
The incomplete potential changes for handling extended response on NTCreate&x


From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Sun, 27 May 2012 14:04:11 -0700

Hi folks,

OK, here is what I think is part of what is needed (more soon):

[rsharpe@localhost wireshark]$ svn diff epan/dissectors/packet-smb.*
Index: epan/dissectors/packet-smb.c
===================================================================
--- epan/dissectors/packet-smb.c        (revision 42332)
+++ epan/dissectors/packet-smb.c        (working copy)
@@ -168,6 +168,7 @@
 static int hf_smb_server = -1;
 static int hf_smb_max_raw_buf_size = -1;
 static int hf_smb_server_guid = -1;
+static int hf_smb_volume_guid = -1;
 static int hf_smb_security_blob_len = -1;
 static int hf_smb_security_blob = -1;
 static int hf_smb_sm_mode16 = -1;
@@ -5972,11 +5973,15 @@
        return offset;
 }

+/* [MS-CIFS].pdf 2.2.4.64.2 provides the last two file types, however
+   [MS-SMB].PDF 2.2.4.9.2 elides value 4, Character mode device.  */
 static const value_string filetype_vals[] = {
        { 0,            "Disk file or directory"},
        { 1,            "Named pipe in byte mode"},
        { 2,            "Named pipe in message mode"},
        { 3,            "Spooled printer"},
+       { 4,            "Character mode device"},
+       { 0xFFFF,       "Unknown file type"},
        {0, NULL}
 };
 static int
@@ -10242,6 +10247,20 @@
        proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1,
ENC_LITTLE_ENDIAN);
        offset += 1;

+       /* Do we know whether or not EXTENDED_RESPONSES are required? */
+        /* MS-SMB 2.2.4.9.2 says that there is a Volume GUID, File ID,
+           Maximal Access Rights and Guest Maximal Access Rights here
+           if ExtendedResonses requested. */
+       if (si->sip->extra_info_type == SMB_EI_FILEDATA &&
+               ((smb_fid_saved_info_t *)(si->sip->extra_info))->create_flags & 0x10) {
+           /* The first field is a Volume GUID ... */
+
+               proto_tree_add_item(tree, hf_smb_volume_guid,
+                       tvb, offset, 16, ENC_NA);
+               offset += 16;
+
+       }
+
        /* Try to remember the type of this fid so that we can dissect
         * any future security descriptor (access mask) properly
         */
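Review bot: The new `if` dereferences `si->sip` without checking it for NULL; if, as elsewhere in this dissector, `sip` is NULL for a response whose request was not seen, a stray NT Create AndX response would crash here, so guard it: `if (si->sip && si->sip->extra_info_type == SMB_EI_FILEDATA &&`. The `0x10` mask is a magic number; give it a name or a comment tying it to the NT_CREATE_REQUEST_EXTENDED_RESPONSE flag of the request's Flags field that [MS-SMB] 2.2.4.9.1 defines. The comment above the block promises File ID, Maximal Access Rights and Guest Maximal Access Rights after the Volume GUID but only the 16-byte GUID is consumed, so add `/* TODO: FileId, MaximalAccessRights, GuestMaximalAccessRights still to be dissected */` inside the block so the partial state is visible; fix `ExtendedResonses` and the mixed tab/space indentation at the same time. The enclosing function starts and ends outside the hunk.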
@@ -18086,6 +18105,10 @@
                { "Server GUID", "smb.server_guid", FT_BYTES, BASE_NONE,
                NULL, 0, "Globally unique identifier for this server", HFILL }},

+       { &hf_smb_volume_guid,
+               { "Volume GUID", "smb.volume_guid", FT_BYTES, BASE_NONE,
+               NULL, 0, "Globally uniques identifer for this volume", HFILL }},
+
        { &hf_smb_security_blob_len,
                { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
                NULL, 0, NULL, HFILL }},
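Review bot: The blurb string for `hf_smb_volume_guid` has two typos that will show up in the UI: `"Globally uniques identifer for this volume"` should read `"Globally unique identifier for this volume"`, matching the Server GUID entry just above it.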


-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
