search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-nbipx.c
blob1a38f3333864209fd736f351dee4ba58cdd57f21
1 /* packet-nbipx.c
2 * Routines for NetBIOS over IPX packet disassembly
3 * Gilbert Ramirez <gram@alumni.rice.edu>
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12 #include "config.h"
13
14 #include <epan/packet.h>
15 #include <epan/tfs.h>
16 #include <wsutil/array.h>
17 #include "packet-ipx.h"
18 #include "packet-netbios.h"
19
20 void proto_register_nbipx(void);
21 void proto_reg_handoff_nbipx(void);
22 void proto_register_nmpi(void);
23 void proto_reg_handoff_nmpi(void);
24
25 static dissector_handle_t nbipx_handle;
26 static dissector_handle_t nmpi_handle;
27
28 static int proto_nbipx;
29 static int hf_nbipx_packettype;
30 static int hf_nbipx_name_flags;
31 static int hf_nbipx_name_flags_group;
32 static int hf_nbipx_name_flags_in_use;
33 static int hf_nbipx_name_flags_registered;
34 static int hf_nbipx_name_flags_duplicated;
35 static int hf_nbipx_name_flags_deregistered;
36 static int hf_nbipx_conn_control;
37 static int hf_nbipx_conn_control_sys_packet;
38 static int hf_nbipx_conn_control_ack;
39 static int hf_nbipx_conn_control_attention;
40 static int hf_nbipx_conn_control_end_msg;
41 static int hf_nbipx_conn_control_resend;
42 static int hf_nbipx_session_src_conn_id;
43 static int hf_nbipx_session_dest_conn_id;
44 static int hf_nbipx_session_send_seq_number;
45 static int hf_nbipx_session_total_data_length;
46 static int hf_nbipx_session_offset;
47 static int hf_nbipx_session_data_length;
48 static int hf_nbipx_session_recv_seq_number;
49 static int hf_nbipx_session_bytes_received;
50 static int hf_nbipx_ipx_network;
51 static int hf_nbipx_opcode;
52 static int hf_nbipx_name_type;
53 static int hf_nbipx_messageid;
54
55 static int ett_nbipx;
56 static int ett_nbipx_conn_ctrl;
57 static int ett_nbipx_name_type_flags;
58
59 static void dissect_conn_control(tvbuff_t *tvb, int offset, proto_tree *tree);
60
61 static heur_dissector_list_t netbios_heur_subdissector_list;
62
63 /* There is no RFC or public specification of Netware or Microsoft
64 * NetBIOS over IPX packets. I have had to decode the protocol myself,
65 * so there are holes and perhaps errors in this code. (gram)
66 *
67 * A list of "NovelNetBIOS" packet types can be found at
68 *
69 * http://web.archive.org/web/20150319134837/http://www.protocols.com/pbook/novel.htm#NetBIOS
70 *
71 * and at least some of those packet types appear to match what's in
72 * some NBIPX packets.
73 *
74 * Note, however, that it appears that sometimes NBIPX packets have
75 * 8 IPX addresses at the beginning, and sometimes they don't.
76 *
77 * In the section on "NetBIOS Broadcasts", the document at
78 *
79 * http://www.microsoft.com/technet/network/ipxrout.asp
80 *
81 * says that "the NetBIOS over IPX Broadcast header" contains 8 IPX
82 * network numbers in the "IPX WAN broadcast header", and that it's
83 * followed by a "Name Type Flags" byte (giving information about the
84 * name being registered, deregistered, or checked), a "Data Stream
85 * Type 2" byte giving the type of operation (NBIPX_FIND_NAME,
86 * NBIPX_NAME_RECOGNIZED, or NBIPX_CHECK_NAME - the latter is called
87 * "Add Name"), and a 16-byte NetBIOS name.
88 *
89 * It also says that "NetBIOS over IPX Broadcast packets" have a
90 * packet type of 0x14 (20, or IPX_PACKET_TYPE_WANBCAST) and a
91 * socket number of 0x455 (IPX_SOCKET_NETBIOS).
92 *
93 * However, there are also non-broadcast packets that *also* contain
94 * the 8 IPX network numbers; they appear to be replies to broadcast
95 * packets, and have a packet type of 0x4 (IPX_PACKET_TYPE_PEP).
96 *
97 * Other IPX_PACKET_TYPE_PEP packets to and from the IPX_SOCKET_NETBIOS
98 * socket, however, *don't* have the 8 IPX network numbers; there does
99 * not seem to be any obvious algorithm to determine whether the packet
100 * has the addresses or not. Microsoft Knowledge Base article Q128335
101 * appears to show some code from the NBIPX implementation in NT that
102 * tries to determine the packet type - and it appears to use heuristics
103 * based on the packet length and on looking at what might be the NBIPX
104 * "Data Stream Type" byte depending on whether the packet has the 8
105 * IPX network numbers or not.
106 *
107 * So, for now, we treat *all* NBIPX packets as having a "Data Stream
108 * Type" byte, preceded by another byte of NBIPX information and
109 * followed by more NBIPX stuff, and assume that it's preceded by
110 * 8 IPX network numbers iff:
111 *
112 * the packet is a WAN Broadcast packet
113 *
114 * or
115 *
116 * the packet is the right size for one of those PEP name replies
117 * (50 bytes) *and* has a name packet type as the Data Stream
118 * Type byte at the offset where that byte would be if the packet
119 * does have the 8 IPX network numbers at the beginning.
120 *
121 * The page at
122 *
123 * http://ourworld.compuserve.com/homepages/TimothyDEvans/encap.htm
124 *
125 * indicates, under "NBIPX session packets", that "NBIPX session packets"
126 * have
127 *
128 * 1 byte of NBIPX connection control flag
129 * 1 byte of data stream type
130 * 2 bytes of source connection ID
131 * 2 bytes of destination connection ID
132 * 2 bytes of send sequence number
133 * 2 bytes of total data length
134 * 2 bytes of offset
135 * 2 bytes of data length
136 * 2 bytes of receive sequence number
137 * 2 bytes of "bytes received"
138 *
139 * followed by data.
140 *
141 * Packets with a data stream type of NBIPX_DIRECTED_DATAGRAM appear to
142 * have, following the data stream type, two NetBIOS names, the first
143 * of which is the receiver's NetBIOS name and the second of which is
144 * the sender's NetBIOS name. The page at
145 *
146 * http://support.microsoft.com/support/kb/articles/q203/0/51.asp
147 *
148 * speaks of type 4 (PEP) packets as being used for "SAP, NetBIOS sessions
149 * and directed datagrams" and type 20 (WAN Broadcast) as being used for
150 * "NetBIOS name resolution broadcasts" (but nothing about the non-broadcast
151 * type 4 name resolution stuff).
152 *
153 * We assume that this means that, once you get past the 8 IPX network
154 * numbers if present:
155 *
156 * the first byte is a name type byte for the name packets
157 * and a connection control flag for the other packets;
158 *
159 * the second byte is a data stream type;
160 *
161 * the rest of the bytes are:
162 *
163 * the NetBIOS name being registered/deregistered/etc.,
164 * for name packets;
165 *
166 * the two NetBIOS names, followed by the NetBIOS
167 * datagram, for NBIPX_DIRECTED_DATAGRAM packets;
168 *
169 * the session packet header, possibly followed by
170 * session data, for session packets.
171 *
172 * We don't know yet how to interpret NBIPX_STATUS_QUERY or
173 * NBIPX_STATUS_RESPONSE.
174 *
175 * For now, we treat the datagrams and session data as SMB stuff.
176 */
177 #define NBIPX_FIND_NAME 1
178 #define NBIPX_NAME_RECOGNIZED 2
179 #define NBIPX_CHECK_NAME 3
180 #define NBIPX_NAME_IN_USE 4
181 #define NBIPX_DEREGISTER_NAME 5
182 #define NBIPX_SESSION_DATA 6
183 #define NBIPX_SESSION_END 7
184 #define NBIPX_SESSION_END_ACK 8
185 #define NBIPX_STATUS_QUERY 9
186 #define NBIPX_STATUS_RESPONSE 10
187 #define NBIPX_DIRECTED_DATAGRAM 11
188
189 static const value_string nbipx_data_stream_type_vals[] = {
190 {NBIPX_FIND_NAME, "Find name"},
191 {NBIPX_NAME_RECOGNIZED, "Name recognized"},
192 {NBIPX_CHECK_NAME, "Check name"},
193 {NBIPX_NAME_IN_USE, "Name in use"},
194 {NBIPX_DEREGISTER_NAME, "Deregister name"},
195 {NBIPX_SESSION_DATA, "Session data"},
196 {NBIPX_SESSION_END, "Session end"},
197 {NBIPX_SESSION_END_ACK, "Session end ACK"},
198 {NBIPX_STATUS_QUERY, "Status query"},
199 {NBIPX_STATUS_RESPONSE, "Status response"},
200 {NBIPX_DIRECTED_DATAGRAM, "Directed datagram"},
201 {0, NULL}
202 };
203
204 /*
205 * Opcodes.
206 */
207 #define INAME_CLAIM 0xf1
208 #define INAME_DELETE 0xf2
209 #define INAME_QUERY 0xf3
210 #define INAME_FOUND 0xf4
211 #define IMSG_HANGUP 0xf5
212 #define IMSLOT_SEND 0xfc
213 #define IMSLOT_FIND 0xfd
214 #define IMSLOT_NAME 0xfe
215
216 static const value_string nmpi_opcode_vals[] = {
217 {INAME_CLAIM, "Claim name"},
218 {INAME_DELETE, "Delete name"},
219 {INAME_QUERY, "Query name"},
220 {INAME_FOUND, "Name found"},
221 {IMSG_HANGUP, "Messenger hangup"},
222 {IMSLOT_SEND, "Mailslot write"},
223 {IMSLOT_FIND, "Find mailslot name"},
224 {IMSLOT_NAME, "Mailslot name found"},
225 {0, NULL}
226 };
227
228 /*
229 * Name types.
230 */
231 #define INTYPE_MACHINE 1
232 #define INTYPE_WORKGROUP 2
233 #define INTYPE_BROWSER 3
234
235 static const value_string nmpi_name_type_vals[] = {
236 {INTYPE_MACHINE, "Machine"},
237 {INTYPE_WORKGROUP, "Workgroup"},
238 {INTYPE_BROWSER, "Browser"},
239 {0, NULL}
240 };
241
242 static const true_false_string tfs_system_non_system = { "System packet", "Non-system packet" };
243
244 static void
245 add_routers(proto_tree *tree, tvbuff_t *tvb, int offset)
246 {
247 int i;
248
249 /* Eight routers are listed */
250 for (i = 0; i < 8; i++) {
251 if (tvb_get_ntohl(tvb, offset) != 0) {
252 proto_tree_add_item(tree, hf_nbipx_ipx_network, tvb, offset, 4, ENC_NA);
253 }
254 offset += 4;
255 }
256 }
257
258 static void
259 dissect_netbios_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
260 {
261 heur_dtbl_entry_t *hdtbl_entry;
262
263 /*
264 * Try the heuristic dissectors for NetBIOS; if none of them
265 * accept the packet, dissect it as data.
266 */
267 if (!dissector_try_heuristic(netbios_heur_subdissector_list,
268 tvb, pinfo, tree, &hdtbl_entry, NULL))
269 call_data_dissector(tvb, pinfo, tree);
270 }
271
272 static int
273 dissect_nbipx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
274 {
275 bool has_routes;
276 proto_tree *nbipx_tree = NULL;
277 proto_item *ti = NULL;
278 int offset = 0;
279 uint8_t packet_type;
280 proto_tree *name_type_flag_tree;
281 proto_item *tf;
282 char name[(NETBIOS_NAME_LEN - 1)*4 + 1];
283 int name_type;
284 bool has_payload;
285 tvbuff_t *next_tvb;
286 ipxhdr_t *ipxh;
287
288 /* Reject the packet if data is NULL */
289 if (data == NULL)
290 return 0;
291 ipxh = (ipxhdr_t*)data;
292
293 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NBIPX");
294 col_clear(pinfo->cinfo, COL_INFO);
295
296 if (ipxh->ipx_type == IPX_PACKET_TYPE_WANBCAST) {
297 /*
298 * This is a WAN Broadcast packet; we assume it will have
299 * 8 IPX addresses at the beginning.
300 */
301 has_routes = true;
302 } else {
303 /*
304 * This isn't a WAN Broadcast packet, but it still might
305 * have the 8 addresses.
306 *
307 * If it's the right length for a name operation,
308 * and, if we assume it has routes, the packet type
309 * is a name operation, assume it has routes.
310 *
311 * NOTE: this will throw an exception if the byte that
312 * would be the packet type byte if this has the 8
313 * addresses isn't present; if that's the case, we don't
314 * know how to interpret this packet, so we can't dissect
315 * it anyway.
316 */
317 has_routes = false; /* start out assuming it doesn't */
318 if (tvb_reported_length(tvb) == 50) {
319 packet_type = tvb_get_uint8(tvb, offset + 32 + 1);
320 switch (packet_type) {
321
322 case NBIPX_FIND_NAME:
323 case NBIPX_NAME_RECOGNIZED:
324 case NBIPX_CHECK_NAME:
325 case NBIPX_NAME_IN_USE:
326 case NBIPX_DEREGISTER_NAME:
327 has_routes = true;
328 break;
329 }
330 }
331 }
332
333 if (tree) {
334 ti = proto_tree_add_item(tree, proto_nbipx, tvb, 0,
335 -1, ENC_NA);
336 nbipx_tree = proto_item_add_subtree(ti, ett_nbipx);
337 }
338
339 if (has_routes) {
340 if (tree)
341 add_routers(nbipx_tree, tvb, 0);
342 offset += 32;
343 }
344
345 packet_type = tvb_get_uint8(tvb, offset + 1);
346
347 switch (packet_type) {
348
349 case NBIPX_FIND_NAME:
350 case NBIPX_NAME_RECOGNIZED:
351 case NBIPX_CHECK_NAME:
352 case NBIPX_NAME_IN_USE:
353 case NBIPX_DEREGISTER_NAME:
354 name_type = get_netbios_name(tvb, offset+2, name, (NETBIOS_NAME_LEN - 1)*4 + 1);
355 col_add_fstr(pinfo->cinfo, COL_INFO, "%s %s<%02x>",
356 val_to_str_const(packet_type, nbipx_data_stream_type_vals, "Unknown"),
357 name, name_type);
358
359 if (nbipx_tree) {
360 tf = proto_tree_add_item(nbipx_tree, hf_nbipx_name_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
361 name_type_flag_tree = proto_item_add_subtree(tf, ett_nbipx_name_type_flags);
362
363 proto_tree_add_item(name_type_flag_tree, hf_nbipx_name_flags_group, tvb, offset, 1, ENC_LITTLE_ENDIAN);
364 proto_tree_add_item(name_type_flag_tree, hf_nbipx_name_flags_in_use, tvb, offset, 1, ENC_LITTLE_ENDIAN);
365 proto_tree_add_item(name_type_flag_tree, hf_nbipx_name_flags_registered, tvb, offset, 1, ENC_LITTLE_ENDIAN);
366 proto_tree_add_item(name_type_flag_tree, hf_nbipx_name_flags_duplicated, tvb, offset, 1, ENC_LITTLE_ENDIAN);
367 proto_tree_add_item(name_type_flag_tree, hf_nbipx_name_flags_deregistered, tvb, offset, 1, ENC_LITTLE_ENDIAN);
368 }
369 offset += 1;
370
371 proto_tree_add_uint(nbipx_tree, hf_nbipx_packettype, tvb, offset, 1, packet_type);
372 offset += 1;
373
374 if (nbipx_tree)
375 netbios_add_name("Name", tvb, offset, nbipx_tree);
376 offset += NETBIOS_NAME_LEN;
377
378 /*
379 * No payload to be interpreted by another protocol.
380 */
381 has_payload = false;
382 break;
383
384 case NBIPX_SESSION_DATA:
385 case NBIPX_SESSION_END:
386 case NBIPX_SESSION_END_ACK:
387 col_set_str(pinfo->cinfo, COL_INFO,
388 val_to_str_const(packet_type, nbipx_data_stream_type_vals, "Unknown"));
389
390 dissect_conn_control(tvb, offset, nbipx_tree);
391 offset += 1;
392
393 proto_tree_add_uint(nbipx_tree, hf_nbipx_packettype, tvb, offset, 1, packet_type);
394 offset += 1;
395
396 proto_tree_add_item(nbipx_tree, hf_nbipx_session_src_conn_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
397 offset += 2;
398
399 proto_tree_add_item(nbipx_tree, hf_nbipx_session_dest_conn_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
400 offset += 2;
401
402 proto_tree_add_item(nbipx_tree, hf_nbipx_session_send_seq_number, tvb, offset, 2, ENC_LITTLE_ENDIAN);
403 offset += 2;
404
405 proto_tree_add_item(nbipx_tree, hf_nbipx_session_total_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
406 offset += 2;
407
408 proto_tree_add_item(nbipx_tree, hf_nbipx_session_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
409 offset += 2;
410
411 proto_tree_add_item(nbipx_tree, hf_nbipx_session_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
412 offset += 2;
413
414 proto_tree_add_item(nbipx_tree, hf_nbipx_session_recv_seq_number, tvb, offset, 2, ENC_LITTLE_ENDIAN);
415 offset += 2;
416
417 proto_tree_add_item(nbipx_tree, hf_nbipx_session_bytes_received, tvb, offset, 2, ENC_LITTLE_ENDIAN);
418 offset += 2;
419
420 /*
421 * We may have payload to dissect.
422 */
423 has_payload = true;
424 break;
425
426 case NBIPX_DIRECTED_DATAGRAM:
427 col_set_str(pinfo->cinfo, COL_INFO,
428 val_to_str_const(packet_type, nbipx_data_stream_type_vals, "Unknown"));
429
430 dissect_conn_control(tvb, offset, nbipx_tree);
431 offset += 1;
432
433 proto_tree_add_uint(nbipx_tree, hf_nbipx_packettype, tvb, offset, 1, packet_type);
434 offset += 1;
435
436 if (nbipx_tree)
437 netbios_add_name("Receiver's Name", tvb, offset,
438 nbipx_tree);
439 offset += NETBIOS_NAME_LEN;
440
441 if (nbipx_tree)
442 netbios_add_name("Sender's Name", tvb, offset,
443 nbipx_tree);
444 offset += NETBIOS_NAME_LEN;
445
446 /*
447 * We may have payload to dissect.
448 */
449 has_payload = true;
450 break;
451
452 default:
453 col_set_str(pinfo->cinfo, COL_INFO,
454 val_to_str_const(packet_type, nbipx_data_stream_type_vals, "Unknown"));
455
456 /*
457 * We don't know what the first byte is.
458 */
459 offset += 1;
460
461 /*
462 * The second byte is a data stream type byte.
463 */
464 proto_tree_add_uint(nbipx_tree, hf_nbipx_packettype, tvb, offset, 1, packet_type);
465 offset += 1;
466
467 /*
468 * We don't know what the rest of the packet is.
469 */
470 has_payload = false;
471 }
472
473 /*
474 * Set the length of the NBIPX tree item.
475 */
476 if (ti != NULL)
477 proto_item_set_len(ti, offset);
478
479 if (has_payload && tvb_offset_exists(tvb, offset)) {
480 next_tvb = tvb_new_subset_remaining(tvb, offset);
481 dissect_netbios_payload(next_tvb, pinfo, tree);
482 }
483
484 return tvb_captured_length(tvb);
485 }
486
487 static void
488 dissect_conn_control(tvbuff_t *tvb, int offset, proto_tree *tree)
489 {
490 proto_item *ti;
491 proto_tree *cc_tree;
492
493 if (tree) {
494 ti = proto_tree_add_item(tree, hf_nbipx_conn_control, tvb, offset, 1, ENC_LITTLE_ENDIAN);
495 cc_tree = proto_item_add_subtree(ti, ett_nbipx_conn_ctrl);
496 proto_tree_add_item(cc_tree, hf_nbipx_conn_control_sys_packet, tvb, offset, 1, ENC_LITTLE_ENDIAN);
497 proto_tree_add_item(cc_tree, hf_nbipx_conn_control_ack, tvb, offset, 1, ENC_LITTLE_ENDIAN);
498 proto_tree_add_item(cc_tree, hf_nbipx_conn_control_attention, tvb, offset, 1, ENC_LITTLE_ENDIAN);
499 proto_tree_add_item(cc_tree, hf_nbipx_conn_control_end_msg, tvb, offset, 1, ENC_LITTLE_ENDIAN);
500 proto_tree_add_item(cc_tree, hf_nbipx_conn_control_resend, tvb, offset, 1, ENC_LITTLE_ENDIAN);
501 }
502 }
503
504 void
505 proto_register_nbipx(void)
506 {
507 static hf_register_info hf[] = {
508 { &hf_nbipx_packettype,
509 { "Packet Type", "nmpi.packettype",
510 FT_UINT8, BASE_HEX, VALS(nbipx_data_stream_type_vals), 0,
511 NULL, HFILL }
512 },
513 { &hf_nbipx_name_flags,
514 { "Name type flag", "nmpi.name_flags",
515 FT_UINT8, BASE_HEX, NULL, 0,
516 NULL, HFILL }
517 },
518 { &hf_nbipx_name_flags_group,
519 { "Name", "nmpi.name_flags.group",
520 FT_BOOLEAN, 8, TFS(&tfs_group_unique_name), 0x80,
521 NULL, HFILL }
522 },
523 { &hf_nbipx_name_flags_in_use,
524 { "In use", "nmpi.name_flags.in_use",
525 FT_BOOLEAN, 8, TFS(&tfs_used_notused), 0x40,
526 NULL, HFILL }
527 },
528 { &hf_nbipx_name_flags_registered,
529 { "Registered", "nmpi.name_flags.registered",
530 FT_BOOLEAN, 8, TFS(&tfs_yes_no), 0x04,
531 NULL, HFILL }
532 },
533 { &hf_nbipx_name_flags_duplicated,
534 { "Duplicated", "nmpi.name_flags.duplicated",
535 FT_BOOLEAN, 8, TFS(&tfs_yes_no), 0x02,
536 NULL, HFILL }
537 },
538 { &hf_nbipx_name_flags_deregistered,
539 { "Deregistered", "nmpi.name_flags.deregistered",
540 FT_BOOLEAN, 8, TFS(&tfs_yes_no), 0x01,
541 NULL, HFILL }
542 },
543 { &hf_nbipx_conn_control,
544 { "Connection control", "nmpi.conn_control",
545 FT_UINT8, BASE_HEX, NULL, 0,
546 NULL, HFILL }
547 },
548 { &hf_nbipx_conn_control_sys_packet,
549 { "Packet", "nmpi.conn_control.sys_packet",
550 FT_BOOLEAN, 8, TFS(&tfs_system_non_system), 0x80,
551 NULL, HFILL }
552 },
553 { &hf_nbipx_conn_control_ack,
554 { "Acknowledgement", "nmpi.conn_control.ack",
555 FT_BOOLEAN, 8, TFS(&tfs_required_not_required), 0x40,
556 NULL, HFILL }
557 },
558 { &hf_nbipx_conn_control_attention,
559 { "Attention", "nmpi.conn_control.attention",
560 FT_BOOLEAN, 8, TFS(&tfs_yes_no), 0x20,
561 NULL, HFILL }
562 },
563 { &hf_nbipx_conn_control_end_msg,
564 { "End of message", "nmpi.conn_control.end_msg",
565 FT_BOOLEAN, 8, TFS(&tfs_yes_no), 0x10,
566 NULL, HFILL }
567 },
568 { &hf_nbipx_conn_control_resend,
569 { "Resend", "nmpi.conn_control.resend",
570 FT_BOOLEAN, 8, TFS(&tfs_yes_no), 0x08,
571 NULL, HFILL }
572 },
573 { &hf_nbipx_session_src_conn_id,
574 { "Source connection ID", "nmpi.session.src_conn_id",
575 FT_UINT16, BASE_HEX, NULL, 0,
576 NULL, HFILL }
577 },
578 { &hf_nbipx_session_dest_conn_id,
579 { "Destination connection ID", "nmpi.session.dest_conn_id",
580 FT_UINT16, BASE_HEX, NULL, 0,
581 NULL, HFILL }
582 },
583 { &hf_nbipx_session_send_seq_number,
584 { "Send sequence number", "nmpi.session.send_seq_number",
585 FT_UINT16, BASE_DEC, NULL, 0,
586 NULL, HFILL }
587 },
588 { &hf_nbipx_session_total_data_length,
589 { "Total data length", "nmpi.session.total_data_length",
590 FT_UINT16, BASE_DEC, NULL, 0,
591 NULL, HFILL }
592 },
593 { &hf_nbipx_session_offset,
594 { "Offset", "nmpi.session.offset",
595 FT_UINT16, BASE_DEC, NULL, 0,
596 NULL, HFILL }
597 },
598 { &hf_nbipx_session_data_length,
599 { "Data length", "nmpi.session.data_length",
600 FT_UINT16, BASE_DEC, NULL, 0,
601 NULL, HFILL }
602 },
603 { &hf_nbipx_session_recv_seq_number,
604 { "Receive sequence number", "nmpi.session.recv_seq_number",
605 FT_UINT16, BASE_DEC, NULL, 0,
606 NULL, HFILL }
607 },
608 { &hf_nbipx_session_bytes_received,
609 { "Bytes received", "nmpi.session.bytes_received",
610 FT_UINT16, BASE_DEC, NULL, 0,
611 NULL, HFILL }
612 },
613 { &hf_nbipx_ipx_network,
614 { "IPX Network", "nmpi.ipx_network",
615 FT_IPXNET, BASE_NONE, NULL, 0,
616 NULL, HFILL }
617 },
618 { &hf_nbipx_opcode,
619 { "Opcode", "nmpi.opcode",
620 FT_UINT8, BASE_HEX, VALS(nmpi_opcode_vals), 0,
621 NULL, HFILL }
622 },
623 { &hf_nbipx_name_type,
624 { "Name Type", "nmpi.name_type",
625 FT_UINT8, BASE_HEX, VALS(nmpi_name_type_vals), 0,
626 NULL, HFILL }
627 },
628 { &hf_nbipx_messageid,
629 { "Message ID", "nmpi.messageid",
630 FT_UINT16, BASE_HEX, NULL, 0,
631 NULL, HFILL }
632 },
633 };
634
635 static int *ett[] = {
636 &ett_nbipx,
637 &ett_nbipx_conn_ctrl,
638 &ett_nbipx_name_type_flags,
639 };
640
641 proto_nbipx = proto_register_protocol("NetBIOS over IPX", "NBIPX", "nbipx");
642 proto_register_field_array(proto_nbipx, hf, array_length(hf));
643 proto_register_subtree_array(ett, array_length(ett));
644
645 nbipx_handle = register_dissector("nbipx", dissect_nbipx, proto_nbipx);
646 }
647
648 void
649 proto_reg_handoff_nbipx(void)
650 {
651 dissector_add_uint("ipx.socket", IPX_SOCKET_NETBIOS, nbipx_handle);
652 netbios_heur_subdissector_list = find_heur_dissector_list("netbios");
653 }
654
655 /*
656 * Microsoft appear to have something they call "direct hosting", where
657 * SMB - and, I infer, related stuff, such as name resolution - runs
658 * directly over IPX. (In Windows 2000, they also run SMB directly over
659 * TCP, on port 445, and that also appears to be called "direct hosting".
660 * Wireshark handles SMB-over-TCP.)
661 *
662 * The document at
663 *
664 * http://support.microsoft.com/support/kb/articles/q203/0/51.asp
665 *
666 * speaks of NMPI - the "Name Management Protocol on IPX" - as being
667 * "Microsoft's protocol for name management support when you use IPX
668 * without the NetBIOS interface," and says that "This process of routing
669 * the SMB protocol directly through IPX is known as Direct Hosting."
670 *
671 * It speaks of IPX socket 0x551 as being for NMPI; we define it as
672 * IPX_SOCKET_NWLINK_SMB_NAMEQUERY.
673 *
674 * We also define IPX_SOCKET_NWLINK_SMB_DGRAM as 0x0553 and define
675 * IPX_SOCKET_NWLINK_SMB_BROWSE as 0x0555 (with a "? not sure on this"
676 * comment after the latter one).
677 *
678 * We have seen at least some browser announcements on IPX socket 0x553;
679 * those are WAN broadcast packets, complete with 8 IPX network
680 * numbers, and with the header containing the usual two NetBIOS names
681 * that show up in NetBIOS datagrams.
682 *
683 * Network Monitor calls those packets NMPI packets, even though they're
684 * on socket 0x553, not socket 0x551, and contain SMB datagrams, not name
685 * resolution packets.
686 *
687 * At least some of this is discussed in the "SMBPUB.DOC" Word document
688 * stored in
689 *
690 * ftp://ftp.microsoft.com/developr/drg/CIFS/smbpub.zip
691 *
692 * which can also be found in text form at
693 *
694 * http://www.samba.org/samba/ftp/specs/smbpub.txt
695 *
696 * which says that for "connectionless IPX transport" the sockets that
697 * are used are:
698 *
699 * SMB_SERVER_SOCKET (0x550) - SMB requests from clients
700 * SMB_NAME_SOCKET (0x551) - name claims and name query messages
701 * REDIR_SOCKET (0x552) - used by the redirector (client) for
702 * sending SMB requests and receiving SMB replies
703 * MAILSLOT_SOCKET (0x553) - used by the redirector and browser
704 * for mailslot datagrams
705 * MESSENGER_SOCKET (0x554) - used by the redirector to send
706 * messages from client to client
707 *
708 * Name claim/query packets, and mailslot datagrams, are:
709 *
710 * 8 IPX network addresses
711 * 1 byte of opcode
712 * 1 byte of name type
713 * 2 bytes of message ID
714 * 16 bytes of name being sought or claimed
715 * 16 bytes of requesting machine
716 *
717 * The opcode is one of:
718 *
719 * INAME_CLAIM (0xf1) - server name claim message
720 * INAME_DELETE (0xf2) - relinquish server name
721 * INAME_QUERY (0xf3) - locate server name
722 * INAME_FOUND (0xf4) - response to INAME_QUERY
723 * IMSG_HANGUP (0xf5) - messenger hangup
724 * IMSLOT_SEND (0xfc) - mailslot write
725 * IMSLOT_FIND (0xfd) - find name for mailslot write
726 * IMSLOT_NAME (0xfe) - response to IMSLOT_FIND
727 *
728 * The name type is one of:
729 *
730 * INTYPE_MACHINE 1
731 * INTYPE_WKGROUP 2
732 * INTYPE_BROWSER 3
733 */
734 static int proto_nmpi;
735
736 static int ett_nmpi;
737 static int ett_nmpi_name_type_flags;
738
739
740 static int
741 dissect_nmpi(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
742 {
743 proto_tree *nmpi_tree = NULL;
744 proto_item *ti;
745 int offset = 0;
746 uint8_t opcode;
747 char name[(NETBIOS_NAME_LEN - 1)*4 + 1];
748 int name_type;
749 char node_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
750 /*int node_name_type = 0;*/
751 tvbuff_t *next_tvb;
752
753 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NMPI");
754 col_clear(pinfo->cinfo, COL_INFO);
755
756 if (tree) {
757 ti = proto_tree_add_item(tree, proto_nmpi, tvb, offset, 68,
758 ENC_NA);
759 nmpi_tree = proto_item_add_subtree(ti, ett_nmpi);
760
761 add_routers(nmpi_tree, tvb, offset);
762 }
763 offset += 32;
764
765 /*
766 * XXX - we don't use "node_name" or "node_name_type".
767 */
768 opcode = tvb_get_uint8(tvb, offset);
769 name_type = get_netbios_name(tvb, offset+4, name, (NETBIOS_NAME_LEN - 1)*4 + 1);
770 /*node_name_type = */get_netbios_name(tvb, offset+20, node_name, (NETBIOS_NAME_LEN - 1)*4 + 1);
771
772 switch (opcode) {
773
774 case INAME_CLAIM:
775 col_add_fstr(pinfo->cinfo, COL_INFO, "Claim name %s<%02x>",
776 name, name_type);
777 break;
778
779 case INAME_DELETE:
780 col_add_fstr(pinfo->cinfo, COL_INFO, "Delete name %s<%02x>",
781 name, name_type);
782 break;
783
784 case INAME_QUERY:
785 col_add_fstr(pinfo->cinfo, COL_INFO, "Query name %s<%02x>",
786 name, name_type);
787 break;
788
789 case INAME_FOUND:
790 col_add_fstr(pinfo->cinfo, COL_INFO, "Name %s<%02x> found",
791 name, name_type);
792 break;
793
794 case IMSG_HANGUP:
795 col_add_fstr(pinfo->cinfo, COL_INFO,
796 "Messenger hangup on %s<%02x>", name, name_type);
797 break;
798
799 case IMSLOT_SEND:
800 col_add_fstr(pinfo->cinfo, COL_INFO,
801 "Mailslot write to %s<%02x>", name, name_type);
802 break;
803
804 case IMSLOT_FIND:
805 col_add_fstr(pinfo->cinfo, COL_INFO,
806 "Find mailslot name %s<%02x>", name, name_type);
807 break;
808
809 case IMSLOT_NAME:
810 col_add_fstr(pinfo->cinfo, COL_INFO,
811 "Mailslot name %s<%02x> found", name, name_type);
812 break;
813
814 default:
815 col_add_fstr(pinfo->cinfo, COL_INFO,
816 "Unknown NMPI op 0x%02x: name %s<%02x>",
817 opcode, name, name_type);
818 break;
819 }
820
821 if (tree) {
822 proto_tree_add_item(nmpi_tree, hf_nbipx_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
823 proto_tree_add_item(nmpi_tree, hf_nbipx_name_type, tvb, offset+1, 1, ENC_LITTLE_ENDIAN);
824 proto_tree_add_item(nmpi_tree, hf_nbipx_messageid, tvb, offset+2, 2, ENC_LITTLE_ENDIAN);
825 netbios_add_name("Requested name", tvb, offset+4, nmpi_tree);
826 netbios_add_name("Source name", tvb, offset+20, nmpi_tree);
827 }
828
829 offset += 1 + 1 + 2 + NETBIOS_NAME_LEN + NETBIOS_NAME_LEN;
830
831 if (opcode == IMSLOT_SEND && tvb_offset_exists(tvb, offset)) {
832 next_tvb = tvb_new_subset_remaining(tvb, offset);
833 dissect_netbios_payload(next_tvb, pinfo, tree);
834 }
835 return tvb_captured_length(tvb);
836 }
837
838 void
839 proto_register_nmpi(void)
840 {
841 /*
842 static hf_register_info hf[] = {
843 { &variable,
844 { "Name", "nmpi.abbreviation", TYPE, VALS_POINTER }},
845 }; */
846 static int *ett[] = {
847 &ett_nmpi,
848 &ett_nmpi_name_type_flags,
849 };
850
851 proto_nmpi = proto_register_protocol("Name Management Protocol over IPX",
852 "NMPI", "nmpi");
853 /* proto_register_field_array(proto_nmpi, hf, array_length(hf));*/
854 proto_register_subtree_array(ett, array_length(ett));
855
856 nmpi_handle = register_dissector("nmpi", dissect_nmpi, proto_nmpi);
857 }
858
859 void
860 proto_reg_handoff_nmpi(void)
861 {
862 dissector_add_uint("ipx.socket", IPX_SOCKET_NWLINK_SMB_NAMEQUERY,
863 nmpi_handle);
864 dissector_add_uint("ipx.socket", IPX_SOCKET_NWLINK_SMB_MAILSLOT,
865 nmpi_handle);
866 }
867
868 /*
869 * Editor modelines - https://www.wireshark.org/tools/modelines.html
870 *
871 * Local variables:
872 * c-basic-offset: 8
873 * tab-width: 8
874 * indent-tabs-mode: t
875 * End:
876 *
877 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
878 * :indentSize=8:tabSize=8:noTabs=false:
879 */
Metzes wireshark repo