Ethereal-dev: Re: [Ethereal-dev] A question in for NBSS dissector
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 15 Apr 2003 00:50:08 -0700
On Tue, Apr 15, 2003 at 12:12:08AM -0700, Huagang Xie wrote:
> in packet-nbns.c
>
>     if (pinfo->match_port == TCP_PORT_CIFS) {
>         /*
>          * Windows 2000 CIFS clients can dispense completely
>          * with the NETBIOS encapsulation and directly use CIFS
>          * over TCP. As would be expected, the framing is
>          * identical, except that the length is 24 bits instead
>          * of 17. The only message types used are
>          * SESSION_MESSAGE and SESSION_KEEP_ALIVE.
>          */
>         is_cifs = TRUE;
>     } else {
>         is_cifs = FALSE;
>     }
>
> The TCP_PORT_CIFS here is 445, but even if on port 445, the SMB/CIFS
> is still over NETBIOS-SS.
That depends on whether port 445 is the client or server port.
If it's the server port, that's *NOT* NetBIOS Session Service, that's
CIFS running directly over TCP. See Appendix B of the CIFS Technical
Reference:
http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf
which says
10. Appendix B -- TCP transport
When operating CIFS over TCP, connections are established
to TCP port 445, and each message is framed as follows:
                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     ZERO      |                     LENGTH                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /                  SMB (Packet Type Dependent)                  /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Each CIFS request starts with a 4 byte field encoded as
above: a byte of zero, followed by three bytes of length;
after that follows the body of the request.
> Since this affects the "netbios-length" checking later,
...which is exactly what it's supposed to do.
>
>     /*
>      * We have enough data for an NBSS header.
>      * Get the flags and length of the message,
>      * and see if they're sane.
>      */
>     if (is_cifs) {
>         flags = 0;
>         length = tvb_get_ntoh24(tvb, offset + 1);
That fetches the 24-bit length field from the header described above,
which is what's correct if the traffic is CIFS-over-TCP.
>     } else {
>         flags = tvb_get_guint8(tvb, offset + 1);
>         length = tvb_get_ntohs(tvb, offset + 2);
>         if (flags & NBSS_FLAGS_E)
>             length += 65536;
That fetches the flags and length fields from the header in RFC 1002:
All session packets are of the following general structure:
                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /                TRAILER (Packet Type Dependent)                /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> I would suggest removing this (is_cifs) check,
Removing that checking would make Ethereal incorrectly dissect some
traffic.
There are some captures where SMB/CIFS is running atop the NetBIOS
Session Service, and there are other captures where SMB/CIFS is running
atop TCP with the Appendix B encapsulation. Therefore, Ethereal needs
code to support both of them, so there needs to be an "is_cifs" Boolean
that's checked.
The only problem is if you have the client using port 139 or 445 when
the server is using the opposite port number; in that case, as 139 <
445, the TCP dissector will first try to match 139 and then, if that
doesn't match anything, it'll match 445. 139 will match NetBIOS Session
Service, so if you have a client using port 139 to talk to a
CIFS-over-TCP server on port 445, the traffic will be dissected as
NetBIOS-over-TCP, not CIFS-over-TCP.
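As an added illustration of the two framings discussed in this thread (this is example code written for this archive page, not code from the Ethereal tree or from either poster), the C program below reads the same 4-byte header under the RFC 1002 rules (type, flags, 16-bit length plus the E extension bit) and under the CIFS Technical Reference Appendix B rules (zero byte, 24-bit length), applies a "see if they're sane" check, and shows why the two readings diverge once any flag bit other than E is set. The port-selection helper only mirrors the lower-port-first matching described in the last paragraph; it is a simplified assumption, not the Ethereal TCP dissector's actual code, and the sample header bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBSS_HDR_LEN             4
#define NBSS_FLAGS_E             0x01  /* RFC 1002 length-extension bit */
#define NBSS_SESSION_MESSAGE     0x00  /* RFC 1002 session packet types */
#define NBSS_SESSION_KEEP_ALIVE  0x85
#define TCP_PORT_NBSS            139
#define TCP_PORT_CIFS            445

typedef struct {
    uint8_t  type;
    uint8_t  flags;   /* always 0 under CIFS-over-TCP framing */
    uint32_t length;  /* 17-bit (NBSS) or 24-bit (CIFS) body length */
} nbss_header;

/* Parse the 4-byte header at buf. Returns 1 on success, 0 if fewer than
 * NBSS_HDR_LEN bytes are available (the caller should wait for more data). */
int nbss_parse_header(const uint8_t *buf, size_t avail, bool is_cifs,
                      nbss_header *out)
{
    if (avail < NBSS_HDR_LEN)
        return 0;
    out->type = buf[0];
    if (is_cifs) {
        /* CIFS Technical Reference, Appendix B: zero byte + 24-bit length */
        out->flags  = 0;
        out->length = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    } else {
        /* RFC 1002: type, flags, 16-bit length; the E flag supplies bit 16 */
        out->flags  = buf[1];
        out->length = ((uint32_t)buf[2] << 8) | buf[3];
        if (out->flags & NBSS_FLAGS_E)
            out->length += 65536;
    }
    return 1;
}

/* Sanity check in the spirit of the dissector's "see if they're sane":
 * under CIFS framing only SESSION_MESSAGE and SESSION_KEEP_ALIVE occur;
 * under NBSS framing every flag bit other than E is reserved and must be 0. */
bool nbss_header_sane(const nbss_header *h, bool is_cifs)
{
    if (is_cifs)
        return h->type == NBSS_SESSION_MESSAGE ||
               h->type == NBSS_SESSION_KEEP_ALIVE;
    return (h->flags & ~NBSS_FLAGS_E) == 0;
}

/* Framing choice by port, mirroring the lower-port-first matching described
 * above (a simplified assumption, not Ethereal's TCP dissector): 139 is tried
 * before 445, so a 139<->445 connection is treated as NBSS.
 * Returns 1 for CIFS-over-TCP, 0 for NBSS, -1 if neither port is known. */
int framing_for_ports(uint16_t srcport, uint16_t dstport)
{
    if (srcport == TCP_PORT_NBSS || dstport == TCP_PORT_NBSS)
        return 0;
    if (srcport == TCP_PORT_CIFS || dstport == TCP_PORT_CIFS)
        return 1;
    return -1;
}

/* Helpers over a constructed 4-byte header, used by main() and for checks. */
uint32_t parsed_length(uint8_t type, uint8_t b1, uint8_t b2, uint8_t b3,
                       bool is_cifs)
{
    uint8_t buf[NBSS_HDR_LEN] = { type, b1, b2, b3 };
    nbss_header h;
    return nbss_parse_header(buf, sizeof buf, is_cifs, &h) ? h.length : 0;
}

int header_is_sane(uint8_t type, uint8_t b1, uint8_t b2, uint8_t b3,
                   bool is_cifs)
{
    uint8_t buf[NBSS_HDR_LEN] = { type, b1, b2, b3 };
    nbss_header h;
    if (!nbss_parse_header(buf, sizeof buf, is_cifs, &h))
        return 0;
    return nbss_header_sane(&h, is_cifs) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: the same four bytes read under each framing. */
    const uint8_t sample[NBSS_HDR_LEN] = { 0x00, 0x02, 0x00, 0x10 };
    nbss_header h;
    nbss_parse_header(sample, sizeof sample, false, &h);
    printf("NBSS : type=%#04x flags=%#04x length=%u sane=%d\n",
           h.type, h.flags, (unsigned)h.length, nbss_header_sane(&h, false));
    nbss_parse_header(sample, sizeof sample, true, &h);
    printf("CIFS : type=%#04x flags=%#04x length=%u sane=%d\n",
           h.type, h.flags, (unsigned)h.length, nbss_header_sane(&h, true));
    printf("ports 139<->445 -> %d, 1025<->445 -> %d\n",
           framing_for_ports(139, 445), framing_for_ports(1025, 445));
    return 0;
}
```

The interesting case is the one main() prints: bytes 00 02 00 10 are a 16-byte message with a reserved flag bit set under RFC 1002 framing (and so fail the sanity check), but a perfectly valid 131088-byte SESSION_MESSAGE under Appendix B framing. That is exactly why the dissector cannot drop the is_cifs distinction and why a wrong port-based guess leads to the mis-dissection described in the last paragraph.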