author | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2004-03-01 08:34:34 +0000 |
---|---|---|
committer | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2004-03-01 08:34:34 +0000 |
commit | aea831b03b1fb176343a805098cfa37708e02362 (patch) | |
tree | 0fe99fba3979f7794c1cfe178cdf24f995a23148 /packet-smb.c | |
parent | 38f076a3016cab6e17f230af21e89022ea315183 (diff) |
Make the SMB dissector better at catching what is probably a DCERPC payload
inside Write commands and make sure the proper things are stored in the hash so
we remember what is and what is not an IPC$ share, on top of which all file I/O goes to DCERPC interfaces.
svn path=/trunk/; revision=10268
Diffstat (limited to 'packet-smb.c')
-rw-r--r-- | packet-smb.c | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/packet-smb.c b/packet-smb.c
index 8f29789d31..d024578707 100644
--- a/packet-smb.c
+++ b/packet-smb.c
@@ -3,7 +3,7 @@
 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
 *
- * $Id: packet-smb.c,v 1.386 2004/02/25 06:22:35 guy Exp $
+ * $Id: packet-smb.c,v 1.387 2004/03/01 08:34:34 sahlberg Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@ethereal.com>
@@ -5570,16 +5570,30 @@ dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 BYTE_COUNT;
 /* if both the MessageStart and the WriteRawNamedPipe flags are set
- the first two bytes of the payload is the length of the data
- also this tells us that this is indeed the IPC$ share
- (if we didnt already know that
+ the first two bytes of the payload is the length of the data.
+ Assume that all WriteAndX PDUs that have MESSAGE_START set to
+ be over the IPC$ share and thus they all transport DCERPC.
+ (if we didnt already know that from the TreeConnect call)
 */
- if((mode&(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW))==(WRITE_MODE_MESSAGE_START|WRITE_MODE_RAW)){
- proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
- offset += 2;
- dataoffset += 2;
- bc -= 2;
- datalen -= 2;
+ if(mode&WRITE_MODE_MESSAGE_START){
+ if(mode&WRITE_MODE_RAW){
+ proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, TRUE);
+ offset += 2;
+ dataoffset += 2;
+ bc -= 2;
+ datalen -= 2;
+ }
+ if(!pinfo->fd->flags.visited){
+ /* In case we did not see the TreeConnect call,
+ store this TID here as well as a IPC TID
+ so we know that future Read/Writes to this
+ TID is (probably) DCERPC.
+ */
+ if(g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)){
+ g_hash_table_remove(si->ct->tid_service, (void *)si->tid);
+ }
+ g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);
+ }
 if(si->sip){
 si->sip->flags|=SMB_SIF_TID_IS_IPC;
 } |
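Review bot: The new `if(!pinfo->fd->flags.visited)` block in the second hunk replaces whatever service is already recorded for `si->tid` with `TID_IPC` on the strength of one packet-supplied mode bit. A single WriteAndX with MESSAGE_START set on a TID that TreeConnect had recorded as an ordinary share therefore reclassifies it, and per the added comment later Read/Write payloads on that TID are then assumed to be DCERPC. Since the comment describes this as a fallback for a missed TreeConnect, it would be safer to record the guess only when no entry exists and leave an existing mapping alone, e.g. `if(!g_hash_table_lookup(si->ct->tid_service, (void *)si->tid)) g_hash_table_insert(si->ct->tid_service, (void *)si->tid, (void *)TID_IPC);`. In the `WRITE_MODE_RAW` branch, `bc -= 2` and `datalen -= 2` run with no visible check that either is at least 2; their declarations are outside the hunk, but if they are unsigned a short payload would wrap them, so a guard such as `if(bc < 2 || datalen < 2)` before the subtraction is worth adding. dissect_write_andx_request starts and ends outside this hunk, so checks made elsewhere in the function are not visible here.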