Smb2-protocol: Re: [Smb2-protocol] Re: Two more smb2 header flags
From: "Stefan (metze) Metzmacher" <metze@xxxxxxxxx>
Date: Tue, 07 Feb 2006 11:36:16 +0100
ronnie sahlberg schrieb: > Ah, > > > Flag 0x02 is "ProcessID is valid" > > See attached capture for a transaction with Notify and Cancel where this bit > is used. > This bit is also set for Ioctl and Reads to named pipes when they also > return STATUS_PENDING. These replies also have a valid (non-0xfffe PID > value) > > > All other packets i have seen always specify this bit as clear and ProcessID > as 0xfffe which is likely some default value. Hi Ronnie, can you apply this patch? I also noticed that the 0x02 flag also means that the tid is invalid, so it seems either the TID or the PID is valid... metze
=== epan/dissectors/packet-nbap.h
==================================================================
--- epan/dissectors/packet-nbap.h (revision 1496)
+++ epan/dissectors/packet-nbap.h (local)
@@ -10,7 +10,7 @@
 * Routines for UMTS Node B Application Part(NBAP) packet dissection
 * Copyright 2005, Anders Broman <anders.broman@xxxxxxxxxxxx>
 *
- * $Id: packet-nbap-template.h 16293 2005-10-24 21:16:44Z etxrab $
+ * $Id$
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@xxxxxxxxxxxx>
=== epan/dissectors/packet-smb2.c
==================================================================
--- epan/dissectors/packet-smb2.c (revision 1496)
+++ epan/dissectors/packet-smb2.c (local)
@@ -63,6 +63,7 @@
 static int hf_smb2_tid = -1;
 static int hf_smb2_uid = -1;
 static int hf_smb2_flags_response = -1;
+static int hf_smb2_flags_valid_pid = -1;
 static int hf_smb2_response_buffer_offset = -1;
 static int hf_smb2_security_blob_offset = -1;
 static int hf_smb2_security_blob_len = -1;
@@ -188,6 +189,7 @@
 static gint ett_smb2_ea = -1;
 static gint ett_smb2_header = -1;
 static gint ett_smb2_command = -1;
+static gint ett_smb2_flags = -1;
 static gint ett_smb2_secblob = -1;
 static gint ett_smb2_file_basic_info = -1;
 static gint ett_smb2_file_standard_info = -1;
@@ -654,13 +656,16 @@
 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
 } smb2_function;
-#define SMB2_FLAGS_RESPONSE 0x01
-
 static const true_false_string tfs_flags_response = {
 "This is a RESPONSE",
 "This is a REQUEST"
 };
+static const true_false_string tfs_flags_valid_pid = {
+"PID field is invalid",
+"PID field is valid",
+};
+
 static const value_string compression_format_vals[] = {
 { 0, "COMPRESSION_FORMAT_NONE" },
 { 1, "COMPRESSION_FORMAT_DEFAULT" },
@@ -2133,7 +2138,7 @@
 };
 value_string *vs;
-if(si->response){
+if(si->flags & SMB2_FLAGS_RESPONSE){
 if(!si->saved){
 return offset;
 }
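Review bot: The new `tfs_flags_valid_pid` in the hunk at -654 puts `"PID field is invalid"` in the first slot, which `true_false_string` uses for the bit-set case (compare `tfs_flags_response`, whose first string `"This is a RESPONSE"` describes the set bit), so a header with `SMB2_FLAGS_VALID_PID` set will be shown as having an invalid PID. If the bit means the PID is valid, as the macro name and the thread both say, the two strings should be swapped: `"PID field is valid",` then `"PID field is invalid",`. If the bit is instead meant to signal that the PID is not meaningful, the macro and the `smb2.flags.valid_pid` field name should be changed so that all three agree.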
@@ -2170,17 +2175,17 @@
 /* class */
 item=proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
-if(si->response){
+if(si->flags & SMB2_FLAGS_RESPONSE){
 PROTO_ITEM_SET_GENERATED(item);
 }
 /* infolevel */
 item=proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
-if(si->response){
+if(si->flags & SMB2_FLAGS_RESPONSE){
 PROTO_ITEM_SET_GENERATED(item);
 }
 offset += 2;
-if(!si->response){
+if(!si->flags & SMB2_FLAGS_RESPONSE){
 /* Only update COL_INFO for requests. It clutters the
 * display ab bit too much if we do it for replies
 * as well.
@@ -3608,9 +3613,10 @@
 { 0xFF, "unknown-0xFF" },
 { 0x00, NULL },
 };
-static const char *decode_smb2_name(guint8 cmd)
+static const char *decode_smb2_name(guint16 cmd)
 {
-return(smb2_cmd_vals[cmd].strptr);
+if (cmd > 0xFF) return "unknown";
+return(smb2_cmd_vals[cmd & 0xFF].strptr);
 }
 static smb2_function smb2_dissector[256] = {
@@ -3919,12 +3925,12 @@
 cmd_item = proto_tree_add_text(tree, tvb, offset, -1,
 "%s %s (0x%02x)",
 decode_smb2_name(si->opcode),
-si->response?"Response":"Request",
+(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
 si->opcode);
 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb2_command);
-cmd_dissector=si->response?
+cmd_dissector=(si->flags & SMB2_FLAGS_RESPONSE)?
 smb2_dissector[si->opcode&0xff].response:
 smb2_dissector[si->opcode&0xff].request;
 if(cmd_dissector){
@@ -4032,6 +4038,8 @@
 proto_tree *tree=NULL;
 proto_item *header_item=NULL;
 proto_tree *header_tree=NULL;
+proto_item *flags_item=NULL;
+proto_tree *flags_tree=NULL;
 int offset=0;
 int old_offset;
 guint16 header_len;
@@ -4113,7 +4121,7 @@
 /* opcode */
-si->opcode=tvb_get_guint8(tvb, offset);
+si->opcode=tvb_get_letohs(tvb, offset);
 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, TRUE);
 offset += 2;
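Review bot: `if(!si->flags & SMB2_FLAGS_RESPONSE){` in the hunk at -2170 parses as `(!si->flags) & SMB2_FLAGS_RESPONSE`, so the branch runs only when no flag bit at all is set; a request that also carries `SMB2_FLAGS_VALID_PID` (now possible, since the flags are read as a 32-bit word) is no longer treated as a request and its COL_INFO update is skipped. Every other conversion in this patch uses the parenthesised form, so this one should too: `if(!(si->flags & SMB2_FLAGS_RESPONSE)){`. The enclosing function starts and ends outside the hunk.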
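Review bot: In `decode_smb2_name` (hunk at -3608), once `cmd > 0xFF` has returned `"unknown"` the `cmd & 0xFF` in the lookup can never change the index, so it only obscures that the value is used directly; `return(smb2_cmd_vals[cmd].strptr);` says what actually happens. That direct index also depends on `smb2_cmd_vals` being a dense 0x00..0xFF table ending in the `{ 0x00, NULL }` terminator shown just above, which deserves a one-line comment on the table such as `/* indexed directly by opcode: must stay exactly 256 entries, in order */` so a later edit does not silently break the lookup.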
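Review bot: The dispatch in the hunk at -3919 masks the now 16-bit opcode with `si->opcode&0xff` before indexing `smb2_dissector`, while `decode_smb2_name` rejects anything above 0xFF, so a packet with a high opcode byte is labelled "unknown" in the tree but still handed to the command dissector of the low byte (opcode 0x0105 would be dissected as command 0x05). The two lookups should agree; the simplest fix is to not dispatch out-of-range opcodes at all, e.g. `cmd_dissector=(si->opcode>0xff)?NULL:(si->flags & SMB2_FLAGS_RESPONSE)?smb2_dissector[si->opcode].response:smb2_dissector[si->opcode].request;` or the equivalent if/else. The `%02x` format will print four digits for such values, which is acceptable but worth knowing. The enclosing function continues outside the hunk.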
@@ -4122,13 +4130,20 @@
 offset += 2;
 /* flags */
-si->response=tvb_get_guint8(tvb, offset)&SMB2_FLAGS_RESPONSE;
-proto_tree_add_item(header_tree, hf_smb2_flags_response, tvb, offset, 1, FALSE);
-offset += 1;
+si->flags=tvb_get_letohl(tvb, offset);
+if(header_tree){
+flags_item = proto_tree_add_text(header_tree, tvb, offset, 2,
+"Flags: 0x%08x", si->flags);
+flags_tree = proto_item_add_subtree(flags_item, ett_smb2_flags);
+}
+proto_tree_add_boolean(flags_tree, hf_smb2_flags_valid_pid, tvb, offset, 4, si->flags);
+proto_tree_add_boolean(flags_tree, hf_smb2_flags_response, tvb, offset, 4, si->flags);
+offset += 4;
+
 /* some unknown bytes */
-proto_tree_add_item(header_tree, hf_smb2_unknown, tvb, offset, 7, FALSE);
-offset += 7;
+proto_tree_add_item(header_tree, hf_smb2_unknown, tvb, offset, 4, FALSE);
+offset += 4;
 /* command sequence number*/
 si->seqnum=tvb_get_letoh64(tvb, offset);
@@ -4158,7 +4173,7 @@
 if (check_col(pinfo->cinfo, COL_INFO)){
 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
 decode_smb2_name(si->opcode),
-si->response?"Response":"Request");
+(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
 if(si->status){
 col_append_fstr(
 pinfo->cinfo, COL_INFO, ", Error: %s",
@@ -4172,7 +4187,7 @@
 /* see if we can find this seqnum in the unmatched table */
 ssi=g_hash_table_lookup(si->conv->unmatched, &ssi_key);
-if(!si->response){
+if(!(si->flags & SMB2_FLAGS_RESPONSE)){
 /* This is a request */
 if(ssi){
 /* this is a request and we already found
@@ -4218,7 +4233,7 @@
 }
 if(ssi){
-if(!si->response){
+if(!(si->flags & SMB2_FLAGS_RESPONSE)){
 if(ssi->frame_res){
 proto_item *tmp_item;
 tmp_item=proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
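Review bot: The flags summary item in the hunk at -4122 is added with a length of 2 (`proto_tree_add_text(header_tree, tvb, offset, 2,`) although `tvb_get_letohl` reads four bytes, both `proto_tree_add_boolean` calls cover 4 bytes and `offset += 4` follows, so the highlighted bytes will not match the field; it should be `offset, 4,`. The 4-byte flags word plus the 4 remaining unknown bytes still add up to the 8 bytes the old 1+7 layout consumed, so the header length is unchanged. `flags_tree` also stays NULL when `header_tree` is NULL, which presumably relies on `proto_tree_add_boolean` accepting a NULL tree; a short comment on the `if(header_tree)` block, `/* flags_tree stays NULL when no tree is built; add_boolean tolerates that */`, would make the intent explicit. The enclosing dissector function starts and ends outside the hunk.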
@@ -4332,8 +4347,11 @@
 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
 NULL, 0, "SMB2 Process Id", HFILL }},
 { &hf_smb2_flags_response,
-{ "Response", "smb2.flags.response", FT_BOOLEAN, 8,
+{ "Response", "smb2.flags.response", FT_BOOLEAN, 32,
 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }},
+{ &hf_smb2_flags_valid_pid,
+{ "Response", "smb2.flags.valid_pid", FT_BOOLEAN, 32,
+TFS(&tfs_flags_valid_pid), SMB2_FLAGS_VALID_PID, "Whether the PID field of the SMB2 Header is valid", HFILL }},
 { &hf_smb2_tree,
 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
 NULL, 0, "Name of the Tree/Share", HFILL }},
@@ -4776,6 +4794,7 @@
 &ett_smb2_olb,
 &ett_smb2_header,
 &ett_smb2_command,
+&ett_smb2_flags,
 &ett_smb2_secblob,
 &ett_smb2_file_basic_info,
 &ett_smb2_file_standard_info,
=== epan/dissectors/packet-smb2.h
==================================================================
--- epan/dissectors/packet-smb2.h (revision 1496)
+++ epan/dissectors/packet-smb2.h (local)
@@ -87,7 +87,7 @@
 guint32 tid;
 guint64 uid;
 guint64 seqnum;
-gboolean response; /* is this a response ? */
+guint32 flags;
 smb2_conv_info_t *conv;
 smb2_saved_info_t *saved;
 smb2_tid_info_t *tree;
@@ -95,6 +95,8 @@
 proto_tree *top_tree;
 } smb2_info_t;
+#define SMB2_FLAGS_RESPONSE 0x00000001
+#define SMB2_FLAGS_VALID_PID 0x00000002
 int dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset);
=== gtk/smb2_stat.c
==================================================================
--- gtk/smb2_stat.c (revision 1496)
+++ gtk/smb2_stat.c (local)
@@ -88,7 +88,7 @@
 const smb2_info_t *si=psi;
 /* we are only interested in reply packets */
-if(!si->response){
+if(!(si->flags & SMB2_FLAGS_RESPONSE)){
 return 0;
 }
 /* if we havnt seen the request, just ignore it */
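Review bot: The new `hf_smb2_flags_valid_pid` registration in the hunk at -4332 reuses the display name `"Response"` from the entry above it, so both flag bits appear under the same label in the header tree and in the field list; it should read `{ "Valid PID", "smb2.flags.valid_pid", FT_BOOLEAN, 32,`. The blurb `"Whether the PID field of the SMB2 Header is valid"` already describes the bit and can stay as is.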
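Review bot: Replacing `gboolean response; /* is this a response ? */` with a bare `guint32 flags;` in packet-smb2.h (hunk at -87) drops the only comment on that member, and the field is now read in several files (`gtk/smb2_stat.c` tests it directly); a comment tying it to the bit definitions, `guint32 flags; /* SMB2 header flags, see SMB2_FLAGS_* below */`, keeps the header self-describing. The `SMB2_FLAGS_*` defines added at -95 would also read better with a blank line separating them from the `dissect_smb2_FILE_OBJECTID_BUFFER` prototype that follows.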
Attachment:
signature.asc
Description: OpenPGP digital signature