Wireshark mailing list archives
The incomplete potential changes for handling extended response on NTCreate&x
From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Sun, 27 May 2012 14:04:11 -0700
Hi folks, OK, here is what I think is part of what is needed (more soon): [rsharpe@localhost wireshark]$ svn diff epan/dissectors/packet-smb.* Index: epan/dissectors/packet-smb.c =================================================================== --- epan/dissectors/packet-smb.c (revision 42332) +++ epan/dissectors/packet-smb.c (working copy) @@ -168,6 +168,7 @@ static int hf_smb_server = -1; static int hf_smb_max_raw_buf_size = -1; static int hf_smb_server_guid = -1; +static int hf_smb_volume_guid = -1; static int hf_smb_security_blob_len = -1; static int hf_smb_security_blob = -1; static int hf_smb_sm_mode16 = -1; @@ -5972,11 +5973,15 @@ return offset; } +/* [MS-CIFS].pdf 2.2.4.64.2 provides the last two file types, however + [MS-SMB].PDF 2.2.4.9.2 elides value 4, Character mode device. */ static const value_string filetype_vals[] = { { 0, "Disk file or directory"}, { 1, "Named pipe in byte mode"}, { 2, "Named pipe in message mode"}, { 3, "Spooled printer"}, + { 4, "Character mode device"}, + { 0xFFFF, "Unknown file type"}, {0, NULL} }; static int @@ -10242,6 +10247,20 @@ proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN); offset += 1; + /* Do we know whether or not EXTENDED_RESPONSES are required? */ + /* MS-SMB 2.2.4.9.2 says that there is a Volume GUID, File ID, + Maximal Access Rights and Guest Maximal Access Rights here + if ExtendedResonses requested. */ + if (si->sip->extra_info_type == SMB_EI_FILEDATA && + ((smb_fid_saved_info_t *)(si->sip->extra_info))->create_flags & 0x10) { + /* The first field is a Volume GUID ... */ + + proto_tree_add_item(tree, hf_smb_volume_guid, + tvb, offset, 16, ENC_NA); + offset += 16; + + } + /* Try to remember the type of this fid so that we can dissect * any future security descriptor (access mask) properly */ 
@@ -18086,6 +18105,10 @@ { "Server GUID", "smb.server_guid", FT_BYTES, BASE_NONE, NULL, 0, "Globally unique identifier for this server", HFILL }}, + { &hf_smb_volume_guid, + { "Volume GUID", "smb.volume_guid", FT_BYTES, BASE_NONE, + NULL, 0, "Globally uniques identifer for this volume", HFILL }}, + { &hf_smb_security_blob_len, { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, -- Regards, Richard Sharpe (何以解憂?唯有杜康。--曹操) ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
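Review bot: In the @@ -10242 hunk the new condition reads si->sip->extra_info_type and then casts si->sip->extra_info without first checking that si->sip or extra_info is non-NULL. If this response can be dissected without a matching saved request, the test dereferences a NULL pointer, so put si->sip != NULL && si->sip->extra_info != NULL ahead of it. The bare 0x10 would read better as a named constant for the extended-response create flag, with explicit parentheses around the & test, and the comment misspells ExtendedResponses as "ExtendedResonses". Only the 16-byte Volume GUID is consumed so far, so the File ID and the two access-rights fields the comment lists still have to be dissected before offset is correct for anything that follows.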
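Review bot: In the @@ -18086 hunk the blurb for hf_smb_volume_guid is misspelled ("Globally uniques identifer"). It should read "Globally unique identifier for this volume", matching the Server GUID entry just above it. Since the field is a GUID, FT_GUID would display it in GUID form rather than as raw bytes, although that would mean passing a byte order instead of ENC_NA in the proto_tree_add_item call. FT_BYTES is at least consistent with smb.server_guid.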