From 87be6de73410eaa6cde7991f4302dbcfccabd00a Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Mon, 12 Jul 1999 14:26:16 +0000 Subject: Some more updates. Now have open_andx decoded mostly ... Still some funnies and some difficult things. I should not have blown away any of Gilbert's stuff this time around ... Hope not anyway ... svn path=/trunk/; revision=357 --- packet-smb.c | 1757 ++++++++++++++++++++++++++++------------------------------ packet.h | 116 ++-- 2 files changed, 872 insertions(+), 1001 deletions(-) diff --git a/packet-smb.c b/packet-smb.c index 10a4346d75..0290b237c3 100644 --- a/packet-smb.c +++ b/packet-smb.c @@ -2,7 +2,7 @@ * Routines for smb packet dissection * Copyright 1999, Richard Sharpe * - * $Id: packet-smb.c,v 1.17 1999/07/11 07:24:57 guy Exp $ + * $Id: packet-smb.c,v 1.18 1999/07/12 14:26:13 sharpe Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs @@ -577,7 +577,6 @@ dissect_ssetup_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree guint8 WordCount; guint8 AndXReserved; guint8 AndXCommand; - int AndXCmdOffset; guint32 SessionKey; guint32 Reserved; guint32 Capabilities; @@ -621,13 +620,12 @@ dissect_ssetup_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree /* Build display for: AndXCommand */ AndXCommand = GBYTE(pd, offset); - AndXCmdOffset = offset; - /* if (tree) { + if (tree) { proto_tree_add_text(tree, offset, 1, "AndXCommand: %u", AndXCommand); - } */ + } offset += 1; /* Skip AndXCommand */ @@ -794,13 +792,12 @@ dissect_ssetup_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree /* Build display for: AndXCommand */ AndXCommand = GBYTE(pd, offset); - AndXCmdOffset = offset; - /* if (tree) { + if (tree) { proto_tree_add_text(tree, offset, 1, "AndXCommand: %u", AndXCommand); - } */ + } offset += 1; /* Skip AndXCommand */ 
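Review bot: The re-enabled display in the hunk at -621,13 prints the chained command as a bare number, `"AndXCommand: %u"`, while `dissect_tcon_andx_smb` on the new side of this same commit prints the decoded name and treats 0xFF as the end of the chain. Because the commit also removes the later `"Command: %s"` line, the session-setup tree no longer shows the command name anywhere. I would write `proto_tree_add_text(tree, offset, 1, "AndXCommand: %s", (AndXCommand == 0xFF) ? "No further commands" : decode_smb_name(AndXCommand));` here. The same applies to the hunk at -794,13; the enclosing function starts and ends outside both hunks.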
@@ -923,7 +920,7 @@ dissect_ssetup_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree proto_tree_add_text(Capabilities_tree, offset, 4, "%s", decode_boolean_bitfield(Capabilities, 0x0001, 32, " Raw Mode supported", " Raw Mode not supported")); proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0002, 32, " MPX Mode supported", " MPX Mode not supported")); + decode_boolean_bitfield(Capabilities, 0x0002, 32, " Raw Mode supported", " MPX Mode not supported")); proto_tree_add_text(Capabilities_tree, offset, 4, "%s", decode_boolean_bitfield(Capabilities, 0x0004, 32," Unicode supported", " Unicode not supported")); proto_tree_add_text(Capabilities_tree, offset, 4, "%s", @@ -1048,12 +1045,6 @@ dissect_ssetup_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree if (AndXCommand != 0xFF) { - if (tree) { - - proto_tree_add_text(tree, AndXCmdOffset, 1, "Command: %s", decode_smb_name(AndXCommand)); - - } - (dissect[AndXCommand])(pd, offset, fd, tree, max_data, dirn); } 
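Review bot: The true-branch label for capability bit 0x0002 now reads `" Raw Mode supported"`, which duplicates the label of bit 0x0001 two lines above and no longer matches its own false-branch label `" MPX Mode not supported"`. This looks like an accidental revert of an earlier fix rather than an intended change, since `dissect_negprot_smb` on the new side of this commit labels the same bit "MPX Mode supported". The line should stay `decode_boolean_bitfield(Capabilities, 0x0002, 32, " MPX Mode supported", " MPX Mode not supported"));`. As written, anyone reading a capture would see Raw Mode reported twice and could not tell whether the peer offered MPX mode.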
@@ -1182,1425 +1173,1334 @@ dissect_ssetup_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree } void -dissect_open_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) +dissect_tcon_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) { - guint8 WordCount; - guint8 BufferFormat; - guint32 DataSize; - guint16 SearchAttributes; - guint16 LastWriteTime; - guint16 LastWriteDate; - guint16 FileAttributes; - guint16 FID; - guint16 DesiredAccess; - guint16 ByteCount; - guint16 AccessGranted; - const char *FileName; + guint8 wct, andxcmd; + guint16 andxoffs, flags, passwdlen, bcc, optionsup; + const char *str; + proto_tree *flags_tree; + proto_item *ti; - if (dirn == 1) { /* Request(s) dissect code */ + wct = pd[offset]; - /* Build display for: Desired Access (Mode) */ + /* Now figure out what format we are talking about, 2, 3, or 4 response + * words ... + */ - DesiredAccess = GSHORT(pd, offset); + if (!((dirn == 1) && (wct == 4)) && !((dirn == 0) && (wct == 2)) && + !((dirn == 0) && (wct == 3))) { if (tree) { - proto_tree_add_text(tree, offset, 2, "Desired Access (Mode): %u", DesiredAccess); - - } - - offset += 2; /* Skip Desired Access (Mode) */ + proto_tree_add_text(tree, offset, 1, "Invalid TCON_ANDX format. 
WCT should be 2, 3, or 4 ..., not %u", wct); - /* Build display for: Search Attributes */ + proto_tree_add_text(tree, offset, END_OF_FRAME, "Data"); - SearchAttributes = GSHORT(pd, offset); + return; - if (tree) { + } + + } - proto_tree_add_text(tree, offset, 2, "Search Attributes: %u", SearchAttributes); + if (tree) { - } + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", wct); - offset += 2; /* Skip Search Attributes */ + } - /* Build display for: Byte Count (BCC) */ + offset += 1; - ByteCount = GSHORT(pd, offset); + andxcmd = pd[offset]; - if (tree) { + if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + proto_tree_add_text(tree, offset, 1, "Next Command: %s", + (andxcmd == 0xFF) ? "No further commands": + decode_smb_name(andxcmd)); + + proto_tree_add_text(tree, offset + 1, 1, "Reserved (MBZ): %u", pd[offset+1]); - } + } - offset += 2; /* Skip Byte Count (BCC) */ + offset += 2; - /* Build display for: Buffer Format */ + andxoffs = GSHORT(pd, offset); - BufferFormat = GBYTE(pd, offset); + if (tree) { - if (tree) { + proto_tree_add_text(tree, offset, 2, "Offset to next command: %u", andxoffs); - proto_tree_add_text(tree, offset, 1, "Buffer Format: %u", BufferFormat); + } - } + offset += 2; - offset += 1; /* Skip Buffer Format */ + switch (wct) { - /* Build display for: File Name */ + case 4: - FileName = pd + offset; + flags = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, strlen(FileName) + 1, "File Name: %s", FileName); + ti = proto_tree_add_text(tree, offset, 2, "Additional Flags: 0x%02x", flags); + flags_tree = proto_item_add_subtree(ti, ETT_SMB_AFLAGS); + proto_tree_add_text(flags_tree, offset, 2, "%s", + decode_boolean_bitfield(flags, 0x01, 16, + "Disconnect TID", + "Don't disconnect TID")); } - offset += strlen(FileName) + 1; /* Skip File Name */ - - } - - if (dirn == 0) { /* Response(s) dissect code */ - - /* Build display for: Word Count (WCT) */ + offset += 2; - WordCount = GBYTE(pd, 
offset); + passwdlen = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + proto_tree_add_text(tree, offset, 2, "Password Length: %u", passwdlen); } - offset += 1; /* Skip Word Count (WCT) */ - - /* Build display for: FID (File Handle) */ + offset += 2; - FID = GSHORT(pd, offset); + bcc = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "FID (File Handle): %u", FID); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); } - offset += 2; /* Skip FID (File Handle) */ - - /* Build display for: File Attributes */ + offset += 2; - FileAttributes = GSHORT(pd, offset); + str = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 2, "File Attributes: %u", FileAttributes); + proto_tree_add_text(tree, offset, strlen(str) + 1, "Password: %s", str); } - offset += 2; /* Skip File Attributes */ - - /* Build display for: Last Write Date */ + offset += strlen(str) + 1; - LastWriteDate = GSHORT(pd, offset); + str = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 2, "Last Write Date: %s", dissect_dos_date(LastWriteDate)); + proto_tree_add_text(tree, offset, strlen(str) + 1, "Path: %s", str); } - offset += 2; /* Skip Last Write Date */ - - /* Build display for: Last Write Time */ + offset += strlen(str) + 1; - LastWriteTime = GSHORT(pd, offset); + str = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 2, "Last Write Time: %s", dissect_dos_time(LastWriteTime)); + proto_tree_add_text(tree, offset, strlen(str) + 1, "Service: %s", str); } - offset += 2; /* Skip Last Write Time */ + break; - /* Build display for: Data Size */ + case 2: - DataSize = GWORD(pd, offset); + offset += 2; + + bcc = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 4, "Data Size: %u", DataSize); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); } - offset += 4; /* Skip Data Size */ - - /* Build display for: Access Granted */ + offset += 2; - 
AccessGranted = GSHORT(pd, offset); + str = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 2, "Access Granted: %u", AccessGranted); + proto_tree_add_text(tree, offset, strlen(str) + 1, "Service Type: %s", + str); } - offset += 2; /* Skip Access Granted */ - - /* Build display for: Byte Count (BCC) */ + offset += strlen(str) + 1; - ByteCount = GSHORT(pd, offset); + break; - if (tree) { + case 3: - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + optionsup = GSHORT(pd, offset); - } + if (tree) { /* Should break out the bits */ - offset += 2; /* Skip Byte Count (BCC) */ + proto_tree_add_text(tree, offset, 2, "Optional Support: 0x%04x", + optionsup); - } + } -} + offset += 2; -void -dissect_open_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) + bcc = GSHORT(pd, offset); -{ + if (tree) { - proto_tree *Flags_tree; - proto_tree *OpenFunction_tree; - proto_item *ti; - guint8 WordCount; - guint8 BufferFormat; - guint8 AndXReserved; - guint8 AndXCommand; - guint32 ServerFID; - guint32 Reserved2; - guint32 Reserved1; - static const value_string OpenFunction_0x10[] = { - { 0, " Fail if file does not exist"}, - { 1, " Create file if it does not exist"}, - { 2, ""}, - { 0, NULL} - }; - static const value_string OpenFunction_0x03[] = { - { 0, " Fail if file exists"}, - { 1, " Open file if it exists"}, - { 2, " Truncate File if it exists"}, - { 0, NULL} - }; - guint32 DataSize; - guint32 AllocatedSize; - guint16 SearchAttributes; - guint16 Reserved; - guint16 OpenFunction; - guint16 LastWriteTime; - guint16 LastWriteDate; - guint16 GrantedAccess; - guint16 Flags; - guint16 FileType; - guint16 FileAttributes; - guint16 FID; - guint16 DeviceState; - guint16 DesiredAccess; - guint16 CreationTime; - guint16 CreationDate; - guint16 ByteCount; - guint16 Attributed; - guint16 AndXOffset; - guint16 Action; - const char *FileName; + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); - 
if (dirn == 1) { /* Request(s) dissect code */ + } - /* Build display for: Word Count (WCT) */ + offset += 2; - WordCount = GBYTE(pd, offset); + str = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + proto_tree_add_text(tree, offset, strlen(str) + 1, "Service: %s", str); } - offset += 1; /* Skip Word Count (WCT) */ - - /* Build display for: AndXCommand */ + offset += strlen(str) + 1; - AndXCommand = GBYTE(pd, offset); + str = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 1, "AndXCommand: %u", AndXCommand); + proto_tree_add_text(tree, offset, strlen(str) + 1, "Native File System: %s", str); } - offset += 1; /* Skip AndXCommand */ + offset += strlen(str) + 1; - /* Build display for: AndXReserved */ + + break; - AndXReserved = GBYTE(pd, offset); + default: - if (tree) { + } - proto_tree_add_text(tree, offset, 1, "AndXReserved: %u", AndXReserved); + if (andxcmd != 0xFF) /* Process that next command ... ??? */ - } + (dissect[andxcmd])(pd, offset, fd, tree, max_data - offset, dirn); - offset += 1; /* Skip AndXReserved */ +} - /* Build display for: AndXOffset */ +void +dissect_negprot_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) +{ + guint8 wct, enckeylen; + guint16 bcc, mode, rawmode, dialect; + guint32 caps; + proto_tree *dialects = NULL, *mode_tree, *caps_tree, *rawmode_tree; + proto_item *ti; + const char *str; + char *ustr; + int ustr_len; - AndXOffset = GSHORT(pd, offset); + wct = pd[offset]; /* Should be 0, 1 or 13 or 17, I think */ + if (!((wct == 0) && (dirn == 1)) && !((wct == 1) && (dirn == 0)) && + !((wct == 13) && (dirn == 0)) && !((wct == 17) && (dirn == 0))) { if (tree) { - proto_tree_add_text(tree, offset, 2, "AndXOffset: %u", AndXOffset); + proto_tree_add_text(tree, offset, 1, "Invalid Negotiate Protocol format. 
WCT should be zero or 1 or 13 or 17 ..., not %u", wct); + + proto_tree_add_text(tree, offset, END_OF_FRAME, "Data"); + return; } + } - offset += 2; /* Skip AndXOffset */ + if (tree) { - /* Build display for: Flags */ + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %d", wct); - Flags = GSHORT(pd, offset); + } - if (tree) { + offset += 1; - ti = proto_tree_add_text(tree, offset, 2, "Flags: 0x%02x", Flags); - Flags_tree = proto_item_add_subtree(ti, ETT_SMB_FLAGS); - proto_tree_add_text(Flags_tree, offset, 2, "%s", - decode_boolean_bitfield(Flags, 0x01, 16, " Dont Return Additional Info", " Return Additional Info")); - proto_tree_add_text(Flags_tree, offset, 2, "%s", - decode_boolean_bitfield(Flags, 0x02, 16, " Exclusive OpLock not Requested", " Exclusive OpLock Requested")); - proto_tree_add_text(Flags_tree, offset, 2, "%s", - decode_boolean_bitfield(Flags, 0x04, 16, " Batch OpLock not Requested", " Batch OpLock Requested")); - -} + /* Now decode the various formats ... */ - offset += 2; /* Skip Flags */ + switch (wct) { - /* Build display for: Desired Access */ + case 0: /* A request */ - DesiredAccess = GSHORT(pd, offset); + bcc = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Desired Access: %u", DesiredAccess); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); } - offset += 2; /* Skip Desired Access */ - - /* Build display for: Search Attributes */ - - SearchAttributes = GSHORT(pd, offset); + offset += 2; if (tree) { - proto_tree_add_text(tree, offset, 2, "Search Attributes: %u", SearchAttributes); + ti = proto_tree_add_text(tree, offset, END_OF_FRAME, "Dialects"); + dialects = proto_item_add_subtree(ti, ETT_SMB_DIALECTS); } - offset += 2; /* Skip Search Attributes */ - - /* Build display for: File Attributes */ + while (fd->cap_len > offset) { + const char *str; - FileAttributes = GSHORT(pd, offset); + if (tree) { - if (tree) { + proto_tree_add_text(dialects, offset, 1, "Dialect Marker: %d", pd[offset]); - 
proto_tree_add_text(tree, offset, 2, "File Attributes: %u", FileAttributes); + } - } + offset += 1; - offset += 2; /* Skip File Attributes */ + str = pd + offset; - /* Build display for: Creation Time */ + if (tree) { - CreationTime = GSHORT(pd, offset); + proto_tree_add_text(dialects, offset, strlen(str)+1, "Dialect: %s", str); - if (tree) { + } - proto_tree_add_text(tree, offset, 2, "Creation Time: %s", dissect_dos_date(CreationTime)); + offset += strlen(str) + 1; } + break; - offset += 2; /* Skip Creation Time */ + case 1: /* PC NETWORK PROGRAM 1.0 */ - /* Build display for: Creation Date */ + dialect = GSHORT(pd, offset); - CreationDate = GSHORT(pd, offset); + if (tree) { /* Hmmmm, what if none of the dialects is recognized */ - if (tree) { + if (dialect == 0xFFFF) { /* Server didn't like them dialects */ - proto_tree_add_text(tree, offset, 2, "Creation Date: %s", dissect_dos_time(CreationDate)); + proto_tree_add_text(tree, offset, 2, "Supplied dialects not recognized"); - } + } + else { - offset += 2; /* Skip Creation Date */ + proto_tree_add_text(tree, offset, 2, "Dialect Index: %u, PC NETWORK PROTGRAM 1.0", dialect); - /* Build display for: Open Function */ + } - OpenFunction = GSHORT(pd, offset); + } + + offset += 2; + + bcc = GSHORT(pd, offset); if (tree) { - ti = proto_tree_add_text(tree, offset, 2, "Open Function: 0x%02x", OpenFunction); - OpenFunction_tree = proto_item_add_subtree(ti, ETT_SMB_OPENFUNCTION); - proto_tree_add_text(OpenFunction_tree, offset, 2, "%s", - decode_enumerated_bitfield(OpenFunction, 0x10, 16, OpenFunction_0x10, "%s")); - proto_tree_add_text(OpenFunction_tree, offset, 2, "%s", - decode_enumerated_bitfield(OpenFunction, 0x03, 16, OpenFunction_0x03, "%s")); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); } - offset += 2; /* Skip Open Function */ - - /* Build display for: Allocated Size */ + break; - AllocatedSize = GWORD(pd, offset); + case 13: /* Greater than Core and up to and incl LANMAN2.1 */ if (tree) { - 
proto_tree_add_text(tree, offset, 4, "Allocated Size: %u", AllocatedSize); + proto_tree_add_text(tree, offset, 2, "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", GSHORT(pd, offset)); } - offset += 4; /* Skip Allocated Size */ + /* Much of this is similar to response 17 below */ - /* Build display for: Reserved1 */ + offset += 2; - Reserved1 = GWORD(pd, offset); + mode = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 4, "Reserved1: %u", Reserved1); + ti = proto_tree_add_text(tree, offset, 2, "Security Mode: 0x%04x", mode); + mode_tree = proto_item_add_subtree(ti, ETT_SMB_MODE); + proto_tree_add_text(mode_tree, offset, 2, "%s", + decode_boolean_bitfield(mode, 0x0001, 16, + "Security = User", + "Security = Share")); + proto_tree_add_text(mode_tree, offset, 2, "%s", + decode_boolean_bitfield(mode, 0x0002, 16, + "Passwords = Encrypted", + "Passwords = Plaintext")); } - offset += 4; /* Skip Reserved1 */ - - /* Build display for: Reserved2 */ - - Reserved2 = GWORD(pd, offset); + offset += 2; if (tree) { - proto_tree_add_text(tree, offset, 4, "Reserved2: %u", Reserved2); + proto_tree_add_text(tree, offset, 2, "Max buffer size: %u", GSHORT(pd, offset)); } - offset += 4; /* Skip Reserved2 */ + offset += 2; - /* Build display for: Byte Count */ + if (tree) { - ByteCount = GSHORT(pd, offset); + proto_tree_add_text(tree, offset, 2, "Max multiplex count: %u", GSHORT(pd, offset)); + + } + + offset += 2; if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count: %u", ByteCount); + proto_tree_add_text(tree, offset, 2, "Max vcs: %u", GSHORT(pd, offset)); } - offset += 2; /* Skip Byte Count */ - - /* Build display for: Buffer Format */ + offset += 2; - /* BufferFormat = GBYTE(pd, offset); + rawmode = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Buffer Format: %u", BufferFormat); + ti = proto_tree_add_text(tree, offset, 2, "Raw Mode: 0x%04x", rawmode); + rawmode_tree = proto_item_add_subtree(ti, 
ETT_SMB_RAWMODE); + proto_tree_add_text(rawmode_tree, offset, 2, "%s", + decode_boolean_bitfield(rawmode, 0x01, 16, + "Read Raw supported", + "Read Raw not supported")); + proto_tree_add_text(rawmode_tree, offset, 2, "%s", + decode_boolean_bitfield(rawmode, 0x02, 16, + "Write Raw supported", + "Write Raw not supported")); } - offset += 1;*/ /* Skip Buffer Format */ - - /* Build display for: File Name */ - - FileName = pd + offset; + offset += 2; if (tree) { - proto_tree_add_text(tree, offset, strlen(FileName) + 1, "File Name: %s", FileName); + proto_tree_add_text(tree, offset, 4, "Session key: %08x", GWORD(pd, offset)); } - offset += strlen(FileName) + 1; /* Skip File Name */ + offset += 4; + /* Now the server time, two short parameters ... */ - if (AndXCommand != 0xFF) { + if (tree) { - (dissect[AndXCommand])(pd, offset, fd, tree, max_data, dirn); + proto_tree_add_text(tree, offset, 2, "Server Time: %s", + dissect_dos_time(GSHORT(pd, offset))); + proto_tree_add_text(tree, offset + 2, 2, "Server Date: %s", + dissect_dos_date(GSHORT(pd, offset + 2))); } - } - - if (dirn == 0) { /* Response(s) dissect code */ - - /* Build display for: Word Count (WCT) */ + offset += 4; - WordCount = GBYTE(pd, offset); + /* Server Time Zone, SHORT */ if (tree) { - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + proto_tree_add_text(tree, offset, 2, "Server time zone: %i min from UTC", + (signed)GSSHORT(pd, offset)); } - offset += 1; /* Skip Word Count (WCT) */ + offset += 2; - /* Build display for: AndXCommand */ + /* Challenge Length */ - AndXCommand = GBYTE(pd, offset); + enckeylen = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "AndXCommand: %u", AndXCommand); + proto_tree_add_text(tree, offset, 2, "Challenge Length: %u", enckeylen); } - offset += 1; /* Skip AndXCommand */ - - /* Build display for: AndXReserved */ - - AndXReserved = GBYTE(pd, offset); + offset += 2; if (tree) { - proto_tree_add_text(tree, offset, 1, "AndXReserved: 
%u", AndXReserved); + proto_tree_add_text(tree, offset, 2, "Reserved: %u (MBZ)", GSHORT(pd, offset)); } - offset += 1; /* Skip AndXReserved */ - - /* Build display for: AndXOffset */ + offset += 2; - AndXOffset = GSHORT(pd, offset); + bcc = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "AndXOffset: %u", AndXOffset); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); } - offset += 2; /* Skip AndXOffset */ + offset += 2; - /* Build display for: FID */ + if (enckeylen) { /* only if non-zero key len */ - FID = GSHORT(pd, offset); + str = pd + offset; - if (tree) { + if (tree) { - proto_tree_add_text(tree, offset, 2, "FID: %u", FID); + proto_tree_add_text(tree, offset, enckeylen, "Challenge: %s", + bytes_to_str(str, enckeylen)); + } - } + offset += enckeylen; - offset += 2; /* Skip FID */ + } - /* Build display for: Attributed */ + /* Primary Domain ... */ - Attributed = GSHORT(pd, offset); + str = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 2, "Attributed: %u", Attributed); + proto_tree_add_text(tree, offset, strlen(str)+1, "Primary Domain: %s", str); } - offset += 2; /* Skip Attributed */ - - /* Build display for: Last Write Time */ + break; - LastWriteTime = GSHORT(pd, offset); + case 17: /* Greater than LANMAN2.1 */ if (tree) { - proto_tree_add_text(tree, offset, 2, "Last Write Time: %s", dissect_dos_time(LastWriteTime)); + proto_tree_add_text(tree, offset, 2, "Dialect Index: %u, Greater than LANMAN2.1", GSHORT(pd, offset)); } - offset += 2; /* Skip Last Write Time */ - - /* Build display for: Last Write Date */ + offset += 2; - LastWriteDate = GSHORT(pd, offset); + mode = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Last Write Date: %s", dissect_dos_date(LastWriteDate)); + ti = proto_tree_add_text(tree, offset, 1, "Security Mode: 0x%02x", mode); + mode_tree = proto_item_add_subtree(ti, ETT_SMB_MODE); + proto_tree_add_text(mode_tree, offset, 1, "%s", + decode_boolean_bitfield(mode, 
0x01, 8, + "Security = User", + "Security = Share")); + proto_tree_add_text(mode_tree, offset, 1, "%s", + decode_boolean_bitfield(mode, 0x02, 8, + "Passwords = Encrypted", + "Passwords = Plaintext")); + proto_tree_add_text(mode_tree, offset, 1, "%s", + decode_boolean_bitfield(mode, 0x04, 8, + "Security signatures enabled", + "Security signatures not enabled")); + proto_tree_add_text(mode_tree, offset, 1, "%s", + decode_boolean_bitfield(mode, 0x08, 8, + "Security signatures required", + "Security signatures not required")); } - offset += 2; /* Skip Last Write Date */ - - /* Build display for: Data Size */ - - DataSize = GWORD(pd, offset); + offset += 1; if (tree) { - proto_tree_add_text(tree, offset, 4, "Data Size: %u", DataSize); + proto_tree_add_text(tree, offset, 2, "Max multiplex count: %u", GSHORT(pd, offset)); } + + offset += 2; - offset += 4; /* Skip Data Size */ + if (tree) { - /* Build display for: Granted Access */ + proto_tree_add_text(tree, offset, 2, "Max vcs: %u", GSHORT(pd, offset)); - GrantedAccess = GSHORT(pd, offset); + } + + offset += 2; if (tree) { - proto_tree_add_text(tree, offset, 2, "Granted Access: %u", GrantedAccess); + proto_tree_add_text(tree, offset, 2, "Max buffer size: %u", GWORD(pd, offset)); } - offset += 2; /* Skip Granted Access */ + offset += 4; - /* Build display for: File Type */ + if (tree) { - FileType = GSHORT(pd, offset); + proto_tree_add_text(tree, offset, 4, "Max raw size: %u", GWORD(pd, offset)); + + } + + offset += 4; if (tree) { - proto_tree_add_text(tree, offset, 2, "File Type: %u", FileType); + proto_tree_add_text(tree, offset, 4, "Session key: %08x", GWORD(pd, offset)); } - offset += 2; /* Skip File Type */ + offset += 4; - /* Build display for: Device State */ + caps = GWORD(pd, offset); - DeviceState = GSHORT(pd, offset); + if (tree) { + + ti = proto_tree_add_text(tree, offset, 4, "Capabilities: 0x%04x", caps); + caps_tree = proto_item_add_subtree(ti, ETT_SMB_CAPABILITIES); + proto_tree_add_text(caps_tree, offset, 
4, "%s", + decode_boolean_bitfield(caps, 0x0001, 32, + "Raw Mode supported", + "Raw Mode not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0002, 32, + "MPX Mode supported", + "MPX Mode not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0004, 32, + "Unicode supported", + "Unicode not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0008, 32, + "Large files supported", + "Large files not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0010, 32, + "NT LM 0.12 SMBs supported", + "NT LM 0.12 SMBs not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0020, 32, + "RPC remote APIs supported", + "RPC remote APIs not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0040, 32, + "NT status codes supported", + "NT status codes not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0080, 32, + "Level 2 OpLocks supported", + "Level 2 OpLocks not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0100, 32, + "Lock&Read supported", + "Lock&Read not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x0200, 32, + "NT Find supported", + "NT Find not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x1000, 32, + "DFS supported", + "DFS not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x4000, 32, + "Large READX supported", + "Large READX not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + decode_boolean_bitfield(caps, 0x8000, 32, + "Large WRITEX supported", + "Large WRITEX not supported")); + proto_tree_add_text(caps_tree, offset, 4, "%s", + 
decode_boolean_bitfield(caps, 0x80000000, 32, + "Extended security exchanges supported", + "Extended security exchanges not supported")); + } + + offset += 4; + + /* Server time, 2 WORDS */ if (tree) { - proto_tree_add_text(tree, offset, 2, "Device State: %u", DeviceState); + proto_tree_add_text(tree, offset, 4, "System Time Low: 0x%08x", GWORD(pd, offset)); + proto_tree_add_text(tree, offset + 4, 4, "System Time High: 0x%08x", GWORD(pd, offset + 4)); } - offset += 2; /* Skip Device State */ - - /* Build display for: Action */ + offset += 8; - Action = GSHORT(pd, offset); + /* Server Time Zone, SHORT */ if (tree) { - proto_tree_add_text(tree, offset, 2, "Action: %u", Action); + proto_tree_add_text(tree, offset, 2, "Server time zone: %i min from UTC", + (signed)GSSHORT(pd, offset)); } - offset += 2; /* Skip Action */ + offset += 2; - /* Build display for: Server FID */ + /* Encryption key len */ - ServerFID = GWORD(pd, offset); + enckeylen = pd[offset]; if (tree) { - proto_tree_add_text(tree, offset, 4, "Server FID: %u", ServerFID); + proto_tree_add_text(tree, offset, 1, "Encryption key len: %u", enckeylen); } - offset += 4; /* Skip Server FID */ - - /* Build display for: Reserved */ + offset += 1; - Reserved = GSHORT(pd, offset); + bcc = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Reserved: %u", Reserved); + proto_tree_add_text(tree, offset, 2, "Byte count (BCC): %u", bcc); } - offset += 2; /* Skip Reserved */ + offset += 2; - /* Build display for: Byte Count */ + if (enckeylen) { /* only if non-zero key len */ - ByteCount = GSHORT(pd, offset); + /* Encryption challenge key */ - if (tree) { + str = pd + offset; - proto_tree_add_text(tree, offset, 2, "Byte Count: %u", ByteCount); + if (tree) { + + proto_tree_add_text(tree, offset, enckeylen, "Challenge encryption key: %s", + bytes_to_str(str, enckeylen)); + + } + + offset += enckeylen; } - offset += 2; /* Skip Byte Count */ + /* The domain, a null terminated string; Unicode if "caps" has 
+ the 0x0004 bit set, ASCII (OEM character set) otherwise. + XXX - for now, we just handle the ISO 8859-1 subset of Unicode. */ + str = pd + offset; - if (AndXCommand != 0xFF) { + if (tree) { - (dissect[AndXCommand])(pd, offset, fd, tree, max_data, dirn); + if (caps & 0x0004) { + ustr = unicode_to_str(str, &ustr_len); + proto_tree_add_text(tree, offset, ustr_len+2, "OEM domain name: %s", ustr); + } else { + proto_tree_add_text(tree, offset, strlen(str)+1, "OEM domain name: %s", str); + } } + break; + + default: /* Baddd */ + + if (tree) + proto_tree_add_text(tree, offset, 1, "Bad format, should never get here"); + return; + } } void -dissect_tcon_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) +dissect_deletedir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) { - guint8 wct, andxcmd; - guint16 andxoffs, flags, passwdlen, bcc, optionsup; - const char *str; - proto_tree *flags_tree; - proto_item *ti; + guint8 WordCount; + guint8 BufferFormat; + guint16 ByteCount; + const char *DirectoryName; - wct = pd[offset]; + if (dirn == 1) { /* Request(s) dissect code */ - /* Now figure out what format we are talking about, 2, 3, or 4 response - * words ... - */ + /* Build display for: Word Count (WCT) */ - if (!((dirn == 1) && (wct == 4)) && !((dirn == 0) && (wct == 2)) && - !((dirn == 0) && (wct == 3))) { + WordCount = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Invalid TCON_ANDX format. 
WCT should be 2, 3, or 4 ..., not %u", wct); + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); - proto_tree_add_text(tree, offset, END_OF_FRAME, "Data"); + } - return; + offset += 1; /* Skip Word Count (WCT) */ + + /* Build display for: Byte Count (BCC) */ + + ByteCount = GSHORT(pd, offset); + + if (tree) { + + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); } - - } - if (tree) { + offset += 2; /* Skip Byte Count (BCC) */ - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", wct); + /* Build display for: Buffer Format */ - } + BufferFormat = GBYTE(pd, offset); - offset += 1; + if (tree) { - andxcmd = pd[offset]; + proto_tree_add_text(tree, offset, 1, "Buffer Format: %u", BufferFormat); - if (tree) { + } - proto_tree_add_text(tree, offset, 1, "Next Command: %s", - (andxcmd == 0xFF) ? "No further commands": - decode_smb_name(andxcmd)); - - proto_tree_add_text(tree, offset + 1, 1, "Reserved (MBZ): %u", pd[offset+1]); + offset += 1; /* Skip Buffer Format */ - } + /* Build display for: Directory Name */ - offset += 2; + DirectoryName = pd + offset; - andxoffs = GSHORT(pd, offset); + if (tree) { - if (tree) { + proto_tree_add_text(tree, offset, strlen(DirectoryName) + 1, "Directory Name: %s", DirectoryName); - proto_tree_add_text(tree, offset, 2, "Offset to next command: %u", andxoffs); + } - } + offset += strlen(DirectoryName) + 1; /* Skip Directory Name */ - offset += 2; + } - switch (wct) { + if (dirn == 0) { /* Response(s) dissect code */ - case 4: + /* Build display for: Word Count (WCT) */ - flags = GSHORT(pd, offset); + WordCount = GBYTE(pd, offset); if (tree) { - ti = proto_tree_add_text(tree, offset, 2, "Additional Flags: 0x%02x", flags); - flags_tree = proto_item_add_subtree(ti, ETT_SMB_AFLAGS); - proto_tree_add_text(flags_tree, offset, 2, "%s", - decode_boolean_bitfield(flags, 0x01, 16, - "Disconnect TID", - "Don't disconnect TID")); + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", 
WordCount); } - offset += 2; + offset += 1; /* Skip Word Count (WCT) */ - passwdlen = GSHORT(pd, offset); + /* Build display for: Byte Count (BCC) */ + + ByteCount = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Password Length: %u", passwdlen); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); } - offset += 2; + offset += 2; /* Skip Byte Count (BCC) */ - bcc = GSHORT(pd, offset); + } - if (tree) { +} - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); +void +dissect_createdir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) - } +{ + guint8 WordCount; + guint8 BufferFormat; + guint16 ByteCount; + const char *DirectoryName; - offset += 2; + if (dirn == 1) { /* Request(s) dissect code */ - str = pd + offset; + /* Build display for: Word Count (WCT) */ + + WordCount = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, strlen(str) + 1, "Password: %s", str); + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); } - offset += strlen(str) + 1; + offset += 1; /* Skip Word Count (WCT) */ - str = pd + offset; + /* Build display for: Byte Count (BCC) */ + + ByteCount = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, strlen(str) + 1, "Path: %s", str); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); } - offset += strlen(str) + 1; + offset += 2; /* Skip Byte Count (BCC) */ - str = pd + offset; + /* Build display for: Buffer Format */ + + BufferFormat = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, strlen(str) + 1, "Service: %s", str); + proto_tree_add_text(tree, offset, 1, "Buffer Format: %u", BufferFormat); } - break; - - case 2: + offset += 1; /* Skip Buffer Format */ - offset += 2; + /* Build display for: Directory Name */ - bcc = GSHORT(pd, offset); + DirectoryName = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); + 
proto_tree_add_text(tree, offset, strlen(DirectoryName) + 1, "Directory Name: %s", DirectoryName); } - offset += 2; + offset += strlen(DirectoryName) + 1; /* Skip Directory Name */ - str = pd + offset; + } - if (tree) { - - proto_tree_add_text(tree, offset, strlen(str) + 1, "Service Type: %s", - str); - - } - - offset += strlen(str) + 1; - - break; - - case 3: - - optionsup = GSHORT(pd, offset); - - if (tree) { /* Should break out the bits */ - - proto_tree_add_text(tree, offset, 2, "Optional Support: 0x%04x", - optionsup); - - } + if (dirn == 0) { /* Response(s) dissect code */ - offset += 2; + /* Build display for: Word Count (WCT) */ - bcc = GSHORT(pd, offset); + WordCount = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); } - offset += 2; - - str = pd + offset; - - if (tree) { - - proto_tree_add_text(tree, offset, strlen(str) + 1, "Service: %s", str); - - } + offset += 1; /* Skip Word Count (WCT) */ - offset += strlen(str) + 1; + /* Build display for: Byte Count (BCC) */ - str = pd + offset; + ByteCount = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, strlen(str) + 1, "Native File System: %s", str); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); } - offset += strlen(str) + 1; - - - break; - - default: + offset += 2; /* Skip Byte Count (BCC) */ } - if (andxcmd != 0xFF) /* Process that next command ... ??? 
*/ - - (dissect[andxcmd])(pd, offset, fd, tree, max_data - offset, dirn); - } -void -dissect_negprot_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) -{ - guint8 wct, enckeylen; - guint16 bcc, mode, rawmode, dialect; - guint32 Capabilities; - proto_tree *dialects = NULL, *mode_tree, *Capabilities_tree, *rawmode_tree; - proto_item *ti; - const char *str; - char *ustr; - int ustr_len; - - wct = pd[offset]; /* Should be 0, 1 or 13 or 17, I think */ - - if (!((wct == 0) && (dirn == 1)) && !((wct == 1) && (dirn == 0)) && - !((wct == 13) && (dirn == 0)) && !((wct == 17) && (dirn == 0))) { - if (tree) { - - proto_tree_add_text(tree, offset, 1, "Invalid Negotiate Protocol format. WCT should be zero or 1 or 13 or 17 ..., not %u", wct); - - proto_tree_add_text(tree, offset, END_OF_FRAME, "Data"); - - return; - } - } - - if (tree) { - - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %d", wct); - - } - - offset += 1; - - /* Now decode the various formats ... 
*/ - - switch (wct) { - - case 0: /* A request */ - - bcc = GSHORT(pd, offset); +void +dissect_checkdir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) - if (tree) { +{ + guint8 WordCount; + guint8 BufferFormat; + guint16 ByteCount; + const char *DirectoryName; - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); + if (dirn == 1) { /* Request(s) dissect code */ - } + /* Build display for: Word Count (WCT) */ - offset += 2; + WordCount = GBYTE(pd, offset); if (tree) { - ti = proto_tree_add_text(tree, offset, END_OF_FRAME, "Dialects"); - dialects = proto_item_add_subtree(ti, ETT_SMB_DIALECTS); - - } - - while (fd->cap_len > offset) { - const char *str; - - if (tree) { - - proto_tree_add_text(dialects, offset, 1, "Dialect Marker: %d", pd[offset]); - - } - - offset += 1; - - str = pd + offset; - - if (tree) { - - proto_tree_add_text(dialects, offset, strlen(str)+1, "Dialect: %s", str); - - } - - offset += strlen(str) + 1; - - } - break; - - case 1: /* PC NETWORK PROGRAM 1.0 */ - - dialect = GSHORT(pd, offset); - - if (tree) { /* Hmmmm, what if none of the dialects is recognized */ - - if (dialect == 0xFFFF) { /* Server didn't like them dialects */ - - proto_tree_add_text(tree, offset, 2, "Supplied dialects not recognized"); - - } - else { - - proto_tree_add_text(tree, offset, 2, "Dialect Index: %u, PC NETWORK PROTGRAM 1.0", dialect); - - } + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); } - offset += 2; - - bcc = GSHORT(pd, offset); - - if (tree) { - - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); - - } + offset += 1; /* Skip Word Count (WCT) */ - break; + /* Build display for: Byte Count (BCC) */ - case 13: /* Greater than Core and up to and incl LANMAN2.1 */ + ByteCount = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Dialect Index: %u, Greater than CORE PROTOCOL and up to LANMAN2.1", GSHORT(pd, offset)); + proto_tree_add_text(tree, 
offset, 2, "Byte Count (BCC): %u", ByteCount); } - /* Much of this is similar to response 17 below */ + offset += 2; /* Skip Byte Count (BCC) */ - offset += 2; + /* Build display for: Buffer Format */ - mode = GSHORT(pd, offset); + BufferFormat = GBYTE(pd, offset); if (tree) { - ti = proto_tree_add_text(tree, offset, 2, "Security Mode: 0x%04x", mode); - mode_tree = proto_item_add_subtree(ti, ETT_SMB_MODE); - proto_tree_add_text(mode_tree, offset, 2, "%s", - decode_boolean_bitfield(mode, 0x0001, 16, - "Security = User", - "Security = Share")); - proto_tree_add_text(mode_tree, offset, 2, "%s", - decode_boolean_bitfield(mode, 0x0002, 16, - "Passwords = Encrypted", - "Passwords = Plaintext")); + proto_tree_add_text(tree, offset, 1, "Buffer Format: %u", BufferFormat); } - offset += 2; - - if (tree) { - - proto_tree_add_text(tree, offset, 2, "Max buffer size: %u", GSHORT(pd, offset)); + offset += 1; /* Skip Buffer Format */ - } + /* Build display for: Directory Name */ - offset += 2; + DirectoryName = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, 2, "Max multiplex count: %u", GSHORT(pd, offset)); + proto_tree_add_text(tree, offset, strlen(DirectoryName) + 1, "Directory Name: %s", DirectoryName); } - - offset += 2; - if (tree) { + offset += strlen(DirectoryName) + 1; /* Skip Directory Name */ - proto_tree_add_text(tree, offset, 2, "Max vcs: %u", GSHORT(pd, offset)); + } - } + if (dirn == 0) { /* Response(s) dissect code */ - offset += 2; + /* Build display for: Word Count (WCT) */ - rawmode = GSHORT(pd, offset); + WordCount = GBYTE(pd, offset); if (tree) { - ti = proto_tree_add_text(tree, offset, 2, "Raw Mode: 0x%04x", rawmode); - rawmode_tree = proto_item_add_subtree(ti, ETT_SMB_RAWMODE); - proto_tree_add_text(rawmode_tree, offset, 2, "%s", - decode_boolean_bitfield(rawmode, 0x01, 16, - "Read Raw supported", - "Read Raw not supported")); - proto_tree_add_text(rawmode_tree, offset, 2, "%s", - decode_boolean_bitfield(rawmode, 0x02, 16, - "Write Raw 
supported", - "Write Raw not supported")); + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); } - offset += 2; - - if (tree) { - - proto_tree_add_text(tree, offset, 4, "Session key: %08x", GWORD(pd, offset)); - - } + offset += 1; /* Skip Word Count (WCT) */ - offset += 4; + /* Build display for: Byte Count (BCC) */ - /* Now the server time, two short parameters ... */ + ByteCount = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Server Time: %s", - dissect_dos_time(GSHORT(pd, offset))); - proto_tree_add_text(tree, offset + 2, 2, "Server Date: %s", - dissect_dos_date(GSHORT(pd, offset + 2))); + proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); } - offset += 4; + offset += 2; /* Skip Byte Count (BCC) */ - /* Server Time Zone, SHORT */ + } - if (tree) { +} - proto_tree_add_text(tree, offset, 2, "Server time zone: %i min from UTC", - (signed)GSSHORT(pd, offset)); +void +dissect_open_andx_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) - } +{ + static const value_string OpenFunction_0x10[] = { + { 0, "Fail if file does not exist"}, + { 16, "Create file if it does not exist"}, + { 0, NULL} + }; + static const value_string OpenFunction_0x03[] = { + { 0, "Fail if file exists"}, + { 1, "Open file if it exists"}, + { 2, "Truncate File if it exists"}, + { 0, NULL} + }; + static const value_string FileType_0xFFFF[] = { + { 0, "Disk file or directory"}, + { 1, "Named pipe in byte mode"}, + { 2, "Named pipe in message mode"}, + { 3, "Spooled printer"}, + { 0, NULL} + }; + static const value_string DesiredAccess_0x70[] = { + { 00, "Compatibility mode"}, + { 16, "Deny read/write/execute (exclusive)"}, + { 32, "Deny write"}, + { 48, "Deny read/execute"}, + { 64, "Deny none"}, + { 0, NULL} + }; + static const value_string DesiredAccess_0x700[] = { + { 0, "Locality of reference unknown"}, + { 256, "Mainly sequential access"}, + { 512, "Mainly random access"}, + { 768, 
"Random access with some locality"}, + {0, NULL} + }; + static const value_string DesiredAccess_0x4000[] = { + { 0, "Write through mode disabled"}, + { 16384, "Write through mode enabled"}, + {0, NULL} + }; + static const value_string DesiredAccess_0x1000[] = { + { 0, "Normal file (caching permitted)"}, + { 4096, "Do not cache this file"}, + {0, NULL} + }; + static const value_string DesiredAccess_0x07[] = { + { 0, "Open for reading"}, + { 1, "Open for writing"}, + { 2, "Open for reading and writing"}, + { 3, "Open for execute"}, + {0, NULL} + }; + static const value_string Action_0x8000[] = { + { 0, "File opened by another user (or mode not supported by server)"}, + { 32768, "File is opened only by this user at present"}, + {0, NULL} + }; + static const value_string Action_0x0003[] = { + { 0, "No action taken?"}, + { 1, "The file existed and was opened"}, + { 2, "The file did not exist but was created"}, + { 3, "The file existed and was truncated"}, + {0, NULL} + }; + proto_tree *Search_tree; + proto_tree *OpenFunction_tree; + proto_tree *Flags_tree; + proto_tree *File_tree; + proto_tree *FileType_tree; + proto_tree *FileAttributes_tree; + proto_tree *DesiredAccess_tree; + proto_tree *Action_tree; + proto_item *ti; + guint8 WordCount; + guint8 BufferFormat; + guint8 AndXReserved; + guint8 AndXCommand; + guint32 ServerFID; + guint32 Reserved2; + guint32 Reserved1; + guint32 DataSize; + guint32 AllocatedSize; + guint16 Search; + guint16 Reserved; + guint16 OpenFunction; + guint16 LastWriteTime; + guint16 LastWriteDate; + guint16 GrantedAccess; + guint16 Flags; + guint16 FileType; + guint16 FileAttributes; + guint16 File; + guint16 FID; + guint16 DeviceState; + guint16 DesiredAccess; + guint16 CreationTime; + guint16 CreationDate; + guint16 ByteCount; + guint16 AndXOffset; + guint16 Action; + const char *FileName; - offset += 2; + if (dirn == 1) { /* Request(s) dissect code */ - /* Challenge Length */ + /* Build display for: Word Count (WCT) */ - enckeylen = 
GSHORT(pd, offset); + WordCount = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Challenge Length: %u", enckeylen); + proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); } - offset += 2; - - if (tree) { - - proto_tree_add_text(tree, offset, 2, "Reserved: %u (MBZ)", GSHORT(pd, offset)); - - } + offset += 1; /* Skip Word Count (WCT) */ - offset += 2; + /* Build display for: AndXCommand */ - bcc = GSHORT(pd, offset); + AndXCommand = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", bcc); - - } - - offset += 2; - - if (enckeylen) { /* only if non-zero key len */ - - str = pd + offset; - - if (tree) { - - proto_tree_add_text(tree, offset, enckeylen, "Challenge: %s", - bytes_to_str(str, enckeylen)); - } - - offset += enckeylen; + proto_tree_add_text(tree, offset, 1, "AndXCommand: %u", AndXCommand); } - /* Primary Domain ... */ - - str = pd + offset; - - if (tree) { - - proto_tree_add_text(tree, offset, strlen(str)+1, "Primary Domain: %s", str); - - } + offset += 1; /* Skip AndXCommand */ - break; + /* Build display for: AndXReserved */ - case 17: /* Greater than LANMAN2.1 */ + AndXReserved = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Dialect Index: %u, Greater than LANMAN2.1", GSHORT(pd, offset)); + proto_tree_add_text(tree, offset, 1, "AndXReserved: %u", AndXReserved); } - offset += 2; - - mode = GBYTE(pd, offset); - - if (tree) { - - ti = proto_tree_add_text(tree, offset, 1, "Security Mode: 0x%02x", mode); - mode_tree = proto_item_add_subtree(ti, ETT_SMB_MODE); - proto_tree_add_text(mode_tree, offset, 1, "%s", - decode_boolean_bitfield(mode, 0x01, 8, - "Security = User", - "Security = Share")); - proto_tree_add_text(mode_tree, offset, 1, "%s", - decode_boolean_bitfield(mode, 0x02, 8, - "Passwords = Encrypted", - "Passwords = Plaintext")); - proto_tree_add_text(mode_tree, offset, 1, "%s", - decode_boolean_bitfield(mode, 0x04, 8, - "Security signatures 
enabled", - "Security signatures not enabled")); - proto_tree_add_text(mode_tree, offset, 1, "%s", - decode_boolean_bitfield(mode, 0x08, 8, - "Security signatures required", - "Security signatures not required")); + offset += 1; /* Skip AndXReserved */ - } + /* Build display for: AndXOffset */ - offset += 1; + AndXOffset = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Max multiplex count: %u", GSHORT(pd, offset)); + proto_tree_add_text(tree, offset, 2, "AndXOffset: %u", AndXOffset); } - - offset += 2; - if (tree) { - - proto_tree_add_text(tree, offset, 2, "Max vcs: %u", GSHORT(pd, offset)); + offset += 2; /* Skip AndXOffset */ - } + /* Build display for: Flags */ - offset += 2; + Flags = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Max buffer size: %u", GWORD(pd, offset)); - - } - - offset += 4; - - if (tree) { + ti = proto_tree_add_text(tree, offset, 2, "Flags: 0x%02x", Flags); + Flags_tree = proto_item_add_subtree(ti, ETT_SMB_FLAGS); + proto_tree_add_text(Flags_tree, offset, 2, "%s", + decode_boolean_bitfield(Flags, 0x01, 16, "Dont Return Additional Info", "Return Additional Info")); + proto_tree_add_text(Flags_tree, offset, 2, "%s", + decode_boolean_bitfield(Flags, 0x02, 16, "Exclusive OpLock not Requested", "Exclusive OpLock Requested")); + proto_tree_add_text(Flags_tree, offset, 2, "%s", + decode_boolean_bitfield(Flags, 0x04, 16, "Batch OpLock not Requested", "Batch OpLock Requested")); + +} - proto_tree_add_text(tree, offset, 4, "Max raw size: %u", GWORD(pd, offset)); + offset += 2; /* Skip Flags */ - } + /* Build display for: Desired Access */ - offset += 4; + DesiredAccess = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 4, "Session key: %08x", GWORD(pd, offset)); - - } - - offset += 4; - - Capabilities = GWORD(pd, offset); - - if (tree) { + ti = proto_tree_add_text(tree, offset, 2, "Desired Access: 0x%02x", DesiredAccess); + DesiredAccess_tree = proto_item_add_subtree(ti, 
ETT_SMB_DESIREDACCESS); + proto_tree_add_text(DesiredAccess_tree, offset, 2, "%s", + decode_enumerated_bitfield(DesiredAccess, 0x07, 16, DesiredAccess_0x07, "%s")); + proto_tree_add_text(DesiredAccess_tree, offset, 2, "%s", + decode_enumerated_bitfield(DesiredAccess, 0x70, 16, DesiredAccess_0x70, "%s")); + proto_tree_add_text(DesiredAccess_tree, offset, 2, "%s", + decode_enumerated_bitfield(DesiredAccess, 0x700, 16, DesiredAccess_0x700, "%s")); + proto_tree_add_text(DesiredAccess_tree, offset, 2, "%s", + decode_enumerated_bitfield(DesiredAccess, 0x1000, 16, DesiredAccess_0x1000, "%s")); + proto_tree_add_text(DesiredAccess_tree, offset, 2, "%s", + decode_enumerated_bitfield(DesiredAccess, 0x4000, 16, DesiredAccess_0x4000, "%s")); + +} - ti = proto_tree_add_text(tree, offset, 4, "Capabilities: 0x%04x", Capabilities); - Capabilities_tree = proto_item_add_subtree(ti, ETT_SMB_CAPABILITIES); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0001, 32, - "Raw Mode supported", - "Raw Mode not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0002, 32, - "MPX Mode supported", - "MPX Mode not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0004, 32, - "Unicode supported", - "Unicode not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0008, 32, - "Large files supported", - "Large files not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0010, 32, - "NT LM 0.12 SMBs supported", - "NT LM 0.12 SMBs not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0020, 32, - "RPC remote APIs supported", - "RPC remote APIs not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - 
decode_boolean_bitfield(Capabilities, 0x0040, 32, - "NT status codes supported", - "NT status codes not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0080, 32, - "Level 2 OpLocks supported", - "Level 2 OpLocks not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0100, 32, - "Lock&Read supported", - "Lock&Read not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x0200, 32, - "NT Find supported", - "NT Find not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x1000, 32, - "DFS supported", - "DFS not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x4000, 32, - "Large READX supported", - "Large READX not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x8000, 32, - "Large WRITEX supported", - "Large WRITEX not supported")); - proto_tree_add_text(Capabilities_tree, offset, 4, "%s", - decode_boolean_bitfield(Capabilities, 0x80000000, 32, - "Extended security exchanges supported", - "Extended security exchanges not supported")); - } + offset += 2; /* Skip Desired Access */ - offset += 4; + /* Build display for: Search */ - /* Server time, 2 WORDS */ + Search = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 4, "System Time Low: 0x%08x", GWORD(pd, offset)); - proto_tree_add_text(tree, offset + 4, 4, "System Time High: 0x%08x", GWORD(pd, offset + 4)); + ti = proto_tree_add_text(tree, offset, 2, "Search: 0x%02x", Search); + Search_tree = proto_item_add_subtree(ti, ETT_SMB_SEARCH); + proto_tree_add_text(Search_tree, offset, 2, "%s", + decode_boolean_bitfield(Search, 0x01, 16, "Read only file", "Not a read only file")); + proto_tree_add_text(Search_tree, offset, 2, "%s", + 
decode_boolean_bitfield(Search, 0x02, 16, "Hidden file", "Not a hidden file")); + proto_tree_add_text(Search_tree, offset, 2, "%s", + decode_boolean_bitfield(Search, 0x04, 16, "System file", "Not a system file")); + proto_tree_add_text(Search_tree, offset, 2, "%s", + decode_boolean_bitfield(Search, 0x08, 16, " Volume", "Not a volume")); + proto_tree_add_text(Search_tree, offset, 2, "%s", + decode_boolean_bitfield(Search, 0x10, 16, " Directory", "Not a directory")); + proto_tree_add_text(Search_tree, offset, 2, "%s", + decode_boolean_bitfield(Search, 0x20, 16, "Archive file", "Do not archive file")); + +} - } + offset += 2; /* Skip Search */ - offset += 8; + /* Build display for: File */ - /* Server Time Zone, SHORT */ + File = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Server time zone: %i min from UTC", - (signed)GSSHORT(pd, offset)); - - } + ti = proto_tree_add_text(tree, offset, 2, "File: 0x%02x", File); + File_tree = proto_item_add_subtree(ti, ETT_SMB_FILE); + proto_tree_add_text(File_tree, offset, 2, "%s", + decode_boolean_bitfield(File, 0x01, 16, "Read only file", "Not a read only file")); + proto_tree_add_text(File_tree, offset, 2, "%s", + decode_boolean_bitfield(File, 0x02, 16, "Hidden file", "Not a hidden file")); + proto_tree_add_text(File_tree, offset, 2, "%s", + decode_boolean_bitfield(File, 0x04, 16, "System file", "Not a system file")); + proto_tree_add_text(File_tree, offset, 2, "%s", + decode_boolean_bitfield(File, 0x08, 16, " Volume", "Not a volume")); + proto_tree_add_text(File_tree, offset, 2, "%s", + decode_boolean_bitfield(File, 0x10, 16, " Directory", "Not a directory")); + proto_tree_add_text(File_tree, offset, 2, "%s", + decode_boolean_bitfield(File, 0x20, 16, "Archive file", "Do not archive file")); + +} - offset += 2; + offset += 2; /* Skip File */ - /* Encryption key len */ + /* Build display for: Creation Time */ - enckeylen = pd[offset]; + CreationTime = GSHORT(pd, offset); if (tree) { - 
proto_tree_add_text(tree, offset, 1, "Encryption key len: %u", enckeylen); + proto_tree_add_text(tree, offset, 2, "Creation Time: %s", dissect_dos_time(CreationTime)); } - offset += 1; + offset += 2; /* Skip Creation Time */ - bcc = GSHORT(pd, offset); + /* Build display for: Creation Date */ + + CreationDate = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte count (BCC): %u", bcc); + proto_tree_add_text(tree, offset, 2, "Creation Date: %s", dissect_dos_date(CreationDate)); } - offset += 2; - - if (enckeylen) { /* only if non-zero key len */ - - /* Encryption challenge key */ - - str = pd + offset; + offset += 2; /* Skip Creation Date */ - if (tree) { + /* Build display for: Open Function */ - proto_tree_add_text(tree, offset, enckeylen, "Challenge encryption key: %s", - bytes_to_str(str, enckeylen)); + OpenFunction = GSHORT(pd, offset); - } + if (tree) { - offset += enckeylen; + ti = proto_tree_add_text(tree, offset, 2, "Open Function: 0x%02x", OpenFunction); + OpenFunction_tree = proto_item_add_subtree(ti, ETT_SMB_OPENFUNCTION); + proto_tree_add_text(OpenFunction_tree, offset, 2, "%s", + decode_enumerated_bitfield(OpenFunction, 0x10, 16, OpenFunction_0x10, "%s")); + proto_tree_add_text(OpenFunction_tree, offset, 2, "%s", + decode_enumerated_bitfield(OpenFunction, 0x03, 16, OpenFunction_0x03, "%s")); + +} - } + offset += 2; /* Skip Open Function */ - /* The domain, a null terminated string; Unicode if "caps" has - the 0x0004 bit set, ASCII (OEM character set) otherwise. - XXX - for now, we just handle the ISO 8859-1 subset of Unicode. 
*/ + /* Build display for: Allocated Size */ - str = pd + offset; + AllocatedSize = GWORD(pd, offset); if (tree) { - if (Capabilities & 0x0004) { - ustr = unicode_to_str(str, &ustr_len); - proto_tree_add_text(tree, offset, ustr_len+2, "OEM domain name: %s", ustr); - } else { - proto_tree_add_text(tree, offset, strlen(str)+1, "OEM domain name: %s", str); - } + proto_tree_add_text(tree, offset, 4, "Allocated Size: %u", AllocatedSize); } - break; - - default: /* Baddd */ + offset += 4; /* Skip Allocated Size */ - if (tree) - proto_tree_add_text(tree, offset, 1, "Bad format, should never get here"); - return; + /* Build display for: Reserved1 */ - } + Reserved1 = GWORD(pd, offset); -} + if (tree) { -void -dissect_deletedir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) + proto_tree_add_text(tree, offset, 4, "Reserved1: %u", Reserved1); -{ - guint8 WordCount; - guint8 BufferFormat; - guint16 ByteCount; - const char *DirectoryName; + } - if (dirn == 1) { /* Request(s) dissect code */ + offset += 4; /* Skip Reserved1 */ - /* Build display for: Word Count (WCT) */ + /* Build display for: Reserved2 */ - WordCount = GBYTE(pd, offset); + Reserved2 = GWORD(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + proto_tree_add_text(tree, offset, 4, "Reserved2: %u", Reserved2); } - offset += 1; /* Skip Word Count (WCT) */ + offset += 4; /* Skip Reserved2 */ - /* Build display for: Byte Count (BCC) */ + /* Build display for: Byte Count */ ByteCount = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + proto_tree_add_text(tree, offset, 2, "Byte Count: %u", ByteCount); } - offset += 2; /* Skip Byte Count (BCC) */ + offset += 2; /* Skip Byte Count */ /* Build display for: Buffer Format */ 
@@ -2614,17 +2514,24 @@ dissect_deletedir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree * offset += 1; /* Skip Buffer Format */ - /* Build display for: Directory Name */ + /* Build display for: File Name */ - DirectoryName = pd + offset; + FileName = pd + offset; if (tree) { - proto_tree_add_text(tree, offset, strlen(DirectoryName) + 1, "Directory Name: %s", DirectoryName); + proto_tree_add_text(tree, offset, strlen(FileName) + 1, "File Name: %s", FileName); } - offset += strlen(DirectoryName) + 1; /* Skip Directory Name */ + offset += strlen(FileName) + 1; /* Skip File Name */ + + + if (AndXCommand != 0xFF) { + + (dissect[AndXCommand])(pd, offset, fd, tree, max_data, dirn); + + } } 
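Review bot: `strlen(FileName)` runs on raw packet bytes with nothing bounding it to the captured frame, so a file name that lacks a terminating NUL makes the dissector read past the end of `pd`. Check for the terminator before `FileName = pd + offset;`, for example `if (fd->cap_len <= offset || memchr(pd + offset, '\0', fd->cap_len - offset) == NULL) return;`. The chained call `(dissect[AndXCommand])(pd, offset, fd, tree, max_data, dirn);` added at the end of this hunk has the same gap, as does the identical call at the end of the next hunk (`@@ -2642,199 +2549,213 @@`). Guarding both with `if (AndXCommand != 0xFF && fd->cap_len > offset)` keeps a packet-supplied command byte from pushing decoding beyond the capture. The enclosing function starts before this hunk; the hunk header names dissect_deletedir_smb, but on the new side these lines appear to belong to the request branch of dissect_open_andx_smb.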
@@ -2642,199 +2549,213 @@ dissect_deletedir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree * offset += 1; /* Skip Word Count (WCT) */ - /* Build display for: Byte Count (BCC) */ + /* Build display for: AndXCommand */ - ByteCount = GSHORT(pd, offset); + AndXCommand = GBYTE(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + proto_tree_add_text(tree, offset, 1, "AndXCommand: %u", AndXCommand); } - offset += 2; /* Skip Byte Count (BCC) */ + offset += 1; /* Skip AndXCommand */ - } + /* Build display for: AndXReserved */ -} + AndXReserved = GBYTE(pd, offset); -void -dissect_createdir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) + if (tree) { -{ - guint8 WordCount; - guint8 BufferFormat; - guint16 ByteCount; - const char *DirectoryName; + proto_tree_add_text(tree, offset, 1, "AndXReserved: %u", AndXReserved); - if (dirn == 1) { /* Request(s) dissect code */ + } - /* Build display for: Word Count (WCT) */ + offset += 1; /* Skip AndXReserved */ - WordCount = GBYTE(pd, offset); + /* Build display for: AndXOffset */ + + AndXOffset = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + proto_tree_add_text(tree, offset, 2, "AndXOffset: %u", AndXOffset); } - offset += 1; /* Skip Word Count (WCT) */ + offset += 2; /* Skip AndXOffset */ - /* Build display for: Byte Count (BCC) */ + /* Build display for: FID */ - ByteCount = GSHORT(pd, offset); + FID = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + proto_tree_add_text(tree, offset, 2, "FID: %u", FID); } - offset += 2; /* Skip Byte Count (BCC) */ + offset += 2; /* Skip FID */ - /* Build display for: Buffer Format */ + /* Build display for: FileAttributes */ - BufferFormat = GBYTE(pd, offset); + FileAttributes = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Buffer Format: %u", 
BufferFormat); - - } + ti = proto_tree_add_text(tree, offset, 2, "FileAttributes: 0x%02x", FileAttributes); + FileAttributes_tree = proto_item_add_subtree(ti, ETT_SMB_FILEATTRIBUTES); + proto_tree_add_text(FileAttributes_tree, offset, 2, "%s", + decode_boolean_bitfield(FileAttributes, 0x01, 16, "Read only file", "Not a read only file")); + proto_tree_add_text(FileAttributes_tree, offset, 2, "%s", + decode_boolean_bitfield(FileAttributes, 0x02, 16, "Hidden file", "Not a hidden file")); + proto_tree_add_text(FileAttributes_tree, offset, 2, "%s", + decode_boolean_bitfield(FileAttributes, 0x04, 16, "System file", "Not a system file")); + proto_tree_add_text(FileAttributes_tree, offset, 2, "%s", + decode_boolean_bitfield(FileAttributes, 0x08, 16, " Volume", "Not a volume")); + proto_tree_add_text(FileAttributes_tree, offset, 2, "%s", + decode_boolean_bitfield(FileAttributes, 0x10, 16, " Directory", "Not a directory")); + proto_tree_add_text(FileAttributes_tree, offset, 2, "%s", + decode_boolean_bitfield(FileAttributes, 0x20, 16, "Archive file", "Do not archive file")); + +} - offset += 1; /* Skip Buffer Format */ + offset += 2; /* Skip FileAttributes */ - /* Build display for: Directory Name */ + /* Build display for: Last Write Time */ - DirectoryName = pd + offset; + LastWriteTime = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, strlen(DirectoryName) + 1, "Directory Name: %s", DirectoryName); + proto_tree_add_text(tree, offset, 2, "Last Write Time: %s", dissect_dos_time(LastWriteTime)); } - offset += strlen(DirectoryName) + 1; /* Skip Directory Name */ - - } - - if (dirn == 0) { /* Response(s) dissect code */ + offset += 2; /* Skip Last Write Time */ - /* Build display for: Word Count (WCT) */ + /* Build display for: Last Write Date */ - WordCount = GBYTE(pd, offset); + LastWriteDate = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + proto_tree_add_text(tree, offset, 2, "Last Write Date: 
%s", dissect_dos_date(LastWriteDate)); } - offset += 1; /* Skip Word Count (WCT) */ + offset += 2; /* Skip Last Write Date */ - /* Build display for: Byte Count (BCC) */ + /* Build display for: Data Size */ - ByteCount = GSHORT(pd, offset); + DataSize = GWORD(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + proto_tree_add_text(tree, offset, 4, "Data Size: %u", DataSize); } - offset += 2; /* Skip Byte Count (BCC) */ + offset += 4; /* Skip Data Size */ - } + /* Build display for: Granted Access */ -} + GrantedAccess = GSHORT(pd, offset); -void -dissect_checkdir_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int dirn) + if (tree) { -{ - guint8 WordCount; - guint8 BufferFormat; - guint16 ByteCount; - const char *DirectoryName; + proto_tree_add_text(tree, offset, 2, "Granted Access: %u", GrantedAccess); - if (dirn == 1) { /* Request(s) dissect code */ + } - /* Build display for: Word Count (WCT) */ + offset += 2; /* Skip Granted Access */ - WordCount = GBYTE(pd, offset); + /* Build display for: File Type */ - if (tree) { + FileType = GSHORT(pd, offset); - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + if (tree) { - } + ti = proto_tree_add_text(tree, offset, 2, "File Type: 0x%02x", FileType); + FileType_tree = proto_item_add_subtree(ti, ETT_SMB_FILETYPE); + proto_tree_add_text(FileType_tree, offset, 2, "%s", + decode_enumerated_bitfield(FileType, 0xFFFF, 16, FileType_0xFFFF, "%s")); + +} - offset += 1; /* Skip Word Count (WCT) */ + offset += 2; /* Skip File Type */ - /* Build display for: Byte Count (BCC) */ + /* Build display for: Device State */ - ByteCount = GSHORT(pd, offset); + DeviceState = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + proto_tree_add_text(tree, offset, 2, "Device State: %u", DeviceState); } - offset += 2; /* Skip Byte Count (BCC) */ + offset += 2; /* Skip Device State */ - 
/* Build display for: Buffer Format */ + /* Build display for: Action */ - BufferFormat = GBYTE(pd, offset); + Action = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Buffer Format: %u", BufferFormat); - - } + ti = proto_tree_add_text(tree, offset, 2, "Action: 0x%02x", Action); + Action_tree = proto_item_add_subtree(ti, ETT_SMB_ACTION); + proto_tree_add_text(Action_tree, offset, 2, "%s", + decode_enumerated_bitfield(Action, 0x8000, 16, Action_0x8000, "%s")); + proto_tree_add_text(Action_tree, offset, 2, "%s", + decode_enumerated_bitfield(Action, 0x0003, 16, Action_0x0003, "%s")); + +} - offset += 1; /* Skip Buffer Format */ + offset += 2; /* Skip Action */ - /* Build display for: Directory Name */ + /* Build display for: Server FID */ - DirectoryName = pd + offset; + ServerFID = GWORD(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, strlen(DirectoryName) + 1, "Directory Name: %s", DirectoryName); + proto_tree_add_text(tree, offset, 4, "Server FID: %u", ServerFID); } - offset += strlen(DirectoryName) + 1; /* Skip Directory Name */ - - } - - if (dirn == 0) { /* Response(s) dissect code */ + offset += 4; /* Skip Server FID */ - /* Build display for: Word Count (WCT) */ + /* Build display for: Reserved */ - WordCount = GBYTE(pd, offset); + Reserved = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 1, "Word Count (WCT): %u", WordCount); + proto_tree_add_text(tree, offset, 2, "Reserved: %u", Reserved); } - offset += 1; /* Skip Word Count (WCT) */ + offset += 2; /* Skip Reserved */ - /* Build display for: Byte Count (BCC) */ + /* Build display for: Byte Count */ ByteCount = GSHORT(pd, offset); if (tree) { - proto_tree_add_text(tree, offset, 2, "Byte Count (BCC): %u", ByteCount); + proto_tree_add_text(tree, offset, 2, "Byte Count: %u", ByteCount); } - offset += 2; /* Skip Byte Count (BCC) */ + offset += 2; /* Skip Byte Count */ + + + if (AndXCommand != 0xFF) { + + (dissect[AndXCommand])(pd, offset, fd, tree, 
max_data, dirn); + + } } @@ -2887,7 +2808,7 @@ void (*dissect[256])(const u_char *, int, frame_data *, proto_tree *, int, int) dissect_unknown_smb, /* SMBmove move */ dissect_unknown_smb, /* SMBecho echo */ dissect_unknown_smb, /* SMBwriteclose write a file and then close it */ - dissect_open_andx_smb, /* SMBopenX open and X */ + dissect_open_andx_smb, /* SMBopenX open and X */ dissect_unknown_smb, /* SMBreadX read and X */ dissect_unknown_smb, /* SMBwriteX write and X */ dissect_unknown_smb, /* unknown SMB 0x30 */ diff --git a/packet.h b/packet.h index 7cd1e16d97..ae905e5712 100644 --- a/packet.h +++ b/packet.h @@ -1,7 +1,7 @@ /* packet.h * Definitions for packet disassembly structures and routines * - * $Id: packet.h,v 1.69 1999/07/11 07:24:57 guy Exp $ + * $Id: packet.h,v 1.70 1999/07/12 14:26:16 sharpe Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs @@ -27,10 +27,6 @@ #ifndef __PACKET_H__ #define __PACKET_H__ -#ifndef __PROTO_H__ -#include "proto.h" -#endif - /* Pointer versions of ntohs and ntohl. Given a pointer to a member of a * byte array, returns the value of the two or four bytes at the pointer. * The pletoh[sl] versions return the little-endian representation. 
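Review bot: WordCount is displayed but never checked before the response layout is decoded in the `@@ -2642,199 +2549,213 @@` hunk, so an error response or a truncated frame is still parsed as if it carried the full parameter block. By my count the fields read here, AndXCommand through Reserved, add up to 30 bytes (15 words). Right after `offset += 1; /* Skip Word Count (WCT) */`, add `if (WordCount != 15) return;`, optionally preceded by a "Data" item of length `END_OF_FRAME`, as the dissectors removed by this commit did on an unexpected WCT. The response branch begins just before this hunk, so the WordCount read itself is not visible here.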
@@ -69,24 +65,17 @@ #endif #endif -/* Useful when you have an array whose size you can tell at compile-time */ -#define array_length(x) (sizeof x / sizeof x[0]) - /* Useful when highlighting regions inside a dissect_*() function. With this * macro, you can highlight from an arbitrary offset to the end of the * frame. See dissect_data() for an example. */ #define END_OF_FRAME (fd->cap_len - offset) -/* To pass one of two strings, singular or plural */ -#define plurality(d,s,p) ((d) == 1 ? (s) : (p)) typedef struct _column_info { gint num_cols; /* Number of columns */ - gchar **col_title;/* Column title */ gboolean **fmt_matx; /* Specifies which formats apply to a column */ gchar **col_data; /* Column data */ - gint *col_width; /* Column width */ } column_info; #define COL_MAX_LEN 256 @@ -95,7 +84,6 @@ typedef struct _packet_counts { gint tcp; gint udp; gint ospf; - gint gre; gint other; gint total; } packet_counts; @@ -111,8 +99,9 @@ typedef struct _frame_data { guint32 del_usecs; /* Delta microseconds */ long file_off; /* File offset */ column_info *cinfo; /* Column formatting information */ - int lnk_t; /* Per-packet encapsulation/data-link type */ - gboolean passed_dfilter; /* TRUE = display, FALSE = no display */ +#ifdef WITH_WIRETAP + int lnk_t; /* Per-packet encapsulation/data-link type */ +#endif } frame_data; typedef struct _packet_info { @@ -148,14 +137,11 @@ typedef struct tcp_extra_data { add_subtree() call. */ enum { - ETT_NONE, ETT_FRAME, ETT_IEEE8023, ETT_ETHER2, ETT_LLC, ETT_TOKEN_RING, - ETT_TOKEN_RING_AC, - ETT_TOKEN_RING_FC, ETT_TR_IERR_CNT, ETT_TR_NERR_CNT, ETT_TR_MAC, @@ -180,17 +166,12 @@ enum { ETT_IPX, ETT_SPX, ETT_NCP, - ETT_NCP_REQUEST_FIELDS, - ETT_NCP_REPLY_FIELDS, ETT_DNS, ETT_DNS_FLAGS, ETT_DNS_QRY, ETT_DNS_QD, ETT_DNS_ANS, ETT_DNS_RR, - ETT_ISAKMP, - ETT_ISAKMP_FLAGS, - ETT_ISAKMP_PAYLOAD, ETT_RIP, ETT_RIP_VEC, ETT_OSPF, 
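Review bot: In `struct _frame_data` the `lnk_t` member now exists only under `#ifdef WITH_WIRETAP`, so the size of the struct and the presence of the field depend on a build macro. Every file that includes packet.h has to see the same definition of `WITH_WIRETAP`, or two translation units will disagree about the same object. A comment on the member would make that explicit, for example `/* WITH_WIRETAP must be defined identically in every file before packet.h is included */`. The same hunk drops `passed_dfilter`, so any reader of `fd->passed_dfilter` outside this diff would stop compiling; that is worth a grep before merging.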
@@ -242,51 +223,15 @@ enum { ETT_TELNET, ETT_TELNET_SUBOPT, ETT_NNTP, - ETT_SNMP, ETT_NBSS, ETT_NBSS_FLAGS, ETT_SMB, ETT_SMB_FLAGS, - ETT_SMB_FLAGS2, ETT_SMB_DIALECTS, ETT_SMB_MODE, - ETT_SMB_CAPABILITIES, + ETT_SMB_CAPS, ETT_SMB_RAWMODE, ETT_SMB_AFLAGS, - ETT_SMB_OPENFUNCTION, - ETT_PPTP, - ETT_GRE, - ETT_GRE_FLAGS, - ETT_PPPOED, - ETT_PPPOED_TAGS, - ETT_PPPOES, - ETT_LCP, - ETT_IPCP, - ETT_RSVP, - ETT_RSVP_UNKNOWN_CLASS, - ETT_RSVP_HDR, - ETT_RSVP_SESSION, - ETT_RSVP_SGROUP, - ETT_RSVP_HOP, - ETT_RSVP_INTEGRITY, - ETT_RSVP_TIME_VALUES, - ETT_RSVP_ERROR, - ETT_RSVP_SCOPE, - ETT_RSVP_STYLE, - ETT_RSVP_FLOWSPEC, - ETT_RSVP_FILTER_SPEC, - ETT_RSVP_SENDER_TEMPLATE, - ETT_RSVP_SENDER_TSPEC, - ETT_RSVP_ADSPEC, - ETT_RSVP_POLICY, - ETT_RSVP_CONFIRM, - ETT_RSVP_ADSPEC_SUBTREE1, - ETT_RSVP_ADSPEC_SUBTREE2, - ETT_RSVP_ADSPEC_SUBTREE3, - ETT_RTSP, - ETT_SDP, - ETT_RADIUS, - ETT_RADIUS_AVP, NUM_TREE_TYPES /* last item number plus one */ }; @@ -310,9 +255,7 @@ enum { /* Utility routines used by packet*.c */ gchar* ether_to_str(const guint8 *); gchar* ip_to_str(const guint8 *); -gchar* abs_time_to_str(struct timeval*); gchar* time_secs_to_str(guint32); -gchar* bytes_to_str(const guint8 *, int); const u_char *find_line_end(const u_char *data, const u_char *dataend, const u_char **eol); int get_token_len(const u_char *linep, const u_char *lineend, @@ -327,7 +270,6 @@ const char *decode_enumerated_bitfield(guint32 val, guint32 mask, int width, const char *decode_numeric_bitfield(guint32 val, guint32 mask, int width, const char *fmt); gint check_col(frame_data *, gint); -void col_add_cls_time(frame_data *); #if __GNUC__ == 2 void col_add_fstr(frame_data *, gint, gchar *, ...) __attribute__((format (printf, 3, 4))); 
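Review bot: The SMB entries at the tail of the enum now end `ETT_SMB_CAPS, ETT_SMB_RAWMODE, ETT_SMB_AFLAGS, NUM_TREE_TYPES`, with no `ETT_SMB_ACTION`, yet the packet-smb.c part of this commit passes `ETT_SMB_ACTION` to `proto_item_add_subtree`. Unless that constant is defined in a part of the enum outside this hunk, the new dissector code has no subtree id to refer to; adding `ETT_SMB_ACTION,` after `ETT_SMB_AFLAGS,` would cover it. The rename of `ETT_SMB_CAPABILITIES` to `ETT_SMB_CAPS` and the removal of `ETT_SMB_FLAGS2` and `ETT_SMB_OPENFUNCTION` likewise require every user in packet-smb.c to have been updated, which cannot be confirmed from the hunks shown.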
@@ -337,11 +279,30 @@ void col_append_fstr(frame_data *, gint, gchar *, ...) void col_add_fstr(frame_data *, gint, gchar *, ...); void col_append_fstr(frame_data *, gint, gchar *, ...); #endif -void col_add_str(frame_data *, gint, const gchar *); +void col_add_str(frame_data *, gint, gchar *); void col_append_str(frame_data *, gint, gchar *); -void dissect_packet(const u_char *, frame_data *, proto_tree *); +/* Routines in packet.c */ + +typedef struct GtkWidget proto_tree; +typedef struct GtkWidget proto_item; + +struct GtkWidget; +void proto_item_set_len(proto_item *ti, gint len); +proto_tree* proto_tree_new(void); +void proto_item_add_subtree(proto_item *ti, proto_tree *subtree, gint idx); + +#if __GNUC__ == 2 +proto_item* proto_tree_add_item(proto_tree *tree, gint start, gint len, + gchar *format, ...) + __attribute__((format (printf, 4, 5))); +#else +proto_item* proto_tree_add_item(proto_tree *tree, gint start, gint len, + gchar *format, ...); +#endif + +void dissect_packet(const u_char *, frame_data *, proto_tree *); /* * Routines in packet-*.c * Routines should take three args: packet data *, cap_len, packet_counts * 
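Review bot: `proto_item_add_subtree` is declared here as `void proto_item_add_subtree(proto_item *ti, proto_tree *subtree, gint idx);`, but the new packet-smb.c code calls it with two arguments and uses the result (`Action_tree = proto_item_add_subtree(ti, ETT_SMB_ACTION);`). That code also calls `proto_tree_add_text`, which this block does not declare. These hand-written prototypes stand in for the `#include "proto.h"` removed at the top of the header, so they look like an older copy of the API rather than an intended change; restoring the include would keep declarations and callers in step. `col_add_str` also loses `const` on its string argument, and `const gchar *` should stay so that callers can pass literals and read-only buffers without a cast. The `format (printf, 4, 5)` attribute on `proto_tree_add_item` is applied only when `__GNUC__ == 2`, so format-string checking of its callers is absent on every other compiler.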
@@ -400,25 +361,17 @@ void dissect_ipv6(const u_char *, int, frame_data *, proto_tree *); void dissect_ipx(const u_char *, int, frame_data *, proto_tree *); void dissect_llc(const u_char *, int, frame_data *, proto_tree *); void dissect_lpd(const u_char *, int, frame_data *, proto_tree *); -void dissect_nbdgm(const u_char *, int, frame_data *, proto_tree *, int); -void dissect_nbipx_ns(const u_char *, int, frame_data *, proto_tree *, int); +void dissect_nbdgm(const u_char *, int, frame_data *, proto_tree *); +void dissect_nbipx_ns(const u_char *, int, frame_data *, proto_tree *); void dissect_nbns(const u_char *, int, frame_data *, proto_tree *); -void dissect_ncp(const u_char *, int, frame_data *, proto_tree *, int); -void dissect_nwlink_dg(const u_char *, int, frame_data *, proto_tree *, int); +void dissect_ncp(const u_char *, int, frame_data *, proto_tree *); +void dissect_nwlink_dg(const u_char *, int, frame_data *, proto_tree *); void dissect_osi(const u_char *, int, frame_data *, proto_tree *); void dissect_ospf(const u_char *, int, frame_data *, proto_tree *); void dissect_ospf_hello(const u_char *, int, frame_data *, proto_tree *); -void dissect_pppoed(const u_char *, int, frame_data *, proto_tree *); -void dissect_pppoes(const u_char *, int, frame_data *, proto_tree *); -void dissect_isakmp(const u_char *, int, frame_data *, proto_tree *); -void dissect_radius(const u_char *, int, frame_data *, proto_tree *); void dissect_rip(const u_char *, int, frame_data *, proto_tree *); -void dissect_rsvp(const u_char *, int, frame_data *, proto_tree *); -void dissect_rtsp(const u_char *, int, frame_data *, proto_tree *); -void dissect_sdp(const u_char *, int, frame_data *, proto_tree *); -void dissect_snmp(const u_char *, int, frame_data *, proto_tree *); void dissect_tcp(const u_char *, int, frame_data *, proto_tree *); -void dissect_tftp(const u_char *, int, frame_data *, proto_tree *); +void dissect_tftp(const u_char *, int, frame_data *, proto_tree *, int); void 
dissect_trmac(const u_char *, int, frame_data *, proto_tree *); void dissect_udp(const u_char *, int, frame_data *, proto_tree *); void dissect_vines(const u_char *, int, frame_data *, proto_tree *); @@ -428,7 +381,6 @@ void dissect_vines_icp(const u_char *, int, frame_data *, proto_tree *); void dissect_vines_ipc(const u_char *, int, frame_data *, proto_tree *); void dissect_vines_rtp(const u_char *, int, frame_data *, proto_tree *); void dissect_vines_spp(const u_char *, int, frame_data *, proto_tree *); -void dissect_payload_ppp(const u_char *, int, frame_data *, proto_tree *); void dissect_ftp(const u_char *, int, frame_data *, proto_tree *, int); void dissect_ftpdata(const u_char *, int, frame_data *, proto_tree *, int); @@ -437,18 +389,16 @@ void dissect_nntp(const u_char *, int, frame_data *, proto_tree *, int); void dissect_pop(const u_char *, int, frame_data *, proto_tree *, int); void dissect_smb(const u_char *, int, frame_data *, proto_tree *, int); void dissect_telnet(const u_char *, int, frame_data *, proto_tree *, int); -void dissect_pptp(const u_char *, int, frame_data *, proto_tree *); -void dissect_gre(const u_char *, int, frame_data *, proto_tree *); void init_dissect_udp(void); /* These functions are in ethertype.c */ +gchar *ethertype_to_str(guint16 etype, const char *fmt); void capture_ethertype(guint16 etype, int offset, const u_char *pd, guint32 cap_len, packet_counts *ld); void ethertype(guint16 etype, int offset, const u_char *pd, frame_data *fd, proto_tree *tree, - proto_tree *fh_tree, int item_id); -extern const value_string etype_vals[]; + proto_tree *fh_tree); /* These functions are in packet-arp.c */ gchar *arphrdaddr_to_str(guint8 *ad, int ad_len, guint16 type); -- cgit v1.2.3
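Review bot: The prototypes for `dissect_nbdgm`, `dissect_nbipx_ns`, `dissect_ncp` and `dissect_nwlink_dg` lose their trailing `int` and `dissect_tftp` gains one. The diffstat lists only packet-smb.c and packet.h, so the definitions in the other packet-*.c files presumably still have the old signatures. A call made through a declaration that does not match the definition passes the wrong number of arguments. If that `int` is the remaining-data length (not visible here), the callee would work from an indeterminate bound on attacker-supplied packet bytes. The final hunk has the same problem for `ethertype()`, which drops `int item_id` and removes `extern const value_string etype_vals[];`; header and definitions should change in the same commit, or these prototypes should stay as they were.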