Add tracking of uid->domain/account mappings for SMB by tapping the ntlmssp tap for...
authorsahlberg <sahlberg@f5534014-38df-0310-8fa8-9805f1628bb7>
Tue, 24 Apr 2007 05:09:00 +0000 (05:09 +0000)
committersahlberg <sahlberg@f5534014-38df-0310-8fa8-9805f1628bb7>
Tue, 24 Apr 2007 05:09:00 +0000 (05:09 +0000)
Improve the tid tracking by putting the host/share information on the tid expansion line so one can see it without opening the expansion

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@21547 f5534014-38df-0310-8fa8-9805f1628bb7

epan/dissectors/packet-smb.c

index 7afd43beabe896729a46e3c3e49cc999859fa4cd..b64ccb4233017a2c1c2c9acd98830426ff1e5b15 100644 (file)
@@ -654,10 +654,13 @@ static int hf_smb_pipe_info_flag = -1;
 static int hf_smb_mode = -1;
 static int hf_smb_attribute = -1;
 static int hf_smb_reparse_tag = -1;
+static int hf_smb_logged_in = -1;
+static int hf_smb_logged_out = -1;
 
 static gint ett_smb = -1;
 static gint ett_smb_fid = -1;
 static gint ett_smb_tid = -1;
+static gint ett_smb_uid = -1;
 static gint ett_smb_hdr = -1;
 static gint ett_smb_command = -1;
 static gint ett_smb_fileattributes = -1;
@@ -1002,6 +1005,13 @@ static GSList *conv_tables = NULL;
 
 
 
+typedef struct _smb_uid_t {
+       char *domain;
+       char *account;
+       int logged_in;
+       int logged_out;
+} smb_uid_t;
+
 static void
 smb_file_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 mask)
 {
@@ -2574,6 +2584,42 @@ dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree
        return offset;
 }
 
+static int
+dissect_smb_uid(tvbuff_t *tvb, proto_tree *parent_tree, int offset, smb_info_t *si)
+{
+       proto_item *item;
+       proto_tree *tree;
+       smb_uid_t *smb_uid=NULL;
+
+       item=proto_tree_add_uint(parent_tree, hf_smb_uid, tvb, offset, 2, si->uid);
+       tree=proto_item_add_subtree(item, ett_smb_uid);
+
+       smb_uid=se_tree_lookup32(si->ct->uid_tree, si->uid);
+       if(smb_uid){
+               proto_item_append_text(item, "  (%s\\%s)", smb_uid->domain, smb_uid->account);
+
+               if(smb_uid->domain){
+                       item=proto_tree_add_string(tree, hf_smb_primary_domain, tvb, 0, 0, smb_uid->domain);
+                       PROTO_ITEM_SET_GENERATED(item);
+               }
+               if(smb_uid->account){
+                       item=proto_tree_add_string(tree, hf_smb_account, tvb, 0, 0, smb_uid->account);
+                       PROTO_ITEM_SET_GENERATED(item);
+               }
+               if(smb_uid->logged_in>0){
+                       item=proto_tree_add_uint(tree, hf_smb_logged_in, tvb, 0, 0, smb_uid->logged_in);
+                       PROTO_ITEM_SET_GENERATED(item);
+               }
+               if(smb_uid->logged_out>0){
+                       item=proto_tree_add_uint(tree, hf_smb_logged_out, tvb, 0, 0, smb_uid->logged_out);
+                       PROTO_ITEM_SET_GENERATED(item);
+               }
+       }
+       offset += 2;
+
+       return offset;
+}
+
 static int
 dissect_smb_tid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 tid, gboolean is_created, gboolean is_closed)
 {
@@ -2615,6 +2661,8 @@ dissect_smb_tid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
 
        if(fid_info->opened_in){
                if(fid_info->filename){
+                       proto_item_append_text(it, "  (%s)", fid_info->filename);
+
                        it=proto_tree_add_string(tr, hf_smb_path, tvb, 0, 0, fid_info->filename);
                        PROTO_ITEM_SET_GENERATED(it);
                }
@@ -6031,6 +6079,21 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree
        guint16 sbloblen=0, sbloblen_short;
        guint16 apwlen=0, upwlen=0;
        gboolean unicodeflag;
+       static int ntlmssp_tap_id = 0;
+       const ntlmssp_header_t *ntlmssph;
+
+       if(!ntlmssp_tap_id){
+               GString *error_string;
+               /* We dont specify any callbacks at all.
+                * Instead we manually fetch the tapped data after the
+                * security blob has been fully dissected and before
+                * we exit from this dissector.
+                */
+               error_string=register_tap_listener("ntlmssp", NULL, NULL, NULL, NULL, NULL);
+               if(!error_string){
+                       ntlmssp_tap_id=find_tap_id("ntlmssp");
+               }
+       }
 
        DISSECTOR_ASSERT(si);
 
@@ -6180,6 +6243,24 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree
                                         pinfo, blob_tree);
                        }
 
+                       /* If we have found a uid->acct_name mapping, store it */
+                       if(!pinfo->fd->flags.visited && si->sip){
+                               int idx=0;
+                               if((ntlmssph=fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL){
+                                       if(ntlmssph && ntlmssph->type==3){
+                                               smb_uid_t *smb_uid;
+       
+                                               smb_uid=se_alloc(sizeof(smb_uid_t));
+                                               smb_uid->logged_in=-1;
+                                               smb_uid->logged_out=-1;
+                                               smb_uid->domain=se_strdup(ntlmssph->domain_name);
+                                               smb_uid->account=se_strdup(ntlmssph->acct_name);
+
+                                               si->sip->extra_info=smb_uid;
+                                       }
+                               }
+                       }
+
                        COUNT_BYTES(sbloblen);
                }
 
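Review bot: `ntlmssph->type==3` hard-codes the NTLMSSP AUTH message type; if the NTLMSSP_AUTH constant from packet-ntlmssp.h is in scope it should be used instead of the magic number. The `ntlmssph &&` test on the following line repeats the `!= NULL` check that already guards it, and `idx++` is never read again, so the block reduces to `ntlmssph=fetch_tapped_data(ntlmssp_tap_id, 0); if(ntlmssph && ntlmssph->type==NTLMSSP_AUTH){ ... }`. Note that fetch_tapped_data() reads the per-frame tap queue, so if a single frame carried more than one NTLMSSP-bearing SMB PDU, index 0 would presumably hand every PDU in that frame the first one's domain/account; if that is reachable it deserves a comment or a check that the tapped entry belongs to this PDU. The enclosing function starts and ends outside this hunk.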
@@ -6373,6 +6454,14 @@ dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tre
 
        WORD_COUNT;
 
+       if(!pinfo->fd->flags.visited && si->sip && si->sip->extra_info){
+               smb_uid_t *smb_uid;
+
+               smb_uid=si->sip->extra_info;
+               smb_uid->logged_in=pinfo->fd->num;
+               se_tree_insert32(si->ct->uid_tree, si->uid, smb_uid);
+       }
+
        /* next smb command */
        cmd = tvb_get_guint8(tvb, offset);
        if(cmd!=0xff){
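Review bot: The uid→account mapping is inserted into uid_tree and stamped as logged_in on any Session Setup AndX response whose request carried a pending smb_uid, without consulting the response status, so a failed logon (e.g. STATUS_LOGON_FAILURE after an NTLMSSP AUTH) would be displayed as a successful login for that uid. Failed authentications are exactly what an analyst reviewing SMB traffic wants to distinguish, so gate the insert on the status carried in smb_info_t, e.g. `if(!pinfo->fd->flags.visited && si->sip && si->sip->extra_info && si->nt_status==0)` if that is the field dissect_smb fills, or record failures separately. se_tree_insert32 also overwrites an earlier entry when a uid is reused after a logoff, which re-labels earlier frames on the second pass; since nothing in this commit sets logged_out, that is presumably left for follow-up work. dissect_session_setup_andx_response begins and continues outside this hunk.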
@@ -15596,6 +15685,7 @@ dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
                
                si->ct->fid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB fid_tree");
                si->ct->tid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB tid_tree");
+               si->ct->uid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB uid_tree");
                conversation_add_proto_data(conversation, proto_smb, si->ct);
        }
 
@@ -15995,8 +16085,7 @@ dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
        offset += 2;
 
        /* UID */
-       proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid);
-       offset += 2;
+       offset=dissect_smb_uid(tvb, htree, offset, si);
 
        /* MID */
        proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
@@ -18297,12 +18386,21 @@ proto_register_smb(void)
          { "Pipe Info", "smb.pipe_info_flag", FT_BOOLEAN, 8,
                TFS(&tfs_pipe_info_flag), 0x01, "", HFILL }},
 
+       { &hf_smb_logged_in,
+         { "Logged In", "smb.logged_in", FT_FRAMENUM, BASE_DEC,
+               NULL, 0, "", HFILL }},
+
+       { &hf_smb_logged_out,
+         { "Logged Out", "smb.logged_out", FT_FRAMENUM, BASE_DEC,
+               NULL, 0, "", HFILL }},
+
        };
 
        static gint *ett[] = {
                &ett_smb,
                &ett_smb_fid,
                &ett_smb_tid,
+               &ett_smb_uid,
                &ett_smb_hdr,
                &ett_smb_command,
                &ett_smb_fileattributes,