
Wireshark-dev: [Wireshark-dev] The incomplete potential changes for handling extended response

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sun, 27 May 2012 14:04:11 -0700
Hi folks,

OK, here is what I think is part of what is needed (more soon):

[rsharpe@localhost wireshark]$ svn diff epan/dissectors/packet-smb.*
Index: epan/dissectors/packet-smb.c
===================================================================
--- epan/dissectors/packet-smb.c	(revision 42332)
+++ epan/dissectors/packet-smb.c	(working copy)
@@ -168,6 +168,7 @@
 static int hf_smb_server = -1;
 static int hf_smb_max_raw_buf_size = -1;
 static int hf_smb_server_guid = -1;
+static int hf_smb_volume_guid = -1;
 static int hf_smb_security_blob_len = -1;
 static int hf_smb_security_blob = -1;
 static int hf_smb_sm_mode16 = -1;
@@ -5972,11 +5973,15 @@
 	return offset;
 }

+/* [MS-CIFS].pdf 2.2.4.64.2 provides the last two file types, however
+   [MS-SMB].PDF 2.2.4.9.2 elides value 4, Character mode device.  */
 static const value_string filetype_vals[] = {
 	{ 0,		"Disk file or directory"},
 	{ 1,		"Named pipe in byte mode"},
 	{ 2,		"Named pipe in message mode"},
 	{ 3,		"Spooled printer"},
+	{ 4,		"Character mode device"},
+	{ 0xFFFF,	"Unknown file type"},
 	{0, NULL}
 };
 static int
@@ -10242,6 +10247,20 @@
 	proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1,
ENC_LITTLE_ENDIAN);
 	offset += 1;

+	/* Do we know whether or not EXTENDED_RESPONSES are required? */
+        /* MS-SMB 2.2.4.9.2 says that there is a Volume GUID, File ID,
+           Maximal Access Rights and Guest Maximal Access Rights here
+           if ExtendedResonses requested. */
+	if (si->sip->extra_info_type == SMB_EI_FILEDATA &&
+		((smb_fid_saved_info_t *)(si->sip->extra_info))->create_flags & 0x10) {
+	    /* The first field is a Volume GUID ... */
+
+		proto_tree_add_item(tree, hf_smb_volume_guid,
+			tvb, offset, 16, ENC_NA);
+		offset += 16;
+
+	}
+
 	/* Try to remember the type of this fid so that we can dissect
 	 * any future security descriptor (access mask) properly
 	 */
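Review bot: The new condition dereferences `si->sip` and casts `si->sip->extra_info` without checking either for NULL, and nothing in this hunk shows them being validated earlier. Presumably a capture that holds the response but not the matching request could then crash the dissector. I would guard it with `if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_FILEDATA && si->sip->extra_info != NULL &&` ahead of the `create_flags & 0x10` test, and give `0x10` a named constant. The test also relies on the flag saved from the request, so a server that ignores the extended-response request would have 16 bytes of other data labelled as a Volume GUID; also checking the response's word count would presumably be more robust. The enclosing function starts and ends outside the hunk.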
@@ -18086,6 +18105,10 @@
 		{ "Server GUID", "smb.server_guid", FT_BYTES, BASE_NONE,
 		NULL, 0, "Globally unique identifier for this server", HFILL }},

+	{ &hf_smb_volume_guid,
+		{ "Volume GUID", "smb.volume_guid", FT_BYTES, BASE_NONE,
+		NULL, 0, "Globally uniques identifer for this volume", HFILL }},
+
 	{ &hf_smb_security_blob_len,
 		{ "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
 		NULL, 0, NULL, HFILL }},
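Review bot: The help text for the new field is misspelled: `"Globally uniques identifer for this volume"` should read `"Globally unique identifier for this volume"`, matching the wording of the Server GUID entry above it. The string is part of the field registration and is user-visible, so it is worth fixing before commit. The array initializer this entry belongs to starts and ends outside the hunk.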


-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)