Wireshark-bugs: [Wireshark-bugs] [Bug 5078] New: SMB Tree_Connect_Andx request and response impr
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5078
           Summary: SMB Tree_Connect_Andx request and response improper
                    dissection if 'Extended Response' flag (0x0008) has
                    set in the Request
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: tankeansiong@xxxxxxxxx
                CC: tankeansiong@xxxxxxxxx
Tan Kean Siong <tankeansiong@xxxxxxxxx> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #5001|                            |review_for_checkin?
               Flag|                            |
Created an attachment (id=5001)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5001)
Patch for SMB Tree Connect Andx request and response
Build Information:
Version 1.5.0-testing
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with
SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5,
with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
(built Aug 4 2010), with AirPcap.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.1.1
(packet.dll version 4.1.0.1753), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.
Built using Microsoft Visual C++ 9.0 build 30729
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Hi,
Greetings.
With the latest version of Wireshark, 1.5.0 from SVN, I found that Wireshark is
not able to dissect the SMB Tree_Connect_AndX Request and Response properly with
the extended request and response documented in [MS-SMB] v20100711, which was
recently published by Microsoft.
Problem:
1. For SMB Tree_Connect_AndX, in the client request, Wireshark is only able to
dissect the 'flags' field with tfs_disconnect_tid. It should have another two
options.
2. For SMB Tree_Connect_AndX, in the server response, only two options can be
dissected, which are tfs_connect_support_search and tfs_connect_support_in_dfs.
Another three options need to be added.
3. In the server response packet, if WordCount is 7, Wireshark dissects certain
packets by looping through the remaining words as "Word parameter: 0x%04x". This
dissection is incorrect, as the bytes should be two smb_nt_access_mask values.
These three problems led to confusion and headaches when I tried to debug my
application, which needs to analyse these SMB_Tree_Connect_AndX packets. That is
why I spent some time on a solution.
Patch:
1. To solve problem 1, two new options have been added: tfs_extended_signature
and tfs_extended_response.
2. For the 2nd problem, three new options have been added:
connect_support_csc_mask_vals[], tfs_connect_support_uniquefilename and
tfs_connect_support_extended_signature.
3. For the 3rd problem, the packets are dissected with smb_nt_access_mask and
displayed with the subtrees "Maximal Share Access Rights" and "Guest Maximal
Share Access Rights".
Attached is the patch that I created.
Testing:
1. The problem can be observed by simply executing the Windows AT command. It is
the task scheduler tool to enumerate, add or delete scheduled tasks locally and
remotely. With "at \\192.168.1.3", before the patch, Wireshark returns the
improper information. "at", "net use \\192.168.1.3" or "net view \\192.168.1.3"
from Windows XP SP2 will set the "Extended Response" bit in the
SMB_Tree_Connect_AndX request. After the patch, Wireshark can dissect the
packet well.
2. Microsoft Network Monitor is able to dissect this SMB_Tree_Connect_AndX
request and response well. I used it as a comparison during the work.
Thank you.
-Tan Kean Siong
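The layout the report describes, as an added example that is not part of the bug report or of the Wireshark patch: a small builder and parser for both sides of SMB_COM_TREE_CONNECT_ANDX, covering the request Flags word (0x0008 EXTENDED_RESPONSE from the title, the other two bit values and the OptionalSupport bits taken from [MS-SMB] 2.2.4.7, the ACCESS_MASK bits from [MS-CIFS]) and a response whose WordCount is 7, where the two trailing DWORDs are access masks rather than generic words. The sample messages are constructed here, and the example assumes OEM (non-Unicode) strings and no AndX chaining; the function and field names are this example's own, not Wireshark's.

```python
"""Build and parse SMB_COM_TREE_CONNECT_ANDX parameter/data blocks (added example)."""
import struct

# Request Flags ([MS-SMB] 2.2.4.7.1); 0x0008 is the bit from the bug title.
REQ_FLAGS = {0x0001: "TREE_CONNECT_ANDX_DISCONNECT_TID",
             0x0004: "TREE_CONNECT_ANDX_EXTENDED_SIGNATURES",
             0x0008: "TREE_CONNECT_ANDX_EXTENDED_RESPONSE"}
# Response OptionalSupport ([MS-SMB] 2.2.4.7.2); bits 2-3 form the two-bit CSC field.
OPT_FLAGS = {0x0001: "SMB_SUPPORT_SEARCH_BITS", 0x0002: "SMB_SHARE_IS_IN_DFS",
             0x0010: "SMB_UNIQUE_FILE_NAME", 0x0020: "SMB_EXTENDED_SIGNATURES"}
CSC_MASK = 0x000C
CSC_POLICY = {0x0000: "SMB_CSC_CACHE_MANUAL_REINT", 0x0004: "SMB_CSC_CACHE_AUTO_REINT",
              0x0008: "SMB_CSC_CACHE_VDO", 0x000C: "SMB_CSC_NO_CACHING"}
# ACCESS_MASK bits ([MS-CIFS] 2.2.1.4.1): the type of the two extra DWORDs when WordCount == 7.
ACCESS_MASK = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA", 0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA", 0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}


def decode_flags(value, table):
    """Names of the set bits (ascending bit order); any bit not in `table` is reported in hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"unknown:0x{unknown:08x}")
    return names


def build_request(flags, path, service=b"?????", password=b"\x00"):
    """WordCount 4 request: AndXCommand, AndXReserved, AndXOffset, Flags, PasswordLength."""
    data = password + path + b"\x00" + service + b"\x00"   # OEM strings assumed
    return (struct.pack("<BBBHHH", 4, 0xFF, 0, 0, flags, len(password))
            + struct.pack("<H", len(data)) + data)


def parse_request(pdu):
    """Parse a request starting at its WordCount byte (right after the SMB header)."""
    if pdu[0] != 4:
        raise ValueError(f"unexpected WordCount {pdu[0]}")
    _andx_cmd, _rsvd, _andx_off, flags, pw_len = struct.unpack_from("<BBHHH", pdu, 1)
    byte_count, = struct.unpack_from("<H", pdu, 9)
    data = pdu[11:11 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    path, _, rest = data[pw_len:].partition(b"\x00")
    return {"flags": flags, "flags_decoded": decode_flags(flags, REQ_FLAGS),
            "extended_response": bool(flags & 0x0008),
            "path": path.decode("ascii"), "service": rest.split(b"\x00")[0].decode("ascii")}


def build_response(optional_support, max_rights=None, guest_rights=None,
                   service=b"IPC", native_fs=b""):
    """WordCount 3 response, or 7 when the two share access-mask DWORDs are appended."""
    words = struct.pack("<BBHH", 0xFF, 0, 0, optional_support)
    if max_rights is not None:
        words += struct.pack("<II", max_rights, guest_rights)
    data = service + b"\x00" + native_fs + b"\x00"
    return bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data


def parse_response(pdu):
    """Parse a response; a WordCount of 7 carries MaximalShareAccessRights and
    GuestMaximalShareAccessRights, which are decoded as access masks, not raw words."""
    word_count = pdu[0]
    if word_count not in (3, 7):
        raise ValueError(f"unexpected WordCount {word_count}")
    words = pdu[1:1 + 2 * word_count]
    if len(words) != 2 * word_count:
        raise ValueError("truncated parameter block")
    _andx_cmd, _rsvd, _andx_off, opt = struct.unpack_from("<BBHH", words, 0)
    out = {"word_count": word_count, "optional_support": opt,
           "optional_support_decoded": decode_flags(opt & ~CSC_MASK, OPT_FLAGS),
           "csc_policy": CSC_POLICY[opt & CSC_MASK]}
    if word_count == 7:
        max_rights, guest_rights = struct.unpack_from("<II", words, 6)
        out["maximal_share_access_rights"] = decode_flags(max_rights, ACCESS_MASK)
        out["guest_maximal_share_access_rights"] = decode_flags(guest_rights, ACCESS_MASK)
    off = 1 + 2 * word_count
    byte_count, = struct.unpack_from("<H", pdu, off)
    data = pdu[off + 2:off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    service, _, rest = data.partition(b"\x00")
    out["service"] = service.decode("ascii")
    out["native_file_system"] = rest.split(b"\x00")[0].decode("ascii")  # OEM assumed
    return out


if __name__ == "__main__":
    # Constructed exchange: a client asking for the extended response, and the
    # WordCount 7 answer a server would send back for it.
    req = build_request(0x0008, b"\\\\192.168.1.3\\IPC$")
    print(parse_request(req))
    print(parse_response(build_response(0x0001, 0x001F01FF, 0x00120089)))
```

Feeding `parse_response` a WordCount 3 message returns no access-mask keys, so a caller cannot mistake a legacy response for an extended one; a WordCount 7 message with fewer than 14 parameter bytes is rejected rather than decoded as short words.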