* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
* 2001 Rewrite by Ronnie Sahlberg and Guy Harris
*
- * $Id: packet-smb.c,v 1.344 2003/05/28 22:40:19 guy Exp $
+ * $Id: packet-smb.c,v 1.389 2004/03/30 07:39:05 sharpe Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
#include <string.h>
#include <glib.h>
#include <ctype.h>
+#include <epan/int-64bit.h>
#include <epan/packet.h>
#include <epan/conversation.h>
#include "smb.h"
-#include "alignment.h"
#include <epan/strutil.h>
#include "prefs.h"
#include "reassemble.h"
static int hf_smb_tid = -1;
static int hf_smb_uid = -1;
static int hf_smb_mid = -1;
+static int hf_smb_pid_high = -1;
+static int hf_smb_sig = -1;
static int hf_smb_response_to = -1;
static int hf_smb_time = -1;
static int hf_smb_response_in = -1;
static int hf_smb_copy_flags_tree_copy = -1;
static int hf_smb_copy_flags_ea_action = -1;
static int hf_smb_count = -1;
+static int hf_smb_count_low = -1;
+static int hf_smb_count_high = -1;
static int hf_smb_file_name = -1;
static int hf_smb_open_function_open = -1;
static int hf_smb_open_function_create = -1;
static int hf_smb_file_data = -1;
static int hf_smb_total_data_len = -1;
static int hf_smb_data_len = -1;
+static int hf_smb_data_len_low = -1;
+static int hf_smb_data_len_high = -1;
static int hf_smb_seek_mode = -1;
static int hf_smb_data_size = -1;
static int hf_smb_alloc_size = -1;
static int hf_smb_alloc_size64 = -1;
static int hf_smb_max_count = -1;
+static int hf_smb_max_count_low = -1;
+static int hf_smb_max_count_high = -1;
static int hf_smb_min_count = -1;
static int hf_smb_timeout = -1;
static int hf_smb_high_offset = -1;
static int hf_smb_root_dir_fid = -1;
static int hf_smb_nt_create_disposition = -1;
static int hf_smb_sd_length = -1;
-static int hf_smb_ea_length = -1;
+static int hf_smb_ea_list_length = -1;
+static int hf_smb_ea_flags = -1;
+static int hf_smb_ea_name_length = -1;
+static int hf_smb_ea_data_length = -1;
+static int hf_smb_ea_name = -1;
+static int hf_smb_ea_data = -1;
static int hf_smb_file_name_len = -1;
static int hf_smb_nt_impersonation_level = -1;
static int hf_smb_nt_security_flags_context_tracking = -1;
static int hf_smb_file_id = -1;
static int hf_smb_ea_error_offset = -1;
static int hf_smb_end_of_file = -1;
+static int hf_smb_replace = -1;
+static int hf_smb_root_dir_handle = -1;
+static int hf_smb_target_name_len = -1;
+static int hf_smb_target_name = -1;
static int hf_smb_device_type = -1;
static int hf_smb_is_directory = -1;
static int hf_smb_next_entry_offset = -1;
static int hf_smb_ff2_close = -1;
static int hf_smb_ff2_information_level = -1;
static int hf_smb_qpi_loi = -1;
+static int hf_smb_spi_loi = -1;
#if 0
static int hf_smb_sfi_writetru = -1;
static int hf_smb_sfi_caching = -1;
static int hf_smb_resume = -1;
static int hf_smb_max_referral_level = -1;
static int hf_smb_qfsi_information_level = -1;
-static int hf_smb_ea_size = -1;
-static int hf_smb_list_length = -1;
static int hf_smb_number_of_links = -1;
static int hf_smb_delete_pending = -1;
static int hf_smb_index_number = -1;
static int hf_smb_t2_compressed_unit_shift = -1;
static int hf_smb_t2_compressed_chunk_shift = -1;
static int hf_smb_t2_compressed_cluster_shift = -1;
+static int hf_smb_t2_marked_for_deletion = -1;
static int hf_smb_dfs_path_consumed = -1;
static int hf_smb_dfs_num_referrals = -1;
static int hf_smb_get_dfs_server_hold_storage = -1;
static int hf_smb_short_file_name = -1;
static int hf_smb_short_file_name_len = -1;
static int hf_smb_fs_id = -1;
+static int hf_smb_fs_guid = -1;
static int hf_smb_sector_unit = -1;
static int hf_smb_fs_units = -1;
static int hf_smb_fs_sector = -1;
static int hf_smb_segment_too_long_fragment = -1;
static int hf_smb_segment_error = -1;
static int hf_smb_pipe_write_len = -1;
+static int hf_smb_unix_major_version = -1;
+static int hf_smb_unix_minor_version = -1;
+static int hf_smb_unix_capability_fcntl = -1;
+static int hf_smb_unix_capability_posix_acl = -1;
+static int hf_smb_unix_file_size = -1;
+static int hf_smb_unix_file_num_bytes = -1;
+static int hf_smb_unix_file_last_status = -1;
+static int hf_smb_unix_file_last_access = -1;
+static int hf_smb_unix_file_last_change = -1;
+static int hf_smb_unix_file_uid = -1;
+static int hf_smb_unix_file_gid = -1;
+static int hf_smb_unix_file_type = -1;
+static int hf_smb_unix_file_dev_major = -1;
+static int hf_smb_unix_file_dev_minor = -1;
+static int hf_smb_unix_file_unique_id = -1;
+static int hf_smb_unix_file_permissions = -1;
+static int hf_smb_unix_file_nlinks = -1;
+static int hf_smb_unix_file_link_dest = -1;
+static int hf_smb_unix_find_file_nextoffset = -1;
+static int hf_smb_unix_find_file_resumekey = -1;
static gint ett_smb = -1;
static gint ett_smb_hdr = -1;
static gint ett_smb_quotaflags = -1;
static gint ett_smb_secblob = -1;
static gint ett_smb_unicode_password = -1;
+static gint ett_smb_ea = -1;
+static gint ett_smb_unix_capabilities = -1;
static int smb_tap = -1;
proto_tree *top_tree=NULL; /* ugly */
-static char *decode_smb_name(unsigned char);
+static char *decode_smb_name(guint8);
static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, guint8 cmd, gboolean first_pdu);
/*
#define END_OF_SMB \
if (bc != 0) { \
- proto_tree_add_text(tree, tvb, offset, bc, \
- "Extra byte parameters"); \
+ gint bc_remaining; \
+ bc_remaining=tvb_length_remaining(tvb, offset); \
+ if( ((gint)bc) > bc_remaining){ \
+ bc=bc_remaining; \
+ } \
+ if(bc){ \
+ proto_tree_add_text(tree, tvb, offset, bc, \
+ "Extra byte parameters"); \
+ } \
offset += bc; \
} \
endofcommand:
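Review bot: The new clamp in END_OF_SMB does not cover a negative `bc_remaining`. If `tvb_length_remaining()` signals an out-of-range offset with a negative value (it appears to return -1 in that case; confirm in tvbuff.c), `bc=bc_remaining` stores it into `bc`, which the dissectors on this page declare as `guint16`. The byte count then becomes 0xffff rather than 0, and `proto_tree_add_text` is asked for 65535 bytes. Adding `if (bc_remaining < 0) bc_remaining = 0;` before the comparison closes that case. A one-line comment that the clamp keeps a packet-declared byte count inside the captured data would also help.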
/*
* Get the time as seconds and nanoseconds.
*/
- tv->secs = d;
- tv->nsecs = (d - tv->secs)*1000000000;
+ tv->secs = (time_t) d;
+ tv->nsecs = (int) ((d - tv->secs)*1000000000);
return TRUE;
}
}
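Review bot: The added `(time_t) d` and `(int)` casts silence the conversion warning but leave the conversion unchecked, and converting a floating-point value that does not fit the target integer type is undefined behaviour in C. The computation of `d` is outside this hunk; if it derives from a timestamp field in the packet, the value is attacker-influenced. In that case, reject values that are negative or beyond what `time_t` can hold before casting, and return FALSE so the caller displays the raw field instead.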
#define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
-#define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
-#define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
-#define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
+#define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
+#define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
+#define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
#define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
-#define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
-#define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
-#define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
+#define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
+#define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
+#define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
#define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
-#define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
-#define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
+#define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
+#define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
#define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
-#define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
+#define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
#define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
#define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
/* fid */
fid = tvb_get_letohs(tvb, offset);
- add_fid(tvb, pinfo, tree, offset, 2, fid);
+ add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
offset += 2;
if (!pinfo->fd->flags.visited) {
/* remember the FID for the processing of the response */
/* first check if we have seen the request */
if(si->sip != NULL && si->sip->frame_req>0){
fid=(int)si->sip->extra_info;
- add_fid(tvb, pinfo, tree, 0, 0, fid);
+ add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
}
BYTE_COUNT;
/* file data, might be DCERPC on a pipe */
if(bc){
offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
- top_tree, offset, bc, bc, 0, fid);
+ top_tree, offset, bc, bc, 0, (guint16) fid);
bc = 0;
}
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
proto_item *litem = NULL;
proto_tree *ltree = NULL;
if(lt&0x10){
+ guint8 buf[8];
+ guint32 val;
+
/* large lock format */
litem = proto_tree_add_text(tr, tvb, offset, 20,
"Unlock");
/* offset */
CHECK_BYTE_COUNT(8);
- proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
+ val=tvb_get_letohl(tvb, offset);
+ buf[3]=(val>>24)&0xff;
+ buf[2]=(val>>16)&0xff;
+ buf[1]=(val>> 8)&0xff;
+ buf[0]=(val )&0xff;
+ val=tvb_get_letohl(tvb, offset+4);
+ buf[7]=(val>>24)&0xff;
+ buf[6]=(val>>16)&0xff;
+ buf[5]=(val>> 8)&0xff;
+ buf[4]=(val )&0xff;
+ proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
COUNT_BYTES(8);
/* length */
CHECK_BYTE_COUNT(8);
- proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
+ val=tvb_get_letohl(tvb, offset);
+ buf[3]=(val>>24)&0xff;
+ buf[2]=(val>>16)&0xff;
+ buf[1]=(val>> 8)&0xff;
+ buf[0]=(val )&0xff;
+ val=tvb_get_letohl(tvb, offset+4);
+ buf[7]=(val>>24)&0xff;
+ buf[6]=(val>>16)&0xff;
+ buf[5]=(val>> 8)&0xff;
+ buf[4]=(val )&0xff;
+ proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
COUNT_BYTES(8);
} else {
/* normal lock format */
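Review bot: The "Unlock" branch fills `buf` with `buf[0]=(val)&0xff ... buf[3]=(val>>24)&0xff`, while the "Lock" hunk that follows fills it with `buf[0]=(val>>24)&0xff ... buf[3]=(val)&0xff`. Both read the same little-endian wire field and both pass `buf` to `u64toa()`, so at most one of them can show the right offset and length. The "Lock" variant also byte-swaps each 32-bit half but keeps the low half first, which is neither a little-endian nor a big-endian 64-bit layout. I would move the conversion into one static helper used at all four call sites and confirm the byte order against `u64toa()`'s contract in epan/int-64bit.h, which is not visible here. The sketch below assumes most-significant byte first; the helper name is only a suggestion.

```c
/* Fill buf[8] from a little-endian 64-bit field on the wire.
 * Assumes u64toa() expects the most significant byte first; confirm
 * against epan/int-64bit.h before relying on it. */
static void
smb_le64_to_bytes(tvbuff_t *tvb, int offset, guint8 *buf)
{
	guint32 lo = tvb_get_letohl(tvb, offset);
	guint32 hi = tvb_get_letohl(tvb, offset+4);

	buf[0]=(guint8)(hi>>24); buf[1]=(guint8)(hi>>16);
	buf[2]=(guint8)(hi>> 8); buf[3]=(guint8)(hi    );
	buf[4]=(guint8)(lo>>24); buf[5]=(guint8)(lo>>16);
	buf[6]=(guint8)(lo>> 8); buf[7]=(guint8)(lo    );
}

/* ... unchanged: CHECK_BYTE_COUNT(8) ... */
smb_le64_to_bytes(tvb, offset, buf);
proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
/* ... unchanged: COUNT_BYTES(8), then the same two lines for hf_smb_lock_long_length ... */
```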
proto_item *litem = NULL;
proto_tree *ltree = NULL;
if(lt&0x10){
+ guint8 buf[8];
+ guint32 val;
+
/* large lock format */
litem = proto_tree_add_text(tr, tvb, offset, 20,
"Lock");
/* offset */
CHECK_BYTE_COUNT(8);
- proto_tree_add_item(ltree, hf_smb_lock_long_offset, tvb, offset, 8, TRUE);
+ val=tvb_get_letohl(tvb, offset);
+ buf[3]=(val )&0xff;
+ buf[2]=(val>> 8)&0xff;
+ buf[1]=(val>>16)&0xff;
+ buf[0]=(val>>24)&0xff;
+ val=tvb_get_letohl(tvb, offset+4);
+ buf[7]=(val )&0xff;
+ buf[6]=(val>> 8)&0xff;
+ buf[5]=(val>>16)&0xff;
+ buf[4]=(val>>24)&0xff;
+ proto_tree_add_string(ltree, hf_smb_lock_long_offset, tvb, offset, 8, u64toa(buf));
COUNT_BYTES(8);
/* length */
CHECK_BYTE_COUNT(8);
- proto_tree_add_item(ltree, hf_smb_lock_long_length, tvb, offset, 8, TRUE);
+ val=tvb_get_letohl(tvb, offset);
+ buf[3]=(val )&0xff;
+ buf[2]=(val>> 8)&0xff;
+ buf[1]=(val>>16)&0xff;
+ buf[0]=(val>>24)&0xff;
+ val=tvb_get_letohl(tvb, offset+4);
+ buf[7]=(val )&0xff;
+ buf[6]=(val>> 8)&0xff;
+ buf[5]=(val>>16)&0xff;
+ buf[4]=(val>>24)&0xff;
+ proto_tree_add_string(ltree, hf_smb_lock_long_length, tvb, offset, 8, u64toa(buf));
COUNT_BYTES(8);
} else {
/* normal lock format */
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
{
guint8 wc, cmd=0xff;
- guint16 andxoffset=0, bc, maxcnt = 0;
+ guint16 andxoffset=0, bc, maxcnt_low;
+ guint32 maxcnt_high;
+ guint32 maxcnt=0;
guint32 ofs = 0;
smb_info_t *si;
unsigned int fid;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
/* fid */
fid = tvb_get_letohs(tvb, offset);
- add_fid(tvb, pinfo, tree, offset, 2, fid);
+ add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
offset += 2;
if (!pinfo->fd->flags.visited) {
/* remember the FID for the processing of the response */
proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, TRUE);
offset += 4;
- /* max count */
- maxcnt = tvb_get_letohs(tvb, offset);
- proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, TRUE);
+ /* max count low */
+ maxcnt_low = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
offset += 2;
- if (check_col(pinfo->cinfo, COL_INFO))
- col_append_fstr(pinfo->cinfo, COL_INFO,
- ", %u byte%s at offset %u", maxcnt,
- (maxcnt == 1) ? "" : "s", ofs);
-
/* min count */
proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, TRUE);
offset += 2;
- /* XXX - max count high */
- proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
+ /*
+ * max count high
+ *
+ * XXX - we should really only do this in case we have seen
+ * LARGE FILE being negotiated. Unfortunately, we might not
+ * have seen the negotiation phase in the capture....
+ *
+ * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
+ * it's 32 bits, but the description says "High 16 bits of
+ * MaxCount if CAP_LARGE_READX".
+ *
+ * The SMB File Sharing Protocol Extensions Version 2.0,
+ * Document Version 3.3 spec doesn't speak of an extra 16
+ * bits in max count, but it does show a 32-bit timeout
+ * after the min count field.
+ *
+ * Perhaps the 32-bit timeout field was hijacked as a 16-bit
+ * high count and a 16-bit reserved field.
+ *
+ * We fetch and display it as 32 bits.
+ *
+ * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
+ * bytes and we just ignore it.
+ */
+ maxcnt_high = tvb_get_letohl(tvb, offset);
+ if(maxcnt_high==0xffffffff){
+ maxcnt_high=0;
+ } else {
+ proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
+ }
+
offset += 4;
+ maxcnt=maxcnt_high;
+ maxcnt=(maxcnt<<16)|maxcnt_low;
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO,
+ ", %u byte%s at offset %u", maxcnt,
+ (maxcnt == 1) ? "" : "s", ofs);
+
/* remaining */
proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
offset += 2;
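Review bot: `maxcnt=(maxcnt<<16)|maxcnt_low` silently drops the upper 16 bits of the 32-bit `maxcnt_high`. Whenever a sender puts anything other than 0 or 0xffffffff in those bits, the Info column shows a byte count that disagrees with the "max count high" item added to the tree just above. Since the comment already treats the upper half as probably reserved, make that explicit with `maxcnt=((maxcnt_high&0xffff)<<16)|maxcnt_low;` and say so in the comment. The same shift is applied to the 32-bit `datalen_high` in dissect_read_andx_response (`datalen=(datalen<<16)|datalen_low`). The `ofs` value printed here is assigned outside this hunk.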
dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
{
guint8 wc, cmd=0xff;
- guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
+ guint16 andxoffset=0, bc, datalen_low, dataoffset=0;
+ guint32 datalen=0, datalen_high;
smb_info_t *si = (smb_info_t *)pinfo->private_data;
int fid=0;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
/* first check if we have seen the request */
if(si->sip != NULL && si->sip->frame_req>0){
fid=(int)si->sip->extra_info;
- add_fid(tvb, pinfo, tree, 0, 0, fid);
+ add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
}
/* remaining */
proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
offset += 2;
- /* data len */
- datalen = tvb_get_letohs(tvb, offset);
- proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
+ /* data len low */
+ datalen_low = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
+ offset += 2;
+
+ /* data offset */
+ dataoffset=tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
offset += 2;
+ /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
+ /* data length high */
+ datalen_high = tvb_get_letohl(tvb, offset);
+ if(datalen_high==0xffffffff){
+ datalen_high=0;
+ } else {
+ proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 4, datalen_high);
+ }
+ offset += 4;
+
+ datalen=datalen_high;
+ datalen=(datalen<<16)|datalen_low;
+
+
if (check_col(pinfo->cinfo, COL_INFO))
col_append_fstr(pinfo->cinfo, COL_INFO,
", %u byte%s", datalen,
(datalen == 1) ? "" : "s");
- /* data offset */
- dataoffset=tvb_get_letohs(tvb, offset);
- proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
- offset += 2;
- /* 10 reserved bytes */
- /* XXX - first 2 bytes are data length high, not reserved */
- proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, TRUE);
- offset += 10;
+ /* 6 reserved bytes */
+ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, TRUE);
+ offset += 6;
BYTE_COUNT;
/* file data, might be DCERPC on a pipe */
if(bc){
offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
- top_tree, offset, bc, datalen, 0, fid);
+ top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
bc = 0;
}
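Review bot: `(guint16) datalen` discards the high half that this commit has just started decoding, so the Info column reports the full 32-bit length while `dissect_file_data_maybe_dcerpc` is driven by only the low 16 bits. The cast hides that mismatch from the compiler rather than resolving it, and the length comes straight from the packet. Either widen the callee's length parameter, or clamp visibly before the call, e.g. `if (datalen > 0xffff) datalen = 0xffff;`, with a comment that the callee takes 16-bit lengths. The same silent narrowing is added in the WriteAndX request (`(guint16) datalen`), in `(guint16) tvb_length(pd_tvb)` for reassembled NT Trans data, and in `(guint16) cnt`. The type of `cnt` is not visible here.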
{
guint32 ofs=0;
guint8 wc, cmd=0xff;
- guint16 andxoffset=0, bc, datalen=0, dataoffset=0;
+ guint16 andxoffset=0, bc, dataoffset=0, datalen_low, datalen_high;
+ guint32 datalen=0;
smb_info_t *si = (smb_info_t *)pinfo->private_data;
unsigned int fid=0;
guint16 mode = 0;
-
WORD_COUNT;
/* next smb command */
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
/* fid */
fid = tvb_get_letohs(tvb, offset);
- add_fid(tvb, pinfo, tree, offset, 2, fid);
+ add_fid(tvb, pinfo, tree, offset, 2, (guint16) fid);
offset += 2;
if (!pinfo->fd->flags.visited) {
/* remember the FID for the processing of the response */
proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
offset += 2;
- /* XXX - data length high */
- proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
+ /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
+ /* data length high */
+ datalen_high = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
offset += 2;
- /* data len */
- datalen = tvb_get_letohs(tvb, offset);
- proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
+ /* data len low */
+ datalen_low = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
offset += 2;
+ datalen=datalen_high;
+ datalen=(datalen<<16)|datalen_low;
+
/* data offset */
dataoffset=tvb_get_letohs(tvb, offset);
proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
BYTE_COUNT;
/* if both the MessageStart and the WriteRawNamedPipe flags are set
- the first two bytes of the payload is the length of the data
- also this tells us that this is indeed the IPC$ share
- (if we didnt already know that
+ the first two bytes of the payload is the length of the data.
+ Assume that all WriteAndX PDUs that have MESSAGE_START set to
+ be over the IPC$ share and thus they all transport DCERPC.
+ (if we didnt already know that from the TreeConnect call)
*/
- if((mode&(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW))==(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW)){
- proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
- offset += 2;
- dataoffset += 2;
- bc -= 2;
- datalen -= 2;
+ if(mode&WRITE_MODE_MESSAGE_START){
+ if(mode&WRITE_MODE_RAW){
+ proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
+ offset += 2;
+ dataoffset += 2;
+ bc -= 2;
+ datalen -= 2;
+ }
+ if(!pinfo->fd->flags.visited){
+ /* In case we did not see the TreeConnect call,
+ store this TID here as well as a IPC TID
+ so we know that future Read/Writes to this
+ TID is (probably) DCERPC.
+ */
+ if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
+ g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
+ }
+ g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
+ }
if(si->sip){
si->sip->flags|=SMB_SIF_TID_IS_IPC;
}
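Review bot: In the restructured `WRITE_MODE_RAW` branch, `bc -= 2;` and `datalen -= 2;` still run without checking that either value is at least 2. `bc` is a `guint16` taken from the packet, so a declared byte count of 0 or 1 wraps to 0xfffe/0xffff and is then passed on as the length of the file data. Guarding the branch with the `CHECK_BYTE_COUNT(2);` macro the lock hunks use, plus `if (datalen >= 2)` around the decrement, would fix it. The new hash-table calls cast with `(void *)si->tid`; `GUINT_TO_POINTER(si->tid)` would match the `GPOINTER_TO_UINT` this commit introduces in dissect_write_andx_response. This code also marks a TID as IPC on the strength of one packet-controlled flag, so the comment should say that later reads and writes on that TID will be decoded as DCERPC even if the guess is wrong.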
/* file data, might be DCERPC on a pipe */
if (bc != 0) {
offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
- top_tree, offset, bc, datalen, 0, fid);
+ top_tree, offset, bc, (guint16) datalen, 0, (guint16) fid);
bc = 0;
}
dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
{
guint8 wc, cmd=0xff;
- guint16 andxoffset=0, bc, datalen=0;
+ guint16 andxoffset=0, bc, count_low, count_high;
+ guint32 count=0;
smb_info_t *si;
WORD_COUNT;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
si = (smb_info_t *)pinfo->private_data;
/* first check if we have seen the request */
if(si->sip != NULL && si->sip->frame_req>0){
- add_fid(tvb, pinfo, tree, 0, 0, (int)si->sip->extra_info);
+ add_fid(tvb, pinfo, tree, 0, 0, (guint16) GPOINTER_TO_UINT(si->sip->extra_info));
}
- /* write count */
- datalen = tvb_get_letohs(tvb, offset);
- proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, TRUE);
+ /* write count low */
+ count_low = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
offset += 2;
- if (check_col(pinfo->cinfo, COL_INFO))
- col_append_fstr(pinfo->cinfo, COL_INFO,
- ", %u byte%s", datalen,
- (datalen == 1) ? "" : "s");
-
/* remaining */
proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, TRUE);
offset += 2;
- /* 4 reserved bytes */
- proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
- offset += 4;
+ /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
+ /* write count high */
+ count_high = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
+ offset += 2;
+
+ count=count_high;
+ count=(count<<16)|count_low;
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO,
+ ", %u byte%s", count,
+ (count == 1) ? "" : "s");
+
+ /* 2 reserved bytes */
+ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
+ offset += 2;
BYTE_COUNT;
guint16 pwlen=0;
guint16 sbloblen=0;
guint16 apwlen=0, upwlen=0;
+ gboolean unicodeflag;
WORD_COUNT;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
COUNT_BYTES(sbloblen);
}
- /* OS */
+ /* OS
+ * Eventhough this field should honour the unicode flag
+ * some ms clients gets this wrong.
+ * At least XP SP1 sends this in ASCII
+ * even when the unicode flag is on.
+ * Test if the first three bytes are "Win"
+ * and if so just override the flag.
+ */
+ unicodeflag=si->unicode;
+ if( !strncmp(tvb_get_ptr(tvb, offset, 3), "Win", 3) ){
+ unicodeflag=FALSE;
+ }
an = get_unicode_or_ascii_string(tvb, &offset,
- si->unicode, &an_len, FALSE, FALSE, &bc);
+ unicodeflag, &an_len, FALSE, FALSE, &bc);
if (an == NULL)
goto endofcommand;
proto_tree_add_string(tree, hf_smb_os, tvb,
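Review bot: The `tvb_get_ptr(tvb, offset, 3)` peek does not check that three bytes are left in the byte-count region. With `bc` below 3 it inspects bytes the SMB does not declare as its own. With fewer than 3 captured bytes it raises a bounds exception before `get_unicode_or_ascii_string` can take the `an == NULL` path to `endofcommand`. A guard such as `if (bc >= 3 && tvb_bytes_exist(tvb, offset, 3) && !strncmp((const char *)tvb_get_ptr(tvb, offset, 3), "Win", 3))` keeps the heuristic inside the declared data, and the cast avoids passing a `guint8` pointer to `strncmp`. The LAN Manager hunk that follows repeats the same test and needs the same guard. Since the check is now duplicated, a small helper would keep the two copies from drifting.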
* appear to. I suspect that's a bug that got fixed; I also
* suspect that, in practice, nobody ever looks at that field
* because the bug didn't appear to get fixed until NT 5.0....
+ *
+ * Eventhough this field should honour the unicode flag
+ * some ms clients gets this wrong.
+ * At least XP SP1 sends this in ASCII
+ * even when the unicode flag is on.
+ * Test if the first three bytes are "Win"
+ * and if so just override the flag.
*/
+ unicodeflag=si->unicode;
+ if( !strncmp(tvb_get_ptr(tvb, offset, 3), "Win", 3) ){
+ unicodeflag=FALSE;
+ }
an = get_unicode_or_ascii_string(tvb, &offset,
- si->unicode, &an_len, FALSE, FALSE, &bc);
+ unicodeflag, &an_len, FALSE, FALSE, &bc);
if (an == NULL)
goto endofcommand;
proto_tree_add_string(tree, hf_smb_lanman, tvb,
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
int
dissect_nt_access_mask(tvbuff_t *tvb, gint offset, packet_info *pinfo,
- proto_tree *tree, char *drep, int hfindex,
- struct access_mask_info *ami)
+ proto_tree *tree, guint8 *drep, int hfindex,
+ struct access_mask_info *ami, guint32 *perms)
{
proto_item *item;
proto_tree *subtree, *generic_tree, *standard_tree, *specific_tree;
offset += 4;
}
+ if (perms) {
+ *perms = access;
+ }
+
item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access);
subtree = proto_item_add_subtree(item, ett_nt_access_mask);
static int
dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo,
- proto_tree *parent_tree, char *drep,
+ proto_tree *parent_tree, guint8 *drep,
struct access_mask_info *ami)
{
proto_item *item = NULL;
char *sid_str = NULL;
guint8 type;
guint8 flags;
+ guint32 perms = 0;
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, -1,
/* access mask */
offset = dissect_nt_access_mask(
- tvb, offset, pinfo, tree, drep, hf_smb_access_mask, ami);
+ tvb, offset, pinfo, tree, drep,
+ hf_smb_access_mask, ami, &perms);
/* SID */
offset = dissect_nt_sid(tvb, offset, tree, "ACE", &sid_str, -1);
if (item)
proto_item_append_text(
- item, "%s, flags 0x%02x, %s", sid_str, flags,
- val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"));
+ item, "%s, flags 0x%02x, %s, mask 0x%08x", sid_str, flags,
+ val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"),
+ perms);
g_free(sid_str);
static int
dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
- proto_tree *parent_tree, char *drep, char *name,
+ proto_tree *parent_tree, guint8 *drep, char *name,
struct access_mask_info *ami)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
int old_offset = offset;
- guint16 revision;
+ guint8 revision;
guint32 num_aces;
if(parent_tree){
}
/* revision */
- revision = tvb_get_letohs(tvb, offset);
+ revision = tvb_get_guint8(tvb, offset);
proto_tree_add_uint(tree, hf_smb_acl_revision,
- tvb, offset, 2, revision);
+ tvb, offset, 1, revision);
offset += 2;
switch(revision){
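Review bot: After this change the revision item covers one byte but `offset += 2;` still skips two, so the byte at `offset+1` is consumed without appearing in the tree and without any explanation. If that byte is the padding that follows the ACL revision, which is my reading of the structure but is not shown here, say so with a comment such as `/* 1 byte revision followed by 1 byte of padding */`. Alternatively, add it as a reserved item so a non-zero value is visible to whoever is reading the capture. The rest of dissect_nt_acl lies outside this hunk.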
int
dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
- proto_tree *parent_tree, char *drep, int len,
+ proto_tree *parent_tree, guint8 *drep, int len,
struct access_mask_info *ami)
{
proto_item *item = NULL;
/* ea length */
ntd->ea_len = tvb_get_letohl(tvb, offset);
- proto_tree_add_uint(tree, hf_smb_ea_length, tvb, offset, 4, ntd->ea_len);
+ proto_tree_add_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ntd->ea_len);
COUNT_BYTES(4);
/* file name len */
if(pd_tvb){
/* we have reassembled data, grab param and data from there */
dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
- &ntd, tvb_length(pd_tvb));
+ &ntd, (guint16) tvb_length(pd_tvb));
dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, &ntd);
} else {
/* we do not have reassembled data, just use what we have in the
COUNT_BYTES(2);
/* file data */
- offset = dissect_file_data(tvb, tree, offset, cnt, cnt);
+ offset = dissect_file_data(tvb, tree, offset, (guint16) cnt, (guint16) cnt);
END_OF_SMB
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
if(cmd!=0xff){
proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
} else {
- proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
+ proto_tree_add_text(tree, tvb, offset, 1, "AndXCommand: No further commands (0xff)");
}
offset += 1;
{ 0x00, "OPEN2" },
{ 0x01, "FIND_FIRST2" },
{ 0x02, "FIND_NEXT2" },
- { 0x03, "QUERY_FS_INFORMATION" },
+ { 0x03, "QUERY_FS_INFO" },
{ 0x04, "SET_FS_QUOTA" },
- { 0x05, "QUERY_PATH_INFORMATION" },
- { 0x06, "SET_PATH_INFORMATION" },
- { 0x07, "QUERY_FILE_INFORMATION" },
- { 0x08, "SET_FILE_INFORMATION" },
+ { 0x05, "QUERY_PATH_INFO" },
+ { 0x06, "SET_PATH_INFO" },
+ { 0x07, "QUERY_FILE_INFO" },
+ { 0x08, "SET_FILE_INFO" },
{ 0x09, "FSCTL" },
{ 0x0A, "IOCTL2" },
{ 0x0B, "FIND_NOTIFY_FIRST" },
TRANS2_FIND_FIRST2
*/
static const value_string ff2_il_vals[] = {
- { 1, "Info Standard (4.3.4.1)"},
- { 2, "Info Query EA Size (4.3.4.2)"},
- { 3, "Info Query EAs From List (4.3.4.2)"},
- { 0x0101, "Find File Directory Info (4.3.4.4)"},
- { 0x0102, "Find File Full Directory Info (4.3.4.5)"},
- { 0x0103, "Find File Names Info (4.3.4.7)"},
- { 0x0104, "Find File Both Directory Info (4.3.4.6)"},
- { 0x0202, "Find File UNIX (4.3.4.8)"},
+ { 1, "Info Standard"},
+ { 2, "Info Query EA Size"},
+ { 3, "Info Query EAs From List"},
+ { 0x0101, "Find File Directory Info"},
+ { 0x0102, "Find File Full Directory Info"},
+ { 0x0103, "Find File Names Info"},
+ { 0x0104, "Find File Both Directory Info"},
+ { 0x0202, "Find File UNIX"},
{0, NULL}
};
/* values used by :
TRANS2_QUERY_PATH_INFORMATION
- TRANS2_SET_PATH_INFORMATION
+ TRANS2_QUERY_FILE_INFORMATION
*/
static const value_string qpi_loi_vals[] = {
- { 1, "Info Standard (4.2.14.1)"},
- { 2, "Info Query EA Size (4.2.14.1)"},
- { 3, "Info Query EAs From List (4.2.14.2)"},
- { 4, "Info Query All EAs (4.2.14.2)"},
- { 6, "Info Is Name Valid (4.2.14.3)"},
- { 0x0101, "Query File Basic Info (4.2.14.4)"},
- { 0x0102, "Query File Standard Info (4.2.14.5)"},
- { 0x0103, "Query File EA Info (4.2.14.6)"},
- { 0x0104, "Query File Name Info (4.2.14.7)"},
- { 0x0107, "Query File All Info (4.2.14.8)"},
- { 0x0108, "Query File Alt Name Info (4.2.14.7)"},
- { 0x0109, "Query File Stream Info (4.2.14.10)"},
- { 0x010b, "Query File Compression Info (4.2.14.11)"},
+ { 1, "Info Standard"},
+ { 2, "Info Query EA Size"},
+ { 3, "Info Query EAs From List"},
+ { 4, "Info Query All EAs"},
+ { 6, "Info Is Name Valid"},
+ { 0x0101, "Query File Basic Info"},
+ { 0x0102, "Query File Standard Info"},
+ { 0x0103, "Query File EA Info"},
+ { 0x0104, "Query File Name Info"},
+ { 0x0107, "Query File All Info"},
+ { 0x0108, "Query File Alt Name Info"},
+ { 0x0109, "Query File Stream Info"},
+ { 0x010b, "Query File Compression Info"},
+ { 0x0200, "Query File Unix Basic"},
+ { 0x0201, "Query File Unix Link"},
+ { 1004, "Query File Basic Info"},
+ { 1005, "Query File Standard Info"},
+ { 1006, "Query File Internal Info"},
+ { 1007, "Query File EA Info"},
+ { 1009, "Query File Name Info"},
+ { 1010, "Query File Rename Info"},
+ { 1011, "Query File Link Info"},
+ { 1012, "Query File Names Info"},
+ { 1013, "Query File Disposition Info"},
+ { 1014, "Query File Position Info"},
+ { 1015, "Query File Full EA Info"},
+ { 1016, "Query File Mode Info"},
+ { 1017, "Query File Alignment Info"},
+ { 1018, "Query File All Info"},
+ { 1019, "Query File Allocation Info"},
+ { 1020, "Query File End of File Info"},
+ { 1021, "Query File Alt Name Info"},
+ { 1022, "Query File Stream Info"},
+ { 1023, "Query File Pipe Info"},
+ { 1024, "Query File Pipe Local Info"},
+ { 1025, "Query File Pipe Remote Info"},
+ { 1026, "Query File Mailslot Query Info"},
+ { 1027, "Query File Mailslot Set Info"},
+ { 1028, "Query File Compression Info"},
+ { 1029, "Query File ObjectID Info"},
+ { 1030, "Query File Completion Info"},
+ { 1031, "Query File Move Cluster Info"},
+ { 1032, "Query File Quota Info"},
+ { 1033, "Query File Reparsepoint Info"},
+ { 1034, "Query File Network Open Info"},
+ { 1035, "Query File Attribute Tag Info"},
+ { 1036, "Query File Tracking Info"},
+ { 1037, "Query File Maximum Info"},
+ {0, NULL}
+};
+
+/* values used by :
+ TRANS2_SET_PATH_INFORMATION
+ TRANS2_SET_FILE_INFORMATION
+ (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
+ but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
+ well; note that they're different from the QUERY_PATH_INFORMATION
+ and QUERY_FILE_INFORMATION values!)
+*/
+static const value_string spi_loi_vals[] = {
+ { 1, "Info Standard"},
+ { 2, "Info Query EA Size"},
+ { 4, "Info Query All EAs"},
+ { 0x0101, "Set File Basic Info"},
+ { 0x0102, "Set File Disposition Info"},
+ { 0x0103, "Set File Allocation Info"},
+ { 0x0104, "Set File End Of File Info"},
{ 0x0200, "Set File Unix Basic"},
{ 0x0201, "Set File Unix Link"},
{ 0x0202, "Set File Unix HardLink"},
- { 1004, "Query File Basic Info (4.2.14.4)"},
- { 1005, "Query File Standard Info (4.2.14.5)"},
- { 1006, "Query File Internal Info (4.2.14.?)"},
- { 1007, "Query File EA Info (4.2.14.6)"},
- { 1009, "Query File Name Info (4.2.14.7)"},
- { 1010, "Query File Rename Info (4.2.14.?)"},
- { 1011, "Query File Link Info (4.2.14.?)"},
- { 1012, "Query File Names Info (4.2.14.?)"},
- { 1013, "Query File Disposition Info (4.2.14.?)"},
- { 1014, "Query File Position Info (4.2.14.?)"},
- { 1015, "Query File Full EA Info (4.2.14.?)"},
- { 1016, "Query File Mode Info (4.2.14.?)"},
- { 1017, "Query File Alignment Info (4.2.14.?)"},
- { 1018, "Query File All Info (4.2.14.8)"},
- { 1019, "Query File Allocation Info (4.2.14.?)"},
- { 1020, "Query File End of File Info (4.2.14.?)"},
- { 1021, "Query File Alt Name Info (4.2.14.7)"},
- { 1022, "Query File Stream Info (4.2.14.10)"},
- { 1023, "Query File Pipe Info (4.2.14.?)"},
- { 1024, "Query File Pipe Local Info (4.2.14.?)"},
- { 1025, "Query File Pipe Remote Info (4.2.14.?)"},
- { 1026, "Query File Mailslot Query Info (4.2.14.?)"},
- { 1027, "Query File Mailslot Set Info (4.2.14.?)"},
- { 1028, "Query File Compression Info (4.2.14.11)"},
- { 1029, "Query File ObjectID Info (4.2.14.?)"},
- { 1030, "Query File Completion Info (4.2.14.?)"},
- { 1031, "Query File Move Cluster Info (4.2.14.?)"},
- { 1032, "Query File Quota Info (4.2.14.?)"},
- { 1033, "Query File Reparsepoint Info (4.2.14.?)"},
- { 1034, "Query File Network Open Info (4.2.14.?)"},
- { 1035, "Query File Attribute Tag Info (4.2.14.?)"},
- { 1036, "Query File Tracking Info (4.2.14.?)"},
- { 1037, "Query File Maximum Info (4.2.14.?)"},
+ { 1004, "Set File Basic Info"},
+ { 1010, "Set Rename Information"},
+ { 1013, "Set Disposition Information"},
+ { 1014, "Set Position Information"},
+ { 1016, "Set Mode Information"},
+ { 1019, "Set Allocation Information"},
+ { 1020, "Set EOF Information"},
+ { 1023, "Set File Pipe Information"},
+ { 1025, "Set File Pipe Remote Information"},
+ { 1029, "Set Copy On Write Information"},
+ { 1032, "Set OLE Class ID Information"},
+ { 1039, "Set Inherit Context Index Information"},
+ { 1040, "Set OLE Information (?)"},
{0, NULL}
};
{ 0x0103, "Query FS Size Info"},
{ 0x0104, "Query FS Device Info"},
{ 0x0105, "Query FS Attribute Info"},
- { 0x0301, "Mac Query FS INFO"},
+ { 0x0200, "Unix Query FS Info"},
+ { 0x0301, "Mac Query FS Info"},
{ 1001, "Query FS Label Info"},
{ 1002, "Query FS Volume Info"},
{ 1003, "Query FS Size Info"},
{ 1005, "Query FS Attribute Info"},
{ 1006, "Query FS Quota Info"},
{ 1007, "Query Full FS Size Info"},
+ { 1008, "Object ID Information"},
{0, NULL}
};
{0, NULL}
};
+static const true_false_string tfs_marked_for_deletion = {
+ "File is MARKED FOR DELETION",
+ "File is NOT marked for deletion"
+};
static const true_false_string tfs_get_dfs_server_hold_storage = {
"Referral SERVER HOLDS STORAGE for the file",
smb_transact2_info_t *t2i;
int fn_len;
const char *fn;
- int old_offset = offset;
si = (smb_info_t *)pinfo->private_data;
if (si->sip != NULL)
proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
COUNT_BYTES_TRANS(2);
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
+ val_to_str(si->info_level, qfsi_vals,
+ "Unknown (0x%02x)"));
+
break;
case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
/* level of interest */
proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
COUNT_BYTES_TRANS(2);
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_append_fstr(
+ pinfo->cinfo, COL_INFO, ", %s",
+ val_to_str(si->info_level, qpi_loi_vals,
+ "Unknown (%u)"));
+ }
+
/* 4 reserved bytes */
CHECK_BYTE_COUNT_TRANS(4);
proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, TRUE);
si->info_level = tvb_get_letohs(tvb, offset);
if (!pinfo->fd->flags.visited)
t2i->info_level = si->info_level;
- proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
+ proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
COUNT_BYTES_TRANS(2);
/* 4 reserved bytes */
proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
COUNT_BYTES_TRANS(2);
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_append_fstr(
+ pinfo->cinfo, COL_INFO, ", %s",
+ val_to_str(si->info_level, qpi_loi_vals,
+ "Unknown (%u)"));
+ }
+
break;
}
case 0x08: { /*TRANS2_SET_FILE_INFORMATION*/
si->info_level = tvb_get_letohs(tvb, offset);
if (!pinfo->fd->flags.visited)
t2i->info_level = si->info_level;
- proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
+ proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
COUNT_BYTES_TRANS(2);
#if 0
}
/* ooops there were data we didnt know how to process */
- if((offset-old_offset) < bc){
- proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
- bc - (offset-old_offset), TRUE);
- offset += bc - (offset-old_offset);
+ if(bc != 0){
+ proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, TRUE);
+ offset += bc;
}
return offset;
/* this dissects the SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE
- as described in 4.2.14.1
+ as described in 4.2.16.1
*/
static int
-dissect_4_2_14_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+dissect_4_2_16_1(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
/* create time */
offset = dissect_file_attributes(tvb, tree, offset, 2);
*bcp -= 2;
- /* ea size */
+ /* ea length */
CHECK_BYTE_COUNT_SUBR(4);
- proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
COUNT_BYTES_SUBR(4);
*trunc = FALSE;
}
/* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST and SMB_INFO_QUERY_ALL_EAS
- as described in 4.2.14.2
+ as described in 4.2.16.2
*/
static int
-dissect_4_2_14_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
- /* list length */
+ guint8 name_len;
+ guint16 data_len;
+ /* EA size */
+
CHECK_BYTE_COUNT_SUBR(4);
- proto_tree_add_item(tree, hf_smb_list_length, tvb, offset, 4, TRUE);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
COUNT_BYTES_SUBR(4);
+ while (*bcp > 0) {
+ proto_item *item;
+ proto_tree *subtree;
+ int start_offset = offset;
+ guint8 *name;
+
+ item = proto_tree_add_text(
+ tree, tvb, offset, 0, "Extended Attribute");
+ subtree = proto_item_add_subtree(item, ett_smb_ea);
+
+ /* EA flags */
+
+ CHECK_BYTE_COUNT_SUBR(1);
+ proto_tree_add_item(
+ subtree, hf_smb_ea_flags, tvb, offset, 1, TRUE);
+ COUNT_BYTES_SUBR(1);
+
+ /* EA name length */
+
+ name_len = tvb_get_guint8(tvb, offset);
+
+ CHECK_BYTE_COUNT_SUBR(1);
+ proto_tree_add_item(
+ subtree, hf_smb_ea_name_length, tvb, offset, 1, TRUE);
+ COUNT_BYTES_SUBR(1);
+
+ /* EA data length */
+
+ data_len = tvb_get_letohs(tvb, offset);
+
+ CHECK_BYTE_COUNT_SUBR(2);
+ proto_tree_add_item(
+ subtree, hf_smb_ea_data_length, tvb, offset, 2, TRUE);
+ COUNT_BYTES_SUBR(2);
+
+ /* EA name */
+
+ name = tvb_get_string(tvb, offset, name_len);
+ proto_item_append_text(item, ": %s", name);
+ g_free(name);
+
+ CHECK_BYTE_COUNT_SUBR(name_len + 1);
+ proto_tree_add_item(
+ subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
+ TRUE);
+ COUNT_BYTES_SUBR(name_len + 1);
+
+ /* EA data */
+
+ CHECK_BYTE_COUNT_SUBR(data_len);
+ proto_tree_add_item(
+ subtree, hf_smb_ea_data, tvb, offset, data_len, TRUE);
+ COUNT_BYTES_SUBR(data_len);
+
+ proto_item_set_len(item, offset - start_offset);
+ }
+
*trunc = FALSE;
return offset;
}
/* this dissects the SMB_INFO_IS_NAME_VALID
- as described in 4.2.14.3
+ as described in 4.2.16.3
*/
static int
-dissect_4_2_14_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
smb_info_t *si = pinfo->private_data;
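Review bot: In the extended-attribute loop of dissect_4_2_16_2 (complete in this hunk), each length is fetched from the tvb before the remaining byte count is checked: `name_len = tvb_get_guint8(tvb, offset);` and `data_len = tvb_get_letohs(tvb, offset);` precede their `CHECK_BYTE_COUNT_SUBR` calls, and `tvb_get_string(tvb, offset, name_len)` runs before `CHECK_BYTE_COUNT_SUBR(name_len + 1)`. On a truncated or malformed EA list the reads can therefore land on bytes beyond what `*bcp` says belongs to this data block, or end in a tvb bounds exception, rather than taking the truncation return the macro appears to provide. Moving each read below its check, e.g. `CHECK_BYTE_COUNT_SUBR(1);` followed by `name_len = tvb_get_guint8(tvb, offset);`, keeps all three reads inside the counted bytes. The loop is also bounded only by `*bcp`; the EA list length shown just above it is never compared with the bytes consumed, which deserves a comment such as `/* XXX - list length is displayed but not used to bound the loop */`.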
}
/* this dissects the SMB_QUERY_FILE_BASIC_INFO
- as described in 4.2.14.4
+ as described in 4.2.16.4
*/
static int
-dissect_4_2_14_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
/* create time */
}
/* this dissects the SMB_QUERY_FILE_STANDARD_INFO
- as described in 4.2.14.5
+ as described in 4.2.16.5
*/
static int
-dissect_4_2_14_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+dissect_4_2_16_5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
/* allocation size */
}
/* this dissects the SMB_QUERY_FILE_EA_INFO
- as described in 4.2.14.6
+ as described in 4.2.16.6
*/
static int
-dissect_4_2_14_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+dissect_4_2_16_6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
- /* ea size */
+ /* ea length */
CHECK_BYTE_COUNT_SUBR(4);
- proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
COUNT_BYTES_SUBR(4);
*trunc = FALSE;
}
/* this dissects the SMB_QUERY_FILE_NAME_INFO
- as described in 4.2.14.7
+ as described in 4.2.16.7
this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
- as described in 4.2.14.9
+ as described in 4.2.16.9
*/
static int
-dissect_4_2_14_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+dissect_4_2_16_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
smb_info_t *si = pinfo->private_data;
}
/* this dissects the SMB_QUERY_FILE_ALL_INFO
- as described in 4.2.14.8
+ as described in 4.2.16.8
*/
static int
-dissect_4_2_14_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+dissect_4_2_16_8(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
- offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, trunc);
+ offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp, trunc);
if (*trunc) {
return offset;
}
- offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, trunc);
+ offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp, trunc);
if (*trunc) {
return offset;
}
proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
COUNT_BYTES_SUBR(8);
- offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
+ offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
if (*trunc)
return offset;
proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, TRUE);
COUNT_BYTES_SUBR(4);
- offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, trunc);
+ offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp, trunc);
return offset;
}
/* this dissects the SMB_QUERY_FILE_STREAM_INFO
- as described in 4.2.14.10
+ as described in 4.2.16.10
*/
static int
-dissect_4_2_14_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
+dissect_4_2_16_10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
int offset, guint16 *bcp, gboolean *trunc)
{
proto_item *item;
}
/* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
- as described in 4.2.14.11
+ as described in 4.2.16.11
*/
static int
-dissect_4_2_14_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+dissect_4_2_16_11(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
int offset, guint16 *bcp, gboolean *trunc)
{
/* compressed file size */
return offset;
}
+/* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
+
+static const value_string unix_file_type_vals[] = {
+ { 0, "File" },
+ { 1, "Directory" },
+ { 2, "Symbolic link" },
+ { 3, "Character device" },
+ { 4, "Block device" },
+ { 5, "FIFO" },
+ { 6, "Socket" },
+ { 0, NULL }
+};
+static int
+dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ /* End of file (file size) */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Number of bytes */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Last status change */
+ CHECK_BYTE_COUNT_SUBR(8);
+ offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
+ *bcp -= 8; /* dissect_smb_64bit_time() increments offset */
+
+ /* Last access time */
+ CHECK_BYTE_COUNT_SUBR(8);
+ offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
+ *bcp -= 8;
+
+ /* Last modification time */
+ CHECK_BYTE_COUNT_SUBR(8);
+ offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
+ *bcp -= 8;
+
+ /* File owner uid */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* File group gid */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* File type */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* Major device number */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Minor device number */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Unique id */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Permissions */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Nlinks */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Sometimes there is one extra byte in the data field which I
+ guess could be padding, but we are only using 4 or 8 byte
+ data types so this is a bit confusing. -tpot */
+
+ *trunc = FALSE;
+ return offset;
+}
+
+/* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
-/*dissect the data block for TRANS2_QUERY_PATH_INFORMATION*/
+static int
+dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ smb_info_t *si = pinfo->private_data;
+ const char *fn;
+ int fn_len;
+
+ /* Link destination */
+
+ fn = get_unicode_or_ascii_string(
+ tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
+
+ CHECK_STRING_SUBR(fn);
+ proto_tree_add_string(
+ tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
+ COUNT_BYTES_SUBR(fn_len);
+
+ *trunc = FALSE;
+ return offset;
+}
+
+/* this dissects the SMB_SET_FILE_DISPOSITION_INFO
+ as described in 4.2.19.2
+*/
+static int
+dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ /* marked for deletion? */
+ CHECK_BYTE_COUNT_SUBR(1);
+ proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, TRUE);
+ COUNT_BYTES_SUBR(1);
+
+ *trunc = FALSE;
+ return offset;
+}
+
+/* this dissects the SMB_SET_FILE_ALLOCATION_INFO
+ as described in 4.2.19.3
+*/
+static int
+dissect_4_2_19_3(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ /* file allocation size */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ *trunc = FALSE;
+ return offset;
+}
+
+/* this dissects the SMB_SET_FILE_END_OF_FILE_INFO
+ as described in 4.2.19.4
+*/
+static int
+dissect_4_2_19_4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ /* file end of file offset */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ *trunc = FALSE;
+ return offset;
+}
+
+/* Set File Rename Info */
+
+static const true_false_string tfs_smb_replace = {
+ "Remove target file if it exists",
+ "Do NOT remove target file if it exists",
+};
+
+static int
+dissect_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ smb_info_t *si = pinfo->private_data;
+ const char *fn;
+ guint32 target_name_len;
+ int fn_len;
+
+ /* Replace flag */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_replace, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* Root directory handle */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_root_dir_handle, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* Target name length */
+ CHECK_BYTE_COUNT_SUBR(4);
+ target_name_len = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_target_name_len, tvb, offset, 4, target_name_len);
+ COUNT_BYTES_SUBR(4);
+
+ /* Target name */
+ fn_len = target_name_len;
+ fn = get_unicode_or_ascii_string(
+ tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
+
+ CHECK_STRING_SUBR(fn);
+ proto_tree_add_string(
+ tree, hf_smb_target_name, tvb, offset, fn_len, fn);
+ COUNT_BYTES_SUBR(fn_len);
+
+ *trunc = FALSE;
+ return offset;
+}
+
+/*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
+ TRANS2_QUERY_FILE_INFORMATION*/
static int
dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
int offset, guint16 *bcp)
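Review bot: dissect_rename_info copies the 32-bit on-the-wire `target_name_len` straight into the signed `fn_len` (`fn_len = target_name_len;`), so a value of 0x80000000 or above from the packet becomes a negative length handed to get_unicode_or_ascii_string. How that helper treats a negative exact length is not visible in this hunk, so the length should be bounded against the remaining byte count first, e.g. `if (target_name_len > *bcp) { *trunc = TRUE; return offset; }` ahead of the assignment. Separately, dissect_4_2_16_13 and dissect_rename_info both declare `packet_info *pinfo _U_` yet dereference `pinfo->private_data`; the `_U_` marker should be dropped on those two signatures so the annotation matches the code.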
si = (smb_info_t *)pinfo->private_data;
switch(si->info_level){
case 1: /*Info Standard*/
+
case 2: /*Info Query EA Size*/
- offset = dissect_4_2_14_1(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 3: /*Info Query EAs From List*/
case 4: /*Info Query All EAs*/
- offset = dissect_4_2_14_2(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 6: /*Info Is Name Valid*/
- offset = dissect_4_2_14_3(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 0x0101: /*Query File Basic Info*/
case 1004: /* SMB_FILE_BASIC_INFORMATION */
- offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 0x0102: /*Query File Standard Info*/
case 1005: /* SMB_FILE_STANDARD_INFORMATION */
- offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_5(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 0x0103: /*Query File EA Info*/
case 1007: /* SMB_FILE_EA_INFORMATION */
- offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_6(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 0x0104: /*Query File Name Info*/
case 1009: /* SMB_FILE_NAME_INFORMATION */
- offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 0x0107: /*Query File All Info*/
case 1018: /* SMB_FILE_ALL_INFORMATION */
- offset = dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_8(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 0x0108: /*Query File Alt File Info*/
case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
- offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_7(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 1022: /* SMB_FILE_STREAM_INFORMATION */
((smb_info_t *)(pinfo->private_data))->unicode = TRUE;
case 0x0109: /*Query File Stream Info*/
- offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_10(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
case 0x010b: /*Query File Compression Info*/
case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
- offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp,
+ offset = dissect_4_2_16_11(tvb, pinfo, tree, offset, bcp,
&trunc);
break;
- case 0x0200: /*Set File Unix Basic*/
- /* XXX add this from the SNIA doc */
+ case 0x0200: /* Query File Unix Basic*/
+ offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
+ &trunc);
break;
- case 0x0201: /*Set File Unix Link*/
- /* XXX add this from the SNIA doc */
+ case 0x0201: /* Query File Unix Link*/
+ offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
+ &trunc);
break;
- case 0x0202: /*Set File Unix HardLink*/
+ case 0x0202: /* Query File Unix HardLink*/
/* XXX add this from the SNIA doc */
break;
}
return offset;
}
+/*dissect the data block for TRANS2_SET_PATH_INFORMATION and
+ TRANS2_SET_FILE_INFORMATION*/
+static int
+dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
+ int offset, guint16 *bcp)
+{
+ smb_info_t *si;
+ gboolean trunc;
+
+ if(!*bcp){
+ return offset;
+ }
+
+ si = (smb_info_t *)pinfo->private_data;
+ switch(si->info_level){
+ case 1: /*Info Standard*/
+
+ case 2: /*Info Query EA Size*/
+ offset = dissect_4_2_16_1(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 4: /*Info Query All EAs*/
+ offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 0x0101: /*Set File Basic Info*/
+ case 1004: /* SMB_FILE_BASIC_INFORMATION */
+ offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 0x0102: /*Set File Disposition Info*/
+ offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 0x0103: /*Set File Allocation Info*/
+ offset = dissect_4_2_19_3(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 0x0104: /*Set End Of File Info*/
+ offset = dissect_4_2_19_4(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 0x0200: /*Set File Unix Basic. Same as query. */
+ offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 0x0201: /*Set File Unix Link. Same as query. */
+ offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 0x0203: /*Set File Unix HardLink. Same as link query. */
+ offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 1010: /* Set File Rename */
+ offset = dissect_rename_info(tvb, pinfo, tree, offset, bcp,
+ &trunc);
+ break;
+ case 1013:
+ case 1014:
+ case 1016:
+ case 1019:
+ case 1020:
+ case 1023:
+ case 1025:
+ case 1029:
+ case 1032:
+ case 1039:
+ case 1040:
+ /* XXX: TODO, extra levels discovered by tridge */
+ break;
+ }
+
+ return offset;
+}
+
static const true_false_string tfs_quota_flags_deny_disk = {
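Review bot: dissect_spi_loi_vals dispatches the Unix hard-link level on `case 0x0203:`, but the spi_loi_vals table added earlier in this commit lists `{ 0x0202, "Set File Unix HardLink"}` and dissect_qpi_loi_vals uses `case 0x0202:`, so a request at level 0x0202 is labelled as a hard link in the tree while matching no case here and being left undecoded. One of the two values needs correcting; if the table is right, the label becomes `case 0x0202: /*Set File Unix HardLink. Same as link query. */`. The function also never reads `trunc` after a sub-dissector returns, and the variable stays unset for the levels that only `break`; declaring it as `gboolean trunc = FALSE;` with a comment that truncation is deliberately not acted on here would make that explicit.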
"DENY DISK SPACE for users exceeding quota limit",
*/
break;
case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
- offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
+ offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
break;
case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
/* no data field in this request */
*/
break;
case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
- offset = dissect_qpi_loi_vals(tvb, pinfo, tree, offset, &dc);
+ offset = dissect_spi_loi_vals(tvb, pinfo, tree, offset, &dc);
break;
case 0x09: /*TRANS2_FSCTL*/
/*XXX dont know how to decode this yet */
proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
tvb, offset, 2, subcmd);
if (check_col(pinfo->cinfo, COL_INFO)) {
- col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
val_to_str(subcmd, trans2_cmd_vals,
"Unknown (0x%02x)"));
}
offset = dissect_file_attributes(tvb, tree, offset, 2);
*bcp -= 2;
- /* ea size */
+ /* ea length */
CHECK_BYTE_COUNT_SUBR(4);
- proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
COUNT_BYTES_SUBR(4);
/* file name len */
proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
COUNT_BYTES_SUBR(4);
- /* ea size */
+ /* ea length */
CHECK_BYTE_COUNT_SUBR(4);
- proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
COUNT_BYTES_SUBR(4);
/* file name */
proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
COUNT_BYTES_SUBR(4);
- /* ea size */
+ /*
+ * EA length.
+ *
+ * XXX - in one captures, this has the topmost bit set, and the
+ * rest of the bits have the value 7. Is the topmost bit being
+ * set some indication that the value *isn't* the length of
+ * the EAs?
+ */
CHECK_BYTE_COUNT_SUBR(4);
- proto_tree_add_item(tree, hf_smb_ea_size, tvb, offset, 4, TRUE);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
COUNT_BYTES_SUBR(4);
/* short file name len */
proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
COUNT_BYTES_SUBR(1);
- /* short file name */
+ /* short file name - it's not always in Unicode */
sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
CHECK_STRING_SUBR(sfn);
proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
return offset;
}
+/* 4.3.4.8 - SMB_FIND_FILE_UNIX */
+
static int
dissect_4_3_4_8(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
- proto_tree *parent_tree _U_, int offset, guint16 *bcp,
+ proto_tree *tree, int offset, guint16 *bcp,
gboolean *trunc)
{
-/*XXX im lazy. i havnt implemented this */
- offset += *bcp;
- *bcp = 0;
+ smb_info_t *si = pinfo->private_data;
+ const char *fn;
+ int fn_len;
+
+ /* NextEntryOffset */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* ResumeKey */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* End of file (file size) */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Number of bytes */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Last status change */
+ CHECK_BYTE_COUNT_SUBR(8);
+ offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_status);
+ *bcp -= 8;
+
+ /* Last access time */
+ CHECK_BYTE_COUNT_SUBR(8);
+ offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_access);
+ *bcp -= 8;
+
+ /* Last modification time */
+ CHECK_BYTE_COUNT_SUBR(8);
+ offset = dissect_smb_64bit_time(tvb, tree, offset, hf_smb_unix_file_last_change);
+ *bcp -= 8;
+
+ /* File owner uid */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* File group gid */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* File type */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* Major device number */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Minor device number */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Unique id */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Permissions */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Nlinks */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Name */
+
+ fn = get_unicode_or_ascii_string(
+ tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, bcp);
+
+ CHECK_STRING_SUBR(fn);
+ proto_tree_add_string(
+ tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
+ COUNT_BYTES_SUBR(fn_len);
+
+ /* Pad to 4 bytes */
+
+ if (offset % 4)
+ offset += 4 - (offset % 4);
+
*trunc = FALSE;
return offset;
}
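Review bot: The "Pad to 4 bytes" step at the end of dissect_4_3_4_8 advances `offset` but leaves `*bcp` untouched, so after each entry the caller's remaining-byte count is up to 3 bytes too large. Every other field in the function keeps the two in step, as the explicit `*bcp -= 8` after each time field shows. The pad is also computed from the absolute tvb offset rather than from the entry start or the NextEntryOffset value just dissected, which is only equivalent if the data block starts 4-byte aligned; that is worth confirming against a capture. I would account for the pad and clamp it so the unsigned count cannot wrap on a final unpadded entry: `pad = 4 - (offset % 4); if (pad > *bcp) pad = *bcp;` followed by `offset += pad; *bcp -= pad;`. Separately, `tvb` and `pinfo` are still marked `_U_` in the signature although the new body uses both.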
break;
case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
- case 1001: /* SMB_FS_LABEL_INFORMATION */
+ case 1002: /* SMB_FS_LABEL_INFORMATION */
/* volume label length */
CHECK_BYTE_COUNT_TRANS_SUBR(4);
vll = tvb_get_letohl(tvb, offset);
break;
case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
- case 1002: /* SMB_FS_VOLUME_INFORMATION */
+ case 1001: /* SMB_FS_VOLUME_INFORMATION */
/* create time */
CHECK_BYTE_COUNT_TRANS_SUBR(8);
offset = dissect_smb_64bit_time(tvb, tree, offset,
COUNT_BYTES_TRANS_SUBR(fn_len);
break;
+ case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
+ proto_item *item = NULL;
+ proto_tree *subtree = NULL;
+ guint32 caps_lo, caps_hi;
+
+ /* MajorVersionNumber */
+ CHECK_BYTE_COUNT_TRANS_SUBR(2);
+ proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, TRUE);
+ COUNT_BYTES_TRANS_SUBR(2);
+
+ /* MinorVersionNumber */
+ CHECK_BYTE_COUNT_TRANS_SUBR(2);
+ proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, TRUE);
+ COUNT_BYTES_TRANS_SUBR(2);
+
+ /* Capability */
+
+ CHECK_BYTE_COUNT_TRANS_SUBR(8);
+
+ caps_lo = tvb_get_letohl(tvb, offset);
+ caps_hi = tvb_get_letohl(tvb, offset + 4);
+
+ if (tree) {
+ item = proto_tree_add_text(
+ tree, tvb, offset, 8, "Capabilities: 0x%08x%08x",
+ caps_hi, caps_lo);
+ subtree = proto_item_add_subtree(
+ item, ett_smb_unix_capabilities);
+ }
+
+ proto_tree_add_boolean(
+ subtree, hf_smb_unix_capability_fcntl, tvb, offset, 8,
+ caps_lo);
+
+ proto_tree_add_boolean(
+ subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 8,
+ caps_lo);
+
+ COUNT_BYTES_TRANS_SUBR(8);
+
+ break;
+ }
case 0x301: /* MAC_QUERY_FS_INFO */
/* Create time */
CHECK_BYTE_COUNT_TRANS_SUBR(8);
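Review bot: In the SMB_QUERY_CIFS_UNIX_INFO case both `proto_tree_add_boolean` calls pass a length of 8 together with `caps_lo`, while the two capability fields are registered as 32-bit booleans (`FT_BOOLEAN, 32` with masks 0x00000001 and 0x00000002). The bit is therefore taken from the low word only, but the item's byte range also covers the high word. Passing `offset, 4` would match the registration. `caps_hi` appears only in the summary text, so a short comment such as `/* no capability bits are defined in the high 32 bits yet */` would tell the next reader that this is deliberate. The enclosing function starts outside this hunk.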
proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, TRUE);
COUNT_BYTES_TRANS_SUBR(4);
break;
+ case 1008: /* Query Object ID is GUID plus unknown data */ {
+ e_uuid_t fs_id;
+ char uuid_str[DCERPC_UUID_STR_LEN];
+ int uuid_str_len;
+ guint8 drep = 0x10;
+
+ CHECK_BYTE_COUNT_TRANS_SUBR(16);
+
+ dcerpc_tvb_get_uuid (tvb, offset, &drep, &fs_id);
+
+ uuid_str_len = snprintf(
+ uuid_str, DCERPC_UUID_STR_LEN,
+ "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+ fs_id.Data1, fs_id.Data2, fs_id.Data3,
+ fs_id.Data4[0], fs_id.Data4[1],
+ fs_id.Data4[2], fs_id.Data4[3],
+ fs_id.Data4[4], fs_id.Data4[5],
+ fs_id.Data4[6], fs_id.Data4[7]);
+
+ proto_tree_add_string_format(
+ tree, hf_smb_fs_guid, tvb,
+ offset, 16, uuid_str, "GUID: %s", uuid_str);
+
+ COUNT_BYTES_TRANS_SUBR(16);
+ break;
+ }
}
return offset;
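Review bot: `uuid_str_len` in the `case 1008` block receives the `snprintf` result but is never read in this hunk, so a truncated or failed format would go unnoticed and the variable is set but unused. Either drop the assignment or check it before the string is added to the tree, e.g. `if (uuid_str_len < 0 || uuid_str_len >= DCERPC_UUID_STR_LEN) uuid_str[0] = '\0';`. The literal in `guint8 drep = 0x10;` also needs a comment, for instance `/* DCE RPC data representation: little-endian integers */`. The case label says the reply is a GUID "plus unknown data", yet only 16 bytes are consumed, so a one-line note that the remainder is deliberately left undissected would help. The enclosing switch and function start outside this hunk.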
offset += 2;
/* ea length */
- proto_tree_add_item(tree, hf_smb_ea_length, tvb, offset, 4, TRUE);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
offset += 4;
break;
} else {
proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
if (check_col(pinfo->cinfo, COL_INFO)) {
- col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
val_to_str(t2i->subcmd,
trans2_cmd_vals,
"<unknown (0x%02x)>"));
{ 0x22, "Set Information2" },
{ 0x23, "Query Information2" },
{ 0x24, "Locking AndX" },
- { 0x25, "Transaction" },
- { 0x26, "Transaction Secondary" },
+ { 0x25, "Trans" },
+ { 0x26, "Trans Secondary" },
{ 0x27, "IOCTL" },
{ 0x28, "IOCTL Secondary" },
{ 0x29, "Copy" },
{ 0x2F, "Write AndX" },
{ 0x30, "unknown-0x30" },
{ 0x31, "Close And Tree Disconnect" },
- { 0x32, "Transaction2" },
- { 0x33, "Transaction2 Secondary" },
+ { 0x32, "Trans2" },
+ { 0x33, "Trans2 Secondary" },
{ 0x34, "Find Close2" },
{ 0x35, "Find Notify Close" },
{ 0x36, "unknown-0x36" },
{ 0x9D, "unknown-0x9D" },
{ 0x9E, "unknown-0x9E" },
{ 0x9F, "unknown-0x9F" },
- { 0xA0, "NT Transact" },
- { 0xA1, "NT Transact Secondary" },
+ { 0xA0, "NT Trans" },
+ { 0xA1, "NT Trans Secondary" },
{ 0xA2, "NT Create AndX" },
{ 0xA3, "unknown-0xA3" },
{ 0xA4, "NT Cancel" },
{ 0x00, NULL },
};
-static char *decode_smb_name(unsigned char cmd)
+static char *decode_smb_name(guint8 cmd)
{
return(smb_cmd_vals[cmd].strptr);
}
g_hash_table_destroy(ct->unmatched);
if (ct->matched)
g_hash_table_destroy(ct->matched);
- if (ct->dcerpc_fid_to_frame)
- g_hash_table_destroy(ct->dcerpc_fid_to_frame);
- if (ct->dcerpc_frame_to_dcerpc_pdu)
- g_hash_table_destroy(ct->dcerpc_frame_to_dcerpc_pdu);
if (ct->tid_service)
g_hash_table_destroy(ct->tid_service);
}
{ 0x00000116, "STATUS_CRASH_DUMP" },
{ 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
{ 0x00000118, "STATUS_REPARSE_OBJECT" },
+ { 0x0000045C, "STATUS_NO_SHUTDOWN_IN_PROGRESS" },
{ 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
{ 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
{ 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
smb_saved_info_equal_matched);
si->ct->unmatched= g_hash_table_new(smb_saved_info_hash_unmatched,
smb_saved_info_equal_unmatched);
- si->ct->dcerpc_fid_to_frame=g_hash_table_new(
- smb_saved_info_hash_unmatched,
- smb_saved_info_equal_unmatched);
- si->ct->dcerpc_frame_to_dcerpc_pdu=g_hash_table_new(
- smb_saved_info_hash_unmatched,
- smb_saved_info_equal_unmatched);
si->ct->tid_service=g_hash_table_new(
smb_saved_info_hash_unmatched,
smb_saved_info_equal_unmatched);
new_key->pid_mid = pid_mid;
g_hash_table_insert(si->ct->matched, new_key, sip);
} else {
- /* we have already seen another response to this one, but
- register it anyway so we see which request it matches
+ /* We have already seen another response to this MID.
+ Since the MID in reality is only something like 10 bits
+ this probably means that we just have a MID that is being
+ reused due to the small MID space and that this is a new
+ command we did not see the original request for.
*/
- new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
- new_key->frame = pinfo->fd->num;
- new_key->pid_mid = pid_mid;
- g_hash_table_insert(si->ct->matched, new_key, sip);
+ sip=NULL;
}
}
}
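Review bot: With `sip=NULL` in the reused-MID branch, the rest of the function runs with a null saved-info pointer for every response that lands here, and the code that consumes `sip` is outside this hunk. Each later use should be confirmed to be guarded, because captures with recycled MIDs will take this path routinely and a missed check would end the dissection of that frame with a crash rather than an "unmatched response" display. The new comment also states the MID is "something like 10 bits" as if it were established; I would either cite the source or soften it to `/* the usable MID space appears to be small, so MIDs get reused */`. The enclosing function starts and ends outside the hunk.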
* Network Monitor 2.x dissects the four bytes before the Session ID
* as a "Key", and the two bytes after the SequenceNumber as
* a "Group ID".
+ *
+ * The "High Part of PID" has been seen in calls other than NT
+ * Create and X, although most of them appear to be I/O on DCE RPC
+ * pipes opened with the NT Create and X in question.
*/
+ proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, TRUE);
+ offset += 2;
+
if (pinfo->ptype == PT_IPX &&
(pinfo->match_port == IPX_SOCKET_NWLINK_SMB_SERVER ||
pinfo->match_port == IPX_SOCKET_NWLINK_SMB_REDIR ||
pinfo->match_port == IPX_SOCKET_NWLINK_SMB_MESSENGER)) {
/*
* This is SMB-over-IPX.
- * XXX - high part of pid?
- * XXX - doe we have to worry about "sequenced commands",
+ * XXX - do we have to worry about "sequenced commands",
* as per the Samba document? They say that for
* "unsequenced commands" (with a sequence number of 0),
* the Mid must be unique, but perhaps the Mid doesn't
* one capture with SMB-over-IPX, however, the Mids
* are unique even for sequenced commands.
*/
- proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2,
- TRUE);
- offset += 2;
-
/* Key */
proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
TRUE);
offset += 2;
} else {
/*
- * 12 reserved bytes.
- * XXX - high part of pid?
+ * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
+ * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
+ * bytes after the "High part of PID" are an 8-byte
+ * signature ...
*/
- proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 12, TRUE);
- offset += 12;
+ proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, TRUE);
+ offset += 8;
+
+ proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, TRUE);
+ offset += 2;
}
/* TID */
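Review bot: The non-IPX branch now labels the 8 bytes after the PID high word as `hf_smb_sig` unconditionally, and the comment does not say when that label is accurate. As far as the CIFS documents cited there describe it, those bytes hold a signature only when message signing is in use (signalled by the security-signature bit in Flags2) and are otherwise reserved, typically zero. Someone reading a dissection to check whether a session is signed could misread an all-zero "Signature" as a bad signature. I would extend the comment with `only meaningful when the Flags2 security-signature bit is set; otherwise reserved; the value is displayed, not verified`. The enclosing function starts outside this hunk.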
{ "Reserved", "smb.reserved", FT_BYTES, BASE_HEX,
NULL, 0, "Reserved bytes, must be zero", HFILL }},
+ { &hf_smb_sig,
+ { "Signature", "smb.signature", FT_BYTES, BASE_HEX,
+ NULL, 0, "Signature bytes", HFILL }},
+
{ &hf_smb_key,
{ "Key", "smb.key", FT_UINT32, BASE_HEX,
NULL, 0, "SMB-over-IPX Key", HFILL }},
{ "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
NULL, 0, "Process ID", HFILL }},
+ { &hf_smb_pid_high,
+ { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
+ NULL, 0, "Process ID High Bytes", HFILL }},
+
{ &hf_smb_tid,
{ "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
NULL, 0, "Tree ID", HFILL }},
{ "Count", "smb.count", FT_UINT32, BASE_DEC,
NULL, 0, "Count number of items/bytes", HFILL }},
+ { &hf_smb_count_low,
+ { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
+ NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
+
+ { &hf_smb_count_high,
+ { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
+ NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
+
{ &hf_smb_file_name,
{ "File Name", "smb.file", FT_STRING, BASE_NONE,
NULL, 0, "File Name", HFILL }},
{ "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
NULL, 0, "Length of data", HFILL }},
+ { &hf_smb_data_len_low,
+ { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
+ NULL, 0, "Length of data, Low 16 bits", HFILL }},
+
+ { &hf_smb_data_len_high,
+ { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
+ NULL, 0, "Length of data, High 16 bits", HFILL }},
+
{ &hf_smb_seek_mode,
{ "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
{ "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
NULL, 0, "Maximum Count", HFILL }},
+ { &hf_smb_max_count_low,
+ { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
+ NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
+
+ { &hf_smb_max_count_high,
+ { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
+ NULL, 0, "Maximum Count, High 16 bits", HFILL }},
+
{ &hf_smb_min_count,
{ "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
NULL, 0, "Minimum Count", HFILL }},
NULL, 0, "Number of unlock requests in this request", HFILL }},
{ &hf_smb_lock_long_length,
- { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
+ { "Length", "smb.lock.length", FT_STRING, BASE_DEC,
NULL, 0, "Length of lock/unlock region", HFILL }},
{ &hf_smb_lock_long_offset,
- { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
+ { "Offset", "smb.lock.offset", FT_STRING, BASE_DEC,
NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
{ &hf_smb_file_type,
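Review bot: `hf_smb_lock_long_length` and `hf_smb_lock_long_offset` are switched to `FT_STRING` but keep `BASE_DEC`, although a numeric base has no meaning for a string field and the other string registrations on this page (for example `hf_smb_file_name`) use `BASE_NONE`. Suggested: `{ "Length", "smb.lock.length", FT_STRING, BASE_NONE,` and the same for `smb.lock.offset`. The type change also means display filters on these two fields now compare text rather than numbers, so a comment next to the entries explaining why the 64-bit values are carried as strings would save the next maintainer from changing it back.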
{ "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
NULL, 0, "Total length of security descriptor", HFILL }},
- { &hf_smb_ea_length,
- { "EA Length", "smb.ea.length", FT_UINT32, BASE_DEC,
- NULL, 0, "Total EA length for opened file", HFILL }},
+ { &hf_smb_ea_list_length,
+ { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
+ NULL, 0, "Total length of extended attributes", HFILL }},
+
+ { &hf_smb_ea_flags,
+ { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
+ NULL, 0, "EA Flags", HFILL }},
+
+ { &hf_smb_ea_name_length,
+ { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
+ NULL, 0, "EA Name Length", HFILL }},
+
+ { &hf_smb_ea_data_length,
+ { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
+ NULL, 0, "EA Data Length", HFILL }},
+
+ { &hf_smb_ea_name,
+ { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
+ NULL, 0, "EA Name", HFILL }},
+
+ { &hf_smb_ea_data,
+ { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE,
+ NULL, 0, "EA Data", HFILL }},
{ &hf_smb_file_name_len,
{ "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
{ "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
NULL, 0, "Offset to the first free byte in the file", HFILL }},
+ { &hf_smb_replace,
+ { "Replace", "smb.replace", FT_BOOLEAN, BASE_NONE,
+ TFS(&tfs_smb_replace), 0x0, "Remove target if it exists?", HFILL }},
+
+ { &hf_smb_root_dir_handle,
+ { "Root Directory Handle", "smb.root_dir_handle", FT_UINT32, BASE_HEX,
+ NULL, 0, "Root directory handle", HFILL }},
+
+ { &hf_smb_target_name_len,
+ { "Target name length", "smb.target_name_len", FT_UINT32, BASE_DEC,
+ NULL, 0, "Length of target file name", HFILL }},
+
+ { &hf_smb_target_name,
+ { "Target name", "smb.target_name", FT_STRING, BASE_NONE,
+ NULL, 0, "Target file name", HFILL }},
+
{ &hf_smb_device_type,
{ "Device Type", "smb.device.type", FT_UINT32, BASE_HEX,
VALS(device_type_vals), 0, "Type of device", HFILL }},
VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
{ &hf_smb_qpi_loi,
- { "Level of Interest", "smb.loi", FT_UINT16, BASE_DEC,
- VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] commands", HFILL }},
+ { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_DEC,
+ VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
+
+ { &hf_smb_spi_loi,
+ { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_DEC,
+ VALS(spi_loi_vals), 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
#if 0
{ &hf_smb_sfi_writetru,
{ "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
NULL, 0, "Number of clusters", HFILL }},
- { &hf_smb_ea_size,
- { "EA Size", "smb.ea_size", FT_UINT32, BASE_DEC,
- NULL, 0, "Size of file's EA information", HFILL }},
-
- { &hf_smb_list_length,
- { "ListLength", "smb.list_len", FT_UINT32, BASE_DEC,
- NULL, 0, "Length of the remaining data", HFILL }},
-
{ &hf_smb_number_of_links,
{ "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
NULL, 0, "Number of hard links to the file", HFILL }},
{ "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
+ { &hf_smb_t2_marked_for_deletion,
+ { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
+ TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
+
{ &hf_smb_dfs_path_consumed,
{ "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
NULL, 0, "Number of RequestFilename bytes client", HFILL }},
{ "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
+ { &hf_smb_fs_guid,
+ { "FS GUID", "smb.fs_guid", FT_STRING, BASE_NONE,
+ NULL, 0, "File System GUID", HFILL }},
+
{ &hf_smb_sector_unit,
{ "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
NULL, 0, "Sectors per allocation unit", HFILL }},
NULL, 0, "Number of authorities for this SID", HFILL }},
{ &hf_smb_acl_revision,
- { "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
+ { "Revision", "smb.acl.revision", FT_UINT8, BASE_DEC,
NULL, 0, "Version of NT ACL structure", HFILL }},
{ &hf_smb_acl_size,
{ "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
"SMB Segments", HFILL }},
+ { &hf_smb_unix_major_version,
+ { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
+ NULL, 0, "UNIX Major Version", HFILL }},
+
+ { &hf_smb_unix_minor_version,
+ { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
+ NULL, 0, "UNIX Minor Version", HFILL }},
+
+ { &hf_smb_unix_capability_fcntl,
+ { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
+ TFS(&flags_set_truth), 0x00000001, "", HFILL }},
+
+ { &hf_smb_unix_capability_posix_acl,
+ { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
+ TFS(&flags_set_truth), 0x00000002, "", HFILL }},
+
+ { &hf_smb_unix_file_size,
+ { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_num_bytes,
+ { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
+ NULL, 0, "Number of bytes used to store the file", HFILL }},
+
+ { &hf_smb_unix_file_last_status,
+ { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_last_access,
+ { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_last_change,
+ { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_uid,
+ { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_gid,
+ { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_type,
+ { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
+ VALS(unix_file_type_vals), 0, "", HFILL }},
+
+ { &hf_smb_unix_file_dev_major,
+ { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_dev_minor,
+ { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_unique_id,
+ { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_permissions,
+ { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_nlinks,
+ { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_file_link_dest,
+ { "Link destination", "smb.unix.file.link_dest", FT_STRING,
+ BASE_NONE, NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_find_file_nextoffset,
+ { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_smb_unix_find_file_resumekey,
+ { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
/* Access masks */
{ &hf_smb_access_mask,
&ett_nt_access_mask_generic,
&ett_nt_access_mask_standard,
&ett_nt_access_mask_specific,
- &ett_smb_unicode_password
+ &ett_smb_unicode_password,
+ &ett_smb_ea,
+ &ett_smb_unix_capabilities
};
module_t *smb_module;