Wireshark · Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] bug with LANMAN NetShareEnum Reponse decoding

Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] bug with LANMAN NetShareEnum Reponse decodin

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>

Date: Fri, 16 Mar 2001 01:17:33 -0800

On Thu, Mar 15, 2001 at 06:10:26PM +1100, Jesus M. Salvo Jr. wrote:
> * Decoding problem with NetShareEnum because there is _not_ 2048 shares 
> on that w2k box.

>From a look at the "dosextp.txt" document from the Microsoft archive of
SMB specs:

	ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt

frame 2 appears to be an "Interim Response Format" packet:

	9.2.17.  TRANSACTION

		...

	Interim Response Format (if no error  -  ok  send  remaining
	data):

	  BYTE	 smb_wct;   /* value = 0 */
	  WORD	 smb_bcc;   /* value = 0 */

		...

	Response Format (may respond with zero or more of these):

	  BYTE	 smb_wct;	 /* value = (10 + value of smb_suwcnt) */
	  WORD	 smb_tprcnt;	 /* total number of parameter bytes being returned */
	  WORD	 smb_tdrcnt;	 /* total number of data bytes being returned */
	  WORD	 smb_rsvd;	 /* reserved */
	  WORD	 smb_prcnt;	 /* number of parameter bytes being returned this buf */

		...

However, the SMB dissector for TRANSACTION replies doesn't quit at the
"Total Parameter Count" field ("smb_bcc"), but continues on after that -
but there's nothing more in the packet, so it gets the "Parameter Count"
value, and all the other stuff that's after the "Total Parameter Count"
field, from whatever random junk happens to be in memory after the end
of the packet.

(This particular interim response is an error response, but an interim
response could also be sent if the client is sending data to the server
and the data doesn't fit in a single buffer.  There's a rather long
explanation in the document in question, in section 9.2.17.)

So "packet-smb.c" should be patched as follows:

Index: packet-smb.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/packet-smb.c,v
retrieving revision 1.79
diff -c -r1.79 packet-smb.c
***************
*** 9981,9986 ****
--- 9981,10005 ----
      }
  
      offset += 1; /* Skip Word Count (WCT) */
+ 
+     if (WordCount == 0) {
+ 
+       /* Interim response.
+          XXX - should we tag it as such? */
+ 
+       /* Build display for: Byte Count (BCC) */
+ 
+       ByteCount = GSHORT(pd, offset);
+ 
+       if (tree) {
+ 
+         proto_tree_add_text(tree, NullTVB, offset, 2, "Byte Count (BCC): %u", ByteCount);
+ 
+       }
+ 
+       return;
+ 
+     }
  
      /* Build display for: Total Parameter Count */

Prev by Date: Re: [Ethereal-dev] VJ compressed PPP packets ??
Next by Date: [Ethereal-dev] Re: [Ethereal-users] bug with LANMAN NetShareEnum Reponse decoding
Previous by thread: [Ethereal-dev] Re: NFS
Next by thread: [Ethereal-dev] Re: [Ethereal-users] bug with LANMAN NetShareEnum Reponse decoding
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$