diff options
| -rw-r--r-- | AUTHORS | 1 | ||||
| -rw-r--r-- | packet-smb-common.c | 130 | ||||
| -rw-r--r-- | packet-smb-common.h | 41 | ||||
| -rw-r--r-- | packet-smb-logon.c | 1040 | ||||
| -rw-r--r-- | packet-smb-logon.h | 14 | ||||
| -rw-r--r-- | packet-smb-mailslot.c | 11 |
6 files changed, 728 insertions, 509 deletions
@@ -537,6 +537,7 @@ Ronnie Sahlberg <rsahlber@bigpond.net.au> { MRDISC support MSNIP support Tvbuffified ISIS dissector + Tvbuffified SMB NETLOGON dissector } Borosa Tomislav <tomislav.borosa@SIEMENS.HR> { diff --git a/packet-smb-common.c b/packet-smb-common.c index ea07153527..05bc8adfda 100644 --- a/packet-smb-common.c +++ b/packet-smb-common.c @@ -2,10 +2,10 @@ * Common routines for smb packet dissection * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com> * - * $Id: packet-smb-common.c,v 1.4 2000/05/11 08:15:44 gram Exp $ + * $Id: packet-smb-common.c,v 1.5 2001/07/08 11:32:02 guy Exp $ * * Ethereal - Network traffic analyzer - * By Gerald Combs <gerald@zing.org> + * By Gerald Combs <gerald@ethereal.com> * Copyright 1998 Gerald Combs * * Copied from packet-pop.c @@ -25,56 +25,35 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - - #include "packet-smb-common.h" +int display_ms_string(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_index) +{ + const char *str; + int len; + /* display a string from the tree and return the new offset */ -int display_ms_value( char *Name, int len, const u_char *pd, int offset, - frame_data *fd, proto_tree *tree) - -{/* display an entry from the tree and return the length */ - - guint32 Temp32; - - if( len == 1) - Temp32 = GBYTE(pd, offset); - else if( len == 2) - Temp32 = GSHORT(pd, offset); - else if( len == 4) - Temp32 = GWORD(pd, offset); - -/* this is an error if we didn't hit one of those three */ - else - return 0; - - proto_tree_add_text( tree, NullTVB, offset, len, "%s: %u", Name, Temp32); - - return len; -} - -int display_ms_string( char *Name, const u_char *pd, int offset, - frame_data *fd, proto_tree *tree) - -{/* display a string from the tree and return the amount to move offset */ + /* XXX - should use tvbuff routines to extract string length */ + str = tvb_get_ptr(tvb, offset, 1); + len = strlen(str); - proto_tree_add_text( tree, NullTVB, offset, strlen( &pd[offset]) + 1, "%s: %s ", - Name, &pd[offset]); + proto_tree_add_string(tree, hf_index, tvb, offset, len, str); - return strlen( &pd[offset]) + 1; + return offset+len+1; } -int display_unicode_string( char *Name, const u_char *pd, int offset, - frame_data *fd, proto_tree *tree){ - -/* display a unicode string from the tree and return amount to move offset */ +int display_unicode_string(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_index) +{ + /* display a unicode string from the tree and return new offset */ char Temp[100], *OutPtr; const char *InPtr; - InPtr = &pd[ offset]; /* point to unicode string */ + /* this will crash if composite tvbuffs are used */ + /* XXX - need tvbuff routine to extract DBCS string lengths */ + InPtr = tvb_get_ptr(tvb, offset, 1); OutPtr = Temp; /* point to temp space */ while ( *InPtr){ /* copy every other byte */ @@ -83,73 +62,22 @@ int display_unicode_string( char *Name, const u_char *pd, int offset, } *OutPtr = 0; /* terminate out string */ - proto_tree_add_text( tree, NullTVB, offset, strlen( Temp) * 2 + 2, "%s: %s ", - Name, Temp); + proto_tree_add_string(tree, hf_index, tvb, + offset, strlen(Temp)*2+2, Temp); - return strlen( Temp) * 2 + 2; + return offset+strlen(Temp)*2+2; } +int +dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /* display data as unknown */ -void -dissect_smb_unknown( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ + guint len; -/* display data as unknown */ + len = tvb_length_remaining(tvb, offset); - proto_tree_add_text(tree, NullTVB, offset, END_OF_FRAME, "Data (%u bytes)", - END_OF_FRAME); + proto_tree_add_text(tree, tvb, offset, len, "Data (%u bytes)", len); + return offset+len; } - - - -void -display_flags( struct flag_array_type *flag_array, int length, - const u_char *pd, int offset, proto_tree *tree){ - -/* Display a bit fields using the flag_array information. */ -/* See packet-smb-common.h for definition of the flag_array structure */ - - -/*** NOTE: currently only handles values that are 1, 2, or 4 octets wide.*/ -/*** This should be expanded to handle any bit width. */ - -/* NOTE: the last entry must have the mask value = 0, this is the end of */ -/* array flag */ - - - struct flag_array_type *array_ptr = flag_array; - - guint32 flags; - - switch (length) { - - case 1: - flags = GBYTE( pd, offset); - break; - - case 2: - flags = GSHORT( pd, offset); - break; - - case 4: - flags = GWORD( pd, offset); - break; - - default: - g_assert_not_reached(); - return; - } - - while( array_ptr->mask) { - proto_tree_add_text( tree, NullTVB, offset, 2, "%s%s%s%s", - decode_boolean_bitfield( flags, array_ptr->mask, - length * 8, "",""), - array_ptr->pre_string, - ((flags & array_ptr->mask) ? array_ptr->true_string : - array_ptr->false_string), - array_ptr->post_string); - - ++array_ptr; - } -} diff --git a/packet-smb-common.h b/packet-smb-common.h index 7166d134da..b8f93d73ae 100644 --- a/packet-smb-common.h +++ b/packet-smb-common.h @@ -2,10 +2,10 @@ * Routines for smb packet dissection * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com> * - * $Id: packet-smb-common.h,v 1.3 2000/08/11 13:34:00 deniel Exp $ + * $Id: packet-smb-common.h,v 1.4 2001/07/08 11:32:02 guy Exp $ * * Ethereal - Network traffic analyzer - * By Gerald Combs <gerald@zing.org> + * By Gerald Combs <gerald@ethereal.com> * Copyright 1998 Gerald Combs * * Copied from packet-pop.c @@ -51,40 +51,11 @@ #include "smb.h" #include "alignment.h" +int dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset); +int display_unicode_string(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, int offset, int hf_index); - - - -#define ShortPacketError proto_tree_add_text(tree, NullTVB, offset, 0, "****FRAME TOO SHORT***"); return; -#define IncAndCheckOffset if ( ++offset > fd->cap_len) {ShortPacketError;} -#define CheckPacketLength(X) if ((offset+X) > fd->cap_len) {ShortPacketError;} - -#define MoveAndCheckOffset(X) {int tmp = X; if (( offset + tmp) > fd->cap_len){ ShortPacketError;} else offset += tmp;} - -#define UnknowData if (tree) proto_tree_add_text(tree, NullTVB, offset, END_OF_FRAME, "Data (%u bytes)",END_OF_FRAME); - - -struct flag_array_type { - guint32 mask; /* bit mask to test for bit set */ - char *pre_string; /* string for front of description */ - char *true_string; /* description string if flag is set */ - char *false_string; /* description string if flag is not set */ - char *post_string; /* string for end of description */ -}; - - -void display_flags( struct flag_array_type *flag_array, int length, - const u_char *pd, int offset, proto_tree *tree); - - -int display_ms_value( char *Name, int len, const u_char *pd, int offset, - frame_data *fd, proto_tree *tree); -int display_ms_string( char *Name, const u_char *pd, int offset, - frame_data *fd, proto_tree *tree); -int display_unicode_string( char *Name, const u_char *pd, int offset, - frame_data *fd, proto_tree *tree); -void dissect_smb_unknown( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree); +int display_ms_string(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_index); #endif diff --git a/packet-smb-logon.c b/packet-smb-logon.c index 78887a97b4..5f06365f9b 100644 --- a/packet-smb-logon.c +++ b/packet-smb-logon.c @@ -2,10 +2,10 @@ * Routines for SMB net logon packet dissection * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com> * - * $Id: packet-smb-logon.c,v 1.13 2001/03/18 03:34:22 guy Exp $ + * $Id: packet-smb-logon.c,v 1.14 2001/07/08 11:32:02 guy Exp $ * * Ethereal - Network traffic analyzer - * By Gerald Combs <gerald@zing.org> + * By Gerald Combs <gerald@ethereal.com> * Copyright 1998 Gerald Combs * * Copied from packet-pop.c @@ -29,536 +29,715 @@ #include "packet-smb-logon.h" static int proto_smb_logon = -1; +static int hf_command = -1; +static int hf_computer_name = -1; +static int hf_unicode_computer_name = -1; +static int hf_server_name = -1; +static int hf_user_name = -1; +static int hf_domain_name = -1; +static int hf_mailslot_name = -1; +static int hf_pdc_name = -1; +static int hf_unicode_pdc_name = -1; +static int hf_script_name = -1; +static int hf_nt_version = -1; +static int hf_lmnt_token = -1; +static int hf_lm_token = -1; +static int hf_major_version = -1; +static int hf_minor_version = -1; +static int hf_os_version = -1; +static int hf_time_date = -1; +static int hf_update_type = -1; +static int hf_request_count = -1; +static int hf_flags_autolock = -1; +static int hf_flags_expire = -1; +static int hf_flags_server_trust = -1; +static int hf_flags_workstation_trust = -1; +static int hf_flags_interdomain_trust = -1; +static int hf_flags_mns_user = -1; +static int hf_flags_normal_user = -1; +static int hf_flags_temp_dup_user = -1; +static int hf_flags_password_required = -1; +static int hf_flags_homedir_required = -1; +static int hf_flags_enabled = -1; +static int hf_domain_sid_size = -1; +static int hf_low_serial = -1; +static int hf_pulse = -1; +static int hf_random = -1; +static int hf_db_count = -1; static int ett_smb_logon = -1; static int ett_smb_account_flags = -1; -static void -dissect_account_control( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ - -/* display the Allowable Account control bits */ - - proto_tree *flags_tree; - proto_item *ti; - guint32 flags = GWORD( pd, offset); - - struct flag_array_type flag_info[] = { - { 0x400, "User account ", "", "not ", "auto-locked"}, - { 0x200, "User password will ", "not ", "", "expire"}, - { 0x100, "", "", "Not a ", "Server Trust user account"}, - { 0x080, "", "", "Not a ", "Workstation Trust user account"}, - { 0x040, "", "", "Not an ", "Inter-domain Trust user account"}, - { 0x020, "", "", "Not a ", "MNS Logon user account"}, - { 0x010, "", "", "Not a ", "Normal user account"}, - { 0x008, "", "", "Not a ", "temp duplicate user account"}, - { 0x004, "", "No", "", "User password required"}, - { 0x002, "", "No", "", "User home directory required"}, - { 0x001, "User account ", "enabled", "disabled", ""}, - { 0, "", "", "", ""} - }; - - - ti = proto_tree_add_text( tree, NullTVB, offset, 4, - "Account control = 0x%04x", flags); - - flags_tree = proto_item_add_subtree( ti, ett_smb_account_flags); - display_flags( flag_info, 4, pd, offset, flags_tree); -} +#define ACC_FLAG_AUTO_LOCKED 0x0400 +#define ACC_FLAG_EXPIRE 0x0200 +#define ACC_FLAG_SERVER_TRUST 0x0100 +#define ACC_FLAG_WORKSTATION_TRUST 0x0080 +#define ACC_FLAG_INTERDOMAIN_TRUST 0x0040 +#define ACC_FLAG_MNS_USER 0x0020 +#define ACC_FLAG_NORMAL_USER 0x0010 +#define ACC_FLAG_TEMP_DUP_USER 0x0008 +#define ACC_FLAG_PASSWORD_REQUIRED 0x0004 +#define ACC_FLAG_HOMEDIR_REQUIRED 0x0002 +#define ACC_FLAG_ENABLED 0x0001 +static const true_false_string tfs_flags_autolock = { + "User account auto-locked", + "User account NOT auto-locked" +}; +static const true_false_string tfs_flags_expire = { + "User password will NOT expire", + "User password will expire" +}; +static const true_false_string tfs_flags_server_trust = { + "Server Trust user account", + "NOT a Server Trust user account" +}; +static const true_false_string tfs_flags_workstation_trust = { + "Workstation Trust user account", + "NOT a Workstation Trust user account" +}; +static const true_false_string tfs_flags_interdomain_trust = { + "Inter-domain Trust user account", + "NOT a Inter-domain Trust user account" +}; +static const true_false_string tfs_flags_mns_user = { + "MNS Logon user account", + "NOT a MNS Logon user account" +}; +static const true_false_string tfs_flags_normal_user = { + "Normal user account", + "NOT a normal user account" +}; +static const true_false_string tfs_flags_temp_dup_user = { + "Temp duplicate user account", + "NOT a temp duplicate user account" +}; +static const true_false_string tfs_flags_password_required = { + "NO password required", + "Password required" +}; +static const true_false_string tfs_flags_homedir_required = { + "NO homedir required", + "Homedir required" +}; +static const true_false_string tfs_flags_enabled = { + "User account enabled", + "User account disabled" +}; -static void -display_LM_token( const u_char *pd, int *offset, frame_data *fd, - proto_tree *tree) { -/* decode and display the LanMan token */ +static int +dissect_account_control(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /* display the Allowable Account control bits */ - guint16 Token; + proto_item *ti = NULL; + proto_tree *flags_tree = NULL; + guint32 flags; + + flags = tvb_get_letohl(tvb, offset); - if (!BYTES_ARE_IN_FRAME(*offset, 2)) { - proto_tree_add_text(tree, NullTVB, *offset, 0,"****FRAME TOO SHORT***"); - return; + if (tree) { + ti = proto_tree_add_text(tree, tvb, offset, 4, + "Account control = 0x%04x", flags); + + flags_tree = proto_item_add_subtree(ti, ett_smb_account_flags); } - Token = GSHORT( pd, *offset); - - if ( Token && 0x01) - proto_tree_add_text( tree, NullTVB, *offset, 2, - "LM20 Token: 0x%x (LanMan 2.0 or higher)", Token); - else - proto_tree_add_text( tree, NullTVB, *offset, 2, - "LM10 Token: 0x%x (WFW Networking)", Token); - *offset += 2; - + proto_tree_add_boolean(flags_tree, hf_flags_autolock, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_expire, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_server_trust, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_workstation_trust, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_interdomain_trust, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_mns_user, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_normal_user, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_temp_dup_user, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_password_required, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_homedir_required, tvb, offset, 4, flags); + proto_tree_add_boolean(flags_tree, hf_flags_enabled, tvb, offset, 4, flags); + + offset += 4; + + return offset; } -static void -display_NT_version( const u_char *pd, int *offset, frame_data *fd, - proto_tree *tree, int length) { +static int +display_LM_token(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree) +{ + guint16 Token; -/* display the NT version */ + Token = tvb_get_letohs(tvb, offset); - guint32 Version; - - if (!BYTES_ARE_IN_FRAME(*offset, length)) { - proto_tree_add_text(tree, NullTVB, *offset, 0, "****FRAME TOO SHORT***"); - return; + if (Token & 0x01) { + proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2, + Token, + "LM20 Token: 0x%04x (LanMan 2.0 or higher)", Token); + } else { + proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2, + Token, + "LM10 Token: 0x%04x (WFW Networking)", Token); } - if ( length == 2) - Version = GSHORT( pd, *offset); - else - Version = GWORD( pd, *offset); - - proto_tree_add_text( tree, NullTVB, *offset, length, "NT Version: 0x%x ", - Version); + offset += 2; - *offset += length; - + return offset; } - - -void dissect_smb_logon_request( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ - -/*** 0x00 (LM1.0/LM2.0 LOGON Request) ***/ +static int +dissect_smb_logon_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /*** 0x00 (LM1.0/LM2.0 LOGON Request) ***/ - MoveAndCheckOffset( display_ms_string( "Computer Name", pd, offset, fd, - tree)); + /* computer name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name); + + /* user name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name); + + /* mailslot name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name); - MoveAndCheckOffset( display_ms_string( "User Name", pd, offset, fd, - tree)); + /*$$$$$ here add the Mailslot to the response list (if needed) */ + + /* Request count */ + proto_tree_add_item(tree, hf_request_count, tvb, offset, 1, TRUE); + offset += 1; - MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset, fd, - tree)); + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 2, TRUE); + offset += 2; -/*$$$$$ here add the Mailslot to the response list (if needed) */ - - MoveAndCheckOffset( display_ms_value( "Request Count", 1, pd, offset, - fd, tree)); + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); - display_NT_version( pd, &offset, fd, tree,2); - display_LM_token( pd, &offset, fd, tree); + return offset; } -static void -dissect_smb_logon_LM10_resp(const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ +static int +dissect_smb_logon_LM10_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /*** 0x01 LanMan 1.0 Logon response ***/ -/*** 0x01 LanMan 1.0 Logon response ***/ - - MoveAndCheckOffset( display_ms_string( "User Name", pd, offset, fd, - tree)); - MoveAndCheckOffset( display_ms_string( "Script Name", pd, offset, fd, - tree)); + /* user name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name); + + /* script name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_script_name); + + return offset; } - -void dissect_smb_logon_2(const u_char *pd, int offset, frame_data *fd, - proto_tree *tree) { +static int +dissect_smb_logon_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ /*** 0x02 LM1.0 Query - Centralized Initialization ***/ /*** 0x03 LM1.0 Query - Distributed Initialization ***/ /*** 0x04 LM1.0 Query - Centralized Query Response ***/ /*** 0x04 LM1.0 Query - Distributed Query Response ***/ - MoveAndCheckOffset( display_ms_string( "Computer Name", pd, offset, fd, tree)); + /* computer name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name); + + /* mailslot name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name); + + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 2, TRUE); + offset += 2; - MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset, fd, tree)); + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); - display_NT_version( pd, &offset, fd, tree, 2); - display_LM_token( pd, &offset, fd, tree); + return offset; } -static void -dissect_smb_logon_LM20_resp(const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ +static int +dissect_smb_logon_LM20_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /*** 0x06 (LM2.0 LOGON Response) ***/ -/*** 0x06 (LM2.0 LOGON Response) ***/ - - ++offset; /* move to the server name */ - - MoveAndCheckOffset( display_ms_string( "Logon Server Name", pd, offset, - fd, tree)); - - display_LM_token( pd, &offset, fd, tree); + /* server name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_server_name); + + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); + return offset; } -static void -dissect_smb_pdc_query(const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ - -/*** 0x07 Query for Primary PDC ***/ +static int +dissect_smb_pdc_query(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /*** 0x07 Query for Primary PDC ***/ - MoveAndCheckOffset( display_ms_string( "Computer Name", pd, offset, - fd, tree)); - - MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset, - fd, tree)); + /* computer name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name); + + /* mailslot name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name); + + if (tvb_reported_length_remaining(tvb, offset) > 2) { + /* + * NT-style Query for PDC? + * If only 2 bytes remain, it's probably a Windows 95-style + * query, which has only an LM token after the mailslot + * name. + * + * XXX - base this on flags in the SMB header, e.g. + * the ASCII/Unicode strings flag? + */ + if (offset % 2) offset++; /* word align ... */ + + /* Unicode computer name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_computer_name); + + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; - MoveAndCheckOffset( display_ms_string( "OEM Computer Name", pd, offset, - fd, tree)); + /* LMNT token */ + proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE); + offset += 2; + } - display_NT_version( pd, &offset, fd, tree, 4); + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); - proto_tree_add_text( tree, NullTVB, offset, 2, "LMNT Token: 0x%x", - GWORD(pd, offset)); - MoveAndCheckOffset( 2); - - display_LM_token( pd, &offset, fd, tree); + return offset; } -static void -dissect_smb_pdc_startup(const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ +static int +dissect_smb_pdc_startup(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ -/*** 0x08 Announce startup of PDC ***/ + /*** 0x08 Announce startup of PDC ***/ - MoveAndCheckOffset( - display_ms_string( "PDC Name", pd, offset, fd, tree)); + /* pdc name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_pdc_name); /* A short Announce will not have the rest */ - if (END_OF_FRAME > 0) { + if (tvb_length_remaining(tvb, offset) != 0) { if (offset % 2) offset++; /* word align ... */ - MoveAndCheckOffset( - display_unicode_string("Unicode PDC Name", pd, offset, fd, tree)); + /* pdc name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_pdc_name); if (offset % 2) offset++; - MoveAndCheckOffset( - display_unicode_string("Unicode Domain Name", pd, offset, fd, tree)); - - display_NT_version( pd, &offset, fd, tree, 4); + /* domain name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name); + + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; - display_LM_token( pd, &offset, fd, tree); + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); } + + return offset; } -static void -dissect_smb_pdc_failure( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ +static int +dissect_smb_pdc_failure(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + + /*** 0x09 Announce failure of the PDC ***/ + /*** 0x0F LM2.0 Resp. during LOGON pause ***/ + /*** 0x10 (LM 2.0 Unknown user response) ***/ + + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; -/*** 0x09 Announce failure of the PDC ***/ -/*** 0x0F LM2.0 Resp. during LOGON pause ***/ -/*** 0x10 (LM 2.0 Unknown user response) ***/ + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); - display_NT_version( pd, &offset, fd, tree, 4); - display_LM_token( pd, &offset, fd, tree); + return offset; } -static void -dissect_announce_change( const u_char *pd, int offset, - frame_data *fd,proto_tree *tree) { +static int +dissect_announce_change(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ -/*** 0x0A ( Announce change to UAS or SAM ) ***/ + /*** 0x0A ( Announce change to UAS or SAM ) ***/ - MoveAndCheckOffset( display_ms_value( "Low serial number", 4, pd, - offset, fd, tree)); - MoveAndCheckOffset( display_ms_value( "Date/Time", 4, pd, offset, fd, - tree)); - MoveAndCheckOffset( - display_ms_value( "Pulse", 4, pd, offset, fd, tree)); - MoveAndCheckOffset( - display_ms_value( "Random", 4, pd, offset, fd, tree)); - MoveAndCheckOffset( - display_ms_string( "PDC Name", pd, offset, fd, tree)); - MoveAndCheckOffset( - display_ms_string( "Domain Name", pd, offset, fd, tree)); + /* low serial number */ + proto_tree_add_item(tree, hf_low_serial, tvb, offset, 4, TRUE); + offset += 4; -/*???? is this needed ??? */ - if ( !( offset & 0x1)) /* add padding if needed */ - ++offset; + /* time/date */ + proto_tree_add_item(tree, hf_time_date, tvb, offset, 4, TRUE); + offset += 4; - MoveAndCheckOffset( display_unicode_string( "Unicode PDC Name", pd, - offset, fd, tree)); + /* pulse */ + proto_tree_add_item(tree, hf_pulse, tvb, offset, 4, TRUE); + offset += 4; - MoveAndCheckOffset( display_unicode_string( "Unicode Domain Name", pd, - offset, fd, tree)); + /* random */ + proto_tree_add_item(tree, hf_random, tvb, offset, 4, TRUE); + offset += 4; - MoveAndCheckOffset( display_ms_value( "DB Count", 4, pd, offset, fd, - tree)); + /* pdc name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_pdc_name); + + /* domain name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_domain_name); + + if (offset % 2) offset++; /* word align ... */ - MoveAndCheckOffset( display_ms_value( "NT Version ", 4, pd, offset, fd, - tree)); + /* pdc name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_pdc_name); + + /* domain name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name); + + /* DB count */ + proto_tree_add_item(tree, hf_db_count, tvb, offset, 4, TRUE); + offset += 4; - MoveAndCheckOffset( display_ms_value( "LMNT Token ", 2, pd, offset, fd, - tree)); + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; - MoveAndCheckOffset( display_ms_value( "Unknown Token ", 2, pd, offset, - fd, tree)); + /* LMNT token */ + proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE); + offset += 2; + + /* unknown token */ + proto_tree_add_text(tree, tvb, offset, 2, "Unknown Token: 0x%04x", + tvb_get_letohs(tvb, offset)); + offset += 2; + + return offset; } -static void -dissect_smb_sam_logon_req(const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ -/*** Netlogon command 0x12 - decode the SAM logon request from client ***/ +static int +dissect_smb_sam_logon_req(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + + /* Netlogon command 0x12 - decode the SAM logon request from client */ - proto_tree_add_text( tree, NullTVB, offset, 2, "Request Count = %x", - GSHORT(pd, offset)); + /* Request count */ + proto_tree_add_item(tree, hf_request_count, tvb, offset, 2, TRUE); + offset += 2; - MoveAndCheckOffset( 2); + /* computer name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_computer_name); - MoveAndCheckOffset( display_unicode_string( "Unicode Computer Name", - pd, offset, fd, tree)); + /* user name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_user_name); - MoveAndCheckOffset( display_unicode_string( "Unicode User Name", - pd, offset, fd, tree)); + /* mailslot name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name); - MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset, fd, - tree)); + /* account control */ + offset = dissect_account_control(tvb, pinfo, tree, offset); - dissect_account_control( pd, offset, fd, tree); - - proto_tree_add_text( tree, NullTVB, offset, 2, "Domain SID Size = %x", - GWORD(pd, offset)); + /* Domain SID Size */ + proto_tree_add_item(tree, hf_domain_sid_size, tvb, offset, 2, TRUE); + offset += 2; + return offset; } -static void -dissect_smb_no_user( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree) +static int +dissect_smb_no_user(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /* 0x0B (Announce no user on machine) */ -{/* 0x0B (Announce no user on machine) */ + /* computer name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name); - display_ms_string( "Computer Name", pd, offset, fd, tree); + return offset; } -static void -dissect_smb_relogon_resp( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ - -/*** 0x0d LanMan Response to relogon request ***/ +static int +dissect_smb_relogon_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ - MoveAndCheckOffset( display_ms_value( "Workstation major version", 1, - pd, offset, fd, tree)); + /*** 0x0d LanMan Response to relogon request ***/ - MoveAndCheckOffset( display_ms_value( "Workstation minor version", 1, - pd, offset, fd, tree)); + /* Major version */ + proto_tree_add_item(tree, hf_major_version, tvb, offset, 1, TRUE); + offset += 1; - MoveAndCheckOffset( display_ms_value( "Workstation OS version", 1, - pd, offset, fd, tree)); + /* Minor version */ + proto_tree_add_item(tree, hf_minor_version, tvb, offset, 1, TRUE); + offset += 1; - display_NT_version( pd, &offset, fd, tree, 4); + /* OS version */ + proto_tree_add_item(tree, hf_os_version, tvb, offset, 1, TRUE); + offset += 1; - display_LM_token( pd, &offset, fd, tree); -} + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); + return offset; +} -static void -dissect_smb_acc_update( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ -/*** 0x11 LM2.1 Announce Acc updates ***/ +static int +dissect_smb_acc_update(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ guint32 Temp1, Temp2; - - Temp1 = GWORD( pd, offset); - Temp2 = GWORD( pd, offset + 4); + /*** 0x11 LM2.1 Announce Acc updates ***/ + + Temp1 = tvb_get_letohl(tvb, offset); + Temp2 = tvb_get_letohl(tvb, offset + 4); - proto_tree_add_text( tree, NullTVB, offset, 2, "Signature: 0x%04x%04x", + /* signature */ + proto_tree_add_text(tree, tvb, offset, 8, "Signature: 0x%08x%08x", Temp1, Temp2); + offset += 8; - MoveAndCheckOffset( 8); + /* time/date */ + proto_tree_add_item(tree, hf_time_date, tvb, offset, 4, TRUE); + offset += 4; - MoveAndCheckOffset( display_ms_value( "Time/Date:", 4, - pd, offset, fd, tree)); + /* computer name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name); - MoveAndCheckOffset( display_ms_string( "Computer name:", - pd, offset, fd, tree)); - - MoveAndCheckOffset( display_ms_string( "User name:", - pd, offset, fd, tree)); + /* user name */ + offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name); + + /* update type */ + proto_tree_add_item(tree, hf_update_type, tvb, offset, 2, TRUE); + offset += 2; - MoveAndCheckOffset( display_ms_value( "Update Type:", 2, - pd, offset, fd, tree)); + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; - display_NT_version( pd, &offset, fd, tree, 4); + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); - display_LM_token( pd, &offset, fd, tree); + return offset; } -static void -dissect_smb_inter_resp( const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ +static int +dissect_smb_inter_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) +{ + /* 0x0e LanMan Response to interrogate request */ -/* 0x0e LanMan Response to interrogate request */ + /* Major version */ + proto_tree_add_item(tree, hf_major_version, tvb, offset, 1, TRUE); + offset += 1; - MoveAndCheckOffset( display_ms_value( "Workstation major version", 1, - pd, offset, fd, tree)); + /* Minor version */ + proto_tree_add_item(tree, hf_minor_version, tvb, offset, 1, TRUE); + offset += 1; - MoveAndCheckOffset( display_ms_value( "Workstation minor version", 1, - pd, offset, fd, tree)); + /* OS version */ + proto_tree_add_item(tree, hf_os_version, tvb, offset, 1, TRUE); + offset += 1; - MoveAndCheckOffset( display_ms_value( "Workstation OS version", 1, pd, - offset, fd, tree)); + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; - display_NT_version( pd, &offset, fd, tree, 4); + /* LMNT token */ + proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE); + offset += 2; - MoveAndCheckOffset( display_ms_value( "LMNT Token ", 2, pd, offset, fd, - tree)); + return offset; } -static void -dissect_smb_sam_logon_resp(const u_char *pd, int offset, frame_data *fd, - proto_tree *tree){ +static int +dissect_smb_sam_logon_resp(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, int offset) +{ + guint16 lmt; -/* Netlogon command 0x13 - decode the SAM logon response from server */ + /* Netlogon command 0x13 - decode the SAM logon response from server */ - - MoveAndCheckOffset( display_unicode_string( "Server Name", pd, offset, - fd, tree)); + /* server name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_server_name); + + /* user name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_user_name); - MoveAndCheckOffset( display_unicode_string( "User Name", pd, offset, - fd, tree)); + /* domain name */ + offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name); - MoveAndCheckOffset( display_unicode_string( "Domain Name", pd, offset, - fd, tree)); + /* NT version */ + proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, TRUE); + offset += 4; - display_NT_version( pd, &offset, fd, tree, 4); + /* LMNT token */ + proto_tree_add_item(tree, hf_lmnt_token, tvb, offset, 2, TRUE); + offset += 2; - proto_tree_add_text( tree, NullTVB, offset, 2, "LMNT Token: 0x%x", - GSHORT(pd, offset)); - MoveAndCheckOffset( 2); + /* LM token */ + offset = display_LM_token(tvb, offset, pinfo, tree); - display_LM_token( pd, &offset, fd, tree); + return offset; } -gboolean -dissect_smb_logon(const u_char *pd, int offset, frame_data *fd, - proto_tree *parent, proto_tree *tree, struct smb_info si, - int max_data, int SMB_offset, int errcode, int dirn, - const u_char *command, int DataOffset, int DataCount){ - - -/* decode the Microsoft netlogon protocol */ - -static char* CommandName[] = { - - "LM1.0/LM2.0 LOGON Request", /* 0x00 */ - "LM1.0 LOGON Response", /* 0x01 */ - "LM1.0 Query - Centralized Initialization", /* 0x02 */ - "LM1.0 Query - Distributed Initialization", /* 0x03 */ - "LM1.0 Response - Centralized Query", /* 0x04 */ - "LM1.0 Response - Distributed Initialization", /* 0x05 */ - "LM2.0 Response to LOGON Request", /* 0x06 */ - "Query for PDC", /* 0x07 */ - "Announce Startup of PDC", /* 0x08 */ - "Announce Failed PDC", /* 0x09 */ - "Announce Change to UAS or SAM", /* 0x0A */ - "Announce no user on machine", /* 0x0B */ - "Response from PDC", /* 0x0C */ - "LM1.0/LM2.0 Response to re-LOGON Request", /* 0x0D */ - "LM1.0/LM2.0 Response to Interrogate Request", /* 0x0E */ - "LM2.0 Response during LOGON pause", /* 0x0F */ - "LM2.0 Response - user unknown", /* 0x10 */ - "LM2.0 Announce account updates", /* 0x11 */ - "SAM LOGON request from client", /* 0x12 */ - "Response to SAM LOGON request", /* 0x13 */ - "SAM Response during LOGON pause", /* 0x14 */ - "SAM Response - user unknown", /* 0x15 */ - "SAM Response to Interrogate Request", /* 0x16 */ - "Unknown" /* 0x17 */ - }; +#define LOGON_LM10_LOGON_REQUEST 0x00 +#define LOGON_LM10_LOGON_RESPONSE 0x01 +#define LOGON_LM10_QUERY_CI 0x02 +#define LOGON_LM10_QUERY_DI 0x03 +#define LOGON_LM10_RESPONSE_CI 0x04 +#define LOGON_LM10_RESPONSE_DI 0x05 +#define LOGON_LM20_LOGON_RESPONSE 0x06 +#define LOGON_PDC_QUERY 0x07 +#define LOGON_PDC_STARTUP 0x08 +#define LOGON_PDC_FAILED 0x09 +#define LOGON_UAS_SAM 0x0a +#define LOGON_NO_USER 0x0b +#define LOGON_PDC_RESPONSE 0x0c +#define LOGON_RELOGON_RESPONSE 0x0d +#define LOGON_INTERROGATE_RESPONSE 0x0e +#define LOGON_LM20_RESPONSE_DURING_LOGON 0x0f +#define LOGON_LM20_USER_UNKNOWN 0x10 +#define LOGON_LM20_ACCOUNT_UPDATE 0x11 +#define LOGON_SAM_LOGON_REQUEST 0x12 +#define LOGON_SAM_LOGON_RESPONSE 0x13 +#define LOGON_SAM_RESPONSE_DURING_LOGON 0x14 +#define LOGON_SAM_USER_UNKNOWN 0x15 +#define LOGON_SAM_INTERROGATE_RESPONSE 0x16 +#define LOGON_LAST_CMD 0x17 + +static const value_string commands[] = { + {LOGON_LM10_LOGON_REQUEST, "LM1.0/LM2.0 LOGON Request"}, + {LOGON_LM10_LOGON_RESPONSE, "LM1.0 LOGON Response"}, + {LOGON_LM10_QUERY_CI, "LM1.0 Query - Centralized Initialization"}, + {LOGON_LM10_QUERY_DI, "LM1.0 Query - Distributed Initialization"}, + {LOGON_LM10_RESPONSE_CI, "LM1.0 Response - Centralized Query"}, + {LOGON_LM10_RESPONSE_DI, "LM1.0 Response - Distributed Initialization"}, + {LOGON_LM20_LOGON_RESPONSE, "LM2.0 Response to LOGON Request"}, + {LOGON_PDC_QUERY, "Query for PDC"}, + {LOGON_PDC_STARTUP, "Announce Startup of PDC"}, + {LOGON_PDC_FAILED, "Announce Failed PDC"}, + {LOGON_UAS_SAM, "Announce Change to UAS or SAM"}, + {LOGON_NO_USER, "Announce no user on machine"}, + {LOGON_PDC_RESPONSE, "Response from PDC"}, + {LOGON_RELOGON_RESPONSE, "LM1.0/LM2.0 Response to re-LOGON Request"}, + {LOGON_INTERROGATE_RESPONSE, "LM1.0/LM2.0 Response to Interrogate Request"}, + {LOGON_LM20_RESPONSE_DURING_LOGON,"LM2.0 Response during LOGON pause"}, + {LOGON_LM20_USER_UNKNOWN, "LM2.0 Response - user unknown"}, + {LOGON_LM20_ACCOUNT_UPDATE, "LM2.0 Announce account updates"}, + {LOGON_SAM_LOGON_REQUEST, "SAM LOGON request from client"}, + {LOGON_SAM_LOGON_RESPONSE, "Response to SAM LOGON request"}, + {LOGON_SAM_RESPONSE_DURING_LOGON,"SAM Response during LOGON pause"}, + {LOGON_SAM_USER_UNKNOWN, "SAM Response - user unknown"}, + {LOGON_SAM_INTERROGATE_RESPONSE,"SAM Response to Interrogate Request"}, + {0, NULL} +}; -/* Array of functions to dissect the ms logon commands */ -static void (*dissect_smb_logon_cmds[])(const u_char *, int, frame_data *, - proto_tree *) = { - - dissect_smb_logon_request, /* 0x00 (LM1.0/LM2.0 LOGON Request) */ - dissect_smb_logon_LM10_resp, /* 0x01 (LM1.0 LOGON Response) */ - dissect_smb_logon_2, /* 0x02 (LM1.0 Query Centralized Init.) */ - dissect_smb_logon_2, /* 0x03 (LM1.0 Query Distributed Init.) */ - dissect_smb_logon_2, /* 0x04 (LM1.0 Centralized Query Resp.) */ - dissect_smb_logon_2, /* 0x05 (LM1.0 Distributed Query Resp.) */ - dissect_smb_logon_LM20_resp, /* 0x06 (LM2.0 LOGON Response) */ - dissect_smb_pdc_query, /* 0x07 (Query for PDC) */ - dissect_smb_pdc_startup, /* 0x08 (Announce PDC startup) */ - dissect_smb_pdc_failure, /* 0x09 (Announce Failed PDC) */ - dissect_announce_change, /* 0x0A (Announce change to UAS or SAM) */ - dissect_smb_no_user, /* 0x0B (Announce no user on machine) */ - dissect_smb_pdc_startup, /* 0x0C (Response from PDC) */ - dissect_smb_relogon_resp, /* 0x0D (Relogon response) */ - dissect_smb_inter_resp, /* 0x0E (Interrogate response) */ - dissect_smb_pdc_failure, /* 0x0F (LM2.0 Resp. during LOGON pause */ - dissect_smb_pdc_failure, /* 0x10 (LM 2.0 Unknown user response) */ - dissect_smb_acc_update, /* 0x11 (LM2.1 Announce Acc updates) */ - dissect_smb_sam_logon_req, /* 0x12 (SAM LOGON request ) */ - dissect_smb_sam_logon_resp, /* 0x13 (SAM LOGON response) */ - dissect_smb_unknown, /* 0x14 (SAM Response during LOGON Pause) */ - dissect_smb_unknown, /* 0x15 (SAM Response User Unknown) */ - dissect_smb_unknown, /* 0x16 (SAM Response to Interrogate) */ +static int (*dissect_smb_logon_cmds[])(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) = { + dissect_smb_logon_request, /* 0x00 (LM1.0/LM2.0 LOGON Request) */ + dissect_smb_logon_LM10_resp,/* 0x01 (LM1.0 LOGON Response) */ + dissect_smb_logon_2, /* 0x02 (LM1.0 Query Centralized Init.)*/ + dissect_smb_logon_2, /* 0x03 (LM1.0 Query Distributed Init.)*/ + dissect_smb_logon_2, /* 0x04 (LM1.0 Centralized Query Resp.)*/ + dissect_smb_logon_2, /* 0x05 (LM1.0 Distributed Query Resp.) */ + dissect_smb_logon_LM20_resp,/* 0x06 (LM2.0 LOGON Response) */ + dissect_smb_pdc_query, /* 0x07 (Query for PDC) */ + dissect_smb_pdc_startup, /* 0x08 (Announce PDC startup) */ + dissect_smb_pdc_failure, /* 0x09 (Announce Failed PDC) */ + dissect_announce_change, /* 0x0A (Announce Change to UAS or SAM)*/ + dissect_smb_no_user, /* 0x0B (Announce no user on machine)*/ + dissect_smb_pdc_startup, /* 0x0C (Response from PDC) */ + dissect_smb_relogon_resp, /* 0x0D (Relogon response) */ + dissect_smb_inter_resp, /* 0x0E (Interrogate response) */ + dissect_smb_pdc_failure, /* 0x0F (LM2.0 Resp. during LOGON pause*/ + dissect_smb_pdc_failure, /* 0x10 (LM 2.0 Unknown user response)*/ + dissect_smb_acc_update, /* 0x11 (LM2.1 Announce Acc updates)*/ + dissect_smb_sam_logon_req, /* 0x12 (SAM LOGON request ) */ + dissect_smb_sam_logon_resp, /* 0x13 (SAM LOGON response) */ + dissect_smb_unknown, /* 0x14 (SAM Response during LOGON Pause) */ + dissect_smb_unknown, /* 0x15 (SAM Response User Unknown) */ + dissect_smb_unknown, /* 0x16 (SAM Response to Interrogate) */ }; - - guint8 cmd; - proto_tree *smb_logon_tree; - proto_item *ti; - +gboolean +dissect_smb_logon(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) +{ + int offset = 0; + guint8 cmd; + proto_tree *smb_logon_tree = NULL; + proto_item *item = NULL; if (!proto_is_protocol_enabled(proto_smb_logon)) - return FALSE; - /* get the Command field */ - cmd = MIN( GBYTE(pd, offset), array_length(dissect_smb_logon_cmds)-1); + return FALSE; - if (check_col(fd, COL_PROTOCOL)) - col_set_str(fd, COL_PROTOCOL, "NETLOGON"); + pinfo->current_proto = "NETLOGON"; + /* get the Command field */ + cmd = tvb_get_guint8(tvb, offset); - if (check_col(fd, COL_INFO)) - col_add_fstr(fd, COL_INFO, "%s", CommandName[ cmd]); + if (check_col(pinfo->fd, COL_PROTOCOL)) + col_set_str(pinfo->fd, COL_PROTOCOL, "NETLOGON"); + + if (check_col(pinfo->fd, COL_INFO)) + col_add_str(pinfo->fd, COL_INFO, val_to_str(cmd, commands, "Unknown Command:%02x") ); if (tree) { - ti = proto_tree_add_item( parent, proto_smb_logon, NullTVB, offset, - END_OF_FRAME, FALSE); - smb_logon_tree = proto_item_add_subtree(ti, ett_smb_logon); + item = proto_tree_add_item(tree, proto_smb_logon, tvb, + offset, tvb_length_remaining(tvb, offset), FALSE); + + smb_logon_tree = proto_item_add_subtree(item, ett_smb_logon); + } - proto_tree_add_text(smb_logon_tree, NullTVB, offset, 1, - "Command: %u (%s)", cmd, CommandName[ cmd]); - - offset += 2; /* skip to name field */ + /* command */ + proto_tree_add_uint(smb_logon_tree, hf_command, tvb, offset, 1, cmd); + offset += 1; - /* vector to handle commands */ - (dissect_smb_logon_cmds[ cmd]) (pd, offset, fd,smb_logon_tree); + /* skip next byte */ + offset += 1; + if (cmd<LOGON_LAST_CMD) { + offset = (dissect_smb_logon_cmds[cmd])(tvb, pinfo, + smb_logon_tree, offset); + } else { + /* unknown command */ + offset = dissect_smb_unknown(tvb, pinfo, smb_logon_tree, + offset); } - return TRUE; + + return TRUE; } @@ -566,7 +745,148 @@ static void (*dissect_smb_logon_cmds[])(const u_char *, int, frame_data *, void register_proto_smb_logon( void){ -/*** Prep the logon protocol, for now, just register it */ + static hf_register_info hf[] = { + { &hf_command, + { "Command", "netlogon.command", FT_UINT8, BASE_HEX, + VALS(commands), 0, "NETLOGON Command", HFILL }}, + + { &hf_computer_name, + { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON Computer Name", HFILL }}, + + { &hf_unicode_computer_name, + { "Unicode Computer Name", "netlogon.unicode_computer_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON Unicode Computer Name", HFILL }}, + + { &hf_server_name, + { "Server Name", "netlogon.server_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON Server Name", HFILL }}, + + { &hf_user_name, + { "User Name", "netlogon.user_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON User Name", HFILL }}, + + { &hf_domain_name, + { "Domain Name", "netlogon.domain_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON Domain Name", HFILL }}, + + { &hf_mailslot_name, + { "Mailslot Name", "netlogon.mailslot_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON Mailslot Name", HFILL }}, + + { &hf_pdc_name, + { "PDC Name", "netlogon.pdc_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON PDC Name", HFILL }}, + + { &hf_unicode_pdc_name, + { "Unicode PDC Name", "netlogon.unicode_pdc_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON Unicode PDC Name", HFILL }}, + + { &hf_script_name, + { "Script Name", "netlogon.script_name", FT_STRING, BASE_NONE, + NULL, 0, "NETLOGON Script Name", HFILL }}, + + { &hf_nt_version, + { "NT Version", "netlogon.nt_version", FT_UINT32, BASE_HEX, + NULL, 0, "NETLOGON NT Version", HFILL }}, + + { &hf_lmnt_token, + { "LMNT Token", "netlogon.lmnt_token", FT_UINT16, BASE_HEX, + NULL, 0, "NETLOGON LMNT Token", HFILL }}, + + { &hf_lm_token, + { "LM Token", "netlogon.lm_token", FT_UINT16, BASE_HEX, + NULL, 0, "NETLOGON LM Token", HFILL }}, + + { &hf_major_version, + { "Workstation Major Version", "netlogon.major_version", FT_UINT8, BASE_DEC, + NULL, 0, "NETLOGON Workstation Major Version", HFILL }}, + + { &hf_minor_version, + { "Workstation Minor Version", "netlogon.minor_version", FT_UINT8, BASE_DEC, + NULL, 0, "NETLOGON Workstation Minor Version", HFILL }}, + + { &hf_os_version, + { "Workstation OS Version", "netlogon.os_version", FT_UINT8, BASE_DEC, + NULL, 0, "NETLOGON Workstation OS Version", HFILL }}, + + { &hf_time_date, + { "Date/Time", "netlogon.date", FT_UINT32, BASE_DEC, + NULL, 0, "NETLOGON Date/Time", HFILL }}, + + { &hf_update_type, + { "Update Type", "netlogon.update", FT_UINT16, BASE_DEC, + NULL, 0, "NETLOGON Update Type", HFILL }}, + + { &hf_request_count, + { "Request Count", "netlogon.request_count", FT_UINT16, BASE_DEC, + NULL, 0, "NETLOGON Request Count", HFILL }}, + + { &hf_flags_autolock, + { "Autolock", "netlogon.flags.autolock", FT_BOOLEAN, 32, + TFS(&tfs_flags_autolock), ACC_FLAG_AUTO_LOCKED, "NETLOGON Account Autolock", HFILL}}, + + { &hf_flags_expire, + { "Expire", "netlogon.flags.expire", FT_BOOLEAN, 32, + TFS(&tfs_flags_expire), ACC_FLAG_EXPIRE, "NETLOGON Will Account Expire", HFILL}}, + + { &hf_flags_server_trust, + { "Server Trust", "netlogon.flags.server", FT_BOOLEAN, 32, + TFS(&tfs_flags_server_trust), ACC_FLAG_SERVER_TRUST, "NETLOGON Server Trust Account", HFILL}}, + + { &hf_flags_workstation_trust, + { "Workstation Trust", "netlogon.flags.workstation", FT_BOOLEAN, 32, + TFS(&tfs_flags_workstation_trust), ACC_FLAG_WORKSTATION_TRUST, "NETLOGON Workstation Trust Account", HFILL}}, + + { &hf_flags_interdomain_trust, + { "Interdomain Trust", "netlogon.flags.interdomain", FT_BOOLEAN, 32, + TFS(&tfs_flags_interdomain_trust), ACC_FLAG_INTERDOMAIN_TRUST, "NETLOGON Inter-domain Trust Account", HFILL}}, + + { &hf_flags_mns_user, + { "MNS User", "netlogon.flags.mns", FT_BOOLEAN, 32, + TFS(&tfs_flags_mns_user), ACC_FLAG_MNS_USER, "NETLOGON MNS User Account", HFILL}}, + + { &hf_flags_normal_user, + { "Normal User", "netlogon.flags.normal", FT_BOOLEAN, 32, + TFS(&tfs_flags_normal_user), ACC_FLAG_NORMAL_USER, "NETLOGON Normal User Account", HFILL}}, + + { &hf_flags_temp_dup_user, + { "Temp Duplicate User", "netlogon.flags.temp_dup", FT_BOOLEAN, 32, + TFS(&tfs_flags_temp_dup_user), ACC_FLAG_TEMP_DUP_USER, "NETLOGON Temp Duplicate User Account", HFILL}}, + + { &hf_flags_password_required, + { "Password", "netlogon.flags.password", FT_BOOLEAN, 32, + TFS(&tfs_flags_password_required), ACC_FLAG_PASSWORD_REQUIRED, "NETLOGON Password Required", HFILL}}, + + { &hf_flags_homedir_required, + { "Homedir", "netlogon.flags.homedir", FT_BOOLEAN, 32, + TFS(&tfs_flags_homedir_required), ACC_FLAG_HOMEDIR_REQUIRED, "NETLOGON Homedir Required", HFILL}}, + + { &hf_flags_enabled, + { "Enabled", "netlogon.flags.enabled", FT_BOOLEAN, 32, + TFS(&tfs_flags_enabled), ACC_FLAG_ENABLED, "NETLOGON Is This Account Enabled", HFILL}}, + + { &hf_domain_sid_size, + { "Domain SID Size", "netlogon.domain_sid_size", FT_UINT16, BASE_DEC, + NULL, 0, "NETLOGON Domain SID Size", HFILL }}, + + { &hf_low_serial, + { "Low Serial Number", "netlogon.low_serial", FT_UINT32, BASE_DEC, + NULL, 0, "NETLOGON Low Serial Number", HFILL }}, + + { &hf_pulse, + { "Pulse", "netlogon.pulse", FT_UINT32, BASE_DEC, + NULL, 0, "NETLOGON Pulse", HFILL }}, + + { &hf_random, + { "Random", "netlogon.random", FT_UINT32, BASE_DEC, + NULL, 0, "NETLOGON Random", HFILL }}, + + { &hf_db_count, + { "DB Count", "netlogon.db_count", FT_UINT32, BASE_DEC, + NULL, 0, "NETLOGON DB Count", HFILL }}, + + }; static gint *ett[] = { &ett_smb_logon, @@ -576,10 +896,6 @@ register_proto_smb_logon( void){ proto_smb_logon = proto_register_protocol( "Microsoft Windows Logon Protocol", "NETLOGON", "netlogon"); + proto_register_field_array(proto_smb_logon, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); } - - - - - diff --git a/packet-smb-logon.h b/packet-smb-logon.h index fa3a030770..a153242e37 100644 --- a/packet-smb-logon.h +++ b/packet-smb-logon.h @@ -2,10 +2,10 @@ * Declaration of outines for SMB net logon packet dissection * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com> * - * $Id: packet-smb-logon.h,v 1.1 2001/03/18 03:34:22 guy Exp $ + * $Id: packet-smb-logon.h,v 1.2 2001/07/08 11:32:02 guy Exp $ * * Ethereal - Network traffic analyzer - * By Gerald Combs <gerald@zing.org> + * By Gerald Combs <gerald@ethereal.com> * Copyright 1998 Gerald Combs * * This program is free software; you can redistribute it and/or @@ -23,8 +23,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#ifndef _PACKET_SMB_LOGON_H_ +#define _PACKET_SMB_LOGON_H_ + gboolean -dissect_smb_logon(const u_char *pd, int offset, frame_data *fd, - proto_tree *parent, proto_tree *tree, struct smb_info si, - int max_data, int SMB_offset, int errcode, int dirn, - const u_char *command, int DataOffset, int DataCount); +dissect_smb_logon(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree); + +#endif diff --git a/packet-smb-mailslot.c b/packet-smb-mailslot.c index f510a3db9a..99343b803c 100644 --- a/packet-smb-mailslot.c +++ b/packet-smb-mailslot.c @@ -2,10 +2,10 @@ * Routines for SMB mailslot packet dissection * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com> * - * $Id: packet-smb-mailslot.c,v 1.11 2001/03/18 03:34:22 guy Exp $ + * $Id: packet-smb-mailslot.c,v 1.12 2001/07/08 11:32:02 guy Exp $ * * Ethereal - Network traffic analyzer - * By Gerald Combs <gerald@zing.org> + * By Gerald Combs <gerald@ethereal.com> * Copyright 1998 Gerald Combs * * Copied from packet-pop.c @@ -143,10 +143,11 @@ dissect_mailslot_smb(const u_char *pd, int offset, frame_data *fd, strncmp(command, "NET", strlen("NET")) == 0) || (strcmp(command, "TEMP\\NETLOGON") == 0) || (strcmp(command, "MSSP") == 0)){ + tvbuff_t *tvb; + packet_info *pinfo = π + tvb = tvb_create_from_top(DataOffset); - return dissect_smb_logon(pd, DataOffset, fd, parent, tree, - si, max_data, SMB_offset, errcode, dirn, - command, DataOffset, DataCount); + return dissect_smb_logon(tvb, pinfo, parent); } return TRUE; |