diff options
author | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2007-04-24 05:09:00 +0000 |
---|---|---|
committer | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2007-04-24 05:09:00 +0000 |
commit | 1f80370b858dbb91bffbc6369d514b76958ceb02 (patch) | |
tree | 9032a7b0ecddddb08d99a7bc3a95099d09df1eb9 /epan | |
parent | 6386eda24cc3c74dd869c39a81148ed339efbef3 (diff) |
Add tracking of uid->domain/account mappings for SMB by tapping the ntlmssp tap for the information from the authentication messages
Improve the tid tracking by putting the host/share information on the tid expansion line so one can see it without opening the expansion
svn path=/trunk/; revision=21547
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-smb.c | 102 |
1 files changed, 100 insertions, 2 deletions
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c index 7afd43beab..b64ccb4233 100644 --- a/epan/dissectors/packet-smb.c +++ b/epan/dissectors/packet-smb.c @@ -654,10 +654,13 @@ static int hf_smb_pipe_info_flag = -1; static int hf_smb_mode = -1; static int hf_smb_attribute = -1; static int hf_smb_reparse_tag = -1; +static int hf_smb_logged_in = -1; +static int hf_smb_logged_out = -1; static gint ett_smb = -1; static gint ett_smb_fid = -1; static gint ett_smb_tid = -1; +static gint ett_smb_uid = -1; static gint ett_smb_hdr = -1; static gint ett_smb_command = -1; static gint ett_smb_fileattributes = -1; @@ -1002,6 +1005,13 @@ static GSList *conv_tables = NULL; +typedef struct _smb_uid_t { + char *domain; + char *account; + int logged_in; + int logged_out; +} smb_uid_t; + static void smb_file_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 mask) { @@ -2575,6 +2585,42 @@ dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree } static int +dissect_smb_uid(tvbuff_t *tvb, proto_tree *parent_tree, int offset, smb_info_t *si) +{ + proto_item *item; + proto_tree *tree; + smb_uid_t *smb_uid=NULL; + + item=proto_tree_add_uint(parent_tree, hf_smb_uid, tvb, offset, 2, si->uid); + tree=proto_item_add_subtree(item, ett_smb_uid); + + smb_uid=se_tree_lookup32(si->ct->uid_tree, si->uid); + if(smb_uid){ + proto_item_append_text(item, " (%s\\%s)", smb_uid->domain, smb_uid->account); + + if(smb_uid->domain){ + item=proto_tree_add_string(tree, hf_smb_primary_domain, tvb, 0, 0, smb_uid->domain); + PROTO_ITEM_SET_GENERATED(item); + } + if(smb_uid->account){ + item=proto_tree_add_string(tree, hf_smb_account, tvb, 0, 0, smb_uid->account); + PROTO_ITEM_SET_GENERATED(item); + } + if(smb_uid->logged_in>0){ + item=proto_tree_add_uint(tree, hf_smb_logged_in, tvb, 0, 0, smb_uid->logged_in); + PROTO_ITEM_SET_GENERATED(item); + } + if(smb_uid->logged_out>0){ + item=proto_tree_add_uint(tree, hf_smb_logged_out, tvb, 0, 0, smb_uid->logged_out); + PROTO_ITEM_SET_GENERATED(item); + } + } + offset += 2; + + return offset; +} + +static int dissect_smb_tid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 tid, gboolean is_created, gboolean is_closed) { smb_info_t *si = pinfo->private_data; @@ -2615,6 +2661,8 @@ dissect_smb_tid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, if(fid_info->opened_in){ if(fid_info->filename){ + proto_item_append_text(it, " (%s)", fid_info->filename); + it=proto_tree_add_string(tr, hf_smb_path, tvb, 0, 0, fid_info->filename); PROTO_ITEM_SET_GENERATED(it); } @@ -6031,6 +6079,21 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree guint16 sbloblen=0, sbloblen_short; guint16 apwlen=0, upwlen=0; gboolean unicodeflag; + static int ntlmssp_tap_id = 0; + const ntlmssp_header_t *ntlmssph; + + if(!ntlmssp_tap_id){ + GString *error_string; + /* We dont specify any callbacks at all. + * Instead we manually fetch the tapped data after the + * security blob has been fully dissected and before + * we exit from this dissector. + */ + error_string=register_tap_listener("ntlmssp", NULL, NULL, NULL, NULL, NULL); + if(!error_string){ + ntlmssp_tap_id=find_tap_id("ntlmssp"); + } + } DISSECTOR_ASSERT(si); @@ -6180,6 +6243,24 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree pinfo, blob_tree); } + /* If we have found a uid->acct_name mapping, store it */ + if(!pinfo->fd->flags.visited && si->sip){ + int idx=0; + if((ntlmssph=fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL){ + if(ntlmssph && ntlmssph->type==3){ + smb_uid_t *smb_uid; + + smb_uid=se_alloc(sizeof(smb_uid_t)); + smb_uid->logged_in=-1; + smb_uid->logged_out=-1; + smb_uid->domain=se_strdup(ntlmssph->domain_name); + smb_uid->account=se_strdup(ntlmssph->acct_name); + + si->sip->extra_info=smb_uid; + } + } + } + COUNT_BYTES(sbloblen); } @@ -6373,6 +6454,14 @@ dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tre WORD_COUNT; + if(!pinfo->fd->flags.visited && si->sip && si->sip->extra_info){ + smb_uid_t *smb_uid; + + smb_uid=si->sip->extra_info; + smb_uid->logged_in=pinfo->fd->num; + se_tree_insert32(si->ct->uid_tree, si->uid, smb_uid); + } + /* next smb command */ cmd = tvb_get_guint8(tvb, offset); if(cmd!=0xff){ @@ -15596,6 +15685,7 @@ dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree) si->ct->fid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB fid_tree"); si->ct->tid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB tid_tree"); + si->ct->uid_tree=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SMB uid_tree"); conversation_add_proto_data(conversation, proto_smb, si->ct); } @@ -15995,8 +16085,7 @@ dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree) offset += 2; /* UID */ - proto_tree_add_uint(htree, hf_smb_uid, tvb, offset, 2, si->uid); - offset += 2; + offset=dissect_smb_uid(tvb, htree, offset, si); /* MID */ proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid); @@ -18297,12 +18386,21 @@ proto_register_smb(void) { "Pipe Info", "smb.pipe_info_flag", FT_BOOLEAN, 8, TFS(&tfs_pipe_info_flag), 0x01, "", HFILL }}, + { &hf_smb_logged_in, + { "Logged In", "smb.logged_in", FT_FRAMENUM, BASE_DEC, + NULL, 0, "", HFILL }}, + + { &hf_smb_logged_out, + { "Logged Out", "smb.logged_out", FT_FRAMENUM, BASE_DEC, + NULL, 0, "", HFILL }}, + }; static gint *ett[] = { &ett_smb, &ett_smb_fid, &ett_smb_tid, + &ett_smb_uid, &ett_smb_hdr, &ett_smb_command, &ett_smb_fileattributes, |