authorGuy Harris <guy@alum.mit.edu>2001-07-08 22:56:22 +0000
committerGuy Harris <guy@alum.mit.edu>2001-07-08 22:56:22 +0000
commit60e5d8235db85ee4bcc841c8c55269693b2f1f51 (patch)
tree44d7d8f27c2f62945408172918baaa80a70f57f3
parentde98ec2efa11e0d31344de3231acffcf6d16bbd5 (diff)
Display LMNT tokens with the value 0xffff as "Windows NT Networking";
that's how Network Monitor displays them. (What are they if they're not 0xffff?). The PDC Startup announcement message, if not short, includes an LMNT token between the NT version and LM20 token. After the DB Count in an Announce change to UAS or SAM message there are that number of DBChange Info Structures, according to Network Monitor; dissect them. After that, there is a domain SID size, and, if that size is non-zero, a domain SID, and only then In a SAM LOGON request, the domain SID size is a 4-byte quantity, not a 2-byte quantity, and is followed by a domain SID, an NT version, an LMNT token, and an LM token, according to Network Monitor. Display the NT version in decimal, as that's how Network Monitor displays it. svn path=/trunk/; revision=3666
-rw-r--r--packet-smb-logon.c257
1 files changed, 185 insertions, 72 deletions
diff --git a/packet-smb-logon.c b/packet-smb-logon.c
index 6e81e0b6ce..a862ebda57 100644
--- a/packet-smb-logon.c
+++ b/packet-smb-logon.c
@@ -2,7 +2,7 @@
* Routines for SMB net logon packet dissection
* Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
*
- * $Id: packet-smb-logon.c,v 1.15 2001/07/08 19:31:01 guy Exp $
+ * $Id: packet-smb-logon.c,v 1.16 2001/07/08 22:56:22 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -45,7 +45,7 @@ static int hf_lm_token = -1;
static int hf_major_version = -1;
static int hf_minor_version = -1;
static int hf_os_version = -1;
-static int hf_time_date = -1;
+static int hf_date_time = -1;
static int hf_update_type = -1;
static int hf_request_count = -1;
static int hf_flags_autolock = -1;
@@ -60,15 +60,18 @@ static int hf_flags_password_required = -1;
static int hf_flags_homedir_required = -1;
static int hf_flags_enabled = -1;
static int hf_domain_sid_size = -1;
+static int hf_domain_sid = -1;
static int hf_low_serial = -1;
static int hf_pulse = -1;
static int hf_random = -1;
static int hf_db_count = -1;
+static int hf_db_index = -1;
+static int hf_large_serial = -1;
+static int hf_nt_date_time = -1;
static int ett_smb_logon = -1;
static int ett_smb_account_flags = -1;
-
-
+static int ett_smb_db_info = -1;
#define ACC_FLAG_AUTO_LOCKED 0x0400
#define ACC_FLAG_EXPIRE 0x0200
@@ -137,14 +140,14 @@ dissect_account_control(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
proto_item *ti = NULL;
proto_tree *flags_tree = NULL;
guint32 flags;
-
+
flags = tvb_get_letohl(tvb, offset);
if (tree) {
ti = proto_tree_add_text(tree, tvb, offset, 4,
"Account control = 0x%04x", flags);
-
- flags_tree = proto_item_add_subtree(ti, ett_smb_account_flags);
+
+ flags_tree = proto_item_add_subtree(ti, ett_smb_account_flags);
}
proto_tree_add_boolean(flags_tree, hf_flags_autolock, tvb, offset, 4, flags);
@@ -188,21 +191,44 @@ display_LM_token(tvbuff_t *tvb, int offset, packet_info *pinfo,
}
static int
+display_LMNT_token(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree)
+{
+ guint16 Token;
+
+ Token = tvb_get_letohs(tvb, offset);
+
+ if (Token == 0xffff) {
+ proto_tree_add_uint_format(tree, hf_lmnt_token, tvb, offset, 2,
+ Token,
+ "LMNT Token: 0x%04x (Windows NT Networking)", Token);
+ } else {
+ proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2,
+ Token,
+ "LMNT Token: 0x%04x (Unknown)", Token);
+ }
+
+ offset += 2;
+
+ return offset;
+}
+
+static int
dissect_smb_logon_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
/*** 0x00 (LM1.0/LM2.0 LOGON Request) ***/
/* computer name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name);
-
+
/* user name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name);
-
+
/* mailslot name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name);
-
+
/*$$$$$ here add the Mailslot to the response list (if needed) */
-
+
/* Request count */
proto_tree_add_item(tree, hf_request_count, tvb, offset, 1, TRUE);
offset += 1;
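Review bot: The fallback branch of display_LMNT_token adds the value under hf_lm_token instead of hf_lmnt_token, so any token other than 0xffff is labelled "LMNT Token" in the tree but attached to the LM-token field, where a display filter on the LMNT token will not find it and the LM-token field picks up a wrong value. The second call should read `proto_tree_add_uint_format(tree, hf_lmnt_token, tvb, offset, 2,`. The hunk also contains the start of dissect_smb_logon_request, whose body continues outside the hunk.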
@@ -226,10 +252,10 @@ dissect_smb_logon_LM10_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
/* user name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name);
-
+
/* script name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_script_name);
-
+
return offset;
}
@@ -237,18 +263,17 @@ dissect_smb_logon_LM10_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
static int
dissect_smb_logon_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
-
-/*** 0x02 LM1.0 Query - Centralized Initialization ***/
-/*** 0x03 LM1.0 Query - Distributed Initialization ***/
-/*** 0x04 LM1.0 Query - Centralized Query Response ***/
-/*** 0x04 LM1.0 Query - Distributed Query Response ***/
+ /*** 0x02 LM1.0 Query - Centralized Initialization ***/
+ /*** 0x03 LM1.0 Query - Distributed Initialization ***/
+ /*** 0x04 LM1.0 Query - Centralized Query Response ***/
+ /*** 0x04 LM1.0 Query - Distributed Query Response ***/
/* computer name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name);
-
+
/* mailslot name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name);
-
+
/* NT version */
proto_tree_add_item(tree, hf_nt_version, tvb, offset, 2, TRUE);
offset += 2;
@@ -268,7 +293,7 @@ dissect_smb_logon_LM20_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
/* server name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_server_name);
-
+
/* LM token */
offset = display_LM_token(tvb, offset, pinfo, tree);
@@ -281,14 +306,13 @@ static int
dissect_smb_pdc_query(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
/*** 0x07 Query for Primary PDC ***/
-
/* computer name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name);
-
+
/* mailslot name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name);
-
+
if (tvb_reported_length_remaining(tvb, offset) > 2) {
/*
* NT-style Query for PDC?
@@ -303,14 +327,13 @@ dissect_smb_pdc_query(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int o
/* Unicode computer name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_computer_name);
-
+
/* NT version */
proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE);
offset += 4;
/* LMNT token */
- proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE);
- offset += 2;
+ offset = display_LMNT_token(tvb, offset, pinfo, tree);
}
/* LM token */
@@ -324,7 +347,6 @@ dissect_smb_pdc_query(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int o
static int
dissect_smb_pdc_startup(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
-
/*** 0x08 Announce startup of PDC ***/
/* pdc name */
@@ -343,11 +365,14 @@ dissect_smb_pdc_startup(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
/* domain name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name);
-
+
/* NT version */
proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE);
offset += 4;
+ /* LMNT token */
+ offset = display_LMNT_token(tvb, offset, pinfo, tree);
+
/* LM token */
offset = display_LM_token(tvb, offset, pinfo, tree);
}
@@ -360,7 +385,6 @@ dissect_smb_pdc_startup(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
static int
dissect_smb_pdc_failure(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
-
/*** 0x09 Announce failure of the PDC ***/
/*** 0x0F LM2.0 Resp. during LOGON pause ***/
/*** 0x10 (LM 2.0 Unknown user response) ***/
@@ -379,16 +403,19 @@ dissect_smb_pdc_failure(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
static int
dissect_announce_change(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
-
/*** 0x0A ( Announce change to UAS or SAM ) ***/
-
+ guint32 info_count;
+ proto_item *ti = NULL;
+ proto_tree *info_tree = NULL;
+ guint32 db_index;
+ guint32 domain_sid_size;
/* low serial number */
proto_tree_add_item(tree, hf_low_serial, tvb, offset, 4, TRUE);
offset += 4;
- /* time/date */
- proto_tree_add_item(tree, hf_time_date, tvb, offset, 4, TRUE);
+ /* date/time */
+ proto_tree_add_item(tree, hf_date_time, tvb, offset, 4, TRUE);
offset += 4;
/* pulse */
@@ -401,31 +428,67 @@ dissect_announce_change(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
/* pdc name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_pdc_name);
-
+
/* domain name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_domain_name);
-
+
if (offset % 2) offset++; /* word align ... */
/* pdc name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_pdc_name);
-
+
/* domain name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name);
-
+
/* DB count */
- proto_tree_add_item(tree, hf_db_count, tvb, offset, 4, TRUE);
+ info_count = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_db_count, tvb, offset, 4, info_count);
+ offset += 4;
+
+ while (info_count != 0) {
+ db_index = tvb_get_letohl(tvb, offset);
+ if (tree) {
+ ti = proto_tree_add_text(tree, tvb, offset, 20,
+ "DBChange Info Structure: index %u", db_index);
+ info_tree = proto_item_add_subtree(ti, ett_smb_db_info);
+ }
+
+ proto_tree_add_uint(info_tree, hf_db_index, tvb, offset, 4,
+ db_index);
+ offset += 4;
+
+ proto_tree_add_item(info_tree, hf_large_serial, tvb, offset, 8,
+ FALSE);
+ offset += 8;
+
+ proto_tree_add_item(info_tree, hf_nt_date_time, tvb, offset, 8,
+ FALSE);
+ offset += 8;
+
+ info_count--;
+ }
+
+ /* Domain SID Size */
+ domain_sid_size = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_domain_sid_size, tvb, offset, 4,
+ domain_sid_size);
offset += 4;
+ if (domain_sid_size != 0) {
+ /* Domain SID */
+ proto_tree_add_item(tree, hf_domain_sid, tvb, offset,
+ domain_sid_size, TRUE);
+ offset += domain_sid_size;
+ }
+
/* NT version */
proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE);
offset += 4;
/* LMNT token */
- proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE);
- offset += 2;
+ offset = display_LMNT_token(tvb, offset, pinfo, tree);
- /* LM token(? - was "Unknown Token") */
+ /* LM token */
offset = display_LM_token(tvb, offset, pinfo, tree);
return offset;
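Review bot: domain_sid_size is read straight from the packet and used, with no upper bound, both as the item length and in `offset += domain_sid_size`; offset is an int and the value a guint32, so a size above INT_MAX wraps the offset and the rest of the message is dissected from a bogus position (and, if proto_tree_add_item short-circuits on a NULL tree as it appears to in this code base, without any bounds check at all). Since the remaining length is known here and a real SID is at most 68 bytes, a check before the add such as `if ((gint)domain_sid_size < 0 || (gint)domain_sid_size > tvb_reported_length_remaining(tvb, offset)) THROW(ReportedBoundsError);` would report the packet as malformed instead. The same pattern is introduced in dissect_smb_sam_logon_req in the hunk starting `@@ -446,19 +509,51 @@`, which additionally rounds the possibly-wrapped offset up to a 4-byte boundary. The `while (info_count != 0)` loop is likewise driven by a packet-supplied count; each iteration begins with tvb_get_letohl, so a truncated packet presumably ends it with a bounds exception rather than 2^32 iterations, and a one-line comment stating that would help the next reader. dissect_announce_change's body starts outside this hunk.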
@@ -436,9 +499,9 @@ dissect_announce_change(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
static int
dissect_smb_sam_logon_req(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
-
/* Netlogon command 0x12 - decode the SAM logon request from client */
+ guint32 domain_sid_size;
/* Request count */
proto_tree_add_item(tree, hf_request_count, tvb, offset, 2, TRUE);
@@ -446,19 +509,51 @@ dissect_smb_sam_logon_req(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
/* computer name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_computer_name);
-
+
/* user name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_user_name);
-
+
/* mailslot name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name);
-
+
/* account control */
offset = dissect_account_control(tvb, pinfo, tree, offset);
/* Domain SID Size */
- proto_tree_add_item(tree, hf_domain_sid_size, tvb, offset, 2, TRUE);
- offset += 2;
+ domain_sid_size = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_domain_sid_size, tvb, offset, 4,
+ domain_sid_size);
+ offset += 4;
+
+ if (domain_sid_size != 0) {
+ /* Domain SID */
+ proto_tree_add_item(tree, hf_domain_sid, tvb, offset,
+ domain_sid_size, TRUE);
+ offset += domain_sid_size;
+
+ /* XXX - at least one packet appears to put the NT version on
+ a 4-byte boundary, with padding after the domain SID, at
+ least according to Network Monitor.
+
+ However, another frame, with a zero-length domain SID,
+ doesn't do any padding, and other packets don't appear
+ to put the NT version of a 4-byte boundary, so maybe
+ the padding comes *before* the domain SID, and NetMon
+ is just confused? (NetMon has been known to misdissect
+ SMB packets, even though, err, umm, NetMon comes from
+ the people who are adding all this stuff to SMB....) */
+ offset = ((offset + 3)/4)*4;
+ }
+
+ /* NT version */
+ proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE);
+ offset += 4;
+
+ /* LMNT token */
+ offset = display_LMNT_token(tvb, offset, pinfo, tree);
+
+ /* LM token */
+ offset = display_LM_token(tvb, offset, pinfo, tree);
return offset;
}
@@ -473,7 +568,7 @@ dissect_smb_no_user(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int off
/* computer name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name);
- return offset;
+ return offset;
}
@@ -481,7 +576,6 @@ dissect_smb_no_user(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int off
static int
dissect_smb_relogon_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
-
/*** 0x0d LanMan Response to relogon request ***/
/* Major version */
@@ -511,28 +605,28 @@ dissect_smb_relogon_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, in
static int
dissect_smb_acc_update(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
{
- guint32 Temp1, Temp2;
-
/*** 0x11 LM2.1 Announce Acc updates ***/
+ guint32 Temp1, Temp2;
+
Temp1 = tvb_get_letohl(tvb, offset);
Temp2 = tvb_get_letohl(tvb, offset + 4);
-
+
/* signature */
proto_tree_add_text(tree, tvb, offset, 8, "Signature: 0x%08x%08x",
Temp1, Temp2);
offset += 8;
- /* time/date */
- proto_tree_add_item(tree, hf_time_date, tvb, offset, 4, TRUE);
+ /* date/time */
+ proto_tree_add_item(tree, hf_date_time, tvb, offset, 4, TRUE);
offset += 4;
/* computer name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name);
-
+
/* user name */
offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name);
-
+
/* update type */
proto_tree_add_item(tree, hf_update_type, tvb, offset, 2, TRUE);
offset += 2;
@@ -571,9 +665,9 @@ dissect_smb_inter_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
offset += 4;
/* LMNT token */
- proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE);
- offset += 2;
+ offset = display_LMNT_token(tvb, offset, pinfo, tree);
+ /* XXX - no LM token? */
return offset;
}
@@ -582,26 +676,25 @@ static int
dissect_smb_sam_logon_resp(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree, int offset)
{
- guint16 lmt;
-
/* Netlogon command 0x13 - decode the SAM logon response from server */
+ guint16 lmt;
+
/* server name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_server_name);
-
+
/* user name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_user_name);
-
+
/* domain name */
offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name);
-
+
/* NT version */
proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE);
offset += 4;
/* LMNT token */
- proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE);
- offset += 2;
+ offset = display_LMNT_token(tvb, offset, pinfo, tree);
/* LM token */
offset = display_LM_token(tvb, offset, pinfo, tree);
@@ -662,7 +755,7 @@ static const value_string commands[] = {
{0, NULL}
};
-
+
static int (*dissect_smb_logon_cmds[])(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) = {
dissect_smb_logon_request, /* 0x00 (LM1.0/LM2.0 LOGON Request) */
dissect_smb_logon_LM10_resp,/* 0x01 (LM1.0 LOGON Response) */
@@ -785,9 +878,11 @@ register_proto_smb_logon( void){
NULL, 0, "NETLOGON Script Name", HFILL }},
{ &hf_nt_version,
- { "NT Version", "netlogon.nt_version", FT_UINT32, BASE_HEX,
+ { "NT Version", "netlogon.nt_version", FT_UINT32, BASE_DEC,
NULL, 0, "NETLOGON NT Version", HFILL }},
+ /* An LMNT Token, if 0xffff, is "WindowsNT Networking";
+ what is it otherwise? */
{ &hf_lmnt_token,
{ "LMNT Token", "netlogon.lmnt_token", FT_UINT16, BASE_HEX,
NULL, 0, "NETLOGON LMNT Token", HFILL }},
@@ -808,8 +903,8 @@ register_proto_smb_logon( void){
{ "Workstation OS Version", "netlogon.os_version", FT_UINT8, BASE_DEC,
NULL, 0, "NETLOGON Workstation OS Version", HFILL }},
- { &hf_time_date,
- { "Date/Time", "netlogon.date", FT_UINT32, BASE_DEC,
+ { &hf_date_time,
+ { "Date/Time", "netlogon.date_time", FT_UINT32, BASE_DEC,
NULL, 0, "NETLOGON Date/Time", HFILL }},
{ &hf_update_type,
@@ -865,9 +960,13 @@ register_proto_smb_logon( void){
TFS(&tfs_flags_enabled), ACC_FLAG_ENABLED, "NETLOGON Is This Account Enabled", HFILL}},
{ &hf_domain_sid_size,
- { "Domain SID Size", "netlogon.domain_sid_size", FT_UINT16, BASE_DEC,
+ { "Domain SID Size", "netlogon.domain_sid_size", FT_UINT32, BASE_DEC,
NULL, 0, "NETLOGON Domain SID Size", HFILL }},
+ { &hf_domain_sid,
+ { "Domain SID", "netlogon.domain_sid", FT_BYTES, BASE_NONE,
+ NULL, 0, "NETLOGON Domain SID", HFILL }},
+
{ &hf_low_serial,
{ "Low Serial Number", "netlogon.low_serial", FT_UINT32, BASE_DEC,
NULL, 0, "NETLOGON Low Serial Number", HFILL }},
@@ -884,11 +983,25 @@ register_proto_smb_logon( void){
{ "DB Count", "netlogon.db_count", FT_UINT32, BASE_DEC,
NULL, 0, "NETLOGON DB Count", HFILL }},
+ { &hf_db_index,
+ { "Database Index", "netlogon.db_index", FT_UINT32, BASE_DEC,
+ NULL, 0, "NETLOGON Database Index", HFILL }},
+
+ /* XXX - 64-bit integer? */
+ { &hf_large_serial,
+ { "Large Serial Number", "netlogon.large_serial", FT_BYTES, BASE_NONE,
+ NULL, 0, "NETLOGON Large Serial Number", HFILL }},
+
+ /* XXX - 64-bit FILETIME */
+ { &hf_nt_date_time,
+ { "NT Date/Time", "netlogon.nt_date_time", FT_BYTES, BASE_NONE,
+ NULL, 0, "NETLOGON NT Date/Time", HFILL }},
};
static gint *ett[] = {
&ett_smb_logon,
- &ett_smb_account_flags
+ &ett_smb_account_flags,
+ &ett_smb_db_info
};
proto_smb_logon = proto_register_protocol(