Wireshark · Wireshark-dev: [Wireshark-dev] The incomplete potential changes for handling extended response on NTCreate&x

Wireshark-dev: [Wireshark-dev] The incomplete potential changes for handling extended response

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>

Date: Sun, 27 May 2012 14:04:11 -0700

Hi folks,

OK, here is what I think is part of what is needed (more soon):

[rsharpe@localhost wireshark]$ svn diff epan/dissectors/packet-smb.*
Index: epan/dissectors/packet-smb.c
===================================================================
--- epan/dissectors/packet-smb.c	(revision 42332)
+++ epan/dissectors/packet-smb.c	(working copy)
@@ -168,6 +168,7 @@
 static int hf_smb_server = -1;
 static int hf_smb_max_raw_buf_size = -1;
 static int hf_smb_server_guid = -1;
+static int hf_smb_volume_guid = -1;
 static int hf_smb_security_blob_len = -1;
 static int hf_smb_security_blob = -1;
 static int hf_smb_sm_mode16 = -1;
@@ -5972,11 +5973,15 @@
 	return offset;
 }

+/* [MS-CIFS].pdf 2.2.4.64.2 provides the last two file types, however
+   [MS-SMB].PDF 2.2.4.9.2 elides value 4, Character mode device.  */
 static const value_string filetype_vals[] = {
 	{ 0,		"Disk file or directory"},
 	{ 1,		"Named pipe in byte mode"},
 	{ 2,		"Named pipe in message mode"},
 	{ 3,		"Spooled printer"},
+	{ 4,		"Character mode device"},
+	{ 0xFFFF,	"Unknown file type"},
 	{0, NULL}
 };
 static int
@@ -10242,6 +10247,20 @@
 	proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1,
ENC_LITTLE_ENDIAN);
 	offset += 1;

+	/* Do we know whether or not EXTENDED_RESPONSES are required? */
+        /* MS-SMB 2.2.4.9.2 says that there is a Volume GUID, File ID,
+           Maximal Access Rights and Guest Maximal Access Rights here
+           if ExtendedResonses requested. */
+	if (si->sip->extra_info_type == SMB_EI_FILEDATA &&
+		((smb_fid_saved_info_t *)(si->sip->extra_info))->create_flags & 0x10) {
+	    /* The first field is a Volume GUID ... */
+
+		proto_tree_add_item(tree, hf_smb_volume_guid,
+			tvb, offset, 16, ENC_NA);
+		offset += 16;
+
+	}
+
 	/* Try to remember the type of this fid so that we can dissect
 	 * any future security descriptor (access mask) properly
 	 */
@@ -18086,6 +18105,10 @@
 		{ "Server GUID", "smb.server_guid", FT_BYTES, BASE_NONE,
 		NULL, 0, "Globally unique identifier for this server", HFILL }},

+	{ &hf_smb_volume_guid,
+		{ "Volume GUID", "smb.volume_guid", FT_BYTES, BASE_NONE,
+		NULL, 0, "Globally uniques identifer for this volume", HFILL }},
+
 	{ &hf_smb_security_blob_len,
 		{ "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
 		NULL, 0, NULL, HFILL }},


-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)

Prev by Date: Re: [Wireshark-dev] There seems to be a problem with dissect_nt_create_andx_response in epan/dissectors/packet_smb.c
Next by Date: [Wireshark-dev] r42853: Add a null check to fix Coverity CID 280210 (packet-jxta.c)
Previous by thread: Re: [Wireshark-dev] make a extension for packet-sctp.c, meet a problem.
Next by thread: [Wireshark-dev] r42853: Add a null check to fix Coverity CID 280210 (packet-jxta.c)
Index(es):
- Date
- Thread