Age | Commit message | Author | Files | Lines |
|
"dissect_nt_sec_desc()".
Also, get rid of code to handle lengths of -1 in "dissect_nt_sec_desc()"
- we never pass it a length of -1, as security descriptors aren't sent
over the wire with NDR syntax.
svn path=/trunk/; revision=5317
|
|
Remove the declaration of "dissect_nt_sid()" from
"packet-dcerpc-samr.c"; get it by including "packet-smb-common.h",
instead.
svn path=/trunk/; revision=5313
|
|
then later construct the sub-authority string from that array; we can
just construct the string as we fetch the sub-authorities.
Given that we're doing that, use the cleanup handler to free the string,
so that we don't leak memory if we throw an exception when fetching the
RID, for example.
svn path=/trunk/; revision=5294
|
|
functions, from David Frascone.
svn path=/trunk/; revision=5288
|
|
response if the negotiated dialect is Windows for Workgroups 3.1a.
svn path=/trunk/; revision=5264
|
|
values.
Note that in a Negotiate Protocol response, the primary domain won't be
present if the negotiated dialect isn't "DOS LANMAN 2.1" or "LANMAN2.1".
At least for Info Standard replies for Transaction2 Find First2
requests, if the request had the "return resume keys" flag set, the
reply will have a resume key at the beginning of each entry. We assume
that to be the case for Info Query EA Size and Info Query EAs From List;
it does *not* appear to be the case for Find File Directory Info, Find
File Full Directory Info, or Find File Both Directory Info (they don't
have it even if the flag is set, at least in the captures I've seen).
The length of the name string in Find First2 entries doesn't include the
terminating '\0'; count that as well.
svn path=/trunk/; revision=5259
|
|
within the ACE to work out where the end is.
svn path=/trunk/; revision=5235
|
|
svn path=/trunk/; revision=5234
|
|
svn path=/trunk/; revision=5230
|
|
svn path=/trunk/; revision=5217
|
|
svn path=/trunk/; revision=5213
|
|
inside a Netlogon security descriptor.
Correctly dissect NT security descriptors as they appear inside an LSA
security descriptor (at least as those appear inside a Netlogon security
descriptor) - they get sent over the wire, apparently, as an opaque blob
from the point of view of DCE RPC, at least from one capture I've seen,
they do *not* get sent over the wire in DCE RPC NDR syntax.
svn path=/trunk/; revision=5212
|
|
dissector in packet-smb.c so we can call it from DCERPC NDR encoded services.
svn path=/trunk/; revision=5194
|
|
1) handle inter-entry padding;
2) quit when the "next entry offset" is 0 (that being the signal
for the last entry).
svn path=/trunk/; revision=5171
|
|
being dereferenced.
svn path=/trunk/; revision=5137
|
|
svn path=/trunk/; revision=5131
|
|
upset if a negative value is passed as len
svn path=/trunk/; revision=5044
|
|
incorporate the fixes I sent them, so it now matches what we have.
svn path=/trunk/; revision=5032
|
|
top-level item correspond to the reassembled data, and make the item for
each fragment/segment correspond to the part of that reassembled data
that came from that fragment/segment.
svn path=/trunk/; revision=5025
|
|
in our table.
svn path=/trunk/; revision=5023
|
|
that a country code of 0 is for the "default", presumably meaning "don't
override the setting on the desktop machine" or something such as that.
svn path=/trunk/; revision=5015
|
|
offset to go past the last authority (the RID).
svn path=/trunk/; revision=4991
|
|
svn path=/trunk/; revision=4989
|
|
last sub-authority.
svn path=/trunk/; revision=4988
|
|
information, just as is done for Write.
Squelch a compiler warning.
svn path=/trunk/; revision=4987
|
|
svn path=/trunk/; revision=4980
|
|
structures
svn path=/trunk/; revision=4970
|
|
svn path=/trunk/; revision=4969
|
|
svn path=/trunk/; revision=4964
|
|
svn path=/trunk/; revision=4963
|
|
svn path=/trunk/; revision=4962
|
|
svn path=/trunk/; revision=4961
|
|
svn path=/trunk/; revision=4957
|
|
traffic or not, that data doesn't include the padding; handle padding
if you're dissecting it as DCERPC traffic.
Don't treat the traffic as DCERPC traffic unless it's to the IPC$ share.
svn path=/trunk/; revision=4956
|
|
is non-null, as there's no guarantee that the corresponding SMB request
is in the capture. Check whether it's null before using it.
svn path=/trunk/; revision=4954
|
|
I have captures with w2k speaking DCERPC without using the normal
Transaction named pipes SMBs.
Instead DCERPC is just implemented on top of ordinary read/write calls.
The smb dissector now examines TreeConnectAndX and stores the conversation/tid/type-of-share in a table for later access.
All SMB requests examine that hash table to find out if TID in the header refers
to a normal share or an IPC$ share.
Initial support in read/write SMB calls to detect if the operations are for an
IPC share and thus it assumes it must be DCERPC commands in the payload.
Desegmentation/Reassembly of these types of calls are not implemented yet.
svn path=/trunk/; revision=4952
|
|
svn path=/trunk/; revision=4948
|
|
packet-smb.c so that packet-smb-pipe.c can reference this struct as well.
svn path=/trunk/; revision=4947
|
|
svn path=/trunk/; revision=4946
|
|
there's a space after the colon, and so that there's no extra comma at the
end and only one space between the items.
Fix a typo.
svn path=/trunk/; revision=4940
|
|
to be an unknown special time constant: 0x40000000 00000000 that we don't know
yet what it means.
svn path=/trunk/; revision=4915
|
|
once is enough.
svn path=/trunk/; revision=4901
|
|
setup packets.
svn path=/trunk/; revision=4818
|
|
svn path=/trunk/; revision=4785
|
|
svn path=/trunk/; revision=4771
|
|
string format item) as the third argument to "val_to_str()".
svn path=/trunk/; revision=4770
|
|
An NT security descriptor can be either revision 1 or 2 and seems to be the
same format on the wire.
svn path=/trunk/; revision=4768
|
|
remembers SMBs for request/response matching, and make sure the request
and the response have the same type (or that the response has a
different type but is a valid response to the request).
svn path=/trunk/; revision=4763
|
|
"data source" has a name and a top-level tvbuff, and frames can have a
list of data sources associated with them.
Use the tvbuff pointer to determine which data source is the data source
for a given field; this means we don't have to worry about multiple data
sources with the same name - the only thing the name does is label the
notebook tab for the display of the data source, and label the hex dump
of the data source in print/Tethereal output.
Clean up a bunch of things discovered in the process of doing the above.
svn path=/trunk/; revision=4749
|
|
- For selected read and write SMBs, display the byte count and offset
in the info column. This makes browsing file read/writes easier to
understand.
- In dissect_nt_sids() sometimes the version number is 3 but the rest
of the sid format remains the same. This is purely by observation -
I have no documentation to confirm this.
- Use a GString instead of a fixed buffer in dissect_nt_sids().
svn path=/trunk/; revision=4733
|