access_mask_maximum_allowed = -1;
354 static int hf_smb_nt_access_mask_system_security = -1;
355 static int hf_smb_nt_access_mask_synchronize = -1;
356 static int hf_smb_nt_access_mask_write_owner = -1;
357 static int hf_smb_nt_access_mask_write_dac = -1;
358 static int hf_smb_nt_access_mask_read_control = -1;
359 static int hf_smb_nt_access_mask_delete = -1;
360 static int hf_smb_nt_access_mask_write_attributes = -1;
361 static int hf_smb_nt_access_mask_read_attributes = -1;
362 static int hf_smb_nt_access_mask_delete_child = -1;
363 static int hf_smb_nt_access_mask_execute = -1;
364 static int hf_smb_nt_access_mask_write_ea = -1;
365 static int hf_smb_nt_access_mask_read_ea = -1;
366 static int hf_smb_nt_access_mask_append = -1;
367 static int hf_smb_nt_access_mask_write = -1;
368 static int hf_smb_nt_access_mask_read = -1;
369 static int hf_smb_nt_create_bits_oplock = -1;
370 static int hf_smb_nt_create_bits_boplock = -1;
371 static int hf_smb_nt_create_bits_dir = -1;
372 static int hf_smb_nt_create_options_directory_file = -1;
373 static int hf_smb_nt_create_options_write_through = -1;
374 static int hf_smb_nt_create_options_sequential_only = -1;
375 static int hf_smb_nt_create_options_sync_io_alert = -1;
376 static int hf_smb_nt_create_options_sync_io_nonalert = -1;
377 static int hf_smb_nt_create_options_non_directory_file = -1;
378 static int hf_smb_nt_create_options_no_ea_knowledge = -1;
379 static int hf_smb_nt_create_options_eight_dot_three_only = -1;
380 static int hf_smb_nt_create_options_random_access = -1;
381 static int hf_smb_nt_create_options_delete_on_close = -1;
382 static int hf_smb_nt_share_access_read = -1;
383 static int hf_smb_nt_share_access_write = -1;
384 static int hf_smb_nt_share_access_delete = -1;
385 static int hf_smb_file_eattr_read_only = -1;
386 static int hf_smb_file_eattr_hidden = -1;
387 static int hf_smb_file_eattr_system = -1;
388 static int hf_smb_file_eattr_volume = -1;
389 static int hf_smb_file_eattr_directory = -1;
390 static int hf_smb_file_eattr_archive = -1;
391 static int hf_smb_file_eattr_device = -1;
392 static int hf_smb_file_eattr_normal = -1;
393 static int hf_smb_file_eattr_temporary = -1;
394 static int hf_smb_file_eattr_sparse = -1;
395 static int hf_smb_file_eattr_reparse = -1;
396 static int hf_smb_file_eattr_compressed = -1;
397 static int hf_smb_file_eattr_offline = -1;
398 static int hf_smb_file_eattr_not_content_indexed = -1;
399 static int hf_smb_file_eattr_encrypted = -1;
400 static int hf_smb_file_eattr_write_through = -1;
401 static int hf_smb_file_eattr_no_buffering = -1;
402 static int hf_smb_file_eattr_random_access = -1;
403 static int hf_smb_file_eattr_sequential_scan = -1;
404 static int hf_smb_file_eattr_delete_on_close = -1;
405 static int hf_smb_file_eattr_backup_semantics = -1;
406 static int hf_smb_file_eattr_posix_semantics = -1;
407 static int hf_smb_sec_desc_len = -1;
408 static int hf_smb_sec_desc_revision = -1;
409 static int hf_smb_sec_desc_type_owner_defaulted = -1;
410 static int hf_smb_sec_desc_type_group_defaulted = -1;
411 static int hf_smb_sec_desc_type_dacl_present = -1;
412 static int hf_smb_sec_desc_type_dacl_defaulted = -1;
413 static int hf_smb_sec_desc_type_sacl_present = -1;
414 static int hf_smb_sec_desc_type_sacl_defaulted = -1;
415 static int hf_smb_sec_desc_type_dacl_auto_inherit_req = -1;
416 static int hf_smb_sec_desc_type_sacl_auto_inherit_req = -1;
417 static int hf_smb_sec_desc_type_dacl_auto_inherited = -1;
418 static int hf_smb_sec_desc_type_sacl_auto_inherited = -1;
419 static int hf_smb_sec_desc_type_dacl_protected = -1;
420 static int hf_smb_sec_desc_type_sacl_protected = -1;
421 static int hf_smb_sec_desc_type_self_relative = -1;
422 static int hf_smb_sid_revision = -1;
423 static int hf_smb_sid_num_auth = -1;
424 static int hf_smb_acl_revision = -1;
425 static int hf_smb_acl_size = -1;
426 static int hf_smb_acl_num_aces = -1;
427 static int hf_smb_ace_type = -1;
428 static int hf_smb_ace_size = -1;
429 static int hf_smb_ace_flags_object_inherit = -1;
430 static int hf_smb_ace_flags_container_inherit = -1;
431 static int hf_smb_ace_flags_non_propagate_inherit = -1;
432 static int hf_smb_ace_flags_inherit_only = -1;
433 static int hf_smb_ace_flags_inherited_ace = -1;
434 static int hf_smb_ace_flags_successful_access = -1;
435 static int hf_smb_ace_flags_failed_access = -1;
436 static int hf_smb_nt_qsd_owner = -1;
437 static int hf_smb_nt_qsd_group = -1;
438 static int hf_smb_nt_qsd_dacl = -1;
439 static int hf_smb_nt_qsd_sacl = -1;
440 static int hf_smb_extended_attributes = -1;
441 static int hf_smb_oplock_level = -1;
442 static int hf_smb_create_action = -1;
443 static int hf_smb_ea_error_offset = -1;
444 static int hf_smb_end_of_file = -1;
445 static int hf_smb_device_type = -1;
446 static int hf_smb_is_directory = -1;
447 static int hf_smb_next_entry_offset = -1;
448 static int hf_smb_change_time = -1;
449 static int hf_smb_setup_len = -1;
450 static int hf_smb_print_mode = -1;
451 static int hf_smb_print_identifier = -1;
452 static int hf_smb_restart_index = -1;
453 static int hf_smb_print_queue_date = -1;
454 static int hf_smb_print_queue_dos_date = -1;
455 static int hf_smb_print_queue_dos_time = -1;
456 static int hf_smb_print_status = -1;
457 static int hf_smb_print_spool_file_number = -1;
458 static int hf_smb_print_spool_file_size = -1;
459 static int hf_smb_print_spool_file_name = -1;
460 static int hf_smb_start_index = -1;
461 static int hf_smb_cancel_to = -1;
462 static int hf_smb_trans2_subcmd = -1;
463 static int hf_smb_trans_name = -1;
464 static int hf_smb_transaction_flags_dtid = -1;
465 static int hf_smb_transaction_flags_owt = -1;
466 static int hf_smb_search_count = -1;
467 static int hf_smb_search_pattern = -1;
468 static int hf_smb_ff2_backup = -1;
469 static int hf_smb_ff2_continue = -1;
470 static int hf_smb_ff2_resume = -1;
471 static int hf_smb_ff2_close_eos = -1;
472 static int hf_smb_ff2_close = -1;
473 static int hf_smb_ff2_information_level = -1;
474 static int hf_smb_qpi_loi = -1;
475 static int hf_smb_storage_type = -1;
476 static int hf_smb_resume = -1;
477 static int hf_smb_max_referral_level = -1;
478 static int hf_smb_qfsi_information_level = -1;
479 static int hf_smb_ea_size = -1;
480 static int hf_smb_list_length = -1;
481 static int hf_smb_number_of_links = -1;
482 static int hf_smb_delete_pending = -1;
483 static int hf_smb_index_number = -1;
484 static int hf_smb_current_offset = -1;
485 static int hf_smb_t2_alignment = -1;
486 static int hf_smb_t2_stream_name_length = -1;
487 static int hf_smb_t2_stream_size = -1;
488 static int hf_smb_t2_stream_name = -1;
489 static int hf_smb_t2_compressed_file_size = -1;
490 static int hf_smb_t2_compressed_format = -1;
491 static int hf_smb_t2_compressed_unit_shift = -1;
492 static int hf_smb_t2_compressed_chunk_shift = -1;
493 static int hf_smb_t2_compressed_cluster_shift = -1;
494 static int hf_smb_dfs_path_consumed = -1;
495 static int hf_smb_dfs_num_referrals = -1;
496 static int hf_smb_get_dfs_server_hold_storage = -1;
497 static int hf_smb_get_dfs_fielding = -1;
498 static int hf_smb_dfs_referral_version = -1;
499 static int hf_smb_dfs_referral_size = -1;
500 static int hf_smb_dfs_referral_server_type = -1;
501 static int hf_smb_dfs_referral_flags_strip = -1;
502 static int hf_smb_dfs_referral_node_offset = -1;
503 static int hf_smb_dfs_referral_node = -1;
504 static int hf_smb_dfs_referral_proximity = -1;
505 static int hf_smb_dfs_referral_ttl = -1;
506 static int hf_smb_dfs_referral_path_offset = -1;
507 static int hf_smb_dfs_referral_path = -1;
508 static int hf_smb_dfs_referral_alt_path_offset = -1;
509 static int hf_smb_dfs_referral_alt_path = -1;
510 static int hf_smb_end_of_search = -1;
511 static int hf_smb_last_name_offset = -1;
512 static int hf_smb_file_index = -1;
513 static int hf_smb_short_file_name = -1;
514 static int hf_smb_short_file_name_len = -1;
515 static int hf_smb_fs_id = -1;
516 static int hf_smb_sector_unit = -1;
517 static int hf_smb_fs_units = -1;
518 static int hf_smb_fs_sector = -1;
519 static int hf_smb_avail_units = -1;
520 static int hf_smb_volume_serial_num = -1;
521 static int hf_smb_volume_label_len = -1;
522 static int hf_smb_volume_label = -1;
523 static int hf_smb_free_alloc_units64 = -1;
524 static int hf_smb_max_name_len = -1;
525 static int hf_smb_fs_name_len = -1;
526 static int hf_smb_fs_name = -1;
527 static int hf_smb_device_char_removable = -1;
528 static int hf_smb_device_char_read_only = -1;
529 static int hf_smb_device_char_floppy = -1;
530 static int hf_smb_device_char_write_once = -1;
531 static int hf_smb_device_char_remote = -1;
532 static int hf_smb_device_char_mounted = -1;
533 static int hf_smb_device_char_virtual = -1;
534 static int hf_smb_fs_attr_css = -1;
535 static int hf_smb_fs_attr_cpn = -1;
536 static int hf_smb_fs_attr_pacls = -1;
537 static int hf_smb_fs_attr_fc = -1;
538 static int hf_smb_fs_attr_vq = -1;
539 static int hf_smb_fs_attr_dim = -1;
540 static int hf_smb_fs_attr_vic = -1;
541 static int hf_smb_quota_flags_enabled = -1;
542 static int hf_smb_quota_flags_deny_disk = -1;
543 static int hf_smb_quota_flags_log_limit = -1;
544 static int hf_smb_quota_flags_log_warning = -1;
545 static int hf_smb_soft_quota_limit = -1;
546 static int hf_smb_hard_quota_limit = -1;
547 static int hf_smb_user_quota_used = -1;
548 static int hf_smb_user_quota_offset = -1;
550 static gint ett_smb = -1;
551 static gint ett_smb_hdr = -1;
552 static gint ett_smb_command = -1;
553 static gint ett_smb_fileattributes = -1;
554 static gint ett_smb_capabilities = -1;
555 static gint ett_smb_aflags = -1;
556 static gint ett_smb_dialect = -1;
557 static gint ett_smb_dialects = -1;
558 static gint ett_smb_mode = -1;
559 static gint ett_smb_rawmode = -1;
560 static gint ett_smb_flags = -1;
561 static gint ett_smb_flags2 = -1;
562 static gint ett_smb_desiredaccess = -1;
563 static gint ett_smb_search = -1;
564 static gint ett_smb_file = -1;
565 static gint ett_smb_openfunction = -1;
566 static gint ett_smb_filetype = -1;
567 static gint ett_smb_openaction = -1;
568 static gint ett_smb_writemode = -1;
569 static gint ett_smb_lock_type = -1;
570 static gint ett_smb_ssetupandxaction = -1;
571 static gint ett_smb_optionsup = -1;
572 static gint ett_smb_time_date = -1;
573 static gint ett_smb_move_flags = -1;
574 static gint ett_smb_file_attributes = -1;
575 static gint ett_smb_search_resume_key = -1;
576 static gint ett_smb_search_dir_info = -1;
577 static gint ett_smb_unlocks = -1;
578 static gint ett_smb_unlock = -1;
579 static gint ett_smb_locks = -1;
580 static gint ett_smb_lock = -1;
581 static gint ett_smb_open_flags = -1;
582 static gint ett_smb_ipc_state = -1;
583 static gint ett_smb_open_action = -1;
584 static gint ett_smb_setup_action = -1;
585 static gint ett_smb_connect_flags = -1;
586 static gint ett_smb_connect_support_bits = -1;
587 static gint ett_smb_nt_access_mask = -1;
588 static gint ett_smb_nt_create_bits = -1;
589 static gint ett_smb_nt_create_options = -1;
590 static gint ett_smb_nt_share_access = -1;
591 static gint ett_smb_nt_security_flags = -1;
592 static gint ett_smb_nt_trans_setup = -1;
593 static gint ett_smb_nt_trans_data = -1;
594 static gint ett_smb_nt_trans_param = -1;
595 static gint ett_smb_nt_notify_completion_filter = -1;
596 static gint ett_smb_nt_ioctl_flags = -1;
597 static gint ett_smb_security_information_mask = -1;
598 static gint ett_smb_print_queue_entry = -1;
599 static gint ett_smb_transaction_flags = -1;
600 static gint ett_smb_transaction_params = -1;
601 static gint ett_smb_find_first2_flags = -1;
602 static gint ett_smb_transaction_data = -1;
603 static gint ett_smb_stream_info = -1;
604 static gint ett_smb_dfs_referrals = -1;
605 static gint ett_smb_dfs_referral = -1;
606 static gint ett_smb_dfs_referral_flags = -1;
607 static gint ett_smb_get_dfs_flags = -1;
608 static gint ett_smb_ff2_data = -1;
609 static gint ett_smb_device_characteristics = -1;
610 static gint ett_smb_fs_attributes = -1;
611 static gint ett_smb_segments = -1;
612 static gint ett_smb_sec_desc = -1;
613 static gint ett_smb_sid = -1;
614 static gint ett_smb_acl = -1;
615 static gint ett_smb_ace = -1;
616 static gint ett_smb_ace_flags = -1;
617 static gint ett_smb_sec_desc_type = -1;
618 static gint ett_smb_quotaflags = -1;
620 proto_tree *top_tree=NULL; /* ugly */
622 static char *decode_smb_name(unsigned char);
623 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, guint8 cmd);
624 static const gchar *get_unicode_or_ascii_string(tvbuff_t *tvb,
625 int *offsetp, packet_info *pinfo, int *len, gboolean nopad,
626 gboolean exactlen, guint16 *bcp);
629 * Macros for use in the main dissector routines for an SMB.
634 wc = tvb_get_guint8(tvb, offset); \
635 proto_tree_add_uint(tree, hf_smb_word_count, \
636 tvb, offset, 1, wc); \
638 if(wc==0) goto bytecount;
642 bc = tvb_get_letohs(tvb, offset); \
643 proto_tree_add_uint(tree, hf_smb_byte_count, \
644 tvb, offset, 2, bc); \
646 if(bc==0) goto endofcommand;
648 #define CHECK_BYTE_COUNT(len) \
649 if (bc < len) goto endofcommand;
651 #define COUNT_BYTES(len) {\
660 proto_tree_add_text(tree, tvb, offset, bc, \
661 "Extra byte parameters"); \
667 * Macros for use in routines called by them.
669 #define CHECK_BYTE_COUNT_SUBR(len) \
675 #define CHECK_STRING_SUBR(fn) \
681 #define COUNT_BYTES_SUBR(len) \
686 * Macros for use when dissecting transaction parameters and data
688 #define CHECK_BYTE_COUNT_TRANS(len) \
689 if (bc < len) return offset;
691 #define CHECK_STRING_TRANS(fn) \
692 if (fn == NULL) return offset;
694 #define COUNT_BYTES_TRANS(len) \
699 * Macros for use in subrroutines dissecting transaction parameters or data
701 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
702 if (*bcp < len) return offset;
704 #define CHECK_STRING_TRANS_SUBR(fn) \
705 if (fn == NULL) return offset;
707 #define COUNT_BYTES_TRANS_SUBR(len) \
712 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
713 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
714 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
715 static gboolean smb_trans_reassembly = FALSE;
716 gboolean smb_dcerpc_reassembly = FALSE;
718 static GHashTable *smb_trans_fragment_table = NULL;
719 GHashTable *dcerpc_fragment_table = NULL;
722 smb_trans_reassembly_init(void)
724 fragment_table_init(&smb_trans_fragment_table);
727 smb_dcerpc_reassembly_init(void)
729 fragment_table_init(&dcerpc_fragment_table);
733 static fragment_data *
734 smb_trans_defragment(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
735 int offset, int count, int pos, int totlen)
737 fragment_data *fd_head=NULL;
741 more_frags=totlen>(pos+count);
743 si = (smb_info_t *)pinfo->private_data;
744 if (si->sip == NULL) {
746 * We don't have the frame number of the request.
748 * XXX - is there truly nothing we can do here?
749 * Can we not separately keep track of the original
750 * transaction and its continuations, as we did
753 * It is probably not much point in even trying to do something here
754 * if we have never seen the initial request. Without the initial
755 * request we probably miss all parameters and the begining of data
756 * so we cant even call a subdissector since we can not determine
757 * which type of transaction call this is.
762 if(!pinfo->fd->flags.visited){
763 fd_head = fragment_add(tvb, offset, pinfo,
764 si->sip->frame_req, smb_trans_fragment_table,
765 pos, count, more_frags);
767 fd_head = fragment_get(pinfo, si->sip->frame_req, smb_trans_fragment_table);
770 /* we only show the defragmented packet for the first fragment,
771 or else we might end up with dissecting one HUGE transaction PDU
772 a LOT of times. (first fragment is the only one containing the setup
774 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
775 SMBs. Takes a LOT of time dissecting and is not fun.
777 if( (pos==0) && fd_head && fd_head->flags&FD_DEFRAGMENTED){
788 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
789 These variables and functions are used to match
791 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
793 * The information we need to save about a request in order to show the
794 * frame number of the request in the dissection of the reply.
799 } smb_saved_info_key_t;
801 static GMemChunk *smb_saved_info_key_chunk = NULL;
802 static GMemChunk *smb_saved_info_chunk = NULL;
803 static int smb_saved_info_init_count = 200;
805 /* unmatched smb_saved_info structures.
806 For unmatched smb_saved_info structures we store the smb_saved_info
807 structure using the MID and the PID as the key.
809 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
810 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
811 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
814 smb_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
816 register guint32 key1 = (guint32)k1;
817 register guint32 key2 = (guint32)k2;
821 smb_saved_info_hash_unmatched(gconstpointer k)
823 register guint32 key = (guint32)k;
827 /* matched smb_saved_info structures.
828 For matched smb_saved_info structures we store the smb_saved_info
829 structure twice in the table using the frame number, and a combination
830 of the MID and the PID, as the key.
831 The frame number is guaranteed to be unique but if ever someone makes
832 some change that will renumber the frames in a capture we are in BIG trouble.
833 This is not likely though since that would break (among other things) all the
834 reassembly routines as well.
836 We also need the MID as there may be more than one SMB request or reply
837 in a single frame, and we also need the PID as there may be more than
838 one outstanding request with the same MID and different PIDs.
841 smb_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
843 const smb_saved_info_key_t *key1 = k1;
844 const smb_saved_info_key_t *key2 = k2;
845 return key1->frame == key2->frame && key1->pid_mid == key2->pid_mid;
848 smb_saved_info_hash_matched(gconstpointer k)
850 const smb_saved_info_key_t *key = k;
851 return key->frame + key->pid_mid;
855 * The information we need to save about an NT Transaction request in order
856 * to dissect the reply.
860 } smb_nt_transact_info_t;
862 static GMemChunk *smb_nt_transact_info_chunk = NULL;
863 static int smb_nt_transact_info_init_count = 200;
866 * The information we need to save about a Transaction2 request in order
867 * to dissect the reply.
872 } smb_transact2_info_t;
874 static GMemChunk *smb_transact2_info_chunk = NULL;
875 static int smb_transact2_info_init_count = 200;
878 * The information we need to save about a Transaction request in order
879 * to dissect the reply; this includes information for use by the
880 * Remote API dissector.
882 static GMemChunk *smb_transact_info_chunk = NULL;
883 static int smb_transact_info_init_count = 200;
885 static GMemChunk *conv_tables_chunk = NULL;
886 static GSList *conv_tables = NULL;
887 static int conv_tables_count = 10;
890 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
891 End of request/response matching functions
892 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
894 static const value_string buffer_format_vals[] = {
899 {5, "Variable Block"},
904 * UTIME - this is *almost* like a UNIX time stamp, except that it's
905 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
906 * January 1, 1970, 00:00:00 GMT.
908 * This means we have to do some extra work to convert it. This code is
909 * based on the Samba code:
911 * Unix SMB/Netbios implementation.
913 * time handling functions
914 * Copyright (C) Andrew Tridgell 1992-1998
918 * Yield the difference between *A and *B, in seconds, ignoring leap
921 #define TM_YEAR_BASE 1900
924 tm_diff(struct tm *a, struct tm *b)
926 int ay = a->tm_year + (TM_YEAR_BASE - 1);
927 int by = b->tm_year + (TM_YEAR_BASE - 1);
928 int intervening_leap_days =
929 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
932 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
933 int hours = 24*days + (a->tm_hour - b->tm_hour);
934 int minutes = 60*hours + (a->tm_min - b->tm_min);
935 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
941 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
947 struct tm *tm = gmtime(&t);
956 return tm_diff(&tm_utc,tm);
960 * Return the same value as TimeZone, but it should be more efficient.
962 * We keep a table of DST offsets to prevent calling localtime() on each
963 * call of this function. This saves a LOT of time on many unixes.
965 * Updated by Paul Eggert <eggert@twinsun.com>
972 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
973 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
976 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
980 TimeZoneFaster(time_t t)
982 static struct dst_table {time_t start,end; int zone;} *tdt;
983 static struct dst_table *dst_table = NULL;
984 static int table_size = 0;
991 /* Tunis has a 8 day DST region, we need to be careful ... */
992 #define MAX_DST_WIDTH (365*24*60*60)
993 #define MAX_DST_SKIP (7*24*60*60)
995 for (i = 0; i < table_size; i++) {
996 if (t >= dst_table[i].start && t <= dst_table[i].end)
1000 if (i < table_size) {
1001 zone = dst_table[i].zone;
1006 if (dst_table == NULL)
1007 tdt = g_malloc(sizeof(dst_table[0])*(i+1));
1009 tdt = g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
1018 dst_table[i].zone = zone;
1019 dst_table[i].start = dst_table[i].end = t;
1021 /* no entry will cover more than 6 months */
1022 low = t - MAX_DST_WIDTH/2;
1026 high = t + MAX_DST_WIDTH/2;
1031 * Widen the new entry using two bisection searches.
1033 while (low+60*60 < dst_table[i].start) {
1034 if (dst_table[i].start - low > MAX_DST_SKIP*2)
1035 t = dst_table[i].start - MAX_DST_SKIP;
1037 t = low + (dst_table[i].start-low)/2;
1038 if (TimeZone(t) == zone)
1039 dst_table[i].start = t;
1044 while (high-60*60 > dst_table[i].end) {
1045 if (high - dst_table[i].end > MAX_DST_SKIP*2)
1046 t = dst_table[i].end + MAX_DST_SKIP;
1048 t = high - (high-dst_table[i].end)/2;
1049 if (TimeZone(t) == zone)
1050 dst_table[i].end = t;
1060 * Return the UTC offset in seconds west of UTC, adjusted for extra time
1061 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
1062 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
1063 * daylight savings transitions because some local times are ambiguous.
1064 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
1067 LocTimeDiff(time_t lt)
1069 int d = TimeZoneFaster(lt);
1072 /* if overflow occurred, ignore all the adjustments so far */
1073 if (((t < lt) ^ (d < 0)))
1077 * Now t should be close enough to the true UTC to yield the
1080 return TimeZoneFaster(t);
1084 dissect_smb_UTIME(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_date)
1089 timeval = tvb_get_letohl(tvb, offset);
1090 if (timeval == 0xffffffff) {
1091 proto_tree_add_text(tree, tvb, offset, 4,
1092 "%s: No time specified (0xffffffff)",
1093 proto_registrar_get_name(hf_date));
1099 * We add the local time offset.
1101 ts.secs = timeval + LocTimeDiff(timeval);
1104 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
1110 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
1113 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1115 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1116 * midnight "UTC", in 100ns units.
1117 * Return TRUE if the conversion succeeds, FALSE otherwise.
1119 * According to the Samba code, it appears to be kludge-GMT (at least for
1120 * file listings). This means it's the GMT you get by taking a local time
1121 * and adding the server time zone offset. This is NOT the same as GMT in
1122 * some cases. However, we don't know the server time zone, so we don't
1123 * do that adjustment.
1125 * This code is based on the Samba code:
1127 * Unix SMB/Netbios implementation.
1129 * time handling functions
1130 * Copyright (C) Andrew Tridgell 1992-1998
1133 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1136 /* The next two lines are a fix needed for the
1137 broken SCO compiler. JRA. */
1138 time_t l_time_min = TIME_T_MIN;
1139 time_t l_time_max = TIME_T_MAX;
1141 if (filetime_high == 0)
1145 * Get the time as a double, in seconds and fractional seconds.
1147 d = ((double)filetime_high)*4.0*(double)(1<<30);
1151 /* Now adjust by 369 years, to make the seconds since 1970. */
1152 d -= TIME_FIXUP_CONSTANT;
1154 if (!(l_time_min <= d && d <= l_time_max))
1158 * Get the time as seconds and nanoseconds.
1161 tv->nsecs = (d - tv->secs)*1000000000;
1167 dissect_smb_64bit_time(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_date)
1169 guint32 filetime_high, filetime_low;
1172 /* XXX there seems also to be another special time value which is fairly common :
1174 the meaning of this one is yet unknown
1177 filetime_low = tvb_get_letohl(tvb, offset);
1178 filetime_high = tvb_get_letohl(tvb, offset + 4);
1179 if (filetime_low == 0 && filetime_high == 0) {
1180 proto_tree_add_text(tree, tvb, offset, 8,
1181 "%s: No time specified (0)",
1182 proto_registrar_get_name(hf_date));
1183 } else if(filetime_low==0 && filetime_high==0x80000000){
1184 proto_tree_add_text(tree, tvb, offset, 8,
1185 "%s: Infinity (relative time)",
1186 proto_registrar_get_name(hf_date));
1187 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1188 proto_tree_add_text(tree, tvb, offset, 8,
1189 "%s: Infinity (absolute time)",
1190 proto_registrar_get_name(hf_date));
1192 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1193 proto_tree_add_time(tree, hf_date, tvb,
1196 proto_tree_add_text(tree, tvb, offset, 8,
1197 "%s: Time can't be converted",
1198 proto_registrar_get_name(hf_date));
1208 dissect_smb_datetime(tvbuff_t *tvb, packet_info *pinfo,
1209 proto_tree *parent_tree, int offset, int hf_date, int hf_dos_date,
1210 int hf_dos_time, gboolean time_first)
1212 guint16 dos_time, dos_date;
1213 proto_item *item = NULL;
1214 proto_tree *tree = NULL;
1217 static const int mday_noleap[12] = {
1218 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1220 static const int mday_leap[12] = {
1221 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
1223 #define ISLEAP(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
1227 dos_time = tvb_get_letohs(tvb, offset);
1228 dos_date = tvb_get_letohs(tvb, offset+2);
1230 dos_date = tvb_get_letohs(tvb, offset);
1231 dos_time = tvb_get_letohs(tvb, offset+2);
1234 if ((dos_time == 0xffff && dos_time == 0xffff) ||
1235 (dos_time == 0 && dos_time == 0)) {
1237 * No date/time specified.
1240 proto_tree_add_text(parent_tree, tvb, offset, 4,
1241 "%s: No time specified (0x%08x)",
1242 proto_registrar_get_name(hf_date),
1243 (dos_date << 16) | dos_time);
1249 tm.tm_sec = (dos_time&0x1f)*2;
1250 tm.tm_min = (dos_time>>5)&0x3f;
1251 tm.tm_hour = (dos_time>>11)&0x1f;
1252 tm.tm_mday = dos_date&0x1f;
1253 tm.tm_mon = ((dos_date>>5)&0x0f) - 1;
1254 tm.tm_year = ((dos_date>>9)&0x7f) + 1980 - 1900;
1258 * Do some sanity checks before calling "mktime()";
1259 * "mktime()" doesn't do them, it "normalizes" out-of-range
1262 if (tm.tm_sec > 59 || tm.tm_min > 59 || tm.tm_hour > 23 ||
1263 tm.tm_mon < 0 || tm.tm_mon > 11 ||
1264 (ISLEAP(tm.tm_year + 1900) ?
1265 tm.tm_mday > mday_leap[tm.tm_mon] :
1266 tm.tm_mday > mday_noleap[tm.tm_mon]) ||
1267 (t = mktime(&tm)) == -1) {
1269 * Invalid date/time.
1272 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1274 proto_registrar_get_name(hf_date));
1275 tree = proto_item_add_subtree(item, ett_smb_time_date);
1277 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1278 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1280 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1281 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1292 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
1293 tree = proto_item_add_subtree(item, ett_smb_time_date);
1295 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1296 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1298 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
1299 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
1309 static const value_string da_access_vals[] = {
1310 { 0, "Open for reading"},
1311 { 1, "Open for writing"},
1312 { 2, "Open for reading and writing"},
1313 { 3, "Open for execute"},
1316 static const value_string da_sharing_vals[] = {
1317 { 0, "Compatibility mode"},
1318 { 1, "Deny read/write/execute (exclusive)"},
1320 { 3, "Deny read/execute"},
1324 static const value_string da_locality_vals[] = {
1325 { 0, "Locality of reference unknown"},
1326 { 1, "Mainly sequential access"},
1327 { 2, "Mainly random access"},
1328 { 3, "Random access with some locality"},
1331 static const true_false_string tfs_da_caching = {
1332 "Do not cache this file",
1333 "Caching permitted on this file"
1335 static const true_false_string tfs_da_writetru = {
1336 "Write through enabled",
1337 "Write through disabled"
1340 dissect_access(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, char *type)
1343 proto_item *item = NULL;
1344 proto_tree *tree = NULL;
1346 mask = tvb_get_letohs(tvb, offset);
1349 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1350 "%s Access: 0x%04x", type, mask);
1351 tree = proto_item_add_subtree(item, ett_smb_desiredaccess);
1354 proto_tree_add_boolean(tree, hf_smb_access_writetru,
1355 tvb, offset, 2, mask);
1356 proto_tree_add_boolean(tree, hf_smb_access_caching,
1357 tvb, offset, 2, mask);
1358 proto_tree_add_uint(tree, hf_smb_access_locality,
1359 tvb, offset, 2, mask);
1360 proto_tree_add_uint(tree, hf_smb_access_sharing,
1361 tvb, offset, 2, mask);
1362 proto_tree_add_uint(tree, hf_smb_access_mode,
1363 tvb, offset, 2, mask);
1370 #define FILE_ATTRIBUTE_READ_ONLY 0x00000001
1371 #define FILE_ATTRIBUTE_HIDDEN 0x00000002
1372 #define FILE_ATTRIBUTE_SYSTEM 0x00000004
1373 #define FILE_ATTRIBUTE_VOLUME 0x00000008
1374 #define FILE_ATTRIBUTE_DIRECTORY 0x00000010
1375 #define FILE_ATTRIBUTE_ARCHIVE 0x00000020
1376 #define FILE_ATTRIBUTE_DEVICE 0x00000040
1377 #define FILE_ATTRIBUTE_NORMAL 0x00000080
1378 #define FILE_ATTRIBUTE_TEMPORARY 0x00000100
1379 #define FILE_ATTRIBUTE_SPARSE 0x00000200
1380 #define FILE_ATTRIBUTE_REPARSE 0x00000400
1381 #define FILE_ATTRIBUTE_COMPRESSED 0x00000800
1382 #define FILE_ATTRIBUTE_OFFLINE 0x00001000
1383 #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
1384 #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000
1387 * These are flags to be used in NT Create operations.
1389 #define FILE_ATTRIBUTE_WRITE_THROUGH 0x80000000
1390 #define FILE_ATTRIBUTE_NO_BUFFERING 0x20000000
1391 #define FILE_ATTRIBUTE_RANDOM_ACCESS 0x10000000
1392 #define FILE_ATTRIBUTE_SEQUENTIAL_SCAN 0x08000000
1393 #define FILE_ATTRIBUTE_DELETE_ON_CLOSE 0x04000000
1394 #define FILE_ATTRIBUTE_BACKUP_SEMANTICS 0x02000000
1395 #define FILE_ATTRIBUTE_POSIX_SEMANTICS 0x01000000
1397 static const true_false_string tfs_file_attribute_write_through = {
1398 "This object requires WRITE THROUGH",
1399 "This object does NOT require write through",
1401 static const true_false_string tfs_file_attribute_no_buffering = {
1402 "This object requires NO BUFFERING",
1403 "This object can be buffered",
1405 static const true_false_string tfs_file_attribute_random_access = {
1406 "This object will be RANDOM ACCESSed",
1407 "Random access is NOT requested",
1409 static const true_false_string tfs_file_attribute_sequential_scan = {
1410 "This object is optimized for SEQUENTIAL SCAN",
1411 "This object is NOT optimized for sequential scan",
1413 static const true_false_string tfs_file_attribute_delete_on_close = {
1414 "This object will be DELETED ON CLOSE",
1415 "This object will not be deleted on close",
1417 static const true_false_string tfs_file_attribute_backup_semantics = {
1418 "This object supports BACKUP SEMANTICS",
1419 "This object does NOT support backup semantics",
1421 static const true_false_string tfs_file_attribute_posix_semantics = {
1422 "This object supports POSIX SEMANTICS",
1423 "This object does NOT support POSIX semantics",
1425 static const true_false_string tfs_file_attribute_read_only = {
1426 "This file is READ ONLY",
1427 "This file is NOT read only",
1429 static const true_false_string tfs_file_attribute_hidden = {
1430 "This is a HIDDEN file",
1431 "This is NOT a hidden file"
1433 static const true_false_string tfs_file_attribute_system = {
1434 "This is a SYSTEM file",
1435 "This is NOT a system file"
1437 static const true_false_string tfs_file_attribute_volume = {
1438 "This is a VOLUME ID",
1439 "This is NOT a volume ID"
1441 static const true_false_string tfs_file_attribute_directory = {
1442 "This is a DIRECTORY",
1443 "This is NOT a directory"
1445 static const true_false_string tfs_file_attribute_archive = {
1446 "This is an ARCHIVE file",
1447 "This is NOT an archive file"
1449 static const true_false_string tfs_file_attribute_device = {
1451 "This is NOT a device"
1453 static const true_false_string tfs_file_attribute_normal = {
1454 "This file is an ordinary file",
1455 "This file has some attribute set"
1457 static const true_false_string tfs_file_attribute_temporary = {
1458 "This is a TEMPORARY file",
1459 "This is NOT a temporary file"
1461 static const true_false_string tfs_file_attribute_sparse = {
1462 "This is a SPARSE file",
1463 "This is NOT a sparse file"
1465 static const true_false_string tfs_file_attribute_reparse = {
1466 "This file has an associated REPARSE POINT",
1467 "This file does NOT have an associated reparse point"
1469 static const true_false_string tfs_file_attribute_compressed = {
1470 "This is a COMPRESSED file",
1471 "This is NOT a compressed file"
1473 static const true_false_string tfs_file_attribute_offline = {
1474 "This file is OFFLINE",
1475 "This file is NOT offline"
1477 static const true_false_string tfs_file_attribute_not_content_indexed = {
1478 "This file MAY NOT be indexed by the CONTENT INDEXING service",
1479 "This file MAY be indexed by the content indexing service"
1481 static const true_false_string tfs_file_attribute_encrypted = {
1482 "This is an ENCRYPTED file",
1483 "This is NOT an encrypted file"
1487 dissect_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1490 proto_item *item = NULL;
1491 proto_tree *tree = NULL;
1493 mask = tvb_get_letohs(tvb, offset);
1496 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1497 "File Attributes: 0x%04x", mask);
1498 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1500 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1501 tvb, offset, 2, mask);
1502 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1503 tvb, offset, 2, mask);
1504 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1505 tvb, offset, 2, mask);
1506 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1507 tvb, offset, 2, mask);
1508 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1509 tvb, offset, 2, mask);
1510 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1511 tvb, offset, 2, mask);
1520 dissect_file_ext_attr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1523 proto_item *item = NULL;
1524 proto_tree *tree = NULL;
1526 mask = tvb_get_letohl(tvb, offset);
1529 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
1530 "File Attributes: 0x%08x", mask);
1531 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1535 * XXX - Network Monitor disagrees on some of the
1536 * bits, e.g. the bits above temporary are "atomic write"
1537 * and "transaction write", and it says nothing about the
1540 * Does the Win32 API documentation, or the NT Native API book,
1543 proto_tree_add_boolean(tree, hf_smb_file_eattr_write_through,
1544 tvb, offset, 4, mask);
1545 proto_tree_add_boolean(tree, hf_smb_file_eattr_no_buffering,
1546 tvb, offset, 4, mask);
1547 proto_tree_add_boolean(tree, hf_smb_file_eattr_random_access,
1548 tvb, offset, 4, mask);
1549 proto_tree_add_boolean(tree, hf_smb_file_eattr_sequential_scan,
1550 tvb, offset, 4, mask);
1551 proto_tree_add_boolean(tree, hf_smb_file_eattr_delete_on_close,
1552 tvb, offset, 4, mask);
1553 proto_tree_add_boolean(tree, hf_smb_file_eattr_backup_semantics,
1554 tvb, offset, 4, mask);
1555 proto_tree_add_boolean(tree, hf_smb_file_eattr_posix_semantics,
1556 tvb, offset, 4, mask);
1557 proto_tree_add_boolean(tree, hf_smb_file_eattr_encrypted,
1558 tvb, offset, 4, mask);
1559 proto_tree_add_boolean(tree, hf_smb_file_eattr_not_content_indexed,
1560 tvb, offset, 4, mask);
1561 proto_tree_add_boolean(tree, hf_smb_file_eattr_offline,
1562 tvb, offset, 4, mask);
1563 proto_tree_add_boolean(tree, hf_smb_file_eattr_compressed,
1564 tvb, offset, 4, mask);
1565 proto_tree_add_boolean(tree, hf_smb_file_eattr_reparse,
1566 tvb, offset, 4, mask);
1567 proto_tree_add_boolean(tree, hf_smb_file_eattr_sparse,
1568 tvb, offset, 4, mask);
1569 proto_tree_add_boolean(tree, hf_smb_file_eattr_temporary,
1570 tvb, offset, 4, mask);
1571 proto_tree_add_boolean(tree, hf_smb_file_eattr_normal,
1572 tvb, offset, 4, mask);
1573 proto_tree_add_boolean(tree, hf_smb_file_eattr_device,
1574 tvb, offset, 4, mask);
1575 proto_tree_add_boolean(tree, hf_smb_file_eattr_archive,
1576 tvb, offset, 4, mask);
1577 proto_tree_add_boolean(tree, hf_smb_file_eattr_directory,
1578 tvb, offset, 4, mask);
1579 proto_tree_add_boolean(tree, hf_smb_file_eattr_volume,
1580 tvb, offset, 4, mask);
1581 proto_tree_add_boolean(tree, hf_smb_file_eattr_system,
1582 tvb, offset, 4, mask);
1583 proto_tree_add_boolean(tree, hf_smb_file_eattr_hidden,
1584 tvb, offset, 4, mask);
1585 proto_tree_add_boolean(tree, hf_smb_file_eattr_read_only,
1586 tvb, offset, 4, mask);
1594 dissect_dir_info_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1597 proto_item *item = NULL;
1598 proto_tree *tree = NULL;
1600 mask = tvb_get_guint8(tvb, offset);
1603 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1604 "File Attributes: 0x%02x", mask);
1605 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1607 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_8bit,
1608 tvb, offset, 1, mask);
1609 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_8bit,
1610 tvb, offset, 1, mask);
1611 proto_tree_add_boolean(tree, hf_smb_file_attr_system_8bit,
1612 tvb, offset, 1, mask);
1613 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_8bit,
1614 tvb, offset, 1, mask);
1615 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_8bit,
1616 tvb, offset, 1, mask);
1617 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_8bit,
1618 tvb, offset, 1, mask);
1625 static const true_false_string tfs_search_attribute_read_only = {
1626 "Include READ ONLY files in search results",
1627 "Do NOT include read only files in search results",
1629 static const true_false_string tfs_search_attribute_hidden = {
1630 "Include HIDDEN files in search results",
1631 "Do NOT include hidden files in search results"
1633 static const true_false_string tfs_search_attribute_system = {
1634 "Include SYSTEM files in search results",
1635 "Do NOT include system files in search results"
1637 static const true_false_string tfs_search_attribute_volume = {
1638 "Include VOLUME IDs in search results",
1639 "Do NOT include volume IDs in search results"
1641 static const true_false_string tfs_search_attribute_directory = {
1642 "Include DIRECTORIES in search results",
1643 "Do NOT include directories in search results"
1645 static const true_false_string tfs_search_attribute_archive = {
1646 "Include ARCHIVE files in search results",
1647 "Do NOT include archive files in search results"
1651 dissect_search_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1654 proto_item *item = NULL;
1655 proto_tree *tree = NULL;
1657 mask = tvb_get_letohs(tvb, offset);
1660 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1661 "Search Attributes: 0x%04x", mask);
1662 tree = proto_item_add_subtree(item, ett_smb_search);
1665 proto_tree_add_boolean(tree, hf_smb_search_attribute_read_only,
1666 tvb, offset, 2, mask);
1667 proto_tree_add_boolean(tree, hf_smb_search_attribute_hidden,
1668 tvb, offset, 2, mask);
1669 proto_tree_add_boolean(tree, hf_smb_search_attribute_system,
1670 tvb, offset, 2, mask);
1671 proto_tree_add_boolean(tree, hf_smb_search_attribute_volume,
1672 tvb, offset, 2, mask);
1673 proto_tree_add_boolean(tree, hf_smb_search_attribute_directory,
1674 tvb, offset, 2, mask);
1675 proto_tree_add_boolean(tree, hf_smb_search_attribute_archive,
1676 tvb, offset, 2, mask);
1684 * XXX - this isn't used.
1685 * Is this used for anything? NT Create AndX doesn't use it.
1686 * Is there some 16-bit attribute field with more bits than Read Only,
1687 * Hidden, System, Volume ID, Directory, and Archive?
1690 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1693 proto_item *item = NULL;
1694 proto_tree *tree = NULL;
1696 mask = tvb_get_letohl(tvb, offset);
1699 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1700 "File Attributes: 0x%08x", mask);
1701 tree = proto_item_add_subtree(item, ett_smb_file_attributes);
1703 proto_tree_add_boolean(tree, hf_smb_file_attr_read_only_16bit,
1704 tvb, offset, 2, mask);
1705 proto_tree_add_boolean(tree, hf_smb_file_attr_hidden_16bit,
1706 tvb, offset, 2, mask);
1707 proto_tree_add_boolean(tree, hf_smb_file_attr_system_16bit,
1708 tvb, offset, 2, mask);
1709 proto_tree_add_boolean(tree, hf_smb_file_attr_volume_16bit,
1710 tvb, offset, 2, mask);
1711 proto_tree_add_boolean(tree, hf_smb_file_attr_directory_16bit,
1712 tvb, offset, 2, mask);
1713 proto_tree_add_boolean(tree, hf_smb_file_attr_archive_16bit,
1714 tvb, offset, 2, mask);
1715 proto_tree_add_boolean(tree, hf_smb_file_attr_device,
1716 tvb, offset, 2, mask);
1717 proto_tree_add_boolean(tree, hf_smb_file_attr_normal,
1718 tvb, offset, 2, mask);
1719 proto_tree_add_boolean(tree, hf_smb_file_attr_temporary,
1720 tvb, offset, 2, mask);
1721 proto_tree_add_boolean(tree, hf_smb_file_attr_sparse,
1722 tvb, offset, 2, mask);
1723 proto_tree_add_boolean(tree, hf_smb_file_attr_reparse,
1724 tvb, offset, 2, mask);
1725 proto_tree_add_boolean(tree, hf_smb_file_attr_compressed,
1726 tvb, offset, 2, mask);
1727 proto_tree_add_boolean(tree, hf_smb_file_attr_offline,
1728 tvb, offset, 2, mask);
1729 proto_tree_add_boolean(tree, hf_smb_file_attr_not_content_indexed,
1730 tvb, offset, 2, mask);
1731 proto_tree_add_boolean(tree, hf_smb_file_attr_encrypted,
1732 tvb, offset, 2, mask);
1741 #define SERVER_CAP_RAW_MODE 0x00000001
1742 #define SERVER_CAP_MPX_MODE 0x00000002
1743 #define SERVER_CAP_UNICODE 0x00000004
1744 #define SERVER_CAP_LARGE_FILES 0x00000008
1745 #define SERVER_CAP_NT_SMBS 0x00000010
1746 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
1747 #define SERVER_CAP_STATUS32 0x00000040
1748 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
1749 #define SERVER_CAP_LOCK_AND_READ 0x00000100
1750 #define SERVER_CAP_NT_FIND 0x00000200
1751 #define SERVER_CAP_DFS 0x00001000
1752 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
1753 #define SERVER_CAP_LARGE_READX 0x00004000
1754 #define SERVER_CAP_LARGE_WRITEX 0x00008000
1755 #define SERVER_CAP_UNIX 0x00800000
1756 #define SERVER_CAP_RESERVED 0x02000000
1757 #define SERVER_CAP_BULK_TRANSFER 0x20000000
1758 #define SERVER_CAP_COMPRESSED_DATA 0x40000000
1759 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
1760 static const true_false_string tfs_server_cap_raw_mode = {
1761 "Read Raw and Write Raw are supported",
1762 "Read Raw and Write Raw are not supported"
1764 static const true_false_string tfs_server_cap_mpx_mode = {
1765 "Read Mpx and Write Mpx are supported",
1766 "Read Mpx and Write Mpx are not supported"
1768 static const true_false_string tfs_server_cap_unicode = {
1769 "Unicode strings are supported",
1770 "Unicode strings are not supported"
1772 static const true_false_string tfs_server_cap_large_files = {
1773 "Large files are supported",
1774 "Large files are not supported",
1776 static const true_false_string tfs_server_cap_nt_smbs = {
1777 "NT SMBs are supported",
1778 "NT SMBs are not supported"
1780 static const true_false_string tfs_server_cap_rpc_remote_apis = {
1781 "RPC remote APIs are supported",
1782 "RPC remote APIs are not supported"
1784 static const true_false_string tfs_server_cap_nt_status = {
1785 "NT status codes are supported",
1786 "NT status codes are not supported"
1788 static const true_false_string tfs_server_cap_level_ii_oplocks = {
1789 "Level 2 oplocks are supported",
1790 "Level 2 oplocks are not supported"
1792 static const true_false_string tfs_server_cap_lock_and_read = {
1793 "Lock and Read is supported",
1794 "Lock and Read is not supported"
1796 static const true_false_string tfs_server_cap_nt_find = {
1797 "NT Find is supported",
1798 "NT Find is not supported"
1800 static const true_false_string tfs_server_cap_dfs = {
1802 "Dfs is not supported"
1804 static const true_false_string tfs_server_cap_infolevel_passthru = {
1805 "NT information level request passthrough is supported",
1806 "NT information level request passthrough is not supported"
1808 static const true_false_string tfs_server_cap_large_readx = {
1809 "Large Read andX is supported",
1810 "Large Read andX is not supported"
1812 static const true_false_string tfs_server_cap_large_writex = {
1813 "Large Write andX is supported",
1814 "Large Write andX is not supported"
1816 static const true_false_string tfs_server_cap_unix = {
1817 "UNIX extensions are supported",
1818 "UNIX extensions are not supported"
1820 static const true_false_string tfs_server_cap_reserved = {
1824 static const true_false_string tfs_server_cap_bulk_transfer = {
1825 "Bulk Read and Bulk Write are supported",
1826 "Bulk Read and Bulk Write are not supported"
1828 static const true_false_string tfs_server_cap_compressed_data = {
1829 "Compressed data transfer is supported",
1830 "Compressed data transfer is not supported"
1832 static const true_false_string tfs_server_cap_extended_security = {
1833 "Extended security exchanges are supported",
1834 "Extended security exchanges are not supported"
1837 dissect_negprot_capabilities(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1840 proto_item *item = NULL;
1841 proto_tree *tree = NULL;
1843 mask = tvb_get_letohl(tvb, offset);
1846 item = proto_tree_add_text(parent_tree, tvb, offset, 4, "Capabilities: 0x%08x", mask);
1847 tree = proto_item_add_subtree(item, ett_smb_capabilities);
1850 proto_tree_add_boolean(tree, hf_smb_server_cap_raw_mode,
1851 tvb, offset, 4, mask);
1852 proto_tree_add_boolean(tree, hf_smb_server_cap_mpx_mode,
1853 tvb, offset, 4, mask);
1854 proto_tree_add_boolean(tree, hf_smb_server_cap_unicode,
1855 tvb, offset, 4, mask);
1856 proto_tree_add_boolean(tree, hf_smb_server_cap_large_files,
1857 tvb, offset, 4, mask);
1858 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_smbs,
1859 tvb, offset, 4, mask);
1860 proto_tree_add_boolean(tree, hf_smb_server_cap_rpc_remote_apis,
1861 tvb, offset, 4, mask);
1862 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_status,
1863 tvb, offset, 4, mask);
1864 proto_tree_add_boolean(tree, hf_smb_server_cap_level_ii_oplocks,
1865 tvb, offset, 4, mask);
1866 proto_tree_add_boolean(tree, hf_smb_server_cap_lock_and_read,
1867 tvb, offset, 4, mask);
1868 proto_tree_add_boolean(tree, hf_smb_server_cap_nt_find,
1869 tvb, offset, 4, mask);
1870 proto_tree_add_boolean(tree, hf_smb_server_cap_dfs,
1871 tvb, offset, 4, mask);
1872 proto_tree_add_boolean(tree, hf_smb_server_cap_infolevel_passthru,
1873 tvb, offset, 4, mask);
1874 proto_tree_add_boolean(tree, hf_smb_server_cap_large_readx,
1875 tvb, offset, 4, mask);
1876 proto_tree_add_boolean(tree, hf_smb_server_cap_large_writex,
1877 tvb, offset, 4, mask);
1878 proto_tree_add_boolean(tree, hf_smb_server_cap_unix,
1879 tvb, offset, 4, mask);
1880 proto_tree_add_boolean(tree, hf_smb_server_cap_reserved,
1881 tvb, offset, 4, mask);
1882 proto_tree_add_boolean(tree, hf_smb_server_cap_bulk_transfer,
1883 tvb, offset, 4, mask);
1884 proto_tree_add_boolean(tree, hf_smb_server_cap_compressed_data,
1885 tvb, offset, 4, mask);
1886 proto_tree_add_boolean(tree, hf_smb_server_cap_extended_security,
1887 tvb, offset, 4, mask);
1892 #define RAWMODE_READ 0x01
1893 #define RAWMODE_WRITE 0x02
1894 static const true_false_string tfs_rm_read = {
1895 "Read Raw is supported",
1896 "Read Raw is not supported"
1898 static const true_false_string tfs_rm_write = {
1899 "Write Raw is supported",
1900 "Write Raw is not supported"
1904 dissect_negprot_rawmode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
1907 proto_item *item = NULL;
1908 proto_tree *tree = NULL;
1910 mask = tvb_get_letohs(tvb, offset);
1913 item = proto_tree_add_text(parent_tree, tvb, offset, 2, "Raw Mode: 0x%04x", mask);
1914 tree = proto_item_add_subtree(item, ett_smb_rawmode);
1917 proto_tree_add_boolean(tree, hf_smb_rm_read, tvb, offset, 2, mask);
1918 proto_tree_add_boolean(tree, hf_smb_rm_write, tvb, offset, 2, mask);
1925 #define SECURITY_MODE_MODE 0x01
1926 #define SECURITY_MODE_PASSWORD 0x02
1927 #define SECURITY_MODE_SIGNATURES 0x04
1928 #define SECURITY_MODE_SIG_REQUIRED 0x08
1929 static const true_false_string tfs_sm_mode = {
1930 "USER security mode",
1931 "SHARE security mode"
1933 static const true_false_string tfs_sm_password = {
1934 "ENCRYPTED password. Use challenge/response",
1935 "PLAINTEXT password"
1937 static const true_false_string tfs_sm_signatures = {
1938 "Security signatures ENABLED",
1939 "Security signatures NOT enabled"
1941 static const true_false_string tfs_sm_sig_required = {
1942 "Security signatures REQUIRED",
1943 "Security signatures NOT required"
1947 dissect_negprot_security_mode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int wc)
1950 proto_item *item = NULL;
1951 proto_tree *tree = NULL;
1955 mask = tvb_get_letohs(tvb, offset);
1956 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
1957 "Security Mode: 0x%04x", mask);
1958 tree = proto_item_add_subtree(item, ett_smb_mode);
1959 proto_tree_add_boolean(tree, hf_smb_sm_mode16, tvb, offset, 2, mask);
1960 proto_tree_add_boolean(tree, hf_smb_sm_password16, tvb, offset, 2, mask);
1965 mask = tvb_get_guint8(tvb, offset);
1966 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
1967 "Security Mode: 0x%02x", mask);
1968 tree = proto_item_add_subtree(item, ett_smb_mode);
1969 proto_tree_add_boolean(tree, hf_smb_sm_mode, tvb, offset, 1, mask);
1970 proto_tree_add_boolean(tree, hf_smb_sm_password, tvb, offset, 1, mask);
1971 proto_tree_add_boolean(tree, hf_smb_sm_signatures, tvb, offset, 1, mask);
1972 proto_tree_add_boolean(tree, hf_smb_sm_sig_required, tvb, offset, 1, mask);
1981 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
1983 proto_item *it = NULL;
1984 proto_tree *tr = NULL;
1993 it = proto_tree_add_text(tree, tvb, offset, bc,
1994 "Requested Dialects");
1995 tr = proto_item_add_subtree(it, ett_smb_dialects);
2001 proto_item *dit = NULL;
2002 proto_tree *dtr = NULL;
2004 /* XXX - what if this runs past bc? */
2005 len = tvb_strsize(tvb, offset+1);
2006 str = tvb_get_ptr(tvb, offset+1, len);
2009 dit = proto_tree_add_text(tr, tvb, offset, len+1,
2010 "Dialect: %s", str);
2011 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2015 CHECK_BYTE_COUNT(1);
2016 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2021 CHECK_BYTE_COUNT(len);
2022 proto_tree_add_string(dtr, hf_smb_dialect_name, tvb, offset,
2033 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2047 dialect = tvb_get_letohs(tvb, offset);
2050 if(dialect==0xffff){
2051 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2052 tvb, offset, 2, dialect,
2053 "Selected Index: -1, PC NETWORK PROGRAM 1.0 choosen");
2055 proto_tree_add_uint(tree, hf_smb_dialect_index,
2056 tvb, offset, 2, dialect);
2060 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2061 tvb, offset, 2, dialect,
2062 "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2065 proto_tree_add_uint_format(tree, hf_smb_dialect_index,
2066 tvb, offset, 2, dialect,
2067 "Dialect Index: %u, greater than LANMAN2.1", dialect);
2070 proto_tree_add_text(tree, tvb, offset, wc*2,
2071 "Words for unknown response format");
2080 offset = dissect_negprot_security_mode(tvb, pinfo, tree, offset,
2083 /* Maximum Transmit Buffer Size */
2084 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2085 tvb, offset, 2, TRUE);
2088 /* Maximum Multiplex Count */
2089 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2090 tvb, offset, 2, TRUE);
2093 /* Maximum Vcs Number */
2094 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2095 tvb, offset, 2, TRUE);
2099 offset = dissect_negprot_rawmode(tvb, pinfo, tree, offset);
2102 proto_tree_add_item(tree, hf_smb_session_key,
2103 tvb, offset, 4, TRUE);
2106 /* current time and date at server */
2107 offset = dissect_smb_datetime(tvb, pinfo, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2111 tz = tvb_get_letohs(tvb, offset);
2112 proto_tree_add_int_format(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "Server Time Zone: %d min from UTC", tz);
2115 /* encryption key length */
2116 ekl = tvb_get_letohs(tvb, offset);
2117 proto_tree_add_uint(tree, hf_smb_encryption_key_length, tvb, offset, 2, ekl);
2120 /* 2 reserved bytes */
2121 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
2128 offset = dissect_negprot_security_mode(tvb, pinfo, tree, offset, wc);
2130 /* Maximum Multiplex Count */
2131 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2132 tvb, offset, 2, TRUE);
2135 /* Maximum Vcs Number */
2136 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2137 tvb, offset, 2, TRUE);
2140 /* Maximum Transmit Buffer Size */
2141 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2142 tvb, offset, 4, TRUE);
2145 /* maximum raw buffer size */
2146 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
2147 tvb, offset, 4, TRUE);
2151 proto_tree_add_item(tree, hf_smb_session_key,
2152 tvb, offset, 4, TRUE);
2155 /* server capabilities */
2156 caps = dissect_negprot_capabilities(tvb, pinfo, tree, offset);
2160 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
2161 hf_smb_system_time);
2164 tz = tvb_get_letohs(tvb, offset);
2165 proto_tree_add_int_format(tree, hf_smb_server_timezone,
2167 "Server Time Zone: %d min from UTC", tz);
2170 /* encryption key length */
2171 ekl = tvb_get_guint8(tvb, offset);
2172 proto_tree_add_uint(tree, hf_smb_encryption_key_length,
2173 tvb, offset, 1, ekl);
2183 /* challenge/response encryption key */
2185 CHECK_BYTE_COUNT(ekl);
2186 proto_tree_add_item(tree, hf_smb_encryption_key, tvb, offset, ekl, TRUE);
2191 dn = get_unicode_or_ascii_string(tvb, &offset,
2192 pinfo, &dn_len, FALSE, FALSE, &bc);
2195 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
2197 COUNT_BYTES(dn_len);
2201 if(!(caps&SERVER_CAP_EXTENDED_SECURITY)){
2204 /* challenge/response encryption key */
2205 /* XXX - is this aligned on an even boundary? */
2207 CHECK_BYTE_COUNT(ekl);
2208 proto_tree_add_item(tree, hf_smb_encryption_key,
2209 tvb, offset, ekl, TRUE);
2214 /* this string is special, unicode is flagged in caps */
2215 /* This string is NOT padded to be 16bit aligned. (seen in actual capture) */
2216 si = pinfo->private_data;
2217 si->unicode = (caps&SERVER_CAP_UNICODE);
2218 dn = get_unicode_or_ascii_string(tvb,
2219 &offset, pinfo, &dn_len, TRUE, FALSE,
2223 proto_tree_add_string(tree, hf_smb_primary_domain,
2224 tvb, offset, dn_len, dn);
2225 COUNT_BYTES(dn_len);
2228 /* XXX - show it in the standard Microsoft format
2230 CHECK_BYTE_COUNT(16);
2231 proto_tree_add_item(tree, hf_smb_server_guid,
2232 tvb, offset, 16, TRUE);
2236 /* XXX - is this ASN.1-encoded? Is it a Kerberos
2237 data structure, at least in NT 5.0-and-later
2240 proto_tree_add_item(tree, hf_smb_security_blob,
2241 tvb, offset, bc, TRUE);
2255 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2267 CHECK_BYTE_COUNT(1);
2268 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2272 dn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &dn_len,
2276 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
2278 COUNT_BYTES(dn_len);
2280 if (check_col(pinfo->cinfo, COL_INFO)) {
2281 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s", dn);
2290 dissect_empty(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2305 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2313 ec = tvb_get_letohs(tvb, offset);
2314 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
2321 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2331 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2338 /* echo sequence number */
2339 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, TRUE);
2346 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, TRUE);
2356 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2368 CHECK_BYTE_COUNT(1);
2369 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2373 an = get_unicode_or_ascii_string(tvb, &offset,
2374 pinfo, &an_len, FALSE, FALSE, &bc);
2377 proto_tree_add_string(tree, hf_smb_path, tvb,
2378 offset, an_len, an);
2379 COUNT_BYTES(an_len);
2381 if (check_col(pinfo->cinfo, COL_INFO)) {
2382 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
2386 CHECK_BYTE_COUNT(1);
2387 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2390 /* password, ANSI */
2391 /* XXX - what if this runs past bc? */
2392 pwlen = tvb_strsize(tvb, offset);
2393 CHECK_BYTE_COUNT(pwlen);
2394 proto_tree_add_item(tree, hf_smb_password,
2395 tvb, offset, pwlen, TRUE);
2399 CHECK_BYTE_COUNT(1);
2400 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2404 an = get_unicode_or_ascii_string(tvb, &offset,
2405 pinfo, &an_len, FALSE, FALSE, &bc);
2408 proto_tree_add_string(tree, hf_smb_service, tvb,
2409 offset, an_len, an);
2410 COUNT_BYTES(an_len);
2418 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2425 /* Maximum Buffer Size */
2426 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
2430 proto_tree_add_item(tree, hf_smb_tid, tvb, offset, 2, TRUE);
2441 static const true_false_string tfs_of_create = {
2442 "Create file if it does not exist",
2443 "Fail if file does not exist"
2445 static const value_string of_open[] = {
2446 { 0, "Fail if file exists"},
2447 { 1, "Open file if it exists"},
2448 { 2, "Truncate file if it exists"},
2452 dissect_open_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
2455 proto_item *item = NULL;
2456 proto_tree *tree = NULL;
2458 mask = tvb_get_letohs(tvb, offset);
2461 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2462 "Open Function: 0x%04x", mask);
2463 tree = proto_item_add_subtree(item, ett_smb_openfunction);
2466 proto_tree_add_boolean(tree, hf_smb_open_function_create,
2467 tvb, offset, 2, mask);
2468 proto_tree_add_uint(tree, hf_smb_open_function_open,
2469 tvb, offset, 2, mask);
2477 static const true_false_string tfs_mf_file = {
2478 "Target must be a file",
2479 "Target needn't be a file"
2481 static const true_false_string tfs_mf_dir = {
2482 "Target must be a directory",
2483 "Target needn't be a directory"
2485 static const true_false_string tfs_mf_verify = {
2486 "MUST verify all writes",
2487 "Don't have to verify writes"
2490 dissect_move_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
2493 proto_item *item = NULL;
2494 proto_tree *tree = NULL;
2496 mask = tvb_get_letohs(tvb, offset);
2499 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2500 "Flags: 0x%04x", mask);
2501 tree = proto_item_add_subtree(item, ett_smb_move_flags);
2504 proto_tree_add_boolean(tree, hf_smb_move_flags_verify,
2505 tvb, offset, 2, mask);
2506 proto_tree_add_boolean(tree, hf_smb_move_flags_dir,
2507 tvb, offset, 2, mask);
2508 proto_tree_add_boolean(tree, hf_smb_move_flags_file,
2509 tvb, offset, 2, mask);
2517 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2528 tid = tvb_get_letohs(tvb, offset);
2529 proto_tree_add_uint_format(tree, hf_smb_tid, tvb, offset, 2, tid,
2530 "TID (target): 0x%04x", tid);
2534 offset = dissect_open_function(tvb, pinfo, tree, offset);
2537 offset = dissect_move_flags(tvb, pinfo, tree, offset);
2542 CHECK_BYTE_COUNT(1);
2543 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2547 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2551 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2552 fn_len, fn, "Old File Name: %s", fn);
2553 COUNT_BYTES(fn_len);
2555 if (check_col(pinfo->cinfo, COL_INFO)) {
2556 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2560 CHECK_BYTE_COUNT(1);
2561 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2565 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2569 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
2570 fn_len, fn, "New File Name: %s", fn);
2571 COUNT_BYTES(fn_len);
2573 if (check_col(pinfo->cinfo, COL_INFO)) {
2574 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2583 dissect_move_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2592 /* # of files moved */
2593 proto_tree_add_item(tree, hf_smb_move_files_moved, tvb, offset, 2, TRUE);
2599 CHECK_BYTE_COUNT(1);
2600 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2604 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2608 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2610 COUNT_BYTES(fn_len);
2618 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2627 /* desired access */
2628 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
2630 /* Search Attributes */
2631 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2636 CHECK_BYTE_COUNT(1);
2637 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2641 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2645 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2647 COUNT_BYTES(fn_len);
2649 if (check_col(pinfo->cinfo, COL_INFO)) {
2650 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2659 add_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
2660 int len, guint16 fid)
2662 proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
2663 if (check_col(pinfo->cinfo, COL_INFO))
2664 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
2668 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2677 fid = tvb_get_letohs(tvb, offset);
2678 add_fid(tvb, pinfo, tree, offset, 2, fid);
2681 /* File Attributes */
2682 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2684 /* last write time */
2685 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2688 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2691 /* granted access */
2692 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
2702 dissect_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2711 fid = tvb_get_letohs(tvb, offset);
2712 add_fid(tvb, pinfo, tree, offset, 2, fid);
2723 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2732 /* file attributes */
2733 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2736 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
2741 CHECK_BYTE_COUNT(1);
2742 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2746 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2750 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2752 COUNT_BYTES(fn_len);
2754 if (check_col(pinfo->cinfo, COL_INFO)) {
2755 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2764 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2772 fid = tvb_get_letohs(tvb, offset);
2773 add_fid(tvb, pinfo, tree, offset, 2, fid);
2776 /* last write time */
2777 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2787 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2796 /* search attributes */
2797 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2802 CHECK_BYTE_COUNT(1);
2803 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2807 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2811 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2813 COUNT_BYTES(fn_len);
2815 if (check_col(pinfo->cinfo, COL_INFO)) {
2816 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2825 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2834 /* search attributes */
2835 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
2840 CHECK_BYTE_COUNT(1);
2841 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2845 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2849 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
2851 COUNT_BYTES(fn_len);
2853 if (check_col(pinfo->cinfo, COL_INFO)) {
2854 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s", fn);
2858 CHECK_BYTE_COUNT(1);
2859 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2863 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2867 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2869 COUNT_BYTES(fn_len);
2871 if (check_col(pinfo->cinfo, COL_INFO)) {
2872 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s", fn);
2881 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2893 CHECK_BYTE_COUNT(1);
2894 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2898 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2902 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2904 COUNT_BYTES(fn_len);
2906 if (check_col(pinfo->cinfo, COL_INFO)) {
2907 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2916 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2923 /* File Attributes */
2924 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2926 /* Last Write Time */
2927 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2930 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
2933 /* 10 reserved bytes */
2934 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
2945 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
2954 /* file attributes */
2955 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
2957 /* last write time */
2958 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
2960 /* 10 reserved bytes */
2961 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
2967 CHECK_BYTE_COUNT(1);
2968 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
2972 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
2976 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
2978 COUNT_BYTES(fn_len);
2980 if (check_col(pinfo->cinfo, COL_INFO)) {
2981 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
2990 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3000 fid = tvb_get_letohs(tvb, offset);
3001 add_fid(tvb, pinfo, tree, offset, 2, fid);
3003 if (!pinfo->fd->flags.visited) {
3004 /* remember the FID for the processing of the response */
3005 si = (smb_info_t *)pinfo->private_data;
3006 si->sip->extra_info=(void *)fid;
3010 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3014 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3018 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3029 dissect_file_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 bc, guint16 datalen)
3034 /* We have some initial padding bytes. */
3035 /* XXX - use the data offset here instead? */
3036 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3038 offset += bc-datalen;
3041 tvblen = tvb_length_remaining(tvb, offset);
3043 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, tvblen, tvb_get_ptr(tvb, offset, tvblen),"File Data: Incomplete. Only %d of %u bytes", tvblen, bc);
3046 proto_tree_add_item(tree, hf_smb_file_data, tvb, offset, bc, TRUE);
3053 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3054 proto_tree *top_tree, int offset, guint16 bc, guint16 datalen, guint16 fid)
3057 tvbuff_t *dcerpc_tvb;
3060 /* We have some initial padding bytes. */
3061 /* XXX - use the data offset here instead? */
3062 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
3064 offset += bc-datalen;
3067 tvblen = tvb_length_remaining(tvb, offset);
3068 dcerpc_tvb = tvb_new_subset(tvb, offset, tvblen, bc);
3069 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid);
3078 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3082 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3088 cnt = tvb_get_letohs(tvb, offset);
3089 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3092 /* 8 reserved bytes */
3093 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3096 /* If we have seen the request, then print which FID this refers to */
3097 /* first check if we have seen the request */
3098 if(si->sip != NULL && si->sip->frame_req>0){
3099 fid=(int)si->sip->extra_info;
3100 add_fid(tvb, pinfo, tree, 0, 0, fid);
3106 CHECK_BYTE_COUNT(1);
3107 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3111 CHECK_BYTE_COUNT(2);
3112 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3115 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
3118 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
3120 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3121 top_tree, offset, bc, bc, fid);
3123 /* ordinary file data, or we didn't see the request,
3124 so we don't know whether this is a DCERPC call
3126 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, bc);
3137 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3145 cnt = tvb_get_letohs(tvb, offset);
3146 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3149 /* 8 reserved bytes */
3150 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
3156 CHECK_BYTE_COUNT(1);
3157 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3161 CHECK_BYTE_COUNT(2);
3162 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3172 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3175 guint16 cnt=0, bc, fid=0;
3177 smb_info_t *si = (smb_info_t *)pinfo->private_data;
3182 fid = tvb_get_letohs(tvb, offset);
3183 add_fid(tvb, pinfo, tree, offset, 2, fid);
3187 cnt = tvb_get_letohs(tvb, offset);
3188 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3192 ofs = tvb_get_letohl(tvb, offset);
3193 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3196 if (check_col(pinfo->cinfo, COL_INFO))
3197 col_append_fstr(pinfo->cinfo, COL_INFO,
3198 ", %d byte%s at offset %d", cnt,
3199 (cnt == 1) ? "" : "s", ofs);
3202 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3208 CHECK_BYTE_COUNT(1);
3209 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3213 CHECK_BYTE_COUNT(2);
3214 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
3218 if( (si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
3220 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
3221 top_tree, offset, bc, bc, fid);
3223 /* ordinary file data */
3224 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, bc);
3235 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3243 cnt = tvb_get_letohs(tvb, offset);
3244 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3247 if (check_col(pinfo->cinfo, COL_INFO))
3248 col_append_fstr(pinfo->cinfo, COL_INFO,
3249 ", %d byte%s", cnt, (cnt == 1) ? "" : "s");
3259 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3267 fid = tvb_get_letohs(tvb, offset);
3268 add_fid(tvb, pinfo, tree, offset, 2, fid);
3272 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, TRUE);
3276 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3287 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3296 /* 2 reserved bytes */
3297 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3301 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
3306 CHECK_BYTE_COUNT(1);
3307 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3310 /* directory name */
3311 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3315 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
3317 COUNT_BYTES(fn_len);
3319 if (check_col(pinfo->cinfo, COL_INFO)) {
3320 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
3329 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3339 fid = tvb_get_letohs(tvb, offset);
3340 add_fid(tvb, pinfo, tree, offset, 2, fid);
3346 CHECK_BYTE_COUNT(1);
3347 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
3351 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3355 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3357 COUNT_BYTES(fn_len);
3364 static const value_string seek_mode_vals[] = {
3365 {0, "From Start Of File"},
3366 {1, "From Current Position"},
3367 {2, "From End Of File"},
3372 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3380 fid = tvb_get_letohs(tvb, offset);
3381 add_fid(tvb, pinfo, tree, offset, 2, fid);
3385 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, TRUE);
3389 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3400 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3408 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3419 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3427 fid = tvb_get_letohs(tvb, offset);
3428 add_fid(tvb, pinfo, tree, offset, 2, fid);
3432 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3434 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3437 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3439 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3441 /* last write time */
3442 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3443 hf_smb_last_write_time,
3444 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3454 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3462 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3464 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
3467 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3469 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
3471 /* last write time */
3472 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
3473 hf_smb_last_write_time,
3474 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
3477 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
3480 /* allocation size */
3481 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
3484 /* File Attributes */
3485 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
3495 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3504 fid = tvb_get_letohs(tvb, offset);
3505 add_fid(tvb, pinfo, tree, offset, 2, fid);
3509 cnt = tvb_get_letohs(tvb, offset);
3510 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
3514 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3517 /* last write time */
3518 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
3521 /* 12 reserved bytes */
3522 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, TRUE);
3529 CHECK_BYTE_COUNT(1);
3530 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
3533 offset = dissect_file_data(tvb, pinfo, tree, offset, cnt, cnt);
3542 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3550 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3561 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3570 fid = tvb_get_letohs(tvb, offset);
3571 add_fid(tvb, pinfo, tree, offset, 2, fid);
3575 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3579 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3583 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3587 to = tvb_get_letohl(tvb, offset);
3588 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3591 /* 2 reserved bytes */
3592 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3597 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
3609 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3617 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, TRUE);
3621 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, TRUE);
3625 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, TRUE);
3629 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, TRUE);
3632 /* 2 reserved bytes */
3633 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3644 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3652 fid = tvb_get_letohs(tvb, offset);
3653 add_fid(tvb, pinfo, tree, offset, 2, fid);
3657 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3661 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
3665 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
3668 /* 6 reserved bytes */
3669 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
3680 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3682 guint16 datalen=0, bc;
3688 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3692 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
3695 /* 2 reserved bytes */
3696 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3699 /* data compaction mode */
3700 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
3703 /* 2 reserved bytes */
3704 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3708 datalen = tvb_get_letohs(tvb, offset);
3709 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3713 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3719 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3728 static const true_false_string tfs_write_mode_write_through = {
3729 "WRITE THROUGH requested",
3730 "Write through not requested"
3732 static const true_false_string tfs_write_mode_return_remaining = {
3733 "RETURN REMAINING (pipe/dev) requested",
3734 "DON'T return remaining (pipe/dev)"
3736 static const true_false_string tfs_write_mode_raw = {
3737 "Use WriteRawNamedPipe (pipe)",
3738 "DON'T use WriteRawNamedPipe (pipe)"
3740 static const true_false_string tfs_write_mode_message_start = {
3741 "This is the START of a MESSAGE (pipe)",
3742 "This is NOT the start of a message (pipe)"
3744 static const true_false_string tfs_write_mode_connectionless = {
3745 "CONNECTIONLESS mode requested",
3746 "Connectionless mode NOT requested"
3749 dissect_write_mode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int bm)
3752 proto_item *item = NULL;
3753 proto_tree *tree = NULL;
3755 mask = tvb_get_letohs(tvb, offset);
3758 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
3759 "Write Mode: 0x%04x", mask);
3760 tree = proto_item_add_subtree(item, ett_smb_rawmode);
3764 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
3765 tvb, offset, 2, mask);
3768 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
3769 tvb, offset, 2, mask);
3772 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
3773 tvb, offset, 2, mask);
3776 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
3777 tvb, offset, 2, mask);
3780 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
3781 tvb, offset, 2, mask);
3789 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3792 guint16 datalen=0, bc, fid;
3798 fid = tvb_get_letohs(tvb, offset);
3799 add_fid(tvb, pinfo, tree, offset, 2, fid);
3802 /* total data length */
3803 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
3806 /* 2 reserved bytes */
3807 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3811 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3815 to = tvb_get_letohl(tvb, offset);
3816 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3820 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x0003);
3822 /* 4 reserved bytes */
3823 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
3827 datalen = tvb_get_letohs(tvb, offset);
3828 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3832 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3838 /* XXX - use the data offset to determine where the data starts? */
3839 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3848 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3856 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
3867 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3870 guint16 datalen=0, bc, fid;
3876 fid = tvb_get_letohs(tvb, offset);
3877 add_fid(tvb, pinfo, tree, offset, 2, fid);
3880 /* total data length */
3881 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, TRUE);
3884 /* 2 reserved bytes */
3885 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
3889 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
3893 to = tvb_get_letohl(tvb, offset);
3894 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
3898 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x0083);
3901 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, TRUE);
3905 datalen = tvb_get_letohs(tvb, offset);
3906 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
3910 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, TRUE);
3916 /* XXX - use the data offset to determine where the data starts? */
3917 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
3926 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3934 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, TRUE);
3945 dissect_sid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
3953 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
3964 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
3965 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
3967 proto_item *item = NULL;
3968 proto_tree *tree = NULL;
3974 item = proto_tree_add_text(parent_tree, tvb, offset, 21,
3976 tree = proto_item_add_subtree(item, ett_smb_search_resume_key);
3980 CHECK_BYTE_COUNT_SUBR(1);
3981 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
3982 COUNT_BYTES_SUBR(1);
3986 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
3988 CHECK_STRING_SUBR(fn);
3989 /* ensure that it's null-terminated */
3990 strncpy(fname, fn, 11);
3992 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11,
3994 COUNT_BYTES_SUBR(fn_len);
3997 CHECK_BYTE_COUNT_SUBR(5);
3998 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, TRUE);
3999 COUNT_BYTES_SUBR(5);
4002 CHECK_BYTE_COUNT_SUBR(4);
4003 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, TRUE);
4004 COUNT_BYTES_SUBR(4);
4011 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
4012 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
4014 proto_item *item = NULL;
4015 proto_tree *tree = NULL;
4021 item = proto_tree_add_text(parent_tree, tvb, offset, 46,
4022 "Directory Information");
4023 tree = proto_item_add_subtree(item, ett_smb_search_dir_info);
4027 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp, trunc);
4031 /* File Attributes */
4032 CHECK_BYTE_COUNT_SUBR(1);
4033 offset = dissect_dir_info_file_attributes(tvb, pinfo, tree, offset);
4036 /* last write time */
4037 CHECK_BYTE_COUNT_SUBR(4);
4038 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
4039 hf_smb_last_write_time,
4040 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
4045 CHECK_BYTE_COUNT_SUBR(4);
4046 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4047 COUNT_BYTES_SUBR(4);
4051 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4053 CHECK_STRING_SUBR(fn);
4054 /* ensure that it's null-terminated */
4055 strncpy(fname, fn, 13);
4057 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4059 COUNT_BYTES_SUBR(fn_len);
4067 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4079 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4082 /* Search Attributes */
4083 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
4088 CHECK_BYTE_COUNT(1);
4089 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4093 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4097 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4099 COUNT_BYTES(fn_len);
4101 if (check_col(pinfo->cinfo, COL_INFO)) {
4102 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s", fn);
4106 CHECK_BYTE_COUNT(1);
4107 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4110 /* resume key length */
4111 CHECK_BYTE_COUNT(2);
4112 rkl = tvb_get_letohs(tvb, offset);
4113 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
4118 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
4130 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4140 count = tvb_get_letohs(tvb, offset);
4141 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
4147 CHECK_BYTE_COUNT(1);
4148 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
4152 CHECK_BYTE_COUNT(2);
4153 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, TRUE);
4157 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
4168 static const value_string locking_ol_vals[] = {
4169 {0, "Client is not holding oplock on this file"},
4170 {1, "Level 2 oplock currently held by client"},
4174 static const true_false_string tfs_lock_type_large = {
4175 "Large file locking format requested",
4176 "Large file locking format not requested"
4178 static const true_false_string tfs_lock_type_cancel = {
4179 "Cancel outstanding lock request",
4180 "Don't cancel outstanding lock request"
4182 static const true_false_string tfs_lock_type_change = {
4184 "Don't change lock type"
4186 static const true_false_string tfs_lock_type_oplock = {
4187 "This is an oplock break notification/response",
4188 "This is not an oplock break notification/response"
4190 static const true_false_string tfs_lock_type_shared = {
4191 "This is a shared lock",
4192 "This is an exclusive lock"
4195 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4197 guint8 wc, cmd=0xff, lt=0;
4198 guint16 andxoffset=0, un=0, ln=0, bc, fid;
4200 proto_item *litem = NULL;
4201 proto_tree *ltree = NULL;
4202 proto_item *it = NULL;
4203 proto_tree *tr = NULL;
4204 int old_offset = offset;
4208 /* next smb command */
4209 cmd = tvb_get_guint8(tvb, offset);
4211 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4213 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4218 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4222 andxoffset = tvb_get_letohs(tvb, offset);
4223 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4227 fid = tvb_get_letohs(tvb, offset);
4228 add_fid(tvb, pinfo, tree, offset, 2, fid);
4232 lt = tvb_get_guint8(tvb, offset);
4234 litem = proto_tree_add_text(tree, tvb, offset, 1,
4235 "Lock Type: 0x%02x", lt);
4236 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
4238 proto_tree_add_boolean(ltree, hf_smb_lock_type_large,
4239 tvb, offset, 1, lt);
4240 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel,
4241 tvb, offset, 1, lt);
4242 proto_tree_add_boolean(ltree, hf_smb_lock_type_change,
4243 tvb, offset, 1, lt);
4244 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock,
4245 tvb, offset, 1, lt);
4246 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared,
4247 tvb, offset, 1, lt);
4251 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, TRUE);
4255 to = tvb_get_letohl(tvb, offset);
4257 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
4258 else if (to == 0xffffffff)
4259 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
4261 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
4264 /* number of unlocks */
4265 un = tvb_get_letohs(tvb, offset);
4266 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
4269 /* number of locks */
4270 ln = tvb_get_letohs(tvb, offset);
4271 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
4278 old_offset = offset;
4280 it = proto_tree_add_text(tree, tvb, offset, -1,
4282 tr = proto_item_add_subtree(it, ett_smb_unlocks);
4284 proto_item *litem = NULL;
4285 proto_tree *ltree = NULL;
4287 /* large lock format */
4288 litem = proto_tree_add_text(tr, tvb, offset, 20,
4290 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4293 CHECK_BYTE_COUNT(2);
4294 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4297 /* 2 reserved bytes */
4298 CHECK_BYTE_COUNT(2);
4299 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4303 CHECK_BYTE_COUNT(8);
4304 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4308 CHECK_BYTE_COUNT(8);
4309 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4312 /* normal lock format */
4313 litem = proto_tree_add_text(tr, tvb, offset, 10,
4315 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4318 CHECK_BYTE_COUNT(2);
4319 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4323 CHECK_BYTE_COUNT(4);
4324 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4328 CHECK_BYTE_COUNT(4);
4329 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4333 proto_item_set_len(it, offset-old_offset);
4339 old_offset = offset;
4341 it = proto_tree_add_text(tree, tvb, offset, -1,
4343 tr = proto_item_add_subtree(it, ett_smb_locks);
4345 proto_item *litem = NULL;
4346 proto_tree *ltree = NULL;
4348 /* large lock format */
4349 litem = proto_tree_add_text(tr, tvb, offset, 20,
4351 ltree = proto_item_add_subtree(litem, ett_smb_lock);
4354 CHECK_BYTE_COUNT(2);
4355 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4358 /* 2 reserved bytes */
4359 CHECK_BYTE_COUNT(2);
4360 proto_tree_add_item(ltree, hf_smb_reserved, tvb, offset, 2, TRUE);
4364 CHECK_BYTE_COUNT(8);
4365 proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
4369 CHECK_BYTE_COUNT(8);
4370 proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
4373 /* normal lock format */
4374 litem = proto_tree_add_text(tr, tvb, offset, 10,
4376 ltree = proto_item_add_subtree(litem, ett_smb_unlock);
4379 CHECK_BYTE_COUNT(2);
4380 proto_tree_add_item(ltree, hf_smb_pid, tvb, offset, 2, TRUE);
4384 CHECK_BYTE_COUNT(4);
4385 proto_tree_add_item(ltree, hf_smb_offset, tvb, offset, 4, TRUE);
4389 CHECK_BYTE_COUNT(4);
4390 proto_tree_add_item(ltree, hf_smb_count, tvb, offset, 4, TRUE);
4394 proto_item_set_len(it, offset-old_offset);
4402 * We ran out of byte count in the middle of dissecting
4403 * the locks or the unlocks; set the site of the item
4404 * we were dissecting.
4406 proto_item_set_len(it, offset-old_offset);
4409 /* call AndXCommand (if there are any) */
4410 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4416 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4418 guint8 wc, cmd=0xff;
4419 guint16 andxoffset=0;
4424 /* next smb command */
4425 cmd = tvb_get_guint8(tvb, offset);
4427 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4429 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4434 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4438 andxoffset = tvb_get_letohs(tvb, offset);
4439 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4446 /* call AndXCommand (if there are any) */
4447 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4453 static const value_string oa_open_vals[] = {
4454 { 0, "No action taken?"},
4455 { 1, "The file existed and was opened"},
4456 { 2, "The file did not exist but was created"},
4457 { 3, "The file existed and was truncated"},
4460 static const true_false_string tfs_oa_lock = {
4461 "File is currently opened only by this user",
4462 "File is opened by another user (or mode not supported by server)"
4465 dissect_open_action(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
4468 proto_item *item = NULL;
4469 proto_tree *tree = NULL;
4471 mask = tvb_get_letohs(tvb, offset);
4474 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4475 "Action: 0x%04x", mask);
4476 tree = proto_item_add_subtree(item, ett_smb_open_action);
4479 proto_tree_add_boolean(tree, hf_smb_open_action_lock,
4480 tvb, offset, 2, mask);
4481 proto_tree_add_uint(tree, hf_smb_open_action_open,
4482 tvb, offset, 2, mask);
4489 static const true_false_string tfs_open_flags_add_info = {
4490 "Additional information requested",
4491 "Additional information not requested"
4493 static const true_false_string tfs_open_flags_ex_oplock = {
4494 "Exclusive oplock requested",
4495 "Exclusive oplock not requested"
4497 static const true_false_string tfs_open_flags_batch_oplock = {
4498 "Batch oplock requested",
4499 "Batch oplock not requested"
4501 static const true_false_string tfs_open_flags_ealen = {
4502 "Total length of EAs requested",
4503 "Total length of EAs not requested"
4506 dissect_open_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int bm)
4509 proto_item *item = NULL;
4510 proto_tree *tree = NULL;
4512 mask = tvb_get_letohs(tvb, offset);
4515 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4516 "Flags: 0x%04x", mask);
4517 tree = proto_item_add_subtree(item, ett_smb_open_flags);
4521 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
4522 tvb, offset, 2, mask);
4525 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
4526 tvb, offset, 2, mask);
4529 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
4530 tvb, offset, 2, mask);
4533 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
4534 tvb, offset, 2, mask);
4542 static const value_string filetype_vals[] = {
4543 { 0, "Disk file or directory"},
4544 { 1, "Named pipe in byte mode"},
4545 { 2, "Named pipe in message mode"},
4546 { 3, "Spooled printer"},
4550 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4552 guint8 wc, cmd=0xff;
4553 guint16 andxoffset=0, bc;
4559 /* next smb command */
4560 cmd = tvb_get_guint8(tvb, offset);
4562 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4564 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4569 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4573 andxoffset = tvb_get_letohs(tvb, offset);
4574 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4578 offset = dissect_open_flags(tvb, pinfo, tree, offset, 0x0007);
4580 /* desired access */
4581 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
4583 /* Search Attributes */
4584 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
4586 /* File Attributes */
4587 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
4590 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_create_time);
4593 offset = dissect_open_function(tvb, pinfo, tree, offset);
4595 /* allocation size */
4596 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
4599 /* 8 reserved bytes */
4600 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, TRUE);
4606 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
4610 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4612 COUNT_BYTES(fn_len);
4614 if (check_col(pinfo->cinfo, COL_INFO)) {
4615 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
4620 /* call AndXCommand (if there are any) */
4621 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4626 static const true_false_string tfs_ipc_state_nonblocking = {
4627 "Reads/writes return immediately if no data available",
4628 "Reads/writes block if no data available"
4630 static const value_string ipc_state_endpoint_vals[] = {
4631 { 0, "Consumer end of pipe"},
4632 { 1, "Server end of pipe"},
4635 static const value_string ipc_state_pipe_type_vals[] = {
4636 { 0, "Byte stream pipe"},
4637 { 1, "Message pipe"},
4640 static const value_string ipc_state_read_mode_vals[] = {
4641 { 0, "Read pipe as a byte stream"},
4642 { 1, "Read messages from pipe"},
4647 dissect_ipc_state(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
4648 int offset, gboolean setstate)
4651 proto_item *item = NULL;
4652 proto_tree *tree = NULL;
4654 mask = tvb_get_letohs(tvb, offset);
4657 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
4658 "IPC State: 0x%04x", mask);
4659 tree = proto_item_add_subtree(item, ett_smb_ipc_state);
4662 proto_tree_add_boolean(tree, hf_smb_ipc_state_nonblocking,
4663 tvb, offset, 2, mask);
4665 proto_tree_add_uint(tree, hf_smb_ipc_state_endpoint,
4666 tvb, offset, 2, mask);
4667 proto_tree_add_uint(tree, hf_smb_ipc_state_pipe_type,
4668 tvb, offset, 2, mask);
4670 proto_tree_add_uint(tree, hf_smb_ipc_state_read_mode,
4671 tvb, offset, 2, mask);
4673 proto_tree_add_uint(tree, hf_smb_ipc_state_icount,
4674 tvb, offset, 2, mask);
4683 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4685 guint8 wc, cmd=0xff;
4686 guint16 andxoffset=0, bc;
4691 /* next smb command */
4692 cmd = tvb_get_guint8(tvb, offset);
4694 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4696 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4701 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4705 andxoffset = tvb_get_letohs(tvb, offset);
4706 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4710 fid = tvb_get_letohs(tvb, offset);
4711 add_fid(tvb, pinfo, tree, offset, 2, fid);
4714 /* File Attributes */
4715 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
4717 /* last write time */
4718 offset = dissect_smb_UTIME(tvb, pinfo, tree, offset, hf_smb_last_write_time);
4721 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, TRUE);
4724 /* granted access */
4725 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
4728 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
4732 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
4735 offset = dissect_open_action(tvb, pinfo, tree, offset);
4738 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, TRUE);
4741 /* 2 reserved bytes */
4742 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4749 /* call AndXCommand (if there are any) */
4750 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4756 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4758 guint8 wc, cmd=0xff;
4759 guint16 andxoffset=0, bc, maxcnt = 0;
4766 /* next smb command */
4767 cmd = tvb_get_guint8(tvb, offset);
4769 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4771 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4776 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4780 andxoffset = tvb_get_letohs(tvb, offset);
4781 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4785 fid = tvb_get_letohs(tvb, offset);
4786 add_fid(tvb, pinfo, tree, offset, 2, fid);
4788 if (!pinfo->fd->flags.visited) {
4789 /* remember the FID for the processing of the response */
4790 si = (smb_info_t *)pinfo->private_data;
4791 si->sip->extra_info=(void *)fid;
4795 ofs = tvb_get_letohl(tvb, offset);
4796 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
4800 maxcnt = tvb_get_letohs(tvb, offset);
4801 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
4804 if (check_col(pinfo->cinfo, COL_INFO))
4805 col_append_fstr(pinfo->cinfo, COL_INFO,
4806 ", %d byte%s at offset %d", maxcnt,
4807 (maxcnt == 1) ? "" : "s", ofs);
4810 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
4813 /* XXX - max count high */
4814 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
4818 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4823 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
4831 /* call AndXCommand (if there are any) */
4832 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4838 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4840 guint8 wc, cmd=0xff;
4841 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
4842 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4847 /* next smb command */
4848 cmd = tvb_get_guint8(tvb, offset);
4850 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4852 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4857 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4861 andxoffset = tvb_get_letohs(tvb, offset);
4862 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
4865 /* If we have seen the request, then print which FID this refers to */
4866 /* first check if we have seen the request */
4867 if(si->sip != NULL && si->sip->frame_req>0){
4868 fid=(int)si->sip->extra_info;
4869 add_fid(tvb, pinfo, tree, 0, 0, fid);
4873 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
4876 /* data compaction mode */
4877 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, TRUE);
4880 /* 2 reserved bytes */
4881 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
4885 datalen = tvb_get_letohs(tvb, offset);
4886 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
4889 if (check_col(pinfo->cinfo, COL_INFO))
4890 col_append_fstr(pinfo->cinfo, COL_INFO,
4891 ", %d byte%s", datalen,
4892 (datalen == 1) ? "" : "s");
4895 dataoffset=tvb_get_letohs(tvb, offset);
4896 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
4899 /* 10 reserved bytes */
4900 /* XXX - first 2 bytes are data length high, not reserved */
4901 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
4906 /* is this part of DCERPC over SMB reassembly?*/
4907 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited
4908 && (bc<=tvb_length_remaining(tvb, offset)) ){
4909 gpointer hash_value;
4910 if (si->sip != NULL && (hash_value = g_hash_table_lookup(
4911 si->ct->dcerpc_fid_to_frame,
4912 si->sip->extra_info)) != NULL) {
4913 fragment_data *fd_head;
4914 guint32 frame = GPOINTER_TO_UINT(hash_value);
4916 /* first fragment is always from a SMB Trans command and
4917 offset 0 of the following read/write SMB commands start
4918 BEYOND the first Trans SMB payload. Look for offset
4919 in first read fragment */
4920 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
4922 /* skip to last fragment and add this data there*/
4923 while(fd_head->next){
4924 fd_head=fd_head->next;
4926 /* if dataoffset was not specified in the SMB command
4927 then we try to guess it as good as we can
4930 dataoffset=offset+bc-datalen;
4932 fd_head=fragment_add(tvb, dataoffset, pinfo,
4933 frame, dcerpc_fragment_table,
4934 fd_head->offset+fd_head->len,
4936 /* we completed reassembly, abort searching for more
4939 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
4940 si->sip->extra_info);
4946 /* another way to transport DCERPC over SMB is to skip Transaction completely and just
4949 if(si->sip != NULL && si->sip->flags&SMB_SIF_TID_IS_IPC){
4951 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
4952 top_tree, offset, bc, datalen, fid);
4954 /* ordinary file data, or we didn't see the request,
4955 so we don't know whether this is a DCERPC call
4957 offset = dissect_file_data(tvb, pinfo, tree, offset, bc, datalen);
4964 /* call AndXCommand (if there are any) */
4965 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
4971 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
4974 guint8 wc, cmd=0xff;
4975 guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
4976 smb_info_t *si = (smb_info_t *)pinfo->private_data;
4981 /* next smb command */
4982 cmd = tvb_get_guint8(tvb, offset);
4984 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
4986 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
4991 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
4995 andxoffset = tvb_get_letohs(tvb, offset);
4996 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5000 fid = tvb_get_letohs(tvb, offset);
5001 add_fid(tvb, pinfo, tree, offset, 2, fid);
5003 if (!pinfo->fd->flags.visited) {
5004 /* remember the FID for the processing of the response */
5005 si->sip->extra_info=(void *)fid;
5009 ofs = tvb_get_letohl(tvb, offset);
5010 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
5014 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5018 offset = dissect_write_mode(tvb, pinfo, tree, offset, 0x000f);
5021 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5024 /* XXX - data length high */
5025 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
5029 datalen = tvb_get_letohs(tvb, offset);
5030 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5034 dataoffset=tvb_get_letohs(tvb, offset);
5035 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
5038 /* FIXME: add byte/offset to COL_INFO */
5042 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, TRUE);
5048 /* is this part of DCERPC over SMB reassembly?*/
5049 if(smb_dcerpc_reassembly && !pinfo->fd->flags.visited && (bc<=tvb_length_remaining(tvb, offset)) ){
5050 gpointer hash_value;
5051 hash_value = g_hash_table_lookup(si->ct->dcerpc_fid_to_frame,
5052 si->sip->extra_info);
5054 fragment_data *fd_head;
5055 guint32 frame = GPOINTER_TO_UINT(hash_value);
5057 /* first fragment is always from a SMB Trans command and
5058 offset 0 of the following read/write SMB commands start
5059 BEYOND the first Trans SMB payload. Look for offset
5060 in first read fragment */
5061 fd_head=fragment_get(pinfo, frame, dcerpc_fragment_table);
5063 /* skip to last fragment and add this data there*/
5064 while(fd_head->next){
5065 fd_head=fd_head->next;
5067 /* if dataoffset was not specified in the SMB command
5068 then we try to guess it as good as we can
5071 dataoffset=offset+bc-datalen;
5073 fd_head=fragment_add(tvb, dataoffset, pinfo,
5074 frame, dcerpc_fragment_table,
5075 fd_head->offset+fd_head->len,
5077 /* we completed reassembly, abort searching for more
5080 g_hash_table_remove(si->ct->dcerpc_fid_to_frame,
5081 si->sip->extra_info);
5089 if( (si->sip->flags&SMB_SIF_TID_IS_IPC) && (ofs==0) ){
5091 offset = dissect_file_data_dcerpc(tvb, pinfo, tree,
5092 top_tree, offset, bc, datalen, fid);
5094 /* ordinary file data */
5095 offset = dissect_file_data(tvb, pinfo, tree, offset,
5103 /* call AndXCommand (if there are any) */
5104 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5110 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5112 guint8 wc, cmd=0xff;
5113 guint16 andxoffset=0, bc;
5118 /* next smb command */
5119 cmd = tvb_get_guint8(tvb, offset);
5121 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5123 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5128 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5132 andxoffset = tvb_get_letohs(tvb, offset);
5133 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5136 /* If we have seen the request, then print which FID this refers to */
5137 si = (smb_info_t *)pinfo->private_data;
5138 /* first check if we have seen the request */
5139 if(si->sip != NULL && si->sip->frame_req>0){
5140 add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
5144 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
5148 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
5151 /* 4 reserved bytes */
5152 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5159 /* call AndXCommand (if there are any) */
5160 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5166 static const true_false_string tfs_setup_action_guest = {
5167 "Logged in as GUEST",
5168 "Not logged in as GUEST"
5171 dissect_setup_action(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5174 proto_item *item = NULL;
5175 proto_tree *tree = NULL;
5177 mask = tvb_get_letohs(tvb, offset);
5180 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5181 "Action: 0x%04x", mask);
5182 tree = proto_item_add_subtree(item, ett_smb_setup_action);
5185 proto_tree_add_boolean(tree, hf_smb_setup_action_guest,
5186 tvb, offset, 2, mask);
5195 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5197 guint8 wc, cmd=0xff;
5199 guint16 andxoffset=0;
5206 guint16 apwlen=0, upwlen=0;
5210 /* next smb command */
5211 cmd = tvb_get_guint8(tvb, offset);
5213 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5215 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5220 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5224 andxoffset = tvb_get_letohs(tvb, offset);
5225 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5228 /* Maximum Buffer Size */
5229 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, TRUE);
5232 /* Maximum Multiplex Count */
5233 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, TRUE);
5237 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, TRUE);
5241 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, TRUE);
5246 /* password length, ASCII*/
5247 pwlen = tvb_get_letohs(tvb, offset);
5248 proto_tree_add_uint(tree, hf_smb_password_len,
5249 tvb, offset, 2, pwlen);
5252 /* 4 reserved bytes */
5253 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5259 /* security blob length */
5260 sbloblen = tvb_get_letohs(tvb, offset);
5261 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5264 /* 4 reserved bytes */
5265 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5269 dissect_negprot_capabilities(tvb, pinfo, tree, offset);
5275 /* password length, ANSI*/
5276 apwlen = tvb_get_letohs(tvb, offset);
5277 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
5278 tvb, offset, 2, apwlen);
5281 /* password length, Unicode*/
5282 upwlen = tvb_get_letohs(tvb, offset);
5283 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
5284 tvb, offset, 2, upwlen);
5287 /* 4 reserved bytes */
5288 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
5292 dissect_negprot_capabilities(tvb, pinfo, tree, offset);
5302 /* XXX - is this ASN.1-encoded? Is it a Kerberos
5303 data structure, at least in NT 5.0-and-later
5306 CHECK_BYTE_COUNT(sbloblen);
5307 proto_tree_add_item(tree, hf_smb_security_blob,
5308 tvb, offset, sbloblen, TRUE);
5309 COUNT_BYTES(sbloblen);
5313 an = get_unicode_or_ascii_string(tvb, &offset,
5314 pinfo, &an_len, FALSE, FALSE, &bc);
5317 proto_tree_add_string(tree, hf_smb_os, tvb,
5318 offset, an_len, an);
5319 COUNT_BYTES(an_len);
5322 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5323 * padding/null string/whatever in front of this. W2K doesn't
5324 * appear to. I suspect that's a bug that got fixed; I also
5325 * suspect that, in practice, nobody ever looks at that field
5326 * because the bug didn't appear to get fixed until NT 5.0....
5328 an = get_unicode_or_ascii_string(tvb, &offset,
5329 pinfo, &an_len, FALSE, FALSE, &bc);
5332 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5333 offset, an_len, an);
5334 COUNT_BYTES(an_len);
5336 /* Primary domain */
5337 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5338 * byte in front of this, at least if all the strings are
5339 * ASCII and the account name is empty. Another bug?
5341 dn = get_unicode_or_ascii_string(tvb, &offset,
5342 pinfo, &dn_len, FALSE, FALSE, &bc);
5345 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5346 offset, dn_len, dn);
5347 COUNT_BYTES(dn_len);
5353 /* password, ASCII */
5354 CHECK_BYTE_COUNT(pwlen);
5355 proto_tree_add_item(tree, hf_smb_password,
5356 tvb, offset, pwlen, TRUE);
5364 /* password, ANSI */
5365 CHECK_BYTE_COUNT(apwlen);
5366 proto_tree_add_item(tree, hf_smb_ansi_password,
5367 tvb, offset, apwlen, TRUE);
5368 COUNT_BYTES(apwlen);
5372 /* password, Unicode */
5373 CHECK_BYTE_COUNT(upwlen);
5374 proto_tree_add_item(tree, hf_smb_unicode_password,
5375 tvb, offset, upwlen, TRUE);
5376 COUNT_BYTES(upwlen);
5383 an = get_unicode_or_ascii_string(tvb, &offset,
5384 pinfo, &an_len, FALSE, FALSE, &bc);
5387 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
5389 COUNT_BYTES(an_len);
5391 /* Primary domain */
5392 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
5393 * byte in front of this, at least if all the strings are
5394 * ASCII and the account name is empty. Another bug?
5396 dn = get_unicode_or_ascii_string(tvb, &offset,
5397 pinfo, &dn_len, FALSE, FALSE, &bc);
5400 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5401 offset, dn_len, dn);
5402 COUNT_BYTES(dn_len);
5404 if (check_col(pinfo->cinfo, COL_INFO)) {
5405 col_append_fstr(pinfo->cinfo, COL_INFO, ", User: ");
5407 if (!dn[0] && !an[0])
5408 col_append_fstr(pinfo->cinfo, COL_INFO,
5411 col_append_fstr(pinfo->cinfo, COL_INFO,
5416 an = get_unicode_or_ascii_string(tvb, &offset,
5417 pinfo, &an_len, FALSE, FALSE, &bc);
5420 proto_tree_add_string(tree, hf_smb_os, tvb,
5421 offset, an_len, an);
5422 COUNT_BYTES(an_len);
5425 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
5426 * padding/null string/whatever in front of this. W2K doesn't
5427 * appear to. I suspect that's a bug that got fixed; I also
5428 * suspect that, in practice, nobody ever looks at that field
5429 * because the bug didn't appear to get fixed until NT 5.0....
5431 an = get_unicode_or_ascii_string(tvb, &offset,
5432 pinfo, &an_len, FALSE, FALSE, &bc);
5435 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5436 offset, an_len, an);
5437 COUNT_BYTES(an_len);
5442 /* call AndXCommand (if there are any) */
5443 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5449 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5451 guint8 wc, cmd=0xff;
5452 guint16 andxoffset=0, bc;
5459 /* next smb command */
5460 cmd = tvb_get_guint8(tvb, offset);
5462 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5464 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5469 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5473 andxoffset = tvb_get_letohs(tvb, offset);
5474 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5478 offset = dissect_setup_action(tvb, pinfo, tree, offset);
5481 /* security blob length */
5482 sbloblen = tvb_get_letohs(tvb, offset);
5483 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
5491 /* XXX - is this ASN.1-encoded? Is it a Kerberos
5492 data structure, at least in NT 5.0-and-later
5495 CHECK_BYTE_COUNT(sbloblen);
5496 proto_tree_add_item(tree, hf_smb_security_blob,
5497 tvb, offset, sbloblen, TRUE);
5498 COUNT_BYTES(sbloblen);
5503 an = get_unicode_or_ascii_string(tvb, &offset,
5504 pinfo, &an_len, FALSE, FALSE, &bc);
5507 proto_tree_add_string(tree, hf_smb_os, tvb,
5508 offset, an_len, an);
5509 COUNT_BYTES(an_len);
5512 an = get_unicode_or_ascii_string(tvb, &offset,
5513 pinfo, &an_len, FALSE, FALSE, &bc);
5516 proto_tree_add_string(tree, hf_smb_lanman, tvb,
5517 offset, an_len, an);
5518 COUNT_BYTES(an_len);
5521 /* Primary domain */
5522 an = get_unicode_or_ascii_string(tvb, &offset,
5523 pinfo, &an_len, FALSE, FALSE, &bc);
5526 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
5527 offset, an_len, an);
5528 COUNT_BYTES(an_len);
5533 /* call AndXCommand (if there are any) */
5534 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5541 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5543 guint8 wc, cmd=0xff;
5544 guint16 andxoffset=0;
5549 /* next smb command */
5550 cmd = tvb_get_guint8(tvb, offset);
5552 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5554 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
5559 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5563 andxoffset = tvb_get_letohs(tvb, offset);
5564 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5571 /* call AndXCommand (if there are any) */
5572 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5578 static const true_false_string tfs_connect_support_search = {
5579 "Exclusive search bits supported",
5580 "Exclusive search bits not supported"
5582 static const true_false_string tfs_connect_support_in_dfs = {
5584 "Share isn't in Dfs"
5588 dissect_connect_support_bits(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5591 proto_item *item = NULL;
5592 proto_tree *tree = NULL;
5594 mask = tvb_get_letohs(tvb, offset);
5597 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5598 "Optional Support: 0x%04x", mask);
5599 tree = proto_item_add_subtree(item, ett_smb_connect_support_bits);
5602 proto_tree_add_boolean(tree, hf_smb_connect_support_search,
5603 tvb, offset, 2, mask);
5604 proto_tree_add_boolean(tree, hf_smb_connect_support_in_dfs,
5605 tvb, offset, 2, mask);
5612 static const true_false_string tfs_disconnect_tid = {
5614 "Do NOT disconnect TID"
5618 dissect_connect_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
5621 proto_item *item = NULL;
5622 proto_tree *tree = NULL;
5624 mask = tvb_get_letohs(tvb, offset);
5627 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
5628 "Flags: 0x%04x", mask);
5629 tree = proto_item_add_subtree(item, ett_smb_connect_flags);
5632 proto_tree_add_boolean(tree, hf_smb_connect_flags_dtid,
5633 tvb, offset, 2, mask);
5641 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5643 guint8 wc, cmd=0xff;
5645 guint16 andxoffset=0, pwlen=0;
5651 /* next smb command */
5652 cmd = tvb_get_guint8(tvb, offset);
5654 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5656 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
5661 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5665 andxoffset = tvb_get_letohs(tvb, offset);
5666 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5670 offset = dissect_connect_flags(tvb, pinfo, tree, offset);
5672 /* password length*/
5673 pwlen = tvb_get_letohs(tvb, offset);
5674 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
5680 CHECK_BYTE_COUNT(pwlen);
5681 proto_tree_add_item(tree, hf_smb_password,
5682 tvb, offset, pwlen, TRUE);
5686 an = get_unicode_or_ascii_string(tvb, &offset,
5687 pinfo, &an_len, FALSE, FALSE, &bc);
5690 proto_tree_add_string(tree, hf_smb_path, tvb,
5691 offset, an_len, an);
5692 COUNT_BYTES(an_len);
5694 if (check_col(pinfo->cinfo, COL_INFO)) {
5695 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", an);
5699 * NOTE: the Service string is always ASCII, even if the
5700 * "strings are Unicode" bit is set in the flags2 field
5705 /* XXX - what if this runs past bc? */
5706 an_len = tvb_strsize(tvb, offset);
5707 CHECK_BYTE_COUNT(an_len);
5708 an = tvb_get_ptr(tvb, offset, an_len);
5709 proto_tree_add_string(tree, hf_smb_service, tvb,
5710 offset, an_len, an);
5711 COUNT_BYTES(an_len);
5715 /* call AndXCommand (if there are any) */
5716 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5723 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
5725 guint8 wc, wleft, cmd=0xff;
5726 guint16 andxoffset=0;
5733 wleft = wc; /* this is at least 1 */
5735 /* next smb command */
5736 cmd = tvb_get_guint8(tvb, offset);
5738 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
5740 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
5745 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
5753 andxoffset = tvb_get_letohs(tvb, offset);
5754 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
5761 offset = dissect_connect_support_bits(tvb, pinfo, tree, offset);
5764 /* XXX - I've seen captures where this is 7, but I have no
5765 idea how to dissect it. I'm guessing the third word
5766 contains connect support bits, which looks plausible
5767 from the values I've seen. */
5769 while (wleft != 0) {
5770 proto_tree_add_text(tree, tvb, offset, 2,
5771 "Word parameter: 0x%04x", tvb_get_letohs(tvb, offset));
5779 * NOTE: even though the SNIA CIFS spec doesn't say there's
5780 * a "Service" string if there's a word count of 2, the
5783 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
5785 * (it's in an ugly format - text intended to be sent to a
5786 * printer, with backspaces and overstrikes used for boldfacing
5787 * and underlining; UNIX "col -b" can be used to strip the
5788 * overstrikes out) says there's a "Service" string there, and
5789 * some network traffic has it.
5793 * NOTE: the Service string is always ASCII, even if the
5794 * "strings are Unicode" bit is set in the flags2 field
5799 /* XXX - what if this runs past bc? */
5800 an_len = tvb_strsize(tvb, offset);
5801 CHECK_BYTE_COUNT(an_len);
5802 an = tvb_get_ptr(tvb, offset, an_len);
5803 proto_tree_add_string(tree, hf_smb_service, tvb,
5804 offset, an_len, an);
5805 COUNT_BYTES(an_len);
5807 /* Now when we know the service type, store it so that we know it for later commands down
5809 if(!pinfo->fd->flags.visited){
5810 smb_info_t *si = (smb_info_t *)pinfo->private_data;
5811 /* Remove any previous entry for this TID */
5812 if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
5813 g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
5815 if(strcmp(an,"IPC") == 0){
5816 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
5818 g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_NORMAL);
5826 * Sometimes this isn't present.
5830 an = get_unicode_or_ascii_string(tvb, &offset,
5831 pinfo, &an_len, /*TRUE*/FALSE, FALSE, &bc);
5834 proto_tree_add_string(tree, hf_smb_fs, tvb,
5835 offset, an_len, an);
5836 COUNT_BYTES(an_len);
5842 /* call AndXCommand (if there are any) */
5843 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
5850 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5851 NT Transaction command begins here
5852 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
5853 #define NT_TRANS_CREATE 1
5854 #define NT_TRANS_IOCTL 2
5855 #define NT_TRANS_SSD 3
5856 #define NT_TRANS_NOTIFY 4
5857 #define NT_TRANS_RENAME 5
5858 #define NT_TRANS_QSD 6
5859 #define NT_TRANS_GET_USER_QUOTA 7
5860 #define NT_TRANS_SET_USER_QUOTA 8
5861 static const value_string nt_cmd_vals[] = {
5862 {NT_TRANS_CREATE, "NT CREATE"},
5863 {NT_TRANS_IOCTL, "NT IOCTL"},
5864 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
5865 {NT_TRANS_NOTIFY, "NT NOTIFY"},
5866 {NT_TRANS_RENAME, "NT RENAME"},
5867 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
5868 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
5869 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
5873 static const value_string nt_ioctl_isfsctl_vals[] = {
5874 {0, "Device IOCTL"},
5875 {1, "FS control : FSCTL"},
5879 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
5880 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
5881 "Apply the command to share root handle (MUST BE Dfs)",
5882 "Apply to this share",
5885 static const value_string nt_notify_action_vals[] = {
5886 {1, "ADDED (object was added"},
5887 {2, "REMOVED (object was removed)"},
5888 {3, "MODIFIED (object was modified)"},
5889 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
5890 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
5891 {6, "ADDED_STREAM (a stream was added)"},
5892 {7, "REMOVED_STREAM (a stream was removed)"},
5893 {8, "MODIFIED_STREAM (a stream was modified)"},
5897 static const value_string watch_tree_vals[] = {
5898 {0, "Current directory only"},
5899 {1, "Subdirectories also"},
5903 #define NT_NOTIFY_STREAM_WRITE 0x00000800
5904 #define NT_NOTIFY_STREAM_SIZE 0x00000400
5905 #define NT_NOTIFY_STREAM_NAME 0x00000200
5906 #define NT_NOTIFY_SECURITY 0x00000100
5907 #define NT_NOTIFY_EA 0x00000080
5908 #define NT_NOTIFY_CREATION 0x00000040
5909 #define NT_NOTIFY_LAST_ACCESS 0x00000020
5910 #define NT_NOTIFY_LAST_WRITE 0x00000010
5911 #define NT_NOTIFY_SIZE 0x00000008
5912 #define NT_NOTIFY_ATTRIBUTES 0x00000004
5913 #define NT_NOTIFY_DIR_NAME 0x00000002
5914 #define NT_NOTIFY_FILE_NAME 0x00000001
5915 static const true_false_string tfs_nt_notify_stream_write = {
5916 "Notify on changes to STREAM WRITE",
5917 "Do NOT notify on changes to stream write",
5919 static const true_false_string tfs_nt_notify_stream_size = {
5920 "Notify on changes to STREAM SIZE",
5921 "Do NOT notify on changes to stream size",
5923 static const true_false_string tfs_nt_notify_stream_name = {
5924 "Notify on changes to STREAM NAME",
5925 "Do NOT notify on changes to stream name",
5927 static const true_false_string tfs_nt_notify_security = {
5928 "Notify on changes to SECURITY",
5929 "Do NOT notify on changes to security",
5931 static const true_false_string tfs_nt_notify_ea = {
5932 "Notify on changes to EA",
5933 "Do NOT notify on changes to EA",
5935 static const true_false_string tfs_nt_notify_creation = {
5936 "Notify on changes to CREATION TIME",
5937 "Do NOT notify on changes to creation time",
5939 static const true_false_string tfs_nt_notify_last_access = {
5940 "Notify on changes to LAST ACCESS TIME",
5941 "Do NOT notify on changes to last access time",
5943 static const true_false_string tfs_nt_notify_last_write = {
5944 "Notify on changes to LAST WRITE TIME",
5945 "Do NOT notify on changes to last write time",
5947 static const true_false_string tfs_nt_notify_size = {
5948 "Notify on changes to SIZE",
5949 "Do NOT notify on changes to size",
5951 static const true_false_string tfs_nt_notify_attributes = {
5952 "Notify on changes to ATTRIBUTES",
5953 "Do NOT notify on changes to attributes",
5955 static const true_false_string tfs_nt_notify_dir_name = {
5956 "Notify on changes to DIR NAME",
5957 "Do NOT notify on changes to dir name",
5959 static const true_false_string tfs_nt_notify_file_name = {
5960 "Notify on changes to FILE NAME",
5961 "Do NOT notify on changes to file name",
5964 static const value_string create_disposition_vals[] = {
5965 {0, "Supersede (supersede existing file (if it exists))"},
5966 {1, "Open (if file exists open it, else fail)"},
5967 {2, "Create (if file exists fail, else create it)"},
5968 {3, "Open If (if file exists open it, else create it)"},
5969 {4, "Overwrite (if file exists overwrite, else fail)"},
5970 {5, "Overwrite If (if file exists overwrite, else create it)"},
5974 static const value_string impersonation_level_vals[] = {
5976 {1, "Identification"},
5977 {2, "Impersonation"},
5982 static const true_false_string tfs_nt_security_flags_context_tracking = {
5983 "Security tracking mode is DYNAMIC",
5984 "Security tracking mode is STATIC",
5987 static const true_false_string tfs_nt_security_flags_effective_only = {
5988 "ONLY ENABLED aspects of the client's security context are available",
5989 "ALL aspects of the client's security context are available",
5992 static const true_false_string tfs_nt_create_bits_oplock = {
5993 "Requesting OPLOCK",
5994 "Does NOT request oplock"
5997 static const true_false_string tfs_nt_create_bits_boplock = {
5998 "Requesting BATCH OPLOCK",
5999 "Does NOT request batch oplock"
6003 * XXX - must be a directory, and can be a file, or can be a directory,
6004 * and must be a file?
6006 static const true_false_string tfs_nt_create_bits_dir = {
6007 "Target of open MUST be a DIRECTORY",
6008 "Target of open can be a file"
6011 static const true_false_string tfs_nt_access_mask_generic_read = {
6012 "GENERIC READ is set",
6013 "Generic read is NOT set"
6015 static const true_false_string tfs_nt_access_mask_generic_write = {
6016 "GENERIC WRITE is set",
6017 "Generic write is NOT set"
6019 static const true_false_string tfs_nt_access_mask_generic_execute = {
6020 "GENERIC EXECUTE is set",
6021 "Generic execute is NOT set"
6023 static const true_false_string tfs_nt_access_mask_generic_all = {
6024 "GENERIC ALL is set",
6025 "Generic all is NOT set"
6027 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
6028 "MAXIMUM ALLOWED is set",
6029 "Maximum allowed is NOT set"
6031 static const true_false_string tfs_nt_access_mask_system_security = {
6032 "SYSTEM SECURITY is set",
6033 "System security is NOT set"
6035 static const true_false_string tfs_nt_access_mask_synchronize = {
6036 "Can wait on handle to SYNCHRONIZE on completion of I/O",
6037 "Can NOT wait on handle to synchronize on completion of I/O"
6039 static const true_false_string tfs_nt_access_mask_write_owner = {
6040 "Can WRITE OWNER (take ownership)",
6041 "Can NOT write owner (take ownership)"
6043 static const true_false_string tfs_nt_access_mask_write_dac = {
6044 "OWNER may WRITE the DAC",
6045 "Owner may NOT write to the DAC"
6047 static const true_false_string tfs_nt_access_mask_read_control = {
6048 "READ ACCESS to owner, group and ACL of the SID",
6049 "Read access is NOT granted to owner, group and ACL of the SID"
6051 static const true_false_string tfs_nt_access_mask_delete = {
6055 static const true_false_string tfs_nt_access_mask_write_attributes = {
6056 "WRITE ATTRIBUTES access",
6057 "NO write attributes access"
6059 static const true_false_string tfs_nt_access_mask_read_attributes = {
6060 "READ ATTRIBUTES access",
6061 "NO read attributes access"
6063 static const true_false_string tfs_nt_access_mask_delete_child = {
6064 "DELETE CHILD access",
6065 "NO delete child access"
6067 static const true_false_string tfs_nt_access_mask_execute = {
6071 static const true_false_string tfs_nt_access_mask_write_ea = {
6072 "WRITE EXTENDED ATTRIBUTES access",
6073 "NO write extended attributes access"
6075 static const true_false_string tfs_nt_access_mask_read_ea = {
6076 "READ EXTENDED ATTRIBUTES access",
6077 "NO read extended attributes access"
6079 static const true_false_string tfs_nt_access_mask_append = {
6083 static const true_false_string tfs_nt_access_mask_write = {
6087 static const true_false_string tfs_nt_access_mask_read = {
6092 static const true_false_string tfs_nt_share_access_delete = {
6093 "Object can be shared for DELETE",
6094 "Object can NOT be shared for delete"
6096 static const true_false_string tfs_nt_share_access_write = {
6097 "Object can be shared for WRITE",
6098 "Object can NOT be shared for write"
6100 static const true_false_string tfs_nt_share_access_read = {
6101 "Object can be shared for READ",
6102 "Object can NOT be shared for delete"
6105 static const value_string oplock_level_vals[] = {
6106 {0, "No oplock granted"},
6107 {1, "Exclusive oplock granted"},
6108 {2, "Batch oplock granted"},
6109 {3, "Level II oplock granted"},
6113 static const value_string device_type_vals[] = {
6114 {0x00000001, "Beep"},
6115 {0x00000002, "CDROM"},
6116 {0x00000003, "CDROM Filesystem"},
6117 {0x00000004, "Controller"},
6118 {0x00000005, "Datalink"},
6119 {0x00000006, "Dfs"},
6120 {0x00000007, "Disk"},
6121 {0x00000008, "Disk Filesystem"},
6122 {0x00000009, "Filesystem"},
6123 {0x0000000a, "Inport Port"},
6124 {0x0000000b, "Keyboard"},
6125 {0x0000000c, "Mailslot"},
6126 {0x0000000d, "MIDI-In"},
6127 {0x0000000e, "MIDI-Out"},
6128 {0x0000000f, "Mouse"},
6129 {0x00000010, "Multi UNC Provider"},
6130 {0x00000011, "Named Pipe"},
6131 {0x00000012, "Network"},
6132 {0x00000013, "Network Browser"},
6133 {0x00000014, "Network Filesystem"},
6134 {0x00000015, "NULL"},
6135 {0x00000016, "Parallel Port"},
6136 {0x00000017, "Physical card"},
6137 {0x00000018, "Printer"},
6138 {0x00000019, "Scanner"},
6139 {0x0000001a, "Serial Mouse port"},
6140 {0x0000001b, "Serial port"},
6141 {0x0000001c, "Screen"},
6142 {0x0000001d, "Sound"},
6143 {0x0000001e, "Streams"},
6144 {0x0000001f, "Tape"},
6145 {0x00000020, "Tape Filesystem"},
6146 {0x00000021, "Transport"},
6147 {0x00000022, "Unknown"},
6148 {0x00000023, "Video"},
6149 {0x00000024, "Virtual Disk"},
6150 {0x00000025, "WAVE-In"},
6151 {0x00000026, "WAVE-Out"},
6152 {0x00000027, "8042 Port"},
6153 {0x00000028, "Network Redirector"},
6154 {0x00000029, "Battery"},
6155 {0x0000002a, "Bus Extender"},
6156 {0x0000002b, "Modem"},
6157 {0x0000002c, "VDM"},
6161 static const value_string is_directory_vals[] = {
6162 {0, "This is NOT a directory"},
6163 {1, "This is a DIRECTORY"},
6167 typedef struct _nt_trans_data {
6176 dissect_nt_security_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6179 proto_item *item = NULL;
6180 proto_tree *tree = NULL;
6182 mask = tvb_get_guint8(tvb, offset);
6185 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6186 "Security Flags: 0x%02x", mask);
6187 tree = proto_item_add_subtree(item, ett_smb_nt_security_flags);
6190 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_context_tracking,
6191 tvb, offset, 1, mask);
6192 proto_tree_add_boolean(tree, hf_smb_nt_security_flags_effective_only,
6193 tvb, offset, 1, mask);
6201 dissect_nt_share_access(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6204 proto_item *item = NULL;
6205 proto_tree *tree = NULL;
6207 mask = tvb_get_letohl(tvb, offset);
6210 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6211 "Share Access: 0x%08x", mask);
6212 tree = proto_item_add_subtree(item, ett_smb_nt_share_access);
6215 proto_tree_add_boolean(tree, hf_smb_nt_share_access_delete,
6216 tvb, offset, 4, mask);
6217 proto_tree_add_boolean(tree, hf_smb_nt_share_access_write,
6218 tvb, offset, 4, mask);
6219 proto_tree_add_boolean(tree, hf_smb_nt_share_access_read,
6220 tvb, offset, 4, mask);
6229 dissect_nt_access_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6232 proto_item *item = NULL;
6233 proto_tree *tree = NULL;
6235 mask = tvb_get_letohl(tvb, offset);
6238 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6239 "Access Mask: 0x%08x", mask);
6240 tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
6244 * Some of these bits come from
6246 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6248 * and others come from the section on ZwOpenFile in "Windows(R)
6249 * NT(R)/2000 Native API Reference".
6251 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
6252 tvb, offset, 4, mask);
6253 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
6254 tvb, offset, 4, mask);
6255 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_execute,
6256 tvb, offset, 4, mask);
6257 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_all,
6258 tvb, offset, 4, mask);
6259 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_maximum_allowed,
6260 tvb, offset, 4, mask);
6261 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_system_security,
6262 tvb, offset, 4, mask);
6263 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_synchronize,
6264 tvb, offset, 4, mask);
6265 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_owner,
6266 tvb, offset, 4, mask);
6267 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_dac,
6268 tvb, offset, 4, mask);
6269 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_control,
6270 tvb, offset, 4, mask);
6271 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete,
6272 tvb, offset, 4, mask);
6273 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_attributes,
6274 tvb, offset, 4, mask);
6275 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_attributes,
6276 tvb, offset, 4, mask);
6277 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_delete_child,
6278 tvb, offset, 4, mask);
6279 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_execute,
6280 tvb, offset, 4, mask);
6281 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write_ea,
6282 tvb, offset, 4, mask);
6283 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read_ea,
6284 tvb, offset, 4, mask);
6285 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_append,
6286 tvb, offset, 4, mask);
6287 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_write,
6288 tvb, offset, 4, mask);
6289 proto_tree_add_boolean(tree, hf_smb_nt_access_mask_read,
6290 tvb, offset, 4, mask);
6298 dissect_nt_create_bits(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6301 proto_item *item = NULL;
6302 proto_tree *tree = NULL;
6304 mask = tvb_get_letohl(tvb, offset);
6307 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6308 "Create Flags: 0x%08x", mask);
6309 tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
6313 * XXX - it's 0x00000016 in at least one capture, but
6314 * Network Monitor doesn't say what the 0x00000010 bit is.
6315 * Does the Win32 API documentation, or NT Native API book,
6318 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
6319 tvb, offset, 4, mask);
6320 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
6321 tvb, offset, 4, mask);
6322 proto_tree_add_boolean(tree, hf_smb_nt_create_bits_oplock,
6323 tvb, offset, 4, mask);
6331 * XXX - there are some more flags in the description of "ZwOpenFile()"
6332 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
6333 * the wire as well? (The spec at
6335 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6337 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
6338 * via the SMB protocol. The NT redirector should convert this option
6339 * to FILE_WRITE_THROUGH."
6341 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
6342 * values one would infer from their position in the list of flags for
6343 * "ZwOpenFile()". Most of the others probably have those values
6344 * as well, although "8.3 only" would collide with FILE_OPEN_FOR_RECOVERY,
6345 * which might go over the wire (for the benefit of backup/restore software).
6347 static const true_false_string tfs_nt_create_options_directory = {
6348 "File being created/opened must be a directory",
6349 "File being created/opened must not be a directory"
6351 static const true_false_string tfs_nt_create_options_write_through = {
6352 "Writes should flush buffered data before completing",
6353 "Writes need not flush buffered data before completing"
6355 static const true_false_string tfs_nt_create_options_sequential_only = {
6356 "The file will only be accessed sequentially",
6357 "The file might not only be accessed sequentially"
6359 static const true_false_string tfs_nt_create_options_sync_io_alert = {
6360 "All operations SYNCHRONOUS, waits subject to termination from alert",
6361 "Operations NOT necessarily synchronous"
6363 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
6364 "All operations SYNCHRONOUS, waits not subject to alert",
6365 "Operations NOT necessarily synchronous"
6367 static const true_false_string tfs_nt_create_options_non_directory = {
6368 "File being created/opened must not be a directory",
6369 "File being created/opened must be a directory"
6371 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
6372 "The client does not understand extended attributes",
6373 "The client understands extended attributes"
6375 static const true_false_string tfs_nt_create_options_eight_dot_three_only = {
6376 "The client understands only 8.3 file names",
6377 "The client understands long file names"
6379 static const true_false_string tfs_nt_create_options_random_access = {
6380 "The file will be accessed randomly",
6381 "The file will not be accessed randomly"
6383 static const true_false_string tfs_nt_create_options_delete_on_close = {
6384 "The file should be deleted when it is closed",
6385 "The file should not be deleted when it is closed"
6389 dissect_nt_create_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6392 proto_item *item = NULL;
6393 proto_tree *tree = NULL;
6395 mask = tvb_get_letohl(tvb, offset);
6398 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6399 "Create Options: 0x%08x", mask);
6400 tree = proto_item_add_subtree(item, ett_smb_nt_create_options);
6406 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
6408 proto_tree_add_boolean(tree, hf_smb_nt_create_options_directory_file,
6409 tvb, offset, 4, mask);
6410 proto_tree_add_boolean(tree, hf_smb_nt_create_options_write_through,
6411 tvb, offset, 4, mask);
6412 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sequential_only,
6413 tvb, offset, 4, mask);
6414 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_alert,
6415 tvb, offset, 4, mask);
6416 proto_tree_add_boolean(tree, hf_smb_nt_create_options_sync_io_nonalert,
6417 tvb, offset, 4, mask);
6418 proto_tree_add_boolean(tree, hf_smb_nt_create_options_non_directory_file,
6419 tvb, offset, 4, mask);
6420 proto_tree_add_boolean(tree, hf_smb_nt_create_options_no_ea_knowledge,
6421 tvb, offset, 4, mask);
6422 proto_tree_add_boolean(tree, hf_smb_nt_create_options_eight_dot_three_only,
6423 tvb, offset, 4, mask);
6424 proto_tree_add_boolean(tree, hf_smb_nt_create_options_random_access,
6425 tvb, offset, 4, mask);
6426 proto_tree_add_boolean(tree, hf_smb_nt_create_options_delete_on_close,
6427 tvb, offset, 4, mask);
6435 dissect_nt_notify_completion_filter(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6438 proto_item *item = NULL;
6439 proto_tree *tree = NULL;
6441 mask = tvb_get_letohl(tvb, offset);
6444 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6445 "Completion Filter: 0x%08x", mask);
6446 tree = proto_item_add_subtree(item, ett_smb_nt_notify_completion_filter);
6449 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_write,
6450 tvb, offset, 4, mask);
6451 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_size,
6452 tvb, offset, 4, mask);
6453 proto_tree_add_boolean(tree, hf_smb_nt_notify_stream_name,
6454 tvb, offset, 4, mask);
6455 proto_tree_add_boolean(tree, hf_smb_nt_notify_security,
6456 tvb, offset, 4, mask);
6457 proto_tree_add_boolean(tree, hf_smb_nt_notify_ea,
6458 tvb, offset, 4, mask);
6459 proto_tree_add_boolean(tree, hf_smb_nt_notify_creation,
6460 tvb, offset, 4, mask);
6461 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_access,
6462 tvb, offset, 4, mask);
6463 proto_tree_add_boolean(tree, hf_smb_nt_notify_last_write,
6464 tvb, offset, 4, mask);
6465 proto_tree_add_boolean(tree, hf_smb_nt_notify_size,
6466 tvb, offset, 4, mask);
6467 proto_tree_add_boolean(tree, hf_smb_nt_notify_attributes,
6468 tvb, offset, 4, mask);
6469 proto_tree_add_boolean(tree, hf_smb_nt_notify_dir_name,
6470 tvb, offset, 4, mask);
6471 proto_tree_add_boolean(tree, hf_smb_nt_notify_file_name,
6472 tvb, offset, 4, mask);
6479 dissect_nt_ioctl_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6482 proto_item *item = NULL;
6483 proto_tree *tree = NULL;
6485 mask = tvb_get_guint8(tvb, offset);
6488 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6489 "Completion Filter: 0x%02x", mask);
6490 tree = proto_item_add_subtree(item, ett_smb_nt_ioctl_flags);
6493 proto_tree_add_boolean(tree, hf_smb_nt_ioctl_flags_root_handle,
6494 tvb, offset, 1, mask);
6501 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
6502 * Native API Reference".
6504 static const true_false_string tfs_nt_qsd_owner = {
6505 "Requesting OWNER security information",
6506 "NOT requesting owner security information",
6509 static const true_false_string tfs_nt_qsd_group = {
6510 "Requesting GROUP security information",
6511 "NOT requesting group security information",
6514 static const true_false_string tfs_nt_qsd_dacl = {
6515 "Requesting DACL security information",
6516 "NOT requesting DACL security information",
6519 static const true_false_string tfs_nt_qsd_sacl = {
6520 "Requesting SACL security information",
6521 "NOT requesting SACL security information",
6524 #define NT_QSD_OWNER 0x00000001
6525 #define NT_QSD_GROUP 0x00000002
6526 #define NT_QSD_DACL 0x00000004
6527 #define NT_QSD_SACL 0x00000008
6530 dissect_security_information_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
6533 proto_item *item = NULL;
6534 proto_tree *tree = NULL;
6536 mask = tvb_get_letohl(tvb, offset);
6539 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
6540 "Security Information: 0x%08x", mask);
6541 tree = proto_item_add_subtree(item, ett_smb_security_information_mask);
6544 proto_tree_add_boolean(tree, hf_smb_nt_qsd_owner,
6545 tvb, offset, 4, mask);
6546 proto_tree_add_boolean(tree, hf_smb_nt_qsd_group,
6547 tvb, offset, 4, mask);
6548 proto_tree_add_boolean(tree, hf_smb_nt_qsd_dacl,
6549 tvb, offset, 4, mask);
6550 proto_tree_add_boolean(tree, hf_smb_nt_qsd_sacl,
6551 tvb, offset, 4, mask);
6559 free_g_string(void *arg)
6561 GString *gstring = arg;
6563 g_string_free(arg, TRUE);
6567 dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
6569 proto_item *item = NULL;
6570 proto_tree *tree = NULL;
6571 int old_offset = offset, sa_offset = offset;
6572 guint *s_auths = NULL;
6576 guint auth = 0; /* FIXME: What if it is larger than 32-bits */
6581 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6583 tree = proto_item_add_subtree(item, ett_smb_sid);
6586 /* revision of sid */
6587 revision = tvb_get_guint8(tvb, offset);
6588 proto_tree_add_item(tree, hf_smb_sid_revision, tvb, offset, 1, TRUE);
6593 case 2: /* Not sure what the different revision numbers mean */
6594 /* number of authorities*/
6595 num_auth = tvb_get_guint8(tvb, offset);
6596 proto_tree_add_item(tree, hf_smb_sid_num_auth, tvb, offset, 1, TRUE);
6599 /* XXX perhaps we should have these thing searchable?
6600 a new FT_xxx thingie? SMB is quite common!*/
6601 /* identifier authorities */
6603 /* FIXME: We should dynamically allocate the authorities array,
6604 which is only one thing. Then we don't have to allocate two
6605 strings below etc ...
6609 auth = (auth << 8) + tvb_get_guint8(tvb, offset);
6614 proto_tree_add_text(tree, tvb, offset - 6, 6, "Authority: %u", auth);
6618 CLEANUP_PUSH(free, s_auths);
6620 s_auths = g_malloc(sizeof(guint) * num_auth);
6622 /* sub authorities, leave RID to last */
6623 /* FIXME: If we take an exception now, we lose the whole
6624 sub-authorities string thang */
6625 for(i=0; i < (num_auth > 4?(num_auth - 1):num_auth); i++){
6626 /* XXX should not be letohl but native byteorder according to
6627 samba header files. considering that all non-x86 NT ports
6628 are dead we can (?) assume that non le byte encodings
6629 will be "uncommon"?*/
6630 s_auths[i] = tvb_get_letohl(tvb, offset);
6634 CLEANUP_CALL_AND_POP;
6636 gstr = g_string_new("");
6638 for (i = 0; i < (num_auth>4?(num_auth - 1):num_auth); i++)
6639 g_string_sprintfa(gstr, (i>0 ? "-%u" : "%u"), s_auths[i]);
6641 proto_tree_add_text(tree, tvb, sa_offset, num_auth * 4, "Sub-authorities: %s", gstr->str);
6644 rid = tvb_get_letohl(tvb, offset);
6645 proto_tree_add_text(tree, tvb, offset, 4, "RID: %u", rid);
6646 proto_item_append_text(item, ": S-1-%u-%s-%u", auth, gstr->str, rid);
6650 proto_item_append_text(item, ": S-1-%u-%s", auth, gstr->str);
6655 proto_item_set_len(item, offset-old_offset);
6660 static const value_string ace_type_vals[] = {
6661 { 0, "Access Allowed"},
6662 { 1, "Access Denied"},
6663 { 2, "System Audit"},
6664 { 3, "System Alarm"},
6667 static const true_false_string tfs_ace_flags_object_inherit = {
6668 "Subordinate files will inherit this ACE",
6669 "Subordinate files will not inherit this ACE"
6671 static const true_false_string tfs_ace_flags_container_inherit = {
6672 "Subordinate containers will inherit this ACE",
6673 "Subordinate containers will not inherit this ACE"
6675 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
6676 "Subordinate object will not propagate the inherited ACE further",
6677 "Subordinate object will propagate the inherited ACE further"
6679 static const true_false_string tfs_ace_flags_inherit_only = {
6680 "This ACE does not apply to the current object",
6681 "This ACE applies to the current object"
6683 static const true_false_string tfs_ace_flags_inherited_ace = {
6684 "This ACE was inherited from its parent object",
6685 "This ACE was not inherited from its parent object"
6687 static const true_false_string tfs_ace_flags_successful_access = {
6688 "Successful accesses will be audited",
6689 "Successful accesses will not be audited"
6691 static const true_false_string tfs_ace_flags_failed_access = {
6692 "Failed accesses will be audited",
6693 "Failed accesses will not be audited"
6696 #define APPEND_ACE_TEXT(flag, item, string) \
6699 proto_item_append_text(item, string, sep); \
6704 dissect_nt_v2_ace_flags(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6706 proto_item *item = NULL;
6707 proto_tree *tree = NULL;
6711 mask = tvb_get_guint8(tvb, offset);
6713 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
6714 "NT ACE Flags: 0x%02x", mask);
6715 tree = proto_item_add_subtree(item, ett_smb_ace_flags);
6718 proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
6719 tvb, offset, 1, mask);
6720 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
6722 proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
6723 tvb, offset, 1, mask);
6724 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
6726 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
6727 tvb, offset, 1, mask);
6728 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
6730 proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
6731 tvb, offset, 1, mask);
6732 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
6734 proto_tree_add_boolean(tree, hf_smb_ace_flags_non_propagate_inherit,
6735 tvb, offset, 1, mask);
6736 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
6738 proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
6739 tvb, offset, 1, mask);
6740 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
6742 proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
6743 tvb, offset, 1, mask);
6744 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
6752 dissect_nt_v2_ace(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6754 proto_item *item = NULL;
6755 proto_tree *tree = NULL;
6756 int old_offset = offset;
6759 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6761 tree = proto_item_add_subtree(item, ett_smb_ace);
6766 proto_item_append_text(item, val_to_str(tvb_get_guint8(tvb, offset), ace_type_vals, "Unknown ACE type (%u)"));
6768 proto_tree_add_item(tree, hf_smb_ace_type, tvb, offset, 1, TRUE);
6772 offset = dissect_nt_v2_ace_flags(tvb, pinfo, offset, tree);
6775 proto_tree_add_item(tree, hf_smb_ace_size, tvb, offset, 2, TRUE);
6779 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
6782 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "ACE");
6784 proto_item_set_len(item, offset-old_offset);
6789 dissect_nt_acl(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
6791 proto_item *item = NULL;
6792 proto_tree *tree = NULL;
6793 int old_offset = offset;
6794 guint16 revision, size;
6798 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
6800 tree = proto_item_add_subtree(item, ett_smb_acl);
6804 revision = tvb_get_letohs(tvb, offset);
6805 proto_tree_add_uint(tree, hf_smb_acl_revision,
6806 tvb, offset, 2, revision);
6810 case 2: /* only version we will ever see of this structure?*/
6813 proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
6816 /* number of ace structures */
6817 num_aces = tvb_get_letohl(tvb, offset);
6818 proto_tree_add_uint(tree, hf_smb_acl_num_aces,
6819 tvb, offset, 4, num_aces);
6823 offset=dissect_nt_v2_ace(tvb, pinfo, offset, tree);
6827 proto_item_set_len(item, offset-old_offset);
6831 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
6832 "OWNER is DEFAULTED",
6833 "Owner is NOT defaulted"
6835 static const true_false_string tfs_sec_desc_type_group_defaulted = {
6836 "GROUP is DEFAULTED",
6837 "Group is NOT defaulted"
6839 static const true_false_string tfs_sec_desc_type_dacl_present = {
6841 "DACL is NOT present"
6843 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
6844 "DACL is DEFAULTED",
6845 "DACL is NOT defaulted"
6847 static const true_false_string tfs_sec_desc_type_sacl_present = {
6849 "SACL is NOT present"
6851 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
6852 "SACL is DEFAULTED",
6853 "SACL is NOT defaulted"
6855 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
6856 "DACL has AUTO INHERIT REQUIRED",
6857 "DACL does NOT require auto inherit"
6859 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
6860 "SACL has AUTO INHERIT REQUIRED",
6861 "SACL does NOT require auto inherit"
6863 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
6864 "DACL is AUTO INHERITED",
6865 "DACL is NOT auto inherited"
6867 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
6868 "SACL is AUTO INHERITED",
6869 "SACL is NOT auto inherited"
6871 static const true_false_string tfs_sec_desc_type_dacl_protected = {
6872 "The DACL is PROTECTED",
6873 "The DACL is NOT protected"
6875 static const true_false_string tfs_sec_desc_type_sacl_protected = {
6876 "The SACL is PROTECTED",
6877 "The SACL is NOT protected"
6879 static const true_false_string tfs_sec_desc_type_self_relative = {
6880 "This SecDesc is SELF RELATIVE",
6881 "This SecDesc is NOT self relative"
6886 dissect_nt_sec_desc_type(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
6888 proto_item *item = NULL;
6889 proto_tree *tree = NULL;
6892 mask = tvb_get_letohs(tvb, offset);
6894 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
6895 "Type: 0x%04x", mask);
6896 tree = proto_item_add_subtree(item, ett_smb_sec_desc_type);
6899 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_self_relative,
6900 tvb, offset, 2, mask);
6901 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_protected,
6902 tvb, offset, 2, mask);
6903 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_protected,
6904 tvb, offset, 2, mask);
6905 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherited,
6906 tvb, offset, 2, mask);
6907 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherited,
6908 tvb, offset, 2, mask);
6909 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_auto_inherit_req,
6910 tvb, offset, 2, mask);
6911 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_auto_inherit_req,
6912 tvb, offset, 2, mask);
6913 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_defaulted,
6914 tvb, offset, 2, mask);
6915 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_sacl_present,
6916 tvb, offset, 2, mask);
6917 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_defaulted,
6918 tvb, offset, 2, mask);
6919 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_dacl_present,
6920 tvb, offset, 2, mask);
6921 proto_tree_add_boolean(tree,hf_smb_sec_desc_type_group_defaulted,
6922 tvb, offset, 2, mask);
6923 proto_tree_add_boolean(tree, hf_smb_sec_desc_type_owner_defaulted,
6924 tvb, offset, 2, mask);
6933 dissect_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len)
6935 proto_item *item = NULL;
6936 proto_tree *tree = NULL;
6938 int old_offset = offset;
6939 guint32 owner_sid_offset;
6940 guint32 group_sid_offset;
6941 guint32 sacl_offset;
6942 guint32 dacl_offset;
6945 item = proto_tree_add_text(parent_tree, tvb, offset, len,
6946 "NT Security Descriptor");
6947 tree = proto_item_add_subtree(item, ett_smb_sec_desc);
6951 revision = tvb_get_letohs(tvb, offset);
6952 proto_tree_add_uint(tree, hf_smb_sec_desc_revision,
6953 tvb, offset, 2, revision);
6957 case 1: /* only version we will ever see of this structure?*/
6959 offset = dissect_nt_sec_desc_type(tvb, pinfo, offset, tree);
6961 /* offset to owner sid */
6962 owner_sid_offset = tvb_get_letohl(tvb, offset);
6963 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %d", owner_sid_offset);
6966 /* offset to group sid */
6967 group_sid_offset = tvb_get_letohl(tvb, offset);
6968 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %d", group_sid_offset);
6971 /* offset to sacl */
6972 sacl_offset = tvb_get_letohl(tvb, offset);
6973 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %d", sacl_offset);
6976 /* offset to dacl */
6977 dacl_offset = tvb_get_letohl(tvb, offset);
6978 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %d", dacl_offset);
6982 if(owner_sid_offset){
6983 dissect_nt_sid(tvb, pinfo, old_offset+owner_sid_offset, tree, "Owner");
6987 if(group_sid_offset){
6988 dissect_nt_sid(tvb, pinfo, old_offset+group_sid_offset, tree, "Group");
6993 dissect_nt_acl(tvb, pinfo, old_offset+sacl_offset, tree, "System (SACL)");
6998 dissect_nt_acl(tvb, pinfo, old_offset+dacl_offset, tree, "User (DACL)");
7007 dissect_nt_user_quota(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp)
7009 int old_offset, old_sid_offset;
7015 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7016 qsize=tvb_get_letohl(tvb, offset);
7017 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
7018 COUNT_BYTES_TRANS_SUBR(4);
7020 CHECK_BYTE_COUNT_TRANS_SUBR(4);
7022 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7023 COUNT_BYTES_TRANS_SUBR(4);
7025 /* 16 unknown bytes */
7026 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7027 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7029 COUNT_BYTES_TRANS_SUBR(8);
7031 /* number of bytes for used quota */
7032 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7033 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, TRUE);
7034 COUNT_BYTES_TRANS_SUBR(8);
7036 /* number of bytes for quota warning */
7037 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7038 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
7039 COUNT_BYTES_TRANS_SUBR(8);
7041 /* number of bytes for quota limit */
7042 CHECK_BYTE_COUNT_TRANS_SUBR(8);
7043 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
7044 COUNT_BYTES_TRANS_SUBR(8);
7046 /* SID of the user */
7047 old_sid_offset=offset;
7048 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Quota");
7049 *bcp -= (offset-old_sid_offset);
7052 offset = old_offset+qsize;
7062 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, nt_trans_data *ntd)
7064 proto_item *item = NULL;
7065 proto_tree *tree = NULL;
7067 int old_offset = offset;
7068 guint16 bcp=bc; /* XXX fixme */
7070 si = (smb_info_t *)pinfo->private_data;
7073 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
7075 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7076 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7079 switch(ntd->subcmd){
7080 case NT_TRANS_CREATE:
7081 /* security descriptor */
7083 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, ntd->sd_len);
7086 /* extended attributes */
7088 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ntd->ea_len, TRUE);
7089 offset += ntd->ea_len;
7093 case NT_TRANS_IOCTL:
7095 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, bc, TRUE);
7100 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, bc);
7102 case NT_TRANS_NOTIFY:
7104 case NT_TRANS_RENAME:
7105 /* XXX not documented */
7109 case NT_TRANS_GET_USER_QUOTA:
7110 /* unknown 4 bytes */
7111 proto_tree_add_item(tree, hf_smb_unknown, tvb,
7116 proto_tree_add_text(tree, tvb, offset, 4, "Length of SID: %d", tvb_get_letohl(tvb, offset));
7119 offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Quota");
7121 case NT_TRANS_SET_USER_QUOTA:
7122 offset = dissect_nt_user_quota(tvb, pinfo, tree, offset, &bcp);
7126 /* ooops there were data we didnt know how to process */
7127 if((offset-old_offset) < bc){
7128 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
7129 bc - (offset-old_offset), TRUE);
7130 offset += bc - (offset-old_offset);
7137 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7139 proto_item *item = NULL;
7140 proto_tree *tree = NULL;
7145 si = (smb_info_t *)pinfo->private_data;
7148 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7150 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7151 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7154 switch(ntd->subcmd){
7155 case NT_TRANS_CREATE:
7157 offset = dissect_nt_create_bits(tvb, pinfo, tree, offset);
7160 /* root directory fid */
7161 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
7164 /* nt access mask */
7165 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
7168 /* allocation size */
7169 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7172 /* Extended File Attributes */
7173 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
7177 offset = dissect_nt_share_access(tvb, pinfo, tree, offset);
7180 /* create disposition */
7181 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
7184 /* create options */
7185 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
7189 ntd->sd_len = tvb_get_letohl(tvb, offset);
7190 proto_tree_add_uint(tree, hf_smb_sd_length, tvb, offset, 4, ntd->sd_len);
7194 ntd->ea_len = tvb_get_letohl(tvb, offset);
7195 proto_tree_add_uint(tree, hf_smb_ea_length, tvb, offset, 4, ntd->ea_len);
7199 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7200 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7203 /* impersonation level */
7204 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
7207 /* security flags */
7208 offset = dissect_nt_security_flags(tvb, pinfo, tree, offset);
7212 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, &bc);
7214 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7216 COUNT_BYTES(fn_len);
7220 case NT_TRANS_IOCTL:
7222 case NT_TRANS_SSD: {
7226 fid = tvb_get_letohs(tvb, offset);
7227 add_fid(tvb, pinfo, tree, offset, 2, fid);
7230 /* 2 reserved bytes */
7231 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7234 /* security information */
7235 offset = dissect_security_information_mask(tvb, pinfo, tree, offset);
7238 case NT_TRANS_NOTIFY:
7240 case NT_TRANS_RENAME:
7241 /* XXX not documented */
7243 case NT_TRANS_QSD: {
7247 fid = tvb_get_letohs(tvb, offset);
7248 add_fid(tvb, pinfo, tree, offset, 2, fid);
7251 /* 2 reserved bytes */
7252 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7255 /* security information */
7256 offset = dissect_security_information_mask(tvb, pinfo, tree, offset);
7259 case NT_TRANS_GET_USER_QUOTA:
7260 /* not decoded yet */
7262 case NT_TRANS_SET_USER_QUOTA:
7263 /* not decoded yet */
7271 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7273 proto_item *item = NULL;
7274 proto_tree *tree = NULL;
7276 int old_offset = offset;
7278 si = (smb_info_t *)pinfo->private_data;
7281 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7283 val_to_str(ntd->subcmd, nt_cmd_vals, "Unknown NT transaction (%u)"));
7284 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7287 switch(ntd->subcmd){
7288 case NT_TRANS_CREATE:
7290 case NT_TRANS_IOCTL: {
7294 proto_tree_add_item(tree, hf_smb_nt_ioctl_function_code, tvb, offset, 4, TRUE);
7298 fid = tvb_get_letohs(tvb, offset);
7299 add_fid(tvb, pinfo, tree, offset, 2, fid);
7303 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, TRUE);
7307 offset = dissect_nt_ioctl_flags(tvb, pinfo, tree, offset);
7313 case NT_TRANS_NOTIFY: {
7316 /* completion filter */
7317 offset = dissect_nt_notify_completion_filter(tvb, pinfo, tree, offset);
7320 fid = tvb_get_letohs(tvb, offset);
7321 add_fid(tvb, pinfo, tree, offset, 2, fid);
7325 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, TRUE);
7329 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7334 case NT_TRANS_RENAME:
7335 /* XXX not documented */
7339 case NT_TRANS_GET_USER_QUOTA:
7340 /* not decoded yet */
7342 case NT_TRANS_SET_USER_QUOTA:
7343 /* not decoded yet */
7347 return old_offset+len;
7352 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7355 guint32 pc=0, po=0, pd, dc=0, od=0, dd;
7357 smb_saved_info_t *sip;
7362 smb_nt_transact_info_t *nti;
7364 si = (smb_info_t *)pinfo->private_data;
7370 /* primary request */
7371 /* max setup count */
7372 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, TRUE);
7375 /* 2 reserved bytes */
7376 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
7379 /* secondary request */
7380 /* 3 reserved bytes */
7381 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7386 /* total param count */
7387 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 4, TRUE);
7390 /* total data count */
7391 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 4, TRUE);
7395 /* primary request */
7396 /* max param count */
7397 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, TRUE);
7400 /* max data count */
7401 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, TRUE);
7406 pc = tvb_get_letohl(tvb, offset);
7407 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7411 po = tvb_get_letohl(tvb, offset);
7412 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7415 /* param displacement */
7417 /* primary request*/
7420 /* secondary request */
7421 pd = tvb_get_letohl(tvb, offset);
7422 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
7427 dc = tvb_get_letohl(tvb, offset);
7428 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7432 od = tvb_get_letohl(tvb, offset);
7433 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7436 /* data displacement */
7438 /* primary request */
7441 /* secondary request */
7442 dd = tvb_get_letohl(tvb, offset);
7443 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7449 /* primary request */
7450 sc = tvb_get_guint8(tvb, offset);
7451 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7454 /* secondary request */
7460 /* primary request */
7461 subcmd = tvb_get_letohs(tvb, offset);
7462 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
7463 if(check_col(pinfo->cinfo, COL_INFO)){
7464 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7465 val_to_str(subcmd, nt_cmd_vals, "<unknown>"));
7467 ntd.subcmd = subcmd;
7469 if(!pinfo->fd->flags.visited){
7471 * Allocate a new smb_nt_transact_info_t
7474 nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
7475 nti->subcmd = subcmd;
7476 sip->extra_info = nti;
7480 /* secondary request */
7481 if(check_col(pinfo->cinfo, COL_INFO)){
7482 col_append_fstr(pinfo->cinfo, COL_INFO, " (secondary request)");
7487 /* this is a padding byte */
7490 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, TRUE);
7494 /* if there were any setup bytes, decode them */
7496 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, &ntd);
7503 if(po>(guint32)offset){
7504 /* We have some initial padding bytes.
7509 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7510 COUNT_BYTES(padcnt);
7513 CHECK_BYTE_COUNT(pc);
7514 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, &ntd, bc);
7519 if(od>(guint32)offset){
7520 /* We have some initial padding bytes.
7525 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7526 COUNT_BYTES(padcnt);
7529 CHECK_BYTE_COUNT(dc);
7530 dissect_nt_trans_data_request(tvb, pinfo, offset, tree, dc, &ntd);
7542 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7544 proto_item *item = NULL;
7545 proto_tree *tree = NULL;
7547 smb_nt_transact_info_t *nti;
7550 si = (smb_info_t *)pinfo->private_data;
7551 if (si->sip != NULL)
7552 nti = si->sip->extra_info;
7558 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7560 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7563 * We never saw the request to which this is a
7566 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7567 "Unknown NT Transaction Data (matching request not seen)");
7569 tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
7576 switch(nti->subcmd){
7577 case NT_TRANS_CREATE:
7579 case NT_TRANS_IOCTL:
7581 proto_tree_add_item(tree, hf_smb_nt_ioctl_data, tvb, offset, len, TRUE);
7587 case NT_TRANS_NOTIFY:
7589 case NT_TRANS_RENAME:
7590 /* XXX not documented */
7594 * XXX - this is probably a SECURITY_DESCRIPTOR structure,
7595 * which may be documented in the Win32 documentation
7598 offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, len);
7600 case NT_TRANS_GET_USER_QUOTA:
7602 offset = dissect_nt_user_quota(tvb, pinfo, tree, offset, &bcp);
7604 case NT_TRANS_SET_USER_QUOTA:
7605 /* not decoded yet */
7613 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd, guint16 bc)
7615 proto_item *item = NULL;
7616 proto_tree *tree = NULL;
7620 smb_nt_transact_info_t *nti;
7623 si = (smb_info_t *)pinfo->private_data;
7624 if (si->sip != NULL)
7625 nti = si->sip->extra_info;
7631 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7633 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7636 * We never saw the request to which this is a
7639 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7640 "Unknown NT Transaction Parameters (matching request not seen)");
7642 tree = proto_item_add_subtree(item, ett_smb_nt_trans_param);
7649 switch(nti->subcmd){
7650 case NT_TRANS_CREATE:
7652 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
7656 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
7660 fid = tvb_get_letohs(tvb, offset);
7661 add_fid(tvb, pinfo, tree, offset, 2, fid);
7665 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
7668 /* ea error offset */
7669 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, TRUE);
7673 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7674 hf_smb_create_time);
7677 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7678 hf_smb_access_time);
7680 /* last write time */
7681 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7682 hf_smb_last_write_time);
7684 /* last change time */
7685 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
7686 hf_smb_change_time);
7688 /* Extended File Attributes */
7689 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
7691 /* allocation size */
7692 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
7696 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
7700 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
7704 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
7707 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
7710 case NT_TRANS_IOCTL:
7714 case NT_TRANS_NOTIFY:
7716 /* next entry offset */
7717 proto_tree_add_item(tree, hf_smb_next_entry_offset, tvb, offset, 4, TRUE);
7720 /* broken implementations */
7724 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, TRUE);
7727 /* broken implementations */
7731 fn_len = (guint32)tvb_get_letohl(tvb, offset);
7732 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
7735 /* broken implementations */
7739 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, &bc);
7742 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
7744 COUNT_BYTES(fn_len);
7746 /* broken implementations */
7751 case NT_TRANS_RENAME:
7752 /* XXX not documented */
7756 * This appears to be the size of the security
7757 * descriptor; the calling sequence of
7758 * "ZwQuerySecurityObject()" suggests that it would
7759 * be. The actual security descriptor wouldn't
7760 * follow if the max data count in the request
7761 * was smaller; this lets the client know how
7762 * big a buffer it needs to provide.
7764 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, TRUE);
7767 case NT_TRANS_GET_USER_QUOTA:
7768 proto_tree_add_text(tree, tvb, offset, 4, "Size of returned Quota data: %d",
7769 tvb_get_letohl(tvb, offset));
7772 case NT_TRANS_SET_USER_QUOTA:
7773 /* not decoded yet */
7781 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, nt_trans_data *ntd)
7783 proto_item *item = NULL;
7784 proto_tree *tree = NULL;
7786 smb_nt_transact_info_t *nti;
7788 si = (smb_info_t *)pinfo->private_data;
7789 if (si->sip != NULL)
7790 nti = si->sip->extra_info;
7796 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7798 val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)"));
7801 * We never saw the request to which this is a
7804 item = proto_tree_add_text(parent_tree, tvb, offset, len,
7805 "Unknown NT Transaction Setup (matching request not seen)");
7807 tree = proto_item_add_subtree(item, ett_smb_nt_trans_setup);
7814 switch(nti->subcmd){
7815 case NT_TRANS_CREATE:
7817 case NT_TRANS_IOCTL:
7821 case NT_TRANS_NOTIFY:
7823 case NT_TRANS_RENAME:
7824 /* XXX not documented */
7828 case NT_TRANS_GET_USER_QUOTA:
7829 /* not decoded yet */
7831 case NT_TRANS_SET_USER_QUOTA:
7832 /* not decoded yet */
7840 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
7843 guint32 pc=0, po=0, pd=0, dc=0, od=0, dd=0;
7846 smb_nt_transact_info_t *nti;
7847 static nt_trans_data ntd;
7850 fragment_data *r_fd = NULL;
7851 tvbuff_t *pd_tvb=NULL;
7852 gboolean save_fragmented;
7854 si = (smb_info_t *)pinfo->private_data;
7855 if (si->sip != NULL)
7856 nti = si->sip->extra_info;
7860 /* primary request */
7862 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
7863 if(check_col(pinfo->cinfo, COL_INFO)){
7864 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
7865 val_to_str(nti->subcmd, nt_cmd_vals, "<unknown (%u)>"));
7868 proto_tree_add_text(tree, tvb, offset, 0,
7869 "Function: <unknown function - could not find matching request>");
7870 if(check_col(pinfo->cinfo, COL_INFO)){
7871 col_append_fstr(pinfo->cinfo, COL_INFO, ", <unknown>");
7877 /* 3 reserved bytes */
7878 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
7881 /* total param count */
7882 tp = tvb_get_letohl(tvb, offset);
7883 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
7886 /* total data count */
7887 td = tvb_get_letohl(tvb, offset);
7888 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
7892 pc = tvb_get_letohl(tvb, offset);
7893 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
7897 po = tvb_get_letohl(tvb, offset);
7898 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
7901 /* param displacement */
7902 pd = tvb_get_letohl(tvb, offset);
7903 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
7907 dc = tvb_get_letohl(tvb, offset);
7908 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
7912 od = tvb_get_letohl(tvb, offset);
7913 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
7916 /* data displacement */
7917 dd = tvb_get_letohl(tvb, offset);
7918 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
7922 sc = tvb_get_guint8(tvb, offset);
7923 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
7928 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, &ntd);
7934 /* reassembly of SMB NT Transaction data payload.
7935 In this section we do reassembly of both the data and parameters
7936 blocks of the SMB transaction command.
7938 save_fragmented = pinfo->fragmented;
7939 /* do we need reassembly? */
7940 if( (td&&(td!=dc)) || (tp&&(tp!=pc)) ){
7941 /* oh yeah, either data or parameter section needs
7944 pinfo->fragmented = TRUE;
7945 if(smb_trans_reassembly){
7946 /* ...and we were told to do reassembly */
7947 if(pc && ((unsigned int)tvb_length_remaining(tvb, po)>=pc) ){
7948 r_fd = smb_trans_defragment(tree, pinfo, tvb,
7952 if((r_fd==NULL) && dc && ((unsigned int)tvb_length_remaining(tvb, od)>=dc) ){
7953 r_fd = smb_trans_defragment(tree, pinfo, tvb,
7954 od, dc, dd+tp, td+tp);
7959 /* if we got a reassembled fd structure from the reassembly routine we
7960 must create pd_tvb from it
7967 it = proto_tree_add_text(tree, tvb, 0, 0, "Fragments");
7968 tr = proto_item_add_subtree(it, ett_smb_segments);
7969 for(fd=r_fd->next;fd;fd=fd->next){
7970 proto_tree_add_text(tr, tvb, 0, 0, "Frame:%u Data:%u-%u",
7971 fd->frame, fd->offset, fd->offset+fd->len-1);
7974 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
7976 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
7977 add_new_data_source(pinfo->fd, pd_tvb, "Reassembled SMB");
7978 pinfo->fragmented = FALSE;
7983 /* we have reassembled data, grab param and data from there */
7984 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
7985 &ntd, tvb_length(pd_tvb));
7986 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
7988 /* we do not have reassembled data, just use what we have in the
7989 packet as well as we can */
7991 if(po>(guint32)offset){
7992 /* We have some initial padding bytes.
7997 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
7998 COUNT_BYTES(padcnt);
8001 CHECK_BYTE_COUNT(pc);
8002 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, &ntd, bc);
8007 if(od>(guint32)offset){
8008 /* We have some initial padding bytes.
8013 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
8014 COUNT_BYTES(padcnt);
8017 CHECK_BYTE_COUNT(dc);
8018 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, &ntd);
8022 pinfo->fragmented = save_fragmented;
8029 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8030 NT Transaction command ends here
8031 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8033 static const value_string print_mode_vals[] = {
8035 {1, "Graphics Mode"},
8040 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8050 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, TRUE);
8054 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, TRUE);
8060 CHECK_BYTE_COUNT(1);
8061 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8064 /* print identifier */
8065 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, FALSE, &bc);
8068 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
8070 COUNT_BYTES(fn_len);
8079 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8088 fid = tvb_get_letohs(tvb, offset);
8089 add_fid(tvb, pinfo, tree, offset, 2, fid);
8095 CHECK_BYTE_COUNT(1);
8096 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8100 CHECK_BYTE_COUNT(2);
8101 cnt = tvb_get_letohs(tvb, offset);
8102 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
8106 offset = dissect_file_data(tvb, pinfo, tree, offset, cnt, cnt);
8114 static const value_string print_status_vals[] = {
8115 {1, "Held or Stopped"},
8117 {3, "Awaiting print"},
8118 {4, "In intercept"},
8119 {5, "File had error"},
8120 {6, "Printer error"},
8125 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8133 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
8137 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, TRUE);
8148 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
8149 proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc)
8151 proto_item *item = NULL;
8152 proto_tree *tree = NULL;
8157 item = proto_tree_add_text(parent_tree, tvb, offset, 28,
8159 tree = proto_item_add_subtree(item, ett_smb_print_queue_entry);
8163 CHECK_BYTE_COUNT_SUBR(4);
8164 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
8165 hf_smb_print_queue_date,
8166 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, FALSE);
8170 CHECK_BYTE_COUNT_SUBR(1);
8171 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, TRUE);
8172 COUNT_BYTES_SUBR(1);
8174 /* spool file number */
8175 CHECK_BYTE_COUNT_SUBR(2);
8176 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, TRUE);
8177 COUNT_BYTES_SUBR(2);
8179 /* spool file size */
8180 CHECK_BYTE_COUNT_SUBR(4);
8181 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, TRUE);
8182 COUNT_BYTES_SUBR(4);
8185 CHECK_BYTE_COUNT_SUBR(1);
8186 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8187 COUNT_BYTES_SUBR(1);
8191 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, TRUE, TRUE, bcp);
8192 CHECK_STRING_SUBR(fn);
8193 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
8195 COUNT_BYTES_SUBR(fn_len);
8202 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8212 cnt = tvb_get_letohs(tvb, offset);
8213 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
8217 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, TRUE);
8223 CHECK_BYTE_COUNT(1);
8224 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
8228 CHECK_BYTE_COUNT(2);
8229 len = tvb_get_letohs(tvb, offset);
8230 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
8233 /* queue elements */
8235 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
8248 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8250 guint8 wc, cmd=0xff;
8251 guint16 andxoffset=0;
8258 /* next smb command */
8259 cmd = tvb_get_guint8(tvb, offset);
8261 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8263 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
8268 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8272 andxoffset = tvb_get_letohs(tvb, offset);
8273 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8277 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8281 fn_len = tvb_get_letohs(tvb, offset);
8282 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
8286 offset = dissect_nt_create_bits(tvb, pinfo, tree, offset);
8288 /* root directory fid */
8289 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
8292 /* nt access mask */
8293 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
8295 /* allocation size */
8296 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8299 /* Extended File Attributes */
8300 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
8303 offset = dissect_nt_share_access(tvb, pinfo, tree, offset);
8305 /* create disposition */
8306 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
8309 /* create options */
8310 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
8312 /* impersonation level */
8313 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
8316 /* security flags */
8317 offset = dissect_nt_security_flags(tvb, pinfo, tree, offset);
8322 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8325 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8327 COUNT_BYTES(fn_len);
8329 if (check_col(pinfo->cinfo, COL_INFO)) {
8330 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
8335 /* call AndXCommand (if there are any) */
8336 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
8343 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8345 guint8 wc, cmd=0xff;
8346 guint16 andxoffset=0;
8352 /* next smb command */
8353 cmd = tvb_get_guint8(tvb, offset);
8355 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
8357 proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
8362 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
8366 andxoffset = tvb_get_letohs(tvb, offset);
8367 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8371 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
8375 fid = tvb_get_letohs(tvb, offset);
8376 add_fid(tvb, pinfo, tree, offset, 2, fid);
8380 /*XXX is this really the same as create disposition in the request? it looks so*/
8381 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
8385 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8386 hf_smb_create_time);
8389 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8390 hf_smb_access_time);
8392 /* last write time */
8393 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8394 hf_smb_last_write_time);
8396 /* last change time */
8397 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
8398 hf_smb_change_time);
8400 /* Extended File Attributes */
8401 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
8403 /* allocation size */
8404 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
8408 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
8412 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
8416 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
8419 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
8426 /* call AndXCommand (if there are any) */
8427 dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
8434 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
8448 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8449 BEGIN Transaction/Transaction2 Primary and secondary requests
8450 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8453 static const value_string trans2_cmd_vals[] = {
8455 { 0x01, "FIND_FIRST2" },
8456 { 0x02, "FIND_NEXT2" },
8457 { 0x03, "QUERY_FS_INFORMATION" },
8458 { 0x04, "SET_FS_QUOTA" },
8459 { 0x05, "QUERY_PATH_INFORMATION" },
8460 { 0x06, "SET_PATH_INFORMATION" },
8461 { 0x07, "QUERY_FILE_INFORMATION" },
8462 { 0x08, "SET_FILE_INFORMATION" },
8465 { 0x0B, "FIND_NOTIFY_FIRST" },
8466 { 0x0C, "FIND_NOTIFY_NEXT" },
8467 { 0x0D, "CREATE_DIRECTORY" },
8468 { 0x0E, "SESSION_SETUP" },
8469 { 0x10, "GET_DFS_REFERRAL" },
8470 { 0x11, "REPORT_DFS_INCONSISTENCY" },
8474 static const true_false_string tfs_tf_dtid = {
8475 "Also DISCONNECT TID",
8476 "Do NOT disconnect TID"
8478 static const true_false_string tfs_tf_owt = {
8479 "One Way Transaction (NO RESPONSE)",
8480 "Two way transaction"
8483 static const true_false_string tfs_ff2_backup = {
8484 "Find WITH backup intent",
8487 static const true_false_string tfs_ff2_continue = {
8488 "CONTINUE search from previous position",
8489 "New search, do NOT continue from previous position"
8491 static const true_false_string tfs_ff2_resume = {
8492 "Return RESUME keys",
8493 "Do NOT return resume keys"
8495 static const true_false_string tfs_ff2_close_eos = {
8496 "CLOSE search if END OF SEARCH is reached",
8497 "Do NOT close search if end of search reached"
8499 static const true_false_string tfs_ff2_close = {
8500 "CLOSE search after this request",
8501 "Do NOT close search after this request"
8507 static const value_string ff2_il_vals[] = {
8508 { 1, "Info Standard (4.3.4.1)"},
8509 { 2, "Info Query EA Size (4.3.4.2)"},
8510 { 3, "Info Query EAs From List (4.3.4.2)"},
8511 { 0x0101, "Find File Directory Info (4.3.4.4)"},
8512 { 0x0102, "Find File Full Directory Info (4.3.4.5)"},
8513 { 0x0103, "Find File Names Info (4.3.4.7)"},
8514 { 0x0104, "Find File Both Directory Info (4.3.4.6)"},
8515 { 0x0202, "Find File UNIX (4.3.4.8)"},
8520 TRANS2_QUERY_PATH_INFORMATION
8521 TRANS2_SET_PATH_INFORMATION
8523 static const value_string qpi_loi_vals[] = {
8524 { 1, "Info Standard (4.2.14.1)"},
8525 { 2, "Info Query EA Size (4.2.14.1)"},
8526 { 3, "Info Query EAs From List (4.2.14.2)"},
8527 { 4, "Info Query All EAs (4.2.14.2)"},
8528 { 6, "Info Is Name Valid (4.2.14.3)"},
8529 { 0x0101, "Query File Basic Info (4.2.14.4)"},
8530 { 0x0102, "Query File Standard Info (4.2.14.5)"},
8531 { 0x0103, "Query File EA Info (4.2.14.6)"},
8532 { 0x0104, "Query File Name Info (4.2.14.7)"},
8533 { 0x0107, "Query File All Info (4.2.14.8)"},
8534 { 0x0108, "Query File Alt File Info (4.2.14.7)"},
8535 { 0x0109, "Query File Stream Info (4.2.14.10)"},
8536 { 0x010b, "Query File Compression Info (4.2.14.11)"},
8537 { 0x0200, "Set File Unix Basic"},
8538 { 0x0201, "Set File Unix Link"},
8539 { 0x0202, "Set File Unix HardLink"},
8543 static const value_string qfsi_vals[] = {
8544 { 1, "Info Allocation"},
8545 { 2, "Info Volume"},
8546 { 0x0102, "Query FS Volume Info"},
8547 { 0x0103, "Query FS Size Info"},
8548 { 0x0104, "Query FS Device Info"},
8549 { 0x0105, "Query FS Attribute Info"},
8550 { 1006, "Query FS Quota Info"},
8554 static const value_string delete_pending_vals[] = {
8555 {0, "Normal, no pending delete"},
8556 {1, "This object has DELETE PENDING"},
8560 static const value_string alignment_vals[] = {
8561 {0, "Byte alignment"},
8562 {1, "Word (16bit) alignment"},
8563 {3, "Long (32bit) alignment"},
8564 {7, "8 byte boundary alignment"},
8565 {0x0f, "16 byte boundary alignment"},
8566 {0x1f, "32 byte boundary alignment"},
8567 {0x3f, "64 byte boundary alignment"},
8568 {0x7f, "128 byte boundary alignment"},
8569 {0xff, "256 byte boundary alignment"},
8570 {0x1ff, "512 byte boundary alignment"},
8575 static const true_false_string tfs_get_dfs_server_hold_storage = {
8576 "Referral SERVER HOLDS STORAGE for the file",
8577 "Referral server does NOT hold storage for the file"
8579 static const true_false_string tfs_get_dfs_fielding = {
8580 "The server in referral is FIELDING CAPABLE",
8581 "The server in referrals is NOT fielding capable"
8584 static const true_false_string tfs_dfs_referral_flags_strip = {
8585 "STRIP off pathconsumed characters before submitting",
8586 "Do NOT strip off any characters"
8589 static const value_string dfs_referral_server_type_vals[] = {
8592 {2, "Netware Server"},
8593 {3, "Domain Server"},
8598 static const true_false_string tfs_device_char_removable = {
8599 "This is a REMOVABLE device",
8600 "This is NOT a removable device"
8602 static const true_false_string tfs_device_char_read_only = {
8603 "This is a READ-ONLY device",
8604 "This is NOT a read-only device"
8606 static const true_false_string tfs_device_char_floppy = {
8607 "This is a FLOPPY DISK device",
8608 "This is NOT a floppy disk device"
8610 static const true_false_string tfs_device_char_write_once = {
8611 "This is a WRITE-ONCE device",
8612 "This is NOT a write-once device"
8614 static const true_false_string tfs_device_char_remote = {
8615 "This is a REMOTE device",
8616 "This is NOT a remote device"
8618 static const true_false_string tfs_device_char_mounted = {
8619 "This device is MOUNTED",
8620 "This device is NOT mounted"
8622 static const true_false_string tfs_device_char_virtual = {
8623 "This is a VIRTUAL device",
8624 "This is NOT a virtual device"
8628 static const true_false_string tfs_fs_attr_css = {
8629 "This FS supports CASE SENSITIVE SEARCHes",
8630 "This FS does NOT support case sensitive searches"
8632 static const true_false_string tfs_fs_attr_cpn = {
8633 "This FS supports CASE PRESERVED NAMES",
8634 "This FS does NOT support case preserved names"
8636 static const true_false_string tfs_fs_attr_pacls = {
8637 "This FS supports PERSISTENT ACLs",
8638 "This FS does NOT support persistent acls"
8640 static const true_false_string tfs_fs_attr_fc = {
8641 "This FS supports COMPRESSED FILES",
8642 "This FS does NOT support compressed files"
8644 static const true_false_string tfs_fs_attr_vq = {
8645 "This FS supports VOLUME QUOTAS",
8646 "This FS does NOT support volume quotas"
8648 static const true_false_string tfs_fs_attr_dim = {
8649 "This FS is on a MOUNTED DEVICE",
8650 "This FS is NOT on a mounted device"
8652 static const true_false_string tfs_fs_attr_vic = {
8653 "This FS is on a COMPRESSED VOLUME",
8654 "This FS is NOT on a compressed volume"
8660 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
8663 proto_item *item = NULL;
8664 proto_tree *tree = NULL;
8666 mask = tvb_get_letohs(tvb, offset);
8669 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
8670 "Flags: 0x%04x", mask);
8671 tree = proto_item_add_subtree(item, ett_smb_find_first2_flags);
8674 proto_tree_add_boolean(tree, hf_smb_ff2_backup,
8675 tvb, offset, 2, mask);
8676 proto_tree_add_boolean(tree, hf_smb_ff2_continue,
8677 tvb, offset, 2, mask);
8678 proto_tree_add_boolean(tree, hf_smb_ff2_resume,
8679 tvb, offset, 2, mask);
8680 proto_tree_add_boolean(tree, hf_smb_ff2_close_eos,
8681 tvb, offset, 2, mask);
8682 proto_tree_add_boolean(tree, hf_smb_ff2_close,
8683 tvb, offset, 2, mask);
8691 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
8692 proto_tree *parent_tree, int offset, int subcmd, guint16 bc)
8694 proto_item *item = NULL;
8695 proto_tree *tree = NULL;
8697 smb_transact2_info_t *t2i;
8700 int old_offset = offset;
8702 si = (smb_info_t *)pinfo->private_data;
8703 if (si->sip != NULL)
8704 t2i = si->sip->extra_info;
8709 item = proto_tree_add_text(parent_tree, tvb, offset, bc,
8711 val_to_str(subcmd, trans2_cmd_vals,
8712 "Unknown (0x%02x)"));
8713 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
8717 case 0x00: /*TRANS2_OPEN2*/
8719 CHECK_BYTE_COUNT_TRANS(2);
8720 offset = dissect_open_flags(tvb, pinfo, tree, offset, 0x000f);
8723 /* desired access */
8724 CHECK_BYTE_COUNT_TRANS(2);
8725 offset = dissect_access(tvb, pinfo, tree, offset, "Desired");
8728 /* 2 reserved bytes */
8729 CHECK_BYTE_COUNT_TRANS(2);
8730 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8731 COUNT_BYTES_TRANS(2);
8733 /* File Attributes */
8734 CHECK_BYTE_COUNT_TRANS(2);
8735 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
8739 CHECK_BYTE_COUNT_TRANS(4);
8740 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
8742 hf_smb_create_dos_date, hf_smb_create_dos_time,
8747 CHECK_BYTE_COUNT_TRANS(2);
8748 offset = dissect_open_function(tvb, pinfo, tree, offset);
8751 /* allocation size */
8752 CHECK_BYTE_COUNT_TRANS(4);
8753 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
8754 COUNT_BYTES_TRANS(4);
8756 /* 10 reserved bytes */
8757 CHECK_BYTE_COUNT_TRANS(10);
8758 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
8759 COUNT_BYTES_TRANS(10);
8762 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8763 CHECK_STRING_TRANS(fn);
8764 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8766 COUNT_BYTES_TRANS(fn_len);
8768 if (check_col(pinfo->cinfo, COL_INFO)) {
8769 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8773 /* XXX dont know how to decode FEAList */
8775 case 0x01: /*TRANS2_FIND_FIRST2*/
8776 /* Search Attributes */
8777 CHECK_BYTE_COUNT_TRANS(2);
8778 offset = dissect_search_attributes(tvb, pinfo, tree, offset);
8782 CHECK_BYTE_COUNT_TRANS(2);
8783 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
8784 COUNT_BYTES_TRANS(2);
8786 /* Find First2 flags */
8787 CHECK_BYTE_COUNT_TRANS(2);
8788 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
8791 /* Find First2 information level */
8792 CHECK_BYTE_COUNT_TRANS(2);
8793 si->info_level = tvb_get_letohs(tvb, offset);
8794 if (!pinfo->fd->flags.visited)
8795 t2i->info_level = si->info_level;
8796 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
8797 COUNT_BYTES_TRANS(2);
8800 CHECK_BYTE_COUNT_TRANS(4);
8801 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, TRUE);
8802 COUNT_BYTES_TRANS(4);
8804 /* search pattern */
8805 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8806 CHECK_STRING_TRANS(fn);
8807 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
8809 COUNT_BYTES_TRANS(fn_len);
8811 if (check_col(pinfo->cinfo, COL_INFO)) {
8812 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
8816 /* XXX dont know how to decode FEAList */
8819 case 0x02: /*TRANS2_FIND_NEXT2*/
8821 CHECK_BYTE_COUNT_TRANS(2);
8822 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
8823 COUNT_BYTES_TRANS(2);
8826 CHECK_BYTE_COUNT_TRANS(2);
8827 proto_tree_add_item(tree, hf_smb_search_count, tvb, offset, 2, TRUE);
8828 COUNT_BYTES_TRANS(2);
8830 /* Find First2 information level */
8831 CHECK_BYTE_COUNT_TRANS(2);
8832 si->info_level = tvb_get_letohs(tvb, offset);
8833 if (!pinfo->fd->flags.visited)
8834 t2i->info_level = si->info_level;
8835 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
8836 COUNT_BYTES_TRANS(2);
8839 CHECK_BYTE_COUNT_TRANS(4);
8840 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, TRUE);
8841 COUNT_BYTES_TRANS(4);
8843 /* Find First2 flags */
8844 CHECK_BYTE_COUNT_TRANS(2);
8845 offset = dissect_ff2_flags(tvb, pinfo, tree, offset);
8849 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8850 CHECK_STRING_TRANS(fn);
8851 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8853 COUNT_BYTES_TRANS(fn_len);
8855 if (check_col(pinfo->cinfo, COL_INFO)) {
8856 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue: %s",
8861 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
8862 /* level of interest */
8863 CHECK_BYTE_COUNT_TRANS(2);
8864 si->info_level = tvb_get_letohs(tvb, offset);
8865 if (!pinfo->fd->flags.visited)
8866 t2i->info_level = si->info_level;
8867 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
8868 COUNT_BYTES_TRANS(2);
8871 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
8872 /* level of interest */
8873 CHECK_BYTE_COUNT_TRANS(2);
8874 si->info_level = tvb_get_letohs(tvb, offset);
8875 if (!pinfo->fd->flags.visited)
8876 t2i->info_level = si->info_level;
8877 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8878 COUNT_BYTES_TRANS(2);
8880 /* 4 reserved bytes */
8881 CHECK_BYTE_COUNT_TRANS(4);
8882 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
8883 COUNT_BYTES_TRANS(4);
8886 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8887 CHECK_STRING_TRANS(fn);
8888 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8890 COUNT_BYTES_TRANS(fn_len);
8892 if (check_col(pinfo->cinfo, COL_INFO)) {
8893 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8898 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
8899 /* level of interest */
8900 CHECK_BYTE_COUNT_TRANS(2);
8901 si->info_level = tvb_get_letohs(tvb, offset);
8902 if (!pinfo->fd->flags.visited)
8903 t2i->info_level = si->info_level;
8904 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8905 COUNT_BYTES_TRANS(2);
8907 /* 4 reserved bytes */
8908 CHECK_BYTE_COUNT_TRANS(4);
8909 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
8910 COUNT_BYTES_TRANS(4);
8913 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
8914 CHECK_STRING_TRANS(fn);
8915 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
8917 COUNT_BYTES_TRANS(fn_len);
8919 if (check_col(pinfo->cinfo, COL_INFO)) {
8920 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8925 case 0x07: { /*TRANS2_QUERY_FILE_INFORMATION*/
8929 CHECK_BYTE_COUNT_TRANS(2);
8930 fid = tvb_get_letohs(tvb, offset);
8931 add_fid(tvb, pinfo, tree, offset, 2, fid);
8932 COUNT_BYTES_TRANS(2);
8934 /* level of interest */
8935 CHECK_BYTE_COUNT_TRANS(2);
8936 si->info_level = tvb_get_letohs(tvb, offset);
8937 if (!pinfo->fd->flags.visited)
8938 t2i->info_level = si->info_level;
8939 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8940 COUNT_BYTES_TRANS(2);
8944 case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
8948 CHECK_BYTE_COUNT_TRANS(2);
8949 fid = tvb_get_letohs(tvb, offset);
8950 add_fid(tvb, pinfo, tree, offset, 2, fid);
8951 COUNT_BYTES_TRANS(2);
8953 /* level of interest */
8954 CHECK_BYTE_COUNT_TRANS(2);
8955 si->info_level = tvb_get_letohs(tvb, offset);
8956 if (!pinfo->fd->flags.visited)
8957 t2i->info_level = si->info_level;
8958 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
8959 COUNT_BYTES_TRANS(2);
8961 /* 2 reserved bytes */
8962 CHECK_BYTE_COUNT_TRANS(2);
8963 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
8964 COUNT_BYTES_TRANS(2);
8968 case 0x09: /*TRANS2_FSCTL*/
8969 case 0x0a: /*TRANS2_IOCTL2*/
8970 /* these calls have no parameter block in the request */
8972 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
8973 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
8974 /* XXX unknown structure*/
8976 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
8977 /* 4 reserved bytes */
8978 CHECK_BYTE_COUNT_TRANS(4);
8979 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
8980 COUNT_BYTES_TRANS(4);
8983 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len,
8985 CHECK_STRING_TRANS(fn);
8986 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
8988 COUNT_BYTES_TRANS(fn_len);
8990 if (check_col(pinfo->cinfo, COL_INFO)) {
8991 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
8995 /* XXX optional FEAList, unknown what FEAList looks like*/
8997 case 0x0e: /*TRANS2_SESSION_SETUP*/
8998 /* XXX unknown structure*/
9000 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
9001 /* referral level */
9002 CHECK_BYTE_COUNT_TRANS(2);
9003 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, TRUE);
9004 COUNT_BYTES_TRANS(2);
9007 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9008 CHECK_STRING_TRANS(fn);
9009 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9011 COUNT_BYTES_TRANS(fn_len);
9013 if (check_col(pinfo->cinfo, COL_INFO)) {
9014 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9019 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
9021 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
9022 CHECK_STRING_TRANS(fn);
9023 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9025 COUNT_BYTES_TRANS(fn_len);
9027 if (check_col(pinfo->cinfo, COL_INFO)) {
9028 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
9035 /* ooops there were data we didnt know how to process */
9036 if((offset-old_offset) < bc){
9037 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
9038 bc - (offset-old_offset), TRUE);
9039 offset += bc - (offset-old_offset);
9046 * XXX - just use "dissect_connect_flags()" here?
9049 dissect_transaction_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9052 proto_item *item = NULL;
9053 proto_tree *tree = NULL;
9055 mask = tvb_get_letohs(tvb, offset);
9058 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9059 "Flags: 0x%04x", mask);
9060 tree = proto_item_add_subtree(item, ett_smb_transaction_flags);
9063 proto_tree_add_boolean(tree, hf_smb_transaction_flags_owt,
9064 tvb, offset, 2, mask);
9065 proto_tree_add_boolean(tree, hf_smb_transaction_flags_dtid,
9066 tvb, offset, 2, mask);
9073 dissect_get_dfs_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9076 proto_item *item = NULL;
9077 proto_tree *tree = NULL;
9079 mask = tvb_get_letohs(tvb, offset);
9082 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9083 "Flags: 0x%04x", mask);
9084 tree = proto_item_add_subtree(item, ett_smb_get_dfs_flags);
9087 proto_tree_add_boolean(tree, hf_smb_get_dfs_server_hold_storage,
9088 tvb, offset, 2, mask);
9089 proto_tree_add_boolean(tree, hf_smb_get_dfs_fielding,
9090 tvb, offset, 2, mask);
9097 dissect_dfs_referral_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9100 proto_item *item = NULL;
9101 proto_tree *tree = NULL;
9103 mask = tvb_get_letohs(tvb, offset);
9106 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
9107 "Flags: 0x%04x", mask);
9108 tree = proto_item_add_subtree(item, ett_smb_dfs_referral_flags);
9111 proto_tree_add_boolean(tree, hf_smb_dfs_referral_flags_strip,
9112 tvb, offset, 2, mask);
9120 /* dfs inconsistency data (4.4.2)
9123 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
9124 proto_tree *tree, int offset, guint16 *bcp)
9129 /*XXX shouldn this data hold version and size? unclear from doc*/
9130 /* referral version */
9131 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9132 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, TRUE);
9133 COUNT_BYTES_TRANS_SUBR(2);
9136 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9137 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, TRUE);
9138 COUNT_BYTES_TRANS_SUBR(2);
9140 /* referral server type */
9141 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9142 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9143 COUNT_BYTES_TRANS_SUBR(2);
9145 /* referral flags */
9146 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9147 offset = dissect_dfs_referral_flags(tvb, pinfo, tree, offset);
9151 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9152 CHECK_STRING_TRANS_SUBR(fn);
9153 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9155 COUNT_BYTES_TRANS_SUBR(fn_len);
9160 /* get dfs referral data (4.4.1)
9163 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
9164 proto_tree *tree, int offset, guint16 *bcp)
9169 guint16 altpathoffset;
9181 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9182 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, TRUE);
9183 COUNT_BYTES_TRANS_SUBR(2);
9186 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9187 numref = tvb_get_letohs(tvb, offset);
9188 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
9189 COUNT_BYTES_TRANS_SUBR(2);
9192 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9193 offset = dissect_get_dfs_flags(tvb, pinfo, tree, offset);
9196 /* XXX - in at least one capture there appears to be 2 bytes
9197 of stuff after the Dfs flags, perhaps so that the header
9198 in front of the referral list is a multiple of 4 bytes long. */
9199 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9200 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, TRUE);
9201 COUNT_BYTES_TRANS_SUBR(2);
9203 /* if there are any referrals */
9205 proto_item *ref_item = NULL;
9206 proto_tree *ref_tree = NULL;
9207 int old_offset=offset;
9210 ref_item = proto_tree_add_text(tree,
9211 tvb, offset, *bcp, "Referrals");
9212 ref_tree = proto_item_add_subtree(ref_item,
9213 ett_smb_dfs_referrals);
9218 proto_item *ri = NULL;
9219 proto_tree *rt = NULL;
9220 int old_offset=offset;
9224 ri = proto_tree_add_text(ref_tree,
9225 tvb, offset, *bcp, "Referral");
9226 rt = proto_item_add_subtree(ri,
9227 ett_smb_dfs_referral);
9230 /* referral version */
9231 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9232 version = tvb_get_letohs(tvb, offset);
9233 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
9234 tvb, offset, 2, version);
9235 COUNT_BYTES_TRANS_SUBR(2);
9238 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9239 refsize = tvb_get_letohs(tvb, offset);
9240 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
9241 COUNT_BYTES_TRANS_SUBR(2);
9243 /* referral server type */
9244 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9245 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, TRUE);
9246 COUNT_BYTES_TRANS_SUBR(2);
9248 /* referral flags */
9249 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9250 offset = dissect_dfs_referral_flags(tvb, pinfo, rt, offset);
9257 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9258 CHECK_STRING_TRANS_SUBR(fn);
9259 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
9261 COUNT_BYTES_TRANS_SUBR(fn_len);
9265 case 3: /* XXX - like version 2, but not identical;
9266 seen in a capture, but the format isn't
9269 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9270 proto_tree_add_item(rt, hf_smb_dfs_referral_proximity, tvb, offset, 2, TRUE);
9271 COUNT_BYTES_TRANS_SUBR(2);
9274 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9275 proto_tree_add_item(rt, hf_smb_dfs_referral_ttl, tvb, offset, 2, TRUE);
9276 COUNT_BYTES_TRANS_SUBR(2);
9279 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9280 pathoffset = tvb_get_letohs(tvb, offset);
9281 proto_tree_add_uint(rt, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
9282 COUNT_BYTES_TRANS_SUBR(2);
9284 /* alt path offset */
9285 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9286 altpathoffset = tvb_get_letohs(tvb, offset);
9287 proto_tree_add_uint(rt, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
9288 COUNT_BYTES_TRANS_SUBR(2);
9291 CHECK_BYTE_COUNT_TRANS_SUBR(2);
9292 nodeoffset = tvb_get_letohs(tvb, offset);
9293 proto_tree_add_uint(rt, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
9294 COUNT_BYTES_TRANS_SUBR(2);
9297 if (pathoffset != 0) {
9298 stroffset = old_offset + pathoffset;
9299 offsetoffset = stroffset - offset;
9300 if (offsetoffset > 0 &&
9301 *bcp > offsetoffset) {
9303 *bcp -= offsetoffset;
9304 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9305 CHECK_STRING_TRANS_SUBR(fn);
9306 proto_tree_add_string(rt, hf_smb_dfs_referral_path, tvb, stroffset, fn_len,
9308 stroffset += fn_len;
9309 if (ucstring_end < stroffset)
9310 ucstring_end = stroffset;
9316 if (altpathoffset != 0) {
9317 stroffset = old_offset + altpathoffset;
9318 offsetoffset = stroffset - offset;
9319 if (offsetoffset > 0 &&
9320 *bcp > offsetoffset) {
9322 *bcp -= offsetoffset;
9323 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9324 CHECK_STRING_TRANS_SUBR(fn);
9325 proto_tree_add_string(rt, hf_smb_dfs_referral_alt_path, tvb, stroffset, fn_len,
9327 stroffset += fn_len;
9328 if (ucstring_end < stroffset)
9329 ucstring_end = stroffset;
9335 if (nodeoffset != 0) {
9336 stroffset = old_offset + nodeoffset;
9337 offsetoffset = stroffset - offset;
9338 if (offsetoffset > 0 &&
9339 *bcp > offsetoffset) {
9341 *bcp -= offsetoffset;
9342 fn = get_unicode_or_ascii_string(tvb, &stroffset, pinfo, &fn_len, FALSE, FALSE, bcp);
9343 CHECK_STRING_TRANS_SUBR(fn);
9344 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, stroffset, fn_len,
9346 stroffset += fn_len;
9347 if (ucstring_end < stroffset)
9348 ucstring_end = stroffset;
9356 * Show anything beyond the length of the referral
9359 unklen = (old_offset + refsize) - offset;
9362 * XXX - the length is bogus.
9367 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
9368 proto_tree_add_item(rt, hf_smb_unknown, tvb,
9369 offset, unklen, TRUE);
9370 COUNT_BYTES_TRANS_SUBR(unklen);
9373 proto_item_set_len(ri, offset-old_offset);
9377 * Treat the offset past the end of the last Unicode
9378 * string after the referrals (if any) as the last
9381 if (ucstring_end > offset) {
9382 ucstring_len = ucstring_end - offset;
9383 if (*bcp < ucstring_len)
9384 ucstring_len = *bcp;
9385 offset += ucstring_len;
9386 *bcp -= ucstring_len;
9388 proto_item_set_len(ref_item, offset-old_offset);
9395 /* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
9396 as described in 4.2.14.1
9399 dissect_4_2_14_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9400 int offset, guint16 *bcp, gboolean *trunc)
9403 CHECK_BYTE_COUNT_SUBR(4);
9404 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9405 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
9410 CHECK_BYTE_COUNT_SUBR(4);
9411 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9412 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
9416 /* last write time */
9417 CHECK_BYTE_COUNT_SUBR(4);
9418 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
9419 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
9424 CHECK_BYTE_COUNT_SUBR(4);
9425 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
9426 COUNT_BYTES_SUBR(4);
9428 /* allocation size */
9429 CHECK_BYTE_COUNT_SUBR(4);
9430 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
9431 COUNT_BYTES_SUBR(4);
9433 /* File Attributes */
9434 CHECK_BYTE_COUNT_SUBR(2);
9435 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
9439 CHECK_BYTE_COUNT_SUBR(4);
9440 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
9441 COUNT_BYTES_SUBR(4);
9447 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
9448 as described in 4.2.14.2
9451 dissect_4_2_14_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9452 int offset, guint16 *bcp, gboolean *trunc)
9455 CHECK_BYTE_COUNT_SUBR(4);
9456 proto_tree_add_item(tree, hf_smb_list_length, tvb, offset, 4, TRUE);
9457 COUNT_BYTES_SUBR(4);
9463 /* this dissects the SMB_INFO_IS_NAME_VALID
9464 as described in 4.2.14.3
9467 dissect_4_2_14_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9468 int offset, guint16 *bcp, gboolean *trunc)
9474 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9475 CHECK_STRING_SUBR(fn);
9476 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9478 COUNT_BYTES_SUBR(fn_len);
9484 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
9485 as described in 4.2.14.4
9488 dissect_4_2_14_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9489 int offset, guint16 *bcp, gboolean *trunc)
9492 CHECK_BYTE_COUNT_SUBR(8);
9493 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9494 hf_smb_create_time);
9498 CHECK_BYTE_COUNT_SUBR(8);
9499 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9500 hf_smb_access_time);
9503 /* last write time */
9504 CHECK_BYTE_COUNT_SUBR(8);
9505 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9506 hf_smb_last_write_time);
9509 /* last change time */
9510 CHECK_BYTE_COUNT_SUBR(8);
9511 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
9512 hf_smb_change_time);
9515 /* File Attributes */
9516 CHECK_BYTE_COUNT_SUBR(2);
9517 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
9524 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
9525 as described in 4.2.14.5
9528 dissect_4_2_14_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9529 int offset, guint16 *bcp, gboolean *trunc)
9531 /* allocation size */
9532 CHECK_BYTE_COUNT_SUBR(8);
9533 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9534 COUNT_BYTES_SUBR(8);
9537 CHECK_BYTE_COUNT_SUBR(8);
9538 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
9539 COUNT_BYTES_SUBR(8);
9541 /* number of links */
9542 CHECK_BYTE_COUNT_SUBR(4);
9543 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, TRUE);
9544 COUNT_BYTES_SUBR(4);
9546 /* delete pending */
9547 CHECK_BYTE_COUNT_SUBR(2);
9548 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 2, TRUE);
9549 COUNT_BYTES_SUBR(2);
9552 CHECK_BYTE_COUNT_SUBR(1);
9553 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
9554 COUNT_BYTES_SUBR(1);
9560 /* this dissects the SMB_QUERY_FILE_EA_INFO
9561 as described in 4.2.14.6
9564 dissect_4_2_14_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9565 int offset, guint16 *bcp, gboolean *trunc)
9568 CHECK_BYTE_COUNT_SUBR(4);
9569 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
9570 COUNT_BYTES_SUBR(4);
9576 /* this dissects the SMB_QUERY_FILE_NAME_INFO
9577 as described in 4.2.14.7
9578 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
9579 as described in 4.2.14.9
9582 dissect_4_2_14_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9583 int offset, guint16 *bcp, gboolean *trunc)
9589 CHECK_BYTE_COUNT_SUBR(4);
9590 proto_tree_add_item(tree, hf_smb_file_name_len, tvb, offset, 4, TRUE);
9591 COUNT_BYTES_SUBR(4);
9594 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
9595 CHECK_STRING_SUBR(fn);
9596 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9598 COUNT_BYTES_SUBR(fn_len);
9604 /* this dissects the SMB_QUERY_FILE_ALL_INFO
9605 as described in 4.2.14.8
9608 dissect_4_2_14_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9609 int offset, guint16 *bcp, gboolean *trunc)
9612 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, trunc);
9615 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, trunc);
9620 CHECK_BYTE_COUNT_SUBR(8);
9621 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
9622 COUNT_BYTES_SUBR(8);
9624 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
9629 CHECK_BYTE_COUNT_SUBR(4);
9630 offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
9631 COUNT_BYTES_SUBR(4);
9634 CHECK_BYTE_COUNT_SUBR(8);
9635 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
9636 COUNT_BYTES_SUBR(8);
9638 /* current offset */
9639 CHECK_BYTE_COUNT_SUBR(8);
9640 proto_tree_add_item(tree, hf_smb_current_offset, tvb, offset, 8, TRUE);
9641 COUNT_BYTES_SUBR(8);
9644 CHECK_BYTE_COUNT_SUBR(4);
9645 offset = dissect_nt_create_options(tvb, pinfo, tree, offset);
9649 CHECK_BYTE_COUNT_SUBR(4);
9650 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
9651 COUNT_BYTES_SUBR(4);
9653 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
9658 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
9659 as described in 4.2.14.10
9662 dissect_4_2_14_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
9663 int offset, guint16 *bcp, gboolean *trunc)
9674 old_offset = offset;
9676 /* next entry offset */
9677 CHECK_BYTE_COUNT_SUBR(4);
9679 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "Stream Info");
9680 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
9686 neo = tvb_get_letohl(tvb, offset);
9687 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
9688 COUNT_BYTES_SUBR(4);
9690 /* stream name len */
9691 CHECK_BYTE_COUNT_SUBR(4);
9692 fn_len = tvb_get_letohl(tvb, offset);
9693 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
9694 COUNT_BYTES_SUBR(4);
9697 CHECK_BYTE_COUNT_SUBR(8);
9698 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, TRUE);
9699 COUNT_BYTES_SUBR(8);
9701 /* allocation size */
9702 CHECK_BYTE_COUNT_SUBR(8);
9703 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
9704 COUNT_BYTES_SUBR(8);
9707 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
9708 CHECK_STRING_SUBR(fn);
9709 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
9711 COUNT_BYTES_SUBR(fn_len);
9713 proto_item_append_text(item, ": %s", fn);
9714 proto_item_set_len(item, offset-old_offset);
9717 break; /* no more structures */
9719 /* skip to next structure */
9720 padcnt = (old_offset + neo) - offset;
9723 * XXX - this is bogus; flag it?
9728 CHECK_BYTE_COUNT_SUBR(padcnt);
9729 COUNT_BYTES_SUBR(padcnt);
9737 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
9738 as described in 4.2.14.11
9741 dissect_4_2_14_11(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9742 int offset, guint16 *bcp, gboolean *trunc)
9744 /* compressed file size */
9745 CHECK_BYTE_COUNT_SUBR(8);
9746 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, TRUE);
9747 COUNT_BYTES_SUBR(8);
9749 /* compression format */
9750 CHECK_BYTE_COUNT_SUBR(2);
9751 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, TRUE);
9752 COUNT_BYTES_SUBR(2);
9754 /* compression unit shift */
9755 CHECK_BYTE_COUNT_SUBR(1);
9756 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift,tvb, offset, 1, TRUE);
9757 COUNT_BYTES_SUBR(1);
9759 /* compression chunk shift */
9760 CHECK_BYTE_COUNT_SUBR(1);
9761 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, TRUE);
9762 COUNT_BYTES_SUBR(1);
9764 /* compression cluster shift */
9765 CHECK_BYTE_COUNT_SUBR(1);
9766 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, TRUE);
9767 COUNT_BYTES_SUBR(1);
9769 /* 3 reserved bytes */
9770 CHECK_BYTE_COUNT_SUBR(3);
9771 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, TRUE);
9772 COUNT_BYTES_SUBR(3);
9780 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION*/
9782 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
9783 int offset, guint16 *bcp)
9792 si = (smb_info_t *)pinfo->private_data;
9793 switch(si->info_level){
9794 case 1: /*Info Standard*/
9795 case 2: /*Info Query EA Size*/
9796 offset = dissect_4_2_14_1(tvb, pinfo, tree, offset, bcp,
9799 case 3: /*Info Query EAs From List*/
9800 case 4: /*Info Query All EAs*/
9801 offset = dissect_4_2_14_2(tvb, pinfo, tree, offset, bcp,
9804 case 6: /*Info Is Name Valid*/
9805 offset = dissect_4_2_14_3(tvb, pinfo, tree, offset, bcp,
9808 case 0x0101: /*Query File Basic Info*/
9809 offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp,
9812 case 0x0102: /*Query File Standard Info*/
9813 offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp,
9816 case 0x0103: /*Query File EA Info*/
9817 offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp,
9820 case 0x0104: /*Query File Name Info*/
9821 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
9824 case 0x0107: /*Query File All Info*/
9825 offset = dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp,
9828 case 0x0108: /*Query File Alt File Info*/
9829 offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
9832 case 0x0109: /*Query File Stream Info*/
9833 offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp,
9836 case 0x010b: /*Query File Compression Info*/
9837 offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp,
9840 case 0x0200: /*Set File Unix Basic*/
9841 /* XXX add this from the SNIA doc */
9843 case 0x0201: /*Set File Unix Link*/
9844 /* XXX add this from the SNIA doc */
9846 case 0x0202: /*Set File Unix HardLink*/
9847 /* XXX add this from the SNIA doc */
9855 static const true_false_string tfs_quota_flags_deny_disk = {
9856 "DENY DISK SPACE for users exceeding quota limit",
9857 "Do NOT deny disk space for users exceeding quota limit"
9859 static const true_false_string tfs_quota_flags_log_limit = {
9860 "LOG EVENT when a user exceeds their QUOTA LIMIT",
9861 "Do NOT log event when a user exceeds their quota limit"
9863 static const true_false_string tfs_quota_flags_log_warning = {
9864 "LOG EVENT when a user exceeds their WARNING LEVEL",
9865 "Do NOT log event when a user exceeds their warning level"
9867 static const true_false_string tfs_quota_flags_enabled = {
9868 "Quotas are ENABLED of this fs",
9869 "Quotas are NOT enabled on this fs"
9872 dissect_quota_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
9875 proto_item *item = NULL;
9876 proto_tree *tree = NULL;
9878 mask = tvb_get_guint8(tvb, offset);
9881 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
9882 "Quota Flags: 0x%02x %s", mask,
9883 mask?"Enabled":"Disabled");
9884 tree = proto_item_add_subtree(item, ett_smb_quotaflags);
9887 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_limit,
9888 tvb, offset, 1, mask);
9889 proto_tree_add_boolean(tree, hf_smb_quota_flags_log_warning,
9890 tvb, offset, 1, mask);
9891 proto_tree_add_boolean(tree, hf_smb_quota_flags_deny_disk,
9892 tvb, offset, 1, mask);
9894 if(mask && (!(mask&0x01))){
9895 proto_tree_add_boolean_hidden(tree, hf_smb_quota_flags_enabled,
9896 tvb, offset, 1, 0x01);
9898 proto_tree_add_boolean(tree, hf_smb_quota_flags_enabled,
9899 tvb, offset, 1, mask);
9905 dissect_nt_quota(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp)
9907 /* first 24 bytes are unknown */
9908 CHECK_BYTE_COUNT_TRANS_SUBR(24);
9909 proto_tree_add_item(tree, hf_smb_unknown, tvb,
9911 COUNT_BYTES_TRANS_SUBR(24);
9913 /* number of bytes for quota warning */
9914 CHECK_BYTE_COUNT_TRANS_SUBR(8);
9915 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, TRUE);
9916 COUNT_BYTES_TRANS_SUBR(8);
9918 /* number of bytes for quota limit */
9919 CHECK_BYTE_COUNT_TRANS_SUBR(8);
9920 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, TRUE);
9921 COUNT_BYTES_TRANS_SUBR(8);
9923 /* one byte of quota flags */
9924 CHECK_BYTE_COUNT_TRANS_SUBR(1);
9925 dissect_quota_flags(tvb, pinfo, tree, offset);
9926 COUNT_BYTES_TRANS_SUBR(1);
9928 /* these 7 bytes are unknown */
9929 CHECK_BYTE_COUNT_TRANS_SUBR(7);
9930 proto_tree_add_item(tree, hf_smb_unknown, tvb,
9932 COUNT_BYTES_TRANS_SUBR(7);
9938 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
9939 proto_tree *parent_tree, int offset, int subcmd, guint16 dc)
9941 proto_item *item = NULL;
9942 proto_tree *tree = NULL;
9945 si = (smb_info_t *)pinfo->private_data;
9948 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
9950 val_to_str(subcmd, trans2_cmd_vals,
9951 "Unknown (0x%02x)"));
9952 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
9956 case 0x00: /*TRANS2_OPEN2*/
9957 /* XXX FAEList here?*/
9959 case 0x01: /*TRANS2_FIND_FIRST2*/
9960 /* XXX FAEList here?*/
9962 case 0x02: /*TRANS2_FIND_NEXT2*/
9963 /* no data field in this request */
9965 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
9966 /* no data field in this request */
9968 case 0x04: /* TRANS2_SET_QUOTA */
9969 offset = dissect_nt_quota(tvb, pinfo, tree, offset, &dc);
9971 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
9972 /* no data field in this request */
9974 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
9975 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
9977 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
9978 /* no data field in this request */
9980 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
9981 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
9983 case 0x09: /*TRANS2_FSCTL*/
9984 /*XXX dont know how to decode this yet */
9986 case 0x0a: /*TRANS2_IOCTL2*/
9987 /*XXX dont know how to decode this yet */
9989 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
9990 /*XXX dont know how to decode this yet */
9992 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
9993 /*XXX dont know how to decode this yet */
9995 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
9996 /* no data block for this one */
9998 case 0x0e: /*TRANS2_SESSION_SETUP*/
9999 /*XXX dont know how to decode this yet */
10001 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
10002 /* no data field in this request */
10004 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
10005 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc);
10009 /* ooops there were data we didnt know how to process */
10011 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
10020 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
10021 packet_info *pinfo, proto_tree *tree)
10028 * Show the setup words.
10030 if (s_tvb != NULL) {
10031 length = tvb_reported_length(s_tvb);
10032 for (i = 0, offset = 0; length >= 2;
10033 i++, offset += 2, length -= 2) {
10035 * XXX - add a setup word filterable field?
10037 proto_tree_add_text(tree, s_tvb, offset, 2,
10038 "Setup Word %d: 0x%04x", i,
10039 tvb_get_letohs(s_tvb, offset));
10044 * Show the parameters, if any.
10046 if (p_tvb != NULL) {
10047 length = tvb_reported_length(p_tvb);
10049 proto_tree_add_text(tree, p_tvb, 0, length,
10051 tvb_bytes_to_str(p_tvb, 0, length));
10056 * Show the data, if any.
10058 if (d_tvb != NULL) {
10059 length = tvb_reported_length(d_tvb);
10061 proto_tree_add_text(tree, d_tvb, 0, length,
10062 "Data: %s", tvb_bytes_to_str(d_tvb, 0, length));
10067 /* This routine handles the following 4 calls
10069 Transaction Secondary 0x26
10071 Transaction2 Secondary 0x33
10074 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
10081 guint16 od=0, tf, po=0, pc=0, dc=0, pd, dd=0;
10085 const char *an = NULL;
10087 smb_transact2_info_t *t2i;
10088 smb_transact_info_t *tri;
10091 gboolean dissected_trans;
10093 si = (smb_info_t *)pinfo->private_data;
10098 /*secondary client request*/
10100 /* total param count, only a 16bit integer here*/
10101 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10104 /* total data count , only 16bit integer here*/
10105 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10109 pc = tvb_get_letohs(tvb, offset);
10110 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
10114 po = tvb_get_letohs(tvb, offset);
10115 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
10119 pd = tvb_get_letohs(tvb, offset);
10120 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
10124 dc = tvb_get_letohs(tvb, offset);
10125 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
10129 od = tvb_get_letohs(tvb, offset);
10130 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
10134 dd = tvb_get_letohs(tvb, offset);
10135 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
10138 if(si->cmd==SMB_COM_TRANSACTION2){
10142 fid = tvb_get_letohs(tvb, offset);
10143 add_fid(tvb, pinfo, tree, offset, 2, fid);
10148 /* There are no setup words. */
10153 /* it is not a secondary request */
10155 /* total param count , only a 16 bit integer here*/
10156 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10159 /* total data count , only 16bit integer here*/
10160 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10163 /* max param count , only 16bit integer here*/
10164 proto_tree_add_uint(tree, hf_smb_max_param_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10167 /* max data count, only 16bit integer here*/
10168 proto_tree_add_uint(tree, hf_smb_max_data_count, tvb, offset, 2, tvb_get_letohs(tvb, offset));
10171 /* max setup count, only 16bit integer here*/
10172 proto_tree_add_uint(tree, hf_smb_max_setup_count, tvb, offset, 1, tvb_get_guint8(tvb, offset));
10175 /* reserved byte */
10176 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10179 /* transaction flags */
10180 tf = dissect_transaction_flags(tvb, pinfo, tree, offset);
10184 to = tvb_get_letohl(tvb, offset);
10186 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Return immediately (0)");
10187 else if (to == 0xffffffff)
10188 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: Wait indefinitely (-1)");
10190 proto_tree_add_uint_format(tree, hf_smb_timeout, tvb, offset, 4, to, "Timeout: %s", time_msecs_to_str(to));
10193 /* 2 reserved bytes */
10194 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
10198 pc = tvb_get_letohs(tvb, offset);
10199 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
10203 po = tvb_get_letohs(tvb, offset);
10204 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
10207 /* param displacement is zero here */
10211 dc = tvb_get_letohs(tvb, offset);
10212 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
10216 od = tvb_get_letohs(tvb, offset);
10217 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
10220 /* data displacement is zero here */
10224 sc = tvb_get_guint8(tvb, offset);
10225 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
10228 /* reserved byte */
10229 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10232 /* this is where the setup bytes, if any start */
10236 /* if there were any setup bytes, decode them */
10240 case SMB_COM_TRANSACTION2:
10241 /* TRANSACTION2 only has one setup word and
10242 that is the subcommand code. */
10243 subcmd = tvb_get_letohs(tvb, offset);
10244 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
10245 tvb, offset, 2, subcmd);
10246 if (check_col(pinfo->cinfo, COL_INFO)) {
10247 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10248 val_to_str(subcmd, trans2_cmd_vals,
10249 "Unknown (0x%02x)"));
10252 if(!pinfo->fd->flags.visited){
10255 * smb_transact2_info_t
10258 t2i = g_mem_chunk_alloc(smb_transact2_info_chunk);
10259 t2i->subcmd = subcmd;
10260 t2i->info_level = -1;
10261 si->sip->extra_info = t2i;
10266 case SMB_COM_TRANSACTION:
10267 /* TRANSACTION setup words processed below */
10278 /* primary request */
10279 /* name is NULL if transaction2 */
10280 if(si->cmd == SMB_COM_TRANSACTION){
10281 /* Transaction Name */
10282 an = get_unicode_or_ascii_string(tvb, &offset,
10283 pinfo, &an_len, FALSE, FALSE, &bc);
10286 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
10287 offset, an_len, an);
10288 COUNT_BYTES(an_len);
10293 * The pipe or mailslot arguments for Transaction start with
10294 * the first setup word (or where the first setup word would
10295 * be if there were any setup words), and run to the current
10296 * offset (which could mean that there aren't any).
10299 spc = offset - spo;
10303 /* We have some initial padding bytes.
10305 padcnt = po-offset;
10308 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
10309 COUNT_BYTES(padcnt);
10312 CHECK_BYTE_COUNT(pc);
10315 case SMB_COM_TRANSACTION2:
10316 /* TRANSACTION2 parameters*/
10317 offset = dissect_transaction2_request_parameters(tvb,
10318 pinfo, tree, offset, subcmd, pc);
10322 case SMB_COM_TRANSACTION:
10323 /* TRANSACTION parameters processed below */
10331 /* We have some initial padding bytes.
10333 padcnt = od-offset;
10336 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
10337 COUNT_BYTES(padcnt);
10340 CHECK_BYTE_COUNT(dc);
10343 case SMB_COM_TRANSACTION2:
10344 /* TRANSACTION2 data*/
10345 offset = dissect_transaction2_request_data(tvb, pinfo,
10346 tree, offset, subcmd, dc);
10350 case SMB_COM_TRANSACTION:
10351 /* TRANSACTION data processed below */
10357 /*TRANSACTION request parameters */
10358 if(si->cmd==SMB_COM_TRANSACTION){
10359 /*XXX replace this block with a function and use that one
10360 for both requests/responses*/
10362 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
10363 tvbuff_t *sp_tvb, *pd_tvb;
10366 if(pc>tvb_length_remaining(tvb, po)){
10367 p_tvb = tvb_new_subset(tvb, po, tvb_length_remaining(tvb, po), pc);
10369 p_tvb = tvb_new_subset(tvb, po, pc, pc);
10375 if(dc>tvb_length_remaining(tvb, od)){
10376 d_tvb = tvb_new_subset(tvb, od, tvb_length_remaining(tvb, od), dc);
10378 d_tvb = tvb_new_subset(tvb, od, dc, dc);
10384 if(sl>tvb_length_remaining(tvb, so)){
10385 s_tvb = tvb_new_subset(tvb, so, tvb_length_remaining(tvb, so), sl);
10387 s_tvb = tvb_new_subset(tvb, so, sl, sl);
10394 if(!pinfo->fd->flags.visited){
10396 * Allocate a new smb_transact_info_t
10399 tri = g_mem_chunk_alloc(smb_transact_info_chunk);
10401 tri->trans_subcmd = -1;
10402 tri->function = -1;
10404 tri->lanman_cmd = 0;
10405 tri->param_descrip = NULL;
10406 tri->data_descrip = NULL;
10407 tri->aux_data_descrip = NULL;
10408 tri->info_level = -1;
10409 si->sip->extra_info = tri;
10412 * We already filled the structure
10413 * in; don't bother doing so again.
10419 * This is a unidirectional message, for
10420 * which there will be no reply; don't
10421 * bother allocating an "smb_transact_info_t"
10422 * structure for it.
10426 dissected_trans = FALSE;
10427 if(strncmp("\\PIPE\\", an, 6) == 0){
10429 tri->subcmd=TRANSACTION_PIPE;
10432 * A tvbuff containing the setup words and
10435 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
10438 * A tvbuff containing the parameters and the
10441 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
10443 dissected_trans = dissect_pipe_smb(sp_tvb,
10444 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
10446 } else if(strncmp("\\MAILSLOT\\", an, 10) == 0){
10448 tri->subcmd=TRANSACTION_MAILSLOT;
10451 * A tvbuff containing the setup words and
10452 * the mailslot path.
10454 sp_tvb = tvb_new_subset(tvb, spo, spc, spc);
10455 dissected_trans = dissect_mailslot_smb(sp_tvb,
10456 s_tvb, d_tvb, an+10, pinfo, top_tree);
10458 if (!dissected_trans) {
10459 dissect_trans_data(s_tvb, p_tvb, d_tvb,
10463 if(check_col(pinfo->cinfo, COL_INFO)){
10464 col_append_str(pinfo->cinfo, COL_INFO,
10465 "[transact continuation]");
10478 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10479 int offset, guint16 *bcp, gboolean *trunc)
10483 int old_offset = offset;
10484 proto_item *item = NULL;
10485 proto_tree *tree = NULL;
10488 si = (smb_info_t *)pinfo->private_data;
10491 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10492 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10493 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10497 CHECK_BYTE_COUNT_SUBR(4);
10498 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10499 hf_smb_create_time,
10500 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
10504 CHECK_BYTE_COUNT_SUBR(4);
10505 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10506 hf_smb_access_time,
10507 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
10510 /* last write time */
10511 CHECK_BYTE_COUNT_SUBR(4);
10512 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10513 hf_smb_last_write_time,
10514 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
10518 CHECK_BYTE_COUNT_SUBR(4);
10519 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10520 COUNT_BYTES_SUBR(4);
10522 /* allocation size */
10523 CHECK_BYTE_COUNT_SUBR(4);
10524 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10525 COUNT_BYTES_SUBR(4);
10527 /* File Attributes */
10528 CHECK_BYTE_COUNT_SUBR(2);
10529 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
10532 /* file name len */
10533 CHECK_BYTE_COUNT_SUBR(1);
10534 fn_len = tvb_get_guint8(tvb, offset);
10535 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
10536 COUNT_BYTES_SUBR(1);
10539 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10540 CHECK_STRING_SUBR(fn);
10541 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10543 COUNT_BYTES_SUBR(fn_len);
10545 if (check_col(pinfo->cinfo, COL_INFO)) {
10546 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10550 proto_item_append_text(item, " File: %s", fn);
10551 proto_item_set_len(item, offset-old_offset);
10558 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10559 int offset, guint16 *bcp, gboolean *trunc)
10563 int old_offset = offset;
10564 proto_item *item = NULL;
10565 proto_tree *tree = NULL;
10568 si = (smb_info_t *)pinfo->private_data;
10571 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10572 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10573 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10577 CHECK_BYTE_COUNT_SUBR(4);
10578 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10579 hf_smb_create_time,
10580 hf_smb_create_dos_date, hf_smb_create_dos_time, FALSE);
10584 CHECK_BYTE_COUNT_SUBR(4);
10585 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10586 hf_smb_access_time,
10587 hf_smb_access_dos_date, hf_smb_access_dos_time, FALSE);
10590 /* last write time */
10591 CHECK_BYTE_COUNT_SUBR(4);
10592 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
10593 hf_smb_last_write_time,
10594 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, FALSE);
10598 CHECK_BYTE_COUNT_SUBR(4);
10599 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
10600 COUNT_BYTES_SUBR(4);
10602 /* allocation size */
10603 CHECK_BYTE_COUNT_SUBR(4);
10604 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, TRUE);
10605 COUNT_BYTES_SUBR(4);
10607 /* File Attributes */
10608 CHECK_BYTE_COUNT_SUBR(2);
10609 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
10613 CHECK_BYTE_COUNT_SUBR(4);
10614 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10615 COUNT_BYTES_SUBR(4);
10617 /* file name len */
10618 CHECK_BYTE_COUNT_SUBR(1);
10619 fn_len = tvb_get_guint8(tvb, offset);
10620 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
10621 COUNT_BYTES_SUBR(1);
10624 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10625 CHECK_STRING_SUBR(fn);
10626 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10628 COUNT_BYTES_SUBR(fn_len);
10630 if (check_col(pinfo->cinfo, COL_INFO)) {
10631 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10635 proto_item_append_text(item, " File: %s", fn);
10636 proto_item_set_len(item, offset-old_offset);
10643 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10644 int offset, guint16 *bcp, gboolean *trunc)
10648 int old_offset = offset;
10649 proto_item *item = NULL;
10650 proto_tree *tree = NULL;
10655 si = (smb_info_t *)pinfo->private_data;
10658 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10659 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10660 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10663 /* next entry offset */
10664 CHECK_BYTE_COUNT_SUBR(4);
10665 neo = tvb_get_letohl(tvb, offset);
10666 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10667 COUNT_BYTES_SUBR(4);
10670 CHECK_BYTE_COUNT_SUBR(4);
10671 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10672 COUNT_BYTES_SUBR(4);
10675 CHECK_BYTE_COUNT_SUBR(8);
10676 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10677 hf_smb_create_time);
10681 CHECK_BYTE_COUNT_SUBR(8);
10682 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10683 hf_smb_access_time);
10686 /* last write time */
10687 CHECK_BYTE_COUNT_SUBR(8);
10688 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10689 hf_smb_last_write_time);
10692 /* last change time */
10693 CHECK_BYTE_COUNT_SUBR(8);
10694 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10695 hf_smb_change_time);
10699 CHECK_BYTE_COUNT_SUBR(8);
10700 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10701 COUNT_BYTES_SUBR(8);
10703 /* allocation size */
10704 CHECK_BYTE_COUNT_SUBR(8);
10705 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10706 COUNT_BYTES_SUBR(8);
10708 /* Extended File Attributes */
10709 CHECK_BYTE_COUNT_SUBR(4);
10710 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
10713 /* file name len */
10714 CHECK_BYTE_COUNT_SUBR(4);
10715 fn_len = tvb_get_letohl(tvb, offset);
10716 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
10717 COUNT_BYTES_SUBR(4);
10720 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10721 CHECK_STRING_SUBR(fn);
10722 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10724 COUNT_BYTES_SUBR(fn_len);
10726 if (check_col(pinfo->cinfo, COL_INFO)) {
10727 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10731 /* skip to next structure */
10733 padcnt = (old_offset + neo) - offset;
10736 * XXX - this is bogus; flag it?
10741 CHECK_BYTE_COUNT_SUBR(padcnt);
10742 COUNT_BYTES_SUBR(padcnt);
10746 proto_item_append_text(item, " File: %s", fn);
10747 proto_item_set_len(item, offset-old_offset);
10754 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10755 int offset, guint16 *bcp, gboolean *trunc)
10759 int old_offset = offset;
10760 proto_item *item = NULL;
10761 proto_tree *tree = NULL;
10766 si = (smb_info_t *)pinfo->private_data;
10769 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10770 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10771 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10774 /* next entry offset */
10775 CHECK_BYTE_COUNT_SUBR(4);
10776 neo = tvb_get_letohl(tvb, offset);
10777 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10778 COUNT_BYTES_SUBR(4);
10781 CHECK_BYTE_COUNT_SUBR(4);
10782 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10783 COUNT_BYTES_SUBR(4);
10786 CHECK_BYTE_COUNT_SUBR(8);
10787 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10788 hf_smb_create_time);
10792 CHECK_BYTE_COUNT_SUBR(8);
10793 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10794 hf_smb_access_time);
10797 /* last write time */
10798 CHECK_BYTE_COUNT_SUBR(8);
10799 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10800 hf_smb_last_write_time);
10803 /* last change time */
10804 CHECK_BYTE_COUNT_SUBR(8);
10805 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10806 hf_smb_change_time);
10810 CHECK_BYTE_COUNT_SUBR(8);
10811 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10812 COUNT_BYTES_SUBR(8);
10814 /* allocation size */
10815 CHECK_BYTE_COUNT_SUBR(8);
10816 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10817 COUNT_BYTES_SUBR(8);
10819 /* Extended File Attributes */
10820 CHECK_BYTE_COUNT_SUBR(4);
10821 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
10824 /* file name len */
10825 CHECK_BYTE_COUNT_SUBR(4);
10826 fn_len = tvb_get_letohl(tvb, offset);
10827 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
10828 COUNT_BYTES_SUBR(4);
10831 CHECK_BYTE_COUNT_SUBR(4);
10832 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10833 COUNT_BYTES_SUBR(4);
10836 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10837 CHECK_STRING_SUBR(fn);
10838 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10840 COUNT_BYTES_SUBR(fn_len);
10842 if (check_col(pinfo->cinfo, COL_INFO)) {
10843 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10847 /* skip to next structure */
10849 padcnt = (old_offset + neo) - offset;
10852 * XXX - this is bogus; flag it?
10857 CHECK_BYTE_COUNT_SUBR(padcnt);
10858 COUNT_BYTES_SUBR(padcnt);
10862 proto_item_append_text(item, " File: %s", fn);
10863 proto_item_set_len(item, offset-old_offset);
10870 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
10871 int offset, guint16 *bcp, gboolean *trunc)
10873 int fn_len, sfn_len;
10874 const char *fn, *sfn;
10875 int old_offset = offset;
10876 proto_item *item = NULL;
10877 proto_tree *tree = NULL;
10882 si = (smb_info_t *)pinfo->private_data;
10885 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
10886 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
10887 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
10890 /* next entry offset */
10891 CHECK_BYTE_COUNT_SUBR(4);
10892 neo = tvb_get_letohl(tvb, offset);
10893 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
10894 COUNT_BYTES_SUBR(4);
10897 CHECK_BYTE_COUNT_SUBR(4);
10898 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
10899 COUNT_BYTES_SUBR(4);
10902 CHECK_BYTE_COUNT_SUBR(8);
10903 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10904 hf_smb_create_time);
10908 CHECK_BYTE_COUNT_SUBR(8);
10909 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10910 hf_smb_access_time);
10913 /* last write time */
10914 CHECK_BYTE_COUNT_SUBR(8);
10915 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10916 hf_smb_last_write_time);
10919 /* last change time */
10920 CHECK_BYTE_COUNT_SUBR(8);
10921 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
10922 hf_smb_change_time);
10926 CHECK_BYTE_COUNT_SUBR(8);
10927 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
10928 COUNT_BYTES_SUBR(8);
10930 /* allocation size */
10931 CHECK_BYTE_COUNT_SUBR(8);
10932 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
10933 COUNT_BYTES_SUBR(8);
10935 /* Extended File Attributes */
10936 CHECK_BYTE_COUNT_SUBR(4);
10937 offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
10940 /* file name len */
10941 CHECK_BYTE_COUNT_SUBR(4);
10942 fn_len = tvb_get_letohl(tvb, offset);
10943 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
10944 COUNT_BYTES_SUBR(4);
10947 CHECK_BYTE_COUNT_SUBR(4);
10948 proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
10949 COUNT_BYTES_SUBR(4);
10951 /* short file name len */
10952 CHECK_BYTE_COUNT_SUBR(1);
10953 sfn_len = tvb_get_guint8(tvb, offset);
10954 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
10955 COUNT_BYTES_SUBR(1);
10957 /* reserved byte */
10958 CHECK_BYTE_COUNT_SUBR(1);
10959 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
10960 COUNT_BYTES_SUBR(1);
10962 /* short file name */
10963 sfn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &sfn_len, FALSE, TRUE, bcp);
10964 CHECK_STRING_SUBR(sfn);
10965 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
10967 COUNT_BYTES_SUBR(24);
10970 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
10971 CHECK_STRING_SUBR(fn);
10972 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10974 COUNT_BYTES_SUBR(fn_len);
10976 if (check_col(pinfo->cinfo, COL_INFO)) {
10977 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
10981 /* skip to next structure */
10983 padcnt = (old_offset + neo) - offset;
10986 * XXX - this is bogus; flag it?
10991 CHECK_BYTE_COUNT_SUBR(padcnt);
10992 COUNT_BYTES_SUBR(padcnt);
10996 proto_item_append_text(item, " File: %s", fn);
10997 proto_item_set_len(item, offset-old_offset);
11004 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11005 int offset, guint16 *bcp, gboolean *trunc)
11009 int old_offset = offset;
11010 proto_item *item = NULL;
11011 proto_tree *tree = NULL;
11016 si = (smb_info_t *)pinfo->private_data;
11019 item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
11020 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11021 tree = proto_item_add_subtree(item, ett_smb_ff2_data);
11024 /* next entry offset */
11025 CHECK_BYTE_COUNT_SUBR(4);
11026 neo = tvb_get_letohl(tvb, offset);
11027 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
11028 COUNT_BYTES_SUBR(4);
11031 CHECK_BYTE_COUNT_SUBR(4);
11032 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
11033 COUNT_BYTES_SUBR(4);
11035 /* file name len */
11036 CHECK_BYTE_COUNT_SUBR(4);
11037 fn_len = tvb_get_letohl(tvb, offset);
11038 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
11039 COUNT_BYTES_SUBR(4);
11042 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11043 CHECK_STRING_SUBR(fn);
11044 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11046 COUNT_BYTES_SUBR(fn_len);
11048 if (check_col(pinfo->cinfo, COL_INFO)) {
11049 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11053 /* skip to next structure */
11055 padcnt = (old_offset + neo) - offset;
11058 * XXX - this is bogus; flag it?
11063 CHECK_BYTE_COUNT_SUBR(padcnt);
11064 COUNT_BYTES_SUBR(padcnt);
11068 proto_item_append_text(item, " File: %s", fn);
11069 proto_item_set_len(item, offset-old_offset);
11076 dissect_4_3_4_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
11077 int offset, guint16 *bcp, gboolean *trunc)
11079 /*XXX im lazy. i havnt implemented this */
11086 /*dissect the data block for TRANS2_FIND_FIRST2*/
11088 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
11089 proto_tree * tree, int offset, guint16 *bcp, gboolean *trunc)
11097 si = (smb_info_t *)pinfo->private_data;
11098 switch(si->info_level){
11099 case 1: /*Info Standard*/
11100 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
11103 case 2: /*Info Query EA Size*/
11104 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
11107 case 3: /*Info Query EAs From List same as
11109 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
11112 case 0x0101: /*Find File Directory Info*/
11113 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
11116 case 0x0102: /*Find File Full Directory Info*/
11117 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
11120 case 0x0103: /*Find File Names Info*/
11121 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
11124 case 0x0104: /*Find File Both Directory Info*/
11125 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
11128 case 0x0202: /*Find File UNIX*/
11129 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
11132 default: /* unknown info level */
11141 dissect_fs_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
11144 proto_item *item = NULL;
11145 proto_tree *tree = NULL;
11147 mask = tvb_get_letohl(tvb, offset);
11150 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
11151 "FS Attributes: 0x%08x", mask);
11152 tree = proto_item_add_subtree(item, ett_smb_fs_attributes);
11155 proto_tree_add_boolean(tree, hf_smb_fs_attr_css,
11156 tvb, offset, 4, mask);
11157 proto_tree_add_boolean(tree, hf_smb_fs_attr_cpn,
11158 tvb, offset, 4, mask);
11159 proto_tree_add_boolean(tree, hf_smb_fs_attr_pacls,
11160 tvb, offset, 4, mask);
11161 proto_tree_add_boolean(tree, hf_smb_fs_attr_fc,
11162 tvb, offset, 4, mask);
11163 proto_tree_add_boolean(tree, hf_smb_fs_attr_vq,
11164 tvb, offset, 4, mask);
11165 proto_tree_add_boolean(tree, hf_smb_fs_attr_dim,
11166 tvb, offset, 4, mask);
11167 proto_tree_add_boolean(tree, hf_smb_fs_attr_vic,
11168 tvb, offset, 4, mask);
11176 dissect_device_characteristics(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
11179 proto_item *item = NULL;
11180 proto_tree *tree = NULL;
11182 mask = tvb_get_letohl(tvb, offset);
11185 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
11186 "Device Characteristics: 0x%08x", mask);
11187 tree = proto_item_add_subtree(item, ett_smb_device_characteristics);
11190 proto_tree_add_boolean(tree, hf_smb_device_char_removable,
11191 tvb, offset, 4, mask);
11192 proto_tree_add_boolean(tree, hf_smb_device_char_read_only,
11193 tvb, offset, 4, mask);
11194 proto_tree_add_boolean(tree, hf_smb_device_char_floppy,
11195 tvb, offset, 4, mask);
11196 proto_tree_add_boolean(tree, hf_smb_device_char_write_once,
11197 tvb, offset, 4, mask);
11198 proto_tree_add_boolean(tree, hf_smb_device_char_remote,
11199 tvb, offset, 4, mask);
11200 proto_tree_add_boolean(tree, hf_smb_device_char_mounted,
11201 tvb, offset, 4, mask);
11202 proto_tree_add_boolean(tree, hf_smb_device_char_virtual,
11203 tvb, offset, 4, mask);
11209 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
11211 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
11212 int offset, guint16 *bcp)
11215 int fn_len, vll, fnl;
11222 si = (smb_info_t *)pinfo->private_data;
11223 switch(si->info_level){
11224 case 1: /* SMB_INFO_ALLOCATION */
11225 /* filesystem id */
11226 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11227 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, TRUE);
11228 COUNT_BYTES_TRANS_SUBR(4);
11230 /* sectors per unit */
11231 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11232 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
11233 COUNT_BYTES_TRANS_SUBR(4);
11236 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11237 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, TRUE);
11238 COUNT_BYTES_TRANS_SUBR(4);
11241 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11242 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, TRUE);
11243 COUNT_BYTES_TRANS_SUBR(4);
11245 /* bytes per sector, only 16bit integer here */
11246 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11247 proto_tree_add_uint(tree, hf_smb_fs_sector, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11248 COUNT_BYTES_TRANS_SUBR(2);
11251 case 2: /* SMB_INFO_VOLUME */
11252 /* volume serial number */
11253 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11254 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
11255 COUNT_BYTES_TRANS_SUBR(4);
11257 /* volume label length, only one byte here */
11258 CHECK_BYTE_COUNT_TRANS_SUBR(1);
11259 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, tvb_get_guint8(tvb, offset));
11260 COUNT_BYTES_TRANS_SUBR(1);
11263 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, bcp);
11264 CHECK_STRING_TRANS_SUBR(fn);
11265 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
11267 COUNT_BYTES_TRANS_SUBR(fn_len);
11270 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
11272 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11273 offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
11274 hf_smb_create_time);
11277 /* volume serial number */
11278 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11279 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, TRUE);
11280 COUNT_BYTES_TRANS_SUBR(4);
11282 /* volume label length */
11283 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11284 vll = tvb_get_letohl(tvb, offset);
11285 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
11286 COUNT_BYTES_TRANS_SUBR(4);
11288 /* 2 reserved bytes */
11289 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11290 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11291 COUNT_BYTES_TRANS_SUBR(2);
11295 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11296 CHECK_STRING_TRANS_SUBR(fn);
11297 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
11299 COUNT_BYTES_TRANS_SUBR(fn_len);
11302 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
11303 /* allocation size */
11304 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11305 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
11306 COUNT_BYTES_TRANS_SUBR(8);
11308 /* free allocation units */
11309 CHECK_BYTE_COUNT_TRANS_SUBR(8);
11310 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, TRUE);
11311 COUNT_BYTES_TRANS_SUBR(8);
11313 /* sectors per unit */
11314 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11315 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, TRUE);
11316 COUNT_BYTES_TRANS_SUBR(4);
11318 /* bytes per sector */
11319 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11320 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
11321 COUNT_BYTES_TRANS_SUBR(4);
11324 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
11326 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11327 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE);
11328 COUNT_BYTES_TRANS_SUBR(4);
11330 /* device characteristics */
11331 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11332 offset = dissect_device_characteristics(tvb, pinfo, tree, offset);
11336 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
11337 /* FS attributes */
11338 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11339 offset = dissect_fs_attributes(tvb, pinfo, tree, offset);
11343 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11344 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
11345 COUNT_BYTES_TRANS_SUBR(4);
11347 /* fs name length */
11348 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11349 fnl = tvb_get_letohl(tvb, offset);
11350 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
11351 COUNT_BYTES_TRANS_SUBR(4);
11355 fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
11356 CHECK_STRING_TRANS_SUBR(fn);
11357 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
11359 COUNT_BYTES_TRANS_SUBR(fn_len);
11362 case 1006: /* QUERY_FS_QUOTA_INFO */
11363 offset = dissect_nt_quota(tvb, pinfo, tree, offset, bcp);
11370 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
11371 proto_tree *parent_tree)
11373 proto_item *item = NULL;
11374 proto_tree *tree = NULL;
11376 smb_transact2_info_t *t2i;
11382 dc = tvb_reported_length(tvb);
11384 si = (smb_info_t *)pinfo->private_data;
11385 if (si->sip != NULL)
11386 t2i = si->sip->extra_info;
11391 if (t2i != NULL && t2i->subcmd != -1) {
11392 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11394 val_to_str(t2i->subcmd, trans2_cmd_vals,
11395 "Unknown (0x%02x)"));
11396 tree = proto_item_add_subtree(item, ett_smb_transaction_data);
11398 item = proto_tree_add_text(parent_tree, tvb, offset, dc,
11399 "Unknown Transaction2 Data");
11407 switch(t2i->subcmd){
11408 case 0x00: /*TRANS2_OPEN2*/
11409 /* XXX not implemented yet. See SNIA doc */
11411 case 0x01: /*TRANS2_FIND_FIRST2*/
11412 /* returned data */
11413 count = si->info_count;
11415 if (count && check_col(pinfo->cinfo, COL_INFO)) {
11416 col_append_fstr(pinfo->cinfo, COL_INFO,
11421 offset = dissect_ff2_response_data(tvb, pinfo, tree,
11422 offset, &dc, &trunc);
11427 case 0x02: /*TRANS2_FIND_NEXT2*/
11428 /* returned data */
11429 count = si->info_count;
11431 if (count && check_col(pinfo->cinfo, COL_INFO)) {
11432 col_append_fstr(pinfo->cinfo, COL_INFO,
11437 offset = dissect_ff2_response_data(tvb, pinfo, tree,
11438 offset, &dc, &trunc);
11443 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11444 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc);
11446 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11447 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11449 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11450 /* no data in this response */
11452 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11453 /* identical to QUERY_PATH_INFO */
11454 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
11456 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11457 /* no data in this response */
11459 case 0x09: /*TRANS2_FSCTL*/
11460 /* XXX dont know how to dissect this one (yet)*/
11462 case 0x0a: /*TRANS2_IOCTL2*/
11463 /* XXX dont know how to dissect this one (yet)*/
11465 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11466 /* XXX dont know how to dissect this one (yet)*/
11468 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11469 /* XXX dont know how to dissect this one (yet)*/
11471 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11472 /* no data in this response */
11474 case 0x0e: /*TRANS2_SESSION_SETUP*/
11475 /* XXX dont know how to dissect this one (yet)*/
11477 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11478 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc);
11480 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11481 /* the SNIA spec appears to say the response has no data */
11485 * We don't know what the matching request was; don't
11486 * bother putting anything else into the tree for the data.
11493 /* ooops there were data we didnt know how to process */
11495 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, TRUE);
11504 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
11506 proto_item *item = NULL;
11507 proto_tree *tree = NULL;
11509 smb_transact2_info_t *t2i;
11515 pc = tvb_reported_length(tvb);
11517 si = (smb_info_t *)pinfo->private_data;
11518 if (si->sip != NULL)
11519 t2i = si->sip->extra_info;
11524 if (t2i != NULL && t2i->subcmd != -1) {
11525 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
11527 val_to_str(t2i->subcmd, trans2_cmd_vals,
11528 "Unknown (0x%02x)"));
11529 tree = proto_item_add_subtree(item, ett_smb_transaction_params);
11531 item = proto_tree_add_text(parent_tree, tvb, offset, pc,
11532 "Unknown Transaction2 Parameters");
11540 switch(t2i->subcmd){
11541 case 0x00: /*TRANS2_OPEN2*/
11543 fid = tvb_get_letohs(tvb, offset);
11544 add_fid(tvb, pinfo, tree, offset, 2, fid);
11547 /* File Attributes */
11548 offset = dissect_file_attributes(tvb, pinfo, tree, offset);
11551 offset = dissect_smb_datetime(tvb, pinfo, tree, offset,
11552 hf_smb_create_time,
11553 hf_smb_create_dos_date, hf_smb_create_dos_time, TRUE);
11556 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, TRUE);
11559 /* granted access */
11560 offset = dissect_access(tvb, pinfo, tree, offset, "Granted");
11563 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
11567 offset = dissect_ipc_state(tvb, pinfo, tree, offset, FALSE);
11570 offset = dissect_open_action(tvb, pinfo, tree, offset);
11572 /* 4 reserved bytes */
11573 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
11576 /* ea error offset, only a 16 bit integer here */
11577 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11581 proto_tree_add_item(tree, hf_smb_ea_length, tvb, offset, 4, TRUE);
11585 case 0x01: /*TRANS2_FIND_FIRST2*/
11586 /* Find First2 information level */
11587 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
11590 proto_tree_add_item(tree, hf_smb_sid, tvb, offset, 2, TRUE);
11594 si->info_count = tvb_get_letohs(tvb, offset);
11595 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
11598 /* end of search */
11599 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
11602 /* ea error offset, only a 16 bit integer here */
11603 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11606 /* last name offset */
11607 lno = tvb_get_letohs(tvb, offset);
11608 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
11612 case 0x02: /*TRANS2_FIND_NEXT2*/
11614 si->info_count = tvb_get_letohs(tvb, offset);
11615 proto_tree_add_uint(tree, hf_smb_search_count, tvb, offset, 2, si->info_count);
11618 /* end of search */
11619 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, TRUE);
11622 /* ea error offset , only a 16 bit integer here*/
11623 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11626 /* last name offset */
11627 lno = tvb_get_letohs(tvb, offset);
11628 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
11632 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
11633 /* no parameter block here */
11635 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
11636 /* no parameter block here */
11638 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
11639 /* no parameter block here */
11641 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
11642 /* no parameter block here */
11644 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
11645 /* no parameter block here */
11647 case 0x09: /*TRANS2_FSCTL*/
11648 /* XXX dont know how to dissect this one (yet)*/
11650 case 0x0a: /*TRANS2_IOCTL2*/
11651 /* XXX dont know how to dissect this one (yet)*/
11653 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
11654 /* XXX dont know how to dissect this one (yet)*/
11656 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
11657 /* XXX dont know how to dissect this one (yet)*/
11659 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
11660 /* ea error offset, only a 16 bit integer here */
11661 proto_tree_add_uint(tree, hf_smb_ea_error_offset, tvb, offset, 2, tvb_get_letohs(tvb, offset));
11665 case 0x0e: /*TRANS2_SESSION_SETUP*/
11666 /* XXX dont know how to dissect this one (yet)*/
11668 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
11669 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
11671 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11672 /* XXX dont know how to dissect this one (yet) see SNIA doc*/
11676 * We don't know what the matching request was; don't
11677 * bother putting anything else into the tree for the data.
11683 /* ooops there were data we didnt know how to process */
11685 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, TRUE);
11686 offset += pc-offset;
11692 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
11695 guint16 od=0, po=0, pc=0, pd=0, dc=0, dd=0, td=0, tp=0;
11696 gboolean reassembled = FALSE;
11698 smb_transact2_info_t *t2i = NULL;
11701 gboolean dissected_trans;
11702 fragment_data *r_fd = NULL;
11703 tvbuff_t *pd_tvb=NULL, *d_tvb=NULL, *p_tvb=NULL;
11704 tvbuff_t *s_tvb=NULL, *sp_tvb=NULL;
11705 gboolean save_fragmented;
11707 si = (smb_info_t *)pinfo->private_data;
11710 case SMB_COM_TRANSACTION2:
11712 if (si->sip != NULL) {
11713 t2i = si->sip->extra_info;
11718 * We didn't see the matching request, so we don't
11719 * know what type of transaction this is.
11721 proto_tree_add_text(tree, tvb, 0, 0,
11722 "Subcommand: <UNKNOWN> since request packet wasn't seen");
11723 if (check_col(pinfo->cinfo, COL_INFO)) {
11724 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
11727 si->info_level = t2i->info_level;
11728 if (t2i->subcmd == -1) {
11730 * We didn't manage to extract the subcommand
11731 * from the matching request (perhaps because
11732 * the frame was short), so we don't know what
11733 * type of transaction this is.
11735 proto_tree_add_text(tree, tvb, 0, 0,
11736 "Subcommand: <UNKNOWN> since transaction code wasn't found in request packet");
11737 if (check_col(pinfo->cinfo, COL_INFO)) {
11738 col_append_fstr(pinfo->cinfo, COL_INFO, "<unknown>");
11741 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
11742 if (check_col(pinfo->cinfo, COL_INFO)) {
11743 col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
11744 val_to_str(t2i->subcmd,
11746 "<unknown (0x%02x)>"));
11755 /* total param count, only a 16bit integer here */
11756 tp = tvb_get_letohs(tvb, offset);
11757 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
11760 /* total data count, only a 16 bit integer here */
11761 td = tvb_get_letohs(tvb, offset);
11762 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
11765 /* 2 reserved bytes */
11766 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
11770 pc = tvb_get_letohs(tvb, offset);
11771 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
11775 po = tvb_get_letohs(tvb, offset);
11776 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
11780 pd = tvb_get_letohs(tvb, offset);
11781 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
11785 dc = tvb_get_letohs(tvb, offset);
11786 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
11790 od = tvb_get_letohs(tvb, offset);
11791 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
11795 dd = tvb_get_letohs(tvb, offset);
11796 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
11800 sc = tvb_get_guint8(tvb, offset);
11801 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
11804 /* reserved byte */
11805 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
11809 /* if there were any setup bytes, put them in a tvb for later */
11811 if((2*sc)>tvb_length_remaining(tvb, offset)){
11812 s_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), 2*sc);
11814 s_tvb = tvb_new_subset(tvb, offset, 2*sc, 2*sc);
11816 sp_tvb = tvb_new_subset(tvb, offset, -1, -1);
11827 /* reassembly of SMB Transaction data payload.
11828 In this section we do reassembly of both the data and parameters
11829 blocks of the SMB transaction command.
11831 save_fragmented = pinfo->fragmented;
11832 /* do we need reassembly? */
11833 if( (td!=dc) || (tp!=pc) ){
11834 /* oh yeah, either data or parameter section needs
11837 pinfo->fragmented = TRUE;
11838 if(smb_trans_reassembly){
11839 /* ...and we were told to do reassembly */
11840 if(pc && (tvb_length_remaining(tvb, po)>=pc) ){
11841 r_fd = smb_trans_defragment(tree, pinfo, tvb,
11842 po, pc, pd, td+tp);
11845 if((r_fd==NULL) && dc && (tvb_length_remaining(tvb, od)>=dc) ){
11846 r_fd = smb_trans_defragment(tree, pinfo, tvb,
11847 od, dc, dd+tp, td+tp);
11852 /* if we got a reassembled fd structure from the reassembly routine we must
11853 create pd_tvb from it
11860 it = proto_tree_add_text(tree, tvb, 0, 0, "Fragments");
11861 tr = proto_item_add_subtree(it, ett_smb_segments);
11862 for(fd=r_fd->next;fd;fd=fd->next){
11863 proto_tree_add_text(tr, tvb, 0, 0, "Frame:%u Data:%u-%u",
11864 fd->frame, fd->offset, fd->offset+fd->len-1);
11867 pd_tvb = tvb_new_real_data(r_fd->data, r_fd->datalen,
11869 tvb_set_child_real_data_tvbuff(tvb, pd_tvb);
11870 add_new_data_source(pinfo->fd, pd_tvb, "Reassembled SMB");
11871 pinfo->fragmented = FALSE;
11876 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
11878 p_tvb = tvb_new_subset(pd_tvb, 0, tp, tp);
11881 d_tvb = tvb_new_subset(pd_tvb, tp, td, td);
11884 /* It was not reassembled. Do as best as we can.
11885 * in this case we always try to dissect the stuff if
11886 * data and param displacement is 0. i.e. for the first
11887 * (and maybe only) packet.
11889 if( (pd==0) && (dd==0) ){
11892 min = MIN(pc,tvb_length_remaining(tvb,po));
11893 reported_min = MIN(pc,tvb_reported_length_remaining(tvb,po));
11894 if(min && reported_min) {
11895 p_tvb = tvb_new_subset(tvb, po, min, reported_min);
11897 min = MIN(dc,tvb_length_remaining(tvb,od));
11898 reported_min = MIN(dc,tvb_reported_length_remaining(tvb,od));
11899 if(min && reported_min) {
11900 d_tvb = tvb_new_subset(tvb, od, min, reported_min);
11903 * A tvbuff containing the parameters
11905 * XXX - check pc and dc as well?
11907 if (tvb_length_remaining(tvb, po)){
11908 pd_tvb = tvb_new_subset(tvb, po, -1, -1);
11917 /* We have some padding bytes.
11919 padcnt = po-offset;
11922 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11923 COUNT_BYTES(padcnt);
11925 if(si->cmd==SMB_COM_TRANSACTION2 && p_tvb){
11926 /* TRANSACTION2 parameters*/
11927 dissect_transaction2_response_parameters(p_tvb, pinfo, tree);
11934 /* We have some initial padding bytes.
11936 padcnt = od-offset;
11939 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, TRUE);
11940 COUNT_BYTES(padcnt);
11943 * If the data count is bigger than the count of bytes
11944 * remaining, clamp it so that the count of bytes remaining
11945 * doesn't go negative.
11953 /* from now on, everything is in separate tvbuffs so we dont count
11954 the bytes with COUNT_BYTES any more.
11955 neither do we reference offset any more (which by now points to the
11956 first byte AFTER this PDU */
11959 if(si->cmd==SMB_COM_TRANSACTION2 && d_tvb){
11960 /* TRANSACTION2 parameters*/
11961 dissect_transaction2_response_data(d_tvb, pinfo, tree);
11965 if(si->cmd==SMB_COM_TRANSACTION){
11966 smb_transact_info_t *tri;
11968 dissected_trans = FALSE;
11969 if (si->sip != NULL)
11970 tri = si->sip->extra_info;
11974 switch(tri->subcmd){
11976 case TRANSACTION_PIPE:
11977 /* This function is safe to call for
11978 s_tvb==sp_tvb==NULL, i.e. if we don't
11979 know them at this point.
11980 It's also safe to call if "p_tvb"
11981 or "d_tvb" are null.
11984 dissected_trans = dissect_pipe_smb(
11985 sp_tvb, s_tvb, pd_tvb, p_tvb,
11986 d_tvb, NULL, pinfo, top_tree);
11990 case TRANSACTION_MAILSLOT:
11991 /* This one should be safe to call
11992 even if s_tvb and sp_tvb is NULL
11995 dissected_trans = dissect_mailslot_smb(
11996 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
12002 if (!dissected_trans) {
12003 /* This one is safe to call for s_tvb==p_tvb==d_tvb==NULL */
12004 dissect_trans_data(s_tvb, p_tvb, d_tvb,
12010 if( (p_tvb==0) && (d_tvb==0) ){
12011 if(check_col(pinfo->cinfo, COL_INFO)){
12012 col_append_str(pinfo->cinfo, COL_INFO,
12013 "[transact continuation]");
12017 pinfo->fragmented = save_fragmented;
12024 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12025 END Transaction/Transaction2 Primary and secondary requests
12026 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
12030 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
12038 proto_tree_add_text(tree, tvb, offset, wc*2, "Word parameters");
12043 proto_tree_add_text(tree, tvb, offset, bc, "Byte parameters");
12050 typedef struct _smb_function {
12051 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12052 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12055 smb_function smb_dissector[256] = {
12056 /* 0x00 Create Dir*/ {dissect_old_dir_request, dissect_empty},
12057 /* 0x01 Delete Dir*/ {dissect_old_dir_request, dissect_empty},
12058 /* 0x02 Open File*/ {dissect_open_file_request, dissect_open_file_response},
12059 /* 0x03 Create File*/ {dissect_create_file_request, dissect_fid},
12060 /* 0x04 Close File*/ {dissect_close_file_request, dissect_empty},
12061 /* 0x05 Flush File*/ {dissect_fid, dissect_empty},
12062 /* 0x06 Delete File*/ {dissect_delete_file_request, dissect_empty},
12063 /* 0x07 Rename File*/ {dissect_rename_file_request, dissect_empty},
12064 /* 0x08 Query Info*/ {dissect_query_information_request, dissect_query_information_response},
12065 /* 0x09 Set Info*/ {dissect_set_information_request, dissect_empty},
12066 /* 0x0a Read File*/ {dissect_read_file_request, dissect_read_file_response},
12067 /* 0x0b Write File*/ {dissect_write_file_request, dissect_write_file_response},
12068 /* 0x0c Lock Byte Range*/ {dissect_lock_request, dissect_empty},
12069 /* 0x0d Unlock Byte Range*/ {dissect_lock_request, dissect_empty},
12070 /* 0x0e Create Temp*/ {dissect_create_temporary_request, dissect_create_temporary_response},
12071 /* 0x0f Create New*/ {dissect_create_file_request, dissect_fid},
12073 /* 0x10 Check Dir*/ {dissect_old_dir_request, dissect_empty},
12074 /* 0x11 Process Exit*/ {dissect_empty, dissect_empty},
12075 /* 0x12 Seek File*/ {dissect_seek_file_request, dissect_seek_file_response},
12076 /* 0x13 Lock And Read*/ {dissect_read_file_request, dissect_lock_and_read_response},
12077 /* 0x14 Write And Unlock*/ {dissect_write_file_request, dissect_write_file_response},
12078 /* 0x15 */ {dissect_unknown, dissect_unknown},
12079 /* 0x16 */ {dissect_unknown, dissect_unknown},
12080 /* 0x17 */ {dissect_unknown, dissect_unknown},
12081 /* 0x18 */ {dissect_unknown, dissect_unknown},
12082 /* 0x19 */ {dissect_unknown, dissect_unknown},
12083 /* 0x1a Read Raw*/ {dissect_read_raw_request, dissect_unknown},
12084 /* 0x1b Read MPX*/ {dissect_read_mpx_request, dissect_read_mpx_response},
12085 /* 0x1c */ {dissect_unknown, dissect_unknown},
12086 /* 0x1d Write Raw*/ {dissect_write_raw_request, dissect_write_raw_response},
12087 /* 0x1e Write MPX*/ {dissect_write_mpx_request, dissect_write_mpx_response},
12088 /* 0x1f */ {dissect_unknown, dissect_unknown},
12090 /* 0x20 Write Complete*/ {dissect_unknown, dissect_write_and_close_response},
12091 /* 0x21 */ {dissect_unknown, dissect_unknown},
12092 /* 0x22 Set Info2*/ {dissect_set_information2_request, dissect_empty},
12093 /* 0x23 Query Info2*/ {dissect_fid, dissect_query_information2_response},
12094 /* 0x24 Locking And X*/ {dissect_locking_andx_request, dissect_locking_andx_response},
12095 /* 0x25 Transaction*/ {dissect_transaction_request, dissect_transaction_response},
12096 /* 0x26 Transaction Secondary */ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
12097 /* 0x27 */ {dissect_unknown, dissect_unknown},
12098 /* 0x28 */ {dissect_unknown, dissect_unknown},
12099 /* 0x29 */ {dissect_unknown, dissect_unknown},
12100 /* 0x2a Move File*/ {dissect_move_request, dissect_move_response},
12101 /* 0x2b Echo*/ {dissect_echo_request, dissect_echo_response},
12102 /* 0x2c Write And Close*/ {dissect_write_and_close_request, dissect_write_and_close_response},
12103 /* 0x2d Open And X*/ {dissect_open_andx_request, dissect_open_andx_response},
12104 /* 0x2e Read And X*/ {dissect_read_andx_request, dissect_read_andx_response},
12105 /* 0x2f Write And X*/ {dissect_write_andx_request, dissect_write_andx_response},
12107 /* 0x30 */ {dissect_unknown, dissect_unknown},
12108 /* 0x31 */ {dissect_unknown, dissect_unknown},
12109 /* 0x32 Transaction2*/ {dissect_transaction_request, dissect_transaction_response},
12110 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request, dissect_unknown}, /*This SMB has no response */
12111 /* 0x34 Find Close2*/ {dissect_sid, dissect_empty},
12112 /* 0x35 */ {dissect_unknown, dissect_unknown},
12113 /* 0x36 */ {dissect_unknown, dissect_unknown},
12114 /* 0x37 */ {dissect_unknown, dissect_unknown},
12115 /* 0x38 */ {dissect_unknown, dissect_unknown},
12116 /* 0x39 */ {dissect_unknown, dissect_unknown},
12117 /* 0x3a */ {dissect_unknown, dissect_unknown},
12118 /* 0x3b */ {dissect_unknown, dissect_unknown},
12119 /* 0x3c */ {dissect_unknown, dissect_unknown},
12120 /* 0x3d */ {dissect_unknown, dissect_unknown},
12121 /* 0x3e */ {dissect_unknown, dissect_unknown},
12122 /* 0x3f */ {dissect_unknown, dissect_unknown},
12124 /* 0x40 */ {dissect_unknown, dissect_unknown},
12125 /* 0x41 */ {dissect_unknown, dissect_unknown},
12126 /* 0x42 */ {dissect_unknown, dissect_unknown},
12127 /* 0x43 */ {dissect_unknown, dissect_unknown},
12128 /* 0x44 */ {dissect_unknown, dissect_unknown},
12129 /* 0x45 */ {dissect_unknown, dissect_unknown},
12130 /* 0x46 */ {dissect_unknown, dissect_unknown},
12131 /* 0x47 */ {dissect_unknown, dissect_unknown},
12132 /* 0x48 */ {dissect_unknown, dissect_unknown},
12133 /* 0x49 */ {dissect_unknown, dissect_unknown},
12134 /* 0x4a */ {dissect_unknown, dissect_unknown},
12135 /* 0x4b */ {dissect_unknown, dissect_unknown},
12136 /* 0x4c */ {dissect_unknown, dissect_unknown},
12137 /* 0x4d */ {dissect_unknown, dissect_unknown},
12138 /* 0x4e */ {dissect_unknown, dissect_unknown},
12139 /* 0x4f */ {dissect_unknown, dissect_unknown},
12141 /* 0x50 */ {dissect_unknown, dissect_unknown},
12142 /* 0x51 */ {dissect_unknown, dissect_unknown},
12143 /* 0x52 */ {dissect_unknown, dissect_unknown},
12144 /* 0x53 */ {dissect_unknown, dissect_unknown},
12145 /* 0x54 */ {dissect_unknown, dissect_unknown},
12146 /* 0x55 */ {dissect_unknown, dissect_unknown},
12147 /* 0x56 */ {dissect_unknown, dissect_unknown},
12148 /* 0x57 */ {dissect_unknown, dissect_unknown},
12149 /* 0x58 */ {dissect_unknown, dissect_unknown},
12150 /* 0x59 */ {dissect_unknown, dissect_unknown},
12151 /* 0x5a */ {dissect_unknown, dissect_unknown},
12152 /* 0x5b */ {dissect_unknown, dissect_unknown},
12153 /* 0x5c */ {dissect_unknown, dissect_unknown},
12154 /* 0x5d */ {dissect_unknown, dissect_unknown},
12155 /* 0x5e */ {dissect_unknown, dissect_unknown},
12156 /* 0x5f */ {dissect_unknown, dissect_unknown},
12158 /* 0x60 */ {dissect_unknown, dissect_unknown},
12159 /* 0x61 */ {dissect_unknown, dissect_unknown},
12160 /* 0x62 */ {dissect_unknown, dissect_unknown},
12161 /* 0x63 */ {dissect_unknown, dissect_unknown},
12162 /* 0x64 */ {dissect_unknown, dissect_unknown},
12163 /* 0x65 */ {dissect_unknown, dissect_unknown},
12164 /* 0x66 */ {dissect_unknown, dissect_unknown},
12165 /* 0x67 */ {dissect_unknown, dissect_unknown},
12166 /* 0x68 */ {dissect_unknown, dissect_unknown},
12167 /* 0x69 */ {dissect_unknown, dissect_unknown},
12168 /* 0x6a */ {dissect_unknown, dissect_unknown},
12169 /* 0x6b */ {dissect_unknown, dissect_unknown},
12170 /* 0x6c */ {dissect_unknown, dissect_unknown},
12171 /* 0x6d */ {dissect_unknown, dissect_unknown},
12172 /* 0x6e */ {dissect_unknown, dissect_unknown},
12173 /* 0x6f */ {dissect_unknown, dissect_unknown},
12175 /* 0x70 Tree Connect*/ {dissect_tree_connect_request, dissect_tree_connect_response},
12176 /* 0x71 Tree Disconnect*/ {dissect_empty, dissect_empty},
12177 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request, dissect_negprot_response},
12178 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request, dissect_session_setup_andx_response},
12179 /* 0x74 Logoff And X*/ {dissect_empty_andx, dissect_empty_andx},
12180 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request, dissect_tree_connect_andx_response},
12181 /* 0x76 */ {dissect_unknown, dissect_unknown},
12182 /* 0x77 */ {dissect_unknown, dissect_unknown},
12183 /* 0x78 */ {dissect_unknown, dissect_unknown},
12184 /* 0x79 */ {dissect_unknown, dissect_unknown},
12185 /* 0x7a */ {dissect_unknown, dissect_unknown},
12186 /* 0x7b */ {dissect_unknown, dissect_unknown},
12187 /* 0x7c */ {dissect_unknown, dissect_unknown},
12188 /* 0x7d */ {dissect_unknown, dissect_unknown},
12189 /* 0x7e */ {dissect_unknown, dissect_unknown},
12190 /* 0x7f */ {dissect_unknown, dissect_unknown},
12192 /* 0x80 Query Info Disk*/ {dissect_empty, dissect_query_information_disk_response},
12193 /* 0x81 Search Dir*/ {dissect_search_dir_request, dissect_search_dir_response},
12194 /* 0x82 */ {dissect_unknown, dissect_unknown},
12195 /* 0x83 */ {dissect_unknown, dissect_unknown},
12196 /* 0x84 */ {dissect_unknown, dissect_unknown},
12197 /* 0x85 */ {dissect_unknown, dissect_unknown},
12198 /* 0x86 */ {dissect_unknown, dissect_unknown},
12199 /* 0x87 */ {dissect_unknown, dissect_unknown},
12200 /* 0x88 */ {dissect_unknown, dissect_unknown},
12201 /* 0x89 */ {dissect_unknown, dissect_unknown},
12202 /* 0x8a */ {dissect_unknown, dissect_unknown},
12203 /* 0x8b */ {dissect_unknown, dissect_unknown},
12204 /* 0x8c */ {dissect_unknown, dissect_unknown},
12205 /* 0x8d */ {dissect_unknown, dissect_unknown},
12206 /* 0x8e */ {dissect_unknown, dissect_unknown},
12207 /* 0x8f */ {dissect_unknown, dissect_unknown},
12209 /* 0x90 */ {dissect_unknown, dissect_unknown},
12210 /* 0x91 */ {dissect_unknown, dissect_unknown},
12211 /* 0x92 */ {dissect_unknown, dissect_unknown},
12212 /* 0x93 */ {dissect_unknown, dissect_unknown},
12213 /* 0x94 */ {dissect_unknown, dissect_unknown},
12214 /* 0x95 */ {dissect_unknown, dissect_unknown},
12215 /* 0x96 */ {dissect_unknown, dissect_unknown},
12216 /* 0x97 */ {dissect_unknown, dissect_unknown},
12217 /* 0x98 */ {dissect_unknown, dissect_unknown},
12218 /* 0x99 */ {dissect_unknown, dissect_unknown},
12219 /* 0x9a */ {dissect_unknown, dissect_unknown},
12220 /* 0x9b */ {dissect_unknown, dissect_unknown},
12221 /* 0x9c */ {dissect_unknown, dissect_unknown},
12222 /* 0x9d */ {dissect_unknown, dissect_unknown},
12223 /* 0x9e */ {dissect_unknown, dissect_unknown},
12224 /* 0x9f */ {dissect_unknown, dissect_unknown},
12225 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
12226 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
12227 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
12228 /* 0xa3 */ {dissect_unknown, dissect_unknown},
12229 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, dissect_unknown}, /*no response to this one*/
12230 /* 0xa5 */ {dissect_unknown, dissect_unknown},
12231 /* 0xa6 */ {dissect_unknown, dissect_unknown},
12232 /* 0xa7 */ {dissect_unknown, dissect_unknown},
12233 /* 0xa8 */ {dissect_unknown, dissect_unknown},
12234 /* 0xa9 */ {dissect_unknown, dissect_unknown},
12235 /* 0xaa */ {dissect_unknown, dissect_unknown},
12236 /* 0xab */ {dissect_unknown, dissect_unknown},
12237 /* 0xac */ {dissect_unknown, dissect_unknown},
12238 /* 0xad */ {dissect_unknown, dissect_unknown},
12239 /* 0xae */ {dissect_unknown, dissect_unknown},
12240 /* 0xaf */ {dissect_unknown, dissect_unknown},
12242 /* 0xb0 */ {dissect_unknown, dissect_unknown},
12243 /* 0xb1 */ {dissect_unknown, dissect_unknown},
12244 /* 0xb2 */ {dissect_unknown, dissect_unknown},
12245 /* 0xb3 */ {dissect_unknown, dissect_unknown},
12246 /* 0xb4 */ {dissect_unknown, dissect_unknown},
12247 /* 0xb5 */ {dissect_unknown, dissect_unknown},
12248 /* 0xb6 */ {dissect_unknown, dissect_unknown},
12249 /* 0xb7 */ {dissect_unknown, dissect_unknown},
12250 /* 0xb8 */ {dissect_unknown, dissect_unknown},
12251 /* 0xb9 */ {dissect_unknown, dissect_unknown},
12252 /* 0xba */ {dissect_unknown, dissect_unknown},
12253 /* 0xbb */ {dissect_unknown, dissect_unknown},
12254 /* 0xbc */ {dissect_unknown, dissect_unknown},
12255 /* 0xbd */ {dissect_unknown, dissect_unknown},
12256 /* 0xbe */ {dissect_unknown, dissect_unknown},
12257 /* 0xbf */ {dissect_unknown, dissect_unknown},
12258 /* 0xc0 Open Print File*/ {dissect_open_print_file_request, dissect_fid},
12259 /* 0xc1 Write Print File*/ {dissect_write_print_file_request, dissect_empty},
12260 /* 0xc2 Close Print File*/ {dissect_fid, dissect_empty},
12261 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request, dissect_get_print_queue_response},
12262 /* 0xc4 */ {dissect_unknown, dissect_unknown},
12263 /* 0xc5 */ {dissect_unknown, dissect_unknown},
12264 /* 0xc6 */ {dissect_unknown, dissect_unknown},
12265 /* 0xc7 */ {dissect_unknown, dissect_unknown},
12266 /* 0xc8 */ {dissect_unknown, dissect_unknown},
12267 /* 0xc9 */ {dissect_unknown, dissect_unknown},
12268 /* 0xca */ {dissect_unknown, dissect_unknown},
12269 /* 0xcb */ {dissect_unknown, dissect_unknown},
12270 /* 0xcc */ {dissect_unknown, dissect_unknown},
12271 /* 0xcd */ {dissect_unknown, dissect_unknown},
12272 /* 0xce */ {dissect_unknown, dissect_unknown},
12273 /* 0xcf */ {dissect_unknown, dissect_unknown},
12275 /* 0xd0 */ {dissect_unknown, dissect_unknown},
12276 /* 0xd1 */ {dissect_unknown, dissect_unknown},
12277 /* 0xd2 */ {dissect_unknown, dissect_unknown},
12278 /* 0xd3 */ {dissect_unknown, dissect_unknown},
12279 /* 0xd4 */ {dissect_unknown, dissect_unknown},
12280 /* 0xd5 */ {dissect_unknown, dissect_unknown},
12281 /* 0xd6 */ {dissect_unknown, dissect_unknown},
12282 /* 0xd7 */ {dissect_unknown, dissect_unknown},
12283 /* 0xd8 */ {dissect_unknown, dissect_unknown},
12284 /* 0xd9 */ {dissect_unknown, dissect_unknown},
12285 /* 0xda */ {dissect_unknown, dissect_unknown},
12286 /* 0xdb */ {dissect_unknown, dissect_unknown},
12287 /* 0xdc */ {dissect_unknown, dissect_unknown},
12288 /* 0xdd */ {dissect_unknown, dissect_unknown},
12289 /* 0xde */ {dissect_unknown, dissect_unknown},
12290 /* 0xdf */ {dissect_unknown, dissect_unknown},
12292 /* 0xe0 */ {dissect_unknown, dissect_unknown},
12293 /* 0xe1 */ {dissect_unknown, dissect_unknown},
12294 /* 0xe2 */ {dissect_unknown, dissect_unknown},
12295 /* 0xe3 */ {dissect_unknown, dissect_unknown},
12296 /* 0xe4 */ {dissect_unknown, dissect_unknown},
12297 /* 0xe5 */ {dissect_unknown, dissect_unknown},
12298 /* 0xe6 */ {dissect_unknown, dissect_unknown},
12299 /* 0xe7 */ {dissect_unknown, dissect_unknown},
12300 /* 0xe8 */ {dissect_unknown, dissect_unknown},
12301 /* 0xe9 */ {dissect_unknown, dissect_unknown},
12302 /* 0xea */ {dissect_unknown, dissect_unknown},
12303 /* 0xeb */ {dissect_unknown, dissect_unknown},
12304 /* 0xec */ {dissect_unknown, dissect_unknown},
12305 /* 0xed */ {dissect_unknown, dissect_unknown},
12306 /* 0xee */ {dissect_unknown, dissect_unknown},
12307 /* 0xef */ {dissect_unknown, dissect_unknown},
12309 /* 0xf0 */ {dissect_unknown, dissect_unknown},
12310 /* 0xf1 */ {dissect_unknown, dissect_unknown},
12311 /* 0xf2 */ {dissect_unknown, dissect_unknown},
12312 /* 0xf3 */ {dissect_unknown, dissect_unknown},
12313 /* 0xf4 */ {dissect_unknown, dissect_unknown},
12314 /* 0xf5 */ {dissect_unknown, dissect_unknown},
12315 /* 0xf6 */ {dissect_unknown, dissect_unknown},
12316 /* 0xf7 */ {dissect_unknown, dissect_unknown},
12317 /* 0xf8 */ {dissect_unknown, dissect_unknown},
12318 /* 0xf9 */ {dissect_unknown, dissect_unknown},
12319 /* 0xfa */ {dissect_unknown, dissect_unknown},
12320 /* 0xfb */ {dissect_unknown, dissect_unknown},
12321 /* 0xfc */ {dissect_unknown, dissect_unknown},
12322 /* 0xfd */ {dissect_unknown, dissect_unknown},
12323 /* 0xfe */ {dissect_unknown, dissect_unknown},
12324 /* 0xff */ {dissect_unknown, dissect_unknown},
12328 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree, int offset, proto_tree *smb_tree, guint8 cmd)
12330 int old_offset = offset;
12333 si = pinfo->private_data;
12335 proto_item *cmd_item;
12336 proto_tree *cmd_tree;
12337 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree);
12339 if (check_col(pinfo->cinfo, COL_INFO)) {
12340 col_add_fstr(pinfo->cinfo, COL_INFO, "%s %s",
12341 decode_smb_name(cmd),
12342 (si->request)? "Request" : "Response");
12345 cmd_item = proto_tree_add_text(smb_tree, tvb, offset, -1,
12347 decode_smb_name(cmd),
12348 (si->request)?"Request":"Response",
12351 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb_command);
12353 dissector = (si->request)?
12354 smb_dissector[cmd].request:smb_dissector[cmd].response;
12356 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree);
12357 proto_item_set_len(cmd_item, offset-old_offset);
12363 /* NOTE: this value_string array will also be used to access data directly by
12364 * index instead of val_to_str() since
12365 * 1, the array will always span every value from 0x00 to 0xff and
12366 * 2, smb_cmd_vals[i].strptr is much cheaper than val_to_str(i, smb_cmd_vals,)
12367 * This means that this value_string array MUST always
12368 * 1, contain all entries 0x00 to 0xff
12369 * 2, all entries must be in order.
12371 static const value_string smb_cmd_vals[] = {
12372 { 0x00, "Create Directory" },
12373 { 0x01, "Delete Directory" },
12375 { 0x03, "Create" },
12378 { 0x06, "Delete" },
12379 { 0x07, "Rename" },
12380 { 0x08, "Query Information" },
12381 { 0x09, "Set Information" },
12384 { 0x0C, "Lock Byte Range" },
12385 { 0x0D, "Unlock Byte Range" },
12386 { 0x0E, "Create Temp" },
12387 { 0x0F, "Create New" },
12388 { 0x10, "Check Directory" },
12389 { 0x11, "Process Exit" },
12391 { 0x13, "Lock And Read" },
12392 { 0x14, "Write And Unlock" },
12393 { 0x15, "unknown-0x15" },
12394 { 0x16, "unknown-0x16" },
12395 { 0x17, "unknown-0x17" },
12396 { 0x18, "unknown-0x18" },
12397 { 0x19, "unknown-0x19" },
12398 { 0x1A, "Read Raw" },
12399 { 0x1B, "Read MPX" },
12400 { 0x1C, "Read MPX Secondary" },
12401 { 0x1D, "Write Raw" },
12402 { 0x1E, "Write MPX" },
12403 { 0x1F, "SMBwriteBs" },
12404 { 0x20, "Write Complete" },
12405 { 0x21, "unknown-0x21" },
12406 { 0x22, "Set Information2" },
12407 { 0x23, "Query Information2" },
12408 { 0x24, "Locking AndX" },
12409 { 0x25, "Transaction" },
12410 { 0x26, "Transaction Secondary" },
12412 { 0x28, "IOCTL Secondary" },
12416 { 0x2C, "Write And Close" },
12417 { 0x2D, "Open AndX" },
12418 { 0x2E, "Read AndX" },
12419 { 0x2F, "Write AndX" },
12420 { 0x30, "unknown-0x30" },
12421 { 0x31, "Close And Tree Discover" },
12422 { 0x32, "Transaction2" },
12423 { 0x33, "Transaction2 Secondary" },
12424 { 0x34, "Find Close2" },
12425 { 0x35, "Find Notify Close" },
12426 { 0x36, "unknown-0x36" },
12427 { 0x37, "unknown-0x37" },
12428 { 0x38, "unknown-0x38" },
12429 { 0x39, "unknown-0x39" },
12430 { 0x3A, "unknown-0x3A" },
12431 { 0x3B, "unknown-0x3B" },
12432 { 0x3C, "unknown-0x3C" },
12433 { 0x3D, "unknown-0x3D" },
12434 { 0x3E, "unknown-0x3E" },
12435 { 0x3F, "unknown-0x3F" },
12436 { 0x40, "unknown-0x40" },
12437 { 0x41, "unknown-0x41" },
12438 { 0x42, "unknown-0x42" },
12439 { 0x43, "unknown-0x43" },
12440 { 0x44, "unknown-0x44" },
12441 { 0x45, "unknown-0x45" },
12442 { 0x46, "unknown-0x46" },
12443 { 0x47, "unknown-0x47" },
12444 { 0x48, "unknown-0x48" },
12445 { 0x49, "unknown-0x49" },
12446 { 0x4A, "unknown-0x4A" },
12447 { 0x4B, "unknown-0x4B" },
12448 { 0x4C, "unknown-0x4C" },
12449 { 0x4D, "unknown-0x4D" },
12450 { 0x4E, "unknown-0x4E" },
12451 { 0x4F, "unknown-0x4F" },
12452 { 0x50, "unknown-0x50" },
12453 { 0x51, "unknown-0x51" },
12454 { 0x52, "unknown-0x52" },
12455 { 0x53, "unknown-0x53" },
12456 { 0x54, "unknown-0x54" },
12457 { 0x55, "unknown-0x55" },
12458 { 0x56, "unknown-0x56" },
12459 { 0x57, "unknown-0x57" },
12460 { 0x58, "unknown-0x58" },
12461 { 0x59, "unknown-0x59" },
12462 { 0x5A, "unknown-0x5A" },
12463 { 0x5B, "unknown-0x5B" },
12464 { 0x5C, "unknown-0x5C" },
12465 { 0x5D, "unknown-0x5D" },
12466 { 0x5E, "unknown-0x5E" },
12467 { 0x5F, "unknown-0x5F" },
12468 { 0x60, "unknown-0x60" },
12469 { 0x61, "unknown-0x61" },
12470 { 0x62, "unknown-0x62" },
12471 { 0x63, "unknown-0x63" },
12472 { 0x64, "unknown-0x64" },
12473 { 0x65, "unknown-0x65" },
12474 { 0x66, "unknown-0x66" },
12475 { 0x67, "unknown-0x67" },
12476 { 0x68, "unknown-0x68" },
12477 { 0x69, "unknown-0x69" },
12478 { 0x6A, "unknown-0x6A" },
12479 { 0x6B, "unknown-0x6B" },
12480 { 0x6C, "unknown-0x6C" },
12481 { 0x6D, "unknown-0x6D" },
12482 { 0x6E, "unknown-0x6E" },
12483 { 0x6F, "unknown-0x6F" },
12484 { 0x70, "Tree Connect" },
12485 { 0x71, "Tree Disconnect" },
12486 { 0x72, "Negotiate Protocol" },
12487 { 0x73, "Session Setup AndX" },
12488 { 0x74, "Logoff AndX" },
12489 { 0x75, "Tree Connect AndX" },
12490 { 0x76, "unknown-0x76" },
12491 { 0x77, "unknown-0x77" },
12492 { 0x78, "unknown-0x78" },
12493 { 0x79, "unknown-0x79" },
12494 { 0x7A, "unknown-0x7A" },
12495 { 0x7B, "unknown-0x7B" },
12496 { 0x7C, "unknown-0x7C" },
12497 { 0x7D, "unknown-0x7D" },
12498 { 0x7E, "unknown-0x7E" },
12499 { 0x7F, "unknown-0x7F" },
12500 { 0x80, "Query Information Disk" },
12501 { 0x81, "Search" },
12503 { 0x83, "Find Unique" },
12504 { 0x84, "SMBfclose" },
12505 { 0x85, "unknown-0x85" },
12506 { 0x86, "unknown-0x86" },
12507 { 0x87, "unknown-0x87" },
12508 { 0x88, "unknown-0x88" },
12509 { 0x89, "unknown-0x89" },
12510 { 0x8A, "unknown-0x8A" },
12511 { 0x8B, "unknown-0x8B" },
12512 { 0x8C, "unknown-0x8C" },
12513 { 0x8D, "unknown-0x8D" },
12514 { 0x8E, "unknown-0x8E" },
12515 { 0x8F, "unknown-0x8F" },
12516 { 0x90, "unknown-0x90" },
12517 { 0x91, "unknown-0x91" },
12518 { 0x92, "unknown-0x92" },
12519 { 0x93, "unknown-0x93" },
12520 { 0x94, "unknown-0x94" },
12521 { 0x95, "unknown-0x95" },
12522 { 0x96, "unknown-0x96" },
12523 { 0x97, "unknown-0x97" },
12524 { 0x98, "unknown-0x98" },
12525 { 0x99, "unknown-0x99" },
12526 { 0x9A, "unknown-0x9A" },
12527 { 0x9B, "unknown-0x9B" },
12528 { 0x9C, "unknown-0x9C" },
12529 { 0x9D, "unknown-0x9D" },
12530 { 0x9E, "unknown-0x9E" },
12531 { 0x9F, "unknown-0x9F" },
12532 { 0xA0, "NT Transact" },
12533 { 0xA1, "NT Transact Secondary" },
12534 { 0xA2, "NT Create AndX" },
12535 { 0xA3, "unknown-0xA3" },
12536 { 0xA4, "NT Cancel" },
12537 { 0xA5, "unknown-0xA5" },
12538 { 0xA6, "unknown-0xA6" },
12539 { 0xA7, "unknown-0xA7" },
12540 { 0xA8, "unknown-0xA8" },
12541 { 0xA9, "unknown-0xA9" },
12542 { 0xAA, "unknown-0xAA" },
12543 { 0xAB, "unknown-0xAB" },
12544 { 0xAC, "unknown-0xAC" },
12545 { 0xAD, "unknown-0xAD" },
12546 { 0xAE, "unknown-0xAE" },
12547 { 0xAF, "unknown-0xAF" },
12548 { 0xB0, "unknown-0xB0" },
12549 { 0xB1, "unknown-0xB1" },
12550 { 0xB2, "unknown-0xB2" },
12551 { 0xB3, "unknown-0xB3" },
12552 { 0xB4, "unknown-0xB4" },
12553 { 0xB5, "unknown-0xB5" },
12554 { 0xB6, "unknown-0xB6" },
12555 { 0xB7, "unknown-0xB7" },
12556 { 0xB8, "unknown-0xB8" },
12557 { 0xB9, "unknown-0xB9" },
12558 { 0xBA, "unknown-0xBA" },
12559 { 0xBB, "unknown-0xBB" },
12560 { 0xBC, "unknown-0xBC" },
12561 { 0xBD, "unknown-0xBD" },
12562 { 0xBE, "unknown-0xBE" },
12563 { 0xBF, "unknown-0xBF" },
12564 { 0xC0, "Open Print File" },
12565 { 0xC1, "Write Print File" },
12566 { 0xC2, "Close Print File" },
12567 { 0xC3, "Get Print Queue" },
12568 { 0xC4, "unknown-0xC4" },
12569 { 0xC5, "unknown-0xC5" },
12570 { 0xC6, "unknown-0xC6" },
12571 { 0xC7, "unknown-0xC7" },
12572 { 0xC8, "unknown-0xC8" },
12573 { 0xC9, "unknown-0xC9" },
12574 { 0xCA, "unknown-0xCA" },
12575 { 0xCB, "unknown-0xCB" },
12576 { 0xCC, "unknown-0xCC" },
12577 { 0xCD, "unknown-0xCD" },
12578 { 0xCE, "unknown-0xCE" },
12579 { 0xCF, "unknown-0xCF" },
12580 { 0xD0, "SMBsends" },
12581 { 0xD1, "SMBsendb" },
12582 { 0xD2, "SMBfwdname" },
12583 { 0xD3, "SMBcancelf" },
12584 { 0xD4, "SMBgetmac" },
12585 { 0xD5, "SMBsendstrt" },
12586 { 0xD6, "SMBsendend" },
12587 { 0xD7, "SMBsendtxt" },
12588 { 0xD8, "SMBreadbulk" },
12589 { 0xD9, "SMBwritebulk" },
12590 { 0xDA, "SMBwritebulkdata" },
12591 { 0xDB, "unknown-0xDB" },
12592 { 0xDC, "unknown-0xDC" },
12593 { 0xDD, "unknown-0xDD" },
12594 { 0xDE, "unknown-0xDE" },
12595 { 0xDF, "unknown-0xDF" },
12596 { 0xE0, "unknown-0xE0" },
12597 { 0xE1, "unknown-0xE1" },
12598 { 0xE2, "unknown-0xE2" },
12599 { 0xE3, "unknown-0xE3" },
12600 { 0xE4, "unknown-0xE4" },
12601 { 0xE5, "unknown-0xE5" },
12602 { 0xE6, "unknown-0xE6" },
12603 { 0xE7, "unknown-0xE7" },
12604 { 0xE8, "unknown-0xE8" },
12605 { 0xE9, "unknown-0xE9" },
12606 { 0xEA, "unknown-0xEA" },
12607 { 0xEB, "unknown-0xEB" },
12608 { 0xEC, "unknown-0xEC" },
12609 { 0xED, "unknown-0xED" },
12610 { 0xEE, "unknown-0xEE" },
12611 { 0xEF, "unknown-0xEF" },
12612 { 0xF0, "unknown-0xF0" },
12613 { 0xF1, "unknown-0xF1" },
12614 { 0xF2, "unknown-0xF2" },
12615 { 0xF3, "unknown-0xF3" },
12616 { 0xF4, "unknown-0xF4" },
12617 { 0xF5, "unknown-0xF5" },
12618 { 0xF6, "unknown-0xF6" },
12619 { 0xF7, "unknown-0xF7" },
12620 { 0xF8, "unknown-0xF8" },
12621 { 0xF9, "unknown-0xF9" },
12622 { 0xFA, "unknown-0xFA" },
12623 { 0xFB, "unknown-0xFB" },
12624 { 0xFC, "unknown-0xFC" },
12625 { 0xFD, "unknown-0xFD" },
12626 { 0xFE, "SMBinvalid" },
12627 { 0xFF, "unknown-0xFF" },
12631 static char *decode_smb_name(unsigned char cmd)
12633 return(smb_cmd_vals[cmd].strptr);
12638 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12639 * Everything TVBUFFIFIED above this line
12640 * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
12644 free_hash_tables(gpointer ctarg, gpointer user_data)
12646 conv_tables_t *ct = ctarg;
12649 g_hash_table_destroy(ct->unmatched);
12651 g_hash_table_destroy(ct->matched);
12652 if (ct->dcerpc_fid_to_frame)
12653 g_hash_table_destroy(ct->dcerpc_fid_to_frame);
12654 if (ct->tid_service)
12655 g_hash_table_destroy(ct->tid_service);
12659 smb_init_protocol(void)
12661 if (smb_saved_info_key_chunk)
12662 g_mem_chunk_destroy(smb_saved_info_key_chunk);
12663 if (smb_saved_info_chunk)
12664 g_mem_chunk_destroy(smb_saved_info_chunk);
12665 if (smb_nt_transact_info_chunk)
12666 g_mem_chunk_destroy(smb_nt_transact_info_chunk);
12667 if (smb_transact2_info_chunk)
12668 g_mem_chunk_destroy(smb_transact2_info_chunk);
12669 if (smb_transact_info_chunk)
12670 g_mem_chunk_destroy(smb_transact_info_chunk);
12673 * Free the hash tables attached to the conversation table
12674 * structures, and then free the list of conversation table
12675 * data structures (which doesn't free the data structures
12676 * themselves; that's done by destroying the chunk from
12677 * which they were allocated).
12680 g_slist_foreach(conv_tables, free_hash_tables, NULL);
12681 g_slist_free(conv_tables);
12682 conv_tables = NULL;
12686 * Now destroy the chunk from which the conversation table
12687 * structures were allocated.
12689 if (conv_tables_chunk)
12690 g_mem_chunk_destroy(conv_tables_chunk);
12692 smb_saved_info_chunk = g_mem_chunk_new("smb_saved_info_chunk",
12693 sizeof(smb_saved_info_t),
12694 smb_saved_info_init_count * sizeof(smb_saved_info_t),
12696 smb_saved_info_key_chunk = g_mem_chunk_new("smb_saved_info_key_chunk",
12697 sizeof(smb_saved_info_key_t),
12698 smb_saved_info_init_count * sizeof(smb_saved_info_key_t),
12700 smb_nt_transact_info_chunk = g_mem_chunk_new("smb_nt_transact_info_chunk",
12701 sizeof(smb_nt_transact_info_t),
12702 smb_nt_transact_info_init_count * sizeof(smb_nt_transact_info_t),
12704 smb_transact2_info_chunk = g_mem_chunk_new("smb_transact2_info_chunk",
12705 sizeof(smb_transact2_info_t),
12706 smb_transact2_info_init_count * sizeof(smb_transact2_info_t),
12708 smb_transact_info_chunk = g_mem_chunk_new("smb_transact_info_chunk",
12709 sizeof(smb_transact_info_t),
12710 smb_transact_info_init_count * sizeof(smb_transact_info_t),
12712 conv_tables_chunk = g_mem_chunk_new("conv_tables_chunk",
12713 sizeof(conv_tables_t),
12714 conv_tables_count * sizeof(conv_tables_t),
12718 /* Max string length for displaying Unicode strings. */
12719 #define MAX_UNICODE_STR_LEN 256
12722 /* Turn a little-endian Unicode '\0'-terminated string into a string we
12724 XXX - for now, we just handle the ISO 8859-1 characters.
12725 If exactlen==TRUE then us_lenp contains the exact len of the string in
12726 bytes. It might not be null terminated !
12727 bc specifies the number of bytes in the byte parameters; Windows 2000,
12728 at least, appears, in some cases, to put only 1 byte of 0 at the end
12729 of a Unicode string if the byte count
12732 unicode_to_str(tvbuff_t *tvb, int offset, int *us_lenp, gboolean exactlen,
12735 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
12743 if (cur == &str[0][0]) {
12745 } else if (cur == &str[1][0]) {
12751 len = MAX_UNICODE_STR_LEN;
12757 /* XXX - explain this */
12759 us_len += 1; /* this is a one-byte null terminator */
12762 uchar = tvb_get_letohs(tvb, offset);
12764 us_len += 2; /* this is a two-byte null terminator */
12768 if ((uchar & 0xFF00) == 0)
12769 *p++ = uchar; /* ISO 8859-1 */
12771 *p++ = '?'; /* not 8859-1 */
12779 if(us_len>= *us_lenp){
12785 /* Note that we're not showing the full string. */
12796 /* nopad == TRUE : Do not add any padding before this string
12797 * exactlen == TRUE : len contains the exact len of the string in bytes.
12798 * bc: pointer to variable with amount of data left in the byte parameters
12801 static const gchar *
12802 get_unicode_or_ascii_string(tvbuff_t *tvb, int *offsetp,
12803 packet_info *pinfo, int *len, gboolean nopad, gboolean exactlen,
12806 static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
12808 const gchar *string;
12814 /* Not enough data in buffer */
12817 si = pinfo->private_data;
12819 if ((!nopad) && (*offsetp % 2)) {
12821 * XXX - this should be an offset relative to the beginning of the SMB,
12822 * not an offset relative to the beginning of the frame; if the stuff
12823 * before the SMB has an odd number of bytes, an offset relative to
12824 * the beginning of the frame will give the wrong answer.
12826 (*offsetp)++; /* Looks like a pad byte there sometimes */
12829 /* Not enough data in buffer */
12835 string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
12837 string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
12842 * The string we return must be null-terminated.
12844 if (cur == &str[0][0]) {
12846 } else if (cur == &str[1][0]) {
12852 if (copylen > MAX_UNICODE_STR_LEN)
12853 copylen = MAX_UNICODE_STR_LEN;
12854 tvb_memcpy(tvb, (guint8 *)cur, *offsetp, copylen);
12855 cur[copylen] = '\0';
12856 if (copylen > MAX_UNICODE_STR_LEN)
12857 strcat(cur, "...");
12861 string_len = tvb_strsize(tvb, *offsetp);
12862 string = tvb_get_ptr(tvb, *offsetp, string_len);
12871 static const value_string errcls_types[] = {
12872 { SMB_SUCCESS, "Success"},
12873 { SMB_ERRDOS, "DOS Error"},
12874 { SMB_ERRSRV, "Server Error"},
12875 { SMB_ERRHRD, "Hardware Error"},
12876 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
12880 const value_string DOS_errors[] = {
12882 {SMBE_insufficientbuffer, "Insufficient buffer"},
12883 {SMBE_badfunc, "Invalid function (or system call)"},
12884 {SMBE_badfile, "File not found (pathname error)"},
12885 {SMBE_badpath, "Directory not found"},
12886 {SMBE_nofids, "Too many open files"},
12887 {SMBE_noaccess, "Access denied"},
12888 {SMBE_badfid, "Invalid fid"},
12889 {SMBE_nomem, "Out of memory"},
12890 {SMBE_badmem, "Invalid memory block address"},
12891 {SMBE_badenv, "Invalid environment"},
12892 {SMBE_badaccess, "Invalid open mode"},
12893 {SMBE_baddata, "Invalid data (only from ioctl call)"},
12894 {SMBE_res, "Reserved error code?"},
12895 {SMBE_baddrive, "Invalid drive"},
12896 {SMBE_remcd, "Attempt to delete current directory"},
12897 {SMBE_diffdevice, "Rename/move across different filesystems"},
12898 {SMBE_nofiles, "No more files found in file search"},
12899 {SMBE_badshare, "Share mode on file conflict with open mode"},
12900 {SMBE_lock, "Lock request conflicts with existing lock"},
12901 {SMBE_unsup, "Request unsupported, returned by Win 95"},
12902 {SMBE_nosuchshare, "Requested share does not exist"},
12903 {SMBE_filexists, "File in operation already exists"},
12904 {SMBE_cannotopen, "Cannot open the file specified"},
12905 {SMBE_unknownlevel, "Unknown info level"},
12906 {SMBE_invalidname, "Invalid name"},
12907 {SMBE_badpipe, "Named pipe invalid"},
12908 {SMBE_pipebusy, "All instances of pipe are busy"},
12909 {SMBE_pipeclosing, "Named pipe close in progress"},
12910 {SMBE_notconnected, "No process on other end of named pipe"},
12911 {SMBE_moredata, "More data to be returned"},
12912 {SMBE_baddirectory, "Invalid directory name in a path."},
12913 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
12914 {SMBE_eas_nsup, "Extended attributes not supported"},
12915 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
12916 {SMBE_unknownipc, "Unknown IPC Operation"},
12917 {SMBE_noipc, "Don't support ipc"},
12918 {SMBE_alreadyexists, "File already exists"},
12919 {SMBE_unknownprinterdriver, "Unknown printer driver"},
12920 {SMBE_invalidprintername, "Invalid printer name"},
12921 {SMBE_printeralreadyexists, "Printer already exists"},
12922 {SMBE_invaliddatatype, "Invalid data type"},
12923 {SMBE_invalidenvironment, "Invalid environment"},
12924 {SMBE_printerdriverinuse, "Printer driver in use"},
12925 {SMBE_invalidparam, "Invalid parameter"},
12926 {SMBE_invalidformsize, "Invalid form size"},
12930 /* Error codes for the ERRSRV class */
12932 static const value_string SRV_errors[] = {
12933 {SMBE_error, "Non specific error code"},
12934 {SMBE_badpw, "Bad password"},
12935 {SMBE_badtype, "Reserved"},
12936 {SMBE_access, "No permissions to perform the requested operation"},
12937 {SMBE_invnid, "TID invalid"},
12938 {SMBE_invnetname, "Invalid network name. Service not found"},
12939 {SMBE_invdevice, "Invalid device"},
12940 {SMBE_unknownsmb, "Unknown SMB, from NT 3.5 response"},
12941 {SMBE_qfull, "Print queue full"},
12942 {SMBE_qtoobig, "Queued item too big"},
12943 {SMBE_qeof, "EOF on print queue dump"},
12944 {SMBE_invpfid, "Invalid print file in smb_fid"},
12945 {SMBE_smbcmd, "Unrecognised command"},
12946 {SMBE_srverror, "SMB server internal error"},
12947 {SMBE_filespecs, "Fid and pathname invalid combination"},
12948 {SMBE_badlink, "Bad link in request ???"},
12949 {SMBE_badpermits, "Access specified for a file is not valid"},
12950 {SMBE_badpid, "Bad process id in request"},
12951 {SMBE_setattrmode, "Attribute mode invalid"},
12952 {SMBE_paused, "Message server paused"},
12953 {SMBE_msgoff, "Not receiving messages"},
12954 {SMBE_noroom, "No room for message"},
12955 {SMBE_rmuns, "Too many remote usernames"},
12956 {SMBE_timeout, "Operation timed out"},
12957 {SMBE_noresource, "No resources currently available for request."},
12958 {SMBE_toomanyuids, "Too many userids"},
12959 {SMBE_baduid, "Bad userid"},
12960 {SMBE_useMPX, "Temporarily unable to use raw mode, use MPX mode"},
12961 {SMBE_useSTD, "Temporarily unable to use raw mode, use standard mode"},
12962 {SMBE_contMPX, "Resume MPX mode"},
12963 {SMBE_badPW, "Bad Password???"},
12964 {SMBE_nosupport, "Operation not supported"},
12968 /* Error codes for the ERRHRD class */
12970 static const value_string HRD_errors[] = {
12971 {SMBE_nowrite, "Read only media"},
12972 {SMBE_badunit, "Unknown device"},
12973 {SMBE_notready, "Drive not ready"},
12974 {SMBE_badcmd, "Unknown command"},
12975 {SMBE_data, "Data (CRC) error"},
12976 {SMBE_badreq, "Bad request structure length"},
12977 {SMBE_seek, "Seek error???"},
12978 {SMBE_badmedia, "Bad media???"},
12979 {SMBE_badsector, "Bad sector???"},
12980 {SMBE_nopaper, "No paper in printer???"},
12981 {SMBE_write, "Write error???"},
12982 {SMBE_read, "Read error???"},
12983 {SMBE_general, "General error???"},
12984 {SMBE_badshare, "A open conflicts with an existing open"},
12985 {SMBE_lock, "Lock/unlock error"},
12986 {SMBE_wrongdisk, "Wrong disk???"},
12987 {SMBE_FCBunavail, "FCB unavailable???"},
12988 {SMBE_sharebufexc, "Share buffer excluded???"},
12989 {SMBE_diskfull, "Disk full???"},
12993 static char *decode_smb_error(guint8 errcls, guint16 errcode)
13000 return("No Error"); /* No error ??? */
13005 return(val_to_str(errcode, DOS_errors, "Unknown DOS error (%x)"));
13010 return(val_to_str(errcode, SRV_errors, "Unknown SRV error (%x)"));
13015 return(val_to_str(errcode, HRD_errors, "Unknown HRD error (%x)"));
13020 return("Unknown error class!");
13027 /* These are the MS country codes from
13029 http://www.unicode.org/unicode/onlinedat/countries.html
13031 For countries that share the same number, I choose to use only the
13032 name of the largest country. Apologies for this. If this offends you,
13033 here is the table to change that.
13035 This also includes the code of 0 for "Default", and some fixes for
13036 errors in the Unicode Consortium's table.
13038 Future versions of Microsoft's "winnls.h" header file may include
13039 additional codes; the current version matches the Unicode Consortium's
13040 table, except for the additional code 0 for "Default", and two
13041 errors (that have been reported to the Unicode Consortium, so the
13042 page at the URL listed above might include fixes for those errors
13045 const value_string ms_country_codes[] = {
13051 { 27, "South Africa"},
13053 { 31, "Netherlands"},
13060 { 41, "Switzerland"},
13062 { 44, "United Kingdom"},
13070 { 54, "Argentina"},
13074 { 58, "Venezuela"},
13076 { 61, "Australia"},
13077 { 62, "Indonesia"},
13078 { 63, "Philippines"},
13079 { 64, "New Zealand"},
13080 { 65, "Singapore"},
13083 { 82, "South Korea"},
13095 {298, "Faroe Islands"},
13097 {352, "Luxembourg"},
13103 {370, "Lithuania"},
13112 {389, "Macedonia"},
13113 {420, "Czech Republic"},
13114 {421, "Slovak Republic"},
13116 {502, "Guatemala"},
13117 {503, "El Salvador"},
13119 {505, "Nicaragua"},
13120 {506, "Costa Rica"},
13126 {673, "Brunei Darussalam"},
13127 {852, "Hong Kong"},
13136 {966, "Saudi Arabia"},
13139 {971, "United Arab Emirates"},
13145 {994, "Azerbaijan"},
13147 {996, "Kyrgyzstan"},
13157 * http://www.wildpackets.com/elements/SMB_NT_Status_Codes.txt
13159 const value_string NT_errors[] = {
13160 { 0x00000000, "STATUS_SUCCESS" },
13161 { 0x00000000, "STATUS_WAIT_0" },
13162 { 0x00000001, "STATUS_WAIT_1" },
13163 { 0x00000002, "STATUS_WAIT_2" },
13164 { 0x00000003, "STATUS_WAIT_3" },
13165 { 0x0000003F, "STATUS_WAIT_63" },
13166 { 0x00000080, "STATUS_ABANDONED" },
13167 { 0x00000080, "STATUS_ABANDONED_WAIT_0" },
13168 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
13169 { 0x000000C0, "STATUS_USER_APC" },
13170 { 0x00000100, "STATUS_KERNEL_APC" },
13171 { 0x00000101, "STATUS_ALERTED" },
13172 { 0x00000102, "STATUS_TIMEOUT" },
13173 { 0x00000103, "STATUS_PENDING" },
13174 { 0x00000104, "STATUS_REPARSE" },
13175 { 0x00000105, "STATUS_MORE_ENTRIES" },
13176 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
13177 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
13178 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
13179 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
13180 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
13181 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
13182 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
13183 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
13184 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
13185 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
13186 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
13187 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
13188 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
13189 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
13190 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
13191 { 0x00000116, "STATUS_CRASH_DUMP" },
13192 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
13193 { 0x00000118, "STATUS_REPARSE_OBJECT" },
13194 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
13195 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
13196 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
13197 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
13198 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
13199 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
13200 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
13201 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
13202 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
13203 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
13204 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
13205 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
13206 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
13207 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
13208 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
13209 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
13210 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
13211 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
13212 { 0x40000012, "STATUS_EVENT_DONE" },
13213 { 0x40000013, "STATUS_EVENT_PENDING" },
13214 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
13215 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
13216 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
13217 { 0x40000017, "STATUS_WAS_UNLOCKED" },
13218 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
13219 { 0x40000019, "STATUS_WAS_LOCKED" },
13220 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
13221 { 0x4000001B, "STATUS_ALREADY_WIN32" },
13222 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
13223 { 0x4000001D, "STATUS_WX86_CONTINUE" },
13224 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
13225 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
13226 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
13227 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
13228 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
13229 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
13230 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
13231 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
13232 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
13233 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
13234 { 0x80000003, "STATUS_BREAKPOINT" },
13235 { 0x80000004, "STATUS_SINGLE_STEP" },
13236 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
13237 { 0x80000006, "STATUS_NO_MORE_FILES" },
13238 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
13239 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
13240 { 0x8000000B, "STATUS_NO_INHERITANCE" },
13241 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
13242 { 0x8000000D, "STATUS_PARTIAL_COPY" },
13243 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
13244 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
13245 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
13246 { 0x80000011, "STATUS_DEVICE_BUSY" },
13247 { 0x80000012, "STATUS_NO_MORE_EAS" },
13248 { 0x80000013, "STATUS_INVALID_EA_NAME" },
13249 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
13250 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
13251 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
13252 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
13253 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
13254 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
13255 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
13256 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
13257 { 0x8000001D, "STATUS_BUS_RESET" },
13258 { 0x8000001E, "STATUS_END_OF_MEDIA" },
13259 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
13260 { 0x80000020, "STATUS_MEDIA_CHECK" },
13261 { 0x80000021, "STATUS_SETMARK_DETECTED" },
13262 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
13263 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
13264 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
13265 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
13266 { 0x80000026, "STATUS_LONGJUMP" },
13267 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
13268 { 0x80090301, "SEC_E_INVALID_HANDLE" },
13269 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
13270 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
13271 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
13272 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
13273 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
13274 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
13275 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
13276 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
13277 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
13278 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
13279 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
13280 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
13281 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
13282 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
13283 { 0xC0000008, "STATUS_INVALID_HANDLE" },
13284 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
13285 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
13286 { 0xC000000B, "STATUS_INVALID_CID" },
13287 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
13288 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
13289 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
13290 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
13291 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
13292 { 0xC0000011, "STATUS_END_OF_FILE" },
13293 { 0xC0000012, "STATUS_WRONG_VOLUME" },
13294 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
13295 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
13296 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
13297 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
13298 { 0xC0000017, "STATUS_NO_MEMORY" },
13299 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
13300 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
13301 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
13302 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
13303 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
13304 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
13305 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
13306 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
13307 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
13308 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
13309 { 0xC0000022, "STATUS_ACCESS_DENIED" },
13310 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
13311 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
13312 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
13313 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
13314 { 0xC0000027, "STATUS_UNWIND" },
13315 { 0xC0000028, "STATUS_BAD_STACK" },
13316 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
13317 { 0xC000002A, "STATUS_NOT_LOCKED" },
13318 { 0xC000002B, "STATUS_PARITY_ERROR" },
13319 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
13320 { 0xC000002D, "STATUS_NOT_COMMITTED" },
13321 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
13322 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
13323 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
13324 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
13325 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
13326 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
13327 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
13328 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
13329 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
13330 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
13331 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
13332 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
13333 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
13334 { 0xC000003C, "STATUS_DATA_OVERRUN" },
13335 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
13336 { 0xC000003E, "STATUS_DATA_ERROR" },
13337 { 0xC000003F, "STATUS_CRC_ERROR" },
13338 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
13339 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
13340 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
13341 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
13342 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
13343 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
13344 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
13345 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
13346 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
13347 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
13348 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
13349 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
13350 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
13351 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
13352 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
13353 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
13354 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
13355 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
13356 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
13357 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
13358 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
13359 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
13360 { 0xC0000056, "STATUS_DELETE_PENDING" },
13361 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
13362 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
13363 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
13364 { 0xC000005A, "STATUS_INVALID_OWNER" },
13365 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
13366 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
13367 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
13368 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
13369 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
13370 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
13371 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
13372 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
13373 { 0xC0000063, "STATUS_USER_EXISTS" },
13374 { 0xC0000064, "STATUS_NO_SUCH_USER" },
13375 { 0xC0000065, "STATUS_GROUP_EXISTS" },
13376 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
13377 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
13378 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
13379 { 0xC0000069, "STATUS_LAST_ADMIN" },
13380 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
13381 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
13382 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
13383 { 0xC000006D, "STATUS_LOGON_FAILURE" },
13384 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
13385 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
13386 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
13387 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
13388 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
13389 { 0xC0000073, "STATUS_NONE_MAPPED" },
13390 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
13391 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
13392 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
13393 { 0xC0000077, "STATUS_INVALID_ACL" },
13394 { 0xC0000078, "STATUS_INVALID_SID" },
13395 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
13396 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
13397 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
13398 { 0xC000007C, "STATUS_NO_TOKEN" },
13399 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
13400 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
13401 { 0xC000007F, "STATUS_DISK_FULL" },
13402 { 0xC0000080, "STATUS_SERVER_DISABLED" },
13403 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
13404 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
13405 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
13406 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
13407 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
13408 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
13409 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
13410 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
13411 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
13412 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
13413 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
13414 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
13415 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
13416 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
13417 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
13418 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
13419 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
13420 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
13421 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
13422 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
13423 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
13424 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
13425 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
13426 { 0xC0000098, "STATUS_FILE_INVALID" },
13427 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
13428 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
13429 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
13430 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
13431 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
13432 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
13433 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
13434 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
13435 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
13436 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
13437 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
13438 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
13439 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
13440 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
13441 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
13442 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
13443 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
13444 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
13445 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
13446 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
13447 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
13448 { 0xC00000AE, "STATUS_PIPE_BUSY" },
13449 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
13450 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
13451 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
13452 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
13453 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
13454 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
13455 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
13456 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
13457 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
13458 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
13459 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
13460 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
13461 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
13462 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
13463 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
13464 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
13465 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
13466 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
13467 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
13468 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
13469 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
13470 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
13471 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
13472 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
13473 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
13474 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
13475 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
13476 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
13477 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
13478 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
13479 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
13480 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
13481 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
13482 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
13483 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
13484 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
13485 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
13486 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
13487 { 0xC00000D5, "STATUS_FILE_RENAMED" },
13488 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
13489 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
13490 { 0xC00000D8, "STATUS_CANT_WAIT" },
13491 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
13492 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
13493 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
13494 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
13495 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
13496 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
13497 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
13498 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
13499 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
13500 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
13501 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
13502 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
13503 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
13504 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
13505 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
13506 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
13507 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
13508 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
13509 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
13510 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
13511 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
13512 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
13513 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
13514 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
13515 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
13516 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
13517 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
13518 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
13519 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
13520 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
13521 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
13522 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
13523 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
13524 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
13525 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
13526 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
13527 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
13528 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
13529 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
13530 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
13531 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
13532 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
13533 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
13534 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
13535 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
13536 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
13537 { 0xC0000107, "STATUS_FILES_OPEN" },
13538 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
13539 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
13540 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
13541 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
13542 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
13543 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
13544 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
13545 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
13546 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
13547 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
13548 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
13549 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
13550 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
13551 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
13552 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
13553 { 0xC0000117, "STATUS_NO_LDT" },
13554 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
13555 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
13556 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
13557 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
13558 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
13559 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
13560 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
13561 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
13562 { 0xC0000120, "STATUS_CANCELLED" },
13563 { 0xC0000121, "STATUS_CANNOT_DELETE" },
13564 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
13565 { 0xC0000123, "STATUS_FILE_DELETED" },
13566 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
13567 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
13568 { 0xC0000126, "STATUS_SPECIAL_USER" },
13569 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
13570 { 0xC0000128, "STATUS_FILE_CLOSED" },
13571 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
13572 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
13573 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
13574 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
13575 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
13576 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
13577 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
13578 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
13579 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
13580 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
13581 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
13582 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
13583 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
13584 { 0xC0000136, "STATUS_OPEN_FAILED" },
13585 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
13586 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
13587 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
13588 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
13589 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
13590 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
13591 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
13592 { 0xC000013E, "STATUS_LINK_FAILED" },
13593 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
13594 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
13595 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
13596 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
13597 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
13598 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
13599 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
13600 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
13601 { 0xC0000147, "STATUS_NO_PAGEFILE" },
13602 { 0xC0000148, "STATUS_INVALID_LEVEL" },
13603 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
13604 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
13605 { 0xC000014B, "STATUS_PIPE_BROKEN" },
13606 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
13607 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
13608 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
13609 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
13610 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
13611 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
13612 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
13613 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
13614 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
13615 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
13616 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
13617 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
13618 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
13619 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
13620 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
13621 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
13622 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
13623 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
13624 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
13625 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
13626 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
13627 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
13628 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
13629 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
13630 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
13631 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
13632 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
13633 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
13634 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
13635 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
13636 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
13637 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
13638 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
13639 { 0xC000016D, "STATUS_FT_ORPHANING" },
13640 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
13641 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
13642 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
13643 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
13644 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
13645 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
13646 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
13647 { 0xC0000178, "STATUS_NO_MEDIA" },
13648 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
13649 { 0xC000017B, "STATUS_INVALID_MEMBER" },
13650 { 0xC000017C, "STATUS_KEY_DELETED" },
13651 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
13652 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
13653 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
13654 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
13655 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
13656 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
13657 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
13658 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
13659 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
13660 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
13661 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
13662 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
13663 { 0xC0000189, "STATUS_TOO_LATE" },
13664 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
13665 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
13666 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
13667 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
13668 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
13669 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
13670 { 0xC0000190, "STATUS_TRUST_FAILURE" },
13671 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
13672 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
13673 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
13674 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
13675 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
13676 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
13677 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
13678 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
13679 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
13680 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
13681 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
13682 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
13683 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
13684 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
13685 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
13686 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
13687 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
13688 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
13689 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
13690 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
13691 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
13692 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
13693 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
13694 { 0xC000020D, "STATUS_CONNECTION_RESET" },
13695 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
13696 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
13697 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
13698 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
13699 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
13700 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
13701 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
13702 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
13703 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
13704 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
13705 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
13706 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
13707 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
13708 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
13709 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
13710 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
13711 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
13712 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
13713 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
13714 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
13715 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
13716 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
13717 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
13718 { 0xC0000225, "STATUS_NOT_FOUND" },
13719 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
13720 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
13721 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
13722 { 0xC0000229, "STATUS_FAIL_CHECK" },
13723 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
13724 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
13725 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
13726 { 0xC000022D, "STATUS_RETRY" },
13727 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
13728 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
13729 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
13730 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
13731 { 0xC0000232, "STATUS_INVALID_VARIANT" },
13732 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
13733 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
13734 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
13735 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
13736 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
13737 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
13738 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
13739 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
13740 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
13741 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
13742 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
13743 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
13744 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
13745 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
13746 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
13747 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
13748 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
13749 { 0xC0000244, "STATUS_AUDIT_FAILED" },
13750 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
13751 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
13752 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
13753 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
13754 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
13755 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
13756 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
13757 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
13758 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
13759 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
13760 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
13761 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
13762 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
13763 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
13764 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
13765 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
13766 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
13767 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
13768 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
13769 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
13770 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
13771 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
13772 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
13773 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
13774 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
13775 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
13776 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
13777 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
13778 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
13779 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
13780 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
13781 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
13782 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
13783 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
13784 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
13785 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
13786 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
13787 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
13788 { 0xC0000272, "STATUS_NO_MATCH" },
13789 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
13790 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
13791 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
13792 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
13793 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
13794 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
13795 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
13796 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
13797 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
13798 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
13799 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
13800 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
13801 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
13802 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
13803 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
13804 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
13805 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
13806 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
13807 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
13808 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
13809 { 0xC000028E, "STATUS_NO_EFS" },
13810 { 0xC000028F, "STATUS_WRONG_EFS" },
13811 { 0xC0000290, "STATUS_NO_USER_KEYS" },
13812 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
13813 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
13814 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
13815 { 0x40000294, "STATUS_WAKE_SYSTEM" },
13816 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
13817 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
13818 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
13819 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
13820 { 0xC0000299, "STATUS_SHARED_POLICY" },
13821 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
13822 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
13823 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
13824 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
13825 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
13826 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
13827 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
13828 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
13829 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
13830 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
13831 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
13832 { 0xC00002A5, "STATUS_DS_BUSY" },
13833 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
13834 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
13835 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
13836 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
13837 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
13838 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
13839 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
13840 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
13841 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
13842 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
13843 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
13844 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
13845 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
13846 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
13847 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
13848 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
13849 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
13850 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
13851 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
13852 { 0xC00002B9, "STATUS_NOINTERFACE" },
13853 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
13854 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
13855 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
13856 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
13857 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
13858 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
13859 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
13860 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
13861 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
13862 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
13863 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
13864 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
13865 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
13866 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
13867 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
13868 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
13869 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
13870 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
13871 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
13872 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
13873 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
13874 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
13875 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
13876 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
13877 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
13878 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
13879 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
13880 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
13881 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
13882 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
13883 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
13884 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
13885 { 0xC00002E1, "STATUS_DS_CANT_START" },
13886 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
13887 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
13888 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
13889 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
13890 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
13891 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
13892 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
13893 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
13894 { 0xC0009898, "STATUS_WOW_ASSERTION" },
13895 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
13896 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
13897 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
13898 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
13899 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
13900 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
13901 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
13902 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
13903 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
13904 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
13905 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
13906 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
13907 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
13908 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
13909 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
13910 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
13911 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
13912 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
13913 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
13914 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
13915 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
13916 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
13917 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
13918 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
13919 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
13920 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
13921 { 0xC002001B, "RPC_NT_CALL_FAILED" },
13922 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
13923 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
13924 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
13925 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
13926 { 0xC0020022, "RPC_NT_INVALID_TAG" },
13927 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
13928 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
13929 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
13930 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
13931 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
13932 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
13933 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
13934 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
13935 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
13936 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
13937 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
13938 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
13939 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
13940 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
13941 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
13942 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
13943 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
13944 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
13945 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
13946 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
13947 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
13948 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
13949 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
13950 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
13951 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
13952 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
13953 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
13954 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
13955 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
13956 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
13957 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
13958 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
13959 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
13960 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
13961 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
13962 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
13963 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
13964 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
13965 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
13966 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
13967 { 0xC002100A, "RPC_P_SEND_FAILED" },
13968 { 0xC002100B, "RPC_P_TIMEOUT" },
13969 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
13970 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
13971 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
13972 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
13973 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
13974 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
13975 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
13976 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
13977 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
13978 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
13979 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
13980 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
13981 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
13982 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
13983 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
13984 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
13985 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
13986 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
13987 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
13988 { 0xC002004C, "EPT_NT_CANT_CREATE" },
13989 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
13990 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
13991 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
13992 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
13993 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
13994 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
13995 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
13996 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
13997 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
13998 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
13999 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
14000 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
14001 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
14002 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
14003 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
14004 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
14005 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
14006 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
14012 static const true_false_string tfs_smb_flags_lock = {
14013 "Lock&Read, Write&Unlock are supported",
14014 "Lock&Read, Write&Unlock are not supported"
14016 static const true_false_string tfs_smb_flags_receive_buffer = {
14017 "Receive buffer has been posted",
14018 "Receive buffer has not been posted"
14020 static const true_false_string tfs_smb_flags_caseless = {
14021 "Path names are caseless",
14022 "Path names are case sensitive"
14024 static const true_false_string tfs_smb_flags_canon = {
14025 "Pathnames are canonicalized",
14026 "Pathnames are not canonicalized"
14028 static const true_false_string tfs_smb_flags_oplock = {
14029 "OpLock requested/granted",
14030 "OpLock not requested/granted"
14032 static const true_false_string tfs_smb_flags_notify = {
14033 "Notify client on all modifications",
14034 "Notify client only on open"
14036 static const true_false_string tfs_smb_flags_response = {
14037 "Message is a response to the client/redirector",
14038 "Message is a request to the server"
14042 dissect_smb_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
14045 proto_item *item = NULL;
14046 proto_tree *tree = NULL;
14048 mask = tvb_get_guint8(tvb, offset);
14051 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
14052 "Flags: 0x%02x", mask);
14053 tree = proto_item_add_subtree(item, ett_smb_flags);
14055 proto_tree_add_boolean(tree, hf_smb_flags_response,
14056 tvb, offset, 1, mask);
14057 proto_tree_add_boolean(tree, hf_smb_flags_notify,
14058 tvb, offset, 1, mask);
14059 proto_tree_add_boolean(tree, hf_smb_flags_oplock,
14060 tvb, offset, 1, mask);
14061 proto_tree_add_boolean(tree, hf_smb_flags_canon,
14062 tvb, offset, 1, mask);
14063 proto_tree_add_boolean(tree, hf_smb_flags_caseless,
14064 tvb, offset, 1, mask);
14065 proto_tree_add_boolean(tree, hf_smb_flags_receive_buffer,
14066 tvb, offset, 1, mask);
14067 proto_tree_add_boolean(tree, hf_smb_flags_lock,
14068 tvb, offset, 1, mask);
14075 static const true_false_string tfs_smb_flags2_long_names_allowed = {
14076 "Long file names are allowed in the response",
14077 "Long file names are not allowed in the response"
14079 static const true_false_string tfs_smb_flags2_ea = {
14080 "Extended attributes are supported",
14081 "Extended attributes are not supported"
14083 static const true_false_string tfs_smb_flags2_sec_sig = {
14084 "Security signatures are supported",
14085 "Security signatures are not supported"
14087 static const true_false_string tfs_smb_flags2_long_names_used = {
14088 "Path names in request are long file names",
14089 "Path names in request are not long file names"
14091 static const true_false_string tfs_smb_flags2_esn = {
14092 "Extended security negotiation is supported",
14093 "Extended security negotiation is not supported"
14095 static const true_false_string tfs_smb_flags2_dfs = {
14096 "Resolve pathnames with Dfs",
14097 "Don't resolve pathnames with Dfs"
14099 static const true_false_string tfs_smb_flags2_roe = {
14100 "Permit reads if execute-only",
14101 "Don't permit reads if execute-only"
14103 static const true_false_string tfs_smb_flags2_nt_error = {
14104 "Error codes are NT error codes",
14105 "Error codes are DOS error codes"
14107 static const true_false_string tfs_smb_flags2_string = {
14108 "Strings are Unicode",
14109 "Strings are ASCII"
14112 dissect_smb_flags2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
14115 proto_item *item = NULL;
14116 proto_tree *tree = NULL;
14118 mask = tvb_get_letohs(tvb, offset);
14121 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
14122 "Flags2: 0x%04x", mask);
14123 tree = proto_item_add_subtree(item, ett_smb_flags2);
14126 proto_tree_add_boolean(tree, hf_smb_flags2_string,
14127 tvb, offset, 2, mask);
14128 proto_tree_add_boolean(tree, hf_smb_flags2_nt_error,
14129 tvb, offset, 2, mask);
14130 proto_tree_add_boolean(tree, hf_smb_flags2_roe,
14131 tvb, offset, 2, mask);
14132 proto_tree_add_boolean(tree, hf_smb_flags2_dfs,
14133 tvb, offset, 2, mask);
14134 proto_tree_add_boolean(tree, hf_smb_flags2_esn,
14135 tvb, offset, 2, mask);
14136 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_used,
14137 tvb, offset, 2, mask);
14138 proto_tree_add_boolean(tree, hf_smb_flags2_sec_sig,
14139 tvb, offset, 2, mask);
14140 proto_tree_add_boolean(tree, hf_smb_flags2_ea,
14141 tvb, offset, 2, mask);
14142 proto_tree_add_boolean(tree, hf_smb_flags2_long_names_allowed,
14143 tvb, offset, 2, mask);
14151 #define SMB_FLAGS_DIRN 0x80
14155 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
14158 proto_item *item = NULL, *hitem = NULL;
14159 proto_tree *tree = NULL, *htree = NULL;
14163 smb_saved_info_t *sip = NULL;
14164 smb_saved_info_key_t key;
14165 smb_saved_info_key_t *new_key;
14166 guint32 nt_status = 0;
14167 guint8 errclass = 0;
14168 guint16 errcode = 0;
14170 conversation_t *conversation;
14172 top_tree=parent_tree;
14174 /* must check that this really is a smb packet */
14175 if (!tvb_bytes_exist(tvb, 0, 4))
14178 if( (tvb_get_guint8(tvb, 0) != 0xff)
14179 || (tvb_get_guint8(tvb, 1) != 'S')
14180 || (tvb_get_guint8(tvb, 2) != 'M')
14181 || (tvb_get_guint8(tvb, 3) != 'B') ){
14185 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
14186 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
14188 if (check_col(pinfo->cinfo, COL_INFO)){
14189 col_clear(pinfo->cinfo, COL_INFO);
14192 /* start off using the local variable, we will allocate a new one if we
14194 si.cmd = tvb_get_guint8(tvb, offset+4);
14195 flags = tvb_get_guint8(tvb, offset+9);
14196 si.request = !(flags&SMB_FLAGS_DIRN);
14197 flags2 = tvb_get_letohs(tvb, offset+10);
14198 if(flags2 & 0x8000){
14199 si.unicode = TRUE; /* Mark them as Unicode */
14201 si.unicode = FALSE;
14203 si.tid = tvb_get_letohs(tvb, offset+24);
14204 si.pid = tvb_get_letohs(tvb, offset+26);
14205 si.uid = tvb_get_letohs(tvb, offset+28);
14206 si.mid = tvb_get_letohs(tvb, offset+30);
14207 pid_mid = (si.pid << 16) | si.mid;
14208 si.info_level = -1;
14209 si.info_count = -1;
14212 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
14214 tree = proto_item_add_subtree(item, ett_smb);
14216 hitem = proto_tree_add_text(tree, tvb, offset, 32,
14219 htree = proto_item_add_subtree(hitem, ett_smb_hdr);
14222 proto_tree_add_text(htree, tvb, offset, 4, "Server Component: SMB");
14223 offset += 4; /* Skip the marker */
14225 /* find which conversation we are part of and get the tables for that
14227 conversation = find_conversation(&pinfo->src, &pinfo->dst,
14228 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14230 si.ct=conversation_get_proto_data(conversation, proto_smb);
14232 /* OK this is a new conversation, we must create it
14233 and attach appropriate data (matched and unmatched
14234 table for this conversation)
14236 conversation = conversation_new(&pinfo->src, &pinfo->dst,
14237 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
14238 si.ct = g_mem_chunk_alloc(conv_tables_chunk);
14239 conv_tables = g_slist_prepend(conv_tables, si.ct);
14240 si.ct->matched= g_hash_table_new(smb_saved_info_hash_matched,
14241 smb_saved_info_equal_matched);
14242 si.ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
14243 smb_saved_info_equal_unmatched);
14244 si.ct->dcerpc_fid_to_frame=g_hash_table_new(
14245 smb_saved_info_hash_unmatched,
14246 smb_saved_info_equal_unmatched);
14247 si.ct->tid_service=g_hash_table_new(
14248 smb_saved_info_hash_unmatched,
14249 smb_saved_info_equal_unmatched);
14250 conversation_add_proto_data(conversation, proto_smb, si.ct);
14258 /* this is a broadcast SMB packet, there will not be a reply.
14259 We dont need to do anything
14262 } else if( (si.cmd==SMB_COM_NT_CANCEL) /* NT Cancel */
14263 ||(si.cmd==SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
14264 ||(si.cmd==SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
14265 ||(si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)){ /* NT Transaction Secondary */
14266 /* Ok, we got a special request type. This request is either
14267 an NT Cancel or a continuation relative to a real request
14268 in an earlier packet. In either case, we don't expect any
14269 responses to this packet. For continuations, any later
14270 responses we see really just belong to the original request.
14271 Anyway, we want to remember this packet somehow and
14272 remember which original request it is associated with so
14273 we can say nice things such as "This is a Cancellation to
14274 the request in frame x", but we don't want the
14275 request/response matching to get messed up.
14277 The only thing we do in this case is trying to find which original
14278 request we match with and insert an entry for this "special"
14279 request for later reference. We continue to reference the original
14280 requests smb_saved_info_t but we dont touch it or change anything
14284 si.unidir = TRUE; /*we dont expect an answer to this one*/
14286 if(!pinfo->fd->flags.visited){
14287 /* try to find which original call we match and if we
14288 find it add us to the matched table. Dont touch
14289 anything else since we dont want this one to mess
14290 up the request/response matching. We still consider
14291 the initial call the real request and this is only
14292 some sort of continuation.
14294 /* we only check the unmatched table and assume that the
14295 last seen MID matching ours is the right one.
14296 This can fail but is better than nothing
14298 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
14300 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14301 new_key->frame = pinfo->fd->num;
14302 new_key->pid_mid = pid_mid;
14303 g_hash_table_insert(si.ct->matched, new_key,
14307 /* we have seen this packet before; check the
14310 key.frame = pinfo->fd->num;
14311 key.pid_mid = pid_mid;
14312 sip=g_hash_table_lookup(si.ct->matched, &key);
14316 Too bad, unfortunately there is not really much we can
14317 do now since this means that we never saw the initial
14324 if(sip && sip->frame_req){
14326 case SMB_COM_NT_CANCEL:
14327 proto_tree_add_uint(htree, hf_smb_cancel_to,
14328 tvb, 0, 0, sip->frame_req);
14330 case SMB_COM_TRANSACTION_SECONDARY:
14331 case SMB_COM_TRANSACTION2_SECONDARY:
14332 case SMB_COM_NT_TRANSACT_SECONDARY:
14333 proto_tree_add_uint(htree, hf_smb_continuation_to,
14334 tvb, 0, 0, sip->frame_req);
14339 case SMB_COM_NT_CANCEL:
14340 proto_tree_add_text(htree, tvb, 0, 0,
14341 "Cancellation to: <unknown frame>");
14343 case SMB_COM_TRANSACTION_SECONDARY:
14344 case SMB_COM_TRANSACTION2_SECONDARY:
14345 case SMB_COM_NT_TRANSACT_SECONDARY:
14346 proto_tree_add_text(htree, tvb, 0, 0,
14347 "Continuation to: <unknown frame>");
14351 } else { /* normal bidirectional request or response */
14354 if(!pinfo->fd->flags.visited){
14355 /* first see if we find an unmatched smb "equal" to
14358 sip=g_hash_table_lookup(si.ct->unmatched, (void *)pid_mid);
14360 gboolean cmd_match=FALSE;
14363 * Make sure the SMB we found was the
14364 * same command, or a different command
14365 * that's another valid type of reply
14368 if(si.cmd==sip->cmd){
14371 else if(si.cmd==SMB_COM_NT_CANCEL){
14374 else if((si.cmd==SMB_COM_TRANSACTION_SECONDARY)
14375 && (sip->cmd==SMB_COM_TRANSACTION)){
14378 else if((si.cmd==SMB_COM_TRANSACTION2_SECONDARY)
14379 && (sip->cmd==SMB_COM_TRANSACTION2)){
14382 else if((si.cmd==SMB_COM_NT_TRANSACT_SECONDARY)
14383 && (sip->cmd==SMB_COM_NT_TRANSACT)){
14387 if( (si.request) || (!cmd_match) ) {
14388 /* If we are processing an SMB request but there was already
14389 another "identical" smb resuest we had not matched yet.
14390 This must mean that either we have a retransmission or that the
14391 response to the previous one was lost and the client has reused
14392 the MID for this conversation. In either case it's not much more
14393 we can do than forget the old request and concentrate on the
14394 present one instead.
14396 We also do this cleanup if we see that the cmd in the original
14397 request in sip->cmd is not compatible with the current cmd.
14398 This is to prevent matching errors such as if there were two
14399 SMBs of different cmds but with identical MID and PID values and
14400 if ethereal lost the first reply and the second request.
14402 g_hash_table_remove(si.ct->unmatched, (void *)pid_mid);
14403 sip=NULL; /* XXX should free it as well */
14405 /* we have found a response to some request we have seen earlier.
14406 What we do now depends on whether this is the first response
14407 to that request we see (id frame_res==0) or not.
14409 if(sip->frame_res==0){
14410 /* ok it is the first response we have seen to this packet */
14411 sip->frame_res = pinfo->fd->num;
14412 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14413 new_key->frame = sip->frame_req;
14414 new_key->pid_mid = pid_mid;
14415 g_hash_table_insert(si.ct->matched, new_key, sip);
14416 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14417 new_key->frame = sip->frame_res;
14418 new_key->pid_mid = pid_mid;
14419 g_hash_table_insert(si.ct->matched, new_key, sip);
14421 /* we have already seen another response to this one, but
14422 register it anyway so we see which request it matches
14424 new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
14425 new_key->frame = pinfo->fd->num;
14426 new_key->pid_mid = pid_mid;
14427 g_hash_table_insert(si.ct->matched, new_key, sip);
14432 sip = g_mem_chunk_alloc(smb_saved_info_chunk);
14433 sip->frame_req = pinfo->fd->num;
14434 sip->frame_res = 0;
14436 if(g_hash_table_lookup(si.ct->tid_service, (void *)si.tid)
14437 == (void *)TID_IPC) {
14438 sip->flags |= SMB_SIF_TID_IS_IPC;
14441 sip->extra_info = NULL;
14442 g_hash_table_insert(si.ct->unmatched, (void *)pid_mid, sip);
14445 /* we have seen this packet before; check the
14447 If we haven't yet seen the reply, we won't
14448 find the info for it; we don't need it, as
14449 we only use it to save information, and, as
14450 we've seen this packet before, we've already
14451 saved the information.
14453 key.frame = pinfo->fd->num;
14454 key.pid_mid = pid_mid;
14455 sip=g_hash_table_lookup(si.ct->matched, &key);
14460 * Pass the "sip" on to subdissectors through "si".
14466 * Put in fields for the frame number of the frame to which
14467 * this is a response or the frame with the response to this
14468 * frame - if we know the frame number (i.e., it's not 0).
14471 if (sip->frame_res != 0)
14472 proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
14474 if (sip->frame_req != 0)
14475 proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
14480 proto_tree_add_uint_format(htree, hf_smb_cmd, tvb, offset, 1, si.cmd, "SMB Command: %s (0x%02x)", decode_smb_name(si.cmd), si.cmd);
14483 if(flags2 & 0x4000){
14484 /* handle NT 32 bit error code */
14486 nt_status = tvb_get_letohl(tvb, offset);
14488 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
14493 /* handle DOS error code & class */
14494 errclass = tvb_get_guint8(tvb, offset);
14495 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
14499 /* reserved byte */
14500 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, TRUE);
14504 /* XXX - the type of this field depends on the value of
14505 * "errcls", so there is isn't a single value_string array
14506 * fo it, so there can't be a single field for it.
14508 errcode = tvb_get_letohs(tvb, offset);
14509 proto_tree_add_uint_format(htree, hf_smb_error_code, tvb,
14510 offset, 2, errcode, "Error Code: %s",
14511 decode_smb_error(errclass, errcode));
14516 offset = dissect_smb_flags(tvb, pinfo, htree, offset);
14519 offset = dissect_smb_flags2(tvb, pinfo, htree, offset);
14524 * http://www.samba.org/samba/ftp/specs/smbpub.txt
14526 * (a text version of "Microsoft Networks SMB FILE SHARING
14527 * PROTOCOL, Document Version 6.0p") says that:
14529 * the first 2 bytes of these 12 bytes are, for NT Create and X,
14530 * the "High Part of PID";
14532 * the next four bytes are reserved;
14534 * the next four bytes are, for SMB-over-IPX (with no
14535 * NetBIOS involved) two bytes of Session ID and two bytes
14536 * of SequenceNumber.
14538 * If we ever implement SMB-over-IPX (which I suspect goes over
14539 * IPX sockets 0x0550, 0x0552, and maybe 0x0554, as per the
14540 * document in question), we'd probably want to have some way
14541 * to determine whether this is SMB-over-IPX or not (which could
14542 * be done by adding a PT_IPXSOCKET port type, having the
14543 * IPX dissector set "pinfo->srcport" and "pinfo->destport",
14544 * and having the SMB dissector check for a port type of
14545 * PT_IPXSOCKET and for "pinfo->match_port" being either
14546 * IPX_SOCKET_NWLINK_SMB_SERVER or IPX_SOCKET_NWLINK_SMB_REDIR
14547 * or, if it also uses 0x0554, IPX_SOCKET_NWLINK_SMB_MESSENGER).
14550 /* 12 reserved bytes */
14551 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 12, TRUE);
14555 proto_tree_add_uint(htree, hf_smb_tid, tvb, offset, 2, si.tid);
14559 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si.pid);
14563 proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si.uid);
14567 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si.mid);
14570 pinfo->private_data = &si;
14571 dissect_smb_command(tvb, pinfo, parent_tree, offset, tree, si.cmd);
14573 /* Append error info from this packet to info string. */
14574 if (!si.request && check_col(pinfo->cinfo, COL_INFO)) {
14575 if (flags2 & 0x4000) {
14577 * The status is an NT status code; was there
14580 if (nt_status != 0) {
14585 pinfo->cinfo, COL_INFO, ", Error: %s",
14586 val_to_str(nt_status, NT_errors,
14587 "Unknown (0x%08X)"));
14591 * The status is a DOS error class and code; was
14594 if (errclass != SMB_SUCCESS) {
14599 pinfo->cinfo, COL_INFO, ", Error: %s",
14600 decode_smb_error(errclass, errcode));
14609 proto_register_smb(void)
14611 static hf_register_info hf[] = {
14613 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX,
14614 VALS(smb_cmd_vals), 0x0, "SMB Command", HFILL }},
14616 { &hf_smb_word_count,
14617 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
14618 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
14620 { &hf_smb_byte_count,
14621 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
14622 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
14624 { &hf_smb_response_to,
14625 { "Response to", "smb.response_to", FT_UINT32, BASE_DEC,
14626 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
14628 { &hf_smb_response_in,
14629 { "Response in", "smb.response_in", FT_UINT32, BASE_DEC,
14630 NULL, 0, "The response to this packet is in this packet", HFILL }},
14632 { &hf_smb_continuation_to,
14633 { "Continuation to", "smb.continuation_to", FT_UINT32, BASE_DEC,
14634 NULL, 0, "This packet is a continuation to the packet in this frame", HFILL }},
14636 { &hf_smb_nt_status,
14637 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX,
14638 VALS(NT_errors), 0, "NT Status code", HFILL }},
14640 { &hf_smb_error_class,
14641 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
14642 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
14644 { &hf_smb_error_code,
14645 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
14646 NULL, 0, "DOS Error Code", HFILL }},
14648 { &hf_smb_reserved,
14649 { "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
14650 NULL, 0, "Reserved bytes, must be zero", HFILL }},
14653 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
14654 NULL, 0, "Process ID", HFILL }},
14657 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
14658 NULL, 0, "Tree ID", HFILL }},
14661 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
14662 NULL, 0, "User ID", HFILL }},
14665 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
14666 NULL, 0, "Multiplex ID", HFILL }},
14668 { &hf_smb_flags_lock,
14669 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
14670 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
14672 { &hf_smb_flags_receive_buffer,
14673 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
14674 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
14676 { &hf_smb_flags_caseless,
14677 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
14678 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
14680 { &hf_smb_flags_canon,
14681 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
14682 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
14684 { &hf_smb_flags_oplock,
14685 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
14686 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
14688 { &hf_smb_flags_notify,
14689 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
14690 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
14692 { &hf_smb_flags_response,
14693 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
14694 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
14696 { &hf_smb_flags2_long_names_allowed,
14697 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
14698 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
14700 { &hf_smb_flags2_ea,
14701 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
14702 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
14704 { &hf_smb_flags2_sec_sig,
14705 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
14706 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
14708 { &hf_smb_flags2_long_names_used,
14709 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
14710 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
14712 { &hf_smb_flags2_esn,
14713 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
14714 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
14716 { &hf_smb_flags2_dfs,
14717 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
14718 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
14720 { &hf_smb_flags2_roe,
14721 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
14722 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
14724 { &hf_smb_flags2_nt_error,
14725 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
14726 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
14728 { &hf_smb_flags2_string,
14729 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
14730 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
14732 { &hf_smb_buffer_format,
14733 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
14734 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
14736 { &hf_smb_dialect_name,
14737 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
14738 NULL, 0, "Name of dialect", HFILL }},
14740 { &hf_smb_dialect_index,
14741 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
14742 NULL, 0, "Index of selected dialect", HFILL }},
14744 { &hf_smb_max_trans_buf_size,
14745 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
14746 NULL, 0, "Maximum transmit buffer size", HFILL }},
14748 { &hf_smb_max_mpx_count,
14749 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
14750 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
14752 { &hf_smb_max_vcs_num,
14753 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
14754 NULL, 0, "Maximum VCs between client and server", HFILL }},
14756 { &hf_smb_session_key,
14757 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
14758 NULL, 0, "Unique token identifying this session", HFILL }},
14760 { &hf_smb_server_timezone,
14761 { "Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
14762 NULL, 0, "Current timezone at server.", HFILL }},
14764 { &hf_smb_encryption_key_length,
14765 { "Key Length", "smb.encryption_key_length", FT_UINT16, BASE_DEC,
14766 NULL, 0, "Encryption key length (must be 0 if not LM2.1 dialect)", HFILL }},
14768 { &hf_smb_encryption_key,
14769 { "Encryption Key", "smb.encryption_key", FT_BYTES, BASE_HEX,
14770 NULL, 0, "Challenge/Response Encryption Key (for LM2.1 dialect)", HFILL }},
14772 { &hf_smb_primary_domain,
14773 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
14774 NULL, 0, "The server's primary domain", HFILL }},
14776 { &hf_smb_max_raw_buf_size,
14777 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
14778 NULL, 0, "Maximum raw buffer size", HFILL }},
14780 { &hf_smb_server_guid,
14781 { "Server GUID", "smb.server_guid", FT_BYTES, BASE_HEX,
14782 NULL, 0, "Globally unique identifier for this server", HFILL }},
14784 { &hf_smb_security_blob_len,
14785 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
14786 NULL, 0, "Security blob length", HFILL }},
14788 { &hf_smb_security_blob,
14789 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_HEX,
14790 NULL, 0, "Security blob", HFILL }},
14792 { &hf_smb_sm_mode16,
14793 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
14794 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
14796 { &hf_smb_sm_password16,
14797 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
14798 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
14801 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
14802 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
14804 { &hf_smb_sm_password,
14805 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
14806 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
14808 { &hf_smb_sm_signatures,
14809 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
14810 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
14812 { &hf_smb_sm_sig_required,
14813 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
14814 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
14817 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
14818 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
14820 { &hf_smb_rm_write,
14821 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
14822 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
14824 { &hf_smb_server_date_time,
14825 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, BASE_NONE,
14826 NULL, 0, "Current date and time at server", HFILL }},
14828 { &hf_smb_server_smb_date,
14829 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
14830 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
14832 { &hf_smb_server_smb_time,
14833 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
14834 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
14836 { &hf_smb_server_cap_raw_mode,
14837 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
14838 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
14840 { &hf_smb_server_cap_mpx_mode,
14841 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
14842 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
14844 { &hf_smb_server_cap_unicode,
14845 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
14846 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
14848 { &hf_smb_server_cap_large_files,
14849 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
14850 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
14852 { &hf_smb_server_cap_nt_smbs,
14853 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
14854 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
14856 { &hf_smb_server_cap_rpc_remote_apis,
14857 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
14858 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
14860 { &hf_smb_server_cap_nt_status,
14861 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
14862 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
14864 { &hf_smb_server_cap_level_ii_oplocks,
14865 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
14866 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
14868 { &hf_smb_server_cap_lock_and_read,
14869 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
14870 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
14872 { &hf_smb_server_cap_nt_find,
14873 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
14874 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
14876 { &hf_smb_server_cap_dfs,
14877 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
14878 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
14880 { &hf_smb_server_cap_infolevel_passthru,
14881 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
14882 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
14884 { &hf_smb_server_cap_large_readx,
14885 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
14886 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
14888 { &hf_smb_server_cap_large_writex,
14889 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
14890 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
14892 { &hf_smb_server_cap_unix,
14893 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
14894 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
14896 { &hf_smb_server_cap_reserved,
14897 { "Reserved", "smb.server_cap.reserved", FT_BOOLEAN, 32,
14898 TFS(&tfs_server_cap_reserved), SERVER_CAP_RESERVED, "RESERVED", HFILL }},
14900 { &hf_smb_server_cap_bulk_transfer,
14901 { "Bulk Transfer", "smb.server_cap.bulk_transfer", FT_BOOLEAN, 32,
14902 TFS(&tfs_server_cap_bulk_transfer), SERVER_CAP_BULK_TRANSFER, "Are Bulk Read and Bulk Write supported?", HFILL }},
14904 { &hf_smb_server_cap_compressed_data,
14905 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
14906 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
14908 { &hf_smb_server_cap_extended_security,
14909 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
14910 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
14912 { &hf_smb_system_time,
14913 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, BASE_NONE,
14914 NULL, 0, "System Time", HFILL }},
14917 { "Unknown Data", "smb.unknown", FT_BYTES, BASE_HEX,
14918 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
14920 { &hf_smb_dir_name,
14921 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
14922 NULL, 0, "SMB Directory Name", HFILL }},
14924 { &hf_smb_echo_count,
14925 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
14926 NULL, 0, "Number of times to echo data back", HFILL }},
14928 { &hf_smb_echo_data,
14929 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_HEX,
14930 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
14932 { &hf_smb_echo_seq_num,
14933 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
14934 NULL, 0, "Sequence number for this echo response", HFILL }},
14936 { &hf_smb_max_buf_size,
14937 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
14938 NULL, 0, "Max client buffer size", HFILL }},
14941 { "Path", "smb.path", FT_STRING, BASE_NONE,
14942 NULL, 0, "Path. Server name and share name", HFILL }},
14945 { "Service", "smb.service", FT_STRING, BASE_NONE,
14946 NULL, 0, "Service name", HFILL }},
14948 { &hf_smb_password,
14949 { "Password", "smb.password", FT_BYTES, BASE_NONE,
14950 NULL, 0, "Password", HFILL }},
14952 { &hf_smb_ansi_password,
14953 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
14954 NULL, 0, "ANSI Password", HFILL }},
14956 { &hf_smb_unicode_password,
14957 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
14958 NULL, 0, "Unicode Password", HFILL }},
14960 { &hf_smb_move_flags_file,
14961 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
14962 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
14964 { &hf_smb_move_flags_dir,
14965 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
14966 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
14968 { &hf_smb_move_flags_verify,
14969 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
14970 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
14972 { &hf_smb_move_files_moved,
14973 { "Files Moved", "smb.move.files_moved", FT_UINT16, BASE_DEC,
14974 NULL, 0, "Number of files moved", HFILL }},
14977 { "Count", "smb.count", FT_UINT32, BASE_DEC,
14978 NULL, 0, "Count number of items/bytes", HFILL }},
14980 { &hf_smb_file_name,
14981 { "File Name", "smb.file", FT_STRING, BASE_NONE,
14982 NULL, 0, "File Name", HFILL }},
14984 { &hf_smb_open_function_create,
14985 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
14986 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
14988 { &hf_smb_open_function_open,
14989 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
14990 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
14993 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
14994 NULL, 0, "FID: File ID", HFILL }},
14996 { &hf_smb_file_attr_read_only_16bit,
14997 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
14998 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15000 { &hf_smb_file_attr_read_only_8bit,
15001 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
15002 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15004 { &hf_smb_file_attr_hidden_16bit,
15005 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
15006 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15008 { &hf_smb_file_attr_hidden_8bit,
15009 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
15010 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15012 { &hf_smb_file_attr_system_16bit,
15013 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
15014 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15016 { &hf_smb_file_attr_system_8bit,
15017 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
15018 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15020 { &hf_smb_file_attr_volume_16bit,
15021 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
15022 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
15024 { &hf_smb_file_attr_volume_8bit,
15025 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
15026 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
15028 { &hf_smb_file_attr_directory_16bit,
15029 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
15030 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15032 { &hf_smb_file_attr_directory_8bit,
15033 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
15034 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15036 { &hf_smb_file_attr_archive_16bit,
15037 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
15038 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15040 { &hf_smb_file_attr_archive_8bit,
15041 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
15042 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15044 { &hf_smb_file_attr_device,
15045 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
15046 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
15048 { &hf_smb_file_attr_normal,
15049 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
15050 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
15052 { &hf_smb_file_attr_temporary,
15053 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
15054 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
15056 { &hf_smb_file_attr_sparse,
15057 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
15058 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
15060 { &hf_smb_file_attr_reparse,
15061 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
15062 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
15064 { &hf_smb_file_attr_compressed,
15065 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
15066 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
15068 { &hf_smb_file_attr_offline,
15069 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
15070 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
15072 { &hf_smb_file_attr_not_content_indexed,
15073 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
15074 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
15076 { &hf_smb_file_attr_encrypted,
15077 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
15078 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
15080 { &hf_smb_file_size,
15081 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
15082 NULL, 0, "File Size", HFILL }},
15084 { &hf_smb_search_attribute_read_only,
15085 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
15086 TFS(&tfs_search_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
15088 { &hf_smb_search_attribute_hidden,
15089 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
15090 TFS(&tfs_search_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
15092 { &hf_smb_search_attribute_system,
15093 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
15094 TFS(&tfs_search_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
15096 { &hf_smb_search_attribute_volume,
15097 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
15098 TFS(&tfs_search_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
15100 { &hf_smb_search_attribute_directory,
15101 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
15102 TFS(&tfs_search_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
15104 { &hf_smb_search_attribute_archive,
15105 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
15106 TFS(&tfs_search_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
15108 { &hf_smb_access_mode,
15109 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
15110 VALS(da_access_vals), 0x0007, "Access Mode", HFILL }},
15112 { &hf_smb_access_sharing,
15113 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
15114 VALS(da_sharing_vals), 0x0070, "Sharing Mode", HFILL }},
15116 { &hf_smb_access_locality,
15117 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
15118 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
15120 { &hf_smb_access_caching,
15121 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
15122 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
15124 { &hf_smb_access_writetru,
15125 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
15126 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
15128 { &hf_smb_create_time,
15129 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, BASE_NONE,
15130 NULL, 0, "Creation Time", HFILL }},
15132 { &hf_smb_create_dos_date,
15133 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
15134 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
15136 { &hf_smb_create_dos_time,
15137 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
15138 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
15140 { &hf_smb_last_write_time,
15141 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, BASE_NONE,
15142 NULL, 0, "Time this file was last written to", HFILL }},
15144 { &hf_smb_last_write_dos_date,
15145 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
15146 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
15148 { &hf_smb_last_write_dos_time,
15149 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
15150 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
15152 { &hf_smb_old_file_name,
15153 { "Old File Name", "smb.file", FT_STRING, BASE_NONE,
15154 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
15157 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
15158 NULL, 0, "Offset in file", HFILL }},
15160 { &hf_smb_remaining,
15161 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
15162 NULL, 0, "Remaining number of bytes", HFILL }},
15165 { "Padding", "smb.padding", FT_BYTES, BASE_HEX,
15166 NULL, 0, "Padding or unknown data", HFILL }},
15168 { &hf_smb_file_data,
15169 { "File Data", "smb.file_data", FT_BYTES, BASE_HEX,
15170 NULL, 0, "Data read/written to the file", HFILL }},
15172 { &hf_smb_total_data_len,
15173 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
15174 NULL, 0, "Total length of data", HFILL }},
15176 { &hf_smb_data_len,
15177 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
15178 NULL, 0, "Length of data", HFILL }},
15180 { &hf_smb_seek_mode,
15181 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
15182 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
15184 { &hf_smb_access_time,
15185 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, BASE_NONE,
15186 NULL, 0, "Last Access Time", HFILL }},
15188 { &hf_smb_access_dos_date,
15189 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
15190 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
15192 { &hf_smb_access_dos_time,
15193 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
15194 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
15196 { &hf_smb_data_size,
15197 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
15198 NULL, 0, "Data Size", HFILL }},
15200 { &hf_smb_alloc_size,
15201 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
15202 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
15204 { &hf_smb_max_count,
15205 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
15206 NULL, 0, "Maximum Count", HFILL }},
15208 { &hf_smb_min_count,
15209 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
15210 NULL, 0, "Minimum Count", HFILL }},
15213 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
15214 NULL, 0, "Timeout in miliseconds", HFILL }},
15216 { &hf_smb_high_offset,
15217 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
15218 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
15221 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
15222 NULL, 0, "Total number of units at server", HFILL }},
15225 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
15226 NULL, 0, "Blocks per unit at server", HFILL }},
15228 { &hf_smb_blocksize,
15229 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
15230 NULL, 0, "Block size (in bytes) at server", HFILL }},
15232 { &hf_smb_freeunits,
15233 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
15234 NULL, 0, "Number of free units at server", HFILL }},
15236 { &hf_smb_data_offset,
15237 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
15238 NULL, 0, "Data Offset", HFILL }},
15241 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
15242 NULL, 0, "Data Compaction Mode", HFILL }},
15244 { &hf_smb_request_mask,
15245 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
15246 NULL, 0, "Connectionless mode mask", HFILL }},
15248 { &hf_smb_response_mask,
15249 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
15250 NULL, 0, "Connectionless mode mask", HFILL }},
15253 { "SID", "smb.sid", FT_UINT16, BASE_HEX,
15254 NULL, 0, "SID: Search ID, handle for find operations", HFILL }},
15256 { &hf_smb_write_mode_write_through,
15257 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
15258 TFS(&tfs_write_mode_write_through), 0x0001, "Write through mode requested?", HFILL }},
15260 { &hf_smb_write_mode_return_remaining,
15261 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
15262 TFS(&tfs_write_mode_return_remaining), 0x0002, "Return remaining data responses?", HFILL }},
15264 { &hf_smb_write_mode_raw,
15265 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
15266 TFS(&tfs_write_mode_raw), 0x0004, "Use WriteRawNamedPipe?", HFILL }},
15268 { &hf_smb_write_mode_message_start,
15269 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
15270 TFS(&tfs_write_mode_message_start), 0x0008, "Is this the start of a message?", HFILL }},
15272 { &hf_smb_write_mode_connectionless,
15273 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
15274 TFS(&tfs_write_mode_connectionless), 0x0080, "Connectionless mode requested?", HFILL }},
15276 { &hf_smb_resume_key_len,
15277 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
15278 NULL, 0, "Resume Key length", HFILL }},
15280 { &hf_smb_resume_server_cookie,
15281 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_HEX,
15282 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
15284 { &hf_smb_resume_client_cookie,
15285 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_HEX,
15286 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
15288 { &hf_smb_andxoffset,
15289 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
15290 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
15292 { &hf_smb_lock_type_large,
15293 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
15294 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
15296 { &hf_smb_lock_type_cancel,
15297 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
15298 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
15300 { &hf_smb_lock_type_change,
15301 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
15302 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
15304 { &hf_smb_lock_type_oplock,
15305 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
15306 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
15308 { &hf_smb_lock_type_shared,
15309 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
15310 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
15312 { &hf_smb_locking_ol,
15313 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
15314 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
15316 { &hf_smb_number_of_locks,
15317 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
15318 NULL, 0, "Number of lock requests in this request", HFILL }},
15320 { &hf_smb_number_of_unlocks,
15321 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
15322 NULL, 0, "Number of unlock requests in this request", HFILL }},
15324 { &hf_smb_lock_long_length,
15325 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
15326 NULL, 0, "Length of lock/unlock region", HFILL }},
15328 { &hf_smb_lock_long_offset,
15329 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
15330 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
15332 { &hf_smb_file_type,
15333 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
15334 VALS(filetype_vals), 0, "Type of file", HFILL }},
15336 { &hf_smb_ipc_state_nonblocking,
15337 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
15338 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
15340 { &hf_smb_ipc_state_endpoint,
15341 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
15342 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
15344 { &hf_smb_ipc_state_pipe_type,
15345 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
15346 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
15348 { &hf_smb_ipc_state_read_mode,
15349 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
15350 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
15352 { &hf_smb_ipc_state_icount,
15353 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
15354 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
15356 { &hf_smb_server_fid,
15357 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
15358 NULL, 0, "Server unique File ID", HFILL }},
15360 { &hf_smb_open_flags_add_info,
15361 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
15362 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
15364 { &hf_smb_open_flags_ex_oplock,
15365 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
15366 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
15368 { &hf_smb_open_flags_batch_oplock,
15369 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
15370 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
15372 { &hf_smb_open_flags_ealen,
15373 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
15374 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
15376 { &hf_smb_open_action_open,
15377 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
15378 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
15380 { &hf_smb_open_action_lock,
15381 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
15382 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
15385 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
15386 NULL, 0, "VC Number", HFILL }},
15388 { &hf_smb_password_len,
15389 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
15390 NULL, 0, "Length of password", HFILL }},
15392 { &hf_smb_ansi_password_len,
15393 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
15394 NULL, 0, "Length of ANSI password", HFILL }},
15396 { &hf_smb_unicode_password_len,
15397 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
15398 NULL, 0, "Length of Unicode password", HFILL }},
15401 { "Account", "smb.account", FT_STRING, BASE_NONE,
15402 NULL, 0, "Account, username", HFILL }},
15405 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
15406 NULL, 0, "Which OS we are running", HFILL }},
15409 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
15410 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
15412 { &hf_smb_setup_action_guest,
15413 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
15414 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
15417 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
15418 NULL, 0, "Native File System", HFILL }},
15420 { &hf_smb_connect_flags_dtid,
15421 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
15422 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
15424 { &hf_smb_connect_support_search,
15425 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
15426 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
15428 { &hf_smb_connect_support_in_dfs,
15429 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
15430 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
15432 { &hf_smb_max_setup_count,
15433 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
15434 NULL, 0, "Maximum number of setup words to return", HFILL }},
15436 { &hf_smb_total_param_count,
15437 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
15438 NULL, 0, "Total number of parameter bytes", HFILL }},
15440 { &hf_smb_total_data_count,
15441 { "Total Data Count", "smb.tdc", FT_UINT32, BASE_DEC,
15442 NULL, 0, "Total number of data bytes", HFILL }},
15444 { &hf_smb_max_param_count,
15445 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
15446 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
15448 { &hf_smb_max_data_count,
15449 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
15450 NULL, 0, "Maximum number of data bytes to return", HFILL }},
15452 { &hf_smb_param_disp16,
15453 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
15454 NULL, 0, "Displacement of these parameter bytes", HFILL }},
15456 { &hf_smb_param_count16,
15457 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
15458 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
15460 { &hf_smb_param_offset16,
15461 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
15462 NULL, 0, "Offset (from header start) to parameters", HFILL }},
15464 { &hf_smb_param_disp32,
15465 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
15466 NULL, 0, "Displacement of these parameter bytes", HFILL }},
15468 { &hf_smb_param_count32,
15469 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
15470 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
15472 { &hf_smb_param_offset32,
15473 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
15474 NULL, 0, "Offset (from header start) to parameters", HFILL }},
15476 { &hf_smb_data_count16,
15477 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
15478 NULL, 0, "Number of data bytes in this buffer", HFILL }},
15480 { &hf_smb_data_disp16,
15481 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
15482 NULL, 0, "Data Displacement", HFILL }},
15484 { &hf_smb_data_offset16,
15485 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
15486 NULL, 0, "Data Offset", HFILL }},
15488 { &hf_smb_data_count32,
15489 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
15490 NULL, 0, "Number of data bytes in this buffer", HFILL }},
15492 { &hf_smb_data_disp32,
15493 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
15494 NULL, 0, "Data Displacement", HFILL }},
15496 { &hf_smb_data_offset32,
15497 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
15498 NULL, 0, "Data Offset", HFILL }},
15500 { &hf_smb_setup_count,
15501 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
15502 NULL, 0, "Number of setup words in this buffer", HFILL }},
15504 { &hf_smb_nt_trans_subcmd,
15505 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC,
15506 VALS(nt_cmd_vals), 0, "Function for NT Transaction", HFILL }},
15508 { &hf_smb_nt_ioctl_function_code,
15509 { "Function", "smb.nt.ioctl.function", FT_UINT32, BASE_HEX,
15510 NULL, 0, "NT IOCTL function code", HFILL }},
15512 { &hf_smb_nt_ioctl_isfsctl,
15513 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
15514 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (FALSE) or FS Control (TRUE)", HFILL }},
15516 { &hf_smb_nt_ioctl_flags_root_handle,
15517 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
15518 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
15520 { &hf_smb_nt_ioctl_data,
15521 { "IOCTL Data", "smb.nt.ioctl.data", FT_BYTES, BASE_HEX,
15522 NULL, 0, "Data for the IOCTL call", HFILL }},
15524 { &hf_smb_nt_notify_action,
15525 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
15526 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
15528 { &hf_smb_nt_notify_watch_tree,
15529 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
15530 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
15532 { &hf_smb_nt_notify_stream_write,
15533 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
15534 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
15536 { &hf_smb_nt_notify_stream_size,
15537 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
15538 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
15540 { &hf_smb_nt_notify_stream_name,
15541 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
15542 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
15544 { &hf_smb_nt_notify_security,
15545 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
15546 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
15548 { &hf_smb_nt_notify_ea,
15549 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
15550 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
15552 { &hf_smb_nt_notify_creation,
15553 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
15554 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
15556 { &hf_smb_nt_notify_last_access,
15557 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
15558 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
15560 { &hf_smb_nt_notify_last_write,
15561 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
15562 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
15564 { &hf_smb_nt_notify_size,
15565 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
15566 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
15568 { &hf_smb_nt_notify_attributes,
15569 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
15570 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
15572 { &hf_smb_nt_notify_dir_name,
15573 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
15574 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
15576 { &hf_smb_nt_notify_file_name,
15577 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
15578 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
15580 { &hf_smb_root_dir_fid,
15581 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
15582 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
15584 { &hf_smb_alloc_size64,
15585 { "Allocation Size", "smb.alloc_size", FT_UINT64, BASE_DEC,
15586 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
15588 { &hf_smb_nt_create_disposition,
15589 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
15590 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
15592 { &hf_smb_sd_length,
15593 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
15594 NULL, 0, "Total length of security descriptor", HFILL }},
15596 { &hf_smb_ea_length,
15597 { "EA Length", "smb.ea.length", FT_UINT32, BASE_DEC,
15598 NULL, 0, "Total EA length for opened file", HFILL }},
15600 { &hf_smb_file_name_len,
15601 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
15602 NULL, 0, "Length of File Name", HFILL }},
15604 { &hf_smb_nt_impersonation_level,
15605 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
15606 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
15608 { &hf_smb_nt_security_flags_context_tracking,
15609 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
15610 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
15612 { &hf_smb_nt_security_flags_effective_only,
15613 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
15614 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
15616 { &hf_smb_nt_access_mask_generic_read,
15617 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
15618 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
15620 { &hf_smb_nt_access_mask_generic_write,
15621 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
15622 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
15624 { &hf_smb_nt_access_mask_generic_execute,
15625 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
15626 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
15628 { &hf_smb_nt_access_mask_generic_all,
15629 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
15630 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
15632 { &hf_smb_nt_access_mask_maximum_allowed,
15633 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
15634 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
15636 { &hf_smb_nt_access_mask_system_security,
15637 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
15638 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
15640 { &hf_smb_nt_access_mask_synchronize,
15641 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
15642 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
15644 { &hf_smb_nt_access_mask_write_owner,
15645 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
15646 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
15648 { &hf_smb_nt_access_mask_write_dac,
15649 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
15650 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
15652 { &hf_smb_nt_access_mask_read_control,
15653 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
15654 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
15656 { &hf_smb_nt_access_mask_delete,
15657 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
15658 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
15660 { &hf_smb_nt_access_mask_write_attributes,
15661 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
15662 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
15664 { &hf_smb_nt_access_mask_read_attributes,
15665 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
15666 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
15668 { &hf_smb_nt_access_mask_delete_child,
15669 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
15670 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
15673 * "Execute" for files, "traverse" for directories.
15675 { &hf_smb_nt_access_mask_execute,
15676 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
15677 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
15679 { &hf_smb_nt_access_mask_write_ea,
15680 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
15681 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
15683 { &hf_smb_nt_access_mask_read_ea,
15684 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
15685 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
15688 * "Append data" for files, "add subdirectory" for directories,
15689 * "create pipe instance" for named pipes.
15691 { &hf_smb_nt_access_mask_append,
15692 { "Append", "smb.access.append", FT_BOOLEAN, 32,
15693 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
15696 * "Write data" for files and pipes, "add file" for directory.
15698 { &hf_smb_nt_access_mask_write,
15699 { "Write", "smb.access.write", FT_BOOLEAN, 32,
15700 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
15703 * "Read data" for files and pipes, "list directory" for directory.
15705 { &hf_smb_nt_access_mask_read,
15706 { "Read", "smb.access.read", FT_BOOLEAN, 32,
15707 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
15709 { &hf_smb_nt_create_bits_oplock,
15710 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
15711 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
15713 { &hf_smb_nt_create_bits_boplock,
15714 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
15715 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
15717 { &hf_smb_nt_create_bits_dir,
15718 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
15719 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
15721 { &hf_smb_nt_create_options_directory_file,
15722 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
15723 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
15725 { &hf_smb_nt_create_options_write_through,
15726 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
15727 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
15729 { &hf_smb_nt_create_options_sequential_only,
15730 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
15731 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will accees to thsis file only be sequential?", HFILL }},
15733 { &hf_smb_nt_create_options_sync_io_alert,
15734 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
15735 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
15737 { &hf_smb_nt_create_options_sync_io_nonalert,
15738 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
15739 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
15741 { &hf_smb_nt_create_options_non_directory_file,
15742 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
15743 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
15745 /* 0x00000080 is "tree connect", at least in "NtCreateFile()"
15746 and "NtOpenFile()"; is that sent over the wire? Network
15747 Monitor thinks so, but its author may just have grabbed
15748 the flag bits from a system header file. */
15750 /* 0x00000100 is "complete if oplocked", at least in "NtCreateFile()"
15751 and "NtOpenFile()"; is that sent over the wire? NetMon
15752 thinks so, but see previous comment. */
15754 { &hf_smb_nt_create_options_no_ea_knowledge,
15755 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
15756 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
15758 { &hf_smb_nt_create_options_eight_dot_three_only,
15759 { "8.3 Only", "smb.nt.create_options.eight_dot_three_only", FT_BOOLEAN, 32,
15760 TFS(&tfs_nt_create_options_eight_dot_three_only), 0x00000400, "Does the client understand only 8.3 filenames?", HFILL }},
15762 { &hf_smb_nt_create_options_random_access,
15763 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
15764 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
15766 { &hf_smb_nt_create_options_delete_on_close,
15767 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
15768 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
15770 /* 0x00002000 is "open by FID", or something such as that (which
15771 I suspect is like "open by inumber" on UNIX), at least in
15772 "NtCreateFile()" and "NtOpenFile()"; is that sent over the
15773 wire? NetMon thinks so, but see previous comment. */
15775 /* 0x00004000 is "open for backup", at least in "NtCreateFile()"
15776 and "NtOpenFile()"; is that sent over the wire? NetMon
15777 thinks so, but see previous comment. */
15779 { &hf_smb_nt_share_access_read,
15780 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
15781 TFS(&tfs_nt_share_access_read), 0x00000001, "Can the object be shared for reading?", HFILL }},
15783 { &hf_smb_nt_share_access_write,
15784 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
15785 TFS(&tfs_nt_share_access_write), 0x00000002, "Can the object be shared for write?", HFILL }},
15787 { &hf_smb_nt_share_access_delete,
15788 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
15789 TFS(&tfs_nt_share_access_delete), 0x00000004, "", HFILL }},
15791 { &hf_smb_file_eattr_read_only,
15792 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
15793 TFS(&tfs_file_attribute_read_only), FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
15795 { &hf_smb_file_eattr_hidden,
15796 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
15797 TFS(&tfs_file_attribute_hidden), FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
15799 { &hf_smb_file_eattr_system,
15800 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
15801 TFS(&tfs_file_attribute_system), FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
15803 { &hf_smb_file_eattr_volume,
15804 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
15805 TFS(&tfs_file_attribute_volume), FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
15807 { &hf_smb_file_eattr_directory,
15808 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
15809 TFS(&tfs_file_attribute_directory), FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
15811 { &hf_smb_file_eattr_archive,
15812 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
15813 TFS(&tfs_file_attribute_archive), FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
15815 { &hf_smb_file_eattr_device,
15816 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
15817 TFS(&tfs_file_attribute_device), FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
15819 { &hf_smb_file_eattr_normal,
15820 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
15821 TFS(&tfs_file_attribute_normal), FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
15823 { &hf_smb_file_eattr_temporary,
15824 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
15825 TFS(&tfs_file_attribute_temporary), FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
15827 { &hf_smb_file_eattr_sparse,
15828 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
15829 TFS(&tfs_file_attribute_sparse), FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
15831 { &hf_smb_file_eattr_reparse,
15832 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
15833 TFS(&tfs_file_attribute_reparse), FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
15835 { &hf_smb_file_eattr_compressed,
15836 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
15837 TFS(&tfs_file_attribute_compressed), FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
15839 { &hf_smb_file_eattr_offline,
15840 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
15841 TFS(&tfs_file_attribute_offline), FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
15843 { &hf_smb_file_eattr_not_content_indexed,
15844 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
15845 TFS(&tfs_file_attribute_not_content_indexed), FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
15847 { &hf_smb_file_eattr_encrypted,
15848 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
15849 TFS(&tfs_file_attribute_encrypted), FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
15851 { &hf_smb_file_eattr_write_through,
15852 { "Write Through", "smb.file_attribute.write_through", FT_BOOLEAN, 32,
15853 TFS(&tfs_file_attribute_write_through), FILE_ATTRIBUTE_WRITE_THROUGH, "Does this object need write through?", HFILL }},
15855 { &hf_smb_file_eattr_no_buffering,
15856 { "No Buffering", "smb.file_attribute.no_buffering", FT_BOOLEAN, 32,
15857 TFS(&tfs_file_attribute_no_buffering), FILE_ATTRIBUTE_NO_BUFFERING, "May the server buffer this object?", HFILL }},
15859 { &hf_smb_file_eattr_random_access,
15860 { "Random Access", "smb.file_attribute.random_access", FT_BOOLEAN, 32,
15861 TFS(&tfs_file_attribute_random_access), FILE_ATTRIBUTE_RANDOM_ACCESS, "Optimize for random access", HFILL }},
15863 { &hf_smb_file_eattr_sequential_scan,
15864 { "Sequential Scan", "smb.file_attribute.sequential_scan", FT_BOOLEAN, 32,
15865 TFS(&tfs_file_attribute_sequential_scan), FILE_ATTRIBUTE_SEQUENTIAL_SCAN, "Optimize for sequential scan", HFILL }},
15867 { &hf_smb_file_eattr_delete_on_close,
15868 { "Delete on Close", "smb.file_attribute.delete_on_close", FT_BOOLEAN, 32,
15869 TFS(&tfs_file_attribute_delete_on_close), FILE_ATTRIBUTE_DELETE_ON_CLOSE, "Should this object be deleted on close?", HFILL }},
15871 { &hf_smb_file_eattr_backup_semantics,
15872 { "Backup", "smb.file_attribute.backup_semantics", FT_BOOLEAN, 32,
15873 TFS(&tfs_file_attribute_backup_semantics), FILE_ATTRIBUTE_BACKUP_SEMANTICS, "Does this object need/support backup semantics", HFILL }},
15875 { &hf_smb_file_eattr_posix_semantics,
15876 { "Posix", "smb.file_attribute.posix_semantics", FT_BOOLEAN, 32,
15877 TFS(&tfs_file_attribute_posix_semantics), FILE_ATTRIBUTE_POSIX_SEMANTICS, "Does this object need/support POSIX semantics?", HFILL }},
15879 { &hf_smb_sec_desc_len,
15880 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
15881 NULL, 0, "Security Descriptor Length", HFILL }},
15883 { &hf_smb_nt_qsd_owner,
15884 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
15885 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security informaton being queried?", HFILL }},
15887 { &hf_smb_nt_qsd_group,
15888 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
15889 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security informaton being queried?", HFILL }},
15891 { &hf_smb_nt_qsd_dacl,
15892 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
15893 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security informaton being queried?", HFILL }},
15895 { &hf_smb_nt_qsd_sacl,
15896 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
15897 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security informaton being queried?", HFILL }},
15899 { &hf_smb_extended_attributes,
15900 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_HEX,
15901 NULL, 0, "Extended Attributes", HFILL }},
15903 { &hf_smb_oplock_level,
15904 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
15905 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
15907 { &hf_smb_create_action,
15908 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
15909 VALS(create_disposition_vals), 0, "Type of action taken", HFILL }},
15911 { &hf_smb_ea_error_offset,
15912 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
15913 NULL, 0, "Offset into EA list if EA error", HFILL }},
15915 { &hf_smb_end_of_file,
15916 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
15917 NULL, 0, "Offset to the first free byte in the file", HFILL }},
15919 { &hf_smb_device_type,
15920 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
15921 VALS(device_type_vals), 0, "Type of device", HFILL }},
15923 { &hf_smb_is_directory,
15924 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
15925 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
15927 { &hf_smb_next_entry_offset,
15928 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
15929 NULL, 0, "Offset to next entry", HFILL }},
15931 { &hf_smb_change_time,
15932 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, BASE_NONE,
15933 NULL, 0, "Last Change Time", HFILL }},
15935 { &hf_smb_setup_len,
15936 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
15937 NULL, 0, "Length of prionter setup data", HFILL }},
15939 { &hf_smb_print_mode,
15940 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
15941 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
15943 { &hf_smb_print_identifier,
15944 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
15945 NULL, 0, "Identifier string for this print job", HFILL }},
15947 { &hf_smb_restart_index,
15948 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
15949 NULL, 0, "Index of entry after last returned", HFILL }},
15951 { &hf_smb_print_queue_date,
15952 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, BASE_NONE,
15953 NULL, 0, "Date when this entry was queued", HFILL }},
15955 { &hf_smb_print_queue_dos_date,
15956 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
15957 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
15959 { &hf_smb_print_queue_dos_time,
15960 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
15961 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
15963 { &hf_smb_print_status,
15964 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
15965 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
15967 { &hf_smb_print_spool_file_number,
15968 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
15969 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
15971 { &hf_smb_print_spool_file_size,
15972 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
15973 NULL, 0, "Number of bytes in spool file", HFILL }},
15975 { &hf_smb_print_spool_file_name,
15976 { "Name", "smb.print.spool.name", FT_BYTES, BASE_HEX,
15977 NULL, 0, "Name of client that submitted this job", HFILL }},
15979 { &hf_smb_start_index,
15980 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
15981 NULL, 0, "First queue entry to return", HFILL }},
15983 { &hf_smb_cancel_to,
15984 { "Cancel to", "smb.cancel_to", FT_UINT32, BASE_DEC,
15985 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
15987 { &hf_smb_trans2_subcmd,
15988 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX,
15989 VALS(trans2_cmd_vals), 0, "Subcommand for TRANSACTION2", HFILL }},
15991 { &hf_smb_trans_name,
15992 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
15993 NULL, 0, "Name of transaction", HFILL }},
15995 { &hf_smb_transaction_flags_dtid,
15996 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
15997 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
15999 { &hf_smb_transaction_flags_owt,
16000 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
16001 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
16003 { &hf_smb_search_count,
16004 { "Search Count", "smb.search_count", FT_UINT16, BASE_DEC,
16005 NULL, 0, "Maximum number of search entries to return", HFILL }},
16007 { &hf_smb_search_pattern,
16008 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
16009 NULL, 0, "Search Pattern", HFILL }},
16011 { &hf_smb_ff2_backup,
16012 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
16013 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
16015 { &hf_smb_ff2_continue,
16016 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
16017 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
16019 { &hf_smb_ff2_resume,
16020 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
16021 TFS(&tfs_ff2_resume), 0x0004, "Return resume keys for each entry found", HFILL }},
16023 { &hf_smb_ff2_close_eos,
16024 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
16025 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
16027 { &hf_smb_ff2_close,
16028 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
16029 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
16031 { &hf_smb_ff2_information_level,
16032 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_DEC,
16033 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
16036 { "Level of Interest", "smb.loi", FT_UINT16, BASE_DEC,
16037 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] commands", HFILL }},
16039 { &hf_smb_storage_type,
16040 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
16041 NULL, 0, "Type of storage", HFILL }},
16044 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
16045 NULL, 0, "Resume Key", HFILL }},
16047 { &hf_smb_max_referral_level,
16048 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
16049 NULL, 0, "Latest referral version number understood", HFILL }},
16051 { &hf_smb_qfsi_information_level,
16052 { "Level of Interest", "smb.qfi_loi", FT_UINT16, BASE_DEC,
16053 VALS(qfsi_vals), 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
16056 { "EA Size", "smb.ea_size", FT_UINT32, BASE_DEC,
16057 NULL, 0, "Size of file's EA information", HFILL }},
16059 { &hf_smb_list_length,
16060 { "ListLength", "smb.list_len", FT_UINT32, BASE_DEC,
16061 NULL, 0, "Length of the remaining data", HFILL }},
16063 { &hf_smb_number_of_links,
16064 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
16065 NULL, 0, "Number of hard links to the file", HFILL }},
16067 { &hf_smb_delete_pending,
16068 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
16069 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
16071 { &hf_smb_index_number,
16072 { "Index Number", "smb.index_number", FT_UINT64, BASE_DEC,
16073 NULL, 0, "File system unique identifier", HFILL }},
16075 { &hf_smb_current_offset,
16076 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
16077 NULL, 0, "Current offset in the file", HFILL }},
16079 { &hf_smb_t2_alignment,
16080 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
16081 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
16083 { &hf_smb_t2_stream_name_length,
16084 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
16085 NULL, 0, "Length of stream name", HFILL }},
16087 { &hf_smb_t2_stream_size,
16088 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
16089 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16091 { &hf_smb_t2_stream_name,
16092 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
16093 NULL, 0, "Name of the stream", HFILL }},
16095 { &hf_smb_t2_compressed_file_size,
16096 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
16097 NULL, 0, "Size of the compressed file", HFILL }},
16099 { &hf_smb_t2_compressed_format,
16100 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
16101 NULL, 0, "Compression algorithm used", HFILL }},
16103 { &hf_smb_t2_compressed_unit_shift,
16104 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
16105 NULL, 0, "Size of the stream in number of bytes", HFILL }},
16107 { &hf_smb_t2_compressed_chunk_shift,
16108 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
16109 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16111 { &hf_smb_t2_compressed_cluster_shift,
16112 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
16113 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
16115 { &hf_smb_dfs_path_consumed,
16116 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
16117 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
16119 { &hf_smb_dfs_num_referrals,
16120 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
16121 NULL, 0, "Number of referrals in this pdu", HFILL }},
16123 { &hf_smb_get_dfs_server_hold_storage,
16124 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
16125 TFS(&tfs_get_dfs_server_hold_storage), 0x02, "The servers in referrals should hold storage for the file", HFILL }},
16127 { &hf_smb_get_dfs_fielding,
16128 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
16129 TFS(&tfs_get_dfs_fielding), 0x01, "The servers in referrals are capable of fielding", HFILL }},
16131 { &hf_smb_dfs_referral_version,
16132 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
16133 NULL, 0, "Version of referral element", HFILL }},
16135 { &hf_smb_dfs_referral_size,
16136 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
16137 NULL, 0, "Size of referral element", HFILL }},
16139 { &hf_smb_dfs_referral_server_type,
16140 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
16141 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
16143 { &hf_smb_dfs_referral_flags_strip,
16144 { "Strip", "smb.dfs.referral.flags.strip", FT_BOOLEAN, 16,
16145 TFS(&tfs_dfs_referral_flags_strip), 0x01, "Should we strip off pathconsumed characters before submitting?", HFILL }},
16147 { &hf_smb_dfs_referral_node_offset,
16148 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
16149 NULL, 0, "Offset of name of entity to visit next", HFILL }},
16151 { &hf_smb_dfs_referral_node,
16152 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
16153 NULL, 0, "Name of entity to visit next", HFILL }},
16155 { &hf_smb_dfs_referral_proximity,
16156 { "Proximity", "smb.dfs.referral.proximity", FT_UINT16, BASE_DEC,
16157 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
16159 { &hf_smb_dfs_referral_ttl,
16160 { "TTL", "smb.dfs.referral.ttl", FT_UINT16, BASE_DEC,
16161 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
16163 { &hf_smb_dfs_referral_path_offset,
16164 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
16165 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
16167 { &hf_smb_dfs_referral_path,
16168 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
16169 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
16171 { &hf_smb_dfs_referral_alt_path_offset,
16172 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
16173 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
16175 { &hf_smb_dfs_referral_alt_path,
16176 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
16177 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
16179 { &hf_smb_end_of_search,
16180 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
16181 NULL, 0, "Was last entry returned?", HFILL }},
16183 { &hf_smb_last_name_offset,
16184 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
16185 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
16187 { &hf_smb_file_index,
16188 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
16189 NULL, 0, "File index", HFILL }},
16191 { &hf_smb_short_file_name,
16192 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
16193 NULL, 0, "Short (8.3) File Name", HFILL }},
16195 { &hf_smb_short_file_name_len,
16196 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
16197 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
16200 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
16201 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
16203 { &hf_smb_sector_unit,
16204 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
16205 NULL, 0, "Sectors per allocation unit", HFILL }},
16207 { &hf_smb_fs_units,
16208 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
16209 NULL, 0, "Total number of units on this filesystem", HFILL }},
16211 { &hf_smb_fs_sector,
16212 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
16213 NULL, 0, "Bytes per sector", HFILL }},
16215 { &hf_smb_avail_units,
16216 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
16217 NULL, 0, "Total number of available units on this filesystem", HFILL }},
16219 { &hf_smb_volume_serial_num,
16220 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
16221 NULL, 0, "Volume serial number", HFILL }},
16223 { &hf_smb_volume_label_len,
16224 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
16225 NULL, 0, "Length of volume label", HFILL }},
16227 { &hf_smb_volume_label,
16228 { "Label", "smb.volume.label", FT_STRING, BASE_DEC,
16229 NULL, 0, "Volume label", HFILL }},
16231 { &hf_smb_free_alloc_units64,
16232 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
16233 NULL, 0, "Number of free allocation units", HFILL }},
16235 { &hf_smb_soft_quota_limit,
16236 { "(Soft) Quota Treshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
16237 NULL, 0, "Soft Quota treshold", HFILL }},
16239 { &hf_smb_hard_quota_limit,
16240 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
16241 NULL, 0, "Hard Quota limit", HFILL }},
16243 { &hf_smb_user_quota_used,
16244 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
16245 NULL, 0, "How much Quota is used by this user", HFILL }},
16247 { &hf_smb_max_name_len,
16248 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
16249 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
16251 { &hf_smb_fs_name_len,
16252 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
16253 NULL, 0, "Length of filesystem name in bytes", HFILL }},
16256 { "FS Name", "smb.fs_name", FT_STRING, BASE_DEC,
16257 NULL, 0, "Name of filesystem", HFILL }},
16259 { &hf_smb_device_char_removable,
16260 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
16261 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
16263 { &hf_smb_device_char_read_only,
16264 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
16265 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
16267 { &hf_smb_device_char_floppy,
16268 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
16269 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
16271 { &hf_smb_device_char_write_once,
16272 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
16273 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
16275 { &hf_smb_device_char_remote,
16276 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
16277 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
16279 { &hf_smb_device_char_mounted,
16280 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
16281 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
16283 { &hf_smb_device_char_virtual,
16284 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
16285 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
16287 { &hf_smb_fs_attr_css,
16288 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
16289 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
16291 { &hf_smb_fs_attr_cpn,
16292 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
16293 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
16295 { &hf_smb_fs_attr_pacls,
16296 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
16297 TFS(&tfs_fs_attr_pacls), 0x00000004, "Does this FS support Persistent ACLs?", HFILL }},
16299 { &hf_smb_fs_attr_fc,
16300 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
16301 TFS(&tfs_fs_attr_fc), 0x00000008, "Does this FS support File Compression?", HFILL }},
16303 { &hf_smb_fs_attr_vq,
16304 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
16305 TFS(&tfs_fs_attr_vq), 0x00000010, "Does this FS support Volume Quotas?", HFILL }},
16307 { &hf_smb_fs_attr_dim,
16308 { "Mounted", "smb.fs_attr.dim", FT_BOOLEAN, 32,
16309 TFS(&tfs_fs_attr_dim), 0x00000020, "Is this FS a Mounted Device?", HFILL }},
16311 { &hf_smb_fs_attr_vic,
16312 { "Compressed", "smb.fs_attr.vic", FT_BOOLEAN, 32,
16313 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
16315 { &hf_smb_sec_desc_revision,
16316 { "Revision", "smb.sec_desc.revision", FT_UINT16, BASE_DEC,
16317 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
16319 { &hf_smb_sid_revision,
16320 { "Revision", "smb.sid.revision", FT_UINT8, BASE_DEC,
16321 NULL, 0, "Version of SID structure", HFILL }},
16323 { &hf_smb_sid_num_auth,
16324 { "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
16325 NULL, 0, "Number of authorities for this SID", HFILL }},
16327 { &hf_smb_acl_revision,
16328 { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
16329 NULL, 0, "Version of NT ACL structure", HFILL }},
16331 { &hf_smb_acl_size,
16332 { "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
16333 NULL, 0, "Size of NT ACL structure", HFILL }},
16335 { &hf_smb_acl_num_aces,
16336 { "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
16337 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
16339 { &hf_smb_user_quota_offset,
16340 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
16341 NULL, 0, "Relative offset to next user quota structure", HFILL }},
16343 { &hf_smb_ace_type,
16344 { "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
16345 VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
16347 { &hf_smb_ace_size,
16348 { "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
16349 NULL, 0, "Size of this ACE", HFILL }},
16351 { &hf_smb_ace_flags_object_inherit,
16352 { "Object Inherit", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
16353 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
16355 { &hf_smb_ace_flags_container_inherit,
16356 { "Container Inherit", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
16357 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
16359 { &hf_smb_ace_flags_non_propagate_inherit,
16360 { "Non-Propagate Inherit", "smb.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
16361 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
16363 { &hf_smb_ace_flags_inherit_only,
16364 { "Inherit Only", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
16365 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
16367 { &hf_smb_ace_flags_inherited_ace,
16368 { "Inherited ACE", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
16369 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
16371 { &hf_smb_ace_flags_successful_access,
16372 { "Audit Successful Accesses", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
16373 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
16375 { &hf_smb_ace_flags_failed_access,
16376 { "Audit Failed Accesses", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
16377 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
16379 { &hf_smb_sec_desc_type_owner_defaulted,
16380 { "Owner Defaulted", "smb.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
16381 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
16383 { &hf_smb_sec_desc_type_group_defaulted,
16384 { "Group Defaulted", "smb.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
16385 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
16387 { &hf_smb_sec_desc_type_dacl_present,
16388 { "DACL Present", "smb.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
16389 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
16391 { &hf_smb_sec_desc_type_dacl_defaulted,
16392 { "DACL Defaulted", "smb.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
16393 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
16395 { &hf_smb_sec_desc_type_sacl_present,
16396 { "SACL Present", "smb.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
16397 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
16399 { &hf_smb_sec_desc_type_sacl_defaulted,
16400 { "SACL Defaulted", "smb.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
16401 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
16403 { &hf_smb_sec_desc_type_dacl_auto_inherit_req,
16404 { "DACL Auto Inherit Required", "smb.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
16405 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
16407 { &hf_smb_sec_desc_type_sacl_auto_inherit_req,
16408 { "SACL Auto Inherit Required", "smb.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
16409 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
16411 { &hf_smb_sec_desc_type_dacl_auto_inherited,
16412 { "DACL Auto Inherited", "smb.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
16413 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
16415 { &hf_smb_sec_desc_type_sacl_auto_inherited,
16416 { "SACL Auto Inherited", "smb.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
16417 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
16419 { &hf_smb_sec_desc_type_dacl_protected,
16420 { "DACL Protected", "smb.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
16421 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
16423 { &hf_smb_sec_desc_type_sacl_protected,
16424 { "SACL Protected", "smb.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
16425 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
16427 { &hf_smb_sec_desc_type_self_relative,
16428 { "Self Relative", "smb.sec_desc.type.self_relative", FT_BOOLEAN, 16,
16429 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
16431 { &hf_smb_quota_flags_deny_disk,
16432 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
16433 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
16435 { &hf_smb_quota_flags_log_limit,
16436 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
16437 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
16439 { &hf_smb_quota_flags_log_warning,
16440 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
16441 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
16443 { &hf_smb_quota_flags_enabled,
16444 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
16445 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
16448 static gint *ett[] = {
16452 &ett_smb_fileattributes,
16453 &ett_smb_capabilities,
16461 &ett_smb_desiredaccess,
16464 &ett_smb_openfunction,
16466 &ett_smb_openaction,
16467 &ett_smb_writemode,
16468 &ett_smb_lock_type,
16469 &ett_smb_ssetupandxaction,
16470 &ett_smb_optionsup,
16471 &ett_smb_time_date,
16472 &ett_smb_move_flags,
16473 &ett_smb_file_attributes,
16474 &ett_smb_search_resume_key,
16475 &ett_smb_search_dir_info,
16480 &ett_smb_open_flags,
16481 &ett_smb_ipc_state,
16482 &ett_smb_open_action,
16483 &ett_smb_setup_action,
16484 &ett_smb_connect_flags,
16485 &ett_smb_connect_support_bits,
16486 &ett_smb_nt_access_mask,
16487 &ett_smb_nt_create_bits,
16488 &ett_smb_nt_create_options,
16489 &ett_smb_nt_share_access,
16490 &ett_smb_nt_security_flags,
16491 &ett_smb_nt_trans_setup,
16492 &ett_smb_nt_trans_data,
16493 &ett_smb_nt_trans_param,
16494 &ett_smb_nt_notify_completion_filter,
16495 &ett_smb_nt_ioctl_flags,
16496 &ett_smb_security_information_mask,
16497 &ett_smb_print_queue_entry,
16498 &ett_smb_transaction_flags,
16499 &ett_smb_transaction_params,
16500 &ett_smb_find_first2_flags,
16501 &ett_smb_transaction_data,
16502 &ett_smb_stream_info,
16503 &ett_smb_dfs_referrals,
16504 &ett_smb_dfs_referral,
16505 &ett_smb_dfs_referral_flags,
16506 &ett_smb_get_dfs_flags,
16508 &ett_smb_device_characteristics,
16509 &ett_smb_fs_attributes,
16515 &ett_smb_ace_flags,
16516 &ett_smb_sec_desc_type,
16517 &ett_smb_quotaflags,
16519 module_t *smb_module;
16521 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
16523 proto_register_subtree_array(ett, array_length(ett));
16524 proto_register_field_array(proto_smb, hf, array_length(hf));
16525 register_init_routine(&smb_init_protocol);
16526 smb_module = prefs_register_protocol(proto_smb, NULL);
16527 prefs_register_bool_preference(smb_module, "trans_reassembly",
16528 "Reassemble SMB Transaction payload",
16529 "Whether the dissector should do reassembly the payload of SMB Transaction commands spanning multiple SMB PDUs",
16530 &smb_trans_reassembly);
16531 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
16532 "Reassemble DCERPC over SMB",
16533 "Whether the dissector should do reassembly of DCERPC over SMB commands",
16534 &smb_dcerpc_reassembly);
16535 register_init_routine(smb_trans_reassembly_init);
16536 register_init_routine(smb_dcerpc_reassembly_init);
16540 proto_reg_handoff_smb(void)
16542 heur_dissector_add("netbios", dissect_smb, proto_smb);