aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--packet-smb.c287
1 files changed, 280 insertions, 7 deletions
diff --git a/packet-smb.c b/packet-smb.c
index 2cd3e4f997..49bd6d729e 100644
--- a/packet-smb.c
+++ b/packet-smb.c
@@ -2,7 +2,7 @@
* Routines for smb packet dissection
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
*
- * $Id: packet-smb.c,v 1.140 2001/11/09 06:43:38 guy Exp $
+ * $Id: packet-smb.c,v 1.141 2001/11/09 22:45:22 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -387,6 +387,7 @@ static int hf_smb_print_spool_file_number = -1;
static int hf_smb_print_spool_file_size = -1;
static int hf_smb_print_spool_file_name = -1;
static int hf_smb_start_index = -1;
+static int hf_smb_cancel_to = -1;
static gint ett_smb = -1;
static gint ett_smb_hdr = -1;
@@ -1126,6 +1127,15 @@ dissect_file_ext_attr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree
tree = proto_item_add_subtree(item, ett_smb_file_attributes);
}
+ /*
+ * XXX - Network Monitor disagrees on some of the
+ * bits, e.g. the bits above temporary are "atomic write"
+ * and "transaction write", and it says nothing about the
+ * bits above that.
+ *
+ * Does the Win32 API documentation, or the NT Native API book,
+ * suggest anything?
+ */
proto_tree_add_boolean(tree, hf_smb_file_eattr_write_through,
tvb, offset, 4, mask);
proto_tree_add_boolean(tree, hf_smb_file_eattr_no_buffering,
@@ -1240,6 +1250,13 @@ dissect_search_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_
return offset;
}
+#if 0
+/*
+ * XXX - this isn't used.
+ * Is this used for anything? NT Create AndX doesn't use it.
+ * Is there some 16-bit attribute field with more bits than Read Only,
+ * Hidden, System, Volume ID, Directory, and Archive?
+ */
static int
dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
{
@@ -1289,6 +1306,7 @@ dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *
return offset;
}
+#endif
#define SERVER_CAP_RAW_MODE 0x00000001
@@ -5153,8 +5171,8 @@ static const true_false_string tfs_nt_security_flags_context_tracking = {
};
static const true_false_string tfs_nt_security_flags_effective_only = {
- "ONLY ENABLED aspects of the clients security context are available",
- "ALL aspects of the clients security context are available",
+ "ONLY ENABLED aspects of the client's security context are available",
+ "ALL aspects of the client's security context are available",
};
static const true_false_string tfs_nt_create_bits_oplock = {
@@ -5167,6 +5185,10 @@ static const true_false_string tfs_nt_create_bits_boplock = {
"Does NOT request batch oplock"
};
+/*
+ * XXX - must be a directory, and can be a file, or can be a directory,
+ * and must be a file?
+ */
static const true_false_string tfs_nt_create_bits_dir = {
"Target of open MUST be a DIRECTORY",
"Target of open can be a file"
@@ -5174,7 +5196,7 @@ static const true_false_string tfs_nt_create_bits_dir = {
static const true_false_string tfs_nt_access_mask_generic_read = {
"GENERIC READ is set",
- "Generic read in NOT set"
+ "Generic read is NOT set"
};
static const true_false_string tfs_nt_access_mask_generic_write = {
"GENERIC WRITE is set",
@@ -5367,6 +5389,25 @@ dissect_nt_access_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tre
tree = proto_item_add_subtree(item, ett_smb_nt_access_mask);
}
+ /*
+ * XXX - Microsoft Network Monitor says the bottom 9 bits
+ * are, going down to the bottommost bit:
+ *
+ * write attributes permission
+ * read attributes permission
+ * delete permission
+ * execute permission
+ * write extended attributes permission
+ * read extended attributes permission
+ * append permission
+ * write permission
+ * read permission
+ *
+ * and says nothing about the bits above it.
+ *
+ * Does the Win32 API documentation, or the NT Native API book,
+ * suggest anything?
+ */
proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_read,
tvb, offset, 4, mask);
proto_tree_add_boolean(tree, hf_smb_nt_access_mask_generic_write,
@@ -5410,6 +5451,12 @@ dissect_nt_create_bits(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tre
tree = proto_item_add_subtree(item, ett_smb_nt_create_bits);
}
+ /*
+ * XXX - it's 0x00000016 in at least one capture, but
+ * Network Monitor doesn't say what the 0x00000010 bit is.
+ * Does the Win32 API documentation, or NT Native API book,
+ * suggest anything?
+ */
proto_tree_add_boolean(tree, hf_smb_nt_create_bits_dir,
tvb, offset, 4, mask);
proto_tree_add_boolean(tree, hf_smb_nt_create_bits_boplock,
@@ -6572,8 +6619,229 @@ dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *
return offset;
}
+
+static int
+dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
+{
+ guint8 wc, cmd=0xff;
+ guint16 andxoffset=0;
+ guint16 bc;
+ int fn_len;
+ const char *fn;
+
+ WORD_COUNT;
+
+ /* next smb command */
+ cmd = tvb_get_guint8(tvb, offset);
+ if(cmd!=0xff){
+ proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
+ } else {
+ proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands (0xff)");
+ }
+ offset += 1;
+
+ /* reserved byte */
+ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
+ offset += 1;
+
+ /* andxoffset */
+ andxoffset = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
+ offset += 2;
+
+ /* reserved byte */
+ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
+ offset += 1;
+
+ /* file name len */
+ fn_len = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
+ offset += 2;
+
+ /* Create flags */
+ offset = dissect_nt_create_bits(tvb, pinfo, tree, offset);
+
+ /* root directory fid */
+ proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, TRUE);
+ offset += 4;
+
+ /* nt access mask */
+ offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
+
+ /* allocation size */
+ proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
+ offset += 8;
+
+ /* Extended File Attributes */
+ offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
+
+ /* share access */
+ offset = dissect_nt_share_access(tvb, pinfo, tree, offset);
+
+ /* create disposition */
+ proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, TRUE);
+ offset += 4;
+
+ /* create options */
+ /*
+ * XXX - Network Monitor dissects this as a pile of bits,
+ * including "directory, "write through", "sequential",
+ * etc..
+ *
+ * Does the Win32 API documentation or the NT Native API
+ * book suggest anything?
+ */
+ proto_tree_add_item(tree, hf_smb_nt_create_options, tvb, offset, 4, TRUE);
+ offset += 4;
+
+ /* impersonation level */
+ proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, TRUE);
+ offset += 4;
+
+ /* security flags */
+ offset = dissect_nt_security_flags(tvb, pinfo, tree, offset);
+
+ BYTE_COUNT;
+
+ /* file name */
+ fn = get_unicode_or_ascii_string_tvb(tvb, &offset, pinfo, &fn_len, FALSE, FALSE, &bc);
+ if (fn == NULL)
+ goto endofcommand;
+ proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
+ fn);
+ COUNT_BYTES(fn_len);
+
+ if (check_col(pinfo->fd, COL_INFO)) {
+ col_append_fstr(pinfo->fd, COL_INFO, ", Path: %s", fn);
+ }
+
+ END_OF_SMB
+
+ /* call AndXCommand (if there are any) */
+ dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
+
+ return offset;
+}
+static int
+dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
+{
+ guint8 wc, cmd=0xff;
+ guint16 andxoffset=0;
+ guint16 bc;
+
+ WORD_COUNT;
+
+ /* next smb command */
+ cmd = tvb_get_guint8(tvb, offset);
+ if(cmd!=0xff){
+ proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: %s (0x%02x)", decode_smb_name(cmd), cmd);
+ } else {
+ proto_tree_add_uint_format(tree, hf_smb_cmd, tvb, offset, 1, cmd, "AndXCommand: No further commands");
+ }
+ offset += 1;
+
+ /* reserved byte */
+ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
+ offset += 1;
+
+ /* andxoffset */
+ andxoffset = tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
+ offset += 2;
+
+ /* oplock level */
+ proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, TRUE);
+ offset += 1;
+
+ /* fid */
+ proto_tree_add_item(tree, hf_smb_fid, tvb, offset, 2, TRUE);
+ offset += 2;
+
+ /* create action */
+ /*XXX is this really the same as create disposition in the request? it looks so*/
+ proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
+ offset += 4;
+
+ /* create time */
+ offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
+ "Create Time", hf_smb_create_time);
+
+ /* access time */
+ offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
+ "Access Time", hf_smb_access_time);
+
+ /* last write time */
+ offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
+ "Write Time", hf_smb_last_write_time);
+
+ /* last change time */
+ offset = dissect_smb_64bit_time(tvb, pinfo, tree, offset,
+ "Change Time", hf_smb_change_time);
+
+ /* Extended File Attributes */
+ offset = dissect_file_ext_attr(tvb, pinfo, tree, offset);
+
+ /* allocation size */
+ proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
+ offset += 8;
+
+ /* end of file */
+ proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
+ offset += 8;
+
+ /* File Type */
+ proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, TRUE);
+ offset += 2;
+
+ /* IPC State */
+ offset = dissect_ipc_state(tvb, pinfo, tree, offset);
+
+ /* is directory */
+ proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, TRUE);
+ offset += 1;
+
+ BYTE_COUNT;
+
+ END_OF_SMB
+
+ /* call AndXCommand (if there are any) */
+ dissect_smb_command(tvb, pinfo, tree, andxoffset, smb_tree, cmd);
+
+ return offset;
+}
+
+
+static int
+dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree)
+{
+ smb_info_t *sip;
+ guint8 wc;
+ guint16 bc;
+
+ /* XXX I think this correct to find the matching request, must test */
+ sip = pinfo->private_data;
+ sip->src = &pinfo->src;
+ sip->dst = &pinfo->dst;
+ sip = g_hash_table_lookup(smb_info_table, sip);
+ if(sip){
+ proto_tree_add_uint(tree, hf_smb_cancel_to, tvb, 0, 0, sip->frame_req);
+ } else {
+ proto_tree_add_text(tree, tvb, 0, 0,
+ "Cancelation to: <unknown frame>");
+ }
+
+ WORD_COUNT;
+
+ BYTE_COUNT;
+
+ END_OF_SMB
+
+ return offset;
+}
+
+
typedef struct _smb_function {
@@ -6753,9 +7021,9 @@ smb_function smb_dissector[256] = {
/* 0x9f */ {NULL, NULL},
/* 0xa0 NT Transaction*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
/* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request, dissect_nt_transaction_response},
- /* 0xa2 */ {NULL, NULL},
+ /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request, dissect_nt_create_andx_response},
/* 0xa3 */ {NULL, NULL},
- /* 0xa4 */ {NULL, NULL},
+ /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request, NULL}, /*no response to this one*/
/* 0xa5 */ {NULL, NULL},
/* 0xa6 */ {NULL, NULL},
/* 0xa7 */ {NULL, NULL},
@@ -11902,7 +12170,7 @@ proto_register_smb(void)
VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
{ &hf_smb_nt_create_options,
- { "Options", "smb.create.options", FT_UINT32, BASE_DEC,
+ { "Options", "smb.create.options", FT_UINT32, BASE_HEX,
NULL, 0, "What to do if creating a file", HFILL }},
{ &hf_smb_sd_length,
@@ -12193,6 +12461,11 @@ proto_register_smb(void)
{ "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
NULL, 0, "First queue entry to return", HFILL }},
+ { &hf_smb_cancel_to,
+ { "Cancel to", "smb.cancel_to", FT_UINT32, BASE_DEC,
+ NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
+
+
};
static gint *ett[] = {